[ 69.427691][ T27] audit: type=1800 audit(1564719845.395:29): pid=10211 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:kernel_t:s0 op=collect_data cause=failed(directio) comm="startpar" name="cron" dev="sda1" ino=2414 res=0 [ 69.470746][ T27] audit: type=1800 audit(1564719845.395:30): pid=10211 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:kernel_t:s0 op=collect_data cause=failed(directio) comm="startpar" name="mcstrans" dev="sda1" ino=2457 res=0 [ ok ] Starting periodic command scheduler: cron. Starting mcstransd: [ ok ] Starting OpenBSD Secure Shell server: sshd. [ ok ] Starting file context maintaining daemon: restorecond. Debian GNU/Linux 7 syzkaller ttyS0 Warning: Permanently added '10.128.0.37' (ECDSA) to the list of known hosts. syzkaller login: [ 1493.673469][ T27] kauditd_printk_skb: 5 callbacks suppressed [ 1493.673480][ T27] audit: type=1400 audit(1564721269.635:36): avc: denied { map } for pid=10401 comm="syz-execprog" path="/root/syz-execprog" dev="sda1" ino=16481 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1 2019/08/02 04:47:50 parsed 1 programs [ 1494.671708][ T27] audit: type=1400 audit(1564721270.635:37): avc: denied { map } for pid=10401 comm="syz-execprog" path="/sys/kernel/debug/kcov" dev="debugfs" ino=16437 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:debugfs_t:s0 tclass=file permissive=1 [ 1496.394192][ T27] audit: type=1400 audit(1564721272.355:38): avc: denied { map } for pid=10401 comm="syz-execprog" path="/root/syzkaller-shm503192291" dev="sda1" ino=2339 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:file_t:s0 tclass=file permissive=1 2019/08/02 04:47:52 executed programs: 0 [ 1496.719246][T10422] IPVS: ftp: loaded support on port[0] = 21 [ 1496.799486][T10425] IPVS: ftp: loaded support 
on port[0] = 21 [ 1496.824446][T10427] IPVS: ftp: loaded support on port[0] = 21 [ 1496.824684][T10429] IPVS: ftp: loaded support on port[0] = 21 [ 1496.855003][T10430] IPVS: ftp: loaded support on port[0] = 21 [ 1496.862566][T10432] IPVS: ftp: loaded support on port[0] = 21 [ 1496.890509][T10422] chnl_net:caif_netlink_parms(): no params data found [ 1496.950177][T10422] bridge0: port 1(bridge_slave_0) entered blocking state [ 1496.957812][T10422] bridge0: port 1(bridge_slave_0) entered disabled state [ 1496.965440][T10422] device bridge_slave_0 entered promiscuous mode [ 1496.973902][T10422] bridge0: port 2(bridge_slave_1) entered blocking state [ 1496.981091][T10422] bridge0: port 2(bridge_slave_1) entered disabled state [ 1496.988605][T10422] device bridge_slave_1 entered promiscuous mode [ 1497.015634][T10422] bond0: (slave bond_slave_0): Enslaving as an active interface with an up link [ 1497.027708][T10422] bond0: (slave bond_slave_1): Enslaving as an active interface with an up link [ 1497.048573][T10422] team0: Port device team_slave_0 added [ 1497.066777][T10422] team0: Port device team_slave_1 added [ 1497.126817][T10422] device hsr_slave_0 entered promiscuous mode [ 1497.165648][T10422] device hsr_slave_1 entered promiscuous mode [ 1497.212611][T10425] chnl_net:caif_netlink_parms(): no params data found [ 1497.294841][T10432] chnl_net:caif_netlink_parms(): no params data found [ 1497.319620][T10427] chnl_net:caif_netlink_parms(): no params data found [ 1497.350650][T10429] chnl_net:caif_netlink_parms(): no params data found [ 1497.382458][T10425] bridge0: port 1(bridge_slave_0) entered blocking state [ 1497.390479][T10425] bridge0: port 1(bridge_slave_0) entered disabled state [ 1497.398434][T10425] device bridge_slave_0 entered promiscuous mode [ 1497.406740][T10430] chnl_net:caif_netlink_parms(): no params data found [ 1497.414894][T10425] bridge0: port 2(bridge_slave_1) entered blocking state [ 1497.422025][T10425] bridge0: port 2(bridge_slave_1) 
entered disabled state [ 1497.429695][T10425] device bridge_slave_1 entered promiscuous mode [ 1497.442951][T10427] bridge0: port 1(bridge_slave_0) entered blocking state [ 1497.451422][T10427] bridge0: port 1(bridge_slave_0) entered disabled state [ 1497.459037][T10427] device bridge_slave_0 entered promiscuous mode [ 1497.467885][T10427] bridge0: port 2(bridge_slave_1) entered blocking state [ 1497.474991][T10427] bridge0: port 2(bridge_slave_1) entered disabled state [ 1497.482746][T10427] device bridge_slave_1 entered promiscuous mode [ 1497.503020][T10432] bridge0: port 1(bridge_slave_0) entered blocking state [ 1497.511947][T10432] bridge0: port 1(bridge_slave_0) entered disabled state [ 1497.519550][T10432] device bridge_slave_0 entered promiscuous mode [ 1497.526751][T10432] bridge0: port 2(bridge_slave_1) entered blocking state [ 1497.533785][T10432] bridge0: port 2(bridge_slave_1) entered disabled state [ 1497.541827][T10432] device bridge_slave_1 entered promiscuous mode [ 1497.563486][T10422] bridge0: port 2(bridge_slave_1) entered blocking state [ 1497.570631][T10422] bridge0: port 2(bridge_slave_1) entered forwarding state [ 1497.577948][T10422] bridge0: port 1(bridge_slave_0) entered blocking state [ 1497.584994][T10422] bridge0: port 1(bridge_slave_0) entered forwarding state [ 1497.603789][T10425] bond0: (slave bond_slave_0): Enslaving as an active interface with an up link [ 1497.617297][T10425] bond0: (slave bond_slave_1): Enslaving as an active interface with an up link [ 1497.629105][T10427] bond0: (slave bond_slave_0): Enslaving as an active interface with an up link [ 1497.639511][T10432] bond0: (slave bond_slave_0): Enslaving as an active interface with an up link [ 1497.650174][T10432] bond0: (slave bond_slave_1): Enslaving as an active interface with an up link [ 1497.667047][T10430] bridge0: port 1(bridge_slave_0) entered blocking state [ 1497.674114][T10430] bridge0: port 1(bridge_slave_0) entered disabled state [ 1497.681760][T10430] 
