[ 37.379666] audit: type=1800 audit(1585801098.586:33): pid=7298 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:kernel_t:s0 op="collect_data" cause="failed(directio)" comm="startpar" name="rc.local" dev="sda1" ino=2465 res=0
[ 37.402256] audit: type=1800 audit(1585801098.616:34): pid=7298 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:kernel_t:s0 op="collect_data" cause="failed(directio)" comm="startpar" name="rmnologin" dev="sda1" ino=2456 res=0
[ 37.775075] audit: type=1400 audit(1585801098.986:35): avc: denied { map } for pid=7469 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
[ 37.820967] random: sshd: uninitialized urandom read (32 bytes read)
[ 38.577817] random: sshd: uninitialized urandom read (32 bytes read)
Debian GNU/Linux 7 syzkaller ttyS0
syzkaller login: [ 114.558320] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.0.16' (ECDSA) to the list of known hosts.
[ 119.996905] random: sshd: uninitialized urandom read (32 bytes read)
[ 120.203101] audit: type=1400 audit(1585801181.416:36): avc: denied { map } for pid=7481 comm="syz-execprog" path="/root/syz-execprog" dev="sda1" ino=16481 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
2020/04/02 04:19:41 parsed 1 programs
[ 121.166768] random: cc1: uninitialized urandom read (8 bytes read)
2020/04/02 04:19:43 executed programs: 0
[ 122.525738] audit: type=1400 audit(1585801183.726:37): avc: denied { map } for pid=7481 comm="syz-execprog" path="/sys/kernel/debug/kcov" dev="debugfs" ino=15709 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:debugfs_t:s0 tclass=file permissive=1
[ 122.552458] audit: type=1400 audit(1585801183.766:38): avc: denied { map } for pid=7481 comm="syz-execprog" path="/root/syzkaller-shm382942738" dev="sda1" ino=2233 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:file_t:s0 tclass=file permissive=1
[ 122.821079] IPVS: ftp: loaded support on port[0] = 21
[ 123.620974] chnl_net:caif_netlink_parms(): no params data found
[ 123.668515] bridge0: port 1(bridge_slave_0) entered blocking state
[ 123.675385] bridge0: port 1(bridge_slave_0) entered disabled state
[ 123.683112] device bridge_slave_0 entered promiscuous mode
[ 123.690377] bridge0: port 2(bridge_slave_1) entered blocking state
[ 123.696803] bridge0: port 2(bridge_slave_1) entered disabled state
[ 123.703858] device bridge_slave_1 entered promiscuous mode
[ 123.719368] bond0: Enslaving bond_slave_0 as an active interface with an up link
[ 123.728239] bond0: Enslaving bond_slave_1 as an active interface with an up link
[ 123.745075] IPv6: ADDRCONF(NETDEV_UP): team_slave_0: link is not ready
[ 123.752440] team0: Port device team_slave_0 added
[ 123.758064] IPv6: ADDRCONF(NETDEV_UP): team_slave_1: link is not ready
[ 123.765386] team0: Port device team_slave_1 added
[ 123.779323] batman_adv: batadv0: Adding interface: batadv_slave_0
[ 123.786055] batman_adv: batadv0: The MTU of interface batadv_slave_0 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem.
[ 123.812354] batman_adv: batadv0: Not using interface batadv_slave_0 (retrying later): interface not active
[ 123.824105] batman_adv: batadv0: Adding interface: batadv_slave_1
[ 123.830423] batman_adv: batadv0: The MTU of interface batadv_slave_1 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem.
