[ OK ] Reached target Login Prompts.
[ OK ] Reached target Multi-User System.
[ OK ] Reached target Graphical Interface.
Starting Update UTMP about System Runlevel Changes...
[ OK ] Started Update UTMP about System Runlevel Changes.

Debian GNU/Linux 9 syzkaller ttyS0

Warning: Permanently added '10.128.0.129' (ECDSA) to the list of known hosts.
executing program
executing program
executing program
syzkaller login: [ 80.759313][ T7184] ==================================================================
[ 80.767532][ T7184] BUG: KASAN: slab-out-of-bounds in hci_event_packet+0x540e/0xaa9d
[ 80.775427][ T7184] Read of size 6 at addr ffff8880a8897208 by task kworker/u5:2/7184
[ 80.783408][ T7184]
[ 80.785753][ T7184] CPU: 1 PID: 7184 Comm: kworker/u5:2 Not tainted 5.6.0-syzkaller #0
[ 80.793807][ T7184] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 80.803884][ T7184] Workqueue: hci0 hci_rx_work
[ 80.808563][ T7184] Call Trace:
[ 80.811847][ T7184] dump_stack+0x188/0x20d
[ 80.816165][ T7184] ? hci_event_packet+0x540e/0xaa9d
[ 80.821348][ T7184] ? hci_event_packet+0x540e/0xaa9d
[ 80.826533][ T7184] print_address_description.constprop.0.cold+0xd3/0x315
[ 80.833567][ T7184] ? hci_event_packet+0x540e/0xaa9d
[ 80.838750][ T7184] ? hci_event_packet+0x540e/0xaa9d
[ 80.843928][ T7184] __kasan_report.cold+0x1a/0x32
[ 80.848863][ T7184] ? hci_event_packet+0x540e/0xaa9d
[ 80.854046][ T7184] kasan_report+0xe/0x20
[ 80.858275][ T7184] check_memory_region+0x128/0x190
[ 80.863390][ T7184] memcpy+0x20/0x50
[ 80.867186][ T7184] hci_event_packet+0x540e/0xaa9d
[ 80.872219][ T7184] ? hci_cmd_complete_evt+0xc660/0xc660
[ 80.877753][ T7184] ? mark_held_locks+0xe0/0xe0
[ 80.882511][ T7184] ? __lock_acquire+0x3041/0x4e00
[ 80.887540][ T7184] ? mark_lock+0x12b/0xf10
[ 80.891944][ T7184] ? find_held_lock+0x2d/0x110
[ 80.896693][ T7184] ? skb_dequeue+0x153/0x1c0
[ 80.901265][ T7184] ? print_usage_bug+0x240/0x240
[ 80.906186][ T7184] ? lock_downgrade+0x840/0x840
[ 80.911023][ T7184] ? mark_held_locks+0x9f/0xe0
[ 80.915771][ T7184] ? _raw_spin_unlock_irqrestore+0x62/0xe0
[ 80.921573][ T7184] ? lockdep_hardirqs_on+0x463/0x620
[ 80.926839][ T7184] ? _raw_spin_unlock_irqrestore+0x9b/0xe0
[ 80.932635][ T7184] ? hci_rx_work+0x239/0xb30
[ 80.937207][ T7184] hci_rx_work+0x239/0xb30
[ 80.941621][ T7184] ? _raw_spin_unlock_irq+0x1f/0x80
[ 80.946819][ T7184] process_one_work+0x965/0x16a0
[ 80.951750][ T7184] ? lock_release+0x800/0x800
[ 80.956408][ T7184] ? pwq_dec_nr_in_flight+0x310/0x310
[ 80.961765][ T7184] ? rwlock_bug.part.0+0x90/0x90
[ 80.966691][ T7184] worker_thread+0x96/0xe20
[ 80.971186][ T7184] ? process_one_work+0x16a0/0x16a0
[ 80.976383][ T7184] kthread+0x388/0x470
[ 80.980450][ T7184] ? kthread_mod_delayed_work+0x1a0/0x1a0
[ 80.986147][ T7184] ret_from_fork+0x24/0x30
[ 80.990548][ T7184]
[ 80.992869][ T7184] Allocated by task 7189:
[ 80.997195][ T7184] save_stack+0x1b/0x80
[ 81.001339][ T7184] __kasan_kmalloc.constprop.0+0xbf/0xd0
[ 81.006981][ T7184] __kmalloc_reserve.isra.0+0x39/0xe0
[ 81.012335][ T7184] __alloc_skb+0xef/0x5a0
[ 81.016647][ T7184] vhci_write+0xbd/0x450
[ 81.020870][ T7184] new_sync_write+0x4a2/0x700
[ 81.025530][ T7184] __vfs_write+0xc9/0x100
[ 81.029841][ T7184] vfs_write+0x268/0x5d0
[ 81.034068][ T7184] ksys_write+0x12d/0x250
[ 81.038382][ T7184] do_syscall_64+0xf6/0x7d0
[ 81.042870][ T7184] entry_SYSCALL_64_after_hwframe+0x49/0xb3
[ 81.048771][ T7184]
[ 81.051085][ T7184] Freed by task 5213:
[ 81.055065][ T7184] save_stack+0x1b/0x80
[ 81.059206][ T7184] __kasan_slab_free+0xf7/0x140
[ 81.064043][ T7184] kfree+0x109/0x2b0
[ 81.067924][ T7184] kernfs_fop_release+0x124/0x190
[ 81.072933][ T7184] __fput+0x2e9/0x860
[ 81.076921][ T7184] task_work_run+0xf4/0x1b0
[ 81.081416][ T7184] exit_to_usermode_loop+0x2fa/0x360
[ 81.086683][ T7184] do_syscall_64+0x6b1/0x7d0
[ 81.091253][ T7184] entry_SYSCALL_64_after_hwframe+0x49/0xb3
[ 81.097131][ T7184]
