Warning: Permanently added '10.128.0.32' (ECDSA) to the list of known hosts.
syzkaller login: [ 42.219806] audit: type=1400 audit(1596450952.716:8): avc: denied { execmem } for pid=6476 comm="syz-executor919" scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=process permissive=1
[ 42.232736] IPVS: ftp: loaded support on port[0] = 21
executing program
[ 43.335440] Bluetooth: hci0: unknown advertising packet type: 0x2b
[ 43.342129] Bluetooth: hci0: unknown advertising packet type: 0x4e
[ 43.348484] Bluetooth: hci0: unknown advertising packet type: 0xff
[ 43.355052] Bluetooth: hci0: unknown advertising packet type: 0xff
[ 43.361835] Bluetooth: hci0: unknown advertising packet type: 0x88
[ 43.368161] Bluetooth: hci0: unknown advertising packet type: 0x88
[ 43.375006] Bluetooth: hci0: unknown advertising packet type: 0xff
[ 43.381404] Bluetooth: hci0: unknown advertising packet type: 0xff
[ 43.387915] ==================================================================
[ 43.395431] BUG: KASAN: slab-out-of-bounds in hci_le_meta_evt+0x337e/0x39c0
[ 43.402530] Read of size 1 at addr ffff88809eeecf0c by task kworker/u5:0/1226
[ 43.409816]
[ 43.411437] CPU: 1 PID: 1226 Comm: kworker/u5:0 Not tainted 4.19.136-syzkaller #0
[ 43.419036] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 43.428409] Workqueue: hci0 hci_rx_work
[ 43.432367] Call Trace:
[ 43.434940] dump_stack+0x1fc/0x2fe
[ 43.438553] print_address_description.cold+0x54/0x219
[ 43.443816] kasan_report_error.cold+0x8a/0x1c7
[ 43.448539] ? hci_le_meta_evt+0x337e/0x39c0
[ 43.452933] __asan_report_load1_noabort+0x88/0x90
[ 43.457861] ? hci_le_meta_evt+0x337e/0x39c0
[ 43.462948] hci_le_meta_evt+0x337e/0x39c0
[ 43.467168] ? __lock_acquire+0x6de/0x3ff0
[ 43.471505] ? read_enc_key_size_complete+0xb90/0xb90
[ 43.476690] ? __lock_acquire+0x6de/0x3ff0
[ 43.481053] ? __lock_acquire+0x6de/0x3ff0
[ 43.485285] hci_event_packet+0x1a29/0x858f
[ 43.489594] ? mark_held_locks+0xf0/0xf0
[ 43.493641] ? __lock_acquire+0x6de/0x3ff0
[ 43.497866] ? hci_cmd_complete_evt+0xb5e0/0xb5e0
[ 43.502719] ? __update_load_avg_se+0x5ec/0xa00
[ 43.507371] ? debug_object_deactivate+0x1f9/0x2e0
[ 43.512292] ? mark_held_locks+0xa6/0xf0
[ 43.516337] ? _raw_spin_unlock_irqrestore+0x79/0xe0
[ 43.521425] ? lockdep_hardirqs_on+0x3a8/0x5c0
[ 43.526000] hci_rx_work+0x46b/0xa90
[ 43.529704] process_one_work+0x864/0x1570
[ 43.533933] ? pwq_dec_nr_in_flight+0x2d0/0x2d0
[ 43.538591] worker_thread+0x64c/0x1130
[ 43.542558] ? process_one_work+0x1570/0x1570
[ 43.547036] kthread+0x30b/0x410
[ 43.550385] ? kthread_park+0x180/0x180
[ 43.554351] ret_from_fork+0x24/0x30
[ 43.558047]
[ 43.559654] Allocated by task 6477:
[ 43.563355] __kmalloc_node_track_caller+0x4c/0x70
[ 43.568268] __alloc_skb+0xae/0x560
[ 43.571880] vhci_write+0xbd/0x450
[ 43.575402] __vfs_write+0x51b/0x770
[ 43.579097] vfs_write+0x1f3/0x540
[ 43.582621] ksys_write+0x12b/0x2a0
[ 43.586230] do_syscall_64+0xf9/0x620
[ 43.590016] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 43.595180]
[ 43.596788] Freed by task 4493:
[ 43.600047] kfree+0xcc/0x210
[ 43.603140] kernfs_fop_release+0x120/0x190
[ 43.607445] __fput+0x2ce/0x890
[ 43.610708] task_work_run+0x148/0x1c0
[ 43.614580] exit_to_usermode_loop+0x251/0x2a0