[ 123.857231] batman_adv: batadv0: Not using interface batadv_slave_1 (retrying later): interface not active
[ 123.868515] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_0: link is not ready
[ 123.876077] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_1: link is not ready
[ 123.932098] device hsr_slave_0 entered promiscuous mode
[ 124.000417] device hsr_slave_1 entered promiscuous mode
[ 124.041479] IPv6: ADDRCONF(NETDEV_UP): hsr_slave_0: link is not ready
[ 124.048670] IPv6: ADDRCONF(NETDEV_UP): hsr_slave_1: link is not ready
[ 124.099360] audit: type=1400 audit(1585801185.306:39): avc: denied { create } for pid=7498 comm="syz-executor.0" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_generic_socket permissive=1
[ 124.119407] bridge0: port 2(bridge_slave_1) entered blocking state
[ 124.124094] audit: type=1400 audit(1585801185.306:40): avc: denied { write } for pid=7498 comm="syz-executor.0" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_generic_socket permissive=1
[ 124.129708] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 124.155123] audit: type=1400 audit(1585801185.306:41): avc: denied { read } for pid=7498 comm="syz-executor.0" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_generic_socket permissive=1
[ 124.160395] bridge0: port 1(bridge_slave_0) entered blocking state
[ 124.190189] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 124.223276] IPv6: ADDRCONF(NETDEV_UP): bond0: link is not ready
[ 124.229364] 8021q: adding VLAN 0 to HW filter on device bond0
[ 124.238863] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
[ 124.247267] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 124.266274] bridge0: port 1(bridge_slave_0) entered disabled state
[ 124.273479] bridge0: port 2(bridge_slave_1) entered disabled state
[ 124.283594] IPv6: ADDRCONF(NETDEV_UP): team0: link is not ready
[ 124.289656] 8021q: adding VLAN 0 to HW filter on device team0
[ 124.298306] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[ 124.306462] bridge0: port 1(bridge_slave_0) entered blocking state
[ 124.312890] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 124.322457] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[ 124.330735] bridge0: port 2(bridge_slave_1) entered blocking state
[ 124.337082] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 124.352290] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready
[ 124.360326] IPv6: ADDRCONF(NETDEV_CHANGE): team0: link becomes ready
[ 124.369472] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready
[ 124.383943] hsr0: Slave A (hsr_slave_0) is not up; please bring it up to get a fully working HSR network
[ 124.394808] hsr0: Slave B (hsr_slave_1) is not up; please bring it up to get a fully working HSR network
[ 124.405374] IPv6: ADDRCONF(NETDEV_UP): hsr0: link is not ready
[ 124.412859] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
[ 124.420912] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
[ 124.428389] IPv6: ADDRCONF(NETDEV_CHANGE): hsr0: link becomes ready
[ 124.439974] IPv6: ADDRCONF(NETDEV_UP): vxcan0: link is not ready
[ 124.448400] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan0: link becomes ready
[ 124.455882] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan1: link becomes ready
[ 124.466132] 8021q: adding VLAN 0 to HW filter on device batadv0
[ 124.526633] IPv6: ADDRCONF(NETDEV_UP): veth0_virt_wifi: link is not ready
[ 124.539349] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_virt_wifi: link becomes ready
[ 124.574975] IPv6: ADDRCONF(NETDEV_UP): veth0_vlan: link is not ready
[ 124.582433] IPv6: ADDRCONF(NETDEV_UP): vlan0: link is not ready
[ 124.588869] IPv6: ADDRCONF(NETDEV_UP): vlan1: link is not ready
