[ ok ] Starting enhanced syslogd: rsyslogd.
[ 17.077525] audit: type=1400 audit(1521115074.340:5): avc: denied { syslog } for pid=4079 comm="rsyslogd" capability=34 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=capability2 permissive=1
Starting mcstransd:
[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting file context maintaining daemon: restorecond.
[ ok ] Starting OpenBSD Secure Shell server: sshd.

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [ 22.647310] audit: type=1400 audit(1521115079.910:6): avc: denied { map } for pid=4219 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
Warning: Permanently added '10.128.10.14' (ECDSA) to the list of known hosts.
[ 28.916521] audit: type=1400 audit(1521115086.180:7): avc: denied { map } for pid=4233 comm="syz-execprog" path="/root/syz-execprog" dev="sda1" ino=16479 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
2018/03/15 11:58:06 parsed 1 programs
2018/03/15 11:58:06 executed programs: 0
[ 29.172059] audit: type=1400 audit(1521115086.435:8): avc: denied { map } for pid=4233 comm="syz-execprog" path="/root/syzkaller-shm021170521" dev="sda1" ino=16482 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:file_t:s0 tclass=file permissive=1
[ 29.187270] IPVS: ftp: loaded support on port[0] = 21
[ 29.456263] IPv6: ADDRCONF(NETDEV_UP): bridge0: link is not ready
[ 29.828544] IPv6: ADDRCONF(NETDEV_UP): bond0: link is not ready
[ 29.834653] 8021q: adding VLAN 0 to HW filter on device bond0
[ 29.873825] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
[ 29.914009] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 29.931521] ==================================================================
[ 29.938954] BUG: KASAN: slab-out-of-bounds in ip6_xmit+0x1f76/0x2260
[ 29.945422] Read of size 8 at addr ffff8801aa59f118 by task syz-executor0/4399
[ 29.952750]
[ 29.954355] CPU: 0 PID: 4399 Comm: syz-executor0 Not tainted 4.16.0-rc5+ #264
[ 29.961609] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 29.970939] Call Trace:
[ 29.973503]  dump_stack+0x194/0x24d
[ 29.977107]  ? arch_local_irq_restore+0x53/0x53
[ 29.981751]  ? show_regs_print_info+0x18/0x18
[ 29.986269]  ? ip6_xmit+0x1f76/0x2260
[ 29.990057]  print_address_description+0x73/0x250
[ 29.994876]  ? ip6_xmit+0x1f76/0x2260
[ 29.998653]  kasan_report+0x23c/0x360
[ 30.002434]  __asan_report_load8_noabort+0x14/0x20
[ 30.007338]  ip6_xmit+0x1f76/0x2260
[ 30.010957]  ? ip6_finish_output2+0x23a0/0x23a0
[ 30.015604]  ? fl6_update_dst+0x127/0x2b0
[ 30.019730]  ? inet6_csk_route_socket+0x691/0xe80
[ 30.024549]  ? trace_hardirqs_off+0x10/0x10
[ 30.028854]  ? lock_acquire+0x1d5/0x580
[ 30.032802]  ? lock_acquire+0x1d5/0x580
[ 30.036760]  ? inet6_csk_xmit+0x114/0x580
[ 30.040886]  ? trace_hardirqs_off+0x10/0x10
[ 30.045188]  ? lock_release+0xa40/0xa40
[ 30.049156]  inet6_csk_xmit+0x2fc/0x580
[ 30.053106]  ? inet6_csk_update_pmtu+0x160/0x160
[ 30.057838]  ? __sk_dst_check+0x1a5/0x380
[ 30.061965]  ? sock_kfree_s+0x60/0x60
[ 30.065759]  l2tp_xmit_skb+0x105f/0x1410
[ 30.069807]  ? l2tp_session_create+0xb80/0xb80
[ 30.074365]  ? sock_wmalloc+0x15d/0x1d0
[ 30.078317]  ? iov_iter_advance+0x13f0/0x13f0
[ 30.082789]  ? pppol2tp_sendmsg+0x41b/0x670
[ 30.087101]  pppol2tp_sendmsg+0x470/0x670
[ 30.091229]  ? selinux_socket_sendmsg+0x36/0x40
