[ 40.200731] audit: type=1800 audit(1561355600.121:30): pid=7688 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:kernel_t:s0 op=collect_data cause=failed(directio) comm="startpar" name="mcstrans" dev="sda1" ino=2490 res=0
Starting mcstransd:
[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting file context maintaining daemon: restorecond.
[ ok ] Starting OpenBSD Secure Shell server: sshd.
Debian GNU/Linux 7 syzkaller ttyS0
syzkaller login:
[ 45.652347] kauditd_printk_skb: 4 callbacks suppressed
[ 45.652363] audit: type=1400 audit(1561355605.601:35): avc: denied { map } for pid=7862 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
Warning: Permanently added '10.128.0.33' (ECDSA) to the list of known hosts.
executing program
[ 52.357493] audit: type=1400 audit(1561355612.301:36): avc: denied { map } for pid=7874 comm="syz-executor457" path="/root/syz-executor457904536" dev="sda1" ino=16483 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
[ 52.385607] audit: type=1400 audit(1561355612.331:37): avc: denied { map } for pid=7874 comm="syz-executor457" path="/dev/nullb0" dev="devtmpfs" ino=15244 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:device_t:s0 tclass=blk_file permissive=1
[ 52.414784] TCP: request_sock_TCPv6: Possible SYN flooding on port 20002. Sending cookies. Check SNMP counters.
[ 52.439698] FAULT_INJECTION: forcing a failure.
[ 52.439698] name failslab, interval 1, probability 0, space 0, times 1
[ 52.451393] CPU: 1 PID: 7875 Comm: syz-executor457 Not tainted 4.19.55 #27
[ 52.458414] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 52.467829] Call Trace:
[ 52.470425] dump_stack+0x172/0x1f0
[ 52.474046] should_fail.cold+0xa/0x1b
[ 52.477938] ? fault_create_debugfs_attr+0x1e0/0x1e0
[ 52.483044] ? lock_downgrade+0x810/0x810
[ 52.487189] ? ___might_sleep+0x163/0x280
[ 52.491339] __should_failslab+0x121/0x190
[ 52.495566] should_failslab+0x9/0x14
[ 52.499363] __kmalloc+0x2e2/0x750
[ 52.502897] ? lock_downgrade+0x810/0x810
[ 52.507039] ? tls_push_record+0x107/0x13a0
[ 52.511805] tls_push_record+0x107/0x13a0
[ 52.515958] ? __sanitizer_cov_trace_cmp8+0x18/0x20
[ 52.521089] ? _copy_from_iter+0x30d/0xb50
[ 52.525326] ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[ 52.530858] ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[ 52.536591] ? __check_object_size+0x3d/0x42f
[ 52.541084] tls_sw_sendmsg+0xd2e/0x1220
[ 52.545257] ? decrypt_skb_update+0x5c0/0x5c0
[ 52.549837] ? iterate_fd+0x360/0x360
[ 52.553629] ? proc_fail_nth_write+0x9d/0x1e0
[ 52.558225] inet_sendmsg+0x141/0x5d0
[ 52.562016] ? ipip_gro_receive+0x100/0x100
[ 52.566332] sock_sendmsg+0xd7/0x130
[ 52.570045] __sys_sendto+0x262/0x380
[ 52.573862] ? __ia32_sys_getpeername+0xb0/0xb0
[ 52.578524] ? kasan_check_write+0x14/0x20
[ 52.582761] ? __sb_end_write+0xd9/0x110
[ 52.586813] ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20
[ 52.592340] ? fput+0x128/0x1a0
[ 52.595608] ? ksys_write+0x1f1/0x2d0
[ 52.599407] ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 52.604154] ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 52.608895] ? do_syscall_64+0x26/0x620
[ 52.612861] ? entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 52.618227] __x64_sys_sendto+0xe1/0x1a0
[ 52.622282] do_syscall_64+0xfd/0x620
[ 52.626082] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 52.631258] RIP: 0033:0x4462d9
