[ 34.069513] audit: type=1800 audit(1583304873.313:33): pid=7176 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:kernel_t:s0 op="collect_data" cause="failed(directio)" comm="startpar" name="rc.local" dev="sda1" ino=2465 res=0
[ 34.096683] audit: type=1800 audit(1583304873.313:34): pid=7176 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:kernel_t:s0 op="collect_data" cause="failed(directio)" comm="startpar" name="rmnologin" dev="sda1" ino=2456 res=0

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [ 37.921436] random: sshd: uninitialized urandom read (32 bytes read)
[ 38.206399] audit: type=1400 audit(1583304877.453:35): avc: denied { map } for pid=7349 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
[ 38.308093] random: sshd: uninitialized urandom read (32 bytes read)
[ 39.095987] random: sshd: uninitialized urandom read (32 bytes read)
[ 43.267989] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.0.223' (ECDSA) to the list of known hosts.
[ 50.965823] random: sshd: uninitialized urandom read (32 bytes read)
[ 51.176899] audit: type=1400 audit(1583304890.423:36): avc: denied { map } for pid=7361 comm="syz-execprog" path="/root/syz-execprog" dev="sda1" ino=16482 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
2020/03/04 06:54:50 parsed 1 programs
[ 51.934924] random: cc1: uninitialized urandom read (8 bytes read)
2020/03/04 06:54:52 executed programs: 0
[ 52.836650] audit: type=1400 audit(1583304892.073:37): avc: denied { map } for pid=7361 comm="syz-execprog" path="/sys/kernel/debug/kcov" dev="debugfs" ino=17 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:debugfs_t:s0 tclass=file permissive=1
[ 53.131090] IPVS: ftp: loaded support on port[0] = 21
[ 53.922137] chnl_net:caif_netlink_parms(): no params data found
[ 53.971954] bridge0: port 1(bridge_slave_0) entered blocking state
[ 53.978628] bridge0: port 1(bridge_slave_0) entered disabled state
[ 53.986195] device bridge_slave_0 entered promiscuous mode
[ 53.993520] bridge0: port 2(bridge_slave_1) entered blocking state
[ 54.000437] bridge0: port 2(bridge_slave_1) entered disabled state
[ 54.007543] device bridge_slave_1 entered promiscuous mode
[ 54.024431] bond0: Enslaving bond_slave_0 as an active interface with an up link
[ 54.033913] bond0: Enslaving bond_slave_1 as an active interface with an up link
[ 54.050808] IPv6: ADDRCONF(NETDEV_UP): team_slave_0: link is not ready
[ 54.058329] team0: Port device team_slave_0 added
[ 54.064597] IPv6: ADDRCONF(NETDEV_UP): team_slave_1: link is not ready
[ 54.072215] team0: Port device team_slave_1 added
[ 54.087984] batman_adv: batadv0: Adding interface: batadv_slave_0
[ 54.094452] batman_adv: batadv0: The MTU of interface batadv_slave_0 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem.
[ 54.119935] batman_adv: batadv0: Not using interface batadv_slave_0 (retrying later): interface not active
[ 54.131159] batman_adv: batadv0: Adding interface: batadv_slave_1
[ 54.137404] batman_adv: batadv0: The MTU of interface batadv_slave_1 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem.
