[ 38.008694] audit: type=1800 audit(1573541944.417:32): pid=7413 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:kernel_t:s0 op=collect_data cause=failed(directio) comm="startpar" name="ssh" dev="sda1" ino=2450 res=0
Starting mcstransd:
[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting file context maintaining daemon: restorecond.
[ ok ] Starting OpenBSD Secure Shell server: sshd.
[ 38.787326] audit: type=1800 audit(1573541945.277:33): pid=7413 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:kernel_t:s0 op=collect_data cause=failed(directio) comm="startpar" name="rc.local" dev="sda1" ino=2465 res=0

Debian GNU/Linux 7 syzkaller ttyS0

Warning: Permanently added '10.128.10.9' (ECDSA) to the list of known hosts.
2019/11/12 07:14:32 parsed 1 programs
syzkaller login: [ 965.703236] kauditd_printk_skb: 2 callbacks suppressed
[ 965.703251] audit: type=1400 audit(1573542872.197:36): avc: denied { map } for pid=7601 comm="syz-execprog" path="/root/syz-execprog" dev="sda1" ino=16481 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
[ 965.775455] audit: type=1400 audit(1573542872.267:37): avc: denied { map } for pid=7601 comm="syz-execprog" path="/sys/kernel/debug/kcov" dev="debugfs" ino=15 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:debugfs_t:s0 tclass=file permissive=1
2019/11/12 07:14:34 executed programs: 0
[ 967.989222] IPVS: ftp: loaded support on port[0] = 21
[ 968.053889] chnl_net:caif_netlink_parms(): no params data found
[ 968.091537] bridge0: port 1(bridge_slave_0) entered blocking state
[ 968.098417] bridge0: port 1(bridge_slave_0) entered disabled state
[ 968.105988] device bridge_slave_0 entered promiscuous mode
[ 968.113855] bridge0: port 2(bridge_slave_1) entered blocking state
[ 968.120271] bridge0: port 2(bridge_slave_1) entered disabled state
[ 968.128587] device bridge_slave_1 entered promiscuous mode
[ 968.145223] bond0: Enslaving bond_slave_0 as an active interface with an up link
[ 968.154354] bond0: Enslaving bond_slave_1 as an active interface with an up link
[ 968.170894] IPv6: ADDRCONF(NETDEV_UP): team_slave_0: link is not ready
[ 968.179736] team0: Port device team_slave_0 added
[ 968.190200] IPv6: ADDRCONF(NETDEV_UP): team_slave_1: link is not ready
[ 968.197758] team0: Port device team_slave_1 added
[ 968.203225] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_0: link is not ready
[ 968.210511] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_1: link is not ready
[ 968.263276] device hsr_slave_0 entered promiscuous mode
[ 968.301639] device hsr_slave_1 entered promiscuous mode
[ 968.341605] IPv6: ADDRCONF(NETDEV_UP): hsr_slave_0: link is not ready
[ 968.348602] IPv6: ADDRCONF(NETDEV_UP): hsr_slave_1: link is not ready
[ 968.363567] bridge0: port 2(bridge_slave_1) entered blocking state
[ 968.370431] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 968.377632] bridge0: port 1(bridge_slave_0) entered blocking state
[ 968.384039] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 968.418426] IPv6: ADDRCONF(NETDEV_UP): bond0: link is not ready
[ 968.425895] 8021q: adding VLAN 0 to HW filter on device bond0
[ 968.435712] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
[ 968.444979] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 968.464695] bridge0: port 1(bridge_slave_0) entered disabled state
[ 968.472449] bridge0: port 2(bridge_slave_1) entered disabled state
[ 968.480472] IPv6: ADDRCONF(NETDEV_CHANGE): bond0: link becomes ready
[ 968.492262] IPv6: ADDRCONF(NETDEV_UP): team0: link is not ready
