[ ok ] Starting enhanced syslogd: rsyslogd.
[   12.352504] audit: type=1400 audit(1517120810.870:5): avc: denied { syslog } for pid=3517 comm="rsyslogd" capability=34 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=capability2 permissive=1
Starting mcstransd:
[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting file context maintaining daemon: restorecond.
[ ok ] Starting OpenBSD Secure Shell server: sshd.

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [   19.898780] audit: type=1400 audit(1517120818.416:6): avc: denied { map } for pid=3655 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
Warning: Permanently added '10.128.15.220' (ECDSA) to the list of known hosts.
net.ipv6.conf.syz0.accept_dad = 0
net.ipv6.conf.syz0.router_solicitations = 0
[   26.159179] audit: type=1400 audit(1517120824.676:7): avc: denied { map } for pid=3669 comm="syzkaller896978" path="/root/syzkaller896978865" dev="sda1" ino=16481 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
RTNETLINK answers: Operation not supported
RTNETLINK answers: No buffer space available
RTNETLINK answers: Operation not supported
RTNETLINK answers: Operation not supported
[   26.540423] IPv6: ADDRCONF(NETDEV_UP): bridge0: link is not ready
RTNETLINK answers: Operation not supported
RTNETLINK answers: Operation not supported
RTNETLINK answers: Invalid argument
RTNETLINK answers: Invalid argument
RTNETLINK answers: Invalid argument
executing program
[   26.861448] ==================================================================
[   26.868843] BUG: KASAN: slab-out-of-bounds in clusterip_tg_check+0x150f/0x1570
[   26.876170] Read of size 2 at addr ffff8801d80a5578 by task syzkaller896978/3669
[   26.883670] 
[   26.885271] CPU: 0 PID: 3669 Comm: syzkaller896978 Not tainted 4.15.0-rc9+ #212
[   26.892683] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   26.902011] Call Trace:
[   26.904575]  dump_stack+0x194/0x257
[   26.908175]  ? arch_local_irq_restore+0x53/0x53
[   26.912817]  ? show_regs_print_info+0x18/0x18
[   26.917291]  ? clusterip_tg_check+0x150f/0x1570
[   26.921939]  print_address_description+0x73/0x250
[   26.926755]  ? clusterip_tg_check+0x150f/0x1570
[   26.931396]  kasan_report+0x25b/0x340
[   26.935171]  __asan_report_load2_noabort+0x14/0x20
[   26.940071]  clusterip_tg_check+0x150f/0x1570
[   26.944557]  ? arp_mangle+0x550/0x550
[   26.948332]  ? xt_find_target+0x150/0x1e0
[   26.952452]  ? lock_downgrade+0x980/0x980
[   26.956573]  ? nf_connlabels_get+0x62/0x80
[   26.960784]  ? lock_release+0xa40/0xa40
[   26.964730]  ? ipv4_conntrack_in+0x90/0x90
[   26.968950]  ? __mutex_unlock_slowpath+0xe9/0xac0
[   26.973773]  ? wait_for_completion+0x770/0x770
[   26.978327]  ? nf_connlabels_get+0x67/0x80
[   26.982533]  ? arp_mangle+0x550/0x550
[   26.986307]  xt_check_target+0x22c/0x7d0
[   26.990340]  ? xt_target_seq_next+0x30/0x30
[   26.994637]  ? mutex_unlock+0xd/0x10
[   26.998325]  ? mutex_unlock+0xd/0x10
[   27.002012]  ? xt_find_target+0x17b/0x1e0
[   27.006146]  find_check_entry.isra.8+0x8c8/0xcb0
[   27.010881]  ? ipt_do_table+0x1860/0x1860
[   27.015013]  ? mark_held_locks+0xaf/0x100
[   27.019138]  ? kfree+0xf0/0x260
[   27.022394]  ? trace_hardirqs_on+0xd/0x10
[   27.026520]  translate_table+0xed1/0x1610
[   27.030657]  ? alloc_counters.isra.11+0x7d0/0x7d0
[   27.035473]  ? kasan_check_write+0x14/0x20
[   27.039678]  ? _copy_from_user+0x99/0x110
[   27.043800]  do_ipt_set_ctl+0x370/0x5f0
