[ 93.400563][ T27] audit: type=1400 audit(1577912353.663:37): avc: denied { watch } for pid=9946 comm="restorecond" path="/root/.ssh" dev="sda1" ino=16179 scontext=system_u:system_r:kernel_t:s0 tcontext=unconfined_u:object_r:ssh_home_t:s0 tclass=dir permissive=1
[ 93.449364][ T27] audit: type=1400 audit(1577912353.693:38): avc: denied { watch } for pid=9946 comm="restorecond" path="/etc/selinux/restorecond.conf" dev="sda1" ino=2232 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
[ ok ] Starting OpenBSD Secure Shell server: sshd.
[ ok ] Starting file context maintaining daemon: restorecond.
[ 93.630035][ T27] audit: type=1800 audit(1577912353.893:39): pid=9852 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:kernel_t:s0 op=collect_data cause=failed(directio) comm="startpar" name="rc.local" dev="sda1" ino=2432 res=0
[ 93.652431][ T27] audit: type=1800 audit(1577912353.893:40): pid=9852 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:kernel_t:s0 op=collect_data cause=failed(directio) comm="startpar" name="rmnologin" dev="sda1" ino=2423 res=0

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [ 98.169988][ T27] audit: type=1400 audit(1577912358.433:41): avc: denied { map } for pid=10029 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
Warning: Permanently added '10.128.0.226' (ECDSA) to the list of known hosts.
executing program
executing program
executing program
[ 126.434108][ T27] audit: type=1400 audit(1577912386.693:42): avc: denied { map } for pid=10041 comm="syz-executor389" path="/root/syz-executor389147653" dev="sda1" ino=1426 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
executing program
[ 136.516658][ T1595] ==================================================================
[ 136.524927][ T1595] BUG: KASAN: slab-out-of-bounds in bacpy+0x23/0x30
[ 136.531532][ T1595] Read of size 6 at addr ffff888099490a08 by task kworker/u5:0/1595
[ 136.539492][ T1595]
[ 136.541820][ T1595] CPU: 1 PID: 1595 Comm: kworker/u5:0 Not tainted 5.5.0-rc4-syzkaller #0
[ 136.550223][ T1595] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 136.560471][ T1595] Workqueue: hci0 hci_rx_work
[ 136.565219][ T1595] Call Trace:
[ 136.568505][ T1595]  dump_stack+0x197/0x210
[ 136.572821][ T1595]  ? bacpy+0x23/0x30
[ 136.576725][ T1595]  print_address_description.constprop.0.cold+0xd4/0x30b
[ 136.583746][ T1595]  ? bacpy+0x23/0x30
[ 136.587677][ T1595]  ? bacpy+0x23/0x30
[ 136.591575][ T1595]  __kasan_report.cold+0x1b/0x41
[ 136.596521][ T1595]  ? bacpy+0x23/0x30
[ 136.600428][ T1595]  kasan_report+0x12/0x20
[ 136.604774][ T1595]  check_memory_region+0x134/0x1a0
[ 136.609882][ T1595]  memcpy+0x24/0x50
[ 136.613724][ T1595]  bacpy+0x23/0x30
[ 136.617439][ T1595]  hci_event_packet+0x506d/0xa8fb
[ 136.622490][ T1595]  ? hci_cmd_complete_evt+0xc350/0xc350
[ 136.628069][ T1595]  ? percpu_down_write+0x3c0/0x3f0
[ 136.633194][ T1595]  ? skb_dequeue+0x12e/0x180
[ 136.637921][ T1595]  ? __kasan_check_read+0x11/0x20
[ 136.643016][ T1595]  ? mark_lock+0xc2/0x1220
[ 136.648006][ T1595]  ? _raw_spin_unlock_irqrestore+0x66/0xe0
[ 136.653804][ T1595]  ? skb_dequeue+0x12e/0x180
[ 136.658389][ T1595]  ? _raw_spin_unlock_irqrestore+0x66/0xe0
[ 136.664216][ T1595]  ? lockdep_hardirqs_on+0x421/0x5e0
[ 136.669536][ T1595]  ? trace_hardirqs_on+0x67/0x240
[ 136.674569][ T1595]  hci_rx_work+0x4b7/0xb20
[ 136.679098][ T1595]  ? hci_rx_work+0x4b7/0xb20
[ 136.683813][ T1595]  ? rcu_read_lock_any_held.part.0+0x50/0x50
[ 136.690046][ T1595]  ? trace_hardirqs_on+0x67/0x240
[ 136.695094][ T1595]  process_one_work+0x9af/0x1740
