[ 45.671346] audit: type=1800 audit(1583896660.407:31): pid=7889 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:kernel_t:s0 op=collect_data cause=failed(directio) comm="startpar" name="restorecond" dev="sda1" ino=2469 res=0
[ 45.693575] audit: type=1800 audit(1583896660.407:32): pid=7889 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:kernel_t:s0 op=collect_data cause=failed(directio) comm="startpar" name="ssh" dev="sda1" ino=2450 res=0
Starting mcstransd:
[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.
[ ok ] Starting file context maintaining daemon: restorecond.

Debian GNU/Linux 7 syzkaller ttyS0

Warning: Permanently added '10.128.0.19' (ECDSA) to the list of known hosts.
executing program
syzkaller login: [ 53.792074] kauditd_printk_skb: 3 callbacks suppressed
[ 53.792088] audit: type=1400 audit(1583896668.577:36): avc: denied { map } for pid=8070 comm="syz-executor877" path="/root/syz-executor877659611" dev="sda1" ino=16483 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
[ 53.795913] ==================================================================
[ 53.831035] BUG: KASAN: slab-out-of-bounds in selinux_xfrm_alloc_user+0x205/0x400
[ 53.838695] Read of size 768 at addr ffff8880a9534a34 by task syz-executor877/8070
[ 53.846383]
[ 53.848000] CPU: 0 PID: 8070 Comm: syz-executor877 Not tainted 4.19.108-syzkaller #0
[ 53.855901] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 53.865249] Call Trace:
[ 53.867841]  dump_stack+0x188/0x20d
[ 53.871459]  ? selinux_xfrm_alloc_user+0x205/0x400
[ 53.876427]  print_address_description.cold+0x7c/0x212
[ 53.881704]  ? selinux_xfrm_alloc_user+0x205/0x400
[ 53.886639]  kasan_report.cold+0x88/0x2b9
[ 53.890949]  memcpy+0x20/0x50
[ 53.894056]  selinux_xfrm_alloc_user+0x205/0x400
[ 53.898803]  security_xfrm_policy_alloc+0x6c/0xb0
[ 53.903638]  xfrm_policy_construct+0x2a8/0x660
[ 53.908205]  xfrm_add_acquire+0x215/0x9f0
[ 53.912346]  ? mark_lock+0x85c/0x11b0
[ 53.916177]  ? print_shortest_lock_dependencies+0x80/0x80
[ 53.921704]  ? cap_capable+0x1eb/0x250
[ 53.925584]  ? xfrm_add_policy+0x4e0/0x4e0
[ 53.929804]  ? nla_parse+0x1f3/0x2f0
[ 53.933502]  ? xfrm_add_policy+0x4e0/0x4e0
[ 53.937730]  xfrm_user_rcv_msg+0x40c/0x6b0
[ 53.941954]  ? xfrm_dump_sa_done+0xe0/0xe0
[ 53.946217]  ? __lock_acquire+0x6ee/0x49c0
[ 53.950475]  ? __mutex_lock+0x3cd/0x1300
[ 53.954545]  ? xfrm_netlink_rcv+0x5c/0x90
[ 53.958678]  netlink_rcv_skb+0x160/0x410
[ 53.962727]  ? xfrm_dump_sa_done+0xe0/0xe0
[ 53.966945]  ? netlink_ack+0xa60/0xa60
[ 53.970818]  ? lock_downgrade+0x740/0x740
[ 53.974950]  xfrm_netlink_rcv+0x6b/0x90
[ 53.978906]  netlink_unicast+0x4d7/0x6a0
[ 53.982954]  ? netlink_attachskb+0x710/0x710
[ 53.987352]  netlink_sendmsg+0x80b/0xcd0
[ 53.991398]  ? netlink_unicast+0x6a0/0x6a0
[ 53.995613]  ? move_addr_to_kernel.part.0+0x110/0x110
[ 54.000791]  ? netlink_unicast+0x6a0/0x6a0
[ 54.005010]  sock_sendmsg+0xcf/0x120
[ 54.008709]  ___sys_sendmsg+0x803/0x920
[ 54.012681]  ? copy_msghdr_from_user+0x410/0x410
[ 54.017424]  ? prep_transhuge_page+0xa0/0xa0
[ 54.021828]  ? pud_val+0x7c/0xf0
[ 54.025177]  ? __pmd+0x60/0x60
[ 54.028354]  ? __handle_mm_fault+0x754/0x3b60
[ 54.032842]  ? copy_page_range+0x1e70/0x1e70
[ 54.037236]  ? count_memcg_event_mm+0x279/0x4c0
[ 54.041902]  ? find_held_lock+0x2d/0x110
[ 54.045947]  ? __do_page_fault+0x631/0xdd0
[ 54.050174]  ? __fget_light+0x1a2/0x230
