[....] Starting enhanced syslogd: rsyslogd[ 17.296295] audit: type=1400 audit(1519700255.083:5): avc: denied { syslog } for pid=4083 comm="rsyslogd" capability=34 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=capability2 permissive=1 [ ok ]. [....] Starting periodic command scheduler: cron [ ok ]. Starting mcstransd: [....] Starting file context maintaining daemon: restorecond [ ok ]. [....] Starting OpenBSD Secure Shell server: sshd [ ok ]. Debian GNU/Linux 7 syzkaller ttyS0 syzkaller login: [ 22.412267] audit: type=1400 audit(1519700260.198:6): avc: denied { map } for pid=4223 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1 Warning: Permanently added '10.128.15.220' (ECDSA) to the list of known hosts. executing program [ 31.271227] audit: type=1400 audit(1519700269.058:7): avc: denied { map } for pid=4237 comm="syzkaller200378" path="/root/syzkaller200378723" dev="sda1" ino=16481 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1 [ 31.274915] ================================================================== [ 31.304541] BUG: KASAN: stack-out-of-bounds in xfrm_state_find+0x30de/0x3210 [ 31.311706] Read of size 4 at addr ffff8801b09e7480 by task syzkaller200378/4237 [ 31.319214] [ 31.320819] CPU: 1 PID: 4237 Comm: syzkaller200378 Not tainted 4.16.0-rc2+ #242 [ 31.328236] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 31.337562] Call Trace: [ 31.340131] dump_stack+0x194/0x24d [ 31.343737] ? arch_local_irq_restore+0x53/0x53 [ 31.348381] ? show_regs_print_info+0x18/0x18 [ 31.352853] ? lock_release+0xa40/0xa40 [ 31.356803] ? xfrm_state_find+0x30de/0x3210 [ 31.361190] print_address_description+0x73/0x250 [ 31.366012] ? 
xfrm_state_find+0x30de/0x3210 [ 31.370396] kasan_report+0x23b/0x360 [ 31.374176] __asan_report_load4_noabort+0x14/0x20 [ 31.379079] xfrm_state_find+0x30de/0x3210 [ 31.383291] ? check_noncircular+0x20/0x20 [ 31.387514] ? xfrm_state_afinfo_get_rcu+0x160/0x160 [ 31.392596] ? print_irqtrace_events+0x270/0x270 [ 31.397323] ? print_irqtrace_events+0x270/0x270 [ 31.402057] ? get_page_from_freelist+0x3423/0x52d0 [ 31.407051] ? lock_downgrade+0x980/0x980 [ 31.411175] ? set_pageblock_migratetype+0x40/0x40 [ 31.416087] ? mark_held_locks+0xaf/0x100 [ 31.420216] ? get_page_from_freelist+0xa80/0x52d0 [ 31.425123] ? kernel_poison_pages+0xce/0x1f0 [ 31.429594] ? kasan_unpoison_shadow+0x35/0x50 [ 31.434153] ? print_irqtrace_events+0x270/0x270 [ 31.438885] ? get_page_from_freelist+0x2d7f/0x52d0 [ 31.443876] ? get_page_from_freelist+0x2deb/0x52d0 [ 31.448890] ? print_irqtrace_events+0x270/0x270 [ 31.453622] ? __lock_acquire+0x664/0x3e00 [ 31.457834] ? print_irqtrace_events+0x270/0x270 [ 31.462564] ? __bfs+0xaa/0x750 [ 31.465842] xfrm_tmpl_resolve+0x2ee/0xc40 [ 31.470073] ? __xfrm_decode_session+0x110/0x110 [ 31.474803] ? __lock_is_held+0xb6/0x140 [ 31.478850] ? rcu_read_lock_sched_held+0x108/0x120 [ 31.483839] ? fib_table_lookup+0xa04/0x1ba0 [ 31.488229] xfrm_resolve_and_create_bundle+0x184/0x28d0 [ 31.493654] ? call_fib_entry_notifiers+0x4f0/0x4f0 [ 31.498646] ? check_noncircular+0x20/0x20 [ 31.502864] ? xfrm_tmpl_resolve+0xc40/0xc40 [ 31.507270] ? __lock_is_held+0xb6/0x140 [ 31.511311] ? find_held_lock+0x35/0x1d0 [ 31.515352] ? xfrm_sk_policy_lookup+0x34c/0x4e0 [ 31.520085] ? lock_downgrade+0x980/0x980 [ 31.524213] ? lock_release+0xa40/0xa40 [ 31.528164] ? refcount_inc_not_zero+0xfe/0x180 [ 31.532811] ? selinux_xfrm_policy_lookup+0xac/0xd0 [ 31.537804] ? security_xfrm_policy_lookup+0x92/0xc0 [ 31.542889] ? xfrm_sk_policy_lookup+0x375/0x4e0 [ 31.547622] ? xfrm_selector_match+0xe00/0xe00 [ 31.552186] xfrm_lookup+0xfcb/0x25c0 [ 31.555957] ? xfrm_lookup+0xfcb/0x25c0 [ 31.559908] ? 
