[ 32.668748] audit: type=1800 audit(1578540679.337:33): pid=6988 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:kernel_t:s0 op="collect_data" cause="failed(directio)" comm="startpar" name="rc.local" dev="sda1" ino=2465 res=0
[ 32.695710] audit: type=1800 audit(1578540679.347:34): pid=6988 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:kernel_t:s0 op="collect_data" cause="failed(directio)" comm="startpar" name="rmnologin" dev="sda1" ino=2456 res=0

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [ 35.742409] random: sshd: uninitialized urandom read (32 bytes read)
[ 36.077447] audit: type=1400 audit(1578540682.747:35): avc: denied { map } for pid=7161 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
[ 36.127507] random: sshd: uninitialized urandom read (32 bytes read)
[ 36.786002] random: sshd: uninitialized urandom read (32 bytes read)
[ 36.968536] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.0.25' (ECDSA) to the list of known hosts.
[ 42.574055] random: sshd: uninitialized urandom read (32 bytes read)
executing program
[ 42.691079] audit: type=1400 audit(1578540689.367:36): avc: denied { map } for pid=7173 comm="syz-executor686" path="/root/syz-executor686926464" dev="sda1" ino=16484 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
[ 42.733665] IPv6: ADDRCONF(NETDEV_UP): bridge0: link is not ready
[ 42.760294] netlink: 4 bytes leftover after parsing attributes in process `syz-executor686'.
[ 42.775353] ==================================================================
[ 42.782896] BUG: KASAN: use-after-free in radix_tree_next_chunk+0x953/0x9a0
[ 42.790089] Read of size 8 at addr ffff888097010ec8 by task syz-executor686/7173
[ 42.797634]
[ 42.799274] CPU: 1 PID: 7173 Comm: syz-executor686 Not tainted 4.14.162-syzkaller #0
[ 42.807153] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 42.816509] Call Trace:
[ 42.819108]  dump_stack+0x142/0x197
[ 42.822776]  ? radix_tree_next_chunk+0x953/0x9a0
[ 42.827533]  print_address_description.cold+0x7c/0x1dc
[ 42.832813]  ? radix_tree_next_chunk+0x953/0x9a0
[ 42.837571]  kasan_report.cold+0xa9/0x2af
[ 42.841723]  __asan_report_load8_noabort+0x14/0x20
[ 42.847609]  radix_tree_next_chunk+0x953/0x9a0
[ 42.852234]  ida_remove+0xaa/0x230
[ 42.855776]  ? ida_destroy+0x1e0/0x1e0
[ 42.859663]  ? ida_simple_remove+0x2b/0x60
[ 42.863907]  ida_simple_remove+0x39/0x60
[ 42.867968]  ipvlan_link_new+0x515/0xfe0
[ 42.872032]  ? rtnl_create_link+0x12c/0x850
[ 42.876357]  rtnl_newlink+0xecb/0x1700
[ 42.880245]  ? rtnl_newlink+0x3f5/0x1700
[ 42.884317]  ? ipvlan_port_destroy+0x400/0x400
[ 42.888911]  ? rtnl_link_unregister+0x200/0x200
[ 42.893607]  ? avc_has_perm_noaudit+0x2b2/0x420
[ 42.898293]  ? lock_acquire+0x16f/0x430
[ 42.902290]  ? rtnetlink_rcv_msg+0x339/0xb70
[ 42.906728]  ? rtnl_link_unregister+0x200/0x200
[ 42.911416]  rtnetlink_rcv_msg+0x3da/0xb70
[ 42.916091]  ? rtnl_bridge_getlink+0x7a0/0x7a0
