Warning: Permanently added '10.128.0.172' (ECDSA) to the list of known hosts.
syzkaller login: [ 65.763586][ T6840] IPVS: ftp: loaded support on port[0] = 21
executing program
[ 65.884359][ T6846] Bluetooth: hci0: Unknown advertising packet type: 0xffff
[ 65.884475][ T6846] ==================================================================
[ 65.899887][ T6846] BUG: KASAN: slab-out-of-bounds in hci_le_meta_evt+0x3a02/0x3ff0
[ 65.907679][ T6846] Read of size 1 at addr ffff8880a6f46209 by task kworker/u5:2/6846
[ 65.915638][ T6846]
[ 65.917970][ T6846] CPU: 0 PID: 6846 Comm: kworker/u5:2 Not tainted 5.8.0-syzkaller #0
[ 65.926009][ T6846] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 65.936142][ T6846] Workqueue: hci0 hci_rx_work
[ 65.940805][ T6846] Call Trace:
[ 65.946605][ T6846]  dump_stack+0x18f/0x20d
[ 65.950921][ T6846]  ? hci_le_meta_evt+0x3a02/0x3ff0
[ 65.956019][ T6846]  ? hci_le_meta_evt+0x3a02/0x3ff0
[ 65.961117][ T6846]  print_address_description.constprop.0.cold+0xae/0x497
[ 65.968128][ T6846]  ? vprintk_func+0x97/0x1a6
[ 65.972793][ T6846]  ? hci_le_meta_evt+0x3a02/0x3ff0
[ 65.977891][ T6846]  ? hci_le_meta_evt+0x3a02/0x3ff0
[ 65.982984][ T6846]  kasan_report.cold+0x1f/0x37
[ 65.987778][ T6846]  ? hci_le_meta_evt+0x3a02/0x3ff0
[ 65.993071][ T6846]  hci_le_meta_evt+0x3a02/0x3ff0
[ 65.998008][ T6846]  ? mark_lock+0xbc/0x1710
[ 66.002447][ T6846]  ? hci_key_refresh_complete_evt.isra.0+0x10b0/0x10b0
[ 66.009311][ T6846]  ? mark_lock+0xbc/0x1710
[ 66.013735][ T6846]  ? __lock_acquire+0x16cb/0x5640
[ 66.018748][ T6846]  ? __lock_acquire+0x16cb/0x5640
[ 66.024548][ T6846]  hci_event_packet+0x2e25/0x87a8
[ 66.029562][ T6846]  ? lockdep_hardirqs_on_prepare+0x530/0x530
[ 66.035704][ T6846]  ? __lock_acquire+0x16cb/0x5640
[ 66.040724][ T6846]  ? hci_cmd_complete_evt+0xc6d0/0xc6d0
[ 66.046284][ T6846]  ? lock_acquire+0x1f1/0xad0
[ 66.050950][ T6846]  ? skb_dequeue+0x1c/0x180
[ 66.056218][ T6846]  ? find_held_lock+0x2d/0x110
[ 66.060965][ T6846]  ? mark_lock+0xbc/0x1710
[ 66.065392][ T6846]  ? mark_held_locks+0x9f/0xe0
[ 66.070157][ T6846]  ? _raw_spin_unlock_irqrestore+0x62/0xe0
[ 66.075952][ T6846]  ? lockdep_hardirqs_on_prepare+0x354/0x530
[ 66.081914][ T6846]  ? trace_hardirqs_on+0x5f/0x220
[ 66.086923][ T6846]  ? lockdep_hardirqs_on+0x76/0xf0
[ 66.092022][ T6846]  hci_rx_work+0x22e/0xb50
[ 66.096432][ T6846]  process_one_work+0x94c/0x1670
[ 66.101388][ T6846]  ? lock_release+0x8e0/0x8e0
[ 66.106058][ T6846]  ? pwq_dec_nr_in_flight+0x2d0/0x2d0
[ 66.111415][ T6846]  ? rwlock_bug.part.0+0x90/0x90
[ 66.116343][ T6846]  worker_thread+0x64c/0x1120
[ 66.121020][ T6846]  ? __kthread_parkme+0x13f/0x1e0
[ 66.126026][ T6846]  ? process_one_work+0x1670/0x1670
[ 66.131208][ T6846]  kthread+0x3b5/0x4a0
[ 66.135386][ T6846]  ? __kthread_bind_mask+0xc0/0xc0
[ 66.140480][ T6846]  ? __kthread_bind_mask+0xc0/0xc0
[ 66.145576][ T6846]  ret_from_fork+0x1f/0x30
[ 66.149997][ T6846]
[ 66.152328][ T6846] Allocated by task 6840:
[ 66.156661][ T6846]  kasan_save_stack+0x1b/0x40
[ 66.161328][ T6846]  __kasan_kmalloc.constprop.0+0xbf/0xd0
[ 66.166946][ T6846]  __alloc_skb+0xae/0x550
[ 66.171256][ T6846]  vhci_write+0xbd/0x450
[ 66.175480][ T6846]  new_sync_write+0x422/0x650
[ 66.180136][ T6846]  vfs_write+0x5ad/0x730
[ 66.184362][ T6846]  ksys_write+0x12d/0x250
[ 66.188672][ T6846]  __do_fast_syscall_32+0x57/0x80
[ 66.193708][ T6846]  do_fast_syscall_32+0x2f/0x70
[ 66.198540][ T6846]  entry_SYSENTER_compat_after_hwframe+0x4d/0x5c
[ 66.204840][ T6846]
[ 66.207151][ T6846] The buggy address belongs to the object at ffff8880a6f46000
[ 66.207151][ T6846]  which belongs to the cache kmalloc-512 of size 512
[ 66.221203][ T6846] The buggy address is located 9 bytes to the right of
[ 66.221203][ T6846]  512-byte region [ffff8880a6f46000, ffff8880a6f46200)
[ 66.234803][ T6846] The buggy address belongs to the page:
[ 66.240425][ T6846] page:00000000f1999511 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0xa6f46
[ 66.250559][ T6846] flags: 0xfffe0000000200(slab)
[ 66.255460][ T6846] raw: 00fffe0000000200 ffffea00028a1288 ffffea00029aac88 ffff8880aa040600
[ 66.264030][ T6846] raw: 0000000000000000 ffff8880a6f46000 0000000100000004 0000000000000000
[ 66.272592][ T6846] page dumped because: kasan: bad access detected
[ 66.278979][ T6846]
[ 66.281288][ T6846] Memory state around the buggy address:
[ 66.286903][ T6846]  ffff8880a6f46100: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 66.294958][ T6846]  ffff8880a6f46180: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 66.303005][ T6846] >ffff8880a6f46200: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 66.311048][ T6846]                                               ^
[ 66.315358][ T6846]  ffff8880a6f46280: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 66.323400][ T6846]  ffff8880a6f46300: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 66.331438][ T6846] ==================================================================
[ 66.339584][ T6846] Disabling lock debugging due to kernel taint
[ 66.346280][ T6846] Kernel panic - not syncing: panic_on_warn set ...
