[....] Starting enhanced syslogd: rsyslogd[?25l[?1c7[ ok 8[?25h[?0c. [ 88.677945][ T32] audit: type=1800 audit(1572806133.732:25): pid=12534 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="cron" dev="sda1" ino=2414 res=0 [ 88.701391][ T32] audit: type=1800 audit(1572806133.752:26): pid=12534 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="mcstrans" dev="sda1" ino=2457 res=0 [ 88.737031][ T32] audit: type=1800 audit(1572806133.782:27): pid=12534 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="restorecond" dev="sda1" ino=2436 res=0 [....] Starting periodic command scheduler: cron[?25l[?1c7[ ok 8[?25h[?0c. [....] Starting OpenBSD Secure Shell server: sshd[?25l[?1c7[ ok 8[?25h[?0c. Debian GNU/Linux 7 syzkaller ttyS0 Warning: Permanently added '10.128.0.73' (ECDSA) to the list of known hosts. 2019/11/03 18:35:46 fuzzer started 2019/11/03 18:35:51 dialing manager at 10.128.0.26:45579 2019/11/03 18:35:51 syscalls: 2445 2019/11/03 18:35:51 code coverage: enabled 2019/11/03 18:35:51 comparison tracing: CONFIG_KCOV_ENABLE_COMPARISONS is not enabled 2019/11/03 18:35:51 extra coverage: enabled 2019/11/03 18:35:51 setuid sandbox: enabled 2019/11/03 18:35:51 namespace sandbox: enabled 2019/11/03 18:35:51 Android sandbox: /sys/fs/selinux/policy does not exist 2019/11/03 18:35:51 fault injection: enabled 2019/11/03 18:35:51 leak checking: CONFIG_DEBUG_KMEMLEAK is not enabled 2019/11/03 18:35:51 net packet injection: enabled 2019/11/03 18:35:51 net device setup: enabled 2019/11/03 18:35:51 concurrency sanitizer: /sys/kernel/debug/kcsan does not exist syzkaller login: [ 111.994382][T12683] ===================================================== [ 112.001380][T12683] BUG: KMSAN: use-after-free in kmem_cache_free+0x3df/0x2b70 [ 112.008754][T12683] CPU: 1 PID: 12683 Comm: syz-fuzzer Not tainted 5.4.0-rc5+ #0 [ 112.016287][T12683] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 112.026337][T12683] Call Trace: [ 112.029620][T12683] dump_stack+0x191/0x1f0 [ 112.033934][T12683] kmsan_report+0x128/0x220 [ 112.038419][T12683] __msan_warning+0x73/0xe0 [ 112.042901][T12683] kmem_cache_free+0x3df/0x2b70 [ 112.047744][T12683] ? kmsan_internal_set_origin+0x6a/0xb0 [ 112.053353][T12683] ? kfree_skb+0x473/0x4c0 [ 112.057780][T12683] ? kmsan_internal_unpoison_shadow+0x42/0x80 [ 112.063865][T12683] kfree_skb+0x473/0x4c0 [ 112.068097][T12683] ? packet_rcv_spkt+0x68d/0x7c0 [ 112.073019][T12683] packet_rcv_spkt+0x68d/0x7c0 [ 112.077779][T12683] ? packet_rcv+0x2110/0x2110 [ 112.082437][T12683] dev_queue_xmit_nit+0x1125/0x1200 [ 112.087626][T12683] dev_hard_start_xmit+0x21e/0xab0 [ 112.092725][T12683] ? kmsan_get_shadow_origin_ptr+0x91/0x4b0 [ 112.098621][T12683] sch_direct_xmit+0x56c/0x18c0 [ 112.103490][T12683] __dev_queue_xmit+0x212d/0x4200 [ 112.108534][T12683] dev_queue_xmit+0x4b/0x60 [ 112.113098][T12683] ip_finish_output2+0x20d6/0x25d0 [ 112.118247][T12683] ? __msan_metadata_ptr_for_load_2+0x10/0x20 [ 