[ 82.017283][ T26] audit: type=1400 audit(1576411923.873:37): avc: denied { watch } for pid=9716 comm="restorecond" path="/root/.ssh" dev="sda1" ino=16179 scontext=system_u:system_r:kernel_t:s0 tcontext=unconfined_u:object_r:ssh_home_t:s0 tclass=dir permissive=1
[ 82.069970][ T26] audit: type=1400 audit(1576411923.873:38): avc: denied { watch } for pid=9716 comm="restorecond" path="/etc/selinux/restorecond.conf" dev="sda1" ino=2232 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
[ ok ] Starting OpenBSD Secure Shell server: sshd.
[ ok ] Starting file context maintaining daemon: restorecond.
[ 82.251591][ T26] audit: type=1800 audit(1576411924.103:39): pid=9621 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:kernel_t:s0 op=collect_data cause=failed(directio) comm="startpar" name="rc.local" dev="sda1" ino=2432 res=0
[ 82.273449][ T26] audit: type=1800 audit(1576411924.103:40): pid=9621 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:kernel_t:s0 op=collect_data cause=failed(directio) comm="startpar" name="rmnologin" dev="sda1" ino=2423 res=0

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login:
[ 85.425850][ T26] audit: type=1400 audit(1576411927.283:41): avc: denied { map } for pid=9799 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
Warning: Permanently added '10.128.0.54' (ECDSA) to the list of known hosts.
executing program
executing program
executing program
executing program
executing program
executing program
executing program
[ 92.059414][ T26] audit: type=1400 audit(1576411933.913:42): avc: denied { map } for pid=9811 comm="syz-executor327" path="/root/syz-executor327713164" dev="sda1" ino=16484 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
[ 92.143374][ T9818] ==================================================================
[ 92.143433][ T9818] BUG: KASAN: use-after-free in n_tty_receive_buf_common+0x270f/0x2b70
[ 92.143445][ T9818] Read of size 1 at addr ffff888092154001 by task syz-executor327/9818
[ 92.143449][ T9818]
[ 92.143464][ T9818] CPU: 1 PID: 9818 Comm: syz-executor327 Not tainted 5.5.0-rc1-syzkaller #0
[ 92.143473][ T9818] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 92.143478][ T9818] Call Trace:
[ 92.143495][ T9818] dump_stack+0x197/0x210
[ 92.143510][ T9818] ? n_tty_receive_buf_common+0x270f/0x2b70
[ 92.143529][ T9818] print_address_description.constprop.0.cold+0xd4/0x30b
[ 92.143542][ T9818] ? n_tty_receive_buf_common+0x270f/0x2b70
[ 92.143556][ T9818] ? n_tty_receive_buf_common+0x270f/0x2b70
[ 92.143569][ T9818] __kasan_report.cold+0x1b/0x41
[ 92.143584][ T9818] ? n_tty_receive_buf_common+0x270f/0x2b70
[ 92.143598][ T9818] kasan_report+0x12/0x20
[ 92.143611][ T9818] __asan_report_load1_noabort+0x14/0x20
[ 92.143624][ T9818] n_tty_receive_buf_common+0x270f/0x2b70
[ 92.143636][ T9818] ? __kasan_check_read+0x11/0x20
[ 92.143665][ T9818] n_tty_receive_buf2+0x34/0x40
[ 92.143682][ T9818] tty_ldisc_receive_buf+0xad/0x1c0
[ 92.143693][ T9818] ? add_wait_queue+0x112/0x170
[ 92.143705][ T9818] ? n_tty_receive_buf_common+0x2b70/0x2b70
[ 92.143721][ T9818] paste_selection+0x1ff/0x460
[ 92.143739][ T9818] ? vcs_remove_sysfs+0x60/0x60
