[ 37.754426] audit: type=1800 audit(1582986782.365:33): pid=7273 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:kernel_t:s0 op="collect_data" cause="failed(directio)" comm="startpar" name="rc.local" dev="sda1" ino=2465 res=0
[ 37.783405] audit: type=1800 audit(1582986782.365:34): pid=7273 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:kernel_t:s0 op="collect_data" cause="failed(directio)" comm="startpar" name="rmnologin" dev="sda1" ino=2456 res=0
[ 37.831850] random: sshd: uninitialized urandom read (32 bytes read)
[ 38.208988] audit: type=1400 audit(1582986782.815:35): avc: denied { map } for pid=7444 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
[ 38.250824] random: sshd: uninitialized urandom read (32 bytes read)

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [ 39.006926] random: sshd: uninitialized urandom read (32 bytes read)
[ 43.520558] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.0.66' (ECDSA) to the list of known hosts.
[ 49.035446] random: sshd: uninitialized urandom read (32 bytes read)
[ 49.168824] audit: type=1400 audit(1582986793.775:36): avc: denied { map } for pid=7457 comm="syz-executor020" path="/root/syz-executor020853297" dev="sda1" ino=16483 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
[ 49.441095] IPVS: ftp: loaded support on port[0] = 21
executing program
executing program
executing program
[ 50.259461] netlink: 20 bytes leftover after parsing attributes in process `syz-executor020'.
[ 50.273368] tunl0: Master is either lo or non-ether device
[ 50.282903] netlink: 20 bytes leftover after parsing attributes in process `syz-executor020'.
[ 50.296331] gre0: Master is either lo or non-ether device
[ 50.305594] netlink: 20 bytes leftover after parsing attributes in process `syz-executor020'.
[ 50.319624] ==================================================================
[ 50.327111] BUG: KASAN: use-after-free in radix_tree_next_chunk+0x950/0x9a0
[ 50.334291] Read of size 8 at addr ffff88809742b648 by task syz-executor020/7461
[ 50.341811]
[ 50.343544] CPU: 1 PID: 7461 Comm: syz-executor020 Not tainted 4.14.172-syzkaller #0
[ 50.351412] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 50.361994] Call Trace:
[ 50.365077]  dump_stack+0x13e/0x194
[ 50.368868]  ? radix_tree_next_chunk+0x950/0x9a0
[ 50.373635]  print_address_description.cold+0x7c/0x1e2
[ 50.378980]  ? radix_tree_next_chunk+0x950/0x9a0
[ 50.383772]  kasan_report.cold+0xa9/0x2ae
[ 50.387919]  radix_tree_next_chunk+0x950/0x9a0
[ 50.392633]  ida_remove+0x9b/0x210
[ 50.396174]  ? ida_destroy+0x1b0/0x1b0
[ 50.400066]  ? lock_acquire+0x170/0x3f0
[ 50.404056]  ida_simple_remove+0x31/0x50
[ 50.408147]  ipvlan_link_new+0x4f9/0xfc0
[ 50.412383]  rtnl_newlink+0xecb/0x1720
[ 50.416280]  ? ipvlan_port_destroy+0x3f0/0x3f0
[ 50.420851]  ? trace_hardirqs_on+0x10/0x10
