[ ok ] Starting enhanced syslogd: rsyslogd.
[   15.910155] audit: type=1400 audit(1520825162.978:5): avc: denied { syslog } for pid=4030 comm="rsyslogd" capability=34 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=capability2 permissive=1
[ ok ] Starting periodic command scheduler: cron.
Starting mcstransd:
[ ok ] Starting file context maintaining daemon: restorecond.
[ ok ] Starting OpenBSD Secure Shell server: sshd.

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [   22.054209] audit: type=1400 audit(1520825169.122:6): avc: denied { map } for pid=4170 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
Warning: Permanently added '10.128.10.5' (ECDSA) to the list of known hosts.
[   28.369651] audit: type=1400 audit(1520825175.437:7): avc: denied { map } for pid=4184 comm="syz-execprog" path="/root/syz-execprog" dev="sda1" ino=16479 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
2018/03/12 03:26:15 parsed 1 programs
2018/03/12 03:26:15 executed programs: 0
[   28.615392] audit: type=1400 audit(1520825175.683:8): avc: denied { map } for pid=4184 comm="syz-execprog" path="/root/syzkaller-shm539879419" dev="sda1" ino=16482 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:file_t:s0 tclass=file permissive=1
[   28.633944] IPVS: ftp: loaded support on port[0] = 21
[   28.640995] audit: type=1400 audit(1520825175.693:9): avc: denied { sys_admin } for pid=4189 comm="syz-executor0" capability=21 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=cap_userns permissive=1
[   28.674197] audit: type=1400 audit(1520825175.741:10): avc: denied { net_admin } for pid=4192 comm="syz-executor0" capability=12 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=cap_userns permissive=1
[   28.907825] IPv6: ADDRCONF(NETDEV_UP): bridge0: link is not ready
[   29.254760] IPv6: ADDRCONF(NETDEV_UP): bond0: link is not ready
[   29.260865] 8021q: adding VLAN 0 to HW filter on device bond0
[   29.296742] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
[   29.333899] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[   29.347433] audit: type=1400 audit(1520825176.415:11): avc: denied { sys_chroot } for pid=4192 comm="syz-executor0" capability=18 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=cap_userns permissive=1
[   29.358778] ==================================================================
[   29.379239] BUG: KASAN: slab-out-of-bounds in ip6_xmit+0x1f76/0x2260
[   29.385701] Read of size 8 at addr ffff8801cb8a8318 by task syz-executor0/4350
[   29.393026]
[   29.394632] CPU: 1 PID: 4350 Comm: syz-executor0 Not tainted 4.16.0-rc4+ #260
[   29.401873] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   29.411196] Call Trace:
[   29.413758]  dump_stack+0x194/0x24d
[   29.417357]  ? arch_local_irq_restore+0x53/0x53
[   29.421999]  ? show_regs_print_info+0x18/0x18
[   29.426472]  ? ip6_xmit+0x1f76/0x2260
[   29.430247]  print_address_description+0x73/0x250
[   29.435068]  ? ip6_xmit+0x1f76/0x2260
[   29.438850]  kasan_report+0x23c/0x360
[   29.442625]  __asan_report_load8_noabort+0x14/0x20
[   29.447526]  ip6_xmit+0x1f76/0x2260
[   29.451137]  ? ip6_finish_output2+0x23a0/0x23a0
[   29.455781]  ? fl6_update_dst+0x127/0x2b0
[   29.459903]  ? inet6_csk_route_socket+0x691/0xe80
[   29.464718]  ? trace_hardirqs_off+0x10/0x10
[   29.469009]  ? lock_acquire+0x1d5/0x580
[   29.472953]  ? lock_acquire+0x1d5/0x580
[   29.476896]  ? inet6_csk_xmit+0x114/0x580
[   29.481016]  ? trace_hardirqs_off+0x10/0x10
