[ 40.538922][ T27] audit: type=1800 audit(1556765424.708:26): pid=7844 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="mcstrans" dev="sda1" ino=2457 res=0
[ 40.566775][ T27] audit: type=1800 audit(1556765424.708:27): pid=7844 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="restorecond" dev="sda1" ino=2436 res=0
[ 40.593030][ T27] audit: type=1800 audit(1556765424.708:28): pid=7844 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="ssh" dev="sda1" ino=2417 res=0
[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.
[ 41.534215][ T27] audit: type=1800 audit(1556765425.728:29): pid=7844 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="rc.local" dev="sda1" ino=2432 res=0

Debian GNU/Linux 7 syzkaller ttyS0

Warning: Permanently added '10.128.0.195' (ECDSA) to the list of known hosts.
executing program
executing program
executing program
executing program

syzkaller login: [ 52.231352][ T7995] IPVS: ftp: loaded support on port[0] = 21
[ 52.301928][ T1174] ==================================================================
[ 52.310119][ T1174] BUG: KASAN: slab-out-of-bounds in bacpy+0x23/0x30
[ 52.316685][ T1174] Read of size 6 at addr ffff88808e82aa3b by task kworker/u5:0/1174
[ 52.324635][ T1174]
[ 52.326955][ T1174] CPU: 1 PID: 1174 Comm: kworker/u5:0 Not tainted 5.1.0-rc7+ #97
[ 52.334651][ T1174] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 52.344690][ T1174] Workqueue: hci0 hci_rx_work
[ 52.349976][ T1174] Call Trace:
[ 52.353267][ T1174]  dump_stack+0x172/0x1f0
[ 52.357584][ T1174]  ? bacpy+0x23/0x30
[ 52.361481][ T1174]  print_address_description.cold+0x7c/0x20d
[ 52.367436][ T1174]  ? bacpy+0x23/0x30
[ 52.371311][ T1174]  ? bacpy+0x23/0x30
[ 52.375241][ T1174]  kasan_report.cold+0x1b/0x40
[ 52.380004][ T1174]  ? hci_remove_remote_oob_data+0xe0/0x1a0
[ 52.385835][ T1174]  ? bacpy+0x23/0x30
[ 52.389774][ T1174]  check_memory_region+0x123/0x190
[ 52.394877][ T1174]  memcpy+0x24/0x50
[ 52.398673][ T1174]  bacpy+0x23/0x30
[ 52.402402][ T1174]  hci_event_packet+0x4e86/0xaabf
[ 52.407410][ T1174]  ? graph_lock+0x7b/0x200
[ 52.411827][ T1174]  ? __lockdep_reset_lock+0x450/0x450
[ 52.417296][ T1174]  ? hci_cmd_complete_evt+0xbe90/0xbe90
[ 52.422912][ T1174]  ? __lock_acquire+0x2340/0x3fb0
[ 52.427929][ T1174]  ? skb_dequeue+0x12e/0x180
[ 52.432507][ T1174]  ? find_held_lock+0x35/0x130
[ 52.437256][ T1174]  ? skb_dequeue+0x12e/0x180
[ 52.441839][ T1174]  ? _raw_spin_unlock_irqrestore+0x6b/0xe0
[ 52.447646][ T1174]  ? skb_dequeue+0x12e/0x180
[ 52.452215][ T1174]  ? _raw_spin_unlock_irqrestore+0x6b/0xe0
[ 52.458015][ T1174]  ? lockdep_hardirqs_on+0x418/0x5d0
[ 52.463281][ T1174]  ? trace_hardirqs_on+0x67/0x230
[ 52.468283][ T1174]  ? kasan_check_read+0x11/0x20
[ 52.473126][ T1174]  hci_rx_work+0x440/0xaa0
[ 52.477543][ T1174]  ? hci_rx_work+0x440/0xaa0
[ 52.482121][ T1174]  process_one_work+0x98e/0x1790
[ 52.487055][ T1174]  ? pwq_dec_nr_in_flight+0x320/0x320
[ 52.492413][ T1174]  worker_thread+0x98/0xe40
[ 52.496906][ T1174]  kthread+0x357/0x430
[ 52.500969][ T1174]  ? process_one_work+0x1790/0x1790
[ 52.506146][ T1174]  ? kthread_cancel_delayed_work_sync+0x20/0x20
