[ 92.268314][ T26] audit: type=1400 audit(1578677793.794:37): avc: denied { watch } for pid=10415 comm="restorecond" path="/root/.ssh" dev="sda1" ino=16179 scontext=system_u:system_r:kernel_t:s0 tcontext=unconfined_u:object_r:ssh_home_t:s0 tclass=dir permissive=1
[ 92.293075][ T26] audit: type=1400 audit(1578677793.794:38): avc: denied { watch } for pid=10415 comm="restorecond" path="/etc/selinux/restorecond.conf" dev="sda1" ino=2232 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
[ ok ] Starting file context maintaining daemon: restorecond.
[ ok ] Starting OpenBSD Secure Shell server: sshd.
[ 92.550413][ T26] audit: type=1800 audit(1578677794.074:39): pid=10323 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:kernel_t:s0 op=collect_data cause=failed(directio) comm="startpar" name="rc.local" dev="sda1" ino=2432 res=0
[ 92.574356][ T26] audit: type=1800 audit(1578677794.074:40): pid=10323 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:kernel_t:s0 op=collect_data cause=failed(directio) comm="startpar" name="rmnologin" dev="sda1" ino=2423 res=0

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [ 95.631777][ T26] audit: type=1400 audit(1578677797.154:41): avc: denied { map } for pid=10500 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
Warning: Permanently added '10.128.0.25' (ECDSA) to the list of known hosts.
executing program
executing program
[ 102.584098][ T26] audit: type=1400 audit(1578677804.104:42): avc: denied { map } for pid=10512 comm="syz-executor103" path="/root/syz-executor103394946" dev="sda1" ino=16484 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
[ 102.596938][T10514] ==================================================================
[ 102.614605][ T26] audit: type=1400 audit(1578677804.104:43): avc: denied { create } for pid=10513 comm="syz-executor103" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_netfilter_socket permissive=1
[ 102.621524][T10514] BUG: KASAN: use-after-free in bitmap_port_ext_cleanup+0xe6/0x2a0
[ 102.647077][ T26] audit: type=1400 audit(1578677804.104:44): avc: denied { write } for pid=10513 comm="syz-executor103" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_netfilter_socket permissive=1
[ 102.654389][T10514] Read of size 8 at addr ffff88809e3cba40 by task syz-executor103/10514
[ 102.654393][T10514]
[ 102.654407][T10514] CPU: 0 PID: 10514 Comm: syz-executor103 Not tainted 5.5.0-rc5-syzkaller #0
[ 102.654416][T10514] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 102.654421][T10514] Call Trace:
[ 102.654441][T10514] dump_stack+0x197/0x210
[ 102.654458][T10514] ? bitmap_port_ext_cleanup+0xe6/0x2a0
[ 102.654481][T10514] print_address_description.constprop.0.cold+0xd4/0x30b
[ 102.732417][T10514] ? bitmap_port_ext_cleanup+0xe6/0x2a0
[ 102.738067][T10514] ? bitmap_port_ext_cleanup+0xe6/0x2a0
[ 102.743603][T10514] __kasan_report.cold+0x1b/0x41
[ 102.748518][T10514] ? kfree+0x200/0x2c0
[ 102.752570][T10514] ? bitmap_port_ext_cleanup+0xe6/0x2a0
[ 102.759050][T10514] kasan_report+0x12/0x20
[ 102.763459][T10514] check_memory_region+0x134/0x1a0
[ 102.768638][T10514] __kasan_check_read+0x11/0x20
[ 102.773476][T10514] bitmap_port_ext_cleanup+0xe6/0x2a0
[ 102.778941][T10514] bitmap_port_destroy+0x17c/0x1d0
