[  OK  ] Reached target Login Prompts.
[  OK  ] Reached target Multi-User System.
[  OK  ] Reached target Graphical Interface.
         Starting Update UTMP about System Runlevel Changes...
[  OK  ] Started Update UTMP about System Runlevel Changes.

Debian GNU/Linux 9 syzkaller ttyS0

Warning: Permanently added '10.128.10.61' (ECDSA) to the list of known hosts.
syzkaller login: [ 36.463266] audit: type=1400 audit(1596371376.702:8): avc: denied { execmem } for pid=6362 comm="syz-executor424" scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=process permissive=1
[ 36.711060] IPVS: ftp: loaded support on port[0] = 21
executing program
[ 38.549308] Bluetooth: Unknown advertising packet type: 0xff
[ 38.555393] Bluetooth: hci0 advertising data length corrected
[ 38.562754] ==================================================================
[ 38.570251] BUG: KASAN: slab-out-of-bounds in hci_le_meta_evt+0x3763/0x3fc0
[ 38.577353] Read of size 1 at addr ffff8880a60832c4 by task kworker/u5:1/6387
[ 38.584649]
[ 38.586260] CPU: 0 PID: 6387 Comm: kworker/u5:1 Not tainted 4.14.191-syzkaller #0
[ 38.593879] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 38.603272] Workqueue: hci0 hci_rx_work
[ 38.607224] Call Trace:
[ 38.609800]  dump_stack+0x1b2/0x283
[ 38.613436]  print_address_description.cold+0x54/0x1d3
[ 38.618706]  kasan_report_error.cold+0x8a/0x194
[ 38.623373]  ? hci_le_meta_evt+0x3763/0x3fc0
[ 38.627772]  __asan_report_load1_noabort+0x68/0x70
[ 38.632717]  ? hci_le_meta_evt+0x3763/0x3fc0
[ 38.637160]  hci_le_meta_evt+0x3763/0x3fc0
[ 38.641391]  ? __lock_acquire+0x5fc/0x3f20
[ 38.645620]  ? read_enc_key_size_complete+0xa60/0xa60
[ 38.650813]  ? __lock_acquire+0x5fc/0x3f20
[ 38.655054]  ? static_obj+0x50/0x50
[ 38.658667]  hci_event_packet+0x25a7/0x7c7a
[ 38.662984]  ? trace_hardirqs_on+0x10/0x10
[ 38.667298]  ? hci_cmd_complete_evt+0x9590/0x9590
[ 38.672132]  ? trace_hardirqs_on+0x10/0x10
[ 38.676348]  ? trace_hardirqs_on+0x10/0x10
[ 38.680567]  ? debug_object_deactivate+0x1da/0x2e0
[ 38.685520]  ? trace_hardirqs_on+0x10/0x10
[ 38.689762]  ? skb_dequeue+0x120/0x170
[ 38.693645]  ? mark_held_locks+0xa6/0xf0
[ 38.697707]  ? _raw_spin_unlock_irqrestore+0x79/0xe0
[ 38.702815]  ? trace_hardirqs_on_caller+0x3a8/0x580
[ 38.707840]  ? _raw_spin_unlock_irqrestore+0x66/0xe0
[ 38.712938]  hci_rx_work+0x3e6/0x970
[ 38.716646]  ? rcu_lockdep_current_cpu_online+0xed/0x140
[ 38.722151]  process_one_work+0x793/0x14a0
[ 38.726372]  ? work_busy+0x320/0x320
[ 38.730075]  ? worker_thread+0x158/0xff0
[ 38.734126]  ? _raw_spin_unlock_irq+0x24/0x80
[ 38.738615]  worker_thread+0x5cc/0xff0
[ 38.742485]  ? rescuer_thread+0xc80/0xc80
[ 38.746624]  kthread+0x30d/0x420
[ 38.749980]  ? kthread_create_on_node+0xd0/0xd0
[ 38.754647]  ret_from_fork+0x24/0x30
[ 38.758357]
[ 38.759966] Allocated by task 6392:
[ 38.763596]  kasan_kmalloc+0xeb/0x160
[ 38.767389]  __kmalloc_node_track_caller+0x4c/0x70
[ 38.772313]  __alloc_skb+0x96/0x510
[ 38.775941]  vhci_write+0xb1/0x420
[ 38.779480]  __vfs_write+0x44c/0x630
[ 38.783166]  vfs_write+0x17f/0x4d0
[ 38.786709]  SyS_write+0xf2/0x210
[ 38.790166]  do_syscall_64+0x1d5/0x640
[ 38.794078]  entry_SYSCALL_64_after_hwframe+0x46/0xbb
[ 38.799261]
[ 38.800867] Freed by task 4675:
[ 38.804172]  kasan_slab_free+0xc3/0x1a0
[ 38.808210]  kfree+0xc9/0x250
[ 38.811316]  kernfs_fop_release+0x10e/0x180
[ 38.815624]  __fput+0x25f/0x7a0
[ 38.818902]  task_work_run+0x11f/0x190
[ 38.822875]  exit_to_usermode_loop+0x1ad/0x200
[ 38.827451]  do_syscall_64+0x4a3/0x640
[ 38.831347]  entry_SYSCALL_64_after_hwframe+0x46/0xbb
[ 38.836523]
[ 38.838373] The buggy address belongs to the object at ffff8880a60830c0
[ 38.838373]  which belongs to the cache kmalloc-512 of size 512
[ 38.851024] The buggy address is located 4 bytes to the right of
[ 38.851024]  512-byte region [ffff8880a60830c0, ffff8880a60832c0)
[ 38.863249] The buggy address belongs to the page:
[ 38.868177] page:ffffea00029820c0 count:1 mapcount:0 mapping:ffff8880a60830c0 index:0xffff8880a6083ac0
[ 38.877622] flags: 0xfffe0000000100(slab)
[ 38.881764] raw: 00fffe0000000100 ffff8880a60830c0 ffff8880a6083ac0 0000000100000002
[ 38.889637] raw: ffffea00029814a0 ffffea0002a37620 ffff88812fe52940 0000000000000000
[ 38.897504] page dumped because: kasan: bad access detected
[ 38.903237]
[ 38.904844] Memory state around the buggy address:
[ 38.909757]  ffff8880a6083180: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 38.917103]  ffff8880a6083200: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 38.924463] >ffff8880a6083280: 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc
[ 38.931809]                                            ^
[ 38.937249]  ffff8880a6083300: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
executing program
executing program
executing program
[ 38.944604]  ffff8880a6083380: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 38.951948] ==================================================================
[ 38.959306] Disabling lock debugging due to kernel taint
[ 38.977136] Kernel panic - not syncing: panic_on_warn set ...
[ 38.977136]
[ 38.984546] CPU: 0 PID: 6387 Comm: kworker/u5:1 Tainted: G B 4.14.191-syzkaller #0
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
[ 38.993391] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 39.002763] Workqueue: hci0 hci_rx_work
[ 39.006734] Call Trace:
[ 39.009321]  dump_stack+0x1b2/0x283
[ 39.012948]  panic+0x1f9/0x42d
[ 39.016139]  ? add_taint.cold+0x16/0x16
[ 39.020128]  ? ___preempt_schedule+0x16/0x18
[ 39.024550]  kasan_end_report+0x43/0x49
[ 39.028522]  kasan_report_error.cold+0xa7/0x194
[ 39.033192]  ? hci_le_meta_evt+0x3763/0x3fc0
[ 39.037608]  __asan_report_load1_noabort+0x68/0x70
[ 39.042565]  ? hci_le_meta_evt+0x3763/0x3fc0
[ 39.046965]  hci_le_meta_evt+0x3763/0x3fc0
[ 39.051196]  ? __lock_acquire+0x5fc/0x3f20
[ 39.055439]  ? read_enc_key_size_complete+0xa60/0xa60
[ 39.060638]  ? __lock_acquire+0x5fc/0x3f20
[ 39.064875]  ? static_obj+0x50/0x50
[ 39.068494]  hci_event_packet+0x25a7/0x7c7a
[ 39.072810]  ? trace_hardirqs_on+0x10/0x10
[ 39.077047]  ? hci_cmd_complete_evt+0x9590/0x9590
[ 39.081889]  ? trace_hardirqs_on+0x10/0x10
[ 39.086120]  ? trace_hardirqs_on+0x10/0x10
[ 39.090361]  ? debug_object_deactivate+0x1da/0x2e0
[ 39.095311]  ? trace_hardirqs_on+0x10/0x10
[ 39.099562]  ? skb_dequeue+0x120/0x170
[ 39.103438]  ? mark_held_locks+0xa6/0xf0
[ 39.107494]  ? _raw_spin_unlock_irqrestore+0x79/0xe0
[ 39.112599]  ? trace_hardirqs_on_caller+0x3a8/0x580
[ 39.117620]  ? _raw_spin_unlock_irqrestore+0x66/0xe0
[ 39.122727]  hci_rx_work+0x3e6/0x970
[ 39.126449]  ? rcu_lockdep_current_cpu_online+0xed/0x140
[ 39.131908]  process_one_work+0x793/0x14a0
[ 39.136144]  ? work_busy+0x320/0x320
[ 39.139873]  ? worker_thread+0x158/0xff0
[ 39.143950]  ? _raw_spin_unlock_irq+0x24/0x80
[ 39.148460]  worker_thread+0x5cc/0xff0
[ 39.152357]  ? rescuer_thread+0xc80/0xc80
[ 39.156501]  kthread+0x30d/0x420
[ 39.159865]  ? kthread_create_on_node+0xd0/0xd0
[ 39.164536]  ret_from_fork+0x24/0x30
[ 39.169316] Kernel Offset: disabled
[ 39.172936] Rebooting in 86400 seconds..
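Added triage example, not part of the syzkaller log above and not kernel code: it parses the KASAN report, recomputes the out-of-bounds distance from the raw object base, cache size and faulting address, decodes the shadow byte under the caret with the heap poison values from mm/kasan/kasan.h in Linux 4.14 (the kernel in this log), and walks the shadow past the object end to see what lies beyond the redzone. The REPORT constant is an excerpt copied from the log above, including one line with syzkaller's interleaved "executing program" output; the 8-byte shadow granule and the poison table are the kernel's own, everything else here is the example's.

```python
# Triage helper for the KASAN slab-out-of-bounds report above: recompute the
# out-of-bounds offset from the raw addresses and decode the shadow bytes.
import re

SHADOW_GRANULE = 8  # one KASAN shadow byte covers 8 bytes of kernel memory

# Heap poison values from mm/kasan/kasan.h in Linux 4.14 (the kernel in this
# log); stack redzone values (0xF1-0xF4, 0xF8) are left out for brevity.
SHADOW_MEANING = {
    0xFF: "freed page",
    0xFE: "page redzone (kmalloc_large)",
    0xFC: "slab object redzone",
    0xFB: "freed slab object",
    0xFA: "global variable redzone",
}

# Excerpt of the report on this page, kept as the console emitted it:
# timestamps in front, syzkaller's "executing program" interleaved on one line.
REPORT = """\
[ 38.570251] BUG: KASAN: slab-out-of-bounds in hci_le_meta_evt+0x3763/0x3fc0
[ 38.577353] Read of size 1 at addr ffff8880a60832c4 by task kworker/u5:1/6387
[ 38.838373] The buggy address belongs to the object at ffff8880a60830c0
[ 38.838373]  which belongs to the cache kmalloc-512 of size 512
[ 38.851024] The buggy address is located 4 bytes to the right of
[ 38.851024]  512-byte region [ffff8880a60830c0, ffff8880a60832c0)
[ 38.904844] Memory state around the buggy address:
[ 38.924463] >ffff8880a6083280: 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc
[ 38.931809]                                            ^
[ 38.937249]  ffff8880a6083300: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb executing program executing program
[ 38.944604]  ffff8880a6083380: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
"""

_TIMESTAMP = re.compile(r"^\[\s*\d+\.\d+\]\s?")
_NOISE = re.compile(r"(\s*executing program)+\s*$")
_SHADOW_LINE = re.compile(r"^>?\s*([0-9a-f]{16}):((?:\s[0-9a-f]{2}){16})\s*$")


def clean_lines(text):
    """Drop console timestamps and executor noise; keep the report text."""
    return [_NOISE.sub("", _TIMESTAMP.sub("", ln)).strip() for ln in text.splitlines()]


def parse_report(text):
    """Pull out the fields needed to re-derive the report's own conclusion."""
    lines = clean_lines(text)
    joined = "\n".join(lines)
    bug = re.search(r"BUG: KASAN: (\S+) in (\w+)\+0x", joined)
    acc = re.search(r"(Read|Write) of size (\d+) at addr ([0-9a-f]{16})", joined)
    obj = re.search(r"object at ([0-9a-f]{16})", joined)
    cache = re.search(r"cache (\S+) of size (\d+)", joined)
    claim = re.search(r"located (\d+) bytes to the (left|right) of", joined)
    shadow = {}  # kernel address of each 8-byte granule -> shadow byte value
    for ln in lines:
        m = _SHADOW_LINE.match(ln)
        if m:
            base = int(m.group(1), 16)  # dump lists kernel addresses, not shadow
            for i, byte in enumerate(m.group(2).split()):
                shadow[base + i * SHADOW_GRANULE] = int(byte, 16)
    return {
        "bug": bug.group(1), "func": bug.group(2),
        "access": acc.group(1), "size": int(acc.group(2)), "addr": int(acc.group(3), 16),
        "obj": int(obj.group(1), 16), "cache": cache.group(1), "obj_size": int(cache.group(2)),
        "claimed": (int(claim.group(1)), claim.group(2)), "shadow": shadow,
    }


def decode_shadow(value):
    """Meaning of one shadow byte: 0 = all 8 bytes usable, 1-7 = that many
    leading bytes usable, anything else is a poison value."""
    if value is None:
        return "not in dump"
    if value < SHADOW_GRANULE:
        return "accessible" if value == 0 else "first %d bytes accessible" % value
    return SHADOW_MEANING.get(value, "unknown poison 0x%02x" % value)


def locate(info):
    """Recompute where the access landed relative to the object and compare
    with the distance the report itself printed."""
    start, end, addr = info["obj"], info["obj"] + info["obj_size"], info["addr"]
    if addr >= end:
        past = (addr - end, "right")
    elif addr < start:
        past = (start - addr, "left")
    else:
        past = (0, "inside")
    value = info["shadow"].get(addr - addr % SHADOW_GRANULE)
    return {"offset": addr - start, "past_end": past,
            "matches_report": past == info["claimed"],
            "shadow_value": value, "shadow_meaning": decode_shadow(value)}


def redzone_after(info):
    """Walk the shadow from the object end: redzone length and what follows it."""
    addr = info["obj"] + info["obj_size"]
    length = 0
    while info["shadow"].get(addr) == 0xFC:
        length += SHADOW_GRANULE
        addr += SHADOW_GRANULE
    return length, decode_shadow(info["shadow"].get(addr))


if __name__ == "__main__":
    report = parse_report(REPORT)
    print(report["bug"], "in", report["func"], locate(report), redzone_after(report))
```

For this log the script confirms the report's arithmetic: the one-byte read at ffff8880a60832c4 is offset 516 into a 512-byte kmalloc-512 object, 4 bytes past its end, and the covering shadow byte is 0xfc, so it landed in the 128-byte redzone that KASAN places after the object; the first non-redzone granule after that is marked 0xfb, a freed neighbouring object. Two points follow for triage: without KASAN there is no redzone, so the same out-of-bounds read would return whatever sits next to the skb in the slab, and the allocation stack (vhci_write -> __alloc_skb) shows the skb carrying the HCI event came from a write to /dev/vhci, so the event bytes being parsed by hci_le_meta_evt were supplied from user space.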