[ 54.054148]  __sys_sendmsg+0xec/0x1b0
[ 54.057930]  ? __ia32_sys_shutdown+0x70/0x70
[ 54.062329]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 54.067077]  ? trace_hardirqs_off_caller+0x55/0x210
[ 54.072077]  ? do_syscall_64+0x21/0x620
[ 54.076039]  do_syscall_64+0xf9/0x620
[ 54.079824]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 54.084997] RIP: 0033:0x4405f9
[ 54.088174] Code: 18 89 d0 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 fb 13 fc ff c3 66 2e 0f 1f 84 00 00 00 00
[ 54.108282] RSP: 002b:00007ffd06fd0338 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
[ 54.115971] RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 00000000004405f9
[ 54.123235] RDX: 0000000000000000 RSI: 0000000020000080 RDI: 0000000000000003
[ 54.130497] RBP: 00000000006ca018 R08: 0000000000000000 R09: 00000000004002c8
[ 54.137763] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000401e80
[ 54.145023] R13: 0000000000401f10 R14: 0000000000000000 R15: 0000000000000000
[ 54.152285]
[ 54.153898] Allocated by task 8070:
[ 54.157514]  kasan_kmalloc+0xbf/0xe0
[ 54.161212]  __kmalloc_node_track_caller+0x4c/0x70
[ 54.166126]  __kmalloc_reserve.isra.0+0x39/0xe0
[ 54.170777]  __alloc_skb+0xef/0x5b0
[ 54.174386]  netlink_sendmsg+0x8d6/0xcd0
[ 54.178429]  sock_sendmsg+0xcf/0x120
[ 54.182123]  ___sys_sendmsg+0x803/0x920
[ 54.186077]  __sys_sendmsg+0xec/0x1b0
[ 54.189861]  do_syscall_64+0xf9/0x620
[ 54.193697]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 54.198878]
[ 54.200546] Freed by task 4450:
[ 54.203859]  __kasan_slab_free+0xf7/0x140
[ 54.208117]  kfree+0xce/0x220
[ 54.211215]  free_pipe_info+0x232/0x2f0
[ 54.215249]  put_pipe_info+0xc2/0xe0
[ 54.218959]  pipe_release+0x1d6/0x270
[ 54.222744]  __fput+0x2cd/0x890
[ 54.226007]  task_work_run+0x13f/0x1b0
[ 54.229883]  exit_to_usermode_loop+0x25a/0x2b0
[ 54.234451]  do_syscall_64+0x538/0x620
[ 54.238326]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 54.243493]
[ 54.245104] The buggy address belongs to the object at ffff8880a9534900
[ 54.245104]  which belongs to the cache kmalloc-1024 of size 1024
[ 54.257920] The buggy address is located 308 bytes inside of
[ 54.257920]  1024-byte region [ffff8880a9534900, ffff8880a9534d00)
[ 54.269862] The buggy address belongs to the page:
[ 54.274775] page:ffffea0002a54d00 count:1 mapcount:0 mapping:ffff88812c3dcac0 index:0x0 compound_mapcount: 0
[ 54.284723] flags: 0xfffe0000008100(slab|head)
[ 54.289290] raw: 00fffe0000008100 ffffea0002451b88 ffffea0002a13008 ffff88812c3dcac0
[ 54.297155] raw: 0000000000000000 ffff8880a9534000 0000000100000007 0000000000000000
[ 54.305018] page dumped because: kasan: bad access detected
[ 54.310706]
[ 54.312311] Memory state around the buggy address:
[ 54.317220]  ffff8880a9534c00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 54.324559]  ffff8880a9534c80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 54.331900] >ffff8880a9534d00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 54.339237]                    ^
[ 54.342591]  ffff8880a9534d80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 54.349945]  ffff8880a9534e00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 54.357291] ==================================================================
[ 54.364689] Disabling lock debugging due to kernel taint
[ 54.371264] Kernel panic - not syncing: panic_on_warn set ...
