[ OK ] Listening on Load/Save RF Kill Switch Status /dev/rfkill Watch.
[ OK ] Started Getty on tty6.
[ OK ] Started Getty on tty5.
[ OK ] Started Getty on tty4.
[ OK ] Started Getty on tty3.
[ OK ] Started Getty on tty2.
[ OK ] Started Serial Getty on ttyS0.
[ OK ] Started Getty on tty1.
[ OK ] Reached target Login Prompts.
[ OK ] Reached target Multi-User System.
[ OK ] Reached target Graphical Interface.
Starting Update UTMP about System Runlevel Changes...
Starting Load/Save RF Kill Switch Status...
[ OK ] Started Update UTMP about System Runlevel Changes.
[ OK ] Started Load/Save RF Kill Switch Status.

Debian GNU/Linux 9 syzkaller ttyS0

Warning: Permanently added '10.128.0.243' (ECDSA) to the list of known hosts.

syzkaller login: [   72.646944][   T27] audit: type=1400 audit(1598521930.931:8): avc:  denied  { execmem } for  pid=6845 comm="syz-executor620" scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=process permissive=1
executing program
[   73.769891][ T6846] IPVS: ftp: loaded support on port[0] = 21
[   73.823030][ T6852] ==================================================================
[   73.831365][ T6852] BUG: KASAN: slab-out-of-bounds in hci_le_meta_evt+0x3937/0x3ff0
[   73.839616][ T6852] Read of size 1 at addr ffff888092006e0c by task kworker/u5:2/6852
[   73.847767][ T6852] 
[   73.850142][ T6852] CPU: 1 PID: 6852 Comm: kworker/u5:2 Not tainted 5.9.0-rc2-syzkaller #0
[   73.858826][ T6852] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   73.869014][ T6852] Workqueue: hci0 hci_rx_work
[   73.873697][ T6852] Call Trace:
[   73.877024][ T6852]  dump_stack+0x18f/0x20d
[   73.881446][ T6852]  ? hci_le_meta_evt+0x3937/0x3ff0
[   73.886682][ T6852]  ? hci_le_meta_evt+0x3937/0x3ff0
[   73.891809][ T6852]  print_address_description.constprop.0.cold+0xae/0x497
[   73.898883][ T6852]  ? vprintk_func+0x97/0x1a6
[   73.904182][ T6852]  ? hci_le_meta_evt+0x3937/0x3ff0
[   73.909316][ T6852]  ? hci_le_meta_evt+0x3937/0x3ff0
[   73.914575][ T6852]  kasan_report.cold+0x1f/0x37
[   73.919445][ T6852]  ? hci_le_meta_evt+0x3937/0x3ff0
[   73.924552][ T6852]  hci_le_meta_evt+0x3937/0x3ff0
[   73.929487][ T6852]  ? mark_lock+0xbc/0x1710
[   73.933925][ T6852]  ? hci_key_refresh_complete_evt.isra.0+0x10b0/0x10b0
[   73.940762][ T6852]  ? mark_lock+0xbc/0x1710
[   73.945188][ T6852]  ? __lock_acquire+0x16cb/0x5640
[   73.950310][ T6852]  ? __lock_acquire+0x16cb/0x5640
[   73.955430][ T6852]  hci_event_packet+0x2e25/0x87a8
[   73.960556][ T6852]  ? lockdep_hardirqs_on_prepare+0x530/0x530
[   73.966543][ T6852]  ? __lock_acquire+0x16cb/0x5640
[   73.971569][ T6852]  ? hci_cmd_complete_evt+0xc6d0/0xc6d0
[   73.977131][ T6852]  ? lock_acquire+0x1f1/0xad0
[   73.981822][ T6852]  ? skb_dequeue+0x1c/0x180
[   73.986337][ T6852]  ? find_held_lock+0x2d/0x110
[   73.991125][ T6852]  ? mark_lock+0xbc/0x1710
[   73.995595][ T6852]  ? mark_held_locks+0x9f/0xe0
[   74.000372][ T6852]  ? _raw_spin_unlock_irqrestore+0x62/0xe0
