[....] Starting enhanced syslogd: rsyslogd[?25l[?1c7[1G[[32m ok [39;49m8[?25h[?0c.
[   84.803867][   T31] audit: type=1800 audit(1571982684.853:25): pid=12615 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="cron" dev="sda1" ino=2414 res=0
[   84.826740][   T31] audit: type=1800 audit(1571982684.873:26): pid=12615 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="mcstrans" dev="sda1" ino=2457 res=0
[   84.863090][   T31] audit: type=1800 audit(1571982684.893:27): pid=12615 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="restorecond" dev="sda1" ino=2436 res=0
[....] Starting periodic command scheduler: cron[?25l[?1c7[1G[[32m ok [39;49m8[?25h[?0c.
[....] Starting OpenBSD Secure Shell server: sshd[?25l[?1c7[1G[[32m ok [39;49m8[?25h[?0c.

Debian GNU/Linux 7 syzkaller ttyS0

Warning: Permanently added '10.128.1.41' (ECDSA) to the list of known hosts.
2019/10/25 05:51:37 fuzzer started
2019/10/25 05:51:41 dialing manager at 10.128.0.26:37653
2019/10/25 05:51:41 syscalls: 2415
2019/10/25 05:51:41 code coverage: enabled
2019/10/25 05:51:41 comparison tracing: CONFIG_KCOV_ENABLE_COMPARISONS is not enabled
2019/10/25 05:51:41 extra coverage: enabled
2019/10/25 05:51:41 setuid sandbox: enabled
2019/10/25 05:51:41 namespace sandbox: enabled
2019/10/25 05:51:41 Android sandbox: /sys/fs/selinux/policy does not exist
2019/10/25 05:51:41 fault injection: enabled
2019/10/25 05:51:41 leak checking: CONFIG_DEBUG_KMEMLEAK is not enabled
2019/10/25 05:51:41 net packet injection: enabled
2019/10/25 05:51:41 net device setup: enabled
2019/10/25 05:51:41 concurrency sanitizer: /sys/kernel/debug/kcsan does not exist
syzkaller login: [  148.172300][T12766] =====================================================
[  148.179300][T12766] BUG: KMSAN: use-after-free in kmem_cache_free+0x3df/0x2b70
[  148.186680][T12766] CPU: 1 PID: 12766 Comm: syz-fuzzer Not tainted 5.4.0-rc3+ #0
[  148.194213][T12766] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[  148.204269][T12766] Call Trace:
[  148.207571][T12766]  dump_stack+0x191/0x1f0
[  148.211912][T12766]  kmsan_report+0x128/0x220
[  148.216427][T12766]  __msan_warning+0x73/0xe0
[  148.220938][T12766]  kmem_cache_free+0x3df/0x2b70
[  148.225791][T12766]  ? kmsan_internal_set_origin+0x6a/0xb0
[  148.231428][T12766]  ? kfree_skb+0x473/0x4c0
[  148.235849][T12766]  ? kmsan_internal_unpoison_shadow+0x42/0x80
[  148.241941][T12766]  kfree_skb+0x473/0x4c0
[  148.246189][T12766]  ? packet_rcv_spkt+0x68d/0x7c0
[  148.251130][T12766]  packet_rcv_spkt+0x68d/0x7c0
[  148.255907][T12766]  ? packet_rcv+0x2110/0x2110
[  148.260581][T12766]  dev_queue_xmit_nit+0x1125/0x1200
[  148.265802][T12766]  dev_hard_start_xmit+0x21e/0xab0
[  148.270921][T12766]  ? kmsan_get_shadow_origin_ptr+0x91/0x4b0
[  148.276811][T12766]  sch_direct_xmit+0x56c/0x18c0
[  148.281669][T12766]  __dev_queue_xmit+0x212d/0x4200
[  148.286702][T12766]  dev_queue_xmit+0x4b/0x60
