[....] Starting enhanced syslogd: rsyslogd
[ 16.060184] audit: type=1400 audit(1520804495.482:5): avc: denied { syslog } for pid=4024 comm="rsyslogd" capability=34 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=capability2 permissive=1
[ ok ].
[....] Starting periodic command scheduler: cron [ ok ].
Starting mcstransd:
[....] Starting file context maintaining daemon: restorecond [ ok ].
[....] Starting OpenBSD Secure Shell server: sshd [ ok ].

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [ 18.700278] audit: type=1400 audit(1520804498.121:6): avc: denied { map } for pid=4164 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
Warning: Permanently added '10.128.10.14' (ECDSA) to the list of known hosts.
executing program
[ 24.998981] audit: type=1400 audit(1520804504.420:7): avc: denied { map } for pid=4178 comm="syzkaller470741" path="/root/syzkaller470741766" dev="sda1" ino=16481 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
[ 25.004207] ==================================================================
[ 25.032291] BUG: KASAN: slab-out-of-bounds in ip6_xmit+0x1f76/0x2260
[ 25.038757] Read of size 8 at addr ffff8801be4b4018 by task syzkaller470741/4178
[ 25.046258]
[ 25.047859] CPU: 1 PID: 4178 Comm: syzkaller470741 Not tainted 4.16.0-rc4+ #350
[ 25.055273] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 25.064597] Call Trace:
[ 25.067159]  dump_stack+0x194/0x24d
[ 25.070763]  ? arch_local_irq_restore+0x53/0x53
[ 25.075406]  ? show_regs_print_info+0x18/0x18
[ 25.079881]  ? ip6_xmit+0x1f76/0x2260
[ 25.083659]  print_address_description+0x73/0x250
[ 25.088471]  ? ip6_xmit+0x1f76/0x2260
[ 25.092246]  kasan_report+0x23c/0x360
[ 25.096032]  __asan_report_load8_noabort+0x14/0x20
[ 25.100940]  ip6_xmit+0x1f76/0x2260
[ 25.104550]  ? ip6_finish_output2+0x23a0/0x23a0
[ 25.109195]  ? fl6_update_dst+0x127/0x2b0
[ 25.113319]  ? inet6_csk_route_socket+0x691/0xe80
[ 25.118135]  ? trace_hardirqs_off+0x10/0x10
[ 25.122429]  ? lock_acquire+0x1d5/0x580
[ 25.126372]  ? lock_acquire+0x1d5/0x580
[ 25.130317]  ? inet6_csk_xmit+0x114/0x580
[ 25.134437]  ? trace_hardirqs_off+0x10/0x10
[ 25.138734]  ? lock_release+0xa40/0xa40
[ 25.142698]  inet6_csk_xmit+0x2fc/0x580
[ 25.146646]  ? inet6_csk_update_pmtu+0x160/0x160
[ 25.151375]  ? __sk_dst_check+0x1a5/0x380
[ 25.155498]  ? sock_kfree_s+0x60/0x60
[ 25.159292]  l2tp_xmit_skb+0x105f/0x1410
[ 25.163336]  ? l2tp_session_create+0xb80/0xb80
[ 25.167890]  ? sock_wmalloc+0x15d/0x1d0
[ 25.171836]  ? iov_iter_advance+0x13f0/0x13f0
[ 25.176308]  ? pppol2tp_sendmsg+0x41b/0x670
[ 25.180603]  pppol2tp_sendmsg+0x470/0x670
[ 25.184744]  ? selinux_socket_sendmsg+0x36/0x40
[ 25.189408]  ? pppol2tp_getsockopt+0x900/0x900
[ 25.193984]  sock_sendmsg+0xca/0x110
[ 25.197690]  SYSC_sendto+0x361/0x5c0
[ 25.201381]  ? SYSC_connect+0x4a0/0x4a0
[ 25.205339]  ? inet_dgram_connect+0x172/0x1f0
[ 25.209808]  ? SYSC_connect+0x2e0/0x4a0
[ 25.213781]  ? mm_fault_error+0x2c0/0x2c0
[ 25.217899]  ? move_addr_to_kernel+0x60/0x60
[ 25.222282]  SyS_sendto+0x40/0x50
[ 25.225706]  ? SyS_getpeername+0x30/0x30
[ 25.229742]  do_syscall_64+0x281/0x940
[ 25.233600]  ? __do_page_fault+0xc90/0xc90
