[   33.434389] audit: type=1800 audit(1580164516.071:33): pid=7170 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:kernel_t:s0 op="collect_data" cause="failed(directio)" comm="startpar" name="rc.local" dev="sda1" ino=2465 res=0
[   33.462189] audit: type=1800 audit(1580164516.071:34): pid=7170 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:kernel_t:s0 op="collect_data" cause="failed(directio)" comm="startpar" name="rmnologin" dev="sda1" ino=2456 res=0

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [   36.457927] random: sshd: uninitialized urandom read (32 bytes read)
[   36.747525] audit: type=1400 audit(1580164519.381:35): avc:  denied  { map } for  pid=7343 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
[   36.798228] random: sshd: uninitialized urandom read (32 bytes read)
[   37.536543] random: sshd: uninitialized urandom read (32 bytes read)
[   37.729807] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.0.183' (ECDSA) to the list of known hosts.
[   43.317911] random: sshd: uninitialized urandom read (32 bytes read)
[   43.437885] audit: type=1400 audit(1580164526.071:36): avc:  denied  { map } for  pid=7355 comm="syz-executor935" path="/root/syz-executor935341964" dev="sda1" ino=16483 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
[   43.670920] IPVS: ftp: loaded support on port[0] = 21
executing program
[   44.495486] ==================================================================
[   44.503989] BUG: KASAN: slab-out-of-bounds in __nla_put_nohdr+0x46/0x50
[   44.512322] Read of size 8 at addr ffff88809fb72f80 by task syz-executor935/7356
[   44.522164] 
[   44.523796] CPU: 0 PID: 7356 Comm: syz-executor935 Not tainted 4.14.168-syzkaller #0
[   44.532796] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   44.544126] Call Trace:
[   44.547021]  dump_stack+0x142/0x197
[   44.551692]  ? __nla_put_nohdr+0x46/0x50
[   44.556745]  print_address_description.cold+0x7c/0x1dc
[   44.562474]  ? __nla_put_nohdr+0x46/0x50
[   44.566724]  kasan_report.cold+0xa9/0x2af
[   44.571260]  check_memory_region+0x123/0x190
[   44.575883]  memcpy+0x24/0x50
[   44.579156]  __nla_put_nohdr+0x46/0x50
[   44.584067]  nla_put_nohdr+0xe8/0x120
[   44.588418]  tcf_em_tree_dump+0x5d1/0x890
[   44.593116]  ? tcf_em_lookup+0x130/0x130
[   44.598584]  ? tcf_proto_lookup_ops+0xf0/0xf0
[   44.604050]  ? nla_put+0xf8/0x130
[   44.608802]  basic_dump+0x1bd/0x410
[   44.612441]  ? basic_classify+0x280/0x280
[   44.617901]  ? nla_put+0xf8/0x130
[   44.621561]  ? basic_classify+0x280/0x280
[   44.627322]  tcf_fill_node+0x536/0x860
[   44.631492]  ? tcf_exts_change+0x130/0x130
[   44.636056]  ? __lock_is_held+0xb6/0x140
[   44.640864]  tfilter_notify+0x11d/0x240
[   44.647089]  tc_ctl_tfilter+0x1048/0x1aba
[   44.651372]  ? tfilter_notify+0x240/0x240
[   44.655606]  ? mutex_trylock+0x1c0/0x1c0
[   44.659783]  ? save_trace+0x290/0x290
[   44.664134]  ? tfilter_notify+0x240/0x240
