[ ok ] Starting enhanced syslogd: rsyslogd.
[ 10.399177] audit: type=1400 audit(1516206350.105:4): avc: denied { syslog } for pid=3174 comm="rsyslogd" capability=34 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=capability2 permissive=1
[....] Starting mcstransd:
[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.
[ ok ] Starting file context maintaining daemon: restorecond.

Debian GNU/Linux 7 syzkaller ttyS0

Warning: Permanently added '10.128.0.41' (ECDSA) to the list of known hosts.
2018/01/17 16:27:27 parsed 1 programs
2018/01/17 16:27:27 executed programs: 0
syzkaller login:
[ 107.439949] IPVS: Creating netns size=2536 id=1
[ 107.445710] audit: type=1400 audit(1516206447.155:5): avc: denied { sys_admin } for pid=3389 comm="syz-executor0" capability=21 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=cap_userns permissive=1
[ 107.457206] IPVS: Creating netns size=2536 id=2
[ 107.474671] IPVS: Creating netns size=2536 id=3
[ 107.493042] audit: type=1400 audit(1516206447.205:6): avc: denied { sys_chroot } for pid=3400 comm="syz-executor0" capability=18 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=cap_userns permissive=1
[ 107.528246] IPVS: Creating netns size=2536 id=4
[ 107.549770] IPVS: Creating netns size=2536 id=5
[ 107.570902] IPVS: Creating netns size=2536 id=6
[ 107.604303] IPVS: Creating netns size=2536 id=7
[ 107.638228] IPVS: Creating netns size=2536 id=8
INIT: Id "5" respawning too fast: disabled for 5 minutes
INIT: Id "4" respawning too fast: disabled for 5 minutes
INIT: Id "2" respawning too fast: disabled for 5 minutes
INIT: Id "1" respawning too fast: disabled for 5 minutes
INIT: Id "3" respawning too fast: disabled for 5 minutes
INIT: Id "6" respawning too fast: disabled for 5 minutes
2018/01/17 16:27:32 executed programs: 291
2018/01/17 16:27:37 executed programs: 595
2018/01/17 16:27:42 executed programs: 897
2018/01/17 16:27:47 executed programs: 1209
2018/01/17 16:27:52 executed programs: 1510
2018/01/17 16:27:57 executed programs: 1807
2018/01/17 16:28:02 executed programs: 2111
[ 146.473642] ==================================================================
[ 146.481063] BUG: KASAN: use-after-free in __lock_acquire+0x2eff/0x3640
[ 146.487706] Read of size 8 at addr ffff8801c7bfc4a0 by task syz-executor2/12022
[ 146.495123]
[ 146.496727] CPU: 0 PID: 12022 Comm: syz-executor2 Not tainted 4.9.77-g033d019 #14
[ 146.504316] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 146.513642]  ffff8801c7a87650 ffffffff81d941c9 ffffea00071efe00 ffff8801c7bfc4a0
[ 146.521624]  0000000000000000 ffff8801c7bfc4a0 ffff8801c7bfc4a0 ffff8801c7a87688
[ 146.529609]  ffffffff8153db93 ffff8801c7bfc4a0 0000000000000008 0000000000000000
[ 146.537577] Call Trace:
