[ 34.793585] audit: type=1800 audit(1569308220.874:34): pid=6923 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:kernel_t:s0 op="collect_data" cause="failed(directio)" comm="startpar" name="rmnologin" dev="sda1" ino=2456 res=0
.
Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [ 39.130723] random: sshd: uninitialized urandom read (32 bytes read)
[ 39.439034] audit: type=1400 audit(1569308225.544:35): avc: denied { map } for pid=7097 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
[ 39.495062] random: sshd: uninitialized urandom read (32 bytes read)
[ 40.055368] random: sshd: uninitialized urandom read (32 bytes read)
[ 972.464361] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.0.139' (ECDSA) to the list of known hosts.
[ 977.969893] random: sshd: uninitialized urandom read (32 bytes read)
2019/09/24 07:12:44 parsed 1 programs
[ 978.155155] audit: type=1400 audit(1569309164.264:36): avc: denied { map } for pid=7109 comm="syz-execprog" path="/root/syz-execprog" dev="sda1" ino=16481 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
[ 978.214457] audit: type=1400 audit(1569309164.324:37): avc: denied { map } for pid=7109 comm="syz-execprog" path="/sys/kernel/debug/kcov" dev="debugfs" ino=54 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:debugfs_t:s0 tclass=file permissive=1
[ 978.845830] random: cc1: uninitialized urandom read (8 bytes read)
2019/09/24 07:12:45 executed programs: 0
[ 979.514648] audit: type=1400 audit(1569309165.624:38): avc: denied { map } for pid=7109 comm="syz-execprog" path="/root/syzkaller-shm432277684" dev="sda1" ino=16483 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:file_t:s0 tclass=file permissive=1
[ 979.801704] IPVS: ftp: loaded support on port[0] = 21
[ 980.607718] chnl_net:caif_netlink_parms(): no params data found
[ 980.637707] bridge0: port 1(bridge_slave_0) entered blocking state
[ 980.644699] bridge0: port 1(bridge_slave_0) entered disabled state
[ 980.651770] device bridge_slave_0 entered promiscuous mode
[ 980.658561] bridge0: port 2(bridge_slave_1) entered blocking state
[ 980.665141] bridge0: port 2(bridge_slave_1) entered disabled state
[ 980.671973] device bridge_slave_1 entered promiscuous mode
[ 980.686621] bond0: Enslaving bond_slave_0 as an active interface with an up link
[ 980.695447] bond0: Enslaving bond_slave_1 as an active interface with an up link
[ 980.710236] IPv6: ADDRCONF(NETDEV_UP): team_slave_0: link is not ready
[ 980.717362] team0: Port device team_slave_0 added
[ 980.723187] IPv6: ADDRCONF(NETDEV_UP): team_slave_1: link is not ready
[ 980.730324] team0: Port device team_slave_1 added
[ 980.735468] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_0: link is not ready
[ 980.742751] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_1: link is not ready
[ 980.792112] device hsr_slave_0 entered promiscuous mode
[ 980.840278] device hsr_slave_1 entered promiscuous mode
[ 980.880482] IPv6: ADDRCONF(NETDEV_UP): hsr_slave_0: link is not ready
[ 980.887346] IPv6: ADDRCONF(NETDEV_UP): hsr_slave_1: link is not ready
[ 980.899667] bridge0: port 2(bridge_slave_1) entered blocking state
[ 980.906101] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 980.913009] bridge0: port 1(bridge_slave_0) entered blocking state
[ 980.919352] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 980.946084] IPv6: ADDRCONF(NETDEV_UP): bond0: link is not ready
[ 980.953738] 8021q: adding VLAN 0 to HW filter on device bond0
[ 980.961766] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
[ 980.969506] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 980.988973] bridge0: port 1(bridge_slave_0) entered disabled state
[ 980.996326] bridge0: port 2(bridge_slave_1) entered disabled state
[ 981.006261] IPv6: ADDRCONF(NETDEV_UP): team0: link is not ready
[ 981.012816] 8021q: adding VLAN 0 to HW filter on device team0
[ 981.020875] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[ 981.028427] bridge0: port 1(bridge_slave_0) entered blocking state
