Warning: Permanently added '10.128.0.59' (ECDSA) to the list of known hosts.
[ 40.545081] audit: type=1400 audit(1598516991.871:8): avc: denied { execmem } for pid=6445 comm="syz-executor673" scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=process permissive=1
[ 41.664367] IPVS: ftp: loaded support on port[0] = 21
executing program
[ 41.716538] Bluetooth: hci0: unknown advertising packet type: 0x66
[ 41.723040] Bluetooth: hci0: unknown advertising packet type: 0x50
[ 41.730879] Bluetooth: hci0: unknown advertising packet type: 0x72
[ 41.737721] Bluetooth: hci0: unknown advertising packet type: 0x53
[ 41.744121] Bluetooth: hci0: unknown advertising packet type: 0x4e
[ 41.750574] Bluetooth: hci0: unknown advertising packet type: 0x3d
[ 41.757114] Bluetooth: hci0: unknown advertising packet type: 0x41
[ 41.763642] Bluetooth: hci0: unknown advertising packet type: 0x3d
[ 41.770295] ==================================================================
[ 41.777790] BUG: KASAN: slab-out-of-bounds in hci_le_meta_evt+0x33f5/0x3a50
[ 41.784907] Read of size 1 at addr ffff88808ba4228c by task kworker/u5:2/6453
[ 41.792183]
[ 41.793842] CPU: 1 PID: 6453 Comm: kworker/u5:2 Not tainted 4.19.142-syzkaller #0
[ 41.801483] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 41.810857] Workqueue: hci0 hci_rx_work
[ 41.814827] Call Trace:
[ 41.817421]  dump_stack+0x1fc/0x2fe
[ 41.824281]  print_address_description.cold+0x54/0x219
[ 41.829569]  kasan_report_error.cold+0x8a/0x1c7
[ 41.834251]  ? hci_le_meta_evt+0x33f5/0x3a50
[ 41.838667]  __asan_report_load1_noabort+0x88/0x90
[ 41.843625]  ? hci_le_meta_evt+0x33f5/0x3a50
[ 41.848041]  hci_le_meta_evt+0x33f5/0x3a50
[ 41.852284]  ? __lock_acquire+0x6de/0x3ff0
[ 41.856529]  ? read_enc_key_size_complete+0xb90/0xb90
[ 41.861735]  ? __lock_acquire+0x6de/0x3ff0
[ 41.865982]  ? __lock_acquire+0x6de/0x3ff0
[ 41.870234]  hci_event_packet+0x1e4a/0x862d
[ 41.874571]  ? mark_held_locks+0xf0/0xf0
[ 41.878640]  ? __lock_acquire+0x6de/0x3ff0
[ 41.882887]  ? hci_cmd_complete_evt+0xb5e0/0xb5e0
[ 41.887744]  ? __update_load_avg_se+0x5ec/0xa00
[ 41.892424]  ? debug_object_deactivate+0x1f9/0x2e0
[ 41.897376]  ? mark_held_locks+0xa6/0xf0
[ 41.902854]  ? _raw_spin_unlock_irqrestore+0x79/0xe0
[ 41.907967]  ? lockdep_hardirqs_on+0x3a8/0x5c0
[ 41.912565]  hci_rx_work+0x46b/0xa90
[ 41.916291]  process_one_work+0x864/0x1570
[ 41.920554]  ? pwq_dec_nr_in_flight+0x2d0/0x2d0
[ 41.925241]  worker_thread+0x64c/0x1130
[ 41.929235]  ? __kthread_parkme+0x133/0x1e0
[ 41.933559]  ? process_one_work+0x1570/0x1570
[ 41.938057]  kthread+0x33f/0x460
[ 41.941447]  ? kthread_park+0x180/0x180
[ 41.945431]  ret_from_fork+0x24/0x30
[ 41.949170]
[ 41.950789] Allocated by task 6446:
[ 41.954435]  __kmalloc_node_track_caller+0x4c/0x70
[ 41.959374]  __alloc_skb+0xae/0x560
[ 41.963003]  vhci_write+0xbd/0x450
[ 41.966548]  __vfs_write+0x51b/0x770
[ 41.970266]  vfs_write+0x1f3/0x540
[ 41.973852]  ksys_write+0x12b/0x2a0
[ 41.977566]  do_syscall_64+0xf9/0x620
[ 41.981369]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 41.986548]
[ 41.988168] Freed by task 3715:
[ 41.991449]  kfree+0xcc/0x210
[ 41.994558]  skb_release_data+0x6de/0x920
[ 41.998713]  consume_skb+0x113/0x3d0
[ 42.002454]  skb_free_datagram+0x16/0xf0
[ 42.006523]  netlink_recvmsg+0x627/0xea0
[ 42.010592]  sock_recvmsg+0xca/0x110
[ 42.014309]  ___sys_recvmsg+0x255/0x570
[ 42.018286]  __x64_sys_recvmsg+0x12f/0x220
[ 42.022536]  do_syscall_64+0xf9/0x620
[ 42.026360]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 42.031545]
[ 42.033172] The buggy address belongs to the object at ffff88808ba42080
[ 42.033172]  which belongs to the cache kmalloc-512 of size 512
[ 42.045837] The buggy address is located 12 bytes to the right of
[ 42.045837]  512-byte region [ffff88808ba42080, ffff88808ba42280)
[ 42.058156] The buggy address belongs to the page:
[ 42.063115] page:ffffea00022e9080 count:1 mapcount:0 mapping:ffff88812c39c940 index:0xffff88808ba42d00
[ 42.072565] flags: 0xfffe0000000100(slab)
[ 42.076746] raw: 00fffe0000000100 ffffea00022e6608 ffffea00022e9008 ffff88812c39c940
[ 42.084645] raw: ffff88808ba42d00 ffff88808ba42080 0000000100000003 0000000000000000
[ 42.092531] page dumped because: kasan: bad access detected
[ 42.098258]
[ 42.099874] Memory state around the buggy address:
[ 42.104801]  ffff88808ba42180: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 42.112169]  ffff88808ba42200: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 42.119529] >ffff88808ba42280: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 42.126899]                                                              ^
[ 42.130530]  ffff88808ba42300: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 42.137892]  ffff88808ba42380: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 42.145334] ==================================================================
[ 42.152693] Disabling lock debugging due to kernel taint
[ 42.158517] Kernel panic - not syncing: panic_on_warn set ...
[ 42.158517]
[ 42.165898] CPU: 1 PID: 6453 Comm: kworker/u5:2 Tainted: G    B             4.19.142-syzkaller #0
[ 42.174919] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 42.184290] Workqueue: hci0 hci_rx_work
[ 42.188270] Call Trace:
[ 42.190866]  dump_stack+0x1fc/0x2fe
[ 42.194505]  panic+0x26a/0x50e
[ 42.198006]  ? __warn_printk+0xf3/0xf3
[ 42.201918]  ? trace_hardirqs_on+0x55/0x210
[ 42.206222]  kasan_end_report+0x43/0x49
[ 42.210181]  kasan_report_error.cold+0xa7/0x1c7
[ 42.214835]  ? hci_le_meta_evt+0x33f5/0x3a50
[ 42.219228]  __asan_report_load1_noabort+0x88/0x90
[ 42.224142]  ? hci_le_meta_evt+0x33f5/0x3a50
[ 42.228536]  hci_le_meta_evt+0x33f5/0x3a50
[ 42.232790]  ? __lock_acquire+0x6de/0x3ff0
[ 42.237021]  ? read_enc_key_size_complete+0xb90/0xb90
[ 42.242196]  ? __lock_acquire+0x6de/0x3ff0
[ 42.246431]  ? __lock_acquire+0x6de/0x3ff0
[ 42.250666]  hci_event_packet+0x1e4a/0x862d
[ 42.254974]  ? mark_held_locks+0xf0/0xf0
[ 42.259034]  ? __lock_acquire+0x6de/0x3ff0
[ 42.263253]  ? hci_cmd_complete_evt+0xb5e0/0xb5e0
[ 42.268094]  ? __update_load_avg_se+0x5ec/0xa00
[ 42.272746]  ? debug_object_deactivate+0x1f9/0x2e0
[ 42.277682]  ? mark_held_locks+0xa6/0xf0
[ 42.281727]  ? _raw_spin_unlock_irqrestore+0x79/0xe0
[ 42.286815]  ? lockdep_hardirqs_on+0x3a8/0x5c0
[ 42.291382]  hci_rx_work+0x46b/0xa90
[ 42.295097]  process_one_work+0x864/0x1570
[ 42.299318]  ? pwq_dec_nr_in_flight+0x2d0/0x2d0
[ 42.303970]  worker_thread+0x64c/0x1130
[ 42.309756]  ? __kthread_parkme+0x133/0x1e0
[ 42.314074]  ? process_one_work+0x1570/0x1570
[ 42.318565]  kthread+0x33f/0x460
[ 42.321955]  ? kthread_park+0x180/0x180
[ 42.325921]  ret_from_fork+0x24/0x30
[ 42.330753] Kernel Offset: disabled
[ 42.334373] Rebooting in 86400 seconds..
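What the report above pins down: a 1-byte read in hci_le_meta_evt landed 12 bytes past the end of a 512-byte kmalloc object (the `fc` bytes in the KASAN shadow are the slab redzone), the object was an skb allocated by `vhci_write`, i.e. an HCI packet injected from user space through the virtual HCI device, and the splat was preceded by eight "unknown advertising packet type" messages whose values (0x66, 0x50, 0x72, 0x53, 0x4e, 0x3d, 0x41, 0x3d) are all printable ASCII, which is consistent with a report-parsing loop having walked past the event into neighbouring memory. The example below is an added illustration of that bug class and is not the kernel's code: a length-prefixed list of records parsed from a buffer once without, and once with, a remaining-bytes check before each read. The record layout is a simplified sketch (an assumption for illustration) of an LE Advertising Report entry: event type, address type, 6-byte address, data length, data, RSSI. The sample event, the `SENTINEL` fill byte and the helper names are constructed here.

```c
/* Added illustration of the over-read pattern in the KASAN report above.
 * NOT the kernel's hci_le_meta_evt; record layout is a simplified assumption:
 *   evt_type(1) addr_type(1) bdaddr(6) len(1) data(len) rssi(1)
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ADV_HDR_LEN      9      /* evt_type + addr_type + bdaddr[6] + len */
#define ADV_MAX_REPORTS  16
#define SENTINEL         0x41   /* stands in for whatever follows the event in memory */

struct adv_report {
    uint8_t evt_type, addr_type, bdaddr[6], len;
    const uint8_t *data;
    int8_t rssi;
};

/* Vulnerable pattern: trusts num_reports and every len byte and is not even
 * told how long the buffer is, so a short event makes it read past the end. */
static int parse_adv_unchecked(const uint8_t *buf, struct adv_report *out, int max)
{
    const uint8_t *p = buf;
    int num = *p++;
    if (num > max)
        num = max;                      /* keeps out[] in bounds; not the point here */
    for (int i = 0; i < num; i++) {
        out[i].evt_type  = p[0];
        out[i].addr_type = p[1];
        memcpy(out[i].bdaddr, p + 2, 6);
        out[i].len       = p[8];
        out[i].data      = p + ADV_HDR_LEN;
        out[i].rssi      = (int8_t)p[ADV_HDR_LEN + out[i].len];
        p += ADV_HDR_LEN + out[i].len + 1;
    }
    return num;
}

/* Hardened pattern: test the remaining bytes before every read, first for the
 * fixed header (so the len byte itself is in bounds), then for data + rssi.
 * Returns the report count, or -1 if the event is truncated. */
static int parse_adv_checked(const uint8_t *buf, size_t buflen,
                             struct adv_report *out, int max)
{
    const uint8_t *p = buf, *end = buf + buflen;
    if (buflen < 1)
        return -1;
    int num = *p++;
    if (num > max)
        return -1;
    for (int i = 0; i < num; i++) {
        if ((size_t)(end - p) < ADV_HDR_LEN)
            return -1;
        uint8_t len = p[8];
        if ((size_t)(end - p) < ADV_HDR_LEN + (size_t)len + 1)
            return -1;
        out[i].evt_type  = p[0];
        out[i].addr_type = p[1];
        memcpy(out[i].bdaddr, p + 2, 6);
        out[i].len       = len;
        out[i].data      = p + ADV_HDR_LEN;
        out[i].rssi      = (int8_t)p[ADV_HDR_LEN + len];
        p += ADV_HDR_LEN + len + 1;
    }
    return num;
}

/* Constructed sample: one ADV_IND report with 3 bytes of AD data, while the
 * num_reports byte claims `claimed`.  The event fills the first 14 bytes of
 * `backing`; the rest is SENTINEL so an over-read stays inside this array
 * (in the kernel it would be the slab redzone or the next object). */
static size_t build_sample(uint8_t *backing, size_t backing_len, uint8_t claimed)
{
    static const uint8_t report[] = {
        0x00, 0x00,                         /* evt_type ADV_IND, addr_type public */
        0x11, 0x22, 0x33, 0x44, 0x55, 0x66, /* bdaddr */
        0x03, 0x02, 0x01, 0x06,             /* len=3, AD Flags */
        0xc8,                               /* rssi -56 dBm */
    };
    memset(backing, SENTINEL, backing_len);
    backing[0] = claimed;
    memcpy(backing + 1, report, sizeof report);
    return 1 + sizeof report;
}

/* What the unchecked parser believes the second report's type is (0x41 from the
 * sentinel region when the event only carried one report). With SENTINEL 0x41
 * and claimed <= 2 the furthest read is backing[88], inside the 256-byte array. */
static int unchecked_second_type(uint8_t claimed)
{
    uint8_t backing[256];
    struct adv_report out[ADV_MAX_REPORTS] = {0};
    build_sample(backing, sizeof backing, claimed);
    parse_adv_unchecked(backing, out, ADV_MAX_REPORTS);
    return out[1].evt_type;
}

static int checked_rc(uint8_t claimed)
{
    uint8_t backing[256];
    struct adv_report out[ADV_MAX_REPORTS];
    size_t evlen = build_sample(backing, sizeof backing, claimed);
    return parse_adv_checked(backing, evlen, out, ADV_MAX_REPORTS);
}

int main(void)
{
    printf("claims 2, carries 1: unchecked second type 0x%02x, checked rc %d\n",
           unchecked_second_type(2), checked_rc(2));
    printf("claims 1, carries 1: checked rc %d\n", checked_rc(1));
    return 0;
}
```

The unchecked loop happily returns the sentinel as a second "advertising packet type", which is the same shape of symptom as the unknown-type messages in the log; under KASAN that read is the splat. Note the order of the two checks in the hardened version: the header check must come before `p[8]` is touched, otherwise the length byte itself can be the out-of-bounds read.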