[....] Starting enhanced syslogd: rsyslogd[ 12.035726] audit: type=1400 audit(1515912349.263:5): avc: denied { syslog } for pid=3492 comm="rsyslogd" capability=34 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=capability2 permissive=1 [ ok ]. [....] Starting periodic command scheduler: cron[ ok ]. Starting mcstransd: [....] Starting file context maintaining daemon: restorecond[ ok ]. [....] Starting OpenBSD Secure Shell server: sshd[ ok ]. Debian GNU/Linux 7 syzkaller ttyS0 syzkaller login: [ 19.222408] audit: type=1400 audit(1515912356.450:6): avc: denied { map } for pid=3632 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1 Warning: Permanently added '10.128.0.43' (ECDSA) to the list of known hosts. executing program [ 25.478826] audit: type=1400 audit(1515912362.706:7): avc: denied { map } for pid=3646 comm="syzkaller836552" path="/root/syzkaller836552053" dev="sda1" ino=16481 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1 [ 25.480374] syzkaller836552 uses obsolete (PF_INET,SOCK_PACKET) [ 25.481842] device lo entered promiscuous mode [ 25.485394] ================================================================== [ 25.485416] BUG: KASAN: slab-out-of-bounds in ip6_xmit+0x2048/0x2090 [ 25.485422] Read of size 8 at addr ffff8801bce39fd8 by task syzkaller836552/3646 [ 25.485424] [ 25.485431] CPU: 1 PID: 3646 Comm: syzkaller836552 Not tainted 4.15.0-rc7+ #261 [ 25.485436] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 25.485438] Call Trace: [ 25.485450] dump_stack+0x194/0x257 [ 25.485464] ? arch_local_irq_restore+0x53/0x53 [ 25.485473] ? show_regs_print_info+0x18/0x18 [ 25.485491] ? 
ip6_xmit+0x2048/0x2090 [ 25.485502] print_address_description+0x73/0x250 [ 25.485511] ? ip6_xmit+0x2048/0x2090 [ 25.485521] kasan_report+0x25b/0x340 [ 25.485536] __asan_report_load8_noabort+0x14/0x20 [ 25.485543] ip6_xmit+0x2048/0x2090 [ 25.485572] ? ip6_finish_output2+0x23a0/0x23a0 [ 25.485586] ? fl6_update_dst+0x127/0x2b0 [ 25.485597] ? check_noncircular+0x20/0x20 [ 25.485606] ? inet6_csk_route_socket+0x691/0xe80 [ 25.485621] ? lock_acquire+0x1d5/0x580 [ 25.485626] ? lock_acquire+0x1d5/0x580 [ 25.485633] ? inet6_csk_xmit+0x114/0x580 [ 25.485651] ? lock_release+0xa40/0xa40 [ 25.485665] ? __lock_is_held+0xb6/0x140 [ 25.485692] inet6_csk_xmit+0x2fc/0x580 [ 25.485703] ? inet6_csk_update_pmtu+0x160/0x160 [ 25.485716] ? rt_cpu_seq_show+0x2c0/0x2c0 [ 25.485726] ? refcount_add_not_zero+0x133/0x200 [ 25.485761] tcp_transmit_skb+0x1b1b/0x38c0 [ 25.485792] ? __tcp_select_window+0x900/0x900 [ 25.485810] ? tcp_fastopen_cookie_check+0x50f/0x8c0 [ 25.485822] ? tcp_try_fastopen+0x1b50/0x1b50 [ 25.485836] ? check_noncircular+0x20/0x20 [ 25.485864] ? pvclock_read_flags+0x160/0x160 [ 25.485876] ? tcp_init_transfer+0x390/0x390 [ 25.485898] ? tcp_rbtree_insert+0x135/0x190 [ 25.485915] tcp_connect+0x1e79/0x3fb0 [ 25.485944] ? tcp_push_one+0x100/0x100 [ 25.485951] ? lock_downgrade+0x8e7/0x980 [ 25.485974] ? pvclock_read_flags+0x160/0x160 [ 25.485982] ? mark_held_locks+0xaf/0x100 [ 25.485989] ? ip_route_output_key_hash+0x229/0x370 [ 25.485999] ? ktime_get_with_offset+0x188/0x420 [ 25.486020] ? kvm_clock_get_cycles+0x25/0x30 [ 25.486028] ? ktime_get_with_offset+0x2c1/0x420 [ 25.486044] ? do_gettimeofday+0x190/0x190 [ 25.486052] ? rcu_read_lock_sched_held+0x108/0x120 [ 25.486070] ? tcp_fastopen_defer_connect+0x163/0x4a0 [ 25.486081] ? tcp_fastopen_cookie_check+0x8c0/0x8c0 [ 25.486087] ? siphash_1u64+0x18/0x270 [ 25.486123] tcp_v4_connect+0x15f5/0x1e80 [ 25.486130] ? __sys_sendmmsg+0x1ee/0x620 [ 25.486159] ? tcp_v4_inbound_md5_hash+0x510/0x510 [ 25.486170] ? 
