[   31.682913] audit: type=1800 audit(1578445225.525:33): pid=7007 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:kernel_t:s0 op="collect_data" cause="failed(directio)" comm="startpar" name="rc.local" dev="sda1" ino=2465 res=0
[   31.710551] audit: type=1800 audit(1578445225.525:34): pid=7007 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:kernel_t:s0 op="collect_data" cause="failed(directio)" comm="startpar" name="rmnologin" dev="sda1" ino=2456 res=0

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [   36.422793] random: sshd: uninitialized urandom read (32 bytes read)
[   36.695450] audit: type=1400 audit(1578445230.535:35): avc:  denied  { map } for  pid=7182 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
[   36.744907] random: sshd: uninitialized urandom read (32 bytes read)
[   37.440242] random: sshd: uninitialized urandom read (32 bytes read)
[   37.625470] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.1.33' (ECDSA) to the list of known hosts.
[   43.220072] random: sshd: uninitialized urandom read (32 bytes read)
executing program
[   43.330278] audit: type=1400 audit(1578445237.175:36): avc:  denied  { map } for  pid=7195 comm="syz-executor910" path="/root/syz-executor910753084" dev="sda1" ino=16483 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
[   43.334256] netlink: 20 bytes leftover after parsing attributes in process `syz-executor910'.
[   43.374934] ==================================================================
[   43.382467] BUG: KASAN: use-after-free in radix_tree_next_chunk+0x953/0x9a0
[   43.389568] Read of size 8 at addr ffff8880824ad588 by task syz-executor910/7195
[   43.397097] 
[   43.398726] CPU: 0 PID: 7195 Comm: syz-executor910 Not tainted 4.14.162-syzkaller #0
[   43.406601] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   43.415959] Call Trace:
[   43.418545]  dump_stack+0x142/0x197
[   43.422175]  ? radix_tree_next_chunk+0x953/0x9a0
[   43.426937]  print_address_description.cold+0x7c/0x1dc
[   43.432212]  ? radix_tree_next_chunk+0x953/0x9a0
[   43.436967]  kasan_report.cold+0xa9/0x2af
[   43.441115]  __asan_report_load8_noabort+0x14/0x20
[   43.446040]  radix_tree_next_chunk+0x953/0x9a0
[   43.450634]  ida_remove+0xaa/0x230
[   43.454173]  ? ida_destroy+0x1e0/0x1e0
[   43.458054]  ? ida_simple_remove+0x2b/0x60
[   43.462293]  ida_simple_remove+0x39/0x60
[   43.466355]  ipvlan_link_new+0x515/0xfe0
[   43.470414]  ? rtnl_create_link+0x12c/0x850
[   43.474740]  rtnl_newlink+0xecb/0x1700
[   43.478637]  ? ipvlan_port_destroy+0x400/0x400
[   43.484868]  ? rtnl_link_unregister+0x200/0x200
[   43.489538]  ? avc_has_perm_noaudit+0x2b2/0x420
[   43.494222]  ? lock_acquire+0x16f/0x430
[   43.498198]  ? rtnetlink_rcv_msg+0x339/0xb70
[   43.502639]  ? rtnl_link_unregister+0x200/0x200
[   43.507314]  rtnetlink_rcv_msg+0x3da/0xb70
[   43.511553]  ? rtnl_bridge_getlink+0x7a0/0x7a0
[   43.516138]  ? netlink_deliver_tap+0x93/0x8f0
[   43.520637]  netlink_rcv_skb+0x14f/0x3c0
[   43.524703]  ? rtnl_bridge_getlink+0x7a0/0x7a0
[   43.529283]  ? lock_downgrade+0x740/0x740
[   43.533431]  ? netlink_ack+0x9a0/0x9a0
[   43.537316]  ? netlink_deliver_tap+0xba/0x8f0
[   43.541815]  rtnetlink_rcv+0x1d/0x30
[   43.545610]  netlink_unicast+0x44d/0x650
[   43.549675]  ? netlink_attachskb+0x6a0/0x6a0
[   43.554084]  ? security_netlink_send+0x81/0xb0
[   43.558668]  netlink_sendmsg+0x7c4/0xc60
[   43.565161]  ? netlink_unicast+0x650/0x650
[   43.569401]  ? security_socket_sendmsg+0x89/0xb0
[   43.574153]  ? netlink_unicast+0x650/0x650
[   43.578388]  sock_sendmsg+0xce/0x110
[   43.582106]  ___sys_sendmsg+0x70a/0x840
[   43.586079]  ? copy_msghdr_from_user+0x3f0/0x3f0
[   43.590839]  ? __might_fault+0x110/0x1d0
[   43.594903]  ? find_held_lock+0x35/0x130
[   43.598965]  ? __might_fault+0x110/0x1d0
[   43.603044]  ? lock_downgrade+0x740/0x740
[   43.607198]  ? kasan_check_read+0x11/0x20
[   43.611348]  ? _copy_to_user+0x87/0xd0
[   43.615237]  ? move_addr_to_user+0x94/0x1a0
[   43.619559]  ? __fget_light+0x172/0x1f0
[   43.623528]  ? __fdget+0x1b/0x20
[   43.626890]  ? sockfd_lookup_light+0xb4/0x160
