[   37.030752][   T27] audit: type=1800 audit(1553579095.260:26): pid=7640 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="mcstrans" dev="sda1" ino=2457 res=0
[   37.065765][   T27] audit: type=1800 audit(1553579095.260:27): pid=7640 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="restorecond" dev="sda1" ino=2436 res=0
[   37.086923][   T27] audit: type=1800 audit(1553579095.260:28): pid=7640 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="ssh" dev="sda1" ino=2417 res=0
[....] Starting periodic command scheduler: cron[?25l[?1c7[1G[[32m ok [39;49m8[?25h[?0c.
[....] Starting OpenBSD Secure Shell server: sshd[?25l[?1c7[1G[[32m ok [39;49m8[?25h[?0c.
[   37.803998][   T27] audit: type=1800 audit(1553579096.060:29): pid=7640 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="rc.local" dev="sda1" ino=2432 res=0

Debian GNU/Linux 7 syzkaller ttyS0

Warning: Permanently added '10.128.15.219' (ECDSA) to the list of known hosts.
executing program
syzkaller login: [   46.351695][    C1] TCP: request_sock_TCPv6: Possible SYN flooding on port 20002. Sending cookies.  Check SNMP counters.
[   46.411608][    C1] TCP: request_sock_TCPv6: Possible SYN flooding on port 20002. Sending cookies.  Check SNMP counters.
[   46.474102][ T7795] ==================================================================
[   46.482328][ T7795] BUG: KASAN: use-after-free in skb_release_data+0x11d/0x7a0
[   46.489706][ T7795] Write of size 4 at addr ffff8880a95c27a0 by task syz-executor705/7795
[   46.498016][ T7795] 
[   46.500357][ T7795] CPU: 0 PID: 7795 Comm: syz-executor705 Not tainted 5.0.0+ #108
[   46.508052][ T7795] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   46.518102][ T7795] Call Trace:
[   46.521405][ T7795]  dump_stack+0x172/0x1f0
[   46.525722][ T7795]  ? skb_release_data+0x11d/0x7a0
[   46.530752][ T7795]  ? inet_sock_destruct+0x10b/0x830
[   46.535941][ T7795]  print_address_description.cold+0x7c/0x20d
[   46.542090][ T7795]  ? skb_release_data+0x11d/0x7a0
[   46.547118][ T7795]  ? skb_release_data+0x11d/0x7a0
[   46.552158][ T7795]  ? inet_sock_destruct+0x10b/0x830
[   46.557360][ T7795]  kasan_report.cold+0x1b/0x40
[   46.562147][ T7795]  ? skb_release_data+0x11d/0x7a0
[   46.567194][ T7795]  check_memory_region+0x123/0x190
[   46.572345][ T7795]  kasan_check_write+0x14/0x20
[   46.577293][ T7795]  skb_release_data+0x11d/0x7a0
[   46.582144][ T7795]  ? sock_rfree+0x121/0x180
[   46.586651][ T7795]  ? inet_sock_destruct+0x10b/0x830
[   46.591845][ T7795]  skb_release_all+0x4d/0x60
[   46.596441][ T7795]  kfree_skb+0xe8/0x390
[   46.600587][ T7795]  inet_sock_destruct+0x10b/0x830
[   46.605607][ T7795]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   46.611866][ T7795]  ? ipip_gso_segment+0x100/0x100
[   46.616881][ T7795]  __sk_destruct+0x55/0x6d0
[   46.621375][ T7795]  sk_destruct+0x7b/0x90
[   46.625621][ T7795]  __sk_free+0xce/0x300
[   46.629788][ T7795]  sk_free+0x42/0x50
[   46.633677][ T7795]  sk_common_release+0x224/0x330
[   46.638707][ T7795]  rawv6_close+0x68/0x90
[   46.642978][ T7795]  inet_release+0x105/0x1f0
