Starting mcstransd:
[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting file context maintaining daemon: restorecond.
[ 38.828888] audit: type=1800 audit(1568913344.628:33): pid=7371 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:kernel_t:s0 op=collect_data cause=failed(directio) comm="startpar" name="rc.local" dev="sda1" ino=2465 res=0
[ ok ] Starting OpenBSD Secure Shell server: sshd.

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [ 115.255456] kauditd_printk_skb: 2 callbacks suppressed
[ 115.255469] audit: type=1400 audit(1568913421.048:36): avc: denied { map } for pid=7557 comm="sh" path="/bin/dash" dev="sda1" ino=1473 scontext=system_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
Warning: Permanently added '10.128.0.161' (ECDSA) to the list of known hosts.
2019/09/19 17:27:24 parsed 1 programs
[ 738.551093] audit: type=1400 audit(1568914044.348:37): avc: denied { map } for pid=7564 comm="syz-execprog" path="/root/syz-execprog" dev="sda1" ino=16482 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
[ 738.623281] audit: type=1400 audit(1568914044.418:38): avc: denied { map } for pid=7564 comm="syz-execprog" path="/sys/kernel/debug/kcov" dev="debugfs" ino=14978 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:debugfs_t:s0 tclass=file permissive=1
2019/09/19 17:27:26 executed programs: 0
[ 740.495395] IPVS: ftp: loaded support on port[0] = 21
[ 740.565369] chnl_net:caif_netlink_parms(): no params data found
[ 740.598614] bridge0: port 1(bridge_slave_0) entered blocking state
[ 740.605349] bridge0: port 1(bridge_slave_0) entered disabled state
[ 740.612764] device bridge_slave_0 entered promiscuous mode
[ 740.620163] bridge0: port 2(bridge_slave_1) entered blocking state
[ 740.627122] bridge0: port 2(bridge_slave_1) entered disabled state
[ 740.634059] device bridge_slave_1 entered promiscuous mode
[ 740.650808] bond0: Enslaving bond_slave_0 as an active interface with an up link
[ 740.659796] bond0: Enslaving bond_slave_1 as an active interface with an up link
[ 740.675053] IPv6: ADDRCONF(NETDEV_UP): team_slave_0: link is not ready
[ 740.682873] team0: Port device team_slave_0 added
[ 740.688409] IPv6: ADDRCONF(NETDEV_UP): team_slave_1: link is not ready
[ 740.695542] team0: Port device team_slave_1 added
[ 740.700926] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_0: link is not ready
[ 740.708217] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_1: link is not ready
[ 740.758191] device hsr_slave_0 entered promiscuous mode
[ 740.796275] device hsr_slave_1 entered promiscuous mode
[ 740.836505] IPv6: ADDRCONF(NETDEV_UP): hsr_slave_0: link is not ready
[ 740.843933] IPv6: ADDRCONF(NETDEV_UP): hsr_slave_1: link is not ready
[ 740.857430] bridge0: port 2(bridge_slave_1) entered blocking state
[ 740.863934] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 740.870954] bridge0: port 1(bridge_slave_0) entered blocking state
[ 740.877353] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 740.908398] IPv6: ADDRCONF(NETDEV_UP): bond0: link is not ready
[ 740.914514] 8021q: adding VLAN 0 to HW filter on device bond0
[ 740.922892] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
[ 740.931857] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 740.950644] bridge0: port 1(bridge_slave_0) entered disabled state
[ 740.958260] bridge0: port 2(bridge_slave_1) entered disabled state
[ 740.965266] IPv6: ADDRCONF(NETDEV_CHANGE): bond0: link becomes ready
[ 740.975720] IPv6: ADDRCONF(NETDEV_UP): team0: link is not ready
[ 740.982285] 8021q: adding VLAN 0 to HW filter on device team0
[ 740.991441] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[ 740.999057] bridge0: port 1(bridge_slave_0) entered blocking state
[ 741.005383] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 741.014398] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[ 741.022246] bridge0: port 2(bridge_slave_1) entered blocking state
[ 741.028651] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 741.046933] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready
[ 741.054784] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready
[ 741.064662] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
[ 741.072615] IPv6: ADDRCONF(NETDEV_CHANGE): team0: link becomes ready
[ 741.081854] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
[ 741.091563] IPv6: ADDRCONF(NETDEV_UP): hsr0: link is not ready
[ 741.098735] IPv6: ADDRCONF(NETDEV_CHANGE): hsr0: link becomes ready
[ 741.112540] IPv6: ADDRCONF(NETDEV_UP): vxcan1: link is not ready
[ 741.122464] 8021q: adding VLAN 0 to HW filter on device batadv0
[ 741.132608] audit: type=1400 audit(1568914046.928:39): avc: denied { associate } for pid=7581 comm="syz-executor.0" name="syz0" scontext=unconfined_u:object_r:unlabeled_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=filesystem permissive=1
[ 741.506701] Bluetooth: Error in BCSP hdr checksum
[ 741.766207] Bluetooth: Error in BCSP hdr checksum
[ 743.266595] Bluetooth: hci0: command 0x1003 tx timeout
[ 743.272460] Bluetooth: hci0: sending frame failed (-49)
[ 745.346091] Bluetooth: hci0: command 0x1001 tx timeout
[ 745.352022] Bluetooth: hci0: sending frame failed (-49)
[ 747.426085] Bluetooth: hci0: command 0x1009 tx timeout
[ 751.429588] ==================================================================
[ 751.437268] BUG: KASAN: use-after-free in kfree_skb+0x38/0x390
[ 751.443316] Read of size 4 at addr ffff8880a055c864 by task syz-executor.0/7589
[ 751.450743]
[ 751.452370] CPU: 1 PID: 7589 Comm: syz-executor.0 Not tainted 4.19.74 #0
[ 751.459203] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 751.469065] Call Trace:
[ 751.471751]  dump_stack+0x172/0x1f0
[ 751.475383]  ? kfree_skb+0x38/0x390
[ 751.479082]  print_address_description.cold+0x7c/0x20d
[ 751.484363]  ? kfree_skb+0x38/0x390
[ 751.488071]  kasan_report.cold+0x8c/0x2ba
[ 751.492211]  check_memory_region+0x123/0x190
[ 751.496619]  kasan_check_read+0x11/0x20
[ 751.500928]  kfree_skb+0x38/0x390
[ 751.504638]  bcsp_close+0xc7/0x130
[ 751.508325]  hci_uart_tty_close+0x1ea/0x250
[ 751.512659]  ? hci_uart_close+0x50/0x50
[ 751.516713]  tty_ldisc_close.isra.0+0xaf/0xe0
[ 751.521196]  tty_ldisc_kill+0x4b/0xc0
[ 751.525002]  tty_ldisc_release+0xc6/0x280
[ 751.529170]  tty_release_struct+0x1b/0x50
[ 751.533411]  tty_release+0xbcb/0xe90
[ 751.537121]  ? put_tty_driver+0x20/0x20
[ 751.541167]  __fput+0x2dd/0x8b0
[ 751.544623]  ____fput+0x16/0x20
[ 751.547950]  task_work_run+0x145/0x1c0
[ 751.551845]  exit_to_usermode_loop+0x273/0x2c0
[ 751.556415]  do_syscall_64+0x53d/0x620
[ 751.560304]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 751.565475] RIP: 0033:0x4135d1
[ 751.568653] Code: 75 14 b8 03 00 00 00 0f 05 48 3d 01 f0 ff ff 0f 83 04 1b 00 00 c3 48 83 ec 08 e8 0a fc ff ff 48 89 04 24 b8 03 00 00 00 0f 05 <48> 8b 3c 24 48 89 c2 e8 53 fc ff ff 48 89 d0 48 83 c4 08 48 3d 01
[ 751.588079] RSP: 002b:00007ffefb05f9b0 EFLAGS: 00000293 ORIG_RAX: 0000000000000003
[ 751.595785] RAX: 0000000000000000 RBX: 0000000000000005 RCX: 00000000004135d1
[ 751.603051] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000004
[ 751.610310] RBP: 0000000000000001 R08: ffffffffffffffff R09: ffffffffffffffff
[ 751.618018] R10: 00007ffefb05fa90 R11: 0000000000000293 R12: 000000000075c9a0
[ 751.625374] R13: 000000000075c9a0 R14: 00000000007603c0 R15: 000000000075bfd4
[ 751.632650]
[ 751.634322] Allocated by task 23:
[ 751.637811]  save_stack+0x45/0xd0
[ 751.641246]  kasan_kmalloc+0xce/0xf0
[ 751.644948]  kasan_slab_alloc+0xf/0x20
[ 751.648834]  kmem_cache_alloc_node+0x144/0x710
[ 751.653419]  __alloc_skb+0xd5/0x5f0
[ 751.657030]  bcsp_recv+0x8c7/0x13a0
[ 751.660647]  hci_uart_tty_receive+0x225/0x530
[ 751.665125]  tty_ldisc_receive_buf+0x15f/0x1c0
[ 751.669694]  tty_port_default_receive_buf+0x7d/0xb0
[ 751.674692]  flush_to_ldisc+0x222/0x390
[ 751.678650]  process_one_work+0x989/0x1750
[ 751.682898]  worker_thread+0x98/0xe40
[ 751.686710]  kthread+0x354/0x420
[ 751.690088]  ret_from_fork+0x24/0x30
[ 751.693781]
[ 751.695396] Freed by task 23:
[ 751.698505]  save_stack+0x45/0xd0
[ 751.701944]  __kasan_slab_free+0x102/0x150
[ 751.706175]  kasan_slab_free+0xe/0x10
[ 751.709972]  kmem_cache_free+0x86/0x260
[ 751.713929]  kfree_skbmem+0xcb/0x150
