[ ok ] Starting enhanced syslogd: rsyslogd.
[ 60.224183][ T26] audit: type=1800 audit(1572605135.073:25): pid=8761 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="cron" dev="sda1" ino=2414 res=0
[ 60.269772][ T26] audit: type=1800 audit(1572605135.073:26): pid=8761 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="mcstrans" dev="sda1" ino=2457 res=0
[ 60.311618][ T26] audit: type=1800 audit(1572605135.083:27): pid=8761 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="restorecond" dev="sda1" ino=2436 res=0
[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.

Debian GNU/Linux 7 syzkaller ttyS0

Warning: Permanently added '10.128.0.246' (ECDSA) to the list of known hosts.
2019/11/01 10:51:38 parsed 1 programs
2019/11/01 10:51:40 executed programs: 0
syzkaller login: [ 425.533416][ T8928] IPVS: ftp: loaded support on port[0] = 21
[ 425.597577][ T8928] chnl_net:caif_netlink_parms(): no params data found
[ 425.627782][ T8928] bridge0: port 1(bridge_slave_0) entered blocking state
[ 425.635719][ T8928] bridge0: port 1(bridge_slave_0) entered disabled state
[ 425.644398][ T8928] device bridge_slave_0 entered promiscuous mode
[ 425.653215][ T8928] bridge0: port 2(bridge_slave_1) entered blocking state
[ 425.660595][ T8928] bridge0: port 2(bridge_slave_1) entered disabled state
[ 425.668302][ T8928] device bridge_slave_1 entered promiscuous mode
[ 425.685990][ T8928] bond0: (slave bond_slave_0): Enslaving as an active interface with an up link
[ 425.696810][ T8928] bond0: (slave bond_slave_1): Enslaving as an active interface with an up link
[ 425.717138][ T8928] team0: Port device team_slave_0 added
[ 425.724412][ T8928] team0: Port device team_slave_1 added
[ 425.792022][ T8928] device hsr_slave_0 entered promiscuous mode
[ 425.850030][ T8928] device hsr_slave_1 entered promiscuous mode
[ 425.977293][ T8928] bridge0: port 2(bridge_slave_1) entered blocking state
[ 425.984553][ T8928] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 425.992743][ T8928] bridge0: port 1(bridge_slave_0) entered blocking state
[ 425.999883][ T8928] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 426.182158][ T8928] 8021q: adding VLAN 0 to HW filter on device bond0
[ 426.221226][ T3009] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 426.252545][ T3009] bridge0: port 1(bridge_slave_0) entered disabled state
[ 426.281957][ T3009] bridge0: port 2(bridge_slave_1) entered disabled state
[ 426.301586][ T3009] IPv6: ADDRCONF(NETDEV_CHANGE): bond0: link becomes ready
[ 426.335863][ T8928] 8021q: adding VLAN 0 to HW filter on device team0
[ 426.370764][ T3009] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[ 426.379322][ T3009] bridge0: port 1(bridge_slave_0) entered blocking state
[ 426.386814][ T3009] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 426.430409][ T3009] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[ 426.461436][ T3009] bridge0: port 2(bridge_slave_1) entered blocking state
[ 426.468672][ T3009] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 426.510907][ T3009] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready
[ 426.531081][ T3009] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready
[ 426.550354][ T3009] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
