[ 37.516215] audit: type=1800 audit(1580447951.353:33): pid=7264 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:kernel_t:s0 op="collect_data" cause="failed(directio)" comm="startpar" name="rc.local" dev="sda1" ino=2465 res=0
[ 37.538941] audit: type=1800 audit(1580447951.353:34): pid=7264 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:kernel_t:s0 op="collect_data" cause="failed(directio)" comm="startpar" name="rmnologin" dev="sda1" ino=2456 res=0

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [ 42.202028] random: sshd: uninitialized urandom read (32 bytes read)
[ 42.432864] audit: type=1400 audit(1580447956.273:35): avc: denied { map } for pid=7437 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
[ 42.486516] random: sshd: uninitialized urandom read (32 bytes read)
[ 43.213756] random: sshd: uninitialized urandom read (32 bytes read)
[ 43.408625] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.1.25' (ECDSA) to the list of known hosts.
[ 48.907924] random: sshd: uninitialized urandom read (32 bytes read)
[ 49.031467] audit: type=1400 audit(1580447962.873:36): avc: denied { map } for pid=7449 comm="syz-executor689" path="/root/syz-executor689575059" dev="sda1" ino=16483 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
[ 49.260884] IPVS: ftp: loaded support on port[0] = 21
executing program
executing program
executing program
[ 49.996609] netlink: 20 bytes leftover after parsing attributes in process `syz-executor689'.
[ 50.008932] tunl0: Master is either lo or non-ether device
[ 50.018009] netlink: 20 bytes leftover after parsing attributes in process `syz-executor689'.
[ 50.030180] gre0: Master is either lo or non-ether device
[ 50.039253] netlink: 20 bytes leftover after parsing attributes in process `syz-executor689'.
[ 50.052538] ==================================================================
[ 50.060144] BUG: KASAN: use-after-free in radix_tree_next_chunk+0x953/0x9a0
[ 50.067288] Read of size 8 at addr ffff8880984d7008 by task syz-executor689/7453
[ 50.074928]
[ 50.076545] CPU: 0 PID: 7453 Comm: syz-executor689 Not tainted 4.14.169-syzkaller #0
[ 50.084500] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 50.093870] Call Trace:
[ 50.096458]  dump_stack+0x142/0x197
[ 50.100087]  ? radix_tree_next_chunk+0x953/0x9a0
[ 50.104952]  print_address_description.cold+0x7c/0x1dc
[ 50.110269]  ? radix_tree_next_chunk+0x953/0x9a0
[ 50.115015]  kasan_report.cold+0xa9/0x2af
[ 50.119150]  __asan_report_load8_noabort+0x14/0x20
[ 50.124068]  radix_tree_next_chunk+0x953/0x9a0
[ 50.128656]  ida_remove+0xaa/0x230
[ 50.132196]  ? ida_destroy+0x1e0/0x1e0
[ 50.136144]  ? ida_simple_remove+0x2b/0x60
[ 50.140369]  ida_simple_remove+0x39/0x60
[ 50.144423]  ipvlan_link_new+0x515/0xfe0
[ 50.148474]  ? rtnl_create_link+0x12c/0x880
[ 50.152903]  rtnl_newlink+0xecb/0x1700
[ 50.156800]  ? ipvlan_port_destroy+0x400/0x400
[ 50.161500]  ? rtnl_link_unregister+0x200/0x200
[ 50.166177]  ? avc_has_perm_noaudit+0x2b2/0x420
[ 50.170886]  ? lock_acquire+0x16f/0x430
[ 50.174862]  ? rtnetlink_rcv_msg+0x339/0xb70
[ 50.179389]  ? rtnl_link_unregister+0x200/0x200
[ 50.184061]  rtnetlink_rcv_msg+0x3da/0xb70
[ 50.188332]  ? rtnl_bridge_getlink+0x7a0/0x7a0
[ 50.192903]  ? netlink_deliver_tap+0x93/0x8f0
[ 50.197432]  netlink_rcv_skb+0x14f/0x3c0
[ 50.201736]  ? rtnl_bridge_getlink+0x7a0/0x7a0
[ 50.206391]  ? lock_downgrade+0x740/0x740
[ 50.210568]  ? netlink_ack+0x9a0/0x9a0
[ 50.214461]  ? netlink_deliver_tap+0xba/0x8f0
[ 50.218963]  rtnetlink_rcv+0x1d/0x30
[ 50.222687]  netlink_unicast+0x44d/0x650
[ 50.226796]  ? netlink_attachskb+0x6a0/0x6a0
[ 50.231322]  ? security_netlink_send+0x81/0xb0
[ 50.235903]  netlink_sendmsg+0x7c4/0xc60
[ 50.239967]  ? netlink_unicast+0x650/0x650
[ 50.244293]  ? security_socket_sendmsg+0x89/0xb0
[ 50.249132]  ? netlink_unicast+0x650/0x650
[ 50.253371]  sock_sendmsg+0xce/0x110
[ 50.257517]  ___sys_sendmsg+0x70a/0x840
[ 50.261500]  ? copy_msghdr_from_user+0x3f0/0x3f0
[ 50.266249]  ? __might_fault+0x110/0x1d0
[ 50.270336]  ? find_held_lock+0x35/0x130
[ 50.274527]  ? __might_fault+0x110/0x1d0
[ 50.278611]  ? lock_downgrade+0x740/0x740
[ 50.282900]  ? kasan_check_read+0x11/0x20
[ 50.287067]  ? _copy_to_user+0x87/0xd0
[ 50.291002]  ? move_addr_to_user+0x94/0x1a0
[ 50.295409]  ? __fget_light+0x172/0x1f0
[ 50.299379]  ? __fdget+0x1b/0x20
[ 50.302751]  ? sockfd_lookup_light+0xb4/0x160
[ 50.307237]  __sys_sendmsg+0xb9/0x140
[ 50.311034]  ? SyS_shutdown+0x170/0x170
[ 50.315050]  ? fd_install+0x4d/0x60
[ 50.318674]  SyS_sendmsg+0x2d/0x50
[ 50.322212]  ? __sys_sendmsg+0x140/0x140
[ 50.326264]  do_syscall_64+0x1e8/0x640
[ 50.330142]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 50.335151]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 50.340328] RIP: 0033:0x441809
[ 50.343503] RSP: 002b:00007fffc9f50178 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
[ 50.351209] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000000441809
[ 50.358470] RDX: 0000000000000000 RSI: 0000000020000140 RDI: 0000000000000004
[ 50.365728] RBP: 000000000000c360 R08: 0000000100000000 R09: 0000000100000000
[ 50.372989] R10: 0000000100000000 R11: 0000000000000246 R12: 00000000004026d0
[ 50.380290] R13: 0000000000402760 R14: 0000000000000000 R15: 0000000000000000
[ 50.387564]
[ 50.389183] Allocated by task 7453:
[ 50.392816]  save_stack_trace+0x16/0x20
[ 50.396798]  save_stack+0x45/0xd0
[ 50.400251]  kasan_kmalloc+0xce/0xf0
[ 50.403952]  kmem_cache_alloc_trace+0x152/0x790
[ 50.408607]  ipvlan_link_new+0x657/0xfe0
[ 50.412700]  rtnl_newlink+0xecb/0x1700
[ 50.416627]  rtnetlink_rcv_msg+0x3da/0xb70
[ 50.420855]  netlink_rcv_skb+0x14f/0x3c0
[ 50.424906]  rtnetlink_rcv+0x1d/0x30
[ 50.428638]  netlink_unicast+0x44d/0x650
[ 50.432692]  netlink_sendmsg+0x7c4/0xc60
[ 50.436747]  sock_sendmsg+0xce/0x110
[ 50.440444]  ___sys_sendmsg+0x70a/0x840
[ 50.444414]  __sys_sendmsg+0xb9/0x140
[ 50.448207]  SyS_sendmsg+0x2d/0x50
[ 50.451777]  do_syscall_64+0x1e8/0x640
[ 50.455664]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 50.460837]
[ 50.462446] Freed by task 7453:
[ 50.465715]  save_stack_trace+0x16/0x20
[ 50.469681]  save_stack+0x45/0xd0
[ 50.473184]  kasan_slab_free+0x75/0xc0
[ 50.477059]  kfree+0xcc/0x270
[ 50.480149]  ipvlan_port_destroy+0x285/0x400
[ 50.484550]  ipvlan_uninit+0xc1/0xf0
[ 50.488257]  register_netdevice+0x79b/0xcd0
[ 50.492563]  ipvlan_link_new+0x49f/0xfe0
[ 50.496626]  rtnl_newlink+0xecb/0x1700
[ 50.500600]  rtnetlink_rcv_msg+0x3da/0xb70
[ 50.504837]  netlink_rcv_skb+0x14f/0x3c0
[ 50.508930]  rtnetlink_rcv+0x1d/0x30
[ 50.512635]  netlink_unicast+0x44d/0x650
[ 50.516681]  netlink_sendmsg+0x7c4/0xc60
[ 50.520728]  sock_sendmsg+0xce/0x110
[ 50.524428]  ___sys_sendmsg+0x70a/0x840
[ 50.528397]  __sys_sendmsg+0xb9/0x140
[ 50.532193]  SyS_sendmsg+0x2d/0x50
[ 50.535745]  do_syscall_64+0x1e8/0x640
[ 50.539628]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 50.544799]
[ 50.546461] The buggy address belongs to the object at ffff8880984d6740
[ 50.546461]  which belongs to the cache kmalloc-4096 of size 4096
[ 50.559281] The buggy address is located 2248 bytes inside of
[ 50.559281]  4096-byte region [ffff8880984d6740, ffff8880984d7740)
[ 50.571317] The buggy address belongs to the page:
[ 50.576314] page:ffffea0002613580 count:1 mapcount:0 mapping:ffff8880984d6740 index:0x0 compound_mapcount: 0
[ 50.586287] flags: 0xfffe0000008100(slab|head)
[ 50.591130] raw: 00fffe0000008100 ffff8880984d6740 0000000000000000 0000000100000001
[ 50.599010] raw: ffffea0002613520 ffff8880aa801a48 ffff8880aa800dc0 0000000000000000
[ 50.606883] page dumped because: kasan: bad access detected
[ 50.612579]
[ 50.614196] Memory state around the buggy address:
[ 50.619116]  ffff8880984d6f00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 50.626511]  ffff8880984d6f80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 50.633882] >ffff8880984d7000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 50.641224]                                            ^
[ 50.644879]  ffff8880984d7080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 50.652227]  ffff8880984d7100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 50.660030] ==================================================================
[ 50.667380] Disabling lock debugging due to kernel taint
[ 50.672885] Kernel panic - not syncing: panic_on_warn set ...
[ 50.672885]
[ 50.680234] CPU: 0 PID: 7453 Comm: syz-executor689 Tainted: G B 4.14.169-syzkaller #0
[ 50.689313] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 50.698653] Call Trace:
[ 50.701275]  dump_stack+0x142/0x197
[ 50.704894]  ? radix_tree_next_chunk+0x953/0x9a0
[ 50.709644]  panic+0x1f9/0x42d
[ 50.712912]  ? add_taint.cold+0x16/0x16
[ 50.716888]  ? lock_downgrade+0x740/0x740
[ 50.721111]  kasan_end_report+0x47/0x4f
[ 50.725243]  kasan_report.cold+0x130/0x2af
[ 50.729471]  __asan_report_load8_noabort+0x14/0x20
[ 50.734442]  radix_tree_next_chunk+0x953/0x9a0
[ 50.739113]  ida_remove+0xaa/0x230
[ 50.742688]  ? ida_destroy+0x1e0/0x1e0
[ 50.746556]  ? ida_simple_remove+0x2b/0x60
[ 50.750789]  ida_simple_remove+0x39/0x60
[ 50.754847]  ipvlan_link_new+0x515/0xfe0
[ 50.758887]  ? rtnl_create_link+0x12c/0x880
[ 50.763193]  rtnl_newlink+0xecb/0x1700
[ 50.767061]  ? ipvlan_port_destroy+0x400/0x400
[ 50.771621]  ? rtnl_link_unregister+0x200/0x200
[ 50.776288]  ? avc_has_perm_noaudit+0x2b2/0x420
[ 50.780948]  ? lock_acquire+0x16f/0x430
[ 50.785260]  ? rtnetlink_rcv_msg+0x339/0xb70
[ 50.789663]  ? rtnl_link_unregister+0x200/0x200
[ 50.794311]  rtnetlink_rcv_msg+0x3da/0xb70
[ 50.798525]  ? rtnl_bridge_getlink+0x7a0/0x7a0
[ 50.803085]  ? netlink_deliver_tap+0x93/0x8f0
[ 50.807557]  netlink_rcv_skb+0x14f/0x3c0
[ 50.811598]  ? rtnl_bridge_getlink+0x7a0/0x7a0
[ 50.816161]  ? lock_downgrade+0x740/0x740
[ 50.820296]  ? netlink_ack+0x9a0/0x9a0
[ 50.824166]  ? netlink_deliver_tap+0xba/0x8f0
[ 50.828654]  rtnetlink_rcv+0x1d/0x30
[ 50.832345]  netlink_unicast+0x44d/0x650
[ 50.836382]  ? netlink_attachskb+0x6a0/0x6a0
[ 50.840771]  ? security_netlink_send+0x81/0xb0
[ 50.845330]  netlink_sendmsg+0x7c4/0xc60
[ 50.849369]  ? netlink_unicast+0x650/0x650
[ 50.853584]  ? security_socket_sendmsg+0x89/0xb0
[ 50.858332]  ? netlink_unicast+0x650/0x650
[ 50.862553]  sock_sendmsg+0xce/0x110
[ 50.866258]  ___sys_sendmsg+0x70a/0x840
[ 50.870261]  ? copy_msghdr_from_user+0x3f0/0x3f0
[ 50.875030]  ? __might_fault+0x110/0x1d0
[ 50.879093]  ? find_held_lock+0x35/0x130
[ 50.883131]  ? __might_fault+0x110/0x1d0
[ 50.887171]  ? lock_downgrade+0x740/0x740
[ 50.891300]  ? kasan_check_read+0x11/0x20
[ 50.895425]  ? _copy_to_user+0x87/0xd0
[ 50.899288]  ? move_addr_to_user+0x94/0x1a0
[ 50.903649]  ? __fget_light+0x172/0x1f0
[ 50.907645]  ? __fdget+0x1b/0x20
[ 50.911012]  ? sockfd_lookup_light+0xb4/0x160
[ 50.915499]  __sys_sendmsg+0xb9/0x140
[ 50.919282]  ? SyS_shutdown+0x170/0x170
[ 50.923240]  ? fd_install+0x4d/0x60
[ 50.926901]  SyS_sendmsg+0x2d/0x50
[ 50.930432]  ? __sys_sendmsg+0x140/0x140
[ 50.934480]  do_syscall_64+0x1e8/0x640
[ 50.938350]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 50.943179]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 50.948348] RIP: 0033:0x441809
[ 50.951519] RSP: 002b:00007fffc9f50178 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
[ 50.959209] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000000441809
[ 50.966466] RDX: 0000000000000000 RSI: 0000000020000140 RDI: 0000000000000004
[ 50.973716] RBP: 000000000000c360 R08: 0000000100000000 R09: 0000000100000000
[ 50.981798] R10: 0000000100000000 R11: 0000000000000246 R12: 00000000004026d0
[ 50.989102] R13: 0000000000402760 R14: 0000000000000000 R15: 0000000000000000
[ 50.997657] Kernel Offset: disabled
[ 51.001334] Rebooting in 86400 seconds..
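Triage helper for the report above, added here as an example; it is not kernel or syzkaller code. It strips the console timestamps, separates the "Call Trace:", "Allocated by task" and "Freed by task" stacks (dropping the `?` frames the unwinder marks as unreliable), recomputes the object offset from the raw addresses to confirm the report's "2248 bytes inside of" the 4096-byte kmalloc-4096 object, and then finds the frame shared by the free stack and the faulting stack together with what that frame called on each occasion. The sample input is a constructed, abridged copy of the KASAN block from the log; the function names, regexes and the output keys are this example's own.

```python
"""Triage helper for the KASAN report above (added example, not kernel or syzkaller code):
strips console timestamps, collects the use/alloc/free stacks, cross-checks the stated
object offset, and names the frame that both freed the object and later touched it."""
import re

# Constructed sample: the KASAN block from the log above, abridged to the lines the
# parser needs.  One '?' (unreliable) frame is kept to show that it is discarded.
SAMPLE_REPORT = """\
[ 50.060144] BUG: KASAN: use-after-free in radix_tree_next_chunk+0x953/0x9a0
[ 50.067288] Read of size 8 at addr ffff8880984d7008 by task syz-executor689/7453
[ 50.093870] Call Trace:
[ 50.100087]  ? radix_tree_next_chunk+0x953/0x9a0
[ 50.119150]  __asan_report_load8_noabort+0x14/0x20
[ 50.124068]  radix_tree_next_chunk+0x953/0x9a0
[ 50.128656]  ida_remove+0xaa/0x230
[ 50.140369]  ida_simple_remove+0x39/0x60
[ 50.144423]  ipvlan_link_new+0x515/0xfe0
[ 50.152903]  rtnl_newlink+0xecb/0x1700
[ 50.387564]
[ 50.389183] Allocated by task 7453:
[ 50.408607]  ipvlan_link_new+0x657/0xfe0
[ 50.412700]  rtnl_newlink+0xecb/0x1700
[ 50.460837]
[ 50.462446] Freed by task 7453:
[ 50.473184]  kasan_slab_free+0x75/0xc0
[ 50.477059]  kfree+0xcc/0x270
[ 50.480149]  ipvlan_port_destroy+0x285/0x400
[ 50.484550]  ipvlan_uninit+0xc1/0xf0
[ 50.488257]  register_netdevice+0x79b/0xcd0
[ 50.492563]  ipvlan_link_new+0x49f/0xfe0
[ 50.496626]  rtnl_newlink+0xecb/0x1700
[ 50.544799]
[ 50.546461] The buggy address belongs to the object at ffff8880984d6740
[ 50.546461]  which belongs to the cache kmalloc-4096 of size 4096
[ 50.559281] The buggy address is located 2248 bytes inside of
[ 50.559281]  4096-byte region [ffff8880984d6740, ffff8880984d7740)
"""

TS = re.compile(r"^\[\s*\d+\.\d+\]\s?")                                   # console timestamp
FRAME = re.compile(r"^(?P<unreliable>\? )?(?P<func>[\w.]+)\+0x[0-9a-f]+/0x[0-9a-f]+$")
BUG = re.compile(r"BUG: KASAN: (?P<kind>[\w-]+) in (?P<func>[\w.]+)\+0x")
ACCESS = re.compile(r"(?P<rw>Read|Write) of size (?P<size>\d+) at addr (?P<addr>[0-9a-f]+)"
                    r" by task (?P<task>\S+)/(?P<pid>\d+)")
OBJECT = re.compile(r"object at (?P<base>[0-9a-f]+)")
CACHE = re.compile(r"cache (?P<cache>\S+) of size (?P<size>\d+)")
LOCATED = re.compile(r"located (?P<off>\d+) bytes inside of")


def parse_kasan(text):
    """Return the report's headline facts plus the use, alloc and free stacks."""
    r = {"stacks": {"use": [], "alloc": [], "free": []}}
    section = None
    for raw in text.splitlines():
        line = TS.sub("", raw).strip()
        if not line:                                  # a blank line ends a stack
            section = None
        elif m := BUG.search(line):
            r["kind"], r["func"] = m["kind"], m["func"]
        elif m := ACCESS.search(line):
            r.update(rw=m["rw"], size=int(m["size"]), addr=int(m["addr"], 16),
                     task=m["task"], pid=int(m["pid"]))
        elif line == "Call Trace:" and not r["stacks"]["use"]:
            section = "use"                           # the later panic trace repeats it
        elif line.startswith("Allocated by task"):
            section = "alloc"
        elif line.startswith("Freed by task"):
            section = "free"
        elif m := OBJECT.search(line):
            r["obj_base"] = int(m["base"], 16)
        elif m := CACHE.search(line):
            r["cache"], r["obj_size"] = m["cache"], int(m["size"])
        elif m := LOCATED.search(line):
            r["stated_off"] = int(m["off"])
        elif section and (m := FRAME.match(line)) and not m["unreliable"]:
            r["stacks"][section].append(m["func"])
    return r


def lifecycle_owner(stacks):
    """First use-stack frame that also freed the object, plus what it called each time."""
    free, use = stacks["free"], stacks["use"]
    for i, fn in enumerate(use):
        if fn in free and i > 0:
            j = free.index(fn)
            return fn, (free[j - 1] if j else None), use[i - 1]
    return None, None, None


def summarize(text):
    """Parse the report and cross-check the stated offset against the raw addresses."""
    r = parse_kasan(text)
    off = r["addr"] - r["obj_base"]
    owner, freed_via, used_via = lifecycle_owner(r["stacks"])
    return {"kind": r["kind"], "access": f'{r["rw"]} of {r["size"]} bytes in {r["func"]}',
            "task": f'{r["task"]}/{r["pid"]}', "cache": r["cache"], "offset": off,
            "offset_matches_report": off == r.get("stated_off"),
            "inside_object": 0 <= off < r["obj_size"],
            "owner": owner, "freed_via": freed_via, "used_via": used_via}


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_REPORT).items():
        print(f"{key:>22}: {value}")
```

On this report the helper reports `ipvlan_link_new` as the owner, `register_netdevice` as the path that freed the object (through `ipvlan_uninit` and `ipvlan_port_destroy` down to `kfree`) and `ida_simple_remove` as the call that read 8 bytes 2248 bytes into the freed 4096-byte object. That is the fact a triager wants before opening the driver source: the same function both tore the port down via the register failure path and then touched it again in its own error handling, all within one `sendmsg` on the rtnetlink socket from the unprivileged-looking `syz-executor689` task.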