Debian GNU/Linux 7 syzkaller ttyS0
syzkaller login: [ 44.705439] audit: type=1400 audit(1518012200.395:7): avc: denied { map } for pid=4146 comm="syz-fuzzer" path="/root/syz-fuzzer" dev="sda1" ino=16479 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
[ 44.957148] audit: type=1400 audit(1518012200.647:8): avc: denied { map } for pid=4146 comm="syz-fuzzer" path="/sys/kernel/debug/kcov" dev="debugfs" ino=8946 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:debugfs_t:s0 tclass=file permissive=1
[ 46.496597] can: request_module (can-proto-0) failed.
[ 46.505667] can: request_module (can-proto-0) failed.
[ 46.896516] audit: type=1400 audit(1518012202.586:9): avc: denied { map } for pid=4146 comm="syz-fuzzer" path="/root/syzkaller-shm699059399" dev="sda1" ino=16481 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:file_t:s0 tclass=file permissive=1
[ 47.149449] IPv6: ADDRCONF(NETDEV_UP): bridge0: link is not ready
[ 47.530093] audit: type=1400 audit(1518012203.219:10): avc: denied { sys_admin } for pid=4186 comm="syz-executor0" capability=21 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=cap_userns permissive=1
[ 47.558389] audit: type=1400 audit(1518012203.248:11): avc: denied { sys_chroot } for pid=4313 comm="syz-executor0" capability=18 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=cap_userns permissive=1
Warning: Permanently added '10.128.15.230' (ECDSA) to the list of known hosts.
2018/02/07 14:03:43 parsed 1 programs
2018/02/07 14:03:43 executed programs: 0
[ 67.957120] ==================================================================
[ 67.964548] BUG: KASAN: use-after-free in pppol2tp_put_sk+0xa8/0xb0
[ 67.970927] Read of size 8 at addr ffff8801cdf5b4c8 by task syz-executor3/4335
[ 67.978256]
[ 67.979864] CPU: 0 PID: 4335 Comm: syz-executor3 Not tainted 4.15.0+ #28
[ 67.986679] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 67.996004] Call Trace:
[ 67.998559] <IRQ>
[ 68.000682] dump_stack+0x194/0x257
[ 68.004285] ? arch_local_irq_restore+0x53/0x53
[ 68.008928] ? show_regs_print_info+0x18/0x18
[ 68.013400] ? pppol2tp_put_sk+0xa8/0xb0
[ 68.017436] print_address_description+0x73/0x250
[ 68.022257] ? pppol2tp_put_sk+0xa8/0xb0
[ 68.026291] kasan_report+0x25b/0x340
[ 68.030063] ? pppol2tp_seq_start+0x4e0/0x4e0
[ 68.034531] __asan_report_load8_noabort+0x14/0x20
[ 68.039430] pppol2tp_put_sk+0xa8/0xb0
[ 68.043289] rcu_process_callbacks+0xd6c/0x17f0
[ 68.047943] ? note_gp_changes+0x650/0x650
[ 68.052148] ? timerqueue_add+0x1e9/0x280
[ 68.056268] ? check_noncircular+0x20/0x20
[ 68.060475] ? enqueue_hrtimer+0x177/0x4b0
[ 68.064678] ? lock_release+0xa40/0xa40
[ 68.068626] ? __lock_is_held+0xb6/0x140
[ 68.072664] ? print_irqtrace_events+0x270/0x270
[ 68.077391] ? check_noncircular+0x20/0x20
[ 68.081601] ? clockevents_program_event+0x163/0x2e0
[ 68.086676] ? lock_downgrade+0x980/0x980
[ 68.090803] ? __lock_is_held+0xb6/0x140
[ 68.094850] __do_softirq+0x2d7/0xb85