[   29.485313]  ? lock_release+0xa40/0xa40
[   29.489275]  inet6_csk_xmit+0x2fc/0x580
[   29.493224]  ? inet6_csk_update_pmtu+0x160/0x160
[   29.497953]  ? __sk_dst_check+0x1a5/0x380
[   29.502077]  ? sock_kfree_s+0x60/0x60
[   29.505867]  l2tp_xmit_skb+0x105f/0x1410
[   29.509910]  ? l2tp_session_create+0xb80/0xb80
[   29.514464]  ? sock_wmalloc+0x15d/0x1d0
[   29.518414]  ? iov_iter_advance+0x13f0/0x13f0
[   29.522884]  ? pppol2tp_sendmsg+0x41b/0x670
[   29.527192]  pppol2tp_sendmsg+0x470/0x670
[   29.531324]  ? selinux_socket_sendmsg+0x36/0x40
[   29.535969]  ? pppol2tp_getsockopt+0x900/0x900
[   29.540525]  sock_sendmsg+0xca/0x110
[   29.544212]  SYSC_sendto+0x361/0x5c0
[   29.547901]  ? SYSC_connect+0x4a0/0x4a0
[   29.551850]  ? find_held_lock+0x35/0x1d0
[   29.555892]  ? lock_downgrade+0x980/0x980
[   29.560053]  ? __do_page_fault+0x3d6/0xc90
[   29.564272]  SyS_sendto+0x40/0x50
[   29.567697]  ? SyS_getpeername+0x30/0x30
[   29.571733]  do_fast_syscall_32+0x3ec/0xf9f
[   29.576047]  ? do_int80_syscall_32+0x9c0/0x9c0
[   29.580604]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[   29.585336]  ? syscall_return_slowpath+0x2ac/0x550
[   29.590236]  ? prepare_exit_to_usermode+0x350/0x350
[   29.595229]  ? sysret32_from_system_call+0x5/0x3c
[   29.600055]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   29.604879]  entry_SYSENTER_compat+0x70/0x7f
[   29.609257] RIP: 0023:0xf7f26c99
[   29.612591] RSP: 002b:000000000844e9cc EFLAGS: 00000202 ORIG_RAX: 0000000000000171
[   29.620270] RAX: ffffffffffffffda RBX: 0000000000000004 RCX: 0000000020001180
[   29.627511] RDX: 0000000000000000 RSI: 0000000000040001 RDI: 00000000200021c0
[   29.634749] RBP: 0000000000000080 R08: 0000000000000000 R09: 0000000000000000
[   29.641989] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
[   29.649233] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[   29.656488]
[   29.658085] Allocated by task 0:
[   29.661417] (stack is not available)
[   29.665099]
[   29.666695] Freed by task 0:
[   29.669679] (stack is not available)
[   29.673358]
[   29.674957] The buggy address belongs to the object at ffff8801cb8a8300
[   29.674957]  which belongs to the cache ip_dst_cache of size 168
[   29.687670] The buggy address is located 24 bytes inside of
[   29.687670]  168-byte region [ffff8801cb8a8300, ffff8801cb8a83a8)
[   29.699426] The buggy address belongs to the page:
[   29.704325] page:ffffea00072e2a00 count:1 mapcount:0 mapping:ffff8801cb8a8000 index:0x0
[   29.712436] flags: 0x2fffc0000000100(slab)
[   29.716707] raw: 02fffc0000000100 ffff8801cb8a8000 0000000000000000 0000000100000010
[   29.724557] raw: ffff8801d6bdb548 ffffea000737c920 ffff8801d6bda340 0000000000000000
[   29.732403] page dumped because: kasan: bad access detected
[   29.738079]
[   29.739678] Memory state around the buggy address:
[   29.744578]  ffff8801cb8a8200: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   29.751905]  ffff8801cb8a8280: 00 00 00 00 00 fc fc fc fc fc fc fc fc fc fc fc
[   29.759235] >ffff8801cb8a8300: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   29.766566]                             ^
[   29.770681]  ffff8801cb8a8380: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   29.778013]  ffff8801cb8a8400: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   29.785345] ==================================================================
[   29.792673] Disabling lock debugging due to kernel taint
[   29.798131] Kernel panic - not syncing: panic_on_warn set ...