[ 50.425086]  ? rtnl_link_unregister+0x1f0/0x1f0
[ 50.429751]  ? lock_acquire+0x170/0x3f0
[ 50.433711]  ? lock_acquire+0x170/0x3f0
[ 50.437742]  ? rtnetlink_rcv_msg+0x31d/0xb10
[ 50.442171]  ? __lock_is_held+0xad/0x140
[ 50.446323]  ? lock_downgrade+0x6e0/0x6e0
[ 50.450506]  ? rtnl_link_unregister+0x1f0/0x1f0
[ 50.455178]  rtnetlink_rcv_msg+0x3be/0xb10
[ 50.459406]  ? rtnl_bridge_getlink+0x7a0/0x7a0
[ 50.464081]  ? save_trace+0x290/0x290
[ 50.467874]  ? save_trace+0x290/0x290
[ 50.471672]  netlink_rcv_skb+0x127/0x370
[ 50.475729]  ? rtnl_bridge_getlink+0x7a0/0x7a0
[ 50.480744]  ? netlink_ack+0x960/0x960
[ 50.484630]  netlink_unicast+0x437/0x620
[ 50.488686]  ? netlink_attachskb+0x600/0x600
[ 50.493177]  netlink_sendmsg+0x733/0xbe0
[ 50.497253]  ? netlink_unicast+0x620/0x620
[ 50.501474]  ? SYSC_sendto+0x2b0/0x2b0
[ 50.505361]  ? security_socket_sendmsg+0x83/0xb0
[ 50.510103]  ? netlink_unicast+0x620/0x620
[ 50.514341]  sock_sendmsg+0xc5/0x100
[ 50.518157]  ___sys_sendmsg+0x70a/0x840
[ 50.522152]  ? copy_msghdr_from_user+0x380/0x380
[ 50.526929]  ? trace_hardirqs_on+0x10/0x10
[ 50.531218]  ? save_trace+0x290/0x290
[ 50.535032]  ? find_held_lock+0x2d/0x110
[ 50.539083]  ? __might_fault+0x104/0x1b0
[ 50.543178]  ? lock_acquire+0x170/0x3f0
[ 50.547157]  ? lock_downgrade+0x6e0/0x6e0
[ 50.551301]  ? __might_fault+0x177/0x1b0
[ 50.555360]  ? _copy_to_user+0x82/0xd0
[ 50.559236]  ? __fget_light+0x16a/0x1f0
[ 50.563225]  ? sockfd_lookup_light+0xb2/0x160
[ 50.567714]  __sys_sendmsg+0xa3/0x120
[ 50.571515]  ? SyS_shutdown+0x160/0x160
[ 50.575493]  ? move_addr_to_kernel+0x60/0x60
[ 50.579908]  ? __do_page_fault+0x35b/0xb40
[ 50.584148]  SyS_sendmsg+0x27/0x40
[ 50.587672]  ? __sys_sendmsg+0x120/0x120
[ 50.592855]  do_syscall_64+0x1d5/0x640
[ 50.596733]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 50.601913] RIP: 0033:0x4416f9
[ 50.605092] RSP: 002b:00007ffc8c6e3d88 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
[ 50.612797] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00000000004416f9
[ 50.620264] RDX: 0000000000000000 RSI: 0000000020000140 RDI: 0000000000000003
[ 50.628284] RBP: 000000000000c469 R08: 0000000100000000 R09: 0000000100000000
[ 50.635566] R10: 0000000100000000 R11: 0000000000000246 R12: 00000000004025c0
[ 50.643099] R13: 0000000000402650 R14: 0000000000000000 R15: 0000000000000000
[ 50.650652]
[ 50.652287] Allocated by task 7461:
[ 50.656789]  save_stack+0x32/0xa0
[ 50.660452]  kasan_kmalloc+0xbf/0xe0
[ 50.665267]  kmem_cache_alloc_trace+0x14d/0x7b0
[ 50.669926]  ipvlan_link_new+0x640/0xfc0
[ 50.674484]  rtnl_newlink+0xecb/0x1720
[ 50.678523]  rtnetlink_rcv_msg+0x3be/0xb10
[ 50.683379]  netlink_rcv_skb+0x127/0x370
[ 50.687765]  netlink_unicast+0x437/0x620
[ 50.691930]  netlink_sendmsg+0x733/0xbe0
[ 50.697000]  sock_sendmsg+0xc5/0x100
[ 50.701067]  ___sys_sendmsg+0x70a/0x840
