[ 38.259041] audit: type=1800 audit(1556082248.607:33): pid=7161 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:kernel_t:s0 op="collect_data" cause="failed(directio)" comm="startpar" name="rc.local" dev="sda1" ino=2465 res=0
Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [ 42.016250] random: sshd: uninitialized urandom read (32 bytes read)
[ 42.525886] kauditd_printk_skb: 1 callbacks suppressed
[ 42.525895] audit: type=1400 audit(1556082252.877:35): avc: denied { map } for pid=7336 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
[ 42.583060] random: sshd: uninitialized urandom read (32 bytes read)
[ 43.219043] random: sshd: uninitialized urandom read (32 bytes read)
[ 797.370470] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.10.15' (ECDSA) to the list of known hosts.
[ 802.931598] random: sshd: uninitialized urandom read (32 bytes read)
[ 803.121272] audit: type=1400 audit(1556083013.477:36): avc: denied { map } for pid=7348 comm="syz-execprog" path="/root/syz-execprog" dev="sda1" ino=16481 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
2019/04/24 05:16:54 parsed 1 programs
[ 803.943961] audit: type=1400 audit(1556083014.297:37): avc: denied { map } for pid=7348 comm="syz-execprog" path="/sys/kernel/debug/kcov" dev="debugfs" ino=13421 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:debugfs_t:s0 tclass=file permissive=1
[ 804.995405] random: cc1: uninitialized urandom read (8 bytes read)
2019/04/24 05:16:56 executed programs: 0
[ 807.000243] IPVS: ftp: loaded support on port[0] = 21
[ 807.324600] chnl_net:caif_netlink_parms(): no params data found
[ 807.356315] bridge0: port 1(bridge_slave_0) entered blocking state
[ 807.363110] bridge0: port 1(bridge_slave_0) entered disabled state
[ 807.370365] device bridge_slave_0 entered promiscuous mode
[ 807.377253] bridge0: port 2(bridge_slave_1) entered blocking state
[ 807.383961] bridge0: port 2(bridge_slave_1) entered disabled state
[ 807.391109] device bridge_slave_1 entered promiscuous mode
[ 807.405722] bond0: Enslaving bond_slave_0 as an active interface with an up link
[ 807.414775] bond0: Enslaving bond_slave_1 as an active interface with an up link
[ 807.430369] IPv6: ADDRCONF(NETDEV_UP): team_slave_0: link is not ready
[ 807.437842] team0: Port device team_slave_0 added
[ 807.443374] IPv6: ADDRCONF(NETDEV_UP): team_slave_1: link is not ready
[ 807.451273] team0: Port device team_slave_1 added
[ 807.456438] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_0: link is not ready
[ 807.463825] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_1: link is not ready
[ 807.512549] device hsr_slave_0 entered promiscuous mode
[ 807.550356] device hsr_slave_1 entered promiscuous mode
[ 807.590658] IPv6: ADDRCONF(NETDEV_UP): hsr_slave_0: link is not ready
[ 807.597593] IPv6: ADDRCONF(NETDEV_UP): hsr_slave_1: link is not ready
[ 807.611068] bridge0: port 2(bridge_slave_1) entered blocking state
[ 807.617502] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 807.624551] bridge0: port 1(bridge_slave_0) entered blocking state
[ 807.630929] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 807.660529] IPv6: ADDRCONF(NETDEV_UP): bond0: link is not ready
[ 807.666625] 8021q: adding VLAN 0 to HW filter on device bond0
[ 807.676031] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
[ 807.685574] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 807.703986] bridge0: port 1(bridge_slave_0) entered disabled state