[ 68.098621] ? ktime_get+0x26f/0x3a0
[ 68.102313] ? __irqentry_text_end+0x1f8d44/0x1f8d44
[ 68.107390] ? check_noncircular+0x20/0x20
[ 68.111595] ? native_apic_msr_write+0x5c/0x80
[ 68.116150] ? lapic_next_event+0x54/0x80
[ 68.120278] ? tick_program_event+0x83/0x100
[ 68.124666] ? __lock_is_held+0xb6/0x140
[ 68.128718] irq_exit+0x1cc/0x200
[ 68.132144] smp_apic_timer_interrupt+0x16b/0x700
[ 68.136956] ? smp_reschedule_interrupt+0xe6/0x670
[ 68.141857] ? smp_call_function_single_interrupt+0x640/0x640
[ 68.147714] ? _raw_spin_lock+0x32/0x40
[ 68.151661] ? _raw_spin_unlock+0x22/0x30
[ 68.155784] ? handle_edge_irq+0x2b4/0x7c0
[ 68.159990] ? task_prio+0x40/0x40
[ 68.163513] ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 68.168333] apic_timer_interrupt+0xa9/0xb0
[ 68.172622] </IRQ>
[ 68.174833] RIP: 0010:ext4_generic_delete_entry+0x0/0x470
[ 68.180341] RSP: 0018:ffff8801ac8e7bf0 EFLAGS: 00000246 ORIG_RAX: ffffffffffffff11
[ 68.188017] RAX: 0000000000000000 RBX: ffff8801d0a0e770 RCX: ffff8801a8a701f8
[ 68.195264] RDX: ffff8801bcc20018 RSI: ffff8801d0a0e770 RDI: ffff8801a8982940
[ 68.202504] RBP: ffff8801ac8e7ca0 R08: ffff8801bcc20000 R09: 0000000000001000
[ 68.209742] R10: ffff8801ac8e79d0 R11: 0000000000000004 R12: 1ffff1003591cf83
[ 68.216980] R13: ffff8801a8a701f8 R14: ffff8801a8982940 R15: ffff8801d0a0e798
[ 68.224239] ? ext4_delete_entry+0x242/0x540
[ 68.228620] ? ext4_generic_delete_entry+0x470/0x470
[ 68.233698] ? __might_sleep+0x95/0x190
[ 68.237651] ext4_rmdir+0x5fa/0xdc0
[ 68.241253] ? ext4_rename2+0x1f0/0x1f0
[ 68.245196] ? path_has_submounts+0x1a0/0x1a0
[ 68.249662] ? down_write+0x87/0x120
[ 68.253343] ? vfs_rmdir+0xd6/0x410
[ 68.256950] vfs_rmdir+0x216/0x410
[ 68.260462] do_rmdir+0x4c8/0x5f0
[ 68.263889] ? user_path_create+0x40/0x40
[ 68.268011] ? syscall_return_slowpath+0x2ad/0x550
[ 68.272912] ? entry_SYSCALL_64_fastpath+0x5/0xa0
[ 68.277734] ? trace_hardirqs_on_caller+0x421/0x5c0
[ 68.282721] ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 68.287451] SyS_rmdir+0x1a/0x20
[ 68.290786] entry_SYSCALL_64_fastpath+0x29/0xa0
[ 68.295518] RIP: 0033:0x452c77
[ 68.298680] RSP: 002b:00007ffc113fcbb8 EFLAGS: 00000206 ORIG_RAX: 0000000000000054
[ 68.306356] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 0000000000452c77
[ 68.313596] RDX: 0000000000000000 RSI: 00007ffc113fdcb0 RDI: 00007ffc113fdcb0
[ 68.320839] RBP: 00007ffc113fdcb0 R08: 0000000000000001 R09: 0000000000000001
[ 68.328078] R10: 0000000000000000 R11: 0000000000000206 R12: 0000000002446940
[ 68.335315] R13: 0000000000000000 R14: 0000000000010961 R15: 0000000000000001
[ 68.342572]
[ 68.344169] Allocated by task 4352:
[ 68.347767] save_stack+0x43/0xd0
[ 68.351189] kasan_kmalloc+0xad/0xe0
[ 68.354868] __kmalloc+0x162/0x760
[ 68.358378] l2tp_session_create+0x100/0xe50
[ 68.362760] pppol2tp_session_prep+0x2fc/0xa40
[ 68.367312] pppol2tp_connect+0x74a/0x1550
[ 68.371517] SYSC_connect+0x213/0x4a0
[ 68.375291] SyS_connect+0x24/0x30
