Warning: Permanently added '10.128.15.192' (ECDSA) to the list of known hosts.
syzkaller login: [ 58.415992][ T6837] IPVS: ftp: loaded support on port[0] = 21
executing program
[ 58.523220][ T6843] Bluetooth: hci0: unknown advertising packet type: 0x2b
[ 58.523300][ T6843] ==================================================================
[ 58.538636][ T6843] BUG: KASAN: slab-out-of-bounds in hci_le_meta_evt+0x3937/0x3ff0
[ 58.546454][ T6843] Read of size 1 at addr ffff8880a656f60c by task kworker/u5:2/6843
[ 58.554507][ T6843]
[ 58.556820][ T6843] CPU: 1 PID: 6843 Comm: kworker/u5:2 Not tainted 5.8.0-syzkaller #0
[ 58.564858][ T6843] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 58.574904][ T6843] Workqueue: hci0 hci_rx_work
[ 58.579555][ T6843] Call Trace:
[ 58.585341][ T6843] dump_stack+0x18f/0x20d
[ 58.589653][ T6843] ? hci_le_meta_evt+0x3937/0x3ff0
[ 58.594739][ T6843] ? hci_le_meta_evt+0x3937/0x3ff0
[ 58.599827][ T6843] print_address_description.constprop.0.cold+0xae/0x497
[ 58.606914][ T6843] ? vprintk_func+0x97/0x1a6
[ 58.611479][ T6843] ? hci_le_meta_evt+0x3937/0x3ff0
[ 58.616561][ T6843] ? hci_le_meta_evt+0x3937/0x3ff0
[ 58.621647][ T6843] kasan_report.cold+0x1f/0x37
[ 58.626390][ T6843] ? hci_le_meta_evt+0x3937/0x3ff0
[ 58.631487][ T6843] hci_le_meta_evt+0x3937/0x3ff0
[ 58.636404][ T6843] ? mark_lock+0xbc/0x1710
[ 58.640797][ T6843] ? hci_key_refresh_complete_evt.isra.0+0x10b0/0x10b0
[ 58.647618][ T6843] ? mark_lock+0xbc/0x1710
[ 58.652010][ T6843] ? __lock_acquire+0x16cb/0x5640
[ 58.657008][ T6843] ? __lock_acquire+0x16cb/0x5640
[ 58.662097][ T6843] hci_event_packet+0x2e25/0x87a8
[ 58.667100][ T6843] ? lockdep_hardirqs_on_prepare+0x530/0x530
[ 58.673140][ T6843] ? __lock_acquire+0x16cb/0x5640
[ 58.678147][ T6843] ? hci_cmd_complete_evt+0xc6d0/0xc6d0
[ 58.683668][ T6843] ? lock_acquire+0x1f1/0xad0
[ 58.688347][ T6843] ? skb_dequeue+0x1c/0x180
[ 58.692821][ T6843] ? find_held_lock+0x2d/0x110
[ 58.697558][ T6843] ? mark_lock+0xbc/0x1710
[ 58.701953][ T6843] ? mark_held_locks+0x9f/0xe0
[ 58.706711][ T6843] ? _raw_spin_unlock_irqrestore+0x62/0xe0
[ 58.712490][ T6843] ? lockdep_hardirqs_on_prepare+0x354/0x530
[ 58.718444][ T6843] ? trace_hardirqs_on+0x5f/0x220
[ 58.723439][ T6843] ? lockdep_hardirqs_on+0x76/0xf0
[ 58.728529][ T6843] hci_rx_work+0x22e/0xb50
[ 58.732931][ T6843] process_one_work+0x94c/0x1670
[ 58.737848][ T6843] ? lock_release+0x8e0/0x8e0
[ 58.742500][ T6843] ? pwq_dec_nr_in_flight+0x2d0/0x2d0
[ 58.747849][ T6843] ? rwlock_bug.part.0+0x90/0x90
[ 58.752765][ T6843] worker_thread+0x64c/0x1120
[ 58.757421][ T6843] ? __kthread_parkme+0x13f/0x1e0
[ 58.762418][ T6843] ? process_one_work+0x1670/0x1670
[ 58.767591][ T6843] kthread+0x3b5/0x4a0
[ 58.771635][ T6843] ? __kthread_bind_mask+0xc0/0xc0
[ 58.776720][ T6843] ? __kthread_bind_mask+0xc0/0xc0
[ 58.781810][ T6843] ret_from_fork+0x1f/0x30
[ 58.786204][ T6843]
[ 58.788505][ T6843] Allocated by task 6837:
[ 58.792818][ T6843] kasan_save_stack+0x1b/0x40
[ 58.797466][ T6843] __kasan_kmalloc.constprop.0+0xbf/0xd0
[ 58.803068][ T6843] __alloc_skb+0xae/0x550
[ 58.807384][ T6843] vhci_write+0xbd/0x450
[ 58.812296][ T6843] new_sync_write+0x422/0x650
[ 58.816945][ T6843] vfs_write+0x5ad/0x730
[ 58.821160][ T6843] ksys_write+0x12d/0x250
[ 58.825463][ T6843] __do_fast_syscall_32+0x57/0x80
[ 58.830459][ T6843] do_fast_syscall_32+0x2f/0x70
[ 58.835296][ T6843] entry_SYSENTER_compat_after_hwframe+0x4d/0x5c
[ 58.842372][ T6843]
[ 58.844680][ T6843] The buggy address belongs to the object at ffff8880a656f400
[ 58.844680][ T6843]  which belongs to the cache kmalloc-512 of size 512
[ 58.858703][ T6843] The buggy address is located 12 bytes to the right of
[ 58.858703][ T6843]  512-byte region [ffff8880a656f400, ffff8880a656f600)
[ 58.872462][ T6843] The buggy address belongs to the page:
[ 58.878069][ T6843] page:00000000d556d1ac refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0xa656f
[ 58.888188][ T6843] flags: 0xfffe0000000200(slab)
[ 58.893026][ T6843] raw: 00fffe0000000200 ffffea000286cbc8 ffffea0002890508 ffff8880aa040600
[ 58.901593][ T6843] raw: 0000000000000000 ffff8880a656f000 0000000100000004 0000000000000000
[ 58.910167][ T6843] page dumped because: kasan: bad access detected
[ 58.916656][ T6843]
[ 58.918958][ T6843] Memory state around the buggy address:
[ 58.924677][ T6843]  ffff8880a656f500: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 58.932732][ T6843]  ffff8880a656f580: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 58.940769][ T6843] >ffff8880a656f600: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 58.948893][ T6843]                       ^
[ 58.953214][ T6843]  ffff8880a656f680: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 58.961256][ T6843]  ffff8880a656f700: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 58.969334][ T6843] ==================================================================
[ 58.977366][ T6843] Disabling lock debugging due to kernel taint
[ 58.984740][ T6843] Kernel panic - not syncing: panic_on_warn set ...
