Starting Load/Save RF Kill Switch Status...
[  OK  ] Started Load/Save RF Kill Switch Status.
[  OK  ] Started Update UTMP about System Runlevel Changes.

Debian GNU/Linux 9 syzkaller ttyS0

Warning: Permanently added '10.128.10.27' (ECDSA) to the list of known hosts.

syzkaller login: [   34.372825] IPVS: ftp: loaded support on port[0] = 21
executing program
[   34.492584] Bluetooth: Unknown advertising packet type: 0x5b
[   34.498714] Bluetooth: hci0: advertising data len corrected
[   34.505545] ==================================================================
[   34.513186] BUG: KASAN: slab-out-of-bounds in hci_le_meta_evt+0x383e/0x3f20
[   34.520311] Read of size 1 at addr ffff8880b2a50c04 by task kworker/u5:1/8092
[   34.527555] 
[   34.529175] CPU: 1 PID: 8092 Comm: kworker/u5:1 Not tainted 4.19.211-syzkaller #0
[   34.536863] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/22/2022
[   34.546288] Workqueue: hci0 hci_rx_work
[   34.550247] Call Trace:
[   34.552816]  dump_stack+0x1fc/0x2ef
[   34.556430]  print_address_description.cold+0x54/0x219
[   34.561698]  kasan_report_error.cold+0x8a/0x1b9
[   34.566357]  ? hci_le_meta_evt+0x383e/0x3f20
[   34.570749]  __asan_report_load1_noabort+0x88/0x90
[   34.575658]  ? hci_le_meta_evt+0x383e/0x3f20
[   34.580044]  hci_le_meta_evt+0x383e/0x3f20
[   34.584260]  ? __lock_acquire+0x6de/0x3ff0
[   34.588472]  ? hci_cmd_status_evt+0x6fc0/0x6fc0
[   34.593120]  ? __lock_acquire+0x6de/0x3ff0
[   34.597337]  ? __lock_acquire+0x6de/0x3ff0
[   34.601575]  hci_event_packet+0x34ad/0x7e20
[   34.605878]  ? mark_held_locks+0xf0/0xf0
[   34.609916]  ? __lock_acquire+0x6de/0x3ff0
[   34.614141]  ? hci_cmd_complete_evt+0xc280/0xc280
[   34.618968]  ? __update_load_avg_se+0x5ec/0xa00
[   34.623617]  ? debug_object_deactivate+0x1f9/0x2e0
[   34.628531]  ? mark_held_locks+0xa6/0xf0
[   34.632569]  ? _raw_spin_unlock_irqrestore+0x79/0xe0
[   34.637654]  ? lockdep_hardirqs_on+0x3a8/0x5c0
[   34.642217]  hci_rx_work+0x4ad/0xc70
[   34.645913]  process_one_work+0x864/0x1570
[   34.650141]  ? pwq_dec_nr_in_flight+0x2d0/0x2d0
[   34.654792]  worker_thread+0x64c/0x1130
[   34.658751]  ? process_one_work+0x1570/0x1570
[   34.663230]  kthread+0x33f/0x460
[   34.666588]  ? kthread_park+0x180/0x180
[   34.670541]  ret_from_fork+0x24/0x30
[   34.674234] 
[   34.675836] Allocated by task 8088:
[   34.679542]  __kmalloc_node_track_caller+0x4c/0x70
[   34.684451]  __alloc_skb+0xae/0x560
[   34.688081]  vhci_write+0xbd/0x450
[   34.691619]  __vfs_write+0x51b/0x770
[   34.695312]  vfs_write+0x1f3/0x540
[   34.698831]  ksys_write+0x12b/0x2a0
[   34.702439]  do_syscall_64+0xf9/0x620
[   34.706233]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   34.711403] 
[   34.713097] Freed by task 6230:
[   34.716355]  kfree+0xcc/0x210
[   34.719461]  kernfs_fop_release+0x120/0x190
[   34.723765]  __fput+0x2ce/0x890
[   34.727025]  task_work_run+0x148/0x1c0
[   34.730890]  exit_to_usermode_loop+0x251/0x2a0
[   34.735455]  do_syscall_64+0x538/0x620
[   34.739330]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   34.744491] 
[   34.746109] The buggy address belongs to the object at ffff8880b2a50a00
[   34.746109]  which belongs to the cache kmalloc-512 of size 512
