[....] Starting enhanced syslogd: rsyslogd[?25l[?1c7[ ok 8[?25h[?0c. [ 82.830152][ T32] audit: type=1800 audit(1572442116.879:25): pid=11932 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="cron" dev="sda1" ino=2414 res=0 [ 82.853557][ T32] audit: type=1800 audit(1572442116.909:26): pid=11932 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="mcstrans" dev="sda1" ino=2457 res=0 [ 82.889390][ T32] audit: type=1800 audit(1572442116.929:27): pid=11932 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="restorecond" dev="sda1" ino=2436 res=0 [....] Starting periodic command scheduler: cron[?25l[?1c7[ ok 8[?25h[?0c. [....] Starting OpenBSD Secure Shell server: sshd[?25l[?1c7[ ok 8[?25h[?0c. Debian GNU/Linux 7 syzkaller ttyS0 Warning: Permanently added '10.128.0.101' (ECDSA) to the list of known hosts. 2019/10/30 13:28:50 fuzzer started 2019/10/30 13:28:54 dialing manager at 10.128.0.26:37669 2019/10/30 13:28:58 syscalls: 2431 2019/10/30 13:28:58 code coverage: enabled 2019/10/30 13:28:58 comparison tracing: CONFIG_KCOV_ENABLE_COMPARISONS is not enabled 2019/10/30 13:28:58 extra coverage: enabled 2019/10/30 13:28:58 setuid sandbox: enabled 2019/10/30 13:28:58 namespace sandbox: enabled 2019/10/30 13:28:58 Android sandbox: /sys/fs/selinux/policy does not exist 2019/10/30 13:28:58 fault injection: enabled 2019/10/30 13:28:58 leak checking: CONFIG_DEBUG_KMEMLEAK is not enabled 2019/10/30 13:28:58 net packet injection: enabled 2019/10/30 13:28:58 net device setup: enabled 2019/10/30 13:28:58 concurrency sanitizer: /sys/kernel/debug/kcsan does not exist syzkaller login: [ 158.194217][T12087] ===================================================== [ 158.201235][T12087] BUG: KMSAN: use-after-free in kmem_cache_free+0x3df/0x2b70 [ 158.208713][T12087] CPU: 1 PID: 12087 Comm: syz-fuzzer Not tainted 5.4.0-rc5+ #0 [ 158.216237][T12087] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 158.226275][T12087] Call Trace: [ 158.229551][T12087] dump_stack+0x191/0x1f0 [ 158.233865][T12087] kmsan_report+0x128/0x220 [ 158.238349][T12087] __msan_warning+0x73/0xe0 [ 158.242834][T12087] kmem_cache_free+0x3df/0x2b70 [ 158.247663][T12087] ? kmsan_internal_set_origin+0x6a/0xb0 [ 158.253271][T12087] ? kfree_skb+0x473/0x4c0 [ 158.257679][T12087] ? kmsan_internal_unpoison_shadow+0x42/0x80 [ 158.263734][T12087] kfree_skb+0x473/0x4c0 [ 158.267954][T12087] ? packet_rcv_spkt+0x68d/0x7c0 [ 158.273042][T12087] packet_rcv_spkt+0x68d/0x7c0 [ 158.277802][T12087] ? packet_rcv+0x2110/0x2110 [ 158.282456][T12087] dev_queue_xmit_nit+0x1125/0x1200 [ 158.287728][T12087] dev_hard_start_xmit+0x21e/0xab0 [ 158.292824][T12087] ? kmsan_get_shadow_origin_ptr+0x91/0x4b0 [ 158.298710][T12087] sch_direct_xmit+0x56c/0x18c0 [ 158.310841][T12087] __dev_queue_xmit+0x212d/0x4200 [ 158.315872][T12087] dev_queue_xmit+0x4b/0x60 [ 158.321049][T12087] ip_finish_output2+0x20d6/0x25d0 [ 158.326138][T12087] ? __msan_metadata_ptr_for_load_2+0x10/0x20 [ 