[ ok ] Starting enhanced syslogd: rsyslogd.
[   40.521321] audit: type=1800 audit(1546853910.698:25): pid=7925 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="cron" dev="sda1" ino=2414 res=0
[   40.559516] audit: type=1800 audit(1546853910.698:26): pid=7925 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="mcstrans" dev="sda1" ino=2457 res=0
[   40.594303] audit: type=1800 audit(1546853910.708:27): pid=7925 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="restorecond" dev="sda1" ino=2436 res=0
[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.

Debian GNU/Linux 7 syzkaller ttyS0

Warning: Permanently added '10.128.0.72' (ECDSA) to the list of known hosts.
executing program
executing program
executing program

syzkaller login: [   50.859651] ==================================================================
[   50.867089] BUG: KASAN: slab-out-of-bounds in hci_event_packet+0xb33e/0xc22e
[   50.874258] Read of size 1 at addr ffff8880944891c0 by task kworker/u5:0/1172
[   50.881505]
[   50.883114] CPU: 0 PID: 1172 Comm: kworker/u5:0 Not tainted 4.20.0+ #13
[   50.889844] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   50.899183] Workqueue: hci0 hci_rx_work
[   50.903146] Call Trace:
[   50.905758]  dump_stack+0x1db/0x2d0
[   50.909373]  ? dump_stack_print_info.cold+0x20/0x20
[   50.914378]  ? hci_event_packet+0xb33e/0xc22e
[   50.918860]  print_address_description.cold+0x7c/0x20d
[   50.924133]  ? hci_event_packet+0xb33e/0xc22e
[   50.928612]  ? hci_event_packet+0xb33e/0xc22e
[   50.933108]  kasan_report.cold+0x1b/0x40
[   50.937155]  ? hci_event_packet+0xb33e/0xc22e
[   50.941637]  __asan_report_load1_noabort+0x14/0x20
[   50.946547]  hci_event_packet+0xb33e/0xc22e
[   50.950860]  ? hci_cmd_complete_evt+0xbe60/0xbe60
[   50.955686]  ? up_write+0x1c0/0x230
[   50.959300]  ? unwind_next_frame+0x3b/0x50
[   50.963529]  ? graph_lock+0x280/0x280
[   50.967328]  ? save_stack_trace+0x1a/0x20
[   50.971475]  ? save_trace+0xe0/0x290
[   50.975170]  ? add_lock_to_list.isra.0+0x450/0x450
[   50.980093]  ? kasan_check_read+0x11/0x20
[   50.984225]  ? __lock_acquire+0x2514/0x4a30
[   50.988529]  ? print_usage_bug+0xd0/0xd0
[   50.992587]  ? skb_dequeue+0x12e/0x180
[   50.996457]  ? mark_held_locks+0xb1/0x100
[   51.000591]  ? _raw_spin_unlock_irqrestore+0x6b/0xe0
[   51.005676]  ? _raw_spin_unlock_irqrestore+0x6b/0xe0
[   51.010762]  ? trace_hardirqs_on+0xbd/0x310
[   51.015082]  ? kasan_check_read+0x11/0x20
[   51.019216]  ? skb_dequeue+0x12e/0x180
[   51.023094]  ? trace_hardirqs_off_caller+0x300/0x300
[   51.028181]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   51.033757]  ? hci_send_to_monitor+0x306/0x470
[   51.038324]  ? hci_sock_release+0x3c0/0x3c0
[   51.042640]  ? _raw_spin_unlock_irqrestore+0xa4/0xe0
[   51.047727]  hci_rx_work+0x578/0xcd0
[   51.051424]  ? hci_rx_work+0x578/0xcd0
[   51.055291]  ? find_held_lock+0x35/0x120
[   51.059336]  ? add_lock_to_list.isra.0+0x450/0x450
[   51.064274]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   51.069794]  ? hci_alloc_dev+0x21a0/0x21a0
[   51.074017]  ? __lock_is_held+0xb6/0x140
[   51.078069]  process_one_work+0xd0c/0x1ce0
[   51.082286]  ? __wake_up_common_lock+0x1db/0x390
[   51.087030]  ? pwq_dec_nr_in_flight+0x4a0/0x4a0
[   51.091689]  ? trace_hardirqs_off+0xb8/0x310
[   51.096092]  ? kasan_check_read+0x11/0x20