[ 426.573584][ T8928] hsr0: Slave B (hsr_slave_1) is not up; please bring it up to get a fully working HSR network
[ 426.602332][ T8928] IPv6: ADDRCONF(NETDEV_CHANGE): hsr0: link becomes ready
[ 426.634464][ T12] IPv6: ADDRCONF(NETDEV_CHANGE): team0: link becomes ready
[ 426.643900][ T12] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
[ 426.697884][ T8928] 8021q: adding VLAN 0 to HW filter on device batadv0
[ 427.180466][ T7] Bluetooth: Error in BCSP hdr checksum
[ 427.440600][ T8932] Bluetooth: Error in BCSP hdr checksum
[ 429.000297][ T12] Bluetooth: hci0: command 0x1003 tx timeout
[ 429.007470][ T8974] Bluetooth: hci0: sending frame failed (-49)
[ 431.079772][ T22] Bluetooth: hci0: command 0x1001 tx timeout
[ 431.086061][ T8974] Bluetooth: hci0: sending frame failed (-49)
[ 433.159768][ T12] Bluetooth: hci0: command 0x1009 tx timeout
[ 437.246825][ T8970] ==================================================================
[ 437.255221][ T8970] BUG: KASAN: use-after-free in kfree_skb+0x38/0x3c0
[ 437.262057][ T8970] Read of size 4 at addr ffff8880a00ddf54 by task syz-executor.0/8970
[ 437.270185][ T8970]
[ 437.272510][ T8970] CPU: 1 PID: 8970 Comm: syz-executor.0 Not tainted 5.4.0-rc5+ #0
[ 437.280291][ T8970] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 437.290345][ T8970] Call Trace:
[ 437.293686][ T8970]  dump_stack+0x172/0x1f0
[ 437.298003][ T8970]  ? kfree_skb+0x38/0x3c0
[ 437.302325][ T8970]  print_address_description.constprop.0.cold+0xd4/0x30b
[ 437.309347][ T8970]  ? kfree_skb+0x38/0x3c0
[ 437.313661][ T8970]  ? kfree_skb+0x38/0x3c0
[ 437.317970][ T8970]  __kasan_report.cold+0x1b/0x41
[ 437.322891][ T8970]  ? kfree_skb+0x38/0x3c0
[ 437.327234][ T8970]  kasan_report+0x12/0x20
[ 437.331549][ T8970]  check_memory_region+0x134/0x1a0
[ 437.336674][ T8970]  __kasan_check_read+0x11/0x20
[ 437.341518][ T8970]  kfree_skb+0x38/0x3c0
[ 437.345759][ T8970]  bcsp_close+0xc7/0x130
[ 437.350015][ T8970]  hci_uart_tty_close+0x21e/0x280
[ 437.355035][ T8970]  ? hci_uart_close+0x50/0x50
[ 437.359739][ T8970]  tty_ldisc_close.isra.0+0x119/0x1a0
[ 437.365093][ T8970]  tty_ldisc_kill+0x9c/0x160
[ 437.370127][ T8970]  tty_ldisc_release+0xe9/0x2b0
[ 437.374984][ T8970]  tty_release_struct+0x1b/0x50
[ 437.379831][ T8970]  tty_release+0xbcb/0xe90
[ 437.384330][ T8970]  __fput+0x2ff/0x890
[ 437.388292][ T8970]  ? put_tty_driver+0x20/0x20
[ 437.392953][ T8970]  ____fput+0x16/0x20
[ 437.397781][ T8970]  task_work_run+0x145/0x1c0
[ 437.402571][ T8970]  exit_to_usermode_loop+0x316/0x380
[ 437.407951][ T8970]  do_fast_syscall_32+0xb87/0xdb3
[ 437.413128][ T8970]  entry_SYSENTER_compat+0x70/0x7f
[ 437.418253][ T8970] RIP: 0023:0xf7f7da39
[ 437.422310][ T8970] Code: 00 00 00 89 d3 5b 5e 5f 5d c3 b8 80 96 98 00 eb c4 8b 04 24 c3 8b 1c 24 c3 8b 34 24 c3 8b 3c 24 c3 51 52 55 89 e5 0f 34 cd 80 <5d> 5a 59 c3 90 90 90 90 eb 0d 90 90 90 90 90 90 90 90 90 90 90 90
[ 437.441902][ T8970] RSP: 002b:00000000ffd6bcac EFLAGS: 00000296 ORIG_RAX: 0000000000000006
[ 437.450391][ T8970] RAX: 0000000000000000 RBX: 0000000000000005 RCX: 0000000000000000
[ 437.458367][ T8970] RDX: 0000000000000006 RSI: 000000000816b680 RDI: 000000000816b680
[ 437.466335][ T8970] RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
[ 437.474295][ T8970] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
