[  OK  ] Started Getty on tty2.
[  OK  ] Started Getty on tty1.
[  OK  ] Started Serial Getty on ttyS0.
[  OK  ] Reached target Login Prompts.
[  OK  ] Reached target Multi-User System.
[  OK  ] Reached target Graphical Interface.
         Starting Update UTMP about System Runlevel Changes...
[  OK  ] Started Update UTMP about System Runlevel Changes.
         Starting Load/Save RF Kill Switch Status...
[  OK  ] Started Load/Save RF Kill Switch Status.

Debian GNU/Linux 9 syzkaller ttyS0

Warning: Permanently added '10.128.0.238' (ECDSA) to the list of known hosts.

syzkaller login: [   61.980031][ T6868] IPVS: ftp: loaded support on port[0] = 21
executing program
[   63.566547][   T57] tipc: TX() has been purged, node left!
[   63.583125][ T6901] ==================================================================
[   63.592241][ T6901] BUG: KASAN: use-after-free in sco_chan_del+0xe6/0x430
[   63.599204][ T6901] Write of size 4 at addr ffff888093c96010 by task syz-executor747/6901
[   63.608152][ T6901]
[   63.610507][ T6901] CPU: 1 PID: 6901 Comm: syz-executor747 Not tainted 5.8.0-rc7-next-20200731-syzkaller #0
[   63.622607][ T6901] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   63.635939][ T6901] Call Trace:
[   63.639337][ T6901]  dump_stack+0x18f/0x20d
[   63.643893][ T6901]  ? sco_chan_del+0xe6/0x430
[   63.648781][ T6901]  ? sco_chan_del+0xe6/0x430
[   63.653548][ T6901]  print_address_description.constprop.0.cold+0xae/0x497
[   63.660765][ T6901]  ? sco_chan_del+0xab/0x430
[   63.665733][ T6901]  ? lockdep_hardirqs_off+0x7e/0xb0
[   63.671295][ T6901]  ? vprintk_func+0x97/0x1a6
[   63.676149][ T6901]  ? sco_chan_del+0xe6/0x430
[   63.681003][ T6901]  ? sco_chan_del+0xe6/0x430
[   63.686238][ T6901]  kasan_report.cold+0x1f/0x37
[   63.691277][ T6901]  ? sco_chan_del+0xe6/0x430
[   63.696060][ T6901]  check_memory_region+0x13d/0x180
[   63.701439][ T6901]  sco_chan_del+0xe6/0x430
[   63.705926][ T6901]  __sco_sock_close+0x16e/0x5b0
[   63.710869][ T6901]  sco_sock_release+0x69/0x290
[   63.715636][ T6901]  __sock_release+0xcd/0x280
[   63.720443][ T6901]  sock_close+0x18/0x20
[   63.724602][ T6901]  __fput+0x285/0x920
[   63.729031][ T6901]  ? __sock_release+0x280/0x280
[   63.733947][ T6901]  task_work_run+0xdd/0x190
[   63.738505][ T6901]  do_exit+0xb7d/0x29f0
[   63.742661][ T6901]  ? lock_acquire+0x1f1/0xad0
[   63.747490][ T6901]  ? find_held_lock+0x2d/0x110
[   63.752388][ T6901]  ? mm_update_next_owner+0x7a0/0x7a0
[   63.758174][ T6901]  ? get_signal+0x332/0x1ee0
[   63.762898][ T6901]  ? lock_downgrade+0x830/0x830
[   63.768021][ T6901]  ? lock_is_held_type+0xbb/0xf0
[   63.773556][ T6901]  do_group_exit+0x125/0x310
[   63.778980][ T6901]  get_signal+0x40b/0x1ee0
[   63.783405][ T6901]  ? find_held_lock+0x2d/0x110
[   63.788426][ T6901]  ? __schedule+0x88e/0x21e0
[   63.793599][ T6901]  ? lockdep_hardirqs_on_prepare+0x354/0x530
[   63.800008][ T6901]  arch_do_signal+0x82/0x2520
[   63.805192][ T6901]  ? finish_task_switch+0x1dc/0x750
[   63.810589][ T6901]  ? __switch_to+0x425/0xfe0
[   63.815395][ T6901]  ? lock_is_held_type+0xbb/0xf0
[   63.820470][ T6901]  ? copy_siginfo_to_user32+0xa0/0xa0
[   63.826066][ T6901]  ? __x64_sys_futex+0x382/0x4e0
[   63.831267][ T6901]  ? fput_many+0x2f/0x1a0
[   63.835798][ T6901]  ? exit_to_user_mode_prepare+0xb9/0x1c0
[   63.841998][ T6901]  ? lockdep_hardirqs_on_prepare+0x354/0x530
[   63.848360][ T6901]  exit_to_user_mode_prepare+0x15d/0x1c0
[   63.853999][ T6901]  syscall_exit_to_user_mode+0x59/0x2b0
[   63.859693][ T6901]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[   63.865579][ T6901] RIP: 0033:0x4468d9
[   63.869462][ T6901] Code: Bad RIP value.
[   63.873519][ T6901] RSP: 002b:00007f830fbdfdb8 EFLAGS: 00000246 ORIG_RAX: 00000000000000ca
[   63.882679][ T6901] RAX: fffffffffffffe00 RBX: 00000000006dbc38 RCX: 00000000004468d9
[   63.891159][ T6901] RDX: 0000000000000000 RSI: 0000000000000080 RDI: 00000000006dbc38
[   63.900333][ T6901] RBP: 00000000006dbc30 R08: 0000000000000000 R09: 0000000000000000
[   63.908443][ T6901] R10: 0000000000000000 R11: 0000000000000246 R12: 00000000006dbc3c
[   63.916467][ T6901] R13: 00007ffcd490a3cf R14: 00007f830fbe09c0 R15: 00000000006dbc3c
[   63.925040][ T6901]
[   63.927368][ T6901] Allocated by task 6898:
[   63.931699][ T6901]  kasan_save_stack+0x1b/0x40
[   63.936461][ T6901]  __kasan_kmalloc.constprop.0+0xbf/0xd0
[   63.942139][ T6901]  kmem_cache_alloc_trace+0x16e/0x2c0
[   63.947575][ T6901]  hci_conn_add+0x53/0x1330
[   63.952075][ T6901]  hci_connect_sco+0x356/0x860
[   63.957074][ T6901]  sco_sock_connect+0x308/0x980
[   63.961945][ T6901]  __sys_connect_file+0x155/0x1a0
[   63.966963][ T6901]  __sys_connect+0x160/0x190
[   63.971546][ T6901]  __x64_sys_connect+0x6f/0xb0
[   63.976313][ T6901]  do_syscall_64+0x2d/0x70
[   63.980863][ T6901]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[   63.986978][ T6901]
[   63.989478][ T6901] Freed by task 6894:
[   63.993546][ T6901]  kasan_save_stack+0x1b/0x40
[   63.998411][ T6901]  kasan_set_track+0x1c/0x30
[   64.003226][ T6901]  kasan_set_free_info+0x1b/0x30
[   64.008376][ T6901]  __kasan_slab_free+0xd8/0x120
[   64.013282][ T6901]  kfree+0x103/0x2c0
[   64.017176][ T6901]  device_release+0x71/0x200
[   64.021761][ T6901]  kobject_put+0x171/0x270
[   64.026226][ T6901]  put_device+0x1b/0x30
[   64.030436][ T6901]  hci_conn_del+0x27e/0x6a0
[   64.035220][ T6901]  hci_phy_link_complete_evt.isra.0+0x508/0x790
[   64.041457][ T6901]  hci_event_packet+0x4696/0x87a8
[   64.046746][ T6901]  hci_rx_work+0x22e/0xb50
[   64.051213][ T6901]  process_one_work+0x94c/0x1670
[   64.056145][ T6901]  worker_thread+0x64c/0x1120
[   64.061165][ T6901]  kthread+0x3b5/0x4a0
[   64.065233][ T6901]  ret_from_fork+0x1f/0x30
[   64.069857][ T6901]
[   64.073325][ T6901] The buggy address belongs to the object at ffff888093c96000
[   64.073325][ T6901]  which belongs to the cache kmalloc-4k of size 4096
[   64.088004][ T6901] The buggy address is located 16 bytes inside of
[   64.088004][ T6901]  4096-byte region [ffff888093c96000, ffff888093c97000)
[   64.101474][ T6901] The buggy address belongs to the page:
[   64.107230][ T6901] page:000000001fd9174a refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x93c96
[   64.117426][ T6901] head:000000001fd9174a order:1 compound_mapcount:0
[   64.124165][ T6901] flags: 0xfffe0000010200(slab|head)
[   64.129457][ T6901] raw: 00fffe0000010200 ffffea000252d888 ffffea00024fd288 ffff8880aa000900
[   64.138270][ T6901] raw: 0000000000000000 ffff888093c96000 0000000100000001 0000000000000000
[   64.146900][ T6901] page dumped because: kasan: bad access detected
[   64.153441][ T6901]
[   64.155760][ T6901] Memory state around the buggy address:
[   64.161442][ T6901]  ffff888093c95f00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   64.169919][ T6901]  ffff888093c95f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   64.178228][ T6901] >ffff888093c96000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   64.187375][ T6901]                    ^
[   64.192208][ T6901]  ffff888093c96080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   64.200403][ T6901]  ffff888093c96100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   64.208546][ T6901] ==================================================================
[   64.216971][ T6901] Disabling lock debugging due to kernel taint
[   64.224252][ T6901] Kernel panic - not syncing: panic_on_warn set ...
[   64.230879][ T6901] CPU: 1 PID: 6901 Comm: syz-executor747 Tainted: G    B             5.8.0-rc7-next-20200731-syzkaller #0
[   64.242583][ T6901] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   64.252809][ T6901] Call Trace:
[   64.256223][ T6901]  dump_stack+0x18f/0x20d
[   64.260890][ T6901]  ? sco_chan_del+0x20/0x430
[   64.265755][ T6901]  panic+0x2e3/0x75c
[   64.269893][ T6901]  ? __warn_printk+0xf3/0xf3
[   64.274565][ T6901]  ? preempt_schedule_common+0x59/0xc0
[   64.280421][ T6901]  ? sco_chan_del+0xe6/0x430
[   64.285311][ T6901]  ? preempt_schedule_thunk+0x16/0x18
[   64.290740][ T6901]  ? trace_hardirqs_on+0x55/0x220
[   64.295964][ T6901]  ? sco_chan_del+0xe6/0x430
[   64.300551][ T6901]  ? sco_chan_del+0xe6/0x430
[   64.305760][ T6901]  end_report+0x4d/0x53
[   64.310058][ T6901]  kasan_report.cold+0xd/0x37
[   64.314737][ T6901]  ? sco_chan_del+0xe6/0x430
[   64.319492][ T6901]  check_memory_region+0x13d/0x180
[   64.325069][ T6901]  sco_chan_del+0xe6/0x430
[   64.329628][ T6901]  __sco_sock_close+0x16e/0x5b0
[   64.334529][ T6901]  sco_sock_release+0x69/0x290
[   64.339507][ T6901]  __sock_release+0xcd/0x280
[   64.344229][ T6901]  sock_close+0x18/0x20
[   64.348564][ T6901]  __fput+0x285/0x920
[   64.352605][ T6901]  ? __sock_release+0x280/0x280
[   64.357681][ T6901]  task_work_run+0xdd/0x190
[   64.362332][ T6901]  do_exit+0xb7d/0x29f0
[   64.366908][ T6901]  ? lock_acquire+0x1f1/0xad0
[   64.372537][ T6901]  ? find_held_lock+0x2d/0x110
[   64.378095][ T6901]  ? mm_update_next_owner+0x7a0/0x7a0
[   64.383739][ T6901]  ? get_signal+0x332/0x1ee0
[   64.388577][ T6901]  ? lock_downgrade+0x830/0x830
[   64.393495][ T6901]  ? lock_is_held_type+0xbb/0xf0
[   64.398432][ T6901]  do_group_exit+0x125/0x310
[   64.403068][ T6901]  get_signal+0x40b/0x1ee0
[   64.407609][ T6901]  ? find_held_lock+0x2d/0x110
[   64.412509][ T6901]  ? __schedule+0x88e/0x21e0
[   64.417240][ T6901]  ? lockdep_hardirqs_on_prepare+0x354/0x530
[   64.423440][ T6901]  arch_do_signal+0x82/0x2520
[   64.428691][ T6901]  ? finish_task_switch+0x1dc/0x750
[   64.434015][ T6901]  ? __switch_to+0x425/0xfe0
[   64.438760][ T6901]  ? lock_is_held_type+0xbb/0xf0
[   64.443834][ T6901]  ? copy_siginfo_to_user32+0xa0/0xa0
[   64.449202][ T6901]  ? __x64_sys_futex+0x382/0x4e0
[   64.454130][ T6901]  ? fput_many+0x2f/0x1a0
[   64.458453][ T6901]  ? exit_to_user_mode_prepare+0xb9/0x1c0
[   64.464169][ T6901]  ? lockdep_hardirqs_on_prepare+0x354/0x530
[   64.470299][ T6901]  exit_to_user_mode_prepare+0x15d/0x1c0
[   64.476395][ T6901]  syscall_exit_to_user_mode+0x59/0x2b0
[   64.482081][ T6901]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[   64.488130][ T6901] RIP: 0033:0x4468d9
[   64.492015][ T6901] Code: Bad RIP value.
[   64.496320][ T6901] RSP: 002b:00007f830fbdfdb8 EFLAGS: 00000246 ORIG_RAX: 00000000000000ca
[   64.504980][ T6901] RAX: fffffffffffffe00 RBX: 00000000006dbc38 RCX: 00000000004468d9
[   64.513216][ T6901] RDX: 0000000000000000 RSI: 0000000000000080 RDI: 00000000006dbc38
[   64.521402][ T6901] RBP: 00000000006dbc30 R08: 0000000000000000 R09: 0000000000000000
[   64.529588][ T6901] R10: 0000000000000000 R11: 0000000000000246 R12: 00000000006dbc3c
[   64.537799][ T6901] R13: 00007ffcd490a3cf R14: 00007f830fbe09c0 R15: 00000000006dbc3c
[   64.547407][ T6901] Kernel Offset: disabled
[   64.552152][ T6901] Rebooting in 86400 seconds..
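The report above carries everything a triager needs, but it is buried in console prefixes, stale `?` frames and two nearly identical backtraces (the KASAN report and the panic_on_warn trace that follows it). The following added example, which is not part of the syzkaller report or of any kernel or syzkaller tooling, parses a KASAN report out of such a log and reduces it to the facts that drive triage: the bug class and access kind (here a 4-byte write, so memory corruption rather than a read), the faulting function, the allocating and freeing call chains with KASAN and allocator plumbing stripped, the slab cache and offset, and a cross-check that the prose offset agrees with `addr - object`. `SAMPLE_LOG` is a constructed excerpt of this page's report with most frames trimmed; the regexes assume the 5.x-era report layout shown on this page.

```python
"""Triage helper for KASAN reports in a syzkaller console log.

Added example; not part of the original report, syzkaller or the kernel.
SAMPLE_LOG is a constructed, trimmed excerpt of the report on this page.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

SAMPLE_LOG = """\
[   63.583125][ T6901] ==================================================================
[   63.592241][ T6901] BUG: KASAN: use-after-free in sco_chan_del+0xe6/0x430
[   63.599204][ T6901] Write of size 4 at addr ffff888093c96010 by task syz-executor747/6901
[   63.608152][ T6901]
[   63.610507][ T6901] CPU: 1 PID: 6901 Comm: syz-executor747 Not tainted 5.8.0-rc7-next-20200731-syzkaller #0
[   63.635939][ T6901] Call Trace:
[   63.639337][ T6901]  dump_stack+0x18f/0x20d
[   63.643893][ T6901]  ? sco_chan_del+0xe6/0x430
[   63.686238][ T6901]  kasan_report.cold+0x1f/0x37
[   63.696060][ T6901]  check_memory_region+0x13d/0x180
[   63.701439][ T6901]  sco_chan_del+0xe6/0x430
[   63.705926][ T6901]  __sco_sock_close+0x16e/0x5b0
[   63.865579][ T6901] RIP: 0033:0x4468d9
[   63.925040][ T6901]
[   63.927368][ T6901] Allocated by task 6898:
[   63.931699][ T6901]  kasan_save_stack+0x1b/0x40
[   63.936461][ T6901]  __kasan_kmalloc.constprop.0+0xbf/0xd0
[   63.942139][ T6901]  kmem_cache_alloc_trace+0x16e/0x2c0
[   63.947575][ T6901]  hci_conn_add+0x53/0x1330
[   63.952075][ T6901]  hci_connect_sco+0x356/0x860
[   63.957074][ T6901]  sco_sock_connect+0x308/0x980
[   63.986978][ T6901]
[   63.989478][ T6901] Freed by task 6894:
[   63.993546][ T6901]  kasan_save_stack+0x1b/0x40
[   64.008376][ T6901]  __kasan_slab_free+0xd8/0x120
[   64.013282][ T6901]  kfree+0x103/0x2c0
[   64.017176][ T6901]  device_release+0x71/0x200
[   64.021761][ T6901]  kobject_put+0x171/0x270
[   64.026226][ T6901]  put_device+0x1b/0x30
[   64.030436][ T6901]  hci_conn_del+0x27e/0x6a0
[   64.035220][ T6901]  hci_phy_link_complete_evt.isra.0+0x508/0x790
[   64.069857][ T6901]
[   64.073325][ T6901] The buggy address belongs to the object at ffff888093c96000
[   64.073325][ T6901]  which belongs to the cache kmalloc-4k of size 4096
[   64.088004][ T6901] The buggy address is located 16 bytes inside of
[   64.088004][ T6901]  4096-byte region [ffff888093c96000, ffff888093c97000)
[   64.208546][ T6901] ==================================================================
"""

PREFIX = re.compile(r"^\[\s*\d+\.\d+\]\[\s*T\d+\]\s?")      # "[   63.58][ T6901] "
HEADER = re.compile(r"BUG: KASAN: (?P<bug>[\w-]+) in (?P<func>\S+)")
ACCESS = re.compile(r"(?P<kind>Read|Write) of size (?P<size>\d+) at addr "
                    r"(?P<addr>[0-9a-f]+) by task (?P<comm>\S+)/(?P<pid>\d+)")
SECTION = re.compile(r"^(Call Trace:|Allocated by task (\d+):|Freed by task (\d+):)$")
FRAME = re.compile(r"^\s*(?P<stale>\?\s+)?(?P<sym>[\w.]+)\+0x[0-9a-f]+/0x[0-9a-f]+$")
OBJECT = re.compile(r"belongs to the object at (?P<obj>[0-9a-f]+)")
CACHE = re.compile(r"belongs to the cache (?P<cache>\S+) of size (?P<size>\d+)")
OFFSET = re.compile(r"located (?P<off>\d+) bytes (?P<where>inside of|to the right of|to the left of)")
# Frames owned by KASAN or the slab allocator, not by the code under test.
NOISE = ("kasan_", "__kasan_", "check_memory_region", "dump_stack",
         "print_address_description", "kmem_cache_alloc", "kfree", "__kmalloc")


@dataclass
class KasanReport:
    bug: str; func: str; kind: str; size: int; addr: int; comm: str; pid: int
    stacks: Dict[str, List[str]] = field(default_factory=dict)   # access/alloc/free
    alloc_task: Optional[int] = None; free_task: Optional[int] = None
    obj: Optional[int] = None; cache: Optional[str] = None
    obj_size: Optional[int] = None; offset: Optional[int] = None; where: Optional[str] = None


def parse_kasan_report(text: str) -> KasanReport:
    lines = [PREFIX.sub("", ln).rstrip() for ln in text.splitlines()]
    # Only the text between the two '====' rules is the report; the panic
    # backtrace printed after the closing rule must not be parsed as frames.
    rules = [i for i, ln in enumerate(lines) if ln.startswith("=====")]
    if len(rules) < 2:
        raise ValueError("no complete KASAN report (missing delimiter rules)")
    body = lines[rules[0] + 1:rules[1]]
    head, acc = HEADER.search("\n".join(body)), ACCESS.search("\n".join(body))
    if not head or not acc:
        raise ValueError("report lacks BUG: or access line")
    r = KasanReport(head["bug"], head["func"], acc["kind"], int(acc["size"]),
                    int(acc["addr"], 16), acc["comm"], int(acc["pid"]))
    section = None
    for ln in body:
        if m := SECTION.match(ln):
            section = "access" if ln.startswith("Call") else "alloc" if ln.startswith("Alloc") else "free"
            r.alloc_task = int(m.group(2)) if section == "alloc" else r.alloc_task
            r.free_task = int(m.group(3)) if section == "free" else r.free_task
            r.stacks[section] = []
        elif not ln.strip():
            section = None                      # blank line closes a stack
        elif (f := FRAME.match(ln)) and section:
            if not f["stale"]:                  # drop '?' (unreliable) frames
                r.stacks[section].append(f["sym"])
        elif m := OBJECT.search(ln):
            r.obj = int(m["obj"], 16)
        elif m := CACHE.search(ln):
            r.cache, r.obj_size = m["cache"], int(m["size"])
        elif m := OFFSET.search(ln):
            r.offset, r.where = int(m["off"]), m["where"]
    return r


def callchain(frames: List[str], depth: int = 4) -> List[str]:
    """First `depth` frames that belong to the code under test, innermost first."""
    return [s for s in frames if not s.startswith(NOISE)][:depth]


def offset_consistent(r: KasanReport) -> bool:
    """Cross-check the prose offset against addr - object start."""
    return r.obj is not None and r.offset is not None and r.where == "inside of" \
        and r.addr - r.obj == r.offset


def summarize(r: KasanReport) -> str:
    acc = callchain(r.stacks.get("access", []), 1) or ["?"]
    alloc = " <- ".join(callchain(r.stacks.get("alloc", []), 2)) or "?"
    free = " <- ".join(callchain(r.stacks.get("free", []), 4)) or "?"
    return (f"{r.bug} {r.kind.lower()} ({r.size} bytes) in {acc[0]} at {r.cache}+{r.offset} "
            f"by {r.comm}/{r.pid}; alloc [{r.alloc_task}]: {alloc}; free [{r.free_task}]: {free}")


if __name__ == "__main__":
    print(summarize(parse_kasan_report(SAMPLE_LOG)))
```

On this page's report the summary line reads: use-after-free write of 4 bytes in `sco_chan_del`, object from `kmalloc-4k` at offset 16, allocated by `hci_conn_add` under `hci_connect_sco` (a `connect()` on an SCO socket, task 6898) and freed by `hci_conn_del` from `hci_phy_link_complete_evt` on the HCI RX workqueue (task 6894) before the socket that still pointed at it was closed by task 6901. Bounding the parse to the two `====` rules matters: the panic backtrace after the report repeats the same frames and would otherwise be appended to the access stack.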