[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting file context maintaining daemon: restorecond.
Starting mcstransd:
[ ok ] Starting OpenBSD Secure Shell server: sshd.
[   18.205721] audit: type=1400 audit(1521291597.015:6): avc: denied { map } for pid=4221 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1

Debian GNU/Linux 7 syzkaller ttyS0

Warning: Permanently added '10.128.0.29' (ECDSA) to the list of known hosts.
net.ipv6.conf.syz_tun.accept_dad = 0
net.ipv6.conf.syz_tun.router_solicitations = 0
syzkaller login: [   24.538954] audit: type=1400 audit(1521291603.348:7): avc: denied { map } for pid=4235 comm="syzkaller469575" path="/root/syzkaller469575688" dev="sda1" ino=16481 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
[   24.547492] IPVS: ftp: loaded support on port[0] = 21
[   24.651918] ip (4252) used greatest stack depth: 16600 bytes left
RTNETLINK answers: File exists
RTNETLINK answers: Operation not supported
RTNETLINK answers: No buffer space available
RTNETLINK answers: Operation not supported
[   24.819332] IPv6: ADDRCONF(NETDEV_UP): bridge0: link is not ready
RTNETLINK answers: Operation not supported
RTNETLINK answers: Operation not supported
RTNETLINK answers: Operation not supported
RTNETLINK answers: Invalid argument
RTNETLINK answers: Invalid argument
RTNETLINK answers: Invalid argument
[   25.176140] IPv6: ADDRCONF(NETDEV_UP): bond0: link is not ready
[   25.182233] 8021q: adding VLAN 0 to HW filter on device bond0
executing program
executing program
executing program
[   25.219479] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
[   25.257852] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
executing program
[   27.913147] ==================================================================
[   27.920600] BUG: KASAN: slab-out-of-bounds in ip6_xmit+0x1f76/0x2260
[   27.927066] Read of size 8 at addr ffff8801d8f08018 by task syzkaller469575/4639
[   27.934569] 
[   27.936173] CPU: 1 PID: 4639 Comm: syzkaller469575 Not tainted 4.16.0-rc5+ #357
[   27.943592] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   27.952917] Call Trace:
[   27.955478]  dump_stack+0x194/0x24d
[   27.959090]  ? arch_local_irq_restore+0x53/0x53
[   27.963731]  ? show_regs_print_info+0x18/0x18
[   27.968221]  ? ip6_xmit+0x1f76/0x2260
[   27.972006]  print_address_description+0x73/0x250
[   27.976836]  ? ip6_xmit+0x1f76/0x2260
[   27.980619]  kasan_report+0x23c/0x360
[   27.984405]  __asan_report_load8_noabort+0x14/0x20
[   27.989312]  ip6_xmit+0x1f76/0x2260
[   27.992923]  ? ip6_finish_output2+0x23a0/0x23a0
[   27.997567]  ? fl6_update_dst+0x127/0x2b0
[   28.001689]  ? inet6_csk_route_socket+0x691/0xe80
[   28.006507]  ? trace_hardirqs_off+0x10/0x10
[   28.010806]  ? lock_acquire+0x1d5/0x580
[   28.014750]  ? lock_acquire+0x1d5/0x580
[   28.018696]  ? inet6_csk_xmit+0x114/0x580
[   28.022818]  ? trace_hardirqs_off+0x10/0x10
[   28.027115]  ? lock_release+0xa40/0xa40
[   28.031077]  inet6_csk_xmit+0x2fc/0x580
[   28.035036]  ? inet6_csk_update_pmtu+0x160/0x160
[   28.039765]  ? __sk_dst_check+0x1a5/0x380
[   28.043891]  ? sock_kfree_s+0x60/0x60
[   28.047682]  l2tp_xmit_skb+0x105f/0x1410
[   28.051728]  ? l2tp_session_create+0xb80/0xb80
[   28.056293]  ? sock_wmalloc+0x15d/0x1d0
[   28.060241]  ? iov_iter_advance+0x13f0/0x13f0
[   28.064713]  ? pppol2tp_sendmsg+0x41b/0x670
[   28.069015]  pppol2tp_sendmsg+0x470/0x670
[   28.073145]  ? selinux_socket_sendmsg+0x36/0x40
[   28.077790]  ? pppol2tp_getsockopt+0x900/0x900
[   28.082346]  sock_sendmsg+0xca/0x110
[   28.086039]  ___sys_sendmsg+0x767/0x8b0
[   28.089991]  ? copy_msghdr_from_user+0x590/0x590
[   28.094729]  ? __pmd_alloc+0x4e0/0x4e0
[   28.098589]  ? selinux_socket_connect+0x311/0x730
[   28.103405]  ? trace_hardirqs_off+0x10/0x10
[   28.107698]  ? find_held_lock+0x35/0x1d0
[   28.111738]  ? __fget_light+0x2b2/0x3c0
[   28.115687]  ? fget_raw+0x20/0x20
[   28.119126]  ? __do_page_fault+0x5f7/0xc90
[   28.123337]  ? lock_downgrade+0x980/0x980
[   28.127465]  __sys_sendmsg+0xe5/0x210
