[ 32.428071] audit: type=1800 audit(1574718356.710:33): pid=6830 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:kernel_t:s0 op="collect_data" cause="failed(directio)" comm="startpar" name="rc.local" dev="sda1" ino=2465 res=0
[ 32.455523] audit: type=1800 audit(1574718356.720:34): pid=6830 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:kernel_t:s0 op="collect_data" cause="failed(directio)" comm="startpar" name="rmnologin" dev="sda1" ino=2456 res=0

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [ 37.743441] random: sshd: uninitialized urandom read (32 bytes read)
[ 38.147083] audit: type=1400 audit(1574718362.430:35): avc: denied { map } for pid=7003 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
[ 38.199702] random: sshd: uninitialized urandom read (32 bytes read)
[ 38.779585] random: sshd: uninitialized urandom read (32 bytes read)
[ 38.983207] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.0.198' (ECDSA) to the list of known hosts.
[ 44.488469] random: sshd: uninitialized urandom read (32 bytes read)
executing program
[ 44.601589] audit: type=1400 audit(1574718368.890:36): avc: denied { map } for pid=7016 comm="syz-executor221" path="/root/syz-executor221371106" dev="sda1" ino=16483 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
[ 44.612583] FAULT_INJECTION: forcing a failure.
[ 44.612583] name failslab, interval 1, probability 0, space 0, times 1
[ 44.640417] CPU: 1 PID: 7017 Comm: syz-executor221 Not tainted 4.14.156-syzkaller #0
[ 44.648572] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 44.657926] Call Trace:
[ 44.660533] dump_stack+0x142/0x197
[ 44.664160] should_fail.cold+0x10f/0x159
[ 44.668370] should_failslab+0xdb/0x130
[ 44.672422] kmem_cache_alloc_trace+0x2e9/0x790
[ 44.677081] ? lockdep_init_map+0x9/0x10
[ 44.681829] slip_open+0x85b/0xff1
[ 44.685638] ? tty_set_ldisc+0x22b/0x610
[ 44.689711] ? sl_change_mtu+0x560/0x560
[ 44.693763] ? sl_change_mtu+0x560/0x560
[ 44.698120] tty_ldisc_open.isra.0+0x73/0xb0
[ 44.702934] tty_set_ldisc+0x29a/0x610
[ 44.706885] tty_ioctl+0x95b/0x1320
[ 44.710511] ? get_pid_task+0xbf/0x140
[ 44.714424] ? tty_vhangup+0x30/0x30
[ 44.718146] ? __might_sleep+0x93/0xb0
[ 44.722287] ? tty_vhangup+0x30/0x30
[ 44.726003] do_vfs_ioctl+0x7ae/0x1060
[ 44.729896] ? selinux_file_mprotect+0x5d0/0x5d0
[ 44.734649] ? ioctl_preallocate+0x1c0/0x1c0
[ 44.739118] ? vfs_write+0x104/0x500
[ 44.742837] ? security_file_ioctl+0x7d/0xb0
[ 44.747246] ? security_file_ioctl+0x89/0xb0
[ 44.751646] SyS_ioctl+0x8f/0xc0
[ 44.754995] ? do_vfs_ioctl+0x1060/0x1060
[ 44.759127] do_syscall_64+0x1e8/0x640
[ 44.763009] ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 44.767842] entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 44.773152] RIP: 0033:0x441129
[ 44.776329] RSP: 002b:00007fff4b945318 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[ 44.784253] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 0000000000441129
[ 44.791671] RDX: 0000000020000080 RSI: 0000000000005423 RDI: 0000000000000003
executing program
[ 44.801010] RBP: 00007fff4b945330 R08: 0000000000000001 R09: 0000000000000000
[ 44.808434] R10: 0000000000000000 R11: 0000000000000246 R12: ffffffffffffffff
[ 44.816006] R13: 0000000000000004 R14: 0000000000000000 R15: 0000000000000000
[ 44.831024] ==================================================================