check_noncircular+0x20/0x20 [ 31.564123] ? xfrm_policy_lookup+0x70/0x70 [ 31.568423] ? lock_downgrade+0x980/0x980 [ 31.572547] ? find_held_lock+0x35/0x1d0 [ 31.576592] ? ip_route_output_key_hash+0x229/0x370 [ 31.581583] ? lock_downgrade+0x980/0x980 [ 31.585709] ? lock_release+0xa40/0xa40 [ 31.589656] ? print_irqtrace_events+0x270/0x270 [ 31.594387] ? find_held_lock+0x35/0x1d0 [ 31.598434] ? ip_route_output_key_hash+0x252/0x370 [ 31.603424] ? ip_route_output_key_hash_rcu+0x2fe0/0x2fe0 [ 31.608932] ? lock_release+0xa40/0xa40 [ 31.612890] xfrm_lookup_route+0x39/0x1a0 [ 31.617026] ip_route_output_flow+0x7c/0xa0 [ 31.621331] udp_sendmsg+0x19bd/0x2f70 [ 31.625197] ? ip_reply_glue_bits+0xb0/0xb0 [ 31.629493] ? kasan_unpoison_object_data+0x10/0x20 [ 31.634487] ? udp4_lib_lookup2+0x310/0x310 [ 31.638783] ? debug_check_no_obj_freed+0x3da/0xf1f [ 31.643770] ? xfrm_sk_policy_insert+0x358/0x580 [ 31.648507] ? trace_hardirqs_on_caller+0x421/0x5c0 [ 31.653502] ? free_obj_work+0x690/0x690 [ 31.657540] ? check_noncircular+0x20/0x20 [ 31.661758] ? debug_check_no_locks_freed+0x3c0/0x3c0 [ 31.666923] ? reacquire_held_locks+0x1f9/0x3e0 [ 31.671567] ? reacquire_held_locks+0x1f9/0x3e0 [ 31.676212] ? find_held_lock+0x35/0x1d0 [ 31.680256] udpv6_sendmsg+0x757/0x3400 [ 31.684209] ? avc_has_perm+0x35e/0x680 [ 31.688170] ? km_migrate+0x340/0x340 [ 31.691952] ? udpv6_setsockopt+0x80/0x80 [ 31.696093] ? avc_has_perm+0x43e/0x680 [ 31.700048] ? avc_has_perm_noaudit+0x520/0x520 [ 31.704695] ? find_held_lock+0x35/0x1d0 [ 31.708757] ? lock_downgrade+0x980/0x980 [ 31.712892] ? check_noncircular+0x20/0x20 [ 31.717127] ? rw_copy_check_uvector+0x1be/0x280 [ 31.721884] ? udp_lib_rehash+0x5aa/0x920 [ 31.726035] ? sock_has_perm+0x2a4/0x420 [ 31.730073] ? selinux_secmark_relabel_packet+0xc0/0xc0 [ 31.735412] ? dup_iter+0x182/0x260 [ 31.739036] inet_sendmsg+0x11f/0x5e0 [ 31.742817] ? inet_sendmsg+0x11f/0x5e0 [ 31.746767] ? copy_msghdr_from_user+0x3a6/0x590 [ 31.751498] ? 
