[ 33.589010] audit: type=1800 audit(1582842186.266:33): pid=7162 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:kernel_t:s0 op="collect_data" cause="failed(directio)" comm="startpar" name="rc.local" dev="sda1" ino=2465 res=0
[ 33.615814] audit: type=1800 audit(1582842186.266:34): pid=7162 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:kernel_t:s0 op="collect_data" cause="failed(directio)" comm="startpar" name="rmnologin" dev="sda1" ino=2456 res=0
Debian GNU/Linux 7 syzkaller ttyS0
syzkaller login:
[ 36.137314] random: sshd: uninitialized urandom read (32 bytes read)
[ 36.431669] audit: type=1400 audit(1582842189.116:35): avc: denied { map } for pid=7335 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
[ 36.480441] random: sshd: uninitialized urandom read (32 bytes read)
[ 37.177511] random: sshd: uninitialized urandom read (32 bytes read)
[ 37.360668] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.0.102' (ECDSA) to the list of known hosts.
[ 42.959731] random: sshd: uninitialized urandom read (32 bytes read)
[ 43.181807] audit: type=1400 audit(1582842195.866:36): avc: denied { map } for pid=7347 comm="syz-execprog" path="/root/syz-execprog" dev="sda1" ino=16482 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
2020/02/27 22:23:15 parsed 1 programs
[ 43.833467] random: cc1: uninitialized urandom read (8 bytes read)
[ 44.678751] audit: type=1400 audit(1582842197.356:37): avc: denied { map } for pid=7347 comm="syz-execprog" path="/sys/kernel/debug/kcov" dev="debugfs" ino=1123 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:debugfs_t:s0 tclass=file permissive=1
2020/02/27 22:23:17 executed programs: 0
[ 44.719789] audit: type=1400 audit(1582842197.396:38): avc: denied { map } for pid=7347 comm="syz-execprog" path="/root/syzkaller-shm650601901" dev="sda1" ino=16485 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:file_t:s0 tclass=file permissive=1
[ 45.071006] IPVS: ftp: loaded support on port[0] = 21
[ 45.867786] chnl_net:caif_netlink_parms(): no params data found
[ 45.912846] bridge0: port 1(bridge_slave_0) entered blocking state
[ 45.919343] bridge0: port 1(bridge_slave_0) entered disabled state
[ 45.926827] device bridge_slave_0 entered promiscuous mode
[ 45.933857] bridge0: port 2(bridge_slave_1) entered blocking state
[ 45.940544] bridge0: port 2(bridge_slave_1) entered disabled state
[ 45.947333] device bridge_slave_1 entered promiscuous mode
[ 45.962274] bond0: Enslaving bond_slave_0 as an active interface with an up link
[ 45.971602] bond0: Enslaving bond_slave_1 as an active interface with an up link
[ 45.987611] IPv6: ADDRCONF(NETDEV_UP): team_slave_0: link is not ready
[ 45.994763] team0: Port device team_slave_0 added
[ 46.000420] IPv6: ADDRCONF(NETDEV_UP): team_slave_1: link is not ready
[ 46.007456] team0: Port device team_slave_1 added
[ 46.021029] batman_adv: batadv0: Adding interface: batadv_slave_0
[ 46.027251] batman_adv: batadv0: The MTU of interface batadv_slave_0 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem.
[ 46.052572] batman_adv: batadv0: Not using interface batadv_slave_0 (retrying later): interface not active
[ 46.063368] batman_adv: batadv0: Adding interface: batadv_slave_1
[ 46.069591] batman_adv: batadv0: The MTU of interface batadv_slave_1 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem.
