[ OK ] Reached target Login Prompts.
[ OK ] Reached target Multi-User System.
[ OK ] Reached target Graphical Interface.
Starting Update UTMP about System Runlevel Changes...
[ OK ] Started Update UTMP about System Runlevel Changes.
Debian GNU/Linux 9 syzkaller ttyS0
Warning: Permanently added '10.128.0.20' (ECDSA) to the list of known hosts.
executing program
syzkaller login: [ 50.646487][ T148] Bluetooth: hci6: Frame reassembly failed (-84)
[ 50.647444][ T8441] Bluetooth: hci6: Received unexpected HCI Event 00000000
[ 50.659300][ T148] Bluetooth: hci6: Frame reassembly failed (-84)
executing program
executing program
executing program
executing program
executing program
[ 51.049637][ T8460] Bluetooth: hci7: Received unexpected HCI Event 00000000
[ 51.057890][ T8608] ==================================================================
[ 51.066080][ T8608] BUG: KASAN: use-after-free in h4_recv_buf+0x946/0xd50
[ 51.073036][ T8608] Read of size 2 at addr ffff8880359e3b6a by task kworker/u4:7/8608
[ 51.081001][ T8608]
[ 51.083313][ T8608] CPU: 0 PID: 8608 Comm: kworker/u4:7 Not tainted 5.14.0-rc6-syzkaller #0
[ 51.091795][ T8608] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 51.101860][ T8608] Workqueue: events_unbound flush_to_ldisc
[ 51.107679][ T8608] Call Trace:
[ 51.111052][ T8608] dump_stack_lvl+0x1ae/0x29f
[ 51.115735][ T8608] ? show_regs_print_info+0x12/0x12
[ 51.120936][ T8608] ? printk+0xc0/0x108
[ 51.125004][ T8608] ? wake_up_klogd+0xb2/0xf0
[ 51.129593][ T8608] ? log_buf_vmcoreinfo_setup+0x498/0x498
[ 51.135320][ T8608] ? _raw_spin_lock_irqsave+0xbf/0x100
[ 51.140793][ T8608] print_address_description+0x66/0x3b0
[ 51.146331][ T8608] kasan_report+0x163/0x210
[ 51.150829][ T8608] ? h4_recv_buf+0x946/0xd50
[ 51.155413][ T8608] h4_recv_buf+0x946/0xd50
[ 51.159831][ T8608] h4_recv+0xf4/0x1b0
[ 51.163803][ T8608] hci_uart_tty_receive+0x1d2/0x4a0
[ 51.168988][ T8608] ? hci_uart_tty_poll+0x10/0x10
[ 51.173913][ T8608] tty_ldisc_receive_buf+0x128/0x170
[ 51.179208][ T8608] tty_port_default_receive_buf+0x6a/0x90
[ 51.184945][ T8608] flush_to_ldisc+0x2f2/0x510
[ 51.189624][ T8608] process_one_work+0x833/0x10c0
[ 51.194564][ T8608] ? worker_detach_from_pool+0x260/0x260
[ 51.200184][ T8608] ? _raw_spin_lock_irqsave+0x100/0x100
[ 51.205715][ T8608] ? kthread_data+0x4d/0xc0
[ 51.210208][ T8608] ? wq_worker_running+0x8b/0x140
[ 51.215225][ T8608] worker_thread+0xac1/0x1320
[ 51.219905][ T8608] ? __kthread_parkme+0x166/0x1c0
[ 51.224935][ T8608] kthread+0x453/0x480
[ 51.228990][ T8608] ? rcu_lock_release+0x20/0x20
[ 51.233826][ T8608] ? kthread_blkcg+0xd0/0xd0
[ 51.238403][ T8608] ret_from_fork+0x1f/0x30
[ 51.242821][ T8608]
[ 51.245147][ T8608] Allocated by task 8616:
[ 51.249456][ T8608] __kasan_slab_alloc+0x96/0xd0
[ 51.254294][ T8608] kmem_cache_alloc_node+0x200/0x370
[ 51.259568][ T8608] __alloc_skb+0xd8/0x580
[ 51.263887][ T8608] h4_recv_buf+0x274/0xd50
[ 51.268288][ T8608] h4_recv+0xf4/0x1b0
[ 51.272270][ T8608] hci_uart_tty_receive+0x1d2/0x4a0
