syzkaller login: [   25.127163] audit: type=1400 audit(1518017352.091:7): avc:  denied  { map } for  pid=4185 comm="syz-fuzzer" path="/root/syz-fuzzer" dev="sda1" ino=16479 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
[   25.447145] audit: type=1400 audit(1518017352.411:8): avc:  denied  { map } for  pid=4185 comm="syz-fuzzer" path="/sys/kernel/debug/kcov" dev="debugfs" ino=1133 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:debugfs_t:s0 tclass=file permissive=1
[   27.088834] can: request_module (can-proto-0) failed.
[   27.098499] can: request_module (can-proto-0) failed.
[   27.557679] audit: type=1400 audit(1518017354.522:9): avc:  denied  { map } for  pid=4185 comm="syz-fuzzer" path="/root/syzkaller-shm556552381" dev="sda1" ino=16481 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:file_t:s0 tclass=file permissive=1
[   27.583146] audit: type=1400 audit(1518017354.522:10): avc:  denied  { sys_admin } for  pid=4228 comm="syz-executor0" capability=21  scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=cap_userns permissive=1
[   27.589413] IPVS: ftp: loaded support on port[0] = 21
[   27.631519] audit: type=1400 audit(1518017354.596:11): avc:  denied  { net_admin } for  pid=4229 comm="syz-executor0" capability=12  scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=cap_userns permissive=1
[   27.874541] IPv6: ADDRCONF(NETDEV_UP): bridge0: link is not ready
[   28.298529] audit: type=1400 audit(1518017355.263:12): avc:  denied  { sys_chroot } for  pid=4229 comm="syz-executor0" capability=18  scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=cap_userns permissive=1
Warning: Permanently added '10.128.0.44' (ECDSA) to the list of known hosts.
2018/02/07 15:29:46 parsed 1 programs
2018/02/07 15:29:46 executed programs: 0
[   59.495721] IPVS: ftp: loaded support on port[0] = 21
[   59.521981] IPVS: ftp: loaded support on port[0] = 21
[   59.556561] IPVS: ftp: loaded support on port[0] = 21
[   59.584579] IPVS: ftp: loaded support on port[0] = 21
[   59.615957] IPVS: ftp: loaded support on port[0] = 21
[   59.674651] IPVS: ftp: loaded support on port[0] = 21
[   59.730477] IPVS: ftp: loaded support on port[0] = 21
[   59.793412] IPVS: ftp: loaded support on port[0] = 21
2018/02/07 15:29:51 executed programs: 279
[   65.846948] l2tp_core: tunl 3: fd 0 wrong protocol, got 1, expected 17
2018/02/07 15:29:56 executed programs: 518
[   70.759485] l2tp_core: tunl 3: fd 0 wrong protocol, got 1, expected 17
2018/02/07 15:30:01 executed programs: 755
[   78.605753] l2tp_core: tunl 3: fd 0 wrong protocol, got 1, expected 17
2018/02/07 15:30:06 executed programs: 993
[   80.048090] ==================================================================
[   80.055612] BUG: KASAN: use-after-free in l2tp_tunnel_del_work+0x22e/0x240
[   80.062624] Read of size 8 at addr ffff8801cdbf2520 by task kworker/u4:14/5459
[   80.069973] 
[   80.071596] CPU: 1 PID: 5459 Comm: kworker/u4:14 Not tainted 4.15.0+ #35
[   80.078425] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   80.087789] Workqueue: l2tp l2tp_tunnel_del_work
[   80.092537] Call Trace:
[   80.095116]  dump_stack+0x194/0x257
[   80.098748]  ? arch_local_irq_restore+0x53/0x53
[   80.103425]  ? show_regs_print_info+0x18/0x18
[   80.107929]  ? l2tp_tunnel_del_work+0x22e/0x240
[   80.112597]  print_address_description+0x73/0x250
[   80.117435]  ? l2tp_tunnel_del_work+0x22e/0x240
[   80.122101]  kasan_report+0x25b/0x340
[   80.125906]  __asan_report_load8_noabort+0x14/0x20
[   80.130838]  l2tp_tunnel_del_work+0x22e/0x240
[   80.135339]  process_one_work+0xbbf/0x1af0
[   80.139572]  ? trace_hardirqs_on+0xd/0x10
[   80.143718]  ? pwq_dec_nr_in_flight+0x450/0x450
[   80.148399]  ? __schedule+0x8f3/0x2060
[   80.152298]  ? debug_check_no_locks_freed+0x3c0/0x3c0
[   80.157491]  ? check_noncircular+0x20/0x20
[   80.161733]  ? account_entity_enqueue+0x3c8/0x6e0
[   80.166614]  ? lock_acquire+0x1d5/0x580
[   80.170581]  ? lock_acquire+0x1d5/0x580
[   80.174551]  ? worker_thread+0x4a3/0x1990
[   80.178696]  ? lock_downgrade+0x980/0x980
[   80.182844]  ? lock_release+0xa40/0xa40
[   80.186816]  ? retint_kernel+0x10/0x10
