[ ok ] Starting enhanced syslogd: rsyslogd.
[ 38.003822][ T26] audit: type=1800 audit(1553484457.414:25): pid=7718 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="cron" dev="sda1" ino=2414 res=0
[ 38.041975][ T26] audit: type=1800 audit(1553484457.424:26): pid=7718 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="mcstrans" dev="sda1" ino=2457 res=0
[ 38.085629][ T26] audit: type=1800 audit(1553484457.424:27): pid=7718 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="restorecond" dev="sda1" ino=2436 res=0
[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.

Debian GNU/Linux 7 syzkaller ttyS0

Warning: Permanently added '10.128.0.68' (ECDSA) to the list of known hosts.

syzkaller login: [ 49.014622][ T7871] IPVS: ftp: loaded support on port[0] = 21
[ 49.075821][ T7871] chnl_net:caif_netlink_parms(): no params data found
[ 49.111023][ T7871] bridge0: port 1(bridge_slave_0) entered blocking state
[ 49.119385][ T7871] bridge0: port 1(bridge_slave_0) entered disabled state
[ 49.128122][ T7871] device bridge_slave_0 entered promiscuous mode
[ 49.136664][ T7871] bridge0: port 2(bridge_slave_1) entered blocking state
[ 49.144138][ T7871] bridge0: port 2(bridge_slave_1) entered disabled state
[ 49.152278][ T7871] device bridge_slave_1 entered promiscuous mode
[ 49.168460][ T7871] bond0: Enslaving bond_slave_0 as an active interface with an up link
[ 49.179195][ T7871] bond0: Enslaving bond_slave_1 as an active interface with an up link
[ 49.196172][ T7871] team0: Port device team_slave_0 added
[ 49.204295][ T7871] team0: Port device team_slave_1 added
[ 49.269025][ T7871] device hsr_slave_0 entered promiscuous mode
[ 49.336919][ T7871] device hsr_slave_1 entered promiscuous mode
[ 49.434766][ T7871] bridge0: port 2(bridge_slave_1) entered blocking state
[ 49.444317][ T7871] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 49.452290][ T7871] bridge0: port 1(bridge_slave_0) entered blocking state
[ 49.459478][ T7871] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 49.492168][ T7871] 8021q: adding VLAN 0 to HW filter on device bond0
[ 49.505380][ T2985] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 49.518130][ T2985] bridge0: port 1(bridge_slave_0) entered disabled state
[ 49.526982][ T2985] bridge0: port 2(bridge_slave_1) entered disabled state
[ 49.535447][ T2985] IPv6: ADDRCONF(NETDEV_CHANGE): bond0: link becomes ready
[ 49.548928][ T7871] 8021q: adding VLAN 0 to HW filter on device team0
[ 49.559865][ T3478] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[ 49.568525][ T3478] bridge0: port 1(bridge_slave_0) entered blocking state
[ 49.575588][ T3478] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 49.599010][ T2985] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[ 49.607897][ T2985] bridge0: port 2(bridge_slave_1) entered blocking state
[ 49.614961][ T2985] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 49.623405][ T2985] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready
[ 49.632131][ T2985] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready
[ 49.641231][ T2985] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
executing program
[ 49.649749][ T2985] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
[ 49.659885][ T7871] IPv6: ADDRCONF(NETDEV_CHANGE): hsr0: link becomes ready
[ 49.668715][ T5] IPv6: ADDRCONF(NETDEV_CHANGE): team0: link becomes ready
[ 49.685498][ T7871] 8021q: adding VLAN 0 to HW filter on device batadv0
[ 49.777005][ C0] protocol 88fb is buggy, dev hsr_slave_0
[ 49.783091][ C0] protocol 88fb is buggy, dev hsr_slave_1
[ 49.896749][ C0] protocol 88fb is buggy, dev hsr_slave_0
[ 49.902815][ C0] protocol 88fb is buggy, dev hsr_slave_1
[ 50.007619][ T7877] ==================================================================
[ 50.015883][ T7877] BUG: KASAN: use-after-free in skb_release_data+0x11d/0x7a0
[ 50.023269][ T7877] Write of size 4 at addr ffff88808dee74e0 by task syz-executor887/7877
[ 50.031580][ T7877]
[ 50.033930][ T7877] CPU: 0 PID: 7877 Comm: syz-executor887 Not tainted 5.0.0+ #108
[ 50.041639][ T7877] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 50.051703][ T7877] Call Trace:
[ 50.054994][ T7877] dump_stack+0x172/0x1f0
[ 50.059327][ T7877] ? skb_release_data+0x11d/0x7a0
[ 50.064382][ T7877] ? skb_queue_purge+0x19/0x40
[ 50.069152][ T7877] print_address_description.cold+0x7c/0x20d
[ 50.075136][ T7877] ? skb_release_data+0x11d/0x7a0
[ 50.080178][ T7877] ? skb_release_data+0x11d/0x7a0
[ 50.085205][ T7877] ? skb_queue_purge+0x19/0x40
[ 50.089967][ T7877] kasan_report.cold+0x1b/0x40
[ 50.094729][ T7877] ? skb_dequeue+0x71/0x180
[ 50.099227][ T7877] ? skb_release_data+0x11d/0x7a0
[ 50.104247][ T7877] check_memory_region+0x123/0x190
[ 50.109368][ T7877] kasan_check_write+0x14/0x20
[ 50.114144][ T7877] skb_release_data+0x11d/0x7a0
[ 50.119095][ T7877] ? sock_rfree+0x121/0x180
[ 50.123606][ T7877] ? skb_queue_purge+0x19/0x40
[ 50.128893][ T7877] skb_release_all+0x4d/0x60
[ 50.142665][ T7877] kfree_skb+0xe8/0x390
[ 50.146856][ T7877] skb_queue_purge+0x19/0x40
[ 50.151473][ T7877] packet_release+0x8eb/0xbf0
[ 50.157166][ T7877] ? packet_set_ring+0x1b50/0x1b50
[ 50.162308][ T7877] ? lock_acquire+0x16f/0x3f0
[ 50.167003][ T7877] ? __sock_release+0x89/0x2b0
[ 50.172134][ T7877] __sock_release+0xd3/0x2b0
[ 50.176739][ T7877] ? __sock_release+0x2b0/0x2b0
[ 50.181596][ T7877] sock_close+0x1b/0x30
[ 50.185759][ T7877] __fput+0x2e5/0x8d0
[ 50.189742][ T7877] ____fput+0x16/0x20
[ 50.193727][ T7877] task_work_run+0x14a/0x1c0
[ 50.198331][ T7877] do_exit+0x90a/0x2fa0
[ 50.202498][ T7877] ? get_signal+0x331/0x1d50
[ 50.207094][ T7877] ? mm_update_next_owner+0x640/0x640
[ 50.212484][ T7877] ? kasan_check_write+0x14/0x20
[ 50.217419][ T7877] ? _raw_spin_unlock_irq+0x28/0x90
[ 50.222628][ T7877] ? get_signal+0x331/0x1d50
[ 50.227220][ T7877] ? _raw_spin_unlock_irq+0x28/0x90
[ 50.232444][ T7877] do_group_exit+0x135/0x370
[ 50.237034][ T7877] get_signal+0x399/0x1d50
