[ OK ] Started Update UTMP about System Runlevel Changes.
Debian GNU/Linux 9 syzkaller ttyS0
syzkaller login: [ 28.575061] audit: type=1400 audit(1586274864.532:8): avc: denied { execmem } for pid=6119 comm="syz-executor.0" scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=process permissive=1
[ 28.839597] IPVS: ftp: loaded support on port[0] = 21
[ 30.018788] can: request_module (can-proto-0) failed.
[ 30.029538] can: request_module (can-proto-0) failed.
[ 30.059257] audit: type=1400 audit(1586274866.023:9): avc: denied { create } for pid=6098 comm="syz-fuzzer" scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=dccp_socket permissive=1
Warning: Permanently added '10.128.15.208' (ECDSA) to the list of known hosts.
2020/04/07 15:54:33 parsed 1 programs
2020/04/07 15:54:33 executed programs: 0
[ 37.627235] audit: type=1400 audit(1586274873.598:10): avc: denied { execmem } for pid=6242 comm="syz-executor.2" scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=process permissive=1
[ 37.893483] IPVS: ftp: loaded support on port[0] = 21
[ 38.683043] IPVS: ftp: loaded support on port[0] = 21
[ 38.733938] chnl_net:caif_netlink_parms(): no params data found
[ 38.788124] bridge0: port 1(bridge_slave_0) entered blocking state
[ 38.796382] bridge0: port 1(bridge_slave_0) entered disabled state
[ 38.804241] device bridge_slave_0 entered promiscuous mode
[ 38.815919] bridge0: port 2(bridge_slave_1) entered blocking state
[ 38.822593] bridge0: port 2(bridge_slave_1) entered disabled state
[ 38.829797] device bridge_slave_1 entered promiscuous mode
[ 38.853380] bond0: Enslaving bond_slave_0 as an active interface with an up link
[ 38.864652] bond0: Enslaving bond_slave_1 as an active interface with an up link
[ 38.884880] IPv6: ADDRCONF(NETDEV_UP): team_slave_0: link is not ready
[ 38.893500] team0: Port device team_slave_0 added
[ 38.900674] IPv6: ADDRCONF(NETDEV_UP): team_slave_1: link is not ready
[ 38.908513] team0: Port device team_slave_1 added
[ 38.914564] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_0: link is not ready
[ 38.914912] IPVS: ftp: loaded support on port[0] = 21
[ 38.922866] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_1: link is not ready
[ 38.994693] device hsr_slave_0 entered promiscuous mode
[ 39.042277] device hsr_slave_1 entered promiscuous mode
[ 39.084612] IPv6: ADDRCONF(NETDEV_UP): hsr_slave_0: link is not ready
[ 39.094224] IPv6: ADDRCONF(NETDEV_UP): hsr_slave_1: link is not ready
[ 39.149621] chnl_net:caif_netlink_parms(): no params data found
[ 39.204977] bridge0: port 2(bridge_slave_1) entered blocking state
[ 39.211526] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 39.218774] bridge0: port 1(bridge_slave_0) entered blocking state
[ 39.225221] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 39.247776] bridge0: port 1(bridge_slave_0) entered blocking state
[ 39.254961] bridge0: port 1(bridge_slave_0) entered disabled state
[ 39.264414] IPVS: ftp: loaded support on port[0] = 21
[ 39.264820] device bridge_slave_0 entered promiscuous mode
[ 39.293129] IPv6: ADDRCONF(NETDEV_UP): bond0: link is not ready
[ 39.299389] 8021q: adding VLAN 0 to HW filter on device bond0
[ 39.307048] bridge0: port 2(bridge_slave_1) entered blocking state
[ 39.314787] bridge0: port 2(bridge_slave_1) entered disabled state
[ 39.322199] device bridge_slave_1 entered promiscuous mode
[ 39.397035] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
[ 39.409549] bond0: Enslaving bond_slave_0 as an active interface with an up link
[ 39.420076] bond0: Enslaving bond_slave_1 as an active interface with an up link
[ 39.441542] IPv6: ADDRCONF(NETDEV_UP): team_slave_0: link is not ready
