[....] Starting enhanced syslogd: rsyslogd
[   10.507519] audit: type=1400 audit(1513519099.716:5): avc: denied { syslog } for pid=2993 comm="rsyslogd" capability=34 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=capability2 permissive=1
[ ok ] Starting enhanced syslogd: rsyslogd.
[ ok ] Starting periodic command scheduler: cron.
Starting mcstransd:
[ ok ] Starting file context maintaining daemon: restorecond.
[ ok ] Starting OpenBSD Secure Shell server: sshd.

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [   12.606777] audit: type=1400 audit(1513519101.815:6): avc: denied { map } for pid=3132 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
Warning: Permanently added 'ci-upstream-kasan-gce-1,10.128.0.18' (ECDSA) to the list of known hosts.
executing program
[   38.836566] audit: type=1400 audit(1513519128.045:7): avc: denied { map } for pid=3151 comm="syzkaller521347" path="/root/syzkaller521347901" dev="sda1" ino=16481 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
[   38.853630] ==================================================================
[   38.853646] BUG: KASAN: global-out-of-bounds in crypto_chacha20_crypt+0xada/0xbd0
[   38.853650] Read of size 4 at addr ffffffff8747a184 by task kworker/1:0/17
[   38.853651] 
[   38.853657] CPU: 1 PID: 17 Comm: kworker/1:0 Not tainted 4.15.0-rc3+ #225
[   38.853660] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   38.853669] Workqueue: crypto cryptd_queue_worker
[   38.853672] Call Trace:
[   38.853681]  dump_stack+0x194/0x257
[   38.853690]  ? arch_local_irq_restore+0x53/0x53
[   38.853696]  ? show_regs_print_info+0x18/0x18
[   38.853706]  ? unwind_next_frame+0x3e/0x50
[   38.853711]  ? crypto_chacha20_crypt+0xada/0xbd0
[   38.853720]  print_address_description+0x178/0x250
[   38.853725]  ? crypto_chacha20_crypt+0xada/0xbd0
[   38.853731]  kasan_report+0x25b/0x340
[   38.853740]  __asan_report_load4_noabort+0x14/0x20
[   38.853744]  crypto_chacha20_crypt+0xada/0xbd0
[   38.853753]  ? __lock_acquire+0x36c0/0x3e00
[   38.853762]  ? crypto_chacha20_setkey+0xc0/0xc0
[   38.853777]  ? debug_check_no_locks_freed+0x3c0/0x3c0
[   38.853796]  ? find_held_lock+0x35/0x1d0
[   38.853813]  chacha20_simd+0xe4/0x410
[   38.853817]  ? chacha20_simd+0xe4/0x410
[   38.853824]  ? check_noncircular+0x20/0x20
[   38.853829]  ? chacha20_dosimd+0x340/0x340
[   38.853832]  ? lock_acquire+0x1d5/0x580
[   38.853836]  ? lock_acquire+0x1d5/0x580
[   38.853841]  ? pick_next_task_fair+0xdc0/0x16b0
[   38.853846]  ? pick_next_task_fair+0xd99/0x16b0
[   38.853853]  ? check_noncircular+0x20/0x20
[   38.853864]  ? print_irqtrace_events+0x270/0x270
[   38.853872]  ? check_noncircular+0x20/0x20
[   38.853883]  ? lock_acquire+0x1d5/0x580
[   38.853893]  cryptd_skcipher_decrypt+0x2de/0x5a0
[   38.853898]  ? cryptd_skcipher_decrypt+0x2de/0x5a0
[   38.853909]  ? cryptd_skcipher_decrypt+0x21/0x5a0
[   38.853913]  ? trace_hardirqs_on_caller+0x421/0x5c0
[   38.853918]  ? cryptd_queue_worker+0x4f/0x1b0
[   38.853928]  cryptd_queue_worker+0xff/0x1b0
[   38.853937]  process_one_work+0xbf3/0x1bc0
[   38.853942]  ? debug_check_no_locks_freed+0x3c0/0x3c0
[   38.853957]  ? pwq_dec_nr_in_flight+0x450/0x450
[   38.853965]  ? copy_overflow+0x20/0x20
[   38.853982]  ? __schedule+0x8f3/0x2060
[   38.853996]  ? check_noncircular+0x20/0x20
[   38.854008]  ? __wake_up_common_lock+0x1c2/0x310
[   38.854013]  ? lock_downgrade+0x980/0x980
[   38.854025]  ? do_wait_intr_irq+0x3e0/0x3e0
[   38.854042]  ? lock_acquire+0x1d5/0x580
[   38.854046]  ? lock_acquire+0x1d5/0x580
[   38.854050]  ? worker_thread+0x4a3/0x1990
[   38.854056]  ? lock_downgrade+0x980/0x980
[   38.854064]  ? lock_release+0xa40/0xa40
[   38.854070]  ? try_to_del_timer_sync+0xd1/0x120
[   38.854078]  ? do_raw_spin_trylock+0x190/0x190
[   38.854095]  worker_thread+0x223/0x1990
[   38.854118]  ? process_one_work+0x1bc0/0x1bc0
[   38.854126]  ? _raw_spin_unlock_irq+0x27/0x70
[   38.854133]  ? trace_hardirqs_on_caller+0x421/0x5c0
[   38.854139]  ? trace_hardirqs_on+0xd/0x10
[   38.854146]  ? finish_task_switch+0x1d3/0x740
[   38.854150]  ? finish_task_switch+0x1aa/0x740
[   38.854159]  ? copy_overflow+0x20/0x20
[   38.854174]  ? __schedule+0x8f3/0x2060
[   38.854198]  ? find_held_lock+0x35/0x1d0
[   38.854210]  ? find_held_lock+0x35/0x1d0
[   38.854222]  ? complete+0x62/0x80
[   38.854235]  ? __schedule+0x2060/0x2060
[   38.854239]  ? do_wait_intr_irq+0x3e0/0x3e0
[   38.854243]  ? __lockdep_init_map+0xe4/0x650
[   38.854249]  ? do_raw_spin_trylock+0x190/0x190
[   38.854254]  ? lockdep_init_map+0x9/0x10
[   38.854258]  ? _raw_spin_unlock_irqrestore+0x31/0xba
[   38.854265]  ? trace_hardirqs_on_caller+0x421/0x5c0
[   38.854271]  ? trace_hardirqs_on+0xd/0x10
[   38.854276]  ? __kthread_parkme+0x175/0x240
[   38.854284]  kthread+0x33c/0x400
[   38.854289]  ? process_one_work+0x1bc0/0x1bc0
[   38.854292]  ? kthread_stop+0x7a0/0x7a0
[   38.854299]  ret_from_fork+0x24/0x30
[   38.854316] 
[   38.854317] The buggy address belongs to the variable:
[   38.854322]  oops_in_progress+0x4/0x40
[   38.854323] 
[   38.854325] Memory state around the buggy address:
[   38.854329]  ffffffff8747a080: 04 fa fa fa fa fa fa fa 04 fa fa fa fa fa fa fa
[   38.854332]  ffffffff8747a100: 04 fa fa fa fa fa fa fa 00 fa fa fa fa fa fa fa
[   38.854335] >ffffffff8747a180: 04 fa fa fa fa fa fa fa 00 fa fa fa fa fa fa fa
[   38.854337]                    ^
[   38.854340]  ffffffff8747a200: 00 fa fa fa fa fa fa fa 00 fa fa fa fa fa fa fa
[   38.854344]  ffffffff8747a280: 00 fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
[   38.854345] ==================================================================
[   38.854346] Disabling lock debugging due to kernel taint
[   38.854364] Kernel panic - not syncing: panic_on_warn set ...
[   38.854364] 
[   38.854368] CPU: 1 PID: 17 Comm: kworker/1:0 Tainted: G    B            4.15.0-rc3+ #225
[   38.854370] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   38.854374] Workqueue: crypto cryptd_queue_worker
[   38.854377] Call Trace:
[   38.854381]  dump_stack+0x194/0x257
[   38.854387]  ? arch_local_irq_restore+0x53/0x53
[   38.854394]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[   38.854398]  ? vsnprintf+0x1ed/0x1900
[   38.854403]  ? crypto_chacha20_crypt+0xa80/0xbd0
[   38.854407]  panic+0x1e4/0x41c
[   38.854411]  ? refcount_error_report+0x214/0x214
[   38.854417]  ? add_taint+0x1c/0x50
[   38.854421]  ? add_taint+0x1c/0x50
[   38.854426]  ? crypto_chacha20_crypt+0xada/0xbd0
[   38.854430]  kasan_end_report+0x50/0x50
[   38.854434]  kasan_report+0x144/0x340
[   38.854440]  __asan_report_load4_noabort+0x14/0x20
[   38.854444]  crypto_chacha20_crypt+0xada/0xbd0
[   38.854449]  ? __lock_acquire+0x36c0/0x3e00
[   38.854455]  ? crypto_chacha20_setkey+0xc0/0xc0
[   38.854464]  ? debug_check_no_locks_freed+0x3c0/0x3c0
[   38.854476]  ? find_held_lock+0x35/0x1d0
[   38.854485]  chacha20_simd+0xe4/0x410
[   38.854488]  ? chacha20_simd+0xe4/0x410
[   38.854493]  ? check_noncircular+0x20/0x20
[   38.854497]  ? chacha20_dosimd+0x340/0x340
[   38.854500]  ? lock_acquire+0x1d5/0x580
[   38.854503]  ? lock_acquire+0x1d5/0x580
[   38.854507]  ? pick_next_task_fair+0xdc0/0x16b0
[   38.854511]  ? pick_next_task_fair+0xd99/0x16b0
[   38.854516]  ? check_noncircular+0x20/0x20
[   38.854527]  ? print_irqtrace_events+0x270/0x270
[   38.854535]  ? check_noncircular+0x20/0x20
[   38.854547]  ? lock_acquire+0x1d5/0x580
[   38.854556]  cryptd_skcipher_decrypt+0x2de/0x5a0
[   38.854562]  ? cryptd_skcipher_decrypt+0x2de/0x5a0
[   38.854571]  ? cryptd_skcipher_decrypt+0x21/0x5a0
[   38.854576]  ? trace_hardirqs_on_caller+0x421/0x5c0
[   38.854581]  ? cryptd_queue_worker+0x4f/0x1b0
[   38.854589]  cryptd_queue_worker+0xff/0x1b0
[   38.854596]  process_one_work+0xbf3/0x1bc0
[   38.854601]  ? debug_check_no_locks_freed+0x3c0/0x3c0
[   38.854613]  ? pwq_dec_nr_in_flight+0x450/0x450
[   38.854621]  ? copy_overflow+0x20/0x20
[   38.854633]  ? __schedule+0x8f3/0x2060
[   38.854647]  ? check_noncircular+0x20/0x20
[   38.854653]  ? __wake_up_common_lock+0x1c2/0x310
[   38.854657]  ? lock_downgrade+0x980/0x980
[   38.854665]  ? do_wait_intr_irq+0x3e0/0x3e0
[   38.854675]  ? lock_acquire+0x1d5/0x580
[   38.854678]  ? lock_acquire+0x1d5/0x580
[   38.854683]  ? worker_thread+0x4a3/0x1990
[   38.854690]  ? lock_downgrade+0x980/0x980
[   38.854698]  ? lock_release+0xa40/0xa40
[   38.854703]  ? try_to_del_timer_sync+0xd1/0x120
[   38.854711]  ? do_raw_spin_trylock+0x190/0x190
[   38.854728]  worker_thread+0x223/0x1990
[   38.854741]  ? process_one_work+0x1bc0/0x1bc0
[   38.854747]  ? _raw_spin_unlock_irq+0x27/0x70
[   38.854752]  ? trace_hardirqs_on_caller+0x421/0x5c0
[   38.854756]  ? trace_hardirqs_on+0xd/0x10
[   38.854762]  ? finish_task_switch+0x1d3/0x740
[   38.854766]  ? finish_task_switch+0x1aa/0x740
[   38.854772]  ? copy_overflow+0x20/0x20
[   38.854781]  ? __schedule+0x8f3/0x2060
[   38.854795]  ? find_held_lock+0x35/0x1d0
[   38.854802]  ? find_held_lock+0x35/0x1d0
[   38.854810]  ? complete+0x62/0x80
[   38.854818]  ? __schedule+0x2060/0x2060
[   38.854821]  ? do_wait_intr_irq+0x3e0/0x3e0
[   38.854825]  ? __lockdep_init_map+0xe4/0x650
[   38.854830]  ? do_raw_spin_trylock+0x190/0x190
[   38.854834]  ? lockdep_init_map+0x9/0x10
[   38.854837]  ? _raw_spin_unlock_irqrestore+0x31/0xba
[   38.854842]  ? trace_hardirqs_on_caller+0x421/0x5c0
[   38.854847]  ? trace_hardirqs_on+0xd/0x10
[   38.854850]  ? __kthread_parkme+0x175/0x240
[   38.854856]  kthread+0x33c/0x400
[   38.854860]  ? process_one_work+0x1bc0/0x1bc0
[   38.854863]  ? kthread_stop+0x7a0/0x7a0
[   38.854867]  ret_from_fork+0x24/0x30
[   38.862586] Dumping ftrace buffer:
[   38.862590]    (ftrace buffer empty)
[   38.862592] Kernel Offset: disabled
[   39.664676] Rebooting in 86400 seconds..
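Added example (not part of the crash log above, and not syzkaller or kernel code): a small Python triage helper that reads a generic-KASAN report like this one and checks it arithmetically instead of by eye. Two things in the report carry the signal. First, the call trace: frames prefixed with "?" are addresses the unwinder found on the stack but could not confirm as part of the call chain, so the reliable chain here is dump_stack, print_address_description, kasan_report, __asan_report_load4_noabort, crypto_chacha20_crypt, chacha20_simd, cryptd_skcipher_decrypt, cryptd_queue_worker, process_one_work, worker_thread, kthread, ret_from_fork. Second, the shadow dump: in generic KASAN one shadow byte covers an 8-byte granule, 00 means the whole granule is addressable, 01..07 means only the first N bytes are, and fa is the redzone around a global. The granule at ffffffff8747a180 is shadowed by 04, so only its first 4 bytes are valid; a 4-byte read at ffffffff8747a184 starts at granule offset 4 and lands entirely in the redzone. The attribution to oops_in_progress+0x4 only says whose allocation the address sits beside; the log alone does not say why the cipher touched it. The REPORT string is a constructed, abridged excerpt of the report above (timestamps removed, most "?" frames cut), and the poison values are taken from mm/kasan/kasan.h for 4.x generic KASAN.

```python
"""Triage helper for a generic-KASAN report (added example, not kernel or
syzkaller code). Shadow encoding and poison values follow mm/kasan/kasan.h
for 4.x generic KASAN: one shadow byte per 8-byte granule."""
import re

SHADOW_SCALE = 8  # bytes of kernel memory described by one shadow byte

POISON = {  # markers for granules that must never be touched
    0xF1: "stack left redzone",
    0xF3: "stack right redzone",
    0xFA: "global redzone",
    0xFB: "freed slab object",
    0xFC: "slab redzone",
}

# Constructed, abridged excerpt of the report above: dmesg timestamps removed
# and most of the unreliable ("? ") frames cut.
REPORT = """\
BUG: KASAN: global-out-of-bounds in crypto_chacha20_crypt+0xada/0xbd0
Read of size 4 at addr ffffffff8747a184 by task kworker/1:0/17
Call Trace:
 dump_stack+0x194/0x257
 ? arch_local_irq_restore+0x53/0x53
 print_address_description+0x178/0x250
 kasan_report+0x25b/0x340
 __asan_report_load4_noabort+0x14/0x20
 crypto_chacha20_crypt+0xada/0xbd0
 ? crypto_chacha20_setkey+0xc0/0xc0
 chacha20_simd+0xe4/0x410
 cryptd_skcipher_decrypt+0x2de/0x5a0
 cryptd_queue_worker+0xff/0x1b0
 process_one_work+0xbf3/0x1bc0
 worker_thread+0x223/0x1990
 kthread+0x33c/0x400
 ret_from_fork+0x24/0x30

The buggy address belongs to the variable:
 oops_in_progress+0x4/0x40

Memory state around the buggy address:
 ffffffff8747a100: 04 fa fa fa fa fa fa fa 00 fa fa fa fa fa fa fa
>ffffffff8747a180: 04 fa fa fa fa fa fa fa 00 fa fa fa fa fa fa fa
                   ^
 ffffffff8747a200: 00 fa fa fa fa fa fa fa 00 fa fa fa fa fa fa fa
"""

# One shadow row: optional ">" marker, 16-hex-digit address, 16 shadow bytes.
ROW_RE = re.compile(r"^>?\s*([0-9a-f]{16}): ((?:[0-9a-f]{2}\s?){16})\s*$", re.M)


def parse_report(text):
    """Pull out bug type, access, attributed variable, frames and shadow bytes."""
    head = re.search(r"BUG: KASAN: (\S+) in (\S+)", text)
    acc = re.search(r"(Read|Write) of size (\d+) at addr ([0-9a-f]+) by task (\S+)", text)
    var = re.search(r"belongs to the variable:\s*(\S+)", text)
    trace = re.search(r"Call Trace:\n(.*?)\n\n", text, re.S)
    frames = []  # (frame, reliable); "? " marks slots the unwinder could not verify
    for line in (trace.group(1).splitlines() if trace else []):
        line = line.strip()
        frames.append((line[2:], False) if line.startswith("? ") else (line, True))
    shadow = {}  # granule start address -> shadow byte
    for row in ROW_RE.finditer(text):
        base = int(row.group(1), 16)
        for i, byte in enumerate(row.group(2).split()):
            shadow[base + i * SHADOW_SCALE] = int(byte, 16)
    return {"bug_type": head.group(1), "func": head.group(2), "kind": acc.group(1),
            "size": int(acc.group(2)), "addr": int(acc.group(3), 16),
            "variable": var.group(1) if var else None, "frames": frames, "shadow": shadow}


def check_bytes(shadow, addr, size):
    """Classify every byte of an access: shadow 0 = whole granule addressable,
    1..7 = only the first N bytes, anything else = poison. Returns a list of
    (byte address, ok, reason); ok is None when the dump lacks the granule."""
    out = []
    for a in range(addr, addr + size):
        granule = a & ~(SHADOW_SCALE - 1)
        s = shadow.get(granule)
        if s is None:
            out.append((a, None, "granule not in dump"))
        elif s == 0:
            out.append((a, True, "addressable"))
        elif s < SHADOW_SCALE:
            out.append((a, (a - granule) < s, f"only first {s} bytes of granule addressable"))
        else:
            out.append((a, False, POISON.get(s, f"poison 0x{s:02x}")))
    return out


def triage(text):
    """Summarise the report: what faulted, where the bytes landed, clean trace."""
    r = parse_report(text)
    bad = [v for v in check_bytes(r["shadow"], r["addr"], r["size"]) if v[1] is False]
    return {"bug_type": r["bug_type"], "func": r["func"], "variable": r["variable"],
            "access": f'{r["kind"]} of {r["size"]} bytes at 0x{r["addr"]:x}',
            "bad_bytes": len(bad), "reasons": sorted({v[2] for v in bad}),
            "reliable_trace": [f for f, ok in r["frames"] if ok]}
```

Running `triage(REPORT)` on the excerpt reports all four accessed bytes as bad with the reason "only first 4 bytes of granule addressable" and a twelve-frame reliable trace; feeding `check_bytes` an address inside the 04 granule's first four bytes instead returns them as addressable, which is the quick way to confirm you are reading the shadow columns correctly before trusting the tool on a less obvious report.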