[....] Starting periodic command scheduler: cron [ ok ]. Starting mcstransd: [....] Starting file context maintaining daemon: restorecond [ ok ]. [....] Starting OpenBSD Secure Shell server: sshd[ 14.206668] random: sshd: uninitialized urandom read (32 bytes read) [ ok ]. [ 14.503535] random: crng init done Debian GNU/Linux 7 syzkaller ttyS0 Warning: Permanently added '10.128.0.189' (ECDSA) to the list of known hosts. 2019/06/17 10:34:51 parsed 1 programs 2019/06/17 10:34:53 executed programs: 0 syzkaller login: [ 70.660475] audit: type=1400 audit(1560767693.728:5): avc: denied { sys_admin } for pid=2096 comm="syz-executor.0" capability=21 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=cap_userns permissive=1 [ 70.701130] audit: type=1400 audit(1560767693.778:6): avc: denied { net_admin } for pid=2097 comm="syz-executor.0" capability=12 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=cap_userns permissive=1 [ 70.872640] audit: type=1400 audit(1560767693.948:7): avc: denied { sys_chroot } for pid=2097 comm="syz-executor.0" capability=18 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=cap_userns permissive=1 [ 70.900099] audit: type=1400 audit(1560767693.968:8): avc: denied { associate } for pid=2097 comm="syz-executor.0" name="syz0" scontext=unconfined_u:object_r:unlabeled_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=filesystem permissive=1 [ 70.943151] audit: type=1400 audit(1560767694.018:9): avc: denied { dac_override } for pid=2121 comm="syz-executor.0" capability=1 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=cap_userns permissive=1 2019/06/17 10:34:58 executed programs: 46 [ 77.885114] 
================================================================== [ 77.892802] BUG: KASAN: use-after-free in pneigh_get_next.isra.4+0x273/0x2b0 [ 77.901822] Read of size 8 at addr ffff8801c61b1120 by task syz-executor.0/2402 [ 77.909414] [ 77.911063] CPU: 1 PID: 2402 Comm: syz-executor.0 Not tainted 4.9.141+ #1 [ 77.918418] ffff8801c5c77250 ffffffff81b42e79 ffffea0007186c40 ffff8801c61b1120 [ 77.926485] 0000000000000000 ffff8801c61b1120 ffff8801c61b1120 ffff8801c5c77288 [ 77.934636] ffffffff815009b8 ffff8801c61b1120 0000000000000008 0000000000000000 [ 77.942861] Call Trace: [ 77.945582] [] dump_stack+0xc1/0x128 [ 77.951549] [] print_address_description+0x6c/0x234 [ 77.958230] [] kasan_report.cold.6+0x242/0x2fe [ 77.964599] [] ? pneigh_get_next.isra.4+0x273/0x2b0 [ 77.971278] [] __asan_report_load8_noabort+0x14/0x20 [ 77.978337] [] pneigh_get_next.isra.4+0x273/0x2b0 [ 77.985118] [] ? mark_held_locks+0xc7/0x130 [ 77.991477] [] neigh_seq_next+0xb1/0x1e0 [ 77.998518] [] seq_read+0xa0b/0x12d0 [ 78.004131] [] ? seq_lseek+0x3c0/0x3c0 [ 78.009952] [] ? __fsnotify_inode_delete+0x30/0x30 [ 78.016727] [] proc_reg_read+0xfd/0x180 [ 78.022631] [] ? seq_lseek+0x3c0/0x3c0 [ 78.028217] [] do_loop_readv_writev.part.1+0xd5/0x280 [ 78.035194] [] do_readv_writev+0x56e/0x7b0 [ 78.041081] [] ? vfs_write+0x520/0x520 [ 78.046633] [] ? kasan_unpoison_shadow+0x35/0x50 [ 78.053030] [] ? push_pipe+0x3e2/0x770 [ 78.058840] [] ? iov_iter_get_pages_alloc+0x2be/0xee0 [ 78.065993] [] vfs_readv+0x84/0xc0 [ 78.071265] [] default_file_splice_read+0x451/0x7f0 [ 78.077930] [] ? debug_check_no_obj_freed+0x2ce/0x890 [ 78.085278] [] ? do_splice_direct+0x270/0x270 [ 78.091414] [] ? free_hot_cold_page+0x5b3/0x9d0 [ 78.097725] [] ? trace_hardirqs_on_caller+0x38b/0x590 [ 78.104640] [] ? trace_hardirqs_on+0xd/0x10 [ 78.110617] [] ? security_file_permission+0x8f/0x1e0 [ 78.117876] [] ? default_file_splice_write+0x68/0x80 [ 78.124722] [] ? 
