[ 33.169504] audit: type=1800 audit(1579832169.174:33): pid=7123 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:kernel_t:s0 op="collect_data" cause="failed(directio)" comm="startpar" name="rc.local" dev="sda1" ino=2465 res=0
[ 33.196041] audit: type=1800 audit(1579832169.184:34): pid=7123 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:kernel_t:s0 op="collect_data" cause="failed(directio)" comm="startpar" name="rmnologin" dev="sda1" ino=2456 res=0
Debian GNU/Linux 7 syzkaller ttyS0
syzkaller login: [ 37.269895] random: sshd: uninitialized urandom read (32 bytes read)
[ 37.642793] audit: type=1400 audit(1579832173.654:35): avc: denied { map } for pid=7296 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
[ 37.692354] random: sshd: uninitialized urandom read (32 bytes read)
[ 38.401006] random: sshd: uninitialized urandom read (32 bytes read)
[ 38.588243] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.0.33' (ECDSA) to the list of known hosts.
[ 44.071966] random: sshd: uninitialized urandom read (32 bytes read)
executing program
[ 44.191757] audit: type=1400 audit(1579832180.204:36): avc: denied { map } for pid=7308 comm="syz-executor733" path="/root/syz-executor733289983" dev="sda1" ino=16484 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
[ 44.195067] ==================================================================
[ 44.225509] BUG: KASAN: slab-out-of-bounds in setup_udp_tunnel_sock+0x343/0x410
[ 44.233081] Write of size 1 at addr ffff8880a6440558 by task syz-executor733/7308
[ 44.240675]
[ 44.242284] CPU: 0 PID: 7308 Comm: syz-executor733 Not tainted 4.14.167-syzkaller #0
[ 44.250141] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 44.259472] Call Trace:
[ 44.262043] dump_stack+0x142/0x197
[ 44.265648] ? setup_udp_tunnel_sock+0x343/0x410
[ 44.270385] print_address_description.cold+0x7c/0x1dc
[ 44.275640] ? setup_udp_tunnel_sock+0x343/0x410
[ 44.280376] kasan_report.cold+0xa9/0x2af
[ 44.284507] __asan_report_store1_noabort+0x17/0x20
[ 44.289502] setup_udp_tunnel_sock+0x343/0x410
[ 44.294066] gtp_encap_enable_socket+0x2a3/0x3d0
[ 44.298818] ? gtp_find_dev+0x1e0/0x1e0
[ 44.302773] ? gtp0_pdp_find.isra.0+0x140/0x140
[ 44.307418] ? __gtp_encap_destroy+0x180/0x180
[ 44.311984] ? alloc_netdev_mqs+0x918/0xbc0
[ 44.316283] gtp_newlink+0x93/0xc50
[ 44.319901] ? rtnl_create_link+0x12c/0x850
[ 44.324204] ? __netlink_ns_capable+0xe2/0x130
[ 44.328764] rtnl_newlink+0xecb/0x1700
[ 44.332637] ? gtp_genl_new_pdp+0xfe0/0xfe0
[ 44.336949] ? rtnl_link_unregister+0x200/0x200
[ 44.341635] ? avc_has_perm_noaudit+0x2b2/0x420
[ 44.346302] ? lock_acquire+0x16f/0x430
[ 44.350255] ? rtnetlink_rcv_msg+0x339/0xb70
[ 44.354657] ? rtnl_link_unregister+0x200/0x200
[ 44.359301] rtnetlink_rcv_msg+0x3da/0xb70
[ 44.363514] ? rtnl_bridge_getlink+0x7a0/0x7a0
[ 44.368075] ? netlink_deliver_tap+0x93/0x8f0
[ 44.372568] netlink_rcv_skb+0x14f/0x3c0
[ 44.376623] ? rtnl_bridge_getlink+0x7a0/0x7a0
[ 44.381190] ? lock_downgrade+0x740/0x740
[ 44.385324] ? netlink_ack+0x9a0/0x9a0
[ 44.389195] ? netlink_deliver_tap+0xba/0x8f0
[ 44.393691] rtnetlink_rcv+0x1d/0x30
[ 44.397395] netlink_unicast+0x44d/0x650
[ 44.401472] ? netlink_attachskb+0x6a0/0x6a0
[ 44.405875] ? security_netlink_send+0x81/0xb0
[ 44.410453] netlink_sendmsg+0x7c4/0xc60
[ 44.414498] ? netlink_unicast+0x650/0x650
[ 44.418716] ? security_socket_sendmsg+0x89/0xb0
[ 44.423498] ? netlink_unicast+0x650/0x650
[ 44.427893] sock_sendmsg+0xce/0x110
