[ ok ] Starting file context maintaining daemon: restorecond.
Debian GNU/Linux 7 syzkaller ttyS0
syzkaller login: [ 61.169825] random: sshd: uninitialized urandom read (32 bytes read)
[ 61.507193] kauditd_printk_skb: 10 callbacks suppressed
[ 61.507201] audit: type=1400 audit(1578486389.631:35): avc: denied { map } for pid=7083 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
[ 61.552496] random: sshd: uninitialized urandom read (32 bytes read)
[ 62.191574] random: sshd: uninitialized urandom read (32 bytes read)
[ 76.722529] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.0.23' (ECDSA) to the list of known hosts.
[ 82.269595] random: sshd: uninitialized urandom read (32 bytes read)
[ 82.398225] audit: type=1400 audit(1578486410.521:36): avc: denied { map } for pid=7095 comm="syz-executor815" path="/root/syz-executor815009648" dev="sda1" ino=16481 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
[ 82.640820] IPVS: ftp: loaded support on port[0] = 21
[ 83.507661] chnl_net:caif_netlink_parms(): no params data found
[ 83.539881] bridge0: port 1(bridge_slave_0) entered blocking state
[ 83.546684] bridge0: port 1(bridge_slave_0) entered disabled state
[ 83.553676] device bridge_slave_0 entered promiscuous mode
[ 83.560692] bridge0: port 2(bridge_slave_1) entered blocking state
[ 83.567058] bridge0: port 2(bridge_slave_1) entered disabled state
[ 83.574144] device bridge_slave_1 entered promiscuous mode
[ 83.587946] bond0: Enslaving bond_slave_0 as an active interface with an up link
[ 83.597055] bond0: Enslaving bond_slave_1 as an active interface with an up link
[ 83.612830] IPv6: ADDRCONF(NETDEV_UP): team_slave_0: link is not ready
[ 83.619932] team0: Port device team_slave_0 added
[ 83.625469] IPv6: ADDRCONF(NETDEV_UP): team_slave_1: link is not ready
[ 83.632553] team0: Port device team_slave_1 added
[ 83.637790] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_0: link is not ready
[ 83.645192] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_1: link is not ready
[ 83.691729] device hsr_slave_0 entered promiscuous mode
[ 83.730282] device hsr_slave_1 entered promiscuous mode
[ 83.790619] IPv6: ADDRCONF(NETDEV_UP): hsr_slave_0: link is not ready
[ 83.797699] IPv6: ADDRCONF(NETDEV_UP): hsr_slave_1: link is not ready
[ 83.836359] bridge0: port 2(bridge_slave_1) entered blocking state
[ 83.842765] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 83.849470] bridge0: port 1(bridge_slave_0) entered blocking state
[ 83.855846] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 83.883433] IPv6: ADDRCONF(NETDEV_UP): bond0: link is not ready
[ 83.889507] 8021q: adding VLAN 0 to HW filter on device bond0
[ 83.897922] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
[ 83.906222] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 83.925110] bridge0: port 1(bridge_slave_0) entered disabled state
[ 83.932139] bridge0: port 2(bridge_slave_1) entered disabled state
[ 83.941672] IPv6: ADDRCONF(NETDEV_UP): team0: link is not ready
[ 83.947884] 8021q: adding VLAN 0 to HW filter on device team0
[ 83.956209] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[ 83.963799] bridge0: port 1(bridge_slave_0) entered blocking state
[ 83.970171] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 83.978890] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[ 83.986744] bridge0: port 2(bridge_slave_1) entered blocking state
[ 83.993110] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 84.012522] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready
[ 84.019977] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready
[ 84.028004] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
[ 84.035775] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
[ 84.044006] IPv6: ADDRCONF(NETDEV_CHANGE): team0: link becomes ready
[ 84.052043] IPv6: ADDRCONF(NETDEV_UP): hsr0: link is not ready
[ 84.058128] IPv6: ADDRCONF(NETDEV_CHANGE): hsr0: link becomes ready
