[  OK  ] Reached target Graphical Interface.
         Starting Update UTMP about System Runlevel Changes...
         Starting Load/Save RF Kill Switch Status...
[  OK  ] Started Update UTMP about System Runlevel Changes.
[  OK  ] Started Load/Save RF Kill Switch Status.

Debian GNU/Linux 9 syzkaller ttyS0

Warning: Permanently added '10.128.10.15' (ECDSA) to the list of known hosts.

syzkaller login: [   70.578235][   T29] audit: type=1400 audit(1596455640.383:8): avc:  denied  { execmem } for  pid=6833 comm="syz-executor997" scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=process permissive=1
[   70.592169][ T6834] IPVS: ftp: loaded support on port[0] = 21
executing program
[   71.752865][ T1535] Bluetooth: hci0: unknown advertising packet type: 0x2b
[   71.752950][ T1535] ==================================================================
[   71.768265][ T1535] BUG: KASAN: slab-out-of-bounds in hci_le_meta_evt+0x380c/0x3eb0
[   71.776079][ T1535] Read of size 1 at addr ffff8880a727de0c by task kworker/u5:0/1535
[   71.784055][ T1535]
[   71.786399][ T1535] CPU: 1 PID: 1535 Comm: kworker/u5:0 Not tainted 5.8.0-rc7-syzkaller #0
[   71.794817][ T1535] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   71.805018][ T1535] Workqueue: hci0 hci_rx_work
[   71.809965][ T1535] Call Trace:
[   71.813272][ T1535]  dump_stack+0x18f/0x20d
[   71.817907][ T1535]  ? hci_le_meta_evt+0x380c/0x3eb0
[   71.824077][ T1535]  ? hci_le_meta_evt+0x380c/0x3eb0
[   71.829236][ T1535]  print_address_description.constprop.0.cold+0xae/0x436
[   71.836276][ T1535]  ? lockdep_hardirqs_off+0x66/0xa0
[   71.841616][ T1535]  ? vprintk_func+0x97/0x1a6
[   71.846308][ T1535]  ? hci_le_meta_evt+0x380c/0x3eb0
[   71.851432][ T1535]  kasan_report.cold+0x1f/0x37
[   71.856219][ T1535]  ? hci_le_meta_evt+0x380c/0x3eb0
[   71.861465][ T1535]  hci_le_meta_evt+0x380c/0x3eb0
[   71.866419][ T1535]  ? mark_lock+0xbc/0x1710
[   71.870938][ T1535]  ? mark_lock+0xbc/0x1710
[   71.875378][ T1535]  ? hci_key_refresh_complete_evt.isra.0+0x10b0/0x10b0
[   71.882246][ T1535]  ? mark_lock+0xbc/0x1710
[   71.886677][ T1535]  ? __lock_acquire+0x16e3/0x56e0
[   71.891706][ T1535]  ? __lock_acquire+0x16e3/0x56e0
[   71.896897][ T1535]  hci_event_packet+0x245a/0x86f5
[   71.901912][ T1535]  ? lockdep_hardirqs_on_prepare+0x590/0x590
[   71.907877][ T1535]  ? __lock_acquire+0x16e3/0x56e0
[   71.913226][ T1535]  ? hci_cmd_complete_evt+0xc6e0/0xc6e0
[   71.918854][ T1535]  ? lock_acquire+0x1f1/0xad0
[   71.923700][ T1535]  ? skb_dequeue+0x1c/0x180
[   71.928195][ T1535]  ? find_held_lock+0x2d/0x110
[   71.933036][ T1535]  ? mark_lock+0xbc/0x1710
[   71.937445][ T1535]  ? mark_held_locks+0x9f/0xe0
[   71.942362][ T1535]  ? _raw_spin_unlock_irqrestore+0x62/0xe0
[   71.948157][ T1535]  ? lockdep_hardirqs_on_prepare+0x3a2/0x590
[   71.954124][ T1535]  ? trace_hardirqs_on+0x5f/0x220
[   71.959139][ T1535]  ? lockdep_hardirqs_on+0x6a/0xe0
[   71.964238][ T1535]  hci_rx_work+0x22e/0xb10
[   71.968720][ T1535]  process_one_work+0x94c/0x1670
[   71.973824][ T1535]  ? lock_release+0x8d0/0x8d0
[   71.978532][ T1535]  ? pwq_dec_nr_in_flight+0x2d0/0x2d0
[   71.984173][ T1535]  ? rwlock_bug.part.0+0x90/0x90
[   71.989237][ T1535]  ? lockdep_hardirqs_off+0x66/0xa0
[   71.994789][ T1535]  worker_thread+0x64c/0x1120
[   71.999463][ T1535]  ? process_one_work+0x1670/0x1670
[   72.004860][ T1535]  kthread+0x3b5/0x4a0
[   72.008930][ T1535]  ? __kthread_bind_mask+0xc0/0xc0
[   72.014037][ T1535]  ? __kthread_bind_mask+0xc0/0xc0
[   72.019144][ T1535]  ret_from_fork+0x1f/0x30
[   72.023553][ T1535]
[   72.025872][ T1535] Allocated by task 6834:
[   72.030193][ T1535]  save_stack+0x1b/0x40
[   72.034499][ T1535]  __kasan_kmalloc.constprop.0+0xc2/0xd0
[   72.040237][ T1535]  __alloc_skb+0xae/0x550
[   72.044717][ T1535]  vhci_write+0xbd/0x450
[   72.049041][ T1535]  new_sync_write+0x422/0x650
[   72.054043][ T1535]  vfs_write+0x59d/0x6b0
[   72.058450][ T1535]  ksys_write+0x12d/0x250
[   72.063019][ T1535]  do_syscall_64+0x60/0xe0
[   72.067541][ T1535]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[   72.073416][ T1535]
[   72.075828][ T1535] Freed by task 6627:
[   72.079801][ T1535]  save_stack+0x1b/0x40
[   72.084064][ T1535]  __kasan_slab_free+0xf5/0x140
[   72.088899][ T1535]  kfree+0x103/0x2c0
[   72.092780][ T1535]  tomoyo_find_next_domain+0x81d/0x1f77
[   72.098311][ T1535]  tomoyo_bprm_check_security+0x121/0x1a0
[   72.104019][ T1535]  security_bprm_check+0x45/0xa0
[   72.108942][ T1535]  __do_execve_file+0x1577/0x2ee0
[   72.114074][ T1535]  do_execve+0x35/0x50
[   72.118125][ T1535]  __x64_sys_execve+0x7c/0xa0
[   72.122798][ T1535]  do_syscall_64+0x60/0xe0
[   72.127196][ T1535]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[   72.133069][ T1535]
[   72.135385][ T1535] The buggy address belongs to the object at ffff8880a727dc00
[   72.135385][ T1535]  which belongs to the cache kmalloc-512 of size 512
[   72.149760][ T1535] The buggy address is located 12 bytes to the right of
[   72.149760][ T1535]  512-byte region [ffff8880a727dc00, ffff8880a727de00)
[   72.163629][ T1535] The buggy address belongs to the page:
[   72.169260][ T1535] page:ffffea00029c9f40 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0
[   72.178437][ T1535] flags: 0xfffe0000000200(slab)
[   72.183367][ T1535] raw: 00fffe0000000200 ffffea00029e3848 ffffea0002731b88 ffff8880aa000a80
[   72.191940][ T1535] raw: 0000000000000000 ffff8880a727d000 0000000100000004 0000000000000000
[   72.200531][ T1535] page dumped because: kasan: bad access detected
[   72.206922][ T1535]
[   72.209233][ T1535] Memory state around the buggy address:
[   72.214853][ T1535]  ffff8880a727dd00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   72.222898][ T1535]  ffff8880a727dd80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   72.230945][ T1535] >ffff8880a727de00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   72.239029][ T1535]                       ^
[   72.243343][ T1535]  ffff8880a727de80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   72.251390][ T1535]  ffff8880a727df00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   72.259433][ T1535] ==================================================================
[   72.267546][ T1535] Disabling lock debugging due to kernel taint
[   72.275912][ T1535] Kernel panic - not syncing: panic_on_warn set ...
[   72.282535][ T1535] CPU: 1 PID: 1535 Comm: kworker/u5:0 Tainted: G    B             5.8.0-rc7-syzkaller #0
[   72.292338][ T1535] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   72.302520][ T1535] Workqueue: hci0 hci_rx_work
[   72.307282][ T1535] Call Trace:
[   72.310579][ T1535]  dump_stack+0x18f/0x20d
[   72.314916][ T1535]  ? hci_le_meta_evt+0x37f0/0x3eb0
[   72.320033][ T1535]  panic+0x2e3/0x75c
[   72.323935][ T1535]  ? __warn_printk+0xf3/0xf3
[   72.328565][ T1535]  ? preempt_schedule_common+0x59/0xc0
[   72.334190][ T1535]  ? hci_le_meta_evt+0x380c/0x3eb0
[   72.339306][ T1535]  ? preempt_schedule_thunk+0x16/0x18
[   72.344684][ T1535]  ? trace_hardirqs_on+0x55/0x220
[   72.349895][ T1535]  ? hci_le_meta_evt+0x380c/0x3eb0
[   72.355024][ T1535]  ? hci_le_meta_evt+0x380c/0x3eb0
[   72.360158][ T1535]  end_report+0x4d/0x53
[   72.364579][ T1535]  kasan_report.cold+0xd/0x37
[   72.369268][ T1535]  ? hci_le_meta_evt+0x380c/0x3eb0
[   72.374392][ T1535]  hci_le_meta_evt+0x380c/0x3eb0
[   72.379335][ T1535]  ? mark_lock+0xbc/0x1710
[   72.383738][ T1535]  ? mark_lock+0xbc/0x1710
[   72.388260][ T1535]  ? hci_key_refresh_complete_evt.isra.0+0x10b0/0x10b0
[   72.395183][ T1535]  ? mark_lock+0xbc/0x1710
[   72.399670][ T1535]  ? __lock_acquire+0x16e3/0x56e0
[   72.404721][ T1535]  ? __lock_acquire+0x16e3/0x56e0
[   72.409802][ T1535]  hci_event_packet+0x245a/0x86f5
[   72.414815][ T1535]  ? lockdep_hardirqs_on_prepare+0x590/0x590
[   72.427987][ T1535]  ? __lock_acquire+0x16e3/0x56e0
[   72.433001][ T1535]  ? hci_cmd_complete_evt+0xc6e0/0xc6e0
[   72.438620][ T1535]  ? lock_acquire+0x1f1/0xad0
[   72.443301][ T1535]  ? skb_dequeue+0x1c/0x180
[   72.447821][ T1535]  ? find_held_lock+0x2d/0x110
[   72.452702][ T1535]  ? mark_lock+0xbc/0x1710
[   72.457118][ T1535]  ? mark_held_locks+0x9f/0xe0
[   72.461874][ T1535]  ? _raw_spin_unlock_irqrestore+0x62/0xe0
[   72.467794][ T1535]  ? lockdep_hardirqs_on_prepare+0x3a2/0x590
[   72.473759][ T1535]  ? trace_hardirqs_on+0x5f/0x220
[   72.478769][ T1535]  ? lockdep_hardirqs_on+0x6a/0xe0
[   72.483863][ T1535]  hci_rx_work+0x22e/0xb10
[   72.488274][ T1535]  process_one_work+0x94c/0x1670
[   72.493196][ T1535]  ? lock_release+0x8d0/0x8d0
[   72.498077][ T1535]  ? pwq_dec_nr_in_flight+0x2d0/0x2d0
[   72.503496][ T1535]  ? rwlock_bug.part.0+0x90/0x90
[   72.508463][ T1535]  ? lockdep_hardirqs_off+0x66/0xa0
[   72.513649][ T1535]  worker_thread+0x64c/0x1120
[   72.518522][ T1535]  ? process_one_work+0x1670/0x1670
[   72.523708][ T1535]  kthread+0x3b5/0x4a0
[   72.527846][ T1535]  ? __kthread_bind_mask+0xc0/0xc0
[   72.532948][ T1535]  ? __kthread_bind_mask+0xc0/0xc0
[   72.538214][ T1535]  ret_from_fork+0x1f/0x30
[   72.544260][ T1535] Kernel Offset: disabled
[   72.548609][ T1535] Rebooting in 86400 seconds..
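Reading the report: KASAN caught a 1-byte read in hci_le_meta_evt, 12 bytes past the end of a 512-byte kmalloc object. The "Allocated by" stack shows that object is the skb built by vhci_write, so the event bytes being parsed were written by the fuzzer through /dev/vhci and are entirely attacker-controlled; the "Freed by task 6627" stack (tomoyo, kfree) records an earlier free of the same slab object before vhci_write reallocated it and is not part of this bug. The "unknown advertising packet type: 0x2b" line just before the splat says the handler was walking LE advertising reports when it ran off the end. The following is an added example, not code from the kernel or from this report: it models in user space the kind of record walk such a handler performs (a one-byte report count, then records whose own length byte decides where the next record starts) and shows the unchecked pattern beside a walk that validates every field against the payload length first. The struct layout, the MAX_AD_LEN cap and the names adv_info, sim_skb, naive_walk, checked_walk and build_event are simplifications assumed for the example; the real kernel structures and the upstream fix are not shown on this page.

```c
/* Added example, not kernel code.  Models a length-prefixed record walk
 * over an attacker-supplied HCI LE advertising report and the bounds
 * check that keeps it inside the packet.  Layout below is a simplified
 * stand-in for the real event format (assumption for illustration). */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SLAB_OBJ   512              /* kmalloc-512 object, as in the report */
#define BACKING    (SLAB_OBJ + 64)  /* simulated memory past the object */
#define MAX_AD_LEN 31               /* per-record cap, like HCI_MAX_AD_LENGTH */

struct adv_info {                   /* one report record (simplified) */
    uint8_t evt_type;
    uint8_t bdaddr_type;
    uint8_t bdaddr[6];
    uint8_t length;
    uint8_t data[];                 /* data[length] is followed by 1 byte of RSSI */
};

/* Fake skb: mem[0..len) is the event payload handed to the handler; bytes
 * at or past len stand for whatever follows the object in the slab. */
struct sim_skb {
    uint8_t mem[BACKING];
    size_t len;
};

/* Unchecked walk, mirroring the pattern KASAN caught: it trusts num_reports
 * and each record's length byte.  The per-record cap does not help, because
 * the length byte is read before the cap is applied.  The only limit it
 * enforces is the simulator's backing array (so this program has no UB).
 * Returns records accepted; *max_off gets one past the highest offset read,
 * which is out of bounds whenever it exceeds skb->len. */
int naive_walk(const struct sim_skb *skb, size_t *max_off)
{
    const uint8_t *ptr = skb->mem;
    const uint8_t *backing_end = skb->mem + BACKING;
    uint8_t num_reports = *ptr++;
    size_t hi = 1;
    int accepted = 0;

    while (num_reports--) {
        if ((size_t)(backing_end - ptr) < sizeof(struct adv_info))
            break;                                      /* simulator guard only */
        const struct adv_info *ev = (const struct adv_info *)ptr;
        hi = (size_t)(ptr - skb->mem) + sizeof(*ev);    /* header read, length byte included */
        size_t rec = sizeof(*ev) + ev->length + 1;       /* header + data + RSSI */
        if ((size_t)(backing_end - ptr) < rec)
            break;                                      /* simulator guard only */
        if (ev->length <= MAX_AD_LEN) {
            volatile uint8_t rssi = ev->data[ev->length]; /* the 1-byte read after data */
            (void)rssi;
            hi = (size_t)(ptr - skb->mem) + rec;
            accepted++;
        }
        ptr += rec;                                     /* advances on the untrusted length */
    }
    *max_off = hi;
    return accepted;
}

/* Checked walk: every field is validated against the payload length before
 * it is dereferenced; a truncated record aborts the walk with -1. */
int checked_walk(const struct sim_skb *skb, size_t *max_off)
{
    const uint8_t *ptr = skb->mem;
    const uint8_t *end = skb->mem + skb->len;
    int accepted = 0;

    if (skb->len < 1)
        return -1;
    uint8_t num_reports = *ptr++;

    while (num_reports--) {
        if ((size_t)(end - ptr) < sizeof(struct adv_info))
            return -1;                                  /* header would run past the packet */
        const struct adv_info *ev = (const struct adv_info *)ptr;
        size_t rec = sizeof(*ev) + ev->length + 1;
        if ((size_t)(end - ptr) < rec)
            return -1;                                  /* data + RSSI would run past the packet */
        if (ev->length <= MAX_AD_LEN)
            accepted++;                                 /* process the report here */
        ptr += rec;
    }
    *max_off = (size_t)(ptr - skb->mem);
    return accepted;
}

/* Constructed sample: the given report count, one well-formed 3-byte record,
 * then the payload ends (len = 14).  Bytes past len are filled with 0x2b to
 * stand for stale neighbouring memory; the value only echoes the "unknown
 * advertising packet type: 0x2b" line and is not taken from the report. */
void build_event(struct sim_skb *skb, uint8_t num_reports)
{
    memset(skb->mem, 0x2b, sizeof skb->mem);
    uint8_t *p = skb->mem;
    *p++ = num_reports;
    struct adv_info *ev = (struct adv_info *)p;
    ev->evt_type = 0x00;                                /* ADV_IND */
    ev->bdaddr_type = 0x01;
    memset(ev->bdaddr, 0xaa, sizeof ev->bdaddr);
    ev->length = 3;
    ev->data[0] = 0x02; ev->data[1] = 0x01; ev->data[2] = 0x06; /* Flags AD structure */
    ev->data[3] = (uint8_t)-60;                         /* RSSI */
    skb->len = (size_t)(p + sizeof(*ev) + 3 + 1 - skb->mem);
}

int main(void)
{
    struct sim_skb good, bad;
    size_t off;
    build_event(&good, 1);
    build_event(&bad, 2);      /* claims two reports, carries one */

    int n = naive_walk(&bad, &off);
    printf("naive:   accepted %d, read up to offset %zu of a %zu-byte payload (%zu bytes out of bounds)\n",
           n, off, bad.len, off > bad.len ? off - bad.len : 0);
    n = checked_walk(&bad, &off);
    printf("checked: %s\n", n < 0 ? "rejected truncated event" : "accepted");
    n = checked_walk(&good, &off);
    printf("checked: good event accepted %d report(s), consumed %zu bytes\n", n, off);
    return 0;
}
```

The crafted event is the report's situation in miniature: the count byte promises a second record, the naive walk reads that record's header from memory past the packet, and the stale 0x2b it finds there becomes both the "unknown advertising packet type" and an over-long length that moves ptr even further out. The cap on length is a sanity check, not a bounds check; only comparing the remaining bytes against each record's size before touching it stops the walk at the packet boundary.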