[ 34.745170] audit: type=1800 audit(1554987349.719:33): pid=6986 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:kernel_t:s0 op="collect_data" cause="failed(directio)" comm="startpar" name="rc.local" dev="sda1" ino=2465 res=0
[ 34.766724] audit: type=1800 audit(1554987349.719:34): pid=6986 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:kernel_t:s0 op="collect_data" cause="failed(directio)" comm="startpar" name="rmnologin" dev="sda1" ino=2456 res=0

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [ 44.576459] random: sshd: uninitialized urandom read (32 bytes read)
[ 45.141841] audit: type=1400 audit(1554987360.119:35): avc: denied { map } for pid=7156 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
[ 45.197633] random: sshd: uninitialized urandom read (32 bytes read)
[ 45.807859] random: sshd: uninitialized urandom read (32 bytes read)
[ 48.246862] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.10.32' (ECDSA) to the list of known hosts.
[ 54.005180] random: sshd: uninitialized urandom read (32 bytes read)
[ 54.129463] audit: type=1400 audit(1554987369.099:36): avc: denied { map } for pid=7168 comm="syz-executor990" path="/root/syz-executor990932121" dev="sda1" ino=16484 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
[ 54.950352] IPVS: ftp: loaded support on port[0] = 21
[ 55.240253] chnl_net:caif_netlink_parms(): no params data found
[ 55.273565] bridge0: port 1(bridge_slave_0) entered blocking state
[ 55.280910] bridge0: port 1(bridge_slave_0) entered disabled state
[ 55.288331] device bridge_slave_0 entered promiscuous mode
[ 55.296109] bridge0: port 2(bridge_slave_1) entered blocking state
[ 55.302738] bridge0: port 2(bridge_slave_1) entered disabled state
[ 55.310350] device bridge_slave_1 entered promiscuous mode
[ 55.326064] bond0: Enslaving bond_slave_0 as an active interface with an up link
[ 55.335553] bond0: Enslaving bond_slave_1 as an active interface with an up link
[ 55.352337] IPv6: ADDRCONF(NETDEV_UP): team_slave_0: link is not ready
[ 55.359763] team0: Port device team_slave_0 added
[ 55.366123] IPv6: ADDRCONF(NETDEV_UP): team_slave_1: link is not ready
[ 55.373494] team0: Port device team_slave_1 added
[ 55.379028] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_0: link is not ready
[ 55.386497] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_1: link is not ready
[ 55.472271] device hsr_slave_0 entered promiscuous mode
[ 55.510403] device hsr_slave_1 entered promiscuous mode
[ 55.590636] IPv6: ADDRCONF(NETDEV_UP): hsr_slave_0: link is not ready
[ 55.598193] IPv6: ADDRCONF(NETDEV_UP): hsr_slave_1: link is not ready
[ 55.614081] bridge0: port 2(bridge_slave_1) entered blocking state
[ 55.620633] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 55.627671] bridge0: port 1(bridge_slave_0) entered blocking state
[ 55.634099] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 55.662275] IPv6: ADDRCONF(NETDEV_UP): bond0: link is not ready
[ 55.668401] 8021q: adding VLAN 0 to HW filter on device bond0
[ 55.677688] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
[ 55.686558] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 55.706220] bridge0: port 1(bridge_slave_0) entered disabled state
[ 55.713745] bridge0: port 2(bridge_slave_1) entered disabled state
[ 55.724492] IPv6: ADDRCONF(NETDEV_UP): team0: link is not ready
[ 55.731009] 8021q: adding VLAN 0 to HW filter on device team0
[ 55.739444] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[ 55.747194] bridge0: port 1(bridge_slave_0) entered blocking state
[ 55.753755] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 55.764439] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[ 55.772647] bridge0: port 2(bridge_slave_1) entered blocking state
[ 55.779016] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 55.798750] hsr0: Slave A (hsr_slave_0) is not up; please bring it up to get a fully working HSR network
[ 55.809060] hsr0: Slave B (hsr_slave_1) is not up; please bring it up to get a fully working HSR network
[ 55.820396] IPv6: ADDRCONF(NETDEV_UP): hsr0: link is not ready
[ 55.827110] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready
[ 55.836211] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready
[ 55.843849] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
[ 55.851563] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
executing program
[ 55.859261] IPv6: ADDRCONF(NETDEV_CHANGE): hsr0: link becomes ready
[ 55.866299] IPv6: ADDRCONF(NETDEV_CHANGE): team0: link becomes ready
[ 55.877763] IPv6: ADDRCONF(NETDEV_UP): vxcan1: link is not ready
[ 55.890894] 8021q: adding VLAN 0 to HW filter on device batadv0
[ 55.918997] ==================================================================
[ 55.926923] BUG: KASAN: use-after-free in erspan_build_header+0x392/0x3b0
[ 55.933948] Read of size 2 at addr ffff888096864a4b by task syz-executor990/7169
[ 55.941483]
[ 55.943128] CPU: 1 PID: 7169 Comm: syz-executor990 Not tainted 4.14.111 #1
[ 55.950322] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 55.960147] Call Trace:
[ 55.962917]  dump_stack+0x138/0x19c
[ 55.966542]  ? erspan_build_header+0x392/0x3b0
[ 55.971992]  print_address_description.cold+0x7c/0x1dc
[ 55.977668]  ? erspan_build_header+0x392/0x3b0
[ 55.982596]  kasan_report.cold+0xaf/0x2b5
[ 55.987032]  __asan_report_load_n_noabort+0xf/0x20
[ 55.992316]  erspan_build_header+0x392/0x3b0
[ 55.996851]  ? iptunnel_handle_offloads+0x2f3/0x500
[ 56.001876]  erspan_xmit+0x3ec/0x11c0
[ 56.005675]  ? __gre_xmit+0x890/0x890
[ 56.009478]  ? lock_acquire+0x16f/0x430
[ 56.013581]  ? packet_direct_xmit+0x345/0x640
[ 56.018513]  packet_direct_xmit+0x438/0x640
[ 56.022846]  packet_sendmsg+0x31e1/0x5990
[ 56.027192]  ? __might_fault+0x110/0x1d0
[ 56.031284]  ? rw_copy_check_uvector+0x1f1/0x290
[ 56.036139]  ? packet_notifier+0x770/0x770
[ 56.040526]  ? copy_msghdr_from_user+0x292/0x3f0
[ 56.045354]  ? security_socket_sendmsg+0x8f/0xc0
[ 56.050113]  ? packet_notifier+0x770/0x770
[ 56.054344]  sock_sendmsg+0xd0/0x110
[ 56.058056]  ___sys_sendmsg+0x70c/0x850
[ 56.062235]  ? copy_msghdr_from_user+0x3f0/0x3f0
[ 56.067318]  ? lock_downgrade+0x6e0/0x6e0
[ 56.071507]  ? kasan_check_write+0x14/0x20
[ 56.075739]  ? _copy_from_user+0x99/0x110
[ 56.079999]  ? packet_setsockopt+0xe9/0x2830
[ 56.084486]  ? sock_has_perm+0x1ed/0x280
[ 56.088726]  ? selinux_tun_dev_create+0xc0/0xc0
[ 56.093561]  ? __fdget+0x1b/0x20
[ 56.096920]  ? sockfd_lookup_light+0xb4/0x160
[ 56.101916]  __sys_sendmsg+0xb9/0x140
[ 56.105747]  ? SyS_shutdown+0x180/0x180
[ 56.109828]  ? security_socket_setsockopt+0x8f/0xc0
[ 56.114850]  ? SyS_recv+0x40/0x40
[ 56.118532]  SyS_sendmsg+0x2d/0x50
[ 56.122238]  ? __sys_sendmsg+0x140/0x140
[ 56.126308]  do_syscall_64+0x1eb/0x630
[ 56.130296]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 56.135281]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 56.140467] RIP: 0033:0x441989
[ 56.143652] RSP: 002b:00007ffdccf778f8 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
[ 56.151503] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000000441989
[ 56.158917] RDX: 0000000000000000 RSI: 0000000020000600 RDI: 0000000000000003
[ 56.166316] RBP: 00000000004a9070 R08: 0000000001bbbbbb R09: 0000000001bbbbbb
[ 56.173624] R10: 0000000000000004 R11: 0000000000000246 R12: 0000000000402ed0
[ 56.181120] R13: 0000000000402f60 R14: 0000000000000000 R15: 0000000000000000
[ 56.188406]
[ 56.190036] Allocated by task 3896:
[ 56.193762]  save_stack_trace+0x16/0x20
[ 56.197816]  save_stack+0x45/0xd0
[ 56.201521]  kasan_kmalloc+0xce/0xf0
[ 56.205231]  kasan_slab_alloc+0xf/0x20
[ 56.209329]  kmem_cache_alloc+0x12e/0x780
[ 56.213609]  __debug_object_init+0x5b8/0x8e0
[ 56.218181]  debug_object_activate+0x277/0x460
[ 56.222982]  __call_rcu.constprop.0+0x35/0x820
[ 56.227593]  call_rcu+0x12/0x20
[ 56.230872]  __fput+0x458/0x7a0
[ 56.234226]  ____fput+0x16/0x20
[ 56.237556]  task_work_run+0x119/0x190
[ 56.241681]  exit_to_usermode_loop+0x1da/0x220
[ 56.246446]  do_syscall_64+0x4a9/0x630
[ 56.250620]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 56.255958]
[ 56.257770] Freed by task 25:
[ 56.260870]  save_stack_trace+0x16/0x20
[ 56.264857]  save_stack+0x45/0xd0
[ 56.268573]  kasan_slab_free+0x75/0xc0
[ 56.272557]  kmem_cache_free+0x83/0x2b0
[ 56.276665]  free_obj_work+0x233/0x6d0
[ 56.280544]  process_one_work+0x868/0x1610
[ 56.284768]  worker_thread+0x5d9/0x1050
[ 56.288727]  kthread+0x31c/0x430
[ 56.292085]  ret_from_fork+0x3a/0x50
[ 56.295783]
[ 56.297412] The buggy address belongs to the object at ffff888096864a48
[ 56.297412]  which belongs to the cache debug_objects_cache of size 40
[ 56.310933] The buggy address is located 3 bytes inside of
[ 56.310933]  40-byte region [ffff888096864a48, ffff888096864a70)
[ 56.322753] The buggy address belongs to the page:
[ 56.327928] page:ffffea00025a1900 count:1 mapcount:0 mapping:ffff888096864000 index:0xffff888096864fb9
[ 56.337646] flags: 0x1fffc0000000100(slab)
[ 56.341875] raw: 01fffc0000000100 ffff888096864000 ffff888096864fb9 0000000100000004
[ 56.349947] raw: ffffea00023d6ba0 ffffea00029760a0 ffff8880aa810dc0 0000000000000000
[ 56.358002] page dumped because: kasan: bad access detected
[ 56.363787]
[ 56.365404] Memory state around the buggy address:
[ 56.370321]  ffff888096864900: fb fb fb fb fc fc fb fb fb fb fb fc fc fb fb fb
[ 56.377683]  ffff888096864980: fb fb fc fc fb fb fb fb fb fc fc fb fb fb fb fb
[ 56.385028] >ffff888096864a00: fc fc fb fb fb fb fb fc fc fb fb fb fb fb fc fc
[ 56.393095]                                               ^
[ 56.398823]  ffff888096864a80: fb fb fb fb fb fc fc fb fb fb fb fb fc fc fb fb
[ 56.406441]  ffff888096864b00: fb fb fb fc fc fb fb fb fb fb fc fc fb fb fb fb
[ 56.413918] ==================================================================
[ 56.421406] Disabling lock debugging due to kernel taint
[ 56.427101] Kernel panic - not syncing: panic_on_warn set ...
[ 56.427101]
[ 56.434459] CPU: 1 PID: 7169 Comm: syz-executor990 Tainted: G B 4.14.111 #1
[ 56.443107] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 56.452485] Call Trace:
[ 56.455370]  dump_stack+0x138/0x19c
[ 56.459006]  ? erspan_build_header+0x392/0x3b0
[ 56.463680]  panic+0x1f2/0x438
[ 56.466868]  ? add_taint.cold+0x16/0x16
[ 56.471280]  kasan_end_report+0x47/0x4f
[ 56.475342]  kasan_report.cold+0x136/0x2b5
[ 56.479566]  __asan_report_load_n_noabort+0xf/0x20
[ 56.484492]  erspan_build_header+0x392/0x3b0
[ 56.489120]  ? iptunnel_handle_offloads+0x2f3/0x500
[ 56.494357]  erspan_xmit+0x3ec/0x11c0
[ 56.498146]  ? __gre_xmit+0x890/0x890
[ 56.502703]  ? lock_acquire+0x16f/0x430
[ 56.506869]  ? packet_direct_xmit+0x345/0x640
[ 56.511576]  packet_direct_xmit+0x438/0x640
[ 56.515895]  packet_sendmsg+0x31e1/0x5990
[ 56.520257]  ? __might_fault+0x110/0x1d0
[ 56.525064]  ? rw_copy_check_uvector+0x1f1/0x290
[ 56.530281]  ? packet_notifier+0x770/0x770
[ 56.535138]  ? copy_msghdr_from_user+0x292/0x3f0
[ 56.540078]  ? security_socket_sendmsg+0x8f/0xc0
[ 56.544952]  ? packet_notifier+0x770/0x770
[ 56.549385]  sock_sendmsg+0xd0/0x110
[ 56.553391]  ___sys_sendmsg+0x70c/0x850
[ 56.557358]  ? copy_msghdr_from_user+0x3f0/0x3f0
[ 56.562111]  ? lock_downgrade+0x6e0/0x6e0
[ 56.566376]  ? kasan_check_write+0x14/0x20
[ 56.570796]  ? _copy_from_user+0x99/0x110
[ 56.575095]  ? packet_setsockopt+0xe9/0x2830
[ 56.580358]  ? sock_has_perm+0x1ed/0x280
[ 56.603390]  ? selinux_tun_dev_create+0xc0/0xc0
[ 56.608292]  ? __fdget+0x1b/0x20
[ 56.611653]  ? sockfd_lookup_light+0xb4/0x160
[ 56.616139]  __sys_sendmsg+0xb9/0x140
[ 56.620009]  ? SyS_shutdown+0x180/0x180
[ 56.623988]  ? security_socket_setsockopt+0x8f/0xc0
[ 56.629084]  ? SyS_recv+0x40/0x40
[ 56.632925]  SyS_sendmsg+0x2d/0x50
[ 56.636627]  ? __sys_sendmsg+0x140/0x140
[ 56.640921]  do_syscall_64+0x1eb/0x630
[ 56.645650]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 56.651641]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 56.657070] RIP: 0033:0x441989
[ 56.660244] RSP: 002b:00007ffdccf778f8 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
[ 56.668367] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000000441989
[ 56.675632] RDX: 0000000000000000 RSI: 0000000020000600 RDI: 0000000000000003
[ 56.683215] RBP: 00000000004a9070 R08: 0000000001bbbbbb R09: 0000000001bbbbbb
[ 56.690477] R10: 0000000000000004 R11: 0000000000000246 R12: 0000000000402ed0
[ 56.697778] R13: 0000000000402f60 R14: 0000000000000000 R15: 0000000000000000
[ 56.706159] Kernel Offset: disabled
[ 56.709998] Rebooting in 86400 seconds..
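Triage note and an added example (not part of the syzbot report above and not syzkaller's own tooling). The report says "use-after-free", but the object whose history KASAN prints is a debug_objects_cache entry allocated by __debug_object_init and freed by free_obj_work: debugobjects bookkeeping with no connection to erspan or GRE. That label describes the shadow state of the byte erspan_build_header happened to read (fb = freed slab memory), not necessarily the bug class of the code that read it; the more natural reading is a stray 2-byte read outside the buffer erspan_build_header meant to touch, reached from sendmsg() on an AF_PACKET socket in direct-transmit mode (packet_direct_xmit) bound to an erspan device. The script below pulls exactly those triage facts out of a raw console log: bug kind, faulting function, access size and address, the slab cache and offset of the object that was hit, the alloc/free tasks and stacks with the unreliable "? " frames dropped, the user-reachable call path up to the syscall boundary, whether panic_on_warn rebooted the box, and a heuristic flag for "alloc/free history is from an unrelated subsystem". The regexes assume the 4.14-era wording shown in this report (newer kernels phrase some of these lines differently); the embedded REPORT is a trimmed copy of the log above.

```python
"""Parse a KASAN report from a raw console log and pull out the triage facts."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample: the decisive lines of the report above, copied from the console
# log with timestamps as printed. Most "? " frames were dropped to keep it short.
REPORT = """\
[ 55.918997] ==================================================================
[ 55.926923] BUG: KASAN: use-after-free in erspan_build_header+0x392/0x3b0
[ 55.933948] Read of size 2 at addr ffff888096864a4b by task syz-executor990/7169
[ 55.943128] CPU: 1 PID: 7169 Comm: syz-executor990 Not tainted 4.14.111 #1
[ 55.960147] Call Trace:
[ 55.962917]  dump_stack+0x138/0x19c
[ 55.966542]  ? erspan_build_header+0x392/0x3b0
[ 55.971992]  print_address_description.cold+0x7c/0x1dc
[ 55.982596]  kasan_report.cold+0xaf/0x2b5
[ 55.987032]  __asan_report_load_n_noabort+0xf/0x20
[ 55.992316]  erspan_build_header+0x392/0x3b0
[ 55.996851]  ? iptunnel_handle_offloads+0x2f3/0x500
[ 56.001876]  erspan_xmit+0x3ec/0x11c0
[ 56.018513]  packet_direct_xmit+0x438/0x640
[ 56.022846]  packet_sendmsg+0x31e1/0x5990
[ 56.054344]  sock_sendmsg+0xd0/0x110
[ 56.058056]  ___sys_sendmsg+0x70c/0x850
[ 56.101916]  __sys_sendmsg+0xb9/0x140
[ 56.118532]  SyS_sendmsg+0x2d/0x50
[ 56.126308]  do_syscall_64+0x1eb/0x630
[ 56.135281]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 56.140467] RIP: 0033:0x441989
[ 56.190036] Allocated by task 3896:
[ 56.193762]  save_stack_trace+0x16/0x20
[ 56.209329]  kmem_cache_alloc+0x12e/0x780
[ 56.213609]  __debug_object_init+0x5b8/0x8e0
[ 56.227593]  call_rcu+0x12/0x20
[ 56.230872]  __fput+0x458/0x7a0
[ 56.257770] Freed by task 25:
[ 56.268573]  kasan_slab_free+0x75/0xc0
[ 56.272557]  kmem_cache_free+0x83/0x2b0
[ 56.276665]  free_obj_work+0x233/0x6d0
[ 56.284768]  worker_thread+0x5d9/0x1050
[ 56.297412] The buggy address belongs to the object at ffff888096864a48
[ 56.297412]  which belongs to the cache debug_objects_cache of size 40
[ 56.310933] The buggy address is located 3 bytes inside of
[ 56.310933]  40-byte region [ffff888096864a48, ffff888096864a70)
[ 56.413918] ==================================================================
[ 56.427101] Kernel panic - not syncing: panic_on_warn set ...
"""

TS = r"^\[\s*\d+\.\d+\]\s*"  # printk timestamp prefix, e.g. "[ 55.926923] "
BUG_RE = re.compile(TS + r"BUG: KASAN: (?P<kind>[\w-]+) in (?P<func>[\w.]+)\+0x[0-9a-f]+/0x[0-9a-f]+")
ACCESS_RE = re.compile(TS + r"(?P<op>Read|Write) of size (?P<size>\d+) at addr (?P<addr>[0-9a-f]+)"
                       r" by task (?P<comm>[^/\s]+)/(?P<pid>\d+)")
CACHE_RE = re.compile(TS + r"which belongs to the cache (?P<cache>\S+) of size (?P<size>\d+)")
OFFSET_RE = re.compile(TS + r"The buggy address is located (?P<off>\d+) bytes"
                       r" (?P<where>inside|to the right|to the left) of")
SECTION_RE = re.compile(TS + r"(?P<name>Call Trace|Allocated by task|Freed by task)(?: (?P<task>\d+))?:")
FRAME_RE = re.compile(TS + r"(?P<unreliable>\? )?(?P<sym>[\w.]+)\+0x[0-9a-f]+/0x[0-9a-f]+$")
SEP_RE = re.compile(TS + r"=+$")
PANIC_RE = re.compile(TS + r"Kernel panic - not syncing")

# Frames that belong to KASAN/panic reporting itself, and the syscall boundary.
INSTRUMENTATION = ("dump_stack", "print_address_description", "kasan_", "__asan_", "panic", "add_taint")
SYSCALL_ENTRY = ("do_syscall_64", "entry_SYSCALL")


@dataclass
class KasanReport:
    kind: str                      # "use-after-free", "slab-out-of-bounds", ...
    func: str                      # function that performed the bad access
    op: str = ""                   # "Read" or "Write"
    size: int = 0
    addr: int = 0
    comm: str = ""
    pid: int = 0
    cache: Optional[str] = None    # slab cache of the object that was hit
    cache_size: Optional[int] = None
    offset: Optional[int] = None   # distance of the access from that object
    where: Optional[str] = None    # "inside", "to the right", "to the left"
    trace: List[str] = field(default_factory=list)        # reliable frames only
    alloc_task: Optional[int] = None
    alloc_trace: List[str] = field(default_factory=list)
    free_task: Optional[int] = None
    free_trace: List[str] = field(default_factory=list)
    panicked: bool = False


def parse_kasan(log: str) -> Optional[KasanReport]:
    """Return the first KASAN report found in a console log, or None."""
    report: Optional[KasanReport] = None
    stack: Optional[List[str]] = None  # stack list currently being filled
    for line in log.splitlines():
        line = line.rstrip()
        if report is None:
            m = BUG_RE.match(line)
            if m:
                report = KasanReport(kind=m["kind"], func=m["func"])
            continue
        if PANIC_RE.match(line):
            report.panicked = True
            break  # what follows is the panic path's repeat of the same trace
        m = ACCESS_RE.match(line)
        if m:
            report.op, report.size = m["op"], int(m["size"])
            report.addr, report.comm, report.pid = int(m["addr"], 16), m["comm"], int(m["pid"])
            continue
        m = CACHE_RE.match(line)
        if m:
            report.cache, report.cache_size = m["cache"], int(m["size"])
            continue
        m = OFFSET_RE.match(line)
        if m:
            report.offset, report.where = int(m["off"]), m["where"]
            continue
        m = SECTION_RE.match(line)
        if m:
            if m["name"] == "Call Trace":
                stack = report.trace
            elif m["name"] == "Allocated by task":
                report.alloc_task, stack = int(m["task"]), report.alloc_trace
            else:
                report.free_task, stack = int(m["task"]), report.free_trace
            continue
        m = FRAME_RE.match(line)
        if m and stack is not None:
            if not m["unreliable"]:  # "? sym" frames are stale stack slots, not the call chain
                stack.append(m["sym"])
            continue
        if SEP_RE.match(line):
            stack = None  # closing separator: the report body ends here
    return report


def reachable_path(r: KasanReport) -> List[str]:
    """Callee-to-caller chain from the faulting function up to the syscall boundary."""
    path: List[str] = []
    for sym in r.trace:
        if sym.startswith(INSTRUMENTATION):
            continue
        if sym.startswith(SYSCALL_ENTRY):
            break
        path.append(sym)
    return path


def history_matches_fault(r: KasanReport) -> bool:
    """Heuristic: does the object's alloc/free history mention the faulting function's
    subsystem (leading name component, erspan_build_header -> 'erspan')?  When it does
    not, the 'use-after-free' label reflects the shadow byte, not necessarily the bug."""
    token = r.func.lstrip("_").split("_")[0]
    return any(token in sym for sym in r.alloc_trace + r.free_trace)


def summary(r: KasanReport) -> str:
    verdict = ("alloc/free history matches the faulting subsystem" if history_matches_fault(r)
               else "alloc/free history is from an unrelated subsystem: suspect a stray access, not a true UAF")
    return (f"KASAN {r.kind}: {r.op.lower()} of {r.size} byte(s) in {r.func} by {r.comm}/{r.pid}; "
            f"hit object from {r.cache} ({r.cache_size} B), {r.offset} bytes {r.where} it; "
            f"path: {' <- '.join(reachable_path(r))}; panicked: {r.panicked}; {verdict}")


if __name__ == "__main__":
    print(summary(parse_kasan(REPORT)))
```

To use it on a real crash, feed the whole console log (the file syzbot links as "console output") to parse_kasan(); the parser ignores everything before the BUG line and stops at the panic. The history_matches_fault() heuristic is deliberately crude (a substring check on one name component) and is there to make the reader ask the question, not to answer it.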