[ 33.028010] audit: type=1800 audit(1554988022.451:33): pid=6893 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:kernel_t:s0 op="collect_data" cause="failed(directio)" comm="startpar" name="rc.local" dev="sda1" ino=2465 res=0
[ 33.051110] audit: type=1800 audit(1554988022.461:34): pid=6893 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:kernel_t:s0 op="collect_data" cause="failed(directio)" comm="startpar" name="rmnologin" dev="sda1" ino=2456 res=0

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [ 59.148971] random: sshd: uninitialized urandom read (32 bytes read)
[ 59.659446] audit: type=1400 audit(1554988049.081:35): avc: denied { map } for pid=7065 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
[ 59.717791] random: sshd: uninitialized urandom read (32 bytes read)
[ 60.298030] random: sshd: uninitialized urandom read (32 bytes read)
[ 60.492187] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.0.247' (ECDSA) to the list of known hosts.
[ 66.119606] random: sshd: uninitialized urandom read (32 bytes read)
[ 66.244305] audit: type=1400 audit(1554988055.671:36): avc: denied { map } for pid=7077 comm="syz-executor201" path="/root/syz-executor201162866" dev="sda1" ino=16482 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
[ 67.000229] IPVS: ftp: loaded support on port[0] = 21
[ 67.292492] chnl_net:caif_netlink_parms(): no params data found
[ 67.321227] bridge0: port 1(bridge_slave_0) entered blocking state
[ 67.327880] bridge0: port 1(bridge_slave_0) entered disabled state
[ 67.335161] device bridge_slave_0 entered promiscuous mode
[ 67.342367] bridge0: port 2(bridge_slave_1) entered blocking state
[ 67.348806] bridge0: port 2(bridge_slave_1) entered disabled state
[ 67.355926] device bridge_slave_1 entered promiscuous mode
[ 67.369826] bond0: Enslaving bond_slave_0 as an active interface with an up link
[ 67.379099] bond0: Enslaving bond_slave_1 as an active interface with an up link
[ 67.395513] IPv6: ADDRCONF(NETDEV_UP): team_slave_0: link is not ready
[ 67.403015] team0: Port device team_slave_0 added
[ 67.408454] IPv6: ADDRCONF(NETDEV_UP): team_slave_1: link is not ready
[ 67.415744] team0: Port device team_slave_1 added
[ 67.421206] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_0: link is not ready
[ 67.428419] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_1: link is not ready
[ 67.482251] device hsr_slave_0 entered promiscuous mode
[ 67.521103] device hsr_slave_1 entered promiscuous mode
[ 67.560713] IPv6: ADDRCONF(NETDEV_UP): hsr_slave_0: link is not ready
[ 67.567708] IPv6: ADDRCONF(NETDEV_UP): hsr_slave_1: link is not ready
[ 67.581444] bridge0: port 2(bridge_slave_1) entered blocking state
[ 67.588001] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 67.594938] bridge0: port 1(bridge_slave_0) entered blocking state
[ 67.601332] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 67.628511] IPv6: ADDRCONF(NETDEV_UP): bond0: link is not ready
[ 67.635374] 8021q: adding VLAN 0 to HW filter on device bond0
[ 67.643551] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
[ 67.652818] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 67.671464] bridge0: port 1(bridge_slave_0) entered disabled state
[ 67.678509] bridge0: port 2(bridge_slave_1) entered disabled state
[ 67.688092] IPv6: ADDRCONF(NETDEV_UP): team0: link is not ready
[ 67.694581] 8021q: adding VLAN 0 to HW filter on device team0
[ 67.703264] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[ 67.710888] bridge0: port 1(bridge_slave_0) entered blocking state
[ 67.717272] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 67.726107] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[ 67.734055] bridge0: port 2(bridge_slave_1) entered blocking state
[ 67.740505] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 67.754449] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready
[ 67.762153] IPv6: ADDRCONF(NETDEV_CHANGE): team0: link becomes ready
[ 67.773026] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready
[ 67.785374] hsr0: Slave A (hsr_slave_0) is not up; please bring it up to get a fully working HSR network
[ 67.795424] hsr0: Slave B (hsr_slave_1) is not up; please bring it up to get a fully working HSR network
[ 67.806092] IPv6: ADDRCONF(NETDEV_UP): hsr0: link is not ready
[ 67.812899] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
[ 67.820871] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
executing program
[ 67.828461] IPv6: ADDRCONF(NETDEV_CHANGE): hsr0: link becomes ready
[ 67.839680] IPv6: ADDRCONF(NETDEV_UP): vxcan1: link is not ready
[ 67.849453] 8021q: adding VLAN 0 to HW filter on device batadv0
[ 67.890725] ==================================================================
[ 67.898434] BUG: KASAN: use-after-free in erspan_build_header+0x392/0x3b0
[ 67.905463] Read of size 2 at addr ffff8880a4fb568b by task syz-executor201/7088
[ 67.912981]
[ 67.914613] CPU: 1 PID: 7088 Comm: syz-executor201 Not tainted 4.14.111 #1
[ 67.921727] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 67.931075] Call Trace:
[ 67.933660]  dump_stack+0x138/0x19c
[ 67.937283]  ? erspan_build_header+0x392/0x3b0
[ 67.941860]  print_address_description.cold+0x7c/0x1dc
[ 67.947133]  ? erspan_build_header+0x392/0x3b0
[ 67.951713]  kasan_report.cold+0xaf/0x2b5
[ 67.955856]  __asan_report_load_n_noabort+0xf/0x20
[ 67.960805]  erspan_build_header+0x392/0x3b0
[ 67.965311]  ? iptunnel_handle_offloads+0x2f3/0x500
[ 67.970435]  erspan_xmit+0x3ec/0x11c0
[ 67.974235]  ? __gre_xmit+0x890/0x890
[ 67.978026]  ? lock_acquire+0x16f/0x430
[ 67.982254]  ? packet_direct_xmit+0x345/0x640
[ 67.986748]  packet_direct_xmit+0x438/0x640
[ 67.991070]  packet_sendmsg+0x31e1/0x5990
[ 67.995222]  ? trace_hardirqs_on+0x10/0x10
[ 67.999455]  ? packet_notifier+0x770/0x770
[ 68.003879]  ? release_sock+0x14c/0x1c0
[ 68.007914]  ? security_socket_sendmsg+0x8f/0xc0
[ 68.012793]  ? packet_notifier+0x770/0x770
[ 68.017062]  sock_sendmsg+0xd0/0x110
[ 68.020789]  SYSC_sendto+0x206/0x310
[ 68.024495]  ? SYSC_connect+0x2d0/0x2d0
[ 68.028469]  ? move_addr_to_kernel.part.0+0x100/0x100
[ 68.033649]  ? selinux_socket_setsockopt+0x65/0x80
[ 68.038899]  ? SyS_setsockopt+0x160/0x210
[ 68.043053]  ? SyS_recv+0x40/0x40
[ 68.046558]  SyS_sendto+0x40/0x50
[ 68.050021]  ? SyS_getpeername+0x30/0x30
[ 68.054198]  do_syscall_64+0x1eb/0x630
[ 68.058072]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 68.062920]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 68.068190] RIP: 0033:0x442249
[ 68.071370] RSP: 002b:00007ffc99a67dc8 EFLAGS: 00000246 ORIG_RAX: 000000000000002c
[ 68.079075] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000000442249
[ 68.086376] RDX: 000000000000000e RSI: 0000000020000180 RDI: 0000000000000003
[ 68.093785] RBP: 00000000004a9450 R08: 0000000000000000 R09: 0000000000000000
[ 68.101061] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000403150
[ 68.108372] R13: 00000000004031e0 R14: 0000000000000000 R15: 0000000000000000
[ 68.115693]
[ 68.117312] The buggy address belongs to the page:
[ 68.122237] page:ffffea000293ed40 count:0 mapcount:0 mapping: (null) index:0x0
[ 68.130411] flags: 0x1fffc0000000000()
[ 68.134300] raw: 01fffc0000000000 0000000000000000 0000000000000000 00000000ffffffff
[ 68.142183] raw: 0000000000000000 0000000100000001 0000000000000000 0000000000000000
[ 68.150058] page dumped because: kasan: bad access detected
[ 68.155808]
[ 68.157427] Memory state around the buggy address:
[ 68.162502]  ffff8880a4fb5580: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 68.169909]  ffff8880a4fb5600: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 68.177394] >ffff8880a4fb5680: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 68.185283]                       ^
[ 68.188910]  ffff8880a4fb5700: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 68.196271]  ffff8880a4fb5780: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 68.203658] ==================================================================
[ 68.211024] Disabling lock debugging due to kernel taint
[ 68.216544] Kernel panic - not syncing: panic_on_warn set ...
