[   38.459290] audit: type=1800 audit(1583369381.620:33): pid=7362 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:kernel_t:s0 op="collect_data" cause="failed(directio)" comm="startpar" name="rc.local" dev="sda1" ino=2465 res=0
[   38.491153] audit: type=1800 audit(1583369381.620:34): pid=7362 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:kernel_t:s0 op="collect_data" cause="failed(directio)" comm="startpar" name="rmnologin" dev="sda1" ino=2456 res=0

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [   42.984695] random: sshd: uninitialized urandom read (32 bytes read)
[   43.307696] audit: type=1400 audit(1583369386.470:35): avc:  denied  { map } for  pid=7533 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
[   43.357840] random: sshd: uninitialized urandom read (32 bytes read)
[   44.084026] random: sshd: uninitialized urandom read (32 bytes read)
[   44.277407] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.0.202' (ECDSA) to the list of known hosts.
[   49.852658] random: sshd: uninitialized urandom read (32 bytes read)
[   50.075444] audit: type=1400 audit(1583369393.240:36): avc:  denied  { map } for  pid=7545 comm="syz-execprog" path="/root/syz-execprog" dev="sda1" ino=16481 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
2020/03/05 00:49:53 parsed 1 programs
[   50.771146] random: cc1: uninitialized urandom read (8 bytes read)
2020/03/05 00:49:55 executed programs: 0
[   51.821144] audit: type=1400 audit(1583369394.990:37): avc:  denied  { map } for  pid=7545 comm="syz-execprog" path="/sys/kernel/debug/kcov" dev="debugfs" ino=1160 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:debugfs_t:s0 tclass=file permissive=1
[   52.121168] IPVS: ftp: loaded support on port[0] = 21
[   52.910641] chnl_net:caif_netlink_parms(): no params data found
[   52.959326] bridge0: port 1(bridge_slave_0) entered blocking state
[   52.966287] bridge0: port 1(bridge_slave_0) entered disabled state
[   52.974174] device bridge_slave_0 entered promiscuous mode
[   52.981794] bridge0: port 2(bridge_slave_1) entered blocking state
[   52.988221] bridge0: port 2(bridge_slave_1) entered disabled state
[   52.995360] device bridge_slave_1 entered promiscuous mode
[   53.011054] bond0: Enslaving bond_slave_0 as an active interface with an up link
[   53.019993] bond0: Enslaving bond_slave_1 as an active interface with an up link
[   53.037926] IPv6: ADDRCONF(NETDEV_UP): team_slave_0: link is not ready
[   53.045526] team0: Port device team_slave_0 added
[   53.051354] IPv6: ADDRCONF(NETDEV_UP): team_slave_1: link is not ready
[   53.058535] team0: Port device team_slave_1 added
[   53.073100] batman_adv: batadv0: Adding interface: batadv_slave_0
[   53.079371] batman_adv: batadv0: The MTU of interface batadv_slave_0 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem.
[   53.104688] batman_adv: batadv0: Not using interface batadv_slave_0 (retrying later): interface not active
[   53.115979] batman_adv: batadv0: Adding interface: batadv_slave_1
[   53.122458] batman_adv: batadv0: The MTU of interface batadv_slave_1 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem.
