[ OK ] Started Getty on tty3.
[ OK ] Started Getty on tty2.
[ OK ] Started Getty on tty1.
[ OK ] Started Serial Getty on ttyS0.
[ OK ] Reached target Login Prompts.
[ OK ] Reached target Multi-User System.
[ OK ] Reached target Graphical Interface.
Starting Update UTMP about System Runlevel Changes...
[ OK ] Started Update UTMP about System Runlevel Changes.
Starting Load/Save RF Kill Switch Status...

Debian GNU/Linux 9 syzkaller ttyS0

Warning: Permanently added '10.128.0.41' (ECDSA) to the list of known hosts.
executing program
executing program
syzkaller login: [   56.152540][ T1520] ==================================================================
[   56.160941][ T1520] BUG: KASAN: slab-out-of-bounds in hci_inquiry_result_with_rssi_evt+0x230/0x6b0
[   56.170072][ T1520] Read of size 6 at addr ffff8880a7b7ddfb by task kworker/u5:0/1520
[   56.178045][ T1520]
[   56.180388][ T1520] CPU: 1 PID: 1520 Comm: kworker/u5:0 Not tainted 5.8.0-rc4-syzkaller #0
[   56.188970][ T1520] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   56.199040][ T1520] Workqueue: hci0 hci_rx_work
[   56.203834][ T1520] Call Trace:
[   56.207240][ T1520]  dump_stack+0x18f/0x20d
[   56.211623][ T1520]  ? hci_inquiry_result_with_rssi_evt+0x230/0x6b0
[   56.218057][ T1520]  ? hci_inquiry_result_with_rssi_evt+0x230/0x6b0
[   56.224521][ T1520]  print_address_description.constprop.0.cold+0xae/0x436
[   56.231571][ T1520]  ? lockdep_hardirqs_off+0x66/0xa0
[   56.236776][ T1520]  ? vprintk_func+0x97/0x1a6
[   56.241378][ T1520]  ? hci_inquiry_result_with_rssi_evt+0x230/0x6b0
[   56.247807][ T1520]  kasan_report.cold+0x1f/0x37
[   56.252589][ T1520]  ? hci_inquiry_result_with_rssi_evt+0x230/0x6b0
[   56.259015][ T1520]  check_memory_region+0x13d/0x180
[   56.264165][ T1520]  memcpy+0x20/0x60
[   56.267991][ T1520]  hci_inquiry_result_with_rssi_evt+0x230/0x6b0
[   56.274256][ T1520]  ? process_adv_report+0xe40/0xe40
[   56.279461][ T1520]  hci_event_packet+0x1e8c/0x86f5
[   56.284508][ T1520]  ? lockdep_hardirqs_on_prepare+0x590/0x590
[   56.290660][ T1520]  ? hci_cmd_complete_evt+0xc6e0/0xc6e0
[   56.296297][ T1520]  ? lock_acquire+0x1f1/0xad0
[   56.301310][ T1520]  ? skb_dequeue+0x1c/0x180
[   56.305868][ T1520]  ? find_held_lock+0x2d/0x110
[   56.310827][ T1520]  ? mark_lock+0xbc/0x1710
[   56.315527][ T1520]  ? mark_held_locks+0x9f/0xe0
[   56.320288][ T1520]  ? _raw_spin_unlock_irqrestore+0x62/0xe0
[   56.326100][ T1520]  ? lockdep_hardirqs_on_prepare+0x3a2/0x590
[   56.332073][ T1520]  ? trace_hardirqs_on+0x5f/0x220
[   56.337101][ T1520]  ? lockdep_hardirqs_on+0x6a/0xe0
[   56.342304][ T1520]  hci_rx_work+0x22e/0xb10
[   56.346711][ T1520]  process_one_work+0x94c/0x1670
[   56.351646][ T1520]  ? pwq_dec_nr_in_flight+0x2d0/0x2d0
[   56.357071][ T1520]  ? rwlock_bug.part.0+0x90/0x90
[   56.361999][ T1520]  worker_thread+0x64c/0x1120
[   56.366967][ T1520]  ? process_one_work+0x1670/0x1670
[   56.372160][ T1520]  kthread+0x3b5/0x4a0
[   56.376419][ T1520]  ? __kthread_bind_mask+0xc0/0xc0
