[ ok ] Starting file context maintaining daemon: restorecond.
[ ok ] Starting OpenBSD Secure Shell server: sshd.
[ 120.852911][ T33] kauditd_printk_skb: 4 callbacks suppressed
[ 120.852960][ T33] audit: type=1800 audit(1583403000.901:39): pid=11373 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:kernel_t:s0 op=collect_data cause=failed(directio) comm="startpar" name="rc.local" dev="sda1" ino=2432 res=0
[ 120.894310][ T33] audit: type=1800 audit(1583403000.941:40): pid=11373 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:kernel_t:s0 op=collect_data cause=failed(directio) comm="startpar" name="rmnologin" dev="sda1" ino=2423 res=0

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [ 122.707131][ T33] audit: type=1400 audit(1583403002.761:41): avc: denied { map } for pid=11547 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
[ 541.949038][ T33] audit: type=1400 audit(1583403422.001:42): avc: denied { map } for pid=11555 comm="sh" path="/bin/dash" dev="sda1" ino=1473 scontext=system_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
Warning: Permanently added '10.128.15.199' (ECDSA) to the list of known hosts.
[ 1032.653312][ T33] audit: type=1400 audit(1583403912.701:43): avc: denied { map } for pid=11562 comm="syz-execprog" path="/root/syz-execprog" dev="sda1" ino=16482 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
2020/03/05 10:25:12 parsed 1 programs
[ 1037.889912][ T33] audit: type=1400 audit(1583403917.941:44): avc: denied { integrity } for pid=11562 comm="syz-execprog" lockdown_reason="debugfs access" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=lockdown permissive=1
[ 1037.993726][ T33] audit: type=1400 audit(1583403918.041:45): avc: denied { map } for pid=11562 comm="syz-execprog" path="/sys/kernel/debug/kcov" dev="debugfs" ino=17522 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:debugfs_t:s0 tclass=file permissive=1
2020/03/05 10:25:21 executed programs: 0
[ 1041.478867][T11581] IPVS: ftp: loaded support on port[0] = 21
[ 1041.586826][T11581] chnl_net:caif_netlink_parms(): no params data found
[ 1041.667486][T11581] bridge0: port 1(bridge_slave_0) entered blocking state
[ 1041.674767][T11581] bridge0: port 1(bridge_slave_0) entered disabled state
[ 1041.682980][T11581] device bridge_slave_0 entered promiscuous mode
[ 1041.695265][T11581] bridge0: port 2(bridge_slave_1) entered blocking state
[ 1041.702473][T11581] bridge0: port 2(bridge_slave_1) entered disabled state
[ 1041.711227][T11581] device bridge_slave_1 entered promiscuous mode
[ 1041.739583][T11581] bond0: (slave bond_slave_0): Enslaving as an active interface with an up link
[ 1041.753483][T11581] bond0: (slave bond_slave_1): Enslaving as an active interface with an up link
[ 1041.782396][T11581] team0: Port device team_slave_0 added
[ 1041.792434][T11581] team0: Port device team_slave_1 added
[ 1041.816759][T11581] batman_adv: batadv0: Adding interface: batadv_slave_0
[ 1041.823867][T11581] batman_adv: batadv0: The MTU of interface batadv_slave_0 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem.
[ 1041.849873][T11581] batman_adv: batadv0: Not using interface batadv_slave_0 (retrying later): interface not active
[ 1041.864129][T11581] batman_adv: batadv0: Adding interface: batadv_slave_1
[ 1041.871168][T11581] batman_adv: batadv0: The MTU of interface batadv_slave_1 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem.
