[ ok ] Starting enhanced syslogd: rsyslogd.
[ 59.845101][ T26] audit: type=1800 audit(1571206652.219:25): pid=8601 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="cron" dev="sda1" ino=2414 res=0
[ 59.866529][ T26] audit: type=1800 audit(1571206652.229:26): pid=8601 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="mcstrans" dev="sda1" ino=2457 res=0
[ 59.888120][ T26] audit: type=1800 audit(1571206652.229:27): pid=8601 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="restorecond" dev="sda1" ino=2436 res=0
[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.

Debian GNU/Linux 7 syzkaller ttyS0

Warning: Permanently added '10.128.10.49' (ECDSA) to the list of known hosts.
executing program
syzkaller login: [ 78.719791][ T8756] nf_conntrack: default automatic helper assignment has been turned off for security reasons and CT-based firewall rule not found. Use the iptables CT target to attach helpers instead.
[ 79.009900][ T283] Bluetooth: Error in BCSP hdr checksum
[ 79.269598][ T7] Bluetooth: Error in BCSP hdr checksum
[ 79.529246][ T7] Bluetooth: Error in BCSP hdr checksum
[ 79.789221][ T283] Bluetooth: Error in BCSP hdr checksum
[ 80.049254][ T7] Bluetooth: Error in BCSP hdr checksum
[ 80.309250][ T7] Bluetooth: Error in BCSP hdr checksum
[ 80.569284][ T7] Bluetooth: Error in BCSP hdr checksum
[ 80.829795][ T3695] Bluetooth: hci0: command 0x1003 tx timeout
[ 80.836661][ T7] Bluetooth: Error in BCSP hdr checksum
[ 81.089667][ T283] Bluetooth: Error in BCSP hdr checksum
[ 81.349264][ T7] Bluetooth: Error in BCSP hdr checksum
[ 81.609426][ T283] Bluetooth: Error in BCSP hdr checksum
[ 81.869314][ T283] Bluetooth: Error in BCSP hdr checksum
[ 82.129293][ T7] Bluetooth: Error in BCSP hdr checksum
[ 82.389466][ T7] Bluetooth: Error in BCSP hdr checksum
[ 82.649308][ T283] Bluetooth: Error in BCSP hdr checksum
[ 82.909080][ T2927] Bluetooth: hci0: command 0x1001 tx timeout
[ 82.915349][ T7] Bluetooth: Error in BCSP hdr checksum
[ 82.921060][ T7] Bluetooth: Error in BCSP hdr checksum
[ 83.169618][ T283] Bluetooth: Error in BCSP hdr checksum
[ 83.175591][ T7] Bluetooth: Error in BCSP hdr checksum
[ 83.429342][ T7] Bluetooth: Error in BCSP hdr checksum
[ 83.434989][ T7] Bluetooth: Error in BCSP hdr checksum
[ 83.689331][ T7] Bluetooth: Error in BCSP hdr checksum
[ 83.694979][ T7] Bluetooth: Error in BCSP hdr checksum
[ 84.989131][ T3695] Bluetooth: hci0: command 0x1009 tx timeout
[ 89.312901][ T8756] ==================================================================
[ 89.322008][ T8756] BUG: KASAN: use-after-free in kfree_skb+0x38/0x3c0
[ 89.328666][ T8756] Read of size 4 at addr ffff8880a1e98c54 by task syz-executor774/8756
[ 89.337671][ T8756]
[ 89.340004][ T8756] CPU: 0 PID: 8756 Comm: syz-executor774 Not tainted 5.4.0-rc3-next-20191015 #0
[ 89.349000][ T8756] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 89.359046][ T8756] Call Trace:
[ 89.362329][ T8756]  dump_stack+0x172/0x1f0
