Starting mcstransd:
[ ok ] Starting periodic command scheduler: cron.
[....] Starting file context maintaining daemon: restorecond
[   37.305423] audit: type=1800 audit(1570075053.174:33): pid=7321 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:kernel_t:s0 op=collect_data cause=failed(directio) comm="startpar" name="rc.local" dev="sda1" ino=2465 res=0
[   37.328563] audit: type=1800 audit(1570075053.174:34): pid=7321 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:kernel_t:s0 op=collect_data cause=failed(directio) comm="startpar" name="rmnologin" dev="sda1" ino=2456 res=0
[ ok ] Starting file context maintaining daemon: restorecond.
[ ok ] Starting OpenBSD Secure Shell server: sshd.

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: 
[   41.234858] audit: type=1400 audit(1570075057.104:35): avc:  denied  { map } for  pid=7496 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
Warning: Permanently added '10.128.10.34' (ECDSA) to the list of known hosts.
executing program
[   66.220514] audit: type=1400 audit(1570075082.084:36): avc:  denied  { map } for  pid=7508 comm="syz-executor177" path="/root/syz-executor177579298" dev="sda1" ino=16484 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
[   66.261127] FAULT_INJECTION: forcing a failure.
[   66.261127] name failslab, interval 1, probability 0, space 0, times 1
[   66.272492] CPU: 0 PID: 7508 Comm: syz-executor177 Not tainted 4.19.76 #0
[   66.279426] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   66.288775] Call Trace:
[   66.291352]  dump_stack+0x172/0x1f0
[   66.294968]  should_fail.cold+0xa/0x1b
[   66.298854]  ? fault_create_debugfs_attr+0x1e0/0x1e0
[   66.303951]  ? lock_downgrade+0x880/0x880
[   66.308089]  __should_failslab+0x121/0x190
[   66.312307]  should_failslab+0x9/0x14
[   66.316091]  __kmalloc+0x2e2/0x750
[   66.319615]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   66.325138]  ? __sk_mem_schedule+0xac/0xe0
[   66.329369]  ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20
[   66.334894]  ? tls_push_record+0x107/0x13a0
[   66.339222]  tls_push_record+0x107/0x13a0
[   66.343373]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   66.348979]  ? alloc_encrypted_sg+0xa8/0x110
[   66.353397]  tls_sw_sendpage+0x538/0xd50
[   66.357460]  ? tls_sw_sendmsg+0x1240/0x1240
[   66.361769]  ? pipe_lock+0x6e/0x80
[   66.365294]  ? tls_sw_sendmsg+0x1240/0x1240
[   66.369718]  inet_sendpage+0x168/0x630
[   66.373749]  kernel_sendpage+0x92/0xf0
[   66.377631]  ? inet_sendmsg+0x5d0/0x5d0
[   66.381593]  sock_sendpage+0x8b/0xc0
[   66.385295]  pipe_to_sendpage+0x296/0x360
[   66.389425]  ? kernel_sendpage+0xf0/0xf0
[   66.393471]  ? direct_splice_actor+0x190/0x190
[   66.398060]  ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20
[   66.403581]  ? anon_pipe_buf_release+0x1c6/0x270
[   66.408324]  __splice_from_pipe+0x391/0x7d0
[   66.412638]  ? direct_splice_actor+0x190/0x190
[   66.417204]  ? direct_splice_actor+0x190/0x190
[   66.421777]  splice_from_pipe+0x108/0x170
[   66.425914]  ? splice_shrink_spd+0xd0/0xd0
