[ ok ] Starting enhanced syslogd: rsyslogd.
[ 12.943431] audit: type=1400 audit(1516635418.042:5): avc: denied { syslog } for pid=3504 comm="rsyslogd" capability=34 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=capability2 permissive=1
[ ok ] Starting periodic command scheduler: cron.
Starting mcstransd:
[ ok ] Starting file context maintaining daemon: restorecond.
[ ok ] Starting OpenBSD Secure Shell server: sshd.

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [ 19.431343] audit: type=1400 audit(1516635424.530:6): avc: denied { map } for pid=3644 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
Warning: Permanently added '10.128.15.238' (ECDSA) to the list of known hosts.
net.ipv6.conf.syz0.accept_dad = 0
net.ipv6.conf.syz0.router_solicitations = 0
[ 25.678581] audit: type=1400 audit(1516635430.777:7): avc: denied { map } for pid=3658 comm="syzkaller033416" path="/root/syzkaller033416030" dev="sda1" ino=16481 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
RTNETLINK answers: Operation not supported
RTNETLINK answers: No buffer space available
RTNETLINK answers: Operation not supported
RTNETLINK answers: Operation not supported
[ 25.896301] IPv6: ADDRCONF(NETDEV_UP): bridge0: link is not ready
RTNETLINK answers: Operation not supported
RTNETLINK answers: Operation not supported
RTNETLINK answers: Invalid argument
RTNETLINK answers: Invalid argument
RTNETLINK answers: Invalid argument
executing program
[ 26.218592] ==================================================================
[ 26.225991] BUG: KASAN: use-after-free in erspan_xmit+0x22d4/0x2430
[ 26.232370] Read of size 2 at addr ffff8801d67cca4b by task syzkaller033416/3659
[ 26.239871]
[ 26.241472] CPU: 0 PID: 3659 Comm: syzkaller033416 Not tainted 4.15.0-rc8+ #203
[ 26.248886] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 26.258207] Call Trace:
[ 26.260766]  dump_stack+0x194/0x257
[ 26.264378]  ? arch_local_irq_restore+0x53/0x53
[ 26.269026]  ? show_regs_print_info+0x18/0x18
[ 26.273505]  ? erspan_xmit+0x22d4/0x2430
[ 26.277541]  print_address_description+0x73/0x250
[ 26.282358]  ? erspan_xmit+0x22d4/0x2430
[ 26.286391]  kasan_report+0x25b/0x340
[ 26.290189]  __asan_report_load_n_noabort+0xf/0x20
[ 26.295090]  erspan_xmit+0x22d4/0x2430
[ 26.298954]  ? packet_direct_xmit+0x509/0x790
[ 26.303423]  ? validate_xmit_skb+0x4b0/0xaf0
[ 26.307806]  ? gretap_fb_dev_create+0x250/0x250
[ 26.312458]  ? netif_skb_features+0x9b0/0x9b0
[ 26.316946]  packet_direct_xmit+0x3ad/0x790
[ 26.321247]  ? packet_mmap+0x590/0x590
[ 26.325114]  ? memcpy+0x45/0x50
[ 26.328377]  packet_sendmsg+0x3aed/0x60b0
[ 26.332504]  ? find_held_lock+0x35/0x1d0
[ 26.336554]  ? avc_has_perm+0x35e/0x680
[ 26.340521]  ? packet_cached_dev_get+0x2b0/0x2b0
[ 26.345256]  ? avc_has_perm+0x43e/0x680
[ 26.349211]  ? avc_has_perm_noaudit+0x520/0x520
[ 26.353866]  ? find_held_lock+0x35/0x1d0
[ 26.357906]  ? fanout_add+0x1430/0x1430
[ 26.361858]  ? avc_has_perm+0x35e/0x680
[ 26.365815]  ? find_held_lock+0x35/0x1d0
[ 26.369859]  ? sock_has_perm+0x2a4/0x420
[ 26.373895]  ? selinux_secmark_relabel_packet+0xc0/0xc0
[ 26.379228]  ? lock_release+0x972/0xa40
[ 26.383171]  ? trace_event_raw_event_sched_switch+0x800/0x800
[ 26.389034]  ? __check_object_size+0x25d/0x4f0
[ 26.393590]  ? avc_has_perm_noaudit+0x520/0x520
[ 26.398241]  ? selinux_socket_sendmsg+0x36/0x40
[ 26.402880]  ? security_socket_sendmsg+0x89/0xb0
[ 26.407609]  ? packet_cached_dev_get+0x2b0/0x2b0
[ 26.412338]  sock_sendmsg+0xca/0x110
