[ ok ] Starting enhanced syslogd: rsyslogd.
[ 13.365721] audit: type=1400 audit(1516642050.254:5): avc: denied { syslog } for pid=3501 comm="rsyslogd" capability=34 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=capability2 permissive=1
[ ok ] Starting periodic command scheduler: cron.
Starting mcstransd:
[ ok ] Starting file context maintaining daemon: restorecond.
[ ok ] Starting OpenBSD Secure Shell server: sshd.

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [ 18.884314] audit: type=1400 audit(1516642055.773:6): avc: denied { map } for pid=3642 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
Warning: Permanently added '10.128.0.31' (ECDSA) to the list of known hosts.
net.ipv6.conf.syz0.accept_dad = 0
net.ipv6.conf.syz0.router_solicitations = 0
[ 27.988310] audit: type=1400 audit(1516642064.877:7): avc: denied { map } for pid=3657 comm="syzkaller099344" path="/root/syzkaller099344897" dev="sda1" ino=16481 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
RTNETLINK answers: Operation not supported
RTNETLINK answers: No buffer space available
RTNETLINK answers: Operation not supported
RTNETLINK answers: Operation not supported
[ 28.204890] IPv6: ADDRCONF(NETDEV_UP): bridge0: link is not ready
RTNETLINK answers: Operation not supported
RTNETLINK answers: Operation not supported
RTNETLINK answers: Invalid argument
RTNETLINK answers: Invalid argument
RTNETLINK answers: Invalid argument
executing program
[ 28.528701] ==================================================================
[ 28.536100] BUG: KASAN: use-after-free in erspan_xmit+0x22d4/0x2430
[ 28.542477] Read of size 2 at addr ffff8801d890fa8b by task syzkaller099344/3658
[ 28.549977]
[ 28.551577] CPU: 0 PID: 3658 Comm: syzkaller099344 Not tainted 4.15.0-rc8+ #203
[ 28.558990] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 28.568316] Call Trace:
[ 28.570882]  dump_stack+0x194/0x257
[ 28.574485]  ? arch_local_irq_restore+0x53/0x53
[ 28.579129]  ? show_regs_print_info+0x18/0x18
[ 28.583604]  ? erspan_xmit+0x22d4/0x2430
[ 28.587639]  print_address_description+0x73/0x250
[ 28.592456]  ? erspan_xmit+0x22d4/0x2430
[ 28.596488]  kasan_report+0x25b/0x340
[ 28.600269]  __asan_report_load_n_noabort+0xf/0x20
[ 28.605172]  erspan_xmit+0x22d4/0x2430
[ 28.609038]  ? packet_direct_xmit+0x509/0x790
[ 28.613518]  ? validate_xmit_skb+0x4b0/0xaf0
[ 28.617903]  ? gretap_fb_dev_create+0x250/0x250
[ 28.622650]  ? netif_skb_features+0x9b0/0x9b0
[ 28.627135]  packet_direct_xmit+0x3ad/0x790
[ 28.631430]  ? packet_mmap+0x590/0x590
[ 28.635297]  ? memcpy+0x45/0x50
[ 28.638557]  packet_sendmsg+0x3aed/0x60b0
[ 28.642680]  ? find_held_lock+0x35/0x1d0
[ 28.646722]  ? avc_has_perm+0x35e/0x680
[ 28.650683]  ? packet_cached_dev_get+0x2b0/0x2b0
[ 28.655415]  ? avc_has_perm+0x43e/0x680
[ 28.659365]  ? avc_has_perm_noaudit+0x520/0x520
[ 28.664007]  ? find_held_lock+0x35/0x1d0
[ 28.668053]  ? fanout_add+0x1430/0x1430
[ 28.672001]  ? avc_has_perm+0x35e/0x680
[ 28.675965]  ? find_held_lock+0x35/0x1d0
[ 28.680009]  ? sock_has_perm+0x2a4/0x420
[ 28.684053]  ? selinux_secmark_relabel_packet+0xc0/0xc0
[ 28.689393]  ? lock_release+0x972/0xa40
[ 28.693341]  ? trace_event_raw_event_sched_switch+0x800/0x800
[ 28.699197]  ? __check_object_size+0x25d/0x4f0
[ 28.703757]  ? avc_has_perm_noaudit+0x520/0x520
[ 28.708409]  ? selinux_socket_sendmsg+0x36/0x40
[ 28.713058]  ? security_socket_sendmsg+0x89/0xb0
[ 28.717791]  ? packet_cached_dev_get+0x2b0/0x2b0
