[  OK  ] Reached target Login Prompts.
[  OK  ] Reached target Multi-User System.
[  OK  ] Reached target Graphical Interface.
         Starting Update UTMP about System Runlevel Changes...
[  OK  ] Started Update UTMP about System Runlevel Changes.


Debian GNU/Linux 9 syzkaller ttyS0

Warning: Permanently added '10.128.0.89' (ECDSA) to the list of known hosts.
syzkaller login: [   65.733322][ T6842] IPVS: ftp: loaded support on port[0] = 21
executing program
[   66.893257][ T6868] Bluetooth: Wrong link type (-22)
[   66.961452][ T6842] ==================================================================
[   66.970401][ T6842] BUG: KASAN: use-after-free in hci_chan_del+0x14f/0x190
[   66.977439][ T6842] Read of size 8 at addr ffff8880a83d2318 by task syz-executor257/6842
[   66.985675][ T6842] 
[   66.988007][ T6842] CPU: 1 PID: 6842 Comm: syz-executor257 Not tainted 5.8.0-rc7-next-20200731-syzkaller #0
[   66.997893][ T6842] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   67.007945][ T6842] Call Trace:
[   67.011235][ T6842]  dump_stack+0x18f/0x20d
[   67.015554][ T6842]  ? hci_chan_del+0x14f/0x190
[   67.020237][ T6842]  ? hci_chan_del+0x14f/0x190
[   67.024907][ T6842]  print_address_description.constprop.0.cold+0xae/0x497
[   67.031953][ T6842]  ? mutex_lock_io_nested+0xf60/0xf60
[   67.037356][ T6842]  ? lockdep_hardirqs_off+0x7e/0xb0
[   67.042540][ T6842]  ? vprintk_func+0x97/0x1a6
[   67.047140][ T6842]  ? hci_chan_del+0x14f/0x190
[   67.051827][ T6842]  ? hci_chan_del+0x14f/0x190
[   67.056500][ T6842]  kasan_report.cold+0x1f/0x37
[   67.061252][ T6842]  ? hci_chan_del+0x14f/0x190
[   67.065923][ T6842]  hci_chan_del+0x14f/0x190
[   67.070439][ T6842]  l2cap_conn_del+0x61b/0x9e0
[   67.075125][ T6842]  ? l2cap_conn_del+0x9e0/0x9e0
[   67.079959][ T6842]  l2cap_disconn_cfm+0x85/0xa0
[   67.084710][ T6842]  hci_conn_hash_flush+0x114/0x220
[   67.089812][ T6842]  hci_dev_do_close+0x5c6/0x1080
[   67.094738][ T6842]  ? hci_dev_open+0x350/0x350
[   67.099517][ T6842]  ? do_raw_read_unlock+0x70/0x70
[   67.104538][ T6842]  ? try_to_grab_pending.part.0+0x7d0/0x7d0
[   67.110421][ T6842]  hci_unregister_dev+0x1bd/0xe30
[   67.115431][ T6842]  ? fcntl_setlk+0xf60/0xf60
[   67.120099][ T6842]  ? lock_is_held_type+0xbb/0xf0
[   67.125025][ T6842]  vhci_release+0x70/0xe0
[   67.129339][ T6842]  __fput+0x285/0x920
[   67.133327][ T6842]  ? vhci_close_dev+0x50/0x50
[   67.137988][ T6842]  task_work_run+0xdd/0x190
[   67.142732][ T6842]  do_exit+0xb7d/0x29f0
[   67.146894][ T6842]  ? mm_update_next_owner+0x7a0/0x7a0
[   67.152260][ T6842]  ? vfs_write+0x1b0/0x730
[   67.156672][ T6842]  ? lock_is_held_type+0xbb/0xf0
[   67.161592][ T6842]  do_group_exit+0x125/0x310
[   67.166166][ T6842]  __x64_sys_exit_group+0x3a/0x50
[   67.171199][ T6842]  do_syscall_64+0x2d/0x70
[   67.175595][ T6842]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[   67.181467][ T6842] RIP: 0033:0x445258
[   67.185349][ T6842] Code: Bad RIP value.