__lock_is_held+0xb6/0x140 [ 25.486189] __inet_stream_connect+0x2d4/0xf00 [ 25.486208] ? inet_bind+0x910/0x910 [ 25.486234] ? tcp_sendmsg_locked+0x247d/0x3b60 [ 25.486242] ? rcu_read_lock_sched_held+0x108/0x120 [ 25.486250] ? kmem_cache_alloc_trace+0x456/0x750 [ 25.486261] ? mark_held_locks+0xaf/0x100 [ 25.486280] tcp_sendmsg_locked+0x280e/0x3b60 [ 25.486299] ? avc_has_perm+0x35e/0x680 [ 25.486309] ? lock_downgrade+0x980/0x980 [ 25.486323] ? lock_release+0xa40/0xa40 [ 25.486346] ? tcp_sendpage+0x60/0x60 [ 25.486378] ? print_irqtrace_events+0x270/0x270 [ 25.486384] ? find_held_lock+0x35/0x1d0 [ 25.486404] ? lock_acquire+0x1d5/0x580 [ 25.486410] ? lock_acquire+0x1d5/0x580 [ 25.486416] ? tcp_sendmsg+0x21/0x50 [ 25.486441] ? mark_held_locks+0xaf/0x100 [ 25.486448] ? do_raw_spin_trylock+0x190/0x190 [ 25.486458] ? __local_bh_enable_ip+0x121/0x230 [ 25.486470] ? trace_hardirqs_on_caller+0x421/0x5c0 [ 25.486477] ? lock_sock_nested+0x91/0x110 [ 25.486484] ? trace_hardirqs_on+0xd/0x10 [ 25.486492] ? __local_bh_enable_ip+0x121/0x230 [ 25.486510] tcp_sendmsg+0x2f/0x50 [ 25.486521] inet_sendmsg+0x11f/0x5e0 [ 25.486527] ? copy_msghdr_from_user+0x3a6/0x590 [ 25.486538] ? inet_recvmsg+0x5f0/0x5f0 [ 25.486549] ? selinux_socket_sendmsg+0x36/0x40 [ 25.486558] ? security_socket_sendmsg+0x89/0xb0 [ 25.486565] ? inet_recvmsg+0x5f0/0x5f0 [ 25.486576] sock_sendmsg+0xca/0x110 [ 25.486588] ___sys_sendmsg+0x320/0x8b0 [ 25.486603] ? copy_msghdr_from_user+0x590/0x590 [ 25.486612] ? __pmd_alloc+0x4e0/0x4e0 [ 25.486621] ? __local_bh_enable_ip+0x121/0x230 [ 25.486637] ? find_held_lock+0x35/0x1d0 [ 25.486658] ? __fget_light+0x297/0x380 [ 25.486669] ? fget_raw+0x20/0x20 [ 25.486674] ? find_held_lock+0x35/0x1d0 [ 25.486694] ? __do_page_fault+0x5f7/0xc90 [ 25.486704] ? lock_downgrade+0x980/0x980 [ 25.486737] __sys_sendmmsg+0x1ee/0x620 [ 25.486744] ? __sys_sendmmsg+0x1ee/0x620 [ 25.486765] ? SyS_sendmsg+0x50/0x50 [ 25.486781] ? mm_fault_error+0x2c0/0x2c0 [ 25.486812] ? 
