[ 70.653811][ T26] audit: type=1400 audit(1571311952.288:37): avc: denied { watch } for pid=9701 comm="restorecond" path="/root/.ssh" dev="sda1" ino=16179 scontext=system_u:system_r:kernel_t:s0 tcontext=unconfined_u:object_r:ssh_home_t:s0 tclass=dir permissive=1
[ 70.693025][ T26] audit: type=1400 audit(1571311952.298:38): avc: denied { watch } for pid=9701 comm="restorecond" path="/etc/selinux/restorecond.conf" dev="sda1" ino=2232 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
[ ok ] Starting OpenBSD Secure Shell server: sshd.
[ 70.924204][ T26] audit: type=1800 audit(1571311952.558:39): pid=9609 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:kernel_t:s0 op=collect_data cause=failed(directio) comm="startpar" name="rc.local" dev="sda1" ino=2432 res=0
[ 70.947028][ T26] audit: type=1800 audit(1571311952.558:40): pid=9609 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:kernel_t:s0 op=collect_data cause=failed(directio) comm="startpar" name="rmnologin" dev="sda1" ino=2423 res=0
[ ok ] Starting file context maintaining daemon: restorecond.

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login:
[ 75.165984][ T26] audit: type=1400 audit(1571311956.798:41): avc: denied { map } for pid=9784 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
Warning: Permanently added '10.128.0.21' (ECDSA) to the list of known hosts.
executing program
[ 81.628775][ T26] audit: type=1400 audit(1571311963.258:42): avc: denied { map } for pid=9796 comm="syz-executor797" path="/root/syz-executor797304479" dev="sda1" ino=16482 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
[ 81.663060][ T9797] nf_conntrack: default automatic helper assignment has been turned off for security reasons and CT-based firewall rule not found. Use the iptables CT target to attach helpers instead.
[ 81.950869][ T7] Bluetooth: Error in BCSP hdr checksum
[ 82.209871][ T7] Bluetooth: Error in BCSP hdr checksum
[ 82.469842][ T7] Bluetooth: Error in BCSP hdr checksum
[ 82.729854][ T7] Bluetooth: Error in BCSP hdr checksum
[ 82.989900][ T7] Bluetooth: Error in BCSP hdr checksum
[ 83.249921][ T358] Bluetooth: Error in BCSP hdr checksum
[ 83.510348][ T358] Bluetooth: Error in BCSP hdr checksum
[ 83.700194][ T17] Bluetooth: hci0: command 0x1003 tx timeout
[ 83.707070][ T358] Bluetooth: Error in BCSP hdr checksum
[ 83.959938][ T7] Bluetooth: Error in BCSP hdr checksum
[ 83.965744][ T358] Bluetooth: Error in BCSP hdr checksum
[ 84.219910][ T7] Bluetooth: Error in BCSP hdr checksum
[ 84.479913][ T129] Bluetooth: Error in BCSP hdr checksum
[ 84.739930][ T129] Bluetooth: Error in BCSP hdr checksum
[ 84.999903][ T129] Bluetooth: Error in BCSP hdr checksum
[ 85.259936][ T129] Bluetooth: Error in BCSP hdr checksum
[ 85.519948][ T129] Bluetooth: Error in BCSP hdr checksum
[ 85.780167][ T12] Bluetooth: hci0: command 0x1001 tx timeout
[ 85.786558][ T7] Bluetooth: Error in BCSP hdr checksum
[ 85.793148][ T7] Bluetooth: Error in BCSP hdr checksum
[ 85.798855][ T7] Bluetooth: Error in BCSP hdr checksum
[ 86.050021][ T129] Bluetooth: Error in BCSP hdr checksum