[ 981.034835] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 981.043534] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[ 981.051269] bridge0: port 2(bridge_slave_1) entered blocking state
[ 981.057711] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 981.075052] hsr0: Slave A (hsr_slave_0) is not up; please bring it up to get a fully working HSR network
[ 981.085119] hsr0: Slave B (hsr_slave_1) is not up; please bring it up to get a fully working HSR network
[ 981.095759] IPv6: ADDRCONF(NETDEV_UP): hsr0: link is not ready
[ 981.103676] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready
[ 981.111397] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready
[ 981.118779] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
[ 981.126768] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
[ 981.134310] IPv6: ADDRCONF(NETDEV_CHANGE): hsr0: link becomes ready
[ 981.141087] IPv6: ADDRCONF(NETDEV_CHANGE): team0: link becomes ready
[ 981.152154] IPv6: ADDRCONF(NETDEV_UP): vxcan1: link is not ready
[ 981.162000] 8021q: adding VLAN 0 to HW filter on device batadv0
[ 981.600847] IPv6: ADDRCONF(NETDEV_CHANGE): bond0: link becomes ready
[ 982.640867] Bluetooth: Error in BCSP hdr checksum
[ 982.900582] Bluetooth: Error in BCSP hdr checksum
[ 984.390788] Bluetooth: hci0 command 0x1003 tx timeout
[ 984.396430] Bluetooth: hci0 sending frame failed (-49)
[ 986.470240] Bluetooth: hci0 command 0x1001 tx timeout
[ 986.475677] Bluetooth: hci0 sending frame failed (-49)
[ 988.550159] Bluetooth: hci0 command 0x1009 tx timeout
[ 992.474702] ==================================================================
[ 992.482476] BUG: KASAN: use-after-free in kfree_skb+0x2e9/0x340
[ 992.488529] Read of size 4 at addr ffff88807dc1e8e4 by task syz-executor.0/7143
[ 992.495956]
[ 992.497583] CPU: 1 PID: 7143 Comm: syz-executor.0 Not tainted 4.14.146 #0
[ 992.504498] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 992.513886] Call Trace:
[ 992.516559] dump_stack+0x138/0x197
[ 992.520196] ? kfree_skb+0x2e9/0x340
[ 992.523972] print_address_description.cold+0x7c/0x1dc
[ 992.529248] ? kfree_skb+0x2e9/0x340
[ 992.532957] kasan_report.cold+0xa9/0x2af
[ 992.537106] __asan_report_load4_noabort+0x14/0x20
[ 992.542021] kfree_skb+0x2e9/0x340
[ 992.545619] bcsp_close+0xc7/0x130
[ 992.549141] hci_uart_tty_close+0x1cb/0x230
[ 992.553443] ? hci_uart_close+0x50/0x50
[ 992.557460] tty_ldisc_close.isra.0+0x99/0xd0
[ 992.561958] tty_ldisc_kill+0x4b/0xc0
[ 992.565761] tty_ldisc_release+0xb6/0x230
[ 992.569918] tty_release_struct+0x1b/0x50
[ 992.574048] tty_release+0xaa3/0xd60
[ 992.577766] ? put_tty_driver+0x20/0x20
[ 992.581777] __fput+0x275/0x7a0
[ 992.585062] ____fput+0x16/0x20
[ 992.588374] task_work_run+0x114/0x190
[ 992.592273] exit_to_usermode_loop+0x1da/0x220
[ 992.596863] do_syscall_64+0x4bc/0x640
[ 992.600819] ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 992.605698] entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 992.610870] RIP: 0033:0x4136f1
[ 992.614071] RSP: 002b:00007ffe8da89530 EFLAGS: 00000293 ORIG_RAX: 0000000000000003
[ 992.621761] RAX: 0000000000000000 RBX: 0000000000000005 RCX: 00000000004136f1
[ 992.629010] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000004
[ 992.636270] RBP: 0000000000000001 R08: ffffffffffffffff R09: ffffffffffffffff
[ 992.643670] R10: 00007ffe8da89610 R11: 0000000000000293 R12: 000000000075c9a0
[ 992.650942] R13: 000000000075c9a0 R14: 00000000007603c0 R15: 000000000075bfd4
[ 992.658214]
[ 992.659825] Allocated by task 2269:
[ 992.663469] save_stack_trace+0x16/0x20
[ 992.667423] save_stack+0x45/0xd0
[ 992.670858] kasan_kmalloc+0xce/0xf0
[ 992.674549] kasan_slab_alloc+0xf/0x20
[ 992.678456] kmem_cache_alloc_node+0x144/0x780
[ 992.683036] __alloc_skb+0x9c/0x500
[ 992.686651] bcsp_recv+0x38a/0x1450
[ 992.690259] hci_uart_tty_receive+0x1f4/0x4d0
[ 992.694746] tty_ldisc_receive_buf+0x14d/0x1a0
[ 992.699316] tty_port_default_receive_buf+0x73/0xa0
[ 992.704313] flush_to_ldisc+0x1ec/0x400
[ 992.708269] process_one_work+0x863/0x1600
