[ ok ] Starting enhanced syslogd: rsyslogd.
[ 47.083990][ T26] audit: type=1800 audit(1556765869.477:25): pid=7885 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="cron" dev="sda1" ino=2414 res=0
[ 47.113248][ T26] audit: type=1800 audit(1556765869.477:26): pid=7885 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="mcstrans" dev="sda1" ino=2457 res=0
[ 47.147256][ T26] audit: type=1800 audit(1556765869.477:27): pid=7885 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="restorecond" dev="sda1" ino=2436 res=0
[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.

Debian GNU/Linux 7 syzkaller ttyS0

Warning: Permanently added '10.128.10.47' (ECDSA) to the list of known hosts.
executing program
executing program
syzkaller login: [ 55.364846][ T8036] IPVS: ftp: loaded support on port[0] = 21
executing program
executing program
executing program
[ 55.457741][ T1174] ==================================================================
[ 55.465979][ T1174] BUG: KASAN: slab-out-of-bounds in bacpy+0x23/0x30
[ 55.472556][ T1174] Read of size 6 at addr ffff8880909ed4fb by task kworker/u5:0/1174
[ 55.480507][ T1174]
[ 55.482825][ T1174] CPU: 1 PID: 1174 Comm: kworker/u5:0 Not tainted 5.1.0-rc7+ #96
[ 55.490519][ T1174] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 55.500574][ T1174] Workqueue: hci0 hci_rx_work
[ 55.505247][ T1174] Call Trace:
[ 55.508534][ T1174]  dump_stack+0x172/0x1f0
[ 55.512852][ T1174]  ? bacpy+0x23/0x30
[ 55.516763][ T1174]  print_address_description.cold+0x7c/0x20d
[ 55.522744][ T1174]  ? bacpy+0x23/0x30
[ 55.526623][ T1174]  ? bacpy+0x23/0x30
[ 55.530518][ T1174]  kasan_report.cold+0x1b/0x40
[ 55.535289][ T1174]  ? hci_remove_remote_oob_data+0xe0/0x1a0
[ 55.541089][ T1174]  ? bacpy+0x23/0x30
[ 55.544994][ T1174]  check_memory_region+0x123/0x190
[ 55.550127][ T1174]  memcpy+0x24/0x50
[ 55.553921][ T1174]  bacpy+0x23/0x30
[ 55.557642][ T1174]  hci_event_packet+0x4e86/0xaabf
[ 55.562653][ T1174]  ? graph_lock+0x7b/0x200
[ 55.567073][ T1174]  ? __lockdep_reset_lock+0x450/0x450
[ 55.572437][ T1174]  ? hci_cmd_complete_evt+0xbe90/0xbe90
[ 55.578146][ T1174]  ? __lock_acquire+0x2340/0x3fb0
[ 55.583167][ T1174]  ? skb_dequeue+0x12e/0x180
[ 55.587767][ T1174]  ? find_held_lock+0x35/0x130
[ 55.592533][ T1174]  ? skb_dequeue+0x12e/0x180
[ 55.597113][ T1174]  ? _raw_spin_unlock_irqrestore+0x6b/0xe0
[ 55.602908][ T1174]  ? skb_dequeue+0x12e/0x180
[ 55.607488][ T1174]  ? _raw_spin_unlock_irqrestore+0x6b/0xe0
[ 55.613280][ T1174]  ? lockdep_hardirqs_on+0x418/0x5d0
[ 55.618553][ T1174]  ? trace_hardirqs_on+0x67/0x230
[ 55.623564][ T1174]  ? kasan_check_read+0x11/0x20
[ 55.628410][ T1174]  hci_rx_work+0x440/0xaa0
[ 55.632813][ T1174]  ? hci_rx_work+0x440/0xaa0
[ 55.637396][ T1174]  process_one_work+0x98e/0x1790
[ 55.642342][ T1174]  ? pwq_dec_nr_in_flight+0x320/0x320
[ 55.647712][ T1174]  worker_thread+0x98/0xe40
[ 55.652207][ T1174]  kthread+0x357/0x430
[ 55.656264][ T1174]  ? process_one_work+0x1790/0x1790
[ 55.661487][ T1174]  ? kthread_cancel_delayed_work_sync+0x20/0x20
[ 55.667737][ T1174]  ret_from_fork+0x3a/0x50
