[[0;32m  OK  [0m] Reached target Login Prompts.
[[0;32m  OK  [0m] Reached target Multi-User System.
[[0;32m  OK  [0m] Reached target Graphical Interface.
         Starting Update UTMP about System Runlevel Changes...
[[0;32m  OK  [0m] Started Update UTMP about System Runlevel Changes.

Debian GNU/Linux 9 syzkaller ttyS0

Warning: Permanently added '10.128.1.26' (ECDSA) to the list of known hosts.
syzkaller login: [   75.060619][   T28] audit: type=1400 audit(1596941236.637:8): avc:  denied  { execmem } for  pid=6843 comm="syz-executor956" scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=process permissive=1
[   75.075636][ T6844] IPVS: ftp: loaded support on port[0] = 21
executing program
[   76.200412][ T6844] ==================================================================
[   76.208699][ T6844] BUG: KASAN: use-after-free in hci_chan_del+0x14f/0x190
[   76.215725][ T6844] Read of size 8 at addr ffff88809ea03718 by task syz-executor956/6844
[   76.223963][ T6844] 
[   76.226307][ T6844] CPU: 0 PID: 6844 Comm: syz-executor956 Not tainted 5.8.0-syzkaller #0
[   76.234722][ T6844] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   76.244783][ T6844] Call Trace:
[   76.248084][ T6844]  dump_stack+0x18f/0x20d
[   76.252427][ T6844]  ? hci_chan_del+0x14f/0x190
[   76.257107][ T6844]  ? hci_chan_del+0x14f/0x190
[   76.261799][ T6844]  print_address_description.constprop.0.cold+0xae/0x497
[   76.268833][ T6844]  ? mutex_lock_io_nested+0xf60/0xf60
[   76.274222][ T6844]  ? vprintk_func+0x97/0x1a6
[   76.278826][ T6844]  ? hci_chan_del+0x14f/0x190
[   76.283509][ T6844]  ? hci_chan_del+0x14f/0x190
[   76.288187][ T6844]  kasan_report.cold+0x1f/0x37
[   76.292961][ T6844]  ? hci_chan_del+0x14f/0x190
[   76.297646][ T6844]  hci_chan_del+0x14f/0x190
[   76.302156][ T6844]  l2cap_conn_del+0x61b/0x9e0
[   76.306851][ T6844]  ? l2cap_conn_del+0x9e0/0x9e0
[   76.311711][ T6844]  l2cap_disconn_cfm+0x85/0xa0
[   76.316511][ T6844]  hci_conn_hash_flush+0x114/0x220
[   76.321634][ T6844]  hci_dev_do_close+0x5c6/0x1080
[   76.326578][ T6844]  ? hci_dev_open+0x350/0x350
[   76.331257][ T6844]  ? do_raw_read_unlock+0x70/0x70
[   76.336286][ T6844]  ? try_to_grab_pending.part.0+0x7d0/0x7d0
[   76.342194][ T6844]  hci_unregister_dev+0x1bd/0xe30
[   76.347219][ T6844]  ? fcntl_setlk+0xf60/0xf60
[   76.351809][ T6844]  ? lock_is_held_type+0xbb/0xf0
[   76.356763][ T6844]  vhci_release+0x70/0xe0
[   76.361097][ T6844]  __fput+0x285/0x920
[   76.365093][ T6844]  ? vhci_close_dev+0x50/0x50
[   76.369781][ T6844]  task_work_run+0xdd/0x190
[   76.374293][ T6844]  do_exit+0xb7d/0x29f0
[   76.378465][ T6844]  ? mm_update_next_owner+0x7a0/0x7a0
[   76.383843][ T6844]  ? __blkcg_punt_bio_submit+0x1d0/0x1d0
[   76.389482][ T6844]  ? mem_cgroup_move_account+0xcb0/0xcb0
[   76.395115][ T6844]  ? lock_is_held_type+0xbb/0xf0
[   76.400060][ T6844]  do_group_exit+0x125/0x310
[   76.404642][ T6844]  __x64_sys_exit_group+0x3a/0x50
[   76.409648][ T6844]  do_syscall_64+0x2d/0x70
[   76.414042][ T6844]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[   76.419908][ T6844] RIP: 0033:0x445138
[   76.423774][ T6844] Code: Bad RIP value.