[   46.647515][ T7795]  inet6_release+0x53/0x80
[   46.651931][ T7795]  __sock_release+0xd3/0x2b0
[   46.656524][ T7795]  ? __sock_release+0x2b0/0x2b0
[   46.661385][ T7795]  sock_close+0x1b/0x30
[   46.665647][ T7795]  __fput+0x2e5/0x8d0
[   46.669619][ T7795]  ____fput+0x16/0x20
[   46.673591][ T7795]  task_work_run+0x14a/0x1c0
[   46.678177][ T7795]  do_exit+0x90a/0x2fa0
[   46.682410][ T7795]  ? get_signal+0x331/0x1d50
[   46.687000][ T7795]  ? mm_update_next_owner+0x640/0x640
[   46.693540][ T7795]  ? kasan_check_write+0x14/0x20
[   46.698471][ T7795]  ? _raw_spin_unlock_irq+0x28/0x90
[   46.703655][ T7795]  ? get_signal+0x331/0x1d50
[   46.708228][ T7795]  ? _raw_spin_unlock_irq+0x28/0x90
[   46.713426][ T7795]  do_group_exit+0x135/0x370
[   46.718038][ T7795]  get_signal+0x399/0x1d50
[   46.722450][ T7795]  ? fput+0x1b/0x20
[   46.726247][ T7795]  do_signal+0x87/0x1940
[   46.730489][ T7795]  ? setup_sigcontext+0x7d0/0x7d0
[   46.735547][ T7795]  ? exit_to_usermode_loop+0x43/0x2c0
[   46.740932][ T7795]  ? do_syscall_64+0x52d/0x610
[   46.745695][ T7795]  ? exit_to_usermode_loop+0x43/0x2c0
[   46.751080][ T7795]  ? lockdep_hardirqs_on+0x418/0x5d0
[   46.756361][ T7795]  ? trace_hardirqs_on+0x67/0x230
[   46.761388][ T7795]  exit_to_usermode_loop+0x244/0x2c0
[   46.766695][ T7795]  do_syscall_64+0x52d/0x610
[   46.771300][ T7795]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   46.777190][ T7795] RIP: 0033:0x4459a9
[   46.781263][ T7795] Code: Bad RIP value.
[   46.785336][ T7795] RSP: 002b:00007f46bf5d7da8 EFLAGS: 00000246 ORIG_RAX: 00000000000000ca
[   46.793833][ T7795] RAX: fffffffffffffe00 RBX: 00000000006dac48 RCX: 00000000004459a9
[   46.801817][ T7795] RDX: 0000000000000000 RSI: 0000000000000080 RDI: 00000000006dac48
[   46.809798][ T7795] RBP: 00000000006dac40 R08: 0000000000000000 R09: 0000000000000000
[   46.817788][ T7795] R10: 0000000000000000 R11: 0000000000000246 R12: 00000000006dac4c
[   46.825773][ T7795] R13: 0000000000000000 R14: 0000000000000000 R15: 20c49ba5e353f7cf
[   46.833777][ T7795] 
[   46.836105][ T7795] Allocated by task 7795:
[   46.840456][ T7795]  save_stack+0x45/0xd0
[   46.844616][ T7795]  __kasan_kmalloc.constprop.0+0xcf/0xe0
[   46.850247][ T7795]  kasan_kmalloc+0x9/0x10
[   46.854586][ T7795]  __kmalloc_node_track_caller+0x4e/0x70
[   46.860236][ T7795]  __kmalloc_reserve.isra.0+0x40/0xf0
[   46.865624][ T7795]  __alloc_skb+0x10b/0x5e0
[   46.870038][ T7795]  sk_stream_alloc_skb+0x113/0xd10
[   46.875152][ T7795]  tcp_connect+0xfd8/0x4280
[   46.879662][ T7795]  tcp_v6_connect+0x150b/0x20a0
[   46.884506][ T7795]  __inet_stream_connect+0x83f/0xea0
[   46.889778][ T7795]  tcp_sendmsg_locked+0x2314/0x34d0
[   46.894964][ T7795]  tcp_sendmsg+0x30/0x50
[   46.899204][ T7795]  inet_sendmsg+0x147/0x5e0
[   46.903695][ T7795]  sock_sendmsg+0xdd/0x130
[   46.908095][ T7795]  __sys_sendto+0x262/0x380
[   46.912601][ T7795]  __x64_sys_sendto+0xe1/0x1a0
[   46.917349][ T7795]  do_syscall_64+0x103/0x610
[   46.921950][ T7795]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   46.927831][ T7795] 
[   46.930157][ T7795] Freed by task 7795:
[   46.934132][ T7795]  save_stack+0x45/0xd0
[   46.938302][ T7795]  __kasan_slab_free+0x102/0x150
[   46.943231][ T7795]  kasan_slab_free+0xe/0x10
[   46.947722][ T7795]  kfree+0xcf/0x230
[   46.951517][ T7795]  skb_free_head+0x93/0xb0
[   46.955931][ T7795]  skb_release_data+0x576/0x7a0
[   46.960763][ T7795]  skb_release_all+0x4d/0x60
[   46.965354][ T7795]  kfree_skb+0xe8/0x390
[   46.969532][ T7795]  inet_sock_destruct+0x10b/0x830
[   46.974654][ T7795]  __sk_destruct+0x55/0x6d0
[   46.979147][ T7795]  sk_destruct+0x7b/0x90
[   46.983374][ T7795]  __sk_free+0xce/0x300
[   46.987511][ T7795]  sk_free+0x42/0x50
[   46.991387][ T7795]  sk_common_release+0x224/0x330
[   46.996312][ T7795]  rawv6_close+0x68/0x90
[   47.000541][ T7795]  inet_release+0x105/0x1f0
[   47.005041][ T7795]  inet6_release+0x53/0x80
[   47.009453][ T7795]  __sock_release+0xd3/0x2b0
[   47.014203][ T7795]  sock_close+0x1b/0x30
[   47.018366][ T7795]  __fput+0x2e5/0x8d0
[   47.022346][ T7795]  ____fput+0x16/0x20
[   47.026315][ T7795]  task_work_run+0x14a/0x1c0
[   47.030902][ T7795]  do_exit+0x90a/0x2fa0
[   47.035064][ T7795]  do_group_exit+0x135/0x370
[   47.039728][ T7795]  get_signal+0x399/0x1d50
[   47.044158][ T7795]  do_signal+0x87/0x1940
[   47.048396][ T7795]  exit_to_usermode_loop+0x244/0x2c0
[   47.053691][ T7795]  do_syscall_64+0x52d/0x610
[   47.058289][ T7795]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   47.064176][ T7795] 
[   47.066514][ T7795] The buggy address belongs to the object at ffff8880a95c24c0
[   47.066514][ T7795]  which belongs to the cache kmalloc-1k of size 1024
[   47.081551][ T7795] The buggy address is located 736 bytes inside of
[   47.081551][ T7795]  1024-byte region [ffff8880a95c24c0, ffff8880a95c28c0)
[   47.094931][ T7795] The buggy address belongs to the page:
[   47.100582][ T7795] page:ffffea0002a57080 count:1 mapcount:0 mapping:ffff88812c3f0ac0 index:0x0 compound_mapcount: 0
[   47.111252][ T7795] flags: 0x1fffc0000010200(slab|head)
[   47.116638][ T7795] raw: 01fffc0000010200 ffffea00024cc108 ffffea0002a48a08 ffff88812c3f0ac0
[   47.125239][ T7795] raw: 0000000000000000 ffff8880a95c2040 0000000100000007 0000000000000000
[   47.133844][ T7795] page dumped because: kasan: bad access detected
[   47.140247][ T7795] 
[   47.142581][ T7795] Memory state around the buggy address:
[   47.148215][ T7795]  ffff8880a95c2680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   47.156284][ T7795]  ffff8880a95c2700: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   47.164459][ T7795] >ffff8880a95c2780: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   47.172513][ T7795]                                ^
[   47.177622][ T7795]  ffff8880a95c2800: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   47.185760][ T7795]  ffff8880a95c2880: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[   47.193814][ T7795] ==================================================================
[   47.201863][ T7795] Disabling lock debugging due to kernel taint
[   47.208195][ T7795] Kernel panic - not syncing: panic_on_warn set ...
