[ 41.124882] audit: type=1400 audit(1578891881.954:37): avc: denied { map } for pid=6775 comm="syz-fuzzer" path="/root/syzkaller-shm395941298" dev="sda1" ino=16484 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:file_t:s0 tclass=file permissive=1
[ 41.370989] IPVS: ftp: loaded support on port[0] = 21
[ 42.497698] can: request_module (can-proto-0) failed.
[ 42.508569] can: request_module (can-proto-0) failed.
[ 42.663190] audit: type=1400 audit(1578891883.494:38): avc: denied { create } for pid=6775 comm="syz-fuzzer" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_crypto_socket permissive=1
[ 42.690374] audit: type=1400 audit(1578891883.514:39): avc: denied { create } for pid=6775 comm="syz-fuzzer" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_generic_socket permissive=1
[ 42.714152] audit: type=1400 audit(1578891883.514:40): avc: denied { create } for pid=6775 comm="syz-fuzzer" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_netfilter_socket permissive=1
[ 42.998677] random: sshd: uninitialized urandom read (32 bytes read)
[ 43.769327] random: sshd: uninitialized urandom read (32 bytes read)
[ 43.979715] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.0.232' (ECDSA) to the list of known hosts.
2020/01/13 05:04:51 parsed 1 programs
2020/01/13 05:04:51 executed programs: 0
[ 51.021053] IPVS: ftp: loaded support on port[0] = 21
[ 51.778001] IPVS: ftp: loaded support on port[0] = 21
[ 51.814066] chnl_net:caif_netlink_parms(): no params data found
[ 51.843922] bridge0: port 1(bridge_slave_0) entered blocking state
[ 51.850932] bridge0: port 1(bridge_slave_0) entered disabled state
[ 51.859107] device bridge_slave_0 entered promiscuous mode
[ 51.866445] bridge0: port 2(bridge_slave_1) entered blocking state
[ 51.872921] bridge0: port 2(bridge_slave_1) entered disabled state
[ 51.879752] device bridge_slave_1 entered promiscuous mode
[ 51.900834] bond0: Enslaving bond_slave_0 as an active interface with an up link
[ 51.913682] bond0: Enslaving bond_slave_1 as an active interface with an up link
[ 51.936050] IPv6: ADDRCONF(NETDEV_UP): team_slave_0: link is not ready
[ 51.943275] team0: Port device team_slave_0 added
[ 51.951059] IPv6: ADDRCONF(NETDEV_UP): team_slave_1: link is not ready
[ 51.958146] team0: Port device team_slave_1 added
[ 51.963502] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_0: link is not ready
[ 51.972634] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_1: link is not ready
[ 51.986010] IPVS: ftp: loaded support on port[0] = 21
[ 52.052210] device hsr_slave_0 entered promiscuous mode
[ 52.100439] device hsr_slave_1 entered promiscuous mode
[ 52.173181] IPv6: ADDRCONF(NETDEV_UP): hsr_slave_0: link is not ready
[ 52.180897] IPv6: ADDRCONF(NETDEV_UP): hsr_slave_1: link is not ready
[ 52.238397] bridge0: port 2(bridge_slave_1) entered blocking state
[ 52.245042] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 52.252093] bridge0: port 1(bridge_slave_0) entered blocking state
[ 52.258498] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 52.266916] chnl_net:caif_netlink_parms(): no params data found
[ 52.328775] bridge0: port 1(bridge_slave_0) entered blocking state
[ 52.336877] bridge0: port 1(bridge_slave_0) entered disabled state
[ 52.337889] IPVS: ftp: loaded support on port[0] = 21
[ 52.349232] device bridge_slave_0 entered promiscuous mode
[ 52.386733] bridge0: port 2(bridge_slave_1) entered blocking state
[ 52.393286] bridge0: port 2(bridge_slave_1) entered disabled state
[ 52.400345] device bridge_slave_1 entered promiscuous mode
[ 52.417612] chnl_net:caif_netlink_parms(): no params data found
[ 52.437356] bond0: Enslaving bond_slave_0 as an active interface with an up link
[ 52.455114] bond0: Enslaving bond_slave_1 as an active interface with an up link
[ 52.490869] IPv6: ADDRCONF(NETDEV_UP): team_slave_0: link is not ready
[ 52.498899] team0: Port device team_slave_0 added
[ 52.505315] IPv6: ADDRCONF(NETDEV_UP): team_slave_1: link is not ready
[ 52.512644] team0: Port device team_slave_1 added
[ 52.518498] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_0: link is not ready
[ 52.526130] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_1: link is not ready
[ 52.534798] IPVS: ftp: loaded support on port[0] = 21
[ 52.623996] device hsr_slave_0 entered promiscuous mode
[ 52.670434] device hsr_slave_1 entered promiscuous mode
[ 52.712888] IPv6: ADDRCONF(NETDEV_UP): hsr_slave_0: link is not ready
[ 52.729226] IPv6: ADDRCONF(NETDEV_UP): hsr_slave_1: link is not ready
[ 52.740136] bridge0: port 1(bridge_slave_0) entered blocking state
[ 52.747157] bridge0: port 1(bridge_slave_0) entered disabled state
[ 52.754370] device bridge_slave_0 entered promiscuous mode