[ 1041.897446][T11581] batman_adv: batadv0: Not using interface batadv_slave_1 (retrying later): interface not active
[ 1041.957465][T11581] device hsr_slave_0 entered promiscuous mode
[ 1042.014583][T11581] device hsr_slave_1 entered promiscuous mode
[ 1042.207425][ T33] audit: type=1400 audit(1583403922.261:46): avc: denied { create } for pid=11581 comm="syz-executor.0" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_generic_socket permissive=1
[ 1042.215050][T11581] netdevsim netdevsim0 netdevsim0: renamed from eth0
[ 1042.232405][ T33] audit: type=1400 audit(1583403922.261:47): avc: denied { write } for pid=11581 comm="syz-executor.0" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_generic_socket permissive=1
[ 1042.263966][ T33] audit: type=1400 audit(1583403922.261:48): avc: denied { read } for pid=11581 comm="syz-executor.0" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_generic_socket permissive=1
[ 1042.309055][T11581] netdevsim netdevsim0 netdevsim1: renamed from eth1
[ 1042.368854][T11581] netdevsim netdevsim0 netdevsim2: renamed from eth2
[ 1042.419078][T11581] netdevsim netdevsim0 netdevsim3: renamed from eth3
[ 1042.513477][T11581] bridge0: port 2(bridge_slave_1) entered blocking state
[ 1042.520863][T11581] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 1042.528718][T11581] bridge0: port 1(bridge_slave_0) entered blocking state
[ 1042.535983][T11581] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 1042.632276][T11581] 8021q: adding VLAN 0 to HW filter on device bond0
[ 1042.656070][ T12] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 1042.668021][ T12] bridge0: port 1(bridge_slave_0) entered disabled state
[ 1042.677668][ T12] bridge0: port 2(bridge_slave_1) entered disabled state
[ 1042.689265][ T12] IPv6: ADDRCONF(NETDEV_CHANGE): bond0: link becomes ready
[ 1042.709017][T11581] 8021q: adding VLAN 0 to HW filter on device team0
[ 1042.725852][ T12] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready
[ 1042.735033][ T12] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[ 1042.744224][ T12] bridge0: port 1(bridge_slave_0) entered blocking state
[ 1042.751404][ T12] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 1042.767569][T11591] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready
[ 1042.777391][T11591] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[ 1042.786851][T11591] bridge0: port 2(bridge_slave_1) entered blocking state
[ 1042.794099][T11591] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 1042.809434][ T12] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bond: link becomes ready
[ 1042.835840][ T12] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bond: link becomes ready
[ 1042.845502][ T12] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_team: link becomes ready
[ 1042.855674][ T12] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready
[ 1042.876576][ T12] IPv6: ADDRCONF(NETDEV_CHANGE): team0: link becomes ready
[ 1042.885535][ T12] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_team: link becomes ready
[ 1042.896059][ T12] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready
[ 1042.911269][T11591] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_hsr: link becomes ready
[ 1042.921003][T11591] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
[ 1042.939651][ T12] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_hsr: link becomes ready
[ 1042.948679][ T12] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
[ 1042.965727][T11581] IPv6: ADDRCONF(NETDEV_CHANGE): hsr0: link becomes ready
[ 1043.001442][T11591] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan1: link becomes ready
[ 1043.009130][T11591] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan0: link becomes ready
[ 1043.032414][T11581] 8021q: adding VLAN 0 to HW filter on device batadv0
[ 1043.071287][ T12] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_virt_wifi: link becomes ready
[ 1043.082769][ T12] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_virt_wifi: link becomes ready
[ 1043.118906][T11591] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_vlan: link becomes ready
[ 1043.128537][T11591] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_vlan: link becomes ready
[ 1043.138918][T11591] IPv6: ADDRCONF(NETDEV_CHANGE): vlan0: link becomes ready
[ 1043.148007][T11591] IPv6: ADDRCONF(NETDEV_CHANGE): vlan1: link becomes ready
[ 1043.164639][T11581] device veth0_vlan entered promiscuous mode
[ 1043.185974][T11581] device veth1_vlan entered promiscuous mode