inet_create+0xf50/0xf50 [ 31.755368] ? selinux_socket_sendmsg+0x36/0x40 [ 31.760015] ? security_socket_sendmsg+0x89/0xb0 [ 31.764749] ? inet_create+0xf50/0xf50 [ 31.768612] sock_sendmsg+0xca/0x110 [ 31.772302] ___sys_sendmsg+0x767/0x8b0 [ 31.776251] ? copy_msghdr_from_user+0x590/0x590 [ 31.780978] ? avc_has_perm_noaudit+0x520/0x520 [ 31.785624] ? lock_release+0xa40/0xa40 [ 31.789570] ? __ip4_datagram_connect+0xa3a/0x1240 [ 31.794474] ? lock_acquire+0x1d5/0x580 [ 31.798423] ? lock_sock_nested+0xa3/0x110 [ 31.802631] ? lock_acquire+0x1d5/0x580 [ 31.806580] ? __local_bh_enable_ip+0x121/0x230 [ 31.811223] ? release_sock+0x1d4/0x2a0 [ 31.815169] ? trace_hardirqs_on+0xd/0x10 [ 31.819290] ? __local_bh_enable_ip+0x121/0x230 [ 31.823931] ? __fget_light+0x2b2/0x3c0 [ 31.827881] ? fget_raw+0x20/0x20 [ 31.831307] ? release_sock+0x1d4/0x2a0 [ 31.835259] ? sock_has_perm+0x2a4/0x420 [ 31.839303] ? selinux_netlbl_socket_setsockopt+0x10c/0x460 [ 31.844997] __sys_sendmsg+0xe5/0x210 [ 31.848776] ? __sys_sendmsg+0xe5/0x210 [ 31.852722] ? SyS_shutdown+0x290/0x290 [ 31.856670] ? sock_common_setsockopt+0x95/0xd0 [ 31.861314] ? SyS_setsockopt+0x215/0x360 [ 31.865442] ? move_addr_to_kernel+0x60/0x60 [ 31.869827] ? __sys_sendmsg+0x210/0x210 [ 31.873864] SyS_sendmsg+0x2d/0x50 [ 31.877383] do_syscall_64+0x280/0x940 [ 31.881242] ? __do_page_fault+0xc90/0xc90 [ 31.885448] ? trace_hardirqs_on_thunk+0x1a/0x1c [ 31.890179] ? syscall_return_slowpath+0x550/0x550 [ 31.895080] ? syscall_return_slowpath+0x2ac/0x550 [ 31.899981] ? prepare_exit_to_usermode+0x350/0x350 [ 31.904975] ? entry_SYSCALL_64_after_hwframe+0x52/0xb7 [ 31.910314] ? 