[ 102.784054][T10514] ip_set_create+0xe47/0x1500
[ 102.788723][T10514] ? ip_set_destroy+0xb70/0xb70
[ 102.794155][T10514] ? ip_set_destroy+0xb70/0xb70
[ 102.799950][T10514] nfnetlink_rcv_msg+0xcf2/0xfb0
[ 102.804965][T10514] ? nfnetlink_bind+0x2c0/0x2c0
[ 102.809815][T10514] ? avc_has_extended_perms+0x10f0/0x10f0
[ 102.815886][T10514] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 102.823953][T10514] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 102.830440][T10514] ? cred_has_capability+0x199/0x330
[ 102.835746][T10514] ? selinux_sb_eat_lsm_opts+0x700/0x700
[ 102.841466][T10514] ? selinux_sb_eat_lsm_opts+0x700/0x700
[ 102.847086][T10514] ? __check_heap_object+0x43/0xb3
[ 102.852347][T10514] ? __lock_acquire+0x8a0/0x4a00
[ 102.857465][T10514] netlink_rcv_skb+0x177/0x450
[ 102.862484][T10514] ? nfnetlink_bind+0x2c0/0x2c0
[ 102.867323][T10514] ? netlink_ack+0xb50/0xb50
[ 102.872134][T10514] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 102.878464][T10514] ? ns_capable_common+0x93/0x100
[ 102.883563][T10514] ? ns_capable+0x20/0x30
[ 102.887901][T10514] ? __netlink_ns_capable+0x104/0x140
[ 102.894143][T10514] nfnetlink_rcv+0x1ba/0x460
[ 102.898827][T10514] ? nfnetlink_rcv_batch+0x17a0/0x17a0
[ 102.904333][T10514] ? netlink_deliver_tap+0x24a/0xbe0
[ 102.909652][T10514] ? __kasan_check_write+0x14/0x20
[ 102.915031][T10514] netlink_unicast+0x58c/0x7d0
[ 102.919804][T10514] ? netlink_attachskb+0x870/0x870
[ 102.925013][T10514] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 102.931378][T10514] netlink_sendmsg+0x91c/0xea0
[ 102.936142][T10514] ? netlink_unicast+0x7d0/0x7d0
[ 102.941301][T10514] ? tomoyo_socket_sendmsg+0x26/0x30
[ 102.946603][T10514] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 102.953697][T10514] ? security_socket_sendmsg+0x8d/0xc0
[ 102.959155][T10514] ? netlink_unicast+0x7d0/0x7d0
[ 102.964072][T10514] sock_sendmsg+0xd7/0x130
[ 102.968479][T10514] ____sys_sendmsg+0x753/0x880
[ 102.973336][T10514] ? kernel_sendmsg+0x50/0x50
[ 102.978968][T10514] ? mark_held_locks+0xa4/0xf0
[ 102.983719][T10514] ? do_huge_pmd_anonymous_page+0x1463/0x1a50
[ 102.989884][T10514] ? __handle_mm_fault+0x3145/0x3cc0
[ 102.997071][T10514] ? do_huge_pmd_anonymous_page+0x1463/0x1a50
[ 103.003125][T10514] ___sys_sendmsg+0x100/0x170
[ 103.009186][T10514] ? do_huge_pmd_anonymous_page+0xceb/0x1a50
[ 103.015264][T10514] ? sendmsg_copy_msghdr+0x70/0x70
[ 103.020383][T10514] ? __do_page_fault+0x56a/0xd80
[ 103.025307][T10514] ? find_held_lock+0x35/0x130
[ 103.030059][T10514] ? __do_page_fault+0x56a/0xd80
[ 103.035129][T10514] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 103.041379][T10514] ? __fget_light+0x1a9/0x230
[ 103.046273][T10514] ? __fdget+0x1b/0x20
[ 103.050390][T10514] ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[ 103.056676][T10514] __sys_sendmsg+0x105/0x1d0
[ 103.061381][T10514] ? __sys_sendmsg_sock+0xc0/0xc0
[ 103.066408][T10514] ? rcu_read_lock_sched_held+0x9c/0xd0
[ 103.072028][T10514] ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 103.077595][T10514] ? do_syscall_64+0x26/0x790
[ 103.082387][T10514] ? entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 103.088462][T10514] ? do_syscall_64+0x26/0x790
[ 103.093137][T10514] __x64_sys_sendmsg+0x78/0xb0
[ 103.097987][T10514] do_syscall_64+0xfa/0x790