[ 124.598033] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_vlan: link becomes ready
[ 124.606139] IPv6: ADDRCONF(NETDEV_CHANGE): vlan0: link becomes ready
[ 124.613148] IPv6: ADDRCONF(NETDEV_CHANGE): vlan1: link becomes ready
[ 124.620458] IPv6: ADDRCONF(NETDEV_CHANGE): bond0: link becomes ready
[ 124.629072] device veth0_vlan entered promiscuous mode
[ 124.638254] device veth1_vlan entered promiscuous mode
[ 124.652999] IPv6: ADDRCONF(NETDEV_UP): veth0_macvtap: link is not ready
[ 124.662965] IPv6: ADDRCONF(NETDEV_UP): veth1_macvtap: link is not ready
[ 124.669861] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_macvtap: link becomes ready
[ 124.678355] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_macvtap: link becomes ready
[ 124.688038] device veth0_macvtap entered promiscuous mode
[ 124.694304] IPv6: ADDRCONF(NETDEV_UP): macvtap0: link is not ready
[ 124.703189] device veth1_macvtap entered promiscuous mode
[ 124.709208] IPv6: ADDRCONF(NETDEV_UP): macsec0: link is not ready
[ 124.718346] IPv6: ADDRCONF(NETDEV_UP): veth0_to_batadv: link is not ready
[ 124.727645] IPv6: ADDRCONF(NETDEV_UP): veth1_to_batadv: link is not ready
[ 124.737530] IPv6: ADDRCONF(NETDEV_UP): batadv_slave_0: link is not ready
[ 124.744871] batman_adv: batadv0: Interface activated: batadv_slave_0
[ 124.752447] IPv6: ADDRCONF(NETDEV_CHANGE): macvtap0: link becomes ready
[ 124.759638] IPv6: ADDRCONF(NETDEV_CHANGE): macsec0: link becomes ready
[ 124.766898] IPv6: ADDRCONF(NETDEV_CHANGE): batadv_slave_0: link becomes ready
[ 124.774774] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_batadv: link becomes ready
[ 124.786018] IPv6: ADDRCONF(NETDEV_UP): batadv_slave_1: link is not ready
[ 124.793096] batman_adv: batadv0: Interface activated: batadv_slave_1
[ 124.799670] IPv6: ADDRCONF(NETDEV_CHANGE): batadv_slave_1: link becomes ready
[ 124.807726] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_batadv: link becomes ready
[ 126.061491] l2tp_core: tunl 2: sockfd_lookup(fd=5) returned -9
[ 126.991621] l2tp_core: tunl 2: sockfd_lookup(fd=5) returned -9
[ 127.351777] l2tp_core: tunl 2: sockfd_lookup(fd=5) returned -9
2020/04/02 04:19:48 executed programs: 18
[ 128.171327] l2tp_core: tunl 2: sockfd_lookup(fd=5) returned -9
[ 128.531176] l2tp_core: tunl 2: sockfd_lookup(fd=5) returned -9
[ 128.751556] l2tp_core: tunl 2: sockfd_lookup(fd=5) returned -9
[ 130.711884] l2tp_core: tunl 2: sockfd_lookup(fd=5) returned -9
[ 132.071134] l2tp_core: tunl 2: sockfd_lookup(fd=5) returned -9
[ 132.501325] l2tp_core: tunl 2: sockfd_lookup(fd=5) returned -9
2020/04/02 04:19:53 executed programs: 73
[ 133.031191] l2tp_core: tunl 2: sockfd_lookup(fd=5) returned -9
[ 134.251735] NOHZ: local_softirq_pending 08
[ 134.371356] l2tp_core: tunl 2: sockfd_lookup(fd=5) returned -9
[ 134.791948] l2tp_core: tunl 2: sockfd_lookup(fd=5) returned -9
[ 135.741939] l2tp_core: tunl 2: sockfd_lookup(fd=5) returned -9
[ 137.131337] l2tp_core: tunl 2: sockfd_lookup(fd=5) returned -9
2020/04/02 04:19:58 executed programs: 126
[ 138.051269] l2tp_core: tunl 2: sockfd_lookup(fd=5) returned -9
[ 138.671501] l2tp_core: tunl 2: sockfd_lookup(fd=5) returned -9
[ 141.521610] l2tp_core: tunl 2: sockfd_lookup(fd=5) returned -9
[ 141.791181] l2tp_core: tunl 2: sockfd_lookup(fd=5) returned -9
2020/04/02 04:20:04 executed programs: 180
[ 142.941716] l2tp_core: tunl 2: sockfd_lookup(fd=5) returned -9
[ 143.281204] l2tp_core: tunl 2: sockfd_lookup(fd=5) returned -9
[ 144.401865] l2tp_core: tunl 2: sockfd_lookup(fd=5) returned -9
[ 144.601380] l2tp_core: tunl 2: sockfd_lookup(fd=5) returned -9
[ 145.021935] l2tp_core: tunl 2: sockfd_lookup(fd=5) returned -9
[ 146.282168] l2tp_core: tunl 2: sockfd_lookup(fd=5) returned -9
[ 147.181146] l2tp_core: tunl 2: sockfd_lookup(fd=5) returned -9