[ 46.094851] batman_adv: batadv0: Not using interface batadv_slave_1 (retrying later): interface not active
[ 46.105440] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_0: link is not ready
[ 46.112900] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_1: link is not ready
[ 46.192699] device hsr_slave_0 entered promiscuous mode
[ 46.250248] device hsr_slave_1 entered promiscuous mode
[ 46.290621] IPv6: ADDRCONF(NETDEV_UP): hsr_slave_0: link is not ready
[ 46.297631] IPv6: ADDRCONF(NETDEV_UP): hsr_slave_1: link is not ready
[ 46.346750] audit: type=1400 audit(1582842199.026:39): avc: denied { create } for pid=7364 comm="syz-executor.0" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_generic_socket permissive=1
[ 46.365222] bridge0: port 2(bridge_slave_1) entered blocking state
[ 46.371935] audit: type=1400 audit(1582842199.026:40): avc: denied { write } for pid=7364 comm="syz-executor.0" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_generic_socket permissive=1
[ 46.377048] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 46.401490] audit: type=1400 audit(1582842199.026:41): avc: denied { read } for pid=7364 comm="syz-executor.0" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_generic_socket permissive=1
[ 46.407613] bridge0: port 1(bridge_slave_0) entered blocking state
[ 46.437318] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 46.469344] IPv6: ADDRCONF(NETDEV_UP): bond0: link is not ready
[ 46.475991] 8021q: adding VLAN 0 to HW filter on device bond0
[ 46.484714] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
[ 46.493325] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 46.511635] bridge0: port 1(bridge_slave_0) entered disabled state
[ 46.518528] bridge0: port 2(bridge_slave_1) entered disabled state
[ 46.528160] IPv6: ADDRCONF(NETDEV_UP): team0: link is not ready
[ 46.534429] 8021q: adding VLAN 0 to HW filter on device team0
[ 46.542639] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[ 46.550815] bridge0: port 1(bridge_slave_0) entered blocking state
[ 46.557151] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 46.578009] hsr0: Slave A (hsr_slave_0) is not up; please bring it up to get a fully working HSR network
[ 46.587958] hsr0: Slave B (hsr_slave_1) is not up; please bring it up to get a fully working HSR network
[ 46.598624] IPv6: ADDRCONF(NETDEV_UP): hsr0: link is not ready
[ 46.605494] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[ 46.613343] bridge0: port 2(bridge_slave_1) entered blocking state
[ 46.619678] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 46.627093] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready
[ 46.634640] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready
[ 46.642160] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
[ 46.649635] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
[ 46.657115] IPv6: ADDRCONF(NETDEV_CHANGE): hsr0: link becomes ready
[ 46.663855] IPv6: ADDRCONF(NETDEV_CHANGE): team0: link becomes ready
[ 46.675926] IPv6: ADDRCONF(NETDEV_UP): vxcan0: link is not ready
[ 46.684314] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan0: link becomes ready
[ 46.691008] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan1: link becomes ready
[ 46.702203] 8021q: adding VLAN 0 to HW filter on device batadv0
