[....] Starting enhanced syslogd: rsyslogd[?25l[?1c7[ ok 8[?25h[?0c. [ 40.690907][ T26] audit: type=1800 audit(1546853823.981:25): pid=7890 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="cron" dev="sda1" ino=2414 res=0 [ 40.719627][ T26] audit: type=1800 audit(1546853823.981:26): pid=7890 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="mcstrans" dev="sda1" ino=2457 res=0 [ 40.753990][ T26] audit: type=1800 audit(1546853823.981:27): pid=7890 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="restorecond" dev="sda1" ino=2436 res=0 [....] Starting periodic command scheduler: cron[?25l[?1c7[ ok 8[?25h[?0c. [....] Starting OpenBSD Secure Shell server: sshd[?25l[?1c7[ ok 8[?25h[?0c. Debian GNU/Linux 7 syzkaller ttyS0 Warning: Permanently added '10.128.0.60' (ECDSA) to the list of known hosts. executing program executing program executing program executing program syzkaller login: [ 63.742136][ T1170] ================================================================== [ 63.750437][ T1170] BUG: KASAN: slab-out-of-bounds in hci_event_packet+0xad68/0xc19a [ 63.758349][ T1170] Read of size 1 at addr ffff88808fe99ac0 by task kworker/u5:0/1170 [ 63.766303][ T1170] [ 63.768614][ T1170] CPU: 0 PID: 1170 Comm: kworker/u5:0 Not tainted 4.20.0-next-20190107 #6 [ 63.777084][ T1170] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 63.787130][ T1170] Workqueue: hci0 hci_rx_work [ 63.791790][ T1170] Call Trace: [ 63.795070][ T1170] dump_stack+0x1db/0x2d0 [ 63.799387][ T1170] ? dump_stack_print_info.cold+0x20/0x20 [ 63.805090][ T1170] ? hci_event_packet+0xad68/0xc19a [ 63.810272][ T1170] print_address_description.cold+0x7c/0x20d [ 63.816227][ T1170] ? hci_event_packet+0xad68/0xc19a [ 63.821404][ T1170] ? hci_event_packet+0xad68/0xc19a [ 63.826582][ T1170] kasan_report.cold+0x1b/0x40 [ 63.831399][ T1170] ? hci_event_packet+0xad68/0xc19a [ 63.836599][ T1170] __asan_report_load1_noabort+0x14/0x20 [ 63.842209][ T1170] hci_event_packet+0xad68/0xc19a [ 63.847229][ T1170] ? hci_cmd_complete_evt+0xbe60/0xbe60 [ 63.852765][ T1170] ? __ww_mutex_wound+0xb0/0x2b0 [ 63.857690][ T1170] ? unwind_next_frame+0x3b/0x50 [ 63.862609][ T1170] ? graph_lock+0x280/0x280 [ 63.867094][ T1170] ? save_stack_trace+0x1a/0x20 [ 63.872044][ T1170] ? save_trace+0xe0/0x290 [ 63.876670][ T1170] ? add_lock_to_list.isra.0+0x450/0x450 [ 63.882616][ T1170] ? kasan_check_read+0x11/0x20 [ 63.887563][ T1170] ? __lock_acquire+0x24ed/0x4a10 [ 63.892563][ T1170] ? print_usage_bug+0xd0/0xd0 [ 63.897308][ T1170] ? skb_dequeue+0x12e/0x180 [ 63.901883][ T1170] ? mark_held_locks+0xb1/0x100 [ 63.906713][ T1170] ? _raw_spin_unlock_irqrestore+0x6b/0xe0 [ 63.912509][ T1170] ? _raw_spin_unlock_irqrestore+0x6b/0xe0 [ 63.918301][ T1170] ? trace_hardirqs_on+0xbd/0x310 [ 63.923302][ T1170] ? kasan_check_read+0x11/0x20 [ 63.928131][ T1170] ? skb_dequeue+0x12e/0x180 [ 63.932802][ T1170] ? trace_hardirqs_off_caller+0x300/0x300 [ 63.938593][ T1170] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 63.944920][ T1170] ? hci_send_to_monitor+0x306/0x470 [ 63.950185][ T1170] ? hci_sock_release+0x3c0/0x3c0 [ 63.955190][ T1170] ? _raw_spin_unlock_irqrestore+0xa4/0xe0 [ 63.960978][ T1170] hci_rx_work+0x578/0xcd0 [ 63.965372][ T1170] ? hci_rx_work+0x578/0xcd0 [ 63.969936][ T1170] ? find_held_lock+0x35/0x120 [ 63.974677][ T1170] ? add_lock_to_list.isra.0+0x450/0x450 [ 63.980291][ T1170] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 63.986505][ T1170] ? hci_alloc_dev+0x21a0/0x21a0 [ 63.991422][ T1170] ? __lock_is_held+0xb6/0x140 [ 63.996173][ T1170] process_one_work+0xd0c/0x1ce0 [ 64.001087][ T1170] ? __wake_up_common_lock+0x1db/0x390 [ 64.006531][ T1170] ? pwq_dec_nr_in_flight+0x4a0/0x4a0 [ 64.011884][ T1170] ? trace_hardirqs_off+0xb8/0x310 [ 64.017040][ T1170] ? kasan_check_read+0x11/0x20 [ 64.021883][ T1170] ? do_raw_spin_unlock+0xa0/0x330 [ 64.026973][ T1170] ? do_raw_spin_trylock+0x270/0x270 [ 64.032248][ T1170] ? __wake_up_common+0x7d0/0x7d0 [ 64.037256][ T1170] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 64.043478][ T1170] ? wq_watchdog_reset_touched+0x180/0x180 [ 64.049260][ T1170] ? trace_hardirqs_on_caller+0x310/0x310 [ 64.054963][ T1170] worker_thread+0x143/0x14a0 [ 64.059624][ T1170] ? process_one_work+0x1ce0/0x1ce0 [ 64.064796][ T1170] ? __kthread_parkme+0xc3/0x1b0 [ 64.069708][ T1170] ? lock_acquire+0x1db/0x570 [ 64.074446][ T1170] ? _raw_spin_unlock_irqrestore+0x6b/0xe0 [ 64.080243][ T1170] ? lockdep_hardirqs_on+0x415/0x5d0 [ 64.085506][ T1170] ? trace_hardirqs_on+0xbd/0x310 [ 64.090508][ T1170] ? kasan_check_read+0x11/0x20 [ 64.095339][ T1170] ? __kthread_parkme+0xc3/0x1b0 [ 64.100260][ T1170] ? trace_hardirqs_off_caller+0x300/0x300 [ 64.106043][ T1170] ? do_raw_spin_trylock+0x270/0x270 [ 64.111384][ T1170] ? schedule+0x108/0x350 [ 64.115700][ T1170] ? _raw_spin_unlock_irqrestore+0xa4/0xe0 [ 64.121489][ T1170] ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20 [ 64.127712][ T1170] ? __kthread_parkme+0xfb/0x1b0 [ 64.132640][ T1170] kthread+0x357/0x430 [ 64.136695][ T1170] ? process_one_work+0x1ce0/0x1ce0 [ 64.141871][ T1170] ? kthread_stop+0x920/0x920 [ 64.146531][ T1170] ret_from_fork+0x3a/0x50 [ 64.150928][ T1170] [ 64.153230][ T1170] Allocated by task 8045: [ 64.157537][ T1170] save_stack+0x45/0xd0 [ 64.161666][ T1170] kasan_kmalloc+0xcf/0xe0 [ 64.166053][ T1170] __kmalloc_node_track_caller+0x4e/0x70 [ 64.171661][ T1170] __kmalloc_reserve.isra.0+0x40/0xe0 [ 64.177005][ T1170] __alloc_skb+0x12d/0x730 [ 64.181401][ T1170] vhci_write+0xc4/0x470 [ 64.185618][ T1170] __vfs_write+0x764/0xb40 [ 64.190006][ T1170] vfs_write+0x20c/0x580 [ 64.194222][ T1170] ksys_write+0x105/0x260 [ 64.198528][ T1170] __x64_sys_write+0x73/0xb0 [ 64.203101][ T1170] do_syscall_64+0x1a3/0x800 [ 64.207671][ T1170] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 64.213536][ T1170] [ 64.215837][ T1170] Freed by task 0: [ 64.219532][ T1170] (stack