[   72.911725][   T26] audit: type=1800 audit(1568125145.821:30): pid=10454 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:kernel_t:s0 op=collect_data cause=failed(directio) comm="startpar" name="mcstrans" dev="sda1" ino=2457 res=0
[ ok ] Starting periodic command scheduler: cron.
Starting mcstransd:
[ ok ] Starting file context maintaining daemon: restorecond.
[ ok ] Starting OpenBSD Secure Shell server: sshd.

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [   77.142211][   T26] kauditd_printk_skb: 4 callbacks suppressed
[   77.142224][   T26] audit: type=1400 audit(1568125150.081:35): avc:  denied  { map } for  pid=10633 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
Warning: Permanently added '10.128.0.127' (ECDSA) to the list of known hosts.
executing program
[  113.153543][   T26] audit: type=1400 audit(1568125186.091:36): avc:  denied  { map } for  pid=10645 comm="syz-executor388" path="/root/syz-executor388859197" dev="sda1" ino=1426 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
[  113.167703][T10646] L1TF CPU bug present and SMT on, data leak possible. See CVE-2018-3646 and https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/l1tf.html for details.
[  113.229071][   T26] audit: type=1400 audit(1568125186.171:37): avc:  denied  { map } for  pid=10645 comm="syz-executor388" path="/dev/bus/usb/007/001" dev="devtmpfs" ino=18238 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:usb_device_t:s0 tclass=chr_file permissive=1
[  113.259419][T10646] ==================================================================
[  113.267495][T10646] BUG: KASAN: slab-out-of-bounds in handle_vmptrld+0x777/0x800
[  113.275208][T10646] Read of size 4 at addr ffff888090199000 by task syz-executor388/10646
[  113.283520][T10646] 
[  113.285857][T10646] CPU: 1 PID: 10646 Comm: syz-executor388 Not tainted 5.3.0-rc8+ #0
[  113.293843][T10646] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[  113.303894][T10646] Call Trace:
[  113.307184][T10646]  dump_stack+0x172/0x1f0
[  113.311502][T10646]  ? handle_vmptrld+0x777/0x800
[  113.316335][T10646]  print_address_description.cold+0xd4/0x306
[  113.322292][T10646]  ? handle_vmptrld+0x777/0x800
[  113.327132][T10646]  ? handle_vmptrld+0x777/0x800
[  113.331964][T10646]  __kasan_report.cold+0x1b/0x36
[  113.336879][T10646]  ? handle_vmptrld+0x777/0x800
[  113.341714][T10646]  kasan_report+0x12/0x17
[  113.346031][T10646]  __asan_report_load_n_noabort+0xf/0x20
[  113.351660][T10646]  handle_vmptrld+0x777/0x800
[  113.356328][T10646]  ? vmx_update_host_rsp+0x71/0xd0
[  113.361596][T10646]  ? handle_vmon+0x3c0/0x3c0
[  113.366519][T10646]  ? handle_vmon+0x3c0/0x3c0
[  113.371095][T10646]  vmx_handle_exit+0x299/0x15e0
[  113.375939][T10646]  vcpu_enter_guest+0x1087/0x5e90
[  113.380943][T10646]  ? handle_emulation_failure+0x4e0/0x4e0
[  113.386648][T10646]  ? lock_acquire+0x190/0x410
[  113.391308][T10646]  ? kvm_check_async_pf_completion+0x2d8/0x440
[  113.397448][T10646]  kvm_arch_vcpu_ioctl_run+0x464/0x1750
[  113.402986][T10646]  ? kvm_arch_vcpu_ioctl_run+0x464/0x1750
[  113.408700][T10646]  kvm_vcpu_ioctl+0x4dc/0xfd0
[  113.413462][T10646]  ? kvm_write_guest_cached+0x40/0x40
[  113.418832][T10646]  ? tomoyo_path_number_perm+0x263/0x520
[  113.418846][T10646]  ? tomoyo_execute_permission+0x4a0/0x4a0
[  113.418863][T10646]  ? __kasan_check_read+0x11/0x20
[  113.418880][T10646]  ? kvm_write_guest_cached+0x40/0x40
[  113.430281][T10646]  do_vfs_ioctl+0xdb6/0x13e0
[  113.430294][T10646]  ? ioctl_preallocate+0x210/0x210
[  113.430308][T10646]  ? selinux_file_mprotect+0x620/0x620
[  113.430319][T10646]  ? __fget+0x384/0x560
[  113.430335][T10646]  ? ksys_dup3+0x3e0/0x3e0
[  113.464568][T10646]  ? tomoyo_file_ioctl+0x23/0x30
[  113.469761][T10646]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[  113.475982][T10646]  ? security_file_ioctl+0x8d/0xc0
[  113.481080][T10646]  ksys_ioctl+0xab/0xd0
[  113.485324][T10646]  __x64_sys_ioctl+0x73/0xb0
[  113.489926][T10646]  do_syscall_64+0xfd/0x6a0
