[ 35.863544] audit: type=1800 audit(1575245510.365:34): pid=7053 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:kernel_t:s0 op="collect_data" cause="failed(directio)" comm="startpar" name="rmnologin" dev="sda1" ino=2456 res=0
Debian GNU/Linux 7 syzkaller ttyS0
syzkaller login:
[ 39.025315] random: sshd: uninitialized urandom read (32 bytes read)
[ 39.293804] audit: type=1400 audit(1575245513.825:35): avc: denied { map } for pid=7225 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
[ 39.346806] random: sshd: uninitialized urandom read (32 bytes read)
[ 39.936300] random: sshd: uninitialized urandom read (32 bytes read)
[ 40.125425] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.0.18' (ECDSA) to the list of known hosts.
[ 45.658697] random: sshd: uninitialized urandom read (32 bytes read)
[ 45.844360] audit: type=1400 audit(1575245520.375:36): avc: denied { map } for pid=7237 comm="syz-execprog" path="/root/syz-execprog" dev="sda1" ino=16482 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
2019/12/02 00:12:00 parsed 1 programs
[ 46.587040] random: cc1: uninitialized urandom read (8 bytes read)
[ 47.452302] audit: type=1400 audit(1575245521.985:37): avc: denied { map } for pid=7237 comm="syz-execprog" path="/sys/kernel/debug/kcov" dev="debugfs" ino=15668 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:debugfs_t:s0 tclass=file permissive=1
2019/12/02 00:12:02 executed programs: 0
[ 47.496587] audit: type=1400 audit(1575245522.025:38): avc: denied { map } for pid=7237 comm="syz-execprog" path="/root/syzkaller-shm341129248" dev="sda1" ino=16492 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:file_t:s0 tclass=file permissive=1
[ 47.771022] IPVS: ftp: loaded support on port[0] = 21
[ 48.642733] chnl_net:caif_netlink_parms(): no params data found
[ 48.675012] bridge0: port 1(bridge_slave_0) entered blocking state
[ 48.681979] bridge0: port 1(bridge_slave_0) entered disabled state
[ 48.689095] device bridge_slave_0 entered promiscuous mode
[ 48.696567] bridge0: port 2(bridge_slave_1) entered blocking state
[ 48.703143] bridge0: port 2(bridge_slave_1) entered disabled state
[ 48.710310] device bridge_slave_1 entered promiscuous mode
[ 48.725158] bond0: Enslaving bond_slave_0 as an active interface with an up link
[ 48.734298] bond0: Enslaving bond_slave_1 as an active interface with an up link
[ 48.751275] IPv6: ADDRCONF(NETDEV_UP): team_slave_0: link is not ready
[ 48.758541] team0: Port device team_slave_0 added
[ 48.764360] IPv6: ADDRCONF(NETDEV_UP): team_slave_1: link is not ready
[ 48.771558] team0: Port device team_slave_1 added
[ 48.776979] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_0: link is not ready
[ 48.784583] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_1: link is not ready
[ 48.832202] device hsr_slave_0 entered promiscuous mode
[ 48.880456] device hsr_slave_1 entered promiscuous mode
[ 48.920992] IPv6: ADDRCONF(NETDEV_UP): hsr_slave_0: link is not ready
[ 48.928154] IPv6: ADDRCONF(NETDEV_UP): hsr_slave_1: link is not ready
[ 48.941751] bridge0: port 2(bridge_slave_1) entered blocking state
[ 48.948150] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 48.955131] bridge0: port 1(bridge_slave_0) entered blocking state
[ 48.961497] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 48.991917] IPv6: ADDRCONF(NETDEV_UP): bond0: link is not ready
[ 48.998014] 8021q: adding VLAN 0 to HW filter on device bond0