[ 43.619150] do_syscall_64+0x538/0x620
[ 43.623039] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 43.628207]
[ 43.629822] The buggy address belongs to the object at ffff88809eeecd00
[ 43.629822] which belongs to the cache kmalloc-512 of size 512
[ 43.642581] The buggy address is located 12 bytes to the right of
[ 43.642581] 512-byte region [ffff88809eeecd00, ffff88809eeecf00)
[ 43.654878] The buggy address belongs to the page:
[ 43.659806] page:ffffea00027bbb00 count:1 mapcount:0 mapping:ffff88812c39c940 index:0x0
[ 43.667929] flags: 0xfffe0000000100(slab)
[ 43.672063] raw: 00fffe0000000100 ffffea0002288708 ffffea00029ece48 ffff88812c39c940
[ 43.680038] raw: 0000000000000000 ffff88809eeec080 0000000100000006 0000000000000000
[ 43.687895] page dumped because: kasan: bad access detected
[ 43.693582]
[ 43.695187] Memory state around the buggy address:
[ 43.700094] ffff88809eeece00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 43.707521] ffff88809eeece80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 43.714966] >ffff88809eeecf00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 43.722306] ^
[ 43.725916] ffff88809eeecf80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 43.733254] ffff88809eeed000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 43.740592] ==================================================================
[ 43.747935] Disabling lock debugging due to kernel taint
[ 43.753746] Kernel panic - not syncing: panic_on_warn set ...
[ 43.753746]
[ 43.761124] CPU: 1 PID: 1226 Comm: kworker/u5:0 Tainted: G B 4.19.136-syzkaller #0
[ 43.770133] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 43.779501] Workqueue: hci0 hci_rx_work
[ 43.783472] Call Trace:
[ 43.786047] dump_stack+0x1fc/0x2fe
[ 43.789659] panic+0x26a/0x50e
[ 43.792847] ? __warn_printk+0xf3/0xf3
[ 43.796716] ? preempt_schedule_common+0x45/0xc0
[ 43.801453] ? ___preempt_schedule+0x16/0x18
[ 43.805841] ? trace_hardirqs_on+0x55/0x210
[ 43.810145] kasan_end_report+0x43/0x49
[ 43.814099] kasan_report_error.cold+0xa7/0x1c7
[ 43.818763] ? hci_le_meta_evt+0x337e/0x39c0
[ 43.823151] __asan_report_load1_noabort+0x88/0x90
[ 43.828057] ? hci_le_meta_evt+0x337e/0x39c0
[ 43.832445] hci_le_meta_evt+0x337e/0x39c0
[ 43.836668] ? __lock_acquire+0x6de/0x3ff0
[ 43.841032] ? read_enc_key_size_complete+0xb90/0xb90
[ 43.846203] ? __lock_acquire+0x6de/0x3ff0
[ 43.850420] ? __lock_acquire+0x6de/0x3ff0
[ 43.854640] hci_event_packet+0x1a29/0x858f
[ 43.859032] ? mark_held_locks+0xf0/0xf0
[ 43.863152] ? __lock_acquire+0x6de/0x3ff0
[ 43.867372] ? hci_cmd_complete_evt+0xb5e0/0xb5e0
[ 43.872201] ? __update_load_avg_se+0x5ec/0xa00
[ 43.876918] ? debug_object_deactivate+0x1f9/0x2e0
[ 43.881835] ? mark_held_locks+0xa6/0xf0
[ 43.885882] ? _raw_spin_unlock_irqrestore+0x79/0xe0
[ 43.890968] ? lockdep_hardirqs_on+0x3a8/0x5c0
[ 43.895537] hci_rx_work+0x46b/0xa90
[ 43.899234] process_one_work+0x864/0x1570
[ 43.903470] ? pwq_dec_nr_in_flight+0x2d0/0x2d0
[ 43.908119] worker_thread+0x64c/0x1130
[ 43.912079] ? process_one_work+0x1570/0x1570
[ 43.916555] kthread+0x30b/0x410
[ 43.919901] ? kthread_park+0x180/0x180
[ 43.923860] ret_from_fork+0x24/0x30
[ 43.928836] Kernel Offset: disabled
[ 43.932473] Rebooting in 86400 seconds..