[   34.069513] audit: type=1800 audit(1583304873.313:33): pid=7176 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:kernel_t:s0 op="collect_data" cause="failed(directio)" comm="startpar" name="rc.local" dev="sda1" ino=2465 res=0
[   34.096683] audit: type=1800 audit(1583304873.313:34): pid=7176 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:kernel_t:s0 op="collect_data" cause="failed(directio)" comm="startpar" name="rmnologin" dev="sda1" ino=2456 res=0

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [   37.921436] random: sshd: uninitialized urandom read (32 bytes read)
[   38.206399] audit: type=1400 audit(1583304877.453:35): avc:  denied  { map } for  pid=7349 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
[   38.308093] random: sshd: uninitialized urandom read (32 bytes read)
[   39.095987] random: sshd: uninitialized urandom read (32 bytes read)
[   43.267989] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.0.223' (ECDSA) to the list of known hosts.
[   50.965823] random: sshd: uninitialized urandom read (32 bytes read)
[   51.176899] audit: type=1400 audit(1583304890.423:36): avc:  denied  { map } for  pid=7361 comm="syz-execprog" path="/root/syz-execprog" dev="sda1" ino=16482 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
2020/03/04 06:54:50 parsed 1 programs
[   51.934924] random: cc1: uninitialized urandom read (8 bytes read)
2020/03/04 06:54:52 executed programs: 0
[   52.836650] audit: type=1400 audit(1583304892.073:37): avc:  denied  { map } for  pid=7361 comm="syz-execprog" path="/sys/kernel/debug/kcov" dev="debugfs" ino=17 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:debugfs_t:s0 tclass=file permissive=1
[   53.131090] IPVS: ftp: loaded support on port[0] = 21
[   53.922137] chnl_net:caif_netlink_parms(): no params data found
[   53.971954] bridge0: port 1(bridge_slave_0) entered blocking state
[   53.978628] bridge0: port 1(bridge_slave_0) entered disabled state
[   53.986195] device bridge_slave_0 entered promiscuous mode
[   53.993520] bridge0: port 2(bridge_slave_1) entered blocking state
[   54.000437] bridge0: port 2(bridge_slave_1) entered disabled state
[   54.007543] device bridge_slave_1 entered promiscuous mode
[   54.024431] bond0: Enslaving bond_slave_0 as an active interface with an up link
[   54.033913] bond0: Enslaving bond_slave_1 as an active interface with an up link
[   54.050808] IPv6: ADDRCONF(NETDEV_UP): team_slave_0: link is not ready
[   54.058329] team0: Port device team_slave_0 added
[   54.064597] IPv6: ADDRCONF(NETDEV_UP): team_slave_1: link is not ready
[   54.072215] team0: Port device team_slave_1 added
[   54.087984] batman_adv: batadv0: Adding interface: batadv_slave_0
[   54.094452] batman_adv: batadv0: The MTU of interface batadv_slave_0 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem.
[   54.119935] batman_adv: batadv0: Not using interface batadv_slave_0 (retrying later): interface not active
[   54.131159] batman_adv: batadv0: Adding interface: batadv_slave_1
[   54.137404] batman_adv: batadv0: The MTU of interface batadv_slave_1 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem.
