[ OK ] Started Getty on tty2.
[ OK ] Started Getty on tty1.
[ OK ] Started Serial Getty on ttyS0.
[ OK ] Reached target Login Prompts.
[ OK ] Reached target Multi-User System.
[ OK ] Reached target Graphical Interface.
Starting Update UTMP about System Runlevel Changes...
Starting Load/Save RF Kill Switch Status...
[ OK ] Started Update UTMP about System Runlevel Changes.
[ OK ] Started Load/Save RF Kill Switch Status.
Debian GNU/Linux 9 syzkaller ttyS0
Warning: Permanently added '10.128.1.114' (ECDSA) to the list of known hosts.
syzkaller login: [ 33.318492] IPVS: ftp: loaded support on port[0] = 21
executing program
[ 33.432261] Bluetooth: Unknown advertising packet type: 0xff00
[ 33.438722] Bluetooth: hci0: advertising data len corrected
[ 33.445539] ==================================================================
[ 33.453069] BUG: KASAN: slab-out-of-bounds in hci_le_meta_evt+0x383e/0x3f20
[ 33.460150] Read of size 1 at addr ffff8880a5ff1f04 by task kworker/u5:2/8096
[ 33.467400]
[ 33.469011] CPU: 1 PID: 8096 Comm: kworker/u5:2 Not tainted 4.19.211-syzkaller #0
[ 33.476608] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/22/2022
[ 33.485960] Workqueue: hci0 hci_rx_work
[ 33.489918] Call Trace:
[ 33.492491] dump_stack+0x1fc/0x2ef
[ 33.496102] print_address_description.cold+0x54/0x219
[ 33.501380] kasan_report_error.cold+0x8a/0x1b9
[ 33.506033] ? hci_le_meta_evt+0x383e/0x3f20
[ 33.510443] __asan_report_load1_noabort+0x88/0x90
[ 33.515440] ? hci_le_meta_evt+0x383e/0x3f20
[ 33.519840] hci_le_meta_evt+0x383e/0x3f20
[ 33.524065] ? __lock_acquire+0x6de/0x3ff0
[ 33.528283] ? hci_cmd_status_evt+0x6fc0/0x6fc0
[ 33.532932] ? __lock_acquire+0x6de/0x3ff0
[ 33.537152] ? __lock_acquire+0x6de/0x3ff0
[ 33.541375] hci_event_packet+0x34ad/0x7e20
[ 33.545702] ? mark_held_locks+0xf0/0xf0
[ 33.549745] ? __lock_acquire+0x6de/0x3ff0
[ 33.553968] ? hci_cmd_complete_evt+0xc280/0xc280
[ 33.558793] ? __update_load_avg_se+0x5ec/0xa00
[ 33.563444] ? debug_object_deactivate+0x1f9/0x2e0
[ 33.568362] ? mark_held_locks+0xa6/0xf0
[ 33.572414] ? _raw_spin_unlock_irqrestore+0x79/0xe0
[ 33.577500] ? lockdep_hardirqs_on+0x3a8/0x5c0
[ 33.582068] hci_rx_work+0x4ad/0xc70
[ 33.585768] process_one_work+0x864/0x1570
[ 33.589991] ? pwq_dec_nr_in_flight+0x2d0/0x2d0
[ 33.594646] worker_thread+0x64c/0x1130
[ 33.598604] ? __kthread_parkme+0x133/0x1e0
[ 33.602908] ? process_one_work+0x1570/0x1570
[ 33.607385] kthread+0x33f/0x460
[ 33.610734] ? kthread_park+0x180/0x180
[ 33.614688] ret_from_fork+0x24/0x30
[ 33.618389]
[ 33.619997] Allocated by task 8090:
[ 33.623605] __kmalloc_node_track_caller+0x4c/0x70
[ 33.628517] __alloc_skb+0xae/0x560
[ 33.632124] vhci_write+0xbd/0x450
[ 33.635643] __vfs_write+0x51b/0x770
[ 33.639332] vfs_write+0x1f3/0x540
[ 33.642848] ksys_write+0x12b/0x2a0
[ 33.646455] do_syscall_64+0xf9/0x620
[ 33.650237] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 33.655397]
[ 33.656999] Freed by task 6132:
[ 33.660254] kfree+0xcc/0x210
[ 33.663340] kernfs_fop_release+0x120/0x190
[ 33.667679] __fput+0x2ce/0x890
[ 33.670937] task_work_run+0x148/0x1c0
[ 33.674801] exit_to_usermode_loop+0x251/0x2a0
[ 33.679367] do_syscall_64+0x538/0x620
[ 33.683232] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 33.688395]
