Debian GNU/Linux 7 syzkaller ttyS0
syzkaller login: [ 33.463418] random: sshd: uninitialized urandom read (32 bytes read)
[ 33.748743] kauditd_printk_skb: 9 callbacks suppressed
[ 33.748751] audit: type=1400 audit(1572725008.391:35): avc: denied { map } for pid=6795 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
[ 33.796592] random: sshd: uninitialized urandom read (32 bytes read)
[ 34.335105] random: sshd: uninitialized urandom read (32 bytes read)
[ 847.224602] audit: type=1400 audit(1572725821.871:36): avc: denied { map } for pid=6804 comm="sh" path="/bin/dash" dev="sda1" ino=1473 scontext=system_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
[ 987.780583] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.0.204' (ECDSA) to the list of known hosts.
[ 993.308382] random: sshd: uninitialized urandom read (32 bytes read)
2019/11/02 20:19:28 parsed 1 programs
[ 993.483776] audit: type=1400 audit(1572725968.131:37): avc: denied { map } for pid=6811 comm="syz-execprog" path="/root/syz-execprog" dev="sda1" ino=16481 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
[ 993.541177] audit: type=1400 audit(1572725968.191:38): avc: denied { map } for pid=6811 comm="syz-execprog" path="/sys/kernel/debug/kcov" dev="debugfs" ino=20 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:debugfs_t:s0 tclass=file permissive=1
[ 994.236196] random: cc1: uninitialized urandom read (8 bytes read)
2019/11/02 20:19:29 executed programs: 0
[ 995.451076] IPVS: ftp: loaded support on port[0] = 21
[ 996.254924] chnl_net:caif_netlink_parms(): no params data found
[ 996.284004] bridge0: port 1(bridge_slave_0) entered blocking state
[ 996.290670] bridge0: port 1(bridge_slave_0) entered disabled state
[ 996.297632] device bridge_slave_0 entered promiscuous mode
[ 996.304431] bridge0: port 2(bridge_slave_1) entered blocking state
[ 996.310867] bridge0: port 2(bridge_slave_1) entered disabled state
[ 996.317658] device bridge_slave_1 entered promiscuous mode
[ 996.332053] bond0: Enslaving bond_slave_0 as an active interface with an up link
[ 996.340827] bond0: Enslaving bond_slave_1 as an active interface with an up link
[ 996.355747] IPv6: ADDRCONF(NETDEV_UP): team_slave_0: link is not ready
[ 996.363047] team0: Port device team_slave_0 added
[ 996.368419] IPv6: ADDRCONF(NETDEV_UP): team_slave_1: link is not ready
[ 996.375657] team0: Port device team_slave_1 added
[ 996.380889] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_0: link is not ready
[ 996.388024] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_1: link is not ready
[ 996.471787] device hsr_slave_0 entered promiscuous mode
[ 996.530287] device hsr_slave_1 entered promiscuous mode
[ 996.590545] IPv6: ADDRCONF(NETDEV_UP): hsr_slave_0: link is not ready
[ 996.597374] IPv6: ADDRCONF(NETDEV_UP): hsr_slave_1: link is not ready
[ 996.609547] bridge0: port 2(bridge_slave_1) entered blocking state
[ 996.615995] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 996.622842] bridge0: port 1(bridge_slave_0) entered blocking state
[ 996.629168] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 996.655270] IPv6: ADDRCONF(NETDEV_UP): bond0: link is not ready
[ 996.662141] 8021q: adding VLAN 0 to HW filter on device bond0
[ 996.669482] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
[ 996.677686] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 996.696626] bridge0: port 1(bridge_slave_0) entered disabled state
[ 996.703629] bridge0: port 2(bridge_slave_1) entered disabled state
[ 996.713528] IPv6: ADDRCONF(NETDEV_UP): team0: link is not ready
[ 996.719582] 8021q: adding VLAN 0 to HW filter on device team0
[ 996.727634] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[ 996.735809] bridge0: port 1(bridge_slave_0) entered blocking state
[ 996.742170] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 996.750758] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[ 996.758278] bridge0: port 2(bridge_slave_1) entered blocking state
[ 996.764662] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 996.776460] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready
[ 996.785275] IPv6: ADDRCONF(NETDEV_CHANGE): team0: link becomes ready