[ 86.055689][ T129] Bluetooth: Error in BCSP hdr checksum
[ 86.310034][ T7] Bluetooth: Error in BCSP hdr checksum
[ 86.315738][ T7] Bluetooth: Error in BCSP hdr checksum
[ 86.569989][ T129] Bluetooth: Error in BCSP hdr checksum
[ 86.575701][ T129] Bluetooth: Error in BCSP hdr checksum
[ 87.859717][ T17] Bluetooth: hci0: command 0x1009 tx timeout
[ 91.704216][ T9797] ==================================================================
[ 91.712482][ T9797] BUG: KASAN: use-after-free in kfree_skb+0x38/0x3c0
[ 91.719279][ T9797] Read of size 4 at addr ffff88809a894cd4 by task syz-executor797/9797
[ 91.727504][ T9797]
[ 91.729831][ T9797] CPU: 0 PID: 9797 Comm: syz-executor797 Not tainted 5.4.0-rc3+ #0
[ 91.737852][ T9797] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 91.747902][ T9797] Call Trace:
[ 91.751195][ T9797]  dump_stack+0x172/0x1f0
[ 91.755769][ T9797]  ? kfree_skb+0x38/0x3c0
[ 91.760096][ T9797]  print_address_description.constprop.0.cold+0xd4/0x30b
[ 91.767094][ T9797]  ? kfree_skb+0x38/0x3c0
[ 91.771420][ T9797]  ? kfree_skb+0x38/0x3c0
[ 91.775729][ T9797]  __kasan_report.cold+0x1b/0x41
[ 91.780645][ T9797]  ? kfree_skb+0x38/0x3c0
[ 91.784954][ T9797]  kasan_report+0x12/0x20
[ 91.789262][ T9797]  check_memory_region+0x134/0x1a0
[ 91.794353][ T9797]  __kasan_check_read+0x11/0x20
[ 91.799195][ T9797]  kfree_skb+0x38/0x3c0
[ 91.803333][ T9797]  bcsp_close+0xc7/0x130
[ 91.807554][ T9797]  hci_uart_tty_close+0x21e/0x280
[ 91.812556][ T9797]  ? hci_uart_close+0x50/0x50
[ 91.817219][ T9797]  tty_ldisc_close.isra.0+0x119/0x1a0
[ 91.822591][ T9797]  tty_ldisc_kill+0x9c/0x160
[ 91.827159][ T9797]  tty_ldisc_release+0xe9/0x2b0
[ 91.831998][ T9797]  tty_release_struct+0x1b/0x50
[ 91.836826][ T9797]  tty_release+0xbcb/0xe90
[ 91.841228][ T9797]  __fput+0x2ff/0x890
[ 91.845193][ T9797]  ? put_tty_driver+0x20/0x20
[ 91.849853][ T9797]  ____fput+0x16/0x20
[ 91.853819][ T9797]  task_work_run+0x145/0x1c0
[ 91.858412][ T9797]  do_exit+0x904/0x2e60
[ 91.862564][ T9797]  ? mm_update_next_owner+0x640/0x640
[ 91.867923][ T9797]  ? lock_downgrade+0x920/0x920
[ 91.872756][ T9797]  ? _raw_spin_unlock_irq+0x28/0x90
[ 91.877932][ T9797]  ? get_signal+0x392/0x2500
[ 91.882498][ T9797]  ? _raw_spin_unlock_irq+0x28/0x90
[ 91.887679][ T9797]  do_group_exit+0x135/0x360
[ 91.892259][ T9797]  get_signal+0x47c/0x2500
[ 91.896694][ T9797]  do_signal+0x87/0x1700
[ 91.900979][ T9797]  ? setup_sigcontext+0x7d0/0x7d0
[ 91.905997][ T9797]  ? lock_downgrade+0x920/0x920
[ 91.910840][ T9797]  ? rcu_read_lock_any_held+0xcd/0xf0
[ 91.916207][ T9797]  ? exit_to_usermode_loop+0x43/0x380
[ 91.921560][ T9797]  ? do_syscall_64+0x65f/0x760
[ 91.926303][ T9797]  ? exit_to_usermode_loop+0x43/0x380
[ 91.931653][ T9797]  ? lockdep_hardirqs_on+0x421/0x5e0
[ 91.936928][ T9797]  ? trace_hardirqs_on+0x67/0x240
[ 91.941935][ T9797]  exit_to_usermode_loop+0x286/0x380
[ 91.947214][ T9797]  do_syscall_64+0x65f/0x760
[ 91.951804][ T9797]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 91.957673][ T9797] RIP: 0033:0x441309
[ 91.961557][ T9797] Code: Bad RIP value.
