[ 61.020758][ T24] audit: type=1800 audit(1563680760.236:30): pid=9042 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:kernel_t:s0 op=collect_data cause=failed(directio) comm="startpar" name="mcstrans" dev="sda1" ino=2457 res=0
Starting mcstransd:
[....] Starting periodic command scheduler: cron [ ok ].
[....] Starting file context maintaining daemon: restorecond [ ok ].
[....] Starting OpenBSD Secure Shell server: sshd [ ok ].

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [ 65.422244][ T24] kauditd_printk_skb: 4 callbacks suppressed
[ 65.422257][ T24] audit: type=1400 audit(1563680764.646:35): avc: denied { map } for pid=9221 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
Warning: Permanently added '10.128.1.50' (ECDSA) to the list of known hosts.
[ 71.737309][ T24] audit: type=1400 audit(1563680770.966:36): avc: denied { map } for pid=9233 comm="syz-executor712" path="/root/syz-executor712732785" dev="sda1" ino=16483 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
[ 71.740802][ T9233] ==================================================================
executing program
[ 71.766334][ T24] audit: type=1400 audit(1563680770.966:37): avc: denied { prog_load } for pid=9233 comm="syz-executor712" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=bpf permissive=1
[ 71.776490][ T9233] BUG: KASAN: slab-out-of-bounds in do_jit.isra.0+0x4c35/0x5630
[ 71.776500][ T9233] Read of size 4 at addr ffff8880a78dda3c by task syz-executor712/9233
[ 71.776503][ T9233]
[ 71.776517][ T9233] CPU: 1 PID: 9233 Comm: syz-executor712 Not tainted 5.2.0+ #64
[ 71.776530][ T9233] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 71.842876][ T9233] Call Trace:
[ 71.846148][ T9233] dump_stack+0x16f/0x1f0
[ 71.851032][ T9233] ? do_jit.isra.0+0x4c35/0x5630
[ 71.857603][ T9233] print_address_description.cold+0xd4/0x306
[ 71.871919][ T9233] ? do_jit.isra.0+0x4c35/0x5630
[ 71.882113][ T9233] ? do_jit.isra.0+0x4c35/0x5630
[ 71.889697][ T9233] __kasan_report.cold+0x1b/0x36
[ 71.894613][ T9233] ? bpf_prog_get_ok+0x110/0x140
[ 71.900227][ T9233] ? do_jit.isra.0+0x4c35/0x5630
[ 71.905581][ T9233] kasan_report+0x12/0x17
[ 71.910233][ T9233] __asan_report_load4_noabort+0x14/0x20
[ 71.916451][ T9233] do_jit.isra.0+0x4c35/0x5630
[ 71.922430][ T9233] ? jit_fill_hole+0x30/0x30
[ 71.928401][ T9233] ? rcu_read_lock_sched_held+0x110/0x130
[ 71.935875][ T9233] ? __kmalloc+0x5ea/0x760
[ 71.940441][ T9233] ? kmem_cache_alloc_trace+0x37c/0x770
[ 71.947529][ T9233] ? bpf_int_jit_compile+0x9a1/0xda5
[ 71.953149][ T9233] bpf_int_jit_compile+0x379/0xda5
[ 71.959745][ T9233] ? do_jit.isra.0+0x5630/0x5630
[ 71.973214][ T9233] ? ktime_get_with_offset+0x13a/0x350
[ 71.980048][ T9233] ? lockdep_hardirqs_on+0x418/0x5d0
