[ 38.634910] audit: type=1800 audit(1566087128.305:32): pid=7459 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:kernel_t:s0 op=collect_data cause=failed(directio) comm="startpar" name="ssh" dev="sda1" ino=2450 res=0
Starting mcstransd:
[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.
[ ok ] Starting file context maintaining daemon: restorecond.
[ 39.357787] audit: type=1800 audit(1566087129.085:33): pid=7459 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:kernel_t:s0 op=collect_data cause=failed(directio) comm="startpar" name="rc.local" dev="sda1" ino=2465 res=0
Debian GNU/Linux 7 syzkaller ttyS0
Warning: Permanently added '10.128.0.145' (ECDSA) to the list of known hosts.
syzkaller login: [ 48.546877] kauditd_printk_skb: 2 callbacks suppressed
[ 48.546893] audit: type=1400 audit(1566087138.275:36): avc: denied { map } for pid=7647 comm="syz-executor703" path="/root/syz-executor703720291" dev="sda1" ino=16483 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
[ 48.568291] IPVS: ftp: loaded support on port[0] = 21
[ 48.635074] chnl_net:caif_netlink_parms(): no params data found
[ 48.668738] bridge0: port 1(bridge_slave_0) entered blocking state
[ 48.675256] bridge0: port 1(bridge_slave_0) entered disabled state
[ 48.682471] device bridge_slave_0 entered promiscuous mode
[ 48.689542] bridge0: port 2(bridge_slave_1) entered blocking state
[ 48.695894] bridge0: port 2(bridge_slave_1) entered disabled state
[ 48.702920] device bridge_slave_1 entered promiscuous mode
[ 48.717192] bond0: Enslaving bond_slave_0 as an active interface with an up link
[ 48.725799] bond0: Enslaving bond_slave_1 as an active interface with an up link
[ 48.741613] IPv6: ADDRCONF(NETDEV_UP): team_slave_0: link is not ready
[ 48.749276] team0: Port device team_slave_0 added
[ 48.754563] IPv6: ADDRCONF(NETDEV_UP): team_slave_1: link is not ready
[ 48.761817] team0: Port device team_slave_1 added
[ 48.767243] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_0: link is not ready
[ 48.774408] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_1: link is not ready
[ 48.828092] device hsr_slave_0 entered promiscuous mode
[ 48.906475] device hsr_slave_1 entered promiscuous mode
[ 48.946903] IPv6: ADDRCONF(NETDEV_UP): hsr_slave_0: link is not ready
[ 48.953774] IPv6: ADDRCONF(NETDEV_UP): hsr_slave_1: link is not ready
[ 48.968651] bridge0: port 2(bridge_slave_1) entered blocking state
[ 48.975032] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 48.982019] bridge0: port 1(bridge_slave_0) entered blocking state
[ 48.988387] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 49.017335] IPv6: ADDRCONF(NETDEV_UP): bond0: link is not ready
[ 49.023409] 8021q: adding VLAN 0 to HW filter on device bond0
[ 49.031268] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
[ 49.039836] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 49.058690] bridge0: port 1(bridge_slave_0) entered disabled state
[ 49.065706] bridge0: port 2(bridge_slave_1) entered disabled state
[ 49.072895] IPv6: ADDRCONF(NETDEV_CHANGE): bond0: link becomes ready
[ 49.082935] IPv6: ADDRCONF(NETDEV_UP): team0: link is not ready
[ 49.089189] 8021q: adding VLAN 0 to HW filter on device team0
[ 49.098172] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[ 49.105882] bridge0: port 1(bridge_slave_0) entered blocking state
