[....] Starting enhanced syslogd: rsyslogd[?25l[?1c7[ ok 8[?25h[?0c. [ 78.218397][ T31] audit: type=1800 audit(1572025067.267:25): pid=11391 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="cron" dev="sda1" ino=2414 res=0 [ 78.248132][ T31] audit: type=1800 audit(1572025067.287:26): pid=11391 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="mcstrans" dev="sda1" ino=2457 res=0 [ 78.268517][ T31] audit: type=1800 audit(1572025067.297:27): pid=11391 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="restorecond" dev="sda1" ino=2436 res=0 [....] Starting periodic command scheduler: cron[?25l[?1c7[ ok 8[?25h[?0c. [....] Starting OpenBSD Secure Shell server: sshd[?25l[?1c7[ ok 8[?25h[?0c. Debian GNU/Linux 7 syzkaller ttyS0 Warning: Permanently added '10.128.0.55' (ECDSA) to the list of known hosts. 2019/10/25 17:38:02 fuzzer started 2019/10/25 17:38:07 dialing manager at 10.128.0.26:45117 2019/10/25 17:38:07 syscalls: 2424 2019/10/25 17:38:07 code coverage: enabled 2019/10/25 17:38:07 comparison tracing: CONFIG_KCOV_ENABLE_COMPARISONS is not enabled 2019/10/25 17:38:07 extra coverage: enabled 2019/10/25 17:38:07 setuid sandbox: enabled 2019/10/25 17:38:07 namespace sandbox: enabled 2019/10/25 17:38:07 Android sandbox: /sys/fs/selinux/policy does not exist 2019/10/25 17:38:07 fault injection: enabled 2019/10/25 17:38:07 leak checking: CONFIG_DEBUG_KMEMLEAK is not enabled 2019/10/25 17:38:07 net packet injection: enabled 2019/10/25 17:38:07 net device setup: enabled 2019/10/25 17:38:07 concurrency sanitizer: /sys/kernel/debug/kcsan does not exist syzkaller login: [ 119.356182][T11542] ===================================================== [ 119.363200][T11542] BUG: KMSAN: use-after-free in kmem_cache_free+0x3df/0x2b70 [ 119.371366][T11542] CPU: 0 PID: 11542 Comm: syz-fuzzer Not tainted 5.4.0-rc3+ #0 [ 119.378907][T11542] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 119.388967][T11542] Call Trace: [ 119.392276][T11542] dump_stack+0x191/0x1f0 [ 119.396621][T11542] kmsan_report+0x128/0x220 [ 119.401142][T11542] __msan_warning+0x73/0xe0 [ 119.406266][T11542] kmem_cache_free+0x3df/0x2b70 [ 119.411133][T11542] ? kmsan_internal_set_origin+0x6a/0xb0 [ 119.416876][T11542] ? kfree_skb+0x473/0x4c0 [ 119.421285][T11542] ? kmsan_internal_unpoison_shadow+0x42/0x80 [ 119.427581][T11542] kfree_skb+0x473/0x4c0 [ 119.431885][T11542] ? packet_rcv_spkt+0x68d/0x7c0 [ 119.436996][T11542] packet_rcv_spkt+0x68d/0x7c0 [ 119.441755][T11542] ? packet_rcv+0x2110/0x2110 [ 119.446768][T11542] dev_queue_xmit_nit+0x1125/0x1200 [ 119.451962][T11542] dev_hard_start_xmit+0x21e/0xab0 [ 119.457078][T11542] ? kmsan_get_shadow_origin_ptr+0x91/0x4b0 [ 119.462956][T11542] sch_direct_xmit+0x56c/0x18c0 [ 119.467794][T11542] __dev_queue_xmit+0x212d/0x4200 [ 119.472822][T11542] dev_queue_xmit+0x4b/0x60 [ 119.477394][T11542] ip_finish_output2+0x20d6/0x25d0 [ 119.482930][T11542] ? __msan_metadata_ptr_for_load_2+0x10/0x20 [ 119.488976][T11542] ? nf_ct_deliver_cached_events+0x4d5/0x6e0 [ 