[ OK ] Listening on Load/Save RF Kill Switch Status /dev/rfkill Watch.
[ OK ] Reached target Multi-User System.
[ OK ] Reached target Graphical Interface.
Starting Update UTMP about System Runlevel Changes...
Starting Load/Save RF Kill Switch Status...
Debian GNU/Linux 9 syzkaller ttyS0
Warning: Permanently added '10.128.0.81' (ECDSA) to the list of known hosts.
syzkaller login: [ 58.843387][ T6822] IPVS: ftp: loaded support on port[0] = 21
[ 59.932880][ T6846] ==================================================================
[ 59.941218][ T6846] BUG: KASAN: slab-out-of-bounds in hci_inquiry_result_with_rssi_evt+0x230/0x6b0
[ 59.950338][ T6846] Read of size 6 at addr ffff8880a75af9fb by task kworker/u5:1/6846
[ 59.958341][ T6846]
[ 59.960680][ T6846] CPU: 1 PID: 6846 Comm: kworker/u5:1 Not tainted 5.8.0-rc7-syzkaller #0
[ 59.969089][ T6846] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 59.979192][ T6846] Workqueue: hci0 hci_rx_work
[ 59.983881][ T6846] Call Trace:
[ 59.987200][ T6846] dump_stack+0x18f/0x20d
[ 59.991561][ T6846] ? hci_inquiry_result_with_rssi_evt+0x230/0x6b0
[ 59.998021][ T6846] ? hci_inquiry_result_with_rssi_evt+0x230/0x6b0
[ 60.004471][ T6846] print_address_description.constprop.0.cold+0xae/0x436
[ 60.011524][ T6846] ? lockdep_hardirqs_off+0x66/0xa0
[ 60.016798][ T6846] ? vprintk_func+0x97/0x1a6
[ 60.021441][ T6846] ? hci_inquiry_result_with_rssi_evt+0x230/0x6b0
[ 60.027915][ T6846] kasan_report.cold+0x1f/0x37
[ 60.032709][ T6846] ? hci_inquiry_result_with_rssi_evt+0x230/0x6b0
[ 60.039141][ T6846] check_memory_region+0x13d/0x180
[ 60.044270][ T6846] memcpy+0x20/0x60
[ 60.048082][ T6846] hci_inquiry_result_with_rssi_evt+0x230/0x6b0
[ 60.054341][ T6846] ? process_adv_report+0xfb0/0xfb0
[ 60.059563][ T6846] hci_event_packet+0x1e8c/0x86f5
[ 60.064591][ T6846] ? lockdep_hardirqs_on_prepare+0x590/0x590
[ 60.070578][ T6846] ? __lock_acquire+0x16e3/0x56e0
[ 60.075607][ T6846] ? hci_cmd_complete_evt+0xc6e0/0xc6e0
[ 60.081163][ T6846] ? lock_acquire+0x1f1/0xad0
[ 60.085833][ T6846] ? skb_dequeue+0x1c/0x180
[ 60.090348][ T6846] ? find_held_lock+0x2d/0x110
[ 60.095128][ T6846] ? mark_lock+0xbc/0x1710
[ 60.099549][ T6846] ? mark_held_locks+0x9f/0xe0
[ 60.104335][ T6846] ? _raw_spin_unlock_irqrestore+0x62/0xe0
[ 60.110148][ T6846] ? lockdep_hardirqs_on_prepare+0x3a2/0x590
[ 60.116130][ T6846] ? trace_hardirqs_on+0x5f/0x220
[ 60.121164][ T6846] ? lockdep_hardirqs_on+0x6a/0xe0
[ 60.126272][ T6846] hci_rx_work+0x22e/0xb10
[ 60.130693][ T6846] process_one_work+0x94c/0x1670
[ 60.135642][ T6846] ? lock_release+0x8d0/0x8d0
[ 60.140337][ T6846] ? pwq_dec_nr_in_flight+0x2d0/0x2d0
[ 60.145734][ T6846] ? rwlock_bug.part.0+0x90/0x90
[ 60.150696][ T6846] ? lockdep_hardirqs_off+0x66/0xa0
[ 60.155903][ T6846] worker_thread+0x64c/0x1120
[ 60.160586][ T6846] ? process_one_work+0x1670/0x1670
