[ 31.682913] audit: type=1800 audit(1578445225.525:33): pid=7007 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:kernel_t:s0 op="collect_data" cause="failed(directio)" comm="startpar" name="rc.local" dev="sda1" ino=2465 res=0
[ 31.710551] audit: type=1800 audit(1578445225.525:34): pid=7007 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:kernel_t:s0 op="collect_data" cause="failed(directio)" comm="startpar" name="rmnologin" dev="sda1" ino=2456 res=0

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [ 36.422793] random: sshd: uninitialized urandom read (32 bytes read)
[ 36.695450] audit: type=1400 audit(1578445230.535:35): avc: denied { map } for pid=7182 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
[ 36.744907] random: sshd: uninitialized urandom read (32 bytes read)
[ 37.440242] random: sshd: uninitialized urandom read (32 bytes read)
[ 37.625470] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.1.33' (ECDSA) to the list of known hosts.
[ 43.220072] random: sshd: uninitialized urandom read (32 bytes read)
executing program
[ 43.330278] audit: type=1400 audit(1578445237.175:36): avc: denied { map } for pid=7195 comm="syz-executor910" path="/root/syz-executor910753084" dev="sda1" ino=16483 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
[ 43.334256] netlink: 20 bytes leftover after parsing attributes in process `syz-executor910'.
[ 43.374934] ==================================================================
[ 43.382467] BUG: KASAN: use-after-free in radix_tree_next_chunk+0x953/0x9a0
[ 43.389568] Read of size 8 at addr ffff8880824ad588 by task syz-executor910/7195
[ 43.397097]
[ 43.398726] CPU: 0 PID: 7195 Comm: syz-executor910 Not tainted 4.14.162-syzkaller #0
[ 43.406601] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 43.415959] Call Trace:
[ 43.418545]  dump_stack+0x142/0x197
[ 43.422175]  ? radix_tree_next_chunk+0x953/0x9a0
[ 43.426937]  print_address_description.cold+0x7c/0x1dc
[ 43.432212]  ? radix_tree_next_chunk+0x953/0x9a0
[ 43.436967]  kasan_report.cold+0xa9/0x2af
[ 43.441115]  __asan_report_load8_noabort+0x14/0x20
[ 43.446040]  radix_tree_next_chunk+0x953/0x9a0
[ 43.450634]  ida_remove+0xaa/0x230
[ 43.454173]  ? ida_destroy+0x1e0/0x1e0
[ 43.458054]  ? ida_simple_remove+0x2b/0x60
[ 43.462293]  ida_simple_remove+0x39/0x60
[ 43.466355]  ipvlan_link_new+0x515/0xfe0
[ 43.470414]  ? rtnl_create_link+0x12c/0x850
[ 43.474740]  rtnl_newlink+0xecb/0x1700
[ 43.478637]  ? ipvlan_port_destroy+0x400/0x400
[ 43.484868]  ? rtnl_link_unregister+0x200/0x200
[ 43.489538]  ? avc_has_perm_noaudit+0x2b2/0x420
[ 43.494222]  ? lock_acquire+0x16f/0x430
[ 43.498198]  ? rtnetlink_rcv_msg+0x339/0xb70
[ 43.502639]  ? rtnl_link_unregister+0x200/0x200
[ 43.507314]  rtnetlink_rcv_msg+0x3da/0xb70
[ 43.511553]  ? rtnl_bridge_getlink+0x7a0/0x7a0
