[ 38.972260] audit: type=1800 audit(1571059807.352:32): pid=7455 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:kernel_t:s0 op=collect_data cause=failed(directio) comm="startpar" name="ssh" dev="sda1" ino=2450 res=0
Starting mcstransd:
[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting file context maintaining daemon: restorecond.
[ ok ] Starting OpenBSD Secure Shell server: sshd.

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [ 44.096715] kauditd_printk_skb: 2 callbacks suppressed
[ 44.096728] audit: type=1400 audit(1571059812.482:35): avc: denied { map } for pid=7629 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
Warning: Permanently added '10.128.1.51' (ECDSA) to the list of known hosts.
[ 1009.210800] audit: type=1400 audit(1571060777.592:36): avc: denied { map } for pid=7641 comm="syz-execprog" path="/root/syz-execprog" dev="sda1" ino=16481 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
2019/10/14 13:46:17 parsed 1 programs
[ 1009.280984] audit: type=1400 audit(1571060777.662:37): avc: denied { map } for pid=7641 comm="syz-execprog" path="/sys/kernel/debug/kcov" dev="debugfs" ino=14982 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:debugfs_t:s0 tclass=file permissive=1
2019/10/14 13:46:19 executed programs: 0
[ 1011.142510] IPVS: ftp: loaded support on port[0] = 21
[ 1011.215521] chnl_net:caif_netlink_parms(): no params data found
[ 1011.248641] bridge0: port 1(bridge_slave_0) entered blocking state
[ 1011.255619] bridge0: port 1(bridge_slave_0) entered disabled state
[ 1011.263144] device bridge_slave_0 entered promiscuous mode
[ 1011.270616] bridge0: port 2(bridge_slave_1) entered blocking state
[ 1011.277095] bridge0: port 2(bridge_slave_1) entered disabled state
[ 1011.284042] device bridge_slave_1 entered promiscuous mode
[ 1011.299924] bond0: Enslaving bond_slave_0 as an active interface with an up link
[ 1011.308883] bond0: Enslaving bond_slave_1 as an active interface with an up link
[ 1011.324819] IPv6: ADDRCONF(NETDEV_UP): team_slave_0: link is not ready
[ 1011.332508] team0: Port device team_slave_0 added
[ 1011.338039] IPv6: ADDRCONF(NETDEV_UP): team_slave_1: link is not ready
[ 1011.345181] team0: Port device team_slave_1 added
[ 1011.350537] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_0: link is not ready
[ 1011.357844] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_1: link is not ready
[ 1011.418710] device hsr_slave_0 entered promiscuous mode
[ 1011.466371] device hsr_slave_1 entered promiscuous mode
[ 1011.546586] IPv6: ADDRCONF(NETDEV_UP): hsr_slave_0: link is not ready
[ 1011.553662] IPv6: ADDRCONF(NETDEV_UP): hsr_slave_1: link is not ready
[ 1011.567662] bridge0: port 2(bridge_slave_1) entered blocking state
[ 1011.574088] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 1011.581197] bridge0: port 1(bridge_slave_0) entered blocking state
[ 1011.587587] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 1011.619128] IPv6: ADDRCONF(NETDEV_UP): bond0: link is not ready
[ 1011.625401] 8021q: adding VLAN 0 to HW filter on device bond0
[ 1011.633936] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
[ 1011.643120] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 1011.662085] bridge0: port 1(bridge_slave_0) entered disabled state
[ 1011.669537] bridge0: port 2(bridge_slave_1) entered disabled state
[ 1011.677403] IPv6: ADDRCONF(NETDEV_CHANGE): bond0: link becomes ready
