[ ok ] Starting enhanced syslogd: rsyslogd.
[ ok ] Starting periodic command scheduler: cron.
Starting mcstransd:
[ ok ] Starting file context maintaining daemon: restorecond.
[ ok ] Starting OpenBSD Secure Shell server: sshd.
[ 18.569534] audit: type=1400 audit(1520960939.680:6): avc: denied { map } for pid=4234 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1

Debian GNU/Linux 7 syzkaller ttyS0

Warning: Permanently added '10.128.0.55' (ECDSA) to the list of known hosts.

syzkaller login: [ 41.503375] audit: type=1400 audit(1520960962.614:7): avc: denied { map } for pid=4252 comm="syzkaller348359" path="/root/syzkaller348359971" dev="sda1" ino=16481 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
[ 41.511925] IPVS: ftp: loaded support on port[0] = 21
net.ipv6.conf.syz_tun.accept_dad = 0
net.ipv6.conf.syz_tun.router_solicitations = 0
[ 41.529367] audit: type=1400 audit(1520960962.614:8): avc: denied { sys_admin } for pid=4252 comm="syzkaller348359" capability=21 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=cap_userns permissive=1
[ 41.558894] audit: type=1400 audit(1520960962.645:9): avc: denied { net_admin } for pid=4253 comm="syzkaller348359" capability=12 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=cap_userns permissive=1
RTNETLINK answers: File exists
RTNETLINK answers: Operation not supported
RTNETLINK answers: No buffer space available
RTNETLINK answers: Operation not supported
RTNETLINK answers: Operation not supported
[ 41.768914] IPv6: ADDRCONF(NETDEV_UP): bridge0: link is not ready
RTNETLINK answers: Operation not supported
RTNETLINK answers: Operation not supported
RTNETLINK answers: Invalid argument
RTNETLINK answers: Invalid argument
RTNETLINK answers: Invalid argument
[ 42.099794] IPv6: ADDRCONF(NETDEV_UP): bond0: link is not ready
[ 42.105887] 8021q: adding VLAN 0 to HW filter on device bond0
executing program
[ 42.140892] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
[ 42.176623] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 42.190442] audit: type=1400 audit(1520960963.301:10): avc: denied { sys_chroot } for pid=4253 comm="syzkaller348359" capability=18 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=cap_userns permissive=1
[ 42.193110] ==================================================================
[ 42.222367] BUG: KASAN: slab-out-of-bounds in ip6_xmit+0x1f76/0x2260
[ 42.228827] Read of size 8 at addr ffff8801c21d3318 by task syzkaller348359/4253
[ 42.236328]
[ 42.237928] CPU: 1 PID: 4253 Comm: syzkaller348359 Not tainted 4.16.0-rc5+ #352
[ 42.245342] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 42.254663] Call Trace:
[ 42.257225]  dump_stack+0x194/0x24d
[ 42.260824]  ? arch_local_irq_restore+0x53/0x53
[ 42.265477]  ? show_regs_print_info+0x18/0x18
[ 42.269948]  ? ip6_xmit+0x1f76/0x2260
[ 42.273723]  print_address_description+0x73/0x250
[ 42.278535]  ? ip6_xmit+0x1f76/0x2260
[ 42.282308]  kasan_report+0x23c/0x360
[ 42.286086]  __asan_report_load8_noabort+0x14/0x20
[ 42.290984]  ip6_xmit+0x1f76/0x2260
[ 42.294596]  ? ip6_finish_output2+0x23a0/0x23a0
[ 42.299589]  ? fl6_update_dst+0x127/0x2b0
[ 42.303711]  ? inet6_csk_route_socket+0x691/0xe80
[ 42.308528]  ? trace_hardirqs_off+0x10/0x10
[ 42.312819]  ? lock_acquire+0x1d5/0x580
[ 42.316760]  ? lock_acquire+0x1d5/0x580
[ 42.320701]  ? inet6_csk_xmit+0x114/0x580
[ 42.324818]  ? trace_hardirqs_off+0x10/0x10
[ 42.329111]  ? lock_release+0xa40/0xa40
[ 42.333080]  inet6_csk_xmit+0x2fc/0x580
