[   44.939986] audit: type=1800 audit(1584298494.872:31): pid=7843 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:kernel_t:s0 op=collect_data cause=failed(directio) comm="startpar" name="restorecond" dev="sda1" ino=2469 res=0
[   44.963662] audit: type=1800 audit(1584298494.872:32): pid=7843 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:kernel_t:s0 op=collect_data cause=failed(directio) comm="startpar" name="ssh" dev="sda1" ino=2450 res=0
Starting mcstransd:
[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting file context maintaining daemon: restorecond.
[ ok ] Starting OpenBSD Secure Shell server: sshd.

Debian GNU/Linux 7 syzkaller ttyS0

Warning: Permanently added '10.128.0.194' (ECDSA) to the list of known hosts.
executing program
syzkaller login: [   57.115471] kauditd_printk_skb: 3 callbacks suppressed
[   57.115485] audit: type=1400 audit(1584298507.132:36): avc:  denied  { map } for  pid=8027 comm="syz-executor559" path="/root/syz-executor559645294" dev="sda1" ino=16483 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
[   57.121079] ==================================================================
[   57.154443] BUG: KASAN: slab-out-of-bounds in selinux_xfrm_alloc_user+0x205/0x400
[   57.162045] Read of size 768 at addr ffff888097bcf334 by task syz-executor559/8027
[   57.169729] 
[   57.171344] CPU: 1 PID: 8027 Comm: syz-executor559 Not tainted 4.19.109-syzkaller #0
[   57.179203] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   57.188534] Call Trace:
[   57.191108]  dump_stack+0x188/0x20d
[   57.194720]  ? selinux_xfrm_alloc_user+0x205/0x400
[   57.199633]  print_address_description.cold+0x7c/0x212
[   57.204940]  ? selinux_xfrm_alloc_user+0x205/0x400
[   57.209856]  kasan_report.cold+0x88/0x2b9
[   57.213993]  memcpy+0x20/0x50
[   57.217095]  selinux_xfrm_alloc_user+0x205/0x400
[   57.221851]  security_xfrm_policy_alloc+0x6c/0xb0
[   57.226687]  xfrm_policy_construct+0x2a8/0x660
[   57.231253]  xfrm_add_acquire+0x215/0x9f0
[   57.235423]  ? mark_lock+0x85c/0x11b0
[   57.239207]  ? print_shortest_lock_dependencies+0x80/0x80
[   57.244727]  ? cap_capable+0x1eb/0x250
[   57.248599]  ? xfrm_add_policy+0x4e0/0x4e0
[   57.252818]  ? nla_parse+0x1f3/0x2f0
[   57.256518]  ? xfrm_add_policy+0x4e0/0x4e0
[   57.260742]  xfrm_user_rcv_msg+0x40c/0x6b0
[   57.264963]  ? xfrm_dump_sa_done+0xe0/0xe0
[   57.269188]  ? __lock_acquire+0x6ee/0x49c0
[   57.273420]  ? __mutex_lock+0x3cd/0x1300
[   57.277463]  ? xfrm_netlink_rcv+0x5c/0x90
[   57.281604]  netlink_rcv_skb+0x160/0x410
[   57.285650]  ? xfrm_dump_sa_done+0xe0/0xe0
[   57.289867]  ? netlink_ack+0xa60/0xa60
[   57.293739]  ? lock_downgrade+0x740/0x740
[   57.297868]  xfrm_netlink_rcv+0x6b/0x90
[   57.301825]  netlink_unicast+0x4d7/0x6a0
[   57.305871]  ? netlink_attachskb+0x710/0x710
[   57.310298]  netlink_sendmsg+0x80b/0xcd0
[   57.314345]  ? netlink_unicast+0x6a0/0x6a0
[   57.318557]  ? move_addr_to_kernel.part.0+0x110/0x110
[   57.323733]  ? netlink_unicast+0x6a0/0x6a0
[   57.327959]  sock_sendmsg+0xcf/0x120
[   57.331740]  ___sys_sendmsg+0x803/0x920
[   57.335713]  ? copy_msghdr_from_user+0x410/0x410
[   57.340462]  ? prep_transhuge_page+0xa0/0xa0
[   57.344860]  ? pud_val+0x7c/0xf0
[   57.348216]  ? __pmd+0x60/0x60
[   57.351395]  ? __handle_mm_fault+0x754/0x3b60
[   57.355920]  ? copy_page_range+0x1e70/0x1e70
