Warning: Permanently added '10.128.0.108' (ECDSA) to the list of known hosts.
syzkaller login: [ 34.010654] audit: type=1400 audit(1598497908.647:8): avc: denied { execmem } for pid=6364 comm="syz-executor220" scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=process permissive=1
[ 35.128757] IPVS: ftp: loaded support on port[0] = 21
executing program
[ 35.191722] Bluetooth: Unknown advertising packet type: 0x4e
[ 35.197715] Bluetooth: Unknown advertising packet type: 0xff
[ 35.204434] Bluetooth: Unknown advertising packet type: 0xff
[ 35.210276] Bluetooth: Unknown advertising packet type: 0x88
[ 35.216197] Bluetooth: Unknown advertising packet type: 0x88
[ 35.223219] Bluetooth: Unknown advertising packet type: 0xff
[ 35.229016] Bluetooth: Unknown advertising packet type: 0xff
[ 35.235087] ==================================================================
[ 35.242525] BUG: KASAN: slab-out-of-bounds in hci_le_meta_evt+0x37d5/0x3fc0
[ 35.249636] Read of size 1 at addr ffff88809bafe54c by task kworker/u5:1/6368
[ 35.256900]
[ 35.258507] CPU: 1 PID: 6368 Comm: kworker/u5:1 Not tainted 4.14.195-syzkaller #0
[ 35.266101] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 35.275453] Workqueue: hci0 hci_rx_work
[ 35.279403] Call Trace:
[ 35.281989] dump_stack+0x1b2/0x283
[ 35.285599] print_address_description.cold+0x54/0x1d3
[ 35.290869] kasan_report_error.cold+0x8a/0x194
[ 35.295519] ? hci_le_meta_evt+0x37d5/0x3fc0
[ 35.299904] __asan_report_load1_noabort+0x68/0x70
[ 35.304825] ? hci_le_meta_evt+0x37d5/0x3fc0
[ 35.309218] hci_le_meta_evt+0x37d5/0x3fc0
[ 35.313448] ? __lock_acquire+0x5fc/0x3f20
[ 35.317663] ? read_enc_key_size_complete+0xa60/0xa60
[ 35.322828] ? __lock_acquire+0x5fc/0x3f20
[ 35.327042] ? static_obj+0x50/0x50
[ 35.330752] hci_event_packet+0x19eb/0x7d1d
[ 35.335066] ? trace_hardirqs_on+0x10/0x10
[ 35.339295] ? hci_cmd_complete_evt+0x9590/0x9590
[ 35.344115] ? trace_hardirqs_on+0x10/0x10
[ 35.348345] ? trace_hardirqs_on+0x10/0x10
[ 35.352559] ? debug_object_deactivate+0x1da/0x2e0
[ 35.357465] ? trace_hardirqs_on+0x10/0x10
[ 35.361679] ? skb_dequeue+0x120/0x170
[ 35.365544] ? mark_held_locks+0xa6/0xf0
[ 35.369597] ? _raw_spin_unlock_irqrestore+0x79/0xe0
[ 35.374679] ? trace_hardirqs_on_caller+0x3a8/0x580
[ 35.379672] ? _raw_spin_unlock_irqrestore+0x66/0xe0
[ 35.384756] hci_rx_work+0x3e6/0x970
[ 35.388452] ? rcu_lockdep_current_cpu_online+0xed/0x140
[ 35.393881] process_one_work+0x793/0x14a0
[ 35.398111] ? work_busy+0x320/0x320
[ 35.401802] ? worker_thread+0x158/0xff0
[ 35.405843] ? _raw_spin_unlock_irq+0x24/0x80
[ 35.410315] worker_thread+0x5cc/0xff0
[ 35.414183] ? rescuer_thread+0xc80/0xc80
[ 35.418307] kthread+0x30d/0x420
[ 35.421652] ? kthread_create_on_node+0xd0/0xd0
[ 35.426298] ret_from_fork+0x24/0x30
[ 35.430015]
[ 35.431620] Allocated by task 6365:
[ 35.435415] kasan_kmalloc+0xeb/0x160
[ 35.439190] __kmalloc_node_track_caller+0x4c/0x70
[ 35.444099] __alloc_skb+0x96/0x510
[ 35.447701] vhci_write+0xb1/0x420
[ 35.451219] __vfs_write+0x44c/0x630
[ 35.454905] vfs_write+0x17f/0x4d0
[ 35.458436] SyS_write+0xf2/0x210
[ 35.461865] do_syscall_64+0x1d5/0x640
[ 35.465744] entry_SYSCALL_64_after_hwframe+0x46/0xbb
[ 35.470914]
[ 35.472520] Freed by task 4428:
[ 35.475782] kasan_slab_free+0xc3/0x1a0
[ 35.479751] kfree+0xc9/0x250
[ 35.482846] kernfs_fop_release+0x10e/0x180
[ 35.487145] __fput+0x25f/0x7a0
[ 35.490402] task_work_run+0x11f/0x190
[ 35.494269] exit_to_usermode_loop+0x1ad/0x200
