[ OK ] Started Getty on tty2.
[ OK ] Started Getty on tty1.
[ OK ] Started Serial Getty on ttyS0.
[ OK ] Started OpenBSD Secure Shell server.
[ OK ] Started getty on tty2-tty6 if dbus and logind are not available.
Debian GNU/Linux 9 syzkaller ttyS0
Warning: Permanently added '10.128.0.204' (ECDSA) to the list of known hosts.
syzkaller login:
[ 64.456501][ T6838] IPVS: ftp: loaded support on port[0] = 21
executing program
[ 65.585276][ T6864] Bluetooth: hci0: unknown advertising packet type: 0x2b
[ 65.585369][ T6864] ==================================================================
[ 65.600602][ T6864] BUG: KASAN: slab-out-of-bounds in hci_le_meta_evt+0x380c/0x3eb0
[ 65.608409][ T6864] Read of size 1 at addr ffff88809348a60c by task kworker/u5:2/6864
[ 65.616377][ T6864]
[ 65.618710][ T6864] CPU: 0 PID: 6864 Comm: kworker/u5:2 Not tainted 5.8.0-syzkaller #0
[ 65.626794][ T6864] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 65.636855][ T6864] Workqueue: hci0 hci_rx_work
[ 65.641520][ T6864] Call Trace:
[ 65.644836][ T6864] dump_stack+0x18f/0x20d
[ 65.649170][ T6864] ? hci_le_meta_evt+0x380c/0x3eb0
[ 65.654284][ T6864] ? hci_le_meta_evt+0x380c/0x3eb0
[ 65.659396][ T6864] print_address_description.constprop.0.cold+0xae/0x436
[ 65.666417][ T6864] ? vprintk_func+0x97/0x1a6
[ 65.671016][ T6864] ? hci_le_meta_evt+0x380c/0x3eb0
[ 65.676143][ T6864] kasan_report.cold+0x1f/0x37
[ 65.680915][ T6864] ? hci_le_meta_evt+0x380c/0x3eb0
[ 65.686022][ T6864] hci_le_meta_evt+0x380c/0x3eb0
[ 65.690960][ T6864] ? mark_lock+0xbc/0x1710
[ 65.695376][ T6864] ? mark_lock+0xbc/0x1710
[ 65.699851][ T6864] ? hci_key_refresh_complete_evt.isra.0+0x10b0/0x10b0
[ 65.706735][ T6864] ? mark_lock+0xbc/0x1710
[ 65.711152][ T6864] ? __lock_acquire+0x16cb/0x5640
[ 65.716179][ T6864] ? __lock_acquire+0x16cb/0x5640
[ 65.721210][ T6864] hci_event_packet+0x245a/0x86f5
[ 65.726239][ T6864] ? lockdep_hardirqs_on_prepare+0x530/0x530
[ 65.732218][ T6864] ? __lock_acquire+0x16cb/0x5640
[ 65.737247][ T6864] ? hci_cmd_complete_evt+0xc6e0/0xc6e0
[ 65.742805][ T6864] ? lock_acquire+0x1f1/0xad0
[ 65.747490][ T6864] ? skb_dequeue+0x1c/0x180
[ 65.752020][ T6864] ? find_held_lock+0x2d/0x110
[ 65.756788][ T6864] ? mark_lock+0xbc/0x1710
[ 65.761235][ T6864] ? mark_held_locks+0x9f/0xe0
[ 65.766002][ T6864] ? _raw_spin_unlock_irqrestore+0x62/0xe0
[ 65.771805][ T6864] ? lockdep_hardirqs_on_prepare+0x354/0x530
[ 65.777786][ T6864] ? trace_hardirqs_on+0x5f/0x220
[ 65.782805][ T6864] ? lockdep_hardirqs_on+0x76/0xf0
[ 65.787921][ T6864] hci_rx_work+0x22e/0xb10
[ 65.792344][ T6864] process_one_work+0x94c/0x1670
[ 65.797290][ T6864] ? lock_release+0x8e0/0x8e0
[ 65.801968][ T6864] ? pwq_dec_nr_in_flight+0x2d0/0x2d0
[ 65.807349][ T6864] ? rwlock_bug.part.0+0x90/0x90
[ 65.812293][ T6864] worker_thread+0x64c/0x1120
[ 65.816977][ T6864] ? __kthread_parkme+0x13f/0x1e0
