[ 38.197805] audit: type=1800 audit(1574368999.177:32): pid=7401 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:kernel_t:s0 op=collect_data cause=failed(directio) comm="startpar" name="ssh" dev="sda1" ino=2450 res=0
[....] Starting periodic command scheduler: cron [ ok ].
Starting mcstransd:
[....] Starting file context maintaining daemon: restorecond [ ok ].
[....] Starting OpenBSD Secure Shell server: sshd [ ok ].
[ 38.929480] audit: type=1800 audit(1574369000.027:33): pid=7401 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:kernel_t:s0 op=collect_data cause=failed(directio) comm="startpar" name="rc.local" dev="sda1" ino=2465 res=0

Debian GNU/Linux 7 syzkaller ttyS0

Warning: Permanently added '10.128.0.165' (ECDSA) to the list of known hosts.
executing program
syzkaller login: [ 47.768476] kauditd_printk_skb: 2 callbacks suppressed
[ 47.768491] audit: type=1400 audit(1574369008.867:36): avc: denied { map } for pid=7587 comm="syz-executor205" path="/root/syz-executor205511163" dev="sda1" ino=16483 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
[ 47.780653] FAULT_INJECTION: forcing a failure.
[ 47.780653] name failslab, interval 1, probability 0, space 0, times 1
[ 47.818058] CPU: 0 PID: 7588 Comm: syz-executor205 Not tainted 4.19.85-syzkaller #0
[ 47.826442] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 47.836390] Call Trace:
[ 47.839446]  dump_stack+0x197/0x210
[ 47.843654]  should_fail.cold+0xa/0x1b
[ 47.848013]  ? fault_create_debugfs_attr+0x1e0/0x1e0
[ 47.853290]  ? lock_downgrade+0x880/0x880
[ 47.857728]  __should_failslab+0x121/0x190
[ 47.861978]  should_failslab+0x9/0x14
[ 47.865876]  kmem_cache_alloc_trace+0x2cc/0x760
[ 47.871259]  slip_open+0x976/0x1175
[ 47.875289]  ? sl_change_mtu+0x5c0/0x5c0
[ 47.879585]  ? lock_downgrade+0x880/0x880
[ 47.883755]  ? sl_change_mtu+0x5c0/0x5c0
[ 47.888155]  tty_ldisc_open.isra.0+0x89/0xd0
[ 47.892594]  tty_set_ldisc+0x2e3/0x690
[ 47.896783]  tty_ioctl+0x65e/0x1510
[ 47.900480]  ? tty_vhangup+0x30/0x30
[ 47.904206]  ? proc_fail_nth_write+0x9d/0x1e0
[ 47.909023]  ? proc_cwd_link+0x1d0/0x1d0
[ 47.913136]  ? __might_sleep+0x95/0x190
[ 47.917129]  ? vfs_write+0x2f0/0x560
[ 47.921155]  ? tty_vhangup+0x30/0x30
[ 47.924888]  do_vfs_ioctl+0xd5f/0x1380
[ 47.928805]  ? selinux_file_ioctl+0x46f/0x5e0
[ 47.934155]  ? selinux_file_ioctl+0x125/0x5e0
[ 47.938937]  ? ioctl_preallocate+0x210/0x210
[ 47.944127]  ? selinux_file_mprotect+0x620/0x620
[ 47.949150]  ? __sb_end_write+0xd9/0x110
[ 47.953621]  ? vfs_write+0x160/0x560
[ 47.957898]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 47.963468]  ? security_file_ioctl+0x8d/0xc0
[ 47.968222]  ksys_ioctl+0xab/0xd0
[ 47.972163]  __x64_sys_ioctl+0x73/0xb0
[ 47.976666]  do_syscall_64+0xfd/0x620
[ 47.980860]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 47.986491] RIP: 0033:0x441199
[ 47.989982] Code: e8 5c ae 02 00 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 bb 0a fc ff c3 66 2e 0f 1f 84 00 00 00 00
[ 48.009504] RSP: 002b:00007fffb6f4feb8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
executing program
[ 48.017225] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 0000000000441199
[ 48.024738] RDX: 00000000200003c0 RSI: 0000000000005423 RDI: 0000000000000003
[ 48.032208] RBP: 00007fffb6f4fed0 R08: 0000000000000001 R09: 0000000000000000
[ 48.039700] R10: 0000000000000000 R11: 0000000000000246 R12: ffffffffffffffff
[ 48.047306] R13: 0000000000000004 R14: 0000000000000000 R15: 0000000000000000
[ 48.062453] ==================================================================
[ 48.071545] BUG: KASAN: use-after-free in slip_open+0xe92/0x1175
[ 48.078071] Read of size 8 at addr ffff88809dab5388 by task syz-executor205/7589
[ 48.086702]
[ 48.088512] CPU: 1 PID: 7589 Comm: syz-executor205 Not tainted 4.19.85-syzkaller #0
[ 48.098284] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 48.108162] Call Trace:
[ 48.111117]  dump_stack+0x197/0x210
[ 48.115096]  ? slip_open+0xe92/0x1175
[ 48.119164]  print_address_description.cold+0x7c/0x20d
[ 48.125870]  ? slip_open+0xe92/0x1175
[ 48.129862]  kasan_report.cold+0x8c/0x2ba
[ 48.138978]  __asan_report_load8_noabort+0x14/0x20
[ 48.150598]  slip_open+0xe92/0x1175
[ 48.157308]  ? sl_change_mtu+0x5c0/0x5c0
[ 48.162968]  ? lock_downgrade+0x880/0x880
[ 48.168388]  ? sl_change_mtu+0x5c0/0x5c0