[ 35.498833] do_syscall_64+0x4a3/0x640
[ 35.502722] entry_SYSCALL_64_after_hwframe+0x46/0xbb
[ 35.507885]
[ 35.509510] The buggy address belongs to the object at ffff88809bafe340
[ 35.509510] which belongs to the cache kmalloc-512 of size 512
[ 35.522142] The buggy address is located 12 bytes to the right of
[ 35.522142] 512-byte region [ffff88809bafe340, ffff88809bafe540)
[ 35.534427] The buggy address belongs to the page:
[ 35.539360] page:ffffea00026ebf80 count:1 mapcount:0 mapping:ffff88809bafe0c0 index:0x0
[ 35.547480] flags: 0xfffe0000000100(slab)
[ 35.551708] raw: 00fffe0000000100 ffff88809bafe0c0 0000000000000000 0000000100000006
[ 35.559584] raw: ffffea000278f760 ffffea0002792260 ffff88812fe52940 0000000000000000
[ 35.567457] page dumped because: kasan: bad access detected
[ 35.573140]
[ 35.574770] Memory state around the buggy address:
[ 35.579695] ffff88809bafe400: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 35.587033] ffff88809bafe480: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 35.594368] >ffff88809bafe500: 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc
[ 35.601707] ^
[ 35.607409] ffff88809bafe580: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
[ 35.614747] ffff88809bafe600: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 35.622094] ==================================================================
[ 35.629437] Disabling lock debugging due to kernel taint
[ 35.635144] Kernel panic - not syncing: panic_on_warn set ...
[ 35.635144]
[ 35.642505] CPU: 1 PID: 6368 Comm: kworker/u5:1 Tainted: G B 4.14.195-syzkaller #0
[ 35.651330] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 35.660679] Workqueue: hci0 hci_rx_work
[ 35.664644] Call Trace:
[ 35.667205] dump_stack+0x1b2/0x283
[ 35.670826] panic+0x1f9/0x42d
[ 35.673992] ? add_taint.cold+0x16/0x16
[ 35.677941] ? ___preempt_schedule+0x16/0x18
[ 35.682329] kasan_end_report+0x43/0x49
[ 35.686294] kasan_report_error.cold+0xa7/0x194
[ 35.690943] ? hci_le_meta_evt+0x37d5/0x3fc0
[ 35.695326] __asan_report_load1_noabort+0x68/0x70
[ 35.700244] ? hci_le_meta_evt+0x37d5/0x3fc0
[ 35.704630] hci_le_meta_evt+0x37d5/0x3fc0
[ 35.708838] ? __lock_acquire+0x5fc/0x3f20
[ 35.713050] ? read_enc_key_size_complete+0xa60/0xa60
[ 35.718213] ? __lock_acquire+0x5fc/0x3f20
[ 35.722533] ? static_obj+0x50/0x50
[ 35.726136] hci_event_packet+0x19eb/0x7d1d
[ 35.730431] ? trace_hardirqs_on+0x10/0x10
[ 35.734644] ? hci_cmd_complete_evt+0x9590/0x9590
[ 35.739475] ? trace_hardirqs_on+0x10/0x10
[ 35.743692] ? trace_hardirqs_on+0x10/0x10
[ 35.747927] ? debug_object_deactivate+0x1da/0x2e0
[ 35.752839] ? trace_hardirqs_on+0x10/0x10
[ 35.757055] ? skb_dequeue+0x120/0x170
[ 35.760918] ? mark_held_locks+0xa6/0xf0
[ 35.764959] ? _raw_spin_unlock_irqrestore+0x79/0xe0
[ 35.770038] ? trace_hardirqs_on_caller+0x3a8/0x580
[ 35.775052] ? _raw_spin_unlock_irqrestore+0x66/0xe0
[ 35.780131] hci_rx_work+0x3e6/0x970
[ 35.783826] ? rcu_lockdep_current_cpu_online+0xed/0x140
[ 35.789251] process_one_work+0x793/0x14a0
[ 35.793478] ? work_busy+0x320/0x320
[ 35.797166] ? worker_thread+0x158/0xff0
[ 35.801329] ? _raw_spin_unlock_irq+0x24/0x80
[ 35.805798] worker_thread+0x5cc/0xff0
[ 35.809679] ? rescuer_thread+0xc80/0xc80
[ 35.813803] kthread+0x30d/0x420
[ 35.817143] ? kthread_create_on_node+0xd0/0xd0
[ 35.821806] ret_from_fork+0x24/0x30
[ 35.826571] Kernel Offset: disabled
[ 35.830185] Rebooting in 86400 seconds..