[ 58.991331][ T6843] CPU: 1 PID: 6843 Comm: kworker/u5:2 Tainted: G B 5.8.0-syzkaller #0
[ 59.000864][ T6843] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 59.010910][ T6843] Workqueue: hci0 hci_rx_work
[ 59.015562][ T6843] Call Trace:
[ 59.018827][ T6843] dump_stack+0x18f/0x20d
[ 59.023130][ T6843] ? hci_le_meta_evt+0x3920/0x3ff0
[ 59.028213][ T6843] panic+0x2e3/0x75c
[ 59.032082][ T6843] ? __warn_printk+0xf3/0xf3
[ 59.036643][ T6843] ? preempt_schedule_common+0x59/0xc0
[ 59.042081][ T6843] ? hci_le_meta_evt+0x3937/0x3ff0
[ 59.047168][ T6843] ? preempt_schedule_thunk+0x16/0x18
[ 59.052511][ T6843] ? trace_hardirqs_on+0x55/0x220
[ 59.057507][ T6843] ? hci_le_meta_evt+0x3937/0x3ff0
[ 59.062588][ T6843] ? hci_le_meta_evt+0x3937/0x3ff0
[ 59.067788][ T6843] end_report+0x4d/0x53
[ 59.071917][ T6843] kasan_report.cold+0xd/0x37
[ 59.076565][ T6843] ? hci_le_meta_evt+0x3937/0x3ff0
[ 59.081648][ T6843] hci_le_meta_evt+0x3937/0x3ff0
[ 59.086561][ T6843] ? mark_lock+0xbc/0x1710
[ 59.090953][ T6843] ? hci_key_refresh_complete_evt.isra.0+0x10b0/0x10b0
[ 59.097773][ T6843] ? mark_lock+0xbc/0x1710
[ 59.102158][ T6843] ? __lock_acquire+0x16cb/0x5640
[ 59.107198][ T6843] ? __lock_acquire+0x16cb/0x5640
[ 59.112197][ T6843] hci_event_packet+0x2e25/0x87a8
[ 59.117193][ T6843] ? lockdep_hardirqs_on_prepare+0x530/0x530
[ 59.123158][ T6843] ? __lock_acquire+0x16cb/0x5640
[ 59.128159][ T6843] ? hci_cmd_complete_evt+0xc6d0/0xc6d0
[ 59.133856][ T6843] ? lock_acquire+0x1f1/0xad0
[ 59.138510][ T6843] ? skb_dequeue+0x1c/0x180
[ 59.142986][ T6843] ? find_held_lock+0x2d/0x110
[ 59.147729][ T6843] ? mark_lock+0xbc/0x1710
[ 59.152213][ T6843] ? mark_held_locks+0x9f/0xe0
[ 59.156953][ T6843] ? _raw_spin_unlock_irqrestore+0x62/0xe0
[ 59.162749][ T6843] ? lockdep_hardirqs_on_prepare+0x354/0x530
[ 59.168722][ T6843] ? trace_hardirqs_on+0x5f/0x220
[ 59.173717][ T6843] ? lockdep_hardirqs_on+0x76/0xf0
[ 59.178822][ T6843] hci_rx_work+0x22e/0xb50
[ 59.183318][ T6843] process_one_work+0x94c/0x1670
[ 59.188230][ T6843] ? lock_release+0x8e0/0x8e0
[ 59.192877][ T6843] ? pwq_dec_nr_in_flight+0x2d0/0x2d0
[ 59.198223][ T6843] ? rwlock_bug.part.0+0x90/0x90
[ 59.203133][ T6843] worker_thread+0x64c/0x1120
[ 59.207896][ T6843] ? __kthread_parkme+0x13f/0x1e0
[ 59.212889][ T6843] ? process_one_work+0x1670/0x1670
[ 59.218060][ T6843] kthread+0x3b5/0x4a0
[ 59.222100][ T6843] ? __kthread_bind_mask+0xc0/0xc0
[ 59.227182][ T6843] ? __kthread_bind_mask+0xc0/0xc0
[ 59.232354][ T6843] ret_from_fork+0x1f/0x30
[ 59.237933][ T6843] Kernel Offset: disabled
[ 59.242243][ T6843] Rebooting in 86400 seconds..