[ 82.393168][ T27] audit: type=1400 audit(1583911784.498:37): avc: denied { watch } for pid=10698 comm="restorecond" path="/root/.ssh" dev="sda1" ino=16179 scontext=system_u:system_r:kernel_t:s0 tcontext=unconfined_u:object_r:ssh_home_t:s0 tclass=dir permissive=1
[ 82.428617][ T27] audit: type=1400 audit(1583911784.528:38): avc: denied { watch } for pid=10698 comm="restorecond" path="/etc/selinux/restorecond.conf" dev="sda1" ino=2232 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
[ ok ] Starting OpenBSD Secure Shell server: sshd.
[ ok ] Starting file context maintaining daemon: restorecond.
[ 82.665999][ T27] audit: type=1800 audit(1583911784.768:39): pid=10603 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:kernel_t:s0 op=collect_data cause=failed(directio) comm="startpar" name="rc.local" dev="sda1" ino=2432 res=0
[ 82.689152][ T27] audit: type=1800 audit(1583911784.778:40): pid=10603 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:kernel_t:s0 op=collect_data cause=failed(directio) comm="startpar" name="rmnologin" dev="sda1" ino=2423 res=0

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login:
[ 84.970006][ T27] audit: type=1400 audit(1583911787.078:41): avc: denied { map } for pid=10779 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
Warning: Permanently added '10.128.0.250' (ECDSA) to the list of known hosts.
[ 92.004675][ T27] audit: type=1400 audit(1583911794.108:42): avc: denied { map } for pid=10791 comm="syz-execprog" path="/root/syz-execprog" dev="sda1" ino=16481 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
2020/03/11 07:29:54 parsed 1 programs
[ 93.825049][ T27] audit: type=1400 audit(1583911795.928:43): avc: denied { integrity } for pid=10791 comm="syz-execprog" lockdown_reason="debugfs access" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=lockdown permissive=1
[ 93.851785][ T27] audit: type=1400 audit(1583911795.928:44): avc: denied { map } for pid=10791 comm="syz-execprog" path="/sys/kernel/debug/kcov" dev="debugfs" ino=91 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:debugfs_t:s0 tclass=file permissive=1
2020/03/11 07:29:56 executed programs: 0
[ 94.114078][T10808] IPVS: ftp: loaded support on port[0] = 21
[ 94.181096][T10808] chnl_net:caif_netlink_parms(): no params data found
[ 94.223100][T10808] bridge0: port 1(bridge_slave_0) entered blocking state
[ 94.230898][T10808] bridge0: port 1(bridge_slave_0) entered disabled state
[ 94.238891][T10808] device bridge_slave_0 entered promiscuous mode
[ 94.248764][T10808] bridge0: port 2(bridge_slave_1) entered blocking state
[ 94.255887][T10808] bridge0: port 2(bridge_slave_1) entered disabled state
[ 94.263913][T10808] device bridge_slave_1 entered promiscuous mode
[ 94.283961][T10808] bond0: (slave bond_slave_0): Enslaving as an active interface with an up link
[ 94.295702][T10808] bond0: (slave bond_slave_1): Enslaving as an active interface with an up link
[ 94.317011][T10808] team0: Port device team_slave_0 added
[ 94.324890][T10808] team0: Port device team_slave_1 added
[ 94.340549][T10808] batman_adv: batadv0: Adding interface: batadv_slave_0
[ 94.347602][T10808] batman_adv: batadv0: The MTU of interface batadv_slave_0 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem.
[ 94.373592][T10808] batman_adv: batadv0: Not using interface batadv_slave_0 (retrying later): interface not active
[ 94.386856][T10808] batman_adv: batadv0: Adding interface: batadv_slave_1
[ 94.393972][T10808] batman_adv: batadv0: The MTU of interface batadv_slave_1 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem.
