[?25l[?1c7[ ok 8[?25h[?0c. [....] Starting periodic command scheduler: cron[?25l[?1c7[ ok 8[?25h[?0c. Starting mcstransd: [....] Starting file context maintaining daemon: restorecond[?25l[?1c7[ ok 8[?25h[?0c. [....] Starting OpenBSD Secure Shell server: sshd[?25l[?1c7[ ok 8[?25h[?0c. [ 18.352962] audit: type=1400 audit(1517389797.148:6): avc: denied { map } for pid=4137 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1 Debian GNU/Linux 7 syzkaller ttyS0 Warning: Permanently added '10.128.0.14' (ECDSA) to the list of known hosts. executing program syzkaller login: [ 27.683714] audit: type=1400 audit(1517389806.479:7): avc: denied { map } for pid=4152 comm="syzkaller668857" path="/root/syzkaller668857449" dev="sda1" ino=16481 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1 [ 27.687755] ================================================================== [ 27.687775] BUG: KASAN: stack-out-of-bounds in xfrm_state_find+0x30de/0x3210 [ 27.687781] Read of size 4 at addr ffff8801b37f7940 by task syzkaller668857/4152 [ 27.687783] [ 27.687790] CPU: 1 PID: 4152 Comm: syzkaller668857 Not tainted 4.15.0+ #197 [ 27.687794] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 27.687797] Call Trace: [ 27.687807] dump_stack+0x194/0x257 [ 27.687820] ? arch_local_irq_restore+0x53/0x53 [ 27.687831] ? show_regs_print_info+0x18/0x18 [ 27.687845] ? lock_release+0xa40/0xa40 [ 27.687855] ? xfrm_state_find+0x30de/0x3210 [ 27.687866] print_address_description+0x73/0x250 [ 27.687874] ? xfrm_state_find+0x30de/0x3210 [ 27.687884] kasan_report+0x25b/0x340 [ 27.687899] __asan_report_load4_noabort+0x14/0x20 [ 27.687906] xfrm_state_find+0x30de/0x3210 [ 27.687922] ? debug_check_no_locks_freed+0x3c0/0x3c0 [ 27.687952] ? xfrm_state_afinfo_get_rcu+0x160/0x160 [ 27.687962] ? trace_hardirqs_off+0x10/0x10 [ 27.687981] ? find_held_lock+0x35/0x1d0 [ 27.687991] ? check_noncircular+0x20/0x20 [ 27.688015] ? lock_downgrade+0x980/0x980 [ 27.688046] ? debug_check_no_locks_freed+0x3c0/0x3c0 [ 27.688060] ? is_bpf_text_address+0x7b/0x120 [ 27.688075] ? print_irqtrace_events+0x270/0x270 [ 27.688095] ? depot_save_stack+0x3b5/0x490 [ 27.688105] ? lock_downgrade+0x980/0x980 [ 27.688118] ? lock_release+0xa40/0xa40 [ 27.688135] ? __lock_acquire+0x664/0x3e00 [ 27.688148] ? _raw_spin_unlock_irqrestore+0x31/0xba [ 27.688159] ? trace_hardirqs_on_caller+0x421/0x5c0 [ 27.688172] xfrm_tmpl_resolve+0x2ee/0xc40 [ 27.688206] ? __xfrm_decode_session+0x110/0x110 [ 27.688211] ? find_held_lock+0x35/0x1d0 [ 27.688233] ? rt_add_uncached_list+0x1b7/0x240 [ 27.688242] ? lock_downgrade+0x980/0x980 [ 27.688255] ? lock_release+0xa40/0xa40 [ 27.688264] ? check_noncircular+0x20/0x20 [ 27.688280] xfrm_resolve_and_create_bundle+0x172/0x2760 [ 27.688290] ? rt_add_uncached_list+0x1b7/0x240 [ 27.688299] ? check_noncircular+0x20/0x20 [ 27.688311] ? _raw_spin_unlock_bh+0x30/0x40 [ 27.688319] ? rt_add_uncached_list+0x1b7/0x240 [ 27.688337] ? xfrm_tmpl_resolve+0xc40/0xc40 [ 27.688348] ? find_held_lock+0x35/0x1d0 [ 27.688367] ? xfrm_sk_policy_lookup+0x34c/0x4e0 [ 27.688377] ? lock_downgrade+0x980/0x980 [ 27.688390] ? lock_release+0xa40/0xa40 [ 27.688402] ? refcount_inc_not_zero+0xfe/0x180 [ 27.688416] ? selinux_xfrm_policy_lookup+0xac/0xd0 [ 27.688428] ? security_xfrm_policy_lookup+0x92/0xc0 [ 27.688443] ? xfrm_sk_policy_lookup+0x375/0x4e0 [ 27.688459] ? xfrm_selector_match+0xe00/0xe00 [ 27.688480] xfrm_lookup+0xfcb/0x25d0 [ 27.688487] ? xfrm_lookup+0xfcb/0x25d0 [ 27.688497] ? check_noncircular+0x20/0x20 [ 27.688514] ? xfrm_policy_lookup+0x70/0x70 [ 27.688524] ? get_kernel_page+0x110/0x110 [ 27.688542] ? find_held_lock+0x35/0x1d0 [ 27.688562] ? ip_route_output_key_hash+0x229/0x370 [ 27.688571] ? lock_downgrade+0x980/0x980 [ 27.688577] ? kasan_kmalloc+0xad/0xe0 [ 27.688589] ? lock_release+0xa40/0xa40 [ 27.688603] ? find_held_lock+0x35/0x1d0 [ 27.688630] ? ip_route_output_key_hash+0x252/0x370 [ 27.688641] ? ip_route_output_key_hash_rcu+0x2f20/0x2f20 [ 27.688647] ? lock_release+0xa40/0xa40 [ 27.688666] xfrm_lookup_route+0x39/0x1a0 [ 27.688680] ip_route_output_flow+0x7c/0xa0 [ 27.688693] raw_sendmsg+0xcf2/0x3cf0 [ 27.688727] ? raw_setsockopt+0xd0/0xd0 [ 27.688733] ? avc_has_perm+0x35e/0x680 [ 27.688742] ? lock_downgrade+0x980/0x980 [ 27.688756] ? lock_release+0xa40/0xa40 [ 27.688763] ? do_huge_pmd_anonymous_page+0xb21/0x1b00 [ 27.688785] ? __lock_acquire+0x664/0x3e00 [ 27.688800] ? avc_has_perm+0x43e/0x680 [ 27.688815] ? avc_has_perm_noaudit+0x520/0x520 [ 27.688828] ? debug_check_no_locks_freed+0x3c0/0x3c0 [ 27.688836] ? debug_check_no_locks_freed+0x3c0/0x3c0 [ 27.688844] ? find_held_lock+0x35/0x1d0 [ 27.688871] ? find_held_lock+0x35/0x1d0 [ 27.688894] ? sock_has_perm+0x2a4/0x420 [ 27.688907] ? selinux_secmark_relabel_packet+0xc0/0xc0 [ 27.688914] ? lock_release+0x9a2/0xa40 [ 27.688922] ? trace_event_raw_event_sched_switch+0x800/0x800 [ 27.688931] ? __check_object_size+0x25d/0x4f0 [ 27.688938] ? avc_has_perm+0x43e/0x680 [ 27.688952] inet_sendmsg+0x11f/0x5e0 [ 27.688959] ? __might_sleep+0x95/0x190 [ 27.688968] ? inet_recvmsg+0x5f0/0x5f0 [ 27.688979] ? selinux_socket_sendmsg+0x36/0x40 [ 27.688988] ? security_socket_sendmsg+0x89/0xb0 [ 27.688995] ? inet_recvmsg+0x5f0/0x5f0 [ 27.689007] sock_sendmsg+0xca/0x110 [ 27.689019] SYSC_sendto+0x361/0x5c0 [ 27.689033] ? SYSC_connect+0x4a0/0x4a0 [ 27.689047] ? find_held_lock+0x35/0x1d0 [ 27.689075] ? lock_downgrade+0x980/0x980 [ 27.689096] ? handle_mm_fault+0x410/0x8d0 [ 