[ 54.163083] batman_adv: batadv0: Not using interface batadv_slave_1 (retrying later): interface not active
[ 54.173532] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_0: link is not ready
[ 54.181160] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_1: link is not ready
[ 54.233570] device hsr_slave_0 entered promiscuous mode
[ 54.300356] device hsr_slave_1 entered promiscuous mode
[ 54.371280] IPv6: ADDRCONF(NETDEV_UP): hsr_slave_0: link is not ready
[ 54.378625] IPv6: ADDRCONF(NETDEV_UP): hsr_slave_1: link is not ready
[ 54.429225] audit: type=1400 audit(1583304893.673:38): avc: denied { create } for pid=7378 comm="syz-executor.0" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_generic_socket permissive=1
[ 54.449668] bridge0: port 2(bridge_slave_1) entered blocking state
[ 54.453761] audit: type=1400 audit(1583304893.673:39): avc: denied { write } for pid=7378 comm="syz-executor.0" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_generic_socket permissive=1
[ 54.459806] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 54.485586] audit: type=1400 audit(1583304893.683:40): avc: denied { read } for pid=7378 comm="syz-executor.0" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_generic_socket permissive=1
[ 54.490533] bridge0: port 1(bridge_slave_0) entered blocking state
[ 54.520330] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 54.553570] IPv6: ADDRCONF(NETDEV_UP): bond0: link is not ready
[ 54.559652] 8021q: adding VLAN 0 to HW filter on device bond0
[ 54.568386] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
[ 54.577740] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 54.596291] bridge0: port 1(bridge_slave_0) entered disabled state
[ 54.603592] bridge0: port 2(bridge_slave_1) entered disabled state
[ 54.614054] IPv6: ADDRCONF(NETDEV_UP): team0: link is not ready
[ 54.620520] 8021q: adding VLAN 0 to HW filter on device team0
[ 54.629629] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[ 54.638311] bridge0: port 1(bridge_slave_0) entered blocking state
[ 54.644818] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 54.660620] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[ 54.668244] bridge0: port 2(bridge_slave_1) entered blocking state
[ 54.674907] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 54.684094] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready
[ 54.692795] IPv6: ADDRCONF(NETDEV_CHANGE): team0: link becomes ready
[ 54.708115] hsr0: Slave A (hsr_slave_0) is not up; please bring it up to get a fully working HSR network
[ 54.718278] hsr0: Slave B (hsr_slave_1) is not up; please bring it up to get a fully working HSR network
[ 54.729676] IPv6: ADDRCONF(NETDEV_UP): hsr0: link is not ready
[ 54.736628] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready
[ 54.744706] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
[ 54.752736] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
[ 54.760745] IPv6: ADDRCONF(NETDEV_CHANGE): hsr0: link becomes ready
[ 54.773508] IPv6: ADDRCONF(NETDEV_UP): vxcan0: link is not ready
[ 54.782621] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan0: link becomes ready
[ 54.789322] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan1: link becomes ready
[ 54.802122] 8021q: adding VLAN 0 to HW filter on device batadv0
[ 54.865709] IPv6: ADDRCONF(NETDEV_UP): veth0_virt_wifi: link is not ready
[ 54.876580] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_virt_wifi: link becomes ready
[ 54.910734] IPv6: ADDRCONF(NETDEV_CHANGE): bond0: link becomes ready
[ 54.923518] IPv6: ADDRCONF(NETDEV_UP): veth0_vlan: link is not ready
[ 54.930887] IPv6: ADDRCONF(NETDEV_UP): vlan0: link is not ready
[ 54.937427] IPv6: ADDRCONF(NETDEV_UP): vlan1: link is not ready
[ 54.947328] IPv6: ADDRCONF(NETDEV_UP): veth1_vlan: link is not ready
[ 54.953977] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_vlan: link becomes ready
[ 54.961478] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_vlan: link becomes ready
[ 54.969879] IPv6: ADDRCONF(NETDEV_CHANGE): vlan0: link becomes ready
[ 54.977134] IPv6: ADDRCONF(NETDEV_CHANGE): vlan1: link becomes ready