[ 103.102498][T10514] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 103.108389][T10514] RIP: 0033:0x4413d9
[ 103.112293][T10514] Code: e8 fc ab 02 00 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 9b 09 fc ff c3 66 2e 0f 1f 84 00 00 00 00
[ 103.131891][T10514] RSP: 002b:00007ffd8db1afa8 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
[ 103.140290][T10514] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00000000004413d9
[ 103.148244][T10514] RDX: 0000000000000000 RSI: 0000000020001080 RDI: 0000000000000003
[ 103.156319][T10514] RBP: 0000000000019089 R08: 00000000004002c8 R09: 00000000004002c8
[ 103.164438][T10514] R10: 0000000000000004 R11: 0000000000000246 R12: 0000000000402200
[ 103.172451][T10514] R13: 0000000000402290 R14: 0000000000000000 R15: 0000000000000000
[ 103.181220][T10514]
[ 103.183648][T10514] Allocated by task 10514:
[ 103.188077][T10514] save_stack+0x23/0x90
[ 103.192221][T10514] __kasan_kmalloc.constprop.0+0xcf/0xe0
[ 103.197847][T10514] kasan_kmalloc+0x9/0x10
[ 103.202254][T10514] __kmalloc+0x163/0x770
[ 103.206500][T10514] ip_set_alloc+0x38/0x5e
[ 103.210816][T10514] bitmap_port_create+0x3dc/0x7c0
[ 103.215832][T10514] ip_set_create+0x6f1/0x1500
[ 103.221032][T10514] nfnetlink_rcv_msg+0xcf2/0xfb0
[ 103.225970][T10514] netlink_rcv_skb+0x177/0x450
[ 103.230768][T10514] nfnetlink_rcv+0x1ba/0x460
[ 103.235357][T10514] netlink_unicast+0x58c/0x7d0
[ 103.240105][T10514] netlink_sendmsg+0x91c/0xea0
[ 103.244866][T10514] sock_sendmsg+0xd7/0x130
[ 103.249279][T10514] ____sys_sendmsg+0x753/0x880
[ 103.254025][T10514] ___sys_sendmsg+0x100/0x170
[ 103.258689][T10514] __sys_sendmsg+0x105/0x1d0
[ 103.263390][T10514] __x64_sys_sendmsg+0x78/0xb0
[ 103.268156][T10514] do_syscall_64+0xfa/0x790
[ 103.272642][T10514] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 103.278534][T10514]
[ 103.280880][T10514] Freed by task 10514:
[ 103.284947][T10514] save_stack+0x23/0x90
[ 103.289136][T10514] __kasan_slab_free+0x102/0x150
[ 103.294187][T10514] kasan_slab_free+0xe/0x10
[ 103.298677][T10514] kfree+0x10a/0x2c0
[ 103.302555][T10514] kvfree+0x61/0x70
[ 103.306364][T10514] ip_set_free+0x16/0x20
[ 103.310601][T10514] bitmap_port_destroy+0xae/0x1d0
[ 103.315625][T10514] ip_set_create+0xe47/0x1500
[ 103.320371][T10514] nfnetlink_rcv_msg+0xcf2/0xfb0
[ 103.325299][T10514] netlink_rcv_skb+0x177/0x450
[ 103.330042][T10514] nfnetlink_rcv+0x1ba/0x460
[ 103.334630][T10514] netlink_unicast+0x58c/0x7d0
[ 103.339651][T10514] netlink_sendmsg+0x91c/0xea0
[ 103.344398][T10514] sock_sendmsg+0xd7/0x130
[ 103.349069][T10514] ____sys_sendmsg+0x753/0x880
[ 103.353864][T10514] ___sys_sendmsg+0x100/0x170
[ 103.358533][T10514] __sys_sendmsg+0x105/0x1d0
[ 103.363119][T10514] __x64_sys_sendmsg+0x78/0xb0
[ 103.367870][T10514] do_syscall_64+0xfa/0x790
[ 103.372372][T10514] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 103.378246][T10514]
[ 103.380555][T10514] The buggy address belongs to the object at ffff88809e3cba40
[ 103.380555][T10514] which belongs to the cache kmalloc-32 of size 32
[ 103.394444][T10514] The buggy address is located 0 bytes inside of
[ 103.394444][T10514] 32-byte region [ffff88809e3cba40, ffff88809e3cba60)
[ 103.409482][T10514] The buggy address belongs to the page:
[ 103.415125][T10514] page:ffffea000278f2c0 refcount:1 mapcount:0 mapping:ffff8880aa4001c0 index:0xffff88809e3cbfc1
[ 103.425538][T10514] raw: 00fffe0000000200 ffffea00028e76c8 ffffea0002782188 ffff8880aa4001c0
[ 103.434332][T10514] raw: ffff88809e3cbfc1 ffff88809e3cb000 0000000100000034 0000000000000000
[ 103.443059][T10514] page dumped because: kasan: bad access detected
[ 103.449451][T10514]
[ 103.451772][T10514] Memory state around the buggy address:
[ 103.457389][T10514]  ffff88809e3cb900: fb fb fb fb fc fc fc fc fb fb fb fb fc fc fc fc
[ 103.465574][T10514]  ffff88809e3cb980: fb fb fb fb fc fc fc fc fb fb fb fb fc fc fc fc
[ 103.473647][T10514] >ffff88809e3cba00: 00 00 01 fc fc fc fc fc fb fb fb fb fc fc fc fc
[ 103.481706][T10514]                                            ^
[ 103.487861][T10514]  ffff88809e3cba80: fb fb fb fb fc fc fc fc fb fb fb fb fc fc fc fc
[ 103.496038][T10514]  ffff88809e3cbb00: fb fb fb fb fc fc fc fc fb fb fb fb fc fc fc fc
[ 103.504229][T10514] ==================================================================
[ 103.512275][T10514] Disabling lock debugging due to kernel taint
[ 103.519160][T10514] Kernel panic - not syncing: panic_on_warn set ...
[ 103.525758][T10514] CPU: 0 PID: 10514 Comm: syz-executor103 Tainted: G B 5.5.0-rc5-syzkaller #0
[ 103.536763][T10514] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 103.550801][T10514] Call Trace:
[ 103.554097][T10514] dump_stack+0x197/0x210
[ 103.558417][T10514] panic+0x2e3/0x75c
[ 103.562295][T10514] ? add_taint.cold+0x16/0x16
[ 103.567054][T10514] ? bitmap_port_ext_cleanup+0xe6/0x2a0
[ 103.572597][T10514] ? preempt_schedule+0x4b/0x60
[ 103.577489][T10514] ? ___preempt_schedule+0x16/0x18
[ 103.582592][T10514] ? trace_hardirqs_on+0x5e/0x240
[ 103.587720][T10514] ? bitmap_port_ext_cleanup+0xe6/0x2a0
[ 103.593259][T10514] end_report+0x47/0x4f
[ 103.597408][T10514] ? bitmap_port_ext_cleanup+0xe6/0x2a0
[ 103.603938][T10514] __kasan_report.cold+0xe/0x41
[ 103.608783][T10514] ? kfree+0x200/0x2c0
[ 103.612849][T10514] ? bitmap_port_ext_cleanup+0xe6/0x2a0
[ 103.618480][T10514] kasan_report+0x12/0x20
[ 103.622944][T10514] check_memory_region+0x134/0x1a0
[ 103.628054][T10514] __kasan_check_read+0x11/0x20
[ 103.632889][T10514] bitmap_port_ext_cleanup+0xe6/0x2a0
[ 103.639285][T10514] bitmap_port_destroy+0x17c/0x1d0
[ 103.644380][T10514] ip_set_create+0xe47/0x1500
[ 103.649835][T10514] ? ip_set_destroy+0xb70/0xb70
[ 103.654684][T10514] ? ip_set_destroy+0xb70/0xb70
[ 103.659614][T10514] nfnetlink_rcv_msg+0xcf2/0xfb0
[ 103.664539][T10514] ? nfnetlink_bind+0x2c0/0x2c0
[ 103.669370][T10514] ? avc_has_extended_perms+0x10f0/0x10f0
[ 103.675072][T10514] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 103.681464][T10514] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 103.687701][T10514] ? cred_has_capability+0x199/0x330
[ 103.692985][T10514] ? selinux_sb_eat_lsm_opts+0x700/0x700
[ 103.698608][T10514] ? selinux_sb_eat_lsm_opts+0x700/0x700
[ 103.704224][T10514] ? __check_heap_object+0x43/0xb3
[ 103.710411][T10514] ? __lock_acquire+0x8a0/0x4a00
[ 103.715337][T10514] netlink_rcv_skb+0x177/0x450
[ 103.720082][T10514] ? nfnetlink_bind+0x2c0/0x2c0
[ 103.725001][T10514] ? netlink_ack+0xb50/0xb50