27.689102] ? down_read_trylock+0xdb/0x170 [ 27.689109] ? __do_page_fault+0x32d/0xc90 [ 27.689134] ? up_read+0x1a/0x40 [ 27.689142] ? __do_page_fault+0x3d6/0xc90 [ 27.689164] SyS_sendto+0x40/0x50 [ 27.689174] ? SyS_getpeername+0x30/0x30 [ 27.689184] do_fast_syscall_32+0x3ee/0xf9d [ 27.689203] ? do_int80_syscall_32+0x9d0/0x9d0 [ 27.689211] ? kasan_check_read+0x11/0x20 [ 27.689223] ? syscall_return_slowpath+0x550/0x550 [ 27.689234] ? SyS_rt_sigaction+0x94/0x1b0 [ 27.689244] ? SyS_sigprocmask+0x4b0/0x4b0 [ 27.689250] ? SyS_read+0x184/0x220 [ 27.689258] ? retint_user+0x18/0x18 [ 27.689274] ? trace_hardirqs_off_thunk+0x1a/0x1c [ 27.689292] entry_SYSENTER_compat+0x54/0x63 [ 27.689298] RIP: 0023:0xf7fecc79 [ 27.689302] RSP: 002b:00000000ffadc46c EFLAGS: 00000286 ORIG_RAX: 0000000000000171 [ 27.689310] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000020098000 [ 27.689314] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000020cf9000 [ 27.689318] RBP: 0000000000000010 R08: 0000000000000000 R09: 0000000000000000 [ 27.689321] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000 [ 27.689325] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000 [ 27.689353] [ 27.689355] The buggy address belongs to the page: [ 27.689361] page:ffffea0006cdfdc0 count:0 mapcount:0 mapping: (null) index:0x0 [ 27.689367] flags: 0x2fffc0000000000() [ 27.689376] raw: 02fffc0000000000 0000000000000000 0000000000000000 00000000ffffffff [ 27.689383] raw: 0000000000000000 0000000100000001 0000000000000000 0000000000000000 [ 27.689386] page dumped because: kasan: bad access detected [ 27.689388] [ 27.689390] Memory state around the buggy address: [ 27.689395] ffff8801b37f7800: f2 f2 f2 f2 f2 00 00 00 f2 f2 f2 f2 f2 00 00 00 [ 27.689400] ffff8801b37f7880: 00 f2 f2 f2 f2 00 00 00 00 00 00 f2 f2 f2 f2 f2 [ 27.689404] >ffff8801b37f7900: f2 00 00 00 00 00 00 00 f2 f2 f2 f2 f2 00 00 00 [ 27.689408] ^ [ 27.689412] ffff8801b37f7980: 00 00 00 00 00 00 f2 f2 f2 00 00 00 00 00 00 00 [ 27.689417] ffff8801b37f7a00: 00 00 00 00 00 00 00 f1 f1 f1 f1 00 f2 f2 f2 f3 [ 27.689420] ================================================================== [ 27.689422] Disabling lock debugging due to kernel taint [ 27.689442] Kernel panic - not syncing: panic_on_warn set ... [ 27.689442] [ 27.689448] CPU: 1 PID: 4152 Comm: syzkaller668857 Tainted: G B 4.15.0+ #197 [ 27.689451] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 27.689453] Call Trace: [ 27.689460] dump_stack+0x194/0x257 [ 27.689469] ? arch_local_irq_restore+0x53/0x53 [ 27.689474] ? kasan_end_report+0x32/0x50 [ 27.689482] ? trace_hardirqs_on_thunk+0x1a/0x1c [ 27.689489] ? vsnprintf+0x1ed/0x1900 [ 27.689496] ? xfrm_state_find+0x30a0/0x3210 [ 27.689504] panic+0x1e4/0x41c [ 27.689510] ? refcount_error_report+0x214/0x214 [ 27.689520] ? add_taint+0x1c/0x50 [ 27.689526] ? add_taint+0x1c/0x50 [ 27.689535] ? xfrm_state_find+0x30de/0x3210 [ 27.689542] kasan_end_report+0x50/0x50 [ 27.689548] kasan_report+0x144/0x340 [ 27.689558] __asan_report_load4_noabort+0x14/0x20 [ 27.689564] xfrm_state_find+0x30de/0x3210 [ 27.689575] ? debug_check_no_locks_freed+0x3c0/0x3c0 [ 27.689593] ? xfrm_state_afinfo_get_rcu+0x160/0x160 [ 27.689600] ? trace_hardirqs_off+0x10/0x10 [ 27.689612] ? find_held_lock+0x35/0x1d0 [ 27.689619] ? check_noncircular+0x20/0x20 [ 27.689631] ? lock_downgrade+0x980/0x980 [ 27.689649] ? debug_check_no_locks_freed+0x3c0/0x3c0 [ 27.689656] ? is_bpf_text_address+0x7b/0x120 [ 27.689666] ? print_irqtrace_events+0x270/0x270 [ 27.689678] ? depot_save_stack+0x3b5/0x490 [ 27.689685] ? lock_downgrade+0x980/0x980 [ 27.689694] ? lock_release+0xa40/0xa40 [ 27.689705] ? __lock_acquire+0x664/0x3e00 [ 27.689713] ? _raw_spin_unlock_irqrestore+0x31/0xba [ 27.689722] ? trace_hardirqs_on_caller+0x421/0x5c0 [ 27.689730] xfrm_tmpl_resolve+0x2ee/0xc40 [ 27.689749] ? __xfrm_decode_session+0x110/0x110 [ 27.689754] ? find_held_lock+0x35/0x1d0 [ 27.689766] ? rt_add_uncached_list+0x1b7/0x240 [ 27.689774] ? lock_downgrade+0x980/0x980 [ 27.689783] ? lock_release+0xa40/0xa40 [ 27.689789] ? check_noncircular+0x20/0x20 [ 27.689800] xfrm_resolve_and_create_bundle+0x172/0x2760 [ 27.689807] ? rt_add_uncached_list+0x1b7/0x240 [ 27.689814] ? check_noncircular+0x20/0x20 [ 27.689822] ? _raw_spin_unlock_bh+0x30/0x40 [ 27.689829] ? rt_add_uncached_list+0x1b7/0x240 [ 27.689840] ? xfrm_tmpl_resolve+0xc40/0xc40 [ 27.689848] ? find_held_lock+0x35/0x1d0 [ 27.689859] ? xfrm_sk_policy_lookup+0x34c/0x4e0 [ 27.689867] ? lock_downgrade+0x980/0x980 [ 27.689876] ? lock_release+0xa40/0xa40 [ 27.689884] ? refcount_inc_not_zero+0xfe/0x180 [ 27.689893] ? selinux_xfrm_policy_lookup+0xac/0xd0 [ 27.689900] ? security_xfrm_policy_lookup+0x92/0xc0 [ 27.689910] ? xfrm_sk_policy_lookup+0x375/0x4e0 [ 27.689920] ? xfrm_selector_match+0xe00/0xe00 [ 27.689932] xfrm_lookup+0xfcb/0x25d0 [ 27.689938] ? xfrm_lookup+0xfcb/0x25d0 [ 27.689946] ? check_noncircular+0x20/0x20 [ 27.689956] ? xfrm_policy_lookup+0x70/0x70 [ 27.689963] ? get_kernel_page+0x110/0x110 [ 27.689974] ? find_held_lock+0x35/0x1d0 [ 27.689987] ? ip_route_output_key_hash+0x229/0x370 [ 27.689994] ? lock_downgrade+0x980/0x980 [ 27.689999] ? kasan_kmalloc+0xad/0xe0 [ 27.690012] ? lock_release+0xa40/0xa40 [ 27.690022] ? find_held_lock+0x35/0x1d0 [ 27.690037] ? ip_route_output_key_hash+0x252/0x370 [ 27.690046] ? ip_route_output_key_hash_rcu+0x2f20/0x2f20 [ 27.690052] ? lock_release+0xa40/0xa40 [ 27.690068] xfrm_lookup_route+0x39/0x1a0 [ 