[ 52.512367][ T1174]  ret_from_fork+0x3a/0x50
[ 52.516764][ T1174]
[ 52.519068][ T1174] Allocated by task 8001:
[ 52.523380][ T1174]  save_stack+0x45/0xd0
[ 52.527516][ T1174]  __kasan_kmalloc.constprop.0+0xcf/0xe0
[ 52.533125][ T1174]  kasan_kmalloc+0x9/0x10
[ 52.537431][ T1174]  __kmalloc_node_track_caller+0x4e/0x70
[ 52.543044][ T1174]  __kmalloc_reserve.isra.0+0x40/0xf0
[ 52.548410][ T1174]  __alloc_skb+0x10b/0x5e0
[ 52.552818][ T1174]  vhci_write+0xc4/0x470
[ 52.557057][ T1174]  new_sync_write+0x4c7/0x760
[ 52.561719][ T1174]  __vfs_write+0xe4/0x110
[ 52.566028][ T1174]  vfs_write+0x20c/0x580
[ 52.570248][ T1174]  ksys_write+0x14f/0x2d0
[ 52.574556][ T1174]  __x64_sys_write+0x73/0xb0
[ 52.579131][ T1174]  do_syscall_64+0x103/0x610
[ 52.583704][ T1174]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 52.589588][ T1174]
[ 52.591900][ T1174] Freed by task 4542:
[ 52.595883][ T1174]  save_stack+0x45/0xd0
[ 52.600020][ T1174]  __kasan_slab_free+0x102/0x150
[ 52.604946][ T1174]  kasan_slab_free+0xe/0x10
[ 52.609428][ T1174]  kfree+0xcf/0x230
[ 52.613219][ T1174]  free_pipe_info+0x253/0x300
[ 52.617872][ T1174]  put_pipe_info+0xd0/0xf0
[ 52.622268][ T1174]  pipe_release+0x1e6/0x280
[ 52.626747][ T1174]  __fput+0x2e5/0x8d0
[ 52.630734][ T1174]  ____fput+0x16/0x20
[ 52.634699][ T1174]  task_work_run+0x14a/0x1c0
[ 52.639268][ T1174]  exit_to_usermode_loop+0x273/0x2c0
[ 52.644531][ T1174]  do_syscall_64+0x52d/0x610
[ 52.649110][ T1174]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 52.654996][ T1174]
[ 52.657306][ T1174] The buggy address belongs to the object at ffff88808e82a840
[ 52.657306][ T1174]  which belongs to the cache kmalloc-512 of size 512
[ 52.671333][ T1174] The buggy address is located 507 bytes inside of
[ 52.671333][ T1174]  512-byte region [ffff88808e82a840, ffff88808e82aa40)
[ 52.684576][ T1174] The buggy address belongs to the page:
[ 52.690187][ T1174] page:ffffea00023a0a80 count:1 mapcount:0 mapping:ffff8880aa400940 index:0x0
[ 52.699024][ T1174] flags: 0x1fffc0000000200(slab)
[ 52.703953][ T1174] raw: 01fffc0000000200 ffffea00026c6208 ffffea00023d8d08 ffff8880aa400940
[ 52.712516][ T1174] raw: 0000000000000000 ffff88808e82a0c0 0000000100000006 0000000000000000
[ 52.721072][ T1174] page dumped because: kasan: bad access detected
[ 52.727454][ T1174]
[ 52.729757][ T1174] Memory state around the buggy address:
[ 52.735379][ T1174]  ffff88808e82a900: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 52.743437][ T1174]  ffff88808e82a980: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 52.751476][ T1174] >ffff88808e82aa00: 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc
[ 52.759511][ T1174]                                         ^
[ 52.765657][ T1174]  ffff88808e82aa80: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
[ 52.773709][ T1174]  ffff88808e82ab00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 52.781758][ T1174] ==================================================================
[ 52.789809][ T1174] Disabling lock debugging due to kernel taint
[ 52.796686][ T1174] Kernel panic - not syncing: panic_on_warn set ...