[  148.291197][T12766]  ip_finish_output2+0x20d6/0x25d0
[  148.296296][T12766]  ? __msan_metadata_ptr_for_load_2+0x10/0x20
[  148.302350][T12766]  ? nf_ct_deliver_cached_events+0x4d5/0x6e0
[  148.308338][T12766]  __ip_finish_output+0xaf8/0xda0
[  148.313362][T12766]  ip_finish_output+0x2db/0x420
[  148.318211][T12766]  ip_output+0x541/0x610
[  148.322450][T12766]  ? ip_mc_finish_output+0x6d0/0x6d0
[  148.327724][T12766]  ? ip_finish_output+0x420/0x420
[  148.332740][T12766]  __ip_queue_xmit+0x1caf/0x21f0
[  148.337768][T12766]  ? __msan_metadata_ptr_for_store_8+0x13/0x20
[  148.343931][T12766]  ip_queue_xmit+0xcc/0xf0
[  148.348340][T12766]  ? tcp_v4_inbound_md5_hash+0xd10/0xd10
[  148.353959][T12766]  __tcp_transmit_skb+0x40e3/0x5d90
[  148.359177][T12766]  __tcp_send_ack+0x701/0x840
[  148.363848][T12766]  tcp_send_ack+0x68/0x90
[  148.368177][T12766]  tcp_cleanup_rbuf+0x764/0x800
[  148.373040][T12766]  tcp_recvmsg+0x334d/0x4ff0
[  148.377656][T12766]  ? kmsan_get_shadow_origin_ptr+0x91/0x4b0
[  148.383537][T12766]  ? tcp_mmap+0x150/0x150
[  148.387854][T12766]  ? tcp_mmap+0x150/0x150
[  148.392170][T12766]  inet_recvmsg+0x237/0x7d0
[  148.396668][T12766]  ? inet_sendpage+0x2c0/0x2c0
[  148.401423][T12766]  ? kmsan_get_shadow_origin_ptr+0x91/0x4b0
[  148.407308][T12766]  ? inet_sendpage+0x2c0/0x2c0
[  148.412065][T12766]  ? inet_sendpage+0x2c0/0x2c0
[  148.416819][T12766]  sock_read_iter+0x5be/0x660
[  148.421502][T12766]  ? kernel_sock_ip_overhead+0x340/0x340
[  148.427136][T12766]  __vfs_read+0xa67/0xc90
[  148.431473][T12766]  vfs_read+0x359/0x6f0
[  148.435641][T12766]  ksys_read+0x265/0x430
[  148.439889][T12766]  __se_sys_read+0x92/0xb0
[  148.444304][T12766]  __x64_sys_read+0x4a/0x70
[  148.448811][T12766]  do_syscall_64+0xb6/0x160
[  148.453312][T12766]  entry_SYSCALL_64_after_hwframe+0x63/0xe7
[  148.459195][T12766] RIP: 0033:0x47fd44
[  148.463079][T12766] Code: ff ff cc cc cc cc e8 9b 40 fb ff 48 8b 7c 24 10 48 8b 74 24 18 48 8b 54 24 20 45 31 d2 45 31 c0 45 31 c9 48 8b 44 24 08 0f 05 <48> 3d 01 f0 ff ff 76 20 48 c7 44 24 28 ff ff ff ff 48 c7 44 24 30
[  148.482670][T12766] RSP: 002b:000000c42039b710 EFLAGS: 00000246 ORIG_RAX: 0000000000000000
[  148.491069][T12766] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 000000000047fd44
[  148.499030][T12766] RDX: 0000000000001000 RSI: 000000c4203ae000 RDI: 0000000000000003
[  148.506998][T12766] RBP: 000000c42039b760 R08: 0000000000000000 R09: 0000000000000000
[  148.514954][T12766] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000004
[  148.522911][T12766] R13: 0000000000000004 R14: 0000000000000004 R15: ffffffffffffffff
[  148.530880][T12766] 
[  148.533188][T12766] Uninit was stored to memory at:
[  148.538212][T12766]  kmsan_internal_chain_origin+0xbd/0x180
[  148.543918][T12766]  __msan_chain_origin+0x6b/0xd0
[  148.548842][T12766]  ___slab_alloc+0x1dbc/0x1fb0
[  148.553592][T12766]  kmem_cache_alloc+0xade/0xd10
[  148.558426][T12766]  skb_clone+0x326/0x5d0
