[....] Starting periodic command scheduler: cron[?25l[?1c7[1G[[32m ok [39;49m8[?25h[?0c.
Starting mcstransd: 
[  115.912678][   T27] audit: type=1400 audit(1579748718.834:37): avc:  denied  { watch } for  pid=10591 comm="restorecond" path="/root/.ssh" dev="sda1" ino=16179 scontext=system_u:system_r:kernel_t:s0 tcontext=unconfined_u:object_r:ssh_home_t:s0 tclass=dir permissive=1
[....] Starting file context maintaining daemon: restorecond[?25l[?1c7[1G[[32m ok [39;49m8[?25h[?0c.
[....] Starting OpenBSD Secure Shell server: sshd[?25l[?1c7[1G[[32m ok [39;49m8[?25h[?0c.

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [  120.189751][   T27] kauditd_printk_skb: 3 callbacks suppressed
[  120.189767][   T27] audit: type=1400 audit(1579748723.114:41): avc:  denied  { map } for  pid=10674 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
Warning: Permanently added '10.128.0.153' (ECDSA) to the list of known hosts.
executing program
[  126.936722][   T27] audit: type=1400 audit(1579748729.854:42): avc:  denied  { map } for  pid=10686 comm="syz-executor502" path="/root/syz-executor502800525" dev="sda1" ino=16484 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
[  126.941659][T10686] ==================================================================
[  126.973532][T10686] BUG: KASAN: slab-out-of-bounds in setup_udp_tunnel_sock+0x43d/0x520
[  126.981676][T10686] Write of size 1 at addr ffff8880a4952590 by task syz-executor502/10686
[  126.990083][T10686] 
[  126.992405][T10686] CPU: 1 PID: 10686 Comm: syz-executor502 Not tainted 5.5.0-rc7-syzkaller #0
[  127.001156][T10686] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[  127.011449][T10686] Call Trace:
[  127.014861][T10686]  dump_stack+0x197/0x210
[  127.019185][T10686]  ? setup_udp_tunnel_sock+0x43d/0x520
[  127.024726][T10686]  print_address_description.constprop.0.cold+0xd4/0x30b
[  127.031751][T10686]  ? setup_udp_tunnel_sock+0x43d/0x520
[  127.037219][T10686]  ? setup_udp_tunnel_sock+0x43d/0x520
[  127.042675][T10686]  __kasan_report.cold+0x1b/0x41
[  127.047619][T10686]  ? trace_hardirqs_on+0x51/0x240
[  127.052645][T10686]  ? setup_udp_tunnel_sock+0x43d/0x520
[  127.058464][T10686]  kasan_report+0x12/0x20
[  127.062805][T10686]  __asan_report_store1_noabort+0x17/0x20
[  127.068541][T10686]  setup_udp_tunnel_sock+0x43d/0x520
[  127.073821][T10686]  gtp_encap_enable_socket+0x338/0x420
[  127.079400][T10686]  ? gtp_find_pdp_by_link+0x480/0x480
[  127.084875][T10686]  ? memset+0x32/0x40
[  127.088862][T10686]  ? gtp1_pdp_find.isra.0+0x180/0x180
[  127.094394][T10686]  ? __gtp_encap_destroy+0x1e0/0x1e0
[  127.099808][T10686]  ? alloc_netdev_mqs+0xa22/0xde0
[  127.104963][T10686]  gtp_newlink+0x95/0xc60
[  127.109306][T10686]  ? rtnl_create_link+0x192/0xab0
[  127.114331][T10686]  ? netlink_ns_capable+0x26/0x30
[  127.119590][T10686]  ? gtp_genl_get_pdp+0x5c0/0x5c0
[  127.124621][T10686]  __rtnl_newlink+0x109e/0x1790
[  127.129546][T10686]  ? rtnl_link_unregister+0x250/0x250
[  127.134925][T10686]  ? is_bpf_text_address+0xce/0x160
[  127.140127][T10686]  ? kernel_text_address+0x73/0xf0
[  127.145465][T10686]  ? unwind_get_return_address+0x61/0xa0
[  127.151088][T10686]  ? profile_setup.cold+0xbb/0xbb
[  127.156122][T10686]  ? arch_stack_walk+0x97/0xf0
