[ 32.448816] audit: type=1800 audit(1576233555.228:33): pid=6819 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:kernel_t:s0 op="collect_data" cause="failed(directio)" comm="startpar" name="rc.local" dev="sda1" ino=2465 res=0
[ 32.476169] audit: type=1800 audit(1576233555.238:34): pid=6819 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:kernel_t:s0 op="collect_data" cause="failed(directio)" comm="startpar" name="rmnologin" dev="sda1" ino=2456 res=0

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login:
[ 36.700700] random: sshd: uninitialized urandom read (32 bytes read)
[ 37.047098] audit: type=1400 audit(1576233559.828:35): avc: denied { map } for pid=6994 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
[ 37.096360] random: sshd: uninitialized urandom read (32 bytes read)
[ 37.678255] random: sshd: uninitialized urandom read (32 bytes read)
[ 37.853511] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.0.252' (ECDSA) to the list of known hosts.
[ 43.497279] random: sshd: uninitialized urandom read (32 bytes read)
[ 43.610983] audit: type=1400 audit(1576233566.398:36): avc: denied { map } for pid=7006 comm="syz-executor975" path="/root/syz-executor975176600" dev="sda1" ino=16484 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
[ 43.860870] IPVS: ftp: loaded support on port[0] = 21
executing program
[ 44.664717] audit: type=1400 audit(1576233567.448:37): avc: denied { create } for pid=7007 comm="syz-executor975" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_generic_socket permissive=1
[ 44.668956] netlink: 2 bytes leftover after parsing attributes in process `syz-executor975'.
[ 44.688831] audit: type=1400 audit(1576233567.448:38): avc: denied { write } for pid=7007 comm="syz-executor975" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_generic_socket permissive=1
[ 44.721947] audit: type=1400 audit(1576233567.448:39): avc: denied { read } for pid=7007 comm="syz-executor975" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_generic_socket permissive=1
[ 44.770239] ==================================================================
[ 44.778395] BUG: KASAN: use-after-free in __alloc_skb+0x318/0x500
[ 44.784607] Write of size 36 at addr ffff8881974a1900 by task swapper/1/0
[ 44.791510]
[ 44.793123] CPU: 1 PID: 0 Comm: swapper/1 Not tainted 4.14.158-syzkaller #0
[ 44.800292] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 44.809679] Call Trace:
[ 44.812239]
[ 44.814374] dump_stack+0x142/0x197
[ 44.818235] ? __alloc_skb+0x318/0x500
[ 44.822103] print_address_description.cold+0x7c/0x1dc
[ 44.827355] ? __alloc_skb+0x318/0x500
[ 44.831217] kasan_report.cold+0xa9/0x2af
[ 44.835343] check_memory_region+0x123/0x190
[ 44.839738] memset+0x24/0x40
[ 44.842820] __alloc_skb+0x318/0x500
[ 44.846512] ? skb_trim+0x180/0x180
[ 44.850117] ? _find_next_bit+0xee/0x120
[ 44.854158] alloc_skb_with_frags+0x86/0x4b0
[ 44.858552] ? cpumask_next+0x35/0x40
[ 44.862329] ? cpumask_next_and+0x89/0xb0
[ 44.866517] sock_alloc_send_pskb+0x5db/0x740
