[ OK ] Started Getty on tty2.
[ OK ] Started Getty on tty1.
[ OK ] Started Serial Getty on ttyS0.
[ OK ] Reached target Login Prompts.
[ OK ] Reached target Multi-User System.
[ OK ] Reached target Graphical Interface.
Starting Update UTMP about System Runlevel Changes...
[ OK ] Started Update UTMP about System Runlevel Changes.
Starting Load/Save RF Kill Switch Status...
[ OK ] Started Load/Save RF Kill Switch Status.

Debian GNU/Linux 9 syzkaller ttyS0

Warning: Permanently added '10.128.0.251' (ECDSA) to the list of known hosts.
executing program
executing program

syzkaller login:
[ 56.022632][ T1520] ==================================================================
[ 56.030867][ T1520] BUG: KASAN: slab-out-of-bounds in hci_extended_inquiry_result_evt.isra.0+0x1be/0x5e0
[ 56.040496][ T1520] Read of size 6 at addr ffff8880a6dd2404 by task kworker/u5:0/1520
[ 56.048467][ T1520]
[ 56.050807][ T1520] CPU: 0 PID: 1520 Comm: kworker/u5:0 Not tainted 5.8.0-rc3-syzkaller #0
[ 56.059213][ T1520] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 56.069297][ T1520] Workqueue: hci0 hci_rx_work
[ 56.073976][ T1520] Call Trace:
[ 56.077277][ T1520]  dump_stack+0x18f/0x20d
[ 56.081626][ T1520]  ? hci_extended_inquiry_result_evt.isra.0+0x1be/0x5e0
[ 56.088833][ T1520]  ? hci_extended_inquiry_result_evt.isra.0+0x1be/0x5e0
[ 56.095784][ T1520]  print_address_description.constprop.0.cold+0xae/0x436
[ 56.102907][ T1520]  ? lockdep_hardirqs_off+0x66/0xa0
[ 56.108119][ T1520]  ? vprintk_func+0x97/0x1a6
[ 56.112745][ T1520]  ? hci_extended_inquiry_result_evt.isra.0+0x1be/0x5e0
[ 56.119773][ T1520]  kasan_report.cold+0x1f/0x37
[ 56.124582][ T1520]  ? hci_extended_inquiry_result_evt.isra.0+0x1be/0x5e0
[ 56.131530][ T1520]  check_memory_region+0x13d/0x180
[ 56.136650][ T1520]  memcpy+0x20/0x60
[ 56.140472][ T1520]  hci_extended_inquiry_result_evt.isra.0+0x1be/0x5e0
[ 56.150397][ T1520]  ? clear_pending_adv_report+0xf0/0xf0
[ 56.156048][ T1520]  hci_event_packet+0x2828/0x86f5
[ 56.161526][ T1520]  ? lockdep_hardirqs_on_prepare+0x590/0x590
[ 56.167513][ T1520]  ? hci_cmd_complete_evt+0xc6e0/0xc6e0
[ 56.173069][ T1520]  ? lock_acquire+0x1f1/0xad0
[ 56.177737][ T1520]  ? skb_dequeue+0x1c/0x180
[ 56.182232][ T1520]  ? find_held_lock+0x2d/0x110
[ 56.186988][ T1520]  ? mark_lock+0xbc/0x1710
[ 56.191453][ T1520]  ? mark_held_locks+0x9f/0xe0
[ 56.196327][ T1520]  ? _raw_spin_unlock_irqrestore+0x62/0xe0
[ 56.202248][ T1520]  ? lockdep_hardirqs_on_prepare+0x3a2/0x590
[ 56.208212][ T1520]  ? trace_hardirqs_on+0x5f/0x220
[ 56.213366][ T1520]  ? lockdep_hardirqs_on+0x6a/0xe0
[ 56.218463][ T1520]  hci_rx_work+0x22e/0xb10
[ 56.222964][ T1520]  process_one_work+0x94c/0x1670
[ 56.227895][ T1520]  ? pwq_dec_nr_in_flight+0x2d0/0x2d0
[ 56.233338][ T1520]  ? rwlock_bug.part.0+0x90/0x90
[ 56.238266][ T1520]  worker_thread+0x64c/0x1120
[ 56.243028][ T1520]  ? process_one_work+0x1670/0x1670
[ 56.248305][ T1520]  kthread+0x3b5/0x4a0
[ 56.252449][ T1520]  ? __kthread_bind_mask+0xc0/0xc0
[ 56.257581][ T1520]  ? __kthread_bind_mask+0xc0/0xc0
[ 56.262708][ T1520]  ret_from_fork+0x1f/0x30
[ 56.267105][ T1520]
[ 56.269570][ T1520] Allocated by task 6974:
[ 56.273944][ T1520]  save_stack+0x1b/0x40
[ 56.278087][ T1520]  __kasan_kmalloc.constprop.0+0xc2/0xd0
[ 56.283990][ T1520]  __alloc_skb+0xae/0x550
[ 56.288299][ T1520]  vhci_write+0xbd/0x450
[ 56.292528][ T1520]  new_sync_write+0x422/0x650
[ 56.297412][ T1520]  __vfs_write+0xc9/0x100
[ 56.301734][ T1520]  vfs_write+0x268/0x5d0
[ 56.305965][ T1520]  ksys_write+0x12d/0x250
[ 56.310279][ T1520]  do_syscall_32_irqs_on+0x3f/0x60
[ 56.315466][ T1520]  do_fast_syscall_32+0x7f/0x120
[ 56.320395][ T1520]  entry_SYSENTER_compat+0x6d/0x7c
[ 56.325478][ T1520]
[ 56.327822][ T1520] Freed by task 0:
[ 56.331513][ T1520] (stack is not available)
[ 56.335915][ T1520]
[ 56.338224][ T1520] The buggy address belongs to the object at ffff8880a6dd2000
[ 56.338224][ T1520]  which belongs to the cache kmalloc-1k of size 1024