do_splice_direct+0x270/0x270 [ 78.130915] [] do_splice_to+0x10c/0x170 [ 78.136713] [] splice_direct_to_actor+0x23f/0x7e0 [ 78.143298] [] ? pipe_to_sendpage+0x330/0x330 [ 78.149596] [] ? do_splice_to+0x170/0x170 [ 78.155480] [] ? security_file_permission+0x8f/0x1e0 [ 78.162655] [] ? rw_verify_area+0xe5/0x2a0 [ 78.168686] [] do_splice_direct+0x1a3/0x270 [ 78.174656] [] ? splice_direct_to_actor+0x7e0/0x7e0 [ 78.181622] [] ? rcu_sync_lockdep_assert+0x73/0xb0 [ 78.188551] [] ? __sb_start_write+0x161/0x300 [ 78.194928] [] do_sendfile+0x4f0/0xc30 [ 78.200567] [] ? do_compat_pwritev64+0x180/0x180 [ 78.207409] [] ? __might_fault+0x114/0x1d0 [ 78.213702] [] SyS_sendfile64+0x144/0x160 [ 78.219598] [] ? SyS_sendfile+0x160/0x160 [ 78.225384] [] ? do_syscall_64+0x48/0x550 [ 78.231213] [] ? SyS_sendfile+0x160/0x160 [ 78.237236] [] do_syscall_64+0x19f/0x550 [ 78.243116] [] entry_SYSCALL_64_after_swapgs+0x5d/0xdb [ 78.250024] [ 78.251637] Allocated by task 2404: [ 78.255729] save_stack_trace+0x16/0x20 [ 78.259690] kasan_kmalloc.part.1+0x62/0xf0 [ 78.264169] kasan_kmalloc+0xaf/0xc0 [ 78.267874] __kmalloc+0x12f/0x310 [ 78.271524] pneigh_lookup+0x17d/0x3f0 [ 78.275489] arp_req_set+0x443/0x570 [ 78.279196] arp_ioctl+0x32a/0x670 [ 78.282731] inet_ioctl+0x90/0x1d0 [ 78.286264] sock_do_ioctl+0x6a/0xb0 [ 78.290282] sock_ioctl+0x32d/0x3c0 [ 78.293895] do_vfs_ioctl+0x1ac/0x11a0 [ 78.297954] SyS_ioctl+0x8f/0xc0 [ 78.301307] do_syscall_64+0x19f/0x550 [ 78.305402] entry_SYSCALL_64_after_swapgs+0x5d/0xdb [ 78.310999] [ 78.312639] Freed by task 2401: [ 78.316265] save_stack_trace+0x16/0x20 [ 78.320326] kasan_slab_free+0xac/0x190 [ 78.324378] kfree+0xfb/0x310 [ 78.327568] neigh_ifdown+0x1da/0x2a0 [ 78.331583] arp_ifdown+0x1c/0x20 [ 78.335262] inetdev_event+0x6f2/0x10b0 [ 78.339228] notifier_call_chain+0xb4/0x1d0 [ 78.343678] raw_notifier_call_chain+0x2d/0x40 [ 78.348270] call_netdevice_notifiers_info+0x55/0x70 [ 78.353385] rollback_registered_many+0x6e5/0xb50 [ 78.358243] 
rollback_registered+0xee/0x1b0 [ 78.363084] unregister_netdevice_queue+0x1aa/0x230 [ 78.368122] __tun_detach+0x821/0xa00 [ 78.371939] tun_chr_close+0x44/0x60 [ 78.375800] __fput+0x263/0x700 [ 78.379188] ____fput+0x15/0x20 [ 78.382464] task_work_run+0x10c/0x180 [ 78.386358] exit_to_usermode_loop+0x129/0x150 [ 78.391089] do_syscall_64+0x3e2/0x550 [ 78.394986] entry_SYSCALL_64_after_swapgs+0x5d/0xdb [ 78.400255] [ 78.401947] The buggy address belongs to the object at ffff8801c61b1120 [ 78.401947] which belongs to the cache kmalloc-64 of size 64 [ 78.414680] The buggy address is located 0 bytes inside of [ 78.414680] 64-byte region [ffff8801c61b1120, ffff8801c61b1160) [ 78.426706] The buggy address belongs to the page: [ 78.431988] page:ffffea0007186c40 count:1 mapcount:0 mapping: (null) index:0x0 [ 78.440992] flags: 0x4000000000000080(slab) [ 78.445476] page dumped because: kasan: bad access detected [ 78.451397] [ 78.453017] Memory state around the buggy address: [ 78.458114] ffff8801c61b1000: fb fb fb fb fb fb fb fb fc fc fc fc fb fb fb fb [ 78.466700] ffff8801c61b1080: fb fb fb fb fc fc fc fc fb fb fb fb fb fb fb fb [ 78.474459] >ffff8801c61b1100: fc fc fc fc fb fb fb fb fb fb fb fb fc fc fc fc [ 78.482048] ^ [ 78.486865] ffff8801c61b1180: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 78.494688] ffff8801c61b1200: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 78.502273] ================================================================== [ 78.510522] Disabling lock debugging due to kernel taint [ 78.516283] Kernel panic - not syncing: panic_on_warn set ... 