[ 26.416031]  SYSC_sendto+0x361/0x5c0
[ 26.419721]  ? SYSC_connect+0x4a0/0x4a0
[ 26.423669]  ? selinux_secmark_relabel_packet+0xc0/0xc0
[ 26.429006]  ? __do_page_fault+0x3d6/0xc90
[ 26.433223]  ? selinux_netlbl_sock_rcv_skb+0x730/0x730
[ 26.438492]  ? SyS_setsockopt+0x215/0x360
[ 26.442616]  ? SyS_recv+0x40/0x40
[ 26.446055]  ? entry_SYSCALL_64_fastpath+0x5/0xa0
[ 26.450878]  SyS_sendto+0x40/0x50
[ 26.454309]  entry_SYSCALL_64_fastpath+0x29/0xa0
[ 26.459043] RIP: 0033:0x4454a9
[ 26.462220] RSP: 002b:00007ffedf46e898 EFLAGS: 00000217 ORIG_RAX: 000000000000002c
[ 26.469898] RAX: ffffffffffffffda RBX: ffffffffffffffff RCX: 00000000004454a9
[ 26.477141] RDX: 0000000000000000 RSI: 0000000020003fd9 RDI: 0000000000000004
[ 26.484399] RBP: 00000000004a7053 R08: 0000000020008000 R09: 000000000000001c
[ 26.491639] R10: 0000000000000000 R11: 0000000000000217 R12: 00000000004025e0
[ 26.498878] R13: 0000000000402670 R14: 0000000000000000 R15: 0000000000000000
[ 26.506142]
[ 26.507827] Allocated by task 2104:
[ 26.511428]  save_stack+0x43/0xd0
[ 26.514849]  kasan_kmalloc+0xad/0xe0
[ 26.518534]  kasan_slab_alloc+0x12/0x20
[ 26.522475]  kmem_cache_alloc+0x12e/0x760
[ 26.526595]  getname_kernel+0x54/0x340
[ 26.530452]  open_exec+0x17/0x60
[ 26.533788]  load_elf_binary+0x1348/0x4c10
[ 26.537991]  search_binary_handler+0x142/0x6b0
[ 26.542546]  do_execveat_common.isra.30+0x1754/0x23c0
[ 26.547703]  SyS_execve+0x39/0x50
[ 26.551133]  do_syscall_64+0x273/0x920
[ 26.554990]  return_from_SYSCALL_64+0x0/0x75
[ 26.559366]
[ 26.560962] Freed by task 2104:
[ 26.564210]  save_stack+0x43/0xd0
[ 26.567632]  kasan_slab_free+0x71/0xc0
[ 26.571487]  kmem_cache_free+0x83/0x2a0
[ 26.575430]  putname+0xee/0x130
[ 26.578676]  open_exec+0x41/0x60
[ 26.582015]  load_elf_binary+0x1348/0x4c10
[ 26.586231]  search_binary_handler+0x142/0x6b0
[ 26.590782]  do_execveat_common.isra.30+0x1754/0x23c0
[ 26.595939]  SyS_execve+0x39/0x50
[ 26.599364]  do_syscall_64+0x273/0x920
[ 26.603223]  return_from_SYSCALL_64+0x0/0x75
[ 26.607596]
[ 26.609194] The buggy address belongs to the object at ffff8801d67cc2c0
[ 26.609194]  which belongs to the cache names_cache of size 4096
[ 26.621907] The buggy address is located 1931 bytes inside of
[ 26.621907]  4096-byte region [ffff8801d67cc2c0, ffff8801d67cd2c0)
[ 26.633920] The buggy address belongs to the page:
[ 26.638831] page:ffffea000759f300 count:1 mapcount:0 mapping:ffff8801d67cc2c0 index:0x0 compound_mapcount: 0
[ 26.648769] flags: 0x2fffc0000008100(slab|head)
[ 26.653410] raw: 02fffc0000008100 ffff8801d67cc2c0 0000000000000000 0000000100000001
[ 26.661259] raw: ffffea00075bf2a0 ffffea000759f3a0 ffff8801dae2c600 0000000000000000
[ 26.669120] page dumped because: kasan: bad access detected
[ 26.674801]
[ 26.676399] Memory state around the buggy address:
[ 26.681305]  ffff8801d67cc900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 26.688633]  ffff8801d67cc980: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 26.695960] >ffff8801d67cca00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 26.703288]                                               ^
[ 26.708965]  ffff8801d67cca80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 26.716292]  ffff8801d67ccb00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 26.723620] ==================================================================
[ 26.730945] Disabling lock debugging due to kernel taint
[ 26.736382] Kernel panic - not syncing: panic_on_warn set ...