[ 39.449263] team0: Port device team_slave_0 added
[ 39.459154] chnl_net:caif_netlink_parms(): no params data found
[ 39.468181] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 39.478130] bridge0: port 1(bridge_slave_0) entered disabled state
[ 39.495636] bridge0: port 2(bridge_slave_1) entered disabled state
[ 39.504821] IPv6: ADDRCONF(NETDEV_UP): team_slave_1: link is not ready
[ 39.512444] team0: Port device team_slave_1 added
[ 39.527661] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_0: link is not ready
[ 39.535487] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_1: link is not ready
[ 39.545821] IPv6: ADDRCONF(NETDEV_UP): team0: link is not ready
[ 39.552877] 8021q: adding VLAN 0 to HW filter on device team0
[ 39.604813] device hsr_slave_0 entered promiscuous mode
[ 39.642182] device hsr_slave_1 entered promiscuous mode
[ 39.693110] IPVS: ftp: loaded support on port[0] = 21
[ 39.699229] IPv6: ADDRCONF(NETDEV_UP): hsr_slave_0: link is not ready
[ 39.712296] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[ 39.720068] bridge0: port 1(bridge_slave_0) entered blocking state
[ 39.726642] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 39.740987] IPv6: ADDRCONF(NETDEV_CHANGE): bond0: link becomes ready
[ 39.751162] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bridge: link is not ready
[ 39.759682] IPv6: ADDRCONF(NETDEV_UP): hsr_slave_1: link is not ready
[ 39.783708] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready
[ 39.792401] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[ 39.800255] bridge0: port 2(bridge_slave_1) entered blocking state
[ 39.807178] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 39.819275] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bond: link is not ready
[ 39.829899] bridge0: port 1(bridge_slave_0) entered blocking state
[ 39.837184] bridge0: port 1(bridge_slave_0) entered disabled state
[ 39.844847] device bridge_slave_0 entered promiscuous mode
[ 39.851205] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bond: link becomes ready
[ 39.913508] bridge0: port 2(bridge_slave_1) entered blocking state
[ 39.919897] bridge0: port 2(bridge_slave_1) entered disabled state
[ 39.928128] device bridge_slave_1 entered promiscuous mode
[ 39.949659] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bond: link is not ready
[ 39.965884] chnl_net:caif_netlink_parms(): no params data found
[ 39.975906] bond0: Enslaving bond_slave_0 as an active interface with an up link
[ 39.984228] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bond: link becomes ready
[ 39.993881] bond0: Enslaving bond_slave_1 as an active interface with an up link
[ 40.008564] IPv6: ADDRCONF(NETDEV_UP): veth0_to_team: link is not ready
[ 40.028400] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_team: link becomes ready
[ 40.036600] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready
[ 40.046038] IPv6: ADDRCONF(NETDEV_CHANGE): team0: link becomes ready
[ 40.054653] IPv6: ADDRCONF(NETDEV_UP): bridge0: link is not ready
[ 40.062208] IPv6: ADDRCONF(NETDEV_UP): veth1_to_team: link is not ready
[ 40.083973] IPVS: ftp: loaded support on port[0] = 21
[ 40.096753] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_team: link becomes ready
[ 40.104756] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready
[ 40.114741] IPv6: ADDRCONF(NETDEV_UP): veth0_to_hsr: link is not ready
[ 40.123347] IPv6: ADDRCONF(NETDEV_UP): team_slave_0: link is not ready
[ 40.131062] team0: Port device team_slave_0 added
[ 40.170301] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_hsr: link becomes ready
[ 40.178896] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
