[ ok ] Starting enhanced syslogd: rsyslogd.
[ 56.793152][ T26] audit: type=1800 audit(1572859835.007:25): pid=8690 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="cron" dev="sda1" ino=2414 res=0
[ 56.814708][ T26] audit: type=1800 audit(1572859835.017:26): pid=8690 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="mcstrans" dev="sda1" ino=2457 res=0
[ 56.835705][ T26] audit: type=1800 audit(1572859835.017:27): pid=8690 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="restorecond" dev="sda1" ino=2436 res=0
[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.

Debian GNU/Linux 7 syzkaller ttyS0

Warning: Permanently added '10.128.10.0' (ECDSA) to the list of known hosts.
executing program
executing program
executing program
executing program
executing program
executing program
syzkaller login: [ 75.526467][ T8856] nf_conntrack: default automatic helper assignment has been turned off for security reasons and CT-based firewall rule not found. Use the iptables CT target to attach helpers instead.
[ 75.529145][ T8854] nf_conntrack: default automatic helper assignment has been turned off for security reasons and CT-based firewall rule not found. Use the iptables CT target to attach helpers instead.
executing program
executing program
executing program
[ 75.885203][ T7] Bluetooth: Error in BCSP hdr checksum
[ 76.144825][ T30] Bluetooth: Error in BCSP hdr checksum
[ 76.404886][ T30] Bluetooth: Error in BCSP hdr checksum
[ 76.664835][ T30] Bluetooth: Error in BCSP hdr checksum
[ 76.924798][ T30] Bluetooth: Error in BCSP hdr checksum
[ 77.184885][ T30] Bluetooth: Error in BCSP hdr checksum
[ 77.444962][ T30] Bluetooth: Error in BCSP hdr checksum
[ 77.645141][ T3011] Bluetooth: hci2: command 0x1003 tx timeout
[ 77.651662][ T3011] Bluetooth: hci1: command 0x1003 tx timeout
[ 77.651725][ T8873] Bluetooth: hci2: sending frame failed (-49)
[ 77.658367][ T3011] Bluetooth: hci0: command 0x1003 tx timeout
[ 77.664000][ T8873] Bluetooth: hci1: sending frame failed (-49)
[ 77.676526][ T30] Bluetooth: Error in BCSP hdr checksum
[ 77.724603][ T3011] Bluetooth: hci3: command 0x1003 tx timeout
[ 77.730830][ T8875] Bluetooth: hci3: sending frame failed (-49)
[ 77.804623][ T2969] Bluetooth: hci5: command 0x1003 tx timeout
[ 77.810711][ T2969] Bluetooth: hci4: command 0x1003 tx timeout
[ 77.810752][ T8875] Bluetooth: hci5: sending frame failed (-49)
[ 77.817691][ T8874] Bluetooth: hci4: sending frame failed (-49)
[ 77.934894][ T7] Bluetooth: Error in BCSP hdr checksum
[ 78.194984][ T30] Bluetooth: Error in BCSP hdr checksum
[ 78.200881][ T30] Bluetooth: Error in BCSP hdr checksum
[ 78.454919][ T30] Bluetooth: Error in BCSP hdr checksum
[ 78.714902][ T7] Bluetooth: Error in BCSP hdr checksum
[ 78.974934][ T7] Bluetooth: Error in BCSP hdr checksum
[ 79.234949][ T7] Bluetooth: Error in BCSP hdr checksum
[ 79.494933][ T7] Bluetooth: Error in BCSP hdr checksum
[ 79.724657][ T2969] Bluetooth: hci0: command 0x1001 tx timeout
