[ 41.974516] audit: type=1800 audit(1578387086.828:32): pid=7703 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:kernel_t:s0 op=collect_data cause=failed(directio) comm="startpar" name="ssh" dev="sda1" ino=2450 res=0
Starting mcstransd:
[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting file context maintaining daemon: restorecond.
[ ok ] Starting OpenBSD Secure Shell server: sshd.

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [ 46.483598] kauditd_printk_skb: 2 callbacks suppressed
[ 46.483614] audit: type=1400 audit(1578387091.388:35): avc: denied { map } for pid=7876 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
Warning: Permanently added '10.128.0.117' (ECDSA) to the list of known hosts.
[ 63.717292] audit: type=1400 audit(1578387108.628:36): avc: denied { map } for pid=7888 comm="syz-executor603" path="/root/syz-executor603025872" dev="sda1" ino=16484 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
[ 63.738558] IPVS: ftp: loaded support on port[0] = 21
[ 63.773525] audit: type=1400 audit(1578387108.678:37): avc: denied { create } for pid=7889 comm="syz-executor603" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_generic_socket permissive=1
[ 63.799951] audit: type=1400 audit(1578387108.678:38): avc: denied { write } for pid=7889 comm="syz-executor603" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_generic_socket permissive=1
[ 63.825077] audit: type=1400 audit(1578387108.678:39): avc: denied { read } for pid=7889 comm="syz-executor603" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_generic_socket permissive=1
[ 63.873301] chnl_net:caif_netlink_parms(): no params data found
[ 63.909832] bridge0: port 1(bridge_slave_0) entered blocking state
[ 63.917196] bridge0: port 1(bridge_slave_0) entered disabled state
[ 63.924492] device bridge_slave_0 entered promiscuous mode
[ 63.932027] bridge0: port 2(bridge_slave_1) entered blocking state
[ 63.939624] bridge0: port 2(bridge_slave_1) entered disabled state
[ 63.946609] device bridge_slave_1 entered promiscuous mode
[ 63.962240] bond0: Enslaving bond_slave_0 as an active interface with an up link
[ 63.971706] bond0: Enslaving bond_slave_1 as an active interface with an up link
[ 63.988614] IPv6: ADDRCONF(NETDEV_UP): team_slave_0: link is not ready
[ 63.996726] team0: Port device team_slave_0 added
[ 64.002404] IPv6: ADDRCONF(NETDEV_UP): team_slave_1: link is not ready
[ 64.009812] team0: Port device team_slave_1 added
[ 64.015267] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_0: link is not ready
[ 64.022688] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_1: link is not ready
[ 64.086938] device hsr_slave_0 entered promiscuous mode
[ 64.135119] device hsr_slave_1 entered promiscuous mode
[ 64.175247] IPv6: ADDRCONF(NETDEV_UP): hsr_slave_0: link is not ready
[ 64.182530] IPv6: ADDRCONF(NETDEV_UP): hsr_slave_1: link is not ready
[ 64.227952] bridge0: port 2(bridge_slave_1) entered blocking state
[ 64.234813] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 64.241589] bridge0: port 1(bridge_slave_0) entered blocking state
[ 64.248076] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 64.281588] IPv6: ADDRCONF(NETDEV_UP): bond0: link is not ready
[ 64.288910] 8021q: adding VLAN 0 to HW filter on device bond0
[ 64.298474] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
[ 64.308070] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 64.328123] bridge0: port 1(bridge_slave_0) entered disabled state
[ 64.335926] bridge0: port 2(bridge_slave_1) entered disabled state
[ 64.342958] IPv6: ADDRCONF(NETDEV_CHANGE): bond0: link becomes ready
[ 64.354043] IPv6: ADDRCONF(NETDEV_UP): team0: link is not ready
[ 64.360516] 8021q: adding VLAN 0 to HW filter on device team0
