[ 34.714118] audit: type=1800 audit(1582804508.781:33): pid=7271 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:kernel_t:s0 op="collect_data" cause="failed(directio)" comm="startpar" name="rc.local" dev="sda1" ino=2465 res=0
[ 34.741284] audit: type=1800 audit(1582804508.781:34): pid=7271 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:kernel_t:s0 op="collect_data" cause="failed(directio)" comm="startpar" name="rmnologin" dev="sda1" ino=2456 res=0

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [ 39.287003] random: sshd: uninitialized urandom read (32 bytes read)
[ 39.603717] audit: type=1400 audit(1582804513.671:35): avc: denied { map } for pid=7444 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
[ 39.655063] random: sshd: uninitialized urandom read (32 bytes read)
[ 40.365371] random: sshd: uninitialized urandom read (32 bytes read)
[ 40.551133] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.0.120' (ECDSA) to the list of known hosts.
[ 46.137845] random: sshd: uninitialized urandom read (32 bytes read)
executing program
[ 46.252819] audit: type=1400 audit(1582804520.321:36): avc: denied { map } for pid=7456 comm="syz-executor557" path="/root/syz-executor557152458" dev="sda1" ino=16483 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
[ 46.255675] ==================================================================
[ 46.286600] BUG: KASAN: slab-out-of-bounds in tipc_nametbl_lookup_dst_nodes+0x44c/0x4c0
[ 46.294733] Read of size 4 at addr ffff88809aeafc50 by task syz-executor557/7456
[ 46.302248]
[ 46.303859] CPU: 1 PID: 7456 Comm: syz-executor557 Not tainted 4.14.171-syzkaller #0
[ 46.311717] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 46.321085] Call Trace:
[ 46.323695]  dump_stack+0x13e/0x194
[ 46.327308]  ? tipc_nametbl_lookup_dst_nodes+0x44c/0x4c0
[ 46.332741]  print_address_description.cold+0x7c/0x1e2
[ 46.338004]  ? tipc_nametbl_lookup_dst_nodes+0x44c/0x4c0
[ 46.343516]  kasan_report.cold+0xa9/0x2ae
[ 46.347647]  tipc_nametbl_lookup_dst_nodes+0x44c/0x4c0
[ 46.352952]  tipc_sendmcast+0x599/0xb60
[ 46.356922]  ? tipc_socketpair+0x630/0x630
[ 46.361151]  ? unwind_next_frame+0xbc6/0x17a0
[ 46.365645]  ? deref_stack_reg+0x8a/0xc0
[ 46.369709]  ? __read_once_size_nocheck.constprop.0+0x10/0x10
[ 46.375580]  ? deref_stack_reg+0xc0/0xc0
[ 46.379630]  ? entry_SYSCALL_64_after_hwframe+0x41/0xb7
[ 46.384976]  ? lock_downgrade+0x6e0/0x6e0
[ 46.389105]  ? unwind_next_frame+0xbc6/0x17a0
[ 46.393581]  ? __bfs+0x22/0x5b0
[ 46.396844]  ? __tipc_sendmsg+0xbc5/0xfd0
[ 46.400975]  __tipc_sendmsg+0xbc5/0xfd0
[ 46.404930]  ? print_shortest_lock_dependencies+0x80/0x80
[ 46.410449]  ? tipc_sendmcast+0xb60/0xb60
[ 46.414579]  ? save_trace+0xd6/0x290
[ 46.418273]  ? mark_lock+0x54e/0x10b0
[ 46.422057]  ? print_shortest_lock_dependencies+0x80/0x80
[ 46.427574]  ? mark_held_locks+0xa6/0xf0
[ 46.431619]  ? __local_bh_enable_ip+0x94/0x190
[ 46.436239]  tipc_sendmsg+0x4c/0x70
[ 46.439882]  ? __tipc_sendmsg+0xfd0/0xfd0
[ 46.444127]  sock_sendmsg+0xc5/0x100
[ 46.447829]  ___sys_sendmsg+0x70a/0x840
[ 46.451790]  ? do_huge_pmd_anonymous_page+0xc63/0x11e0
[ 46.457044]  ? copy_msghdr_from_user+0x380/0x380
[ 46.461785]  ? lock_downgrade+0x6e0/0x6e0
[ 46.465929]  ? __lru_cache_add+0x17b/0x250
[ 46.470149]  ? do_raw_spin_unlock+0x164/0x250
[ 46.474628]  ? _raw_spin_unlock+0x29/0x40
[ 46.478799]  ? do_huge_pmd_anonymous_page+0x2f9/0x11e0
[ 46.484071]  ? prep_transhuge_page+0xa0/0xa0
