[ 33.563168] audit: type=1800 audit(1578326935.624:33): pid=7011 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:kernel_t:s0 op="collect_data" cause="failed(directio)" comm="startpar" name="rc.local" dev="sda1" ino=2465 res=0
[ 33.588027] audit: type=1800 audit(1578326935.624:34): pid=7011 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:kernel_t:s0 op="collect_data" cause="failed(directio)" comm="startpar" name="rmnologin" dev="sda1" ino=2456 res=0

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [ 36.310576] random: sshd: uninitialized urandom read (32 bytes read)
[ 36.749637] audit: type=1400 audit(1578326938.804:35): avc: denied { map } for pid=7186 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
[ 36.801358] random: sshd: uninitialized urandom read (32 bytes read)
[ 37.436972] random: sshd: uninitialized urandom read (32 bytes read)
[ 37.628900] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.0.168' (ECDSA) to the list of known hosts.
[ 43.220880] random: sshd: uninitialized urandom read (32 bytes read)
executing program
[ 43.341887] audit: type=1400 audit(1578326945.404:36): avc: denied { map } for pid=7198 comm="syz-executor245" path="/root/syz-executor245898594" dev="sda1" ino=16484 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
[ 43.346339] netlink: 20 bytes leftover after parsing attributes in process `syz-executor245'.
[ 43.389924] ==================================================================
[ 43.397522] BUG: KASAN: use-after-free in radix_tree_next_chunk+0x953/0x9a0
[ 43.407503] Read of size 8 at addr ffff8880991ee988 by task syz-executor245/7198
[ 43.415044] 
[ 43.416675] CPU: 1 PID: 7198 Comm: syz-executor245 Not tainted 4.14.162-syzkaller #0
[ 43.424555] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 43.433914] Call Trace:
[ 43.436510]  dump_stack+0x142/0x197
[ 43.440146]  ? radix_tree_next_chunk+0x953/0x9a0
[ 43.444904]  print_address_description.cold+0x7c/0x1dc
[ 43.450186]  ? radix_tree_next_chunk+0x953/0x9a0
[ 43.455295]  kasan_report.cold+0xa9/0x2af
[ 43.459455]  __asan_report_load8_noabort+0x14/0x20
[ 43.464391]  radix_tree_next_chunk+0x953/0x9a0
[ 43.468990]  ida_remove+0xaa/0x230
[ 43.472549]  ? ida_destroy+0x1e0/0x1e0
[ 43.476472]  ? ida_simple_remove+0x2b/0x60
[ 43.481081]  ida_simple_remove+0x39/0x60
[ 43.485173]  ipvlan_link_new+0x515/0xfe0
[ 43.489267]  ? rtnl_create_link+0x12c/0x850
[ 43.493614]  rtnl_newlink+0xecb/0x1700
[ 43.497525]  ? ipvlan_port_destroy+0x400/0x400
[ 43.502129]  ? rtnl_link_unregister+0x200/0x200
[ 43.506811]  ? avc_has_perm_noaudit+0x2b2/0x420
[ 43.511506]  ? lock_acquire+0x16f/0x430
[ 43.515505]  ? rtnetlink_rcv_msg+0x339/0xb70
[ 43.519955]  ? rtnl_link_unregister+0x200/0x200
[ 43.524713]  rtnetlink_rcv_msg+0x3da/0xb70
[ 43.529103]  ? rtnl_bridge_getlink+0x7a0/0x7a0
[ 43.533681]  ? netlink_deliver_tap+0x93/0x8f0