[ 52.763418] IPv6: ADDRCONF(NETDEV_UP): bond0: link is not ready
[ 52.769482] 8021q: adding VLAN 0 to HW filter on device bond0
[ 52.781836] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
[ 52.790585] bridge0: port 2(bridge_slave_1) entered blocking state
[ 52.796951] bridge0: port 2(bridge_slave_1) entered disabled state
[ 52.805203] device bridge_slave_1 entered promiscuous mode
[ 52.844404] bond0: Enslaving bond_slave_0 as an active interface with an up link
[ 52.856738] bond0: Enslaving bond_slave_1 as an active interface with an up link
[ 52.892114] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 52.900736] bridge0: port 1(bridge_slave_0) entered disabled state
[ 52.907875] bridge0: port 2(bridge_slave_1) entered disabled state
[ 52.914843] IPv6: ADDRCONF(NETDEV_CHANGE): bond0: link becomes ready
[ 52.924546] IPv6: ADDRCONF(NETDEV_UP): team_slave_0: link is not ready
[ 52.932569] team0: Port device team_slave_0 added
[ 52.938086] IPv6: ADDRCONF(NETDEV_UP): team_slave_1: link is not ready
[ 52.945441] team0: Port device team_slave_1 added
[ 52.953125] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_0: link is not ready
[ 52.963416] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_1: link is not ready
[ 52.971660] IPv6: ADDRCONF(NETDEV_UP): bridge0: link is not ready
[ 52.979080] IPv6: ADDRCONF(NETDEV_UP): team0: link is not ready
[ 52.985677] 8021q: adding VLAN 0 to HW filter on device team0
[ 52.991828] chnl_net:caif_netlink_parms(): no params data found
[ 53.010433] IPVS: ftp: loaded support on port[0] = 21
[ 53.031033] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bridge: link is not ready
[ 53.039931] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bridge: link is not ready
[ 53.058485] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready
[ 53.066892] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[ 53.074782] bridge0: port 1(bridge_slave_0) entered blocking state
[ 53.081162] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 53.088074] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready
[ 53.096067] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[ 53.103714] bridge0: port 2(bridge_slave_1) entered blocking state
[ 53.110087] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 53.152677] device hsr_slave_0 entered promiscuous mode
[ 53.190378] device hsr_slave_1 entered promiscuous mode
[ 53.240795] IPv6: ADDRCONF(NETDEV_UP): hsr_slave_0: link is not ready
[ 53.278644] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bond: link is not ready
[ 53.299075] IPv6: ADDRCONF(NETDEV_UP): hsr_slave_1: link is not ready
[ 53.325553] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bond: link becomes ready
[ 53.337922] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bond: link is not ready
[ 53.355037] bridge0: port 1(bridge_slave_0) entered blocking state
[ 53.361714] bridge0: port 1(bridge_slave_0) entered disabled state
[ 53.368566] device bridge_slave_0 entered promiscuous mode
[ 53.377655] bridge0: port 2(bridge_slave_1) entered blocking state
[ 53.384141] bridge0: port 2(bridge_slave_1) entered disabled state
[ 53.391803] device bridge_slave_1 entered promiscuous mode
[ 53.400548] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bond: link becomes ready
[ 53.413100] IPv6: ADDRCONF(NETDEV_UP): veth0_to_team: link is not ready
[ 53.422590] IPv6: ADDRCONF(NETDEV_UP): bridge0: link is not ready
[ 53.444381] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_team: link becomes ready
[ 53.453283] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready
[ 53.465089] IPv6: ADDRCONF(NETDEV_UP): veth1_to_team: link is not ready
[ 53.474292] chnl_net:caif_netlink_parms(): no params data found
[ 53.489900] bond0: Enslaving bond_slave_0 as an active interface with an up link
[ 53.497901] IPv6: ADDRCONF(NETDEV_CHANGE): team0: link becomes ready
[ 53.505782] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_team: link becomes ready
[ 53.514410] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready
[ 53.523949] 8021q: adding VLAN 0 to HW filter on device bond0
[ 53.534343] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
[ 53.542229] IPv6: ADDRCONF(NETDEV_UP): veth0_to_hsr: link is not ready
[ 53.557905] bond0: Enslaving bond_slave_1 as an active interface with an up link
[ 53.576435] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_hsr: link becomes ready
[ 53.584087] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
[ 53.592793] IPv6: ADDRCONF(NETDEV_UP): veth1: link is not ready
[ 53.601652] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready
[ 53.608518] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 53.628925] IPv6: ADDRCONF(NETDEV_UP): veth1_to_hsr: link is not ready
