[  OK  ] Reached target Login Prompts.
[  OK  ] Reached target Multi-User System.
[  OK  ] Reached target Graphical Interface.
         Starting Update UTMP about System Runlevel Changes...
[  OK  ] Started Update UTMP about System Runlevel Changes.

Debian GNU/Linux 9 syzkaller ttyS0

Warning: Permanently added '10.128.0.167' (ECDSA) to the list of known hosts.

syzkaller login: [ 60.733165][ T6834] IPVS: ftp: loaded support on port[0] = 21
executing program
[ 60.802745][ T6840] ==================================================================
[ 60.811038][ T6840] BUG: KASAN: slab-out-of-bounds in hci_le_meta_evt+0x3937/0x3ff0
[ 60.818852][ T6840] Read of size 1 at addr ffff88809dccaa0c by task kworker/u5:2/6840
[ 60.826820][ T6840]
[ 60.829159][ T6840] CPU: 1 PID: 6840 Comm: kworker/u5:2 Not tainted 5.9.0-rc2-syzkaller #0
[ 60.837564][ T6840] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 60.847637][ T6840] Workqueue: hci0 hci_rx_work
[ 60.852312][ T6840] Call Trace:
[ 60.855603][ T6840]  dump_stack+0x18f/0x20d
[ 60.859962][ T6840]  ? hci_le_meta_evt+0x3937/0x3ff0
[ 60.865077][ T6840]  ? hci_le_meta_evt+0x3937/0x3ff0
[ 60.870365][ T6840]  print_address_description.constprop.0.cold+0xae/0x497
[ 60.877412][ T6840]  ? vprintk_func+0x97/0x1a6
[ 60.882019][ T6840]  ? hci_le_meta_evt+0x3937/0x3ff0
[ 60.887153][ T6840]  ? hci_le_meta_evt+0x3937/0x3ff0
[ 60.892277][ T6840]  kasan_report.cold+0x1f/0x37
[ 60.897047][ T6840]  ? hci_le_meta_evt+0x3937/0x3ff0
[ 60.902172][ T6840]  hci_le_meta_evt+0x3937/0x3ff0
[ 60.907121][ T6840]  ? mark_lock+0xbc/0x1710
[ 60.911543][ T6840]  ? hci_key_refresh_complete_evt.isra.0+0x10b0/0x10b0
[ 60.918399][ T6840]  ? mark_lock+0xbc/0x1710
[ 60.922812][ T6840]  ? __lock_acquire+0x16cb/0x5640
[ 60.927836][ T6840]  ? __lock_acquire+0x16cb/0x5640
[ 60.932863][ T6840]  hci_event_packet+0x2e25/0x87a8
[ 60.937889][ T6840]  ? lockdep_hardirqs_on_prepare+0x530/0x530
[ 60.943861][ T6840]  ? __lock_acquire+0x16cb/0x5640
[ 60.948883][ T6840]  ? hci_cmd_complete_evt+0xc6d0/0xc6d0
[ 60.954513][ T6840]  ? lock_acquire+0x1f1/0xad0
[ 60.959186][ T6840]  ? skb_dequeue+0x1c/0x180
[ 60.963694][ T6840]  ? find_held_lock+0x2d/0x110
[ 60.968456][ T6840]  ? mark_lock+0xbc/0x1710
[ 60.972870][ T6840]  ? mark_held_locks+0x9f/0xe0
[ 60.977628][ T6840]  ? _raw_spin_unlock_irqrestore+0x62/0xe0
[ 60.983432][ T6840]  ? lockdep_hardirqs_on_prepare+0x354/0x530
[ 60.989429][ T6840]  ? trace_hardirqs_on+0x5f/0x220
[ 60.994450][ T6840]  ? lockdep_hardirqs_on+0x76/0xf0
[ 60.999569][ T6840]  hci_rx_work+0x22e/0xb50
[ 61.004009][ T6840]  process_one_work+0x94c/0x1670
[ 61.008968][ T6840]  ? lock_release+0x8e0/0x8e0
