[ ok ] Starting enhanced syslogd: rsyslogd.
[ 11.804749] audit: type=1400 audit(1516244144.193:5): avc: denied { syslog } for pid=3484 comm="rsyslogd" capability=34 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=capability2 permissive=1
[ ok ] Starting periodic command scheduler: cron.
Starting mcstransd:
[ ok ] Starting file context maintaining daemon: restorecond.
[ ok ] Starting OpenBSD Secure Shell server: sshd.

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [ 17.539451] audit: type=1400 audit(1516244149.928:6): avc: denied { map } for pid=3623 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
Warning: Permanently added '10.128.15.237' (ECDSA) to the list of known hosts.
net.ipv6.conf.syz0.accept_dad = 0
net.ipv6.conf.syz0.router_solicitations = 0
[ 23.802814] audit: type=1400 audit(1516244156.191:7): avc: denied { map } for pid=3637 comm="syzkaller726729" path="/root/syzkaller726729658" dev="sda1" ino=16481 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
RTNETLINK answers: Operation not supported
RTNETLINK answers: No buffer space available
RTNETLINK answers: Operation not supported
[ 24.010713] IPv6: ADDRCONF(NETDEV_UP): bridge0: link is not ready
RTNETLINK answers: Operation not supported
RTNETLINK answers: Operation not supported
RTNETLINK answers: Operation not supported
RTNETLINK answers: Invalid argument
RTNETLINK answers: Invalid argument
RTNETLINK answers: Invalid argument
executing program
[ 24.341698] ==================================================================
[ 24.349147] BUG: KASAN: slab-out-of-bounds in ip6_xmit+0x1ce9/0x2090
[ 24.355613] Read of size 8 at addr ffff8801d605c218 by task syzkaller726729/3638
[ 24.363115]
[ 24.364718] CPU: 0 PID: 3638 Comm: syzkaller726729 Not tainted 4.15.0-rc8-next-20180117+ #99
[ 24.373262] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 24.382589] Call Trace:
[ 24.385150]  dump_stack+0x194/0x257
[ 24.388755]  ? arch_local_irq_restore+0x53/0x53
[ 24.393399]  ? show_regs_print_info+0x18/0x18
[ 24.397872]  ? ip6_xmit+0x1ce9/0x2090
[ 24.401648]  print_address_description+0x73/0x250
[ 24.406464]  ? ip6_xmit+0x1ce9/0x2090
[ 24.410237]  kasan_report+0x23b/0x360
[ 24.414028]  __asan_report_load8_noabort+0x14/0x20
[ 24.418931]  ip6_xmit+0x1ce9/0x2090
[ 24.422547]  ? ip6_finish_output2+0x23a0/0x23a0
[ 24.427194]  ? fl6_update_dst+0x127/0x2b0
[ 24.431318]  ? check_noncircular+0x20/0x20
[ 24.435526]  ? inet6_csk_route_socket+0x691/0xe80
[ 24.440347]  ? lock_acquire+0x1d5/0x580
[ 24.444293]  ? lock_acquire+0x1d5/0x580
[ 24.448238]  ? inet6_csk_xmit+0x114/0x580
[ 24.452364]  ? lock_release+0xa40/0xa40
[ 24.456327]  inet6_csk_xmit+0x2fc/0x580
[ 24.460277]  ? inet6_csk_update_pmtu+0x160/0x160
[ 24.465006]  ? __sk_dst_check+0x1a5/0x380
[ 24.469127]  ? sk_wait_data+0x610/0x610
[ 24.473089]  l2tp_xmit_skb+0x105f/0x1410
[ 24.477136]  ? l2tp_session_create+0xbf0/0xbf0
[ 24.481692]  ? sock_wmalloc+0x15d/0x1d0
[ 24.485641]  ? iov_iter_advance+0x13f0/0x13f0
[ 24.490112]  ? pppol2tp_sendmsg+0x41b/0x670
[ 24.494409]  pppol2tp_sendmsg+0x470/0x670
[ 24.498534]  ? selinux_socket_sendmsg+0x36/0x40
[ 24.503176]  ? pppol2tp_session_ioctl+0xa90/0xa90
[ 24.507994]  sock_sendmsg+0xca/0x110
[ 24.511682]  ___sys_sendmsg+0x767/0x8b0
[ 24.515634]  ? copy_msghdr_from_user+0x590/0x590
[ 24.520371]  ? __do_page_fault+0x5f7/0xc90
[ 24.524580]  ? lock_downgrade+0x980/0x980
[ 24.528707]  ? __fget_light+0x297/0x380
[ 24.532671]  ? fget_raw+0x20/0x20
[ 24.536102]  ? __handle_mm_fault+0x3ce0/0x3ce0
[ 24.540657]  ? vmacache_find+0x5f/0x280
[ 24.544614]  ? up_read+0x1a/0x40
[ 24.547967]  ? __do_page_fault+0x3d6/0xc90
[ 24.552183]  ? __fdget+0x18/0x20
[ 24.555544]  __sys_sendmsg+0xe5/0x210
[ 24.559318]  ? __sys_sendmsg+0xe5/0x210
[ 24.563269]  ? SyS_shutdown+0x290/0x290
[ 24.567221]  ? __do_page_fault+0xc90/0xc90
[ 24.571447]  ? trace_hardirqs_on_caller+0x421/0x5c0
[ 24.576447]  SyS_sendmsg+0x2d/0x50
[ 24.579964]  entry_SYSCALL_64_fastpath+0x29/0xa0
[ 24.584693] RIP: 0033:0x4462f9
[ 24.587855] RSP: 002b:00007ffdf77899d8 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
[ 24.595536] RAX: ffffffffffffffda RBX: 0000000000000068 RCX: 00000000004462f9
[ 24.602781] RDX: 0000000000000081 RSI: 000000002037ffc8 RDI: 0000000000000005
[ 24.610023] RBP: 00000000004a8458 R08: 00000000004a8458 R09: 00000000004a8458
[ 24.617269] R10: 00000000004a8458 R11: 0000000000000246 R12: 0000000000403430
[ 24.624512] R13: 00000000004034c0 R14: 0000000000000000 R15: 0000000000000000
[ 24.631770]
[ 24.633373] Allocated by task 0:
[ 24.636717] (stack is not available)
[ 24.640403]
[ 24.642001] Freed by task 0:
[ 24.644987] (stack is not available)
[ 24.648670]
[ 24.650273] The buggy address belongs to the object at ffff8801d605c200
[ 24.650273]  which belongs to the cache ip_dst_cache of size 168
[ 24.662987] The buggy address is located 24 bytes inside of
[ 24.662987]  168-byte region [ffff8801d605c200, ffff8801d605c2a8)
[ 24.674745] The buggy address belongs to the page:
[ 24.679646] page:ffffea0007581700 count:1 mapcount:0 mapping:ffff8801d605c000 index:0x0
[ 24.687760] flags: 0x2fffc0000000100(slab)
[ 24.691967] raw: 02fffc0000000100 ffff8801d605c000 0000000000000000 0000000100000010
[ 24.699820] raw: ffffea0007106120 ffff8801d6f2d848 ffff8801d6fde980 0000000000000000
[ 24.707669] page dumped because: kasan: bad access detected
[ 24.713349]
[ 24.714945] Memory state around the buggy address:
[ 24.719844]  ffff8801d605c100: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 24.727173]  ffff8801d605c180: 00 00 00 00 00 fc fc fc fc fc fc fc fc fc fc fc
[ 24.734503] >ffff8801d605c200: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 24.741831]                             ^
[ 24.745948]  ffff8801d605c280: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 24.753278]  ffff8801d605c300: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 24.760605] ==================================================================
[ 24.767935] Disabling lock debugging due to kernel taint
[ 24.773400] Kernel panic - not syncing: panic_on_warn set ...
[ 24.773400]
[ 24.780738] CPU: 0 PID: 3638 Comm: syzkaller726729 Tainted: G B 4.15.0-rc8-next-20180117+ #99
[ 24.790585] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 24.799911] Call Trace:
[ 24.802476]  dump_stack+0x194/0x257
[ 24.806079]  ? arch_local_irq_restore+0x53/0x53
[ 24.810717]  ? kasan_end_report+0x32/0x50
[ 24.814836]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 24.819566]  ? vsnprintf+0x1ed/0x1900
[ 24.823345]  ? ip6_xmit+0x1ca0/0x2090
[ 24.827119]  panic+0x1e4/0x41c
[ 24.830287]  ? refcount_error_report+0x214/0x214
[ 24.835016]  ? add_taint+0x1c/0x50
[ 24.838526]  ? add_taint+0x1c/0x50
[ 24.842039]  ? ip6_xmit+0x1ce9/0x2090
[ 24.845813]  kasan_end_report+0x50/0x50
[ 24.849758]  kasan_report+0x148/0x360
[ 24.853535]  __asan_report_load8_noabort+0x14/0x20
[ 24.858435]  ip6_xmit+0x1ce9/0x2090
[ 24.862126]  ? ip6_finish_output2+0x23a0/0x23a0
[ 24.866771]  ? fl6_update_dst+0x127/0x2b0
[ 24.870893]  ? check_noncircular+0x20/0x20
[ 24.875098]  ? inet6_csk_route_socket+0x691/0xe80
[ 24.879915]  ? lock_acquire+0x1d5/0x580
[ 24.883859]  ? lock_acquire+0x1d5/0x580
[ 24.887804]  ? inet6_csk_xmit+0x114/0x580
[ 24.891926]  ? lock_release+0xa40/0xa40
[ 24.895880]  inet6_csk_xmit+0x2fc/0x580
[ 24.899830]  ? inet6_csk_update_pmtu+0x160/0x160
[ 24.904559]  ? __sk_dst_check+0x1a5/0x380
[ 24.908677]  ? sk_wait_data+0x610/0x610
[ 24.912631]  l2tp_xmit_skb+0x105f/0x1410
[ 24.916670]  ? l2tp_session_create+0xbf0/0xbf0
[ 24.921226]  ? sock_wmalloc+0x15d/0x1d0
[ 24.925172]  ? iov_iter_advance+0x13f0/0x13f0
[ 24.929640]  ? pppol2tp_sendmsg+0x41b/0x670
[ 24.933932]  pppol2tp_sendmsg+0x470/0x670
[ 24.938055]  ? selinux_socket_sendmsg+0x36/0x40
[ 24.942697]  ? pppol2tp_session_ioctl+0xa90/0xa90
[ 24.947515]  sock_sendmsg+0xca/0x110
[ 24.951202]  ___sys_sendmsg+0x767/0x8b0
[ 24.955154]  ? copy_msghdr_from_user+0x590/0x590
[ 24.959891]  ? __do_page_fault+0x5f7/0xc90
[ 24.964102]  ? lock_downgrade+0x980/0x980
[ 24.968227]  ? __fget_light+0x297/0x380
[ 24.972173]  ? fget_raw+0x20/0x20
[ 24.975600]  ? __handle_mm_fault+0x3ce0/0x3ce0
[ 24.980154]  ? vmacache_find+0x5f/0x280
[ 24.984103]  ? up_read+0x1a/0x40
[ 24.987443]  ? __do_page_fault+0x3d6/0xc90
[ 24.991651]  ? __fdget+0x18/0x20
[ 24.994995]  __sys_sendmsg+0xe5/0x210
[ 24.998779]  ? __sys_sendmsg+0xe5/0x210
[ 25.003083]  ? SyS_shutdown+0x290/0x290
[ 25.007032]  ? __do_page_fault+0xc90/0xc90
[ 25.011247]  ? trace_hardirqs_on_caller+0x421/0x5c0
[ 25.016246]  SyS_sendmsg+0x2d/0x50
[ 25.019764]  entry_SYSCALL_64_fastpath+0x29/0xa0
[ 25.024491] RIP: 0033:0x4462f9
[ 25.027652] RSP: 002b:00007ffdf77899d8 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
[ 25.035331] RAX: ffffffffffffffda RBX: 0000000000000068 RCX: 00000000004462f9
[ 25.042573] RDX: 0000000000000081 RSI: 000000002037ffc8 RDI: 0000000000000005
[ 25.049816] RBP: 00000000004a8458 R08: 00000000004a8458 R09: 00000000004a8458
[ 25.058032] R10: 00000000004a8458 R11: 0000000000000246 R12: 0000000000403430
[ 25.065276] R13: 00000000004034c0 R14: 0000000000000000 R15: 0000000000000000
[ 25.072948] Dumping ftrace buffer:
[ 25.076457]    (ftrace buffer empty)
[ 25.080142] Kernel Offset: disabled
[ 25.083740] Rebooting in 86400 seconds..
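Reading the report above: KASAN caught an 8-byte out-of-bounds read in ip6_xmit, reached from userspace through sendmsg() on a PPPoL2TP socket (pppol2tp_sendmsg -> l2tp_xmit_skb -> inet6_csk_xmit -> ip6_xmit). The faulting address is 24 bytes into a 168-byte slot of ip_dst_cache, the cache that holds IPv4 route entries, yet the reader is the IPv6 output path; and the "Memory state" rows show every shadow byte of that slot as fc (slab redzone), so there is no live allocation there at all, which is why KASAN classifies the access as slab-out-of-bounds rather than use-after-free. Because the instance runs with panic_on_warn, the report is followed by a panic and a reboot. The triage helper below is an added example, not syzkaller's or the kernel's code: it parses the fields a practitioner otherwise extracts by hand (bug class, faulting function, cache and offset, the shadow byte at the faulting address, the call trace with the unreliable "?" frames dropped) from a constructed excerpt of this log, and accepts the flattened one-line form of the dump as well. The shadow-byte meanings and bug-type mapping are the generic-KASAN constants of that kernel era (mm/kasan/kasan.h, mm/kasan/report.c); the excerpt and the field names are the example's own.

```python
import re

# Constructed excerpt of the console log above (same report lines; most '?'
# frames and the panic's repeat of the trace are left out to keep it short).
REPORT = """
[   24.349147] BUG: KASAN: slab-out-of-bounds in ip6_xmit+0x1ce9/0x2090
[   24.355613] Read of size 8 at addr ffff8801d605c218 by task syzkaller726729/3638
[   24.382589] Call Trace:
[   24.385150]  dump_stack+0x194/0x257
[   24.414028]  __asan_report_load8_noabort+0x14/0x20
[   24.418931]  ip6_xmit+0x1ce9/0x2090
[   24.422547]  ? ip6_finish_output2+0x23a0/0x23a0
[   24.456327]  inet6_csk_xmit+0x2fc/0x580
[   24.473089]  l2tp_xmit_skb+0x105f/0x1410
[   24.494409]  pppol2tp_sendmsg+0x470/0x670
[   24.507994]  sock_sendmsg+0xca/0x110
[   24.576447]  SyS_sendmsg+0x2d/0x50
[   24.579964]  entry_SYSCALL_64_fastpath+0x29/0xa0
[   24.584693] RIP: 0033:0x4462f9
[   24.650273] The buggy address belongs to the object at ffff8801d605c200
[   24.650273]  which belongs to the cache ip_dst_cache of size 168
[   24.727173]  ffff8801d605c180: 00 00 00 00 00 fc fc fc fc fc fc fc fc fc fc fc
[   24.734503] >ffff8801d605c200: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   24.745948]  ffff8801d605c280: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
"""

# Generic-KASAN shadow values (mm/kasan/kasan.h); 0x00..0x07 = that many leading bytes of the 8-byte granule are addressable.
SHADOW = {0xFF: "freed page", 0xFE: "kmalloc_large redzone", 0xFC: "slab redzone",
          0xFB: "freed slab object", 0xFA: "global redzone", 0xF8: "out of scope",
          0xF1: "stack left", 0xF2: "stack mid", 0xF3: "stack right", 0xF4: "stack partial"}
# Frames that belong to the reporting machinery, not to the faulting code path.
REPORT_FRAMES = ("dump_stack", "print_address_description", "kasan_report",
                 "__asan_report", "kasan_end_report", "panic", "add_taint")
TS = re.compile(r"\[\s*\d+\.\d+\]")
BUG = re.compile(r"BUG: KASAN: (\S+) in (\w+)\+0x[0-9a-f]+/0x[0-9a-f]+")
ACCESS = re.compile(r"(Read|Write) of size (\d+) at addr ([0-9a-f]+) by task (\S+)/(\d+)")
OBJ = re.compile(r"The buggy address belongs to the object at ([0-9a-f]+)")
CACHE = re.compile(r"which belongs to the cache (\S+) of size (\d+)")
ROW = re.compile(r">?([0-9a-f]{16}): ((?:[0-9a-f]{2} ?){16})$")
FRAME = re.compile(r"(\? )?([A-Za-z_][\w.]*)\+0x[0-9a-f]+/0x[0-9a-f]+$")

def lines(text):  # drop '[ sec.usec]' prefixes; also re-splits a flattened dump
    return [p.strip() for p in TS.split(text) if p.strip()]

def parse(text):
    r = {"frames": [], "shadow": {}}
    in_trace = False
    for l in lines(text):
        if l == "Call Trace:":
            in_trace = not r["frames"]            # first trace only
        elif l.startswith("RIP:"):
            in_trace = False
        elif in_trace and (m := FRAME.match(l)):
            if not m[1]:                          # '? ' marks an unreliable frame
                r["frames"].append(m[2])
        elif (m := BUG.match(l)):
            r.update(bug=m[1], func=m[2])
        elif (m := ACCESS.match(l)):
            r.update(access=m[1], width=int(m[2]), addr=int(m[3], 16),
                     task=m[4], pid=int(m[5]))
        elif (m := OBJ.match(l)):
            r["obj"] = int(m[1], 16)
        elif (m := CACHE.match(l)):
            r.update(cache=m[1], obj_size=int(m[2]))
        elif (m := ROW.match(l)):                 # one shadow byte per 8 bytes
            r["shadow"][int(m[1], 16)] = bytes.fromhex(m[2].replace(" ", ""))
    return r

def shadow_at(r, addr):
    for base, row in r["shadow"].items():
        if base <= addr < base + 8 * len(row):
            return row[(addr - base) // 8]

def bug_type_for(v):
    """KASAN's own classification of a shadow byte (mm/kasan/report.c)."""
    if v < 8: return "out-of-bounds"
    if 0xF1 <= v <= 0xF4: return "stack-out-of-bounds"
    return {0xFC: "slab-out-of-bounds", 0xFE: "slab-out-of-bounds", 0xFA: "global-out-of-bounds",
            0xFB: "use-after-free", 0xFF: "use-after-free", 0xF8: "use-after-scope"}.get(v, "unknown")

def faulting_path(frames):
    """Strip the reporting frames so that path[0] is the function that faulted."""
    while frames and frames[0].startswith(REPORT_FRAMES):
        frames = frames[1:]
    return frames

def triage(text):
    r = parse(text)
    v = shadow_at(r, r["addr"])
    # shadow of every granule in the object's slot; all 0xfc = no live allocation there
    slot = [shadow_at(r, a) for a in range(r["obj"], r["obj"] + r["obj_size"], 8)]
    return {"bug": r["bug"], "func": r["func"], "access": r["access"], "width": r["width"],
            "task": r["task"], "pid": r["pid"], "cache": r["cache"], "obj_size": r["obj_size"],
            "offset": r["addr"] - r["obj"], "shadow": v,
            "shadow_meaning": SHADOW.get(v, f"first {v or 8} bytes addressable"),
            "shadow_bug_type": bug_type_for(v), "slot_all_redzone": all(b == 0xFC for b in slot),
            "path": faulting_path(r["frames"])}

if __name__ == "__main__":
    print(triage(REPORT))
```

Run it on the full console dump (the flattened one-line form works too) and compare shadow_bug_type with the bug class on the BUG line: they agree here, and a mismatch usually means the wrong memory-state block was pasted. The slot_all_redzone flag is what distinguishes this report from a use-after-free: a freed object would show fb, not fc, and would carry a "Freed by" stack.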