[ 50.705886]  __sys_sendmsg+0xa3/0x120
[ 50.710185]  SyS_sendmsg+0x27/0x40
[ 50.713994]  do_syscall_64+0x1d5/0x640
[ 50.718513]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 50.724016]
[ 50.725637] Freed by task 7461:
[ 50.729366]  save_stack+0x32/0xa0
[ 50.732825]  kasan_slab_free+0x75/0xc0
[ 50.736722]  kfree+0xcb/0x260
[ 50.739835]  ipvlan_uninit+0xb6/0xe0
[ 50.743753]  register_netdevice+0x756/0xc70
[ 50.748896]  ipvlan_link_new+0x485/0xfc0
[ 50.753544]  rtnl_newlink+0xecb/0x1720
[ 50.757430]  rtnetlink_rcv_msg+0x3be/0xb10
[ 50.761680]  netlink_rcv_skb+0x127/0x370
[ 50.765734]  netlink_unicast+0x437/0x620
[ 50.769813]  netlink_sendmsg+0x733/0xbe0
[ 50.774150]  sock_sendmsg+0xc5/0x100
[ 50.778130]  ___sys_sendmsg+0x70a/0x840
[ 50.782198]  __sys_sendmsg+0xa3/0x120
[ 50.785992]  SyS_sendmsg+0x27/0x40
[ 50.789572]  do_syscall_64+0x1d5/0x640
[ 50.793449]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 50.799057]
[ 50.800678] The buggy address belongs to the object at ffff88809742ad80
[ 50.800678]  which belongs to the cache kmalloc-4096 of size 4096
[ 50.813711] The buggy address is located 2248 bytes inside of
[ 50.813711]  4096-byte region [ffff88809742ad80, ffff88809742bd80)
[ 50.825872] The buggy address belongs to the page:
[ 50.830791] page:ffffea00025d0a80 count:1 mapcount:0 mapping:ffff88809742ad80 index:0x0 compound_mapcount: 0
[ 50.840766] flags: 0xfffe0000008100(slab|head)
[ 50.845580] raw: 00fffe0000008100 ffff88809742ad80 0000000000000000 0000000100000001
[ 50.853466] raw: ffffea00025d0a20 ffff88812fe54a48 ffff88812fe56dc0 0000000000000000
[ 50.861345] page dumped because: kasan: bad access detected
[ 50.867080]
[ 50.868692] Memory state around the buggy address:
[ 50.873607]  ffff88809742b500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 50.881069]  ffff88809742b580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 50.888500] >ffff88809742b600: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 50.895886]                                               ^
[ 50.901866]  ffff88809742b680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 50.909217]  ffff88809742b700: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 50.916564] ==================================================================
[ 50.923914] Disabling lock debugging due to kernel taint
[ 50.929346] Kernel panic - not syncing: panic_on_warn set ...
[ 50.929346]
[ 50.936693] CPU: 1 PID: 7461 Comm: syz-executor020 Tainted: G    B   4.14.172-syzkaller #0
[ 50.945771] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 50.955131] Call Trace:
[ 50.957895]  dump_stack+0x13e/0x194
[ 50.961527]  panic+0x1f9/0x42d
[ 50.965669]  ? add_taint.cold+0x16/0x16
[ 50.973719]  ? lock_downgrade+0x6e0/0x6e0
[ 50.978089]  ? radix_tree_next_chunk+0x950/0x9a0
[ 50.983302]  kasan_end_report+0x43/0x49