trace_hardirqs_off_thunk+0x1a/0x1c [ 31.915136] entry_SYSCALL_64_after_hwframe+0x42/0xb7 [ 31.920296] RIP: 0033:0x4402a9 [ 31.923458] RSP: 002b:00007ffc2e9f6d58 EFLAGS: 00000217 ORIG_RAX: 000000000000002e [ 31.931140] RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 00000000004402a9 [ 31.938381] RDX: 0000000000000000 RSI: 0000000020000580 RDI: 0000000000000003 [ 31.945624] RBP: 00000000006ca018 R08: 0000000000000000 R09: 0000000000000000 [ 31.952868] R10: 00000000000000e8 R11: 0000000000000217 R12: 0000000000401bd0 [ 31.960107] R13: 0000000000401c60 R14: 0000000000000000 R15: 0000000000000000 [ 31.967366] [ 31.968964] The buggy address belongs to the page: [ 31.973873] page:ffffea0006c279c0 count:0 mapcount:0 mapping:0000000000000000 index:0x0 [ 31.982413] flags: 0x2fffc0000000000() [ 31.986283] raw: 02fffc0000000000 0000000000000000 0000000000000000 00000000ffffffff [ 31.994140] raw: 0000000000000000 ffffea0006c20101 0000000000000000 0000000000000000 [ 32.001992] page dumped because: kasan: bad access detected [ 32.007679] [ 32.009293] Memory state around the buggy address: [ 32.014198] ffff8801b09e7380: f2 00 f2 f2 f2 f2 f2 f2 f2 f8 f2 f2 f2 f2 f2 f2 [ 32.021530] ffff8801b09e7400: f2 00 00 00 00 f2 f2 f2 f2 00 00 00 00 00 00 00 [ 32.028859] >ffff8801b09e7480: f2 f2 f2 f2 f2 00 00 00 00 00 00 00 00 00 f2 f2 [ 32.036186] ^ [ 32.039524] ffff8801b09e7500: f2 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 32.046855] ffff8801b09e7580: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f1 f1 [ 32.054181] ================================================================== [ 32.061508] Disabling lock debugging due to kernel taint [ 32.066971] Kernel panic - not syncing: panic_on_warn set ... [ 32.066971] [ 32.074316] CPU: 1 PID: 4237 Comm: syzkaller200378 Tainted: G B 4.16.0-rc2+ #242 [ 32.083044] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 32.092369] Call Trace: [ 32.094935] dump_stack+0x194/0x24d [ 32.098534] ? 
arch_local_irq_restore+0x53/0x53 [ 32.103172] ? kasan_end_report+0x32/0x50 [ 32.107294] ? trace_hardirqs_on_thunk+0x1a/0x1c [ 32.112024] ? vsnprintf+0x1ed/0x1900 [ 32.115798] ? xfrm_state_find+0x3000/0x3210 [ 32.120181] panic+0x1e4/0x41c [ 32.123343] ? refcount_error_report+0x214/0x214 [ 32.128071] ? add_taint+0x1c/0x50 [ 32.131582] ? add_taint+0x1c/0x50 [ 32.135092] ? xfrm_state_find+0x30de/0x3210 [ 32.139471] kasan_end_report+0x50/0x50 [ 32.143414] kasan_report+0x148/0x360 [ 32.147187] __asan_report_load4_noabort+0x14/0x20 [ 32.152087] xfrm_state_find+0x30de/0x3210 [ 32.156294] ? check_noncircular+0x20/0x20 [ 32.160508] ? xfrm_state_afinfo_get_rcu+0x160/0x160 [ 32.165587] ? print_irqtrace_events+0x270/0x270 [ 32.170311] ? print_irqtrace_events+0x270/0x270 [ 32.175042] ? get_page_from_freelist+0x3423/0x52d0 [ 32.180032] ? lock_downgrade+0x980/0x980 [ 32.184162] ? set_pageblock_migratetype+0x40/0x40 [ 32.189073] ? mark_held_locks+0xaf/0x100 [ 32.193198] ? get_page_from_freelist+0xa80/0x52d0 [ 32.198100] ? kernel_poison_pages+0xce/0x1f0 [ 32.202567] ? kasan_unpoison_shadow+0x35/0x50 [ 32.207123] ? print_irqtrace_events+0x270/0x270 [ 32.211860] ? get_page_from_freelist+0x2d7f/0x52d0 [ 32.216853] ? get_page_from_freelist+0x2deb/0x52d0 [ 32.221854] ? print_irqtrace_events+0x270/0x270 [ 32.226593] ? __lock_acquire+0x664/0x3e00 [ 32.230799] ? print_irqtrace_events+0x270/0x270 [ 32.235529] ? __bfs+0xaa/0x750 [ 32.238790] xfrm_tmpl_resolve+0x2ee/0xc40 [ 32.243006] ? __xfrm_decode_session+0x110/0x110 [ 32.247759] ? __lock_is_held+0xb6/0x140 [ 32.251794] ? rcu_read_lock_sched_held+0x108/0x120 [ 32.256794] ? fib_table_lookup+0xa04/0x1ba0 [ 32.261190] xfrm_resolve_and_create_bundle+0x184/0x28d0 [ 32.266617] ? call_fib_entry_notifiers+0x4f0/0x4f0 [ 32.271620] ? check_noncircular+0x20/0x20 [ 32.275844] ? xfrm_tmpl_resolve+0xc40/0xc40 [ 32.280231] ? __lock_is_held+0xb6/0x140 [ 32.284265] ? find_held_lock+0x35/0x1d0 [ 32.288301] ? xfrm_sk_policy_lookup+0x34c/0x4e0 [ 32.293028] ? 