[ 51.277451][ T8608] tty_ioctl+0xde5/0x1720
[ 51.281766][ T8608] __se_sys_ioctl+0xfb/0x170
[ 51.286357][ T8608] do_syscall_64+0x3d/0xb0
[ 51.290759][ T8608] entry_SYSCALL_64_after_hwframe+0x44/0xae
[ 51.296639][ T8608]
[ 51.298946][ T8608] Freed by task 8460:
[ 51.302909][ T8608] kasan_set_track+0x3d/0x70
[ 51.307483][ T8608] kasan_set_free_info+0x1f/0x40
[ 51.312407][ T8608] ____kasan_slab_free+0x109/0x150
[ 51.317501][ T8608] slab_free_freelist_hook+0x1d8/0x290
[ 51.322946][ T8608] kmem_cache_free+0x85/0x170
[ 51.327606][ T8608] hci_event_packet+0x1238/0x1bd0
[ 51.332630][ T8608] hci_rx_work+0x229/0x410
[ 51.337034][ T8608] process_one_work+0x833/0x10c0
[ 51.341958][ T8608] worker_thread+0xac1/0x1320
[ 51.346631][ T8608] kthread+0x453/0x480
[ 51.350684][ T8608] ret_from_fork+0x1f/0x30
[ 51.355083][ T8608]
[ 51.357389][ T8608] The buggy address belongs to the object at ffff8880359e3b40
[ 51.357389][ T8608] which belongs to the cache skbuff_head_cache of size 232
[ 51.371952][ T8608] The buggy address is located 42 bytes inside of
[ 51.371952][ T8608] 232-byte region [ffff8880359e3b40, ffff8880359e3c28)
[ 51.385221][ T8608] The buggy address belongs to the page:
[ 51.390842][ T8608] page:ffffea0000d678c0 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x359e3
[ 51.400990][ T8608] flags: 0xfff00000000200(slab|node=0|zone=1|lastcpupid=0x7ff)
[ 51.408554][ T8608] raw: 00fff00000000200 ffffea0000df2c80 0000000200000002 ffff8881445f9140
[ 51.417234][ T8608] raw: 0000000000000000 00000000000c000c 00000001ffffffff 0000000000000000
[ 51.425813][ T8608] page dumped because: kasan: bad access detected
[ 51.432218][ T8608] page_owner tracks the page as allocated
[ 51.438037][ T8608] page last allocated via order 0, migratetype Unmovable, gfp_mask 0x12cc0(GFP_KERNEL|__GFP_NOWARN|__GFP_NORETRY), pid 6468, ts 40643694449, free_ts 40631410813
[ 51.454084][ T8608] get_page_from_freelist+0x779/0xa30
[ 51.459463][ T8608] __alloc_pages+0x26c/0x5f0
[ 51.464040][ T8608] allocate_slab+0xf1/0x540
[ 51.468529][ T8608] ___slab_alloc+0x1cf/0x350
[ 51.473101][ T8608] kmem_cache_alloc+0x299/0x340
[ 51.477935][ T8608] skb_clone+0x1b4/0x360
[ 51.482171][ T8608] netlink_broadcast_filtered+0x63f/0x1110
[ 51.487962][ T8608] netlink_sendmsg+0x953/0xe00
[ 51.492712][ T8608] ____sys_sendmsg+0x5a2/0x900
[ 51.497461][ T8608] __sys_sendmsg+0x319/0x400
[ 51.502033][ T8608] do_syscall_64+0x3d/0xb0
[ 51.506433][ T8608] entry_SYSCALL_64_after_hwframe+0x44/0xae
[ 51.512326][ T8608] page last free stack trace:
[ 51.516979][ T8608] free_pcp_prepare+0xc29/0xd20
[ 51.521813][ T8608] free_unref_page+0x7e/0x550
[ 51.526494][ T8608] __slab_free+0x5c0/0x6b0
[ 51.530894][ T8608] ___cache_free+0xfc/0x120
[ 51.535381][ T8608] kasan_quarantine_reduce+0x151/0x1c0
[ 51.540830][ T8608] __kasan_slab_alloc+0x2f/0xd0
[ 51.545664][ T8608] __kmalloc+0x229/0x390
[ 51.549888][ T8608] tomoyo_realpath_from_path+0xd8/0x610
[ 51.555417][ T8608] tomoyo_path2_perm+0x2d1/0xb30
[ 51.560341][ T8608] tomoyo_path_rename+0x148/0x190
