[ OK ] Started Regular background program processing daemon.
[ OK ] Started Permit User Sessions.
[ OK ] Started System Logging Service.
[ OK ] Started getty on tty2-tty6 if dbus and logind are not available.
[ OK ] Started OpenBSD Secure Shell server.
[ OK ] Listening on Load/Save RF Kill Switch Status /dev/rfkill Watch.
[ OK ] Started Getty on tty6.
[ OK ] Started Getty on tty5.
[ OK ] Started Getty on tty4.
[ OK ] Started Getty on tty3.
[ OK ] Started Getty on tty2.
[ OK ] Started Getty on tty1.
[ OK ] Started Serial Getty on ttyS0.
[ OK ] Reached target Login Prompts.
[ OK ] Reached target Multi-User System.
[ OK ] Reached target Graphical Interface.
Starting Update UTMP about System Runlevel Changes...
Starting Load/Save RF Kill Switch Status...
[ OK ] Started Update UTMP about System Runlevel Changes.
[ OK ] Started Load/Save RF Kill Switch Status.

Debian GNU/Linux 9 syzkaller ttyS0

Warning: Permanently added '10.128.0.90' (ECDSA) to the list of known hosts.

syzkaller login: [   41.632220][ T6840] IPVS: ftp: loaded support on port[0] = 21
executing program
[   42.725600][ T6867] ==================================================================
[   42.734025][ T6867] BUG: KASAN: slab-out-of-bounds in hci_event_packet+0x6c7/0x18260
[   42.742040][ T6867] Read of size 6 at addr ffff8880a8f5fe08 by task kworker/u5:2/6867
[   42.750797][ T6867]
[   42.753222][ T6867] CPU: 1 PID: 6867 Comm: kworker/u5:2 Not tainted 5.8.0-rc7-syzkaller #0
[   42.761632][ T6867] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   42.773007][ T6867] Workqueue: hci0 hci_rx_work
[   42.777690][ T6867] Call Trace:
[   42.781029][ T6867]  dump_stack+0x1f0/0x31e
[   42.785377][ T6867]  print_address_description+0x66/0x5a0
[   42.791883][ T6867]  ? vprintk_emit+0x342/0x3c0
[   42.796571][ T6867]  ? printk+0x62/0x83
[   42.800543][ T6867]  ? rcu_read_lock_sched_held+0x2f/0xa0
[   42.806066][ T6867]  ? vprintk_emit+0x339/0x3c0
[   42.810733][ T6867]  kasan_report+0x132/0x1d0
[   42.815231][ T6867]  ? hci_event_packet+0x6c7/0x18260
[   42.820401][ T6867]  ? memcpy+0x3c/0x60
[   42.824363][ T6867]  check_memory_region+0x2b5/0x2f0
[   42.829455][ T6867]  ? hci_event_packet+0x6c7/0x18260
[   42.834629][ T6867]  memcpy+0x25/0x60
[   42.838426][ T6867]  hci_event_packet+0x6c7/0x18260
[   42.843429][ T6867]  ? trace_lock_release+0x137/0x1a0
[   42.848621][ T6867]  ? lockdep_hardirqs_on+0x38/0xe0
[   42.853711][ T6867]  hci_rx_work+0x236/0x9c0
[   42.858121][ T6867]  process_one_work+0x789/0xfc0
[   42.862960][ T6867]  worker_thread+0xaa4/0x1460
[   42.868315][ T6867]  ? _raw_spin_unlock_irqrestore+0x6f/0xd0
[   42.874109][ T6867]  kthread+0x37e/0x3a0
[   42.878165][ T6867]  ? rcu_lock_release+0x20/0x20
[   42.886481][ T6867]  ? kthread_blkcg+0xd0/0xd0
[   42.891052][ T6867]  ret_from_fork+0x1f/0x30
[   42.895448][ T6867]
[   42.897753][ T6867] Allocated by task 6840:
[   42.902062][ T6867]  __kasan_kmalloc+0x103/0x140
[   42.906798][ T6867]  __alloc_skb+0xde/0x4f0
[   42.911101][ T6867]  vhci_write+0xb7/0x400
[   42.915319][ T6867]  vfs_write+0xa08/0xc70
[   42.919536][ T6867]  ksys_write+0x11b/0x220
[   42.923851][ T6867]  do_syscall_64+0x73/0xe0
[   42.928241][ T6867]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[   42.934117][ T6867]
[   42.936435][ T6867] Freed by task 4816:
[   42.940403][ T6867]  __kasan_slab_free+0x114/0x170
[   42.945318][ T6867]  kfree+0x10a/0x220