[ 84.070565] IPv6: ADDRCONF(NETDEV_UP): vxcan0: link is not ready
[ 84.077639] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan0: link becomes ready
[ 84.084672] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan1: link becomes ready
[ 84.095421] 8021q: adding VLAN 0 to HW filter on device batadv0
[ 84.149489] IPv6: ADDRCONF(NETDEV_UP): veth0_virt_wifi: link is not ready
[ 84.158629] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_virt_wifi: link becomes ready
[ 84.189598] IPv6: ADDRCONF(NETDEV_UP): veth0_vlan: link is not ready
[ 84.196912] IPv6: ADDRCONF(NETDEV_UP): vlan0: link is not ready
[ 84.203500] IPv6: ADDRCONF(NETDEV_UP): vlan1: link is not ready
[ 84.212673] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_vlan: link becomes ready
[ 84.220864] IPv6: ADDRCONF(NETDEV_CHANGE): vlan0: link becomes ready
[ 84.227826] IPv6: ADDRCONF(NETDEV_CHANGE): vlan1: link becomes ready
[ 84.236684] device veth0_vlan entered promiscuous mode
executing program
[ 84.245875] device veth1_vlan entered promiscuous mode
[ 84.251684] IPv6: ADDRCONF(NETDEV_UP): macvlan0: link is not ready
[ 84.259895] IPv6: ADDRCONF(NETDEV_UP): macvlan1: link is not ready
[ 84.280286] protocol 88fb is buggy, dev hsr_slave_0
[ 84.285462] protocol 88fb is buggy, dev hsr_slave_1
[ 84.300858] ==================================================================
[ 84.308285] BUG: KASAN: slab-out-of-bounds in macvlan_broadcast+0x4b9/0x5c0
[ 84.315377] Read of size 4 at addr ffff88808b535d41 by task syz-executor815/7096
[ 84.322887]
[ 84.324500] CPU: 1 PID: 7096 Comm: syz-executor815 Not tainted 4.14.162-syzkaller #0
[ 84.332356] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 84.341689] Call Trace:
[ 84.344269] dump_stack+0x142/0x197
[ 84.347901] ? macvlan_broadcast+0x4b9/0x5c0
[ 84.352391] print_address_description.cold+0x7c/0x1dc
[ 84.357664] ? macvlan_broadcast+0x4b9/0x5c0
[ 84.362091] kasan_report.cold+0xa9/0x2af
[ 84.366226] __asan_report_load_n_noabort+0xf/0x20
[ 84.371142] macvlan_broadcast+0x4b9/0x5c0
[ 84.375381] ? validate_xmit_skb+0x650/0x9d0
[ 84.379772] macvlan_start_xmit+0x56b/0x72d
[ 84.384075] packet_direct_xmit+0x431/0x640
[ 84.388375] packet_sendmsg+0x1dd4/0x5a60
[ 84.392501] ? avc_has_perm_noaudit+0x420/0x420
[ 84.397151] ? trace_hardirqs_on+0x10/0x10
[ 84.401373] ? packet_notifier+0x760/0x760
[ 84.405587] ? release_sock+0x14a/0x1b0
[ 84.409556] ? security_socket_sendmsg+0x89/0xb0
[ 84.414291] ? packet_notifier+0x760/0x760
[ 84.418506] sock_sendmsg+0xce/0x110
[ 84.422212] SYSC_sendto+0x206/0x310
[ 84.425920] ? SYSC_connect+0x2d0/0x2d0
[ 84.429896] ? move_addr_to_kernel.part.0+0x100/0x100
[ 84.435092] ? ioctl_preallocate+0x1c0/0x1c0
[ 84.439489] ? security_file_ioctl+0x7d/0xb0
[ 84.443880] ? security_file_ioctl+0x89/0xb0
[ 84.448279] SyS_sendto+0x40/0x50
[ 84.451714] ? SyS_getpeername+0x30/0x30
[ 84.455796] do_syscall_64+0x1e8/0x640
[ 84.459665] ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 84.464495] entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 84.469661] RIP: 0033:0x4423d9
[ 84.472841] RSP: 002b:00007ffc4948a4d8 EFLAGS: 00000246 ORIG_RAX: 000000000000002c
[ 84.480526] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00000000004423d9
[ 84.487773] RDX: 000000000000000e RSI: 0000000020000080 RDI: 0000000000000003
[ 84.495020] RBP: 00007ffc4948a500 R08: 0000000000000000 R09: 0000000000000000
[ 84.502269] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
[ 84.509643] R13: 0000000000403910 R14: 0000000000000000 R15: 0000000000000000
[ 84.516900]
[ 84.518507] Allocated by task 4144:
[ 84.522115] save_stack_trace+0x16/0x20
[ 84.526066] save_stack+0x45/0xd0
[ 84.529497] kasan_kmalloc+0xce/0xf0
[ 84.533184] kasan_slab_alloc+0xf/0x20
[ 84.537049] kmem_cache_alloc+0x12e/0x780
[ 84.541183] getname_flags+0xcb/0x580
[ 84.544968] getname+0x1a/0x20
[ 84.548138] do_sys_open+0x1e7/0x430
[ 84.551827] SyS_open+0x2d/0x40
[ 84.555083] do_syscall_64+0x1e8/0x640
