[   38.008694] audit: type=1800 audit(1573541944.417:32): pid=7413 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:kernel_t:s0 op=collect_data cause=failed(directio) comm="startpar" name="ssh" dev="sda1" ino=2450 res=0
Starting mcstransd: 
[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting file context maintaining daemon: restorecond.
[ ok ] Starting OpenBSD Secure Shell server: sshd.
[   38.787326] audit: type=1800 audit(1573541945.277:33): pid=7413 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:kernel_t:s0 op=collect_data cause=failed(directio) comm="startpar" name="rc.local" dev="sda1" ino=2465 res=0

Debian GNU/Linux 7 syzkaller ttyS0

Warning: Permanently added '10.128.10.9' (ECDSA) to the list of known hosts.
2019/11/12 07:14:32 parsed 1 programs
syzkaller login: [  965.703236] kauditd_printk_skb: 2 callbacks suppressed
[  965.703251] audit: type=1400 audit(1573542872.197:36): avc:  denied  { map } for  pid=7601 comm="syz-execprog" path="/root/syz-execprog" dev="sda1" ino=16481 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
[  965.775455] audit: type=1400 audit(1573542872.267:37): avc:  denied  { map } for  pid=7601 comm="syz-execprog" path="/sys/kernel/debug/kcov" dev="debugfs" ino=15 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:debugfs_t:s0 tclass=file permissive=1
2019/11/12 07:14:34 executed programs: 0
[  967.989222] IPVS: ftp: loaded support on port[0] = 21
[  968.053889] chnl_net:caif_netlink_parms(): no params data found
[  968.091537] bridge0: port 1(bridge_slave_0) entered blocking state
[  968.098417] bridge0: port 1(bridge_slave_0) entered disabled state
[  968.105988] device bridge_slave_0 entered promiscuous mode
[  968.113855] bridge0: port 2(bridge_slave_1) entered blocking state
[  968.120271] bridge0: port 2(bridge_slave_1) entered disabled state
[  968.128587] device bridge_slave_1 entered promiscuous mode
[  968.145223] bond0: Enslaving bond_slave_0 as an active interface with an up link
[  968.154354] bond0: Enslaving bond_slave_1 as an active interface with an up link
[  968.170894] IPv6: ADDRCONF(NETDEV_UP): team_slave_0: link is not ready
[  968.179736] team0: Port device team_slave_0 added
[  968.190200] IPv6: ADDRCONF(NETDEV_UP): team_slave_1: link is not ready
[  968.197758] team0: Port device team_slave_1 added
[  968.203225] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_0: link is not ready
[  968.210511] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_1: link is not ready
[  968.263276] device hsr_slave_0 entered promiscuous mode
[  968.301639] device hsr_slave_1 entered promiscuous mode
[  968.341605] IPv6: ADDRCONF(NETDEV_UP): hsr_slave_0: link is not ready
[  968.348602] IPv6: ADDRCONF(NETDEV_UP): hsr_slave_1: link is not ready
[  968.363567] bridge0: port 2(bridge_slave_1) entered blocking state
[  968.370431] bridge0: port 2(bridge_slave_1) entered forwarding state
[  968.377632] bridge0: port 1(bridge_slave_0) entered blocking state
[  968.384039] bridge0: port 1(bridge_slave_0) entered forwarding state
[  968.418426] IPv6: ADDRCONF(NETDEV_UP): bond0: link is not ready
[  968.425895] 8021q: adding VLAN 0 to HW filter on device bond0
[  968.435712] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
[  968.444979] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[  968.464695] bridge0: port 1(bridge_slave_0) entered disabled state
[  968.472449] bridge0: port 2(bridge_slave_1) entered disabled state
[  968.480472] IPv6: ADDRCONF(NETDEV_CHANGE): bond0: link becomes ready
[  968.492262] IPv6: ADDRCONF(NETDEV_UP): team0: link is not ready
