[....] Starting enhanced syslogd: rsyslogd
[ 13.358462] audit: type=1400 audit(1516642961.898:5): avc: denied { syslog } for pid=3507 comm="rsyslogd" capability=34 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=capability2 permissive=1
[ ok ] Starting enhanced syslogd: rsyslogd.
[ ok ] Starting periodic command scheduler: cron.
Starting mcstransd:
[ ok ] Starting file context maintaining daemon: restorecond.
[ ok ] Starting OpenBSD Secure Shell server: sshd.

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [ 18.993582] audit: type=1400 audit(1516642967.533:6): avc: denied { map } for pid=3648 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
Warning: Permanently added '10.128.0.27' (ECDSA) to the list of known hosts.
[ 25.249582] audit: type=1400 audit(1516642973.789:7): avc: denied { map } for pid=3662 comm="syzkaller892192" path="/root/syzkaller892192165" dev="sda1" ino=16481 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
net.ipv6.conf.syz0.accept_dad = 0
net.ipv6.conf.syz0.router_solicitations = 0
RTNETLINK answers: Operation not supported
RTNETLINK answers: No buffer space available
RTNETLINK answers: Operation not supported
RTNETLINK answers: Operation not supported
[ 25.619344] IPv6: ADDRCONF(NETDEV_UP): bridge0: link is not ready
RTNETLINK answers: Operation not supported
RTNETLINK answers: Operation not supported
RTNETLINK answers: Invalid argument
RTNETLINK answers: Invalid argument
RTNETLINK answers: Invalid argument
executing program
[ 25.937712] ==================================================================
[ 25.945110] BUG: KASAN: use-after-free in erspan_build_header+0x3bf/0x3d0
[ 25.952010] Read of size 2 at addr ffff8801c065780b by task syzkaller892192/3663
[ 25.959521]
[ 25.961129] CPU: 0 PID: 3663 Comm: syzkaller892192 Not tainted 4.15.0-rc9+ #274
[ 25.968550] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 25.977975] Call Trace:
[ 25.980542]  dump_stack+0x194/0x257
[ 25.984154]  ? arch_local_irq_restore+0x53/0x53
[ 25.988804]  ? show_regs_print_info+0x18/0x18
[ 25.993279]  ? refcount_add+0x24/0x60
[ 25.997057]  ? erspan_build_header+0x3bf/0x3d0
[ 26.001617]  print_address_description+0x73/0x250
[ 26.006441]  ? erspan_build_header+0x3bf/0x3d0
[ 26.011085]  kasan_report+0x25b/0x340
[ 26.014862]  __asan_report_load_n_noabort+0xf/0x20
[ 26.019767]  erspan_build_header+0x3bf/0x3d0
[ 26.024154]  erspan_xmit+0x3b8/0x13b0
[ 26.027933]  ? prepare_fb_xmit+0x9a0/0x9a0
[ 26.032141]  ? netif_skb_features+0x9b0/0x9b0
[ 26.036787]  ? __dev_get_by_index+0x1a0/0x1a0
[ 26.041256]  ? check_noncircular+0x20/0x20
[ 26.045477]  packet_direct_xmit+0x315/0x6b0
[ 26.049778]  packet_sendmsg+0x3aed/0x60b0
[ 26.053918]  ? find_held_lock+0x35/0x1d0
[ 26.057961]  ? avc_has_perm+0x35e/0x680
[ 26.061933]  ? packet_cached_dev_get+0x2b0/0x2b0
[ 26.066680]  ? avc_has_perm+0x43e/0x680
[ 26.070634]  ? avc_has_perm_noaudit+0x520/0x520
[ 26.075285]  ? find_held_lock+0x35/0x1d0
[ 26.079326]  ? fanout_add+0x1430/0x1430
[ 26.083277]  ? avc_has_perm+0x35e/0x680
[ 26.087245]  ? find_held_lock+0x35/0x1d0
[ 26.091288]  ? sock_has_perm+0x2a4/0x420
[ 26.095324]  ? selinux_secmark_relabel_packet+0xc0/0xc0
[ 26.100659]  ? lock_release+0x952/0xa40
[ 26.104608]  ? trace_event_raw_event_sched_switch+0x800/0x800
[ 26.110466]  ? __check_object_size+0x25d/0x4f0
[ 26.115030]  ? avc_has_perm_noaudit+0x520/0x520
[ 26.119685]  ? selinux_socket_sendmsg+0x36/0x40
