[ ok ] Starting enhanced syslogd: rsyslogd.
[   16.584525] audit: type=1400 audit(1520853223.187:5): avc: denied { syslog } for pid=3993 comm="rsyslogd" capability=34 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=capability2 permissive=1
[ ok ] Starting periodic command scheduler: cron.
Starting mcstransd:
[ ok ] Starting file context maintaining daemon: restorecond.
[ ok ] Starting OpenBSD Secure Shell server: sshd.

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [   22.462099] audit: type=1400 audit(1520853229.064:6): avc: denied { map } for pid=4135 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
Warning: Permanently added '10.128.0.31' (ECDSA) to the list of known hosts.
[   28.816666] audit: type=1400 audit(1520853235.419:7): avc: denied { map } for pid=4149 comm="syz-execprog" path="/root/syz-execprog" dev="sda1" ino=16479 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
2018/03/12 11:13:55 parsed 1 programs
2018/03/12 11:13:55 executed programs: 0
[   29.068792] audit: type=1400 audit(1520853235.671:8): avc: denied { map } for pid=4149 comm="syz-execprog" path="/root/syzkaller-shm700258300" dev="sda1" ino=16482 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:file_t:s0 tclass=file permissive=1
[   29.081935] IPVS: ftp: loaded support on port[0] = 21
[   29.367719] IPv6: ADDRCONF(NETDEV_UP): bridge0: link is not ready
[   29.742701] IPv6: ADDRCONF(NETDEV_UP): bond0: link is not ready
[   29.748803] 8021q: adding VLAN 0 to HW filter on device bond0
[   29.788604] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
[   29.829057] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[   29.842144] ==================================================================
[   29.849556] BUG: KASAN: slab-out-of-bounds in ip6_xmit+0x1f76/0x2260
[   29.856026] Read of size 8 at addr ffff8801b3a65718 by task syz-executor0/4314
[   29.863355] 
[   29.864959] CPU: 1 PID: 4314 Comm: syz-executor0 Not tainted 4.16.0-rc5+ #261
[   29.872201] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   29.881527] Call Trace:
[   29.884094]  dump_stack+0x194/0x24d
[   29.887698]  ? arch_local_irq_restore+0x53/0x53
[   29.892346]  ? show_regs_print_info+0x18/0x18
[   29.896824]  ? ip6_xmit+0x1f76/0x2260
[   29.900602]  print_address_description+0x73/0x250
[   29.905418]  ? ip6_xmit+0x1f76/0x2260
[   29.909192]  kasan_report+0x23c/0x360
[   29.912974]  __asan_report_load8_noabort+0x14/0x20
[   29.917883]  ip6_xmit+0x1f76/0x2260
[   29.921498]  ? ip6_finish_output2+0x23a0/0x23a0
[   29.926142]  ? fl6_update_dst+0x127/0x2b0
[   29.930266]  ? inet6_csk_route_socket+0x691/0xe80
[   29.935083]  ? trace_hardirqs_off+0x10/0x10
[   29.939380]  ? lock_acquire+0x1d5/0x580
[   29.943333]  ? lock_acquire+0x1d5/0x580
[   29.947282]  ? inet6_csk_xmit+0x114/0x580
[   29.951834]  ? trace_hardirqs_off+0x10/0x10
[   29.956131]  ? lock_release+0xa40/0xa40
[   29.960095]  inet6_csk_xmit+0x2fc/0x580
[   29.964051]  ? inet6_csk_update_pmtu+0x160/0x160
[   29.968783]  ? __sk_dst_check+0x1a5/0x380
[   29.972905]  ? sock_kfree_s+0x60/0x60
[   29.976697]  l2tp_xmit_skb+0x105f/0x1410
[   29.980739]  ? l2tp_session_create+0xb80/0xb80
[   29.985300]  ? sock_wmalloc+0x15d/0x1d0
[   29.989255]  ? iov_iter_advance+0x13f0/0x13f0
[   29.993725]  ? pppol2tp_sendmsg+0x41b/0x670
[   29.998042]  pppol2tp_sendmsg+0x470/0x670
[   30.002181]  ? selinux_socket_sendmsg+0x36/0x40
[   30.006827]  ? pppol2tp_getsockopt+0x900/0x900
[   30.011386]  sock_sendmsg+0xca/0x110
[   30.015085]  SYSC_sendto+0x361/0x5c0
[   30.018777]  ? SYSC_connect+0x4a0/0x4a0
[   30.022728]  ? find_held_lock+0x35/0x1d0
[   30.026771]  ? lock_downgrade+0x980/0x980
[   30.030935]  ? __do_page_fault+0x3d6/0xc90
[   30.035173]  SyS_sendto+0x40/0x50
[   30.038610]  ? SyS_getpeername+0x30/0x30
[   30.042651]  do_fast_syscall_32+0x3ec/0xf9f
[   30.046953]  ? do_int80_syscall_32+0x9c0/0x9c0
[   30.051507]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[   30.056239]  ? syscall_return_slowpath+0x2ac/0x550
[   30.061147]  ? prepare_exit_to_usermode+0x350/0x350
[   30.066140]  ? sysret32_from_system_call+0x5/0x3c
[   30.070978]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   30.075809]  entry_SYSENTER_compat+0x70/0x7f
[   30.080191] RIP: 0023:0xf7f9cc99
[   30.083525] RSP: 002b:00000000fffa9eec EFLAGS: 00000286 ORIG_RAX: 0000000000000171
[   30.091203] RAX: ffffffffffffffda RBX: 0000000000000004 RCX: 0000000020001180
[   30.098443] RDX: 0000000000000000 RSI: 0000000000040001 RDI: 00000000200021c0
[   30.105690] RBP: 0000000000000080 R08: 0000000000000000 R09: 0000000000000000
[   30.112939] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
[   30.120190] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[   30.127459] 
[   30.129062] Allocated by task 0:
[   30.132394] (stack is not available)
[   30.136077] 
[   30.137678] Freed by task 0:
[   30.140663] (stack is not available)
[   30.144341] 
[   30.145942] The buggy address belongs to the object at ffff8801b3a65700
[   30.145942]  which belongs to the cache ip_dst_cache of size 168
[   30.158657] The buggy address is located 24 bytes inside of
[   30.158657]  168-byte region [ffff8801b3a65700, ffff8801b3a657a8)
[   30.170411] The buggy address belongs to the page:
[   30.175314] page:ffffea0006ce9940 count:1 mapcount:0 mapping:ffff8801b3a65000 index:0xffff8801b3a65000
[   30.184728] flags: 0x2fffc0000000100(slab)
[   30.188935] raw: 02fffc0000000100 ffff8801b3a65000 ffff8801b3a65000 000000010000000c
[   30.196787] raw: ffff8801d5422a38 ffff8801d5422a38 ffff8801d5804340 0000000000000000
[   30.204634] page dumped because: kasan: bad access detected
[   30.210310] 
[   30.211909] Memory state around the buggy address:
[   30.216810]  ffff8801b3a65600: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   30.224148]  ffff8801b3a65680: 00 00 00 00 00 fc fc fc fc fc fc fc fc fc fc fc
[   30.231480] >ffff8801b3a65700: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   30.238813]                             ^
[   30.242945]  ffff8801b3a65780: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   30.250292]  ffff8801b3a65800: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   30.257632] ==================================================================
[   30.264968] Disabling lock debugging due to kernel taint
[   30.270428] Kernel panic - not syncing: panic_on_warn set ...
[   30.270428] 
[   30.277769] CPU: 1 PID: 4314 Comm: syz-executor0 Tainted: G    B            4.16.0-rc5+ #261
[   30.286314] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   30.295640] Call Trace:
[   30.298205]  dump_stack+0x194/0x24d
[   30.301809]  ? arch_local_irq_restore+0x53/0x53
[   30.306456]  ? kasan_end_report+0x32/0x50
[   30.310580]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[   30.315309]  ? vsnprintf+0x1ed/0x1900
[   30.319086]  ? ip6_xmit+0x1f30/0x2260
[   30.322866]  panic+0x1e4/0x41c
[   30.326045]  ? refcount_error_report+0x214/0x214
[   30.330778]  ? add_taint+0x1c/0x50
[   30.334293]  ? add_taint+0x1c/0x50
[   30.337809]  ? ip6_xmit+0x1f76/0x2260
[   30.341590]  kasan_end_report+0x50/0x50
[   30.345536]  kasan_report+0x149/0x360
[   30.349314]  __asan_report_load8_noabort+0x14/0x20
[   30.354216]  ip6_xmit+0x1f76/0x2260
[   30.357824]  ? ip6_finish_output2+0x23a0/0x23a0
[   30.362472]  ? fl6_update_dst+0x127/0x2b0
[   30.366593]  ? inet6_csk_route_socket+0x691/0xe80
[   30.371411]  ? trace_hardirqs_off+0x10/0x10
[   30.375707]  ? lock_acquire+0x1d5/0x580
[   30.379651]  ? lock_acquire+0x1d5/0x580
[   30.383598]  ? inet6_csk_xmit+0x114/0x580
[   30.387718]  ? trace_hardirqs_off+0x10/0x10
[   30.392020]  ? lock_release+0xa40/0xa40
[   30.395992]  inet6_csk_xmit+0x2fc/0x580
[   30.399954]  ? inet6_csk_update_pmtu+0x160/0x160
[   30.404690]  ? __sk_dst_check+0x1a5/0x380
[   30.408808]  ? sock_kfree_s+0x60/0x60
[   30.412588]  l2tp_xmit_skb+0x105f/0x1410
[   30.416622]  ? l2tp_session_create+0xb80/0xb80
[   30.421174]  ? sock_wmalloc+0x15d/0x1d0
[   30.425119]  ? iov_iter_advance+0x13f0/0x13f0
[   30.429584]  ? pppol2tp_sendmsg+0x41b/0x670
[   30.433888]  pppol2tp_sendmsg+0x470/0x670
[   30.438024]  ? selinux_socket_sendmsg+0x36/0x40
[   30.442674]  ? pppol2tp_getsockopt+0x900/0x900
[   30.447231]  sock_sendmsg+0xca/0x110
[   30.450922]  SYSC_sendto+0x361/0x5c0
[   30.454607]  ? SYSC_connect+0x4a0/0x4a0
[   30.458552]  ? find_held_lock+0x35/0x1d0
[   30.462587]  ? lock_downgrade+0x980/0x980
[   30.466726]  ? __do_page_fault+0x3d6/0xc90
[   30.470941]  SyS_sendto+0x40/0x50
[   30.474366]  ? SyS_getpeername+0x30/0x30
[   30.478396]  do_fast_syscall_32+0x3ec/0xf9f
[   30.482688]  ? do_int80_syscall_32+0x9c0/0x9c0
[   30.487241]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[   30.491968]  ? syscall_return_slowpath+0x2ac/0x550
[   30.496866]  ? prepare_exit_to_usermode+0x350/0x350
[   30.501851]  ? sysret32_from_system_call+0x5/0x3c
[   30.506665]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   30.511478]  entry_SYSENTER_compat+0x70/0x7f
[   30.515855] RIP: 0023:0xf7f9cc99
[   30.519188] RSP: 002b:00000000fffa9eec EFLAGS: 00000286 ORIG_RAX: 0000000000000171
[   30.526863] RAX: ffffffffffffffda RBX: 0000000000000004 RCX: 0000000020001180
[   30.534101] RDX: 0000000000000000 RSI: 0000000000040001 RDI: 00000000200021c0
[   30.541340] RBP: 0000000000000080 R08: 0000000000000000 R09: 0000000000000000
[   30.548577] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
[   30.555816] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[   30.563505] Dumping ftrace buffer:
[   30.567017]    (ftrace buffer empty)
[   30.570697] Kernel Offset: disabled
[   30.574295] Rebooting in 86400 seconds..
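The console log above is raw output from the fuzzing VM. The following is an added triage helper, not part of the syzkaller log, the kernel, or any syzbot tooling: it parses the KASAN header, access, object and "Memory state" lines and re-derives what a triager checks first, namely how far into which slab object the access landed and what the shadow byte at that address says about the object's state. The sample lines are copied from the report above and embedded as a constructed input; the shadow-byte legend values are the constants from mm/kasan/kasan.h in 4.x kernels.

```python
"""Triage helper for a KASAN slab report (added example, not kernel or syzkaller code)."""
import re

# Constructed sample: the relevant lines of the report on this page, one kernel message per line.
SAMPLE_REPORT = """\
[   29.849556] BUG: KASAN: slab-out-of-bounds in ip6_xmit+0x1f76/0x2260
[   29.856026] Read of size 8 at addr ffff8801b3a65718 by task syz-executor0/4314
[   29.864959] CPU: 1 PID: 4314 Comm: syz-executor0 Not tainted 4.16.0-rc5+ #261
[   30.145942] The buggy address belongs to the object at ffff8801b3a65700
[   30.145942]  which belongs to the cache ip_dst_cache of size 168
[   30.158657] The buggy address is located 24 bytes inside of
[   30.158657]  168-byte region [ffff8801b3a65700, ffff8801b3a657a8)
[   30.211909] Memory state around the buggy address:
[   30.216810]  ffff8801b3a65600: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   30.224148]  ffff8801b3a65680: 00 00 00 00 00 fc fc fc fc fc fc fc fc fc fc fc
[   30.231480] >ffff8801b3a65700: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   30.238813]                             ^
[   30.242945]  ffff8801b3a65780: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
"""

KASAN_SHADOW_SCALE = 8      # one shadow byte describes 8 bytes of memory
SHADOW_BYTES_PER_ROW = 16   # one "Memory state" row therefore covers 128 bytes

# Shadow byte legend from mm/kasan/kasan.h (4.x kernels). Values 1..7 mean
# "only the first N bytes of this 8-byte granule are accessible".
SHADOW_LEGEND = {
    0x00: "accessible",
    0xfa: "global redzone",
    0xfb: "freed slab object (KASAN_KMALLOC_FREE)",
    0xfc: "slab redzone (KASAN_KMALLOC_REDZONE)",
    0xfe: "page redzone",
    0xff: "free page",
}

_TS = r"^\[\s*\d+\.\d+\]\s?"   # dmesg timestamp prefix
_HEADER = re.compile(_TS + r"BUG: KASAN: (?P<bug>[\w-]+) in (?P<func>\w+)\+0x[0-9a-f]+/0x[0-9a-f]+")
_ACCESS = re.compile(_TS + r"(?P<kind>Read|Write) of size (?P<size>\d+) at addr (?P<addr>[0-9a-f]+) "
                     r"by task (?P<task>\S+)/(?P<pid>\d+)")
_OBJECT = re.compile(_TS + r"The buggy address belongs to the object at (?P<obj>[0-9a-f]+)")
_CACHE = re.compile(_TS + r"\s*which belongs to the cache (?P<cache>\S+) of size (?P<objsize>\d+)")
_LOCATED = re.compile(_TS + r"The buggy address is located (?P<off>\d+) bytes "
                      r"(?P<where>inside of|to the right of|to the left of)")
_SHADOW = re.compile(_TS + r"\s*>?(?P<base>[0-9a-f]{16}): (?P<bytes>(?:[0-9a-f]{2}\s*){16})$")


def parse_kasan_report(text):
    """Return the report's key facts as a dict; addresses are ints, shadow rows keyed by base."""
    r = {"shadow": {}}
    for line in text.splitlines():
        if (m := _HEADER.match(line)):
            r["bug"], r["func"] = m["bug"], m["func"]
        elif (m := _ACCESS.match(line)):
            r["kind"], r["size"] = m["kind"], int(m["size"])
            r["addr"], r["task"], r["pid"] = int(m["addr"], 16), m["task"], int(m["pid"])
        elif (m := _OBJECT.match(line)):
            r["obj"] = int(m["obj"], 16)
        elif (m := _CACHE.match(line)):
            r["cache"], r["objsize"] = m["cache"], int(m["objsize"])
        elif (m := _LOCATED.match(line)):
            r["stated_offset"], r["where"] = int(m["off"]), m["where"]
        elif (m := _SHADOW.match(line)):
            r["shadow"][int(m["base"], 16)] = [int(b, 16) for b in m["bytes"].split()]
    if "addr" in r and "obj" in r:
        r["offset"] = r["addr"] - r["obj"]   # re-derived, to cross-check the stated offset
    return r


def shadow_byte_at(report, addr):
    """Shadow byte covering addr, or None if no printed row covers it."""
    row_span = SHADOW_BYTES_PER_ROW * KASAN_SHADOW_SCALE
    for base, row in report["shadow"].items():
        if base <= addr < base + row_span:
            return row[(addr - base) // KASAN_SHADOW_SCALE]
    return None


def access_within_object(report):
    """True if every byte of the access lies inside the object KASAN attributed it to."""
    lo, hi = report["obj"], report["obj"] + report["objsize"]
    return lo <= report["addr"] and report["addr"] + report["size"] <= hi


def describe_shadow(report):
    """Human-readable state of the faulting address according to its shadow byte."""
    b = shadow_byte_at(report, report["addr"])
    if b is None:
        return "no shadow row printed for this address"
    if 1 <= b < KASAN_SHADOW_SCALE:
        return f"partially accessible ({b} of {KASAN_SHADOW_SCALE} bytes)"
    return SHADOW_LEGEND.get(b, f"unknown shadow value 0x{b:02x}")


if __name__ == "__main__":
    rep = parse_kasan_report(SAMPLE_REPORT)
    print(f"{rep['bug']} in {rep['func']}: {rep['kind']} of {rep['size']} bytes by "
          f"{rep['task']}/{rep['pid']}")
    print(f"object in {rep['cache']} ({rep['objsize']} bytes), access at offset "
          f"{rep['offset']} (report says {rep['stated_offset']} {rep['where']})")
    print(f"access within object bounds: {access_within_object(rep)}")
    print(f"shadow state at faulting address: {describe_shadow(rep)}")
```

Run on the lines above, the helper confirms the stated offset (24 bytes into a 168-byte ip_dst_cache object) and that the 8-byte read lies entirely inside that object's bounds, yet the shadow byte for the address is 0xfc. KASAN derives the bug type from the shadow byte, and 0xfc is the redzone poison that slab objects carry while they are not handed out to a caller, so the "slab-out-of-bounds" classification here says the object at ffff8801b3a65700 was not a live allocation when ip6_xmit dereferenced it, which agrees with the "Allocated by task 0: (stack is not available)" section of the report.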