lock_downgrade+0x980/0x980 [ 32.297148] ? lock_release+0xa40/0xa40 [ 32.301094] ? refcount_inc_not_zero+0xfe/0x180 [ 32.305737] ? selinux_xfrm_policy_lookup+0xac/0xd0 [ 32.310726] ? security_xfrm_policy_lookup+0x92/0xc0 [ 32.315799] ? xfrm_sk_policy_lookup+0x375/0x4e0 [ 32.320529] ? xfrm_selector_match+0xe00/0xe00 [ 32.325084] xfrm_lookup+0xfcb/0x25c0 [ 32.328853] ? xfrm_lookup+0xfcb/0x25c0 [ 32.332800] ? check_noncircular+0x20/0x20 [ 32.337011] ? xfrm_policy_lookup+0x70/0x70 [ 32.341319] ? lock_downgrade+0x980/0x980 [ 32.345438] ? find_held_lock+0x35/0x1d0 [ 32.349475] ? ip_route_output_key_hash+0x229/0x370 [ 32.354462] ? lock_downgrade+0x980/0x980 [ 32.358581] ? lock_release+0xa40/0xa40 [ 32.362527] ? print_irqtrace_events+0x270/0x270 [ 32.367256] ? find_held_lock+0x35/0x1d0 [ 32.371295] ? ip_route_output_key_hash+0x252/0x370 [ 32.376282] ? ip_route_output_key_hash_rcu+0x2fe0/0x2fe0 [ 32.381790] ? lock_release+0xa40/0xa40 [ 32.385742] xfrm_lookup_route+0x39/0x1a0 [ 32.389863] ip_route_output_flow+0x7c/0xa0 [ 32.394155] udp_sendmsg+0x19bd/0x2f70 [ 32.398022] ? ip_reply_glue_bits+0xb0/0xb0 [ 32.402320] ? kasan_unpoison_object_data+0x10/0x20 [ 32.407310] ? udp4_lib_lookup2+0x310/0x310 [ 32.411604] ? debug_check_no_obj_freed+0x3da/0xf1f [ 32.416591] ? xfrm_sk_policy_insert+0x358/0x580 [ 32.421318] ? trace_hardirqs_on_caller+0x421/0x5c0 [ 32.426309] ? free_obj_work+0x690/0x690 [ 32.430342] ? check_noncircular+0x20/0x20 [ 32.434551] ? debug_check_no_locks_freed+0x3c0/0x3c0 [ 32.439710] ? reacquire_held_locks+0x1f9/0x3e0 [ 32.444349] ? reacquire_held_locks+0x1f9/0x3e0 [ 32.448988] ? find_held_lock+0x35/0x1d0 [ 32.453029] udpv6_sendmsg+0x757/0x3400 [ 32.456986] ? avc_has_perm+0x35e/0x680 [ 32.460933] ? km_migrate+0x340/0x340 [ 32.464709] ? udpv6_setsockopt+0x80/0x80 [ 32.468839] ? avc_has_perm+0x43e/0x680 [ 32.472787] ? avc_has_perm_noaudit+0x520/0x520 [ 32.477437] ? find_held_lock+0x35/0x1d0 [ 32.481475] ? lock_downgrade+0x980/0x980 [ 32.485590] ? 