__do_page_fault+0xc90/0xc90 [ 25.486826] ? SyS_setsockopt+0x215/0x360 [ 25.486840] ? SyS_recv+0x40/0x40 [ 25.486856] ? trace_hardirqs_on_caller+0x421/0x5c0 [ 25.486872] SyS_sendmmsg+0x35/0x60 [ 25.486885] entry_SYSCALL_64_fastpath+0x23/0x9a [ 25.486891] RIP: 0033:0x43fdd9 [ 25.486896] RSP: 002b:00007ffd67555e68 EFLAGS: 00000217 ORIG_RAX: 0000000000000133 [ 25.486903] RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 000000000043fdd9 [ 25.486907] RDX: 0000000000000001 RSI: 00000000205f8fc8 RDI: 0000000000000004 [ 25.486911] RBP: 00000000006ca018 R08: 0000000000000000 R09: 0000000000000000 [ 25.486915] R10: 0000000020000000 R11: 0000000000000217 R12: 0000000000401740 [ 25.486919] R13: 00000000004017d0 R14: 0000000000000000 R15: 0000000000000000 [ 25.486947] [ 25.486951] Allocated by task 3646: [ 25.486957] save_stack+0x43/0xd0 [ 25.486963] kasan_kmalloc+0xad/0xe0 [ 25.486968] kasan_slab_alloc+0x12/0x20 [ 25.486973] kmem_cache_alloc+0x12e/0x760 [ 25.486979] dst_alloc+0x11f/0x1a0 [ 25.486984] rt_dst_alloc+0xe9/0x540 [ 25.486990] ip_route_output_key_hash_rcu+0xa40/0x2c40 [ 25.486996] ip_route_output_key_hash+0x20b/0x370 [ 25.487002] ip_route_output_flow+0x26/0xa0 [ 25.487008] tcp_v4_connect+0x77b/0x1e80 [ 25.487013] __inet_stream_connect+0x2d4/0xf00 [ 25.487018] tcp_sendmsg_locked+0x280e/0x3b60 [ 25.487023] tcp_sendmsg+0x2f/0x50 [ 25.487028] inet_sendmsg+0x11f/0x5e0 [ 25.487033] sock_sendmsg+0xca/0x110 [ 25.487038] ___sys_sendmsg+0x320/0x8b0 [ 25.487043] __sys_sendmmsg+0x1ee/0x620 [ 25.487048] SyS_sendmmsg+0x35/0x60 [ 25.487055] entry_SYSCALL_64_fastpath+0x23/0x9a [ 25.487057] [ 25.487059] Freed by task 0: [ 25.487061] (stack is not available) [ 25.487063] [ 25.487068] The buggy address belongs to the object at ffff8801bce39e80 [ 25.487068] which belongs to the cache ip_dst_cache of size 216 [ 25.487074] The buggy address is located 128 bytes to the right of [ 25.487074] 216-byte region [ffff8801bce39e80, ffff8801bce39f58) [ 25.487076] The buggy address belongs to the 
page: [ 25.487081] page:ffffea0006f38e40 count:1 mapcount:0 mapping:ffff8801bce390c0 index:0x0 [ 25.487087] flags: 0x2fffc0000000100(slab) [ 25.487096] raw: 02fffc0000000100 ffff8801bce390c0 0000000000000000 000000010000000c [ 25.487104] raw: ffffea0007110160 ffff8801d6f87d48 ffff8801d6f86980 0000000000000000 [ 25.487107] page dumped because: kasan: bad access detected [ 25.487108] [ 25.487111] Memory state around the buggy address: [ 25.487116] ffff8801bce39e80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 25.487121] ffff8801bce39f00: 00 00 00 00 00 00 00 00 00 00 00 fc fc fc fc fc [ 25.487126] >ffff8801bce39f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 25.487129] ^ [ 25.487134] ffff8801bce3a000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 25.487139] ffff8801bce3a080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 25.487141] ================================================================== [ 25.487143] Disabling lock debugging due to kernel taint [ 25.487160] Kernel panic - not syncing: panic_on_warn set ... [ 25.487160] [ 25.487166] CPU: 1 PID: 3646 Comm: syzkaller836552 Tainted: G B 4.15.0-rc7+ #261 [ 25.487170] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 25.487171] Call Trace: [ 25.487178] dump_stack+0x194/0x257 [ 25.487188] ? arch_local_irq_restore+0x53/0x53 [ 25.487193] ? kasan_end_report+0x32/0x50 [ 25.487202] ? trace_hardirqs_on_thunk+0x1a/0x1c [ 25.487214] ? vsnprintf+0x1ed/0x1900 [ 25.487222] ? ip6_xmit+0x2030/0x2090 [ 25.487228] panic+0x1e4/0x41c [ 25.487235] ? refcount_error_report+0x214/0x214 [ 25.487245] ? add_taint+0x1c/0x50 [ 25.487251] ? add_taint+0x1c/0x50 [ 25.487260] ? ip6_xmit+0x2048/0x2090 [ 25.487267] kasan_end_report+0x50/0x50 [ 25.487274] kasan_report+0x144/0x340 [ 25.487284] __asan_report_load8_noabort+0x14/0x20 [ 25.487290] ip6_xmit+0x2048/0x2090 [ 25.487307] ? ip6_finish_output2+0x23a0/0x23a0 [ 25.487316] ? fl6_update_dst+0x127/0x2b0 [ 25.487323] ? 
