[ 48.178902] audit: type=1400 audit(1518016936.382:8): avc: denied { map } for pid=4125 comm="syz-fuzzer" path="/sys/kernel/debug/kcov" dev="debugfs" ino=1085 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:debugfs_t:s0 tclass=file permissive=1
[ 49.749289] can: request_module (can-proto-0) failed.
[ 49.758645] can: request_module (can-proto-0) failed.
[ 50.228462] audit: type=1400 audit(1518016938.432:9): avc: denied { map } for pid=4125 comm="syz-fuzzer" path="/root/syzkaller-shm234078395" dev="sda1" ino=16481 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:file_t:s0 tclass=file permissive=1
[ 50.266716] audit: type=1400 audit(1518016938.470:10): avc: denied { sys_admin } for pid=4165 comm="syz-executor0" capability=21 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=cap_userns permissive=1
[ 50.273676] IPVS: ftp: loaded support on port[0] = 21
[ 50.315466] audit: type=1400 audit(1518016938.519:11): avc: denied { net_admin } for pid=4166 comm="syz-executor0" capability=12 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=cap_userns permissive=1
[ 50.528299] ip (4204) used greatest stack depth: 16576 bytes left
[ 50.572501] IPv6: ADDRCONF(NETDEV_UP): bridge0: link is not ready
[ 50.994485] audit: type=1400 audit(1518016939.198:12): avc: denied { sys_chroot } for pid=4166 comm="syz-executor0" capability=18 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=cap_userns permissive=1
Warning: Permanently added '10.128.15.192' (ECDSA) to the list of known hosts.
2018/02/07 15:22:26 parsed 1 programs
2018/02/07 15:22:26 executed programs: 0
[ 57.968388] IPVS: ftp: loaded support on port[0] = 21
[ 58.015894] IPVS: ftp: loaded support on port[0] = 21
[ 58.061594] IPVS: ftp: loaded support on port[0] = 21
[ 58.106380] IPVS: ftp: loaded support on port[0] = 21
[ 58.143463] IPVS: ftp: loaded support on port[0] = 21
[ 58.175258] IPVS: ftp: loaded support on port[0] = 21
[ 58.204950] IPVS: ftp: loaded support on port[0] = 21
[ 58.234597] IPVS: ftp: loaded support on port[0] = 21
2018/02/07 15:22:31 executed programs: 1172
2018/02/07 15:22:36 executed programs: 2394
2018/02/07 15:22:41 executed programs: 3609
2018/02/07 15:22:46 executed programs: 4843
2018/02/07 15:22:51 executed programs: 6075
2018/02/07 15:22:56 executed programs: 7279
2018/02/07 15:23:01 executed programs: 8508
2018/02/07 15:23:06 executed programs: 9712
2018/02/07 15:23:11 executed programs: 10887
2018/02/07 15:23:16 executed programs: 12078
2018/02/07 15:23:21 executed programs: 13268
2018/02/07 15:23:26 executed programs: 14452
2018/02/07 15:23:31 executed programs: 15657
2018/02/07 15:23:36 executed programs: 16854
[ 132.183016] ==================================================================
[ 132.190569] BUG: KASAN: use-after-free in l2tp_tunnel_del_work+0x22e/0x240
[ 132.197580] Read of size 8 at addr ffff8801cd99c660 by task kworker/u4:3/87
[ 132.204674]
[ 132.206318] CPU: 1 PID: 87 Comm: kworker/u4:3 Not tainted 4.15.0+ #34
[ 132.212889] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 132.222245] Workqueue: l2tp l2tp_tunnel_del_work
[ 132.227001] Call Trace:
[ 132.229595] dump_stack+0x194/0x257
[ 132.233227] ? arch_local_irq_restore+0x53/0x53
[ 132.237900] ? show_regs_print_info+0x18/0x18
[ 132.242401] ? retint_kernel+0x10/0x10
[ 132.246308] ? l2tp_tunnel_del_work+0x22e/0x240
[ 132.250986] print_address_description+0x73/0x250
[ 132.255837] ? l2tp_tunnel_del_work+0x22e/0x240
[ 132.260516] kasan_report+0x25b/0x340
[ 132.264333] __asan_report_load8_noabort+0x14/0x20
[ 132.269274] l2tp_tunnel_del_work+0x22e/0x240
[ 132.273866] process_one_work+0xbbf/0x1af0
[ 132.278108] ? trace_hardirqs_on+0xd/0x10
[ 132.282267] ? pwq_dec_nr_in_flight+0x450/0x450
[ 132.286924] ? __schedule+0x8f3/0x2060
[ 132.290798] ? debug_check_no_locks_freed+0x3c0/0x3c0
[ 132.295967] ? check_noncircular+0x20/0x20
[ 132.300186] ? check_noncircular+0x20/0x20
[ 132.304405] ? lock_acquire+0x1d5/0x580
