[   43.474262] audit: type=1800 audit(1580255890.007:30): pid=7975 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:kernel_t:s0 op=collect_data cause=failed(directio) comm="startpar" name="mcstrans" dev="sda1" ino=2490 res=0
[....] Starting periodic command scheduler: cron[?25l[?1c7[1G[[32m ok [39;49m8[?25h[?0c.
Starting mcstransd: 
[....] Starting file context maintaining daemon: restorecond[?25l[?1c7[1G[[32m ok [39;49m8[?25h[?0c.
[....] Starting OpenBSD Secure Shell server: sshd[?25l[?1c7[1G[[32m ok [39;49m8[?25h[?0c.

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [   47.842169] kauditd_printk_skb: 4 callbacks suppressed
[   47.842185] audit: type=1400 audit(1580255894.397:35): avc:  denied  { map } for  pid=8149 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
Warning: Permanently added '10.128.10.40' (ECDSA) to the list of known hosts.
executing program
[   54.644589] audit: type=1400 audit(1580255901.197:36): avc:  denied  { map } for  pid=8161 comm="syz-executor916" path="/root/syz-executor916294225" dev="sda1" ino=16483 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
[   54.666172] IPVS: ftp: loaded support on port[0] = 21
[   54.701499] ==================================================================
[   54.709185] BUG: KASAN: slab-out-of-bounds in __nla_put_nohdr+0x46/0x50
[   54.715994] Read of size 8 at addr ffff88809664f480 by task syz-executor916/8162
[   54.723530] 
[   54.725205] CPU: 0 PID: 8162 Comm: syz-executor916 Not tainted 4.19.99-syzkaller #0
[   54.733026] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   54.742437] Call Trace:
[   54.745026]  dump_stack+0x197/0x210
[   54.748660]  ? __nla_put_nohdr+0x46/0x50
[   54.752733]  print_address_description.cold+0x7c/0x20d
[   54.758160]  ? __nla_put_nohdr+0x46/0x50
[   54.762328]  kasan_report.cold+0x8c/0x2ba
[   54.766500]  check_memory_region+0x123/0x190
[   54.770923]  memcpy+0x24/0x50
[   54.774069]  __nla_put_nohdr+0x46/0x50
[   54.777967]  nla_put_nohdr+0xff/0x140
[   54.781764]  tcf_em_tree_dump+0x67e/0x960
[   54.785962]  ? tcf_em_lookup+0x150/0x150
[   54.790113]  ? memcpy+0x46/0x50
[   54.794400]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   54.799940]  ? tcf_exts_dump+0x12d/0x590
[   54.804038]  basic_dump+0x21e/0x4c0
[   54.807677]  ? basic_classify+0x2b0/0x2b0
[   54.811830]  ? __nla_put+0x37/0x40
[   54.815361]  ? nla_put+0x116/0x150
[   54.819034]  ? basic_classify+0x2b0/0x2b0
[   54.823182]  tcf_fill_node+0x574/0x950
[   54.827065]  ? tcf_chain_flush+0x340/0x340
[   54.831291]  ? skb_trim+0x190/0x190
[   54.834937]  ? basic_init+0x1f0/0x1f0
[   54.838837]  tfilter_notify+0x129/0x270
[   54.842839]  tc_new_tfilter+0xcc8/0x1790
[   54.846926]  ? tc_del_tfilter+0xe60/0xe60
[   54.851123]  ? rtnetlink_rcv_msg+0x40a/0xb00
[   54.855525]  ? mutex_trylock+0x1e0/0x1e0
[   54.859592]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[   54.865143]  ? tc_del_tfilter+0xe60/0xe60
[   54.869304]  rtnetlink_rcv_msg+0x463/0xb00
[   54.873547]  ? rtnetlink_put_metrics+0x560/0x560
[   54.878304]  ? netlink_deliver_tap+0x22d/0xc20
[   54.882940]  ? find_held_lock+0x35/0x130
[   54.887061]  netlink_rcv_skb+0x17d/0x460
[   54.891118]  ? rtnetlink_put_metrics+0x560/0x560