[ 56.352255][ T1520] The buggy address is located 4 bytes to the right of
[ 56.352255][ T1520]  1024-byte region [ffff8880a6dd2000, ffff8880a6dd2400)
[ 56.366049][ T1520] The buggy address belongs to the page:
[ 56.371815][ T1520] page:ffffea00029b7480 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0
[ 56.381075][ T1520] flags: 0xfffe0000000200(slab)
[ 56.385913][ T1520] raw: 00fffe0000000200 ffffea00027f1d48 ffffea00029894c8 ffff8880aa000c40
[ 56.394482][ T1520] raw: 0000000000000000 ffff8880a6dd2000 0000000100000002 0000000000000000
[ 56.403043][ T1520] page dumped because: kasan: bad access detected
[ 56.409444][ T1520]
[ 56.411749][ T1520] Memory state around the buggy address:
[ 56.417375][ T1520]  ffff8880a6dd2300: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 56.425588][ T1520]  ffff8880a6dd2380: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 56.433637][ T1520] >ffff8880a6dd2400: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 56.441680][ T1520]                                ^
[ 56.445797][ T1520]  ffff8880a6dd2480: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 56.453967][ T1520]  ffff8880a6dd2500: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 56.462009][ T1520] ==================================================================
[ 56.470582][ T1520] Disabling lock debugging due to kernel taint
[ 56.477720][ T1520] Kernel panic - not syncing: panic_on_warn set ...
[ 56.484310][ T1520] CPU: 0 PID: 1520 Comm: kworker/u5:0 Tainted: G B 5.8.0-rc3-syzkaller #0
[ 56.494100][ T1520] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 56.504440][ T1520] Workqueue: hci0 hci_rx_work
[ 56.509109][ T1520] Call Trace:
[ 56.512481][ T1520]  dump_stack+0x18f/0x20d
[ 56.517052][ T1520]  ? hci_extended_inquiry_result_evt.isra.0+0x130/0x5e0
[ 56.530829][ T1520]  panic+0x2e3/0x75c
[ 56.534717][ T1520]  ? __warn_printk+0xf3/0xf3
[ 56.539820][ T1520]  ? preempt_schedule_common+0x59/0xc0
[ 56.545257][ T1520]  ? hci_extended_inquiry_result_evt.isra.0+0x1be/0x5e0
[ 56.552167][ T1520]  ? preempt_schedule_thunk+0x16/0x18
[ 56.557515][ T1520]  ? trace_hardirqs_on+0x55/0x220
[ 56.562529][ T1520]  ? hci_extended_inquiry_result_evt.isra.0+0x1be/0x5e0
[ 56.569614][ T1520]  ? hci_extended_inquiry_result_evt.isra.0+0x1be/0x5e0
[ 56.576534][ T1520]  end_report+0x4d/0x53
[ 56.580682][ T1520]  kasan_report.cold+0xd/0x37
[ 56.585374][ T1520]  ? hci_extended_inquiry_result_evt.isra.0+0x1be/0x5e0
[ 56.592289][ T1520]  check_memory_region+0x13d/0x180
[ 56.597846][ T1520]  memcpy+0x20/0x60
[ 56.601770][ T1520]  hci_extended_inquiry_result_evt.isra.0+0x1be/0x5e0
[ 56.608515][ T1520]  ? clear_pending_adv_report+0xf0/0xf0
[ 56.614999][ T1520]  hci_event_packet+0x2828/0x86f5
[ 56.620006][ T1520]  ? lockdep_hardirqs_on_prepare+0x590/0x590
[ 56.626025][ T1520]  ? hci_cmd_complete_evt+0xc6e0/0xc6e0
[ 56.631552][ T1520]  ? lock_acquire+0x1f1/0xad0
[ 56.636554][ T1520]  ? skb_dequeue+0x1c/0x180
[ 56.641033][ T1520]  ? find_held_lock+0x2d/0x110
[ 56.645772][ T1520]  ? mark_lock+0xbc/0x1710
[ 56.650773][ T1520]  ? mark_held_locks+0x9f/0xe0
[ 56.655513][ T1520]  ? _raw_spin_unlock_irqrestore+0x62/0xe0
[ 56.661297][ T1520]  ? lockdep_hardirqs_on_prepare+0x3a2/0x590
[ 56.667251][ T1520]  ? trace_hardirqs_on+0x5f/0x220
[ 56.672255][ T1520]  ? lockdep_hardirqs_on+0x6a/0xe0
[ 56.677358][ T1520]  hci_rx_work+0x22e/0xb10
[ 56.681755][ T1520]  process_one_work+0x94c/0x1670
[ 56.686670][ T1520]  ? pwq_dec_nr_in_flight+0x2d0/0x2d0
[ 56.692027][ T1520]  ? rwlock_bug.part.0+0x90/0x90
[ 56.697057][ T1520]  worker_thread+0x64c/0x1120
[ 56.701727][ T1520]  ? process_one_work+0x1670/0x1670
[ 56.706902][ T1520]  kthread+0x3b5/0x4a0
[ 56.710946][ T1520]  ? __kthread_bind_mask+0xc0/0xc0
[ 56.716038][ T1520]  ? __kthread_bind_mask+0xc0/0xc0
[ 56.721134][ T1520]  ret_from_fork+0x1f/0x30
[ 56.726876][ T1520] Kernel Offset: disabled
[ 56.731318][ T1520] Rebooting in 86400 seconds..