[  127.161040][T10686]  ? stack_trace_save+0xac/0xe0
[  127.165955][T10686]  ? stack_trace_consume_entry+0x190/0x190
[  127.171884][T10686]  ? mark_lock+0xc2/0x1220
[  127.176350][T10686]  ? save_stack+0x5c/0x90
[  127.180751][T10686]  ? save_stack+0x23/0x90
[  127.185127][T10686]  ? __kasan_kmalloc.constprop.0+0xcf/0xe0
[  127.190932][T10686]  ? kasan_kmalloc+0x9/0x10
[  127.195423][T10686]  ? kmem_cache_alloc_trace+0x158/0x790
[  127.201001][T10686]  ? rtnl_newlink+0x4b/0xa0
[  127.205626][T10686]  ? rcu_read_lock_sched_held+0x9c/0xd0
[  127.211179][T10686]  ? rcu_read_lock_any_held.part.0+0x50/0x50
[  127.217184][T10686]  rtnl_newlink+0x69/0xa0
[  127.221514][T10686]  ? __rtnl_newlink+0x1790/0x1790
[  127.226622][T10686]  rtnetlink_rcv_msg+0x45e/0xaf0
[  127.231764][T10686]  ? rtnl_bridge_getlink+0x910/0x910
[  127.237071][T10686]  ? lock_downgrade+0x920/0x920
[  127.241962][T10686]  ? netlink_deliver_tap+0x228/0xbe0
[  127.247260][T10686]  ? find_held_lock+0x35/0x130
[  127.252239][T10686]  netlink_rcv_skb+0x177/0x450
[  127.256996][T10686]  ? rtnl_bridge_getlink+0x910/0x910
[  127.262340][T10686]  ? netlink_ack+0xb50/0xb50
[  127.267148][T10686]  ? __kasan_check_read+0x11/0x20
[  127.272172][T10686]  ? netlink_deliver_tap+0x24a/0xbe0
[  127.277467][T10686]  rtnetlink_rcv+0x1d/0x30
[  127.282041][T10686]  netlink_unicast+0x58c/0x7d0
[  127.286919][T10686]  ? netlink_attachskb+0x870/0x870
[  127.292032][T10686]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[  127.298286][T10686]  netlink_sendmsg+0x91c/0xea0
[  127.303354][T10686]  ? netlink_unicast+0x7d0/0x7d0
[  127.308386][T10686]  ? tomoyo_socket_sendmsg+0x26/0x30
[  127.313723][T10686]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[  127.319969][T10686]  ? security_socket_sendmsg+0x8d/0xc0
[  127.325669][T10686]  ? netlink_unicast+0x7d0/0x7d0
[  127.330602][T10686]  sock_sendmsg+0xd7/0x130
[  127.335021][T10686]  ____sys_sendmsg+0x753/0x880
[  127.339851][T10686]  ? kernel_sendmsg+0x50/0x50
[  127.344710][T10686]  ? mark_held_locks+0xa4/0xf0
[  127.349484][T10686]  ? do_huge_pmd_anonymous_page+0x1463/0x1a50
[  127.355663][T10686]  ? __handle_mm_fault+0x3145/0x3cc0
[  127.361062][T10686]  ? do_huge_pmd_anonymous_page+0x1463/0x1a50
[  127.367372][T10686]  ___sys_sendmsg+0x100/0x170
[  127.372073][T10686]  ? do_huge_pmd_anonymous_page+0xceb/0x1a50
[  127.378282][T10686]  ? sendmsg_copy_msghdr+0x70/0x70
[  127.383529][T10686]  ? __do_page_fault+0x56a/0xd80
[  127.388526][T10686]  ? find_held_lock+0x35/0x130
[  127.393292][T10686]  ? __do_page_fault+0x56a/0xd80
[  127.398355][T10686]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[  127.404713][T10686]  ? __fget_light+0x1a9/0x230
[  127.409452][T10686]  ? __fdget+0x1b/0x20
[  127.413523][T10686]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[  127.419979][T10686]  __sys_sendmsg+0x105/0x1d0
[  127.424584][T10686]  ? __sys_sendmsg_sock+0xc0/0xc0
[  127.429614][T10686]  ? down_read_non_owner+0x490/0x490
[  127.434942][T10686]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[  127.440546][T10686]  ? do_syscall_64+0x26/0x790
[  127.445344][T10686]  ? entry_SYSCALL_64_after_hwframe+0x49/0xbe
[  127.451539][T10686]  ? do_syscall_64+0x26/0x790
[  127.456291][T10686]  __x64_sys_sendmsg+0x78/0xb0