device bridge_slave_0 entered promiscuous mode [ 1497.689403][T10430] bridge0: port 2(bridge_slave_1) entered blocking state [ 1497.696619][T10430] bridge0: port 2(bridge_slave_1) entered disabled state [ 1497.704291][T10430] device bridge_slave_1 entered promiscuous mode [ 1497.712157][T10427] bond0: (slave bond_slave_1): Enslaving as an active interface with an up link [ 1497.727539][T10429] bridge0: port 1(bridge_slave_0) entered blocking state [ 1497.734823][T10429] bridge0: port 1(bridge_slave_0) entered disabled state [ 1497.742586][T10429] device bridge_slave_0 entered promiscuous mode [ 1497.752738][T10429] bridge0: port 2(bridge_slave_1) entered blocking state [ 1497.759875][T10429] bridge0: port 2(bridge_slave_1) entered disabled state [ 1497.767730][T10429] device bridge_slave_1 entered promiscuous mode [ 1497.786199][T10430] bond0: (slave bond_slave_0): Enslaving as an active interface with an up link [ 1497.800474][T10425] team0: Port device team_slave_0 added [ 1497.807718][T10425] team0: Port device team_slave_1 added [ 1497.820312][T10427] team0: Port device team_slave_0 added [ 1497.826986][T10430] bond0: (slave bond_slave_1): Enslaving as an active interface with an up link [ 1497.841256][T10432] team0: Port device team_slave_0 added [ 1497.848379][T10432] team0: Port device team_slave_1 added [ 1497.863863][T10427] team0: Port device team_slave_1 added [ 1497.926857][T10425] device hsr_slave_0 entered promiscuous mode [ 1497.985523][T10425] device hsr_slave_1 entered promiscuous mode [ 1498.045189][T10425] debugfs: Directory 'hsr0' with parent '/' already present! 
[ 1498.053845][T10429] bond0: (slave bond_slave_0): Enslaving as an active interface with an up link [ 1498.064099][T10429] bond0: (slave bond_slave_1): Enslaving as an active interface with an up link [ 1498.074306][T10430] team0: Port device team_slave_0 added [ 1498.126684][T10427] device hsr_slave_0 entered promiscuous mode [ 1498.165559][T10427] device hsr_slave_1 entered promiscuous mode [ 1498.215241][T10427] debugfs: Directory 'hsr0' with parent '/' already present! [ 1498.223006][ T22] bridge0: port 1(bridge_slave_0) entered disabled state [ 1498.241007][ T22] bridge0: port 2(bridge_slave_1) entered disabled state [ 1498.264058][T10430] team0: Port device team_slave_1 added [ 1498.306723][T10432] device hsr_slave_0 entered promiscuous mode [ 1498.365390][T10432] device hsr_slave_1 entered promiscuous mode [ 1498.435246][T10432] debugfs: Directory 'hsr0' with parent '/' already present! [ 1498.498040][T10430] device hsr_slave_0 entered promiscuous mode [ 1498.545521][T10430] device hsr_slave_1 entered promiscuous mode [ 1498.585210][T10430] debugfs: Directory 'hsr0' with parent '/' already present! [ 1498.593566][T10429] team0: Port device team_slave_0 added [ 1498.603016][T10429] team0: Port device team_slave_1 added [ 1498.614223][T10422] 8021q: adding VLAN 0 to HW filter on device bond0 [ 1498.697931][T10429] device hsr_slave_0 entered promiscuous mode [ 1498.735491][T10429] device hsr_slave_1 entered promiscuous mode [ 1498.775227][T10429] debugfs: Directory 'hsr0' with parent '/' already present! 
[ 1498.794050][T10422] 8021q: adding VLAN 0 to HW filter on device team0 [ 1498.810576][ T17] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready [ 1498.818714][ T17] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready [ 1498.838186][ T3020] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready [ 1498.846950][ T3020] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready [ 1498.855527][ T3020] bridge0: port 1(bridge_slave_0) entered blocking state [ 1498.862568][ T3020] bridge0: port 1(bridge_slave_0) entered forwarding state [ 1498.870483][ T3020] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready [ 1498.878960][ T3020] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready [ 1498.887448][ T3020] bridge0: port 2(bridge_slave_1) entered blocking state [ 1498.894482][ T3020] bridge0: port 2(bridge_slave_1) entered forwarding state [ 1498.902043][ T3020] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bond: link becomes ready [ 1498.930573][T10430] 8021q: adding VLAN 0 to HW filter on device bond0 [ 1498.948452][ T3020] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bond: link becomes ready [ 1498.957547][ T3020] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_team: link becomes ready [ 1498.966368][ T3020] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready [ 1498.974602][ T3020] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_team: link becomes ready [ 1498.983024][ T3020] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready [ 1498.991573][ T3020] IPv6: ADDRCONF(NETDEV_CHANGE): team0: link becomes ready [ 1499.010232][T10430] 8021q: adding VLAN 0 to HW filter on device team0 [ 1499.019200][T10427] 8021q: adding VLAN 0 to HW filter on device bond0 [ 1499.032767][T10422] hsr0: Slave A (hsr_slave_0) is not up; please bring it up to get a fully working HSR network [ 1499.044729][T10422] hsr0: Slave B (hsr_slave_1) is not up; please bring it up to get a fully working HSR network [ 1499.063418][ T17] IPv6: 
ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready [ 1499.074195][ T17] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready [ 1499.081944][ T17] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_hsr: link becomes ready [ 1499.090563][ T17] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready [ 1499.098911][ T17] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_hsr: link becomes ready [ 1499.107619][ T17] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready [ 1499.116174][ T17] IPv6: ADDRCONF(NETDEV_CHANGE): hsr0: link becomes ready [ 1499.130703][T10427] 8021q: adding VLAN 0 to HW filter on device team0 [ 1499.144222][T10432] 8021q: adding VLAN 0 to HW filter on device bond0 [ 1499.155391][T10443] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready [ 1499.163124][T10443] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready [ 1499.176984][T10445] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready [ 1499.186933][T10445] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready [ 1499.195728][T10445] bridge0: port 1(bridge_slave_0) entered blocking state [ 1499.202764][T10445] bridge0: port 1(bridge_slave_0) entered forwarding state [ 1499.216314][T10425] 8021q: adding VLAN 0 to HW filter on device bond0 [ 1499.236205][T10422] 8021q: adding VLAN 0 to HW filter on device batadv0 [ 1499.249138][ T3020] IPv6: ADDRCONF(NETDEV_CHANGE): bridge0: link becomes ready [ 1499.258214][ T3020] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready [ 1499.267347][ T3020] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready [ 1499.274971][ T3020] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready [ 1499.283668][ T3020] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready [ 1499.292542][ T3020] bridge0: port 1(bridge_slave_0) entered blocking state [ 1499.299607][ T3020] bridge0: port 1(bridge_slave_0) entered forwarding state [ 1499.307959][ T3020] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes 
ready [ 1499.316497][ T3020] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready [ 1499.324713][ T3020] bridge0: port 2(bridge_slave_1) entered blocking state [ 1499.331780][ T3020] bridge0: port 2(bridge_slave_1) entered forwarding state [ 1499.339269][ T3020] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bond: link becomes ready [ 1499.348759][ T3020] IPv6: ADDRCONF(NETDEV_CHANGE): bridge0: link becomes ready [ 1499.358693][T10425] 8021q: adding VLAN 0 to HW filter on device team0 [ 1499.373164][T10432] 8021q: adding VLAN 0 to HW filter on device team0 [ 1499.380815][ T17] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bond: link becomes ready [ 1499.393117][ T17] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready [ 1499.401284][ T17] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready [ 1499.409289][ T17] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready [ 1499.417922][ T17] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready [ 1499.426358][ T17] bridge0: port 2(bridge_slave_1) entered blocking state [ 1499.433389][ T17] bridge0: port 2(bridge_slave_1) entered forwarding state [ 1499.446651][T10429] 8021q: adding VLAN 0 to HW filter on device bond0 [ 1499.476368][T10443] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bond: link becomes ready [ 1499.484910][T10443] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready [ 1499.493335][ T27] audit: type=1400 audit(1564721275.445:39): avc: denied { associate } for pid=10422 comm="syz-executor.3" name="syz3" scontext=unconfined_u:object_r:unlabeled_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=filesystem permissive=1 [ 1499.518840][T10443] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready [ 1499.530607][T10443] bridge0: port 1(bridge_slave_0) entered blocking state [ 1499.537777][T10443] bridge0: port 1(bridge_slave_0) entered forwarding state [ 1499.545654][T10443] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bond: link becomes ready [ 
1499.554047][T10443] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready [ 1499.562531][T10443] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready [ 1499.570955][T10443] bridge0: port 2(bridge_slave_1) entered blocking state [ 1499.578041][T10443] bridge0: port 2(bridge_slave_1) entered forwarding state [ 1499.585640][T10443] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_team: link becomes ready [ 1499.593979][T10443] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready [ 1499.602454][T10443] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bond: link becomes ready [ 1499.610931][T10443] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_team: link becomes ready [ 1499.619415][T10443] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready [ 1499.627831][T10443] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bond: link becomes ready [ 1499.636376][T10443] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_hsr: link becomes ready [ 1499.644522][T10443] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready [ 1499.652811][T10443] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_team: link becomes ready [ 1499.661323][T10443] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready [ 1499.669690][T10443] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_team: link becomes ready [ 1499.678118][T10443] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready [ 1499.686580][T10443] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_team: link becomes ready [ 1499.694938][T10443] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready [ 1499.703295][T10443] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_team: link becomes ready [ 1499.711714][T10443] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready [ 1499.720223][T10443] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready [ 1499.728878][T10443] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready [ 1499.737389][T10443] bridge0: port 1(bridge_slave_0) entered blocking state [ 