[ 136.700051][ T1595]  ? pwq_dec_nr_in_flight+0x320/0x320
[ 136.705750][ T1595]  ? lock_acquire+0x190/0x410
[ 136.710534][ T1595]  worker_thread+0x98/0xe40
[ 136.715063][ T1595]  kthread+0x361/0x430
[ 136.719125][ T1595]  ? process_one_work+0x1740/0x1740
[ 136.724321][ T1595]  ? kthread_mod_delayed_work+0x1f0/0x1f0
[ 136.730090][ T1595]  ret_from_fork+0x24/0x30
[ 136.734502][ T1595]
[ 136.736825][ T1595] Allocated by task 10047:
[ 136.741263][ T1595]  save_stack+0x23/0x90
[ 136.745544][ T1595]  __kasan_kmalloc.constprop.0+0xcf/0xe0
[ 136.751418][ T1595]  kasan_kmalloc+0x9/0x10
[ 136.755969][ T1595]  __kmalloc_node_track_caller+0x4e/0x70
[ 136.761709][ T1595]  __kmalloc_reserve.isra.0+0x40/0xf0
[ 136.767107][ T1595]  __alloc_skb+0x10b/0x5e0
[ 136.771681][ T1595]  vhci_write+0xc4/0x470
[ 136.775914][ T1595]  new_sync_write+0x4d3/0x770
[ 136.780579][ T1595]  __vfs_write+0xe1/0x110
[ 136.785364][ T1595]  vfs_write+0x268/0x5d0
[ 136.789612][ T1595]  ksys_write+0x14f/0x290
[ 136.794205][ T1595]  __x64_sys_write+0x73/0xb0
[ 136.799150][ T1595]  do_syscall_64+0xfa/0x790
[ 136.803776][ T1595]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 136.810031][ T1595]
[ 136.812379][ T1595] Freed by task 9614:
[ 136.816768][ T1595]  save_stack+0x23/0x90
[ 136.821143][ T1595]  __kasan_slab_free+0x102/0x150
[ 136.826120][ T1595]  kasan_slab_free+0xe/0x10
[ 136.830715][ T1595]  kfree+0x10a/0x2c0
[ 136.834710][ T1595]  tomoyo_supervisor+0x360/0xef0
[ 136.840279][ T1595]  tomoyo_path_permission+0x263/0x360
[ 136.845961][ T1595]  tomoyo_path_perm+0x318/0x430
[ 136.850807][ T1595]  tomoyo_inode_getattr+0x1d/0x30
[ 136.856120][ T1595]  security_inode_getattr+0xf2/0x150
[ 136.861577][ T1595]  vfs_getattr+0x25/0x70
[ 136.865965][ T1595]  vfs_statx+0x157/0x200
[ 136.870357][ T1595]  __do_sys_newstat+0xa4/0x130
[ 136.875308][ T1595]  __x64_sys_newstat+0x54/0x80
[ 136.880797][ T1595]  do_syscall_64+0xfa/0x790
[ 136.885294][ T1595]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 136.891310][ T1595]
[ 136.893704][ T1595] The buggy address belongs to the object at ffff888099490800
[ 136.893704][ T1595]  which belongs to the cache kmalloc-512 of size 512
[ 136.908892][ T1595] The buggy address is located 8 bytes to the right of
[ 136.908892][ T1595]  512-byte region [ffff888099490800, ffff888099490a00)
[ 136.922744][ T1595] The buggy address belongs to the page:
[ 136.928506][ T1595] page:ffffea0002652400 refcount:1 mapcount:0 mapping:ffff8880aa400a80 index:0x0
[ 136.937897][ T1595] raw: 00fffe0000000200 ffffea0002a48488 ffffea00029a2888 ffff8880aa400a80
[ 136.946737][ T1595] raw: 0000000000000000 ffff888099490000 0000000100000004 0000000000000000
[ 136.955526][ T1595] page dumped because: kasan: bad access detected
[ 136.961970][ T1595]
[ 136.964287][ T1595] Memory state around the buggy address:
[ 136.970250][ T1595]  ffff888099490900: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 136.978545][ T1595]  ffff888099490980: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 136.986807][ T1595] >ffff888099490a00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 136.994931][ T1595]                        ^
[ 136.999280][ T1595]  ffff888099490a80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 137.007337][ T1595]  ffff888099490b00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 137.015408][ T1595] ==================================================================
[ 137.024068][ T1595] Disabling lock debugging due to kernel taint
[ 137.031232][ T1595] Kernel panic - not syncing: panic_on_warn set ...