[ 28.722520]  sock_sendmsg+0xca/0x110
[ 28.726209]  SYSC_sendto+0x361/0x5c0
[ 28.729900]  ? SYSC_connect+0x4a0/0x4a0
[ 28.733850]  ? selinux_secmark_relabel_packet+0xc0/0xc0
[ 28.739182]  ? __do_page_fault+0x3d6/0xc90
[ 28.743394]  ? selinux_netlbl_sock_rcv_skb+0x730/0x730
[ 28.748673]  ? SyS_setsockopt+0x215/0x360
[ 28.752811]  ? SyS_recv+0x40/0x40
[ 28.756242]  ? entry_SYSCALL_64_fastpath+0x5/0xa0
[ 28.761061]  SyS_sendto+0x40/0x50
[ 28.764493]  entry_SYSCALL_64_fastpath+0x29/0xa0
[ 28.769219] RIP: 0033:0x4455b9
[ 28.772379] RSP: 002b:00007ffdea868098 EFLAGS: 00000217 ORIG_RAX: 000000000000002c
[ 28.780060] RAX: ffffffffffffffda RBX: 0000000000000068 RCX: 00000000004455b9
[ 28.787300] RDX: 0000000000000000 RSI: 0000000020003fd9 RDI: 0000000000000004
[ 28.794539] RBP: 00000000004a7153 R08: 0000000020008000 R09: 000000000000001c
[ 28.801781] R10: 0000000000000001 R11: 0000000000000217 R12: 00000000004026f0
[ 28.809026] R13: 0000000000402780 R14: 0000000000000000 R15: 0000000000000000
[ 28.816286]
[ 28.817886] Allocated by task 3727:
[ 28.821489]  save_stack+0x43/0xd0
[ 28.824910]  kasan_kmalloc+0xad/0xe0
[ 28.828593]  kasan_slab_alloc+0x12/0x20
[ 28.832536]  kmem_cache_alloc+0x12e/0x760
[ 28.836653]  copy_mm+0x30a/0x131b
[ 28.840078]  copy_process.part.38+0x1ee9/0x4b20
[ 28.844717]  _do_fork+0x1f7/0xfe0
[ 28.848140]  SyS_clone+0x37/0x50
[ 28.851475]  do_syscall_64+0x273/0x920
[ 28.855336]  return_from_SYSCALL_64+0x0/0x75
[ 28.860077]
[ 28.861674] Freed by task 3728:
[ 28.864924]  save_stack+0x43/0xd0
[ 28.868360]  kasan_slab_free+0x71/0xc0
[ 28.872220]  kmem_cache_free+0x83/0x2a0
[ 28.876171]  __mmdrop+0x242/0x3d0
[ 28.879593]  mmput+0x537/0x6d0
[ 28.882759]  flush_old_exec+0xc8b/0x2010
[ 28.886794]  load_elf_binary+0x87b/0x4c10
[ 28.890913]  search_binary_handler+0x142/0x6b0
[ 28.895467]  do_execveat_common.isra.30+0x1754/0x23c0
[ 28.900628]  SyS_execve+0x39/0x50
[ 28.904059]  do_syscall_64+0x273/0x920
[ 28.907927]  return_from_SYSCALL_64+0x0/0x75
[ 28.912304]
[ 28.913913] The buggy address belongs to the object at ffff8801d890f980
[ 28.913913]  which belongs to the cache mm_struct of size 1440
[ 28.926454] The buggy address is located 267 bytes inside of
[ 28.926454]  1440-byte region [ffff8801d890f980, ffff8801d890ff20)
[ 28.938383] The buggy address belongs to the page:
[ 28.943285] page:ffffea0007624380 count:1 mapcount:0 mapping:ffff8801d890e080 index:0x0 compound_mapcount: 0
[ 28.953228] flags: 0x2fffc0000008100(slab|head)
[ 28.957872] raw: 02fffc0000008100 ffff8801d890e080 0000000000000000 0000000100000005
[ 28.965732] raw: ffffea0007629720 ffffea000763c5a0 ffff8801dae279c0 0000000000000000
[ 28.973583] page dumped because: kasan: bad access detected
[ 28.979259]
[ 28.980858] Memory state around the buggy address:
[ 28.985763]  ffff8801d890f980: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 28.993094]  ffff8801d890fa00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 29.000425] >ffff8801d890fa80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 29.007751]                                                     ^
[ 29.011345]  ffff8801d890fb00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 29.018672]  ffff8801d890fb80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 29.026001] ==================================================================
[ 29.033334] Disabling lock debugging due to kernel taint
[ 29.038776] Kernel panic - not syncing: panic_on_warn set ...