1499.744413][T10443] bridge0: port 1(bridge_slave_0) entered forwarding state [ 1499.752002][T10443] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready [ 1499.760906][T10443] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready [ 1499.769244][T10443] bridge0: port 2(bridge_slave_1) entered blocking state [ 1499.776324][T10443] bridge0: port 2(bridge_slave_1) entered forwarding state [ 1499.784341][T10443] IPv6: ADDRCONF(NETDEV_CHANGE): bridge0: link becomes ready [ 1499.792711][T10443] IPv6: ADDRCONF(NETDEV_CHANGE): team0: link becomes ready [ 1499.800585][T10443] IPv6: ADDRCONF(NETDEV_CHANGE): team0: link becomes ready [ 1499.808518][T10443] IPv6: ADDRCONF(NETDEV_CHANGE): team0: link becomes ready [ 1499.816647][T10443] IPv6: ADDRCONF(NETDEV_CHANGE): bridge0: link becomes ready [ 1499.830364][T10430] hsr0: Slave A (hsr_slave_0) is not up; please bring it up to get a fully working HSR network [ 1499.840958][T10430] hsr0: Slave B (hsr_slave_1) is not up; please bring it up to get a fully working HSR network [ 1499.857468][T10425] hsr0: Slave A (hsr_slave_0) is not up; please bring it up to get a fully working HSR network [ 1499.868526][T10425] hsr0: Slave B (hsr_slave_1) is not up; please bring it up to get a fully working HSR network [ 1499.886874][T10429] 8021q: adding VLAN 0 to HW filter on device team0 [ 1499.906762][T10427] hsr0: Slave B (hsr_slave_1) is not up; please bring it up to get a fully working HSR network [ 1499.919969][T10427] IPv6: ADDRCONF(NETDEV_CHANGE): hsr0: link becomes ready [ 1499.930656][ T12] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_hsr: link becomes ready [ 1499.940586][ T12] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready [ 1499.950018][ T12] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bond: link becomes ready [ 1499.960368][ T12] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_hsr: link becomes ready [ 1499.968806][ T12] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready [ 1499.979719][ T12] 
IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bond: link becomes ready [ 1499.988254][ T12] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_hsr: link becomes ready [ 1499.997155][ T12] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready [ 1500.007113][ T12] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_hsr: link becomes ready [ 1500.015369][ T12] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready [ 1500.023454][ T12] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready [ 1500.031095][ T12] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready [ 1500.038799][ T12] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready [ 1500.047327][ T12] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready [ 1500.055817][ T12] bridge0: port 1(bridge_slave_0) entered blocking state [ 1500.062848][ T12] bridge0: port 1(bridge_slave_0) entered forwarding state [ 1500.070414][ T12] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_hsr: link becomes ready [ 1500.078652][ T12] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready [ 1500.086826][ T12] IPv6: ADDRCONF(NETDEV_CHANGE): hsr0: link becomes ready [ 1500.094332][ T12] IPv6: ADDRCONF(NETDEV_CHANGE): hsr0: link becomes ready [ 1500.101921][ T12] IPv6: ADDRCONF(NETDEV_CHANGE): bridge0: link becomes ready [ 1500.125301][ T22] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_team: link becomes ready [ 1500.133768][ T22] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready [ 1500.148527][ T22] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_team: link becomes ready [ 1500.157497][ T22] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready [ 1500.168540][ T22] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_hsr: link becomes ready [ 1500.177043][ T22] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready [ 1500.185815][ T22] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_hsr: link becomes ready [ 1500.195653][ T22] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready [ 1500.213064][T10427] 
8021q: adding VLAN 0 to HW filter on device batadv0 [ 1500.242645][T10425] 8021q: adding VLAN 0 to HW filter on device batadv0 [ 1500.257088][ T22] IPv6: ADDRCONF(NETDEV_CHANGE): team0: link becomes ready [ 1500.268925][ T22] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready [ 1500.279668][ T22] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready [ 1500.292630][ T22] bridge0: port 2(bridge_slave_1) entered blocking state [ 1500.299732][ T22] bridge0: port 2(bridge_slave_1) entered forwarding state [ 1500.307869][ T22] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bond: link becomes ready [ 1500.316510][ T22] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bond: link becomes ready [ 1500.331640][T10429] hsr0: Slave A (hsr_slave_0) is not up; please bring it up to get a fully working HSR network [ 1500.342663][T10429] hsr0: Slave B (hsr_slave_1) is not up; please bring it up to get a fully working HSR network [ 1500.367465][T10432] 8021q: adding VLAN 0 to HW filter on device batadv0 [ 1500.378340][T10430] 8021q: adding VLAN 0 to HW filter on device batadv0 [ 1500.395835][ T12] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_team: link becomes ready [ 1500.404341][ T12] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready [ 1500.422113][ T12] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_team: link becomes ready [ 1500.448214][ T12] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready [ 1500.457536][ T12] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_hsr: link becomes ready [ 1500.466468][ T12] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready [ 1500.476193][ T12] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_hsr: link becomes ready [ 1500.484445][ T12] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready [ 1500.492807][ T12] IPv6: ADDRCONF(NETDEV_CHANGE): team0: link becomes ready [ 1500.500832][ T12] IPv6: ADDRCONF(NETDEV_CHANGE): hsr0: link becomes ready [ 1500.534533][T10429] 8021q: adding VLAN 0 to HW filter on device batadv0 [ 
1501.076930][ T21] Bluetooth: Error in BCSP hdr checksum [ 1501.082579][ T21] Bluetooth: Error in BCSP hdr checksum [ 1502.795296][T10443] Bluetooth: hci1: command 0x1003 tx timeout [ 1502.801369][T10443] Bluetooth: hci0: command 0x1003 tx timeout [ 1502.802471][T10534] Bluetooth: hci1: sending frame failed (-49) [ 1502.813582][T10534] Bluetooth: hci0: sending frame failed (-49) [ 1502.875378][T10443] Bluetooth: hci2: command 0x1003 tx timeout [ 1502.875384][ T12] Bluetooth: hci4: command 0x1003 tx timeout [ 1502.875403][ T12] Bluetooth: hci3: command 0x1003 tx timeout [ 1502.883417][T10534] Bluetooth: hci4: sending frame failed (-49) [ 1502.887566][T10555] Bluetooth: hci2: sending frame failed (-49) [ 1502.893916][T10534] Bluetooth: hci3: sending frame failed (-49) [ 1503.205240][ T12] Bluetooth: hci5: command 0x1003 tx timeout [ 1503.211390][T10534] Bluetooth: hci5: sending frame failed (-49) [ 1504.875788][ T12] Bluetooth: hci0: command 0x1001 tx timeout [ 1504.881887][ T12] Bluetooth: hci1: command 0x1001 tx timeout [ 1504.881943][T10534] Bluetooth: hci0: sending frame failed (-49) [ 1504.888430][T10556] Bluetooth: hci1: sending frame failed (-49) [ 1504.955341][T10443] Bluetooth: hci3: command 0x1001 tx timeout [ 1504.955610][ T12] Bluetooth: hci2: command 0x1001 tx timeout [ 1504.961403][T10443] Bluetooth: hci4: command 0x1001 tx timeout [ 1504.967463][T10556] Bluetooth: hci3: sending frame failed (-49) [ 1504.976307][T10534] Bluetooth: hci4: sending frame failed (-49) [ 1504.979537][T10556] Bluetooth: hci2: sending frame failed (-49) [ 1505.275413][T10443] Bluetooth: hci5: command 0x1001 tx timeout [ 1505.281547][T10556] Bluetooth: hci5: sending frame failed (-49) [ 1506.955177][T10443] Bluetooth: hci0: command 0x1009 tx timeout [ 1506.955183][ T12] Bluetooth: hci1: command 0x1009 tx timeout [ 1507.035149][T10443] Bluetooth: hci4: command 0x1009 tx timeout [ 1507.035162][ T12] Bluetooth: hci2: command 0x1009 tx timeout [ 1507.035185][ T12] Bluetooth: hci3: 
command 0x1009 tx timeout [ 1507.355177][ T12] Bluetooth: hci5: command 0x1009 tx timeout 2019/08/02 04:48:07 executed programs: 11 [ 1511.116719][T10531] ================================================================== [ 1511.124832][T10531] BUG: KASAN: use-after-free in kfree_skb+0x38/0x3c0 [ 1511.131491][T10531] Read of size 4 at addr ffff88808b4f5614 by task syz-executor.1/10531 [ 1511.131494][T10531] [ 1511.131507][T10531] CPU: 1 PID: 10531 Comm: syz-executor.1 Not tainted 5.3.0-rc2+ #86 [ 1511.131513][T10531] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 1511.131517][T10531] Call Trace: [ 1511.131536][T10531] dump_stack+0x172/0x1f0 [ 1511.131548][T10531] ? kfree_skb+0x38/0x3c0 [ 1511.131565][T10531] print_address_description.cold+0xd4/0x306 [ 1511.131577][T10531] ? kfree_skb+0x38/0x3c0 [ 1511.131588][T10531] ? kfree_skb+0x38/0x3c0 [ 1511.131599][T10531] __kasan_report.cold+0x1b/0x36 [ 1511.131609][T10531] ? kfree_skb+0x38/0x3c0 [ 1511.131630][T10531] kasan_report+0x12/0x17 [ 1511.150129][T10531] check_memory_region+0x134/0x1a0 [ 1511.150142][T10531] __kasan_check_read+0x11/0x20 [ 1511.150155][T10531] kfree_skb+0x38/0x3c0 [ 1511.150170][T10531] bcsp_close+0xc7/0x130 [ 1511.150187][T10531] hci_uart_tty_close+0x21e/0x280 [ 1511.167837][T10531] ? hci_uart_close+0x50/0x50 [ 1511.178090][T10531] tty_ldisc_close.isra.0+0x119/0x190 [ 1511.178103][T10531] tty_ldisc_kill+0x9c/0x160 [ 1511.178115][T10531] tty_ldisc_release+0xe9/0x2b0 [ 1511.178127][T10531] tty_release_struct+0x1b/0x50 [ 1511.178137][T10531] tty_release+0xbcb/0xe90 [ 1511.178156][T10531] __fput+0x2ff/0x890 [ 1511.178168][T10531] ? put_tty_driver+0x20/0x20 [ 1511.178186][T10531] ____fput+0x16/0x20 [ 1511.186809][T10531] task_work_run+0x145/0x1c0 [ 1511.196028][T10531] do_exit+0x92f/0x2e50 [ 1511.196042][T10531] ? mm_update_next_owner+0x640/0x640 [ 1511.196058][T10531] ? __kasan_check_write+0x14/0x20 [ 1511.196072][T10531] ? 