[   80.190705]  ? do_raw_spin_trylock+0x190/0x190
[   80.195308]  worker_thread+0x223/0x1990
[   80.199313]  ? process_one_work+0x1af0/0x1af0
[   80.203810]  ? _raw_spin_unlock_irq+0x27/0x70
[   80.208304]  ? trace_hardirqs_on_caller+0x421/0x5c0
[   80.213329]  ? trace_hardirqs_on+0xd/0x10
[   80.217474]  ? _raw_spin_unlock_irq+0x27/0x70
[   80.221967]  ? finish_task_switch+0x1d3/0x740
[   80.226449]  ? finish_task_switch+0x1aa/0x740
[   80.230948]  ? copy_overflow+0x20/0x20
[   80.234851]  ? __schedule+0x8f3/0x2060
[   80.238754]  ? check_noncircular+0x20/0x20
[   80.242984]  ? find_held_lock+0x35/0x1d0
[   80.247054]  ? cache_grow_end.part.35+0x84/0x180
[   80.251814]  ? find_held_lock+0x35/0x1d0
[   80.255881]  ? complete+0x62/0x80
[   80.259350]  ? __schedule+0x2060/0x2060
[   80.263319]  ? do_wait_intr_irq+0x3e0/0x3e0
[   80.267638]  ? __lockdep_init_map+0xe4/0x650
[   80.272042]  ? do_raw_spin_trylock+0x190/0x190
[   80.276621]  ? lockdep_init_map+0x9/0x10
[   80.280680]  ? _raw_spin_unlock_irqrestore+0x31/0xba
[   80.285783]  ? trace_hardirqs_on_caller+0x421/0x5c0
[   80.290794]  ? trace_hardirqs_on+0xd/0x10
[   80.294936]  ? __kthread_parkme+0x175/0x240
[   80.299258]  kthread+0x33c/0x400
[   80.302622]  ? process_one_work+0x1af0/0x1af0
[   80.307114]  ? kthread_stop+0x7a0/0x7a0
[   80.311087]  ret_from_fork+0x3a/0x50
[   80.314816] 
[   80.316433] Allocated by task 13247:
[   80.320140]  save_stack+0x43/0xd0
[   80.323583]  kasan_kmalloc+0xad/0xe0
[   80.327290]  kasan_slab_alloc+0x12/0x20
[   80.331257]  kmem_cache_alloc+0x12e/0x760
[   80.335400]  sock_alloc_inode+0x70/0x300
[   80.339454]  alloc_inode+0x65/0x180
[   80.343077]  new_inode_pseudo+0x69/0x190
[   80.347133]  sock_alloc+0x41/0x270
[   80.350669]  __sock_create+0x148/0x850
[   80.354549]  SyS_socket+0xeb/0x1d0
[   80.358083]  entry_SYSCALL_64_fastpath+0x29/0xa0
[   80.362832] 
[   80.364451] Freed by task 13264:
[   80.367810]  save_stack+0x43/0xd0
[   80.371259]  kasan_slab_free+0x71/0xc0
[   80.375143]  kmem_cache_free+0x83/0x2a0
[   80.379109]  sock_destroy_inode+0x56/0x70
[   80.383248]  destroy_inode+0x15d/0x200
[   80.387129]  evict+0x57e/0x920
[   80.390312]  iput+0x7b9/0xaf0
[   80.393408]  dentry_unlink_inode+0x4b0/0x5e0
[   80.397807]  __dentry_kill+0x3de/0x700
[   80.401685]  dput.part.21+0x6fb/0x830
[   80.405476]  dput+0x1f/0x30
[   80.408397]  __fput+0x51c/0x7e0
[   80.411668]  ____fput+0x15/0x20
[   80.414939]  task_work_run+0x199/0x270
[   80.418820]  exit_to_usermode_loop+0x275/0x2f0
[   80.423396]  syscall_return_slowpath+0x490/0x550
[   80.428150]  entry_SYSCALL_64_fastpath+0x9e/0xa0
[   80.432893] 
[   80.434514] The buggy address belongs to the object at ffff8801cdbf2500
[   80.434514]  which belongs to the cache sock_inode_cache of size 992
[   80.447596] The buggy address is located 32 bytes inside of
[   80.447596]  992-byte region [ffff8801cdbf2500, ffff8801cdbf28e0)
[   80.459372] The buggy address belongs to the page:
[   80.464294] page:ffffea000736fc80 count:1 mapcount:0 mapping:ffff8801cdbf2080 index:0xffff8801cdbf2ffd
[   80.473737] flags: 0x2fffc0000000100(slab)
[   80.477969] raw: 02fffc0000000100 ffff8801cdbf2080 ffff8801cdbf2ffd 0000000100000003
[   80.485843] raw: ffffea0006eb0420 ffffea000736fee0 ffff8801d9fea380 0000000000000000
[   80.493713] page dumped because: kasan: bad access detected
[   80.499421] 
[   80.501040] Memory state around the buggy address:
[   80.505963]  ffff8801cdbf2400: fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
[   80.513317]  ffff8801cdbf2480: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   80.520665] >ffff8801cdbf2500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   80.528013]                                ^
[   80.532411]  ffff8801cdbf2580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   80.539768]  ffff8801cdbf2600: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   80.547114] ==================================================================
[   80.554469] Disabling lock debugging due to kernel taint
[   80.560049] Kernel panic - not syncing: panic_on_warn set ...
