[ OK ] Started Getty on tty2.
[ OK ] Started Serial Getty on ttyS0.
[ OK ] Started Getty on tty1.
[ OK ] Reached target Login Prompts.
[ OK ] Reached target Multi-User System.
[ OK ] Reached target Graphical Interface.
Starting Update UTMP about System Runlevel Changes...
Starting Load/Save RF Kill Switch Status...
[ OK ] Started Update UTMP about System Runlevel Changes.
[ OK ] Started Load/Save RF Kill Switch Status.

Debian GNU/Linux 9 syzkaller ttyS0

Warning: Permanently added '10.128.10.55' (ECDSA) to the list of known hosts.

syzkaller login: [ 68.197218][ T27] audit: type=1400 audit(1596258867.831:8): avc: denied { execmem } for pid=6843 comm="syz-executor219" scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=process permissive=1
[ 68.211616][ T6844] IPVS: ftp: loaded support on port[0] = 21
executing program
[ 69.294825][ T6869] Bluetooth: hci0: Unknown advertising packet type: 0xffff
[ 69.294912][ T6869] ==================================================================
[ 69.310319][ T6869] BUG: KASAN: slab-out-of-bounds in hci_le_meta_evt+0x384e/0x3eb0
[ 69.318121][ T6869] Read of size 1 at addr ffff8880947c1a09 by task kworker/u5:2/6869
[ 69.326089][ T6869]
[ 69.328420][ T6869] CPU: 1 PID: 6869 Comm: kworker/u5:2 Not tainted 5.8.0-rc7-syzkaller #0
[ 69.336818][ T6869] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 69.346884][ T6869] Workqueue: hci0 hci_rx_work
[ 69.351559][ T6869] Call Trace:
[ 69.354856][ T6869] dump_stack+0x18f/0x20d
[ 69.359194][ T6869] ? hci_le_meta_evt+0x384e/0x3eb0
[ 69.364310][ T6869] ? hci_le_meta_evt+0x384e/0x3eb0
[ 69.369422][ T6869] print_address_description.constprop.0.cold+0xae/0x436
[ 69.376453][ T6869] ? lockdep_hardirqs_off+0x66/0xa0
[ 69.381652][ T6869] ? vprintk_func+0x97/0x1a6
[ 69.386241][ T6869] ? hci_le_meta_evt+0x384e/0x3eb0
[ 69.391422][ T6869] kasan_report.cold+0x1f/0x37
[ 69.396177][ T6869] ? hci_le_meta_evt+0x384e/0x3eb0
[ 69.401290][ T6869] hci_le_meta_evt+0x384e/0x3eb0
[ 69.406215][ T6869] ? mark_lock+0xbc/0x1710
[ 69.410618][ T6869] ? hci_key_refresh_complete_evt.isra.0+0x10b0/0x10b0
[ 69.417444][ T6869] ? mark_lock+0xbc/0x1710
[ 69.421841][ T6869] ? __lock_acquire+0x16e3/0x56e0
[ 69.426937][ T6869] ? __lock_acquire+0x16e3/0x56e0
[ 69.431949][ T6869] hci_event_packet+0x245a/0x86f5
[ 69.436968][ T6869] ? lockdep_hardirqs_on_prepare+0x590/0x590
[ 69.442926][ T6869] ? __lock_acquire+0x16e3/0x56e0
[ 69.447934][ T6869] ? hci_cmd_complete_evt+0xc6e0/0xc6e0
[ 69.453460][ T6869] ? lock_acquire+0x1f1/0xad0
[ 69.458119][ T6869] ? skb_dequeue+0x1c/0x180
[ 69.462602][ T6869] ? find_held_lock+0x2d/0x110
[ 69.468562][ T6869] ? mark_lock+0xbc/0x1710
[ 69.472963][ T6869] ? mark_held_locks+0x9f/0xe0
[ 69.477710][ T6869] ? _raw_spin_unlock_irqrestore+0x62/0xe0
[ 69.483499][ T6869] ? lockdep_hardirqs_on_prepare+0x3a2/0x590
[ 69.489460][ T6869] ? trace_hardirqs_on+0x5f/0x220
[ 69.494465][ T6869] ? lockdep_hardirqs_on+0x6a/0xe0
[ 69.499564][ T6869] hci_rx_work+0x22e/0xb10
[ 69.504005][ T6869] process_one_work+0x94c/0x1670
[ 69.508929][ T6869] ? lock_release+0x8d0/0x8d0
[ 69.513587][ T6869] ? pwq_dec_nr_in_flight+0x2d0/0x2d0