[ 147.461092] l2tp_core: tunl 2: sockfd_lookup(fd=5) returned -9
2020/04/02 04:20:09 executed programs: 236
[ 147.861239] l2tp_core: tunl 2: sockfd_lookup(fd=5) returned -9
[ 147.911168] l2tp_core: tunl 2: sockfd_lookup(fd=5) returned -9
[ 147.971243] l2tp_core: tunl 2: sockfd_lookup(fd=5) returned -9
[ 148.021732] l2tp_core: tunl 2: sockfd_lookup(fd=5) returned -9
[ 148.082123] l2tp_core: tunl 2: sockfd_lookup(fd=5) returned -9
[ 148.371345] l2tp_core: tunl 2: sockfd_lookup(fd=5) returned -9
[ 148.421446] l2tp_core: tunl 2: sockfd_lookup(fd=5) returned -9
[ 148.481230] l2tp_core: tunl 2: sockfd_lookup(fd=5) returned -9
[ 148.541268] l2tp_core: tunl 2: sockfd_lookup(fd=5) returned -9
[ 148.601767] l2tp_core: tunl 2: sockfd_lookup(fd=5) returned -9
[ 148.651453] l2tp_core: tunl 2: sockfd_lookup(fd=5) returned -9
[ 148.711495] l2tp_core: tunl 2: sockfd_lookup(fd=5) returned -9
[ 148.871424] l2tp_core: tunl 2: sockfd_lookup(fd=5) returned -9
[ 149.021133] l2tp_core: tunl 2: sockfd_lookup(fd=5) returned -9
[ 149.081436] l2tp_core: tunl 2: sockfd_lookup(fd=5) returned -9
[ 149.131713] l2tp_core: tunl 2: sockfd_lookup(fd=5) returned -9
[ 149.291886] l2tp_core: tunl 2: sockfd_lookup(fd=5) returned -9
[ 149.621533] l2tp_core: tunl 2: sockfd_lookup(fd=5) returned -9
[ 149.781174] l2tp_core: tunl 2: sockfd_lookup(fd=5) returned -9
[ 149.842084] l2tp_core: tunl 2: sockfd_lookup(fd=5) returned -9
[ 149.991492] l2tp_core: tunl 2: sockfd_lookup(fd=5) returned -9
[ 150.151176] l2tp_core: tunl 2: sockfd_lookup(fd=5) returned -9
[ 150.211254] l2tp_core: tunl 2: sockfd_lookup(fd=5) returned -9
[ 150.681179] l2tp_core: tunl 2: sockfd_lookup(fd=5) returned -9
[ 150.721705] l2tp_core: tunl 2: sockfd_lookup(fd=5) returned -9
[ 150.781501] l2tp_core: tunl 2: sockfd_lookup(fd=5) returned -9
[ 150.841255] l2tp_core: tunl 2: sockfd_lookup(fd=5) returned -9
[ 150.901119] l2tp_core: tunl 2: sockfd_lookup(fd=5) returned -9
[ 150.961359] l2tp_core: tunl 2: sockfd_lookup(fd=5) returned -9
[ 151.021457] l2tp_core: tunl 2: sockfd_lookup(fd=5) returned -9
[ 151.181141] l2tp_core: tunl 2: sockfd_lookup(fd=5) returned -9
[ 151.241268] l2tp_core: tunl 2: sockfd_lookup(fd=5) returned -9
[ 151.371237] l2tp_core: tunl 2: sockfd_lookup(fd=5) returned -9
[ 151.421395] l2tp_core: tunl 2: sockfd_lookup(fd=5) returned -9
[ 151.481325] l2tp_core: tunl 2: sockfd_lookup(fd=5) returned -9
[ 151.531353] l2tp_core: tunl 2: sockfd_lookup(fd=5) returned -9
[ 151.771244] l2tp_core: tunl 2: sockfd_lookup(fd=5) returned -9
[ 151.831931] l2tp_core: tunl 2: sockfd_lookup(fd=5) returned -9
[ 151.871202] l2tp_core: tunl 2: sockfd_lookup(fd=5) returned -9
[ 151.931267] l2tp_core: tunl 2: sockfd_lookup(fd=5) returned -9
[ 152.191233] l2tp_core: tunl 2: sockfd_lookup(fd=5) returned -9
[ 152.241271] l2tp_core: tunl 2: sockfd_lookup(fd=5) returned -9
[ 152.301188] l2tp_core: tunl 2: sockfd_lookup(fd=5) returned -9
[ 152.341733] l2tp_core: tunl 2: sockfd_lookup(fd=5) returned -9
[ 152.401784] l2tp_core: tunl 2: sockfd_lookup(fd=5) returned -9
[ 152.451616] l2tp_core: tunl 2: sockfd_lookup(fd=5) returned -9
[ 152.511208] l2tp_core: tunl 2: sockfd_lookup(fd=5) returned -9
[ 152.571177] l2tp_core: tunl 2: sockfd_lookup(fd=5) returned -9
[ 152.631389] l2tp_core: tunl 2: sockfd_lookup(fd=5) returned -9
[ 152.731336] l2tp_core: tunl 2: sockfd_lookup(fd=5) returned -9
[ 152.791142] l2tp_core: tunl 2: sockfd_lookup(fd=5) returned -9
2020/04/02 04:20:14 executed programs: 310
[ 152.851561] l2tp_core: tunl 2: sockfd_lookup(fd=5) returned -9
[ 152.901460] l2tp_core: tunl 2: sockfd_lookup(fd=5) returned -9
[ 152.961756] l2tp_core: tunl 2: sockfd_lookup(fd=5) returned -9
[ 153.021892] l2tp_core: tunl 2: sockfd_lookup(fd=5) returned -9