[   44.669408]  rtnetlink_rcv_msg+0x3da/0xb70
[   44.674470]  ? rtnl_bridge_getlink+0x7a0/0x7a0
[   44.679534]  ? netlink_deliver_tap+0x93/0x8f0
[   44.686633]  netlink_rcv_skb+0x14f/0x3c0
[   44.692052]  ? rtnl_bridge_getlink+0x7a0/0x7a0
[   44.698196]  ? lock_downgrade+0x740/0x740
[   44.704216]  ? netlink_ack+0x9a0/0x9a0
[   44.708270]  ? netlink_deliver_tap+0xba/0x8f0
[   44.713784]  rtnetlink_rcv+0x1d/0x30
[   44.717542]  netlink_unicast+0x44d/0x650
[   44.723049]  ? netlink_attachskb+0x6a0/0x6a0
[   44.729922]  ? security_netlink_send+0x81/0xb0
[   44.735235]  netlink_sendmsg+0x7c4/0xc60
[   44.739866]  ? netlink_unicast+0x650/0x650
[   44.745109]  ? security_socket_sendmsg+0x89/0xb0
[   44.750369]  ? netlink_unicast+0x650/0x650
[   44.761849]  sock_sendmsg+0xce/0x110
[   44.765576]  ___sys_sendmsg+0x70a/0x840
[   44.771342]  ? copy_msghdr_from_user+0x3f0/0x3f0
[   44.777099]  ? __might_fault+0x110/0x1d0
[   44.782147]  ? find_held_lock+0x35/0x130
[   44.786264]  ? __might_fault+0x110/0x1d0
[   44.790723]  ? lock_downgrade+0x740/0x740
[   44.795030]  ? kasan_check_read+0x11/0x20
[   44.800358]  ? _copy_to_user+0x87/0xd0
[   44.805308]  ? move_addr_to_user+0x94/0x1a0
[   44.810306]  ? __fget_light+0x172/0x1f0
[   44.814560]  ? __fdget+0x1b/0x20
[   44.818076]  ? sockfd_lookup_light+0xb4/0x160
[   44.823508]  __sys_sendmsg+0xb9/0x140
[   44.828573]  ? SyS_shutdown+0x170/0x170
[   44.832684]  SyS_sendmsg+0x2d/0x50
[   44.836822]  ? __sys_sendmsg+0x140/0x140
[   44.842364]  do_syscall_64+0x1e8/0x640
[   44.846864]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   44.853810]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[   44.859412] RIP: 0033:0x4410b9
[   44.863131] RSP: 002b:00007ffff343aaf8 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
[   44.872997] RAX: ffffffffffffffda RBX: 00000000004a28b0 RCX: 00000000004410b9
[   44.881928] RDX: 0000000000000000 RSI: 00000000200001c0 RDI: 0000000000000003
[   44.891481] RBP: 00000000006cc018 R08: 0000000120080522 R09: 0000000120080522
[   44.901453] R10: 0000000120080522 R11: 0000000000000246 R12: 00000000004025c0
[   44.910332] R13: 0000000000402650 R14: 0000000000000000 R15: 0000000000000000
[   44.917739] 
[   44.920159] Allocated by task 7356:
[   44.924542]  save_stack_trace+0x16/0x20
[   44.928748]  save_stack+0x45/0xd0
[   44.932878]  kasan_kmalloc+0xce/0xf0
[   44.937391]  __kmalloc_track_caller+0x159/0x790
[   44.942429]  kmemdup+0x27/0x60
[   44.946338]  em_nbyte_change+0xb9/0x130
[   44.950484]  tcf_em_tree_validate+0x922/0xe7e
[   44.955194]  basic_change+0x451/0xfb0
[   44.959154]  tc_ctl_tfilter+0xff1/0x1aba
[   44.963623]  rtnetlink_rcv_msg+0x3da/0xb70
[   44.967995]  netlink_rcv_skb+0x14f/0x3c0
[   44.972189]  rtnetlink_rcv+0x1d/0x30
[   44.976007]  netlink_unicast+0x44d/0x650
[   44.980278]  netlink_sendmsg+0x7c4/0xc60
[   44.984697]  sock_sendmsg+0xce/0x110
[   44.988698]  ___sys_sendmsg+0x70a/0x840
