[ 46.168272] audit: type=1800 audit(1556765081.741:29): pid=8095 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:kernel_t:s0 op=collect_data cause=failed(directio) comm="startpar" name="cron" dev="sda1" ino=2447 res=0
[ 46.191243] audit: type=1800 audit(1556765081.741:30): pid=8095 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:kernel_t:s0 op=collect_data cause=failed(directio) comm="startpar" name="mcstrans" dev="sda1" ino=2490 res=0
Starting mcstransd:
[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting file context maintaining daemon: restorecond.
[ ok ] Starting OpenBSD Secure Shell server: sshd.
Debian GNU/Linux 7 syzkaller ttyS0
Warning: Permanently added '10.128.0.83' (ECDSA) to the list of known hosts.
executing program
executing program
executing program
syzkaller login:
[ 103.350212] kauditd_printk_skb: 5 callbacks suppressed
[ 103.350228] audit: type=1400 audit(1556765138.921:36): avc: denied { map } for pid=8280 comm="syz-executor712" path="/root/syz-executor712434629" dev="sda1" ino=1426 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
[ 103.421473] ==================================================================
[ 103.429055] BUG: KASAN: slab-out-of-bounds in bacpy+0x23/0x30
[ 103.434960] Read of size 6 at addr ffff88809b4c76fb by task kworker/u5:0/1275
[ 103.442268]
[ 103.443911] CPU: 1 PID: 1275 Comm: kworker/u5:0 Not tainted 4.19.37 #5
[ 103.450630] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 103.460105] Workqueue: hci0 hci_rx_work
[ 103.464080] Call Trace:
[ 103.466671]  dump_stack+0x172/0x1f0
[ 103.470309]  ? bacpy+0x23/0x30
[ 103.473599]  print_address_description.cold+0x7c/0x20d
[ 103.478950]  ? bacpy+0x23/0x30
[ 103.482167]  kasan_report.cold+0x8c/0x2ba
[ 103.486327]  check_memory_region+0x123/0x190
[ 103.491421]  memcpy+0x24/0x50
[ 103.494591]  bacpy+0x23/0x30
[ 103.497666]  hci_event_packet+0x5455/0xaa6b
[ 103.502015]  ? hci_cmd_complete_evt+0xb890/0xb890
[ 103.506880]  ? register_lock_class+0x12b0/0x1cf0
[ 103.511822]  ? kasan_check_read+0x11/0x20
[ 103.516092]  ? __lock_acquire+0x2365/0x48f0
[ 103.520453]  ? skb_dequeue+0x12e/0x180
[ 103.524350]  ? find_held_lock+0x35/0x130
[ 103.528425]  ? skb_dequeue+0x12e/0x180
[ 103.532328]  ? _raw_spin_unlock_irqrestore+0x6b/0xe0
[ 103.537451]  ? skb_dequeue+0x12e/0x180
[ 103.541351]  ? _raw_spin_unlock_irqrestore+0x6b/0xe0
[ 103.546555]  ? lockdep_hardirqs_on+0x415/0x5d0
[ 103.551714]  ? trace_hardirqs_on+0x67/0x230
[ 103.556053]  ? kasan_check_read+0x11/0x20
[ 103.560209]  hci_rx_work+0x440/0xaa0
[ 103.564009]  ? hci_rx_work+0x440/0xaa0
[ 103.567909]  process_one_work+0x98e/0x1760
[ 103.572311]  ? pwq_dec_nr_in_flight+0x320/0x320
[ 103.577087]  ? kasan_check_write+0x14/0x20
[ 103.581333]  ? do_raw_spin_lock+0xc8/0x240
[ 103.585571]  worker_thread+0x98/0xe40
[ 103.589384]  kthread+0x357/0x430
[ 103.592749]  ? process_one_work+0x1760/0x1760
[ 103.597243]  ? kthread_delayed_work_timer_fn+0x290/0x290
[ 103.602746]  ret_from_fork+0x3a/0x50
[ 103.606791]
[ 103.608416] Allocated by task 8284:
[ 103.612046]  save_stack+0x45/0xd0
[ 103.615495]  kasan_kmalloc+0xce/0xf0
[ 103.619211]  __kmalloc_node_track_caller+0x51/0x80
[ 103.624548]  __kmalloc_reserve.isra.0+0x40/0xf0
[ 103.630274]  __alloc_skb+0x10b/0x5f0
[ 103.634000]  vhci_write+0xc4/0x470
[ 103.637537]  __vfs_write+0x58e/0x820
[ 103.641248]  vfs_write+0x20c/0x560
[ 103.644782]  ksys_write+0xea/0x1f0
[ 103.648415]  __x64_sys_write+0x73/0xb0
[ 103.652345]  do_syscall_64+0x103/0x610
[ 103.656287]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 103.661474]
[ 103.663211] Freed by task 3594:
[ 103.666668]  save_stack+0x45/0xd0
[ 103.670178]  __kasan_slab_free+0x102/0x150
[ 103.674605]  kasan_slab_free+0xe/0x10
[ 103.678438]  kfree+0xcf/0x230
