[ 35.095566] audit: type=1800 audit(1556006527.766:33): pid=6967 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:kernel_t:s0 op="collect_data" cause="failed(directio)" comm="startpar" name="rc.local" dev="sda1" ino=2465 res=0
[ 35.126372] audit: type=1800 audit(1556006527.766:34): pid=6967 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:kernel_t:s0 op="collect_data" cause="failed(directio)" comm="startpar" name="rmnologin" dev="sda1" ino=2456 res=0

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [ 36.542033] random: sshd: uninitialized urandom read (32 bytes read)
[ 36.924235] audit: type=1400 audit(1556006529.596:35): avc: denied { map } for pid=7142 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
[ 36.976768] random: sshd: uninitialized urandom read (32 bytes read)
[ 37.624535] random: sshd: uninitialized urandom read (32 bytes read)
[ 37.817495] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.0.222' (ECDSA) to the list of known hosts.
[ 43.427120] random: sshd: uninitialized urandom read (32 bytes read)
[ 43.547223] audit: type=1400 audit(1556006536.216:36): avc: denied { map } for pid=7154 comm="syz-executor487" path="/root/syz-executor487158042" dev="sda1" ino=16483 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
[ 44.310271] IPVS: ftp: loaded support on port[0] = 21
[ 44.635870] chnl_net:caif_netlink_parms(): no params data found
[ 44.666239] bridge0: port 1(bridge_slave_0) entered blocking state
[ 44.672980] bridge0: port 1(bridge_slave_0) entered disabled state
[ 44.679999] device bridge_slave_0 entered promiscuous mode
[ 44.686944] bridge0: port 2(bridge_slave_1) entered blocking state
[ 44.693446] bridge0: port 2(bridge_slave_1) entered disabled state
[ 44.700593] device bridge_slave_1 entered promiscuous mode
[ 44.715053] bond0: Enslaving bond_slave_0 as an active interface with an up link
[ 44.724291] bond0: Enslaving bond_slave_1 as an active interface with an up link
[ 44.739787] IPv6: ADDRCONF(NETDEV_UP): team_slave_0: link is not ready
[ 44.747327] team0: Port device team_slave_0 added
[ 44.752785] IPv6: ADDRCONF(NETDEV_UP): team_slave_1: link is not ready
[ 44.759840] team0: Port device team_slave_1 added
[ 44.765238] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_0: link is not ready
[ 44.772518] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_1: link is not ready
[ 44.822606] device hsr_slave_0 entered promiscuous mode
[ 44.890341] device hsr_slave_1 entered promiscuous mode
[ 44.961344] IPv6: ADDRCONF(NETDEV_UP): hsr_slave_0: link is not ready
[ 44.968353] IPv6: ADDRCONF(NETDEV_UP): hsr_slave_1: link is not ready
[ 44.981965] bridge0: port 2(bridge_slave_1) entered blocking state
[ 44.989734] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 44.996749] bridge0: port 1(bridge_slave_0) entered blocking state
[ 45.003172] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 45.033304] IPv6: ADDRCONF(NETDEV_UP): bond0: link is not ready
[ 45.039395] 8021q: adding VLAN 0 to HW filter on device bond0
[ 45.048512] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
[ 45.057070] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 45.076792] bridge0: port 1(bridge_slave_0) entered disabled state
[ 45.085058] bridge0: port 2(bridge_slave_1) entered disabled state
[ 45.097119] IPv6: ADDRCONF(NETDEV_UP): team0: link is not ready
[ 45.103353] 8021q: adding VLAN 0 to HW filter on device team0
[ 45.112227] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[ 45.119880] bridge0: port 1(bridge_slave_0) entered blocking state
[ 45.126312] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 45.136233] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[ 45.143957] bridge0: port 2(bridge_slave_1) entered blocking state
[ 45.150422] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 45.164597] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready
[ 45.172468] IPv6: ADDRCONF(NETDEV_CHANGE): team0: link becomes ready
[ 45.186515] hsr0: Slave A (hsr_slave_0) is not up; please bring it up to get a fully working HSR network
[ 45.196941] hsr0: Slave B (hsr_slave_1) is not up; please bring it up to get a fully working HSR network
[ 45.208172] IPv6: ADDRCONF(NETDEV_UP): hsr0: link is not ready
[ 45.215029] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready
[ 45.222834] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
executing program
[ 45.232660] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
[ 45.248986] IPv6: ADDRCONF(NETDEV_CHANGE): hsr0: link becomes ready
[ 45.261243] IPv6: ADDRCONF(NETDEV_UP): vxcan1: link is not ready
[ 45.271205] 8021q: adding VLAN 0 to HW filter on device batadv0
[ 45.297624] ==================================================================
[ 45.305253] BUG: KASAN: use-after-free in erspan_build_header+0x392/0x3b0
[ 45.312173] Read of size 2 at addr ffff88809644b7cb by task syz-executor487/7155
[ 45.319691]
[ 45.321498] CPU: 0 PID: 7155 Comm: syz-executor487 Not tainted 4.14.113 #3
[ 45.328637] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 45.340250] Call Trace:
[ 45.342871]  dump_stack+0x138/0x19c
[ 45.346489]  ? erspan_build_header+0x392/0x3b0
[ 45.351199]  print_address_description.cold+0x7c/0x1dc
[ 45.356494]  ? erspan_build_header+0x392/0x3b0
[ 45.361338]  kasan_report.cold+0xaf/0x2b5
[ 45.365487]  __asan_report_load_n_noabort+0xf/0x20
[ 45.370701]  erspan_build_header+0x392/0x3b0
[ 45.375128]  ? iptunnel_handle_offloads+0x2f3/0x500
[ 45.380140]  erspan_xmit+0x3ec/0x11c0
[ 45.384036]  ? __gre_xmit+0x890/0x890
[ 45.387845]  ? lock_acquire+0x16f/0x430
[ 45.391838]  ? packet_direct_xmit+0x345/0x640
[ 45.396327]  packet_direct_xmit+0x438/0x640
[ 45.400749]  packet_sendmsg+0x31e1/0x5990
[ 45.404886]  ? __might_fault+0x110/0x1d0
[ 45.409139]  ? rw_copy_check_uvector+0x1f1/0x290
[ 45.413893]  ? packet_notifier+0x770/0x770
[ 45.418998]  ? copy_msghdr_from_user+0x292/0x3f0
[ 45.423791]  ? security_socket_sendmsg+0x8f/0xc0
[ 45.428561]  ? packet_notifier+0x770/0x770
[ 45.433005]  sock_sendmsg+0xd0/0x110
[ 45.436804]  ___sys_sendmsg+0x70c/0x850
[ 45.440767]  ? copy_msghdr_from_user+0x3f0/0x3f0
[ 45.445513]  ? lock_downgrade+0x6e0/0x6e0
[ 45.449651]  ? kasan_check_write+0x14/0x20
[ 45.453887]  ? _copy_from_user+0x99/0x110
[ 45.458600]  ? packet_setsockopt+0xe9/0x2830
[ 45.463026]  ? sock_has_perm+0x1ed/0x280
[ 45.467107]  ? selinux_tun_dev_create+0xc0/0xc0
[ 45.471787]  ? __fdget+0x1b/0x20
[ 45.475144]  ? sockfd_lookup_light+0xb4/0x160
[ 45.480146]  __sys_sendmsg+0xb9/0x140
[ 45.483933]  ? SyS_shutdown+0x180/0x180
[ 45.487893]  ? security_socket_setsockopt+0x8f/0xc0
[ 45.492929]  ? SyS_recv+0x40/0x40
[ 45.496370]  SyS_sendmsg+0x2d/0x50
[ 45.499891]  ? __sys_sendmsg+0x140/0x140
[ 45.503955]  do_syscall_64+0x1eb/0x630
[ 45.507847]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 45.513109]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 45.518292] RIP: 0033:0x441959
[ 45.521493] RSP: 002b:00007ffc3d939328 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
[ 45.529539] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000000441959
[ 45.536933] RDX: 0000000000000000 RSI: 0000000020000040 RDI: 0000000000000003
[ 45.545257] RBP: 00000000004a8fd0 R08: 0000000001bbbbbb R09: 0000000001bbbbbb
[ 45.555736] R10: 0000000000000004 R11: 0000000000000246 R12: 0000000000402ea0
[ 45.564568] R13: 0000000000402f30 R14: 0000000000000000 R15: 0000000000000000
[ 45.572348]
[ 45.573976] Allocated by task 6358:
[ 45.578155]  save_stack_trace+0x16/0x20
[ 45.582294]  save_stack+0x45/0xd0
[ 45.585741]  kasan_kmalloc+0xce/0xf0
[ 45.589588]  kasan_slab_alloc+0xf/0x20
[ 45.593746]  kmem_cache_alloc+0x12e/0x780
[ 45.597984]  getname_flags+0xcb/0x580
[ 45.601913]  user_path_at_empty+0x2f/0x50
[ 45.607161]  path_getxattr+0x82/0x100
[ 45.611302]  SyS_lgetxattr+0x31/0x40
[ 45.615006]  do_syscall_64+0x1eb/0x630
[ 45.618883]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 45.624058]
[ 45.625665] Freed by task 6358:
[ 45.628952]  save_stack_trace+0x16/0x20
[ 45.633111]  save_stack+0x45/0xd0
[ 45.636578]  kasan_slab_free+0x75/0xc0
[ 45.644483]  kmem_cache_free+0x83/0x2b0
[ 45.648697]  putname+0xdb/0x120
[ 45.651974]  filename_lookup+0x23a/0x380
[ 45.656536]  user_path_at_empty+0x43/0x50
[ 45.661065]  path_getxattr+0x82/0x100
[ 45.664873]  SyS_lgetxattr+0x31/0x40
[ 45.668810]  do_syscall_64+0x1eb/0x630
[ 45.673062]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 45.678264]
[ 45.679911] The buggy address belongs to the object at ffff88809644acc0
[ 45.679911]  which belongs to the cache names_cache of size 4096
[ 45.692644] The buggy address is located 2827 bytes inside of
[ 45.692644]  4096-byte region [ffff88809644acc0, ffff88809644bcc0)
[ 45.704688] The buggy address belongs to the page:
[ 45.710037] page:ffffea0002591280 count:1 mapcount:0 mapping:ffff88809644acc0 index:0x0 compound_mapcount: 0
[ 45.720343] flags: 0x1fffc0000008100(slab|head)
[ 45.725297] raw: 01fffc0000008100 ffff88809644acc0 0000000000000000 0000000100000001
[ 45.733194] raw: ffffea0002591220 ffffea00026b7620 ffff8880aa9e0cc0 0000000000000000
[ 45.742164] page dumped because: kasan: bad access detected
[ 45.748387]
[ 45.749996] Memory state around the buggy address:
[ 45.754917]  ffff88809644b680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 45.763395]  ffff88809644b700: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 45.770755] >ffff88809644b780: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 45.778406]                                      ^
[ 45.784117]  ffff88809644b800: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 45.791733]  ffff88809644b880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 45.799168] ==================================================================
[ 45.806517] Disabling lock debugging due to kernel taint
[ 45.812022] Kernel panic - not syncing: panic_on_warn set ...
[ 45.812022]
[ 45.819390] CPU: 0 PID: 7155 Comm: syz-executor487 Tainted: G B 4.14.113 #3
[ 45.827630] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 45.847205] Call Trace:
[ 45.850139]  dump_stack+0x138/0x19c
[ 45.853751]  ? erspan_build_header+0x392/0x3b0
[ 45.858346]  panic+0x1f2/0x438
[ 45.861555]  ? add_taint.cold+0x16/0x16
[ 45.865696]  kasan_end_report+0x47/0x4f
[ 45.869658]  kasan_report.cold+0x136/0x2b5
[ 45.873898]  __asan_report_load_n_noabort+0xf/0x20
[ 45.879063]  erspan_build_header+0x392/0x3b0
[ 45.883672]  ? iptunnel_handle_offloads+0x2f3/0x500
[ 45.889131]  erspan_xmit+0x3ec/0x11c0
[ 45.892933]  ? __gre_xmit+0x890/0x890
[ 45.896719]  ? lock_acquire+0x16f/0x430
[ 45.900695]  ? packet_direct_xmit+0x345/0x640
[ 45.905175]  packet_direct_xmit+0x438/0x640
[ 45.909482]  packet_sendmsg+0x31e1/0x5990
[ 45.913639]  ? __might_fault+0x110/0x1d0
[ 45.917685]  ? rw_copy_check_uvector+0x1f1/0x290
[ 45.922909]  ? packet_notifier+0x770/0x770
[ 45.927154]  ? copy_msghdr_from_user+0x292/0x3f0
[ 45.931916]  ? security_socket_sendmsg+0x8f/0xc0
[ 45.936664]  ? packet_notifier+0x770/0x770
[ 45.941265]  sock_sendmsg+0xd0/0x110
[ 45.945136]  ___sys_sendmsg+0x70c/0x850
[ 45.949104]  ? copy_msghdr_from_user+0x3f0/0x3f0
[ 45.953861]  ? lock_downgrade+0x6e0/0x6e0
[ 45.958020]  ? kasan_check_write+0x14/0x20
[ 45.962830]  ? _copy_from_user+0x99/0x110
[ 45.966978]  ? packet_setsockopt+0xe9/0x2830
[ 45.971537]  ? sock_has_perm+0x1ed/0x280
[ 45.975580]  ? selinux_tun_dev_create+0xc0/0xc0
[ 45.980248]  ? __fdget+0x1b/0x20
[ 45.983609]  ? sockfd_lookup_light+0xb4/0x160
[ 45.988104]  __sys_sendmsg+0xb9/0x140
[ 45.991907]  ? SyS_shutdown+0x180/0x180
[ 45.995886]  ? security_socket_setsockopt+0x8f/0xc0
[ 46.001238]  ? SyS_recv+0x40/0x40
[ 46.004673]  SyS_sendmsg+0x2d/0x50
[ 46.008213]  ? __sys_sendmsg+0x140/0x140
[ 46.012263]  do_syscall_64+0x1eb/0x630
[ 46.016163]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 46.021016]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 46.026194] RIP: 0033:0x441959
[ 46.029364] RSP: 002b:00007ffc3d939328 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
[ 46.037057] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000000441959
[ 46.044314] RDX: 0000000000000000 RSI: 0000000020000040 RDI: 0000000000000003
[ 46.051568] RBP: 00000000004a8fd0 R08: 0000000001bbbbbb R09: 0000000001bbbbbb
[ 46.058822] R10: 0000000000000004 R11: 0000000000000246 R12: 0000000000402ea0
[ 46.066076] R13: 0000000000402f30 R14: 0000000000000000 R15: 0000000000000000
[ 46.075521] Kernel Offset: disabled
[ 46.079144] Rebooting in 86400 seconds..
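A triage helper for a console log in this format, added here as an example; it is not part of the syzkaller report above and not syzkaller's own code. It parses the raw KASAN lines into the fields a triager records first (bug class, reporting function, access size and address, crashing pid, kernel release, the crashing call trace with the speculative "?" frames dropped, the allocation and free stacks, the slab cache and the offset within the object) and flags the fact visible in this report that the freed names_cache object was allocated and freed by task 6358 in a path lookup, never by the crashing task 7155 in the AF_PACKET send path. The sample input is copied from the report and trimmed; the cross-task note in triage_notes is a heuristic prompt for investigation, not a conclusion about the bug, and the regexes target the 4.14-era console format shown here (symbolized traces with file:line and [inline] markers would need a different FRAME pattern).

```python
# Triage parser for the raw KASAN report above. Added example, not syzkaller's code;
# the regexes target the 4.14-era console format shown on this page.
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed input: lines copied from the report on this page, trimmed to the essentials.
SAMPLE = """\
[ 45.305253] BUG: KASAN: use-after-free in erspan_build_header+0x392/0x3b0
[ 45.312173] Read of size 2 at addr ffff88809644b7cb by task syz-executor487/7155
[ 45.321498] CPU: 0 PID: 7155 Comm: syz-executor487 Not tainted 4.14.113 #3
[ 45.340250] Call Trace:
[ 45.346489]  ? erspan_build_header+0x392/0x3b0
[ 45.370701]  erspan_build_header+0x392/0x3b0
[ 45.496370]  SyS_sendmsg+0x2d/0x50
[ 45.518292] RIP: 0033:0x441959
[ 45.573976] Allocated by task 6358:
[ 45.597984]  getname_flags+0xcb/0x580
[ 45.611302]  SyS_lgetxattr+0x31/0x40
[ 45.625665] Freed by task 6358:
[ 45.648697]  putname+0xdb/0x120
[ 45.664873]  SyS_lgetxattr+0x31/0x40
[ 45.679911]  which belongs to the cache names_cache of size 4096
[ 45.692644] The buggy address is located 2827 bytes inside of
"""

TS = re.compile(r"^\[\s*\d+\.\d+\]\s?")  # "[ 45.305253] " console timestamp prefix
BUG = re.compile(r"BUG: KASAN: (?P<kind>[\w-]+) in (?P<func>[\w.]+)\+0x")
ACCESS = re.compile(r"(?P<op>Read|Write) of size (?P<size>\d+) at addr (?P<addr>[0-9a-f]+) by task \S+/(?P<pid>\d+)")
CPU = re.compile(r"CPU: \d+ PID: \d+ Comm: \S+ .*?(?P<version>\d+\.\d+\S*) #\d+")
FRAME = re.compile(r"^\s*(?P<unsure>\? )?(?P<sym>[\w.]+)\+0x[0-9a-f]+/0x[0-9a-f]+\s*$")
STACK_HDR = re.compile(r"^(?P<which>Allocated|Freed) by task (?P<task>\d+):")
CACHE = re.compile(r"belongs to the cache (?P<cache>\S+) of size (?P<size>\d+)")
OFFSET = re.compile(r"is located (?P<off>\d+) bytes (?P<where>inside of|to the (?:left|right) of)")

@dataclass
class KasanReport:
    kind: str = ""       # e.g. use-after-free, slab-out-of-bounds
    func: str = ""       # function the bad access was reported in
    op: str = ""         # Read or Write
    size: int = 0        # access size in bytes
    addr: int = 0        # faulting address
    pid: int = 0         # crashing task
    version: str = ""    # kernel release from the CPU: line
    trace: List[str] = field(default_factory=list)  # crashing call trace, "?" frames dropped
    alloc_task: Optional[int] = None
    alloc_stack: List[str] = field(default_factory=list)
    free_task: Optional[int] = None
    free_stack: List[str] = field(default_factory=list)
    cache: str = ""      # slab cache owning the object
    obj_size: int = 0
    offset: int = 0      # distance of addr from the object, qualified by `where`
    where: str = ""

def parse_kasan_report(text: str) -> KasanReport:
    r, target = KasanReport(), None  # target: the stack list currently being filled
    for raw in text.splitlines():
        line = TS.sub("", raw).rstrip()
        if target is not None:
            fm = FRAME.match(line)
            if fm:
                if not fm["unsure"]:  # "? sym" is a stale stack slot, not a real caller
                    target.append(fm["sym"])
                continue
            target = None  # blank line, "RIP:" or any other text closes the stack dump
        if (m := BUG.search(line)) and not r.kind:
            r.kind, r.func = m["kind"], m["func"]
        elif m := ACCESS.search(line):
            r.op, r.size, r.addr, r.pid = m["op"], int(m["size"]), int(m["addr"], 16), int(m["pid"])
        elif (m := CPU.search(line)) and not r.version:
            r.version = m["version"]
        elif line.startswith("Call Trace:") and not r.trace:
            target = r.trace  # only the first trace; the later panic trace repeats it
        elif m := STACK_HDR.match(line):
            if m["which"] == "Allocated":
                r.alloc_task, target = int(m["task"]), r.alloc_stack
            else:
                r.free_task, target = int(m["task"]), r.free_stack
        elif m := CACHE.search(line):
            r.cache, r.obj_size = m["cache"], int(m["size"])
        elif m := OFFSET.search(line):
            r.offset, r.where = int(m["off"]), m["where"]
    if not r.kind:
        raise ValueError("no 'BUG: KASAN:' line found")
    return r

SYSCALL_PREFIXES = ("SyS_", "sys_", "__x64_sys_", "__se_sys_", "__do_sys_", "ksys_")
def syscall_entry(stack: List[str]) -> Optional[str]:  # which syscall ran this code
    return next((s for s in stack if s.startswith(SYSCALL_PREFIXES)), None)

def triage_notes(r: KasanReport) -> List[str]:  # syzbot-style title line plus triage hints
    notes = [f"KASAN: {r.kind} {r.op} in {r.func} ({r.size}-byte access at {r.addr:#x}, "
             f"kernel {r.version}, via {syscall_entry(r.trace)} in pid {r.pid})",
             f"address is {r.offset} bytes {r.where} a {r.obj_size}-byte {r.cache} object"]
    if r.pid not in (r.alloc_task, r.free_task):  # crashing task never owned the object
        notes.append(f"object allocated and freed by task {r.alloc_task} via "
                     f"{syscall_entry(r.free_stack)}, never by the crashing task: heuristic only, "
                     "check whether the read ran past its own buffer into a freed neighbouring object")
    return notes
```

Calling `triage_notes(parse_kasan_report(SAMPLE))` yields the syzbot-style title line ("KASAN: use-after-free Read in erspan_build_header ..."), the object line (2827 bytes inside of a 4096-byte names_cache object) and the cross-task hint. The "?" frames are dropped deliberately: the unwinder prints them for stack slots that merely look like return addresses, so keeping them would put erspan_build_header in the trace twice and make the first frame unreliable.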