[ 30.095876]  ? pppol2tp_getsockopt+0x900/0x900
[ 30.100436]  sock_sendmsg+0xca/0x110
[ 30.104128]  ___sys_sendmsg+0x767/0x8b0
[ 30.108084]  ? copy_msghdr_from_user+0x590/0x590
[ 30.112823]  ? __handle_mm_fault+0x5ba/0x38c0
[ 30.117296]  ? __pmd_alloc+0x4e0/0x4e0
[ 30.121157]  ? trace_hardirqs_off+0x10/0x10
[ 30.125459]  ? selinux_socket_setsockopt+0x80/0x80
[ 30.130368]  ? lock_release+0xa40/0xa40
[ 30.134317]  ? __fget_light+0x2b2/0x3c0
[ 30.138267]  ? fget_raw+0x20/0x20
[ 30.141723]  ? find_held_lock+0x35/0x1d0
[ 30.145776]  __sys_sendmsg+0xe5/0x210
[ 30.149553]  ? __sys_sendmsg+0xe5/0x210
[ 30.153505]  ? SyS_shutdown+0x290/0x290
[ 30.157462]  ? compat_SyS_futex+0x288/0x380
[ 30.161785]  compat_SyS_sendmsg+0x2a/0x40
[ 30.165912]  ? compat_SyS_getsockopt+0x420/0x420
[ 30.170648]  do_fast_syscall_32+0x3ec/0xf9f
[ 30.174951]  ? do_int80_syscall_32+0x9c0/0x9c0
[ 30.179510]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 30.184245]  ? syscall_return_slowpath+0x2ac/0x550
[ 30.189150]  ? prepare_exit_to_usermode+0x350/0x350
[ 30.194143]  ? sysret32_from_system_call+0x5/0x3c
[ 30.198967]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 30.203792]  entry_SYSENTER_compat+0x70/0x7f
[ 30.208174] RIP: 0023:0xf7f60c99
[ 30.211511] RSP: 002b:00000000ffc4a4bc EFLAGS: 00000286 ORIG_RAX: 0000000000000172
[ 30.219193] RAX: ffffffffffffffda RBX: 0000000000000004 RCX: 000000002037ffc8
[ 30.226439] RDX: 0000000000000081 RSI: 0000000000000000 RDI: 0000000000000000
[ 30.233685] RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
[ 30.240934] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
[ 30.248178] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[ 30.255447]
[ 30.257058] Allocated by task 0:
[ 30.260396] (stack is not available)
[ 30.264079]
[ 30.265681] Freed by task 0:
[ 30.268668] (stack is not available)
[ 30.272352]
[ 30.273956] The buggy address belongs to the object at ffff8801aa59f100
[ 30.273956]  which belongs to the cache ip_dst_cache of size 168
[ 30.286673] The buggy address is located 24 bytes inside of
[ 30.286673]  168-byte region [ffff8801aa59f100, ffff8801aa59f1a8)
[ 30.298433] The buggy address belongs to the page:
[ 30.303336] page:ffffea0006a967c0 count:1 mapcount:0 mapping:ffff8801aa59f000 index:0x0
[ 30.311452] flags: 0x2fffc0000000100(slab)
[ 30.315658] raw: 02fffc0000000100 ffff8801aa59f000 0000000000000000 0000000100000010
[ 30.323512] raw: ffffea0006c52ae0 ffff8801d5b9ad48 ffff8801d5b99800 0000000000000000
[ 30.331362] page dumped because: kasan: bad access detected
[ 30.337048]
[ 30.338647] Memory state around the buggy address:
[ 30.343547]  ffff8801aa59f000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 30.350888]  ffff8801aa59f080: 00 00 00 00 00 fc fc fc fc fc fc fc fc fc fc fc
[ 30.358220] >ffff8801aa59f100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 30.365551]                             ^
[ 30.369670]  ffff8801aa59f180: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 30.377004]  ffff8801aa59f200: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 30.384342] ==================================================================
[ 30.391678] Disabling lock debugging due to kernel taint
[ 30.397139] Kernel panic - not syncing: panic_on_warn set ...