[ 78.516283] [ 78.524208] CPU: 1 PID: 2402 Comm: syz-executor.0 Tainted: G B 4.9.141+ #1 [ 78.532639] ffff8801c5c771b0 ffffffff81b42e79 ffffffff82e37630 00000000ffffffff [ 78.541289] 0000000000000000 0000000000000001 ffff8801c61b1120 ffff8801c5c77270 [ 78.549762] ffffffff813f7125 0000000041b58ab3 ffffffff82e2b62b ffffffff813f6f66 [ 78.557901] Call Trace: [ 78.560529] [] dump_stack+0xc1/0x128 [ 78.566890] [] panic+0x1bf/0x39f [ 78.572176] [] ? add_taint.cold.5+0x16/0x16 [ 78.578319] [] kasan_end_report+0x47/0x4f [ 78.584394] [] kasan_report.cold.6+0x76/0x2fe [ 78.590673] [] ? pneigh_get_next.isra.4+0x273/0x2b0 [ 78.597555] [] __asan_report_load8_noabort+0x14/0x20 [ 78.604661] [] pneigh_get_next.isra.4+0x273/0x2b0 [ 78.611611] [] ? mark_held_locks+0xc7/0x130 [ 78.617871] [] neigh_seq_next+0xb1/0x1e0 [ 78.624282] [] seq_read+0xa0b/0x12d0 [ 78.629815] [] ? seq_lseek+0x3c0/0x3c0 [ 78.635913] [] ? __fsnotify_inode_delete+0x30/0x30 [ 78.642955] [] proc_reg_read+0xfd/0x180 [ 78.648784] [] ? seq_lseek+0x3c0/0x3c0 [ 78.654316] [] do_loop_readv_writev.part.1+0xd5/0x280 [ 78.661364] [] do_readv_writev+0x56e/0x7b0 [ 78.667644] [] ? vfs_write+0x520/0x520 [ 78.673184] [] ? kasan_unpoison_shadow+0x35/0x50 [ 78.679604] [] ? push_pipe+0x3e2/0x770 [ 78.685488] [] ? iov_iter_get_pages_alloc+0x2be/0xee0 [ 78.694561] [] vfs_readv+0x84/0xc0 [ 78.700216] [] default_file_splice_read+0x451/0x7f0 [ 78.707983] [] ? debug_check_no_obj_freed+0x2ce/0x890 [ 78.715275] [] ? do_splice_direct+0x270/0x270 [ 78.721432] [] ? free_hot_cold_page+0x5b3/0x9d0 [ 78.727746] [] ? trace_hardirqs_on_caller+0x38b/0x590 [ 78.735060] [] ? trace_hardirqs_on+0xd/0x10 [ 78.742164] [] ? security_file_permission+0x8f/0x1e0 [ 78.749329] [] ? default_file_splice_write+0x68/0x80 [ 78.756399] [] ? do_splice_direct+0x270/0x270 [ 78.762880] [] do_splice_to+0x10c/0x170 [ 78.768637] [] splice_direct_to_actor+0x23f/0x7e0 [ 78.775232] [] ? pipe_to_sendpage+0x330/0x330 [ 78.782008] [] ? do_splice_to+0x170/0x170 [ 78.787920] [] ? 
security_file_permission+0x8f/0x1e0 [ 78.794765] [] ? rw_verify_area+0xe5/0x2a0 [ 78.800887] [] do_splice_direct+0x1a3/0x270 [ 78.807001] [] ? splice_direct_to_actor+0x7e0/0x7e0 [ 78.813811] [] ? rcu_sync_lockdep_assert+0x73/0xb0 [ 78.820686] [] ? __sb_start_write+0x161/0x300 [ 78.827185] [] do_sendfile+0x4f0/0xc30 [ 78.832839] [] ? do_compat_pwritev64+0x180/0x180 [ 78.840213] [] ? __might_fault+0x114/0x1d0 [ 78.846283] [] SyS_sendfile64+0x144/0x160 [ 78.852262] [] ? SyS_sendfile+0x160/0x160 [ 78.858193] [] ? do_syscall_64+0x48/0x550 [ 78.864611] [] ? SyS_sendfile+0x160/0x160 [ 78.871276] [] do_syscall_64+0x19f/0x550 [ 78.877169] [] entry_SYSCALL_64_after_swapgs+0x5d/0xdb [ 78.884298] Kernel Offset: disabled [ 78.887922] Rebooting in 86400 seconds..