[ 44.871031] ? __lock_acquire+0x5f7/0x4620
[ 44.875257] ? sock_wmalloc+0xf0/0xf0
[ 44.879056] ? update_group_capacity+0x900/0x900
[ 44.883798] sock_alloc_send_skb+0x32/0x40
[ 44.888017] mld_newpack+0x1c0/0x7a0
[ 44.891710] ? ip6_mc_hdr.isra.0.constprop.0+0x580/0x580
[ 44.897228] add_grhead.isra.0+0x299/0x370
[ 44.901443] add_grec+0x69c/0xef0
[ 44.904873] ? mld_ifc_timer_expire+0x632/0x7b0
[ 44.909522] ? lock_acquire+0x16f/0x430
[ 44.913487] ? mld_sendpack+0xd60/0xd60
[ 44.917441] mld_ifc_timer_expire+0x33e/0x7b0
[ 44.921918] call_timer_fn+0x161/0x670
[ 44.925783] ? mld_dad_timer_expire+0x180/0x180
[ 44.930428] ? __next_timer_interrupt+0x140/0x140
[ 44.935345] ? trace_hardirqs_on_caller+0x19b/0x590
[ 44.940394] run_timer_softirq+0x5b7/0x1520
[ 44.944778] ? mld_dad_timer_expire+0x180/0x180
[ 44.949426] ? add_timer+0xae0/0xae0
[ 44.953120] ? rcu_lockdep_current_cpu_online+0xf2/0x140
[ 44.958651] __do_softirq+0x244/0x9a0
[ 44.962452] ? sched_clock+0x2e/0x50
[ 44.966164] irq_exit+0x160/0x1b0
[ 44.969606] smp_apic_timer_interrupt+0x146/0x5e0
[ 44.974449] apic_timer_interrupt+0x96/0xa0
[ 44.979154]
[ 44.981391] RIP: 0010:native_safe_halt+0xe/0x10
[ 44.986050] RSP: 0018:ffff8880a9d37e70 EFLAGS: 00000286 ORIG_RAX: ffffffffffffff10
[ 44.993741] RAX: 1ffffffff0fe2d2c RBX: ffff8880a9d2a340 RCX: 0000000000000000
[ 45.001263] RDX: dffffc0000000000 RSI: 0000000000000001 RDI: ffff8880a9d2abbc
[ 45.008528] RBP: ffff8880a9d37e98 R08: 1ffffffff1164701 R09: 0000000000000000
[ 45.015785] R10: 0000000000000000 R11: 0000000000000000 R12: ffffffff87f16950
[ 45.023142] R13: 0000000000000000 R14: 0000000000000000 R15: ffff8880a9d2a340
[ 45.033795] ? default_idle+0x4c/0x370
[ 45.037947] arch_cpu_idle+0xa/0x10
[ 45.041559] default_idle_call+0x36/0x90
[ 45.045601] do_idle+0x262/0x3d0
[ 45.048944] cpu_startup_entry+0x1b/0x20
[ 45.052981] start_secondary+0x346/0x4b0
[ 45.057025] secondary_startup_64+0xa5/0xb0
[ 45.061331]
[ 45.062937] The buggy address belongs to the page:
[ 45.067847] page:ffffea00065d2840 count:0 mapcount:0 mapping: (null) index:0x0
[ 45.075966] flags: 0x57ffe0000000000()
[ 45.079831] raw: 057ffe0000000000 0000000000000000 0000000000000000 00000000ffffffff
[ 45.087966] raw: ffffea00065d2860 ffffea00065d2860 0000000000000000 0000000000000000
[ 45.096792] page dumped because: kasan: bad access detected
[ 45.102485]
[ 45.104090] Memory state around the buggy address:
[ 45.108999] ffff8881974a1800: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 45.116783] ffff8881974a1880: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 45.124124] >ffff8881974a1900: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 45.131458]                    ^
[ 45.134817] ffff8881974a1980: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 45.143135] ffff8881974a1a00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 45.150477] ==================================================================
[ 45.157809] Disabling lock debugging due to kernel taint
[ 45.163286] Kernel panic - not syncing: panic_on_warn set ...