[ 49.007162] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
[ 49.016484] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 49.035225] bridge0: port 1(bridge_slave_0) entered disabled state
[ 49.042874] bridge0: port 2(bridge_slave_1) entered disabled state
[ 49.053355] IPv6: ADDRCONF(NETDEV_UP): team0: link is not ready
[ 49.059429] 8021q: adding VLAN 0 to HW filter on device team0
[ 49.068550] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[ 49.076718] bridge0: port 1(bridge_slave_0) entered blocking state
[ 49.083079] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 49.093929] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[ 49.101854] bridge0: port 2(bridge_slave_1) entered blocking state
[ 49.108184] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 49.128073] hsr0: Slave A (hsr_slave_0) is not up; please bring it up to get a fully working HSR network
[ 49.138696] hsr0: Slave B (hsr_slave_1) is not up; please bring it up to get a fully working HSR network
[ 49.149560] IPv6: ADDRCONF(NETDEV_UP): hsr0: link is not ready
[ 49.157146] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready
[ 49.165415] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready
[ 49.173427] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
[ 49.181213] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
[ 49.189304] IPv6: ADDRCONF(NETDEV_CHANGE): hsr0: link becomes ready
[ 49.196946] IPv6: ADDRCONF(NETDEV_CHANGE): team0: link becomes ready
[ 49.208794] IPv6: ADDRCONF(NETDEV_UP): vxcan0: link is not ready
[ 49.215995] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan0: link becomes ready
[ 49.222789] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan1: link becomes ready
[ 49.235804] 8021q: adding VLAN 0 to HW filter on device batadv0
[ 49.640388] IPv6: ADDRCONF(NETDEV_CHANGE): bond0: link becomes ready
[ 54.013495] refcount_t overflow at skb_set_owner_w+0x1f8/0x300 in syz-executor.0[7357], uid/euid: 0/0
[ 54.023327] ------------[ cut here ]------------
[ 54.028198] WARNING: CPU: 0 PID: 7357 at kernel/panic.c:613 refcount_error_report+0x1b2/0x210
[ 54.036860] Kernel panic - not syncing: panic_on_warn set ...
[ 54.036860]
[ 54.044212] CPU: 0 PID: 7357 Comm: syz-executor.0 Not tainted 4.14.157-syzkaller #0
[ 54.052018] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 54.061360] Call Trace:
[ 54.063948] dump_stack+0x142/0x197
[ 54.067587] panic+0x1f9/0x42d
[ 54.070767] ? add_taint.cold+0x16/0x16
[ 54.074740] ? refcount_error_report+0x1b2/0x210
[ 54.079489] ? refcount_error_report+0x1b2/0x210
[ 54.084250] __warn.cold+0x2f/0x2f
[ 54.087781] ? ist_end_non_atomic+0x10/0x10
[ 54.092096] ? refcount_error_report+0x1b2/0x210
[ 54.096865] report_bug+0x216/0x254
[ 54.100483] do_error_trap+0x1bb/0x310
[ 54.104356] ? math_error+0x360/0x360
[ 54.108146] ? vprintk_emit+0x171/0x600
[ 54.112127] ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 54.116951] do_invalid_op+0x1b/0x20
[ 54.120655] invalid_op+0x1b/0x40
[ 54.124099] RIP: 0010:refcount_error_report+0x1b2/0x210
[ 54.129440] RSP: 0018:ffff888097d773b0 EFLAGS: 00010286
[ 54.134807] RAX: 0000000000000059 RBX: ffff888097d775c8 RCX: 0000000000000000
[ 54.142083] RDX: 0000000000000000 RSI: ffffffff86ac2f80 RDI: ffffed1012faee6c
[ 54.149341] RBP: ffff888097d773e8 R08: 0000000000000059 R09: ffff888076196b20
[ 54.156603] R10: 0000000000000000 R11: 0000000000000000 R12: ffffffff86a81e20
[ 54.163875] R13: 0000000000000000 R14: ffff888076196280 R15: 0000000000000006