[ 52.634436] Code: e8 ec bb 02 00 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 8b 12 fc ff c3 66 2e 0f 1f 84 00 00 00 00
[ 52.653616] RSP: 002b:00007efe6d05bca8 EFLAGS: 00000246 ORIG_RAX: 000000000000002c
[ 52.661412] RAX: ffffffffffffffda RBX: 00007efe6d05bcc0 RCX: 00000000004462d9
[ 52.668679] RDX: ffffffffffffffc1 RSI: 00000000200005c0 RDI: 0000000000000004
[ 52.675943] RBP: 0000000000000006 R08: 0000000000000000 R09: 1201000000003618
[ 52.683204] R10: 0000000000000000 R11: 0000000000000246 R12: 00000000006dbc4c
[ 52.690464] R13: 00007ffc52f6b33f R14: 00007efe6d05c9c0 R15: 20c49ba5e353f7cf
[ 52.811154] ==================================================================
[ 52.818720] BUG: KASAN: use-after-free in tls_push_record+0x102a/0x13a0
[ 52.825511] Write of size 1 at addr ffff8880a5480000 by task syz-executor457/7875
[ 52.833181]
[ 52.834802] CPU: 0 PID: 7875 Comm: syz-executor457 Not tainted 4.19.55 #27
[ 52.841837] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 52.851289] Call Trace:
[ 52.853874] dump_stack+0x172/0x1f0
[ 52.857498] ? tls_push_record+0x102a/0x13a0
[ 52.861910] print_address_description.cold+0x7c/0x20d
[ 52.867186] ? tls_push_record+0x102a/0x13a0
[ 52.871590] kasan_report.cold+0x8c/0x2ba
[ 52.875731] __asan_report_store1_noabort+0x17/0x20
[ 52.880741] tls_push_record+0x102a/0x13a0
[ 52.884973] ? __local_bh_enable_ip+0x15a/0x270
[ 52.889644] ? lock_sock_nested+0x9a/0x120
[ 52.893879] tls_sw_push_pending_record+0x23/0x30
[ 52.898707] tls_sk_proto_close+0x5bb/0xa20
[ 52.903019] ? debug_object_activate+0x2c1/0x4e0
[ 52.907774] ? tcp_check_oom+0x560/0x560
[ 52.911830] ? tls_write_space+0x310/0x310
[ 52.916058] ? ip_mc_drop_socket+0x20c/0x270
[ 52.920456] ? __sock_release+0x89/0x2a0
[ 52.924509] inet_release+0xff/0x1e0
[ 52.928211] inet6_release+0x53/0x80
[ 52.931926] __sock_release+0xce/0x2a0
[ 52.935856] ? __sock_release+0x2a0/0x2a0
[ 52.940080] sock_close+0x1b/0x30
[ 52.943542] __fput+0x2dd/0x8b0
[ 52.946815] ____fput+0x16/0x20
[ 52.950093] task_work_run+0x145/0x1c0
[ 52.953979] do_exit+0x933/0x2fa0
[ 52.957428] ? _raw_spin_unlock_bh+0x31/0x40
[ 52.961882] ? release_sock+0x156/0x1c0
[ 52.965855] ? get_signal+0x384/0x1fc0
[ 52.969791] ? mm_update_next_owner+0x660/0x660
[ 52.974463] ? _raw_spin_unlock_irq+0x28/0x90
[ 52.978984] ? get_signal+0x384/0x1fc0
[ 52.982904] ? _raw_spin_unlock_irq+0x28/0x90
[ 52.987411] do_group_exit+0x135/0x370
[ 52.991337] get_signal+0x3ec/0x1fc0
[ 52.995105] ? inet_sendmsg+0x149/0x5d0
[ 52.999075] do_signal+0x95/0x1960
[ 53.002614] ? __ia32_sys_getpeername+0xb0/0xb0
[ 53.007273] ? kasan_check_write+0x14/0x20
[ 53.011494] ? setup_sigcontext+0x7d0/0x7d0
[ 53.015806] ? __sb_end_write+0xd9/0x110
[ 53.019865] ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20
[ 53.025408] ? fput+0x128/0x1a0
[ 53.028680] ? ksys_write+0x1f1/0x2d0
[ 53.032481] ? exit_to_usermode_loop+0x43/0x2c0
[ 53.037136] ? do_syscall_64+0x53d/0x620
[ 53.041188] ? exit_to_usermode_loop+0x43/0x2c0
[ 53.045923] ? lockdep_hardirqs_on+0x415/0x5d0
[ 53.050507] ? trace_hardirqs_on+0x67/0x220
[ 53.054822] exit_to_usermode_loop+0x244/0x2c0
[ 53.059448] do_syscall_64+0x53d/0x620
[ 53.063341] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 53.068520] RIP: 0033:0x4462d9
[ 53.071708] Code: Bad RIP value.