[  127.461159][T10686]  do_syscall_64+0xfa/0x790
[  127.465769][T10686]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[  127.471659][T10686] RIP: 0033:0x4402b9
[  127.475644][T10686] Code: 18 89 d0 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 fb 13 fc ff c3 66 2e 0f 1f 84 00 00 00 00
[  127.495332][T10686] RSP: 002b:00007ffc780292f8 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
[  127.503838][T10686] RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 00000000004402b9
[  127.511867][T10686] RDX: 0000000000000000 RSI: 0000000020000100 RDI: 0000000000000003
[  127.520001][T10686] RBP: 00000000006ca018 R08: 00000000004002c8 R09: 00000000004002c8
[  127.527988][T10686] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000401b40
[  127.535967][T10686] R13: 0000000000401bd0 R14: 0000000000000000 R15: 0000000000000000
[  127.544063][T10686] 
[  127.546388][T10686] Allocated by task 10686:
[  127.550804][T10686]  save_stack+0x23/0x90
[  127.555019][T10686]  __kasan_kmalloc.constprop.0+0xcf/0xe0
[  127.560751][T10686]  kasan_slab_alloc+0xf/0x20
[  127.565448][T10686]  kmem_cache_alloc+0x121/0x710
[  127.570353][T10686]  sk_prot_alloc+0x67/0x310
[  127.575047][T10686]  sk_alloc+0x39/0xfd0
[  127.579175][T10686]  inet_create+0x363/0xdf0
[  127.583645][T10686]  __sock_create+0x3ce/0x730
[  127.588248][T10686]  __sys_socket+0x103/0x220
[  127.592743][T10686]  __x64_sys_socket+0x73/0xb0
[  127.597486][T10686]  do_syscall_64+0xfa/0x790
[  127.602119][T10686]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[  127.608001][T10686] 
[  127.610334][T10686] Freed by task 0:
[  127.614045][T10686] (stack is not available)
[  127.618454][T10686] 
[  127.620774][T10686] The buggy address belongs to the object at ffff8880a4952040
[  127.620774][T10686]  which belongs to the cache RAW of size 1360
[  127.634322][T10686] The buggy address is located 0 bytes to the right of
[  127.634322][T10686]  1360-byte region [ffff8880a4952040, ffff8880a4952590)
[  127.648144][T10686] The buggy address belongs to the page:
[  127.654002][T10686] page:ffffea0002925480 refcount:1 mapcount:0 mapping:ffff88821a8abe00 index:0x0 compound_mapcount: 0
[  127.665391][T10686] raw: 00fffe0000010200 ffff8880a4d7a348 ffff8880a4d7a348 ffff88821a8abe00
[  127.674007][T10686] raw: 0000000000000000 ffff8880a4952040 0000000100000005 0000000000000000
[  127.682583][T10686] page dumped because: kasan: bad access detected
[  127.688989][T10686] 
[  127.688994][T10686] Memory state around the buggy address:
[  127.689008][T10686]  ffff8880a4952480: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[  127.689019][T10686]  ffff8880a4952500: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[  127.689029][T10686] >ffff8880a4952580: 00 00 fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[  127.689035][T10686]                          ^
[  127.689045][T10686]  ffff8880a4952600: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[  127.689056][T10686]  ffff8880a4952680: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[  127.689061][T10686] ==================================================================
[  127.689065][T10686] Disabling lock debugging due to kernel taint
[  127.760213][T10686] Kernel panic - not syncing: panic_on_warn set ...