119.495034][T11542] __ip_finish_output+0xaf8/0xda0 [ 119.500046][T11542] ip_finish_output+0x2db/0x420 [ 119.504884][T11542] ip_output+0x541/0x610 [ 119.509544][T11542] ? ip_mc_finish_output+0x6d0/0x6d0 [ 119.514807][T11542] ? ip_finish_output+0x420/0x420 [ 119.519814][T11542] __ip_queue_xmit+0x1caf/0x21f0 [ 119.524758][T11542] ? kmsan_get_shadow_origin_ptr+0x91/0x4b0 [ 119.530637][T11542] ? __msan_metadata_ptr_for_load_8+0x10/0x20 [ 119.536697][T11542] ? should_fail+0x1d2/0xa50 [ 119.541800][T11542] ip_queue_xmit+0xcc/0xf0 [ 119.546214][T11542] ? tcp_v4_inbound_md5_hash+0xd10/0xd10 [ 119.551836][T11542] __tcp_transmit_skb+0x40e3/0x5d90 [ 119.557030][T11542] __tcp_send_ack+0x701/0x840 [ 119.561690][T11542] tcp_send_ack+0x68/0x90 [ 119.565998][T11542] tcp_cleanup_rbuf+0x764/0x800 [ 119.570841][T11542] tcp_recvmsg+0x334d/0x4ff0 [ 119.575439][T11542] ? kmsan_get_shadow_origin_ptr+0x91/0x4b0 [ 119.581319][T11542] ? tcp_mmap+0x150/0x150 [ 119.585627][T11542] ? tcp_mmap+0x150/0x150 [ 119.589942][T11542] inet_recvmsg+0x237/0x7d0 [ 119.594442][T11542] ? inet_sendpage+0x2c0/0x2c0 [ 119.599185][T11542] ? kmsan_get_shadow_origin_ptr+0x91/0x4b0 [ 119.605055][T11542] ? inet_sendpage+0x2c0/0x2c0 [ 119.609813][T11542] ? inet_sendpage+0x2c0/0x2c0 [ 119.614564][T11542] sock_read_iter+0x5be/0x660 [ 119.619227][T11542] ? kernel_sock_ip_overhead+0x340/0x340 [ 119.624838][T11542] __vfs_read+0xa67/0xc90 [ 119.629168][T11542] vfs_read+0x359/0x6f0 [ 119.633307][T11542] ksys_read+0x265/0x430 [ 119.637542][T11542] __se_sys_read+0x92/0xb0 [ 119.642722][T11542] __x64_sys_read+0x4a/0x70 [ 119.647214][T11542] do_syscall_64+0xb6/0x160 [ 119.651697][T11542] entry_SYSCALL_64_after_hwframe+0x63/0xe7 [ 119.657573][T11542] RIP: 0033:0x47fd44 [ 119.661447][T11542] Code: ff ff cc cc cc cc e8 9b 40 fb ff 48 8b 7c 24 10 48 8b 74 24 18 48 8b 54 24 20 45 31 d2 45 31 c0 45 31 c9 48 8b 44 24 08 0f 05 <48> 3d 01 f0 ff ff 76 20 48 c7 44 24 28 ff ff ff ff 48 c7 44 24 30 [ 119.681035][T11542] RSP: 002b:000000c420065710 EFLAGS: 00000246 ORIG_RAX: 0000000000000000 [ 119.690119][T11542] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 000000000047fd44 [ 119.698080][T11542] RDX: 0000000000001000 RSI: 000000c42034a000 RDI: 0000000000000003 [ 119.706027][T11542] RBP: 000000c420065760 R08: 0000000000000000 R09: 0000000000000000 [ 119.713976][T11542] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000010 [ 119.722060][T11542] R13: 0000000000000010 R14: 0000000000000040 R15: ffffffffffffffff [ 119.730052][T11542] [ 119.732359][T11542] Uninit was stored to memory at: [ 119.737375][T11542] kmsan_internal_chain_origin+0xbd/0x180 [ 119.743084][T11542] __msan_chain_origin+0x6b/0xd0 [ 119.747999][T11542] ___slab_alloc+0x1dbc/0x1fb0 [ 119.752737][T11542] kmem_cache_alloc+0xade/0xd10 [ 119.757562][T11542] skb_clone+0x326/0x5d0 [ 119.761776][T11542] dev_queue_xmit_nit+0x539/0x1200 [ 119.766862][T11542] dev_hard_start_xmit+0x21e/0xab0 [ 119.771964][T11542] sch_direct_xmit+0x56c/0x18c0 [ 119.776787][T11542] __dev_queue_xmit+0x212d/0x4200 [ 