syzkaller login: [ 162.276677][ T40] audit: type=1400 audit(1589642743.183:41): avc: denied { map } for pid=9908 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
Warning: Permanently added '[localhost]:45267' (ECDSA) to the list of known hosts.
executing program
[ 167.097841][ T40] audit: type=1400 audit(1589642748.003:42): avc: denied { map } for pid=9925 comm="syz-executor913" path="/syz-executor913082201" dev="sda1" ino=16526 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:file_t:s0 tclass=file permissive=1
executing program
executing program
executing program
executing program
[ 198.095530][ T9927] ==================================================================
[ 198.101736][ T9927] BUG: KASAN: slab-out-of-bounds in hci_event_packet+0x540e/0xaa9d
[ 198.101736][ T9927] Read of size 6 at addr ffff888028ae9a08 by task kworker/u18:1/9927
[ 198.101736][ T9927]
[ 198.101736][ T9927] CPU: 0 PID: 9927 Comm: kworker/u18:1 Not tainted 5.7.0-rc5-syzkaller #0
[ 198.101736][ T9927] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.12.0-59-gc9ba5276e321-prebuilt.qemu.org 04/01/2014
[ 198.101736][ T9927] Workqueue: hci0 hci_rx_work
[ 198.101736][ T9927] Call Trace:
[ 198.101736][ T9927] dump_stack+0x188/0x20d
[ 198.101736][ T9927] print_address_description.constprop.0.cold+0xd3/0x413
[ 198.101736][ T9927] ? __kasan_kmalloc.constprop.0+0xbf/0xd0
[ 198.101736][ T9927] ? vprintk_func+0x81/0x17e
[ 198.101736][ T9927] ? hci_event_packet+0x540e/0xaa9d
[ 198.101736][ T9927] __kasan_report.cold+0x20/0x38
[ 198.101736][ T9927] ? hci_event_packet+0x540e/0xaa9d
[ 198.101736][ T9927] ? hci_event_packet+0x540e/0xaa9d
[ 198.101736][ T9927] kasan_report+0x33/0x50
[ 198.101736][ T9927] check_memory_region+0x141/0x190
[ 198.101736][ T9927] memcpy+0x20/0x60
[ 198.101736][ T9927] hci_event_packet+0x540e/0xaa9d
[ 198.101736][ T9927] ? hci_cmd_complete_evt+0xc660/0xc660
[ 198.101736][ T9927] ? mark_held_locks+0xe0/0xe0
[ 198.101736][ T9927] ? __lock_acquire+0x2ed1/0x4c50
[ 198.101736][ T9927] ? mark_lock+0x12b/0xf10
[ 198.101736][ T9927] ? find_held_lock+0x2d/0x110
[ 198.428559][ T9927] ? skb_dequeue+0x153/0x1c0
[ 198.428559][ T9927] ? print_usage_bug+0x240/0x240
[ 198.428559][ T9927] ? lock_downgrade+0x840/0x840
[ 198.428559][ T9927] ? mark_held_locks+0x9f/0xe0
[ 198.428559][ T9927] ? _raw_spin_unlock_irqrestore+0x62/0xe0
[ 198.428559][ T9927] ? lockdep_hardirqs_on+0x463/0x620
[ 198.428559][ T9927] ? _raw_spin_unlock_irqrestore+0x9b/0xe0
[ 198.428559][ T9927] ? hci_rx_work+0x239/0xb30
[ 198.428559][ T9927] hci_rx_work+0x239/0xb30
[ 198.428559][ T9927] ? _raw_spin_unlock_irq+0x1f/0x80
[ 198.428559][ T9927] process_one_work+0x965/0x16a0
[ 198.428559][ T9927] ? lock_release+0x800/0x800
[ 198.428559][ T9927] ? pwq_dec_nr_in_flight+0x310/0x310
[ 198.428559][ T9927] ? rwlock_bug.part.0+0x90/0x90
[ 198.428559][ T9927] worker_thread+0x96/0xe20
[ 198.428559][ T9927] ? process_one_work+0x16a0/0x16a0
[ 198.428559][ T9927] kthread+0x388/0x470
[ 198.428559][ T9927] ? kthread_mod_delayed_work+0x1a0/0x1a0