[ 53.075062] RSP: 002b:00007efe6d05bca8 EFLAGS: 00000246 ORIG_RAX: 000000000000002c
[ 53.082758] RAX: 0000000000004000 RBX: 00007efe6d05bcc0 RCX: 00000000004462d9
[ 53.090061] RDX: ffffffffffffffc1 RSI: 00000000200005c0 RDI: 0000000000000004
[ 53.097370] RBP: 0000000000000006 R08: 0000000000000000 R09: 1201000000003618
[ 53.104629] R10: 0000000000000000 R11: 0000000000000246 R12: 00000000006dbc4c
[ 53.111888] R13: 00007ffc52f6b33f R14: 00007efe6d05c9c0 R15: 20c49ba5e353f7cf
[ 53.119163]
[ 53.120779] The buggy address belongs to the page:
[ 53.125762] page:ffffea0002952000 count:0 mapcount:-128 mapping:0000000000000000 index:0x0
[ 53.134218] flags: 0x1fffc0000000000()
[ 53.138104] raw: 01fffc0000000000 ffffea00022a0208 ffffea0002716a08 0000000000000000
[ 53.146672] raw: 0000000000000000 0000000000000003 00000000ffffff7f 0000000000000000
[ 53.154548] page dumped because: kasan: bad access detected
[ 53.160243]
[ 53.161852] Memory state around the buggy address:
[ 53.166768]  ffff8880a547ff00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 53.174264]  ffff8880a547ff80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 53.181613] >ffff8880a5480000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 53.188958]                    ^
[ 53.192362]  ffff8880a5480080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 53.199715]  ffff8880a5480100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 53.207063] ==================================================================
[ 53.214401] Disabling lock debugging due to kernel taint
[ 53.220322] Kernel panic - not syncing: panic_on_warn set ...