[ 64.370362] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[ 64.378061] bridge0: port 1(bridge_slave_0) entered blocking state
[ 64.384416] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 64.393988] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[ 64.401920] bridge0: port 2(bridge_slave_1) entered blocking state
[ 64.408328] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 64.423745] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready
[ 64.432133] IPv6: ADDRCONF(NETDEV_CHANGE): team0: link becomes ready
[ 64.442421] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready
[ 64.453561] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
[ 64.464332] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
[ 64.473554] IPv6: ADDRCONF(NETDEV_UP): hsr0: link is not ready
[ 64.480011] IPv6: ADDRCONF(NETDEV_CHANGE): hsr0: link becomes ready
[ 64.493918] IPv6: ADDRCONF(NETDEV_UP): vxcan0: link is not ready
[ 64.501599] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan0: link becomes ready
[ 64.508451] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan1: link becomes ready
[ 64.519784] 8021q: adding VLAN 0 to HW filter on device batadv0
[ 64.531923] IPv6: ADDRCONF(NETDEV_UP): veth0_virt_wifi: link is not ready
[ 64.542173] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_virt_wifi: link becomes ready
[ 64.582083] IPv6: ADDRCONF(NETDEV_UP): veth0_vlan: link is not ready
[ 64.589284] IPv6: ADDRCONF(NETDEV_UP): vlan0: link is not ready
[ 64.596273] IPv6: ADDRCONF(NETDEV_UP): vlan1: link is not ready
[ 64.605747] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_vlan: link becomes ready
[ 64.613257] IPv6: ADDRCONF(NETDEV_CHANGE): vlan0: link becomes ready
[ 64.620811] IPv6: ADDRCONF(NETDEV_CHANGE): vlan1: link becomes ready
executing program
[ 64.629909] device veth0_vlan entered promiscuous mode
[ 64.639198] device veth1_vlan entered promiscuous mode
[ 64.645980] IPv6: ADDRCONF(NETDEV_UP): macvlan0: link is not ready
[ 64.654713] IPv6: ADDRCONF(NETDEV_UP): macvlan1: link is not ready
[ 64.714840] protocol 88fb is buggy, dev hsr_slave_0
[ 64.720122] protocol 88fb is buggy, dev hsr_slave_1
[ 64.725546] ==================================================================
[ 64.733029] BUG: KASAN: use-after-free in macvlan_broadcast+0x57c/0x660
[ 64.739896] Read of size 4 at addr ffff88809b55fa41 by task syz-executor603/7889
[ 64.747436]
[ 64.749141] CPU: 1 PID: 7889 Comm: syz-executor603 Not tainted 4.19.93-syzkaller #0
[ 64.756925] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 64.768029] Call Trace:
[ 64.770618]  dump_stack+0x197/0x210
[ 64.774253]  ? macvlan_broadcast+0x57c/0x660
[ 64.779106]  print_address_description.cold+0x7c/0x20d
[ 64.784480]  ? macvlan_broadcast+0x57c/0x660
[ 64.788924]  kasan_report.cold+0x8c/0x2ba
[ 64.793088]  __asan_report_load_n_noabort+0xf/0x20
[ 64.798019]  macvlan_broadcast+0x57c/0x660
[ 64.802275]  macvlan_start_xmit+0x408/0x785
[ 64.806614]  dev_direct_xmit+0x34d/0x650
[ 64.810666]  ? validate_xmit_skb_list+0x130/0x130
[ 64.815517]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 64.821051]  ? skb_copy_datagram_from_iter+0x441/0x660
[ 64.826345]  packet_direct_xmit+0xf9/0x170
[ 64.830588]  packet_sendmsg+0x3bb2/0x6440
[ 64.834762]  ? packet_notifier+0x840/0x840
[ 64.839006]  ? release_sock+0x156/0x1c0
[ 64.842980]  ? selinux_socket_sendmsg+0x36/0x40
[ 64.847643]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 64.853189]  ? security_socket_sendmsg+0x8d/0xc0
[ 64.857942]  ? packet_notifier+0x840/0x840
[ 64.862171]  sock_sendmsg+0xd7/0x130
[ 64.865104] IPv6: ADDRCONF(NETDEV_CHANGE): macvlan0: link becomes ready
[ 64.865882]  __sys_sendto+0x262/0x380
[ 64.873313] IPv6: ADDRCONF(NETDEV_CHANGE): macvlan1: link becomes ready
[ 64.876427]  ? __ia32_sys_getpeername+0xb0/0xb0
[ 64.876454]  ? __ia32_sys_socketpair+0xf0/0xf0