[ 146.540140]  [] dump_stack+0xc1/0x128
[ 146.545473]  [] print_address_description+0x73/0x280
[ 146.552108]  [] kasan_report+0x275/0x360
[ 146.557705]  [] ? __lock_acquire+0x2eff/0x3640
[ 146.563818]  [] __asan_report_load8_noabort+0x14/0x20
[ 146.570541]  [] __lock_acquire+0x2eff/0x3640
[ 146.576484]  [] ? update_stack_state.constprop.5+0xca/0x150
[ 146.583724]  [] ? __unwind_start+0x1e3/0x3c0
[ 146.589665]  [] ? unwind_next_frame+0x86/0xe0
[ 146.595692]  [] ? debug_check_no_locks_freed+0x2c0/0x2c0
[ 146.602675]  [] ? free_fs_struct+0x4f/0x60
[ 146.608442]  [] ? kmem_cache_free+0xc7/0x300
[ 146.614382]  [] ? free_fs_struct+0x4f/0x60
[ 146.620147]  [] ? exit_fs+0xe1/0x120
[ 146.625402]  [] ? do_exit+0x7c1/0x2a40
[ 146.630824]  [] ? do_group_exit+0x108/0x320
[ 146.636695]  [] ? get_signal+0x4d4/0x14e0
[ 146.642375]  [] ? do_signal+0x87/0x1a00
[ 146.647884]  [] ? exit_to_usermode_loop+0xe1/0x120
[ 146.654347]  [] lock_acquire+0x12e/0x410
[ 146.659944]  [] ? lock_sock_nested+0x43/0x120
[ 146.665971]  [] ? sock_release+0x1e0/0x1e0
[ 146.671739]  [] _raw_spin_lock_bh+0x3a/0x50
[ 146.677592]  [] ? lock_sock_nested+0x43/0x120
[ 146.683617]  [] lock_sock_nested+0x43/0x120
[ 146.689474]  [] pppol2tp_release+0x50/0x2e0
[ 146.695327]  [] sock_release+0x8d/0x1e0
[ 146.700835]  [] sock_close+0x16/0x20
[ 146.706079]  [] __fput+0x28c/0x6e0
[ 146.711152]  [] ____fput+0x15/0x20
[ 146.716223]  [] task_work_run+0x115/0x190
[ 146.721901]  [] do_exit+0x7e7/0x2a40
[ 146.727148]  [] ? debug_check_no_locks_freed+0x2c0/0x2c0
[ 146.734143]  [] ? save_stack+0x43/0xd0
[ 146.739573]  [] ? kmem_cache_free+0xc7/0x300
[ 146.745515]  [] ? dentry_free+0xd5/0x150
[ 146.751107]  [] ? release_task+0x1240/0x1240
[ 146.757050]  [] ? __lock_acquire+0x629/0x3640
[ 146.763087]  [] ? __dequeue_signal+0xa3/0x550
[ 146.769114]  [] ? recalc_sigpending+0x72/0x90
[ 146.775152]  [] do_group_exit+0x108/0x320
[ 146.780834]  [] get_signal+0x4d4/0x14e0
[ 146.786342]  [] ? check_preemption_disabled+0x3b/0x200
[ 146.793169]  [] do_signal+0x87/0x1a00
[ 146.798502]  [] ? check_preemption_disabled+0x3b/0x200
[ 146.805310]  [] ? mntput_no_expire+0xca/0x6b0
[ 146.811339]  [] ? setup_sigcontext+0x7d0/0x7d0
[ 146.817453]  [] ? mntput_no_expire+0xf6/0x6b0
[ 146.823477]  [] ? mnt_get_count+0x160/0x160
[ 146.829328]  [] ? dput.part.23+0x16d/0x7b0
[ 146.835092]  [] ? dput.part.23+0x2a/0x7b0
[ 146.840771]  [] ? sock_release+0x1e0/0x1e0
[ 146.846534]  [] ? mntput+0x66/0x90
[ 146.851605]  [] ? exit_to_usermode_loop+0xac/0x120
[ 146.858063]  [] exit_to_usermode_loop+0xe1/0x120
[ 146.864351]  [] syscall_return_slowpath+0x1a0/0x1e0
[ 146.870900]  [] entry_SYSCALL_64_fastpath+0xe6/0xe8
[ 146.877494]
[ 146.879095] Allocated by task 12032:
[ 146.882779]  save_stack_trace+0x16/0x20
