[ 65.746078][ T26] audit: type=1800 audit(1568532192.921:27): pid=9628 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="restorecond" dev="sda1" ino=2436 res=0
[ 65.768113][ T26] audit: type=1800 audit(1568532192.921:28): pid=9628 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="ssh" dev="sda1" ino=2417 res=0
[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.
[ 66.708874][ T26] audit: type=1800 audit(1568532193.971:29): pid=9628 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="rc.local" dev="sda1" ino=2432 res=0
[ 66.729058][ T26] audit: type=1800 audit(1568532193.971:30): pid=9628 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="rmnologin" dev="sda1" ino=2423 res=0

Debian GNU/Linux 7 syzkaller ttyS0

Warning: Permanently added '10.128.10.29' (ECDSA) to the list of known hosts.
2019/09/15 07:30:01 parsed 1 programs
2019/09/15 07:30:03 executed programs: 0
syzkaller login: [ 476.477427][ T9800] IPVS: ftp: loaded support on port[0] = 21
[ 476.525568][ T9800] chnl_net:caif_netlink_parms(): no params data found
[ 476.547686][ T9800] bridge0: port 1(bridge_slave_0) entered blocking state
[ 476.556027][ T9800] bridge0: port 1(bridge_slave_0) entered disabled state
[ 476.564205][ T9800] device bridge_slave_0 entered promiscuous mode
[ 476.571428][ T9800] bridge0: port 2(bridge_slave_1) entered blocking state
[ 476.578739][ T9800] bridge0: port 2(bridge_slave_1) entered disabled state
[ 476.587783][ T9800] device bridge_slave_1 entered promiscuous mode
[ 476.601144][ T9800] bond0: (slave bond_slave_0): Enslaving as an active interface with an up link
[ 476.611494][ T9800] bond0: (slave bond_slave_1): Enslaving as an active interface with an up link
[ 476.628620][ T9800] team0: Port device team_slave_0 added
[ 476.635440][ T9800] team0: Port device team_slave_1 added
[ 476.714796][ T9800] device hsr_slave_0 entered promiscuous mode
[ 476.783603][ T9800] device hsr_slave_1 entered promiscuous mode
[ 476.858358][ T9800] bridge0: port 2(bridge_slave_1) entered blocking state
[ 476.865890][ T9800] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 476.873281][ T9800] bridge0: port 1(bridge_slave_0) entered blocking state
[ 476.880341][ T9800] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 476.906579][ T9800] 8021q: adding VLAN 0 to HW filter on device bond0
[ 476.917740][ T9802] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 476.926882][ T9802] bridge0: port 1(bridge_slave_0) entered disabled state
[ 476.936194][ T9802] bridge0: port 2(bridge_slave_1) entered disabled state
[ 476.944153][ T9802] IPv6: ADDRCONF(NETDEV_CHANGE): bond0: link becomes ready
[ 476.954405][ T9800] 8021q: adding VLAN 0 to HW filter on device team0
[ 476.974142][ T23] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[ 476.982608][ T23] bridge0: port 1(bridge_slave_0) entered blocking state
[ 476.989848][ T23] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 477.008535][ T9800] hsr0: Slave A (hsr_slave_0) is not up; please bring it up to get a fully working HSR network
[ 477.019402][ T9800] hsr0: Slave B (hsr_slave_1) is not up; please bring it up to get a fully working HSR network
[ 477.031452][ T9802] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[ 477.040184][ T9802] bridge0: port 2(bridge_slave_1) entered blocking state