[   66.430138]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   66.435669]  ? security_file_permission+0x89/0x230
[   66.440581]  generic_splice_sendpage+0x3c/0x50
[   66.445145]  ? splice_from_pipe+0x170/0x170
[   66.449452]  do_splice+0x642/0x12c0
[   66.453062]  ? __sb_end_write+0xd9/0x110
[   66.457127]  ? vfs_write+0x160/0x560
[   66.460834]  ? opipe_prep.part.0+0x2d0/0x2d0
[   66.465236]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   66.470755]  ? __fget_light+0x1a9/0x230
[   66.474730]  __x64_sys_splice+0x2c6/0x330
[   66.478876]  do_syscall_64+0xfd/0x620
[   66.482663]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   66.487843] RIP: 0033:0x440699
[   66.491021] Code: 18 89 d0 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 5b 14 fc ff c3 66 2e 0f 1f 84 00 00 00 00
[   66.509918] RSP: 002b:00007fffe78b5028 EFLAGS: 00000246 ORIG_RAX: 0000000000000113
[   66.517616] RAX: ffffffffffffffda RBX: 00007fffe78b5040 RCX: 0000000000440699
[   66.524867] RDX: 0000000000000004 RSI: 0000000000000000 RDI: 0000000000000003
[   66.532131] RBP: 0000000000000005 R08: 000000011d100000 R09: 0000000000000000
[   66.539393] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000401f80
[   66.546752] R13: 0000000000402010 R14: 0000000000000000 R15: 0000000000000000
[   66.714527] ==================================================================
[   66.722021] BUG: KASAN: use-after-free in scatterwalk_copychunks+0x269/0x6a0
[   66.729881] Read of size 4096 at addr ffff8880a0a71000 by task syz-executor177/7508
[   66.737669] 
[   66.739297] CPU: 0 PID: 7508 Comm: syz-executor177 Not tainted 4.19.76 #0
[   66.746208] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   66.756507] Call Trace:
[   66.759089]  dump_stack+0x172/0x1f0
[   66.762723]  ? scatterwalk_copychunks+0x269/0x6a0
[   66.767578]  print_address_description.cold+0x7c/0x20d
[   66.772846]  ? scatterwalk_copychunks+0x269/0x6a0
[   66.778042]  kasan_report.cold+0x8c/0x2ba
[   66.782176]  check_memory_region+0x123/0x190
[   66.786569]  memcpy+0x24/0x50
[   66.789668]  scatterwalk_copychunks+0x269/0x6a0
[   66.794329]  scatterwalk_map_and_copy+0x14d/0x1d0
[   66.799154]  ? scatterwalk_copychunks+0x6a0/0x6a0
[   66.803986]  ? rcu_read_lock_sched_held+0x110/0x130
[   66.810025]  ? __kmalloc+0x5e1/0x750
[   66.813733]  ? _raw_spin_unlock_irqrestore+0xa4/0xe0
[   66.818855]  ? gcmaes_encrypt.constprop.0+0x6c4/0xd90
[   66.824044]  gcmaes_encrypt.constprop.0+0x762/0xd90
[   66.829046]  ? save_stack+0x45/0xd0
[   66.832660]  ? kasan_kmalloc+0xce/0xf0
[   66.836544]  ? tls_push_record+0x107/0x13a0
[   66.841037]  ? gcmaes_crypt_by_sg.constprop.0+0x1850/0x1850
[   66.846745]  ? entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   66.852117]  ? mark_held_locks+0x100/0x100
[   66.856425]  ? schedule_timeout+0x52c/0xfc0
[   66.860744]  ? remove_wait_queue+0x10f/0x190
[   66.865168]  ? find_held_lock+0x35/0x130
[   66.869216]  ? fs_reclaim_acquire+0x20/0x20
[   66.873528]  ? __lock_is_held+0xb6/0x140
[   66.877575]  ? should_fail+0x14d/0x85c
[   66.881466]  generic_gcmaes_encrypt+0x108/0x160
[   66.886141]  ? generic_gcmaes_encrypt+0x108/0x160
