[ 32.668748] audit: type=1800 audit(1578540679.337:33): pid=6988 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:kernel_t:s0 op="collect_data" cause="failed(directio)" comm="startpar" name="rc.local" dev="sda1" ino=2465 res=0
[ 32.695710] audit: type=1800 audit(1578540679.347:34): pid=6988 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:kernel_t:s0 op="collect_data" cause="failed(directio)" comm="startpar" name="rmnologin" dev="sda1" ino=2456 res=0
Debian GNU/Linux 7 syzkaller ttyS0
syzkaller login: [ 35.742409] random: sshd: uninitialized urandom read (32 bytes read)
[ 36.077447] audit: type=1400 audit(1578540682.747:35): avc: denied { map } for pid=7161 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
[ 36.127507] random: sshd: uninitialized urandom read (32 bytes read)
[ 36.786002] random: sshd: uninitialized urandom read (32 bytes read)
[ 36.968536] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.0.25' (ECDSA) to the list of known hosts.
[ 42.574055] random: sshd: uninitialized urandom read (32 bytes read)
executing program
[ 42.691079] audit: type=1400 audit(1578540689.367:36): avc: denied { map } for pid=7173 comm="syz-executor686" path="/root/syz-executor686926464" dev="sda1" ino=16484 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
[ 42.733665] IPv6: ADDRCONF(NETDEV_UP): bridge0: link is not ready
[ 42.760294] netlink: 4 bytes leftover after parsing attributes in process `syz-executor686'.
[ 42.775353] ==================================================================
[ 42.782896] BUG: KASAN: use-after-free in radix_tree_next_chunk+0x953/0x9a0
[ 42.790089] Read of size 8 at addr ffff888097010ec8 by task syz-executor686/7173
[ 42.797634]
[ 42.799274] CPU: 1 PID: 7173 Comm: syz-executor686 Not tainted 4.14.162-syzkaller #0
[ 42.807153] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 42.816509] Call Trace:
[ 42.819108] dump_stack+0x142/0x197
[ 42.822776] ? radix_tree_next_chunk+0x953/0x9a0
[ 42.827533] print_address_description.cold+0x7c/0x1dc
[ 42.832813] ? radix_tree_next_chunk+0x953/0x9a0
[ 42.837571] kasan_report.cold+0xa9/0x2af
[ 42.841723] __asan_report_load8_noabort+0x14/0x20
[ 42.847609] radix_tree_next_chunk+0x953/0x9a0
[ 42.852234] ida_remove+0xaa/0x230
[ 42.855776] ? ida_destroy+0x1e0/0x1e0
[ 42.859663] ? ida_simple_remove+0x2b/0x60
[ 42.863907] ida_simple_remove+0x39/0x60
[ 42.867968] ipvlan_link_new+0x515/0xfe0
[ 42.872032] ? rtnl_create_link+0x12c/0x850
[ 42.876357] rtnl_newlink+0xecb/0x1700
[ 42.880245] ? rtnl_newlink+0x3f5/0x1700
[ 42.884317] ? ipvlan_port_destroy+0x400/0x400
[ 42.888911] ? rtnl_link_unregister+0x200/0x200
[ 42.893607] ? avc_has_perm_noaudit+0x2b2/0x420
[ 42.898293] ? lock_acquire+0x16f/0x430
[ 42.902290] ? rtnetlink_rcv_msg+0x339/0xb70
[ 42.906728] ? rtnl_link_unregister+0x200/0x200
[ 42.911416] rtnetlink_rcv_msg+0x3da/0xb70
