Warning: Permanently added '10.128.0.146' (ECDSA) to the list of known hosts.
[ 33.072729] audit: type=1400 audit(1596204830.010:8): avc: denied { execmem } for pid=6375 comm="syz-executor128" scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=process permissive=1
[ 33.342768] IPVS: ftp: loaded support on port[0] = 21
executing program
[ 35.288769] ==================================================================
[ 35.296258] BUG: KASAN: slab-out-of-bounds in hci_inquiry_result_with_rssi_evt+0x1df/0x640
[ 35.304673] Read of size 6 at addr ffff88809fe1d4fb by task kworker/u5:0/1202
[ 35.311918]
[ 35.313525] CPU: 1 PID: 1202 Comm: kworker/u5:0 Not tainted 4.14.190-syzkaller #0
[ 35.321119] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 35.330456] Workqueue: hci0 hci_rx_work
[ 35.334406] Call Trace:
[ 35.336971] dump_stack+0x1b2/0x283
[ 35.340582] print_address_description.cold+0x54/0x1d3
[ 35.345835] kasan_report_error.cold+0x8a/0x194
[ 35.350483] ? hci_inquiry_result_with_rssi_evt+0x1df/0x640
[ 35.356167] kasan_report+0x6f/0x7b
[ 35.359773] ? hci_inquiry_result_with_rssi_evt+0x1df/0x640
[ 35.365459] memcpy+0x20/0x50
[ 35.368540] hci_inquiry_result_with_rssi_evt+0x1df/0x640
[ 35.374056] ? hci_resolve_name+0x150/0x150
[ 35.378356] ? static_obj+0x50/0x50
[ 35.381959] hci_event_packet+0x19cd/0x7c7a
[ 35.386259] ? trace_hardirqs_on+0x10/0x10
[ 35.390472] ? hci_cmd_complete_evt+0x9590/0x9590
[ 35.395294] ? trace_hardirqs_on+0x10/0x10
[ 35.399508] ? debug_object_deactivate+0x1da/0x2e0
[ 35.404427] ? trace_hardirqs_on+0x10/0x10
[ 35.408656] ? skb_dequeue+0x120/0x170
[ 35.412524] ? mark_held_locks+0xa6/0xf0
[ 35.416577] ? _raw_spin_unlock_irqrestore+0x79/0xe0
[ 35.421657] ? trace_hardirqs_on_caller+0x3a8/0x580
[ 35.426669] ? _raw_spin_unlock_irqrestore+0x66/0xe0
[ 35.431749] hci_rx_work+0x3e6/0x970
[ 35.435439] ? rcu_lockdep_current_cpu_online+0xed/0x140
[ 35.440867] process_one_work+0x793/0x14a0
[ 35.445082] ? work_busy+0x320/0x320
[ 35.448768] ? worker_thread+0x158/0xff0
[ 35.452850] ? _raw_spin_unlock_irq+0x24/0x80
[ 35.457336] worker_thread+0x5cc/0xff0
[ 35.461233] ? rescuer_thread+0xc80/0xc80
[ 35.465360] kthread+0x30d/0x420
[ 35.468728] ? kthread_create_on_node+0xd0/0xd0
[ 35.473381] ret_from_fork+0x24/0x30
[ 35.477076]
[ 35.478684] Allocated by task 6376:
[ 35.482294] kasan_kmalloc+0xeb/0x160
[ 35.486072] __kmalloc_node_track_caller+0x4c/0x70
[ 35.490980] __alloc_skb+0x96/0x510
[ 35.494591] vhci_write+0xb1/0x420
[ 35.498108] __vfs_write+0x44c/0x630
[ 35.501797] vfs_write+0x17f/0x4d0
[ 35.505324] SyS_write+0xf2/0x210
[ 35.508755] do_syscall_64+0x1d5/0x640
[ 35.512620] entry_SYSCALL_64_after_hwframe+0x46/0xbb
[ 35.517782]
[ 35.519387] Freed by task 4435:
[ 35.522643] kasan_slab_free+0xc3/0x1a0
[ 35.526599] kfree+0xc9/0x250
[ 35.529688] kernfs_fop_release+0x10e/0x180
[ 35.534089] __fput+0x25f/0x7a0
[ 35.537342] task_work_run+0x11f/0x190
[ 35.541203] exit_to_usermode_loop+0x1ad/0x200
[ 35.545845] do_syscall_64+0x4a3/0x640
[ 35.549720] entry_SYSCALL_64_after_hwframe+0x46/0xbb
[ 35.554880]
[ 35.556482] The buggy address belongs to the object at ffff88809fe1d300
