Warning: Permanently added '10.128.15.211' (ECDSA) to the list of known hosts.
syzkaller login: [ 60.828589][ T6873] IPVS: ftp: loaded support on port[0] = 21
executing program
[ 60.919882][ T1547] ==================================================================
[ 60.928719][ T1547] BUG: KASAN: slab-out-of-bounds in hci_le_meta_evt+0x3a02/0x3ff0
[ 60.936517][ T1547] Read of size 1 at addr ffff88809e2c7a04 by task kworker/u5:0/1547
[ 60.944472][ T1547]
[ 60.946792][ T1547] CPU: 0 PID: 1547 Comm: kworker/u5:0 Not tainted 5.8.0-syzkaller #0
[ 60.954823][ T1547] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 60.964862][ T1547] Workqueue: hci0 hci_rx_work
[ 60.969534][ T1547] Call Trace:
[ 60.972799][ T1547] dump_stack+0x18f/0x20d
[ 60.977392][ T1547] ? hci_le_meta_evt+0x3a02/0x3ff0
[ 60.982490][ T1547] ? hci_le_meta_evt+0x3a02/0x3ff0
[ 60.987588][ T1547] print_address_description.constprop.0.cold+0xae/0x497
[ 60.994589][ T1547] ? vprintk_func+0x97/0x1a6
[ 60.999176][ T1547] ? hci_le_meta_evt+0x3a02/0x3ff0
[ 61.004261][ T1547] ? hci_le_meta_evt+0x3a02/0x3ff0
[ 61.009346][ T1547] kasan_report.cold+0x1f/0x37
[ 61.014095][ T1547] ? hci_le_meta_evt+0x3a02/0x3ff0
[ 61.019180][ T1547] hci_le_meta_evt+0x3a02/0x3ff0
[ 61.024094][ T1547] ? mark_lock+0xbc/0x1710
[ 61.028485][ T1547] ? hci_key_refresh_complete_evt.isra.0+0x10b0/0x10b0
[ 61.035304][ T1547] ? mark_lock+0xbc/0x1710
[ 61.039696][ T1547] ? __lock_acquire+0x16cb/0x5640
[ 61.044970][ T1547] ? __lock_acquire+0x16cb/0x5640
[ 61.049974][ T1547] hci_event_packet+0x2e25/0x87a8
[ 61.054984][ T1547] ? lockdep_hardirqs_on_prepare+0x530/0x530
[ 61.060936][ T1547] ? __lock_acquire+0x16cb/0x5640
[ 61.065946][ T1547] ? hci_cmd_complete_evt+0xc6d0/0xc6d0
[ 61.071476][ T1547] ? lock_acquire+0x1f1/0xad0
[ 61.076145][ T1547] ? skb_dequeue+0x1c/0x180
[ 61.080622][ T1547] ? find_held_lock+0x2d/0x110
[ 61.085372][ T1547] ? mark_lock+0xbc/0x1710
[ 61.089767][ T1547] ? mark_held_locks+0x9f/0xe0
[ 61.094519][ T1547] ? _raw_spin_unlock_irqrestore+0x62/0xe0
[ 61.100318][ T1547] ? lockdep_hardirqs_on_prepare+0x354/0x530
[ 61.106272][ T1547] ? trace_hardirqs_on+0x5f/0x220
[ 61.111281][ T1547] ? lockdep_hardirqs_on+0x76/0xf0
[ 61.116370][ T1547] hci_rx_work+0x22e/0xb50
[ 61.120767][ T1547] process_one_work+0x94c/0x1670
[ 61.126144][ T1547] ? lock_release+0x8e0/0x8e0
[ 61.130820][ T1547] ? pwq_dec_nr_in_flight+0x2d0/0x2d0
[ 61.136206][ T1547] ? rwlock_bug.part.0+0x90/0x90
[ 61.141204][ T1547] worker_thread+0x64c/0x1120
[ 61.146160][ T1547] ? process_one_work+0x1670/0x1670
[ 61.151339][ T1547] kthread+0x3b5/0x4a0
[ 61.155473][ T1547] ? __kthread_bind_mask+0xc0/0xc0
[ 61.160874][ T1547] ? __kthread_bind_mask+0xc0/0xc0
[ 61.165973][ T1547] ret_from_fork+0x1f/0x30
[ 61.170379][ T1547]
[ 61.172692][ T1547] Allocated by task 6873:
[ 61.177147][ T1547] kasan_save_stack+0x1b/0x40
[ 61.184064][ T1547] __kasan_kmalloc.constprop.0+0xbf/0xd0
[ 61.189674][ T1547] __alloc_skb+0xae/0x550
[ 61.193980][ T1547] vhci_write+0xbd/0x450
[ 61.198302][ T1547] new_sync_write+0x422/0x650
[ 61.202986][ T1547] vfs_write+0x5ad/0x730
[ 61.207553][ T1547] ksys_write+0x12d/0x250
[ 61.211859][ T1547] do_syscall_64+0x2d/0x70
[ 61.216249][ T1547] entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 61.222108][ T1547]
[ 61.224427][ T1547] The buggy address belongs to the object at ffff88809e2c7800
[ 61.224427][ T1547] which belongs to the cache kmalloc-512 of size 512
[ 61.238465][ T1547] The buggy address is located 4 bytes to the right of
[ 61.238465][ T1547] 512-byte region [ffff88809e2c7800, ffff88809e2c7a00)
[ 61.252073][ T1547] The buggy address belongs to the page:
[ 61.257695][ T1547] page:00000000b0b83cb1 refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff88809e2c7000 pfn:0x9e2c7
[ 61.269115][ T1547] flags: 0xfffe0000000200(slab)
[ 61.273942][ T1547] raw: 00fffe0000000200 ffffea00024f9408 ffffea00025b8ac8 ffff8880aa040600
[ 61.282501][ T1547] raw: ffff88809e2c7000 ffff88809e2c7000 0000000100000003 0000000000000000
[ 61.291052][ T1547] page dumped because: kasan: bad access detected
[ 61.297430][ T1547]
[ 61.299741][ T1547] Memory state around the buggy address:
[ 61.305344][ T1547] ffff88809e2c7900: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 61.313392][ T1547] ffff88809e2c7980: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 61.321553][ T1547] >ffff88809e2c7a00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 61.329587][ T1547] ^
[ 61.333643][ T1547] ffff88809e2c7a80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 61.341770][ T1547] ffff88809e2c7b00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 61.350151][ T1547] ==================================================================
[ 61.358182][ T1547] Disabling lock debugging due to kernel taint
[ 61.367275][ T164] tipc: TX() has been purged, node left!