[   44.992836]  __sys_sendmsg+0xb9/0x140
[   44.997020]  SyS_sendmsg+0x2d/0x50
[   45.000653]  do_syscall_64+0x1e8/0x640
[   45.005293]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[   45.010941] 
[   45.012613] Freed by task 5619:
[   45.016074]  save_stack_trace+0x16/0x20
[   45.020208]  save_stack+0x45/0xd0
[   45.023969]  kasan_slab_free+0x75/0xc0
[   45.028153]  kfree+0xcc/0x270
[   45.031315]  xattr_getsecurity+0x104/0x110
[   45.036326]  vfs_getxattr+0xc6/0x110
[   45.040211]  getxattr+0xef/0x2a0
[   45.043959]  path_getxattr+0xa3/0x100
[   45.048798]  SyS_lgetxattr+0x31/0x40
[   45.052872]  do_syscall_64+0x1e8/0x640
[   45.057363]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[   45.063211] 
[   45.065133] The buggy address belongs to the object at ffff88809fb72f80
[   45.065133]  which belongs to the cache kmalloc-32 of size 32
[   45.078601] The buggy address is located 0 bytes inside of
[   45.078601]  32-byte region [ffff88809fb72f80, ffff88809fb72fa0)
[   45.091513] The buggy address belongs to the page:
[   45.096833] page:ffffea00027edc80 count:1 mapcount:0 mapping:ffff88809fb72000 index:0xffff88809fb72fc1
[   45.107449] flags: 0xfffe0000000100(slab)
[   45.112205] raw: 00fffe0000000100 ffff88809fb72000 ffff88809fb72fc1 000000010000003b
[   45.120107] raw: ffffea00027e1aa0 ffffea00027d7120 ffff8880aa8001c0 0000000000000000
[   45.129116] page dumped because: kasan: bad access detected
[   45.135067] 
[   45.136952] Memory state around the buggy address:
[   45.142801]  ffff88809fb72e80: fb fb fb fb fc fc fc fc fb fb fb fb fc fc fc fc
[   45.152035]  ffff88809fb72f00: 06 fc fc fc fc fc fc fc fb fb fb fb fc fc fc fc
[   45.160905] >ffff88809fb72f80: 04 fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   45.170827]                    ^
[   45.174853]  ffff88809fb73000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   45.189505]  ffff88809fb73080: fb fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc
[   45.201804] ==================================================================
[   45.213317] Disabling lock debugging due to kernel taint
[   45.221631] Kernel panic - not syncing: panic_on_warn set ...
[   45.221631] 
[   45.234485] CPU: 1 PID: 7356 Comm: syz-executor935 Tainted: G    B           4.14.168-syzkaller #0
[   45.247812] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   45.257854] Call Trace:
[   45.260462]  dump_stack+0x142/0x197
[   45.265682]  ? __nla_put_nohdr+0x46/0x50
[   45.269917]  panic+0x1f9/0x42d
[   45.273115]  ? add_taint.cold+0x16/0x16
[   45.277389]  ? ___preempt_schedule+0x16/0x18
[   45.282699]  kasan_end_report+0x47/0x4f
[   45.287761]  kasan_report.cold+0x130/0x2af
[   45.292105]  check_memory_region+0x123/0x190
[   45.297048]  memcpy+0x24/0x50
[   45.300489]  __nla_put_nohdr+0x46/0x50
[   45.304387]  nla_put_nohdr+0xe8/0x120
[   45.308543]  tcf_em_tree_dump+0x5d1/0x890
[   45.312851]  ? tcf_em_lookup+0x130/0x130