27.690077] ip_route_output_flow+0x7c/0xa0 [ 27.690085] raw_sendmsg+0xcf2/0x3cf0 [ 27.690105] ? raw_setsockopt+0xd0/0xd0 [ 27.690110] ? avc_has_perm+0x35e/0x680 [ 27.690117] ? lock_downgrade+0x980/0x980 [ 27.690126] ? lock_release+0xa40/0xa40 [ 27.690132] ? do_huge_pmd_anonymous_page+0xb21/0x1b00 [ 27.690146] ? __lock_acquire+0x664/0x3e00 [ 27.690156] ? avc_has_perm+0x43e/0x680 [ 27.690166] ? avc_has_perm_noaudit+0x520/0x520 [ 27.690175] ? debug_check_no_locks_freed+0x3c0/0x3c0 [ 27.690182] ? debug_check_no_locks_freed+0x3c0/0x3c0 [ 27.690188] ? find_held_lock+0x35/0x1d0 [ 27.690204] ? find_held_lock+0x35/0x1d0 [ 27.690217] ? sock_has_perm+0x2a4/0x420 [ 27.690226] ? selinux_secmark_relabel_packet+0xc0/0xc0 [ 27.690232] ? lock_release+0x9a2/0xa40 [ 27.690239] ? trace_event_raw_event_sched_switch+0x800/0x800 [ 27.690245] ? __check_object_size+0x25d/0x4f0 [ 27.690251] ? avc_has_perm+0x43e/0x680 [ 27.690260] inet_sendmsg+0x11f/0x5e0 [ 27.690266] ? __might_sleep+0x95/0x190 [ 27.690273] ? inet_recvmsg+0x5f0/0x5f0 [ 27.690282] ? selinux_socket_sendmsg+0x36/0x40 [ 27.690288] ? security_socket_sendmsg+0x89/0xb0 [ 27.690295] ? inet_recvmsg+0x5f0/0x5f0 [ 27.690302] sock_sendmsg+0xca/0x110 [ 27.690310] SYSC_sendto+0x361/0x5c0 [ 27.690320] ? SYSC_connect+0x4a0/0x4a0 [ 27.690329] ? find_held_lock+0x35/0x1d0 [ 27.690344] ? lock_downgrade+0x980/0x980 [ 27.690356] ? handle_mm_fault+0x410/0x8d0 [ 27.690362] ? down_read_trylock+0xdb/0x170 [ 27.690367] ? __do_page_fault+0x32d/0xc90 [ 27.690382] ? up_read+0x1a/0x40 [ 27.690389] ? __do_page_fault+0x3d6/0xc90 [ 27.690402] SyS_sendto+0x40/0x50 [ 27.690409] ? SyS_getpeername+0x30/0x30 [ 27.690417] do_fast_syscall_32+0x3ee/0xf9d [ 27.690429] ? do_int80_syscall_32+0x9d0/0x9d0 [ 27.690435] ? kasan_check_read+0x11/0x20 [ 27.690443] ? syscall_return_slowpath+0x550/0x550 [ 27.690451] ? SyS_rt_sigaction+0x94/0x1b0 [ 27.690459] ? SyS_sigprocmask+0x4b0/0x4b0 [ 27.690464] ? SyS_read+0x184/0x220 [ 27.690471] ? retint_user+0x18/0x18 [ 27.690482] ? trace_hardirqs_off_thunk+0x1a/0x1c [ 27.690493] entry_SYSENTER_compat+0x54/0x63 [ 27.690497] RIP: 0023:0xf7fecc79 [ 27.690500] RSP: 002b:00000000ffadc46c EFLAGS: 00000286 ORIG_RAX: 0000000000000171 [ 27.690506] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000020098000 [ 27.690509] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000020cf9000 [ 27.690513] RBP: 0000000000000010 R08: 0000000000000000 R09: 0000000000000000 [ 27.690516] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000 [ 27.690519] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000 [ 27.710003] Dumping ftrace buffer: [ 27.710007] (ftrace buffer empty) [ 27.710010] Kernel Offset: disabled [ 28.954996] Rebooting in 86400 seconds..