[ 146.886721]  save_stack+0x43/0xd0
[ 146.890153]  kasan_kmalloc+0xad/0xe0
[ 146.893834]  __kmalloc+0x11d/0x310
[ 146.897341]  sk_prot_alloc+0x101/0x2a0
[ 146.901196]  sk_alloc+0x3a/0x3a0
[ 146.904533]  pppol2tp_create+0x33/0x1f0
[ 146.908479]  pppox_create+0xf1/0x200
[ 146.912162]  __sock_create+0x3ab/0x640
[ 146.916020]  SyS_socket+0xf0/0x1b0
[ 146.919533]  entry_SYSCALL_64_fastpath+0x29/0xe8
[ 146.924256]
[ 146.925852] Freed by task 12022:
[ 146.929187]  save_stack_trace+0x16/0x20
[ 146.933129]  save_stack+0x43/0xd0
[ 146.936549]  kasan_slab_free+0x72/0xc0
[ 146.940404]  kfree+0x103/0x300
[ 146.943564]  __sk_destruct+0x47f/0x570
[ 146.947416]  sk_destruct+0x47/0x80
[ 146.950924]  __sk_free+0x57/0x230
[ 146.954344]  sk_free+0x23/0x30
[ 146.957504]  pppol2tp_session_sock_put+0x5a/0x70
[ 146.962226]  l2tp_tunnel_closeall+0x254/0x3a0
[ 146.966691]  l2tp_udp_encap_destroy+0x87/0xe0
[ 146.971160]  udpv6_destroy_sock+0xb1/0xd0
[ 146.975275]  sk_common_release+0x6b/0x2f0
[ 146.979391]  udp_lib_close+0x15/0x20
[ 146.983073]  inet_release+0xfa/0x1d0
[ 146.986754]  inet6_release+0x50/0x70
[ 146.990436]  sock_release+0x8d/0x1e0
[ 146.994117]  sock_close+0x16/0x20
[ 146.997538]  __fput+0x28c/0x6e0
[ 147.000784]  ____fput+0x15/0x20
[ 147.004035]  task_work_run+0x115/0x190
[ 147.007889]  exit_to_usermode_loop+0xfc/0x120
[ 147.012351]  syscall_return_slowpath+0x1a0/0x1e0
[ 147.017081]  entry_SYSCALL_64_fastpath+0xe6/0xe8
[ 147.021804]
[ 147.023404] The buggy address belongs to the object at ffff8801c7bfc400
[ 147.023404]  which belongs to the cache kmalloc-2048 of size 2048
[ 147.036204] The buggy address is located 160 bytes inside of
[ 147.036204]  2048-byte region [ffff8801c7bfc400, ffff8801c7bfcc00)
[ 147.048131] The buggy address belongs to the page:
[ 147.053028] page:ffffea00071efe00 count:1 mapcount:0 mapping:          (null) index:0x0 compound_mapcount: 0
[ 147.063196] flags: 0x8000000000004080(slab|head)
[ 147.067918] page dumped because: kasan: bad access detected
[ 147.073603]
[ 147.075200] Memory state around the buggy address:
[ 147.080098]  ffff8801c7bfc380: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 147.087441]  ffff8801c7bfc400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 147.094773] >ffff8801c7bfc480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 147.102101]                                ^
[ 147.106479]  ffff8801c7bfc500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 147.113804]  ffff8801c7bfc580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 147.121132] ==================================================================
[ 147.128461] Disabling lock debugging due to kernel taint
[ 147.133878] Kernel panic - not syncing: panic_on_warn set ...