[ 25.237808]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 25.242539]  ? syscall_return_slowpath+0x550/0x550
[ 25.247440]  ? syscall_return_slowpath+0x2ac/0x550
[ 25.252343]  ? prepare_exit_to_usermode+0x350/0x350
[ 25.257333]  ? entry_SYSCALL_64_after_hwframe+0x52/0xb7
[ 25.262672]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 25.267497]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 25.272672] RIP: 0033:0x43ff49
[ 25.275842] RSP: 002b:00007ffeb6674e78 EFLAGS: 00000216 ORIG_RAX: 000000000000002c
[ 25.283519] RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 000000000043ff49
[ 25.290762] RDX: 0000000000000000 RSI: 0000000020001180 RDI: 0000000000000004
[ 25.298007] RBP: 00000000006ca018 R08: 00000000200021c0 R09: 0000000000000080
[ 25.305255] R10: 0000000000040001 R11: 0000000000000216 R12: 0000000000401870
[ 25.312495] R13: 0000000000401900 R14: 0000000000000000 R15: 0000000000000000
[ 25.319750]
[ 25.321350] Allocated by task 4159:
[ 25.324948]  save_stack+0x43/0xd0
[ 25.328370]  kasan_kmalloc+0xad/0xe0
[ 25.332056]  kasan_slab_alloc+0x12/0x20
[ 25.336000]  kmem_cache_alloc+0x12e/0x760
[ 25.340124]  getname_flags+0xcb/0x580
[ 25.343894]  getname+0x19/0x20
[ 25.347058]  do_sys_open+0x2e7/0x6d0
[ 25.350742]  SyS_open+0x2d/0x40
[ 25.353995]  do_syscall_64+0x281/0x940
[ 25.357859]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 25.363020]
[ 25.364622] Freed by task 4159:
[ 25.367872]  save_stack+0x43/0xd0
[ 25.371297]  __kasan_slab_free+0x11a/0x170
[ 25.375502]  kasan_slab_free+0xe/0x10
[ 25.379272]  kmem_cache_free+0x83/0x2a0
[ 25.383217]  putname+0xee/0x130
[ 25.386465]  do_sys_open+0x31b/0x6d0
[ 25.390149]  SyS_open+0x2d/0x40
[ 25.393398]  do_syscall_64+0x281/0x940
[ 25.397256]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 25.402411]
[ 25.404013] The buggy address belongs to the object at ffff8801be4b4c00
[ 25.404013]  which belongs to the cache names_cache of size 4096
[ 25.416736] The buggy address is located 3048 bytes to the left of
[ 25.416736]  4096-byte region [ffff8801be4b4c00, ffff8801be4b5c00)
[ 25.429187] The buggy address belongs to the page:
[ 25.434088] page:ffffea0006f92d00 count:1 mapcount:0 mapping:ffff8801be4b4c00 index:0x0 compound_mapcount: 0
[ 25.444031] flags: 0x2fffc0000008100(slab|head)
[ 25.448675] raw: 02fffc0000008100 ffff8801be4b4c00 0000000000000000 0000000100000001
[ 25.456527] raw: ffffea0006f969a0 ffffea0006f92da0 ffff8801da5d6600 0000000000000000
[ 25.464375] page dumped because: kasan: bad access detected
[ 25.470058]
[ 25.471663] Memory state around the buggy address:
[ 25.476572]  ffff8801be4b3f00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 25.483899]  ffff8801be4b3f80: 00 00 00 00 00 fc fc fc fc fc fc fc fc fc fc fc
[ 25.491227] >ffff8801be4b4000: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 25.498554]                             ^
[ 25.502672]  ffff8801be4b4080: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 25.510001]  ffff8801be4b4100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 25.517335] ==================================================================
[ 25.524665] Disabling lock debugging due to kernel taint
[ 25.530122] Kernel panic - not syncing: panic_on_warn set ...
