Debian GNU/Linux 9 syzkaller ttyS0
syzkaller login: [ 80.900680][ T25] audit: type=1400 audit(1635668821.666:8): avc: denied { execmem } for pid=6452 comm="syz-executor047" scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=process permissive=1
executing program
[ 82.058073][ T6459] Bluetooth: hci0: unknown advertising packet type: 0x90
[ 82.058134][ T6459] Bluetooth: hci0: Dropping invalid advertising data
[ 82.073453][ T6459] ==================================================================
[ 82.081673][ T6459] BUG: KASAN: slab-out-of-bounds in hci_le_meta_evt+0x3e27/0x46d0
[ 82.089515][ T6459] Read of size 1 at addr ffff888079314e03 by task kworker/u5:2/6459
[ 82.097502][ T6459]
[ 82.099829][ T6459] CPU: 1 PID: 6459 Comm: kworker/u5:2 Not tainted 5.15.0-rc7-syzkaller #0
[ 82.108514][ T6459] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 82.118577][ T6459] Workqueue: hci0 hci_rx_work
[ 82.123281][ T6459] Call Trace:
[ 82.126564][ T6459] dump_stack_lvl+0xcd/0x134
[ 82.131170][ T6459] print_address_description.constprop.0.cold+0x6c/0x2d6
[ 82.138211][ T6459] ? hci_le_meta_evt+0x3e27/0x46d0
[ 82.143340][ T6459] ? hci_le_meta_evt+0x3e27/0x46d0
[ 82.148468][ T6459] kasan_report.cold+0x83/0xdf
[ 82.153248][ T6459] ? hci_le_meta_evt+0x3e27/0x46d0
[ 82.158372][ T6459] hci_le_meta_evt+0x3e27/0x46d0
[ 82.163329][ T6459] ? __mutex_lock+0x21c/0x12f0
[ 82.168108][ T6459] ? le_conn_complete_evt+0x1d00/0x1d00
[ 82.173677][ T6459] ? __mutex_unlock_slowpath+0x157/0x5e0
[ 82.179336][ T6459] ? wait_for_completion_io+0x280/0x280
[ 82.184901][ T6459] ? lock_chain_count+0x20/0x20
[ 82.189745][ T6459] ? __lock_acquire+0x162f/0x54a0
[ 82.194759][ T6459] hci_event_packet+0x5d9/0x7cf0
[ 82.199701][ T6459] ? lockdep_hardirqs_on_prepare+0x400/0x400
[ 82.205669][ T6459] ? lock_chain_count+0x20/0x20
[ 82.210513][ T6459] ? hci_le_meta_evt+0x46d0/0x46d0
[ 82.215617][ T6459] ? find_held_lock+0x2d/0x110
[ 82.220369][ T6459] ? skb_dequeue+0x125/0x180
[ 82.224956][ T6459] ? mark_held_locks+0x9f/0xe0
[ 82.229710][ T6459] ? _raw_spin_unlock_irqrestore+0x50/0x70
[ 82.235508][ T6459] ? lockdep_hardirqs_on+0x79/0x100
[ 82.240700][ T6459] hci_rx_work+0x4fa/0xd30
[ 82.245104][ T6459] process_one_work+0x9bf/0x16b0
[ 82.250029][ T6459] ? pwq_dec_nr_in_flight+0x2a0/0x2a0
[ 82.255386][ T6459] ? rwlock_bug.part.0+0x90/0x90
[ 82.260311][ T6459] ? _raw_spin_lock_irq+0x41/0x50
[ 82.265336][ T6459] worker_thread+0x658/0x11f0
[ 82.270000][ T6459] ? process_one_work+0x16b0/0x16b0
[ 82.275185][ T6459] kthread+0x3e5/0x4d0
[ 82.279241][ T6459] ? set_kthread_struct+0x130/0x130
[ 82.284426][ T6459] ret_from_fork+0x1f/0x30
[ 82.288848][ T6459]
[ 82.291182][ T6459] Allocated by task 6453:
[ 82.295488][ T6459] kasan_save_stack+0x1b/0x40
[ 82.300150][ T6459] __kasan_kmalloc+0xa1/0xd0
[ 82.304738][ T6459] __alloc_skb+0xde/0x340
[ 82.309052][ T6459] vhci_write+0xbd/0x450
[ 82.313277][ T6459] new_sync_write+0x429/0x660
[ 82.317939][ T6459] vfs_write+0x7cf/0xae0
[ 82.322162][ T6459] ksys_write+0x12d/0x250
[ 82.326473][ T6459] do_syscall_64+0x35/0xb0
[ 82.330879][ T6459] entry_SYSCALL_64_after_hwframe+0x44/0xae
[ 82.336776][ T6459]
[ 82.339091][ T6459] The buggy address belongs to the object at ffff888079314c00
