[?25l[?1c7[ ok 8[?25h[?0c. [....] Starting periodic command scheduler: cron[?25l[?1c7[ ok 8[?25h[?0c. Starting mcstransd: [ 13.704656] random: crng init done [....] Starting file context maintaining daemon: restorecond[?25l[?1c7[ ok 8[?25h[?0c. [....] Starting OpenBSD Secure Shell server: sshd[?25l[?1c7[ ok 8[?25h[?0c. Debian GNU/Linux 7 syzkaller ttyS0 Warning: Permanently added '10.128.0.117' (ECDSA) to the list of known hosts. 2019/06/15 14:22:21 parsed 1 programs 2019/06/15 14:22:24 executed programs: 0 syzkaller login: [ 43.546535] audit: type=1400 audit(1560608544.314:5): avc: denied { sys_admin } for pid=2084 comm="syz-executor.0" capability=21 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=cap_userns permissive=1 [ 43.588651] audit: type=1400 audit(1560608544.354:6): avc: denied { net_admin } for pid=2085 comm="syz-executor.0" capability=12 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=cap_userns permissive=1 [ 43.746745] audit: type=1400 audit(1560608544.514:7): avc: denied { sys_chroot } for pid=2085 comm="syz-executor.0" capability=18 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=cap_userns permissive=1 [ 43.772151] audit: type=1400 audit(1560608544.534:8): avc: denied { associate } for pid=2085 comm="syz-executor.0" name="syz0" scontext=unconfined_u:object_r:unlabeled_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=filesystem permissive=1 [ 43.817588] audit: type=1400 audit(1560608544.584:9): avc: denied { dac_override } for pid=2109 comm="syz-executor.0" capability=1 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=cap_userns permissive=1 2019/06/15 14:22:29 executed programs: 46 2019/06/15 14:22:34 executed programs: 96 [ 54.448729] ================================================================== [ 54.456495] BUG: KASAN: use-after-free in pneigh_get_next.isra.4+0x273/0x2b0 [ 54.464293] Read of size 8 at addr ffff8801d0baa300 by task syz-executor.0/2536 [ 54.471737] [ 54.473366] CPU: 1 PID: 2536 Comm: syz-executor.0 Not tainted 4.9.141+ #23 [ 54.480400] ffff8801d7af7240 ffffffff81b42e79 ffffea000742ea80 ffff8801d0baa300 [ 54.488590] 0000000000000000 ffff8801d0baa300 ffff8801d0baa300 ffff8801d7af7278 [ 54.496639] ffffffff815009b8 ffff8801d0baa300 0000000000000008 0000000000000000 [ 54.504943] Call Trace: [ 54.507675] [] dump_stack+0xc1/0x128 [ 54.513066] [] print_address_description+0x6c/0x234 [ 54.520291] [] kasan_report.cold.6+0x242/0x2fe [ 54.526622] [] ? pneigh_get_next.isra.4+0x273/0x2b0 [ 54.533439] [] __asan_report_load8_noabort+0x14/0x20 [ 54.542979] [] pneigh_get_next.isra.4+0x273/0x2b0 [ 54.550089] [] ? mark_held_locks+0xc7/0x130 [ 54.556376] [] neigh_seq_next+0xb1/0x1e0 [ 54.562513] [] seq_read+0xa0b/0x12d0 [ 54.569097] [] ? seq_lseek+0x3c0/0x3c0 [ 54.574919] [] ? __fsnotify_inode_delete+0x30/0x30 [ 54.582729] [] proc_reg_read+0xfd/0x180 [ 54.588505] [] ? seq_lseek+0x3c0/0x3c0 [ 54.594056] [] do_loop_readv_writev.part.1+0xd5/0x280 [ 54.601187] [] do_readv_writev+0x56e/0x7b0 [ 54.607483] [] ? vfs_write+0x520/0x520 [ 54.613191] [] ? kasan_unpoison_shadow+0x35/0x50 [ 54.619621] [] ? push_pipe+0x3e2/0x770 [ 54.625446] [] ? iov_iter_get_pages_alloc+0x2be/0xee0 [ 54.632985] [] ? _raw_spin_unlock_irqrestore+0x5a/0x70 [ 54.640122] [] vfs_readv+0x84/0xc0 [ 54.645514] [] default_file_splice_read+0x451/0x7f0 [ 54.652278] [] ? do_splice_direct+0x270/0x270 [ 54.658476] [] ? free_hot_cold_page+0x5b3/0x9d0 [ 54.664805] [] ? trace_hardirqs_on_caller+0x38b/0x590 [ 54.671806] [] ? trace_hardirqs_on+0xd/0x10 [ 54.677789] [] ? rw_verify_area+0xe5/0x2a0 [ 54.683795] [] ? do_splice_direct+0x270/0x270 [ 54.689946] [] do_splice_to+0x10c/0x170 [ 54.695954] [] splice_direct_to_actor+0x23f/0x7e0 [ 54.702455] [] ? pipe_to_sendpage+0x330/0x330 [ 54.708927] [] ? do_splice_to+0x170/0x170 [ 54.714773] [] ? security_file_permission+0x8f/0x1e0 [ 54.721618] [] ? rw_verify_area+0xe5/0x2a0 [ 54.727559] [] do_splice_direct+0x1a3/0x270 [ 54.734017] [] ? splice_direct_to_actor+0x7e0/0x7e0 [ 54.740697] [] ? rcu_sync_lockdep_assert+0x73/0xb0 [ 54.747536] [] ? __sb_start_write+0x161/0x300 [ 54.753688] [] do_sendfile+0x4f0/0xc30 [ 54.759228] [] ? do_compat_pwritev64+0x180/0x180 [ 54.767316] [] ? SyS_clock_gettime+0x11e/0x1f0 [ 54.773711] [] ? SyS_clock_settime+0x220/0x220 [ 54.780051] [] compat_SyS_sendfile+0x143/0x160 [ 54.786384] [] ? SyS_sendfile64+0x160/0x160 [ 54.792680] [] ? do_fast_syscall_32+0xcf/0xa10 [ 54.798909] [] ? SyS_sendfile64+0x160/0x160 [ 54.804877] [] do_fast_syscall_32+0x2f1/0xa10 [ 54.811028] [] ? trace_hardirqs_off_thunk+0x1a/0x1c [ 54.817927] [] entry_SYSENTER_compat+0x90/0xa2 [ 54.824224] [ 54.825891] Allocated by task 2537: [ 54.829526] save_stack_trace+0x16/0x20 [ 54.833604] kasan_kmalloc.part.1+0x62/0xf0 [ 54.838037] kasan_kmalloc+0xaf/0xc0 [ 54.842102] __kmalloc+0x12f/0x310 [ 54.845642] pneigh_lookup+0x17d/0x3f0 [ 54.849982] arp_req_set+0x443/0x570 [ 54.853700] arp_ioctl+0x32a/0x670 [ 54.857367] inet_ioctl+0x90/0x1d0 [ 54.860952] sock_do_ioctl+0x6a/0xb0 [ 54.864683] compat_sock_ioctl+0x95a/0x1310 [ 54.869245] compat_SyS_ioctl+0x12d/0x1fd0 [ 54.873481] do_fast_syscall_32+0x2f1/0xa10 [ 54.877803] entry_SYSENTER_compat+0x90/0xa2 [ 54.882196] [ 54.883850] Freed by task 2534: [ 54.887129] save_stack_trace+0x16/0x20 [ 54.891094] kasan_slab_free+0xac/0x190 [ 54.895058] kfree+0xfb/0x310 [ 54.898207] neigh_ifdown+0x1da/0x2a0 [ 54.902003] arp_ifdown+0x1c/0x20 [ 54.905557] inetdev_event+0x6f2/0x10b0 [ 54.909519] notifier_call_chain+0xb4/0x1d0 [ 54.913830] raw_notifier_call_chain+0x2d/0x40 [ 54.918521] call_netdevice_notifiers_info+0x55/0x70 [ 54.923628] rollback_registered_many+0x6e5/0xb50 [ 54.928565] rollback_registered+0xee/0x1b0 [ 54.932881] unregister_netdevice_queue+0x1aa/0x230 [ 54.938279] __tun_detach+0x821/0xa00 [ 54.942167] tun_chr_close+0x44/0x60 [ 54.945881] __fput+0x263/0x700 [ 54.949154] ____fput+0x15/0x20 [ 54.952423] task_work_run+0x10c/0x180 [ 54.956308] exit_to_usermode_loop+0x129/0x150 [ 54.960889] do_fast_syscall_32+0x6dc/0xa10 [ 54.965400] entry_SYSENTER_compat+0x90/0xa2 [ 54.970113] [ 54.971814] The buggy address belongs to the object at ffff8801d0baa300 [ 54.971814] which belongs to the cache kmalloc-64 of size 64 [ 54.984512] The buggy address is located 0 bytes inside of [ 54.984512] 64-byte region [ffff8801d0baa300, ffff8801d0baa340) [ 54.996310] The buggy address belongs to the page: [ 55.001299] page:ffffea000742ea80 count:1 mapcount:0 mapping: (null) index:0x0 [ 55.009560] flags: 0x4000000000000080(slab) [ 55.014178] page dumped because: kasan: bad access detected [ 55.019953] [ 55.021611] Memory state around the buggy address: [ 55.026577] ffff8801d0baa200: fb fb fb fb fc fc fc fc fb fb fb fb fb fb fb fb [ 