[   53.147744] batman_adv: batadv0: Not using interface batadv_slave_1 (retrying later): interface not active
[   53.158231] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_0: link is not ready
[   53.166114] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_1: link is not ready
[   53.222470] device hsr_slave_0 entered promiscuous mode
[   53.290330] device hsr_slave_1 entered promiscuous mode
[   53.350781] IPv6: ADDRCONF(NETDEV_UP): hsr_slave_0: link is not ready
[   53.358073] IPv6: ADDRCONF(NETDEV_UP): hsr_slave_1: link is not ready
[   53.410318] audit: type=1400 audit(1583369396.570:38): avc:  denied  { create } for  pid=7563 comm="syz-executor.0" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_generic_socket permissive=1
[   53.439371] audit: type=1400 audit(1583369396.590:39): avc:  denied  { write } for  pid=7563 comm="syz-executor.0" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_generic_socket permissive=1
[   53.453266] bridge0: port 2(bridge_slave_1) entered blocking state
[   53.464017] audit: type=1400 audit(1583369396.600:40): avc:  denied  { read } for  pid=7563 comm="syz-executor.0" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_generic_socket permissive=1
[   53.469781] bridge0: port 2(bridge_slave_1) entered forwarding state
[   53.500462] bridge0: port 1(bridge_slave_0) entered blocking state
[   53.506827] bridge0: port 1(bridge_slave_0) entered forwarding state
[   53.539706] IPv6: ADDRCONF(NETDEV_UP): bond0: link is not ready
[   53.546095] 8021q: adding VLAN 0 to HW filter on device bond0
[   53.554611] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
[   53.564046] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[   53.583043] bridge0: port 1(bridge_slave_0) entered disabled state
[   53.590355] bridge0: port 2(bridge_slave_1) entered disabled state
[   53.599925] IPv6: ADDRCONF(NETDEV_UP): team0: link is not ready
[   53.607786] 8021q: adding VLAN 0 to HW filter on device team0
[   53.617013] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[   53.624682] bridge0: port 1(bridge_slave_0) entered blocking state
[   53.631223] bridge0: port 1(bridge_slave_0) entered forwarding state
[   53.640511] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[   53.648179] bridge0: port 2(bridge_slave_1) entered blocking state
[   53.654601] bridge0: port 2(bridge_slave_1) entered forwarding state
[   53.669217] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready
[   53.676927] IPv6: ADDRCONF(NETDEV_CHANGE): team0: link becomes ready
[   53.686590] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready
[   53.697501] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
[   53.707394] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
[   53.716952] IPv6: ADDRCONF(NETDEV_UP): hsr0: link is not ready
[   53.723165] IPv6: ADDRCONF(NETDEV_CHANGE): hsr0: link becomes ready
[   53.735826] IPv6: ADDRCONF(NETDEV_UP): vxcan0: link is not ready
[   53.744346] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan0: link becomes ready
[   53.751650] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan1: link becomes ready
[   53.762664] 8021q: adding VLAN 0 to HW filter on device batadv0
[   53.824178] IPv6: ADDRCONF(NETDEV_UP): veth0_virt_wifi: link is not ready
[   53.834870] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_virt_wifi: link becomes ready
[   53.870629] IPv6: ADDRCONF(NETDEV_UP): veth0_vlan: link is not ready
[   53.877909] IPv6: ADDRCONF(NETDEV_UP): vlan0: link is not ready
[   53.884992] IPv6: ADDRCONF(NETDEV_UP): vlan1: link is not ready
[   53.894032] IPv6: ADDRCONF(NETDEV_CHANGE): bond0: link becomes ready
[   53.901516] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_vlan: link becomes ready
[   53.908832] IPv6: ADDRCONF(NETDEV_CHANGE): vlan0: link becomes ready
[   53.915832] IPv6: ADDRCONF(NETDEV_CHANGE): vlan1: link becomes ready
[   53.924751] device veth0_vlan entered promiscuous mode
[   53.935376] device veth1_vlan entered promiscuous mode
[   53.948602] IPv6: ADDRCONF(NETDEV_UP): veth0_macvtap: link is not ready