[ 61.013646][ T6840]  ? pwq_dec_nr_in_flight+0x2d0/0x2d0
[ 61.019014][ T6840]  ? rwlock_bug.part.0+0x90/0x90
[ 61.023980][ T6840]  worker_thread+0x64c/0x1120
[ 61.028696][ T6840]  ? __kthread_parkme+0x13f/0x1e0
[ 61.033716][ T6840]  ? process_one_work+0x1670/0x1670
[ 61.038921][ T6840]  kthread+0x3b5/0x4a0
[ 61.042995][ T6840]  ? __kthread_bind_mask+0xc0/0xc0
[ 61.048104][ T6840]  ? __kthread_bind_mask+0xc0/0xc0
[ 61.053216][ T6840]  ret_from_fork+0x1f/0x30
[ 61.057632][ T6840]
[ 61.059956][ T6840] Allocated by task 6834:
[ 61.064290][ T6840]  kasan_save_stack+0x1b/0x40
[ 61.068974][ T6840]  __kasan_kmalloc.constprop.0+0xbf/0xd0
[ 61.074593][ T6840]  __alloc_skb+0xae/0x550
[ 61.078921][ T6840]  vhci_write+0xbd/0x450
[ 61.083153][ T6840]  new_sync_write+0x422/0x650
[ 61.087821][ T6840]  vfs_write+0x5ad/0x730
[ 61.092053][ T6840]  ksys_write+0x12d/0x250
[ 61.096373][ T6840]  __do_fast_syscall_32+0x57/0x80
[ 61.101386][ T6840]  do_fast_syscall_32+0x2f/0x70
[ 61.106227][ T6840]  entry_SYSENTER_compat_after_hwframe+0x4d/0x5c
[ 61.112532][ T6840]
[ 61.114893][ T6840] The buggy address belongs to the object at ffff88809dcca800
[ 61.114893][ T6840]  which belongs to the cache kmalloc-512 of size 512
[ 61.128945][ T6840] The buggy address is located 12 bytes to the right of
[ 61.128945][ T6840]  512-byte region [ffff88809dcca800, ffff88809dccaa00)
[ 61.142634][ T6840] The buggy address belongs to the page:
[ 61.148283][ T6840] page:0000000017e1d11d refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x9dcca
[ 61.158416][ T6840] flags: 0xfffe0000000200(slab)
[ 61.163263][ T6840] raw: 00fffe0000000200 ffffea0002680848 ffffea0002679848 ffff8880aa040600
[ 61.171842][ T6840] raw: 0000000000000000 ffff88809dcca000 0000000100000004 0000000000000000
[ 61.180421][ T6840] page dumped because: kasan: bad access detected
[ 61.186817][ T6840]
[ 61.189135][ T6840] Memory state around the buggy address:
[ 61.194775][ T6840]  ffff88809dcca900: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 61.202845][ T6840]  ffff88809dcca980: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 61.210896][ T6840] >ffff88809dccaa00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 61.218945][ T6840]                       ^
[ 61.223264][ T6840]  ffff88809dccaa80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 61.231315][ T6840]  ffff88809dccab00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 61.239358][ T6840] ==================================================================
[ 61.247412][ T6840] Disabling lock debugging due to kernel taint
[ 61.255372][ T6840] Kernel panic - not syncing: panic_on_warn set ...
