[ OK ] Reached target Multi-User System.
[ OK ] Reached target Graphical Interface.
Starting Update UTMP about System Runlevel Changes...
[ OK ] Started Load/Save RF Kill Switch Status.
[ OK ] Started Update UTMP about System Runlevel Changes.

Debian GNU/Linux 9 syzkaller ttyS0

Warning: Permanently added '10.128.0.157' (ECDSA) to the list of known hosts.

syzkaller login: [ 67.210595][ T6856] IPVS: ftp: loaded support on port[0] = 21
executing program
[ 68.342698][ T6878] Bluetooth: hci0: unknown advertising packet type: 0x2b
[ 68.342824][ T6878] ==================================================================
[ 68.358342][ T6878] BUG: KASAN: slab-out-of-bounds in hci_le_meta_evt+0x3922/0x3fd0
[ 68.366156][ T6878] Read of size 1 at addr ffff888096c4ee0c by task kworker/u5:1/6878
[ 68.374239][ T6878]
[ 68.376584][ T6878] CPU: 0 PID: 6878 Comm: kworker/u5:1 Not tainted 5.8.0-rc7-next-20200731-syzkaller #0
[ 68.386388][ T6878] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 68.396459][ T6878] Workqueue: hci0 hci_rx_work
[ 68.401151][ T6878] Call Trace:
[ 68.404451][ T6878] dump_stack+0x18f/0x20d
[ 68.408813][ T6878] ? hci_le_meta_evt+0x3922/0x3fd0
[ 68.413915][ T6878] ? hci_le_meta_evt+0x3922/0x3fd0
[ 68.419110][ T6878] print_address_description.constprop.0.cold+0xae/0x497
[ 68.426155][ T6878] ? lockdep_hardirqs_off+0x7e/0xb0
[ 68.431352][ T6878] ? vprintk_func+0x97/0x1a6
[ 68.435943][ T6878] ? hci_le_meta_evt+0x3922/0x3fd0
[ 68.441060][ T6878] ? hci_le_meta_evt+0x3922/0x3fd0
[ 68.446177][ T6878] kasan_report.cold+0x1f/0x37
[ 68.450947][ T6878] ? hci_le_meta_evt+0x3922/0x3fd0
[ 68.456075][ T6878] hci_le_meta_evt+0x3922/0x3fd0
[ 68.461006][ T6878] ? mark_lock+0xbc/0x1710
[ 68.465438][ T6878] ? hci_key_refresh_complete_evt.isra.0+0x10b0/0x10b0
[ 68.472289][ T6878] ? mark_lock+0xbc/0x1710
[ 68.476713][ T6878] ? __lock_acquire+0x16cb/0x5640
[ 68.481727][ T6878] ? __lock_acquire+0x16cb/0x5640
[ 68.486746][ T6878] hci_event_packet+0x2e25/0x87a8
[ 68.491761][ T6878] ? lockdep_hardirqs_on_prepare+0x530/0x530
[ 68.497834][ T6878] ? __lock_acquire+0x16cb/0x5640
[ 68.502850][ T6878] ? hci_cmd_complete_evt+0xc6d0/0xc6d0
[ 68.508390][ T6878] ? lock_acquire+0x1f1/0xad0
[ 68.513053][ T6878] ? skb_dequeue+0x1c/0x180
[ 68.517571][ T6878] ? find_held_lock+0x2d/0x110
[ 68.522323][ T6878] ? mark_lock+0xbc/0x1710
[ 68.526741][ T6878] ? mark_held_locks+0x9f/0xe0
[ 68.531506][ T6878] ? _raw_spin_unlock_irqrestore+0x62/0xe0
[ 68.537389][ T6878] ? lockdep_hardirqs_on_prepare+0x354/0x530
[ 68.543357][ T6878] ? trace_hardirqs_on+0x5f/0x220
[ 68.548371][ T6878] ? lockdep_hardirqs_on+0x76/0xf0
[ 68.553473][ T6878] hci_rx_work+0x22e/0xb50
[ 68.557885][ T6878] process_one_work+0x94c/0x1670