check_noncircular+0x20/0x20 [ 25.487330] ? inet6_csk_route_socket+0x691/0xe80 [ 25.487340] ? lock_acquire+0x1d5/0x580 [ 25.487345] ? lock_acquire+0x1d5/0x580 [ 25.487351] ? inet6_csk_xmit+0x114/0x580 [ 25.487362] ? lock_release+0xa40/0xa40 [ 25.487371] ? __lock_is_held+0xb6/0x140 [ 25.487387] inet6_csk_xmit+0x2fc/0x580 [ 25.487395] ? inet6_csk_update_pmtu+0x160/0x160 [ 25.487403] ? rt_cpu_seq_show+0x2c0/0x2c0 [ 25.487410] ? refcount_add_not_zero+0x133/0x200 [ 25.487430] tcp_transmit_skb+0x1b1b/0x38c0 [ 25.487448] ? __tcp_select_window+0x900/0x900 [ 25.487459] ? tcp_fastopen_cookie_check+0x50f/0x8c0 [ 25.487468] ? tcp_try_fastopen+0x1b50/0x1b50 [ 25.487477] ? check_noncircular+0x20/0x20 [ 25.487493] ? pvclock_read_flags+0x160/0x160 [ 25.487501] ? tcp_init_transfer+0x390/0x390 [ 25.487515] ? tcp_rbtree_insert+0x135/0x190 [ 25.487525] tcp_connect+0x1e79/0x3fb0 [ 25.487542] ? tcp_push_one+0x100/0x100 [ 25.487548] ? lock_downgrade+0x8e7/0x980 [ 25.487561] ? pvclock_read_flags+0x160/0x160 [ 25.487568] ? mark_held_locks+0xaf/0x100 [ 25.487574] ? ip_route_output_key_hash+0x229/0x370 [ 25.487581] ? ktime_get_with_offset+0x188/0x420 [ 25.487592] ? kvm_clock_get_cycles+0x25/0x30 [ 25.487599] ? ktime_get_with_offset+0x2c1/0x420 [ 25.487609] ? do_gettimeofday+0x190/0x190 [ 25.487616] ? rcu_read_lock_sched_held+0x108/0x120 [ 25.487626] ? tcp_fastopen_defer_connect+0x163/0x4a0 [ 25.487635] ? tcp_fastopen_cookie_check+0x8c0/0x8c0 [ 25.487639] ? siphash_1u64+0x18/0x270 [ 25.487660] tcp_v4_connect+0x15f5/0x1e80 [ 25.487665] ? __sys_sendmmsg+0x1ee/0x620 [ 25.487682] ? tcp_v4_inbound_md5_hash+0x510/0x510 [ 25.487690] ? __lock_is_held+0xb6/0x140 [ 25.487701] __inet_stream_connect+0x2d4/0xf00 [ 25.487713] ? inet_bind+0x910/0x910 [ 25.487726] ? tcp_sendmsg_locked+0x247d/0x3b60 [ 25.487732] ? rcu_read_lock_sched_held+0x108/0x120 [ 25.487738] ? kmem_cache_alloc_trace+0x456/0x750 [ 25.487746] ? mark_held_locks+0xaf/0x100 [ 25.487758] tcp_sendmsg_locked+0x280e/0x3b60 [ 25.487769] ? 