[ 968.498464] 8021q: adding VLAN 0 to HW filter on device team0
[ 968.507706] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[ 968.516292] bridge0: port 1(bridge_slave_0) entered blocking state
[ 968.522740] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 968.533613] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[ 968.541652] bridge0: port 2(bridge_slave_1) entered blocking state
[ 968.548096] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 968.563221] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready
[ 968.572990] IPv6: ADDRCONF(NETDEV_CHANGE): team0: link becomes ready
[ 968.583052] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready
[ 968.597581] hsr0: Slave A (hsr_slave_0) is not up; please bring it up to get a fully working HSR network
[ 968.608527] hsr0: Slave B (hsr_slave_1) is not up; please bring it up to get a fully working HSR network
[ 968.619645] IPv6: ADDRCONF(NETDEV_UP): hsr0: link is not ready
[ 968.626236] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
[ 968.634396] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
[ 968.642804] IPv6: ADDRCONF(NETDEV_CHANGE): hsr0: link becomes ready
[ 968.657173] IPv6: ADDRCONF(NETDEV_UP): vxcan0: link is not ready
[ 968.665454] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan0: link becomes ready
[ 968.672471] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan1: link becomes ready
[ 968.684567] 8021q: adding VLAN 0 to HW filter on device batadv0
[ 968.695317] audit: type=1400 audit(1573542875.187:38): avc: denied { associate } for pid=7617 comm="syz-executor.0" name="syz0" scontext=unconfined_u:object_r:unlabeled_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=filesystem permissive=1
[ 969.081824] Bluetooth: Error in BCSP hdr checksum
[ 969.351504] Bluetooth: Error in BCSP hdr checksum
[ 970.831575] Bluetooth: hci0: command 0x1003 tx timeout
[ 970.837898] Bluetooth: hci0: sending frame failed (-49)
[ 972.910941] Bluetooth: hci0: command 0x1001 tx timeout
[ 972.916537] Bluetooth: hci0: sending frame failed (-49)
[ 974.990954] Bluetooth: hci0: command 0x1009 tx timeout
[ 979.234400] ==================================================================
[ 979.242080] BUG: KASAN: use-after-free in kfree_skb+0x38/0x390
[ 979.248052] Read of size 4 at addr ffff8880a00e44e4 by task syz-executor.0/7624
[ 979.255477]
[ 979.257092] CPU: 1 PID: 7624 Comm: syz-executor.0 Not tainted 4.19.83 #0
[ 979.263910] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 979.273391] Call Trace:
[ 979.276051]  dump_stack+0x172/0x1f0
[ 979.279670]  ? kfree_skb+0x38/0x390
[ 979.283328]  print_address_description.cold+0x7c/0x20d
[ 979.288588]  ? kfree_skb+0x38/0x390
[ 979.292198]  kasan_report.cold+0x8c/0x2ba
[ 979.296333]  check_memory_region+0x123/0x190
[ 979.300723]  kasan_check_read+0x11/0x20
[ 979.305388]  kfree_skb+0x38/0x390
[ 979.308892]  bcsp_close+0xc7/0x130
[ 979.312442]  hci_uart_tty_close+0x1ea/0x250
[ 979.316748]  ? hci_uart_close+0x50/0x50
[ 979.320764]  tty_ldisc_close.isra.0+0xaf/0xe0
[ 979.325245]  tty_ldisc_kill+0x4b/0xc0
[ 979.329027]  tty_ldisc_release+0xc6/0x280
[ 979.333156]  tty_release_struct+0x1b/0x50
[ 979.337283]  tty_release+0xbcb/0xe90
[ 979.340982]  ? put_tty_driver+0x20/0x20
[ 979.344967]  __fput+0x2dd/0x8b0
[ 979.348231]  ____fput+0x16/0x20
[ 979.351520]  task_work_run+0x145/0x1c0
[ 979.355424]  exit_to_usermode_loop+0x273/0x2c0
[ 979.359992]  do_syscall_64+0x53d/0x620
[ 979.363893]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 979.369064] RIP: 0033:0x413db1
