[ 35.571734] audit: type=1800 audit(1583936897.807:33): pid=7279 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:kernel_t:s0 op="collect_data" cause="failed(directio)" comm="startpar" name="rc.local" dev="sda1" ino=2465 res=0
[ 35.601521] audit: type=1800 audit(1583936897.807:34): pid=7279 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:kernel_t:s0 op="collect_data" cause="failed(directio)" comm="startpar" name="rmnologin" dev="sda1" ino=2456 res=0
Debian GNU/Linux 7 syzkaller ttyS0
syzkaller login: [ 38.483169] random: sshd: uninitialized urandom read (32 bytes read)
[ 38.808001] audit: type=1400 audit(1583936901.037:35): avc: denied { map } for pid=7451 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
[ 38.862267] random: sshd: uninitialized urandom read (32 bytes read)
[ 39.601304] random: sshd: uninitialized urandom read (32 bytes read)
[ 39.798451] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.0.246' (ECDSA) to the list of known hosts.
[ 45.349249] random: sshd: uninitialized urandom read (32 bytes read)
[ 45.562911] audit: type=1400 audit(1583936907.797:36): avc: denied { map } for pid=7463 comm="syz-execprog" path="/root/syz-execprog" dev="sda1" ino=16481 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
2020/03/11 14:28:27 parsed 1 programs
[ 46.276345] random: cc1: uninitialized urandom read (8 bytes read)
2020/03/11 14:28:29 executed programs: 0
[ 47.120106] audit: type=1400 audit(1583936909.347:37): avc: denied { map } for pid=7463 comm="syz-execprog" path="/sys/kernel/debug/kcov" dev="debugfs" ino=95 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:debugfs_t:s0 tclass=file permissive=1
[ 47.431176] IPVS: ftp: loaded support on port[0] = 21
[ 48.331170] chnl_net:caif_netlink_parms(): no params data found
[ 48.382467] bridge0: port 1(bridge_slave_0) entered blocking state
[ 48.389180] bridge0: port 1(bridge_slave_0) entered disabled state
[ 48.396517] device bridge_slave_0 entered promiscuous mode
[ 48.403839] bridge0: port 2(bridge_slave_1) entered blocking state
[ 48.410417] bridge0: port 2(bridge_slave_1) entered disabled state
[ 48.417334] device bridge_slave_1 entered promiscuous mode
[ 48.433210] bond0: Enslaving bond_slave_0 as an active interface with an up link
[ 48.442210] bond0: Enslaving bond_slave_1 as an active interface with an up link
[ 48.459711] IPv6: ADDRCONF(NETDEV_UP): team_slave_0: link is not ready
[ 48.468657] team0: Port device team_slave_0 added
[ 48.474501] IPv6: ADDRCONF(NETDEV_UP): team_slave_1: link is not ready
[ 48.482041] team0: Port device team_slave_1 added
[ 48.497422] batman_adv: batadv0: Adding interface: batadv_slave_0
[ 48.503813] batman_adv: batadv0: The MTU of interface batadv_slave_0 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem.
[ 48.529095] batman_adv: batadv0: Not using interface batadv_slave_0 (retrying later): interface not active
[ 48.539945] batman_adv: batadv0: Adding interface: batadv_slave_1
[ 48.546444] batman_adv: batadv0: The MTU of interface batadv_slave_1 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem.
