Warning: Permanently added '10.128.0.85' (ECDSA) to the list of known hosts.
[ 1000.709393] random: sshd: uninitialized urandom read (32 bytes read)
[ 1000.936505] audit: type=1400 audit(1585018735.070:36): avc: denied { map } for pid=7363 comm="syz-execprog" path="/root/syz-execprog" dev="sda1" ino=16482 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
2020/03/24 02:58:55 parsed 1 programs
[ 1001.776666] random: cc1: uninitialized urandom read (8 bytes read)
2020/03/24 02:58:56 executed programs: 0
[ 1002.590962] audit: type=1400 audit(1585018736.730:37): avc: denied { map } for pid=7363 comm="syz-execprog" path="/sys/kernel/debug/kcov" dev="debugfs" ino=15783 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:debugfs_t:s0 tclass=file permissive=1
[ 1002.881928] IPVS: ftp: loaded support on port[0] = 21
[ 1003.770925] chnl_net:caif_netlink_parms(): no params data found
[ 1003.819638] bridge0: port 1(bridge_slave_0) entered blocking state
[ 1003.826678] bridge0: port 1(bridge_slave_0) entered disabled state
[ 1003.834705] device bridge_slave_0 entered promiscuous mode
[ 1003.842046] bridge0: port 2(bridge_slave_1) entered blocking state
[ 1003.848418] bridge0: port 2(bridge_slave_1) entered disabled state
[ 1003.855486] device bridge_slave_1 entered promiscuous mode
[ 1003.870836] bond0: Enslaving bond_slave_0 as an active interface with an up link
[ 1003.879760] bond0: Enslaving bond_slave_1 as an active interface with an up link
[ 1003.897666] IPv6: ADDRCONF(NETDEV_UP): team_slave_0: link is not ready
[ 1003.905234] team0: Port device team_slave_0 added
[ 1003.911040] IPv6: ADDRCONF(NETDEV_UP): team_slave_1: link is not ready
[ 1003.918186] team0: Port device team_slave_1 added
[ 1003.932726] batman_adv: batadv0: Adding interface: batadv_slave_0
[ 1003.939153] batman_adv: batadv0: The MTU of interface batadv_slave_0 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem.
[ 1003.964689] batman_adv: batadv0: Not using interface batadv_slave_0 (retrying later): interface not active
[ 1003.976262] batman_adv: batadv0: Adding interface: batadv_slave_1
[ 1003.982635] batman_adv: batadv0: The MTU of interface batadv_slave_1 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem.
[ 1004.008077] batman_adv: batadv0: Not using interface batadv_slave_1 (retrying later): interface not active
[ 1004.019351] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_0: link is not ready
[ 1004.027029] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_1: link is not ready
[ 1004.092406] device hsr_slave_0 entered promiscuous mode
[ 1004.160317] device hsr_slave_1 entered promiscuous mode
[ 1004.240820] IPv6: ADDRCONF(NETDEV_UP): hsr_slave_0: link is not ready
[ 1004.247997] IPv6: ADDRCONF(NETDEV_UP): hsr_slave_1: link is not ready
[ 1004.297529] audit: type=1400 audit(1585018738.430:38): avc: denied { create } for pid=7380 comm="syz-executor.0" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_generic_socket permissive=1
[ 1004.318749] bridge0: port 2(bridge_slave_1) entered blocking state
[ 1004.322396] audit: type=1400 audit(1585018738.430:39): avc: denied { write } for pid=7380 comm="syz-executor.0" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_generic_socket permissive=1
[ 1004.328024] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 1004.352516] audit: type=1400 audit(1585018738.430:40): avc: denied { read } for pid=7380 comm="syz-executor.0" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_generic_socket permissive=1
[ 1004.358857] bridge0: port 1(bridge_slave_0) entered blocking state
[ 1004.388593] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 1004.423388] IPv6: ADDRCONF(NETDEV_UP): bond0: link is not ready