[   29.798131]
[   29.805471] CPU: 1 PID: 4350 Comm: syz-executor0 Tainted: G    B            4.16.0-rc4+ #260
[   29.814018] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   29.823349] Call Trace:
[   29.825909]  dump_stack+0x194/0x24d
[   29.829511]  ? arch_local_irq_restore+0x53/0x53
[   29.834152]  ? kasan_end_report+0x32/0x50
[   29.838273]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[   29.842997]  ? vsnprintf+0x1ed/0x1900
[   29.846772]  ? ip6_xmit+0x1f30/0x2260
[   29.850546]  panic+0x1e4/0x41c
[   29.853708]  ? refcount_error_report+0x214/0x214
[   29.858438]  ? add_taint+0x1c/0x50
[   29.861947]  ? add_taint+0x1c/0x50
[   29.865458]  ? ip6_xmit+0x1f76/0x2260
[   29.869229]  kasan_end_report+0x50/0x50
[   29.873173]  kasan_report+0x149/0x360
[   29.876946]  __asan_report_load8_noabort+0x14/0x20
[   29.881846]  ip6_xmit+0x1f76/0x2260
[   29.885451]  ? ip6_finish_output2+0x23a0/0x23a0
[   29.890090]  ? fl6_update_dst+0x127/0x2b0
[   29.894210]  ? inet6_csk_route_socket+0x691/0xe80
[   29.899031]  ? trace_hardirqs_off+0x10/0x10
[   29.903324]  ? lock_acquire+0x1d5/0x580
[   29.907269]  ? lock_acquire+0x1d5/0x580
[   29.911214]  ? inet6_csk_xmit+0x114/0x580
[   29.915335]  ? trace_hardirqs_off+0x10/0x10
[   29.919633]  ? lock_release+0xa40/0xa40
[   29.923587]  inet6_csk_xmit+0x2fc/0x580
[   29.927534]  ? inet6_csk_update_pmtu+0x160/0x160
[   29.932261]  ? __sk_dst_check+0x1a5/0x380
[   29.936380]  ? sock_kfree_s+0x60/0x60
[   29.940162]  l2tp_xmit_skb+0x105f/0x1410
[   29.944198]  ? l2tp_session_create+0xb80/0xb80
[   29.948753]  ? sock_wmalloc+0x15d/0x1d0
[   29.952699]  ? iov_iter_advance+0x13f0/0x13f0
[   29.957173]  ? pppol2tp_sendmsg+0x41b/0x670
[   29.961478]  pppol2tp_sendmsg+0x470/0x670
[   29.965599]  ? selinux_socket_sendmsg+0x36/0x40
[   29.970609]  ? pppol2tp_getsockopt+0x900/0x900
[   29.975164]  sock_sendmsg+0xca/0x110
[   29.978851]  SYSC_sendto+0x361/0x5c0
[   29.982537]  ? SYSC_connect+0x4a0/0x4a0
[   29.986486]  ? find_held_lock+0x35/0x1d0
[   29.990525]  ? lock_downgrade+0x980/0x980
[   29.994660]  ? __do_page_fault+0x3d6/0xc90
[   29.998867]  SyS_sendto+0x40/0x50
[   30.002291]  ? SyS_getpeername+0x30/0x30
[   30.006327]  do_fast_syscall_32+0x3ec/0xf9f
[   30.010621]  ? do_int80_syscall_32+0x9c0/0x9c0
[   30.015181]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[   30.019915]  ? syscall_return_slowpath+0x2ac/0x550
[   30.024813]  ? prepare_exit_to_usermode+0x350/0x350
[   30.029804]  ? sysret32_from_system_call+0x5/0x3c
[   30.034617]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   30.039433]  entry_SYSENTER_compat+0x70/0x7f
[   30.043808] RIP: 0023:0xf7f26c99
[   30.047142] RSP: 002b:000000000844e9cc EFLAGS: 00000202 ORIG_RAX: 0000000000000171
[   30.054819] RAX: ffffffffffffffda RBX: 0000000000000004 RCX: 0000000020001180
[   30.062064] RDX: 0000000000000000 RSI: 0000000000040001 RDI: 00000000200021c0
[   30.069302] RBP: 0000000000000080 R08: 0000000000000000 R09: 0000000000000000
[   30.076542] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
[   30.083779] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[   30.091438] Dumping ftrace buffer:
[   30.094951]    (ftrace buffer empty)
[   30.098631] Kernel Offset: disabled
[   30.102228] Rebooting in 86400 seconds..