[ 40.189249] IPv6: ADDRCONF(NETDEV_UP): veth1_to_hsr: link is not ready
[ 40.209909] IPv6: ADDRCONF(NETDEV_UP): team_slave_1: link is not ready
[ 40.217981] team0: Port device team_slave_1 added
[ 40.243008] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_hsr: link becomes ready
[ 40.250588] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
[ 40.267549] bridge0: port 1(bridge_slave_0) entered blocking state
[ 40.276933] bridge0: port 1(bridge_slave_0) entered disabled state
[ 40.284878] device bridge_slave_0 entered promiscuous mode
[ 40.291640] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_0: link is not ready
[ 40.298723] bridge0: port 2(bridge_slave_1) entered blocking state
[ 40.305598] bridge0: port 2(bridge_slave_1) entered disabled state
[ 40.312860] device bridge_slave_1 entered promiscuous mode
[ 40.324415] IPv6: ADDRCONF(NETDEV_UP): hsr0: link is not ready
[ 40.330488] IPv6: ADDRCONF(NETDEV_CHANGE): hsr0: link becomes ready
[ 40.338424] chnl_net:caif_netlink_parms(): no params data found
[ 40.354693] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_1: link is not ready
[ 40.404344] bond0: Enslaving bond_slave_0 as an active interface with an up link
[ 40.429788] IPv6: ADDRCONF(NETDEV_UP): vxcan1: link is not ready
[ 40.485099] device hsr_slave_0 entered promiscuous mode
[ 40.531623] device hsr_slave_1 entered promiscuous mode
[ 40.572498] bond0: Enslaving bond_slave_1 as an active interface with an up link
[ 40.580750] IPv6: ADDRCONF(NETDEV_UP): hsr_slave_0: link is not ready
[ 40.595695] bridge0: port 1(bridge_slave_0) entered blocking state
[ 40.602194] bridge0: port 1(bridge_slave_0) entered disabled state
[ 40.609067] device bridge_slave_0 entered promiscuous mode
[ 40.619914] 8021q: adding VLAN 0 to HW filter on device bond0
[ 40.634192] IPv6: ADDRCONF(NETDEV_UP): hsr_slave_1: link is not ready
[ 40.643219] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
[ 40.649908] bridge0: port 2(bridge_slave_1) entered blocking state
[ 40.656787] bridge0: port 2(bridge_slave_1) entered disabled state
[ 40.665046] device bridge_slave_1 entered promiscuous mode
[ 40.693328] IPv6: ADDRCONF(NETDEV_UP): veth1: link is not ready
[ 40.702561] 8021q: adding VLAN 0 to HW filter on device batadv0
[ 40.716084] IPv6: ADDRCONF(NETDEV_UP): team_slave_0: link is not ready
[ 40.728123] team0: Port device team_slave_0 added
[ 40.734461] IPv6: ADDRCONF(NETDEV_UP): team_slave_1: link is not ready
[ 40.742136] team0: Port device team_slave_1 added
[ 40.747550] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_0: link is not ready
[ 40.757541] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready
[ 40.764948] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 40.773583] IPv6: ADDRCONF(NETDEV_UP): team0: link is not ready
[ 40.779777] 8021q: adding VLAN 0 to HW filter on device team0
[ 40.787448] bond0: Enslaving bond_slave_0 as an active interface with an up link
[ 40.796864] bond0: Enslaving bond_slave_1 as an active interface with an up link
[ 40.809483] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_1: link is not ready
[ 40.825401] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bridge: link is not ready
[ 40.898206] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready
[ 40.909254] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[ 40.918422] bridge0: port 1(bridge_slave_0) entered blocking state
[ 40.924996] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 40.934428] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bridge: link is not ready
[ 40.936999] TCP: request_sock_TCPv6: Possible SYN flooding on port 20002. Sending cookies. Check SNMP counters.