[  127.766856][T10686] CPU: 0 PID: 10686 Comm: syz-executor502 Tainted: G    B             5.5.0-rc7-syzkaller #0
[  127.777025][T10686] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[  127.787104][T10686] Call Trace:
[  127.790444][T10686]  dump_stack+0x197/0x210
[  127.794764][T10686]  panic+0x2e3/0x75c
[  127.798653][T10686]  ? add_taint.cold+0x16/0x16
[  127.803413][T10686]  ? setup_udp_tunnel_sock+0x43d/0x520
[  127.809108][T10686]  ? preempt_schedule+0x4b/0x60
[  127.814059][T10686]  ? ___preempt_schedule+0x16/0x18
[  127.819187][T10686]  ? trace_hardirqs_on+0x5e/0x240
[  127.824265][T10686]  ? setup_udp_tunnel_sock+0x43d/0x520
[  127.830056][T10686]  end_report+0x47/0x4f
[  127.834253][T10686]  ? setup_udp_tunnel_sock+0x43d/0x520
[  127.839775][T10686]  __kasan_report.cold+0xe/0x41
[  127.844917][T10686]  ? trace_hardirqs_on+0x51/0x240
[  127.849932][T10686]  ? setup_udp_tunnel_sock+0x43d/0x520
[  127.855390][T10686]  kasan_report+0x12/0x20
[  127.859861][T10686]  __asan_report_store1_noabort+0x17/0x20
[  127.865620][T10686]  setup_udp_tunnel_sock+0x43d/0x520
[  127.870949][T10686]  gtp_encap_enable_socket+0x338/0x420
[  127.876422][T10686]  ? gtp_find_pdp_by_link+0x480/0x480
[  127.881799][T10686]  ? memset+0x32/0x40
[  127.885776][T10686]  ? gtp1_pdp_find.isra.0+0x180/0x180
[  127.891250][T10686]  ? __gtp_encap_destroy+0x1e0/0x1e0
[  127.896709][T10686]  ? alloc_netdev_mqs+0xa22/0xde0
[  127.901745][T10686]  gtp_newlink+0x95/0xc60
[  127.906080][T10686]  ? rtnl_create_link+0x192/0xab0
[  127.911112][T10686]  ? netlink_ns_capable+0x26/0x30
[  127.916282][T10686]  ? gtp_genl_get_pdp+0x5c0/0x5c0
[  127.921317][T10686]  __rtnl_newlink+0x109e/0x1790
[  127.926159][T10686]  ? rtnl_link_unregister+0x250/0x250
[  127.931641][T10686]  ? is_bpf_text_address+0xce/0x160
[  127.936889][T10686]  ? kernel_text_address+0x73/0xf0
[  127.942132][T10686]  ? unwind_get_return_address+0x61/0xa0
[  127.947767][T10686]  ? profile_setup.cold+0xbb/0xbb
[  127.952781][T10686]  ? arch_stack_walk+0x97/0xf0
[  127.957544][T10686]  ? stack_trace_save+0xac/0xe0
[  127.962378][T10686]  ? stack_trace_consume_entry+0x190/0x190
[  127.968197][T10686]  ? mark_lock+0xc2/0x1220
[  127.972693][T10686]  ? save_stack+0x5c/0x90
[  127.977111][T10686]  ? save_stack+0x23/0x90
[  127.981491][T10686]  ? __kasan_kmalloc.constprop.0+0xcf/0xe0
[  127.987423][T10686]  ? kasan_kmalloc+0x9/0x10
[  127.991924][T10686]  ? kmem_cache_alloc_trace+0x158/0x790
[  127.997474][T10686]  ? rtnl_newlink+0x4b/0xa0
[  128.001981][T10686]  ? rcu_read_lock_sched_held+0x9c/0xd0
[  128.007578][T10686]  ? rcu_read_lock_any_held.part.0+0x50/0x50
[  128.013721][T10686]  rtnl_newlink+0x69/0xa0
[  128.018033][T10686]  ? __rtnl_newlink+0x1790/0x1790
[  128.023250][T10686]  rtnetlink_rcv_msg+0x45e/0xaf0
[  128.028192][T10686]  ? rtnl_bridge_getlink+0x910/0x910
[  128.033474][T10686]  ? lock_downgrade+0x920/0x920
[  128.038333][T10686]  ? netlink_deliver_tap+0x228/0xbe0
[  128.043644][T10686]  ? find_held_lock+0x35/0x130
[  128.048514][T10686]  netlink_rcv_skb+0x177/0x450
[  128.053331][T10686]  ? rtnl_bridge_getlink+0x910/0x910