[ 65.822010][ T6864] ? process_one_work+0x1670/0x1670
[ 65.827208][ T6864] kthread+0x3b5/0x4a0
[ 65.831269][ T6864] ? __kthread_bind_mask+0xc0/0xc0
[ 65.836368][ T6864] ? __kthread_bind_mask+0xc0/0xc0
[ 65.841482][ T6864] ret_from_fork+0x1f/0x30
[ 65.845897][ T6864]
[ 65.848218][ T6864] Allocated by task 6838:
[ 65.852537][ T6864] save_stack+0x1b/0x40
[ 65.856683][ T6864] __kasan_kmalloc.constprop.0+0xc2/0xd0
[ 65.862304][ T6864] __alloc_skb+0xae/0x550
[ 65.866625][ T6864] vhci_write+0xbd/0x450
[ 65.870855][ T6864] new_sync_write+0x422/0x650
[ 65.875523][ T6864] vfs_write+0x59d/0x6b0
[ 65.879773][ T6864] ksys_write+0x12d/0x250
[ 65.884103][ T6864] do_syscall_64+0x60/0xe0
[ 65.888520][ T6864] entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 65.894421][ T6864]
[ 65.896752][ T6864] Freed by task 4877:
[ 65.900737][ T6864] save_stack+0x1b/0x40
[ 65.904888][ T6864] __kasan_slab_free+0xf5/0x140
[ 65.909733][ T6864] kfree+0x103/0x2c0
[ 65.913626][ T6864] kernfs_fop_release+0x120/0x190
[ 65.918656][ T6864] __fput+0x33c/0x880
[ 65.922630][ T6864] task_work_run+0xdd/0x190
[ 65.927134][ T6864] __prepare_exit_to_usermode+0x1a2/0x1c0
[ 65.932847][ T6864] do_syscall_64+0x6c/0xe0
[ 65.937258][ T6864] entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 65.943135][ T6864]
[ 65.945460][ T6864] The buggy address belongs to the object at ffff88809348a400
[ 65.945460][ T6864]  which belongs to the cache kmalloc-512 of size 512
[ 65.959535][ T6864] The buggy address is located 12 bytes to the right of
[ 65.959535][ T6864]  512-byte region [ffff88809348a400, ffff88809348a600)
[ 65.973239][ T6864] The buggy address belongs to the page:
[ 65.978872][ T6864] page:ffffea00024d2280 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0
[ 65.987965][ T6864] flags: 0xfffe0000000200(slab)
[ 65.992808][ T6864] raw: 00fffe0000000200 ffffea00029bdf48 ffffea0002a06dc8 ffff8880aa000a80
[ 66.001386][ T6864] raw: 0000000000000000 ffff88809348a000 0000000100000004 0000000000000000
[ 66.009952][ T6864] page dumped because: kasan: bad access detected
[ 66.016344][ T6864]
[ 66.018660][ T6864] Memory state around the buggy address:
[ 66.024281][ T6864]  ffff88809348a500: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 66.032330][ T6864]  ffff88809348a580: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 66.040381][ T6864] >ffff88809348a600: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 66.048426][ T6864]                       ^
[ 66.052742][ T6864]  ffff88809348a680: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 66.060796][ T6864]  ffff88809348a700: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 66.068843][ T6864] ==================================================================
[ 66.076891][ T6864] Disabling lock debugging due to kernel taint
[ 66.083710][ T6864] Kernel panic - not syncing: panic_on_warn set ...