[ 198.428559][ T9927] ret_from_fork+0x24/0x30
[ 198.428559][ T9927]
[ 198.428559][ T9927] Allocated by task 9933:
[ 198.428559][ T9927] save_stack+0x1b/0x40
[ 198.428559][ T9927] __kasan_kmalloc.constprop.0+0xbf/0xd0
[ 198.428559][ T9927] __kmalloc_reserve.isra.0+0x39/0xe0
[ 198.428559][ T9927] __alloc_skb+0xef/0x5a0
[ 198.428559][ T9927] vhci_write+0xbd/0x450
[ 198.428559][ T9927] new_sync_write+0x4a2/0x700
[ 198.428559][ T9927] __vfs_write+0xc9/0x100
[ 198.428559][ T9927] vfs_write+0x268/0x5d0
[ 198.428559][ T9927] ksys_write+0x12d/0x250
[ 198.428559][ T9927] do_syscall_64+0xf6/0x7d0
[ 198.428559][ T9927] entry_SYSCALL_64_after_hwframe+0x49/0xb3
[ 198.428559][ T9927]
[ 198.428559][ T9927] Freed by task 9823:
[ 198.428559][ T9927] save_stack+0x1b/0x40
[ 198.428559][ T9927] __kasan_slab_free+0xf7/0x140
[ 198.428559][ T9927] kfree+0x109/0x2b0
[ 198.428559][ T9927] tomoyo_supervisor+0x34d/0xee0
[ 198.428559][ T9927] tomoyo_path_permission+0x257/0x360
[ 198.428559][ T9927] tomoyo_check_open_permission+0x336/0x370
[ 198.428559][ T9927] tomoyo_file_open+0xa3/0xd0
[ 198.428559][ T9927] security_file_open+0x6e/0x410
[ 198.428559][ T9927] do_dentry_open+0x358/0x1290
[ 198.428559][ T9927] path_openat+0x1e59/0x27d0
[ 198.428559][ T9927] do_filp_open+0x192/0x260
[ 198.428559][ T9927] do_sys_openat2+0x585/0x7d0
[ 198.428559][ T9927] do_sys_open+0xc3/0x140
[ 198.428559][ T9927] do_syscall_64+0xf6/0x7d0
[ 198.428559][ T9927] entry_SYSCALL_64_after_hwframe+0x49/0xb3
[ 198.428559][ T9927]
[ 198.428559][ T9927] The buggy address belongs to the object at ffff888028ae9800
[ 198.428559][ T9927] which belongs to the cache kmalloc-512 of size 512
[ 198.428559][ T9927] The buggy address is located 8 bytes to the right of
[ 198.428559][ T9927] 512-byte region [ffff888028ae9800, ffff888028ae9a00)
[ 198.428559][ T9927] The buggy address belongs to the page:
[ 198.428559][ T9927] page:ffffea0000a2ba40 refcount:1 mapcount:0 mapping:00000000d1a68903 index:0x0
[ 198.428559][ T9927] flags: 0xfffe0000000200(slab)
[ 198.428559][ T9927] raw: 00fffe0000000200 ffffea00009c5288 ffffea0000aaa9c8 ffff88802c800a80
[ 198.428559][ T9927] raw: 0000000000000000 ffff888028ae9000 0000000100000004 0000000000000000
[ 198.428559][ T9927] page dumped because: kasan: bad access detected
[ 198.428559][ T9927]
[ 198.428559][ T9927] Memory state around the buggy address:
[ 198.428559][ T9927] ffff888028ae9900: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 198.428559][ T9927] ffff888028ae9980: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 198.428559][ T9927] >ffff888028ae9a00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 198.428559][ T9927] ^
[ 198.428559][ T9927] ffff888028ae9a80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 198.428559][ T9927] ffff888028ae9b00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 198.428559][ T9927] ==================================================================
[ 198.428559][ T9927] Disabling lock debugging due to kernel taint
[ 199.609467][ T9927] Kernel panic - not syncing: panic_on_warn set ...