[ 44.838790] BUG: KASAN: use-after-free in slip_open+0xd14/0xff1
[ 44.845933] Read of size 8 at addr ffff88808b6bed48 by task syz-executor221/7018
[ 44.853728]
[ 44.855357] CPU: 0 PID: 7018 Comm: syz-executor221 Not tainted 4.14.156-syzkaller #0
[ 44.863218] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 44.872562] Call Trace:
[ 44.875140] dump_stack+0x142/0x197
[ 44.878748] ? slip_open+0xd14/0xff1
[ 44.882451] print_address_description.cold+0x7c/0x1dc
[ 44.887707] ? slip_open+0xd14/0xff1
[ 44.891406] kasan_report.cold+0xa9/0x2af
[ 44.895552] __asan_report_load8_noabort+0x14/0x20
[ 44.900458] slip_open+0xd14/0xff1
[ 44.903982] ? tty_set_ldisc+0x22b/0x610
[ 44.908036] ? sl_change_mtu+0x560/0x560
[ 44.912085] ? lock_downgrade+0x740/0x740
[ 44.916236] ? sl_change_mtu+0x560/0x560
[ 44.920366] tty_ldisc_open.isra.0+0x73/0xb0
[ 44.924754] tty_set_ldisc+0x29a/0x610
[ 44.928625] tty_ioctl+0x95b/0x1320
[ 44.932234] ? get_pid_task+0xbf/0x140
[ 44.936102] ? tty_vhangup+0x30/0x30
[ 44.939799] ? __might_sleep+0x93/0xb0
[ 44.943677] ? tty_vhangup+0x30/0x30
[ 44.947406] do_vfs_ioctl+0x7ae/0x1060
[ 44.951325] ? selinux_file_mprotect+0x5d0/0x5d0
[ 44.956106] ? ioctl_preallocate+0x1c0/0x1c0
[ 44.960509] ? vfs_write+0x104/0x500
[ 44.964211] ? security_file_ioctl+0x7d/0xb0
[ 44.968598] ? security_file_ioctl+0x89/0xb0
[ 44.973004] SyS_ioctl+0x8f/0xc0
[ 44.976353] ? do_vfs_ioctl+0x1060/0x1060
[ 44.980484] do_syscall_64+0x1e8/0x640
[ 44.984349] ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 44.989184] entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 44.994363] RIP: 0033:0x441129
[ 44.997530] RSP: 002b:00007fff4b945318 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[ 45.005218] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 0000000000441129
[ 45.012477] RDX: 0000000020000080 RSI: 0000000000005423 RDI: 0000000000000003
[ 45.019746] RBP: 00007fff4b945330 R08: 0000000000000001 R09: 0000000000000000
[ 45.027119] R10: 0000000000000000 R11: 0000000000000246 R12: ffffffffffffffff
[ 45.034377] R13: 0000000000000004 R14: 0000000000000000 R15: 0000000000000000
[ 45.041656]
[ 45.043274] Allocated by task 7017:
[ 45.046893] save_stack_trace+0x16/0x20
[ 45.050850] save_stack+0x45/0xd0
[ 45.054291] kasan_kmalloc+0xce/0xf0
[ 45.057980] __kmalloc_node+0x51/0x80
[ 45.061768] kvmalloc_node+0x4e/0xe0
[ 45.065472] alloc_netdev_mqs+0x7b/0xbc0
[ 45.069512] slip_open+0x2f1/0xff1
[ 45.073033] tty_ldisc_open.isra.0+0x73/0xb0
[ 45.077419] tty_set_ldisc+0x29a/0x610
[ 45.081294] tty_ioctl+0x95b/0x1320
[ 45.084905] do_vfs_ioctl+0x7ae/0x1060
[ 45.088772] SyS_ioctl+0x8f/0xc0
[ 45.092117] do_syscall_64+0x1e8/0x640
[ 45.096000] entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 45.101176]
[ 45.102783] Freed by task 7017:
[ 45.106049] save_stack_trace+0x16/0x20
[ 45.110022] save_stack+0x45/0xd0
[ 45.113816] kasan_slab_free+0x75/0xc0
[ 45.117681] kfree+0xcc/0x270
[ 45.120766] kvfree+0x4d/0x60
[ 45.123858] free_netdev+0x2d0/0x360
[ 45.127549] slip_open+0xbab/0xff1
[ 45.131070] tty_ldisc_open.isra.0+0x73/0xb0
[ 45.135458] tty_set_ldisc+0x29a/0x610
[ 45.139996] tty_ioctl+0x95b/0x1320
[ 45.143631] do_vfs_ioctl+0x7ae/0x1060
[ 45.147513] SyS_ioctl+0x8f/0xc0
[ 45.150867] do_syscall_64+0x1e8/0x640
[ 45.154751] entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 45.159928]
[ 45.161536] The buggy address belongs to the object at ffff88808b6be280
[ 45.161536] which belongs to the cache kmalloc-4096 of size 4096
