[ ok ] Starting enhanced syslogd: rsyslogd.
[   40.290981] audit: type=1800 audit(1546853894.656:25): pid=7863 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="cron" dev="sda1" ino=2414 res=0
[   40.329019] audit: type=1800 audit(1546853894.666:26): pid=7863 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="mcstrans" dev="sda1" ino=2457 res=0
[   40.351185] audit: type=1800 audit(1546853894.666:27): pid=7863 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="restorecond" dev="sda1" ino=2436 res=0
[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.

Debian GNU/Linux 7 syzkaller ttyS0

Warning: Permanently added '10.128.0.74' (ECDSA) to the list of known hosts.
executing program
executing program
executing program
executing program
executing program

syzkaller login: [   51.873862] ==================================================================
[   51.881319] BUG: KASAN: slab-out-of-bounds in hci_event_packet+0xb33e/0xc22e
[   51.888607] Read of size 1 at addr ffff88808fbb1f40 by task kworker/u5:0/1170
[   51.895901] 
[   51.897538] CPU: 1 PID: 1170 Comm: kworker/u5:0 Not tainted 4.20.0+ #13
[   51.904279] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   51.913623] Workqueue: hci0 hci_rx_work
[   51.917593] Call Trace:
[   51.920169]  dump_stack+0x1db/0x2d0
[   51.923785]  ? dump_stack_print_info.cold+0x20/0x20
[   51.928790]  ? hci_event_packet+0xb33e/0xc22e
[   51.933307]  print_address_description.cold+0x7c/0x20d
[   51.938568]  ? hci_event_packet+0xb33e/0xc22e
[   51.943047]  ? hci_event_packet+0xb33e/0xc22e
[   51.947529]  kasan_report.cold+0x1b/0x40
[   51.951579]  ? hci_event_packet+0xb33e/0xc22e
[   51.956066]  __asan_report_load1_noabort+0x14/0x20
[   51.960984]  hci_event_packet+0xb33e/0xc22e
[   51.965308]  ? hci_cmd_complete_evt+0xbe60/0xbe60
[   51.970156]  ? up_write+0x1c0/0x230
[   51.973780]  ? unwind_next_frame+0x3b/0x50
[   51.978008]  ? graph_lock+0x280/0x280
[   51.981809]  ? save_stack_trace+0x1a/0x20
[   51.985941]  ? save_trace+0xe0/0x290
[   51.989644]  ? add_lock_to_list.isra.0+0x450/0x450
[   51.994579]  ? kasan_check_read+0x11/0x20
[   51.998716]  ? __lock_acquire+0x2514/0x4a30
[   52.003035]  ? print_usage_bug+0xd0/0xd0
[   52.007091]  ? skb_dequeue+0x12e/0x180
[   52.010974]  ? mark_held_locks+0xb1/0x100
[   52.015113]  ? _raw_spin_unlock_irqrestore+0x6b/0xe0
[   52.020204]  ? _raw_spin_unlock_irqrestore+0x6b/0xe0
[   52.025308]  ? trace_hardirqs_on+0xbd/0x310
[   52.029638]  ? kasan_check_read+0x11/0x20
[   52.033782]  ? skb_dequeue+0x12e/0x180
[   52.037673]  ? trace_hardirqs_off_caller+0x300/0x300
[   52.042789]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   52.048318]  ? hci_send_to_monitor+0x306/0x470
[   52.052890]  ? hci_sock_release+0x3c0/0x3c0
[   52.057201]  ? _raw_spin_unlock_irqrestore+0xa4/0xe0
[   52.062305]  hci_rx_work+0x578/0xcd0
[   52.066024]  ? hci_rx_work+0x578/0xcd0
[   52.069900]  ? find_held_lock+0x35/0x120
[   52.073964]  ? add_lock_to_list.isra.0+0x450/0x450
[   52.078888]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   52.084414]  ? hci_alloc_dev+0x21a0/0x21a0
[   52.088642]  ? __lock_is_held+0xb6/0x140
[   52.092708]  process_one_work+0xd0c/0x1ce0
[   52.096932]  ? __wake_up_common_lock+0x1db/0x390
[   52.101691]  ? pwq_dec_nr_in_flight+0x4a0/0x4a0
[   52.106349]  ? trace_hardirqs_off+0xb8/0x310
[   52.110751]  ? kasan_check_read+0x11/0x20