[  128.058752][T10686]  ? netlink_ack+0xb50/0xb50
[  128.063341][T10686]  ? __kasan_check_read+0x11/0x20
[  128.068414][T10686]  ? netlink_deliver_tap+0x24a/0xbe0
[  128.073818][T10686]  rtnetlink_rcv+0x1d/0x30
[  128.078220][T10686]  netlink_unicast+0x58c/0x7d0
[  128.083044][T10686]  ? netlink_attachskb+0x870/0x870
[  128.088156][T10686]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[  128.094445][T10686]  netlink_sendmsg+0x91c/0xea0
[  128.099680][T10686]  ? netlink_unicast+0x7d0/0x7d0
[  128.104644][T10686]  ? tomoyo_socket_sendmsg+0x26/0x30
[  128.109985][T10686]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[  128.116228][T10686]  ? security_socket_sendmsg+0x8d/0xc0
[  128.121684][T10686]  ? netlink_unicast+0x7d0/0x7d0
[  128.126872][T10686]  sock_sendmsg+0xd7/0x130
[  128.132850][T10686]  ____sys_sendmsg+0x753/0x880
[  128.137634][T10686]  ? kernel_sendmsg+0x50/0x50
[  128.142355][T10686]  ? mark_held_locks+0xa4/0xf0
[  128.147246][T10686]  ? do_huge_pmd_anonymous_page+0x1463/0x1a50
[  128.153500][T10686]  ? __handle_mm_fault+0x3145/0x3cc0
[  128.158805][T10686]  ? do_huge_pmd_anonymous_page+0x1463/0x1a50
[  128.164917][T10686]  ___sys_sendmsg+0x100/0x170
[  128.169596][T10686]  ? do_huge_pmd_anonymous_page+0xceb/0x1a50
[  128.175573][T10686]  ? sendmsg_copy_msghdr+0x70/0x70
[  128.180697][T10686]  ? __do_page_fault+0x56a/0xd80
[  128.185696][T10686]  ? find_held_lock+0x35/0x130
[  128.190463][T10686]  ? __do_page_fault+0x56a/0xd80
[  128.195408][T10686]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[  128.201647][T10686]  ? __fget_light+0x1a9/0x230
[  128.206464][T10686]  ? __fdget+0x1b/0x20
[  128.210533][T10686]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[  128.216776][T10686]  __sys_sendmsg+0x105/0x1d0
[  128.221362][T10686]  ? __sys_sendmsg_sock+0xc0/0xc0
[  128.226384][T10686]  ? down_read_non_owner+0x490/0x490
[  128.231770][T10686]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[  128.237213][T10686]  ? do_syscall_64+0x26/0x790
[  128.241890][T10686]  ? entry_SYSCALL_64_after_hwframe+0x49/0xbe
[  128.247941][T10686]  ? do_syscall_64+0x26/0x790
[  128.252719][T10686]  __x64_sys_sendmsg+0x78/0xb0
[  128.257616][T10686]  do_syscall_64+0xfa/0x790
[  128.262123][T10686]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[  128.268094][T10686] RIP: 0033:0x4402b9
[  128.271992][T10686] Code: 18 89 d0 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 fb 13 fc ff c3 66 2e 0f 1f 84 00 00 00 00
[  128.291863][T10686] RSP: 002b:00007ffc780292f8 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
[  128.300275][T10686] RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 00000000004402b9
[  128.308353][T10686] RDX: 0000000000000000 RSI: 0000000020000100 RDI: 0000000000000003
[  128.316549][T10686] RBP: 00000000006ca018 R08: 00000000004002c8 R09: 00000000004002c8
[  128.324519][T10686] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000401b40
[  128.332691][T10686] R13: 0000000000401bd0 R14: 0000000000000000 R15: 0000000000000000
[  128.342380][T10686] Kernel Offset: disabled
[  128.346716][T10686] Rebooting in 86400 seconds..