[ 46.759256] IPv6: ADDRCONF(NETDEV_UP): veth0_virt_wifi: link is not ready
[ 46.768949] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_virt_wifi: link becomes ready
[ 46.802959] IPv6: ADDRCONF(NETDEV_UP): veth0_vlan: link is not ready
[ 46.809807] IPv6: ADDRCONF(NETDEV_UP): vlan0: link is not ready
[ 46.816954] IPv6: ADDRCONF(NETDEV_UP): vlan1: link is not ready
[ 46.826127] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_vlan: link becomes ready
[ 46.833741] IPv6: ADDRCONF(NETDEV_CHANGE): vlan0: link becomes ready
[ 46.840656] IPv6: ADDRCONF(NETDEV_CHANGE): vlan1: link becomes ready
[ 46.848877] device veth0_vlan entered promiscuous mode
[ 46.858315] device veth1_vlan entered promiscuous mode
[ 46.864456] IPv6: ADDRCONF(NETDEV_UP): macvlan0: link is not ready
[ 46.870908] IPv6: ADDRCONF(NETDEV_CHANGE): bond0: link becomes ready
[ 46.877910] IPv6: ADDRCONF(NETDEV_CHANGE): macvlan0: link becomes ready
[ 46.892267] IPv6: ADDRCONF(NETDEV_UP): veth0_macvtap: link is not ready
[ 46.902245] IPv6: ADDRCONF(NETDEV_UP): veth1_macvtap: link is not ready
[ 46.909042] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_macvtap: link becomes ready
[ 46.916896] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_macvtap: link becomes ready
[ 46.926638] device veth0_macvtap entered promiscuous mode
[ 46.932685] IPv6: ADDRCONF(NETDEV_UP): macvtap0: link is not ready
[ 46.940683] device veth1_macvtap entered promiscuous mode
[ 46.946680] IPv6: ADDRCONF(NETDEV_UP): macsec0: link is not ready
[ 46.955006] IPv6: ADDRCONF(NETDEV_UP): veth0_to_batadv: link is not ready
[ 46.964034] IPv6: ADDRCONF(NETDEV_UP): veth1_to_batadv: link is not ready
[ 46.973090] IPv6: ADDRCONF(NETDEV_UP): batadv_slave_0: link is not ready
[ 46.980374] batman_adv: batadv0: Interface activated: batadv_slave_0
[ 46.988546] IPv6: ADDRCONF(NETDEV_CHANGE): macvtap0: link becomes ready
[ 46.995869] IPv6: ADDRCONF(NETDEV_CHANGE): macsec0: link becomes ready
[ 47.003045] IPv6: ADDRCONF(NETDEV_CHANGE): batadv_slave_0: link becomes ready
[ 47.010873] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_batadv: link becomes ready
[ 47.020685] IPv6: ADDRCONF(NETDEV_UP): batadv_slave_1: link is not ready
[ 47.027522] batman_adv: batadv0: Interface activated: batadv_slave_1
[ 47.035136] IPv6: ADDRCONF(NETDEV_CHANGE): batadv_slave_1: link becomes ready
[ 47.042881] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_batadv: link becomes ready
[ 48.290760]
[ 48.292406] =========================
[ 48.296184] WARNING: held lock freed!
[ 48.299965] 4.14.171-syzkaller #0 Not tainted
[ 48.304437] -------------------------
[ 48.308219] syz-executor.0/7416 is freeing memory ffff8880a98f62c0-ffff8880a98f6abf, with a lock still held there!
[ 48.318679] (sk_lock-AF_PPPOX){+.+.}, at: [] pppol2tp_release+0x49/0x2f0
[ 48.327202] 2 locks held by syz-executor.0/7416:
[ 48.331937] #0: (&sb->s_type->i_mutex_key#11){+.+.}, at: [] __sock_release+0x86/0x2b0
[ 48.341635] #1: (sk_lock-AF_PPPOX){+.+.}, at: [] pppol2tp_release+0x49/0x2f0
[ 48.350546]
[ 48.350546] stack backtrace:
[ 48.355025] CPU: 1 PID: 7416 Comm: syz-executor.0 Not tainted 4.14.171-syzkaller #0
[ 48.362807] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 48.372147] Call Trace:
[ 48.374723] dump_stack+0x13e/0x194
[ 48.378341] debug_check_no_locks_freed.cold+0x9c/0xa8
