[ OK ] Reached target Graphical Interface.
       Starting Update UTMP about System Runlevel Changes...
[ OK ] Started Update UTMP about System Runlevel Changes.
       Starting Load/Save RF Kill Switch Status...
[ OK ] Started Load/Save RF Kill Switch Status.

Debian GNU/Linux 9 syzkaller ttyS0

Warning: Permanently added '10.128.0.201' (ECDSA) to the list of known hosts.
executing program
executing program
syzkaller login: [ 63.733146][ T1522] ==================================================================
[ 63.741445][ T1522] BUG: KASAN: slab-out-of-bounds in hci_event_packet+0x6c7/0x18240
[ 63.749329][ T1522] Read of size 6 at addr ffff88809a1da404 by task kworker/u5:0/1522
[ 63.757294][ T1522]
[ 63.759632][ T1522] CPU: 0 PID: 1522 Comm: kworker/u5:0 Not tainted 5.8.0-rc3-syzkaller #0
[ 63.768023][ T1522] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 63.778092][ T1522] Workqueue: hci0 hci_rx_work
[ 63.782828][ T1522] Call Trace:
[ 63.786092][ T1522]  dump_stack+0x1f0/0x31e
[ 63.790400][ T1522]  print_address_description+0x66/0x5a0
[ 63.795917][ T1522]  ? vprintk_emit+0x342/0x3c0
[ 63.800570][ T1522]  ? printk+0x62/0x83
[ 63.804524][ T1522]  ? rcu_read_lock_sched_held+0x2f/0xa0
[ 63.810055][ T1522]  ? vprintk_emit+0x339/0x3c0
[ 63.814707][ T1522]  kasan_report+0x132/0x1d0
[ 63.819189][ T1522]  ? hci_event_packet+0x6c7/0x18240
[ 63.824361][ T1522]  ? memcpy+0x3c/0x60
[ 63.828322][ T1522]  check_memory_region+0x2b5/0x2f0
[ 63.833415][ T1522]  ? hci_event_packet+0x6c7/0x18240
[ 63.838590][ T1522]  memcpy+0x25/0x60
[ 63.842385][ T1522]  hci_event_packet+0x6c7/0x18240
[ 63.847408][ T1522]  ? trace_lock_release+0x137/0x1a0
[ 63.852588][ T1522]  ? lockdep_hardirqs_on+0x38/0xe0
[ 63.857798][ T1522]  hci_rx_work+0x236/0x9c0
[ 63.862212][ T1522]  process_one_work+0x789/0xfc0
[ 63.867063][ T1522]  worker_thread+0xaa4/0x1460
[ 63.871728][ T1522]  kthread+0x37e/0x3a0
[ 63.875770][ T1522]  ? rcu_lock_release+0x20/0x20
[ 63.880590][ T1522]  ? kthread_blkcg+0xd0/0xd0
[ 63.885153][ T1522]  ret_from_fork+0x1f/0x30
[ 63.889549][ T1522]
[ 63.891852][ T1522] Allocated by task 6806:
[ 63.896155][ T1522]  __kasan_kmalloc+0x103/0x140
[ 63.900892][ T1522]  __alloc_skb+0xde/0x4f0
[ 63.905202][ T1522]  vhci_write+0xb7/0x400
[ 63.909417][ T1522]  __vfs_write+0x52f/0x6e0
[ 63.913805][ T1522]  vfs_write+0x274/0x580
[ 63.918018][ T1522]  ksys_write+0x11b/0x220
[ 63.922336][ T1522]  do_syscall_64+0x73/0xe0
[ 63.926725][ T1522]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 63.932584][ T1522]
[ 63.934885][ T1522] Freed by task 1:
[ 63.938581][ T1522]  __kasan_slab_free+0x114/0x170
[ 63.943489][ T1522]  kfree+0x10a/0x220
[ 63.947357][ T1522]  __kfree_skb+0x56/0x1c0
[ 63.951659][ T1522]  skb_free_datagram+0x24/0xd0
[ 63.956420][ T1522]  netlink_recvmsg+0x553/0xfe0
[ 63.961157][ T1522]  ____sys_recvmsg+0x24a/0x510
[ 63.965892][ T1522]  __sys_recvmsg+0x23b/0x7e0
[ 63.970469][ T1522]  do_syscall_64+0x73/0xe0
