[   45.887540] audit: type=1800 audit(1546852992.565:29): pid=8243 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:kernel_t:s0 op=collect_data cause=failed(directio) comm="startpar" name="cron" dev="sda1" ino=2414 res=0
[   45.923526] audit: type=1800 audit(1546852992.565:30): pid=8243 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:kernel_t:s0 op=collect_data cause=failed(directio) comm="startpar" name="mcstrans" dev="sda1" ino=2457 res=0
Starting mcstransd:
[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.
[ ok ] Starting file context maintaining daemon: restorecond.

Debian GNU/Linux 7 syzkaller ttyS0

Warning: Permanently added '10.128.0.69' (ECDSA) to the list of known hosts.
executing program
executing program
executing program

syzkaller login: [   56.876655] kauditd_printk_skb: 5 callbacks suppressed
[   56.876672] audit: type=1400 audit(1546853003.555:36): avc:  denied  { map } for  pid=8433 comm="syz-executor811" path="/root/syz-executor811589800" dev="sda1" ino=16484 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
[   56.930542] ==================================================================
[   56.938000] BUG: KASAN: slab-out-of-bounds in bacpy+0x23/0x30
[   56.943872] Read of size 6 at addr ffff88809a82a73b by task kworker/u5:0/1171
[   56.951131] 
[   56.952805] CPU: 0 PID: 1171 Comm: kworker/u5:0 Not tainted 4.20.0+ #13
[   56.959574] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   56.968942] Workqueue: hci0 hci_rx_work
[   56.972915] Call Trace:
[   56.975488]  dump_stack+0x1db/0x2d0
[   56.979104]  ? dump_stack_print_info.cold+0x20/0x20
[   56.984112]  ? bacpy+0x23/0x30
[   56.987307]  print_address_description.cold+0x7c/0x20d
[   56.992573]  ? bacpy+0x23/0x30
[   56.995752]  ? bacpy+0x23/0x30
[   56.998932]  kasan_report.cold+0x1b/0x40
[   57.002986]  ? bacpy+0x23/0x30
[   57.006170]  check_memory_region+0x123/0x190
[   57.010572]  memcpy+0x24/0x50
[   57.013673]  bacpy+0x23/0x30
[   57.016678]  hci_event_packet+0x3afc/0xc22e
[   57.021013]  ? hci_cmd_complete_evt+0xbe60/0xbe60
[   57.025858]  ? up_write+0x1c0/0x230
[   57.029495]  ? unwind_next_frame+0x3b/0x50
[   57.033722]  ? graph_lock+0x280/0x280
[   57.037526]  ? save_stack_trace+0x1a/0x20
[   57.041661]  ? save_trace+0xe0/0x290
[   57.045364]  ? add_lock_to_list.isra.0+0x450/0x450
[   57.050278]  ? kasan_check_read+0x11/0x20
[   57.054427]  ? __lock_acquire+0x2514/0x4a30
[   57.058734]  ? lockdep_hardirqs_on+0x415/0x5d0
[   57.063301]  ? print_usage_bug+0xd0/0xd0
[   57.067351]  ? skb_dequeue+0x12e/0x180
[   57.071254]  ? mark_held_locks+0xb1/0x100
[   57.075397]  ? _raw_spin_unlock_irqrestore+0x6b/0xe0
[   57.080485]  ? _raw_spin_unlock_irqrestore+0x6b/0xe0
[   57.085578]  ? trace_hardirqs_on+0xbd/0x310
[   57.089886]  ? kasan_check_read+0x11/0x20
[   57.094018]  ? skb_dequeue+0x12e/0x180
[   57.097907]  ? trace_hardirqs_off_caller+0x300/0x300
[   57.102997]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   57.108522]  ? hci_send_to_monitor+0x306/0x470
[   57.113090]  ? hci_sock_release+0x3c0/0x3c0
[   57.117411]  ? _raw_spin_unlock_irqrestore+0xa4/0xe0
[   57.122513]  hci_rx_work+0x578/0xcd0
[   57.126226]  ? hci_rx_work+0x578/0xcd0
[   57.130115]  ? find_held_lock+0x35/0x120
[   57.134177]  ? add_lock_to_list.isra.0+0x450/0x450
[   57.139102]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   57.144627]  ? hci_alloc_dev+0x21a0/0x21a0
[   57.148862]  ? __lock_is_held+0xb6/0x140
[   57.152923]  process_one_work+0xd0c/0x1ce0
[   57.157226]  ? __wake_up_common_lock+0x1db/0x390
[   57.161977]  ? pwq_dec_nr_in_flight+0x4a0/0x4a0
[   57.166650]  ? trace_hardirqs_off+0xb8/0x310
[   57.171048]  ? kasan_check_read+0x11/0x20
[   57.175207]  ? do_raw_spin_unlock+0xa0/0x330