[ 92.143752][ T9818] ? lock_downgrade+0x920/0x920
[ 92.143768][ T9818] ? wake_up_q+0x140/0x140
[ 92.143793][ T9818] tioclinux+0x133/0x480
[ 92.143810][ T9818] vt_ioctl+0x1a41/0x26d0
[ 92.143827][ T9818] ? complete_change_console+0x3a0/0x3a0
[ 92.143838][ T9818] ? lock_downgrade+0x920/0x920
[ 92.143852][ T9818] ? rwlock_bug.part.0+0x90/0x90
[ 92.143875][ T9818] ? tomoyo_path_number_perm+0x214/0x520
[ 92.143888][ T9818] ? find_held_lock+0x35/0x130
[ 92.143902][ T9818] ? tomoyo_path_number_perm+0x214/0x520
[ 92.143917][ T9818] ? __sanitizer_cov_trace_switch+0x49/0x80
[ 92.143931][ T9818] ? tty_jobctrl_ioctl+0x50/0xd40
[ 92.143945][ T9818] ? complete_change_console+0x3a0/0x3a0
[ 92.143960][ T9818] tty_ioctl+0xa37/0x14f0
[ 92.143975][ T9818] ? tty_vhangup+0x30/0x30
[ 92.143988][ T9818] ? tomoyo_path_number_perm+0x454/0x520
[ 92.144006][ T9818] ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20
[ 92.144018][ T9818] ? tomoyo_path_number_perm+0x25e/0x520
[ 92.144034][ T9818] ? tomoyo_execute_permission+0x4a0/0x4a0
[ 92.144056][ T9818] ? ___might_sleep+0x163/0x2c0
[ 92.144076][ T9818] ? tty_vhangup+0x30/0x30
[ 92.144091][ T9818] do_vfs_ioctl+0x977/0x14e0
[ 92.144111][ T9818] ? compat_ioctl_preallocate+0x220/0x220
[ 92.144126][ T9818] ? selinux_file_mprotect+0x620/0x620
[ 92.144141][ T9818] ? kmem_cache_free+0x26b/0x320
[ 92.144156][ T9818] ? putname+0xf4/0x130
[ 92.144171][ T9818] ? do_sys_open+0x31d/0x5d0
[ 92.144189][ T9818] ? tomoyo_file_ioctl+0x23/0x30
[ 92.144202][ T9818] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 92.144215][ T9818] ? security_file_ioctl+0x8d/0xc0
[ 92.144230][ T9818] ksys_ioctl+0xab/0xd0
[ 92.144246][ T9818] __x64_sys_ioctl+0x73/0xb0
[ 92.144264][ T9818] do_syscall_64+0xfa/0x790
[ 92.144281][ T9818] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 92.144292][ T9818] RIP: 0033:0x445079
[ 92.144306][ T9818] Code: e8 ac e8 ff ff 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 0b cd fb ff c3 66 2e 0f 1f 84 00 00 00 00
[ 92.144313][ T9818] RSP: 002b:00007ffc93f38138 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[ 92.144326][ T9818] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 0000000000445079
[ 92.144333][ T9818] RDX: 0000000020000140 RSI: 000000000000541c RDI: 0000000000000005
[ 92.144341][ T9818] RBP: 00000000006d0018 R08: 000000000000000d R09: 00000000004002e0
[ 92.144349][ T9818] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000402210
[ 92.144356][ T9818] R13: 00000000004022a0 R14: 0000000000000000 R15: 0000000000000000
[ 92.144374][ T9818]
[ 92.144381][ T9818] Allocated by task 9822:
[ 92.144393][ T9818] save_stack+0x23/0x90
[ 92.144404][ T9818] __kasan_kmalloc.constprop.0+0xcf/0xe0
[ 92.144415][ T9818] kasan_kmalloc+0x9/0x10
[ 92.144424][ T9818] __kmalloc+0x163/0x770
[ 92.144435][ T9818] set_selection_kernel+0x872/0x13b0
[ 92.144445][ T9818] set_selection_user+0x95/0xd9
[ 92.144456][ T9818] tioclinux+0x11c/0x480
[ 92.144468][ T9818] vt_ioctl+0x1a41/0x26d0
[ 92.144478][ T9818] tty_ioctl+0xa37/0x14f0
[ 92.144488][ T9818] do_vfs_ioctl+0x977/0x14e0
[ 92.144498][ T9818] ksys_ioctl+0xab/0xd0
[ 92.144509][ T9818] __x64_sys_ioctl+0x73/0xb0
[ 92.144522][ T9818] do_syscall_64+0xfa/0x790