[ 40.944873] IPv6: ADDRCONF(NETDEV_UP): bridge0: link is not ready
[ 40.972015] ==================================================================
[ 40.976484] BUG: unable to handle kernel
[ 40.979634] BUG: KASAN: use-after-free in padata_parallel_worker+0x37a/0x420
[ 40.979635] paging request at ffffffffffffffc8
[ 40.984680] Write of size 8 at addr ffff8880a86c3318 by task kworker/0:0/3
[ 40.992125] IP: pcrypt_aead_enc+0x7b/0xf0
[ 40.996730]
[ 41.003754] PGD 786d067
[ 41.007904] CPU: 0 PID: 3 Comm: kworker/0:0 Not tainted 4.14.175-syzkaller #0
[ 41.009518] P4D 786d067
[ 41.012271] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 41.019537] PUD 786f067
[ 41.022229] Workqueue: pencrypt padata_parallel_worker
[ 41.031567] PMD 0
[ 41.041643] Call Trace:
[ 41.041648] Oops: 0000 [#1] PREEMPT SMP KASAN
[ 41.041654] Modules linked in:
[ 41.044417] dump_stack+0xf7/0x13b
[ 41.052100] ? padata_parallel_worker+0x37a/0x420
[ 41.055629] CPU: 1 PID: 23 Comm: kworker/1:1 Not tainted 4.14.175-syzkaller #0
[ 41.060497] print_address_description.cold.7+0x9/0x1c9
[ 41.067829] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 41.073195] ? padata_parallel_worker+0x37a/0x420
[ 41.082558] Workqueue: pencrypt padata_parallel_worker
[ 41.087386] kasan_report.cold.8+0x11a/0x2d3
[ 41.092634] task: ffff8880a9e42600 task.stack: ffff8880a9e50000
[ 41.097022] __asan_report_store8_noabort+0x17/0x20
[ 41.103057] RIP: 0010:pcrypt_aead_enc+0x7b/0xf0
[ 41.108051] padata_parallel_worker+0x37a/0x420
[ 41.112691] RSP: 0018:ffff8880a9e57c90 EFLAGS: 00010246
[ 41.117338] ? padata_sysfs_store+0xa0/0xa0
[ 41.117346] process_one_work+0x79e/0x16c0
[ 41.122683] RAX: dffffc0000000000 RBX: ffff8880a93fd210 RCX: ffffffff82b09a8e
[ 41.127124] ? pwq_dec_nr_in_flight+0x2b0/0x2b0
[ 41.131361] RDX: 1ffffffffffffff9 RSI: 0000000000000008 RDI: ffff8880a93fd248
[ 41.138636] worker_thread+0xcc/0xee0
[ 41.143300] RBP: ffff8880a9e57cb0 R08: 0000000000000001 R09: 0000000000000000
[ 41.151190] kthread+0x338/0x400
[ 41.154981] R10: 0000000000000050 R11: ffff8880a9e42600 R12: 0000000000000000
[ 41.162259] ? process_one_work+0x16c0/0x16c0
[ 41.167520] R13: ffff8880a93fd248 R14: ffff8880a9e57cf8 R15: 1ffff110153caf9b
[ 41.174824] ? kthread_create_on_node+0xa0/0xa0
[ 41.179300] FS: 0000000000000000(0000) GS:ffff8880aef00000(0000) knlGS:0000000000000000
[ 41.186558] ret_from_fork+0x24/0x30
[ 41.191443] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 41.199886]
[ 41.203602] CR2: ffffffffffffffc8 CR3: 00000000929f3000 CR4: 00000000001406e0
[ 41.209697] Allocated by task 7026:
[ 41.211310] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 41.218940] save_stack_trace+0x16/0x20
[ 41.222546] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[ 41.229815] save_stack+0x43/0xd0
[ 41.233882] Call Trace:
[ 41.241284] kasan_kmalloc+0xc7/0xe0
[ 41.244724] padata_parallel_worker+0x24e/0x420
[ 41.247283] __kmalloc+0x15b/0x7b0
[ 41.251173] ? padata_sysfs_store+0xa0/0xa0
[ 41.255848] tls_push_record+0xf6/0x14c0
[ 41.259386] process_one_work+0x79e/0x16c0
[ 41.263685] tls_sw_sendmsg+0x90b/0x10a0
[ 41.267840] ? pwq_dec_nr_in_flight+0x2b0/0x2b0
[ 41.272079] inet_sendmsg+0x108/0x440