[ 50.241442][ T7877] ? fput+0x1b/0x20
[ 50.245259][ T7877] do_signal+0x87/0x1940
[ 50.249498][ T7877] ? setup_sigcontext+0x7d0/0x7d0
[ 50.254515][ T7877] ? __fd_install+0x200/0x640
[ 50.259193][ T7877] ? exit_to_usermode_loop+0x43/0x2c0
[ 50.264561][ T7877] ? do_syscall_64+0x52d/0x610
[ 50.269317][ T7877] ? exit_to_usermode_loop+0x43/0x2c0
[ 50.274690][ T7877] ? lockdep_hardirqs_on+0x418/0x5d0
[ 50.279980][ T7877] ? trace_hardirqs_on+0x67/0x230
[ 50.285011][ T7877] exit_to_usermode_loop+0x244/0x2c0
[ 50.290310][ T7877] do_syscall_64+0x52d/0x610
[ 50.295023][ T7877] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 50.301031][ T7877] RIP: 0033:0x4474d9
[ 50.304915][ T7877] Code: 7a 6c 69 62 77 00 73 74 72 65 61 6d 2e 63 00 6f 70 65 6e 20 65 72 72 6f 72 20 25 64 2c 20 66 69 6c 65 20 27 25 73 27 3a 20 25 <73> 0a 00 66 69 6c 65 20 25 64 20 69 73 20 61 20 74 74 79 2d 74 79
[ 50.324516][ T7877] RSP: 002b:00007f7ce163fdb8 EFLAGS: 00000246 ORIG_RAX: 00000000000000ca
[ 50.335391][ T7877] RAX: fffffffffffffe00 RBX: 00000000006ddc38 RCX: 00000000004474d9
[ 50.344853][ T7877] RDX: 0000000000000000 RSI: 0000000000000080 RDI: 00000000006ddc38
[ 50.353835][ T7877] RBP: 00000000006ddc30 R08: 0000000000000000 R09: 0000000000000000
[ 50.361808][ T7877] R10: 0000000000000000 R11: 0000000000000246 R12: 00000000006ddc3c
[ 50.372184][ T7877] R13: 00007ffe04f36bbf R14: 00007f7ce16409c0 R15: 000000000000002d
[ 50.380880][ T7877]
[ 50.383651][ T7877] Allocated by task 7876:
[ 50.388003][ T7877] save_stack+0x45/0xd0
[ 50.392174][ T7877] __kasan_kmalloc.constprop.0+0xcf/0xe0
[ 50.399113][ T7877] kasan_kmalloc+0x9/0x10
[ 50.403461][ T7877] __kmalloc_node_track_caller+0x4e/0x70
[ 50.409083][ T7877] __kmalloc_reserve.isra.0+0x40/0xf0
[ 50.414446][ T7877] __alloc_skb+0x10b/0x5e0
[ 50.418851][ T7877] sk_stream_alloc_skb+0x113/0xd10
[ 50.431037][ T7877] tcp_connect+0xfd8/0x4280
[ 50.435537][ T7877] tcp_v4_connect+0x1514/0x1c40
[ 50.440413][ T7877] __inet_stream_connect+0x83f/0xea0
[ 50.445704][ T7877] tcp_sendmsg_locked+0x2314/0x34d0
[ 50.450913][ T7877] tcp_sendmsg+0x30/0x50
[ 50.455157][ T7877] inet_sendmsg+0x147/0x5e0
[ 50.459669][ T7877] sock_sendmsg+0xdd/0x130
[ 50.464083][ T7877] __sys_sendto+0x262/0x380
[ 50.468588][ T7877] __x64_sys_sendto+0xe1/0x1a0
[ 50.473380][ T7877] do_syscall_64+0x103/0x610
[ 50.478007][ T7877] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 50.483897][ T7877]
[ 50.486253][ T7877] Freed by task 7877:
[ 50.490246][ T7877] save_stack+0x45/0xd0
[ 50.494441][ T7877] __kasan_slab_free+0x102/0x150
[ 50.499396][ T7877] kasan_slab_free+0xe/0x10
[ 50.504196][ T7877] kfree+0xcf/0x230
[ 50.515434][ T7877] skb_free_head+0x93/0xb0
[ 50.519908][ T7877] skb_release_data+0x576/0x7a0
[ 50.524774][ T7877] skb_release_all+0x4d/0x60
[ 50.529371][ T7877] kfree_skb+0xe8/0x390
[ 50.533536][ T7877] skb_queue_purge+0x19/0x40
[ 50.538128][ T7877] packet_release+0x8eb/0xbf0
[ 50.542803][ T7877] __sock_release+0xd3/0x2b0