[ 54.371264]
[ 54.378673] CPU: 0 PID: 8070 Comm: syz-executor877 Tainted: G B 4.19.108-syzkaller #0
[ 54.387969] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 54.397302] Call Trace:
[ 54.399879]  dump_stack+0x188/0x20d
[ 54.403490]  panic+0x26a/0x50e
[ 54.406665]  ? __warn_printk+0xf3/0xf3
[ 54.410543]  ? preempt_schedule_common+0x4a/0xc0
[ 54.415282]  ? selinux_xfrm_alloc_user+0x205/0x400
[ 54.420196]  ? ___preempt_schedule+0x16/0x18
[ 54.424585]  ? trace_hardirqs_on+0x55/0x210
[ 54.429170]  ? selinux_xfrm_alloc_user+0x205/0x400
[ 54.434088]  kasan_end_report+0x43/0x49
[ 54.438071]  kasan_report.cold+0xa4/0x2b9
[ 54.442203]  memcpy+0x20/0x50
[ 54.445297]  selinux_xfrm_alloc_user+0x205/0x400
[ 54.450041]  security_xfrm_policy_alloc+0x6c/0xb0
[ 54.454875]  xfrm_policy_construct+0x2a8/0x660
[ 54.459444]  xfrm_add_acquire+0x215/0x9f0
[ 54.463579]  ? mark_lock+0x85c/0x11b0
[ 54.467362]  ? print_shortest_lock_dependencies+0x80/0x80
[ 54.472881]  ? cap_capable+0x1eb/0x250
[ 54.476754]  ? xfrm_add_policy+0x4e0/0x4e0
[ 54.480969]  ? nla_parse+0x1f3/0x2f0
[ 54.484665]  ? xfrm_add_policy+0x4e0/0x4e0
[ 54.488878]  xfrm_user_rcv_msg+0x40c/0x6b0
[ 54.493097]  ? xfrm_dump_sa_done+0xe0/0xe0
[ 54.497314]  ? __lock_acquire+0x6ee/0x49c0
[ 54.501537]  ? __mutex_lock+0x3cd/0x1300
[ 54.505594]  ? xfrm_netlink_rcv+0x5c/0x90
[ 54.509728]  netlink_rcv_skb+0x160/0x410
[ 54.513770]  ? xfrm_dump_sa_done+0xe0/0xe0
[ 54.517983]  ? netlink_ack+0xa60/0xa60
[ 54.521858]  ? lock_downgrade+0x740/0x740
[ 54.525987]  xfrm_netlink_rcv+0x6b/0x90
[ 54.529942]  netlink_unicast+0x4d7/0x6a0
[ 54.533985]  ? netlink_attachskb+0x710/0x710
[ 54.538376]  netlink_sendmsg+0x80b/0xcd0
[ 54.542420]  ? netlink_unicast+0x6a0/0x6a0
[ 54.546634]  ? move_addr_to_kernel.part.0+0x110/0x110
[ 54.551804]  ? netlink_unicast+0x6a0/0x6a0
[ 54.556019]  sock_sendmsg+0xcf/0x120
[ 54.559740]  ___sys_sendmsg+0x803/0x920
[ 54.563700]  ? copy_msghdr_from_user+0x410/0x410
[ 54.568445]  ? prep_transhuge_page+0xa0/0xa0
[ 54.572851]  ? pud_val+0x7c/0xf0
[ 54.576203]  ? __pmd+0x60/0x60
[ 54.579378]  ? __handle_mm_fault+0x754/0x3b60
[ 54.583864]  ? copy_page_range+0x1e70/0x1e70
[ 54.588256]  ? count_memcg_event_mm+0x279/0x4c0
[ 54.592910]  ? find_held_lock+0x2d/0x110
[ 54.596955]  ? __do_page_fault+0x631/0xdd0
[ 54.601171]  ? __fget_light+0x1a2/0x230
[ 54.605169]  __sys_sendmsg+0xec/0x1b0
[ 54.608950]  ? __ia32_sys_shutdown+0x70/0x70
[ 54.613350]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 54.618088]  ? trace_hardirqs_off_caller+0x55/0x210
[ 54.623251]  ? do_syscall_64+0x21/0x620
[ 54.627251]  do_syscall_64+0xf9/0x620
[ 54.631037]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 54.636207] RIP: 0033:0x4405f9
[ 54.639383] Code: 18 89 d0 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 fb 13 fc ff c3 66 2e 0f 1f 84 00 00 00 00
[ 54.658277] RSP: 002b:00007ffd06fd0338 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
[ 54.665969] RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 00000000004405f9
[ 54.673237] RDX: 0000000000000000 RSI: 0000000020000080 RDI: 0000000000000003
[ 54.680486] RBP: 00000000006ca018 R08: 0000000000000000 R09: 00000000004002c8
[ 54.687736] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000401e80
[ 54.694987] R13: 0000000000401f10 R14: 0000000000000000 R15: 0000000000000000
[ 54.703422] Kernel Offset: disabled
[ 54.707054] Rebooting in 86400 seconds..