[ 153.061297] l2tp_core: tunl 2: sockfd_lookup(fd=5) returned -9
[ 153.121271] l2tp_core: tunl 2: sockfd_lookup(fd=5) returned -9
[ 153.171684] l2tp_core: tunl 2: sockfd_lookup(fd=5) returned -9
[ 153.331210] l2tp_core: tunl 2: sockfd_lookup(fd=5) returned -9
[ 153.381573] l2tp_core: tunl 2: sockfd_lookup(fd=5) returned -9
[ 153.431513] l2tp_core: tunl 2: sockfd_lookup(fd=5) returned -9
[ 153.491375] l2tp_core: tunl 2: sockfd_lookup(fd=5) returned -9
[ 153.551394] l2tp_core: tunl 2: sockfd_lookup(fd=5) returned -9
[ 153.731199] l2tp_core: tunl 2: sockfd_lookup(fd=5) returned -9
[ 153.861318] l2tp_core: tunl 2: sockfd_lookup(fd=5) returned -9
[ 153.911264] l2tp_core: tunl 2: sockfd_lookup(fd=5) returned -9
[ 153.961525] l2tp_core: tunl 2: sockfd_lookup(fd=5) returned -9
[ 154.331327] l2tp_core: tunl 2: sockfd_lookup(fd=5) returned -9
[ 154.391195] l2tp_core: tunl 2: sockfd_lookup(fd=5) returned -9
[ 154.451204] l2tp_core: tunl 2: sockfd_lookup(fd=5) returned -9
[ 154.511147] l2tp_core: tunl 2: sockfd_lookup(fd=5) returned -9
[ 154.642012] l2tp_core: tunl 2: sockfd_lookup(fd=5) returned -9
[ 154.781126] l2tp_core: tunl 2: sockfd_lookup(fd=5) returned -9
[ 154.941202] l2tp_core: tunl 2: sockfd_lookup(fd=5) returned -9
[ 155.001266] l2tp_core: tunl 2: sockfd_lookup(fd=5) returned -9
[ 155.042796] l2tp_core: tunl 2: sockfd_lookup(fd=5) returned -9
[ 155.361670] l2tp_core: tunl 2: sockfd_lookup(fd=5) returned -9
[ 155.421280] l2tp_core: tunl 2: sockfd_lookup(fd=5) returned -9
[ 155.471890] l2tp_core: tunl 2: sockfd_lookup(fd=5) returned -9
[ 155.631173] l2tp_core: tunl 2: sockfd_lookup(fd=5) returned -9
[ 155.871334] l2tp_core: tunl 2: sockfd_lookup(fd=5) returned -9
[ 156.001111] l2tp_core: tunl 2: sockfd_lookup(fd=5) returned -9
[ 156.371324] l2tp_core: tunl 2: sockfd_lookup(fd=5) returned -9
[ 156.421218] l2tp_core: tunl 2: sockfd_lookup(fd=5) returned -9
[ 156.572108] l2tp_core: tunl 2: sockfd_lookup(fd=5) returned -9
[ 156.631626] l2tp_core: tunl 2: sockfd_lookup(fd=5) returned -9
[ 156.681033] l2tp_core: tunl 2: sockfd_lookup(fd=5) returned -9
[ 156.821205] l2tp_core: tunl 2: sockfd_lookup(fd=5) returned -9
[ 156.871462] l2tp_core: tunl 2: sockfd_lookup(fd=5) returned -9
[ 157.021174] l2tp_core: tunl 2: sockfd_lookup(fd=5) returned -9
[ 157.122091] l2tp_core: tunl 2: sockfd_lookup(fd=5) returned -9
[ 157.171478] l2tp_core: tunl 2: sockfd_lookup(fd=5) returned -9
[ 157.321177] l2tp_core: tunl 2: sockfd_lookup(fd=5) returned -9
[ 157.361231] l2tp_core: tunl 2: sockfd_lookup(fd=5) returned -9
[ 157.391612] l2tp_core: tunl 2: sockfd_lookup(fd=5) returned -9
[ 157.441200] l2tp_core: tunl 2: sockfd_lookup(fd=5) returned -9
[ 157.581343] l2tp_core: tunl 2: sockfd_lookup(fd=5) returned -9
[ 157.631185] l2tp_core: tunl 2: sockfd_lookup(fd=5) returned -9
[ 157.681135] l2tp_core: tunl 2: sockfd_lookup(fd=5) returned -9
[ 157.741466] l2tp_core: tunl 2: sockfd_lookup(fd=5) returned -9
[ 157.781320] l2tp_core: tunl 2: sockfd_lookup(fd=5) returned -9
2020/04/02 04:20:19 executed programs: 385
[ 159.202134] l2tp_core: tunl 2: sockfd_lookup(fd=5) returned -9
[ 160.671546] l2tp_core: tunl 2: sockfd_lookup(fd=5) returned -9
[ 161.511313] l2tp_core: tunl 2: sockfd_lookup(fd=5) returned -9
[ 161.761188] l2tp_core: tunl 2: sockfd_lookup(fd=5) returned -9
2020/04/02 04:20:24 executed programs: 439
[ 162.891569] l2tp_core: tunl 2: sockfd_lookup(fd=5) returned -9
[ 163.881309] l2tp_core: tunl 2: sockfd_lookup(fd=5) returned -9
[ 166.521611] l2tp_core: tunl 2: sockfd_lookup(fd=5) returned -9
[ 166.722107] l2tp_core: tunl 2: sockfd_lookup(fd=5) returned -9
[ 167.171116] l2tp_core: tunl 2: sockfd_lookup(fd=5) returned -9
[ 167.391470] l2tp_core: tunl 2: sockfd_lookup(fd=5) returned -9
[ 167.571316] l2tp_core: tunl 2: sockfd_lookup(fd=5) returned -9
