[ 67.232956][ T26] audit: type=1800 audit(1568645914.815:27): pid=9756 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="restorecond" dev="sda1" ino=2436 res=0
[ 67.265638][ T26] audit: type=1800 audit(1568645914.815:28): pid=9756 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="ssh" dev="sda1" ino=2417 res=0
[....] Starting periodic command scheduler: cron[ ok ].
[....] Starting OpenBSD Secure Shell server: sshd[ ok ].
[ 67.936959][ T26] audit: type=1800 audit(1568645915.575:29): pid=9756 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="rc.local" dev="sda1" ino=2432 res=0
[ 67.958914][ T26] audit: type=1800 audit(1568645915.575:30): pid=9756 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="rmnologin" dev="sda1" ino=2423 res=0

Debian GNU/Linux 7 syzkaller ttyS0

Warning: Permanently added '10.128.0.78' (ECDSA) to the list of known hosts.
2019/09/16 15:13:55 parsed 1 programs
2019/09/16 15:13:57 executed programs: 0
syzkaller login: [ 989.597466][ T9922] IPVS: ftp: loaded support on port[0] = 21
[ 989.648359][ T9922] chnl_net:caif_netlink_parms(): no params data found
[ 989.673213][ T9922] bridge0: port 1(bridge_slave_0) entered blocking state
[ 989.680550][ T9922] bridge0: port 1(bridge_slave_0) entered disabled state
[ 989.688181][ T9922] device bridge_slave_0 entered promiscuous mode
[ 989.695551][ T9922] bridge0: port 2(bridge_slave_1) entered blocking state
[ 989.702710][ T9922] bridge0: port 2(bridge_slave_1) entered disabled state
[ 989.710259][ T9922] device bridge_slave_1 entered promiscuous mode
[ 989.724297][ T9922] bond0: (slave bond_slave_0): Enslaving as an active interface with an up link
[ 989.734563][ T9922] bond0: (slave bond_slave_1): Enslaving as an active interface with an up link
[ 989.751353][ T9922] team0: Port device team_slave_0 added
[ 989.757920][ T9922] team0: Port device team_slave_1 added
[ 989.812254][ T9922] device hsr_slave_0 entered promiscuous mode
[ 989.880541][ T9922] device hsr_slave_1 entered promiscuous mode
[ 989.945893][ T9922] bridge0: port 2(bridge_slave_1) entered blocking state
[ 989.953143][ T9922] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 989.960498][ T9922] bridge0: port 1(bridge_slave_0) entered blocking state
[ 989.967538][ T9922] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 989.992914][ T9922] 8021q: adding VLAN 0 to HW filter on device bond0
[ 990.003698][ T3519] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 990.012038][ T3519] bridge0: port 1(bridge_slave_0) entered disabled state
[ 990.019606][ T3519] bridge0: port 2(bridge_slave_1) entered disabled state
[ 990.028251][ T3519] IPv6: ADDRCONF(NETDEV_CHANGE): bond0: link becomes ready
[ 990.038030][ T9922] 8021q: adding VLAN 0 to HW filter on device team0
[ 990.047331][ T3004] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[ 990.055900][ T3004] bridge0: port 1(bridge_slave_0) entered blocking state
[ 990.062955][ T3004] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 990.075340][ T9927] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[ 990.083712][ T9927] bridge0: port 2(bridge_slave_1) entered blocking state
[ 990.090776][ T9927] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 990.106704][ T9922] hsr0: Slave A (hsr_slave_0) is not up; please bring it up to get a fully working HSR network
[ 990.117296][ T9922] hsr0: Slave B (hsr_slave_1) is not up; please bring it up to get a fully working HSR network
