[   38.259041] audit: type=1800 audit(1556082248.607:33): pid=7161 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:kernel_t:s0 op="collect_data" cause="failed(directio)" comm="startpar" name="rc.local" dev="sda1" ino=2465 res=0

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [   42.016250] random: sshd: uninitialized urandom read (32 bytes read)
[   42.525886] kauditd_printk_skb: 1 callbacks suppressed
[   42.525895] audit: type=1400 audit(1556082252.877:35): avc:  denied  { map } for  pid=7336 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
[   42.583060] random: sshd: uninitialized urandom read (32 bytes read)
[   43.219043] random: sshd: uninitialized urandom read (32 bytes read)
[  797.370470] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.10.15' (ECDSA) to the list of known hosts.
[  802.931598] random: sshd: uninitialized urandom read (32 bytes read)
[  803.121272] audit: type=1400 audit(1556083013.477:36): avc:  denied  { map } for  pid=7348 comm="syz-execprog" path="/root/syz-execprog" dev="sda1" ino=16481 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
2019/04/24 05:16:54 parsed 1 programs
[  803.943961] audit: type=1400 audit(1556083014.297:37): avc:  denied  { map } for  pid=7348 comm="syz-execprog" path="/sys/kernel/debug/kcov" dev="debugfs" ino=13421 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:debugfs_t:s0 tclass=file permissive=1
[  804.995405] random: cc1: uninitialized urandom read (8 bytes read)
2019/04/24 05:16:56 executed programs: 0
[  807.000243] IPVS: ftp: loaded support on port[0] = 21
[  807.324600] chnl_net:caif_netlink_parms(): no params data found
[  807.356315] bridge0: port 1(bridge_slave_0) entered blocking state
[  807.363110] bridge0: port 1(bridge_slave_0) entered disabled state
[  807.370365] device bridge_slave_0 entered promiscuous mode
[  807.377253] bridge0: port 2(bridge_slave_1) entered blocking state
[  807.383961] bridge0: port 2(bridge_slave_1) entered disabled state
[  807.391109] device bridge_slave_1 entered promiscuous mode
[  807.405722] bond0: Enslaving bond_slave_0 as an active interface with an up link
[  807.414775] bond0: Enslaving bond_slave_1 as an active interface with an up link
[  807.430369] IPv6: ADDRCONF(NETDEV_UP): team_slave_0: link is not ready
[  807.437842] team0: Port device team_slave_0 added
[  807.443374] IPv6: ADDRCONF(NETDEV_UP): team_slave_1: link is not ready
[  807.451273] team0: Port device team_slave_1 added
[  807.456438] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_0: link is not ready
[  807.463825] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_1: link is not ready
[  807.512549] device hsr_slave_0 entered promiscuous mode
[  807.550356] device hsr_slave_1 entered promiscuous mode
[  807.590658] IPv6: ADDRCONF(NETDEV_UP): hsr_slave_0: link is not ready
[  807.597593] IPv6: ADDRCONF(NETDEV_UP): hsr_slave_1: link is not ready
[  807.611068] bridge0: port 2(bridge_slave_1) entered blocking state
[  807.617502] bridge0: port 2(bridge_slave_1) entered forwarding state
[  807.624551] bridge0: port 1(bridge_slave_0) entered blocking state
[  807.630929] bridge0: port 1(bridge_slave_0) entered forwarding state
[  807.660529] IPv6: ADDRCONF(NETDEV_UP): bond0: link is not ready
[  807.666625] 8021q: adding VLAN 0 to HW filter on device bond0
[  807.676031] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
[  807.685574] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[  807.703986] bridge0: port 1(bridge_slave_0) entered disabled state
