[....] Starting enhanced syslogd: rsyslogd[ 12.844478] audit: type=1400 audit(1515912807.888:5): avc: denied { syslog } for pid=3518 comm="rsyslogd" capability=34 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=capability2 permissive=1 [?25l[?1c7[ ok 8[?25h[?0c. Starting mcstransd: [....] Starting periodic command scheduler: cron[?25l[?1c7[ ok 8[?25h[?0c. [....] Starting file context maintaining daemon: restorecond[?25l[?1c7[ ok 8[?25h[?0c. [....] Starting OpenBSD Secure Shell server: sshd[?25l[?1c7[ ok 8[?25h[?0c. Debian GNU/Linux 7 syzkaller ttyS0 syzkaller login: [ 17.707180] audit: type=1400 audit(1515912812.750:6): avc: denied { map } for pid=3657 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1 Warning: Permanently added '10.128.0.29' (ECDSA) to the list of known hosts. executing program [ 28.765799] audit: type=1400 audit(1515912823.809:7): avc: denied { map } for pid=3672 comm="syzkaller135211" path="/root/syzkaller135211794" dev="sda1" ino=16481 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1 [ 28.767254] syzkaller135211 uses obsolete (PF_INET,SOCK_PACKET) [ 28.768795] device lo entered promiscuous mode [ 28.771823] ================================================================== [ 28.771839] BUG: KASAN: slab-out-of-bounds in ip6_xmit+0x1ce9/0x2090 [ 28.771843] Read of size 8 at addr ffff8801d6730518 by task syzkaller135211/3672 [ 28.771844] [ 28.771849] CPU: 1 PID: 3672 Comm: syzkaller135211 Not tainted 4.15.0-rc7-mm1+ #56 [ 28.771852] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 28.771854] Call Trace: [ 28.771863] dump_stack+0x194/0x257 [ 28.771871] ? arch_local_irq_restore+0x53/0x53 [ 28.771877] ? show_regs_print_info+0x18/0x18 [ 28.771887] ? ip6_xmit+0x1ce9/0x2090 [ 28.771897] print_address_description+0x73/0x250 [ 28.771902] ? ip6_xmit+0x1ce9/0x2090 [ 28.771907] kasan_report+0x23b/0x360 [ 28.771916] __asan_report_load8_noabort+0x14/0x20 [ 28.771920] ip6_xmit+0x1ce9/0x2090 [ 28.771937] ? ip6_finish_output2+0x23a0/0x23a0 [ 28.771947] ? fl6_update_dst+0x127/0x2b0 [ 28.771955] ? check_noncircular+0x20/0x20 [ 28.771960] ? inet6_csk_route_socket+0x691/0xe80 [ 28.771969] ? lock_acquire+0x1d5/0x580 [ 28.771973] ? lock_acquire+0x1d5/0x580 [ 28.771977] ? inet6_csk_xmit+0x114/0x580 [ 28.771982] ? __lock_is_held+0xb6/0x140 [ 28.771991] ? lock_release+0xa40/0xa40 [ 28.771999] ? __lock_is_held+0xb6/0x140 [ 28.772020] inet6_csk_xmit+0x2fc/0x580 [ 28.772027] ? inet6_csk_update_pmtu+0x160/0x160 [ 28.772037] ? rt_cpu_seq_show+0x2c0/0x2c0 [ 28.772045] ? refcount_add_not_zero+0x133/0x200 [ 28.772066] tcp_transmit_skb+0x1b1b/0x38c0 [ 28.772084] ? __tcp_select_window+0x900/0x900 [ 