Warning: Permanently added '[localhost]:55903' (ECDSA) to the list of known hosts.
executing program
executing program
executing program
syzkaller login: [ 181.098282][ T8172] ==================================================================
[ 181.123005][ T8172] BUG: KASAN: slab-out-of-bounds in hci_event_packet+0x306e/0x9d9b
[ 181.144123][ T8172] Read of size 6 at addr ffff888028839e08 by task kworker/u18:2/8172
[ 181.173210][ T8172]
[ 181.182760][ T8172] CPU: 2 PID: 8172 Comm: kworker/u18:2 Not tainted 5.7.0-syzkaller #0
[ 181.218362][ T8172] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.12.0-59-gc9ba5276e321-prebuilt.qemu.org 04/01/2014
[ 181.262789][ T8172] Workqueue: hci0 hci_rx_work
[ 181.262789][ T8172] Call Trace:
[ 181.282354][ T8172]  dump_stack+0x188/0x20d
[ 181.307525][ T8172]  ? hci_event_packet+0x306e/0x9d9b
[ 181.312733][ T8172]  ? hci_event_packet+0x306e/0x9d9b
[ 181.322319][ T8172]  print_address_description.constprop.0.cold+0xd3/0x413
[ 181.342324][ T8172]  ? __kasan_kmalloc.constprop.0+0xbf/0xd0
[ 181.352353][ T8172]  ? vprintk_func+0x97/0x1a6
[ 181.352353][ T8172]  ? hci_event_packet+0x306e/0x9d9b
[ 181.372457][ T8172]  kasan_report.cold+0x1f/0x37
[ 181.382329][ T8172]  ? hci_event_packet+0x306e/0x9d9b
[ 181.392373][ T8172]  check_memory_region+0x141/0x190
[ 181.402352][ T8172]  memcpy+0x20/0x60
[ 181.402352][ T8172]  hci_event_packet+0x306e/0x9d9b
[ 181.412324][ T8172]  ? hci_cmd_complete_evt+0xc650/0xc650
[ 181.422275][ T8172]  ? __lock_acquire+0x2e69/0x48a0
[ 181.432333][ T8172]  ? mark_lock+0x11f/0xdd0
[ 181.442285][ T8172]  ? print_usage_bug+0x240/0x240
[ 181.452298][ T8172]  ? skb_dequeue+0x153/0x1c0
[ 181.462533][ T8172]  ? mark_held_locks+0x9f/0xe0
[ 181.472381][ T8172]  ? _raw_spin_unlock_irqrestore+0x62/0xe0
[ 181.482227][ T8172]  ? lockdep_hardirqs_on_prepare+0x3a2/0x590
[ 181.492919][ T8172]  ? _raw_spin_unlock_irqrestore+0x9b/0xe0
[ 181.512451][ T8172]  hci_rx_work+0x239/0xb30
[ 181.532514][ T8172]  process_one_work+0x965/0x16a0
[ 181.562554][ T8172]  ? lock_release+0x800/0x800
[ 181.582410][ T8172]  ? pwq_dec_nr_in_flight+0x310/0x310
[ 181.602402][ T8172]  ? rwlock_bug.part.0+0x90/0x90
[ 181.612423][ T8172]  worker_thread+0x96/0xe20
[ 181.632606][ T8172]  ? process_one_work+0x16a0/0x16a0
[ 181.642355][ T8172]  kthread+0x388/0x470
[ 181.662461][ T8172]  ? kthread_mod_delayed_work+0x1a0/0x1a0
[ 181.696659][ T8172]  ? kthread_mod_delayed_work+0x1a0/0x1a0
[ 181.722493][ T8172]  ret_from_fork+0x24/0x30
[ 181.742501][ T8172]
[ 181.752492][ T8172] Allocated by task 8176:
[ 181.772489][ T8172]  save_stack+0x1b/0x40
[ 181.782355][ T8172]  __kasan_kmalloc.constprop.0+0xbf/0xd0
[ 181.792390][ T8172]  __kmalloc_reserve.isra.0+0x39/0xe0
[ 181.802452][ T8172]  __alloc_skb+0xef/0x5a0
[ 181.822517][ T8172]  vhci_write+0xbd/0x450
[ 181.832356][ T8172]  new_sync_write+0x426/0x650
[ 181.842329][ T8172]  __vfs_write+0xc9/0x100
[ 181.852473][ T8172]  vfs_write+0x268/0x5d0
[ 181.862317][ T8172]  ksys_write+0x12d/0x250
[ 181.872382][ T8172]  do_fast_syscall_32+0x270/0xe90
[ 181.892475][ T8172]  entry_SYSENTER_compat+0x70/0x7f
[ 181.913518][ T8172]
[ 181.922650][ T8172] Freed by task 4683:
[ 181.942669][ T8172]  save_stack+0x1b/0x40
[ 181.952535][ T8172]  __kasan_slab_free+0xf7/0x140
[ 181.972395][ T8172]  kfree+0x109/0x2b0
[ 181.982639][ T8172]  __do_execve_file.isra.0+0x23e3/0x2c20
[ 181.992328][ T8172]  __x64_sys_execve+0x8a/0xb0
[ 182.002323][ T8172]  do_syscall_64+0xf6/0x7d0
[ 182.012428][ T8172]  entry_SYSCALL_64_after_hwframe+0x49/0xb3
[ 182.022476][ T8172]
[ 182.032412][ T8172] The buggy address belongs to the object at ffff888028839c00
[ 182.032412][ T8172]  which belongs to the cache kmalloc-512 of size 512
[ 182.062490][ T8172] The buggy address is located 8 bytes to the right of
[ 182.062490][ T8172]  512-byte region [ffff888028839c00, ffff888028839e00)
[ 182.102800][ T8172] The buggy address belongs to the page:
[ 182.122437][ T8172] page:ffffea0000a20e40 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0
[ 182.132290][ T8172] flags: 0xfffe0000000200(slab)
[ 182.142340][ T8172] raw: 00fffe0000000200 ffffea0000a15a08 ffffea000090e648 ffff88802c800a80
[ 182.152369][ T8172] raw: 0000000000000000 ffff888028839000 0000000100000004 0000000000000000
[ 182.193785][ T8172] page dumped because: kasan: bad access detected
[ 182.202648][ T8172]
[ 182.212655][ T8172] Memory state around the buggy address:
[ 182.222378][ T8172]  ffff888028839d00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 182.232300][ T8172]  ffff888028839d80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 182.242290][ T8172] >ffff888028839e00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 182.252311][ T8172]                    ^
[ 182.262348][ T8172]  ffff888028839e80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 182.272280][ T8172]  ffff888028839f00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 182.292459][ T8172] ==================================================================
[ 182.312525][ T8172] Disabling lock debugging due to kernel taint
[ 182.365731][ T8172] Kernel panic - not syncing: panic_on_warn set ...