avc_has_perm+0x35e/0x680 [ 25.487776] ? lock_downgrade+0x980/0x980 [ 25.487785] ? lock_release+0xa40/0xa40 [ 25.487798] ? tcp_sendpage+0x60/0x60 [ 25.487817] ? print_irqtrace_events+0x270/0x270 [ 25.487822] ? find_held_lock+0x35/0x1d0 [ 25.487834] ? lock_acquire+0x1d5/0x580 [ 25.487839] ? lock_acquire+0x1d5/0x580 [ 25.487845] ? tcp_sendmsg+0x21/0x50 [ 25.487859] ? mark_held_locks+0xaf/0x100 [ 25.487865] ? do_raw_spin_trylock+0x190/0x190 [ 25.487872] ? __local_bh_enable_ip+0x121/0x230 [ 25.487881] ? trace_hardirqs_on_caller+0x421/0x5c0 [ 25.487887] ? lock_sock_nested+0x91/0x110 [ 25.487893] ? trace_hardirqs_on+0xd/0x10 [ 25.487899] ? __local_bh_enable_ip+0x121/0x230 [ 25.487910] tcp_sendmsg+0x2f/0x50 [ 25.487918] inet_sendmsg+0x11f/0x5e0 [ 25.487923] ? copy_msghdr_from_user+0x3a6/0x590 [ 25.487930] ? inet_recvmsg+0x5f0/0x5f0 [ 25.487938] ? selinux_socket_sendmsg+0x36/0x40 [ 25.487945] ? security_socket_sendmsg+0x89/0xb0 [ 25.487951] ? inet_recvmsg+0x5f0/0x5f0 [ 25.487958] sock_sendmsg+0xca/0x110 [ 25.487966] ___sys_sendmsg+0x320/0x8b0 [ 25.487976] ? copy_msghdr_from_user+0x590/0x590 [ 25.487983] ? __pmd_alloc+0x4e0/0x4e0 [ 25.487990] ? __local_bh_enable_ip+0x121/0x230 [ 25.488000] ? find_held_lock+0x35/0x1d0 [ 25.488015] ? __fget_light+0x297/0x380 [ 25.488023] ? fget_raw+0x20/0x20 [ 25.488028] ? find_held_lock+0x35/0x1d0 [ 25.488041] ? __do_page_fault+0x5f7/0xc90 [ 25.488048] ? lock_downgrade+0x980/0x980 [ 25.488067] __sys_sendmmsg+0x1ee/0x620 [ 25.488072] ? __sys_sendmmsg+0x1ee/0x620 [ 25.488085] ? SyS_sendmsg+0x50/0x50 [ 25.488096] ? mm_fault_error+0x2c0/0x2c0 [ 25.488114] ? __do_page_fault+0xc90/0xc90 [ 25.488124] ? SyS_setsockopt+0x215/0x360 [ 25.488133] ? SyS_recv+0x40/0x40 [ 25.488144] ? 
trace_hardirqs_on_caller+0x421/0x5c0 [ 25.488153] SyS_sendmmsg+0x35/0x60 [ 25.488163] entry_SYSCALL_64_fastpath+0x23/0x9a [ 25.488167] RIP: 0033:0x43fdd9 [ 25.488170] RSP: 002b:00007ffd67555e68 EFLAGS: 00000217 ORIG_RAX: 0000000000000133 [ 25.488176] RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 000000000043fdd9 [ 25.488180] RDX: 0000000000000001 RSI: 00000000205f8fc8 RDI: 0000000000000004 [ 25.488183] RBP: 00000000006ca018 R08: 0000000000000000 R09: 0000000000000000 [ 25.488187] R10: 0000000020000000 R11: 0000000000000217 R12: 0000000000401740 [ 25.488190] R13: 00000000004017d0 R14: 0000000000000000 R15: 0000000000000000 [ 25.505514] Dumping ftrace buffer: [ 25.505518] (ftrace buffer empty) [ 25.505520] Kernel Offset: disabled [ 26.793789] Rebooting in 86400 seconds..