[   88.697112][   T26] audit: type=1400 audit(1583425560.541:37): avc: denied { watch } for pid=10549 comm="restorecond" path="/root/.ssh" dev="sda1" ino=16179 scontext=system_u:system_r:kernel_t:s0 tcontext=unconfined_u:object_r:ssh_home_t:s0 tclass=dir permissive=1
[   88.732588][   T26] audit: type=1400 audit(1583425560.571:38): avc: denied { watch } for pid=10549 comm="restorecond" path="/etc/selinux/restorecond.conf" dev="sda1" ino=2232 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
[ ok ] Starting OpenBSD Secure Shell server: sshd.
[ ok ] Starting file context maintaining daemon: restorecond.
[   89.004189][   T26] audit: type=1800 audit(1583425560.851:39): pid=10457 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:kernel_t:s0 op=collect_data cause=failed(directio) comm="startpar" name="rc.local" dev="sda1" ino=2432 res=0
[   89.026147][   T26] audit: type=1800 audit(1583425560.851:40): pid=10457 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:kernel_t:s0 op=collect_data cause=failed(directio) comm="startpar" name="rmnologin" dev="sda1" ino=2423 res=0

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [   92.789202][   T26] audit: type=1400 audit(1583425564.631:41): avc: denied { map } for pid=10635 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
Warning: Permanently added '10.128.0.88' (ECDSA) to the list of known hosts.
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
[  113.265462][   T26] audit: type=1400 audit(1583425585.111:42): avc: denied { map } for pid=10647 comm="syz-executor776" path="/root/syz-executor776788999" dev="sda1" ino=16482 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
[  113.350252][T10657] ==================================================================
[  113.358878][T10657] BUG: KASAN: use-after-free in try_to_grab_pending+0x115/0x910
[  113.358896][T10657] Write of size 8 at addr ffff888092f37008 by task syz-executor776/10657
[  113.358900][T10657]
[  113.358914][T10657] CPU: 0 PID: 10657 Comm: syz-executor776 Not tainted 5.6.0-rc3-syzkaller #0
[  113.358922][T10657] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[  113.358928][T10657] Call Trace:
[  113.358947][T10657]  dump_stack+0x197/0x210
[  113.358963][T10657]  ? try_to_grab_pending+0x115/0x910
[  113.358990][T10657]  print_address_description.constprop.0.cold+0xd4/0x30b
[  113.359003][T10657]  ? try_to_grab_pending+0x115/0x910
[  113.359017][T10657]  ? try_to_grab_pending+0x115/0x910
[  113.359033][T10657]  __kasan_report.cold+0x1b/0x32
[  113.359053][T10657]  ? try_to_grab_pending+0x115/0x910
[  113.359074][T10657]  kasan_report+0x12/0x20
[  113.359091][T10657]  check_memory_region+0x134/0x1a0
[  113.359109][T10657]  __kasan_check_write+0x14/0x20
[  113.359124][T10657]  try_to_grab_pending+0x115/0x910
[  113.359145][T10657]  ? __kasan_check_read+0x11/0x20
[  113.359169][T10657]  __cancel_work_timer+0xc4/0x540
[  113.359187][T10657]  ? mod_delayed_work_on+0x200/0x200
[  113.359209][T10657]  ? get_work_pool+0x1b0/0x1b0
[  113.359244][T10657]  cancel_work_sync+0x18/0x20
[  113.359262][T10657]  tty_buffer_cancel_work+0x16/0x20
[  113.359274][T10657]  release_tty+0x261/0x470
[  113.359293][T10657]  tty_release_struct+0x3c/0x50
[  113.359308][T10657]  tty_release+0xbcb/0xe90
[  113.359340][T10657]  __fput+0x2ff/0x890
[  113.359360][T10657]  ? do_tty_hangup+0x30/0x30
[  113.359379][T10657]  ____fput+0x16/0x20
[  113.359396][T10657]  task_work_run+0x145/0x1c0
[  113.359426][T10657]  do_exit+0xba9/0x2f50
[  113.359443][T10657]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[  113.359456][T10657]  ? debug_smp_processor_id+0x33/0x18a
[  113.359485][T10657]  ? mm_update_next_owner+0x7c0/0x7c0
[  113.359499][T10657]  ? rcu_read_lock_sched_held+0x9c/0xd0
[  113.359515][T10657]  ? rcu_read_lock_any_held.part.0+0x50/0x50
[  113.359541][T10657]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[  113.359564][T10657]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[  113.359587][T10657]  do_group_exit+0x135/0x360
[  113.359610][T10657]  __x64_sys_exit_group+0x44/0x50
[  113.359627][T10657]  do_syscall_64+0xfa/0x790
[  113.359652][T10657]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[  113.359663][T10657] RIP: 0033:0x43ff38
[  113.359679][T10657] Code: 00 00 be 3c 00 00 00 eb 19 66 0f 1f 84 00 00 00 00 00 48 89 d7 89 f0 0f 05 48 3d 00 f0 ff ff 77 21 f4 48 89 d7 44 89 c0 0f 05 <48> 3d 00 f0 ff ff 76 e0 f7 d8 64 41 89 01 eb d8 0f 1f 84 00 00 00
[  113.359687][T10657] RSP: 002b:00007ffe97e49478 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
[  113.359701][T10657] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 000000000043ff38
[  113.359710][T10657] RDX: 0000000000000000 RSI: 000000000000003c RDI: 0000000000000000
[  113.359719][T10657] RBP: 00000000004bf950 R08: 00000000000000e7 R09: ffffffffffffffd0
[  113.359727][T10657] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000001
[  113.359736][T10657] R13: 00000000006d2180 R14: 0000000000000000 R15: 0000000000000000
[  113.359770][T10657]
[  113.359777][T10657] Allocated by task 10657:
[  113.359791][T10657]  save_stack+0x23/0x90
[  113.359804][T10657]  __kasan_kmalloc.constprop.0+0xcf/0xe0
[  113.359816][T10657]  kasan_kmalloc+0x9/0x10
[  113.359829][T10657]  kmem_cache_alloc_trace+0x158/0x790
[  113.359842][T10657]  vc_allocate+0x1fc/0x760
[  113.359854][T10657]  con_install+0x52/0x410
[  113.359865][T10657]  tty_init_dev+0xf9/0x470
[  113.359876][T10657]  tty_open+0x4a5/0xbb0
[  113.359888][T10657]  chrdev_open+0x245/0x6b0
[  113.359901][T10657]  do_dentry_open+0x4e6/0x1380
[  113.359913][T10657]  vfs_open+0xa0/0xd0
[  113.359926][T10657]  path_openat+0x12ee/0x3490
[  113.359937][T10657]  do_filp_open+0x192/0x260
[  113.359949][T10657]  do_sys_openat2+0x5eb/0x7e0
[  113.359960][T10657]  do_sys_open+0xf2/0x180
[  113.359973][T10657]  __x64_sys_open+0x7e/0xc0
[  113.359986][T10657]  do_syscall_64+0xfa/0x790
[  113.360000][T10657]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[  113.360004][T10657]
[  113.360011][T10657] Freed by task 10658:
[  113.360023][T10657]  save_stack+0x23/0x90
[  113.360036][T10657]  __kasan_slab_free+0x102/0x150
[  113.360048][T10657]  kasan_slab_free+0xe/0x10
[  113.360059][T10657]  kfree+0x10a/0x2c0
[  113.360073][T10657]  vt_disallocate_all+0x2bd/0x3e0
[  113.360085][T10657]  vt_ioctl+0xc38/0x26c0
[  113.360096][T10657]  tty_ioctl+0xa37/0x14f0
[  113.360109][T10657]  ksys_ioctl+0x123/0x180
[  113.360121][T10657]  __x64_sys_ioctl+0x73/0xb0
[  113.360143][T10657]  do_syscall_64+0xfa/0x790
[  113.360157][T10657]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[  113.360160][T10657]
[  113.360171][T10657] The buggy address belongs to the object at ffff888092f37000
[  113.360171][T10657]  which belongs to the cache kmalloc-2k of size 2048
[  113.360183][T10657] The buggy address is located 8 bytes inside of
[  113.360183][T10657]  2048-byte region [ffff888092f37000, ffff888092f37800)
[  113.360188][T10657] The buggy address belongs to the page:
[  113.360202][T10657] page:ffffea00024bcdc0 refcount:1 mapcount:0 mapping:ffff8880aa400e00 index:0x0
[  113.360213][T10657] flags: 0xfffe0000000200(slab)
[  113.360231][T10657] raw: 00fffe0000000200 ffffea0002a265c8 ffffea000245e488 ffff8880aa400e00
[  113.360248][T10657] raw: 0000000000000000 ffff888092f37000 0000000100000001 0000000000000000
[  113.360254][T10657] page dumped because: kasan: bad access detected
[  113.360258][T10657]
[  113.360262][T10657] Memory state around the buggy address:
[  113.360274][T10657]  ffff888092f36f00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[  113.360284][T10657]  ffff888092f36f80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[  113.360295][T10657] >ffff888092f37000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[  113.360300][T10657]                                            ^
[  113.360311][T10657]  ffff888092f37080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[  113.360322][T10657]  ffff888092f37100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[  113.360328][T10657] ==================================================================
[  113.360333][T10657] Disabling lock debugging due to kernel taint
[  113.360340][T10657] Kernel panic - not syncing: panic_on_warn set ...
[  113.360354][T10657] CPU: 0 PID: 10657 Comm: syz-executor776 Tainted: G    B             5.6.0-rc3-syzkaller #0
[  113.360361][T10657] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[  113.360365][T10657] Call Trace:
[  113.360380][T10657]  dump_stack+0x197/0x210
[  113.360397][T10657]  panic+0x2e3/0x75c
[  113.360412][T10657]  ? add_taint.cold+0x16/0x16
[  113.360430][T10657]  ? try_to_grab_pending+0x115/0x910
[  113.360447][T10657]  ? trace_hardirqs_off+0x62/0x240
[  113.360460][T10657]  ? trace_hardirqs_off+0x59/0x240
[  113.360476][T10657]  ? try_to_grab_pending+0x115/0x910
[  113.360490][T10657]  end_report+0x47/0x4f
[  113.360502][T10657]  ? try_to_grab_pending+0x115/0x910
[  113.360515][T10657]  __kasan_report.cold+0xe/0x32
[  113.360530][T10657]  ? try_to_grab_pending+0x115/0x910
[  113.360546][T10657]  kasan_report+0x12/0x20
[  113.360562][T10657]  check_memory_region+0x134/0x1a0
[  113.360577][T10657]  __kasan_check_write+0x14/0x20
[  113.360589][T10657]  try_to_grab_pending+0x115/0x910
[  113.360602][T10657]  ? __kasan_check_read+0x11/0x20
[  113.360618][T10657]  __cancel_work_timer+0xc4/0x540
[  113.360633][T10657]  ? mod_delayed_work_on+0x200/0x200
[  113.360649][T10657]  ? get_work_pool+0x1b0/0x1b0
[  113.360672][T10657]  cancel_work_sync+0x18/0x20
[  113.360686][T10657]  tty_buffer_cancel_work+0x16/0x20
[  113.360698][T10657]  release_tty+0x261/0x470
[  113.360712][T10657]  tty_release_struct+0x3c/0x50
[  113.360725][T10657]  tty_release+0xbcb/0xe90
[  113.360745][T10657]  __fput+0x2ff/0x890
[  113.360760][T10657]  ? do_tty_hangup+0x30/0x30
[  113.360775][T10657]  ____fput+0x16/0x20
[  113.360789][T10657]  task_work_run+0x145/0x1c0
[  113.360808][T10657]  do_exit+0xba9/0x2f50
[  113.360822][T10657]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[  113.360834][T10657]  ? debug_smp_processor_id+0x33/0x18a
[  113.360854][T10657]  ? mm_update_next_owner+0x7c0/0x7c0
[  113.360866][T10657]  ? rcu_read_lock_sched_held+0x9c/0xd0
[  113.360880][T10657]  ? rcu_read_lock_any_held.part.0+0x50/0x50
[  113.360899][T10657]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[  113.360912][T10657]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[  113.360930][T10657]  do_group_exit+0x135/0x360
[  113.360948][T10657]  __x64_sys_exit_group+0x44/0x50
[  113.360963][T10657]  do_syscall_64+0xfa/0x790
[  113.360980][T10657]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[  113.360989][T10657] RIP: 0033:0x43ff38
[  113.361001][T10657] Code: 00 00 be 3c 00 00 00 eb 19 66 0f 1f 84 00 00 00 00 00 48 89 d7 89 f0 0f 05 48 3d 00 f0 ff ff 77 21 f4 48 89 d7 44 89 c0 0f 05 <48> 3d 00 f0 ff ff 76 e0 f7 d8 64 41 89 01 eb d8 0f 1f 84 00 00 00
[  113.361009][T10657] RSP: 002b:00007ffe97e49478 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
[  113.361021][T10657] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 000000000043ff38
[  113.361029][T10657] RDX: 0000000000000000 RSI: 000000000000003c RDI: 0000000000000000
[  113.361036][T10657] RBP: 00000000004bf950 R08: 00000000000000e7 R09: ffffffffffffffd0
[  113.361044][T10657] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000001
[  113.361051][T10657] R13: 00000000006d2180 R14: 0000000000000000 R15: 0000000000000000
[  113.362027][T10657] Kernel Offset: disabled
[  114.241890][T10657] Rebooting in 86400 seconds..
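The three stack traces in the report above name the whole race. The object was allocated by task 10657 inside open() (tty_open -> con_install -> vc_allocate, i.e. a struct vc_data for a virtual console), freed by a different task, 10658, inside ioctl() (tty_ioctl -> vt_ioctl -> vt_disallocate_all, the path VT_DISALLOCATE takes when its argument is 0, "free every console that looks unused"), and then written by 10657 again when its exit_group() closed the still-open tty (tty_release -> release_tty -> tty_buffer_cancel_work -> cancel_work_sync). A size-8 write at offset 8 of the region matches try_to_grab_pending touching work->data of the work_struct embedded in port->buf at the start of vc_data. The broken invariant is that VT_DISALLOCATE must never free a console that an open or close is still using. The harness below replays those three syscalls from two processes to widen the window. It is an added example, not syzbot's reproducer and not kernel code; the console path /dev/tty0, the target /dev/tty10, the iteration count, and the fork-based split are my assumptions, and it only does anything useful as root on a VT-capable machine running a KASAN build of an affected kernel, where the expected outcome is the same splat as above rather than a clean exit.

```c
/* Added race harness derived from the KASAN report above. Not syzbot's
 * reproducer and not kernel code. Assumptions (mine, not the report's):
 * Linux with virtual consoles, root, an affected KASAN kernel, and that
 * /dev/tty0 and /dev/tty10 exist (both can be overridden on argv). */
#include <errno.h>
#include <fcntl.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/ioctl.h>
#include <sys/wait.h>
#include <unistd.h>

/* Same value as VT_DISALLOCATE in <linux/vt.h>; defined here so the file
 * also compiles where that header is absent. Argument 0 selects the
 * "disallocate every unused console" path, i.e. vt_disallocate_all(). */
#ifndef VT_DISALLOCATE
#define VT_DISALLOCATE 0x5608
#endif

enum race_result {
    RACE_NO_DEVICE = 1,   /* console or target tty could not be opened */
    RACE_NO_PERMISSION,   /* VT_DISALLOCATE refused: need the console or CAP_SYS_TTY_CONFIG */
    RACE_FORK_FAILED,
    RACE_DONE             /* all iterations ran; on an affected KASAN kernel expect the splat */
};

/* The "Freed by task 10658" side: vt_ioctl -> vt_disallocate_all -> kfree. */
static void disallocate_loop(int console_fd, long iterations)
{
    for (long i = 0; i < iterations; i++)
        (void)ioctl(console_fd, VT_DISALLOCATE, 0);
    _exit(0);
}

enum race_result run_race(const char *console_path, const char *tty_path,
                          long iterations)
{
    int console_fd = open(console_path, O_RDWR | O_NOCTTY);
    if (console_fd < 0)
        return RACE_NO_DEVICE;

    /* Check permission once before racing; other errors (for example ENOTTY
     * on a non-console) are left for the loop to surface. */
    if (ioctl(console_fd, VT_DISALLOCATE, 0) < 0 && errno == EPERM) {
        close(console_fd);
        return RACE_NO_PERMISSION;
    }

    pid_t child = fork();
    if (child < 0) {
        close(console_fd);
        return RACE_FORK_FAILED;
    }
    if (child == 0)
        disallocate_loop(console_fd, iterations);

    /* The "Allocated by task 10657" side is open(): tty_open -> con_install
     * -> vc_allocate. close() is where the report fires: tty_release ->
     * release_tty -> tty_buffer_cancel_work on port->buf.work inside the
     * vc_data the child may already have freed. */
    enum race_result result = RACE_DONE;
    for (long i = 0; i < iterations; i++) {
        int fd = open(tty_path, O_RDWR | O_NOCTTY);
        if (fd < 0) {
            result = RACE_NO_DEVICE;
            break;
        }
        close(fd);
    }

    kill(child, SIGKILL);
    waitpid(child, NULL, 0);
    close(console_fd);
    return result;
}

int main(int argc, char **argv)
{
    const char *console = argc > 1 ? argv[1] : "/dev/tty0";   /* assumed */
    const char *target  = argc > 2 ? argv[2] : "/dev/tty10";  /* assumed: an unallocated VT */
    long iterations     = argc > 3 ? atol(argv[3]) : 200000;

    enum race_result r = run_race(console, target, iterations);
    printf("result=%d (1=no device, 2=no permission, 3=fork failed, 4=done)\n", r);
    return r == RACE_DONE ? 0 : 1;
}
```

Run it as root with a high, normally unallocated VT as the target so that each open() really goes through vc_allocate; on a kernel without the bug the loop simply completes and returns RACE_DONE, and on a non-console machine it stops early with RACE_NO_DEVICE or RACE_NO_PERMISSION instead of pretending to have tested anything.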