[ ok ] Starting enhanced syslogd: rsyslogd. [ 88.317174][ T31] audit: type=1800 audit(1571384044.374:25): pid=12720 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="cron" dev="sda1" ino=2414 res=0 [ 88.340072][ T31] audit: type=1800 audit(1571384044.404:26): pid=12720 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="mcstrans" dev="sda1" ino=2457 res=0 [ 88.385262][ T31] audit: type=1800 audit(1571384044.424:27): pid=12720 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="restorecond" dev="sda1" ino=2436 res=0 [ ok ] Starting periodic command scheduler: cron. [ ok ] Starting OpenBSD Secure Shell server: sshd. Debian GNU/Linux 7 syzkaller ttyS0 Warning: Permanently added '10.128.15.203' (ECDSA) to the list of known hosts. 
2019/10/18 07:34:17 fuzzer started 2019/10/18 07:34:21 dialing manager at 10.128.0.26:46011 2019/10/18 07:34:22 syscalls: 2415 2019/10/18 07:34:22 code coverage: enabled 2019/10/18 07:34:22 comparison tracing: CONFIG_KCOV_ENABLE_COMPARISONS is not enabled 2019/10/18 07:34:22 extra coverage: enabled 2019/10/18 07:34:22 setuid sandbox: enabled 2019/10/18 07:34:22 namespace sandbox: enabled 2019/10/18 07:34:22 Android sandbox: /sys/fs/selinux/policy does not exist 2019/10/18 07:34:22 fault injection: enabled 2019/10/18 07:34:22 leak checking: CONFIG_DEBUG_KMEMLEAK is not enabled 2019/10/18 07:34:22 net packet injection: enabled 2019/10/18 07:34:22 net device setup: enabled 2019/10/18 07:34:22 concurrency sanitizer: /sys/kernel/debug/kcsan does not exist syzkaller login: [ 150.150872][T12875] ===================================================== [ 150.157893][T12875] BUG: KMSAN: use-after-free in kmem_cache_free+0x3df/0x2b70 [ 150.165274][T12875] CPU: 1 PID: 12875 Comm: syz-fuzzer Not tainted 5.4.0-rc3+ #0 [ 150.172814][T12875] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 150.182869][T12875] Call Trace: [ 150.186176][T12875] dump_stack+0x191/0x1f0 [ 150.190530][T12875] kmsan_report+0x14a/0x2f0 [ 150.195056][T12875] __msan_warning+0x73/0xf0 [ 150.199582][T12875] kmem_cache_free+0x3df/0x2b70 [ 150.204465][T12875] ? kmsan_internal_set_origin+0x6a/0xb0 [ 150.210103][T12875] ? kfree_skb+0x473/0x4c0 [ 150.214529][T12875] ? kmsan_internal_unpoison_shadow+0x42/0x70 [ 150.222017][T12875] kfree_skb+0x473/0x4c0 [ 150.226260][T12875] ? packet_rcv_spkt+0x68d/0x7c0 [ 150.231215][T12875] packet_rcv_spkt+0x68d/0x7c0 [ 150.235997][T12875] ? packet_rcv+0x2110/0x2110 [ 150.240690][T12875] dev_queue_xmit_nit+0x1125/0x1200 [ 150.245948][T12875] dev_hard_start_xmit+0x21e/0xab0 [ 150.251206][T12875] ? 