[ 94.420412][T10808] batman_adv: batadv0: Not using interface batadv_slave_1 (retrying later): interface not active
[ 94.478920][T10808] device hsr_slave_0 entered promiscuous mode
[ 94.516674][T10808] device hsr_slave_1 entered promiscuous mode
[ 94.673227][ T27] audit: type=1400 audit(1583911796.778:45): avc: denied { create } for pid=10808 comm="syz-executor.0" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_generic_socket permissive=1
[ 94.700584][T10808] netdevsim netdevsim0 netdevsim0: renamed from eth0
[ 94.709019][ T27] audit: type=1400 audit(1583911796.808:46): avc: denied { write } for pid=10808 comm="syz-executor.0" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_generic_socket permissive=1
[ 94.733858][ T27] audit: type=1400 audit(1583911796.808:47): avc: denied { read } for pid=10808 comm="syz-executor.0" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_generic_socket permissive=1
[ 94.779917][T10808] netdevsim netdevsim0 netdevsim1: renamed from eth1
[ 94.840072][T10808] netdevsim netdevsim0 netdevsim2: renamed from eth2
[ 94.899338][T10808] netdevsim netdevsim0 netdevsim3: renamed from eth3
[ 94.955380][T10808] bridge0: port 2(bridge_slave_1) entered blocking state
[ 94.962614][T10808] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 94.970561][T10808] bridge0: port 1(bridge_slave_0) entered blocking state
[ 94.977695][T10808] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 95.035393][T10808] 8021q: adding VLAN 0 to HW filter on device bond0
[ 95.051397][ T12] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 95.065290][ T12] bridge0: port 1(bridge_slave_0) entered disabled state
[ 95.083618][ T12] bridge0: port 2(bridge_slave_1) entered disabled state
[ 95.092210][ T12] IPv6: ADDRCONF(NETDEV_CHANGE): bond0: link becomes ready
[ 95.105992][T10808] 8021q: adding VLAN 0 to HW filter on device team0
[ 95.118800][ T3547] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[ 95.128008][ T3547] bridge0: port 1(bridge_slave_0) entered blocking state
[ 95.135209][ T3547] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 95.157590][ T12] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[ 95.166013][ T12] bridge0: port 2(bridge_slave_1) entered blocking state
[ 95.173152][ T12] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 95.196676][ T3547] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_team: link becomes ready
[ 95.205520][ T3547] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready
[ 95.215252][ T3547] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_team: link becomes ready
[ 95.224528][ T3547] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready
[ 95.232947][ T3547] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_hsr: link becomes ready
[ 95.241854][ T3547] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
[ 95.250314][ T3547] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_hsr: link becomes ready
[ 95.258960][ T3547] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
[ 95.268321][ T3547] IPv6: ADDRCONF(NETDEV_CHANGE): team0: link becomes ready
[ 95.279380][T10808] IPv6: ADDRCONF(NETDEV_CHANGE): hsr0: link becomes ready
[ 95.309131][ T3547] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan1: link becomes ready
[ 95.318987][ T3547] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan0: link becomes ready
[ 95.333781][T10808] 8021q: adding VLAN 0 to HW filter on device batadv0
[ 95.357015][ T12] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_virt_wifi: link becomes ready
[ 95.365824][ T12] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_virt_wifi: link becomes ready
