[ 33.589010] audit: type=1800 audit(1582842186.266:33): pid=7162 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:kernel_t:s0 op="collect_data" cause="failed(directio)" comm="startpar" name="rc.local" dev="sda1" ino=2465 res=0
[ 33.615814] audit: type=1800 audit(1582842186.266:34): pid=7162 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:kernel_t:s0 op="collect_data" cause="failed(directio)" comm="startpar" name="rmnologin" dev="sda1" ino=2456 res=0
Debian GNU/Linux 7 syzkaller ttyS0
syzkaller login: [ 36.137314] random: sshd: uninitialized urandom read (32 bytes read)
[ 36.431669] audit: type=1400 audit(1582842189.116:35): avc: denied { map } for pid=7335 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
[ 36.480441] random: sshd: uninitialized urandom read (32 bytes read)
[ 37.177511] random: sshd: uninitialized urandom read (32 bytes read)
[ 37.360668] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.0.102' (ECDSA) to the list of known hosts.
[ 42.959731] random: sshd: uninitialized urandom read (32 bytes read)
[ 43.181807] audit: type=1400 audit(1582842195.866:36): avc: denied { map } for pid=7347 comm="syz-execprog" path="/root/syz-execprog" dev="sda1" ino=16482 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
2020/02/27 22:23:15 parsed 1 programs
[ 43.833467] random: cc1: uninitialized urandom read (8 bytes read)
[ 44.678751] audit: type=1400 audit(1582842197.356:37): avc: denied { map } for pid=7347 comm="syz-execprog" path="/sys/kernel/debug/kcov" dev="debugfs" ino=1123 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:debugfs_t:s0 tclass=file permissive=1
2020/02/27 22:23:17 executed programs: 0
[ 44.719789] audit: type=1400 audit(1582842197.396:38): avc: denied { map } for pid=7347 comm="syz-execprog" path="/root/syzkaller-shm650601901" dev="sda1" ino=16485 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:file_t:s0 tclass=file permissive=1
[ 45.071006] IPVS: ftp: loaded support on port[0] = 21
[ 45.867786] chnl_net:caif_netlink_parms(): no params data found
[ 45.912846] bridge0: port 1(bridge_slave_0) entered blocking state
[ 45.919343] bridge0: port 1(bridge_slave_0) entered disabled state
[ 45.926827] device bridge_slave_0 entered promiscuous mode
[ 45.933857] bridge0: port 2(bridge_slave_1) entered blocking state
[ 45.940544] bridge0: port 2(bridge_slave_1) entered disabled state
[ 45.947333] device bridge_slave_1 entered promiscuous mode
[ 45.962274] bond0: Enslaving bond_slave_0 as an active interface with an up link
[ 45.971602] bond0: Enslaving bond_slave_1 as an active interface with an up link
[ 45.987611] IPv6: ADDRCONF(NETDEV_UP): team_slave_0: link is not ready
[ 45.994763] team0: Port device team_slave_0 added
[ 46.000420] IPv6: ADDRCONF(NETDEV_UP): team_slave_1: link is not ready
[ 46.007456] team0: Port device team_slave_1 added
[ 46.021029] batman_adv: batadv0: Adding interface: batadv_slave_0
[ 46.027251] batman_adv: batadv0: The MTU of interface batadv_slave_0 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem.
[ 46.052572] batman_adv: batadv0: Not using interface batadv_slave_0 (retrying later): interface not active
[ 46.063368] batman_adv: batadv0: Adding interface: batadv_slave_1
[ 46.069591] batman_adv: batadv0: The MTU of interface batadv_slave_1 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem.
