[ 42.428855] audit: type=1800 audit(1561915570.306:30): pid=7710 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:kernel_t:s0 op=collect_data cause=failed(directio) comm="startpar" name="mcstrans" dev="sda1" ino=2490 res=0
[ ok ] Starting periodic command scheduler: cron.
Starting mcstransd:
[ ok ] Starting OpenBSD Secure Shell server: sshd.
[ ok ] Starting file context maintaining daemon: restorecond.

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [ 47.588176] kauditd_printk_skb: 4 callbacks suppressed
[ 47.588192] audit: type=1400 audit(1561915575.496:35): avc: denied { map } for pid=7883 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
Warning: Permanently added '10.128.0.226' (ECDSA) to the list of known hosts.
executing program
[ 54.317077] audit: type=1400 audit(1561915582.226:36): avc: denied { map } for pid=7895 comm="syz-executor478" path="/root/syz-executor478147142" dev="sda1" ino=16483 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
[ 54.360560] FAULT_INJECTION: forcing a failure.
[ 54.360560] name failslab, interval 1, probability 0, space 0, times 1
[ 54.371943] CPU: 1 PID: 7896 Comm: syz-executor478 Not tainted 4.19.56 #28
[ 54.379115] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 54.388462] Call Trace:
[ 54.391049]  dump_stack+0x172/0x1f0
[ 54.394669]  should_fail.cold+0xa/0x1b
[ 54.398727]  ? fault_create_debugfs_attr+0x1e0/0x1e0
[ 54.403838]  ? lock_downgrade+0x810/0x810
[ 54.407984]  ? ___might_sleep+0x163/0x280
[ 54.412143]  __should_failslab+0x121/0x190
[ 54.416382]  should_failslab+0x9/0x14
[ 54.420175]  __kmalloc+0x2e2/0x750
[ 54.423798]  ? lock_downgrade+0x810/0x810
[ 54.428304]  ? tls_push_record+0x107/0x13a0
[ 54.432640]  tls_push_record+0x107/0x13a0
[ 54.436789]  ? __sanitizer_cov_trace_cmp8+0x18/0x20
[ 54.441837]  ? _copy_from_iter+0x30d/0xb50
[ 54.446071]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[ 54.451621]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[ 54.457164]  ? __check_object_size+0x3d/0x42f
[ 54.461657]  tls_sw_sendmsg+0xd2e/0x1220
[ 54.465741]  ? decrypt_skb_update+0x5c0/0x5c0
[ 54.470270]  ? iterate_fd+0x360/0x360
[ 54.474064]  ? proc_fail_nth_write+0x9d/0x1e0
[ 54.478563]  inet_sendmsg+0x141/0x5d0
[ 54.482474]  ? ipip_gro_receive+0x100/0x100
[ 54.486787]  sock_sendmsg+0xd7/0x130
[ 54.490503]  __sys_sendto+0x262/0x380
[ 54.494297]  ? __ia32_sys_getpeername+0xb0/0xb0
[ 54.498961]  ? kasan_check_write+0x14/0x20
[ 54.503191]  ? __sb_end_write+0xd9/0x110
[ 54.507247]  ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20
[ 54.512774]  ? fput+0x128/0x1a0
[ 54.516047]  ? ksys_write+0x1f1/0x2d0
[ 54.519846]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 54.524593]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 54.529345]  ? do_syscall_64+0x26/0x620
[ 54.533320]  ? entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 54.538683]  __x64_sys_sendto+0xe1/0x1a0
[ 54.542773]  do_syscall_64+0xfd/0x620
[ 54.546587]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 54.551773] RIP: 0033:0x445cb9
[ 54.554968] Code: e8 fc ba 02 00 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 8b 12 fc ff c3 66 2e 0f 1f 84 00 00 00 00
[ 54.573886] RSP: 002b:00007f0c102c0d68 EFLAGS: 00000246 ORIG_RAX: 000000000000002c
[ 54.581618] RAX: ffffffffffffffda RBX: 00000000006dbc28 RCX: 0000000000445cb9
[ 54.588905] RDX: 00000000fffffece RSI: 00000000200005c0 RDI: 0000000000000003
[ 54.596169] RBP: 00000000006dbc20 R08: 0000000000000000 R09: 0000000000000000
[ 54.603456] R10: 0000000000000000 R11: 0000000000000246 R12: 00007f0c102c0d80
[ 54.610740] R13: 0000000000000005 R14: 0000000000000000 R15: f200dce948faf935
[ 54.621589] ==================================================================
[ 54.629091] BUG: KASAN: use-after-free in tls_push_record+0x102a/0x13a0
[ 54.635850] Write of size 1 at addr ffff8880835f0000 by task syz-executor478/7896
[ 54.643475]
[ 54.645098] CPU: 1 PID: 7896 Comm: syz-executor478 Not tainted 4.19.56 #28