28.772091] ? tcp_fastopen_cache_get+0x449/0x720 [ 28.772099] ? tcp_peer_is_proven+0xc60/0xc60 [ 28.772108] ? __lock_is_held+0xb6/0x140 [ 28.772127] ? tcp_try_fastopen+0x1b50/0x1b50 [ 28.772137] ? tcp_init_transfer+0x3d0/0x3d0 [ 28.772149] ? tcp_rbtree_insert+0x135/0x190 [ 28.772159] tcp_connect+0x1edb/0x4090 [ 28.772176] ? tcp_push_one+0x100/0x100 [ 28.772180] ? lock_downgrade+0x927/0x980 [ 28.772195] ? pvclock_read_flags+0x160/0x160 [ 28.772200] ? mark_held_locks+0xaf/0x100 [ 28.772204] ? ip_route_output_key_hash+0x229/0x370 [ 28.772210] ? ktime_get_with_offset+0x188/0x420 [ 28.772220] ? kvm_clock_get_cycles+0x25/0x30 [ 28.772225] ? ktime_get_with_offset+0x2c1/0x420 [ 28.772235] ? do_gettimeofday+0x190/0x190 [ 28.772248] ? tcp_fastopen_defer_connect+0x163/0x4a0 [ 28.772255] ? tcp_fastopen_cookie_check+0x720/0x720 [ 28.772259] ? siphash_1u64+0x18/0x270 [ 28.772280] tcp_v4_connect+0x15ef/0x1e70 [ 28.772286] ? __sys_sendmmsg+0x1ee/0x620 [ 28.772303] ? tcp_v4_inbound_md5_hash+0x510/0x510 [ 28.772310] ? __lock_is_held+0xb6/0x140 [ 28.772322] __inet_stream_connect+0x2d4/0xf00 [ 28.772334] ? inet_bind+0x910/0x910 [ 28.772348] ? tcp_sendmsg_locked+0x1f71/0x3c70 [ 28.772353] ? rcu_read_lock_sched_held+0x108/0x120 [ 28.772358] ? kmem_cache_alloc_trace+0x456/0x750 [ 28.772365] ? mark_held_locks+0xaf/0x100 [ 28.772377] tcp_sendmsg_locked+0x264e/0x3c70 [ 28.772389] ? avc_has_perm+0x35e/0x680 [ 28.772395] ? lock_downgrade+0x980/0x980 [ 28.772403] ? lock_release+0xa40/0xa40 [ 28.772417] ? tcp_sendpage+0x60/0x60 [ 28.772436] ? print_irqtrace_events+0x270/0x270 [ 28.772439] ? find_held_lock+0x35/0x1d0 [ 28.772451] ? lock_acquire+0x1d5/0x580 [ 28.772455] ? lock_acquire+0x1d5/0x580 [ 28.772459] ? tcp_sendmsg+0x21/0x50 [ 28.772474] ? mark_held_locks+0xaf/0x100 [ 28.772477] ? do_raw_spin_trylock+0x190/0x190 [ 28.772484] ? __local_bh_enable_ip+0x121/0x230 [ 28.772491] ? trace_hardirqs_on_caller+0x421/0x5c0 [ 28.772496] ? lock_sock_nested+0x91/0x110 [ 28.772500] ? trace_hardirqs_on+0xd/0x10 [ 28.772505] ? __local_bh_enable_ip+0x121/0x230 [ 28.772516] tcp_sendmsg+0x2f/0x50 [ 28.772523] inet_sendmsg+0x11f/0x5e0 [ 28.772527] ? copy_msghdr_from_user+0x3a6/0x590 [ 28.772533] ? inet_create+0xf50/0xf50 [ 28.772540] ? selinux_socket_sendmsg+0x36/0x40 [ 28.772546] ? security_socket_sendmsg+0x89/0xb0 [ 28.772551] ? inet_create+0xf50/0xf50 [ 28.772557] sock_sendmsg+0xca/0x110 [ 28.772564] ___sys_sendmsg+0x320/0x8b0 [ 28.772575] ? copy_msghdr_from_user+0x590/0x590 [ 28.772583] ? __pmd_alloc+0x4e0/0x4e0 [ 28.772590] ? __local_bh_enable_ip+0x121/0x230 [ 28.772603] ? find_held_lock+0x35/0x1d0 [ 28.772617] ? __fget_light+0x297/0x380 [ 28.772624] ? fget_raw+0x20/0x20 [ 