[ 46.094851] batman_adv: batadv0: Not using interface batadv_slave_1 (retrying later): interface not active
[ 46.105440] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_0: link is not ready
[ 46.112900] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_1: link is not ready
[ 46.192699] device hsr_slave_0 entered promiscuous mode
[ 46.250248] device hsr_slave_1 entered promiscuous mode
[ 46.290621] IPv6: ADDRCONF(NETDEV_UP): hsr_slave_0: link is not ready
[ 46.297631] IPv6: ADDRCONF(NETDEV_UP): hsr_slave_1: link is not ready
[ 46.346750] audit: type=1400 audit(1582842199.026:39): avc: denied { create } for pid=7364 comm="syz-executor.0" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_generic_socket permissive=1
[ 46.365222] bridge0: port 2(bridge_slave_1) entered blocking state
[ 46.371935] audit: type=1400 audit(1582842199.026:40): avc: denied { write } for pid=7364 comm="syz-executor.0" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_generic_socket permissive=1
[ 46.377048] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 46.401490] audit: type=1400 audit(1582842199.026:41): avc: denied { read } for pid=7364 comm="syz-executor.0" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_generic_socket permissive=1
[ 46.407613] bridge0: port 1(bridge_slave_0) entered blocking state
[ 46.437318] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 46.469344] IPv6: ADDRCONF(NETDEV_UP): bond0: link is not ready
[ 46.475991] 8021q: adding VLAN 0 to HW filter on device bond0
[ 46.484714] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
[ 46.493325] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 46.511635] bridge0: port 1(bridge_slave_0) entered disabled state
[ 46.518528] bridge0: port 2(bridge_slave_1) entered disabled state
[ 46.528160] IPv6: ADDRCONF(NETDEV_UP): team0: link is not ready
[ 46.534429] 8021q: adding VLAN 0 to HW filter on device team0
[ 46.542639] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[ 46.550815] bridge0: port 1(bridge_slave_0) entered blocking state
[ 46.557151] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 46.578009] hsr0: Slave A (hsr_slave_0) is not up; please bring it up to get a fully working HSR network
[ 46.587958] hsr0: Slave B (hsr_slave_1) is not up; please bring it up to get a fully working HSR network
[ 46.598624] IPv6: ADDRCONF(NETDEV_UP): hsr0: link is not ready
[ 46.605494] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[ 46.613343] bridge0: port 2(bridge_slave_1) entered blocking state
[ 46.619678] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 46.627093] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready
[ 46.634640] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready
[ 46.642160] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
[ 46.649635] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
[ 46.657115] IPv6: ADDRCONF(NETDEV_CHANGE): hsr0: link becomes ready
[ 46.663855] IPv6: ADDRCONF(NETDEV_CHANGE): team0: link becomes ready
[ 46.675926] IPv6: ADDRCONF(NETDEV_UP): vxcan0: link is not ready
[ 46.684314] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan0: link becomes ready
[ 46.691008] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan1: link becomes ready
[ 46.702203] 8021q: adding VLAN 0 to HW filter on device batadv0