[ 89.366640][ T8756]  ? kfree_skb+0x38/0x3c0
[ 89.370964][ T8756]  print_address_description.constprop.0.cold+0xd4/0x30b
[ 89.377989][ T8756]  ? kfree_skb+0x38/0x3c0
[ 89.382587][ T8756]  ? kfree_skb+0x38/0x3c0
[ 89.386950][ T8756]  __kasan_report.cold+0x1b/0x41
[ 89.392054][ T8756]  ? kfree_skb+0x38/0x3c0
[ 89.396459][ T8756]  kasan_report+0x12/0x20
[ 89.401283][ T8756]  check_memory_region+0x134/0x1a0
[ 89.406393][ T8756]  __kasan_check_read+0x11/0x20
[ 89.411407][ T8756]  kfree_skb+0x38/0x3c0
[ 89.415547][ T8756]  bcsp_close+0xc7/0x130
[ 89.419770][ T8756]  hci_uart_tty_close+0x21e/0x280
[ 89.424786][ T8756]  ? hci_uart_close+0x50/0x50
[ 89.429460][ T8756]  tty_ldisc_close.isra.0+0x119/0x1a0
[ 89.434822][ T8756]  tty_ldisc_kill+0x9c/0x160
[ 89.439404][ T8756]  tty_ldisc_release+0xe9/0x2b0
[ 89.444240][ T8756]  tty_release_struct+0x1b/0x50
[ 89.449072][ T8756]  tty_release+0xbcb/0xe90
[ 89.453485][ T8756]  __fput+0x2ff/0x890
[ 89.457449][ T8756]  ? put_tty_driver+0x20/0x20
[ 89.462106][ T8756]  ____fput+0x16/0x20
[ 89.466125][ T8756]  task_work_run+0x145/0x1c0
[ 89.470812][ T8756]  do_exit+0x904/0x2e60
[ 89.475072][ T8756]  ? mm_update_next_owner+0x640/0x640
[ 89.480561][ T8756]  ? lock_downgrade+0x920/0x920
[ 89.485395][ T8756]  ? _raw_spin_unlock_irq+0x23/0x80
[ 89.490579][ T8756]  ? get_signal+0x392/0x24f0
[ 89.495242][ T8756]  ? _raw_spin_unlock_irq+0x23/0x80
[ 89.500425][ T8756]  do_group_exit+0x135/0x360
[ 89.505009][ T8756]  get_signal+0x47c/0x24f0
[ 89.509415][ T8756]  do_signal+0x87/0x1700
[ 89.513649][ T8756]  ? setup_sigcontext+0x7d0/0x7d0
[ 89.518667][ T8756]  ? lock_downgrade+0x920/0x920
[ 89.523496][ T8756]  ? rcu_read_lock_any_held+0xcd/0xf0
[ 89.528850][ T8756]  ? exit_to_usermode_loop+0x43/0x380
[ 89.534214][ T8756]  ? do_syscall_64+0x65f/0x760
[ 89.539072][ T8756]  ? exit_to_usermode_loop+0x43/0x380
[ 89.544439][ T8756]  ? lockdep_hardirqs_on+0x421/0x5e0
[ 89.549710][ T8756]  ? trace_hardirqs_on+0x67/0x240
[ 89.554718][ T8756]  exit_to_usermode_loop+0x286/0x380
[ 89.560000][ T8756]  do_syscall_64+0x65f/0x760
[ 89.564572][ T8756]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 89.570451][ T8756] RIP: 0033:0x441309
[ 89.574332][ T8756] Code: Bad RIP value.
[ 89.578387][ T8756] RSP: 002b:00007ffcec39f4f8 EFLAGS: 00000246 ORIG_RAX: 0000000000000028
[ 89.586796][ T8756] RAX: 0000000000278000 RBX: 0000000000000000 RCX: 0000000000441309
[ 89.594839][ T8756] RDX: 0000000000000000 RSI: 0000000000000005 RDI: 0000000000000004
[ 89.602882][ T8756] RBP: 00000000006cb018 R08: 00000000004002c8 R09: 00000000004002c8
[ 89.610853][ T8756] R10: 00008000fffffffe R11: 0000000000000246 R12: 0000000000402130
[ 89.618913][ T8756] R13: 00000000004021c0 R14: 0000000000000000 R15: 0000000000000000
[ 89.626899][ T8756]
[ 89.629239][ T8756] Allocated by task 7:
[ 89.633293][ T8756]  save_stack+0x23/0x90
[ 89.638207][ T8756]  __kasan_kmalloc.constprop.0+0xcf/0xe0
[ 89.643841][ T8756]  kasan_slab_alloc+0xf/0x20
