[ 68.242592][ T26] audit: type=1400 audit(1573128093.583:38): avc: denied { watch } for pid=9392 comm="restorecond" path="/etc/selinux/restorecond.conf" dev="sda1" ino=2232 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
[ ok ] Starting file context maintaining daemon: restorecond.
[ ok ] Starting OpenBSD Secure Shell server: sshd.
[ 68.531361][ T26] audit: type=1800 audit(1573128093.883:39): pid=9304 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:kernel_t:s0 op=collect_data cause=failed(directio) comm="startpar" name="rc.local" dev="sda1" ino=2432 res=0
[ 68.553206][ T26] audit: type=1800 audit(1573128093.883:40): pid=9304 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:kernel_t:s0 op=collect_data cause=failed(directio) comm="startpar" name="rmnologin" dev="sda1" ino=2423 res=0

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [ 73.785395][ T26] audit: type=1400 audit(1573128099.133:41): avc: denied { map } for pid=9481 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
[ 995.853088][ T26] audit: type=1400 audit(1573129021.203:42): avc: denied { map } for pid=9489 comm="sh" path="/bin/dash" dev="sda1" ino=1473 scontext=system_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
Warning: Permanently added '10.128.0.73' (ECDSA) to the list of known hosts.
[ 1010.983264][ T26] audit: type=1400 audit(1573129036.333:43): avc: denied { map } for pid=9496 comm="syz-execprog" path="/root/syz-execprog" dev="sda1" ino=16481 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
2019/11/07 12:17:16 parsed 1 programs
[ 1011.068735][ T26] audit: type=1400 audit(1573129036.413:44): avc: denied { map } for pid=9496 comm="syz-execprog" path="/sys/kernel/debug/kcov" dev="debugfs" ino=16621 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:debugfs_t:s0 tclass=file permissive=1
2019/11/07 12:17:18 executed programs: 0
[ 1013.504954][ T9511] IPVS: ftp: loaded support on port[0] = 21
[ 1013.571250][ T9511] chnl_net:caif_netlink_parms(): no params data found
[ 1013.599194][ T9511] bridge0: port 1(bridge_slave_0) entered blocking state
[ 1013.607213][ T9511] bridge0: port 1(bridge_slave_0) entered disabled state
[ 1013.615097][ T9511] device bridge_slave_0 entered promiscuous mode
[ 1013.623239][ T9511] bridge0: port 2(bridge_slave_1) entered blocking state
[ 1013.630438][ T9511] bridge0: port 2(bridge_slave_1) entered disabled state
[ 1013.638098][ T9511] device bridge_slave_1 entered promiscuous mode
[ 1013.656218][ T9511] bond0: (slave bond_slave_0): Enslaving as an active interface with an up link
[ 1013.666762][ T9511] bond0: (slave bond_slave_1): Enslaving as an active interface with an up link
[ 1013.686413][ T9511] team0: Port device team_slave_0 added
[ 1013.693628][ T9511] team0: Port device team_slave_1 added
[ 1013.772551][ T9511] device hsr_slave_0 entered promiscuous mode
[ 1013.840994][ T9511] device hsr_slave_1 entered promiscuous mode
[ 1013.941667][ T9511] bridge0: port 2(bridge_slave_1) entered blocking state
[ 1013.949068][ T9511] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 1013.957057][ T9511] bridge0: port 1(bridge_slave_0) entered blocking state
[ 1013.964189][ T9511] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 1014.170841][ T9511] 8021q: adding VLAN 0 to HW filter on device bond0
[ 1014.212697][ T9521] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 1014.242969][ T9521] bridge0: port 1(bridge_slave_0) entered disabled state
[ 1014.261399][ T9521] bridge0: port 2(bridge_slave_1) entered disabled state
[ 1014.291351][ T9521] IPv6: ADDRCONF(NETDEV_CHANGE): bond0: link becomes ready
[ 1014.326677][ T9511] 8021q: adding VLAN 0 to HW filter on device team0
[ 1014.371701][ T2839] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[ 1014.391282][ T2839] bridge0: port 1(bridge_slave_0) entered blocking state
