[ 81.446232][ T27] audit: type=1400 audit(1575643240.632:37): avc: denied { watch } for pid=9814 comm="restorecond" path="/root/.ssh" dev="sda1" ino=16179 scontext=system_u:system_r:kernel_t:s0 tcontext=unconfined_u:object_r:ssh_home_t:s0 tclass=dir permissive=1
[ 81.476857][ T27] audit: type=1400 audit(1575643240.632:38): avc: denied { watch } for pid=9814 comm="restorecond" path="/etc/selinux/restorecond.conf" dev="sda1" ino=2232 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
[ ok ] Starting file context maintaining daemon: restorecond.
[ ok ] Starting OpenBSD Secure Shell server: sshd.
[ 81.756403][ T27] audit: type=1800 audit(1575643240.942:39): pid=9721 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:kernel_t:s0 op=collect_data cause=failed(directio) comm="startpar" name="rc.local" dev="sda1" ino=2432 res=0
[ 81.778840][ T27] audit: type=1800 audit(1575643240.942:40): pid=9721 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:kernel_t:s0 op=collect_data cause=failed(directio) comm="startpar" name="rmnologin" dev="sda1" ino=2423 res=0

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [ 84.656310][ T27] audit: type=1400 audit(1575643243.842:41): avc: denied { map } for pid=9898 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
Warning: Permanently added '10.128.0.91' (ECDSA) to the list of known hosts.
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
[ 91.260224][ T27] audit: type=1400 audit(1575643250.452:42): avc: denied { map } for pid=9910 comm="syz-executor659" path="/root/syz-executor659640040" dev="sda1" ino=16484 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
[ 91.378556][ T9922] ==================================================================
[ 91.386815][ T9922] BUG: KASAN: use-after-free in try_to_grab_pending+0x115/0x910
[ 91.394452][ T9922] Write of size 8 at addr ffff888097823008 by task syz-executor659/9922
[ 91.402774][ T9922]
[ 91.405124][ T9922] CPU: 0 PID: 9922 Comm: syz-executor659 Not tainted 5.4.0-syzkaller #0
[ 91.413552][ T9922] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 91.423803][ T9922] Call Trace:
[ 91.427094][ T9922] dump_stack+0x197/0x210
[ 91.431507][ T9922] ? try_to_grab_pending+0x115/0x910
[ 91.436976][ T9922] print_address_description.constprop.0.cold+0xd4/0x30b
[ 91.444000][ T9922] ? try_to_grab_pending+0x115/0x910
[ 91.449287][ T9922] ? try_to_grab_pending+0x115/0x910
[ 91.454561][ T9922] __kasan_report.cold+0x1b/0x41
[ 91.459518][ T9922] ? try_to_grab_pending+0x115/0x910
[ 91.464816][ T9922] kasan_report+0x12/0x20
[ 91.469173][ T9922] check_memory_region+0x134/0x1a0
[ 91.474446][ T9922] __kasan_check_write+0x14/0x20
[ 91.479390][ T9922] try_to_grab_pending+0x115/0x910
[ 91.484588][ T9922] ? __kasan_check_read+0x11/0x20
[ 91.489627][ T9922] __cancel_work_timer+0xc4/0x540
[ 91.494651][ T9922] ? mod_delayed_work_on+0x200/0x200
[ 91.500463][ T9922] ? get_work_pool+0x1b0/0x1b0
[ 91.505318][ T9922] cancel_work_sync+0x18/0x20
[ 91.510003][ T9922] tty_buffer_cancel_work+0x16/0x20
[ 91.515214][ T9922] release_tty+0x261/0x470
[ 91.519634][ T9922] tty_release_struct+0x3c/0x50
[ 91.524495][ T9922] tty_release+0xbcb/0xe90
[ 91.528921][ T9922] __fput+0x2ff/0x890
[ 91.532928][ T9922] ? do_tty_hangup+0x30/0x30
[ 91.537516][ T9922] ____fput+0x16/0x20
[ 91.541597][ T9922] task_work_run+0x145/0x1c0
[ 91.546210][ T9922] do_exit+0x8e7/0x2ef0
[ 91.550364][ T9922] ? mm_update_next_owner+0x7c0/0x7c0
[ 91.555728][ T9922] ? down_read_non_owner+0x490/0x490
[ 91.561097][ T9922] ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20
[ 91.567596][ T9922] ? handle_mm_fault+0x4ab/0xa50
[ 91.572582][ T9922] ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 91.578042][ T9922] ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 91.583494][ T9922] do_group_exit+0x135/0x360
[ 91.588084][ T9922] __x64_sys_exit_group+0x44/0x50
[ 91.593217][ T9922] do_syscall_64+0xfa/0x790
[ 91.597738][ T9922] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 91.603904][ T9922] RIP: 0033:0x43ff38
[ 91.608047][ T9922] Code: Bad RIP value.
