[....] Starting enhanced syslogd: rsyslogd
[   11.487460] audit: type=1400 audit(1513562501.453:5): avc: denied { syslog } for pid=2983 comm="rsyslogd" capability=34 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=capability2 permissive=1
[ ok ]
[ ok ] Starting periodic command scheduler: cron.
Starting mcstransd:
[ ok ] Starting file context maintaining daemon: restorecond.
[ ok ] Starting OpenBSD Secure Shell server: sshd.

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [   17.354744] audit: type=1400 audit(1513562507.320:6): avc: denied { map } for pid=3122 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
Warning: Permanently added 'ci-upstream-kasan-gce-386-3,10.128.15.232' (ECDSA) to the list of known hosts.
executing program
[   23.507379] audit: type=1400 audit(1513562513.473:7): avc: denied { map } for pid=3135 comm="syzkaller768715" path="/root/syzkaller768715512" dev="sda1" ino=16481 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
[   23.511431] ==================================================================
[   23.511450] BUG: KASAN: slab-out-of-bounds in pfkey_add+0x1634/0x3270
[   23.511456] Read of size 8192 at addr ffff8801c6c84558 by task syzkaller768715/3135
[   23.511458]
[   23.511465] CPU: 1 PID: 3135 Comm: syzkaller768715 Not tainted 4.15.0-rc3+ #136
[   23.511469] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   23.511472] Call Trace:
[   23.511484]  dump_stack+0x194/0x257
[   23.511498]  ? arch_local_irq_restore+0x53/0x53
[   23.511507]  ? show_regs_print_info+0x18/0x18
[   23.511514]  ? __lock_is_held+0xb6/0x140
[   23.511529]  ? pfkey_add+0x1634/0x3270
[   23.511541]  print_address_description+0x73/0x250
[   23.511548]  ? pfkey_add+0x1634/0x3270
[   23.511557]  kasan_report+0x25b/0x340
[   23.511571]  check_memory_region+0x137/0x190
[   23.511580]  memcpy+0x23/0x50
[   23.511589]  pfkey_add+0x1634/0x3270
[   23.511612]  ? set_ipsecrequest+0x310/0x310
[   23.511624]  ? lock_release+0xa40/0xa40
[   23.511633]  ? set_ipsecrequest+0x310/0x310
[   23.511644]  pfkey_process+0x60b/0x720
[   23.511661]  ? pfkey_send_new_mapping+0x11b0/0x11b0
[   23.511666]  ? kasan_check_write+0x14/0x20
[   23.511718]  pfkey_sendmsg+0x4d6/0x9f0
[   23.511731]  ? pfkey_spdget+0xb00/0xb00
[   23.511746]  ? selinux_socket_sendmsg+0x36/0x40
[   23.511754]  ? security_socket_sendmsg+0x89/0xb0
[   23.511762]  ? pfkey_spdget+0xb00/0xb00
[   23.511774]  sock_sendmsg+0xca/0x110
[   23.511786]  ___sys_sendmsg+0x755/0x890
[   23.511802]  ? copy_msghdr_from_user+0x590/0x590
[   23.511816]  ? __handle_mm_fault+0x80e/0x3ce0
[   23.511832]  ? check_noncircular+0x20/0x20
[   23.511837]  ? __pmd_alloc+0x4e0/0x4e0
[   23.511851]  ? __fget_light+0x297/0x380
[   23.511861]  ? fget_raw+0x20/0x20
[   23.511880]  ? handle_mm_fault+0x248/0x8d0
[   23.511893]  ? find_held_lock+0x35/0x1d0
[   23.511913]  ? __fdget+0x18/0x20
[   23.511927]  __sys_sendmsg+0xe5/0x210
[   23.511935]  ? __sys_sendmsg+0xe5/0x210
[   23.511946]  ? SyS_shutdown+0x290/0x290
[   23.511951]  ? handle_mm_fault+0x410/0x8d0
[   23.511960]  ? __do_page_fault+0x32d/0xc90
[   23.511969]  ? __handle_mm_fault+0x3ce0/0x3ce0
[   23.511976]  ? vmacache_find+0x5f/0x280
[   23.512023]  compat_SyS_sendmsg+0x2a/0x40
[   23.512031]  ? compat_SyS_getsockopt+0x420/0x420
[   23.512040]  do_fast_syscall_32+0x3ee/0xf9d
[   23.512058]  ? do_int80_syscall_32+0x9d0/0x9d0
[   23.512066]  ? kasan_check_read+0x11/0x20
[   23.512077]  ? syscall_return_slowpath+0x550/0x550
[   23.512093]  ? SyS_rt_sigaction+0x94/0x1b0
[   23.512103]  ? SyS_sigprocmask+0x4b0/0x4b0
[   23.512108]  ? SyS_read+0x184/0x220
[   23.512117]  ? retint_user+0x18/0x18
[   23.512134]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   23.512153]  entry_SYSENTER_compat+0x51/0x60
[   23.512159] RIP: 0023:0xf7fbdc79
[   23.512162] RSP: 002b:00000000ffd1481c EFLAGS: 00000203 ORIG_RAX: 0000000000000172
[   23.512169] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000020cbd000
[   23.512173] RDX: 0000000000000000 RSI: 0000000000000167 RDI: 000000000000000f
[   23.512177] RBP: 0000000000000003 R08: 0000000000000000 R09: 0000000000000000
[   23.512181] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
[   23.512184] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[   23.512212]
[   23.512215] Allocated by task 3135:
[   23.512221]  save_stack+0x43/0xd0
[   23.512227]  kasan_kmalloc+0xad/0xe0
[   23.512234]  __kmalloc_node_track_caller+0x47/0x70
[   23.512240]  __kmalloc_reserve.isra.41+0x41/0xd0
[   23.512246]  __alloc_skb+0x13b/0x780
[   23.512251]  pfkey_sendmsg+0x20f/0x9f0
[   23.512256]  sock_sendmsg+0xca/0x110
[   23.512262]  ___sys_sendmsg+0x755/0x890
[   23.512268]  __sys_sendmsg+0xe5/0x210
[   23.512273]  compat_SyS_sendmsg+0x2a/0x40
[   23.512278]  do_fast_syscall_32+0x3ee/0xf9d
[   23.512284]  entry_SYSENTER_compat+0x51/0x60
[   23.512286]
[   23.512289] Freed by task 1657:
[   23.512293]  save_stack+0x43/0xd0
[   23.512298]  kasan_slab_free+0x71/0xc0
[   23.512303]  kfree+0xca/0x250
[   23.512309]  skb_free_head+0x74/0xb0
[   23.512314]  skb_release_data+0x58c/0x790
[   23.512320]  skb_release_all+0x4a/0x60
[   23.512326]  kfree_skb+0x15d/0x4c0
[   23.512333]  unix_stream_connect+0x876/0x1580
[   23.512338]  SYSC_connect+0x204/0x470
[   23.512344]  SyS_connect+0x24/0x30
[   23.512349]  entry_SYSCALL_64_fastpath+0x1f/0x96
[   23.512351]
[   23.512356] The buggy address belongs to the object at ffff8801c6c84540
[   23.512356]  which belongs to the cache kmalloc-512 of size 512
[   23.512361] The buggy address is located 24 bytes inside of
[   23.512361]  512-byte region [ffff8801c6c84540, ffff8801c6c84740)
[   23.512363] The buggy address belongs to the page:
[   23.512369] page:00000000c2812f85 count:1 mapcount:0 mapping:000000002ea7dd00 index:0x0
[   23.512375] flags: 0x2fffc0000000100(slab)
[   23.512385] raw: 02fffc0000000100 ffff8801c6c84040 0000000000000000 0000000100000006
[   23.512392] raw: ffffea00071b1fe0 ffffea00072dd920 ffff8801db000940 0000000000000000
[   23.512395] page dumped because: kasan: bad access detected
[   23.512396]
[   23.512399] Memory state around the buggy address:
[   23.512404]  ffff8801c6c84600: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   23.512409]  ffff8801c6c84680: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   23.512414] >ffff8801c6c84700: 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc
[   23.512417]                                            ^
[   23.512421]  ffff8801c6c84780: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
[   23.512426]  ffff8801c6c84800: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   23.512429] ==================================================================
[   23.512431] Disabling lock debugging due to kernel taint
[   23.512446] Kernel panic - not syncing: panic_on_warn set ...
[   23.512446]
[   23.512452] CPU: 1 PID: 3135 Comm: syzkaller768715 Tainted: G B 4.15.0-rc3+ #136
[   23.512455] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   23.512456] Call Trace:
[   23.512464]  dump_stack+0x194/0x257
[   23.512473]  ? arch_local_irq_restore+0x53/0x53
[   23.512481]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[   23.512488]  ? vsnprintf+0x1ed/0x1900
[   23.512495]  ? pfkey_add+0x1560/0x3270
[   23.512502]  panic+0x1e4/0x41c
[   23.512509]  ? refcount_error_report+0x214/0x214
[   23.512518]  ? add_taint+0x1c/0x50
[   23.512525]  ? add_taint+0x1c/0x50
[   23.512532]  ? pfkey_add+0x1634/0x3270
[   23.512538]  kasan_end_report+0x50/0x50
[   23.512544]  kasan_report+0x144/0x340
[   23.512554]  check_memory_region+0x137/0x190
[   23.512560]  memcpy+0x23/0x50
[   23.512567]  pfkey_add+0x1634/0x3270
[   23.512581]  ? set_ipsecrequest+0x310/0x310
[   23.512589]  ? lock_release+0xa40/0xa40
[   23.512596]  ? set_ipsecrequest+0x310/0x310
[   23.512604]  pfkey_process+0x60b/0x720
[   23.512615]  ? pfkey_send_new_mapping+0x11b0/0x11b0
[   23.512619]  ? kasan_check_write+0x14/0x20
[   23.512647]  pfkey_sendmsg+0x4d6/0x9f0
[   23.512656]  ? pfkey_spdget+0xb00/0xb00
[   23.512665]  ? selinux_socket_sendmsg+0x36/0x40
[   23.512672]  ? security_socket_sendmsg+0x89/0xb0
[   23.512678]  ? pfkey_spdget+0xb00/0xb00
[   23.512686]  sock_sendmsg+0xca/0x110
[   23.512695]  ___sys_sendmsg+0x755/0x890
[   23.512706]  ? copy_msghdr_from_user+0x590/0x590
[   23.512715]  ? __handle_mm_fault+0x80e/0x3ce0
[   23.512725]  ? check_noncircular+0x20/0x20
[   23.512730]  ? __pmd_alloc+0x4e0/0x4e0
[   23.512739]  ? __fget_light+0x297/0x380
[   23.512747]  ? fget_raw+0x20/0x20
[   23.512758]  ? handle_mm_fault+0x248/0x8d0
[   23.512767]  ? find_held_lock+0x35/0x1d0
[   23.512780]  ? __fdget+0x18/0x20
[   23.512789]  __sys_sendmsg+0xe5/0x210
[   23.512796]  ? __sys_sendmsg+0xe5/0x210
[   23.512804]  ? SyS_shutdown+0x290/0x290
[   23.512809]  ? handle_mm_fault+0x410/0x8d0
[   23.512815]  ? __do_page_fault+0x32d/0xc90
[   23.512822]  ? __handle_mm_fault+0x3ce0/0x3ce0
[   23.512828]  ? vmacache_find+0x5f/0x280
[   23.512851]  compat_SyS_sendmsg+0x2a/0x40
[   23.512858]  ? compat_SyS_getsockopt+0x420/0x420
[   23.512864]  do_fast_syscall_32+0x3ee/0xf9d
[   23.512876]  ? do_int80_syscall_32+0x9d0/0x9d0
[   23.512882]  ? kasan_check_read+0x11/0x20
[   23.512890]  ? syscall_return_slowpath+0x550/0x550
[   23.512898]  ? SyS_rt_sigaction+0x94/0x1b0
[   23.512905]  ? SyS_sigprocmask+0x4b0/0x4b0
[   23.512910]  ? SyS_read+0x184/0x220
[   23.512916]  ? retint_user+0x18/0x18
[   23.512926]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   23.512938]  entry_SYSENTER_compat+0x51/0x60
[   23.512942] RIP: 0023:0xf7fbdc79
[   23.512945] RSP: 002b:00000000ffd1481c EFLAGS: 00000203 ORIG_RAX: 0000000000000172
[   23.512951] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000020cbd000
[   23.512955] RDX: 0000000000000000 RSI: 0000000000000167 RDI: 000000000000000f
[   23.512958] RBP: 0000000000000003 R08: 0000000000000000 R09: 0000000000000000
[   23.512961] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
[   23.512964] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[   23.533669] Dumping ftrace buffer:
[   23.533673]    (ftrace buffer empty)
[   23.533676] Kernel Offset: disabled
[   24.377484] Rebooting in 86400 seconds..
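Reading a KASAN report like the one above by hand means reconciling three things that must agree: the access size, the object bounds, and the shadow-memory dump. The Python below is an added example for this page (not kernel code and not part of the syzbot report). It parses the report lines quoted from this log and answers the two questions a triager asks first: how far does the 8192-byte memcpy read run past the 512-byte kmalloc-512 object (8192 bytes from offset 24 leaves 7704 bytes beyond the end), and does the first poisoned shadow byte (fc, KASAN_KMALLOC_REDZONE) sit exactly at the object's end address. The shadow-byte names are the constants from mm/kasan/kasan.h. One caveat the report itself does not spell out: in a slab-out-of-bounds report the object is still allocated, so the "Freed by task 1657" stack (unix_stream_connect) belongs to an earlier occupant of the same slab slot, not to the bug's path, and the parser ignores it.

```python
"""Extract the load-bearing fields of a KASAN slab-out-of-bounds report.

Example code written for this page; REPORT is quoted from the console log
above (kernel 4.15.0-rc3+, pfkey_add) with the dmesg timestamps dropped.
"""
import re

# Lines quoted from the report on this page, not constructed.
REPORT = """\
BUG: KASAN: slab-out-of-bounds in pfkey_add+0x1634/0x3270
Read of size 8192 at addr ffff8801c6c84558 by task syzkaller768715/3135
The buggy address belongs to the object at ffff8801c6c84540
 which belongs to the cache kmalloc-512 of size 512
The buggy address is located 24 bytes inside of
 512-byte region [ffff8801c6c84540, ffff8801c6c84740)
Memory state around the buggy address:
 ffff8801c6c84600: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffff8801c6c84680: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff8801c6c84700: 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc
 ffff8801c6c84780: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
"""

KASAN_SHADOW_SCALE = 8          # one shadow byte describes 8 bytes of memory
SHADOW_NAMES = {                # poison values from mm/kasan/kasan.h
    0x00: "accessible",
    0xfb: "KASAN_KMALLOC_FREE (freed object)",
    0xfc: "KASAN_KMALLOC_REDZONE (slab redzone)",
    0xfe: "KASAN_PAGE_REDZONE",
    0xff: "KASAN_FREE_PAGE",
}


def shadow_name(value):
    """Human-readable meaning of one shadow byte."""
    if 1 <= value <= 7:
        return "partially accessible (first %d bytes)" % value
    return SHADOW_NAMES.get(value, "unknown 0x%02x" % value)


def parse_report(text):
    """Pull bug type, access, object bounds and the resulting overrun out of a report."""
    head = re.search(r"BUG: KASAN: (\S+) in (\S+)", text)
    acc = re.search(r"(Read|Write) of size (\d+) at addr ([0-9a-f]+) by task ([^/\s]+)/(\d+)", text)
    region = re.search(r"region \[([0-9a-f]+), ([0-9a-f]+)\)", text)
    cache = re.search(r"cache (\S+) of size (\d+)", text)
    if not (head and acc and region and cache):
        raise ValueError("not a KASAN slab report")
    addr, size = int(acc.group(3), 16), int(acc.group(2))
    start, end = int(region.group(1), 16), int(region.group(2), 16)
    return {
        "bug": head.group(1),
        "func": head.group(2),
        "access": acc.group(1),
        "size": size,
        "addr": addr,
        "comm": acc.group(4),
        "pid": int(acc.group(5)),
        "cache": cache.group(1),
        "object_start": start,
        "object_end": end,
        "offset_in_object": addr - start,
        # Bytes of the access that lie beyond the end of the object.
        "overrun": max(0, addr + size - end),
    }


def first_poisoned_address(text):
    """On the '>' marked shadow line, return (address, meaning) of the first
    non-zero shadow byte: the point where KASAN saw the access go bad."""
    for line in text.splitlines():
        m = re.match(r"^>([0-9a-f]{16}): ((?:[0-9a-f]{2}\s*)+)$", line.strip())
        if not m:
            continue
        base = int(m.group(1), 16)
        shadow = [int(b, 16) for b in m.group(2).split()]
        for i, b in enumerate(shadow):
            if b != 0:
                return base + i * KASAN_SHADOW_SCALE, shadow_name(b)
    return None


def summarize(text):
    """Parsed fields plus a cross-check that the shadow dump agrees with the object bounds."""
    r = parse_report(text)
    poisoned = first_poisoned_address(text)
    r["first_bad_addr"] = poisoned[0] if poisoned else None
    r["first_bad_kind"] = poisoned[1] if poisoned else None
    # For an overrun, the first poisoned byte should be exactly the object's end.
    r["shadow_matches_bounds"] = poisoned is not None and poisoned[0] == r["object_end"]
    return r


if __name__ == "__main__":
    s = summarize(REPORT)
    print("%s: %s of %d bytes at +%d in a %s object, overrunning it by %d bytes"
          % (s["bug"], s["access"], s["size"], s["offset_in_object"], s["cache"], s["overrun"]))
    print("first poisoned shadow byte covers 0x%x (%s); matches object end: %s"
          % (s["first_bad_addr"], s["first_bad_kind"], s["shadow_matches_bounds"]))
```

The same parser works on any report in this format; the interesting output here is that the read overruns the object by 7704 bytes while the shadow dump shows the redzone beginning at ffff8801c6c84740, which confirms the object bounds KASAN printed and that the copy length, not the object address, is what went wrong.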