[ 48.572030] batman_adv: batadv0: Not using interface batadv_slave_1 (retrying later): interface not active
[ 48.582496] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_0: link is not ready
[ 48.590161] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_1: link is not ready
[ 48.672187] device hsr_slave_0 entered promiscuous mode
[ 48.740455] device hsr_slave_1 entered promiscuous mode
[ 48.800830] IPv6: ADDRCONF(NETDEV_UP): hsr_slave_0: link is not ready
[ 48.809747] IPv6: ADDRCONF(NETDEV_UP): hsr_slave_1: link is not ready
[ 48.861915] audit: type=1400 audit(1583936911.097:38): avc: denied { create } for pid=7480 comm="syz-executor.0" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_generic_socket permissive=1
[ 48.886800] audit: type=1400 audit(1583936911.097:39): avc: denied { write } for pid=7480 comm="syz-executor.0" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_generic_socket permissive=1
[ 48.891785] bridge0: port 2(bridge_slave_1) entered blocking state
[ 48.911509] audit: type=1400 audit(1583936911.097:40): avc: denied { read } for pid=7480 comm="syz-executor.0" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_generic_socket permissive=1
[ 48.917452] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 48.948821] bridge0: port 1(bridge_slave_0) entered blocking state
[ 48.956012] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 48.991652] IPv6: ADDRCONF(NETDEV_UP): bond0: link is not ready
[ 48.998011] 8021q: adding VLAN 0 to HW filter on device bond0
[ 49.007110] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
[ 49.017074] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 49.035608] bridge0: port 1(bridge_slave_0) entered disabled state
[ 49.042913] bridge0: port 2(bridge_slave_1) entered disabled state
[ 49.053582] IPv6: ADDRCONF(NETDEV_UP): team0: link is not ready
[ 49.059873] 8021q: adding VLAN 0 to HW filter on device team0
[ 49.069171] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[ 49.077326] bridge0: port 1(bridge_slave_0) entered blocking state
[ 49.083732] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 49.093940] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[ 49.102428] bridge0: port 2(bridge_slave_1) entered blocking state
[ 49.109238] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 49.131104] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready
[ 49.138859] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready
[ 49.146946] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
[ 49.155782] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
[ 49.165259] IPv6: ADDRCONF(NETDEV_UP): hsr0: link is not ready
[ 49.172058] IPv6: ADDRCONF(NETDEV_CHANGE): hsr0: link becomes ready
[ 49.179700] IPv6: ADDRCONF(NETDEV_CHANGE): team0: link becomes ready
[ 49.193163] IPv6: ADDRCONF(NETDEV_UP): vxcan0: link is not ready
[ 49.202697] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan0: link becomes ready
[ 49.209430] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan1: link becomes ready
[ 49.222600] 8021q: adding VLAN 0 to HW filter on device batadv0
[ 49.292354] IPv6: ADDRCONF(NETDEV_UP): veth0_virt_wifi: link is not ready
[ 49.303291] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_virt_wifi: link becomes ready
[ 49.313132] IPv6: ADDRCONF(NETDEV_CHANGE): bond0: link becomes ready
[ 49.343783] IPv6: ADDRCONF(NETDEV_UP): veth0_vlan: link is not ready
[ 49.352320] IPv6: ADDRCONF(NETDEV_UP): vlan0: link is not ready
[ 49.358884] IPv6: ADDRCONF(NETDEV_UP): vlan1: link is not ready
[ 49.367813] IPv6: ADDRCONF(NETDEV_UP): veth1_vlan: link is not ready
[ 49.375493] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_vlan: link becomes ready
[ 49.383696] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_vlan: link becomes ready
[ 49.391874] IPv6: ADDRCONF(NETDEV_CHANGE): vlan0: link becomes ready
[ 49.398778] IPv6: ADDRCONF(NETDEV_CHANGE): vlan1: link becomes ready
[ 49.408387] device veth0_vlan entered promiscuous mode
[ 49.417169] device veth1_vlan entered promiscuous mode
[ 49.423635] IPv6: ADDRCONF(NETDEV_UP): macvlan0: link is not ready
