[ 42.631770] audit: type=1800 audit(1577912157.623:31): pid=7645 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:kernel_t:s0 op=collect_data cause=failed(directio) comm="startpar" name="restorecond" dev="sda1" ino=2469 res=0
[ 42.660152] audit: type=1800 audit(1577912157.633:32): pid=7645 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:kernel_t:s0 op=collect_data cause=failed(directio) comm="startpar" name="ssh" dev="sda1" ino=2450 res=0
[ ok ] Starting periodic command scheduler: cron.
Starting mcstransd:
[ ok ] Starting OpenBSD Secure Shell server: sshd.
[ ok ] Starting file context maintaining daemon: restorecond.

Debian GNU/Linux 7 syzkaller ttyS0

Warning: Permanently added '10.128.0.133' (ECDSA) to the list of known hosts.
executing program
executing program
executing program
executing program
syzkaller login:
[ 51.165226] kauditd_printk_skb: 3 callbacks suppressed
[ 51.165243] audit: type=1400 audit(1577912166.213:36): avc: denied { map } for pid=7830 comm="syz-executor358" path="/root/syz-executor358128003" dev="sda1" ino=16484 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
executing program
[ 61.467477] ==================================================================
[ 61.474992] BUG: KASAN: slab-out-of-bounds in bacpy+0x23/0x30
[ 61.480869] Read of size 6 at addr ffff8880911a0208 by task kworker/u5:0/1204
[ 61.488123]
[ 61.489770] CPU: 1 PID: 1204 Comm: kworker/u5:0 Not tainted 4.19.92-syzkaller #0
[ 61.497290] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 61.506654] Workqueue: hci0 hci_rx_work
[ 61.510626] Call Trace:
[ 61.513207]  dump_stack+0x197/0x210
[ 61.516828]  ? bacpy+0x23/0x30
[ 61.520024]  print_address_description.cold+0x7c/0x20d
[ 61.525289]  ? bacpy+0x23/0x30
[ 61.528473]  kasan_report.cold+0x8c/0x2ba
[ 61.532617]  check_memory_region+0x123/0x190
[ 61.537020]  memcpy+0x24/0x50
[ 61.540127]  bacpy+0x23/0x30
[ 61.543145]  hci_event_packet+0x48fb/0xaa40
[ 61.547460]  ? hci_cmd_complete_evt+0xb920/0xb920
[ 61.552295]  ? check_usage+0x550/0x560
[ 61.556260]  ? __lock_acquire+0x23a3/0x49c0
[ 61.560589]  ? skb_dequeue+0x12e/0x180
[ 61.564471]  ? find_held_lock+0x35/0x130
[ 61.568518]  ? skb_dequeue+0x12e/0x180
[ 61.572401]  ? _raw_spin_unlock_irqrestore+0x6b/0xe0
[ 61.577493]  ? skb_dequeue+0x12e/0x180
[ 61.581370]  ? _raw_spin_unlock_irqrestore+0x6b/0xe0
[ 61.586467]  ? lockdep_hardirqs_on+0x415/0x5d0
[ 61.591038]  ? trace_hardirqs_on+0x67/0x220
[ 61.595356]  hci_rx_work+0x478/0xae0
[ 61.599063]  ? hci_rx_work+0x478/0xae0
[ 61.602974]  process_one_work+0x989/0x1750
[ 61.607207]  ? pwq_dec_nr_in_flight+0x320/0x320
[ 61.611865]  ? lock_acquire+0x16f/0x3f0
[ 61.615843]  ? kasan_check_write+0x14/0x20
[ 61.620065]  ? do_raw_spin_lock+0xc8/0x240
[ 61.624299]  worker_thread+0x98/0xe40
[ 61.628104]  kthread+0x354/0x420
[ 61.631463]  ? process_one_work+0x1750/0x1750
[ 61.635949]  ? kthread_cancel_delayed_work_sync+0x20/0x20
[ 61.641490]  ret_from_fork+0x24/0x30
[ 61.645200]
[ 61.646813] Allocated by task 7837:
[ 61.650442]  save_stack+0x45/0xd0
[ 61.653886]  kasan_kmalloc+0xce/0xf0
[ 61.657586]  __kmalloc_node_track_caller+0x51/0x80
[ 61.662505]  __kmalloc_reserve.isra.0+0x40/0xf0
[ 61.667270]  __alloc_skb+0x10b/0x5f0
[ 61.670992]  vhci_write+0xc4/0x470
[ 61.674537]  __vfs_write+0x587/0x810
[ 61.678249]  vfs_write+0x20c/0x560
[ 61.681969]  ksys_write+0x14f/0x2d0
[ 61.685589]  __x64_sys_write+0x73/0xb0
[ 61.689484]  do_syscall_64+0xfd/0x620