[ 26.124325]  ? security_socket_sendmsg+0x89/0xb0
[ 26.129056]  ? packet_cached_dev_get+0x2b0/0x2b0
[ 26.133787]  sock_sendmsg+0xca/0x110
[ 26.137477]  SYSC_sendto+0x361/0x5c0
[ 26.141167]  ? SYSC_connect+0x4a0/0x4a0
[ 26.145122]  ? selinux_secmark_relabel_packet+0xc0/0xc0
[ 26.150467]  ? __do_page_fault+0x3d6/0xc90
[ 26.154678]  ? selinux_netlbl_sock_rcv_skb+0x730/0x730
[ 26.159953]  ? SyS_setsockopt+0x215/0x360
[ 26.164078]  ? SyS_recv+0x40/0x40
[ 26.167506]  ? entry_SYSCALL_64_fastpath+0x5/0xa0
[ 26.172328]  SyS_sendto+0x40/0x50
[ 26.175759]  entry_SYSCALL_64_fastpath+0x29/0xa0
[ 26.180486] RIP: 0033:0x446699
[ 26.183655] RSP: 002b:00007fff5c7b4b18 EFLAGS: 00000216 ORIG_RAX: 000000000000002c
[ 26.191334] RAX: ffffffffffffffda RBX: 0000000000000068 RCX: 0000000000446699
[ 26.198577] RDX: 0000000000000000 RSI: 0000000020003fd9 RDI: 0000000000000004
[ 26.205823] RBP: 00000000004a80c6 R08: 0000000020008000 R09: 000000000000001c
[ 26.213064] R10: 0000000000000001 R11: 0000000000000216 R12: 00000000004037d0
[ 26.220306] R13: 0000000000403860 R14: 0000000000000000 R15: 0000000000000000
[ 26.227569]
[ 26.229170] Allocated by task 3415:
[ 26.232774]  save_stack+0x43/0xd0
[ 26.236200]  kasan_kmalloc+0xad/0xe0
[ 26.239905]  kasan_slab_alloc+0x12/0x20
[ 26.243849]  kmem_cache_alloc+0x12e/0x760
[ 26.247969]  getname_flags+0xcb/0x580
[ 26.251742]  user_path_at_empty+0x2d/0x50
[ 26.255863]  vfs_statx+0xe9/0x190
[ 26.259290]  SYSC_newstat+0x87/0xf0
[ 26.262892]  SyS_newstat+0x1d/0x30
[ 26.266404]  entry_SYSCALL_64_fastpath+0x29/0xa0
[ 26.271127]
[ 26.272725] Freed by task 3415:
[ 26.275976]  save_stack+0x43/0xd0
[ 26.279402]  kasan_slab_free+0x71/0xc0
[ 26.283260]  kmem_cache_free+0x83/0x2a0
[ 26.287206]  putname+0xee/0x130
[ 26.290455]  filename_lookup+0x315/0x500
[ 26.294484]  user_path_at_empty+0x40/0x50
[ 26.298604]  vfs_statx+0xe9/0x190
[ 26.302033]  SYSC_newstat+0x87/0xf0
[ 26.305638]  SyS_newstat+0x1d/0x30
[ 26.309147]  entry_SYSCALL_64_fastpath+0x29/0xa0
[ 26.313868]
[ 26.315474] The buggy address belongs to the object at ffff8801c0656b80
[ 26.315474]  which belongs to the cache names_cache of size 4096
[ 26.328186] The buggy address is located 3211 bytes inside of
[ 26.328186]  4096-byte region [ffff8801c0656b80, ffff8801c0657b80)
[ 26.340205] The buggy address belongs to the page:
[ 26.345108] page:ffffea0007019580 count:1 mapcount:0 mapping:ffff8801c0656b80 index:0x0 compound_mapcount: 0
[ 26.355050] flags: 0x2fffc0000008100(slab|head)
[ 26.359693] raw: 02fffc0000008100 ffff8801c0656b80 0000000000000000 0000000100000001
[ 26.367559] raw: ffffea00070196a0 ffffea00070194a0 ffff8801dae2c600 0000000000000000
[ 26.375417] page dumped because: kasan: bad access detected
[ 26.381108]
[ 26.382707] Memory state around the buggy address:
[ 26.387615]  ffff8801c0657700: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 26.394945]  ffff8801c0657780: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 26.402283] >ffff8801c0657800: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 26.409612]                       ^
[ 26.413208]  ffff8801c0657880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 26.420537]  ffff8801c0657900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 26.427865] ==================================================================
[ 26.435197] Disabling lock debugging due to kernel taint
[ 26.440642] Kernel panic - not syncing: panic_on_warn set ...