[ 53.645733] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_hsr: link becomes ready
[ 53.656516] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
[ 53.664888] IPv6: ADDRCONF(NETDEV_UP): team_slave_0: link is not ready
[ 53.672598] team0: Port device team_slave_0 added
[ 53.678168] IPv6: ADDRCONF(NETDEV_UP): team_slave_1: link is not ready
[ 53.685554] team0: Port device team_slave_1 added
[ 53.692304] IPv6: ADDRCONF(NETDEV_UP): team0: link is not ready
[ 53.698376] 8021q: adding VLAN 0 to HW filter on device team0
[ 53.707123] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bridge: link is not ready
[ 53.724742] bridge0: port 1(bridge_slave_0) entered blocking state
[ 53.733581] bridge0: port 1(bridge_slave_0) entered disabled state
[ 53.740898] device bridge_slave_0 entered promiscuous mode
[ 53.747852] IPv6: ADDRCONF(NETDEV_UP): hsr0: link is not ready
[ 53.754401] IPv6: ADDRCONF(NETDEV_CHANGE): hsr0: link becomes ready
[ 53.761668] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_0: link is not ready
[ 53.770183] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready
[ 53.777902] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[ 53.785687] bridge0: port 1(bridge_slave_0) entered blocking state
[ 53.792089] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 53.799529] IPv6: ADDRCONF(NETDEV_CHANGE): bridge0: link becomes ready
[ 53.807624] bridge0: port 2(bridge_slave_1) entered blocking state
[ 53.816354] bridge0: port 2(bridge_slave_1) entered disabled state
[ 53.823487] device bridge_slave_1 entered promiscuous mode
[ 53.842993] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_1: link is not ready
[ 53.851514] bond0: Enslaving bond_slave_0 as an active interface with an up link
[ 53.860383] bond0: Enslaving bond_slave_1 as an active interface with an up link
[ 53.880139] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bridge: link is not ready
[ 53.888741] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bond: link is not ready
[ 53.953300] device hsr_slave_0 entered promiscuous mode
[ 53.990357] device hsr_slave_1 entered promiscuous mode
[ 54.043168] IPv6: ADDRCONF(NETDEV_UP): hsr_slave_0: link is not ready
[ 54.050847] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready
[ 54.058512] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[ 54.066546] bridge0: port 2(bridge_slave_1) entered blocking state
[ 54.072936] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 54.079867] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bond: link becomes ready
[ 54.092664] IPv6: ADDRCONF(NETDEV_UP): team_slave_0: link is not ready
[ 54.099744] team0: Port device team_slave_0 added
[ 54.108146] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bond: link is not ready
[ 54.115888] IPv6: ADDRCONF(NETDEV_UP): hsr_slave_1: link is not ready
[ 54.133386] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bond: link becomes ready
[ 54.141825] IPv6: ADDRCONF(NETDEV_UP): team_slave_1: link is not ready
[ 54.148868] team0: Port device team_slave_1 added
[ 54.157730] IPv6: ADDRCONF(NETDEV_UP): veth0_to_team: link is not ready
[ 54.168179] IPv6: ADDRCONF(NETDEV_UP): veth1_to_team: link is not ready
[ 54.178148] IPv6: ADDRCONF(NETDEV_UP): vxcan1: link is not ready
[ 54.188026] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_0: link is not ready
[ 54.196097] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_team: link becomes ready
[ 54.204080] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready
[ 54.211754] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_team: link becomes ready
[ 54.219368] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready
[ 54.227501] IPv6: ADDRCONF(NETDEV_CHANGE): team0: link becomes ready
[ 54.237309] IPv6: ADDRCONF(NETDEV_UP): bridge0: link is not ready
[ 54.279733] 8021q: adding VLAN 0 to HW filter on device batadv0
[ 54.286759] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_1: link is not ready
[ 54.301750] IPv6: ADDRCONF(NETDEV_UP): veth0_to_hsr: link is not ready
[ 54.311729] chnl_net:caif_netlink_parms(): no params data found
[ 54.325353] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_hsr: link becomes ready
[ 54.333398] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
[ 54.345728] 8021q: adding VLAN 0 to HW filter on device bond0
[ 54.363840] IPv6: ADDRCONF(NETDEV_UP): veth1_to_hsr: link is not ready
[ 54.379401] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_hsr: link becomes ready
[ 54.388890] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
[ 54.442784] device hsr_slave_0 entered promiscuous mode
[ 54.453247] refcount_t: increment on 0; use-after-free.
