[  OK  ] Reached target Graphical Interface.
         Starting Update UTMP about System Runlevel Changes...
         Starting Load/Save RF Kill Switch Status...
[  OK  ] Started Load/Save RF Kill Switch Status.
[  OK  ] Started Update UTMP about System Runlevel Changes.

Debian GNU/Linux 9 syzkaller ttyS0

Warning: Permanently added '10.128.0.210' (ECDSA) to the list of known hosts.

syzkaller login: [   35.440463] IPVS: ftp: loaded support on port[0] = 21
executing program
[   35.530549] Bluetooth: hci0: advertising data len corrected
[   35.537256] Bluetooth: hci0: advertising data len corrected
[   35.543002] Bluetooth: hci0: advertising data len corrected
[   35.548971] Bluetooth: hci0: advertising data len corrected
[   35.554904] ==================================================================
[   35.562335] BUG: KASAN: slab-out-of-bounds in hci_le_meta_evt+0x383e/0x3f20
[   35.569412] Read of size 1 at addr ffff8880b243c891 by task kworker/u5:2/8113
[   35.576657]
[   35.578266] CPU: 0 PID: 8113 Comm: kworker/u5:2 Not tainted 4.19.211-syzkaller #0
[   35.585859] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/26/2022
[   35.595197] Workqueue: hci0 hci_rx_work
[   35.599158] Call Trace:
[   35.601727]  dump_stack+0x1fc/0x2ef
[   35.605340]  print_address_description.cold+0x54/0x219
[   35.610599]  kasan_report_error.cold+0x8a/0x1b9
[   35.615245]  ? hci_le_meta_evt+0x383e/0x3f20
[   35.619634]  __asan_report_load1_noabort+0x88/0x90
[   35.624549]  ? hci_le_meta_evt+0x383e/0x3f20
[   35.628936]  hci_le_meta_evt+0x383e/0x3f20
[   35.633170]  ? __lock_acquire+0x6de/0x3ff0
[   35.637387]  ? hci_cmd_status_evt+0x6fc0/0x6fc0
[   35.642038]  ? __lock_acquire+0x6de/0x3ff0
[   35.646252]  ? __lock_acquire+0x6de/0x3ff0
[   35.650468]  hci_event_packet+0x34ad/0x7e20
[   35.654768]  ? mark_held_locks+0xf0/0xf0
[   35.658809]  ? __lock_acquire+0x6de/0x3ff0
[   35.663025]  ? hci_cmd_complete_evt+0xc280/0xc280
[   35.667849]  ? update_curr+0x3b9/0x870
[   35.671717]  ? debug_object_deactivate+0x1f9/0x2e0
[   35.676634]  ? mark_held_locks+0xa6/0xf0
[   35.680676]  ? _raw_spin_unlock_irqrestore+0x79/0xe0
[   35.685760]  ? lockdep_hardirqs_on+0x3a8/0x5c0
[   35.690323]  hci_rx_work+0x4ad/0xc70
[   35.694019]  process_one_work+0x864/0x1570
[   35.698248]  ? pwq_dec_nr_in_flight+0x2d0/0x2d0
[   35.702899]  worker_thread+0x64c/0x1130
[   35.706854]  ? __kthread_parkme+0x133/0x1e0
[   35.711154]  ? process_one_work+0x1570/0x1570
[   35.715642]  kthread+0x33f/0x460
[   35.718997]  ? kthread_park+0x180/0x180
[   35.722959]  ret_from_fork+0x24/0x30
[   35.726654]
[   35.728269] Allocated by task 8106:
[   35.731876]  __kmalloc_node_track_caller+0x4c/0x70
[   35.736781]  __alloc_skb+0xae/0x560
[   35.740385]  vhci_write+0xbd/0x450
[   35.743904]  __vfs_write+0x51b/0x770
[   35.747597]  vfs_write+0x1f3/0x540
[   35.751115]  ksys_write+0x12b/0x2a0
[   35.754719]  do_syscall_64+0xf9/0x620
[   35.758500]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   35.763662]
[   35.765274] Freed by task 0:
[   35.768263] (stack is not available)
[   35.772044]
[   35.773651] The buggy address belongs to the object at ffff8880b243c480
[   35.773651]  which belongs to the cache kmalloc-1024 of size 1024