[ 477.047384][ T9802] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 477.055282][ T9802] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready
[ 477.064411][ T9802] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready
[ 477.072888][ T9802] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
[ 477.081406][ T9802] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
[ 477.089706][ T9802] IPv6: ADDRCONF(NETDEV_CHANGE): hsr0: link becomes ready
[ 477.097471][ T9802] IPv6: ADDRCONF(NETDEV_CHANGE): team0: link becomes ready
[ 477.110786][ T9800] 8021q: adding VLAN 0 to HW filter on device batadv0
[ 477.493543][ T9804] Bluetooth: Error in BCSP hdr checksum
[ 477.753374][ T9805] Bluetooth: Error in BCSP hdr checksum
[ 479.243284][ T9803] Bluetooth: hci0: command 0x1003 tx timeout
[ 479.249715][ T9817] Bluetooth: hci0: sending frame failed (-49)
[ 481.323272][ T9803] Bluetooth: hci0: command 0x1001 tx timeout
[ 481.330253][ T9817] Bluetooth: hci0: sending frame failed (-49)
[ 483.403305][ T9802] Bluetooth: hci0: command 0x1009 tx timeout
[ 487.404688][ T9813] ==================================================================
[ 487.412965][ T9813] BUG: KASAN: use-after-free in kfree_skb+0x38/0x3c0
[ 487.419629][ T9813] Read of size 4 at addr ffff8880a79a1714 by task syz-executor.0/9813
[ 487.428099][ T9813]
[ 487.430438][ T9813] CPU: 0 PID: 9813 Comm: syz-executor.0 Not tainted 5.3.0-rc8+ #0
[ 487.438227][ T9813] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 487.448306][ T9813] Call Trace:
[ 487.451646][ T9813]  dump_stack+0x172/0x1f0
[ 487.456026][ T9813]  ? kfree_skb+0x38/0x3c0
[ 487.460374][ T9813]  print_address_description.cold+0xd4/0x306
[ 487.466355][ T9813]  ? kfree_skb+0x38/0x3c0
[ 487.470701][ T9813]  ? kfree_skb+0x38/0x3c0
[ 487.475018][ T9813]  __kasan_report.cold+0x1b/0x36
[ 487.480160][ T9813]  ? kfree_skb+0x38/0x3c0
[ 487.484625][ T9813]  kasan_report+0x12/0x17
[ 487.488963][ T9813]  check_memory_region+0x134/0x1a0
[ 487.494076][ T9813]  __kasan_check_read+0x11/0x20
[ 487.498952][ T9813]  kfree_skb+0x38/0x3c0
[ 487.503360][ T9813]  bcsp_close+0xc7/0x130
[ 487.507638][ T9813]  hci_uart_tty_close+0x21e/0x280
[ 487.512680][ T9813]  ? hci_uart_close+0x50/0x50
[ 487.517373][ T9813]  tty_ldisc_close.isra.0+0x119/0x190
[ 487.522729][ T9813]  tty_ldisc_kill+0x9c/0x160
[ 487.527312][ T9813]  tty_ldisc_release+0xe9/0x2b0
[ 487.532148][ T9813]  tty_release_struct+0x1b/0x50
[ 487.537006][ T9813]  tty_release+0xbcb/0xe90
[ 487.541425][ T9813]  __fput+0x2ff/0x890
[ 487.545441][ T9813]  ? put_tty_driver+0x20/0x20
[ 487.550105][ T9813]  ____fput+0x16/0x20
[ 487.554074][ T9813]  task_work_run+0x145/0x1c0
[ 487.558702][ T9813]  exit_to_usermode_loop+0x316/0x380
[ 487.564016][ T9813]  do_fast_syscall_32+0xb87/0xdb3
[ 487.569057][ T9813]  entry_SYSENTER_compat+0x70/0x7f
[ 487.574189][ T9813] RIP: 0023:0xf7fcea29
[ 487.578243][ T9813] Code: b8 80 96 98 00 eb cc 8b 04 24 c3 8b 1c 24 c3 8b 34 24 c3 8b 3c 24 c3 90 90 90 90 90 90 90 90 90 90 51 52 55 89 e5 0f 34 cd 80 <5d> 5a 59 c3 90 90 90 90 eb 0d 90 90 90 90 90 90 90 90 90 90 90 90
[ 487.597983][ T9813] RSP: 002b:00000000fff2f05c EFLAGS: 00000292 ORIG_RAX: 0000000000000006
[ 487.606407][ T9813] RAX: 0000000000000000 RBX: 0000000000000004 RCX: 0000000000000000
[ 487.614410][ T9813] RDX: 0000000000000005 RSI: 000000000816b680 RDI: 000000000816b680
