[ 43.710604] audit: type=1400 audit(1518013542.423:7): avc: denied { map } for pid=4090 comm="syz-fuzzer" path="/root/syz-fuzzer" dev="sda1" ino=16479 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
[ 43.991596] audit: type=1400 audit(1518013542.704:8): avc: denied { map } for pid=4090 comm="syz-fuzzer" path="/sys/kernel/debug/kcov" dev="debugfs" ino=82 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:debugfs_t:s0 tclass=file permissive=1
[ 45.546718] can: request_module (can-proto-0) failed.
[ 45.556892] can: request_module (can-proto-0) failed.
[ 46.023816] audit: type=1400 audit(1518013544.735:9): avc: denied { map } for pid=4090 comm="syz-fuzzer" path="/root/syzkaller-shm370935752" dev="sda1" ino=16481 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:file_t:s0 tclass=file permissive=1
[ 46.051778] audit: type=1400 audit(1518013544.764:10): avc: denied { sys_admin } for pid=4130 comm="syz-executor0" capability=21 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=cap_userns permissive=1
[ 46.058747] IPVS: ftp: loaded support on port[0] = 21
[ 46.100834] audit: type=1400 audit(1518013544.813:11): avc: denied { net_admin } for pid=4131 comm="syz-executor0" capability=12 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=cap_userns permissive=1
[ 46.360302] IPv6: ADDRCONF(NETDEV_UP): bridge0: link is not ready
[ 46.800401] audit: type=1400 audit(1518013545.513:12): avc: denied { sys_chroot } for pid=4131 comm="syz-executor0" capability=18 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=cap_userns permissive=1
Warning: Permanently added '10.128.15.228' (ECDSA) to the list of known hosts.
2018/02/07 14:25:52 parsed 1 programs
2018/02/07 14:25:52 executed programs: 0
[ 53.808241] IPVS: ftp: loaded support on port[0] = 21
[ 53.854177] IPVS: ftp: loaded support on port[0] = 21
[ 53.879158] ==================================================================
[ 53.886678] BUG: KASAN: use-after-free in pppol2tp_put_sk+0xa8/0xb0
[ 53.893081] Read of size 8 at addr ffff8801c01b6708 by task syz-executor/4295
[ 53.894840] IPVS: ftp: loaded support on port[0] = 21
[ 53.900336]
[ 53.900348] CPU: 0 PID: 4295 Comm: syz-executor Not tainted 4.15.0+ #31
[ 53.900353] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 53.900357] Call Trace:
[ 53.900361]
[ 53.900376] dump_stack+0x194/0x257
[ 53.900390] ? arch_local_irq_restore+0x53/0x53
[ 53.900404] ? show_regs_print_info+0x18/0x18
[ 53.940726] ? pppol2tp_put_sk+0xa8/0xb0
[ 53.942842] IPVS: ftp: loaded support on port[0] = 21
[ 53.944789] print_address_description+0x73/0x250
[ 53.944803] ? pppol2tp_put_sk+0xa8/0xb0
[ 53.958856] kasan_report+0x25b/0x340
[ 53.962661] ? pppol2tp_seq_start+0x4e0/0x4e0
[ 53.967462] __asan_report_load8_noabort+0x14/0x20
[ 53.972395] pppol2tp_put_sk+0xa8/0xb0
[ 53.976284] rcu_process_callbacks+0xd6c/0x17f0
[ 53.980989] ? note_gp_changes+0x650/0x650
[ 53.985265] ? timerqueue_add+0x1e9/0x280
[ 53.988349] IPVS: ftp: loaded support on port[0] = 21
[ 53.989442] ? check_noncircular+0x20/0x20
[ 53.989459] ? enqueue_hrtimer+0x177/0x4b0
[ 54.003071] ? lock_release+0xa40/0xa40
[ 54.007052] ? rcu_pm_notify+0xc0/0xc0
[ 54.010944] ? find_held_lock+0x35/0x1d0
[ 54.015017] ? clockevents_program_event+0x163/0x2e0
[ 54.020119] ? lock_downgrade+0x980/0x980
[ 54.024281] ? rcu_pm_notify+0xc0/0xc0
[ 54.028248] __do_softirq+0x2d7/0xb85
[ 54.032043] ? ktime_get+0x26f/0x3a0
[ 54.033214] IPVS: ftp: loaded support on port[0] = 21
[ 54.035760] ? __irqentry_text_end+0x1f8d44/0x1f8d44
[ 54.035775] ? do_timer+0x50/0x50
[ 54.049485] ? native_apic_msr_write+0x5c/0x80
[ 54.054067] ? lapic_next_event+0x54/0x80
[ 54.058220] ? tick_program_event+0x83/0x100
[ 54.062633] ? rcu_pm_notify+0xc0/0xc0
[ 54.066535] irq_exit+0x1cc/0x200
[ 54.069987] smp_apic_timer_interrupt+0x16b/0x700
[ 54.074826] ? smp_reschedule_interrupt+0xe6/0x670
[ 54.079759] ? smp_call_function_single_interrupt+0x640/0x640
[ 54.085498] IPVS: ftp: loaded support on port[0] = 21
[ 54.085636] ? _raw_spin_lock+0x32/0x40
[ 54.094779] ? _raw_spin_unlock+0x22/0x30
[ 54.098929] ? handle_edge_irq+0x2b4/0x7c0
[ 54.103165] ? task_prio+0x40/0x40
[ 54.106731] ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 54.111592] apic_timer_interrupt+0xa9/0xb0
[ 54.115908]
[ 54.118141] RIP: 0033:0x40599b
[ 54.121322] RSP: 002b:00007fff06a24290 EFLAGS: 00000206 ORIG_RAX: ffffffffffffff11
[ 54.129024] RAX: 000000000000000d RBX: 0000000000000001 RCX: 0000000000000000
[ 54.136289] RDX: 0000000000000001 RSI: 000000000000000d RDI: 000000002076afdb
[ 54.143557] RBP: 0000000000000001 R08: 0000000000000000 R09: 000000000071bf58
[ 54.150825] R10: 0000000000000005 R11: 0000000000000246 R12: 0000000000000005
[ 54.158096] R13: fffffffffffffffe R14: 000000000071ca20 R15: ffffffffffffffff
[ 54.165389]
[ 54.167008] Allocated by task 4296:
[ 54.170635] save_stack+0x43/0xd0
[ 54.174088] kasan_kmalloc+0xad/0xe0
[ 54.177799] __kmalloc+0x162/0x760
[ 54.181334] l2tp_session_create+0x100/0xe50
[ 54.185740] pppol2tp_session_prep+0x2fc/0xa40
[ 54.190318] pppol2tp_connect+0x74a/0x1550
[ 54.194552] SYSC_connect+0x213/0x4a0
[ 54.198348] SyS_connect+0x24/0x30
[ 54.201887] entry_SYSCALL_64_fastpath+0x29/0xa0
[ 54.206633]
[ 54.208253] Freed by task 4295:
[ 54.211533] save_stack+0x43/0xd0
[ 54.215093] kasan_slab_free+0x71/0xc0
[ 54.219084] kfree+0xd6/0x260
[ 54.222185] pppol2tp_put_sk+0x4c/0xb0
[ 54.226072] rcu_process_callbacks+0xd6c/0x17f0
[ 54.230740] __do_softirq+0x2d7/0xb85
[ 54.234527]
[ 54.236153] The buggy address belongs to the object at ffff8801c01b6480
[ 54.236153] which belongs to the cache kmalloc-1024 of size 1024
[ 54.248980] The buggy address is located 648 bytes inside of
[ 54.248980] 1024-byte region [ffff8801c01b6480, ffff8801c01b6880)
[ 54.260939] The buggy address belongs to the page:
[ 54.265875] page:ffffea0007006d80 count:1 mapcount:0 mapping:ffff8801c01b6000 index:0x0 compound_mapcount: 0
[ 54.275496] IPVS: ftp: loaded support on port[0] = 21
[ 54.275846] flags: 0x2fffc0000008100(slab|head)
[ 54.285693] raw: 02fffc0000008100 ffff8801c01b6000 0000000000000000 0000000100000007
[ 54.293579] raw: ffffea0006dab8a0 ffffea0006f87820 ffff8801db000ac0 0000000000000000
[ 54.301457] page dumped because: kasan: bad access detected
[ 54.307162]
[ 54.308781] Memory state around the buggy address:
[ 54.313710] ffff8801c01b6600: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 54.321065] ffff8801c01b6680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 54.328423] >ffff8801c01b6700: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 54.335782]                       ^
[ 54.339535] ffff8801c01b6780: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 54.346895] ffff8801c01b6800: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 54.354275] ==================================================================
[ 54.361797] Disabling lock debugging due to kernel taint
[ 54.367266] Kernel panic - not syncing: panic_on_warn set ...
[ 54.367266]
[ 54.374622] CPU: 0 PID: 4295 Comm: syz-executor Tainted: G B 4.15.0+ #31
[ 54.382666] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 54.392028] Call Trace:
[ 54.394600]
[ 54.396751] dump_stack+0x194/0x257
[ 54.400375] ? arch_local_irq_restore+0x53/0x53
[ 54.405045] ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 54.409797] ? vsnprintf+0x1ed/0x1900
[ 54.413596] ? pppol2tp_seq_start+0x4b0/0x4e0
[ 54.418088] panic+0x1e4/0x41c
[ 54.421282] ? refcount_error_report+0x214/0x214
[ 54.426036] ? add_taint+0x1c/0x50
[ 54.429572] ? add_taint+0x1c/0x50
[ 54.433109] ? pppol2tp_put_sk+0xa8/0xb0
[ 54.437169] kasan_end_report+0x50/0x50
[ 54.441140] kasan_report+0x144/0x340
[ 54.444938] ? pppol2tp_seq_start+0x4e0/0x4e0
[ 54.449434] __asan_report_load8_noabort+0x14/0x20
[ 54.454361] pppol2tp_put_sk+0xa8/0xb0
[ 54.458249] rcu_process_callbacks+0xd6c/0x17f0
[ 54.462923] ? note_gp_changes+0x650/0x650
[ 54.467152] ? timerqueue_add+0x1e9/0x280
[ 54.471297] ? check_noncircular+0x20/0x20
[ 54.475540] ? enqueue_hrtimer+0x177/0x4b0
[ 54.480034] ? lock_release+0xa40/0xa40
[ 54.484009] ? rcu_pm_notify+0xc0/0xc0
[ 54.487896] ? find_held_lock+0x35/0x1d0
[ 54.491960] ? clockevents_program_event+0x163/0x2e0
[ 54.497058] ? lock_downgrade+0x980/0x980
[ 54.501209] ? rcu_pm_notify+0xc0/0xc0
[ 54.505118] __do_softirq+0x2d7/0xb85
[ 54.508913] ? ktime_get+0x26f/0x3a0
[ 54.512630] ? __irqentry_text_end+0x1f8d44/0x1f8d44
[ 54.517732] ? do_timer+0x50/0x50
[ 54.521183] ? native_apic_msr_write+0x5c/0x80
[ 54.525761] ? lapic_next_event+0x54/0x80
[ 54.529906] ? tick_program_event+0x83/0x100
[ 54.534325] ? rcu_pm_notify+0xc0/0xc0
[ 54.538219] irq_exit+0x1cc/0x200
[ 54.541681] smp_apic_timer_interrupt+0x16b/0x700
[ 54.546528] ? smp_reschedule_interrupt+0xe6/0x670
[ 54.551464] ? smp_call_function_single_interrupt+0x640/0x640
[ 54.557354] ? _raw_spin_lock+0x32/0x40
[ 54.561332] ? _raw_spin_unlock+0x22/0x30
[ 54.565478] ? handle_edge_irq+0x2b4/0x7c0
[ 54.569712] ? task_prio+0x40/0x40
[ 54.573259] ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 54.578105] apic_timer_interrupt+0xa9/0xb0
[ 54.582416]
[ 54.584647] RIP: 0033:0x40599b
[ 54.587831] RSP: 002b:00007fff06a24290 EFLAGS: 00000206 ORIG_RAX: ffffffffffffff11
[ 54.595527] RAX: 000000000000000d RBX: 0000000000000001 RCX: 0000000000000000
[ 54.602796] RDX: 0000000000000001 RSI: 000000000000000d RDI: 000000002076afdb
[ 54.610066] RBP: 0000000000000001 R08: 0000000000000000 R09: 000000000071bf58
[ 54.617334] R10: 0000000000000005 R11: 0000000000000246 R12: 0000000000000005
[ 54.624598] R13: fffffffffffffffe R14: 000000000071ca20 R15: ffffffffffffffff
[ 54.632310] Dumping ftrace buffer:
[ 54.635839] (ftrace buffer empty)
[ 54.639526] Kernel Offset: disabled
[ 54.643129] Rebooting in 86400 seconds..
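The KASAN block in the log above is what a triage script keys on, so here is one, written for this page as an added example (it is not syzkaller's, syzbot's or any kernel tool's code). It parses an abridged copy of the report constructed from the lines above (printk timestamps kept, one interleaved `IPVS:` line left in), recomputes the "located 648 bytes inside" offset from the faulting and object addresses, reads the shadow byte covering ffff8801c01b6708 and maps 0xfb to "freed kmalloc object", and takes the first frame below the allocator plumbing in the alloc and free stacks, which makes the shape of this bug explicit: the free stack reaches kfree from pppol2tp_put_sk, and the read that faults is in pppol2tp_put_sk too, both in the RCU callback path under rcu_process_callbacks. The shadow-byte table and the list of "plumbing" frame prefixes are assumptions about 4.15-era x86 KASAN and slab internals, not something the report states.

```python
import re

# Constructed sample: an abridged copy of the KASAN report from the console log
# above. printk timestamps are kept and one interleaved IPVS line is left in to
# show that unrelated output between frames is ignored; most frames are omitted.
SAMPLE_LOG = """\
[ 53.886678] BUG: KASAN: use-after-free in pppol2tp_put_sk+0xa8/0xb0
[ 53.893081] Read of size 8 at addr ffff8801c01b6708 by task syz-executor/4295
[ 53.900357] Call Trace:
[ 53.900376] dump_stack+0x194/0x257
[ 53.942842] IPVS: ftp: loaded support on port[0] = 21
[ 53.972395] pppol2tp_put_sk+0xa8/0xb0
[ 53.976284] rcu_process_callbacks+0xd6c/0x17f0
[ 54.165389]
[ 54.167008] Allocated by task 4296:
[ 54.170635] save_stack+0x43/0xd0
[ 54.174088] kasan_kmalloc+0xad/0xe0
[ 54.177799] __kmalloc+0x162/0x760
[ 54.181334] l2tp_session_create+0x100/0xe50
[ 54.190318] pppol2tp_connect+0x74a/0x1550
[ 54.206633]
[ 54.208253] Freed by task 4295:
[ 54.211533] save_stack+0x43/0xd0
[ 54.215093] kasan_slab_free+0x71/0xc0
[ 54.219084] kfree+0xd6/0x260
[ 54.222185] pppol2tp_put_sk+0x4c/0xb0
[ 54.226072] rcu_process_callbacks+0xd6c/0x17f0
[ 54.234527]
[ 54.236153] The buggy address belongs to the object at ffff8801c01b6480
[ 54.236153] which belongs to the cache kmalloc-1024 of size 1024
[ 54.248980] The buggy address is located 648 bytes inside of
[ 54.328423] >ffff8801c01b6700: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 54.335782]                       ^
"""

PRINTK = re.compile(r"^\[\s*\d+\.\d+\]\s?")
HEADER = re.compile(r"^BUG: KASAN: (\S+) in ([\w.]+)\+0x[0-9a-f]+/0x[0-9a-f]+$")
ACCESS = re.compile(r"^(Read|Write) of size (\d+) at addr ([0-9a-f]+) by task (\S+)/(\d+)$")
SECTION = re.compile(r"^(Call Trace|Allocated by task \d+|Freed by task \d+):$")
FRAME = re.compile(r"^([\w.]+)\+0x[0-9a-f]+/0x[0-9a-f]+$")   # "? frame" guesses do not match
OBJECT = re.compile(r"belongs to the object at ([0-9a-f]+)$")
CACHE = re.compile(r"cache (\S+) of size (\d+)$")
REPORTED = re.compile(r"located (\d+) bytes inside of$")
SHADOW = re.compile(r"^>?([0-9a-f]{16}): ((?:[0-9a-f]{2} ?){16})$")

GRANULE = 8                # memory bytes covered by one shadow byte
ROW_BYTES = 16 * GRANULE   # memory covered by one printed shadow row
# Assumed shadow encodings of 4.15-era x86 KASAN (mm/kasan/kasan.h); values 1..7 mean partial.
SHADOW_MEANING = {0x00: "accessible", 0xfa: "global redzone", 0xfb: "freed kmalloc object",
                  0xfc: "kmalloc redzone", 0xfe: "page redzone", 0xff: "freed page",
                  0xf1: "stack left redzone", 0xf2: "stack mid redzone", 0xf3: "stack right redzone",
                  0xf4: "stack partial redzone", 0xf8: "use-after-scope"}
# Assumed prefixes of allocator/instrumentation frames that sit above the code owning the object.
PLUMBING = ("save_stack", "kasan_", "kfree", "kmem_cache_", "__kmalloc", "kmalloc")

def describe_shadow(b):
    if b is None:
        return "no shadow row printed for this address"
    return "partially accessible (first %d bytes)" % b if 1 <= b <= 7 else SHADOW_MEANING.get(b, "unknown 0x%02x" % b)

def first_owner_frame(frames):
    """First frame below the allocator plumbing: the code that allocated or freed the object."""
    return next((f for f in frames if not f.startswith(PLUMBING)), None)

def parse_kasan_report(log):
    r, section = {"stacks": {}, "shadow": {}}, None
    for raw in log.splitlines():
        line = PRINTK.sub("", raw).strip()
        if not line:
            section = None                      # a blank line closes a frame list
        elif m := HEADER.match(line):
            r["bug"], r["function"] = m.group(1), m.group(2)
        elif m := ACCESS.match(line):
            r["access"], r["addr"] = (m.group(1), int(m.group(2))), int(m.group(3), 16)
        elif m := SECTION.match(line):
            section = m.group(1)
            r["stacks"][section] = []
        elif (m := FRAME.match(line)) and section:
            r["stacks"][section].append(m.group(1))
        elif m := OBJECT.search(line):
            r["object"] = int(m.group(1), 16)
        elif m := CACHE.search(line):
            r["cache"], r["object_size"] = m.group(1), int(m.group(2))
        elif m := REPORTED.search(line):
            r["reported_offset"] = int(m.group(1))
        elif m := SHADOW.match(line):
            r["shadow"][int(m.group(1), 16)] = [int(b, 16) for b in m.group(2).split()]
    # Derived checks: recompute the offset the kernel printed, classify the shadow byte
    # that covers the faulting address, and find who allocated / freed the object.
    r["offset"] = r["addr"] - r["object"]
    r["offset_matches"] = r["offset"] == r.get("reported_offset")
    row = r["addr"] & ~(ROW_BYTES - 1)
    cells = r["shadow"].get(row)
    r["shadow_byte"] = cells[(r["addr"] - row) // GRANULE] if cells else None
    r["shadow_meaning"] = describe_shadow(r["shadow_byte"])
    for name, frames in r["stacks"].items():
        if name.startswith("Allocated"):
            r["allocated_in"] = first_owner_frame(frames)
        elif name.startswith("Freed"):
            r["freed_in"] = first_owner_frame(frames)
    # Free and faulting read issued by the same function: the object was touched after release.
    r["freed_and_used_in_same_function"] = r.get("freed_in") == r.get("function")
    return r

if __name__ == "__main__":
    print({k: v for k, v in parse_kasan_report(SAMPLE_LOG).items() if k not in ("stacks", "shadow")})
```

Run as-is it prints the derived fields for the sample; fed the full report it behaves the same, since `? frame` guesses never match `FRAME`, interleaved lines are skipped, and only a blank line ends a frame list. The dict is returned rather than printed so a pipeline can assert on it or use `(bug, function, freed_in)` as a dedupe key across reports.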