[   54.895901]  ? netlink_ack+0xb30/0xb30
[   54.899789]  ? kasan_check_read+0x11/0x20
[   54.903941]  ? netlink_deliver_tap+0x254/0xc20
[   54.908515]  rtnetlink_rcv+0x1d/0x30
[   54.912216]  netlink_unicast+0x53a/0x730
[   54.916327]  ? netlink_attachskb+0x770/0x770
[   54.920840]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   54.926391]  netlink_sendmsg+0x8ae/0xd70
[   54.930465]  ? netlink_unicast+0x730/0x730
[   54.934713]  ? selinux_socket_sendmsg+0x36/0x40
[   54.939378]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   54.944936]  ? security_socket_sendmsg+0x8d/0xc0
[   54.949687]  ? netlink_unicast+0x730/0x730
[   54.953927]  sock_sendmsg+0xd7/0x130
[   54.957638]  ___sys_sendmsg+0x803/0x920
[   54.961648]  ? copy_msghdr_from_user+0x430/0x430
[   54.966471]  ? __might_fault+0x12b/0x1e0
[   54.970554]  ? __might_fault+0x12b/0x1e0
[   54.974617]  ? lock_downgrade+0x880/0x880
[   54.978780]  ? kasan_check_read+0x11/0x20
[   54.982935]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   54.988524]  ? __fget_light+0x1a9/0x230
[   54.992517]  ? __fdget+0x1b/0x20
[   54.995878]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[   55.001473]  __sys_sendmsg+0x105/0x1d0
[   55.005367]  ? __ia32_sys_shutdown+0x80/0x80
[   55.009785]  ? up_read+0x1a/0x110
[   55.013272]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[   55.018083]  ? do_syscall_64+0x26/0x620
[   55.022070]  ? entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   55.027432]  ? do_syscall_64+0x26/0x620
[   55.031520]  __x64_sys_sendmsg+0x78/0xb0
[   55.035705]  do_syscall_64+0xfd/0x620
[   55.039522]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   55.044714] RIP: 0033:0x4410b9
[   55.047896] Code: 18 89 d0 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 7b 10 fc ff c3 66 2e 0f 1f 84 00 00 00 00
[   55.066804] RSP: 002b:00007ffd1d397b08 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
[   55.074674] RAX: ffffffffffffffda RBX: 00000000004a28b0 RCX: 00000000004410b9
[   55.081979] RDX: 0000000000000000 RSI: 00000000200001c0 RDI: 0000000000000003
[   55.089257] RBP: 00000000006cc018 R08: 0000000120080522 R09: 0000000120080522
[   55.096942] R10: 0000000120080522 R11: 0000000000000246 R12: 00000000004025c0
[   55.104265] R13: 0000000000402650 R14: 0000000000000000 R15: 0000000000000000
[   55.111596] 
[   55.113262] Allocated by task 8162:
[   55.116935]  save_stack+0x45/0xd0
[   55.120407]  kasan_kmalloc+0xce/0xf0
[   55.124216]  __kmalloc_track_caller+0x159/0x750
[   55.128913]  kmemdup+0x27/0x60
[   55.132095]  em_nbyte_change+0xd6/0x150
[   55.136079]  tcf_em_tree_validate+0x9a9/0xf30
[   55.140664]  basic_change+0x126e/0x1370
[   55.144647]  tc_new_tfilter+0xc54/0x1790
[   55.148706]  rtnetlink_rcv_msg+0x463/0xb00
[   55.152958]  netlink_rcv_skb+0x17d/0x460
[   55.157017]  rtnetlink_rcv+0x1d/0x30
[   55.160747]  netlink_unicast+0x53a/0x730
[   55.164818]  netlink_sendmsg+0x8ae/0xd70
[   55.168878]  sock_sendmsg+0xd7/0x130
[   55.172679]  ___sys_sendmsg+0x803/0x920
[   55.176667]  __sys_sendmsg+0x105/0x1d0
[   55.180570]  __x64_sys_sendmsg+0x78/0xb0
[   55.184629]  do_syscall_64+0xfd/0x620
[   55.188463]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   55.193646] 