[ 42.337027]  ? inet6_csk_update_pmtu+0x160/0x160
[ 42.341753]  ? __sk_dst_check+0x1a5/0x380
[ 42.345873]  ? sock_kfree_s+0x60/0x60
[ 42.349660]  l2tp_xmit_skb+0x105f/0x1410
[ 42.353699]  ? l2tp_session_create+0xb80/0xb80
[ 42.358250]  ? sock_wmalloc+0x15d/0x1d0
[ 42.362198]  ? iov_iter_advance+0x13f0/0x13f0
[ 42.366667]  ? pppol2tp_sendmsg+0x41b/0x670
[ 42.370961]  pppol2tp_sendmsg+0x470/0x670
[ 42.375082]  ? selinux_socket_sendmsg+0x36/0x40
[ 42.379722]  ? pppol2tp_getsockopt+0x900/0x900
[ 42.384275]  sock_sendmsg+0xca/0x110
[ 42.387965]  SYSC_sendto+0x361/0x5c0
[ 42.391652]  ? SYSC_connect+0x4a0/0x4a0
[ 42.395604]  ? inet_dgram_connect+0x172/0x1f0
[ 42.400074]  ? SYSC_connect+0x2e0/0x4a0
[ 42.404045]  ? mm_fault_error+0x2c0/0x2c0
[ 42.408162]  ? move_addr_to_kernel+0x60/0x60
[ 42.412544]  SyS_sendto+0x40/0x50
[ 42.415967]  ? SyS_getpeername+0x30/0x30
[ 42.420008]  do_syscall_64+0x281/0x940
[ 42.423869]  ? __do_page_fault+0xc90/0xc90
[ 42.428073]  ? _raw_spin_unlock_irq+0x27/0x70
[ 42.432537]  ? finish_task_switch+0x1c1/0x7e0
[ 42.437002]  ? syscall_return_slowpath+0x550/0x550
[ 42.441900]  ? syscall_return_slowpath+0x2ac/0x550
[ 42.446799]  ? prepare_exit_to_usermode+0x350/0x350
[ 42.451784]  ? entry_SYSCALL_64_after_hwframe+0x52/0xb7
[ 42.457122]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 42.461939]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 42.467097] RIP: 0033:0x442dd9
[ 42.470259] RSP: 002b:00000000007dfe88 EFLAGS: 00000212 ORIG_RAX: 000000000000002c
[ 42.477938] RAX: ffffffffffffffda RBX: 000000000000001a RCX: 0000000000442dd9
[ 42.485177] RDX: 0000000000000000 RSI: 0000000020001180 RDI: 0000000000000004
[ 42.492415] RBP: 00000000004a4c79 R08: 00000000200021c0 R09: 0000000000000080
[ 42.499655] R10: 0000000000040001 R11: 0000000000000212 R12: 00000000007dff70
[ 42.506893] R13: 0000000000403e10 R14: 0000000000000000 R15: 0000000000000000
[ 42.514148]
[ 42.515744] Allocated by task 0:
[ 42.519074] (stack is not available)
[ 42.522752]
[ 42.524347] Freed by task 0:
[ 42.527333] (stack is not available)
[ 42.531011]
[ 42.532607] The buggy address belongs to the object at ffff8801c21d3300
[ 42.532607]  which belongs to the cache ip_dst_cache of size 168
[ 42.545316] The buggy address is located 24 bytes inside of
[ 42.545316]  168-byte region [ffff8801c21d3300, ffff8801c21d33a8)
[ 42.557070] The buggy address belongs to the page:
[ 42.561965] page:ffffea00070874c0 count:1 mapcount:0 mapping:ffff8801c21d3000 index:0xffff8801c21d3e00
[ 42.571376] flags: 0x2fffc0000000100(slab)
[ 42.575580] raw: 02fffc0000000100 ffff8801c21d3000 ffff8801c21d3e00 000000010000000f
[ 42.583430] raw: ffff8801d5b8ab38 ffff8801d5b8ab38 ffff8801d543fe00 0000000000000000
[ 42.591278] page dumped because: kasan: bad access detected
[ 42.596951]
[ 42.598548] Memory state around the buggy address:
[ 42.603444]  ffff8801c21d3200: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 42.610770]  ffff8801c21d3280: 00 00 00 00 00 fc fc fc fc fc fc fc fc fc fc fc
[ 42.618095] >ffff8801c21d3300: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 42.625418]                             ^
[ 42.629531]  ffff8801c21d3380: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 42.636857]  ffff8801c21d3400: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 42.644184] ==================================================================
[ 42.651506] Disabling lock debugging due to kernel taint
[ 42.656960] Kernel panic - not syncing: panic_on_warn set ...
