[ 38.745956] audit: type=1800 audit(1571173359.297:32): pid=7455 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:kernel_t:s0 op=collect_data cause=failed(directio) comm="startpar" name="ssh" dev="sda1" ino=2450 res=0
Starting mcstransd:
[....] Starting periodic command scheduler: cron[?25l[?1c7[ ok 8[?25h[?0c.
[....] Starting file context maintaining daemon: restorecond[?25l[?1c7[ ok 8[?25h[?0c.
[....] Starting OpenBSD Secure Shell server: sshd[?25l[?1c7[ ok 8[?25h[?0c.
[ 39.522552] audit: type=1800 audit(1571173360.167:33): pid=7455 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:kernel_t:s0 op=collect_data cause=failed(directio) comm="startpar" name="rc.local" dev="sda1" ino=2465 res=0

Debian GNU/Linux 7 syzkaller ttyS0

Warning: Permanently added '10.128.1.55' (ECDSA) to the list of known hosts.
executing program
syzkaller login: [ 49.145627] kauditd_printk_skb: 2 callbacks suppressed
[ 49.145641] audit: type=1400 audit(1571173369.787:36): avc: denied { map } for pid=7643 comm="syz-executor544" path="/root/syz-executor544201591" dev="sda1" ino=16483 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
[ 49.184682] nf_conntrack: default automatic helper assignment has been turned off for security reasons and CT-based firewall rule not found. Use the iptables CT target to attach helpers instead.
[ 49.462263] Bluetooth: Error in BCSP hdr checksum
[ 49.721904] Bluetooth: Error in BCSP hdr checksum
[ 49.981851] Bluetooth: Error in BCSP hdr checksum
[ 50.241927] Bluetooth: Error in BCSP hdr checksum
[ 50.502087] Bluetooth: Error in BCSP hdr checksum
[ 50.761894] Bluetooth: Error in BCSP hdr checksum
[ 51.021862] Bluetooth: Error in BCSP hdr checksum
[ 51.272108] Bluetooth: hci0: command 0x1003 tx timeout
[ 51.278151] Bluetooth: Error in BCSP hdr checksum
[ 51.531895] Bluetooth: Error in BCSP hdr checksum
[ 51.791919] Bluetooth: Error in BCSP hdr checksum
[ 52.051890] Bluetooth: Error in BCSP hdr checksum
[ 52.311872] Bluetooth: Error in BCSP hdr checksum
[ 52.571861] Bluetooth: Error in BCSP hdr checksum
[ 52.831863] Bluetooth: Error in BCSP hdr checksum
[ 53.091872] Bluetooth: Error in BCSP hdr checksum
[ 53.351673] Bluetooth: hci0: command 0x1001 tx timeout
[ 53.357392] Bluetooth: Error in BCSP hdr checksum
[ 53.362407] Bluetooth: Error in BCSP hdr checksum
[ 53.611913] Bluetooth: Error in BCSP hdr checksum
[ 53.616960] Bluetooth: Error in BCSP hdr checksum
[ 53.622036] Bluetooth: Error in BCSP hdr checksum
[ 53.871883] Bluetooth: Error in BCSP hdr checksum
[ 53.876857] Bluetooth: Error in BCSP hdr checksum
