[ ok ] Starting file context maintaining daemon: restorecond.

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [ 35.271698] random: sshd: uninitialized urandom read (32 bytes read)
[ 35.603410] kauditd_printk_skb: 10 callbacks suppressed
[ 35.603419] audit: type=1400 audit(1572245217.556:35): avc: denied { map } for pid=6937 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
[ 35.660800] random: sshd: uninitialized urandom read (32 bytes read)
[ 36.221425] random: sshd: uninitialized urandom read (32 bytes read)
[ 946.803555] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.0.187' (ECDSA) to the list of known hosts.
[ 952.442036] random: sshd: uninitialized urandom read (32 bytes read)
2019/10/28 07:02:14 parsed 1 programs
[ 952.625555] audit: type=1400 audit(1572246134.576:36): avc: denied { map } for pid=6949 comm="syz-execprog" path="/root/syz-execprog" dev="sda1" ino=16481 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
[ 952.688621] audit: type=1400 audit(1572246134.636:37): avc: denied { map } for pid=6949 comm="syz-execprog" path="/sys/kernel/debug/kcov" dev="debugfs" ino=21 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:debugfs_t:s0 tclass=file permissive=1
[ 953.568970] random: cc1: uninitialized urandom read (8 bytes read)
2019/10/28 07:02:16 executed programs: 0
[ 954.831036] IPVS: ftp: loaded support on port[0] = 21
[ 955.674271] chnl_net:caif_netlink_parms(): no params data found
[ 955.704003] bridge0: port 1(bridge_slave_0) entered blocking state
[ 955.710641] bridge0: port 1(bridge_slave_0) entered disabled state
[ 955.717631] device bridge_slave_0 entered promiscuous mode
[ 955.724782] bridge0: port 2(bridge_slave_1) entered blocking state
[ 955.731381] bridge0: port 2(bridge_slave_1) entered disabled state
[ 955.738169] device bridge_slave_1 entered promiscuous mode
[ 955.753113] bond0: Enslaving bond_slave_0 as an active interface with an up link
[ 955.762170] bond0: Enslaving bond_slave_1 as an active interface with an up link
[ 955.778224] IPv6: ADDRCONF(NETDEV_UP): team_slave_0: link is not ready
[ 955.785647] team0: Port device team_slave_0 added
[ 955.791096] IPv6: ADDRCONF(NETDEV_UP): team_slave_1: link is not ready
[ 955.798093] team0: Port device team_slave_1 added
[ 955.803423] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_0: link is not ready
[ 955.810630] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_1: link is not ready
[ 955.871884] device hsr_slave_0 entered promiscuous mode
[ 955.920417] device hsr_slave_1 entered promiscuous mode
[ 955.961886] IPv6: ADDRCONF(NETDEV_UP): hsr_slave_0: link is not ready
[ 955.968782] IPv6: ADDRCONF(NETDEV_UP): hsr_slave_1: link is not ready
[ 955.982126] bridge0: port 2(bridge_slave_1) entered blocking state
[ 955.988877] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 955.995867] bridge0: port 1(bridge_slave_0) entered blocking state
[ 956.002317] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 956.029107] IPv6: ADDRCONF(NETDEV_UP): bond0: link is not ready
[ 956.035251] 8021q: adding VLAN 0 to HW filter on device bond0
[ 956.043401] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
[ 956.052569] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 956.071628] bridge0: port 1(bridge_slave_0) entered disabled state
[ 956.078682] bridge0: port 2(bridge_slave_1) entered disabled state
[ 956.088062] IPv6: ADDRCONF(NETDEV_UP): team0: link is not ready
[ 956.094744] 8021q: adding VLAN 0 to HW filter on device team0
[ 956.102830] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[ 956.110808] bridge0: port 1(bridge_slave_0) entered blocking state
[ 956.117163] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 956.135274] hsr0: Slave A (hsr_slave_0) is not up; please bring it up to get a fully working HSR network
[ 956.145195] hsr0: Slave B (hsr_slave_1) is not up; please bring it up to get a fully working HSR network
[ 956.155723] IPv6: ADDRCONF(NETDEV_UP): hsr0: link is not ready