[   57.179616]  ? do_raw_spin_trylock+0x270/0x270
[   57.184253]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   57.189809]  ? get_work_pool_id+0x1a0/0x1a0
[   57.194116]  ? trace_hardirqs_on_caller+0x310/0x310
[   57.199122]  worker_thread+0x143/0x14a0
[   57.203102]  ? process_one_work+0x1ce0/0x1ce0
[   57.207580]  ? __kthread_parkme+0xc3/0x1b0
[   57.211804]  ? lock_acquire+0x1db/0x570
[   57.215772]  ? _raw_spin_unlock_irqrestore+0x6b/0xe0
[   57.220881]  ? lockdep_hardirqs_on+0x415/0x5d0
[   57.225452]  ? trace_hardirqs_on+0xbd/0x310
[   57.229769]  ? __kthread_parkme+0xc3/0x1b0
[   57.233992]  ? trace_hardirqs_off_caller+0x300/0x300
[   57.239078]  ? do_raw_spin_trylock+0x270/0x270
[   57.243648]  ? schedule+0x108/0x350
[   57.247282]  ? _raw_spin_unlock_irqrestore+0xa4/0xe0
[   57.252372]  ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20
[   57.257894]  ? __kthread_parkme+0xfb/0x1b0
[   57.262133]  kthread+0x357/0x430
[   57.265509]  ? process_one_work+0x1ce0/0x1ce0
[   57.270003]  ? kthread_stop+0x920/0x920
[   57.273968]  ret_from_fork+0x3a/0x50
[   57.277681] 
[   57.279308] Allocated by task 8437:
[   57.282930]  save_stack+0x45/0xd0
[   57.286388]  kasan_kmalloc+0xcf/0xe0
[   57.290090]  __kmalloc_node_track_caller+0x4e/0x70
[   57.295048]  __kmalloc_reserve.isra.0+0x40/0xe0
[   57.299699]  __alloc_skb+0x12d/0x730
[   57.303404]  vhci_write+0xc4/0x470
[   57.306942]  __vfs_write+0x764/0xb40
[   57.310639]  vfs_write+0x20c/0x580
[   57.314177]  ksys_write+0x105/0x260
[   57.317794]  __x64_sys_write+0x73/0xb0
[   57.321668]  do_syscall_64+0x1a3/0x800
[   57.325549]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   57.330716] 
[   57.332324] Freed by task 4258:
[   57.335589]  save_stack+0x45/0xd0
[   57.339029]  __kasan_slab_free+0x102/0x150
[   57.343249]  kasan_slab_free+0xe/0x10
[   57.347032]  kfree+0xcf/0x230
[   57.350121]  free_pipe_info+0x253/0x300
[   57.354091]  put_pipe_info+0xd0/0xf0
[   57.357786]  pipe_release+0x1e6/0x280
[   57.361589]  __fput+0x3c5/0xb10
[   57.364867]  ____fput+0x16/0x20
[   57.368145]  task_work_run+0x1f4/0x2b0
[   57.372056]  exit_to_usermode_loop+0x32a/0x3b0
[   57.376624]  do_syscall_64+0x696/0x800
[   57.380495]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   57.385678] 
[   57.387294] The buggy address belongs to the object at ffff88809a82a540
[   57.387294]  which belongs to the cache kmalloc-512 of size 512
[   57.399941] The buggy address is located 507 bytes inside of
[   57.399941]  512-byte region [ffff88809a82a540, ffff88809a82a740)
[   57.411806] The buggy address belongs to the page:
[   57.416745] page:ffffea00026a0a80 count:1 mapcount:0 mapping:ffff88812c3f0940 index:0x0
[   57.424900] flags: 0x1fffc0000000200(slab)
[   57.429121] raw: 01fffc0000000200 ffffea00026b70c8 ffffea0002686ac8 ffff88812c3f0940
[   57.437003] raw: 0000000000000000 ffff88809a82a040 0000000100000006 0000000000000000
[   57.444896] page dumped because: kasan: bad access detected
[   57.450585] 
[   57.452190] Memory state around the buggy address:
[   57.457140]  ffff88809a82a600: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   57.464515]  ffff88809a82a680: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   57.471882] >ffff88809a82a700: 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc
[   57.479223]                                         ^
[   57.484662]  ffff88809a82a780: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
[   57.492019]  ffff88809a82a800: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   57.499382] ==================================================================
[   57.506772] Disabling lock debugging due to kernel taint
[   57.512512] Kernel panic - not syncing: panic_on_warn set ...