[ 66.090307][ T6864] CPU: 0 PID: 6864 Comm: kworker/u5:2 Tainted: G B 5.8.0-syzkaller #0
[ 66.099749][ T6864] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 66.109807][ T6864] Workqueue: hci0 hci_rx_work
[ 66.114472][ T6864] Call Trace:
[ 66.117760][ T6864] dump_stack+0x18f/0x20d
[ 66.122088][ T6864] ? hci_le_meta_evt+0x37e0/0x3eb0
[ 66.127203][ T6864] panic+0x2e3/0x75c
[ 66.131097][ T6864] ? __warn_printk+0xf3/0xf3
[ 66.135686][ T6864] ? preempt_schedule_common+0x59/0xc0
[ 66.141139][ T6864] ? hci_le_meta_evt+0x380c/0x3eb0
[ 66.146247][ T6864] ? preempt_schedule_thunk+0x16/0x18
[ 66.151622][ T6864] ? trace_hardirqs_on+0x55/0x220
[ 66.156645][ T6864] ? hci_le_meta_evt+0x380c/0x3eb0
[ 66.161782][ T6864] ? hci_le_meta_evt+0x380c/0x3eb0
[ 66.166889][ T6864] end_report+0x4d/0x53
[ 66.171065][ T6864] kasan_report.cold+0xd/0x37
[ 66.175741][ T6864] ? hci_le_meta_evt+0x380c/0x3eb0
[ 66.180868][ T6864] hci_le_meta_evt+0x380c/0x3eb0
[ 66.185805][ T6864] ? mark_lock+0xbc/0x1710
[ 66.190222][ T6864] ? mark_lock+0xbc/0x1710
[ 66.194626][ T6864] ? hci_key_refresh_complete_evt.isra.0+0x10b0/0x10b0
[ 66.201456][ T6864] ? mark_lock+0xbc/0x1710
[ 66.205852][ T6864] ? __lock_acquire+0x16cb/0x5640
[ 66.210880][ T6864] ? __lock_acquire+0x16cb/0x5640
[ 66.215893][ T6864] hci_event_packet+0x245a/0x86f5
[ 66.220899][ T6864] ? lockdep_hardirqs_on_prepare+0x530/0x530
[ 66.226851][ T6864] ? __lock_acquire+0x16cb/0x5640
[ 66.231854][ T6864] ? hci_cmd_complete_evt+0xc6e0/0xc6e0
[ 66.237411][ T6864] ? lock_acquire+0x1f1/0xad0
[ 66.242071][ T6864] ? skb_dequeue+0x1c/0x180
[ 66.246551][ T6864] ? find_held_lock+0x2d/0x110
[ 66.251316][ T6864] ? mark_lock+0xbc/0x1710
[ 66.255701][ T6864] ? mark_held_locks+0x9f/0xe0
[ 66.260439][ T6864] ? _raw_spin_unlock_irqrestore+0x62/0xe0
[ 66.266218][ T6864] ? lockdep_hardirqs_on_prepare+0x354/0x530
[ 66.272179][ T6864] ? trace_hardirqs_on+0x5f/0x220
[ 66.277183][ T6864] ? lockdep_hardirqs_on+0x76/0xf0
[ 66.282272][ T6864] hci_rx_work+0x22e/0xb10
[ 66.286664][ T6864] process_one_work+0x94c/0x1670
[ 66.291574][ T6864] ? lock_release+0x8e0/0x8e0
[ 66.296224][ T6864] ? pwq_dec_nr_in_flight+0x2d0/0x2d0
[ 66.302524][ T6864] ? rwlock_bug.part.0+0x90/0x90
[ 66.307440][ T6864] worker_thread+0x64c/0x1120
[ 66.312101][ T6864] ? __kthread_parkme+0x13f/0x1e0
[ 66.317098][ T6864] ? process_one_work+0x1670/0x1670
[ 66.322277][ T6864] kthread+0x3b5/0x4a0
[ 66.326316][ T6864] ? __kthread_bind_mask+0xc0/0xc0
[ 66.331409][ T6864] ? __kthread_bind_mask+0xc0/0xc0
[ 66.336501][ T6864] ret_from_fork+0x1f/0x30
[ 66.341901][ T6864] Kernel Offset: disabled
[ 66.346215][ T6864] Rebooting in 86400 seconds..