[ 42.916091] ? rtnl_bridge_getlink+0x7a0/0x7a0
[ 42.920675] ? netlink_deliver_tap+0x93/0x8f0
[ 42.925179] netlink_rcv_skb+0x14f/0x3c0
[ 42.929241] ? rtnl_bridge_getlink+0x7a0/0x7a0
[ 42.933837] ? lock_downgrade+0x740/0x740
[ 42.937994] ? netlink_ack+0x9a0/0x9a0
[ 42.941891] ? netlink_deliver_tap+0xba/0x8f0
[ 42.946390] rtnetlink_rcv+0x1d/0x30
[ 42.950126] netlink_unicast+0x44d/0x650
[ 42.954193] ? netlink_attachskb+0x6a0/0x6a0
[ 42.958606] ? security_netlink_send+0x81/0xb0
[ 42.963293] netlink_sendmsg+0x7c4/0xc60
[ 42.967363] ? netlink_unicast+0x650/0x650
[ 42.971603] ? security_socket_sendmsg+0x89/0xb0
[ 42.976361] ? netlink_unicast+0x650/0x650
[ 42.980599] sock_sendmsg+0xce/0x110
[ 42.984313] ___sys_sendmsg+0x70a/0x840
[ 42.988298] ? copy_msghdr_from_user+0x3f0/0x3f0
[ 42.993054] ? save_trace+0x290/0x290
[ 42.997812] ? selinux_file_alloc_security+0xb4/0x190
[ 43.003004] ? __fd_install+0x1fb/0x5f0
[ 43.006977] ? find_held_lock+0x35/0x130
[ 43.011042] ? __lock_is_held+0xb6/0x140
[ 43.015115] ? lock_downgrade+0x740/0x740
[ 43.019264] ? __fd_install+0x236/0x5f0
[ 43.023239] ? errseq_sample+0x4d/0x60
[ 43.027214] ? __fget_light+0x172/0x1f0
[ 43.031197] ? __fdget+0x1b/0x20
[ 43.034561] ? sockfd_lookup_light+0xb4/0x160
[ 43.039053] __sys_sendmsg+0xb9/0x140
[ 43.042851] ? SyS_shutdown+0x170/0x170
[ 43.046821] ? fd_install+0x4d/0x60
[ 43.050456] SyS_sendmsg+0x2d/0x50
[ 43.053990] ? __sys_sendmsg+0x140/0x140
[ 43.058050] do_syscall_64+0x1e8/0x640
[ 43.061941] ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 43.066794] entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 43.072002] RIP: 0033:0x440339
[ 43.075192] RSP: 002b:00007ffd5d272e68 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
[ 43.082899] RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 0000000000440339
[ 43.090151] RDX: 0000000000000000 RSI: 0000000020000140 RDI: 0000000000000004
[ 43.097499] RBP: 00000000006ca018 R08: 00000000004002c8 R09: 00000000004002c8
[ 43.104752] R10: 00000000004002c8 R11: 0000000000000246 R12: 0000000000401bc0
[ 43.112053] R13: 0000000000401c50 R14: 0000000000000000 R15: 0000000000000000
[ 43.119351]
[ 43.120965] Allocated by task 7173:
[ 43.124576] save_stack_trace+0x16/0x20
[ 43.128528] save_stack+0x45/0xd0
[ 43.132083] kasan_kmalloc+0xce/0xf0
[ 43.135784] kmem_cache_alloc_trace+0x152/0x790
[ 43.140437] ipvlan_link_new+0x657/0xfe0
[ 43.144481] rtnl_newlink+0xecb/0x1700
[ 43.148358] rtnetlink_rcv_msg+0x3da/0xb70
[ 43.152573] netlink_rcv_skb+0x14f/0x3c0
[ 43.156625] rtnetlink_rcv+0x1d/0x30
[ 43.160318] netlink_unicast+0x44d/0x650
[ 43.164472] netlink_sendmsg+0x7c4/0xc60
[ 43.168513] sock_sendmsg+0xce/0x110
[ 43.172204] ___sys_sendmsg+0x70a/0x840
[ 43.176255] __sys_sendmsg+0xb9/0x140
[ 43.180036] SyS_sendmsg+0x2d/0x50
[ 43.183579] do_syscall_64+0x1e8/0x640
[ 43.187441] entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 43.192605]