[ 996.797706] hsr0: Slave A (hsr_slave_0) is not up; please bring it up to get a fully working HSR network
[ 996.808112] hsr0: Slave B (hsr_slave_1) is not up; please bring it up to get a fully working HSR network
[ 996.818971] IPv6: ADDRCONF(NETDEV_UP): hsr0: link is not ready
[ 996.826159] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready
[ 996.833731] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
[ 996.841626] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
[ 996.849554] IPv6: ADDRCONF(NETDEV_CHANGE): hsr0: link becomes ready
[ 996.859771] IPv6: ADDRCONF(NETDEV_UP): vxcan1: link is not ready
[ 996.869175] 8021q: adding VLAN 0 to HW filter on device batadv0
[ 997.260882] IPv6: ADDRCONF(NETDEV_CHANGE): bond0: link becomes ready
[ 998.047073] audit: type=1400 audit(1572725972.691:39): avc: denied { map } for pid=6842 comm="syz-executor.0" path=2F6D656D66643A73656375726974792E73656C696E7578202864656C6574656429 dev="tmpfs" ino=24488 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:tmpfs_t:s0 tclass=file permissive=1
2019/11/02 20:19:34 executed programs: 39
2019/11/02 20:19:39 executed programs: 135
2019/11/02 20:19:44 executed programs: 227
2019/11/02 20:19:49 executed programs: 321
[ 1016.740406] ==================================================================
[ 1016.747981] BUG: KASAN: use-after-free in l2tp_session_queue_purge+0xf2/0x100
[ 1016.755241] Read of size 4 at addr ffff88808f830780 by task syz-executor.0/8281
[ 1016.762664]
[ 1016.764277] CPU: 0 PID: 8281 Comm: syz-executor.0 Not tainted 4.14.151 #0
[ 1016.771176] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 1016.780506] Call Trace:
[ 1016.783113]  dump_stack+0x138/0x197
[ 1016.786718]  ? hfs_new_inode+0xc50/0xd20
[ 1016.790760]  ? l2tp_session_queue_purge+0xf2/0x100
[ 1016.795700]  print_address_description.cold+0x7c/0x1dc
[ 1016.800956]  ? l2tp_session_queue_purge+0xf2/0x100
[ 1016.805860]  kasan_report.cold+0xa9/0x2af
[ 1016.809987]  __asan_report_load4_noabort+0x14/0x20
[ 1016.814893]  l2tp_session_queue_purge+0xf2/0x100
[ 1016.819627]  l2tp_tunnel_closeall+0x20c/0x380
[ 1016.824099]  ? l2tp_tunnel_del_work+0x410/0x410
[ 1016.828745]  l2tp_udp_encap_destroy+0x99/0x100
[ 1016.833390]  ? udp_v6_flush_pending_frames+0xe0/0xe0
[ 1016.838472]  udpv6_destroy_sock+0xb3/0xd0
[ 1016.842632]  sk_common_release+0x6b/0x310
[ 1016.846758]  udp_lib_close+0x16/0x20
[ 1016.850468]  inet_release+0xec/0x1c0
[ 1016.854163]  inet6_release+0x53/0x80
[ 1016.857872]  __sock_release+0xce/0x2b0
[ 1016.861747]  ? __sock_release+0x2b0/0x2b0
[ 1016.865877]  sock_close+0x1b/0x30
[ 1016.869308]  __fput+0x275/0x7a0
[ 1016.872565]  ____fput+0x16/0x20
[ 1016.875821]  task_work_run+0x114/0x190
[ 1016.879689]  exit_to_usermode_loop+0x1da/0x220
[ 1016.884257]  do_syscall_64+0x4bc/0x640
[ 1016.888123]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 1016.892972]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 1016.898141] RIP: 0033:0x413ae1
[ 1016.901305] RSP: 002b:00007ffcac2ca090 EFLAGS: 00000293 ORIG_RAX: 0000000000000003
[ 1016.908988] RAX: 0000000000000000 RBX: 0000000000000006 RCX: 0000000000413ae1
[ 1016.916235] RDX: 0000000000000000 RSI: 0000000000000081 RDI: 0000000000000005
[ 1016.923479] RBP: 0000000000000000 R08: 0000000000760760 R09: ffffffffffffffff
[ 1016.930723] R10: 00007ffcac2ca160 R11: 0000000000000293 R12: 000000000075bf20
[ 1016.937973] R13: 0000000000000003 R14: 0000000000760768 R15: 000000000075bf2c
[ 1016.945225]
[ 1016.946831] Allocated by task 8282:
[ 1016.950440]  save_stack_trace+0x16/0x20
[ 1016.954398]  save_stack+0x45/0xd0
[ 1016.957874]  kasan_kmalloc+0xce/0xf0
[ 1016.961574]  __kmalloc+0x15d/0x7a0
[ 1016.965089]  l2tp_session_create+0x38/0x1600
[ 1016.969475]  pppol2tp_connect+0x11bf/0x18b0
[ 1016.973773]  SYSC_connect+0x1f6/0x2d0
[ 1016.977632]  SyS_connect+0x24/0x30
[ 1016.981146]  do_syscall_64+0x1e8/0x640
[ 1016.985050]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 1016.990209]
[ 1016.991812] Freed by task 8282:
[ 1016.995084]  save_stack_trace+0x16/0x20
[ 1016.999043]  save_stack+0x45/0xd0
[ 1017.002591]  kasan_slab_free+0x75/0xc0
[ 1017.006451]  kfree+0xcc/0x270