[   53.958405] IPv6: ADDRCONF(NETDEV_UP): veth1_macvtap: link is not ready
[   53.965517] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_macvtap: link becomes ready
[   53.973728] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_macvtap: link becomes ready
[   53.983254] device veth0_macvtap entered promiscuous mode
[   53.989426] IPv6: ADDRCONF(NETDEV_UP): macvtap0: link is not ready
[   53.998056] device veth1_macvtap entered promiscuous mode
[   54.004379] IPv6: ADDRCONF(NETDEV_UP): macsec0: link is not ready
[   54.013652] IPv6: ADDRCONF(NETDEV_UP): veth0_to_batadv: link is not ready
[   54.023207] IPv6: ADDRCONF(NETDEV_UP): veth1_to_batadv: link is not ready
[   54.032575] IPv6: ADDRCONF(NETDEV_UP): batadv_slave_0: link is not ready
[   54.039693] batman_adv: batadv0: Interface activated: batadv_slave_0
[   54.048216] IPv6: ADDRCONF(NETDEV_CHANGE): macvtap0: link becomes ready
[   54.055954] IPv6: ADDRCONF(NETDEV_CHANGE): macsec0: link becomes ready
[   54.063171] IPv6: ADDRCONF(NETDEV_CHANGE): batadv_slave_0: link becomes ready
[   54.071560] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_batadv: link becomes ready
[   54.082582] IPv6: ADDRCONF(NETDEV_UP): batadv_slave_1: link is not ready
[   54.089508] batman_adv: batadv0: Interface activated: batadv_slave_1
[   54.097066] IPv6: ADDRCONF(NETDEV_CHANGE): batadv_slave_1: link becomes ready
[   54.104923] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_batadv: link becomes ready
2020/03/05 00:50:00 executed programs: 18
[   57.850816] ==================================================================
[   57.858933] BUG: KASAN: use-after-free in l2tp_session_queue_purge+0xea/0xf0
[   57.866272] Read of size 4 at addr ffff88809f6ba7c0 by task syz-executor.0/7718
[   57.873994] 
[   57.875633] CPU: 0 PID: 7718 Comm: syz-executor.0 Not tainted 4.14.172-syzkaller #0
[   57.883897] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   57.893264] Call Trace:
[   57.895861]  dump_stack+0x13e/0x194
[   57.899492]  ? l2tp_session_queue_purge+0xea/0xf0
[   57.904615]  print_address_description.cold+0x7c/0x1e2
[   57.910112]  ? l2tp_session_queue_purge+0xea/0xf0
[   57.914963]  kasan_report.cold+0xa9/0x2ae
[   57.919526]  l2tp_session_queue_purge+0xea/0xf0
[   57.924208]  l2tp_tunnel_closeall+0x1fe/0x370
[   57.928888]  ? l2tp_tunnel_find+0x490/0x490
[   57.933308]  ? udp_v6_flush_pending_frames+0xd0/0xd0
[   57.938537]  l2tp_udp_encap_destroy+0x8d/0xf0
[   57.943045]  udpv6_destroy_sock+0xa6/0xd0
[   57.947996]  sk_common_release+0x64/0x2f0
[   57.952606]  inet_release+0xdf/0x1b0
[   57.956937]  inet6_release+0x4c/0x70
[   57.961425]  __sock_release+0xcd/0x2b0
[   57.965985]  ? __sock_release+0x2b0/0x2b0
[   57.970922]  sock_close+0x15/0x20
[   57.974421]  __fput+0x25f/0x790
[   57.977709]  task_work_run+0x113/0x190
[   57.981982]  exit_to_usermode_loop+0x1d6/0x220
[   57.986935]  do_syscall_64+0x4a3/0x640
[   57.990985]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[   57.996200] RIP: 0033:0x416011
[   57.999635] RSP: 002b:00007fffd455a7f0 EFLAGS: 00000293 ORIG_RAX: 0000000000000003
[   58.007540] RAX: 0000000000000000 RBX: 0000000000000006 RCX: 0000000000416011
[   58.014822] RDX: 0000000000000000 RSI: 0000000000000081 RDI: 0000000000000005
[   58.023365] RBP: 0000000000000000 R08: 00000000007703e0 R09: 01ffffffffffffff
[   58.031628] R10: 00007fffd455a8c0 R11: 0000000000000293 R12: 000000000076bf20
[   58.039891] R13: 00000000007703e8 R14: 0000000000000000 R15: 000000000076bf2c
[   58.050546] 
[   58.052180] Allocated by task 7719:
[   58.056242]  save_stack+0x32/0xa0
[   58.060292]  kasan_kmalloc+0xbf/0xe0
[   58.064007]  __kmalloc+0x15b/0x7c0
[   58.067535]  l2tp_session_create+0x35/0x16f0
[   58.071924]  pppol2tp_connect+0x1154/0x17b0
[   58.076561]  SYSC_connect+0x1c6/0x250
[   58.080450]  do_syscall_64+0x1d5/0x640
[   58.084933]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[   58.090366] 
[   58.091983] Freed by task 7719:
[   58.095260]  save_stack+0x32/0xa0
[   58.098722]  kasan_slab_free+0x75/0xc0