112.124320][T12683] ? nf_ct_deliver_cached_events+0x4d5/0x6e0 [ 112.130294][T12683] __ip_finish_output+0xaf8/0xda0 [ 112.135304][T12683] ip_finish_output+0x2db/0x420 [ 112.140141][T12683] ip_output+0x541/0x610 [ 112.144370][T12683] ? ip_mc_finish_output+0x6d0/0x6d0 [ 112.149633][T12683] ? ip_finish_output+0x420/0x420 [ 112.154653][T12683] __ip_queue_xmit+0x1caf/0x21f0 [ 112.159594][T12683] ? kmsan_get_shadow_origin_ptr+0x91/0x4b0 [ 112.165485][T12683] ? __msan_metadata_ptr_for_load_8+0x10/0x20 [ 112.171551][T12683] ip_queue_xmit+0xcc/0xf0 [ 112.175957][T12683] ? tcp_v4_inbound_md5_hash+0xd10/0xd10 [ 112.181570][T12683] __tcp_transmit_skb+0x40e3/0x5d90 [ 112.186777][T12683] __tcp_send_ack+0x701/0x840 [ 112.191439][T12683] tcp_send_ack+0x68/0x90 [ 112.195762][T12683] tcp_cleanup_rbuf+0x764/0x800 [ 112.200616][T12683] tcp_recvmsg+0x334d/0x4ff0 [ 112.205213][T12683] ? kmsan_get_shadow_origin_ptr+0x91/0x4b0 [ 112.212042][T12683] ? tcp_mmap+0x150/0x150 [ 112.216348][T12683] ? tcp_mmap+0x150/0x150 [ 112.220657][T12683] inet_recvmsg+0x237/0x7d0 [ 112.225139][T12683] ? inet_sendpage+0x2c0/0x2c0 [ 112.229883][T12683] ? kmsan_get_shadow_origin_ptr+0x91/0x4b0 [ 112.235852][T12683] ? inet_sendpage+0x2c0/0x2c0 [ 112.240614][T12683] ? inet_sendpage+0x2c0/0x2c0 [ 112.245383][T12683] sock_read_iter+0x5be/0x660 [ 112.250089][T12683] ? kernel_sock_ip_overhead+0x340/0x340 [ 112.255708][T12683] __vfs_read+0xa67/0xc90 [ 112.260040][T12683] vfs_read+0x359/0x6f0 [ 112.264185][T12683] ksys_read+0x265/0x430 [ 112.268424][T12683] __se_sys_read+0x92/0xb0 [ 112.272823][T12683] __x64_sys_read+0x4a/0x70 [ 112.277318][T12683] do_syscall_64+0xb6/0x160 [ 112.281812][T12683] entry_SYSCALL_64_after_hwframe+0x63/0xe7 [ 112.287693][T12683] RIP: 0033:0x47fd44 [ 112.291583][T12683] Code: ff ff cc cc cc cc e8 9b 40 fb ff 48 8b 7c 24 10 48 8b 74 24 18 48 8b 54 24 20 45 31 d2 45 31 c0 45 31 c9 48 8b 44 24 08 0f 05 <48> 3d 01 f0 ff ff 76 20 48 c7 44 24 28 ff ff ff ff 48 c7 44 24 30 [ 112.311176][T12683] RSP: 002b:000000c4203bd760 EFLAGS: 00000246 ORIG_RAX: 0000000000000000 [ 112.319565][T12683] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 000000000047fd44 [ 112.327515][T12683] RDX: 0000000000001000 RSI: 000000c4203f4000 RDI: 0000000000000003 [ 112.335466][T12683] RBP: 000000c4203bd7b0 R08: 0000000000000000 R09: 0000000000000000 [ 112.343420][T12683] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000008 [ 112.351370][T12683] R13: 0000000000000008 R14: 0000000000000002 R15: ffffffffffffffff [ 112.359339][T12683] [ 112.361645][T12683] Uninit was stored to memory at: [ 112.366674][T12683] kmsan_internal_chain_origin+0xbd/0x180 [ 112.372466][T12683] __msan_chain_origin+0x6b/0xd0 [ 112.377389][T12683] ___slab_alloc+0x1dbc/0x1fb0 [ 112.382134][T12683] kmem_cache_alloc+0xadf/0xd20 [ 112.386961][T12683] skb_clone+0x326/0x5d0 [ 112.391182][T12683] dev_queue_xmit_nit+0x539/0x1200 [ 112.396271][T12683] dev_hard_start_xmit+0x21e/0xab0 [ 112.401371][T12683] sch_direct_xmit+0x56c/0x18c0 [ 112.406201][T12683] __dev_queue_xmit+0x212d/0x4200 [ 112.411202][T12683] dev_queue_xmit+0x4b/0x60 [ 112.415685][T12683] ip_finish_output2+0x20d6/0x25d0 [ 112.420949][T12683] __ip_finish_output+0xaf8/0xda0 [ 112.425963][T12683] ip_finish_output+0x2db/0x420 [ 112.430802][T12683] ip_output+0x541/0x610 [ 112.435025][T12683] __ip_queue_xmit+0x1caf/0x21f0 [ 112.439941][T12683] ip_queue_xmit+0xcc/0xf0 [ 112.444334][T12683] __tcp_transmit_skb+0x40e3/0x5d90 [ 112.449511][T12683] __tcp_send_ack+0x701/0x840 [ 112.454172][T12683] tcp_send_ack+0x68/0x90 [ 112.458493][T12683] tcp_cleanup_rbuf+0x764/0x800 [ 112.463342][T12683] tcp_recvmsg+0x334d/0x4ff0 [ 112.467927][T12683] inet_recvmsg+0x237/0x7d0 [ 112.472495][T12683] sock_read_iter+0x5be/0x660 [ 112.477171][T12683] __vfs_read+0xa67/0xc90 [ 112.481495][T12683] vfs_read+0x359/0x6f0 [ 112.485633][T12683] ksys_read+0x265/0x430 [ 112.489850][T12683] __se_sys_read+0x92/0xb0 [ 112.494261][T12683] __x64_sys_read+0x4a/0x70 [ 112.498741][T12683] do_syscall_64+0xb6/0x160 [ 112.503226][T12683] entry_SYSCALL_64_after_hwframe+0x63/0xe7 [ 112.509364][T12683] [ 112.511683][T12683] Uninit was created at: [ 112.515921][T12683] kmsan_internal_poison_shadow+0x60/0x120 [ 112.521705][T12683] kmsan_slab_free+0x8d/0xf0 [ 112.526274][T12683] kmem_cache_free_bulk+0x3ad9/0x3f10 [ 112.531655][T12683] __kfree_skb_flush+0xb0/0x100 [ 112.536810][T12683] net_rx_action+0x1a5e/0x1aa0 [ 112.541702][T12683] __do_softirq+0x4a1/0x83a [ 112.546348][T12683] irq_exit+0x230/0x280 [ 112.550534][T12683] do_IRQ+0x123/0x360 [ 112.554497][T12683] ret_from_intr+0x0/0x33 [ 112.558805][T12683] default_idle+0x53/0x90 [ 112.563177][T12683] arch_cpu_idle+0x25/0x30 [ 112.567698][T12683] do_idle+0x1d5/0x780 [ 112.571862][T12683] cpu_startup_entry+0x45/0x50 [ 112.576609][T12683] start_secondary+0x389/0x480 [ 112.581365][T12683] secondary_startup_64+0xa4/0xb0 [ 112.586486][T12683] ===================================================== [ 112.593624][T12683] Disabling lock debugging due to kernel taint [ 112.599846][T12683] Kernel panic - not syncing: panic_on_warn set ... [ 112.606420][T12683] CPU: 1 PID: 12683 Comm: syz-fuzzer Tainted: G B 5.4.0-rc5+ #0 [ 112.615341][T12683] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 112.625382][T12683] Call Trace: [ 112.628676][T12683] dump_stack+0x191/0x1f0 [ 112.633019][T12683] panic+0x3c9/0xc1e [ 112.637035][T12683] kmsan_report+0x215/0x220 [ 112.641538][T12683] __msan_warning+0x73/0xe0 [ 112.646056][T12683] kmem_cache_free+0x3df/0x2b70 [ 112.651000][T12683] ? kmsan_internal_set_origin+0x6a/0xb0 [ 112.656612][T12683] ? kfree_skb+0x473/0x4c0 [ 112.661008][T12683] ? kmsan_internal_unpoison_shadow+0x42/0x80 [ 112.667079][T12683] kfree_skb+0x473/0x4c0 [ 112.671305][T12683] ? packet_rcv_spkt+0x68d/0x7c0 [ 112.676249][T12683] packet_rcv_spkt+0x68d/0x7c0 [ 112.681021][T12683] ? packet_rcv+0x2110/0x2110 [ 112.685828][T12683] dev_queue_xmit_nit+0x1125/0x1200 [ 