kmsan_get_shadow_origin_ptr+0x91/0x4b0 [ 150.257130][T12875] sch_direct_xmit+0x56c/0x18c0 [ 150.262052][T12875] __dev_queue_xmit+0x212d/0x4200 [ 150.267093][T12875] dev_queue_xmit+0x4b/0x60 [ 150.271608][T12875] ip_finish_output2+0x20d6/0x25d0 [ 150.276723][T12875] ? __msan_metadata_ptr_for_load_2+0x10/0x20 [ 150.282775][T12875] ? nf_ct_deliver_cached_events+0x4d5/0x6e0 [ 150.288749][T12875] __ip_finish_output+0xaf8/0xda0 [ 150.293765][T12875] ip_finish_output+0x2db/0x420 [ 150.298634][T12875] ip_output+0x541/0x610 [ 150.302891][T12875] ? ip_mc_finish_output+0x6d0/0x6d0 [ 150.308263][T12875] ? ip_finish_output+0x420/0x420 [ 150.313282][T12875] __ip_queue_xmit+0x1caf/0x21f0 [ 150.318299][T12875] ? kmsan_get_shadow_origin_ptr+0x91/0x4b0 [ 150.324181][T12875] ? __msan_metadata_ptr_for_load_8+0x10/0x20 [ 150.330252][T12875] ? should_fail+0x1d2/0xa50 [ 150.334847][T12875] ip_queue_xmit+0xcc/0xf0 [ 150.339260][T12875] ? tcp_v4_inbound_md5_hash+0xd10/0xd10 [ 150.344870][T12875] __tcp_transmit_skb+0x40e3/0x5d90 [ 150.350063][T12875] __tcp_send_ack+0x701/0x840 [ 150.354727][T12875] tcp_send_ack+0x68/0x90 [ 150.359060][T12875] tcp_cleanup_rbuf+0x764/0x800 [ 150.363960][T12875] tcp_recvmsg+0x334d/0x4ff0 [ 150.368567][T12875] ? kmsan_get_shadow_origin_ptr+0x91/0x4b0 [ 150.374559][T12875] ? tcp_mmap+0x150/0x150 [ 150.378872][T12875] ? tcp_mmap+0x150/0x150 [ 150.383181][T12875] inet_recvmsg+0x237/0x7d0 [ 150.387664][T12875] ? inet_sendpage+0x2c0/0x2c0 [ 150.392961][T12875] ? kmsan_get_shadow_origin_ptr+0x91/0x4b0 [ 150.398852][T12875] ? inet_sendpage+0x2c0/0x2c0 [ 150.403601][T12875] ? inet_sendpage+0x2c0/0x2c0 [ 150.409051][T12875] sock_read_iter+0x5be/0x660 [ 150.413738][T12875] ? 
kernel_sock_ip_overhead+0x340/0x340 [ 150.419526][T12875] __vfs_read+0xa67/0xc90 [ 150.423870][T12875] vfs_read+0x359/0x6f0 [ 150.428011][T12875] ksys_read+0x265/0x430 [ 150.432252][T12875] __se_sys_read+0x92/0xb0 [ 150.436665][T12875] __x64_sys_read+0x4a/0x70 [ 150.441148][T12875] do_syscall_64+0xb6/0x160 [ 150.445631][T12875] entry_SYSCALL_64_after_hwframe+0x63/0xe7 [ 150.451501][T12875] RIP: 0033:0x47fd44 [ 150.455386][T12875] Code: ff ff cc cc cc cc e8 9b 40 fb ff 48 8b 7c 24 10 48 8b 74 24 18 48 8b 54 24 20 45 31 d2 45 31 c0 45 31 c9 48 8b 44 24 08 0f 05 <48> 3d 01 f0 ff ff 76 20 48 c7 44 24 28 ff ff ff ff 48 c7 44 24 30 [ 150.475108][T12875] RSP: 002b:000000c42039f710 EFLAGS: 00000246 ORIG_RAX: 0000000000000000 [ 150.483522][T12875] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 000000000047fd44 [ 150.491500][T12875] RDX: 0000000000001000 RSI: 000000c42039a000 RDI: 0000000000000003 [ 150.499564][T12875] RBP: 000000c42039f760 R08: 0000000000000000 R09: 0000000000000000 [ 150.507537][T12875] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000020 [ 150.515512][T12875] R13: 