[ 990.129053][ T3004] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready
[ 990.137897][ T3004] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready
[ 990.146243][ T3004] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
[ 990.154591][ T3004] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
[ 990.162939][ T3004] IPv6: ADDRCONF(NETDEV_CHANGE): hsr0: link becomes ready
[ 990.170579][ T3004] IPv6: ADDRCONF(NETDEV_CHANGE): team0: link becomes ready
[ 990.185441][ T9922] 8021q: adding VLAN 0 to HW filter on device batadv0
[ 990.560435][ T7] Bluetooth: Error in BCSP hdr checksum
[ 990.820541][ T7] Bluetooth: Error in BCSP hdr checksum
[ 992.360279][ T3004] Bluetooth: hci0: command 0x1003 tx timeout
[ 992.366377][ T9938] Bluetooth: hci0: sending frame failed (-49)
[ 994.440437][ T9927] Bluetooth: hci0: command 0x1001 tx timeout
[ 994.446797][ T9938] Bluetooth: hci0: sending frame failed (-49)
[ 996.520339][ T3004] Bluetooth: hci0: command 0x1009 tx timeout
[ 1000.681090][ T9934] ==================================================================
[ 1000.689272][ T9934] BUG: KASAN: use-after-free in kfree_skb+0x38/0x3c0
[ 1000.696257][ T9934] Read of size 4 at addr ffff888095a017d4 by task syz-executor.0/9934
[ 1000.704448][ T9934]
[ 1000.706784][ T9934] CPU: 1 PID: 9934 Comm: syz-executor.0 Not tainted 5.3.0 #0
[ 1000.714142][ T9934] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 1000.724189][ T9934] Call Trace:
[ 1000.727522][ T9934] dump_stack+0x172/0x1f0
[ 1000.731863][ T9934] ? kfree_skb+0x38/0x3c0
[ 1000.736298][ T9934] print_address_description.cold+0xd4/0x306
[ 1000.742266][ T9934] ? kfree_skb+0x38/0x3c0
[ 1000.746587][ T9934] ? kfree_skb+0x38/0x3c0
[ 1000.751059][ T9934] __kasan_report.cold+0x1b/0x36
[ 1000.755994][ T9934] ? kfree_skb+0x38/0x3c0
[ 1000.760306][ T9934] kasan_report+0x12/0x17
[ 1000.764618][ T9934] check_memory_region+0x134/0x1a0
[ 1000.769711][ T9934] __kasan_check_read+0x11/0x20
[ 1000.774543][ T9934] kfree_skb+0x38/0x3c0
[ 1000.778740][ T9934] bcsp_close+0xc7/0x130
[ 1000.782963][ T9934] hci_uart_tty_close+0x21e/0x280
[ 1000.788570][ T9934] ? hci_uart_close+0x50/0x50
[ 1000.793232][ T9934] tty_ldisc_close.isra.0+0x119/0x190
[ 1000.798592][ T9934] tty_ldisc_kill+0x9c/0x160
[ 1000.803160][ T9934] tty_ldisc_release+0xe9/0x2b0
[ 1000.807987][ T9934] tty_release_struct+0x1b/0x50
[ 1000.812812][ T9934] tty_release+0xbcb/0xe90
[ 1000.817218][ T9934] __fput+0x2ff/0x890
[ 1000.821175][ T9934] ? put_tty_driver+0x20/0x20
[ 1000.825833][ T9934] ____fput+0x16/0x20
[ 1000.829788][ T9934] task_work_run+0x145/0x1c0
[ 1000.834370][ T9934] exit_to_usermode_loop+0x316/0x380
[ 1000.839632][ T9934] do_syscall_64+0x5a9/0x6a0
[ 1000.844238][ T9934] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 1000.850116][ T9934] RIP: 0033:0x4135d1
[ 1000.853990][ T9934] Code: 75 14 b8 03 00 00 00 0f 05 48 3d 01 f0 ff ff 0f 83 04 1b 00 00 c3 48 83 ec 08 e8 0a fc ff ff 48 89 04 24 b8 03 00 00 00 0f 05 <48> 8b 3c 24 48 89 c2 e8 53 fc ff ff 48 89 d0 48 83 c4 08 48 3d 01
[ 1000.873671][ T9934] RSP: 002b:00007fff7f0821d0 EFLAGS: 00000293 ORIG_RAX: 0000000000000003
[ 1000.882061][ T9934] RAX: 0000000000000000 RBX: 0000000000000005 RCX: 00000000004135d1
[ 1000.890024][ T9934] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000004
