[ OK ] Listening on Load/Save RF Kill Switch Status /dev/rfkill Watch.
[ OK ] Started Getty on tty6.
[ OK ] Started Getty on tty5.
[ OK ] Started Getty on tty4.
[ OK ] Started Getty on tty3.
[ OK ] Started Getty on tty2.
[ OK ] Started Getty on tty1.
[ OK ] Started Serial Getty on ttyS0.
[ OK ] Reached target Login Prompts.
[ OK ] Reached target Multi-User System.
[ OK ] Reached target Graphical Interface.
       Starting Update UTMP about System Runlevel Changes...
       Starting Load/Save RF Kill Switch Status...
[ OK ] Started Update UTMP about System Runlevel Changes.
[ OK ] Started Load/Save RF Kill Switch Status.

Debian GNU/Linux 9 syzkaller ttyS0

Warning: Permanently added '10.128.1.41' (ECDSA) to the list of known hosts.

syzkaller login: [ 66.773957][ T27] audit: type=1400 audit(1596396404.277:8): avc: denied { execmem } for pid=6828 comm="syz-executor604" scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=process permissive=1
[ 66.790133][ T6829] IPVS: ftp: loaded support on port[0] = 21
executing program
[ 67.964758][ T6855] ==================================================================
[ 67.972998][ T6855] BUG: KASAN: use-after-free in hci_send_acl+0xabe/0xc60
[ 67.980035][ T6855] Read of size 8 at addr ffff8880a6ff8818 by task kworker/u5:2/6855
[ 67.987996][ T6855]
[ 67.990323][ T6855] CPU: 1 PID: 6855 Comm: kworker/u5:2 Not tainted 5.8.0-rc7-syzkaller #0
[ 67.998721][ T6855] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 68.008780][ T6855] Workqueue: hci0 hci_rx_work
[ 68.013441][ T6855] Call Trace:
[ 68.016731][ T6855]  dump_stack+0x18f/0x20d
[ 68.021061][ T6855]  ? hci_send_acl+0xabe/0xc60
[ 68.025737][ T6855]  ? hci_send_acl+0xabe/0xc60
[ 68.030407][ T6855]  print_address_description.constprop.0.cold+0xae/0x436
[ 68.037437][ T6855]  ? lockdep_hardirqs_off+0x66/0xa0
[ 68.042651][ T6855]  ? vprintk_func+0x97/0x1a6
[ 68.047237][ T6855]  ? hci_send_acl+0xabe/0xc60
[ 68.051904][ T6855]  kasan_report.cold+0x1f/0x37
[ 68.056694][ T6855]  ? rcu_read_lock_any_held+0xa0/0xd0
[ 68.062062][ T6855]  ? hci_send_acl+0xabe/0xc60
[ 68.066756][ T6855]  hci_send_acl+0xabe/0xc60
[ 68.072211][ T6855]  ? __phys_addr+0x9a/0x110
[ 68.076716][ T6855]  ? memset+0x20/0x40
[ 68.088730][ T6855]  ? __alloc_skb+0x34a/0x550
[ 68.093323][ T6855]  l2cap_send_cmd+0x6d5/0x8a0
[ 68.098000][ T6855]  l2cap_recv_frame+0x6936/0xae10
[ 68.103040][ T6855]  ? l2cap_config_rsp.isra.0+0x1130/0x1130
[ 68.108836][ T6855]  ? find_held_lock+0x2d/0x110
[ 68.113606][ T6855]  ? hci_rx_work+0x498/0xb10
[ 68.118714][ T6855]  ? lock_downgrade+0x820/0x820
[ 68.123578][ T6855]  ? lock_acquire+0x1f1/0xad0
[ 68.128247][ T6855]  ? hci_rx_work+0x33d/0xb10
[ 68.132842][ T6855]  ? find_held_lock+0x2d/0x110
[ 68.137606][ T6855]  ? __mutex_unlock_slowpath+0xe2/0x610
[ 68.143167][ T6855]  ? hci_conn_enter_active_mode+0x123/0x2f0
[ 68.149061][ T6855]  l2cap_recv_acldata+0x7f6/0x8e0
[ 68.154111][ T6855]  hci_rx_work+0x4c7/0xb10
[ 68.158634][ T6855]  process_one_work+0x94c/0x1670
[ 68.163586][ T6855]  ? lock_release+0x8d0/0x8d0
[ 68.172346][ T6855]  ? pwq_dec_nr_in_flight+0x2d0/0x2d0
[ 68.177725][ T6855]  ? rwlock_bug.part.0+0x90/0x90
