[  OK  ] Reached target Graphical Interface.
         Starting Update UTMP about System Runlevel Changes...
         Starting Load/Save RF Kill Switch Status...
[  OK  ] Started Update UTMP about System Runlevel Changes.
[  OK  ] Started Load/Save RF Kill Switch Status.

Debian GNU/Linux 9 syzkaller ttyS0

Warning: Permanently added '10.128.0.143' (ECDSA) to the list of known hosts.

syzkaller login: [   39.928053] audit: type=1400 audit(1596449749.036:8): avc:  denied  { execmem } for  pid=6437 comm="syz-executor454" scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=process permissive=1
[   39.942123] IPVS: ftp: loaded support on port[0] = 21
executing program
[   41.069519] Bluetooth: hci0: advertising data len corrected
[   41.079515] ==================================================================
[   41.092168] BUG: KASAN: slab-out-of-bounds in hci_le_meta_evt+0x345b/0x39c0
[   41.100246] Read of size 1 at addr ffff8880a5c92204 by task kworker/u5:2/6465
[   41.112229] 
[   41.115568] CPU: 1 PID: 6465 Comm: kworker/u5:2 Not tainted 4.19.136-syzkaller #0
[   41.129725] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   41.143607] Workqueue: hci0 hci_rx_work
[   41.149744] Call Trace:
[   41.153628]  dump_stack+0x1fc/0x2fe
[   41.159844]  print_address_description.cold+0x54/0x219
[   41.167683]  kasan_report_error.cold+0x8a/0x1c7
[   41.175645]  ? hci_le_meta_evt+0x345b/0x39c0
[   41.181761]  __asan_report_load1_noabort+0x88/0x90
[   41.188359]  ? hci_le_meta_evt+0x345b/0x39c0
[   41.194753]  hci_le_meta_evt+0x345b/0x39c0
[   41.200665]  ? load_balance+0xbab/0x2080
[   41.205900]  ? read_enc_key_size_complete+0xb90/0xb90
[   41.214099]  ? __lock_acquire+0x6de/0x3ff0
[   41.221095]  ? __lock_acquire+0x6de/0x3ff0
[   41.226322]  hci_event_packet+0x1a29/0x858f
[   41.232919]  ? mark_held_locks+0xf0/0xf0
[   41.238010]  ? __lock_acquire+0x6de/0x3ff0
[   41.245634]  ? hci_cmd_complete_evt+0xb5e0/0xb5e0
[   41.252386]  ? find_busiest_group+0x25f0/0x25f0
[   41.258008]  ? debug_object_deactivate+0x1f9/0x2e0
[   41.264936]  ? mark_held_locks+0xa6/0xf0
[   41.271132]  ? _raw_spin_unlock_irqrestore+0x79/0xe0
[   41.279660]  ? lockdep_hardirqs_on+0x3a8/0x5c0
[   41.286008]  hci_rx_work+0x46b/0xa90
[   41.291019]  process_one_work+0x864/0x1570
[   41.297219]  ? pwq_dec_nr_in_flight+0x2d0/0x2d0
[   41.303856]  worker_thread+0x64c/0x1130
[   41.309336]  ? __kthread_parkme+0xfd/0x1b0
[   41.315769]  ? process_one_work+0x1570/0x1570
[   41.321973]  kthread+0x30b/0x410
[   41.325960]  ? kthread_park+0x180/0x180
[   41.330803]  ret_from_fork+0x24/0x30
[   41.336389] 
[   41.338305] Allocated by task 6438:
[   41.343304]  __kmalloc_node_track_caller+0x4c/0x70
[   41.349454]  __alloc_skb+0xae/0x560
[   41.354566]  vhci_write+0xbd/0x450
[   41.360020]  __vfs_write+0x51b/0x770
[   41.365059]  vfs_write+0x1f3/0x540
[   41.370065]  ksys_write+0x12b/0x2a0
[   41.374126]  do_syscall_64+0xf9/0x620
[   41.379108]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   41.387168] 
[   41.389528] Freed by task 3709:
[   41.392894]  kfree+0xcc/0x210
[   41.396000]  skb_release_data+0x6de/0x920
[   41.400404]  consume_skb+0x113/0x3d0
[   41.404919]  skb_free_datagram+0x16/0xf0
[   41.410097]  unix_dgram_recvmsg+0x73e/0xe80
[   41.417173]  sock_recvmsg+0xca/0x110
[   41.421595]  ___sys_recvmsg+0x255/0x570
[   41.427241]  __x64_sys_recvmsg+0x12f/0x220
[   41.432564]  do_syscall_64+0xf9/0x620
[   41.437846]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   41.444597] 
[   41.447242] The buggy address belongs to the object at ffff8880a5c92000
[   41.447242]  which belongs to the cache kmalloc-512 of size 512
[   41.464139] The buggy address is located 4 bytes to the right of
[   41.464139]  512-byte region [ffff8880a5c92000, ffff8880a5c92200)
[   41.478345] The buggy address belongs to the page:
[   41.486376] page:ffffea0002972480 count:1 mapcount:0 mapping:ffff88812c39c940 index:0xffff8880a5c92780
[   41.500543] flags: 0xfffe0000000100(slab)
[   41.506015] raw: 00fffe0000000100 ffffea000280ee08 ffffea00027c2c08 ffff88812c39c940
[   41.516820] raw: ffff8880a5c92780 ffff8880a5c92000 0000000100000004 0000000000000000
[   41.527693] page dumped because: kasan: bad access detected
[   41.534407] 
[   41.536466] Memory state around the buggy address:
[   41.542431]  ffff8880a5c92100: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   41.550867]  ffff8880a5c92180: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   41.559465] >ffff8880a5c92200: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   41.568200]                                ^
[   41.572148]  ffff8880a5c92280: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   41.581762]  ffff8880a5c92300: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   41.592819] ==================================================================
[   41.604494] Disabling lock debugging due to kernel taint
[   41.613837] Kernel panic - not syncing: panic_on_warn set ...
[   41.613837] 
[   41.623599] CPU: 1 PID: 6465 Comm: kworker/u5:2 Tainted: G    B             4.19.136-syzkaller #0
[   41.632894] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   41.642973] Workqueue: hci0 hci_rx_work
[   41.647192] Call Trace:
[   41.650104]  dump_stack+0x1fc/0x2fe
[   41.653928]  panic+0x26a/0x50e
[   41.657358]  ? __warn_printk+0xf3/0xf3
[   41.661446]  ? preempt_schedule_common+0x45/0xc0
[   41.667950]  ? ___preempt_schedule+0x16/0x18
[   41.672354]  ? trace_hardirqs_on+0x55/0x210
[   41.676676]  kasan_end_report+0x43/0x49
[   41.681078]  kasan_report_error.cold+0xa7/0x1c7
[   41.685883]  ? hci_le_meta_evt+0x345b/0x39c0
[   41.690536]  __asan_report_load1_noabort+0x88/0x90
[   41.695607]  ? hci_le_meta_evt+0x345b/0x39c0
[   41.700104]  hci_le_meta_evt+0x345b/0x39c0
[   41.704580]  ? load_balance+0xbab/0x2080
[   41.708767]  ? read_enc_key_size_complete+0xb90/0xb90
[   41.714646]  ? __lock_acquire+0x6de/0x3ff0
[   41.720436]  ? __lock_acquire+0x6de/0x3ff0
[   41.725788]  hci_event_packet+0x1a29/0x858f
[   41.730823]  ? mark_held_locks+0xf0/0xf0
[   41.735452]  ? __lock_acquire+0x6de/0x3ff0
[   41.741732]  ? hci_cmd_complete_evt+0xb5e0/0xb5e0
[   41.746993]  ? find_busiest_group+0x25f0/0x25f0
[   41.751790]  ? debug_object_deactivate+0x1f9/0x2e0
[   41.758066]  ? mark_held_locks+0xa6/0xf0
[   41.762694]  ? _raw_spin_unlock_irqrestore+0x79/0xe0
[   41.768008]  ? lockdep_hardirqs_on+0x3a8/0x5c0
[   41.774234]  hci_rx_work+0x46b/0xa90
[   41.778213]  process_one_work+0x864/0x1570
[   41.784425]  ? pwq_dec_nr_in_flight+0x2d0/0x2d0
[   41.790147]  worker_thread+0x64c/0x1130
[   41.795007]  ? __kthread_parkme+0xfd/0x1b0
[   41.801404]  ? process_one_work+0x1570/0x1570
[   41.806795]  kthread+0x30b/0x410
[   41.812097]  ? kthread_park+0x180/0x180
[   41.818604]  ret_from_fork+0x24/0x30
[   41.826620] Kernel Offset: disabled
[   41.831728] Rebooting in 86400 seconds..
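What the report above pins down is narrow: a 1-byte read, 4 bytes past the end of a 512-byte kmalloc object, made by the LE meta event handler on the hci0 receive workqueue, on an skb that was allocated in vhci_write, i.e. an HCI packet written by userspace to /dev/vhci and then parsed as if it came from a controller. The illustrative model below is an added example for this page, not the kernel's hci_le_meta_evt() or any syzkaller code. It assumes the wire layout of an LE Advertising Report (subevent code, num_reports, then per report evt_type, addr_type, bdaddr, length, data, rssi); the struct and function names, the constructed packets, and the counter that stands in for KASAN are all the example's own. It shows the shape of the defect (walking the packet using lengths carried inside the packet without comparing them to the skb's real length) next to the bounds-checked form, and the counter records the same "read of size 1 just past the allocation" the report flags.

```c
/* Illustrative model of an LE meta event parser, added for this page; not
 * kernel code.  Type and function names are assumptions. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Stand-in for struct sk_buff: payload, logical length, and the size of the
 * backing allocation (the slab object that KASAN redzones). */
struct skb {
    const uint8_t *data;
    size_t len;
    size_t cap;
};

/* Poor man's KASAN: every byte load goes through here; a load outside the
 * backing allocation is counted instead of faulting. */
static unsigned long oob_reads;

static uint8_t load1(const struct skb *skb, size_t off)
{
    if (off >= skb->cap) {
        oob_reads++;
        return 0;
    }
    return skb->data[off];
}

/* LE Advertising Report subevent (0x02).  One report on the wire:
 *   evt_type(1) addr_type(1) bdaddr(6) length(1) data(length) rssi(1)
 * preceded by the subevent code and num_reports. */
#define HCI_EV_LE_ADVERTISING_REPORT 0x02
#define ADV_REPORT_HDR (1 + 1 + 6 + 1)

struct parse_result { int reports; int rejected; };

/* Vulnerable shape: trusts num_reports and each length byte.  The rssi load
 * is data[length]; for a truncated report that is the byte just past the end
 * of the allocation (the "Read of size 1" in the report). */
static struct parse_result le_adv_report_unchecked(const struct skb *skb)
{
    struct parse_result r = {0, 0};
    size_t off = 1;                          /* past subevent code */
    int num = load1(skb, off++);
    while (num--) {
        off += 1 + 1 + 6;                    /* evt_type, addr_type, bdaddr */
        uint8_t len = load1(skb, off++);     /* attacker-chosen */
        off += len;                          /* skip advertising data */
        (void)load1(skb, off++);             /* rssi */
        r.reports++;
    }
    return r;
}

/* Hardened shape: check the remaining length before every field, the way a
 * bounds-checked skb_pull() would, and drop the event when it does not fit. */
static struct parse_result le_adv_report_checked(const struct skb *skb)
{
    struct parse_result r = {0, 0};
    size_t off = 1;
    if (skb->len < 2) { r.rejected = 1; return r; }
    int num = load1(skb, off++);
    while (num--) {
        if (skb->len - off < ADV_REPORT_HDR) { r.rejected = 1; return r; }
        off += 1 + 1 + 6;
        uint8_t len = load1(skb, off++);
        if (skb->len - off < (size_t)len + 1) { r.rejected = 1; return r; }
        off += len + 1;                      /* data + rssi */
        r.reports++;
    }
    return r;
}

/* Dispatcher in the role of the LE meta event handler: the subevent code
 * selects the handler; unknown subevents are dropped. */
static struct parse_result le_meta_evt(const struct skb *skb, int hardened)
{
    struct parse_result dropped = {0, 1};
    if (skb->len >= 1 && load1(skb, 0) == HCI_EV_LE_ADVERTISING_REPORT)
        return hardened ? le_adv_report_checked(skb) : le_adv_report_unchecked(skb);
    return dropped;
}

/* Constructed sample packets (not taken from the log).  Both claim one report
 * with 5 bytes of advertising data; the first omits the trailing rssi byte. */
static const uint8_t truncated_pkt[] = {
    HCI_EV_LE_ADVERTISING_REPORT, 0x01,
    0x00, 0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66,
    0x05, 0x02, 0x01, 0x06, 0x03, 0x19,
};
static const uint8_t complete_pkt[] = {
    HCI_EV_LE_ADVERTISING_REPORT, 0x01,
    0x00, 0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66,
    0x05, 0x02, 0x01, 0x06, 0x03, 0x19, 0xc8,
};

/* Feed one packet to one handler with a fresh counter.  The backing
 * allocation is exactly len bytes, like an exact-fit slab object.  Returns
 * the number of out-of-bounds loads, i.e. what KASAN would have flagged. */
static unsigned long run_case(const uint8_t *pkt, size_t len, int hardened,
                              struct parse_result *out)
{
    struct skb skb = { pkt, len, len };
    oob_reads = 0;
    *out = le_meta_evt(&skb, hardened);
    return oob_reads;
}

int main(void)
{
    struct parse_result r;
    unsigned long oob = run_case(truncated_pkt, sizeof truncated_pkt, 0, &r);
    printf("unchecked, truncated: reports=%d oob_reads=%lu\n", r.reports, oob);
    oob = run_case(truncated_pkt, sizeof truncated_pkt, 1, &r);
    printf("checked,   truncated: rejected=%d oob_reads=%lu\n", r.rejected, oob);
    oob = run_case(complete_pkt, sizeof complete_pkt, 1, &r);
    printf("checked,   complete:  reports=%d oob_reads=%lu\n", r.reports, oob);
    return 0;
}
```

The unchecked handler accepts the truncated packet and performs one load past the end of the buffer, which is exactly the event KASAN turns into the slab-out-of-bounds report; the checked handler rejects the same packet without touching anything beyond skb->len, and still accepts the well-formed one. In the real report the skb data lived in a 512-byte kmalloc object and the bad load landed 4 bytes past it, so the test for any candidate fix is the same as here: feed a packet whose embedded lengths exceed the skb's real length through /dev/vhci under KASAN and confirm the handler drops it instead of reading the redzone.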