[ 167.831894] l2tp_core: tunl 2: sockfd_lookup(fd=5) returned -9
[ 167.871590] l2tp_core: tunl 2: sockfd_lookup(fd=5) returned -9
2020/04/02 04:20:29 executed programs: 497
[ 168.031340] l2tp_core: tunl 2: sockfd_lookup(fd=5) returned -9
[ 168.081255] l2tp_core: tunl 2: sockfd_lookup(fd=5) returned -9
[ 168.141490] l2tp_core: tunl 2: sockfd_lookup(fd=5) returned -9
[ 168.221469] l2tp_core: tunl 2: sockfd_lookup(fd=5) returned -9
[ 168.371307] l2tp_core: tunl 2: sockfd_lookup(fd=5) returned -9
[ 169.031269] l2tp_core: tunl 2: sockfd_lookup(fd=5) returned -9
[ 169.181208] l2tp_core: tunl 2: sockfd_lookup(fd=5) returned -9
[ 169.281748] l2tp_core: tunl 2: sockfd_lookup(fd=5) returned -9
[ 169.451314] l2tp_core: tunl 2: sockfd_lookup(fd=5) returned -9
[ 169.761338] l2tp_core: tunl 2: sockfd_lookup(fd=5) returned -9
[ 169.991303] l2tp_core: tunl 2: sockfd_lookup(fd=5) returned -9
[ 170.111218] l2tp_core: tunl 2: sockfd_lookup(fd=5) returned -9
[ 170.231387] l2tp_core: tunl 2: sockfd_lookup(fd=5) returned -9
[ 170.281674] l2tp_core: tunl 2: sockfd_lookup(fd=5) returned -9
[ 170.541403] l2tp_core: tunl 2: sockfd_lookup(fd=5) returned -9
[ 170.581300] l2tp_core: tunl 2: sockfd_lookup(fd=5) returned -9
[ 170.651219] l2tp_core: tunl 2: sockfd_lookup(fd=5) returned -9
[ 170.801410] l2tp_core: tunl 2: sockfd_lookup(fd=5) returned -9
[ 170.851420] l2tp_core: tunl 2: sockfd_lookup(fd=5) returned -9
[ 171.281728] l2tp_core: tunl 2: sockfd_lookup(fd=5) returned -9
[ 171.861263] l2tp_core: tunl 2: sockfd_lookup(fd=5) returned -9
[ 172.661130] l2tp_core: tunl 2: sockfd_lookup(fd=5) returned -9
[ 172.721746] l2tp_core: tunl 2: sockfd_lookup(fd=5) returned -9
2020/04/02 04:20:34 executed programs: 570
[ 173.321511] l2tp_core: tunl 2: sockfd_lookup(fd=5) returned -9
[ 173.381307] l2tp_core: tunl 2: sockfd_lookup(fd=5) returned -9
[ 173.521401] l2tp_core: tunl 2: sockfd_lookup(fd=5) returned -9
[ 173.740598] ==================================================================
[ 173.748101] BUG: KASAN: use-after-free in ex_handler_refcount+0x164/0x1a0
[ 173.755027] Write of size 4 at addr ffff888093f12340 by task syz-executor.0/9861
[ 173.762549]
[ 173.764262] CPU: 0 PID: 9861 Comm: syz-executor.0 Not tainted 4.14.174-syzkaller #0
[ 173.772043] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 173.781383] Call Trace:
[ 173.784048] dump_stack+0x13e/0x194
[ 173.787667] ? ex_handler_refcount+0x164/0x1a0
[ 173.792292] print_address_description.cold+0x7c/0x1e2
[ 173.797596] ? ex_handler_refcount+0x164/0x1a0
[ 173.802158] kasan_report.cold+0xa9/0x2ae
[ 173.806305] ex_handler_refcount+0x164/0x1a0
[ 173.810698] ? ex_handler_clear_fs+0xb0/0xb0
[ 173.815097] fixup_exception+0x8a/0xc3
[ 173.819013] do_trap+0x72/0x230
[ 173.822277] ? do_error_trap+0x1d0/0x2d0
[ 173.826317] do_error_trap+0x132/0x2d0
[ 173.830199] ? math_error+0x2d0/0x2d0
[ 173.833987] ? free_object+0xe4/0x240
[ 173.837765] ? inat_get_avx_attribute+0x623b/0x7956
[ 173.842817] ? find_held_lock+0x2d/0x110
[ 173.847935] ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 173.852763] invalid_op+0x1b/0x40
[ 173.856199] RIP: 0010:inat_get_avx_attribute+0x623b/0x7956
[ 173.861826] RSP: 0018:ffff88808d9f7cd0 EFLAGS: 00010297
[ 173.867184] RAX: ffff888091340340 RBX: ffff88808ca4ca00 RCX: ffff888093f12340
[ 173.874577] RDX: 0000000000000000 RSI: ffff888091340bc0 RDI: ffff88808ca4cb98
[ 173.881839] RBP: ffff888093f122c0 R08: 0000000000000001 R09: 0000000000000000
[ 173.889098] R10: 0000000000000000 R11: 0000000000000000 R12: ffff88808ca4ca00
[ 173.896362] R13: ffff888092d5a820 R14: ffffed10125ab504 R15: ffff888092d5a7e0
[ 173.903660] l2tp_tunnel_closeall+0x26f/0x370
[ 173.908135] ? pppol2tp_seq_show+0xc20/0xc20
[ 173.912540] ? l2tp_tunnel_find+0x490/0x490
