[ ok ] Starting enhanced syslogd: rsyslogd.
[    9.990308] audit: type=1400 audit(1516366212.393:4): avc: denied { syslog } for pid=3185 comm="rsyslogd" capability=34 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=capability2 permissive=1
[ ok ] Starting periodic command scheduler: cron.
Starting mcstransd:
[ ok ] Starting file context maintaining daemon: restorecond.
[ ok ] Starting OpenBSD Secure Shell server: sshd.

Debian GNU/Linux 7 syzkaller ttyS0

Warning: Permanently added '10.128.0.19' (ECDSA) to the list of known hosts.
2018/01/19 12:50:59 parsed 1 programs
2018/01/19 12:50:59 executed programs: 0

syzkaller login: [   57.398540] IPVS: Creating netns size=2536 id=1
[   57.403917] audit: type=1400 audit(1516366259.813:5): avc: denied { sys_admin } for pid=3370 comm="syz-executor2" capability=21 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=cap_userns permissive=1
[   57.416216] IPVS: Creating netns size=2536 id=2
[   57.427579] audit: type=1400 audit(1516366259.833:6): avc: denied { sys_chroot } for pid=3377 comm="syz-executor2" capability=18 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=cap_userns permissive=1
[   57.432730] IPVS: Creating netns size=2536 id=3
[   57.462533] IPVS: Creating netns size=2536 id=4
[   57.476689] IPVS: Creating netns size=2536 id=5
[   57.497987] IPVS: Creating netns size=2536 id=6
[   57.519519] IPVS: Creating netns size=2536 id=7
[   57.535428] IPVS: Creating netns size=2536 id=8
2018/01/19 12:51:04 executed programs: 294
2018/01/19 12:51:09 executed programs: 604
[   71.203468] ==================================================================
[   71.210871] BUG: KASAN: use-after-free in __lock_acquire+0x2eff/0x3640
[   71.217513] Read of size 8 at addr ffff8801c185d5a0 by task syz-executor1/6488
[   71.224837] 
[   71.226436] CPU: 1 PID: 6488 Comm: syz-executor1 Not tainted 4.9.77-g9c3804b #26
[   71.233936] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   71.243260]  ffff8801d821f600 ffffffff81d941c9 ffffea0007061600 ffff8801c185d5a0
[   71.251227]  0000000000000000 ffff8801c185d5a0 ffff8801c185d5a0 ffff8801d821f638
[   71.259205]  ffffffff8153db93 ffff8801c185d5a0 0000000000000008 0000000000000000
[   71.267184] Call Trace:
[   71.269744]  [] dump_stack+0xc1/0x128
[   71.275090]  [] print_address_description+0x73/0x280
[   71.281724]  [] kasan_report+0x275/0x360
[   71.287319]  [] ? __lock_acquire+0x2eff/0x3640
[   71.293433]  [] __asan_report_load8_noabort+0x14/0x20
[   71.300158]  [] __lock_acquire+0x2eff/0x3640
[   71.306102]  [] ? update_stack_state.constprop.5+0xca/0x150
[   71.313346]  [] ? __unwind_start+0x1e3/0x3c0
[   71.319287]  [] ? unwind_next_frame+0x86/0xe0
[   71.325316]  [] ? debug_check_no_locks_freed+0x2c0/0x2c0
[   71.332300]  [] ? free_fs_struct+0x4f/0x60
[   71.338066]  [] ? free_fs_struct+0x4f/0x60
[   71.343835]  [] ? exit_fs+0xe1/0x120
[   71.349081]  [] ? do_exit+0x7c1/0x2a40
[   71.354503]  [] ? do_group_exit+0x108/0x320
[   71.360358]  [] ? get_signal+0x4d4/0x14e0
[   71.366038]  [] ? do_signal+0x87/0x1a00
[   71.371546]  [] ? exit_to_usermode_loop+0xe1/0x120
[   71.378010]  [] lock_acquire+0x12e/0x410
[   71.383605]  [] ? lock_sock_nested+0x43/0x120
[   71.389635]  [] ? sock_release+0x1e0/0x1e0
[   71.395423]  [] _raw_spin_lock_bh+0x3a/0x50
[   71.401280]  [] ? lock_sock_nested+0x43/0x120
[   71.407324]  [] lock_sock_nested+0x43/0x120
[   71.413182]  [] pppol2tp_release+0x50/0x2e0
[   71.419041]  [] sock_release+0x8d/0x1e0
[   71.424550]  [] sock_close+0x16/0x20
[   71.429802]  [] __fput+0x28c/0x6e0
[   71.434875]  [] ____fput+0x15/0x20
[   71.439952]  [] task_work_run+0x115/0x190
[   71.445636]  [] do_exit+0x7e7/0x2a40
[   71.450885]  [] ? save_stack+0x43/0xd0
[   71.456306]  [] ? kmem_cache_free+0xc7/0x300
[   71.462246]  [] ? dentry_free+0xd5/0x150
[   71.467854]  [] ? release_task+0x1240/0x1240
[   71.473802]  [] ? __lock_acquire+0x629/0x3640
[   71.479831]  [] ? __dequeue_signal+0xa3/0x550
[   71.485858]  [] ? recalc_sigpending+0x72/0x90
[   71.491888]  [] do_group_exit+0x108/0x320
[   71.497570]  [] get_signal+0x4d4/0x14e0
[   71.503078]  [] ? check_preemption_disabled+0x3b/0x200
[   71.509893]  [] do_signal+0x87/0x1a00
[   71.515230]  [] ? check_preemption_disabled+0x3b/0x200
[   71.522041]  [] ? mntput_no_expire+0xca/0x6b0
[   71.528071]  [] ? setup_sigcontext+0x7d0/0x7d0
[   71.534186]  [] ? mntput_no_expire+0xf6/0x6b0
[   71.540212]  [] ? mnt_get_count+0x160/0x160
[   71.546068]  [] ? dput.part.23+0x16d/0x7b0
[   71.551835]  [] ? dput.part.23+0x2a/0x7b0
[   71.557523]  [] ? sock_release+0x1e0/0x1e0
[   71.563294]  [] ? mntput+0x66/0x90
[   71.568368]  [] ? exit_to_usermode_loop+0xac/0x120
[   71.574829]  [] exit_to_usermode_loop+0xe1/0x120
[   71.581118]  [] do_fast_syscall_32+0x5de/0x890
[   71.587234]  [] ? trace_hardirqs_off_thunk+0x1a/0x1c
[   71.593869]  [] entry_SYSENTER_compat+0x74/0x83
[   71.600066] 
[   71.601663] Allocated by task 6491:
[   71.605266]  save_stack_trace+0x16/0x20
[   71.609213]  save_stack+0x43/0xd0
[   71.612636]  kasan_kmalloc+0xad/0xe0
[   71.616319]  __kmalloc+0x11d/0x310
[   71.619831]  sk_prot_alloc+0x101/0x2a0
[   71.623688]  sk_alloc+0x3a/0x3a0
[   71.627027]  pppol2tp_create+0x33/0x1f0
[   71.630970]  pppox_create+0xf1/0x200
[   71.634655]  __sock_create+0x3ab/0x640
[   71.638510]  SyS_socket+0xf0/0x1b0
[   71.642281]  do_fast_syscall_32+0x2f7/0x890
[   71.647700]  entry_SYSENTER_compat+0x74/0x83
[   71.652072] 
[   71.653669] Freed by task 6488:
[   71.656921]  save_stack_trace+0x16/0x20
[   71.660864]  save_stack+0x43/0xd0
[   71.664285]  kasan_slab_free+0x72/0xc0
[   71.668154]  kfree+0x103/0x300
[   71.671317]  __sk_destruct+0x47f/0x570
[   71.675174]  sk_destruct+0x47/0x80
[   71.678682]  __sk_free+0x57/0x230
[   71.682453]  sk_free+0x23/0x30
[   71.687011]  pppol2tp_session_sock_put+0x5a/0x70
[   71.691737]  l2tp_tunnel_closeall+0x254/0x3a0
[   71.696202]  l2tp_udp_encap_destroy+0x87/0xe0
[   71.700666]  udpv6_destroy_sock+0xb1/0xd0
[   71.704781]  sk_common_release+0x6b/0x2f0
[   71.708900]  udp_lib_close+0x15/0x20
[   71.713541]  inet_release+0xfa/0x1d0
[   71.717224]  inet6_release+0x50/0x70
[   71.720905]  sock_release+0x8d/0x1e0
[   71.724586]  sock_close+0x16/0x20
[   71.728009]  __fput+0x28c/0x6e0
[   71.731254]  ____fput+0x15/0x20
[   71.734501]  task_work_run+0x115/0x190
[   71.738358]  exit_to_usermode_loop+0xfc/0x120
[   71.742822]  do_fast_syscall_32+0x5de/0x890
[   71.747116]  entry_SYSENTER_compat+0x74/0x83
[   71.751488] 
[   71.753088] The buggy address belongs to the object at ffff8801c185d500
[   71.753088]  which belongs to the cache kmalloc-2048 of size 2048
[   71.765885] The buggy address is located 160 bytes inside of
[   71.765885]  2048-byte region [ffff8801c185d500, ffff8801c185dd00)
[   71.777812] The buggy address belongs to the page:
[   71.782711] page:ffffea0007061600 count:1 mapcount:0 mapping:          (null) index:0x0 compound_mapcount: 0
[   71.792879] flags: 0x8000000000004080(slab|head)
[   71.797599] page dumped because: kasan: bad access detected
[   71.803275] 
[   71.804869] Memory state around the buggy address:
[   71.809766]  ffff8801c185d480: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   71.817096]  ffff8801c185d500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   71.824422] >ffff8801c185d580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   71.831748]                                ^
[   71.836126]  ffff8801c185d600: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   71.843453]  ffff8801c185d680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   71.850777] ==================================================================
[   71.860017] Disabling lock debugging due to kernel taint
[   71.867942] Kernel panic - not syncing: panic_on_warn set ...
[   71.867942] 
[   71.878230] CPU: 1 PID: 6488 Comm: syz-executor1 Tainted: G    B           4.9.77-g9c3804b #26
[   71.890071] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   71.903216]  ffff8801d821f558 ffffffff81d941c9 ffffffff841970ff ffff8801d821f630
[   71.914408]  0000000000000000 ffff8801c185d5a0 ffff8801c185d5a0 ffff8801d821f620
[   71.926117]  ffffffff8142f3c1 0000000041b58ab3 ffffffff8418ab70 ffffffff8142f205
[   71.937267] Call Trace:
[   71.940435]  [] dump_stack+0xc1/0x128
[   71.948025]  [] panic+0x1bc/0x3a8
[   71.955269]  [] ? percpu_up_read_preempt_enable.constprop.53+0xd7/0xd7
[   71.963467]  [] ? add_taint+0x40/0x50
[   71.968804]  [] kasan_end_report+0x50/0x50
[   71.974572]  [] kasan_report+0x167/0x360
[   71.980167]  [] ? __lock_acquire+0x2eff/0x3640
[   71.986285]  [] __asan_report_load8_noabort+0x14/0x20
[   71.993008]  [] __lock_acquire+0x2eff/0x3640
[   71.998951]  [] ? update_stack_state.constprop.5+0xca/0x150
[   72.006194]  [] ? __unwind_start+0x1e3/0x3c0
[   72.012133]  [] ? unwind_next_frame+0x86/0xe0
[   72.018159]  [] ? debug_check_no_locks_freed+0x2c0/0x2c0
[   72.025141]  [] ? free_fs_struct+0x4f/0x60
[   72.030908]  [] ? free_fs_struct+0x4f/0x60
[   72.036673]  [] ? exit_fs+0xe1/0x120
[   72.041922]  [] ? do_exit+0x7c1/0x2a40
[   72.047342]  [] ? do_group_exit+0x108/0x320
[   72.053194]  [] ? get_signal+
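The report above carries the three stacks a triager has to correlate: the use (pppol2tp_release taking the socket lock in task 6488), the free (the same task closing a UDPv6 tunnel socket, whose udpv6_destroy_sock path runs l2tp_tunnel_closeall and drops the session socket through pppol2tp_session_sock_put) and the allocation (pppol2tp_create via socket() in task 6491, a different thread). The Python below is an added example, not part of the syzkaller log or of the kernel: it parses a KASAN report in this format and pulls out those facts. The REPORT string is an excerpt of the report above with the stacks shortened; the GENERIC prefix list is my own heuristic for which frames are KASAN, allocator, socket-core or lock-debugging plumbing rather than the subsystem that touched the object.

```python
import re

# Excerpt of the KASAN report from the console log above; the stacks are
# shortened to the frames this example needs (the original has more).
REPORT = """\
[   71.210871] BUG: KASAN: use-after-free in __lock_acquire+0x2eff/0x3640
[   71.217513] Read of size 8 at addr ffff8801c185d5a0 by task syz-executor1/6488
[   71.267184] Call Trace:
[   71.269744]  [] dump_stack+0xc1/0x128
[   71.281724]  [] kasan_report+0x275/0x360
[   71.287319]  [] ? __lock_acquire+0x2eff/0x3640
[   71.300158]  [] __lock_acquire+0x2eff/0x3640
[   71.378010]  [] lock_acquire+0x12e/0x410
[   71.395423]  [] _raw_spin_lock_bh+0x3a/0x50
[   71.407324]  [] lock_sock_nested+0x43/0x120
[   71.413182]  [] pppol2tp_release+0x50/0x2e0
[   71.600066]
[   71.601663] Allocated by task 6491:
[   71.605266]  save_stack_trace+0x16/0x20
[   71.612636]  kasan_kmalloc+0xad/0xe0
[   71.616319]  __kmalloc+0x11d/0x310
[   71.623688]  sk_alloc+0x3a/0x3a0
[   71.627027]  pppol2tp_create+0x33/0x1f0
[   71.652072]
[   71.653669] Freed by task 6488:
[   71.656921]  save_stack_trace+0x16/0x20
[   71.664285]  kasan_slab_free+0x72/0xc0
[   71.668154]  kfree+0x103/0x300
[   71.671317]  __sk_destruct+0x47f/0x570
[   71.682453]  sk_free+0x23/0x30
[   71.687011]  pppol2tp_session_sock_put+0x5a/0x70
[   71.691737]  l2tp_tunnel_closeall+0x254/0x3a0
[   71.696202]  l2tp_udp_encap_destroy+0x87/0xe0
[   71.700666]  udpv6_destroy_sock+0xb1/0xd0
[   71.751488]
[   71.753088] The buggy address belongs to the object at ffff8801c185d500
[   71.753088]  which belongs to the cache kmalloc-2048 of size 2048
[   71.765885] The buggy address is located 160 bytes inside of
[   71.765885]  2048-byte region [ffff8801c185d500, ffff8801c185dd00)
"""

TS = re.compile(r"^\[\s*\d+\.\d+\]\s?")                         # dmesg timestamp
HDR = re.compile(r"BUG: KASAN: (?P<bug>[\w-]+) in (?P<site>\S+)")
ACC = re.compile(r"(?P<kind>Read|Write) of size (?P<size>\d+) at addr "
                 r"(?P<addr>[0-9a-f]+) by task (?P<comm>\S+)/(?P<pid>\d+)")
OWNER = re.compile(r"^(?P<which>Allocated|Freed) by task (?P<pid>\d+):")
FRAME = re.compile(r"^(?:\[\] )?(?P<q>\? )?(?P<sym>\w[\w.]*\+0x[0-9a-f]+/0x[0-9a-f]+)$")
CACHE = re.compile(r"cache (?P<cache>\S+) of size (?P<size>\d+)")
OFFSET = re.compile(r"located (?P<off>\d+) bytes inside of")
REGION = re.compile(r"region \[(?P<start>[0-9a-f]+), (?P<end>[0-9a-f]+)\)")

# Heuristic (an assumption of this example, not a kernel convention): frames of
# KASAN, the allocator, the socket core and lock debugging are skipped when
# looking for the subsystem function that used, allocated or freed the object.
GENERIC = ("save_stack", "kasan_", "__asan_", "dump_stack", "print_address",
           "__kmalloc", "kfree", "sk_prot_alloc", "sk_alloc", "__sk_destruct",
           "sk_destruct", "__sk_free", "sk_free", "__lock_acquire",
           "lock_acquire", "_raw_spin", "lock_sock")


def parse_kasan_report(text):
    """Turn a KASAN report (dmesg timestamps included) into a dict of its facts."""
    rep = {"call_trace": [], "alloc": {"pid": None, "stack": []},
           "free": {"pid": None, "stack": []}}
    section = None                                   # which stack we are inside
    for raw in text.splitlines():
        line = TS.sub("", raw).strip()
        if not line:                                 # a blank line ends a stack
            section = None
        elif m := HDR.search(line):
            rep["bug"], rep["site"] = m["bug"], m["site"]
        elif m := ACC.search(line):
            rep.update(access=m["kind"], size=int(m["size"]), comm=m["comm"],
                       addr=int(m["addr"], 16), pid=int(m["pid"]))
        elif line == "Call Trace:":
            section = "call_trace"
        elif m := OWNER.match(line):
            section = "alloc" if m["which"] == "Allocated" else "free"
            rep[section]["pid"] = int(m["pid"])
        elif m := CACHE.search(line):
            rep["cache"], rep["object_size"] = m["cache"], int(m["size"])
        elif m := OFFSET.search(line):
            rep["offset"] = int(m["off"])
        elif m := REGION.search(line):
            rep["start"], rep["end"] = int(m["start"], 16), int(m["end"], 16)
        elif section and (m := FRAME.match(line)):  # store (symbol, reliable?)
            dest = rep["call_trace"] if section == "call_trace" else rep[section]["stack"]
            dest.append((m["sym"], m["q"] is None))  # "? " frames are unreliable
    return rep


def culprit(frames):
    """First reliable frame outside GENERIC: the subsystem-level function."""
    return next((s for s, ok in frames if ok and not s.startswith(GENERIC)), None)


def triage(rep):
    """The facts a triager wants before reading the whole log."""
    return {"kind": f"{rep['bug']} {rep['access'].lower()} of {rep['size']} bytes",
            "use_site": culprit(rep["call_trace"]),
            "alloc_site": culprit(rep["alloc"]["stack"]),
            "free_site": culprit(rep["free"]["stack"]),
            "in_object": rep["start"] <= rep["addr"] < rep["end"],
            "offset_consistent": rep["addr"] - rep["start"] == rep["offset"],
            "use_in_freeing_task": rep["pid"] == rep["free"]["pid"],
            "alloc_by_other_task": rep["alloc"]["pid"] != rep["pid"]}
```

Running `triage(parse_kasan_report(REPORT))` on the excerpt yields use_site pppol2tp_release, free_site pppol2tp_session_sock_put and alloc_site pppol2tp_create, with the use happening in the task that freed the object and the allocation done by another task, which is the shape of the bug the log shows: one thread's close of the tunnel socket tears down the session socket that a sibling thread created and that the same thread's later close of the PPPoL2TP socket still dereferences. The "? " frames are kept but marked unreliable, since KASAN prints them from stack slots that may be stale.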