[ 71.985837][ T9233] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 72.001319][ T9233] ? bpf_prog_alloc_jited_linfo+0xd3/0x1c0
[ 72.012056][ T9233] ? __bpf_prog_run64+0xe0/0xe0
[ 72.027843][ T9233] bpf_prog_select_runtime+0x4cd/0x7d0
[ 72.036932][ T9233] ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20
[ 72.046382][ T9233] ? bpf_obj_name_cpy+0x13f/0x190
[ 72.052743][ T9233] bpf_prog_load+0xe9b/0x1640
[ 72.057404][ T9233] ? bpf_prog_new_fd+0x60/0x60
[ 72.062576][ T9233] ? trace_hardirqs_on+0x67/0x220
[ 72.069489][ T9233] ? lock_downgrade+0x920/0x920
[ 72.075175][ T9233] ? selinux_bpf+0xe7/0x130
[ 72.082085][ T9233] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 72.088319][ T9233] ? security_bpf+0x8b/0xc0
[ 72.096627][ T9233] __do_sys_bpf+0xa23/0x4240
[ 72.102849][ T9233] ? bpf_prog_load+0x1640/0x1640
[ 72.114042][ T9233] ? lock_downgrade+0x920/0x920
[ 72.125479][ T9233] ? __kasan_check_write+0x14/0x20
[ 72.135352][ T9233] ? up_read+0x159/0x570
[ 72.140277][ T9233] ? trace_hardirqs_on_thunk+0x1a/0x20
[ 72.145713][ T9233] ? do_syscall_64+0x26/0x6a0
[ 72.151795][ T9233] ? entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 72.160794][ T9233] ? do_syscall_64+0x26/0x6a0
[ 72.165638][ T9233] __x64_sys_bpf+0x73/0xb0
[ 72.170037][ T9233] do_syscall_64+0xfd/0x6a0
[ 72.176877][ T9233] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 72.185831][ T9233] RIP: 0033:0x4402c9
[ 72.195965][ T9233] Code: 18 89 d0 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 fb 13 fc ff c3 66 2e 0f 1f 84 00 00 00 00
[ 72.232205][ T9233] RSP: 002b:00007fff9f037ed8 EFLAGS: 00000246 ORIG_RAX: 0000000000000141
[ 72.244865][ T9233] RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 00000000004402c9
[ 72.254560][ T9233] RDX: 0000000000000046 RSI: 0000000020000180 RDI: 0000000000000005
[ 72.262601][ T9233] RBP: 00000000006ca018 R08: 0000000000000000 R09: 0000000000000000
[ 72.270558][ T9233] R10: 00000000ffffffff R11: 0000000000000246 R12: 0000000000401b50
[ 72.278645][ T9233] R13: 0000000000401be0 R14: 0000000000000000 R15: 0000000000000000
[ 72.286949][ T9233]
[ 72.289258][ T9233] Allocated by task 9075:
[ 72.293566][ T9233] save_stack+0x23/0x90
[ 72.297698][ T9233] __kasan_kmalloc.constprop.0+0xcf/0xe0
[ 72.304197][ T9233] kasan_kmalloc+0x9/0x10
[ 72.308848][ T9233] __kmalloc+0x163/0x760
[ 72.313601][ T9233] tomoyo_encode2.part.0+0xf5/0x400
[ 72.319185][ T9233] tomoyo_encode+0x2b/0x50
[ 72.325054][ T9233] tomoyo_realpath_from_path+0x1d3/0x7b0
[ 72.331183][ T9233] tomoyo_init_log+0xc63/0x2070
[ 72.338451][ T9233] tomoyo_supervisor+0x33f/0xef0
[ 72.351203][ T9233] tomoyo_env_perm+0x18e/0x210
[ 72.355947][ T9233] tomoyo_find_next_domain+0x1354/0x1f6c
[ 72.361574][ T9233] tomoyo_bprm_check_security+0x124/0x1b0
[ 72.367275][ T9233] security_bprm_check+0x63/0xb0