[ 1043.231349][ T12] IPv6: ADDRCONF(NETDEV_CHANGE): macvlan0: link becomes ready
[ 1043.240233][ T12] IPv6: ADDRCONF(NETDEV_CHANGE): macvlan1: link becomes ready
[ 1043.249161][ T12] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_macvtap: link becomes ready
[ 1043.258328][ T12] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_macvtap: link becomes ready
[ 1043.274224][T11581] device veth0_macvtap entered promiscuous mode
[ 1043.289766][T11581] device veth1_macvtap entered promiscuous mode
[ 1043.322597][T11581] batman_adv: batadv0: Interface activated: batadv_slave_0
[ 1043.331011][T11591] IPv6: ADDRCONF(NETDEV_CHANGE): macvtap0: link becomes ready
[ 1043.340714][T11591] IPv6: ADDRCONF(NETDEV_CHANGE): macsec0: link becomes ready
[ 1043.349576][T11591] IPv6: ADDRCONF(NETDEV_CHANGE): batadv_slave_0: link becomes ready
[ 1043.359267][T11591] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_batadv: link becomes ready
[ 1043.376915][T11581] batman_adv: batadv0: Interface activated: batadv_slave_1
[ 1043.384794][ T12] IPv6: ADDRCONF(NETDEV_CHANGE): batadv_slave_1: link becomes ready
[ 1043.394326][ T12] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_batadv: link becomes ready
[ 1043.621726][ T33] audit: type=1400 audit(1583403923.671:49): avc: denied { associate } for pid=11581 comm="syz-executor.0" name="syz0" scontext=unconfined_u:object_r:unlabeled_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=filesystem permissive=1
[ 1043.815534][T11618] =====================================================
[ 1043.822543][T11618] BUG: KMSAN: use-after-free in __list_add_valid+0x280/0x420
[ 1043.829962][T11618] CPU: 0 PID: 11618 Comm: syz-executor.0 Not tainted 5.6.0-rc2-syzkaller #0
[ 1043.838613][T11618] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 1043.848650][T11618] Call Trace:
[ 1043.851925][T11618] dump_stack+0x1c9/0x220
[ 1043.856247][T11618] kmsan_report+0xf7/0x1e0
[ 1043.860648][T11618] __msan_warning+0x58/0xa0
[ 1043.865139][T11618] __list_add_valid+0x280/0x420
[ 1043.869978][T11618] rdma_listen+0x623/0x10b0
[ 1043.874469][T11618] ? kmsan_set_origin_checked+0x95/0xf0
[ 1043.880009][T11618] ? kmsan_get_metadata+0x11d/0x180
[ 1043.885193][T11618] ucma_listen+0x36c/0x5e0
[ 1043.889598][T11618] ? ucma_connect+0xa40/0xa40
[ 1043.894258][T11618] ucma_write+0x5c5/0x630
[ 1043.898578][T11618] ? ucma_get_global_nl_info+0xe0/0xe0
[ 1043.904018][T11618] __vfs_write+0x1a9/0xca0
[ 1043.908424][T11618] ? rw_verify_area+0x2c4/0x5b0
[ 1043.913261][T11618] ? kmsan_get_metadata+0x11d/0x180
[ 1043.918447][T11618] vfs_write+0x44a/0x8f0
[ 1043.922680][T11618] ksys_write+0x267/0x450
[ 1043.927001][T11618] __ia32_sys_write+0xdb/0x120
[ 1043.931763][T11618] ? __se_sys_write+0xb0/0xb0
[ 1043.936423][T11618] do_fast_syscall_32+0x3c7/0x6e0
[ 1043.941438][T11618] entry_SYSENTER_compat+0x68/0x77
[ 1043.946553][T11618] RIP: 0023:0xf7fcbd99
[ 1043.950600][T11618] Code: 90 e8 0b 00 00 00 f3 90 0f ae e8 eb f9 8d 74 26 00 89 3c 24 c3 90 90 90 90 90 90 90 90 90 90 90 90 51 52 55 89 e5 0f 34 cd 80 <5d> 5a 59 c3 90 90 90 90 eb 0d 90 90 90 90 90 90 90 90 90 90 90 90
[ 1043.978577][T11618] RSP: 002b:00000000f7fc60cc EFLAGS: 00000296 ORIG_RAX: 0000000000000004
[ 1043.986978][T11618] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000020000040
[ 1043.994938][T11618] RDX: 0000000000000010 RSI: 0000000000000000 RDI: 0000000000000000
[ 1044.002892][T11618] RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
[ 1044.010848][T11618] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
[ 1044.018891][T11618] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[ 1044.026852][T11618]
[ 1044.029158][T11618] Uninit was created at:
[ 1044.033393][T11618] kmsan_internal_poison_shadow+0x66/0xd0
[ 1044.039117][T11618] kmsan_slab_free+0x6e/0xb0
[ 1044.043688][T11618] kfree+0x565/0x30a0
[ 1044.047651][T11618] rdma_destroy_id+0x197e/0x1b40
[ 1044.052569][T11618] ucma_close+0x334/0x4c0
[ 1044.056890][T11618] __fput+0x4c7/0xb90
[ 1044.060853][T11618] ____fput+0x37/0x40
[ 1044.064860][T11618] task_work_run+0x214/0x2b0
[ 1044.069429][T11618] prepare_exit_to_usermode+0x3c8/0x520
[ 1044.074991][T11618] syscall_return_slowpath+0x95/0x5f0
[ 1044.080343][T11618] do_fast_syscall_32+0x422/0x6e0
[ 1044.085347][T11618] entry_SYSENTER_compat+0x68/0x77
[ 1044.090432][T11618] =====================================================
[ 1044.097345][T11618] Disabling lock debugging due to kernel taint
[ 1044.103511][T11618] Kernel panic - not syncing: panic_on_warn set ...
