[   36.127573][   T26] audit: type=1800 audit(1546854862.426:27): pid=7571 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="restorecond" dev="sda1" ino=2436 res=0
[   36.127599][   T26] audit: type=1800 audit(1546854862.426:28): pid=7571 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="ssh" dev="sda1" ino=2417 res=0
[....] Starting periodic command scheduler: cron[?25l[?1c7[1G[[32m ok [39;49m8[?25h[?0c.
[....] Starting OpenBSD Secure Shell server: sshd[?25l[?1c7[1G[[32m ok [39;49m8[?25h[?0c.
[   36.786195][   T26] audit: type=1800 audit(1546854863.116:29): pid=7571 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="rc.local" dev="sda1" ino=2432 res=0
[   36.806451][   T26] audit: type=1800 audit(1546854863.126:30): pid=7571 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="rmnologin" dev="sda1" ino=2423 res=0

Debian GNU/Linux 7 syzkaller ttyS0

Warning: Permanently added '10.128.0.18' (ECDSA) to the list of known hosts.
executing program
executing program
executing program
executing program
executing program
executing program
executing program
syzkaller login: [   58.956365][ T1171] ==================================================================
[   58.964568][ T1171] BUG: KASAN: slab-out-of-bounds in bacpy+0x23/0x30
[   58.971137][ T1171] Read of size 6 at addr ffff888090f3c77b by task kworker/u5:0/1171
[   58.979088][ T1171] 
[   58.981404][ T1171] CPU: 0 PID: 1171 Comm: kworker/u5:0 Not tainted 4.20.0-next-20190107 #6
[   58.989883][ T1171] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   58.999947][ T1171] Workqueue: hci0 hci_rx_work
[   59.004604][ T1171] Call Trace:
[   59.007890][ T1171]  dump_stack+0x1db/0x2d0
[   59.012222][ T1171]  ? dump_stack_print_info.cold+0x20/0x20
[   59.017939][ T1171]  ? bacpy+0x23/0x30
[   59.021828][ T1171]  print_address_description.cold+0x7c/0x20d
[   59.027789][ T1171]  ? bacpy+0x23/0x30
[   59.031667][ T1171]  ? bacpy+0x23/0x30
[   59.035558][ T1171]  kasan_report.cold+0x1b/0x40
[   59.040314][ T1171]  ? bacpy+0x23/0x30
[   59.044196][ T1171]  check_memory_region+0x123/0x190
[   59.049303][ T1171]  memcpy+0x24/0x50
[   59.053098][ T1171]  bacpy+0x23/0x30
[   59.056804][ T1171]  hci_event_packet+0x3b2e/0xc19a
[   59.061827][ T1171]  ? hci_cmd_complete_evt+0xbe60/0xbe60
[   59.067357][ T1171]  ? __ww_mutex_wound+0xb0/0x2b0
[   59.072277][ T1171]  ? unwind_next_frame+0x3b/0x50
[   59.077198][ T1171]  ? graph_lock+0x280/0x280
[   59.081701][ T1171]  ? save_stack_trace+0x1a/0x20
[   59.086621][ T1171]  ? save_trace+0xe0/0x290
[   59.091045][ T1171]  ? add_lock_to_list.isra.0+0x450/0x450
[   59.096670][ T1171]  ? kasan_check_read+0x11/0x20
[   59.101587][ T1171]  ? __lock_acquire+0x24ed/0x4a10
[   59.106613][ T1171]  ? print_usage_bug+0xd0/0xd0
[   59.111380][ T1171]  ? skb_dequeue+0x12e/0x180
[   59.115955][ T1171]  ? mark_held_locks+0xb1/0x100
[   59.120792][ T1171]  ? _raw_spin_unlock_irqrestore+0x6b/0xe0
[   59.126684][ T1171]  ? _raw_spin_unlock_irqrestore+0x6b/0xe0
[   59.132484][ T1171]  ? trace_hardirqs_on+0xbd/0x310
[   59.137495][ T1171]  ? kasan_check_read+0x11/0x20
[   59.142334][ T1171]  ? skb_dequeue+0x12e/0x180
[   59.146908][ T1171]  ? trace_hardirqs_off_caller+0x300/0x300
[   59.152698][ T1171]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   59.158916][ T1171]  ? hci_send_to_monitor+0x306/0x470