[ 43.194209] Freed by task 7173:
[ 43.197465] save_stack_trace+0x16/0x20
[ 43.201423] save_stack+0x45/0xd0
[ 43.205846] kasan_slab_free+0x75/0xc0
[ 43.209736] kfree+0xcc/0x270
[ 43.212925] ipvlan_port_destroy+0x285/0x400
[ 43.217321] ipvlan_uninit+0xc1/0xf0
[ 43.221013] register_netdevice+0x79b/0xca0
[ 43.225312] ipvlan_link_new+0x49f/0xfe0
[ 43.229359] rtnl_newlink+0xecb/0x1700
[ 43.233234] rtnetlink_rcv_msg+0x3da/0xb70
[ 43.237446] netlink_rcv_skb+0x14f/0x3c0
[ 43.241483] rtnetlink_rcv+0x1d/0x30
[ 43.245185] netlink_unicast+0x44d/0x650
[ 43.249221] netlink_sendmsg+0x7c4/0xc60
[ 43.253272] sock_sendmsg+0xce/0x110
[ 43.257069] ___sys_sendmsg+0x70a/0x840
[ 43.261027] __sys_sendmsg+0xb9/0x140
[ 43.264804] SyS_sendmsg+0x2d/0x50
[ 43.268334] do_syscall_64+0x1e8/0x640
[ 43.272211] entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 43.277374]
[ 43.278983] The buggy address belongs to the object at ffff888097010600
[ 43.278983] which belongs to the cache kmalloc-4096 of size 4096
[ 43.291802] The buggy address is located 2248 bytes inside of
[ 43.291802] 4096-byte region [ffff888097010600, ffff888097011600)
[ 43.303833] The buggy address belongs to the page:
[ 43.308738] page:ffffea00025c0400 count:1 mapcount:0 mapping:ffff888097010600 index:0x0 compound_mapcount: 0
[ 43.318684] flags: 0xfffe0000008100(slab|head)
[ 43.323257] raw: 00fffe0000008100 ffff888097010600 0000000000000000 0000000100000001
[ 43.331118] raw: ffffea0001fa76a0 ffffea00025c04a0 ffff8880aa800dc0 0000000000000000
[ 43.338973] page dumped because: kasan: bad access detected
[ 43.344748]
[ 43.346360] Memory state around the buggy address:
[ 43.351269] ffff888097010d80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 43.358615] ffff888097010e00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 43.366116] >ffff888097010e80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 43.373452] ^
[ 43.379139] ffff888097010f00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 43.386473] ffff888097010f80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 43.393816] ==================================================================
[ 43.401160] Disabling lock debugging due to kernel taint
[ 43.406610] Kernel panic - not syncing: panic_on_warn set ...
[ 43.406610]
[ 43.413972] CPU: 1 PID: 7173 Comm: syz-executor686 Tainted: G B 4.14.162-syzkaller #0
[ 43.423045] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 43.432399] Call Trace:
[ 43.434968] dump_stack+0x142/0x197
[ 43.438572] ? radix_tree_next_chunk+0x953/0x9a0
[ 43.443328] panic+0x1f9/0x42d
[ 43.446497] ? add_taint.cold+0x16/0x16
[ 43.450451] ? lock_downgrade+0x740/0x740
[ 43.454580] kasan_end_report+0x47/0x4f
[ 43.458526] kasan_report.cold+0x130/0x2af
[ 43.462859] __asan_report_load8_noabort+0x14/0x20
[ 43.467769] radix_tree_next_chunk+0x953/0x9a0