[ 79.730975][ T2969] Bluetooth: hci1: command 0x1001 tx timeout
[ 79.737390][ T8874] Bluetooth: hci1: sending frame failed (-49)
[ 79.743520][ T2969] Bluetooth: hci2: command 0x1001 tx timeout
[ 79.749632][ T8874] Bluetooth: hci2: sending frame failed (-49)
[ 79.756430][ T7] Bluetooth: Error in BCSP hdr checksum
[ 79.762323][ T7] Bluetooth: Error in BCSP hdr checksum
[ 79.804625][ T3011] Bluetooth: hci3: command 0x1001 tx timeout
[ 79.810788][ T8874] Bluetooth: hci3: sending frame failed (-49)
[ 79.884668][ T2969] Bluetooth: hci4: command 0x1001 tx timeout
[ 79.884674][ T3011] Bluetooth: hci5: command 0x1001 tx timeout
[ 79.884790][ T8874] Bluetooth: hci5: sending frame failed (-49)
[ 79.891122][ T8875] Bluetooth: hci4: sending frame failed (-49)
[ 80.014826][ T2730] Bluetooth: Error in BCSP hdr checksum
[ 80.020793][ T2730] Bluetooth: Error in BCSP hdr checksum
[ 80.026893][ T2730] Bluetooth: Error in BCSP hdr checksum
[ 80.274942][ T7] Bluetooth: Error in BCSP hdr checksum
[ 80.280786][ T7] Bluetooth: Error in BCSP hdr checksum
[ 81.804703][ T2969] Bluetooth: hci2: command 0x1009 tx timeout
[ 81.810773][ T2969] Bluetooth: hci1: command 0x1009 tx timeout
[ 81.816843][ T2969] Bluetooth: hci0: command 0x1009 tx timeout
[ 81.884671][ T2969] Bluetooth: hci3: command 0x1009 tx timeout
[ 81.964707][ T2969] Bluetooth: hci4: command 0x1009 tx timeout
[ 81.964713][ T3011] Bluetooth: hci5: command 0x1009 tx timeout
executing program
[ 85.971513][ T8849] ==================================================================
[ 85.979798][ T8849] BUG: KASAN: use-after-free in kfree_skb+0x38/0x3c0
[ 85.986505][ T8849] Read of size 4 at addr ffff8880961a0754 by task syz-executor904/8849
[ 85.994762][ T8849]
[ 85.997111][ T8849] CPU: 0 PID: 8849 Comm: syz-executor904 Not tainted 5.4.0-rc6 #0
[ 86.004915][ T8849] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 86.004933][ T8849] Call Trace:
[ 86.004954][ T8849] dump_stack+0x172/0x1f0
[ 86.004969][ T8849] ? kfree_skb+0x38/0x3c0
[ 86.004988][ T8849] print_address_description.constprop.0.cold+0xd4/0x30b
[ 86.004999][ T8849] ? kfree_skb+0x38/0x3c0
[ 86.005010][ T8849] ? kfree_skb+0x38/0x3c0
[ 86.005028][ T8849] __kasan_report.cold+0x1b/0x41
[ 86.005044][ T8849] ? kfree_skb+0x38/0x3c0
[ 86.018456][ T8849] kasan_report+0x12/0x20
[ 86.018472][ T8849] check_memory_region+0x134/0x1a0
[ 86.018485][ T8849] __kasan_check_read+0x11/0x20
[ 86.018506][ T8849] kfree_skb+0x38/0x3c0
executing program
executing program
executing program
executing program
[ 86.027408][ T8849] bcsp_close+0xc7/0x130
[ 86.027424][ T8849] hci_uart_tty_close+0x21e/0x280
[ 86.027433][ T8849] ? hci_uart_close+0x50/0x50
[ 86.027452][ T8849] tty_ldisc_close.isra.0+0x119/0x1a0
[ 86.027468][ T8849] tty_ldisc_kill+0x9c/0x160
[ 86.027481][ T8849] tty_ldisc_release+0xe9/0x2b0
[ 86.027499][ T8849] tty_release_struct+0x1b/0x50
[ 86.027519][ T8849] tty_release+0xbcb/0xe90
