[ OK ] Reached target Graphical Interface.
Starting Update UTMP about System Runlevel Changes...
Starting Load/Save RF Kill Switch Status...
[ OK ] Started Update UTMP about System Runlevel Changes.
[ OK ] Started Load/Save RF Kill Switch Status.

Debian GNU/Linux 9 syzkaller ttyS0

Warning: Permanently added '10.128.0.149' (ECDSA) to the list of known hosts.
executing program
executing program
executing program
syzkaller login: [ 45.681120] audit: type=1400 audit(1593880341.274:8): avc: denied { execmem } for pid=6455 comm="syz-executor599" scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=process permissive=1
[ 45.746471] ==================================================================
[ 45.754062] BUG: KASAN: slab-out-of-bounds in hci_extended_inquiry_result_evt.isra.0+0x1aa/0x5b0
[ 45.762981] Read of size 6 at addr ffff88809e5311c4 by task kworker/u5:0/1218
[ 45.770246]
[ 45.771877] CPU: 1 PID: 1218 Comm: kworker/u5:0 Not tainted 4.19.131-syzkaller #0
[ 45.779482] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 45.788824] Workqueue: hci0 hci_rx_work
[ 45.792777] Call Trace:
[ 45.795346] dump_stack+0x1fc/0x2fe
[ 45.798956] print_address_description.cold+0x54/0x219
[ 45.804215] kasan_report_error.cold+0x8a/0x1c7
[ 45.808869] ? hci_extended_inquiry_result_evt.isra.0+0x1aa/0x5b0
[ 45.815079] kasan_report+0x8f/0x96
[ 45.818689] ? hci_extended_inquiry_result_evt.isra.0+0x1aa/0x5b0
[ 45.824900] memcpy+0x20/0x50
[ 45.827989] hci_extended_inquiry_result_evt.isra.0+0x1aa/0x5b0
[ 45.834046] ? hci_key_refresh_complete_evt.isra.0+0x1020/0x1020
[ 45.840176] hci_event_packet+0x2025/0x858f
[ 45.844479] ? mark_held_locks+0xf0/0xf0
[ 45.848517] ? __lock_acquire+0x22f9/0x3ff0
[ 45.852817] ? hci_cmd_complete_evt+0xb5e0/0xb5e0
[ 45.857641] ? debug_object_deactivate+0x1f9/0x2e0
[ 45.862558] ? mark_held_locks+0xa6/0xf0
[ 45.866598] ? _raw_spin_unlock_irqrestore+0x79/0xe0
[ 45.871682] ? lockdep_hardirqs_on+0x3a8/0x5c0
[ 45.876262] hci_rx_work+0x46b/0xa90
[ 45.879970] process_one_work+0x864/0x1570
[ 45.884190] ? pwq_dec_nr_in_flight+0x2d0/0x2d0
[ 45.888844] worker_thread+0x64c/0x1130
[ 45.892802] ? process_one_work+0x1570/0x1570
[ 45.897277] kthread+0x30b/0x410
[ 45.900625] ? kthread_park+0x180/0x180
[ 45.904583] ret_from_fork+0x24/0x30
[ 45.908290]
[ 45.909904] Allocated by task 6470:
[ 45.913518] __kmalloc_node_track_caller+0x4c/0x70
[ 45.918428] __alloc_skb+0xae/0x560
[ 45.922032] vhci_write+0xbd/0x450
[ 45.925550] __vfs_write+0x51b/0x770
[ 45.929243] vfs_write+0x1f3/0x540
[ 45.932770] ksys_write+0x12b/0x2a0
[ 45.936379] do_syscall_64+0xf9/0x620
[ 45.940175] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 45.945341]
[ 45.946946] Freed by task 4701:
[ 45.950225] kfree+0xcc/0x210
[ 45.953315] skb_release_data+0x6de/0x920
[ 45.957441] consume_skb+0x113/0x3d0
[ 45.961140] netlink_unicast+0x4dd/0x690
[ 45.965181] netlink_sendmsg+0x6bb/0xc40
[ 45.969229] sock_sendmsg+0xc3/0x120
[ 45.972922] ___sys_sendmsg+0x7bb/0x8e0
[ 45.976873] __x64_sys_sendmsg+0x132/0x220
[ 45.981090] do_syscall_64+0xf9/0x620