[ 30.397139]
[ 30.404490] CPU: 0 PID: 4399 Comm: syz-executor0 Tainted: G    B            4.16.0-rc5+ #264
[ 30.413039] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 30.422366] Call Trace:
[ 30.424939]  dump_stack+0x194/0x24d
[ 30.428541]  ? arch_local_irq_restore+0x53/0x53
[ 30.433183]  ? kasan_end_report+0x32/0x50
[ 30.437303]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 30.442030]  ? vsnprintf+0x1ed/0x1900
[ 30.445803]  ? ip6_xmit+0x1f30/0x2260
[ 30.449574]  panic+0x1e4/0x41c
[ 30.452739]  ? refcount_error_report+0x214/0x214
[ 30.457467]  ? add_taint+0x1c/0x50
[ 30.460977]  ? add_taint+0x1c/0x50
[ 30.464489]  ? ip6_xmit+0x1f76/0x2260
[ 30.468259]  kasan_end_report+0x50/0x50
[ 30.472201]  kasan_report+0x149/0x360
[ 30.475974]  __asan_report_load8_noabort+0x14/0x20
[ 30.480876]  ip6_xmit+0x1f76/0x2260
[ 30.484481]  ? ip6_finish_output2+0x23a0/0x23a0
[ 30.489121]  ? fl6_update_dst+0x127/0x2b0
[ 30.493240]  ? inet6_csk_route_socket+0x691/0xe80
[ 30.498059]  ? trace_hardirqs_off+0x10/0x10
[ 30.502352]  ? lock_acquire+0x1d5/0x580
[ 30.506296]  ? lock_acquire+0x1d5/0x580
[ 30.510241]  ? inet6_csk_xmit+0x114/0x580
[ 30.514368]  ? trace_hardirqs_off+0x10/0x10
[ 30.518660]  ? lock_release+0xa40/0xa40
[ 30.522612]  inet6_csk_xmit+0x2fc/0x580
[ 30.526563]  ? inet6_csk_update_pmtu+0x160/0x160
[ 30.531289]  ? __sk_dst_check+0x1a5/0x380
[ 30.535407]  ? sock_kfree_s+0x60/0x60
[ 30.539187]  l2tp_xmit_skb+0x105f/0x1410
[ 30.543223]  ? l2tp_session_create+0xb80/0xb80
[ 30.547777]  ? sock_wmalloc+0x15d/0x1d0
[ 30.551723]  ? iov_iter_advance+0x13f0/0x13f0
[ 30.556197]  ? pppol2tp_sendmsg+0x41b/0x670
[ 30.560491]  pppol2tp_sendmsg+0x470/0x670
[ 30.564610]  ? selinux_socket_sendmsg+0x36/0x40
[ 30.569258]  ? pppol2tp_getsockopt+0x900/0x900
[ 30.573811]  sock_sendmsg+0xca/0x110
[ 30.577495]  ___sys_sendmsg+0x767/0x8b0
[ 30.581442]  ? copy_msghdr_from_user+0x590/0x590
[ 30.586172]  ? __handle_mm_fault+0x5ba/0x38c0
[ 30.590642]  ? __pmd_alloc+0x4e0/0x4e0
[ 30.594500]  ? trace_hardirqs_off+0x10/0x10
[ 30.598791]  ? selinux_socket_setsockopt+0x80/0x80
[ 30.603690]  ? lock_release+0xa40/0xa40
[ 30.607637]  ? __fget_light+0x2b2/0x3c0
[ 30.611585]  ? fget_raw+0x20/0x20
[ 30.615127]  ? find_held_lock+0x35/0x1d0
[ 30.619170]  __sys_sendmsg+0xe5/0x210
[ 30.622960]  ? __sys_sendmsg+0xe5/0x210
[ 30.626906]  ? SyS_shutdown+0x290/0x290
[ 30.630859]  ? compat_SyS_futex+0x288/0x380
[ 30.635162]  compat_SyS_sendmsg+0x2a/0x40
[ 30.639283]  ? compat_SyS_getsockopt+0x420/0x420
[ 30.644012]  do_fast_syscall_32+0x3ec/0xf9f
[ 30.648323]  ? do_int80_syscall_32+0x9c0/0x9c0
[ 30.652876]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 30.657605]  ? syscall_return_slowpath+0x2ac/0x550
[ 30.662507]  ? prepare_exit_to_usermode+0x350/0x350
[ 30.667496]  ? sysret32_from_system_call+0x5/0x3c
[ 30.672311]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 30.677129]  entry_SYSENTER_compat+0x70/0x7f
[ 30.681508] RIP: 0023:0xf7f60c99
[ 30.684842] RSP: 002b:00000000ffc4a4bc EFLAGS: 00000286 ORIG_RAX: 0000000000000172
[ 30.692532] RAX: ffffffffffffffda RBX: 0000000000000004 RCX: 000000002037ffc8
[ 30.699788] RDX: 0000000000000081 RSI: 0000000000000000 RDI: 0000000000000000
[ 30.707038] RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
[ 30.714281] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
[ 30.721520] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[ 30.729256] Dumping ftrace buffer:
[ 30.732777]    (ftrace buffer empty)
[ 30.736460] Kernel Offset: disabled
[ 30.740060] Rebooting in 86400 seconds..