syzkaller login: [ 42.546451] audit: type=1400 audit(1518013154.554:7): avc: denied { map } for pid=4190 comm="syz-fuzzer" path="/root/syz-fuzzer" dev="sda1" ino=16479 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
[ 42.822972] audit: type=1400 audit(1518013154.830:8): avc: denied { map } for pid=4190 comm="syz-fuzzer" path="/sys/kernel/debug/kcov" dev="debugfs" ino=9006 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:debugfs_t:s0 tclass=file permissive=1
[ 44.378100] can: request_module (can-proto-0) failed.
[ 44.387180] can: request_module (can-proto-0) failed.
[ 44.808190] audit: type=1400 audit(1518013156.815:9): avc: denied { map } for pid=4190 comm="syz-fuzzer" path="/root/syzkaller-shm529727169" dev="sda1" ino=16481 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:file_t:s0 tclass=file permissive=1
[ 44.833691] audit: type=1400 audit(1518013156.817:10): avc: denied { sys_admin } for pid=4230 comm="syz-executor0" capability=21 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=cap_userns permissive=1
[ 44.834550] IPVS: ftp: loaded support on port[0] = 21
[ 44.881420] audit: type=1400 audit(1518013156.889:11): avc: denied { net_admin } for pid=4231 comm="syz-executor0" capability=12 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=cap_userns permissive=1
[ 45.110559] IPv6: ADDRCONF(NETDEV_UP): bridge0: link is not ready
[ 45.514374] audit: type=1400 audit(1518013157.522:12): avc: denied { sys_chroot } for pid=4231 comm="syz-executor0" capability=18 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=cap_userns permissive=1
Warning: Permanently added '10.128.15.194' (ECDSA) to the list of known hosts.
2018/02/07 14:19:24 parsed 1 programs
2018/02/07 14:19:24 executed programs: 0
[ 52.110729] IPVS: ftp: loaded support on port[0] = 21
[ 52.149427] IPVS: ftp: loaded support on port[0] = 21
[ 52.172126] ==================================================================
[ 52.179605] BUG: KASAN: use-after-free in pppol2tp_put_sk+0xa8/0xb0
[ 52.186005] Read of size 8 at addr ffff8801ccf9a708 by task syz-executor/4399
[ 52.193266]
[ 52.194885] CPU: 0 PID: 4399 Comm: syz-executor Not tainted 4.15.0+ #30
[ 52.200624] IPVS: ftp: loaded support on port[0] = 21
[ 52.201620] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 52.201626] Call Trace:
[ 52.201630]
[ 52.201643] dump_stack+0x194/0x257
[ 52.201669] ? arch_local_irq_restore+0x53/0x53
[ 52.229129] ? show_regs_print_info+0x18/0x18
[ 52.233630] ? pppol2tp_put_sk+0xa8/0xb0
[ 52.237689] print_address_description+0x73/0x250
[ 52.242529] ? pppol2tp_put_sk+0xa8/0xb0
[ 52.246590] kasan_report+0x25b/0x340
[ 52.250389] ? pppol2tp_seq_start+0x4e0/0x4e0
[ 52.255231] __asan_report_load8_noabort+0x14/0x20
[ 52.260153] pppol2tp_put_sk+0xa8/0xb0
[ 52.264044] rcu_process_callbacks+0xd6c/0x17f0
[ 52.268729] ? note_gp_changes+0x650/0x650
[ 52.270821] IPVS: ftp: loaded support on port[0] = 21
[ 52.272952] ? timerqueue_add+0x1e9/0x280
[ 52.272968] ? check_noncircular+0x20/0x20
[ 52.272982] ? enqueue_hrtimer+0x177/0x4b0
[ 52.272989] ? lock_release+0xa40/0xa40
[ 52.273008] ? rcu_pm_notify+0xc0/0xc0
[ 52.298665] ? find_held_lock+0x35/0x1d0
[ 52.302738] ? clockevents_program_event+0x163/0x2e0
[ 52.307835] ? lock_downgrade+0x980/0x980
[ 52.311988] ? rcu_pm_notify+0xc0/0xc0
[ 52.315889] __do_softirq+0x2d7/0xb85
[ 52.319679] ? ktime_get+0x26f/0x3a0