[   59.164179][ T1171]  ? hci_sock_release+0x3c0/0x3c0
[   59.169192][ T1171]  ? _raw_spin_unlock_irqrestore+0xa4/0xe0
[   59.174995][ T1171]  hci_rx_work+0x578/0xcd0
[   59.179391][ T1171]  ? hci_rx_work+0x578/0xcd0
[   59.183960][ T1171]  ? find_held_lock+0x35/0x120
[   59.188711][ T1171]  ? add_lock_to_list.isra.0+0x450/0x450
[   59.194322][ T1171]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   59.200551][ T1171]  ? hci_alloc_dev+0x21a0/0x21a0
[   59.205591][ T1171]  ? __lock_is_held+0xb6/0x140
[   59.210364][ T1171]  process_one_work+0xd0c/0x1ce0
[   59.215287][ T1171]  ? __wake_up_common_lock+0x1db/0x390
[   59.220743][ T1171]  ? pwq_dec_nr_in_flight+0x4a0/0x4a0
[   59.226103][ T1171]  ? trace_hardirqs_off+0xb8/0x310
[   59.231199][ T1171]  ? kasan_check_read+0x11/0x20
[   59.236037][ T1171]  ? do_raw_spin_unlock+0xa0/0x330
[   59.241137][ T1171]  ? do_raw_spin_trylock+0x270/0x270
[   59.246435][ T1171]  ? __wake_up_common+0x7d0/0x7d0
[   59.251447][ T1171]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   59.257668][ T1171]  ? wq_watchdog_reset_touched+0x180/0x180
[   59.263459][ T1171]  ? trace_hardirqs_on_caller+0x310/0x310
[   59.269326][ T1171]  worker_thread+0x143/0x14a0
[   59.274003][ T1171]  ? process_one_work+0x1ce0/0x1ce0
[   59.279191][ T1171]  ? __kthread_parkme+0xc3/0x1b0
[   59.284117][ T1171]  ? lock_acquire+0x1db/0x570
[   59.288779][ T1171]  ? _raw_spin_unlock_irqrestore+0x6b/0xe0
[   59.294579][ T1171]  ? lockdep_hardirqs_on+0x415/0x5d0
[   59.299854][ T1171]  ? trace_hardirqs_on+0xbd/0x310
[   59.304871][ T1171]  ? kasan_check_read+0x11/0x20
[   59.309720][ T1171]  ? __kthread_parkme+0xc3/0x1b0
[   59.314741][ T1171]  ? trace_hardirqs_off_caller+0x300/0x300
[   59.320529][ T1171]  ? do_raw_spin_trylock+0x270/0x270
[   59.325804][ T1171]  ? schedule+0x108/0x350
[   59.330114][ T1171]  ? do_raw_spin_trylock+0x270/0x270
[   59.335393][ T1171]  ? _raw_spin_unlock_irqrestore+0xa4/0xe0
[   59.341254][ T1171]  ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20
[   59.347492][ T1171]  ? __kthread_parkme+0xfb/0x1b0
[   59.352426][ T1171]  kthread+0x357/0x430
[   59.356484][ T1171]  ? process_one_work+0x1ce0/0x1ce0
[   59.361710][ T1171]  ? kthread_stop+0x920/0x920
[   59.366391][ T1171]  ret_from_fork+0x3a/0x50
[   59.370798][ T1171] 
[   59.373110][ T1171] Allocated by task 7731:
[   59.377573][ T1171]  save_stack+0x45/0xd0
[   59.381726][ T1171]  kasan_kmalloc+0xcf/0xe0
[   59.386124][ T1171]  __kmalloc_node_track_caller+0x4e/0x70
[   59.391873][ T1171]  __kmalloc_reserve.isra.0+0x40/0xe0
[   59.397388][ T1171]  __alloc_skb+0x12d/0x730
[   59.401803][ T1171]  vhci_write+0xc4/0x470
[   59.406043][ T1171]  __vfs_write+0x764/0xb40
[   59.410453][ T1171]  vfs_write+0x20c/0x580
[   59.414678][ T1171]  ksys_write+0x105/0x260
[   59.419161][ T1171]  __x64_sys_write+0x73/0xb0
[   59.423735][ T1171]  do_syscall_64+0x1a3/0x800
[   59.428305][ T1171]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   59.434657][ T1171] 
[   59.436971][ T1171] Freed by task 4224:
[   59.440946][ T1171]  save_stack+0x45/0xd0
[   59.445142][ T1171]  __kasan_slab_free+0x102/0x150
[   59.450070][ T1171]  kasan_slab_free+0xe/0x10
[   59.454564][ T1171]  kfree+0xcf/0x230
[   59.458358][ T1171]  free_pipe_info+0x253/0x300