[   34.758752] The buggy address is located 4 bytes to the right of
[   34.758752]  512-byte region [ffff8880b2a50a00, ffff8880b2a50c00)
[   34.770946] The buggy address belongs to the page:
[   34.775855] page:ffffea0002ca9400 count:1 mapcount:0 mapping:ffff88813bff0940 index:0xffff8880b2a50000
[   34.785281] flags: 0xfff00000000100(slab)
[   34.789496] raw: 00fff00000000100 ffffea00027505c8 ffffea0002c907c8 ffff88813bff0940
[   34.797442] raw: ffff8880b2a50000 ffff8880b2a50000 0000000100000005 0000000000000000
[   34.805386] page dumped because: kasan: bad access detected
[   34.811069] 
[   34.812671] Memory state around the buggy address:
[   34.817587]  ffff8880b2a50b00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   34.824922]  ffff8880b2a50b80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   34.832257] >ffff8880b2a50c00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   34.839591]                    ^
[   34.843036]  ffff8880b2a50c80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   34.850374]  ffff8880b2a50d00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   34.857706] ==================================================================
[   34.865036] Disabling lock debugging due to kernel taint
[   34.874342] Kernel panic - not syncing: panic_on_warn set ...
[   34.874342] 
[   34.881722] CPU: 0 PID: 8092 Comm: kworker/u5:1 Tainted: G    B             4.19.211-syzkaller #0
[   34.890857] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/22/2022
[   34.900226] Workqueue: hci0 hci_rx_work
[   34.904176] Call Trace:
[   34.906744]  dump_stack+0x1fc/0x2ef
[   34.910351]  panic+0x26a/0x50e
[   34.913525]  ? __warn_printk+0xf3/0xf3
[   34.917411]  ? preempt_schedule_common+0x45/0xc0
[   34.922143]  ? ___preempt_schedule+0x16/0x18
[   34.926530]  ? trace_hardirqs_on+0x55/0x210
[   34.930831]  kasan_end_report+0x43/0x49
[   34.934786]  kasan_report_error.cold+0xa7/0x1b9
[   34.939430]  ? hci_le_meta_evt+0x383e/0x3f20
[   34.943880]  __asan_report_load1_noabort+0x88/0x90
[   34.948938]  ? hci_le_meta_evt+0x383e/0x3f20
[   34.953369]  hci_le_meta_evt+0x383e/0x3f20
[   34.957595]  ? __lock_acquire+0x6de/0x3ff0
[   34.961828]  ? hci_cmd_status_evt+0x6fc0/0x6fc0
[   34.966495]  ? __lock_acquire+0x6de/0x3ff0
[   34.970712]  ? __lock_acquire+0x6de/0x3ff0
[   34.974929]  hci_event_packet+0x34ad/0x7e20
[   34.979233]  ? mark_held_locks+0xf0/0xf0
[   34.983283]  ? __lock_acquire+0x6de/0x3ff0
[   34.987505]  ? hci_cmd_complete_evt+0xc280/0xc280
[   34.992338]  ? __update_load_avg_se+0x5ec/0xa00
[   34.996992]  ? debug_object_deactivate+0x1f9/0x2e0
[   35.001904]  ? mark_held_locks+0xa6/0xf0
[   35.005944]  ? _raw_spin_unlock_irqrestore+0x79/0xe0
[   35.011027]  ? lockdep_hardirqs_on+0x3a8/0x5c0
[   35.015589]  hci_rx_work+0x4ad/0xc70
[   35.019284]  process_one_work+0x864/0x1570
[   35.023509]  ? pwq_dec_nr_in_flight+0x2d0/0x2d0
[   35.028158]  worker_thread+0x64c/0x1130
[   35.032120]  ? process_one_work+0x1570/0x1570
[   35.036621]  kthread+0x33f/0x460
[   35.039992]  ? kthread_park+0x180/0x180
[   35.043959]  ret_from_fork+0x24/0x30
[   35.047853] Kernel Offset: disabled
[   35.051571] Rebooting in 86400 seconds..