[ 1004.429511] 8021q: adding VLAN 0 to HW filter on device bond0
[ 1004.438699] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
[ 1004.448186] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 1004.466842] bridge0: port 1(bridge_slave_0) entered disabled state
[ 1004.474356] bridge0: port 2(bridge_slave_1) entered disabled state
[ 1004.486858] IPv6: ADDRCONF(NETDEV_UP): team0: link is not ready
[ 1004.493348] 8021q: adding VLAN 0 to HW filter on device team0
[ 1004.502081] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[ 1004.509773] bridge0: port 1(bridge_slave_0) entered blocking state
[ 1004.516222] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 1004.526651] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[ 1004.534750] bridge0: port 2(bridge_slave_1) entered blocking state
[ 1004.541158] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 1004.561451] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready
[ 1004.569320] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready
[ 1004.577924] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
[ 1004.585555] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
[ 1004.593750] IPv6: ADDRCONF(NETDEV_CHANGE): team0: link becomes ready
[ 1004.603374] IPv6: ADDRCONF(NETDEV_UP): hsr0: link is not ready
[ 1004.609413] IPv6: ADDRCONF(NETDEV_CHANGE): hsr0: link becomes ready
[ 1004.622761] IPv6: ADDRCONF(NETDEV_UP): vxcan0: link is not ready
[ 1004.630742] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan0: link becomes ready
[ 1004.637474] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan1: link becomes ready
[ 1004.648701] 8021q: adding VLAN 0 to HW filter on device batadv0
[ 1004.709934] IPv6: ADDRCONF(NETDEV_UP): veth0_virt_wifi: link is not ready
[ 1004.721247] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_virt_wifi: link becomes ready
[ 1004.756792] IPv6: ADDRCONF(NETDEV_UP): veth0_vlan: link is not ready
[ 1004.764227] IPv6: ADDRCONF(NETDEV_UP): vlan0: link is not ready
[ 1004.771427] IPv6: ADDRCONF(NETDEV_UP): vlan1: link is not ready
[ 1004.777780] IPv6: ADDRCONF(NETDEV_CHANGE): bond0: link becomes ready
[ 1004.789059] IPv6: ADDRCONF(NETDEV_UP): veth1_vlan: link is not ready
[ 1004.796427] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_vlan: link becomes ready
[ 1004.804249] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_vlan: link becomes ready
[ 1004.812759] IPv6: ADDRCONF(NETDEV_CHANGE): vlan0: link becomes ready
[ 1004.819780] IPv6: ADDRCONF(NETDEV_CHANGE): vlan1: link becomes ready
[ 1004.827789] device veth0_vlan entered promiscuous mode
[ 1004.837790] device veth1_vlan entered promiscuous mode
[ 1004.844158] IPv6: ADDRCONF(NETDEV_UP): macvlan0: link is not ready
[ 1004.853350] IPv6: ADDRCONF(NETDEV_UP): macvlan1: link is not ready
[ 1004.865107] IPv6: ADDRCONF(NETDEV_UP): veth0_macvtap: link is not ready
[ 1004.874622] IPv6: ADDRCONF(NETDEV_UP): veth1_macvtap: link is not ready
[ 1004.881977] IPv6: ADDRCONF(NETDEV_CHANGE): macvlan0: link becomes ready
[ 1004.889223] IPv6: ADDRCONF(NETDEV_CHANGE): macvlan1: link becomes ready
[ 1004.896559] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_macvtap: link becomes ready
[ 1004.904371] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_macvtap: link becomes ready
[ 1004.914206] device veth0_macvtap entered promiscuous mode
[ 1004.921387] IPv6: ADDRCONF(NETDEV_UP): macvtap0: link is not ready
[ 1004.929782] device veth1_macvtap entered promiscuous mode
[ 1004.936176] IPv6: ADDRCONF(NETDEV_UP): macsec0: link is not ready
[ 1004.945441] IPv6: ADDRCONF(NETDEV_UP): veth0_to_batadv: link is not ready
[ 1004.954904] IPv6: ADDRCONF(NETDEV_UP): veth1_to_batadv: link is not ready