[ 48.383616] kfree+0xae/0x260
[ 48.386705] __sk_destruct+0x4f6/0x640
[ 48.390577] sk_destruct+0x97/0xc0
[ 48.394104] __sk_free+0x4c/0x220
[ 48.397534] sk_free+0x2b/0x40
[ 48.400714] pppol2tp_release+0x26a/0x2f0
[ 48.404858] __sock_release+0xcd/0x2b0
[ 48.408725] ? __sock_release+0x2b0/0x2b0
[ 48.412907] sock_close+0x15/0x20
[ 48.416337] __fput+0x25f/0x790
[ 48.419598] task_work_run+0x113/0x190
[ 48.423473] exit_to_usermode_loop+0x1d6/0x220
[ 48.428041] do_syscall_64+0x4a3/0x640
[ 48.431916] entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 48.437088] RIP: 0033:0x45c479
[ 48.440258] RSP: 002b:00007f9351ec1c78 EFLAGS: 00000246 ORIG_RAX: 000000000000002a
[ 48.448034] RAX: 0000000000000000 RBX: 00007f9351ec26d4 RCX: 000000000045c479
[ 48.455285] RDX: 000000000000002e RSI: 0000000020000000 RDI: 0000000000000004
[ 48.462537] RBP: 000000000076bf20 R08: 0000000000000000 R09: 0000000000000000
[ 48.469787] R10: 0000000000000000 R11: 0000000000000246 R12: 00000000ffffffff
[ 48.477039] R13: 000000000000008d R14: 00000000004c2e4e R15: 000000000076bf2c
[ 48.485866] ==================================================================
[ 48.493231] BUG: KASAN: use-after-free in do_raw_spin_lock+0x1e4/0x230
[ 48.499879] Read of size 4 at addr ffff8880a98f634c by task syz-executor.0/7416
[ 48.507303]
[ 48.508917] CPU: 0 PID: 7416 Comm: syz-executor.0 Not tainted 4.14.171-syzkaller #0
[ 48.516698] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 48.526037] Call Trace:
[ 48.528616] dump_stack+0x13e/0x194
[ 48.532243] ? do_raw_spin_lock+0x1e4/0x230
[ 48.536551] print_address_description.cold+0x7c/0x1e2
[ 48.541819] ? do_raw_spin_lock+0x1e4/0x230
[ 48.546117] kasan_report.cold+0xa9/0x2ae
[ 48.550246] do_raw_spin_lock+0x1e4/0x230
[ 48.554381] release_sock+0x1b/0x1b0
[ 48.558072] pppol2tp_release+0x219/0x2f0
[ 48.562208] __sock_release+0xcd/0x2b0
[ 48.566082] ? __sock_release+0x2b0/0x2b0
[ 48.570206] sock_close+0x15/0x20
[ 48.573633] __fput+0x25f/0x790
[ 48.576905] task_work_run+0x113/0x190
[ 48.580823] exit_to_usermode_loop+0x1d6/0x220
[ 48.585381] do_syscall_64+0x4a3/0x640
[ 48.589257] entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 48.594439] RIP: 0033:0x45c479
[ 48.597640] RSP: 002b:00007f9351ec1c78 EFLAGS: 00000246 ORIG_RAX: 000000000000002a
[ 48.605384] RAX: 0000000000000000 RBX: 00007f9351ec26d4 RCX: 000000000045c479
[ 48.612633] RDX: 000000000000002e RSI: 0000000020000000 RDI: 0000000000000004
[ 48.619925] RBP: 000000000076bf20 R08: 0000000000000000 R09: 0000000000000000
[ 48.627285] R10: 0000000000000000 R11: 0000000000000246 R12: 00000000ffffffff
[ 48.634535] R13: 000000000000008d R14: 00000000004c2e4e R15: 000000000076bf2c
[ 48.641787]
[ 48.643397] Allocated by task 7416:
[ 48.647010] save_stack+0x32/0xa0
[ 48.650444] kasan_kmalloc+0xbf/0xe0
[ 48.654136] __kmalloc+0x15b/0x7c0
[ 48.657660] sk_prot_alloc+0x164/0x290
[ 48.661577] sk_alloc+0x36/0xd60
[ 48.664923] pppol2tp_create+0x2d/0x1e0
[ 48.668878] pppox_create+0xf2/0x210
[ 48.672581] __sock_create+0x2f2/0x620
[ 48.676451] SyS_socket+0xd2/0x170
[ 48.679965] do_syscall_64+0x1d5/0x640
[ 48.683835] entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 48.689006]
[ 48.690613] Freed by task 7416:
[ 48.693876] save_stack+0x32/0xa0
[ 48.697371] kasan_slab_free+0x75/0xc0
[ 48.701234] kfree+0xcb/0x260