[ 91.965607][ T9797] RSP: 002b:00007ffca966acd8 EFLAGS: 00000246 ORIG_RAX: 0000000000000028
[ 91.973994][ T9797] RAX: 0000000000278000 RBX: 0000000000000000 RCX: 0000000000441309
[ 91.981941][ T9797] RDX: 0000000000000000 RSI: 0000000000000005 RDI: 0000000000000004
[ 91.989892][ T9797] RBP: 00000000006cb018 R08: 00000000004002c8 R09: 00000000004002c8
[ 91.997859][ T9797] R10: 00008000fffffffe R11: 0000000000000246 R12: 0000000000402130
[ 92.005822][ T9797] R13: 00000000004021c0 R14: 0000000000000000 R15: 0000000000000000
[ 92.013794][ T9797]
[ 92.016107][ T9797] Allocated by task 129:
[ 92.020337][ T9797]  save_stack+0x23/0x90
[ 92.024509][ T9797]  __kasan_kmalloc.constprop.0+0xcf/0xe0
[ 92.030124][ T9797]  kasan_slab_alloc+0xf/0x20
[ 92.034700][ T9797]  kmem_cache_alloc_node+0x138/0x740
[ 92.039962][ T9797]  __alloc_skb+0xd5/0x5e0
[ 92.044265][ T9797]  bcsp_recv+0x8c1/0x13a0
[ 92.048571][ T9797]  hci_uart_tty_receive+0x279/0x6e0
[ 92.053747][ T9797]  tty_ldisc_receive_buf+0x15f/0x1c0
[ 92.059005][ T9797]  tty_port_default_receive_buf+0x7d/0xb0
[ 92.064696][ T9797]  flush_to_ldisc+0x222/0x390
[ 92.069496][ T9797]  process_one_work+0x9af/0x1740
[ 92.074419][ T9797]  worker_thread+0x98/0xe40
[ 92.079017][ T9797]  kthread+0x361/0x430
[ 92.083068][ T9797]  ret_from_fork+0x24/0x30
[ 92.087458][ T9797]
[ 92.089766][ T9797] Freed by task 129:
[ 92.093748][ T9797]  save_stack+0x23/0x90
[ 92.097926][ T9797]  __kasan_slab_free+0x102/0x150
[ 92.102840][ T9797]  kasan_slab_free+0xe/0x10
[ 92.107323][ T9797]  kmem_cache_free+0x86/0x320
[ 92.112001][ T9797]  kfree_skbmem+0xc5/0x150
[ 92.116445][ T9797]  kfree_skb+0x109/0x3c0
[ 92.120667][ T9797]  bcsp_recv+0x2d8/0x13a0
[ 92.124993][ T9797]  hci_uart_tty_receive+0x279/0x6e0
[ 92.130169][ T9797]  tty_ldisc_receive_buf+0x15f/0x1c0
[ 92.135431][ T9797]  tty_port_default_receive_buf+0x7d/0xb0
[ 92.141124][ T9797]  flush_to_ldisc+0x222/0x390
[ 92.145776][ T9797]  process_one_work+0x9af/0x1740
[ 92.150697][ T9797]  worker_thread+0x98/0xe40
[ 92.155176][ T9797]  kthread+0x361/0x430
[ 92.159219][ T9797]  ret_from_fork+0x24/0x30
[ 92.163635][ T9797]
[ 92.165943][ T9797] The buggy address belongs to the object at ffff88809a894c00
[ 92.165943][ T9797]  which belongs to the cache skbuff_head_cache of size 224
[ 92.180498][ T9797] The buggy address is located 212 bytes inside of
[ 92.180498][ T9797]  224-byte region [ffff88809a894c00, ffff88809a894ce0)
[ 92.193739][ T9797] The buggy address belongs to the page:
[ 92.199345][ T9797] page:ffffea00026a2500 refcount:1 mapcount:0 mapping:ffff8880a99e8a80 index:0x0
[ 92.208424][ T9797] flags: 0x1fffc0000000200(slab)
[ 92.213351][ T9797] raw: 01fffc0000000200 ffffea0002722048 ffffea00028201c8 ffff8880a99e8a80
[ 92.221925][ T9797] raw: 0000000000000000 ffff88809a8940c0 000000010000000c 0000000000000000
[ 92.230490][ T9797] page dumped because: kasan: bad access detected
[ 92.236880][ T9797]
[ 92.239180][ T9797] Memory state around the buggy address:
[ 92.244785][ T9797]  ffff88809a894b80: fb fb fb fb fc fc fc fc fc fc fc fc fc fc fc fc
[ 92.252822][ T9797]  ffff88809a894c00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 92.260856][ T9797] >ffff88809a894c80: fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
[ 92.268887][ T9797]                                                  ^
[ 92.275537][ T9797]  ffff88809a894d00: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
[ 92.283572][ T9797]  ffff88809a894d80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 92.291866][ T9797] ==================================================================
[ 92.299904][ T9797] Disabling lock debugging due to kernel taint
[ 92.306441][ T9797] Kernel panic - not syncing: panic_on_warn set ...