[ 137.038017][ T1595] CPU: 0 PID: 1595 Comm: kworker/u5:0 Tainted: G B 5.5.0-rc4-syzkaller #0
[ 137.048204][ T1595] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 137.058326][ T1595] Workqueue: hci0 hci_rx_work
[ 137.063035][ T1595] Call Trace:
[ 137.066322][ T1595]  dump_stack+0x197/0x210
[ 137.070767][ T1595]  panic+0x2e3/0x75c
[ 137.074659][ T1595]  ? add_taint.cold+0x16/0x16
[ 137.079487][ T1595]  ? bacpy+0x23/0x30
[ 137.083390][ T1595]  ? preempt_schedule+0x4b/0x60
[ 137.088243][ T1595]  ? ___preempt_schedule+0x16/0x18
[ 137.093354][ T1595]  ? trace_hardirqs_on+0x5e/0x240
[ 137.098647][ T1595]  ? bacpy+0x23/0x30
[ 137.102637][ T1595]  end_report+0x47/0x4f
[ 137.106796][ T1595]  ? bacpy+0x23/0x30
[ 137.110693][ T1595]  __kasan_report.cold+0xe/0x41
[ 137.115547][ T1595]  ? bacpy+0x23/0x30
[ 137.119431][ T1595]  kasan_report+0x12/0x20
[ 137.123747][ T1595]  check_memory_region+0x134/0x1a0
[ 137.128859][ T1595]  memcpy+0x24/0x50
[ 137.132668][ T1595]  bacpy+0x23/0x30
[ 137.136383][ T1595]  hci_event_packet+0x506d/0xa8fb
[ 137.141407][ T1595]  ? hci_cmd_complete_evt+0xc350/0xc350
[ 137.146951][ T1595]  ? percpu_down_write+0x3c0/0x3f0
[ 137.152061][ T1595]  ? skb_dequeue+0x12e/0x180
[ 137.156639][ T1595]  ? __kasan_check_read+0x11/0x20
[ 137.161647][ T1595]  ? mark_lock+0xc2/0x1220
[ 137.166047][ T1595]  ? _raw_spin_unlock_irqrestore+0x66/0xe0
[ 137.171841][ T1595]  ? skb_dequeue+0x12e/0x180
[ 137.176415][ T1595]  ? _raw_spin_unlock_irqrestore+0x66/0xe0
[ 137.182253][ T1595]  ? lockdep_hardirqs_on+0x421/0x5e0
[ 137.187636][ T1595]  ? trace_hardirqs_on+0x67/0x240
[ 137.192812][ T1595]  hci_rx_work+0x4b7/0xb20
[ 137.197216][ T1595]  ? hci_rx_work+0x4b7/0xb20
[ 137.201800][ T1595]  ? rcu_read_lock_any_held.part.0+0x50/0x50
[ 137.207793][ T1595]  ? trace_hardirqs_on+0x67/0x240
[ 137.212989][ T1595]  process_one_work+0x9af/0x1740
[ 137.218216][ T1595]  ? pwq_dec_nr_in_flight+0x320/0x320
[ 137.223583][ T1595]  ? lock_acquire+0x190/0x410
[ 137.228258][ T1595]  worker_thread+0x98/0xe40
[ 137.232758][ T1595]  kthread+0x361/0x430
[ 137.236985][ T1595]  ? process_one_work+0x1740/0x1740
[ 137.242188][ T1595]  ? kthread_mod_delayed_work+0x1f0/0x1f0
[ 137.248036][ T1595]  ret_from_fork+0x24/0x30
[ 137.253991][ T1595] Kernel Offset: disabled
[ 137.258330][ T1595] Rebooting in 86400 seconds..