[ 42.920675]  ? netlink_deliver_tap+0x93/0x8f0
[ 42.925179]  netlink_rcv_skb+0x14f/0x3c0
[ 42.929241]  ? rtnl_bridge_getlink+0x7a0/0x7a0
[ 42.933837]  ? lock_downgrade+0x740/0x740
[ 42.937994]  ? netlink_ack+0x9a0/0x9a0
[ 42.941891]  ? netlink_deliver_tap+0xba/0x8f0
[ 42.946390]  rtnetlink_rcv+0x1d/0x30
[ 42.950126]  netlink_unicast+0x44d/0x650
[ 42.954193]  ? netlink_attachskb+0x6a0/0x6a0
[ 42.958606]  ? security_netlink_send+0x81/0xb0
[ 42.963293]  netlink_sendmsg+0x7c4/0xc60
[ 42.967363]  ? netlink_unicast+0x650/0x650
[ 42.971603]  ? security_socket_sendmsg+0x89/0xb0
[ 42.976361]  ? netlink_unicast+0x650/0x650
[ 42.980599]  sock_sendmsg+0xce/0x110
[ 42.984313]  ___sys_sendmsg+0x70a/0x840
[ 42.988298]  ? copy_msghdr_from_user+0x3f0/0x3f0
[ 42.993054]  ? save_trace+0x290/0x290
[ 42.997812]  ? selinux_file_alloc_security+0xb4/0x190
[ 43.003004]  ? __fd_install+0x1fb/0x5f0
[ 43.006977]  ? find_held_lock+0x35/0x130
[ 43.011042]  ? __lock_is_held+0xb6/0x140
[ 43.015115]  ? lock_downgrade+0x740/0x740
[ 43.019264]  ? __fd_install+0x236/0x5f0
[ 43.023239]  ? errseq_sample+0x4d/0x60
[ 43.027214]  ? __fget_light+0x172/0x1f0
[ 43.031197]  ? __fdget+0x1b/0x20
[ 43.034561]  ? sockfd_lookup_light+0xb4/0x160
[ 43.039053]  __sys_sendmsg+0xb9/0x140
[ 43.042851]  ? SyS_shutdown+0x170/0x170
[ 43.046821]  ? fd_install+0x4d/0x60
[ 43.050456]  SyS_sendmsg+0x2d/0x50
[ 43.053990]  ? __sys_sendmsg+0x140/0x140
[ 43.058050]  do_syscall_64+0x1e8/0x640
[ 43.061941]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 43.066794]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 43.072002] RIP: 0033:0x440339
[ 43.075192] RSP: 002b:00007ffd5d272e68 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
[ 43.082899] RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 0000000000440339
[ 43.090151] RDX: 0000000000000000 RSI: 0000000020000140 RDI: 0000000000000004
[ 43.097499] RBP: 00000000006ca018 R08: 00000000004002c8 R09: 00000000004002c8
[ 43.104752] R10: 00000000004002c8 R11: 0000000000000246 R12: 0000000000401bc0
[ 43.112053] R13: 0000000000401c50 R14: 0000000000000000 R15: 0000000000000000
[ 43.119351]
[ 43.120965] Allocated by task 7173:
[ 43.124576]  save_stack_trace+0x16/0x20
[ 43.128528]  save_stack+0x45/0xd0
[ 43.132083]  kasan_kmalloc+0xce/0xf0
[ 43.135784]  kmem_cache_alloc_trace+0x152/0x790
[ 43.140437]  ipvlan_link_new+0x657/0xfe0
[ 43.144481]  rtnl_newlink+0xecb/0x1700
[ 43.148358]  rtnetlink_rcv_msg+0x3da/0xb70
[ 43.152573]  netlink_rcv_skb+0x14f/0x3c0
[ 43.156625]  rtnetlink_rcv+0x1d/0x30
[ 43.160318]  netlink_unicast+0x44d/0x650
[ 43.164472]  netlink_sendmsg+0x7c4/0xc60
[ 43.168513]  sock_sendmsg+0xce/0x110
[ 43.172204]  ___sys_sendmsg+0x70a/0x840
[ 43.176255]  __sys_sendmsg+0xb9/0x140
[ 43.180036]  SyS_sendmsg+0x2d/0x50
[ 43.183579]  do_syscall_64+0x1e8/0x640
[ 43.187441]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 43.192605]