[ 91.612097][ T9922] RSP: 002b:00007ffd9442c538 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
[ 91.620845][ T9922] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 000000000043ff38
[ 91.628868][ T9922] RDX: 0000000000000000 RSI: 000000000000003c RDI: 0000000000000000
[ 91.637003][ T9922] RBP: 00000000004bf950 R08: 00000000000000e7 R09: ffffffffffffffd0
[ 91.644982][ T9922] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000001
[ 91.653552][ T9922] R13: 00000000006d2180 R14: 0000000000000000 R15: 0000000000000000
[ 91.661884][ T9922]
[ 91.664209][ T9922] Allocated by task 9922:
[ 91.668541][ T9922] save_stack+0x23/0x90
[ 91.672703][ T9922] __kasan_kmalloc.constprop.0+0xcf/0xe0
[ 91.679275][ T9922] kasan_kmalloc+0x9/0x10
[ 91.683599][ T9922] kmem_cache_alloc_trace+0x158/0x790
[ 91.688972][ T9922] vc_allocate+0x1fc/0x760
[ 91.693369][ T9922] con_install+0x52/0x410
[ 91.697679][ T9922] tty_init_dev+0xf9/0x470
[ 91.702347][ T9922] tty_open+0x4a5/0xbb0
[ 91.706631][ T9922] chrdev_open+0x245/0x6b0
[ 91.711039][ T9922] do_dentry_open+0x4e6/0x1380
[ 91.715813][ T9922] vfs_open+0xa0/0xd0
[ 91.719787][ T9922] path_openat+0x10e4/0x4710
[ 91.724376][ T9922] do_filp_open+0x1a1/0x280
[ 91.728877][ T9922] do_sys_open+0x3fe/0x5d0
[ 91.733290][ T9922] __x64_sys_open+0x7e/0xc0
[ 91.737793][ T9922] do_syscall_64+0xfa/0x790
[ 91.742297][ T9922] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 91.748297][ T9922]
[ 91.750608][ T9922] Freed by task 9921:
[ 91.754582][ T9922] save_stack+0x23/0x90
[ 91.758887][ T9922] __kasan_slab_free+0x102/0x150
[ 91.763858][ T9922] kasan_slab_free+0xe/0x10
[ 91.768348][ T9922] kfree+0x10a/0x2c0
[ 91.772593][ T9922] vt_disallocate_all+0x2bd/0x3e0
[ 91.777714][ T9922] vt_ioctl+0xc38/0x26d0
[ 91.783450][ T9922] tty_ioctl+0xa37/0x14f0
[ 91.790420][ T9922] do_vfs_ioctl+0x977/0x14e0
[ 91.795259][ T9922] ksys_ioctl+0xab/0xd0
[ 91.799597][ T9922] __x64_sys_ioctl+0x73/0xb0
[ 91.804187][ T9922] do_syscall_64+0xfa/0x790
[ 91.808687][ T9922] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 91.814819][ T9922]
[ 91.817129][ T9922] The buggy address belongs to the object at ffff888097823000
[ 91.817129][ T9922] which belongs to the cache kmalloc-2k of size 2048
[ 91.831165][ T9922] The buggy address is located 8 bytes inside of
[ 91.831165][ T9922] 2048-byte region [ffff888097823000, ffff888097823800)
[ 91.844891][ T9922] The buggy address belongs to the page:
[ 91.850534][ T9922] page:ffffea00025e08c0 refcount:1 mapcount:0 mapping:ffff8880aa400e00 index:0x0
[ 91.859657][ T9922] raw: 00fffe0000000200 ffffea00025e1188 ffffea00025f9d48 ffff8880aa400e00
[ 91.868260][ T9922] raw: 0000000000000000 ffff888097823000 0000000100000001 0000000000000000
[ 91.876845][ T9922] page dumped because: kasan: bad access detected
[ 91.883260][ T9922]
[ 91.885582][ T9922] Memory state around the buggy address:
[ 91.891214][ T9922]  ffff888097822f00: fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc fc
[ 91.899292][ T9922]  ffff888097822f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 91.907376][ T9922] >ffff888097823000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 91.915462][ T9922]                        ^
[ 91.919796][ T9922]  ffff888097823080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 91.927887][ T9922]  ffff888097823100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 91.935933][ T9922] ==================================================================
[ 91.944091][ T9922] Disabling lock debugging due to kernel taint
[ 91.950237][ T9922] Kernel panic - not syncing: panic_on_warn set ...