[ 43.516138]  ? netlink_deliver_tap+0x93/0x8f0
[ 43.520637]  netlink_rcv_skb+0x14f/0x3c0
[ 43.524703]  ? rtnl_bridge_getlink+0x7a0/0x7a0
[ 43.529283]  ? lock_downgrade+0x740/0x740
[ 43.533431]  ? netlink_ack+0x9a0/0x9a0
[ 43.537316]  ? netlink_deliver_tap+0xba/0x8f0
[ 43.541815]  rtnetlink_rcv+0x1d/0x30
[ 43.545610]  netlink_unicast+0x44d/0x650
[ 43.549675]  ? netlink_attachskb+0x6a0/0x6a0
[ 43.554084]  ? security_netlink_send+0x81/0xb0
[ 43.558668]  netlink_sendmsg+0x7c4/0xc60
[ 43.565161]  ? netlink_unicast+0x650/0x650
[ 43.569401]  ? security_socket_sendmsg+0x89/0xb0
[ 43.574153]  ? netlink_unicast+0x650/0x650
[ 43.578388]  sock_sendmsg+0xce/0x110
[ 43.582106]  ___sys_sendmsg+0x70a/0x840
[ 43.586079]  ? copy_msghdr_from_user+0x3f0/0x3f0
[ 43.590839]  ? __might_fault+0x110/0x1d0
[ 43.594903]  ? find_held_lock+0x35/0x130
[ 43.598965]  ? __might_fault+0x110/0x1d0
[ 43.603044]  ? lock_downgrade+0x740/0x740
[ 43.607198]  ? kasan_check_read+0x11/0x20
[ 43.611348]  ? _copy_to_user+0x87/0xd0
[ 43.615237]  ? move_addr_to_user+0x94/0x1a0
[ 43.619559]  ? __fget_light+0x172/0x1f0
[ 43.623528]  ? __fdget+0x1b/0x20
[ 43.626890]  ? sockfd_lookup_light+0xb4/0x160
[ 43.631413]  __sys_sendmsg+0xb9/0x140
[ 43.635194]  ? SyS_shutdown+0x170/0x170
[ 43.639162]  ? fd_install+0x4d/0x60
[ 43.642775]  SyS_sendmsg+0x2d/0x50
[ 43.646294]  ? __sys_sendmsg+0x140/0x140
[ 43.650349]  do_syscall_64+0x1e8/0x640
[ 43.654216]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 43.659042]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 43.664233] RIP: 0033:0x440609
[ 43.667402] RSP: 002b:00007ffd4426d538 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
[ 43.675102] RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 0000000000440609
[ 43.682383] RDX: 0000000000000000 RSI: 0000000020000140 RDI: 0000000000000004
[ 43.689633] RBP: 00000000006ca018 R08: 0000000000000004 R09: 00000000004002c8
[ 43.696884] R10: 0000000000006e61 R11: 0000000000000246 R12: 0000000000401e90
[ 43.704133] R13: 0000000000401f20 R14: 0000000000000000 R15: 0000000000000000
[ 43.711388]
[ 43.713001] Allocated by task 7195:
[ 43.716610]  save_stack_trace+0x16/0x20
[ 43.720562]  save_stack+0x45/0xd0
[ 43.723992]  kasan_kmalloc+0xce/0xf0
[ 43.727683]  kmem_cache_alloc_trace+0x152/0x790
[ 43.732330]  ipvlan_link_new+0x657/0xfe0
[ 43.736394]  rtnl_newlink+0xecb/0x1700
[ 43.740272]  rtnetlink_rcv_msg+0x3da/0xb70
[ 43.744489]  netlink_rcv_skb+0x14f/0x3c0
[ 43.748531]  rtnetlink_rcv+0x1d/0x30
[ 43.752413]  netlink_unicast+0x44d/0x650
[ 43.756582]  netlink_sendmsg+0x7c4/0xc60
[ 43.760645]  sock_sendmsg+0xce/0x110
[ 43.764371]  ___sys_sendmsg+0x70a/0x840
[ 43.768328]  __sys_sendmsg+0xb9/0x140
[ 43.772110]  SyS_sendmsg+0x2d/0x50
[ 43.775685]  do_syscall_64+0x1e8/0x640
[ 43.779559]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 43.784727]
