[ ok ] Starting mcstransd:
[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting file context maintaining daemon: restorecond.
[ ok ] Starting OpenBSD Secure Shell server: sshd.
[   18.294904] audit: type=1400 audit(1520315387.160:6): avc:  denied  { map } for  pid=4225 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1

Debian GNU/Linux 7 syzkaller ttyS0

Warning: Permanently added '10.128.0.17' (ECDSA) to the list of known hosts.
executing program
syzkaller login: [   24.598043] audit: type=1400 audit(1520315393.463:7): avc:  denied  { map } for  pid=4239 comm="syzkaller217700" path="/root/syzkaller217700407" dev="sda1" ino=16481 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
[   24.601528] ==================================================================
[   24.631322] BUG: KASAN: slab-out-of-bounds in setup_udp_tunnel_sock+0x3ee/0x5f0
[   24.638741] Write of size 1 at addr ffff8801d513c558 by task syzkaller217700/4239
[   24.646333]
[   24.647936] CPU: 0 PID: 4239 Comm: syzkaller217700 Not tainted 4.16.0-rc2+ #253
[   24.655352] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   24.664676] Call Trace:
[   24.667237]  dump_stack+0x194/0x24d
[   24.670839]  ? arch_local_irq_restore+0x53/0x53
[   24.675479]  ? show_regs_print_info+0x18/0x18
[   24.679949]  ? find_held_lock+0x35/0x1d0
[   24.683982]  ? setup_udp_tunnel_sock+0x3ee/0x5f0
[   24.688722]  print_address_description+0x73/0x250
[   24.693536]  ? setup_udp_tunnel_sock+0x3ee/0x5f0
[   24.698263]  kasan_report+0x23b/0x360
[   24.702037]  __asan_report_store1_noabort+0x17/0x20
[   24.707026]  setup_udp_tunnel_sock+0x3ee/0x5f0
[   24.711579]  ? udp_tunnel_sock_release+0x140/0x140
[   24.716489]  l2tp_tunnel_create+0x1354/0x17f0
[   24.720964]  ? l2tp_init_net+0x3c0/0x3c0
[   24.725002]  ? lock_downgrade+0x980/0x980
[   24.729131]  ? __local_bh_enable_ip+0x121/0x230
[   24.733772]  ? trace_hardirqs_on_caller+0x421/0x5c0
[   24.738757]  ? l2tp_tunnel_get+0x3c7/0x690
[   24.742960]  ? trace_hardirqs_on+0xd/0x10
[   24.747079]  ? __local_bh_enable_ip+0x121/0x230
[   24.751719]  ? l2tp_tunnel_get+0x401/0x690
[   24.755929]  ? l2tp_tunnel_find+0x680/0x680
[   24.760234]  ? mark_held_locks+0xaf/0x100
[   24.764363]  ? do_raw_spin_trylock+0x190/0x190
[   24.768919]  ? __local_bh_enable_ip+0x121/0x230
[   24.773567]  ? l2tp_session_get+0x8b0/0x8b0
[   24.777868]  ? l2tp_tunnel_del_work+0x4a0/0x4a0
[   24.782514]  ? trace_hardirqs_on+0xd/0x10
[   24.786634]  ? __local_bh_enable_ip+0x121/0x230
[   24.791290]  pppol2tp_connect+0x14b1/0x1dd0
[   24.795599]  ? pppol2tp_recv_payload_hook+0x1b0/0x1b0
[   24.800768]  ? selinux_netlbl_socket_connect+0x76/0x1b0
[   24.806108]  ? selinux_socket_connect+0x311/0x730
[   24.810927]  ? lock_downgrade+0x980/0x980
[   24.815050]  ? selinux_socket_setsockopt+0x80/0x80
[   24.819954]  ? lock_release+0xa40/0xa40
[   24.823904]  ? trace_event_raw_event_sched_switch+0x810/0x810
[   24.829765]  ? __check_object_size+0x8b/0x530
[   24.834237]  ? __might_sleep+0x95/0x190
[   24.838199]  ? security_socket_connect+0x89/0xb0
[   24.843019]  SYSC_connect+0x213/0x4a0
[   24.846794]  ? SYSC_bind+0x410/0x410
[   24.850484]  ? __handle_mm_fault+0x3b60/0x3b60
[   24.855044]  ? vmacache_find+0x5f/0x280
[   24.858996]  ? vmacache_update+0xfe/0x130
[   24.863133]  ? mm_fault_error+0x2c0/0x2c0
[   24.867253]  ? move_addr_to_kernel+0x60/0x60
[   24.871638]  ? SyS_accept+0x30/0x30
[   24.875240]  SyS_connect+0x24/0x30
[   24.878760]  do_syscall_64+0x280/0x940
[   24.882617]  ? __do_page_fault+0xc90/0xc90
[   24.886824]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[   24.891554]  ? syscall_return_slowpath+0x550/0x550
[   24.896456]  ? syscall_return_slowpath+0x2ac/0x550
[   24.901357]  ? prepare_exit_to_usermode+0x350/0x350
[   24.906345]  ? retint_user+0x18/0x18
[   24.910034]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   24.914860]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[   24.920027] RIP: 0033:0x43fd99
[   24.923196] RSP: 002b:00007ffe83de9be8 EFLAGS: 00000217 ORIG_RAX: 000000000000002a
[   24.930881] RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 000000000043fd99
[   24.938121] RDX: 000000000000002e RSI: 00000000200000c0 RDI: 0000000000000003
[   24.945360] RBP: 00000000006ca018 R08: 00000000004002c8 R09: 00000000004002c8
[   24.952599] R10: 00000000004002c8 R11: 0000000000000217 R12: 00000000004016c0
[   24.959838] R13: 0000000000401750 R14: 0000000000000000 R15: 0000000000000000
[   24.967099]
[   24.968700] Allocated by task 4239:
[   24.972310]  save_stack+0x43/0xd0
[   24.975730]  kasan_kmalloc+0xad/0xe0
[   24.979411]  kasan_slab_alloc+0x12/0x20
[   24.983356]  kmem_cache_alloc+0x12e/0x760
[   24.987484]  sk_prot_alloc+0x65/0x2a0
[   24.991257]  sk_alloc+0x105/0x1440
[   24.994766]  inet_create+0x47c/0xf50
[   24.998448]  __sock_create+0x4d4/0x850
[   25.002303]  SyS_socket+0xeb/0x1d0
[   25.005813]  do_syscall_64+0x280/0x940
[   25.009671]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[   25.014826]
[   25.016432] Freed by task 0:
[   25.019423] (stack is not available)
[   25.023102]
[   25.024702] The buggy address belongs to the object at ffff8801d513c040
[   25.024702]  which belongs to the cache RAW of size 1304
[   25.036721] The buggy address is located 0 bytes to the right of
[   25.036721]  1304-byte region [ffff8801d513c040, ffff8801d513c558)
[   25.049000] The buggy address belongs to the page:
[   25.053905] page:ffffea0007544f00 count:1 mapcount:0 mapping:ffff8801d513c040 index:0x0 compound_mapcount: 0
[   25.063844] flags: 0x2fffc0000008100(slab|head)
[   25.068482] raw: 02fffc0000008100 ffff8801d513c040 0000000000000000 0000000100000005
[   25.076332] raw: ffff8801d5870848 ffff8801d5870848 ffff8801d6be8640 0000000000000000
[   25.084179] page dumped because: kasan: bad access detected
[   25.089854]
[   25.091449] Memory state around the buggy address:
[   25.096347]  ffff8801d513c400: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   25.103673]  ffff8801d513c480: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   25.111351] >ffff8801d513c500: 00 00 00 00 00 00 00 00 00 00 00 fc fc fc fc fc
[   25.118677]                                                     ^
[   25.124877]  ffff8801d513c580: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   25.132205]  ffff8801d513c600: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   25.139960] ==================================================================
[   25.147298] Disabling lock debugging due to kernel taint
[   25.153043] Kernel panic - not syncing: panic_on_warn set ...
[   25.153043]
[   25.160390] CPU: 0 PID: 4239 Comm: syzkaller217700 Tainted: G    B            4.16.0-rc2+ #253
[   25.169105] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   25.178426] Call Trace:
[   25.180985]  dump_stack+0x194/0x24d
[   25.184589]  ? arch_local_irq_restore+0x53/0x53
[   25.189228]  ? kasan_end_report+0x32/0x50
[   25.193352]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[   25.198079]  ? vsnprintf+0x1ed/0x1900
[   25.201849]  ? setup_udp_tunnel_sock+0x340/0x5f0
[   25.206574]  panic+0x1e4/0x41c
[   25.209734]  ? refcount_error_report+0x214/0x214
[   25.214459]  ? add_taint+0x1c/0x50
[   25.217967]  ? add_taint+0x1c/0x50
[   25.221478]  ? setup_udp_tunnel_sock+0x3ee/0x5f0
[   25.226210]  kasan_end_report+0x50/0x50
[   25.230153]  kasan_report+0x148/0x360
[   25.233925]  __asan_report_store1_noabort+0x17/0x20
[   25.238911]  setup_udp_tunnel_sock+0x3ee/0x5f0
[   25.243463]  ? udp_tunnel_sock_release+0x140/0x140
[   25.248373]  l2tp_tunnel_create+0x1354/0x17f0
[   25.252843]  ? l2tp_init_net+0x3c0/0x3c0
[   25.256874]  ? lock_downgrade+0x980/0x980
[   25.260995]  ? __local_bh_enable_ip+0x121/0x230
[   25.265636]  ? trace_hardirqs_on_caller+0x421/0x5c0
[   25.270621]  ? l2tp_tunnel_get+0x3c7/0x690
[   25.274825]  ? trace_hardirqs_on+0xd/0x10
[   25.278940]  ? __local_bh_enable_ip+0x121/0x230
[   25.283584]  ? l2tp_tunnel_get+0x401/0x690
[   25.287788]  ? l2tp_tunnel_find+0x680/0x680
[   25.292078]  ? mark_held_locks+0xaf/0x100
[   25.296197]  ? do_raw_spin_trylock+0x190/0x190
[   25.300749]  ? __local_bh_enable_ip+0x121/0x230
[   25.305387]  ? l2tp_session_get+0x8b0/0x8b0
[   25.309674]  ? l2tp_tunnel_del_work+0x4a0/0x4a0
[   25.314311]  ? trace_hardirqs_on+0xd/0x10
[   25.318427]  ? __local_bh_enable_ip+0x121/0x230
[   25.323066]  pppol2tp_connect+0x14b1/0x1dd0
[   25.327363]  ? pppol2tp_recv_payload_hook+0x1b0/0x1b0
[   25.332523]  ? selinux_netlbl_socket_connect+0x76/0x1b0
[   25.337858]  ? selinux_socket_connect+0x311/0x730
[   25.342667]  ? lock_downgrade+0x980/0x980
[   25.346782]  ? selinux_socket_setsockopt+0x80/0x80
[   25.351677]  ? lock_release+0xa40/0xa40
[   25.355621]  ? trace_event_raw_event_sched_switch+0x810/0x810
[   25.361473]  ? __check_object_size+0x8b/0x530
[   25.365938]  ? __might_sleep+0x95/0x190
[   25.369895]  ? security_socket_connect+0x89/0xb0
[   25.374624]  SYSC_connect+0x213/0x4a0
[   25.378395]  ? SYSC_bind+0x410/0x410
[   25.382081]  ? __handle_mm_fault+0x3b60/0x3b60
[   25.386631]  ? vmacache_find+0x5f/0x280
[   25.390572]  ? vmacache_update+0xfe/0x130
[   25.394704]  ? mm_fault_error+0x2c0/0x2c0
[   25.398823]  ? move_addr_to_kernel+0x60/0x60
[   25.403201]  ? SyS_accept+0x30/0x30
[   25.406797]  SyS_connect+0x24/0x30
[   25.410319]  do_syscall_64+0x280/0x940
[   25.414181]  ? __do_page_fault+0xc90/0xc90
[   25.418390]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[   25.423117]  ? syscall_return_slowpath+0x550/0x550
[   25.428023]  ? syscall_return_slowpath+0x2ac/0x550
[   25.432923]  ? prepare_exit_to_usermode+0x350/0x350
[   25.437908]  ? retint_user+0x18/0x18
[   25.441591]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   25.446407]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[   25.451570] RIP: 0033:0x43fd99
[   25.454730] RSP: 002b:00007ffe83de9be8 EFLAGS: 00000217 ORIG_RAX: 000000000000002a
[   25.462405] RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 000000000043fd99
[   25.469643] RDX: 000000000000002e RSI: 00000000200000c0 RDI: 0000000000000003
[   25.476881] RBP: 00000000006ca018 R08: 00000000004002c8 R09: 00000000004002c8
[   25.484120] R10: 00000000004002c8 R11: 0000000000000217 R12: 00000000004016c0
[   25.491360] R13: 0000000000401750 R14: 0000000000000000 R15: 0000000000000000
[   25.498992] Dumping ftrace buffer:
[   25.502507]    (ftrace buffer empty)
[   25.506185] Kernel Offset: disabled
[   25.509780] Rebooting in 86400 seconds..
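Added triage example, not part of the syzkaller report above and not syzkaller's own code: a small Python parser that pulls the structured facts out of a KASAN slab report like this one, keeps only the stack frames the unwinder marks as reliable (the "?" entries are stale stack slots, not a real call chain), recovers which system call allocated the object and which one overran it, and cross-checks the addresses KASAN printed against each other. The embedded SAMPLE_REPORT is a constructed, shortened copy of the lines above; every function, regex and constant name in the block is this example's own.

```python
"""Triage helper for a KASAN slab report. Added example, not part of the log above and not
syzkaller code: it parses the report, recovers the syscall paths that allocated and overran
the object, and cross-checks the numbers KASAN printed against each other."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample: lines copied from the report above; the '?' frames (stale stack slots
# the unwinder does not trust) and several reliable frames are left out for brevity.
SAMPLE_REPORT = """\
[   24.631322] BUG: KASAN: slab-out-of-bounds in setup_udp_tunnel_sock+0x3ee/0x5f0
[   24.638741] Write of size 1 at addr ffff8801d513c558 by task syzkaller217700/4239
[   24.664676] Call Trace:
[   24.667237]  dump_stack+0x194/0x24d
[   24.683982]  ? setup_udp_tunnel_sock+0x3ee/0x5f0
[   24.698263]  kasan_report+0x23b/0x360
[   24.707026]  setup_udp_tunnel_sock+0x3ee/0x5f0
[   24.716489]  l2tp_tunnel_create+0x1354/0x17f0
[   24.791290]  pppol2tp_connect+0x14b1/0x1dd0
[   24.875240]  SyS_connect+0x24/0x30
[   24.968700] Allocated by task 4239:
[   24.975730]  kasan_kmalloc+0xad/0xe0
[   24.983356]  kmem_cache_alloc+0x12e/0x760
[   24.994766]  inet_create+0x47c/0xf50
[   25.002303]  SyS_socket+0xeb/0x1d0
[   25.024702] The buggy address belongs to the object at ffff8801d513c040
[   25.024702]  which belongs to the cache RAW of size 1304
[   25.036721] The buggy address is located 0 bytes to the right of
[   25.036721]  1304-byte region [ffff8801d513c040, ffff8801d513c558)
[   25.153043] Kernel panic - not syncing: panic_on_warn set ...
"""

_TS = re.compile(r"^\[\s*\d+\.\d+\]\s?")
_FRAME = re.compile(r"^(?P<stale>\? )?(?P<sym>[A-Za-z_][\w.]*)\+0x[0-9a-f]+/0x[0-9a-f]+$")
_SYSCALL = re.compile(r"^(?:SyS_|sys_|ksys_|__x64_sys_|__se_sys_|__do_sys_)(\w+)$")
_FACTS = [re.compile(p) for p in (  # one pattern per fact line; the named groups are kept
    r"BUG: KASAN: (?P<type>[\w-]+) in (?P<func>[\w.]+)\+0x",
    r"(?P<kind>Read|Write) of size (?P<size>\d+) at addr (?P<addr>[0-9a-f]+) by task (?P<task>\S+)/(?P<pid>\d+)",
    r"belongs to the object at (?P<obj>[0-9a-f]+)",
    r"belongs to the cache (?P<cache>\S+) of size (?P<csize>\d+)",
    r"located (?P<n>\d+) bytes (?:to the )?(?P<side>left|right|inside) of",
    r"(?P<rsize>\d+)-byte region \[(?P<lo>[0-9a-f]+), (?P<hi>[0-9a-f]+)\)",
    r"Kernel panic - not syncing: (?P<reason>.*)")]
# Sanitizer and dump machinery: present in every report, never the culprit.
_INSTRUMENTATION = ("dump_stack", "print_address_description", "kasan_", "__kasan_", "__asan_", "save_stack")

@dataclass
class KasanReport:
    facts: dict = field(default_factory=dict)            # named groups from _FACTS
    call_trace: List[str] = field(default_factory=list)  # reliable frames only
    alloc_trace: List[str] = field(default_factory=list)

    def val(self, key: str, base: int = 10) -> int:
        return int(self.facts[key], base)

    def bytes_past_end(self) -> int:  # 0 == the first byte after the reported region
        return self.val("addr", 16) - self.val("hi", 16)

    def is_consistent(self) -> bool:  # KASAN states the location three ways; they must agree
        lo, hi, addr = self.val("lo", 16), self.val("hi", 16), self.val("addr", 16)
        if lo != self.val("obj", 16) or hi != lo + self.val("rsize") or self.val("rsize") > self.val("csize"):
            return False
        distance = {"right": addr - hi, "left": lo - addr, "inside": addr - lo}
        return distance.get(self.facts.get("side")) == self.val("n")

def parse_kasan_report(text: str) -> KasanReport:
    r, section = KasanReport(), None              # section: the stack being collected
    for raw in text.splitlines():
        line = _TS.sub("", raw).strip()
        m = _FRAME.match(line)
        if m and section is not None:
            if not m["stale"]:                    # '?' frames are guesses: drop them
                section.append(m["sym"])
            continue
        section = None                            # any other line (or a blank) ends the stack
        if line == "Call Trace:":
            section = r.call_trace
        elif line.startswith("Allocated by task"):
            section = r.alloc_trace
        else:
            for m in (p.search(line) for p in _FACTS):
                if m:
                    r.facts.update(m.groupdict())
                    break
    return r

def real_frames(trace: List[str]) -> List[str]:  # first entry: the code that touched memory
    return [s for s in trace if not s.startswith(_INSTRUMENTATION)]

def entry_syscall(trace: List[str]) -> Optional[str]:  # syscall the stack came in through
    return next((m.group(1) for m in map(_SYSCALL.match, trace) if m), None)

def summarize(r: KasanReport) -> str:
    f, past, culprit = r.facts, r.bytes_past_end(), (real_frames(r.call_trace) or ["?"])[0]
    where = f"{past} byte(s) past the end of" if past >= 0 else f"{-past} byte(s) before the end of"
    lines = [f"{f['type']}: {f['kind']} of {f['size']} byte(s) in {culprit}, by task {f['task']}/{f['pid']}",
             f"  target: {f['cache']} object of {f['csize']} bytes; access is {where} its {f['rsize']}-byte"
             f" region; report numbers consistent: {r.is_consistent()}",
             f"  allocated by {entry_syscall(r.alloc_trace)}() via {' <- '.join(real_frames(r.alloc_trace)[:3])};"
             f" overrun by {entry_syscall(r.call_trace)}()"]
    if "reason" in f: lines.append(f"  report escalated to a panic: {f['reason']}")
    return "\n".join(lines)
```

`print(summarize(parse_kasan_report(SAMPLE_REPORT)))` gives the three-line triage summary plus the panic note. For this report the numbers check out: the one-byte write lands at offset 1304 of a 1304-byte object from the RAW socket cache, the first byte past it, the object was created by socket() through inet_create, and the write comes from connect() through pppol2tp_connect and l2tp_tunnel_create. A RAW-cache socket reaching a function called setup_udp_tunnel_sock is the lead to take to the source (whether the L2TP connect path accepts a socket that is not a UDP socket); the parser surfaces that evidence, it does not prove the cause. The last line is the operational caveat: this kernel runs with panic_on_warn, so the sanitizer report is itself fatal, and on such a build the fuzzer's input is a reliable crash rather than a logged warning.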