[ ok ] Starting enhanced syslogd: rsyslogd.
[ 92.229802][ T32] audit: type=1800 audit(1573535939.271:25): pid=13487 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="cron" dev="sda1" ino=2414 res=0
[ 92.267928][ T32] audit: type=1800 audit(1573535939.301:26): pid=13487 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="mcstrans" dev="sda1" ino=2457 res=0
[ 92.288244][ T32] audit: type=1800 audit(1573535939.301:27): pid=13487 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="restorecond" dev="sda1" ino=2436 res=0
[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.

Debian GNU/Linux 7 syzkaller ttyS0

Warning: Permanently added '10.128.0.244' (ECDSA) to the list of known hosts.
2019/11/12 05:19:12 parsed 1 programs
2019/11/12 05:19:19 executed programs: 0

syzkaller login: [ 112.926045][T13654] IPVS: ftp: loaded support on port[0] = 21
[ 113.004932][T13654] chnl_net:caif_netlink_parms(): no params data found
[ 113.040308][T13654] bridge0: port 1(bridge_slave_0) entered blocking state
[ 113.047700][T13654] bridge0: port 1(bridge_slave_0) entered disabled state
[ 113.056160][T13654] device bridge_slave_0 entered promiscuous mode
[ 113.064714][T13654] bridge0: port 2(bridge_slave_1) entered blocking state
[ 113.071807][T13654] bridge0: port 2(bridge_slave_1) entered disabled state
[ 113.080026][T13654] device bridge_slave_1 entered promiscuous mode
[ 113.102148][T13654] bond0: (slave bond_slave_0): Enslaving as an active interface with an up link
[ 113.114092][T13654] bond0: (slave bond_slave_1): Enslaving as an active interface with an up link
[ 113.136401][T13654] team0: Port device team_slave_0 added
[ 113.144549][T13654] team0: Port device team_slave_1 added
[ 113.205262][T13654] device hsr_slave_0 entered promiscuous mode
[ 113.252898][T13654] device hsr_slave_1 entered promiscuous mode
[ 113.386324][T13654] bridge0: port 2(bridge_slave_1) entered blocking state
[ 113.393628][T13654] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 113.401339][T13654] bridge0: port 1(bridge_slave_0) entered blocking state
[ 113.408616][T13654] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 113.571681][T13654] 8021q: adding VLAN 0 to HW filter on device bond0
[ 113.621571][ T31] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 113.644138][ T31] bridge0: port 1(bridge_slave_0) entered disabled state
[ 113.665044][ T31] bridge0: port 2(bridge_slave_1) entered disabled state
[ 113.684905][ T31] IPv6: ADDRCONF(NETDEV_CHANGE): bond0: link becomes ready
[ 113.728959][T13654] 8021q: adding VLAN 0 to HW filter on device team0
[ 113.760910][ T31] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[ 113.771079][ T31] bridge0: port 1(bridge_slave_0) entered blocking state
[ 113.778338][ T31] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 113.863671][ T31] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[ 113.872754][ T31] bridge0: port 2(bridge_slave_1) entered blocking state
[ 113.879931][ T31] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 113.890445][ T31] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready
[ 113.900917][ T31] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready
[ 113.910477][ T31] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
[ 113.919517][ T31] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
[ 113.933915][T13654] IPv6: ADDRCONF(NETDEV_CHANGE): hsr0: link becomes ready
[ 113.999608][T13654] 8021q: adding VLAN 0 to HW filter on device batadv0
[ 114.064298][ T31] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan0: link becomes ready
[ 114.071980][ T31] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan1: link becomes ready
[ 114.081095][ T31] IPv6: ADDRCONF(NETDEV_CHANGE): team0: link becomes ready
[ 114.682852][ T268] Bluetooth: Error in BCSP hdr checksum
[ 114.942654][ T110] Bluetooth: Error in BCSP hdr checksum
[ 116.492415][ T31] Bluetooth: hci0: command 0x1003 tx timeout
[ 116.498651][T13698] Bluetooth: hci0: sending frame failed (-49)
[ 118.572398][ T31] Bluetooth: hci0: command 0x1001 tx timeout
[ 118.578585][T13698] Bluetooth: hci0: sending frame failed (-49)
[ 120.652446][ T12] Bluetooth: hci0: command 0x1009 tx timeout
[ 124.574151][T13694] =====================================================
[ 124.581146][T13694] BUG: KMSAN: use-after-free in kfree_skb+0x23c/0x4c0
[ 124.587956][T13694] CPU: 0 PID: 13694 Comm: syz-executor.0 Not tainted 5.4.0-rc5+ #0
[ 124.595873][T13694] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 124.606050][T13694] Call Trace:
[ 124.609376][T13694] dump_stack+0x191/0x1f0
[ 124.613696][T13694] kmsan_report+0x128/0x220
[ 124.618187][T13694] __msan_warning+0x73/0xe0
[ 124.622685][T13694] kfree_skb+0x23c/0x4c0
[ 124.626941][T13694] ? kmsan_get_shadow_origin_ptr+0x91/0x4b0
[ 124.632832][T13694] bcsp_close+0x127/0x1e0
[ 124.637148][T13694] ? bcsp_open+0x5d0/0x5d0
[ 124.641594][T13694] hci_uart_tty_close+0x385/0x410
[ 124.646652][T13694] ? hci_uart_tty_open+0x5a0/0x5a0
[ 124.651742][T13694] tty_ldisc_release+0x5dd/0xd50
[ 124.656704][T13694] tty_release_struct+0x4f/0x1d0
[ 124.661631][T13694] ? tty_unlock+0x82/0x100
[ 124.666026][T13694] tty_release+0x1be2/0x1e80
[ 124.670606][T13694] ? tty_release_struct+0x1d0/0x1d0
[ 124.675781][T13694] __fput+0x4c9/0xba0
[ 124.679747][T13694] ____fput+0x37/0x40
[ 124.683728][T13694] ? fput_many+0x2a0/0x2a0
[ 124.688122][T13694] task_work_run+0x22e/0x2a0
[ 124.692694][T13694] prepare_exit_to_usermode+0x39d/0x4d0
[ 124.698221][T13694] syscall_return_slowpath+0x90/0x610
[ 124.703585][T13694] do_syscall_64+0xdc/0x160
[ 124.708086][T13694] entry_SYSCALL_64_after_hwframe+0x63/0xe7
[ 124.713969][T13694] RIP: 0033:0x413db1
[ 124.717850][T13694] Code: 75 14 b8 03 00 00 00 0f 05 48 3d 01 f0 ff ff 0f 83 04 1b 00 00 c3 48 83 ec 08 e8 0a fc ff ff 48 89 04 24 b8 03 00 00 00 0f 05 <48> 8b 3c 24 48 89 c2 e8 53 fc ff ff 48 89 d0 48 83 c4 08 48 3d 01
[ 124.737634][T13694] RSP: 002b:00007fffa9cf4e10 EFLAGS: 00000293 ORIG_RAX: 0000000000000003
[ 124.746109][T13694] RAX: 0000000000000000 RBX: 0000000000000006 RCX: 0000000000413db1
[ 124.754073][T13694] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000005
[ 124.762028][T13694] RBP: 0000000000000001 R08: ffffffffffffffff R09: ffffffffffffffff
[ 124.770001][T13694] R10: 00007fffa9cf4ef0 R11: 0000000000000293 R12: 000000000075c9a0
[ 124.777954][T13694] R13: 000000000075c9a0 R14: 0000000000760290 R15: 000000000075bfd4
[ 124.785919][T13694]
[ 124.788267][T13694] Uninit was created at:
[ 124.792498][T13694] kmsan_internal_poison_shadow+0x60/0x120
[ 124.798282][T13694] kmsan_slab_free+0x8d/0xf0
[ 124.802859][T13694] kmem_cache_free+0x2d1/0x2b70
[ 124.807690][T13694] kfree_skb+0x473/0x4c0
[ 124.811910][T13694] __netif_receive_skb_core+0x4a5a/0x51a0
[ 124.817611][T13694] process_backlog+0x612/0x1410
[ 124.822450][T13694] net_rx_action+0x7a6/0x1aa0
[ 124.827203][T13694] __do_softirq+0x4a1/0x83a
[ 124.831682][T13694] irq_exit+0x230/0x280
[ 124.835835][T13694] exiting_irq+0xe/0x10
[ 124.839968][T13694] smp_apic_timer_interrupt+0x48/0x70
[ 124.845315][T13694] apic_timer_interrupt+0x2e/0x40
[ 124.850331][T13694] default_idle+0x53/0x90
[ 124.854668][T13694] arch_cpu_idle+0x25/0x30
[ 124.859059][T13694] do_idle+0x1d5/0x780
[ 124.863106][T13694] cpu_startup_entry+0x45/0x50
[ 124.867847][T13694] start_secondary+0x389/0x480
[ 124.872587][T13694] secondary_startup_64+0xa4/0xb0
[ 124.877592][T13694] =====================================================
[ 124.884515][T13694] Disabling lock debugging due to kernel taint
[ 124.890666][T13694] Kernel panic - not syncing: panic_on_warn set ...
[ 124.897230][T13694] CPU: 0 PID: 13694 Comm: syz-executor.0 Tainted: G B 5.4.0-rc5+ #0
[ 124.906506][T13694] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 124.916552][T13694] Call Trace:
[ 124.919826][T13694] dump_stack+0x191/0x1f0
[ 124.924152][T13694] panic+0x3c9/0xc1e
[ 124.928040][T13694] kmsan_report+0x215/0x220
[ 124.932524][T13694] __msan_warning+0x73/0xe0
[ 124.937006][T13694] kfree_skb+0x23c/0x4c0
[ 124.941239][T13694] ? kmsan_get_shadow_origin_ptr+0x91/0x4b0
[ 124.947114][T13694] bcsp_close+0x127/0x1e0
[ 124.951421][T13694] ? bcsp_open+0x5d0/0x5d0
[ 124.955816][T13694] hci_uart_tty_close+0x385/0x410
[ 124.960820][T13694] ? hci_uart_tty_open+0x5a0/0x5a0
[ 124.965916][T13694] tty_ldisc_release+0x5dd/0xd50
[ 124.971016][T13694] tty_release_struct+0x4f/0x1d0
[ 124.975937][T13694] ? tty_unlock+0x82/0x100
[ 124.980331][T13694] tty_release+0x1be2/0x1e80
[ 124.984924][T13694] ? tty_release_struct+0x1d0/0x1d0
[ 124.990107][T13694] __fput+0x4c9/0xba0
[ 124.994085][T13694] ____fput+0x37/0x40
[ 124.998054][T13694] ? fput_many+0x2a0/0x2a0
[ 125.002466][T13694] task_work_run+0x22e/0x2a0
[ 125.007054][T13694] prepare_exit_to_usermode+0x39d/0x4d0
[ 125.012582][T13694] syscall_return_slowpath+0x90/0x610
[ 125.018002][T13694] do_syscall_64+0xdc/0x160
[ 125.022528][T13694] entry_SYSCALL_64_after_hwframe+0x63/0xe7
[ 125.028443][T13694] RIP: 0033:0x413db1
[ 125.032338][T13694] Code: 75 14 b8 03 00 00 00 0f 05 48 3d 01 f0 ff ff 0f 83 04 1b 00 00 c3 48 83 ec 08 e8 0a fc ff ff 48 89 04 24 b8 03 00 00 00 0f 05 <48> 8b 3c 24 48 89 c2 e8 53 fc ff ff 48 89 d0 48 83 c4 08 48 3d 01
[ 125.051983][T13694] RSP: 002b:00007fffa9cf4e10 EFLAGS: 00000293 ORIG_RAX: 0000000000000003
[ 125.060415][T13694] RAX: 0000000000000000 RBX: 0000000000000006 RCX: 0000000000413db1
[ 125.068456][T13694] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000005
[ 125.076413][T13694] RBP: 0000000000000001 R08: ffffffffffffffff R09: ffffffffffffffff
[ 125.084383][T13694] R10: 00007fffa9cf4ef0 R11: 0000000000000293 R12: 000000000075c9a0
[ 125.092341][T13694] R13: 000000000075c9a0 R14: 0000000000760290 R15: 000000000075bfd4
[ 125.101844][T13694] Kernel Offset: disabled
[ 125.106181][T13694] Rebooting in 86400 seconds..
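Reading the report above by hand: KMSAN poisons slab memory when it is freed and, when a later read hits that poisoned shadow, titles the report "use-after-free"; the "Uninit was created at" stack is therefore the free site, not an allocation. Here the sk_buff was freed by kfree_skb in __netif_receive_skb_core (net RX softirq, running on the idle task), and bcsp_close later passed the stale pointer to kfree_skb again while the N_HCI line discipline was being torn down on the tty. The user-space registers say how it was reached: ORIG_RAX 3 is close(2) on x86-64 and RDI 5 is the fd, so the fault fires on the syscall exit path (__fput via task_work_run) of a close() issued by syz-executor.0. The script below is an added triage helper, not code from syzkaller or the kernel; it extracts exactly those facts from a raw console capture. REPORT is an excerpt of the report on this page, trimmed to the lines the parser needs, and the x86-64 syscall table and the set of reporting frames it skips are the script's own assumptions.

```python
"""Added triage helper for a syzkaller/KMSAN console capture like the one above.
Not code from syzkaller or the kernel. It turns the raw serial log into the fields
a triager wants: sanitizer, bug class, faulting function, crashing task, the call
trace with reporting frames stripped, the "Uninit was created at" stack (for a
KMSAN use-after-free that is the free site) and the syscall whose exit path ran
the crashing code. REPORT is an excerpt of the report on this page, trimmed."""
import re

REPORT = """\
[  124.581146][T13694] BUG: KMSAN: use-after-free in kfree_skb+0x23c/0x4c0
[  124.587956][T13694] CPU: 0 PID: 13694 Comm: syz-executor.0 Not tainted 5.4.0-rc5+ #0
[  124.606050][T13694] Call Trace:
[  124.609376][T13694]  dump_stack+0x191/0x1f0
[  124.613696][T13694]  kmsan_report+0x128/0x220
[  124.618187][T13694]  __msan_warning+0x73/0xe0
[  124.622685][T13694]  kfree_skb+0x23c/0x4c0
[  124.626941][T13694]  ? kmsan_get_shadow_origin_ptr+0x91/0x4b0
[  124.632832][T13694]  bcsp_close+0x127/0x1e0
[  124.641594][T13694]  hci_uart_tty_close+0x385/0x410
[  124.651742][T13694]  tty_ldisc_release+0x5dd/0xd50
[  124.670606][T13694]  tty_release+0x1be2/0x1e80
[  124.708086][T13694]  entry_SYSCALL_64_after_hwframe+0x63/0xe7
[  124.713969][T13694] RIP: 0033:0x413db1
[  124.737634][T13694] RSP: 002b:00007fffa9cf4e10 EFLAGS: 00000293 ORIG_RAX: 0000000000000003
[  124.754073][T13694] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000005
[  124.788267][T13694] Uninit was created at:
[  124.792498][T13694]  kmsan_internal_poison_shadow+0x60/0x120
[  124.798282][T13694]  kmsan_slab_free+0x8d/0xf0
[  124.802859][T13694]  kmem_cache_free+0x2d1/0x2b70
[  124.807690][T13694]  kfree_skb+0x473/0x4c0
[  124.811910][T13694]  __netif_receive_skb_core+0x4a5a/0x51a0
[  124.831682][T13694]  __do_softirq+0x4a1/0x83a
[  124.877592][T13694] =====================================================
[  124.890666][T13694] Kernel panic - not syncing: panic_on_warn set ...
"""

PREFIX_RE = re.compile(r"^\[\s*\d+\.\d+\]\[\s*T?\d+\]")  # "[ 124.58][T13694]"
FRAME_RE = re.compile(r"^(\?\s+)?([A-Za-z_][\w.]*)\+0x[0-9a-f]+/0x[0-9a-f]+$")
BUG_RE = re.compile(r"^BUG: (\w+): ([\w-]+) in ([A-Za-z_][\w.]*)\+0x")
TASK_RE = re.compile(r"^CPU: (\d+) PID: (\d+) Comm: (\S+) (.*?) (\S+) #\d+$")
REG_RE = re.compile(r"(ORIG_RAX|RDI): ([0-9a-f]{16})")

# Frames emitted by the sanitizer/reporting machinery, not by the code under test.
INSTRUMENTATION = {"dump_stack", "kmsan_report", "__msan_warning", "panic",
                   "kmsan_internal_poison_shadow", "kmsan_slab_free"}
# x86-64 syscall numbers; ORIG_RAX holds the number on the syscall exit path.
X86_64_SYSCALLS = {0: "read", 1: "write", 2: "open", 3: "close", 16: "ioctl"}


def parse_report(console):
    """Parse the first sanitizer report in a console capture into a dict."""
    rep = {"sanitizer": None, "bug": None, "faulting_fn": None, "pid": None,
           "comm": None, "kernel": None, "call_trace": [], "origin_trace": [],
           "regs": {}, "panic": False}
    section = None
    for raw in console.splitlines():
        line = PREFIX_RE.sub("", raw).strip()
        if (m := BUG_RE.match(line)) and rep["bug"] is None:
            rep["sanitizer"], rep["bug"], rep["faulting_fn"] = m.groups()
        elif (m := TASK_RE.match(line)) and rep["pid"] is None:
            rep["pid"], rep["comm"], rep["kernel"] = int(m.group(2)), m.group(3), m.group(5)
        elif line == "Call Trace:":
            section = "call_trace" if not rep["call_trace"] else None  # first trace only
        elif line == "Uninit was created at:":
            section = "origin_trace"
        elif line.startswith("Kernel panic - not syncing"):
            rep["panic"], section = True, None
        elif (m := FRAME_RE.match(line)) and section:
            if not m.group(1):                    # "? " marks an unreliable frame
                rep[section].append(m.group(2))
        else:
            section = None                        # any other line ends a trace
            for name, val in REG_RE.findall(line):
                rep["regs"].setdefault(name, int(val, 16))
    return rep


def meaningful_frames(frames):
    """Drop reporting frames so the first element is the code that misbehaved."""
    return [f for f in frames if f not in INSTRUMENTATION]


def summarize(rep):
    """syzbot-style title plus the facts needed to start root-causing."""
    crash = meaningful_frames(rep["call_trace"])
    origin = meaningful_frames(rep["origin_trace"])
    nr = rep["regs"].get("ORIG_RAX")
    sc = X86_64_SYSCALLS.get(nr, f"syscall#{nr}")
    ctx = "softirq" if "__do_softirq" in origin else "task"
    return {
        "title": f"{rep['sanitizer']}: {rep['bug']} in {rep['faulting_fn']}",
        "crash_site": f"{crash[0]} called from {crash[1]}",
        "freed_at": f"{origin[1]} called from {origin[2]} ({ctx} context)",
        "trigger": f"{sc}(fd={rep['regs'].get('RDI')}) by {rep['comm']} pid {rep['pid']}",
        "fatal": rep["panic"],
    }


if __name__ == "__main__":
    for k, v in summarize(parse_report(REPORT)).items():
        print(f"{k:>10}: {v}")
```

Two details matter when running this over a full log rather than the excerpt: the second Call Trace printed after "Kernel panic" is the same stack again with panic() on top, so only the first one is kept; and the "? symbol" frames are stale stack slots that the unwinder could not verify, so they are dropped rather than reported as callers.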