[ OK ] Listening on Load/Save RF Kill Switch Status /dev/rfkill Watch.
[ OK ] Started Getty on tty6.
[ OK ] Started Getty on tty5.
[ OK ] Started Getty on tty4.
[ OK ] Started Getty on tty3.
[ OK ] Started Getty on tty2.
[ OK ] Started Getty on tty1.
[ OK ] Started Serial Getty on ttyS0.
[ OK ] Reached target Login Prompts.
[ OK ] Reached target Multi-User System.
[ OK ] Reached target Graphical Interface.
Starting Update UTMP about System Runlevel Changes...
Starting Load/Save RF Kill Switch Status...
[ OK ] Started Update UTMP about System Runlevel Changes.
[ OK ] Started Load/Save RF Kill Switch Status.

Debian GNU/Linux 9 syzkaller ttyS0

Warning: Permanently added '10.128.1.62' (ECDSA) to the list of known hosts.
executing program
executing program
syzkaller login: [ 65.713503][ T28] audit: type=1400 audit(1594427210.562:8): avc: denied { execmem } for pid=6897 comm="syz-executor059" scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=process permissive=1
[ 65.780153][ T1521] ==================================================================
[ 65.788556][ T1521] BUG: KASAN: slab-out-of-bounds in hci_inquiry_result_with_rssi_evt+0x230/0x6b0
[ 65.797658][ T1521] Read of size 6 at addr ffff88809dbc85fb by task kworker/u5:0/1521
[ 65.805619][ T1521]
[ 65.807948][ T1521] CPU: 1 PID: 1521 Comm: kworker/u5:0 Not tainted 5.8.0-rc4-syzkaller #0
[ 65.816345][ T1521] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 65.826384][ T1521] Workqueue: hci0 hci_rx_work
[ 65.831037][ T1521] Call Trace:
[ 65.834309][ T1521]  dump_stack+0x18f/0x20d
[ 65.838622][ T1521]  ? hci_inquiry_result_with_rssi_evt+0x230/0x6b0
[ 65.845016][ T1521]  ? hci_inquiry_result_with_rssi_evt+0x230/0x6b0
[ 65.851408][ T1521]  print_address_description.constprop.0.cold+0xae/0x436
[ 65.858412][ T1521]  ? lockdep_hardirqs_off+0x66/0xa0
[ 65.863589][ T1521]  ? vprintk_func+0x97/0x1a6
[ 65.868164][ T1521]  ? hci_inquiry_result_with_rssi_evt+0x230/0x6b0
[ 65.874555][ T1521]  kasan_report.cold+0x1f/0x37
[ 65.879315][ T1521]  ? hci_inquiry_result_with_rssi_evt+0x230/0x6b0
[ 65.885708][ T1521]  check_memory_region+0x13d/0x180
[ 65.890800][ T1521]  memcpy+0x20/0x60
[ 65.894589][ T1521]  hci_inquiry_result_with_rssi_evt+0x230/0x6b0
[ 65.900813][ T1521]  ? process_adv_report+0xe40/0xe40
[ 65.905997][ T1521]  hci_event_packet+0x1e8c/0x86f5
[ 65.911006][ T1521]  ? lockdep_hardirqs_on_prepare+0x590/0x590
[ 65.916968][ T1521]  ? hci_cmd_complete_evt+0xc6e0/0xc6e0
[ 65.922520][ T1521]  ? lock_acquire+0x1f1/0xad0
[ 65.927186][ T1521]  ? skb_dequeue+0x1c/0x180
[ 65.931674][ T1521]  ? find_held_lock+0x2d/0x110
[ 65.936424][ T1521]  ? mark_lock+0xbc/0x1710
[ 65.941469][ T1521]  ? mark_held_locks+0x9f/0xe0
[ 65.946223][ T1521]  ? _raw_spin_unlock_irqrestore+0x62/0xe0
[ 65.952014][ T1521]  ? lockdep_hardirqs_on_prepare+0x3a2/0x590
[ 65.957978][ T1521]  ? trace_hardirqs_on+0x5f/0x220
[ 65.962999][ T1521]  ? lockdep_hardirqs_on+0x6a/0xe0
[ 65.968099][ T1521]  hci_rx_work+0x22e/0xb10
[ 65.972514][ T1521]  process_one_work+0x94c/0x1670