lock_downgrade+0x920/0x920 [ 1511.196085][T10531] ? rwlock_bug.part.0+0x90/0x90 [ 1511.196097][T10531] ? get_signal+0x20e/0x2500 [ 1511.196110][T10531] do_group_exit+0x135/0x360 [ 1511.196129][T10531] get_signal+0x47c/0x2500 [ 1511.205525][T10531] ? lock_downgrade+0x920/0x920 [ 1511.205540][T10531] ? __might_fault+0xfb/0x1e0 [ 1511.205560][T10531] do_signal+0x87/0x1700 [ 1511.218738][T10531] ? __kasan_check_read+0x11/0x20 [ 1511.218752][T10531] ? _copy_to_user+0x118/0x160 [ 1511.218770][T10531] ? setup_sigcontext+0x7d0/0x7d0 [ 1511.218790][T10531] ? do_futex+0x1dc0/0x1dc0 [ 1511.228457][T10531] ? trace_hardirqs_on+0x67/0x240 [ 1511.238369][T10531] exit_to_usermode_loop+0x286/0x380 [ 1511.238383][T10531] do_syscall_64+0x5a9/0x6a0 [ 1511.238399][T10531] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 1511.238415][T10531] RIP: 0033:0x459829 [ 1511.248061][T10531] Code: dd fe ff ff cc cc cc cc cc cc cc cc cc cc cc cc cc 64 48 8b 0c 25 f8 ff ff ff 48 3b 61 10 76 68 48 83 ec 28 48 89 6c 24 20 48 <8d> 6c 24 20 48 8b 44 24 30 48 89 04 24 48 8b 4c 24 38 48 89 4c 24 [ 1511.248068][T10531] RSP: 002b:00007f3415b32cf8 EFLAGS: 00000246 ORIG_RAX: 00000000000000ca [ 1511.248079][T10531] RAX: fffffffffffffe00 RBX: 000000000075bfd0 RCX: 0000000000459829 [ 1511.248085][T10531] RDX: 0000000000000000 RSI: 0000000000000080 RDI: 000000000075bfd0 [ 1511.248091][T10531] RBP: 000000000075bfc8 R08: 0000000000000000 R09: 0000000000000000 [ 1511.248097][T10531] R10: 0000000000000000 R11: 0000000000000246 R12: 000000000075bfd4 [ 1511.248105][T10531] R13: 00007ffdaaf81d3f R14: 00007f3415b339c0 R15: 000000000075bfd4 [ 1511.248117][T10531] [ 1511.248123][T10531] Allocated by task 21: [ 1511.248143][T10531] save_stack+0x23/0x90 [ 1511.254695][T10522] kobject: 'rfkill6' (0000000013620dfc): calling ktype release [ 1511.256489][T10531] __kasan_kmalloc.constprop.0+0xcf/0xe0 [ 1511.256500][T10531] kasan_slab_alloc+0xf/0x20 [ 1511.256510][T10531] kmem_cache_alloc_node+0x138/0x740 [ 1511.256522][T10531] 
__alloc_skb+0xd5/0x5e0
[ 1511.256534][T10531] bcsp_recv+0x8c1/0x13a0
[ 1511.256549][T10531] hci_uart_tty_receive+0x279/0x790
[ 1511.261210][T10522] kobject: 'rfkill6': free name
[ 1511.265156][T10531] tty_ldisc_receive_buf+0x15f/0x1c0
[ 1511.265168][T10531] tty_port_default_receive_buf+0x7d/0xb0
[ 1511.265178][T10531] flush_to_ldisc+0x222/0x390
[ 1511.265192][T10531] process_one_work+0x9af/0x1740
[ 1511.265202][T10531] worker_thread+0x98/0xe40
[ 1511.265218][T10531] kthread+0x361/0x430
[ 1511.273611][T10499] kobject: 'rfkill5' (00000000d9392d46): kobject_cleanup, parent 00000000f6e0c7be
[ 1511.273923][T10531] ret_from_fork+0x24/0x30
[ 1511.279497][T10499] kobject: 'rfkill5' (00000000d9392d46): calling ktype release
[ 1511.284345][T10531]
[ 1511.291542][T10522] kobject: 'hci1' (00000000c414a481): kobject_uevent_env
[ 1511.294083][T10531] Freed by task 21:
[ 1511.298698][T10506] kobject: 'rfkill8': free name
[ 1511.303238][T10531] save_stack+0x23/0x90
[ 1511.309832][T10522] kobject: 'hci1' (00000000c414a481): fill_kobj_path: path = '/devices/virtual/bluetooth/hci1'
[ 1511.312448][T10531] __kasan_slab_free+0x102/0x150
[ 1511.317210][T10506] kobject: 'hci3' (000000000683a0a1): kobject_uevent_env
[ 1511.321311][T10531] kasan_slab_free+0xe/0x10
[ 1511.328490][T10499] kobject: 'rfkill5': free name
[ 1511.331048][T10531] kmem_cache_free+0x86/0x320
[ 1511.337861][T10522] kobject: 'hci1' (00000000c414a481): kobject_cleanup, parent 00000000f6e0c7be
[ 1511.340534][T10531] kfree_skbmem+0xc5/0x150
[ 1511.347833][T10499] kobject: 'hci0' (00000000e9946c33): kobject_uevent_env
[ 1511.350791][T10531] kfree_skb+0x109/0x3c0
[ 1511.355620][T10506] kobject: 'hci3' (000000000683a0a1): fill_kobj_path: path = '/devices/virtual/bluetooth/hci3'
[ 1511.361248][T10531] bcsp_recv+0x2d8/0x13a0
[ 1511.367332][T10522] kobject: 'hci1' (00000000c414a481): calling ktype release
[ 1511.384725][T10531] hci_uart_tty_receive+0x279/0x790
[ 1511.384741][T10531] tty_ldisc_receive_buf+0x15f/0x1c0
[ 1511.384763][T10531] tty_port_default_receive_buf+0x7d/0xb0
[ 1511.384772][T10531] flush_to_ldisc+0x222/0x390
[ 1511.384784][T10531] process_one_work+0x9af/0x1740
[ 1511.384793][T10531] worker_thread+0x98/0xe40
[ 1511.384802][T10531] kthread+0x361/0x430
[ 1511.384813][T10531] ret_from_fork+0x24/0x30
[ 1511.384818][T10531]
[ 1511.384827][T10531] The buggy address belongs to the object at ffff88808b4f5540
[ 1511.384827][T10531] which belongs to the cache skbuff_head_cache of size 224
[ 1511.384836][T10531] The buggy address is located 212 bytes inside of
[ 1511.384836][T10531] 224-byte region [ffff88808b4f5540, ffff88808b4f5620)
[ 1511.384839][T10531] The buggy address belongs to the page:
[ 1511.384850][T10531] page:ffffea00022d3d40 refcount:1 mapcount:0 mapping:ffff88821bb131c0 index:0x0
[ 1511.384861][T10531] flags: 0x1fffc0000000200(slab)
[ 1511.384879][T10531] raw: 01fffc0000000200 ffffea00022ccd48 ffffea0001e96088 ffff88821bb131c0
[ 1511.384891][T10531] raw: 0000000000000000 ffff88808b4f5040 000000010000000c 0000000000000000
[ 1511.384895][T10531] page dumped because: kasan: bad access detected
[ 1511.384897][T10531]
[ 1511.384900][T10531] Memory state around the buggy address:
[ 1511.384909][T10531] ffff88808b4f5500: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
[ 1511.384922][T10531] ffff88808b4f5580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 1511.395657][T10499] kobject: 'hci0' (00000000e9946c33): fill_kobj_path: path = '/devices/virtual/bluetooth/hci0'
[ 1511.401627][T10531] >ffff88808b4f5600: fb fb fb fb fc fc fc fc fc fc fc fc fc fc fc fc
[ 1511.412609][T10506] kobject: 'hci3' (000000000683a0a1): kobject_cleanup, parent 00000000f6e0c7be
[ 1511.417526][T10531] ^
[ 1511.417538][T10531] ffff88808b4f5680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 1511.417545][T10531] ffff88808b4f5700: fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