[ 46.488461]  ? pud_val+0x6c/0xd0
[ 46.491847]  ? pmd_val+0xd0/0xd0
[ 46.495196]  ? trace_hardirqs_on+0x10/0x10
[ 46.499448]  ? __handle_mm_fault+0x644/0x3280
[ 46.503967]  ? save_trace+0x290/0x290
[ 46.507755]  ? copy_page_range+0x1d70/0x1d70
[ 46.512158]  ? __fget_light+0x16a/0x1f0
[ 46.516129]  ? sockfd_lookup_light+0xb2/0x160
[ 46.520607]  __sys_sendmsg+0xa3/0x120
[ 46.524385]  ? SyS_shutdown+0x160/0x160
[ 46.528951]  ? up_read+0x17/0x30
[ 46.532299]  ? __do_page_fault+0x35b/0xb40
[ 46.536517]  SyS_sendmsg+0x27/0x40
[ 46.540042]  ? __sys_sendmsg+0x120/0x120
[ 46.544106]  do_syscall_64+0x1d5/0x640
[ 46.547978]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 46.553179] RIP: 0033:0x4401b9
[ 46.556359] RSP: 002b:00007ffeda62be38 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
[ 46.564061] RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 00000000004401b9
[ 46.571320] RDX: 0000000000000000 RSI: 0000000020000240 RDI: 0000000000000003
[ 46.578627] RBP: 00000000006ca018 R08: 0000000000000000 R09: 00000000004002c8
[ 46.585892] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000401a40
[ 46.593156] R13: 0000000000401ad0 R14: 0000000000000000 R15: 0000000000000000
[ 46.600484]
[ 46.602110] Allocated by task 1:
[ 46.605490]  save_stack+0x32/0xa0
[ 46.608934]  kasan_kmalloc+0xbf/0xe0
[ 46.612632]  kmem_cache_alloc_trace+0x14d/0x7b0
[ 46.617295]  tipc_nameseq_create+0x7e/0x2d0
[ 46.621607]  tipc_nametbl_insert_publ+0x6b1/0x1450
[ 46.626517]  tipc_nametbl_publish+0x211/0x3f0
[ 46.631019]  tipc_bind+0x2c4/0x600
[ 46.634558]  tipc_server_start+0x31f/0x880
[ 46.638776]  tipc_topsrv_init_net+0x53b/0x730
[ 46.643310]  ops_init+0xa5/0x3c0
[ 46.646791]  register_pernet_operations+0x32f/0x710
[ 46.651794]  register_pernet_device+0x28/0x70
[ 46.656273]  tipc_init+0x7d/0x137
[ 46.659708]  do_one_initcall+0x88/0x202
[ 46.663665]  kernel_init_freeable+0x465/0x526
[ 46.668142]  kernel_init+0xd/0x15b
[ 46.671664]  ret_from_fork+0x24/0x30
[ 46.675364]
[ 46.676970] Freed by task 0:
[ 46.679975] (stack is not available)
[ 46.683766]
[ 46.685391] The buggy address belongs to the object at ffff88809aeafc40
[ 46.685391]  which belongs to the cache kmalloc-32 of size 32
[ 46.697864] The buggy address is located 16 bytes inside of
[ 46.697864]  32-byte region [ffff88809aeafc40, ffff88809aeafc60)
[ 46.709545] The buggy address belongs to the page:
[ 46.722101] page:ffffea00026babc0 count:1 mapcount:0 mapping:ffff88809aeaf000 index:0xffff88809aeaffc1
[ 46.731529] flags: 0xfffe0000000100(slab)
[ 46.735658] raw: 00fffe0000000100 ffff88809aeaf000 ffff88809aeaffc1 0000000100000033
[ 46.743519] raw: ffffea00026b4ae0 ffffea0002499820 ffff88812fe561c0 0000000000000000
[ 46.751378] page dumped because: kasan: bad access detected
[ 46.757065]
[ 46.758671] Memory state around the buggy address:
[ 46.763578]  ffff88809aeafb00: fb fb fb fb fc fc fc fc fb fb fb fb fc fc fc fc
[ 46.770918]  ffff88809aeafb80: fb fb fb fb fc fc fc fc fb fb fb fb fc fc fc fc
[ 46.778257] >ffff88809aeafc00: 00 00 fc fc fc fc fc fc 00 00 fc fc fc fc fc fc
[ 46.785594]                                                  ^
[ 46.791545]  ffff88809aeafc80: 00 00 00 00 fc fc fc fc fb fb fb fb fc fc fc fc
[ 46.798897]  ffff88809aeafd00: fb fb fb fb fc fc fc fc 00 00 00 fc fc fc fc fc
[ 46.806244] ==================================================================
[ 46.813585] Disabling lock debugging due to kernel taint
[ 46.819049] Kernel panic - not syncing: panic_on_warn set ...