[ 50.547415][ T7877] sock_close+0x1b/0x30
[ 50.552018][ T7877] __fput+0x2e5/0x8d0
[ 50.555993][ T7877] ____fput+0x16/0x20
[ 50.559970][ T7877] task_work_run+0x14a/0x1c0
[ 50.564576][ T7877] do_exit+0x90a/0x2fa0
[ 50.568722][ T7877] do_group_exit+0x135/0x370
[ 50.573309][ T7877] get_signal+0x399/0x1d50
[ 50.577719][ T7877] do_signal+0x87/0x1940
[ 50.581981][ T7877] exit_to_usermode_loop+0x244/0x2c0
[ 50.587281][ T7877] do_syscall_64+0x52d/0x610
[ 50.591904][ T7877] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 50.597869][ T7877]
[ 50.600187][ T7877] The buggy address belongs to the object at ffff88808dee7200
[ 50.600187][ T7877]  which belongs to the cache kmalloc-1k of size 1024
[ 50.614236][ T7877] The buggy address is located 736 bytes inside of
[ 50.614236][ T7877]  1024-byte region [ffff88808dee7200, ffff88808dee7600)
[ 50.627673][ T7877] The buggy address belongs to the page:
[ 50.633468][ T7877] page:ffffea000237b980 count:1 mapcount:0 mapping:ffff88812c3f0ac0 index:0x0 compound_mapcount: 0
[ 50.644288][ T7877] flags: 0x1fffc0000010200(slab|head)
[ 50.649849][ T7877] raw: 01fffc0000010200 ffffea000224ba08 ffffea0002a63288 ffff88812c3f0ac0
[ 50.658441][ T7877] raw: 0000000000000000 ffff88808dee6000 0000000100000007 0000000000000000
[ 50.667138][ T7877] page dumped because: kasan: bad access detected
[ 50.673579][ T7877]
[ 50.675894][ T7877] Memory state around the buggy address:
[ 50.681556][ T7877]  ffff88808dee7380: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 50.689618][ T7877]  ffff88808dee7400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 50.697799][ T7877] >ffff88808dee7480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 50.705857][ T7877]                                                        ^
[ 50.713059][ T7877]  ffff88808dee7500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 50.721123][ T7877]  ffff88808dee7580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 50.729201][ T7877] ==================================================================
[ 50.737324][ T7877] Disabling lock debugging due to kernel taint
[ 50.745926][ T7877] Kernel panic - not syncing: panic_on_warn set ...
[ 50.752554][ T7877] CPU: 0 PID: 7877 Comm: syz-executor887 Tainted: G B 5.0.0+ #108
[ 50.761649][ T7877] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 50.771697][ T7877] Call Trace:
[ 50.774990][ T7877] dump_stack+0x172/0x1f0
[ 50.779346][ T7877] ? skb_queue_purge+0x19/0x40
[ 50.784141][ T7877] panic+0x2cb/0x65c
[ 50.788057][ T7877] ? __warn_printk+0xf3/0xf3
[ 50.792661][ T7877] ? skb_release_data+0x11d/0x7a0
[ 50.797677][ T7877] ? skb_queue_purge+0x19/0x40
[ 50.802432][ T7877] ? preempt_schedule+0x4b/0x60
[ 50.807276][ T7877] ? ___preempt_schedule+0x16/0x18
[ 50.812387][ T7877] ? trace_hardirqs_on+0x5e/0x230
[ 50.817412][ T7877] ? skb_release_data+0x11d/0x7a0
[ 50.822422][ T7877] ? skb_queue_purge+0x19/0x40
[ 50.827168][ T7877] end_report+0x47/0x4f
[ 50.831311][ T7877] ? skb_release_data+0x11d/0x7a0