[ 1014.398385][ T2839] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 1014.461408][ T2839] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[ 1014.469903][ T2839] bridge0: port 2(bridge_slave_1) entered blocking state
[ 1014.477043][ T2839] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 1014.531492][ T9541] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready
[ 1014.541183][ T9541] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready
[ 1014.549760][ T9541] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
[ 1014.605903][ T9511] hsr0: Slave B (hsr_slave_1) is not up; please bring it up to get a fully working HSR network
[ 1014.646133][ T9511] IPv6: ADDRCONF(NETDEV_CHANGE): hsr0: link becomes ready
[ 1014.668358][ T9541] IPv6: ADDRCONF(NETDEV_CHANGE): team0: link becomes ready
[ 1014.691249][ T9541] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
[ 1014.732324][ T9521] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan1: link becomes ready
[ 1014.739792][ T9521] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan0: link becomes ready
[ 1014.758901][ T9511] 8021q: adding VLAN 0 to HW filter on device batadv0
[ 1014.806289][ T26] audit: type=1400 audit(1573129040.153:45): avc: denied { associate } for pid=9511 comm="syz-executor.0" name="syz0" scontext=unconfined_u:object_r:unlabeled_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=filesystem permissive=1
[ 1015.231142][ T9514] Bluetooth: Error in BCSP hdr checksum
[ 1015.490624][ T186] Bluetooth: Error in BCSP hdr checksum
[ 1017.051089][ T9521] Bluetooth: hci0: command 0x1003 tx timeout
[ 1017.057667][ T9559] Bluetooth: hci0: sending frame failed (-49)
[ 1019.130500][ T9541] Bluetooth: hci0: command 0x1001 tx timeout
[ 1019.136614][ T9559] Bluetooth: hci0: sending frame failed (-49)
[ 1021.210417][ T9521] Bluetooth: hci0: command 0x1009 tx timeout
[ 1025.454664][ T9555] ==================================================================
[ 1025.463661][ T9555] BUG: KASAN: use-after-free in kfree_skb+0x38/0x3c0
[ 1025.470323][ T9555] Read of size 4 at addr ffff888094f5a614 by task syz-executor.0/9555
[ 1025.478975][ T9555]
[ 1025.481295][ T9555] CPU: 0 PID: 9555 Comm: syz-executor.0 Not tainted 5.4.0-rc6+ #0
[ 1025.489080][ T9555] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 1025.499125][ T9555] Call Trace:
[ 1025.502471][ T9555]  dump_stack+0x197/0x210
[ 1025.506781][ T9555]  ? kfree_skb+0x38/0x3c0
[ 1025.511097][ T9555]  print_address_description.constprop.0.cold+0xd4/0x30b
[ 1025.518097][ T9555]  ? kfree_skb+0x38/0x3c0
[ 1025.522408][ T9555]  ? kfree_skb+0x38/0x3c0
[ 1025.526738][ T9555]  __kasan_report.cold+0x1b/0x41
[ 1025.531653][ T9555]  ? kfree_skb+0x38/0x3c0
[ 1025.535960][ T9555]  kasan_report+0x12/0x20
[ 1025.540270][ T9555]  check_memory_region+0x134/0x1a0
[ 1025.545369][ T9555]  __kasan_check_read+0x11/0x20
[ 1025.550198][ T9555]  kfree_skb+0x38/0x3c0
[ 1025.554393][ T9555]  bcsp_close+0xc7/0x130
[ 1025.558625][ T9555]  hci_uart_tty_close+0x21e/0x280
[ 1025.563704][ T9555]  ? hci_uart_close+0x50/0x50
[ 1025.568415][ T9555]  tty_ldisc_close.isra.0+0x119/0x1a0
[ 1025.573775][ T9555]  tty_ldisc_kill+0x9c/0x160
[ 1025.578345][ T9555]  tty_ldisc_release+0xe9/0x2b0
[ 1025.583185][ T9555]  tty_release_struct+0x1b/0x50
[ 1025.588016][ T9555]  tty_release+0xbcb/0xe90
[ 1025.592429][ T9555]  __fput+0x2ff/0x890
[ 1025.596417][ T9555]  ? put_tty_driver+0x20/0x20
[ 1025.601095][ T9555]  ____fput+0x16/0x20
[ 1025.605071][ T9555]  task_work_run+0x145/0x1c0
[ 1025.609650][ T9555]  exit_to_usermode_loop+0x316/0x380
[ 1025.614917][ T9555]  do_syscall_64+0x65f/0x760
[ 1025.619563][ T9555]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 1025.625523][ T9555] RIP: 0033:0x413db1
[ 1025.629397][ T9555] Code: 75 14 b8 03 00 00 00 0f 05 48 3d 01 f0 ff ff 0f 83 04 1b 00 00 c3 48 83 ec 08 e8 0a fc ff ff 48 89 04 24 b8 03 00 00 00 0f 05 <48> 8b 3c 24 48 89 c2 e8 53 fc ff ff 48 89 d0 48 83 c4 08 48 3d 01