[  968.498464] 8021q: adding VLAN 0 to HW filter on device team0
[  968.507706] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[  968.516292] bridge0: port 1(bridge_slave_0) entered blocking state
[  968.522740] bridge0: port 1(bridge_slave_0) entered forwarding state
[  968.533613] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[  968.541652] bridge0: port 2(bridge_slave_1) entered blocking state
[  968.548096] bridge0: port 2(bridge_slave_1) entered forwarding state
[  968.563221] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready
[  968.572990] IPv6: ADDRCONF(NETDEV_CHANGE): team0: link becomes ready
[  968.583052] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready
[  968.597581] hsr0: Slave A (hsr_slave_0) is not up; please bring it up to get a fully working HSR network
[  968.608527] hsr0: Slave B (hsr_slave_1) is not up; please bring it up to get a fully working HSR network
[  968.619645] IPv6: ADDRCONF(NETDEV_UP): hsr0: link is not ready
[  968.626236] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
[  968.634396] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
[  968.642804] IPv6: ADDRCONF(NETDEV_CHANGE): hsr0: link becomes ready
[  968.657173] IPv6: ADDRCONF(NETDEV_UP): vxcan0: link is not ready
[  968.665454] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan0: link becomes ready
[  968.672471] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan1: link becomes ready
[  968.684567] 8021q: adding VLAN 0 to HW filter on device batadv0
[  968.695317] audit: type=1400 audit(1573542875.187:38): avc:  denied  { associate } for  pid=7617 comm="syz-executor.0" name="syz0" scontext=unconfined_u:object_r:unlabeled_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=filesystem permissive=1
[  969.081824] Bluetooth: Error in BCSP hdr checksum
[  969.351504] Bluetooth: Error in BCSP hdr checksum
[  970.831575] Bluetooth: hci0: command 0x1003 tx timeout
[  970.837898] Bluetooth: hci0: sending frame failed (-49)
[  972.910941] Bluetooth: hci0: command 0x1001 tx timeout
[  972.916537] Bluetooth: hci0: sending frame failed (-49)
[  974.990954] Bluetooth: hci0: command 0x1009 tx timeout
[  979.234400] ==================================================================
[  979.242080] BUG: KASAN: use-after-free in kfree_skb+0x38/0x390
[  979.248052] Read of size 4 at addr ffff8880a00e44e4 by task syz-executor.0/7624
[  979.255477] 
[  979.257092] CPU: 1 PID: 7624 Comm: syz-executor.0 Not tainted 4.19.83 #0
[  979.263910] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[  979.273391] Call Trace:
[  979.276051]  dump_stack+0x172/0x1f0
[  979.279670]  ? kfree_skb+0x38/0x390
[  979.283328]  print_address_description.cold+0x7c/0x20d
[  979.288588]  ? kfree_skb+0x38/0x390
[  979.292198]  kasan_report.cold+0x8c/0x2ba
[  979.296333]  check_memory_region+0x123/0x190
[  979.300723]  kasan_check_read+0x11/0x20
[  979.305388]  kfree_skb+0x38/0x390
[  979.308892]  bcsp_close+0xc7/0x130
[  979.312442]  hci_uart_tty_close+0x1ea/0x250
[  979.316748]  ? hci_uart_close+0x50/0x50
[  979.320764]  tty_ldisc_close.isra.0+0xaf/0xe0
[  979.325245]  tty_ldisc_kill+0x4b/0xc0
[  979.329027]  tty_ldisc_release+0xc6/0x280
[  979.333156]  tty_release_struct+0x1b/0x50
[  979.337283]  tty_release+0xbcb/0xe90
[  979.340982]  ? put_tty_driver+0x20/0x20
[  979.344967]  __fput+0x2dd/0x8b0
[  979.348231]  ____fput+0x16/0x20
[  979.351520]  task_work_run+0x145/0x1c0
[  979.355424]  exit_to_usermode_loop+0x273/0x2c0
[  979.359992]  do_syscall_64+0x53d/0x620
[  979.363893]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[  979.369064] RIP: 0033:0x413db1
