[ OK ] Reached target Graphical Interface.
Starting Update UTMP about System Runlevel Changes...
Starting Load/Save RF Kill Switch Status...
[ OK ] Started Update UTMP about System Runlevel Changes.
[ OK ] Started Load/Save RF Kill Switch Status.

Debian GNU/Linux 9 syzkaller ttyS0

Warning: Permanently added '10.128.0.81' (ECDSA) to the list of known hosts.
executing program
executing program
syzkaller login: [ 32.821350] audit: type=1400 audit(1594324216.173:8): avc: denied { execmem } for pid=6318 comm="syz-executor886" scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=process permissive=1
[ 32.889504] ==================================================================
[ 32.897036] BUG: KASAN: slab-out-of-bounds in hci_event_packet+0x6b22/0x7324
[ 32.904241] Read of size 6 at addr ffff888094fb727b by task kworker/u5:0/1190
[ 32.911534]
[ 32.913241] CPU: 1 PID: 1190 Comm: kworker/u5:0 Not tainted 4.14.184-syzkaller #0
[ 32.921111] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 32.930465] Workqueue: hci0 hci_rx_work
[ 32.934417] Call Trace:
[ 32.937005]  dump_stack+0x1b2/0x283
[ 32.940613]  ? hci_event_packet+0x6b22/0x7324
[ 32.945085]  print_address_description.cold+0x54/0x1dc
[ 32.950360]  ? hci_event_packet+0x6b22/0x7324
[ 32.954839]  kasan_report.cold+0xa9/0x2b9
[ 32.958980]  hci_event_packet+0x6b22/0x7324
[ 32.963286]  ? skb_dequeue+0x120/0x170
[ 32.967170]  ? hci_phy_link_complete_evt.isra.0+0x6c0/0x6c0
[ 32.972863]  ? lock_is_held_type+0x1f0/0x210
[ 32.977251]  ? _raw_spin_unlock_irqrestore+0x79/0xe0
[ 32.982330]  ? trace_hardirqs_on_caller+0x3a8/0x580
[ 32.987323]  hci_rx_work+0x3da/0x950
[ 32.991017]  process_one_work+0x7c0/0x14c0
[ 32.995232]  ? pwq_dec_nr_in_flight+0x2b0/0x2b0
[ 32.999894]  worker_thread+0x5d7/0x1080
[ 33.003856]  ? process_one_work+0x14c0/0x14c0
[ 33.008329]  kthread+0x30d/0x420
[ 33.011670]  ? kthread_create_on_node+0xd0/0xd0
[ 33.016321]  ret_from_fork+0x24/0x30
[ 33.020013]
[ 33.021635] Allocated by task 6327:
[ 33.025518]  kasan_kmalloc.part.0+0x4f/0xd0
[ 33.029813]  __kmalloc_node_track_caller+0x4c/0x70
[ 33.034718]  __kmalloc_reserve.isra.0+0x35/0xd0
[ 33.039372]  __alloc_skb+0xca/0x4c0
[ 33.042974]  vhci_write+0xb1/0x420
[ 33.046498]  __vfs_write+0x44e/0x630
[ 33.050213]  vfs_write+0x17f/0x4d0
[ 33.053735]  SyS_write+0xf2/0x210
[ 33.057180]  do_syscall_64+0x1d5/0x640
[ 33.061044]  entry_SYSCALL_64_after_hwframe+0x46/0xbb
[ 33.066226]
[ 33.067835] Freed by task 4406:
[ 33.071099]  kasan_slab_free+0xaf/0x190
[ 33.075049]  kfree+0xcb/0x260
[ 33.078131]  kernfs_fop_release+0x10d/0x180
[ 33.082438]  __fput+0x25f/0x7a0
[ 33.085703]  task_work_run+0x113/0x190
[ 33.089566]  exit_to_usermode_loop+0x1ad/0x200
[ 33.094137]  do_syscall_64+0x4a3/0x640
[ 33.098003]  entry_SYSCALL_64_after_hwframe+0x46/0xbb
[ 33.103165]
[ 33.104780] The buggy address belongs to the object at ffff888094fb7080
[ 33.104780]  which belongs to the cache kmalloc-512 of size 512
[ 33.117412] The buggy address is located 507 bytes inside of
[ 33.117412]  512-byte region [ffff888094fb7080, ffff888094fb7280)
[ 33.129259] The buggy address belongs to the page:
[ 33.134175] page:ffffea000253edc0 count:1 mapcount:0 mapping:ffff888094fb7080 index:0xffff888094fb7d00
[ 33.143681] flags: 0xfffe0000000100(slab)
[ 33.147806] raw: 00fffe0000000100 ffff888094fb7080 ffff888094fb7d00 0000000100000005
[ 33.155662] raw: ffffea000251eb20 ffffea00029253a0 ffff8880aa800940 0000000000000000
[ 33.163512] page dumped because: kasan: bad access detected
[ 33.169204]
[ 33.170807] Memory state around the buggy address:
[ 33.175710]  ffff888094fb7180: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 33.183043]  ffff888094fb7200: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 33.190409] >ffff888094fb7280: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 33.197752]                    ^
[ 33.201099]  ffff888094fb7300: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 33.208433]  ffff888094fb7380: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 33.215765] ==================================================================
[ 33.223094] Disabling lock debugging due to kernel taint
[ 33.229658] Kernel panic - not syncing: panic_on_warn set ...
[ 33.229658]
[ 33.237111] CPU: 1 PID: 1190 Comm: kworker/u5:0 Tainted: G B 4.14.184-syzkaller #0
[ 33.245935] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 33.255294] Workqueue: hci0 hci_rx_work
[ 33.259255] Call Trace:
[ 33.261822]  dump_stack+0x1b2/0x283
[ 33.265426]  panic+0x1f9/0x42d
[ 33.268592]  ? add_taint.cold+0x16/0x16
[ 33.272539]  ? preempt_schedule_common+0x4a/0xc0
[ 33.277279]  ? hci_event_packet+0x6b22/0x7324
[ 33.281748]  ? ___preempt_schedule+0x16/0x18
[ 33.286131]  ? hci_event_packet+0x6b22/0x7324
[ 33.290612]  kasan_end_report+0x43/0x49
[ 33.294569]  kasan_report.cold+0x12f/0x2b9
[ 33.298788]  hci_event_packet+0x6b22/0x7324
[ 33.303084]  ? skb_dequeue+0x120/0x170
[ 33.306945]  ? hci_phy_link_complete_evt.isra.0+0x6c0/0x6c0
[ 33.312648]  ? lock_is_held_type+0x1f0/0x210
[ 33.317030]  ? _raw_spin_unlock_irqrestore+0x79/0xe0
[ 33.322122]  ? trace_hardirqs_on_caller+0x3a8/0x580
[ 33.327122]  hci_rx_work+0x3da/0x950
[ 33.330812]  process_one_work+0x7c0/0x14c0
[ 33.335025]  ? pwq_dec_nr_in_flight+0x2b0/0x2b0
[ 33.339669]  worker_thread+0x5d7/0x1080
[ 33.343633]  ? process_one_work+0x14c0/0x14c0
[ 33.348105]  kthread+0x30d/0x420
[ 33.351443]  ? kthread_create_on_node+0xd0/0xd0
[ 33.356101]  ret_from_fork+0x24/0x30
[ 33.360797] Kernel Offset: disabled
[ 33.364408] Rebooting in 86400 seconds..