[   43.631413]  __sys_sendmsg+0xb9/0x140
[   43.635194]  ? SyS_shutdown+0x170/0x170
[   43.639162]  ? fd_install+0x4d/0x60
[   43.642775]  SyS_sendmsg+0x2d/0x50
[   43.646294]  ? __sys_sendmsg+0x140/0x140
[   43.650349]  do_syscall_64+0x1e8/0x640
[   43.654216]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   43.659042]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[   43.664233] RIP: 0033:0x440609
[   43.667402] RSP: 002b:00007ffd4426d538 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
[   43.675102] RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 0000000000440609
[   43.682383] RDX: 0000000000000000 RSI: 0000000020000140 RDI: 0000000000000004
[   43.689633] RBP: 00000000006ca018 R08: 0000000000000004 R09: 00000000004002c8
[   43.696884] R10: 0000000000006e61 R11: 0000000000000246 R12: 0000000000401e90
[   43.704133] R13: 0000000000401f20 R14: 0000000000000000 R15: 0000000000000000
[   43.711388] 
[   43.713001] Allocated by task 7195:
[   43.716610]  save_stack_trace+0x16/0x20
[   43.720562]  save_stack+0x45/0xd0
[   43.723992]  kasan_kmalloc+0xce/0xf0
[   43.727683]  kmem_cache_alloc_trace+0x152/0x790
[   43.732330]  ipvlan_link_new+0x657/0xfe0
[   43.736394]  rtnl_newlink+0xecb/0x1700
[   43.740272]  rtnetlink_rcv_msg+0x3da/0xb70
[   43.744489]  netlink_rcv_skb+0x14f/0x3c0
[   43.748531]  rtnetlink_rcv+0x1d/0x30
[   43.752413]  netlink_unicast+0x44d/0x650
[   43.756582]  netlink_sendmsg+0x7c4/0xc60
[   43.760645]  sock_sendmsg+0xce/0x110
[   43.764371]  ___sys_sendmsg+0x70a/0x840
[   43.768328]  __sys_sendmsg+0xb9/0x140
[   43.772110]  SyS_sendmsg+0x2d/0x50
[   43.775685]  do_syscall_64+0x1e8/0x640
[   43.779559]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[   43.784727] 
[   43.786333] Freed by task 7195:
[   43.789614]  save_stack_trace+0x16/0x20
[   43.793568]  save_stack+0x45/0xd0
[   43.796999]  kasan_slab_free+0x75/0xc0
[   43.800863]  kfree+0xcc/0x270
[   43.803958]  ipvlan_port_destroy+0x285/0x400
[   43.808342]  ipvlan_uninit+0xc1/0xf0
[   43.812136]  register_netdevice+0x79b/0xca0
[   43.816460]  ipvlan_link_new+0x49f/0xfe0
[   43.820613]  rtnl_newlink+0xecb/0x1700
[   43.824509]  rtnetlink_rcv_msg+0x3da/0xb70
[   43.828726]  netlink_rcv_skb+0x14f/0x3c0
[   43.832767]  rtnetlink_rcv+0x1d/0x30
[   43.836476]  netlink_unicast+0x44d/0x650
[   43.840521]  netlink_sendmsg+0x7c4/0xc60
[   43.844566]  sock_sendmsg+0xce/0x110
[   43.848276]  ___sys_sendmsg+0x70a/0x840
[   43.852244]  __sys_sendmsg+0xb9/0x140
[   43.856046]  SyS_sendmsg+0x2d/0x50
[   43.859565]  do_syscall_64+0x1e8/0x640
[   43.863444]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[   43.868617] 
[   43.870224] The buggy address belongs to the object at ffff8880824accc0
[   43.870224]  which belongs to the cache kmalloc-4096 of size 4096
[   43.883128] The buggy address is located 2248 bytes inside of
[   43.883128]  4096-byte region [ffff8880824accc0, ffff8880824adcc0)
[   43.895325] The buggy address belongs to the page:
[   43.900332] page:ffffea0002092b00 count:1 mapcount:0 mapping:ffff8880824accc0 index:0x0 compound_mapcount: 0
[   43.910317] flags: 0xfffe0000008100(slab|head)
[   43.914885] raw: 00fffe0000008100 ffff8880824accc0 0000000000000000 0000000100000001
[   43.922844] raw: ffffea00029ea4a0 ffffea0002225020 ffff8880aa800dc0 0000000000000000
[   43.930711] page dumped because: kasan: bad access detected
[   43.936706] 
[   43.939354] Memory state around the buggy address:
[   43.944275]  ffff8880824ad480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   43.953706]  ffff8880824ad500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   43.961058] >ffff8880824ad580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   43.968408]                       ^
[   43.972014]  ffff8880824ad600: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   43.979367]  ffff8880824ad680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   43.986966] ==================================================================
[   43.994329] Disabling lock debugging due to kernel taint
[   43.999843] Kernel panic - not syncing: panic_on_warn set ...