[   54.163083] batman_adv: batadv0: Not using interface batadv_slave_1 (retrying later): interface not active
[   54.173532] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_0: link is not ready
[   54.181160] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_1: link is not ready
[   54.233570] device hsr_slave_0 entered promiscuous mode
[   54.300356] device hsr_slave_1 entered promiscuous mode
[   54.371280] IPv6: ADDRCONF(NETDEV_UP): hsr_slave_0: link is not ready
[   54.378625] IPv6: ADDRCONF(NETDEV_UP): hsr_slave_1: link is not ready
[   54.429225] audit: type=1400 audit(1583304893.673:38): avc:  denied  { create } for  pid=7378 comm="syz-executor.0" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_generic_socket permissive=1
[   54.449668] bridge0: port 2(bridge_slave_1) entered blocking state
[   54.453761] audit: type=1400 audit(1583304893.673:39): avc:  denied  { write } for  pid=7378 comm="syz-executor.0" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_generic_socket permissive=1
[   54.459806] bridge0: port 2(bridge_slave_1) entered forwarding state
[   54.485586] audit: type=1400 audit(1583304893.683:40): avc:  denied  { read } for  pid=7378 comm="syz-executor.0" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_generic_socket permissive=1
[   54.490533] bridge0: port 1(bridge_slave_0) entered blocking state
[   54.520330] bridge0: port 1(bridge_slave_0) entered forwarding state
[   54.553570] IPv6: ADDRCONF(NETDEV_UP): bond0: link is not ready
[   54.559652] 8021q: adding VLAN 0 to HW filter on device bond0
[   54.568386] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
[   54.577740] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[   54.596291] bridge0: port 1(bridge_slave_0) entered disabled state
[   54.603592] bridge0: port 2(bridge_slave_1) entered disabled state
[   54.614054] IPv6: ADDRCONF(NETDEV_UP): team0: link is not ready
[   54.620520] 8021q: adding VLAN 0 to HW filter on device team0
[   54.629629] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[   54.638311] bridge0: port 1(bridge_slave_0) entered blocking state
[   54.644818] bridge0: port 1(bridge_slave_0) entered forwarding state
[   54.660620] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[   54.668244] bridge0: port 2(bridge_slave_1) entered blocking state
[   54.674907] bridge0: port 2(bridge_slave_1) entered forwarding state
[   54.684094] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready
[   54.692795] IPv6: ADDRCONF(NETDEV_CHANGE): team0: link becomes ready
[   54.708115] hsr0: Slave A (hsr_slave_0) is not up; please bring it up to get a fully working HSR network
[   54.718278] hsr0: Slave B (hsr_slave_1) is not up; please bring it up to get a fully working HSR network
[   54.729676] IPv6: ADDRCONF(NETDEV_UP): hsr0: link is not ready
[   54.736628] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready
[   54.744706] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
[   54.752736] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
[   54.760745] IPv6: ADDRCONF(NETDEV_CHANGE): hsr0: link becomes ready
[   54.773508] IPv6: ADDRCONF(NETDEV_UP): vxcan0: link is not ready
[   54.782621] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan0: link becomes ready
[   54.789322] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan1: link becomes ready
[   54.802122] 8021q: adding VLAN 0 to HW filter on device batadv0
[   54.865709] IPv6: ADDRCONF(NETDEV_UP): veth0_virt_wifi: link is not ready
[   54.876580] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_virt_wifi: link becomes ready
[   54.910734] IPv6: ADDRCONF(NETDEV_CHANGE): bond0: link becomes ready
[   54.923518] IPv6: ADDRCONF(NETDEV_UP): veth0_vlan: link is not ready
[   54.930887] IPv6: ADDRCONF(NETDEV_UP): vlan0: link is not ready
[   54.937427] IPv6: ADDRCONF(NETDEV_UP): vlan1: link is not ready
[   54.947328] IPv6: ADDRCONF(NETDEV_UP): veth1_vlan: link is not ready
[   54.953977] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_vlan: link becomes ready
[   54.961478] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_vlan: link becomes ready
[   54.969879] IPv6: ADDRCONF(NETDEV_CHANGE): vlan0: link becomes ready
[   54.977134] IPv6: ADDRCONF(NETDEV_CHANGE): vlan1: link becomes ready