[ 43.786333] Freed by task 7195:
[ 43.789614]  save_stack_trace+0x16/0x20
[ 43.793568]  save_stack+0x45/0xd0
[ 43.796999]  kasan_slab_free+0x75/0xc0
[ 43.800863]  kfree+0xcc/0x270
[ 43.803958]  ipvlan_port_destroy+0x285/0x400
[ 43.808342]  ipvlan_uninit+0xc1/0xf0
[ 43.812136]  register_netdevice+0x79b/0xca0
[ 43.816460]  ipvlan_link_new+0x49f/0xfe0
[ 43.820613]  rtnl_newlink+0xecb/0x1700
[ 43.824509]  rtnetlink_rcv_msg+0x3da/0xb70
[ 43.828726]  netlink_rcv_skb+0x14f/0x3c0
[ 43.832767]  rtnetlink_rcv+0x1d/0x30
[ 43.836476]  netlink_unicast+0x44d/0x650
[ 43.840521]  netlink_sendmsg+0x7c4/0xc60
[ 43.844566]  sock_sendmsg+0xce/0x110
[ 43.848276]  ___sys_sendmsg+0x70a/0x840
[ 43.852244]  __sys_sendmsg+0xb9/0x140
[ 43.856046]  SyS_sendmsg+0x2d/0x50
[ 43.859565]  do_syscall_64+0x1e8/0x640
[ 43.863444]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 43.868617]
[ 43.870224] The buggy address belongs to the object at ffff8880824accc0
[ 43.870224]  which belongs to the cache kmalloc-4096 of size 4096
[ 43.883128] The buggy address is located 2248 bytes inside of
[ 43.883128]  4096-byte region [ffff8880824accc0, ffff8880824adcc0)
[ 43.895325] The buggy address belongs to the page:
[ 43.900332] page:ffffea0002092b00 count:1 mapcount:0 mapping:ffff8880824accc0 index:0x0 compound_mapcount: 0
[ 43.910317] flags: 0xfffe0000008100(slab|head)
[ 43.914885] raw: 00fffe0000008100 ffff8880824accc0 0000000000000000 0000000100000001
[ 43.922844] raw: ffffea00029ea4a0 ffffea0002225020 ffff8880aa800dc0 0000000000000000
[ 43.930711] page dumped because: kasan: bad access detected
[ 43.936706]
[ 43.939354] Memory state around the buggy address:
[ 43.944275]  ffff8880824ad480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 43.953706]  ffff8880824ad500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 43.961058] >ffff8880824ad580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 43.968408]                       ^
[ 43.972014]  ffff8880824ad600: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 43.979367]  ffff8880824ad680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 43.986966] ==================================================================
[ 43.994329] Disabling lock debugging due to kernel taint
[ 43.999843] Kernel panic - not syncing: panic_on_warn set ...
[ 43.999843]
[ 44.007804] CPU: 0 PID: 7195 Comm: syz-executor910 Tainted: G B 4.14.162-syzkaller #0
[ 44.016963] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 44.026813] Call Trace:
[ 44.029383]  dump_stack+0x142/0x197
[ 44.032997]  ? radix_tree_next_chunk+0x953/0x9a0
[ 44.038356]  panic+0x1f9/0x42d
[ 44.041530]  ? add_taint.cold+0x16/0x16
[ 44.045480]  ? lock_downgrade+0x740/0x740
[ 44.049606]  kasan_end_report+0x47/0x4f
[ 44.053558]  kasan_report.cold+0x130/0x2af
[ 44.057776]  __asan_report_load8_noabort+0x14/0x20
