[  OK  ] Reached target Login Prompts.
[  OK  ] Reached target Multi-User System.
[  OK  ] Reached target Graphical Interface.
         Starting Update UTMP about System Runlevel Changes...
[  OK  ] Started Update UTMP about System Runlevel Changes.

Debian GNU/Linux 9 syzkaller ttyS0

Warning: Permanently added '10.128.0.224' (ECDSA) to the list of known hosts.
executing program
executing program
syzkaller login: [   78.909719][   T27] audit: type=1400 audit(1593867997.130:8): avc:  denied  { execmem } for  pid=6829 comm="syz-executor155" scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=process permissive=1
[   78.975325][ T1520] ==================================================================
[   78.983517][ T1520] BUG: KASAN: slab-out-of-bounds in hci_extended_inquiry_result_evt.isra.0+0x1be/0x5e0
[   78.993139][ T1520] Read of size 6 at addr ffff8880a9055c04 by task kworker/u5:0/1520
[   79.001101][ T1520] 
[   79.003437][ T1520] CPU: 0 PID: 1520 Comm: kworker/u5:0 Not tainted 5.8.0-rc3-syzkaller #0
[   79.011838][ T1520] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   79.021897][ T1520] Workqueue: hci0 hci_rx_work
[   79.026567][ T1520] Call Trace:
[   79.029855][ T1520]  dump_stack+0x18f/0x20d
[   79.034190][ T1520]  ? hci_extended_inquiry_result_evt.isra.0+0x1be/0x5e0
[   79.041130][ T1520]  ? hci_extended_inquiry_result_evt.isra.0+0x1be/0x5e0
[   79.048061][ T1520]  print_address_description.constprop.0.cold+0xae/0x436
[   79.055089][ T1520]  ? lockdep_hardirqs_off+0x66/0xa0
[   79.060287][ T1520]  ? vprintk_func+0x97/0x1a6
[   79.064884][ T1520]  ? hci_extended_inquiry_result_evt.isra.0+0x1be/0x5e0
[   79.071816][ T1520]  kasan_report.cold+0x1f/0x37
[   79.076584][ T1520]  ? hci_extended_inquiry_result_evt.isra.0+0x1be/0x5e0
[   79.083536][ T1520]  check_memory_region+0x13d/0x180
[   79.088652][ T1520]  memcpy+0x20/0x60
[   79.092464][ T1520]  hci_extended_inquiry_result_evt.isra.0+0x1be/0x5e0
[   79.099240][ T1520]  ? clear_pending_adv_report+0xf0/0xf0
[   79.104797][ T1520]  hci_event_packet+0x2828/0x86f5
[   79.109830][ T1520]  ? lockdep_hardirqs_on_prepare+0x590/0x590
[   79.115820][ T1520]  ? hci_cmd_complete_evt+0xc6e0/0xc6e0
[   79.121372][ T1520]  ? lock_acquire+0x1f1/0xad0
[   79.126051][ T1520]  ? skb_dequeue+0x1c/0x180
[   79.130544][ T1520]  ? find_held_lock+0x2d/0x110
[   79.135309][ T1520]  ? mark_lock+0xbc/0x1710
[   79.139703][ T1520]  ? mark_held_locks+0x9f/0xe0
[   79.144441][ T1520]  ? _raw_spin_unlock_irqrestore+0x62/0xe0
[   79.150242][ T1520]  ? lockdep_hardirqs_on_prepare+0x3a2/0x590
[   79.156214][ T1520]  ? trace_hardirqs_on+0x5f/0x220
[   79.161216][ T1520]  ? lockdep_hardirqs_on+0x6a/0xe0
[   79.166305][ T1520]  hci_rx_work+0x22e/0xb10
[   79.170703][ T1520]  process_one_work+0x94c/0x1670
[   79.175620][ T1520]  ? pwq_dec_nr_in_flight+0x2d0/0x2d0
[   79.180967][ T1520]  ? rwlock_bug.part.0+0x90/0x90
[   79.185879][ T1520]  worker_thread+0x64c/0x1120
[   79.190535][ T1520]  ? process_one_work+0x1670/0x1670
[   79.195719][ T1520]  kthread+0x3b5/0x4a0
[   79.199772][ T1520]  ? __kthread_bind_mask+0xc0/0xc0
[   79.204863][ T1520]  ? __kthread_bind_mask+0xc0/0xc0
[   79.209954][ T1520]  ret_from_fork+0x1f/0x30
[   79.214348][ T1520] 
[   79.216650][ T1520] Allocated by task 6837:
[   79.220965][ T1520]  save_stack+0x1b/0x40
[   79.225102][ T1520]  __kasan_kmalloc.constprop.0+0xc2/0xd0
[   79.230716][ T1520]  __alloc_skb+0xae/0x550
[   79.235029][ T1520]  vhci_write+0xbd/0x450
[   79.239248][ T1520]  new_sync_write+0x422/0x650
[   79.243896][ T1520]  __vfs_write+0xc9/0x100
[   79.248211][ T1520]  vfs_write+0x268/0x5d0
[   79.252424][ T1520]  ksys_write+0x12d/0x250
[   79.256724][ T1520]  do_syscall_64+0x60/0xe0
[   79.261119][ T1520]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[   79.266993][ T1520] 
[   79.269380][ T1520] Freed by task 0:
[   79.273067][ T1520] (stack is not available)
[   79.277450][ T1520] 
[   79.279752][ T1520] The buggy address belongs to the object at ffff8880a9055800
[   79.279752][ T1520]  which belongs to the cache kmalloc-1k of size 1024
[   79.293773][ T1520] The buggy address is located 4 bytes to the right of
[   79.293773][ T1520]  1024-byte region [ffff8880a9055800, ffff8880a9055c00)
[   79.307457][ T1520] The buggy address belongs to the page:
[   79.313062][ T1520] page:ffffea0002a41540 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0
[   79.322137][ T1520] flags: 0xfffe0000000200(slab)
[   79.326972][ T1520] raw: 00fffe0000000200 ffffea0002511a48 ffffea0002794b08 ffff8880aa000c40
[   79.335529][ T1520] raw: 0000000000000000 ffff8880a9055000 0000000100000002 0000000000000000
[   79.344084][ T1520] page dumped because: kasan: bad access detected
[   79.350466][ T1520] 
[   79.352765][ T1520] Memory state around the buggy address:
[   79.358389][ T1520]  ffff8880a9055b00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   79.366425][ T1520]  ffff8880a9055b80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   79.374496][ T1520] >ffff8880a9055c00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   79.382529][ T1520]                    ^
[   79.386580][ T1520]  ffff8880a9055c80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   79.394623][ T1520]  ffff8880a9055d00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   79.402651][ T1520] ==================================================================
[   79.410692][ T1520] Disabling lock debugging due to kernel taint
[   79.418219][ T1520] Kernel panic - not syncing: panic_on_warn set ...
[   79.424809][ T1520] CPU: 0 PID: 1520 Comm: kworker/u5:0 Tainted: G    B             5.8.0-rc3-syzkaller #0
[   79.434594][ T1520] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   79.444658][ T1520] Workqueue: hci0 hci_rx_work
[   79.449337][ T1520] Call Trace:
[   79.452626][ T1520]  dump_stack+0x18f/0x20d
[   79.456972][ T1520]  ? hci_extended_inquiry_result_evt.isra.0+0x130/0x5e0
[   79.463911][ T1520]  panic+0x2e3/0x75c
[   79.467797][ T1520]  ? __warn_printk+0xf3/0xf3
[   79.472368][ T1520]  ? preempt_schedule_common+0x59/0xc0
[   79.477802][ T1520]  ? hci_extended_inquiry_result_evt.isra.0+0x1be/0x5e0
[   79.484712][ T1520]  ? preempt_schedule_thunk+0x16/0x18
[   79.490106][ T1520]  ? trace_hardirqs_on+0x55/0x220
[   79.495147][ T1520]  ? hci_extended_inquiry_result_evt.isra.0+0x1be/0x5e0
[   79.502069][ T1520]  ? hci_extended_inquiry_result_evt.isra.0+0x1be/0x5e0
[   79.509672][ T1520]  end_report+0x4d/0x53
[   79.513817][ T1520]  kasan_report.cold+0xd/0x37
[   79.518471][ T1520]  ? hci_extended_inquiry_result_evt.isra.0+0x1be/0x5e0
[   79.525392][ T1520]  check_memory_region+0x13d/0x180
[   79.530496][ T1520]  memcpy+0x20/0x60
[   79.534280][ T1520]  hci_extended_inquiry_result_evt.isra.0+0x1be/0x5e0
[   79.541028][ T1520]  ? clear_pending_adv_report+0xf0/0xf0
[   79.546548][ T1520]  hci_event_packet+0x2828/0x86f5
[   79.551549][ T1520]  ? lockdep_hardirqs_on_prepare+0x590/0x590
[   79.557502][ T1520]  ? hci_cmd_complete_evt+0xc6e0/0xc6e0
[   79.563030][ T1520]  ? lock_acquire+0x1f1/0xad0
[   79.567688][ T1520]  ? skb_dequeue+0x1c/0x180
[   79.572178][ T1520]  ? find_held_lock+0x2d/0x110
[   79.576946][ T1520]  ? mark_lock+0xbc/0x1710
[   79.581358][ T1520]  ? mark_held_locks+0x9f/0xe0
[   79.586109][ T1520]  ? _raw_spin_unlock_irqrestore+0x62/0xe0
[   79.591897][ T1520]  ? lockdep_hardirqs_on_prepare+0x3a2/0x590
[   79.597856][ T1520]  ? trace_hardirqs_on+0x5f/0x220
[   79.602863][ T1520]  ? lockdep_hardirqs_on+0x6a/0xe0
[   79.607965][ T1520]  hci_rx_work+0x22e/0xb10
[   79.612363][ T1520]  process_one_work+0x94c/0x1670
[   79.617314][ T1520]  ? pwq_dec_nr_in_flight+0x2d0/0x2d0
[   79.622681][ T1520]  ? rwlock_bug.part.0+0x90/0x90
[   79.627604][ T1520]  worker_thread+0x64c/0x1120
[   79.632259][ T1520]  ? process_one_work+0x1670/0x1670
[   79.637436][ T1520]  kthread+0x3b5/0x4a0
[   79.641514][ T1520]  ? __kthread_bind_mask+0xc0/0xc0
[   79.646628][ T1520]  ? __kthread_bind_mask+0xc0/0xc0
[   79.651783][ T1520]  ret_from_fork+0x1f/0x30
[   79.657175][ T1520] Kernel Offset: disabled
[   79.661485][ T1520] Rebooting in 86400 seconds..
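Reading the report: the faulting task is the hci0 receive worker (hci_rx_work -> hci_event_packet -> hci_extended_inquiry_result_evt), the access is a 6-byte memcpy that starts 4 bytes past the end of a 1024-byte kmalloc-1k object, and that object is skb data allocated in vhci_write, so the event bytes came straight from a write() to /dev/vhci. "Freed by task 0" with no stack means the object is still live: this is an out-of-bounds read, not a use-after-free. The handler takes the response count from the first byte of the event and walks that many 254-byte entries; nothing compares the count with the skb length, so a packet that claims more entries than it carries sends the loop past the allocation. The model below is an added example written for this page, not kernel code and not from the syzkaller or syzbot projects: it replays that walk over constructed packets and puts the length check that upstream added (as I recall it) beside it. The entry layout is the real struct extended_inquiry_info; the skb stand-in, the result codes and the function names (parse_eir_vulnerable, parse_eir_hardened, build_eir_payload, run_scenario, first_oob_offset) are assumptions of the example.

```c
/* Added example, not kernel code: a user-space model of the handler the
 * report implicates, hci_extended_inquiry_result_evt().  The entry layout
 * is the real one; the skb stand-in, result codes and sample packets are
 * constructed for this example. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* One inquiry response, packed like the kernel's struct
 * extended_inquiry_info: 6+1+1+3+2+1+240 = 254 bytes. */
struct extended_inquiry_info {
	uint8_t  bdaddr[6];
	uint8_t  pscan_rep_mode;
	uint8_t  pscan_period_mode;
	uint8_t  dev_class[3];
	uint16_t clock_offset;
	int8_t   rssi;
	uint8_t  data[240];
} __attribute__((packed));
_Static_assert(sizeof(struct extended_inquiry_info) == 254, "entry size");

#define EIR_SZ      sizeof(struct extended_inquiry_info)
#define MAX_PAYLOAD (1 + 255 * EIR_SZ)  /* count byte + every entry a u8 can claim */

/* Stand-in for the sk_buff after the HCI event header has been pulled:
 * only the first `len` bytes are the packet.  The array behind `data` is
 * always MAX_PAYLOAD bytes, so the model itself never reads past real
 * memory; it records where the kernel would have. */
struct skb_model {
	const uint8_t *data;
	size_t len;
};

enum { PARSE_OOB = -1, PARSE_DROPPED = -2 };

/* Pre-fix logic: num_rsp is the packet's own first byte and the loop
 * advances one 254-byte entry per iteration with no comparison against
 * skb->len.  The kernel's first touch of each entry is a 6-byte copy of
 * bdaddr, the "Read of size 6" in the report; here an entry that is not
 * inside the packet ends the walk and reports its offset. */
static int parse_eir_vulnerable(const struct skb_model *skb, size_t *oob_off)
{
	const struct extended_inquiry_info *info = (const void *)(skb->data + 1);
	int num_rsp = skb->data[0];
	int copied = 0;
	uint8_t bdaddr[6];

	for (; num_rsp; num_rsp--, info++) {
		size_t off = (size_t)((const uint8_t *)info - skb->data);
		if (off + EIR_SZ > skb->len) {        /* the read KASAN caught */
			if (oob_off)
				*oob_off = off;
			return PARSE_OOB;
		}
		memcpy(bdaddr, info->bdaddr, sizeof(bdaddr));
		copied++;
	}
	return copied;
}

/* The same loop behind the check the upstream fix added (as I recall it):
 * the packet must carry num_rsp whole entries after the count byte, or
 * the event is dropped. */
static int parse_eir_hardened(const struct skb_model *skb)
{
	int num_rsp;

	if (skb->len < 1)
		return PARSE_DROPPED;
	num_rsp = skb->data[0];
	if (!num_rsp)
		return 0;
	if (skb->len < 1 + (size_t)num_rsp * EIR_SZ)
		return PARSE_DROPPED;
	return parse_eir_vulnerable(skb, NULL);   /* every entry now fits */
}

/* Constructed packet: count byte `claimed`, then `present` real entries.
 * Anything that can write to /dev/vhci can make the two disagree. */
static size_t build_eir_payload(uint8_t *buf, uint8_t claimed, unsigned present)
{
	size_t len = 1;

	buf[0] = claimed;
	for (unsigned i = 0; i < present && i < 255; i++) {
		struct extended_inquiry_info e = {0};
		memcpy(e.bdaddr, "\x00\x11\x22\x33\x44", 5);
		e.bdaddr[5] = (uint8_t)i;
		e.rssi = -60;
		memcpy(buf + len, &e, EIR_SZ);
		len += EIR_SZ;
	}
	return len;
}

static struct skb_model make_skb(uint8_t claimed, unsigned present)
{
	static uint8_t backing[MAX_PAYLOAD];
	struct skb_model skb = { backing, build_eir_payload(backing, claimed, present) };
	return skb;
}

/* Entries parsed, or PARSE_OOB / PARSE_DROPPED. */
static int run_scenario(uint8_t claimed, unsigned present, bool hardened)
{
	struct skb_model skb = make_skb(claimed, present);
	return hardened ? parse_eir_hardened(&skb) : parse_eir_vulnerable(&skb, NULL);
}

/* Offset of the first entry the pre-fix loop reads past skb->len, or -1. */
static long first_oob_offset(uint8_t claimed, unsigned present)
{
	struct skb_model skb = make_skb(claimed, present);
	size_t off = 0;
	return parse_eir_vulnerable(&skb, &off) == PARSE_OOB ? (long)off : -1;
}

int main(void)
{
	printf("claims 2, carries 2:   vuln=%d hardened=%d\n",
	       run_scenario(2, 2, false), run_scenario(2, 2, true));
	printf("claims 3, carries 1:   vuln=%d hardened=%d, overrun entry at offset %ld\n",
	       run_scenario(3, 1, false), run_scenario(3, 1, true), first_oob_offset(3, 1));
	printf("claims 255, carries 0: vuln=%d hardened=%d\n",
	       run_scenario(255, 0, false), run_scenario(255, 0, true));
	return 0;
}
```

Build with `cc -Wall -o eir eir.c && ./eir`. The second scenario is the shape of the crash above: one real entry followed by a count that promises more, so the pre-fix loop's second iteration lands at offset 255, the first byte after the packet, and the kernel's bacpy() there is the out-of-bounds 6-byte read; the hardened path rejects the same packet before the loop starts.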