[   76.427813][ T6844] RSP: 002b:00007fffee085608 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
[   76.436200][ T6844] RAX: ffffffffffffffda RBX: 0000000000000001 RCX: 0000000000445138
[   76.444262][ T6844] RDX: 0000000000000001 RSI: 000000000000003c RDI: 0000000000000001
[   76.452221][ T6844] RBP: 00000000004ccef0 R08: 00000000000000e7 R09: ffffffffffffffd0
[   76.460173][ T6844] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000001
[   76.468118][ T6844] R13: 00000000006e0220 R14: 0000000000000000 R15: 0000000000000000
[   76.476077][ T6844] 
[   76.478402][ T6844] Allocated by task 1540:
[   76.482715][ T6844]  kasan_save_stack+0x1b/0x40
[   76.487388][ T6844]  __kasan_kmalloc.constprop.0+0xbf/0xd0
[   76.493018][ T6844]  kmem_cache_alloc_trace+0x16e/0x2c0
[   76.498365][ T6844]  hci_chan_create+0x9b/0x330
[   76.503020][ T6844]  l2cap_conn_add.part.0+0x1e/0xe10
[   76.508192][ T6844]  l2cap_connect_cfm+0x23b/0x1090
[   76.513193][ T6844]  le_conn_complete_evt+0x1153/0x1740
[   76.518539][ T6844]  hci_le_meta_evt+0x745/0x3ff0
[   76.523363][ T6844]  hci_event_packet+0x2e25/0x87a8
[   76.528361][ T6844]  hci_rx_work+0x22e/0xb50
[   76.532755][ T6844]  process_one_work+0x94c/0x1670
[   76.537665][ T6844]  worker_thread+0x64c/0x1120
[   76.542324][ T6844]  kthread+0x3b5/0x4a0
[   76.546456][ T6844]  ret_from_fork+0x1f/0x30
[   76.550840][ T6844] 
[   76.553144][ T6844] Freed by task 6870:
[   76.557099][ T6844]  kasan_save_stack+0x1b/0x40
[   76.561752][ T6844]  kasan_set_track+0x1c/0x30
[   76.566315][ T6844]  kasan_set_free_info+0x1b/0x30
[   76.571228][ T6844]  __kasan_slab_free+0xd8/0x120
[   76.576051][ T6844]  kfree+0x103/0x2c0
[   76.579920][ T6844]  hci_event_packet+0x3e33/0x87a8
[   76.584920][ T6844]  hci_rx_work+0x22e/0xb50
[   76.589311][ T6844]  process_one_work+0x94c/0x1670
[   76.594221][ T6844]  worker_thread+0x64c/0x1120
[   76.598873][ T6844]  kthread+0x3b5/0x4a0
[   76.602916][ T6844]  ret_from_fork+0x1f/0x30
[   76.607299][ T6844] 
[   76.609601][ T6844] The buggy address belongs to the object at ffff88809ea03700
[   76.609601][ T6844]  which belongs to the cache kmalloc-128 of size 128
[   76.623627][ T6844] The buggy address is located 24 bytes inside of
[   76.623627][ T6844]  128-byte region [ffff88809ea03700, ffff88809ea03780)
[   76.636785][ T6844] The buggy address belongs to the page:
[   76.642399][ T6844] page:000000009ca2aa19 refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff88809ea03e00 pfn:0x9ea03
[   76.653819][ T6844] flags: 0xfffe0000000200(slab)
[   76.658646][ T6844] raw: 00fffe0000000200 ffffea0002888208 ffffea0002a491c8 ffff8880aa040400
[   76.667207][ T6844] raw: ffff88809ea03e00 ffff88809ea03000 000000010000000d 0000000000000000
[   76.675761][ T6844] page dumped because: kasan: bad access detected
[   76.682142][ T6844] 
[   76.684445][ T6844] Memory state around the buggy address:
[   76.690049][ T6844]  ffff88809ea03600: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   76.698083][ T6844]  ffff88809ea03680: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   76.706117][ T6844] >ffff88809ea03700: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   76.714152][ T6844]                             ^
[   76.718975][ T6844]  ffff88809ea03780: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   76.727010][ T6844]  ffff88809ea03800: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   76.735128][ T6844] ==================================================================
[   76.743161][ T6844] Disabling lock debugging due to kernel taint
[   76.750107][ T6844] Kernel panic - not syncing: panic_on_warn set ...
