[ 43.778259] audit: type=1800 audit(1546350917.532:30): pid=8286 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:kernel_t:s0 op=collect_data cause=failed(directio) comm="startpar" name="mcstrans" dev="sda1" ino=2457 res=0
[ ok ] Starting periodic command scheduler: cron.
Starting mcstransd:
[ ok ] Starting file context maintaining daemon: restorecond.
[ ok ] Starting OpenBSD Secure Shell server: sshd.

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login:
[ 49.168225] kauditd_printk_skb: 4 callbacks suppressed
[ 49.168239] audit: type=1400 audit(1546350922.952:35): avc: denied { map } for pid=8460 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
Warning: Permanently added '10.128.0.71' (ECDSA) to the list of known hosts.
[ 56.048153] audit: type=1400 audit(1546350929.832:36): avc: denied { map } for pid=8472 comm="syz-execprog" path="/root/syz-execprog" dev="sda1" ino=16482 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
2019/01/01 13:55:30 parsed 1 programs
[ 56.802194] audit: type=1400 audit(1546350930.592:37): avc: denied { map } for pid=8472 comm="syz-execprog" path="/sys/kernel/debug/kcov" dev="debugfs" ino=4997 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:debugfs_t:s0 tclass=file permissive=1
2019/01/01 13:55:32 executed programs: 0
[ 58.354322] IPVS: ftp: loaded support on port[0] = 21
[ 58.434103] chnl_net:caif_netlink_parms(): no params data found
[ 58.466974] bridge0: port 1(bridge_slave_0) entered blocking state
[ 58.473800] bridge0: port 1(bridge_slave_0) entered disabled state
[ 58.480945] device bridge_slave_0 entered promiscuous mode
[ 58.488236] bridge0: port 2(bridge_slave_1) entered blocking state
[ 58.494694] bridge0: port 2(bridge_slave_1) entered disabled state
[ 58.501720] device bridge_slave_1 entered promiscuous mode
[ 58.518566] bond0: Enslaving bond_slave_0 as an active interface with an up link
[ 58.528081] bond0: Enslaving bond_slave_1 as an active interface with an up link
[ 58.546397] IPv6: ADDRCONF(NETDEV_UP): team_slave_0: link is not ready
[ 58.554007] team0: Port device team_slave_0 added
[ 58.559635] IPv6: ADDRCONF(NETDEV_UP): team_slave_1: link is not ready
[ 58.566825] team0: Port device team_slave_1 added
[ 58.572213] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_0: link is not ready
[ 58.579774] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_1: link is not ready
[ 58.642198] device hsr_slave_0 entered promiscuous mode
[ 58.709590] device hsr_slave_1 entered promiscuous mode
[ 58.789808] IPv6: ADDRCONF(NETDEV_UP): hsr_slave_0: link is not ready
[ 58.796751] IPv6: ADDRCONF(NETDEV_UP): hsr_slave_1: link is not ready
[ 58.812209] bridge0: port 2(bridge_slave_1) entered blocking state
[ 58.818594] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 58.825523] bridge0: port 1(bridge_slave_0) entered blocking state
[ 58.831903] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 58.863922] IPv6: ADDRCONF(NETDEV_UP): bond0: link is not ready
[ 58.870085] 8021q: adding VLAN 0 to HW filter on device bond0
[ 58.878033] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
[ 58.886680] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 58.896904] bridge0: port 1(bridge_slave_0) entered disabled state
[ 58.915004] bridge0: port 2(bridge_slave_1) entered disabled state
[ 58.923157] IPv6: ADDRCONF(NETDEV_CHANGE): bond0: link becomes ready
[ 58.934103] IPv6: ADDRCONF(NETDEV_UP): team0: link is not ready
[ 58.940302] 8021q: adding VLAN 0 to HW filter on device team0
[ 58.948662] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[ 58.956494] bridge0: port 1(bridge_slave_0) entered blocking state
[ 58.962918] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 58.973049] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[ 58.980805] bridge0: port 2(bridge_slave_1) entered blocking state
[ 58.987129] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 59.010143] hsr0: Slave A (hsr_slave_0) is not up; please bring it up to get a fully working HSR network
[ 59.020536] hsr0: Slave B (hsr_slave_1) is not up; please bring it up to get a fully working HSR network
[ 59.031161] IPv6: ADDRCONF(NETDEV_UP): hsr0: link is not ready
[ 59.038453] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready
[ 59.046372] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready
[ 59.054407] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
[ 59.062104] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
[ 59.069908] IPv6: ADDRCONF(NETDEV_CHANGE): hsr0: link becomes ready
[ 59.076851] IPv6: ADDRCONF(NETDEV_CHANGE): team0: link becomes ready
[ 59.091829] IPv6: ADDRCONF(NETDEV_UP): vxcan1: link is not ready
[ 59.102200] 8021q: adding VLAN 0 to HW filter on device batadv0
[ 59.114194] audit: type=1400 audit(1546350932.902:38): avc: denied { associate } for pid=8485 comm="syz-executor0" name="syz0" scontext=unconfined_u:object_r:unlabeled_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=filesystem permissive=1
[ 59.167625] L1TF CPU bug present and SMT on, data leak possible. See CVE-2018-3646 and https://www.kernel.org/doc/html/latest/admin-guide/l1tf.html for details.
