[....] Starting enhanced syslogd: rsyslogd
[ 11.159188] audit: type=1400 audit(1515796043.860:4): avc: denied { syslog } for pid=3187 comm="rsyslogd" capability=34 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=capability2 permissive=1
[ ok ].
[....] Starting periodic command scheduler: cron [ ok ].
Starting mcstransd:
[....] Starting file context maintaining daemon: restorecond [ ok ].
[....] Starting OpenBSD Secure Shell server: sshd [ ok ].

Debian GNU/Linux 7 syzkaller ttyS0

Warning: Permanently added '10.128.0.17' (ECDSA) to the list of known hosts.
executing program
syzkaller login: [ 28.021160] device syz0 entered promiscuous mode
[ 28.054037] ==================================================================
[ 28.061418] BUG: KASAN: slab-out-of-bounds in __dev_queue_xmit+0x1db6/0x1e60
[ 28.068577] Read of size 2 at addr ffff8801ca233a60 by task syzkaller440157/3345
[ 28.076073]
[ 28.077671] CPU: 0 PID: 3345 Comm: syzkaller440157 Not tainted 4.9.76-g8e170a5 #21
[ 28.085368] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 28.094689]  ffff8801c8397688 ffffffff81d93149 ffffea0007288c00 ffff8801ca233a60
[ 28.102633]  0000000000000000 ffff8801ca233a60 0000000000000005 ffff8801c83976c0
[ 28.110618]  ffffffff8153cb43 ffff8801ca233a60 0000000000000002 0000000000000000
[ 28.118581] Call Trace:
[ 28.121139]  [] dump_stack+0xc1/0x128
[ 28.126488]  [] print_address_description+0x73/0x280
[ 28.133120]  [] kasan_report+0x275/0x360
[ 28.138717]  [] ? __dev_queue_xmit+0x1db6/0x1e60
[ 28.145035]  [] __asan_report_load2_noabort+0x14/0x20
[ 28.151764]  [] __dev_queue_xmit+0x1db6/0x1e60
[ 28.157891]  [] ? __dev_queue_xmit+0x1d4/0x1e60
[ 28.164087]  [] ? 0xffffffff810002b8
[ 28.169329]  [] ? netdev_pick_tx+0x300/0x300
[ 28.175267]  [] ? check_preemption_disabled+0x3b/0x200
[ 28.182074]  [] ? tun_select_queue+0x30a/0x480
[ 28.188194]  [] ? tun_select_queue+0x331/0x480
[ 28.194304]  [] ? tun_chr_read_iter+0x1f0/0x1f0
[ 28.200502]  [] ? tun_chr_read_iter+0x1f0/0x1f0
[ 28.206703]  [] dev_queue_xmit+0x17/0x20
[ 28.212303]  [] packet_sendmsg+0x2ccc/0x4760
[ 28.218242]  [] ? avc_has_perm+0x2fd/0x4f0
[ 28.224004]  [] ? avc_has_perm+0xb0/0x4f0
[ 28.229687]  [] ? avc_has_perm_noaudit+0x450/0x450
[ 28.236147]  [] ? assoc_array_gc+0x12c1/0x1300
[ 28.242259]  [] ? packet_cached_dev_get+0x200/0x200
[ 28.248803]  [] ? sock_has_perm+0x292/0x3e0
[ 28.254661]  [] ? sock_has_perm+0x9f/0x3e0
[ 28.260429]  [] ? selinux_file_send_sigiotask+0x310/0x310
[ 28.267496]  [] ? selinux_socket_sendmsg+0x3f/0x50
[ 28.273953]  [] ? security_socket_sendmsg+0x89/0xb0
[ 28.280497]  [] ? packet_cached_dev_get+0x200/0x200
[ 28.287043]  [] sock_sendmsg+0xca/0x110
[ 28.292549]  [] sock_write_iter+0x226/0x3b0
[ 28.298411]  [] ? avc_has_perm_noaudit+0x450/0x450