28.772628] ? find_held_lock+0x35/0x1d0 [ 28.772640] ? __do_page_fault+0x5f7/0xc90 [ 28.772646] ? lock_downgrade+0x980/0x980 [ 28.772666] __sys_sendmmsg+0x1ee/0x620 [ 28.772670] ? __sys_sendmmsg+0x1ee/0x620 [ 28.772683] ? SyS_sendmsg+0x50/0x50 [ 28.772692] ? mm_fault_error+0x2c0/0x2c0 [ 28.772711] ? __do_page_fault+0xc90/0xc90 [ 28.772721] ? SyS_setsockopt+0x215/0x360 [ 28.772729] ? SyS_recv+0x40/0x40 [ 28.772739] ? trace_hardirqs_on_caller+0x421/0x5c0 [ 28.772749] SyS_sendmmsg+0x35/0x60 [ 28.772762] entry_SYSCALL_64_fastpath+0x29/0xa0 [ 28.772767] RIP: 0033:0x43fdd9 [ 28.772769] RSP: 002b:00007ffc241f4328 EFLAGS: 00000217 ORIG_RAX: 0000000000000133 [ 28.772774] RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 000000000043fdd9 [ 28.772777] RDX: 0000000000000001 RSI: 00000000205f8fc8 RDI: 0000000000000004 [ 28.772780] RBP: 00000000006ca018 R08: 0000000000000000 R09: 0000000000000000 [ 28.772782] R10: 0000000020000000 R11: 0000000000000217 R12: 0000000000401740 [ 28.772785] R13: 00000000004017d0 R14: 0000000000000000 R15: 0000000000000000 [ 28.772801] [ 28.772804] Allocated by task 0: [ 28.772805] (stack is not available) [ 28.772806] [ 28.772808] Freed by task 0: [ 28.772809] (stack is not available) [ 28.772810] [ 28.772813] The buggy address belongs to the object at ffff8801d6730500 [ 28.772813] which belongs to the cache ip_dst_cache of size 168 [ 28.772817] The buggy address is located 24 bytes inside of [ 28.772817] 168-byte region [ffff8801d6730500, ffff8801d67305a8) [ 28.772818] The buggy address belongs to the page: [ 28.772823] page:ffffea000759cc00 count:1 mapcount:0 mapping:ffff8801d6730000 index:0xffff8801d6730000 [ 28.772827] flags: 0x2fffc0000000100(slab) [ 28.772833] raw: 02fffc0000000100 ffff8801d6730000 ffff8801d6730000 000000010000000d [ 28.772837] raw: ffff8801d6f67a38 ffff8801d6f67a38 ffff8801d6f68980 0000000000000000 [ 28.772839] page dumped because: kasan: bad access detected [ 28.772840] [ 28.772841] Memory state around the buggy address: [ 28.772845] ffff8801d6730400: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 28.772848] ffff8801d6730480: 00 00 00 00 00 fc fc fc fc fc fc fc fc fc fc fc [ 28.772850] >ffff8801d6730500: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 28.772853] ^ [ 28.772856] ffff8801d6730580: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 28.772858] ffff8801d6730600: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 28.772860] ================================================================== [ 28.772861] Disabling lock debugging due to kernel taint [ 28.772882] Kernel panic - not syncing: panic_on_warn set ... [ 28.772882] [ 28.772886] CPU: 1 PID: 3672 