[ 49.112274] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 49.121032] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[ 49.128874] bridge0: port 2(bridge_slave_1) entered blocking state
[ 49.135215] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 49.149533] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready
[ 49.157460] IPv6: ADDRCONF(NETDEV_CHANGE): team0: link becomes ready
[ 49.167212] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready
[ 49.179402] hsr0: Slave A (hsr_slave_0) is not up; please bring it up to get a fully working HSR network
[ 49.190152] hsr0: Slave B (hsr_slave_1) is not up; please bring it up to get a fully working HSR network
[ 49.200849] IPv6: ADDRCONF(NETDEV_UP): hsr0: link is not ready
[ 49.208079] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
executing program
[ 49.215563] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
[ 49.223261] IPv6: ADDRCONF(NETDEV_CHANGE): hsr0: link becomes ready
[ 49.234137] IPv6: ADDRCONF(NETDEV_UP): vxcan1: link is not ready
[ 49.245688] 8021q: adding VLAN 0 to HW filter on device batadv0
[ 49.315113] BUG: sleeping function called from invalid context at arch/x86/mm/fault.c:1333
[ 49.324191] in_atomic(): 0, irqs_disabled(): 1, pid: 7664, name: syz-executor703
[ 49.331734] 4 locks held by syz-executor703/7664:
[ 49.336574] #0: 0000000082188cc4 (&tty->ldisc_sem){++++}, at: ldsem_down_read+0x33/0x40
[ 49.344844] #1: 0000000027bf4400 (&tty->termios_rwsem){++++}, at: tty_unthrottle+0x20/0x100
[ 49.353462] #2: 000000002ca40604 (&tty->ldisc_sem){++++}, at: tty_ldisc_ref+0x22/0x90
[ 49.361553] #3: 0000000035e14d6e (&mm->mmap_sem){++++}, at: __do_page_fault+0x3c9/0xe90
[ 49.369814] irq event stamp: 12
[ 49.373118] hardirqs last enabled at (11): [] do_syscall_64+0x26/0x620
[ 49.381442] hardirqs last disabled at (12): [] queue_work_on+0x99/0x200
[ 49.389763] softirqs last enabled at (0): [] copy_process.part.0+0x158e/0x7a30
[ 49.398767] softirqs last disabled at (0): [<0000000000000000>] (null)
[ 49.406312] CPU: 0 PID: 7664 Comm: syz-executor703 Not tainted 4.19.67 #41
[ 49.413319] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 49.422666] Call Trace:
[ 49.425281] dump_stack+0x172/0x1f0
[ 49.428916] ? __mutex_lock+0xd2/0x1300
[ 49.432902] ___might_sleep.cold+0x1bd/0x1f6
[ 49.437320] __might_sleep+0x95/0x190
[ 49.441128] ? down_read_trylock+0x5d/0xd0
[ 49.445383] __do_page_fault+0x3f4/0xe90
[ 49.449461] ? vmalloc_fault+0x740/0x740
[ 49.453530] ? trace_hardirqs_off_caller+0x65/0x220
[ 49.458558] do_page_fault+0x71/0x57d
[ 49.462368] page_fault+0x1e/0x30
[ 49.465822] RIP: 0010:queue_work_on+0x99/0x200
[ 49.470420] Code: 03 80 3c 10 00 0f 85 4a 01 00 00 48 83 3d 8e 43 2c 07 00 0f 84 16 01 00 00 e8 e3 5d 25 00 fa 66 0f 1f 44 00 00 e8 07 93 2a 00 49 0f ba 2c 24 00 41 0f 92 c5 31 ff 45 31 ff 44 89 ee e8 ff 5e
[ 49.489715] RSP: 0018:ffff8880a5b97a30 EFLAGS: 00010082
[ 49.495082] RAX: 0000000000000007 RBX: 0000000000000293 RCX: 0000000000000000
[ 49.502352] RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffff8880a0fac844
[ 49.509621] RBP: ffff8880a5b97a60 R08: ffff8880a0fac000 R09: 0000000000000002
[ 49.516889] R10: ffff8880a0fac8d0 R11: 000000007ad05ee4 R12: 0000000000000050
[ 49.524163] R13: ffffffff841ddb90 R14: ffff88812c3ec7c0 R15: ffff88809e6dac80
[ 49.531445] ? slc_setup+0x260/0x260
[ 49.535181] ? slc_setup+0x260/0x260
