[ ok ] Starting enhanced syslogd: rsyslogd.
[ 10.643248] audit: type=1400 audit(1514740747.801:4): avc: denied { syslog } for pid=3183 comm="rsyslogd" capability=34 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=capability2 permissive=1
[ ok ] Starting periodic command scheduler: cron.
Starting mcstransd:
[ ok ] Starting file context maintaining daemon: restorecond.
[ ok ] Starting OpenBSD Secure Shell server: sshd.

Debian GNU/Linux 7 syzkaller ttyS0

Warning: Permanently added '10.128.0.31' (ECDSA) to the list of known hosts.
executing program
syzkaller login: [ 19.413874] device syz0 entered promiscuous mode
[ 19.465272] ==================================================================
[ 19.472647] BUG: KASAN: slab-out-of-bounds in __dev_queue_xmit+0x1db6/0x1e60
[ 19.479808] Read of size 2 at addr ffff8801c7db4d60 by task syzkaller947126/3331
[ 19.487306]
[ 19.488901] CPU: 1 PID: 3331 Comm: syzkaller947126 Not tainted 4.9.73-gf3f3457 #1
[ 19.496482] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 19.505802] ffff8801c7fc76f0 ffffffff81d922b9 ffffea00071f6d00 ffff8801c7db4d60
[ 19.513746] 0000000000000000 ffff8801c7db4d60 0000000000000005 ffff8801c7fc7728
[ 19.521694] ffffffff8153bab3 ffff8801c7db4d60 0000000000000002 0000000000000000
[ 19.529652] Call Trace:
[ 19.532208] [] dump_stack+0xc1/0x128
[ 19.537538] [] print_address_description+0x73/0x280
[ 19.544167] [] kasan_report+0x275/0x360
[ 19.549758] [] ? __dev_queue_xmit+0x1db6/0x1e60
[ 19.556043] [] __asan_report_load2_noabort+0x14/0x20
[ 19.562763] [] __dev_queue_xmit+0x1db6/0x1e60
[ 19.568878] [] ? __dev_queue_xmit+0x1d4/0x1e60
[ 19.575074] [] ? 0xffffffff810002b8
[ 19.580317] [] ? netdev_pick_tx+0x300/0x300
[ 19.586262] [] ? check_preemption_disabled+0x3b/0x200
[ 19.593067] [] ? tun_select_queue+0x30a/0x480
[ 19.599184] [] ? tun_select_queue+0x331/0x480
[ 19.605299] [] ? tun_chr_read_iter+0x1f0/0x1f0
[ 19.611495] [] ? tun_chr_read_iter+0x1f0/0x1f0
[ 19.617692] [] dev_queue_xmit+0x17/0x20
[ 19.623283] [] packet_sendmsg+0x2ccc/0x4760
[ 19.629221] [] ? avc_has_perm+0x2fd/0x4f0
[ 19.634990] [] ? avc_has_perm+0xb0/0x4f0
[ 19.640671] [] ? avc_has_perm_noaudit+0x450/0x450
[ 19.647138] [] ? assoc_array_gc+0x1241/0x1300
[ 19.653857] [] ? packet_cached_dev_get+0x200/0x200
[ 19.660408] [] ? sock_has_perm+0x292/0x3e0
[ 19.666257] [] ? sock_has_perm+0x9f/0x3e0
[ 19.672020] [] ? selinux_file_send_sigiotask+0x310/0x310
[ 19.679088] [] ? mark_held_locks+0xaf/0x100
[ 19.685033] [] ? selinux_socket_sendmsg+0x3f/0x50
[ 19.691495] [] ? security_socket_sendmsg+0x89/0xb0
[ 19.698042] [] ? packet_cached_dev_get+0x200/0x200
[ 19.704585] [] sock_sendmsg+0xca/0x110
[ 19.710106] [] sock_write_iter+0x226/0x3b0