[ 49.432793] IPv6: ADDRCONF(NETDEV_UP): macvlan1: link is not ready
[ 49.445532] IPv6: ADDRCONF(NETDEV_UP): veth0_macvtap: link is not ready
[ 49.455596] IPv6: ADDRCONF(NETDEV_UP): veth1_macvtap: link is not ready
[ 49.463528] IPv6: ADDRCONF(NETDEV_CHANGE): macvlan0: link becomes ready
[ 49.471356] IPv6: ADDRCONF(NETDEV_CHANGE): macvlan1: link becomes ready
[ 49.478499] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_macvtap: link becomes ready
[ 49.486715] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_macvtap: link becomes ready
[ 49.496706] device veth0_macvtap entered promiscuous mode
[ 49.503461] IPv6: ADDRCONF(NETDEV_UP): macvtap0: link is not ready
[ 49.513603] device veth1_macvtap entered promiscuous mode
[ 49.519960] IPv6: ADDRCONF(NETDEV_UP): macsec0: link is not ready
[ 49.528859] IPv6: ADDRCONF(NETDEV_UP): veth0_to_batadv: link is not ready
[ 49.538486] IPv6: ADDRCONF(NETDEV_UP): veth1_to_batadv: link is not ready
[ 49.548111] IPv6: ADDRCONF(NETDEV_UP): batadv_slave_0: link is not ready
[ 49.555937] batman_adv: batadv0: Interface activated: batadv_slave_0
[ 49.564870] IPv6: ADDRCONF(NETDEV_CHANGE): macvtap0: link becomes ready
[ 49.573182] IPv6: ADDRCONF(NETDEV_CHANGE): macsec0: link becomes ready
[ 49.580882] IPv6: ADDRCONF(NETDEV_CHANGE): batadv_slave_0: link becomes ready
[ 49.588636] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_batadv: link becomes ready
[ 49.599266] IPv6: ADDRCONF(NETDEV_UP): batadv_slave_1: link is not ready
[ 49.606839] batman_adv: batadv0: Interface activated: batadv_slave_1
[ 49.614619] IPv6: ADDRCONF(NETDEV_CHANGE): batadv_slave_1: link becomes ready
[ 49.622669] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_batadv: link becomes ready
2020/03/11 14:28:34 executed programs: 13
2020/03/11 14:28:39 executed programs: 67
[ 58.360402] ==================================================================
[ 58.368257] BUG: KASAN: use-after-free in l2tp_session_queue_purge+0xea/0xf0
[ 58.375444] Read of size 4 at addr ffff8880a8618580 by task syz-executor.0/7835
[ 58.384098]
[ 58.385710] CPU: 1 PID: 7835 Comm: syz-executor.0 Not tainted 4.14.172-syzkaller #0
[ 58.393483] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 58.402926] Call Trace:
[ 58.405508] dump_stack+0x13e/0x194
[ 58.410112] ? l2tp_session_queue_purge+0xea/0xf0
[ 58.414953] print_address_description.cold+0x7c/0x1e2
[ 58.420215] ? l2tp_session_queue_purge+0xea/0xf0
[ 58.425398] kasan_report.cold+0xa9/0x2ae
[ 58.429541] l2tp_session_queue_purge+0xea/0xf0
[ 58.434482] l2tp_tunnel_closeall+0x1fe/0x370
[ 58.439360] ? l2tp_tunnel_find+0x490/0x490
[ 58.443947] ? udp_v6_flush_pending_frames+0xd0/0xd0
[ 58.449039] l2tp_udp_encap_destroy+0x8d/0xf0
[ 58.453523] udpv6_destroy_sock+0xa6/0xd0
[ 58.457716] sk_common_release+0x64/0x2f0
[ 58.461861] inet_release+0xdf/0x1b0
[ 58.465578] inet6_release+0x4c/0x70
[ 58.469279] __sock_release+0xcd/0x2b0
[ 58.473153] ? __sock_release+0x2b0/0x2b0
[ 58.477314] sock_close+0x15/0x20
[ 58.480777] __fput+0x25f/0x790
[ 58.484133] task_work_run+0x113/0x190
[ 58.488185] exit_to_usermode_loop+0x1d6/0x220
[ 58.492752] do_syscall_64+0x4a3/0x640
[ 58.496743] entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 58.501927] RIP: 0033:0x416261
[ 58.505096] RSP: 002b:00007ffceea79ce0 EFLAGS: 00000293 ORIG_RAX: 0000000000000003
[ 58.512786] RAX: 0000000000000000 RBX: 0000000000000006 RCX: 0000000000416261
[ 58.520044] RDX: 0000000000000000 RSI: 0000000000000081 RDI: 0000000000000005
[ 58.527301] RBP: 0000000000000000 R08: 00000000007703e0 R09: 01ffffffffffffff
[ 58.534566] R10: 00007ffceea79db0 R11: 0000000000000293 R12: 000000000076bf20
[ 58.541916] R13: 00000000007703e8 R14: 0000000000000000 R15: 000000000076bf2c
[ 58.549188]
[ 58.550819] Allocated by task 7836:
[ 58.554450] save_stack+0x32/0xa0
[ 58.558727] kasan_kmalloc+0xbf/0xe0
[ 58.562447] __kmalloc+0x15b/0x7c0
[ 58.565983] l2tp_session_create+0x35/0x16f0
[ 58.570549] pppol2tp_connect+0x1154/0x17b0
[ 58.574881] SYSC_connect+0x1c6/0x250
[ 58.578775] do_syscall_64+0x1d5/0x640