[ 54.985579] device veth0_vlan entered promiscuous mode
[ 54.995160] device veth1_vlan entered promiscuous mode
[ 55.001141] IPv6: ADDRCONF(NETDEV_UP): macvlan0: link is not ready
[ 55.010929] IPv6: ADDRCONF(NETDEV_UP): macvlan1: link is not ready
[ 55.022699] IPv6: ADDRCONF(NETDEV_UP): veth0_macvtap: link is not ready
[ 55.032447] IPv6: ADDRCONF(NETDEV_UP): veth1_macvtap: link is not ready
[ 55.039364] IPv6: ADDRCONF(NETDEV_CHANGE): macvlan0: link becomes ready
[ 55.047122] IPv6: ADDRCONF(NETDEV_CHANGE): macvlan1: link becomes ready
[ 55.054615] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_macvtap: link becomes ready
[ 55.062655] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_macvtap: link becomes ready
[ 55.072419] device veth0_macvtap entered promiscuous mode
[ 55.078627] IPv6: ADDRCONF(NETDEV_UP): macvtap0: link is not ready
[ 55.087257] device veth1_macvtap entered promiscuous mode
[ 55.093875] IPv6: ADDRCONF(NETDEV_UP): macsec0: link is not ready
[ 55.103242] IPv6: ADDRCONF(NETDEV_UP): veth0_to_batadv: link is not ready
[ 55.113402] IPv6: ADDRCONF(NETDEV_UP): veth1_to_batadv: link is not ready
[ 55.122901] IPv6: ADDRCONF(NETDEV_UP): batadv_slave_0: link is not ready
[ 55.130649] batman_adv: batadv0: Interface activated: batadv_slave_0
[ 55.139245] IPv6: ADDRCONF(NETDEV_CHANGE): macvtap0: link becomes ready
[ 55.146649] IPv6: ADDRCONF(NETDEV_CHANGE): macsec0: link becomes ready
[ 55.154087] IPv6: ADDRCONF(NETDEV_CHANGE): batadv_slave_0: link becomes ready
[ 55.162223] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_batadv: link becomes ready
[ 55.172867] IPv6: ADDRCONF(NETDEV_UP): batadv_slave_1: link is not ready
[ 55.179867] batman_adv: batadv0: Interface activated: batadv_slave_1
[ 55.187446] IPv6: ADDRCONF(NETDEV_CHANGE): batadv_slave_1: link becomes ready
[ 55.195601] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_batadv: link becomes ready
[ 56.520367] ==================================================================
[ 56.527940] BUG: KASAN: use-after-free in l2tp_session_queue_purge+0xea/0xf0
[ 56.535185] Read of size 4 at addr ffff8880a7f67a80 by task syz-executor.0/7441
[ 56.542731]
[ 56.544366] CPU: 1 PID: 7441 Comm: syz-executor.0 Not tainted 4.14.172-syzkaller #0
[ 56.552162] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 56.561609] Call Trace:
[ 56.564223]  dump_stack+0x13e/0x194
[ 56.567850]  ? l2tp_session_queue_purge+0xea/0xf0
[ 56.572704]  print_address_description.cold+0x7c/0x1e2
[ 56.577980]  ? l2tp_session_queue_purge+0xea/0xf0
[ 56.582830]  kasan_report.cold+0xa9/0x2ae
[ 56.586980]  l2tp_session_queue_purge+0xea/0xf0
[ 56.591658]  l2tp_tunnel_closeall+0x1fe/0x370
[ 56.596203]  ? l2tp_tunnel_find+0x490/0x490
[ 56.600518]  ? udp_v6_flush_pending_frames+0xd0/0xd0
[ 56.605623]  l2tp_udp_encap_destroy+0x8d/0xf0
[ 56.610121]  udpv6_destroy_sock+0xa6/0xd0
[ 56.614374]  sk_common_release+0x64/0x2f0
[ 56.618516]  inet_release+0xdf/0x1b0
[ 56.622238]  inet6_release+0x4c/0x70
[ 56.625963]  __sock_release+0xcd/0x2b0
[ 56.629855]  ? __sock_release+0x2b0/0x2b0
[ 56.633995]  sock_close+0x15/0x20
[ 56.637433]  __fput+0x25f/0x790
[ 56.640741]  task_work_run+0x113/0x190
[ 56.644626]  exit_to_usermode_loop+0x1d6/0x220
[ 56.649260]  do_syscall_64+0x4a3/0x640
[ 56.653145]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 56.658325] RIP: 0033:0x416011
[ 56.661501] RSP: 002b:00007fff58d96b80 EFLAGS: 00000293 ORIG_RAX: 0000000000000003
[ 56.669249] RAX: 0000000000000000 RBX: 0000000000000006 RCX: 0000000000416011
[ 56.676515] RDX: 0000000000000000 RSI: 0000000000000081 RDI: 0000000000000005
[ 56.683771] RBP: 0000000000000000 R08: 00000000007703e0 R09: 01ffffffffffffff
[ 56.691029] R10: 00007fff58d96c50 R11: 0000000000000293 R12: 000000000076bf20
[ 56.698380] R13: 00000000007703e8 R14: 0000000000000000 R15: 000000000076bf2c
[ 56.705669]
[ 56.707297] Allocated by task 7442:
[ 56.710918]  save_stack+0x32/0xa0
[ 56.714385]  kasan_kmalloc+0xbf/0xe0
[ 56.718082]  __kmalloc+0x15b/0x7c0
[ 56.721606]  l2tp_session_create+0x35/0x16f0
[ 56.725996]  pppol2tp_connect+0x1154/0x17b0
[ 56.730300]  SYSC_connect+0x1c6/0x250
