[   17.072137] audit: type=1400 audit(1521122614.424:5): avc: denied { syslog } for pid=4072 comm="rsyslogd" capability=34 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=capability2 permissive=1
[ ok ] Starting enhanced syslogd: rsyslogd.
[ ok ] Starting periodic command scheduler: cron.
Starting mcstransd:
[ ok ] Starting OpenBSD Secure Shell server: sshd.
[ ok ] Starting file context maintaining daemon: restorecond.

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [   22.531540] audit: type=1400 audit(1521122619.883:6): avc: denied { map } for pid=4215 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
Warning: Permanently added '10.128.0.19' (ECDSA) to the list of known hosts.
[   44.766589] audit: type=1400 audit(1521122642.118:7): avc: denied { map } for pid=4231 comm="syz-execprog" path="/root/syz-execprog" dev="sda1" ino=16479 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
2018/03/15 14:04:02 parsed 1 programs
2018/03/15 14:04:02 executed programs: 0
[   45.000667] audit: type=1400 audit(1521122642.352:8): avc: denied { map } for pid=4231 comm="syz-execprog" path="/root/syzkaller-shm680161615" dev="sda1" ino=16483 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:file_t:s0 tclass=file permissive=1
[   45.026246] audit: type=1400 audit(1521122642.376:9): avc: denied { sys_admin } for pid=4236 comm="syz-executor4" capability=21 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=cap_userns permissive=1
[   45.029268] IPVS: ftp: loaded support on port[0] = 21
[   45.077930] IPVS: ftp: loaded support on port[0] = 21
[   45.087365] audit: type=1400 audit(1521122642.439:10): avc: denied { sys_chroot } for pid=4238 comm="syz-executor4" capability=18 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=cap_userns permissive=1
[   45.111783] audit: type=1400 audit(1521122642.439:11): avc: denied { net_admin } for pid=4238 comm="syz-executor4" capability=12 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=cap_userns permissive=1
[   45.115583] IPVS: ftp: loaded support on port[0] = 21
[   45.162801] IPVS: ftp: loaded support on port[0] = 21
[   45.188729] IPVS: ftp: loaded support on port[0] = 21
[   45.219097] IPVS: ftp: loaded support on port[0] = 21
[   45.250285] IPVS: ftp: loaded support on port[0] = 21
[   45.279380] l2tp_core: tunl 3: fd 3 wrong protocol, got 1, expected 17
[   45.299552] IPVS: ftp: loaded support on port[0] = 21
[   45.429089] l2tp_core: tunl 3: fd 3 wrong protocol, got 1, expected 17
[   45.574875] l2tp_core: tunl 3: fd 3 wrong protocol, got 1, expected 17
[   45.615165] l2tp_core: tunl 3: fd 4 wrong protocol, got 1, expected 17
[   45.759886] l2tp_core: tunl 3: fd 3 wrong protocol, got 1, expected 17
[   45.821488] l2tp_core: tunl 3: fd 3 wrong protocol, got 1, expected 17
[   45.881898] l2tp_core: tunl 3: fd 3 wrong protocol, got 1, expected 17
[   46.017350] l2tp_core: tunl 3: fd 3 wrong protocol, got 1, expected 17
[   46.153633] l2tp_core: tunl 3: fd 3 wrong protocol, got 1, expected 17
[   46.155543] l2tp_core: tunl 3: fd 3 wrong protocol, got 1, expected 17
[   46.351308] l2tp_core: tunl 3: fd 6 wrong protocol, got 1, expected 17
[   46.464258] l2tp_core: tunl 3: fd 3 wrong protocol, got 1, expected 17
[   46.551744] l2tp_core: tunl 3: fd 4 wrong protocol, got 1, expected 17
[   46.745608] l2tp_core: tunl 3: fd 3 wrong protocol, got 1, expected 17
[   46.840603] l2tp_core: tunl 3: fd 3 wrong protocol, got 1, expected 17
[   46.848159] l2tp_core: tunl 3: fd 3 wrong protocol, got 1, expected 17
[   46.956202] l2tp_core: tunl 3: fd 6 wrong protocol, got 1, expected 17
[   47.012461] l2tp_core: tunl 3: fd 3 wrong protocol, got 1, expected 17
[   47.361091] l2tp_core: tunl 3: fd 4 wrong protocol, got 1, expected 17
[   47.685819] ==================================================================
[   47.693310] BUG: KASAN: use-after-free in pppol2tp_connect+0x1a98/0x1dd0
[   47.700147] Read of size 8 at addr ffff8801d8499368 by task syz-executor4/5441
[   47.704850] l2tp_core: tunl 3: fd 3 wrong protocol, got 1, expected 17
[   47.707488]
[   47.707502] CPU: 1 PID: 5441 Comm: syz-executor4 Not tainted 4.16.0-rc5+ #264
[   47.707507] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   47.707510] Call Trace:
[   47.707525]  dump_stack+0x194/0x24d
[   47.707540]  ? arch_local_irq_restore+0x53/0x53
[   47.707551]  ? show_regs_print_info+0x18/0x18
[   47.707566]  ? lock_release+0xa40/0xa40
[   47.707579]  ? pppol2tp_connect+0x1a98/0x1dd0
[   47.756145]  print_address_description+0x73/0x250
[   47.760986]  ? pppol2tp_connect+0x1a98/0x1dd0
[   47.765476]  kasan_report+0x23c/0x360
[   47.769278]  __asan_report_load8_noabort+0x14/0x20
[   47.774196]  pppol2tp_connect+0x1a98/0x1dd0
[   47.778521]  ? pppol2tp_recv_payload_hook+0x1b0/0x1b0
[   47.783715]  ? selinux_netlbl_socket_connect+0x76/0x1b0
[   47.789079]  ? selinux_socket_connect+0x311/0x730
[   47.793918]  ? lock_downgrade+0x980/0x980
[   47.798066]  ? selinux_socket_setsockopt+0x80/0x80
[   47.802984]  ? lock_release+0xa40/0xa40
[   47.806953]  ? check_same_owner+0x320/0x320
[   47.811272]  ? __check_object_size+0x8b/0x530
[   47.815772]  ? __might_sleep+0x95/0x190
[   47.819767]  ? security_socket_connect+0x89/0xb0
[   47.824531]  SYSC_connect+0x213/0x4a0
[   47.828338]  ? SYSC_bind+0x410/0x410
[   47.832052]  ? get_unused_fd_flags+0x121/0x190
[   47.836635]  ? compat_SyS_get_robust_list+0x300/0x300
[   47.841802]  ? SyS_socket+0x12d/0x1d0
[   47.845593]  ? move_addr_to_kernel+0x60/0x60
[   47.850001]  SyS_connect+0x24/0x30
[   47.853530]  ? SyS_accept+0x30/0x30
[   47.857155]  do_fast_syscall_32+0x3ec/0xf9f
[   47.861469]  ? exit_to_usermode_loop+0x198/0x2f0
[   47.866212]  ? do_int80_syscall_32+0x9c0/0x9c0
[   47.870771]  ? finish_task_switch+0x1c1/0x7e0
[   47.875245]  ? syscall_return_slowpath+0x2ac/0x550
[   47.880146]  ? prepare_exit_to_usermode+0x350/0x350
[   47.885140]  ? sysret32_from_system_call+0x5/0x3c
[   47.889967]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   47.894801]  entry_SYSENTER_compat+0x70/0x7f
[   47.899179] RIP: 0023:0xf7f27c99
[   47.902516] RSP: 002b:00000000f7f2309c EFLAGS: 00000286 ORIG_RAX: 000000000000016a
[   47.910193] RAX: ffffffffffffffda RBX: 0000000000000006 RCX: 0000000020e71000
[   47.917435] RDX: 0000000000000032 RSI: 0000000000000000 RDI: 0000000000000000
[   47.924678] RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
[   47.931918] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
[   47.939157] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[   47.946413]
[   47.948019] Allocated by task 5441:
[   47.951623]  save_stack+0x43/0xd0
[   47.955054]  kasan_kmalloc+0xad/0xe0
[   47.958739]  kasan_slab_alloc+0x12/0x20
[   47.962686]  kmem_cache_alloc+0x12e/0x760
[   47.966807]  sk_prot_alloc+0x65/0x2a0
[   47.970579]  sk_alloc+0x105/0x1440
[   47.974092]  inet6_create+0x44d/0x10f0
[   47.977949]  __sock_create+0x4d4/0x850
[   47.981806]  SyS_socket+0xeb/0x1d0
[   47.985320]  do_fast_syscall_32+0x3ec/0xf9f
[   47.989615]  entry_SYSENTER_compat+0x70/0x7f
[   47.993990]
[   47.995590] Freed by task 38:
[   47.998671]  save_stack+0x43/0xd0
[   48.002098]  __kasan_slab_free+0x11a/0x170
[   48.006303]  kasan_slab_free+0xe/0x10
[   48.010074]  kmem_cache_free+0x83/0x2a0
[   48.014024]  __sk_destruct+0x628/0x920
[   48.018150]  sk_destruct+0x47/0x80
[   48.021661]  __sk_free+0xf1/0x2b0
[   48.025082]  sk_free+0x2a/0x40
[   48.028247]  l2tp_tunnel_del_work+0x474/0x6a0
[   48.032716]  process_one_work+0xc47/0x1bb0
[   48.036920]  worker_thread+0x223/0x1990
[   48.040863]  kthread+0x33c/0x400
[   48.044199]  ret_from_fork+0x3a/0x50
[   48.047880]
[   48.049483] The buggy address belongs to the object at ffff8801d8499140
[   48.049483]  which belongs to the cache UDPv6 of size 1664
[   48.061674] The buggy address is located 552 bytes inside of
[   48.061674]  1664-byte region [ffff8801d8499140, ffff8801d84997c0)
[   48.073612] The buggy address belongs to the page:
[   48.078513] page:ffffea0007612640 count:1 mapcount:0 mapping:ffff8801d8499140 index:0x0
[   48.086626] flags: 0x2fffc0000000100(slab)
[   48.090833] raw: 02fffc0000000100 ffff8801d8499140 0000000000000000 0000000100000002
[   48.098687] raw: ffffea0006b96be0 ffffea000762e120 ffff8801d1aee9c0 0000000000000000
[   48.106535] page dumped because: kasan: bad access detected
[   48.112211]
[   48.113809] Memory state around the buggy address:
[   48.118709]  ffff8801d8499200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   48.126040]  ffff8801d8499280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   48.133372] >ffff8801d8499300: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   48.140707]                                                           ^
[   48.147437]  ffff8801d8499380: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   48.154770]  ffff8801d8499400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   48.162099] ==================================================================
[   48.169436] Disabling lock debugging due to kernel taint
[   48.175066] Kernel panic - not syncing: panic_on_warn set ...
[   48.175066]
[   48.182417] CPU: 1 PID: 5441 Comm: syz-executor4 Tainted: G B 4.16.0-rc5+ #264
[   48.190970] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   48.200294] Call Trace:
[   48.202857]  dump_stack+0x194/0x24d
[   48.206455]  ? arch_local_irq_restore+0x53/0x53
[   48.211096]  ? kasan_end_report+0x32/0x50
[   48.215219]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[   48.219946]  ? vsnprintf+0x1ed/0x1900
[   48.223718]  ? pppol2tp_connect+0x19d0/0x1dd0
[   48.228187]  panic+0x1e4/0x41c
[   48.231350]  ? refcount_error_report+0x214/0x214
[   48.236075]  ? add_taint+0x1c/0x50
[   48.239586]  ? add_taint+0x1c/0x50
[   48.243098]  ? pppol2tp_connect+0x1a98/0x1dd0
[   48.247565]  kasan_end_report+0x50/0x50
[   48.251508]  kasan_report+0x149/0x360
[   48.255282]  __asan_report_load8_noabort+0x14/0x20
[   48.260182]  pppol2tp_connect+0x1a98/0x1dd0
[   48.264478]  ? pppol2tp_recv_payload_hook+0x1b0/0x1b0
[   48.269643]  ? selinux_netlbl_socket_connect+0x76/0x1b0
[   48.274976]  ? selinux_socket_connect+0x311/0x730
[   48.279790]  ? lock_downgrade+0x980/0x980
[   48.283907]  ? selinux_socket_setsockopt+0x80/0x80
[   48.288804]  ? lock_release+0xa40/0xa40
[   48.292751]  ? check_same_owner+0x320/0x320
[   48.297046]  ? __check_object_size+0x8b/0x530
[   48.301513]  ? __might_sleep+0x95/0x190
[   48.305463]  ? security_socket_connect+0x89/0xb0
[   48.310194]  SYSC_connect+0x213/0x4a0
[   48.313967]  ? SYSC_bind+0x410/0x410
[   48.317652]  ? get_unused_fd_flags+0x121/0x190
[   48.322212]  ? compat_SyS_get_robust_list+0x300/0x300
[   48.327372]  ? SyS_socket+0x12d/0x1d0
[   48.331145]  ? move_addr_to_kernel+0x60/0x60
[   48.335525]  SyS_connect+0x24/0x30
[   48.339036]  ? SyS_accept+0x30/0x30
[   48.342635]  do_fast_syscall_32+0x3ec/0xf9f
[   48.346926]  ? exit_to_usermode_loop+0x198/0x2f0
[   48.351651]  ? do_int80_syscall_32+0x9c0/0x9c0
[   48.356204]  ? finish_task_switch+0x1c1/0x7e0
[   48.360669]  ? syscall_return_slowpath+0x2ac/0x550
[   48.365570]  ? prepare_exit_to_usermode+0x350/0x350
[   48.370559]  ? sysret32_from_system_call+0x5/0x3c
[   48.375373]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   48.380186]  entry_SYSENTER_compat+0x70/0x7f
[   48.384562] RIP: 0023:0xf7f27c99
[   48.387896] RSP: 002b:00000000f7f2309c EFLAGS: 00000286 ORIG_RAX: 000000000000016a
[   48.395571] RAX: ffffffffffffffda RBX: 0000000000000006 RCX: 0000000020e71000
[   48.402810] RDX: 0000000000000032 RSI: 0000000000000000 RDI: 0000000000000000
[   48.410047] RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
[   48.417284] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
[   48.424522] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[   48.432197] Dumping ftrace buffer:
[   48.435709]    (ftrace buffer empty)
[   48.439390] Kernel Offset: disabled
[   48.442985] Rebooting in 86400 seconds..
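Added example, not part of the syzkaller console output above: a small parser that pulls the KASAN report out of a raw serial-console log like this one and reduces it to the facts a triager checks first: the faulting function and access, the slab cache and offset of the object, which task allocated it and from which syscall, which task freed it and, when the free ran on a kworker, which work function did it, and what the shadow bytes at the fault address mean. The sample input embedded in the block is an excerpt of the report above with most call-trace frames elided; the shadow-byte legend is from the kernel's mm/kasan/kasan.h. The KasanReport fields, the regexes and the wording of the triage notes are this example's own design, not a syzkaller or kernel interface.

```python
# Pull the KASAN report out of a raw serial-console log and summarise it for triage.
import re
from dataclasses import dataclass, field

# Shadow-byte encodings from the kernel's mm/kasan/kasan.h (generic KASAN).
SHADOW_LEGEND = {"00": "addressable", "fb": "freed slab object (KASAN_KMALLOC_FREE)",
                 "fc": "kmalloc redzone (KASAN_KMALLOC_REDZONE)", "ff": "freed page (KASAN_FREE_PAGE)"}
TS_RE = re.compile(r"^\[\s*\d+\.\d+\]\s?")                      # "[   47.693310] " prefix
HEAD_RE = re.compile(r"BUG: KASAN: (?P<bug>[\w-]+) in (?P<site>\S+)")
ACCESS_RE = re.compile(r"(?P<rw>Read|Write) of size (?P<size>\d+) at addr (?P<addr>[0-9a-f]+)"
                       r" by task (?P<comm>\S+)/(?P<pid>\d+)")
ALLOC_RE = re.compile(r"Allocated by task (?P<pid>\d+):")
FREE_RE = re.compile(r"Freed by task (?P<pid>\d+):")
CACHE_RE = re.compile(r"belongs to the cache (?P<cache>\S+) of size (?P<size>\d+)")
OFFSET_RE = re.compile(r"is located (?P<off>\d+) bytes inside of")
SHADOW_RE = re.compile(r"^>[0-9a-f]{16}: ((?:[0-9a-f]{2}\s?){1,16})")  # '>' marks the fault row
FRAME_RE = re.compile(r"^[A-Za-z_][\w.]*\+0x[0-9a-f]+/0x[0-9a-f]+$")   # "sk_free+0x2a/0x40"

@dataclass
class KasanReport:
    bug: str = ""
    site: str = ""
    rw: str = ""
    size: int = 0
    addr: int = 0
    comm: str = ""
    pid: int = -1
    alloc_pid: int = -1
    free_pid: int = -1
    alloc_stack: list = field(default_factory=list)  # innermost frame first
    free_stack: list = field(default_factory=list)
    cache: str = ""
    obj_size: int = 0
    offset: int = -1
    shadow: list = field(default_factory=list)       # shadow bytes on the '>' row

def sym(frame: str) -> str:          # "sk_free+0x2a/0x40" -> "sk_free"
    return frame.split("+", 1)[0]

def parse_kasan(console: str) -> KasanReport:
    r, section = KasanReport(), None         # section: the stack list being filled, if any
    for raw in console.splitlines():
        line = TS_RE.sub("", raw).strip()    # drop the timestamp, keep the payload
        if m := HEAD_RE.search(line):
            r.bug, r.site = m["bug"], m["site"]
        elif m := ACCESS_RE.search(line):
            r.rw, r.size, r.addr = m["rw"], int(m["size"]), int(m["addr"], 16)
            r.comm, r.pid = m["comm"], int(m["pid"])
        elif m := ALLOC_RE.search(line):
            r.alloc_pid, section = int(m["pid"]), r.alloc_stack
        elif m := FREE_RE.search(line):
            r.free_pid, section = int(m["pid"]), r.free_stack
        elif m := CACHE_RE.search(line):
            r.cache, r.obj_size = m["cache"], int(m["size"])
        elif m := OFFSET_RE.search(line):
            r.offset = int(m["off"])
        elif m := SHADOW_RE.match(line):
            r.shadow = m[1].split()
        elif section is not None and FRAME_RE.match(line):
            section.append(line)
        else:
            section = None                   # blank line or interleaved output ends a stack
    return r

def triage(r: KasanReport) -> list:
    notes = [f"{r.bug}: {r.rw.lower()} of {r.size} bytes in {sym(r.site)} by {r.comm}/{r.pid}"]
    if r.cache:
        notes.append(f"object: {r.obj_size}-byte '{r.cache}' slab object, access at offset {r.offset}")
    entry = [sym(f) for f in r.alloc_stack if sym(f).startswith(("SyS_", "SYSC_", "__x64_sys_"))]
    if entry:
        who = "the faulting task itself" if r.alloc_pid == r.pid else f"pid {r.alloc_pid}"
        notes.append(f"allocated by {who} via {entry[0]}")
    frees = [sym(f) for f in r.free_stack]
    if "process_one_work" in frees:          # frame just above process_one_work is the work fn
        work_fn = frees[frees.index("process_one_work") - 1]
        notes.append(f"freed asynchronously by work function {work_fn} "
                     f"(kworker pid {r.free_pid}): the access races a deferred teardown")
    if r.shadow and len(set(r.shadow)) == 1:
        notes.append("shadow at fault: " + SHADOW_LEGEND.get(r.shadow[0], "0x" + r.shadow[0]))
    return notes

# Excerpt of the report above (most call-trace frames elided), used as the sample input.
SAMPLE = """\
[   47.693310] BUG: KASAN: use-after-free in pppol2tp_connect+0x1a98/0x1dd0
[   47.700147] Read of size 8 at addr ffff8801d8499368 by task syz-executor4/5441
[   47.704850] l2tp_core: tunl 3: fd 3 wrong protocol, got 1, expected 17
[   47.948019] Allocated by task 5441:
[   47.962686]  kmem_cache_alloc+0x12e/0x760
[   47.974092]  inet6_create+0x44d/0x10f0
[   47.981806]  SyS_socket+0xeb/0x1d0
[   47.995590] Freed by task 38:
[   48.010074]  kmem_cache_free+0x83/0x2a0
[   48.025082]  sk_free+0x2a/0x40
[   48.028247]  l2tp_tunnel_del_work+0x474/0x6a0
[   48.032716]  process_one_work+0xc47/0x1bb0
[   48.049483]  which belongs to the cache UDPv6 of size 1664
[   48.061674] The buggy address is located 552 bytes inside of
[   48.133372] >ffff8801d8499300: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
"""
if __name__ == "__main__":
    print("\n".join(triage(parse_kasan(SAMPLE))))
```

Run it as a script to print the triage lines, or feed parse_kasan() the whole console log; it strips the timestamp prefix and tolerates unrelated output (such as the l2tp_core line that lands between the access line and the stacks) because a stack section is only collected while consecutive lines look like frames. For this report it states what the raw log shows: the 1664-byte UDPv6 socket object was allocated by the faulting task itself via SyS_socket, freed from l2tp_tunnel_del_work on a kworker (pid 38), and then read 552 bytes in by pppol2tp_connect, with the shadow row at the fault address entirely fb, i.e. a freed slab object.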