[  979.372240] Code: 75 14 b8 03 00 00 00 0f 05 48 3d 01 f0 ff ff 0f 83 04 1b 00 00 c3 48 83 ec 08 e8 0a fc ff ff 48 89 04 24 b8 03 00 00 00 0f 05 <48> 8b 3c 24 48 89 c2 e8 53 fc ff ff 48 89 d0 48 83 c4 08 48 3d 01
[  979.392252] RSP: 002b:00007ffd3e9ae340 EFLAGS: 00000293 ORIG_RAX: 0000000000000003
[  979.399943] RAX: 0000000000000000 RBX: 0000000000000006 RCX: 0000000000413db1
[  979.407192] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000005
[  979.414461] RBP: 0000000000000001 R08: ffffffffffffffff R09: ffffffffffffffff
[  979.422850] R10: 00007ffd3e9ae420 R11: 0000000000000293 R12: 000000000075c9a0
[  979.430102] R13: 000000000075c9a0 R14: 0000000000760290 R15: 000000000075bfd4
[  979.437358] 
[  979.439005] Allocated by task 40:
[  979.442442]  save_stack+0x45/0xd0
[  979.445875]  kasan_kmalloc+0xce/0xf0
[  979.449568]  kasan_slab_alloc+0xf/0x20
[  979.453437]  kmem_cache_alloc_node+0x144/0x710
[  979.458043]  __alloc_skb+0xd5/0x5f0
[  979.461651]  bcsp_recv+0x8c7/0x13a0
[  979.465261]  hci_uart_tty_receive+0x225/0x530
[  979.469738]  tty_ldisc_receive_buf+0x15f/0x1c0
[  979.474303]  tty_port_default_receive_buf+0x7d/0xb0
[  979.479301]  flush_to_ldisc+0x222/0x390
[  979.483323]  process_one_work+0x989/0x1750
[  979.487557]  worker_thread+0x98/0xe40
[  979.491338]  kthread+0x354/0x420
[  979.494700]  ret_from_fork+0x24/0x30
[  979.498393] 
[  979.501046] Freed by task 40:
[  979.504135]  save_stack+0x45/0xd0
[  979.507573]  __kasan_slab_free+0x102/0x150
[  979.511801]  kasan_slab_free+0xe/0x10
[  979.515585]  kmem_cache_free+0x86/0x260
[  979.519541]  kfree_skbmem+0xcb/0x150
[  979.523311]  kfree_skb+0xf0/0x390
[  979.526780]  bcsp_recv+0x2d8/0x13a0
[  979.530403]  hci_uart_tty_receive+0x225/0x530
[  979.534932]  tty_ldisc_receive_buf+0x15f/0x1c0
[  979.539501]  tty_port_default_receive_buf+0x7d/0xb0
[  979.544499]  flush_to_ldisc+0x222/0x390
[  979.548464]  process_one_work+0x989/0x1750
[  979.552727]  worker_thread+0x98/0xe40
[  979.556509]  kthread+0x354/0x420
[  979.559883]  ret_from_fork+0x24/0x30
[  979.563577] 
[  979.565187] The buggy address belongs to the object at ffff8880a00e4400
[  979.565187]  which belongs to the cache skbuff_head_cache of size 232
[  979.578346] The buggy address is located 228 bytes inside of
[  979.578346]  232-byte region [ffff8880a00e4400, ffff8880a00e44e8)
[  979.590205] The buggy address belongs to the page:
[  979.595115] page:ffffea0002803900 count:1 mapcount:0 mapping:ffff8880aa347ac0 index:0x0
[  979.603257] flags: 0x1fffc0000000100(slab)
[  979.607617] raw: 01fffc0000000100 ffffea000262d888 ffffea0002446e08 ffff8880aa347ac0
[  979.615517] raw: 0000000000000000 ffff8880a00e4040 000000010000000c 0000000000000000
[  979.623378] page dumped because: kasan: bad access detected
[  979.629066] 
[  979.630673] Memory state around the buggy address:
[  979.635586]  ffff8880a00e4380: fb fb fb fb fb fc fc fc fc fc fc fc fc fc fc fc
[  979.642947]  ffff8880a00e4400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[  979.650288] >ffff8880a00e4480: fb fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc
[  979.657636]                                                        ^
[  979.664109]  ffff8880a00e4500: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
[  979.671456]  ffff8880a00e4580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[  979.678791] ==================================================================
[  979.686151] Disabling lock debugging due to kernel taint
[  979.691904] Kernel panic - not syncing: panic_on_warn set ...