158.332186][T12087] ? nf_ct_deliver_cached_events+0x4d5/0x6e0 [ 158.339112][T12087] __ip_finish_output+0xaf8/0xda0 [ 158.344125][T12087] ip_finish_output+0x2db/0x420 [ 158.348960][T12087] ip_output+0x541/0x610 [ 158.353233][T12087] ? ip_mc_finish_output+0x6d0/0x6d0 [ 158.358528][T12087] ? ip_finish_output+0x420/0x420 [ 158.363534][T12087] __ip_queue_xmit+0x1caf/0x21f0 [ 158.368451][T12087] ? kmsan_get_shadow_origin_ptr+0x91/0x4b0 [ 158.374327][T12087] ? __msan_metadata_ptr_for_load_8+0x10/0x20 [ 158.380473][T12087] ip_queue_xmit+0xcc/0xf0 [ 158.384893][T12087] ? tcp_v4_inbound_md5_hash+0xd10/0xd10 [ 158.390511][T12087] __tcp_transmit_skb+0x40e3/0x5d90 [ 158.395717][T12087] __tcp_send_ack+0x701/0x840 [ 158.400379][T12087] tcp_send_ack+0x68/0x90 [ 158.404700][T12087] tcp_cleanup_rbuf+0x764/0x800 [ 158.409547][T12087] tcp_recvmsg+0x334d/0x4ff0 [ 158.414146][T12087] ? kmsan_get_shadow_origin_ptr+0x91/0x4b0 [ 158.420018][T12087] ? tcp_mmap+0x150/0x150 [ 158.424332][T12087] ? tcp_mmap+0x150/0x150 [ 158.428645][T12087] inet_recvmsg+0x237/0x7d0 [ 158.433146][T12087] ? inet_sendpage+0x2c0/0x2c0 [ 158.437907][T12087] ? kmsan_get_shadow_origin_ptr+0x91/0x4b0 [ 158.443795][T12087] ? inet_sendpage+0x2c0/0x2c0 [ 158.448553][T12087] ? inet_sendpage+0x2c0/0x2c0 [ 158.453314][T12087] sock_read_iter+0x5be/0x660 [ 158.458011][T12087] ? kernel_sock_ip_overhead+0x340/0x340 [ 158.463650][T12087] __vfs_read+0xa67/0xc90 [ 158.467984][T12087] vfs_read+0x359/0x6f0 [ 158.472138][T12087] ksys_read+0x265/0x430 [ 158.476364][T12087] __se_sys_read+0x92/0xb0 [ 158.480761][T12087] __x64_sys_read+0x4a/0x70 [ 158.485246][T12087] do_syscall_64+0xb6/0x160 [ 158.489728][T12087] entry_SYSCALL_64_after_hwframe+0x63/0xe7 [ 158.495627][T12087] RIP: 0033:0x47fd44 [ 158.499506][T12087] Code: ff ff cc cc cc cc e8 9b 40 fb ff 48 8b 7c 24 10 48 8b 74 24 18 48 8b 54 24 20 45 31 d2 45 31 c0 45 31 c9 48 8b 44 24 08 0f 05 <48> 3d 01 f0 ff ff 76 20 48 c7 44 24 28 ff ff ff ff 48 c7 44 24 30 [ 158.519090][T12087] RSP: 002b:000000c42039f708 EFLAGS: 00000246 ORIG_RAX: 0000000000000000 [ 158.527508][T12087] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 000000000047fd44 [ 158.535470][T12087] RDX: 0000000000001000 RSI: 000000c420350000 RDI: 0000000000000003 [ 158.543430][T12087] RBP: 000000c42039f758 R08: 0000000000000000 R09: 0000000000000000 [ 158.551384][T12087] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000080 [ 158.559343][T12087] R13: 0000000000000080 R14: 0000000000000002 R15: ffffffffffffffff [ 158.567301][T12087] [ 158.569606][T12087] Uninit was stored to memory at: [ 158.574612][T12087] kmsan_internal_chain_origin+0xbd/0x180 [ 158.580306][T12087] __msan_chain_origin+0x6b/0xd0 [ 158.585219][T12087] ___slab_alloc+0x1dbc/0x1fb0 [ 158.589975][T12087] kmem_cache_alloc+0xadf/0xd20 [ 158.594813][T12087] skb_clone+0x326/0x5d0 [ 158.599033][T12087] dev_queue_xmit_nit+0x539/0x1200 [ 158.604121][T12087] dev_hard_start_xmit+0x21e/0xab0 [ 158.609221][T12087] sch_direct_xmit+0x56c/0x18c0 [ 158.614048][T12087] __dev_queue_xmit+0x212d/0x4200 [ 158.619047][T12087] dev_queue_xmit+0x4b/0x60 [ 158.623529][T12087] ip_finish_output2+0x20d6/0x25d0 [ 158.628627][T12087] __ip_finish_output+0xaf8/0xda0 [ 158.633626][T12087] ip_finish_output+0x2db/0x420 [ 158.638811][T12087] ip_output+0x541/0x610 [ 158.643033][T12087] __ip_queue_xmit+0x1caf/0x21f0 [ 158.647943][T12087] ip_queue_xmit+0xcc/0xf0 [ 158.652349][T12087] __tcp_transmit_skb+0x40e3/0x5d90 [ 158.657544][T12087] __tcp_send_ack+0x701/0x840 [ 158.662253][T12087] tcp_send_ack+0x68/0x90 [ 158.666563][T12087] tcp_cleanup_rbuf+0x764/0x800 [ 158.671412][T12087] tcp_recvmsg+0x334d/0x4ff0 [ 158.675992][T12087] inet_recvmsg+0x237/0x7d0 [ 158.680477][T12087] sock_read_iter+0x5be/0x660 [ 158.685145][T12087] __vfs_read+0xa67/0xc90 [ 158.689451][T12087] vfs_read+0x359/0x6f0 [ 158.693583][T12087] ksys_read+0x265/0x430 [ 158.697803][T12087] __se_sys_read+0x92/0xb0 [ 158.702198][T12087] __x64_sys_read+0x4a/0x70 [ 158.706685][T12087] do_syscall_64+0xb6/0x160 [ 158.711353][T12087] entry_SYSCALL_64_after_hwframe+0x63/0xe7 [ 158.717228][T12087] [ 158.719532][T12087] Uninit was created at: [ 158.723758][T12087] kmsan_internal_poison_shadow+0x60/0x120 [ 158.729542][T12087] kmsan_slab_free+0x8d/0xf0 [ 158.734133][T12087] kmem_cache_free_bulk+0x3ad9/0x3f10 [ 158.739496][T12087] __kfree_skb_flush+0xb0/0x100 [ 158.744333][T12087] net_rx_action+0x1a5e/0x1aa0 [ 158.749071][T12087] __do_softirq+0x4a1/0x83a [ 158.753562][T12087] irq_exit+0x230/0x280 [ 158.757696][T12087] do_IRQ+0x123/0x360 [ 158.761656][T12087] ret_from_intr+0x0/0x33 [ 158.765967][T12087] memset_erms+0xb/0x10 [ 158.770113][T12087] core_sys_select+0x7b0/0xe90 [ 158.774854][T12087] __se_sys_pselect6+0x741/0x8e0 [ 158.779765][T12087] __x64_sys_pselect6+0x6e/0x90 [ 158.784602][T12087] do_syscall_64+0xb6/0x160 [ 158.789083][T12087] entry_SYSCALL_64_after_hwframe+0x63/0xe7 [ 158.794957][T12087] ===================================================== [ 158.801865][T12087] Disabling lock debugging due to kernel taint [ 158.808039][T12087] Kernel panic - not syncing: panic_on_warn set ... [ 158.814618][T12087] CPU: 1 PID: 12087 Comm: syz-fuzzer Tainted: G B 5.4.0-rc5+ #0 [ 158.823522][T12087] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 158.833555][T12087] Call Trace: [ 158.836829][T12087] dump_stack+0x191/0x1f0 [ 158.841240][T12087] panic+0x3c9/0xc1e [ 158.845151][T12087] kmsan_report+0x215/0x220 [ 158.849639][T12087] __msan_warning+0x73/0xe0 [ 158.854135][T12087] kmem_cache_free+0x3df/0x2b70 [ 158.858970][T12087] ? kmsan_internal_set_origin+0x6a/0xb0 [ 158.864585][T12087] ? kfree_skb+0x473/0x4c0 [ 158.868980][T12087] ? kmsan_internal_unpoison_shadow+0x42/0x80 [ 158.875046][T12087] kfree_skb+0x473/0x4c0 [ 158.879266][T12087] ? packet_rcv_spkt+0x68d/0x7c0 [ 158.884185][T12087] packet_rcv_spkt+0x68d/0x7c0 [ 158.889365][T12087] ? packet_rcv+0x2110/0x2110 [ 158.894030][T12087] dev_queue_xmit_nit+0x1125/0x1200 [ 