[  113.494426][T10646]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[  113.500303][T10646] RIP: 0033:0x44ccc9
[  113.504183][T10646] Code: e8 8c b0 02 00 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 6b ce fb ff c3 66 2e 0f 1f 84 00 00 00 00
[  113.523862][T10646] RSP: 002b:00007fccd4f6fce8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[  113.532274][T10646] RAX: ffffffffffffffda RBX: 00000000006dec48 RCX: 000000000044ccc9
[  113.540231][T10646] RDX: 0000000000000000 RSI: 000000000000ae80 RDI: 0000000000000005
[  113.548182][T10646] RBP: 00000000006dec40 R08: 0000000000000000 R09: 0000000000000000
[  113.556140][T10646] R10: 0000000000000000 R11: 0000000000000246 R12: 00000000006dec4c
[  113.564091][T10646] R13: 00007fff812b0b3f R14: 00007fccd4f709c0 R15: 20c49ba5e353f7cf
[  113.572049][T10646] 
[  113.574392][T10646] Allocated by task 10646:
[  113.578791][T10646]  save_stack+0x23/0x90
[  113.582934][T10646]  __kasan_kmalloc.constprop.0+0xcf/0xe0
[  113.588544][T10646]  kasan_kmalloc+0x9/0x10
[  113.592850][T10646]  __kmalloc+0x163/0x770
[  113.597160][T10646]  hcd_buffer_alloc+0x1c6/0x260
[  113.602084][T10646]  usb_alloc_coherent+0x62/0x90
[  113.606917][T10646]  usbdev_mmap+0x1ce/0x790
[  113.611312][T10646]  mmap_region+0xc35/0x1760
[  113.615791][T10646]  do_mmap+0x82e/0x1090
[  113.619938][T10646]  vm_mmap_pgoff+0x1c5/0x230
[  113.624504][T10646]  ksys_mmap_pgoff+0x4aa/0x630
[  113.629247][T10646]  __x64_sys_mmap+0xe9/0x1b0
[  113.633828][T10646]  do_syscall_64+0xfd/0x6a0
[  113.638315][T10646]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[  113.644190][T10646] 
[  113.646512][T10646] Freed by task 10227:
[  113.650564][T10646]  save_stack+0x23/0x90
[  113.654706][T10646]  __kasan_slab_free+0x102/0x150
[  113.659650][T10646]  kasan_slab_free+0xe/0x10
[  113.664133][T10646]  kfree+0x10a/0x2c0
[  113.668101][T10646]  tomoyo_init_log+0x15ba/0x2070
[  113.673024][T10646]  tomoyo_supervisor+0x33f/0xef0
[  113.677952][T10646]  tomoyo_env_perm+0x18e/0x210
[  113.682696][T10646]  tomoyo_find_next_domain+0x1354/0x1f6c
[  113.688318][T10646]  tomoyo_bprm_check_security+0x124/0x1b0
[  113.694025][T10646]  security_bprm_check+0x63/0xb0
[  113.698943][T10646]  search_binary_handler+0x71/0x570
[  113.704119][T10646]  __do_execve_file.isra.0+0x1333/0x2340
[  113.709831][T10646]  __x64_sys_execve+0x8f/0xc0
[  113.714514][T10646]  do_syscall_64+0xfd/0x6a0
[  113.719002][T10646]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[  113.724869][T10646] 
[  113.727182][T10646] The buggy address belongs to the object at ffff8880901993c0
[  113.727182][T10646]  which belongs to the cache kmalloc-8k of size 8192
[  113.741226][T10646] The buggy address is located 960 bytes to the left of
[  113.741226][T10646]  8192-byte region [ffff8880901993c0, ffff88809019b3c0)
[  113.755166][T10646] The buggy address belongs to the page:
[  113.760818][T10646] page:ffffea0002406600 refcount:2 mapcount:0 mapping:ffff8880aa4021c0 index:0x0 compound_mapcount: 0
[  113.771735][T10646] flags: 0x1fffc000001020a(referenced|dirty|slab|head)
[  113.778580][T10646] raw: 01fffc000001020a ffffea0002381f08 ffffea00022b4408 ffff8880aa4021c0
[  113.787422][T10646] raw: 0000000000000000 ffff8880901993c0 0000000200000001 0000000000000000
[  113.796072][T10646] page dumped because: kasan: bad access detected
[  113.802456][T10646] 
[  113.804856][T10646] Memory state around the buggy address:
[  113.810467][T10646]  ffff888090198f00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[  113.818544][T10646]  ffff888090198f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[  113.826618][T10646] >ffff888090199000: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[  113.834651][T10646]                    ^
[  113.840264][T10646]  ffff888090199080: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[  113.848406][T10646]  ffff888090199100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[  113.856449][T10646] ==================================================================
[  113.865915][T10646] Kernel panic - not syncing: panic_on_warn set ...