[ 60.165785][ T6846] kthread+0x3b5/0x4a0
[ 60.169845][ T6846] ? __kthread_bind_mask+0xc0/0xc0
[ 60.174965][ T6846] ? __kthread_bind_mask+0xc0/0xc0
[ 60.180085][ T6846] ret_from_fork+0x1f/0x30
[ 60.184675][ T6846]
[ 60.186998][ T6846] Allocated by task 6822:
[ 60.191324][ T6846] save_stack+0x1b/0x40
[ 60.195475][ T6846] __kasan_kmalloc.constprop.0+0xc2/0xd0
[ 60.201110][ T6846] __alloc_skb+0xae/0x550
[ 60.205427][ T6846] vhci_write+0xbd/0x450
[ 60.209671][ T6846] new_sync_write+0x422/0x650
[ 60.214336][ T6846] vfs_write+0x59d/0x6b0
[ 60.218563][ T6846] ksys_write+0x12d/0x250
[ 60.222879][ T6846] do_syscall_64+0x60/0xe0
[ 60.227287][ T6846] entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 60.233173][ T6846]
[ 60.235486][ T6846] Freed by task 4774:
[ 60.239456][ T6846] save_stack+0x1b/0x40
[ 60.243612][ T6846] __kasan_slab_free+0xf5/0x140
[ 60.248459][ T6846] kfree+0x103/0x2c0
[ 60.252347][ T6846] kernfs_fop_release+0x120/0x190
[ 60.257363][ T6846] __fput+0x33c/0x880
[ 60.261347][ T6846] task_work_run+0xdd/0x190
[ 60.265835][ T6846] __prepare_exit_to_usermode+0x1e9/0x1f0
[ 60.271563][ T6846] do_syscall_64+0x6c/0xe0
[ 60.276032][ T6846] entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 60.281922][ T6846]
[ 60.284250][ T6846] The buggy address belongs to the object at ffff8880a75af800
[ 60.284250][ T6846] which belongs to the cache kmalloc-512 of size 512
[ 60.298325][ T6846] The buggy address is located 507 bytes inside of
[ 60.298325][ T6846] 512-byte region [ffff8880a75af800, ffff8880a75afa00)
[ 60.311597][ T6846] The buggy address belongs to the page:
[ 60.317271][ T6846] page:ffffea00029d6bc0 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0
[ 60.326397][ T6846] flags: 0xfffe0000000200(slab)
[ 60.331288][ T6846] raw: 00fffe0000000200 ffffea000289e8c8 ffffea00024c0cc8 ffff8880aa000a80
[ 60.339886][ T6846] raw: 0000000000000000 ffff8880a75af000 0000000100000004 0000000000000000
[ 60.348461][ T6846] page dumped because: kasan: bad access detected
[ 60.354870][ T6846]
[ 60.357178][ T6846] Memory state around the buggy address:
[ 60.362810][ T6846] ffff8880a75af900: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 60.370863][ T6846] ffff8880a75af980: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
executing program
[ 60.378925][ T6846] >ffff8880a75afa00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 60.386982][ T6846] ^
[ 60.391055][ T6846] ffff8880a75afa80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 60.399130][ T6846] ffff8880a75afb00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 60.407177][ T6846] ==================================================================
[ 60.415231][ T6846] Disabling lock debugging due to kernel taint
[ 60.423256][ T6846] Kernel panic - not syncing: panic_on_warn set ...
