[  OK  ] Reached target Login Prompts.
[  OK  ] Reached target Multi-User System.
[  OK  ] Reached target Graphical Interface.
         Starting Update UTMP about System Runlevel Changes...
[  OK  ] Started Update UTMP about System Runlevel Changes.

Debian GNU/Linux 9 syzkaller ttyS0

Warning: Permanently added '10.128.0.50' (ECDSA) to the list of known hosts.

syzkaller login: [   46.238948][ T6869] IPVS: ftp: loaded support on port[0] = 21
executing program
[   47.379904][ T1532] ==================================================================
[   47.388477][ T1532] BUG: KASAN: slab-out-of-bounds in hci_event_packet+0x14ad/0x18240
[   47.396609][ T1532] Read of size 6 at addr ffff88809a6965fb by task kworker/u5:0/1532
[   47.404556][ T1532]
[   47.406868][ T1532] CPU: 1 PID: 1532 Comm: kworker/u5:0 Not tainted 5.8.0-rc7-syzkaller #0
[   47.415253][ T1532] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   47.425295][ T1532] Workqueue: hci0 hci_rx_work
[   47.430382][ T1532] Call Trace:
[   47.433654][ T1532]  dump_stack+0x1f0/0x31e
[   47.438851][ T1532]  print_address_description+0x66/0x5a0
[   47.444392][ T1532]  ? vprintk_emit+0x342/0x3c0
[   47.449280][ T1532]  ? printk+0x62/0x83
[   47.453263][ T1532]  ? rcu_read_lock_sched_held+0x2f/0xa0
[   47.462548][ T1532]  ? vprintk_emit+0x339/0x3c0
[   47.467224][ T1532]  kasan_report+0x132/0x1d0
[   47.471862][ T1532]  ? hci_event_packet+0x14ad/0x18240
[   47.477125][ T1532]  ? memcpy+0x3c/0x60
[   47.481242][ T1532]  check_memory_region+0x2b5/0x2f0
[   47.486332][ T1532]  ? hci_event_packet+0x14ad/0x18240
[   47.491698][ T1532]  memcpy+0x25/0x60
[   47.495684][ T1532]  hci_event_packet+0x14ad/0x18240
[   47.501474][ T1532]  ? trace_lock_release+0x137/0x1a0
[   47.509089][ T1532]  ? lockdep_hardirqs_on+0x38/0xe0
[   47.514181][ T1532]  hci_rx_work+0x236/0x9c0
[   47.518586][ T1532]  process_one_work+0x789/0xfc0
[   47.523444][ T1532]  worker_thread+0xaa4/0x1460
[   47.528118][ T1532]  kthread+0x37e/0x3a0
[   47.532182][ T1532]  ? rcu_lock_release+0x20/0x20
[   47.537022][ T1532]  ? kthread_blkcg+0xd0/0xd0
[   47.541693][ T1532]  ret_from_fork+0x1f/0x30
[   47.546211][ T1532]
[   47.548522][ T1532] Allocated by task 6869:
[   47.552931][ T1532]  __kasan_kmalloc+0x103/0x140
[   47.557688][ T1532]  __alloc_skb+0xde/0x4f0
[   47.561994][ T1532]  vhci_write+0xb7/0x400
[   47.566229][ T1532]  vfs_write+0xa08/0xc70
[   47.570448][ T1532]  ksys_write+0x11b/0x220
[   47.574772][ T1532]  do_syscall_64+0x73/0xe0
[   47.579166][ T1532]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[   47.585127][ T1532]
[   47.587451][ T1532] Freed by task 3957:
[   47.591433][ T1532]  __kasan_slab_free+0x114/0x170
[   47.596362][ T1532]  kfree+0x10a/0x220
[   47.600238][ T1532]  __kfree_skb+0x56/0x1c0
[   47.604545][ T1532]  skb_free_datagram+0x24/0xd0
[   47.609289][ T1532]  netlink_recvmsg+0x553/0xfe0
[   47.614070][ T1532]  ____sys_recvmsg+0x24a/0x510
[   47.618809][ T1532]  __sys_recvmsg+0x23b/0x7e0
[   47.623396][ T1532]  do_syscall_64+0x73/0xe0
[   47.627791][ T1532]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[   47.633827][ T1532]
[   47.636135][ T1532] The buggy address belongs to the object at ffff88809a696400
[   47.636135][ T1532]  which belongs to the cache kmalloc-512 of size 512
[   47.650512][ T1532] The buggy address is located 507 bytes inside of
[   47.650512][ T1532]  512-byte region [ffff88809a696400, ffff88809a696600)
[   47.663758][ T1532] The buggy address belongs to the page:
[   47.669381][ T1532] page:ffffea000269a580 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0
[   47.678578][ T1532] flags: 0xfffe0000000200(slab)
[   47.683408][ T1532] raw: 00fffe0000000200 ffffea00024dca08 ffffea000269a4c8 ffff8880aa400a80
[   47.691974][ T1532] raw: 0000000000000000 ffff88809a696000 0000000100000004 0000000000000000
[   47.700534][ T1532] page dumped because: kasan: bad access detected
[   47.706938][ T1532]
[   47.709252][ T1532] Memory state around the buggy address:
[   47.714863][ T1532]  ffff88809a696500: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   47.722925][ T1532]  ffff88809a696580: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   47.730964][ T1532] >ffff88809a696600: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   47.739013][ T1532]                    ^
[   47.743057][ T1532]  ffff88809a696680: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   47.751220][ T1532]  ffff88809a696700: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   47.759255][ T1532] ==================================================================
[   47.767290][ T1532] Disabling lock debugging due to kernel taint
[   47.774635][ T1532] Kernel panic - not syncing: panic_on_warn set ...
[   47.781237][ T1532] CPU: 1 PID: 1532 Comm: kworker/u5:0 Tainted: G    B             5.8.0-rc7-syzkaller #0
[   47.791287][ T1532] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   47.801555][ T1532] Workqueue: hci0 hci_rx_work
[   47.806234][ T1532] Call Trace:
[   47.809517][ T1532]  dump_stack+0x1f0/0x31e
[   47.813873][ T1532]  panic+0x264/0x7a0
[   47.817765][ T1532]  ? trace_hardirqs_on+0x30/0x80
[   47.822704][ T1532]  kasan_report+0x1c9/0x1d0
[   47.827208][ T1532]  ? hci_event_packet+0x14ad/0x18240
[   47.832487][ T1532]  ? memcpy+0x3c/0x60
[   47.836469][ T1532]  check_memory_region+0x2b5/0x2f0
[   47.841601][ T1532]  ? hci_event_packet+0x14ad/0x18240
[   47.846912][ T1532]  memcpy+0x25/0x60
[   47.850720][ T1532]  hci_event_packet+0x14ad/0x18240
[   47.855824][ T1532]  ? trace_lock_release+0x137/0x1a0
[   47.861150][ T1532]  ? lockdep_hardirqs_on+0x38/0xe0
[   47.866232][ T1532]  hci_rx_work+0x236/0x9c0
[   47.870738][ T1532]  process_one_work+0x789/0xfc0
[   47.875569][ T1532]  worker_thread+0xaa4/0x1460
[   47.880272][ T1532]  kthread+0x37e/0x3a0
[   47.884368][ T1532]  ? rcu_lock_release+0x20/0x20
[   47.889199][ T1532]  ? kthread_blkcg+0xd0/0xd0
[   47.893858][ T1532]  ret_from_fork+0x1f/0x30
[   47.899590][ T1532] Kernel Offset: disabled
[   47.904054][ T1532] Rebooting in 86400 seconds..
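Reading the report: the faulting memcpy() in hci_event_packet() copies 6 bytes starting 507 bytes into a 512-byte kmalloc-512 object (the skb data buffer allocated by vhci_write(), i.e. a packet a user process wrote into /dev/vhci), so the last byte lands at offset 512, one byte into the redzone that the shadow dump shows as fc at ffff88809a696600. The example below is added here and is not part of the syzkaller log, nor the kernel's hci_event_packet() or its fix (the page does not show the patched code): it models a handler that copies a fixed 6-byte field out of a received packet, once without any look at the remaining length (the shape of the faulting path) and once with the check that rejects a truncated packet, and drives the checked version with the report's own numbers. struct fake_skb, access_in_bounds(), handle_event_unchecked(), handle_event_checked() and run_case() are names made up for the example, not kernel APIs.

```c
/* Added example; not the kernel's hci_event_packet() and not the fix for the
 * report above. Models a 6-byte field copy out of a 512-byte packet buffer,
 * unchecked and checked, using the numbers from the KASAN report. */
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define OBJ_SIZE   512   /* "cache kmalloc-512 of size 512" in the report */
#define FIELD_LEN  6     /* "Read of size 6" in the report */

/* Stand-in for the two sk_buff members the example needs (hypothetical). */
struct fake_skb {
    uint8_t *data;   /* current parse position */
    size_t   len;    /* bytes not yet consumed */
};

/* The arithmetic KASAN did: does a copy of `size` bytes at `offset` stay
 * inside an object of `obj_size`? 507 + 6 = 513 > 512, so one byte past. */
int access_in_bounds(size_t offset, size_t size, size_t obj_size)
{
    return offset <= obj_size && size <= obj_size - offset;
}

/* Unchecked copy: a fixed-size memcpy() with no look at skb->len. With only
 * 5 bytes left it reads one byte past the buffer, which is what KASAN
 * flagged. Kept for contrast; never called on the short input here. */
void handle_event_unchecked(struct fake_skb *skb, uint8_t out[FIELD_LEN])
{
    memcpy(out, skb->data, FIELD_LEN);
    skb->data += FIELD_LEN;
    skb->len  -= FIELD_LEN;
}

/* Checked copy: refuse the event unless the packet still holds the whole
 * field. Returns 0 on success, -EINVAL for a truncated packet. */
int handle_event_checked(struct fake_skb *skb, uint8_t out[FIELD_LEN])
{
    if (skb->len < FIELD_LEN)
        return -EINVAL;
    memcpy(out, skb->data, FIELD_LEN);
    skb->data += FIELD_LEN;
    skb->len  -= FIELD_LEN;
    return 0;
}

/* Build a packet like the crashing one: a buffer of OBJ_SIZE bytes whose
 * parse position has already advanced `consumed` bytes, leaving a tail that
 * may be shorter than the field a handler wants to copy. */
int run_case(size_t consumed, uint8_t *backing, uint8_t out[FIELD_LEN])
{
    if (consumed > OBJ_SIZE)
        return -EINVAL;
    struct fake_skb skb = { .data = backing + consumed,
                            .len  = OBJ_SIZE - consumed };
    return handle_event_checked(&skb, out);
}

int main(void)
{
    static uint8_t backing[OBJ_SIZE];   /* constructed stand-in for the skb data */
    uint8_t out[FIELD_LEN];
    memset(backing, 0xAB, sizeof backing);

    printf("6 bytes at offset 507 of 512: %s\n",
           access_in_bounds(507, FIELD_LEN, OBJ_SIZE) ? "in bounds" : "out of bounds");
    printf("checked handler, 5 bytes left:  %d (expect -EINVAL)\n",
           run_case(507, backing, out));
    printf("checked handler, 6 bytes left:  %d (expect 0)\n",
           run_case(506, backing, out));

    /* The unchecked path is only safe where the tail is long enough. */
    struct fake_skb ok = { .data = backing + 506, .len = OBJ_SIZE - 506 };
    handle_event_unchecked(&ok, out);
    printf("unchecked handler consumed field, %zu bytes left\n", ok.len);
    return 0;
}
```

The point of run_case(507, ...) versus run_case(506, ...) is that a one-byte difference in how much of the packet an earlier handler consumed is the whole margin between a clean parse and the redzone hit in the report; a length check before every fixed-size copy is what makes that margin irrelevant.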