[....] Starting enhanced syslogd: rsyslogd[?25l[?1c7[1G[[32m ok [39;49m8[?25h[?0c.
[   41.575891] audit: type=1800 audit(1546853882.349:25): pid=7904 uid=0 auid=4294967295 ses=4294967295 subj=_ op=collect_data cause=failed(directio) comm="startpar" name="cron" dev="sda1" ino=2414 res=0
[   41.610671] audit: type=1800 audit(1546853882.349:26): pid=7904 uid=0 auid=4294967295 ses=4294967295 subj=_ op=collect_data cause=failed(directio) comm="startpar" name="mcstrans" dev="sda1" ino=2457 res=0
[   41.637108] audit: type=1800 audit(1546853882.349:27): pid=7904 uid=0 auid=4294967295 ses=4294967295 subj=_ op=collect_data cause=failed(directio) comm="startpar" name="restorecond" dev="sda1" ino=2436 res=0
[....] Starting periodic command scheduler: cron[?25l[?1c7[1G[[32m ok [39;49m8[?25h[?0c.
[....] Starting OpenBSD Secure Shell server: sshd[?25l[?1c7[1G[[32m ok [39;49m8[?25h[?0c.

Debian GNU/Linux 7 syzkaller ttyS0

Warning: Permanently added '10.128.0.4' (ECDSA) to the list of known hosts.
executing program
executing program
executing program
executing program
syzkaller login: [   53.006366] ==================================================================
[   53.013951] BUG: KASAN: slab-out-of-bounds in hci_event_packet+0xb33e/0xc22e
[   53.021133] Read of size 1 at addr ffff888093ef7f40 by task kworker/u5:0/1172
[   53.028553] 
[   53.030179] CPU: 0 PID: 1172 Comm: kworker/u5:0 Not tainted 4.20.0+ #13
[   53.036924] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   53.046528] Workqueue: hci0 hci_rx_work
[   53.050497] Call Trace:
[   53.053080]  dump_stack+0x1db/0x2d0
[   53.056822]  ? dump_stack_print_info.cold+0x20/0x20
[   53.061842]  ? hci_event_packet+0xb33e/0xc22e
[   53.066364]  print_address_description.cold+0x7c/0x20d
[   53.071641]  ? hci_event_packet+0xb33e/0xc22e
[   53.076274]  ? hci_event_packet+0xb33e/0xc22e
[   53.080901]  kasan_report.cold+0x1b/0x40
[   53.085463]  ? hci_event_packet+0xb33e/0xc22e
[   53.089958]  __asan_report_load1_noabort+0x14/0x20
[   53.094879]  hci_event_packet+0xb33e/0xc22e
[   53.099337]  ? hci_cmd_complete_evt+0xbe60/0xbe60
[   53.104292]  ? up_write+0x1c0/0x230
[   53.107928]  ? unwind_next_frame+0x3b/0x50
[   53.112358]  ? graph_lock+0x280/0x280
[   53.116300]  ? save_stack_trace+0x1a/0x20
[   53.120443]  ? save_trace+0xe0/0x290
[   53.124247]  ? add_lock_to_list.isra.0+0x450/0x450
[   53.129213]  ? kasan_check_read+0x11/0x20
[   53.133479]  ? __lock_acquire+0x2514/0x4a30
[   53.137799]  ? print_usage_bug+0xd0/0xd0
[   53.141860]  ? skb_dequeue+0x12e/0x180
[   53.145744]  ? mark_held_locks+0xb1/0x100
[   53.150068]  ? _raw_spin_unlock_irqrestore+0x6b/0xe0
[   53.155167]  ? _raw_spin_unlock_irqrestore+0x6b/0xe0
[   53.160294]  ? trace_hardirqs_on+0xbd/0x310
[   53.164722]  ? kasan_check_read+0x11/0x20
[   53.168866]  ? skb_dequeue+0x12e/0x180
[   53.172933]  ? trace_hardirqs_off_caller+0x300/0x300
[   53.178042]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   53.183588]  ? hci_send_to_monitor+0x306/0x470
[   53.188165]  ? hci_sock_release+0x3c0/0x3c0
[   53.192596]  ? _raw_spin_unlock_irqrestore+0xa4/0xe0
[   53.197704]  hci_rx_work+0x578/0xcd0
[   53.201486]  ? hci_rx_work+0x578/0xcd0
[   53.205373]  ? find_held_lock+0x35/0x120
[   53.209428]  ? add_lock_to_list.isra.0+0x450/0x450
[   53.214355]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   53.219885]  ? hci_alloc_dev+0x21a0/0x21a0
[   53.224115]  ? __lock_is_held+0xb6/0x140
[   53.228316]  process_one_work+0xd0c/0x1ce0
[   53.232567]  ? __wake_up_common_lock+0x1db/0x390
[   53.237346]  ? pwq_dec_nr_in_flight+0x4a0/0x4a0