[ 92.144534][ T9818] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 92.144537][ T9818]
[ 92.144543][ T9818] Freed by task 9824:
[ 92.144553][ T9818] save_stack+0x23/0x90
[ 92.144563][ T9818] __kasan_slab_free+0x102/0x150
[ 92.144573][ T9818] kasan_slab_free+0xe/0x10
[ 92.144582][ T9818] kfree+0x10a/0x2c0
[ 92.144592][ T9818] set_selection_kernel+0x88f/0x13b0
[ 92.144602][ T9818] set_selection_user+0x95/0xd9
[ 92.144613][ T9818] tioclinux+0x11c/0x480
[ 92.144625][ T9818] vt_ioctl+0x1a41/0x26d0
[ 92.144636][ T9818] tty_ioctl+0xa37/0x14f0
[ 92.144647][ T9818] do_vfs_ioctl+0x977/0x14e0
[ 92.144658][ T9818] ksys_ioctl+0xab/0xd0
[ 92.144668][ T9818] __x64_sys_ioctl+0x73/0xb0
[ 92.144680][ T9818] do_syscall_64+0xfa/0x790
[ 92.144691][ T9818] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 92.144695][ T9818]
[ 92.144704][ T9818] The buggy address belongs to the object at ffff888092154000
[ 92.144704][ T9818] which belongs to the cache kmalloc-8k of size 8192
[ 92.144715][ T9818] The buggy address is located 1 bytes inside of
[ 92.144715][ T9818] 8192-byte region [ffff888092154000, ffff888092156000)
[ 92.144719][ T9818] The buggy address belongs to the page:
[ 92.144734][ T9818] page:ffffea0002485500 refcount:1 mapcount:0 mapping:ffff8880aa4021c0 index:0x0 compound_mapcount: 0
[ 92.144751][ T9818] raw: 00fffe0000010200 ffffea00026de808 ffffea0002113a08 ffff8880aa4021c0
[ 92.144767][ T9818] raw: 0000000000000000 ffff888092154000 0000000100000001 0000000000000000
[ 92.144773][ T9818] page dumped because: kasan: bad access detected
[ 92.144777][ T9818]
[ 92.144781][ T9818] Memory state around the buggy address:
[ 92.144792][ T9818]  ffff888092153f00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 92.144801][ T9818]  ffff888092153f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 92.144811][ T9818] >ffff888092154000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 92.144816][ T9818]                    ^
[ 92.144825][ T9818]  ffff888092154080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 92.144835][ T9818]  ffff888092154100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 92.144840][ T9818] ==================================================================
[ 92.144844][ T9818] Disabling lock debugging due to kernel taint
[ 92.145144][ T9818] Kernel panic - not syncing: panic_on_warn set ...
[ 92.145159][ T9818] CPU: 1 PID: 9818 Comm: syz-executor327 Tainted: G B 5.5.0-rc1-syzkaller #0
[ 92.145169][ T9818] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 92.145177][ T9818] Call Trace:
[ 92.145193][ T9818] dump_stack+0x197/0x210
[ 92.145208][ T9818] panic+0x2e3/0x75c
[ 92.145222][ T9818] ? add_taint.cold+0x16/0x16
[ 92.145238][ T9818] ? n_tty_receive_buf_common+0x270f/0x2b70
[ 92.145253][ T9818] ? preempt_schedule+0x4b/0x60
[ 92.145268][ T9818] ? ___preempt_schedule+0x16/0x18
[ 92.145284][ T9818] ? trace_hardirqs_on+0x5e/0x240
[ 92.145299][ T9818] ? n_tty_receive_buf_common+0x270f/0x2b70
[ 92.145312][ T9818] end_report+0x47/0x4f
[ 92.145326][ T9818] ? n_tty_receive_buf_common+0x270f/0x2b70
[ 92.145339][ T9818] __kasan_report.cold+0xe/0x41
[ 92.145354][ T9818] ? n_tty_receive_buf_common+0x270f/0x2b70