[ 35.556482] which belongs to the cache kmalloc-512 of size 512
[ 35.569110] The buggy address is located 507 bytes inside of
[ 35.569110] 512-byte region [ffff88809fe1d300, ffff88809fe1d500)
[ 35.580956] The buggy address belongs to the page:
[ 35.585859] page:ffffea00027f8740 count:1 mapcount:0 mapping:ffff88809fe1d080 index:0xffff88809fe1d080
[ 35.595276] flags: 0xfffe0000000100(slab)
[ 35.599400] raw: 00fffe0000000100 ffff88809fe1d080 ffff88809fe1d080 0000000100000004
[ 35.607289] raw: ffffea00022e3120 ffffea000226efa0 ffff88812fe52940 0000000000000000
[ 35.615142] page dumped because: kasan: bad access detected
[ 35.620841]
[ 35.622472] Memory state around the buggy address:
[ 35.627374] ffff88809fe1d400: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 35.634707] ffff88809fe1d480: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 35.642039] >ffff88809fe1d500: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 35.649482] ^
[ 35.652840] ffff88809fe1d580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 35.660181] ffff88809fe1d600: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 35.667530] ==================================================================
[ 35.674865] Disabling lock debugging due to kernel taint
[ 35.681965] Kernel panic - not syncing: panic_on_warn set ...
[ 35.681965]
[ 35.689340] CPU: 1 PID: 1202 Comm: kworker/u5:0 Tainted: G B 4.14.190-syzkaller #0
[ 35.698161] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 35.707530] Workqueue: hci0 hci_rx_work
[ 35.711492] Call Trace:
[ 35.714073] dump_stack+0x1b2/0x283
[ 35.717705] panic+0x1f9/0x42d
[ 35.720897] ? add_taint.cold+0x16/0x16
[ 35.724852] ? ___preempt_schedule+0x16/0x18
[ 35.729469] kasan_end_report+0x43/0x49
[ 35.733414] kasan_report_error.cold+0xa7/0x194
[ 35.738057] ? hci_inquiry_result_with_rssi_evt+0x1df/0x640
[ 35.743750] kasan_report+0x6f/0x7b
[ 35.747350] ? hci_inquiry_result_with_rssi_evt+0x1df/0x640
[ 35.753039] memcpy+0x20/0x50
[ 35.756117] hci_inquiry_result_with_rssi_evt+0x1df/0x640
[ 35.761628] ? hci_resolve_name+0x150/0x150
[ 35.765925] ? static_obj+0x50/0x50
[ 35.769524] hci_event_packet+0x19cd/0x7c7a
[ 35.773819] ? trace_hardirqs_on+0x10/0x10
[ 35.778026] ? hci_cmd_complete_evt+0x9590/0x9590
[ 35.782840] ? trace_hardirqs_on+0x10/0x10
[ 35.787046] ? debug_object_deactivate+0x1da/0x2e0
[ 35.791946] ? trace_hardirqs_on+0x10/0x10
[ 35.796171] ? skb_dequeue+0x120/0x170
[ 35.800084] ? mark_held_locks+0xa6/0xf0
[ 35.804120] ? _raw_spin_unlock_irqrestore+0x79/0xe0
[ 35.809194] ? trace_hardirqs_on_caller+0x3a8/0x580
[ 35.814184] ? _raw_spin_unlock_irqrestore+0x66/0xe0
[ 35.819266] hci_rx_work+0x3e6/0x970
[ 35.822957] ? rcu_lockdep_current_cpu_online+0xed/0x140
[ 35.828393] process_one_work+0x793/0x14a0
[ 35.832601] ? work_busy+0x320/0x320
[ 35.836288] ? worker_thread+0x158/0xff0
[ 35.840342] ? _raw_spin_unlock_irq+0x24/0x80
[ 35.844942] worker_thread+0x5cc/0xff0
[ 35.848803] ? rescuer_thread+0xc80/0xc80
[ 35.852923] kthread+0x30d/0x420
[ 35.856259] ? kthread_create_on_node+0xd0/0xd0
[ 35.861002] ret_from_fork+0x24/0x30
[ 35.865993] Kernel Offset: disabled
[ 35.869602] Rebooting in 86400 seconds..