[ OK ] Reached target Login Prompts.
[ OK ] Reached target Multi-User System.
[ OK ] Reached target Graphical Interface.
Starting Update UTMP about System Runlevel Changes...
[ OK ] Started Update UTMP about System Runlevel Changes.
Starting Load/Save RF Kill Switch Status...
[ OK ] Started Load/Save RF Kill Switch Status.

Debian GNU/Linux 9 syzkaller ttyS0

Warning: Permanently added '10.128.0.230' (ECDSA) to the list of known hosts.

syzkaller login: [ 32.057069] audit: type=1400 audit(1596368109.832:8): avc: denied { execmem } for pid=6354 comm="syz-executor705" scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=process permissive=1
[ 32.338085] IPVS: ftp: loaded support on port[0] = 21
executing program
[ 34.169005] ==================================================================
[ 34.176448] BUG: KASAN: slab-out-of-bounds in hci_extended_inquiry_result_evt.isra.0+0x17b/0x4f0
[ 34.185357] Read of size 6 at addr ffff888091817248 by task kworker/u5:0/1202
[ 34.192602]
[ 34.194212] CPU: 0 PID: 1202 Comm: kworker/u5:0 Not tainted 4.14.191-syzkaller #0
[ 34.201807] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 34.211142] Workqueue: hci0 hci_rx_work
[ 34.215090] Call Trace:
[ 34.217656]  dump_stack+0x1b2/0x283
[ 34.221264]  print_address_description.cold+0x54/0x1d3
[ 34.226526]  kasan_report_error.cold+0x8a/0x194
[ 34.231176]  ? hci_extended_inquiry_result_evt.isra.0+0x17b/0x4f0
[ 34.237382]  kasan_report+0x6f/0x7b
[ 34.240986]  ? hci_extended_inquiry_result_evt.isra.0+0x17b/0x4f0
[ 34.247201]  memcpy+0x20/0x50
[ 34.250287]  hci_extended_inquiry_result_evt.isra.0+0x17b/0x4f0
[ 34.256325]  ? hci_key_refresh_complete_evt.isra.0+0xe30/0xe30
[ 34.262281]  ? kfree_skbmem+0x98/0x100
[ 34.266148]  hci_event_packet+0xcfb/0x7c7a
[ 34.270360]  ? trace_hardirqs_on+0x10/0x10
[ 34.274573]  ? hci_cmd_complete_evt+0x9590/0x9590
[ 34.279399]  ? trace_hardirqs_on+0x10/0x10
[ 34.283612]  ? debug_object_deactivate+0x1da/0x2e0
[ 34.288519]  ? skb_dequeue+0x120/0x170
[ 34.292386]  ? mark_held_locks+0xa6/0xf0
[ 34.296423]  ? _raw_spin_unlock_irqrestore+0x79/0xe0
[ 34.301511]  ? trace_hardirqs_on_caller+0x3a8/0x580
[ 34.306501]  ? _raw_spin_unlock_irqrestore+0x66/0xe0
[ 34.311602]  hci_rx_work+0x3e6/0x970
[ 34.315291]  ? rcu_lockdep_current_cpu_online+0xed/0x140
[ 34.320718]  process_one_work+0x793/0x14a0
[ 34.324933]  ? work_busy+0x320/0x320
[ 34.328634]  ? worker_thread+0x158/0xff0
[ 34.332677]  ? _raw_spin_unlock_irq+0x24/0x80
[ 34.337152]  worker_thread+0x5cc/0xff0
[ 34.341026]  ? rescuer_thread+0xc80/0xc80
[ 34.345153]  kthread+0x30d/0x420
[ 34.348498]  ? kthread_create_on_node+0xd0/0xd0
[ 34.353147]  ret_from_fork+0x24/0x30
[ 34.356842]
[ 34.358448] Allocated by task 6355:
[ 34.362054]  kasan_kmalloc+0xeb/0x160
[ 34.365830]  __kmalloc_node_track_caller+0x4c/0x70
[ 34.370736]  __alloc_skb+0x96/0x510
[ 34.374339]  vhci_write+0xb1/0x420
[ 34.377855]  __vfs_write+0x44c/0x630
[ 34.381540]  vfs_write+0x17f/0x4d0
[ 34.385053]  SyS_write+0xf2/0x210
[ 34.388481]  do_syscall_64+0x1d5/0x640
[ 34.392345]  entry_SYSCALL_64_after_hwframe+0x46/0xbb
[ 34.397507]
[ 34.399109] Freed by task 4429:
[ 34.402365]  kasan_slab_free+0xc3/0x1a0
[ 34.406316]  kfree+0xc9/0x250
[ 34.409395]  kernfs_fop_release+0x10e/0x180
[ 34.413693]  __fput+0x25f/0x7a0
[ 34.416952]  task_work_run+0x11f/0x190
[ 34.420817]  exit_to_usermode_loop+0x1ad/0x200
[ 34.425387]  do_syscall_64+0x4a3/0x640