[   67.189393][ T6842] RSP: 002b:00007ffc4a4293e8 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
[   67.197794][ T6842] RAX: ffffffffffffffda RBX: 0000000000000001 RCX: 0000000000445258
[   67.205748][ T6842] RDX: 0000000000000001 RSI: 000000000000003c RDI: 0000000000000001
[   67.213718][ T6842] RBP: 00000000004cd010 R08: 00000000000000e7 R09: ffffffffffffffd0
[   67.221703][ T6842] R10: 00007f3368edc9d0 R11: 0000000000000246 R12: 0000000000000001
[   67.229744][ T6842] R13: 00000000006e0200 R14: 0000000002317850 R15: 0000000000000001
[   67.237703][ T6842] 
[   67.240026][ T6842] Allocated by task 6868:
[   67.244337][ T6842]  kasan_save_stack+0x1b/0x40
[   67.249007][ T6842]  __kasan_kmalloc.constprop.0+0xbf/0xd0
[   67.254629][ T6842]  kmem_cache_alloc_trace+0x16e/0x2c0
[   67.259986][ T6842]  hci_chan_create+0x9b/0x330
[   67.264656][ T6842]  l2cap_conn_add.part.0+0x1e/0xe10
[   67.269835][ T6842]  l2cap_connect_cfm+0x23b/0x1090
[   67.274840][ T6842]  le_conn_complete_evt+0x1153/0x1740
[   67.280198][ T6842]  hci_le_meta_evt+0xe55/0x3fd0
[   67.285029][ T6842]  hci_event_packet+0x2e25/0x87a8
[   67.290043][ T6842]  hci_rx_work+0x22e/0xb50
[   67.294451][ T6842]  process_one_work+0x94c/0x1670
[   67.299367][ T6842]  worker_thread+0x64c/0x1120
[   67.304086][ T6842]  kthread+0x3b5/0x4a0
[   67.308143][ T6842]  ret_from_fork+0x1f/0x30
[   67.312547][ T6842] 
[   67.314867][ T6842] Freed by task 6868:
[   67.318834][ T6842]  kasan_save_stack+0x1b/0x40
[   67.323499][ T6842]  kasan_set_track+0x1c/0x30
[   67.328077][ T6842]  kasan_set_free_info+0x1b/0x30
[   67.332995][ T6842]  __kasan_slab_free+0xd8/0x120
[   67.337860][ T6842]  kfree+0x103/0x2c0
[   67.341741][ T6842]  hci_event_packet+0x3e33/0x87a8
[   67.346742][ T6842]  hci_rx_work+0x22e/0xb50
[   67.351237][ T6842]  process_one_work+0x94c/0x1670
[   67.356164][ T6842]  worker_thread+0x64c/0x1120
[   67.360819][ T6842]  kthread+0x3b5/0x4a0
[   67.364877][ T6842]  ret_from_fork+0x1f/0x30
[   67.369267][ T6842] 
[   67.371599][ T6842] The buggy address belongs to the object at ffff8880a83d2300
[   67.371599][ T6842]  which belongs to the cache kmalloc-128 of size 128
[   67.385739][ T6842] The buggy address is located 24 bytes inside of
[   67.385739][ T6842]  128-byte region [ffff8880a83d2300, ffff8880a83d2380)
[   67.398923][ T6842] The buggy address belongs to the page:
[   67.404546][ T6842] page:00000000949616f4 refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff8880a83d2f00 pfn:0xa83d2
[   67.415981][ T6842] flags: 0xfffe0000000200(slab)
[   67.420829][ T6842] raw: 00fffe0000000200 ffffea00029d7708 ffffea000261fd88 ffff8880aa000400
[   67.429412][ T6842] raw: ffff8880a83d2f00 ffff8880a83d2000 0000000100000009 0000000000000000
[   67.437987][ T6842] page dumped because: kasan: bad access detected
[   67.444395][ T6842] 
[   67.446705][ T6842] Memory state around the buggy address:
[   67.452331][ T6842]  ffff8880a83d2200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   67.460390][ T6842]  ffff8880a83d2280: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   67.468551][ T6842] >ffff8880a83d2300: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   67.476675][ T6842]                             ^
[   67.481537][ T6842]  ffff8880a83d2380: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   67.489592][ T6842]  ffff8880a83d2400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   67.497634][ T6842] ==================================================================
[   67.505691][ T6842] Disabling lock debugging due to kernel taint
[   67.547946][ T6842] Kernel panic - not syncing: panic_on_warn set ...
