[ 45.582337] audit: type=1800 audit(1583984970.313:29): pid=7986 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:kernel_t:s0 op=collect_data cause=failed(directio) comm="startpar" name="cron" dev="sda1" ino=2447 res=0
[ 45.620717] audit: type=1800 audit(1583984970.313:30): pid=7986 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:kernel_t:s0 op=collect_data cause=failed(directio) comm="startpar" name="mcstrans" dev="sda1" ino=2490 res=0
[ ok ] Starting periodic command scheduler: cron.
Starting mcstransd:
[ ok ] Starting OpenBSD Secure Shell server: sshd.
[ ok ] Starting file context maintaining daemon: restorecond.

Debian GNU/Linux 7 syzkaller ttyS0

Warning: Permanently added '10.128.0.64' (ECDSA) to the list of known hosts.

syzkaller login: [ 53.675872] kauditd_printk_skb: 5 callbacks suppressed
[ 53.675886] audit: type=1400 audit(1583984978.403:36): avc: denied { map } for pid=8173 comm="syz-executor469" path="/root/syz-executor469032233" dev="sda1" ino=16483 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
[ 53.692407] IPVS: ftp: loaded support on port[0] = 21
executing program
[ 53.737748] audit: type=1400 audit(1583984978.463:37): avc: denied { create } for pid=8174 comm="syz-executor469" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_generic_socket permissive=1
[ 53.761915] audit: type=1400 audit(1583984978.463:38): avc: denied { write } for pid=8174 comm="syz-executor469" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_generic_socket permissive=1
[ 53.765267] ==================================================================
[ 53.785959] audit: type=1400 audit(1583984978.463:39): avc: denied { read } for pid=8174 comm="syz-executor469" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_generic_socket permissive=1
[ 53.793338] BUG: KASAN: use-after-free in tcindex_set_parms+0x17d0/0x19d0
[ 53.793350] Write of size 16 at addr ffff8880a7b8cb30 by task syz-executor469/8174
[ 53.793353]
[ 53.793367] CPU: 0 PID: 8174 Comm: syz-executor469 Not tainted 4.19.109-syzkaller #0
[ 53.793374] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 53.793384] Call Trace:
[ 53.853190]  dump_stack+0x188/0x20d
[ 53.856807]  ? tcindex_set_parms+0x17d0/0x19d0
[ 53.861378]  print_address_description.cold+0x7c/0x212
[ 53.866652]  ? tcindex_set_parms+0x17d0/0x19d0
[ 53.871227]  kasan_report.cold+0x88/0x2b9
[ 53.875380]  tcindex_set_parms+0x17d0/0x19d0
[ 53.879803]  ? avc_has_perm_noaudit+0x316/0x520
[ 53.884464]  ? tcindex_alloc_perfect_hash+0x350/0x350
[ 53.889663]  ? __sanitizer_cov_trace_switch+0x45/0x70
[ 53.894840]  ? validate_nla+0x328/0x800
[ 53.898836]  ? tcindex_change+0x200/0x2d3
[ 53.902971]  tcindex_change+0x200/0x2d3
[ 53.906933]  ? tcindex_set_parms+0x19d0/0x19d0
[ 53.911511]  ? tcindex_set_parms+0x19d0/0x19d0
[ 53.916096]  tc_new_tfilter+0xa6b/0x1450
[ 53.920159]  ? tc_del_tfilter+0xd40/0xd40
[ 53.924304]  ? __mutex_lock+0x3cd/0x1300
[ 53.928356]  ? selinux_ipv4_output+0x50/0x50
[ 53.932769]  ? rtnetlink_rcv_msg+0x3fe/0xaf0
[ 53.937203]  ? tc_del_tfilter+0xd40/0xd40
[ 53.941349]  rtnetlink_rcv_msg+0x453/0xaf0
[ 53.945589]  ? rtnetlink_put_metrics+0x520/0x520
[ 53.950343]  ? find_held_lock+0x2d/0x110
[ 53.954407]  netlink_rcv_skb+0x160/0x410
[ 53.958463]  ? rtnetlink_put_metrics+0x520/0x520
[ 53.963222]  ? netlink_ack+0xa60/0xa60
[ 53.967101]  netlink_unicast+0x4d7/0x6a0
[ 53.971157]  ? netlink_attachskb+0x710/0x710
[ 53.975557]  netlink_sendmsg+0x80b/0xcd0
[ 53.979621]  ? netlink_unicast+0x6a0/0x6a0
[ 53.983851]  ? move_addr_to_kernel.part.0+0x110/0x110
[ 53.989032]  ? netlink_unicast+0x6a0/0x6a0
[ 53.993292]  sock_sendmsg+0xcf/0x120