[ 92.145369][ T9818] kasan_report+0x12/0x20
[ 92.145383][ T9818] __asan_report_load1_noabort+0x14/0x20
[ 92.145398][ T9818] n_tty_receive_buf_common+0x270f/0x2b70
[ 92.145411][ T9818] ? __kasan_check_read+0x11/0x20
[ 92.145434][ T9818] n_tty_receive_buf2+0x34/0x40
[ 92.145449][ T9818] tty_ldisc_receive_buf+0xad/0x1c0
[ 92.145462][ T9818] ? add_wait_queue+0x112/0x170
[ 92.145476][ T9818] ? n_tty_receive_buf_common+0x2b70/0x2b70
[ 92.145489][ T9818] paste_selection+0x1ff/0x460
[ 92.145503][ T9818] ? vcs_remove_sysfs+0x60/0x60
[ 92.145516][ T9818] ? lock_downgrade+0x920/0x920
[ 92.145530][ T9818] ? wake_up_q+0x140/0x140
[ 92.145546][ T9818] tioclinux+0x133/0x480
[ 92.145560][ T9818] vt_ioctl+0x1a41/0x26d0
[ 92.145585][ T9818] ? complete_change_console+0x3a0/0x3a0
[ 92.145598][ T9818] ? lock_downgrade+0x920/0x920
[ 92.145612][ T9818] ? rwlock_bug.part.0+0x90/0x90
[ 92.145626][ T9818] ? tomoyo_path_number_perm+0x214/0x520
[ 92.145638][ T9818] ? find_held_lock+0x35/0x130
[ 92.145652][ T9818] ? tomoyo_path_number_perm+0x214/0x520
[ 92.145668][ T9818] ? __sanitizer_cov_trace_switch+0x49/0x80
[ 92.145677][ T9818] ? tty_jobctrl_ioctl+0x50/0xd40
[ 92.145687][ T9818] ? complete_change_console+0x3a0/0x3a0
[ 92.145696][ T9818] tty_ioctl+0xa37/0x14f0
[ 92.145707][ T9818] ? tty_vhangup+0x30/0x30
[ 92.145718][ T9818] ? tomoyo_path_number_perm+0x454/0x520
[ 92.145732][ T9818] ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20
[ 92.145743][ T9818] ? tomoyo_path_number_perm+0x25e/0x520
[ 92.145756][ T9818] ? tomoyo_execute_permission+0x4a0/0x4a0
[ 92.145772][ T9818] ? ___might_sleep+0x163/0x2c0
[ 92.145787][ T9818] ? tty_vhangup+0x30/0x30
[ 92.145799][ T9818] do_vfs_ioctl+0x977/0x14e0
[ 92.145811][ T9818] ? compat_ioctl_preallocate+0x220/0x220
[ 92.145822][ T9818] ? selinux_file_mprotect+0x620/0x620
[ 92.145835][ T9818] ? kmem_cache_free+0x26b/0x320
[ 92.145850][ T9818] ? putname+0xf4/0x130
[ 92.145869][ T9818] ? do_sys_open+0x31d/0x5d0
[ 92.145883][ T9818] ? tomoyo_file_ioctl+0x23/0x30
[ 92.145898][ T9818] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 92.145911][ T9818] ? security_file_ioctl+0x8d/0xc0
[ 92.145924][ T9818] ksys_ioctl+0xab/0xd0
[ 92.145938][ T9818] __x64_sys_ioctl+0x73/0xb0
[ 92.145952][ T9818] do_syscall_64+0xfa/0x790
[ 92.145967][ T9818] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 92.145979][ T9818] RIP: 0033:0x445079
[ 92.145993][ T9818] Code: e8 ac e8 ff ff 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 0b cd fb ff c3 66 2e 0f 1f 84 00 00 00 00
[ 92.146003][ T9818] RSP: 002b:00007ffc93f38138 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[ 92.146022][ T9818] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 0000000000445079
[ 92.146033][ T9818] RDX: 0000000020000140 RSI: 000000000000541c RDI: 0000000000000005
[ 92.146043][ T9818] RBP: 00000000006d0018 R08: 000000000000000d R09: 00000000004002e0
[ 92.146053][ T9818] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000402210
[ 92.146064][ T9818] R13: 00000000004022a0 R14: 0000000000000000 R15: 0000000000000000
[ 92.147381][ T9818] Kernel Offset: disabled
[ 93.231931][ T9818] Rebooting in 86400 seconds..