[ 48.704329] __sk_destruct+0x4f6/0x640
[ 48.708200] sk_destruct+0x97/0xc0
[ 48.711717] __sk_free+0x4c/0x220
[ 48.715148] sk_free+0x2b/0x40
[ 48.718320] pppol2tp_release+0x26a/0x2f0
[ 48.722444] __sock_release+0xcd/0x2b0
[ 48.726323] sock_close+0x15/0x20
[ 48.729753] __fput+0x25f/0x790
[ 48.733008] task_work_run+0x113/0x190
[ 48.736877] exit_to_usermode_loop+0x1d6/0x220
[ 48.741451] do_syscall_64+0x4a3/0x640
[ 48.745322] entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 48.750486]
[ 48.752092] The buggy address belongs to the object at ffff8880a98f62c0
[ 48.752092] which belongs to the cache kmalloc-2048 of size 2048
[ 48.764937] The buggy address is located 140 bytes inside of
[ 48.764937] 2048-byte region [ffff8880a98f62c0, ffff8880a98f6ac0)
[ 48.776873] The buggy address belongs to the page:
[ 48.781781] page:ffffea0002a63d80 count:1 mapcount:0 mapping:ffff8880a98f62c0 index:0x0 compound_mapcount: 0
[ 48.791771] flags: 0xfffe0000008100(slab|head)
[ 48.796335] raw: 00fffe0000008100 ffff8880a98f62c0 0000000000000000 0000000100000003
[ 48.804242] raw: ffffea000295b320 ffffea0001fb34a0 ffff88812fe56c40 0000000000000000
[ 48.812103] page dumped because: kasan: bad access detected
[ 48.817791]
[ 48.819426] Memory state around the buggy address:
[ 48.824336] ffff8880a98f6200: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 48.831736] ffff8880a98f6280: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
[ 48.839085] >ffff8880a98f6300: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 48.846460] ^
[ 48.852149] ffff8880a98f6380: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 48.859553] ffff8880a98f6400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 48.866930] ==================================================================
[ 48.874327] Kernel panic - not syncing: panic_on_warn set ...
[ 48.874327]
[ 48.881684] CPU: 0 PID: 7416 Comm: syz-executor.0 Tainted: G B 4.14.171-syzkaller #0
[ 48.890678] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 48.900014] Call Trace:
[ 48.902639] dump_stack+0x13e/0x194
[ 48.906298] panic+0x1f9/0x42d
[ 48.909470] ? add_taint.cold+0x16/0x16
[ 48.913431] ? do_raw_spin_lock+0x1e4/0x230
[ 48.917779] kasan_end_report+0x43/0x49
[ 48.921735] kasan_report.cold+0x12f/0x2ae
[ 48.925956] do_raw_spin_lock+0x1e4/0x230
[ 48.930094] release_sock+0x1b/0x1b0
[ 48.933823] pppol2tp_release+0x219/0x2f0
[ 48.938002] __sock_release+0xcd/0x2b0
[ 48.941873] ? __sock_release+0x2b0/0x2b0
[ 48.945995] sock_close+0x15/0x20
[ 48.949442] __fput+0x25f/0x790
[ 48.952706] task_work_run+0x113/0x190
[ 48.956578] exit_to_usermode_loop+0x1d6/0x220
[ 48.961143] do_syscall_64+0x4a3/0x640
[ 48.965078] entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 48.970333] RIP: 0033:0x45c479
[ 48.973507] RSP: 002b:00007f9351ec1c78 EFLAGS: 00000246 ORIG_RAX: 000000000000002a
[ 48.981194] RAX: 0000000000000000 RBX: 00007f9351ec26d4 RCX: 000000000045c479
[ 48.988447] RDX: 000000000000002e RSI: 0000000020000000 RDI: 0000000000000004
[ 48.995698] RBP: 000000000076bf20 R08: 0000000000000000 R09: 0000000000000000
[ 49.002961] R10: 0000000000000000 R11: 0000000000000246 R12: 00000000ffffffff
[ 49.010217] R13: 000000000000008d R14: 00000000004c2e4e R15: 000000000076bf2c
[ 49.018103] Kernel Offset: disabled
[ 49.021724] Rebooting in 86400 seconds..