[ 437.483242][ T8970] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[ 437.491397][ T8970]
[ 437.493720][ T8970] Allocated by task 8932:
[ 437.498039][ T8970]  save_stack+0x23/0x90
[ 437.502176][ T8970]  __kasan_kmalloc.constprop.0+0xcf/0xe0
[ 437.507804][ T8970]  kasan_slab_alloc+0xf/0x20
[ 437.512374][ T8970]  kmem_cache_alloc_node+0x138/0x740
[ 437.517640][ T8970]  __alloc_skb+0xd5/0x5e0
[ 437.521978][ T8970]  bcsp_recv+0x8c1/0x13a0
[ 437.526284][ T8970]  hci_uart_tty_receive+0x279/0x6e0
[ 437.531460][ T8970]  tty_ldisc_receive_buf+0x15f/0x1c0
[ 437.536821][ T8970]  tty_port_default_receive_buf+0x7d/0xb0
[ 437.542523][ T8970]  flush_to_ldisc+0x222/0x390
[ 437.547178][ T8970]  process_one_work+0x9af/0x1740
[ 437.552107][ T8970]  worker_thread+0x98/0xe40
[ 437.556585][ T8970]  kthread+0x361/0x430
[ 437.560722][ T8970]  ret_from_fork+0x24/0x30
[ 437.565107][ T8970]
[ 437.567429][ T8970] Freed by task 8932:
[ 437.571411][ T8970]  save_stack+0x23/0x90
[ 437.575569][ T8970]  __kasan_slab_free+0x102/0x150
[ 437.580681][ T8970]  kasan_slab_free+0xe/0x10
[ 437.585174][ T8970]  kmem_cache_free+0x86/0x320
[ 437.590180][ T8970]  kfree_skbmem+0xc5/0x150
[ 437.594589][ T8970]  kfree_skb+0x109/0x3c0
[ 437.598815][ T8970]  bcsp_recv+0x2d8/0x13a0
[ 437.603122][ T8970]  hci_uart_tty_receive+0x279/0x6e0
[ 437.608307][ T8970]  tty_ldisc_receive_buf+0x15f/0x1c0
[ 437.613574][ T8970]  tty_port_default_receive_buf+0x7d/0xb0
[ 437.619289][ T8970]  flush_to_ldisc+0x222/0x390
[ 437.623945][ T8970]  process_one_work+0x9af/0x1740
[ 437.628858][ T8970]  worker_thread+0x98/0xe40
[ 437.633341][ T8970]  kthread+0x361/0x430
[ 437.637400][ T8970]  ret_from_fork+0x24/0x30
[ 437.641786][ T8970]
[ 437.644095][ T8970] The buggy address belongs to the object at ffff8880a00dde80
[ 437.644095][ T8970]  which belongs to the cache skbuff_head_cache of size 224
[ 437.658652][ T8970] The buggy address is located 212 bytes inside of
[ 437.658652][ T8970]  224-byte region [ffff8880a00dde80, ffff8880a00ddf60)
[ 437.672026][ T8970] The buggy address belongs to the page:
[ 437.677675][ T8970] page:ffffea0002803740 refcount:1 mapcount:0 mapping:ffff8880a99ce8c0 index:0x0
[ 437.686767][ T8970] flags: 0x1fffc0000000200(slab)
[ 437.691691][ T8970] raw: 01fffc0000000200 ffffea0002894e88 ffffea0002867888 ffff8880a99ce8c0
[ 437.700255][ T8970] raw: 0000000000000000 ffff8880a00dd0c0 000000010000000c 0000000000000000
[ 437.708812][ T8970] page dumped because: kasan: bad access detected
[ 437.715895][ T8970]
[ 437.718218][ T8970] Memory state around the buggy address:
[ 437.723828][ T8970]  ffff8880a00dde00: fb fb fb fb fc fc fc fc fc fc fc fc fc fc fc fc
[ 437.731872][ T8970]  ffff8880a00dde80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 437.739913][ T8970] >ffff8880a00ddf00: fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
[ 437.747963][ T8970]                                                  ^
[ 437.754616][ T8970]  ffff8880a00ddf80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 437.762670][ T8970]  ffff8880a00de000: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 437.770706][ T8970] ==================================================================
[ 437.778739][ T8970] Disabling lock debugging due to kernel taint
[ 437.785558][ T8970] Kernel panic - not syncing: panic_on_warn set ...