[ 55.672141][ T1174]
[ 55.674473][ T1174] Allocated by task 8043:
[ 55.678808][ T1174]  save_stack+0x45/0xd0
[ 55.682948][ T1174]  __kasan_kmalloc.constprop.0+0xcf/0xe0
[ 55.688566][ T1174]  kasan_kmalloc+0x9/0x10
[ 55.692881][ T1174]  __kmalloc_node_track_caller+0x4e/0x70
[ 55.698496][ T1174]  __kmalloc_reserve.isra.0+0x40/0xf0
[ 55.703862][ T1174]  __alloc_skb+0x10b/0x5e0
[ 55.708279][ T1174]  vhci_write+0xc4/0x470
[ 55.712508][ T1174]  new_sync_write+0x4c7/0x760
[ 55.717165][ T1174]  __vfs_write+0xe4/0x110
[ 55.721476][ T1174]  vfs_write+0x20c/0x580
[ 55.725699][ T1174]  ksys_write+0x14f/0x2d0
[ 55.730033][ T1174]  __x64_sys_write+0x73/0xb0
[ 55.734609][ T1174]  do_syscall_64+0x103/0x610
[ 55.739202][ T1174]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 55.745070][ T1174]
[ 55.747376][ T1174] Freed by task 6181:
[ 55.751342][ T1174]  save_stack+0x45/0xd0
[ 55.755491][ T1174]  __kasan_slab_free+0x102/0x150
[ 55.760410][ T1174]  kasan_slab_free+0xe/0x10
[ 55.764893][ T1174]  kfree+0xcf/0x230
[ 55.768710][ T1174]  tomoyo_find_next_domain+0x776/0x1f8a
[ 55.774249][ T1174]  tomoyo_bprm_check_security+0x12a/0x1b0
[ 55.779991][ T1174]  security_bprm_check+0x69/0xb0
[ 55.784936][ T1174]  search_binary_handler+0x77/0x570
[ 55.790142][ T1174]  __do_execve_file.isra.0+0x1394/0x23f0
[ 55.795768][ T1174]  __x64_sys_execve+0x8f/0xc0
[ 55.800434][ T1174]  do_syscall_64+0x103/0x610
[ 55.805023][ T1174]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 55.810905][ T1174]
[ 55.813223][ T1174] The buggy address belongs to the object at ffff8880909ed300
[ 55.813223][ T1174]  which belongs to the cache kmalloc-512 of size 512
[ 55.827283][ T1174] The buggy address is located 507 bytes inside of
[ 55.827283][ T1174]  512-byte region [ffff8880909ed300, ffff8880909ed500)
[ 55.840570][ T1174] The buggy address belongs to the page:
[ 55.846217][ T1174] page:ffffea0002427b40 count:1 mapcount:0 mapping:ffff8880aa400940 index:0x0
[ 55.855068][ T1174] flags: 0x1fffc0000000200(slab)
[ 55.859993][ T1174] raw: 01fffc0000000200 ffffea0002435348 ffffea0002428ac8 ffff8880aa400940
[ 55.868563][ T1174] raw: 0000000000000000 ffff8880909ed080 0000000100000006 0000000000000000
[ 55.877172][ T1174] page dumped because: kasan: bad access detected
[ 55.883561][ T1174]
[ 55.885869][ T1174] Memory state around the buggy address:
[ 55.891483][ T1174]  ffff8880909ed400: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 55.899544][ T1174]  ffff8880909ed480: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 55.907594][ T1174] >ffff8880909ed500: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 55.915635][ T1174]                    ^
[ 55.919689][ T1174]  ffff8880909ed580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 55.927753][ T1174]  ffff8880909ed600: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 55.935811][ T1174] ==================================================================
[ 55.943873][ T1174] Disabling lock debugging due to kernel taint
[ 55.951093][ T1174] Kernel panic - not syncing: panic_on_warn set ...