[ 49.538903] slcan_write_wakeup+0x66/0x90
[ 49.543071] ? pty_set_termios+0x640/0x640
[ 49.547293] tty_wakeup+0xdc/0x110
[ 49.550814] ? pty_set_termios+0x640/0x640
[ 49.555026] pty_unthrottle+0x37/0x50
[ 49.558909] tty_unthrottle+0x9a/0x100
[ 49.562803] ? n_tty_kick_worker+0x230/0x230
[ 49.567194] __tty_perform_flush+0x1b3/0x200
[ 49.571586] n_tty_ioctl_helper+0x1cc/0x3b0
[ 49.575888] n_tty_ioctl+0x59/0x360
[ 49.579546] ? ldsem_down_read+0x33/0x40
[ 49.583599] tty_ioctl+0x8b5/0x1510
[ 49.587216] ? commit_echoes+0x1c0/0x1c0
[ 49.591269] ? tty_vhangup+0x30/0x30
[ 49.594965] ? mark_held_locks+0x100/0x100
[ 49.599187] ? __fget+0x340/0x540
[ 49.602626] ? __might_sleep+0x95/0x190
[ 49.606583] ? tty_vhangup+0x30/0x30
[ 49.610296] do_vfs_ioctl+0xd5f/0x1380
[ 49.614167] ? selinux_file_ioctl+0x46f/0x5e0
[ 49.618654] ? selinux_file_ioctl+0x125/0x5e0
[ 49.623129] ? ioctl_preallocate+0x210/0x210
[ 49.627516] ? selinux_file_mprotect+0x620/0x620
[ 49.632256] ? iterate_fd+0x360/0x360
[ 49.636042] ? calculate_sigpending+0x87/0xa0
[ 49.640540] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 49.646075] ? security_file_ioctl+0x8d/0xc0
[ 49.650467] ksys_ioctl+0xab/0xd0
[ 49.653902] __x64_sys_ioctl+0x73/0xb0
[ 49.657814] do_syscall_64+0xfd/0x620
[ 49.661598] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 49.666767] RIP: 0033:0x447a69
[ 49.669941] Code: e8 4c 15 03 00 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 9b 0c fc ff c3 66 2e 0f 1f 84 00 00 00 00
[ 49.688824] RSP: 002b:00007f564736dc48 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[ 49.696511] RAX: ffffffffffffffda RBX: 00000000006ddc58 RCX: 0000000000447a69
[ 49.703763] RDX: 0000000000000000 RSI: 000000000000540b RDI: 0000000000000003
[ 49.711019] RBP: 00000000006ddc50 R08: 00007f564736e700 R09: 0000000000000000
[ 49.718281] R10: 00007f564736e700 R11: 0000000000000246 R12: 00000000006ddc5c
[ 49.725534] R13: 00007ffcf6ea5fdf R14: 00007f564736e9c0 R15: 0000000000000006
[ 49.732805] BUG: unable to handle kernel NULL pointer dereference at 0000000000000050
[ 49.740747] PGD 903ae067 P4D 903ae067 PUD 94b42067 PMD 0
[ 49.746285] Oops: 0002 [#1] PREEMPT SMP KASAN
[ 49.750758] CPU: 0 PID: 7664 Comm: syz-executor703 Tainted: G W 4.19.67 #41
[ 49.759150] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 49.768499] RIP: 0010:queue_work_on+0x99/0x200
[ 49.773058] Code: 03 80 3c 10 00 0f 85 4a 01 00 00 48 83 3d 8e 43 2c 07 00 0f 84 16 01 00 00 e8 e3 5d 25 00 fa 66 0f 1f 44 00 00 e8 07 93 2a 00 49 0f ba 2c 24 00 41 0f 92 c5 31 ff 45 31 ff 44 89 ee e8 ff 5e
[ 49.792110] RSP: 0018:ffff8880a5b97a30 EFLAGS: 00010082
[ 49.797454] RAX: 0000000000000007 RBX: 0000000000000293 RCX: 0000000000000000
[ 49.804699] RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffff8880a0fac844
[ 49.811950] RBP: ffff8880a5b97a60 R08: ffff8880a0fac000 R09: 0000000000000002
[ 49.819200] R10: ffff8880a0fac8d0 R11: 000000007ad05ee4 R12: 0000000000000050
[ 49.826449] R13: ffffffff841ddb90 R14: ffff88812c3ec7c0 R15: ffff88809e6dac80
[ 49.833697] FS: 00007f564736e700(0000) GS:ffff8880ae800000(0000) knlGS:0000000000000000
[ 49.841900] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 49.847756] CR2: 0000000000000050 CR3: 0000000093dcd000 CR4: 00000000001406f0
[ 49.855005] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 49.862338] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[ 49.869581] Call Trace:
[ 49.872165] ? slc_setup+0x260/0x260
[ 49.875854] slcan_write_wakeup+0x66/0x90
[ 49.879982] ? pty_set_termios+0x640/0x640
[ 49.884211] tty_wakeup+0xdc/0x110
[ 49.887731] ? pty_set_termios+0x640/0x640
[ 49.891955] pty_unthrottle+0x37/0x50
[ 49.895734] tty_unthrottle+0x9a/0x100
[ 49.899596] ? n_tty_kick_worker+0x230/0x230
[ 49.903982] __tty_perform_flush+0x1b3/0x200
[ 49.908372] n_tty_ioctl_helper+0x1cc/0x3b0
[ 49.912670] n_tty_ioctl+0x59/0x360
[ 49.916280] ? ldsem_down_read+0x33/0x40
[ 49.920319] tty_ioctl+0x8b5/0x1510
[ 49.923941] ? commit_echoes+0x1c0/0x1c0
[ 49.927983] ? tty_vhangup+0x30/0x30
[ 49.931678] ? mark_held_locks+0x100/0x100
[ 49.935892] ? __fget+0x340/0x540
[ 49.939415] ? __might_sleep+0x95/0x190
[ 49.943367] ? tty_vhangup+0x30/0x30
[ 49.947058] do_vfs_ioctl+0xd5f/0x1380
[ 49.950921] ? selinux_file_ioctl+0x46f/0x5e0
[ 49.955392] ? selinux_file_ioctl+0x125/0x5e0
[ 49.959866] ? ioctl_preallocate+0x210/0x210
[ 49.964253] ? selinux_file_mprotect+0x620/0x620
[ 49.969000] ? iterate_fd+0x360/0x360
[ 49.972782] ? calculate_sigpending+0x87/0xa0
[ 49.977261] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 49.982788] ? security_file_ioctl+0x8d/0xc0
[ 49.987178] ksys_ioctl+0xab/0xd0
[ 49.990609] __x64_sys_ioctl+0x73/0xb0
[ 49.994474] do_syscall_64+0xfd/0x620
[ 49.998254] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 50.003419] RIP: 0033:0x447a69
[ 50.006593] Code: e8 4c 15 03 00 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 9b 0c fc ff c3 66 2e 0f 1f 84 00 00 00 00
[ 50.025479] RSP: 002b:00007f564736dc48 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[ 50.033165] RAX: ffffffffffffffda RBX: 00000000006ddc58 RCX: 0000000000447a69
[ 50.040411] RDX: 0000000000000000 RSI: 000000000000540b RDI: 0000000000000003
[ 50.047669] RBP: 00000000006ddc50 R08: 00007f564736e700 R09: 0000000000000000
[ 50.055006] R10: 00007f564736e700 R11: 0000000000000246 R12: 00000000006ddc5c
[ 50.062252] R13: 00007ffcf6ea5fdf R14: 00007f564736e9c0 R15: 0000000000000006
[ 50.069501] Modules linked in:
[ 50.072674] CR2: 0000000000000050
[ 50.076113] ---[ end trace 2bcf464bdd1ff016 ]---
[ 50.080849] RIP: 0010:queue_work_on+0x99/0x200
[ 50.085410] Code: 03 80 3c 10 00 0f 85 4a 01 00 00 48 83 3d 8e 43 2c 07 00 0f 84 16 01 00 00 e8 e3 5d 25 00 fa 66 0f 1f 44 00 00 e8 07 93 2a 00 49 0f ba 2c 24 00 41 0f 92 c5 31 ff 45 31 ff 44 89 ee e8 ff 5e
[ 50.104301] RSP: 0018:ffff8880a5b97a30 EFLAGS: 00010082
[ 50.109641] RAX: 0000000000000007 RBX: 0000000000000293 RCX: 0000000000000000
[ 50.116889] RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffff8880a0fac844
[ 50.124132] RBP: ffff8880a5b97a60 R08: ffff8880a0fac000 R09: 0000000000000002
[ 50.131376] R10: ffff8880a0fac8d0 R11: 000000007ad05ee4 R12: 0000000000000050
[ 50.138627] R13: ffffffff841ddb90 R14: ffff88812c3ec7c0 R15: ffff88809e6dac80
[ 50.145881] FS: 00007f564736e700(0000) GS:ffff8880ae800000(0000) knlGS:0000000000000000
[ 50.154102] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 50.159961] CR2: 0000000000000050 CR3: 0000000093dcd000 CR4: 00000000001406f0
[ 50.167209] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 50.174473] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[ 50.181717] Kernel panic - not syncing: Fatal exception
[ 50.188173] Kernel Offset: disabled
[ 50.191804] Rebooting in 86400 seconds..