[ 61.261970][ T6840] CPU: 1 PID: 6840 Comm: kworker/u5:2 Tainted: G    B             5.9.0-rc2-syzkaller #0
[ 61.271760][ T6840] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 61.281831][ T6840] Workqueue: hci0 hci_rx_work
[ 61.286510][ T6840] Call Trace:
[ 61.289799][ T6840]  dump_stack+0x18f/0x20d
[ 61.294126][ T6840]  ? hci_le_meta_evt+0x38c0/0x3ff0
[ 61.299240][ T6840]  panic+0x2e3/0x75c
[ 61.303137][ T6840]  ? __warn_printk+0xf3/0xf3
[ 61.307726][ T6840]  ? preempt_schedule_common+0x59/0xc0
[ 61.313179][ T6840]  ? hci_le_meta_evt+0x3937/0x3ff0
[ 61.318287][ T6840]  ? preempt_schedule_thunk+0x16/0x18
[ 61.323696][ T6840]  ? trace_hardirqs_on+0x55/0x220
[ 61.328739][ T6840]  ? hci_le_meta_evt+0x3937/0x3ff0
[ 61.333857][ T6840]  ? hci_le_meta_evt+0x3937/0x3ff0
[ 61.338948][ T6840]  end_report+0x4d/0x53
[ 61.343364][ T6840]  kasan_report.cold+0xd/0x37
[ 61.348039][ T6840]  ? hci_le_meta_evt+0x3937/0x3ff0
[ 61.353667][ T6840]  hci_le_meta_evt+0x3937/0x3ff0
[ 61.358597][ T6840]  ? mark_lock+0xbc/0x1710
[ 61.363008][ T6840]  ? hci_key_refresh_complete_evt.isra.0+0x10b0/0x10b0
[ 61.369848][ T6840]  ? mark_lock+0xbc/0x1710
[ 61.374279][ T6840]  ? __lock_acquire+0x16cb/0x5640
[ 61.379314][ T6840]  ? __lock_acquire+0x16cb/0x5640
[ 61.384321][ T6840]  hci_event_packet+0x2e25/0x87a8
[ 61.389342][ T6840]  ? lockdep_hardirqs_on_prepare+0x530/0x530
[ 61.395339][ T6840]  ? __lock_acquire+0x16cb/0x5640
[ 61.400346][ T6840]  ? hci_cmd_complete_evt+0xc6d0/0xc6d0
[ 61.405874][ T6840]  ? lock_acquire+0x1f1/0xad0
[ 61.410531][ T6840]  ? skb_dequeue+0x1c/0x180
[ 61.415117][ T6840]  ? find_held_lock+0x2d/0x110
[ 61.419858][ T6840]  ? mark_lock+0xbc/0x1710
[ 61.424264][ T6840]  ? mark_held_locks+0x9f/0xe0
[ 61.429004][ T6840]  ? _raw_spin_unlock_irqrestore+0x62/0xe0
[ 61.434787][ T6840]  ? lockdep_hardirqs_on_prepare+0x354/0x530
[ 61.440747][ T6840]  ? trace_hardirqs_on+0x5f/0x220
[ 61.445750][ T6840]  ? lockdep_hardirqs_on+0x76/0xf0
[ 61.450872][ T6840]  hci_rx_work+0x22e/0xb50
[ 61.459103][ T6840]  process_one_work+0x94c/0x1670
[ 61.464037][ T6840]  ? lock_release+0x8e0/0x8e0
[ 61.468699][ T6840]  ? pwq_dec_nr_in_flight+0x2d0/0x2d0
[ 61.474051][ T6840]  ? rwlock_bug.part.0+0x90/0x90
[ 61.478982][ T6840]  worker_thread+0x64c/0x1120
[ 61.483643][ T6840]  ? __kthread_parkme+0x13f/0x1e0
[ 61.488700][ T6840]  ? process_one_work+0x1670/0x1670
[ 61.493889][ T6840]  kthread+0x3b5/0x4a0
[ 61.497959][ T6840]  ? __kthread_bind_mask+0xc0/0xc0
[ 61.503096][ T6840]  ? __kthread_bind_mask+0xc0/0xc0
[ 61.508195][ T6840]  ret_from_fork+0x1f/0x30
[ 61.513900][ T6840] Kernel Offset: disabled
[ 61.518219][ T6840] Rebooting in 86400 seconds..