Warning: Permanently added '10.128.10.28' (ECDSA) to the list of known hosts.
syzkaller login: [ 60.297158][ T6841] IPVS: ftp: loaded support on port[0] = 21
executing program
[ 61.453130][ T6865] ==================================================================
[ 61.461351][ T6865] BUG: KASAN: slab-out-of-bounds in hci_le_meta_evt+0x384e/0x3eb0
[ 61.469160][ T6865] Read of size 1 at addr ffff8880a8fc9604 by task kworker/u5:1/6865
[ 61.477130][ T6865]
[ 61.479460][ T6865] CPU: 0 PID: 6865 Comm: kworker/u5:1 Not tainted 5.8.0-syzkaller #0
[ 61.487527][ T6865] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 61.497600][ T6865] Workqueue: hci0 hci_rx_work
[ 61.502272][ T6865] Call Trace:
[ 61.505561][ T6865] dump_stack+0x18f/0x20d
[ 61.509887][ T6865] ? hci_le_meta_evt+0x384e/0x3eb0
[ 61.514988][ T6865] ? hci_le_meta_evt+0x384e/0x3eb0
[ 61.520116][ T6865] print_address_description.constprop.0.cold+0xae/0x436
[ 61.527158][ T6865] ? vprintk_func+0x97/0x1a6
[ 61.531753][ T6865] ? hci_le_meta_evt+0x384e/0x3eb0
[ 61.536857][ T6865] kasan_report.cold+0x1f/0x37
[ 61.541617][ T6865] ? hci_le_meta_evt+0x384e/0x3eb0
[ 61.546723][ T6865] hci_le_meta_evt+0x384e/0x3eb0
[ 61.551660][ T6865] ? mark_lock+0xbc/0x1710
[ 61.556094][ T6865] ? hci_key_refresh_complete_evt.isra.0+0x10b0/0x10b0
[ 61.562956][ T6865] ? mark_lock+0xbc/0x1710
[ 61.567375][ T6865] ? __lock_acquire+0x16cb/0x5640
[ 61.572402][ T6865] ? __lock_acquire+0x16cb/0x5640
[ 61.577442][ T6865] hci_event_packet+0x245a/0x86f5
[ 61.582471][ T6865] ? lockdep_hardirqs_on_prepare+0x530/0x530
[ 61.588450][ T6865] ? __lock_acquire+0x16cb/0x5640
[ 61.593471][ T6865] ? hci_cmd_complete_evt+0xc6e0/0xc6e0
[ 61.599015][ T6865] ? lock_acquire+0x1f1/0xad0
[ 61.603682][ T6865] ? skb_dequeue+0x1c/0x180
[ 61.608194][ T6865] ? find_held_lock+0x2d/0x110
[ 61.612966][ T6865] ? mark_lock+0xbc/0x1710
[ 61.617380][ T6865] ? mark_held_locks+0x9f/0xe0
[ 61.622143][ T6865] ? _raw_spin_unlock_irqrestore+0x62/0xe0
[ 61.627942][ T6865] ? lockdep_hardirqs_on_prepare+0x354/0x530
[ 61.633914][ T6865] ? trace_hardirqs_on+0x5f/0x220
[ 61.638947][ T6865] ? lockdep_hardirqs_on+0x76/0xf0
[ 61.644057][ T6865] hci_rx_work+0x22e/0xb10
[ 61.648493][ T6865] process_one_work+0x94c/0x1670
[ 61.653448][ T6865] ? lock_release+0x8e0/0x8e0
[ 61.658120][ T6865] ? pwq_dec_nr_in_flight+0x2d0/0x2d0
[ 61.663496][ T6865] ? rwlock_bug.part.0+0x90/0x90
[ 61.668441][ T6865] worker_thread+0x64c/0x1120
[ 61.673133][ T6865] ? process_one_work+0x1670/0x1670
[ 61.678327][ T6865] kthread+0x3b5/0x4a0
[ 61.682397][ T6865] ? __kthread_bind_mask+0xc0/0xc0
[ 61.687504][ T6865] ? __kthread_bind_mask+0xc0/0xc0
[ 61.692614][ T6865] ret_from_fork+0x1f/0x30
[ 61.697026][ T6865]
[ 61.699354][ T6865] Allocated by task 6841:
[ 61.703681][ T6865] save_stack+0x1b/0x40
[ 61.707829][ T6865] __kasan_kmalloc.constprop.0+0xc2/0xd0
[ 61.713452][ T6865] __alloc_skb+0xae/0x550
[ 61.717769][ T6865] vhci_write+0xbd/0x450
[ 61.722002][ T6865] new_sync_write+0x422/0x650
[ 61.726667][ T6865] vfs_write+0x59d/0x6b0
[ 61.730900][ T6865] ksys_write+0x12d/0x250
[ 61.735222][ T6865] do_syscall_64+0x60/0xe0
[ 61.739631][ T6865] entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 61.745503][ T6865]
[ 61.747817][ T6865] Freed by task 6239:
[ 61.751788][ T6865] save_stack+0x1b/0x40
[ 61.755945][ T6865] __kasan_slab_free+0xf5/0x140
[ 61.760780][ T6865] kfree+0x103/0x2c0
[ 61.764667][ T6865] tomoyo_supervisor+0x350/0xeb0
[ 61.769596][ T6865] tomoyo_path_permission+0x25c/0x360
[ 61.774960][ T6865] tomoyo_path_perm+0x2e7/0x3f0
[ 61.779800][ T6865] security_inode_getattr+0xcf/0x140
[ 61.785078][ T6865] vfs_statx_fd+0x70/0xf0
[ 61.789427][ T6865] __do_sys_newfstat+0x88/0x100
[ 61.794290][ T6865] do_syscall_64+0x60/0xe0
[ 61.798709][ T6865] entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 61.804617][ T6865]
[ 61.806935][ T6865] The buggy address belongs to the object at ffff8880a8fc9400
[ 61.806935][ T6865] which belongs to the cache kmalloc-512 of size 512
[ 61.820978][ T6865] The buggy address is located 4 bytes to the right of
[ 61.820978][ T6865] 512-byte region [ffff8880a8fc9400, ffff8880a8fc9600)
[ 61.834596][ T6865] The buggy address belongs to the page:
[ 61.840223][ T6865] page:ffffea0002a3f240 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0
[ 61.849332][ T6865] flags: 0xfffe0000000200(slab)
[ 61.854177][ T6865] raw: 00fffe0000000200 ffffea000271d908 ffffea0002a246c8 ffff8880aa000a80
[ 61.862753][ T6865] raw: 0000000000000000 ffff8880a8fc9000 0000000100000004 0000000000000000
[ 61.871323][ T6865] page dumped because: kasan: bad access detected
[ 61.877717][ T6865]
[ 61.880029][ T6865] Memory state around the buggy address:
[ 61.885651][ T6865] ffff8880a8fc9500: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 61.893808][ T6865] ffff8880a8fc9580: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 61.901946][ T6865] >ffff8880a8fc9600: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 61.909991][ T6865] ^
[ 61.914050][ T6865] ffff8880a8fc9680: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 61.922119][ T6865] ffff8880a8fc9700: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 61.930184][ T6865] ==================================================================
[ 61.938233][ T6865] Disabling lock debugging due to kernel taint
[ 61.951362][ T6865] Kernel panic - not syncing: panic_on_warn set ...