[ 437.792877][ T8970] CPU: 1 PID: 8970 Comm: syz-executor.0 Tainted: G B 5.4.0-rc5+ #0
[ 437.802525][ T8970] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 437.812559][ T8970] Call Trace:
[ 437.815844][ T8970]  dump_stack+0x172/0x1f0
[ 437.820150][ T8970]  panic+0x2e3/0x75c
[ 437.824020][ T8970]  ? add_taint.cold+0x16/0x16
[ 437.828685][ T8970]  ? kfree_skb+0x38/0x3c0
[ 437.832995][ T8970]  ? preempt_schedule+0x4b/0x60
[ 437.837820][ T8970]  ? ___preempt_schedule+0x16/0x20
[ 437.842910][ T8970]  ? trace_hardirqs_on+0x5e/0x240
[ 437.847912][ T8970]  ? kfree_skb+0x38/0x3c0
[ 437.852235][ T8970]  end_report+0x47/0x4f
[ 437.856369][ T8970]  ? kfree_skb+0x38/0x3c0
[ 437.860691][ T8970]  __kasan_report.cold+0xe/0x41
[ 437.865543][ T8970]  ? kfree_skb+0x38/0x3c0
[ 437.869866][ T8970]  kasan_report+0x12/0x20
[ 437.874187][ T8970]  check_memory_region+0x134/0x1a0
[ 437.879296][ T8970]  __kasan_check_read+0x11/0x20
[ 437.884133][ T8970]  kfree_skb+0x38/0x3c0
[ 437.888266][ T8970]  bcsp_close+0xc7/0x130
[ 437.892489][ T8970]  hci_uart_tty_close+0x21e/0x280
[ 437.897487][ T8970]  ? hci_uart_close+0x50/0x50
[ 437.902154][ T8970]  tty_ldisc_close.isra.0+0x119/0x1a0
[ 437.907503][ T8970]  tty_ldisc_kill+0x9c/0x160
[ 437.912073][ T8970]  tty_ldisc_release+0xe9/0x2b0
[ 437.916902][ T8970]  tty_release_struct+0x1b/0x50
[ 437.921740][ T8970]  tty_release+0xbcb/0xe90
[ 437.926223][ T8970]  __fput+0x2ff/0x890
[ 437.930198][ T8970]  ? put_tty_driver+0x20/0x20
[ 437.934863][ T8970]  ____fput+0x16/0x20
[ 437.938821][ T8970]  task_work_run+0x145/0x1c0
[ 437.943393][ T8970]  exit_to_usermode_loop+0x316/0x380
[ 437.948656][ T8970]  do_fast_syscall_32+0xb87/0xdb3
[ 437.953662][ T8970]  entry_SYSENTER_compat+0x70/0x7f
[ 437.958746][ T8970] RIP: 0023:0xf7f7da39
[ 437.962791][ T8970] Code: 00 00 00 89 d3 5b 5e 5f 5d c3 b8 80 96 98 00 eb c4 8b 04 24 c3 8b 1c 24 c3 8b 34 24 c3 8b 3c 24 c3 51 52 55 89 e5 0f 34 cd 80 <5d> 5a 59 c3 90 90 90 90 eb 0d 90 90 90 90 90 90 90 90 90 90 90 90
[ 437.982373][ T8970] RSP: 002b:00000000ffd6bcac EFLAGS: 00000296 ORIG_RAX: 0000000000000006
[ 437.990764][ T8970] RAX: 0000000000000000 RBX: 0000000000000005 RCX: 0000000000000000
[ 437.998713][ T8970] RDX: 0000000000000006 RSI: 000000000816b680 RDI: 000000000816b680
[ 438.006659][ T8970] RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
[ 438.014608][ T8970] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
[ 438.022556][ T8970] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[ 438.032003][ T8970] Kernel Offset: disabled
[ 438.036330][ T8970] Rebooting in 86400 seconds..