[ 53.996993]  ___sys_sendmsg+0x803/0x920
[ 54.000952]  ? copy_msghdr_from_user+0x410/0x410
[ 54.005703]  ? find_held_lock+0x2d/0x110
[ 54.009785]  ? __might_fault+0x11f/0x1d0
[ 54.013837]  ? lock_downgrade+0x740/0x740
[ 54.017984]  ? __might_fault+0x192/0x1d0
[ 54.022032]  ? _copy_to_user+0xb8/0x100
[ 54.025990]  ? move_addr_to_user+0xa8/0x1e0
[ 54.030293]  ? __fget_light+0x1a2/0x230
[ 54.034257]  __sys_sendmsg+0xec/0x1b0
[ 54.038042]  ? __ia32_sys_shutdown+0x70/0x70
[ 54.042456]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 54.047204]  ? trace_hardirqs_off_caller+0x55/0x210
[ 54.052206]  ? do_syscall_64+0x21/0x620
[ 54.056175]  do_syscall_64+0xf9/0x620
[ 54.059966]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 54.065179] RIP: 0033:0x442799
[ 54.068355] Code: 18 89 d0 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 5b 10 fc ff c3 66 2e 0f 1f 84 00 00 00 00
[ 54.087244] RSP: 002b:00007ffee099d978 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
[ 54.094944] RAX: ffffffffffffffda RBX: 00007ffee099d9b0 RCX: 0000000000442799
[ 54.102203] RDX: 0000000000000000 RSI: 00000000200001c0 RDI: 0000000000000003
[ 54.109469] RBP: 0000000000000003 R08: 0000000000020003 R09: 0000000000020003
[ 54.116727] R10: 0000000000020003 R11: 0000000000000246 R12: 0000000000000003
[ 54.125573] R13: 0000000000000004 R14: 00007ffee099da60 R15: 0000000000000000
[ 54.132839]
[ 54.134462] Allocated by task 1:
[ 54.137843]  kasan_kmalloc+0xbf/0xe0
[ 54.141546]  kmem_cache_alloc_trace+0x14d/0x7a0
[ 54.146201]  call_usermodehelper_setup+0x77/0x2f0
[ 54.151028]  kobject_uevent_env+0xc92/0x1160
[ 54.155420]  tty_register_device_attr+0x46e/0x6f0
[ 54.160243]  tty_register_driver+0x42d/0x800
[ 54.164648]  vty_init+0x3ac/0x3e7
[ 54.168079]  tty_init+0x187/0x18b
[ 54.171516]  chr_dev_init+0x141/0x151
[ 54.175296]  do_one_initcall+0xf1/0x734
[ 54.179259]  kernel_init_freeable+0x4c9/0x5bb
[ 54.183737]  kernel_init+0xd/0x1c0
[ 54.187257]  ret_from_fork+0x24/0x30
[ 54.190945]
[ 54.192560] Freed by task 1310:
[ 54.195856]  __kasan_slab_free+0xf7/0x140
[ 54.200018]  kfree+0xce/0x220
[ 54.203122]  umh_complete+0x81/0x90
[ 54.206735]  call_usermodehelper_exec_async+0x542/0x630
[ 54.212089]  ret_from_fork+0x24/0x30
[ 54.215786]
[ 54.217398] The buggy address belongs to the object at ffff8880a7b8cb00
[ 54.217398]  which belongs to the cache kmalloc-192 of size 192
[ 54.230046] The buggy address is located 48 bytes inside of
[ 54.230046]  192-byte region [ffff8880a7b8cb00, ffff8880a7b8cbc0)
[ 54.241821] The buggy address belongs to the page:
[ 54.246733] page:ffffea00029ee300 count:1 mapcount:0 mapping:ffff88812c3dc040 index:0x0
[ 54.254858] flags: 0xfffe0000000100(slab)
[ 54.258989] raw: 00fffe0000000100 ffffea000296e148 ffffea0002975448 ffff88812c3dc040
[ 54.266858] raw: 0000000000000000 ffff8880a7b8c000 0000000100000010 0000000000000000
[ 54.274725] page dumped because: kasan: bad access detected
[ 54.280420]
[ 54.282042] Memory state around the buggy address:
[ 54.286947]  ffff8880a7b8ca00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 54.294298]  ffff8880a7b8ca80: 00 fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 54.301662] >ffff8880a7b8cb00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 54.309041]                                      ^
[ 54.313957]  ffff8880a7b8cb80: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 54.321300]  ffff8880a7b8cc00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 54.328636] ==================================================================
[ 54.335989] Disabling lock debugging due to kernel taint
[ 54.342072] Kernel panic - not syncing: panic_on_warn set ...
