[ ok ] Starting periodic command scheduler: cron.
Starting mcstransd: 
[ ok ] Starting file context maintaining daemon: restorecond.
[ ok ] Starting OpenBSD Secure Shell server: sshd.
[ 18.713433] audit: type=1400 audit(1520713904.589:6): avc: denied { map } for pid=4219 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1

Debian GNU/Linux 7 syzkaller ttyS0

Warning: Permanently added '10.128.10.16' (ECDSA) to the list of known hosts.
syzkaller login: [ 36.182772] audit: type=1400 audit(1520713922.058:7): avc: denied { map } for pid=4237 comm="syz-execprog" path="/root/syz-execprog" dev="sda1" ino=16479 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
2018/03/10 20:32:02 parsed 1 programs
2018/03/10 20:32:02 executed programs: 0
[ 36.421139] audit: type=1400 audit(1520713922.296:8): avc: denied { map } for pid=4237 comm="syz-execprog" path="/root/syzkaller-shm918348575" dev="sda1" ino=16482 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:file_t:s0 tclass=file permissive=1
[ 36.431696] IPVS: ftp: loaded support on port[0] = 21
[ 36.446760] audit: type=1400 audit(1520713922.302:9): avc: denied { sys_admin } for pid=4242 comm="syz-executor0" capability=21 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=cap_userns permissive=1
[ 36.476274] audit: type=1400 audit(1520713922.347:10): avc: denied { net_admin } for pid=4244 comm="syz-executor0" capability=12 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=cap_userns permissive=1
[ 36.704583] IPv6: ADDRCONF(NETDEV_UP): bridge0: link is not ready
[ 37.045083] IPv6: ADDRCONF(NETDEV_UP): bond0: link is not ready
[ 37.051222] 8021q: adding VLAN 0 to HW filter on device bond0
[ 37.087881] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
[ 37.124315] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 37.135525] audit: type=1400 audit(1520713923.011:11): avc: denied { sys_chroot } for pid=4244 comm="syz-executor0" capability=18 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=cap_userns permissive=1
[ 37.144188] ==================================================================
[ 37.167349] BUG: KASAN: slab-out-of-bounds in ip6_xmit+0x1f76/0x2260
[ 37.173815] Read of size 8 at addr ffff8801af48e218 by task syz-executor0/4402
[ 37.181150]
[ 37.182754] CPU: 0 PID: 4402 Comm: syz-executor0 Not tainted 4.16.0-rc4+ #258
[ 37.189996] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 37.199323] Call Trace:
[ 37.201885]  dump_stack+0x194/0x24d
[ 37.205489]  ? arch_local_irq_restore+0x53/0x53
[ 37.210134]  ? show_regs_print_info+0x18/0x18
[ 37.214615]  ? ip6_xmit+0x1f76/0x2260
[ 37.218402]  print_address_description+0x73/0x250
[ 37.223220]  ? ip6_xmit+0x1f76/0x2260
[ 37.227002]  kasan_report+0x23c/0x360
[ 37.230787]  __asan_report_load8_noabort+0x14/0x20
[ 37.235702]  ip6_xmit+0x1f76/0x2260
[ 37.239315]  ? ip6_finish_output2+0x23a0/0x23a0
[ 37.243962]  ? fl6_update_dst+0x127/0x2b0
[ 37.248101]  ? inet6_csk_route_socket+0x691/0xe80
[ 37.252921]  ? trace_hardirqs_off+0x10/0x10
[ 37.257218]  ? lock_acquire+0x1d5/0x580
[ 37.261183]  ? lock_acquire+0x1d5/0x580
[ 37.265129]  ? inet6_csk_xmit+0x114/0x580
[ 37.269261]  ? trace_hardirqs_off+0x10/0x10
[ 37.273573]  ? lock_release+0xa40/0xa40
[ 37.277535]  inet6_csk_xmit+0x2fc/0x580