[ 68.562814][ T6878] ? lock_release+0x8e0/0x8e0
[ 68.567492][ T6878] ? pwq_dec_nr_in_flight+0x2d0/0x2d0
[ 68.572858][ T6878] ? rwlock_bug.part.0+0x90/0x90
[ 68.577888][ T6878] ? lockdep_hardirqs_off+0x7e/0xb0
[ 68.583095][ T6878] worker_thread+0x64c/0x1120
[ 68.587763][ T6878] ? __kthread_parkme+0x13f/0x1e0
[ 68.592772][ T6878] ? process_one_work+0x1670/0x1670
[ 68.597960][ T6878] kthread+0x3b5/0x4a0
[ 68.602012][ T6878] ? __kthread_bind_mask+0xc0/0xc0
[ 68.607105][ T6878] ? __kthread_bind_mask+0xc0/0xc0
[ 68.614896][ T6878] ret_from_fork+0x1f/0x30
[ 68.619317][ T6878]
[ 68.621648][ T6878] Allocated by task 6856:
[ 68.625971][ T6878] kasan_save_stack+0x1b/0x40
[ 68.630635][ T6878] __kasan_kmalloc.constprop.0+0xbf/0xd0
[ 68.636602][ T6878] __alloc_skb+0xae/0x550
[ 68.641006][ T6878] vhci_write+0xbd/0x450
[ 68.645237][ T6878] new_sync_write+0x422/0x650
[ 68.649960][ T6878] vfs_write+0x5ad/0x730
[ 68.654190][ T6878] ksys_write+0x12d/0x250
[ 68.658592][ T6878] do_syscall_64+0x2d/0x70
[ 68.663014][ T6878] entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 68.668892][ T6878]
[ 68.671211][ T6878] The buggy address belongs to the object at ffff888096c4ec00
[ 68.671211][ T6878]  which belongs to the cache kmalloc-512 of size 512
[ 68.685253][ T6878] The buggy address is located 12 bytes to the right of
[ 68.685253][ T6878]  512-byte region [ffff888096c4ec00, ffff888096c4ee00)
[ 68.699027][ T6878] The buggy address belongs to the page:
[ 68.704653][ T6878] page:000000002c646a78 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x96c4e
[ 68.714886][ T6878] flags: 0xfffe0000000200(slab)
[ 68.719726][ T6878] raw: 00fffe0000000200 ffffea00024f4008 ffffea0002523488 ffff8880aa000600
[ 68.728642][ T6878] raw: 0000000000000000 ffff888096c4e000 0000000100000004 0000000000000000
[ 68.737206][ T6878] page dumped because: kasan: bad access detected
[ 68.743696][ T6878]
[ 68.746614][ T6878] Memory state around the buggy address:
[ 68.752284][ T6878]  ffff888096c4ed00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 68.760453][ T6878]  ffff888096c4ed80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 68.768518][ T6878] >ffff888096c4ee00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 68.776626][ T6878]                       ^
[ 68.780941][ T6878]  ffff888096c4ee80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 68.789027][ T6878]  ffff888096c4ef00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 68.797076][ T6878] ==================================================================
[ 68.805119][ T6878] Disabling lock debugging due to kernel taint
[ 68.812960][ T6878] Kernel panic - not syncing: panic_on_warn set ...