[ 1004.964094] IPv6: ADDRCONF(NETDEV_UP): batadv_slave_0: link is not ready
[ 1004.971353] batman_adv: batadv0: Interface activated: batadv_slave_0
[ 1004.978147] IPv6: ADDRCONF(NETDEV_CHANGE): macvtap0: link becomes ready
[ 1004.985750] IPv6: ADDRCONF(NETDEV_CHANGE): macsec0: link becomes ready
[ 1004.993141] IPv6: ADDRCONF(NETDEV_CHANGE): batadv_slave_0: link becomes ready
[ 1005.001012] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_batadv: link becomes ready
[ 1005.011232] IPv6: ADDRCONF(NETDEV_UP): batadv_slave_1: link is not ready
[ 1005.018263] batman_adv: batadv0: Interface activated: batadv_slave_1
[ 1005.024865] IPv6: ADDRCONF(NETDEV_CHANGE): batadv_slave_1: link becomes ready
[ 1005.033298] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_batadv: link becomes ready
2020/03/24 02:59:01 executed programs: 15
[ 1011.250578] ==================================================================
[ 1011.258304] BUG: KASAN: use-after-free in l2tp_session_queue_purge+0xea/0xf0
[ 1011.265620] Read of size 4 at addr ffff88808c73da00 by task syz-executor.0/7641
[ 1011.273059]
[ 1011.274863] CPU: 0 PID: 7641 Comm: syz-executor.0 Not tainted 4.14.174-syzkaller #0
[ 1011.282647] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 1011.292225] Call Trace:
[ 1011.294885] dump_stack+0x13e/0x194
[ 1011.298512] ? l2tp_session_queue_purge+0xea/0xf0
[ 1011.303455] print_address_description.cold+0x7c/0x1e2
[ 1011.308747] ? l2tp_session_queue_purge+0xea/0xf0
[ 1011.313601] kasan_report.cold+0xa9/0x2ae
[ 1011.317923] l2tp_session_queue_purge+0xea/0xf0
[ 1011.322588] l2tp_tunnel_closeall+0x1fe/0x370
[ 1011.327131] ? l2tp_tunnel_find+0x490/0x490
[ 1011.331499] ? udp_v6_flush_pending_frames+0xd0/0xd0
[ 1011.336594] l2tp_udp_encap_destroy+0x8d/0xf0
[ 1011.341121] udpv6_destroy_sock+0xa6/0xd0
[ 1011.345334] sk_common_release+0x64/0x2f0
[ 1011.349493] inet_release+0xdf/0x1b0
[ 1011.353228] inet6_release+0x4c/0x70
[ 1011.356955] __sock_release+0xcd/0x2b0
[ 1011.360844] ? __sock_release+0x2b0/0x2b0
[ 1011.365000] sock_close+0x15/0x20
[ 1011.368487] __fput+0x25f/0x790
[ 1011.371818] task_work_run+0x113/0x190
[ 1011.375733] exit_to_usermode_loop+0x1d6/0x220
[ 1011.380306] do_syscall_64+0x4a3/0x640
[ 1011.384223] entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 1011.389409] RIP: 0033:0x4163e1
[ 1011.392595] RSP: 002b:00007ffd38e74520 EFLAGS: 00000293 ORIG_RAX: 0000000000000003
[ 1011.400289] RAX: 0000000000000000 RBX: 0000000000000006 RCX: 00000000004163e1
[ 1011.407549] RDX: 0000000000000000 RSI: 0000000000000081 RDI: 0000000000000005
[ 1011.414808] RBP: 0000000000000000 R08: 00000000007703e0 R09: 01ffffffffffffff
[ 1011.422076] R10: 00007ffd38e745f0 R11: 0000000000000293 R12: 000000000076bf00
[ 1011.429368] R13: 00000000007703e8 R14: 0000000000000000 R15: 000000000076bf0c
[ 1011.436640]
[ 1011.438310] Allocated by task 7642:
[ 1011.441924] save_stack+0x32/0xa0
[ 1011.445361] kasan_kmalloc+0xbf/0xe0
[ 1011.449068] __kmalloc+0x15b/0x7c0
[ 1011.452588] l2tp_session_create+0x35/0x16f0
[ 1011.456987] pppol2tp_connect+0x1154/0x17b0
[ 1011.461293] SYSC_connect+0x1c6/0x250
[ 1011.465073] do_syscall_64+0x1d5/0x640
[ 1011.468951] entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 1011.474115]
[ 1011.475733] Freed by task 7642:
[ 1011.478991] save_stack+0x32/0xa0
[ 1011.482441] kasan_slab_free+0x75/0xc0
[ 1011.486306] kfree+0xcb/0x260
[ 1011.489391] pppol2tp_session_destruct+0xcd/0x110
[ 1011.494219] __sk_destruct+0x49/0x640
[ 1011.497998] sk_destruct+0x97/0xc0
[ 1011.501517] __sk_free+0x4c/0x220
[ 1011.504964] sk_free+0x2b/0x40
[ 1011.508149] pppol2tp_release+0x247/0x2f0
[ 1011.512277] __sock_release+0xcd/0x2b0