[ 68.216544]
[ 68.223916] CPU: 1 PID: 7088 Comm: syz-executor201 Tainted: G B 4.14.111 #1
[ 68.232138] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 68.241488] Call Trace:
[ 68.244070]  dump_stack+0x138/0x19c
[ 68.247706]  ? erspan_build_header+0x392/0x3b0
[ 68.252289]  panic+0x1f2/0x438
[ 68.255464]  ? add_taint.cold+0x16/0x16
[ 68.259420]  kasan_end_report+0x47/0x4f
[ 68.263382]  kasan_report.cold+0x136/0x2b5
[ 68.267665]  __asan_report_load_n_noabort+0xf/0x20
[ 68.272592]  erspan_build_header+0x392/0x3b0
[ 68.277031]  ? iptunnel_handle_offloads+0x2f3/0x500
[ 68.282038]  erspan_xmit+0x3ec/0x11c0
[ 68.285834]  ? __gre_xmit+0x890/0x890
[ 68.289624]  ? lock_acquire+0x16f/0x430
[ 68.293588]  ? packet_direct_xmit+0x345/0x640
[ 68.298068]  packet_direct_xmit+0x438/0x640
[ 68.302371]  packet_sendmsg+0x31e1/0x5990
[ 68.306515]  ? trace_hardirqs_on+0x10/0x10
[ 68.310746]  ? packet_notifier+0x770/0x770
[ 68.314980]  ? release_sock+0x14c/0x1c0
[ 68.318944]  ? security_socket_sendmsg+0x8f/0xc0
[ 68.323749]  ? packet_notifier+0x770/0x770
[ 68.328067]  sock_sendmsg+0xd0/0x110
[ 68.331762]  SYSC_sendto+0x206/0x310
[ 68.335461]  ? SYSC_connect+0x2d0/0x2d0
[ 68.339420]  ? move_addr_to_kernel.part.0+0x100/0x100
[ 68.344605]  ? selinux_socket_setsockopt+0x65/0x80
[ 68.349524]  ? SyS_setsockopt+0x160/0x210
[ 68.353675]  ? SyS_recv+0x40/0x40
[ 68.357115]  SyS_sendto+0x40/0x50
[ 68.360550]  ? SyS_getpeername+0x30/0x30
[ 68.364640]  do_syscall_64+0x1eb/0x630
[ 68.368517]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 68.373366]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 68.378847] RIP: 0033:0x442249
[ 68.382074] RSP: 002b:00007ffc99a67dc8 EFLAGS: 00000246 ORIG_RAX: 000000000000002c
[ 68.389780] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000000442249
[ 68.397044] RDX: 000000000000000e RSI: 0000000020000180 RDI: 0000000000000003
[ 68.404309] RBP: 00000000004a9450 R08: 0000000000000000 R09: 0000000000000000
[ 68.411572] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000403150
[ 68.418832] R13: 00000000004031e0 R14: 0000000000000000 R15: 0000000000000000
[ 68.426787] Kernel Offset: disabled
[ 68.430437] Rebooting in 86400 seconds..