[ 64.876480]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 64.876497]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 64.876512]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 64.876525]  ? do_syscall_64+0x26/0x620
[ 64.876544]  ? entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 64.917204]  __x64_sys_sendto+0xe1/0x1a0
[ 64.921282]  do_syscall_64+0xfd/0x620
[ 64.925095]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 64.930290] RIP: 0033:0x442529
[ 64.933489] Code: 18 89 d0 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 5b 10 fc ff c3 66 2e 0f 1f 84 00 00 00 00
[ 64.952982] RSP: 002b:00007ffd492895f8 EFLAGS: 00000246 ORIG_RAX: 000000000000002c
[ 64.960702] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000000442529
[ 64.967987] RDX: 000000000000000e RSI: 0000000020000080 RDI: 0000000000000003
[ 64.975361] RBP: 0000000000000004 R08: 0000000000000000 R09: 0000000000000000
[ 64.982937] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
[ 64.990354] R13: 0000000000403aa0 R14: 0000000000000000 R15: 0000000000000000
[ 64.997653]
[ 64.999273] Allocated by task 7703:
[ 65.002979]  save_stack+0x45/0xd0
[ 65.006495]  kasan_kmalloc+0xce/0xf0
[ 65.010236]  kasan_slab_alloc+0xf/0x20
[ 65.014125]  kmem_cache_alloc+0x12e/0x700
[ 65.018283]  anon_vma_clone+0xde/0x480
[ 65.022174]  anon_vma_fork+0x8f/0x4a0
[ 65.025977]  copy_process.part.0+0x34e5/0x7a30
[ 65.030577]  _do_fork+0x257/0xfd0
[ 65.034029]  __x64_sys_clone+0xbf/0x150
[ 65.038008]  do_syscall_64+0xfd/0x620
[ 65.041806]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 65.047305]
[ 65.048950] Freed by task 7704:
[ 65.052357]  save_stack+0x45/0xd0
[ 65.056064]  __kasan_slab_free+0x102/0x150
[ 65.060294]  kasan_slab_free+0xe/0x10
[ 65.064189]  kmem_cache_free+0x86/0x260
[ 65.068407]  unlink_anon_vmas+0x2ba/0x860
[ 65.072559]  free_pgtables+0x1af/0x2f0
[ 65.076440]  exit_mmap+0x2d1/0x530
[ 65.079991]  mmput+0x15f/0x4c0
[ 65.083176]  flush_old_exec+0x8d9/0x1c20
[ 65.087234]  load_elf_binary+0x9c0/0x53a0
[ 65.091721]  search_binary_handler+0x179/0x570
[ 65.096319]  load_script+0x671/0x8d0
[ 65.100033]  search_binary_handler+0x179/0x570
[ 65.104611]  __do_execve_file.isra.0+0x1227/0x2150
[ 65.109542]  __x64_sys_execve+0x8f/0xc0
[ 65.113575]  do_syscall_64+0xfd/0x620
[ 65.117462]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 65.122660]
[ 65.124300] The buggy address belongs to the object at ffff88809b55fa10
[ 65.124300]  which belongs to the cache anon_vma_chain of size 80
[ 65.137483] The buggy address is located 49 bytes inside of
[ 65.137483]  80-byte region [ffff88809b55fa10, ffff88809b55fa60)
[ 65.149361] The buggy address belongs to the page:
[ 65.154285] page:ffffea00026d57c0 count:1 mapcount:0 mapping:ffff88821bc334c0 index:0xffff88809b55f380
[ 65.163738] flags: 0xfffe0000000100(slab)
[ 65.167881] raw: 00fffe0000000100 ffffea0002118f08 ffffea0002835f08 ffff88821bc334c0
[ 65.175752] raw: ffff88809b55f380 ffff88809b55f000 000000010000001b 0000000000000000
[ 65.183618] page dumped because: kasan: bad access detected
[ 65.189341]
[ 65.190975] Memory state around the buggy address:
[ 65.195985]  ffff88809b55f900: fb fb fc fc fc fc fb fb fb fb fb fb fb fb fb fb
[ 65.203344]  ffff88809b55f980: fc fc fc fc fb fb fb fb fb fb fb fb fb fb fc fc
[ 65.210706] >ffff88809b55fa00: fc fc fb fb fb fb fb fb fb fb fb fb fc fc fc fc
[ 65.218054]                                            ^
[ 65.223521]  ffff88809b55fa80: fb fb fb fb fb fb fb fb fb fb fc fc fc fc fb fb
[ 65.231069]  ffff88809b55fb00: fb fb fb fb fb fb fb fb fc fc fc fc fb fb fb fb
[ 65.238420] ==================================================================
[ 65.245784] Disabling lock debugging due to kernel taint
[ 65.251554] Kernel panic - not syncing: panic_on_warn set ...