[ 26.440642]
[ 26.447985] CPU: 0 PID: 3663 Comm: syzkaller892192 Tainted: G B 4.15.0-rc9+ #274
[ 26.456707] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 26.466033] Call Trace:
[ 26.468598]  dump_stack+0x194/0x257
[ 26.472198]  ? arch_local_irq_restore+0x53/0x53
[ 26.476837]  ? kasan_end_report+0x32/0x50
[ 26.480961]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 26.485689]  ? vsnprintf+0x1ed/0x1900
[ 26.489465]  ? erspan_build_header+0x360/0x3d0
[ 26.494024]  panic+0x1e4/0x41c
[ 26.497193]  ? refcount_error_report+0x214/0x214
[ 26.501941]  ? add_taint+0x1c/0x50
[ 26.505450]  ? add_taint+0x1c/0x50
[ 26.508976]  ? erspan_build_header+0x3bf/0x3d0
[ 26.513534]  kasan_end_report+0x50/0x50
[ 26.517482]  kasan_report+0x144/0x340
[ 26.521257]  __asan_report_load_n_noabort+0xf/0x20
[ 26.526155]  erspan_build_header+0x3bf/0x3d0
[ 26.530539]  erspan_xmit+0x3b8/0x13b0
[ 26.534312]  ? prepare_fb_xmit+0x9a0/0x9a0
[ 26.538523]  ? netif_skb_features+0x9b0/0x9b0
[ 26.542994]  ? __dev_get_by_index+0x1a0/0x1a0
[ 26.547467]  ? check_noncircular+0x20/0x20
[ 26.551681]  packet_direct_xmit+0x315/0x6b0
[ 26.555986]  packet_sendmsg+0x3aed/0x60b0
[ 26.560116]  ? find_held_lock+0x35/0x1d0
[ 26.564156]  ? avc_has_perm+0x35e/0x680
[ 26.568121]  ? packet_cached_dev_get+0x2b0/0x2b0
[ 26.572857]  ? avc_has_perm+0x43e/0x680
[ 26.576811]  ? avc_has_perm_noaudit+0x520/0x520
[ 26.581455]  ? find_held_lock+0x35/0x1d0
[ 26.585488]  ? fanout_add+0x1430/0x1430
[ 26.589440]  ? avc_has_perm+0x35e/0x680
[ 26.593391]  ? find_held_lock+0x35/0x1d0
[ 26.597430]  ? sock_has_perm+0x2a4/0x420
[ 26.601475]  ? selinux_secmark_relabel_packet+0xc0/0xc0
[ 26.606812]  ? lock_release+0x952/0xa40
[ 26.610760]  ? trace_event_raw_event_sched_switch+0x800/0x800
[ 26.616627]  ? __check_object_size+0x25d/0x4f0
[ 26.621186]  ? avc_has_perm_noaudit+0x520/0x520
[ 26.625833]  ? selinux_socket_sendmsg+0x36/0x40
[ 26.630483]  ? security_socket_sendmsg+0x89/0xb0
[ 26.635215]  ? packet_cached_dev_get+0x2b0/0x2b0
[ 26.639948]  sock_sendmsg+0xca/0x110
[ 26.643639]  SYSC_sendto+0x361/0x5c0
[ 26.647326]  ? SYSC_connect+0x4a0/0x4a0
[ 26.651279]  ? selinux_secmark_relabel_packet+0xc0/0xc0
[ 26.656626]  ? __do_page_fault+0x3d6/0xc90
[ 26.660838]  ? selinux_netlbl_sock_rcv_skb+0x730/0x730
[ 26.666111]  ? SyS_setsockopt+0x215/0x360
[ 26.670237]  ? SyS_recv+0x40/0x40
[ 26.673661]  ? entry_SYSCALL_64_fastpath+0x5/0xa0
[ 26.678478]  SyS_sendto+0x40/0x50
[ 26.681906]  entry_SYSCALL_64_fastpath+0x29/0xa0
[ 26.686634] RIP: 0033:0x446699
[ 26.689793] RSP: 002b:00007fff5c7b4b18 EFLAGS: 00000216 ORIG_RAX: 000000000000002c
[ 26.697479] RAX: ffffffffffffffda RBX: 0000000000000068 RCX: 0000000000446699
[ 26.704723] RDX: 0000000000000000 RSI: 0000000020003fd9 RDI: 0000000000000004
[ 26.711968] RBP: 00000000004a80c6 R08: 0000000020008000 R09: 000000000000001c
[ 26.719209] R10: 0000000000000001 R11: 0000000000000216 R12: 00000000004037d0
[ 26.726450] R13: 0000000000403860 R14: 0000000000000000 R15: 0000000000000000
[ 26.734171] Dumping ftrace buffer:
[ 26.737682]    (ftrace buffer empty)
[ 26.741362] Kernel Offset: disabled
[ 26.744959] Rebooting in 86400 seconds..