[ 63.974947][ T1522]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 63.980807][ T1522]
[ 63.983114][ T1522] The buggy address belongs to the object at ffff88809a1da000
[ 63.983114][ T1522]  which belongs to the cache kmalloc-1k of size 1024
[ 63.997224][ T1522] The buggy address is located 4 bytes to the right of
[ 63.997224][ T1522]  1024-byte region [ffff88809a1da000, ffff88809a1da400)
[ 64.010897][ T1522] The buggy address belongs to the page:
[ 64.016505][ T1522] page:ffffea0002687680 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0
[ 64.025582][ T1522] flags: 0xfffe0000000200(slab)
[ 64.030426][ T1522] raw: 00fffe0000000200 ffffea00029c2a08 ffffea00027ac808 ffff8880aa400c40
[ 64.038983][ T1522] raw: 0000000000000000 ffff88809a1da000 0000000100000002 0000000000000000
[ 64.047533][ T1522] page dumped because: kasan: bad access detected
[ 64.053913][ T1522]
[ 64.056233][ T1522] Memory state around the buggy address:
[ 64.061836][ T1522]  ffff88809a1da300: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 64.069870][ T1522]  ffff88809a1da380: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 64.077903][ T1522] >ffff88809a1da400: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 64.085930][ T1522]                    ^
[ 64.089965][ T1522]  ffff88809a1da480: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 64.097997][ T1522]  ffff88809a1da500: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 64.106026][ T1522] ==================================================================
[ 64.114054][ T1522] Disabling lock debugging due to kernel taint
[ 64.120953][ T1522] Kernel panic - not syncing: panic_on_warn set ...
[ 64.127529][ T1522] CPU: 0 PID: 1522 Comm: kworker/u5:0 Tainted: G    B             5.8.0-rc3-syzkaller #0
[ 64.137316][ T1522] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 64.147435][ T1522] Workqueue: hci0 hci_rx_work
[ 64.152077][ T1522] Call Trace:
[ 64.155361][ T1522]  dump_stack+0x1f0/0x31e
[ 64.159660][ T1522]  panic+0x264/0x7a0
[ 64.163526][ T1522]  ? trace_hardirqs_on+0x30/0x80
[ 64.168437][ T1522]  kasan_report+0x1c9/0x1d0
[ 64.172910][ T1522]  ? hci_event_packet+0x6c7/0x18240
[ 64.178076][ T1522]  ? memcpy+0x3c/0x60
[ 64.182035][ T1522]  check_memory_region+0x2b5/0x2f0
[ 64.187117][ T1522]  ? hci_event_packet+0x6c7/0x18240
[ 64.192285][ T1522]  memcpy+0x25/0x60
[ 64.196151][ T1522]  hci_event_packet+0x6c7/0x18240
[ 64.201159][ T1522]  ? trace_lock_release+0x137/0x1a0
[ 64.206334][ T1522]  ? lockdep_hardirqs_on+0x38/0xe0
[ 64.211417][ T1522]  hci_rx_work+0x236/0x9c0
[ 64.215808][ T1522]  process_one_work+0x789/0xfc0
[ 64.220633][ T1522]  worker_thread+0xaa4/0x1460
[ 64.225288][ T1522]  kthread+0x37e/0x3a0
[ 64.229425][ T1522]  ? rcu_lock_release+0x20/0x20
[ 64.234245][ T1522]  ? kthread_blkcg+0xd0/0xd0
[ 64.238912][ T1522]  ret_from_fork+0x1f/0x30
[ 64.244455][ T1522] Kernel Offset: disabled
[ 64.248768][ T1522] Rebooting in 86400 seconds..