[   51.100240]  ? do_raw_spin_unlock+0xa0/0x330
[   51.104648]  ? do_raw_spin_trylock+0x270/0x270
[   51.109227]  ? __wake_up_common+0x7d0/0x7d0
[   51.113532]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   51.119055]  ? get_work_pool_id+0x1a0/0x1a0
[   51.123359]  ? trace_hardirqs_on_caller+0x310/0x310
[   51.128546]  worker_thread+0x143/0x14a0
[   51.132545]  ? process_one_work+0x1ce0/0x1ce0
[   51.137022]  ? __kthread_parkme+0xc3/0x1b0
[   51.141255]  ? lock_acquire+0x1db/0x570
[   51.145217]  ? _raw_spin_unlock_irqrestore+0x6b/0xe0
[   51.150304]  ? lockdep_hardirqs_on+0x415/0x5d0
[   51.154883]  ? trace_hardirqs_on+0xbd/0x310
[   51.159189]  ? kasan_check_read+0x11/0x20
[   51.163322]  ? __kthread_parkme+0xc3/0x1b0
[   51.167537]  ? trace_hardirqs_off_caller+0x300/0x300
[   51.172637]  ? do_raw_spin_trylock+0x270/0x270
[   51.177214]  ? schedule+0x108/0x350
[   51.180852]  ? _raw_spin_unlock_irqrestore+0xa4/0xe0
[   51.185982]  ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20
[   51.191503]  ? __kthread_parkme+0xfb/0x1b0
[   51.195736]  kthread+0x357/0x430
[   51.199085]  ? process_one_work+0x1ce0/0x1ce0
[   51.203559]  ? kthread_stop+0x920/0x920
[   51.207519]  ret_from_fork+0x3a/0x50
[   51.211224]
[   51.212835] Allocated by task 8080:
[   51.216475]  save_stack+0x45/0xd0
[   51.219923]  kasan_kmalloc+0xcf/0xe0
[   51.223617]  __kmalloc_node_track_caller+0x4e/0x70
[   51.228530]  __kmalloc_reserve.isra.0+0x40/0xe0
[   51.233181]  __alloc_skb+0x12d/0x730
[   51.236893]  vhci_write+0xc4/0x470
[   51.240413]  __vfs_write+0x764/0xb40
[   51.244109]  vfs_write+0x20c/0x580
[   51.247631]  ksys_write+0x105/0x260
[   51.251239]  __ia32_sys_write+0x71/0xb0
[   51.255203]  do_fast_syscall_32+0x333/0xf98
[   51.259514]  entry_SYSENTER_compat+0x70/0x7f
[   51.263899]
[   51.265505] Freed by task 0:
[   51.268501] (stack is not available)
[   51.272204]
[   51.273815] The buggy address belongs to the object at ffff888094488dc0
[   51.273815]  which belongs to the cache kmalloc-1k of size 1024
[   51.286451] The buggy address is located 0 bytes to the right of
[   51.286451]  1024-byte region [ffff888094488dc0, ffff8880944891c0)
[   51.298733] The buggy address belongs to the page:
[   51.303659] page:ffffea0002512200 count:1 mapcount:0 mapping:ffff88812c3f0ac0 index:0x0 compound_mapcount: 0
[   51.313605] flags: 0x1fffc0000010200(slab|head)
[   51.318260] raw: 01fffc0000010200 ffffea00024c7388 ffffea0002456288 ffff88812c3f0ac0
[   51.326133] raw: 0000000000000000 ffff888094488040 0000000100000007 0000000000000000
[   51.334006] page dumped because: kasan: bad access detected
[   51.339692]
[   51.341299] Memory state around the buggy address:
[   51.346235]  ffff888094489080: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   51.353575]  ffff888094489100: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   51.360929] >ffff888094489180: 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc
[   51.368267]                                            ^
[   51.373694]  ffff888094489200: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
[   51.381047]  ffff888094489280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   51.388380] ==================================================================
[   51.395713] Disabling lock debugging due to kernel taint
[   51.402164] Kernel panic - not syncing: panic_on_warn set ...