[ 51.565361][ T8608] security_path_rename+0x21b/0x2e0
[ 51.570564][ T8608] do_renameat2+0x779/0x1440
[ 51.575145][ T8608] __x64_sys_rename+0x82/0x90
[ 51.579812][ T8608] do_syscall_64+0x3d/0xb0
[ 51.584223][ T8608] entry_SYSCALL_64_after_hwframe+0x44/0xae
[ 51.590127][ T8608]
[ 51.592440][ T8608] Memory state around the buggy address:
[ 51.598053][ T8608]  ffff8880359e3a00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 51.606098][ T8608]  ffff8880359e3a80: fb fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc
[ 51.614141][ T8608] >ffff8880359e3b00: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb
[ 51.622182][ T8608]                                                           ^
[ 51.629796][ T8608]  ffff8880359e3b80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 51.637854][ T8608]  ffff8880359e3c00: fb fb fb fb fb fc fc fc fc fc fc fc fc fc fc fc
[ 51.645904][ T8608] ==================================================================
[ 51.653951][ T8608] Disabling lock debugging due to kernel taint
[ 51.661183][ T8608] Kernel panic - not syncing: panic_on_warn set ...
[ 51.667779][ T8608] CPU: 1 PID: 8608 Comm: kworker/u4:7 Tainted: G B 5.14.0-rc6-syzkaller #0
[ 51.677679][ T8608] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 51.687732][ T8608] Workqueue: events_unbound flush_to_ldisc
[ 51.693552][ T8608] Call Trace:
[ 51.696829][ T8608] dump_stack_lvl+0x1ae/0x29f
[ 51.701515][ T8608] ? show_regs_print_info+0x12/0x12
[ 51.706720][ T8608] ? log_buf_vmcoreinfo_setup+0x498/0x498
[ 51.712443][ T8608] ? preempt_schedule+0x14a/0x170
[ 51.717470][ T8608] ? schedule_preempt_disabled+0x20/0x20
[ 51.723105][ T8608] panic+0x2e1/0x850
[ 51.727007][ T8608] ? trace_hardirqs_on+0x30/0x80
[ 51.731943][ T8608] ? nmi_panic+0x90/0x90
[ 51.736186][ T8608] ? _raw_spin_unlock_irqrestore+0x110/0x120
[ 51.742167][ T8608] ? print_memory_metadata+0xa7/0x100
[ 51.747543][ T8608] kasan_report+0x206/0x210
[ 51.752049][ T8608] ? h4_recv_buf+0x946/0xd50
[ 51.756645][ T8608] h4_recv_buf+0x946/0xd50
[ 51.761077][ T8608] h4_recv+0xf4/0x1b0
[ 51.765069][ T8608] hci_uart_tty_receive+0x1d2/0x4a0
[ 51.770272][ T8608] ? hci_uart_tty_poll+0x10/0x10
[ 51.775221][ T8608] tty_ldisc_receive_buf+0x128/0x170
[ 51.780516][ T8608] tty_port_default_receive_buf+0x6a/0x90
[ 51.786242][ T8608] flush_to_ldisc+0x2f2/0x510
[ 51.790927][ T8608] process_one_work+0x833/0x10c0
[ 51.795871][ T8608] ? worker_detach_from_pool+0x260/0x260
[ 51.801593][ T8608] ? _raw_spin_lock_irqsave+0x100/0x100
[ 51.807126][ T8608] ? kthread_data+0x4d/0xc0
[ 51.811622][ T8608] ? wq_worker_running+0x8b/0x140
[ 51.816657][ T8608] worker_thread+0xac1/0x1320
[ 51.821330][ T8608] ? __kthread_parkme+0x166/0x1c0
[ 51.826352][ T8608] kthread+0x453/0x480
[ 51.830403][ T8608] ? rcu_lock_release+0x20/0x20
[ 51.835234][ T8608] ? kthread_blkcg+0xd0/0xd0
[ 51.839805][ T8608] ret_from_fork+0x1f/0x30
[ 51.845389][ T8608] Kernel Offset: disabled
[ 51.849708][ T8608] Rebooting in 86400 seconds..