[ 43.538182]  netlink_rcv_skb+0x14f/0x3c0
[ 43.542263]  ? rtnl_bridge_getlink+0x7a0/0x7a0
[ 43.546838]  ? lock_downgrade+0x740/0x740
[ 43.550988]  ? netlink_ack+0x9a0/0x9a0
[ 43.554878]  ? netlink_deliver_tap+0xba/0x8f0
[ 43.559381]  rtnetlink_rcv+0x1d/0x30
[ 43.563217]  netlink_unicast+0x44d/0x650
[ 43.567270]  ? netlink_attachskb+0x6a0/0x6a0
[ 43.571679]  ? security_netlink_send+0x81/0xb0
[ 43.576571]  netlink_sendmsg+0x7c4/0xc60
[ 43.580893]  ? netlink_unicast+0x650/0x650
[ 43.585405]  ? security_socket_sendmsg+0x89/0xb0
[ 43.590267]  ? netlink_unicast+0x650/0x650
[ 43.594614]  sock_sendmsg+0xce/0x110
[ 43.598338]  ___sys_sendmsg+0x70a/0x840
[ 43.602344]  ? copy_msghdr_from_user+0x3f0/0x3f0
[ 43.607358]  ? __might_fault+0x110/0x1d0
[ 43.611423]  ? find_held_lock+0x35/0x130
[ 43.615656]  ? __might_fault+0x110/0x1d0
[ 43.620539]  ? lock_downgrade+0x740/0x740
[ 43.625355]  ? kasan_check_read+0x11/0x20
[ 43.630667]  ? _copy_to_user+0x87/0xd0
[ 43.635507]  ? move_addr_to_user+0x94/0x1a0
[ 43.640076]  ? __fget_light+0x172/0x1f0
[ 43.644737]  ? __fdget+0x1b/0x20
[ 43.648159]  ? sockfd_lookup_light+0xb4/0x160
[ 43.652900]  __sys_sendmsg+0xb9/0x140
[ 43.656694]  ? SyS_shutdown+0x170/0x170
[ 43.660658]  ? fd_install+0x4d/0x60
[ 43.664274]  SyS_sendmsg+0x2d/0x50
[ 43.667802]  ? __sys_sendmsg+0x140/0x140
[ 43.671846]  do_syscall_64+0x1e8/0x640
[ 43.675746]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 43.680831]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 43.686291] RIP: 0033:0x440609
[ 43.689474] RSP: 002b:00007ffe8cec3d88 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
[ 43.697396] RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 0000000000440609
[ 43.705228] RDX: 0000000000000000 RSI: 0000000020000140 RDI: 0000000000000004
[ 43.712726] RBP: 00000000006ca018 R08: 0000000000000004 R09: 00000000004002c8
[ 43.720229] R10: 0000000000006e61 R11: 0000000000000246 R12: 0000000000401e90
[ 43.727653] R13: 0000000000401f20 R14: 0000000000000000 R15: 0000000000000000
[ 43.735108] 
[ 43.736730] Allocated by task 7198:
[ 43.740357]  save_stack_trace+0x16/0x20
[ 43.744331]  save_stack+0x45/0xd0
[ 43.747850]  kasan_kmalloc+0xce/0xf0
[ 43.751611]  kmem_cache_alloc_trace+0x152/0x790
[ 43.756552]  ipvlan_link_new+0x657/0xfe0
[ 43.760984]  rtnl_newlink+0xecb/0x1700
[ 43.765421]  rtnetlink_rcv_msg+0x3da/0xb70
[ 43.769648]  netlink_rcv_skb+0x14f/0x3c0
[ 43.773825]  rtnetlink_rcv+0x1d/0x30
[ 43.777534]  netlink_unicast+0x44d/0x650
[ 43.781575]  netlink_sendmsg+0x7c4/0xc60
[ 43.785648]  sock_sendmsg+0xce/0x110
[ 43.789358]  ___sys_sendmsg+0x70a/0x840
[ 43.793346]  __sys_sendmsg+0xb9/0x140
[ 43.797231]  SyS_sendmsg+0x2d/0x50
[ 43.800902]  do_syscall_64+0x1e8/0x640
[ 43.804944]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 43.810118] 
[ 43.811729] Freed by task 7198:
