[ OK ] Started Getty on tty2.
[ OK ] Started Serial Getty on ttyS0.
[ OK ] Started Getty on tty1.
[ OK ] Reached target Login Prompts.
[ OK ] Reached target Multi-User System.
[ OK ] Reached target Graphical Interface.
Starting Update UTMP about System Runlevel Changes...
[ OK ] Started Update UTMP about System Runlevel Changes.
Starting Load/Save RF Kill Switch Status...
[ OK ] Started Load/Save RF Kill Switch Status.

Debian GNU/Linux 9 syzkaller ttyS0

Warning: Permanently added '10.128.0.109' (ECDSA) to the list of known hosts.
executing program
syzkaller login: [ 58.901551][ T6887] IPVS: ftp: loaded support on port[0] = 21
[ 58.970904][ T1548] Bluetooth: hci0: unknown advertising packet type: 0x2b
[ 58.970980][ T1548] ==================================================================
[ 58.986485][ T1548] BUG: KASAN: slab-out-of-bounds in hci_le_meta_evt+0x3937/0x3ff0
[ 58.994417][ T1548] Read of size 1 at addr ffff88809dcf0e0c by task kworker/u5:0/1548
[ 59.002372][ T1548]
[ 59.004709][ T1548] CPU: 1 PID: 1548 Comm: kworker/u5:0 Not tainted 5.8.0-syzkaller #0
[ 59.012838][ T1548] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 59.022879][ T1548] Workqueue: hci0 hci_rx_work
[ 59.027529][ T1548] Call Trace:
[ 59.030801][ T1548]  dump_stack+0x18f/0x20d
[ 59.035132][ T1548]  ? hci_le_meta_evt+0x3937/0x3ff0
[ 59.040241][ T1548]  ? hci_le_meta_evt+0x3937/0x3ff0
[ 59.045343][ T1548]  print_address_description.constprop.0.cold+0xae/0x497
[ 59.052348][ T1548]  ? vprintk_func+0x97/0x1a6
[ 59.056918][ T1548]  ? hci_le_meta_evt+0x3937/0x3ff0
[ 59.062005][ T1548]  ? hci_le_meta_evt+0x3937/0x3ff0
[ 59.067096][ T1548]  kasan_report.cold+0x1f/0x37
[ 59.071849][ T1548]  ? hci_le_meta_evt+0x3937/0x3ff0
[ 59.076940][ T1548]  hci_le_meta_evt+0x3937/0x3ff0
[ 59.081946][ T1548]  ? mark_lock+0xbc/0x1710
[ 59.086343][ T1548]  ? hci_key_refresh_complete_evt.isra.0+0x10b0/0x10b0
[ 59.093360][ T1548]  ? mark_lock+0xbc/0x1710
[ 59.097753][ T1548]  ? __lock_acquire+0x16cb/0x5640
[ 59.102790][ T1548]  ? __lock_acquire+0x16cb/0x5640
[ 59.107857][ T1548]  hci_event_packet+0x2e25/0x87a8
[ 59.112876][ T1548]  ? lockdep_hardirqs_on_prepare+0x530/0x530
[ 59.119043][ T1548]  ? __lock_acquire+0x16cb/0x5640
[ 59.124052][ T1548]  ? hci_cmd_complete_evt+0xc6d0/0xc6d0
[ 59.129577][ T1548]  ? lock_acquire+0x1f1/0xad0
[ 59.134303][ T1548]  ? skb_dequeue+0x1c/0x180
[ 59.138783][ T1548]  ? find_held_lock+0x2d/0x110
[ 59.143535][ T1548]  ? mark_lock+0xbc/0x1710
[ 59.147934][ T1548]  ? mark_held_locks+0x9f/0xe0
[ 59.152677][ T1548]  ? _raw_spin_unlock_irqrestore+0x62/0xe0
[ 59.158984][ T1548]  ? lockdep_hardirqs_on_prepare+0x354/0x530
[ 59.164946][ T1548]  ? trace_hardirqs_on+0x5f/0x220
[ 59.169976][ T1548]  ? lockdep_hardirqs_on+0x76/0xf0