[   35.786543] The buggy address is located 17 bytes to the right of
[   35.786543]  1024-byte region [ffff8880b243c480, ffff8880b243c880)
[   35.798921] The buggy address belongs to the page:
[   35.803835] page:ffffea0002c90f00 count:1 mapcount:0 mapping:ffff88813bff0ac0 index:0x0 compound_mapcount: 0
[   35.813783] flags: 0xfff00000008100(slab|head)
[   35.818347] raw: 00fff00000008100 ffffea0002ca4608 ffff88813bff1848 ffff88813bff0ac0
[   35.826205] raw: 0000000000000000 ffff8880b243c000 0000000100000007 0000000000000000
[   35.834072] page dumped because: kasan: bad access detected
[   35.839755]
[   35.841358] Memory state around the buggy address:
[   35.846276]  ffff8880b243c780: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   35.853614]  ffff8880b243c800: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   35.860953] >ffff8880b243c880: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   35.868300]                          ^
[   35.872165]  ffff8880b243c900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   35.879499]  ffff8880b243c980: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   35.886831] ==================================================================
[   35.894162] Disabling lock debugging due to kernel taint
[   35.899820] Kernel panic - not syncing: panic_on_warn set ...
[   35.899820]
[   35.907184] CPU: 0 PID: 8113 Comm: kworker/u5:2 Tainted: G    B 4.19.211-syzkaller #0
[   35.916181] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/26/2022
[   35.925527] Workqueue: hci0 hci_rx_work
[   35.929475] Call Trace:
[   35.932042]  dump_stack+0x1fc/0x2ef
[   35.935651]  panic+0x26a/0x50e
[   35.938825]  ? __warn_printk+0xf3/0xf3
[   35.942689]  ? preempt_schedule_common+0x45/0xc0
[   35.947422]  ? ___preempt_schedule+0x16/0x18
[   35.951808]  ? trace_hardirqs_on+0x55/0x210
[   35.956108]  kasan_end_report+0x43/0x49
[   35.960059]  kasan_report_error.cold+0xa7/0x1b9
[   35.964705]  ? hci_le_meta_evt+0x383e/0x3f20
[   35.969089]  __asan_report_load1_noabort+0x88/0x90
[   35.973996]  ? hci_le_meta_evt+0x383e/0x3f20
[   35.978380]  hci_le_meta_evt+0x383e/0x3f20
[   35.982593]  ? __lock_acquire+0x6de/0x3ff0
[   35.986805]  ? hci_cmd_status_evt+0x6fc0/0x6fc0
[   35.991450]  ? __lock_acquire+0x6de/0x3ff0
[   35.995677]  ? __lock_acquire+0x6de/0x3ff0
[   35.999889]  hci_event_packet+0x34ad/0x7e20
[   36.004186]  ? mark_held_locks+0xf0/0xf0
[   36.008223]  ? __lock_acquire+0x6de/0x3ff0
[   36.012437]  ? hci_cmd_complete_evt+0xc280/0xc280
[   36.017255]  ? update_curr+0x3b9/0x870
[   36.021120]  ? debug_object_deactivate+0x1f9/0x2e0
[   36.026028]  ? mark_held_locks+0xa6/0xf0
[   36.030065]  ? _raw_spin_unlock_irqrestore+0x79/0xe0
[   36.035142]  ? lockdep_hardirqs_on+0x3a8/0x5c0
[   36.039719]  hci_rx_work+0x4ad/0xc70
[   36.043415]  process_one_work+0x864/0x1570
[   36.047629]  ? pwq_dec_nr_in_flight+0x2d0/0x2d0
[   36.052275]  worker_thread+0x64c/0x1130
[   36.056228]  ? __kthread_parkme+0x133/0x1e0
[   36.060524]  ? process_one_work+0x1570/0x1570
[   36.064993]  kthread+0x33f/0x460
[   36.068335]  ? kthread_park+0x180/0x180
[   36.072284]  ret_from_fork+0x24/0x30
[   36.076149] Kernel Offset: disabled
[   36.079754] Rebooting in 86400 seconds..