[ 45.174347] The buggy address is located 2760 bytes inside of
[ 45.174347] 4096-byte region [ffff88808b6be280, ffff88808b6bf280)
[ 45.186377] The buggy address belongs to the page:
[ 45.191288] page:ffffea00022daf80 count:1 mapcount:0 mapping:ffff88808b6be280 index:0x0 compound_mapcount: 0
[ 45.201241] flags: 0x1fffc0000008100(slab|head)
[ 45.205900] raw: 01fffc0000008100 ffff88808b6be280 0000000000000000 0000000100000001
[ 45.213765] raw: ffffea0002960d20 ffff8880aa801a48 ffff8880aa800dc0 0000000000000000
[ 45.221621] page dumped because: kasan: bad access detected
[ 45.227308]
[ 45.228913] Memory state around the buggy address:
[ 45.233821] ffff88808b6bec00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 45.241161] ffff88808b6bec80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 45.248505] >ffff88808b6bed00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 45.255841] ^
[ 45.261531] ffff88808b6bed80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 45.268896] ffff88808b6bee00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 45.276233] ==================================================================
[ 45.283583] Disabling lock debugging due to kernel taint
[ 45.289825] Kernel panic - not syncing: panic_on_warn set ...
[ 45.289825]
[ 45.297286] CPU: 0 PID: 7018 Comm: syz-executor221 Tainted: G B 4.14.156-syzkaller #0
[ 45.306445] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 45.315786] Call Trace:
[ 45.318621] dump_stack+0x142/0x197
[ 45.322231] ? slip_open+0xd14/0xff1
[ 45.325925] panic+0x1f9/0x42d
[ 45.329095] ? add_taint.cold+0x16/0x16
[ 45.333058] ? ___preempt_schedule+0x16/0x18
[ 45.337618] kasan_end_report+0x47/0x4f
[ 45.341656] kasan_report.cold+0x130/0x2af
[ 45.345879] __asan_report_load8_noabort+0x14/0x20
[ 45.350807] slip_open+0xd14/0xff1
[ 45.354335] ? tty_set_ldisc+0x22b/0x610
[ 45.358388] ? sl_change_mtu+0x560/0x560
[ 45.362437] ? lock_downgrade+0x740/0x740
[ 45.366573] ? sl_change_mtu+0x560/0x560
[ 45.370617] tty_ldisc_open.isra.0+0x73/0xb0
[ 45.375026] tty_set_ldisc+0x29a/0x610
[ 45.378904] tty_ioctl+0x95b/0x1320
[ 45.382510] ? get_pid_task+0xbf/0x140
[ 45.386372] ? tty_vhangup+0x30/0x30
[ 45.390074] ? __might_sleep+0x93/0xb0
[ 45.393939] ? tty_vhangup+0x30/0x30
[ 45.397632] do_vfs_ioctl+0x7ae/0x1060
[ 45.401501] ? selinux_file_mprotect+0x5d0/0x5d0
[ 45.406236] ? ioctl_preallocate+0x1c0/0x1c0
[ 45.410621] ? vfs_write+0x104/0x500
[ 45.414316] ? security_file_ioctl+0x7d/0xb0
[ 45.418703] ? security_file_ioctl+0x89/0xb0
[ 45.423107] SyS_ioctl+0x8f/0xc0
[ 45.426463] ? do_vfs_ioctl+0x1060/0x1060
[ 45.430591] do_syscall_64+0x1e8/0x640
[ 45.434457] ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 45.439289] entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 45.444455] RIP: 0033:0x441129
[ 45.447632] RSP: 002b:00007fff4b945318 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[ 45.455379] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 0000000000441129
[ 45.462654] RDX: 0000000020000080 RSI: 0000000000005423 RDI: 0000000000000003
[ 45.469902] RBP: 00007fff4b945330 R08: 0000000000000001 R09: 0000000000000000
[ 45.477160] R10: 0000000000000000 R11: 0000000000000246 R12: ffffffffffffffff
[ 45.484410] R13: 0000000000000004 R14: 0000000000000000 R15: 0000000000000000
[ 45.492916] Kernel Offset: disabled
[ 45.496547] Rebooting in 86400 seconds..