[ 81.099443][ T7184] The buggy address belongs to the object at ffff8880a8897000
[ 81.099443][ T7184] which belongs to the cache kmalloc-512 of size 512
[ 81.113491][ T7184] The buggy address is located 8 bytes to the right of
[ 81.113491][ T7184] 512-byte region [ffff8880a8897000, ffff8880a8897200)
[ 81.127087][ T7184] The buggy address belongs to the page:
[ 81.132707][ T7184] page:ffffea0002a225c0 refcount:1 mapcount:0 mapping:ffff8880aa000a80 index:0x0
[ 81.141815][ T7184] flags: 0xfffe0000000200(slab)
[ 81.146647][ T7184] raw: 00fffe0000000200 ffffea00028d83c8 ffffea00029ec8c8 ffff8880aa000a80
[ 81.155309][ T7184] raw: 0000000000000000 ffff8880a8897000 0000000100000004 0000000000000000
[ 81.163874][ T7184] page dumped because: kasan: bad access detected
[ 81.170281][ T7184]
[ 81.172591][ T7184] Memory state around the buggy address:
[ 81.178206][ T7184] ffff8880a8897100: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 81.186254][ T7184] ffff8880a8897180: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 81.194299][ T7184] >ffff8880a8897200: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 81.202355][ T7184] ^
[ 81.206841][ T7184] ffff8880a8897280: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 81.214886][ T7184] ffff8880a8897300: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 81.222959][ T7184] ==================================================================
[ 81.231000][ T7184] Disabling lock debugging due to kernel taint
[ 81.237934][ T7184] Kernel panic - not syncing: panic_on_warn set ...
[ 81.244525][ T7184] CPU: 1 PID: 7184 Comm: kworker/u5:2 Tainted: G B 5.6.0-syzkaller #0
[ 81.254139][ T7184] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 81.264226][ T7184] Workqueue: hci0 hci_rx_work
[ 81.268894][ T7184] Call Trace:
[ 81.272186][ T7184] dump_stack+0x188/0x20d
[ 81.276518][ T7184] panic+0x2e3/0x75c
[ 81.280412][ T7184] ? add_taint.cold+0x16/0x16
[ 81.285108][ T7184] ? preempt_schedule_common+0x5e/0xc0
[ 81.290564][ T7184] ? hci_event_packet+0x540e/0xaa9d
[ 81.295765][ T7184] ? preempt_schedule_thunk+0x16/0x18
[ 81.301132][ T7184] ? trace_hardirqs_on+0x55/0x220
[ 81.306148][ T7184] ? hci_event_packet+0x540e/0xaa9d
[ 81.311379][ T7184] end_report+0x43/0x49
[ 81.315539][ T7184] ? hci_event_packet+0x540e/0xaa9d
[ 81.320732][ T7184] __kasan_report.cold+0xd/0x32
[ 81.325580][ T7184] ? hci_event_packet+0x540e/0xaa9d
[ 81.330821][ T7184] kasan_report+0xe/0x20
[ 81.335091][ T7184] check_memory_region+0x128/0x190
[ 81.340182][ T7184] memcpy+0x20/0x50
[ 81.344016][ T7184] hci_event_packet+0x540e/0xaa9d
[ 81.349022][ T7184] ? hci_cmd_complete_evt+0xc660/0xc660
[ 81.354552][ T7184] ? mark_held_locks+0xe0/0xe0
[ 81.359296][ T7184] ? __lock_acquire+0x3041/0x4e00
[ 81.364346][ T7184] ? mark_lock+0x12b/0xf10
[ 81.368907][ T7184] ? find_held_lock+0x2d/0x110
[ 81.373653][ T7184] ? skb_dequeue+0x153/0x1c0
[ 81.378227][ T7184] ? print_usage_bug+0x240/0x240
[ 81.383222][ T7184] ? lock_downgrade+0x840/0x840
[ 81.388064][ T7184] ? mark_held_locks+0x9f/0xe0
[ 81.392865][ T7184] ? _raw_spin_unlock_irqrestore+0x62/0xe0
[ 81.398701][ T7184] ? lockdep_hardirqs_on+0x463/0x620
[ 81.403964][ T7184] ? _raw_spin_unlock_irqrestore+0x9b/0xe0
[ 81.409765][ T7184] ? hci_rx_work+0x239/0xb30
[ 81.414355][ T7184] hci_rx_work+0x239/0xb30
[ 81.418752][ T7184] ? _raw_spin_unlock_irq+0x1f/0x80
[ 81.423927][ T7184] process_one_work+0x965/0x16a0
[ 81.428843][ T7184] ? lock_release+0x800/0x800
[ 81.433495][ T7184] ? pwq_dec_nr_in_flight+0x310/0x310
[ 81.438845][ T7184] ? rwlock_bug.part.0+0x90/0x90
[ 81.443785][ T7184] worker_thread+0x96/0xe20
[ 81.448418][ T7184] ? process_one_work+0x16a0/0x16a0
[ 81.453682][ T7184] kthread+0x388/0x470
[ 81.457728][ T7184] ? kthread_mod_delayed_work+0x1a0/0x1a0
[ 81.463425][ T7184] ret_from_fork+0x24/0x30
[ 81.469128][ T7184] Kernel Offset: disabled
[ 81.473446][ T7184] Rebooting in 86400 seconds..