[ 83.131532][ T26] audit: type=1400 audit(1575994890.565:37): avc: denied { watch } for pid=9758 comm="restorecond" path="/root/.ssh" dev="sda1" ino=16179 scontext=system_u:system_r:kernel_t:s0 tcontext=unconfined_u:object_r:ssh_home_t:s0 tclass=dir permissive=1
[ 83.185584][ T26] audit: type=1400 audit(1575994890.605:38): avc: denied { watch } for pid=9758 comm="restorecond" path="/etc/selinux/restorecond.conf" dev="sda1" ino=2232 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
[ ok ] Starting file context maintaining daemon: restorecond.
[ ok ] Starting OpenBSD Secure Shell server: sshd.
[ 83.490497][ T26] audit: type=1800 audit(1575994890.925:39): pid=9670 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:kernel_t:s0 op=collect_data cause=failed(directio) comm="startpar" name="rc.local" dev="sda1" ino=2432 res=0
[ 83.512246][ T26] audit: type=1800 audit(1575994890.925:40): pid=9670 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:kernel_t:s0 op=collect_data cause=failed(directio) comm="startpar" name="rmnologin" dev="sda1" ino=2423 res=0

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [ 84.770861][ T26] audit: type=1400 audit(1575994892.205:41): avc: denied { map } for pid=9848 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
Warning: Permanently added '10.128.0.24' (ECDSA) to the list of known hosts.
executing program
executing program
executing program
executing program
executing program
executing program
[ 91.511086][ T26] audit: type=1400 audit(1575994898.945:42): avc: denied { map } for pid=9860 comm="syz-executor965" path="/root/syz-executor965965818" dev="sda1" ino=16484 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
[ 91.563977][ T9868] ==================================================================
[ 91.572237][ T9868] BUG: KASAN: use-after-free in try_to_grab_pending+0x115/0x910
[ 91.579878][ T9868] Write of size 8 at addr ffff88809a647008 by task syz-executor965/9868
[ 91.588192][ T9868]
[ 91.590525][ T9868] CPU: 1 PID: 9868 Comm: syz-executor965 Not tainted 5.5.0-rc1-syzkaller #0
[ 91.599306][ T9868] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 91.609372][ T9868] Call Trace:
[ 91.612682][ T9868]  dump_stack+0x197/0x210
[ 91.617026][ T9868]  ? try_to_grab_pending+0x115/0x910
[ 91.622330][ T9868]  print_address_description.constprop.0.cold+0xd4/0x30b
[ 91.629360][ T9868]  ? try_to_grab_pending+0x115/0x910
[ 91.634656][ T9868]  ? try_to_grab_pending+0x115/0x910
[ 91.639952][ T9868]  __kasan_report.cold+0x1b/0x41
[ 91.644914][ T9868]  ? try_to_grab_pending+0x115/0x910
[ 91.650231][ T9868]  kasan_report+0x12/0x20
[ 91.654572][ T9868]  check_memory_region+0x134/0x1a0
[ 91.659690][ T9868]  __kasan_check_write+0x14/0x20
[ 91.664777][ T9868]  try_to_grab_pending+0x115/0x910
[ 91.669898][ T9868]  ? __kasan_check_read+0x11/0x20
[ 91.674937][ T9868]  __cancel_work_timer+0xc4/0x540
[ 91.679973][ T9868]  ? mod_delayed_work_on+0x200/0x200
[ 91.685280][ T9868]  ? get_work_pool+0x1b0/0x1b0
[ 91.690063][ T9868]  cancel_work_sync+0x18/0x20
[ 91.694754][ T9868]  tty_buffer_cancel_work+0x16/0x20
[ 91.700013][ T9868]  release_tty+0x261/0x470
[ 91.704523][ T9868]  tty_release_struct+0x3c/0x50
[ 91.709526][ T9868]  tty_release+0xbcb/0xe90
[ 91.714166][ T9868]  __fput+0x2ff/0x890
[ 91.718161][ T9868]  ? do_tty_hangup+0x30/0x30
[ 91.722925][ T9868]  ____fput+0x16/0x20
[ 91.726918][ T9868]  task_work_run+0x145/0x1c0
[ 91.731680][ T9868]  do_exit+0x8e7/0x2ef0
[ 91.735963][ T9868]  ? mm_update_next_owner+0x7c0/0x7c0
[ 91.741347][ T9868]  ? down_read_non_owner+0x490/0x490
[ 91.746640][ T9868]  ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20
[ 91.752888][ T9868]  ? handle_mm_fault+0x4ab/0xa50
[ 91.757833][ T9868]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 91.763292][ T9868]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 91.768951][ T9868]  do_group_exit+0x135/0x360
[ 91.773554][ T9868]  __x64_sys_exit_group+0x44/0x50
[ 91.778587][ T9868]  do_syscall_64+0xfa/0x790
[ 91.783098][ T9868]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 91.788989][ T9868] RIP: 0033:0x43ff38
[ 91.792891][ T9868] Code: Bad RIP value.
[ 91.796951][ T9868] RSP: 002b:00007fff5f9666f8 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
[ 91.805368][ T9868] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 000000000043ff38
[ 91.813335][ T9868] RDX: 0000000000000000 RSI: 000000000000003c RDI: 0000000000000000
[ 91.821478][ T9868] RBP: 00000000004bf950 R08: 00000000000000e7 R09: ffffffffffffffd0
[ 91.829440][ T9868] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000001
[ 91.837547][ T9868] R13: 00000000006d2180 R14: 0000000000000000 R15: 0000000000000000
[ 91.845533][ T9868]
[ 91.847855][ T9868] Allocated by task 9868:
[ 91.852183][ T9868]  save_stack+0x23/0x90
[ 91.856327][ T9868]  __kasan_kmalloc.constprop.0+0xcf/0xe0
[ 91.861945][ T9868]  kasan_kmalloc+0x9/0x10
[ 91.866259][ T9868]  kmem_cache_alloc_trace+0x158/0x790
[ 91.871799][ T9868]  vc_allocate+0x1fc/0x760
[ 91.876228][ T9868]  con_install+0x52/0x410
[ 91.880551][ T9868]  tty_init_dev+0xf9/0x470
[ 91.885135][ T9868]  tty_open+0x4a5/0xbb0
[ 91.889291][ T9868]  chrdev_open+0x245/0x6b0
[ 91.893699][ T9868]  do_dentry_open+0x4e6/0x1380
[ 91.898448][ T9868]  vfs_open+0xa0/0xd0
[ 91.902424][ T9868]  path_openat+0x10df/0x4500
[ 91.907002][ T9868]  do_filp_open+0x1a1/0x280
[ 91.911495][ T9868]  do_sys_open+0x3fe/0x5d0
[ 91.915896][ T9868]  __x64_sys_open+0x7e/0xc0
[ 91.920392][ T9868]  do_syscall_64+0xfa/0x790
[ 91.925929][ T9868]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 91.931806][ T9868]
[ 91.934140][ T9868] Freed by task 9867:
[ 91.938110][ T9868]  save_stack+0x23/0x90
[ 91.942253][ T9868]  __kasan_slab_free+0x102/0x150
[ 91.947283][ T9868]  kasan_slab_free+0xe/0x10
[ 91.951770][ T9868]  kfree+0x10a/0x2c0
[ 91.955784][ T9868]  vt_disallocate_all+0x2bd/0x3e0
[ 91.960820][ T9868]  vt_ioctl+0xc38/0x26d0
[ 91.965052][ T9868]  tty_ioctl+0xa37/0x14f0
[ 91.969409][ T9868]  do_vfs_ioctl+0x977/0x14e0
[ 91.973986][ T9868]  ksys_ioctl+0xab/0xd0
[ 91.978123][ T9868]  __x64_sys_ioctl+0x73/0xb0
[ 91.982699][ T9868]  do_syscall_64+0xfa/0x790
[ 91.987189][ T9868]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 91.993064][ T9868]
[ 91.995391][ T9868] The buggy address belongs to the object at ffff88809a647000
[ 91.995391][ T9868]  which belongs to the cache kmalloc-2k of size 2048
[ 92.009638][ T9868] The buggy address is located 8 bytes inside of
[ 92.009638][ T9868]  2048-byte region [ffff88809a647000, ffff88809a647800)
[ 92.022816][ T9868] The buggy address belongs to the page:
[ 92.028459][ T9868] page:ffffea00026991c0 refcount:1 mapcount:0 mapping:ffff8880aa400e00 index:0x0
[ 92.037565][ T9868] raw: 00fffe0000000200 ffffea0002688188 ffffea00029b4448 ffff8880aa400e00
[ 92.046145][ T9868] raw: 0000000000000000 ffff88809a647000 0000000100000001 0000000000000000
[ 92.054709][ T9868] page dumped because: kasan: bad access detected
[ 92.061109][ T9868]
[ 92.063416][ T9868] Memory state around the buggy address:
[ 92.069032][ T9868]  ffff88809a646f00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 92.077221][ T9868]  ffff88809a646f80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 92.085271][ T9868] >ffff88809a647000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 92.093310][ T9868]  ^
[ 92.097625][ T9868]  ffff88809a647080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 92.105843][ T9868]  ffff88809a647100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 92.113884][ T9868] ==================================================================
[ 92.121926][ T9868] Disabling lock debugging due to kernel taint
[ 92.128142][ T9868] Kernel panic - not syncing: panic_on_warn set ...
[ 92.134715][ T9868] CPU: 1 PID: 9868 Comm: syz-executor965 Tainted: G    B   5.5.0-rc1-syzkaller #0
[ 92.144757][ T9868] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 92.154792][ T9868] Call Trace:
[ 92.158073][ T9868]  dump_stack+0x197/0x210
[ 92.162393][ T9868]  panic+0x2e3/0x75c
[ 92.166288][ T9868]  ? add_taint.cold+0x16/0x16
[ 92.170965][ T9868]  ? try_to_grab_pending+0x115/0x910
[ 92.176763][ T9868]  ? trace_hardirqs_off+0x62/0x240
[ 92.181858][ T9868]  ? trace_hardirqs_off+0x59/0x240
[ 92.186954][ T9868]  ? try_to_grab_pending+0x115/0x910
[ 92.192223][ T9868]  end_report+0x47/0x4f
[ 92.196361][ T9868]  ? try_to_grab_pending+0x115/0x910
[ 92.201640][ T9868]  __kasan_report.cold+0xe/0x41
[ 92.206487][ T9868]  ? try_to_grab_pending+0x115/0x910
[ 92.211755][ T9868]  kasan_report+0x12/0x20
[ 92.216090][ T9868]  check_memory_region+0x134/0x1a0
[ 92.221187][ T9868]  __kasan_check_write+0x14/0x20
[ 92.226106][ T9868]  try_to_grab_pending+0x115/0x910
[ 92.231200][ T9868]  ? __kasan_check_read+0x11/0x20
[ 92.236209][ T9868]  __cancel_work_timer+0xc4/0x540
[ 92.241228][ T9868]  ? mod_delayed_work_on+0x200/0x200
[ 92.246505][ T9868]  ? get_work_pool+0x1b0/0x1b0
[ 92.251266][ T9868]  cancel_work_sync+0x18/0x20
[ 92.255933][ T9868]  tty_buffer_cancel_work+0x16/0x20
[ 92.261116][ T9868]  release_tty+0x261/0x470
[ 92.265526][ T9868]  tty_release_struct+0x3c/0x50
[ 92.270363][ T9868]  tty_release+0xbcb/0xe90
[ 92.274766][ T9868]  __fput+0x2ff/0x890
[ 92.278759][ T9868]  ? do_tty_hangup+0x30/0x30
[ 92.283345][ T9868]  ____fput+0x16/0x20
[ 92.287313][ T9868]  task_work_run+0x145/0x1c0
[ 92.291905][ T9868]  do_exit+0x8e7/0x2ef0
[ 92.296059][ T9868]  ? mm_update_next_owner+0x7c0/0x7c0
[ 92.301450][ T9868]  ? down_read_non_owner+0x490/0x490
[ 92.306721][ T9868]  ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20
[ 92.312952][ T9868]  ? handle_mm_fault+0x4ab/0xa50
[ 92.317875][ T9868]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 92.323314][ T9868]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 92.328760][ T9868]  do_group_exit+0x135/0x360
[ 92.333336][ T9868]  __x64_sys_exit_group+0x44/0x50
[ 92.338344][ T9868]  do_syscall_64+0xfa/0x790
[ 92.342854][ T9868]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 92.348732][ T9868] RIP: 0033:0x43ff38
[ 92.352637][ T9868] Code: Bad RIP value.
[ 92.356695][ T9868] RSP: 002b:00007fff5f9666f8 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
[ 92.365094][ T9868] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 000000000043ff38
[ 92.373060][ T9868] RDX: 0000000000000000 RSI: 000000000000003c RDI: 0000000000000000
[ 92.381025][ T9868] RBP: 00000000004bf950 R08: 00000000000000e7 R09: ffffffffffffffd0
[ 92.388976][ T9868] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000001
[ 92.396943][ T9868] R13: 00000000006d2180 R14: 0000000000000000 R15: 0000000000000000
[ 92.406815][ T9868] Kernel Offset: disabled
[ 92.411175][ T9868] Rebooting in 86400 seconds..
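Read together, the three stacks in the report say: the kmalloc-2k object was allocated in vc_allocate() when task 9868 opened a console tty (open syscall), freed by a different task, 9867, through vt_ioctl() -> vt_disallocate_all() (the VT_DISALLOCATE path) while 9868 still held the file open, and then written to 8 bytes in when 9868 exited and tty_release() cancelled the port's buffer work on the freed object. The shadow bytes under the access are 0xfb, KASAN's marker for a freed slab object. The helper below, added here as an example (not part of the log, of syzkaller, or of the kernel), automates that reading: it parses a KASAN report, separates the use/alloc/free stacks, drops the sanitizer's own frames, names the syscall that entered the kernel on each stack, computes the offset of the access inside the object and decodes the shadow byte. The SAMPLE is constructed from lines of the report above, trimmed; the NOISE list and the regexes are the author's assumptions about the 5.5-era report format, not a kernel interface.

```python
"""KASAN report triage helper. Added example, not part of the log, syzkaller or the kernel:
splits a report into its use/alloc/free stacks, drops the sanitizer's own frames, names each
stack's entry syscall, and decodes the object offset and the shadow byte under the access."""
import re

# Constructed sample: lines copied from the report above, trimmed to what the helper needs.
SAMPLE = """\
[ 91.572237][ T9868] BUG: KASAN: use-after-free in try_to_grab_pending+0x115/0x910
[ 91.579878][ T9868] Write of size 8 at addr ffff88809a647008 by task syz-executor965/9868
[ 91.609372][ T9868] Call Trace:
[ 91.612682][ T9868]  dump_stack+0x197/0x210
[ 91.617026][ T9868]  ? try_to_grab_pending+0x115/0x910
[ 91.664777][ T9868]  try_to_grab_pending+0x115/0x910
[ 91.694754][ T9868]  tty_buffer_cancel_work+0x16/0x20
[ 91.700013][ T9868]  release_tty+0x261/0x470
[ 91.709526][ T9868]  tty_release+0xbcb/0xe90
[ 91.773554][ T9868]  __x64_sys_exit_group+0x44/0x50
[ 91.845533][ T9868]
[ 91.847855][ T9868] Allocated by task 9868:
[ 91.852183][ T9868]  save_stack+0x23/0x90
[ 91.866259][ T9868]  kmem_cache_alloc_trace+0x158/0x790
[ 91.871799][ T9868]  vc_allocate+0x1fc/0x760
[ 91.915896][ T9868]  __x64_sys_open+0x7e/0xc0
[ 91.931806][ T9868]
[ 91.934140][ T9868] Freed by task 9867:
[ 91.951770][ T9868]  kfree+0x10a/0x2c0
[ 91.955784][ T9868]  vt_disallocate_all+0x2bd/0x3e0
[ 91.960820][ T9868]  vt_ioctl+0xc38/0x26d0
[ 91.978123][ T9868]  __x64_sys_ioctl+0x73/0xb0
[ 91.993064][ T9868]
[ 91.995391][ T9868] The buggy address belongs to the object at ffff88809a647000
[ 91.995391][ T9868]  which belongs to the cache kmalloc-2k of size 2048
[ 92.085271][ T9868] >ffff88809a647000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
"""

PREFIX = re.compile(r"^\[\s*[\d.]+\]\[\s*T\d+\]\s?")                     # "[ 91.57][ T9868] "
FRAME = re.compile(r"^\s*(\?\s+)?([A-Za-z_][\w.]*)\+0x[0-9a-f]+/0x[0-9a-f]+")
SHADOW_ROW = re.compile(r"^>?\s*([0-9a-f]{16}): ((?:[0-9a-f]{2}\s?){16})")
# Frames that belong to the sanitizer/allocator machinery rather than to the bug (assumed list).
NOISE = ("dump_stack", "print_address_description", "__kasan_", "kasan_", "check_memory_region",
         "save_stack", "kmem_cache_alloc", "kfree", "kmem_cache_free")
# Shadow byte values as printed in KASAN's "Memory state" dump (mm/kasan/kasan.h).
SHADOW = {0x00: "addressable", 0xfb: "freed slab object", 0xfc: "slab redzone", 0xfe: "page redzone",
          0xff: "freed page", 0xf9: "global redzone", 0xf1: "stack left redzone"}

def parse_kasan(text: str) -> dict:
    r, section = {"stacks": {"use": [], "alloc": [], "free": []}, "shadow": {}}, None
    for raw in text.splitlines():
        line = PREFIX.sub("", raw)
        if not line.strip():                       # a blank line ends a stack section
            section = None
        elif m := re.match(r"BUG: KASAN: (\S+) in ([\w.]+)\+0x", line):
            r["bug"], r["fault_fn"] = m.groups()
        elif m := re.match(r"(Read|Write) of size (\d+) at addr ([0-9a-f]+) by task (\S+)/(\d+)", line):
            r["access"], r["size"], r["addr"] = m[1], int(m[2]), int(m[3], 16)
            r["task"], r["pid"] = m[4], int(m[5])
        elif line.startswith("Call Trace:"):
            section = "use"
        elif m := re.match(r"Allocated by task (\d+):", line):
            r["alloc_task"], section = int(m[1]), "alloc"
        elif m := re.match(r"Freed by task (\d+):", line):
            r["free_task"], section = int(m[1]), "free"
        elif m := re.match(r"The buggy address belongs to the object at ([0-9a-f]+)", line):
            r["obj_base"] = int(m[1], 16)
        elif m := re.match(r"\s*which belongs to the cache (\S+) of size (\d+)", line):
            r["cache"], r["obj_size"] = m[1], int(m[2])
        elif m := SHADOW_ROW.match(line):
            r["shadow"][int(m[1], 16)] = [int(b, 16) for b in m[2].split()]
        elif section and (m := FRAME.match(line)) and m[1] is None:   # "? sym" = stale stack slot
            r["stacks"][section].append(m[2])
    return r

def entry_syscall(frames):
    """Syscall wrapper (__x64_sys_*, __ia32_sys_*) that entered the kernel for a stack, if visible."""
    hits = [m[1] for f in frames if (m := re.match(r"__(?:x64|ia32)_sys_(\w+)$", f))]
    return hits[0] if hits else None

def shadow_byte(r):
    """Shadow value covering the bad address: one shadow byte per 8 bytes, 16 per printed row."""
    row = r["addr"] & ~0x7F                        # each dumped row covers 128 bytes of memory
    return r["shadow"][row][(r["addr"] - row) >> 3] if row in r["shadow"] else None

def triage(text: str) -> dict:
    """Reviewer's one-screen summary: where, what object, who freed it, through which syscalls."""
    r = parse_kasan(text)
    sb = shadow_byte(r)
    out = {"bug": r["bug"], "fault_fn": r["fault_fn"],
           "access": f'{r["access"]} of {r["size"]} bytes',
           "object": f'{r["cache"]} ({r["obj_size"]} bytes) at {r["obj_base"]:#x}',
           "offset": r["addr"] - r["obj_base"],
           "shadow": sb, "shadow_meaning": SHADOW.get(sb, "partial/unknown"),
           # Freed by a task other than the one that allocated and still uses the object: the
           # owner lost the object with no refcount or lock stopping the free (a lifetime bug).
           "cross_task_free": r.get("free_task") not in (r.get("alloc_task"), r.get("pid"))}
    for k in ("use", "alloc", "free"):
        frames = r["stacks"][k]
        out[k + "_path"] = [f for f in frames if not f.startswith(NOISE)]   # bug's own code first
        out[k + "_syscall"] = entry_syscall(frames)
    return out

if __name__ == "__main__":
    for k, v in triage(SAMPLE).items():
        print(f"{k}: {v}")
```

On this report the summary comes out as: a use-after-free write of 8 bytes at offset 8 of a kmalloc-2k object, shadow 0xfb (freed slab object), use path try_to_grab_pending -> tty_buffer_cancel_work -> release_tty -> tty_release entered via exit_group, allocated via open in vc_allocate, freed via ioctl in vt_disallocate_all, and cross_task_free set because 9867 freed what 9868 allocated and still used. The "? sym" frames are skipped because they are leftover stack slots rather than an active call chain, and the shadow byte is looked up by address arithmetic rather than by the position of the "^" marker, which the extraction of this page had already collapsed.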