[   57.360314]  ? count_memcg_event_mm+0x279/0x4c0
[   57.364974]  ? find_held_lock+0x2d/0x110
[   57.369020]  ? __do_page_fault+0x631/0xdd0
[   57.373235]  ? __fget_light+0x1a2/0x230
[   57.377192]  __sys_sendmsg+0xec/0x1b0
[   57.380975]  ? __ia32_sys_shutdown+0x70/0x70
[   57.385379]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[   57.390153]  ? trace_hardirqs_off_caller+0x55/0x210
[   57.395152]  ? do_syscall_64+0x21/0x620
[   57.399110]  do_syscall_64+0xf9/0x620
[   57.402897]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   57.408074] RIP: 0033:0x4406e9
[   57.411247] Code: 23 02 00 85 c0 b8 00 00 00 00 48 0f 44 c3 5b c3 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 9b 13 fc ff c3 66 2e 0f 1f 84 00 00 00 00
[   57.430167] RSP: 002b:00007fff605be978 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
[   57.437856] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00000000004406e9
[   57.445105] RDX: 0000000000000000 RSI: 0000000020000080 RDI: 0000000000000003
[   57.452352] RBP: 00000000006cb018 R08: 0000000000000000 R09: 6c616b7a79732f2e
[   57.459600] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000401f10
[   57.466886] R13: 0000000000401fa0 R14: 0000000000000000 R15: 0000000000000000
[   57.474180] 
[   57.475785] Allocated by task 8027:
[   57.479417]  kasan_kmalloc+0xbf/0xe0
[   57.483112]  __kmalloc_node_track_caller+0x4c/0x70
[   57.488022]  __kmalloc_reserve.isra.0+0x39/0xe0
[   57.492667]  __alloc_skb+0xef/0x5b0
[   57.496303]  netlink_sendmsg+0x8d6/0xcd0
[   57.500343]  sock_sendmsg+0xcf/0x120
[   57.504042]  ___sys_sendmsg+0x803/0x920
[   57.507997]  __sys_sendmsg+0xec/0x1b0
[   57.511778]  do_syscall_64+0xf9/0x620
[   57.515561]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   57.520726] 
[   57.522331] Freed by task 0:
[   57.525322] (stack is not available)
[   57.529009] 
[   57.530615] The buggy address belongs to the object at ffff888097bcf200
[   57.530615]  which belongs to the cache kmalloc-1024 of size 1024
[   57.543525] The buggy address is located 308 bytes inside of
[   57.543525]  1024-byte region [ffff888097bcf200, ffff888097bcf600)
[   57.555463] The buggy address belongs to the page:
[   57.560386] page:ffffea00025ef380 count:1 mapcount:0 mapping:ffff88812c3dcac0 index:0x0 compound_mapcount: 0
[   57.570331] flags: 0xfffe0000008100(slab|head)
[   57.574909] raw: 00fffe0000008100 ffffea0001f7a688 ffffea0002976608 ffff88812c3dcac0
[   57.582789] raw: 0000000000000000 ffff888097bce000 0000000100000007 0000000000000000
[   57.590654] page dumped because: kasan: bad access detected
[   57.596341] 
[   57.597946] Memory state around the buggy address:
[   57.602856]  ffff888097bcf500: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   57.610194]  ffff888097bcf580: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   57.617533] >ffff888097bcf600: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   57.624869]                    ^
[   57.628237]  ffff888097bcf680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   57.635580]  ffff888097bcf700: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   57.642939] ==================================================================
[   57.650309] Disabling lock debugging due to kernel taint
[   57.656156] Kernel panic - not syncing: panic_on_warn set ...