check_noncircular+0x20/0x20 [ 32.489800] ? rw_copy_check_uvector+0x1be/0x280 [ 32.494527] ? udp_lib_rehash+0x5aa/0x920 [ 32.498650] ? sock_has_perm+0x2a4/0x420 [ 32.502684] ? selinux_secmark_relabel_packet+0xc0/0xc0 [ 32.508025] ? dup_iter+0x182/0x260 [ 32.511629] inet_sendmsg+0x11f/0x5e0 [ 32.515401] ? inet_sendmsg+0x11f/0x5e0 [ 32.519346] ? copy_msghdr_from_user+0x3a6/0x590 [ 32.524073] ? inet_create+0xf50/0xf50 [ 32.527930] ? selinux_socket_sendmsg+0x36/0x40 [ 32.532568] ? security_socket_sendmsg+0x89/0xb0 [ 32.537295] ? inet_create+0xf50/0xf50 [ 32.541152] sock_sendmsg+0xca/0x110 [ 32.544836] ___sys_sendmsg+0x767/0x8b0 [ 32.548784] ? copy_msghdr_from_user+0x590/0x590 [ 32.553510] ? avc_has_perm_noaudit+0x520/0x520 [ 32.558150] ? lock_release+0xa40/0xa40 [ 32.562096] ? __ip4_datagram_connect+0xa3a/0x1240 [ 32.566996] ? lock_acquire+0x1d5/0x580 [ 32.570947] ? lock_sock_nested+0xa3/0x110 [ 32.575154] ? lock_acquire+0x1d5/0x580 [ 32.579102] ? __local_bh_enable_ip+0x121/0x230 [ 32.583748] ? release_sock+0x1d4/0x2a0 [ 32.587699] ? trace_hardirqs_on+0xd/0x10 [ 32.591823] ? __local_bh_enable_ip+0x121/0x230 [ 32.596481] ? __fget_light+0x2b2/0x3c0 [ 32.600441] ? fget_raw+0x20/0x20 [ 32.603869] ? release_sock+0x1d4/0x2a0 [ 32.607822] ? sock_has_perm+0x2a4/0x420 [ 32.611857] ? selinux_netlbl_socket_setsockopt+0x10c/0x460 [ 32.617548] __sys_sendmsg+0xe5/0x210 [ 32.621317] ? __sys_sendmsg+0xe5/0x210 [ 32.625259] ? SyS_shutdown+0x290/0x290 [ 32.629203] ? sock_common_setsockopt+0x95/0xd0 [ 32.633843] ? SyS_setsockopt+0x215/0x360 [ 32.637963] ? move_addr_to_kernel+0x60/0x60 [ 32.642341] ? __sys_sendmsg+0x210/0x210 [ 32.646371] SyS_sendmsg+0x2d/0x50 [ 32.649885] do_syscall_64+0x280/0x940 [ 32.653744] ? __do_page_fault+0xc90/0xc90 [ 32.657950] ? trace_hardirqs_on_thunk+0x1a/0x1c [ 32.662674] ? syscall_return_slowpath+0x550/0x550 [ 32.667577] ? syscall_return_slowpath+0x2ac/0x550 [ 32.672479] ? prepare_exit_to_usermode+0x350/0x350 [ 32.677477] ? 
entry_SYSCALL_64_after_hwframe+0x52/0xb7 [ 32.682825] ? trace_hardirqs_off_thunk+0x1a/0x1c [ 32.687643] entry_SYSCALL_64_after_hwframe+0x42/0xb7 [ 32.692800] RIP: 0033:0x4402a9 [ 32.695960] RSP: 002b:00007ffc2e9f6d58 EFLAGS: 00000217 ORIG_RAX: 000000000000002e [ 32.703636] RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 00000000004402a9 [ 32.710875] RDX: 0000000000000000 RSI: 0000000020000580 RDI: 0000000000000003 [ 32.718113] RBP: 00000000006ca018 R08: 0000000000000000 R09: 0000000000000000 [ 32.725352] R10: 00000000000000e8 R11: 0000000000000217 R12: 0000000000401bd0 [ 32.732591] R13: 0000000000401c60 R14: 0000000000000000 R15: 0000000000000000 [ 32.740323] Dumping ftrace buffer: [ 32.743844] (ftrace buffer empty) [ 32.747533] Kernel Offset: disabled [ 32.751131] Rebooting in 86400 seconds..