[ 147.133878]
[ 147.141214] CPU: 0 PID: 12022 Comm: syz-executor2 Tainted: G    B   4.9.77-g033d019 #14
[ 147.150018] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 147.159351]  ffff8801c7a875a8 ffffffff81d941c9 ffffffff841970ff ffff8801c7a87680
[ 147.167341]  0000000000000000 ffff8801c7bfc4a0 ffff8801c7bfc4a0 ffff8801c7a87670
[ 147.175326]  ffffffff8142f3c1 0000000041b58ab3 ffffffff8418ab70 ffffffff8142f205
[ 147.183296] Call Trace:
[ 147.185859]  [] dump_stack+0xc1/0x128
[ 147.191193]  [] panic+0x1bc/0x3a8
[ 147.196180]  [] ? percpu_up_read_preempt_enable.constprop.53+0xd7/0xd7
[ 147.204378]  [] ? add_taint+0x40/0x50
[ 147.209715]  [] kasan_end_report+0x50/0x50
[ 147.215481]  [] kasan_report+0x167/0x360
[ 147.221078]  [] ? __lock_acquire+0x2eff/0x3640
[ 147.227197]  [] __asan_report_load8_noabort+0x14/0x20
[ 147.233918]  [] __lock_acquire+0x2eff/0x3640
[ 147.239866]  [] ? update_stack_state.constprop.5+0xca/0x150
[ 147.247114]  [] ? __unwind_start+0x1e3/0x3c0
[ 147.253056]  [] ? unwind_next_frame+0x86/0xe0
[ 147.259085]  [] ? debug_check_no_locks_freed+0x2c0/0x2c0
[ 147.266067]  [] ? free_fs_struct+0x4f/0x60
[ 147.271837]  [] ? kmem_cache_free+0xc7/0x300
[ 147.277776]  [] ? free_fs_struct+0x4f/0x60
[ 147.283542]  [] ? exit_fs+0xe1/0x120
[ 147.288790]  [] ? do_exit+0x7c1/0x2a40
[ 147.294212]  [] ? do_group_exit+0x108/0x320
[ 147.300069]  [] ? get_signal+0x4d4/0x14e0
[ 147.305751]  [] ? do_signal+0x87/0x1a00
[ 147.311260]  [] ? exit_to_usermode_loop+0xe1/0x120
[ 147.317724]  [] lock_acquire+0x12e/0x410
[ 147.323318]  [] ? lock_sock_nested+0x43/0x120
[ 147.329346]  [] ? sock_release+0x1e0/0x1e0
[ 147.335117]  [] _raw_spin_lock_bh+0x3a/0x50
[ 147.340969]  [] ? lock_sock_nested+0x43/0x120
[ 147.347000]  [] lock_sock_nested+0x43/0x120
[ 147.352856]  [] pppol2tp_release+0x50/0x2e0
[ 147.358708]  [] sock_release+0x8d/0x1e0
[ 147.364214]  [] sock_close+0x16/0x20
[ 147.369461]  [] __fput+0x28c/0x6e0
[ 147.374532]  [] ____fput+0x15/0x20
[ 147.379606]  [] task_work_run+0x115/0x190
[ 147.385288]  [] do_exit+0x7e7/0x2a40
[ 147.390536]  [] ? debug_check_no_locks_freed+0x2c0/0x2c0
[ 147.397527]  [] ? save_stack+0x43/0xd0
[ 147.402946]  [] ? kmem_cache_free+0xc7/0x300
[ 147.408890]  [] ? dentry_free+0xd5/0x150
[ 147.414487]  [] ? release_task+0x1240/0x1240
[ 147.420440]  [] ? __lock_acquire+0x629/0x3640
[ 147.426476]  [] ? __dequeue_signal+0xa3/0x550
[ 147.432509]  [] ? recalc_sigpending+0x72/0x90
[ 147.438546]  [] do_group_exit+0x108/0x320
[ 147.444234]  [] get_signal+0x4d4/0x14e0
[ 147.449753]  [] ? check_preemption_disabled+0x3b/0x200
[ 147.456566]  [] do_signal+0x87/0x1a00
[ 147.461904]  [] ? check_preemption_disabled+0x3b/0x200
[ 147.468720]  [] ? mntput_no_expire+0xca/0x6b0
[ 147.474750]  [] ? setup_sigcontext+0x7d0/0x7d0
[ 147.480866]  [] ? mntput_no_expire+0xf6/0x6b0
[ 147.486915]  [] ? mnt_get_count+0x160/0x160
[ 147.492769]  [] ? dput.part.23+0x16d/0x7b0
[ 147.498535]  [] ? dput.part.23+0x2a/0x7b0
[ 147.504216]  [] ? sock_release+0x1e0/0x1e0
[ 147.509983]  [] ? mntput+0x66/0x90
[ 147.515055]  [] ? exit_to_usermode_loop+0xac/0x120
[ 147.521519]  [] exit_to_usermode_loop+0xe1/0x120
[ 147.527808]  [] syscall_return_slowpath+0x1a0/0x1e0
[ 147.534367]  [] entry_SYSCALL_64_fastpath+0xe6/0xe8
[ 147.541314] Dumping ftrace buffer:
[ 147.544827]    (ftrace buffer empty)
[ 147.548509] Kernel Offset: disabled
[ 147.552103] Rebooting in 86400 seconds..