[   55.195286] Freed by task 5714:
[   55.198602]  save_stack+0x45/0xd0
[   55.202056]  __kasan_slab_free+0x102/0x150
[   55.206298]  kasan_slab_free+0xe/0x10
[   55.210097]  kfree+0xcf/0x220
[   55.213208]  vfs_getxattr+0x1fa/0x2a0
[   55.217013]  getxattr+0x110/0x2d0
[   55.220527]  path_getxattr+0xd1/0x170
[   55.224319]  __x64_sys_lgetxattr+0x9a/0xf0
[   55.228558]  do_syscall_64+0xfd/0x620
[   55.232353]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   55.237531] 
[   55.239196] The buggy address belongs to the object at ffff88809664f480
[   55.239196]  which belongs to the cache kmalloc-32 of size 32
[   55.251729] The buggy address is located 0 bytes inside of
[   55.251729]  32-byte region [ffff88809664f480, ffff88809664f4a0)
[   55.263348] The buggy address belongs to the page:
[   55.268270] page:ffffea00025993c0 count:1 mapcount:0 mapping:ffff88812c31c1c0 index:0xffff88809664ffc1
[   55.277715] flags: 0xfffe0000000100(slab)
[   55.281896] raw: 00fffe0000000100 ffffea00029852c8 ffff88812c314248 ffff88812c31c1c0
[   55.289784] raw: ffff88809664ffc1 ffff88809664f000 000000010000003f 0000000000000000
[   55.297739] page dumped because: kasan: bad access detected
[   55.303455] 
[   55.305090] Memory state around the buggy address:
[   55.310023]  ffff88809664f380: 00 00 01 fc fc fc fc fc fb fb fb fb fc fc fc fc
[   55.317474]  ffff88809664f400: fb fb fb fb fc fc fc fc fb fb fb fb fc fc fc fc
[   55.324846] >ffff88809664f480: 04 fc fc fc fc fc fc fc fb fb fb fb fc fc fc fc
[   55.332329]                    ^
[   55.335705]  ffff88809664f500: 00 00 00 00 fc fc fc fc fb fb fb fb fc fc fc fc
[   55.343072]  ffff88809664f580: 00 00 01 fc fc fc fc fc fb fb fb fb fc fc fc fc
[   55.350477] ==================================================================
[   55.357830] Disabling lock debugging due to kernel taint
[   55.364004] Kernel panic - not syncing: panic_on_warn set ...
[   55.364004] 
[   55.371390] CPU: 0 PID: 8162 Comm: syz-executor916 Tainted: G    B             4.19.99-syzkaller #0
[   55.380568] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   55.389962] Call Trace:
[   55.392593]  dump_stack+0x197/0x210
[   55.396263]  ? __nla_put_nohdr+0x46/0x50
[   55.400335]  panic+0x26a/0x50e
[   55.403520]  ? __warn_printk+0xf3/0xf3
[   55.407516]  ? __nla_put_nohdr+0x46/0x50
[   55.411614]  ? preempt_schedule+0x4b/0x60
[   55.415781]  ? ___preempt_schedule+0x16/0x18
[   55.420242]  ? trace_hardirqs_on+0x5e/0x220
[   55.424597]  ? __nla_put_nohdr+0x46/0x50
[   55.428708]  kasan_end_report+0x47/0x4f
[   55.432686]  kasan_report.cold+0xa9/0x2ba
[   55.436953]  check_memory_region+0x123/0x190
[   55.441365]  memcpy+0x24/0x50
[   55.444465]  __nla_put_nohdr+0x46/0x50
[   55.448360]  nla_put_nohdr+0xff/0x140
[   55.452164]  tcf_em_tree_dump+0x67e/0x960
[   55.456324]  ? tcf_em_lookup+0x150/0x150
[   55.460381]  ? memcpy+0x46/0x50
[   55.463653]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   55.469222]  ? tcf_exts_dump+0x12d/0x590
[   55.473287]  basic_dump+0x21e/0x4c0
[   55.477026]  ? basic_classify+0x2b0/0x2b0
[   55.481173]  ? __nla_put+0x37/0x40
[   55.484702]  ? nla_put+0x116/0x150
[   55.488232]  ? basic_classify+0x2b0/0x2b0
