Warning: Permanently added '10.128.0.167' (ECDSA) to the list of known hosts.
syzkaller login: [ 63.655481][ T6827] IPVS: ftp: loaded support on port[0] = 21
executing program
[ 63.738600][ T6831] Bluetooth: hci0: Unknown advertising packet type: 0xffff
[ 63.738691][ T6831] ==================================================================
[ 63.754147][ T6831] BUG: KASAN: slab-out-of-bounds in hci_le_meta_evt+0x3a02/0x3ff0
[ 63.761939][ T6831] Read of size 1 at addr ffff88809a0c1a09 by task kworker/u5:1/6831
[ 63.769905][ T6831]
[ 63.772221][ T6831] CPU: 1 PID: 6831 Comm: kworker/u5:1 Not tainted 5.8.0-syzkaller #0
[ 63.780258][ T6831] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 63.790303][ T6831] Workqueue: hci0 hci_rx_work
[ 63.794956][ T6831] Call Trace:
[ 63.798234][ T6831]  dump_stack+0x18f/0x20d
[ 63.802564][ T6831]  ? hci_le_meta_evt+0x3a02/0x3ff0
[ 63.807677][ T6831]  ? hci_le_meta_evt+0x3a02/0x3ff0
[ 63.812798][ T6831]  print_address_description.constprop.0.cold+0xae/0x497
[ 63.819915][ T6831]  ? vprintk_func+0x97/0x1a6
[ 63.824514][ T6831]  ? hci_le_meta_evt+0x3a02/0x3ff0
[ 63.829604][ T6831]  ? hci_le_meta_evt+0x3a02/0x3ff0
[ 63.834696][ T6831]  kasan_report.cold+0x1f/0x37
[ 63.839443][ T6831]  ? hci_le_meta_evt+0x3a02/0x3ff0
[ 63.844537][ T6831]  hci_le_meta_evt+0x3a02/0x3ff0
[ 63.849457][ T6831]  ? mark_lock+0xbc/0x1710
[ 63.853912][ T6831]  ? hci_key_refresh_complete_evt.isra.0+0x10b0/0x10b0
[ 63.860766][ T6831]  ? mark_lock+0xbc/0x1710
[ 63.865178][ T6831]  ? __lock_acquire+0x16cb/0x5640
[ 63.870195][ T6831]  ? __lock_acquire+0x16cb/0x5640
[ 63.875205][ T6831]  hci_event_packet+0x2e25/0x87a8
[ 63.880235][ T6831]  ? lockdep_hardirqs_on_prepare+0x530/0x530
[ 63.886196][ T6831]  ? __lock_acquire+0x16cb/0x5640
[ 63.891203][ T6831]  ? hci_cmd_complete_evt+0xc6d0/0xc6d0
[ 63.896743][ T6831]  ? lock_acquire+0x1f1/0xad0
[ 63.901410][ T6831]  ? skb_dequeue+0x1c/0x180
[ 63.905899][ T6831]  ? find_held_lock+0x2d/0x110
[ 63.910656][ T6831]  ? mark_lock+0xbc/0x1710
[ 63.915055][ T6831]  ? mark_held_locks+0x9f/0xe0
[ 63.919797][ T6831]  ? _raw_spin_unlock_irqrestore+0x62/0xe0
[ 63.925581][ T6831]  ? lockdep_hardirqs_on_prepare+0x354/0x530
[ 63.931539][ T6831]  ? trace_hardirqs_on+0x5f/0x220
[ 63.936545][ T6831]  ? lockdep_hardirqs_on+0x76/0xf0
[ 63.941648][ T6831]  hci_rx_work+0x22e/0xb50
[ 63.946055][ T6831]  process_one_work+0x94c/0x1670
[ 63.950990][ T6831]  ? lock_release+0x8e0/0x8e0
[ 63.955648][ T6831]  ? pwq_dec_nr_in_flight+0x2d0/0x2d0
[ 63.961000][ T6831]  ? rwlock_bug.part.0+0x90/0x90
[ 63.965930][ T6831]  worker_thread+0x64c/0x1120
[ 63.970602][ T6831]  ? process_one_work+0x1670/0x1670
[ 63.975792][ T6831]  kthread+0x3b5/0x4a0
[ 63.979837][ T6831]  ? __kthread_bind_mask+0xc0/0xc0
[ 63.984924][ T6831]  ? __kthread_bind_mask+0xc0/0xc0
[ 63.990025][ T6831]  ret_from_fork+0x1f/0x30
[ 63.994423][ T6831]
[ 63.996732][ T6831] Allocated by task 6827:
[ 64.001041][ T6831]  kasan_save_stack+0x1b/0x40
[ 64.005697][ T6831]  __kasan_kmalloc.constprop.0+0xbf/0xd0
[ 64.011319][ T6831]  __alloc_skb+0xae/0x550
[ 64.015625][ T6831]  vhci_write+0xbd/0x450
[ 64.019845][ T6831]  new_sync_write+0x422/0x650
[ 64.024504][ T6831]  vfs_write+0x5ad/0x730
[ 64.028723][ T6831]  ksys_write+0x12d/0x250
[ 64.033050][ T6831]  do_syscall_64+0x2d/0x70
[ 64.037445][ T6831]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 64.043318][ T6831]
[ 64.045626][ T6831] The buggy address belongs to the object at ffff88809a0c1800
[ 64.045626][ T6831]  which belongs to the cache kmalloc-512 of size 512
[ 64.059659][ T6831] The buggy address is located 9 bytes to the right of
[ 64.059659][ T6831]  512-byte region [ffff88809a0c1800, ffff88809a0c1a00)
[ 64.073263][ T6831] The buggy address belongs to the page:
[ 64.078887][ T6831] page:00000000a6e5a99e refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff88809a0c1400 pfn:0x9a0c1
[ 64.090323][ T6831] flags: 0xfffe0000000200(slab)
[ 64.095173][ T6831] raw: 00fffe0000000200 ffffea00028f60c8 ffff8880aa041740 ffff8880aa040600
[ 64.103750][ T6831] raw: ffff88809a0c1400 ffff88809a0c1000 0000000100000002 0000000000000000
[ 64.112309][ T6831] page dumped because: kasan: bad access detected
[ 64.118694][ T6831]
[ 64.120997][ T6831] Memory state around the buggy address:
[ 64.126620][ T6831]  ffff88809a0c1900: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 64.134667][ T6831]  ffff88809a0c1980: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 64.142703][ T6831] >ffff88809a0c1a00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 64.150745][ T6831]                    ^
[ 64.155050][ T6831]  ffff88809a0c1a80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 64.163100][ T6831]  ffff88809a0c1b00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 64.171133][ T6831] ==================================================================
[ 64.179170][ T6831] Disabling lock debugging due to kernel taint
[ 64.187807][ T6831] Kernel panic - not syncing: panic_on_warn set ...
[ 64.194431][ T6831] CPU: 1 PID: 6831 Comm: kworker/u5:1 Tainted: G    B             5.8.0-syzkaller #0
[ 64.203876][ T6831] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 64.213929][ T6831] Workqueue: hci0 hci_rx_work
[ 64.218578][ T6831] Call Trace:
[ 64.221846][ T6831]  dump_stack+0x18f/0x20d
[ 64.226152][ T6831]  ? hci_le_meta_evt+0x3940/0x3ff0
[ 64.231257][ T6831]  panic+0x2e3/0x75c
[ 64.235132][ T6831]  ? __warn_printk+0xf3/0xf3
[ 64.239717][ T6831]  ? preempt_schedule_common+0x59/0xc0
[ 64.245177][ T6831]  ? hci_le_meta_evt+0x3a02/0x3ff0
[ 64.250279][ T6831]  ? preempt_schedule_thunk+0x16/0x18
[ 64.255627][ T6831]  ? trace_hardirqs_on+0x55/0x220
[ 64.260625][ T6831]  ? hci_le_meta_evt+0x3a02/0x3ff0
[ 64.265723][ T6831]  ? hci_le_meta_evt+0x3a02/0x3ff0
[ 64.270819][ T6831]  end_report+0x4d/0x53
[ 64.274962][ T6831]  kasan_report.cold+0xd/0x37
[ 64.279614][ T6831]  ? hci_le_meta_evt+0x3a02/0x3ff0
[ 64.284698][ T6831]  hci_le_meta_evt+0x3a02/0x3ff0
[ 64.289622][ T6831]  ? mark_lock+0xbc/0x1710
[ 64.294014][ T6831]  ? hci_key_refresh_complete_evt.isra.0+0x10b0/0x10b0
[ 64.300836][ T6831]  ? mark_lock+0xbc/0x1710
[ 64.305244][ T6831]  ? __lock_acquire+0x16cb/0x5640
[ 64.310244][ T6831]  ? __lock_acquire+0x16cb/0x5640
[ 64.315248][ T6831]  hci_event_packet+0x2e25/0x87a8
[ 64.320264][ T6831]  ? lockdep_hardirqs_on_prepare+0x530/0x530
[ 64.326227][ T6831]  ? __lock_acquire+0x16cb/0x5640
[ 64.331228][ T6831]  ? hci_cmd_complete_evt+0xc6d0/0xc6d0
[ 64.336748][ T6831]  ? lock_acquire+0x1f1/0xad0
[ 64.341409][ T6831]  ? skb_dequeue+0x1c/0x180
[ 64.345894][ T6831]  ? find_held_lock+0x2d/0x110
[ 64.350645][ T6831]  ? mark_lock+0xbc/0x1710
[ 64.355038][ T6831]  ? mark_held_locks+0x9f/0xe0
[ 64.359778][ T6831]  ? _raw_spin_unlock_irqrestore+0x62/0xe0
[ 64.365572][ T6831]  ? lockdep_hardirqs_on_prepare+0x354/0x530
[ 64.371527][ T6831]  ? trace_hardirqs_on+0x5f/0x220
[ 64.376530][ T6831]  ? lockdep_hardirqs_on+0x76/0xf0
[ 64.381616][ T6831]  hci_rx_work+0x22e/0xb50
[ 64.386014][ T6831]  process_one_work+0x94c/0x1670
[ 64.390937][ T6831]  ? lock_release+0x8e0/0x8e0
[ 64.395606][ T6831]  ? pwq_dec_nr_in_flight+0x2d0/0x2d0
[ 64.400955][ T6831]  ? rwlock_bug.part.0+0x90/0x90
[ 64.405885][ T6831]  worker_thread+0x64c/0x1120
[ 64.410542][ T6831]  ? process_one_work+0x1670/0x1670
[ 64.415715][ T6831]  kthread+0x3b5/0x4a0
[ 64.419761][ T6831]  ? __kthread_bind_mask+0xc0/0xc0
[ 64.424872][ T6831]  ? __kthread_bind_mask+0xc0/0xc0
[ 64.429972][ T6831]  ret_from_fork+0x1f/0x30
[ 64.435358][ T6831] Kernel Offset: disabled
[ 64.439674][ T6831] Rebooting in 86400 seconds..
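Added illustration, not part of the syzkaller report above and not the kernel's code. What the report establishes: hci_le_meta_evt (called from hci_event_packet on the hci0 receive workqueue) performed a 1-byte read 9 bytes past the end of a 512-byte kmalloc object, and that object was the skb allocated in vhci_write, so the event payload itself was written by a user-space task through the virtual HCI driver. That combination is consistent with a length-prefixed LE sub-event being parsed by trusting lengths inside the packet instead of the skb's actual length; the exact field involved is not visible in the log and is not claimed here. The C program below models that bug class over an assumed record layout (the header offsets, the 9-byte header size and the sample bytes are all constructed for the demo): an unchecked walk that trusts the per-record length beside a parser that validates every field against the remaining bytes before reading it.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Assumed payload layout (constructed for this demo, not the kernel's
 * struct definitions):
 *   byte 0      sub-event code
 *   byte 1      num_reports
 *   then num_reports records of:
 *     +0  type    (u8)
 *     +1  addr[6]
 *     +7  rssi    (s8)
 *     +8  length  (u8)   number of data bytes that follow
 *     +9  data[length]
 */
#define REPORT_HDR_LEN 9

/* Constructed sample: two reports are declared, the second is cut off
 * after its first byte. Total length is 14 bytes. */
static const uint8_t SAMPLE_EVT[] = {
    0x02, 0x02,                                              /* sub-event, num_reports */
    0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0xC8, 0x02, 0xAA, 0xBB, /* report 1, 2 data bytes */
    0x00                                                     /* report 2: only 'type' present */
};

/* Constructed well-formed sample: one complete report, 13 bytes. */
static const uint8_t SAMPLE_OK[] = {
    0x02, 0x01,
    0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0xC8, 0x02, 0xAA, 0xBB
};

/* True if a 1-byte read at 'off' would land outside a 'len'-byte buffer. */
static int oob(size_t off, size_t len)
{
    return off >= len;
}

/*
 * Vulnerable pattern: trusts num_reports and each record's length field
 * and never compares them with the bytes actually present. So that the
 * demo itself stays memory-safe, the accesses are modelled rather than
 * performed: the function returns the offset of the first byte it would
 * read beyond 'len' (the read KASAN would flag), or -1 if every read
 * stayed inside the buffer.
 */
long walk_unchecked(const uint8_t *buf, size_t len)
{
    if (oob(1, len))
        return 1;                                  /* read num_reports */
    uint8_t num = buf[1];
    size_t p = 2;
    while (num--) {
        if (oob(p, len))
            return (long)p;                        /* read type        */
        if (oob(p + 8, len))
            return (long)(p + 8);                  /* read length      */
        uint8_t dlen = buf[p + 8];
        for (size_t i = 0; i < dlen; i++)          /* read data[]      */
            if (oob(p + REPORT_HDR_LEN + i, len))
                return (long)(p + REPORT_HDR_LEN + i);
        p += REPORT_HDR_LEN + dlen;
    }
    return -1;
}

/*
 * Hardened pattern: check that the fixed header fits before touching it,
 * then that the declared data fits before advancing. Returns the number
 * of complete reports, or -1 if the packet is shorter than it claims.
 */
int parse_checked(const uint8_t *buf, size_t len)
{
    if (len < 2)
        return -1;
    uint8_t num = buf[1];
    size_t p = 2;
    int parsed = 0;
    while (num--) {
        if (len - p < REPORT_HDR_LEN)              /* header must fit   */
            return -1;
        uint8_t dlen = buf[p + 8];
        if (len - p - REPORT_HDR_LEN < dlen)       /* then its data     */
            return -1;
        p += REPORT_HDR_LEN + dlen;
        parsed++;
    }
    return parsed;
}

int main(void)
{
    long first_oob = walk_unchecked(SAMPLE_EVT, sizeof SAMPLE_EVT);
    printf("unchecked walk: first read beyond the buffer at offset %ld "
           "(%ld bytes to the right of the %zu-byte payload)\n",
           first_oob, first_oob - (long)sizeof SAMPLE_EVT, sizeof SAMPLE_EVT);
    printf("checked parse of truncated packet: %d\n",
           parse_checked(SAMPLE_EVT, sizeof SAMPLE_EVT));
    printf("checked parse of well-formed packet: %d\n",
           parse_checked(SAMPLE_OK, sizeof SAMPLE_OK));
    return 0;
}
```

On the truncated sample the unchecked walk reaches the second record at offset 13 and tries to read its length byte at offset 21, 7 bytes past the 14-byte payload; that is the same shape of failure as the report's "Read of size 1 ... 9 bytes to the right of 512-byte region", where KASAN caught the read because the skb's data sat at the end of its kmalloc-512 object. The checked parser rejects the same packet before the read, and still accepts the well-formed one.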