[ 61.380423][ T1547] Kernel panic - not syncing: panic_on_warn set ...
[ 61.387034][ T1547] CPU: 0 PID: 1547 Comm: kworker/u5:0 Tainted: G B 5.8.0-syzkaller #0
[ 61.396459][ T1547] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 61.406497][ T1547] Workqueue: hci0 hci_rx_work
[ 61.411161][ T1547] Call Trace:
[ 61.414438][ T1547] dump_stack+0x18f/0x20d
[ 61.418741][ T1547] ? hci_le_meta_evt+0x3920/0x3ff0
[ 61.423927][ T1547] panic+0x2e3/0x75c
[ 61.427796][ T1547] ? __warn_printk+0xf3/0xf3
[ 61.432361][ T1547] ? preempt_schedule_common+0x59/0xc0
[ 61.437790][ T1547] ? hci_le_meta_evt+0x3a02/0x3ff0
[ 61.442874][ T1547] ? preempt_schedule_thunk+0x16/0x18
[ 61.448234][ T1547] ? trace_hardirqs_on+0x55/0x220
[ 61.453232][ T1547] ? hci_le_meta_evt+0x3a02/0x3ff0
[ 61.458346][ T1547] ? hci_le_meta_evt+0x3a02/0x3ff0
[ 61.463446][ T1547] end_report+0x4d/0x53
[ 61.467583][ T1547] kasan_report.cold+0xd/0x37
[ 61.472343][ T1547] ? hci_le_meta_evt+0x3a02/0x3ff0
[ 61.477441][ T1547] hci_le_meta_evt+0x3a02/0x3ff0
[ 61.482370][ T1547] ? mark_lock+0xbc/0x1710
[ 61.486761][ T1547] ? hci_key_refresh_complete_evt.isra.0+0x10b0/0x10b0
[ 61.493582][ T1547] ? mark_lock+0xbc/0x1710
[ 61.497969][ T1547] ? __lock_acquire+0x16cb/0x5640
[ 61.503067][ T1547] ? __lock_acquire+0x16cb/0x5640
[ 61.508067][ T1547] hci_event_packet+0x2e25/0x87a8
[ 61.513084][ T1547] ? lockdep_hardirqs_on_prepare+0x530/0x530
[ 61.519048][ T1547] ? __lock_acquire+0x16cb/0x5640
[ 61.524053][ T1547] ? hci_cmd_complete_evt+0xc6d0/0xc6d0
[ 61.529573][ T1547] ? lock_acquire+0x1f1/0xad0
[ 61.534240][ T1547] ? skb_dequeue+0x1c/0x180
[ 61.538732][ T1547] ? find_held_lock+0x2d/0x110
[ 61.543469][ T1547] ? mark_lock+0xbc/0x1710
[ 61.547863][ T1547] ? mark_held_locks+0x9f/0xe0
[ 61.552615][ T1547] ? _raw_spin_unlock_irqrestore+0x62/0xe0
[ 61.558393][ T1547] ? lockdep_hardirqs_on_prepare+0x354/0x530
[ 61.564363][ T1547] ? trace_hardirqs_on+0x5f/0x220
[ 61.569400][ T1547] ? lockdep_hardirqs_on+0x76/0xf0
[ 61.574492][ T1547] hci_rx_work+0x22e/0xb50
[ 61.578914][ T1547] process_one_work+0x94c/0x1670
[ 61.583839][ T1547] ? lock_release+0x8e0/0x8e0
[ 61.588576][ T1547] ? pwq_dec_nr_in_flight+0x2d0/0x2d0
[ 61.593921][ T1547] ? rwlock_bug.part.0+0x90/0x90
[ 61.598842][ T1547] worker_thread+0x64c/0x1120
[ 61.603502][ T1547] ? process_one_work+0x1670/0x1670
[ 61.608746][ T1547] kthread+0x3b5/0x4a0
[ 61.613029][ T1547] ? __kthread_bind_mask+0xc0/0xc0
[ 61.618185][ T1547] ? __kthread_bind_mask+0xc0/0xc0
[ 61.623277][ T1547] ret_from_fork+0x1f/0x30
[ 61.629327][ T1547] Kernel Offset: disabled
[ 61.633661][ T1547] Rebooting in 86400 seconds..