[ 33.690004] The buggy address belongs to the object at ffff8880a5ff1d00
[ 33.690004]  which belongs to the cache kmalloc-512 of size 512
[ 33.702635] The buggy address is located 4 bytes to the right of
[ 33.702635]  512-byte region [ffff8880a5ff1d00, ffff8880a5ff1f00)
[ 33.714830] The buggy address belongs to the page:
[ 33.719737] page:ffffea000297fc40 count:1 mapcount:0 mapping:ffff88813bff0940 index:0x0
[ 33.727864] flags: 0xfff00000000100(slab)
[ 33.732343] raw: 00fff00000000100 ffffea0002d17dc8 ffffea000297fc08 ffff88813bff0940
[ 33.740200] raw: 0000000000000000 ffff8880a5ff1080 0000000100000006 0000000000000000
[ 33.748052] page dumped because: kasan: bad access detected
[ 33.753734]
[ 33.755336] Memory state around the buggy address:
[ 33.760261]  ffff8880a5ff1e00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 33.767594]  ffff8880a5ff1e80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 33.774928] >ffff8880a5ff1f00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 33.782262]                    ^
[ 33.785606]  ffff8880a5ff1f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 33.792945]  ffff8880a5ff2000: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 33.800288] ==================================================================
[ 33.807621] Disabling lock debugging due to kernel taint
[ 33.822837] Kernel panic - not syncing: panic_on_warn set ...
[ 33.822837]
[ 33.830223] CPU: 0 PID: 8096 Comm: kworker/u5:2 Tainted: G    B     4.19.211-syzkaller #0
[ 33.839229] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/22/2022
[ 33.848578] Workqueue: hci0 hci_rx_work
[ 33.852525] Call Trace:
[ 33.855093] dump_stack+0x1fc/0x2ef
[ 33.858709] panic+0x26a/0x50e
[ 33.861880] ? __warn_printk+0xf3/0xf3
[ 33.865745] ? preempt_schedule_common+0x45/0xc0
[ 33.870481] ? ___preempt_schedule+0x16/0x18
[ 33.874867] ? trace_hardirqs_on+0x55/0x210
[ 33.879169] kasan_end_report+0x43/0x49
[ 33.883121] kasan_report_error.cold+0xa7/0x1b9
[ 33.887766] ? hci_le_meta_evt+0x383e/0x3f20
[ 33.892152] __asan_report_load1_noabort+0x88/0x90
[ 33.897061] ? hci_le_meta_evt+0x383e/0x3f20
[ 33.901448] hci_le_meta_evt+0x383e/0x3f20
[ 33.905660] ? __lock_acquire+0x6de/0x3ff0
[ 33.909871] ? hci_cmd_status_evt+0x6fc0/0x6fc0
[ 33.914516] ? __lock_acquire+0x6de/0x3ff0
[ 33.918733] ? __lock_acquire+0x6de/0x3ff0
[ 33.922946] hci_event_packet+0x34ad/0x7e20
[ 33.927243] ? mark_held_locks+0xf0/0xf0
[ 33.931282] ? __lock_acquire+0x6de/0x3ff0
[ 33.935495] ? hci_cmd_complete_evt+0xc280/0xc280
[ 33.940317] ? __update_load_avg_se+0x5ec/0xa00
[ 33.944964] ? debug_object_deactivate+0x1f9/0x2e0
[ 33.949872] ? mark_held_locks+0xa6/0xf0
[ 33.953911] ? _raw_spin_unlock_irqrestore+0x79/0xe0
[ 33.958989] ? lockdep_hardirqs_on+0x3a8/0x5c0
[ 33.963552] hci_rx_work+0x4ad/0xc70
[ 33.967244] process_one_work+0x864/0x1570
[ 33.971456] ? pwq_dec_nr_in_flight+0x2d0/0x2d0
[ 33.976104] worker_thread+0x64c/0x1130
[ 33.980058] ? __kthread_parkme+0x133/0x1e0
[ 33.984355] ? process_one_work+0x1570/0x1570
[ 33.988827] kthread+0x33f/0x460
[ 33.992169] ? kthread_park+0x180/0x180
[ 33.996240] ret_from_fork+0x24/0x30
[ 34.000117] Kernel Offset: disabled
[ 34.003737] Rebooting in 86400 seconds..