[ 52.323403] ? __irqentry_text_end+0x1f8d44/0x1f8d44
[ 52.324158] IPVS: ftp: loaded support on port[0] = 21
[ 52.328495] ? do_timer+0x50/0x50
[ 52.328508] ? native_apic_msr_write+0x5c/0x80
[ 52.328520] ? lapic_next_event+0x54/0x80
[ 52.328541] ? tick_program_event+0x83/0x100
[ 52.328557] ? rcu_pm_notify+0xc0/0xc0
[ 52.328582] irq_exit+0x1cc/0x200
[ 52.357550] smp_apic_timer_interrupt+0x16b/0x700
[ 52.362388] ? smp_reschedule_interrupt+0xe6/0x670
[ 52.367311] ? smp_call_function_single_interrupt+0x640/0x640
[ 52.373188] ? _raw_spin_lock+0x32/0x40
[ 52.377166] ? _raw_spin_unlock+0x22/0x30
[ 52.381309] ? handle_edge_irq+0x2b4/0x7c0
[ 52.385537] ? task_prio+0x40/0x40
[ 52.389091] ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 52.393933] ? remove_vma+0x162/0x1b0
[ 52.397729] apic_timer_interrupt+0xa9/0xb0
[ 52.402035]
[ 52.404270] RIP: 0010:kmem_cache_free+0x17c/0x2a0
[ 52.409098] RSP: 0018:ffff8801ad8ef218 EFLAGS: 00000282 ORIG_RAX: ffffffffffffff11
[ 52.416885] RAX: 0000000000000007 RBX: ffff8801cf52a630 RCX: 0000000000000000
[ 52.424146] RDX: 0000000000000000 RSI: 0000000000000001 RDI: 0000000000000282
[ 52.431411] RBP: ffff8801ad8ef238 R08: 0000000000000000 R09: 0000000000000000
[ 52.438676] R10: 0000000000000000 R11: 0000000000000000 R12: ffff8801da9c1840
[ 52.445938] R13: 0000000000000282 R14: ffffffff819e1652 R15: 000000000000104a
[ 52.448464] IPVS: ftp: loaded support on port[0] = 21
[ 52.453203] ? remove_vma+0x162/0x1b0
[ 52.453243] remove_vma+0x162/0x1b0
[ 52.453255] exit_mmap+0x311/0x500
[ 52.469360] ? SyS_munmap+0x30/0x30
[ 52.473013] ? __might_sleep+0x95/0x190
[ 52.477007] mmput+0x223/0x6c0
[ 52.480205] ? get_task_exe_file+0xc0/0xc0
[ 52.484442] ? is_current_pgrp_orphaned+0xa0/0xa0
[ 52.489280] ? do_exit+0x8fa/0x1ad0
[ 52.492906] ? lock_downgrade+0x980/0x980
[ 52.497068] ? mark_held_locks+0xaf/0x100
[ 52.501312] ? do_raw_spin_trylock+0x190/0x190
[ 52.505224] IPVS: ftp: loaded support on port[0] = 21
[ 52.505889] ? trace_hardirqs_on_caller+0x421/0x5c0
[ 52.516096] ? trace_hardirqs_on+0xd/0x10
[ 52.520254] do_exit+0x90a/0x1ad0
[ 52.523716] ? mm_update_next_owner+0x930/0x930
[ 52.528386] ? debug_check_no_locks_freed+0x3c0/0x3c0
[ 52.533572] ? __might_sleep+0x95/0x190
[ 52.537550] ? find_held_lock+0x35/0x1d0
[ 52.541629] ? lock_downgrade+0x980/0x980
[ 52.545777] ? __unqueue_futex+0x1c0/0x290
[ 52.550005] ? lock_release+0xa40/0xa40
[ 52.553977] ? fault_in_user_writeable+0x90/0x90
[ 52.556275] IPVS: ftp: loaded support on port[0] = 21
[ 52.558721] ? do_raw_spin_trylock+0x190/0x190
[ 52.558732] ? futex_wake+0x680/0x680
[ 52.558751] ? mmdrop+0x18/0x30
[ 52.558760] ? check_noncircular+0x20/0x20
[ 52.558770] ? futex_wait+0x6a9/0x9a0
[ 52.583554] ? memset+0x31/0x40
[ 52.586838] ? find_held_lock+0x35/0x1d0
[ 52.590910] ? get_signal+0x7a9/0x16d0
[ 52.594792] ? lock_downgrade+0x980/0x980
[ 52.599043] do_group_exit+0x149/0x400
[ 52.602929] ? do_raw_spin_trylock+0x190/0x190
[ 52.607767] ? SyS_exit+0x30/0x30
[ 52.611220] ? _raw_spin_unlock_irq+0x27/0x70
[ 52.615715] ? trace_hardirqs_on_caller+0x421/0x5c0
[ 52.620733] get_signal+0x73a/0x16d0
[ 52.624458] ? ptrace_notify+0x130/0x130
[ 52.628524] ? exit_robust_list+0x240/0x240
[ 52.632854] ? __sched_text_start+0x8/0x8
[ 52.637001] ? handle_mm_fault+0x2a0/0x930
[ 52.641243] ? find_held_lock+0x35/0x1d0
[ 52.645304] do_signal+0x90/0x1eb0
[ 52.648841] ? __do_page_fault+0x5f7/0xc90