[ 992.712584] worker_thread+0x5d9/0x1050
[ 992.716550] kthread+0x319/0x430
[ 992.719903] ret_from_fork+0x24/0x30
[ 992.723598]
[ 992.725213] Freed by task 2269:
[ 992.728471] save_stack_trace+0x16/0x20
[ 992.732508] save_stack+0x45/0xd0
[ 992.735939] kasan_slab_free+0x75/0xc0
[ 992.739803] kmem_cache_free+0x83/0x2b0
[ 992.743757] kfree_skbmem+0xac/0x120
[ 992.747458] kfree_skb+0xbd/0x340
[ 992.750892] bcsp_recv+0x28c/0x1450
[ 992.754497] hci_uart_tty_receive+0x1f4/0x4d0
[ 992.758971] tty_ldisc_receive_buf+0x14d/0x1a0
[ 992.763532] tty_port_default_receive_buf+0x73/0xa0
[ 992.768525] flush_to_ldisc+0x1ec/0x400
[ 992.772493] process_one_work+0x863/0x1600
[ 992.776712] worker_thread+0x5d9/0x1050
[ 992.781017] kthread+0x319/0x430
[ 992.784367] ret_from_fork+0x24/0x30
[ 992.788056]
[ 992.789664] The buggy address belongs to the object at ffff88807dc1e800
[ 992.789664] which belongs to the cache skbuff_head_cache of size 232
[ 992.802842] The buggy address is located 228 bytes inside of
[ 992.802842] 232-byte region [ffff88807dc1e800, ffff88807dc1e8e8)
[ 992.814783] The buggy address belongs to the page:
[ 992.819691] page:ffffea0001f70780 count:1 mapcount:0 mapping:ffff88807dc1e080 index:0x0
[ 992.827813] flags: 0x1fffc0000000100(slab)
[ 992.832029] raw: 01fffc0000000100 ffff88807dc1e080 0000000000000000 000000010000000c
[ 992.839889] raw: ffffea0002785560 ffffea0001f305a0 ffff8880a9e1aa80 0000000000000000
[ 992.847746] page dumped because: kasan: bad access detected
[ 992.853443]
[ 992.855082] Memory state around the buggy address:
[ 992.860010] ffff88807dc1e780: fb fb fb fb fb fc fc fc fc fc fc fc fc fc fc fc
[ 992.867372] ffff88807dc1e800: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 992.874712] >ffff88807dc1e880: fb fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc
[ 992.882049] ^
[ 992.888606] ffff88807dc1e900: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
[ 992.895955] ffff88807dc1e980: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 992.903305] ==================================================================
[ 992.910653] Disabling lock debugging due to kernel taint
[ 992.916171] Kernel panic - not syncing: panic_on_warn set ...
[ 992.916171]
[ 992.923529] CPU: 1 PID: 7143 Comm: syz-executor.0 Tainted: G B 4.14.146 #0
[ 992.931653] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 992.940987] Call Trace:
[ 992.943557] dump_stack+0x138/0x197
[ 992.947166] ? kfree_skb+0x2e9/0x340
[ 992.950924] panic+0x1f2/0x426
[ 992.954096] ? add_taint.cold+0x16/0x16
[ 992.958061] ? ___preempt_schedule+0x16/0x18
[ 992.962713] kasan_end_report+0x47/0x4f
[ 992.966908] kasan_report.cold+0x130/0x2af
[ 992.971251] __asan_report_load4_noabort+0x14/0x20
[ 992.976171] kfree_skb+0x2e9/0x340
[ 992.979700] bcsp_close+0xc7/0x130
[ 992.983242] hci_uart_tty_close+0x1cb/0x230
[ 992.988075] ? hci_uart_close+0x50/0x50
[ 992.992033] tty_ldisc_close.isra.0+0x99/0xd0
[ 992.996516] tty_ldisc_kill+0x4b/0xc0
[ 993.000643] tty_ldisc_release+0xb6/0x230
[ 993.004772] tty_release_struct+0x1b/0x50
[ 993.008912] tty_release+0xaa3/0xd60
[ 993.012608] ? put_tty_driver+0x20/0x20
[ 993.016621] __fput+0x275/0x7a0
[ 993.019906] ____fput+0x16/0x20
[ 993.023168] task_work_run+0x114/0x190
[ 993.027038] exit_to_usermode_loop+0x1da/0x220
[ 993.031700] do_syscall_64+0x4bc/0x640
[ 993.035563] ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 993.040399] entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 993.045570] RIP: 0033:0x4136f1
[ 993.048738] RSP: 002b:00007ffe8da89530 EFLAGS: 00000293 ORIG_RAX: 0000000000000003
[ 993.056477] RAX: 0000000000000000 RBX: 0000000000000005 RCX: 00000000004136f1
[ 993.063763] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000004
[ 993.071019] RBP: 0000000000000001 R08: ffffffffffffffff R09: ffffffffffffffff
[ 993.078327] R10: 00007ffe8da89610 R11: 0000000000000293 R12: 000000000075c9a0
[ 993.085585] R13: 000000000075c9a0 R14: 00000000007603c0 R15: 000000000075bfd4
[ 993.094392] Kernel Offset: disabled
[ 993.098127] Rebooting in 86400 seconds..