[ 173.916846] ? udp_v6_flush_pending_frames+0xd0/0xd0
[ 173.921967] l2tp_udp_encap_destroy+0x8d/0xf0
[ 173.926456] udpv6_destroy_sock+0xa6/0xd0
[ 173.930602] sk_common_release+0x64/0x2f0
[ 173.934783] inet_release+0xdf/0x1b0
[ 173.938691] inet6_release+0x4c/0x70
[ 173.942393] __sock_release+0xcd/0x2b0
[ 173.946265] ? __sock_release+0x2b0/0x2b0
[ 173.950402] sock_close+0x15/0x20
[ 173.953847] __fput+0x25f/0x790
[ 173.957114] task_work_run+0x113/0x190
[ 173.960985] exit_to_usermode_loop+0x1d6/0x220
[ 173.965552] do_syscall_64+0x4a3/0x640
[ 173.969465] entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 173.974650] RIP: 0033:0x4163e1
[ 173.977904] RSP: 002b:00007fffcb05eaa0 EFLAGS: 00000293 ORIG_RAX: 0000000000000003
[ 173.985627] RAX: 0000000000000000 RBX: 0000000000000006 RCX: 00000000004163e1
[ 173.992884] RDX: 0000000000000000 RSI: 0000000000000081 RDI: 0000000000000005
[ 174.000135] RBP: 0000000000000000 R08: 00000000007703e0 R09: 01ffffffffffffff
[ 174.007384] R10: 00007fffcb05eb70 R11: 0000000000000293 R12: 000000000076bf00
[ 174.014636] R13: 00000000007703e8 R14: 0000000000000000 R15: 000000000076bf0c
[ 174.021901]
[ 174.023510] Allocated by task 9862:
[ 174.027137] save_stack+0x32/0xa0
[ 174.030580] kasan_kmalloc+0xbf/0xe0
[ 174.034284] __kmalloc+0x15b/0x7c0
[ 174.037813] sk_prot_alloc+0x164/0x290
[ 174.041692] sk_alloc+0x36/0xd60
[ 174.045037] pppol2tp_create+0x2d/0x1e0
[ 174.048996] pppox_create+0xf2/0x210
[ 174.052684] __sock_create+0x2f2/0x620
[ 174.056546] SyS_socket+0xd2/0x170
[ 174.060085] do_syscall_64+0x1d5/0x640
[ 174.063984] entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 174.069164]
[ 174.070785] Freed by task 9862:
[ 174.074162] save_stack+0x32/0xa0
[ 174.077609] kasan_slab_free+0x75/0xc0
[ 174.081480] kfree+0xcb/0x260
[ 174.086132] __sk_destruct+0x4f6/0x640
[ 174.090003] sk_destruct+0x97/0xc0
[ 174.093540] __sk_free+0x4c/0x220
[ 174.096978] sk_free+0x2b/0x40
[ 174.100152] pppol2tp_release+0x247/0x2f0
[ 174.104284] __sock_release+0xcd/0x2b0
[ 174.108150] sock_close+0x15/0x20
[ 174.111584] __fput+0x25f/0x790
[ 174.114842] task_work_run+0x113/0x190
[ 174.118753] exit_to_usermode_loop+0x1d6/0x220
[ 174.123324] do_syscall_64+0x4a3/0x640
[ 174.127198] entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 174.132361]
[ 174.133966] The buggy address belongs to the object at ffff888093f122c0
[ 174.133966] which belongs to the cache kmalloc-2048 of size 2048
[ 174.146772] The buggy address is located 128 bytes inside of
[ 174.146772] 2048-byte region [ffff888093f122c0, ffff888093f12ac0)
[ 174.158710] The buggy address belongs to the page:
[ 174.163616] page:ffffea00024fc480 count:1 mapcount:0 mapping:ffff888093f122c0 index:0x0 compound_mapcount: 0
[ 174.173573] flags: 0xfffe0000008100(slab|head)
[ 174.178141] raw: 00fffe0000008100 ffff888093f122c0 0000000000000000 0000000100000003
[ 174.186021] raw: ffffea00024cdfa0 ffffea000245c320 ffff88812fe56c40 0000000000000000
[ 174.193881] page dumped because: kasan: bad access detected
[ 174.199575]
[ 174.201181] Memory state around the buggy address:
[ 174.206132]  ffff888093f12200: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 174.213477]  ffff888093f12280: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
[ 174.220862] >ffff888093f12300: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 174.228202]                                            ^
[ 174.233658]  ffff888093f12380: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 174.241010]  ffff888093f12400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 174.248357] ==================================================================
[ 174.255820] Disabling lock debugging due to kernel taint
[ 174.261933] Kernel panic - not syncing: panic_on_warn set ...