[ 52.653076] ? lock_downgrade+0x980/0x980
[ 52.657224] ? setup_sigcontext+0x7d0/0x7d0
[ 52.661549] ? handle_mm_fault+0x476/0x930
[ 52.665779] ? down_read_trylock+0xdb/0x170
[ 52.670107] ? schedule+0xf5/0x430
[ 52.673651] ? vmacache_update+0xfe/0x130
[ 52.677794] ? __schedule+0x2060/0x2060
[ 52.681778] ? exit_to_usermode_loop+0x8c/0x2f0
[ 52.686428] exit_to_usermode_loop+0x258/0x2f0
[ 52.690987] ? trace_event_raw_event_sys_exit+0x260/0x260
[ 52.696509] syscall_return_slowpath+0x490/0x550
[ 52.701249] ? prepare_exit_to_usermode+0x340/0x340
[ 52.706256] ? entry_SYSCALL_64_fastpath+0x73/0xa0
[ 52.711182] ? trace_hardirqs_on_caller+0x421/0x5c0
[ 52.716174] ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 52.720911] entry_SYSCALL_64_fastpath+0x9e/0xa0
[ 52.725636] RIP: 0033:0x453299
[ 52.728800] RSP: 002b:00007fc49a74ece8 EFLAGS: 00000246 ORIG_RAX: 00000000000000ca
[ 52.736480] RAX: fffffffffffffe00 RBX: 000000000071bf80 RCX: 0000000000453299
[ 52.743720] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 000000000071bf80
[ 52.750959] RBP: 000000000071bf80 R08: 0000000000000000 R09: 000000000071bf58
[ 52.758207] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
[ 52.765450] R13: 00007fff45cc9fdf R14: 00007fc49a74f9c0 R15: 0000000000000002
[ 52.772709]
[ 52.774311] Allocated by task 4389:
[ 52.777916] save_stack+0x43/0xd0
[ 52.781343] kasan_kmalloc+0xad/0xe0
[ 52.785036] __kmalloc+0x162/0x760
[ 52.788549] l2tp_session_create+0x100/0xe50
[ 52.792926] pppol2tp_session_prep+0x2fc/0xa40
[ 52.797486] pppol2tp_connect+0x74a/0x1550
[ 52.801694] SYSC_connect+0x213/0x4a0
[ 52.805464] SyS_connect+0x24/0x30
[ 52.808975] entry_SYSCALL_64_fastpath+0x29/0xa0
[ 52.813696]
[ 52.815295] Freed by task 4399:
[ 52.818547] save_stack+0x43/0xd0
[ 52.821979] kasan_slab_free+0x71/0xc0
[ 52.825838] kfree+0xd6/0x260
[ 52.828915] pppol2tp_put_sk+0x4c/0xb0
[ 52.832777] rcu_process_callbacks+0xd6c/0x17f0
[ 52.837418] __do_softirq+0x2d7/0xb85
[ 52.841186]
[ 52.842788] The buggy address belongs to the object at ffff8801ccf9a480
[ 52.842788] which belongs to the cache kmalloc-1024 of size 1024
[ 52.855593] The buggy address is located 648 bytes inside of
[ 52.855593] 1024-byte region [ffff8801ccf9a480, ffff8801ccf9a880)
[ 52.867523] The buggy address belongs to the page:
[ 52.872435] page:ffffea000733e680 count:1 mapcount:0 mapping:ffff8801ccf9a000 index:0x0 compound_mapcount: 0
[ 52.882385] flags: 0x2fffc0000008100(slab|head)
[ 52.887033] raw: 02fffc0000008100 ffff8801ccf9a000 0000000000000000 0000000100000007
[ 52.894888] raw: ffffea00073221a0 ffffea0007321b20 ffff8801db000ac0 0000000000000000
[ 52.902743] page dumped because: kasan: bad access detected
[ 52.908426]
[ 52.910032] Memory state around the buggy address:
[ 52.914941] ffff8801ccf9a600: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 52.922269] ffff8801ccf9a680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 52.929597] >ffff8801ccf9a700: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 52.936925] ^
[ 52.940525] ffff8801ccf9a780: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 52.947855] ffff8801ccf9a800: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 52.955181] ==================================================================
[ 52.962523] Disabling lock debugging due to kernel taint
[ 52.967977] Kernel panic - not syncing: panic_on_warn set ...