[ 66.352885][ T6846] CPU: 0 PID: 6846 Comm: kworker/u5:2 Tainted: G    B             5.8.0-syzkaller #0
[ 66.362340][ T6846] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 66.372529][ T6846] Workqueue: hci0 hci_rx_work
[ 66.377193][ T6846] Call Trace:
[ 66.380721][ T6846]  dump_stack+0x18f/0x20d
[ 66.385326][ T6846]  ? hci_le_meta_evt+0x3940/0x3ff0
[ 66.390416][ T6846]  panic+0x2e3/0x75c
[ 66.394459][ T6846]  ? __warn_printk+0xf3/0xf3
[ 66.399043][ T6846]  ? preempt_schedule_common+0x59/0xc0
[ 66.404566][ T6846]  ? hci_le_meta_evt+0x3a02/0x3ff0
[ 66.409655][ T6846]  ? preempt_schedule_thunk+0x16/0x18
[ 66.415023][ T6846]  ? trace_hardirqs_on+0x55/0x220
[ 66.420029][ T6846]  ? hci_le_meta_evt+0x3a02/0x3ff0
[ 66.425115][ T6846]  ? hci_le_meta_evt+0x3a02/0x3ff0
[ 66.430200][ T6846]  end_report+0x4d/0x53
[ 66.434331][ T6846]  kasan_report.cold+0xd/0x37
[ 66.438993][ T6846]  ? hci_le_meta_evt+0x3a02/0x3ff0
[ 66.444080][ T6846]  hci_le_meta_evt+0x3a02/0x3ff0
[ 66.448994][ T6846]  ? mark_lock+0xbc/0x1710
[ 66.453387][ T6846]  ? hci_key_refresh_complete_evt.isra.0+0x10b0/0x10b0
[ 66.460211][ T6846]  ? mark_lock+0xbc/0x1710
[ 66.464607][ T6846]  ? __lock_acquire+0x16cb/0x5640
[ 66.469605][ T6846]  ? __lock_acquire+0x16cb/0x5640
[ 66.474811][ T6846]  hci_event_packet+0x2e25/0x87a8
[ 66.480095][ T6846]  ? lockdep_hardirqs_on_prepare+0x530/0x530
[ 66.486055][ T6846]  ? __lock_acquire+0x16cb/0x5640
[ 66.491055][ T6846]  ? hci_cmd_complete_evt+0xc6d0/0xc6d0
[ 66.496572][ T6846]  ? lock_acquire+0x1f1/0xad0
[ 66.501225][ T6846]  ? skb_dequeue+0x1c/0x180
[ 66.505704][ T6846]  ? find_held_lock+0x2d/0x110
[ 66.510459][ T6846]  ? mark_lock+0xbc/0x1710
[ 66.515543][ T6846]  ? mark_held_locks+0x9f/0xe0
[ 66.520303][ T6846]  ? _raw_spin_unlock_irqrestore+0x62/0xe0
[ 66.526083][ T6846]  ? lockdep_hardirqs_on_prepare+0x354/0x530
[ 66.532040][ T6846]  ? trace_hardirqs_on+0x5f/0x220
[ 66.537056][ T6846]  ? lockdep_hardirqs_on+0x76/0xf0
[ 66.542149][ T6846]  hci_rx_work+0x22e/0xb50
[ 66.546544][ T6846]  process_one_work+0x94c/0x1670
[ 66.551481][ T6846]  ? lock_release+0x8e0/0x8e0
[ 66.556138][ T6846]  ? pwq_dec_nr_in_flight+0x2d0/0x2d0
[ 66.561571][ T6846]  ? rwlock_bug.part.0+0x90/0x90
[ 66.566501][ T6846]  worker_thread+0x64c/0x1120
[ 66.571158][ T6846]  ? __kthread_parkme+0x13f/0x1e0
[ 66.576155][ T6846]  ? process_one_work+0x1670/0x1670
[ 66.581326][ T6846]  kthread+0x3b5/0x4a0
[ 66.585384][ T6846]  ? __kthread_bind_mask+0xc0/0xc0
[ 66.590552][ T6846]  ? __kthread_bind_mask+0xc0/0xc0
[ 66.595659][ T6846]  ret_from_fork+0x1f/0x30
[ 66.601621][ T6846] Kernel Offset: disabled
[ 66.606014][ T6846] Rebooting in 86400 seconds..