[ 1011.687742] IPv6: ADDRCONF(NETDEV_UP): team0: link is not ready
[ 1011.694021] 8021q: adding VLAN 0 to HW filter on device team0
[ 1011.703786] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[ 1011.711804] bridge0: port 1(bridge_slave_0) entered blocking state
[ 1011.718322] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 1011.728317] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[ 1011.736104] bridge0: port 2(bridge_slave_1) entered blocking state
[ 1011.742464] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 1011.757743] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready
[ 1011.765837] IPv6: ADDRCONF(NETDEV_CHANGE): team0: link becomes ready
[ 1011.775926] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready
[ 1011.787615] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
[ 1011.798759] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
[ 1011.808434] IPv6: ADDRCONF(NETDEV_UP): hsr0: link is not ready
[ 1011.814731] IPv6: ADDRCONF(NETDEV_CHANGE): hsr0: link becomes ready
[ 1011.828066] IPv6: ADDRCONF(NETDEV_UP): vxcan1: link is not ready
[ 1011.838388] 8021q: adding VLAN 0 to HW filter on device batadv0
[ 1011.848933] audit: type=1400 audit(1571060780.232:38): avc: denied { associate } for pid=7657 comm="syz-executor.0" name="syz0" scontext=unconfined_u:object_r:unlabeled_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=filesystem permissive=1
[ 1012.227099] Bluetooth: Error in BCSP hdr checksum
[ 1012.486537] Bluetooth: Error in BCSP hdr checksum
[ 1013.986937] Bluetooth: hci0: command 0x1003 tx timeout
[ 1013.993857] Bluetooth: hci0: sending frame failed (-49)
[ 1016.066169] Bluetooth: hci0: command 0x1001 tx timeout
[ 1016.071909] Bluetooth: hci0: sending frame failed (-49)
[ 1018.146189] Bluetooth: hci0: command 0x1009 tx timeout
[ 1022.150003] ==================================================================
[ 1022.158200] BUG: KASAN: use-after-free in kfree_skb+0x38/0x390
[ 1022.164174] Read of size 4 at addr ffff8880a08c8524 by task syz-executor.0/7666
[ 1022.171799]
[ 1022.173428] CPU: 0 PID: 7666 Comm: syz-executor.0 Not tainted 4.19.79 #0
[ 1022.180352] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 1022.189876] Call Trace:
[ 1022.192801]  dump_stack+0x172/0x1f0
[ 1022.196609]  ? kfree_skb+0x38/0x390
[ 1022.200607]  print_address_description.cold+0x7c/0x20d
[ 1022.206131]  ? kfree_skb+0x38/0x390
[ 1022.209776]  kasan_report.cold+0x8c/0x2ba
[ 1022.213925]  check_memory_region+0x123/0x190
[ 1022.218339]  kasan_check_read+0x11/0x20
[ 1022.222406]  kfree_skb+0x38/0x390
[ 1022.226259]  bcsp_close+0xc7/0x130
[ 1022.229874]  hci_uart_tty_close+0x1ea/0x250
[ 1022.234329]  ? hci_uart_close+0x50/0x50
[ 1022.238378]  tty_ldisc_close.isra.0+0xaf/0xe0
[ 1022.243208]  tty_ldisc_kill+0x4b/0xc0
[ 1022.247110]  tty_ldisc_release+0xc6/0x280
[ 1022.251261]  tty_release_struct+0x1b/0x50
[ 1022.255637]  tty_release+0xbcb/0xe90
[ 1022.259396]  ? put_tty_driver+0x20/0x20
[ 1022.263795]  __fput+0x2dd/0x8b0
[ 1022.267208]  ____fput+0x16/0x20
[ 1022.270526]  task_work_run+0x145/0x1c0
[ 1022.274497]  exit_to_usermode_loop+0x273/0x2c0
[ 1022.279277]  do_syscall_64+0x53d/0x620
[ 1022.283299]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 1022.289314] RIP: 0033:0x413741
[ 1022.292534] Code: 75 14 b8 03 00 00 00 0f 05 48 3d 01 f0 ff ff 0f 83 04 1b 00 00 c3 48 83 ec 08 e8 0a fc ff ff 48 89 04 24 b8 03 00 00 00 0f 05 <48> 8b 3c 24 48 89 c2 e8 53 fc ff ff 48 89 d0 48 83 c4 08 48 3d 01