119.781796][T11542] dev_queue_xmit+0x4b/0x60 [ 119.786275][T11542] ip_finish_output2+0x20d6/0x25d0 [ 119.791359][T11542] __ip_finish_output+0xaf8/0xda0 [ 119.796355][T11542] ip_finish_output+0x2db/0x420 [ 119.801181][T11542] ip_output+0x541/0x610 [ 119.805406][T11542] __ip_queue_xmit+0x1caf/0x21f0 [ 119.810324][T11542] ip_queue_xmit+0xcc/0xf0 [ 119.814716][T11542] __tcp_transmit_skb+0x40e3/0x5d90 [ 119.819891][T11542] __tcp_send_ack+0x701/0x840 [ 119.824543][T11542] tcp_send_ack+0x68/0x90 [ 119.828846][T11542] tcp_cleanup_rbuf+0x764/0x800 [ 119.833671][T11542] tcp_recvmsg+0x334d/0x4ff0 [ 119.838246][T11542] inet_recvmsg+0x237/0x7d0 [ 119.842728][T11542] sock_read_iter+0x5be/0x660 [ 119.847380][T11542] __vfs_read+0xa67/0xc90 [ 119.851684][T11542] vfs_read+0x359/0x6f0 [ 119.855812][T11542] ksys_read+0x265/0x430 [ 119.860028][T11542] __se_sys_read+0x92/0xb0 [ 119.864418][T11542] __x64_sys_read+0x4a/0x70 [ 119.868934][T11542] do_syscall_64+0xb6/0x160 [ 119.873430][T11542] entry_SYSCALL_64_after_hwframe+0x63/0xe7 [ 119.879296][T11542] [ 119.881601][T11542] Uninit was created at: [ 119.885822][T11542] kmsan_internal_poison_shadow+0x60/0x120 [ 119.891602][T11542] kmsan_slab_free+0x8d/0xf0 [ 119.896167][T11542] kmem_cache_free_bulk+0x3ad9/0x3f10 [ 119.901522][T11542] __kfree_skb_flush+0xb0/0x100 [ 119.906349][T11542] net_rx_action+0x1a5e/0x1aa0 [ 119.911092][T11542] __do_softirq+0x4a1/0x83a [ 119.915568][T11542] irq_exit+0x230/0x280 [ 119.919695][T11542] do_IRQ+0x123/0x360 [ 119.923650][T11542] ret_from_intr+0x0/0x33 [ 119.927953][T11542] __msan_memset+0xa9/0xf0 [ 119.932346][T11542] sock_read_iter+0x12a/0x660 [ 119.936996][T11542] __vfs_read+0xa67/0xc90 [ 119.941298][T11542] vfs_read+0x359/0x6f0 [ 119.945432][T11542] ksys_read+0x265/0x430 [ 119.949646][T11542] __se_sys_read+0x92/0xb0 [ 119.954035][T11542] __x64_sys_read+0x4a/0x70 [ 119.958511][T11542] do_syscall_64+0xb6/0x160 [ 119.963001][T11542] entry_SYSCALL_64_after_hwframe+0x63/0xe7 [ 119.968862][T11542] ===================================================== [ 119.975775][T11542] Disabling lock debugging due to kernel taint [ 119.981912][T11542] Kernel panic - not syncing: panic_on_warn set ... [ 119.988477][T11542] CPU: 0 PID: 11542 Comm: syz-fuzzer Tainted: G B 5.4.0-rc3+ #0 [ 119.997380][T11542] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 120.007425][T11542] Call Trace: [ 120.010698][T11542] dump_stack+0x191/0x1f0 [ 120.015011][T11542] panic+0x3c9/0xc1e [ 120.018917][T11542] kmsan_report+0x215/0x220 [ 120.023537][T11542] __msan_warning+0x73/0xe0 [ 120.028080][T11542] kmem_cache_free+0x3df/0x2b70 [ 120.032917][T11542] ? kmsan_internal_set_origin+0x6a/0xb0 [ 120.038818][T11542] ? kfree_skb+0x473/0x4c0 [ 120.043215][T11542] ? kmsan_internal_unpoison_shadow+0x42/0x80 [ 120.049281][T11542] kfree_skb+0x473/0x4c0 [ 120.053504][T11542] ? packet_rcv_spkt+0x68d/0x7c0 [ 120.058429][T11542] packet_rcv_spkt+0x68d/0x7c0 [ 120.063283][T11542] ? packet_rcv+0x2110/0x2110 [ 120.067947][T11542] dev_queue_xmit_nit+0x1125/0x1200 [ 