[ 43.472333] ida_remove+0xaa/0x230
[ 43.475868] ? ida_destroy+0x1e0/0x1e0
[ 43.479735] ? ida_simple_remove+0x2b/0x60
[ 43.483952] ida_simple_remove+0x39/0x60
[ 43.488032] ipvlan_link_new+0x515/0xfe0
[ 43.492074] ? rtnl_create_link+0x12c/0x850
[ 43.496373] rtnl_newlink+0xecb/0x1700
[ 43.500237] ? rtnl_newlink+0x3f5/0x1700
[ 43.504310] ? ipvlan_port_destroy+0x400/0x400
[ 43.508870] ? rtnl_link_unregister+0x200/0x200
[ 43.513518] ? avc_has_perm_noaudit+0x2b2/0x420
[ 43.518185] ? lock_acquire+0x16f/0x430
[ 43.522137] ? rtnetlink_rcv_msg+0x339/0xb70
[ 43.526531] ? rtnl_link_unregister+0x200/0x200
[ 43.531188] rtnetlink_rcv_msg+0x3da/0xb70
[ 43.535407] ? rtnl_bridge_getlink+0x7a0/0x7a0
[ 43.539987] ? netlink_deliver_tap+0x93/0x8f0
[ 43.544465] netlink_rcv_skb+0x14f/0x3c0
[ 43.548509] ? rtnl_bridge_getlink+0x7a0/0x7a0
[ 43.553074] ? lock_downgrade+0x740/0x740
[ 43.557202] ? netlink_ack+0x9a0/0x9a0
[ 43.561068] ? netlink_deliver_tap+0xba/0x8f0
[ 43.565545] rtnetlink_rcv+0x1d/0x30
[ 43.569244] netlink_unicast+0x44d/0x650
[ 43.573282] ? netlink_attachskb+0x6a0/0x6a0
[ 43.577665] ? security_netlink_send+0x81/0xb0
[ 43.582227] netlink_sendmsg+0x7c4/0xc60
[ 43.586264] ? netlink_unicast+0x650/0x650
[ 43.590498] ? security_socket_sendmsg+0x89/0xb0
[ 43.595230] ? netlink_unicast+0x650/0x650
[ 43.599439] sock_sendmsg+0xce/0x110
[ 43.603131] ___sys_sendmsg+0x70a/0x840
[ 43.607089] ? copy_msghdr_from_user+0x3f0/0x3f0
[ 43.611823] ? save_trace+0x290/0x290
[ 43.615618] ? selinux_file_alloc_security+0xb4/0x190
[ 43.620795] ? __fd_install+0x1fb/0x5f0
[ 43.624743] ? find_held_lock+0x35/0x130
[ 43.628784] ? __lock_is_held+0xb6/0x140
[ 43.632838] ? lock_downgrade+0x740/0x740
[ 43.636970] ? __fd_install+0x236/0x5f0
[ 43.640937] ? errseq_sample+0x4d/0x60
[ 43.644827] ? __fget_light+0x172/0x1f0
[ 43.648781] ? __fdget+0x1b/0x20
[ 43.652133] ? sockfd_lookup_light+0xb4/0x160
[ 43.656612] __sys_sendmsg+0xb9/0x140
[ 43.660388] ? SyS_shutdown+0x170/0x170
[ 43.664347] ? fd_install+0x4d/0x60
[ 43.667953] SyS_sendmsg+0x2d/0x50
[ 43.671528] ? __sys_sendmsg+0x140/0x140
[ 43.675668] do_syscall_64+0x1e8/0x640
[ 43.679537] ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 43.684622] entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 43.689791] RIP: 0033:0x440339
[ 43.692959] RSP: 002b:00007ffd5d272e68 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
[ 43.700655] RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 0000000000440339
[ 43.707899] RDX: 0000000000000000 RSI: 0000000020000140 RDI: 0000000000000004
[ 43.715146] RBP: 00000000006ca018 R08: 00000000004002c8 R09: 00000000004002c8
[ 43.722476] R10: 00000000004002c8 R11: 0000000000000246 R12: 0000000000401bc0
[ 43.729742] R13: 0000000000401c50 R14: 0000000000000000 R15: 0000000000000000
[ 43.738715] Kernel Offset: disabled
[ 43.742353] Rebooting in 86400 seconds..