[ 182.372902][ T8172] CPU: 0 PID: 8172 Comm: kworker/u18:2 Tainted: G    B   5.7.0-syzkaller #0
[ 182.372902][ T8172] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.12.0-59-gc9ba5276e321-prebuilt.qemu.org 04/01/2014
[ 182.372902][ T8172] Workqueue: hci0 hci_rx_work
[ 182.372902][ T8172] Call Trace:
[ 182.372902][ T8172]  dump_stack+0x188/0x20d
[ 182.372902][ T8172]  ? hci_event_packet+0x2fb0/0x9d9b
[ 182.372902][ T8172]  panic+0x2e3/0x75c
[ 182.372902][ T8172]  ? add_taint.cold+0x16/0x16
[ 182.372902][ T8172]  ? preempt_schedule_common+0x5e/0xc0
[ 182.372902][ T8172]  ? hci_event_packet+0x306e/0x9d9b
[ 182.372902][ T8172]  ? hci_event_packet+0x306e/0x9d9b
[ 182.372902][ T8172]  ? preempt_schedule_thunk+0x16/0x18
[ 182.372902][ T8172]  ? trace_hardirqs_on+0x55/0x230
[ 182.372902][ T8172]  ? hci_event_packet+0x306e/0x9d9b
[ 182.372902][ T8172]  ? hci_event_packet+0x306e/0x9d9b
[ 182.372902][ T8172]  end_report+0x4d/0x53
[ 182.372902][ T8172]  kasan_report.cold+0xd/0x37
[ 182.372902][ T8172]  ? hci_event_packet+0x306e/0x9d9b
[ 182.372902][ T8172]  check_memory_region+0x141/0x190
[ 182.372902][ T8172]  memcpy+0x20/0x60
[ 182.372902][ T8172]  hci_event_packet+0x306e/0x9d9b
[ 182.372902][ T8172]  ? hci_cmd_complete_evt+0xc650/0xc650
[ 182.372902][ T8172]  ? __lock_acquire+0x2e69/0x48a0
[ 182.372902][ T8172]  ? mark_lock+0x11f/0xdd0
[ 182.372902][ T8172]  ? print_usage_bug+0x240/0x240
[ 182.372902][ T8172]  ? skb_dequeue+0x153/0x1c0
[ 182.372902][ T8172]  ? mark_held_locks+0x9f/0xe0
[ 182.372902][ T8172]  ? _raw_spin_unlock_irqrestore+0x62/0xe0
[ 182.372902][ T8172]  ? lockdep_hardirqs_on_prepare+0x3a2/0x590
[ 182.372902][ T8172]  ? _raw_spin_unlock_irqrestore+0x9b/0xe0
[ 182.372902][ T8172]  hci_rx_work+0x239/0xb30
[ 182.372902][ T8172]  process_one_work+0x965/0x16a0
[ 182.372902][ T8172]  ? lock_release+0x800/0x800
[ 182.372902][ T8172]  ? pwq_dec_nr_in_flight+0x310/0x310
[ 182.372902][ T8172]  ? rwlock_bug.part.0+0x90/0x90
[ 182.372902][ T8172]  worker_thread+0x96/0xe20
[ 182.372902][ T8172]  ? process_one_work+0x16a0/0x16a0
[ 182.372902][ T8172]  kthread+0x388/0x470
[ 182.372902][ T8172]  ? kthread_mod_delayed_work+0x1a0/0x1a0
[ 182.372902][ T8172]  ? kthread_mod_delayed_work+0x1a0/0x1a0
[ 182.372902][ T8172]  ret_from_fork+0x24/0x30
[ 182.372902][ T8172] Kernel Offset: disabled
[ 182.372902][ T8172] Rebooting in 86400 seconds..