[....] Starting enhanced syslogd: rsyslogd
[   16.521799] audit: type=1400 audit(1520772027.721:5): avc:  denied  { syslog } for  pid=4094 comm="rsyslogd" capability=34  scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=capability2 permissive=1
[ ok ] Starting enhanced syslogd: rsyslogd.
Starting mcstransd:
[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting file context maintaining daemon: restorecond.
[ ok ] Starting OpenBSD Secure Shell server: sshd.

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [   22.277292] audit: type=1400 audit(1520772033.477:6): avc:  denied  { map } for  pid=4235 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
Warning: Permanently added '10.128.0.27' (ECDSA) to the list of known hosts.
executing program
[   31.860745] audit: type=1400 audit(1520772043.060:7): avc:  denied  { map } for  pid=4250 comm="syzkaller312310" path="/root/syzkaller312310756" dev="sda1" ino=16481 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
[   31.865883] ==================================================================
[   31.894767] BUG: KASAN: slab-out-of-bounds in ip6_xmit+0x1f76/0x2260
[   31.901256] Read of size 8 at addr ffff8801b4892018 by task syzkaller312310/4250
[   31.908761]
[   31.910381] CPU: 1 PID: 4250 Comm: syzkaller312310 Not tainted 4.16.0-rc4+ #349
[   31.917811] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   31.927144] Call Trace:
[   31.929714]  dump_stack+0x194/0x24d
[   31.933322]  ? arch_local_irq_restore+0x53/0x53
[   31.937966]  ? show_regs_print_info+0x18/0x18
[   31.942457]  ? ip6_xmit+0x1f76/0x2260
[   31.946246]  print_address_description+0x73/0x250
[   31.951070]  ? ip6_xmit+0x1f76/0x2260
[   31.954846]  kasan_report+0x23c/0x360
[   31.958624]  __asan_report_load8_noabort+0x14/0x20
[   31.963528]  ip6_xmit+0x1f76/0x2260
[   31.967155]  ? ip6_finish_output2+0x23a0/0x23a0
[   31.971799]  ? fl6_update_dst+0x127/0x2b0
[   31.975926]  ? inet6_csk_route_socket+0x691/0xe80
[   31.980749]  ? trace_hardirqs_off+0x10/0x10
[   31.985057]  ? lock_acquire+0x1d5/0x580
[   31.989020]  ? lock_acquire+0x1d5/0x580
[   31.992976]  ? inet6_csk_xmit+0x114/0x580
[   31.997099]  ? trace_hardirqs_off+0x10/0x10
[   32.001410]  ? lock_release+0xa40/0xa40
[   32.005373]  inet6_csk_xmit+0x2fc/0x580
[   32.009346]  ? inet6_csk_update_pmtu+0x160/0x160
[   32.014097]  ? __sk_dst_check+0x1a5/0x380
[   32.018222]  ? sock_kfree_s+0x60/0x60
[   32.022031]  l2tp_xmit_skb+0x105f/0x1410
[   32.026084]  ? l2tp_session_create+0xb80/0xb80
[   32.030642]  ? sock_wmalloc+0x15d/0x1d0
[   32.034592]  ? iov_iter_advance+0x13f0/0x13f0
[   32.039070]  ? pppol2tp_sendmsg+0x41b/0x670
[   32.043368]  pppol2tp_sendmsg+0x470/0x670
[   32.047496]  ? selinux_socket_sendmsg+0x36/0x40
[   32.052153]  ? pppol2tp_getsockopt+0x900/0x900
[   32.056710]  sock_sendmsg+0xca/0x110
[   32.060404]  SYSC_sendto+0x361/0x5c0
[   32.064098]  ? SYSC_connect+0x4a0/0x4a0
[   32.068057]  ? inet_dgram_connect+0x172/0x1f0
[   32.072528]  ? SYSC_connect+0x2e0/0x4a0
[   32.076504]  ? mm_fault_error+0x2c0/0x2c0
[   32.080624]  ? move_addr_to_kernel+0x60/0x60
[   32.085018]  SyS_sendto+0x40/0x50
[   32.088540]  ? SyS_getpeername+0x30/0x30
[   32.092577]  do_syscall_64+0x281/0x940
[   32.096442]  ? __do_page_fault+0xc90/0xc90
