[ 29.365334] audit: type=1400 audit(1518016519.582:7): avc: denied { map } for pid=4166 comm="syz-fuzzer" path="/root/syz-fuzzer" dev="sda1" ino=16479 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
[ 29.674691] audit: type=1400 audit(1518016519.891:8): avc: denied { map } for pid=4166 comm="syz-fuzzer" path="/sys/kernel/debug/kcov" dev="debugfs" ino=108 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:debugfs_t:s0 tclass=file permissive=1
[ 31.256303] can: request_module (can-proto-0) failed.
[ 31.265598] can: request_module (can-proto-0) failed.
[ 31.712911] audit: type=1400 audit(1518016521.929:9): avc: denied { map } for pid=4166 comm="syz-fuzzer" path="/root/syzkaller-shm641682423" dev="sda1" ino=16481 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:file_t:s0 tclass=file permissive=1
[ 31.744168] audit: type=1400 audit(1518016521.960:10): avc: denied { sys_admin } for pid=4206 comm="syz-executor0" capability=21 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=cap_userns permissive=1
[ 31.750732] IPVS: ftp: loaded support on port[0] = 21
[ 31.798262] audit: type=1400 audit(1518016522.014:11): avc: denied { net_admin } for pid=4207 comm="syz-executor0" capability=12 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=cap_userns permissive=1
[ 32.033863] IPv6: ADDRCONF(NETDEV_UP): bridge0: link is not ready
[ 32.435380] audit: type=1400 audit(1518016522.652:12): avc: denied { sys_chroot } for pid=4207 comm="syz-executor0" capability=18 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=cap_userns permissive=1
Warning: Permanently added '10.128.0.20' (ECDSA) to the list of known hosts.
2018/02/07 15:15:54 parsed 1 programs
2018/02/07 15:15:54 executed programs: 0
[ 63.938115] IPVS: ftp: loaded support on port[0] = 21
[ 63.971373] IPVS: ftp: loaded support on port[0] = 21
[ 63.997821] IPVS: ftp: loaded support on port[0] = 21
[ 64.023627] IPVS: ftp: loaded support on port[0] = 21
[ 64.050033] IPVS: ftp: loaded support on port[0] = 21
[ 64.085518] IPVS: ftp: loaded support on port[0] = 21
[ 64.124058] IPVS: ftp: loaded support on port[0] = 21
[ 64.150526] IPVS: ftp: loaded support on port[0] = 21
2018/02/07 15:15:59 executed programs: 1116
2018/02/07 15:16:04 executed programs: 2083
2018/02/07 15:16:09 executed programs: 3072
2018/02/07 15:16:14 executed programs: 4059
2018/02/07 15:16:19 executed programs: 5048
2018/02/07 15:16:24 executed programs: 5997
[ 97.090571] ==================================================================
[ 97.098089] BUG: KASAN: use-after-free in l2tp_tunnel_del_work+0x22e/0x240
[ 97.105098] Read of size 8 at addr ffff8801a66b2960 by task kworker/u4:0/5
[ 97.112101]
[ 97.113729] CPU: 0 PID: 5 Comm: kworker/u4:0 Not tainted 4.15.0+ #33
[ 97.120205] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 97.129558] Workqueue: l2tp l2tp_tunnel_del_work
[ 97.134315] Call Trace:
[ 97.136897] dump_stack+0x194/0x257
[ 97.140521] ? arch_local_irq_restore+0x53/0x53
[ 97.145186] ? show_regs_print_info+0x18/0x18
[ 97.149673] ? queue_work_on+0xc2/0x1c0
[ 97.153647] ? l2tp_tunnel_del_work+0x22e/0x240
[ 97.158320] print_address_description+0x73/0x250
[ 97.163155] ? l2tp_tunnel_del_work+0x22e/0x240
[ 97.167808] kasan_report+0x25b/0x340
[ 97.171604] __asan_report_load8_noabort+0x14/0x20
[ 97.176532] l2tp_tunnel_del_work+0x22e/0x240
[ 97.181028] process_one_work+0xbbf/0x1af0
[ 97.185256] ? trace_hardirqs_on+0xd/0x10
[ 97.189401] ? pwq_dec_nr_in_flight+0x450/0x450
[ 97.194068] ? __schedule+0x8f3/0x2060
[ 97.197944] ? check_noncircular+0x20/0x20
[ 97.202152] ? lock_downgrade+0x980/0x980
[ 97.206280] ? do_wait_intr_irq+0x3e0/0x3e0
[ 97.210595] ? lock_acquire+0x1d5/0x580
[ 97.214540] ? lock_acquire+0x1d5/0x580
[ 97.218488] ? worker_thread+0x4a3/0x1990
[ 97.222608] ? lock_downgrade+0x980/0x980
[ 97.226733] ? lock_release+0xa40/0xa40
[ 97.230682] ? retint_kernel+0x10/0x10
[ 97.234543] ? do_raw_spin_trylock+0x190/0x190
[ 97.239108] worker_thread+0x223/0x1990
[ 97.243077] ? process_one_work+0x1af0/0x1af0
[ 97.247547] ? _raw_spin_unlock_irq+0x27/0x70
[ 97.252021] ? trace_hardirqs_on_caller+0x421/0x5c0
[ 97.257028] ? trace_hardirqs_on+0xd/0x10
[ 97.261152] ? mmdrop+0x18/0x30
[ 97.264404] ? finish_task_switch+0x1f6/0x740
[ 97.268876] ? copy_overflow+0x20/0x20
[ 97.272749] ? __schedule+0x8f3/0x2060
[ 97.276620] ? check_noncircular+0x20/0x20
[ 97.280833] ? find_held_lock+0x35/0x1d0
[ 97.284873] ? find_held_lock+0x35/0x1d0
[ 97.288911] ? complete+0x62/0x80
[ 97.292345] ? __schedule+0x2060/0x2060
[ 97.296296] ? do_wait_intr_irq+0x3e0/0x3e0
[ 97.300592] ? __lockdep_init_map+0xe4/0x650
[ 97.304973] ? do_raw_spin_trylock+0x190/0x190
[ 97.309529] ? lockdep_init_map+0x9/0x10
[ 97.313566] ? _raw_spin_unlock_irqrestore+0x31/0xba
[ 97.318645] ? trace_hardirqs_on_caller+0x421/0x5c0
[ 97.323636] ? trace_hardirqs_on+0xd/0x10
[ 97.327758] ? __kthread_parkme+0x175/0x240
[ 97.332059] kthread+0x33c/0x400
[ 97.335399] ? process_one_work+0x1af0/0x1af0
[ 97.339866] ? kthread_stop+0x7a0/0x7a0
[ 97.343815] ret_from_fork+0x3a/0x50
[ 97.347513]
[ 97.349117] Allocated by task 24128:
[ 97.352805] save_stack+0x43/0xd0
[ 97.356228] kasan_kmalloc+0xad/0xe0
[ 97.359914] kasan_slab_alloc+0x12/0x20
[ 97.363858] kmem_cache_alloc+0x12e/0x760
[ 97.367978] sock_alloc_inode+0x70/0x300
[ 97.372010] alloc_inode+0x65/0x180
[ 97.375613] new_inode_pseudo+0x69/0x190
[ 97.379644] sock_alloc+0x41/0x270
[ 97.383157] __sock_create+0x148/0x850
[ 97.387020] SyS_socket+0xeb/0x1d0
[ 97.390544] entry_SYSCALL_64_fastpath+0x29/0xa0
[ 97.395271]
[ 97.396877] Freed by task 24136:
[ 97.400221] save_stack+0x43/0xd0
[ 97.403659] kasan_slab_free+0x71/0xc0
[ 97.407523] kmem_cache_free+0x83/0x2a0
[ 97.411477] sock_destroy_inode+0x56/0x70
[ 97.415596] destroy_inode+0x15d/0x200
[ 97.419458] evict+0x57e/0x920
[ 97.422622] iput+0x7b9/0xaf0
[ 97.425699] dentry_unlink_inode+0x4b0/0x5e0
[ 97.430077] __dentry_kill+0x3de/0x700
[ 97.433933] dput.part.21+0x6fb/0x830
[ 97.437702] dput+0x1f/0x30
[ 97.440603] __fput+0x51c/0x7e0
[ 97.443851] ____fput+0x15/0x20
[ 97.447103] task_work_run+0x199/0x270
[ 97.450965] do_exit+0x9bb/0x1ad0
[ 97.454388] do_group_exit+0x149/0x400
[ 97.458247] get_signal+0x73a/0x16d0
[ 97.461931] do_signal+0x90/0x1eb0
[ 97.465442] exit_to_usermode_loop+0x258/0x2f0
[ 97.469995] syscall_return_slowpath+0x490/0x550
[ 97.474725] entry_SYSCALL_64_fastpath+0x9e/0xa0
[ 97.479447]
[ 97.481055] The buggy address belongs to the object at ffff8801a66b2940
[ 97.481055]  which belongs to the cache sock_inode_cache of size 992
[ 97.494120] The buggy address is located 32 bytes inside of
[ 97.494120]  992-byte region [ffff8801a66b2940, ffff8801a66b2d20)
[ 97.505883] The buggy address belongs to the page:
[ 97.510796] page:ffffea000699ac80 count:1 mapcount:0 mapping:ffff8801a66b2040 index:0xffff8801a66b2ffd
[ 97.520224] flags: 0x2fffc0000000100(slab)
[ 97.524434] raw: 02fffc0000000100 ffff8801a66b2040 ffff8801a66b2ffd 0000000100000003
[ 97.532305] raw: ffffea000699a760 ffffea000699ad20 ffff8801d980e9c0 0000000000000000
[ 97.540158] page dumped because: kasan: bad access detected
[ 97.545836]
[ 97.547433] Memory state around the buggy address:
[ 97.552333]  ffff8801a66b2800: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 97.559664]  ffff8801a66b2880: fb fb fb fb fc fc fc fc fc fc fc fc fc fc fc fc
[ 97.566993] >ffff8801a66b2900: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
[ 97.574324]                                                        ^
[ 97.580801]  ffff8801a66b2980: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 97.588174]  ffff8801a66b2a00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 97.595514] ==================================================================
[ 97.602858] Disabling lock debugging due to kernel taint
[ 97.608593] Kernel panic - not syncing: panic_on_warn set ...
[ 97.608593]
[ 97.615958] CPU: 0 PID: 5 Comm: kworker/u4:0 Tainted: G B 4.15.0+ #33
[ 97.623748] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 97.633105] Workqueue: l2tp l2tp_tunnel_del_work
[ 97.637849] Call Trace:
[ 97.640430] dump_stack+0x194/0x257
[ 97.644057] ? arch_local_irq_restore+0x53/0x53
[ 97.648725] ? kasan_end_report+0x32/0x50
[ 97.652877] ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 97.657621] ? vsnprintf+0x1ed/0x1900
[ 97.661423] ? l2tp_tunnel_del_work+0x170/0x240
[ 97.666090] panic+0x1e4/0x41c
[ 97.669285] ? refcount_error_report+0x214/0x214
[ 97.674042] ? add_taint+0x1c/0x50
[ 97.677570] ? add_taint+0x1c/0x50
[ 97.681105] ? l2tp_tunnel_del_work+0x22e/0x240
[ 97.685764] kasan_end_report+0x50/0x50
[ 97.689730] kasan_report+0x144/0x340
[ 97.693521] __asan_report_load8_noabort+0x14/0x20
[ 97.698438] l2tp_tunnel_del_work+0x22e/0x240
[ 97.702924] process_one_work+0xbbf/0x1af0
[ 97.707151] ? trace_hardirqs_on+0xd/0x10
[ 97.711307] ? pwq_dec_nr_in_flight+0x450/0x450
[ 97.715991] ? __schedule+0x8f3/0x2060
[ 97.719900] ? check_noncircular+0x20/0x20
[ 97.724137] ? lock_downgrade+0x980/0x980
[ 97.728300] ? do_wait_intr_irq+0x3e0/0x3e0
[ 97.733456] ? lock_acquire+0x1d5/0x580
[ 97.737441] ? lock_acquire+0x1d5/0x580
[ 97.741421] ? worker_thread+0x4a3/0x1990
[ 97.745594] ? lock_downgrade+0x980/0x980
[ 97.749788] ? lock_release+0xa40/0xa40
[ 97.753776] ? retint_kernel+0x10/0x10
[ 97.757672] ? do_raw_spin_trylock+0x190/0x190
[ 97.762286] worker_thread+0x223/0x1990
[ 97.766293] ? process_one_work+0x1af0/0x1af0
[ 97.770826] ? _raw_spin_unlock_irq+0x27/0x70
[ 97.775335] ? trace_hardirqs_on_caller+0x421/0x5c0
[ 97.780359] ? trace_hardirqs_on+0xd/0x10
[ 97.784507] ? mmdrop+0x18/0x30
[ 97.787785] ? finish_task_switch+0x1f6/0x740
[ 97.792283] ? copy_overflow+0x20/0x20
[ 97.796175] ? __schedule+0x8f3/0x2060
[ 97.800071] ? check_noncircular+0x20/0x20
[ 97.804306] ? find_held_lock+0x35/0x1d0
[ 97.808365] ? find_held_lock+0x35/0x1d0
[ 97.812419] ? complete+0x62/0x80
[ 97.815872] ? __schedule+0x2060/0x2060
[ 97.819836] ? do_wait_intr_irq+0x3e0/0x3e0
[ 97.824150] ? __lockdep_init_map+0xe4/0x650
[ 97.828552] ? do_raw_spin_trylock+0x190/0x190
[ 97.833123] ? lockdep_init_map+0x9/0x10
[ 97.837174] ? _raw_spin_unlock_irqrestore+0x31/0xba
[ 97.842279] ? trace_hardirqs_on_caller+0x421/0x5c0
[ 97.847303] ? trace_hardirqs_on+0xd/0x10
[ 97.851439] ? __kthread_parkme+0x175/0x240
[ 97.855753] kthread+0x33c/0x400
[ 97.859111] ? process_one_work+0x1af0/0x1af0
[ 97.863593] ? kthread_stop+0x7a0/0x7a0
[ 97.867558] ret_from_fork+0x3a/0x50
[ 97.871669] Dumping ftrace buffer:
[ 97.875181] (ftrace buffer empty)
[ 97.878859] Kernel Offset: disabled
[ 97.882454] Rebooting in 86400 seconds..
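The KASAN report above has a fixed layout: a headline with the bug class and the faulting function, an access line (size, address, task), a Call Trace whose "?" entries are stale stack slots, the "Allocated by" and "Freed by" stacks, the object/cache lines, and a shadow-memory dump. The script below is an added triage example, not part of this syzkaller report or of syzkaller itself. It parses that layout and cross-checks the headline against the rest of the report: the faulting address must fall inside the reported object, the first reliable frame outside the reporting path must match the headline function, and for a use-after-free the shadow byte at the address must be fb. The shadow-byte meanings (fb freed slab object, fc slab redzone, fe page redzone, ff free page) are generic KASAN's values from mm/kasan/kasan.h; the sample input is a trimmed excerpt of the report above.

```python
# Added example, not syzkaller's code: a triage parser for the KASAN report format
# above. Shadow-byte meanings follow generic KASAN (mm/kasan/kasan.h).
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

SHADOW_MEANING = {0xfb: "freed slab object", 0xfc: "slab redzone", 0xfe: "page redzone", 0xff: "freed page"}
TS_RE = re.compile(r"^\s*\[\s*\d+\.\d+\]\s?(.*)$")  # '[ secs.usecs] ' console prefix
HEADER_RE = re.compile(r"BUG: KASAN: (?P<type>[\w-]+) in (?P<func>[\w.]+)")
ACCESS_RE = re.compile(r"(?:Read|Write) of size (?P<size>\d+) at addr (?P<addr>[0-9a-f]+)")
STACK_RE = re.compile(r"(?P<kind>Allocated|Freed) by task (?P<pid>\d+):")
OBJECT_RE = re.compile(r"object at (?P<addr>[0-9a-f]+)|cache (?P<cache>\S+) of size (?P<size>\d+)")
FRAME_RE = re.compile(r"^(?P<stale>\?\s+)?(?P<func>[A-Za-z_][\w.]*)\+0x[0-9a-f]+/0x[0-9a-f]+$")
SHADOW_RE = re.compile(r"^>?\s*(?P<addr>[0-9a-f]{16}):\s*(?P<bytes>(?:[0-9a-f]{2}\s*)+)$")
REPORT_FRAMES = ("dump_stack", "print_address_description", "kasan_report", "__asan_report")
ALLOC_FRAMES = ("save_stack", "kasan_", "kmem_cache_", "kmalloc", "__kmalloc", "kfree", "__kfree")

@dataclass
class KasanReport:
    bug_type: str = ""
    crash_func: str = ""                 # function named in the headline
    size: int = 0
    addr: int = 0
    cache: str = ""
    object_addr: int = 0
    object_size: int = 0
    alloc_task: Optional[int] = None
    free_task: Optional[int] = None
    call_trace: List[str] = field(default_factory=list)   # reliable frames of the first trace
    alloc_stack: List[str] = field(default_factory=list)
    free_stack: List[str] = field(default_factory=list)
    shadow: Dict[int, List[int]] = field(default_factory=dict)  # row base -> 16 shadow bytes

def parse_kasan_report(console: str) -> KasanReport:
    r, section = KasanReport(), None
    for raw in console.splitlines():
        m = TS_RE.match(raw)
        s = (m.group(1) if m else raw).strip()
        if not s:                                  # a blank console line closes a stack section
            section = None
        elif m := HEADER_RE.search(s):
            r.bug_type, r.crash_func = m["type"], m["func"]
        elif m := ACCESS_RE.search(s):
            r.size, r.addr = int(m["size"]), int(m["addr"], 16)
        elif s == "Call Trace:":
            section = "trace" if not r.call_trace else None  # ignore the later panic trace
        elif m := STACK_RE.search(s):
            section = "alloc" if m["kind"] == "Allocated" else "free"
            setattr(r, section + "_task", int(m["pid"]))
        elif m := OBJECT_RE.search(s):
            if m["addr"]:
                r.object_addr = int(m["addr"], 16)
            else:
                r.cache, r.object_size = m["cache"], int(m["size"])
        elif m := SHADOW_RE.match(s):
            r.shadow[int(m["addr"], 16)] = [int(b, 16) for b in m["bytes"].split()]
        elif section and (m := FRAME_RE.match(s)):
            if section != "trace":
                getattr(r, section + "_stack").append(m["func"])
            elif not m["stale"]:                   # '? func' frames are stale stack slots
                r.call_trace.append(m["func"])
    return r

def crash_site(r: KasanReport) -> str:   # first reliable frame outside the reporting path
    return next((f for f in r.call_trace if not f.startswith(REPORT_FRAMES)), "")
def owner_frame(stack: List[str]) -> str:   # first frame above the allocator: the owning subsystem
    return next((f for f in stack if not f.startswith(ALLOC_FRAMES)), "")
def shadow_byte_at(r: KasanReport, addr: int) -> Optional[int]:
    base = addr & ~0x7F                  # each dumped row covers 128 bytes (16 shadow bytes)
    row = r.shadow.get(base)
    return None if row is None else row[(addr - base) >> 3]
def classify_shadow(b: Optional[int]) -> str:
    if b is None: return "no shadow row"
    if 0 <= b <= 7: return "addressable" if b == 0 else f"partially addressable ({b} bytes)"
    return SHADOW_MEANING.get(b, f"unknown 0x{b:02x}")
def headline_is_consistent(r: KasanReport) -> bool:
    """Object bounds, crash frame and shadow byte must all agree with the headline."""
    inside = r.object_addr <= r.addr < r.object_addr + r.object_size
    freed = shadow_byte_at(r, r.addr) == 0xFB
    return inside and crash_site(r) == r.crash_func and freed == (r.bug_type == "use-after-free")

# Trimmed excerpt of the console report above (real lines from it, not constructed).
SAMPLE = """\
[ 97.098089] BUG: KASAN: use-after-free in l2tp_tunnel_del_work+0x22e/0x240
[ 97.105098] Read of size 8 at addr ffff8801a66b2960 by task kworker/u4:0/5
[ 97.134315] Call Trace:
[ 97.136897] dump_stack+0x194/0x257
[ 97.153647] ? l2tp_tunnel_del_work+0x22e/0x240
[ 97.167808] kasan_report+0x25b/0x340
[ 97.176532] l2tp_tunnel_del_work+0x22e/0x240
[ 97.347513]
[ 97.349117] Allocated by task 24128:
[ 97.352805] save_stack+0x43/0xd0
[ 97.363858] kmem_cache_alloc+0x12e/0x760
[ 97.367978] sock_alloc_inode+0x70/0x300
[ 97.395271]
[ 97.396877] Freed by task 24136:
[ 97.407523] kmem_cache_free+0x83/0x2a0
[ 97.411477] sock_destroy_inode+0x56/0x70
[ 97.479447]
[ 97.481055] The buggy address belongs to the object at ffff8801a66b2940
[ 97.481055]  which belongs to the cache sock_inode_cache of size 992
[ 97.566993] >ffff8801a66b2900: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
"""
REPORT = parse_kasan_report(SAMPLE)
```

Run it as `python3 kasan_triage.py` (any file name) and inspect `REPORT`; on the excerpt it yields an 8-byte read in l2tp_tunnel_del_work at offset 32 into a 992-byte sock_inode_cache object, allocated under sock_alloc_inode by task 24128 and freed under sock_destroy_inode by task 24136, with shadow byte fb (freed slab object), so headline_is_consistent() returns True. Feed it the whole console log instead of the excerpt and it still parses only the first Call Trace, ignoring the panic trace printed after panic_on_warn fires; a report whose check fails (for instance a headline that disagrees with the shadow state) is the one to look at by hand before filing it.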