[ 82.339091][ T6459] which belongs to the cache kmalloc-512 of size 512
[ 82.353136][ T6459] The buggy address is located 3 bytes to the right of
[ 82.353136][ T6459] 512-byte region [ffff888079314c00, ffff888079314e00)
[ 82.366737][ T6459] The buggy address belongs to the page:
[ 82.372345][ T6459] page:ffffea0001e4c500 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x79314
[ 82.382478][ T6459] flags: 0xfff00000000200(slab|node=0|zone=1|lastcpupid=0x7ff)
[ 82.390010][ T6459] raw: 00fff00000000200 ffffea00005ef948 ffffea0000768f08 ffff888010c40600
[ 82.398575][ T6459] raw: 0000000000000000 ffff888079314000 0000000100000004 0000000000000000
[ 82.407133][ T6459] page dumped because: kasan: bad access detected
[ 82.413522][ T6459] page_owner tracks the page as allocated
[ 82.419213][ T6459] page last allocated via order 0, migratetype Unmovable, gfp_mask 0x2420c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_COMP|__GFP_THISNODE), pid 1, ts 20947704734, free_ts 20947079890
[ 82.436728][ T6459] get_page_from_freelist+0xa72/0x2f80
[ 82.442174][ T6459] __alloc_pages+0x1b2/0x500
[ 82.446763][ T6459] cache_grow_begin+0x75/0x460
[ 82.451512][ T6459] cache_alloc_refill+0x27f/0x380
[ 82.456516][ T6459] kmem_cache_alloc_trace+0x38c/0x480
[ 82.461885][ T6459] kernfs_fop_open+0x2c5/0xd40
[ 82.466638][ T6459] do_dentry_open+0x4c8/0x11d0
[ 82.471386][ T6459] path_openat+0x1c9a/0x2740
[ 82.475958][ T6459] do_filp_open+0x1aa/0x400
[ 82.480448][ T6459] do_sys_openat2+0x16d/0x4d0
[ 82.485109][ T6459] __x64_sys_open+0x119/0x1c0
[ 82.489772][ T6459] do_syscall_64+0x35/0xb0
[ 82.494171][ T6459] entry_SYSCALL_64_after_hwframe+0x44/0xae
[ 82.500050][ T6459] page last free stack trace:
[ 82.504698][ T6459] free_pcp_prepare+0x2c5/0x780
[ 82.509548][ T6459] free_unref_page+0x19/0x690
[ 82.514208][ T6459] inode_doinit_with_dentry+0x868/0x12e0
[ 82.519825][ T6459] selinux_d_instantiate+0x23/0x30
[ 82.524936][ T6459] security_d_instantiate+0x50/0xe0
[ 82.530119][ T6459] d_splice_alias+0x8c/0xc60
[ 82.534694][ T6459] kernfs_iop_lookup+0x22d/0x2c0
[ 82.539632][ T6459] lookup_open.isra.0+0x69f/0x13d0
[ 82.544725][ T6459] path_openat+0x9a5/0x2740
[ 82.549232][ T6459] do_filp_open+0x1aa/0x400
[ 82.553719][ T6459] do_sys_openat2+0x16d/0x4d0
[ 82.558380][ T6459] __x64_sys_open+0x119/0x1c0
[ 82.563041][ T6459] do_syscall_64+0x35/0xb0
[ 82.567440][ T6459] entry_SYSCALL_64_after_hwframe+0x44/0xae
[ 82.573318][ T6459]
[ 82.575625][ T6459] Memory state around the buggy address:
[ 82.581233][ T6459] ffff888079314d00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 82.589277][ T6459] ffff888079314d80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 82.597319][ T6459] >ffff888079314e00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 82.605373][ T6459] ^
[ 82.609425][ T6459] ffff888079314e80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 82.617465][ T6459] ffff888079314f00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 82.625519][ T6459] ==================================================================
[ 82.633555][ T6459] Disabling lock debugging due to kernel taint
[ 82.639977][ T6459] Kernel panic - not syncing: panic_on_warn set ...