[ 59.201488] ==================================================================
[ 59.208946] BUG: KASAN: slab-out-of-bounds in kvm_clear_dirty_log_protect+0x8cf/0x970
[ 59.216914] Read of size 8 at addr ffff88809f089510 by task syz-executor0/8490
[ 59.224263]
[ 59.225879] CPU: 1 PID: 8490 Comm: syz-executor0 Not tainted 4.20.0+ #3
[ 59.232612] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 59.241944] Call Trace:
[ 59.244512]  dump_stack+0x1db/0x2d0
[ 59.248139]  ? dump_stack_print_info.cold+0x20/0x20
[ 59.253145]  ? kvm_clear_dirty_log_protect+0x8cf/0x970
[ 59.258405]  print_address_description.cold+0x7c/0x20d
[ 59.263668]  ? kvm_clear_dirty_log_protect+0x8cf/0x970
[ 59.268932]  ? kvm_clear_dirty_log_protect+0x8cf/0x970
[ 59.274192]  kasan_report.cold+0x1b/0x40
[ 59.278232]  ? kvm_clear_dirty_log_protect+0x8cf/0x970
[ 59.283507]  __asan_report_load8_noabort+0x14/0x20
[ 59.288423]  kvm_clear_dirty_log_protect+0x8cf/0x970
[ 59.293561]  ? vcpu_stat_get_per_vm_open+0x40/0x40
[ 59.298477]  ? lock_downgrade+0x910/0x910
[ 59.302646]  ? lock_release+0xc40/0xc40
[ 59.306627]  kvm_vm_ioctl_clear_dirty_log+0xff/0x260
[ 59.311732]  ? kvm_vm_ioctl_get_dirty_log+0x260/0x260
[ 59.316906]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[ 59.322442]  ? _copy_from_user+0xdd/0x150
[ 59.326587]  kvm_vm_ioctl+0xc19/0x1fe0
[ 59.330473]  ? kvm_unregister_device_ops+0x70/0x70
[ 59.335414]  ? print_usage_bug+0xd0/0xd0
[ 59.339477]  ? __sanitizer_cov_trace_switch+0x49/0x80
[ 59.344665]  ? drop_futex_key_refs.isra.0+0x6f/0xf0
[ 59.349695]  ? get_futex_key+0x2050/0x2050
[ 59.353947]  ? mark_held_locks+0x100/0x100
[ 59.358164]  ? do_futex+0x1b0/0x2910
[ 59.361867]  ? do_raw_spin_trylock+0x270/0x270
[ 59.366432]  ? add_mm_counter_fast.part.0+0x40/0x40
[ 59.371432]  ? add_lock_to_list.isra.0+0x450/0x450
[ 59.376339]  ? add_lock_to_list.isra.0+0x450/0x450
[ 59.381259]  ? exit_robust_list+0x290/0x290
[ 59.385562]  ? __might_fault+0x12b/0x1e0
[ 59.389610]  ? find_held_lock+0x35/0x120
[ 59.393656]  ? __might_fault+0x12b/0x1e0
[ 59.397697]  ? lock_acquire+0x1db/0x570
[ 59.401659]  ? lock_downgrade+0x910/0x910
[ 59.405790]  ? lock_release+0xc40/0xc40
[ 59.409747]  ? kvm_unregister_device_ops+0x70/0x70
[ 59.414690]  do_vfs_ioctl+0x107b/0x17d0
[ 59.418660]  ? __sanitizer_cov_trace_switch+0x49/0x80
[ 59.423833]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 59.429372]  ? selinux_file_ioctl+0x125/0x720
[ 59.434024]  ? ioctl_preallocate+0x2f0/0x2f0
[ 59.438414]  ? selinux_file_mprotect+0x620/0x620
[ 59.443167]  ? __fget_light+0x2db/0x420
[ 59.447141]  ? put_timespec64+0x115/0x1b0
[ 59.451291]  ? nsecs_to_jiffies+0x30/0x30
[ 59.455425]  ? do_syscall_64+0x8c/0x800
[ 59.459399]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 59.464936]  ? security_file_ioctl+0x93/0xc0
[ 59.469334]  ksys_ioctl+0xab/0xd0
[ 59.472791]  __x64_sys_ioctl+0x73/0xb0
[ 59.476660]  do_syscall_64+0x1a3/0x800
[ 59.480533]  ? syscall_return_slowpath+0x5f0/0x5f0
[ 59.485444]  ? prepare_exit_to_usermode+0x232/0x3b0
[ 59.490446]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 59.495276]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 59.500445] RIP: 0033:0x457ec9