[   59.463017][ T1171]  put_pipe_info+0xd0/0xf0
[   59.467418][ T1171]  pipe_release+0x1e6/0x280
[   59.471909][ T1171]  __fput+0x3c5/0xb10
[   59.475877][ T1171]  ____fput+0x16/0x20
[   59.479932][ T1171]  task_work_run+0x1f4/0x2b0
[   59.484518][ T1171]  exit_to_usermode_loop+0x32a/0x3b0
[   59.489785][ T1171]  do_syscall_64+0x696/0x800
[   59.494458][ T1171]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   59.500344][ T1171] 
[   59.502678][ T1171] The buggy address belongs to the object at ffff888090f3c580
[   59.502678][ T1171]  which belongs to the cache kmalloc-512 of size 512
[   59.516974][ T1171] The buggy address is located 507 bytes inside of
[   59.516974][ T1171]  512-byte region [ffff888090f3c580, ffff888090f3c780)
[   59.530350][ T1171] The buggy address belongs to the page:
[   59.535985][ T1171] page:ffffea000243cf00 count:1 mapcount:0 mapping:ffff88812c3f0940 index:0x0
[   59.544818][ T1171] flags: 0x1fffc0000000200(slab)
[   59.549907][ T1171] raw: 01fffc0000000200 ffffea0002803408 ffff88812c3f1748 ffff88812c3f0940
[   59.558512][ T1171] raw: 0000000000000000 ffff888090f3c080 0000000100000006 0000000000000000
[   59.567085][ T1171] page dumped because: kasan: bad access detected
[   59.573492][ T1171] 
[   59.575801][ T1171] Memory state around the buggy address:
[   59.581569][ T1171]  ffff888090f3c680: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   59.589623][ T1171]  ffff888090f3c700: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   59.597698][ T1171] >ffff888090f3c780: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   59.605747][ T1171]                    ^
[   59.609803][ T1171]  ffff888090f3c800: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   59.617859][ T1171]  ffff888090f3c880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   59.626033][ T1171] ==================================================================
[   59.634403][ T1171] Disabling lock debugging due to kernel taint
[   59.641677][ T1171] Kernel panic - not syncing: panic_on_warn set ...
[   59.648259][ T1171] CPU: 0 PID: 1171 Comm: kworker/u5:0 Tainted: G    B             4.20.0-next-20190107 #6
[   59.658209][ T1171] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   59.668275][ T1171] Workqueue: hci0 hci_rx_work
[   59.672928][ T1171] Call Trace:
[   59.676198][ T1171]  dump_stack+0x1db/0x2d0
[   59.680503][ T1171]  ? dump_stack_print_info.cold+0x20/0x20
[   59.686200][ T1171]  panic+0x2cb/0x65c
[   59.690166][ T1171]  ? add_taint.cold+0x16/0x16
[   59.694849][ T1171]  ? bacpy+0x23/0x30
[   59.698732][ T1171]  ? preempt_schedule+0x4b/0x60
[   59.703567][ T1171]  ? ___preempt_schedule+0x16/0x18
[   59.708658][ T1171]  ? trace_hardirqs_on+0xb4/0x310
[   59.713663][ T1171]  ? bacpy+0x23/0x30
[   59.717612][ T1171]  end_report+0x47/0x4f
[   59.721769][ T1171]  ? bacpy+0x23/0x30
[   59.725723][ T1171]  kasan_report.cold+0xe/0x40
[   59.730553][ T1171]  ? bacpy+0x23/0x30
[   59.734443][ T1171]  check_memory_region+0x123/0x190
[   59.739698][ T1171]  memcpy+0x24/0x50
[   59.743494][ T1171]  bacpy+0x23/0x30
[   59.747204][ T1171]  hci_event_packet+0x3b2e/0xc19a
[   59.752349][ T1171]  ? hci_cmd_complete_evt+0xbe60/0xbe60
[   59.757970][ T1171]  ? __ww_mutex_wound+0xb0/0x2b0
[   59.763118][ T1171]  ? unwind_next_frame+0x3b/0x50