[  807.711517] bridge0: port 2(bridge_slave_1) entered disabled state
[  807.721652] IPv6: ADDRCONF(NETDEV_UP): team0: link is not ready
[  807.727738] 8021q: adding VLAN 0 to HW filter on device team0
[  807.736343] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[  807.744037] bridge0: port 1(bridge_slave_0) entered blocking state
[  807.750446] bridge0: port 1(bridge_slave_0) entered forwarding state
[  807.771822] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[  807.779425] bridge0: port 2(bridge_slave_1) entered blocking state
[  807.785864] bridge0: port 2(bridge_slave_1) entered forwarding state
[  807.794319] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready
[  807.802361] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready
[  807.809878] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
[  807.818208] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
[  807.826341] IPv6: ADDRCONF(NETDEV_CHANGE): team0: link becomes ready
[  807.834693] IPv6: ADDRCONF(NETDEV_UP): hsr0: link is not ready
[  807.841479] IPv6: ADDRCONF(NETDEV_CHANGE): hsr0: link becomes ready
[  807.853627] IPv6: ADDRCONF(NETDEV_UP): vxcan1: link is not ready
[  807.864552] 8021q: adding VLAN 0 to HW filter on device batadv0
[  808.320772] IPv6: ADDRCONF(NETDEV_CHANGE): bond0: link becomes ready
[  809.441518] ==================================================================
[  809.448975] BUG: KASAN: use-after-free in __lock_acquire+0x303c/0x45e0
[  809.455623] Read of size 8 at addr ffff8880a9bca6e0 by task syz-executor.0/7387
[  809.463054] 
[  809.464665] CPU: 0 PID: 7387 Comm: syz-executor.0 Not tainted 4.14.113 #3
[  809.471617] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[  809.480992] Call Trace:
[  809.483606]  dump_stack+0x138/0x19c
[  809.487227]  ? __lock_acquire+0x303c/0x45e0
[  809.491531]  print_address_description.cold+0x7c/0x1dc
[  809.496799]  ? __lock_acquire+0x303c/0x45e0
[  809.501104]  kasan_report.cold+0xaf/0x2b5
[  809.505371]  __asan_report_load8_noabort+0x14/0x20
[  809.510328]  __lock_acquire+0x303c/0x45e0
[  809.514456]  ? __dentry_kill+0x3ee/0x580
[  809.518505]  ? dput.part.0+0x5a4/0x750
[  809.522395]  ? dput+0x20/0x30
[  809.525482]  ? __fput+0x461/0x7a0
[  809.528916]  ? ____fput+0x16/0x20
[  809.532353]  ? __lock_acquire+0x5f9/0x45e0
[  809.536567]  ? trace_hardirqs_on+0x10/0x10
[  809.540781]  ? lock_downgrade+0x6e0/0x6e0
[  809.544908]  ? trace_hardirqs_on+0x10/0x10
[  809.549127]  ? save_trace+0x290/0x290
[  809.552913]  ? trace_hardirqs_on+0x10/0x10
[  809.557128]  ? __lock_is_held+0xb6/0x140
[  809.561182]  lock_acquire+0x16f/0x430
[  809.565026]  ? lock_sock_nested+0x3f/0x110
[  809.569281]  _raw_spin_lock_bh+0x33/0x50
[  809.573325]  ? lock_sock_nested+0x3f/0x110
[  809.577565]  lock_sock_nested+0x3f/0x110
[  809.581660]  pppol2tp_release+0x4e/0x300
[  809.585771]  __sock_release+0xd3/0x2c0
[  809.589659]  ? __sock_release+0x2c0/0x2c0
[  809.593785]  sock_close+0x1b/0x30
[  809.597218]  __fput+0x277/0x7a0
[  809.600561]  ____fput+0x16/0x20
[  809.603827]  task_work_run+0x119/0x190
[  809.607713]  exit_to_usermode_loop+0x1da/0x220
[  809.612276]  do_syscall_64+0x4a9/0x630
[  809.616140]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[  809.620966]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[  809.626138] RIP: 0033:0x4129e1
[  809.629322] RSP: 002b:00007fffaae57300 EFLAGS: 00000293 ORIG_RAX: 0000000000000003
[  809.637010] RAX: 0000000000000000 RBX: 0000000000000006 RCX: 00000000004129e1