[ 52.967977]
[ 52.975325] CPU: 0 PID: 4399 Comm: syz-executor Tainted: G B 4.15.0+ #30
[ 52.983349] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 52.992672] Call Trace:
[ 52.995236]
[ 52.997376] dump_stack+0x194/0x257
[ 53.000975] ? arch_local_irq_restore+0x53/0x53
[ 53.005626] ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 53.010351] ? vsnprintf+0x1ed/0x1900
[ 53.014127] ? pppol2tp_seq_start+0x4b0/0x4e0
[ 53.018593] panic+0x1e4/0x41c
[ 53.021754] ? refcount_error_report+0x214/0x214
[ 53.026481] ? add_taint+0x1c/0x50
[ 53.029992] ? add_taint+0x1c/0x50
[ 53.033511] ? pppol2tp_put_sk+0xa8/0xb0
[ 53.037544] kasan_end_report+0x50/0x50
[ 53.041487] kasan_report+0x144/0x340
[ 53.045730] ? pppol2tp_seq_start+0x4e0/0x4e0
[ 53.050199] __asan_report_load8_noabort+0x14/0x20
[ 53.055107] pppol2tp_put_sk+0xa8/0xb0
[ 53.058975] rcu_process_callbacks+0xd6c/0x17f0
[ 53.063618] ? note_gp_changes+0x650/0x650
[ 53.067822] ? timerqueue_add+0x1e9/0x280
[ 53.071941] ? check_noncircular+0x20/0x20
[ 53.076147] ? enqueue_hrtimer+0x177/0x4b0
[ 53.080351] ? lock_release+0xa40/0xa40
[ 53.084297] ? rcu_pm_notify+0xc0/0xc0
[ 53.088156] ? find_held_lock+0x35/0x1d0
[ 53.092191] ? clockevents_program_event+0x163/0x2e0
[ 53.097266] ? lock_downgrade+0x980/0x980
[ 53.101386] ? rcu_pm_notify+0xc0/0xc0
[ 53.105251] __do_softirq+0x2d7/0xb85
[ 53.109033] ? ktime_get+0x26f/0x3a0
[ 53.112720] ? __irqentry_text_end+0x1f8d44/0x1f8d44
[ 53.117792] ? do_timer+0x50/0x50
[ 53.121215] ? native_apic_msr_write+0x5c/0x80
[ 53.125776] ? lapic_next_event+0x54/0x80
[ 53.129896] ? tick_program_event+0x83/0x100
[ 53.134275] ? rcu_pm_notify+0xc0/0xc0
[ 53.138141] irq_exit+0x1cc/0x200
[ 53.141566] smp_apic_timer_interrupt+0x16b/0x700
[ 53.146379] ? smp_reschedule_interrupt+0xe6/0x670
[ 53.151283] ? smp_call_function_single_interrupt+0x640/0x640
[ 53.157141] ? _raw_spin_lock+0x32/0x40
[ 53.161085] ? _raw_spin_unlock+0x22/0x30
[ 53.165201] ? handle_edge_irq+0x2b4/0x7c0
[ 53.169405] ? task_prio+0x40/0x40
[ 53.172923] ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 53.177742] ? remove_vma+0x162/0x1b0
[ 53.181515] apic_timer_interrupt+0xa9/0xb0
[ 53.185803]
[ 53.188030] RIP: 0010:kmem_cache_free+0x17c/0x2a0
[ 53.192839] RSP: 0018:ffff8801ad8ef218 EFLAGS: 00000282 ORIG_RAX: ffffffffffffff11
[ 53.200514] RAX: 0000000000000007 RBX: ffff8801cf52a630 RCX: 0000000000000000
[ 53.207753] RDX: 0000000000000000 RSI: 0000000000000001 RDI: 0000000000000282
[ 53.214994] RBP: ffff8801ad8ef238 R08: 0000000000000000 R09: 0000000000000000
[ 53.222250] R10: 0000000000000000 R11: 0000000000000000 R12: ffff8801da9c1840
[ 53.229490] R13: 0000000000000282 R14: ffffffff819e1652 R15: 000000000000104a
[ 53.236733] ? remove_vma+0x162/0x1b0
[ 53.240510] remove_vma+0x162/0x1b0
[ 53.244126] exit_mmap+0x311/0x500
[ 53.247635] ? SyS_munmap+0x30/0x30
[ 53.251240] ? __might_sleep+0x95/0x190
[ 53.255186] mmput+0x223/0x6c0
[ 53.258348] ? get_task_exe_file+0xc0/0xc0
[ 53.262553] ? is_current_pgrp_orphaned+0xa0/0xa0
