[ 40.284276] audit: type=1800 audit(1546855041.331:25): pid=7867 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="cron" dev="sda1" ino=2414 res=0
[ 40.309183] audit: type=1800 audit(1546855041.331:26): pid=7867 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="mcstrans" dev="sda1" ino=2457 res=0
[ 40.341045] audit: type=1800 audit(1546855041.331:27): pid=7867 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="restorecond" dev="sda1" ino=2436 res=0
[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.
[FAIL] startpar: service(s) returned failure: rsyslog ssh ... failed!

Debian GNU/Linux 7 syzkaller ttyS0

Warning: Permanently added '10.128.0.66' (ECDSA) to the list of known hosts.
executing program
executing program
executing program
executing program
executing program

syzkaller login: [ 62.105424] ==================================================================
[ 62.113233] BUG: KASAN: slab-out-of-bounds in bacpy+0x23/0x30
[ 62.119131] Read of size 6 at addr ffff8880a8ac36fb by task kworker/u5:0/1171
[ 62.127286]
[ 62.128912] CPU: 1 PID: 1171 Comm: kworker/u5:0 Not tainted 4.20.0+ #13
[ 62.135900] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 62.145405] Workqueue: hci0 hci_rx_work
[ 62.149365] Call Trace:
[ 62.151956]  dump_stack+0x1db/0x2d0
[ 62.155588]  ? dump_stack_print_info.cold+0x20/0x20
[ 62.160604]  ? bacpy+0x23/0x30
[ 62.164110]  print_address_description.cold+0x7c/0x20d
[ 62.169651]  ? bacpy+0x23/0x30
[ 62.172976]  ? bacpy+0x23/0x30
[ 62.176351]  kasan_report.cold+0x1b/0x40
[ 62.180417]  ? bacpy+0x23/0x30
[ 62.183835]  check_memory_region+0x123/0x190
[ 62.188375]  memcpy+0x24/0x50
[ 62.191567]  bacpy+0x23/0x30
[ 62.194590]  hci_event_packet+0x3afc/0xc22e
[ 62.198927]  ? hci_cmd_complete_evt+0xbe60/0xbe60
[ 62.203890]  ? up_write+0x1c0/0x230
[ 62.207505]  ? unwind_next_frame+0x3b/0x50
[ 62.211738]  ? graph_lock+0x280/0x280
[ 62.215538]  ? save_stack_trace+0x1a/0x20
[ 62.219678]  ? save_trace+0xe0/0x290
[ 62.223391]  ? add_lock_to_list.isra.0+0x450/0x450
[ 62.228428]  ? kasan_check_read+0x11/0x20
[ 62.232600]  ? __lock_acquire+0x2514/0x4a30
[ 62.236932]  ? print_usage_bug+0xd0/0xd0
[ 62.241013]  ? skb_dequeue+0x12e/0x180
[ 62.244909]  ? mark_held_locks+0xb1/0x100
[ 62.249093]  ? _raw_spin_unlock_irqrestore+0x6b/0xe0
[ 62.254288]  ? _raw_spin_unlock_irqrestore+0x6b/0xe0
[ 62.259388]  ? trace_hardirqs_on+0xbd/0x310
[ 62.264268]  ? kasan_check_read+0x11/0x20
[ 62.268568]  ? skb_dequeue+0x12e/0x180
[ 62.272678]  ? trace_hardirqs_off_caller+0x300/0x300
[ 62.277773]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 62.283303]  ? hci_send_to_monitor+0x306/0x470
[ 62.287870]  ? hci_sock_release+0x3c0/0x3c0
[ 62.292275]  ? _raw_spin_unlock_irqrestore+0xa4/0xe0