[ 43.194209] Freed by task 7173:
[ 43.197465]  save_stack_trace+0x16/0x20
[ 43.201423]  save_stack+0x45/0xd0
[ 43.205846]  kasan_slab_free+0x75/0xc0
[ 43.209736]  kfree+0xcc/0x270
[ 43.212925]  ipvlan_port_destroy+0x285/0x400
[ 43.217321]  ipvlan_uninit+0xc1/0xf0
[ 43.221013]  register_netdevice+0x79b/0xca0
[ 43.225312]  ipvlan_link_new+0x49f/0xfe0
[ 43.229359]  rtnl_newlink+0xecb/0x1700
[ 43.233234]  rtnetlink_rcv_msg+0x3da/0xb70
[ 43.237446]  netlink_rcv_skb+0x14f/0x3c0
[ 43.241483]  rtnetlink_rcv+0x1d/0x30
[ 43.245185]  netlink_unicast+0x44d/0x650
[ 43.249221]  netlink_sendmsg+0x7c4/0xc60
[ 43.253272]  sock_sendmsg+0xce/0x110
[ 43.257069]  ___sys_sendmsg+0x70a/0x840
[ 43.261027]  __sys_sendmsg+0xb9/0x140
[ 43.264804]  SyS_sendmsg+0x2d/0x50
[ 43.268334]  do_syscall_64+0x1e8/0x640
[ 43.272211]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 43.277374]
[ 43.278983] The buggy address belongs to the object at ffff888097010600
[ 43.278983]  which belongs to the cache kmalloc-4096 of size 4096
[ 43.291802] The buggy address is located 2248 bytes inside of
[ 43.291802]  4096-byte region [ffff888097010600, ffff888097011600)
[ 43.303833] The buggy address belongs to the page:
[ 43.308738] page:ffffea00025c0400 count:1 mapcount:0 mapping:ffff888097010600 index:0x0 compound_mapcount: 0
[ 43.318684] flags: 0xfffe0000008100(slab|head)
[ 43.323257] raw: 00fffe0000008100 ffff888097010600 0000000000000000 0000000100000001
[ 43.331118] raw: ffffea0001fa76a0 ffffea00025c04a0 ffff8880aa800dc0 0000000000000000
[ 43.338973] page dumped because: kasan: bad access detected
[ 43.344748]
[ 43.346360] Memory state around the buggy address:
[ 43.351269]  ffff888097010d80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 43.358615]  ffff888097010e00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 43.366116] >ffff888097010e80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 43.373452]                                               ^
[ 43.379139]  ffff888097010f00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 43.386473]  ffff888097010f80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 43.393816] ==================================================================
[ 43.401160] Disabling lock debugging due to kernel taint
[ 43.406610] Kernel panic - not syncing: panic_on_warn set ...
[ 43.406610]
[ 43.413972] CPU: 1 PID: 7173 Comm: syz-executor686 Tainted: G B 4.14.162-syzkaller #0
[ 43.423045] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 43.432399] Call Trace:
[ 43.434968]  dump_stack+0x142/0x197
[ 43.438572]  ? radix_tree_next_chunk+0x953/0x9a0
[ 43.443328]  panic+0x1f9/0x42d
[ 43.446497]  ? add_taint.cold+0x16/0x16
[ 43.450451]  ? lock_downgrade+0x740/0x740
[ 43.454580]  kasan_end_report+0x47/0x4f
[ 43.458526]  kasan_report.cold+0x130/0x2af
[ 43.462859]  __asan_report_load8_noabort+0x14/0x20
[ 43.467769]  radix_tree_next_chunk+0x953/0x9a0