[ 86.027543][ T8849] __fput+0x2ff/0x890
[ 86.027559][ T8849] ? put_tty_driver+0x20/0x20
[ 86.027578][ T8849] ____fput+0x16/0x20
[ 86.038911][ T8849] task_work_run+0x145/0x1c0
[ 86.048160][ T8849] do_exit+0x904/0x2e60
[ 86.048187][ T8849] ? mm_update_next_owner+0x640/0x640
[ 86.048206][ T8849] ? lock_downgrade+0x920/0x920
[ 86.048225][ T8849] ? _raw_spin_unlock_irq+0x28/0x90
[ 86.048239][ T8849] ? get_signal+0x392/0x2500
[ 86.056931][ T8849] ? _raw_spin_unlock_irq+0x28/0x90
[ 86.056951][ T8849] do_group_exit+0x135/0x360
[ 86.056969][ T8849] get_signal+0x47c/0x2500
[ 86.057003][ T8849] do_signal+0x87/0x1700
[ 86.057024][ T8849] ? setup_sigcontext+0x7d0/0x7d0
[ 86.057037][ T8849] ? lock_downgrade+0x920/0x920
[ 86.057052][ T8849] ? rcu_read_lock_any_held+0xcd/0xf0
[ 86.057071][ T8849] ? exit_to_usermode_loop+0x43/0x380
[ 86.066372][ T8879] kobject: 'rfkill14' (000000004cc7ac85): fill_kobj_path: path = '/devices/virtual/bluetooth/hci0/rfkill14'
[ 86.067006][ T8849] ? do_syscall_64+0x65f/0x760
[ 86.067021][ T8849] ? exit_to_usermode_loop+0x43/0x380
[ 86.067039][ T8849] ? lockdep_hardirqs_on+0x421/0x5e0
[ 86.067055][ T8849] ? trace_hardirqs_on+0x67/0x240
[ 86.067079][ T8849] exit_to_usermode_loop+0x286/0x380
[ 86.110618][ T8884] kobject: 'hci1' (00000000b5a5d414): kobject_add_internal: parent: 'bluetooth', set: 'devices'
[ 86.113273][ T8849] do_syscall_64+0x65f/0x760
[ 86.113297][ T8849] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 86.113308][ T8849] RIP: 0033:0x441409
[ 86.113329][ T8849] Code: Bad RIP value.
[ 86.118466][ T8880] kobject: 'hci2' (000000009e107a20): kobject_add_internal: parent: 'bluetooth', set: 'devices'
[ 86.121953][ T8849] RSP: 002b:00007ffd9a450dd8 EFLAGS: 00000246 ORIG_RAX: 0000000000000028
[ 86.121966][ T8849] RAX: 0000000000278000 RBX: 0000000000000000 RCX: 0000000000441409
[ 86.121974][ T8849] RDX: 0000000000000000 RSI: 0000000000000005 RDI: 0000000000000004
[ 86.121983][ T8849] RBP: 00000000006cb018 R08: 00000000004002c8 R09: 00000000004002c8
[ 86.121992][ T8849] R10: 00008000fffffffe R11: 0000000000000246 R12: 0000000000402180
[ 86.122000][ T8849] R13: 0000000000402210 R14: 0000000000000000 R15: 0000000000000000
[ 86.122021][ T8849]
[ 86.122033][ T8849] Allocated by task 7:
[ 86.127017][ T8885] kobject: 'hci3' (00000000e3146d07): kobject_add_internal: parent: 'bluetooth', set: 'devices'
[ 86.130742][ T8849] save_stack+0x23/0x90
[ 86.130756][ T8849] __kasan_kmalloc.constprop.0+0xcf/0xe0
[ 86.130767][ T8849] kasan_slab_alloc+0xf/0x20
[ 86.130779][ T8849] kmem_cache_alloc_node+0x138/0x740
[ 86.130792][ T8849] __alloc_skb+0xd5/0x5e0
[ 86.130804][ T8849] bcsp_recv+0x8c1/0x13a0
[ 86.130819][ T8849] hci_uart_tty_receive+0x279/0x6e0
[ 86.136637][ T8878] kobject: 'hci4' (000000005a634323): kobject_add_internal: parent: 'bluetooth', set: 'devices'
[ 86.141012][ T8849] tty_ldisc_receive_buf+0x15f/0x1c0
[ 86.141025][ T8849] tty_port_default_receive_buf+0x7d/0xb0