[ 62.297503]  hci_rx_work+0x578/0xcd0
[ 62.301220]  ? hci_rx_work+0x578/0xcd0
[ 62.305201]  ? find_held_lock+0x35/0x120
[ 62.309460]  ? add_lock_to_list.isra.0+0x450/0x450
[ 62.315767]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 62.321296]  ? hci_alloc_dev+0x21a0/0x21a0
[ 62.325630]  ? __lock_is_held+0xb6/0x140
[ 62.329688]  process_one_work+0xd0c/0x1ce0
[ 62.334029]  ? preempt_notifier_register+0x200/0x200
[ 62.339119]  ? __switch_to_asm+0x34/0x70
[ 62.343211]  ? pwq_dec_nr_in_flight+0x4a0/0x4a0
[ 62.347886]  ? __schedule+0x89f/0x1e60
[ 62.351766]  ? pci_mmcfg_check_reserved+0x170/0x170
[ 62.356788]  ? worker_thread+0x3b7/0x14a0
[ 62.360922]  ? find_held_lock+0x35/0x120
[ 62.364969]  ? lock_acquire+0x1db/0x570
[ 62.368941]  ? worker_thread+0x3cd/0x14a0
[ 62.373102]  ? kasan_check_read+0x11/0x20
[ 62.377323]  ? do_raw_spin_lock+0x156/0x360
[ 62.381629]  ? lock_release+0xc40/0xc40
[ 62.385596]  ? rwlock_bug.part.0+0x90/0x90
[ 62.389817]  ? trace_hardirqs_on_caller+0x310/0x310
[ 62.394938]  worker_thread+0x143/0x14a0
[ 62.398910]  ? process_one_work+0x1ce0/0x1ce0
[ 62.403388]  ? __kthread_parkme+0xc3/0x1b0
[ 62.407623]  ? lock_acquire+0x1db/0x570
[ 62.411582]  ? _raw_spin_unlock_irqrestore+0x6b/0xe0
[ 62.416685]  ? lockdep_hardirqs_on+0x415/0x5d0
[ 62.421256]  ? trace_hardirqs_on+0xbd/0x310
[ 62.425580]  ? __kthread_parkme+0xc3/0x1b0
[ 62.430038]  ? trace_hardirqs_off_caller+0x300/0x300
[ 62.435276]  ? do_raw_spin_trylock+0x270/0x270
[ 62.439910]  ? schedule+0x108/0x350
[ 62.443750]  ? _raw_spin_unlock_irqrestore+0xa4/0xe0
[ 62.449057]  ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20
[ 62.454598]  ? __kthread_parkme+0xfb/0x1b0
[ 62.458930]  kthread+0x357/0x430
[ 62.462394]  ? process_one_work+0x1ce0/0x1ce0
[ 62.466876]  ? kthread_stop+0x920/0x920
[ 62.470859]  ret_from_fork+0x3a/0x50
[ 62.474777]
[ 62.476391] Allocated by task 8046:
[ 62.480049]  save_stack+0x45/0xd0
[ 62.483493]  kasan_kmalloc+0xcf/0xe0
[ 62.487199]  __kmalloc_node_track_caller+0x4e/0x70
[ 62.492247]  __kmalloc_reserve.isra.0+0x40/0xe0
[ 62.496903]  __alloc_skb+0x12d/0x730
[ 62.500711]  vhci_write+0xc4/0x470
[ 62.504347]  __vfs_write+0x764/0xb40
[ 62.508261]  vfs_write+0x20c/0x580
[ 62.511788]  ksys_write+0x105/0x260
[ 62.515415]  __ia32_sys_write+0x71/0xb0
[ 62.520442]  do_fast_syscall_32+0x333/0xf98
[ 62.524943]  entry_SYSENTER_compat+0x70/0x7f
[ 62.529340]
[ 62.530964] Freed by task 5169:
[ 62.534235]  save_stack+0x45/0xd0
[ 62.537768]  __kasan_slab_free+0x102/0x150
[ 62.541994]  kasan_slab_free+0xe/0x10
[ 62.546694]  kfree+0xcf/0x230
[ 62.549803]  free_pipe_info+0x253/0x300
[ 62.553772]  put_pipe_info+0xd0/0xf0
[ 62.557491]  pipe_release+0x1e6/0x280