[ 82.646650][ T6459] CPU: 1 PID: 6459 Comm: kworker/u5:2 Tainted: G B 5.15.0-rc7-syzkaller #0
[ 82.656545][ T6459] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 82.666608][ T6459] Workqueue: hci0 hci_rx_work
[ 82.671292][ T6459] Call Trace:
[ 82.674558][ T6459] dump_stack_lvl+0xcd/0x134
[ 82.679149][ T6459] panic+0x2b0/0x6dd
[ 82.683040][ T6459] ? __warn_printk+0xf3/0xf3
[ 82.687716][ T6459] ? preempt_schedule_common+0x59/0xc0
[ 82.693170][ T6459] ? hci_le_meta_evt+0x3e27/0x46d0
[ 82.698281][ T6459] ? preempt_schedule_thunk+0x16/0x18
[ 82.703649][ T6459] ? trace_hardirqs_on+0x38/0x1c0
[ 82.708765][ T6459] ? trace_hardirqs_on+0x51/0x1c0
[ 82.713790][ T6459] ? hci_le_meta_evt+0x3e27/0x46d0
[ 82.718910][ T6459] ? hci_le_meta_evt+0x3e27/0x46d0
[ 82.724016][ T6459] end_report.cold+0x63/0x6f
[ 82.728604][ T6459] kasan_report.cold+0x71/0xdf
[ 82.733365][ T6459] ? hci_le_meta_evt+0x3e27/0x46d0
[ 82.738472][ T6459] hci_le_meta_evt+0x3e27/0x46d0
[ 82.743407][ T6459] ? __mutex_lock+0x21c/0x12f0
[ 82.748181][ T6459] ? le_conn_complete_evt+0x1d00/0x1d00
[ 82.753724][ T6459] ? __mutex_unlock_slowpath+0x157/0x5e0
[ 82.759354][ T6459] ? wait_for_completion_io+0x280/0x280
[ 82.764897][ T6459] ? lock_chain_count+0x20/0x20
[ 82.769743][ T6459] ? __lock_acquire+0x162f/0x54a0
[ 82.774760][ T6459] hci_event_packet+0x5d9/0x7cf0
[ 82.779698][ T6459] ? lockdep_hardirqs_on_prepare+0x400/0x400
[ 82.785673][ T6459] ? lock_chain_count+0x20/0x20
[ 82.790519][ T6459] ? hci_le_meta_evt+0x46d0/0x46d0
[ 82.795628][ T6459] ? find_held_lock+0x2d/0x110
[ 82.800400][ T6459] ? skb_dequeue+0x125/0x180
[ 82.804990][ T6459] ? mark_held_locks+0x9f/0xe0
[ 82.809767][ T6459] ? _raw_spin_unlock_irqrestore+0x50/0x70
[ 82.815578][ T6459] ? lockdep_hardirqs_on+0x79/0x100
[ 82.820775][ T6459] hci_rx_work+0x4fa/0xd30
[ 82.825192][ T6459] process_one_work+0x9bf/0x16b0
[ 82.830129][ T6459] ? pwq_dec_nr_in_flight+0x2a0/0x2a0
[ 82.835497][ T6459] ? rwlock_bug.part.0+0x90/0x90
[ 82.840444][ T6459] ? _raw_spin_lock_irq+0x41/0x50
[ 82.845464][ T6459] worker_thread+0x658/0x11f0
[ 82.850143][ T6459] ? process_one_work+0x16b0/0x16b0
[ 82.855342][ T6459] kthread+0x3e5/0x4d0
[ 82.859409][ T6459] ? set_kthread_struct+0x130/0x130
[ 82.864605][ T6459] ret_from_fork+0x1f/0x30
[ 82.869313][ T6459] Kernel Offset: disabled
[ 82.873621][ T6459] Rebooting in 86400 seconds..