[ 174.261933]
[ 174.269452] CPU: 0 PID: 9861 Comm: syz-executor.0 Tainted: G B 4.14.174-syzkaller #0
[ 174.278442] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 174.287786] Call Trace:
[ 174.290370] dump_stack+0x13e/0x194
[ 174.294759] panic+0x1f9/0x42d
[ 174.297955] ? add_taint.cold+0x16/0x16
[ 174.301908] ? preempt_schedule_common+0x4a/0xc0
[ 174.306639] ? ex_handler_refcount+0x164/0x1a0
[ 174.311239] ? ___preempt_schedule+0x16/0x18
[ 174.315625] ? ex_handler_refcount+0x164/0x1a0
[ 174.320183] kasan_end_report+0x43/0x49
[ 174.324142] kasan_report.cold+0x12f/0x2ae
[ 174.328355] ex_handler_refcount+0x164/0x1a0
[ 174.332741] ? ex_handler_clear_fs+0xb0/0xb0
[ 174.337174] fixup_exception+0x8a/0xc3
[ 174.341056] do_trap+0x72/0x230
[ 174.344426] ? do_error_trap+0x1d0/0x2d0
[ 174.348479] do_error_trap+0x132/0x2d0
[ 174.352387] ? math_error+0x2d0/0x2d0
[ 174.356168] ? free_object+0xe4/0x240
[ 174.360037] ? inat_get_avx_attribute+0x623b/0x7956
[ 174.365051] ? find_held_lock+0x2d/0x110
[ 174.369131] ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 174.373998] invalid_op+0x1b/0x40
[ 174.377433] RIP: 0010:inat_get_avx_attribute+0x623b/0x7956
[ 174.383028] RSP: 0018:ffff88808d9f7cd0 EFLAGS: 00010297
[ 174.388374] RAX: ffff888091340340 RBX: ffff88808ca4ca00 RCX: ffff888093f12340
[ 174.395697] RDX: 0000000000000000 RSI: ffff888091340bc0 RDI: ffff88808ca4cb98
[ 174.402949] RBP: ffff888093f122c0 R08: 0000000000000001 R09: 0000000000000000
[ 174.410204] R10: 0000000000000000 R11: 0000000000000000 R12: ffff88808ca4ca00
[ 174.417460] R13: ffff888092d5a820 R14: ffffed10125ab504 R15: ffff888092d5a7e0
[ 174.424731] l2tp_tunnel_closeall+0x26f/0x370
[ 174.429211] ? pppol2tp_seq_show+0xc20/0xc20
[ 174.433621] ? l2tp_tunnel_find+0x490/0x490
[ 174.437925] ? udp_v6_flush_pending_frames+0xd0/0xd0
[ 174.443016] l2tp_udp_encap_destroy+0x8d/0xf0
[ 174.447495] udpv6_destroy_sock+0xa6/0xd0
[ 174.451631] sk_common_release+0x64/0x2f0
[ 174.455796] inet_release+0xdf/0x1b0
[ 174.459489] inet6_release+0x4c/0x70
[ 174.463199] __sock_release+0xcd/0x2b0
[ 174.467078] ? __sock_release+0x2b0/0x2b0
[ 174.471202] sock_close+0x15/0x20
[ 174.474637] __fput+0x25f/0x790
[ 174.477912] task_work_run+0x113/0x190
[ 174.481782] exit_to_usermode_loop+0x1d6/0x220
[ 174.486345] do_syscall_64+0x4a3/0x640
[ 174.490262] entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 174.495470] RIP: 0033:0x4163e1
[ 174.498687] RSP: 002b:00007fffcb05eaa0 EFLAGS: 00000293 ORIG_RAX: 0000000000000003
[ 174.506377] RAX: 0000000000000000 RBX: 0000000000000006 RCX: 00000000004163e1
[ 174.513631] RDX: 0000000000000000 RSI: 0000000000000081 RDI: 0000000000000005
[ 174.520920] RBP: 0000000000000000 R08: 00000000007703e0 R09: 01ffffffffffffff
[ 174.529132] R10: 00007fffcb05eb70 R11: 0000000000000293 R12: 000000000076bf00
[ 174.536500] R13: 00000000007703e8 R14: 0000000000000000 R15: 000000000076bf0c
[ 174.545123] Kernel Offset: disabled
[ 174.548740] Rebooting in 86400 seconds..