[   45.317413]  ? tcf_proto_lookup_ops+0xf0/0xf0
[   45.322319]  ? nla_put+0xf8/0x130
[   45.325987]  basic_dump+0x1bd/0x410
[   45.329747]  ? basic_classify+0x280/0x280
[   45.334644]  ? nla_put+0xf8/0x130
[   45.338217]  ? basic_classify+0x280/0x280
[   45.343222]  tcf_fill_node+0x536/0x860
[   45.347813]  ? tcf_exts_change+0x130/0x130
[   45.352197]  ? __lock_is_held+0xb6/0x140
[   45.356561]  tfilter_notify+0x11d/0x240
[   45.360894]  tc_ctl_tfilter+0x1048/0x1aba
[   45.365141]  ? tfilter_notify+0x240/0x240
[   45.369665]  ? mutex_trylock+0x1c0/0x1c0
[   45.374110]  ? save_trace+0x290/0x290
[   45.378381]  ? tfilter_notify+0x240/0x240
[   45.390715]  rtnetlink_rcv_msg+0x3da/0xb70
[   45.395384]  ? rtnl_bridge_getlink+0x7a0/0x7a0
[   45.400325]  ? netlink_deliver_tap+0x93/0x8f0
[   45.405994]  netlink_rcv_skb+0x14f/0x3c0
[   45.410327]  ? rtnl_bridge_getlink+0x7a0/0x7a0
[   45.415490]  ? lock_downgrade+0x740/0x740
[   45.420067]  ? netlink_ack+0x9a0/0x9a0
[   45.423971]  ? netlink_deliver_tap+0xba/0x8f0
[   45.429001]  rtnetlink_rcv+0x1d/0x30
[   45.433063]  netlink_unicast+0x44d/0x650
[   45.437340]  ? netlink_attachskb+0x6a0/0x6a0
[   45.442148]  ? security_netlink_send+0x81/0xb0
[   45.447245]  netlink_sendmsg+0x7c4/0xc60
[   45.451626]  ? netlink_unicast+0x650/0x650
[   45.456306]  ? security_socket_sendmsg+0x89/0xb0
[   45.461284]  ? netlink_unicast+0x650/0x650
[   45.466099]  sock_sendmsg+0xce/0x110
[   45.471274]  ___sys_sendmsg+0x70a/0x840
[   45.475330]  ? copy_msghdr_from_user+0x3f0/0x3f0
[   45.480487]  ? __might_fault+0x110/0x1d0
[   45.485417]  ? find_held_lock+0x35/0x130
[   45.489479]  ? __might_fault+0x110/0x1d0
[   45.493912]  ? lock_downgrade+0x740/0x740
[   45.498923]  ? kasan_check_read+0x11/0x20
[   45.503780]  ? _copy_to_user+0x87/0xd0
[   45.509032]  ? move_addr_to_user+0x94/0x1a0
[   45.513859]  ? __fget_light+0x172/0x1f0
[   45.518388]  ? __fdget+0x1b/0x20
[   45.522523]  ? sockfd_lookup_light+0xb4/0x160
[   45.528426]  __sys_sendmsg+0xb9/0x140
[   45.532885]  ? SyS_shutdown+0x170/0x170
[   45.536959]  SyS_sendmsg+0x2d/0x50
[   45.541246]  ? __sys_sendmsg+0x140/0x140
[   45.545532]  do_syscall_64+0x1e8/0x640
[   45.549461]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   45.554842]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[   45.560478] RIP: 0033:0x4410b9
[   45.564009] RSP: 002b:00007ffff343aaf8 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
[   45.572071] RAX: ffffffffffffffda RBX: 00000000004a28b0 RCX: 00000000004410b9
[   45.580043] RDX: 0000000000000000 RSI: 00000000200001c0 RDI: 0000000000000003
[   45.587506] RBP: 00000000006cc018 R08: 0000000120080522 R09: 0000000120080522
[   45.594948] R10: 0000000120080522 R11: 0000000000000246 R12: 00000000004025c0
[   45.603608] R13: 0000000000402650 R14: 0000000000000000 R15: 0000000000000000
[   45.613993] Kernel Offset: disabled
[   45.617940] Rebooting in 86400 seconds..