[ 65.977445][ T1521]  ? pwq_dec_nr_in_flight+0x2d0/0x2d0
[ 65.982802][ T1521]  ? rwlock_bug.part.0+0x90/0x90
[ 65.987727][ T1521]  worker_thread+0x64c/0x1120
[ 65.992412][ T1521]  ? process_one_work+0x1670/0x1670
[ 65.997596][ T1521]  kthread+0x3b5/0x4a0
[ 66.001646][ T1521]  ? __kthread_bind_mask+0xc0/0xc0
[ 66.006736][ T1521]  ? __kthread_bind_mask+0xc0/0xc0
[ 66.011829][ T1521]  ret_from_fork+0x1f/0x30
[ 66.016242][ T1521]
[ 66.018547][ T1521] Allocated by task 6905:
[ 66.022858][ T1521]  save_stack+0x1b/0x40
[ 66.027011][ T1521]  __kasan_kmalloc.constprop.0+0xc2/0xd0
[ 66.032622][ T1521]  __alloc_skb+0xae/0x550
[ 66.036931][ T1521]  vhci_write+0xbd/0x450
[ 66.041241][ T1521]  new_sync_write+0x422/0x650
[ 66.045896][ T1521]  vfs_write+0x59d/0x6b0
[ 66.050115][ T1521]  ksys_write+0x12d/0x250
[ 66.054422][ T1521]  do_syscall_64+0x60/0xe0
[ 66.058818][ T1521]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 66.064679][ T1521]
[ 66.066988][ T1521] Freed by task 4921:
[ 66.071036][ T1521]  save_stack+0x1b/0x40
[ 66.075171][ T1521]  __kasan_slab_free+0xf5/0x140
[ 66.080004][ T1521]  kfree+0x103/0x2c0
[ 66.083876][ T1521]  ep_eventpoll_release+0x41/0x60
[ 66.088877][ T1521]  __fput+0x33c/0x880
[ 66.092836][ T1521]  task_work_run+0xdd/0x190
[ 66.097419][ T1521]  __prepare_exit_to_usermode+0x1e9/0x1f0
[ 66.103114][ T1521]  do_syscall_64+0x6c/0xe0
[ 66.107506][ T1521]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 66.113367][ T1521]
[ 66.115678][ T1521] The buggy address belongs to the object at ffff88809dbc8400
[ 66.115678][ T1521]  which belongs to the cache kmalloc-512 of size 512
[ 66.129806][ T1521] The buggy address is located 507 bytes inside of
[ 66.129806][ T1521]  512-byte region [ffff88809dbc8400, ffff88809dbc8600)
[ 66.143055][ T1521] The buggy address belongs to the page:
[ 66.148666][ T1521] page:ffffea000276f200 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0
[ 66.157747][ T1521] flags: 0xfffe0000000200(slab)
[ 66.162578][ T1521] raw: 00fffe0000000200 ffffea000288bb48 ffffea0002877488 ffff8880aa000a80
[ 66.171146][ T1521] raw: 0000000000000000 ffff88809dbc8000 0000000100000004 0000000000000000
[ 66.179703][ T1521] page dumped because: kasan: bad access detected
[ 66.186086][ T1521]
[ 66.188387][ T1521] Memory state around the buggy address:
[ 66.195136][ T1521]  ffff88809dbc8500: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 66.203207][ T1521]  ffff88809dbc8580: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 66.211250][ T1521] >ffff88809dbc8600: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 66.219288][ T1521]                    ^
[ 66.223350][ T1521]  ffff88809dbc8680: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 66.231393][ T1521]  ffff88809dbc8700: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 66.239436][ T1521] ==================================================================
[ 66.247472][ T1521] Disabling lock debugging due to kernel taint
[ 66.255712][ T1521] Kernel panic - not syncing: panic_on_warn set ...