[ 48.173971]  tty_ldisc_open.isra.0+0x89/0xd0
[ 48.178565]  tty_set_ldisc+0x2e3/0x690
[ 48.182495]  tty_ioctl+0x65e/0x1510
[ 48.186383]  ? tty_vhangup+0x30/0x30
[ 48.190340]  ? proc_fail_nth_write+0x9d/0x1e0
[ 48.195127]  ? proc_cwd_link+0x1d0/0x1d0
[ 48.199210]  ? __might_sleep+0x95/0x190
[ 48.203195]  ? vfs_write+0x2f0/0x560
[ 48.207206]  ? tty_vhangup+0x30/0x30
[ 48.211351]  do_vfs_ioctl+0xd5f/0x1380
[ 48.215308]  ? selinux_file_ioctl+0x46f/0x5e0
[ 48.219815]  ? selinux_file_ioctl+0x125/0x5e0
[ 48.224316]  ? ioctl_preallocate+0x210/0x210
[ 48.228918]  ? selinux_file_mprotect+0x620/0x620
[ 48.233988]  ? __sb_end_write+0xd9/0x110
[ 48.238268]  ? vfs_write+0x160/0x560
[ 48.242295]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 48.248472]  ? security_file_ioctl+0x8d/0xc0
[ 48.252981]  ksys_ioctl+0xab/0xd0
[ 48.256596]  __x64_sys_ioctl+0x73/0xb0
[ 48.260852]  do_syscall_64+0xfd/0x620
[ 48.265323]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 48.271494] RIP: 0033:0x441199
[ 48.274884] Code: e8 5c ae 02 00 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 bb 0a fc ff c3 66 2e 0f 1f 84 00 00 00 00
[ 48.294562] RSP: 002b:00007fffb6f4feb8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[ 48.302276] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 0000000000441199
[ 48.310120] RDX: 00000000200003c0 RSI: 0000000000005423 RDI: 0000000000000003
[ 48.318006] RBP: 00007fffb6f4fed0 R08: 0000000000000001 R09: 0000000000000000
[ 48.325690] R10: 0000000000000000 R11: 0000000000000246 R12: ffffffffffffffff
[ 48.333384] R13: 0000000000000004 R14: 0000000000000000 R15: 0000000000000000
[ 48.341350]
[ 48.343096] Allocated by task 7588:
[ 48.347911]  save_stack+0x45/0xd0
[ 48.352395]  kasan_kmalloc+0xce/0xf0
[ 48.356736]  __kmalloc_node+0x51/0x80
[ 48.361003]  kvmalloc_node+0x68/0x100
[ 48.365829]  alloc_netdev_mqs+0x98/0xd40
[ 48.370433]  slip_open+0x38e/0x1175
[ 48.376164]  tty_ldisc_open.isra.0+0x89/0xd0
[ 48.381095]  tty_set_ldisc+0x2e3/0x690
[ 48.385169]  tty_ioctl+0x65e/0x1510
[ 48.389786]  do_vfs_ioctl+0xd5f/0x1380
[ 48.394980]  ksys_ioctl+0xab/0xd0
[ 48.398818]  __x64_sys_ioctl+0x73/0xb0
[ 48.403141]  do_syscall_64+0xfd/0x620
[ 48.407583]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 48.413068]
[ 48.414830] Freed by task 7588:
[ 48.418684]  save_stack+0x45/0xd0
[ 48.422637]  __kasan_slab_free+0x102/0x150
[ 48.428036]  kasan_slab_free+0xe/0x10
[ 48.432116]  kfree+0xcf/0x220
[ 48.436118]  kvfree+0x61/0x70
[ 48.439919]  free_netdev+0x384/0x430
[ 48.444173]  slip_open+0xd2a/0x1175
[ 48.448166]  tty_ldisc_open.isra.0+0x89/0xd0
[ 48.453755]  tty_set_ldisc+0x2e3/0x690
[ 48.459271]  tty_ioctl+0x65e/0x1510
[ 48.464557]  do_vfs_ioctl+0xd5f/0x1380
[ 48.469766]  ksys_ioctl+0xab/0xd0
[ 48.473972]  __x64_sys_ioctl+0x73/0xb0
[ 48.478971]  do_syscall_64+0xfd/0x620
[ 48.483556]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 48.489097]
[ 48.490729] The buggy address belongs to the object at ffff88809dab48c0
[ 48.490729]  which belongs to the cache kmalloc-4096 of size 4096
[ 48.505612] The buggy address is located 2760 bytes inside of
[ 48.505612]  4096-byte region [ffff88809dab48c0, ffff88809dab58c0)
[ 48.519072] The buggy address belongs to the page:
[ 48.524504] page:ffffea000276ad00 count:1 mapcount:0 mapping:ffff88812c3f0dc0 index:0x0 compound_mapcount: 0
[ 48.538994] flags: 0x1fffc0000008100(slab|head)
[ 48.547888] raw: 01fffc0000008100 ffffea0002657b08 ffffea00027c8e08 ffff88812c3f0dc0
[ 48.564751] raw: 0000000000000000 ffff88809dab48c0 0000000100000001 0000000000000000
[ 48.579281] page dumped because: kasan: bad access detected
[ 48.585573]
[ 48.587210] Memory state around the buggy address:
[ 48.592592]  ffff88809dab5280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 48.600088]  ffff88809dab5300: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 48.609118] >ffff88809dab5380: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 48.617201]                       ^
[ 48.621157]  ffff88809dab5400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 48.629541]  ffff88809dab5480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 48.637984] ==================================================================
[ 48.649420] Disabling lock debugging due to kernel taint
[ 48.655958] Kernel panic - not syncing: panic_on_warn set ...