[ 807.711517] bridge0: port 2(bridge_slave_1) entered disabled state
[ 807.721652] IPv6: ADDRCONF(NETDEV_UP): team0: link is not ready
[ 807.727738] 8021q: adding VLAN 0 to HW filter on device team0
[ 807.736343] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[ 807.744037] bridge0: port 1(bridge_slave_0) entered blocking state
[ 807.750446] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 807.771822] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[ 807.779425] bridge0: port 2(bridge_slave_1) entered blocking state
[ 807.785864] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 807.794319] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready
[ 807.802361] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready
[ 807.809878] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
[ 807.818208] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
[ 807.826341] IPv6: ADDRCONF(NETDEV_CHANGE): team0: link becomes ready
[ 807.834693] IPv6: ADDRCONF(NETDEV_UP): hsr0: link is not ready
[ 807.841479] IPv6: ADDRCONF(NETDEV_CHANGE): hsr0: link becomes ready
[ 807.853627] IPv6: ADDRCONF(NETDEV_UP): vxcan1: link is not ready
[ 807.864552] 8021q: adding VLAN 0 to HW filter on device batadv0
[ 808.320772] IPv6: ADDRCONF(NETDEV_CHANGE): bond0: link becomes ready
[ 809.441518] ==================================================================
[ 809.448975] BUG: KASAN: use-after-free in __lock_acquire+0x303c/0x45e0
[ 809.455623] Read of size 8 at addr ffff8880a9bca6e0 by task syz-executor.0/7387
[ 809.463054]
[ 809.464665] CPU: 0 PID: 7387 Comm: syz-executor.0 Not tainted 4.14.113 #3
[ 809.471617] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 809.480992] Call Trace:
[ 809.483606]  dump_stack+0x138/0x19c
[ 809.487227]  ? __lock_acquire+0x303c/0x45e0
[ 809.491531]  print_address_description.cold+0x7c/0x1dc
[ 809.496799]  ? __lock_acquire+0x303c/0x45e0
[ 809.501104]  kasan_report.cold+0xaf/0x2b5
[ 809.505371]  __asan_report_load8_noabort+0x14/0x20
[ 809.510328]  __lock_acquire+0x303c/0x45e0
[ 809.514456]  ? __dentry_kill+0x3ee/0x580
[ 809.518505]  ? dput.part.0+0x5a4/0x750
[ 809.522395]  ? dput+0x20/0x30
[ 809.525482]  ? __fput+0x461/0x7a0
[ 809.528916]  ? ____fput+0x16/0x20
[ 809.532353]  ? __lock_acquire+0x5f9/0x45e0
[ 809.536567]  ? trace_hardirqs_on+0x10/0x10
[ 809.540781]  ? lock_downgrade+0x6e0/0x6e0
[ 809.544908]  ? trace_hardirqs_on+0x10/0x10
[ 809.549127]  ? save_trace+0x290/0x290
[ 809.552913]  ? trace_hardirqs_on+0x10/0x10
[ 809.557128]  ? __lock_is_held+0xb6/0x140
[ 809.561182]  lock_acquire+0x16f/0x430
[ 809.565026]  ? lock_sock_nested+0x3f/0x110
[ 809.569281]  _raw_spin_lock_bh+0x33/0x50
[ 809.573325]  ? lock_sock_nested+0x3f/0x110
[ 809.577565]  lock_sock_nested+0x3f/0x110
[ 809.581660]  pppol2tp_release+0x4e/0x300
[ 809.585771]  __sock_release+0xd3/0x2c0
[ 809.589659]  ? __sock_release+0x2c0/0x2c0
[ 809.593785]  sock_close+0x1b/0x30
[ 809.597218]  __fput+0x277/0x7a0
[ 809.600561]  ____fput+0x16/0x20
[ 809.603827]  task_work_run+0x119/0x190
[ 809.607713]  exit_to_usermode_loop+0x1da/0x220
[ 809.612276]  do_syscall_64+0x4a9/0x630
[ 809.616140]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 809.620966]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 809.626138] RIP: 0033:0x4129e1
[ 809.629322] RSP: 002b:00007fffaae57300 EFLAGS: 00000293 ORIG_RAX: 0000000000000003
[ 809.637010] RAX: 0000000000000000 RBX: 0000000000000006 RCX: 00000000004129e1