[ 56.734099]  do_syscall_64+0x1d5/0x640
[ 56.737977]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 56.743161]
[ 56.744779] Freed by task 7442:
[ 56.748052]  save_stack+0x32/0xa0
[ 56.751550]  kasan_slab_free+0x75/0xc0
[ 56.755435]  kfree+0xcb/0x260
[ 56.758622]  pppol2tp_session_destruct+0xcd/0x110
[ 56.763570]  __sk_destruct+0x49/0x640
[ 56.767389]  sk_destruct+0x97/0xc0
[ 56.770917]  __sk_free+0x4c/0x220
[ 56.774356]  sk_free+0x2b/0x40
[ 56.777546]  pppol2tp_release+0x247/0x2f0
[ 56.781678]  __sock_release+0xcd/0x2b0
[ 56.785554]  sock_close+0x15/0x20
[ 56.789001]  __fput+0x25f/0x790
[ 56.792277]  task_work_run+0x113/0x190
[ 56.796160]  exit_to_usermode_loop+0x1d6/0x220
[ 56.800723]  do_syscall_64+0x4a3/0x640
[ 56.804601]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 56.809825]
[ 56.811488] The buggy address belongs to the object at ffff8880a7f67a80
[ 56.811488]  which belongs to the cache kmalloc-512 of size 512
[ 56.824239] The buggy address is located 0 bytes inside of
[ 56.824239]  512-byte region [ffff8880a7f67a80, ffff8880a7f67c80)
[ 56.835925] The buggy address belongs to the page:
[ 56.840844] page:ffffea00029fd9c0 count:1 mapcount:0 mapping:ffff8880a7f67080 index:0x0
[ 56.848976] flags: 0xfffe0000000100(slab)
[ 56.853114] raw: 00fffe0000000100 ffff8880a7f67080 0000000000000000 0000000100000006
[ 56.861203] raw: ffffea0002a41f20 ffffea00024522a0 ffff88812fe56940 0000000000000000
[ 56.869100] page dumped because: kasan: bad access detected
[ 56.874796]
[ 56.876407] Memory state around the buggy address:
[ 56.881756]  ffff8880a7f67980: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 56.889114]  ffff8880a7f67a00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 56.896467] >ffff8880a7f67a80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 56.903817]                    ^
[ 56.907174]  ffff8880a7f67b00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 56.914532]  ffff8880a7f67b80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 56.921885] ==================================================================
[ 56.929234] Disabling lock debugging due to kernel taint
[ 56.937962] Kernel panic - not syncing: panic_on_warn set ...
[ 56.937962]
[ 56.945448] CPU: 0 PID: 7441 Comm: syz-executor.0 Tainted: G B 4.14.172-syzkaller #0
[ 56.954559] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 56.963913] Call Trace:
[ 56.966492]  dump_stack+0x13e/0x194
[ 56.970116]  panic+0x1f9/0x42d
[ 56.973305]  ? add_taint.cold+0x16/0x16
[ 56.977277]  ? preempt_schedule_common+0x4a/0xc0
[ 56.982154]  ? l2tp_session_queue_purge+0xea/0xf0
[ 56.987026]  ? ___preempt_schedule+0x16/0x18
[ 56.991474]  ? l2tp_session_queue_purge+0xea/0xf0
[ 56.996307]  kasan_end_report+0x43/0x49
[ 57.000261]  kasan_report.cold+0x12f/0x2ae
[ 57.004476]  l2tp_session_queue_purge+0xea/0xf0
[ 57.009136]  l2tp_tunnel_closeall+0x1fe/0x370
[ 57.013628]  ? l2tp_tunnel_find+0x490/0x490
[ 57.017938]  ? udp_v6_flush_pending_frames+0xd0/0xd0
[ 57.023019]  l2tp_udp_encap_destroy+0x8d/0xf0
[ 57.027492]  udpv6_destroy_sock+0xa6/0xd0
[ 57.031620]  sk_common_release+0x64/0x2f0
[ 57.035758]  inet_release+0xdf/0x1b0
[ 57.039967]  inet6_release+0x4c/0x70
[ 57.043674]  __sock_release+0xcd/0x2b0
[ 57.047543]  ? __sock_release+0x2b0/0x2b0
[ 57.051671]  sock_close+0x15/0x20
[ 57.055108]  __fput+0x25f/0x790
[ 57.058387]  task_work_run+0x113/0x190
[ 57.062259]  exit_to_usermode_loop+0x1d6/0x220
[ 57.066832]  do_syscall_64+0x4a3/0x640
[ 57.070701]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 57.075865] RIP: 0033:0x416011
[ 57.079044] RSP: 002b:00007fff58d96b80 EFLAGS: 00000293 ORIG_RAX: 0000000000000003
[ 57.086744] RAX: 0000000000000000 RBX: 0000000000000006 RCX: 0000000000416011
[ 57.093998] RDX: 0000000000000000 RSI: 0000000000000081 RDI: 0000000000000005
[ 57.101306] RBP: 0000000000000000 R08: 00000000007703e0 R09: 01ffffffffffffff
[ 57.108567] R10: 00007fff58d96c50 R11: 0000000000000293 R12: 000000000076bf20
[ 57.115876] R13: 00000000007703e8 R14: 0000000000000000 R15: 000000000076bf2c
[ 57.124547] Kernel Offset: disabled
[ 57.128168] Rebooting in 86400 seconds..