[   80.560049] 
[   80.567404] CPU: 1 PID: 5459 Comm: kworker/u4:14 Tainted: G    B            4.15.0+ #35
[   80.575529] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   80.584878] Workqueue: l2tp l2tp_tunnel_del_work
[   80.589642] Call Trace:
[   80.592221]  dump_stack+0x194/0x257
[   80.595843]  ? arch_local_irq_restore+0x53/0x53
[   80.600502]  ? kasan_end_report+0x32/0x50
[   80.604644]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[   80.609389]  ? vsnprintf+0x1ed/0x1900
[   80.613181]  ? l2tp_tunnel_del_work+0x170/0x240
[   80.617846]  panic+0x1e4/0x41c
[   80.621030]  ? refcount_error_report+0x214/0x214
[   80.625780]  ? add_taint+0x1c/0x50
[   80.629308]  ? add_taint+0x1c/0x50
[   80.632845]  ? l2tp_tunnel_del_work+0x22e/0x240
[   80.637507]  kasan_end_report+0x50/0x50
[   80.641477]  kasan_report+0x144/0x340
[   80.645273]  __asan_report_load8_noabort+0x14/0x20
[   80.650194]  l2tp_tunnel_del_work+0x22e/0x240
[   80.654681]  process_one_work+0xbbf/0x1af0
[   80.658907]  ? trace_hardirqs_on+0xd/0x10
[   80.663056]  ? pwq_dec_nr_in_flight+0x450/0x450
[   80.667731]  ? __schedule+0x8f3/0x2060
[   80.671617]  ? debug_check_no_locks_freed+0x3c0/0x3c0
[   80.676799]  ? check_noncircular+0x20/0x20
[   80.681026]  ? account_entity_enqueue+0x3c8/0x6e0
[   80.685877]  ? lock_acquire+0x1d5/0x580
[   80.689843]  ? lock_acquire+0x1d5/0x580
[   80.693809]  ? worker_thread+0x4a3/0x1990
[   80.697947]  ? lock_downgrade+0x980/0x980
[   80.702090]  ? lock_release+0xa40/0xa40
[   80.706055]  ? retint_kernel+0x10/0x10
[   80.709933]  ? do_raw_spin_trylock+0x190/0x190
[   80.714518]  worker_thread+0x223/0x1990
[   80.718500]  ? process_one_work+0x1af0/0x1af0
[   80.722990]  ? _raw_spin_unlock_irq+0x27/0x70
[   80.727475]  ? trace_hardirqs_on_caller+0x421/0x5c0
[   80.732482]  ? trace_hardirqs_on+0xd/0x10
[   80.736655]  ? _raw_spin_unlock_irq+0x27/0x70
[   80.741145]  ? finish_task_switch+0x1d3/0x740
[   80.745630]  ? finish_task_switch+0x1aa/0x740
[   80.750116]  ? copy_overflow+0x20/0x20
[   80.754007]  ? __schedule+0x8f3/0x2060
[   80.757900]  ? check_noncircular+0x20/0x20
[   80.762125]  ? find_held_lock+0x35/0x1d0
[   80.766190]  ? cache_grow_end.part.35+0x84/0x180
[   80.770935]  ? find_held_lock+0x35/0x1d0
[   80.774994]  ? complete+0x62/0x80
[   80.778453]  ? __schedule+0x2060/0x2060
[   80.782426]  ? do_wait_intr_irq+0x3e0/0x3e0
[   80.786736]  ? __lockdep_init_map+0xe4/0x650
[   80.791135]  ? do_raw_spin_trylock+0x190/0x190
[   80.795715]  ? lockdep_init_map+0x9/0x10
[   80.799769]  ? _raw_spin_unlock_irqrestore+0x31/0xba
[   80.804865]  ? trace_hardirqs_on_caller+0x421/0x5c0
[   80.809874]  ? trace_hardirqs_on+0xd/0x10
[   80.814012]  ? __kthread_parkme+0x175/0x240
[   80.818326]  kthread+0x33c/0x400
[   80.821685]  ? process_one_work+0x1af0/0x1af0
[   80.826176]  ? kthread_stop+0x7a0/0x7a0
[   80.830145]  ret_from_fork+0x3a/0x50
[   80.834307] Dumping ftrace buffer:
[   80.837830]    (ftrace buffer empty)
[   80.841511] Kernel Offset: disabled
[   80.845109] Rebooting in 86400 seconds..