[ 25.530122]
[ 25.537463] CPU: 1 PID: 4178 Comm: syzkaller470741 Tainted: G    B 4.16.0-rc4+ #350
[ 25.546180] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 25.555502] Call Trace:
[ 25.558065]  dump_stack+0x194/0x24d
[ 25.561667]  ? arch_local_irq_restore+0x53/0x53
[ 25.566304]  ? kasan_end_report+0x32/0x50
[ 25.570425]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 25.575149]  ? vsnprintf+0x1ed/0x1900
[ 25.578921]  ? ip6_xmit+0x1f30/0x2260
[ 25.582693]  panic+0x1e4/0x41c
[ 25.585855]  ? refcount_error_report+0x214/0x214
[ 25.590581]  ? add_taint+0x1c/0x50
[ 25.594091]  ? add_taint+0x1c/0x50
[ 25.597604]  ? ip6_xmit+0x1f76/0x2260
[ 25.601373]  kasan_end_report+0x50/0x50
[ 25.605319]  kasan_report+0x149/0x360
[ 25.609093]  __asan_report_load8_noabort+0x14/0x20
[ 25.613992]  ip6_xmit+0x1f76/0x2260
[ 25.617598]  ? ip6_finish_output2+0x23a0/0x23a0
[ 25.622239]  ? fl6_update_dst+0x127/0x2b0
[ 25.626358]  ? inet6_csk_route_socket+0x691/0xe80
[ 25.631171]  ? trace_hardirqs_off+0x10/0x10
[ 25.635463]  ? lock_acquire+0x1d5/0x580
[ 25.639407]  ? lock_acquire+0x1d5/0x580
[ 25.643349]  ? inet6_csk_xmit+0x114/0x580
[ 25.647469]  ? trace_hardirqs_off+0x10/0x10
[ 25.651763]  ? lock_release+0xa40/0xa40
[ 25.655716]  inet6_csk_xmit+0x2fc/0x580
[ 25.659918]  ? inet6_csk_update_pmtu+0x160/0x160
[ 25.664647]  ? __sk_dst_check+0x1a5/0x380
[ 25.668766]  ? sock_kfree_s+0x60/0x60
[ 25.672545]  l2tp_xmit_skb+0x105f/0x1410
[ 25.676581]  ? l2tp_session_create+0xb80/0xb80
[ 25.681133]  ? sock_wmalloc+0x15d/0x1d0
[ 25.685078]  ? iov_iter_advance+0x13f0/0x13f0
[ 25.689544]  ? pppol2tp_sendmsg+0x41b/0x670
[ 25.693835]  pppol2tp_sendmsg+0x470/0x670
[ 25.697954]  ? selinux_socket_sendmsg+0x36/0x40
[ 25.702591]  ? pppol2tp_getsockopt+0x900/0x900
[ 25.707143]  sock_sendmsg+0xca/0x110
[ 25.710825]  SYSC_sendto+0x361/0x5c0
[ 25.714515]  ? SYSC_connect+0x4a0/0x4a0
[ 25.718468]  ? inet_dgram_connect+0x172/0x1f0
[ 25.722932]  ? SYSC_connect+0x2e0/0x4a0
[ 25.726893]  ? mm_fault_error+0x2c0/0x2c0
[ 25.731016]  ? move_addr_to_kernel+0x60/0x60
[ 25.735399]  SyS_sendto+0x40/0x50
[ 25.738820]  ? SyS_getpeername+0x30/0x30
[ 25.742853]  do_syscall_64+0x281/0x940
[ 25.746711]  ? __do_page_fault+0xc90/0xc90
[ 25.750916]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 25.755645]  ? syscall_return_slowpath+0x550/0x550
[ 25.760544]  ? syscall_return_slowpath+0x2ac/0x550
[ 25.765446]  ? prepare_exit_to_usermode+0x350/0x350
[ 25.770436]  ? entry_SYSCALL_64_after_hwframe+0x52/0xb7
[ 25.775771]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 25.780585]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 25.785742] RIP: 0033:0x43ff49
[ 25.788900] RSP: 002b:00007ffeb6674e78 EFLAGS: 00000216 ORIG_RAX: 000000000000002c
[ 25.796575] RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 000000000043ff49
[ 25.803815] RDX: 0000000000000000 RSI: 0000000020001180 RDI: 0000000000000004
[ 25.811055] RBP: 00000000006ca018 R08: 00000000200021c0 R09: 0000000000000080
[ 25.818297] R10: 0000000000040001 R11: 0000000000000216 R12: 0000000000401870
[ 25.825537] R13: 0000000000401900 R14: 0000000000000000 R15: 0000000000000000
[ 25.833257] Dumping ftrace buffer:
[ 25.836771]    (ftrace buffer empty)
[ 25.840450] Kernel Offset: disabled
[ 25.844047] Rebooting in 86400 seconds..