[   52.114905]  ? do_raw_spin_unlock+0xa0/0x330
[   52.119304]  ? do_raw_spin_trylock+0x270/0x270
[   52.123884]  ? __wake_up_common+0x7d0/0x7d0
[   52.128193]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   52.133719]  ? get_work_pool_id+0x1a0/0x1a0
[   52.138026]  ? trace_hardirqs_on_caller+0x310/0x310
[   52.143067]  worker_thread+0x143/0x14a0
[   52.147039]  ? process_one_work+0x1ce0/0x1ce0
[   52.151521]  ? __kthread_parkme+0xc3/0x1b0
[   52.155745]  ? lock_acquire+0x1db/0x570
[   52.159723]  ? _raw_spin_unlock_irqrestore+0x6b/0xe0
[   52.164864]  ? lockdep_hardirqs_on+0x415/0x5d0
[   52.169439]  ? trace_hardirqs_on+0xbd/0x310
[   52.173772]  ? kasan_check_read+0x11/0x20
[   52.177919]  ? __kthread_parkme+0xc3/0x1b0
[   52.182142]  ? trace_hardirqs_off_caller+0x300/0x300
[   52.187238]  ? do_raw_spin_trylock+0x270/0x270
[   52.191806]  ? schedule+0x108/0x350
[   52.195441]  ? _raw_spin_unlock_irqrestore+0xa4/0xe0
[   52.200538]  ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20
[   52.206097]  ? __kthread_parkme+0xfb/0x1b0
[   52.210346]  kthread+0x357/0x430
[   52.213708]  ? process_one_work+0x1ce0/0x1ce0
[   52.218189]  ? kthread_stop+0x920/0x920
[   52.222154]  ret_from_fork+0x3a/0x50
[   52.225858] 
[   52.227470] Allocated by task 8019:
[   52.231099]  save_stack+0x45/0xd0
[   52.234539]  kasan_kmalloc+0xcf/0xe0
[   52.238255]  __kmalloc_node_track_caller+0x4e/0x70
[   52.243185]  __kmalloc_reserve.isra.0+0x40/0xe0
[   52.247838]  __alloc_skb+0x12d/0x730
[   52.251550]  vhci_write+0xc4/0x470
[   52.255084]  __vfs_write+0x764/0xb40
[   52.258794]  vfs_write+0x20c/0x580
[   52.262354]  ksys_write+0x105/0x260
[   52.265965]  __x64_sys_write+0x73/0xb0
[   52.269841]  do_syscall_64+0x1a3/0x800
[   52.273724]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   52.278888] 
[   52.280497] Freed by task 0:
[   52.283501] (stack is not available)
[   52.287196] 
[   52.288821] The buggy address belongs to the object at ffff88808fbb1b40
[   52.288821]  which belongs to the cache kmalloc-1k of size 1024
[   52.301460] The buggy address is located 0 bytes to the right of
[   52.301460]  1024-byte region [ffff88808fbb1b40, ffff88808fbb1f40)
[   52.313745] The buggy address belongs to the page:
[   52.318667] page:ffffea00023eec00 count:1 mapcount:0 mapping:ffff88812c3f0ac0 index:0x0 compound_mapcount: 0
[   52.328622] flags: 0x1fffc0000010200(slab|head)
[   52.333298] raw: 01fffc0000010200 ffffea00023b8508 ffff88812c3f1848 ffff88812c3f0ac0
[   52.341185] raw: 0000000000000000 ffff88808fbb0040 0000000100000007 0000000000000000
[   52.349045] page dumped because: kasan: bad access detected
[   52.354734] 
[   52.356342] Memory state around the buggy address:
[   52.361256]  ffff88808fbb1e00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   52.368608]  ffff88808fbb1e80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   52.375970] >ffff88808fbb1f00: 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc
[   52.383311]                                            ^
[   52.388742]  ffff88808fbb1f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   52.396094]  ffff88808fbb2000: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   52.403440] ==================================================================
[   52.410793] Disabling lock debugging due to kernel taint
[   52.417302] Kernel panic - not syncing: panic_on_warn set ...