[ 58.582833] entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 58.588007]
[ 58.589618] Freed by task 7836:
[ 58.592894] save_stack+0x32/0xa0
[ 58.596437] kasan_slab_free+0x75/0xc0
[ 58.600408] kfree+0xcb/0x260
[ 58.603500] pppol2tp_session_destruct+0xcd/0x110
[ 58.608360] __sk_destruct+0x49/0x640
[ 58.612140] sk_destruct+0x97/0xc0
[ 58.615669] __sk_free+0x4c/0x220
[ 58.619109] sk_free+0x2b/0x40
[ 58.622294] pppol2tp_release+0x247/0x2f0
[ 58.626450] __sock_release+0xcd/0x2b0
[ 58.630321] sock_close+0x15/0x20
[ 58.633756] __fput+0x25f/0x790
[ 58.637039] task_work_run+0x113/0x190
[ 58.640919] exit_to_usermode_loop+0x1d6/0x220
[ 58.645511] do_syscall_64+0x4a3/0x640
[ 58.649391] entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 58.655087]
[ 58.656714] The buggy address belongs to the object at ffff8880a8618580
[ 58.656714] which belongs to the cache kmalloc-512 of size 512
[ 58.669437] The buggy address is located 0 bytes inside of
[ 58.669437] 512-byte region [ffff8880a8618580, ffff8880a8618780)
[ 58.681131] The buggy address belongs to the page:
[ 58.686041] page:ffffea0002a18600 count:1 mapcount:0 mapping:ffff8880a8618080 index:0x0
[ 58.694339] flags: 0xfffe0000000100(slab)
[ 58.698486] raw: 00fffe0000000100 ffff8880a8618080 0000000000000000 0000000100000006
[ 58.706367] raw: ffffea0002a3ed20 ffffea0002a2eae0 ffff88812fe56940 0000000000000000
[ 58.711802] NOHZ: local_softirq_pending 08
[ 58.714406] page dumped because: kasan: bad access detected
[ 58.724357]
[ 58.725967] Memory state around the buggy address:
[ 58.730998] ffff8880a8618480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 58.738473] ffff8880a8618500: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 58.745819] >ffff8880a8618580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 58.753160] ^
[ 58.756677] ffff8880a8618600: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 58.764034] ffff8880a8618680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 58.771744] ==================================================================
[ 58.779109] Disabling lock debugging due to kernel taint
[ 58.785610] Kernel panic - not syncing: panic_on_warn set ...
[ 58.785610]
[ 58.793027] CPU: 1 PID: 7835 Comm: syz-executor.0 Tainted: G B 4.14.172-syzkaller #0
[ 58.802255] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 58.811830] Call Trace:
[ 58.814413] dump_stack+0x13e/0x194
[ 58.818030] panic+0x1f9/0x42d
[ 58.821204] ? add_taint.cold+0x16/0x16
[ 58.825206] ? preempt_schedule_common+0x4a/0xc0
[ 58.829989] ? l2tp_session_queue_purge+0xea/0xf0
[ 58.834815] ? ___preempt_schedule+0x16/0x18
[ 58.839205] ? l2tp_session_queue_purge+0xea/0xf0
[ 58.844174] kasan_end_report+0x43/0x49
[ 58.848140] kasan_report.cold+0x12f/0x2ae
[ 58.852370] l2tp_session_queue_purge+0xea/0xf0
[ 58.857241] l2tp_tunnel_closeall+0x1fe/0x370
[ 58.861743] ? l2tp_tunnel_find+0x490/0x490
[ 58.866057] ? udp_v6_flush_pending_frames+0xd0/0xd0
[ 58.871169] l2tp_udp_encap_destroy+0x8d/0xf0
[ 58.875718] udpv6_destroy_sock+0xa6/0xd0
[ 58.879857] sk_common_release+0x64/0x2f0
[ 58.884056] inet_release+0xdf/0x1b0
[ 58.887779] inet6_release+0x4c/0x70
[ 58.891492] __sock_release+0xcd/0x2b0
[ 58.895364] ? __sock_release+0x2b0/0x2b0
[ 58.899489] sock_close+0x15/0x20
[ 58.902927] __fput+0x25f/0x790
[ 58.906206] task_work_run+0x113/0x190
[ 58.910080] exit_to_usermode_loop+0x1d6/0x220
[ 58.914646] do_syscall_64+0x4a3/0x640
[ 58.918531] entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 58.923728] RIP: 0033:0x416261
[ 58.926909] RSP: 002b:00007ffceea79ce0 EFLAGS: 00000293 ORIG_RAX: 0000000000000003
[ 58.934603] RAX: 0000000000000000 RBX: 0000000000000006 RCX: 0000000000416261
[ 58.942133] RDX: 0000000000000000 RSI: 0000000000000081 RDI: 0000000000000005
[ 58.949394] RBP: 0000000000000000 R08: 00000000007703e0 R09: 01ffffffffffffff
[ 58.956652] R10: 00007ffceea79db0 R11: 0000000000000293 R12: 000000000076bf20
[ 58.964019] R13: 00000000007703e8 R14: 0000000000000000 R15: 000000000076bf2c
[ 58.972829] Kernel Offset: disabled
[ 58.976470] Rebooting in 86400 seconds..