[ 89.648442][ T8756]  kmem_cache_alloc_node+0x138/0x740
[ 89.654337][ T8756]  __alloc_skb+0xd5/0x5e0
[ 89.658853][ T8756]  bcsp_recv+0x8c1/0x13a0
[ 89.663266][ T8756]  hci_uart_tty_receive+0x279/0x6d0
[ 89.668489][ T8756]  tty_ldisc_receive_buf+0x15f/0x1c0
[ 89.673760][ T8756]  tty_port_default_receive_buf+0x7d/0xb0
[ 89.679473][ T8756]  flush_to_ldisc+0x222/0x390
[ 89.684136][ T8756]  process_one_work+0x9af/0x1740
[ 89.689106][ T8756]  worker_thread+0x98/0xe40
[ 89.693602][ T8756]  kthread+0x361/0x430
[ 89.698083][ T8756]  ret_from_fork+0x24/0x30
[ 89.702472][ T8756]
[ 89.704778][ T8756] Freed by task 7:
[ 89.708479][ T8756]  save_stack+0x23/0x90
[ 89.712617][ T8756]  __kasan_slab_free+0x102/0x150
[ 89.717529][ T8756]  kasan_slab_free+0xe/0x10
[ 89.722008][ T8756]  kmem_cache_free+0x86/0x320
[ 89.726661][ T8756]  kfree_skbmem+0xc5/0x150
[ 89.731063][ T8756]  kfree_skb+0x109/0x3c0
[ 89.735292][ T8756]  bcsp_recv+0x2d8/0x13a0
[ 89.739772][ T8756]  hci_uart_tty_receive+0x279/0x6d0
[ 89.745053][ T8756]  tty_ldisc_receive_buf+0x15f/0x1c0
[ 89.750325][ T8756]  tty_port_default_receive_buf+0x7d/0xb0
[ 89.756391][ T8756]  flush_to_ldisc+0x222/0x390
[ 89.761056][ T8756]  process_one_work+0x9af/0x1740
[ 89.765987][ T8756]  worker_thread+0x98/0xe40
[ 89.770473][ T8756]  kthread+0x361/0x430
[ 89.774539][ T8756]  ret_from_fork+0x24/0x30
[ 89.779020][ T8756]
[ 89.781354][ T8756] The buggy address belongs to the object at ffff8880a1e98b80
[ 89.781354][ T8756]  which belongs to the cache skbuff_head_cache of size 224
[ 89.795921][ T8756] The buggy address is located 212 bytes inside of
[ 89.795921][ T8756]  224-byte region [ffff8880a1e98b80, ffff8880a1e98c60)
[ 89.809305][ T8756] The buggy address belongs to the page:
[ 89.814927][ T8756] page:ffffea000287a600 refcount:1 mapcount:0 mapping:ffff88821b751380 index:0x0
[ 89.824016][ T8756] flags: 0x1fffc0000000200(slab)
[ 89.828950][ T8756] raw: 01fffc0000000200 ffffea0002619c08 ffffea00025bc608 ffff88821b751380
[ 89.837534][ T8756] raw: 0000000000000000 ffff8880a1e98040 000000010000000c 0000000000000000
[ 89.846111][ T8756] page dumped because: kasan: bad access detected
[ 89.852499][ T8756]
[ 89.854819][ T8756] Memory state around the buggy address:
[ 89.860429][ T8756]  ffff8880a1e98b00: fb fb fb fb fc fc fc fc fc fc fc fc fc fc fc fc
[ 89.868481][ T8756]  ffff8880a1e98b80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 89.876623][ T8756] >ffff8880a1e98c00: fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
[ 89.884694][ T8756]                                                  ^
[ 89.891708][ T8756]  ffff8880a1e98c80: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
[ 89.899757][ T8756]  ffff8880a1e98d00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 89.907899][ T8756] ==================================================================
[ 89.915964][ T8756] Disabling lock debugging due to kernel taint
[ 89.922542][ T8756] Kernel panic - not syncing: panic_on_warn set ...