0000000000000020 R14: 0000000000000008 R15: ffffffffffffffff [ 150.523612][T12875] [ 150.526002][T12875] Uninit was stored to memory at: [ 150.531036][T12875] kmsan_internal_chain_origin+0xbd/0x170 [ 150.536761][T12875] __msan_chain_origin+0x6b/0xe0 [ 150.541698][T12875] ___slab_alloc+0x1dbc/0x1fb0 [ 150.546460][T12875] kmem_cache_alloc+0xade/0xd10 [ 150.551324][T12875] skb_clone+0x326/0x5d0 [ 150.555554][T12875] dev_queue_xmit_nit+0x539/0x1200 [ 150.560660][T12875] dev_hard_start_xmit+0x21e/0xab0 [ 150.565779][T12875] sch_direct_xmit+0x56c/0x18c0 [ 150.570770][T12875] __dev_queue_xmit+0x212d/0x4200 [ 150.575787][T12875] dev_queue_xmit+0x4b/0x60 [ 150.580394][T12875] ip_finish_output2+0x20d6/0x25d0 [ 150.585493][T12875] __ip_finish_output+0xaf8/0xda0 [ 150.590577][T12875] ip_finish_output+0x2db/0x420 [ 150.595417][T12875] ip_output+0x541/0x610 [ 150.599639][T12875] 
__ip_queue_xmit+0x1caf/0x21f0 [ 150.604556][T12875] ip_queue_xmit+0xcc/0xf0 [ 150.609025][T12875] __tcp_transmit_skb+0x40e3/0x5d90 [ 150.614225][T12875] __tcp_send_ack+0x701/0x840 [ 150.618884][T12875] tcp_send_ack+0x68/0x90 [ 150.623193][T12875] tcp_cleanup_rbuf+0x764/0x800 [ 150.628023][T12875] tcp_recvmsg+0x334d/0x4ff0 [ 150.632591][T12875] inet_recvmsg+0x237/0x7d0 [ 150.637072][T12875] sock_read_iter+0x5be/0x660 [ 150.641724][T12875] __vfs_read+0xa67/0xc90 [ 150.646039][T12875] vfs_read+0x359/0x6f0 [ 150.650169][T12875] ksys_read+0x265/0x430 [ 150.654384][T12875] __se_sys_read+0x92/0xb0 [ 150.658776][T12875] __x64_sys_read+0x4a/0x70 [ 150.663257][T12875] do_syscall_64+0xb6/0x160 [ 150.667752][T12875] entry_SYSCALL_64_after_hwframe+0x63/0xe7 [ 150.673734][T12875] [ 150.676045][T12875] Uninit was created at: [ 150.680274][T12875] kmsan_internal_poison_shadow+0x60/0x110 [ 150.686359][T12875] kmsan_slab_free+0x8d/0x100 [ 150.691019][T12875] kmem_cache_free_bulk+0x3ad9/0x3f10 [ 150.696372][T12875] __kfree_skb_flush+0xb0/0x100 [ 150.701811][T12875] net_rx_action+0x1a5e/0x1aa0 [ 150.706780][T12875] __do_softirq+0x4a1/0x83a [ 150.711261][T12875] irq_exit+0x230/0x280 [ 150.715394][T12875] do_IRQ+0x123/0x360 [ 150.719352][T12875] ret_from_intr+0x0/0x33 [ 150.723744][T12875] ===================================================== [ 150.730649][T12875] Disabling lock debugging due to kernel taint [ 150.736791][T12875] Kernel panic - not syncing: panic_on_warn set ... [ 150.743377][T12875] CPU: 1 PID: 12875 Comm: syz-fuzzer Tainted: G B 5.4.0-rc3+ #0 [ 150.752315][T12875] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 150.762361][T12875] Call Trace: [ 150.765697][T12875] dump_stack+0x191/0x1f0 [ 150.770031][T12875] panic+0x3c9/0xc1e [ 150.773940][T12875] kmsan_report+0x2e8/0x2f0 [ 150.778431][T12875] __msan_warning+0x73/0xf0 [ 150.782929][T12875] kmem_cache_free+0x3df/0x2b70 [ 150.787758][T12875] ? 