[ 809.644257] RDX: 0000000000000000 RSI: 0000000000000081 RDI: 0000000000000005
[ 809.651504] RBP: 0000000000740490 R08: 0000000000740488 R09: 00000000000c5949
[ 809.658751] R10: 00007fffaae573c0 R11: 0000000000000293 R12: 0000000000000000
[ 809.666001] R13: 0000000000000000 R14: 0000000000000003 R15: 000000000073bf0c
[ 809.673253]
[ 809.674863] Allocated by task 7390:
[ 809.678476]  save_stack_trace+0x16/0x20
[ 809.682447]  save_stack+0x45/0xd0
[ 809.685883]  kasan_kmalloc+0xce/0xf0
[ 809.689591]  __kmalloc+0x15d/0x7a0
[ 809.693106]  sk_prot_alloc+0x171/0x2a0
[ 809.696972]  sk_alloc+0x39/0xd70
[ 809.700314]  pppol2tp_create+0x32/0x1f0
[ 809.704317]  pppox_create+0xfc/0x210
[ 809.708014]  __sock_create+0x2fb/0x620
[ 809.711879]  SyS_socket+0xd3/0x170
[ 809.715397]  do_syscall_64+0x1eb/0x630
[ 809.719349]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 809.724521]
[ 809.726122] Freed by task 7387:
[ 809.729397]  save_stack_trace+0x16/0x20
[ 809.733369]  save_stack+0x45/0xd0
[ 809.736819]  kasan_slab_free+0x75/0xc0
[ 809.740683]  kfree+0xcc/0x270
[ 809.743777]  __sk_destruct+0x495/0x5d0
[ 809.747650]  sk_destruct+0x67/0x80
[ 809.751168]  __sk_free+0x54/0x230
[ 809.754613]  sk_free+0x35/0x40
[ 809.757974]  pppol2tp_session_sock_put+0x66/0x80
[ 809.762711]  l2tp_tunnel_closeall+0x288/0x390
[ 809.767374]  l2tp_udp_encap_destroy+0x99/0x100
[ 809.771980]  udpv6_destroy_sock+0xb6/0xd0
[ 809.776112]  sk_common_release+0x6d/0x320
[ 809.780248]  udp_lib_close+0x16/0x20
[ 809.784034]  inet_release+0xf2/0x1c0
[ 809.787765]  inet6_release+0x53/0x80
[ 809.791466]  __sock_release+0xd3/0x2c0
[ 809.795332]  sock_close+0x1b/0x30
[ 809.798765]  __fput+0x277/0x7a0
[ 809.802019]  ____fput+0x16/0x20
[ 809.805360]  task_work_run+0x119/0x190
[ 809.809243]  exit_to_usermode_loop+0x1da/0x220
[ 809.813819]  do_syscall_64+0x4a9/0x630
[ 809.817705]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 809.822873]
[ 809.824479] The buggy address belongs to the object at ffff8880a9bca640
[ 809.824479]  which belongs to the cache kmalloc-2048 of size 2048
[ 809.837309] The buggy address is located 160 bytes inside of
[ 809.837309]  2048-byte region [ffff8880a9bca640, ffff8880a9bcae40)
[ 809.849246] The buggy address belongs to the page:
[ 809.854154] page:ffffea0002a6f280 count:1 mapcount:0 mapping:ffff8880a9bca640 index:0x0 compound_mapcount: 0
[ 809.864119] flags: 0x1fffc0000008100(slab|head)
[ 809.868767] raw: 01fffc0000008100 ffff8880a9bca640 0000000000000000 0000000100000003
[ 809.876633] raw: ffffea0002a4f120 ffffea00022a6fa0 ffff8880aa800c40 0000000000000000
[ 809.884501] page dumped because: kasan: bad access detected
[ 809.890182]
[ 809.891788] Memory state around the buggy address:
[ 809.896693]  ffff8880a9bca580: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 809.904029]  ffff8880a9bca600: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
[ 809.911385] >ffff8880a9bca680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 809.919505]                                                        ^
[ 809.925973]  ffff8880a9bca700: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 809.933306]  ffff8880a9bca780: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 809.940637] ==================================================================
[ 809.947971] Disabling lock debugging due to kernel taint
[ 809.953396] Kernel panic - not syncing: panic_on_warn set ...