Comm: syzkaller135211 Tainted: G B 4.15.0-rc7-mm1+ #56 [ 28.772888] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 28.772889] Call Trace: [ 28.772893] dump_stack+0x194/0x257 [ 28.772899] ? arch_local_irq_restore+0x53/0x53 [ 28.772902] ? kasan_end_report+0x32/0x50 [ 28.772909] ? trace_hardirqs_on_thunk+0x1a/0x1c [ 28.772914] ? vsnprintf+0x1ed/0x1900 [ 28.772918] ? ip6_xmit+0x1c10/0x2090 [ 28.772922] panic+0x1e4/0x41c [ 28.772926] ? refcount_error_report+0x214/0x214 [ 28.772932] ? add_taint+0x1c/0x50 [ 28.772936] ? add_taint+0x1c/0x50 [ 28.772941] ? ip6_xmit+0x1ce9/0x2090 [ 28.772946] kasan_end_report+0x50/0x50 [ 28.772949] kasan_report+0x148/0x360 [ 28.772955] __asan_report_load8_noabort+0x14/0x20 [ 28.772958] ip6_xmit+0x1ce9/0x2090 [ 28.772969] ? ip6_finish_output2+0x23a0/0x23a0 [ 28.772974] ? fl6_update_dst+0x127/0x2b0 [ 28.772980] ? check_noncircular+0x20/0x20 [ 28.772986] ? inet6_csk_route_socket+0x691/0xe80 [ 28.772995] ? lock_acquire+0x1d5/0x580 [ 28.772999] ? lock_acquire+0x1d5/0x580 [ 28.773006] ? inet6_csk_xmit+0x114/0x580 [ 28.773010] ? __lock_is_held+0xb6/0x140 [ 28.773016] ? lock_release+0xa40/0xa40 [ 28.773022] ? __lock_is_held+0xb6/0x140 [ 28.773032] inet6_csk_xmit+0x2fc/0x580 [ 28.773037] ? inet6_csk_update_pmtu+0x160/0x160 [ 28.773043] ? rt_cpu_seq_show+0x2c0/0x2c0 [ 28.773047] ? refcount_add_not_zero+0x133/0x200 [ 28.773058] tcp_transmit_skb+0x1b1b/0x38c0 [ 28.773069] ? __tcp_select_window+0x900/0x900 [ 28.773073] ? tcp_fastopen_cache_get+0x449/0x720 [ 28.773079] ? tcp_peer_is_proven+0xc60/0xc60 [ 28.773085] ? __lock_is_held+0xb6/0x140 [ 28.773096] ? tcp_try_fastopen+0x1b50/0x1b50 [ 28.773103] ? tcp_init_transfer+0x3d0/0x3d0 [ 28.773110] ? tcp_rbtree_insert+0x135/0x190 [ 28.773117] tcp_connect+0x1edb/0x4090 [ 28.773126] ? tcp_push_one+0x100/0x100 [ 28.773130] ? lock_downgrade+0x927/0x980 [ 28.773139] ? pvclock_read_flags+0x160/0x160 [ 28.773143] ? mark_held_locks+0xaf/0x100 [ 28.773146] ? ip_route_output_key_hash+0x229/0x370 [ 28.773150] ? ktime_get_with_offset+0x188/0x420 [ 28.773157] ? kvm_clock_get_cycles+0x25/0x30 [ 28.773161] ? ktime_get_with_offset+0x2c1/0x420 [ 28.773168] ? do_gettimeofday+0x190/0x190 [ 28.773176] ? tcp_fastopen_defer_connect+0x163/0x4a0 [ 28.773181] ? tcp_fastopen_cookie_check+0x720/0x720 [ 28.773184] ? siphash_1u64+0x18/0x270 [ 28.773196] tcp_v4_connect+0x15ef/0x1e70 [ 28.773200] ? __sys_sendmmsg+0x1ee/0x620 [ 28.773213] ? tcp_v4_inbound_md5_hash+0x510/0x510 [ 28.773219] ? __lock_is_held+0xb6/0x140 [ 28.773226] __inet_stream_connect+0x2d4/0xf00 [ 28.773234] ? inet_bind+0x910/0x910 [ 28.773242] ? tcp_sendmsg_locked+0x1f71/0x3c70 [ 28.773246] ? rcu_read_lock_sched_held+0x108/0x120 [ 28.773250] ? kmem_cache_alloc_trace+0x456/0x750 [ 28.773255] ? mark_held_locks+0xaf/0x100 [ 28.773263] tcp_sendmsg_locked+0x264e/0x3c70 [ 28.773270] ? avc_has_perm+0x35e/0x680 [ 28.773274] ? lock_downgrade+0x980/0x980 [ 28.773280] ? lock_release+0xa40/0xa40 [ 28.773289] ? tcp_sendpage+0x60/0x60 [ 28.773300] ? print_irqtrace_events+0x270/0x270 [ 28.773303] ? find_held_lock+0x35/0x1d0 [ 28.773311] ? lock_acquire+0x1d5/0x580 [ 28.773314] ? lock_acquire+0x1d5/0x580 [ 28.773318] ? tcp_sendmsg+0x21/0x50 [ 28.773327] ? mark_held_locks+0xaf/0x100 [ 28.773330] ? do_raw_spin_trylock+0x190/0x190 [ 28.773334] ? __local_bh_enable_ip+0x121/0x230 [ 28.773339] ? trace_hardirqs_on_caller+0x421/0x5c0 [ 28.773343] ? lock_sock_nested+0x91/0x110 [ 28.773347] ? trace_hardirqs_on+0xd/0x10 [ 28.773351] ? __local_bh_enable_ip+0x121/0x230 [ 28.773358] tcp_sendmsg+0x2f/0x50 [ 28.773363] inet_sendmsg+0x11f/0x5e0 [ 28.773366] ? copy_msghdr_from_user+0x3a6/0x590 [ 28.773371] ? inet_create+0xf50/0xf50 [ 28.773377] ? selinux_socket_sendmsg+0x36/0x40 [ 28.773381] ? security_socket_sendmsg+0x89/0xb0 [ 28.773385] ? inet_create+0xf50/0xf50 [ 28.773389] sock_sendmsg+0xca/0x110 [ 28.773394] ___sys_sendmsg+0x320/0x8b0 [ 28.773401] ? copy_msghdr_from_user+0x590/0x590 [ 28.773405] ? __pmd_alloc+0x4e0/0x4e0 [ 28.773409] ? __local_bh_enable_ip+0x121/0x230 [ 28.773416] ? find_held_lock+0x35/0x1d0 [ 28.773424] ? __fget_light+0x297/0x380 [ 28.773428] ? fget_raw+0x20/0x20 [ 28.773431] ? find_held_lock+0x35/0x1d0 [ 28.773439] ? __do_page_fault+0x5f7/0xc90 [ 28.773444] ? lock_downgrade+0x980/0x980 [ 28.773455] __sys_sendmmsg+0x1ee/0x620 [ 28.773459] ? __sys_sendmmsg+0x1ee/0x620 [ 28.773467] ? SyS_sendmsg+0x50/0x50 [ 28.773473] ? mm_fault_error+0x2c0/0x2c0 [ 28.773484] ? __do_page_fault+0xc90/0xc90 [ 28.773490] ? SyS_setsockopt+0x215/0x360 [ 28.773496] ? SyS_recv+0x40/0x40 [ 28.773503] ? trace_hardirqs_on_caller+0x421/0x5c0 [ 28.773509] SyS_sendmmsg+0x35/0x60 [ 28.773515] entry_SYSCALL_64_fastpath+0x29/0xa0 [ 28.773517] RIP: 0033:0x43fdd9 [ 28.773519] RSP: 002b:00007ffc241f4328 EFLAGS: 00000217 ORIG_RAX: 0000000000000133 [ 28.773523] RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 000000000043fdd9 [ 28.773525] RDX: 0000000000000001 RSI: 00000000205f8fc8 RDI: 0000000000000004 [ 28.773527] RBP: 00000000006ca018 R08: 0000000000000000 R09: 0000000000000000 [ 28.773529] R10: 0000000020000000 R11: 0000000000000217 R12: 0000000000401740 [ 28.773531] R13: 00000000004017d0 R14: 0000000000000000 R15: 0000000000000000 [ 28.792091] Dumping ftrace buffer: [ 28.792096] (ftrace buffer empty) [ 28.792098] Kernel Offset: disabled [ 29.985178] Rebooting in 86400 seconds..