[ ok ] Starting enhanced syslogd: rsyslogd.
[ 60.873946][ T27] audit: type=1800 audit(1572411193.097:25): pid=8701 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="cron" dev="sda1" ino=2414 res=0
[ 60.904566][ T27] audit: type=1800 audit(1572411193.097:26): pid=8701 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="mcstrans" dev="sda1" ino=2457 res=0
[ 60.945285][ T27] audit: type=1800 audit(1572411193.097:27): pid=8701 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="restorecond" dev="sda1" ino=2436 res=0
[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.

Debian GNU/Linux 7 syzkaller ttyS0

Warning: Permanently added '10.128.0.104' (ECDSA) to the list of known hosts.
executing program
executing program
executing program
executing program
executing program
executing program
syzkaller login:
[ 496.755387][ T80] Bluetooth: Error in BCSP hdr checksum
[ 496.774784][ T80] Bluetooth: Error in BCSP hdr checksum
[ 497.014770][ T80] Bluetooth: Error in BCSP hdr checksum
[ 497.034681][ T8903] Bluetooth: Error in BCSP hdr checksum
[ 497.274742][ T196] Bluetooth: Error in BCSP hdr checksum
[ 497.294944][ T80] Bluetooth: Error in BCSP hdr checksum
[ 497.534702][ T80] Bluetooth: Error in BCSP hdr checksum
[ 497.554726][ T80] Bluetooth: Error in BCSP hdr checksum
[ 497.794691][ T80] Bluetooth: Error in BCSP hdr checksum
[ 497.814680][ T80] Bluetooth: Error in BCSP hdr checksum
[ 498.054793][ T80] Bluetooth: Error in BCSP hdr checksum
[ 498.074667][ T80] Bluetooth: Error in BCSP hdr checksum
[ 498.314661][ T80] Bluetooth: Error in BCSP hdr checksum
[ 498.334752][ T8904] Bluetooth: Error in BCSP hdr checksum
[ 498.525137][ T8876] Bluetooth: hci5: command 0x1003 tx timeout
[ 498.531718][ T8876] Bluetooth: hci0: command 0x1003 tx timeout
[ 498.531805][ T8901] Bluetooth: hci5: sending frame failed (-49)
[ 498.538269][ T8876] Bluetooth: hci4: command 0x1003 tx timeout
[ 498.547419][ T8904] Bluetooth: Error in BCSP hdr checksum
[ 498.550203][ T8905] Bluetooth: hci4: sending frame failed (-49)
[ 498.561969][ T8876] Bluetooth: hci3: command 0x1003 tx timeout
[ 498.568095][ T8905] Bluetooth: hci3: sending frame failed (-49)
[ 498.574265][ T8876] Bluetooth: hci1: command 0x1003 tx timeout
[ 498.580422][ T8905] Bluetooth: hci1: sending frame failed (-49)
[ 498.586685][ T8876] Bluetooth: hci2: command 0x1003 tx timeout
[ 498.593207][ T8904] Bluetooth: Error in BCSP hdr checksum
[ 498.604762][ T8876] Bluetooth: hci7: command 0x1003 tx timeout
[ 498.610864][ T8905] Bluetooth: hci7: sending frame failed (-49)
[ 498.684635][ T8876] Bluetooth: hci6: command 0x1003 tx timeout
[ 498.690817][ T8905] Bluetooth: hci6: sending frame failed (-49)
[ 498.794747][ T80] Bluetooth: Error in BCSP hdr checksum
[ 498.844767][ T196] Bluetooth: Error in BCSP hdr checksum
[ 498.850934][ T196] Bluetooth: Error in BCSP hdr checksum
[ 499.054652][ T80] Bluetooth: Error in BCSP hdr checksum
[ 499.104629][ T196] Bluetooth: Error in BCSP hdr checksum
[ 499.314703][ T196] Bluetooth: Error in BCSP hdr checksum
[ 499.364734][ T80] Bluetooth: Error in BCSP hdr checksum
[ 499.574797][ T80] Bluetooth: Error in BCSP hdr checksum
[ 499.627984][ T80] Bluetooth: Error in BCSP hdr checksum
[ 499.834854][ T80] Bluetooth: Error in BCSP hdr checksum
[ 499.884778][ T196] Bluetooth: Error in BCSP hdr checksum
[ 500.094836][ T80] Bluetooth: Error in BCSP hdr checksum
[ 500.144743][ T80] Bluetooth: Error in BCSP hdr checksum
[ 500.354730][ T196] Bluetooth: Error in BCSP hdr checksum
[ 500.404704][ T196] Bluetooth: Error in BCSP hdr checksum
[ 500.604515][ T3358] Bluetooth: hci2: command 0x1001 tx timeout
[ 500.604521][ T8876] Bluetooth: hci1: command 0x1001 tx timeout
[ 500.604554][ T8876] Bluetooth: hci3: command 0x1001 tx timeout
[ 500.610645][ T8905] Bluetooth: hci1: sending frame failed (-49)
[ 500.616803][ T8897] Bluetooth: hci3: sending frame failed (-49)
[ 500.622940][ T3358] Bluetooth: hci0: command 0x1001 tx timeout
[ 500.629118][ T8876] Bluetooth: hci4: command 0x1001 tx timeout
[ 500.635107][ T3358] Bluetooth: hci5: command 0x1001 tx timeout
[ 500.641297][ T8897] Bluetooth: hci4: sending frame failed (-49)
[ 500.647488][ T8905] Bluetooth: hci5: sending frame failed (-49)
[ 500.665836][ T80] Bluetooth: Error in BCSP hdr checksum
[ 500.671879][ T8904] Bluetooth: Error in BCSP hdr checksum
[ 500.672034][ T8903] Bluetooth: Error in BCSP hdr checksum
[ 500.677529][ T8904] Bluetooth: Error in BCSP hdr checksum
[ 500.688997][ T8903] Bluetooth: Error in BCSP hdr checksum
[ 500.694765][ T3358] Bluetooth: hci7: command 0x1001 tx timeout
[ 500.700996][ T8905] Bluetooth: hci7: sending frame failed (-49)
[ 500.764486][ T3358] Bluetooth: hci6: command 0x1001 tx timeout
[ 500.770681][ T8905] Bluetooth: hci6: sending frame failed (-49)
[ 500.924727][ T8904] Bluetooth: Error in BCSP hdr checksum
[ 500.930511][ T80] Bluetooth: Error in BCSP hdr checksum
[ 500.936555][ T80] Bluetooth: Error in BCSP hdr checksum
[ 500.942428][ T80] Bluetooth: Error in BCSP hdr checksum
[ 501.184743][ T8903] Bluetooth: Error in BCSP hdr checksum
[ 501.190468][ T8903] Bluetooth: Error in BCSP hdr checksum
[ 501.196569][ T80] Bluetooth: Error in BCSP hdr checksum
[ 501.202406][ T80] Bluetooth: Error in BCSP hdr checksum
[ 501.444732][ T80] Bluetooth: Error in BCSP hdr checksum
[ 501.450549][ T80] Bluetooth: Error in BCSP hdr checksum
[ 501.454986][ T196] Bluetooth: Error in BCSP hdr checksum
[ 501.461782][ T196] Bluetooth: Error in BCSP hdr checksum
[ 501.704829][ T196] Bluetooth: Error in BCSP hdr checksum
[ 501.710433][ T196] Bluetooth: Error in BCSP hdr checksum
[ 501.714815][ T80] Bluetooth: Error in BCSP hdr checksum
[ 501.721531][ T80] Bluetooth: Error in BCSP hdr checksum
[ 501.964855][ T196] Bluetooth: Error in BCSP hdr checksum
[ 501.970464][ T196] Bluetooth: Error in BCSP hdr checksum
[ 501.976371][ T196] Bluetooth: Error in BCSP hdr checksum
[ 501.981963][ T196] Bluetooth: Error in BCSP hdr checksum
[ 502.224835][ T80] Bluetooth: Error in BCSP hdr checksum
[ 502.230476][ T80] Bluetooth: Error in BCSP hdr checksum
[ 502.236500][ T196] Bluetooth: Error in BCSP hdr checksum
[ 502.242199][ T196] Bluetooth: Error in BCSP hdr checksum
[ 502.484927][ T80] Bluetooth: Error in BCSP hdr checksum
[ 502.490735][ T80] Bluetooth: Error in BCSP hdr checksum
[ 502.496715][ T196] Bluetooth: Error in BCSP hdr checksum
[ 502.502449][ T196] Bluetooth: Error in BCSP hdr checksum
[ 502.684615][ T3358] Bluetooth: hci5: command 0x1009 tx timeout
[ 502.684652][ T8876] Bluetooth: hci4: command 0x1009 tx timeout
[ 502.690738][ T3358] Bluetooth: hci2: command 0x1009 tx timeout
[ 502.696828][ T8876] Bluetooth: hci0: command 0x1009 tx timeout
[ 502.702924][ T3358] Bluetooth: hci1: command 0x1009 tx timeout
[ 502.708799][ T8876] Bluetooth: hci3: command 0x1009 tx timeout
[ 502.744789][ T80] Bluetooth: Error in BCSP hdr checksum
[ 502.750455][ T80] Bluetooth: Error in BCSP hdr checksum
[ 502.756440][ T8903] Bluetooth: Error in BCSP hdr checksum
[ 502.762020][ T8903] Bluetooth: Error in BCSP hdr checksum
[ 502.767663][ T8876] Bluetooth: hci7: command 0x1009 tx timeout
[ 502.844587][ T8876] Bluetooth: hci6: command 0x1009 tx timeout
[ 503.004763][ T196] Bluetooth: Error in BCSP hdr checksum
[ 503.010432][ T196] Bluetooth: Error in BCSP hdr checksum
[ 503.016522][ T196] Bluetooth: Error in BCSP hdr checksum
[ 503.022092][ T196] Bluetooth: Error in BCSP hdr checksum
[ 503.264768][ T80] Bluetooth: Error in BCSP hdr checksum
[ 503.270536][ T80] Bluetooth: Error in BCSP hdr checksum
[ 503.276540][ T80] Bluetooth: Error in BCSP hdr checksum
[ 503.282108][ T80] Bluetooth: Error in BCSP hdr checksum
[ 503.524851][ T196] Bluetooth: Error in BCSP hdr checksum
[ 503.530631][ T196] Bluetooth: Error in BCSP hdr checksum
[ 503.536627][ T8903] Bluetooth: Error in BCSP hdr checksum
[ 503.542292][ T8903] Bluetooth: Error in BCSP hdr checksum
[ 503.784838][ T196] Bluetooth: Error in BCSP hdr checksum
[ 503.790442][ T196] Bluetooth: Error in BCSP hdr checksum
[ 503.796351][ T80] Bluetooth: Error in BCSP hdr checksum
[ 503.802019][ T80] Bluetooth: Error in BCSP hdr checksum
[ 504.044780][ T196] Bluetooth: Error in BCSP hdr checksum
[ 504.050457][ T196] Bluetooth: Error in BCSP hdr checksum
[ 504.056380][ T196] Bluetooth: Error in BCSP hdr checksum
[ 504.061951][ T196] Bluetooth: Error in BCSP hdr checksum
[ 504.304828][ T80] Bluetooth: Error in BCSP hdr checksum
[ 504.310581][ T80] Bluetooth: Error in BCSP hdr checksum
[ 504.316510][ T196] Bluetooth: Error in BCSP hdr checksum
[ 504.322140][ T196] Bluetooth: Error in BCSP hdr checksum
[ 504.564826][ T8903] Bluetooth: Error in BCSP hdr checksum
[ 504.570441][ T8903] Bluetooth: Error in BCSP hdr checksum
[ 504.576342][ T8903] Bluetooth: Error in BCSP hdr checksum
[ 504.581921][ T8903] Bluetooth: Error in BCSP hdr checksum
[ 504.824825][ T80] Bluetooth: Error in BCSP hdr checksum
[ 504.830521][ T80] Bluetooth: Error in BCSP hdr checksum
[ 504.836448][ T196] Bluetooth: Error in BCSP hdr checksum
[ 504.842021][ T196] Bluetooth: Error in BCSP hdr checksum
[ 505.084815][ T196] Bluetooth: Error in BCSP hdr checksum
[ 505.090427][ T196] Bluetooth: Error in BCSP hdr checksum
[ 505.094821][ T80] Bluetooth: Error in BCSP hdr checksum
[ 505.101731][ T80] Bluetooth: Error in BCSP hdr checksum
[ 505.344796][ T196] Bluetooth: Error in BCSP hdr checksum
[ 505.350425][ T196] Bluetooth: Error in BCSP hdr checksum
[ 505.356453][ T80] Bluetooth: Error in BCSP hdr checksum
[ 505.362029][ T80] Bluetooth: Error in BCSP hdr checksum
[ 505.604804][ T196] Bluetooth: Error in BCSP hdr checksum
[ 505.610427][ T196] Bluetooth: Error in BCSP hdr checksum
[ 505.616410][ T80] Bluetooth: Error in BCSP hdr checksum
[ 505.622189][ T80] Bluetooth: Error in BCSP hdr checksum
[ 505.864842][ T196] Bluetooth: Error in BCSP hdr checksum
[ 505.870450][ T196] Bluetooth: Error in BCSP hdr checksum
[ 505.876356][ T8903] Bluetooth: Error in BCSP hdr checksum
[ 505.881927][ T8903] Bluetooth: Error in BCSP hdr checksum
[ 506.124852][ T196] Bluetooth: Error in BCSP hdr checksum
[ 506.130463][ T196] Bluetooth: Error in BCSP hdr checksum
[ 506.136389][ T196] Bluetooth: Error in BCSP hdr checksum
[ 506.141976][ T196] Bluetooth: Error in BCSP hdr checksum
[ 506.384830][ T80] Bluetooth: Error in BCSP hdr checksum
[ 506.390448][ T80] Bluetooth: Error in BCSP hdr checksum
[ 506.396462][ T80] Bluetooth: Error in BCSP hdr checksum
[ 506.402038][ T80] Bluetooth: Error in BCSP hdr checksum
executing program
executing program
executing program
executing program
[ 506.657474][ T8862] ==================================================================
[ 506.666286][ T8862] BUG: KASAN: use-after-free in kfree_skb+0x38/0x3c0
[ 506.672971][ T8862] Read of size 4 at addr ffff888096a16894 by task syz-executor193/8862
[ 506.672981][ T8862]
[ 506.672998][ T8862] CPU: 0 PID: 8862 Comm: syz-executor193 Not tainted 5.4.0-rc5-next-20191029 #0
[ 506.673005][ T8862] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 506.673017][ T8862] Call Trace:
[ 506.673097][ T8862]  dump_stack+0x172/0x1f0
[ 506.702722][ T8862]  ? kfree_skb+0x38/0x3c0
[ 506.702744][ T8862]  print_address_description.constprop.0.cold+0xd4/0x30b
[ 506.702757][ T8862]  ? kfree_skb+0x38/0x3c0
[ 506.702767][ T8862]  ? kfree_skb+0x38/0x3c0
[ 506.702784][ T8862]  __kasan_report.cold+0x1b/0x41
[ 506.726003][ T8862]  ? kfree_skb+0x38/0x3c0
[ 506.726024][ T8862]  kasan_report+0x12/0x20
[ 506.726039][ T8862]  check_memory_region+0x134/0x1a0
[ 506.726054][ T8862]  __kasan_check_read+0x11/0x20
[ 506.726067][ T8862]  kfree_skb+0x38/0x3c0
[ 506.726180][ T8862]  bcsp_close+0xc7/0x130
[ 506.744058][ T8862]  hci_uart_tty_close+0x21e/0x280
[ 506.744072][ T8862]  ? hci_uart_close+0x50/0x50
[ 506.744173][ T8862]  tty_ldisc_close.isra.0+0x119/0x1a0
[ 506.744191][ T8862]  tty_ldisc_kill+0x9c/0x160
[ 506.772283][ T8862]  tty_ldisc_release+0xe9/0x2b0
[ 506.772302][ T8862]  tty_release_struct+0x1b/0x50
[ 506.772316][ T8862]  tty_release+0xbcb/0xe90
[ 506.772339][ T8862]  __fput+0x2ff/0x890
[ 506.800309][ T8862]  ? put_tty_driver+0x20/0x20
[ 506.800329][ T8862]  ____fput+0x16/0x20
[ 506.800344][ T8862]  task_work_run+0x145/0x1c0
[ 506.800367][ T8862]  do_exit+0x904/0x2e60
[ 506.817748][ T8862]  ? mm_update_next_owner+0x640/0x640
[ 506.823124][ T8862]  ? lock_downgrade+0x920/0x920
[ 506.823207][ T8862]  ? _raw_spin_unlock_irq+0x23/0x80
[ 506.823224][ T8862]  ? get_signal+0x392/0x24f0
[ 506.837823][ T8862]  ? _raw_spin_unlock_irq+0x23/0x80
[ 506.843047][ T8862]  do_group_exit+0x135/0x360
[ 506.847641][ T8862]  get_signal+0x47c/0x24f0
[ 506.847659][ T8862]  ? rwlock_bug.part.0+0x90/0x90
[ 506.847688][ T8862]  do_signal+0x87/0x1700
[ 506.847707][ T8862]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 506.847806][ T8862]  ? debug_smp_processor_id+0x33/0x18a
[ 506.847824][ T8862]  ? rcu_lockdep_current_cpu_online+0xe3/0x130
[ 506.857251][ T8862]  ? setup_sigcontext+0x7d0/0x7d0
[ 506.857278][ T8862]  ? exit_to_usermode_loop+0x43/0x380
[ 506.857297][ T8862]  ? do_syscall_64+0x65f/0x760
[ 506.857311][ T8862]  ? exit_to_usermode_loop+0x43/0x380
[ 506.857327][ T8862]  ? lockdep_hardirqs_on+0x421/0x5e0
[ 506.857339][ T8862]  ? trace_hardirqs_on+0x67/0x240
[ 506.857358][ T8862]  exit_to_usermode_loop+0x286/0x380
[ 506.868353][ T8862]  do_syscall_64+0x65f/0x760
[ 506.868375][ T8862]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 506.868387][ T8862] RIP: 0033:0x446909
[ 506.868410][ T8862] Code: Bad RIP value.
[ 506.868423][ T8862] RSP: 002b:00007efdb05acda8 EFLAGS: 00000246 ORIG_RAX: 00000000000000ca
[ 506.947704][ T8862] RAX: fffffffffffffe00 RBX: 00000000006dbc48 RCX: 0000000000446909
[ 506.955663][ T8862] RDX: 0000000000000000 RSI: 0000000000000080 RDI: 00000000006dbc48
[ 506.963630][ T8862] RBP: 00000000006dbc40 R08: 0000000000000000 R09: 0000000000000000
[ 506.971584][ T8862] R10: 0000000000000000 R11: 0000000000000246 R12: 00000000006dbc4c
[ 506.979546][ T8862] R13: 00000000200002c0 R14: 00000000004ae7c8 R15: 0000000000000000
[ 506.987637][ T8862]
[ 506.989950][ T8862] Allocated by task 80:
[ 506.994093][ T8862]  save_stack+0x23/0x90
[ 506.998231][ T8862]  __kasan_kmalloc.constprop.0+0xcf/0xe0
[ 507.003947][ T8862]  kasan_slab_alloc+0xf/0x20
[ 507.008524][ T8862]  kmem_cache_alloc_node+0x138/0x740
[ 507.013795][ T8862]  __alloc_skb+0xd5/0x5e0
[ 507.018120][ T8862]  bcsp_recv+0x8c1/0x13a0
[ 507.022429][ T8862]  hci_uart_tty_receive+0x279/0x6d0
[ 507.028074][ T8862]  tty_ldisc_receive_buf+0x15f/0x1c0
[ 507.033339][ T8862]  tty_port_default_receive_buf+0x7d/0xb0
[ 507.039112][ T8862]  flush_to_ldisc+0x222/0x390
[ 507.043776][ T8862]  process_one_work+0x9af/0x1740
[ 507.048718][ T8862]  worker_thread+0x98/0xe40
[ 507.053204][ T8862]  kthread+0x361/0x430
[ 507.057256][ T8862]  ret_from_fork+0x24/0x30
[ 507.061649][ T8862]
[ 507.064057][ T8862] Freed by task 80:
[ 507.067849][ T8862]  save_stack+0x23/0x90
[ 507.071986][ T8862]  __kasan_slab_free+0x102/0x150
[ 507.076905][ T8862]  kasan_slab_free+0xe/0x10
[ 507.081391][ T8862]  kmem_cache_free+0x86/0x320
[ 507.086051][ T8862]  kfree_skbmem+0xc5/0x150
[ 507.090450][ T8862]  kfree_skb+0x109/0x3c0
[ 507.094676][ T8862]  bcsp_recv+0x2d8/0x13a0
[ 507.099007][ T8862]  hci_uart_tty_receive+0x279/0x6d0
[ 507.104187][ T8862]  tty_ldisc_receive_buf+0x15f/0x1c0
[ 507.109452][ T8862]  tty_port_default_receive_buf+0x7d/0xb0
[ 507.115436][ T8862]  flush_to_ldisc+0x222/0x390
[ 507.120463][ T8862]  process_one_work+0x9af/0x1740
[ 507.125382][ T8862]  worker_thread+0x98/0xe40
[ 507.129878][ T8862]  kthread+0x361/0x430
[ 507.133943][ T8862]  ret_from_fork+0x24/0x30
[ 507.138443][ T8862]
[ 507.140756][ T8862] The buggy address belongs to the object at ffff888096a167c0
[ 507.140756][ T8862]  which belongs to the cache skbuff_head_cache of size 224
[ 507.155312][ T8862] The buggy address is located 212 bytes inside of
[ 507.155312][ T8862]  224-byte region [ffff888096a167c0, ffff888096a168a0)
[ 507.168778][ T8862] The buggy address belongs to the page:
[ 507.174410][ T8862] page:ffffea00025a8580 refcount:1 mapcount:0 mapping:ffff8880a9946a80 index:0x0
[ 507.183511][ T8862] flags: 0x1fffc0000000200(slab)
[ 507.188437][ T8862] raw: 01fffc0000000200 ffffea0002a67508 ffffea0002869608 ffff8880a9946a80
[ 507.197020][ T8862] raw: 0000000000000000 ffff888096a16040 000000010000000c 0000000000000000
[ 507.205688][ T8862] page dumped because: kasan: bad access detected
[ 507.212087][ T8862]
[ 507.214397][ T8862] Memory state around the buggy address:
[ 507.220105][ T8862]  ffff888096a16780: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
[ 507.228238][ T8862]  ffff888096a16800: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 507.236304][ T8862] >ffff888096a16880: fb fb fb fb fc fc fc fc fc fc fc fc fc fc fc fc
[ 507.244587][ T8862]                          ^
[ 507.249259][ T8862]  ffff888096a16900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 507.257303][ T8862]  ffff888096a16980: fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
[ 507.265375][ T8862] ==================================================================
[ 507.273436][ T8862] Disabling lock debugging due to kernel taint

Second report, from task 8869 (its lines were interleaved on the console with the panic from task 8862, which follows below; timestamps are preserved):

[ 507.279566][ T8869] ==================================================================
[ 507.287654][ T8869] BUG: KASAN: double-free or invalid-free in skb_free_head+0x93/0xb0
[ 507.295702][ T8869]
[ 507.295720][ T8869] CPU: 1 PID: 8869 Comm: syz-executor193 Tainted: G    B             5.4.0-rc5-next-20191029 #0
[ 507.295726][ T8869] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 507.295729][ T8869] Call Trace:
[ 507.295751][ T8869]  dump_stack+0x172/0x1f0
[ 507.295767][ T8869]  print_address_description.constprop.0.cold+0xd4/0x30b
[ 507.295784][ T8869]  ? skb_free_head+0x93/0xb0
[ 507.308579][ T8869]  kasan_report_invalid_free+0x65/0xa0
[ 507.308592][ T8869]  ? skb_free_head+0x93/0xb0
[ 507.308603][ T8869]  __kasan_slab_free+0x13a/0x150
[ 507.308612][ T8869]  ? skb_free_head+0x93/0xb0
[ 507.308622][ T8869]  kasan_slab_free+0xe/0x10
[ 507.308631][ T8869]  kfree+0x10a/0x2c0
[ 507.308646][ T8869]  skb_free_head+0x93/0xb0
[ 507.326553][ T8869]  skb_release_data+0x42d/0x7c0
[ 507.326573][ T8869]  ? bcsp_close+0xc7/0x130
[ 507.337974][ T8869]  skb_release_all+0x4d/0x60
[ 507.337986][ T8869]  kfree_skb+0x101/0x3c0
[ 507.337999][ T8869]  bcsp_close+0xc7/0x130
[ 507.338011][ T8869]  hci_uart_tty_close+0x21e/0x280
[ 507.338020][ T8869]  ? hci_uart_close+0x50/0x50
[ 507.338041][ T8869]  tty_ldisc_close.isra.0+0x119/0x1a0
[ 507.366646][ T8869]  tty_ldisc_kill+0x9c/0x160
[ 507.366663][ T8869]  tty_ldisc_release+0xe9/0x2b0
[ 507.375026][ T8869]  tty_release_struct+0x1b/0x50
[ 507.375037][ T8869]  tty_release+0xbcb/0xe90
[ 507.375053][ T8869]  __fput+0x2ff/0x890
[ 507.375064][ T8869]  ? put_tty_driver+0x20/0x20
[ 507.375074][ T8869]  ____fput+0x16/0x20
[ 507.375093][ T8869]  task_work_run+0x145/0x1c0
[ 507.393127][ T8869]  do_exit+0x904/0x2e60
[ 507.393146][ T8869]  ? mm_update_next_owner+0x640/0x640
[ 507.412513][ T8869]  ? lock_downgrade+0x920/0x920
[ 507.431138][ T8869]  ? _raw_spin_unlock_irq+0x23/0x80
[ 507.448378][ T8869]  ? get_signal+0x392/0x24f0
[ 507.448393][ T8869]  ? _raw_spin_unlock_irq+0x23/0x80
[ 507.448410][ T8869]  do_group_exit+0x135/0x360
[ 507.457892][ T8869]  get_signal+0x47c/0x24f0
[ 507.486606][ T8869]  ? rwlock_bug.part.0+0x90/0x90
[ 507.491550][ T8869]  do_signal+0x87/0x1700
[ 507.495906][ T8869]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 507.502226][ T8869]  ? debug_smp_processor_id+0x33/0x18a
[ 507.507677][ T8869]  ? rcu_lockdep_current_cpu_online+0xe3/0x130
[ 507.513824][ T8869]  ? setup_sigcontext+0x7d0/0x7d0
[ 507.525391][ T8869]  ? exit_to_usermode_loop+0x43/0x380
[ 507.530748][ T8869]  ? do_syscall_64+0x65f/0x760
[ 507.535498][ T8869]  ? exit_to_usermode_loop+0x43/0x380
[ 507.540853][ T8869]  ? lockdep_hardirqs_on+0x421/0x5e0
[ 507.546120][ T8869]  ? trace_hardirqs_on+0x67/0x240
[ 507.551130][ T8869]  exit_to_usermode_loop+0x286/0x380
[ 507.556487][ T8869]  do_syscall_64+0x65f/0x760
[ 507.561065][ T8869]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 507.566938][ T8869] RIP: 0033:0x446909
[ 507.570818][ T8869] Code: 00 45 52 52 4f 52 3a 20 6f 75 74 20 6f 66 20 6d 65 6d 6f 72 79 20 64 75 72 69 6e 67 20 64 65 62 75 67 20 73 65 74 75 70 0a 00 <00> 00 00 00 00 00 00 72 73 79 73 6c 6f 67 64 20 35 2e 38 2e 31 31
[ 507.590406][ T8869] RSP: 002b:00007efdb05acda8 EFLAGS: 00000246 ORIG_RAX: 00000000000000ca
[ 507.598805][ T8869] RAX: fffffffffffffe00 RBX: 00000000006dbc48 RCX: 0000000000446909
[ 507.606789][ T8869] RDX: 0000000000000000 RSI: 0000000000000080 RDI: 00000000006dbc48
[ 507.614743][ T8869] RBP: 00000000006dbc40 R08: 0000000000000000 R09: 0000000000000000
[ 507.622698][ T8869] R10: 0000000000000000 R11: 0000000000000246 R12: 00000000006dbc4c
[ 507.630668][ T8869] R13: 00000000200002c0 R14: 00000000004ae7c8 R15: 0000000000000000
[ 507.638643][ T8869]
[ 507.640988][ T8869] Allocated by task 80:
[ 507.661431][ T8869]  save_stack+0x23/0x90
[ 507.668904][ T8869]  __kasan_kmalloc.constprop.0+0xcf/0xe0
[ 507.678798][ T8869]  kasan_kmalloc+0x9/0x10
[ 507.678813][ T8869]  __kmalloc_node_track_caller+0x4e/0x70
[ 507.688312][ T8869]  __kmalloc_reserve.isra.0+0x40/0xf0
[ 507.697283][ T8869]  __alloc_skb+0x10b/0x5e0
[ 507.707201][ T8869]  bcsp_recv+0x8c1/0x13a0
[ 507.717458][ T8869]  hci_uart_tty_receive+0x279/0x6d0
[ 507.726919][ T8869]  tty_ldisc_receive_buf+0x15f/0x1c0
[ 507.726934][ T8869]  tty_port_default_receive_buf+0x7d/0xb0
[ 507.736231][ T8869]  flush_to_ldisc+0x222/0x390
[ 507.745716][ T8869]  process_one_work+0x9af/0x1740
[ 507.756667][ T8869]  worker_thread+0x98/0xe40
[ 507.756681][ T8869]  kthread+0x361/0x430
[ 507.765542][ T8869]  ret_from_fork+0x24/0x30
[ 507.774741][ T8869]
[ 507.784048][ T8869] Freed by task 80:
[ 507.792397][ T8869]  save_stack+0x23/0x90
[ 507.801263][ T8869]  __kasan_slab_free+0x102/0x150
[ 507.808763][ T8869]  kasan_slab_free+0xe/0x10
[ 507.817366][ T8869]  kfree+0x10a/0x2c0
[ 507.817382][ T8869]  skb_free_head+0x93/0xb0
[ 507.825904][ T8869]  skb_release_data+0x42d/0x7c0
[ 507.835016][ T8869]  skb_release_all+0x4d/0x60
[ 507.835030][ T8869]  kfree_skb+0x101/0x3c0
[ 507.844773][ T8869]  bcsp_recv+0x2d8/0x13a0
[ 507.853052][ T8869]  hci_uart_tty_receive+0x279/0x6d0
[ 507.853070][ T8869]  tty_ldisc_receive_buf+0x15f/0x1c0
[ 507.862571][ T8869]  tty_port_default_receive_buf+0x7d/0xb0
[ 507.872583][ T8869]  flush_to_ldisc+0x222/0x390
[ 507.881373][ T8869]  process_one_work+0x9af/0x1740
[ 507.890588][ T8869]  worker_thread+0x98/0xe40
[ 507.901080][ T8869]  kthread+0x361/0x430
[ 507.911690][ T8869]  ret_from_fork+0x24/0x30
[ 507.920831][ T8869]
[ 507.929701][ T8869] The buggy address belongs to the object at ffff88809a0cc000
[ 507.929701][ T8869]  which belongs to the cache kmalloc-8k of size 8192
[ 507.938840][ T8869] The buggy address is located 0 bytes inside of
[ 507.938840][ T8869]  8192-byte region [ffff88809a0cc000, ffff88809a0ce000)
[ 507.946840][ T8869] The buggy address belongs to the page:
[ 507.955815][ T8869] page:ffffea0002683300 refcount:1 mapcount:0 mapping:ffff8880aa4021c0 index:0x0 compound_mapcount: 0
[ 507.962998][ T8869] flags: 0x1fffc0000010200(slab|head)
[ 507.983074][ T8869] raw: 01fffc0000010200 ffffea00026aff08 ffffea000268c608 ffff8880aa4021c0
[ 508.001151][ T8869] raw: 0000000000000000 ffff88809a0cc000 0000000100000001 0000000000000000
[ 508.011932][ T8869] page dumped because: kasan: bad access detected
[ 508.027588][ T8869]
[ 508.038286][ T8869] Memory state around the buggy address:
[ 508.051504][ T8869]  ffff88809a0cbf00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 508.064536][ T8869]  ffff88809a0cbf80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 508.076102][ T8869] >ffff88809a0cc000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 508.082644][ T8869]                    ^
[ 508.094720][ T8869]  ffff88809a0cc080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 508.108180][ T8869]  ffff88809a0cc100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 508.122336][ T8869] ==================================================================

Panic from task 8862 (panic_on_warn, raised at the end of the first report; printed concurrently with the second report above):

[ 507.509220][ T8862] Kernel panic - not syncing: panic_on_warn set ...
[ 507.638655][ T8862] CPU: 0 PID: 8862 Comm: syz-executor193 Tainted: G    B             5.4.0-rc5-next-20191029 #0
[ 507.638662][ T8862] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 507.638671][ T8862] Call Trace:
[ 507.651403][ T8862]  dump_stack+0x172/0x1f0
[ 507.664689][ T8862]  panic+0x2e3/0x75c
[ 507.674677][ T8862]  ? add_taint.cold+0x16/0x16
[ 507.682698][ T8862]  ? kfree_skb+0x38/0x3c0
[ 507.692980][ T8862]  ? preempt_schedule+0x4b/0x60
[ 507.702900][ T8862]  ? ___preempt_schedule+0x16/0x18
[ 507.712551][ T8862]  ? trace_hardirqs_on+0x5e/0x240
[ 507.721846][ T8862]  ? kfree_skb+0x38/0x3c0
[ 507.731241][ T8862]  end_report+0x47/0x4f
[ 507.741413][ T8862]  ? kfree_skb+0x38/0x3c0
[ 507.750984][ T8862]  __kasan_report.cold+0xe/0x41
[ 507.760809][ T8862]  ? kfree_skb+0x38/0x3c0
[ 507.769840][ T8862]  kasan_report+0x12/0x20
[ 507.779576][ T8862]  check_memory_region+0x134/0x1a0
[ 507.788100][ T8862]  __kasan_check_read+0x11/0x20
[ 507.796793][ T8862]  kfree_skb+0x38/0x3c0
[ 507.803669][ T8862]  bcsp_close+0xc7/0x130
[ 507.812544][ T8862]  hci_uart_tty_close+0x21e/0x280
[ 507.821776][ T8862]  ? hci_uart_close+0x50/0x50
[ 507.830814][ T8862]  tty_ldisc_close.isra.0+0x119/0x1a0
[ 507.839593][ T8862]  tty_ldisc_kill+0x9c/0x160
[ 507.848658][ T8862]  tty_ldisc_release+0xe9/0x2b0
[ 507.857737][ T8862]  tty_release_struct+0x1b/0x50
[ 507.867920][ T8862]  tty_release+0xbcb/0xe90
[ 507.876804][ T8862]  __fput+0x2ff/0x890
[ 507.885679][ T8862]  ? put_tty_driver+0x20/0x20
[ 507.895825][ T8862]  ____fput+0x16/0x20
[ 507.905900][ T8862]  task_work_run+0x145/0x1c0
[ 507.916076][ T8862]  do_exit+0x904/0x2e60
[ 507.924795][ T8862]  ? mm_update_next_owner+0x640/0x640
[ 507.934367][ T8862]  ? lock_downgrade+0x920/0x920
[ 507.942809][ T8862]  ? _raw_spin_unlock_irq+0x23/0x80
[ 507.951416][ T8862]  ? get_signal+0x392/0x24f0
[ 507.960695][ T8862]  ? _raw_spin_unlock_irq+0x23/0x80
[ 507.969047][ T8862]  do_group_exit+0x135/0x360
[ 507.987991][ T8862]  get_signal+0x47c/0x24f0
[ 508.006337][ T8862]  ? rwlock_bug.part.0+0x90/0x90
[ 508.016515][ T8862]  do_signal+0x87/0x1700
[ 508.032955][ T8862]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 508.042869][ T8862]  ? debug_smp_processor_id+0x33/0x18a
[ 508.055901][ T8862]  ? rcu_lockdep_current_cpu_online+0xe3/0x130
[ 508.069455][ T8862]  ? setup_sigcontext+0x7d0/0x7d0
[ 508.080335][ T8862]  ? exit_to_usermode_loop+0x43/0x380
[ 508.089122][ T8862]  ? do_syscall_64+0x65f/0x760
[ 508.100155][ T8862]  ? exit_to_usermode_loop+0x43/0x380
[ 508.114310][ T8862]  ? lockdep_hardirqs_on+0x421/0x5e0
[ 508.127336][ T8862]  ? trace_hardirqs_on+0x67/0x240
[ 508.189534][ T8862]  exit_to_usermode_loop+0x286/0x380
[ 508.194802][ T8862]  do_syscall_64+0x65f/0x760
[ 508.199379][ T8862]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 508.205350][ T8862] RIP: 0033:0x446909
[ 508.209230][ T8862] Code: e8 0c e8 ff ff 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 5b 07 fc ff c3 66 2e 0f 1f 84 00 00 00 00
[ 508.229001][ T8862] RSP: 002b:00007efdb05acda8 EFLAGS: 00000246 ORIG_RAX: 00000000000000ca
[ 508.237391][ T8862] RAX: fffffffffffffe00 RBX: 00000000006dbc48 RCX: 0000000000446909
[ 508.245342][ T8862] RDX: 0000000000000000 RSI: 0000000000000080 RDI: 00000000006dbc48
[ 508.253476][ T8862] RBP: 00000000006dbc40 R08: 0000000000000000 R09: 0000000000000000
[ 508.261428][ T8862] R10: 0000000000000000 R11: 0000000000000246 R12: 00000000006dbc4c
[ 508.269381][ T8862] R13: 00000000200002c0 R14: 00000000004ae7c8 R15: 0000000000000000
[ 509.365522][ T8862] Shutting down cpus with NMI
[ 509.372141][ T8862] Kernel Offset: disabled
[ 509.376467][ T8862] Rebooting in 86400 seconds..
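What the two reports record is one sk_buff freed twice: allocated by the kworker (task 80) in bcsp_recv() via __alloc_skb, freed by the same task in bcsp_recv() via kfree_skb, then freed again from bcsp_close() when the syz-executor task released the tty (first report: read of the freed skb head in kfree_skb; second report: kfree of the already-freed data area in skb_free_head). The console is dominated by "Error in BCSP hdr checksum", which the BCSP line discipline prints when it discards a partially received packet, so the model below assumes that error path is where rx_skb is freed without the pointer being cleared. That attribution is an inference consistent with the free stack, not something the report itself states. The code is an added userspace illustration written for this page, not kernel code and not the upstream fix; the skb pool, the counters and the `fixed` switch are constructions for the demo, and the checksum rule is the BCSP 4-byte header rule (byte 3 is the one's complement of the sum of bytes 0..2).

```c
/*
 * Added example: userspace model of the double free shown by the KASAN
 * reports. bcsp_recv_hdr() drops its buffer on a header-checksum error
 * and, in the buggy variant, leaves rx_skb dangling; bcsp_close_model()
 * then frees it a second time. Not kernel code; types and counters are
 * constructions for this demo.
 */
#include <stdio.h>
#include <string.h>

struct skb {
    unsigned char data[4];
    int freed;                 /* set on first free so a second free is visible */
};

#define POOL_SIZE 8
static struct skb pool[POOL_SIZE];
static int pool_next;
static int double_frees;       /* frees of an already-freed skb: what KASAN flagged */

static struct skb *alloc_skb_model(void)
{
    struct skb *s = &pool[pool_next++ % POOL_SIZE];
    memset(s, 0, sizeof(*s));
    return s;
}

static void kfree_skb_model(struct skb *s)
{
    if (!s)
        return;                /* kfree_skb(NULL) is a no-op, as in the kernel */
    if (s->freed) {
        double_frees++;        /* the second kfree_skb, from the close path */
        return;
    }
    s->freed = 1;
}

/* BCSP header rule: byte 3 is the one's complement of the sum of bytes 0..2. */
int bcsp_hdr_checksum_ok(const unsigned char hdr[4])
{
    return (((hdr[0] + hdr[1] + hdr[2]) & 0xff) + hdr[3]) == 0xff;
}

struct bcsp_model {
    struct skb *rx_skb;        /* packet being assembled, NULL when none */
};

/*
 * Receive one packet header. On a checksum error the buffer is dropped and
 * the state machine goes back to waiting for a delimiter. With fixed == 0
 * the pointer is left dangling (the bug); with fixed == 1 it is cleared.
 */
static void bcsp_recv_hdr(struct bcsp_model *b, const unsigned char hdr[4], int fixed)
{
    b->rx_skb = alloc_skb_model();
    memcpy(b->rx_skb->data, hdr, 4);
    if (!bcsp_hdr_checksum_ok(hdr)) {
        kfree_skb_model(b->rx_skb);
        if (fixed)
            b->rx_skb = NULL;
    }
}

/* Teardown on tty release: the kfree_skb(rx_skb) that bcsp_close() performs. */
static void bcsp_close_model(struct bcsp_model *b)
{
    kfree_skb_model(b->rx_skb);
    b->rx_skb = NULL;
}

/* Constructed headers: a valid one, and the same header with a wrong checksum byte. */
static const unsigned char GOOD_HDR[4] = { 0x40, 0x00, 0x00, 0xbf };
static const unsigned char BAD_HDR[4]  = { 0x40, 0x00, 0x00, 0x00 };

/* Feed one header, then close; returns how many double frees were observed. */
int run_scenario(const unsigned char hdr[4], int fixed)
{
    struct bcsp_model b = { 0 };

    pool_next = 0;
    double_frees = 0;
    bcsp_recv_hdr(&b, hdr, fixed);
    bcsp_close_model(&b);
    return double_frees;
}

int run_bad_hdr(int fixed)  { return run_scenario(BAD_HDR, fixed); }   /* 1 when buggy, 0 when fixed */
int run_good_hdr(int fixed) { return run_scenario(GOOD_HDR, fixed); }  /* 0: close frees a live skb once */

int checksum_selftest(void)
{
    return bcsp_hdr_checksum_ok(GOOD_HDR) && !bcsp_hdr_checksum_ok(BAD_HDR);
}

int main(void)
{
    printf("checksum selftest: %s\n", checksum_selftest() ? "ok" : "FAIL");
    printf("bad header, buggy close: %d double free(s)\n", run_bad_hdr(0));
    printf("bad header, fixed:       %d double free(s)\n", run_bad_hdr(1));
    printf("good header, fixed:      %d double free(s)\n", run_good_hdr(1));
    return 0;
}
```

The good-header case is included to show why the free in the close path is not itself the defect: a packet still being assembled must be released on close, and the toy free, like the kernel's kfree_skb, accepts NULL, so clearing the pointer at the point of the early free is sufficient. In the kernel the second free lands on slab memory that may already have been reused, which is why the first report surfaced as a use-after-free read of the skb head and the second as an invalid free of the data area.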