[ 54.342072]
[ 54.349454] CPU: 0 PID: 8174 Comm: syz-executor469 Tainted: G B 4.19.109-syzkaller #0
[ 54.358713] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 54.368052] Call Trace:
[ 54.370640]  dump_stack+0x188/0x20d
[ 54.374267]  panic+0x26a/0x50e
[ 54.377449]  ? __warn_printk+0xf3/0xf3
[ 54.381361]  ? preempt_schedule_common+0x4a/0xc0
[ 54.386137]  ? tcindex_set_parms+0x17d0/0x19d0
[ 54.390745]  ? ___preempt_schedule+0x16/0x18
[ 54.395142]  ? trace_hardirqs_on+0x55/0x210
[ 54.399449]  ? tcindex_set_parms+0x17d0/0x19d0
[ 54.404025]  kasan_end_report+0x43/0x49
[ 54.408071]  kasan_report.cold+0xa4/0x2b9
[ 54.412205]  tcindex_set_parms+0x17d0/0x19d0
[ 54.416596]  ? avc_has_perm_noaudit+0x316/0x520
[ 54.421252]  ? tcindex_alloc_perfect_hash+0x350/0x350
[ 54.426427]  ? __sanitizer_cov_trace_switch+0x45/0x70
[ 54.431601]  ? validate_nla+0x328/0x800
[ 54.435561]  ? tcindex_change+0x200/0x2d3
[ 54.439690]  tcindex_change+0x200/0x2d3
[ 54.443650]  ? tcindex_set_parms+0x19d0/0x19d0
[ 54.448256]  ? tcindex_set_parms+0x19d0/0x19d0
[ 54.452821]  tc_new_tfilter+0xa6b/0x1450
[ 54.456877]  ? tc_del_tfilter+0xd40/0xd40
[ 54.461010]  ? __mutex_lock+0x3cd/0x1300
[ 54.465054]  ? selinux_ipv4_output+0x50/0x50
[ 54.469440]  ? rtnetlink_rcv_msg+0x3fe/0xaf0
[ 54.473838]  ? tc_del_tfilter+0xd40/0xd40
[ 54.477977]  rtnetlink_rcv_msg+0x453/0xaf0
[ 54.482214]  ? rtnetlink_put_metrics+0x520/0x520
[ 54.486955]  ? find_held_lock+0x2d/0x110
[ 54.491000]  netlink_rcv_skb+0x160/0x410
[ 54.495047]  ? rtnetlink_put_metrics+0x520/0x520
[ 54.499784]  ? netlink_ack+0xa60/0xa60
[ 54.503667]  netlink_unicast+0x4d7/0x6a0
[ 54.507713]  ? netlink_attachskb+0x710/0x710
[ 54.512107]  netlink_sendmsg+0x80b/0xcd0
[ 54.516161]  ? netlink_unicast+0x6a0/0x6a0
[ 54.520380]  ? move_addr_to_kernel.part.0+0x110/0x110
[ 54.525566]  ? netlink_unicast+0x6a0/0x6a0
[ 54.529791]  sock_sendmsg+0xcf/0x120
[ 54.533511]  ___sys_sendmsg+0x803/0x920
[ 54.537467]  ? copy_msghdr_from_user+0x410/0x410
[ 54.542214]  ? find_held_lock+0x2d/0x110
[ 54.546256]  ? __might_fault+0x11f/0x1d0
[ 54.550300]  ? lock_downgrade+0x740/0x740
[ 54.554433]  ? __might_fault+0x192/0x1d0
[ 54.558483]  ? _copy_to_user+0xb8/0x100
[ 54.562443]  ? move_addr_to_user+0xa8/0x1e0
[ 54.566747]  ? __fget_light+0x1a2/0x230
[ 54.570705]  __sys_sendmsg+0xec/0x1b0
[ 54.574492]  ? __ia32_sys_shutdown+0x70/0x70
[ 54.578882]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 54.583617]  ? trace_hardirqs_off_caller+0x55/0x210
[ 54.588624]  ? do_syscall_64+0x21/0x620
[ 54.592586]  do_syscall_64+0xf9/0x620
[ 54.596370]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 54.601540] RIP: 0033:0x442799
[ 54.604716] Code: 18 89 d0 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 5b 10 fc ff c3 66 2e 0f 1f 84 00 00 00 00
[ 54.623602] RSP: 002b:00007ffee099d978 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
[ 54.631383] RAX: ffffffffffffffda RBX: 00007ffee099d9b0 RCX: 0000000000442799
[ 54.638631] RDX: 0000000000000000 RSI: 00000000200001c0 RDI: 0000000000000003
[ 54.645884] RBP: 0000000000000003 R08: 0000000000020003 R09: 0000000000020003
[ 54.653141] R10: 0000000000020003 R11: 0000000000000246 R12: 0000000000000003
[ 54.660395] R13: 0000000000000004 R14: 00007ffee099da60 R15: 0000000000000000
[ 54.668909] Kernel Offset: disabled
[ 54.672533] Rebooting in 86400 seconds..