[  148.562651][T12766]  dev_queue_xmit_nit+0x539/0x1200
[  148.567742][T12766]  dev_hard_start_xmit+0x21e/0xab0
[  148.572840][T12766]  sch_direct_xmit+0x56c/0x18c0
[  148.577671][T12766]  __dev_queue_xmit+0x212d/0x4200
[  148.582683][T12766]  dev_queue_xmit+0x4b/0x60
[  148.587185][T12766]  ip_finish_output2+0x20d6/0x25d0
[  148.592282][T12766]  __ip_finish_output+0xaf8/0xda0
[  148.597386][T12766]  ip_finish_output+0x2db/0x420
[  148.602220][T12766]  ip_output+0x541/0x610
[  148.606450][T12766]  __ip_queue_xmit+0x1caf/0x21f0
[  148.611370][T12766]  ip_queue_xmit+0xcc/0xf0
[  148.615771][T12766]  __tcp_transmit_skb+0x40e3/0x5d90
[  148.620952][T12766]  __tcp_send_ack+0x701/0x840
[  148.625619][T12766]  tcp_send_ack+0x68/0x90
[  148.629939][T12766]  tcp_cleanup_rbuf+0x764/0x800
[  148.634771][T12766]  tcp_recvmsg+0x334d/0x4ff0
[  148.639345][T12766]  inet_recvmsg+0x237/0x7d0
[  148.643832][T12766]  sock_read_iter+0x5be/0x660
[  148.648491][T12766]  __vfs_read+0xa67/0xc90
[  148.652800][T12766]  vfs_read+0x359/0x6f0
[  148.656938][T12766]  ksys_read+0x265/0x430
[  148.661161][T12766]  __se_sys_read+0x92/0xb0
[  148.665558][T12766]  __x64_sys_read+0x4a/0x70
[  148.670041][T12766]  do_syscall_64+0xb6/0x160
[  148.674537][T12766]  entry_SYSCALL_64_after_hwframe+0x63/0xe7
[  148.680402][T12766] 
[  148.682710][T12766] Uninit was created at:
[  148.686950][T12766]  kmsan_internal_poison_shadow+0x60/0x120
[  148.692744][T12766]  kmsan_slab_free+0x8d/0xf0
[  148.697314][T12766]  kmem_cache_free_bulk+0x3ad9/0x3f10
[  148.702669][T12766]  __kfree_skb_flush+0xb0/0x100
[  148.707517][T12766]  net_rx_action+0x1a5e/0x1aa0
[  148.712262][T12766]  __do_softirq+0x4a1/0x83a
[  148.716760][T12766]  irq_exit+0x230/0x280
[  148.720901][T12766]  do_IRQ+0x123/0x360
[  148.724864][T12766]  ret_from_intr+0x0/0x33
[  148.729178][T12766]  kmsan_get_shadow_origin_ptr+0x13b/0x4b0
[  148.734978][T12766]  __msan_metadata_ptr_for_load_4+0x10/0x20
[  148.740855][T12766]  __tcp_select_window+0x7d/0xc10
[  148.745864][T12766]  __tcp_transmit_skb+0x1604/0x5d90
[  148.751055][T12766]  __tcp_send_ack+0x701/0x840
[  148.755718][T12766]  tcp_send_ack+0x68/0x90
[  148.760032][T12766]  tcp_cleanup_rbuf+0x764/0x800
[  148.764864][T12766]  tcp_recvmsg+0x334d/0x4ff0
[  148.769447][T12766]  inet_recvmsg+0x237/0x7d0
[  148.773934][T12766]  sock_read_iter+0x5be/0x660
[  148.778598][T12766]  __vfs_read+0xa67/0xc90
[  148.782905][T12766]  vfs_read+0x359/0x6f0
[  148.787043][T12766]  ksys_read+0x265/0x430
[  148.791263][T12766]  __se_sys_read+0x92/0xb0
[  148.795660][T12766]  __x64_sys_read+0x4a/0x70
[  148.800147][T12766]  do_syscall_64+0xb6/0x160
[  148.804635][T12766]  entry_SYSCALL_64_after_hwframe+0x63/0xe7
[  148.810503][T12766] =====================================================
[  148.817415][T12766] Disabling lock debugging due to kernel taint
[  148.823555][T12766] Kernel panic - not syncing: panic_on_warn set ...