[ 72.372187][ T9233] search_binary_handler+0x71/0x570
[ 72.377360][ T9233] __do_execve_file.isra.0+0x133b/0x2310
[ 72.382975][ T9233] __x64_sys_execve+0x8f/0xc0
[ 72.387629][ T9233] do_syscall_64+0xfd/0x6a0
[ 72.392112][ T9233] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 72.398260][ T9233]
[ 72.400565][ T9233] Freed by task 9075:
[ 72.404539][ T9233] save_stack+0x23/0x90
[ 72.410295][ T9233] __kasan_slab_free+0x102/0x150
[ 72.422766][ T9233] kasan_slab_free+0xe/0x10
[ 72.433206][ T9233] kfree+0x10a/0x2a0
[ 72.442418][ T9233] tomoyo_init_log+0x15b2/0x2070
[ 72.448845][ T9233] tomoyo_supervisor+0x33f/0xef0
[ 72.454113][ T9233] tomoyo_env_perm+0x18e/0x210
[ 72.458856][ T9233] tomoyo_find_next_domain+0x1354/0x1f6c
[ 72.466474][ T9233] tomoyo_bprm_check_security+0x124/0x1b0
[ 72.472441][ T9233] security_bprm_check+0x63/0xb0
[ 72.478138][ T9233] search_binary_handler+0x71/0x570
[ 72.490428][ T9233] __do_execve_file.isra.0+0x133b/0x2310
[ 72.496235][ T9233] __x64_sys_execve+0x8f/0xc0
[ 72.500908][ T9233] do_syscall_64+0xfd/0x6a0
[ 72.505925][ T9233] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 72.511796][ T9233]
[ 72.514102][ T9233] The buggy address belongs to the object at ffff8880a78dda00
[ 72.514102][ T9233]  which belongs to the cache kmalloc-32 of size 32
[ 72.527961][ T9233] The buggy address is located 28 bytes to the right of
[ 72.527961][ T9233]  32-byte region [ffff8880a78dda00, ffff8880a78dda20)
[ 72.541551][ T9233] The buggy address belongs to the page:
[ 72.547161][ T9233] page:ffffea00029e3740 refcount:1 mapcount:0 mapping:ffff8880aa4001c0 index:0xffff8880a78ddfc1
[ 72.557633][ T9233] flags: 0x1fffc0000000200(slab)
[ 72.570120][ T9233] raw: 01fffc0000000200 ffffea00029e31c8 ffffea0002927f08 ffff8880aa4001c0
[ 72.581382][ T9233] raw: ffff8880a78ddfc1 ffff8880a78dd000 000000010000002f 0000000000000000
[ 72.600565][ T9233] page dumped because: kasan: bad access detected
[ 72.614242][ T9233]
[ 72.616556][ T9233] Memory state around the buggy address:
[ 72.622945][ T9233]  ffff8880a78dd900: fb fb fb fb fc fc fc fc fb fb fb fb fc fc fc fc
[ 72.630985][ T9233]  ffff8880a78dd980: 00 00 01 fc fc fc fc fc fb fb fb fb fc fc fc fc
[ 72.639029][ T9233] >ffff8880a78dda00: fb fb fb fb fc fc fc fc 00 00 fc fc fc fc fc fc
[ 72.647066][ T9233]                                         ^
[ 72.652935][ T9233]  ffff8880a78dda80: 00 01 fc fc fc fc fc fc 00 00 01 fc fc fc fc fc
[ 72.660982][ T9233]  ffff8880a78ddb00: fb fb fb fb fc fc fc fc fb fb fb fb fc fc fc fc
[ 72.670842][ T9233] ==================================================================
[ 72.685851][ T9233] Disabling lock debugging due to kernel taint
[ 72.692124][ T9233] Kernel panic - not syncing: panic_on_warn set ...