[ 59.175086][ T1548]  hci_rx_work+0x22e/0xb50
[ 59.179490][ T1548]  process_one_work+0x94c/0x1670
[ 59.184436][ T1548]  ? lock_release+0x8e0/0x8e0
[ 59.189091][ T1548]  ? pwq_dec_nr_in_flight+0x2d0/0x2d0
[ 59.194444][ T1548]  ? rwlock_bug.part.0+0x90/0x90
[ 59.199363][ T1548]  worker_thread+0x64c/0x1120
[ 59.204030][ T1548]  ? process_one_work+0x1670/0x1670
[ 59.209208][ T1548]  kthread+0x3b5/0x4a0
[ 59.213255][ T1548]  ? __kthread_bind_mask+0xc0/0xc0
[ 59.218349][ T1548]  ? __kthread_bind_mask+0xc0/0xc0
[ 59.223463][ T1548]  ret_from_fork+0x1f/0x30
[ 59.227859][ T1548]
[ 59.230165][ T1548] Allocated by task 6887:
[ 59.234489][ T1548]  kasan_save_stack+0x1b/0x40
[ 59.239169][ T1548]  __kasan_kmalloc.constprop.0+0xbf/0xd0
[ 59.244783][ T1548]  __alloc_skb+0xae/0x550
[ 59.249092][ T1548]  vhci_write+0xbd/0x450
[ 59.253312][ T1548]  new_sync_write+0x422/0x650
[ 59.257962][ T1548]  vfs_write+0x5ad/0x730
[ 59.262280][ T1548]  ksys_write+0x12d/0x250
[ 59.266590][ T1548]  do_syscall_64+0x2d/0x70
[ 59.270981][ T1548]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 59.276844][ T1548]
[ 59.279152][ T1548] The buggy address belongs to the object at ffff88809dcf0c00
[ 59.279152][ T1548]  which belongs to the cache kmalloc-512 of size 512
[ 59.293207][ T1548] The buggy address is located 12 bytes to the right of
[ 59.293207][ T1548]  512-byte region [ffff88809dcf0c00, ffff88809dcf0e00)
[ 59.307215][ T1548] The buggy address belongs to the page:
[ 59.312924][ T1548] page:00000000ab10fbfb refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x9dcf0
[ 59.323249][ T1548] flags: 0xfffe0000000200(slab)
[ 59.328077][ T1548] raw: 00fffe0000000200 ffffea00024d5248 ffffea00027a3d88 ffff8880aa040600
[ 59.336755][ T1548] raw: 0000000000000000 ffff88809dcf0000 0000000100000004 0000000000000000
[ 59.345473][ T1548] page dumped because: kasan: bad access detected
[ 59.351873][ T1548]
[ 59.354211][ T1548] Memory state around the buggy address:
[ 59.359823][ T1548]  ffff88809dcf0d00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 59.367861][ T1548]  ffff88809dcf0d80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 59.376083][ T1548] >ffff88809dcf0e00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 59.384139][ T1548]                                                        ^
[ 59.388471][ T1548]  ffff88809dcf0e80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 59.396540][ T1548]  ffff88809dcf0f00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 59.404602][ T1548] ==================================================================
[ 59.412684][ T1548] Disabling lock debugging due to kernel taint
[ 59.420551][ T1548] Kernel panic - not syncing: panic_on_warn set ...
