[  OK  ] Reached target Multi-User System.
[  OK  ] Reached target Graphical Interface.
         Starting Update UTMP about System Runlevel Changes...
[  OK  ] Started Load/Save RF Kill Switch Status.
[  OK  ] Started Update UTMP about System Runlevel Changes.

Debian GNU/Linux 9 syzkaller ttyS0

Warning: Permanently added '10.128.0.98' (ECDSA) to the list of known hosts.

syzkaller login: [   64.505705][ T6830] IPVS: ftp: loaded support on port[0] = 21
[   64.514854][ T6831] IPVS: ftp: loaded support on port[0] = 21
[   64.519811][ T6832] IPVS: ftp: loaded support on port[0] = 21
[   64.528622][ T6826] IPVS: ftp: loaded support on port[0] = 21
[   64.541652][ T6833] IPVS: ftp: loaded support on port[0] = 21
[   64.553108][ T6834] IPVS: ftp: loaded support on port[0] = 21
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
[   67.756460][ T3042] Bluetooth: hci1: command 0x0409 tx timeout
[   67.762840][ T3042] Bluetooth: hci0: command 0x0409 tx timeout
[   67.835846][ T3916] Bluetooth: hci2: command 0x0409 tx timeout
[   67.841951][ T3916] Bluetooth: hci5: command 0x0409 tx timeout
[   67.849192][ T3916] Bluetooth: hci4: command 0x0409 tx timeout
[   67.855490][ T3916] Bluetooth: hci3: command 0x0409 tx timeout
[   69.835524][ T3916] Bluetooth: hci1: command 0x041b tx timeout
[   69.835530][ T3042] Bluetooth: hci0: command 0x041b tx timeout
[   69.925522][ T3042] Bluetooth: hci3: command 0x041b tx timeout
[   69.931663][ T3042] Bluetooth: hci4: command 0x041b tx timeout
[   69.938950][ T3042] Bluetooth: hci5: command 0x0405 tx timeout
[   69.944960][ T3042] Bluetooth: hci2: command 0x041b tx timeout
executing program
executing program
executing program
[   70.706938][ T6966] ==================================================================
[   70.715119][ T6966] BUG: KASAN: use-after-free in sco_chan_del+0xe6/0x430
[   70.722042][ T6966] Write of size 4 at addr ffff888089304010 by task syz-executor351/6966
[   70.730334][ T6966]
[   70.732645][ T6966] CPU: 1 PID: 6966 Comm: syz-executor351 Not tainted 5.8.0-syzkaller #0
[   70.740948][ T6966] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   70.751106][ T6966] Call Trace:
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
[   70.754399][ T6966]  dump_stack+0x18f/0x20d
[   70.758829][ T6966]  ? sco_chan_del+0xe6/0x430
[   70.763411][ T6966]  ? sco_chan_del+0xe6/0x430
[   70.768000][ T6966]  ? __sock_release+0x280/0x280
[   70.772853][ T6966]  print_address_description.constprop.0.cold+0xae/0x436
[   70.779882][ T6966]  ? sco_chan_del+0xab/0x430
[   70.784592][ T6966]  ? vprintk_func+0x97/0x1a6
[   70.789186][ T6966]  ? sco_chan_del+0xe6/0x430
[   70.793774][ T6966]  kasan_report.cold+0x1f/0x37
[   70.798561][ T6966]  ? sco_chan_del+0xe6/0x430
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
[   70.803180][ T6966]  check_memory_region+0x13d/0x180