[ 68.378807] entry_SYSCALL_64_fastpath+0x29/0xa0
[ 68.383538]
[ 68.385137] Freed by task 4335:
[ 68.388387] save_stack+0x43/0xd0
[ 68.391811] kasan_slab_free+0x71/0xc0
[ 68.395673] kfree+0xd6/0x260
[ 68.398746] pppol2tp_put_sk+0x4c/0xb0
[ 68.402602] rcu_process_callbacks+0xd6c/0x17f0
[ 68.407242] __do_softirq+0x2d7/0xb85
[ 68.411009]
[ 68.412609] The buggy address belongs to the object at ffff8801cdf5b240
[ 68.412609] which belongs to the cache kmalloc-1024 of size 1024
[ 68.425406] The buggy address is located 648 bytes inside of
[ 68.425406] 1024-byte region [ffff8801cdf5b240, ffff8801cdf5b640)
[ 68.437331] The buggy address belongs to the page:
[ 68.442228] page:ffffea000737d680 count:1 mapcount:0 mapping:ffff8801cdf5a040 index:0x0 compound_mapcount: 0
[ 68.452167] flags: 0x2fffc0000008100(slab|head)
[ 68.456809] raw: 02fffc0000008100 ffff8801cdf5a040 0000000000000000 0000000100000007
[ 68.464661] raw: ffffea0007340ba0 ffffea0006a61620 ffff8801db000ac0 0000000000000000
[ 68.472508] page dumped because: kasan: bad access detected
[ 68.478185]
[ 68.479781] Memory state around the buggy address:
[ 68.484678] ffff8801cdf5b380: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 68.492005] ffff8801cdf5b400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 68.499333] >ffff8801cdf5b480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 68.506660] ^
[ 68.512337] ffff8801cdf5b500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 68.519665] ffff8801cdf5b580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 68.526990] ==================================================================
[ 68.534326] Disabling lock debugging due to kernel taint
[ 68.539793] Kernel panic - not syncing: panic_on_warn set ...
[ 68.539793]
[ 68.547126] CPU: 0 PID: 4335 Comm: syz-executor3 Tainted: G B 4.15.0+ #28
[ 68.555234] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 68.564554] Call Trace:
[ 68.567107] <IRQ>
[ 68.569229] dump_stack+0x194/0x257
[ 68.572829] ? arch_local_irq_restore+0x53/0x53
[ 68.577468] ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 68.582194] ? vsnprintf+0x1ed/0x1900
[ 68.585965] ? pppol2tp_seq_start+0x4e0/0x4e0
[ 68.590432] panic+0x1e4/0x41c
[ 68.593593] ? refcount_error_report+0x214/0x214
[ 68.598318] ? add_taint+0x1c/0x50
[ 68.601827] ? add_taint+0x1c/0x50
[ 68.605338] ? pppol2tp_put_sk+0xa8/0xb0
[ 68.609371] kasan_end_report+0x50/0x50
[ 68.613312] kasan_report+0x144/0x340
[ 68.617079] ? pppol2tp_seq_start+0x4e0/0x4e0
[ 68.621544] __asan_report_load8_noabort+0x14/0x20
[ 68.626439] pppol2tp_put_sk+0xa8/0xb0
[ 68.630297] rcu_process_callbacks+0xd6c/0x17f0
[ 68.634938] ? note_gp_changes+0x650/0x650
[ 68.639140] ? timerqueue_add+0x1e9/0x280
[ 68.643259] ? check_noncircular+0x20/0x20
[ 68.647462] ? enqueue_hrtimer+0x177/0x4b0
[ 68.651663] ? lock_release+0xa40/0xa40
[ 68.655608] ? __lock_is_held+0xb6/0x140
[ 68.659639] ? print_irqtrace_events+0x270/0x270
