[ 41.303799] audit: type=1800 audit(1567133847.808:31): pid=7558 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:kernel_t:s0 op=collect_data cause=failed(directio) comm="startpar" name="restorecond" dev="sda1" ino=2469 res=0
[ 41.334279] audit: type=1800 audit(1567133847.818:32): pid=7558 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:kernel_t:s0 op=collect_data cause=failed(directio) comm="startpar" name="ssh" dev="sda1" ino=2450 res=0
Starting mcstransd:
[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.
[ ok ] Starting file context maintaining daemon: restorecond.

Debian GNU/Linux 7 syzkaller ttyS0

Warning: Permanently added '10.128.0.227' (ECDSA) to the list of known hosts.

syzkaller login: [ 554.471171] kauditd_printk_skb: 3 callbacks suppressed
[ 554.471188] audit: type=1400 audit(1567134361.048:36): avc: denied { map } for pid=7744 comm="syz-execprog" path="/root/syz-execprog" dev="sda1" ino=16481 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
2019/08/30 03:06:01 parsed 1 programs
[ 555.387177] audit: type=1400 audit(1567134361.958:37): avc: denied { map } for pid=7744 comm="syz-execprog" path="/sys/kernel/debug/kcov" dev="debugfs" ino=55 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:debugfs_t:s0 tclass=file permissive=1
2019/08/30 03:06:03 executed programs: 0
[ 556.546088] IPVS: ftp: loaded support on port[0] = 21
[ 556.608333] chnl_net:caif_netlink_parms(): no params data found
[ 556.643594] bridge0: port 1(bridge_slave_0) entered blocking state
[ 556.650899] bridge0: port 1(bridge_slave_0) entered disabled state
[ 556.658210] device bridge_slave_0 entered promiscuous mode
[ 556.665960] bridge0: port 2(bridge_slave_1) entered blocking state
[ 556.672522] bridge0: port 2(bridge_slave_1) entered disabled state
[ 556.679582] device bridge_slave_1 entered promiscuous mode
[ 556.695145] bond0: Enslaving bond_slave_0 as an active interface with an up link
[ 556.704388] bond0: Enslaving bond_slave_1 as an active interface with an up link
[ 556.720744] IPv6: ADDRCONF(NETDEV_UP): team_slave_0: link is not ready
[ 556.728433] team0: Port device team_slave_0 added
[ 556.734101] IPv6: ADDRCONF(NETDEV_UP): team_slave_1: link is not ready
[ 556.741376] team0: Port device team_slave_1 added
[ 556.746634] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_0: link is not ready
[ 556.755199] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_1: link is not ready
[ 556.812313] device hsr_slave_0 entered promiscuous mode
[ 556.869985] device hsr_slave_1 entered promiscuous mode
[ 556.910326] IPv6: ADDRCONF(NETDEV_UP): hsr_slave_0: link is not ready
[ 556.917324] IPv6: ADDRCONF(NETDEV_UP): hsr_slave_1: link is not ready
[ 556.931545] bridge0: port 2(bridge_slave_1) entered blocking state
[ 556.938026] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 556.945066] bridge0: port 1(bridge_slave_0) entered blocking state
[ 556.951432] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 556.982947] IPv6: ADDRCONF(NETDEV_UP): bond0: link is not ready
[ 556.989035] 8021q: adding VLAN 0 to HW filter on device bond0
[ 556.998303] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
[ 557.007139] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 557.027771] bridge0: port 1(bridge_slave_0) entered disabled state
[ 557.035325] bridge0: port 2(bridge_slave_1) entered disabled state
[ 557.043361] IPv6: ADDRCONF(NETDEV_CHANGE): bond0: link becomes ready
[ 557.054384] IPv6: ADDRCONF(NETDEV_UP): team0: link is not ready
[ 557.060745] 8021q: adding VLAN 0 to HW filter on device team0
[ 557.070660] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[ 557.078836] bridge0: port 1(bridge_slave_0) entered blocking state
[ 557.085235] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 557.102250] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[ 557.110949] bridge0: port 2(bridge_slave_1) entered blocking state
[ 557.117286] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 557.125613] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready
[ 557.134147] IPv6: ADDRCONF(NETDEV_CHANGE): team0: link becomes ready
[ 557.143200] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready
[ 557.155766] hsr0: Slave A (hsr_slave_0) is not up; please bring it up to get a fully working HSR network
[ 557.165769] hsr0: Slave B (hsr_slave_1) is not up; please bring it up to get a fully working HSR network
[ 557.177819] IPv6: ADDRCONF(NETDEV_UP): hsr0: link is not ready
[ 557.184573] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
[ 557.192582] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
[ 557.200656] IPv6: ADDRCONF(NETDEV_CHANGE): hsr0: link becomes ready
[ 557.214680] IPv6: ADDRCONF(NETDEV_UP): vxcan1: link is not ready
[ 557.224768] 8021q: adding VLAN 0 to HW filter on device batadv0
[ 557.235450] audit: type=1400 audit(1567134363.808:38): avc: denied { associate } for pid=7761 comm="syz-executor.0" name="syz0" scontext=unconfined_u:object_r:unlabeled_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=filesystem permissive=1
[ 557.287071] audit: type=1400 audit(1567134363.858:39): avc: denied { map_create } for pid=7769 comm="syz-executor.0" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=bpf permissive=1
[ 557.310664] audit: type=1400 audit(1567134363.868:40): avc: denied { map_read map_write } for pid=7769 comm="syz-executor.0" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=bpf permissive=1
2019/08/30 03:06:08 executed programs: 327
2019/08/30 03:06:13 executed programs: 720
2019/08/30 03:06:18 executed programs: 1125
2019/08/30 03:06:23 executed programs: 1516
2019/08/30 03:06:28 executed programs: 1918
2019/08/30 03:06:33 executed programs: 2308
2019/08/30 03:06:38 executed programs: 2702
2019/08/30 03:06:43 executed programs: 3092
2019/08/30 03:06:48 executed programs: 3491
2019/08/30 03:06:53 executed programs: 3882
2019/08/30 03:06:58 executed programs: 4276
2019/08/30 03:07:03 executed programs: 4664
2019/08/30 03:07:08 executed programs: 5052
2019/08/30 03:07:13 executed programs: 5425
2019/08/30 03:07:18 executed programs: 5809
2019/08/30 03:07:23 executed programs: 6196
2019/08/30 03:07:28 executed programs: 6584
2019/08/30 03:07:33 executed programs: 6971
2019/08/30 03:07:38 executed programs: 7358
2019/08/30 03:07:43 executed programs: 7742
2019/08/30 03:07:48 executed programs: 8117
2019/08/30 03:07:53 executed programs: 8497
2019/08/30 03:07:58 executed programs: 8873
2019/08/30 03:08:03 executed programs: 9263
2019/08/30 03:08:08 executed programs: 9650
2019/08/30 03:08:13 executed programs: 10034
2019/08/30 03:08:18 executed programs: 10414
2019/08/30 03:08:23 executed programs: 10795
2019/08/30 03:08:28 executed programs: 11169
2019/08/30 03:08:33 executed programs: 11565
2019/08/30 03:08:38 executed programs: 11945
2019/08/30 03:08:43 executed programs: 12329
2019/08/30 03:08:48 executed programs: 12704
2019/08/30 03:08:53 executed programs: 13086
2019/08/30 03:08:58 executed programs: 13457
2019/08/30 03:09:03 executed programs: 13846
2019/08/30 03:09:08 executed programs: 14237
2019/08/30 03:09:13 executed programs: 14627
2019/08/30 03:09:18 executed programs: 15007
2019/08/30 03:09:23 executed programs: 15391
2019/08/30 03:09:28 executed programs: 15758
2019/08/30 03:09:33 executed programs: 16144
2019/08/30 03:09:38 executed programs: 16531
2019/08/30 03:09:43 executed programs: 16925
2019/08/30 03:09:48 executed programs: 17295
2019/08/30 03:09:53 executed programs: 17666
2019/08/30 03:09:58 executed programs: 18033
2019/08/30 03:10:03 executed programs: 18406
2019/08/30 03:10:08 executed programs: 18777
2019/08/30 03:10:13 executed programs: 19169
2019/08/30 03:10:18 executed programs: 19550
2019/08/30 03:10:23 executed programs: 19926
2019/08/30 03:10:28 executed programs: 20275
2019/08/30 03:10:33 executed programs: 20624
2019/08/30 03:10:38 executed programs: 20977
2019/08/30 03:10:43 executed programs: 21372
2019/08/30 03:10:48 executed programs: 21742
2019/08/30 03:10:53 executed programs: 22106
2019/08/30 03:10:58 executed programs: 22465
2019/08/30 03:11:03 executed programs: 22829
2019/08/30 03:11:08 executed programs: 23195
2019/08/30 03:11:13 executed programs: 23590
2019/08/30 03:11:18 executed programs: 23977
2019/08/30 03:11:23 executed programs: 24367
2019/08/30 03:11:28 executed programs: 24734
2019/08/30 03:11:33 executed programs: 25123
2019/08/30 03:11:38 executed programs: 25514
2019/08/30 03:11:43 executed programs: 25910
2019/08/30 03:11:48 executed programs: 26298
2019/08/30 03:11:53 executed programs: 26694
2019/08/30 03:11:58 executed programs: 27078
2019/08/30 03:12:03 executed programs: 27457
2019/08/30 03:12:08 executed programs: 27847
2019/08/30 03:12:13 executed programs: 28237
2019/08/30 03:12:18 executed programs: 28626
2019/08/30 03:12:23 executed programs: 29002
2019/08/30 03:12:28 executed programs: 29382
2019/08/30 03:12:33 executed programs: 29760
2019/08/30 03:12:38 executed programs: 30149
2019/08/30 03:12:43 executed programs: 30529
2019/08/30 03:12:48 executed programs: 30909
2019/08/30 03:12:53 executed programs: 31286
2019/08/30 03:12:58 executed programs: 31665
2019/08/30 03:13:03 executed programs: 32039
2019/08/30 03:13:08 executed programs: 32419
2019/08/30 03:13:13 executed programs: 32812
2019/08/30 03:13:18 executed programs: 33204
2019/08/30 03:13:23 executed programs: 33579
2019/08/30 03:13:28 executed programs: 33963
[ 1006.930682] ==================================================================
[ 1006.939197] BUG: KASAN: use-after-free in __lock_acquire+0x34ac/0x49c0
[ 1006.946364] Read of size 8 at addr ffff88809e95cb88 by task syz-executor.0/27445
[ 1006.953973]
[ 1006.955592] CPU: 0 PID: 27445 Comm: syz-executor.0 Not tainted 4.19.69 #43
[ 1006.962588] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 1006.971944] Call Trace:
[ 1006.974538]  dump_stack+0x172/0x1f0
[ 1006.978190]  ? __lock_acquire+0x34ac/0x49c0
[ 1006.982518]  print_address_description.cold+0x7c/0x20d
[ 1006.987798]  ? __lock_acquire+0x34ac/0x49c0
[ 1006.992114]  kasan_report.cold+0x8c/0x2ba
[ 1006.996254]  __asan_report_load8_noabort+0x14/0x20
[ 1007.001194]  __lock_acquire+0x34ac/0x49c0
[ 1007.005446]  ? save_stack+0xa9/0xd0
[ 1007.009086]  ? save_stack+0x45/0xd0
[ 1007.012710]  ? __kasan_slab_free+0x102/0x150
[ 1007.017203]  ? kasan_slab_free+0xe/0x10
[ 1007.021172]  ? kfree+0xcf/0x220
[ 1007.024659]  ? bpf_tcp_remove+0x478/0xa20
[ 1007.028822]  ? bpf_tcp_close+0x130/0x390
[ 1007.032878]  ? inet_release+0xff/0x1e0
[ 1007.036775]  ? inet6_release+0x53/0x80
[ 1007.040923]  ? __sock_release+0xce/0x2a0
[ 1007.044993]  ? sock_close+0x1b/0x30
[ 1007.048715]  ? __fput+0x2dd/0x8b0
[ 1007.052174]  ? mark_held_locks+0x100/0x100
[ 1007.056488]  ? find_held_lock+0x35/0x130
[ 1007.060547]  ? debug_check_no_obj_freed+0x200/0x464
[ 1007.065558]  ? lock_downgrade+0x810/0x810
[ 1007.069705]  lock_acquire+0x16f/0x3f0
[ 1007.073515]  ? psock_map_pop.isra.0+0x2d/0x1f0
[ 1007.078085]  ? kfree+0x170/0x220
[ 1007.081443]  _raw_spin_lock_bh+0x33/0x50
[ 1007.085495]  ? psock_map_pop.isra.0+0x2d/0x1f0
[ 1007.090071]  psock_map_pop.isra.0+0x2d/0x1f0
[ 1007.094903]  bpf_tcp_remove+0x481/0xa20
[ 1007.099412]  ? tcp_check_oom+0x560/0x560
[ 1007.103468]  bpf_tcp_close+0x130/0x390
[ 1007.107342]  inet_release+0xff/0x1e0
[ 1007.111101]  inet6_release+0x53/0x80
[ 1007.114816]  __sock_release+0xce/0x2a0
[ 1007.118690]  ? __sock_release+0x2a0/0x2a0
[ 1007.122850]  sock_close+0x1b/0x30
[ 1007.127205]  __fput+0x2dd/0x8b0
[ 1007.130479]  ____fput+0x16/0x20
[ 1007.133749]  task_work_run+0x145/0x1c0
[ 1007.137625]  exit_to_usermode_loop+0x273/0x2c0
[ 1007.142204]  do_syscall_64+0x53d/0x620
[ 1007.146175]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 1007.151358] RIP: 0033:0x413540
[ 1007.154555] Code: 01 f0 ff ff 0f 83 30 1b 00 00 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 83 3d 4d 2d 66 00 00 75 14 b8 03 00 00 00 0f 05 <48> 3d 01 f0 ff ff 0f 83 04 1b 00 00 c3 48 83 ec 08 e8 0a fc ff ff
[ 1007.174390] RSP: 002b:00007ffdb39131d8 EFLAGS: 00000246 ORIG_RAX: 0000000000000003
[ 1007.182284] RAX: 0000000000000000 RBX: 0000000000000006 RCX: 0000000000413540
[ 1007.189556] RDX: 0000001b30b20000 RSI: 0000000000000000 RDI: 0000000000000005
[ 1007.197741] RBP: 0000000000000001 R08: 0000000000000016 R09: ffffffffffffffff
[ 1007.205260] R10: ffffffffffffffff R11: 0000000000000246 R12: 000000000075bf20
[ 1007.212522] R13: 0000000000000005 R14: 00000000007612a0 R15: ffffffffffffffff
[ 1007.219788]
[ 1007.221400] Allocated by task 27445:
[ 1007.225107]  save_stack+0x45/0xd0
[ 1007.228562]  kasan_kmalloc+0xce/0xf0
[ 1007.232564]  kmem_cache_alloc_node_trace+0x153/0x720
[ 1007.237687]  __sock_map_ctx_update_elem.isra.0+0x675/0xdc0
[ 1007.243316]  sock_hash_ctx_update_elem.isra.0+0x6c2/0x10d0
[ 1007.248934]  sock_hash_update_elem+0x246/0x4b0
[ 1007.253514]  map_update_elem+0x791/0xda0
[ 1007.257573]  __x64_sys_bpf+0x2ec/0x4c0
[ 1007.261447]  do_syscall_64+0xfd/0x620
[ 1007.265239]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 1007.271363]
[ 1007.273092] Freed by task 7765:
[ 1007.276380]  save_stack+0x45/0xd0
[ 1007.279827]  __kasan_slab_free+0x102/0x150
[ 1007.285799]  kasan_slab_free+0xe/0x10
[ 1007.289689]  kfree+0xcf/0x220
[ 1007.292797]  smap_gc_work+0x7e5/0xab0
[ 1007.296612]  process_one_work+0x989/0x1750
[ 1007.300859]  worker_thread+0x98/0xe40
[ 1007.304651]  kthread+0x354/0x420
[ 1007.308004]  ret_from_fork+0x24/0x30
[ 1007.311807]
[ 1007.313431] The buggy address belongs to the object at ffff88809e95c940
[ 1007.313431]  which belongs to the cache kmalloc-1024 of size 1024
[ 1007.326311] The buggy address is located 584 bytes inside of
[ 1007.326311]  1024-byte region [ffff88809e95c940, ffff88809e95cd40)
[ 1007.338480] The buggy address belongs to the page:
[ 1007.343408] page:ffffea00027a5700 count:1 mapcount:0 mapping:ffff88812c3f0ac0 index:0x0 compound_mapcount: 0
[ 1007.354168] flags: 0x1fffc0000008100(slab|head)
[ 1007.358834] raw: 01fffc0000008100 ffffea000261d888 ffffea00025b7e88 ffff88812c3f0ac0
[ 1007.366728] raw: 0000000000000000 ffff88809e95c040 0000000100000007 0000000000000000
[ 1007.374858] page dumped because: kasan: bad access detected
[ 1007.380557]
[ 1007.382186] Memory state around the buggy address:
[ 1007.387127]  ffff88809e95ca80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 1007.394765]  ffff88809e95cb00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 1007.402119] >ffff88809e95cb80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 1007.409471]                       ^
[ 1007.413108]  ffff88809e95cc00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 1007.420464]  ffff88809e95cc80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 1007.427905] ==================================================================
[ 1007.435336] Disabling lock debugging due to kernel taint
[ 1007.440877] Kernel panic - not syncing: panic_on_warn set ...
[ 1007.440877]
[ 1007.448248] CPU: 0 PID: 27445 Comm: syz-executor.0 Tainted: G B 4.19.69 #43
[ 1007.456659] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 1007.466011] Call Trace:
[ 1007.468599]  dump_stack+0x172/0x1f0
[ 1007.472220]  ? __lock_acquire+0x34ac/0x49c0
[ 1007.476533]  panic+0x263/0x507
[ 1007.479732]  ? __warn_printk+0xf3/0xf3
[ 1007.483608]  ? lock_downgrade+0x810/0x810
[ 1007.487845]  ? trace_hardirqs_off+0x62/0x220
[ 1007.492259]  ? trace_hardirqs_off+0x59/0x220
[ 1007.496662]  ? __lock_acquire+0x34ac/0x49c0
[ 1007.500979]  kasan_end_report+0x47/0x4f
[ 1007.504943]  kasan_report.cold+0xa9/0x2ba
[ 1007.509099]  __asan_report_load8_noabort+0x14/0x20
[ 1007.514038]  __lock_acquire+0x34ac/0x49c0
[ 1007.518175]  ? save_stack+0xa9/0xd0
[ 1007.521786]  ? save_stack+0x45/0xd0
[ 1007.525400]  ? __kasan_slab_free+0x102/0x150
[ 1007.529971]  ? kasan_slab_free+0xe/0x10
[ 1007.533951]  ? kfree+0xcf/0x220
[ 1007.537241]  ? bpf_tcp_remove+0x478/0xa20
[ 1007.541378]  ? bpf_tcp_close+0x130/0x390
[ 1007.545426]  ? inet_release+0xff/0x1e0
[ 1007.549316]  ? inet6_release+0x53/0x80
[ 1007.553197]  ? __sock_release+0xce/0x2a0
[ 1007.557246]  ? sock_close+0x1b/0x30
[ 1007.561059]  ? __fput+0x2dd/0x8b0
[ 1007.564602]  ? mark_held_locks+0x100/0x100
[ 1007.569108]  ? find_held_lock+0x35/0x130
[ 1007.573251]  ? debug_check_no_obj_freed+0x200/0x464
[ 1007.578342]  ? lock_downgrade+0x810/0x810
[ 1007.582513]  lock_acquire+0x16f/0x3f0
[ 1007.586308]  ? psock_map_pop.isra.0+0x2d/0x1f0
[ 1007.590968]  ? kfree+0x170/0x220
[ 1007.594331]  _raw_spin_lock_bh+0x33/0x50
[ 1007.598385]  ? psock_map_pop.isra.0+0x2d/0x1f0
[ 1007.602964]  psock_map_pop.isra.0+0x2d/0x1f0
[ 1007.607360]  bpf_tcp_remove+0x481/0xa20
[ 1007.611324]  ? tcp_check_oom+0x560/0x560
[ 1007.628634]  bpf_tcp_close+0x130/0x390
[ 1007.632611]  inet_release+0xff/0x1e0
[ 1007.636322]  inet6_release+0x53/0x80
[ 1007.640060]  __sock_release+0xce/0x2a0
[ 1007.643945]  ? __sock_release+0x2a0/0x2a0
[ 1007.648077]  sock_close+0x1b/0x30
[ 1007.651518]  __fput+0x2dd/0x8b0
[ 1007.654788]  ____fput+0x16/0x20
[ 1007.658057]  task_work_run+0x145/0x1c0
[ 1007.661932]  exit_to_usermode_loop+0x273/0x2c0
[ 1007.666521]  do_syscall_64+0x53d/0x620
[ 1007.670412]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 1007.675682] RIP: 0033:0x413540
[ 1007.678859] Code: 01 f0 ff ff 0f 83 30 1b 00 00 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 83 3d 4d 2d 66 00 00 75 14 b8 03 00 00 00 0f 05 <48> 3d 01 f0 ff ff 0f 83 04 1b 00 00 c3 48 83 ec 08 e8 0a fc ff ff
[ 1007.698442] RSP: 002b:00007ffdb39131d8 EFLAGS: 00000246 ORIG_RAX: 0000000000000003
[ 1007.706148] RAX: 0000000000000000 RBX: 0000000000000006 RCX: 0000000000413540
[ 1007.713496] RDX: 0000001b30b20000 RSI: 0000000000000000 RDI: 0000000000000005
[ 1007.720756] RBP: 0000000000000001 R08: 0000000000000016 R09: ffffffffffffffff
[ 1007.728040] R10: ffffffffffffffff R11: 0000000000000246 R12: 000000000075bf20
[ 1007.735314] R13: 0000000000000005 R14: 00000000007612a0 R15: ffffffffffffffff
[ 1007.744220] Kernel Offset: disabled
[ 1007.747853] Rebooting in 86400 seconds..
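The log above is raw syzkaller console output; the triage facts a practitioner wants (what was freed, by whom, where it was reused, and whether the shadow memory agrees) are spread across the KASAN report. The following parser is an added example written for this page, not part of syzkaller, syzbot or the kernel. It reads the report in the printk format shown above, discards the unreliable "? frame" stack entries, checks that object base + offset equals the faulting address, decodes the shadow byte at that address (0xfb is KASAN's freed-slab-object marker in 4.19, with one shadow byte per 8 bytes of memory), and names the first non-allocator frame of the alloc and free stacks. The embedded sample is constructed from this page's own report lines; the PLUMBING prefix list, the field names and the triage keys are this example's own choices, not kernel or syzkaller conventions.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: the key lines of this page's KASAN report, with printk
# prefixes, two "? frame" entries and the blank separator lines left in.
SAMPLE_REPORT = """\
[ 1006.939197] BUG: KASAN: use-after-free in __lock_acquire+0x34ac/0x49c0
[ 1006.946364] Read of size 8 at addr ffff88809e95cb88 by task syz-executor.0/27445
[ 1006.971944] Call Trace:
[ 1007.001194]  __lock_acquire+0x34ac/0x49c0
[ 1007.005446]  ? save_stack+0xa9/0xd0
[ 1007.090071]  psock_map_pop.isra.0+0x2d/0x1f0
[ 1007.094903]  bpf_tcp_remove+0x481/0xa20
[ 1007.103468]  bpf_tcp_close+0x130/0x390
[ 1007.151358] RIP: 0033:0x413540
[ 1007.219788]
[ 1007.221400] Allocated by task 27445:
[ 1007.225107]  save_stack+0x45/0xd0
[ 1007.237687]  __sock_map_ctx_update_elem.isra.0+0x675/0xdc0
[ 1007.271363]
[ 1007.273092] Freed by task 7765:
[ 1007.276380]  save_stack+0x45/0xd0
[ 1007.289689]  kfree+0xcf/0x220
[ 1007.292797]  smap_gc_work+0x7e5/0xab0
[ 1007.296612]  process_one_work+0x989/0x1750
[ 1007.311807]
[ 1007.313431] The buggy address belongs to the object at ffff88809e95c940
[ 1007.326311] The buggy address is located 584 bytes inside of
[ 1007.382186] Memory state around the buggy address:
[ 1007.402119] >ffff88809e95cb80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 1007.409471]                       ^
"""

PRINTK_PREFIX = re.compile(r"^\[\s*\d+\.\d+\]\s?")
FRAME_RE = re.compile(r"^\s*(\?\s+)?([A-Za-z_][\w.]*)\+0x[0-9a-f]+/0x[0-9a-f]+")
SHADOW_ROW_RE = re.compile(r"^>?\s*([0-9a-f]{16}): ((?:[0-9a-f]{2}\s?)+)$")
# Allocator/KASAN plumbing that sits above the real caller in every alloc/free stack.
PLUMBING = ("save_stack", "kasan_", "__kasan_", "kfree", "kmalloc", "kmem_cache_")
SHADOW_KMALLOC_FREE = 0xFB  # mm/kasan/kasan.h (4.19): shadow value of a freed slab object

@dataclass
class KasanReport:
    bug: str = ""
    site: str = ""
    addr: int = 0
    pid: int = 0
    alloc_pid: int = 0
    free_pid: int = 0
    obj_base: int = 0
    offset: int = -1
    trace: list = field(default_factory=list)
    alloc_stack: list = field(default_factory=list)
    free_stack: list = field(default_factory=list)
    shadow_rows: dict = field(default_factory=dict)  # row base address -> 16 shadow bytes

def parse_kasan_report(text: str) -> KasanReport:
    r, section = KasanReport(), None
    for raw in text.splitlines():
        line = PRINTK_PREFIX.sub("", raw)
        if not line.strip():
            section = None  # a blank line closes the current stack section
        elif m := re.match(r"BUG: KASAN: ([\w-]+) in (\S+)", line):
            r.bug, r.site = m.group(1), m.group(2)
        elif m := re.match(r"(?:Read|Write) of size \d+ at addr ([0-9a-f]+) by task \S+/(\d+)", line):
            r.addr, r.pid = int(m.group(1), 16), int(m.group(2))
        elif line.startswith("Call Trace:"):
            section = "trace"
        elif m := re.match(r"Allocated by task (\d+):", line):
            section, r.alloc_pid = "alloc", int(m.group(1))
        elif m := re.match(r"Freed by task (\d+):", line):
            section, r.free_pid = "free", int(m.group(1))
        elif m := re.match(r"The buggy address belongs to the object at ([0-9a-f]+)", line):
            r.obj_base = int(m.group(1), 16)
        elif m := re.match(r"The buggy address is located (\d+) bytes inside of", line):
            r.offset = int(m.group(1))
        elif m := SHADOW_ROW_RE.match(line):
            r.shadow_rows[int(m.group(1), 16)] = [int(b, 16) for b in m.group(2).split()]
        elif (m := FRAME_RE.match(line)) and section and not m.group(1):
            # "? frame" entries are stale stack slots, not real callers: they are skipped
            {"trace": r.trace, "alloc": r.alloc_stack, "free": r.free_stack}[section].append(m.group(2))
    return r

def first_real_frame(stack):
    return next((fn for fn in stack if not fn.startswith(PLUMBING)), None)

def shadow_byte_at(r: KasanReport, addr: int) -> int:
    row = addr & ~0x7F  # a printed row is 16 shadow bytes, i.e. 128 bytes of memory
    return r.shadow_rows[row][(addr - row) // 8]

def triage(r: KasanReport) -> dict:
    use_chain = r.trace[r.trace.index(r.site.split("+")[0]) + 1:]  # callers below the faulting function
    return {
        "offset_consistent": r.obj_base + r.offset == r.addr,
        "shadow_says_freed": shadow_byte_at(r, r.addr) == SHADOW_KMALLOC_FREE,
        "allocated_in": first_real_frame(r.alloc_stack),
        "freed_in": first_real_frame(r.free_stack),
        "use_chain": use_chain,
        "freed_by_other_task": r.free_pid != r.pid,
        "freed_from_workqueue": "process_one_work" in r.free_stack,
    }
```

Run `triage(parse_kasan_report(SAMPLE_REPORT))` to get the summary for this report: the object allocated in `__sock_map_ctx_update_elem` was freed from `smap_gc_work` on a workqueue (task 7765) and then locked again through `bpf_tcp_close` -> `bpf_tcp_remove` -> `psock_map_pop` by the closing task (27445), with the shadow byte confirming the slab object was already freed. Two different tasks on the free and use sides is the signature that separates a lifetime race from a plain double-use in one code path.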