[ 59.503622] Code: 6d b7 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 3b b7 fb ff c3 66 2e 0f 1f 84 00 00 00 00
[ 59.522505] RSP: 002b:00007ffe93675d88 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[ 59.530190] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000000457ec9
[ 59.537440] RDX: 0000000020000080 RSI: 00000000c018aec0 RDI: 0000000000000004
[ 59.544698] RBP: 000000000073bf00 R08: 0000000000000000 R09: 0000000000000000
[ 59.551959] R10: 0000000000000000 R11: 0000000000000246 R12: 000000000205b914
[ 59.559246] R13: 00000000004c9ef0 R14: 00000000004d2a10 R15: 00000000ffffffff
[ 59.566529]
[ 59.568158] Allocated by task 8490:
[ 59.572250]  save_stack+0x45/0xd0
[ 59.575717]  kasan_kmalloc+0xcf/0xe0
[ 59.579429]  __kmalloc_node+0x4e/0x70
[ 59.583212]  kvmalloc_node+0x68/0x100
[ 59.587008]  __kvm_set_memory_region+0x1da1/0x2c40
[ 59.591955]  kvm_set_memory_region+0x2f/0x60
[ 59.596395]  kvm_vm_ioctl+0xafa/0x1fe0
[ 59.600278]  do_vfs_ioctl+0x107b/0x17d0
[ 59.604231]  ksys_ioctl+0xab/0xd0
[ 59.607662]  __x64_sys_ioctl+0x73/0xb0
[ 59.611530]  do_syscall_64+0x1a3/0x800
[ 59.615396]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 59.620560]
[ 59.622164] Freed by task 5829:
[ 59.625422]  save_stack+0x45/0xd0
[ 59.628853]  __kasan_slab_free+0x102/0x150
[ 59.633070]  kasan_slab_free+0xe/0x10
[ 59.636846]  kfree+0xcf/0x230
[ 59.639944]  kvfree+0x61/0x70
[ 59.643029]  setxattr+0x340/0x4a0
[ 59.646459]  path_setxattr+0x1e2/0x230
[ 59.650329]  __x64_sys_lsetxattr+0xc1/0x150
[ 59.654655]  do_syscall_64+0x1a3/0x800
[ 59.658536]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 59.663705]
[ 59.665390] The buggy address belongs to the object at ffff88809f089500
[ 59.665390]  which belongs to the cache kmalloc-32 of size 32
[ 59.677875] The buggy address is located 16 bytes inside of
[ 59.677875]  32-byte region [ffff88809f089500, ffff88809f089520)
[ 59.689587] The buggy address belongs to the page:
[ 59.694526] page:ffffea00027c2240 count:1 mapcount:0 mapping:ffff88812c3f01c0 index:0xffff88809f089fc1
[ 59.703967] flags: 0x1fffc0000000200(slab)
[ 59.708190] raw: 01fffc0000000200 ffffea00029111c8 ffffea0002409c48 ffff88812c3f01c0
[ 59.716056] raw: ffff88809f089fc1 ffff88809f089000 000000010000003f 0000000000000000
[ 59.723916] page dumped because: kasan: bad access detected
[ 59.729609]
[ 59.731228] Memory state around the buggy address:
[ 59.736135]  ffff88809f089400: fb fb fb fb fc fc fc fc 00 00 01 fc fc fc fc fc
[ 59.743488]  ffff88809f089480: 04 fc fc fc fc fc fc fc 04 fc fc fc fc fc fc fc
[ 59.750842] >ffff88809f089500: 00 00 fc fc fc fc fc fc 00 00 01 fc fc fc fc fc
[ 59.758188]                          ^
[ 59.762056]  ffff88809f089580: 04 fc fc fc fc fc fc fc 00 04 fc fc fc fc fc fc
[ 59.769403]  ffff88809f089600: 00 04 fc fc fc fc fc fc 00 00 00 fc fc fc fc fc
[ 59.776751] ==================================================================
[ 59.784101] Disabling lock debugging due to kernel taint
[ 59.790560] Kernel panic - not syncing: panic_on_warn set ...