[ 68.182674][ T6855]  ? lockdep_hardirqs_off+0x66/0xa0
[ 68.187870][ T6855]  worker_thread+0x64c/0x1120
[ 68.192548][ T6855]  ? __kthread_parkme+0x13f/0x1e0
[ 68.197838][ T6855]  ? process_one_work+0x1670/0x1670
[ 68.203045][ T6855]  kthread+0x3b5/0x4a0
[ 68.207118][ T6855]  ? __kthread_bind_mask+0xc0/0xc0
[ 68.212218][ T6855]  ? __kthread_bind_mask+0xc0/0xc0
[ 68.217326][ T6855]  ret_from_fork+0x1f/0x30
[ 68.221745][ T6855]
[ 68.224065][ T6855] Allocated by task 6855:
[ 68.228397][ T6855]  save_stack+0x1b/0x40
[ 68.232556][ T6855]  __kasan_kmalloc.constprop.0+0xc2/0xd0
[ 68.238181][ T6855]  kmem_cache_alloc_trace+0x14f/0x2d0
[ 68.243557][ T6855]  hci_chan_create+0x9b/0x330
[ 68.248228][ T6855]  l2cap_conn_add.part.0+0x1e/0xe10
[ 68.253420][ T6855]  l2cap_connect_cfm+0x23b/0x1090
[ 68.258447][ T6855]  hci_event_packet+0x3e01/0x86f5
[ 68.263466][ T6855]  hci_rx_work+0x22e/0xb10
[ 68.267876][ T6855]  process_one_work+0x94c/0x1670
[ 68.272806][ T6855]  worker_thread+0x64c/0x1120
[ 68.277474][ T6855]  kthread+0x3b5/0x4a0
[ 68.281537][ T6855]  ret_from_fork+0x1f/0x30
[ 68.286551][ T6855]
[ 68.288865][ T6855] Freed by task 6855:
[ 68.292840][ T6855]  save_stack+0x1b/0x40
[ 68.296982][ T6855]  __kasan_slab_free+0xf5/0x140
[ 68.301822][ T6855]  kfree+0x103/0x2c0
[ 68.305713][ T6855]  hci_event_packet+0x319a/0x86f5
[ 68.310822][ T6855]  hci_rx_work+0x22e/0xb10
[ 68.315232][ T6855]  process_one_work+0x94c/0x1670
[ 68.320174][ T6855]  worker_thread+0x64c/0x1120
[ 68.324856][ T6855]  kthread+0x3b5/0x4a0
[ 68.328928][ T6855]  ret_from_fork+0x1f/0x30
[ 68.333323][ T6855]
[ 68.335646][ T6855] The buggy address belongs to the object at ffff8880a6ff8800
[ 68.335646][ T6855]  which belongs to the cache kmalloc-128 of size 128
[ 68.349697][ T6855] The buggy address is located 24 bytes inside of
[ 68.349697][ T6855]  128-byte region [ffff8880a6ff8800, ffff8880a6ff8880)
[ 68.362887][ T6855] The buggy address belongs to the page:
[ 68.368535][ T6855] page:ffffea00029bfe00 refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff8880a6ff8c00
[ 68.378942][ T6855] flags: 0xfffe0000000200(slab)
[ 68.383813][ T6855] raw: 00fffe0000000200 ffffea0002934388 ffff8880aa001540 ffff8880aa000700
[ 68.392395][ T6855] raw: ffff8880a6ff8c00 ffff8880a6ff8000 000000010000000c 0000000000000000
[ 68.400963][ T6855] page dumped because: kasan: bad access detected
[ 68.407372][ T6855]
[ 68.409693][ T6855] Memory state around the buggy address:
[ 68.415403][ T6855]  ffff8880a6ff8700: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 68.423453][ T6855]  ffff8880a6ff8780: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 68.431517][ T6855] >ffff8880a6ff8800: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 68.439562][ T6855]                                                       ^
[ 68.444401][ T6855]  ffff8880a6ff8880: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 68.452453][ T6855]  ffff8880a6ff8900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 68.460504][ T6855] ==================================================================
[ 68.468551][ T6855] Disabling lock debugging due to kernel taint
[ 68.479292][ T6855] Kernel panic - not syncing: panic_on_warn set ...