[   27.047747]  ? translate_compat_table+0x1b90/0x1b90
[   27.052742]  ? mutex_unlock+0xd/0x10
[   27.056428]  ? nf_sockopt_find.constprop.0+0x1a7/0x220
[   27.061681]  nf_setsockopt+0x67/0xc0
[   27.065371]  ip_setsockopt+0xa1/0xb0
[   27.069062]  sctp_setsockopt+0x2b6/0x61d0
[   27.073187]  ? sctp_setsockopt_paddr_thresholds+0x550/0x550
[   27.078871]  ? __lock_is_held+0xb6/0x140
[   27.082916]  ? check_noncircular+0x20/0x20
[   27.087121]  ? lru_cache_add+0x1c7/0x3a0
[   27.091156]  ? get_mem_cgroup_from_mm+0x710/0x710
[   27.095972]  ? lru_cache_add_file+0x20/0x20
[   27.100271]  ? __mem_cgroup_threshold+0x8f0/0x8f0
[   27.105091]  ? mark_held_locks+0xaf/0x100
[   27.109217]  ? find_held_lock+0x35/0x1d0
[   27.113247]  ? check_noncircular+0x20/0x20
[   27.117459]  ? __handle_mm_fault+0x2747/0x3ce0
[   27.122020]  ? lock_downgrade+0x980/0x980
[   27.126153]  ? lock_release+0xa40/0xa40
[   27.130105]  ? find_held_lock+0x35/0x1d0
[   27.134152]  ? avc_has_perm+0x35e/0x680
[   27.138096]  ? lock_downgrade+0x980/0x980
[   27.142217]  ? lock_release+0xa40/0xa40
[   27.146158]  ? check_noncircular+0x20/0x20
[   27.150360]  ? __pmd_alloc+0x4e0/0x4e0
[   27.154224]  ? find_held_lock+0x35/0x1d0
[   27.158260]  ? avc_has_perm+0x43e/0x680
[   27.162208]  ? avc_has_perm_noaudit+0x520/0x520
[   27.166856]  ? __do_page_fault+0x5f7/0xc90
[   27.171071]  ? lock_downgrade+0x980/0x980
[   27.175197]  ? handle_mm_fault+0x410/0x8d0
[   27.179407]  ? down_read_trylock+0xdb/0x170
[   27.183696]  ? __do_page_fault+0x32d/0xc90
[   27.187903]  ? __handle_mm_fault+0x3ce0/0x3ce0
[   27.192455]  ? vmacache_find+0x5f/0x280
[   27.196404]  ? sock_has_perm+0x2a4/0x420
[   27.200443]  ? selinux_secmark_relabel_packet+0xc0/0xc0
[   27.205776]  ? __do_page_fault+0x3d6/0xc90
[   27.209985]  ? selinux_netlbl_socket_setsockopt+0x10c/0x460
[   27.215667]  ? selinux_netlbl_sock_rcv_skb+0x730/0x730
[   27.220932]  sock_common_setsockopt+0x95/0xd0
[   27.225409]  SyS_setsockopt+0x189/0x360
[   27.229356]  ? SyS_recv+0x40/0x40
[   27.232782]  ? entry_SYSCALL_64_fastpath+0x5/0xa0
[   27.237597]  ? trace_hardirqs_on_caller+0x421/0x5c0
[   27.242586]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[   27.247319]  entry_SYSCALL_64_fastpath+0x29/0xa0
[   27.252050] RIP: 0033:0x445ff9
[   27.255211] RSP: 002b:00007fffb6cf2ab8 EFLAGS: 00000207 ORIG_RAX: 0000000000000036
[   27.262890] RAX: ffffffffffffffda RBX: ffffffffffffffff RCX: 0000000000445ff9
[   27.270129] RDX: 0000000000000040 RSI: 0000000000000000 RDI: 0000000000000004
[   27.277369] RBP: 00007fffb6cf2bf8 R08: 0000000000000358 R09: 0000000000000000
[   27.284608] R10: 0000000020016ca8 R11: 0000000000000207 R12: 00007fffb6cf2bf8
[   27.291853] R13: 00000000004034c0 R14: 0000000000000000 R15: 0000000000000000
[   27.299110] 
[   27.300710] Allocated by task 3669:
[   27.304311]  save_stack+0x43/0xd0
[   27.307734]  kasan_kmalloc+0xad/0xe0
[   27.311414]  __kmalloc_node+0x47/0x70
[   27.315185]  kvmalloc_node+0x99/0xd0
[   27.318867]  xt_alloc_table_info+0x64/0xe0
[   27.323071]  do_ipt_set_ctl+0x29b/0x5f0
[   27.327021]  nf_setsockopt+0x67/0xc0
[   27.330713]  ip_setsockopt+0xa1/0xb0
[   27.334401]  sctp_setsockopt+0x2b6/0x61d0
[   27.338519]  sock_common_setsockopt+0x95/0xd0
[   27.342985]  SyS_setsockopt+0x189/0x360
[   27.346932]  entry_SYSCALL_64_fastpath+0x29/0xa0
[   27.351652] 
[   27.353249] Freed by task 2125:
[   27.356503]  save_stack+0x43/0xd0
[   27.359929]  kasan_slab_free+0x71/0xc0