[   70.808297][ T6966]  sco_chan_del+0xe6/0x430
[   70.812709][ T6966]  __sco_sock_close+0x16e/0x5b0
[   70.817569][ T6966]  sco_sock_release+0x69/0x290
[   70.822334][ T6966]  __sock_release+0xcd/0x280
[   70.826930][ T6966]  sock_close+0x18/0x20
[   70.831091][ T6966]  __fput+0x33c/0x880
[   70.835253][ T6966]  task_work_run+0xdd/0x190
[   70.839760][ T6966]  do_exit+0xb7d/0x29f0
[   70.843928][ T6966]  ? lock_acquire+0x1f1/0xad0
[   70.848606][ T6966]  ? find_held_lock+0x2d/0x110
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
[   70.853382][ T6966]  ? mm_update_next_owner+0x7a0/0x7a0
[   70.858758][ T6966]  ? get_signal+0x332/0x1ee0
[   70.863354][ T6966]  ? lock_downgrade+0x830/0x830
[   70.868213][ T6966]  ? lock_is_held_type+0xbb/0xf0
[   70.873158][ T6966]  do_group_exit+0x125/0x310
[   70.877758][ T6966]  get_signal+0x40b/0x1ee0
[   70.882183][ T6966]  ? lockdep_hardirqs_on_prepare+0x354/0x530
[   70.888168][ T6966]  ? sco_sock_connect+0x4e4/0x980
[   70.893194][ T6966]  ? lockdep_hardirqs_on+0x76/0xf0
[   70.898307][ T6966]  ? sco_sock_connect+0x4e4/0x980
[   70.903345][ T6966]  arch_do_signal+0x82/0x2520
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
[   70.908035][ T6966]  ? sco_sock_release+0x290/0x290
[   70.913068][ T6966]  ? __sys_connect_file+0x4e/0x1a0
[   70.918200][ T6966]  ? copy_siginfo_to_user32+0xa0/0xa0
[   70.923580][ T6966]  ? __sys_connect+0x109/0x190
[   70.928346][ T6966]  ? __sys_connect_file+0x1a0/0x1a0
[   70.933561][ T6966]  ? exit_to_user_mode_prepare+0xce/0x1d0
[   70.939290][ T6966]  ? lockdep_hardirqs_on_prepare+0x354/0x530
[   70.945278][ T6966]  exit_to_user_mode_prepare+0x172/0x1d0
[   70.950923][ T6966]  syscall_exit_to_user_mode+0x59/0x2b0
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
[   70.956480][ T6966]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[   70.962371][ T6966] RIP: 0033:0x446eb9
[   70.966259][ T6966] Code: Bad RIP value.
[   70.970326][ T6966] RSP: 002b:00007fffdcf41b98 EFLAGS: 00000246 ORIG_RAX: 000000000000002a
[   70.978744][ T6966] RAX: fffffffffffffffc RBX: 0000000000000000 RCX: 0000000000446eb9
[   70.986727][ T6966] RDX: 0000000000000008 RSI: 0000000020000540 RDI: 0000000000000004
[   70.994716][ T6966] RBP: 0000000000000004 R08: 0000000000000002 R09: 00000000000000ff
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
[   71.002692][ T6966] R10: 0000000000000004 R11: 0000000000000246 R12: 0000000000000000
[   71.011889][ T6966] R13: 0000000000407b10 R14: 0000000000000000 R15: 0000000000000000
[   71.019875][ T6966]
[   71.022202][ T6966] Allocated by task 6966:
[   71.026548][ T6966]  save_stack+0x1b/0x40
[   71.030716][ T6966]  __kasan_kmalloc.constprop.0+0xc2/0xd0
[   71.036355][ T6966]  kmem_cache_alloc_trace+0x14f/0x2d0
[   71.041739][ T6966]  hci_conn_add+0x53/0x1330
[   71.046246][ T6966]  hci_connect_sco+0x356/0x860