[ 95.387125][ T3547] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_vlan: link becomes ready
[ 95.395560][ T3547] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_vlan: link becomes ready
[ 95.408101][ T3547] IPv6: ADDRCONF(NETDEV_CHANGE): vlan0: link becomes ready
[ 95.415952][ T3547] IPv6: ADDRCONF(NETDEV_CHANGE): vlan1: link becomes ready
[ 95.425954][T10808] device veth0_vlan entered promiscuous mode
[ 95.439439][T10808] device veth1_vlan entered promiscuous mode
[ 95.465494][ T12] IPv6: ADDRCONF(NETDEV_CHANGE): macvlan0: link becomes ready
[ 95.473963][ T12] IPv6: ADDRCONF(NETDEV_CHANGE): macvlan1: link becomes ready
[ 95.482470][ T12] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_macvtap: link becomes ready
[ 95.491460][ T12] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_macvtap: link becomes ready
[ 95.503424][T10808] device veth0_macvtap entered promiscuous mode
[ 95.514373][T10808] device veth1_macvtap entered promiscuous mode
[ 95.535967][T10808] batman_adv: batadv0: Interface activated: batadv_slave_0
[ 95.543585][ T3547] IPv6: ADDRCONF(NETDEV_CHANGE): macvtap0: link becomes ready
[ 95.551948][ T3547] IPv6: ADDRCONF(NETDEV_CHANGE): macsec0: link becomes ready
[ 95.560351][ T3547] IPv6: ADDRCONF(NETDEV_CHANGE): batadv_slave_0: link becomes ready
[ 95.569557][ T3547] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_batadv: link becomes ready
[ 95.582538][T10808] batman_adv: batadv0: Interface activated: batadv_slave_1
[ 95.590296][ T12] IPv6: ADDRCONF(NETDEV_CHANGE): batadv_slave_1: link becomes ready
[ 95.600011][ T12] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_batadv: link becomes ready
[ 95.741558][ T27] audit: type=1400 audit(1583911797.848:48): avc: denied { associate } for pid=10808 comm="syz-executor.0" name="syz0" scontext=unconfined_u:object_r:unlabeled_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=filesystem permissive=1
[ 95.996230][T10835] ==================================================================
[ 96.004587][T10835] BUG: KASAN: use-after-free in __list_add_valid+0x93/0xa0
[ 96.011798][T10835] Read of size 8 at addr ffff888093d301e0 by task syz-executor.0/10835
[ 96.020056][T10835]
[ 96.022413][T10835] CPU: 1 PID: 10835 Comm: syz-executor.0 Not tainted 5.6.0-rc5-syzkaller #0
[ 96.031082][T10835] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 96.041135][T10835] Call Trace:
[ 96.044417][T10835] dump_stack+0x188/0x20d
[ 96.048731][T10835] ? __list_add_valid+0x93/0xa0
[ 96.053746][T10835] ? __list_add_valid+0x93/0xa0
[ 96.058584][T10835] print_address_description.constprop.0.cold+0xd3/0x315
[ 96.065603][T10835] ? __list_add_valid+0x93/0xa0
[ 96.070752][T10835] ? __list_add_valid+0x93/0xa0
[ 96.075605][T10835] __kasan_report.cold+0x1a/0x32
[ 96.080564][T10835] ? __list_add_valid+0x93/0xa0
[ 96.085408][T10835] kasan_report+0xe/0x20
[ 96.089650][T10835] __list_add_valid+0x93/0xa0
[ 96.094321][T10835] rdma_listen+0x681/0x910
[ 96.098729][T10835] ucma_listen+0x14d/0x1c0
[ 96.103174][T10835] ? ucma_notify+0x190/0x190
[ 96.107756][T10835] ? __might_fault+0x190/0x1d0
[ 96.112503][T10835] ? _copy_from_user+0x123/0x190
[ 96.117426][T10835] ? ucma_notify+0x190/0x190
[ 96.121998][T10835] ucma_write+0x285/0x350
[ 96.126315][T10835] ? ucma_open+0x270/0x270
[ 96.130719][T10835] ? security_file_permission+0x8a/0x370
[ 96.136338][T10835] ? ucma_open+0x270/0x270
[ 96.140747][T10835] __vfs_write+0x76/0x100
[ 96.145062][T10835] vfs_write+0x262/0x5c0
[ 96.149303][T10835] ksys_write+0x1e8/0x250
[ 96.153613][T10835] ? __ia32_sys_read+0xb0/0xb0
[ 96.158355][T10835] ? __ia32_sys_clock_settime+0x260/0x260
