[[0;32m  OK  [0m] Started Getty on tty4.
[[0;32m  OK  [0m] Started Getty on tty3.
[[0;32m  OK  [0m] Started Getty on tty2.
[[0;32m  OK  [0m] Started Getty on tty1.
[[0;32m  OK  [0m] Started Serial Getty on ttyS0.
[[0;32m  OK  [0m] Reached target Login Prompts.
[[0;32m  OK  [0m] Reached target Multi-User System.
[[0;32m  OK  [0m] Reached target Graphical Interface.
         Starting Update UTMP about System Runlevel Changes...
[[0;32m  OK  [0m] Started Update UTMP about System Runlevel Changes.
         Starting Load/Save RF Kill Switch Status...
[[0;32m  OK  [0m] Started Load/Save RF Kill Switch Status.

Debian GNU/Linux 9 syzkaller ttyS0

Warning: Permanently added '10.128.0.171' (ECDSA) to the list of known hosts.
syzkaller login: [   58.340939][ T6857] IPVS: ftp: loaded support on port[0] = 21
executing program
[   61.512948][ T3916] Bluetooth: hci0: command 0x0409 tx timeout
[   63.592156][ T2963] Bluetooth: hci0: command 0x041b tx timeout
executing program
[   65.671990][ T2963] Bluetooth: hci0: command 0x040f tx timeout
[   67.751702][ T2963] Bluetooth: hci0: command 0x0419 tx timeout
[   69.468509][ T6891] ==================================================================
[   69.476697][ T6891] BUG: KASAN: use-after-free in sco_chan_del+0xe6/0x430
[   69.483621][ T6891] Write of size 4 at addr ffff8880982b8010 by task syz-executor290/6891
[   69.491910][ T6891] 
[   69.494230][ T6891] CPU: 0 PID: 6891 Comm: syz-executor290 Not tainted 5.8.0-syzkaller #0
[   69.502657][ T6891] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   69.512839][ T6891] Call Trace:
[   69.516109][ T6891]  dump_stack+0x18f/0x20d
[   69.520416][ T6891]  ? sco_chan_del+0xe6/0x430
[   69.524980][ T6891]  ? sco_chan_del+0xe6/0x430
[   69.529590][ T6891]  print_address_description.constprop.0.cold+0xae/0x497
[   69.536596][ T6891]  ? sco_chan_del+0xab/0x430
[   69.541163][ T6891]  ? vprintk_func+0x97/0x1a6
[   69.545726][ T6891]  ? sco_chan_del+0xe6/0x430
[   69.550292][ T6891]  ? sco_chan_del+0xe6/0x430
[   69.554861][ T6891]  kasan_report.cold+0x1f/0x37
[   69.559619][ T6891]  ? sco_chan_del+0xe6/0x430
[   69.564194][ T6891]  check_memory_region+0x13d/0x180
[   69.569281][ T6891]  sco_chan_del+0xe6/0x430
[   69.573678][ T6891]  __sco_sock_close+0x16e/0x5b0
[   69.578526][ T6891]  sco_sock_release+0x69/0x290
[   69.583268][ T6891]  __sock_release+0xcd/0x280
[   69.587833][ T6891]  sock_close+0x18/0x20
[   69.591965][ T6891]  __fput+0x285/0x920
[   69.595924][ T6891]  ? __sock_release+0x280/0x280
[   69.600756][ T6891]  task_work_run+0xdd/0x190
[   69.605238][ T6891]  do_exit+0xb7d/0x29f0
[   69.609371][ T6891]  ? lock_acquire+0x1f1/0xad0
[   69.614029][ T6891]  ? find_held_lock+0x2d/0x110
[   69.618767][ T6891]  ? mm_update_next_owner+0x7a0/0x7a0
[   69.624114][ T6891]  ? get_signal+0x332/0x1ee0
[   69.628729][ T6891]  ? lock_downgrade+0x830/0x830
[   69.633554][ T6891]  ? lock_is_held_type+0xbb/0xf0
[   69.638464][ T6891]  do_group_exit+0x125/0x310
[   69.643033][ T6891]  get_signal+0x40b/0x1ee0
[   69.647425][ T6891]  ? lockdep_hardirqs_on_prepare+0x354/0x530
[   69.653379][ T6891]  ? sco_sock_connect+0x4e4/0x980
[   69.658375][ T6891]  ? lockdep_hardirqs_on+0x76/0xf0
[   69.663459][ T6891]  ? sco_sock_connect+0x4e4/0x980
[   69.668460][ T6891]  arch_do_signal+0x82/0x2520
[   69.673110][ T6891]  ? sco_sock_release+0x290/0x290
[   69.678108][ T6891]  ? __sys_connect_file+0x4e/0x1a0
[   69.683193][ T6891]  ? copy_siginfo_to_user32+0xa0/0xa0
[   69.688552][ T6891]  ? __sys_connect+0x109/0x190
[   69.693291][ T6891]  ? __sys_connect_file+0x1a0/0x1a0
[   69.698469][ T6891]  ? exit_to_user_mode_prepare+0xce/0x1d0
[   69.704163][ T6891]  ? lockdep_hardirqs_on_prepare+0x354/0x530
[   69.710118][ T6891]  exit_to_user_mode_prepare+0x172/0x1d0
[   69.715723][ T6891]  syscall_exit_to_user_mode+0x59/0x2b0
[   69.721243][ T6891]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[   69.727146][ T6891] RIP: 0033:0x446dc9
[   69.731018][ T6891] Code: Bad RIP value.