[ 41.276162] worker_thread+0xcc/0xee0
[ 41.280948] sock_sendmsg+0xb5/0xf0
[ 41.284916] kthread+0x338/0x400
[ 41.288706] SYSC_sendto+0x1e3/0x2c0
[ 41.292345] ? process_one_work+0x16c0/0x16c0
[ 41.295719] SyS_sendto+0x9/0x10
[ 41.299610] ? kthread_create_on_node+0xa0/0xa0
[ 41.304083] do_syscall_64+0x1c7/0x5b0
[ 41.307431] ret_from_fork+0x24/0x30
[ 41.312071] entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 41.312074]
[ 41.316231] Code:
[ 41.320038] Freed by task 7026:
[ 41.325281] 00
[ 41.326914] save_stack_trace+0x16/0x20
[ 41.329041] 0f
[ 41.332307] save_stack+0x43/0xd0
[ 41.332312] kasan_slab_free+0x71/0xc0
[ 41.334194] 85
[ 41.338292] kfree+0xcc/0x270
[ 41.340180] 82
[ 41.343609] tls_push_record+0xd32/0x14c0
[ 41.347496] 00
[ 41.349392] tls_sw_sendmsg+0x90b/0x10a0
[ 41.352465] 00
[ 41.354335] inet_sendmsg+0x108/0x440
[ 41.358454] 00
[ 41.360325] sock_sendmsg+0xb5/0xf0
[ 41.364359] 48
[ 41.366227] SYSC_sendto+0x1e3/0x2c0
[ 41.370000] b8
[ 41.371869] SyS_sendto+0x9/0x10
[ 41.375568] 00
[ 41.377461] do_syscall_64+0x1c7/0x5b0
[ 41.381233] 00
[ 41.383107] entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 41.386533] 00 00
[ 41.388408]
[ 41.392291] 00
[ 41.394163] The buggy address belongs to the object at ffff8880a86c32c0
[ 41.394163] which belongs to the cache kmalloc-256 of size 256
[ 41.399377] fc
[ 41.401523] The buggy address is located 88 bytes inside of
[ 41.401523] 256-byte region [ffff8880a86c32c0, ffff8880a86c33c0)
[ 41.403128] ff
[ 41.405021] The buggy address belongs to the page:
[ 41.417682] df
[ 41.419589] page:ffffea0002a1b0c0 count:1 mapcount:0 mapping:ffff8880a86c3040 index:0x0
[ 41.431362] 4d
[ 41.438135] 8b
[ 41.440017] flags: 0x1fffc0000000100(slab)
[ 41.448130] 64
[ 41.450000] raw: 01fffc0000000100 ffff8880a86c3040 0000000000000000 000000010000000c
[ 41.451861] 24
[ 41.456073] raw: ffffea00027cb3e0 ffffea0002515520 ffff8880aa8007c0 0000000000000000
[ 41.457954] 38
[ 41.465811] page dumped because: kasan: bad access detected
[ 41.467676] 49
[ 41.475533]
[ 41.477398] 8d 7c
[ 41.483086] Memory state around the buggy address:
[ 41.484952] 24
[ 41.486570] ffff8880a86c3200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 41.488718] c8
[ 41.493649] ffff8880a86c3280: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
[ 41.495534] 48
[ 41.502887] >ffff8880a86c3300: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 41.504770] 89
[ 41.512154] ^
[ 41.514035] fa
[ 41.521389] ffff8880a86c3380: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 41.523268] 48
[ 41.527398] ffff8880a86c3400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 41.529262] c1
[ 41.536621] ==================================================================
[ 41.538516] ea
[ 41.546124] Kernel panic - not syncing: panic_on_warn set ...
[ 41.546124]
[ 41.547939] 03 80 3c 02 00 75 5a 4c 89 ef <41> ff 54 24 c8 48 8d 7b 1c 48 ba 00 00 00 00 00 fc ff df 48 89
[ 41.574512] RIP: pcrypt_aead_enc+0x7b/0xf0 RSP: ffff8880a9e57c90
[ 41.580639] CR2: ffffffffffffffc8
[ 41.584077] ---[ end trace 907e7faca4f5281b ]---
[ 42.679258] Shutting down cpus with NMI
[ 42.684854] Kernel Offset: disabled
[ 42.688490] Rebooting in 86400 seconds..