[ 69.518944][ T6869] ? rwlock_bug.part.0+0x90/0x90
[ 69.523877][ T6869] ? lockdep_hardirqs_off+0x66/0xa0
[ 69.529059][ T6869] worker_thread+0x64c/0x1120
[ 69.533724][ T6869] ? __kthread_parkme+0x13f/0x1e0
[ 69.538728][ T6869] ? process_one_work+0x1670/0x1670
[ 69.543929][ T6869] kthread+0x3b5/0x4a0
[ 69.547992][ T6869] ? __kthread_bind_mask+0xc0/0xc0
[ 69.553091][ T6869] ? __kthread_bind_mask+0xc0/0xc0
[ 69.558211][ T6869] ret_from_fork+0x1f/0x30
[ 69.562614][ T6869]
[ 69.564921][ T6869] Allocated by task 6844:
[ 69.569234][ T6869] save_stack+0x1b/0x40
[ 69.573386][ T6869] __kasan_kmalloc.constprop.0+0xc2/0xd0
[ 69.579000][ T6869] __alloc_skb+0xae/0x550
[ 69.583323][ T6869] vhci_write+0xbd/0x450
[ 69.587551][ T6869] new_sync_write+0x422/0x650
[ 69.592210][ T6869] vfs_write+0x59d/0x6b0
[ 69.596453][ T6869] ksys_write+0x12d/0x250
[ 69.600769][ T6869] do_syscall_64+0x60/0xe0
[ 69.605167][ T6869] entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 69.611038][ T6869]
[ 69.613349][ T6869] Freed by task 4799:
[ 69.617317][ T6869] save_stack+0x1b/0x40
[ 69.621450][ T6869] __kasan_slab_free+0xf5/0x140
[ 69.626383][ T6869] kfree+0x103/0x2c0
[ 69.630258][ T6869] skb_release_data+0x6d9/0x910
[ 69.635092][ T6869] consume_skb+0xc2/0x160
[ 69.639398][ T6869] skb_free_datagram+0x16/0xf0
[ 69.644139][ T6869] netlink_recvmsg+0x61e/0xee0
[ 69.648900][ T6869] ____sys_recvmsg+0x2c4/0x640
[ 69.653648][ T6869] ___sys_recvmsg+0x127/0x200
[ 69.658312][ T6869] __sys_recvmsg+0xe2/0x1a0
[ 69.662800][ T6869] do_syscall_64+0x60/0xe0
[ 69.667205][ T6869] entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 69.673084][ T6869]
[ 69.675407][ T6869] The buggy address belongs to the object at ffff8880947c1800
[ 69.675407][ T6869] which belongs to the cache kmalloc-512 of size 512
[ 69.689438][ T6869] The buggy address is located 9 bytes to the right of
[ 69.689438][ T6869] 512-byte region [ffff8880947c1800, ffff8880947c1a00)
[ 69.703040][ T6869] The buggy address belongs to the page:
[ 69.708654][ T6869] page:ffffea000251f040 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0
[ 69.717737][ T6869] flags: 0xfffe0000000200(slab)
[ 69.722569][ T6869] raw: 00fffe0000000200 ffffea0002799348 ffffea000286d2c8 ffff8880aa000a80
[ 69.731134][ T6869] raw: 0000000000000000 ffff8880947c1000 0000000100000004 0000000000000000
[ 69.739690][ T6869] page dumped because: kasan: bad access detected
[ 69.746074][ T6869]
[ 69.748379][ T6869] Memory state around the buggy address:
[ 69.753988][ T6869] ffff8880947c1900: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 69.762026][ T6869] ffff8880947c1980: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 69.770064][ T6869] >ffff8880947c1a00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 69.778101][ T6869] ^
[ 69.782431][ T6869] ffff8880947c1a80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 69.790482][ T6869] ffff8880947c1b00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 69.798513][ T6869] ==================================================================
[ 69.806548][ T6869] Disabling lock debugging due to kernel taint
[ 69.813637][ T6869] Kernel panic - not syncing: panic_on_warn set ...