[ 28.304870]  [] ? sock_sendmsg+0x110/0x110
[ 28.310645]  [] ? iov_iter_init+0xaf/0x1d0
[ 28.316412]  [] __vfs_write+0x4bf/0x680
[ 28.321913]  [] ? do_iter_readv_writev+0x400/0x400
[ 28.328372]  [] ? selinux_file_permission+0x82/0x460
[ 28.335010]  [] ? rw_verify_area+0xe5/0x2b0
[ 28.340859]  [] vfs_write+0x189/0x530
[ 28.346189]  [] SyS_write+0xd9/0x1b0
[ 28.351432]  [] ? SyS_read+0x1b0/0x1b0
[ 28.356849]  [] ? do_fast_syscall_32+0xcf/0x890
[ 28.363047]  [] ? SyS_read+0x1b0/0x1b0
[ 28.368465]  [] do_fast_syscall_32+0x2f7/0x890
[ 28.374581]  [] ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 28.381215]  [] entry_SYSENTER_compat+0x74/0x83
[ 28.387414]
[ 28.389007] Allocated by task 3345:
[ 28.392598]  save_stack_trace+0x16/0x20
[ 28.396542]  save_stack+0x43/0xd0
[ 28.399958]  kasan_kmalloc+0xad/0xe0
[ 28.403633]  kasan_slab_alloc+0x12/0x20
[ 28.407571]  __kmalloc_track_caller+0xda/0x2b0
[ 28.412116]  __kmalloc_reserve.isra.37+0x33/0xc0
[ 28.416835]  __alloc_skb+0x119/0x600
[ 28.420512]  alloc_skb_with_frags+0xac/0x4f0
[ 28.424900]  sock_alloc_send_pskb+0x5ad/0x740
[ 28.429376]  packet_sendmsg+0x18a1/0x4760
[ 28.433497]  sock_sendmsg+0xca/0x110
[ 28.437192]  sock_write_iter+0x226/0x3b0
[ 28.441238]  __vfs_write+0x4bf/0x680
[ 28.444931]  vfs_write+0x189/0x530
[ 28.448448]  SyS_write+0xd9/0x1b0
[ 28.451903]  do_fast_syscall_32+0x2f7/0x890
[ 28.456192]  entry_SYSENTER_compat+0x74/0x83
[ 28.460562]
[ 28.462160] Freed by task 0:
[ 28.465140] (stack is not available)
[ 28.468816]
[ 28.470411] The buggy address belongs to the object at ffff8801ca233600
[ 28.470411]  which belongs to the cache kmalloc-1024 of size 1024
[ 28.483208] The buggy address is located 96 bytes to the right of
[ 28.483208]  1024-byte region [ffff8801ca233600, ffff8801ca233a00)
[ 28.495575] The buggy address belongs to the page:
[ 28.500479] page:ffffea0007288c00 count:1 mapcount:0 mapping: (null) index:0x0 compound_mapcount: 0
[ 28.510634] flags: 0x8000000000004080(slab|head)
[ 28.515361] page dumped because: kasan: bad access detected
[ 28.521033]
[ 28.522624] Memory state around the buggy address:
[ 28.527520]  ffff8801ca233900: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 28.534847]  ffff8801ca233980: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 28.542188] >ffff8801ca233a00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 28.549512]                                                        ^
[ 28.555978]  ffff8801ca233a80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 28.563318]  ffff8801ca233b00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 28.570641] ==================================================================
[ 28.577970] Disabling lock debugging due to kernel taint
[ 28.583443] Kernel panic - not syncing: panic_on_warn set ...