[ 86.141038][ T8849] flush_to_ldisc+0x222/0x390
[ 86.141053][ T8849] process_one_work+0x9af/0x1740
[ 86.141066][ T8849] worker_thread+0x98/0xe40
[ 86.141076][ T8849] kthread+0x361/0x430
[ 86.141094][ T8849] ret_from_fork+0x24/0x30
[ 86.155865][ T8884] kobject: 'hci1' (00000000b5a5d414): kobject_uevent_env
[ 86.156110][ T8849]
[ 86.161009][ T8880] kobject: 'hci2' (000000009e107a20): kobject_uevent_env
[ 86.165080][ T8849] Freed by task 7:
[ 86.165098][ T8849] save_stack+0x23/0x90
[ 86.165110][ T8849] __kasan_slab_free+0x102/0x150
[ 86.165122][ T8849] kasan_slab_free+0xe/0x10
[ 86.165133][ T8849] kmem_cache_free+0x86/0x320
[ 86.165145][ T8849] kfree_skbmem+0xc5/0x150
[ 86.165156][ T8849] kfree_skb+0x109/0x3c0
[ 86.165168][ T8849] bcsp_recv+0x2d8/0x13a0
[ 86.165178][ T8849] hci_uart_tty_receive+0x279/0x6e0
[ 86.165191][ T8849] tty_ldisc_receive_buf+0x15f/0x1c0
[ 86.165202][ T8849] tty_port_default_receive_buf+0x7d/0xb0
[ 86.165217][ T8849] flush_to_ldisc+0x222/0x390
[ 86.173727][ T8885] kobject: 'hci3' (00000000e3146d07): kobject_uevent_env
[ 86.174456][ T8849] process_one_work+0x9af/0x1740
[ 86.181038][ T8878] kobject: 'hci4' (000000005a634323): kobject_uevent_env
[ 86.184641][ T8849] worker_thread+0x98/0xe40
[ 86.184655][ T8849] kthread+0x361/0x430
[ 86.184670][ T8849] ret_from_fork+0x24/0x30
[ 86.184674][ T8849]
[ 86.184687][ T8849] The buggy address belongs to the object at ffff8880961a0680
[ 86.184687][ T8849] which belongs to the cache skbuff_head_cache of size 224
[ 86.184696][ T8849] The buggy address is located 212 bytes inside of
[ 86.184696][ T8849] 224-byte region [ffff8880961a0680, ffff8880961a0760)
[ 86.184701][ T8849] The buggy address belongs to the page:
[ 86.184712][ T8849] page:ffffea0002586800 refcount:1 mapcount:0 mapping:ffff8880a9957a80 index:0x0
[ 86.184723][ T8849] flags: 0x1fffc0000000200(slab)
[ 86.184740][ T8849] raw: 01fffc0000000200 ffffea0002933448 ffffea00029d66c8 ffff8880a9957a80
[ 86.184797][ T8849] raw: 0000000000000000 ffff8880961a0040 000000010000000c 0000000000000000
[ 86.184803][ T8849] page dumped because: kasan: bad access detected
[ 86.184806][ T8849]
[ 86.184808][ T8849] Memory state around the buggy address:
[ 86.184816][ T8849] ffff8880961a0600: fb fb fb fb fc fc fc fc fc fc fc fc fc fc fc fc
[ 86.184822][ T8849] ffff8880961a0680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 86.184828][ T8849] >ffff8880961a0700: fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
[ 86.184831][ T8849]                                                  ^
[ 86.184839][ T8849] ffff8880961a0780: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
[ 86.184848][ T8849] ffff8880961a0800: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 86.184852][ T8849] ==================================================================
[ 86.184856][ T8849] Disabling lock debugging due to kernel taint
[ 86.185440][ T8849] Kernel panic - not syncing: panic_on_warn set ...