[   56.381726][ T1520]  ? __kthread_bind_mask+0xc0/0xc0
[   56.386838][ T1520]  ret_from_fork+0x1f/0x30
[   56.391247][ T1520]
[   56.393556][ T1520] Allocated by task 6805:
[   56.397922][ T1520]  save_stack+0x1b/0x40
[   56.402067][ T1520]  __kasan_kmalloc.constprop.0+0xc2/0xd0
[   56.407691][ T1520]  __alloc_skb+0xae/0x550
[   56.412009][ T1520]  vhci_write+0xbd/0x450
[   56.416494][ T1520]  new_sync_write+0x422/0x650
[   56.421197][ T1520]  __vfs_write+0xc9/0x100
[   56.425606][ T1520]  vfs_write+0x268/0x5d0
[   56.429850][ T1520]  ksys_write+0x12d/0x250
[   56.434179][ T1520]  do_syscall_64+0x60/0xe0
[   56.438671][ T1520]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[   56.444801][ T1520]
[   56.447128][ T1520] Freed by task 4898:
[   56.451117][ T1520]  save_stack+0x1b/0x40
[   56.455272][ T1520]  __kasan_slab_free+0xf5/0x140
[   56.460104][ T1520]  kfree+0x103/0x2c0
[   56.464392][ T1520]  skb_release_data+0x6d9/0x910
[   56.469779][ T1520]  consume_skb+0xc2/0x160
[   56.474112][ T1520]  netlink_unicast+0x53b/0x7d0
[   56.479288][ T1520]  netlink_sendmsg+0x856/0xd90
[   56.484038][ T1520]  sock_sendmsg+0xcf/0x120
[   56.488551][ T1520]  ____sys_sendmsg+0x6e8/0x810
[   56.493295][ T1520]  ___sys_sendmsg+0xf3/0x170
[   56.497999][ T1520]  __sys_sendmsg+0xe5/0x1b0
[   56.502503][ T1520]  do_syscall_64+0x60/0xe0
[   56.506901][ T1520]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[   56.512780][ T1520]
[   56.515088][ T1520] The buggy address belongs to the object at ffff8880a7b7dc00
[   56.515088][ T1520]  which belongs to the cache kmalloc-512 of size 512
[   56.529137][ T1520] The buggy address is located 507 bytes inside of
[   56.529137][ T1520]  512-byte region [ffff8880a7b7dc00, ffff8880a7b7de00)
[   56.542389][ T1520] The buggy address belongs to the page:
[   56.548526][ T1520] page:ffffea00029edf40 refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff8880a7b7d000
[   56.559030][ T1520] flags: 0xfffe0000000200(slab)
[   56.563869][ T1520] raw: 00fffe0000000200 ffffea00025508c8 ffffea00025dfb08 ffff8880aa000a80
[   56.572449][ T1520] raw: ffff8880a7b7d000 ffff8880a7b7d000 0000000100000001 0000000000000000
[   56.581034][ T1520] page dumped because: kasan: bad access detected
[   56.587437][ T1520]
[   56.589741][ T1520] Memory state around the buggy address:
[   56.595371][ T1520]  ffff8880a7b7dd00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   56.603419][ T1520]  ffff8880a7b7dd80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   56.611468][ T1520] >ffff8880a7b7de00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   56.619514][ T1520]                    ^
[   56.623574][ T1520]  ffff8880a7b7de80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   56.631768][ T1520]  ffff8880a7b7df00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   56.639890][ T1520] ==================================================================
[   56.647933][ T1520] Disabling lock debugging due to kernel taint
[   56.655835][ T1520] Kernel panic - not syncing: panic_on_warn set ...