[   66.890971]  ? helper_rfc4106_encrypt+0x390/0x390
[   66.895809]  ? __kmalloc+0x5e1/0x750
[   66.899509]  ? sk_stream_wait_memory+0xadc/0xe50
[   66.904257]  gcmaes_wrapper_encrypt+0x15f/0x200
[   66.908917]  tls_push_record+0x9c0/0x13a0
[   66.913064]  tls_sw_sendpage+0x538/0xd50
[   66.917266]  ? tls_sw_sendmsg+0x1240/0x1240
[   66.921591]  ? pipe_lock+0x6e/0x80
[   66.925120]  ? tls_sw_sendmsg+0x1240/0x1240
[   66.929441]  inet_sendpage+0x168/0x630
[   66.933316]  kernel_sendpage+0x92/0xf0
[   66.937200]  ? inet_sendmsg+0x5d0/0x5d0
[   66.941244]  sock_sendpage+0x8b/0xc0
[   66.945131]  pipe_to_sendpage+0x296/0x360
[   66.949266]  ? kernel_sendpage+0xf0/0xf0
[   66.953398]  ? direct_splice_actor+0x190/0x190
[   66.957966]  ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20
[   66.963487]  ? anon_pipe_buf_release+0x1c6/0x270
[   66.968227]  __splice_from_pipe+0x391/0x7d0
[   66.972548]  ? direct_splice_actor+0x190/0x190
[   66.977120]  ? direct_splice_actor+0x190/0x190
[   66.981688]  splice_from_pipe+0x108/0x170
[   66.985843]  ? splice_shrink_spd+0xd0/0xd0
[   66.990248]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   66.995817]  ? security_file_permission+0x89/0x230
[   67.000743]  generic_splice_sendpage+0x3c/0x50
[   67.005312]  ? splice_from_pipe+0x170/0x170
[   67.009632]  do_splice+0x642/0x12c0
[   67.013245]  ? __sb_end_write+0xd9/0x110
[   67.017287]  ? vfs_write+0x160/0x560
[   67.020996]  ? opipe_prep.part.0+0x2d0/0x2d0
[   67.025391]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   67.030936]  ? __fget_light+0x1a9/0x230
[   67.035093]  __x64_sys_splice+0x2c6/0x330
[   67.039228]  do_syscall_64+0xfd/0x620
[   67.043011]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   67.048395] RIP: 0033:0x440699
[   67.051580] Code: 18 89 d0 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 5b 14 fc ff c3 66 2e 0f 1f 84 00 00 00 00
[   67.071224] RSP: 002b:00007fffe78b5028 EFLAGS: 00000246 ORIG_RAX: 0000000000000113
[   67.078936] RAX: ffffffffffffffda RBX: 00007fffe78b5040 RCX: 0000000000440699
[   67.086188] RDX: 0000000000000004 RSI: 0000000000000000 RDI: 0000000000000003
[   67.093471] RBP: 0000000000000005 R08: 000000011d100000 R09: 0000000000000000
[   67.100725] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000401f80
[   67.107992] R13: 0000000000402010 R14: 0000000000000000 R15: 0000000000000000
[   67.115428] 
[   67.117059] Allocated by task 5909:
[   67.120687]  save_stack+0x45/0xd0
[   67.124130]  kasan_kmalloc+0xce/0xf0
[   67.128098]  kasan_slab_alloc+0xf/0x20
[   67.132151]  kmem_cache_alloc+0x12e/0x700
[   67.136297]  anon_vma_fork+0x1ea/0x4a0
[   67.140184]  copy_process.part.0+0x34e5/0x7a30
[   67.144776]  _do_fork+0x257/0xfd0
[   67.148231]  __x64_sys_clone+0xbf/0x150
[   67.152228]  do_syscall_64+0xfd/0x620
[   67.156019]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   67.161187] 
[   67.162803] Freed by task 5914:
[   67.166065]  save_stack+0x45/0xd0
[   67.169500]  __kasan_slab_free+0x102/0x150
[   67.173717]  kasan_slab_free+0xe/0x10
[   67.177499]  kmem_cache_free+0x86/0x260