[ 54.171159] ? inat_get_avx_attribute+0x3be7/0x7965
[ 54.176188] ex_handler_refcount+0x126/0x1a0
[ 54.180595] ? ex_handler_clear_fs+0xb0/0xb0
[ 54.185205] fixup_exception+0x8b/0xb9
[ 54.189078] do_trap+0x65/0x250
[ 54.192341] do_error_trap+0x153/0x310
[ 54.196218] ? math_error+0x360/0x360
[ 54.200009] ? inat_get_avx_attribute+0x3be7/0x7965
[ 54.205021] ? rcu_read_lock_sched_held+0x110/0x130
[ 54.210033] ? kmem_cache_alloc_node_trace+0x379/0x770
[ 54.215304] ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 54.220128] do_invalid_op+0x1b/0x20
[ 54.223839] invalid_op+0x1b/0x40
[ 54.227331] RIP: 0010:skb_set_owner_w+0x1f8/0x300
[ 54.232273] RSP: 0018:ffff888097d77670 EFLAGS: 00010a82
[ 54.237633] RAX: 0000000000040100 RBX: ffff88809e685400 RCX: ffff88809dac787c
[ 54.244921] RDX: 1ffff11013cd0a9c RSI: ffff88809dac7640 RDI: ffff88809e6854e0
[ 54.252195] RBP: ffff888097d77690 R08: 1ffff110313c8c90 R09: ffff888189e46480
[ 54.259599] R10: ffffed10313c8c94 R11: ffff888189e464a3 R12: ffff88809dac7640
[ 54.267004] R13: ffff88809e685460 R14: ffff88809e685418 R15: ffff88809dac7640
[ 54.274296] sock_wmalloc+0xc6/0xf0
[ 54.278037] ip_append_page+0x5fd/0xe40
[ 54.282030] udp_sendpage+0x176/0x3e0
[ 54.285844] ? udp_destroy_sock+0x1a0/0x1a0
[ 54.290190] ? lock_downgrade+0x740/0x740
[ 54.294324] ? copy_page_to_iter+0x427/0xc40
[ 54.298718] inet_sendpage+0x157/0x580
[ 54.302587] ? udp_destroy_sock+0x1a0/0x1a0
[ 54.306894] kernel_sendpage+0x92/0xf0
[ 54.310774] ? inet_sendmsg+0x500/0x500
[ 54.314765] sock_sendpage+0x8b/0xc0
[ 54.318601] ? kernel_sendpage+0xf0/0xf0
[ 54.322659] pipe_to_sendpage+0x242/0x340
[ 54.326885] ? direct_splice_actor+0x190/0x190
[ 54.331450] __splice_from_pipe+0x348/0x780
[ 54.335753] ? direct_splice_actor+0x190/0x190
[ 54.340317] ? direct_splice_actor+0x190/0x190
[ 54.344876] splice_from_pipe+0xf0/0x150
[ 54.348922] ? splice_shrink_spd+0xb0/0xb0
[ 54.353141] generic_splice_sendpage+0x3c/0x50
[ 54.357702] ? splice_from_pipe+0x150/0x150
[ 54.362004] direct_splice_actor+0x123/0x190
[ 54.366394] splice_direct_to_actor+0x29e/0x7b0
[ 54.371052] ? generic_pipe_buf_nosteal+0x10/0x10
[ 54.375881] ? do_splice_to+0x170/0x170
[ 54.379848] ? rw_verify_area+0xea/0x2b0
[ 54.383905] do_splice_direct+0x18d/0x230
[ 54.388032] ? splice_direct_to_actor+0x7b0/0x7b0
[ 54.392861] ? rw_verify_area+0xea/0x2b0
[ 54.396995] do_sendfile+0x4db/0xbd0
[ 54.400691] ? do_compat_pwritev64+0x140/0x140
[ 54.405269] ? put_timespec64+0xb4/0x100
[ 54.409326] ? nsecs_to_jiffies+0x30/0x30
[ 54.413456] SyS_sendfile64+0x102/0x110
[ 54.417416] ? SyS_sendfile+0x130/0x130
[ 54.421370] ? do_syscall_64+0x53/0x640
[ 54.425324] ? SyS_sendfile+0x130/0x130
[ 54.429276] do_syscall_64+0x1e8/0x640
[ 54.433148] ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 54.437991] entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 54.443258] RIP: 0033:0x45a679
[ 54.446453] RSP: 002b:00007f624d297c78 EFLAGS: 00000246 ORIG_RAX: 0000000000000028
[ 54.454149] RAX: ffffffffffffffda RBX: 0000000000000004 RCX: 000000000045a679
[ 54.461403] RDX: 0000000000000000 RSI: 0000000000000006 RDI: 0000000000000005
[ 54.468828] RBP: 000000000075bfc8 R08: 0000000000000000 R09: 0000000000000000
[ 54.477066] R10: 0000000000010001 R11: 0000000000000246 R12: 00007f624d2986d4
[ 54.484342] R13: 00000000004c8d9f R14: 00000000004e0670 R15: 00000000ffffffff
[ 54.493010] Kernel Offset: disabled
[ 54.496727] Rebooting in 86400 seconds..