[   71.051016][ T6966]  sco_sock_connect+0x308/0x980
executing program
executing program
executing program
executing program
executing program
[   71.055876][ T6966]  __sys_connect_file+0x155/0x1a0
[   71.060994][ T6966]  __sys_connect+0x160/0x190
[   71.065592][ T6966]  __x64_sys_connect+0x6f/0xb0
[   71.070369][ T6966]  do_syscall_64+0x2d/0x70
[   71.074795][ T6966]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[   71.080676][ T6966]
[   71.082991][ T6966] Freed by task 6965:
[   71.086965][ T6966]  save_stack+0x1b/0x40
[   71.091114][ T6966]  __kasan_slab_free+0xf5/0x140
[   71.096121][ T6966]  kfree+0x103/0x2c0
[   71.099998][ T6966]  device_release+0x71/0x200
[   71.104566][ T6966]  kobject_put+0x171/0x270
[   71.108957][ T6966]  put_device+0x1b/0x30
[   71.113090][ T6966]  hci_conn_del+0x27e/0x6a0
[   71.117572][ T6966]  hci_phy_link_complete_evt.isra.0+0x508/0x790
[   71.123794][ T6966]  hci_event_packet+0x4696/0x87a8
[   71.128795][ T6966]  hci_rx_work+0x22e/0xb50
[   71.133189][ T6966]  process_one_work+0x94c/0x1670
[   71.138102][ T6966]  worker_thread+0x64c/0x1120
[   71.142763][ T6966]  kthread+0x3b5/0x4a0
[   71.146824][ T6966]  ret_from_fork+0x1f/0x30
[   71.151225][ T6966]
[   71.153543][ T6966] The buggy address belongs to the object at ffff888089304000
[   71.153543][ T6966]  which belongs to the cache kmalloc-4k of size 4096
[   71.167573][ T6966] The buggy address is located 16 bytes inside of
[   71.167573][ T6966]  4096-byte region [ffff888089304000, ffff888089305000)
[   71.180929][ T6966] The buggy address belongs to the page:
[   71.186553][ T6966] page:ffffea000224c100 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 head:ffffea000224c100 order:1 compound_mapcount:0
[   71.199981][ T6966] flags: 0xfffe0000010200(slab|head)
[   71.205252][ T6966] raw: 00fffe0000010200 ffffea000224c588 ffffea000224cc88 ffff8880aa002000
[   71.213832][ T6966] raw: 0000000000000000 ffff888089304000 0000000100000001 0000000000000000
[   71.222449][ T6966] page dumped because: kasan: bad access detected
[   71.228853][ T6966]
[   71.231157][ T6966] Memory state around the buggy address:
[   71.236766][ T6966]  ffff888089303f00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   71.244817][ T6966]  ffff888089303f80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   71.252880][ T6966] >ffff888089304000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   71.260936][ T6966]                          ^
[   71.265530][ T6966]  ffff888089304080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   71.273577][ T6966]  ffff888089304100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   71.281704][ T6966] ==================================================================
[   71.289759][ T6966] Disabling lock debugging due to kernel taint
[   71.303959][ T6966] Kernel panic - not syncing: panic_on_warn set ...