[   74.006220][ T6852]  ? lockdep_hardirqs_on_prepare+0x354/0x530
[   74.012201][ T6852]  ? trace_hardirqs_on+0x5f/0x220
[   74.017218][ T6852]  ? lockdep_hardirqs_on+0x76/0xf0
[   74.022325][ T6852]  hci_rx_work+0x22e/0xb50
[   74.026868][ T6852]  process_one_work+0x94c/0x1670
[   74.031832][ T6852]  ? lock_release+0x8e0/0x8e0
[   74.036610][ T6852]  ? pwq_dec_nr_in_flight+0x2d0/0x2d0
[   74.042000][ T6852]  ? rwlock_bug.part.0+0x90/0x90
[   74.046939][ T6852]  worker_thread+0x64c/0x1120
[   74.051612][ T6852]  ? __kthread_parkme+0x13f/0x1e0
[   74.056646][ T6852]  ? process_one_work+0x1670/0x1670
[   74.061859][ T6852]  kthread+0x3b5/0x4a0
[   74.066093][ T6852]  ? __kthread_bind_mask+0xc0/0xc0
[   74.071243][ T6852]  ? __kthread_bind_mask+0xc0/0xc0
[   74.076378][ T6852]  ret_from_fork+0x1f/0x30
[   74.080795][ T6852] 
[   74.083112][ T6852] Allocated by task 6846:
[   74.087445][ T6852]  kasan_save_stack+0x1b/0x40
[   74.092110][ T6852]  __kasan_kmalloc.constprop.0+0xbf/0xd0
[   74.098971][ T6852]  __alloc_skb+0xae/0x550
[   74.103326][ T6852]  vhci_write+0xbd/0x450
[   74.107576][ T6852]  new_sync_write+0x422/0x650
[   74.112382][ T6852]  vfs_write+0x5ad/0x730
[   74.116624][ T6852]  ksys_write+0x12d/0x250
[   74.120948][ T6852]  do_syscall_64+0x2d/0x70
[   74.125361][ T6852]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[   74.131238][ T6852] 
[   74.133555][ T6852] The buggy address belongs to the object at ffff888092006c00
[   74.133555][ T6852]  which belongs to the cache kmalloc-512 of size 512
[   74.147694][ T6852] The buggy address is located 12 bytes to the right of
[   74.147694][ T6852]  512-byte region [ffff888092006c00, ffff888092006e00)
[   74.162091][ T6852] The buggy address belongs to the page:
[   74.167723][ T6852] page:00000000bf4cfd8b refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x92006
[   74.177906][ T6852] flags: 0xfffe0000000200(slab)
[   74.182769][ T6852] raw: 00fffe0000000200 ffffea00027d9e48 ffffea000278e408 ffff8880aa040600
[   74.191359][ T6852] raw: 0000000000000000 ffff888092006000 0000000100000004 0000000000000000
[   74.200699][ T6852] page dumped because: kasan: bad access detected
[   74.207348][ T6852] 
[   74.209664][ T6852] Memory state around the buggy address:
[   74.215310][ T6852]  ffff888092006d00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   74.223374][ T6852]  ffff888092006d80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   74.231447][ T6852] >ffff888092006e00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   74.239512][ T6852]                                        ^
[   74.243849][ T6852]  ffff888092006e80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   74.251955][ T6852]  ffff888092006f00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   74.261472][ T6852] ==================================================================
[   74.269536][ T6852] Disabling lock debugging due to kernel taint
[   74.277026][ T6852] Kernel panic - not syncing: panic_on_warn set ...