[   51.408082] CPU: 0 PID: 1172 Comm: kworker/u5:0 Tainted: G    B             4.20.0+ #13
[   51.416212] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   51.425550] Workqueue: hci0 hci_rx_work
[   51.429519] Call Trace:
[   51.432123]  dump_stack+0x1db/0x2d0
[   51.435742]  ? dump_stack_print_info.cold+0x20/0x20
[   51.440744]  panic+0x2cb/0x65c
[   51.443918]  ? add_taint.cold+0x16/0x16
[   51.447874]  ? hci_event_packet+0xb33e/0xc22e
[   51.452364]  ? preempt_schedule+0x4b/0x60
[   51.456492]  ? ___preempt_schedule+0x16/0x18
[   51.460901]  ? trace_hardirqs_on+0xb4/0x310
[   51.465226]  ? hci_event_packet+0xb33e/0xc22e
[   51.469744]  end_report+0x47/0x4f
[   51.473176]  ? hci_event_packet+0xb33e/0xc22e
[   51.477674]  kasan_report.cold+0xe/0x40
[   51.481630]  ? hci_event_packet+0xb33e/0xc22e
[   51.486146]  __asan_report_load1_noabort+0x14/0x20
[   51.491055]  hci_event_packet+0xb33e/0xc22e
[   51.495364]  ? hci_cmd_complete_evt+0xbe60/0xbe60
[   51.500201]  ? up_write+0x1c0/0x230
[   51.503814]  ? unwind_next_frame+0x3b/0x50
[   51.508032]  ? graph_lock+0x280/0x280
[   51.511840]  ? save_stack_trace+0x1a/0x20
[   51.515973]  ? save_trace+0xe0/0x290
[   51.519678]  ? add_lock_to_list.isra.0+0x450/0x450
[   51.524592]  ? kasan_check_read+0x11/0x20
[   51.528720]  ? __lock_acquire+0x2514/0x4a30
[   51.533056]  ? print_usage_bug+0xd0/0xd0
[   51.537097]  ? skb_dequeue+0x12e/0x180
[   51.540980]  ? mark_held_locks+0xb1/0x100
[   51.545120]  ? _raw_spin_unlock_irqrestore+0x6b/0xe0
[   51.550216]  ? _raw_spin_unlock_irqrestore+0x6b/0xe0
[   51.555319]  ? trace_hardirqs_on+0xbd/0x310
[   51.559633]  ? kasan_check_read+0x11/0x20
[   51.563758]  ? skb_dequeue+0x12e/0x180
[   51.567626]  ? trace_hardirqs_off_caller+0x300/0x300
[   51.572712]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   51.578235]  ? hci_send_to_monitor+0x306/0x470
[   51.582825]  ? hci_sock_release+0x3c0/0x3c0
[   51.587231]  ? _raw_spin_unlock_irqrestore+0xa4/0xe0
[   51.592347]  hci_rx_work+0x578/0xcd0
[   51.596042]  ? hci_rx_work+0x578/0xcd0
[   51.599925]  ? find_held_lock+0x35/0x120
[   51.603968]  ? add_lock_to_list.isra.0+0x450/0x450
[   51.608880]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   51.614399]  ? hci_alloc_dev+0x21a0/0x21a0
[   51.618620]  ? __lock_is_held+0xb6/0x140
[   51.622668]  process_one_work+0xd0c/0x1ce0
[   51.626901]  ? __wake_up_common_lock+0x1db/0x390
[   51.631641]  ? pwq_dec_nr_in_flight+0x4a0/0x4a0
[   51.636292]  ? trace_hardirqs_off+0xb8/0x310
[   51.640681]  ? kasan_check_read+0x11/0x20
[   51.644811]  ? do_raw_spin_unlock+0xa0/0x330
[   51.649227]  ? do_raw_spin_trylock+0x270/0x270
[   51.653800]  ? __wake_up_common+0x7d0/0x7d0
[   51.658103]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   51.663621]  ? get_work_pool_id+0x1a0/0x1a0
[   51.667923]  ? trace_hardirqs_on_caller+0x310/0x310
[   51.672935]  worker_thread+0x143/0x14a0
[   51.676908]  ? process_one_work+0x1ce0/0x1ce0
[   51.681388]  ? __kthread_parkme+0xc3/0x1b0
[   51.685605]  ? lock_acquire+0x1db/0x570
[   51.689565]  ? _raw_spin_unlock_irqrestore+0x6b/0xe0
[   51.694666]  ? lockdep_hardirqs_on+0x415/0x5d0
[   51.699238]  ? trace_hardirqs_on+0xbd/0x310
[   51.703554]  ? kasan_check_read+0x11/0x20
[   51.707682]  ? __kthread_parkme+0xc3/0x1b0
[   51.711899]  ? trace_hardirqs_off_caller+0x300/0x300
[   51.716982]  ? do_raw_spin_trylock+0x270/0x270
[   51.721542]  ? schedule+0x108/0x350
[   51.725155]  ? _raw_spin_unlock_irqrestore+0xa4/0xe0
[   51.730239]  ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20
[   51.735760]  ? __kthread_parkme+0xfb/0x1b0
[   51.739979]  kthread+0x357/0x430
[   51.743329]  ? process_one_work+0x1ce0/0x1ce0
[   51.747806]  ? kthread_stop+0x920/0x920
[   51.751796]  ret_from_fork+0x3a/0x50
[   51.756538] Kernel Offset: disabled
[   51.760162] Rebooting in 86400 seconds..