[ 42.656960]
[ 42.664291] CPU: 1 PID: 4253 Comm: syzkaller348359 Tainted: G B 4.16.0-rc5+ #352
[ 42.673020] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 42.682341] Call Trace:
[ 42.684900]  dump_stack+0x194/0x24d
[ 42.688496]  ? arch_local_irq_restore+0x53/0x53
[ 42.693133]  ? kasan_end_report+0x32/0x50
[ 42.697250]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 42.701976]  ? vsnprintf+0x1ed/0x1900
[ 42.705748]  ? ip6_xmit+0x1f30/0x2260
[ 42.709520]  panic+0x1e4/0x41c
[ 42.712682]  ? refcount_error_report+0x214/0x214
[ 42.717406]  ? add_taint+0x1c/0x50
[ 42.720915]  ? add_taint+0x1c/0x50
[ 42.724425]  ? ip6_xmit+0x1f76/0x2260
[ 42.728193]  kasan_end_report+0x50/0x50
[ 42.732135]  kasan_report+0x149/0x360
[ 42.735907]  __asan_report_load8_noabort+0x14/0x20
[ 42.740804]  ip6_xmit+0x1f76/0x2260
[ 42.744404]  ? ip6_finish_output2+0x23a0/0x23a0
[ 42.749041]  ? fl6_update_dst+0x127/0x2b0
[ 42.753157]  ? inet6_csk_route_socket+0x691/0xe80
[ 42.757970]  ? trace_hardirqs_off+0x10/0x10
[ 42.762260]  ? lock_acquire+0x1d5/0x580
[ 42.766200]  ? lock_acquire+0x1d5/0x580
[ 42.770142]  ? inet6_csk_xmit+0x114/0x580
[ 42.774259]  ? trace_hardirqs_off+0x10/0x10
[ 42.778549]  ? lock_release+0xa40/0xa40
[ 42.782499]  inet6_csk_xmit+0x2fc/0x580
[ 42.786440]  ? inet6_csk_update_pmtu+0x160/0x160
[ 42.791161]  ? __sk_dst_check+0x1a5/0x380
[ 42.795278]  ? sock_kfree_s+0x60/0x60
[ 42.799053]  l2tp_xmit_skb+0x105f/0x1410
[ 42.803087]  ? l2tp_session_create+0xb80/0xb80
[ 42.807637]  ? sock_wmalloc+0x15d/0x1d0
[ 42.811580]  ? iov_iter_advance+0x13f0/0x13f0
[ 42.816043]  ? pppol2tp_sendmsg+0x41b/0x670
[ 42.820333]  pppol2tp_sendmsg+0x470/0x670
[ 42.824453]  ? selinux_socket_sendmsg+0x36/0x40
[ 42.829093]  ? pppol2tp_getsockopt+0x900/0x900
[ 42.833643]  sock_sendmsg+0xca/0x110
[ 42.837328]  SYSC_sendto+0x361/0x5c0
[ 42.841009]  ? SYSC_connect+0x4a0/0x4a0
[ 42.844955]  ? inet_dgram_connect+0x172/0x1f0
[ 42.849419]  ? SYSC_connect+0x2e0/0x4a0
[ 42.853374]  ? mm_fault_error+0x2c0/0x2c0
[ 42.857488]  ? move_addr_to_kernel+0x60/0x60
[ 42.861866]  SyS_sendto+0x40/0x50
[ 42.865287]  ? SyS_getpeername+0x30/0x30
[ 42.869319]  do_syscall_64+0x281/0x940
[ 42.873170]  ? __do_page_fault+0xc90/0xc90
[ 42.877373]  ? _raw_spin_unlock_irq+0x27/0x70
[ 42.881834]  ? finish_task_switch+0x1c1/0x7e0
[ 42.886298]  ? syscall_return_slowpath+0x550/0x550
[ 42.891195]  ? syscall_return_slowpath+0x2ac/0x550
[ 42.896092]  ? prepare_exit_to_usermode+0x350/0x350
[ 42.901074]  ? entry_SYSCALL_64_after_hwframe+0x52/0xb7
[ 42.906406]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 42.911218]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 42.916373] RIP: 0033:0x442dd9
[ 42.919532] RSP: 002b:00000000007dfe88 EFLAGS: 00000212 ORIG_RAX: 000000000000002c
[ 42.927204] RAX: ffffffffffffffda RBX: 000000000000001a RCX: 0000000000442dd9
[ 42.934441] RDX: 0000000000000000 RSI: 0000000020001180 RDI: 0000000000000004
[ 42.941676] RBP: 00000000004a4c79 R08: 00000000200021c0 R09: 0000000000000080
[ 42.948913] R10: 0000000000040001 R11: 0000000000000212 R12: 00000000007dff70
[ 42.956153] R13: 0000000000403e10 R14: 0000000000000000 R15: 0000000000000000
[ 42.963737] Dumping ftrace buffer:
[ 42.967245]    (ftrace buffer empty)
[ 42.970925] Kernel Offset: disabled
[ 42.974522] Rebooting in 86400 seconds..