[   74.283638][ T6852] CPU: 1 PID: 6852 Comm: kworker/u5:2 Tainted: G    B             5.9.0-rc2-syzkaller #0
[   74.293436][ T6852] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   74.304549][ T6852] Workqueue: hci0 hci_rx_work
[   74.309219][ T6852] Call Trace:
[   74.312499][ T6852]  dump_stack+0x18f/0x20d
[   74.316912][ T6852]  ? hci_le_meta_evt+0x38c0/0x3ff0
[   74.322074][ T6852]  panic+0x2e3/0x75c
[   74.326126][ T6852]  ? __warn_printk+0xf3/0xf3
[   74.330735][ T6852]  ? preempt_schedule_common+0x59/0xc0
[   74.336377][ T6852]  ? hci_le_meta_evt+0x3937/0x3ff0
[   74.341475][ T6852]  ? preempt_schedule_thunk+0x16/0x18
[   74.346850][ T6852]  ? trace_hardirqs_on+0x55/0x220
[   74.351860][ T6852]  ? hci_le_meta_evt+0x3937/0x3ff0
[   74.356955][ T6852]  ? hci_le_meta_evt+0x3937/0x3ff0
[   74.362158][ T6852]  end_report+0x4d/0x53
[   74.366340][ T6852]  kasan_report.cold+0xd/0x37
[   74.371017][ T6852]  ? hci_le_meta_evt+0x3937/0x3ff0
[   74.376124][ T6852]  hci_le_meta_evt+0x3937/0x3ff0
[   74.381065][ T6852]  ? mark_lock+0xbc/0x1710
[   74.385475][ T6852]  ? hci_key_refresh_complete_evt.isra.0+0x10b0/0x10b0
[   74.392312][ T6852]  ? mark_lock+0xbc/0x1710
[   74.396742][ T6852]  ? __lock_acquire+0x16cb/0x5640
[   74.401797][ T6852]  ? __lock_acquire+0x16cb/0x5640
[   74.406847][ T6852]  hci_event_packet+0x2e25/0x87a8
[   74.412121][ T6852]  ? lockdep_hardirqs_on_prepare+0x530/0x530
[   74.418106][ T6852]  ? __lock_acquire+0x16cb/0x5640
[   74.423403][ T6852]  ? hci_cmd_complete_evt+0xc6d0/0xc6d0
[   74.428945][ T6852]  ? lock_acquire+0x1f1/0xad0
[   74.433617][ T6852]  ? skb_dequeue+0x1c/0x180
[   74.438128][ T6852]  ? find_held_lock+0x2d/0x110
[   74.442880][ T6852]  ? mark_lock+0xbc/0x1710
[   74.447289][ T6852]  ? mark_held_locks+0x9f/0xe0
[   74.452048][ T6852]  ? _raw_spin_unlock_irqrestore+0x62/0xe0
[   74.457850][ T6852]  ? lockdep_hardirqs_on_prepare+0x354/0x530
[   74.463842][ T6852]  ? trace_hardirqs_on+0x5f/0x220
[   74.468858][ T6852]  ? lockdep_hardirqs_on+0x76/0xf0
[   74.473981][ T6852]  hci_rx_work+0x22e/0xb50
[   74.478403][ T6852]  process_one_work+0x94c/0x1670
[   74.483346][ T6852]  ? lock_release+0x8e0/0x8e0
[   74.488208][ T6852]  ? pwq_dec_nr_in_flight+0x2d0/0x2d0
[   74.494176][ T6852]  ? rwlock_bug.part.0+0x90/0x90
[   74.499124][ T6852]  worker_thread+0x64c/0x1120
[   74.503987][ T6852]  ? __kthread_parkme+0x13f/0x1e0
[   74.509014][ T6852]  ? process_one_work+0x1670/0x1670
[   74.514236][ T6852]  kthread+0x3b5/0x4a0
[   74.518307][ T6852]  ? __kthread_bind_mask+0xc0/0xc0
[   74.523497][ T6852]  ? __kthread_bind_mask+0xc0/0xc0
[   74.528592][ T6852]  ret_from_fork+0x1f/0x30
[   74.534206][ T6852] Kernel Offset: disabled
[   74.538523][ T6852] Rebooting in 86400 seconds..