[ 89.929146][ T8756] CPU: 0 PID: 8756 Comm: syz-executor774 Tainted: G    B             5.4.0-rc3-next-20191015 #0
[ 89.939569][ T8756] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 89.949604][ T8756] Call Trace:
[ 89.952882][ T8756]  dump_stack+0x172/0x1f0
[ 89.957189][ T8756]  panic+0x2e3/0x75c
[ 89.961060][ T8756]  ? add_taint.cold+0x16/0x16
[ 89.965732][ T8756]  ? kfree_skb+0x38/0x3c0
[ 89.970051][ T8756]  ? preempt_schedule+0x4b/0x60
[ 89.974895][ T8756]  ? ___preempt_schedule+0x16/0x20
[ 89.979987][ T8756]  ? trace_hardirqs_on+0x5e/0x240
[ 89.985161][ T8756]  ? kfree_skb+0x38/0x3c0
[ 89.989557][ T8756]  end_report+0x47/0x4f
[ 89.993686][ T8756]  ? kfree_skb+0x38/0x3c0
[ 89.998601][ T8756]  __kasan_report.cold+0xe/0x41
[ 90.003450][ T8756]  ? kfree_skb+0x38/0x3c0
[ 90.007767][ T8756]  kasan_report+0x12/0x20
[ 90.012076][ T8756]  check_memory_region+0x134/0x1a0
[ 90.017176][ T8756]  __kasan_check_read+0x11/0x20
[ 90.022023][ T8756]  kfree_skb+0x38/0x3c0
[ 90.026176][ T8756]  bcsp_close+0xc7/0x130
[ 90.030397][ T8756]  hci_uart_tty_close+0x21e/0x280
[ 90.035394][ T8756]  ? hci_uart_close+0x50/0x50
[ 90.040054][ T8756]  tty_ldisc_close.isra.0+0x119/0x1a0
[ 90.045402][ T8756]  tty_ldisc_kill+0x9c/0x160
[ 90.049972][ T8756]  tty_ldisc_release+0xe9/0x2b0
[ 90.054800][ T8756]  tty_release_struct+0x1b/0x50
[ 90.059630][ T8756]  tty_release+0xbcb/0xe90
[ 90.064031][ T8756]  __fput+0x2ff/0x890
[ 90.067988][ T8756]  ? put_tty_driver+0x20/0x20
[ 90.072641][ T8756]  ____fput+0x16/0x20
[ 90.076615][ T8756]  task_work_run+0x145/0x1c0
[ 90.083456][ T8756]  do_exit+0x904/0x2e60
[ 90.087592][ T8756]  ? mm_update_next_owner+0x640/0x640
[ 90.092957][ T8756]  ? lock_downgrade+0x920/0x920
[ 90.097788][ T8756]  ? _raw_spin_unlock_irq+0x23/0x80
[ 90.102971][ T8756]  ? get_signal+0x392/0x24f0
[ 90.107623][ T8756]  ? _raw_spin_unlock_irq+0x23/0x80
[ 90.112797][ T8756]  do_group_exit+0x135/0x360
[ 90.117364][ T8756]  get_signal+0x47c/0x24f0
[ 90.121795][ T8756]  do_signal+0x87/0x1700
[ 90.126036][ T8756]  ? setup_sigcontext+0x7d0/0x7d0
[ 90.132316][ T8756]  ? lock_downgrade+0x920/0x920
[ 90.137308][ T8756]  ? rcu_read_lock_any_held+0xcd/0xf0
[ 90.142783][ T8756]  ? exit_to_usermode_loop+0x43/0x380
[ 90.148249][ T8756]  ? do_syscall_64+0x65f/0x760
[ 90.152998][ T8756]  ? exit_to_usermode_loop+0x43/0x380
[ 90.158354][ T8756]  ? lockdep_hardirqs_on+0x421/0x5e0
[ 90.163628][ T8756]  ? trace_hardirqs_on+0x67/0x240
[ 90.168634][ T8756]  exit_to_usermode_loop+0x286/0x380
[ 90.174147][ T8756]  do_syscall_64+0x65f/0x760
[ 90.178763][ T8756]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 90.184657][ T8756] RIP: 0033:0x441309
[ 90.188548][ T8756] Code: Bad RIP value.
[ 90.192853][ T8756] RSP: 002b:00007ffcec39f4f8 EFLAGS: 00000246 ORIG_RAX: 0000000000000028
[ 90.201242][ T8756] RAX: 0000000000278000 RBX: 0000000000000000 RCX: 0000000000441309
[ 90.209673][ T8756] RDX: 0000000000000000 RSI: 0000000000000005 RDI: 0000000000000004
[ 90.217807][ T8756] RBP: 00000000006cb018 R08: 00000000004002c8 R09: 00000000004002c8
[ 90.225768][ T8756] R10: 00008000fffffffe R11: 0000000000000246 R12: 0000000000402130
[ 90.233734][ T8756] R13: 00000000004021c0 R14: 0000000000000000 R15: 0000000000000000
[ 90.243290][ T8756] Kernel Offset: disabled
[ 90.247630][ T8756] Rebooting in 86400 seconds..