[ 1022.312238] RSP: 002b:00007ffdbdbe99b0 EFLAGS: 00000293 ORIG_RAX: 0000000000000003
[ 1022.319954] RAX: 0000000000000000 RBX: 0000000000000005 RCX: 0000000000413741
[ 1022.327552] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000004
[ 1022.334818] RBP: 0000000000000001 R08: ffffffffffffffff R09: ffffffffffffffff
[ 1022.342084] R10: 00007ffdbdbe9a90 R11: 0000000000000293 R12: 000000000075c9a0
[ 1022.349563] R13: 000000000075c9a0 R14: 00000000007603c0 R15: 000000000075bfd4
[ 1022.357081]
[ 1022.358761] Allocated by task 7659:
[ 1022.362693]  save_stack+0x45/0xd0
[ 1022.366160]  kasan_kmalloc+0xce/0xf0
[ 1022.369881]  kasan_slab_alloc+0xf/0x20
[ 1022.373761]  kmem_cache_alloc_node+0x144/0x710
[ 1022.378580]  __alloc_skb+0xd5/0x5f0
[ 1022.382205]  bcsp_recv+0x8c7/0x13a0
[ 1022.385872]  hci_uart_tty_receive+0x225/0x530
[ 1022.390405]  tty_ldisc_receive_buf+0x15f/0x1c0
[ 1022.395023]  tty_port_default_receive_buf+0x7d/0xb0
[ 1022.400050]  flush_to_ldisc+0x222/0x390
[ 1022.404070]  process_one_work+0x989/0x1750
[ 1022.408307]  worker_thread+0x98/0xe40
[ 1022.412154]  kthread+0x354/0x420
[ 1022.415524]  ret_from_fork+0x24/0x30
[ 1022.419266]
[ 1022.420890] Freed by task 7659:
[ 1022.424169]  save_stack+0x45/0xd0
[ 1022.427619]  __kasan_slab_free+0x102/0x150
[ 1022.432002]  kasan_slab_free+0xe/0x10
[ 1022.435848]  kmem_cache_free+0x86/0x260
[ 1022.439831]  kfree_skbmem+0xcb/0x150
[ 1022.443539]  kfree_skb+0xf0/0x390
[ 1022.446993]  bcsp_recv+0x2d8/0x13a0
[ 1022.450836]  hci_uart_tty_receive+0x225/0x530
[ 1022.455332]  tty_ldisc_receive_buf+0x15f/0x1c0
[ 1022.459915]  tty_port_default_receive_buf+0x7d/0xb0
[ 1022.464928]  flush_to_ldisc+0x222/0x390
[ 1022.469134]  process_one_work+0x989/0x1750
[ 1022.473449]  worker_thread+0x98/0xe40
[ 1022.477366]  kthread+0x354/0x420
[ 1022.480783]  ret_from_fork+0x24/0x30
[ 1022.484482]
[ 1022.486106] The buggy address belongs to the object at ffff8880a08c8440
[ 1022.486106]  which belongs to the cache skbuff_head_cache of size 232
[ 1022.499686] The buggy address is located 228 bytes inside of
[ 1022.499686]  232-byte region [ffff8880a08c8440, ffff8880a08c8528)
[ 1022.513019] The buggy address belongs to the page:
[ 1022.518335] page:ffffea0002823200 count:1 mapcount:0 mapping:ffff88821bab2840 index:0x0
[ 1022.526848] flags: 0x1fffc0000000100(slab)
[ 1022.531326] raw: 01fffc0000000100 ffffea0002701588 ffffea000295d808 ffff88821bab2840
[ 1022.539655] raw: 0000000000000000 ffff8880a08c8080 000000010000000c 0000000000000000
[ 1022.547568] page dumped because: kasan: bad access detected
[ 1022.553386]
[ 1022.555009] Memory state around the buggy address:
[ 1022.559939]  ffff8880a08c8400: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
[ 1022.567849]  ffff8880a08c8480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 1022.575387] >ffff8880a08c8500: fb fb fb fb fb fc fc fc fc fc fc fc fc fc fc fc
[ 1022.582862]                                ^
[ 1022.587570]  ffff8880a08c8580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 1022.595134]  ffff8880a08c8600: fb fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc
[ 1022.602622] ==================================================================
[ 1022.610312] Disabling lock debugging due to kernel taint
[ 1022.616491] Kernel panic - not syncing: panic_on_warn set ...