[ 979.372240] Code: 75 14 b8 03 00 00 00 0f 05 48 3d 01 f0 ff ff 0f 83 04 1b 00 00 c3 48 83 ec 08 e8 0a fc ff ff 48 89 04 24 b8 03 00 00 00 0f 05 <48> 8b 3c 24 48 89 c2 e8 53 fc ff ff 48 89 d0 48 83 c4 08 48 3d 01
[ 979.392252] RSP: 002b:00007ffd3e9ae340 EFLAGS: 00000293 ORIG_RAX: 0000000000000003
[ 979.399943] RAX: 0000000000000000 RBX: 0000000000000006 RCX: 0000000000413db1
[ 979.407192] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000005
[ 979.414461] RBP: 0000000000000001 R08: ffffffffffffffff R09: ffffffffffffffff
[ 979.422850] R10: 00007ffd3e9ae420 R11: 0000000000000293 R12: 000000000075c9a0
[ 979.430102] R13: 000000000075c9a0 R14: 0000000000760290 R15: 000000000075bfd4
[ 979.437358]
[ 979.439005] Allocated by task 40:
[ 979.442442]  save_stack+0x45/0xd0
[ 979.445875]  kasan_kmalloc+0xce/0xf0
[ 979.449568]  kasan_slab_alloc+0xf/0x20
[ 979.453437]  kmem_cache_alloc_node+0x144/0x710
[ 979.458043]  __alloc_skb+0xd5/0x5f0
[ 979.461651]  bcsp_recv+0x8c7/0x13a0
[ 979.465261]  hci_uart_tty_receive+0x225/0x530
[ 979.469738]  tty_ldisc_receive_buf+0x15f/0x1c0
[ 979.474303]  tty_port_default_receive_buf+0x7d/0xb0
[ 979.479301]  flush_to_ldisc+0x222/0x390
[ 979.483323]  process_one_work+0x989/0x1750
[ 979.487557]  worker_thread+0x98/0xe40
[ 979.491338]  kthread+0x354/0x420
[ 979.494700]  ret_from_fork+0x24/0x30
[ 979.498393]
[ 979.501046] Freed by task 40:
[ 979.504135]  save_stack+0x45/0xd0
[ 979.507573]  __kasan_slab_free+0x102/0x150
[ 979.511801]  kasan_slab_free+0xe/0x10
[ 979.515585]  kmem_cache_free+0x86/0x260
[ 979.519541]  kfree_skbmem+0xcb/0x150
[ 979.523311]  kfree_skb+0xf0/0x390
[ 979.526780]  bcsp_recv+0x2d8/0x13a0
[ 979.530403]  hci_uart_tty_receive+0x225/0x530
[ 979.534932]  tty_ldisc_receive_buf+0x15f/0x1c0
[ 979.539501]  tty_port_default_receive_buf+0x7d/0xb0
[ 979.544499]  flush_to_ldisc+0x222/0x390
[ 979.548464]  process_one_work+0x989/0x1750
[ 979.552727]  worker_thread+0x98/0xe40
[ 979.556509]  kthread+0x354/0x420
[ 979.559883]  ret_from_fork+0x24/0x30
[ 979.563577]
[ 979.565187] The buggy address belongs to the object at ffff8880a00e4400
[ 979.565187]  which belongs to the cache skbuff_head_cache of size 232
[ 979.578346] The buggy address is located 228 bytes inside of
[ 979.578346]  232-byte region [ffff8880a00e4400, ffff8880a00e44e8)
[ 979.590205] The buggy address belongs to the page:
[ 979.595115] page:ffffea0002803900 count:1 mapcount:0 mapping:ffff8880aa347ac0 index:0x0
[ 979.603257] flags: 0x1fffc0000000100(slab)
[ 979.607617] raw: 01fffc0000000100 ffffea000262d888 ffffea0002446e08 ffff8880aa347ac0
[ 979.615517] raw: 0000000000000000 ffff8880a00e4040 000000010000000c 0000000000000000
[ 979.623378] page dumped because: kasan: bad access detected
[ 979.629066]
[ 979.630673] Memory state around the buggy address:
[ 979.635586]  ffff8880a00e4380: fb fb fb fb fb fc fc fc fc fc fc fc fc fc fc fc
[ 979.642947]  ffff8880a00e4400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 979.650288] >ffff8880a00e4480: fb fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc
[ 979.657636]                                                        ^
[ 979.664109]  ffff8880a00e4500: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
[ 979.671456]  ffff8880a00e4580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 979.678791] ==================================================================
[ 979.686151] Disabling lock debugging due to kernel taint
[ 979.691904] Kernel panic - not syncing: panic_on_warn set ...