[ 54.131881] Bluetooth: Error in BCSP hdr checksum
[ 54.136873] Bluetooth: Error in BCSP hdr checksum
[ 55.431718] Bluetooth: hci0: command 0x1009 tx timeout
[ 59.595913] ==================================================================
[ 59.603510] BUG: KASAN: use-after-free in kfree_skb+0x38/0x390
[ 59.609580] Read of size 4 at addr ffff8880887eb7e4 by task syz-executor544/7644
[ 59.617268]
[ 59.619250] CPU: 1 PID: 7644 Comm: syz-executor544 Not tainted 4.19.79 #0
[ 59.626277] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 59.635629] Call Trace:
[ 59.638312]  dump_stack+0x172/0x1f0
[ 59.641928]  ? kfree_skb+0x38/0x390
[ 59.645623]  print_address_description.cold+0x7c/0x20d
[ 59.650922]  ? kfree_skb+0x38/0x390
[ 59.654558]  kasan_report.cold+0x8c/0x2ba
[ 59.658854]  check_memory_region+0x123/0x190
[ 59.663268]  kasan_check_read+0x11/0x20
[ 59.667245]  kfree_skb+0x38/0x390
[ 59.670712]  bcsp_close+0xc7/0x130
[ 59.674402]  hci_uart_tty_close+0x1ea/0x250
[ 59.678846]  ? hci_uart_close+0x50/0x50
[ 59.682848]  tty_ldisc_close.isra.0+0xaf/0xe0
[ 59.687333]  tty_ldisc_kill+0x4b/0xc0
[ 59.691116]  tty_ldisc_release+0xc6/0x280
[ 59.695254]  tty_release_struct+0x1b/0x50
[ 59.699477]  tty_release+0xbcb/0xe90
[ 59.703194]  ? put_tty_driver+0x20/0x20
[ 59.707156]  __fput+0x2dd/0x8b0
[ 59.710423]  ____fput+0x16/0x20
[ 59.713701]  task_work_run+0x145/0x1c0
[ 59.717750]  do_exit+0x994/0x2fa0
[ 59.721188]  ? get_signal+0x384/0x1fc0
[ 59.725064]  ? mm_update_next_owner+0x660/0x660
[ 59.729812]  ? _raw_spin_unlock_irq+0x28/0x90
[ 59.734717]  ? get_signal+0x384/0x1fc0
[ 59.738738]  ? _raw_spin_unlock_irq+0x28/0x90
[ 59.743251]  do_group_exit+0x135/0x370
[ 59.747145]  get_signal+0x3ec/0x1fc0
[ 59.750848]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 59.756476]  do_signal+0x95/0x1960
[ 59.760012]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 59.765626]  ? setup_sigcontext+0x7d0/0x7d0
[ 59.770034]  ? do_compat_pwritev64+0x1c0/0x1c0
[ 59.774693]  ? lock_downgrade+0x880/0x880
[ 59.778837]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 59.784361]  ? check_preemption_disabled+0x48/0x290
[ 59.789366]  ? exit_to_usermode_loop+0x43/0x2c0
[ 59.794019]  ? do_syscall_64+0x53d/0x620
[ 59.798066]  ? exit_to_usermode_loop+0x43/0x2c0
[ 59.802722]  ? lockdep_hardirqs_on+0x415/0x5d0
[ 59.807357]  ? trace_hardirqs_on+0x67/0x220
[ 59.812382]  exit_to_usermode_loop+0x244/0x2c0
[ 59.816976]  do_syscall_64+0x53d/0x620
[ 59.820883]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 59.826145] RIP: 0033:0x441309
[ 59.829886] Code: Bad RIP value.