[ 1000.898030][ T9934] RBP: 0000000000000001 R08: ffffffffffffffff R09: ffffffffffffffff
[ 1000.906140][ T9934] R10: 00007fff7f0822b0 R11: 0000000000000293 R12: 000000000075c9a0
[ 1000.914098][ T9934] R13: 000000000075c9a0 R14: 00000000007603c0 R15: ffffffffffffffff
[ 1000.922076][ T9934]
[ 1000.924702][ T9934] Allocated by task 9925:
[ 1000.929018][ T9934] save_stack+0x23/0x90
[ 1000.933171][ T9934] __kasan_kmalloc.constprop.0+0xcf/0xe0
[ 1000.938789][ T9934] kasan_slab_alloc+0xf/0x20
[ 1000.943362][ T9934] kmem_cache_alloc_node+0x138/0x740
[ 1000.948629][ T9934] __alloc_skb+0xd5/0x5e0
[ 1000.953115][ T9934] bcsp_recv+0x8c1/0x13a0
[ 1000.957422][ T9934] hci_uart_tty_receive+0x279/0x790
[ 1000.962598][ T9934] tty_ldisc_receive_buf+0x15f/0x1c0
[ 1000.967874][ T9934] tty_port_default_receive_buf+0x7d/0xb0
[ 1000.973579][ T9934] flush_to_ldisc+0x222/0x390
[ 1000.978569][ T9934] process_one_work+0x9af/0x1740
[ 1000.983493][ T9934] worker_thread+0x98/0xe40
[ 1000.987978][ T9934] kthread+0x361/0x430
[ 1000.992029][ T9934] ret_from_fork+0x24/0x30
[ 1000.996477][ T9934]
[ 1000.998809][ T9934] Freed by task 7:
[ 1001.002524][ T9934] save_stack+0x23/0x90
[ 1001.006796][ T9934] __kasan_slab_free+0x102/0x150
[ 1001.011720][ T9934] kasan_slab_free+0xe/0x10
[ 1001.016301][ T9934] kmem_cache_free+0x86/0x320
[ 1001.020960][ T9934] kfree_skbmem+0xc5/0x150
[ 1001.025374][ T9934] kfree_skb+0x109/0x3c0
[ 1001.029593][ T9934] bcsp_recv+0x2d8/0x13a0
[ 1001.034179][ T9934] hci_uart_tty_receive+0x279/0x790
[ 1001.039443][ T9934] tty_ldisc_receive_buf+0x15f/0x1c0
[ 1001.044721][ T9934] tty_port_default_receive_buf+0x7d/0xb0
[ 1001.052599][ T9934] flush_to_ldisc+0x222/0x390
[ 1001.057256][ T9934] process_one_work+0x9af/0x1740
[ 1001.062270][ T9934] worker_thread+0x98/0xe40
[ 1001.066748][ T9934] kthread+0x361/0x430
[ 1001.071067][ T9934] ret_from_fork+0x24/0x30
[ 1001.075559][ T9934]
[ 1001.077871][ T9934] The buggy address belongs to the object at ffff888095a01700
[ 1001.077871][ T9934] which belongs to the cache skbuff_head_cache of size 224
[ 1001.092961][ T9934] The buggy address is located 212 bytes inside of
[ 1001.092961][ T9934] 224-byte region [ffff888095a01700, ffff888095a017e0)
[ 1001.106202][ T9934] The buggy address belongs to the page:
[ 1001.111810][ T9934] page:ffffea0002568040 refcount:1 mapcount:0 mapping:ffff88821b69e540 index:0x0
[ 1001.121075][ T9934] flags: 0x1fffc0000000200(slab)
[ 1001.125996][ T9934] raw: 01fffc0000000200 ffffea00024ef088 ffffea00025c8348 ffff88821b69e540
[ 1001.134657][ T9934] raw: 0000000000000000 ffff888095a010c0 000000010000000c 0000000000000000
[ 1001.143398][ T9934] page dumped because: kasan: bad access detected
[ 1001.149788][ T9934]
[ 1001.152094][ T9934] Memory state around the buggy address:
[ 1001.157732][ T9934] ffff888095a01680: fb fb fb fb fc fc fc fc fc fc fc fc fc fc fc fc
[ 1001.165874][ T9934] ffff888095a01700: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 1001.174105][ T9934] >ffff888095a01780: fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
[ 1001.182151][ T9934] ^
[ 1001.188803][ T9934] ffff888095a01800: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
[ 1001.196859][ T9934] ffff888095a01880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 1001.205173][ T9934] ==================================================================
[ 1001.214370][ T9934] Kernel panic - not syncing: panic_on_warn set ...