[ 54.652093] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 54.662734] Call Trace:
[ 54.665328]  dump_stack+0x172/0x1f0
[ 54.668975]  ? tls_push_record+0x102a/0x13a0
[ 54.673383]  print_address_description.cold+0x7c/0x20d
[ 54.678752]  ? tls_push_record+0x102a/0x13a0
[ 54.683190]  kasan_report.cold+0x8c/0x2ba
[ 54.687339]  __asan_report_store1_noabort+0x17/0x20
[ 54.692352]  tls_push_record+0x102a/0x13a0
[ 54.696578]  ? __local_bh_enable_ip+0x15a/0x270
[ 54.701250]  ? lock_sock_nested+0x9a/0x120
[ 54.705502]  tls_sw_push_pending_record+0x23/0x30
[ 54.710348]  tls_sk_proto_close+0x5bb/0xa20
[ 54.714671]  ? debug_object_activate+0x2c1/0x4e0
[ 54.719510]  ? tcp_check_oom+0x560/0x560
[ 54.724949]  ? tls_write_space+0x310/0x310
[ 54.729181]  ? ip_mc_drop_socket+0x20c/0x270
[ 54.733582]  ? __sock_release+0x89/0x2a0
[ 54.737636]  inet_release+0xff/0x1e0
[ 54.741370]  inet6_release+0x53/0x80
[ 54.745080]  __sock_release+0xce/0x2a0
[ 54.748961]  ? __sock_release+0x2a0/0x2a0
[ 54.753097]  sock_close+0x1b/0x30
[ 54.756548]  __fput+0x2dd/0x8b0
[ 54.759824]  ____fput+0x16/0x20
[ 54.763094]  task_work_run+0x145/0x1c0
[ 54.767004]  do_exit+0x933/0x2fa0
[ 54.770471]  ? _raw_spin_unlock_bh+0x31/0x40
[ 54.774983]  ? release_sock+0x156/0x1c0
[ 54.778954]  ? get_signal+0x384/0x1fc0
[ 54.782848]  ? mm_update_next_owner+0x660/0x660
[ 54.787512]  ? _raw_spin_unlock_irq+0x28/0x90
[ 54.792025]  ? get_signal+0x384/0x1fc0
[ 54.795911]  ? _raw_spin_unlock_irq+0x28/0x90
[ 54.800405]  do_group_exit+0x135/0x370
[ 54.804480]  get_signal+0x3ec/0x1fc0
[ 54.808190]  ? inet_sendmsg+0x149/0x5d0
[ 54.812195]  do_signal+0x95/0x1960
[ 54.815735]  ? __ia32_sys_getpeername+0xb0/0xb0
[ 54.820422]  ? kasan_check_write+0x14/0x20
[ 54.824654]  ? setup_sigcontext+0x7d0/0x7d0
[ 54.828978]  ? __sb_end_write+0xd9/0x110
[ 54.833413]  ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20
[ 54.838952]  ? fput+0x128/0x1a0
[ 54.842231]  ? ksys_write+0x1f1/0x2d0
[ 54.846033]  ? exit_to_usermode_loop+0x43/0x2c0
[ 54.850719]  ? do_syscall_64+0x53d/0x620
[ 54.854839]  ? exit_to_usermode_loop+0x43/0x2c0
[ 54.859536]  ? lockdep_hardirqs_on+0x415/0x5d0
[ 54.864124]  ? trace_hardirqs_on+0x67/0x220
[ 54.868457]  exit_to_usermode_loop+0x244/0x2c0
[ 54.873063]  do_syscall_64+0x53d/0x620
[ 54.876952]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 54.882155] RIP: 0033:0x445cb9
[ 54.885351] Code: Bad RIP value.
[ 54.888801] RSP: 002b:00007f0c102c0d68 EFLAGS: 00000246 ORIG_RAX: 000000000000002c
[ 54.896534] RAX: 0000000000004000 RBX: 00000000006dbc28 RCX: 0000000000445cb9
[ 54.903905] RDX: 00000000fffffece RSI: 00000000200005c0 RDI: 0000000000000003
[ 54.911172] RBP: 00000000006dbc20 R08: 0000000000000000 R09: 0000000000000000
[ 54.918457] R10: 0000000000000000 R11: 0000000000000246 R12: 00007f0c102c0d80
[ 54.925725] R13: 0000000000000005 R14: 0000000000000000 R15: f200dce948faf935
[ 54.933007]
[ 54.934720] The buggy address belongs to the page:
[ 54.939655] page:ffffea00020d7c00 count:0 mapcount:-128 mapping:0000000000000000 index:0x0
[ 54.948081] flags: 0x1fffc0000000000()
[ 54.951974] raw: 01fffc0000000000 ffffea0002964608 ffff88812fffc878 0000000000000000
[ 54.959943] raw: 0000000000000000 0000000000000003 00000000ffffff7f 0000000000000000
[ 54.967849] page dumped because: kasan: bad access detected
[ 54.973739]
[ 54.975374] Memory state around the buggy address:
[ 54.980296]  ffff8880835eff00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 54.987662]  ffff8880835eff80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 54.995019] >ffff8880835f0000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 55.002371]                    ^
[ 55.005762]  ffff8880835f0080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 55.013144]  ffff8880835f0100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 55.020521] ==================================================================
[ 55.027876] Disabling lock debugging due to kernel taint
[ 55.033737] Kernel panic - not syncing: panic_on_warn set ...