[   55.492419]  tcf_fill_node+0x574/0x950
[   55.496365]  ? tcf_chain_flush+0x340/0x340
[   55.500793]  ? skb_trim+0x190/0x190
[   55.504463]  ? basic_init+0x1f0/0x1f0
[   55.508270]  tfilter_notify+0x129/0x270
[   55.512252]  tc_new_tfilter+0xcc8/0x1790
[   55.516369]  ? tc_del_tfilter+0xe60/0xe60
[   55.520566]  ? rtnetlink_rcv_msg+0x40a/0xb00
[   55.525023]  ? mutex_trylock+0x1e0/0x1e0
[   55.529131]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[   55.534663]  ? tc_del_tfilter+0xe60/0xe60
[   55.538814]  rtnetlink_rcv_msg+0x463/0xb00
[   55.543070]  ? rtnetlink_put_metrics+0x560/0x560
[   55.547835]  ? netlink_deliver_tap+0x22d/0xc20
[   55.552466]  ? find_held_lock+0x35/0x130
[   55.556532]  netlink_rcv_skb+0x17d/0x460
[   55.560611]  ? rtnetlink_put_metrics+0x560/0x560
[   55.565397]  ? netlink_ack+0xb30/0xb30
[   55.569289]  ? kasan_check_read+0x11/0x20
[   55.573445]  ? netlink_deliver_tap+0x254/0xc20
[   55.578032]  rtnetlink_rcv+0x1d/0x30
[   55.581735]  netlink_unicast+0x53a/0x730
[   55.585807]  ? netlink_attachskb+0x770/0x770
[   55.590234]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   55.595802]  netlink_sendmsg+0x8ae/0xd70
[   55.599916]  ? netlink_unicast+0x730/0x730
[   55.604182]  ? selinux_socket_sendmsg+0x36/0x40
[   55.608852]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   55.614451]  ? security_socket_sendmsg+0x8d/0xc0
[   55.619298]  ? netlink_unicast+0x730/0x730
[   55.623620]  sock_sendmsg+0xd7/0x130
[   55.627388]  ___sys_sendmsg+0x803/0x920
[   55.631358]  ? copy_msghdr_from_user+0x430/0x430
[   55.636121]  ? __might_fault+0x12b/0x1e0
[   55.640193]  ? __might_fault+0x12b/0x1e0
[   55.644268]  ? lock_downgrade+0x880/0x880
[   55.648463]  ? kasan_check_read+0x11/0x20
[   55.652657]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   55.658218]  ? __fget_light+0x1a9/0x230
[   55.662241]  ? __fdget+0x1b/0x20
[   55.665612]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[   55.671155]  __sys_sendmsg+0x105/0x1d0
[   55.675102]  ? __ia32_sys_shutdown+0x80/0x80
[   55.679648]  ? up_read+0x1a/0x110
[   55.683098]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[   55.687895]  ? do_syscall_64+0x26/0x620
[   55.691976]  ? entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   55.701756]  ? do_syscall_64+0x26/0x620
[   55.705741]  __x64_sys_sendmsg+0x78/0xb0
[   55.709922]  do_syscall_64+0xfd/0x620
[   55.713721]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   55.718911] RIP: 0033:0x4410b9
[   55.722116] Code: 18 89 d0 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 7b 10 fc ff c3 66 2e 0f 1f 84 00 00 00 00
[   55.741026] RSP: 002b:00007ffd1d397b08 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
[   55.748817] RAX: ffffffffffffffda RBX: 00000000004a28b0 RCX: 00000000004410b9
[   55.756081] RDX: 0000000000000000 RSI: 00000000200001c0 RDI: 0000000000000003
[   55.763400] RBP: 00000000006cc018 R08: 0000000120080522 R09: 0000000120080522
[   55.770669] R10: 0000000120080522 R11: 0000000000000246 R12: 00000000004025c0
[   55.777937] R13: 0000000000402650 R14: 0000000000000000 R15: 0000000000000000
[   55.786674] Kernel Offset: disabled
[   55.790316] Rebooting in 86400 seconds..