[ 50.988090]  kasan_report.cold+0x12f/0x2ae
[ 50.992886]  radix_tree_next_chunk+0x950/0x9a0
[ 50.998033]  ida_remove+0x9b/0x210
[ 51.002037]  ? ida_destroy+0x1b0/0x1b0
[ 51.006288]  ? lock_acquire+0x170/0x3f0
[ 51.010378]  ida_simple_remove+0x31/0x50
[ 51.014437]  ipvlan_link_new+0x4f9/0xfc0
[ 51.018592]  rtnl_newlink+0xecb/0x1720
[ 51.022573]  ? ipvlan_port_destroy+0x3f0/0x3f0
[ 51.027735]  ? trace_hardirqs_on+0x10/0x10
[ 51.032829]  ? rtnl_link_unregister+0x1f0/0x1f0
[ 51.038152]  ? lock_acquire+0x170/0x3f0
[ 51.042274]  ? lock_acquire+0x170/0x3f0
[ 51.046753]  ? rtnetlink_rcv_msg+0x31d/0xb10
[ 51.051250]  ? __lock_is_held+0xad/0x140
[ 51.055865]  ? lock_downgrade+0x6e0/0x6e0
[ 51.060688]  ? rtnl_link_unregister+0x1f0/0x1f0
[ 51.065732]  rtnetlink_rcv_msg+0x3be/0xb10
[ 51.069971]  ? rtnl_bridge_getlink+0x7a0/0x7a0
[ 51.074777]  ? save_trace+0x290/0x290
[ 51.078572]  ? save_trace+0x290/0x290
[ 51.082395]  netlink_rcv_skb+0x127/0x370
[ 51.086734]  ? rtnl_bridge_getlink+0x7a0/0x7a0
[ 51.091347]  ? netlink_ack+0x960/0x960
[ 51.095308]  netlink_unicast+0x437/0x620
[ 51.099489]  ? netlink_attachskb+0x600/0x600
[ 51.104453]  netlink_sendmsg+0x733/0xbe0
[ 51.108530]  ? netlink_unicast+0x620/0x620
[ 51.112761]  ? SYSC_sendto+0x2b0/0x2b0
[ 51.116643]  ? security_socket_sendmsg+0x83/0xb0
[ 51.121386]  ? netlink_unicast+0x620/0x620
[ 51.125608]  sock_sendmsg+0xc5/0x100
[ 51.129304]  ___sys_sendmsg+0x70a/0x840
[ 51.133273]  ? copy_msghdr_from_user+0x380/0x380
[ 51.138196]  ? trace_hardirqs_on+0x10/0x10
[ 51.142446]  ? save_trace+0x290/0x290
[ 51.146227]  ? find_held_lock+0x2d/0x110
[ 51.150328]  ? __might_fault+0x104/0x1b0
[ 51.154380]  ? lock_acquire+0x170/0x3f0
[ 51.158337]  ? lock_downgrade+0x6e0/0x6e0
[ 51.162656]  ? __might_fault+0x177/0x1b0
[ 51.166702]  ? _copy_to_user+0x82/0xd0
[ 51.170570]  ? __fget_light+0x16a/0x1f0
[ 51.174537]  ? sockfd_lookup_light+0xb2/0x160
[ 51.179072]  __sys_sendmsg+0xa3/0x120
[ 51.182876]  ? SyS_shutdown+0x160/0x160
[ 51.186850]  ? move_addr_to_kernel+0x60/0x60
[ 51.191249]  ? __do_page_fault+0x35b/0xb40
[ 51.196185]  SyS_sendmsg+0x27/0x40
[ 51.199712]  ? __sys_sendmsg+0x120/0x120
[ 51.203781]  do_syscall_64+0x1d5/0x640
[ 51.207666]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 51.212855] RIP: 0033:0x4416f9
[ 51.216026] RSP: 002b:00007ffc8c6e3d88 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
[ 51.225898] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00000000004416f9
[ 51.233154] RDX: 0000000000000000 RSI: 0000000020000140 RDI: 0000000000000003
[ 51.240408] RBP: 000000000000c469 R08: 0000000100000000 R09: 0000000100000000
[ 51.247666] R10: 0000000100000000 R11: 0000000000000246 R12: 00000000004025c0
[ 51.254919] R13: 0000000000402650 R14: 0000000000000000 R15: 0000000000000000
[ 51.263637] Kernel Offset: disabled
[ 51.267261] Rebooting in 86400 seconds..