[ 66.262311][ T1521] CPU: 1 PID: 1521 Comm: kworker/u5:0 Tainted: G    B             5.8.0-rc4-syzkaller #0
[ 66.272095][ T1521] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 66.282147][ T1521] Workqueue: hci0 hci_rx_work
[ 66.286806][ T1521] Call Trace:
[ 66.290087][ T1521]  dump_stack+0x18f/0x20d
[ 66.294416][ T1521]  ? hci_inquiry_result_with_rssi_evt+0x220/0x6b0
[ 66.300824][ T1521]  panic+0x2e3/0x75c
[ 66.304711][ T1521]  ? __warn_printk+0xf3/0xf3
[ 66.309297][ T1521]  ? preempt_schedule_common+0x59/0xc0
[ 66.314757][ T1521]  ? hci_inquiry_result_with_rssi_evt+0x230/0x6b0
[ 66.321161][ T1521]  ? preempt_schedule_thunk+0x16/0x18
[ 66.326519][ T1521]  ? trace_hardirqs_on+0x55/0x220
[ 66.331524][ T1521]  ? hci_inquiry_result_with_rssi_evt+0x230/0x6b0
[ 66.337916][ T1521]  ? hci_inquiry_result_with_rssi_evt+0x230/0x6b0
[ 66.344303][ T1521]  end_report+0x4d/0x53
[ 66.348435][ T1521]  kasan_report.cold+0xd/0x37
[ 66.353091][ T1521]  ? hci_inquiry_result_with_rssi_evt+0x230/0x6b0
[ 66.359491][ T1521]  check_memory_region+0x13d/0x180
[ 66.364578][ T1521]  memcpy+0x20/0x60
[ 66.368364][ T1521]  hci_inquiry_result_with_rssi_evt+0x230/0x6b0
[ 66.374580][ T1521]  ? process_adv_report+0xe40/0xe40
[ 66.379758][ T1521]  hci_event_packet+0x1e8c/0x86f5
[ 66.384873][ T1521]  ? lockdep_hardirqs_on_prepare+0x590/0x590
[ 66.390867][ T1521]  ? hci_cmd_complete_evt+0xc6e0/0xc6e0
[ 66.396420][ T1521]  ? lock_acquire+0x1f1/0xad0
[ 66.401079][ T1521]  ? skb_dequeue+0x1c/0x180
[ 66.405557][ T1521]  ? find_held_lock+0x2d/0x110
[ 66.410300][ T1521]  ? mark_lock+0xbc/0x1710
[ 66.414698][ T1521]  ? mark_held_locks+0x9f/0xe0
[ 66.419442][ T1521]  ? _raw_spin_unlock_irqrestore+0x62/0xe0
[ 66.425223][ T1521]  ? lockdep_hardirqs_on_prepare+0x3a2/0x590
[ 66.431175][ T1521]  ? trace_hardirqs_on+0x5f/0x220
[ 66.436179][ T1521]  ? lockdep_hardirqs_on+0x6a/0xe0
[ 66.441273][ T1521]  hci_rx_work+0x22e/0xb10
[ 66.445675][ T1521]  process_one_work+0x94c/0x1670
[ 66.450594][ T1521]  ? pwq_dec_nr_in_flight+0x2d0/0x2d0
[ 66.455945][ T1521]  ? rwlock_bug.part.0+0x90/0x90
[ 66.460862][ T1521]  worker_thread+0x64c/0x1120
[ 66.465520][ T1521]  ? process_one_work+0x1670/0x1670
[ 66.470706][ T1521]  kthread+0x3b5/0x4a0
[ 66.474751][ T1521]  ? __kthread_bind_mask+0xc0/0xc0
[ 66.479838][ T1521]  ? __kthread_bind_mask+0xc0/0xc0
[ 66.484928][ T1521]  ret_from_fork+0x1f/0x30
[ 66.490427][ T1521] Kernel Offset: disabled
[ 66.494738][ T1521] Rebooting in 86400 seconds..