[ 1511.417549][T10531] ==================================================================
[ 1511.421155][T10531] Kernel panic - not syncing: panic_on_warn set ...
[ 1511.429555][T10499] kobject: 'hci0' (00000000e9946c33): kobject_cleanup, parent 00000000f6e0c7be
[ 1511.433553][T10531] CPU: 1 PID: 10531 Comm: syz-executor.1 Tainted: G B 5.3.0-rc2+ #86
[ 1511.435935][T10506] kobject: 'hci3' (000000000683a0a1): calling ktype release
[ 1511.439995][T10531] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 1511.444198][T10506] kobject: 'hci3': free name
[ 1511.451755][T10531] Call Trace:
[ 1511.451779][T10531] dump_stack+0x172/0x1f0
[ 1511.451797][T10531] panic+0x2dc/0x755
[ 1511.451808][T10531] ? add_taint.cold+0x16/0x16
[ 1511.451823][T10531] ? kfree_skb+0x38/0x3c0
[ 1511.451837][T10531] ? preempt_schedule+0x4b/0x60
[ 1511.451857][T10531] ? ___preempt_schedule+0x16/0x20
[ 1511.459692][T10499] kobject: 'hci0' (00000000e9946c33): calling ktype release
[ 1511.462035][T10531] ? trace_hardirqs_on+0x5e/0x240
[ 1511.467376][T10522] kobject: 'hci1': free name
[ 1511.471601][T10531] ? kfree_skb+0x38/0x3c0
[ 1511.478160][T10499] kobject: 'hci0': free name
[ 1511.481078][T10531] end_report+0x47/0x4f
[ 1511.490160][T10506] ==================================================================
[ 1511.491198][T10531] ? kfree_skb+0x38/0x3c0
[ 1511.496889][T10506] BUG: KASAN: double-free or invalid-free in skb_free_head+0x93/0xb0
[ 1511.501541][T10531] __kasan_report.cold+0xe/0x36
[ 1511.506449][T10506]
[ 1511.510935][T10531] ? kfree_skb+0x38/0x3c0
[ 1511.971272][T10531] kasan_report+0x12/0x17
[ 1511.975592][T10531] check_memory_region+0x134/0x1a0
[ 1511.980704][T10531] __kasan_check_read+0x11/0x20
[ 1511.985548][T10531] kfree_skb+0x38/0x3c0
[ 1511.989701][T10531] bcsp_close+0xc7/0x130
[ 1511.994644][T10531] hci_uart_tty_close+0x21e/0x280
[ 1511.999657][T10531] ? hci_uart_close+0x50/0x50
[ 1512.004329][T10531] tty_ldisc_close.isra.0+0x119/0x190
[ 1512.009696][T10531] tty_ldisc_kill+0x9c/0x160
[ 1512.014276][T10531] tty_ldisc_release+0xe9/0x2b0
[ 1512.019134][T10531] tty_release_struct+0x1b/0x50
[ 1512.023973][T10531] tty_release+0xbcb/0xe90
[ 1512.028385][T10531] __fput+0x2ff/0x890
[ 1512.032359][T10531] ? put_tty_driver+0x20/0x20
[ 1512.037024][T10531] ____fput+0x16/0x20
[ 1512.040995][T10531] task_work_run+0x145/0x1c0
[ 1512.045578][T10531] do_exit+0x92f/0x2e50
[ 1512.049727][T10531] ? mm_update_next_owner+0x640/0x640
[ 1512.055106][T10531] ? __kasan_check_write+0x14/0x20
[ 1512.062985][T10531] ? lock_downgrade+0x920/0x920
[ 1512.067826][T10531] ? rwlock_bug.part.0+0x90/0x90
[ 1512.072753][T10531] ? get_signal+0x20e/0x2500
[ 1512.077333][T10531] do_group_exit+0x135/0x360
[ 1512.081919][T10531] get_signal+0x47c/0x2500
[ 1512.086325][T10531] ? lock_downgrade+0x920/0x920
[ 1512.091169][T10531] ? __might_fault+0xfb/0x1e0
[ 1512.095856][T10531] do_signal+0x87/0x1700
[ 1512.100090][T10531] ? __kasan_check_read+0x11/0x20
[ 1512.105103][T10531] ? _copy_to_user+0x118/0x160
[ 1512.109856][T10531] ? setup_sigcontext+0x7d0/0x7d0
[ 1512.114876][T10531] ? do_futex+0x1dc0/0x1dc0
[ 1512.119369][T10531] ? trace_hardirqs_on+0x67/0x240
[ 1512.124387][T10531] exit_to_usermode_loop+0x286/0x380
[ 1512.129665][T10531] do_syscall_64+0x5a9/0x6a0
[ 1512.134251][T10531] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 1512.140129][T10531] RIP: 0033:0x459829
[ 1512.144030][T10531] Code: Bad RIP value.
[ 1512.148082][T10531] RSP: 002b:00007f3415b32cf8 EFLAGS: 00000246 ORIG_RAX: 00000000000000ca
[ 1512.156503][T10531] RAX: fffffffffffffe00 RBX: 000000000075bfd0 RCX: 0000000000459829
[ 1512.164465][T10531] RDX: 0000000000000000 RSI: 0000000000000080 RDI: 000000000075bfd0
[ 1512.172417][T10531] RBP: 000000000075bfc8 R08: 0000000000000000 R09: 0000000000000000
[ 1512.180383][T10531] R10: 0000000000000000 R11: 0000000000000246 R12: 000000000075bfd4
[ 1512.188340][T10531] R13: 00007ffdaaf81d3f R14: 00007f3415b339c0 R15: 000000000075bfd4
[ 1512.196321][T10506] CPU: 0 PID: 10506 Comm: syz-executor.5 Tainted: G B 5.3.0-rc2+ #86
[ 1512.205710][T10506] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 1512.215741][T10506] Call Trace:
[ 1512.219025][T10506] dump_stack+0x172/0x1f0
[ 1512.223344][T10506] print_address_description.cold+0xd4/0x306
[ 1512.229305][T10506] ? skb_free_head+0x93/0xb0
[ 1512.233876][T10506] kasan_report_invalid_free+0x65/0xa0
[ 1512.239315][T10506] ? skb_free_head+0x93/0xb0
[ 1512.243887][T10506] __kasan_slab_free+0x13a/0x150
[ 1512.248804][T10506] ? skb_free_head+0x93/0xb0
[ 1512.253375][T10506] kasan_slab_free+0xe/0x10
[ 1512.257883][T10506] kfree+0x10a/0x2c0
[ 1512.261932][T10506] skb_free_head+0x93/0xb0
[ 1512.266334][T10506] skb_release_data+0x42d/0x7c0
[ 1512.271258][T10506] ? bcsp_close+0xc7/0x130
[ 1512.275655][T10506] skb_release_all+0x4d/0x60
[ 1512.280252][T10506] kfree_skb+0x101/0x3c0
[ 1512.284528][T10506] bcsp_close+0xc7/0x130
[ 1512.288773][T10506] hci_uart_tty_close+0x21e/0x280
[ 1512.293792][T10506] ? hci_uart_close+0x50/0x50
[ 1512.298451][T10506] tty_ldisc_close.isra.0+0x119/0x190
[ 1512.303809][T10506] tty_ldisc_kill+0x9c/0x160
[ 1512.308382][T10506] tty_ldisc_release+0xe9/0x2b0
[ 1512.313299][T10506] tty_release_struct+0x1b/0x50
[ 1512.318138][T10506] tty_release+0xbcb/0xe90
[ 1512.322538][T10506] __fput+0x2ff/0x890
[ 1512.326500][T10506] ? put_tty_driver+0x20/0x20