112.691133][T12683] dev_hard_start_xmit+0x21e/0xab0 [ 112.696235][T12683] ? kmsan_get_shadow_origin_ptr+0x91/0x4b0 [ 112.702112][T12683] sch_direct_xmit+0x56c/0x18c0 [ 112.706952][T12683] __dev_queue_xmit+0x212d/0x4200 [ 112.711983][T12683] dev_queue_xmit+0x4b/0x60 [ 112.716475][T12683] ip_finish_output2+0x20d6/0x25d0 [ 112.721570][T12683] ? __msan_metadata_ptr_for_load_2+0x10/0x20 [ 112.727631][T12683] ? nf_ct_deliver_cached_events+0x4d5/0x6e0 [ 112.733616][T12683] __ip_finish_output+0xaf8/0xda0 [ 112.738627][T12683] ip_finish_output+0x2db/0x420 [ 112.743468][T12683] ip_output+0x541/0x610 [ 112.747706][T12683] ? ip_mc_finish_output+0x6d0/0x6d0 [ 112.752974][T12683] ? ip_finish_output+0x420/0x420 [ 112.757999][T12683] __ip_queue_xmit+0x1caf/0x21f0 [ 112.762919][T12683] ? kmsan_get_shadow_origin_ptr+0x91/0x4b0 [ 112.768989][T12683] ? __msan_metadata_ptr_for_load_8+0x10/0x20 [ 112.775060][T12683] ip_queue_xmit+0xcc/0xf0 [ 112.779457][T12683] ? tcp_v4_inbound_md5_hash+0xd10/0xd10 [ 112.785073][T12683] __tcp_transmit_skb+0x40e3/0x5d90 [ 112.790268][T12683] __tcp_send_ack+0x701/0x840 [ 112.794929][T12683] tcp_send_ack+0x68/0x90 [ 112.799238][T12683] tcp_cleanup_rbuf+0x764/0x800 [ 112.804073][T12683] tcp_recvmsg+0x334d/0x4ff0 [ 112.808673][T12683] ? kmsan_get_shadow_origin_ptr+0x91/0x4b0 [ 112.814616][T12683] ? tcp_mmap+0x150/0x150 [ 112.818924][T12683] ? tcp_mmap+0x150/0x150 [ 112.823246][T12683] inet_recvmsg+0x237/0x7d0 [ 112.827737][T12683] ? inet_sendpage+0x2c0/0x2c0 [ 112.832498][T12683] ? kmsan_get_shadow_origin_ptr+0x91/0x4b0 [ 112.838384][T12683] ? inet_sendpage+0x2c0/0x2c0 [ 112.843126][T12683] ? inet_sendpage+0x2c0/0x2c0 [ 112.847870][T12683] sock_read_iter+0x5be/0x660 [ 112.852535][T12683] ? kernel_sock_ip_overhead+0x340/0x340 [ 112.858158][T12683] __vfs_read+0xa67/0xc90 [ 112.862487][T12683] vfs_read+0x359/0x6f0 [ 112.866641][T12683] ksys_read+0x265/0x430 [ 112.870880][T12683] __se_sys_read+0x92/0xb0 [ 112.875277][T12683] __x64_sys_read+0x4a/0x70 [ 112.879759][T12683] do_syscall_64+0xb6/0x160 [ 112.884258][T12683] entry_SYSCALL_64_after_hwframe+0x63/0xe7 [ 112.890129][T12683] RIP: 0033:0x47fd44 [ 112.894006][T12683] Code: ff ff cc cc cc cc e8 9b 40 fb ff 48 8b 7c 24 10 48 8b 74 24 18 48 8b 54 24 20 45 31 d2 45 31 c0 45 31 c9 48 8b 44 24 08 0f 05 <48> 3d 01 f0 ff ff 76 20 48 c7 44 24 28 ff ff ff ff 48 c7 44 24 30 [ 112.913591][T12683] RSP: 002b:000000c4203bd760 EFLAGS: 00000246 ORIG_RAX: 0000000000000000 [ 112.921981][T12683] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 000000000047fd44 [ 112.929951][T12683] RDX: 0000000000001000 RSI: 000000c4203f4000 RDI: 0000000000000003 [ 112.937913][T12683] RBP: 000000c4203bd7b0 R08: 0000000000000000 R09: 0000000000000000 [ 112.945879][T12683] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000008 [ 112.953838][T12683] R13: 0000000000000008 R14: 0000000000000002 R15: ffffffffffffffff [ 112.963142][T12683] Kernel Offset: disabled [ 112.967475][T12683] Rebooting in 86400 seconds..