[ 61.957961][ T6865] CPU: 0 PID: 6865 Comm: kworker/u5:1 Tainted: G B 5.8.0-syzkaller #0
[ 61.967424][ T6865] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 61.977509][ T6865] Workqueue: hci0 hci_rx_work
[ 61.982177][ T6865] Call Trace:
[ 61.985465][ T6865] dump_stack+0x18f/0x20d
[ 61.989792][ T6865] ? hci_le_meta_evt+0x37e0/0x3eb0
[ 61.994899][ T6865] panic+0x2e3/0x75c
[ 61.998793][ T6865] ? __warn_printk+0xf3/0xf3
[ 62.003385][ T6865] ? preempt_schedule_common+0x59/0xc0
[ 62.008835][ T6865] ? hci_le_meta_evt+0x384e/0x3eb0
[ 62.013965][ T6865] ? preempt_schedule_thunk+0x16/0x18
[ 62.019341][ T6865] ? trace_hardirqs_on+0x55/0x220
[ 62.024365][ T6865] ? hci_le_meta_evt+0x384e/0x3eb0
[ 62.029471][ T6865] ? hci_le_meta_evt+0x384e/0x3eb0
[ 62.034577][ T6865] end_report+0x4d/0x53
[ 62.038730][ T6865] kasan_report.cold+0xd/0x37
[ 62.043405][ T6865] ? hci_le_meta_evt+0x384e/0x3eb0
[ 62.048510][ T6865] hci_le_meta_evt+0x384e/0x3eb0
[ 62.053470][ T6865] ? mark_lock+0xbc/0x1710
[ 62.057888][ T6865] ? hci_key_refresh_complete_evt.isra.0+0x10b0/0x10b0
[ 62.064742][ T6865] ? mark_lock+0xbc/0x1710
[ 62.069154][ T6865] ? __lock_acquire+0x16cb/0x5640
[ 62.074218][ T6865] ? __lock_acquire+0x16cb/0x5640
[ 62.079217][ T6865] hci_event_packet+0x245a/0x86f5
[ 62.084480][ T6865] ? lockdep_hardirqs_on_prepare+0x530/0x530
[ 62.090432][ T6865] ? __lock_acquire+0x16cb/0x5640
[ 62.095449][ T6865] ? hci_cmd_complete_evt+0xc6e0/0xc6e0
[ 62.100982][ T6865] ? lock_acquire+0x1f1/0xad0
[ 62.105631][ T6865] ? skb_dequeue+0x1c/0x180
[ 62.110121][ T6865] ? find_held_lock+0x2d/0x110
[ 62.114872][ T6865] ? mark_lock+0xbc/0x1710
[ 62.119349][ T6865] ? mark_held_locks+0x9f/0xe0
[ 62.124087][ T6865] ? _raw_spin_unlock_irqrestore+0x62/0xe0
[ 62.129879][ T6865] ? lockdep_hardirqs_on_prepare+0x354/0x530
[ 62.135831][ T6865] ? trace_hardirqs_on+0x5f/0x220
[ 62.140826][ T6865] ? lockdep_hardirqs_on+0x76/0xf0
[ 62.145914][ T6865] hci_rx_work+0x22e/0xb10
[ 62.150328][ T6865] process_one_work+0x94c/0x1670
[ 62.155253][ T6865] ? lock_release+0x8e0/0x8e0
[ 62.159914][ T6865] ? pwq_dec_nr_in_flight+0x2d0/0x2d0
[ 62.165274][ T6865] ? rwlock_bug.part.0+0x90/0x90
[ 62.170184][ T6865] worker_thread+0x64c/0x1120
[ 62.174836][ T6865] ? process_one_work+0x1670/0x1670
[ 62.180005][ T6865] kthread+0x3b5/0x4a0
[ 62.184052][ T6865] ? __kthread_bind_mask+0xc0/0xc0
[ 62.189148][ T6865] ? __kthread_bind_mask+0xc0/0xc0
[ 62.194234][ T6865] ret_from_fork+0x1f/0x30
[ 62.199664][ T6865] Kernel Offset: disabled
[ 62.203978][ T6865] Rebooting in 86400 seconds..