[   67.554585][ T6842] CPU: 1 PID: 6842 Comm: syz-executor257 Tainted: G    B             5.8.0-rc7-next-20200731-syzkaller #0
[   67.565863][ T6842] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   67.576079][ T6842] Call Trace:
[   67.579368][ T6842]  dump_stack+0x18f/0x20d
[   67.583687][ T6842]  ? hci_chan_del+0x140/0x190
[   67.588358][ T6842]  panic+0x2e3/0x75c
[   67.592231][ T6842]  ? __warn_printk+0xf3/0xf3
[   67.596832][ T6842]  ? preempt_schedule_common+0x59/0xc0
[   67.602276][ T6842]  ? hci_chan_del+0x14f/0x190
[   67.606945][ T6842]  ? preempt_schedule_thunk+0x16/0x18
[   67.612294][ T6842]  ? trace_hardirqs_on+0x55/0x220
[   67.617305][ T6842]  ? hci_chan_del+0x14f/0x190
[   67.621969][ T6842]  ? hci_chan_del+0x14f/0x190
[   67.626641][ T6842]  end_report+0x4d/0x53
[   67.630776][ T6842]  kasan_report.cold+0xd/0x37
[   67.635432][ T6842]  ? hci_chan_del+0x14f/0x190
[   67.640097][ T6842]  hci_chan_del+0x14f/0x190
[   67.644599][ T6842]  l2cap_conn_del+0x61b/0x9e0
[   67.649268][ T6842]  ? l2cap_conn_del+0x9e0/0x9e0
[   67.654095][ T6842]  l2cap_disconn_cfm+0x85/0xa0
[   67.658873][ T6842]  hci_conn_hash_flush+0x114/0x220
[   67.663987][ T6842]  hci_dev_do_close+0x5c6/0x1080
[   67.668992][ T6842]  ? hci_dev_open+0x350/0x350
[   67.673657][ T6842]  ? do_raw_read_unlock+0x70/0x70
[   67.678660][ T6842]  ? try_to_grab_pending.part.0+0x7d0/0x7d0
[   67.684545][ T6842]  hci_unregister_dev+0x1bd/0xe30
[   67.689559][ T6842]  ? fcntl_setlk+0xf60/0xf60
[   67.694153][ T6842]  ? lock_is_held_type+0xbb/0xf0
[   67.699081][ T6842]  vhci_release+0x70/0xe0
[   67.703404][ T6842]  __fput+0x285/0x920
[   67.707373][ T6842]  ? vhci_close_dev+0x50/0x50
[   67.712031][ T6842]  task_work_run+0xdd/0x190
[   67.716535][ T6842]  do_exit+0xb7d/0x29f0
[   67.720696][ T6842]  ? mm_update_next_owner+0x7a0/0x7a0
[   67.726061][ T6842]  ? vfs_write+0x1b0/0x730
[   67.730474][ T6842]  ? lock_is_held_type+0xbb/0xf0
[   67.735394][ T6842]  do_group_exit+0x125/0x310
[   67.739965][ T6842]  __x64_sys_exit_group+0x3a/0x50
[   67.744979][ T6842]  do_syscall_64+0x2d/0x70
[   67.749400][ T6842]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[   67.755294][ T6842] RIP: 0033:0x445258
[   67.759177][ T6842] Code: Bad RIP value.
[   67.763245][ T6842] RSP: 002b:00007ffc4a4293e8 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
[   67.772190][ T6842] RAX: ffffffffffffffda RBX: 0000000000000001 RCX: 0000000000445258
[   67.780453][ T6842] RDX: 0000000000000001 RSI: 000000000000003c RDI: 0000000000000001
[   67.789729][ T6842] RBP: 00000000004cd010 R08: 00000000000000e7 R09: ffffffffffffffd0
[   67.797929][ T6842] R10: 00007f3368edc9d0 R11: 0000000000000246 R12: 0000000000000001
[   67.806226][ T6842] R13: 00000000006e0200 R14: 0000000002317850 R15: 0000000000000001
[   67.815452][ T6842] Kernel Offset: disabled
[   67.819807][ T6842] Rebooting in 86400 seconds..