[ 55.033737]
[ 55.041150] CPU: 1 PID: 7896 Comm: syz-executor478 Tainted: G B 4.19.56 #28
[ 55.049538] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 55.058910] Call Trace:
[ 55.061498]  dump_stack+0x172/0x1f0
[ 55.065124]  ? tls_push_record+0x102a/0x13a0
[ 55.069555]  panic+0x263/0x507
[ 55.072855]  ? __warn_printk+0xf3/0xf3
[ 55.076845]  ? tls_push_record+0x102a/0x13a0
[ 55.081253]  ? trace_hardirqs_on+0x5e/0x220
[ 55.085578]  ? trace_hardirqs_on+0x5e/0x220
[ 55.089933]  ? tls_push_record+0x102a/0x13a0
[ 55.095173]  kasan_end_report+0x47/0x4f
[ 55.099153]  kasan_report.cold+0xa9/0x2ba
[ 55.103308]  __asan_report_store1_noabort+0x17/0x20
[ 55.108347]  tls_push_record+0x102a/0x13a0
[ 55.112598]  ? __local_bh_enable_ip+0x15a/0x270
[ 55.117405]  ? lock_sock_nested+0x9a/0x120
[ 55.121639]  tls_sw_push_pending_record+0x23/0x30
[ 55.126479]  tls_sk_proto_close+0x5bb/0xa20
[ 55.130798]  ? debug_object_activate+0x2c1/0x4e0
[ 55.135550]  ? tcp_check_oom+0x560/0x560
[ 55.139606]  ? tls_write_space+0x310/0x310
[ 55.143840]  ? ip_mc_drop_socket+0x20c/0x270
[ 55.148236]  ? __sock_release+0x89/0x2a0
[ 55.152310]  inet_release+0xff/0x1e0
[ 55.156048]  inet6_release+0x53/0x80
[ 55.159753]  __sock_release+0xce/0x2a0
[ 55.163643]  ? __sock_release+0x2a0/0x2a0
[ 55.167780]  sock_close+0x1b/0x30
[ 55.171242]  __fput+0x2dd/0x8b0
[ 55.174522]  ____fput+0x16/0x20
[ 55.177796]  task_work_run+0x145/0x1c0
[ 55.181691]  do_exit+0x933/0x2fa0
[ 55.185159]  ? _raw_spin_unlock_bh+0x31/0x40
[ 55.189561]  ? release_sock+0x156/0x1c0
[ 55.193524]  ? get_signal+0x384/0x1fc0
[ 55.197421]  ? mm_update_next_owner+0x660/0x660
[ 55.202103]  ? _raw_spin_unlock_irq+0x28/0x90
[ 55.207455]  ? get_signal+0x384/0x1fc0
[ 55.211374]  ? _raw_spin_unlock_irq+0x28/0x90
[ 55.215959]  do_group_exit+0x135/0x370
[ 55.219845]  get_signal+0x3ec/0x1fc0
[ 55.223569]  ? inet_sendmsg+0x149/0x5d0
[ 55.227551]  do_signal+0x95/0x1960
[ 55.231092]  ? __ia32_sys_getpeername+0xb0/0xb0
[ 55.235752]  ? kasan_check_write+0x14/0x20
[ 55.239997]  ? setup_sigcontext+0x7d0/0x7d0
[ 55.244312]  ? __sb_end_write+0xd9/0x110
[ 55.248366]  ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20
[ 55.253898]  ? fput+0x128/0x1a0
[ 55.257169]  ? ksys_write+0x1f1/0x2d0
[ 55.260958]  ? exit_to_usermode_loop+0x43/0x2c0
[ 55.265610]  ? do_syscall_64+0x53d/0x620
[ 55.269657]  ? exit_to_usermode_loop+0x43/0x2c0
[ 55.274328]  ? lockdep_hardirqs_on+0x415/0x5d0
[ 55.278900]  ? trace_hardirqs_on+0x67/0x220
[ 55.283225]  exit_to_usermode_loop+0x244/0x2c0
[ 55.287797]  do_syscall_64+0x53d/0x620
[ 55.291677]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 55.296850] RIP: 0033:0x445cb9
[ 55.300058] Code: Bad RIP value.
[ 55.303405] RSP: 002b:00007f0c102c0d68 EFLAGS: 00000246 ORIG_RAX: 000000000000002c
[ 55.311100] RAX: 0000000000004000 RBX: 00000000006dbc28 RCX: 0000000000445cb9
[ 55.318364] RDX: 00000000fffffece RSI: 00000000200005c0 RDI: 0000000000000003
[ 55.325640] RBP: 00000000006dbc20 R08: 0000000000000000 R09: 0000000000000000
[ 55.332914] R10: 0000000000000000 R11: 0000000000000246 R12: 00007f0c102c0d80
[ 55.340184] R13: 0000000000000005 R14: 0000000000000000 R15: f200dce948faf935
[ 55.348404] Kernel Offset: disabled
[ 55.352028] Rebooting in 86400 seconds..