[   48.162734] audit: type=1800 audit(1584261712.632:30): pid=7984 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:kernel_t:s0 op=collect_data cause=failed(directio) comm="startpar" name="mcstrans" dev="sda1" ino=2490 res=0
Starting mcstransd:
[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.
[ ok ] Starting file context maintaining daemon: restorecond.

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [   52.730214] kauditd_printk_skb: 4 callbacks suppressed
[   52.730227] audit: type=1400 audit(1584261717.222:35): avc: denied { map } for pid=8159 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
Warning: Permanently added '10.128.0.144' (ECDSA) to the list of known hosts.
executing program
executing program
executing program
executing program
executing program
[   59.497415] audit: type=1400 audit(1584261723.992:36): avc: denied { map } for pid=8171 comm="syz-executor226" path="/root/syz-executor226309558" dev="sda1" ino=16484 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
executing program
[   69.891574] ==================================================================
[   69.899191] BUG: KASAN: slab-out-of-bounds in hci_event_packet+0x48f5/0xa9d9
[   69.906420] Read of size 6 at addr ffff88809fbad788 by task kworker/u5:0/1216
[   69.913681]
[   69.915305] CPU: 1 PID: 1216 Comm: kworker/u5:0 Not tainted 4.19.109-syzkaller #0
[   69.922912] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   69.932265] Workqueue: hci0 hci_rx_work
[   69.936238] Call Trace:
[   69.938842]  dump_stack+0x188/0x20d
[   69.942464]  ? hci_event_packet+0x48f5/0xa9d9
[   69.946966]  print_address_description.cold+0x7c/0x212
[   69.952238]  ? hci_event_packet+0x48f5/0xa9d9
[   69.956822]  kasan_report.cold+0x88/0x2b9
[   69.961746]  memcpy+0x20/0x50
[   69.964847]  hci_event_packet+0x48f5/0xa9d9
[   69.969177]  ? hci_cmd_complete_evt+0xb7c0/0xb7c0
[   69.974013]  ? mark_held_locks+0xf0/0xf0
[   69.978067]  ? __lock_acquire+0x23a3/0x49c0
[   69.982391]  ? find_held_lock+0x2d/0x110
[   69.986457]  ? skb_dequeue+0x129/0x180
[   69.990341]  ? mark_held_locks+0xa6/0xf0
[   69.994395]  ? _raw_spin_unlock_irqrestore+0x67/0xe0
[   69.999500]  ? lockdep_hardirqs_on+0x40b/0x5d0
[   70.004078]  ? hci_rx_work+0x47b/0xab0
[   70.007955]  hci_rx_work+0x47b/0xab0
[   70.011708]  process_one_work+0x91f/0x1640
[   70.015951]  ? pwq_dec_nr_in_flight+0x310/0x310
[   70.020619]  worker_thread+0x96/0xe20
[   70.024430]  ? process_one_work+0x1640/0x1640
[   70.028919]  kthread+0x34a/0x420
[   70.032276]  ? kthread_cancel_delayed_work_sync+0x20/0x20
[   70.037810]  ret_from_fork+0x24/0x30
[   70.041528]
[   70.043154] Allocated by task 8179:
[   70.046797]  kasan_kmalloc+0xbf/0xe0
[   70.050500]  __kmalloc_node_track_caller+0x4c/0x70
[   70.056384]  __kmalloc_reserve.isra.0+0x39/0xe0
[   70.061063]  __alloc_skb+0xef/0x5b0
[   70.064690]  vhci_write+0xbd/0x460
[   70.068232]  __vfs_write+0x512/0x760
[   70.071946]  vfs_write+0x206/0x550
[   70.075477]  ksys_write+0x12b/0x2a0
[   70.079210]  do_syscall_64+0xf9/0x620
[   70.083018]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   70.088200]
[   70.089815] Freed by task 6110:
[   70.093091]  __kasan_slab_free+0xf7/0x140
[   70.097226]  kfree+0xce/0x220
[   70.100322]  kernfs_fop_release+0x124/0x190
[   70.104635]  __fput+0x2cd/0x890
[   70.107922]  task_work_run+0x13f/0x1b0
[   70.111799]  exit_to_usermode_loop+0x25a/0x2b0
[   70.116370]  do_syscall_64+0x538/0x620
[   70.120249]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   70.125418]
[   70.127037] The buggy address belongs to the object at ffff88809fbad580
[   70.127037]  which belongs to the cache kmalloc-512 of size 512
[   70.139685] The buggy address is located 8 bytes to the right of
[   70.139685]  512-byte region [ffff88809fbad580, ffff88809fbad780)
[   70.151893] The buggy address belongs to the page:
[   70.156814] page:ffffea00027eeb40 count:1 mapcount:0 mapping:ffff88812c3dc940 index:0x0
[   70.164944] flags: 0xfffe0000000100(slab)
[   70.169087] raw: 00fffe0000000100 ffffea0002a202c8 ffffea0002397088 ffff88812c3dc940
[   70.176960] raw: 0000000000000000 ffff88809fbad080 0000000100000006 0000000000000000
[   70.184835] page dumped because: kasan: bad access detected
[   70.190553]
[   70.192168] Memory state around the buggy address:
[   70.197087]  ffff88809fbad680: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   70.204436]  ffff88809fbad700: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   70.211792] >ffff88809fbad780: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   70.219138]                       ^
[   70.222756]  ffff88809fbad800: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   70.230103]  ffff88809fbad880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   70.237447] ==================================================================
[   70.244791] Disabling lock debugging due to kernel taint
[   70.250363] Kernel panic - not syncing: panic_on_warn set ...
[   70.250363]
[   70.257735] CPU: 1 PID: 1216 Comm: kworker/u5:0 Tainted: G B 4.19.109-syzkaller #0
[   70.266727] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   70.276069] Workqueue: hci0 hci_rx_work
[   70.280065] Call Trace:
[   70.282722]  dump_stack+0x188/0x20d
[   70.286349]  panic+0x26a/0x50e
[   70.289531]  ? __warn_printk+0xf3/0xf3
[   70.293403]  ? preempt_schedule_common+0x4a/0xc0
[   70.298149]  ? hci_event_packet+0x48f5/0xa9d9
[   70.302631]  ? ___preempt_schedule+0x16/0x18
[   70.307036]  ? trace_hardirqs_on+0x55/0x210
[   70.311343]  ? hci_event_packet+0x48f5/0xa9d9
[   70.315825]  kasan_end_report+0x43/0x49
[   70.319798]  kasan_report.cold+0xa4/0x2b9
[   70.323929]  memcpy+0x20/0x50
[   70.329711]  hci_event_packet+0x48f5/0xa9d9
[   70.334019]  ? hci_cmd_complete_evt+0xb7c0/0xb7c0
[   70.338857]  ? mark_held_locks+0xf0/0xf0
[   70.342902]  ? __lock_acquire+0x23a3/0x49c0
[   70.348164]  ? find_held_lock+0x2d/0x110
[   70.352209]  ? skb_dequeue+0x129/0x180
[   70.356089]  ? mark_held_locks+0xa6/0xf0
[   70.360143]  ? _raw_spin_unlock_irqrestore+0x67/0xe0
[   70.365230]  ? lockdep_hardirqs_on+0x40b/0x5d0
[   70.369794]  ? hci_rx_work+0x47b/0xab0
[   70.373674]  hci_rx_work+0x47b/0xab0
[   70.377377]  process_one_work+0x91f/0x1640
[   70.381607]  ? pwq_dec_nr_in_flight+0x310/0x310
[   70.386263]  worker_thread+0x96/0xe20
[   70.390054]  ? process_one_work+0x1640/0x1640
[   70.394545]  kthread+0x34a/0x420
[   70.397894]  ? kthread_cancel_delayed_work_sync+0x20/0x20
[   70.403413]  ret_from_fork+0x24/0x30
[   70.408567] Kernel Offset: disabled
[   70.412212] Rebooting in 86400 seconds..
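Added example, not part of the syzkaller console log above: a small Python triage parser for a KASAN report of this shape. It pulls out the bug class and function from the BUG: line, the access kind, size and address, the slab object bounds, and the three stacks (access, allocation, free), then computes the overrun from the raw addresses and cross-checks it against KASAN's own "located N bytes to the right" sentence. The sample input is constructed from the report lines above with each stack trimmed to a few frames; the prefix lists used to skip sanitizer and allocator frames are my own heuristics, not anything KASAN or syzkaller defines.

```python
import re
from dataclasses import dataclass, field

# Constructed sample input: the KASAN report from the console log above, with the
# dmesg timestamps kept and each stack trimmed to a few frames.
SAMPLE_REPORT = """\
[   69.899191] BUG: KASAN: slab-out-of-bounds in hci_event_packet+0x48f5/0xa9d9
[   69.906420] Read of size 6 at addr ffff88809fbad788 by task kworker/u5:0/1216
[   69.936238] Call Trace:
[   69.938842]  dump_stack+0x188/0x20d
[   69.942464]  ? hci_event_packet+0x48f5/0xa9d9
[   69.956822]  kasan_report.cold+0x88/0x2b9
[   69.961746]  memcpy+0x20/0x50
[   69.964847]  hci_event_packet+0x48f5/0xa9d9
[   70.007955]  hci_rx_work+0x47b/0xab0
[   70.041528]
[   70.043154] Allocated by task 8179:
[   70.046797]  kasan_kmalloc+0xbf/0xe0
[   70.050500]  __kmalloc_node_track_caller+0x4c/0x70
[   70.061063]  __alloc_skb+0xef/0x5b0
[   70.064690]  vhci_write+0xbd/0x460
[   70.089815] Freed by task 6110:
[   70.093091]  __kasan_slab_free+0xf7/0x140
[   70.097226]  kfree+0xce/0x220
[   70.100322]  kernfs_fop_release+0x124/0x190
[   70.139685] The buggy address is located 8 bytes to the right of
[   70.139685]  512-byte region [ffff88809fbad580, ffff88809fbad780)
"""

TS_RE = re.compile(r"^\[\s*\d+\.\d+\]")  # dmesg timestamp prefix
BUG_RE = re.compile(r"BUG: KASAN: (?P<kind>[\w-]+) in (?P<func>[\w.]+)\+0x")
ACCESS_RE = re.compile(r"(?P<op>Read|Write) of size (?P<size>\d+) at addr (?P<addr>[0-9a-f]+)")
REGION_RE = re.compile(r"\d+-byte region \[[0-9a-f]+, (?P<end>[0-9a-f]+)\)")
OFFSET_RE = re.compile(r"located (?P<n>\d+) bytes to the (?P<side>left|right) of")
FRAME_RE = re.compile(r"^(?P<guess>\? )?(?P<sym>[\w.]+)\+0x[0-9a-f]+/0x[0-9a-f]+$")
# Heuristic prefix lists (my own, not KASAN's): sanitizer/report frames and allocator frames.
INSTRUMENTATION = ("dump_stack", "print_address_description", "kasan_", "__asan_", "memcpy", "memset", "memmove")
ALLOCATOR = ("kasan_", "__kmalloc", "kmalloc", "kmem_cache", "__alloc_skb", "alloc_skb")


@dataclass
class KasanReport:
    kind: str = ""              # e.g. slab-out-of-bounds
    func: str = ""              # function named on the BUG: line
    op: str = ""                # Read or Write
    size: int = 0
    addr: int = 0
    region_end: int = 0         # exclusive end of the slab object
    reported_offset: int = 0    # KASAN's own "N bytes to the right" (negative = left)
    access_stack: list = field(default_factory=list)
    alloc_stack: list = field(default_factory=list)
    free_stack: list = field(default_factory=list)

    def overrun(self):  # bytes past region_end touched by the access, as (first, last + 1)
        return max(self.addr, self.region_end) - self.region_end, self.addr + self.size - self.region_end

    def offset_consistent(self):  # cross-check KASAN's prose offset against the raw addresses
        return self.reported_offset == self.addr - self.region_end

    def culprit(self):  # first reliable frame that is not sanitizer or memcpy machinery
        return next((f for f in self.access_stack if not f.startswith(INSTRUMENTATION)), "")

    def alloc_site(self):  # first allocation frame outside the allocator: who owns the buffer
        return next((f for f in self.alloc_stack if not f.startswith(ALLOCATOR)), "")


def parse_kasan_report(text: str) -> KasanReport:
    r = KasanReport()
    stack = None  # list currently collecting frames, if inside a stack section
    for raw in text.splitlines():
        line = TS_RE.sub("", raw).strip()
        if line == "Call Trace:":  # keep only the first trace; the panic path repeats it
            stack = r.access_stack if not r.access_stack else None
            continue
        if line.startswith(("Allocated by task", "Freed by task")):
            stack = r.alloc_stack if line.startswith("Alloc") else r.free_stack
            continue
        if stack is not None:
            m = FRAME_RE.match(line)
            if m:
                if not m.group("guess"):  # "? sym" frames are guesses, skip them
                    stack.append(m.group("sym"))
                continue
            stack = None  # a blank or any other line ends the stack section
        for rx in (BUG_RE, ACCESS_RE, REGION_RE, OFFSET_RE):
            m = rx.search(line)
            if not m:
                continue
            g = m.groupdict()
            if rx is BUG_RE:
                r.kind, r.func = g["kind"], g["func"]
            elif rx is ACCESS_RE:
                r.op, r.size, r.addr = g["op"], int(g["size"]), int(g["addr"], 16)
            elif rx is REGION_RE:
                r.region_end = int(g["end"], 16)
            else:
                r.reported_offset = int(g["n"]) * (1 if g["side"] == "right" else -1)
    return r
```

On the report above this yields a 6-byte read whose first byte is 8 past the end of the kmalloc-512 object, so bytes 8 through 13 past the end are touched, all of them in the `fc` redzone shown in the shadow dump; the culprit frame is `hci_event_packet`, and the allocation stack bottoms out in `vhci_write`, the write handler of the virtual HCI driver, which is what tells a triager that the overrun skb payload came from a userspace write rather than from real radio hardware. The "Freed by task" stack belongs to an earlier occupant of the same slab slot and is unrelated to this read.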