[ 59.796454] CPU: 1 PID: 8490 Comm: syz-executor0 Tainted: G B 4.20.0+ #3
[ 59.804574] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 59.813904] Call Trace:
[ 59.816502]  dump_stack+0x1db/0x2d0
[ 59.820131]  ? dump_stack_print_info.cold+0x20/0x20
[ 59.825133]  panic+0x2cb/0x589
[ 59.828324]  ? add_taint.cold+0x16/0x16
[ 59.832304]  ? trace_hardirqs_on+0xb4/0x310
[ 59.836607]  ? trace_hardirqs_on+0xb4/0x310
[ 59.840925]  ? kvm_clear_dirty_log_protect+0x8cf/0x970
[ 59.846188]  end_report+0x47/0x4f
[ 59.849638]  ? kvm_clear_dirty_log_protect+0x8cf/0x970
[ 59.854908]  kasan_report.cold+0xe/0x40
[ 59.858867]  ? kvm_clear_dirty_log_protect+0x8cf/0x970
[ 59.864130]  __asan_report_load8_noabort+0x14/0x20
[ 59.869040]  kvm_clear_dirty_log_protect+0x8cf/0x970
[ 59.874129]  ? vcpu_stat_get_per_vm_open+0x40/0x40
[ 59.879042]  ? lock_downgrade+0x910/0x910
[ 59.883174]  ? lock_release+0xc40/0xc40
[ 59.887146]  kvm_vm_ioctl_clear_dirty_log+0xff/0x260
[ 59.892233]  ? kvm_vm_ioctl_get_dirty_log+0x260/0x260
[ 59.897417]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[ 59.902939]  ? _copy_from_user+0xdd/0x150
[ 59.907067]  kvm_vm_ioctl+0xc19/0x1fe0
[ 59.910945]  ? kvm_unregister_device_ops+0x70/0x70
[ 59.915868]  ? print_usage_bug+0xd0/0xd0
[ 59.919915]  ? __sanitizer_cov_trace_switch+0x49/0x80
[ 59.925108]  ? drop_futex_key_refs.isra.0+0x6f/0xf0
[ 59.930113]  ? get_futex_key+0x2050/0x2050
[ 59.934334]  ? mark_held_locks+0x100/0x100
[ 59.938562]  ? do_futex+0x1b0/0x2910
[ 59.942273]  ? do_raw_spin_trylock+0x270/0x270
[ 59.946838]  ? add_mm_counter_fast.part.0+0x40/0x40
[ 59.951853]  ? add_lock_to_list.isra.0+0x450/0x450
[ 59.956778]  ? add_lock_to_list.isra.0+0x450/0x450
[ 59.961690]  ? exit_robust_list+0x290/0x290
[ 59.965993]  ? __might_fault+0x12b/0x1e0
[ 59.970034]  ? find_held_lock+0x35/0x120
[ 59.974110]  ? __might_fault+0x12b/0x1e0
[ 59.978168]  ? lock_acquire+0x1db/0x570
[ 59.982158]  ? lock_downgrade+0x910/0x910
[ 59.986284]  ? lock_release+0xc40/0xc40
[ 59.990253]  ? kvm_unregister_device_ops+0x70/0x70
[ 59.995175]  do_vfs_ioctl+0x107b/0x17d0
[ 59.999133]  ? __sanitizer_cov_trace_switch+0x49/0x80
[ 60.004301]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 60.009842]  ? selinux_file_ioctl+0x125/0x720
[ 60.014326]  ? ioctl_preallocate+0x2f0/0x2f0
[ 60.018726]  ? selinux_file_mprotect+0x620/0x620
[ 60.023465]  ? __fget_light+0x2db/0x420
[ 60.027427]  ? put_timespec64+0x115/0x1b0
[ 60.031556]  ? nsecs_to_jiffies+0x30/0x30
[ 60.035686]  ? do_syscall_64+0x8c/0x800
[ 60.039647]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 60.045166]  ? security_file_ioctl+0x93/0xc0
[ 60.049565]  ksys_ioctl+0xab/0xd0
[ 60.053008]  __x64_sys_ioctl+0x73/0xb0
[ 60.056881]  do_syscall_64+0x1a3/0x800
[ 60.060753]  ? syscall_return_slowpath+0x5f0/0x5f0
[ 60.065693]  ? prepare_exit_to_usermode+0x232/0x3b0
[ 60.070692]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 60.075521]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 60.080690] RIP: 0033:0x457ec9
[ 60.083880] Code: 6d b7 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 3b b7 fb ff c3 66 2e 0f 1f 84 00 00 00 00
[ 60.102761] RSP: 002b:00007ffe93675d88 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[ 60.110462] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000000457ec9
[ 60.117710] RDX: 0000000020000080 RSI: 00000000c018aec0 RDI: 0000000000000004
[ 60.124974] RBP: 000000000073bf00 R08: 0000000000000000 R09: 0000000000000000
[ 60.132226] R10: 0000000000000000 R11: 0000000000000246 R12: 000000000205b914
[ 60.139474] R13: 00000000004c9ef0 R14: 00000000004d2a10 R15: 00000000ffffffff
[ 60.147616] Kernel Offset: disabled
[ 60.151235] Rebooting in 86400 seconds..