[ 92.313033][ T9797] CPU: 0 PID: 9797 Comm: syz-executor797 Tainted: G    B             5.4.0-rc3+ #0
[ 92.322283][ T9797] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 92.332320][ T9797] Call Trace:
[ 92.335593][ T9797]  dump_stack+0x172/0x1f0
[ 92.339899][ T9797]  panic+0x2e3/0x75c
[ 92.343766][ T9797]  ? add_taint.cold+0x16/0x16
[ 92.348427][ T9797]  ? kfree_skb+0x38/0x3c0
[ 92.352741][ T9797]  ? preempt_schedule+0x4b/0x60
[ 92.357566][ T9797]  ? ___preempt_schedule+0x16/0x20
[ 92.362658][ T9797]  ? trace_hardirqs_on+0x5e/0x240
[ 92.367658][ T9797]  ? kfree_skb+0x38/0x3c0
[ 92.371966][ T9797]  end_report+0x47/0x4f
[ 92.376096][ T9797]  ? kfree_skb+0x38/0x3c0
[ 92.380399][ T9797]  __kasan_report.cold+0xe/0x41
[ 92.385236][ T9797]  ? kfree_skb+0x38/0x3c0
[ 92.389541][ T9797]  kasan_report+0x12/0x20
[ 92.393848][ T9797]  check_memory_region+0x134/0x1a0
[ 92.398932][ T9797]  __kasan_check_read+0x11/0x20
[ 92.403761][ T9797]  kfree_skb+0x38/0x3c0
[ 92.407892][ T9797]  bcsp_close+0xc7/0x130
[ 92.412110][ T9797]  hci_uart_tty_close+0x21e/0x280
[ 92.417107][ T9797]  ? hci_uart_close+0x50/0x50
[ 92.421760][ T9797]  tty_ldisc_close.isra.0+0x119/0x1a0
[ 92.427104][ T9797]  tty_ldisc_kill+0x9c/0x160
[ 92.431667][ T9797]  tty_ldisc_release+0xe9/0x2b0
[ 92.436494][ T9797]  tty_release_struct+0x1b/0x50
[ 92.441339][ T9797]  tty_release+0xbcb/0xe90
[ 92.445739][ T9797]  __fput+0x2ff/0x890
[ 92.449706][ T9797]  ? put_tty_driver+0x20/0x20
[ 92.454363][ T9797]  ____fput+0x16/0x20
[ 92.458320][ T9797]  task_work_run+0x145/0x1c0
[ 92.462892][ T9797]  do_exit+0x904/0x2e60
[ 92.467027][ T9797]  ? mm_update_next_owner+0x640/0x640
[ 92.472382][ T9797]  ? lock_downgrade+0x920/0x920
[ 92.477208][ T9797]  ? _raw_spin_unlock_irq+0x28/0x90
[ 92.482384][ T9797]  ? get_signal+0x392/0x2500
[ 92.486962][ T9797]  ? _raw_spin_unlock_irq+0x28/0x90
[ 92.492139][ T9797]  do_group_exit+0x135/0x360
[ 92.496718][ T9797]  get_signal+0x47c/0x2500
[ 92.501117][ T9797]  do_signal+0x87/0x1700
[ 92.505336][ T9797]  ? setup_sigcontext+0x7d0/0x7d0
[ 92.510335][ T9797]  ? lock_downgrade+0x920/0x920
[ 92.515167][ T9797]  ? rcu_read_lock_any_held+0xcd/0xf0
[ 92.520515][ T9797]  ? exit_to_usermode_loop+0x43/0x380
[ 92.525858][ T9797]  ? do_syscall_64+0x65f/0x760
[ 92.530596][ T9797]  ? exit_to_usermode_loop+0x43/0x380
[ 92.535943][ T9797]  ? lockdep_hardirqs_on+0x421/0x5e0
[ 92.541229][ T9797]  ? trace_hardirqs_on+0x67/0x240
[ 92.546361][ T9797]  exit_to_usermode_loop+0x286/0x380
[ 92.551639][ T9797]  do_syscall_64+0x65f/0x760
[ 92.556207][ T9797]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 92.562076][ T9797] RIP: 0033:0x441309
[ 92.565955][ T9797] Code: Bad RIP value.
[ 92.569999][ T9797] RSP: 002b:00007ffca966acd8 EFLAGS: 00000246 ORIG_RAX: 0000000000000028
[ 92.578388][ T9797] RAX: 0000000000278000 RBX: 0000000000000000 RCX: 0000000000441309
[ 92.586344][ T9797] RDX: 0000000000000000 RSI: 0000000000000005 RDI: 0000000000000004
[ 92.594297][ T9797] RBP: 00000000006cb018 R08: 00000000004002c8 R09: 00000000004002c8
[ 92.602248][ T9797] R10: 00008000fffffffe R11: 0000000000000246 R12: 0000000000402130
[ 92.610208][ T9797] R13: 00000000004021c0 R14: 0000000000000000 R15: 0000000000000000
[ 92.619742][ T9797] Kernel Offset: disabled
[ 92.624076][ T9797] Rebooting in 86400 seconds..