[ 59.833240] RSP: 002b:00007ffe7b75c378 EFLAGS: 00000246 ORIG_RAX: 0000000000000028
[ 59.840950] RAX: 00000000003654c0 RBX: 0000000000000000 RCX: 0000000000441309
[ 59.848218] RDX: 0000000000000000 RSI: 0000000000000005 RDI: 0000000000000004
[ 59.855487] RBP: 00000000006cb018 R08: 00000000004002c8 R09: 00000000004002c8
[ 59.862846] R10: 00008000fffffffe R11: 0000000000000246 R12: 0000000000402130
[ 59.870876] R13: 00000000004021c0 R14: 0000000000000000 R15: 0000000000000000
[ 59.870899]
[ 59.870906] Allocated by task 23:
[ 59.870926]  save_stack+0x45/0xd0
[ 59.870936]  kasan_kmalloc+0xce/0xf0
[ 59.870945]  kasan_slab_alloc+0xf/0x20
[ 59.870954]  kmem_cache_alloc_node+0x144/0x710
[ 59.870963]  __alloc_skb+0xd5/0x5f0
[ 59.870972]  bcsp_recv+0x8c7/0x13a0
[ 59.870984]  hci_uart_tty_receive+0x225/0x530
[ 59.870994]  tty_ldisc_receive_buf+0x15f/0x1c0
[ 59.871004]  tty_port_default_receive_buf+0x7d/0xb0
[ 59.871013]  flush_to_ldisc+0x222/0x390
[ 59.871023]  process_one_work+0x989/0x1750
[ 59.871031]  worker_thread+0x98/0xe40
[ 59.871042]  kthread+0x354/0x420
[ 59.871053]  ret_from_fork+0x24/0x30
[ 59.871056]
[ 59.871061] Freed by task 23:
[ 59.871072]  save_stack+0x45/0xd0
[ 59.871088]  __kasan_slab_free+0x102/0x150
[ 59.953523]  kasan_slab_free+0xe/0x10
[ 59.957312]  kmem_cache_free+0x86/0x260
[ 59.961383]  kfree_skbmem+0xcb/0x150
[ 59.965092]  kfree_skb+0xf0/0x390
[ 59.968537]  bcsp_recv+0x2d8/0x13a0
[ 59.972161]  hci_uart_tty_receive+0x225/0x530
[ 59.977083]  tty_ldisc_receive_buf+0x15f/0x1c0
[ 59.981653]  tty_port_default_receive_buf+0x7d/0xb0
[ 59.986928]  flush_to_ldisc+0x222/0x390
[ 59.991048]  process_one_work+0x989/0x1750
[ 59.996197]  worker_thread+0x98/0xe40
[ 59.999998]  kthread+0x354/0x420
[ 60.003716]  ret_from_fork+0x24/0x30
[ 60.007857]
[ 60.009495] The buggy address belongs to the object at ffff8880887eb700
[ 60.009495]  which belongs to the cache skbuff_head_cache of size 232
[ 60.023623] The buggy address is located 228 bytes inside of
[ 60.023623]  232-byte region [ffff8880887eb700, ffff8880887eb7e8)
[ 60.035636] The buggy address belongs to the page:
[ 60.040630] page:ffffea000221fac0 count:1 mapcount:0 mapping:ffff8880aa34dac0 index:0x0
[ 60.048816] flags: 0x1fffc0000000100(slab)
[ 60.053641] raw: 01fffc0000000100 ffffea00020d77c8 ffffea000255b348 ffff8880aa34dac0
[ 60.061528] raw: 0000000000000000 ffff8880887eb0c0 000000010000000c 0000000000000000
[ 60.069399] page dumped because: kasan: bad access detected
[ 60.075102]
[ 60.076719] Memory state around the buggy address:
[ 60.081906]  ffff8880887eb680: fb fb fb fb fb fc fc fc fc fc fc fc fc fc fc fc
[ 60.089257]  ffff8880887eb700: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 60.098270] >ffff8880887eb780: fb fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc
[ 60.106712]                                                        ^
[ 60.113199]  ffff8880887eb800: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
[ 60.121859]  ffff8880887eb880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 60.129227] ==================================================================
[ 60.136576] Disabling lock debugging due to kernel taint
[ 60.143619] Kernel panic - not syncing: panic_on_warn set ...