[ 46.759256] IPv6: ADDRCONF(NETDEV_UP): veth0_virt_wifi: link is not ready
[ 46.768949] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_virt_wifi: link becomes ready
[ 46.802959] IPv6: ADDRCONF(NETDEV_UP): veth0_vlan: link is not ready
[ 46.809807] IPv6: ADDRCONF(NETDEV_UP): vlan0: link is not ready
[ 46.816954] IPv6: ADDRCONF(NETDEV_UP): vlan1: link is not ready
[ 46.826127] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_vlan: link becomes ready
[ 46.833741] IPv6: ADDRCONF(NETDEV_CHANGE): vlan0: link becomes ready
[ 46.840656] IPv6: ADDRCONF(NETDEV_CHANGE): vlan1: link becomes ready
[ 46.848877] device veth0_vlan entered promiscuous mode
[ 46.858315] device veth1_vlan entered promiscuous mode
[ 46.864456] IPv6: ADDRCONF(NETDEV_UP): macvlan0: link is not ready
[ 46.870908] IPv6: ADDRCONF(NETDEV_CHANGE): bond0: link becomes ready
[ 46.877910] IPv6: ADDRCONF(NETDEV_CHANGE): macvlan0: link becomes ready
[ 46.892267] IPv6: ADDRCONF(NETDEV_UP): veth0_macvtap: link is not ready
[ 46.902245] IPv6: ADDRCONF(NETDEV_UP): veth1_macvtap: link is not ready
[ 46.909042] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_macvtap: link becomes ready
[ 46.916896] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_macvtap: link becomes ready
[ 46.926638] device veth0_macvtap entered promiscuous mode
[ 46.932685] IPv6: ADDRCONF(NETDEV_UP): macvtap0: link is not ready
[ 46.940683] device veth1_macvtap entered promiscuous mode
[ 46.946680] IPv6: ADDRCONF(NETDEV_UP): macsec0: link is not ready
[ 46.955006] IPv6: ADDRCONF(NETDEV_UP): veth0_to_batadv: link is not ready
[ 46.964034] IPv6: ADDRCONF(NETDEV_UP): veth1_to_batadv: link is not ready
[ 46.973090] IPv6: ADDRCONF(NETDEV_UP): batadv_slave_0: link is not ready
[ 46.980374] batman_adv: batadv0: Interface activated: batadv_slave_0
[ 46.988546] IPv6: ADDRCONF(NETDEV_CHANGE): macvtap0: link becomes ready
[ 46.995869] IPv6: ADDRCONF(NETDEV_CHANGE): macsec0: link becomes ready
[ 47.003045] IPv6: ADDRCONF(NETDEV_CHANGE): batadv_slave_0: link becomes ready
[ 47.010873] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_batadv: link becomes ready
[ 47.020685] IPv6: ADDRCONF(NETDEV_UP): batadv_slave_1: link is not ready
[ 47.027522] batman_adv: batadv0: Interface activated: batadv_slave_1
[ 47.035136] IPv6: ADDRCONF(NETDEV_CHANGE): batadv_slave_1: link becomes ready
[ 47.042881] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_batadv: link becomes ready
[ 48.290760]
[ 48.292406] =========================
[ 48.296184] WARNING: held lock freed!
[ 48.299965] 4.14.171-syzkaller #0 Not tainted
[ 48.304437] -------------------------
[ 48.308219] syz-executor.0/7416 is freeing memory ffff8880a98f62c0-ffff8880a98f6abf, with a lock still held there!
[ 48.318679] (sk_lock-AF_PPPOX){+.+.}, at: [<ffffffff85c2af39>] pppol2tp_release+0x49/0x2f0
[ 48.327202] 2 locks held by syz-executor.0/7416:
[ 48.331937] #0: (&sb->s_type->i_mutex_key#11){+.+.}, at: [<ffffffff84f6ce16>] __sock_release+0x86/0x2b0
[ 48.341635] #1: (sk_lock-AF_PPPOX){+.+.}, at: [<ffffffff85c2af39>] pppol2tp_release+0x49/0x2f0
[ 48.350546]
[ 48.350546] stack backtrace:
[ 48.355025] CPU: 1 PID: 7416 Comm: syz-executor.0 Not tainted 4.14.171-syzkaller #0
[ 48.362807] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 48.372147] Call Trace:
[ 48.374723] dump_stack+0x13e/0x194