kmsan_internal_set_origin+0x6a/0xb0 [ 150.793372][T12875] ? kfree_skb+0x473/0x4c0 [ 150.797872][T12875] ? kmsan_internal_unpoison_shadow+0x42/0x70 [ 150.803930][T12875] kfree_skb+0x473/0x4c0 [ 150.808147][T12875] ? packet_rcv_spkt+0x68d/0x7c0 [ 150.813064][T12875] packet_rcv_spkt+0x68d/0x7c0 [ 150.817829][T12875] ? packet_rcv+0x2110/0x2110 [ 150.822484][T12875] dev_queue_xmit_nit+0x1125/0x1200 [ 150.827739][T12875] dev_hard_start_xmit+0x21e/0xab0 [ 150.832896][T12875] ? kmsan_get_shadow_origin_ptr+0x91/0x4b0 [ 150.838782][T12875] sch_direct_xmit+0x56c/0x18c0 [ 150.843624][T12875] __dev_queue_xmit+0x212d/0x4200 [ 150.848641][T12875] dev_queue_xmit+0x4b/0x60 [ 150.853128][T12875] ip_finish_output2+0x20d6/0x25d0 [ 150.858220][T12875] ? __msan_metadata_ptr_for_load_2+0x10/0x20 [ 150.864265][T12875] ? nf_ct_deliver_cached_events+0x4d5/0x6e0 [ 150.870236][T12875] __ip_finish_output+0xaf8/0xda0 [ 150.875249][T12875] ip_finish_output+0x2db/0x420 [ 150.880102][T12875] ip_output+0x541/0x610 [ 150.884342][T12875] ? ip_mc_finish_output+0x6d0/0x6d0 [ 150.889618][T12875] ? ip_finish_output+0x420/0x420 [ 150.894729][T12875] __ip_queue_xmit+0x1caf/0x21f0 [ 150.899677][T12875] ? kmsan_get_shadow_origin_ptr+0x91/0x4b0 [ 150.905580][T12875] ? __msan_metadata_ptr_for_load_8+0x10/0x20 [ 150.911950][T12875] ? should_fail+0x1d2/0xa50 [ 150.916554][T12875] ip_queue_xmit+0xcc/0xf0 [ 150.920955][T12875] ? tcp_v4_inbound_md5_hash+0xd10/0xd10 [ 150.926570][T12875] __tcp_transmit_skb+0x40e3/0x5d90 [ 150.931829][T12875] __tcp_send_ack+0x701/0x840 [ 150.936533][T12875] tcp_send_ack+0x68/0x90 [ 150.940864][T12875] tcp_cleanup_rbuf+0x764/0x800 [ 150.946412][T12875] tcp_recvmsg+0x334d/0x4ff0 [ 150.951011][T12875] ? kmsan_get_shadow_origin_ptr+0x91/0x4b0 [ 150.956887][T12875] ? tcp_mmap+0x150/0x150 [ 150.961225][T12875] ? tcp_mmap+0x150/0x150 [ 150.965557][T12875] inet_recvmsg+0x237/0x7d0 [ 150.970055][T12875] ? inet_sendpage+0x2c0/0x2c0 [ 150.974818][T12875] ? 
kmsan_get_shadow_origin_ptr+0x91/0x4b0 [ 150.980689][T12875] ? inet_sendpage+0x2c0/0x2c0 [ 150.985437][T12875] ? inet_sendpage+0x2c0/0x2c0 [ 150.990184][T12875] sock_read_iter+0x5be/0x660 [ 150.994880][T12875] ? kernel_sock_ip_overhead+0x340/0x340 [ 151.000615][T12875] __vfs_read+0xa67/0xc90 [ 151.004945][T12875] vfs_read+0x359/0x6f0 [ 151.009088][T12875] ksys_read+0x265/0x430 [ 151.013320][T12875] __se_sys_read+0x92/0xb0 [ 151.017755][T12875] __x64_sys_read+0x4a/0x70 [ 151.022363][T12875] do_syscall_64+0xb6/0x160 [ 151.026908][T12875] entry_SYSCALL_64_after_hwframe+0x63/0xe7 [ 151.032800][T12875] RIP: 0033:0x47fd44 [ 151.036693][T12875] Code: ff ff cc cc cc cc e8 9b 40 fb ff 48 8b 7c 24 10 48 8b 74 24 18 48 8b 54 24 20 45 31 d2 45 31 c0 45 31 c9 48 8b 44 24 08 0f 05 <48> 3d 01 f0 ff ff 76 20 48 c7 44 24 28 ff ff ff ff 48 c7 44 24 30 [ 151.056429][T12875] RSP: 002b:000000c42039f710 EFLAGS: 00000246 ORIG_RAX: 0000000000000000 [ 151.064848][T12875] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 000000000047fd44 [ 151.072803][T12875] RDX: 0000000000001000 RSI: 000000c42039a000 RDI: 0000000000000003 [ 151.080757][T12875] RBP: 000000c42039f760 R08: 0000000000000000 R09: 0000000000000000 [ 151.088709][T12875] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000020 [ 151.096675][T12875] R13: 0000000000000020 R14: 0000000000000008 R15: ffffffffffffffff [ 151.106236][T12875] Kernel Offset: disabled [ 151.110589][T12875] Rebooting in 86400 seconds..