[   67.181458]  unlink_anon_vmas+0x487/0x860
[   67.185608]  free_pgtables+0x1af/0x2f0
[   67.189476]  exit_mmap+0x2d1/0x530
[   67.193015]  mmput+0x15f/0x4c0
[   67.196211]  flush_old_exec+0x8d9/0x1c20
[   67.200268]  load_elf_binary+0x9c0/0x5350
[   67.204403]  search_binary_handler+0x179/0x570
[   67.208970]  __do_execve_file.isra.0+0x1227/0x2150
[   67.213882]  __x64_sys_execve+0x8f/0xc0
[   67.217840]  do_syscall_64+0xfd/0x620
[   67.221627]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   67.226792] 
[   67.228412] The buggy address belongs to the object at ffff8880a0a71000
[   67.228412]  which belongs to the cache anon_vma_chain of size 80
[   67.241235] The buggy address is located 0 bytes inside of
[   67.241235]  80-byte region [ffff8880a0a71000, ffff8880a0a71050)
[   67.252837] The buggy address belongs to the page:
[   67.257749] page:ffffea0002829c40 count:1 mapcount:0 mapping:ffff88821bc334c0 index:0x0
[   67.265888] flags: 0x1fffc0000000100(slab)
[   67.270205] raw: 01fffc0000000100 ffffea00026d7d08 ffffea000280cb48 ffff88821bc334c0
[   67.278081] raw: 0000000000000000 ffff8880a0a71000 0000000100000024 0000000000000000
[   67.285939] page dumped because: kasan: bad access detected
[   67.291634] 
[   67.293337] Memory state around the buggy address:
[   67.298258]  ffff8880a0a70f00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   67.305608]  ffff8880a0a70f80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   67.312958] >ffff8880a0a71000: fb fb fb fb fb fb fb fb fb fb fc fc fc fc fb fb
[   67.320295]                    ^
[   67.323645]  ffff8880a0a71080: fb fb fb fb fb fb fb fb fc fc fc fc fb fb fb fb
[   67.330985]  ffff8880a0a71100: fb fb fb fb fb fb fc fc fc fc fb fb fb fb fb fb
[   67.338344] ==================================================================
[   67.345808] Disabling lock debugging due to kernel taint
[   67.351379] Kernel panic - not syncing: panic_on_warn set ...
[   67.351379] 
[   67.358753] CPU: 0 PID: 7508 Comm: syz-executor177 Tainted: G B 4.19.76 #0
[   67.367053] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   67.376473] Call Trace:
[   67.379061]  dump_stack+0x172/0x1f0
[   67.382687]  ? scatterwalk_copychunks+0x269/0x6a0
[   67.387611]  panic+0x263/0x507
[   67.390797]  ? __warn_printk+0xf3/0xf3
[   67.394675]  ? scatterwalk_copychunks+0x269/0x6a0
[   67.399586]  ? trace_hardirqs_on+0x5e/0x220
[   67.403901]  ? trace_hardirqs_on+0x5e/0x220
[   67.408215]  ? scatterwalk_copychunks+0x269/0x6a0
[   67.413041]  kasan_end_report+0x47/0x4f
[   67.416998]  kasan_report.cold+0xa9/0x2ba
[   67.421127]  check_memory_region+0x123/0x190
[   67.425529]  memcpy+0x24/0x50
[   67.428617]  scatterwalk_copychunks+0x269/0x6a0
[   67.433268]  scatterwalk_map_and_copy+0x14d/0x1d0
[   67.438099]  ? scatterwalk_copychunks+0x6a0/0x6a0
[   67.442921]  ? rcu_read_lock_sched_held+0x110/0x130
[   67.447925]  ? __kmalloc+0x5e1/0x750
[   67.451624]  ? _raw_spin_unlock_irqrestore+0xa4/0xe0
[   67.456714]  ? gcmaes_encrypt.constprop.0+0x6c4/0xd90
[   67.461921]  gcmaes_encrypt.constprop.0+0x762/0xd90
[   67.466926]  ? save_stack+0x45/0xd0