[   47.214795][ T7795] CPU: 0 PID: 7795 Comm: syz-executor705 Tainted: G    B             5.0.0+ #108
[   47.223880][ T7795] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   47.233927][ T7795] Call Trace:
[   47.237216][ T7795]  dump_stack+0x172/0x1f0
[   47.241540][ T7795]  ? inet_sock_destruct+0x10b/0x830
[   47.246808][ T7795]  panic+0x2cb/0x65c
[   47.250861][ T7795]  ? __warn_printk+0xf3/0xf3
[   47.255452][ T7795]  ? skb_release_data+0x11d/0x7a0
[   47.260746][ T7795]  ? inet_sock_destruct+0x10b/0x830
[   47.265951][ T7795]  ? preempt_schedule+0x4b/0x60
[   47.270912][ T7795]  ? ___preempt_schedule+0x16/0x18
[   47.276192][ T7795]  ? trace_hardirqs_on+0x5e/0x230
[   47.281226][ T7795]  ? skb_release_data+0x11d/0x7a0
[   47.286241][ T7795]  ? inet_sock_destruct+0x10b/0x830
[   47.291469][ T7795]  end_report+0x47/0x4f
[   47.295611][ T7795]  ? skb_release_data+0x11d/0x7a0
[   47.300637][ T7795]  kasan_report.cold+0xe/0x40
[   47.305304][ T7795]  ? skb_release_data+0x11d/0x7a0
[   47.310314][ T7795]  check_memory_region+0x123/0x190
[   47.315408][ T7795]  kasan_check_write+0x14/0x20
[   47.320251][ T7795]  skb_release_data+0x11d/0x7a0
[   47.325081][ T7795]  ? sock_rfree+0x121/0x180
[   47.329570][ T7795]  ? inet_sock_destruct+0x10b/0x830
[   47.334782][ T7795]  skb_release_all+0x4d/0x60
[   47.339361][ T7795]  kfree_skb+0xe8/0x390
[   47.343522][ T7795]  inet_sock_destruct+0x10b/0x830
[   47.348564][ T7795]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   47.354822][ T7795]  ? ipip_gso_segment+0x100/0x100
[   47.359852][ T7795]  __sk_destruct+0x55/0x6d0
[   47.364345][ T7795]  sk_destruct+0x7b/0x90
[   47.368572][ T7795]  __sk_free+0xce/0x300
[   47.372708][ T7795]  sk_free+0x42/0x50
[   47.376585][ T7795]  sk_common_release+0x224/0x330
[   47.381507][ T7795]  rawv6_close+0x68/0x90
[   47.385734][ T7795]  inet_release+0x105/0x1f0
[   47.390218][ T7795]  inet6_release+0x53/0x80
[   47.394612][ T7795]  __sock_release+0xd3/0x2b0
[   47.399197][ T7795]  ? __sock_release+0x2b0/0x2b0
[   47.404034][ T7795]  sock_close+0x1b/0x30
[   47.408175][ T7795]  __fput+0x2e5/0x8d0
[   47.412151][ T7795]  ____fput+0x16/0x20
[   47.416112][ T7795]  task_work_run+0x14a/0x1c0
[   47.420725][ T7795]  do_exit+0x90a/0x2fa0
[   47.424861][ T7795]  ? get_signal+0x331/0x1d50
[   47.429434][ T7795]  ? mm_update_next_owner+0x640/0x640
[   47.434791][ T7795]  ? kasan_check_write+0x14/0x20
[   47.439720][ T7795]  ? _raw_spin_unlock_irq+0x28/0x90
[   47.444933][ T7795]  ? get_signal+0x331/0x1d50
[   47.449516][ T7795]  ? _raw_spin_unlock_irq+0x28/0x90
[   47.454730][ T7795]  do_group_exit+0x135/0x370
[   47.459315][ T7795]  get_signal+0x399/0x1d50
[   47.463730][ T7795]  ? fput+0x1b/0x20
[   47.467571][ T7795]  do_signal+0x87/0x1940
[   47.472122][ T7795]  ? setup_sigcontext+0x7d0/0x7d0
[   47.477136][ T7795]  ? exit_to_usermode_loop+0x43/0x2c0
[   47.482491][ T7795]  ? do_syscall_64+0x52d/0x610
[   47.487234][ T7795]  ? exit_to_usermode_loop+0x43/0x2c0
[   47.492681][ T7795]  ? lockdep_hardirqs_on+0x418/0x5d0
[   47.498310][ T7795]  ? trace_hardirqs_on+0x67/0x230
[   47.503353][ T7795]  exit_to_usermode_loop+0x244/0x2c0
[   47.508919][ T7795]  do_syscall_64+0x52d/0x610
[   47.513520][ T7795]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   47.519393][ T7795] RIP: 0033:0x4459a9
[   47.523333][ T7795] Code: Bad RIP value.
[   47.527402][ T7795] RSP: 002b:00007f46bf5d7da8 EFLAGS: 00000246 ORIG_RAX: 00000000000000ca
[   47.536147][ T7795] RAX: fffffffffffffe00 RBX: 00000000006dac48 RCX: 00000000004459a9
[   47.544279][ T7795] RDX: 0000000000000000 RSI: 0000000000000080 RDI: 00000000006dac48
[   47.552250][ T7795] RBP: 00000000006dac40 R08: 0000000000000000 R09: 0000000000000000
[   47.560230][ T7795] R10: 0000000000000000 R11: 0000000000000246 R12: 00000000006dac4c
[   47.568216][ T7795] R13: 0000000000000000 R14: 0000000000000000 R15: 20c49ba5e353f7cf
[   47.581618][ T7795] Kernel Offset: disabled
[   47.585946][ T7795] Rebooting in 86400 seconds..