[ 48.655958]
[ 48.665178] CPU: 1 PID: 7589 Comm: syz-executor205 Tainted: G B 4.19.85-syzkaller #0
[ 48.675508] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 48.685528] Call Trace:
[ 48.688275]  dump_stack+0x197/0x210
[ 48.692376]  ? slip_open+0xe92/0x1175
[ 48.696517]  panic+0x26a/0x50e
[ 48.700115]  ? __warn_printk+0xf3/0xf3
[ 48.704390]  ? slip_open+0xe92/0x1175
[ 48.708380]  ? preempt_schedule+0x4b/0x60
[ 48.712813]  ? ___preempt_schedule+0x16/0x18
[ 48.717518]  ? trace_hardirqs_on+0x5e/0x220
[ 48.722585]  ? slip_open+0xe92/0x1175
[ 48.726900]  kasan_end_report+0x47/0x4f
[ 48.731176]  kasan_report.cold+0xa9/0x2ba
[ 48.737661]  __asan_report_load8_noabort+0x14/0x20
[ 48.744478]  slip_open+0xe92/0x1175
[ 48.749073]  ? sl_change_mtu+0x5c0/0x5c0
[ 48.753355]  ? lock_downgrade+0x880/0x880
[ 48.758076]  ? sl_change_mtu+0x5c0/0x5c0
[ 48.763455]  tty_ldisc_open.isra.0+0x89/0xd0
[ 48.772550]  tty_set_ldisc+0x2e3/0x690
[ 48.777258]  tty_ioctl+0x65e/0x1510
[ 48.781042]  ? tty_vhangup+0x30/0x30
[ 48.784959]  ? proc_fail_nth_write+0x9d/0x1e0
[ 48.789836]  ? proc_cwd_link+0x1d0/0x1d0
[ 48.794538]  ? __might_sleep+0x95/0x190
[ 48.798536]  ? vfs_write+0x2f0/0x560
[ 48.802816]  ? tty_vhangup+0x30/0x30
[ 48.806874]  do_vfs_ioctl+0xd5f/0x1380
[ 48.811315]  ? selinux_file_ioctl+0x46f/0x5e0
[ 48.816139]  ? selinux_file_ioctl+0x125/0x5e0
[ 48.820814]  ? ioctl_preallocate+0x210/0x210
[ 48.825419]  ? selinux_file_mprotect+0x620/0x620
[ 48.830560]  ? __sb_end_write+0xd9/0x110
[ 48.835017]  ? vfs_write+0x160/0x560
[ 48.839543]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 48.845246]  ? security_file_ioctl+0x8d/0xc0
[ 48.849944]  ksys_ioctl+0xab/0xd0
[ 48.854054]  __x64_sys_ioctl+0x73/0xb0
[ 48.858039]  do_syscall_64+0xfd/0x620
[ 48.861939]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 48.867688] RIP: 0033:0x441199
[ 48.870946] Code: e8 5c ae 02 00 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 bb 0a fc ff c3 66 2e 0f 1f 84 00 00 00 00
[ 48.890458] RSP: 002b:00007fffb6f4feb8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[ 48.898423] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 0000000000441199
[ 48.906102] RDX: 00000000200003c0 RSI: 0000000000005423 RDI: 0000000000000003
[ 48.913379] RBP: 00007fffb6f4fed0 R08: 0000000000000001 R09: 0000000000000000
[ 48.920932] R10: 0000000000000000 R11: 0000000000000246 R12: ffffffffffffffff
[ 48.929585] R13: 0000000000000004 R14: 0000000000000000 R15: 0000000000000000
[ 48.940916] Kernel Offset: disabled
[ 48.944967] Rebooting in 86400 seconds..