[ 132.308370] ? lock_acquire+0x1d5/0x580
[ 132.312319] ? worker_thread+0x4a3/0x1990
[ 132.316447] ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 132.321184] ? lock_release+0xa40/0xa40
[ 132.325146] ? retint_kernel+0x10/0x10
[ 132.329040] worker_thread+0x223/0x1990
[ 132.332995] ? lock_downgrade+0x980/0x980
[ 132.337139] ? process_one_work+0x1af0/0x1af0
[ 132.341610] ? trace_hardirqs_on_caller+0x421/0x5c0
[ 132.346606] ? account_kernel_stack+0x194/0x270
[ 132.351255] ? put_task_stack+0x116/0x270
[ 132.355387] ? finish_task_switch+0x4eb/0x740
[ 132.359885] ? copy_overflow+0x20/0x20
[ 132.363761] ? __schedule+0x8f3/0x2060
[ 132.367636] ? check_noncircular+0x20/0x20
[ 132.371848] ? find_held_lock+0x35/0x1d0
[ 132.375891] ? find_held_lock+0x35/0x1d0
[ 132.379935] ? find_held_lock+0x35/0x1d0
[ 132.383996] ? __schedule+0x2060/0x2060
[ 132.387947] ? retint_kernel+0x10/0x10
[ 132.391819] ? _raw_spin_unlock_irqrestore+0x5e/0xba
[ 132.396902] ? __kthread_parkme+0x175/0x240
[ 132.401210] kthread+0x33c/0x400
[ 132.404563] ? process_one_work+0x1af0/0x1af0
[ 132.409035] ? kthread_stop+0x7a0/0x7a0
[ 132.412989] ret_from_fork+0x3a/0x50
[ 132.416698]
[ 132.418297] Allocated by task 25324:
[ 132.421987] save_stack+0x43/0xd0
[ 132.425414] kasan_kmalloc+0xad/0xe0
[ 132.429099] kasan_slab_alloc+0x12/0x20
[ 132.433046] kmem_cache_alloc+0x12e/0x760
[ 132.437171] sock_alloc_inode+0x70/0x300
[ 132.441217] alloc_inode+0x65/0x180
[ 132.444824] new_inode_pseudo+0x69/0x190
[ 132.448864] sock_alloc+0x41/0x270
[ 132.452375] __sock_create+0x148/0x850
[ 132.456234] SyS_socket+0xeb/0x1d0
[ 132.459748] entry_SYSCALL_64_fastpath+0x29/0xa0
[ 132.464476]
[ 132.466086] Freed by task 25324:
[ 132.469430] save_stack+0x43/0xd0
[ 132.472856] kasan_slab_free+0x71/0xc0
[ 132.476717] kmem_cache_free+0x83/0x2a0
[ 132.480676] sock_destroy_inode+0x56/0x70
[ 132.484800] destroy_inode+0x15d/0x200
[ 132.488659] evict+0x57e/0x920
[ 132.491827] iput+0x7b9/0xaf0
[ 132.494907] dentry_unlink_inode+0x4b0/0x5e0
[ 132.499287] __dentry_kill+0x3de/0x700
[ 132.503145] dput.part.21+0x6fb/0x830
[ 132.506926] dput+0x1f/0x30
[ 132.509833] __fput+0x51c/0x7e0
[ 132.513083] ____fput+0x15/0x20
[ 132.516338] task_work_run+0x199/0x270
[ 132.520203] do_exit+0x9bb/0x1ad0
[ 132.523628] do_group_exit+0x149/0x400
[ 132.527488] get_signal+0x73a/0x16d0
[ 132.531185] do_signal+0x90/0x1eb0
[ 132.534704] exit_to_usermode_loop+0x258/0x2f0
[ 132.539259] syscall_return_slowpath+0x490/0x550
[ 132.543993] entry_SYSCALL_64_fastpath+0x9e/0xa0
[ 132.548722]
[ 132.550326] The buggy address belongs to the object at ffff8801cd99c640
[ 132.550326] which belongs to the cache sock_inode_cache of size 992
[ 132.563399] The buggy address is located 32 bytes inside of
[ 132.563399] 992-byte region [ffff8801cd99c640, ffff8801cd99ca20)
[ 132.575167] The buggy address belongs to the page:
[ 132.580072] page:ffffea0007366700 count:1 mapcount:0 mapping:ffff8801cd99c1c0 index:0xffff8801cd99cffd
[ 132.589501] flags: 0x2fffc0000000100(slab)
[ 132.593711] raw: 02fffc0000000100 ffff8801cd99c1c0 ffff8801cd99cffd 0000000100000003
[ 132.601568] raw: ffffea000741f4a0 ffffea000736eb20 ffff8801d980d9c0 0000000000000000
[ 132.609428] page dumped because: kasan: bad access detected
[ 132.615110]
[ 132.616711] Memory state around the buggy address:
[ 132.621617] ffff8801cd99c500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 132.628951] ffff8801cd99c580: fb fb fb fb fc fc fc fc fc fc fc fc fc fc fc fc
[ 132.636284] >ffff8801cd99c600: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
[ 132.643626] ^
[ 132.650093] ffff8801cd99c680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 132.657423] ffff8801cd99c700: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 132.664768] ==================================================================
[ 132.672098] Disabling lock debugging due to kernel taint
[ 132.677635] Kernel panic - not syncing: panic_on_warn set ...