[ 45.163286]
[ 45.170651] CPU: 1 PID: 0 Comm: swapper/1 Tainted: G B 4.14.158-syzkaller #0
[ 45.178941] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 45.188278] Call Trace:
[ 45.190845]
[ 45.192978] dump_stack+0x142/0x197
[ 45.196582] ? __alloc_skb+0x318/0x500
[ 45.200446] panic+0x1f9/0x42d
[ 45.203612] ? add_taint.cold+0x16/0x16
[ 45.207566] kasan_end_report+0x47/0x4f
[ 45.211514] kasan_report.cold+0x130/0x2af
[ 45.215723] check_memory_region+0x123/0x190
[ 45.220108] memset+0x24/0x40
[ 45.223189] __alloc_skb+0x318/0x500
[ 45.226878] ? skb_trim+0x180/0x180
[ 45.230493] ? _find_next_bit+0xee/0x120
[ 45.234541] alloc_skb_with_frags+0x86/0x4b0
[ 45.238931] ? cpumask_next+0x35/0x40
[ 45.242705] ? cpumask_next_and+0x89/0xb0
[ 45.246851] sock_alloc_send_pskb+0x5db/0x740
[ 45.251322] ? __lock_acquire+0x5f7/0x4620
[ 45.255529] ? sock_wmalloc+0xf0/0xf0
[ 45.259303] ? update_group_capacity+0x900/0x900
[ 45.264042] sock_alloc_send_skb+0x32/0x40
[ 45.268267] mld_newpack+0x1c0/0x7a0
[ 45.272062] ? ip6_mc_hdr.isra.0.constprop.0+0x580/0x580
[ 45.277497] add_grhead.isra.0+0x299/0x370
[ 45.281706] add_grec+0x69c/0xef0
[ 45.285144] ? mld_ifc_timer_expire+0x632/0x7b0
[ 45.289789] ? lock_acquire+0x16f/0x430
[ 45.293740] ? mld_sendpack+0xd60/0xd60
[ 45.297699] mld_ifc_timer_expire+0x33e/0x7b0
[ 45.302175] call_timer_fn+0x161/0x670
[ 45.307001] ? mld_dad_timer_expire+0x180/0x180
[ 45.311906] ? __next_timer_interrupt+0x140/0x140
[ 45.316726] ? trace_hardirqs_on_caller+0x19b/0x590
[ 45.321729] run_timer_softirq+0x5b7/0x1520
[ 45.326023] ? mld_dad_timer_expire+0x180/0x180
[ 45.330669] ? add_timer+0xae0/0xae0
[ 45.334360] ? rcu_lockdep_current_cpu_online+0xf2/0x140
[ 45.339800] __do_softirq+0x244/0x9a0
[ 45.343580] ? sched_clock+0x2e/0x50
[ 45.347280] irq_exit+0x160/0x1b0
[ 45.350716] smp_apic_timer_interrupt+0x146/0x5e0
[ 45.355544] apic_timer_interrupt+0x96/0xa0
[ 45.359847]
[ 45.362060] RIP: 0010:native_safe_halt+0xe/0x10
[ 45.366700] RSP: 0018:ffff8880a9d37e70 EFLAGS: 00000286 ORIG_RAX: ffffffffffffff10
[ 45.374384] RAX: 1ffffffff0fe2d2c RBX: ffff8880a9d2a340 RCX: 0000000000000000
[ 45.381651] RDX: dffffc0000000000 RSI: 0000000000000001 RDI: ffff8880a9d2abbc
[ 45.388906] RBP: ffff8880a9d37e98 R08: 1ffffffff1164701 R09: 0000000000000000
[ 45.396247] R10: 0000000000000000 R11: 0000000000000000 R12: ffffffff87f16950
[ 45.403496] R13: 0000000000000000 R14: 0000000000000000 R15: ffff8880a9d2a340
[ 45.410759] ? default_idle+0x4c/0x370
[ 45.414633] arch_cpu_idle+0xa/0x10
[ 45.418239] default_idle_call+0x36/0x90
[ 45.422279] do_idle+0x262/0x3d0
[ 45.425623] cpu_startup_entry+0x1b/0x20
[ 45.429661] start_secondary+0x346/0x4b0
[ 45.433700] secondary_startup_64+0xa5/0xb0
[ 45.438679] Kernel Offset: disabled
[ 45.442311] Rebooting in 86400 seconds..