[  OK  ] Reached target Login Prompts.
[  OK  ] Reached target Multi-User System.
[  OK  ] Reached target Graphical Interface.
         Starting Update UTMP about System Runlevel Changes...
[  OK  ] Started Update UTMP about System Runlevel Changes.
         Starting Load/Save RF Kill Switch Status...
[  OK  ] Started Load/Save RF Kill Switch Status.


Debian GNU/Linux 9 syzkaller ttyS0

Warning: Permanently added '10.128.0.230' (ECDSA) to the list of known hosts.
syzkaller login: [   32.057069] audit: type=1400 audit(1596368109.832:8): avc:  denied  { execmem } for  pid=6354 comm="syz-executor705" scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=process permissive=1
[   32.338085] IPVS: ftp: loaded support on port[0] = 21
executing program
[   34.169005] ==================================================================
[   34.176448] BUG: KASAN: slab-out-of-bounds in hci_extended_inquiry_result_evt.isra.0+0x17b/0x4f0
[   34.185357] Read of size 6 at addr ffff888091817248 by task kworker/u5:0/1202
[   34.192602] 
[   34.194212] CPU: 0 PID: 1202 Comm: kworker/u5:0 Not tainted 4.14.191-syzkaller #0
[   34.201807] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   34.211142] Workqueue: hci0 hci_rx_work
[   34.215090] Call Trace:
[   34.217656]  dump_stack+0x1b2/0x283
[   34.221264]  print_address_description.cold+0x54/0x1d3
[   34.226526]  kasan_report_error.cold+0x8a/0x194
[   34.231176]  ? hci_extended_inquiry_result_evt.isra.0+0x17b/0x4f0
[   34.237382]  kasan_report+0x6f/0x7b
[   34.240986]  ? hci_extended_inquiry_result_evt.isra.0+0x17b/0x4f0
[   34.247201]  memcpy+0x20/0x50
[   34.250287]  hci_extended_inquiry_result_evt.isra.0+0x17b/0x4f0
[   34.256325]  ? hci_key_refresh_complete_evt.isra.0+0xe30/0xe30
[   34.262281]  ? kfree_skbmem+0x98/0x100
[   34.266148]  hci_event_packet+0xcfb/0x7c7a
[   34.270360]  ? trace_hardirqs_on+0x10/0x10
[   34.274573]  ? hci_cmd_complete_evt+0x9590/0x9590
[   34.279399]  ? trace_hardirqs_on+0x10/0x10
[   34.283612]  ? debug_object_deactivate+0x1da/0x2e0
[   34.288519]  ? skb_dequeue+0x120/0x170
[   34.292386]  ? mark_held_locks+0xa6/0xf0
[   34.296423]  ? _raw_spin_unlock_irqrestore+0x79/0xe0
[   34.301511]  ? trace_hardirqs_on_caller+0x3a8/0x580
[   34.306501]  ? _raw_spin_unlock_irqrestore+0x66/0xe0
[   34.311602]  hci_rx_work+0x3e6/0x970
[   34.315291]  ? rcu_lockdep_current_cpu_online+0xed/0x140
[   34.320718]  process_one_work+0x793/0x14a0
[   34.324933]  ? work_busy+0x320/0x320
[   34.328634]  ? worker_thread+0x158/0xff0
[   34.332677]  ? _raw_spin_unlock_irq+0x24/0x80
[   34.337152]  worker_thread+0x5cc/0xff0
[   34.341026]  ? rescuer_thread+0xc80/0xc80
[   34.345153]  kthread+0x30d/0x420
[   34.348498]  ? kthread_create_on_node+0xd0/0xd0
[   34.353147]  ret_from_fork+0x24/0x30
[   34.356842] 
[   34.358448] Allocated by task 6355:
[   34.362054]  kasan_kmalloc+0xeb/0x160
[   34.365830]  __kmalloc_node_track_caller+0x4c/0x70
[   34.370736]  __alloc_skb+0x96/0x510
[   34.374339]  vhci_write+0xb1/0x420
[   34.377855]  __vfs_write+0x44c/0x630
[   34.381540]  vfs_write+0x17f/0x4d0
[   34.385053]  SyS_write+0xf2/0x210
[   34.388481]  do_syscall_64+0x1d5/0x640
[   34.392345]  entry_SYSCALL_64_after_hwframe+0x46/0xbb
[   34.397507] 
[   34.399109] Freed by task 4429:
[   34.402365]  kasan_slab_free+0xc3/0x1a0
[   34.406316]  kfree+0xc9/0x250
[   34.409395]  kernfs_fop_release+0x10e/0x180
[   34.413693]  __fput+0x25f/0x7a0
[   34.416952]  task_work_run+0x11f/0x190
[   34.420817]  exit_to_usermode_loop+0x1ad/0x200
[   34.425387]  do_syscall_64+0x4a3/0x640
[   34.429256]  entry_SYSCALL_64_after_hwframe+0x46/0xbb
[   34.434417] 
[   34.436026] The buggy address belongs to the object at ffff888091817040
[   34.436026]  which belongs to the cache kmalloc-512 of size 512
[   34.448661] The buggy address is located 8 bytes to the right of
[   34.448661]  512-byte region [ffff888091817040, ffff888091817240)
[   34.460858] The buggy address belongs to the page:
[   34.465767] page:ffffea00024605c0 count:1 mapcount:0 mapping:ffff888091817040 index:0x0
[   34.473887] flags: 0xfffe0000000100(slab)
[   34.478010] raw: 00fffe0000000100 ffff888091817040 0000000000000000 0000000100000006
[   34.485866] raw: ffffea000248eae0 ffffea0002673060 ffff88812fe52940 0000000000000000
[   34.493718] page dumped because: kasan: bad access detected
[   34.499398] 
[   34.501001] Memory state around the buggy address:
[   34.506012]  ffff888091817100: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   34.513344]  ffff888091817180: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   34.520677] >ffff888091817200: 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc
[   34.528019]                                               ^
[   34.533702]  ffff888091817280: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
[   34.541035]  ffff888091817300: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   34.548372] ==================================================================
[   34.555703] Disabling lock debugging due to kernel taint
[   34.575378] Kernel panic - not syncing: panic_on_warn set ...
[   34.575378] 
[   34.582766] CPU: 0 PID: 1202 Comm: kworker/u5:0 Tainted: G    B           4.14.191-syzkaller #0
[   34.591591] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   34.600943] Workqueue: hci0 hci_rx_work
[   34.604904] Call Trace:
[   34.607478]  dump_stack+0x1b2/0x283
[   34.611078]  panic+0x1f9/0x42d
[   34.614327]  ? add_taint.cold+0x16/0x16
[   34.618272]  ? ___preempt_schedule+0x16/0x18
[   34.622653]  kasan_end_report+0x43/0x49
[   34.626597]  kasan_report_error.cold+0xa7/0x194
[   34.631236]  ? hci_extended_inquiry_result_evt.isra.0+0x17b/0x4f0
[   34.637436]  kasan_report+0x6f/0x7b
[   34.641038]  ? hci_extended_inquiry_result_evt.isra.0+0x17b/0x4f0
[   34.647238]  memcpy+0x20/0x50
[   34.650316]  hci_extended_inquiry_result_evt.isra.0+0x17b/0x4f0
[   34.656347]  ? hci_key_refresh_complete_evt.isra.0+0xe30/0xe30
[   34.662291]  ? kfree_skbmem+0x98/0x100
[   34.666150]  hci_event_packet+0xcfb/0x7c7a
[   34.670359]  ? trace_hardirqs_on+0x10/0x10
[   34.674565]  ? hci_cmd_complete_evt+0x9590/0x9590
[   34.679378]  ? trace_hardirqs_on+0x10/0x10
[   34.683584]  ? debug_object_deactivate+0x1da/0x2e0
[   34.688482]  ? skb_dequeue+0x120/0x170
[   34.692338]  ? mark_held_locks+0xa6/0xf0
[   34.696370]  ? _raw_spin_unlock_irqrestore+0x79/0xe0
[   34.701444]  ? trace_hardirqs_on_caller+0x3a8/0x580
[   34.706452]  ? _raw_spin_unlock_irqrestore+0x66/0xe0
[   34.711536]  hci_rx_work+0x3e6/0x970
[   34.715222]  ? rcu_lockdep_current_cpu_online+0xed/0x140
[   34.720644]  process_one_work+0x793/0x14a0
[   34.724851]  ? work_busy+0x320/0x320
[   34.728534]  ? worker_thread+0x158/0xff0
[   34.732565]  ? _raw_spin_unlock_irq+0x24/0x80
[   34.737030]  worker_thread+0x5cc/0xff0
[   34.740902]  ? rescuer_thread+0xc80/0xc80
[   34.745020]  kthread+0x30d/0x420
[   34.748357]  ? kthread_create_on_node+0xd0/0xd0
[   34.752994]  ret_from_fork+0x24/0x30
[   34.757803] Kernel Offset: disabled
[   34.761429] Rebooting in 86400 seconds..
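The report above pins the bug down precisely: a 6-byte read (the bdaddr copy in hci_extended_inquiry_result_evt) that starts 8 bytes past the end of a 512-byte kmalloc object holding skb data that userspace wrote through /dev/vhci. The following userspace model is an added example, not code from the syzkaller report or from the Linux tree: it walks an Extended Inquiry Result payload the way the handler does, trusting the num_rsp count, and uses a small bounds-checked copy in place of KASAN to record the first read that leaves the object. The 254-byte entry size is the HCI extended_inquiry_info layout (6-byte bdaddr, two page-scan bytes, 3-byte class, 2-byte clock offset, rssi, 240 bytes of EIR data); the hardened path checks skb->len against num_rsp before looping, which is the shape of fix this class of bug gets, but the page does not show the upstream patch, so that check is this example's own. The sample packet, the struct and function names and the fixed 512-byte object are constructed for the example.

```c
/*
 * Model of the parsing pattern behind this KASAN report (added example,
 * not kernel code). A fixed 512-byte region stands in for the kmalloc-512
 * object, and kasan_memcpy() records instead of performing any read that
 * crosses the object boundary.
 */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define BDADDR_LEN     6
#define EIR_INFO_LEN   254 /* bdaddr 6 + pscan_rep 1 + pscan_period 1 + dev_class 3 + clock_offset 2 + rssi 1 + data 240 */
#define SLAB_OBJ_SIZE  512 /* kmalloc-512, the cache named in the report */

struct model_skb {
    uint8_t obj[SLAB_OBJ_SIZE]; /* slab object backing the skb data */
    size_t  len;                /* skb->len: bytes userspace actually wrote */
};

/* What "KASAN" saw: first read that left the object, if any. */
struct oob_report {
    int    hit;
    size_t size;        /* size of the offending read */
    size_t bytes_right; /* distance of its first byte past the object end */
};

/* Bounds-checked stand-in for memcpy(). Note that reads between skb->len
 * and the object end are NOT flagged, exactly as with real KASAN: only the
 * slab object boundary trips the detector. */
static int kasan_memcpy(void *dst, const struct model_skb *skb, size_t off,
                        size_t n, struct oob_report *rep)
{
    if (off + n > SLAB_OBJ_SIZE) {
        if (!rep->hit) {
            rep->hit = 1;
            rep->size = n;
            rep->bytes_right = off >= SLAB_OBJ_SIZE ? off - SLAB_OBJ_SIZE : 0;
        }
        return -1;
    }
    memcpy(dst, skb->obj + off, n);
    return 0;
}

/* Handler modelled on hci_extended_inquiry_result_evt(): num_rsp byte,
 * then num_rsp entries of EIR_INFO_LEN bytes, copying each bdaddr.
 * hardened == 0 trusts num_rsp (the behaviour the report caught);
 * hardened == 1 first checks that skb->len covers every entry.
 * Returns entries processed, or -1 if the event is rejected. */
static int handle_eir_event(const struct model_skb *skb, int hardened,
                            struct oob_report *rep)
{
    uint8_t bdaddr[BDADDR_LEN];
    size_t off = 0;
    uint8_t num_rsp;

    memset(rep, 0, sizeof(*rep));
    if (skb->len < 1)
        return -1;
    num_rsp = skb->obj[off++];

    /* Hardened path (this example's check): the loop below consumes
     * 1 + num_rsp * EIR_INFO_LEN bytes, so that many must be present. */
    if (hardened && (num_rsp == 0 || skb->len < 1 + (size_t)num_rsp * EIR_INFO_LEN))
        return -1;

    for (int i = 0; i < num_rsp; i++, off += EIR_INFO_LEN) {
        /* the 6-byte bdaddr copy: "Read of size 6" in the report */
        if (kasan_memcpy(bdaddr, skb, off, BDADDR_LEN, rep) < 0)
            return i; /* stop where the kernel would have reported */
    }
    return num_rsp;
}

/* Constructed input of the kind syz-executor injects through /dev/vhci:
 * exactly one entry on the wire, while num_rsp claims `claimed`. */
static void build_short_eir(struct model_skb *skb, uint8_t claimed)
{
    memset(skb, 0, sizeof(*skb));
    skb->obj[0] = claimed;
    skb->len = 1 + EIR_INFO_LEN;
}

/* Entries the handler processed for a packet claiming `claimed` entries. */
int scenario_entries(uint8_t claimed, int hardened)
{
    struct model_skb skb;
    struct oob_report rep;
    build_short_eir(&skb, claimed);
    return handle_eir_event(&skb, hardened, &rep);
}

/* Size of the out-of-object read for that packet, 0 if none occurred. */
int scenario_oob_size(uint8_t claimed, int hardened)
{
    struct model_skb skb;
    struct oob_report rep;
    build_short_eir(&skb, claimed);
    handle_eir_event(&skb, hardened, &rep);
    return rep.hit ? (int)rep.size : 0;
}

int main(void)
{
    printf("num_rsp=3, trusting count: processed %d, OOB read size %d\n",
           scenario_entries(3, 0), scenario_oob_size(3, 0));
    printf("num_rsp=3, length-checked: processed %d, OOB read size %d\n",
           scenario_entries(3, 1), scenario_oob_size(3, 1));
    return 0;
}
```

With num_rsp=3 and one real entry, the unchecked loop reads entry 0 at offset 1, entry 1 at offset 255 (past skb->len but still inside the object, so silently wrong rather than caught), and entry 2 at offset 509, whose 6-byte copy crosses the 512-byte boundary and is recorded. The same packet is rejected outright by the length check, and a well-formed packet with num_rsp=1 passes both paths unchanged.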