[ 809.953396]
[ 809.960751] CPU: 0 PID: 7387 Comm: syz-executor.0 Tainted: G B 4.14.113 #3
[ 809.968885] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 809.978235] Call Trace:
[ 809.980808]  dump_stack+0x138/0x19c
[ 809.984417]  ? __lock_acquire+0x303c/0x45e0
[ 809.988715]  panic+0x1f2/0x438
[ 809.991881]  ? add_taint.cold+0x16/0x16
[ 809.995833]  ? lock_downgrade+0x6e0/0x6e0
[ 809.999981]  kasan_end_report+0x47/0x4f
[ 810.003932]  kasan_report.cold+0x136/0x2b5
[ 810.008143]  __asan_report_load8_noabort+0x14/0x20
[ 810.013048]  __lock_acquire+0x303c/0x45e0
[ 810.017172]  ? __dentry_kill+0x3ee/0x580
[ 810.021216]  ? dput.part.0+0x5a4/0x750
[ 810.025077]  ? dput+0x20/0x30
[ 810.028161]  ? __fput+0x461/0x7a0
[ 810.031591]  ? ____fput+0x16/0x20
[ 810.035026]  ? __lock_acquire+0x5f9/0x45e0
[ 810.039258]  ? trace_hardirqs_on+0x10/0x10
[ 810.043472]  ? lock_downgrade+0x6e0/0x6e0
[ 810.047606]  ? trace_hardirqs_on+0x10/0x10
[ 810.051820]  ? save_trace+0x290/0x290
[ 810.055612]  ? trace_hardirqs_on+0x10/0x10
[ 810.059825]  ? __lock_is_held+0xb6/0x140
[ 810.063886]  lock_acquire+0x16f/0x430
[ 810.067672]  ? lock_sock_nested+0x3f/0x110
[ 810.071891]  _raw_spin_lock_bh+0x33/0x50
[ 810.075941]  ? lock_sock_nested+0x3f/0x110
[ 810.080152]  lock_sock_nested+0x3f/0x110
[ 810.084194]  pppol2tp_release+0x4e/0x300
[ 810.088241]  __sock_release+0xd3/0x2c0
[ 810.092113]  ? __sock_release+0x2c0/0x2c0
[ 810.096236]  sock_close+0x1b/0x30
[ 810.099668]  __fput+0x277/0x7a0
[ 810.102929]  ____fput+0x16/0x20
[ 810.106192]  task_work_run+0x119/0x190
[ 810.110067]  exit_to_usermode_loop+0x1da/0x220
[ 810.114628]  do_syscall_64+0x4a9/0x630
[ 810.118490]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 810.123315]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 810.128511] RIP: 0033:0x4129e1
[ 810.131681] RSP: 002b:00007fffaae57300 EFLAGS: 00000293 ORIG_RAX: 0000000000000003
[ 810.139368] RAX: 0000000000000000 RBX: 0000000000000006 RCX: 00000000004129e1
[ 810.146614] RDX: 0000000000000000 RSI: 0000000000000081 RDI: 0000000000000005
[ 810.153868] RBP: 0000000000740490 R08: 0000000000740488 R09: 00000000000c5949
[ 810.161114] R10: 00007fffaae573c0 R11: 0000000000000293 R12: 0000000000000000
[ 810.168358] R13: 0000000000000000 R14: 0000000000000003 R15: 000000000073bf0c
[ 810.176425] Kernel Offset: disabled
[ 810.180060] Rebooting in 86400 seconds..