[ 60.143619]
[ 60.151097] CPU: 1 PID: 7644 Comm: syz-executor544 Tainted: G B 4.19.79 #0
[ 60.159413] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 60.168756] Call Trace:
[ 60.171351]  dump_stack+0x172/0x1f0
[ 60.174972]  ? kfree_skb+0x38/0x390
[ 60.178617]  panic+0x263/0x507
[ 60.181881]  ? __warn_printk+0xf3/0xf3
[ 60.185771]  ? kfree_skb+0x38/0x390
[ 60.189405]  ? preempt_schedule+0x4b/0x60
[ 60.193547]  ? ___preempt_schedule+0x16/0x18
[ 60.197942]  ? trace_hardirqs_on+0x5e/0x220
[ 60.202302]  ? kfree_skb+0x38/0x390
[ 60.205919]  kasan_end_report+0x47/0x4f
[ 60.210000]  kasan_report.cold+0xa9/0x2ba
[ 60.214235]  check_memory_region+0x123/0x190
[ 60.218630]  kasan_check_read+0x11/0x20
[ 60.222590]  kfree_skb+0x38/0x390
[ 60.226044]  bcsp_close+0xc7/0x130
[ 60.229569]  hci_uart_tty_close+0x1ea/0x250
[ 60.233888]  ? hci_uart_close+0x50/0x50
[ 60.238384]  tty_ldisc_close.isra.0+0xaf/0xe0
[ 60.242870]  tty_ldisc_kill+0x4b/0xc0
[ 60.246655]  tty_ldisc_release+0xc6/0x280
[ 60.250971]  tty_release_struct+0x1b/0x50
[ 60.255117]  tty_release+0xbcb/0xe90
[ 60.258817]  ? put_tty_driver+0x20/0x20
[ 60.262812]  __fput+0x2dd/0x8b0
[ 60.266883]  ____fput+0x16/0x20
[ 60.270429]  task_work_run+0x145/0x1c0
[ 60.274337]  do_exit+0x994/0x2fa0
[ 60.277882]  ? get_signal+0x384/0x1fc0
[ 60.281773]  ? mm_update_next_owner+0x660/0x660
[ 60.286446]  ? _raw_spin_unlock_irq+0x28/0x90
[ 60.290923]  ? get_signal+0x384/0x1fc0
[ 60.294795]  ? _raw_spin_unlock_irq+0x28/0x90
[ 60.299450]  do_group_exit+0x135/0x370
[ 60.303334]  get_signal+0x3ec/0x1fc0
[ 60.307051]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 60.312674]  do_signal+0x95/0x1960
[ 60.316658]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 60.322292]  ? setup_sigcontext+0x7d0/0x7d0
[ 60.326619]  ? do_compat_pwritev64+0x1c0/0x1c0
[ 60.331202]  ? lock_downgrade+0x880/0x880
[ 60.335339]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 60.340886]  ? check_preemption_disabled+0x48/0x290
[ 60.346688]  ? exit_to_usermode_loop+0x43/0x2c0
[ 60.351354]  ? do_syscall_64+0x53d/0x620
[ 60.355402]  ? exit_to_usermode_loop+0x43/0x2c0
[ 60.360059]  ? lockdep_hardirqs_on+0x415/0x5d0
[ 60.364641]  ? trace_hardirqs_on+0x67/0x220
[ 60.369000]  exit_to_usermode_loop+0x244/0x2c0
[ 60.373585]  do_syscall_64+0x53d/0x620
[ 60.377459]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 60.382690] RIP: 0033:0x441309
[ 60.386024] Code: Bad RIP value.
[ 60.389496] RSP: 002b:00007ffe7b75c378 EFLAGS: 00000246 ORIG_RAX: 0000000000000028
[ 60.397202] RAX: 00000000003654c0 RBX: 0000000000000000 RCX: 0000000000441309
[ 60.404461] RDX: 0000000000000000 RSI: 0000000000000005 RDI: 0000000000000004
[ 60.411809] RBP: 00000000006cb018 R08: 00000000004002c8 R09: 00000000004002c8
[ 60.419061] R10: 00008000fffffffe R11: 0000000000000246 R12: 0000000000402130
[ 60.426316] R13: 00000000004021c0 R14: 0000000000000000 R15: 0000000000000000
[ 60.435102] Kernel Offset: disabled
[ 60.438729] Rebooting in 86400 seconds..