[ 53.220322]
[ 53.227709] CPU: 0 PID: 7875 Comm: syz-executor457 Tainted: G B 4.19.55 #27
[ 53.236175] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 53.245564] Call Trace:
[ 53.248218] dump_stack+0x172/0x1f0
[ 53.251841] ? tls_push_record+0x102a/0x13a0
[ 53.256247] panic+0x263/0x507
[ 53.259434] ? __warn_printk+0xf3/0xf3
[ 53.263310] ? tls_push_record+0x102a/0x13a0
[ 53.267712] ? preempt_schedule+0x4b/0x60
[ 53.271850] ? ___preempt_schedule+0x16/0x18
[ 53.276248] ? trace_hardirqs_on+0x5e/0x220
[ 53.280562] ? tls_push_record+0x102a/0x13a0
[ 53.284977] kasan_end_report+0x47/0x4f
[ 53.288994] kasan_report.cold+0xa9/0x2ba
[ 53.293258] __asan_report_store1_noabort+0x17/0x20
[ 53.298259] tls_push_record+0x102a/0x13a0
[ 53.302652] ? __local_bh_enable_ip+0x15a/0x270
[ 53.307321] ? lock_sock_nested+0x9a/0x120
[ 53.311549] tls_sw_push_pending_record+0x23/0x30
[ 53.316375] tls_sk_proto_close+0x5bb/0xa20
[ 53.320697] ? debug_object_activate+0x2c1/0x4e0
[ 53.325450] ? tcp_check_oom+0x560/0x560
[ 53.329506] ? tls_write_space+0x310/0x310
[ 53.333729] ? ip_mc_drop_socket+0x20c/0x270
[ 53.338119] ? __sock_release+0x89/0x2a0
[ 53.342171] inet_release+0xff/0x1e0
[ 53.346038] inet6_release+0x53/0x80
[ 53.349755] __sock_release+0xce/0x2a0
[ 53.353631] ? __sock_release+0x2a0/0x2a0
[ 53.357762] sock_close+0x1b/0x30
[ 53.361201] __fput+0x2dd/0x8b0
[ 53.364472] ____fput+0x16/0x20
[ 53.367749] task_work_run+0x145/0x1c0
[ 53.371624] do_exit+0x933/0x2fa0
[ 53.375198] ? _raw_spin_unlock_bh+0x31/0x40
[ 53.379604] ? release_sock+0x156/0x1c0
[ 53.383570] ? get_signal+0x384/0x1fc0
[ 53.387444] ? mm_update_next_owner+0x660/0x660
[ 53.392143] ? _raw_spin_unlock_irq+0x28/0x90
[ 53.396633] ? get_signal+0x384/0x1fc0
[ 53.400512] ? _raw_spin_unlock_irq+0x28/0x90
[ 53.405003] do_group_exit+0x135/0x370
[ 53.408881] get_signal+0x3ec/0x1fc0
[ 53.412591] ? inet_sendmsg+0x149/0x5d0
[ 53.416563] do_signal+0x95/0x1960
[ 53.420112] ? __ia32_sys_getpeername+0xb0/0xb0
[ 53.424818] ? kasan_check_write+0x14/0x20
[ 53.429052] ? setup_sigcontext+0x7d0/0x7d0
[ 53.433363] ? __sb_end_write+0xd9/0x110
[ 53.437418] ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20
[ 53.442968] ? fput+0x128/0x1a0
[ 53.446241] ? ksys_write+0x1f1/0x2d0
[ 53.450036] ? exit_to_usermode_loop+0x43/0x2c0
[ 53.454762] ? do_syscall_64+0x53d/0x620
[ 53.458819] ? exit_to_usermode_loop+0x43/0x2c0
[ 53.463477] ? lockdep_hardirqs_on+0x415/0x5d0
[ 53.468044] ? trace_hardirqs_on+0x67/0x220
[ 53.472353] exit_to_usermode_loop+0x244/0x2c0
[ 53.477027] do_syscall_64+0x53d/0x620
[ 53.480914] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 53.486088] RIP: 0033:0x4462d9
[ 53.489277] Code: Bad RIP value.
[ 53.492626] RSP: 002b:00007efe6d05bca8 EFLAGS: 00000246 ORIG_RAX: 000000000000002c
[ 53.500330] RAX: 0000000000004000 RBX: 00007efe6d05bcc0 RCX: 00000000004462d9
[ 53.507591] RDX: ffffffffffffffc1 RSI: 00000000200005c0 RDI: 0000000000000004
[ 53.514850] RBP: 0000000000000006 R08: 0000000000000000 R09: 1201000000003618
[ 53.522148] R10: 0000000000000000 R11: 0000000000000246 R12: 00000000006dbc4c
[ 53.529406] R13: 00007ffc52f6b33f R14: 00007efe6d05c9c0 R15: 20c49ba5e353f7cf
[ 53.537706] Kernel Offset: disabled
[ 53.541380] Rebooting in 86400 seconds..