[ 37.281494]  ? inet6_csk_update_pmtu+0x160/0x160
[ 37.286224]  ? __sk_dst_check+0x1a5/0x380
[ 37.290346]  ? sock_kfree_s+0x60/0x60
[ 37.294139]  l2tp_xmit_skb+0x105f/0x1410
[ 37.298184]  ? l2tp_session_create+0xb80/0xb80
[ 37.302748]  ? sock_wmalloc+0x15d/0x1d0
[ 37.306695]  ? iov_iter_advance+0x13f0/0x13f0
[ 37.311167]  ? pppol2tp_sendmsg+0x41b/0x670
[ 37.315463]  pppol2tp_sendmsg+0x470/0x670
[ 37.319586]  ? selinux_socket_sendmsg+0x36/0x40
[ 37.324233]  ? pppol2tp_getsockopt+0x900/0x900
[ 37.328789]  sock_sendmsg+0xca/0x110
[ 37.332475]  SYSC_sendto+0x361/0x5c0
[ 37.336165]  ? SYSC_connect+0x4a0/0x4a0
[ 37.340115]  ? find_held_lock+0x35/0x1d0
[ 37.344160]  ? lock_downgrade+0x980/0x980
[ 37.348305]  ? __do_page_fault+0x3d6/0xc90
[ 37.352519]  SyS_sendto+0x40/0x50
[ 37.356034]  ? SyS_getpeername+0x30/0x30
[ 37.360068]  do_fast_syscall_32+0x3ec/0xf9f
[ 37.364365]  ? do_int80_syscall_32+0x9c0/0x9c0
[ 37.368930]  ? trace_event_raw_event_sys_exit+0x260/0x260
[ 37.374443]  ? syscall_return_slowpath+0x2ac/0x550
[ 37.379355]  ? sysret32_from_system_call+0x5/0x3c
[ 37.384185]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 37.389018]  entry_SYSENTER_compat+0x70/0x7f
[ 37.393399] RIP: 0023:0xf7fd4c99
[ 37.396733] RSP: 002b:000000000844e9cc EFLAGS: 00000202 ORIG_RAX: 0000000000000171
[ 37.404414] RAX: ffffffffffffffda RBX: 0000000000000004 RCX: 0000000020001180
[ 37.411656] RDX: 0000000000000000 RSI: 0000000000040001 RDI: 00000000200021c0
[ 37.418901] RBP: 0000000000000080 R08: 0000000000000000 R09: 0000000000000000
[ 37.426147] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
[ 37.433398] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[ 37.440659]
[ 37.442259] Allocated by task 0:
[ 37.445591] (stack is not available)
[ 37.449283]
[ 37.450882] Freed by task 0:
[ 37.453877] (stack is not available)
[ 37.457581]
[ 37.459181] The buggy address belongs to the object at ffff8801af48e200
[ 37.459181]  which belongs to the cache ip_dst_cache of size 168
[ 37.471901] The buggy address is located 24 bytes inside of
[ 37.471901]  168-byte region [ffff8801af48e200, ffff8801af48e2a8)
[ 37.483668] The buggy address belongs to the page:
[ 37.488569] page:ffffea0006bd2380 count:1 mapcount:0 mapping:ffff8801af48e000 index:0x0
[ 37.496682] flags: 0x2fffc0000000100(slab)
[ 37.500902] raw: 02fffc0000000100 ffff8801af48e000 0000000000000000 0000000100000010
[ 37.508763] raw: ffffea000729a320 ffff8801d6bcd348 ffff8801d5bf74c0 0000000000000000
[ 37.516612] page dumped because: kasan: bad access detected
[ 37.522290]
[ 37.523886] Memory state around the buggy address:
[ 37.528787]  ffff8801af48e100: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 37.536130]  ffff8801af48e180: 00 00 00 00 00 fc fc fc fc fc fc fc fc fc fc fc
[ 37.543459] >ffff8801af48e200: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 37.550787]                             ^
[ 37.554903]  ffff8801af48e280: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 37.562232]  ffff8801af48e300: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 37.569558] ==================================================================
[ 37.576883] Disabling lock debugging due to kernel taint
[ 37.582349] Kernel panic - not syncing: panic_on_warn set ...