[ 19.715955] [] ? avc_has_perm_noaudit+0x450/0x450
[ 19.722410] [] ? sock_sendmsg+0x110/0x110
[ 19.728180] [] ? handle_mm_fault+0xb12/0x2530
[ 19.734294] [] ? iov_iter_init+0xaf/0x1d0
[ 19.740063] [] __vfs_write+0x4bf/0x680
[ 19.745565] [] ? do_iter_readv_writev+0x400/0x400
[ 19.752025] [] ? selinux_file_permission+0x82/0x460
[ 19.758661] [] ? rw_verify_area+0xe5/0x2b0
[ 19.764510] [] vfs_write+0x189/0x530
[ 19.769838] [] SyS_write+0xd9/0x1b0
[ 19.775081] [] ? SyS_read+0x1b0/0x1b0
[ 19.780497] [] ? trace_hardirqs_on_caller+0x38b/0x590
[ 19.787301] [] ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 19.793852] [] entry_SYSCALL_64_fastpath+0x23/0xc6
[ 19.800395]
[ 19.801988] Allocated by task 3331:
[ 19.805587] save_stack_trace+0x16/0x20
[ 19.809531] save_stack+0x43/0xd0
[ 19.812947] kasan_kmalloc+0xad/0xe0
[ 19.816626] kasan_slab_alloc+0x12/0x20
[ 19.820563] __kmalloc_track_caller+0xda/0x2b0
[ 19.825113] __kmalloc_reserve.isra.37+0x33/0xc0
[ 19.829847] __alloc_skb+0x119/0x600
[ 19.833524] alloc_skb_with_frags+0xac/0x4f0
[ 19.837895] sock_alloc_send_pskb+0x5ad/0x740
[ 19.842363] packet_sendmsg+0x18a1/0x4760
[ 19.846481] sock_sendmsg+0xca/0x110
[ 19.850162] sock_write_iter+0x226/0x3b0
[ 19.854190] __vfs_write+0x4bf/0x680
[ 19.857869] vfs_write+0x189/0x530
[ 19.861375] SyS_write+0xd9/0x1b0
[ 19.864794] entry_SYSCALL_64_fastpath+0x23/0xc6
[ 19.869509]
[ 19.871101] Freed by task 0:
[ 19.874089] (stack is not available)
[ 19.877765]
[ 19.879358] The buggy address belongs to the object at ffff8801c7db4900
[ 19.879358]  which belongs to the cache kmalloc-1024 of size 1024
[ 19.892154] The buggy address is located 96 bytes to the right of
[ 19.892154]  1024-byte region [ffff8801c7db4900, ffff8801c7db4d00)
[ 19.904512] The buggy address belongs to the page:
[ 19.909410] page:ffffea00071f6d00 count:1 mapcount:0 mapping: (null) index:0x0 compound_mapcount: 0
[ 19.919559] flags: 0x8000000000004080(slab|head)
[ 19.924283] page dumped because: kasan: bad access detected
[ 19.929954]
[ 19.931554] Memory state around the buggy address:
[ 19.936454]  ffff8801c7db4c00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 19.943777]  ffff8801c7db4c80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 19.951101] >ffff8801c7db4d00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 19.958423]                                                        ^
[ 19.964878]  ffff8801c7db4d80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 19.972201]  ffff8801c7db4e00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 19.979525] ==================================================================
[ 19.986849] Disabling lock debugging due to kernel taint
[ 19.992295] Kernel panic - not syncing: panic_on_warn set ...
