[ ok ] Starting enhanced syslogd: rsyslogd.
[ 41.260056] audit: type=1800 audit(1546853962.372:25): pid=7900 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="cron" dev="sda1" ino=2414 res=0
[ 41.298375] audit: type=1800 audit(1546853962.382:26): pid=7900 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="mcstrans" dev="sda1" ino=2457 res=0
[ 41.321260] audit: type=1800 audit(1546853962.382:27): pid=7900 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="restorecond" dev="sda1" ino=2436 res=0
[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.

Debian GNU/Linux 7 syzkaller ttyS0

Warning: Permanently added '10.128.0.82' (ECDSA) to the list of known hosts.
executing program
executing program
executing program

syzkaller login: [ 51.996416] ==================================================================
[ 52.003917] BUG: KASAN: slab-out-of-bounds in hci_event_packet+0xb33e/0xc22e
[ 52.011115] Read of size 1 at addr ffff88808739c8c0 by task kworker/u5:0/1171
[ 52.018385]
[ 52.020008] CPU: 0 PID: 1171 Comm: kworker/u5:0 Not tainted 4.20.0+ #13
[ 52.026745] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 52.036106] Workqueue: hci0 hci_rx_work
[ 52.040073] Call Trace:
[ 52.042658]  dump_stack+0x1db/0x2d0
[ 52.046287]  ? dump_stack_print_info.cold+0x20/0x20
[ 52.051299]  ? hci_event_packet+0xb33e/0xc22e
[ 52.055793]  print_address_description.cold+0x7c/0x20d
[ 52.061065]  ? hci_event_packet+0xb33e/0xc22e
[ 52.065556]  ? hci_event_packet+0xb33e/0xc22e
[ 52.070048]  kasan_report.cold+0x1b/0x40
[ 52.074104]  ? hci_event_packet+0xb33e/0xc22e
[ 52.078617]  __asan_report_load1_noabort+0x14/0x20
[ 52.083550]  hci_event_packet+0xb33e/0xc22e
[ 52.087876]  ? hci_cmd_complete_evt+0xbe60/0xbe60
[ 52.092715]  ? up_write+0x1c0/0x230
[ 52.096333]  ? unwind_next_frame+0x3b/0x50
[ 52.100569]  ? graph_lock+0x280/0x280
[ 52.104366]  ? save_stack_trace+0x1a/0x20
[ 52.108513]  ? save_trace+0xe0/0x290
[ 52.112224]  ? add_lock_to_list.isra.0+0x450/0x450
[ 52.117148]  ? kasan_check_read+0x11/0x20
[ 52.121293]  ? __lock_acquire+0x2514/0x4a30
[ 52.125603]  ? lockdep_hardirqs_on+0x415/0x5d0
[ 52.130180]  ? print_usage_bug+0xd0/0xd0
[ 52.134235]  ? skb_dequeue+0x12e/0x180
[ 52.138172]  ? mark_held_locks+0xb1/0x100
[ 52.142329]  ? _raw_spin_unlock_irqrestore+0x6b/0xe0
[ 52.147423]  ? _raw_spin_unlock_irqrestore+0x6b/0xe0
[ 52.152523]  ? trace_hardirqs_on+0xbd/0x310
[ 52.156839]  ? kasan_check_read+0x11/0x20
[ 52.160988]  ? skb_dequeue+0x12e/0x180
[ 52.164875]  ? trace_hardirqs_off_caller+0x300/0x300
[ 52.169975]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 52.175505]  ? hci_send_to_monitor+0x306/0x470
[ 52.180133]  ? hci_sock_release+0x3c0/0x3c0
[ 52.184456]  ? _raw_spin_unlock_irqrestore+0xa4/0xe0
[ 52.189569]  hci_rx_work+0x578/0xcd0
[ 52.193274]  ? hci_rx_work+0x578/0xcd0
[ 52.197165]  ? find_held_lock+0x35/0x120
[ 52.201215]  ? add_lock_to_list.isra.0+0x450/0x450
[ 52.206141]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 52.211672]  ? hci_alloc_dev+0x21a0/0x21a0
[ 52.215904]  ? __lock_is_held+0xb6/0x140
[ 52.219962]  process_one_work+0xd0c/0x1ce0
[ 52.224190]  ? __wake_up_common_lock+0x1db/0x390
[ 52.228945]  ? pwq_dec_nr_in_flight+0x4a0/0x4a0
[ 52.233610]  ? trace_hardirqs_off+0xb8/0x310
[ 52.238015]  ? kasan_check_read+0x11/0x20
[ 52.242165]  ? do_raw_spin_unlock+0xa0/0x330
[ 52.246573]  ? do_raw_spin_trylock+0x270/0x270
[ 52.251182]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 52.256727]  ? get_work_pool_id+0x1a0/0x1a0
[ 52.261040]  ? trace_hardirqs_on_caller+0x310/0x310
[ 52.266058]  worker_thread+0x143/0x14a0
[ 52.270045]  ? process_one_work+0x1ce0/0x1ce0
[ 52.274545]  ? __kthread_parkme+0xc3/0x1b0
[ 52.278897]  ? lock_acquire+0x1db/0x570
[ 52.282865]  ? _raw_spin_unlock_irqrestore+0x6b/0xe0
[ 52.287973]  ? lockdep_hardirqs_on+0x415/0x5d0
[ 52.292556]  ? trace_hardirqs_on+0xbd/0x310
[ 52.296877]  ? __kthread_parkme+0xc3/0x1b0
[ 52.301109]  ? trace_hardirqs_off_caller+0x300/0x300
[ 52.306215]  ? do_raw_spin_trylock+0x270/0x270
[ 52.310821]  ? schedule+0x108/0x350
[ 52.314508]  ? _raw_spin_unlock_irqrestore+0xa4/0xe0
[ 52.319609]  ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20
[ 52.325161]  ? __kthread_parkme+0xfb/0x1b0
[ 52.329413]  kthread+0x357/0x430
[ 52.332780]  ? process_one_work+0x1ce0/0x1ce0
[ 52.337271]  ? kthread_stop+0x920/0x920
[ 52.341252]  ret_from_fork+0x3a/0x50
[ 52.345003]
[ 52.346658] Allocated by task 8055:
[ 52.350286]  save_stack+0x45/0xd0
[ 52.353735]  kasan_kmalloc+0xcf/0xe0
[ 52.357446]  __kmalloc_node_track_caller+0x4e/0x70
[ 52.362390]  __kmalloc_reserve.isra.0+0x40/0xe0
[ 52.367058]  __alloc_skb+0x12d/0x730
[ 52.370769]  vhci_write+0xc4/0x470
[ 52.374305]  __vfs_write+0x764/0xb40
[ 52.378015]  vfs_write+0x20c/0x580
[ 52.381551]  ksys_write+0x105/0x260
[ 52.385171]  __x64_sys_write+0x73/0xb0
[ 52.389057]  do_syscall_64+0x1a3/0x800
[ 52.392941]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 52.398119]
[ 52.399743] Freed by task 0:
[ 52.402746] (stack is not available)
[ 52.406447]
[ 52.408072] The buggy address belongs to the object at ffff88808739c4c0
[ 52.408072]  which belongs to the cache kmalloc-1k of size 1024
[ 52.421053] The buggy address is located 0 bytes to the right of
[ 52.421053]  1024-byte region [ffff88808739c4c0, ffff88808739c8c0)
[ 52.433379] The buggy address belongs to the page:
[ 52.438315] page:ffffea00021ce700 count:1 mapcount:0 mapping:ffff88812c3f0ac0 index:0x0 compound_mapcount: 0
[ 52.448391] flags: 0x1fffc0000010200(slab|head)
[ 52.453067] raw: 01fffc0000010200 ffffea0002444b88 ffff88812c3f1848 ffff88812c3f0ac0
[ 52.460954] raw: 0000000000000000 ffff88808739c040 0000000100000007 0000000000000000
[ 52.468873] page dumped because: kasan: bad access detected
[ 52.474592]
[ 52.476212] Memory state around the buggy address:
[ 52.481137]  ffff88808739c780: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 52.488498]  ffff88808739c800: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 52.495859] >ffff88808739c880: 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc
[ 52.503211]                                            ^
[ 52.508661]  ffff88808739c900: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
[ 52.516021]  ffff88808739c980: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 52.523984] ==================================================================
[ 52.531393] Disabling lock debugging due to kernel taint
[ 52.537691] Kernel panic - not syncing: panic_on_warn set ...
[ 52.543597] CPU: 0 PID: 1171 Comm: kworker/u5:0 Tainted: G B 4.20.0+ #13
[ 52.551774] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 52.561181] Workqueue: hci0 hci_rx_work
[ 52.565154] Call Trace:
[ 52.567742]  dump_stack+0x1db/0x2d0
[ 52.571386]  ? dump_stack_print_info.cold+0x20/0x20
[ 52.576445]  panic+0x2cb/0x65c
[ 52.579639]  ? add_taint.cold+0x16/0x16
[ 52.583612]  ? hci_event_packet+0xb33e/0xc22e
[ 52.588108]  ? preempt_schedule+0x4b/0x60
[ 52.592259]  ? ___preempt_schedule+0x16/0x18
[ 52.596666]  ? trace_hardirqs_on+0xb4/0x310
[ 52.600986]  ? hci_event_packet+0xb33e/0xc22e
[ 52.605515]  end_report+0x47/0x4f
[ 52.608966]  ? hci_event_packet+0xb33e/0xc22e
[ 52.613458]  kasan_report.cold+0xe/0x40
[ 52.617429]  ? hci_event_packet+0xb33e/0xc22e
[ 52.621966]  __asan_report_load1_noabort+0x14/0x20
[ 52.626893]  hci_event_packet+0xb33e/0xc22e
[ 52.631219]  ? hci_cmd_complete_evt+0xbe60/0xbe60
[ 52.636060]  ? up_write+0x1c0/0x230
[ 52.639685]  ? unwind_next_frame+0x3b/0x50
[ 52.643920]  ? graph_lock+0x280/0x280
[ 52.647757]  ? save_stack_trace+0x1a/0x20
[ 52.651898]  ? save_trace+0xe0/0x290
[ 52.655607]  ? add_lock_to_list.isra.0+0x450/0x450
[ 52.660543]  ? kasan_check_read+0x11/0x20
[ 52.664694]  ? __lock_acquire+0x2514/0x4a30
[ 52.669008]  ? lockdep_hardirqs_on+0x415/0x5d0
[ 52.673596]  ? print_usage_bug+0xd0/0xd0
[ 52.677662]  ? skb_dequeue+0x12e/0x180
[ 52.681547]  ? mark_held_locks+0xb1/0x100
[ 52.685709]  ? _raw_spin_unlock_irqrestore+0x6b/0xe0
[ 52.690809]  ? _raw_spin_unlock_irqrestore+0x6b/0xe0
[ 52.695909]  ? trace_hardirqs_on+0xbd/0x310
[ 52.700230]  ? kasan_check_read+0x11/0x20
[ 52.704433]  ? skb_dequeue+0x12e/0x180
[ 52.708333]  ? trace_hardirqs_off_caller+0x300/0x300
[ 52.713462]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 52.718999]  ? hci_send_to_monitor+0x306/0x470
[ 52.723590]  ? hci_sock_release+0x3c0/0x3c0
[ 52.727999]  ? _raw_spin_unlock_irqrestore+0xa4/0xe0
[ 52.733108]  hci_rx_work+0x578/0xcd0
[ 52.736899]  ? hci_rx_work+0x578/0xcd0
[ 52.740790]  ? find_held_lock+0x35/0x120
[ 52.744860]  ? add_lock_to_list.isra.0+0x450/0x450
[ 52.749794]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 52.755337]  ? hci_alloc_dev+0x21a0/0x21a0
[ 52.759592]  ? __lock_is_held+0xb6/0x140
[ 52.763664]  process_one_work+0xd0c/0x1ce0
[ 52.767901]  ? __wake_up_common_lock+0x1db/0x390
[ 52.772665]  ? pwq_dec_nr_in_flight+0x4a0/0x4a0
[ 52.777333]  ? trace_hardirqs_off+0xb8/0x310
[ 52.781794]  ? kasan_check_read+0x11/0x20
[ 52.785944]  ? do_raw_spin_unlock+0xa0/0x330
[ 52.790351]  ? do_raw_spin_trylock+0x270/0x270
[ 52.794955]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 52.800494]  ? get_work_pool_id+0x1a0/0x1a0
[ 52.804813]  ? trace_hardirqs_on_caller+0x310/0x310
[ 52.809844]  worker_thread+0x143/0x14a0
[ 52.813827]  ? process_one_work+0x1ce0/0x1ce0
[ 52.818318]  ? __kthread_parkme+0xc3/0x1b0
[ 52.822550]  ? lock_acquire+0x1db/0x570
[ 52.826521]  ? _raw_spin_unlock_irqrestore+0x6b/0xe0
[ 52.831621]  ? lockdep_hardirqs_on+0x415/0x5d0
[ 52.836208]  ? trace_hardirqs_on+0xbd/0x310
[ 52.840528]  ? __kthread_parkme+0xc3/0x1b0
[ 52.844772]  ? trace_hardirqs_off_caller+0x300/0x300
[ 52.849883]  ? do_raw_spin_trylock+0x270/0x270
[ 52.854505]  ? schedule+0x108/0x350
[ 52.858150]  ? _raw_spin_unlock_irqrestore+0xa4/0xe0
[ 52.863270]  ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20
[ 52.868806]  ? __kthread_parkme+0xfb/0x1b0
[ 52.873186]  kthread+0x357/0x430
[ 52.876552]  ? process_one_work+0x1ce0/0x1ce0
[ 52.881148]  ? kthread_stop+0x920/0x920
[ 52.885487]  ret_from_fork+0x3a/0x50
[ 52.890241] Kernel Offset: disabled
[ 52.893981] Rebooting in 86400 seconds..
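As an added triage example (my code, not part of the syzkaller report above or of the kernel tree), the script below parses the decisive lines of that report, embedded as constructed input with the timestamps stripped, and does the three checks a triager does by hand: it confirms that the faulting address ffff88808739c8c0 sits exactly 0 bytes past the end of the 1024-byte kmalloc-1k object, maps the address onto the dumped shadow rows (one shadow byte per 8 bytes of memory, so the byte under the caret is index 8 of the ffff88808739c880 row, 0xfc, a kmalloc redzone), and walks the allocation stack past the allocator plumbing to the frame that really allocated the skb, vhci_write. The shadow legend values are the encodings from mm/kasan/kasan.h; the helper names (parse_report, locate_access, shadow_byte, allocation_site, check_consistency, triage) and the ALLOC_PLUMBING prefix list are my own assumptions.

```python
# Triage helper for the KASAN report above: parse its decisive lines, check the fault
# address against the object bounds, look it up in the shadow dump and find the real
# allocation site. Added example, not part of the syzkaller report or the kernel tree.
import re

SHADOW_SCALE = 8  # one shadow byte describes 8 bytes of kernel memory; a row dumps 16
# Shadow encodings from mm/kasan/kasan.h (the subset relevant to slab bugs);
# 0x01..0x07 mean "only the first N bytes of the 8-byte granule are addressable".
SHADOW_LEGEND = {0x00: "addressable", 0xfa: "global redzone", 0xfb: "freed kmalloc object",
                 0xfc: "kmalloc redzone", 0xfe: "page redzone", 0xff: "free page"}
# Assumed list of frames that belong to the allocator, not to the code that asked for memory.
ALLOC_PLUMBING = ("save_stack", "kasan_", "__kmalloc", "kmalloc", "__alloc_skb")
WHERE = {"left": "before the start of", "inside": "into", "right": "past the end of"}
# Constructed input: the decisive lines of the report above, timestamps stripped.
REPORT = """\
BUG: KASAN: slab-out-of-bounds in hci_event_packet+0xb33e/0xc22e
Read of size 1 at addr ffff88808739c8c0 by task kworker/u5:0/1171
Allocated by task 8055:
 save_stack+0x45/0xd0
 kasan_kmalloc+0xcf/0xe0
 __kmalloc_node_track_caller+0x4e/0x70
 __kmalloc_reserve.isra.0+0x40/0xe0
 __alloc_skb+0x12d/0x730
 vhci_write+0xc4/0x470
The buggy address belongs to the object at ffff88808739c4c0
 which belongs to the cache kmalloc-1k of size 1024
The buggy address is located 0 bytes to the right of
 1024-byte region [ffff88808739c4c0, ffff88808739c8c0)
Memory state around the buggy address:
 ffff88808739c800: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff88808739c880: 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc
 ffff88808739c900: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
"""

def parse_report(text):
    """Extract the fields a triager needs from a KASAN slab report."""
    bug, func = re.search(r"BUG: KASAN: (\S+) in (\S+?)\+0x", text).groups()
    kind, size, addr = re.search(r"(Read|Write) of size (\d+) at addr ([0-9a-f]+)", text).groups()
    cache, obj_size = re.search(r"cache (\S+) of size (\d+)", text).groups()
    start, end = re.search(r"region \[([0-9a-f]+), ([0-9a-f]+)\)", text).groups()
    alloc = re.search(r"Allocated by task (\d+):\n((?: .*\n)+)", text)
    frames = [ln.strip().split("+")[0] for ln in alloc.group(2).splitlines()]
    shadow = {}  # row base address -> its 16 shadow byte values
    for m in re.finditer(r"^[ >]([0-9a-f]{16}): ((?:[0-9a-f]{2} ?){16})$", text, re.M):
        shadow[int(m.group(1), 16)] = [int(b, 16) for b in m.group(2).split()]
    return dict(bug=bug, func=func, kind=kind.lower(), size=int(size), addr=int(addr, 16),
                cache=cache, obj_size=int(obj_size), obj_start=int(start, 16),
                obj_end=int(end, 16), alloc_task=int(alloc.group(1)), alloc_frames=frames,
                shadow=shadow)

def locate_access(rep):
    """Faulting byte relative to the object: ('left'|'inside'|'right', distance)."""
    a, s, e = rep["addr"], rep["obj_start"], rep["obj_end"]
    if a < s:
        return ("left", s - a)
    if a >= e:
        return ("right", a - e)
    return ("inside", a - s)

def shadow_byte(rep, addr):
    """Shadow value covering addr, or None when the dumped rows do not include it."""
    for base, row in rep["shadow"].items():
        if base <= addr < base + 16 * SHADOW_SCALE:
            return row[(addr - base) // SHADOW_SCALE]
    return None

def describe_shadow(value):
    if value is None:
        return "not in dump"
    if 1 <= value <= 7:
        return "partially addressable (%d bytes)" % value
    return SHADOW_LEGEND.get(value, "unknown 0x%02x" % value)

def allocation_site(rep):
    """First allocation-stack frame below the allocator plumbing."""
    for frame in rep["alloc_frames"]:
        if not frame.startswith(ALLOC_PLUMBING):
            return frame
    return None

def check_consistency(rep):
    """Cross-checks worth doing before trusting the headline; empty means consistent."""
    problems = []
    if rep["obj_end"] - rep["obj_start"] != rep["obj_size"]:
        problems.append("region length differs from cache object size")
    if shadow_byte(rep, rep["addr"]) == 0x00:
        problems.append("shadow marks the byte addressable; dump and verdict disagree")
    return problems

def triage(rep):
    """One-line verdict of the kind that goes into the bug tracker."""
    side, dist = locate_access(rep)
    return "%s in %s: %s of %d byte(s) at 0x%x, %d byte(s) %s the %s object; shadow: %s; allocated in %s by task %d" % (
        rep["bug"], rep["func"], rep["kind"], rep["size"], rep["addr"], dist, WHERE[side], rep["cache"],
        describe_shadow(shadow_byte(rep, rep["addr"])), allocation_site(rep), rep["alloc_task"])

if __name__ == "__main__":
    print(triage(parse_report(REPORT)))
    print("consistency problems:", check_consistency(parse_report(REPORT)) or "none")
```

Run as a script it prints the one-line verdict for this report: a 1-byte read 0 bytes past the end of the kmalloc-1k object, shadow 0xfc (kmalloc redzone), object allocated in vhci_write. The shadow lookup is the part worth keeping in your own tooling: each dumped row names the first kernel address it covers and holds 16 shadow bytes, so (addr - row_base) // 8 is the index of the byte KASAN complained about, which lets you verify the caret position and catch reports where the shadow dump and the headline disagree.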