[   71.310571][ T6966] CPU: 0 PID: 6966 Comm: syz-executor351 Tainted: G    B             5.8.0-syzkaller #0
[   71.320273][ T6966] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   71.330325][ T6966] Call Trace:
[   71.333624][ T6966]  dump_stack+0x18f/0x20d
[   71.337959][ T6966]  ? sco_chan_del+0xd0/0x430
[   71.342537][ T6966]  ? __sock_release+0x280/0x280
[   71.347362][ T6966]  panic+0x2e3/0x75c
[   71.351230][ T6966]  ? __warn_printk+0xf3/0xf3
[   71.355796][ T6966]  ? preempt_schedule_common+0x59/0xc0
[   71.361226][ T6966]  ? sco_chan_del+0xe6/0x430
[   71.365789][ T6966]  ? preempt_schedule_thunk+0x16/0x18
[   71.371133][ T6966]  ? trace_hardirqs_on+0x55/0x220
[   71.376129][ T6966]  ? sco_chan_del+0xe6/0x430
[   71.380688][ T6966]  ? sco_chan_del+0xe6/0x430
[   71.385257][ T6966]  ? __sock_release+0x280/0x280
[   71.390084][ T6966]  end_report+0x4d/0x53
[   71.394210][ T6966]  kasan_report.cold+0xd/0x37
[   71.398862][ T6966]  ? sco_chan_del+0xe6/0x430
[   71.403465][ T6966]  check_memory_region+0x13d/0x180
[   71.408550][ T6966]  sco_chan_del+0xe6/0x430
[   71.412953][ T6966]  __sco_sock_close+0x16e/0x5b0
[   71.417785][ T6966]  sco_sock_release+0x69/0x290
[   71.422527][ T6966]  __sock_release+0xcd/0x280
[   71.427094][ T6966]  sock_close+0x18/0x20
[   71.431227][ T6966]  __fput+0x33c/0x880
[   71.435186][ T6966]  task_work_run+0xdd/0x190
[   71.439712][ T6966]  do_exit+0xb7d/0x29f0
[   71.443840][ T6966]  ? lock_acquire+0x1f1/0xad0
[   71.448489][ T6966]  ? find_held_lock+0x2d/0x110
[   71.453222][ T6966]  ? mm_update_next_owner+0x7a0/0x7a0
[   71.458565][ T6966]  ? get_signal+0x332/0x1ee0
[   71.463127][ T6966]  ? lock_downgrade+0x830/0x830
[   71.467955][ T6966]  ? lock_is_held_type+0xbb/0xf0
[   71.472874][ T6966]  do_group_exit+0x125/0x310
[   71.477438][ T6966]  get_signal+0x40b/0x1ee0
[   71.481826][ T6966]  ? lockdep_hardirqs_on_prepare+0x354/0x530
[   71.487786][ T6966]  ? sco_sock_connect+0x4e4/0x980
[   71.492782][ T6966]  ? lockdep_hardirqs_on+0x76/0xf0
[   71.497864][ T6966]  ? sco_sock_connect+0x4e4/0x980
[   71.502861][ T6966]  arch_do_signal+0x82/0x2520
[   71.507510][ T6966]  ? sco_sock_release+0x290/0x290
[   71.512506][ T6966]  ? __sys_connect_file+0x4e/0x1a0
[   71.517591][ T6966]  ? copy_siginfo_to_user32+0xa0/0xa0
[   71.522931][ T6966]  ? __sys_connect+0x109/0x190
[   71.527665][ T6966]  ? __sys_connect_file+0x1a0/0x1a0
[   71.532851][ T6966]  ? exit_to_user_mode_prepare+0xce/0x1d0
[   71.538545][ T6966]  ? lockdep_hardirqs_on_prepare+0x354/0x530
[   71.544498][ T6966]  exit_to_user_mode_prepare+0x172/0x1d0
[   71.550104][ T6966]  syscall_exit_to_user_mode+0x59/0x2b0
[   71.555623][ T6966]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[   71.561484][ T6966] RIP: 0033:0x446eb9
[   71.565344][ T6966] Code: Bad RIP value.
[   71.569378][ T6966] RSP: 002b:00007fffdcf41b98 EFLAGS: 00000246 ORIG_RAX: 000000000000002a
[   71.577758][ T6966] RAX: fffffffffffffffc RBX: 0000000000000000 RCX: 0000000000446eb9
[   71.585700][ T6966] RDX: 0000000000000008 RSI: 0000000020000540 RDI: 0000000000000004
[   71.593654][ T6966] RBP: 0000000000000004 R08: 0000000000000002 R09: 00000000000000ff
[   71.601597][ T6966] R10: 0000000000000004 R11: 0000000000000246 R12: 0000000000000000
[   71.609542][ T6966] R13: 0000000000407b10 R14: 0000000000000000 R15: 0000000000000000
[   71.618655][ T6966] Kernel Offset: disabled
[   71.622968][ T6966] Rebooting in 86400 seconds..