[ 19.992295]
[ 19.999639] CPU: 1 PID: 3331 Comm: syzkaller947126 Tainted: G B 4.9.73-gf3f3457 #1
[ 20.008449] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 20.017771] ffff8801c7fc7648 ffffffff81d922b9 ffffffff841955bf ffff8801c7fc7720
[ 20.025726] 0000000000000000 ffff8801c7db4d60 0000000000000005 ffff8801c7fc7710
[ 20.033679] ffffffff8142d741 0000000041b58ab3 ffffffff84189000 ffffffff8142d585
[ 20.041632] Call Trace:
[ 20.044188] [] dump_stack+0xc1/0x128
[ 20.049524] [] panic+0x1bc/0x3a8
[ 20.054505] [] ? percpu_up_read_preempt_enable.constprop.53+0xd7/0xd7
[ 20.062705] [] kasan_end_report+0x50/0x50
[ 20.068465] [] kasan_report+0x167/0x360
[ 20.074061] [] ? __dev_queue_xmit+0x1db6/0x1e60
[ 20.080346] [] __asan_report_load2_noabort+0x14/0x20
[ 20.087072] [] __dev_queue_xmit+0x1db6/0x1e60
[ 20.093182] [] ? __dev_queue_xmit+0x1d4/0x1e60
[ 20.099377] [] ? 0xffffffff810002b8
[ 20.104618] [] ? netdev_pick_tx+0x300/0x300
[ 20.110565] [] ? check_preemption_disabled+0x3b/0x200
[ 20.117371] [] ? tun_select_queue+0x30a/0x480
[ 20.123478] [] ? tun_select_queue+0x331/0x480
[ 20.129590] [] ? tun_chr_read_iter+0x1f0/0x1f0
[ 20.135788] [] ? tun_chr_read_iter+0x1f0/0x1f0
[ 20.141984] [] dev_queue_xmit+0x17/0x20
[ 20.147573] [] packet_sendmsg+0x2ccc/0x4760
[ 20.153512] [] ? avc_has_perm+0x2fd/0x4f0
[ 20.159283] [] ? avc_has_perm+0xb0/0x4f0
[ 20.164975] [] ? avc_has_perm_noaudit+0x450/0x450
[ 20.171431] [] ? assoc_array_gc+0x1241/0x1300
[ 20.177544] [] ? packet_cached_dev_get+0x200/0x200
[ 20.184093] [] ? sock_has_perm+0x292/0x3e0
[ 20.189943] [] ? sock_has_perm+0x9f/0x3e0
[ 20.195705] [] ? selinux_file_send_sigiotask+0x310/0x310
[ 20.202770] [] ? mark_held_locks+0xaf/0x100
[ 20.208707] [] ? selinux_socket_sendmsg+0x3f/0x50
[ 20.215165] [] ? security_socket_sendmsg+0x89/0xb0
[ 20.221711] [] ? packet_cached_dev_get+0x200/0x200
[ 20.228254] [] sock_sendmsg+0xca/0x110
[ 20.233757] [] sock_write_iter+0x226/0x3b0
[ 20.239607] [] ? avc_has_perm_noaudit+0x450/0x450
[ 20.246064] [] ? sock_sendmsg+0x110/0x110
[ 20.251828] [] ? handle_mm_fault+0xb12/0x2530
[ 20.257940] [] ? iov_iter_init+0xaf/0x1d0
[ 20.263702] [] __vfs_write+0x4bf/0x680
[ 20.269204] [] ? do_iter_readv_writev+0x400/0x400
[ 20.275667] [] ? selinux_file_permission+0x82/0x460
[ 20.282296] [] ? rw_verify_area+0xe5/0x2b0
[ 20.288148] [] vfs_write+0x189/0x530
[ 20.293474] [] SyS_write+0xd9/0x1b0
[ 20.298716] [] ? SyS_read+0x1b0/0x1b0
[ 20.304141] [] ? trace_hardirqs_on_caller+0x38b/0x590
[ 20.310952] [] ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 20.317497] [] entry_SYSCALL_64_fastpath+0x23/0xc6
[ 20.324488] Dumping ftrace buffer:
[ 20.327994] (ftrace buffer empty)
[ 20.331671] Kernel Offset: disabled
[ 20.335265] Rebooting in 86400 seconds..