[ 44.062684]  radix_tree_next_chunk+0x953/0x9a0
[ 44.067244]  ida_remove+0xaa/0x230
[ 44.070768]  ? ida_destroy+0x1e0/0x1e0
[ 44.074654]  ? ida_simple_remove+0x2b/0x60
[ 44.078867]  ida_simple_remove+0x39/0x60
[ 44.082906]  ipvlan_link_new+0x515/0xfe0
[ 44.086945]  ? rtnl_create_link+0x12c/0x850
[ 44.091245]  rtnl_newlink+0xecb/0x1700
[ 44.095110]  ? ipvlan_port_destroy+0x400/0x400
[ 44.099768]  ? rtnl_link_unregister+0x200/0x200
[ 44.104442]  ? avc_has_perm_noaudit+0x2b2/0x420
[ 44.109092]  ? lock_acquire+0x16f/0x430
[ 44.113046]  ? rtnetlink_rcv_msg+0x339/0xb70
[ 44.117441]  ? rtnl_link_unregister+0x200/0x200
[ 44.122090]  rtnetlink_rcv_msg+0x3da/0xb70
[ 44.126316]  ? rtnl_bridge_getlink+0x7a0/0x7a0
[ 44.130877]  ? netlink_deliver_tap+0x93/0x8f0
[ 44.135367]  netlink_rcv_skb+0x14f/0x3c0
[ 44.139427]  ? rtnl_bridge_getlink+0x7a0/0x7a0
[ 44.144016]  ? lock_downgrade+0x740/0x740
[ 44.148146]  ? netlink_ack+0x9a0/0x9a0
[ 44.152014]  ? netlink_deliver_tap+0xba/0x8f0
[ 44.156504]  rtnetlink_rcv+0x1d/0x30
[ 44.160201]  netlink_unicast+0x44d/0x650
[ 44.164244]  ? netlink_attachskb+0x6a0/0x6a0
[ 44.168633]  ? security_netlink_send+0x81/0xb0
[ 44.173194]  netlink_sendmsg+0x7c4/0xc60
[ 44.177248]  ? netlink_unicast+0x650/0x650
[ 44.181461]  ? security_socket_sendmsg+0x89/0xb0
[ 44.186193]  ? netlink_unicast+0x650/0x650
[ 44.190406]  sock_sendmsg+0xce/0x110
[ 44.194100]  ___sys_sendmsg+0x70a/0x840
[ 44.198053]  ? copy_msghdr_from_user+0x3f0/0x3f0
[ 44.202795]  ? __might_fault+0x110/0x1d0
[ 44.207790]  ? find_held_lock+0x35/0x130
[ 44.211840]  ? __might_fault+0x110/0x1d0
[ 44.215881]  ? lock_downgrade+0x740/0x740
[ 44.220013]  ? kasan_check_read+0x11/0x20
[ 44.224147]  ? _copy_to_user+0x87/0xd0
[ 44.228011]  ? move_addr_to_user+0x94/0x1a0
[ 44.232325]  ? __fget_light+0x172/0x1f0
[ 44.236277]  ? __fdget+0x1b/0x20
[ 44.239640]  ? sockfd_lookup_light+0xb4/0x160
[ 44.244115]  __sys_sendmsg+0xb9/0x140
[ 44.247892]  ? SyS_shutdown+0x170/0x170
[ 44.251841]  ? fd_install+0x4d/0x60
[ 44.255466]  SyS_sendmsg+0x2d/0x50
[ 44.258994]  ? __sys_sendmsg+0x140/0x140
[ 44.263046]  do_syscall_64+0x1e8/0x640
[ 44.266923]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 44.271742]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 44.276909] RIP: 0033:0x440609
[ 44.280075] RSP: 002b:00007ffd4426d538 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
[ 44.287761] RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 0000000000440609
[ 44.295008] RDX: 0000000000000000 RSI: 0000000020000140 RDI: 0000000000000004
[ 44.302257] RBP: 00000000006ca018 R08: 0000000000000004 R09: 00000000004002c8
[ 44.309535] R10: 0000000000006e61 R11: 0000000000000246 R12: 0000000000401e90
[ 44.316788] R13: 0000000000401f20 R14: 0000000000000000 R15: 0000000000000000
[ 44.325702] Kernel Offset: disabled
[ 44.329350] Rebooting in 86400 seconds..