[ 956.162653] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[ 956.170793] bridge0: port 2(bridge_slave_1) entered blocking state
[ 956.177121] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 956.184645] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready
[ 956.192196] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready
[ 956.199578] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
[ 956.207155] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
[ 956.214673] IPv6: ADDRCONF(NETDEV_CHANGE): hsr0: link becomes ready
[ 956.221435] IPv6: ADDRCONF(NETDEV_CHANGE): team0: link becomes ready
[ 956.232723] IPv6: ADDRCONF(NETDEV_UP): vxcan1: link is not ready
[ 956.242779] 8021q: adding VLAN 0 to HW filter on device batadv0
[ 956.671314] IPv6: ADDRCONF(NETDEV_CHANGE): bond0: link becomes ready
[ 957.194076] audit: type=1400 audit(1572246139.146:38): avc: denied { map } for pid=6982 comm="syz-executor.0" path=2F6D656D66643A73656375726974792E73656C696E7578202864656C6574656429 dev="tmpfs" ino=26873 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:tmpfs_t:s0 tclass=file permissive=1
[ 957.300043] hrtimer: interrupt took 42858 ns
[ 959.530801] ==================================================================
[ 959.538395] BUG: KASAN: use-after-free in l2tp_session_queue_purge+0xf2/0x100
[ 959.545653] Read of size 4 at addr ffff8880902b0000 by task syz-executor.0/7094
[ 959.553076]
[ 959.554684] CPU: 0 PID: 7094 Comm: syz-executor.0 Not tainted 4.14.150 #0
[ 959.561585] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 959.570917] Call Trace:
[ 959.573527]  dump_stack+0x138/0x197
[ 959.577135]  ? l2tp_session_queue_purge+0xf2/0x100
[ 959.582044]  print_address_description.cold+0x7c/0x1dc
[ 959.587300]  ? l2tp_session_queue_purge+0xf2/0x100
[ 959.592208]  kasan_report.cold+0xa9/0x2af
[ 959.596335]  __asan_report_load4_noabort+0x14/0x20
[ 959.601270]  l2tp_session_queue_purge+0xf2/0x100
[ 959.606014]  l2tp_tunnel_closeall+0x20c/0x380
[ 959.610493]  ? l2tp_tunnel_del_work+0x410/0x410
[ 959.615149]  l2tp_udp_encap_destroy+0x99/0x100
[ 959.619802]  ? udp_v6_flush_pending_frames+0xe0/0xe0
[ 959.624896]  udpv6_destroy_sock+0xb3/0xd0
[ 959.629106]  sk_common_release+0x6b/0x310
[ 959.633239]  udp_lib_close+0x16/0x20
[ 959.636965]  inet_release+0xec/0x1c0
[ 959.640675]  inet6_release+0x53/0x80
[ 959.644406]  __sock_release+0xce/0x2b0
[ 959.648278]  ? __sock_release+0x2b0/0x2b0
[ 959.652406]  sock_close+0x1b/0x30
[ 959.655844]  __fput+0x275/0x7a0
[ 959.659121]  ____fput+0x16/0x20
[ 959.662389]  task_work_run+0x114/0x190
[ 959.666274]  exit_to_usermode_loop+0x1da/0x220
[ 959.670839]  do_syscall_64+0x4bc/0x640
[ 959.674703]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 959.679587]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 959.684757] RIP: 0033:0x413ad1
[ 959.687925] RSP: 002b:00007ffea8c928e0 EFLAGS: 00000293 ORIG_RAX: 0000000000000003
[ 959.695610] RAX: 0000000000000000 RBX: 0000000000000007 RCX: 0000000000413ad1
[ 959.702859] RDX: 0000000000000000 RSI: 0000000000000081 RDI: 0000000000000006
[ 959.710196] RBP: 0000000000000000 R08: 0000000000760f58 R09: ffffffffffffffff
[ 959.717444] R10: 00007ffea8c929b0 R11: 0000000000000293 R12: 000000000075bf20
[ 959.724690] R13: 0000000000000003 R14: 0000000000760f60 R15: 000000000075bf2c
[ 959.731957]
[ 959.733577] Allocated by task 7095:
[ 959.737186]  save_stack_trace+0x16/0x20
[ 959.741139]  save_stack+0x45/0xd0
[ 959.744569]  kasan_kmalloc+0xce/0xf0
[ 959.748264]  __kmalloc+0x15d/0x7a0
[ 959.751783]  l2tp_session_create+0x38/0x1600
[ 959.756203]  pppol2tp_connect+0x11bf/0x18b0
[ 959.760545]  SYSC_connect+0x1f6/0x2d0
[ 959.764333]  SyS_connect+0x24/0x30
[ 959.767851]  do_syscall_64+0x1e8/0x640
[ 959.771717]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 959.776884]
[ 959.778497] Freed by task 7095:
[ 959.781753]  save_stack_trace+0x16/0x20
[ 959.785705]  save_stack+0x45/0xd0
[ 959.789144]  kasan_slab_free+0x75/0xc0
[ 959.793006]  kfree+0xcc/0x270
[ 959.796087]  l2tp_session_free+0x176/0x210
[ 959.800343]  pppol2tp_session_destruct+0xd8/0x110
