[....] Starting enhanced syslogd: rsyslogd
[   13.392200] audit: type=1400 audit(1515911123.046:5): avc: denied { syslog } for pid=3509 comm="rsyslogd" capability=34 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=capability2 permissive=1
[ ok ] Starting enhanced syslogd: rsyslogd.
[ ok ] Starting periodic command scheduler: cron.
Starting mcstransd:
[ ok ] Starting file context maintaining daemon: restorecond.
[ ok ] Starting OpenBSD Secure Shell server: sshd.

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [   19.426374] audit: type=1400 audit(1515911129.081:6): avc: denied { map } for pid=3650 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
Warning: Permanently added '10.128.0.58' (ECDSA) to the list of known hosts.
executing program
[   25.637916] audit: type=1400 audit(1515911135.292:7): avc: denied { map } for pid=3664 comm="syzkaller716686" path="/root/syzkaller716686297" dev="sda1" ino=16481 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
[   25.639337] syzkaller716686 uses obsolete (PF_INET,SOCK_PACKET)
[   25.640803] device lo entered promiscuous mode
[   25.643667] ==================================================================
[   25.643683] BUG: KASAN: slab-out-of-bounds in ip6_xmit+0x1ce9/0x2090
[   25.643687] Read of size 8 at addr ffff8801d99a1018 by task syzkaller716686/3664
[   25.643689] 
[   25.643694] CPU: 0 PID: 3664 Comm: syzkaller716686 Not tainted 4.15.0-rc7+ #187
[   25.643697] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   25.643698] Call Trace:
[   25.643707]  dump_stack+0x194/0x257
[   25.643715]  ? arch_local_irq_restore+0x53/0x53
[   25.643723]  ? show_regs_print_info+0x18/0x18
[   25.643734]  ? ip6_xmit+0x1ce9/0x2090
[   25.643743]  print_address_description+0x73/0x250
[   25.643749]  ? ip6_xmit+0x1ce9/0x2090
[   25.643755]  kasan_report+0x25b/0x340
[   25.643764]  __asan_report_load8_noabort+0x14/0x20
[   25.643768]  ip6_xmit+0x1ce9/0x2090
[   25.643785]  ? ip6_finish_output2+0x23a0/0x23a0
[   25.643795]  ? fl6_update_dst+0x127/0x2b0
[   25.643802]  ? check_noncircular+0x20/0x20
[   25.643808]  ? inet6_csk_route_socket+0x691/0xe80
[   25.643817]  ? lock_acquire+0x1d5/0x580
[   25.643821]  ? lock_acquire+0x1d5/0x580
[   25.643825]  ? inet6_csk_xmit+0x114/0x580
[   25.643830]  ? __lock_is_held+0xb6/0x140
[   25.643839]  ? lock_release+0xa40/0xa40
[   25.643847]  ? __lock_is_held+0xb6/0x140
[   25.643864]  inet6_csk_xmit+0x2fc/0x580
[   25.643871]  ? inet6_csk_update_pmtu+0x160/0x160
[   25.643881]  ? rt_cpu_seq_show+0x2c0/0x2c0
[   25.643888]  ? refcount_add_not_zero+0x133/0x200
[   25.643910]  tcp_transmit_skb+0x1b1b/0x38c0
[   25.643928]  ? __tcp_select_window+0x900/0x900
[   25.643934]  ? tcp_fastopen_cache_get+0x449/0x720
[   25.643942]  ? tcp_peer_is_proven+0xc60/0xc60
[   25.643951]  ? __lock_is_held+0xb6/0x140
[   25.643970]  ? tcp_try_fastopen+0x1b50/0x1b50
[   25.643980]  ? tcp_init_transfer+0x3d0/0x3d0
[   25.643993]  ? tcp_rbtree_insert+0x135/0x190
[   25.644008]  tcp_connect+0x1edb/0x4090
[   25.644024]  ? tcp_push_one+0x100/0x100
[   25.644029]  ? lock_downgrade+0x927/0x980
[   25.644050]  ? pvclock_read_flags+0x160/0x160
[   25.644055]  ? mark_held_locks+0xaf/0x100
[   25.644060]  ? ip_route_output_key_hash+0x229/0x370
[   25.644067]  ? ktime_get_with_offset+0x188/0x420
[   25.644078]  ? kvm_clock_get_cycles+0x25/0x30
[   25.644083]  ? ktime_get_with_offset+0x2c1/0x420
[   25.644093]  ? do_gettimeofday+0x190/0x190
[   25.644106]  ? tcp_fastopen_defer_connect+0x163/0x4a0
[   25.644113]  ? tcp_fastopen_cookie_check+0x720/0x720
[   25.644118]  ? siphash_1u64+0x18/0x270
[   25.644146]  tcp_v4_connect+0x15ef/0x1e70
[   25.644153]  ? __sys_sendmmsg+0x1ee/0x620
[   25.644180]  ? tcp_v4_inbound_md5_hash+0x510/0x510
[   25.644188]  ? __lock_is_held+0xb6/0x140
[   25.644201]  __inet_stream_connect+0x2d4/0xf00
[   25.644213]  ? inet_bind+0x910/0x910
[   25.644226]  ? tcp_sendmsg_locked+0x1f71/0x3c70
[   25.644232]  ? rcu_read_lock_sched_held+0x108/0x120
[   25.644237]  ? kmem_cache_alloc_trace+0x456/0x750
[   25.644244]  ? mark_held_locks+0xaf/0x100
[   25.644256]  tcp_sendmsg_locked+0x264e/0x3c70
[   25.644268]  ? avc_has_perm+0x35e/0x680
[   25.644274]  ? lock_downgrade+0x980/0x980
[   25.644282]  ? lock_release+0xa40/0xa40
[   25.644296]  ? tcp_sendpage+0x60/0x60
[   25.644315]  ? print_irqtrace_events+0x270/0x270
[   25.644318]  ? find_held_lock+0x35/0x1d0
[   25.644330]  ? lock_acquire+0x1d5/0x580
[   25.644334]  ? lock_acquire+0x1d5/0x580
[   25.644338]  ? tcp_sendmsg+0x21/0x50
[   25.644353]  ? mark_held_locks+0xaf/0x100
[   25.644357]  ? do_raw_spin_trylock+0x190/0x190
[   25.644364]  ? __local_bh_enable_ip+0x121/0x230
[   25.644371]  ? trace_hardirqs_on_caller+0x421/0x5c0
[   25.644376]  ? lock_sock_nested+0x91/0x110
[   25.644380]  ? trace_hardirqs_on+0xd/0x10
[   25.644385]  ? __local_bh_enable_ip+0x121/0x230
[   25.644396]  tcp_sendmsg+0x2f/0x50
[   25.644403]  inet_sendmsg+0x11f/0x5e0
[   25.644407]  ? copy_msghdr_from_user+0x3a6/0x590
[   25.644414]  ? inet_create+0xf50/0xf50
[   25.644421]  ? selinux_socket_sendmsg+0x36/0x40
[   25.644426]  ? security_socket_sendmsg+0x89/0xb0
[   25.644432]  ? inet_create+0xf50/0xf50
[   25.644438]  sock_sendmsg+0xca/0x110
[   25.644445]  ___sys_sendmsg+0x320/0x8b0
[   25.644455]  ? copy_msghdr_from_user+0x590/0x590
[   25.644462]  ? __pmd_alloc+0x4e0/0x4e0
[   25.644467]  ? __local_bh_enable_ip+0x121/0x230
[   25.644476]  ? find_held_lock+0x35/0x1d0
[   25.644491]  ? __fget_light+0x297/0x380
[   25.644497]  ? fget_raw+0x20/0x20
[   25.644501]  ? find_held_lock+0x35/0x1d0
[   25.644515]  ? __do_page_fault+0x5f7/0xc90
[   25.644521]  ? lock_downgrade+0x980/0x980
[   25.644541]  __sys_sendmmsg+0x1ee/0x620
[   25.644545]  ? __sys_sendmmsg+0x1ee/0x620
[   25.644557]  ? SyS_sendmsg+0x50/0x50
[   25.644567]  ? mm_fault_error+0x2c0/0x2c0
[   25.644586]  ? __do_page_fault+0xc90/0xc90
[   25.644595]  ? SyS_setsockopt+0x215/0x360
[   25.644603]  ? SyS_recv+0x40/0x40
[   25.644613]  ? trace_hardirqs_on_caller+0x421/0x5c0
[   25.644623]  SyS_sendmmsg+0x35/0x60
[   25.644632]  entry_SYSCALL_64_fastpath+0x23/0x9a
[   25.644636] RIP: 0033:0x43fdd9
[   25.644638] RSP: 002b:00007ffcaf235288 EFLAGS: 00000217 ORIG_RAX: 0000000000000133
[   25.644643] RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 000000000043fdd9
[   25.644646] RDX: 0000000000000001 RSI: 00000000205f8fc8 RDI: 0000000000000004
[   25.644648] RBP: 00000000006ca018 R08: 0000000000000000 R09: 0000000000000000
[   25.644650] R10: 0000000020000000 R11: 0000000000000217 R12: 0000000000401740
[   25.644653] R13: 00000000004017d0 R14: 0000000000000000 R15: 0000000000000000
[   25.644670] 
[   25.644672] Allocated by task 0:
[   25.644673] (stack is not available)
[   25.644674] 
[   25.644676] Freed by task 0:
[   25.644677] (stack is not available)
[   25.644678] 
[   25.644681] The buggy address belongs to the object at ffff8801d99a1000
[   25.644681]  which belongs to the cache selinux_inode_security of size 96
[   25.644685] The buggy address is located 24 bytes inside of
[   25.644685]  96-byte region [ffff8801d99a1000, ffff8801d99a1060)
[   25.644686] The buggy address belongs to the page:
[   25.644690] page:ffffea0007666840 count:1 mapcount:0 mapping:ffff8801d99a1000 index:0x0
[   25.644694] flags: 0x2fffc0000000100(slab)
[   25.644700] raw: 02fffc0000000100 ffff8801d99a1000 0000000000000000 0000000100000020
[   25.644705] raw: ffffea00076b61e0 ffffea000756cc60 ffff8801dae27240 0000000000000000
[   25.644707] page dumped because: kasan: bad access detected
[   25.644708] 
[   25.644709] Memory state around the buggy address:
[   25.644712]  ffff8801d99a0f00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   25.644715]  ffff8801d99a0f80: 00 00 00 00 00 fc fc fc fc fc fc fc fc fc fc fc
[   25.644718] >ffff8801d99a1000: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   25.644720]                             ^
[   25.644723]  ffff8801d99a1080: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   25.644726]  ffff8801d99a1100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   25.644727] ==================================================================
[   25.644729] Disabling lock debugging due to kernel taint
[   25.644746] Kernel panic - not syncing: panic_on_warn set ...
[   25.644746] 
[   25.644750] CPU: 0 PID: 3664 Comm: syzkaller716686 Tainted: G    B            4.15.0-rc7+ #187
[   25.644752] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   25.644754] Call Trace:
[   25.644758]  dump_stack+0x194/0x257
[   25.644764]  ? arch_local_irq_restore+0x53/0x53
[   25.644767]  ? kasan_end_report+0x32/0x50
[   25.644774]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[   25.644778]  ? vsnprintf+0x1ed/0x1900
[   25.644783]  ? ip6_xmit+0x1c50/0x2090
[   25.644787]  panic+0x1e4/0x41c
[   25.644791]  ? refcount_error_report+0x214/0x214
[   25.644797]  ? add_taint+0x1c/0x50
[   25.644801]  ? add_taint+0x1c/0x50
[   25.644806]  ? ip6_xmit+0x1ce9/0x2090
[   25.644810]  kasan_end_report+0x50/0x50
[   25.644815]  kasan_report+0x144/0x340
[   25.644821]  __asan_report_load8_noabort+0x14/0x20
[   25.644824]  ip6_xmit+0x1ce9/0x2090
[   25.644835]  ? ip6_finish_output2+0x23a0/0x23a0
[   25.644841]  ? fl6_update_dst+0x127/0x2b0
[   25.644846]  ? check_noncircular+0x20/0x20
[   25.644851]  ? inet6_csk_route_socket+0x691/0xe80
[   25.644857]  ? lock_acquire+0x1d5/0x580
[   25.644860]  ? lock_acquire+0x1d5/0x580
[   25.644864]  ? inet6_csk_xmit+0x114/0x580
[   25.644868]  ? __lock_is_held+0xb6/0x140
[   25.644874]  ? lock_release+0xa40/0xa40
[   25.644879]  ? __lock_is_held+0xb6/0x140
[   25.644889]  inet6_csk_xmit+0x2fc/0x580
[   25.644895]  ? inet6_csk_update_pmtu+0x160/0x160
[   25.644900]  ? rt_cpu_seq_show+0x2c0/0x2c0
[   25.644904]  ? refcount_add_not_zero+0x133/0x200
[   25.644916]  tcp_transmit_skb+0x1b1b/0x38c0
[   25.644927]  ? __tcp_select_window+0x900/0x900
[   25.644932]  ? tcp_fastopen_cache_get+0x449/0x720
[   25.644938]  ? tcp_peer_is_proven+0xc60/0xc60
[   25.644943]  ? __lock_is_held+0xb6/0x140
[   25.644955]  ? tcp_try_fastopen+0x1b50/0x1b50
[   25.644961]  ? tcp_init_transfer+0x3d0/0x3d0
[   25.644969]  ? tcp_rbtree_insert+0x135/0x190
[   25.644976]  tcp_connect+0x1edb/0x4090
[   25.644986]  ? tcp_push_one+0x100/0x100
[   25.644990]  ? lock_downgrade+0x927/0x980
[   25.644998]  ? pvclock_read_flags+0x160/0x160
[   25.645006]  ? mark_held_locks+0xaf/0x100
[   25.645010]  ? ip_route_output_key_hash+0x229/0x370
[   25.645014]  ? ktime_get_with_offset+0x188/0x420
[   25.645021]  ? kvm_clock_get_cycles+0x25/0x30
[   25.645025]  ? ktime_get_with_offset+0x2c1/0x420
[   25.645031]  ? do_gettimeofday+0x190/0x190
[   25.645040]  ? tcp_fastopen_defer_connect+0x163/0x4a0
[   25.645049]  ? tcp_fastopen_cookie_check+0x720/0x720
[   25.645052]  ? siphash_1u64+0x18/0x270
[   25.645065]  tcp_v4_connect+0x15ef/0x1e70
[   25.645068]  ? __sys_sendmmsg+0x1ee/0x620
[   25.645078]  ? tcp_v4_inbound_md5_hash+0x510/0x510
[   25.645083]  ? __lock_is_held+0xb6/0x140
[   25.645091]  __inet_stream_connect+0x2d4/0xf00
[   25.645098]  ? inet_bind+0x910/0x910
[   25.645107]  ? tcp_sendmsg_locked+0x1f71/0x3c70
[   25.645111]  ? rcu_read_lock_sched_held+0x108/0x120
[   25.645115]  ? kmem_cache_alloc_trace+0x456/0x750
[   25.645120]  ? mark_held_locks+0xaf/0x100
[   25.645127]  tcp_sendmsg_locked+0x264e/0x3c70
[   25.645134]  ? avc_has_perm+0x35e/0x680
[   25.645139]  ? lock_downgrade+0x980/0x980
[   25.645144]  ? lock_release+0xa40/0xa40
[   25.645153]  ? tcp_sendpage+0x60/0x60
[   25.645165]  ? print_irqtrace_events+0x270/0x270
[   25.645168]  ? find_held_lock+0x35/0x1d0
[   25.645175]  ? lock_acquire+0x1d5/0x580
[   25.645178]  ? lock_acquire+0x1d5/0x580
[   25.645182]  ? tcp_sendmsg+0x21/0x50
[   25.645191]  ? mark_held_locks+0xaf/0x100
[   25.645195]  ? do_raw_spin_trylock+0x190/0x190
[   25.645199]  ? __local_bh_enable_ip+0x121/0x230
[   25.645205]  ? trace_hardirqs_on_caller+0x421/0x5c0
[   25.645209]  ? lock_sock_nested+0x91/0x110
[   25.645212]  ? trace_hardirqs_on+0xd/0x10
[   25.645216]  ? __local_bh_enable_ip+0x121/0x230
[   25.645224]  tcp_sendmsg+0x2f/0x50
[   25.645229]  inet_sendmsg+0x11f/0x5e0
[   25.645232]  ? copy_msghdr_from_user+0x3a6/0x590
[   25.645237]  ? inet_create+0xf50/0xf50
[   25.645242]  ? selinux_socket_sendmsg+0x36/0x40
[   25.645246]  ? security_socket_sendmsg+0x89/0xb0
[   25.645250]  ? inet_create+0xf50/0xf50
[   25.645255]  sock_sendmsg+0xca/0x110
[   25.645260]  ___sys_sendmsg+0x320/0x8b0
[   25.645267]  ? copy_msghdr_from_user+0x590/0x590
[   25.645271]  ? __pmd_alloc+0x4e0/0x4e0
[   25.645275]  ? __local_bh_enable_ip+0x121/0x230
[   25.645282]  ? find_held_lock+0x35/0x1d0
[   25.645289]  ? __fget_light+0x297/0x380
[   25.645294]  ? fget_raw+0x20/0x20
[   25.645297]  ? find_held_lock+0x35/0x1d0
[   25.645305]  ? __do_page_fault+0x5f7/0xc90
[   25.645310]  ? lock_downgrade+0x980/0x980
[   25.645322]  __sys_sendmmsg+0x1ee/0x620
[   25.645325]  ? __sys_sendmmsg+0x1ee/0x620
[   25.645333]  ? SyS_sendmsg+0x50/0x50
[   25.645340]  ? mm_fault_error+0x2c0/0x2c0
[   25.645351]  ? __do_page_fault+0xc90/0xc90
[   25.645357]  ? SyS_setsockopt+0x215/0x360
[   25.645363]  ? SyS_recv+0x40/0x40
[   25.645370]  ? trace_hardirqs_on_caller+0x421/0x5c0
[   25.645376]  SyS_sendmmsg+0x35/0x60
[   25.645382]  entry_SYSCALL_64_fastpath+0x23/0x9a
[   25.645385] RIP: 0033:0x43fdd9
[   25.645386] RSP: 002b:00007ffcaf235288 EFLAGS: 00000217 ORIG_RAX: 0000000000000133
[   25.645390] RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 000000000043fdd9
[   25.645393] RDX: 0000000000000001 RSI: 00000000205f8fc8 RDI: 0000000000000004
[   25.645395] RBP: 00000000006ca018 R08: 0000000000000000 R09: 0000000000000000
[   25.645397] R10: 0000000020000000 R11: 0000000000000217 R12: 0000000000401740
[   25.645399] R13: 00000000004017d0 R14: 0000000000000000 R15: 0000000000000000
[   25.664161] Dumping ftrace buffer:
[   25.664164]    (ftrace buffer empty)
[   25.664167] Kernel Offset: disabled
[   26.855160] Rebooting in 86400 seconds..
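Triage note and added example (this is editor-added code, not part of the syzkaller console log above and not syzkaller's own report parser). The report's own numbers carry more than the headline: the faulting address ffff8801d99a1018 is 24 bytes into a 96-byte slot of the selinux_inode_security cache, a cache that ip6_xmit has no business touching, the "Allocated by"/"Freed by" stacks are both unavailable, and every shadow byte of that slot is 0xfc, which in mm/kasan/kasan.h is KASAN_KMALLOC_REDZONE, the poison for slab memory that holds no live object. Together that says the pointer ip6_xmit dereferenced does not point at a live allocation at all, rather than overrunning the end of a valid IPv6 buffer by a few bytes. The parser below pulls the structured fields out of a KASAN report, rebuilds the syzbot-style title, cross-checks the "located N bytes inside of" arithmetic against the object base, and decodes the shadow bytes covering the access and the whole object slot. The sample input is a constructed excerpt of the report above (call traces omitted); the shadow-byte meanings are taken from the 4.15-era kasan.h and are the only outside assumption.

```python
import re

# Shadow byte values from mm/kasan/kasan.h (4.15 era, assumption: this table is
# not in the report itself). 0x00 = all 8 bytes addressable, 0x01..0x07 = only
# that many leading bytes addressable, everything else is a poison marker.
KASAN_POISON = {
    0xf1: "stack left redzone", 0xf2: "stack mid redzone",
    0xf3: "stack right redzone", 0xf4: "stack partial redzone",
    0xf8: "use-after-scope", 0xfa: "global redzone",
    0xfb: "freed slab object", 0xfc: "slab redzone (not inside a live object)",
    0xfe: "kmalloc_large redzone", 0xff: "freed page",
}
SHADOW_SCALE = 8            # bytes of kernel memory per shadow byte
SHADOW_BYTES_PER_ROW = 16   # shadow bytes per printed "Memory state" row

# Constructed sample: header and address-description lines of the report on
# this page, with the call traces left out since they are not parsed here.
SAMPLE_REPORT = """\
[   25.643683] BUG: KASAN: slab-out-of-bounds in ip6_xmit+0x1ce9/0x2090
[   25.643687] Read of size 8 at addr ffff8801d99a1018 by task syzkaller716686/3664
[   25.643694] CPU: 0 PID: 3664 Comm: syzkaller716686 Not tainted 4.15.0-rc7+ #187
[   25.644672] Allocated by task 0:
[   25.644673] (stack is not available)
[   25.644676] Freed by task 0:
[   25.644677] (stack is not available)
[   25.644681] The buggy address belongs to the object at ffff8801d99a1000
[   25.644681]  which belongs to the cache selinux_inode_security of size 96
[   25.644685] The buggy address is located 24 bytes inside of
[   25.644685]  96-byte region [ffff8801d99a1000, ffff8801d99a1060)
[   25.644709] Memory state around the buggy address:
[   25.644712]  ffff8801d99a0f00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   25.644715]  ffff8801d99a0f80: 00 00 00 00 00 fc fc fc fc fc fc fc fc fc fc fc
[   25.644718] >ffff8801d99a1000: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   25.644723]  ffff8801d99a1080: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
"""

_TS = re.compile(r"^\[\s*\d+\.\d+\]\s?")
_BUG = re.compile(r"BUG: KASAN: (?P<kind>\S+) in (?P<func>[^+\s]+)\+0x(?P<off>[0-9a-f]+)/0x(?P<size>[0-9a-f]+)")
_ACCESS = re.compile(r"(?P<rw>Read|Write) of size (?P<size>\d+) at addr (?P<addr>[0-9a-f]+) by task (?P<comm>\S+)/(?P<pid>\d+)")
_OBJECT = re.compile(r"belongs to the object at (?P<obj>[0-9a-f]+)")
_CACHE = re.compile(r"belongs to the cache (?P<cache>\S+) of size (?P<size>\d+)")
_WHERE = re.compile(r"is located (?P<dist>\d+) bytes (?P<rel>inside of|to the left of|to the right of)")
_REGION = re.compile(r"(?P<size>\d+)-byte region \[(?P<lo>[0-9a-f]+), (?P<hi>[0-9a-f]+)\)")
_SHADOW_ROW = re.compile(r"^>?\s*(?P<base>[0-9a-f]{16}):(?P<bytes>(?:\s[0-9a-f]{2}){16})\s*$")


def parse_kasan_report(text):
    """Extract the structured fields of a KASAN report into a dict."""
    info = {"shadow": {}}
    for raw in text.splitlines():
        line = _TS.sub("", raw).strip()
        m = _SHADOW_ROW.match(line)
        if m:
            info["shadow"][int(m["base"], 16)] = [int(b, 16) for b in m["bytes"].split()]
        elif _BUG.search(line):
            m = _BUG.search(line)
            info.update(kind=m["kind"], func=m["func"], func_off=int(m["off"], 16), func_size=int(m["size"], 16))
        elif _ACCESS.search(line):
            m = _ACCESS.search(line)
            info.update(rw=m["rw"], access_size=int(m["size"]), addr=int(m["addr"], 16), comm=m["comm"], pid=int(m["pid"]))
        elif _OBJECT.search(line):
            info["obj"] = int(_OBJECT.search(line)["obj"], 16)
        elif _CACHE.search(line):
            m = _CACHE.search(line)
            info.update(cache=m["cache"], obj_size=int(m["size"]))
        elif _WHERE.search(line):
            m = _WHERE.search(line)
            info.update(reported_dist=int(m["dist"]), reported_rel=m["rel"])
        elif _REGION.search(line):
            m = _REGION.search(line)
            info["region"] = (int(m["lo"], 16), int(m["hi"], 16))
    return info


def shadow_byte_for(info, addr):
    """Shadow byte covering addr, from the printed rows; None if that row is absent."""
    row_span = SHADOW_SCALE * SHADOW_BYTES_PER_ROW      # 128 bytes of memory per row
    row = info["shadow"].get(addr - addr % row_span)
    return None if row is None else row[(addr % row_span) // SHADOW_SCALE]


def describe_shadow(b):
    if b is None:
        return "no shadow row printed"
    if b == 0:
        return "addressable"
    if 1 <= b <= 7:
        return "partially addressable (first %d bytes)" % b
    return KASAN_POISON.get(b, "unknown poison 0x%02x" % b)


def triage(info):
    """syzbot-style title plus consistency checks a triager would do by hand."""
    offset = info["addr"] - info["obj"]
    end = info["addr"] + info["access_size"] - 1
    # The report's "located N bytes inside of" and region bounds must agree
    # with addr - object base and object base + cache object size.
    consistent = (info["reported_rel"] == "inside of" and offset == info["reported_dist"]
                  and info["region"] == (info["obj"], info["obj"] + info["obj_size"]))
    # If every shadow byte of the object slot is slab redzone, nothing is
    # allocated there: the access went through a stale or wrong pointer.
    slot = [shadow_byte_for(info, a) for a in range(info["obj"], info["obj"] + info["obj_size"], SHADOW_SCALE)]
    return {
        "title": "KASAN: %s %s in %s" % (info["kind"], info["rw"], info["func"]),
        "offset_in_object": offset,
        "report_consistent": consistent,
        "shadow_first": describe_shadow(shadow_byte_for(info, info["addr"])),
        "shadow_last": describe_shadow(shadow_byte_for(info, end)),
        "object_slot_is_all_redzone": all(b == 0xfc for b in slot),
        "access_straddles_shadow_cells": info["addr"] // SHADOW_SCALE != end // SHADOW_SCALE,
    }


if __name__ == "__main__":
    for key, value in triage(parse_kasan_report(SAMPLE_REPORT)).items():
        print("%-30s %s" % (key, value))
```

For this report the helper yields the title "KASAN: slab-out-of-bounds Read in ip6_xmit", confirms the 24-byte offset and region bounds, and flags the object slot as entirely redzone, which is the detail that moves the bug from "off-by-N past a buffer" to "dereference of a pointer that is not a live object". The title string is exactly what syzbot uses to deduplicate crashes, so reproducing it locally lets a triager match a private fuzzer hit against the public dashboard before opening a report.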