[   56.662538][ T1520] CPU: 0 PID: 1520 Comm: kworker/u5:0 Tainted: G    B             5.8.0-rc4-syzkaller #0
[   56.672521][ T1520] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   56.683023][ T1520] Workqueue: hci0 hci_rx_work
[   56.687693][ T1520] Call Trace:
[   56.691158][ T1520]  dump_stack+0x18f/0x20d
[   56.695513][ T1520]  ? hci_inquiry_result_with_rssi_evt+0x1c0/0x6b0
[   56.702010][ T1520]  panic+0x2e3/0x75c
[   56.705915][ T1520]  ? __warn_printk+0xf3/0xf3
[   56.710581][ T1520]  ? preempt_schedule_common+0x59/0xc0
[   56.716132][ T1520]  ? hci_inquiry_result_with_rssi_evt+0x230/0x6b0
[   56.722539][ T1520]  ? preempt_schedule_thunk+0x16/0x18
[   56.728075][ T1520]  ? trace_hardirqs_on+0x55/0x220
[   56.733087][ T1520]  ? hci_inquiry_result_with_rssi_evt+0x230/0x6b0
[   56.739480][ T1520]  ? hci_inquiry_result_with_rssi_evt+0x230/0x6b0
[   56.745885][ T1520]  end_report+0x4d/0x53
[   56.750045][ T1520]  kasan_report.cold+0xd/0x37
[   56.754714][ T1520]  ? hci_inquiry_result_with_rssi_evt+0x230/0x6b0
[   56.761118][ T1520]  check_memory_region+0x13d/0x180
[   56.766367][ T1520]  memcpy+0x20/0x60
[   56.770312][ T1520]  hci_inquiry_result_with_rssi_evt+0x230/0x6b0
[   56.776929][ T1520]  ? process_adv_report+0xe40/0xe40
[   56.782693][ T1520]  hci_event_packet+0x1e8c/0x86f5
[   56.787805][ T1520]  ? lockdep_hardirqs_on_prepare+0x590/0x590
[   56.793956][ T1520]  ? hci_cmd_complete_evt+0xc6e0/0xc6e0
[   56.799483][ T1520]  ? lock_acquire+0x1f1/0xad0
[   56.804153][ T1520]  ? skb_dequeue+0x1c/0x180
[   56.808649][ T1520]  ? find_held_lock+0x2d/0x110
[   56.813423][ T1520]  ? mark_lock+0xbc/0x1710
[   56.817837][ T1520]  ? mark_held_locks+0x9f/0xe0
[   56.822698][ T1520]  ? _raw_spin_unlock_irqrestore+0x62/0xe0
[   56.828532][ T1520]  ? lockdep_hardirqs_on_prepare+0x3a2/0x590
[   56.835441][ T1520]  ? trace_hardirqs_on+0x5f/0x220
[   56.840732][ T1520]  ? lockdep_hardirqs_on+0x6a/0xe0
[   56.845936][ T1520]  hci_rx_work+0x22e/0xb10
[   56.850346][ T1520]  process_one_work+0x94c/0x1670
[   56.855280][ T1520]  ? pwq_dec_nr_in_flight+0x2d0/0x2d0
[   56.860643][ T1520]  ? rwlock_bug.part.0+0x90/0x90
[   56.865647][ T1520]  worker_thread+0x64c/0x1120
[   56.870314][ T1520]  ? process_one_work+0x1670/0x1670
[   56.875688][ T1520]  kthread+0x3b5/0x4a0
[   56.879752][ T1520]  ? __kthread_bind_mask+0xc0/0xc0
[   56.884839][ T1520]  ? __kthread_bind_mask+0xc0/0xc0
[   56.889934][ T1520]  ret_from_fork+0x1f/0x30
[   56.895390][ T1520] Kernel Offset: disabled
[   56.899799][ T1520] Rebooting in 86400 seconds..