[ 61.693274]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 61.698445]
[ 61.700057] Freed by task 0:
[ 61.703055] (stack is not available)
[ 61.706747]
[ 61.708364] The buggy address belongs to the object at ffff8880911a0000
[ 61.708364]  which belongs to the cache kmalloc-512 of size 512
[ 61.721535] The buggy address is located 8 bytes to the right of
[ 61.721535]  512-byte region [ffff8880911a0000, ffff8880911a0200)
[ 61.733742] The buggy address belongs to the page:
[ 61.738668] page:ffffea0002446800 count:1 mapcount:0 mapping:ffff88812c31c940 index:0x0
[ 61.746796] flags: 0xfffe0000000100(slab)
[ 61.750938] raw: 00fffe0000000100 ffffea00026db9c8 ffffea00022e6348 ffff88812c31c940
[ 61.758811] raw: 0000000000000000 ffff8880911a0000 0000000100000006 0000000000000000
[ 61.766676] page dumped because: kasan: bad access detected
[ 61.772366]
[ 61.773980] Memory state around the buggy address:
[ 61.778910]  ffff8880911a0100: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 61.786260]  ffff8880911a0180: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 61.793608] >ffff8880911a0200: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 61.800947]                                            ^
[ 61.804559]  ffff8880911a0280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 61.811906]  ffff8880911a0300: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 61.819337] ==================================================================
[ 61.826686] Disabling lock debugging due to kernel taint
[ 61.832665] Kernel panic - not syncing: panic_on_warn set ...
[ 61.832665]
[ 61.840034] CPU: 1 PID: 1204 Comm: kworker/u5:0 Tainted: G B 4.19.92-syzkaller #0
[ 61.848997] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 61.858359] Workqueue: hci0 hci_rx_work
[ 61.862312] Call Trace:
[ 61.864888]  dump_stack+0x197/0x210
[ 61.868498]  ? bacpy+0x23/0x30
[ 61.871707]  panic+0x26a/0x50e
[ 61.874887]  ? __warn_printk+0xf3/0xf3
[ 61.878880]  ? bacpy+0x23/0x30
[ 61.882058]  ? preempt_schedule+0x4b/0x60
[ 61.886288]  ? ___preempt_schedule+0x16/0x18
[ 61.890711]  ? trace_hardirqs_on+0x5e/0x220
[ 61.895041]  ? bacpy+0x23/0x30
[ 61.898231]  kasan_end_report+0x47/0x4f
[ 61.902197]  kasan_report.cold+0xa9/0x2ba
[ 61.906444]  check_memory_region+0x123/0x190
[ 61.910871]  memcpy+0x24/0x50
[ 61.913979]  bacpy+0x23/0x30
[ 61.917039]  hci_event_packet+0x48fb/0xaa40
[ 61.921363]  ? hci_cmd_complete_evt+0xb920/0xb920
[ 61.926198]  ? check_usage+0x550/0x560
[ 61.930075]  ? __lock_acquire+0x23a3/0x49c0
[ 61.934438]  ? skb_dequeue+0x12e/0x180
[ 61.938348]  ? find_held_lock+0x35/0x130
[ 61.942391]  ? skb_dequeue+0x12e/0x180
[ 61.946264]  ? _raw_spin_unlock_irqrestore+0x6b/0xe0
[ 61.951346]  ? skb_dequeue+0x12e/0x180
[ 61.955258]  ? _raw_spin_unlock_irqrestore+0x6b/0xe0
[ 61.960348]  ? lockdep_hardirqs_on+0x415/0x5d0
[ 61.964914]  ? trace_hardirqs_on+0x67/0x220
[ 61.969241]  hci_rx_work+0x478/0xae0
[ 61.972955]  ? hci_rx_work+0x478/0xae0
[ 61.977103]  process_one_work+0x989/0x1750
[ 61.981334]  ? pwq_dec_nr_in_flight+0x320/0x320
[ 61.985995]  ? lock_acquire+0x16f/0x3f0
[ 61.989958]  ? kasan_check_write+0x14/0x20
[ 61.994178]  ? do_raw_spin_lock+0xc8/0x240
[ 61.998422]  worker_thread+0x98/0xe40
[ 62.002233]  kthread+0x354/0x420
[ 62.005585]  ? process_one_work+0x1750/0x1750
[ 62.010078]  ? kthread_cancel_delayed_work_sync+0x20/0x20
[ 62.015599]  ret_from_fork+0x24/0x30
[ 62.020680] Kernel Offset: disabled
[ 62.024309] Rebooting in 86400 seconds..