[   52.423251] CPU: 1 PID: 1170 Comm: kworker/u5:0 Tainted: G    B             4.20.0+ #13
[   52.431773] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   52.441122] Workqueue: hci0 hci_rx_work
[   52.445080] Call Trace:
[   52.447684]  dump_stack+0x1db/0x2d0
[   52.451324]  ? dump_stack_print_info.cold+0x20/0x20
[   52.456327]  panic+0x2cb/0x65c
[   52.459507]  ? add_taint.cold+0x16/0x16
[   52.463494]  ? hci_event_packet+0xb33e/0xc22e
[   52.467977]  ? preempt_schedule+0x4b/0x60
[   52.472130]  ? ___preempt_schedule+0x16/0x18
[   52.476526]  ? trace_hardirqs_on+0xb4/0x310
[   52.480843]  ? hci_event_packet+0xb33e/0xc22e
[   52.485328]  end_report+0x47/0x4f
[   52.488764]  ? hci_event_packet+0xb33e/0xc22e
[   52.493244]  kasan_report.cold+0xe/0x40
[   52.497210]  ? hci_event_packet+0xb33e/0xc22e
[   52.501726]  __asan_report_load1_noabort+0x14/0x20
[   52.506678]  hci_event_packet+0xb33e/0xc22e
[   52.511007]  ? hci_cmd_complete_evt+0xbe60/0xbe60
[   52.515856]  ? up_write+0x1c0/0x230
[   52.519485]  ? unwind_next_frame+0x3b/0x50
[   52.523718]  ? graph_lock+0x280/0x280
[   52.527543]  ? save_stack_trace+0x1a/0x20
[   52.531681]  ? save_trace+0xe0/0x290
[   52.535379]  ? add_lock_to_list.isra.0+0x450/0x450
[   52.540320]  ? kasan_check_read+0x11/0x20
[   52.544467]  ? __lock_acquire+0x2514/0x4a30
[   52.548772]  ? print_usage_bug+0xd0/0xd0
[   52.552831]  ? skb_dequeue+0x12e/0x180
[   52.556715]  ? mark_held_locks+0xb1/0x100
[   52.560852]  ? _raw_spin_unlock_irqrestore+0x6b/0xe0
[   52.565941]  ? _raw_spin_unlock_irqrestore+0x6b/0xe0
[   52.571035]  ? trace_hardirqs_on+0xbd/0x310
[   52.575339]  ? kasan_check_read+0x11/0x20
[   52.579469]  ? skb_dequeue+0x12e/0x180
[   52.583337]  ? trace_hardirqs_off_caller+0x300/0x300
[   52.588428]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   52.593953]  ? hci_send_to_monitor+0x306/0x470
[   52.598522]  ? hci_sock_release+0x3c0/0x3c0
[   52.602831]  ? _raw_spin_unlock_irqrestore+0xa4/0xe0
[   52.607919]  hci_rx_work+0x578/0xcd0
[   52.611617]  ? hci_rx_work+0x578/0xcd0
[   52.615491]  ? find_held_lock+0x35/0x120
[   52.619541]  ? add_lock_to_list.isra.0+0x450/0x450
[   52.624464]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   52.629984]  ? hci_alloc_dev+0x21a0/0x21a0
[   52.634204]  ? __lock_is_held+0xb6/0x140
[   52.638254]  process_one_work+0xd0c/0x1ce0
[   52.642476]  ? __wake_up_common_lock+0x1db/0x390
[   52.647232]  ? pwq_dec_nr_in_flight+0x4a0/0x4a0
[   52.651894]  ? trace_hardirqs_off+0xb8/0x310
[   52.656305]  ? kasan_check_read+0x11/0x20
[   52.660476]  ? do_raw_spin_unlock+0xa0/0x330
[   52.664892]  ? do_raw_spin_trylock+0x270/0x270
[   52.669509]  ? __wake_up_common+0x7d0/0x7d0
[   52.673829]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   52.679350]  ? get_work_pool_id+0x1a0/0x1a0
[   52.683687]  ? trace_hardirqs_on_caller+0x310/0x310
[   52.688698]  worker_thread+0x143/0x14a0
[   52.692669]  ? process_one_work+0x1ce0/0x1ce0
[   52.697182]  ? __kthread_parkme+0xc3/0x1b0
[   52.701400]  ? lock_acquire+0x1db/0x570
[   52.705360]  ? _raw_spin_unlock_irqrestore+0x6b/0xe0
[   52.710448]  ? lockdep_hardirqs_on+0x415/0x5d0
[   52.715035]  ? trace_hardirqs_on+0xbd/0x310
[   52.719340]  ? kasan_check_read+0x11/0x20
[   52.723470]  ? __kthread_parkme+0xc3/0x1b0
[   52.727692]  ? trace_hardirqs_off_caller+0x300/0x300
[   52.732781]  ? do_raw_spin_trylock+0x270/0x270
[   52.737347]  ? schedule+0x108/0x350
[   52.740964]  ? _raw_spin_unlock_irqrestore+0xa4/0xe0
[   52.746052]  ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20
[   52.751573]  ? __kthread_parkme+0xfb/0x1b0
[   52.755793]  kthread+0x357/0x430
[   52.759146]  ? process_one_work+0x1ce0/0x1ce0
[   52.763631]  ? kthread_stop+0x920/0x920
[   52.767641]  ret_from_fork+0x3a/0x50
[   52.772294] Kernel Offset: disabled
[   52.775917] Rebooting in 86400 seconds..