[  113.872524][T10646] CPU: 1 PID: 10646 Comm: syz-executor388 Tainted: G    B             5.3.0-rc8+ #0
[  113.881892][T10646] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[  113.891997][T10646] Call Trace:
[  113.895298][T10646]  dump_stack+0x172/0x1f0
[  113.899613][T10646]  panic+0x2dc/0x755
[  113.903533][T10646]  ? add_taint.cold+0x16/0x16
[  113.908260][T10646]  ? handle_vmptrld+0x777/0x800
[  113.913098][T10646]  ? preempt_schedule+0x4b/0x60
[  113.918034][T10646]  ? ___preempt_schedule+0x16/0x20
[  113.923184][T10646]  ? trace_hardirqs_on+0x5e/0x240
[  113.928217][T10646]  ? handle_vmptrld+0x777/0x800
[  113.933072][T10646]  end_report+0x47/0x4f
[  113.937406][T10646]  ? handle_vmptrld+0x777/0x800
[  113.942299][T10646]  __kasan_report.cold+0xe/0x36
[  113.947157][T10646]  ? handle_vmptrld+0x777/0x800
[  113.951996][T10646]  kasan_report+0x12/0x17
[  113.956527][T10646]  __asan_report_load_n_noabort+0xf/0x20
[  113.962249][T10646]  handle_vmptrld+0x777/0x800
[  113.967110][T10646]  ? vmx_update_host_rsp+0x71/0xd0
[  113.972224][T10646]  ? handle_vmon+0x3c0/0x3c0
[  113.976800][T10646]  ? handle_vmon+0x3c0/0x3c0
[  113.981370][T10646]  vmx_handle_exit+0x299/0x15e0
[  113.986201][T10646]  vcpu_enter_guest+0x1087/0x5e90
[  113.991218][T10646]  ? handle_emulation_failure+0x4e0/0x4e0
[  113.996933][T10646]  ? lock_acquire+0x190/0x410
[  114.001618][T10646]  ? kvm_check_async_pf_completion+0x2d8/0x440
[  114.007754][T10646]  kvm_arch_vcpu_ioctl_run+0x464/0x1750
[  114.013276][T10646]  ? kvm_arch_vcpu_ioctl_run+0x464/0x1750
[  114.018983][T10646]  kvm_vcpu_ioctl+0x4dc/0xfd0
[  114.023634][T10646]  ? kvm_write_guest_cached+0x40/0x40
[  114.028989][T10646]  ? tomoyo_path_number_perm+0x263/0x520
[  114.034596][T10646]  ? tomoyo_execute_permission+0x4a0/0x4a0
[  114.040395][T10646]  ? __kasan_check_read+0x11/0x20
[  114.045399][T10646]  ? kvm_write_guest_cached+0x40/0x40
[  114.050746][T10646]  do_vfs_ioctl+0xdb6/0x13e0
[  114.055325][T10646]  ? ioctl_preallocate+0x210/0x210
[  114.060413][T10646]  ? selinux_file_mprotect+0x620/0x620
[  114.065847][T10646]  ? __fget+0x384/0x560
[  114.069988][T10646]  ? ksys_dup3+0x3e0/0x3e0
[  114.074392][T10646]  ? tomoyo_file_ioctl+0x23/0x30
[  114.079322][T10646]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[  114.085623][T10646]  ? security_file_ioctl+0x8d/0xc0
[  114.090711][T10646]  ksys_ioctl+0xab/0xd0
[  114.094860][T10646]  __x64_sys_ioctl+0x73/0xb0
[  114.099427][T10646]  do_syscall_64+0xfd/0x6a0
[  114.103908][T10646]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[  114.109786][T10646] RIP: 0033:0x44ccc9
[  114.113656][T10646] Code: e8 8c b0 02 00 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 6b ce fb ff c3 66 2e 0f 1f 84 00 00 00 00
[  114.133233][T10646] RSP: 002b:00007fccd4f6fce8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[  114.141619][T10646] RAX: ffffffffffffffda RBX: 00000000006dec48 RCX: 000000000044ccc9
[  114.149577][T10646] RDX: 0000000000000000 RSI: 000000000000ae80 RDI: 0000000000000005
[  114.157538][T10646] RBP: 00000000006dec40 R08: 0000000000000000 R09: 0000000000000000
[  114.165486][T10646] R10: 0000000000000000 R11: 0000000000000246 R12: 00000000006dec4c
[  114.173434][T10646] R13: 00007fff812b0b3f R14: 00007fccd4f709c0 R15: 20c49ba5e353f7cf
[  114.182971][T10646] Kernel Offset: disabled
[  114.187298][T10646] Rebooting in 86400 seconds..