[ 979.691904]
[ 979.699284] CPU: 1 PID: 7624 Comm: syz-executor.0 Tainted: G    B             4.19.83 #0
[ 979.707498] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 979.716870] Call Trace:
[ 979.719474]  dump_stack+0x172/0x1f0
[ 979.723133]  ? kfree_skb+0x38/0x390
[ 979.726809]  panic+0x26a/0x50e
[ 979.730252]  ? __warn_printk+0xf3/0xf3
[ 979.734126]  ? kfree_skb+0x38/0x390
[ 979.737786]  ? preempt_schedule+0x4b/0x60
[ 979.741921]  ? ___preempt_schedule+0x16/0x18
[ 979.746423]  ? trace_hardirqs_on+0x5e/0x220
[ 979.750834]  ? kfree_skb+0x38/0x390
[ 979.754453]  kasan_end_report+0x47/0x4f
[ 979.758414]  kasan_report.cold+0xa9/0x2ba
[ 979.762678]  check_memory_region+0x123/0x190
[ 979.767081]  kasan_check_read+0x11/0x20
[ 979.771037]  kfree_skb+0x38/0x390
[ 979.774487]  bcsp_close+0xc7/0x130
[ 979.778058]  hci_uart_tty_close+0x1ea/0x250
[ 979.782372]  ? hci_uart_close+0x50/0x50
[ 979.786337]  tty_ldisc_close.isra.0+0xaf/0xe0
[ 979.790827]  tty_ldisc_kill+0x4b/0xc0
[ 979.794625]  tty_ldisc_release+0xc6/0x280
[ 979.798762]  tty_release_struct+0x1b/0x50
[ 979.802901]  tty_release+0xbcb/0xe90
[ 979.806601]  ? put_tty_driver+0x20/0x20
[ 979.813510]  __fput+0x2dd/0x8b0
[ 979.816785]  ____fput+0x16/0x20
[ 979.820055]  task_work_run+0x145/0x1c0
[ 979.823940]  exit_to_usermode_loop+0x273/0x2c0
[ 979.828506]  do_syscall_64+0x53d/0x620
[ 979.832397]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 979.837577] RIP: 0033:0x413db1
[ 979.840763] Code: 75 14 b8 03 00 00 00 0f 05 48 3d 01 f0 ff ff 0f 83 04 1b 00 00 c3 48 83 ec 08 e8 0a fc ff ff 48 89 04 24 b8 03 00 00 00 0f 05 <48> 8b 3c 24 48 89 c2 e8 53 fc ff ff 48 89 d0 48 83 c4 08 48 3d 01
[ 979.860281] RSP: 002b:00007ffd3e9ae340 EFLAGS: 00000293 ORIG_RAX: 0000000000000003
[ 979.867971] RAX: 0000000000000000 RBX: 0000000000000006 RCX: 0000000000413db1
[ 979.875326] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000005
[ 979.882591] RBP: 0000000000000001 R08: ffffffffffffffff R09: ffffffffffffffff
[ 979.889856] R10: 00007ffd3e9ae420 R11: 0000000000000293 R12: 000000000075c9a0
[ 979.897124] R13: 000000000075c9a0 R14: 0000000000760290 R15: 000000000075bfd4
[ 979.905845] Kernel Offset: disabled
[ 979.909533] Rebooting in 86400 seconds..