[ 1011.516141] sock_close+0x15/0x20
[ 1011.519573] __fput+0x25f/0x790
[ 1011.522834] task_work_run+0x113/0x190
[ 1011.526716] exit_to_usermode_loop+0x1d6/0x220
[ 1011.531278] do_syscall_64+0x4a3/0x640
[ 1011.535146] entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 1011.540327]
[ 1011.541991] The buggy address belongs to the object at ffff88808c73da00
[ 1011.541991] which belongs to the cache kmalloc-512 of size 512
[ 1011.554861] The buggy address is located 0 bytes inside of
[ 1011.554861] 512-byte region [ffff88808c73da00, ffff88808c73dc00)
[ 1011.566721] The buggy address belongs to the page:
[ 1011.571634] page:ffffea000231cf40 count:1 mapcount:0 mapping:ffff88808c73d000 index:0x0
[ 1011.579772] flags: 0xfffe0000000100(slab)
[ 1011.583902] raw: 00fffe0000000100 ffff88808c73d000 0000000000000000 0000000100000006
[ 1011.591766] raw: ffffea000231ce60 ffffea000236ca20 ffff88812fe56940 0000000000000000
[ 1011.599637] page dumped because: kasan: bad access detected
[ 1011.605325]
[ 1011.606944] Memory state around the buggy address:
[ 1011.611854] ffff88808c73d900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 1011.619207] ffff88808c73d980: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 1011.626554] >ffff88808c73da00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 1011.633893] ^
[ 1011.637248] ffff88808c73da80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 1011.644588] ffff88808c73db00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 1011.651946] ==================================================================
[ 1011.659282] Disabling lock debugging due to kernel taint
[ 1011.667477] Kernel panic - not syncing: panic_on_warn set ...
[ 1011.667477]
[ 1011.674869] CPU: 0 PID: 7641 Comm: syz-executor.0 Tainted: G B 4.14.174-syzkaller #0
[ 1011.683863] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 1011.693204] Call Trace:
[ 1011.695827] dump_stack+0x13e/0x194
[ 1011.699487] panic+0x1f9/0x42d
[ 1011.702665] ? add_taint.cold+0x16/0x16
[ 1011.706636] ? preempt_schedule_common+0x4a/0xc0
[ 1011.711375] ? l2tp_session_queue_purge+0xea/0xf0
[ 1011.716201] ? ___preempt_schedule+0x16/0x18
[ 1011.720591] ? l2tp_session_queue_purge+0xea/0xf0
[ 1011.725415] kasan_end_report+0x43/0x49
[ 1011.729369] kasan_report.cold+0x12f/0x2ae
[ 1011.733617] l2tp_session_queue_purge+0xea/0xf0
[ 1011.738267] l2tp_tunnel_closeall+0x1fe/0x370
[ 1011.742747] ? l2tp_tunnel_find+0x490/0x490
[ 1011.747069] ? udp_v6_flush_pending_frames+0xd0/0xd0
[ 1011.752159] l2tp_udp_encap_destroy+0x8d/0xf0
[ 1011.756640] udpv6_destroy_sock+0xa6/0xd0
[ 1011.760774] sk_common_release+0x64/0x2f0
[ 1011.764908] inet_release+0xdf/0x1b0
[ 1011.768600] inet6_release+0x4c/0x70
[ 1011.772298] __sock_release+0xcd/0x2b0
[ 1011.776187] ? __sock_release+0x2b0/0x2b0
[ 1011.780321] sock_close+0x15/0x20
[ 1011.783763] __fput+0x25f/0x790
[ 1011.787287] task_work_run+0x113/0x190
[ 1011.791176] exit_to_usermode_loop+0x1d6/0x220
[ 1011.795755] do_syscall_64+0x4a3/0x640
[ 1011.799638] entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 1011.804856] RIP: 0033:0x4163e1
[ 1011.808026] RSP: 002b:00007ffd38e74520 EFLAGS: 00000293 ORIG_RAX: 0000000000000003
[ 1011.815747] RAX: 0000000000000000 RBX: 0000000000000006 RCX: 00000000004163e1
[ 1011.822996] RDX: 0000000000000000 RSI: 0000000000000081 RDI: 0000000000000005
[ 1011.830250] RBP: 0000000000000000 R08: 00000000007703e0 R09: 01ffffffffffffff
[ 1011.837507] R10: 00007ffd38e745f0 R11: 0000000000000293 R12: 000000000076bf00
[ 1011.844769] R13: 00000000007703e8 R14: 0000000000000000 R15: 000000000076bf0c
[ 1011.853601] Kernel Offset: disabled
[ 1011.857274] Rebooting in 86400 seconds..