[ OK ] Reached target Login Prompts.
[ OK ] Reached target Multi-User System.
[ OK ] Reached target Graphical Interface.
Starting Update UTMP about System Runlevel Changes...
[ OK ] Started Update UTMP about System Runlevel Changes.
Debian GNU/Linux 9 syzkaller ttyS0
Warning: Permanently added '10.128.0.164' (ECDSA) to the list of known hosts.
syzkaller login: [ 33.026257] audit: type=1400 audit(1596509388.597:8): avc: denied { execmem } for pid=6375 comm="syz-executor008" scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=process permissive=1
[ 33.270530] IPVS: ftp: loaded support on port[0] = 21
executing program
[ 35.115900] Bluetooth: Unknown advertising packet type: 0x2b
[ 35.121978] ==================================================================
[ 35.129441] BUG: KASAN: slab-out-of-bounds in hci_le_meta_evt+0x37d5/0x3fc0
[ 35.136559] Read of size 1 at addr ffff8880a0b58a0c by task kworker/u5:1/6398
[ 35.143830]
[ 35.145455] CPU: 1 PID: 6398 Comm: kworker/u5:1 Not tainted 4.14.191-syzkaller #0
[ 35.153062] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 35.162515] Workqueue: hci0 hci_rx_work
[ 35.166463] Call Trace:
[ 35.169037] dump_stack+0x1b2/0x283
[ 35.172755] print_address_description.cold+0x54/0x1d3
[ 35.178042] kasan_report_error.cold+0x8a/0x194
[ 35.182707] ? hci_le_meta_evt+0x37d5/0x3fc0
[ 35.187137] __asan_report_load1_noabort+0x68/0x70
[ 35.192050] ? hci_le_meta_evt+0x37d5/0x3fc0
[ 35.196435] hci_le_meta_evt+0x37d5/0x3fc0
[ 35.200735] ? skb_release_data+0x5f6/0x820
[ 35.205050] ? read_enc_key_size_complete+0xa60/0xa60
[ 35.210217] ? __lock_acquire+0x5fc/0x3f20
[ 35.214427] ? kfree_skbmem+0x98/0x100
[ 35.218293] hci_event_packet+0x25a7/0x7c7a
[ 35.222604] ? trace_hardirqs_on+0x10/0x10
[ 35.226835] ? hci_cmd_complete_evt+0x9590/0x9590
[ 35.231681] ? trace_hardirqs_on+0x10/0x10
[ 35.235979] ? debug_object_deactivate+0x1da/0x2e0
[ 35.240884] ? skb_dequeue+0x120/0x170
[ 35.244748] ? mark_held_locks+0xa6/0xf0
[ 35.248793] ? _raw_spin_unlock_irqrestore+0x79/0xe0
[ 35.253891] ? trace_hardirqs_on_caller+0x3a8/0x580
[ 35.258882] ? _raw_spin_unlock_irqrestore+0x66/0xe0
[ 35.263973] hci_rx_work+0x3e6/0x970
[ 35.267672] ? rcu_lockdep_current_cpu_online+0xed/0x140
[ 35.273118] process_one_work+0x793/0x14a0
[ 35.277477] ? work_busy+0x320/0x320
[ 35.281345] ? worker_thread+0x158/0xff0
[ 35.285387] ? _raw_spin_unlock_irq+0x24/0x80
[ 35.289862] worker_thread+0x5cc/0xff0
[ 35.293727] ? rescuer_thread+0xc80/0xc80
[ 35.297857] kthread+0x30d/0x420
[ 35.301205] ? kthread_create_on_node+0xd0/0xd0
[ 35.305850] ret_from_fork+0x24/0x30
[ 35.309544]
[ 35.311148] Allocated by task 6376:
[ 35.314874] kasan_kmalloc+0xeb/0x160
[ 35.318661] __kmalloc_node_track_caller+0x4c/0x70
[ 35.323564] __alloc_skb+0x96/0x510
[ 35.327166] vhci_write+0xb1/0x420
[ 35.330684] __vfs_write+0x44c/0x630
[ 35.334374] vfs_write+0x17f/0x4d0
[ 35.337972] SyS_write+0xf2/0x210
[ 35.341430] do_syscall_64+0x1d5/0x640
[ 35.345292] entry_SYSCALL_64_after_hwframe+0x46/0xbb
[ 35.350451]
[ 35.352052] Freed by task 5111:
[ 35.355306] kasan_slab_free+0xc3/0x1a0
[ 35.359252] kfree+0xc9/0x250
[ 35.362329] load_elf_binary+0x1c1b/0x4750
[ 35.366539] search_binary_handler.part.0+0xd5/0x640
[ 35.371631] do_execveat_common+0x1099/0x1f30
[ 35.376213] SyS_execve+0x3b/0x50
[ 35.379650] do_syscall_64+0x1d5/0x640
