[ 33.419796] audit: type=1800 audit(1556763903.564:33): pid=6893 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:kernel_t:s0 op="collect_data" cause="failed(directio)" comm="startpar" name="rc.local" dev="sda1" ino=2465 res=0
[ 33.451558] audit: type=1800 audit(1556763903.574:34): pid=6893 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:kernel_t:s0 op="collect_data" cause="failed(directio)" comm="startpar" name="rmnologin" dev="sda1" ino=2456 res=0
Debian GNU/Linux 7 syzkaller ttyS0
syzkaller login: [ 37.138613] random: sshd: uninitialized urandom read (32 bytes read)
[ 37.409514] audit: type=1400 audit(1556763907.554:35): avc: denied { map } for pid=7066 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
[ 37.474951] random: sshd: uninitialized urandom read (32 bytes read)
[ 38.064686] random: sshd: uninitialized urandom read (32 bytes read)
[ 58.543610] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.10.31' (ECDSA) to the list of known hosts.
[ 64.227715] random: sshd: uninitialized urandom read (32 bytes read)
executing program
executing program
executing program
[ 64.367604] audit: type=1400 audit(1556763934.514:36): avc: denied { map } for pid=7078 comm="syz-executor021" path="/root/syz-executor021756876" dev="sda1" ino=1426 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
[ 64.416944] ==================================================================
[ 64.424550] BUG: KASAN: slab-out-of-bounds in hci_event_packet+0x9524/0x9d13
[ 64.431738] Read of size 6 at addr ffff88808ba3ec7b by task kworker/u5:0/1402
[ 64.439422]
[ 64.441047] CPU: 1 PID: 1402 Comm: kworker/u5:0 Not tainted 4.14.114 #4
[ 64.447789] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 64.457167] Workqueue: hci0 hci_rx_work
[ 64.461151] Call Trace:
[ 64.463763]  dump_stack+0x138/0x19c
[ 64.467391]  ? hci_event_packet+0x9524/0x9d13
[ 64.472044]  print_address_description.cold+0x7c/0x1dc
[ 64.477410]  ? hci_event_packet+0x9524/0x9d13
[ 64.481915]  kasan_report.cold+0xaf/0x2b5
[ 64.486066]  __asan_report_load_n_noabort+0xf/0x20
[ 64.490999]  hci_event_packet+0x9524/0x9d13
[ 64.495337]  ? hci_cmd_complete_evt+0x9ba0/0x9ba0
[ 64.500205]  ? __lock_acquire+0x270b/0x45e0
[ 64.504553]  ? __debug_object_init+0x8a0/0x8e0
[ 64.509140]  ? partition_sched_domains+0x70/0x605
[ 64.514106]  ? skb_dequeue+0x12e/0x180
[ 64.518005]  ? mark_held_locks+0xb1/0x100
[ 64.522164]  ? _raw_spin_unlock_irqrestore+0x6b/0xe0
[ 64.527358]  ? trace_hardirqs_on_caller+0x400/0x590
[ 64.532397]  ? _raw_spin_unlock_irqrestore+0xa4/0xe0
[ 64.537516]  hci_rx_work+0x3ab/0x900
[ 64.541224]  ? hci_rx_work+0x3ab/0x900
[ 64.545126]  process_one_work+0x868/0x1610
[ 64.549369]  ? pwq_dec_nr_in_flight+0x2e0/0x2e0
[ 64.554038]  worker_thread+0x5d9/0x1050
[ 64.558114]  kthread+0x31c/0x430
[ 64.561476]  ? process_one_work+0x1610/0x1610
[ 64.565968]  ? kthread_create_on_node+0xd0/0xd0
[ 64.571695]  ret_from_fork+0x3a/0x50
[ 64.575571]
[ 64.577230] Allocated by task 7082:
[ 64.580893]  save_stack_trace+0x16/0x20
[ 64.585075]  save_stack+0x45/0xd0
[ 64.588725]  kasan_kmalloc+0xce/0xf0
[ 64.592474]  __kmalloc_node_track_caller+0x51/0x80
[ 64.597450]  __kmalloc_reserve.isra.0+0x40/0xe0
[ 64.602147]  __alloc_skb+0xcf/0x500
[ 64.605822]  vhci_write+0xb6/0x437
[ 64.609403]  __vfs_write+0x4ae/0x6c0
[ 64.613149]  vfs_write+0x198/0x500
[ 64.616734]  SyS_write+0xb8/0x180
[ 64.620221]  do_syscall_64+0x1eb/0x630