[ 53.267362] ? do_exit+0x8fa/0x1ad0
[ 53.270959] ? lock_downgrade+0x980/0x980
[ 53.275079] ? mark_held_locks+0xaf/0x100
[ 53.279202] ? do_raw_spin_trylock+0x190/0x190
[ 53.283768] ? trace_hardirqs_on_caller+0x421/0x5c0
[ 53.288753] ? trace_hardirqs_on+0xd/0x10
[ 53.292875] do_exit+0x90a/0x1ad0
[ 53.296303] ? mm_update_next_owner+0x930/0x930
[ 53.300950] ? debug_check_no_locks_freed+0x3c0/0x3c0
[ 53.306140] ? __might_sleep+0x95/0x190
[ 53.310089] ? find_held_lock+0x35/0x1d0
[ 53.314125] ? lock_downgrade+0x980/0x980
[ 53.318243] ? __unqueue_futex+0x1c0/0x290
[ 53.322446] ? lock_release+0xa40/0xa40
[ 53.326396] ? fault_in_user_writeable+0x90/0x90
[ 53.331123] ? do_raw_spin_trylock+0x190/0x190
[ 53.335675] ? futex_wake+0x680/0x680
[ 53.339446] ? mmdrop+0x18/0x30
[ 53.342697] ? check_noncircular+0x20/0x20
[ 53.346909] ? futex_wait+0x6a9/0x9a0
[ 53.350683] ? memset+0x31/0x40
[ 53.353934] ? find_held_lock+0x35/0x1d0
[ 53.357968] ? get_signal+0x7a9/0x16d0
[ 53.361827] ? lock_downgrade+0x980/0x980
[ 53.365950] do_group_exit+0x149/0x400
[ 53.369809] ? do_raw_spin_trylock+0x190/0x190
[ 53.374363] ? SyS_exit+0x30/0x30
[ 53.377785] ? _raw_spin_unlock_irq+0x27/0x70
[ 53.382251] ? trace_hardirqs_on_caller+0x421/0x5c0
[ 53.387241] get_signal+0x73a/0x16d0
[ 53.390932] ? ptrace_notify+0x130/0x130
[ 53.394974] ? exit_robust_list+0x240/0x240
[ 53.399276] ? __sched_text_start+0x8/0x8
[ 53.403397] ? handle_mm_fault+0x2a0/0x930
[ 53.407610] ? find_held_lock+0x35/0x1d0
[ 53.411643] do_signal+0x90/0x1eb0
[ 53.415154] ? __do_page_fault+0x5f7/0xc90
[ 53.419361] ? lock_downgrade+0x980/0x980
[ 53.423479] ? setup_sigcontext+0x7d0/0x7d0
[ 53.427781] ? handle_mm_fault+0x476/0x930
[ 53.431984] ? down_read_trylock+0xdb/0x170
[ 53.436283] ? schedule+0xf5/0x430
[ 53.439794] ? vmacache_update+0xfe/0x130
[ 53.443914] ? __schedule+0x2060/0x2060
[ 53.447869] ? exit_to_usermode_loop+0x8c/0x2f0
[ 53.452511] exit_to_usermode_loop+0x258/0x2f0
[ 53.457066] ? trace_event_raw_event_sys_exit+0x260/0x260
[ 53.462577] syscall_return_slowpath+0x490/0x550
[ 53.467305] ? prepare_exit_to_usermode+0x340/0x340
[ 53.472309] ? entry_SYSCALL_64_fastpath+0x73/0xa0
[ 53.477214] ? trace_hardirqs_on_caller+0x421/0x5c0
[ 53.482204] ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 53.486943] entry_SYSCALL_64_fastpath+0x9e/0xa0
[ 53.491666] RIP: 0033:0x453299
[ 53.494825] RSP: 002b:00007fc49a74ece8 EFLAGS: 00000246 ORIG_RAX: 00000000000000ca
[ 53.502503] RAX: fffffffffffffe00 RBX: 000000000071bf80 RCX: 0000000000453299
[ 53.509749] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 000000000071bf80
[ 53.516992] RBP: 000000000071bf80 R08: 0000000000000000 R09: 000000000071bf58
[ 53.524234] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
[ 53.531473] R13: 00007fff45cc9fdf R14: 00007fc49a74f9c0 R15: 0000000000000002
[ 53.539167] Dumping ftrace buffer:
[ 53.542684] (ftrace buffer empty)
[ 53.546365] Kernel Offset: disabled
[ 53.549963] Rebooting in 86400 seconds..