[   53.242021]  ? trace_hardirqs_off+0xb8/0x310
[   53.246503]  ? kasan_check_read+0x11/0x20
[   53.250652]  ? do_raw_spin_unlock+0xa0/0x330
[   53.255182]  ? do_raw_spin_trylock+0x270/0x270
[   53.259870]  ? __wake_up_common+0x7d0/0x7d0
[   53.264195]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   53.269732]  ? get_work_pool_id+0x1a0/0x1a0
[   53.274045]  ? trace_hardirqs_on_caller+0x310/0x310
[   53.279067]  worker_thread+0x143/0x14a0
[   53.283050]  ? process_one_work+0x1ce0/0x1ce0
[   53.287662]  ? __kthread_parkme+0xc3/0x1b0
[   53.291892]  ? lock_acquire+0x1db/0x570
[   53.295961]  ? _raw_spin_unlock_irqrestore+0x6b/0xe0
[   53.301067]  ? lockdep_hardirqs_on+0x415/0x5d0
[   53.305801]  ? trace_hardirqs_on+0xbd/0x310
[   53.310364]  ? kasan_check_read+0x11/0x20
[   53.314521]  ? __kthread_parkme+0xc3/0x1b0
[   53.318750]  ? trace_hardirqs_off_caller+0x300/0x300
[   53.323988]  ? do_raw_spin_trylock+0x270/0x270
[   53.328563]  ? schedule+0x108/0x350
[   53.332182]  ? do_raw_spin_trylock+0x270/0x270
[   53.336768]  ? _raw_spin_unlock_irqrestore+0xa4/0xe0
[   53.341871]  ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20
[   53.347534]  ? __kthread_parkme+0xfb/0x1b0
[   53.351839]  kthread+0x357/0x430
[   53.355332]  ? process_one_work+0x1ce0/0x1ce0
[   53.359931]  ? kthread_stop+0x920/0x920
[   53.364022]  ret_from_fork+0x3a/0x50
[   53.367741] 
[   53.369362] Allocated by task 8060:
[   53.372982]  save_stack+0x45/0xd0
[   53.376441]  kasan_kmalloc+0xcf/0xe0
[   53.380155]  __kmalloc_node_track_caller+0x4e/0x70
[   53.385430]  __kmalloc_reserve.isra.0+0x40/0xe0
[   53.390093]  __alloc_skb+0x12d/0x730
[   53.393800]  vhci_write+0xc4/0x470
[   53.397452]  __vfs_write+0x764/0xb40
[   53.401164]  vfs_write+0x20c/0x580
[   53.404695]  ksys_write+0x105/0x260
[   53.408455]  __x64_sys_write+0x73/0xb0
[   53.412432]  do_syscall_64+0x1a3/0x800
[   53.416318]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   53.421497] 
[   53.423114] Freed by task 0:
[   53.426253] (stack is not available)
[   53.429978] 
[   53.431722] The buggy address belongs to the object at ffff888093ef7b40
[   53.431722]  which belongs to the cache kmalloc-1k of size 1024
[   53.444500] The buggy address is located 0 bytes to the right of
[   53.444500]  1024-byte region [ffff888093ef7b40, ffff888093ef7f40)
[   53.457051] The buggy address belongs to the page:
[   53.461981] page:ffffea00024fbd80 count:1 mapcount:0 mapping:ffff88812c3f0ac0 index:0x0 compound_mapcount: 0
[   53.472060] flags: 0x1fffc0000010200(slab|head)
[   53.477064] raw: 01fffc0000010200 ffffea00022c4588 ffff88812c3f1848 ffff88812c3f0ac0
[   53.484941] raw: 0000000000000000 ffff888093ef6040 0000000100000007 0000000000000000
[   53.493081] page dumped because: kasan: bad access detected
[   53.498778] 
[   53.500403] Memory state around the buggy address:
[   53.505330]  ffff888093ef7e00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   53.512795]  ffff888093ef7e80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   53.520150] >ffff888093ef7f00: 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc
[   53.527682]                                            ^
[   53.533123]  ffff888093ef7f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   53.540645]  ffff888093ef8000: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   53.547994] ==================================================================
[   53.555474] Disabling lock debugging due to kernel taint
[   53.561548] Kernel panic - not syncing: panic_on_warn set ...
