Warning: Permanently added '10.128.0.86' (ECDSA) to the list of known hosts.
executing program
executing program
executing program
syzkaller login: [   34.223660] audit: type=1400 audit(1593833304.769:8): avc:  denied  { execmem } for  pid=6333 comm="syz-executor884" scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=process permissive=1
[   34.283799] ==================================================================
[   34.291266] BUG: KASAN: slab-out-of-bounds in hci_event_packet+0x6c26/0x7324
[   34.298449] Read of size 6 at addr ffff88809eaa1184 by task kworker/u5:0/1190
[   34.305712] 
[   34.307337] CPU: 0 PID: 1190 Comm: kworker/u5:0 Not tainted 4.14.184-syzkaller #0
[   34.314948] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   34.324298] Workqueue: hci0 hci_rx_work
[   34.328258] Call Trace:
[   34.330850]  dump_stack+0x1b2/0x283
[   34.334467]  ? hci_event_packet+0x6c26/0x7324
[   34.338951]  print_address_description.cold+0x54/0x1dc
[   34.344218]  ? hci_event_packet+0x6c26/0x7324
[   34.348703]  kasan_report.cold+0xa9/0x2b9
[   34.352847]  hci_event_packet+0x6c26/0x7324
[   34.357167]  ? hci_phy_link_complete_evt.isra.0+0x6c0/0x6c0
[   34.362868]  ? lock_is_held_type+0x1f0/0x210
[   34.367265]  ? _raw_spin_unlock_irqrestore+0x79/0xe0
[   34.372354]  ? trace_hardirqs_on_caller+0x3a8/0x580
[   34.377362]  hci_rx_work+0x3da/0x950
[   34.381069]  process_one_work+0x7c0/0x14c0
[   34.385294]  ? pwq_dec_nr_in_flight+0x2b0/0x2b0
[   34.389953]  worker_thread+0x5d7/0x1080
[   34.393920]  ? process_one_work+0x14c0/0x14c0
[   34.398417]  kthread+0x30d/0x420
[   34.401771]  ? kthread_create_on_node+0xd0/0xd0
[   34.406431]  ret_from_fork+0x24/0x30
[   34.410133] 
[   34.411745] Allocated by task 6348:
[   34.415357]  kasan_kmalloc.part.0+0x4f/0xd0
[   34.419663]  __kmalloc_node_track_caller+0x4c/0x70
[   34.424578]  __kmalloc_reserve.isra.0+0x35/0xd0
[   34.429228]  __alloc_skb+0xca/0x4c0
[   34.432838]  vhci_write+0xb1/0x420
[   34.436362]  __vfs_write+0x44e/0x630
[   34.440060]  vfs_write+0x17f/0x4d0
[   34.443582]  SyS_write+0xf2/0x210
[   34.447019]  do_syscall_64+0x1d5/0x640
[   34.450890]  entry_SYSCALL_64_after_hwframe+0x46/0xbb
[   34.456060] 
[   34.457672] Freed by task 3639:
[   34.460949]  kasan_slab_free+0xaf/0x190
[   34.464917]  kfree+0xcb/0x260
[   34.468008]  skb_free_head+0x83/0xa0
[   34.471713]  skb_release_data+0x57e/0x7d0
[   34.475847]  skb_release_all+0x46/0x60
[   34.479715]  consume_skb+0xa7/0x330
[   34.483326]  skb_free_datagram+0x16/0xe0
[   34.487546]  netlink_recvmsg+0x5ef/0xda0
[   34.491591]  sock_recvmsg+0xc0/0x100
[   34.495287]  ___sys_recvmsg+0x21f/0x4d0
[   34.499257]  __sys_recvmsg+0xa0/0x120
[   34.503053]  SyS_recvmsg+0x27/0x40
[   34.506579]  do_syscall_64+0x1d5/0x640
[   34.510451]  entry_SYSCALL_64_after_hwframe+0x46/0xbb
[   34.515618] 
[   34.517229] The buggy address belongs to the object at ffff88809eaa0d80
[   34.517229]  which belongs to the cache kmalloc-1024 of size 1024
[   34.530058] The buggy address is located 4 bytes to the right of
[   34.530058]  1024-byte region [ffff88809eaa0d80, ffff88809eaa1180)
[   34.542363] The buggy address belongs to the page:
[   34.547276] page:ffffea00027aa800 count:1 mapcount:0 mapping:ffff88809eaa0000 index:0x0 compound_mapcount: 0
[   34.557230] flags: 0xfffe0000008100(slab|head)
[   34.561797] raw: 00fffe0000008100 ffff88809eaa0000 0000000000000000 0000000100000007
[   34.569663] raw: ffffea00023e8b20 ffffea00023dd520 ffff8880aa800ac0 0000000000000000
[   34.577525] page dumped because: kasan: bad access detected
[   34.583217] 
[   34.584827] Memory state around the buggy address:
[   34.589752]  ffff88809eaa1080: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   34.597093]  ffff88809eaa1100: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   34.604434] >ffff88809eaa1180: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   34.611775]                    ^
[   34.615122]  ffff88809eaa1200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   34.622464]  ffff88809eaa1280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   34.629801] ==================================================================
[   34.638097] Disabling lock debugging due to kernel taint
[   34.665366] Kernel panic - not syncing: panic_on_warn set ...
[   34.665366] 
[   34.672754] CPU: 0 PID: 1190 Comm: kworker/u5:0 Tainted: G    B             4.14.184-syzkaller #0
[   34.681579] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   34.690942] Workqueue: hci0 hci_rx_work
[   34.694894] Call Trace:
[   34.697506]  dump_stack+0x1b2/0x283
[   34.701110]  panic+0x1f9/0x42d
[   34.704275]  ? add_taint.cold+0x16/0x16
[   34.708223]  ? preempt_schedule_common+0x4a/0xc0
[   34.712951]  ? hci_event_packet+0x6c26/0x7324
[   34.717475]  ? ___preempt_schedule+0x16/0x18
[   34.721859]  ? hci_event_packet+0x6c26/0x7324
[   34.726328]  kasan_end_report+0x43/0x49
[   34.730276]  kasan_report.cold+0x12f/0x2b9
[   34.734487]  hci_event_packet+0x6c26/0x7324
[   34.738784]  ? hci_phy_link_complete_evt.isra.0+0x6c0/0x6c0
[   34.744470]  ? lock_is_held_type+0x1f0/0x210
[   34.748869]  ? _raw_spin_unlock_irqrestore+0x79/0xe0
[   34.753946]  ? trace_hardirqs_on_caller+0x3a8/0x580
[   34.758950]  hci_rx_work+0x3da/0x950
[   34.762656]  process_one_work+0x7c0/0x14c0
[   34.766867]  ? pwq_dec_nr_in_flight+0x2b0/0x2b0
[   34.771513]  worker_thread+0x5d7/0x1080
[   34.775476]  ? process_one_work+0x14c0/0x14c0
[   34.779949]  kthread+0x30d/0x420
[   34.783291]  ? kthread_create_on_node+0xd0/0xd0
[   34.787933]  ret_from_fork+0x24/0x30
[   34.792659] Kernel Offset: disabled
[   34.796267] Rebooting in 86400 seconds..
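Reading the report: hci_event_packet, running in the hci_rx_work workqueue, read 6 bytes (the size of a Bluetooth device address, bdaddr_t, which is consistent with a handler copying an address out of an event) starting 4 bytes past the end of a 1024-byte kmalloc object. That object is the data buffer of an skb allocated in vhci_write, i.e. a raw HCI packet that a user process injected through /dev/vhci; the shadow bytes at the faulting address are fc (slab redzone), so the handler walked off the end of a packet shorter than it assumed. The "Freed by task 3639" netlink stack is the previous lifetime of the same slab slot and is not part of the bug. The C program below is an added illustration of that bug class and its fix, not kernel code: the struct, function names, the assumed parameter layout (status byte then bdaddr), the arbitrary event code 0x7f and the sample packets are constructed for the example.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/*
 * Added illustration of the bug class in the KASAN report above; this is not
 * kernel code. An HCI event packet is a 2-byte header (event code, parameter
 * length) followed by parameters that a handler reads at fixed offsets. The
 * struct, function names, field offset and sample packets are assumptions
 * made for the example.
 */
#define HCI_EVENT_HDR_SIZE 2
#define BDADDR_LEN 6

/* Stand-in for the parts of an skb that matter here: payload pointer and the
 * number of bytes that actually arrived. */
struct hci_event {
    const uint8_t *data;
    size_t len;
};

/*
 * What an unchecked handler does implicitly: form a pointer at `off` and read
 * `size` bytes regardless of `ev->len`. Returns how many of those bytes lie
 * beyond the received payload (0 when the read is in bounds). Nothing is
 * dereferenced here; the arithmetic alone shows the overrun.
 */
static size_t read_overrun_bytes(const struct hci_event *ev, size_t off, size_t size)
{
    size_t end = off + size;
    return end > ev->len ? end - ev->len : 0;
}

/*
 * Hardened handler: validate the declared parameter length against the bytes
 * that actually arrived, then validate the field against the declared length,
 * before touching memory. `param_off` is the field's offset within the
 * parameters. Returns 0 and fills `out` on success, -EMSGSIZE otherwise.
 */
static int read_bdaddr_checked(const struct hci_event *ev, size_t param_off,
                               uint8_t out[BDADDR_LEN])
{
    if (ev->len < HCI_EVENT_HDR_SIZE)
        return -EMSGSIZE;                       /* not even a full header */

    size_t plen = ev->data[1];
    if (plen > ev->len - HCI_EVENT_HDR_SIZE)
        return -EMSGSIZE;                       /* sender declared more than it sent */

    if (param_off > plen || BDADDR_LEN > plen - param_off)
        return -EMSGSIZE;                       /* field not present in parameters */

    memcpy(out, ev->data + HCI_EVENT_HDR_SIZE + param_off, BDADDR_LEN);
    return 0;
}

/* Assumed parameter layout for the example: 1-byte status, then a 6-byte bdaddr. */
#define BDADDR_PARAM_OFF 1

/* Constructed sample packets (event code 0x7f is arbitrary). */
static const uint8_t good_ev[]  = { 0x7f, 0x07, 0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66 };
/* Header claims 7 parameter bytes but only the status byte arrived: exactly what
 * a process writing raw packets to /dev/vhci can produce. */
static const uint8_t short_ev[] = { 0x7f, 0x07, 0x00 };
/* Honest length, but too short to carry a bdaddr at all. */
static const uint8_t tiny_ev[]  = { 0x7f, 0x01, 0x00 };

int good_event_parses(void)
{
    struct hci_event ev = { good_ev, sizeof good_ev };
    uint8_t bd[BDADDR_LEN];
    return read_bdaddr_checked(&ev, BDADDR_PARAM_OFF, bd) == 0 &&
           bd[0] == 0x11 && bd[5] == 0x66;
}

int short_event_rejected(void)
{
    struct hci_event ev = { short_ev, sizeof short_ev };
    uint8_t bd[BDADDR_LEN];
    return read_bdaddr_checked(&ev, BDADDR_PARAM_OFF, bd) == -EMSGSIZE;
}

int tiny_event_rejected(void)
{
    struct hci_event ev = { tiny_ev, sizeof tiny_ev };
    uint8_t bd[BDADDR_LEN];
    return read_bdaddr_checked(&ev, BDADDR_PARAM_OFF, bd) == -EMSGSIZE;
}

/* Bytes an unchecked bdaddr read would take from beyond the truncated packet. */
size_t short_event_overrun(void)
{
    struct hci_event ev = { short_ev, sizeof short_ev };
    return read_overrun_bytes(&ev, HCI_EVENT_HDR_SIZE + BDADDR_PARAM_OFF, BDADDR_LEN);
}

int main(void)
{
    printf("well-formed event parsed: %d\n", good_event_parses());
    printf("truncated event rejected: %d\n", short_event_rejected());
    printf("undersized event rejected: %d\n", tiny_event_rejected());
    printf("unchecked read would overrun by %zu bytes\n", short_event_overrun());
    return 0;
}
```

The two checks in read_bdaddr_checked are deliberately separate: the first catches a packet whose declared parameter length exceeds the bytes received (the case the vhci path makes trivial, since the writer controls both), the second catches a packet whose declared length is honest but shorter than the event the handler thinks it is processing. Checking only one of them leaves the other overrun reachable.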