[ 91.956811][ T9922] CPU: 0 PID: 9922 Comm: syz-executor659 Tainted: G B 5.4.0-syzkaller #0
[ 91.966563][ T9922] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 91.976626][ T9922] Call Trace:
[ 91.979932][ T9922] dump_stack+0x197/0x210
[ 91.984273][ T9922] panic+0x2e3/0x75c
[ 91.988278][ T9922] ? add_taint.cold+0x16/0x16
[ 91.993056][ T9922] ? try_to_grab_pending+0x115/0x910
[ 91.998333][ T9922] ? trace_hardirqs_off+0x62/0x240
[ 92.003550][ T9922] ? trace_hardirqs_off+0x59/0x240
[ 92.008747][ T9922] ? try_to_grab_pending+0x115/0x910
[ 92.014138][ T9922] end_report+0x47/0x4f
[ 92.018516][ T9922] ? try_to_grab_pending+0x115/0x910
[ 92.023839][ T9922] __kasan_report.cold+0xe/0x41
[ 92.028887][ T9922] ? try_to_grab_pending+0x115/0x910
[ 92.034171][ T9922] kasan_report+0x12/0x20
[ 92.038501][ T9922] check_memory_region+0x134/0x1a0
[ 92.043609][ T9922] __kasan_check_write+0x14/0x20
[ 92.048581][ T9922] try_to_grab_pending+0x115/0x910
[ 92.053680][ T9922] ? __kasan_check_read+0x11/0x20
[ 92.059354][ T9922] __cancel_work_timer+0xc4/0x540
[ 92.064509][ T9922] ? mod_delayed_work_on+0x200/0x200
[ 92.069815][ T9922] ? get_work_pool+0x1b0/0x1b0
[ 92.074591][ T9922] cancel_work_sync+0x18/0x20
[ 92.079266][ T9922] tty_buffer_cancel_work+0x16/0x20
[ 92.084480][ T9922] release_tty+0x261/0x470
[ 92.088896][ T9922] tty_release_struct+0x3c/0x50
[ 92.093738][ T9922] tty_release+0xbcb/0xe90
[ 92.098167][ T9922] __fput+0x2ff/0x890
[ 92.102149][ T9922] ? do_tty_hangup+0x30/0x30
[ 92.107704][ T9922] ____fput+0x16/0x20
[ 92.111815][ T9922] task_work_run+0x145/0x1c0
[ 92.116932][ T9922] do_exit+0x8e7/0x2ef0
[ 92.121090][ T9922] ? mm_update_next_owner+0x7c0/0x7c0
[ 92.126565][ T9922] ? down_read_non_owner+0x490/0x490
[ 92.131866][ T9922] ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20
[ 92.138254][ T9922] ? handle_mm_fault+0x4ab/0xa50
[ 92.143329][ T9922] ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 92.148797][ T9922] ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 92.154607][ T9922] do_group_exit+0x135/0x360
[ 92.159192][ T9922] __x64_sys_exit_group+0x44/0x50
[ 92.164230][ T9922] do_syscall_64+0xfa/0x790
[ 92.168725][ T9922] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 92.174608][ T9922] RIP: 0033:0x43ff38
[ 92.178497][ T9922] Code: Bad RIP value.
[ 92.182545][ T9922] RSP: 002b:00007ffd9442c538 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
[ 92.190935][ T9922] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 000000000043ff38
[ 92.199206][ T9922] RDX: 0000000000000000 RSI: 000000000000003c RDI: 0000000000000000
[ 92.207168][ T9922] RBP: 00000000004bf950 R08: 00000000000000e7 R09: ffffffffffffffd0
[ 92.215126][ T9922] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000001
[ 92.223089][ T9922] R13: 00000000006d2180 R14: 0000000000000000 R15: 0000000000000000
[ 92.232544][ T9922] Kernel Offset: disabled
[ 92.236887][ T9922] Rebooting in 86400 seconds..