[ ok ] Starting enhanced syslogd: rsyslogd.
[ 16.597414] audit: type=1400 audit(1520590071.902:5): avc: denied { syslog } for pid=4039 comm="rsyslogd" capability=34 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=capability2 permissive=1
[ ok ] Starting periodic command scheduler: cron.
Starting mcstransd:
[ ok ] Starting file context maintaining daemon: restorecond.
[ ok ] Starting OpenBSD Secure Shell server: sshd.

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [ 22.750657] audit: type=1400 audit(1520590078.055:6): avc: denied { map } for pid=4178 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
Warning: Permanently added '10.128.0.56' (ECDSA) to the list of known hosts.
net.ipv6.conf.syz_tun.accept_dad = 0
net.ipv6.conf.syz_tun.router_solicitations = 0
[ 29.110967] audit: type=1400 audit(1520590084.415:7): avc: denied { map } for pid=4192 comm="syzkaller190613" path="/root/syzkaller190613250" dev="sda1" ino=16481 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
[ 29.119446] IPVS: ftp: loaded support on port[0] = 21
RTNETLINK answers: File exists
RTNETLINK answers: Operation not supported
RTNETLINK answers: No buffer space available
RTNETLINK answers: Operation not supported
[ 29.398823] IPv6: ADDRCONF(NETDEV_UP): bridge0: link is not ready
RTNETLINK answers: Operation not supported
RTNETLINK answers: Operation not supported
RTNETLINK answers: Operation not supported
RTNETLINK answers: Invalid argument
RTNETLINK answers: Invalid argument
RTNETLINK answers: Invalid argument
[ 29.763749] IPv6: ADDRCONF(NETDEV_UP): bond0: link is not ready
[ 29.769861] 8021q: adding VLAN 0 to HW filter on device bond0
executing program
[ 29.808756] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
[ 29.846629] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 29.856555] ==================================================================
[ 29.863996] BUG: KASAN: slab-out-of-bounds in ip6_xmit+0x1f76/0x2260
[ 29.870467] Read of size 8 at addr ffff8801c2ead618 by task syzkaller190613/4193
[ 29.877970]
[ 29.879586] CPU: 0 PID: 4193 Comm: syzkaller190613 Not tainted 4.16.0-rc4+ #258
[ 29.887002] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 29.896336] Call Trace:
[ 29.898902]  dump_stack+0x194/0x24d
[ 29.902504]  ? arch_local_irq_restore+0x53/0x53
[ 29.907150]  ? show_regs_print_info+0x18/0x18
[ 29.911630]  ? ip6_xmit+0x1f76/0x2260
[ 29.915406]  print_address_description+0x73/0x250
[ 29.920221]  ? ip6_xmit+0x1f76/0x2260
[ 29.923995]  kasan_report+0x23c/0x360
[ 29.927774]  __asan_report_load8_noabort+0x14/0x20
[ 29.932675]  ip6_xmit+0x1f76/0x2260
[ 29.936300]  ? ip6_finish_output2+0x23d0/0x23d0
[ 29.940946]  ? fl6_update_dst+0x127/0x2b0
[ 29.945072]  ? inet6_csk_route_socket+0x691/0xe80
[ 29.949897]  ? trace_hardirqs_off+0x10/0x10
[ 29.954193]  ? lock_acquire+0x1d5/0x580
[ 29.958140]  ? lock_acquire+0x1d5/0x580
[ 29.962087]  ? inet6_csk_xmit+0x114/0x580
[ 29.966214]  ? trace_hardirqs_off+0x10/0x10
[ 29.970513]  ? lock_release+0xa40/0xa40
[ 29.974474]  inet6_csk_xmit+0x2fc/0x580
[ 29.978423]  ? inet6_csk_update_pmtu+0x160/0x160
[ 29.983155]  ? __sk_dst_check+0x1a5/0x380
[ 29.987289]  ? sock_kzfree_s+0x60/0x60
[ 29.991165]  l2tp_xmit_skb+0x105f/0x1410
[ 29.995210]  ? l2tp_session_create+0xb80/0xb80
[ 29.999770]  ? sock_wmalloc+0x15d/0x1d0
[ 30.003722]  ? iov_iter_advance+0x13f0/0x13f0
[ 30.008206]  ? pppol2tp_sendmsg+0x41b/0x670