[   69.735056][ T6891] RSP: 002b:00007ffcef51a8f8 EFLAGS: 00000246 ORIG_RAX: 000000000000002a
[   69.743442][ T6891] RAX: fffffffffffffffc RBX: 0000000000000003 RCX: 0000000000446dc9
[   69.751391][ T6891] RDX: 0000000000000008 RSI: 0000000020000080 RDI: 0000000000000004
[   69.759346][ T6891] RBP: 00007ffcef51a930 R08: 0000000000000002 R09: 00000000000000ff
[   69.767290][ T6891] R10: 0000000000000004 R11: 0000000000000246 R12: 000000000000e84b
[   69.775236][ T6891] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[   69.783229][ T6891] 
[   69.785530][ T6891] Allocated by task 6885:
[   69.789835][ T6891]  kasan_save_stack+0x1b/0x40
[   69.794483][ T6891]  __kasan_kmalloc.constprop.0+0xbf/0xd0
[   69.800087][ T6891]  kmem_cache_alloc_trace+0x16e/0x2c0
[   69.805437][ T6891]  hci_conn_add+0x53/0x1330
[   69.809912][ T6891]  hci_connect_sco+0x356/0x860
[   69.814647][ T6891]  sco_sock_connect+0x308/0x980
[   69.819466][ T6891]  __sys_connect_file+0x155/0x1a0
[   69.824460][ T6891]  __sys_connect+0x160/0x190
[   69.829021][ T6891]  __x64_sys_connect+0x6f/0xb0
[   69.833773][ T6891]  do_syscall_64+0x2d/0x70
[   69.838173][ T6891]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[   69.844027][ T6891] 
[   69.846326][ T6891] Freed by task 6884:
[   69.850278][ T6891]  kasan_save_stack+0x1b/0x40
[   69.854925][ T6891]  kasan_set_track+0x1c/0x30
[   69.859484][ T6891]  kasan_set_free_info+0x1b/0x30
[   69.864393][ T6891]  __kasan_slab_free+0xd8/0x120
[   69.869211][ T6891]  kfree+0x103/0x2c0
[   69.873095][ T6891]  device_release+0x71/0x200
[   69.877662][ T6891]  kobject_put+0x171/0x270
[   69.882136][ T6891]  put_device+0x1b/0x30
[   69.886263][ T6891]  hci_conn_del+0x27e/0x6a0
[   69.890737][ T6891]  hci_phy_link_complete_evt.isra.0+0x508/0x790
[   69.896946][ T6891]  hci_event_packet+0x4696/0x87a8
[   69.901938][ T6891]  hci_rx_work+0x22e/0xb50
[   69.906343][ T6891]  process_one_work+0x94c/0x1670
[   69.911252][ T6891]  worker_thread+0x64c/0x1120
[   69.915899][ T6891]  kthread+0x3b5/0x4a0
[   69.919952][ T6891]  ret_from_fork+0x1f/0x30
[   69.924335][ T6891] 
[   69.926637][ T6891] The buggy address belongs to the object at ffff8880982b8000
[   69.926637][ T6891]  which belongs to the cache kmalloc-4k of size 4096
[   69.940657][ T6891] The buggy address is located 16 bytes inside of
[   69.940657][ T6891]  4096-byte region [ffff8880982b8000, ffff8880982b9000)
[   69.953982][ T6891] The buggy address belongs to the page:
[   69.959688][ T6891] page:000000003354a4b4 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x982b8
[   69.969803][ T6891] head:000000003354a4b4 order:1 compound_mapcount:0
[   69.976361][ T6891] flags: 0xfffe0000010200(slab|head)
[   69.981620][ T6891] raw: 00fffe0000010200 ffffea00024e0508 ffffea00024f7f88 ffff8880aa040900
[   69.990181][ T6891] raw: 0000000000000000 ffff8880982b8000 0000000100000001 0000000000000000
[   69.998731][ T6891] page dumped because: kasan: bad access detected
[   70.005108][ T6891] 
[   70.007404][ T6891] Memory state around the buggy address:
[   70.013007][ T6891]  ffff8880982b7f00: fb fb fb fb fb fb fc fc fc fc fa fb fb fb fb fb
[   70.021039][ T6891]  ffff8880982b7f80: fb fb fb fb fc fc fc fc fc fc fc fc fc fc fc fc
[   70.029071][ T6891] >ffff8880982b8000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   70.037100][ T6891]                          ^
[   70.041660][ T6891]  ffff8880982b8080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   70.049699][ T6891]  ffff8880982b8100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   70.057724][ T6891] ==================================================================
[   70.065754][ T6891] Disabling lock debugging due to kernel taint
[   70.081431][ T2963] Bluetooth: hci0: command 0x0405 tx timeout
[   70.088337][ T6891] Kernel panic - not syncing: panic_on_warn set ...