[ 65.251554]
[ 65.258937] CPU: 1 PID: 7889 Comm: syz-executor603 Tainted: G B 4.19.93-syzkaller #0
[ 65.268326] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 65.277842] Call Trace:
[ 65.280440]  dump_stack+0x197/0x210
[ 65.284085]  ? macvlan_broadcast+0x57c/0x660
[ 65.288485]  panic+0x26a/0x50e
[ 65.291663]  ? __warn_printk+0xf3/0xf3
[ 65.295556]  ? retint_kernel+0x2d/0x2d
[ 65.299438]  ? trace_hardirqs_on+0x5e/0x220
[ 65.303749]  ? macvlan_broadcast+0x57c/0x660
[ 65.308164]  kasan_end_report+0x47/0x4f
[ 65.312149]  kasan_report.cold+0xa9/0x2ba
[ 65.316289]  __asan_report_load_n_noabort+0xf/0x20
[ 65.321307]  macvlan_broadcast+0x57c/0x660
[ 65.325551]  macvlan_start_xmit+0x408/0x785
[ 65.329864]  dev_direct_xmit+0x34d/0x650
[ 65.334003]  ? validate_xmit_skb_list+0x130/0x130
[ 65.338838]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 65.344377]  ? skb_copy_datagram_from_iter+0x441/0x660
[ 65.349667]  packet_direct_xmit+0xf9/0x170
[ 65.353903]  packet_sendmsg+0x3bb2/0x6440
[ 65.358062]  ? packet_notifier+0x840/0x840
[ 65.362289]  ? release_sock+0x156/0x1c0
[ 65.366256]  ? selinux_socket_sendmsg+0x36/0x40
[ 65.370932]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 65.376482]  ? security_socket_sendmsg+0x8d/0xc0
[ 65.381245]  ? packet_notifier+0x840/0x840
[ 65.385508]  sock_sendmsg+0xd7/0x130
[ 65.389275]  __sys_sendto+0x262/0x380
[ 65.393139]  ? __ia32_sys_getpeername+0xb0/0xb0
[ 65.397833]  ? __ia32_sys_socketpair+0xf0/0xf0
[ 65.402412]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 65.407963]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 65.412708]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 65.417453]  ? do_syscall_64+0x26/0x620
[ 65.421416]  ? entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 65.426809]  __x64_sys_sendto+0xe1/0x1a0
[ 65.430866]  do_syscall_64+0xfd/0x620
[ 65.434806]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 65.440582] RIP: 0033:0x442529
[ 65.443870] Code: 18 89 d0 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 5b 10 fc ff c3 66 2e 0f 1f 84 00 00 00 00
[ 65.463072] RSP: 002b:00007ffd492895f8 EFLAGS: 00000246 ORIG_RAX: 000000000000002c
[ 65.470861] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000000442529
[ 65.478252] RDX: 000000000000000e RSI: 0000000020000080 RDI: 0000000000000003
[ 65.485534] RBP: 0000000000000004 R08: 0000000000000000 R09: 0000000000000000
[ 65.492794] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
[ 65.500149] R13: 0000000000403aa0 R14: 0000000000000000 R15: 0000000000000000
[ 65.509088] Kernel Offset: disabled
[ 65.512729] Rebooting in 86400 seconds..