[ 96.164057][T10835] ? trace_hardirqs_off_caller+0x55/0x230
[ 96.169774][T10835] do_syscall_64+0xf6/0x7d0
[ 96.174270][T10835] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 96.180246][T10835] RIP: 0033:0x45c4a9
[ 96.184125][T10835] Code: ad b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 7b b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00
[ 96.203722][T10835] RSP: 002b:00007f4f30d2ac78 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
[ 96.212120][T10835] RAX: ffffffffffffffda RBX: 00007f4f30d2b6d4 RCX: 000000000045c4a9
[ 96.220079][T10835] RDX: 0000000000000010 RSI: 0000000020000040 RDI: 0000000000000003
[ 96.228057][T10835] RBP: 000000000076bf20 R08: 0000000000000000 R09: 0000000000000000
[ 96.236029][T10835] R10: 0000000000000000 R11: 0000000000000246 R12: 00000000ffffffff
[ 96.243992][T10835] R13: 0000000000000cbe R14: 00000000004cea80 R15: 000000000076bf2c
[ 96.252094][T10835]
[ 96.254410][T10835] Allocated by task 10829:
[ 96.258936][T10835] save_stack+0x1b/0x80
[ 96.263090][T10835] __kasan_kmalloc.constprop.0+0xbf/0xd0
[ 96.268722][T10835] kmem_cache_alloc_trace+0x153/0x7d0
[ 96.274129][T10835] __rdma_create_id+0x5b/0x850
[ 96.278911][T10835] ucma_create_id+0x1cb/0x580
[ 96.283620][T10835] ucma_write+0x285/0x350
[ 96.287940][T10835] __vfs_write+0x76/0x100
[ 96.292252][T10835] vfs_write+0x262/0x5c0
[ 96.296477][T10835] ksys_write+0x1e8/0x250
[ 96.300802][T10835] do_syscall_64+0xf6/0x7d0
[ 96.305289][T10835] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 96.311181][T10835]
[ 96.313506][T10835] Freed by task 10829:
[ 96.317562][T10835] save_stack+0x1b/0x80
[ 96.321725][T10835] __kasan_slab_free+0xf7/0x140
[ 96.326563][T10835] kfree+0x109/0x2b0
[ 96.330446][T10835] ucma_close+0x10b/0x300
[ 96.334768][T10835] __fput+0x2da/0x850
[ 96.338737][T10835] task_work_run+0x13f/0x1b0
[ 96.343320][T10835] exit_to_usermode_loop+0x2fa/0x360
[ 96.348591][T10835] do_syscall_64+0x6b1/0x7d0
[ 96.353180][T10835] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 96.359056][T10835]
[ 96.361370][T10835] The buggy address belongs to the object at ffff888093d30000
[ 96.361370][T10835] which belongs to the cache kmalloc-2k of size 2048
[ 96.375412][T10835] The buggy address is located 480 bytes inside of
[ 96.375412][T10835] 2048-byte region [ffff888093d30000, ffff888093d30800)
[ 96.388766][T10835] The buggy address belongs to the page:
[ 96.394383][T10835] page:ffffea00024f4c00 refcount:1 mapcount:0 mapping:ffff8880aa000e00 index:0x0
[ 96.403477][T10835] flags: 0xfffe0000000200(slab)
[ 96.408332][T10835] raw: 00fffe0000000200 ffffea0002837e88 ffffea000247cec8 ffff8880aa000e00
[ 96.416905][T10835] raw: 0000000000000000 ffff888093d30000 0000000100000001 0000000000000000
[ 96.426168][T10835] page dumped because: kasan: bad access detected
[ 96.432566][T10835]
[ 96.434919][T10835] Memory state around the buggy address:
[ 96.440532][T10835]  ffff888093d30080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 96.448611][T10835]  ffff888093d30100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 96.456677][T10835] >ffff888093d30180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 96.464748][T10835]                                                        ^
[ 96.471928][T10835]  ffff888093d30200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 96.479969][T10835]  ffff888093d30280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 96.488006][T10835] ==================================================================
[ 96.496054][T10835] Disabling lock debugging due to kernel taint
[ 96.510087][T10835] Kernel panic - not syncing: panic_on_warn set ...