[ 30.012518]  pppol2tp_sendmsg+0x470/0x670
[ 30.016641]  ? selinux_socket_sendmsg+0x36/0x40
[ 30.021288]  ? pppol2tp_getsockopt+0x900/0x900
[ 30.025846]  sock_sendmsg+0xca/0x110
[ 30.029540]  ___sys_sendmsg+0x767/0x8b0
[ 30.033494]  ? copy_msghdr_from_user+0x590/0x590
[ 30.038231]  ? __pmd_alloc+0x4e0/0x4e0
[ 30.042098]  ? trace_hardirqs_off+0x10/0x10
[ 30.046391]  ? find_held_lock+0x35/0x1d0
[ 30.050433]  ? __fget_light+0x2b2/0x3c0
[ 30.054380]  ? fget_raw+0x20/0x20
[ 30.057824]  ? __do_page_fault+0x5f7/0xc90
[ 30.062050]  ? lock_downgrade+0x980/0x980
[ 30.066183]  __sys_sendmsg+0xe5/0x210
[ 30.069958]  ? __sys_sendmsg+0xe5/0x210
[ 30.073908]  ? SyS_shutdown+0x290/0x290
[ 30.077867]  ? __do_page_fault+0x3d6/0xc90
[ 30.082089]  ? trace_event_raw_event_sys_exit+0x260/0x260
[ 30.087622]  SyS_sendmsg+0x2d/0x50
[ 30.091137]  ? __sys_sendmsg+0x210/0x210
[ 30.095177]  do_syscall_64+0x281/0x940
[ 30.099053]  ? __do_page_fault+0xc90/0xc90
[ 30.103263]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 30.107993]  ? syscall_return_slowpath+0x550/0x550
[ 30.112900]  ? syscall_return_slowpath+0x2ac/0x550
[ 30.117804]  ? prepare_exit_to_usermode+0x350/0x350
[ 30.122795]  ? retint_user+0x18/0x18
[ 30.126488]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 30.131316]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 30.136494] RIP: 0033:0x4418d9
[ 30.139655] RSP: 002b:00007fff53e05e08 EFLAGS: 00000217 ORIG_RAX: 000000000000002e
[ 30.147334] RAX: ffffffffffffffda RBX: 000000000000001a RCX: 00000000004418d9
[ 30.154574] RDX: 0000000000000081 RSI: 000000002037ffc8 RDI: 0000000000000004
[ 30.161817] RBP: 00000000004a343c R08: 0000000000000000 R09: 0000000000000000
[ 30.169062] R10: 0000000000000000 R11: 0000000000000217 R12: 00007fff53e05ed0
[ 30.176304] R13: 0000000000402660 R14: 0000000000000000 R15: 0000000000000000
[ 30.183561]
[ 30.185164] Allocated by task 0:
[ 30.188498] (stack is not available)
[ 30.192180]
[ 30.193779] Freed by task 0:
[ 30.196766] (stack is not available)
[ 30.200448]
[ 30.202051] The buggy address belongs to the object at ffff8801c2ead600
[ 30.202051]  which belongs to the cache ip_dst_cache of size 160
[ 30.214775] The buggy address is located 24 bytes inside of
[ 30.214775]  160-byte region [ffff8801c2ead600, ffff8801c2ead6a0)
[ 30.226536] The buggy address belongs to the page:
[ 30.231441] page:ffffea00070bab40 count:1 mapcount:0 mapping:ffff8801c2ead000 index:0xffff8801c2ead000
[ 30.240862] flags: 0x2fffc0000000100(slab)
[ 30.245076] raw: 02fffc0000000100 ffff8801c2ead000 ffff8801c2ead000 000000010000000c
[ 30.252931] raw: ffff8801d6bb2138 ffff8801d6bb2138 ffff8801d6bb6340 0000000000000000
[ 30.260781] page dumped because: kasan: bad access detected
[ 30.266461]
[ 30.268063] Memory state around the buggy address:
[ 30.272974]  ffff8801c2ead500: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 30.280308]  ffff8801c2ead580: 00 00 00 00 fc fc fc fc fc fc fc fc fc fc fc fc
[ 30.287638] >ffff8801c2ead600: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 30.294968]                             ^
[ 30.299090]  ffff8801c2ead680: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 30.306427]  ffff8801c2ead700: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 30.313759] ==================================================================
[ 30.321089] Disabling lock debugging due to kernel taint
[ 30.326543] Kernel panic - not syncing: panic_on_warn set ...