[ 37.582349]
[ 37.589685] CPU: 0 PID: 4402 Comm: syz-executor0 Tainted: G B 4.16.0-rc4+ #258
[ 37.598244] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 37.607569] Call Trace:
[ 37.610135]  dump_stack+0x194/0x24d
[ 37.613735]  ? arch_local_irq_restore+0x53/0x53
[ 37.618376]  ? kasan_end_report+0x32/0x50
[ 37.622499]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 37.627237]  ? vsnprintf+0x1ed/0x1900
[ 37.631021]  ? ip6_xmit+0x1f30/0x2260
[ 37.634795]  panic+0x1e4/0x41c
[ 37.637959]  ? refcount_error_report+0x214/0x214
[ 37.642687]  ? add_taint+0x1c/0x50
[ 37.646194]  ? add_taint+0x1c/0x50
[ 37.649706]  ? ip6_xmit+0x1f76/0x2260
[ 37.653477]  kasan_end_report+0x50/0x50
[ 37.657420]  kasan_report+0x149/0x360
[ 37.661192]  __asan_report_load8_noabort+0x14/0x20
[ 37.666089]  ip6_xmit+0x1f76/0x2260
[ 37.669706]  ? ip6_finish_output2+0x23a0/0x23a0
[ 37.674347]  ? fl6_update_dst+0x127/0x2b0
[ 37.678465]  ? inet6_csk_route_socket+0x691/0xe80
[ 37.683289]  ? trace_hardirqs_off+0x10/0x10
[ 37.687583]  ? lock_acquire+0x1d5/0x580
[ 37.691536]  ? lock_acquire+0x1d5/0x580
[ 37.695478]  ? inet6_csk_xmit+0x114/0x580
[ 37.699600]  ? trace_hardirqs_off+0x10/0x10
[ 37.703892]  ? lock_release+0xa40/0xa40
[ 37.707843]  inet6_csk_xmit+0x2fc/0x580
[ 37.711785]  ? inet6_csk_update_pmtu+0x160/0x160
[ 37.716512]  ? __sk_dst_check+0x1a5/0x380
[ 37.720633]  ? sock_kfree_s+0x60/0x60
[ 37.724414]  l2tp_xmit_skb+0x105f/0x1410
[ 37.728449]  ? l2tp_session_create+0xb80/0xb80
[ 37.733000]  ? sock_wmalloc+0x15d/0x1d0
[ 37.736948]  ? iov_iter_advance+0x13f0/0x13f0
[ 37.741413]  ? pppol2tp_sendmsg+0x41b/0x670
[ 37.745717]  pppol2tp_sendmsg+0x470/0x670
[ 37.749837]  ? selinux_socket_sendmsg+0x36/0x40
[ 37.754476]  ? pppol2tp_getsockopt+0x900/0x900
[ 37.759039]  sock_sendmsg+0xca/0x110
[ 37.762723]  SYSC_sendto+0x361/0x5c0
[ 37.766409]  ? SYSC_connect+0x4a0/0x4a0
[ 37.770355]  ? find_held_lock+0x35/0x1d0
[ 37.774405]  ? lock_downgrade+0x980/0x980
[ 37.778540]  ? __do_page_fault+0x3d6/0xc90
[ 37.782748]  SyS_sendto+0x40/0x50
[ 37.786171]  ? SyS_getpeername+0x30/0x30
[ 37.790205]  do_fast_syscall_32+0x3ec/0xf9f
[ 37.794499]  ? do_int80_syscall_32+0x9c0/0x9c0
[ 37.799053]  ? trace_event_raw_event_sys_exit+0x260/0x260
[ 37.804559]  ? syscall_return_slowpath+0x2ac/0x550
[ 37.809461]  ? sysret32_from_system_call+0x5/0x3c
[ 37.814286]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 37.819106]  entry_SYSENTER_compat+0x70/0x7f
[ 37.823485] RIP: 0023:0xf7fd4c99
[ 37.826817] RSP: 002b:000000000844e9cc EFLAGS: 00000202 ORIG_RAX: 0000000000000171
[ 37.834494] RAX: ffffffffffffffda RBX: 0000000000000004 RCX: 0000000020001180
[ 37.841733] RDX: 0000000000000000 RSI: 0000000000040001 RDI: 00000000200021c0
[ 37.848973] RBP: 0000000000000080 R08: 0000000000000000 R09: 0000000000000000
[ 37.856212] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
[ 37.863462] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[ 37.871132] Dumping ftrace buffer:
[ 37.874653]    (ftrace buffer empty)
[ 37.878332] Kernel Offset: disabled
[ 37.881942] Rebooting in 86400 seconds..