[ 62.561279]  __fput+0x3c5/0xb10
[ 62.564548]  ____fput+0x16/0x20
[ 62.567915]  task_work_run+0x1f4/0x2b0
[ 62.571792]  exit_to_usermode_loop+0x32a/0x3b0
[ 62.576488]  do_syscall_64+0x696/0x800
[ 62.580387]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 62.585803]
[ 62.587536] The buggy address belongs to the object at ffff8880a8ac3500
[ 62.587536]  which belongs to the cache kmalloc-512 of size 512
[ 62.600405] The buggy address is located 507 bytes inside of
[ 62.600405]  512-byte region [ffff8880a8ac3500, ffff8880a8ac3700)
[ 62.612360] The buggy address belongs to the page:
[ 62.617274] page:ffffea0002a2b0c0 count:1 mapcount:0 mapping:ffff88812c3f0940 index:0x0
[ 62.625406] flags: 0x1fffc0000000200(slab)
[ 62.629633] raw: 01fffc0000000200 ffffea0002629988 ffffea000263e608 ffff88812c3f0940
[ 62.639331] raw: 0000000000000000 ffff8880a8ac3000 0000000100000006 0000000000000000
[ 62.647367] page dumped because: kasan: bad access detected
[ 62.653059]
[ 62.654681] Memory state around the buggy address:
[ 62.659782]  ffff8880a8ac3600: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 62.667129]  ffff8880a8ac3680: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 62.674474] >ffff8880a8ac3700: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 62.681814]                    ^
[ 62.685162]  ffff8880a8ac3780: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 62.692529]  ffff8880a8ac3800: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 62.699876] ==================================================================
[ 62.707245] Disabling lock debugging due to kernel taint
[ 62.712828] Kernel panic - not syncing: panic_on_warn set ...
[ 62.718721] CPU: 1 PID: 1171 Comm: kworker/u5:0 Tainted: G B 4.20.0+ #13
[ 62.726857] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 62.736207] Workqueue: hci0 hci_rx_work
[ 62.740161] Call Trace:
[ 62.742846]  dump_stack+0x1db/0x2d0
[ 62.746504]  ? dump_stack_print_info.cold+0x20/0x20
[ 62.751635]  panic+0x2cb/0x65c
[ 62.754816]  ? add_taint.cold+0x16/0x16
[ 62.758790]  ? bacpy+0x23/0x30
[ 62.761978]  ? preempt_schedule+0x4b/0x60
[ 62.766113]  ? ___preempt_schedule+0x16/0x18
[ 62.770508]  ? trace_hardirqs_on+0xb4/0x310
[ 62.774877]  ? bacpy+0x23/0x30
[ 62.778063]  end_report+0x47/0x4f
[ 62.781500]  ? bacpy+0x23/0x30
[ 62.784700]  kasan_report.cold+0xe/0x40
[ 62.788675]  ? bacpy+0x23/0x30
[ 62.791954]  check_memory_region+0x123/0x190
[ 62.796357]  memcpy+0x24/0x50
[ 62.799448]  bacpy+0x23/0x30
[ 62.802448]  hci_event_packet+0x3afc/0xc22e
[ 62.806768]  ? hci_cmd_complete_evt+0xbe60/0xbe60
[ 62.811600]  ? up_write+0x1c0/0x230
[ 62.815214]  ? unwind_next_frame+0x3b/0x50
[ 62.819557]  ? graph_lock+0x280/0x280
[ 62.823352]  ? save_stack_trace+0x1a/0x20