[ 30.326543]
[ 30.333891] CPU: 0 PID: 4193 Comm: syzkaller190613 Tainted: G B 4.16.0-rc4+ #258
[ 30.342611] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 30.351940] Call Trace:
[ 30.354505]  dump_stack+0x194/0x24d
[ 30.358107]  ? arch_local_irq_restore+0x53/0x53
[ 30.362747]  ? kasan_end_report+0x32/0x50
[ 30.366868]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 30.371595]  ? vsnprintf+0x1ed/0x1900
[ 30.375369]  ? ip6_xmit+0x1ee0/0x2260
[ 30.379156]  panic+0x1e4/0x41c
[ 30.382324]  ? refcount_error_report+0x214/0x214
[ 30.387056]  ? add_taint+0x1c/0x50
[ 30.390568]  ? add_taint+0x1c/0x50
[ 30.394080]  ? ip6_xmit+0x1f76/0x2260
[ 30.397852]  kasan_end_report+0x50/0x50
[ 30.401795]  kasan_report+0x149/0x360
[ 30.405569]  __asan_report_load8_noabort+0x14/0x20
[ 30.410469]  ip6_xmit+0x1f76/0x2260
[ 30.414085]  ? ip6_finish_output2+0x23d0/0x23d0
[ 30.418728]  ? fl6_update_dst+0x127/0x2b0
[ 30.422850]  ? inet6_csk_route_socket+0x691/0xe80
[ 30.427666]  ? trace_hardirqs_off+0x10/0x10
[ 30.431960]  ? lock_acquire+0x1d5/0x580
[ 30.435904]  ? lock_acquire+0x1d5/0x580
[ 30.439846]  ? inet6_csk_xmit+0x114/0x580
[ 30.443963]  ? trace_hardirqs_off+0x10/0x10
[ 30.448256]  ? lock_release+0xa40/0xa40
[ 30.452209]  inet6_csk_xmit+0x2fc/0x580
[ 30.456155]  ? inet6_csk_update_pmtu+0x160/0x160
[ 30.460894]  ? __sk_dst_check+0x1a5/0x380
[ 30.465024]  ? sock_kzfree_s+0x60/0x60
[ 30.468910]  l2tp_xmit_skb+0x105f/0x1410
[ 30.472957]  ? l2tp_session_create+0xb80/0xb80
[ 30.477510]  ? sock_wmalloc+0x15d/0x1d0
[ 30.481455]  ? iov_iter_advance+0x13f0/0x13f0
[ 30.485924]  ? pppol2tp_sendmsg+0x41b/0x670
[ 30.490219]  pppol2tp_sendmsg+0x470/0x670
[ 30.494340]  ? selinux_socket_sendmsg+0x36/0x40
[ 30.498983]  ? pppol2tp_getsockopt+0x900/0x900
[ 30.503542]  sock_sendmsg+0xca/0x110
[ 30.507227]  ___sys_sendmsg+0x767/0x8b0
[ 30.511174]  ? copy_msghdr_from_user+0x590/0x590
[ 30.515902]  ? __pmd_alloc+0x4e0/0x4e0
[ 30.519763]  ? trace_hardirqs_off+0x10/0x10
[ 30.524057]  ? find_held_lock+0x35/0x1d0
[ 30.528091]  ? __fget_light+0x2b2/0x3c0
[ 30.532041]  ? fget_raw+0x20/0x20
[ 30.535474]  ? __do_page_fault+0x5f7/0xc90
[ 30.539682]  ? lock_downgrade+0x980/0x980
[ 30.543804]  __sys_sendmsg+0xe5/0x210
[ 30.547578]  ? __sys_sendmsg+0xe5/0x210
[ 30.551522]  ? SyS_shutdown+0x290/0x290
[ 30.555473]  ? __do_page_fault+0x3d6/0xc90
[ 30.559694]  ? trace_event_raw_event_sys_exit+0x260/0x260
[ 30.565216]  SyS_sendmsg+0x2d/0x50
[ 30.568728]  ? __sys_sendmsg+0x210/0x210
[ 30.572758]  do_syscall_64+0x281/0x940
[ 30.576617]  ? __do_page_fault+0xc90/0xc90
[ 30.580840]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 30.585569]  ? syscall_return_slowpath+0x550/0x550
[ 30.590471]  ? syscall_return_slowpath+0x2ac/0x550
[ 30.595370]  ? prepare_exit_to_usermode+0x350/0x350
[ 30.600359]  ? retint_user+0x18/0x18
[ 30.604047]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 30.608865]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 30.614031] RIP: 0033:0x4418d9
[ 30.617204] RSP: 002b:00007fff53e05e08 EFLAGS: 00000217 ORIG_RAX: 000000000000002e
[ 30.624892] RAX: ffffffffffffffda RBX: 000000000000001a RCX: 00000000004418d9
[ 30.632138] RDX: 0000000000000081 RSI: 000000002037ffc8 RDI: 0000000000000004
[ 30.639379] RBP: 00000000004a343c R08: 0000000000000000 R09: 0000000000000000
[ 30.646621] R10: 0000000000000000 R11: 0000000000000217 R12: 00007fff53e05ed0
[ 30.653863] R13: 0000000000402660 R14: 0000000000000000 R15: 0000000000000000
[ 30.661562] Dumping ftrace buffer:
[ 30.665084]    (ftrace buffer empty)
[ 30.668765] Kernel Offset: disabled
[ 30.672363] Rebooting in 86400 seconds..