120.073146][T11542] dev_hard_start_xmit+0x21e/0xab0 [ 120.078253][T11542] ? kmsan_get_shadow_origin_ptr+0x91/0x4b0 [ 120.084190][T11542] sch_direct_xmit+0x56c/0x18c0 [ 120.089055][T11542] __dev_queue_xmit+0x212d/0x4200 [ 120.094083][T11542] dev_queue_xmit+0x4b/0x60 [ 120.098571][T11542] ip_finish_output2+0x20d6/0x25d0 [ 120.103667][T11542] ? __msan_metadata_ptr_for_load_2+0x10/0x20 [ 120.109734][T11542] ? nf_ct_deliver_cached_events+0x4d5/0x6e0 [ 120.115720][T11542] __ip_finish_output+0xaf8/0xda0 [ 120.120740][T11542] ip_finish_output+0x2db/0x420 [ 120.125581][T11542] ip_output+0x541/0x610 [ 120.129808][T11542] ? ip_mc_finish_output+0x6d0/0x6d0 [ 120.135073][T11542] ? ip_finish_output+0x420/0x420 [ 120.140086][T11542] __ip_queue_xmit+0x1caf/0x21f0 [ 120.145009][T11542] ? kmsan_get_shadow_origin_ptr+0x91/0x4b0 [ 120.150883][T11542] ? __msan_metadata_ptr_for_load_8+0x10/0x20 [ 120.156944][T11542] ? should_fail+0x1d2/0xa50 [ 120.161536][T11542] ip_queue_xmit+0xcc/0xf0 [ 120.165940][T11542] ? tcp_v4_inbound_md5_hash+0xd10/0xd10 [ 120.171549][T11542] __tcp_transmit_skb+0x40e3/0x5d90 [ 120.176741][T11542] __tcp_send_ack+0x701/0x840 [ 120.181400][T11542] tcp_send_ack+0x68/0x90 [ 120.185709][T11542] tcp_cleanup_rbuf+0x764/0x800 [ 120.190540][T11542] tcp_recvmsg+0x334d/0x4ff0 [ 120.195133][T11542] ? kmsan_get_shadow_origin_ptr+0x91/0x4b0 [ 120.201003][T11542] ? tcp_mmap+0x150/0x150 [ 120.205312][T11542] ? tcp_mmap+0x150/0x150 [ 120.209617][T11542] inet_recvmsg+0x237/0x7d0 [ 120.214098][T11542] ? inet_sendpage+0x2c0/0x2c0 [ 120.218930][T11542] ? kmsan_get_shadow_origin_ptr+0x91/0x4b0 [ 120.224800][T11542] ? inet_sendpage+0x2c0/0x2c0 [ 120.229540][T11542] ? inet_sendpage+0x2c0/0x2c0 [ 120.234280][T11542] sock_read_iter+0x5be/0x660 [ 120.238942][T11542] ? kernel_sock_ip_overhead+0x340/0x340 [ 120.244565][T11542] __vfs_read+0xa67/0xc90 [ 120.248887][T11542] vfs_read+0x359/0x6f0 [ 120.253023][T11542] ksys_read+0x265/0x430 [ 120.257260][T11542] __se_sys_read+0x92/0xb0 [ 120.261657][T11542] __x64_sys_read+0x4a/0x70 [ 120.266141][T11542] do_syscall_64+0xb6/0x160 [ 120.270632][T11542] entry_SYSCALL_64_after_hwframe+0x63/0xe7 [ 120.276501][T11542] RIP: 0033:0x47fd44 [ 120.280379][T11542] Code: ff ff cc cc cc cc e8 9b 40 fb ff 48 8b 7c 24 10 48 8b 74 24 18 48 8b 54 24 20 45 31 d2 45 31 c0 45 31 c9 48 8b 44 24 08 0f 05 <48> 3d 01 f0 ff ff 76 20 48 c7 44 24 28 ff ff ff ff 48 c7 44 24 30 [ 120.299958][T11542] RSP: 002b:000000c420065710 EFLAGS: 00000246 ORIG_RAX: 0000000000000000 [ 120.308695][T11542] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 000000000047fd44 [ 120.316644][T11542] RDX: 0000000000001000 RSI: 000000c42034a000 RDI: 0000000000000003 [ 120.324596][T11542] RBP: 000000c420065760 R08: 0000000000000000 R09: 0000000000000000 [ 120.332553][T11542] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000010 [ 120.340519][T11542] R13: 0000000000000010 R14: 0000000000000040 R15: ffffffffffffffff [ 120.350023][T11542] Kernel Offset: disabled [ 120.354388][T11542] Rebooting in 86400 seconds..