[ 44.431587] ___sys_sendmsg+0x70a/0x840
[ 44.435540] ? lock_downgrade+0x740/0x740
[ 44.439669] ? copy_msghdr_from_user+0x3f0/0x3f0
[ 44.444433] ? do_raw_spin_unlock+0x174/0x260
[ 44.448911] ? _raw_spin_unlock+0x2d/0x50
[ 44.453044] ? do_huge_pmd_anonymous_page+0x2f9/0x1200
[ 44.458301] ? prep_transhuge_page+0xa0/0xa0
[ 44.462691] ? __handle_mm_fault+0x692/0x33d0
[ 44.467161] ? save_trace+0x290/0x290
[ 44.470942] ? copy_page_range+0x1de0/0x1de0
[ 44.475367] ? __do_page_fault+0x4e9/0xb80
[ 44.479578] ? __fget_light+0x172/0x1f0
[ 44.483531] ? __fdget+0x1b/0x20
[ 44.486884] ? sockfd_lookup_light+0xb4/0x160
[ 44.491368] __sys_sendmsg+0xb9/0x140
[ 44.495149] ? SyS_shutdown+0x170/0x170
[ 44.499104] SyS_sendmsg+0x2d/0x50
[ 44.502627] ? __sys_sendmsg+0x140/0x140
[ 44.506668] do_syscall_64+0x1e8/0x640
[ 44.510569] ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 44.515422] entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 44.521897] RIP: 0033:0x4402b9
[ 44.525090] RSP: 002b:00007fffa7840708 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
[ 44.532779] RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 00000000004402b9
[ 44.540043] RDX: 0000000000000000 RSI: 0000000020000100 RDI: 0000000000000003
[ 44.547297] RBP: 00000000006ca018 R08: 00000000004002c8 R09: 00000000004002c8
[ 44.554582] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000401b40
[ 44.561829] R13: 0000000000401bd0 R14: 0000000000000000 R15: 0000000000000000
[ 44.569112]
[ 44.570716] Allocated by task 7308:
[ 44.574432] save_stack_trace+0x16/0x20
[ 44.578403] save_stack+0x45/0xd0
[ 44.581834] kasan_kmalloc+0xce/0xf0
[ 44.585522] kasan_slab_alloc+0xf/0x20
[ 44.589388] kmem_cache_alloc+0x12e/0x780
[ 44.593532] sk_prot_alloc+0x67/0x2a0
[ 44.597306] sk_alloc+0x39/0xd70
[ 44.600649] inet_create+0x2f0/0xca0
[ 44.604369] __sock_create+0x2f6/0x620
[ 44.608232] SyS_socket+0xd3/0x170
[ 44.611748] do_syscall_64+0x1e8/0x640
[ 44.615611] entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 44.620773]
[ 44.622376] Freed by task 0:
[ 44.625365] (stack is not available)
[ 44.629050]
[ 44.630655] The buggy address belongs to the object at ffff8880a6440040
[ 44.630655] which belongs to the cache RAW of size 1304
[ 44.642678] The buggy address is located 0 bytes to the right of
[ 44.642678] 1304-byte region [ffff8880a6440040, ffff8880a6440558)
[ 44.654965] The buggy address belongs to the page:
[ 44.659927] page:ffffea0002991000 count:1 mapcount:0 mapping:ffff8880a6440040 index:0x0 compound_mapcount: 0
[ 44.669876] flags: 0xfffe0000008100(slab|head)
[ 44.674444] raw: 00fffe0000008100 ffff8880a6440040 0000000000000000 0000000100000005
[ 44.682302] raw: ffff8880a7981248 ffff8880a7981248 ffff8880a68adb00 0000000000000000
[ 44.690169] page dumped because: kasan: bad access detected
[ 44.695854]
[ 44.697455] Memory state around the buggy address:
[ 44.702368] ffff8880a6440400: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 44.709711] ffff8880a6440480: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 44.717052] >ffff8880a6440500: 00 00 00 00 00 00 00 00 00 00 00 fc fc fc fc fc
[ 44.724391] ^
[ 44.730611] ffff8880a6440580: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 44.737950] ffff8880a6440600: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 44.745302] ==================================================================
[ 44.752641] Disabling lock debugging due to kernel taint
[ 44.758616] Kernel panic - not syncing: panic_on_warn set ...