158.899218][T12087] dev_hard_start_xmit+0x21e/0xab0 [ 158.904317][T12087] ? kmsan_get_shadow_origin_ptr+0x91/0x4b0 [ 158.910192][T12087] sch_direct_xmit+0x56c/0x18c0 [ 158.915042][T12087] __dev_queue_xmit+0x212d/0x4200 [ 158.920068][T12087] dev_queue_xmit+0x4b/0x60 [ 158.924579][T12087] ip_finish_output2+0x20d6/0x25d0 [ 158.929693][T12087] ? __msan_metadata_ptr_for_load_2+0x10/0x20 [ 158.935737][T12087] ? nf_ct_deliver_cached_events+0x4d5/0x6e0 [ 158.941705][T12087] __ip_finish_output+0xaf8/0xda0 [ 158.946723][T12087] ip_finish_output+0x2db/0x420 [ 158.951558][T12087] ip_output+0x541/0x610 [ 158.955798][T12087] ? ip_mc_finish_output+0x6d0/0x6d0 [ 158.961059][T12087] ? ip_finish_output+0x420/0x420 [ 158.966061][T12087] __ip_queue_xmit+0x1caf/0x21f0 [ 158.970978][T12087] ? kmsan_get_shadow_origin_ptr+0x91/0x4b0 [ 158.976861][T12087] ? __msan_metadata_ptr_for_load_8+0x10/0x20 [ 158.982927][T12087] ip_queue_xmit+0xcc/0xf0 [ 158.987321][T12087] ? tcp_v4_inbound_md5_hash+0xd10/0xd10 [ 158.992930][T12087] __tcp_transmit_skb+0x40e3/0x5d90 [ 158.998123][T12087] __tcp_send_ack+0x701/0x840 [ 159.002785][T12087] tcp_send_ack+0x68/0x90 [ 159.007093][T12087] tcp_cleanup_rbuf+0x764/0x800 [ 159.011927][T12087] tcp_recvmsg+0x334d/0x4ff0 [ 159.016518][T12087] ? kmsan_get_shadow_origin_ptr+0x91/0x4b0 [ 159.022399][T12087] ? tcp_mmap+0x150/0x150 [ 159.026704][T12087] ? tcp_mmap+0x150/0x150 [ 159.031006][T12087] inet_recvmsg+0x237/0x7d0 [ 159.035486][T12087] ? inet_sendpage+0x2c0/0x2c0 [ 159.040225][T12087] ? kmsan_get_shadow_origin_ptr+0x91/0x4b0 [ 159.046095][T12087] ? inet_sendpage+0x2c0/0x2c0 [ 159.050836][T12087] ? inet_sendpage+0x2c0/0x2c0 [ 159.055575][T12087] sock_read_iter+0x5be/0x660 [ 159.060246][T12087] ? kernel_sock_ip_overhead+0x340/0x340 [ 159.065857][T12087] __vfs_read+0xa67/0xc90 [ 159.070262][T12087] vfs_read+0x359/0x6f0 [ 159.074401][T12087] ksys_read+0x265/0x430 [ 159.078628][T12087] __se_sys_read+0x92/0xb0 [ 159.083025][T12087] __x64_sys_read+0x4a/0x70 [ 159.087591][T12087] do_syscall_64+0xb6/0x160 [ 159.093374][T12087] entry_SYSCALL_64_after_hwframe+0x63/0xe7 [ 159.099242][T12087] RIP: 0033:0x47fd44 [ 159.103114][T12087] Code: ff ff cc cc cc cc e8 9b 40 fb ff 48 8b 7c 24 10 48 8b 74 24 18 48 8b 54 24 20 45 31 d2 45 31 c0 45 31 c9 48 8b 44 24 08 0f 05 <48> 3d 01 f0 ff ff 76 20 48 c7 44 24 28 ff ff ff ff 48 c7 44 24 30 [ 159.122696][T12087] RSP: 002b:000000c42039f708 EFLAGS: 00000246 ORIG_RAX: 0000000000000000 [ 159.131079][T12087] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 000000000047fd44 [ 159.139028][T12087] RDX: 0000000000001000 RSI: 000000c420350000 RDI: 0000000000000003 [ 159.146974][T12087] RBP: 000000c42039f758 R08: 0000000000000000 R09: 0000000000000000 [ 159.157527][T12087] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000080 [ 159.165485][T12087] R13: 0000000000000080 R14: 0000000000000002 R15: ffffffffffffffff [ 159.174967][T12087] Kernel Offset: disabled [ 159.179289][T12087] Rebooting in 86400 seconds..