[ OK ] Reached target Multi-User System.
[ OK ] Reached target Graphical Interface.
Starting Update UTMP about System Runlevel Changes...
[ OK ] Started Update UTMP about System Runlevel Changes.
[ OK ] Listening on Load/Save RF Kill Switch Status /dev/rfkill Watch.

Debian GNU/Linux 9 syzkaller ttyS0

Warning: Permanently added '10.128.0.172' (ECDSA) to the list of known hosts.
executing program
syzkaller login: [ 88.314146][ T6837] ==================================================================
[ 88.322410][ T6837] BUG: KASAN: slab-out-of-bounds in hci_inquiry_result_with_rssi_evt+0x230/0x6b0
[ 88.331513][ T6837] Read of size 6 at addr ffff8880a84df1fb by task kworker/u5:1/6837
[ 88.339478][ T6837]
[ 88.341813][ T6837] CPU: 1 PID: 6837 Comm: kworker/u5:1 Not tainted 5.8.0-rc4-next-20200710-syzkaller #0
[ 88.351449][ T6837] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 88.361527][ T6837] Workqueue: hci0 hci_rx_work
[ 88.366198][ T6837] Call Trace:
[ 88.369489][ T6837]  dump_stack+0x18f/0x20d
[ 88.373825][ T6837]  ? hci_inquiry_result_with_rssi_evt+0x230/0x6b0
[ 88.380239][ T6837]  ? hci_inquiry_result_with_rssi_evt+0x230/0x6b0
[ 88.386654][ T6837]  print_address_description.constprop.0.cold+0xae/0x497
[ 88.393684][ T6837]  ? lockdep_hardirqs_off+0x66/0xa0
[ 88.398877][ T6837]  ? vprintk_func+0x97/0x1a6
[ 88.403464][ T6837]  ? hci_inquiry_result_with_rssi_evt+0x230/0x6b0
[ 88.409872][ T6837]  ? hci_inquiry_result_with_rssi_evt+0x230/0x6b0
[ 88.416275][ T6837]  kasan_report.cold+0x1f/0x37
[ 88.421036][ T6837]  ? hci_inquiry_result_with_rssi_evt+0x230/0x6b0
[ 88.427447][ T6837]  check_memory_region+0x13d/0x180
[ 88.432566][ T6837]  memcpy+0x20/0x60
[ 88.436374][ T6837]  hci_inquiry_result_with_rssi_evt+0x230/0x6b0
[ 88.442609][ T6837]  ? process_adv_report+0xef0/0xef0
[ 88.447809][ T6837]  hci_event_packet+0x1e8c/0x86fd
[ 88.452830][ T6837]  ? lockdep_hardirqs_on_prepare+0x590/0x590
[ 88.458808][ T6837]  ? hci_cmd_complete_evt+0xc6d0/0xc6d0
[ 88.464352][ T6837]  ? lock_acquire+0x1f1/0xad0
[ 88.469025][ T6837]  ? skb_dequeue+0x1c/0x180
[ 88.473523][ T6837]  ? find_held_lock+0x2d/0x110
[ 88.478291][ T6837]  ? mark_lock+0xbc/0x1710
[ 88.482711][ T6837]  ? mark_held_locks+0x9f/0xe0
[ 88.487473][ T6837]  ? _raw_spin_unlock_irqrestore+0x62/0xe0
[ 88.493275][ T6837]  ? lockdep_hardirqs_on_prepare+0x3a2/0x590
[ 88.499247][ T6837]  ? trace_hardirqs_on+0x5f/0x220
[ 88.504267][ T6837]  ? lockdep_hardirqs_on+0x6a/0xe0
[ 88.509399][ T6837]  hci_rx_work+0x22e/0xb50
[ 88.513824][ T6837]  process_one_work+0x94c/0x1670
[ 88.518788][ T6837]  ? pwq_dec_nr_in_flight+0x2d0/0x2d0
[ 88.524160][ T6837]  ? rwlock_bug.part.0+0x90/0x90
[ 88.529101][ T6837]  worker_thread+0x64c/0x1120
[ 88.533785][ T6837]  ? process_one_work+0x1670/0x1670
[ 88.538997][ T6837]  kthread+0x3b5/0x4a0
[ 88.543073][ T6837]  ? __kthread_bind_mask+0xc0/0xc0
[ 88.548179][ T6837]  ? __kthread_bind_mask+0xc0/0xc0
[ 88.553285][ T6837]  ret_from_fork+0x1f/0x30
[ 88.557710][ T6837]
[ 88.560025][ T6837] Allocated by task 6833:
[ 88.564346][ T6837]  kasan_save_stack+0x1b/0x40
[ 88.569012][ T6837]  __kasan_kmalloc.constprop.0+0xbf/0xd0
[ 88.574634][ T6837]  __alloc_skb+0xae/0x550
[ 88.578971][ T6837]  vhci_write+0xbd/0x450
[ 88.583207][ T6837]  new_sync_write+0x422/0x650
[ 88.587871][ T6837]  vfs_write+0x59d/0x6b0
[ 88.592105][ T6837]  ksys_write+0x12d/0x250
[ 88.596424][ T6837]  do_syscall_64+0x60/0xe0
[ 88.600833][ T6837]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 88.606710][ T6837]
[ 88.609034][ T6837] The buggy address belongs to the object at ffff8880a84df000
[ 88.609034][ T6837]  which belongs to the cache kmalloc-512 of size 512
[ 88.623076][ T6837] The buggy address is located 507 bytes inside of
[ 88.623076][ T6837]  512-byte region [ffff8880a84df000, ffff8880a84df200)
[ 88.636330][ T6837] The buggy address belongs to the page:
[ 88.641959][ T6837] page:0000000017ed0181 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0xa84df
[ 88.652097][ T6837] flags: 0xfffe0000000200(slab)
[ 88.656945][ T6837] raw: 00fffe0000000200 ffffea00028c7988 ffffea00028eec88 ffff8880aa000600
[ 88.665522][ T6837] raw: 0000000000000000 ffff8880a84df000 0000000100000004 0000000000000000
[ 88.674090][ T6837] page dumped because: kasan: bad access detected
[ 88.680487][ T6837]
[ 88.682803][ T6837] Memory state around the buggy address:
[ 88.688424][ T6837]  ffff8880a84df100: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 88.696482][ T6837]  ffff8880a84df180: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 88.704535][ T6837] >ffff8880a84df200: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 88.712583][ T6837]                    ^
[ 88.716656][ T6837]  ffff8880a84df280: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 88.724708][ T6837]  ffff8880a84df300: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 88.732752][ T6837] ==================================================================
[ 88.740883][ T6837] Disabling lock debugging due to kernel taint
[ 88.751791][ T6837] Kernel panic - not syncing: panic_on_warn set ...
[ 88.758386][ T6837] CPU: 1 PID: 6837 Comm: kworker/u5:1 Tainted: G    B             5.8.0-rc4-next-20200710-syzkaller #0
[ 88.769391][ T6837] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 88.779448][ T6837] Workqueue: hci0 hci_rx_work
[ 88.784114][ T6837] Call Trace:
[ 88.787399][ T6837]  dump_stack+0x18f/0x20d
[ 88.791741][ T6837]  ? hci_inquiry_result_with_rssi_evt+0x180/0x6b0
[ 88.798155][ T6837]  panic+0x2e3/0x75c
[ 88.802040][ T6837]  ? __warn_printk+0xf3/0xf3
[ 88.806730][ T6837]  ? preempt_schedule_common+0x59/0xc0
[ 88.812176][ T6837]  ? hci_inquiry_result_with_rssi_evt+0x230/0x6b0
[ 88.818579][ T6837]  ? preempt_schedule_thunk+0x16/0x18
[ 88.823959][ T6837]  ? trace_hardirqs_on+0x55/0x220
[ 88.828978][ T6837]  ? hci_inquiry_result_with_rssi_evt+0x230/0x6b0
[ 88.835380][ T6837]  ? hci_inquiry_result_with_rssi_evt+0x230/0x6b0
[ 88.841782][ T6837]  end_report+0x4d/0x53
[ 88.845928][ T6837]  kasan_report.cold+0xd/0x37
[ 88.850599][ T6837]  ? hci_inquiry_result_with_rssi_evt+0x230/0x6b0
[ 88.857001][ T6837]  check_memory_region+0x13d/0x180
[ 88.862097][ T6837]  memcpy+0x20/0x60
[ 88.865899][ T6837]  hci_inquiry_result_with_rssi_evt+0x230/0x6b0
[ 88.872562][ T6837]  ? process_adv_report+0xef0/0xef0
[ 88.877751][ T6837]  hci_event_packet+0x1e8c/0x86fd
[ 88.882766][ T6837]  ? lockdep_hardirqs_on_prepare+0x590/0x590
[ 88.888736][ T6837]  ? hci_cmd_complete_evt+0xc6d0/0xc6d0
[ 88.894267][ T6837]  ? lock_acquire+0x1f1/0xad0
[ 88.898933][ T6837]  ? skb_dequeue+0x1c/0x180
[ 88.903425][ T6837]  ? find_held_lock+0x2d/0x110
[ 88.908188][ T6837]  ? mark_lock+0xbc/0x1710
[ 88.912608][ T6837]  ? mark_held_locks+0x9f/0xe0
[ 88.917364][ T6837]  ? _raw_spin_unlock_irqrestore+0x62/0xe0
[ 88.923170][ T6837]  ? lockdep_hardirqs_on_prepare+0x3a2/0x590
[ 88.929136][ T6837]  ? trace_hardirqs_on+0x5f/0x220
[ 88.934154][ T6837]  ? lockdep_hardirqs_on+0x6a/0xe0
[ 88.939255][ T6837]  hci_rx_work+0x22e/0xb50
[ 88.943665][ T6837]  process_one_work+0x94c/0x1670
[ 88.948597][ T6837]  ? pwq_dec_nr_in_flight+0x2d0/0x2d0
[ 88.953973][ T6837]  ? rwlock_bug.part.0+0x90/0x90
[ 88.958905][ T6837]  worker_thread+0x64c/0x1120
[ 88.963579][ T6837]  ? process_one_work+0x1670/0x1670
[ 88.968781][ T6837]  kthread+0x3b5/0x4a0
[ 88.972851][ T6837]  ? __kthread_bind_mask+0xc0/0xc0
[ 88.977964][ T6837]  ? __kthread_bind_mask+0xc0/0xc0
[ 88.983068][ T6837]  ret_from_fork+0x1f/0x30
[ 88.988472][ T6837] Kernel Offset: disabled
[ 88.992816][ T6837] Rebooting in 86400 seconds..
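Reading the report: the faulting access is a 6-byte memcpy inside hci_inquiry_result_with_rssi_evt that starts 507 bytes into a 512-byte kmalloc-512 object, so it runs one byte past the end (507 + 6 = 513; the shadow row marked ">" is the first byte after the region). The object is an skb allocated in vhci_write, that is, an HCI event packet written by the fuzzer (task 6833) through the virtual HCI device and parsed later on the hci0 receive workqueue (task 6837). Six bytes is the size of a Bluetooth device address, which is consistent with the event parser copying an address out of a record that the packet did not fully contain. The C model below is an added illustration by the editor, not kernel code and not from syzkaller: it shows the check such a parser must make, that the record count announced by the first payload byte is validated against the bytes actually present before any field of any record is copied. The record layouts, their 14/15-byte sizes, the function names and the event bytes are this example's own assumptions and constructed data.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Added example, not kernel code. Models an "Inquiry Result with RSSI"
 * event payload as the host sees it: one byte num_rsp followed by num_rsp
 * fixed-size records. Two record layouts are modelled; names and sizes
 * are this example's assumptions, chosen to illustrate the bounds check. */
#define BDADDR_LEN 6

struct inq_rssi {            /* 14 bytes, all byte fields so no padding */
    uint8_t bdaddr[BDADDR_LEN];
    uint8_t pscan_rep_mode;
    uint8_t pscan_period_mode;
    uint8_t dev_class[3];
    uint8_t clock_offset[2];
    int8_t  rssi;
};

struct inq_rssi_pscan {      /* 15 bytes: one extra page-scan-mode byte */
    uint8_t bdaddr[BDADDR_LEN];
    uint8_t pscan_rep_mode;
    uint8_t pscan_period_mode;
    uint8_t pscan_mode;
    uint8_t dev_class[3];
    uint8_t clock_offset[2];
    int8_t  rssi;
};

/* Decide which layout the num_rsp records use and verify that they all
 * fit inside len bytes. Returns the record size (14 or 15), or 0 when the
 * count claimed by data[0] cannot be satisfied by the payload. A loop
 * driven only by num_rsp, without this check, is exactly what lets a
 * 6-byte address copy run past the end of the buffer. */
size_t inquiry_record_size(const uint8_t *data, size_t len)
{
    if (len < 1 || data[0] == 0)
        return 0;
    size_t num_rsp = data[0];
    size_t body = len - 1;
    /* Format guess (assumption): a body of 14 bytes per record is the
     * plain layout, anything else is treated as the page-scan variant. */
    size_t rec = (body / num_rsp == sizeof(struct inq_rssi))
                 ? sizeof(struct inq_rssi) : sizeof(struct inq_rssi_pscan);
    /* The check that must precede any per-record copy, in both layouts. */
    if (body < num_rsp * rec)
        return 0;
    return rec;
}

/* Copy every device address out of the event. Returns the number of
 * addresses copied, or -1 if the event is malformed or out[] is too
 * small; never reads beyond data[len - 1]. */
int inquiry_extract_bdaddrs(const uint8_t *data, size_t len,
                            uint8_t out[][BDADDR_LEN], size_t max_out)
{
    size_t rec = inquiry_record_size(data, len);
    if (rec == 0)
        return -1;
    size_t n = data[0];
    if (n > max_out)
        return -1;
    for (size_t i = 0; i < n; i++)            /* bdaddr is the first field */
        memcpy(out[i], data + 1 + i * rec, BDADDR_LEN);
    return (int)n;
}

/* Constructed sample: two complete 14-byte records (29 bytes in total). */
static const uint8_t good_event[] = {
    2,
    0x11,0x22,0x33,0x44,0x55,0x66, 1,0, 0x04,0x01,0x00, 0x34,0x12, 0xc4,
    0xaa,0xbb,0xcc,0xdd,0xee,0xff, 1,0, 0x0c,0x02,0x00, 0x78,0x56, 0xba,
};

/* Constructed sample: claims two records but carries only 20 bytes, so a
 * loop trusting num_rsp would copy a second 6-byte address that the
 * buffer does not contain, the same shape as the KASAN report above. */
static const uint8_t short_event[] = {
    2,
    0x11,0x22,0x33,0x44,0x55,0x66, 1,0, 0x04,0x01,0x00, 0x34,0x12, 0xc4,
    0xaa,0xbb,0xcc,0xdd,0xee,
};

int demo_good_count(void)
{
    uint8_t a[4][BDADDR_LEN];
    return inquiry_extract_bdaddrs(good_event, sizeof good_event, a, 4);
}

int demo_good_second_addr_first_byte(void)
{
    uint8_t a[4][BDADDR_LEN];
    if (inquiry_extract_bdaddrs(good_event, sizeof good_event, a, 4) != 2)
        return -1;
    return a[1][0];
}

int demo_short_count(void)
{
    uint8_t a[4][BDADDR_LEN];
    return inquiry_extract_bdaddrs(short_event, sizeof short_event, a, 4);
}

int main(void)
{
    printf("good event: %d addresses\n", demo_good_count());
    printf("short event: %d (rejected)\n", demo_short_count());
    return 0;
}
```

The point generalises beyond this one event handler: any parser that derives a loop count from the packet itself has to bound that count by the bytes it actually received, in every layout branch, before touching record fields. The length-derived format guess is fine for choosing a record size; it is not a substitute for the size check.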