[   42.949188][ T6867]  ep_eventpoll_release+0x44/0x50
[   42.954187][ T6867]  __fput+0x2f0/0x750
[   42.958140][ T6867]  task_work_run+0x137/0x1c0
[   42.962705][ T6867]  __prepare_exit_to_usermode+0x14c/0x1e0
[   42.968394][ T6867]  do_syscall_64+0x7f/0xe0
[   42.972784][ T6867]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[   42.978656][ T6867]
[   42.980977][ T6867] The buggy address belongs to the object at ffff8880a8f5fc00
[   42.980977][ T6867]  which belongs to the cache kmalloc-512 of size 512
[   43.000236][ T6867] The buggy address is located 8 bytes to the right of
[   43.000236][ T6867]  512-byte region [ffff8880a8f5fc00, ffff8880a8f5fe00)
[   43.013834][ T6867] The buggy address belongs to the page:
[   43.019458][ T6867] page:ffffea0002a3d7c0 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0
[   43.028534][ T6867] flags: 0xfffe0000000200(slab)
[   43.033359][ T6867] raw: 00fffe0000000200 ffffea00029c1788 ffffea000265ffc8 ffff8880aa400a80
[   43.041935][ T6867] raw: 0000000000000000 ffff8880a8f5f000 0000000100000004 0000000000000000
[   43.051441][ T6867] page dumped because: kasan: bad access detected
[   43.057820][ T6867]
[   43.060135][ T6867] Memory state around the buggy address:
[   43.065743][ T6867]  ffff8880a8f5fd00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   43.073776][ T6867]  ffff8880a8f5fd80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   43.081824][ T6867] >ffff8880a8f5fe00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   43.089866][ T6867]                                            ^
[   43.094169][ T6867]  ffff8880a8f5fe80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   43.102204][ T6867]  ffff8880a8f5ff00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   43.110235][ T6867] ==================================================================
[   43.118354][ T6867] Disabling lock debugging due to kernel taint
[   43.126324][ T6867] Kernel panic - not syncing: panic_on_warn set ...
[   43.133879][ T6867] CPU: 0 PID: 6867 Comm: kworker/u5:2 Tainted: G    B             5.8.0-rc7-syzkaller #0
[   43.143666][ T6867] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   43.153835][ T6867] Workqueue: hci0 hci_rx_work
[   43.158498][ T6867] Call Trace:
[   43.161778][ T6867]  dump_stack+0x1f0/0x31e
[   43.166110][ T6867]  panic+0x264/0x7a0
[   43.170052][ T6867]  ? trace_hardirqs_on+0x30/0x80
[   43.174961][ T6867]  kasan_report+0x1c9/0x1d0
[   43.179433][ T6867]  ? hci_event_packet+0x6c7/0x18260
[   43.184599][ T6867]  ? memcpy+0x3c/0x60
[   43.188547][ T6867]  check_memory_region+0x2b5/0x2f0
[   43.193626][ T6867]  ? hci_event_packet+0x6c7/0x18260
[   43.198793][ T6867]  memcpy+0x25/0x60
[   43.202607][ T6867]  hci_event_packet+0x6c7/0x18260
[   43.207600][ T6867]  ? trace_lock_release+0x137/0x1a0
[   43.212769][ T6867]  ? lockdep_hardirqs_on+0x38/0xe0
[   43.217995][ T6867]  hci_rx_work+0x236/0x9c0
[   43.222385][ T6867]  process_one_work+0x789/0xfc0
[   43.227243][ T6867]  worker_thread+0xaa4/0x1460
[   43.231934][ T6867]  ? _raw_spin_unlock_irqrestore+0x6f/0xd0
[   43.237708][ T6867]  kthread+0x37e/0x3a0
[   43.241748][ T6867]  ? rcu_lock_release+0x20/0x20
[   43.246565][ T6867]  ? kthread_blkcg+0xd0/0xd0
[   43.251165][ T6867]  ret_from_fork+0x1f/0x30
[   43.256750][ T6867] Kernel Offset: disabled
[   43.262014][ T6867] Rebooting in 86400 seconds..