[  809.644257] RDX: 0000000000000000 RSI: 0000000000000081 RDI: 0000000000000005
[  809.651504] RBP: 0000000000740490 R08: 0000000000740488 R09: 00000000000c5949
[  809.658751] R10: 00007fffaae573c0 R11: 0000000000000293 R12: 0000000000000000
[  809.666001] R13: 0000000000000000 R14: 0000000000000003 R15: 000000000073bf0c
[  809.673253] 
[  809.674863] Allocated by task 7390:
[  809.678476]  save_stack_trace+0x16/0x20
[  809.682447]  save_stack+0x45/0xd0
[  809.685883]  kasan_kmalloc+0xce/0xf0
[  809.689591]  __kmalloc+0x15d/0x7a0
[  809.693106]  sk_prot_alloc+0x171/0x2a0
[  809.696972]  sk_alloc+0x39/0xd70
[  809.700314]  pppol2tp_create+0x32/0x1f0
[  809.704317]  pppox_create+0xfc/0x210
[  809.708014]  __sock_create+0x2fb/0x620
[  809.711879]  SyS_socket+0xd3/0x170
[  809.715397]  do_syscall_64+0x1eb/0x630
[  809.719349]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[  809.724521] 
[  809.726122] Freed by task 7387:
[  809.729397]  save_stack_trace+0x16/0x20
[  809.733369]  save_stack+0x45/0xd0
[  809.736819]  kasan_slab_free+0x75/0xc0
[  809.740683]  kfree+0xcc/0x270
[  809.743777]  __sk_destruct+0x495/0x5d0
[  809.747650]  sk_destruct+0x67/0x80
[  809.751168]  __sk_free+0x54/0x230
[  809.754613]  sk_free+0x35/0x40
[  809.757974]  pppol2tp_session_sock_put+0x66/0x80
[  809.762711]  l2tp_tunnel_closeall+0x288/0x390
[  809.767374]  l2tp_udp_encap_destroy+0x99/0x100
[  809.771980]  udpv6_destroy_sock+0xb6/0xd0
[  809.776112]  sk_common_release+0x6d/0x320
[  809.780248]  udp_lib_close+0x16/0x20
[  809.784034]  inet_release+0xf2/0x1c0
[  809.787765]  inet6_release+0x53/0x80
[  809.791466]  __sock_release+0xd3/0x2c0
[  809.795332]  sock_close+0x1b/0x30
[  809.798765]  __fput+0x277/0x7a0
[  809.802019]  ____fput+0x16/0x20
[  809.805360]  task_work_run+0x119/0x190
[  809.809243]  exit_to_usermode_loop+0x1da/0x220
[  809.813819]  do_syscall_64+0x4a9/0x630
[  809.817705]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[  809.822873] 
[  809.824479] The buggy address belongs to the object at ffff8880a9bca640
[  809.824479]  which belongs to the cache kmalloc-2048 of size 2048
[  809.837309] The buggy address is located 160 bytes inside of
[  809.837309]  2048-byte region [ffff8880a9bca640, ffff8880a9bcae40)
[  809.849246] The buggy address belongs to the page:
[  809.854154] page:ffffea0002a6f280 count:1 mapcount:0 mapping:ffff8880a9bca640 index:0x0 compound_mapcount: 0
[  809.864119] flags: 0x1fffc0000008100(slab|head)
[  809.868767] raw: 01fffc0000008100 ffff8880a9bca640 0000000000000000 0000000100000003
[  809.876633] raw: ffffea0002a4f120 ffffea00022a6fa0 ffff8880aa800c40 0000000000000000
[  809.884501] page dumped because: kasan: bad access detected
[  809.890182] 
[  809.891788] Memory state around the buggy address:
[  809.896693]  ffff8880a9bca580: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[  809.904029]  ffff8880a9bca600: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
[  809.911385] >ffff8880a9bca680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[  809.919505]                                                        ^
[  809.925973]  ffff8880a9bca700: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[  809.933306]  ffff8880a9bca780: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[  809.940637] ==================================================================
[  809.947971] Disabling lock debugging due to kernel taint
[  809.953396] Kernel panic - not syncing: panic_on_warn set ...