[ 43.472333]  ida_remove+0xaa/0x230
[ 43.475868]  ? ida_destroy+0x1e0/0x1e0
[ 43.479735]  ? ida_simple_remove+0x2b/0x60
[ 43.483952]  ida_simple_remove+0x39/0x60
[ 43.488032]  ipvlan_link_new+0x515/0xfe0
[ 43.492074]  ? rtnl_create_link+0x12c/0x850
[ 43.496373]  rtnl_newlink+0xecb/0x1700
[ 43.500237]  ? rtnl_newlink+0x3f5/0x1700
[ 43.504310]  ? ipvlan_port_destroy+0x400/0x400
[ 43.508870]  ? rtnl_link_unregister+0x200/0x200
[ 43.513518]  ? avc_has_perm_noaudit+0x2b2/0x420
[ 43.518185]  ? lock_acquire+0x16f/0x430
[ 43.522137]  ? rtnetlink_rcv_msg+0x339/0xb70
[ 43.526531]  ? rtnl_link_unregister+0x200/0x200
[ 43.531188]  rtnetlink_rcv_msg+0x3da/0xb70
[ 43.535407]  ? rtnl_bridge_getlink+0x7a0/0x7a0
[ 43.539987]  ? netlink_deliver_tap+0x93/0x8f0
[ 43.544465]  netlink_rcv_skb+0x14f/0x3c0
[ 43.548509]  ? rtnl_bridge_getlink+0x7a0/0x7a0
[ 43.553074]  ? lock_downgrade+0x740/0x740
[ 43.557202]  ? netlink_ack+0x9a0/0x9a0
[ 43.561068]  ? netlink_deliver_tap+0xba/0x8f0
[ 43.565545]  rtnetlink_rcv+0x1d/0x30
[ 43.569244]  netlink_unicast+0x44d/0x650
[ 43.573282]  ? netlink_attachskb+0x6a0/0x6a0
[ 43.577665]  ? security_netlink_send+0x81/0xb0
[ 43.582227]  netlink_sendmsg+0x7c4/0xc60
[ 43.586264]  ? netlink_unicast+0x650/0x650
[ 43.590498]  ? security_socket_sendmsg+0x89/0xb0
[ 43.595230]  ? netlink_unicast+0x650/0x650
[ 43.599439]  sock_sendmsg+0xce/0x110
[ 43.603131]  ___sys_sendmsg+0x70a/0x840
[ 43.607089]  ? copy_msghdr_from_user+0x3f0/0x3f0
[ 43.611823]  ? save_trace+0x290/0x290
[ 43.615618]  ? selinux_file_alloc_security+0xb4/0x190
[ 43.620795]  ? __fd_install+0x1fb/0x5f0
[ 43.624743]  ? find_held_lock+0x35/0x130
[ 43.628784]  ? __lock_is_held+0xb6/0x140
[ 43.632838]  ? lock_downgrade+0x740/0x740
[ 43.636970]  ? __fd_install+0x236/0x5f0
[ 43.640937]  ? errseq_sample+0x4d/0x60
[ 43.644827]  ? __fget_light+0x172/0x1f0
[ 43.648781]  ? __fdget+0x1b/0x20
[ 43.652133]  ? sockfd_lookup_light+0xb4/0x160
[ 43.656612]  __sys_sendmsg+0xb9/0x140
[ 43.660388]  ? SyS_shutdown+0x170/0x170
[ 43.664347]  ? fd_install+0x4d/0x60
[ 43.667953]  SyS_sendmsg+0x2d/0x50
[ 43.671528]  ? __sys_sendmsg+0x140/0x140
[ 43.675668]  do_syscall_64+0x1e8/0x640
[ 43.679537]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 43.684622]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 43.689791] RIP: 0033:0x440339
[ 43.692959] RSP: 002b:00007ffd5d272e68 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
[ 43.700655] RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 0000000000440339
[ 43.707899] RDX: 0000000000000000 RSI: 0000000020000140 RDI: 0000000000000004
[ 43.715146] RBP: 00000000006ca018 R08: 00000000004002c8 R09: 00000000004002c8
[ 43.722476] R10: 00000000004002c8 R11: 0000000000000246 R12: 0000000000401bc0
[ 43.729742] R13: 0000000000401c50 R14: 0000000000000000 R15: 0000000000000000
[ 43.738715] Kernel Offset: disabled
[ 43.742353] Rebooting in 86400 seconds..