[   70.094928][ T6891] CPU: 0 PID: 6891 Comm: syz-executor290 Tainted: G    B             5.8.0-syzkaller #0
[   70.104619][ T6891] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   70.114646][ T6891] Call Trace:
[   70.117910][ T6891]  dump_stack+0x18f/0x20d
[   70.122212][ T6891]  ? sco_chan_del+0xb0/0x430
[   70.126772][ T6891]  panic+0x2e3/0x75c
[   70.130637][ T6891]  ? __warn_printk+0xf3/0xf3
[   70.135200][ T6891]  ? preempt_schedule_common+0x59/0xc0
[   70.140626][ T6891]  ? sco_chan_del+0xe6/0x430
[   70.145188][ T6891]  ? preempt_schedule_thunk+0x16/0x18
[   70.150529][ T6891]  ? trace_hardirqs_on+0x55/0x220
[   70.155522][ T6891]  ? sco_chan_del+0xe6/0x430
[   70.160079][ T6891]  ? sco_chan_del+0xe6/0x430
[   70.164641][ T6891]  end_report+0x4d/0x53
[   70.168768][ T6891]  kasan_report.cold+0xd/0x37
[   70.173421][ T6891]  ? sco_chan_del+0xe6/0x430
[   70.177980][ T6891]  check_memory_region+0x13d/0x180
[   70.183059][ T6891]  sco_chan_del+0xe6/0x430
[   70.187459][ T6891]  __sco_sock_close+0x16e/0x5b0
[   70.192313][ T6891]  sco_sock_release+0x69/0x290
[   70.197047][ T6891]  __sock_release+0xcd/0x280
[   70.201609][ T6891]  sock_close+0x18/0x20
[   70.205737][ T6891]  __fput+0x285/0x920
[   70.209698][ T6891]  ? __sock_release+0x280/0x280
[   70.214519][ T6891]  task_work_run+0xdd/0x190
[   70.218991][ T6891]  do_exit+0xb7d/0x29f0
[   70.223123][ T6891]  ? lock_acquire+0x1f1/0xad0
[   70.227770][ T6891]  ? find_held_lock+0x2d/0x110
[   70.232505][ T6891]  ? mm_update_next_owner+0x7a0/0x7a0
[   70.237847][ T6891]  ? get_signal+0x332/0x1ee0
[   70.242409][ T6891]  ? lock_downgrade+0x830/0x830
[   70.247231][ T6891]  ? lock_is_held_type+0xbb/0xf0
[   70.252141][ T6891]  do_group_exit+0x125/0x310
[   70.256718][ T6891]  get_signal+0x40b/0x1ee0
[   70.261105][ T6891]  ? lockdep_hardirqs_on_prepare+0x354/0x530
[   70.267056][ T6891]  ? sco_sock_connect+0x4e4/0x980
[   70.272050][ T6891]  ? lockdep_hardirqs_on+0x76/0xf0
[   70.277127][ T6891]  ? sco_sock_connect+0x4e4/0x980
[   70.282123][ T6891]  arch_do_signal+0x82/0x2520
[   70.286767][ T6891]  ? sco_sock_release+0x290/0x290
[   70.291762][ T6891]  ? __sys_connect_file+0x4e/0x1a0
[   70.296843][ T6891]  ? copy_siginfo_to_user32+0xa0/0xa0
[   70.302187][ T6891]  ? __sys_connect+0x109/0x190
[   70.307008][ T6891]  ? __sys_connect_file+0x1a0/0x1a0
[   70.312183][ T6891]  ? exit_to_user_mode_prepare+0xce/0x1d0
[   70.317873][ T6891]  ? lockdep_hardirqs_on_prepare+0x354/0x530
[   70.323823][ T6891]  exit_to_user_mode_prepare+0x172/0x1d0
[   70.329426][ T6891]  syscall_exit_to_user_mode+0x59/0x2b0
[   70.334942][ T6891]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[   70.340803][ T6891] RIP: 0033:0x446dc9
[   70.344663][ T6891] Code: Bad RIP value.
[   70.348699][ T6891] RSP: 002b:00007ffcef51a8f8 EFLAGS: 00000246 ORIG_RAX: 000000000000002a
[   70.357085][ T6891] RAX: fffffffffffffffc RBX: 0000000000000003 RCX: 0000000000446dc9
[   70.365032][ T6891] RDX: 0000000000000008 RSI: 0000000020000080 RDI: 0000000000000004
[   70.372974][ T6891] RBP: 00007ffcef51a930 R08: 0000000000000002 R09: 00000000000000ff
[   70.380919][ T6891] R10: 0000000000000004 R11: 0000000000000246 R12: 000000000000e84b
[   70.388861][ T6891] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[   70.398051][ T6891] Kernel Offset: disabled
[   70.402361][ T6891] Rebooting in 86400 seconds..