[ 96.516719][T10835] CPU: 1 PID: 10835 Comm: syz-executor.0 Tainted: G B 5.6.0-rc5-syzkaller #0
[ 96.526783][T10835] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 96.536821][T10835] Call Trace:
[ 96.540129][T10835] dump_stack+0x188/0x20d
[ 96.544469][T10835] panic+0x2e3/0x75c
[ 96.548385][T10835] ? add_taint.cold+0x16/0x16
[ 96.553063][T10835] ? preempt_schedule_common+0x5e/0xc0
[ 96.558505][T10835] ? __list_add_valid+0x93/0xa0
[ 96.564208][T10835] ? ___preempt_schedule+0x16/0x18
[ 96.569302][T10835] ? trace_hardirqs_on+0x55/0x220
[ 96.574314][T10835] ? __list_add_valid+0x93/0xa0
[ 96.579156][T10835] end_report+0x43/0x49
[ 96.583298][T10835] ? __list_add_valid+0x93/0xa0
[ 96.588125][T10835] __kasan_report.cold+0xd/0x32
[ 96.592957][T10835] ? __list_add_valid+0x93/0xa0
[ 96.597804][T10835] kasan_report+0xe/0x20
[ 96.602032][T10835] __list_add_valid+0x93/0xa0
[ 96.606691][T10835] rdma_listen+0x681/0x910
[ 96.611090][T10835] ucma_listen+0x14d/0x1c0
[ 96.615485][T10835] ? ucma_notify+0x190/0x190
[ 96.620054][T10835] ? __might_fault+0x190/0x1d0
[ 96.624798][T10835] ? _copy_from_user+0x123/0x190
[ 96.629731][T10835] ? ucma_notify+0x190/0x190
[ 96.634307][T10835] ucma_write+0x285/0x350
[ 96.638638][T10835] ? ucma_open+0x270/0x270
[ 96.643046][T10835] ? security_file_permission+0x8a/0x370
[ 96.648674][T10835] ? ucma_open+0x270/0x270
[ 96.653118][T10835] __vfs_write+0x76/0x100
[ 96.657476][T10835] vfs_write+0x262/0x5c0
[ 96.661705][T10835] ksys_write+0x1e8/0x250
[ 96.666016][T10835] ? __ia32_sys_read+0xb0/0xb0
[ 96.670781][T10835] ? __ia32_sys_clock_settime+0x260/0x260
[ 96.676485][T10835] ? trace_hardirqs_off_caller+0x55/0x230
[ 96.682190][T10835] do_syscall_64+0xf6/0x7d0
[ 96.686683][T10835] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 96.692562][T10835] RIP: 0033:0x45c4a9
[ 96.696436][T10835] Code: ad b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 7b b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00
[ 96.716217][T10835] RSP: 002b:00007f4f30d2ac78 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
[ 96.724625][T10835] RAX: ffffffffffffffda RBX: 00007f4f30d2b6d4 RCX: 000000000045c4a9
[ 96.732604][T10835] RDX: 0000000000000010 RSI: 0000000020000040 RDI: 0000000000000003
[ 96.740564][T10835] RBP: 000000000076bf20 R08: 0000000000000000 R09: 0000000000000000
[ 96.748526][T10835] R10: 0000000000000000 R11: 0000000000000246 R12: 00000000ffffffff
[ 96.756588][T10835] R13: 0000000000000cbe R14: 00000000004cea80 R15: 000000000076bf2c
[ 96.765781][T10835] Kernel Offset: disabled
[ 96.770130][T10835] Rebooting in 86400 seconds..