[ 72.699511][ T9233] CPU: 1 PID: 9233 Comm: syz-executor712 Tainted: G B 5.2.0+ #64
[ 72.708503][ T9233] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 72.718726][ T9233] Call Trace:
[ 72.722007][ T9233] dump_stack+0x16f/0x1f0
[ 72.733302][ T9233] panic+0x2dc/0x755
[ 72.737188][ T9233] ? add_taint.cold+0x16/0x16
[ 72.741925][ T9233] ? retint_kernel+0x10/0x10
[ 72.749029][ T9233] ? trace_hardirqs_on+0x5e/0x220
[ 72.754044][ T9233] ? do_jit.isra.0+0x4c35/0x5630
[ 72.758957][ T9233] end_report+0x47/0x4f
[ 72.763085][ T9233] ? do_jit.isra.0+0x4c35/0x5630
[ 72.767997][ T9233] __kasan_report.cold+0xe/0x36
[ 72.772823][ T9233] ? bpf_prog_get_ok+0x110/0x140
[ 72.777736][ T9233] ? do_jit.isra.0+0x4c35/0x5630
[ 72.782658][ T9233] kasan_report+0x12/0x17
[ 72.786960][ T9233] __asan_report_load4_noabort+0x14/0x20
[ 72.792653][ T9233] do_jit.isra.0+0x4c35/0x5630
[ 72.797403][ T9233] ? jit_fill_hole+0x30/0x30
[ 72.802148][ T9233] ? rcu_read_lock_sched_held+0x110/0x130
[ 72.808293][ T9233] ? __kmalloc+0x5ea/0x760
[ 72.815010][ T9233] ? kmem_cache_alloc_trace+0x37c/0x770
[ 72.822189][ T9233] ? bpf_int_jit_compile+0x9a1/0xda5
[ 72.827654][ T9233] bpf_int_jit_compile+0x379/0xda5
[ 72.832848][ T9233] ? do_jit.isra.0+0x5630/0x5630
[ 72.837761][ T9233] ? ktime_get_with_offset+0x13a/0x350
[ 72.843197][ T9233] ? lockdep_hardirqs_on+0x418/0x5d0
[ 72.848477][ T9233] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 72.854699][ T9233] ? bpf_prog_alloc_jited_linfo+0xd3/0x1c0
[ 72.860476][ T9233] ? __bpf_prog_run64+0xe0/0xe0
[ 72.865300][ T9233] bpf_prog_select_runtime+0x4cd/0x7d0
[ 72.870736][ T9233] ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20
[ 72.876964][ T9233] ? bpf_obj_name_cpy+0x13f/0x190
[ 72.881962][ T9233] bpf_prog_load+0xe9b/0x1640
[ 72.886615][ T9233] ? bpf_prog_new_fd+0x60/0x60
[ 72.891355][ T9233] ? trace_hardirqs_on+0x67/0x220
[ 72.896441][ T9233] ? lock_downgrade+0x920/0x920
[ 72.901283][ T9233] ? selinux_bpf+0xe7/0x130
[ 72.906125][ T9233] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 72.912360][ T9233] ? security_bpf+0x8b/0xc0
[ 72.916845][ T9233] __do_sys_bpf+0xa23/0x4240
[ 72.921412][ T9233] ? bpf_prog_load+0x1640/0x1640
[ 72.926324][ T9233] ? lock_downgrade+0x920/0x920
[ 72.931153][ T9233] ? __kasan_check_write+0x14/0x20
[ 72.936270][ T9233] ? up_read+0x159/0x570
[ 72.940496][ T9233] ? trace_hardirqs_on_thunk+0x1a/0x20
[ 72.945925][ T9233] ? do_syscall_64+0x26/0x6a0
[ 72.957284][ T9233] ? entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 72.965717][ T9233] ? do_syscall_64+0x26/0x6a0
[ 72.971157][ T9233] __x64_sys_bpf+0x73/0xb0
[ 72.975658][ T9233] do_syscall_64+0xfd/0x6a0
[ 72.992934][ T9233] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 72.999789][ T9233] RIP: 0033:0x4402c9
[ 73.003661][ T9233] Code: 18 89 d0 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 fb 13 fc ff c3 66 2e 0f 1f 84 00 00 00 00
[ 73.024716][ T9233] RSP: 002b:00007fff9f037ed8 EFLAGS: 00000246 ORIG_RAX: 0000000000000141
[ 73.033191][ T9233] RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 00000000004402c9
[ 73.041223][ T9233] RDX: 0000000000000046 RSI: 0000000020000180 RDI: 0000000000000005
[ 73.049780][ T9233] RBP: 00000000006ca018 R08: 0000000000000000 R09: 0000000000000000
[ 73.068432][ T9233] R10: 00000000ffffffff R11: 0000000000000246 R12: 0000000000401b50
[ 73.077361][ T9233] R13: 0000000000401be0 R14: 0000000000000000 R15: 0000000000000000
[ 73.093815][ T9233] Kernel Offset: disabled
[ 73.100231][ T9233] Rebooting in 86400 seconds..