[ 48.378341] debug_check_no_locks_freed.cold+0x9c/0xa8
[ 48.383616] kfree+0xae/0x260
[ 48.386705] __sk_destruct+0x4f6/0x640
[ 48.390577] sk_destruct+0x97/0xc0
[ 48.394104] __sk_free+0x4c/0x220
[ 48.397534] sk_free+0x2b/0x40
[ 48.400714] pppol2tp_release+0x26a/0x2f0
[ 48.404858] __sock_release+0xcd/0x2b0
[ 48.408725] ? __sock_release+0x2b0/0x2b0
[ 48.412907] sock_close+0x15/0x20
[ 48.416337] __fput+0x25f/0x790
[ 48.419598] task_work_run+0x113/0x190
[ 48.423473] exit_to_usermode_loop+0x1d6/0x220
[ 48.428041] do_syscall_64+0x4a3/0x640
[ 48.431916] entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 48.437088] RIP: 0033:0x45c479
[ 48.440258] RSP: 002b:00007f9351ec1c78 EFLAGS: 00000246 ORIG_RAX: 000000000000002a
[ 48.448034] RAX: 0000000000000000 RBX: 00007f9351ec26d4 RCX: 000000000045c479
[ 48.455285] RDX: 000000000000002e RSI: 0000000020000000 RDI: 0000000000000004
[ 48.462537] RBP: 000000000076bf20 R08: 0000000000000000 R09: 0000000000000000
[ 48.469787] R10: 0000000000000000 R11: 0000000000000246 R12: 00000000ffffffff
[ 48.477039] R13: 000000000000008d R14: 00000000004c2e4e R15: 000000000076bf2c
[ 48.485866] ==================================================================
[ 48.493231] BUG: KASAN: use-after-free in do_raw_spin_lock+0x1e4/0x230
[ 48.499879] Read of size 4 at addr ffff8880a98f634c by task syz-executor.0/7416
[ 48.507303]
[ 48.508917] CPU: 0 PID: 7416 Comm: syz-executor.0 Not tainted 4.14.171-syzkaller #0
[ 48.516698] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 48.526037] Call Trace:
[ 48.528616] dump_stack+0x13e/0x194
[ 48.532243] ? do_raw_spin_lock+0x1e4/0x230
[ 48.536551] print_address_description.cold+0x7c/0x1e2
[ 48.541819] ? do_raw_spin_lock+0x1e4/0x230
[ 48.546117] kasan_report.cold+0xa9/0x2ae
[ 48.550246] do_raw_spin_lock+0x1e4/0x230
[ 48.554381] release_sock+0x1b/0x1b0
[ 48.558072] pppol2tp_release+0x219/0x2f0
[ 48.562208] __sock_release+0xcd/0x2b0
[ 48.566082] ? __sock_release+0x2b0/0x2b0
[ 48.570206] sock_close+0x15/0x20
[ 48.573633] __fput+0x25f/0x790
[ 48.576905] task_work_run+0x113/0x190
[ 48.580823] exit_to_usermode_loop+0x1d6/0x220
[ 48.585381] do_syscall_64+0x4a3/0x640
[ 48.589257] entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 48.594439] RIP: 0033:0x45c479
[ 48.597640] RSP: 002b:00007f9351ec1c78 EFLAGS: 00000246 ORIG_RAX: 000000000000002a
[ 48.605384] RAX: 0000000000000000 RBX: 00007f9351ec26d4 RCX: 000000000045c479
[ 48.612633] RDX: 000000000000002e RSI: 0000000020000000 RDI: 0000000000000004
[ 48.619925] RBP: 000000000076bf20 R08: 0000000000000000 R09: 0000000000000000
[ 48.627285] R10: 0000000000000000 R11: 0000000000000246 R12: 00000000ffffffff
[ 48.634535] R13: 000000000000008d R14: 00000000004c2e4e R15: 000000000076bf2c
[ 48.641787]
[ 48.643397] Allocated by task 7416:
[ 48.647010] save_stack+0x32/0xa0
[ 48.650444] kasan_kmalloc+0xbf/0xe0
[ 48.654136] __kmalloc+0x15b/0x7c0
[ 48.657660] sk_prot_alloc+0x164/0x290
[ 48.661577] sk_alloc+0x36/0xd60
[ 48.664923] pppol2tp_create+0x2d/0x1e0
[ 48.668878] pppox_create+0xf2/0x210
[ 48.672581] __sock_create+0x2f2/0x620
[ 48.676451] SyS_socket+0xd2/0x170
[ 48.679965] do_syscall_64+0x1d5/0x640
[ 48.683835] entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 48.689006]
[ 48.690613] Freed by task 7416:
[ 48.693876] save_stack+0x32/0xa0
[ 48.697371] kasan_slab_free+0x75/0xc0