[ 35.383510] entry_SYSCALL_64_after_hwframe+0x46/0xbb
[ 35.388686]
[ 35.390298] The buggy address belongs to the object at ffff8880a0b58800
[ 35.390298] which belongs to the cache kmalloc-512 of size 512
[ 35.402926] The buggy address is located 12 bytes to the right of
[ 35.402926] 512-byte region [ffff8880a0b58800, ffff8880a0b58a00)
[ 35.415220] The buggy address belongs to the page:
[ 35.420134] page:ffffea000282d600 count:1 mapcount:0 mapping:ffff8880a0b58080 index:0xffff8880a0b58580
[ 35.429639] flags: 0xfffe0000000100(slab)
[ 35.433762] raw: 00fffe0000000100 ffff8880a0b58080 ffff8880a0b58580 0000000100000005
[ 35.441623] raw: ffffea0002815720 ffffea000238a3e0 ffff88812fe52940 0000000000000000
[ 35.449478] page dumped because: kasan: bad access detected
[ 35.455173]
[ 35.456772] Memory state around the buggy address:
[ 35.461676]  ffff8880a0b58900: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 35.469018]  ffff8880a0b58980: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 35.476445] >ffff8880a0b58a00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 35.483777]                       ^
[ 35.488008]  ffff8880a0b58a80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 35.495339]  ffff8880a0b58b00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 35.502781] ==================================================================
[ 35.510124] Disabling lock debugging due to kernel taint
[ 35.516335] Kernel panic - not syncing: panic_on_warn set ...
[ 35.516335]
[ 35.523707] CPU: 1 PID: 6398 Comm: kworker/u5:1 Tainted: G B 4.14.191-syzkaller #0
[ 35.534367] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 35.543729] Workqueue: hci0 hci_rx_work
[ 35.547801] Call Trace:
[ 35.550377] dump_stack+0x1b2/0x283
[ 35.553995] panic+0x1f9/0x42d
[ 35.557166] ? add_taint.cold+0x16/0x16
[ 35.561242] ? ___preempt_schedule+0x16/0x18
[ 35.565747] kasan_end_report+0x43/0x49
[ 35.569704] kasan_report_error.cold+0xa7/0x194
[ 35.574349] ? hci_le_meta_evt+0x37d5/0x3fc0
[ 35.578735] __asan_report_load1_noabort+0x68/0x70
[ 35.583657] ? hci_le_meta_evt+0x37d5/0x3fc0
[ 35.588130] hci_le_meta_evt+0x37d5/0x3fc0
[ 35.592355] ? skb_release_data+0x5f6/0x820
[ 35.596650] ? read_enc_key_size_complete+0xa60/0xa60
[ 35.601814] ? __lock_acquire+0x5fc/0x3f20
[ 35.606023] ? kfree_skbmem+0x98/0x100
[ 35.609995] hci_event_packet+0x25a7/0x7c7a
[ 35.614305] ? trace_hardirqs_on+0x10/0x10
[ 35.618519] ? hci_cmd_complete_evt+0x9590/0x9590
[ 35.623364] ? trace_hardirqs_on+0x10/0x10
[ 35.627620] ? debug_object_deactivate+0x1da/0x2e0
[ 35.632525] ? skb_dequeue+0x120/0x170
[ 35.636411] ? mark_held_locks+0xa6/0xf0
[ 35.640542] ? _raw_spin_unlock_irqrestore+0x79/0xe0
[ 35.645618] ? trace_hardirqs_on_caller+0x3a8/0x580
[ 35.650609] ? _raw_spin_unlock_irqrestore+0x66/0xe0
[ 35.655696] hci_rx_work+0x3e6/0x970
[ 35.659393] ? rcu_lockdep_current_cpu_online+0xed/0x140
[ 35.664818] process_one_work+0x793/0x14a0
[ 35.669142] ? work_busy+0x320/0x320
[ 35.672833] ? worker_thread+0x158/0xff0
[ 35.676873] ? _raw_spin_unlock_irq+0x24/0x80
[ 35.681350] worker_thread+0x5cc/0xff0
[ 35.685233] ? rescuer_thread+0xc80/0xc80
[ 35.689362] kthread+0x30d/0x420
[ 35.692700] ? kthread_create_on_node+0xd0/0xd0
[ 35.697437] ret_from_fork+0x24/0x30
[ 35.702869] Kernel Offset: disabled
[ 35.706486] Rebooting in 86400 seconds..