[   32.100653]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[   32.105386]  ? syscall_return_slowpath+0x550/0x550
[   32.110289]  ? syscall_return_slowpath+0x2ac/0x550
[   32.115205]  ? prepare_exit_to_usermode+0x350/0x350
[   32.120200]  ? entry_SYSCALL_64_after_hwframe+0x52/0xb7
[   32.125544]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   32.130399]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[   32.135649] RIP: 0033:0x440169
[   32.138813] RSP: 002b:00007ffed41712c8 EFLAGS: 00000216 ORIG_RAX: 000000000000002c
[   32.146493] RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 0000000000440169
[   32.153740] RDX: 0000000000000000 RSI: 0000000020001180 RDI: 0000000000000004
[   32.160992] RBP: 00000000006ca018 R08: 00000000200021c0 R09: 0000000000000080
[   32.168248] R10: 0000000000040001 R11: 0000000000000216 R12: 0000000000401a90
[   32.175502] R13: 0000000000401b20 R14: 0000000000000000 R15: 0000000000000000
[   32.182773]
[   32.184378] Allocated by task 4118:
[   32.187986]  save_stack+0x43/0xd0
[   32.191427]  kasan_kmalloc+0xad/0xe0
[   32.195563]  kasan_slab_alloc+0x12/0x20
[   32.199517]  kmem_cache_alloc+0x12e/0x760
[   32.203643]  getname_flags+0xcb/0x580
[   32.207431]  user_path_at_empty+0x2d/0x50
[   32.211559]  SyS_access+0x22c/0x6a0
[   32.215169]  do_syscall_64+0x281/0x940
[   32.219041]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[   32.224211]
[   32.225811] Freed by task 4118:
[   32.229067]  save_stack+0x43/0xd0
[   32.232505]  __kasan_slab_free+0x11a/0x170
[   32.236711]  kasan_slab_free+0xe/0x10
[   32.240508]  kmem_cache_free+0x83/0x2a0
[   32.244457]  putname+0xee/0x130
[   32.247708]  filename_lookup+0x315/0x500
[   32.251760]  user_path_at_empty+0x40/0x50
[   32.255882]  SyS_access+0x22c/0x6a0
[   32.259480]  do_syscall_64+0x281/0x940
[   32.263351]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[   32.268514]
[   32.270115] The buggy address belongs to the object at ffff8801b48927c0
[   32.270115]  which belongs to the cache names_cache of size 4096
[   32.282834] The buggy address is located 1960 bytes to the left of
[   32.282834]  4096-byte region [ffff8801b48927c0, ffff8801b48937c0)
[   32.295288] The buggy address belongs to the page:
[   32.300198] page:ffffea0006d22480 count:1 mapcount:0 mapping:ffff8801b48927c0 index:0x0 compound_mapcount: 0
[   32.310142] flags: 0x2fffc0000008100(slab|head)
[   32.314784] raw: 02fffc0000008100 ffff8801b48927c0 0000000000000000 0000000100000001
[   32.322642] raw: ffffea0006d62f20 ffffea0006d68020 ffff8801da5d6600 0000000000000000
[   32.330504] page dumped because: kasan: bad access detected
[   32.336190]
[   32.337807] Memory state around the buggy address:
[   32.342715]  ffff8801b4891f00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   32.350050]  ffff8801b4891f80: 00 00 00 00 00 fc fc fc fc fc fc fc fc fc fc fc
[   32.357382] >ffff8801b4892000: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   32.364711]                             ^
[   32.368829]  ffff8801b4892080: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   32.376169]  ffff8801b4892100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   32.383500] ==================================================================
[   32.390830] Disabling lock debugging due to kernel taint
[   32.396554] Kernel panic - not syncing: panic_on_warn set ...