[ 59.427156][ T1548] CPU: 1 PID: 1548 Comm: kworker/u5:0 Tainted: G B 5.8.0-syzkaller #0
[ 59.436605][ T1548] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 59.446666][ T1548] Workqueue: hci0 hci_rx_work
[ 59.451328][ T1548] Call Trace:
[ 59.454601][ T1548]  dump_stack+0x18f/0x20d
[ 59.458976][ T1548]  ? hci_le_meta_evt+0x3920/0x3ff0
[ 59.464515][ T1548]  panic+0x2e3/0x75c
[ 59.468395][ T1548]  ? __warn_printk+0xf3/0xf3
[ 59.472957][ T1548]  ? preempt_schedule_common+0x59/0xc0
[ 59.478388][ T1548]  ? hci_le_meta_evt+0x3937/0x3ff0
[ 59.483472][ T1548]  ? preempt_schedule_thunk+0x16/0x18
[ 59.488816][ T1548]  ? trace_hardirqs_on+0x55/0x220
[ 59.493812][ T1548]  ? hci_le_meta_evt+0x3937/0x3ff0
[ 59.498913][ T1548]  ? hci_le_meta_evt+0x3937/0x3ff0
[ 59.504186][ T1548]  end_report+0x4d/0x53
[ 59.508329][ T1548]  kasan_report.cold+0xd/0x37
[ 59.512991][ T1548]  ? hci_le_meta_evt+0x3937/0x3ff0
[ 59.518249][ T1548]  hci_le_meta_evt+0x3937/0x3ff0
[ 59.523164][ T1548]  ? mark_lock+0xbc/0x1710
[ 59.527551][ T1548]  ? hci_key_refresh_complete_evt.isra.0+0x10b0/0x10b0
[ 59.534369][ T1548]  ? mark_lock+0xbc/0x1710
[ 59.538777][ T1548]  ? __lock_acquire+0x16cb/0x5640
[ 59.543780][ T1548]  ? __lock_acquire+0x16cb/0x5640
[ 59.548781][ T1548]  hci_event_packet+0x2e25/0x87a8
[ 59.553868][ T1548]  ? lockdep_hardirqs_on_prepare+0x530/0x530
[ 59.559841][ T1548]  ? __lock_acquire+0x16cb/0x5640
[ 59.566519][ T1548]  ? hci_cmd_complete_evt+0xc6d0/0xc6d0
[ 59.572034][ T1548]  ? lock_acquire+0x1f1/0xad0
[ 59.576685][ T1548]  ? skb_dequeue+0x1c/0x180
[ 59.581179][ T1548]  ? find_held_lock+0x2d/0x110
[ 59.586618][ T1548]  ? mark_lock+0xbc/0x1710
[ 59.591015][ T1548]  ? mark_held_locks+0x9f/0xe0
[ 59.595758][ T1548]  ? _raw_spin_unlock_irqrestore+0x62/0xe0
[ 59.601559][ T1548]  ? lockdep_hardirqs_on_prepare+0x354/0x530
[ 59.607511][ T1548]  ? trace_hardirqs_on+0x5f/0x220
[ 59.612506][ T1548]  ? lockdep_hardirqs_on+0x76/0xf0
[ 59.617600][ T1548]  hci_rx_work+0x22e/0xb50
[ 59.622002][ T1548]  process_one_work+0x94c/0x1670
[ 59.626919][ T1548]  ? lock_release+0x8e0/0x8e0
[ 59.631567][ T1548]  ? pwq_dec_nr_in_flight+0x2d0/0x2d0
[ 59.636931][ T1548]  ? rwlock_bug.part.0+0x90/0x90
[ 59.641875][ T1548]  worker_thread+0x64c/0x1120
[ 59.646553][ T1548]  ? process_one_work+0x1670/0x1670
[ 59.651984][ T1548]  kthread+0x3b5/0x4a0
[ 59.656026][ T1548]  ? __kthread_bind_mask+0xc0/0xc0
[ 59.661108][ T1548]  ? __kthread_bind_mask+0xc0/0xc0
[ 59.666202][ T1548]  ret_from_fork+0x1f/0x30
[ 59.672120][ T1548] Kernel Offset: disabled
[ 59.676448][ T1548] Rebooting in 86400 seconds..