[ 68.664361] ? check_noncircular+0x20/0x20
[ 68.668566] ? clockevents_program_event+0x163/0x2e0
[ 68.673651] ? lock_downgrade+0x980/0x980
[ 68.677779] ? __lock_is_held+0xb6/0x140
[ 68.681827] __do_softirq+0x2d7/0xb85
[ 68.685594] ? ktime_get+0x26f/0x3a0
[ 68.689281] ? __irqentry_text_end+0x1f8d44/0x1f8d44
[ 68.694353] ? check_noncircular+0x20/0x20
[ 68.698556] ? native_apic_msr_write+0x5c/0x80
[ 68.703635] ? lapic_next_event+0x54/0x80
[ 68.707767] ? tick_program_event+0x83/0x100
[ 68.712147] ? __lock_is_held+0xb6/0x140
[ 68.716180] irq_exit+0x1cc/0x200
[ 68.719603] smp_apic_timer_interrupt+0x16b/0x700
[ 68.724412] ? smp_reschedule_interrupt+0xe6/0x670
[ 68.729308] ? smp_call_function_single_interrupt+0x640/0x640
[ 68.735162] ? _raw_spin_lock+0x32/0x40
[ 68.739107] ? _raw_spin_unlock+0x22/0x30
[ 68.743224] ? handle_edge_irq+0x2b4/0x7c0
[ 68.747437] ? task_prio+0x40/0x40
[ 68.750951] ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 68.755762] apic_timer_interrupt+0xa9/0xb0
[ 68.760050] </IRQ>
[ 68.762259] RIP: 0010:ext4_generic_delete_entry+0x0/0x470
[ 68.767760] RSP: 0018:ffff8801ac8e7bf0 EFLAGS: 00000246 ORIG_RAX: ffffffffffffff11
[ 68.775435] RAX: 0000000000000000 RBX: ffff8801d0a0e770 RCX: ffff8801a8a701f8
[ 68.782671] RDX: ffff8801bcc20018 RSI: ffff8801d0a0e770 RDI: ffff8801a8982940
[ 68.789908] RBP: ffff8801ac8e7ca0 R08: ffff8801bcc20000 R09: 0000000000001000
[ 68.797144] R10: ffff8801ac8e79d0 R11: 0000000000000004 R12: 1ffff1003591cf83
[ 68.804380] R13: ffff8801a8a701f8 R14: ffff8801a8982940 R15: ffff8801d0a0e798
[ 68.811629] ? ext4_delete_entry+0x242/0x540
[ 68.816005] ? ext4_generic_delete_entry+0x470/0x470
[ 68.821074] ? __might_sleep+0x95/0x190
[ 68.825016] ext4_rmdir+0x5fa/0xdc0
[ 68.828613] ? ext4_rename2+0x1f0/0x1f0
[ 68.832561] ? path_has_submounts+0x1a0/0x1a0
[ 68.837026] ? down_write+0x87/0x120
[ 68.840716] ? vfs_rmdir+0xd6/0x410
[ 68.844315] vfs_rmdir+0x216/0x410
[ 68.847822] do_rmdir+0x4c8/0x5f0
[ 68.851244] ? user_path_create+0x40/0x40
[ 68.855361] ? syscall_return_slowpath+0x2ad/0x550
[ 68.860260] ? entry_SYSCALL_64_fastpath+0x5/0xa0
[ 68.865070] ? trace_hardirqs_on_caller+0x421/0x5c0
[ 68.870052] ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 68.874775] SyS_rmdir+0x1a/0x20
[ 68.878111] entry_SYSCALL_64_fastpath+0x29/0xa0
[ 68.882834] RIP: 0033:0x452c77
[ 68.885994] RSP: 002b:00007ffc113fcbb8 EFLAGS: 00000206 ORIG_RAX: 0000000000000054
[ 68.893666] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 0000000000452c77
[ 68.900903] RDX: 0000000000000000 RSI: 00007ffc113fdcb0 RDI: 00007ffc113fdcb0
[ 68.908142] RBP: 00007ffc113fdcb0 R08: 0000000000000001 R09: 0000000000000001
[ 68.915380] R10: 0000000000000000 R11: 0000000000000206 R12: 0000000002446940
[ 68.922617] R13: 0000000000000000 R14: 0000000000010961 R15: 0000000000000001
[ 68.930244] Dumping ftrace buffer:
[ 68.933751] (ftrace buffer empty)
[ 68.937429] Kernel Offset: disabled
[ 68.941025] Rebooting in 86400 seconds..