[ 46.819049]
[ 46.826403] CPU: 1 PID: 7456 Comm: syz-executor557 Tainted: G B 4.14.171-syzkaller #0
[ 46.835475] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 46.844807] Call Trace:
[ 46.847378]  dump_stack+0x13e/0x194
[ 46.850982]  panic+0x1f9/0x42d
[ 46.854152]  ? add_taint.cold+0x16/0x16
[ 46.858103]  ? tipc_nametbl_lookup_dst_nodes+0x44c/0x4c0
[ 46.863532]  kasan_end_report+0x43/0x49
[ 46.867482]  kasan_report.cold+0x12f/0x2ae
[ 46.871748]  tipc_nametbl_lookup_dst_nodes+0x44c/0x4c0
[ 46.877045]  tipc_sendmcast+0x599/0xb60
[ 46.881001]  ? tipc_socketpair+0x630/0x630
[ 46.885216]  ? unwind_next_frame+0xbc6/0x17a0
[ 46.889690]  ? deref_stack_reg+0x8a/0xc0
[ 46.893731]  ? __read_once_size_nocheck.constprop.0+0x10/0x10
[ 46.899652]  ? deref_stack_reg+0xc0/0xc0
[ 46.903714]  ? entry_SYSCALL_64_after_hwframe+0x41/0xb7
[ 46.909060]  ? lock_downgrade+0x6e0/0x6e0
[ 46.913187]  ? unwind_next_frame+0xbc6/0x17a0
[ 46.917664]  ? __bfs+0x22/0x5b0
[ 46.920959]  ? __tipc_sendmsg+0xbc5/0xfd0
[ 46.925083]  __tipc_sendmsg+0xbc5/0xfd0
[ 46.929047]  ? print_shortest_lock_dependencies+0x80/0x80
[ 46.934571]  ? tipc_sendmcast+0xb60/0xb60
[ 46.938699]  ? save_trace+0xd6/0x290
[ 46.942387]  ? mark_lock+0x54e/0x10b0
[ 46.946179]  ? print_shortest_lock_dependencies+0x80/0x80
[ 46.951701]  ? mark_held_locks+0xa6/0xf0
[ 46.955757]  ? __local_bh_enable_ip+0x94/0x190
[ 46.960365]  tipc_sendmsg+0x4c/0x70
[ 46.963969]  ? __tipc_sendmsg+0xfd0/0xfd0
[ 46.968099]  sock_sendmsg+0xc5/0x100
[ 46.971795]  ___sys_sendmsg+0x70a/0x840
[ 46.975757]  ? do_huge_pmd_anonymous_page+0xc63/0x11e0
[ 46.981011]  ? copy_msghdr_from_user+0x380/0x380
[ 46.985800]  ? lock_downgrade+0x6e0/0x6e0
[ 46.989953]  ? __lru_cache_add+0x17b/0x250
[ 46.994167]  ? do_raw_spin_unlock+0x164/0x250
[ 46.998673]  ? _raw_spin_unlock+0x29/0x40
[ 47.002801]  ? do_huge_pmd_anonymous_page+0x2f9/0x11e0
[ 47.008066]  ? prep_transhuge_page+0xa0/0xa0
[ 47.012451]  ? pud_val+0x6c/0xd0
[ 47.015827]  ? pmd_val+0xd0/0xd0
[ 47.019168]  ? trace_hardirqs_on+0x10/0x10
[ 47.023381]  ? __handle_mm_fault+0x644/0x3280
[ 47.027925]  ? save_trace+0x290/0x290
[ 47.031717]  ? copy_page_range+0x1d70/0x1d70
[ 47.036109]  ? __fget_light+0x16a/0x1f0
[ 47.040068]  ? sockfd_lookup_light+0xb2/0x160
[ 47.044542]  __sys_sendmsg+0xa3/0x120
[ 47.048322]  ? SyS_shutdown+0x160/0x160
[ 47.052274]  ? up_read+0x17/0x30
[ 47.055616]  ? __do_page_fault+0x35b/0xb40
[ 47.059887]  SyS_sendmsg+0x27/0x40
[ 47.063420]  ? __sys_sendmsg+0x120/0x120
[ 47.067459]  do_syscall_64+0x1d5/0x640
[ 47.071327]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 47.076495] RIP: 0033:0x4401b9
[ 47.079659] RSP: 002b:00007ffeda62be38 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
[ 47.087347] RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 00000000004401b9
[ 47.094626] RDX: 0000000000000000 RSI: 0000000020000240 RDI: 0000000000000003
[ 47.101912] RBP: 00000000006ca018 R08: 0000000000000000 R09: 00000000004002c8
[ 47.109160] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000401a40
[ 47.116409] R13: 0000000000401ad0 R14: 0000000000000000 R15: 0000000000000000
[ 47.124999] Kernel Offset: disabled
[ 47.128667] Rebooting in 86400 seconds..