[ 751.717712]  kfree_skb+0xf0/0x390
[ 751.721147]  bcsp_recv+0x2d8/0x13a0
[ 751.724802]  hci_uart_tty_receive+0x225/0x530
[ 751.729303]  tty_ldisc_receive_buf+0x15f/0x1c0
[ 751.733867]  tty_port_default_receive_buf+0x7d/0xb0
[ 751.738881]  flush_to_ldisc+0x222/0x390
[ 751.742851]  process_one_work+0x989/0x1750
[ 751.747377]  worker_thread+0x98/0xe40
[ 751.751164]  kthread+0x354/0x420
[ 751.754705]  ret_from_fork+0x24/0x30
[ 751.758425]
[ 751.760047] The buggy address belongs to the object at ffff8880a055c780
[ 751.760047]  which belongs to the cache skbuff_head_cache of size 232
[ 751.773256] The buggy address is located 228 bytes inside of
[ 751.773256]  232-byte region [ffff8880a055c780, ffff8880a055c868)
[ 751.785819] The buggy address belongs to the page:
[ 751.790737] page:ffffea0002815700 count:1 mapcount:0 mapping:ffff8880aa347ac0 index:0x0
[ 751.799752] flags: 0x1fffc0000000100(slab)
[ 751.804167] raw: 01fffc0000000100 ffffea000225e908 ffffea00027f7ac8 ffff8880aa347ac0
[ 751.812056] raw: 0000000000000000 ffff8880a055c000 000000010000000c 0000000000000000
[ 751.819939] page dumped because: kasan: bad access detected
[ 751.825641]
[ 751.827271] Memory state around the buggy address:
[ 751.832183]  ffff8880a055c700: fb fb fb fb fb fc fc fc fc fc fc fc fc fc fc fc
[ 751.839523]  ffff8880a055c780: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 751.846863] >ffff8880a055c800: fb fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc
[ 751.854207]                                                        ^
[ 751.860867]  ffff8880a055c880: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
[ 751.868433]  ffff8880a055c900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 751.875914] ==================================================================
[ 751.883270] Disabling lock debugging due to kernel taint
[ 751.889447] Kernel panic - not syncing: panic_on_warn set ...
[ 751.889447]
[ 751.896863] CPU: 1 PID: 7589 Comm: syz-executor.0 Tainted: G B 4.19.74 #0
[ 751.905159] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 751.914503] Call Trace:
[ 751.917080]  dump_stack+0x172/0x1f0
[ 751.920691]  ? kfree_skb+0x38/0x390
[ 751.924358]  panic+0x263/0x507
[ 751.927536]  ? __warn_printk+0xf3/0xf3
[ 751.931428]  ? kfree_skb+0x38/0x390
[ 751.935037]  ? preempt_schedule+0x4b/0x60
[ 751.939171]  ? ___preempt_schedule+0x16/0x18
[ 751.943623]  ? trace_hardirqs_on+0x5e/0x220
[ 751.948027]  ? kfree_skb+0x38/0x390
[ 751.951651]  kasan_end_report+0x47/0x4f
[ 751.955622]  kasan_report.cold+0xa9/0x2ba
[ 751.959764]  check_memory_region+0x123/0x190
[ 751.964159]  kasan_check_read+0x11/0x20
[ 751.968120]  kfree_skb+0x38/0x390
[ 751.971564]  bcsp_close+0xc7/0x130
[ 751.975089]  hci_uart_tty_close+0x1ea/0x250
[ 751.979401]  ? hci_uart_close+0x50/0x50
[ 751.983374]  tty_ldisc_close.isra.0+0xaf/0xe0
[ 751.987866]  tty_ldisc_kill+0x4b/0xc0
[ 751.991665]  tty_ldisc_release+0xc6/0x280
[ 751.995799]  tty_release_struct+0x1b/0x50
[ 751.999932]  tty_release+0xbcb/0xe90
[ 752.003644]  ? put_tty_driver+0x20/0x20
[ 752.007617]  __fput+0x2dd/0x8b0
[ 752.010883]  ____fput+0x16/0x20
[ 752.014151]  task_work_run+0x145/0x1c0
[ 752.018028]  exit_to_usermode_loop+0x273/0x2c0
[ 752.022592]  do_syscall_64+0x53d/0x620
[ 752.026464]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 752.031725] RIP: 0033:0x4135d1
[ 752.034899] Code: 75 14 b8 03 00 00 00 0f 05 48 3d 01 f0 ff ff 0f 83 04 1b 00 00 c3 48 83 ec 08 e8 0a fc ff ff 48 89 04 24 b8 03 00 00 00 0f 05 <48> 8b 3c 24 48 89 c2 e8 53 fc ff ff 48 89 d0 48 83 c4 08 48 3d 01
[ 752.053872] RSP: 002b:00007ffefb05f9b0 EFLAGS: 00000293 ORIG_RAX: 0000000000000003
[ 752.061576] RAX: 0000000000000000 RBX: 0000000000000005 RCX: 00000000004135d1
[ 752.068842] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000004
[ 752.076104] RBP: 0000000000000001 R08: ffffffffffffffff R09: ffffffffffffffff
[ 752.083553] R10: 00007ffefb05fa90 R11: 0000000000000293 R12: 000000000075c9a0
[ 752.090805] R13: 000000000075c9a0 R14: 00000000007603c0 R15: 000000000075bfd4
[ 752.099713] Kernel Offset: disabled
[ 752.103347] Rebooting in 86400 seconds..