[   67.470536]  ? kasan_kmalloc+0xce/0xf0
[   67.474424]  ? tls_push_record+0x107/0x13a0
[   67.478727]  ? gcmaes_crypt_by_sg.constprop.0+0x1850/0x1850
[   67.485158]  ? entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   67.490522]  ? mark_held_locks+0x100/0x100
[   67.494750]  ? schedule_timeout+0x52c/0xfc0
[   67.499056]  ? remove_wait_queue+0x10f/0x190
[   67.503471]  ? find_held_lock+0x35/0x130
[   67.507514]  ? fs_reclaim_acquire+0x20/0x20
[   67.511827]  ? __lock_is_held+0xb6/0x140
[   67.515869]  ? should_fail+0x14d/0x85c
[   67.519751]  generic_gcmaes_encrypt+0x108/0x160
[   67.524488]  ? generic_gcmaes_encrypt+0x108/0x160
[   67.529310]  ? helper_rfc4106_encrypt+0x390/0x390
[   67.534137]  ? __kmalloc+0x5e1/0x750
[   67.537842]  ? sk_stream_wait_memory+0xadc/0xe50
[   67.542578]  gcmaes_wrapper_encrypt+0x15f/0x200
[   67.547231]  tls_push_record+0x9c0/0x13a0
[   67.551366]  tls_sw_sendpage+0x538/0xd50
[   67.555422]  ? tls_sw_sendmsg+0x1240/0x1240
[   67.559725]  ? pipe_lock+0x6e/0x80
[   67.563245]  ? tls_sw_sendmsg+0x1240/0x1240
[   67.567548]  inet_sendpage+0x168/0x630
[   67.571427]  kernel_sendpage+0x92/0xf0
[   67.575470]  ? inet_sendmsg+0x5d0/0x5d0
[   67.579435]  sock_sendpage+0x8b/0xc0
[   67.583131]  pipe_to_sendpage+0x296/0x360
[   67.587264]  ? kernel_sendpage+0xf0/0xf0
[   67.591318]  ? direct_splice_actor+0x190/0x190
[   67.595898]  ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20
[   67.601414]  ? anon_pipe_buf_release+0x1c6/0x270
[   67.606152]  __splice_from_pipe+0x391/0x7d0
[   67.610453]  ? direct_splice_actor+0x190/0x190
[   67.615018]  ? direct_splice_actor+0x190/0x190
[   67.619579]  splice_from_pipe+0x108/0x170
[   67.623710]  ? splice_shrink_spd+0xd0/0xd0
[   67.627937]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   67.633454]  ? security_file_permission+0x89/0x230
[   67.638366]  generic_splice_sendpage+0x3c/0x50
[   67.642930]  ? splice_from_pipe+0x170/0x170
[   67.647232]  do_splice+0x642/0x12c0
[   67.650845]  ? __sb_end_write+0xd9/0x110
[   67.654895]  ? vfs_write+0x160/0x560
[   67.658591]  ? opipe_prep.part.0+0x2d0/0x2d0
[   67.663079]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   67.668599]  ? __fget_light+0x1a9/0x230
[   67.672555]  __x64_sys_splice+0x2c6/0x330
[   67.676689]  do_syscall_64+0xfd/0x620
[   67.680493]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   67.685926] RIP: 0033:0x440699
[   67.689103] Code: 18 89 d0 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 5b 14 fc ff c3 66 2e 0f 1f 84 00 00 00 00
[   67.708118] RSP: 002b:00007fffe78b5028 EFLAGS: 00000246 ORIG_RAX: 0000000000000113
[   67.716340] RAX: ffffffffffffffda RBX: 00007fffe78b5040 RCX: 0000000000440699
[   67.723678] RDX: 0000000000000004 RSI: 0000000000000000 RDI: 0000000000000003
[   67.732150] RBP: 0000000000000005 R08: 000000011d100000 R09: 0000000000000000
[   67.739684] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000401f80
[   67.747831] R13: 0000000000402010 R14: 0000000000000000 R15: 0000000000000000
[   67.756650] Kernel Offset: disabled
[   67.760711] Rebooting in 86400 seconds..