[ 86.195979][ T8880] kobject: 'hci2' (000000009e107a20): fill_kobj_path: path = '/devices/virtual/bluetooth/hci2'
[ 86.201784][ T8849] CPU: 0 PID: 8849 Comm: syz-executor904 Tainted: G B 5.4.0-rc6 #0
[ 86.201791][ T8849] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 86.201796][ T8849] Call Trace:
[ 86.201820][ T8849] dump_stack+0x172/0x1f0
[ 86.201837][ T8849] panic+0x2e3/0x75c
[ 86.207141][ T8884] kobject: 'hci1' (00000000b5a5d414): fill_kobj_path: path = '/devices/virtual/bluetooth/hci1'
[ 86.211937][ T8849] ? add_taint.cold+0x16/0x16
[ 86.211952][ T8849] ? kfree_skb+0x38/0x3c0
[ 86.211965][ T8849] ? preempt_schedule+0x4b/0x60
[ 86.211982][ T8849] ? ___preempt_schedule+0x16/0x20
[ 86.218487][ T8878] kobject: 'hci4' (000000005a634323): fill_kobj_path: path = '/devices/virtual/bluetooth/hci4'
[ 86.222258][ T8849] ? trace_hardirqs_on+0x5e/0x240
[ 86.222273][ T8849] ? kfree_skb+0x38/0x3c0
[ 86.222290][ T8849] end_report+0x47/0x4f
[ 86.229932][ T8885] kobject: 'hci3' (00000000e3146d07): fill_kobj_path: path = '/devices/virtual/bluetooth/hci3'
[ 86.238041][ T8849] ? kfree_skb+0x38/0x3c0
[ 86.238056][ T8849] __kasan_report.cold+0xe/0x41
[ 86.238067][ T8849] ? kfree_skb+0x38/0x3c0
[ 86.238079][ T8849] kasan_report+0x12/0x20
[ 86.238091][ T8849] check_memory_region+0x134/0x1a0
[ 86.238102][ T8849] __kasan_check_read+0x11/0x20
[ 86.238112][ T8849] kfree_skb+0x38/0x3c0
[ 86.238130][ T8849] bcsp_close+0xc7/0x130
[ 86.255027][ T8884] kobject: 'rfkill15' (000000002027fa6b): kobject_add_internal: parent: 'hci1', set: 'devices'
[ 86.256538][ T8849] hci_uart_tty_close+0x21e/0x280
[ 86.256549][ T8849] ? hci_uart_close+0x50/0x50
[ 86.256563][ T8849] tty_ldisc_close.isra.0+0x119/0x1a0
[ 86.256578][ T8849] tty_ldisc_kill+0x9c/0x160
[ 86.290014][ T8884] kobject: 'rfkill15' (000000002027fa6b): kobject_uevent_env
[ 86.291429][ T8849] tty_ldisc_release+0xe9/0x2b0
[ 86.291443][ T8849] tty_release_struct+0x1b/0x50
[ 86.291461][ T8849] tty_release+0xbcb/0xe90
[ 86.310625][ T8884] kobject: 'rfkill15' (000000002027fa6b): fill_kobj_path: path = '/devices/virtual/bluetooth/hci1/rfkill15'
[ 86.315533][ T8849] __fput+0x2ff/0x890
[ 86.315549][ T8849] ? put_tty_driver+0x20/0x20
[ 86.315561][ T8849] ____fput+0x16/0x20
[ 86.315573][ T8849] task_work_run+0x145/0x1c0
[ 86.315586][ T8849] do_exit+0x904/0x2e60
[ 86.315605][ T8849] ? mm_update_next_owner+0x640/0x640
[ 86.330168][ T8878] kobject: 'rfkill16' (00000000b08cfd88): kobject_add_internal: parent: 'hci4', set: 'devices'