[ 43.815009]  save_stack_trace+0x16/0x20
[ 43.818994]  save_stack+0x45/0xd0
[ 43.822439]  kasan_slab_free+0x75/0xc0
[ 43.826330]  kfree+0xcc/0x270
[ 43.829664]  ipvlan_port_destroy+0x285/0x400
[ 43.834071]  ipvlan_uninit+0xc1/0xf0
[ 43.837826]  register_netdevice+0x79b/0xca0
[ 43.842142]  ipvlan_link_new+0x49f/0xfe0
[ 43.846192]  rtnl_newlink+0xecb/0x1700
[ 43.850069]  rtnetlink_rcv_msg+0x3da/0xb70
[ 43.854307]  netlink_rcv_skb+0x14f/0x3c0
[ 43.858393]  rtnetlink_rcv+0x1d/0x30
[ 43.862110]  netlink_unicast+0x44d/0x650
[ 43.866157]  netlink_sendmsg+0x7c4/0xc60
[ 43.870200]  sock_sendmsg+0xce/0x110
[ 43.874106]  ___sys_sendmsg+0x70a/0x840
[ 43.878065]  __sys_sendmsg+0xb9/0x140
[ 43.881863]  SyS_sendmsg+0x2d/0x50
[ 43.885385]  do_syscall_64+0x1e8/0x640
[ 43.889267]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 43.894431] 
[ 43.896039] The buggy address belongs to the object at ffff8880991ee0c0
[ 43.896039]  which belongs to the cache kmalloc-4096 of size 4096
[ 43.908851] The buggy address is located 2248 bytes inside of
[ 43.908851]  4096-byte region [ffff8880991ee0c0, ffff8880991ef0c0)
[ 43.920973] The buggy address belongs to the page:
[ 43.925923] page:ffffea0002647b80 count:1 mapcount:0 mapping:ffff8880991ee0c0 index:0x0 compound_mapcount: 0
[ 43.935952] flags: 0xfffe0000008100(slab|head)
[ 43.940527] raw: 00fffe0000008100 ffff8880991ee0c0 0000000000000000 0000000100000001
[ 43.948407] raw: ffffea00020dfd20 ffffea0002092ca0 ffff8880aa800dc0 0000000000000000
[ 43.956894] page dumped because: kasan: bad access detected
[ 43.962599] 
[ 43.964210] Memory state around the buggy address:
[ 43.969127]  ffff8880991ee880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 43.977611]  ffff8880991ee900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 43.985016] >ffff8880991ee980: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 43.992379]                                            ^
[ 43.996026]  ffff8880991eea00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 44.003390]  ffff8880991eea80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 44.010750] ==================================================================
[ 44.018234] Disabling lock debugging due to kernel taint
[ 44.023674] Kernel panic - not syncing: panic_on_warn set ...
[ 44.023674] 
[ 44.031061] CPU: 1 PID: 7198 Comm: syz-executor245 Tainted: G    B   4.14.162-syzkaller #0
[ 44.040197] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 44.049544] Call Trace:
[ 44.052121]  dump_stack+0x142/0x197
[ 44.055816]  ? radix_tree_next_chunk+0x953/0x9a0
[ 44.060555]  panic+0x1f9/0x42d
[ 44.063726]  ? add_taint.cold+0x16/0x16
[ 44.067680]  ? lock_downgrade+0x740/0x740
[ 44.071807]  kasan_end_report+0x47/0x4f
[ 44.076415]  kasan_report.cold+0x130/0x2af
[ 44.080630]  __asan_report_load8_noabort+0x14/0x20