[ 62.827483]  ? save_trace+0xe0/0x290
[ 62.831204]  ? add_lock_to_list.isra.0+0x450/0x450
[ 62.836227]  ? kasan_check_read+0x11/0x20
[ 62.840366]  ? __lock_acquire+0x2514/0x4a30
[ 62.844670]  ? print_usage_bug+0xd0/0xd0
[ 62.848728]  ? skb_dequeue+0x12e/0x180
[ 62.852608]  ? mark_held_locks+0xb1/0x100
[ 62.856844]  ? _raw_spin_unlock_irqrestore+0x6b/0xe0
[ 62.861937]  ? _raw_spin_unlock_irqrestore+0x6b/0xe0
[ 62.867037]  ? trace_hardirqs_on+0xbd/0x310
[ 62.871344]  ? kasan_check_read+0x11/0x20
[ 62.875472]  ? skb_dequeue+0x12e/0x180
[ 62.879340]  ? trace_hardirqs_off_caller+0x300/0x300
[ 62.884427]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 62.889950]  ? hci_send_to_monitor+0x306/0x470
[ 62.894525]  ? hci_sock_release+0x3c0/0x3c0
[ 62.899120]  ? _raw_spin_unlock_irqrestore+0xa4/0xe0
[ 62.904226]  hci_rx_work+0x578/0xcd0
[ 62.907930]  ? hci_rx_work+0x578/0xcd0
[ 62.911808]  ? find_held_lock+0x35/0x120
[ 62.915947]  ? add_lock_to_list.isra.0+0x450/0x450
[ 62.920867]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 62.926402]  ? hci_alloc_dev+0x21a0/0x21a0
[ 62.930627]  ? __lock_is_held+0xb6/0x140
[ 62.934779]  process_one_work+0xd0c/0x1ce0
[ 62.939015]  ? preempt_notifier_register+0x200/0x200
[ 62.944104]  ? __switch_to_asm+0x34/0x70
[ 62.948165]  ? pwq_dec_nr_in_flight+0x4a0/0x4a0
[ 62.952828]  ? __schedule+0x89f/0x1e60
[ 62.956713]  ? pci_mmcfg_check_reserved+0x170/0x170
[ 62.961873]  ? worker_thread+0x3b7/0x14a0
[ 62.966009]  ? find_held_lock+0x35/0x120
[ 62.970256]  ? lock_acquire+0x1db/0x570
[ 62.974223]  ? worker_thread+0x3cd/0x14a0
[ 62.978457]  ? kasan_check_read+0x11/0x20
[ 62.982596]  ? do_raw_spin_lock+0x156/0x360
[ 62.986903]  ? lock_release+0xc40/0xc40
[ 62.990984]  ? rwlock_bug.part.0+0x90/0x90
[ 62.995204]  ? trace_hardirqs_on_caller+0x310/0x310
[ 63.000210]  worker_thread+0x143/0x14a0
[ 63.004277]  ? process_one_work+0x1ce0/0x1ce0
[ 63.008760]  ? __kthread_parkme+0xc3/0x1b0
[ 63.013103]  ? lock_acquire+0x1db/0x570
[ 63.017114]  ? _raw_spin_unlock_irqrestore+0x6b/0xe0
[ 63.022409]  ? lockdep_hardirqs_on+0x415/0x5d0
[ 63.026980]  ? trace_hardirqs_on+0xbd/0x310
[ 63.031295]  ? __kthread_parkme+0xc3/0x1b0
[ 63.035531]  ? trace_hardirqs_off_caller+0x300/0x300
[ 63.040630]  ? do_raw_spin_trylock+0x270/0x270
[ 63.045208]  ? schedule+0x108/0x350
[ 63.048827]  ? _raw_spin_unlock_irqrestore+0xa4/0xe0
[ 63.054042]  ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20
[ 63.059571]  ? __kthread_parkme+0xfb/0x1b0
[ 63.063789]  kthread+0x357/0x430
[ 63.067269]  ? process_one_work+0x1ce0/0x1ce0
[ 63.071760]  ? kthread_stop+0x920/0x920
[ 63.075726]  ret_from_fork+0x3a/0x50
[ 63.080405] Kernel Offset: disabled
[ 63.084027] Rebooting in 86400 seconds..