[ 50.836411][ T7877] kasan_report.cold+0xe/0x40
[ 50.841080][ T7877] ? skb_dequeue+0x71/0x180
[ 50.845576][ T7877] ? skb_release_data+0x11d/0x7a0
[ 50.850593][ T7877] check_memory_region+0x123/0x190
[ 50.855698][ T7877] kasan_check_write+0x14/0x20
[ 50.860472][ T7877] skb_release_data+0x11d/0x7a0
[ 50.865336][ T7877] ? sock_rfree+0x121/0x180
[ 50.869842][ T7877] ? skb_queue_purge+0x19/0x40
[ 50.874597][ T7877] skb_release_all+0x4d/0x60
[ 50.879182][ T7877] kfree_skb+0xe8/0x390
[ 50.883327][ T7877] skb_queue_purge+0x19/0x40
[ 50.887916][ T7877] packet_release+0x8eb/0xbf0
[ 50.892616][ T7877] ? packet_set_ring+0x1b50/0x1b50
[ 50.897731][ T7877] ? lock_acquire+0x16f/0x3f0
[ 50.902403][ T7877] ? __sock_release+0x89/0x2b0
[ 50.907161][ T7877] __sock_release+0xd3/0x2b0
[ 50.911760][ T7877] ? __sock_release+0x2b0/0x2b0
[ 50.916613][ T7877] sock_close+0x1b/0x30
[ 50.921109][ T7877] __fput+0x2e5/0x8d0
[ 50.925073][ T7877] ____fput+0x16/0x20
[ 50.929037][ T7877] task_work_run+0x14a/0x1c0
[ 50.933615][ T7877] do_exit+0x90a/0x2fa0
[ 50.937758][ T7877] ? get_signal+0x331/0x1d50
[ 50.942355][ T7877] ? mm_update_next_owner+0x640/0x640
[ 50.947758][ T7877] ? kasan_check_write+0x14/0x20
[ 50.952695][ T7877] ? _raw_spin_unlock_irq+0x28/0x90
[ 50.957886][ T7877] ? get_signal+0x331/0x1d50
[ 50.962473][ T7877] ? _raw_spin_unlock_irq+0x28/0x90
[ 50.967678][ T7877] do_group_exit+0x135/0x370
[ 50.972265][ T7877] get_signal+0x399/0x1d50
[ 50.976672][ T7877] ? fput+0x1b/0x20
[ 50.980468][ T7877] do_signal+0x87/0x1940
[ 50.984723][ T7877] ? setup_sigcontext+0x7d0/0x7d0
[ 50.989743][ T7877] ? __fd_install+0x200/0x640
[ 50.996812][ T7877] ? exit_to_usermode_loop+0x43/0x2c0
[ 51.002181][ T7877] ? do_syscall_64+0x52d/0x610
[ 51.006953][ T7877] ? exit_to_usermode_loop+0x43/0x2c0
[ 51.012339][ T7877] ? lockdep_hardirqs_on+0x418/0x5d0
[ 51.017637][ T7877] ? trace_hardirqs_on+0x67/0x230
[ 51.022655][ T7877] exit_to_usermode_loop+0x244/0x2c0
[ 51.027937][ T7877] do_syscall_64+0x52d/0x610
[ 51.032684][ T7877] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 51.038600][ T7877] RIP: 0033:0x4474d9
[ 51.042489][ T7877] Code: 7a 6c 69 62 77 00 73 74 72 65 61 6d 2e 63 00 6f 70 65 6e 20 65 72 72 6f 72 20 25 64 2c 20 66 69 6c 65 20 27 25 73 27 3a 20 25 <73> 0a 00 66 69 6c 65 20 25 64 20 69 73 20 61 20 74 74 79 2d 74 79
[ 51.062085][ T7877] RSP: 002b:00007f7ce163fdb8 EFLAGS: 00000246 ORIG_RAX: 00000000000000ca
[ 51.070776][ T7877] RAX: fffffffffffffe00 RBX: 00000000006ddc38 RCX: 00000000004474d9
[ 51.078743][ T7877] RDX: 0000000000000000 RSI: 0000000000000080 RDI: 00000000006ddc38
[ 51.086721][ T7877] RBP: 00000000006ddc30 R08: 0000000000000000 R09: 0000000000000000
[ 51.101448][ T7877] R10: 0000000000000000 R11: 0000000000000246 R12: 00000000006ddc3c
[ 51.109416][ T7877] R13: 00007ffe04f36bbf R14: 00007f7ce16409c0 R15: 000000000000002d
[ 51.118417][ T7877] Kernel Offset: disabled
[ 51.122747][ T7877] Rebooting in 86400 seconds..