[  979.691904] 
[  979.699284] CPU: 1 PID: 7624 Comm: syz-executor.0 Tainted: G    B             4.19.83 #0
[  979.707498] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[  979.716870] Call Trace:
[  979.719474]  dump_stack+0x172/0x1f0
[  979.723133]  ? kfree_skb+0x38/0x390
[  979.726809]  panic+0x26a/0x50e
[  979.730252]  ? __warn_printk+0xf3/0xf3
[  979.734126]  ? kfree_skb+0x38/0x390
[  979.737786]  ? preempt_schedule+0x4b/0x60
[  979.741921]  ? ___preempt_schedule+0x16/0x18
[  979.746423]  ? trace_hardirqs_on+0x5e/0x220
[  979.750834]  ? kfree_skb+0x38/0x390
[  979.754453]  kasan_end_report+0x47/0x4f
[  979.758414]  kasan_report.cold+0xa9/0x2ba
[  979.762678]  check_memory_region+0x123/0x190
[  979.767081]  kasan_check_read+0x11/0x20
[  979.771037]  kfree_skb+0x38/0x390
[  979.774487]  bcsp_close+0xc7/0x130
[  979.778058]  hci_uart_tty_close+0x1ea/0x250
[  979.782372]  ? hci_uart_close+0x50/0x50
[  979.786337]  tty_ldisc_close.isra.0+0xaf/0xe0
[  979.790827]  tty_ldisc_kill+0x4b/0xc0
[  979.794625]  tty_ldisc_release+0xc6/0x280
[  979.798762]  tty_release_struct+0x1b/0x50
[  979.802901]  tty_release+0xbcb/0xe90
[  979.806601]  ? put_tty_driver+0x20/0x20
[  979.813510]  __fput+0x2dd/0x8b0
[  979.816785]  ____fput+0x16/0x20
[  979.820055]  task_work_run+0x145/0x1c0
[  979.823940]  exit_to_usermode_loop+0x273/0x2c0
[  979.828506]  do_syscall_64+0x53d/0x620
[  979.832397]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[  979.837577] RIP: 0033:0x413db1
[  979.840763] Code: 75 14 b8 03 00 00 00 0f 05 48 3d 01 f0 ff ff 0f 83 04 1b 00 00 c3 48 83 ec 08 e8 0a fc ff ff 48 89 04 24 b8 03 00 00 00 0f 05 <48> 8b 3c 24 48 89 c2 e8 53 fc ff ff 48 89 d0 48 83 c4 08 48 3d 01
[  979.860281] RSP: 002b:00007ffd3e9ae340 EFLAGS: 00000293 ORIG_RAX: 0000000000000003
[  979.867971] RAX: 0000000000000000 RBX: 0000000000000006 RCX: 0000000000413db1
[  979.875326] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000005
[  979.882591] RBP: 0000000000000001 R08: ffffffffffffffff R09: ffffffffffffffff
[  979.889856] R10: 00007ffd3e9ae420 R11: 0000000000000293 R12: 000000000075c9a0
[  979.897124] R13: 000000000075c9a0 R14: 0000000000760290 R15: 000000000075bfd4
[  979.905845] Kernel Offset: disabled
[  979.909533] Rebooting in 86400 seconds..