[ 54.458955] ------------[ cut here ]------------
[ 54.463718] WARNING: CPU: 1 PID: 6903 at lib/refcount.c:153 refcount_inc.cold.12+0x13/0x1a
[ 54.472109] Kernel panic - not syncing: panic_on_warn set ...
[ 54.472109]
[ 54.479492] CPU: 1 PID: 6903 Comm: syz-executor.5 Not tainted 4.14.164-syzkaller #0
[ 54.487293] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 54.497352] Call Trace:
[ 54.499953] dump_stack+0xf7/0x13b
[ 54.503478] ? refcount_inc.cold.12+0x13/0x1a
[ 54.507961] panic+0x1b0/0x358
[ 54.511135] ? add_taint.cold.5+0x11/0x11
[ 54.515283] ? refcount_inc.cold.12+0x13/0x1a
[ 54.519766] __warn.cold.8+0x25/0x2c
[ 54.523471] ? refcount_inc.cold.12+0x13/0x1a
[ 54.527975] report_bug+0x1a4/0x1f3
[ 54.531596] do_error_trap+0x1bd/0x310
[ 54.535466] ? math_error+0x300/0x300
[ 54.539269] ? vprintk_emit+0x1be/0x4e0
[ 54.543255] ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 54.548105] do_invalid_op+0x1b/0x20
[ 54.551809] invalid_op+0x1b/0x40
[ 54.555249] RIP: 0010:refcount_inc.cold.12+0x13/0x1a
[ 54.560338] RSP: 0018:ffff8880832dfb08 EFLAGS: 00010286
[ 54.565684] RAX: 000000000000002b RBX: ffff88808fd02d00 RCX: 0000000000000000
[ 54.572951] RDX: 000000000000002b RSI: ffffffff868cf180 RDI: ffffed101065bf58
[ 54.580814] RBP: ffff8880832dfb08 R08: ffff88809ffc0d88 R09: 0000000000000000
[ 54.588077] R10: 0000000000000000 R11: dffffc0000000000 R12: ffff8880a1718080
[ 54.595330] R13: 0000000000000000 R14: ffff8880832dfcc8 R15: ffff8880a1718130
[ 54.602610] ? refcount_inc.cold.12+0x13/0x1a
[ 54.607180] l2tp_session_create+0xb31/0x1630
[ 54.611675] ? trace_hardirqs_on_caller+0x40c/0x580
[ 54.616687] ? l2tp_session_get+0x181/0x660
[ 54.620995] ? trace_hardirqs_on+0xd/0x10
[ 54.625128] pppol2tp_connect+0x10c1/0x1900
[ 54.629531] ? pppol2tp_seq_show+0xc40/0xc40
[ 54.633922] ? __might_fault+0xf1/0x1b0
[ 54.637896] ? lock_downgrade+0x7f0/0x7f0
[ 54.642035] ? security_socket_connect+0x6a/0xa0
[ 54.646777] SYSC_connect+0x1e3/0x2a0
[ 54.650558] ? SYSC_bind+0x210/0x210
[ 54.654252] ? _copy_to_user+0x91/0xb0
[ 54.658121] ? nsecs_to_jiffies+0x20/0x20
[ 54.662270] ? SyS_clock_gettime+0x115/0x160
[ 54.666679] ? SyS_clock_settime+0x1a0/0x1a0
[ 54.671069] ? move_addr_to_kernel+0x20/0x20
[ 54.675472] ? do_syscall_64+0x4c/0x5b0
[ 54.679424] ? SyS_accept+0x10/0x10
[ 54.683043] SyS_connect+0x9/0x10
[ 54.686491] do_syscall_64+0x1c7/0x5b0
[ 54.690374] ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 54.695217] entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 54.700411] RIP: 0033:0x459819
[ 54.703598] RSP: 002b:00007fc75a309c78 EFLAGS: 00000246 ORIG_RAX: 000000000000002a
[ 54.711403] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000000459819
[ 54.718666] RDX: 0000000000000026 RSI: 0000000020000180 RDI: 0000000000000004
[ 54.726036] RBP: 000000000075bf20 R08: 0000000000000000 R09: 0000000000000000
[ 54.733331] R10: 0000000000000000 R11: 0000000000000246 R12: 00007fc75a30a6d4
[ 54.740593] R13: 00000000004bfd8b R14: 00000000004d1948 R15: 00000000ffffffff
[ 54.748949] Kernel Offset: disabled
[ 54.752654] Rebooting in 86400 seconds..