[ 1022.616491]
[ 1022.623958] CPU: 0 PID: 7666 Comm: syz-executor.0 Tainted: G B 4.19.79 #0
[ 1022.632241] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 1022.641761] Call Trace:
[ 1022.644397]  dump_stack+0x172/0x1f0
[ 1022.648142]  ? kfree_skb+0x38/0x390
[ 1022.651840]  panic+0x263/0x507
[ 1022.655028]  ? __warn_printk+0xf3/0xf3
[ 1022.658948]  ? kfree_skb+0x38/0x390
[ 1022.663340]  ? preempt_schedule+0x4b/0x60
[ 1022.667751]  ? ___preempt_schedule+0x16/0x18
[ 1022.672539]  ? trace_hardirqs_on+0x5e/0x220
[ 1022.677031]  ? kfree_skb+0x38/0x390
[ 1022.680667]  kasan_end_report+0x47/0x4f
[ 1022.684650]  kasan_report.cold+0xa9/0x2ba
[ 1022.688861]  check_memory_region+0x123/0x190
[ 1022.693539]  kasan_check_read+0x11/0x20
[ 1022.697576]  kfree_skb+0x38/0x390
[ 1022.701179]  bcsp_close+0xc7/0x130
[ 1022.704730]  hci_uart_tty_close+0x1ea/0x250
[ 1022.709325]  ? hci_uart_close+0x50/0x50
[ 1022.713408]  tty_ldisc_close.isra.0+0xaf/0xe0
[ 1022.717955]  tty_ldisc_kill+0x4b/0xc0
[ 1022.722001]  tty_ldisc_release+0xc6/0x280
[ 1022.726526]  tty_release_struct+0x1b/0x50
[ 1022.730670]  tty_release+0xbcb/0xe90
[ 1022.734419]  ? put_tty_driver+0x20/0x20
[ 1022.739724]  __fput+0x2dd/0x8b0
[ 1022.743155]  ____fput+0x16/0x20
[ 1022.746523]  task_work_run+0x145/0x1c0
[ 1022.750458]  exit_to_usermode_loop+0x273/0x2c0
[ 1022.755128]  do_syscall_64+0x53d/0x620
[ 1022.759015]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 1022.764558] RIP: 0033:0x413741
[ 1022.767779] Code: 75 14 b8 03 00 00 00 0f 05 48 3d 01 f0 ff ff 0f 83 04 1b 00 00 c3 48 83 ec 08 e8 0a fc ff ff 48 89 04 24 b8 03 00 00 00 0f 05 <48> 8b 3c 24 48 89 c2 e8 53 fc ff ff 48 89 d0 48 83 c4 08 48 3d 01
[ 1022.787557] RSP: 002b:00007ffdbdbe99b0 EFLAGS: 00000293 ORIG_RAX: 0000000000000003
[ 1022.795976] RAX: 0000000000000000 RBX: 0000000000000005 RCX: 0000000000413741
[ 1022.803472] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000004
[ 1022.811090] RBP: 0000000000000001 R08: ffffffffffffffff R09: ffffffffffffffff
[ 1022.818888] R10: 00007ffdbdbe9a90 R11: 0000000000000293 R12: 000000000075c9a0
[ 1022.826748] R13: 000000000075c9a0 R14: 00000000007603c0 R15: 000000000075bfd4
[ 1022.837539] Kernel Offset: disabled
[ 1022.841291] Rebooting in 86400 seconds..