[ 68.486154][ T6855] CPU: 0 PID: 6855 Comm: kworker/u5:2 Tainted: G B 5.8.0-rc7-syzkaller #0
[ 68.495945][ T6855] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 68.506003][ T6855] Workqueue: hci0 hci_rx_work
[ 68.510670][ T6855] Call Trace:
[ 68.513938][ T6855]  dump_stack+0x18f/0x20d
[ 68.518682][ T6855]  ? hci_send_acl+0xa70/0xc60
[ 68.523334][ T6855]  panic+0x2e3/0x75c
[ 68.527203][ T6855]  ? __warn_printk+0xf3/0xf3
[ 68.531801][ T6855]  ? preempt_schedule_common+0x59/0xc0
[ 68.537244][ T6855]  ? hci_send_acl+0xabe/0xc60
[ 68.541904][ T6855]  ? preempt_schedule_thunk+0x16/0x18
[ 68.547379][ T6855]  ? trace_hardirqs_on+0x55/0x220
[ 68.552375][ T6855]  ? hci_send_acl+0xabe/0xc60
[ 68.557041][ T6855]  ? hci_send_acl+0xabe/0xc60
[ 68.561708][ T6855]  end_report+0x4d/0x53
[ 68.565838][ T6855]  kasan_report.cold+0xd/0x37
[ 68.570489][ T6855]  ? rcu_read_lock_any_held+0xa0/0xd0
[ 68.575852][ T6855]  ? hci_send_acl+0xabe/0xc60
[ 68.580599][ T6855]  hci_send_acl+0xabe/0xc60
[ 68.585086][ T6855]  ? __phys_addr+0x9a/0x110
[ 68.589562][ T6855]  ? memset+0x20/0x40
[ 68.593531][ T6855]  ? __alloc_skb+0x34a/0x550
[ 68.598116][ T6855]  l2cap_send_cmd+0x6d5/0x8a0
[ 68.602770][ T6855]  l2cap_recv_frame+0x6936/0xae10
[ 68.607769][ T6855]  ? l2cap_config_rsp.isra.0+0x1130/0x1130
[ 68.613549][ T6855]  ? find_held_lock+0x2d/0x110
[ 68.618286][ T6855]  ? hci_rx_work+0x498/0xb10
[ 68.622875][ T6855]  ? lock_downgrade+0x820/0x820
[ 68.628317][ T6855]  ? lock_acquire+0x1f1/0xad0
[ 68.632967][ T6855]  ? hci_rx_work+0x33d/0xb10
[ 68.637528][ T6855]  ? find_held_lock+0x2d/0x110
[ 68.642269][ T6855]  ? __mutex_unlock_slowpath+0xe2/0x610
[ 68.647788][ T6855]  ? hci_conn_enter_active_mode+0x123/0x2f0
[ 68.653655][ T6855]  l2cap_recv_acldata+0x7f6/0x8e0
[ 68.658659][ T6855]  hci_rx_work+0x4c7/0xb10
[ 68.663086][ T6855]  process_one_work+0x94c/0x1670
[ 68.667999][ T6855]  ? lock_release+0x8d0/0x8d0
[ 68.672648][ T6855]  ? pwq_dec_nr_in_flight+0x2d0/0x2d0
[ 68.678002][ T6855]  ? rwlock_bug.part.0+0x90/0x90
[ 68.682957][ T6855]  ? lockdep_hardirqs_off+0x66/0xa0
[ 68.688151][ T6855]  worker_thread+0x64c/0x1120
[ 68.692807][ T6855]  ? __kthread_parkme+0x13f/0x1e0
[ 68.697803][ T6855]  ? process_one_work+0x1670/0x1670
[ 68.702985][ T6855]  kthread+0x3b5/0x4a0
[ 68.707041][ T6855]  ? __kthread_bind_mask+0xc0/0xc0
[ 68.712131][ T6855]  ? __kthread_bind_mask+0xc0/0xc0
[ 68.717236][ T6855]  ret_from_fork+0x1f/0x30
[ 68.722677][ T6855] Kernel Offset: disabled
[ 68.727423][ T6855] Rebooting in 86400 seconds..