[ OK ] Found device /dev/ttyS0.
[ OK ] Listening on Load/Save RF Kill Switch Status /dev/rfkill Watch.
[ OK ] Started Serial Getty on ttyS0.
[ OK ] Reached target Login Prompts.
[ OK ] Reached target Multi-User System.
[ OK ] Reached target Graphical Interface.
       Starting Update UTMP about System Runlevel Changes...
[ OK ] Started Update UTMP about System Runlevel Changes.
       Starting Load/Save RF Kill Switch Status...
[ OK ] Started Load/Save RF Kill Switch Status.

Debian GNU/Linux 9 syzkaller ttyS0

Warning: Permanently added '10.128.0.65' (ECDSA) to the list of known hosts.

syzkaller login: [ 36.699903] IPVS: ftp: loaded support on port[0] = 21
executing program
[ 38.744299] Bluetooth: hci0: command 0x0409 tx timeout
[ 40.822733] Bluetooth: hci0: command 0x041b tx timeout
[ 41.872053] Bluetooth: Found 0 CAPI controller(s) on device 10:aa:aa:aa:aa:aa
[ 41.880027] ==================================================================
[ 41.887495] BUG: KASAN: global-out-of-bounds in detach_capi_ctr+0xaf/0x120
[ 41.894492] Read of size 8 at addr ffffffff8dd14538 by task kcmtpd_ctr_0/8130
[ 41.901754]
[ 41.903368] CPU: 0 PID: 8130 Comm: kcmtpd_ctr_0 Not tainted 4.19.211-syzkaller #0
[ 41.911176] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 41.920522] Call Trace:
[ 41.923098]  dump_stack+0x1fc/0x2ef
[ 41.926718]  print_address_description.cold+0x5/0x219
[ 41.931909]  kasan_report_error.cold+0x8a/0x1b9
[ 41.936563]  ? detach_capi_ctr+0xaf/0x120
[ 41.940721]  __asan_report_load8_noabort+0x88/0x90
[ 41.945638]  ? detach_capi_ctr+0xaf/0x120
[ 41.949826]  detach_capi_ctr+0xaf/0x120
[ 41.953839]  cmtp_session+0x162e/0x19e0
[ 41.957806]  ? lock_downgrade+0x720/0x720
[ 41.961996]  ? lock_acquire+0x170/0x3c0
[ 41.965961]  ? cmtp_send_frame.isra.0+0x170/0x170
[ 41.970793]  ? do_wait_intr_irq+0x270/0x270
[ 41.975105]  ? lockdep_hardirqs_on+0x3a8/0x5c0
[ 41.979676]  ? _raw_spin_unlock_irqrestore+0x66/0xe0
[ 41.984854]  ? __kthread_parkme+0x133/0x1e0
[ 41.989157]  ? cmtp_send_frame.isra.0+0x170/0x170
[ 41.993982]  kthread+0x33f/0x460
[ 41.997417]  ? kthread_park+0x180/0x180
[ 42.001381]  ret_from_fork+0x24/0x30
[ 42.005175]
[ 42.006779] The buggy address belongs to the variable:
[ 42.012035]  capi_applications+0x798/0x7a0
[ 42.016244]
[ 42.017852] Memory state around the buggy address:
[ 42.022771]  ffffffff8dd14400: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 42.030112]  ffffffff8dd14480: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 42.037452] >ffffffff8dd14500: 00 00 00 00 fa fa fa fa 00 00 00 00 00 00 00 00
[ 42.044790]                                         ^
[ 42.050069]  ffffffff8dd14580: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 42.057497]  ffffffff8dd14600: 00 00 00 00 00 00 00 00 fa fa fa fa 00 fa fa fa
[ 42.064832] ==================================================================
[ 42.072171] Disabling lock debugging due to kernel taint
[ 42.077675] Kernel panic - not syncing: panic_on_warn set ...
[ 42.077675]
[ 42.085142] CPU: 0 PID: 8130 Comm: kcmtpd_ctr_0 Tainted: G    B     4.19.211-syzkaller #0
[ 42.094137] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 42.103470] Call Trace:
[ 42.106041]  dump_stack+0x1fc/0x2ef
[ 42.109674]  panic+0x26a/0x50e
[ 42.112877]  ? __warn_printk+0xf3/0xf3
[ 42.116753]  ? preempt_schedule_common+0x45/0xc0
[ 42.121490]  ? ___preempt_schedule+0x16/0x18
[ 42.125879]  ? trace_hardirqs_on+0x55/0x210
[ 42.130179]  kasan_end_report+0x43/0x49
[ 42.134144]  kasan_report_error.cold+0xa7/0x1b9
[ 42.138805]  ? detach_capi_ctr+0xaf/0x120
[ 42.142930]  __asan_report_load8_noabort+0x88/0x90
[ 42.147837]  ? detach_capi_ctr+0xaf/0x120
[ 42.151963]  detach_capi_ctr+0xaf/0x120
[ 42.155917]  cmtp_session+0x162e/0x19e0
[ 42.159873]  ? lock_downgrade+0x720/0x720
[ 42.163998]  ? lock_acquire+0x170/0x3c0
[ 42.167948]  ? cmtp_send_frame.isra.0+0x170/0x170
[ 42.172766]  ? do_wait_intr_irq+0x270/0x270
[ 42.177066]  ? lockdep_hardirqs_on+0x3a8/0x5c0
[ 42.181652]  ? _raw_spin_unlock_irqrestore+0x66/0xe0
[ 42.186743]  ? __kthread_parkme+0x133/0x1e0
[ 42.191044]  ? cmtp_send_frame.isra.0+0x170/0x170
[ 42.195861]  kthread+0x33f/0x460
[ 42.199215]  ? kthread_park+0x180/0x180
[ 42.203172]  ret_from_fork+0x24/0x30
[ 42.207118] Kernel Offset: disabled
[ 42.210740] Rebooting in 86400 seconds..
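Added triage helper (not part of the syzbot report above, and not kernel code): it re-derives from the report text what the KASAN caret is pointing at. Generic KASAN keeps one shadow byte per 8-byte granule; 0x00 means the granule is fully addressable, 0xfa is the compiler-inserted redzone around a global. The script strips the timestamps, parses the "Read of size N at addr" line, the "belongs to the variable" symbol and the shadow dump, maps the faulting address onto its shadow byte, then walks back through the contiguous 0xfa bytes to find where the object really ends. That matters for the "+0x798/0x7a0" line: kallsyms sizes a symbol by the distance to the next symbol, so the 0x7a0 includes the trailing redzone, and an offset below it is not evidence the access was in bounds. The lines in `REPORT` are copied from the report above; the 8-byte element size is an assumption taken from the 8-byte read, not something the report states.

```python
"""Map a KASAN report's faulting address onto its shadow-memory dump."""
import re

# Shadow poison values from mm/kasan/kasan.h (generic KASAN, 4.19 era).
# 0x00 = all 8 bytes addressable, 0x01..0x07 = only the first N bytes are.
POISON = {
    0xF1: "stack left redzone", 0xF2: "stack mid redzone",
    0xF3: "stack right redzone", 0xF4: "stack partial redzone",
    0xF8: "use-after-scope", 0xFA: "global redzone",
    0xFB: "freed kmalloc object", 0xFC: "kmalloc redzone",
    0xFE: "page redzone", 0xFF: "free page",
}
GRANULE = 8  # bytes of kernel memory covered by one shadow byte

TS_RE = re.compile(r"^\[\s*\d+\.\d+\]\s?")
ACCESS_RE = re.compile(r"(Read|Write) of size (\d+) at addr ([0-9a-f]+)")
SYMBOL_RE = re.compile(r"^([\w.]+)\+0x([0-9a-f]+)/0x([0-9a-f]+)$")
SHADOW_RE = re.compile(r"^>?\s*([0-9a-f]{16}):((?:\s+[0-9a-f]{2}){16})$")

# Lines copied from the report above (only those the parser needs).
REPORT = """\
[ 41.887495] BUG: KASAN: global-out-of-bounds in detach_capi_ctr+0xaf/0x120
[ 41.894492] Read of size 8 at addr ffffffff8dd14538 by task kcmtpd_ctr_0/8130
[ 42.006779] The buggy address belongs to the variable:
[ 42.012035]  capi_applications+0x798/0x7a0
[ 42.017852] Memory state around the buggy address:
[ 42.022771]  ffffffff8dd14400: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 42.030112]  ffffffff8dd14480: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 42.037452] >ffffffff8dd14500: 00 00 00 00 fa fa fa fa 00 00 00 00 00 00 00 00
[ 42.044790]                                         ^
[ 42.050069]  ffffffff8dd14580: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 42.057497]  ffffffff8dd14600: 00 00 00 00 00 00 00 00 fa fa fa fa 00 fa fa fa
"""


def parse_report(text):
    """Return (access, symbol, shadow): the faulting access, the owning
    symbol as (name, offset, kallsyms_size), and {granule addr: shadow byte}."""
    access = symbol = None
    shadow = {}
    expect_symbol = False
    for raw in text.splitlines():
        line = TS_RE.sub("", raw).strip()
        if expect_symbol:  # the line after "belongs to the variable:"
            m = SYMBOL_RE.match(line)
            if m:
                symbol = (m.group(1), int(m.group(2), 16), int(m.group(3), 16))
            expect_symbol = False
            continue
        if line.endswith("belongs to the variable:"):
            expect_symbol = True
            continue
        m = ACCESS_RE.search(line)
        if m:
            access = (m.group(1), int(m.group(2)), int(m.group(3), 16))
            continue
        m = SHADOW_RE.match(line)
        if m:  # each row covers 16 granules = 128 bytes of memory
            base = int(m.group(1), 16)
            for i, b in enumerate(m.group(2).split()):
                shadow[base + i * GRANULE] = int(b, 16)
    return access, symbol, shadow


def first_bad_granule(addr, size, shadow):
    """First granule touched by [addr, addr+size) that is not fully addressable."""
    g = addr & ~(GRANULE - 1)
    while g < addr + size:
        b = shadow.get(g)
        if b is None:
            return None
        used = min(addr + size, g + GRANULE) - g  # bytes of this granule the access reaches
        if b >= 0x80 or (b != 0 and used > b):
            return g, b
        g += GRANULE
    return None


def triage(text, elem_size=None):
    """Explain the caret: shadow byte, true object end, overrun, array index."""
    access, symbol, shadow = parse_report(text)
    if access is None or not shadow:
        raise ValueError("not a KASAN report with a shadow dump")
    kind, size, addr = access
    bad = first_bad_granule(addr, size, shadow)
    if bad is None:
        raise ValueError("faulting access not covered by the shadow dump")
    granule, byte = bad
    meaning = POISON.get(byte, f"partial granule, {byte} bytes addressable")
    r = {"kind": kind, "size": size, "addr": addr, "granule": granule,
         "shadow": byte, "meaning": meaning}
    if byte >= 0x80:
        # Walk back through contiguous poison: the redzone starts where the
        # object really ends, regardless of what kallsyms says its size is.
        end = granule
        while shadow.get(end - GRANULE) == byte:
            end -= GRANULE
        r["object_end"], r["overrun"] = end, addr - end
    if symbol:
        name, off, ksize = symbol
        start = addr - off
        r.update(symbol=name, object_start=start, kallsyms_end=start + ksize)
        if "object_end" in r:
            r["redzone_bytes"] = start + ksize - r["object_end"]  # kallsyms size includes it
            if elem_size:  # assumed element size, e.g. 8 for a pointer array
                r["index"] = off // elem_size
                r["nelems"] = (r["object_end"] - start) // elem_size
    return r


if __name__ == "__main__":
    for k, v in triage(REPORT, elem_size=8).items():
        print(f"{k:>14}: {v:#x}" if isinstance(v, int) else f"{k:>14}: {v}")
```

Run against the copied lines, the helper reports shadow byte 0xfa (global redzone) for the granule at ffffffff8dd14538, a redzone beginning at ffffffff8dd14520, i.e. a read 24 bytes past the end of `capi_applications`, a kallsyms end 32 bytes beyond the real one, and, under the 8-byte-element assumption, index 243 of a 240-element array.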