[ 69.820234][ T6869] CPU: 1 PID: 6869 Comm: kworker/u5:2 Tainted: G B 5.8.0-rc7-syzkaller #0
[ 69.830015][ T6869] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 69.840066][ T6869] Workqueue: hci0 hci_rx_work
[ 69.844734][ T6869] Call Trace:
[ 69.848017][ T6869] dump_stack+0x18f/0x20d
[ 69.852341][ T6869] ? hci_le_meta_evt+0x37f0/0x3eb0
[ 69.857443][ T6869] panic+0x2e3/0x75c
[ 69.861332][ T6869] ? __warn_printk+0xf3/0xf3
[ 69.865924][ T6869] ? preempt_schedule_common+0x59/0xc0
[ 69.871377][ T6869] ? hci_le_meta_evt+0x384e/0x3eb0
[ 69.876491][ T6869] ? preempt_schedule_thunk+0x16/0x18
[ 69.881854][ T6869] ? trace_hardirqs_on+0x55/0x220
[ 69.886881][ T6869] ? hci_le_meta_evt+0x384e/0x3eb0
[ 69.891987][ T6869] ? hci_le_meta_evt+0x384e/0x3eb0
[ 69.897089][ T6869] end_report+0x4d/0x53
[ 69.901234][ T6869] kasan_report.cold+0xd/0x37
[ 69.905907][ T6869] ? hci_le_meta_evt+0x384e/0x3eb0
[ 69.911009][ T6869] hci_le_meta_evt+0x384e/0x3eb0
[ 69.915940][ T6869] ? mark_lock+0xbc/0x1710
[ 69.920353][ T6869] ? hci_key_refresh_complete_evt.isra.0+0x10b0/0x10b0
[ 69.927194][ T6869] ? mark_lock+0xbc/0x1710
[ 69.931608][ T6869] ? __lock_acquire+0x16e3/0x56e0
[ 69.936628][ T6869] ? __lock_acquire+0x16e3/0x56e0
[ 69.941647][ T6869] hci_event_packet+0x245a/0x86f5
[ 69.946667][ T6869] ? lockdep_hardirqs_on_prepare+0x590/0x590
[ 69.952631][ T6869] ? __lock_acquire+0x16e3/0x56e0
[ 69.957630][ T6869] ? hci_cmd_complete_evt+0xc6e0/0xc6e0
[ 69.963147][ T6869] ? lock_acquire+0x1f1/0xad0
[ 69.967804][ T6869] ? skb_dequeue+0x1c/0x180
[ 69.972276][ T6869] ? find_held_lock+0x2d/0x110
[ 69.977012][ T6869] ? mark_lock+0xbc/0x1710
[ 69.981399][ T6869] ? mark_held_locks+0x9f/0xe0
[ 69.986137][ T6869] ? _raw_spin_unlock_irqrestore+0x62/0xe0
[ 69.991936][ T6869] ? lockdep_hardirqs_on_prepare+0x3a2/0x590
[ 69.997888][ T6869] ? trace_hardirqs_on+0x5f/0x220
[ 70.002887][ T6869] ? lockdep_hardirqs_on+0x6a/0xe0
[ 70.007968][ T6869] hci_rx_work+0x22e/0xb10
[ 70.012357][ T6869] process_one_work+0x94c/0x1670
[ 70.017269][ T6869] ? lock_release+0x8d0/0x8d0
[ 70.021921][ T6869] ? pwq_dec_nr_in_flight+0x2d0/0x2d0
[ 70.027264][ T6869] ? rwlock_bug.part.0+0x90/0x90
[ 70.032175][ T6869] ? lockdep_hardirqs_off+0x66/0xa0
[ 70.037347][ T6869] worker_thread+0x64c/0x1120
[ 70.042084][ T6869] ? __kthread_parkme+0x13f/0x1e0
[ 70.047080][ T6869] ? process_one_work+0x1670/0x1670
[ 70.052247][ T6869] kthread+0x3b5/0x4a0
[ 70.056288][ T6869] ? __kthread_bind_mask+0xc0/0xc0
[ 70.061367][ T6869] ? __kthread_bind_mask+0xc0/0xc0
[ 70.066479][ T6869] ret_from_fork+0x1f/0x30
[ 70.072125][ T6869] Kernel Offset: disabled
[ 70.076437][ T6869] Rebooting in 86400 seconds..