[ 68.819563][ T6878] CPU: 0 PID: 6878 Comm: kworker/u5:1 Tainted: G B 5.8.0-rc7-next-20200731-syzkaller #0
[ 68.830572][ T6878] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 68.840638][ T6878] Workqueue: hci0 hci_rx_work
[ 68.845402][ T6878] Call Trace:
[ 68.848703][ T6878] dump_stack+0x18f/0x20d
[ 68.853040][ T6878] ? hci_le_meta_evt+0x3920/0x3fd0
[ 68.858947][ T6878] panic+0x2e3/0x75c
[ 68.862854][ T6878] ? __warn_printk+0xf3/0xf3
[ 68.867452][ T6878] ? preempt_schedule_common+0x59/0xc0
[ 68.872923][ T6878] ? hci_le_meta_evt+0x3922/0x3fd0
[ 68.878134][ T6878] ? preempt_schedule_thunk+0x16/0x18
[ 68.883687][ T6878] ? trace_hardirqs_on+0x55/0x220
[ 68.889916][ T6878] ? hci_le_meta_evt+0x3922/0x3fd0
[ 68.895066][ T6878] ? hci_le_meta_evt+0x3922/0x3fd0
[ 68.900358][ T6878] end_report+0x4d/0x53
[ 68.904527][ T6878] kasan_report.cold+0xd/0x37
[ 68.909223][ T6878] ? hci_le_meta_evt+0x3922/0x3fd0
[ 68.915918][ T6878] hci_le_meta_evt+0x3922/0x3fd0
[ 68.921072][ T6878] ? mark_lock+0xbc/0x1710
[ 68.925583][ T6878] ? hci_key_refresh_complete_evt.isra.0+0x10b0/0x10b0
[ 68.932438][ T6878] ? mark_lock+0xbc/0x1710
[ 68.936837][ T6878] ? __lock_acquire+0x16cb/0x5640
[ 68.941955][ T6878] ? __lock_acquire+0x16cb/0x5640
[ 68.947176][ T6878] hci_event_packet+0x2e25/0x87a8
[ 68.952185][ T6878] ? lockdep_hardirqs_on_prepare+0x530/0x530
[ 68.958144][ T6878] ? __lock_acquire+0x16cb/0x5640
[ 68.963167][ T6878] ? hci_cmd_complete_evt+0xc6d0/0xc6d0
[ 68.968837][ T6878] ? lock_acquire+0x1f1/0xad0
[ 68.973493][ T6878] ? skb_dequeue+0x1c/0x180
[ 68.977979][ T6878] ? find_held_lock+0x2d/0x110
[ 68.982718][ T6878] ? mark_lock+0xbc/0x1710
[ 68.987222][ T6878] ? mark_held_locks+0x9f/0xe0
[ 68.991964][ T6878] ? _raw_spin_unlock_irqrestore+0x62/0xe0
[ 68.998056][ T6878] ? lockdep_hardirqs_on_prepare+0x354/0x530
[ 69.004128][ T6878] ? trace_hardirqs_on+0x5f/0x220
[ 69.009176][ T6878] ? lockdep_hardirqs_on+0x76/0xf0
[ 69.014264][ T6878] hci_rx_work+0x22e/0xb50
[ 69.018682][ T6878] process_one_work+0x94c/0x1670
[ 69.023598][ T6878] ? lock_release+0x8e0/0x8e0
[ 69.028426][ T6878] ? pwq_dec_nr_in_flight+0x2d0/0x2d0
[ 69.033887][ T6878] ? rwlock_bug.part.0+0x90/0x90
[ 69.039103][ T6878] ? lockdep_hardirqs_off+0x7e/0xb0
[ 69.044472][ T6878] worker_thread+0x64c/0x1120
[ 69.049400][ T6878] ? __kthread_parkme+0x13f/0x1e0
[ 69.054759][ T6878] ? process_one_work+0x1670/0x1670
[ 69.060017][ T6878] kthread+0x3b5/0x4a0
[ 69.064061][ T6878] ? __kthread_bind_mask+0xc0/0xc0
[ 69.069149][ T6878] ? __kthread_bind_mask+0xc0/0xc0
[ 69.074639][ T6878] ret_from_fork+0x1f/0x30
[ 69.080952][ T6878] Kernel Offset: disabled
[ 69.085377][ T6878] Rebooting in 86400 seconds..