[ 55.957711][ T1174] CPU: 1 PID: 1174 Comm: kworker/u5:0 Tainted: G    B   5.1.0-rc7+ #96
[ 55.966825][ T1174] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 55.976870][ T1174] Workqueue: hci0 hci_rx_work
[ 55.981549][ T1174] Call Trace:
[ 55.984842][ T1174]  dump_stack+0x172/0x1f0
[ 55.989159][ T1174]  panic+0x2cb/0x65c
[ 55.993044][ T1174]  ? __warn_printk+0xf3/0xf3
[ 55.997612][ T1174]  ? bacpy+0x23/0x30
[ 56.001491][ T1174]  ? preempt_schedule+0x4b/0x60
[ 56.006324][ T1174]  ? ___preempt_schedule+0x16/0x18
[ 56.011417][ T1174]  ? trace_hardirqs_on+0x5e/0x230
[ 56.016420][ T1174]  ? bacpy+0x23/0x30
[ 56.020296][ T1174]  end_report+0x47/0x4f
[ 56.024439][ T1174]  ? bacpy+0x23/0x30
[ 56.028330][ T1174]  kasan_report.cold+0xe/0x40
[ 56.032994][ T1174]  ? hci_remove_remote_oob_data+0xe0/0x1a0
[ 56.038801][ T1174]  ? bacpy+0x23/0x30
[ 56.042681][ T1174]  check_memory_region+0x123/0x190
[ 56.047777][ T1174]  memcpy+0x24/0x50
[ 56.051569][ T1174]  bacpy+0x23/0x30
[ 56.055273][ T1174]  hci_event_packet+0x4e86/0xaabf
[ 56.060301][ T1174]  ? graph_lock+0x7b/0x200
[ 56.064713][ T1174]  ? __lockdep_reset_lock+0x450/0x450
[ 56.070105][ T1174]  ? hci_cmd_complete_evt+0xbe90/0xbe90
[ 56.075658][ T1174]  ? __lock_acquire+0x2340/0x3fb0
[ 56.080700][ T1174]  ? skb_dequeue+0x12e/0x180
[ 56.085273][ T1174]  ? find_held_lock+0x35/0x130
[ 56.090026][ T1174]  ? skb_dequeue+0x12e/0x180
[ 56.094642][ T1174]  ? _raw_spin_unlock_irqrestore+0x6b/0xe0
[ 56.100459][ T1174]  ? skb_dequeue+0x12e/0x180
[ 56.105039][ T1174]  ? _raw_spin_unlock_irqrestore+0x6b/0xe0
[ 56.110831][ T1174]  ? lockdep_hardirqs_on+0x418/0x5d0
[ 56.116102][ T1174]  ? trace_hardirqs_on+0x67/0x230
[ 56.121136][ T1174]  ? kasan_check_read+0x11/0x20
[ 56.125990][ T1174]  hci_rx_work+0x440/0xaa0
[ 56.130407][ T1174]  ? hci_rx_work+0x440/0xaa0
[ 56.135080][ T1174]  process_one_work+0x98e/0x1790
[ 56.140022][ T1174]  ? pwq_dec_nr_in_flight+0x320/0x320
[ 56.145381][ T1174]  worker_thread+0x98/0xe40
[ 56.149871][ T1174]  kthread+0x357/0x430
[ 56.153927][ T1174]  ? process_one_work+0x1790/0x1790
[ 56.159127][ T1174]  ? kthread_cancel_delayed_work_sync+0x20/0x20
[ 56.165354][ T1174]  ret_from_fork+0x3a/0x50
[ 56.170860][ T1174] Kernel Offset: disabled
[ 56.175202][ T1174] Rebooting in 86400 seconds..