[   27.363784]  kfree+0xd6/0x260
[   27.366859]  free_pipe_info+0x1f8/0x2a0
[   27.370800]  put_pipe_info+0xb0/0xd0
[   27.374480]  pipe_release+0x1af/0x250
[   27.378247]  __fput+0x327/0x7e0
[   27.381496]  ____fput+0x15/0x20
[   27.384755]  task_work_run+0x199/0x270
[   27.388618]  exit_to_usermode_loop+0x296/0x310
[   27.393171]  syscall_return_slowpath+0x490/0x550
[   27.397898]  entry_SYSCALL_64_fastpath+0x9e/0xa0
[   27.402618] 
[   27.404217] The buggy address belongs to the object at ffff8801d80a5240
[   27.404217]  which belongs to the cache kmalloc-1024 of size 1024
[   27.417018] The buggy address is located 824 bytes inside of
[   27.417018]  1024-byte region [ffff8801d80a5240, ffff8801d80a5640)
[   27.428950] The buggy address belongs to the page:
[   27.433854] page:ffffea0007602900 count:1 mapcount:0 mapping:ffff8801d80a4040 index:0x0 compound_mapcount: 0
[   27.443789] flags: 0x2fffc0000008100(slab|head)
[   27.448428] raw: 02fffc0000008100 ffff8801d80a4040 0000000000000000 0000000100000007
[   27.456278] raw: ffffea00076028a0 ffffea00075f0b20 ffff8801dac00ac0 0000000000000000
[   27.464126] page dumped because: kasan: bad access detected
[   27.469803] 
[   27.471398] Memory state around the buggy address:
[   27.476294]  ffff8801d80a5400: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   27.483620]  ffff8801d80a5480: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   27.490951] >ffff8801d80a5500: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 fc
[   27.498284]                                                                 ^
[   27.505525]  ffff8801d80a5580: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   27.512851]  ffff8801d80a5600: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   27.520181] ==================================================================
[   27.527508] Disabling lock debugging due to kernel taint
[   27.533038] Kernel panic - not syncing: panic_on_warn set ...
[   27.533038] 
[   27.540388] CPU: 0 PID: 3669 Comm: syzkaller896978 Tainted: G    B            4.15.0-rc9+ #212
[   27.549117] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   27.558442] Call Trace:
[   27.561006]  dump_stack+0x194/0x257
[   27.564610]  ? arch_local_irq_restore+0x53/0x53
[   27.569247]  ? kasan_end_report+0x32/0x50
[   27.573366]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[   27.578091]  ? vsnprintf+0x1ed/0x1900
[   27.581861]  ? clusterip_tg_check+0x1440/0x1570
[   27.586499]  panic+0x1e4/0x41c
[   27.589662]  ? refcount_error_report+0x214/0x214
[   27.594388]  ? add_taint+0x1c/0x50
[   27.597896]  ? add_taint+0x1c/0x50
[   27.601406]  ? clusterip_tg_check+0x150f/0x1570
[   27.606042]  kasan_end_report+0x50/0x50
[   27.609987]  kasan_report+0x144/0x340
[   27.613767]  __asan_report_load2_noabort+0x14/0x20
[   27.618665]  clusterip_tg_check+0x150f/0x1570
[   27.623133]  ? arp_mangle+0x550/0x550
[   27.626907]  ? xt_find_target+0x150/0x1e0
[   27.631028]  ? lock_downgrade+0x980/0x980
[   27.635154]  ? nf_connlabels_get+0x62/0x80
[   27.639367]  ? lock_release+0xa40/0xa40
[   27.643309]  ? ipv4_conntrack_in+0x90/0x90
[   27.647523]  ? __mutex_unlock_slowpath+0xe9/0xac0
[   27.652341]  ? wait_for_completion+0x770/0x770
[   27.656892]  ? nf_connlabels_get+0x67/0x80
[   27.661097]  ? arp_mangle+0x550/0x550
[   27.664867]  xt_check_target+0x22c/0x7d0
[   27.668902]  ? xt_target_seq_next+0x30/0x30
[   27.673193]  ? mutex_unlock+0xd/0x10