[ 199.618864][ T9927] CPU: 0 PID: 9927 Comm: kworker/u18:1 Tainted: G B 5.7.0-rc5-syzkaller #0
[ 199.618864][ T9927] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.12.0-59-gc9ba5276e321-prebuilt.qemu.org 04/01/2014
[ 199.618864][ T9927] Workqueue: hci0 hci_rx_work
[ 199.618864][ T9927] Call Trace:
[ 199.618864][ T9927] dump_stack+0x188/0x20d
[ 199.618864][ T9927] panic+0x2e3/0x75c
[ 199.618864][ T9927] ? add_taint.cold+0x16/0x16
[ 199.618864][ T9927] ? preempt_schedule_common+0x5e/0xc0
[ 199.618864][ T9927] ? hci_event_packet+0x540e/0xaa9d
[ 199.618864][ T9927] ? preempt_schedule_thunk+0x16/0x18
[ 199.618864][ T9927] ? trace_hardirqs_on+0x55/0x220
[ 199.618864][ T9927] ? hci_event_packet+0x540e/0xaa9d
[ 199.618864][ T9927] end_report+0x4d/0x53
[ 199.618864][ T9927] __kasan_report.cold+0xd/0x38
[ 199.618864][ T9927] ? hci_event_packet+0x540e/0xaa9d
[ 199.618864][ T9927] ? hci_event_packet+0x540e/0xaa9d
[ 199.618864][ T9927] kasan_report+0x33/0x50
[ 199.618864][ T9927] check_memory_region+0x141/0x190
[ 199.618864][ T9927] memcpy+0x20/0x60
[ 199.618864][ T9927] hci_event_packet+0x540e/0xaa9d
[ 199.618864][ T9927] ? hci_cmd_complete_evt+0xc660/0xc660
[ 199.618864][ T9927] ? mark_held_locks+0xe0/0xe0
[ 199.618864][ T9927] ? __lock_acquire+0x2ed1/0x4c50
[ 199.618864][ T9927] ? mark_lock+0x12b/0xf10
[ 199.618864][ T9927] ? find_held_lock+0x2d/0x110
[ 199.618864][ T9927] ? skb_dequeue+0x153/0x1c0
[ 199.618864][ T9927] ? print_usage_bug+0x240/0x240
[ 199.618864][ T9927] ? lock_downgrade+0x840/0x840
[ 199.618864][ T9927] ? mark_held_locks+0x9f/0xe0
[ 199.618864][ T9927] ? _raw_spin_unlock_irqrestore+0x62/0xe0
[ 199.618864][ T9927] ? lockdep_hardirqs_on+0x463/0x620
[ 199.618864][ T9927] ? _raw_spin_unlock_irqrestore+0x9b/0xe0
[ 199.618864][ T9927] ? hci_rx_work+0x239/0xb30
[ 199.618864][ T9927] hci_rx_work+0x239/0xb30
[ 199.618864][ T9927] ? _raw_spin_unlock_irq+0x1f/0x80
[ 199.618864][ T9927] process_one_work+0x965/0x16a0
[ 199.618864][ T9927] ? lock_release+0x800/0x800
[ 199.618864][ T9927] ? pwq_dec_nr_in_flight+0x310/0x310
[ 199.618864][ T9927] ? rwlock_bug.part.0+0x90/0x90
[ 199.618864][ T9927] worker_thread+0x96/0xe20
[ 199.618864][ T9927] ? process_one_work+0x16a0/0x16a0
[ 199.618864][ T9927] kthread+0x388/0x470
[ 199.618864][ T9927] ? kthread_mod_delayed_work+0x1a0/0x1a0
[ 199.618864][ T9927] ret_from_fork+0x24/0x30
[ 199.618864][ T9927] Kernel Offset: disabled
[ 199.618864][ T9927] Rebooting in 86400 seconds..