[ 487.622363][ T9813] RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
[ 487.630321][ T9813] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
[ 487.638276][ T9813] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[ 487.646325][ T9813]
[ 487.648670][ T9813] Allocated by task 9805:
[ 487.652983][ T9813]  save_stack+0x23/0x90
[ 487.657127][ T9813]  __kasan_kmalloc.constprop.0+0xcf/0xe0
[ 487.662739][ T9813]  kasan_slab_alloc+0xf/0x20
[ 487.667343][ T9813]  kmem_cache_alloc_node+0x138/0x740
[ 487.672615][ T9813]  __alloc_skb+0xd5/0x5e0
[ 487.676935][ T9813]  bcsp_recv+0x8c1/0x13a0
[ 487.681295][ T9813]  hci_uart_tty_receive+0x279/0x790
[ 487.686487][ T9813]  tty_ldisc_receive_buf+0x15f/0x1c0
[ 487.691788][ T9813]  tty_port_default_receive_buf+0x7d/0xb0
[ 487.697497][ T9813]  flush_to_ldisc+0x222/0x390
[ 487.702169][ T9813]  process_one_work+0x9af/0x1740
[ 487.707119][ T9813]  worker_thread+0x98/0xe40
[ 487.711603][ T9813]  kthread+0x361/0x430
[ 487.715656][ T9813]  ret_from_fork+0x24/0x30
[ 487.720096][ T9813]
[ 487.722405][ T9813] Freed by task 9805:
[ 487.726373][ T9813]  save_stack+0x23/0x90
[ 487.730512][ T9813]  __kasan_slab_free+0x102/0x150
[ 487.735433][ T9813]  kasan_slab_free+0xe/0x10
[ 487.739916][ T9813]  kmem_cache_free+0x86/0x320
[ 487.744578][ T9813]  kfree_skbmem+0xc5/0x150
[ 487.749013][ T9813]  kfree_skb+0x109/0x3c0
[ 487.753252][ T9813]  bcsp_recv+0x2d8/0x13a0
[ 487.757571][ T9813]  hci_uart_tty_receive+0x279/0x790
[ 487.762755][ T9813]  tty_ldisc_receive_buf+0x15f/0x1c0
[ 487.768053][ T9813]  tty_port_default_receive_buf+0x7d/0xb0
[ 487.773848][ T9813]  flush_to_ldisc+0x222/0x390
[ 487.778509][ T9813]  process_one_work+0x9af/0x1740
[ 487.783437][ T9813]  worker_thread+0x98/0xe40
[ 487.787962][ T9813]  kthread+0x361/0x430
[ 487.792012][ T9813]  ret_from_fork+0x24/0x30
[ 487.796408][ T9813]
[ 487.798854][ T9813] The buggy address belongs to the object at ffff8880a79a1640
[ 487.798854][ T9813]  which belongs to the cache skbuff_head_cache of size 224
[ 487.813605][ T9813] The buggy address is located 212 bytes inside of
[ 487.813605][ T9813]  224-byte region [ffff8880a79a1640, ffff8880a79a1720)
[ 487.827131][ T9813] The buggy address belongs to the page:
[ 487.832845][ T9813] page:ffffea00029e6840 refcount:1 mapcount:0 mapping:ffff8880a99a1c40 index:0x0
[ 487.842249][ T9813] flags: 0x1fffc0000000200(slab)
[ 487.847269][ T9813] raw: 01fffc0000000200 ffffea0002993d48 ffffea0002604948 ffff8880a99a1c40
[ 487.856252][ T9813] raw: 0000000000000000 ffff8880a79a1000 000000010000000c 0000000000000000
[ 487.864823][ T9813] page dumped because: kasan: bad access detected
[ 487.871223][ T9813]
[ 487.873535][ T9813] Memory state around the buggy address:
[ 487.879156][ T9813]  ffff8880a79a1600: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
[ 487.887206][ T9813]  ffff8880a79a1680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 487.895403][ T9813] >ffff8880a79a1700: fb fb fb fb fc fc fc fc fc fc fc fc fc fc fc fc
[ 487.903578][ T9813]                          ^
[ 487.908165][ T9813]  ffff8880a79a1780: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 487.916434][ T9813]  ffff8880a79a1800: fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
[ 487.924732][ T9813] ==================================================================
[ 487.933527][ T9813] Kernel panic - not syncing: panic_on_warn set ...