[   27.676876]  ? mutex_unlock+0xd/0x10
[   27.680557]  ? xt_find_target+0x17b/0x1e0
[   27.684679]  find_check_entry.isra.8+0x8c8/0xcb0
[   27.689409]  ? ipt_do_table+0x1860/0x1860
[   27.693530]  ? mark_held_locks+0xaf/0x100
[   27.697646]  ? kfree+0xf0/0x260
[   27.700896]  ? trace_hardirqs_on+0xd/0x10
[   27.705024]  translate_table+0xed1/0x1610
[   27.709152]  ? alloc_counters.isra.11+0x7d0/0x7d0
[   27.714137]  ? kasan_check_write+0x14/0x20
[   27.718340]  ? _copy_from_user+0x99/0x110
[   27.722459]  do_ipt_set_ctl+0x370/0x5f0
[   27.726403]  ? translate_compat_table+0x1b90/0x1b90
[   27.731392]  ? mutex_unlock+0xd/0x10
[   27.735075]  ? nf_sockopt_find.constprop.0+0x1a7/0x220
[   27.740320]  nf_setsockopt+0x67/0xc0
[   27.744006]  ip_setsockopt+0xa1/0xb0
[   27.747695]  sctp_setsockopt+0x2b6/0x61d0
[   27.751820]  ? sctp_setsockopt_paddr_thresholds+0x550/0x550
[   27.757501]  ? __lock_is_held+0xb6/0x140
[   27.761538]  ? check_noncircular+0x20/0x20
[   27.765743]  ? lru_cache_add+0x1c7/0x3a0
[   27.769773]  ? get_mem_cgroup_from_mm+0x710/0x710
[   27.774589]  ? lru_cache_add_file+0x20/0x20
[   27.778879]  ? __mem_cgroup_threshold+0x8f0/0x8f0
[   27.783693]  ? mark_held_locks+0xaf/0x100
[   27.787812]  ? find_held_lock+0x35/0x1d0
[   27.791841]  ? check_noncircular+0x20/0x20
[   27.796045]  ? __handle_mm_fault+0x2747/0x3ce0
[   27.800595]  ? lock_downgrade+0x980/0x980
[   27.804713]  ? lock_release+0xa40/0xa40
[   27.808662]  ? find_held_lock+0x35/0x1d0
[   27.812699]  ? avc_has_perm+0x35e/0x680
[   27.816642]  ? lock_downgrade+0x980/0x980
[   27.820760]  ? lock_release+0xa40/0xa40
[   27.824700]  ? check_noncircular+0x20/0x20
[   27.828902]  ? __pmd_alloc+0x4e0/0x4e0
[   27.832763]  ? find_held_lock+0x35/0x1d0
[   27.836794]  ? avc_has_perm+0x43e/0x680
[   27.840738]  ? avc_has_perm_noaudit+0x520/0x520
[   27.845381]  ? __do_page_fault+0x5f7/0xc90
[   27.849586]  ? lock_downgrade+0x980/0x980
[   27.853705]  ? handle_mm_fault+0x410/0x8d0
[   27.857909]  ? down_read_trylock+0xdb/0x170
[   27.862204]  ? __do_page_fault+0x32d/0xc90
[   27.866406]  ? __handle_mm_fault+0x3ce0/0x3ce0
[   27.870956]  ? vmacache_find+0x5f/0x280
[   27.874900]  ? sock_has_perm+0x2a4/0x420
[   27.878936]  ? selinux_secmark_relabel_packet+0xc0/0xc0
[   27.884268]  ? __do_page_fault+0x3d6/0xc90
[   27.888478]  ? selinux_netlbl_socket_setsockopt+0x10c/0x460
[   27.894158]  ? selinux_netlbl_sock_rcv_skb+0x730/0x730
[   27.899412]  sock_common_setsockopt+0x95/0xd0
[   27.903877]  SyS_setsockopt+0x189/0x360
[   27.907821]  ? SyS_recv+0x40/0x40
[   27.911252]  ? entry_SYSCALL_64_fastpath+0x5/0xa0
[   27.916066]  ? trace_hardirqs_on_caller+0x421/0x5c0
[   27.921054]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[   27.925785]  entry_SYSCALL_64_fastpath+0x29/0xa0
[   27.930509] RIP: 0033:0x445ff9
[   27.933668] RSP: 002b:00007fffb6cf2ab8 EFLAGS: 00000207 ORIG_RAX: 0000000000000036
[   27.941347] RAX: ffffffffffffffda RBX: ffffffffffffffff RCX: 0000000000445ff9
[   27.948592] RDX: 0000000000000040 RSI: 0000000000000000 RDI: 0000000000000004
[   27.955832] RBP: 00007fffb6cf2bf8 R08: 0000000000000358 R09: 0000000000000000
[   27.963078] R10: 0000000020016ca8 R11: 0000000000000207 R12: 00007fffb6cf2bf8
[   27.970318] R13: 00000000004034c0 R14: 0000000000000000 R15: 0000000000000000
[   27.978077] Dumping ftrace buffer:
[   27.981587]    (ftrace buffer empty)
[   27.985267] Kernel Offset: disabled
[   27.988865] Rebooting in 86400 seconds..