[ 1001.221104][ T9934] CPU: 0 PID: 9934 Comm: syz-executor.0 Tainted: G B 5.3.0 #0
[ 1001.229836][ T9934] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 1001.240181][ T9934] Call Trace:
[ 1001.243468][ T9934] dump_stack+0x172/0x1f0
[ 1001.247779][ T9934] panic+0x2dc/0x755
[ 1001.251722][ T9934] ? add_taint.cold+0x16/0x16
[ 1001.256383][ T9934] ? kfree_skb+0x38/0x3c0
[ 1001.260810][ T9934] ? preempt_schedule+0x4b/0x60
[ 1001.265647][ T9934] ? ___preempt_schedule+0x16/0x20
[ 1001.270739][ T9934] ? trace_hardirqs_on+0x5e/0x240
[ 1001.275742][ T9934] ? kfree_skb+0x38/0x3c0
[ 1001.280411][ T9934] end_report+0x47/0x4f
[ 1001.284573][ T9934] ? kfree_skb+0x38/0x3c0
[ 1001.288900][ T9934] __kasan_report.cold+0xe/0x36
[ 1001.293736][ T9934] ? kfree_skb+0x38/0x3c0
[ 1001.298045][ T9934] kasan_report+0x12/0x17
[ 1001.302358][ T9934] check_memory_region+0x134/0x1a0
[ 1001.307451][ T9934] __kasan_check_read+0x11/0x20
[ 1001.312301][ T9934] kfree_skb+0x38/0x3c0
[ 1001.316438][ T9934] bcsp_close+0xc7/0x130
[ 1001.320660][ T9934] hci_uart_tty_close+0x21e/0x280
[ 1001.325662][ T9934] ? hci_uart_close+0x50/0x50
[ 1001.330317][ T9934] tty_ldisc_close.isra.0+0x119/0x190
[ 1001.335667][ T9934] tty_ldisc_kill+0x9c/0x160
[ 1001.340235][ T9934] tty_ldisc_release+0xe9/0x2b0
[ 1001.345063][ T9934] tty_release_struct+0x1b/0x50
[ 1001.349890][ T9934] tty_release+0xbcb/0xe90
[ 1001.354305][ T9934] __fput+0x2ff/0x890
[ 1001.358264][ T9934] ? put_tty_driver+0x20/0x20
[ 1001.362934][ T9934] ____fput+0x16/0x20
[ 1001.366906][ T9934] task_work_run+0x145/0x1c0
[ 1001.371474][ T9934] exit_to_usermode_loop+0x316/0x380
[ 1001.376737][ T9934] do_syscall_64+0x5a9/0x6a0
[ 1001.381308][ T9934] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 1001.387191][ T9934] RIP: 0033:0x4135d1
[ 1001.391066][ T9934] Code: 75 14 b8 03 00 00 00 0f 05 48 3d 01 f0 ff ff 0f 83 04 1b 00 00 c3 48 83 ec 08 e8 0a fc ff ff 48 89 04 24 b8 03 00 00 00 0f 05 <48> 8b 3c 24 48 89 c2 e8 53 fc ff ff 48 89 d0 48 83 c4 08 48 3d 01
[ 1001.410650][ T9934] RSP: 002b:00007fff7f0821d0 EFLAGS: 00000293 ORIG_RAX: 0000000000000003
[ 1001.419195][ T9934] RAX: 0000000000000000 RBX: 0000000000000005 RCX: 00000000004135d1
[ 1001.427154][ T9934] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000004
[ 1001.435105][ T9934] RBP: 0000000000000001 R08: ffffffffffffffff R09: ffffffffffffffff
[ 1001.444099][ T9934] R10: 00007fff7f0822b0 R11: 0000000000000293 R12: 000000000075c9a0
[ 1001.452046][ T9934] R13: 000000000075c9a0 R14: 00000000007603c0 R15: ffffffffffffffff
[ 1001.461979][ T9934] Kernel Offset: disabled
[ 1001.466361][ T9934] Rebooting in 86400 seconds..