[ 84.558946] entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 84.564106]
[ 84.565713] Freed by task 4144:
[ 84.568969] save_stack_trace+0x16/0x20
[ 84.572935] save_stack+0x45/0xd0
[ 84.576373] kasan_slab_free+0x75/0xc0
[ 84.580249] kmem_cache_free+0x83/0x2b0
[ 84.584200] putname+0xdb/0x120
[ 84.587456] do_sys_open+0x21c/0x430
[ 84.591146] SyS_open+0x2d/0x40
[ 84.594401] do_syscall_64+0x1e8/0x640
[ 84.598278] entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 84.603440]
[ 84.605058] The buggy address belongs to the object at ffff88808b5349c0
[ 84.605058] which belongs to the cache names_cache of size 4096
[ 84.617786] The buggy address is located 897 bytes to the right of
[ 84.617786] 4096-byte region [ffff88808b5349c0, ffff88808b5359c0)
[ 84.630241] The buggy address belongs to the page:
[ 84.635240] page:ffffea00022d4d00 count:1 mapcount:0 mapping:ffff88808b5349c0 index:0x0 compound_mapcount: 0
[ 84.645186] flags: 0xfffe0000008100(slab|head)
[ 84.649755] raw: 00fffe0000008100 ffff88808b5349c0 0000000000000000 0000000100000001
[ 84.657613] raw: ffffea000209cfa0 ffffea00022d20a0 ffff8880aa9e9cc0 0000000000000000
[ 84.665480] page dumped because: kasan: bad access detected
[ 84.671162]
[ 84.672771] Memory state around the buggy address:
[ 84.677676] ffff88808b535c00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 84.685011] ffff88808b535c80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 84.692384] >ffff88808b535d00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 84.699718] ^
[ 84.705145] ffff88808b535d80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 84.712482] ffff88808b535e00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 84.719827] ==================================================================
[ 84.727163] Disabling lock debugging due to kernel taint
[ 84.732650] Kernel panic - not syncing: panic_on_warn set ...
[ 84.732650]
[ 84.740026] CPU: 1 PID: 7096 Comm: syz-executor815 Tainted: G B 4.14.162-syzkaller #0
[ 84.749108] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 84.758449] Call Trace:
[ 84.762408] dump_stack+0x142/0x197
[ 84.766011] ? macvlan_broadcast+0x4b9/0x5c0
[ 84.770397] panic+0x1f9/0x42d
[ 84.773583] ? add_taint.cold+0x16/0x16
[ 84.777534] kasan_end_report+0x47/0x4f
[ 84.781482] kasan_report.cold+0x130/0x2af
[ 84.785690] __asan_report_load_n_noabort+0xf/0x20
[ 84.790607] macvlan_broadcast+0x4b9/0x5c0
[ 84.794829] ? validate_xmit_skb+0x650/0x9d0
[ 84.799212] macvlan_start_xmit+0x56b/0x72d
[ 84.803513] packet_direct_xmit+0x431/0x640
[ 84.807810] packet_sendmsg+0x1dd4/0x5a60
[ 84.811936] ? avc_has_perm_noaudit+0x420/0x420
[ 84.816589] ? trace_hardirqs_on+0x10/0x10
[ 84.820815] ? packet_notifier+0x760/0x760
[ 84.825025] ? release_sock+0x14a/0x1b0
[ 84.828977] ? security_socket_sendmsg+0x89/0xb0
[ 84.833711] ? packet_notifier+0x760/0x760
[ 84.837948] sock_sendmsg+0xce/0x110
[ 84.841638] SYSC_sendto+0x206/0x310
[ 84.845330] ? SYSC_connect+0x2d0/0x2d0
[ 84.849283] ? move_addr_to_kernel.part.0+0x100/0x100
[ 84.854450] ? ioctl_preallocate+0x1c0/0x1c0
[ 84.858847] ? security_file_ioctl+0x7d/0xb0
[ 84.863235] ? security_file_ioctl+0x89/0xb0
[ 84.867634] SyS_sendto+0x40/0x50
[ 84.871077] ? SyS_getpeername+0x30/0x30
[ 84.875127] do_syscall_64+0x1e8/0x640
[ 84.878993] ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 84.883816] entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 84.889108] RIP: 0033:0x4423d9
[ 84.892282] RSP: 002b:00007ffc4948a4d8 EFLAGS: 00000246 ORIG_RAX: 000000000000002c
[ 84.899970] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00000000004423d9
[ 84.907220] RDX: 000000000000000e RSI: 0000000020000080 RDI: 0000000000000003
[ 84.914467] RBP: 00007ffc4948a500 R08: 0000000000000000 R09: 0000000000000000
[ 84.921713] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
[ 84.928958] R13: 0000000000403910 R14: 0000000000000000 R15: 0000000000000000
[ 84.937693] Kernel Offset: disabled
[ 84.941352] Rebooting in 86400 seconds..