[ 1025.648984][ T9555] RSP: 002b:00007fffa8e36d20 EFLAGS: 00000293 ORIG_RAX: 0000000000000003
[ 1025.657405][ T9555] RAX: 0000000000000000 RBX: 0000000000000006 RCX: 0000000000413db1
[ 1025.665366][ T9555] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000005
[ 1025.673324][ T9555] RBP: 0000000000000001 R08: ffffffffffffffff R09: ffffffffffffffff
[ 1025.681411][ T9555] R10: 00007fffa8e36e00 R11: 0000000000000293 R12: 000000000075c9a0
[ 1025.689377][ T9555] R13: 000000000075c9a0 R14: 00000000007603f0 R15: 000000000075bfd4
[ 1025.697342][ T9555]
[ 1025.699687][ T9555] Allocated by task 186:
[ 1025.703910][ T9555]  save_stack+0x23/0x90
[ 1025.708048][ T9555]  __kasan_kmalloc.constprop.0+0xcf/0xe0
[ 1025.713663][ T9555]  kasan_slab_alloc+0xf/0x20
[ 1025.718226][ T9555]  kmem_cache_alloc_node+0x138/0x740
[ 1025.723491][ T9555]  __alloc_skb+0xd5/0x5e0
[ 1025.727798][ T9555]  bcsp_recv+0x8c1/0x13a0
[ 1025.732106][ T9555]  hci_uart_tty_receive+0x279/0x6e0
[ 1025.737291][ T9555]  tty_ldisc_receive_buf+0x15f/0x1c0
[ 1025.742561][ T9555]  tty_port_default_receive_buf+0x7d/0xb0
[ 1025.748256][ T9555]  flush_to_ldisc+0x222/0x390
[ 1025.752911][ T9555]  process_one_work+0x9af/0x1740
[ 1025.757831][ T9555]  worker_thread+0x98/0xe40
[ 1025.762330][ T9555]  kthread+0x361/0x430
[ 1025.766398][ T9555]  ret_from_fork+0x24/0x30
[ 1025.770786][ T9555]
[ 1025.773096][ T9555] Freed by task 186:
[ 1025.776968][ T9555]  save_stack+0x23/0x90
[ 1025.781111][ T9555]  __kasan_slab_free+0x102/0x150
[ 1025.786081][ T9555]  kasan_slab_free+0xe/0x10
[ 1025.790569][ T9555]  kmem_cache_free+0x86/0x320
[ 1025.795312][ T9555]  kfree_skbmem+0xc5/0x150
[ 1025.799702][ T9555]  kfree_skb+0x109/0x3c0
[ 1025.803922][ T9555]  bcsp_recv+0x2d8/0x13a0
[ 1025.808224][ T9555]  hci_uart_tty_receive+0x279/0x6e0
[ 1025.813396][ T9555]  tty_ldisc_receive_buf+0x15f/0x1c0
[ 1025.818658][ T9555]  tty_port_default_receive_buf+0x7d/0xb0
[ 1025.824353][ T9555]  flush_to_ldisc+0x222/0x390
[ 1025.829008][ T9555]  process_one_work+0x9af/0x1740
[ 1025.833923][ T9555]  worker_thread+0x98/0xe40
[ 1025.838401][ T9555]  kthread+0x361/0x430
[ 1025.842453][ T9555]  ret_from_fork+0x24/0x30
[ 1025.846841][ T9555]
[ 1025.849147][ T9555] The buggy address belongs to the object at ffff888094f5a540
[ 1025.849147][ T9555]  which belongs to the cache skbuff_head_cache of size 224
[ 1025.863697][ T9555] The buggy address is located 212 bytes inside of
[ 1025.863697][ T9555]  224-byte region [ffff888094f5a540, ffff888094f5a620)
[ 1025.876953][ T9555] The buggy address belongs to the page:
[ 1025.882570][ T9555] page:ffffea000253d680 refcount:1 mapcount:0 mapping:ffff8880a99e8a80 index:0x0
[ 1025.891662][ T9555] flags: 0x1fffc0000000200(slab)
[ 1025.896578][ T9555] raw: 01fffc0000000200 ffffea0002233e48 ffffea0002a0f748 ffff8880a99e8a80
[ 1025.905139][ T9555] raw: 0000000000000000 ffff888094f5a040 000000010000000c 0000000000000000
[ 1025.913696][ T9555] page dumped because: kasan: bad access detected
[ 1025.920078][ T9555]
[ 1025.922404][ T9555] Memory state around the buggy address:
[ 1025.928012][ T9555]  ffff888094f5a500: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
[ 1025.936053][ T9555]  ffff888094f5a580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 1025.944092][ T9555] >ffff888094f5a600: fb fb fb fb fc fc fc fc fc fc fc fc fc fc fc fc
[ 1025.952126][ T9555]                          ^
[ 1025.956691][ T9555]  ffff888094f5a680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 1025.964737][ T9555]  ffff888094f5a700: fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
[ 1025.972772][ T9555] ==================================================================
[ 1025.980813][ T9555] Disabling lock debugging due to kernel taint
[ 1025.987202][ T9555] Kernel panic - not syncing: panic_on_warn set ...