[   76.756706][ T6844] CPU: 0 PID: 6844 Comm: syz-executor956 Tainted: G    B             5.8.0-syzkaller #0
[   76.766419][ T6844] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   76.776465][ T6844] Call Trace:
[   76.779754][ T6844]  dump_stack+0x18f/0x20d
[   76.784098][ T6844]  ? hci_chan_del+0xf0/0x190
[   76.788664][ T6844]  panic+0x2e3/0x75c
[   76.792538][ T6844]  ? __warn_printk+0xf3/0xf3
[   76.797105][ T6844]  ? preempt_schedule_common+0x59/0xc0
[   76.802539][ T6844]  ? hci_chan_del+0x14f/0x190
[   76.807200][ T6844]  ? preempt_schedule_thunk+0x16/0x18
[   76.812554][ T6844]  ? trace_hardirqs_on+0x55/0x220
[   76.817562][ T6844]  ? hci_chan_del+0x14f/0x190
[   76.822221][ T6844]  ? hci_chan_del+0x14f/0x190
[   76.826875][ T6844]  end_report+0x4d/0x53
[   76.831005][ T6844]  kasan_report.cold+0xd/0x37
[   76.835660][ T6844]  ? hci_chan_del+0x14f/0x190
[   76.840308][ T6844]  hci_chan_del+0x14f/0x190
[   76.844786][ T6844]  l2cap_conn_del+0x61b/0x9e0
[   76.849475][ T6844]  ? l2cap_conn_del+0x9e0/0x9e0
[   76.854297][ T6844]  l2cap_disconn_cfm+0x85/0xa0
[   76.859034][ T6844]  hci_conn_hash_flush+0x114/0x220
[   76.864122][ T6844]  hci_dev_do_close+0x5c6/0x1080
[   76.869035][ T6844]  ? hci_dev_open+0x350/0x350
[   76.873697][ T6844]  ? do_raw_read_unlock+0x70/0x70
[   76.878700][ T6844]  ? try_to_grab_pending.part.0+0x7d0/0x7d0
[   76.884567][ T6844]  hci_unregister_dev+0x1bd/0xe30
[   76.889566][ T6844]  ? fcntl_setlk+0xf60/0xf60
[   76.894137][ T6844]  ? lock_is_held_type+0xbb/0xf0
[   76.899049][ T6844]  vhci_release+0x70/0xe0
[   76.903354][ T6844]  __fput+0x285/0x920
[   76.907355][ T6844]  ? vhci_close_dev+0x50/0x50
[   76.912018][ T6844]  task_work_run+0xdd/0x190
[   76.916494][ T6844]  do_exit+0xb7d/0x29f0
[   76.920624][ T6844]  ? mm_update_next_owner+0x7a0/0x7a0
[   76.925989][ T6844]  ? __blkcg_punt_bio_submit+0x1d0/0x1d0
[   76.931595][ T6844]  ? mem_cgroup_move_account+0xcb0/0xcb0
[   76.937198][ T6844]  ? lock_is_held_type+0xbb/0xf0
[   76.942111][ T6844]  do_group_exit+0x125/0x310
[   76.946674][ T6844]  __x64_sys_exit_group+0x3a/0x50
[   76.951674][ T6844]  do_syscall_64+0x2d/0x70
[   76.956074][ T6844]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[   76.961938][ T6844] RIP: 0033:0x445138
[   76.965801][ T6844] Code: Bad RIP value.
[   76.969838][ T6844] RSP: 002b:00007fffee085608 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
[   76.978228][ T6844] RAX: ffffffffffffffda RBX: 0000000000000001 RCX: 0000000000445138
[   76.986188][ T6844] RDX: 0000000000000001 RSI: 000000000000003c RDI: 0000000000000001
[   76.994132][ T6844] RBP: 00000000004ccef0 R08: 00000000000000e7 R09: ffffffffffffffd0
[   77.002081][ T6844] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000001
[   77.010547][ T6844] R13: 00000000006e0220 R14: 0000000000000000 R15: 0000000000000000
[   77.019868][ T6844] Kernel Offset: disabled
[   77.024194][ T6844] Rebooting in 86400 seconds..