[ 29.038776]
[ 29.046123] CPU: 0 PID: 3658 Comm: syzkaller099344 Tainted: G B 4.15.0-rc8+ #203
[ 29.054843] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 29.064166] Call Trace:
[ 29.066733]  dump_stack+0x194/0x257
[ 29.070333]  ? arch_local_irq_restore+0x53/0x53
[ 29.074973]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 29.079698]  ? vsnprintf+0x1ed/0x1900
[ 29.083472]  ? erspan_xmit+0x21f0/0x2430
[ 29.087514]  panic+0x1e4/0x41c
[ 29.090676]  ? refcount_error_report+0x214/0x214
[ 29.095405]  ? add_taint+0x1c/0x50
[ 29.098921]  ? add_taint+0x1c/0x50
[ 29.102433]  ? erspan_xmit+0x22d4/0x2430
[ 29.106464]  kasan_end_report+0x50/0x50
[ 29.110409]  kasan_report+0x144/0x340
[ 29.114180]  __asan_report_load_n_noabort+0xf/0x20
[ 29.119078]  erspan_xmit+0x22d4/0x2430
[ 29.122936]  ? packet_direct_xmit+0x509/0x790
[ 29.127403]  ? validate_xmit_skb+0x4b0/0xaf0
[ 29.131784]  ? gretap_fb_dev_create+0x250/0x250
[ 29.136421]  ? netif_skb_features+0x9b0/0x9b0
[ 29.140892]  packet_direct_xmit+0x3ad/0x790
[ 29.145184]  ? packet_mmap+0x590/0x590
[ 29.149044]  ? memcpy+0x45/0x50
[ 29.152298]  packet_sendmsg+0x3aed/0x60b0
[ 29.156420]  ? find_held_lock+0x35/0x1d0
[ 29.160456]  ? avc_has_perm+0x35e/0x680
[ 29.164407]  ? packet_cached_dev_get+0x2b0/0x2b0
[ 29.169132]  ? avc_has_perm+0x43e/0x680
[ 29.173076]  ? avc_has_perm_noaudit+0x520/0x520
[ 29.177718]  ? find_held_lock+0x35/0x1d0
[ 29.181748]  ? fanout_add+0x1430/0x1430
[ 29.185692]  ? avc_has_perm+0x35e/0x680
[ 29.189649]  ? find_held_lock+0x35/0x1d0
[ 29.193685]  ? sock_has_perm+0x2a4/0x420
[ 29.197720]  ? selinux_secmark_relabel_packet+0xc0/0xc0
[ 29.203052]  ? lock_release+0x972/0xa40
[ 29.206996]  ? trace_event_raw_event_sched_switch+0x800/0x800
[ 29.212853]  ? __check_object_size+0x25d/0x4f0
[ 29.217403]  ? avc_has_perm_noaudit+0x520/0x520
[ 29.222054]  ? selinux_socket_sendmsg+0x36/0x40
[ 29.226701]  ? security_socket_sendmsg+0x89/0xb0
[ 29.231445]  ? packet_cached_dev_get+0x2b0/0x2b0
[ 29.236181]  sock_sendmsg+0xca/0x110
[ 29.239868]  SYSC_sendto+0x361/0x5c0
[ 29.243555]  ? SYSC_connect+0x4a0/0x4a0
[ 29.247499]  ? selinux_secmark_relabel_packet+0xc0/0xc0
[ 29.252839]  ? __do_page_fault+0x3d6/0xc90
[ 29.257049]  ? selinux_netlbl_sock_rcv_skb+0x730/0x730
[ 29.262306]  ? SyS_setsockopt+0x215/0x360
[ 29.266425]  ? SyS_recv+0x40/0x40
[ 29.269855]  ? entry_SYSCALL_64_fastpath+0x5/0xa0
[ 29.274669]  SyS_sendto+0x40/0x50
[ 29.278097]  entry_SYSCALL_64_fastpath+0x29/0xa0
[ 29.282824] RIP: 0033:0x4455b9
[ 29.285985] RSP: 002b:00007ffdea868098 EFLAGS: 00000217 ORIG_RAX: 000000000000002c
[ 29.293662] RAX: ffffffffffffffda RBX: 0000000000000068 RCX: 00000000004455b9
[ 29.300907] RDX: 0000000000000000 RSI: 0000000020003fd9 RDI: 0000000000000004
[ 29.308155] RBP: 00000000004a7153 R08: 0000000020008000 R09: 000000000000001c
[ 29.315394] R10: 0000000000000001 R11: 0000000000000217 R12: 00000000004026f0
[ 29.322633] R13: 0000000000402780 R14: 0000000000000000 R15: 0000000000000000
[ 29.330316] Dumping ftrace buffer:
[ 29.333831]    (ftrace buffer empty)
[ 29.337508] Kernel Offset: disabled
[ 29.341110] Rebooting in 86400 seconds..