[ 45.984870] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 45.990034]
[ 45.991663] The buggy address belongs to the object at ffff88809e530dc0
[ 45.991663] which belongs to the cache kmalloc-1024 of size 1024
[ 46.004471] The buggy address is located 4 bytes to the right of
[ 46.004471] 1024-byte region [ffff88809e530dc0, ffff88809e5311c0)
[ 46.016750] The buggy address belongs to the page:
[ 46.021658] page:ffffea0002794c00 count:1 mapcount:0 mapping:ffff88812c39cac0 index:0x0 compound_mapcount: 0
[ 46.031600] flags: 0xfffe0000008100(slab|head)
[ 46.036162] raw: 00fffe0000008100 ffffea000265ef08 ffffea00028f8108 ffff88812c39cac0
[ 46.044024] raw: 0000000000000000 ffff88809e530040 0000000100000007 0000000000000000
[ 46.051880] page dumped because: kasan: bad access detected
[ 46.057582]
[ 46.059188] Memory state around the buggy address:
[ 46.064097] ffff88809e531080: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 46.071444] ffff88809e531100: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 46.078786] >ffff88809e531180: 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc
[ 46.086124] ^
[ 46.091552] ffff88809e531200: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
[ 46.098889] ffff88809e531280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 46.106222] ==================================================================
[ 46.113552] Disabling lock debugging due to kernel taint
[ 46.119575] Kernel panic - not syncing: panic_on_warn set ...
[ 46.119575]
[ 46.126940] CPU: 1 PID: 1218 Comm: kworker/u5:0 Tainted: G B 4.19.131-syzkaller #0
[ 46.135937] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 46.145282] Workqueue: hci0 hci_rx_work
[ 46.149244] Call Trace:
[ 46.151826] dump_stack+0x1fc/0x2fe
[ 46.155447] panic+0x26a/0x50e
[ 46.158630] ? __warn_printk+0xf3/0xf3
[ 46.162498] ? trace_hardirqs_on+0x55/0x210
[ 46.166797] kasan_end_report+0x43/0x49
[ 46.170752] kasan_report_error.cold+0xa7/0x1c7
[ 46.175428] ? hci_extended_inquiry_result_evt.isra.0+0x1aa/0x5b0
[ 46.181636] kasan_report+0x8f/0x96
[ 46.185243] ? hci_extended_inquiry_result_evt.isra.0+0x1aa/0x5b0
[ 46.191451] memcpy+0x20/0x50
[ 46.194537] hci_extended_inquiry_result_evt.isra.0+0x1aa/0x5b0
[ 46.200575] ? hci_key_refresh_complete_evt.isra.0+0x1020/0x1020
[ 46.206700] hci_event_packet+0x2025/0x858f
[ 46.211002] ? mark_held_locks+0xf0/0xf0
[ 46.215052] ? __lock_acquire+0x22f9/0x3ff0
[ 46.219351] ? hci_cmd_complete_evt+0xb5e0/0xb5e0
[ 46.224187] ? debug_object_deactivate+0x1f9/0x2e0
[ 46.229096] ? mark_held_locks+0xa6/0xf0
[ 46.233136] ? _raw_spin_unlock_irqrestore+0x79/0xe0
[ 46.238216] ? lockdep_hardirqs_on+0x3a8/0x5c0
[ 46.242778] hci_rx_work+0x46b/0xa90
[ 46.246469] process_one_work+0x864/0x1570
[ 46.250683] ? pwq_dec_nr_in_flight+0x2d0/0x2d0
[ 46.255332] worker_thread+0x64c/0x1130
[ 46.259289] ? process_one_work+0x1570/0x1570
[ 46.263762] kthread+0x30b/0x410
[ 46.267104] ? kthread_park+0x180/0x180
[ 46.271076] ret_from_fork+0x24/0x30
[ 46.275958] Kernel Offset: disabled
[ 46.279567] Rebooting in 86400 seconds..