[ 28.583443]
[ 28.590777] CPU: 0 PID: 3345 Comm: syzkaller440157 Tainted: G B 4.9.76-g8e170a5 #21
[ 28.599667] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 28.608989]  ffff8801c83975e0 ffffffff81d93149 ffffffff84195c17 ffff8801c83976b8
[ 28.616942]  0000000000000000 ffff8801ca233a60 0000000000000005 ffff8801c83976a8
[ 28.624884]  ffffffff8142e371 0000000041b58ab3 ffffffff84189678 ffffffff8142e1b5
[ 28.632842] Call Trace:
[ 28.635398]  [] dump_stack+0xc1/0x128
[ 28.640728]  [] panic+0x1bc/0x3a8
[ 28.645714]  [] ? percpu_up_read_preempt_enable.constprop.53+0xd7/0xd7
[ 28.653907]  [] ? add_taint+0x1c/0x50
[ 28.659238]  [] kasan_end_report+0x50/0x50
[ 28.665000]  [] kasan_report+0x167/0x360
[ 28.670591]  [] ? __dev_queue_xmit+0x1db6/0x1e60
[ 28.676885]  [] __asan_report_load2_noabort+0x14/0x20
[ 28.683621]  [] __dev_queue_xmit+0x1db6/0x1e60
[ 28.689730]  [] ? __dev_queue_xmit+0x1d4/0x1e60
[ 28.695927]  [] ? 0xffffffff810002b8
[ 28.701170]  [] ? netdev_pick_tx+0x300/0x300
[ 28.707108]  [] ? check_preemption_disabled+0x3b/0x200
[ 28.713916]  [] ? tun_select_queue+0x30a/0x480
[ 28.720037]  [] ? tun_select_queue+0x331/0x480
[ 28.726146]  [] ? tun_chr_read_iter+0x1f0/0x1f0
[ 28.732342]  [] ? tun_chr_read_iter+0x1f0/0x1f0
[ 28.738540]  [] dev_queue_xmit+0x17/0x20
[ 28.744128]  [] packet_sendmsg+0x2ccc/0x4760
[ 28.750065]  [] ? avc_has_perm+0x2fd/0x4f0
[ 28.755834]  [] ? avc_has_perm+0xb0/0x4f0
[ 28.761511]  [] ? avc_has_perm_noaudit+0x450/0x450
[ 28.767970]  [] ? assoc_array_gc+0x12c1/0x1300
[ 28.774079]  [] ? packet_cached_dev_get+0x200/0x200
[ 28.780623]  [] ? sock_has_perm+0x292/0x3e0
[ 28.786473]  [] ? sock_has_perm+0x9f/0x3e0
[ 28.792235]  [] ? selinux_file_send_sigiotask+0x310/0x310
[ 28.799299]  [] ? selinux_socket_sendmsg+0x3f/0x50
[ 28.805757]  [] ? security_socket_sendmsg+0x89/0xb0
[ 28.812300]  [] ? packet_cached_dev_get+0x200/0x200
[ 28.818847]  [] sock_sendmsg+0xca/0x110
[ 28.824347]  [] sock_write_iter+0x226/0x3b0
[ 28.830198]  [] ? avc_has_perm_noaudit+0x450/0x450
[ 28.836655]  [] ? sock_sendmsg+0x110/0x110
[ 28.842421]  [] ? iov_iter_init+0xaf/0x1d0
[ 28.848186]  [] __vfs_write+0x4bf/0x680
[ 28.853689]  [] ? do_iter_readv_writev+0x400/0x400
[ 28.860144]  [] ? selinux_file_permission+0x82/0x460
[ 28.866774]  [] ? rw_verify_area+0xe5/0x2b0
[ 28.872623]  [] vfs_write+0x189/0x530
[ 28.877951]  [] SyS_write+0xd9/0x1b0
[ 28.883198]  [] ? SyS_read+0x1b0/0x1b0
[ 28.888615]  [] ? do_fast_syscall_32+0xcf/0x890
[ 28.894811]  [] ? SyS_read+0x1b0/0x1b0
[ 28.900224]  [] do_fast_syscall_32+0x2f7/0x890
[ 28.906335]  [] ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 28.912965]  [] entry_SYSENTER_compat+0x74/0x83
[ 28.919214] Dumping ftrace buffer:
[ 28.922722]    (ftrace buffer empty)
[ 28.926399] Kernel Offset: disabled
[ 28.929989] Rebooting in 86400 seconds..