[ 103.681563]  kernfs_fop_release+0x129/0x1a0
[ 103.685895]  __fput+0x2df/0x8b0
[ 103.689177]  ____fput+0x16/0x20
[ 103.692579]  task_work_run+0x14a/0x1c0
[ 103.696484]  exit_to_usermode_loop+0x273/0x2c0
[ 103.701103]  do_syscall_64+0x52d/0x610
[ 103.705067]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 103.710282]
[ 103.711909] The buggy address belongs to the object at ffff88809b4c7500
[ 103.711909]  which belongs to the cache kmalloc-512 of size 512
[ 103.725218] The buggy address is located 507 bytes inside of
[ 103.725218]  512-byte region [ffff88809b4c7500, ffff88809b4c7700)
[ 103.737186] The buggy address belongs to the page:
[ 103.742176] page:ffffea00026d31c0 count:1 mapcount:0 mapping:ffff88812c3f0940 index:0x0
[ 103.750334] flags: 0x1fffc0000000100(slab)
[ 103.754571] raw: 01fffc0000000100 ffffea00022f2948 ffffea00026d3908 ffff88812c3f0940
[ 103.762836] raw: 0000000000000000 ffff88809b4c7000 0000000100000006 0000000000000000
[ 103.770714] page dumped because: kasan: bad access detected
[ 103.776502]
[ 103.778116] Memory state around the buggy address:
[ 103.783088]  ffff88809b4c7600: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 103.790581]  ffff88809b4c7680: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 103.798043] >ffff88809b4c7700: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 103.805401]                    ^
[ 103.808780]  ffff88809b4c7780: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 103.816215]  ffff88809b4c7800: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 103.823671] ==================================================================
[ 103.831237] Disabling lock debugging due to kernel taint
[ 103.837556] Kernel panic - not syncing: panic_on_warn set ...
[ 103.837556]
[ 103.845210] CPU: 1 PID: 1275 Comm: kworker/u5:0 Tainted: G B 4.19.37 #5
[ 103.853260] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 103.862771] Workqueue: hci0 hci_rx_work
[ 103.866738] Call Trace:
[ 103.869346]  dump_stack+0x172/0x1f0
[ 103.872992]  ? bacpy+0x23/0x30
[ 103.876350]  panic+0x263/0x51d
[ 103.879594]  ? __warn_printk+0xf3/0xf3
[ 103.883576]  ? bacpy+0x23/0x30
[ 103.886815]  ? preempt_schedule+0x4b/0x60
[ 103.891258]  ? ___preempt_schedule+0x16/0x18
[ 103.895671]  ? trace_hardirqs_on+0x5e/0x230
[ 103.899995]  ? bacpy+0x23/0x30
[ 103.903183]  kasan_end_report+0x47/0x4f
[ 103.907162]  kasan_report.cold+0xa9/0x2ba
[ 103.911321]  check_memory_region+0x123/0x190
[ 103.915735]  memcpy+0x24/0x50
[ 103.918836]  bacpy+0x23/0x30
[ 103.921850]  hci_event_packet+0x5455/0xaa6b
[ 103.926171]  ? hci_cmd_complete_evt+0xb890/0xb890
[ 103.931023]  ? register_lock_class+0x12b0/0x1cf0
[ 103.935793]  ? kasan_check_read+0x11/0x20
[ 103.940008]  ? __lock_acquire+0x2365/0x48f0
[ 103.944344]  ? skb_dequeue+0x12e/0x180
[ 103.948229]  ? find_held_lock+0x35/0x130
[ 103.952294]  ? skb_dequeue+0x12e/0x180
[ 103.956187]  ? _raw_spin_unlock_irqrestore+0x6b/0xe0
[ 103.961286]  ? skb_dequeue+0x12e/0x180
[ 103.965286]  ? _raw_spin_unlock_irqrestore+0x6b/0xe0
[ 103.980612]  ? lockdep_hardirqs_on+0x415/0x5d0
[ 103.985641]  ? trace_hardirqs_on+0x67/0x230
[ 103.990062]  ? kasan_check_read+0x11/0x20
[ 103.994212]  hci_rx_work+0x440/0xaa0
[ 103.997938]  ? hci_rx_work+0x440/0xaa0
[ 104.001961]  process_one_work+0x98e/0x1760
[ 104.006196]  ? pwq_dec_nr_in_flight+0x320/0x320
[ 104.011353]  ? kasan_check_write+0x14/0x20
[ 104.015636]  ? do_raw_spin_lock+0xc8/0x240
[ 104.019950]  worker_thread+0x98/0xe40
[ 104.023784]  kthread+0x357/0x430
[ 104.027145]  ? process_one_work+0x1760/0x1760
[ 104.031792]  ? kthread_delayed_work_timer_fn+0x290/0x290
[ 104.037279]  ret_from_fork+0x3a/0x50
[ 104.041962] Kernel Offset: disabled
[ 104.045811] Rebooting in 86400 seconds..