[   43.999843] 
[   44.007804] CPU: 0 PID: 7195 Comm: syz-executor910 Tainted: G    B           4.14.162-syzkaller #0
[   44.016963] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   44.026813] Call Trace:
[   44.029383]  dump_stack+0x142/0x197
[   44.032997]  ? radix_tree_next_chunk+0x953/0x9a0
[   44.038356]  panic+0x1f9/0x42d
[   44.041530]  ? add_taint.cold+0x16/0x16
[   44.045480]  ? lock_downgrade+0x740/0x740
[   44.049606]  kasan_end_report+0x47/0x4f
[   44.053558]  kasan_report.cold+0x130/0x2af
[   44.057776]  __asan_report_load8_noabort+0x14/0x20
[   44.062684]  radix_tree_next_chunk+0x953/0x9a0
[   44.067244]  ida_remove+0xaa/0x230
[   44.070768]  ? ida_destroy+0x1e0/0x1e0
[   44.074654]  ? ida_simple_remove+0x2b/0x60
[   44.078867]  ida_simple_remove+0x39/0x60
[   44.082906]  ipvlan_link_new+0x515/0xfe0
[   44.086945]  ? rtnl_create_link+0x12c/0x850
[   44.091245]  rtnl_newlink+0xecb/0x1700
[   44.095110]  ? ipvlan_port_destroy+0x400/0x400
[   44.099768]  ? rtnl_link_unregister+0x200/0x200
[   44.104442]  ? avc_has_perm_noaudit+0x2b2/0x420
[   44.109092]  ? lock_acquire+0x16f/0x430
[   44.113046]  ? rtnetlink_rcv_msg+0x339/0xb70
[   44.117441]  ? rtnl_link_unregister+0x200/0x200
[   44.122090]  rtnetlink_rcv_msg+0x3da/0xb70
[   44.126316]  ? rtnl_bridge_getlink+0x7a0/0x7a0
[   44.130877]  ? netlink_deliver_tap+0x93/0x8f0
[   44.135367]  netlink_rcv_skb+0x14f/0x3c0
[   44.139427]  ? rtnl_bridge_getlink+0x7a0/0x7a0
[   44.144016]  ? lock_downgrade+0x740/0x740
[   44.148146]  ? netlink_ack+0x9a0/0x9a0
[   44.152014]  ? netlink_deliver_tap+0xba/0x8f0
[   44.156504]  rtnetlink_rcv+0x1d/0x30
[   44.160201]  netlink_unicast+0x44d/0x650
[   44.164244]  ? netlink_attachskb+0x6a0/0x6a0
[   44.168633]  ? security_netlink_send+0x81/0xb0
[   44.173194]  netlink_sendmsg+0x7c4/0xc60
[   44.177248]  ? netlink_unicast+0x650/0x650
[   44.181461]  ? security_socket_sendmsg+0x89/0xb0
[   44.186193]  ? netlink_unicast+0x650/0x650
[   44.190406]  sock_sendmsg+0xce/0x110
[   44.194100]  ___sys_sendmsg+0x70a/0x840
[   44.198053]  ? copy_msghdr_from_user+0x3f0/0x3f0
[   44.202795]  ? __might_fault+0x110/0x1d0
[   44.207790]  ? find_held_lock+0x35/0x130
[   44.211840]  ? __might_fault+0x110/0x1d0
[   44.215881]  ? lock_downgrade+0x740/0x740
[   44.220013]  ? kasan_check_read+0x11/0x20
[   44.224147]  ? _copy_to_user+0x87/0xd0
[   44.228011]  ? move_addr_to_user+0x94/0x1a0
[   44.232325]  ? __fget_light+0x172/0x1f0
[   44.236277]  ? __fdget+0x1b/0x20
[   44.239640]  ? sockfd_lookup_light+0xb4/0x160
[   44.244115]  __sys_sendmsg+0xb9/0x140
[   44.247892]  ? SyS_shutdown+0x170/0x170
[   44.251841]  ? fd_install+0x4d/0x60
[   44.255466]  SyS_sendmsg+0x2d/0x50
[   44.258994]  ? __sys_sendmsg+0x140/0x140
[   44.263046]  do_syscall_64+0x1e8/0x640
[   44.266923]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   44.271742]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[   44.276909] RIP: 0033:0x440609
[   44.280075] RSP: 002b:00007ffd4426d538 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
[   44.287761] RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 0000000000440609
[   44.295008] RDX: 0000000000000000 RSI: 0000000020000140 RDI: 0000000000000004
[   44.302257] RBP: 00000000006ca018 R08: 0000000000000004 R09: 00000000004002c8
[   44.309535] R10: 0000000000006e61 R11: 0000000000000246 R12: 0000000000401e90
[   44.316788] R13: 0000000000401f20 R14: 0000000000000000 R15: 0000000000000000
[   44.325702] Kernel Offset: disabled
[   44.329350] Rebooting in 86400 seconds..