[ 1017.009532]  l2tp_session_free+0x176/0x210
[ 1017.013741]  pppol2tp_session_destruct+0xd8/0x110
[ 1017.018561]  __sk_destruct+0x4f/0x580
[ 1017.022345]  sk_destruct+0xa4/0xd0
[ 1017.025860]  __sk_free+0x54/0x230
[ 1017.029299]  sk_free+0x35/0x40
[ 1017.032474]  pppol2tp_release+0x244/0x300
[ 1017.036596]  __sock_release+0xce/0x2b0
[ 1017.040468]  sock_close+0x1b/0x30
[ 1017.043896]  __fput+0x275/0x7a0
[ 1017.047160]  ____fput+0x16/0x20
[ 1017.050423]  task_work_run+0x114/0x190
[ 1017.054287]  exit_to_usermode_loop+0x1da/0x220
[ 1017.058848]  do_syscall_64+0x4bc/0x640
[ 1017.062724]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 1017.067896]
[ 1017.069499] The buggy address belongs to the object at ffff88808f830780
[ 1017.069499]  which belongs to the cache kmalloc-512 of size 512
[ 1017.082127] The buggy address is located 0 bytes inside of
[ 1017.082127]  512-byte region [ffff88808f830780, ffff88808f830980)
[ 1017.093812] The buggy address belongs to the page:
[ 1017.098715] page:ffffea00023e0c00 count:1 mapcount:0 mapping:ffff88808f830000 index:0x0
[ 1017.106843] flags: 0x1fffc0000000100(slab)
[ 1017.111061] raw: 01fffc0000000100 ffff88808f830000 0000000000000000 0000000100000006
[ 1017.118928] raw: ffffea00023eece0 ffffea00023ebda0 ffff8880aa800940 0000000000000000
[ 1017.126781] page dumped because: kasan: bad access detected
[ 1017.132461]
[ 1017.134062] Memory state around the buggy address:
[ 1017.138964]  ffff88808f830680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 1017.146296]  ffff88808f830700: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 1017.153628] >ffff88808f830780: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 1017.160969]                    ^
[ 1017.164308]  ffff88808f830800: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 1017.171644]  ffff88808f830880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 1017.178985] ==================================================================
[ 1017.186322] Disabling lock debugging due to kernel taint
[ 1017.192288] Kernel panic - not syncing: panic_on_warn set ...
[ 1017.192288]
[ 1017.199652] CPU: 0 PID: 8281 Comm: syz-executor.0 Tainted: G    B   4.14.151 #0
[ 1017.207768] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 1017.217097] Call Trace:
[ 1017.219662]  dump_stack+0x138/0x197
[ 1017.223267]  ? l2tp_session_queue_purge+0xf2/0x100
[ 1017.228180]  panic+0x1f9/0x42d
[ 1017.231349]  ? add_taint.cold+0x16/0x16
[ 1017.235297]  ? ___preempt_schedule+0x16/0x18
[ 1017.239681]  kasan_end_report+0x47/0x4f
[ 1017.243629]  kasan_report.cold+0x130/0x2af
[ 1017.247838]  __asan_report_load4_noabort+0x14/0x20
[ 1017.252755]  l2tp_session_queue_purge+0xf2/0x100
[ 1017.257490]  l2tp_tunnel_closeall+0x20c/0x380
[ 1017.261961]  ? l2tp_tunnel_del_work+0x410/0x410
[ 1017.266605]  l2tp_udp_encap_destroy+0x99/0x100
[ 1017.271165]  ? udp_v6_flush_pending_frames+0xe0/0xe0
[ 1017.276241]  udpv6_destroy_sock+0xb3/0xd0
[ 1017.280363]  sk_common_release+0x6b/0x310
[ 1017.284486]  udp_lib_close+0x16/0x20
[ 1017.288174]  inet_release+0xec/0x1c0
[ 1017.291864]  inet6_release+0x53/0x80
[ 1017.295552]  __sock_release+0xce/0x2b0
[ 1017.299413]  ? __sock_release+0x2b0/0x2b0
[ 1017.303534]  sock_close+0x1b/0x30
[ 1017.306962]  __fput+0x275/0x7a0
[ 1017.310229]  ____fput+0x16/0x20
[ 1017.313492]  task_work_run+0x114/0x190
[ 1017.317354]  exit_to_usermode_loop+0x1da/0x220
[ 1017.321913]  do_syscall_64+0x4bc/0x640
[ 1017.325774]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 1017.330594]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 1017.335768] RIP: 0033:0x413ae1
[ 1017.338940] RSP: 002b:00007ffcac2ca090 EFLAGS: 00000293 ORIG_RAX: 0000000000000003
[ 1017.346704] RAX: 0000000000000000 RBX: 0000000000000006 RCX: 0000000000413ae1
[ 1017.353960] RDX: 0000000000000000 RSI: 0000000000000081 RDI: 0000000000000005
[ 1017.361256] RBP: 0000000000000000 R08: 0000000000760760 R09: ffffffffffffffff
[ 1017.368504] R10: 00007ffcac2ca160 R11: 0000000000000293 R12: 000000000075bf20
[ 1017.375752] R13: 0000000000000003 R14: 0000000000760768 R15: 000000000075bf2c
[ 1017.384251] Kernel Offset: disabled
[ 1017.387887] Rebooting in 86400 seconds..