[   53.567442] CPU: 0 PID: 1172 Comm: kworker/u5:0 Tainted: G    B             4.20.0+ #13
[   53.575699] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   53.585322] Workqueue: hci0 hci_rx_work
[   53.589295] Call Trace:
[   53.591882]  dump_stack+0x1db/0x2d0
[   53.595594]  ? dump_stack_print_info.cold+0x20/0x20
[   53.600614]  panic+0x2cb/0x65c
[   53.603875]  ? add_taint.cold+0x16/0x16
[   53.607956]  ? hci_event_packet+0xb33e/0xc22e
[   53.612448]  ? preempt_schedule+0x4b/0x60
[   53.616597]  ? ___preempt_schedule+0x16/0x18
[   53.621314]  ? trace_hardirqs_on+0xb4/0x310
[   53.625726]  ? hci_event_packet+0xb33e/0xc22e
[   53.630320]  end_report+0x47/0x4f
[   53.633772]  ? hci_event_packet+0xb33e/0xc22e
[   53.638580]  kasan_report.cold+0xe/0x40
[   53.642791]  ? hci_event_packet+0xb33e/0xc22e
[   53.647299]  __asan_report_load1_noabort+0x14/0x20
[   53.652224]  hci_event_packet+0xb33e/0xc22e
[   53.656545]  ? hci_cmd_complete_evt+0xbe60/0xbe60
[   53.661504]  ? up_write+0x1c0/0x230
[   53.665243]  ? unwind_next_frame+0x3b/0x50
[   53.669576]  ? graph_lock+0x280/0x280
[   53.673375]  ? save_stack_trace+0x1a/0x20
[   53.677512]  ? save_trace+0xe0/0x290
[   53.681218]  ? add_lock_to_list.isra.0+0x450/0x450
[   53.686135]  ? kasan_check_read+0x11/0x20
[   53.690295]  ? __lock_acquire+0x2514/0x4a30
[   53.694610]  ? print_usage_bug+0xd0/0xd0
[   53.698662]  ? skb_dequeue+0x12e/0x180
[   53.702547]  ? mark_held_locks+0xb1/0x100
[   53.706690]  ? _raw_spin_unlock_irqrestore+0x6b/0xe0
[   53.711785]  ? _raw_spin_unlock_irqrestore+0x6b/0xe0
[   53.716886]  ? trace_hardirqs_on+0xbd/0x310
[   53.721324]  ? kasan_check_read+0x11/0x20
[   53.725473]  ? skb_dequeue+0x12e/0x180
[   53.729448]  ? trace_hardirqs_off_caller+0x300/0x300
[   53.734552]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   53.740088]  ? hci_send_to_monitor+0x306/0x470
[   53.744662]  ? hci_sock_release+0x3c0/0x3c0
[   53.748979]  ? _raw_spin_unlock_irqrestore+0xa4/0xe0
[   53.754075]  hci_rx_work+0x578/0xcd0
[   53.757786]  ? hci_rx_work+0x578/0xcd0
[   53.761666]  ? find_held_lock+0x35/0x120
[   53.765718]  ? add_lock_to_list.isra.0+0x450/0x450
[   53.770761]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   53.776461]  ? hci_alloc_dev+0x21a0/0x21a0
[   53.780688]  ? __lock_is_held+0xb6/0x140
[   53.785243]  process_one_work+0xd0c/0x1ce0
[   53.789571]  ? __wake_up_common_lock+0x1db/0x390
[   53.794329]  ? pwq_dec_nr_in_flight+0x4a0/0x4a0
[   53.799064]  ? trace_hardirqs_off+0xb8/0x310
[   53.803474]  ? kasan_check_read+0x11/0x20
[   53.807622]  ? do_raw_spin_unlock+0xa0/0x330
[   53.812156]  ? do_raw_spin_trylock+0x270/0x270
[   53.816737]  ? __wake_up_common+0x7d0/0x7d0
[   53.821056]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   53.826658]  ? get_work_pool_id+0x1a0/0x1a0
[   53.830982]  ? trace_hardirqs_on_caller+0x310/0x310
[   53.836001]  worker_thread+0x143/0x14a0
[   53.840070]  ? process_one_work+0x1ce0/0x1ce0
[   53.844563]  ? __kthread_parkme+0xc3/0x1b0
[   53.848796]  ? lock_acquire+0x1db/0x570
[   53.852768]  ? _raw_spin_unlock_irqrestore+0x6b/0xe0
[   53.857867]  ? lockdep_hardirqs_on+0x415/0x5d0
[   53.862519]  ? trace_hardirqs_on+0xbd/0x310
[   53.866843]  ? kasan_check_read+0x11/0x20
[   53.870985]  ? __kthread_parkme+0xc3/0x1b0
[   53.875215]  ? trace_hardirqs_off_caller+0x300/0x300
[   53.880315]  ? do_raw_spin_trylock+0x270/0x270
[   53.884894]  ? schedule+0x108/0x350
[   53.888523]  ? do_raw_spin_trylock+0x270/0x270
[   53.893324]  ? _raw_spin_unlock_irqrestore+0xa4/0xe0
[   53.898436]  ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20
[   53.903966]  ? __kthread_parkme+0xfb/0x1b0
[   53.908200]  kthread+0x357/0x430
[   53.911636]  ? process_one_work+0x1ce0/0x1ce0
[   53.916132]  ? kthread_stop+0x920/0x920
[   53.920305]  ret_from_fork+0x3a/0x50
[   53.925036] Kernel Offset: disabled
[   53.928787] Rebooting in 86400 seconds..