[   59.768042][ T1171]  ? graph_lock+0x280/0x280
[   59.772525][ T1171]  ? save_stack_trace+0x1a/0x20
[   59.777355][ T1171]  ? save_trace+0xe0/0x290
[   59.781763][ T1171]  ? add_lock_to_list.isra.0+0x450/0x450
[   59.787392][ T1171]  ? kasan_check_read+0x11/0x20
[   59.792237][ T1171]  ? __lock_acquire+0x24ed/0x4a10
[   59.797241][ T1171]  ? print_usage_bug+0xd0/0xd0
[   59.801989][ T1171]  ? skb_dequeue+0x12e/0x180
[   59.806554][ T1171]  ? mark_held_locks+0xb1/0x100
[   59.811390][ T1171]  ? _raw_spin_unlock_irqrestore+0x6b/0xe0
[   59.817171][ T1171]  ? _raw_spin_unlock_irqrestore+0x6b/0xe0
[   59.823069][ T1171]  ? trace_hardirqs_on+0xbd/0x310
[   59.828088][ T1171]  ? kasan_check_read+0x11/0x20
[   59.832933][ T1171]  ? skb_dequeue+0x12e/0x180
[   59.837870][ T1171]  ? trace_hardirqs_off_caller+0x300/0x300
[   59.843679][ T1171]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   59.849958][ T1171]  ? hci_send_to_monitor+0x306/0x470
[   59.855236][ T1171]  ? hci_sock_release+0x3c0/0x3c0
[   59.860245][ T1171]  ? _raw_spin_unlock_irqrestore+0xa4/0xe0
[   59.866056][ T1171]  hci_rx_work+0x578/0xcd0
[   59.871082][ T1171]  ? hci_rx_work+0x578/0xcd0
[   59.875894][ T1171]  ? find_held_lock+0x35/0x120
[   59.880638][ T1171]  ? add_lock_to_list.isra.0+0x450/0x450
[   59.886394][ T1171]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   59.892728][ T1171]  ? hci_alloc_dev+0x21a0/0x21a0
[   59.897748][ T1171]  ? __lock_is_held+0xb6/0x140
[   59.902497][ T1171]  process_one_work+0xd0c/0x1ce0
[   59.907419][ T1171]  ? __wake_up_common_lock+0x1db/0x390
[   59.912870][ T1171]  ? pwq_dec_nr_in_flight+0x4a0/0x4a0
[   59.918218][ T1171]  ? trace_hardirqs_off+0xb8/0x310
[   59.923304][ T1171]  ? kasan_check_read+0x11/0x20
[   59.928130][ T1171]  ? do_raw_spin_unlock+0xa0/0x330
[   59.933217][ T1171]  ? do_raw_spin_trylock+0x270/0x270
[   59.938484][ T1171]  ? __wake_up_common+0x7d0/0x7d0
[   59.943486][ T1171]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   59.949700][ T1171]  ? wq_watchdog_reset_touched+0x180/0x180
[   59.955486][ T1171]  ? trace_hardirqs_on_caller+0x310/0x310
[   59.961194][ T1171]  worker_thread+0x143/0x14a0
[   59.965849][ T1171]  ? process_one_work+0x1ce0/0x1ce0
[   59.971025][ T1171]  ? __kthread_parkme+0xc3/0x1b0
[   59.975938][ T1171]  ? lock_acquire+0x1db/0x570
[   59.980658][ T1171]  ? _raw_spin_unlock_irqrestore+0x6b/0xe0
[   59.986452][ T1171]  ? lockdep_hardirqs_on+0x415/0x5d0
[   59.991798][ T1171]  ? trace_hardirqs_on+0xbd/0x310
[   59.996810][ T1171]  ? kasan_check_read+0x11/0x20
[   60.001651][ T1171]  ? __kthread_parkme+0xc3/0x1b0
[   60.006573][ T1171]  ? trace_hardirqs_off_caller+0x300/0x300
[   60.012365][ T1171]  ? do_raw_spin_trylock+0x270/0x270
[   60.017627][ T1171]  ? schedule+0x108/0x350
[   60.021935][ T1171]  ? do_raw_spin_trylock+0x270/0x270
[   60.027203][ T1171]  ? _raw_spin_unlock_irqrestore+0xa4/0xe0
[   60.033192][ T1171]  ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20
[   60.039410][ T1171]  ? __kthread_parkme+0xfb/0x1b0
[   60.044324][ T1171]  kthread+0x357/0x430
[   60.048377][ T1171]  ? process_one_work+0x1ce0/0x1ce0
[   60.053565][ T1171]  ? kthread_stop+0x920/0x920
[   60.058499][ T1171]  ret_from_fork+0x3a/0x50
[   60.064055][ T1171] Kernel Offset: disabled
[   60.068379][ T1171] Rebooting in 86400 seconds..