[ 34.429256]  entry_SYSCALL_64_after_hwframe+0x46/0xbb
[ 34.434417]
[ 34.436026] The buggy address belongs to the object at ffff888091817040
[ 34.436026]  which belongs to the cache kmalloc-512 of size 512
[ 34.448661] The buggy address is located 8 bytes to the right of
[ 34.448661]  512-byte region [ffff888091817040, ffff888091817240)
[ 34.460858] The buggy address belongs to the page:
[ 34.465767] page:ffffea00024605c0 count:1 mapcount:0 mapping:ffff888091817040 index:0x0
[ 34.473887] flags: 0xfffe0000000100(slab)
[ 34.478010] raw: 00fffe0000000100 ffff888091817040 0000000000000000 0000000100000006
[ 34.485866] raw: ffffea000248eae0 ffffea0002673060 ffff88812fe52940 0000000000000000
[ 34.493718] page dumped because: kasan: bad access detected
[ 34.499398]
[ 34.501001] Memory state around the buggy address:
[ 34.506012]  ffff888091817100: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 34.513344]  ffff888091817180: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 34.520677] >ffff888091817200: 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc
[ 34.528019]                                               ^
[ 34.533702]  ffff888091817280: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
[ 34.541035]  ffff888091817300: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 34.548372] ==================================================================
[ 34.555703] Disabling lock debugging due to kernel taint
[ 34.575378] Kernel panic - not syncing: panic_on_warn set ...
[ 34.575378]
[ 34.582766] CPU: 0 PID: 1202 Comm: kworker/u5:0 Tainted: G B 4.14.191-syzkaller #0
[ 34.591591] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 34.600943] Workqueue: hci0 hci_rx_work
[ 34.604904] Call Trace:
[ 34.607478]  dump_stack+0x1b2/0x283
[ 34.611078]  panic+0x1f9/0x42d
[ 34.614327]  ? add_taint.cold+0x16/0x16
[ 34.618272]  ? ___preempt_schedule+0x16/0x18
[ 34.622653]  kasan_end_report+0x43/0x49
[ 34.626597]  kasan_report_error.cold+0xa7/0x194
[ 34.631236]  ? hci_extended_inquiry_result_evt.isra.0+0x17b/0x4f0
[ 34.637436]  kasan_report+0x6f/0x7b
[ 34.641038]  ? hci_extended_inquiry_result_evt.isra.0+0x17b/0x4f0
[ 34.647238]  memcpy+0x20/0x50
[ 34.650316]  hci_extended_inquiry_result_evt.isra.0+0x17b/0x4f0
[ 34.656347]  ? hci_key_refresh_complete_evt.isra.0+0xe30/0xe30
[ 34.662291]  ? kfree_skbmem+0x98/0x100
[ 34.666150]  hci_event_packet+0xcfb/0x7c7a
[ 34.670359]  ? trace_hardirqs_on+0x10/0x10
[ 34.674565]  ? hci_cmd_complete_evt+0x9590/0x9590
[ 34.679378]  ? trace_hardirqs_on+0x10/0x10
[ 34.683584]  ? debug_object_deactivate+0x1da/0x2e0
[ 34.688482]  ? skb_dequeue+0x120/0x170
[ 34.692338]  ? mark_held_locks+0xa6/0xf0
[ 34.696370]  ? _raw_spin_unlock_irqrestore+0x79/0xe0
[ 34.701444]  ? trace_hardirqs_on_caller+0x3a8/0x580
[ 34.706452]  ? _raw_spin_unlock_irqrestore+0x66/0xe0
[ 34.711536]  hci_rx_work+0x3e6/0x970
[ 34.715222]  ? rcu_lockdep_current_cpu_online+0xed/0x140
[ 34.720644]  process_one_work+0x793/0x14a0
[ 34.724851]  ? work_busy+0x320/0x320
[ 34.728534]  ? worker_thread+0x158/0xff0
[ 34.732565]  ? _raw_spin_unlock_irq+0x24/0x80
[ 34.737030]  worker_thread+0x5cc/0xff0
[ 34.740902]  ? rescuer_thread+0xc80/0xc80
[ 34.745020]  kthread+0x30d/0x420
[ 34.748357]  ? kthread_create_on_node+0xd0/0xd0
[ 34.752994]  ret_from_fork+0x24/0x30
[ 34.757803] Kernel Offset: disabled
[ 34.761429] Rebooting in 86400 seconds..