[   58.102783]  kfree+0xcb/0x260
[   58.106116]  pppol2tp_session_destruct+0xcd/0x110
[   58.111101]  __sk_destruct+0x49/0x640
[   58.115322]  sk_destruct+0x97/0xc0
[   58.118859]  __sk_free+0x4c/0x220
[   58.122310]  sk_free+0x2b/0x40
[   58.125633]  pppol2tp_release+0x247/0x2f0
[   58.130137]  __sock_release+0xcd/0x2b0
[   58.134020]  sock_close+0x15/0x20
[   58.137651]  __fput+0x25f/0x790
[   58.141019]  task_work_run+0x113/0x190
[   58.145552]  exit_to_usermode_loop+0x1d6/0x220
[   58.150256]  do_syscall_64+0x4a3/0x640
[   58.154167]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[   58.159350] 
[   58.161070] The buggy address belongs to the object at ffff88809f6ba7c0
[   58.161070]  which belongs to the cache kmalloc-512 of size 512
[   58.173837] The buggy address is located 0 bytes inside of
[   58.173837]  512-byte region [ffff88809f6ba7c0, ffff88809f6ba9c0)
[   58.185822] The buggy address belongs to the page:
[   58.191022] page:ffffea00027dae80 count:1 mapcount:0 mapping:ffff88809f6ba040 index:0x0
[   58.199550] flags: 0xfffe0000000100(slab)
[   58.204764] raw: 00fffe0000000100 ffff88809f6ba040 0000000000000000 0000000100000006
[   58.213467] raw: ffffea000285d6a0 ffffea00027c8ca0 ffff88812fe56940 0000000000000000
[   58.221611] page dumped because: kasan: bad access detected
[   58.227497] 
[   58.229297] Memory state around the buggy address:
[   58.234844]  ffff88809f6ba680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   58.242396]  ffff88809f6ba700: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[   58.250322] >ffff88809f6ba780: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
[   58.257786]                                            ^
[   58.263288]  ffff88809f6ba800: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   58.270654]  ffff88809f6ba880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   58.278221] ==================================================================
[   58.285802] Disabling lock debugging due to kernel taint
[   58.295582] Kernel panic - not syncing: panic_on_warn set ...
[   58.295582] 
[   58.316896] CPU: 0 PID: 7718 Comm: syz-executor.0 Tainted: G    B           4.14.172-syzkaller #0
[   58.330543] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   58.339883] Call Trace:
[   58.342483]  dump_stack+0x13e/0x194
[   58.346398]  panic+0x1f9/0x42d
[   58.349601]  ? add_taint.cold+0x16/0x16
[   58.353686]  ? preempt_schedule_common+0x4a/0xc0
[   58.358507]  ? l2tp_session_queue_purge+0xea/0xf0
[   58.363349]  ? ___preempt_schedule+0x16/0x18
[   58.376616]  ? l2tp_session_queue_purge+0xea/0xf0
[   58.381632]  kasan_end_report+0x43/0x49
[   58.386647]  kasan_report.cold+0x12f/0x2ae
[   58.391149]  l2tp_session_queue_purge+0xea/0xf0
[   58.396176]  l2tp_tunnel_closeall+0x1fe/0x370
[   58.401418]  ? l2tp_tunnel_find+0x490/0x490
[   58.405868]  ? udp_v6_flush_pending_frames+0xd0/0xd0
[   58.414997]  l2tp_udp_encap_destroy+0x8d/0xf0
[   58.422467]  udpv6_destroy_sock+0xa6/0xd0
[   58.426623]  sk_common_release+0x64/0x2f0
[   58.432161]  inet_release+0xdf/0x1b0
[   58.436052]  inet6_release+0x4c/0x70
[   58.440006]  __sock_release+0xcd/0x2b0
[   58.443930]  ? __sock_release+0x2b0/0x2b0
[   58.453082]  sock_close+0x15/0x20
[   58.457432]  __fput+0x25f/0x790
[   58.460978]  task_work_run+0x113/0x190
[   58.465483]  exit_to_usermode_loop+0x1d6/0x220
[   58.470154]  do_syscall_64+0x4a3/0x640
[   58.474515]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[   58.480957] RIP: 0033:0x416011
[   58.484319] RSP: 002b:00007fffd455a7f0 EFLAGS: 00000293 ORIG_RAX: 0000000000000003
[   58.492795] RAX: 0000000000000000 RBX: 0000000000000006 RCX: 0000000000416011
[   58.503477] RDX: 0000000000000000 RSI: 0000000000000081 RDI: 0000000000000005
[   58.511559] RBP: 0000000000000000 R08: 00000000007703e0 R09: 01ffffffffffffff
[   58.519915] R10: 00007fffd455a8c0 R11: 0000000000000293 R12: 000000000076bf20
[   58.527696] R13: 00000000007703e8 R14: 0000000000000000 R15: 000000000076bf2c
[   58.536430] Kernel Offset: disabled
[   58.540072] Rebooting in 86400 seconds..