[  809.953396] 
[  809.960751] CPU: 0 PID: 7387 Comm: syz-executor.0 Tainted: G    B           4.14.113 #3
[  809.968885] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[  809.978235] Call Trace:
[  809.980808]  dump_stack+0x138/0x19c
[  809.984417]  ? __lock_acquire+0x303c/0x45e0
[  809.988715]  panic+0x1f2/0x438
[  809.991881]  ? add_taint.cold+0x16/0x16
[  809.995833]  ? lock_downgrade+0x6e0/0x6e0
[  809.999981]  kasan_end_report+0x47/0x4f
[  810.003932]  kasan_report.cold+0x136/0x2b5
[  810.008143]  __asan_report_load8_noabort+0x14/0x20
[  810.013048]  __lock_acquire+0x303c/0x45e0
[  810.017172]  ? __dentry_kill+0x3ee/0x580
[  810.021216]  ? dput.part.0+0x5a4/0x750
[  810.025077]  ? dput+0x20/0x30
[  810.028161]  ? __fput+0x461/0x7a0
[  810.031591]  ? ____fput+0x16/0x20
[  810.035026]  ? __lock_acquire+0x5f9/0x45e0
[  810.039258]  ? trace_hardirqs_on+0x10/0x10
[  810.043472]  ? lock_downgrade+0x6e0/0x6e0
[  810.047606]  ? trace_hardirqs_on+0x10/0x10
[  810.051820]  ? save_trace+0x290/0x290
[  810.055612]  ? trace_hardirqs_on+0x10/0x10
[  810.059825]  ? __lock_is_held+0xb6/0x140
[  810.063886]  lock_acquire+0x16f/0x430
[  810.067672]  ? lock_sock_nested+0x3f/0x110
[  810.071891]  _raw_spin_lock_bh+0x33/0x50
[  810.075941]  ? lock_sock_nested+0x3f/0x110
[  810.080152]  lock_sock_nested+0x3f/0x110
[  810.084194]  pppol2tp_release+0x4e/0x300
[  810.088241]  __sock_release+0xd3/0x2c0
[  810.092113]  ? __sock_release+0x2c0/0x2c0
[  810.096236]  sock_close+0x1b/0x30
[  810.099668]  __fput+0x277/0x7a0
[  810.102929]  ____fput+0x16/0x20
[  810.106192]  task_work_run+0x119/0x190
[  810.110067]  exit_to_usermode_loop+0x1da/0x220
[  810.114628]  do_syscall_64+0x4a9/0x630
[  810.118490]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[  810.123315]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[  810.128511] RIP: 0033:0x4129e1
[  810.131681] RSP: 002b:00007fffaae57300 EFLAGS: 00000293 ORIG_RAX: 0000000000000003
[  810.139368] RAX: 0000000000000000 RBX: 0000000000000006 RCX: 00000000004129e1
[  810.146614] RDX: 0000000000000000 RSI: 0000000000000081 RDI: 0000000000000005
[  810.153868] RBP: 0000000000740490 R08: 0000000000740488 R09: 00000000000c5949
[  810.161114] R10: 00007fffaae573c0 R11: 0000000000000293 R12: 0000000000000000
[  810.168358] R13: 0000000000000000 R14: 0000000000000003 R15: 000000000073bf0c
[  810.176425] Kernel Offset: disabled
[  810.180060] Rebooting in 86400 seconds..