[ 86.332379][ T8849] ? lock_downgrade+0x920/0x920
[ 86.332397][ T8849] ? _raw_spin_unlock_irq+0x28/0x90
[ 86.332415][ T8849] ? get_signal+0x392/0x2500
[ 86.338495][ T8878] kobject: 'rfkill16' (00000000b08cfd88): kobject_uevent_env
[ 86.342172][ T8849] ? _raw_spin_unlock_irq+0x28/0x90
[ 86.342189][ T8849] do_group_exit+0x135/0x360
[ 86.342207][ T8849] get_signal+0x47c/0x2500
[ 86.358036][ T8878] kobject: 'rfkill16' (00000000b08cfd88): fill_kobj_path: path = '/devices/virtual/bluetooth/hci4/rfkill16'
[ 86.360696][ T8849] do_signal+0x87/0x1700
[ 86.360716][ T8849] ? setup_sigcontext+0x7d0/0x7d0
[ 86.381487][ T8880] kobject: 'rfkill17' (00000000482142b3): kobject_add_internal: parent: 'hci2', set: 'devices'
[ 86.381738][ T8849] ? lock_downgrade+0x920/0x920
[ 86.388877][ T8880] kobject: 'rfkill17' (00000000482142b3): kobject_uevent_env
[ 86.392103][ T8849] ? rcu_read_lock_any_held+0xcd/0xf0
[ 86.392120][ T8849] ? exit_to_usermode_loop+0x43/0x380
[ 86.392138][ T8849] ? do_syscall_64+0x65f/0x760
[ 86.408503][ T8880] kobject: 'rfkill17' (00000000482142b3): fill_kobj_path: path = '/devices/virtual/bluetooth/hci2/rfkill17'
[ 86.410034][ T8849] ? exit_to_usermode_loop+0x43/0x380
[ 86.410049][ T8849] ? lockdep_hardirqs_on+0x421/0x5e0
[ 86.410066][ T8849] ? trace_hardirqs_on+0x67/0x240
[ 86.432577][ T8885] kobject: 'rfkill18' (0000000039929974): kobject_add_internal: parent: 'hci3', set: 'devices'
[ 86.434266][ T8849] exit_to_usermode_loop+0x286/0x380
[ 86.434281][ T8849] do_syscall_64+0x65f/0x760
[ 86.434297][ T8849] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 86.434311][ T8849] RIP: 0033:0x441409
[ 86.442550][ T8885] kobject: 'rfkill18' (0000000039929974): kobject_uevent_env
[ 86.443734][ T8849] Code: Bad RIP value.
[ 86.443742][ T8849] RSP: 002b:00007ffd9a450dd8 EFLAGS: 00000246 ORIG_RAX: 0000000000000028
[ 86.457138][ T8885] kobject: 'rfkill18' (0000000039929974): fill_kobj_path: path = '/devices/virtual/bluetooth/hci3/rfkill18'
[ 86.457245][ T8849] RAX: 0000000000278000 RBX: 0000000000000000 RCX: 0000000000441409
[ 87.101312][ T8849] RDX: 0000000000000000 RSI: 0000000000000005 RDI: 0000000000000004
[ 87.109359][ T8849] RBP: 00000000006cb018 R08: 00000000004002c8 R09: 00000000004002c8
[ 87.117315][ T8849] R10: 00008000fffffffe R11: 0000000000000246 R12: 0000000000402180
[ 87.125283][ T8849] R13: 0000000000402210 R14: 0000000000000000 R15: 0000000000000000
[ 87.134834][ T8849] Kernel Offset: disabled
[ 87.139169][ T8849] Rebooting in 86400 seconds..