[ 60.429925][ T6846] CPU: 1 PID: 6846 Comm: kworker/u5:1 Tainted: G B 5.8.0-rc7-syzkaller #0
[ 60.439763][ T6846] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 60.449837][ T6846] Workqueue: hci0 hci_rx_work
[ 60.454542][ T6846] Call Trace:
[ 60.457846][ T6846] dump_stack+0x18f/0x20d
[ 60.462187][ T6846] ? hci_inquiry_result_with_rssi_evt+0x140/0x6b0
[ 60.468645][ T6846] panic+0x2e3/0x75c
[ 60.472554][ T6846] ? __warn_printk+0xf3/0xf3
[ 60.477159][ T6846] ? preempt_schedule_common+0x59/0xc0
[ 60.482645][ T6846] ? hci_inquiry_result_with_rssi_evt+0x230/0x6b0
[ 60.489045][ T6846] ? preempt_schedule_thunk+0x16/0x18
[ 60.494401][ T6846] ? trace_hardirqs_on+0x55/0x220
[ 60.499437][ T6846] ? hci_inquiry_result_with_rssi_evt+0x230/0x6b0
[ 60.505848][ T6846] ? hci_inquiry_result_with_rssi_evt+0x230/0x6b0
[ 60.512253][ T6846] end_report+0x4d/0x53
[ 60.516406][ T6846] kasan_report.cold+0xd/0x37
[ 60.521103][ T6846] ? hci_inquiry_result_with_rssi_evt+0x230/0x6b0
[ 60.527505][ T6846] check_memory_region+0x13d/0x180
[ 60.532622][ T6846] memcpy+0x20/0x60
[ 60.536438][ T6846] hci_inquiry_result_with_rssi_evt+0x230/0x6b0
[ 60.542700][ T6846] ? process_adv_report+0xfb0/0xfb0
[ 60.547900][ T6846] hci_event_packet+0x1e8c/0x86f5
[ 60.552918][ T6846] ? lockdep_hardirqs_on_prepare+0x590/0x590
[ 60.558901][ T6846] ? __lock_acquire+0x16e3/0x56e0
[ 60.563917][ T6846] ? hci_cmd_complete_evt+0xc6e0/0xc6e0
[ 60.569453][ T6846] ? lock_acquire+0x1f1/0xad0
[ 60.574116][ T6846] ? skb_dequeue+0x1c/0x180
[ 60.578616][ T6846] ? find_held_lock+0x2d/0x110
[ 60.583385][ T6846] ? mark_lock+0xbc/0x1710
[ 60.587803][ T6846] ? mark_held_locks+0x9f/0xe0
[ 60.592567][ T6846] ? _raw_spin_unlock_irqrestore+0x62/0xe0
[ 60.598373][ T6846] ? lockdep_hardirqs_on_prepare+0x3a2/0x590
[ 60.604360][ T6846] ? trace_hardirqs_on+0x5f/0x220
[ 60.609394][ T6846] ? lockdep_hardirqs_on+0x6a/0xe0
[ 60.614516][ T6846] hci_rx_work+0x22e/0xb10
[ 60.618939][ T6846] process_one_work+0x94c/0x1670
[ 60.623879][ T6846] ? lock_release+0x8d0/0x8d0
[ 60.628543][ T6846] ? pwq_dec_nr_in_flight+0x2d0/0x2d0
[ 60.633918][ T6846] ? rwlock_bug.part.0+0x90/0x90
[ 60.638845][ T6846] ? lockdep_hardirqs_off+0x66/0xa0
[ 60.644034][ T6846] worker_thread+0x64c/0x1120
[ 60.648702][ T6846] ? process_one_work+0x1670/0x1670
[ 60.653903][ T6846] kthread+0x3b5/0x4a0
[ 60.657973][ T6846] ? __kthread_bind_mask+0xc0/0xc0
[ 60.663072][ T6846] ? __kthread_bind_mask+0xc0/0xc0
[ 60.668188][ T6846] ret_from_fork+0x1f/0x30
[ 60.673646][ T6846] Kernel Offset: disabled
[ 60.677984][ T6846] Rebooting in 86400 seconds..