[   57.518405] CPU: 0 PID: 1171 Comm: kworker/u5:0 Tainted: G    B             4.20.0+ #13
[   57.526527] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   57.535870] Workqueue: hci0 hci_rx_work
[   57.539823] Call Trace:
[   57.542402]  dump_stack+0x1db/0x2d0
[   57.546024]  ? dump_stack_print_info.cold+0x20/0x20
[   57.551044]  panic+0x2cb/0x65c
[   57.554226]  ? add_taint.cold+0x16/0x16
[   57.558185]  ? bacpy+0x23/0x30
[   57.561383]  ? preempt_schedule+0x4b/0x60
[   57.565523]  ? ___preempt_schedule+0x16/0x18
[   57.569947]  ? trace_hardirqs_on+0xb4/0x310
[   57.574286]  ? bacpy+0x23/0x30
[   57.577477]  end_report+0x47/0x4f
[   57.580924]  ? bacpy+0x23/0x30
[   57.584103]  kasan_report.cold+0xe/0x40
[   57.588074]  ? bacpy+0x23/0x30
[   57.591268]  check_memory_region+0x123/0x190
[   57.595674]  memcpy+0x24/0x50
[   57.598763]  bacpy+0x23/0x30
[   57.601766]  hci_event_packet+0x3afc/0xc22e
[   57.606078]  ? hci_cmd_complete_evt+0xbe60/0xbe60
[   57.610908]  ? up_write+0x1c0/0x230
[   57.614520]  ? unwind_next_frame+0x3b/0x50
[   57.618744]  ? graph_lock+0x280/0x280
[   57.622530]  ? save_stack_trace+0x1a/0x20
[   57.626677]  ? save_trace+0xe0/0x290
[   57.630402]  ? add_lock_to_list.isra.0+0x450/0x450
[   57.635341]  ? kasan_check_read+0x11/0x20
[   57.639509]  ? __lock_acquire+0x2514/0x4a30
[   57.643823]  ? lockdep_hardirqs_on+0x415/0x5d0
[   57.648399]  ? print_usage_bug+0xd0/0xd0
[   57.652446]  ? skb_dequeue+0x12e/0x180
[   57.656347]  ? mark_held_locks+0xb1/0x100
[   57.660486]  ? _raw_spin_unlock_irqrestore+0x6b/0xe0
[   57.665574]  ? _raw_spin_unlock_irqrestore+0x6b/0xe0
[   57.670679]  ? trace_hardirqs_on+0xbd/0x310
[   57.674983]  ? kasan_check_read+0x11/0x20
[   57.679116]  ? skb_dequeue+0x12e/0x180
[   57.683001]  ? trace_hardirqs_off_caller+0x300/0x300
[   57.688107]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   57.693630]  ? hci_send_to_monitor+0x306/0x470
[   57.698203]  ? hci_sock_release+0x3c0/0x3c0
[   57.702510]  ? _raw_spin_unlock_irqrestore+0xa4/0xe0
[   57.707600]  hci_rx_work+0x578/0xcd0
[   57.711298]  ? hci_rx_work+0x578/0xcd0
[   57.715171]  ? find_held_lock+0x35/0x120
[   57.719226]  ? add_lock_to_list.isra.0+0x450/0x450
[   57.724140]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   57.729678]  ? hci_alloc_dev+0x21a0/0x21a0
[   57.733900]  ? __lock_is_held+0xb6/0x140
[   57.737950]  process_one_work+0xd0c/0x1ce0
[   57.742176]  ? __wake_up_common_lock+0x1db/0x390
[   57.746953]  ? pwq_dec_nr_in_flight+0x4a0/0x4a0
[   57.751612]  ? trace_hardirqs_off+0xb8/0x310
[   57.756026]  ? kasan_check_read+0x11/0x20
[   57.760164]  ? do_raw_spin_unlock+0xa0/0x330
[   57.764559]  ? do_raw_spin_trylock+0x270/0x270
[   57.769136]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   57.774663]  ? get_work_pool_id+0x1a0/0x1a0
[   57.778972]  ? trace_hardirqs_on_caller+0x310/0x310
[   57.783979]  worker_thread+0x143/0x14a0
[   57.787943]  ? process_one_work+0x1ce0/0x1ce0
[   57.792426]  ? __kthread_parkme+0xc3/0x1b0
[   57.796644]  ? lock_acquire+0x1db/0x570
[   57.800603]  ? _raw_spin_unlock_irqrestore+0x6b/0xe0
[   57.805709]  ? lockdep_hardirqs_on+0x415/0x5d0
[   57.810279]  ? trace_hardirqs_on+0xbd/0x310
[   57.814584]  ? __kthread_parkme+0xc3/0x1b0
[   57.818803]  ? trace_hardirqs_off_caller+0x300/0x300
[   57.823889]  ? do_raw_spin_trylock+0x270/0x270
[   57.828473]  ? schedule+0x108/0x350
[   57.832092]  ? _raw_spin_unlock_irqrestore+0xa4/0xe0
[   57.837184]  ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20
[   57.842713]  ? __kthread_parkme+0xfb/0x1b0
[   57.846942]  kthread+0x357/0x430
[   57.850313]  ? process_one_work+0x1ce0/0x1ce0
[   57.854800]  ? kthread_stop+0x920/0x920
[   57.858762]  ret_from_fork+0x3a/0x50
[   57.863323] Kernel Offset: disabled
[   57.866948] Rebooting in 86400 seconds..