[   57.656156] 
[   57.663516] CPU: 1 PID: 8027 Comm: syz-executor559 Tainted: G    B             4.19.109-syzkaller #0
[   57.672765] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   57.682103] Call Trace:
[   57.684673]  dump_stack+0x188/0x20d
[   57.688282]  panic+0x26a/0x50e
[   57.691455]  ? __warn_printk+0xf3/0xf3
[   57.695325]  ? preempt_schedule_common+0x4a/0xc0
[   57.700100]  ? selinux_xfrm_alloc_user+0x205/0x400
[   57.705049]  ? ___preempt_schedule+0x16/0x18
[   57.709439]  ? trace_hardirqs_on+0x55/0x210
[   57.713743]  ? selinux_xfrm_alloc_user+0x205/0x400
[   57.718665]  kasan_end_report+0x43/0x49
[   57.722638]  kasan_report.cold+0xa4/0x2b9
[   57.726781]  memcpy+0x20/0x50
[   57.729867]  selinux_xfrm_alloc_user+0x205/0x400
[   57.734607]  security_xfrm_policy_alloc+0x6c/0xb0
[   57.739433]  xfrm_policy_construct+0x2a8/0x660
[   57.744034]  xfrm_add_acquire+0x215/0x9f0
[   57.748162]  ? mark_lock+0x85c/0x11b0
[   57.751960]  ? print_shortest_lock_dependencies+0x80/0x80
[   57.757479]  ? cap_capable+0x1eb/0x250
[   57.761351]  ? xfrm_add_policy+0x4e0/0x4e0
[   57.765580]  ? nla_parse+0x1f3/0x2f0
[   57.769324]  ? xfrm_add_policy+0x4e0/0x4e0
[   57.773540]  xfrm_user_rcv_msg+0x40c/0x6b0
[   57.777759]  ? xfrm_dump_sa_done+0xe0/0xe0
[   57.781977]  ? __lock_acquire+0x6ee/0x49c0
[   57.786201]  ? __mutex_lock+0x3cd/0x1300
[   57.790246]  ? xfrm_netlink_rcv+0x5c/0x90
[   57.794378]  netlink_rcv_skb+0x160/0x410
[   57.798423]  ? xfrm_dump_sa_done+0xe0/0xe0
[   57.802651]  ? netlink_ack+0xa60/0xa60
[   57.806535]  ? lock_downgrade+0x740/0x740
[   57.810662]  xfrm_netlink_rcv+0x6b/0x90
[   57.814616]  netlink_unicast+0x4d7/0x6a0
[   57.818657]  ? netlink_attachskb+0x710/0x710
[   57.823048]  netlink_sendmsg+0x80b/0xcd0
[   57.827114]  ? netlink_unicast+0x6a0/0x6a0
[   57.831329]  ? move_addr_to_kernel.part.0+0x110/0x110
[   57.836499]  ? netlink_unicast+0x6a0/0x6a0
[   57.840712]  sock_sendmsg+0xcf/0x120
[   57.844412]  ___sys_sendmsg+0x803/0x920
[   57.848366]  ? copy_msghdr_from_user+0x410/0x410
[   57.853113]  ? prep_transhuge_page+0xa0/0xa0
[   57.857511]  ? pud_val+0x7c/0xf0
[   57.860860]  ? __pmd+0x60/0x60
[   57.864035]  ? __handle_mm_fault+0x754/0x3b60
[   57.868508]  ? copy_page_range+0x1e70/0x1e70
[   57.872895]  ? count_memcg_event_mm+0x279/0x4c0
[   57.877541]  ? find_held_lock+0x2d/0x110
[   57.881583]  ? __do_page_fault+0x631/0xdd0
[   57.885842]  ? __fget_light+0x1a2/0x230
[   57.889806]  __sys_sendmsg+0xec/0x1b0
[   57.893587]  ? __ia32_sys_shutdown+0x70/0x70
[   57.897984]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[   57.902717]  ? trace_hardirqs_off_caller+0x55/0x210
[   57.907839]  ? do_syscall_64+0x21/0x620
[   57.911793]  do_syscall_64+0xf9/0x620
[   57.915591]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   57.920761] RIP: 0033:0x4406e9
[   57.924025] Code: 23 02 00 85 c0 b8 00 00 00 00 48 0f 44 c3 5b c3 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 9b 13 fc ff c3 66 2e 0f 1f 84 00 00 00 00
[   57.942997] RSP: 002b:00007fff605be978 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
[   57.950723] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00000000004406e9
[   57.958059] RDX: 0000000000000000 RSI: 0000000020000080 RDI: 0000000000000003
[   57.965306] RBP: 00000000006cb018 R08: 0000000000000000 R09: 6c616b7a79732f2e
[   57.972554] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000401f10
[   57.979799] R13: 0000000000401fa0 R14: 0000000000000000 R15: 0000000000000000
[   57.988122] Kernel Offset: disabled
[   57.991740] Rebooting in 86400 seconds..