[ 52.803282][ T1174] CPU: 1 PID: 1174 Comm: kworker/u5:0 Tainted: G    B             5.1.0-rc7+ #97
[ 52.812359][ T1174] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 52.822419][ T1174] Workqueue: hci0 hci_rx_work
[ 52.827069][ T1174] Call Trace:
[ 52.830337][ T1174]  dump_stack+0x172/0x1f0
[ 52.834647][ T1174]  panic+0x2cb/0x65c
[ 52.838522][ T1174]  ? __warn_printk+0xf3/0xf3
[ 52.843087][ T1174]  ? bacpy+0x23/0x30
[ 52.846962][ T1174]  ? preempt_schedule+0x4b/0x60
[ 52.851788][ T1174]  ? ___preempt_schedule+0x16/0x18
[ 52.856875][ T1174]  ? trace_hardirqs_on+0x5e/0x230
[ 52.861873][ T1174]  ? bacpy+0x23/0x30
[ 52.865745][ T1174]  end_report+0x47/0x4f
[ 52.869884][ T1174]  ? bacpy+0x23/0x30
[ 52.873755][ T1174]  kasan_report.cold+0xe/0x40
[ 52.878441][ T1174]  ? hci_remove_remote_oob_data+0xe0/0x1a0
[ 52.884227][ T1174]  ? bacpy+0x23/0x30
[ 52.888098][ T1174]  check_memory_region+0x123/0x190
[ 52.893185][ T1174]  memcpy+0x24/0x50
[ 52.896971][ T1174]  bacpy+0x23/0x30
[ 52.900679][ T1174]  hci_event_packet+0x4e86/0xaabf
[ 52.905700][ T1174]  ? graph_lock+0x7b/0x200
[ 52.910094][ T1174]  ? __lockdep_reset_lock+0x450/0x450
[ 52.915443][ T1174]  ? hci_cmd_complete_evt+0xbe90/0xbe90
[ 52.920963][ T1174]  ? __lock_acquire+0x2340/0x3fb0
[ 52.925968][ T1174]  ? skb_dequeue+0x12e/0x180
[ 52.930535][ T1174]  ? find_held_lock+0x35/0x130
[ 52.935279][ T1174]  ? skb_dequeue+0x12e/0x180
[ 52.939853][ T1174]  ? _raw_spin_unlock_irqrestore+0x6b/0xe0
[ 52.945635][ T1174]  ? skb_dequeue+0x12e/0x180
[ 52.950207][ T1174]  ? _raw_spin_unlock_irqrestore+0x6b/0xe0
[ 52.956006][ T1174]  ? lockdep_hardirqs_on+0x418/0x5d0
[ 52.961272][ T1174]  ? trace_hardirqs_on+0x67/0x230
[ 52.966276][ T1174]  ? kasan_check_read+0x11/0x20
[ 52.971111][ T1174]  hci_rx_work+0x440/0xaa0
[ 52.975505][ T1174]  ? hci_rx_work+0x440/0xaa0
[ 52.980091][ T1174]  process_one_work+0x98e/0x1790
[ 52.985012][ T1174]  ? pwq_dec_nr_in_flight+0x320/0x320
[ 52.990364][ T1174]  worker_thread+0x98/0xe40
[ 52.994863][ T1174]  kthread+0x357/0x430
[ 52.998911][ T1174]  ? process_one_work+0x1790/0x1790
[ 53.004094][ T1174]  ? kthread_cancel_delayed_work_sync+0x20/0x20
[ 53.010314][ T1174]  ret_from_fork+0x3a/0x50
[ 53.015788][ T1174] Kernel Offset: disabled
[ 53.020112][ T1174] Rebooting in 86400 seconds..