[ 48.701234] kfree+0xcb/0x260
[ 48.704329] __sk_destruct+0x4f6/0x640
[ 48.708200] sk_destruct+0x97/0xc0
[ 48.711717] __sk_free+0x4c/0x220
[ 48.715148] sk_free+0x2b/0x40
[ 48.718320] pppol2tp_release+0x26a/0x2f0
[ 48.722444] __sock_release+0xcd/0x2b0
[ 48.726323] sock_close+0x15/0x20
[ 48.729753] __fput+0x25f/0x790
[ 48.733008] task_work_run+0x113/0x190
[ 48.736877] exit_to_usermode_loop+0x1d6/0x220
[ 48.741451] do_syscall_64+0x4a3/0x640
[ 48.745322] entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 48.750486]
[ 48.752092] The buggy address belongs to the object at ffff8880a98f62c0
[ 48.752092] which belongs to the cache kmalloc-2048 of size 2048
[ 48.764937] The buggy address is located 140 bytes inside of
[ 48.764937] 2048-byte region [ffff8880a98f62c0, ffff8880a98f6ac0)
[ 48.776873] The buggy address belongs to the page:
[ 48.781781] page:ffffea0002a63d80 count:1 mapcount:0 mapping:ffff8880a98f62c0 index:0x0 compound_mapcount: 0
[ 48.791771] flags: 0xfffe0000008100(slab|head)
[ 48.796335] raw: 00fffe0000008100 ffff8880a98f62c0 0000000000000000 0000000100000003
[ 48.804242] raw: ffffea000295b320 ffffea0001fb34a0 ffff88812fe56c40 0000000000000000
[ 48.812103] page dumped because: kasan: bad access detected
[ 48.817791]
[ 48.819426] Memory state around the buggy address:
[ 48.824336] ffff8880a98f6200: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 48.831736] ffff8880a98f6280: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
[ 48.839085] >ffff8880a98f6300: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 48.846460] ^
[ 48.852149] ffff8880a98f6380: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 48.859553] ffff8880a98f6400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 48.866930] ==================================================================
[ 48.874327] Kernel panic - not syncing: panic_on_warn set ...
[ 48.874327]
[ 48.881684] CPU: 0 PID: 7416 Comm: syz-executor.0 Tainted: G B 4.14.171-syzkaller #0
[ 48.890678] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 48.900014] Call Trace:
[ 48.902639] dump_stack+0x13e/0x194
[ 48.906298] panic+0x1f9/0x42d
[ 48.909470] ? add_taint.cold+0x16/0x16
[ 48.913431] ? do_raw_spin_lock+0x1e4/0x230
[ 48.917779] kasan_end_report+0x43/0x49
[ 48.921735] kasan_report.cold+0x12f/0x2ae
[ 48.925956] do_raw_spin_lock+0x1e4/0x230
[ 48.930094] release_sock+0x1b/0x1b0
[ 48.933823] pppol2tp_release+0x219/0x2f0
[ 48.938002] __sock_release+0xcd/0x2b0
[ 48.941873] ? __sock_release+0x2b0/0x2b0
[ 48.945995] sock_close+0x15/0x20
[ 48.949442] __fput+0x25f/0x790
[ 48.952706] task_work_run+0x113/0x190
[ 48.956578] exit_to_usermode_loop+0x1d6/0x220
[ 48.961143] do_syscall_64+0x4a3/0x640
[ 48.965078] entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 48.970333] RIP: 0033:0x45c479
[ 48.973507] RSP: 002b:00007f9351ec1c78 EFLAGS: 00000246 ORIG_RAX: 000000000000002a
[ 48.981194] RAX: 0000000000000000 RBX: 00007f9351ec26d4 RCX: 000000000045c479
[ 48.988447] RDX: 000000000000002e RSI: 0000000020000000 RDI: 0000000000000004
[ 48.995698] RBP: 000000000076bf20 R08: 0000000000000000 R09: 0000000000000000
[ 49.002961] R10: 0000000000000000 R11: 0000000000000246 R12: 00000000ffffffff
[ 49.010217] R13: 000000000000008d R14: 00000000004c2e4e R15: 000000000076bf2c
[ 49.018103] Kernel Offset: disabled
[ 49.021724] Rebooting in 86400 seconds..