[info] Using makefile-style concurrent boot in runlevel 2.
[ 60.010433][ T26] audit: type=1800 audit(1568563122.934:21): pid=9328 uid=0 auid=4294967295 ses=4294967295 subj=_ op=collect_data cause=failed(directio) comm="startpar" name="bootlogs" dev="sda1" ino=2419 res=0
[ 60.058595][ T26] audit: type=1800 audit(1568563122.934:22): pid=9328 uid=0 auid=4294967295 ses=4294967295 subj=_ op=collect_data cause=failed(directio) comm="startpar" name="motd" dev="sda1" ino=2447 res=0
[ ok ] Starting enhanced syslogd: rsyslogd.
[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.

Debian GNU/Linux 7 syzkaller ttyS0

Warning: Permanently added '10.128.0.237' (ECDSA) to the list of known hosts.
2019/09/15 16:13:58 parsed 1 programs
2019/09/15 16:14:00 executed programs: 0
syzkaller login: [ 977.197056][ T9493] IPVS: ftp: loaded support on port[0] = 21
[ 977.249623][ T9493] chnl_net:caif_netlink_parms(): no params data found
[ 977.270216][ T9493] bridge0: port 1(bridge_slave_0) entered blocking state
[ 977.277389][ T9493] bridge0: port 1(bridge_slave_0) entered disabled state
[ 977.285679][ T9493] device bridge_slave_0 entered promiscuous mode
[ 977.293422][ T9493] bridge0: port 2(bridge_slave_1) entered blocking state
[ 977.300572][ T9493] bridge0: port 2(bridge_slave_1) entered disabled state
[ 977.308333][ T9493] device bridge_slave_1 entered promiscuous mode
[ 977.322189][ T9493] bond0: (slave bond_slave_0): Enslaving as an active interface with an up link
[ 977.333054][ T9493] bond0: (slave bond_slave_1): Enslaving as an active interface with an up link
[ 977.347869][ T9493] team0: Port device team_slave_0 added
[ 977.354845][ T9493] team0: Port device team_slave_1 added
[ 977.409530][ T9493] device hsr_slave_0 entered promiscuous mode
[ 977.447965][ T9493] device hsr_slave_1 entered promiscuous mode
[ 977.522486][ T9493] bridge0: port 2(bridge_slave_1) entered blocking state
[ 977.529710][ T9493] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 977.536977][ T9493] bridge0: port 1(bridge_slave_0) entered blocking state
[ 977.544069][ T9493] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 977.567451][ T9493] 8021q: adding VLAN 0 to HW filter on device bond0
[ 977.577212][ T9495] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 977.596454][ T9495] bridge0: port 1(bridge_slave_0) entered disabled state
[ 977.604465][ T9495] bridge0: port 2(bridge_slave_1) entered disabled state
[ 977.612840][ T9495] IPv6: ADDRCONF(NETDEV_CHANGE): bond0: link becomes ready
[ 977.622512][ T9493] 8021q: adding VLAN 0 to HW filter on device team0
[ 977.631900][ T3518] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[ 977.640457][ T3518] bridge0: port 1(bridge_slave_0) entered blocking state
[ 977.647662][ T3518] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 977.658740][ T9495] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[ 977.667247][ T9495] bridge0: port 2(bridge_slave_1) entered blocking state
[ 977.674387][ T9495] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 977.685763][ T3580] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready
[ 977.695040][ T3580] IPv6: ADDRCONF(NETDEV_CHANGE): team0: link becomes ready
[ 977.704646][ T9495] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready
[ 977.715258][ T3580] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
[ 977.725417][ T9495] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
[ 977.735039][ T9493] IPv6: ADDRCONF(NETDEV_CHANGE): hsr0: link becomes ready
[ 977.749290][ T9493] 8021q: adding VLAN 0 to HW filter on device batadv0
[ 978.117827][ T2574] Bluetooth: Error in BCSP hdr checksum
[ 978.378356][ T2574] Bluetooth: Error in BCSP hdr checksum
[ 979.897709][ T3580] Bluetooth: hci0: command 0x1003 tx timeout
[ 979.903823][ T9509] Bluetooth: hci0: sending frame failed (-49)
[ 981.977747][ T9495] Bluetooth: hci0: command 0x1001 tx timeout
[ 981.983898][ T9509] Bluetooth: hci0: sending frame failed (-49)
[ 984.057703][ T3580] Bluetooth: hci0: command 0x1009 tx timeout
[ 987.978449][ T9505] ==================================================================
[ 987.986809][ T9505] BUG: KASAN: use-after-free in kfree_skb+0x2a/0xb0
[ 987.993389][ T9505] Read of size 4 at addr ffff888097065254 by task syz-executor.0/9505
[ 988.001514][ T9505] 
[ 988.004240][ T9505] CPU: 0 PID: 9505 Comm: syz-executor.0 Not tainted 5.3.0-rc8+ #0
[ 988.012189][ T9505] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 988.022317][ T9505] Call Trace:
[ 988.025664][ T9505]  dump_stack+0x1d8/0x2f8
[ 988.030014][ T9505]  print_address_description+0x75/0x5b0
[ 988.035567][ T9505]  ? vprintk_func+0x158/0x170
[ 988.040241][ T9505]  ? printk+0x62/0x8d
[ 988.044200][ T9505]  ? vprintk_emit+0x2d4/0x3a0
[ 988.048870][ T9505]  __kasan_report+0x14b/0x1c0
[ 988.053525][ T9505]  ? kfree_skb+0x2a/0xb0
[ 988.057738][ T9505]  kasan_report+0x26/0x50
[ 988.062041][ T9505]  check_memory_region+0x2cf/0x2e0
[ 988.067166][ T9505]  __kasan_check_read+0x11/0x20
[ 988.072021][ T9505]  kfree_skb+0x2a/0xb0
[ 988.076130][ T9505]  bcsp_close+0xb1/0xf0
[ 988.080374][ T9505]  hci_uart_tty_close+0x201/0x240
[ 988.085390][ T9505]  ? hci_uart_tty_open+0x340/0x340
[ 988.090524][ T9505]  tty_ldisc_close+0x128/0x1a0
[ 988.095272][ T9505]  tty_ldisc_release+0x248/0x5c0
[ 988.100199][ T9505]  tty_release_struct+0x2a/0xe0
[ 988.105136][ T9505]  tty_release+0xce9/0xfa0
[ 988.109578][ T9505]  ? tty_release_struct+0xe0/0xe0
[ 988.114645][ T9505]  __fput+0x2e4/0x740
[ 988.119156][ T9505]  ____fput+0x15/0x20
[ 988.123363][ T9505]  task_work_run+0x17e/0x1b0
[ 988.128054][ T9505]  prepare_exit_to_usermode+0x459/0x580
[ 988.133588][ T9505]  syscall_return_slowpath+0x113/0x4a0
[ 988.139118][ T9505]  do_syscall_64+0x126/0x140
[ 988.143753][ T9505]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 988.149638][ T9505] RIP: 0033:0x4135d1
[ 988.153509][ T9505] Code: 75 14 b8 03 00 00 00 0f 05 48 3d 01 f0 ff ff 0f 83 04 1b 00 00 c3 48 83 ec 08 e8 0a fc ff ff 48 89 04 24 b8 03 00 00 00 0f 05 <48> 8b 3c 24 48 89 c2 e8 53 fc ff ff 48 89 d0 48 83 c4 08 48 3d 01
[ 988.173200][ T9505] RSP: 002b:00007ffe8bb4f410 EFLAGS: 00000293 ORIG_RAX: 0000000000000003
[ 988.181776][ T9505] RAX: 0000000000000000 RBX: 0000000000000005 RCX: 00000000004135d1
[ 988.189732][ T9505] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000004
[ 988.198038][ T9505] RBP: 0000000000000001 R08: ffffffffffffffff R09: ffffffffffffffff
[ 988.206092][ T9505] R10: 00007ffe8bb4f4f0 R11: 0000000000000293 R12: 000000000075c9a0
[ 988.214153][ T9505] R13: 000000000075c9a0 R14: 00000000007603c0 R15: ffffffffffffffff
[ 988.222312][ T9505] 
[ 988.224622][ T9505] Allocated by task 2574:
[ 988.228929][ T9505]  __kasan_kmalloc+0x11c/0x1b0
[ 988.233697][ T9505]  kasan_slab_alloc+0xf/0x20
[ 988.238260][ T9505]  kmem_cache_alloc_node+0x235/0x280
[ 988.243525][ T9505]  __alloc_skb+0x9f/0x500
[ 988.247827][ T9505]  bcsp_recv+0x12e7/0x1720
[ 988.252310][ T9505]  hci_uart_tty_receive+0x16b/0x4f0
[ 988.257487][ T9505]  tty_ldisc_receive_buf+0x12e/0x170
[ 988.262770][ T9505]  tty_port_default_receive_buf+0x82/0xb0
[ 988.268608][ T9505]  flush_to_ldisc+0x328/0x560
[ 988.273270][ T9505]  process_one_work+0x7ef/0x10e0
[ 988.278206][ T9505]  worker_thread+0xc01/0x1630
[ 988.282886][ T9505]  kthread+0x332/0x350
[ 988.286940][ T9505]  ret_from_fork+0x24/0x30
[ 988.291351][ T9505] 
[ 988.293654][ T9505] Freed by task 2574:
[ 988.297716][ T9505]  __kasan_slab_free+0x12a/0x1e0
[ 988.302624][ T9505]  kasan_slab_free+0xe/0x10
[ 988.307098][ T9505]  kmem_cache_free+0x81/0xf0
[ 988.311661][ T9505]  __kfree_skb+0x118/0x170
[ 988.316220][ T9505]  kfree_skb+0x6f/0xb0
[ 988.320275][ T9505]  bcsp_recv+0x99c/0x1720
[ 988.324575][ T9505]  hci_uart_tty_receive+0x16b/0x4f0
[ 988.329844][ T9505]  tty_ldisc_receive_buf+0x12e/0x170
[ 988.335897][ T9505]  tty_port_default_receive_buf+0x82/0xb0
[ 988.341588][ T9505]  flush_to_ldisc+0x328/0x560
[ 988.346239][ T9505]  process_one_work+0x7ef/0x10e0
[ 988.351157][ T9505]  worker_thread+0xc01/0x1630
[ 988.355811][ T9505]  kthread+0x332/0x350
[ 988.359852][ T9505]  ret_from_fork+0x24/0x30
[ 988.364248][ T9505] 
[ 988.366550][ T9505] The buggy address belongs to the object at ffff888097065180
[ 988.366550][ T9505]  which belongs to the cache skbuff_head_cache of size 224
[ 988.381406][ T9505] The buggy address is located 212 bytes inside of
[ 988.381406][ T9505]  224-byte region [ffff888097065180, ffff888097065260)
[ 988.394768][ T9505] The buggy address belongs to the page:
[ 988.400386][ T9505] page:ffffea00025c1940 refcount:1 mapcount:0 mapping:ffff8880a9ff7700 index:0x0
[ 988.409475][ T9505] flags: 0x1fffc0000000200(slab)
[ 988.414387][ T9505] raw: 01fffc0000000200 ffffea000240d748 ffffea00025503c8 ffff8880a9ff7700
[ 988.423032][ T9505] raw: 0000000000000000 ffff888097065040 000000010000000c 0000000000000000
[ 988.431590][ T9505] page dumped because: kasan: bad access detected
[ 988.438150][ T9505] 
[ 988.440460][ T9505] Memory state around the buggy address:
[ 988.446161][ T9505]  ffff888097065100: fb fb fb fb fc fc fc fc fc fc fc fc fc fc fc fc
[ 988.454202][ T9505]  ffff888097065180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 988.462267][ T9505] >ffff888097065200: fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
[ 988.470325][ T9505]                                                  ^
[ 988.476986][ T9505]  ffff888097065280: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
[ 988.485035][ T9505]  ffff888097065300: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 988.493066][ T9505] ==================================================================
[ 988.502749][ T9505] Kernel panic - not syncing: panic_on_warn set ...
[ 988.509541][ T9505] CPU: 0 PID: 9505 Comm: syz-executor.0 Tainted: G    B             5.3.0-rc8+ #0
[ 988.518706][ T9505] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 988.528732][ T9505] Call Trace:
[ 988.532004][ T9505]  dump_stack+0x1d8/0x2f8
[ 988.536373][ T9505]  panic+0x25c/0x799
[ 988.540242][ T9505]  ? __kasan_report+0x195/0x1c0
[ 988.545086][ T9505]  ? trace_hardirqs_on+0x34/0x80
[ 988.549997][ T9505]  ? __kasan_report+0x195/0x1c0
[ 988.554818][ T9505]  __kasan_report+0x1bb/0x1c0
[ 988.559490][ T9505]  ? kfree_skb+0x2a/0xb0
[ 988.563713][ T9505]  kasan_report+0x26/0x50
[ 988.568111][ T9505]  check_memory_region+0x2cf/0x2e0
[ 988.573193][ T9505]  __kasan_check_read+0x11/0x20
[ 988.578012][ T9505]  kfree_skb+0x2a/0xb0
[ 988.582053][ T9505]  bcsp_close+0xb1/0xf0
[ 988.586181][ T9505]  hci_uart_tty_close+0x201/0x240
[ 988.591176][ T9505]  ? hci_uart_tty_open+0x340/0x340
[ 988.596260][ T9505]  tty_ldisc_close+0x128/0x1a0
[ 988.600994][ T9505]  tty_ldisc_release+0x248/0x5c0
[ 988.605917][ T9505]  tty_release_struct+0x2a/0xe0
[ 988.610739][ T9505]  tty_release+0xce9/0xfa0
[ 988.615126][ T9505]  ? tty_release_struct+0xe0/0xe0
[ 988.620134][ T9505]  __fput+0x2e4/0x740
[ 988.624090][ T9505]  ____fput+0x15/0x20
[ 988.628043][ T9505]  task_work_run+0x17e/0x1b0
[ 988.632607][ T9505]  prepare_exit_to_usermode+0x459/0x580
[ 988.638214][ T9505]  syscall_return_slowpath+0x113/0x4a0
[ 988.643641][ T9505]  do_syscall_64+0x126/0x140
[ 988.648206][ T9505]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 988.654072][ T9505] RIP: 0033:0x4135d1
[ 988.657947][ T9505] Code: 75 14 b8 03 00 00 00 0f 05 48 3d 01 f0 ff ff 0f 83 04 1b 00 00 c3 48 83 ec 08 e8 0a fc ff ff 48 89 04 24 b8 03 00 00 00 0f 05 <48> 8b 3c 24 48 89 c2 e8 53 fc ff ff 48 89 d0 48 83 c4 08 48 3d 01
[ 988.677881][ T9505] RSP: 002b:00007ffe8bb4f410 EFLAGS: 00000293 ORIG_RAX: 0000000000000003
[ 988.686273][ T9505] RAX: 0000000000000000 RBX: 0000000000000005 RCX: 00000000004135d1
[ 988.694223][ T9505] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000004
[ 988.702183][ T9505] RBP: 0000000000000001 R08: ffffffffffffffff R09: ffffffffffffffff
[ 988.710215][ T9505] R10: 00007ffe8bb4f4f0 R11: 0000000000000293 R12: 000000000075c9a0
[ 988.718167][ T9505] R13: 000000000075c9a0 R14: 00000000007603c0 R15: ffffffffffffffff
[ 988.728164][ T9505] Kernel Offset: disabled
[ 988.732493][ T9505] Rebooting in 86400 seconds..
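Read together, the three stacks in the report above describe a single sk_buff: it is allocated in bcsp_recv (via __alloc_skb) on the tty receive workqueue, freed in bcsp_recv (via kfree_skb) on that same path, and then handed to kfree_skb a second time from bcsp_close when the line discipline is torn down by close(2) (ORIG_RAX 3 is close on x86-64 and RDI 4 the descriptor). The two "Error in BCSP hdr checksum" messages immediately before the report come from the same driver's receive path. That sequence is the classic stale-pointer shape: a receive error path frees the buffer but leaves the driver's pointer to it in place, and the teardown path, which has no way to know, frees it again. The C program below is an added example, not code from this page or from the hci_uart driver, and does not reproduce the driver's real state machine; it models that pattern with a small poisoning allocator that, like KASAN, marks freed objects and reports any later access, and it runs the buggy receive/close pair beside the version that clears the pointer. Every name in it (`toy_alloc_skb`, `bcsp_model`, `run_scenario`, the header-checksum rule and the constructed bad frame) is hypothetical; which line the real driver was missing is not on this page and must be checked against the driver source.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* A tiny fixed-size "slab" with KASAN-style shadow poisoning (example only). */
#define SLAB_OBJS 4
enum { POISON_FREE = 0xfb, POISON_LIVE = 0x00 };  /* 0xfb: freed, as in the report */

struct skb { unsigned char data[32]; };            /* stand-in for struct sk_buff */

static struct skb slab[SLAB_OBJS];
static unsigned char shadow[SLAB_OBJS];            /* one shadow byte per object */
static int uaf_reports;                            /* bad accesses detected so far */

static void slab_reset(void) {
    memset(shadow, POISON_FREE, sizeof shadow);
    uaf_reports = 0;
}

static struct skb *toy_alloc_skb(void) {
    for (size_t i = 0; i < SLAB_OBJS; i++)
        if (shadow[i] == POISON_FREE) { shadow[i] = POISON_LIVE; return &slab[i]; }
    return NULL;
}

/* Like kfree_skb(): NULL is a no-op, touching a freed object is a use-after-free. */
static void toy_kfree_skb(struct skb *s) {
    if (!s) return;
    size_t i = (size_t)(s - slab);
    if (i >= SLAB_OBJS || shadow[i] == POISON_FREE) {
        uaf_reports++;                             /* KASAN would print its report here */
        fprintf(stderr, "BUG: use-after-free in toy_kfree_skb (object %zu)\n", i);
        return;
    }
    shadow[i] = POISON_FREE;
}

/* Per-ldisc driver state: the packet currently being assembled (hypothetical). */
struct bcsp_model { struct skb *rx_skb; };

/* Receive path. The 4 header bytes must sum to 0xff (mod 256); otherwise the
 * partial packet is dropped. The buggy variant frees rx_skb but keeps the pointer. */
static void model_recv(struct bcsp_model *b, const unsigned char *buf, size_t len, bool fixed) {
    if (!b->rx_skb) b->rx_skb = toy_alloc_skb();
    if (!b->rx_skb) return;
    bool hdr_checksum_ok = len >= 4 && ((buf[0] + buf[1] + buf[2] + buf[3]) & 0xff) == 0xff;
    if (!hdr_checksum_ok) {
        toy_kfree_skb(b->rx_skb);                  /* "Error in BCSP hdr checksum" path */
        if (fixed) b->rx_skb = NULL;               /* the line the buggy variant lacks */
    }
}

/* Teardown path (what bcsp_close does with whatever is still queued). */
static void model_close(struct bcsp_model *b) {
    toy_kfree_skb(b->rx_skb);
    b->rx_skb = NULL;
}

/* Feed one frame with a bad header checksum, then close; return the UAF count. */
static int run_scenario(bool fixed) {
    /* constructed input: 0xc0 + 0 + 0 + 0 != 0xff, so the checksum check fails */
    static const unsigned char bad_hdr[] = { 0xc0, 0x00, 0x00, 0x00 };
    struct bcsp_model b = { 0 };
    slab_reset();
    model_recv(&b, bad_hdr, sizeof bad_hdr, fixed);
    model_close(&b);
    return uaf_reports;
}

int main(void) {
    printf("buggy: %d use-after-free report(s)\n", run_scenario(false));  /* 1 */
    printf("fixed: %d use-after-free report(s)\n", run_scenario(true));   /* 0 */
    return 0;
}
```

The shadow byte is the whole trick: once an object is poisoned at free time, any later dereference is attributable to the exact stale pointer, which is why the report above can name both the freeing stack and the second kfree_skb. When reviewing a driver for this shape, look at every error path that frees a buffer held in long-lived state (here the line-discipline private data) and confirm the field is nulled, since the close or destroy path will otherwise free it again.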