[ 44.085540]  radix_tree_next_chunk+0x953/0x9a0
[ 44.090104]  ida_remove+0xaa/0x230
[ 44.093622]  ? ida_destroy+0x1e0/0x1e0
[ 44.097486]  ? ida_simple_remove+0x2b/0x60
[ 44.101762]  ida_simple_remove+0x39/0x60
[ 44.105818]  ipvlan_link_new+0x515/0xfe0
[ 44.109865]  ? rtnl_create_link+0x12c/0x850
[ 44.114375]  rtnl_newlink+0xecb/0x1700
[ 44.118250]  ? ipvlan_port_destroy+0x400/0x400
[ 44.122843]  ? rtnl_link_unregister+0x200/0x200
[ 44.127558]  ? avc_has_perm_noaudit+0x2b2/0x420
[ 44.132478]  ? lock_acquire+0x16f/0x430
[ 44.136526]  ? rtnetlink_rcv_msg+0x339/0xb70
[ 44.141018]  ? rtnl_link_unregister+0x200/0x200
[ 44.145794]  rtnetlink_rcv_msg+0x3da/0xb70
[ 44.150019]  ? rtnl_bridge_getlink+0x7a0/0x7a0
[ 44.154670]  ? netlink_deliver_tap+0x93/0x8f0
[ 44.159166]  netlink_rcv_skb+0x14f/0x3c0
[ 44.163369]  ? rtnl_bridge_getlink+0x7a0/0x7a0
[ 44.167951]  ? lock_downgrade+0x740/0x740
[ 44.172083]  ? netlink_ack+0x9a0/0x9a0
[ 44.176190]  ? netlink_deliver_tap+0xba/0x8f0
[ 44.180787]  rtnetlink_rcv+0x1d/0x30
[ 44.184488]  netlink_unicast+0x44d/0x650
[ 44.188545]  ? netlink_attachskb+0x6a0/0x6a0
[ 44.193071]  ? security_netlink_send+0x81/0xb0
[ 44.197650]  netlink_sendmsg+0x7c4/0xc60
[ 44.201735]  ? netlink_unicast+0x650/0x650
[ 44.207005]  ? security_socket_sendmsg+0x89/0xb0
[ 44.211757]  ? netlink_unicast+0x650/0x650
[ 44.215976]  sock_sendmsg+0xce/0x110
[ 44.219679]  ___sys_sendmsg+0x70a/0x840
[ 44.223672]  ? copy_msghdr_from_user+0x3f0/0x3f0
[ 44.228959]  ? __might_fault+0x110/0x1d0
[ 44.233015]  ? find_held_lock+0x35/0x130
[ 44.237062]  ? __might_fault+0x110/0x1d0
[ 44.241109]  ? lock_downgrade+0x740/0x740
[ 44.245430]  ? kasan_check_read+0x11/0x20
[ 44.249570]  ? _copy_to_user+0x87/0xd0
[ 44.253451]  ? move_addr_to_user+0x94/0x1a0
[ 44.257750]  ? __fget_light+0x172/0x1f0
[ 44.261722]  ? __fdget+0x1b/0x20
[ 44.265075]  ? sockfd_lookup_light+0xb4/0x160
[ 44.269577]  __sys_sendmsg+0xb9/0x140
[ 44.273432]  ? SyS_shutdown+0x170/0x170
[ 44.277420]  ? fd_install+0x4d/0x60
[ 44.281042]  SyS_sendmsg+0x2d/0x50
[ 44.284560]  ? __sys_sendmsg+0x140/0x140
[ 44.288621]  do_syscall_64+0x1e8/0x640
[ 44.292549]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 44.297400]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 44.302688] RIP: 0033:0x440609
[ 44.305861] RSP: 002b:00007ffe8cec3d88 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
[ 44.313558] RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 0000000000440609
[ 44.320829] RDX: 0000000000000000 RSI: 0000000020000140 RDI: 0000000000000004
[ 44.328079] RBP: 00000000006ca018 R08: 0000000000000004 R09: 00000000004002c8
[ 44.335329] R10: 0000000000006e61 R11: 0000000000000246 R12: 0000000000401e90
[ 44.342591] R13: 0000000000401f20 R14: 0000000000000000 R15: 0000000000000000
[ 44.351178] Kernel Offset: disabled
[ 44.354819] Rebooting in 86400 seconds..