[ 132.677635]
[ 132.684994] CPU: 1 PID: 87 Comm: kworker/u4:3 Tainted: G B 4.15.0+ #34
[ 132.692864] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 132.702220] Workqueue: l2tp l2tp_tunnel_del_work
[ 132.706971] Call Trace:
[ 132.709555] dump_stack+0x194/0x257
[ 132.713183] ? arch_local_irq_restore+0x53/0x53
[ 132.717844] ? kasan_end_report+0x32/0x50
[ 132.721987] ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 132.726735] ? vsnprintf+0x1ed/0x1900
[ 132.730524] ? l2tp_tunnel_del_work+0x170/0x240
[ 132.735180] panic+0x1e4/0x41c
[ 132.738365] ? refcount_error_report+0x214/0x214
[ 132.743119] ? add_taint+0x1c/0x50
[ 132.746651] ? add_taint+0x1c/0x50
[ 132.750186] ? l2tp_tunnel_del_work+0x22e/0x240
[ 132.754849] kasan_end_report+0x50/0x50
[ 132.758817] kasan_report+0x144/0x340
[ 132.762617] __asan_report_load8_noabort+0x14/0x20
[ 132.767542] l2tp_tunnel_del_work+0x22e/0x240
[ 132.772030] process_one_work+0xbbf/0x1af0
[ 132.776255] ? trace_hardirqs_on+0xd/0x10
[ 132.780406] ? pwq_dec_nr_in_flight+0x450/0x450
[ 132.785075] ? __schedule+0x8f3/0x2060
[ 132.788966] ? debug_check_no_locks_freed+0x3c0/0x3c0
[ 132.794153] ? check_noncircular+0x20/0x20
[ 132.798387] ? check_noncircular+0x20/0x20
[ 132.802623] ? lock_acquire+0x1d5/0x580
[ 132.806584] ? lock_acquire+0x1d5/0x580
[ 132.810552] ? worker_thread+0x4a3/0x1990
[ 132.814695] ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 132.819448] ? lock_release+0xa40/0xa40
[ 132.823416] ? retint_kernel+0x10/0x10
[ 132.827317] worker_thread+0x223/0x1990
[ 132.831293] ? lock_downgrade+0x980/0x980
[ 132.835453] ? process_one_work+0x1af0/0x1af0
[ 132.839939] ? trace_hardirqs_on_caller+0x421/0x5c0
[ 132.844950] ? account_kernel_stack+0x194/0x270
[ 132.849618] ? put_task_stack+0x116/0x270
[ 132.853764] ? finish_task_switch+0x4eb/0x740
[ 132.858257] ? copy_overflow+0x20/0x20
[ 132.862152] ? __schedule+0x8f3/0x2060
[ 132.866047] ? check_noncircular+0x20/0x20
[ 132.870276] ? find_held_lock+0x35/0x1d0
[ 132.874350] ? find_held_lock+0x35/0x1d0
[ 132.878410] ? find_held_lock+0x35/0x1d0
[ 132.882479] ? __schedule+0x2060/0x2060
[ 132.886451] ? retint_kernel+0x10/0x10
[ 132.890348] ? _raw_spin_unlock_irqrestore+0x5e/0xba
[ 132.895452] ? __kthread_parkme+0x175/0x240
[ 132.899776] kthread+0x33c/0x400
[ 132.903137] ? process_one_work+0x1af0/0x1af0
[ 132.907626] ? kthread_stop+0x7a0/0x7a0
[ 132.911595] ret_from_fork+0x3a/0x50
[ 132.915744] Dumping ftrace buffer:
[ 132.919260] (ftrace buffer empty)
[ 132.922939] Kernel Offset: disabled
[ 132.926539] Rebooting in 86400 seconds..