[ 26.736382]
[ 26.743724] CPU: 0 PID: 3659 Comm: syzkaller033416 Tainted: G B 4.15.0-rc8+ #203
[ 26.752442] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 26.761767] Call Trace:
[ 26.764328]  dump_stack+0x194/0x257
[ 26.767927]  ? arch_local_irq_restore+0x53/0x53
[ 26.772568]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 26.777295]  ? vsnprintf+0x1ed/0x1900
[ 26.781066]  ? erspan_xmit+0x21f0/0x2430
[ 26.785098]  panic+0x1e4/0x41c
[ 26.788258]  ? refcount_error_report+0x214/0x214
[ 26.792986]  ? add_taint+0x1c/0x50
[ 26.796508]  ? add_taint+0x1c/0x50
[ 26.800025]  ? erspan_xmit+0x22d4/0x2430
[ 26.804064]  kasan_end_report+0x50/0x50
[ 26.808363]  kasan_report+0x144/0x340
[ 26.812138]  __asan_report_load_n_noabort+0xf/0x20
[ 26.817038]  erspan_xmit+0x22d4/0x2430
[ 26.820897]  ? packet_direct_xmit+0x509/0x790
[ 26.825362]  ? validate_xmit_skb+0x4b0/0xaf0
[ 26.829751]  ? gretap_fb_dev_create+0x250/0x250
[ 26.834389]  ? netif_skb_features+0x9b0/0x9b0
[ 26.838863]  packet_direct_xmit+0x3ad/0x790
[ 26.843825]  ? packet_mmap+0x590/0x590
[ 26.847682]  ? memcpy+0x45/0x50
[ 26.850938]  packet_sendmsg+0x3aed/0x60b0
[ 26.855062]  ? find_held_lock+0x35/0x1d0
[ 26.859106]  ? avc_has_perm+0x35e/0x680
[ 26.863059]  ? packet_cached_dev_get+0x2b0/0x2b0
[ 26.867789]  ? avc_has_perm+0x43e/0x680
[ 26.871733]  ? avc_has_perm_noaudit+0x520/0x520
[ 26.876782]  ? find_held_lock+0x35/0x1d0
[ 26.880813]  ? fanout_add+0x1430/0x1430
[ 26.884756]  ? avc_has_perm+0x35e/0x680
[ 26.888701]  ? find_held_lock+0x35/0x1d0
[ 26.892734]  ? sock_has_perm+0x2a4/0x420
[ 26.896766]  ? selinux_secmark_relabel_packet+0xc0/0xc0
[ 26.902099]  ? lock_release+0x972/0xa40
[ 26.906041]  ? trace_event_raw_event_sched_switch+0x800/0x800
[ 26.911896]  ? __check_object_size+0x25d/0x4f0
[ 26.916445]  ? avc_has_perm_noaudit+0x520/0x520
[ 26.921090]  ? selinux_socket_sendmsg+0x36/0x40
[ 26.925814]  ? security_socket_sendmsg+0x89/0xb0
[ 26.930539]  ? packet_cached_dev_get+0x2b0/0x2b0
[ 26.935265]  sock_sendmsg+0xca/0x110
[ 26.938952]  SYSC_sendto+0x361/0x5c0
[ 26.942643]  ? SYSC_connect+0x4a0/0x4a0
[ 26.946589]  ? selinux_secmark_relabel_packet+0xc0/0xc0
[ 26.951932]  ? __do_page_fault+0x3d6/0xc90
[ 26.956145]  ? selinux_netlbl_sock_rcv_skb+0x730/0x730
[ 26.961400]  ? SyS_setsockopt+0x215/0x360
[ 26.965854]  ? SyS_recv+0x40/0x40
[ 26.970234]  ? entry_SYSCALL_64_fastpath+0x5/0xa0
[ 26.976096]  SyS_sendto+0x40/0x50
[ 26.979527]  entry_SYSCALL_64_fastpath+0x29/0xa0
[ 26.984249] RIP: 0033:0x4454a9
[ 26.987407] RSP: 002b:00007ffedf46e898 EFLAGS: 00000217 ORIG_RAX: 000000000000002c
[ 26.995084] RAX: ffffffffffffffda RBX: ffffffffffffffff RCX: 00000000004454a9
[ 27.002323] RDX: 0000000000000000 RSI: 0000000020003fd9 RDI: 0000000000000004
[ 27.009560] RBP: 00000000004a7053 R08: 0000000020008000 R09: 000000000000001c
[ 27.016798] R10: 0000000000000000 R11: 0000000000000217 R12: 00000000004025e0
[ 27.024039] R13: 0000000000402670 R14: 0000000000000000 R15: 0000000000000000
[ 27.032009] Dumping ftrace buffer:
[ 27.035522]    (ftrace buffer empty)
[ 27.039202] Kernel Offset: disabled
[ 27.042797] Rebooting in 86400 seconds..