[ 487.940506][ T9813] CPU: 1 PID: 9813 Comm: syz-executor.0 Tainted: G B 5.3.0-rc8+ #0
[ 487.949693][ T9813] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 487.959740][ T9813] Call Trace:
[ 487.963056][ T9813]  dump_stack+0x172/0x1f0
[ 487.967381][ T9813]  panic+0x2dc/0x755
[ 487.971271][ T9813]  ? add_taint.cold+0x16/0x16
[ 487.975942][ T9813]  ? kfree_skb+0x38/0x3c0
[ 487.980268][ T9813]  ? preempt_schedule+0x4b/0x60
[ 487.985236][ T9813]  ? ___preempt_schedule+0x16/0x20
[ 487.990454][ T9813]  ? trace_hardirqs_on+0x5e/0x240
[ 487.995587][ T9813]  ? kfree_skb+0x38/0x3c0
[ 487.999916][ T9813]  end_report+0x47/0x4f
[ 488.004089][ T9813]  ? kfree_skb+0x38/0x3c0
[ 488.008409][ T9813]  __kasan_report.cold+0xe/0x36
[ 488.013317][ T9813]  ? kfree_skb+0x38/0x3c0
[ 488.017636][ T9813]  kasan_report+0x12/0x17
[ 488.021950][ T9813]  check_memory_region+0x134/0x1a0
[ 488.027149][ T9813]  __kasan_check_read+0x11/0x20
[ 488.032113][ T9813]  kfree_skb+0x38/0x3c0
[ 488.037151][ T9813]  bcsp_close+0xc7/0x130
[ 488.041640][ T9813]  hci_uart_tty_close+0x21e/0x280
[ 488.046727][ T9813]  ? hci_uart_close+0x50/0x50
[ 488.051407][ T9813]  tty_ldisc_close.isra.0+0x119/0x190
[ 488.056898][ T9813]  tty_ldisc_kill+0x9c/0x160
[ 488.061595][ T9813]  tty_ldisc_release+0xe9/0x2b0
[ 488.066439][ T9813]  tty_release_struct+0x1b/0x50
[ 488.071277][ T9813]  tty_release+0xbcb/0xe90
[ 488.075688][ T9813]  __fput+0x2ff/0x890
[ 488.079688][ T9813]  ? put_tty_driver+0x20/0x20
[ 488.084373][ T9813]  ____fput+0x16/0x20
[ 488.088355][ T9813]  task_work_run+0x145/0x1c0
[ 488.092932][ T9813]  exit_to_usermode_loop+0x316/0x380
[ 488.098208][ T9813]  do_fast_syscall_32+0xb87/0xdb3
[ 488.103227][ T9813]  entry_SYSENTER_compat+0x70/0x7f
[ 488.108326][ T9813] RIP: 0023:0xf7fcea29
[ 488.112381][ T9813] Code: b8 80 96 98 00 eb cc 8b 04 24 c3 8b 1c 24 c3 8b 34 24 c3 8b 3c 24 c3 90 90 90 90 90 90 90 90 90 90 51 52 55 89 e5 0f 34 cd 80 <5d> 5a 59 c3 90 90 90 90 eb 0d 90 90 90 90 90 90 90 90 90 90 90 90
[ 488.132332][ T9813] RSP: 002b:00000000fff2f05c EFLAGS: 00000292 ORIG_RAX: 0000000000000006
[ 488.141512][ T9813] RAX: 0000000000000000 RBX: 0000000000000004 RCX: 0000000000000000
[ 488.149562][ T9813] RDX: 0000000000000005 RSI: 000000000816b680 RDI: 000000000816b680
[ 488.157519][ T9813] RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
[ 488.165489][ T9813] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
[ 488.173479][ T9813] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[ 488.183176][ T9813] Kernel Offset: disabled
[ 488.187512][ T9813] Rebooting in 86400 seconds..