Warning: Permanently added '10.128.0.81' (ECDSA) to the list of known hosts.
executing program
executing program
executing program
syzkaller login: [   66.800106][ T6935] ==================================================================
[   66.808395][ T6935] BUG: KASAN: slab-out-of-bounds in hci_event_packet+0x14ad/0x18240
[   66.816381][ T6935] Read of size 6 at addr ffff8880a03fe9fb by task kworker/u5:2/6935
[   66.824353][ T6935]
[   66.826671][ T6935] CPU: 0 PID: 6935 Comm: kworker/u5:2 Not tainted 5.8.0-rc4-syzkaller #0
[   66.835052][ T6935] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   66.845091][ T6935] Workqueue: hci0 hci_rx_work
[   66.849740][ T6935] Call Trace:
[   66.853010][ T6935]  dump_stack+0x1f0/0x31e
[   66.857319][ T6935]  print_address_description+0x66/0x5a0
[   66.862853][ T6935]  ? vprintk_emit+0x342/0x3c0
[   66.867509][ T6935]  ? printk+0x62/0x83
[   66.871464][ T6935]  ? rcu_read_lock_sched_held+0x2f/0xa0
[   66.876985][ T6935]  ? vprintk_emit+0x339/0x3c0
[   66.881642][ T6935]  kasan_report+0x132/0x1d0
[   66.886126][ T6935]  ? hci_event_packet+0x14ad/0x18240
[   66.891391][ T6935]  ? memcpy+0x3c/0x60
[   66.895352][ T6935]  check_memory_region+0x2b5/0x2f0
[   66.900441][ T6935]  ? hci_event_packet+0x14ad/0x18240
[   66.905706][ T6935]  memcpy+0x25/0x60
[   66.909935][ T6935]  hci_event_packet+0x14ad/0x18240
[   66.915027][ T6935]  ? trace_lock_release+0x137/0x1a0
[   66.920557][ T6935]  ? lockdep_hardirqs_on+0x38/0xe0
[   66.925650][ T6935]  hci_rx_work+0x236/0x9c0
[   66.930048][ T6935]  process_one_work+0x789/0xfc0
[   66.934886][ T6935]  worker_thread+0xaa4/0x1460
[   66.939544][ T6935]  ? _raw_spin_unlock_irqrestore+0x6f/0xd0
[   66.945338][ T6935]  kthread+0x37e/0x3a0
[   66.949381][ T6935]  ? rcu_lock_release+0x20/0x20
[   66.954205][ T6935]  ? kthread_blkcg+0xd0/0xd0
[   66.958771][ T6935]  ret_from_fork+0x1f/0x30
[   66.963168][ T6935]
[   66.965472][ T6935] Allocated by task 6938:
[   66.969777][ T6935]  __kasan_kmalloc+0x103/0x140
[   66.974514][ T6935]  __alloc_skb+0xde/0x4f0
[   66.978817][ T6935]  vhci_write+0xb7/0x400
[   66.983037][ T6935]  __vfs_write+0x52f/0x6e0
[   66.987426][ T6935]  vfs_write+0x274/0x580
[   66.991645][ T6935]  ksys_write+0x11b/0x220
[   66.995954][ T6935]  do_syscall_64+0x73/0xe0
[   67.000352][ T6935]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[   67.006215][ T6935]
[   67.008521][ T6935] Freed by task 4964:
[   67.012483][ T6935]  __kasan_slab_free+0x114/0x170
[   67.017416][ T6935]  kfree+0x10a/0x220
[   67.021293][ T6935]  ep_eventpoll_release+0x44/0x50
[   67.026309][ T6935]  __fput+0x2f0/0x750
[   67.030282][ T6935]  task_work_run+0x137/0x1c0
[   67.034853][ T6935]  __prepare_exit_to_usermode+0x14c/0x1e0
[   67.040565][ T6935]  do_syscall_64+0x7f/0xe0
[   67.044960][ T6935]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[   67.050927][ T6935]
[   67.053247][ T6935] The buggy address belongs to the object at ffff8880a03fe800
[   67.053247][ T6935]  which belongs to the cache kmalloc-512 of size 512
[   67.067364][ T6935] The buggy address is located 507 bytes inside of
[   67.067364][ T6935]  512-byte region [ffff8880a03fe800, ffff8880a03fea00)
[   67.080607][ T6935] The buggy address belongs to the page:
[   67.086220][ T6935] page:ffffea000280ff80 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0
[   67.095316][ T6935] flags: 0xfffe0000000200(slab)
[   67.100148][ T6935] raw: 00fffe0000000200 ffffea000280cf88 ffffea0002795a88 ffff8880aa400a80
[   67.108721][ T6935] raw: 0000000000000000 ffff8880a03fe000 0000000100000004 0000000000000000
[   67.117278][ T6935] page dumped because: kasan: bad access detected
[   67.123663][ T6935]
[   67.125967][ T6935] Memory state around the buggy address:
[   67.131585][ T6935]  ffff8880a03fe900: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   67.139625][ T6935]  ffff8880a03fe980: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   67.147750][ T6935] >ffff8880a03fea00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   67.155782][ T6935]                   ^
[   67.159823][ T6935]  ffff8880a03fea80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   67.167858][ T6935]  ffff8880a03feb00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   67.175898][ T6935] ==================================================================
[   67.183933][ T6935] Disabling lock debugging due to kernel taint
[   67.201937][ T6935] Kernel panic - not syncing: panic_on_warn set ...
[   67.208555][ T6935] CPU: 0 PID: 6935 Comm: kworker/u5:2 Tainted: G    B             5.8.0-rc4-syzkaller #0
[   67.218371][ T6935] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   67.228429][ T6935] Workqueue: hci0 hci_rx_work
[   67.233098][ T6935] Call Trace:
[   67.236385][ T6935]  dump_stack+0x1f0/0x31e
[   67.240712][ T6935]  panic+0x264/0x7a0
[   67.244603][ T6935]  ? trace_hardirqs_on+0x30/0x80
[   67.249538][ T6935]  kasan_report+0x1c9/0x1d0
[   67.254034][ T6935]  ? hci_event_packet+0x14ad/0x18240
[   67.259309][ T6935]  ? memcpy+0x3c/0x60
[   67.263272][ T6935]  check_memory_region+0x2b5/0x2f0
[   67.268354][ T6935]  ? hci_event_packet+0x14ad/0x18240
[   67.273706][ T6935]  memcpy+0x25/0x60
[   67.277511][ T6935]  hci_event_packet+0x14ad/0x18240
[   67.282622][ T6935]  ? trace_lock_release+0x137/0x1a0
[   67.287796][ T6935]  ? lockdep_hardirqs_on+0x38/0xe0
[   67.292885][ T6935]  hci_rx_work+0x236/0x9c0
[   67.297276][ T6935]  process_one_work+0x789/0xfc0
[   67.302129][ T6935]  worker_thread+0xaa4/0x1460
[   67.306779][ T6935]  ? _raw_spin_unlock_irqrestore+0x6f/0xd0
[   67.312556][ T6935]  kthread+0x37e/0x3a0
[   67.316598][ T6935]  ? rcu_lock_release+0x20/0x20
[   67.321417][ T6935]  ? kthread_blkcg+0xd0/0xd0
[   67.325976][ T6935]  ret_from_fork+0x1f/0x30
[   67.331555][ T6935] Kernel Offset: disabled
[   67.335863][ T6935] Rebooting in 86400 seconds..