[ 1512.331155][T10506] ____fput+0x16/0x20
[ 1512.335117][T10506] task_work_run+0x145/0x1c0
[ 1512.339688][T10506] do_exit+0x92f/0x2e50
[ 1512.343824][T10506] ? finish_task_switch+0x147/0x720
[ 1512.348999][T10506] ? finish_task_switch+0x119/0x720
[ 1512.354177][T10506] ? trace_hardirqs_off+0x1f1/0x240
[ 1512.359358][T10506] ? mm_update_next_owner+0x640/0x640
[ 1512.364709][T10506] ? __kasan_check_write+0x14/0x20
[ 1512.369808][T10506] ? lock_downgrade+0x920/0x920
[ 1512.374644][T10506] ? rwlock_bug.part.0+0x90/0x90
[ 1512.379560][T10506] ? get_signal+0x20e/0x2500
[ 1512.384133][T10506] do_group_exit+0x135/0x360
[ 1512.388702][T10506] get_signal+0x47c/0x2500
[ 1512.393098][T10506] ? trace_hardirqs_on+0x67/0x240
[ 1512.398103][T10506] ? __kasan_check_read+0x11/0x20
[ 1512.403113][T10506] ? debug_object_free+0x1f9/0x390
[ 1512.408207][T10506] do_signal+0x87/0x1700
[ 1512.412435][T10506] ? nanosleep_copyout+0x110/0x110
[ 1512.417529][T10506] ? setup_sigcontext+0x7d0/0x7d0
[ 1512.422537][T10506] ? clock_was_set_work+0x30/0x30
[ 1512.427549][T10506] ? trace_hardirqs_on+0x67/0x240
[ 1512.432560][T10506] exit_to_usermode_loop+0x286/0x380
[ 1512.437828][T10506] do_syscall_64+0x5a9/0x6a0
[ 1512.442403][T10506] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 1512.448296][T10506] RIP: 0033:0x457cf1
[ 1512.452180][T10506] Code: 75 14 b8 23 00 00 00 0f 05 48 3d 01 f0 ff ff 0f 83 24 d3 fb ff c3 48 83 ec 08 e8 ea 46 00 00 48 89 04 24 b8 23 00 00 00 0f 05 <48> 8b 3c 24 48 89 c2 e8 33 47 00 00 48 89 d0 48 83 c4 08 48 3d 01
[ 1512.471764][T10506] RSP: 002b:00007ffc2e3e5590 EFLAGS: 00000293 ORIG_RAX: 0000000000000023
[ 1512.480157][T10506] RAX: 0000000000000000 RBX: 000000000016e920 RCX: 0000000000457cf1
[ 1512.488111][T10506] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 00007ffc2e3e55a0
[ 1512.496063][T10506] RBP: 0000000000000001 R08: ffffffffffffffff R09: ffffffffffffffff
[ 1512.504013][T10506] R10: 00007ffc2e3e5690 R11: 0000000000000293 R12: 000000000075bf20
[ 1512.511981][T10506] R13: 000000000075c9a0 R14: 0000000000760288 R15: ffffffffffffffff
[ 1512.519939][T10506]
[ 1512.522250][T10506] Allocated by task 21:
[ 1512.526411][T10506] save_stack+0x23/0x90
[ 1512.530633][T10506] __kasan_kmalloc.constprop.0+0xcf/0xe0
[ 1512.536244][T10506] kasan_kmalloc+0x9/0x10
[ 1512.540556][T10506] __kmalloc_node_track_caller+0x4e/0x70
[ 1512.546178][T10506] __kmalloc_reserve.isra.0+0x40/0xf0
[ 1512.551527][T10506] __alloc_skb+0x10b/0x5e0
[ 1512.555927][T10506] bcsp_recv+0x8c1/0x13a0
[ 1512.560253][T10506] hci_uart_tty_receive+0x279/0x790
[ 1512.565434][T10506] tty_ldisc_receive_buf+0x15f/0x1c0
[ 1512.570697][T10506] tty_port_default_receive_buf+0x7d/0xb0
[ 1512.576396][T10506] flush_to_ldisc+0x222/0x390
[ 1512.581057][T10506] process_one_work+0x9af/0x1740
[ 1512.585972][T10506] worker_thread+0x98/0xe40
[ 1512.590452][T10506] kthread+0x361/0x430
[ 1512.594499][T10506] ret_from_fork+0x24/0x30
[ 1512.598889][T10506]
[ 1512.601198][T10506] Freed by task 21:
[ 1512.604989][T10506] save_stack+0x23/0x90
[ 1512.609126][T10506] __kasan_slab_free+0x102/0x150
[ 1512.614046][T10506] kasan_slab_free+0xe/0x10
[ 1512.618528][T10506] kfree+0x10a/0x2c0
[ 1512.622410][T10506] skb_free_head+0x93/0xb0
[ 1512.626822][T10506] skb_release_data+0x42d/0x7c0
[ 1512.631654][T10506] skb_release_all+0x4d/0x60
[ 1512.636223][T10506] kfree_skb+0x101/0x3c0
[ 1512.640443][T10506] bcsp_recv+0x2d8/0x13a0
[ 1512.644753][T10506] hci_uart_tty_receive+0x279/0x790
[ 1512.649958][T10506] tty_ldisc_receive_buf+0x15f/0x1c0
[ 1512.655223][T10506] tty_port_default_receive_buf+0x7d/0xb0
[ 1512.660922][T10506] flush_to_ldisc+0x222/0x390
[ 1512.665581][T10506] process_one_work+0x9af/0x1740
[ 1512.670508][T10506] worker_thread+0x98/0xe40
[ 1512.674992][T10506] kthread+0x361/0x430
[ 1512.679042][T10506] ret_from_fork+0x24/0x30
[ 1512.683432][T10506]
[ 1512.685744][T10506] The buggy address belongs to the object at ffff88808c811c40
[ 1512.685744][T10506] which belongs to the cache kmalloc-8k of size 8192
[ 1512.699777][T10506] The buggy address is located 0 bytes inside of
[ 1512.699777][T10506] 8192-byte region [ffff88808c811c40, ffff88808c813c40)
[ 1512.712953][T10506] The buggy address belongs to the page:
[ 1512.718575][T10506] page:ffffea0002320400 refcount:1 mapcount:0 mapping:ffff8880aa4021c0 index:0x0 compound_mapcount: 0
[ 1512.729486][T10506] flags: 0x1fffc0000010200(slab|head)
[ 1512.734841][T10506] raw: 01fffc0000010200 ffffea000280bb08 ffffea0002622408 ffff8880aa4021c0
[ 1512.743410][T10506] raw: 0000000000000000 ffff88808c811c40 0000000100000001 0000000000000000
[ 1512.751968][T10506] page dumped because: kasan: bad access detected
[ 1512.758367][T10506]
[ 1512.760671][T10506] Memory state around the buggy address:
[ 1512.766283][T10506] ffff88808c811b00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 1512.774327][T10506] ffff88808c811b80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 1512.782375][T10506] >ffff88808c811c00: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
[ 1512.790414][T10506] ^
[ 1512.796545][T10506] ffff88808c811c80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 1512.804594][T10506] ffff88808c811d00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 1512.812630][T10506] ==================================================================
[ 1513.327845][T10531] Shutting down cpus with NMI
[ 1513.333518][T10531] Kernel Offset: disabled
[ 1513.337845][T10531] Rebooting in 86400 seconds..