[ 44.758616]
[ 44.765980] CPU: 0 PID: 7308 Comm: syz-executor733 Tainted: G B 4.14.167-syzkaller #0
[ 44.775052] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 44.784410] Call Trace:
[ 44.787015] dump_stack+0x142/0x197
[ 44.790622] ? setup_udp_tunnel_sock+0x343/0x410
[ 44.795351] panic+0x1f9/0x42d
[ 44.798517] ? add_taint.cold+0x16/0x16
[ 44.802467] ? ___preempt_schedule+0x16/0x18
[ 44.806856] kasan_end_report+0x47/0x4f
[ 44.810815] kasan_report.cold+0x130/0x2af
[ 44.815027] __asan_report_store1_noabort+0x17/0x20
[ 44.820028] setup_udp_tunnel_sock+0x343/0x410
[ 44.824636] gtp_encap_enable_socket+0x2a3/0x3d0
[ 44.829372] ? gtp_find_dev+0x1e0/0x1e0
[ 44.833438] ? gtp0_pdp_find.isra.0+0x140/0x140
[ 44.838088] ? __gtp_encap_destroy+0x180/0x180
[ 44.842649] ? alloc_netdev_mqs+0x918/0xbc0
[ 44.846952] gtp_newlink+0x93/0xc50
[ 44.850565] ? rtnl_create_link+0x12c/0x850
[ 44.854866] ? __netlink_ns_capable+0xe2/0x130
[ 44.859469] rtnl_newlink+0xecb/0x1700
[ 44.863338] ? gtp_genl_new_pdp+0xfe0/0xfe0
[ 44.867639] ? rtnl_link_unregister+0x200/0x200
[ 44.872291] ? avc_has_perm_noaudit+0x2b2/0x420
[ 44.876942] ? lock_acquire+0x16f/0x430
[ 44.880893] ? rtnetlink_rcv_msg+0x339/0xb70
[ 44.885288] ? rtnl_link_unregister+0x200/0x200
[ 44.889942] rtnetlink_rcv_msg+0x3da/0xb70
[ 44.894169] ? rtnl_bridge_getlink+0x7a0/0x7a0
[ 44.898738] ? netlink_deliver_tap+0x93/0x8f0
[ 44.903210] netlink_rcv_skb+0x14f/0x3c0
[ 44.907246] ? rtnl_bridge_getlink+0x7a0/0x7a0
[ 44.911819] ? lock_downgrade+0x740/0x740
[ 44.915940] ? netlink_ack+0x9a0/0x9a0
[ 44.919813] ? netlink_deliver_tap+0xba/0x8f0
[ 44.924301] rtnetlink_rcv+0x1d/0x30
[ 44.928000] netlink_unicast+0x44d/0x650
[ 44.932050] ? netlink_attachskb+0x6a0/0x6a0
[ 44.936440] ? security_netlink_send+0x81/0xb0
[ 44.941002] netlink_sendmsg+0x7c4/0xc60
[ 44.945047] ? netlink_unicast+0x650/0x650
[ 44.949261] ? security_socket_sendmsg+0x89/0xb0
[ 44.954031] ? netlink_unicast+0x650/0x650
[ 44.958241] sock_sendmsg+0xce/0x110
[ 44.961933] ___sys_sendmsg+0x70a/0x840
[ 44.965883] ? lock_downgrade+0x740/0x740
[ 44.970006] ? copy_msghdr_from_user+0x3f0/0x3f0
[ 44.974744] ? do_raw_spin_unlock+0x174/0x260
[ 44.979219] ? _raw_spin_unlock+0x2d/0x50
[ 44.983344] ? do_huge_pmd_anonymous_page+0x2f9/0x1200
[ 44.988606] ? prep_transhuge_page+0xa0/0xa0
[ 44.992994] ? __handle_mm_fault+0x692/0x33d0
[ 44.997479] ? save_trace+0x290/0x290
[ 45.001268] ? copy_page_range+0x1de0/0x1de0
[ 45.005663] ? __do_page_fault+0x4e9/0xb80
[ 45.009901] ? __fget_light+0x172/0x1f0
[ 45.013874] ? __fdget+0x1b/0x20
[ 45.017239] ? sockfd_lookup_light+0xb4/0x160
[ 45.021725] __sys_sendmsg+0xb9/0x140
[ 45.025517] ? SyS_shutdown+0x170/0x170
[ 45.029473] SyS_sendmsg+0x2d/0x50
[ 45.033002] ? __sys_sendmsg+0x140/0x140
[ 45.037048] do_syscall_64+0x1e8/0x640
[ 45.040938] ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 45.045766] entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 45.051143] RIP: 0033:0x4402b9
[ 45.054316] RSP: 002b:00007fffa7840708 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
[ 45.062059] RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 00000000004402b9
[ 45.069354] RDX: 0000000000000000 RSI: 0000000020000100 RDI: 0000000000000003
[ 45.076636] RBP: 00000000006ca018 R08: 00000000004002c8 R09: 00000000004002c8
[ 45.083897] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000401b40
[ 45.091143] R13: 0000000000401bd0 R14: 0000000000000000 R15: 0000000000000000
[ 45.099757] Kernel Offset: disabled
[ 45.103377] Rebooting in 86400 seconds..