[ 959.805166]  __sk_destruct+0x4f/0x580
[ 959.808941]  sk_destruct+0xa4/0xd0
[ 959.812456]  __sk_free+0x54/0x230
[ 959.815885]  sk_free+0x35/0x40
[ 959.819054]  pppol2tp_release+0x244/0x300
[ 959.823181]  __sock_release+0xce/0x2b0
[ 959.827059]  sock_close+0x1b/0x30
[ 959.830496]  __fput+0x275/0x7a0
[ 959.833750]  ____fput+0x16/0x20
[ 959.837019]  task_work_run+0x114/0x190
[ 959.840884]  exit_to_usermode_loop+0x1da/0x220
[ 959.845450]  do_syscall_64+0x4bc/0x640
[ 959.849314]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 959.854477]
[ 959.856092] The buggy address belongs to the object at ffff8880902b0000
[ 959.856092]  which belongs to the cache kmalloc-512 of size 512
[ 959.868723] The buggy address is located 0 bytes inside of
[ 959.868723]  512-byte region [ffff8880902b0000, ffff8880902b0200)
[ 959.880398] The buggy address belongs to the page:
[ 959.885304] page:ffffea000240ac00 count:1 mapcount:0 mapping:ffff8880902b0000 index:0x0
[ 959.893424] flags: 0x1fffc0000000100(slab)
[ 959.897648] raw: 01fffc0000000100 ffff8880902b0000 0000000000000000 0000000100000006
[ 959.905510] raw: ffffea00023fbf20 ffffea0002362aa0 ffff8880aa800940 0000000000000000
[ 959.913365] page dumped because: kasan: bad access detected
[ 959.919048]
[ 959.920650] Memory state around the buggy address:
[ 959.925554]  ffff8880902aff00: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 959.932888]  ffff8880902aff80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 959.940226] >ffff8880902b0000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 959.947560]                    ^
[ 959.950906]  ffff8880902b0080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 959.958251]  ffff8880902b0100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 959.965582] ==================================================================
[ 959.972915] Disabling lock debugging due to kernel taint
[ 959.978968] Kernel panic - not syncing: panic_on_warn set ...
[ 959.978968]
[ 959.986325] CPU: 0 PID: 7094 Comm: syz-executor.0 Tainted: G B 4.14.150 #0
[ 959.994439] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 960.003768] Call Trace:
[ 960.006338]  dump_stack+0x138/0x197
[ 960.009944]  ? l2tp_session_queue_purge+0xf2/0x100
[ 960.014848]  panic+0x1f9/0x42d
[ 960.018027]  ? add_taint.cold+0x16/0x16
[ 960.021979]  ? ___preempt_schedule+0x16/0x18
[ 960.026365]  kasan_end_report+0x47/0x4f
[ 960.030328]  kasan_report.cold+0x130/0x2af
[ 960.034542]  __asan_report_load4_noabort+0x14/0x20
[ 960.039448]  l2tp_session_queue_purge+0xf2/0x100
[ 960.044180]  l2tp_tunnel_closeall+0x20c/0x380
[ 960.048663]  ? l2tp_tunnel_del_work+0x410/0x410
[ 960.053306]  l2tp_udp_encap_destroy+0x99/0x100
[ 960.057877]  ? udp_v6_flush_pending_frames+0xe0/0xe0
[ 960.062969]  udpv6_destroy_sock+0xb3/0xd0
[ 960.067103]  sk_common_release+0x6b/0x310
[ 960.071271]  udp_lib_close+0x16/0x20
[ 960.074971]  inet_release+0xec/0x1c0
[ 960.078710]  inet6_release+0x53/0x80
[ 960.082407]  __sock_release+0xce/0x2b0
[ 960.087926]  ? __sock_release+0x2b0/0x2b0
[ 960.092061]  sock_close+0x1b/0x30
[ 960.095492]  __fput+0x275/0x7a0
[ 960.098749]  ____fput+0x16/0x20
[ 960.102008]  task_work_run+0x114/0x190
[ 960.105876]  exit_to_usermode_loop+0x1da/0x220
[ 960.110432]  do_syscall_64+0x4bc/0x640
[ 960.114296]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 960.119119]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 960.124283] RIP: 0033:0x413ad1
[ 960.127451] RSP: 002b:00007ffea8c928e0 EFLAGS: 00000293 ORIG_RAX: 0000000000000003
[ 960.135146] RAX: 0000000000000000 RBX: 0000000000000007 RCX: 0000000000413ad1
[ 960.142390] RDX: 0000000000000000 RSI: 0000000000000081 RDI: 0000000000000006
[ 960.149637] RBP: 0000000000000000 R08: 0000000000760f58 R09: ffffffffffffffff
[ 960.157138] R10: 00007ffea8c929b0 R11: 0000000000000293 R12: 000000000075bf20
[ 960.164390] R13: 0000000000000003 R14: 0000000000760f60 R15: 000000000075bf2c
[ 960.173022] Kernel Offset: disabled
[ 960.176655] Rebooting in 86400 seconds..