[   54.985579] device veth0_vlan entered promiscuous mode
[   54.995160] device veth1_vlan entered promiscuous mode
[   55.001141] IPv6: ADDRCONF(NETDEV_UP): macvlan0: link is not ready
[   55.010929] IPv6: ADDRCONF(NETDEV_UP): macvlan1: link is not ready
[   55.022699] IPv6: ADDRCONF(NETDEV_UP): veth0_macvtap: link is not ready
[   55.032447] IPv6: ADDRCONF(NETDEV_UP): veth1_macvtap: link is not ready
[   55.039364] IPv6: ADDRCONF(NETDEV_CHANGE): macvlan0: link becomes ready
[   55.047122] IPv6: ADDRCONF(NETDEV_CHANGE): macvlan1: link becomes ready
[   55.054615] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_macvtap: link becomes ready
[   55.062655] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_macvtap: link becomes ready
[   55.072419] device veth0_macvtap entered promiscuous mode
[   55.078627] IPv6: ADDRCONF(NETDEV_UP): macvtap0: link is not ready
[   55.087257] device veth1_macvtap entered promiscuous mode
[   55.093875] IPv6: ADDRCONF(NETDEV_UP): macsec0: link is not ready
[   55.103242] IPv6: ADDRCONF(NETDEV_UP): veth0_to_batadv: link is not ready
[   55.113402] IPv6: ADDRCONF(NETDEV_UP): veth1_to_batadv: link is not ready
[   55.122901] IPv6: ADDRCONF(NETDEV_UP): batadv_slave_0: link is not ready
[   55.130649] batman_adv: batadv0: Interface activated: batadv_slave_0
[   55.139245] IPv6: ADDRCONF(NETDEV_CHANGE): macvtap0: link becomes ready
[   55.146649] IPv6: ADDRCONF(NETDEV_CHANGE): macsec0: link becomes ready
[   55.154087] IPv6: ADDRCONF(NETDEV_CHANGE): batadv_slave_0: link becomes ready
[   55.162223] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_batadv: link becomes ready
[   55.172867] IPv6: ADDRCONF(NETDEV_UP): batadv_slave_1: link is not ready
[   55.179867] batman_adv: batadv0: Interface activated: batadv_slave_1
[   55.187446] IPv6: ADDRCONF(NETDEV_CHANGE): batadv_slave_1: link becomes ready
[   55.195601] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_batadv: link becomes ready
[   56.520367] ==================================================================
[   56.527940] BUG: KASAN: use-after-free in l2tp_session_queue_purge+0xea/0xf0
[   56.535185] Read of size 4 at addr ffff8880a7f67a80 by task syz-executor.0/7441
[   56.542731] 
[   56.544366] CPU: 1 PID: 7441 Comm: syz-executor.0 Not tainted 4.14.172-syzkaller #0
[   56.552162] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   56.561609] Call Trace:
[   56.564223]  dump_stack+0x13e/0x194
[   56.567850]  ? l2tp_session_queue_purge+0xea/0xf0
[   56.572704]  print_address_description.cold+0x7c/0x1e2
[   56.577980]  ? l2tp_session_queue_purge+0xea/0xf0
[   56.582830]  kasan_report.cold+0xa9/0x2ae
[   56.586980]  l2tp_session_queue_purge+0xea/0xf0
[   56.591658]  l2tp_tunnel_closeall+0x1fe/0x370
[   56.596203]  ? l2tp_tunnel_find+0x490/0x490
[   56.600518]  ? udp_v6_flush_pending_frames+0xd0/0xd0
[   56.605623]  l2tp_udp_encap_destroy+0x8d/0xf0
[   56.610121]  udpv6_destroy_sock+0xa6/0xd0
[   56.614374]  sk_common_release+0x64/0x2f0
[   56.618516]  inet_release+0xdf/0x1b0
[   56.622238]  inet6_release+0x4c/0x70
[   56.625963]  __sock_release+0xcd/0x2b0
[   56.629855]  ? __sock_release+0x2b0/0x2b0
[   56.633995]  sock_close+0x15/0x20
[   56.637433]  __fput+0x25f/0x790
[   56.640741]  task_work_run+0x113/0x190
[   56.644626]  exit_to_usermode_loop+0x1d6/0x220
[   56.649260]  do_syscall_64+0x4a3/0x640
[   56.653145]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[   56.658325] RIP: 0033:0x416011
[   56.661501] RSP: 002b:00007fff58d96b80 EFLAGS: 00000293 ORIG_RAX: 0000000000000003
[   56.669249] RAX: 0000000000000000 RBX: 0000000000000006 RCX: 0000000000416011
[   56.676515] RDX: 0000000000000000 RSI: 0000000000000081 RDI: 0000000000000005
[   56.683771] RBP: 0000000000000000 R08: 00000000007703e0 R09: 01ffffffffffffff
[   56.691029] R10: 00007fff58d96c50 R11: 0000000000000293 R12: 000000000076bf20
[   56.698380] R13: 00000000007703e8 R14: 0000000000000000 R15: 000000000076bf2c
[   56.705669] 
[   56.707297] Allocated by task 7442:
[   56.710918]  save_stack+0x32/0xa0
[   56.714385]  kasan_kmalloc+0xbf/0xe0
[   56.718082]  __kmalloc+0x15b/0x7c0
[   56.721606]  l2tp_session_create+0x35/0x16f0
[   56.725996]  pppol2tp_connect+0x1154/0x17b0
[   56.730300]  SYSC_connect+0x1c6/0x250