55.034044] ffff8801d0baa280: fc fc fc fc fb fb fb fb fb fb fb fb fc fc fc fc [ 55.041519] >ffff8801d0baa300: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc [ 55.049680] ^ [ 55.053053] ffff8801d0baa380: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 55.060409] ffff8801d0baa400: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 55.067884] ================================================================== [ 55.075285] Disabling lock debugging due to kernel taint [ 55.080825] Kernel panic - not syncing: panic_on_warn set ... [ 55.080825] [ 55.088278] CPU: 1 PID: 2536 Comm: syz-executor.0 Tainted: G B 4.9.141+ #23 [ 55.096676] ffff8801d7af71a0 ffffffff81b42e79 ffffffff82e37630 00000000ffffffff [ 55.104723] 0000000000000000 0000000000000001 ffff8801d0baa300 ffff8801d7af7260 [ 55.112829] ffffffff813f7125 0000000041b58ab3 ffffffff82e2b62b ffffffff813f6f66 [ 55.120925] Call Trace: [ 55.123599] [] dump_stack+0xc1/0x128 [ 55.128958] [] panic+0x1bf/0x39f [ 55.134099] [] ? add_taint.cold.5+0x16/0x16 [ 55.140066] [] kasan_end_report+0x47/0x4f [ 55.145859] [] kasan_report.cold.6+0x76/0x2fe [ 55.152111] [] ? pneigh_get_next.isra.4+0x273/0x2b0 [ 55.159001] [] __asan_report_load8_noabort+0x14/0x20 [ 55.165755] [] pneigh_get_next.isra.4+0x273/0x2b0 [ 55.172408] [] ? mark_held_locks+0xc7/0x130 [ 55.178698] [] neigh_seq_next+0xb1/0x1e0 [ 55.184509] [] seq_read+0xa0b/0x12d0 [ 55.190231] [] ? seq_lseek+0x3c0/0x3c0 [ 55.195959] [] ? __fsnotify_inode_delete+0x30/0x30 [ 55.202694] [] proc_reg_read+0xfd/0x180 [ 55.208615] [] ? seq_lseek+0x3c0/0x3c0 [ 55.214296] [] do_loop_readv_writev.part.1+0xd5/0x280 [ 55.221275] [] do_readv_writev+0x56e/0x7b0 [ 55.227161] [] ? vfs_write+0x520/0x520 [ 55.232796] [] ? kasan_unpoison_shadow+0x35/0x50 [ 55.239303] [] ? push_pipe+0x3e2/0x770 [ 55.244843] [] ? iov_iter_get_pages_alloc+0x2be/0xee0 [ 55.251877] [] ? _raw_spin_unlock_irqrestore+0x5a/0x70 [ 55.258850] [] vfs_readv+0x84/0xc0 [ 55.264220] [] default_file_splice_read+0x451/0x7f0 [ 55.271040] [] ? do_splice_direct+0x270/0x270 [ 55.277189] [] ? free_hot_cold_page+0x5b3/0x9d0 [ 55.283604] [] ? trace_hardirqs_on_caller+0x38b/0x590 [ 55.290690] [] ? trace_hardirqs_on+0xd/0x10 [ 55.296657] [] ? rw_verify_area+0xe5/0x2a0 [ 55.302639] [] ? do_splice_direct+0x270/0x270 [ 55.308985] [] do_splice_to+0x10c/0x170 [ 55.314671] [] splice_direct_to_actor+0x23f/0x7e0 [ 55.321178] [] ? pipe_to_sendpage+0x330/0x330 [ 55.327580] [] ? do_splice_to+0x170/0x170 [ 55.333486] [] ? security_file_permission+0x8f/0x1e0 [ 55.340420] [] ? rw_verify_area+0xe5/0x2a0 [ 55.346630] [] do_splice_direct+0x1a3/0x270 [ 55.352624] [] ? splice_direct_to_actor+0x7e0/0x7e0 [ 55.359377] [] ? rcu_sync_lockdep_assert+0x73/0xb0 [ 55.365964] [] ? __sb_start_write+0x161/0x300 [ 55.372760] [] do_sendfile+0x4f0/0xc30 [ 55.378359] [] ? do_compat_pwritev64+0x180/0x180 [ 55.384841] [] ? SyS_clock_gettime+0x11e/0x1f0 [ 55.391445] [] ? SyS_clock_settime+0x220/0x220 [ 55.398003] [] compat_SyS_sendfile+0x143/0x160 [ 55.404283] [] ? SyS_sendfile64+0x160/0x160 [ 55.410269] [] ? do_fast_syscall_32+0xcf/0xa10 [ 55.416506] [] ? SyS_sendfile64+0x160/0x160 [ 55.422517] [] do_fast_syscall_32+0x2f1/0xa10 [ 55.428714] [] ? trace_hardirqs_off_thunk+0x1a/0x1c [ 55.435386] [] entry_SYSENTER_compat+0x90/0xa2 [ 55.442054] Kernel Offset: disabled [ 55.445787] Rebooting in 86400 seconds..