[ 1044.110195][T11618] CPU: 0 PID: 11618 Comm: syz-executor.0 Tainted: G B 5.6.0-rc2-syzkaller #0
[ 1044.120286][T11618] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 1044.130322][T11618] Call Trace:
[ 1044.133605][T11618] dump_stack+0x1c9/0x220
[ 1044.137920][T11618] panic+0x3d5/0xc3e
[ 1044.141857][T11618] kmsan_report+0x1df/0x1e0
[ 1044.146347][T11618] __msan_warning+0x58/0xa0
[ 1044.150835][T11618] __list_add_valid+0x280/0x420
[ 1044.155675][T11618] rdma_listen+0x623/0x10b0
[ 1044.160173][T11618] ? kmsan_set_origin_checked+0x95/0xf0
[ 1044.165717][T11618] ? kmsan_get_metadata+0x11d/0x180
[ 1044.171083][T11618] ucma_listen+0x36c/0x5e0
[ 1044.175488][T11618] ? ucma_connect+0xa40/0xa40
[ 1044.180145][T11618] ucma_write+0x5c5/0x630
[ 1044.184470][T11618] ? ucma_get_global_nl_info+0xe0/0xe0
[ 1044.189910][T11618] __vfs_write+0x1a9/0xca0
[ 1044.194324][T11618] ? rw_verify_area+0x2c4/0x5b0
[ 1044.199160][T11618] ? kmsan_get_metadata+0x11d/0x180
[ 1044.204350][T11618] vfs_write+0x44a/0x8f0
[ 1044.208604][T11618] ksys_write+0x267/0x450
[ 1044.212925][T11618] __ia32_sys_write+0xdb/0x120
[ 1044.217676][T11618] ? __se_sys_write+0xb0/0xb0
[ 1044.222349][T11618] do_fast_syscall_32+0x3c7/0x6e0
[ 1044.227367][T11618] entry_SYSENTER_compat+0x68/0x77
[ 1044.232458][T11618] RIP: 0023:0xf7fcbd99
[ 1044.236548][T11618] Code: 90 e8 0b 00 00 00 f3 90 0f ae e8 eb f9 8d 74 26 00 89 3c 24 c3 90 90 90 90 90 90 90 90 90 90 90 90 51 52 55 89 e5 0f 34 cd 80 <5d> 5a 59 c3 90 90 90 90 eb 0d 90 90 90 90 90 90 90 90 90 90 90 90
[ 1044.256140][T11618] RSP: 002b:00000000f7fc60cc EFLAGS: 00000296 ORIG_RAX: 0000000000000004
[ 1044.264591][T11618] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000020000040
[ 1044.272555][T11618] RDX: 0000000000000010 RSI: 0000000000000000 RDI: 0000000000000000
[ 1044.280530][T11618] RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
[ 1044.288493][T11618] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
[ 1044.296450][T11618] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[ 1044.305858][T11618] Kernel Offset: 0x27000000 from 0xffffffff81000000 (relocation range: 0xffffffff80000000-0xffffffffbfffffff)
[ 1044.317520][T11618] Rebooting in 86400 seconds..