[ 64.624132]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 64.629325]
[ 64.630958] Freed by task 3559:
[ 64.634263]  save_stack_trace+0x16/0x20
[ 64.638268]  save_stack+0x45/0xd0
[ 64.641743]  kasan_slab_free+0x75/0xc0
[ 64.645650]  kfree+0xcc/0x270
[ 64.648795]  kernfs_fop_release+0x112/0x180
[ 64.653171]  __fput+0x277/0x7a0
[ 64.656476]  ____fput+0x16/0x20
[ 64.659793]  task_work_run+0x119/0x190
[ 64.663710]  exit_to_usermode_loop+0x1da/0x220
[ 64.668324]  do_syscall_64+0x4a9/0x630
[ 64.672234]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 64.677435]
[ 64.679074] The buggy address belongs to the object at ffff88808ba3ea80
[ 64.679074]  which belongs to the cache kmalloc-512 of size 512
[ 64.691749] The buggy address is located 507 bytes inside of
[ 64.691749]  512-byte region [ffff88808ba3ea80, ffff88808ba3ec80)
[ 64.703814] The buggy address belongs to the page:
[ 64.708764] page:ffffea00022e8f80 count:1 mapcount:0 mapping:ffff88808ba3e080 index:0x0
[ 64.716954] flags: 0x1fffc0000000100(slab)
[ 64.721231] raw: 01fffc0000000100 ffff88808ba3e080 0000000000000000 0000000100000006
[ 64.729218] raw: ffffea00022e8f20 ffffea00024050e0 ffff8880aa800940 0000000000000000
[ 64.737134] page dumped because: kasan: bad access detected
[ 64.742855]
[ 64.744483] Memory state around the buggy address:
[ 64.749434]  ffff88808ba3eb80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 64.756816]  ffff88808ba3ec00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 64.764201] >ffff88808ba3ec80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 64.771582]                    ^
[ 64.774992]  ffff88808ba3ed00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 64.782367]  ffff88808ba3ed80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 64.789754] ==================================================================
[ 64.797128] Disabling lock debugging due to kernel taint
[ 64.803655] Kernel panic - not syncing: panic_on_warn set ...
[ 64.803655]
[ 64.811040] CPU: 1 PID: 1402 Comm: kworker/u5:0 Tainted: G B 4.14.114 #4
[ 64.819061] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 64.828774] Workqueue: hci0 hci_rx_work
[ 64.832859] Call Trace:
[ 64.835455]  dump_stack+0x138/0x19c
[ 64.839199]  ? hci_event_packet+0x9524/0x9d13
[ 64.843697]  panic+0x1f2/0x438
[ 64.846889]  ? add_taint.cold+0x16/0x16
[ 64.850860]  ? ___preempt_schedule+0x16/0x18
[ 64.855554]  kasan_end_report+0x47/0x4f
[ 64.859577]  kasan_report.cold+0x136/0x2b5
[ 64.863826]  __asan_report_load_n_noabort+0xf/0x20
[ 64.868775]  hci_event_packet+0x9524/0x9d13
[ 64.873100]  ? hci_cmd_complete_evt+0x9ba0/0x9ba0
[ 64.877937]  ? __lock_acquire+0x270b/0x45e0
[ 64.882256]  ? __debug_object_init+0x8a0/0x8e0
[ 64.886858]  ? partition_sched_domains+0x70/0x605
[ 64.891700]  ? skb_dequeue+0x12e/0x180
[ 64.895586]  ? mark_held_locks+0xb1/0x100
[ 64.899845]  ? _raw_spin_unlock_irqrestore+0x6b/0xe0
[ 64.904984]  ? trace_hardirqs_on_caller+0x400/0x590
[ 64.909990]  ? _raw_spin_unlock_irqrestore+0xa4/0xe0
[ 64.915169]  hci_rx_work+0x3ab/0x900
[ 64.919030]  ? hci_rx_work+0x3ab/0x900
[ 64.922910]  process_one_work+0x868/0x1610
[ 64.927130]  ? pwq_dec_nr_in_flight+0x2e0/0x2e0
[ 64.931790]  worker_thread+0x5d9/0x1050
[ 64.935756]  kthread+0x31c/0x430
[ 64.939139]  ? process_one_work+0x1610/0x1610
[ 64.943700]  ? kthread_create_on_node+0xd0/0xd0
[ 64.948757]  ret_from_fork+0x3a/0x50
[ 64.953737] Kernel Offset: disabled
[ 64.957389] Rebooting in 86400 seconds..