[ 103.729604][T10514] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 103.735822][T10514] ? ns_capable_common+0x93/0x100
[ 103.740866][T10514] ? ns_capable+0x20/0x30
[ 103.745223][T10514] ? __netlink_ns_capable+0x104/0x140
[ 103.750581][T10514] nfnetlink_rcv+0x1ba/0x460
[ 103.756142][T10514] ? nfnetlink_rcv_batch+0x17a0/0x17a0
[ 103.761592][T10514] ? netlink_deliver_tap+0x24a/0xbe0
[ 103.766865][T10514] ? __kasan_check_write+0x14/0x20
[ 103.772085][T10514] netlink_unicast+0x58c/0x7d0
[ 103.776842][T10514] ? netlink_attachskb+0x870/0x870
[ 103.782515][T10514] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 103.788892][T10514] netlink_sendmsg+0x91c/0xea0
[ 103.794603][T10514] ? netlink_unicast+0x7d0/0x7d0
[ 103.799524][T10514] ? tomoyo_socket_sendmsg+0x26/0x30
[ 103.804966][T10514] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 103.811187][T10514] ? security_socket_sendmsg+0x8d/0xc0
[ 103.816779][T10514] ? netlink_unicast+0x7d0/0x7d0
[ 103.821710][T10514] sock_sendmsg+0xd7/0x130
[ 103.829064][T10514] ____sys_sendmsg+0x753/0x880
[ 103.833864][T10514] ? kernel_sendmsg+0x50/0x50
[ 103.838525][T10514] ? mark_held_locks+0xa4/0xf0
[ 103.843375][T10514] ? do_huge_pmd_anonymous_page+0x1463/0x1a50
[ 103.849464][T10514] ? __handle_mm_fault+0x3145/0x3cc0
[ 103.854731][T10514] ? do_huge_pmd_anonymous_page+0x1463/0x1a50
[ 103.860795][T10514] ___sys_sendmsg+0x100/0x170
[ 103.865548][T10514] ? do_huge_pmd_anonymous_page+0xceb/0x1a50
[ 103.871625][T10514] ? sendmsg_copy_msghdr+0x70/0x70
[ 103.876737][T10514] ? __do_page_fault+0x56a/0xd80
[ 103.881688][T10514] ? find_held_lock+0x35/0x130
[ 103.886583][T10514] ? __do_page_fault+0x56a/0xd80
[ 103.891515][T10514] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 103.897745][T10514] ? __fget_light+0x1a9/0x230
[ 103.902466][T10514] ? __fdget+0x1b/0x20
[ 103.906574][T10514] ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[ 103.912813][T10514] __sys_sendmsg+0x105/0x1d0
[ 103.917398][T10514] ? __sys_sendmsg_sock+0xc0/0xc0
[ 103.922636][T10514] ? rcu_read_lock_sched_held+0x9c/0xd0
[ 103.928175][T10514] ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 103.933666][T10514] ? do_syscall_64+0x26/0x790
[ 103.938511][T10514] ? entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 103.944746][T10514] ? do_syscall_64+0x26/0x790
[ 103.949425][T10514] __x64_sys_sendmsg+0x78/0xb0
[ 103.954179][T10514] do_syscall_64+0xfa/0x790
[ 103.958668][T10514] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 103.964549][T10514] RIP: 0033:0x4413d9
[ 103.968438][T10514] Code: e8 fc ab 02 00 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 9b 09 fc ff c3 66 2e 0f 1f 84 00 00 00 00
[ 103.988127][T10514] RSP: 002b:00007ffd8db1afa8 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
[ 103.996738][T10514] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00000000004413d9
[ 104.004704][T10514] RDX: 0000000000000000 RSI: 0000000020001080 RDI: 0000000000000003
[ 104.012800][T10514] RBP: 0000000000019089 R08: 00000000004002c8 R09: 00000000004002c8
[ 104.020871][T10514] R10: 0000000000000004 R11: 0000000000000246 R12: 0000000000402200
[ 104.029207][T10514] R13: 0000000000402290 R14: 0000000000000000 R15: 0000000000000000
[ 104.040348][T10514] Kernel Offset: disabled
[ 104.044686][T10514] Rebooting in 86400 seconds..