is not available) [ 64.223921][ T1170] [ 64.226228][ T1170] The buggy address belongs to the object at ffff88808fe996c0 [ 64.226228][ T1170] which belongs to the cache kmalloc-1k of size 1024 [ 64.240256][ T1170] The buggy address is located 0 bytes to the right of [ 64.240256][ T1170] 1024-byte region [ffff88808fe996c0, ffff88808fe99ac0) [ 64.253930][ T1170] The buggy address belongs to the page: [ 64.259581][ T1170] page:ffffea00023fa600 count:1 mapcount:0 mapping:ffff88812c3f0ac0 index:0x0 compound_mapcount: 0 [ 64.270233][ T1170] flags: 0x1fffc0000010200(slab|head) [ 64.275736][ T1170] raw: 01fffc0000010200 ffffea00023d1388 ffff88812c3f1848 ffff88812c3f0ac0 [ 64.284299][ T1170] raw: 0000000000000000 ffff88808fe98040 0000000100000007 0000000000000000 [ 64.292860][ T1170] page dumped because: kasan: bad access detected [ 64.299248][ T1170] [ 64.301552][ T1170] Memory state around the buggy address: [ 64.307316][ T1170] ffff88808fe99980: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 64.315359][ T1170] ffff88808fe99a00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 64.323400][ T1170] >ffff88808fe99a80: 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc [ 64.331551][ T1170] ^ [ 64.337691][ T1170] ffff88808fe99b00: fc fc fc fc fc fc fc fc 00 00 00 00 00 00 00 00 [ 64.345739][ T1170] ffff88808fe99b80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 64.353892][ T1170] ================================================================== [ 64.361929][ T1170] Disabling lock debugging due to kernel taint [ 64.368190][ T1170] Kernel panic - not syncing: panic_on_warn set ... [ 64.374771][ T1170] CPU: 0 PID: 1170 Comm: kworker/u5:0 Tainted: G B 4.20.0-next-20190107 #6 [ 64.384633][ T1170] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 64.394678][ T1170] Workqueue: hci0 hci_rx_work [ 64.399328][ T1170] Call Trace: [ 64.402750][ T1170] dump_stack+0x1db/0x2d0 [ 64.407062][ T1170] ? dump_stack_print_info.cold+0x20/0x20 [ 64.412761][ T1170] panic+0x2cb/0x65c [ 64.416676][ T1170] ? add_taint.cold+0x16/0x16 [ 64.421338][ T1170] ? hci_event_packet+0xad68/0xc19a [ 64.426516][ T1170] ? preempt_schedule+0x4b/0x60 [ 64.431344][ T1170] ? ___preempt_schedule+0x16/0x18 [ 64.436557][ T1170] ? trace_hardirqs_on+0xb4/0x310 [ 64.441561][ T1170] ? hci_event_packet+0xad68/0xc19a [ 64.446746][ T1170] end_report+0x47/0x4f [ 64.450876][ T1170] ? hci_event_packet+0xad68/0xc19a [ 64.456054][ T1170] kasan_report.cold+0xe/0x40 [ 64.460707][ T1170] ? hci_event_packet+0xad68/0xc19a [ 64.465890][ T1170] __asan_report_load1_noabort+0x14/0x20 [ 64.471498][ T1170] hci_event_packet+0xad68/0xc19a [ 64.476500][ T1170] ? hci_cmd_complete_evt+0xbe60/0xbe60 [ 64.482023][ T1170] ? __ww_mutex_wound+0xb0/0x2b0 [ 64.486935][ T1170] ? unwind_next_frame+0x3b/0x50 [ 64.491853][ T1170] ? graph_lock+0x280/0x280 [ 64.496404][ T1170] ? save_stack_trace+0x1a/0x20 [ 64.501234][ T1170] ? save_trace+0xe0/0x290 [ 64.505930][ T1170] ? add_lock_to_list.isra.0+0x450/0x450 [ 64.511540][ T1170] ? kasan_check_read+0x11/0x20 [ 64.516370][ T1170] ? __lock_acquire+0x24ed/0x4a10 [ 64.521375][ T1170] ? print_usage_bug+0xd0/0xd0 [ 64.526119][ T1170] ? skb_dequeue+0x12e/0x180 [ 64.530692][ T1170] ? mark_held_locks+0xb1/0x100 [ 64.535538][ T1170] ? _raw_spin_unlock_irqrestore+0x6b/0xe0 [ 64.541324][ T1170] ? _raw_spin_unlock_irqrestore+0x6b/0xe0 [ 64.547245][ T1170] ? trace_hardirqs_on+0xbd/0x310 [ 64.552357][ T1170] ? kasan_check_read+0x11/0x20 [ 64.557186][ T1170] ? skb_dequeue+0x12e/0x180 [ 64.561764][ T1170] ? trace_hardirqs_off_caller+0x300/0x300 [ 64.567549][ T1170] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 64.573768][ T1170] ? hci_send_to_monitor+0x306/0x470 [ 64.579030][ T1170] ? hci_sock_release+0x3c0/0x3c0 [ 64.584033][ T1170] ? _raw_spin_unlock_irqrestore+0xa4/0xe0 [ 64.589826][ T1170] hci_rx_work+0x578/0xcd0 [ 64.594224][ T1170] ? hci_rx_work+0x578/0xcd0 [ 64.598788][ T1170] ? find_held_lock+0x35/0x120 [ 64.603526][ T1170] ? add_lock_to_list.isra.0+0x450/0x450 [ 64.609134][ T1170] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 64.615345][ T1170] ? hci_alloc_dev+0x21a0/0x21a0 [ 64.620262][ T1170] ? __lock_is_held+0xb6/0x140 [ 64.625014][ T1170] process_one_work+0xd0c/0x1ce0 [ 64.629926][ T1170] ? __wake_up_common_lock+0x1db/0x390 [ 64.635411][ T1170] ? pwq_dec_nr_in_flight+0x4a0/0x4a0 [ 64.640766][ T1170] ? trace_hardirqs_off+0xb8/0x310 [ 64.645854][ T1170] ? kasan_check_read+0x11/0x20 [ 64.650688][ T1170] ? do_raw_spin_unlock+0xa0/0x330 [ 64.655780][ T1170] ? do_raw_spin_trylock+0x270/0x270 [ 64.661047][ T1170] ? __wake_up_common+0x7d0/0x7d0 [ 64.666047][ T1170] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 64.672265][ T1170] ? wq_watchdog_reset_touched+0x180/0x180 [ 64.678046][ T1170] ? trace_hardirqs_on_caller+0x310/0x310 [ 64.683748][ T1170] worker_thread+0x143/0x14a0 [ 64.688405][ T1170] ? process_one_work+0x1ce0/0x1ce0 [ 64.693575][ T1170] ? __kthread_parkme+0xc3/0x1b0 [ 64.698488][ T1170] ? lock_acquire+0x1db/0x570 [ 64.703142][ T1170] ? _raw_spin_unlock_irqrestore+0x6b/0xe0 [ 64.708968][ T1170] ? lockdep_hardirqs_on+0x415/0x5d0 [ 64.714235][ T1170] ? trace_hardirqs_on+0xbd/0x310 [ 64.719233][ T1170] ? kasan_check_read+0x11/0x20 [ 64.724057][ T1170] ? __kthread_parkme+0xc3/0x1b0 [ 64.728968][ T1170] ? trace_hardirqs_off_caller+0x300/0x300 [ 64.734755][ T1170] ? do_raw_spin_trylock+0x270/0x270 [ 64.740012][ T1170] ? schedule+0x108/0x350 [ 64.744318][ T1170] ? _raw_spin_unlock_irqrestore+0xa4/0xe0 [ 64.750100][ T1170] ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20 [ 64.756320][ T1170] ? __kthread_parkme+0xfb/0x1b0 [ 64.761342][ T1170] kthread+0x357/0x430 [ 64.765390][ T1170] ? process_one_work+0x1ce0/0x1ce0 [ 64.770564][ T1170] ? kthread_stop+0x920/0x920 [ 64.775287][ T1170] ret_from_fork+0x3a/0x50 [ 64.780568][ T1170] Kernel Offset: disabled [ 64.784888][ T1170] Rebooting in 86400 seconds..