[ 1025.993810][ T9555] CPU: 0 PID: 9555 Comm: syz-executor.0 Tainted: G B 5.4.0-rc6+ #0
[ 1026.002978][ T9555] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 1026.013011][ T9555] Call Trace:
[ 1026.016291][ T9555]  dump_stack+0x197/0x210
[ 1026.020609][ T9555]  panic+0x2e3/0x75c
[ 1026.024513][ T9555]  ? add_taint.cold+0x16/0x16
[ 1026.029176][ T9555]  ? kfree_skb+0x38/0x3c0
[ 1026.033506][ T9555]  ? preempt_schedule+0x4b/0x60
[ 1026.038335][ T9555]  ? ___preempt_schedule+0x16/0x20
[ 1026.043423][ T9555]  ? trace_hardirqs_on+0x5e/0x240
[ 1026.048426][ T9555]  ? kfree_skb+0x38/0x3c0
[ 1026.052731][ T9555]  end_report+0x47/0x4f
[ 1026.056863][ T9555]  ? kfree_skb+0x38/0x3c0
[ 1026.061257][ T9555]  __kasan_report.cold+0xe/0x41
[ 1026.066096][ T9555]  ? kfree_skb+0x38/0x3c0
[ 1026.070411][ T9555]  kasan_report+0x12/0x20
[ 1026.074724][ T9555]  check_memory_region+0x134/0x1a0
[ 1026.079816][ T9555]  __kasan_check_read+0x11/0x20
[ 1026.084642][ T9555]  kfree_skb+0x38/0x3c0
[ 1026.088775][ T9555]  bcsp_close+0xc7/0x130
[ 1026.092992][ T9555]  hci_uart_tty_close+0x21e/0x280
[ 1026.097998][ T9555]  ? hci_uart_close+0x50/0x50
[ 1026.104836][ T9555]  tty_ldisc_close.isra.0+0x119/0x1a0
[ 1026.110198][ T9555]  tty_ldisc_kill+0x9c/0x160
[ 1026.114762][ T9555]  tty_ldisc_release+0xe9/0x2b0
[ 1026.119596][ T9555]  tty_release_struct+0x1b/0x50
[ 1026.124432][ T9555]  tty_release+0xbcb/0xe90
[ 1026.128826][ T9555]  __fput+0x2ff/0x890
[ 1026.132785][ T9555]  ? put_tty_driver+0x20/0x20
[ 1026.137436][ T9555]  ____fput+0x16/0x20
[ 1026.141403][ T9555]  task_work_run+0x145/0x1c0
[ 1026.145980][ T9555]  exit_to_usermode_loop+0x316/0x380
[ 1026.151242][ T9555]  do_syscall_64+0x65f/0x760
[ 1026.155809][ T9555]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 1026.161677][ T9555] RIP: 0033:0x413db1
[ 1026.165556][ T9555] Code: 75 14 b8 03 00 00 00 0f 05 48 3d 01 f0 ff ff 0f 83 04 1b 00 00 c3 48 83 ec 08 e8 0a fc ff ff 48 89 04 24 b8 03 00 00 00 0f 05 <48> 8b 3c 24 48 89 c2 e8 53 fc ff ff 48 89 d0 48 83 c4 08 48 3d 01
[ 1026.185134][ T9555] RSP: 002b:00007fffa8e36d20 EFLAGS: 00000293 ORIG_RAX: 0000000000000003
[ 1026.193527][ T9555] RAX: 0000000000000000 RBX: 0000000000000006 RCX: 0000000000413db1
[ 1026.201535][ T9555] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000005
[ 1026.209499][ T9555] RBP: 0000000000000001 R08: ffffffffffffffff R09: ffffffffffffffff
[ 1026.217451][ T9555] R10: 00007fffa8e36e00 R11: 0000000000000293 R12: 000000000075c9a0
[ 1026.225435][ T9555] R13: 000000000075c9a0 R14: 00000000007603f0 R15: 000000000075bfd4
[ 1026.235206][ T9555] Kernel Offset: disabled
[ 1026.239536][ T9555] Rebooting in 86400 seconds..