[   56.734099]  do_syscall_64+0x1d5/0x640
[   56.737977]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[   56.743161] 
[   56.744779] Freed by task 7442:
[   56.748052]  save_stack+0x32/0xa0
[   56.751550]  kasan_slab_free+0x75/0xc0
[   56.755435]  kfree+0xcb/0x260
[   56.758622]  pppol2tp_session_destruct+0xcd/0x110
[   56.763570]  __sk_destruct+0x49/0x640
[   56.767389]  sk_destruct+0x97/0xc0
[   56.770917]  __sk_free+0x4c/0x220
[   56.774356]  sk_free+0x2b/0x40
[   56.777546]  pppol2tp_release+0x247/0x2f0
[   56.781678]  __sock_release+0xcd/0x2b0
[   56.785554]  sock_close+0x15/0x20
[   56.789001]  __fput+0x25f/0x790
[   56.792277]  task_work_run+0x113/0x190
[   56.796160]  exit_to_usermode_loop+0x1d6/0x220
[   56.800723]  do_syscall_64+0x4a3/0x640
[   56.804601]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[   56.809825] 
[   56.811488] The buggy address belongs to the object at ffff8880a7f67a80
[   56.811488]  which belongs to the cache kmalloc-512 of size 512
[   56.824239] The buggy address is located 0 bytes inside of
[   56.824239]  512-byte region [ffff8880a7f67a80, ffff8880a7f67c80)
[   56.835925] The buggy address belongs to the page:
[   56.840844] page:ffffea00029fd9c0 count:1 mapcount:0 mapping:ffff8880a7f67080 index:0x0
[   56.848976] flags: 0xfffe0000000100(slab)
[   56.853114] raw: 00fffe0000000100 ffff8880a7f67080 0000000000000000 0000000100000006
[   56.861203] raw: ffffea0002a41f20 ffffea00024522a0 ffff88812fe56940 0000000000000000
[   56.869100] page dumped because: kasan: bad access detected
[   56.874796] 
[   56.876407] Memory state around the buggy address:
[   56.881756]  ffff8880a7f67980: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   56.889114]  ffff8880a7f67a00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   56.896467] >ffff8880a7f67a80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   56.903817]                    ^
[   56.907174]  ffff8880a7f67b00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   56.914532]  ffff8880a7f67b80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   56.921885] ==================================================================
[   56.929234] Disabling lock debugging due to kernel taint
[   56.937962] Kernel panic - not syncing: panic_on_warn set ...
[   56.937962] 
[   56.945448] CPU: 0 PID: 7441 Comm: syz-executor.0 Tainted: G    B           4.14.172-syzkaller #0
[   56.954559] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   56.963913] Call Trace:
[   56.966492]  dump_stack+0x13e/0x194
[   56.970116]  panic+0x1f9/0x42d
[   56.973305]  ? add_taint.cold+0x16/0x16
[   56.977277]  ? preempt_schedule_common+0x4a/0xc0
[   56.982154]  ? l2tp_session_queue_purge+0xea/0xf0
[   56.987026]  ? ___preempt_schedule+0x16/0x18
[   56.991474]  ? l2tp_session_queue_purge+0xea/0xf0
[   56.996307]  kasan_end_report+0x43/0x49
[   57.000261]  kasan_report.cold+0x12f/0x2ae
[   57.004476]  l2tp_session_queue_purge+0xea/0xf0
[   57.009136]  l2tp_tunnel_closeall+0x1fe/0x370
[   57.013628]  ? l2tp_tunnel_find+0x490/0x490
[   57.017938]  ? udp_v6_flush_pending_frames+0xd0/0xd0
[   57.023019]  l2tp_udp_encap_destroy+0x8d/0xf0
[   57.027492]  udpv6_destroy_sock+0xa6/0xd0
[   57.031620]  sk_common_release+0x64/0x2f0
[   57.035758]  inet_release+0xdf/0x1b0
[   57.039967]  inet6_release+0x4c/0x70
[   57.043674]  __sock_release+0xcd/0x2b0
[   57.047543]  ? __sock_release+0x2b0/0x2b0
[   57.051671]  sock_close+0x15/0x20
[   57.055108]  __fput+0x25f/0x790
[   57.058387]  task_work_run+0x113/0x190
[   57.062259]  exit_to_usermode_loop+0x1d6/0x220
[   57.066832]  do_syscall_64+0x4a3/0x640
[   57.070701]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[   57.075865] RIP: 0033:0x416011
[   57.079044] RSP: 002b:00007fff58d96b80 EFLAGS: 00000293 ORIG_RAX: 0000000000000003
[   57.086744] RAX: 0000000000000000 RBX: 0000000000000006 RCX: 0000000000416011
[   57.093998] RDX: 0000000000000000 RSI: 0000000000000081 RDI: 0000000000000005
[   57.101306] RBP: 0000000000000000 R08: 00000000007703e0 R09: 01ffffffffffffff
[   57.108567] R10: 00007fff58d96c50 R11: 0000000000000293 R12: 000000000076bf20
[   57.115876] R13: 00000000007703e8 R14: 0000000000000000 R15: 000000000076bf2c
[   57.124547] Kernel Offset: disabled
[   57.128168] Rebooting in 86400 seconds..