[   32.396554]
[   32.403910] CPU: 1 PID: 4250 Comm: syzkaller312310 Tainted: G    B            4.16.0-rc4+ #349
[   32.412828] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   32.422174] Call Trace:
[   32.424748]  dump_stack+0x194/0x24d
[   32.428352]  ? arch_local_irq_restore+0x53/0x53
[   32.432993]  ? kasan_end_report+0x32/0x50
[   32.437128]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[   32.441856]  ? vsnprintf+0x1ed/0x1900
[   32.445629]  ? ip6_xmit+0x1f30/0x2260
[   32.449403]  panic+0x1e4/0x41c
[   32.452570]  ? refcount_error_report+0x214/0x214
[   32.457323]  ? add_taint+0x1c/0x50
[   32.460848]  ? add_taint+0x1c/0x50
[   32.464368]  ? ip6_xmit+0x1f76/0x2260
[   32.468161]  kasan_end_report+0x50/0x50
[   32.472128]  kasan_report+0x149/0x360
[   32.475935]  __asan_report_load8_noabort+0x14/0x20
[   32.480841]  ip6_xmit+0x1f76/0x2260
[   32.484456]  ? ip6_finish_output2+0x23a0/0x23a0
[   32.489098]  ? fl6_update_dst+0x127/0x2b0
[   32.493221]  ? inet6_csk_route_socket+0x691/0xe80
[   32.498050]  ? trace_hardirqs_off+0x10/0x10
[   32.502366]  ? lock_acquire+0x1d5/0x580
[   32.506314]  ? lock_acquire+0x1d5/0x580
[   32.510269]  ? inet6_csk_xmit+0x114/0x580
[   32.514394]  ? trace_hardirqs_off+0x10/0x10
[   32.518692]  ? lock_release+0xa40/0xa40
[   32.522645]  inet6_csk_xmit+0x2fc/0x580
[   32.526594]  ? inet6_csk_update_pmtu+0x160/0x160
[   32.531326]  ? __sk_dst_check+0x1a5/0x380
[   32.535453]  ? sock_kfree_s+0x60/0x60
[   32.539241]  l2tp_xmit_skb+0x105f/0x1410
[   32.543284]  ? l2tp_session_create+0xb80/0xb80
[   32.547842]  ? sock_wmalloc+0x15d/0x1d0
[   32.551789]  ? iov_iter_advance+0x13f0/0x13f0
[   32.556255]  ? pppol2tp_sendmsg+0x41b/0x670
[   32.560550]  pppol2tp_sendmsg+0x470/0x670
[   32.564671]  ? selinux_socket_sendmsg+0x36/0x40
[   32.569311]  ? pppol2tp_getsockopt+0x900/0x900
[   32.573866]  sock_sendmsg+0xca/0x110
[   32.577555]  SYSC_sendto+0x361/0x5c0
[   32.581246]  ? SYSC_connect+0x4a0/0x4a0
[   32.585201]  ? inet_dgram_connect+0x172/0x1f0
[   32.589672]  ? SYSC_connect+0x2e0/0x4a0
[   32.593634]  ? mm_fault_error+0x2c0/0x2c0
[   32.597753]  ? move_addr_to_kernel+0x60/0x60
[   32.602315]  SyS_sendto+0x40/0x50
[   32.605754]  ? SyS_getpeername+0x30/0x30
[   32.609805]  do_syscall_64+0x281/0x940
[   32.613672]  ? __do_page_fault+0xc90/0xc90
[   32.617891]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[   32.622629]  ? syscall_return_slowpath+0x550/0x550
[   32.627532]  ? syscall_return_slowpath+0x2ac/0x550
[   32.632434]  ? prepare_exit_to_usermode+0x350/0x350
[   32.637422]  ? entry_SYSCALL_64_after_hwframe+0x52/0xb7
[   32.642764]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   32.647598]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[   32.652760] RIP: 0033:0x440169
[   32.655922] RSP: 002b:00007ffed41712c8 EFLAGS: 00000216 ORIG_RAX: 000000000000002c
[   32.663604] RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 0000000000440169
[   32.670856] RDX: 0000000000000000 RSI: 0000000020001180 RDI: 0000000000000004
[   32.678109] RBP: 00000000006ca018 R08: 00000000200021c0 R09: 0000000000000080
[   32.685360] R10: 0000000000040001 R11: 0000000000000216 R12: 0000000000401a90
[   32.692604] R13: 0000000000401b20 R14: 0000000000000000 R15: 0000000000000000
[   32.700388] Dumping ftrace buffer:
[   32.703911]    (ftrace buffer empty)
[   32.707606] Kernel Offset: disabled
[   32.711214] Rebooting in 86400 seconds..