[  148.830133][T12766] CPU: 1 PID: 12766 Comm: syz-fuzzer Tainted: G    B             5.4.0-rc3+ #0
[  148.839040][T12766] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[  148.849074][T12766] Call Trace:
[  148.852356][T12766]  dump_stack+0x191/0x1f0
[  148.856673][T12766]  panic+0x3c9/0xc1e
[  148.860578][T12766]  kmsan_report+0x215/0x220
[  148.865077][T12766]  __msan_warning+0x73/0xe0
[  148.869567][T12766]  kmem_cache_free+0x3df/0x2b70
[  148.874404][T12766]  ? kmsan_internal_set_origin+0x6a/0xb0
[  148.880043][T12766]  ? kfree_skb+0x473/0x4c0
[  148.884457][T12766]  ? kmsan_internal_unpoison_shadow+0x42/0x80
[  148.890526][T12766]  kfree_skb+0x473/0x4c0
[  148.894756][T12766]  ? packet_rcv_spkt+0x68d/0x7c0
[  148.899682][T12766]  packet_rcv_spkt+0x68d/0x7c0
[  148.904443][T12766]  ? packet_rcv+0x2110/0x2110
[  148.909102][T12766]  dev_queue_xmit_nit+0x1125/0x1200
[  148.914303][T12766]  dev_hard_start_xmit+0x21e/0xab0
[  148.919409][T12766]  ? kmsan_get_shadow_origin_ptr+0x91/0x4b0
[  148.925292][T12766]  sch_direct_xmit+0x56c/0x18c0
[  148.930145][T12766]  __dev_queue_xmit+0x212d/0x4200
[  148.935189][T12766]  dev_queue_xmit+0x4b/0x60
[  148.939699][T12766]  ip_finish_output2+0x20d6/0x25d0
[  148.944801][T12766]  ? __msan_metadata_ptr_for_load_2+0x10/0x20
[  148.950854][T12766]  ? nf_ct_deliver_cached_events+0x4d5/0x6e0
[  148.956840][T12766]  __ip_finish_output+0xaf8/0xda0
[  148.961863][T12766]  ip_finish_output+0x2db/0x420
[  148.966712][T12766]  ip_output+0x541/0x610
[  148.970951][T12766]  ? ip_mc_finish_output+0x6d0/0x6d0
[  148.976226][T12766]  ? ip_finish_output+0x420/0x420
[  148.981237][T12766]  __ip_queue_xmit+0x1caf/0x21f0
[  148.986170][T12766]  ? __msan_metadata_ptr_for_store_8+0x13/0x20
[  148.992331][T12766]  ip_queue_xmit+0xcc/0xf0
[  148.996744][T12766]  ? tcp_v4_inbound_md5_hash+0xd10/0xd10
[  149.002361][T12766]  __tcp_transmit_skb+0x40e3/0x5d90
[  149.007583][T12766]  __tcp_send_ack+0x701/0x840
[  149.012255][T12766]  tcp_send_ack+0x68/0x90
[  149.016574][T12766]  tcp_cleanup_rbuf+0x764/0x800
[  149.021419][T12766]  tcp_recvmsg+0x334d/0x4ff0
[  149.026031][T12766]  ? kmsan_get_shadow_origin_ptr+0x91/0x4b0
[  149.031921][T12766]  ? tcp_mmap+0x150/0x150
[  149.036232][T12766]  ? tcp_mmap+0x150/0x150
[  149.040555][T12766]  inet_recvmsg+0x237/0x7d0
[  149.045047][T12766]  ? inet_sendpage+0x2c0/0x2c0
[  149.049807][T12766]  ? kmsan_get_shadow_origin_ptr+0x91/0x4b0
[  149.055688][T12766]  ? inet_sendpage+0x2c0/0x2c0
[  149.060439][T12766]  ? inet_sendpage+0x2c0/0x2c0
[  149.065191][T12766]  sock_read_iter+0x5be/0x660
[  149.069865][T12766]  ? kernel_sock_ip_overhead+0x340/0x340
[  149.075482][T12766]  __vfs_read+0xa67/0xc90
[  149.079815][T12766]  vfs_read+0x359/0x6f0
[  149.083966][T12766]  ksys_read+0x265/0x430
[  149.088206][T12766]  __se_sys_read+0x92/0xb0
[  149.092610][T12766]  __x64_sys_read+0x4a/0x70
[  149.097107][T12766]  do_syscall_64+0xb6/0x160
[  149.101597][T12766]  entry_SYSCALL_64_after_hwframe+0x63/0xe7
[  149.107476][T12766] RIP: 0033:0x47fd44
[  149.111355][T12766] Code: ff ff cc cc cc cc e8 9b 40 fb ff 48 8b 7c 24 10 48 8b 74 24 18 48 8b 54 24 20 45 31 d2 45 31 c0 45 31 c9 48 8b 44 24 08 0f 05 <48> 3d 01 f0 ff ff 76 20 48 c7 44 24 28 ff ff ff ff 48 c7 44 24 30
[  149.130942][T12766] RSP: 002b:000000c42039b710 EFLAGS: 00000246 ORIG_RAX: 0000000000000000
[  149.139340][T12766] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 000000000047fd44
[  149.147304][T12766] RDX: 0000000000001000 RSI: 000000c4203ae000 RDI: 0000000000000003
[  149.155261][T12766] RBP: 000000c42039b760 R08: 0000000000000000 R09: 0000000000000000
[  149.163213][T12766] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000004
[  149.171165][T12766] R13: 0000000000000004 R14: 0000000000000004 R15: ffffffffffffffff
[  149.180379][T12766] Kernel Offset: disabled
[  149.184705][T12766] Rebooting in 86400 seconds..