[   28.131244]  ? __sys_sendmsg+0xe5/0x210
[   28.135193]  ? SyS_shutdown+0x290/0x290
[   28.139147]  ? __do_page_fault+0x3d6/0xc90
[   28.143362]  ? move_addr_to_kernel+0x60/0x60
[   28.147749]  SyS_sendmsg+0x2d/0x50
[   28.151263]  ? __sys_sendmsg+0x210/0x210
[   28.155298]  do_syscall_64+0x281/0x940
[   28.159157]  ? __do_page_fault+0xc90/0xc90
[   28.163365]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[   28.168095]  ? syscall_return_slowpath+0x550/0x550
[   28.172997]  ? syscall_return_slowpath+0x2ac/0x550
[   28.177914]  ? prepare_exit_to_usermode+0x350/0x350
[   28.182903]  ? retint_user+0x18/0x18
[   28.186593]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   28.191414]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[   28.196580] RIP: 0033:0x4429a9
[   28.199747] RSP: 002b:00007ffee0431108 EFLAGS: 00000217 ORIG_RAX: 000000000000002e
[   28.207424] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00000000004429a9
[   28.214666] RDX: 0000000000000081 RSI: 000000002037ffc8 RDI: 0000000000000004
[   28.221912] RBP: 0000000000000000 R08: 0000000000000020 R09: 0000000000000020
[   28.229156] R10: 0000000000000020 R11: 0000000000000217 R12: 0000000000006cfb
[   28.236400] R13: 00000000006cf448 R14: 0000000000000000 R15: 0000000000000000
[   28.243661] 
[   28.245259] Allocated by task 3097:
[   28.248861]  save_stack+0x43/0xd0
[   28.252286]  kasan_kmalloc+0xad/0xe0
[   28.255970]  kasan_slab_alloc+0x12/0x20
[   28.259915]  kmem_cache_alloc+0x12e/0x760
[   28.264039]  getname_flags+0xcb/0x580
[   28.267818]  user_path_at_empty+0x2d/0x50
[   28.271936]  SyS_faccessat+0x237/0x6b0
[   28.275795]  do_syscall_64+0x281/0x940
[   28.279653]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[   28.284810] 
[   28.286411] Freed by task 3097:
[   28.289659]  save_stack+0x43/0xd0
[   28.293083]  __kasan_slab_free+0x11a/0x170
[   28.297289]  kasan_slab_free+0xe/0x10
[   28.301062]  kmem_cache_free+0x83/0x2a0
[   28.305006]  putname+0xee/0x130
[   28.308262]  filename_lookup+0x315/0x500
[   28.312292]  user_path_at_empty+0x40/0x50
[   28.316410]  SyS_faccessat+0x237/0x6b0
[   28.320281]  do_syscall_64+0x281/0x940
[   28.324164]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[   28.329339] 
[   28.330951] The buggy address belongs to the object at ffff8801d8f08d00
[   28.330951]  which belongs to the cache names_cache of size 4096
[   28.343665] The buggy address is located 3304 bytes to the left of
[   28.343665]  4096-byte region [ffff8801d8f08d00, ffff8801d8f09d00)
[   28.356119] The buggy address belongs to the page:
[   28.361027] page:ffffea000763c200 count:1 mapcount:0 mapping:ffff8801d8f08d00 index:0x0 compound_mapcount: 0
[   28.370979] flags: 0x2fffc0000008100(slab|head)
[   28.375619] raw: 02fffc0000008100 ffff8801d8f08d00 0000000000000000 0000000100000001
[   28.383471] raw: ffffea0007636420 ffffea0006b1a2a0 ffff8801da5d6600 0000000000000000
[   28.391321] page dumped because: kasan: bad access detected
[   28.397008] 
[   28.398612] Memory state around the buggy address:
[   28.403511]  ffff8801d8f07f00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   28.410857]  ffff8801d8f07f80: 00 00 00 00 00 fc fc fc fc fc fc fc fc fc fc fc
[   28.418193] >ffff8801d8f08000: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   28.425530]                             ^
[   28.429646]  ffff8801d8f08080: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   28.436982]  ffff8801d8f08100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   28.444309] ==================================================================
[   28.451635] Disabling lock debugging due to kernel taint
[   28.457076] Kernel panic - not syncing: panic_on_warn set ...
[   28.457076] 
[   28.464415] CPU: 1 PID: 4639 Comm: syzkaller469575 Tainted: G B 4.16.0-rc5+ #357
[   28.473130] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   28.482458] Call Trace:
[   28.485029]  dump_stack+0x194/0x24d
[   28.488629]  ? arch_local_irq_restore+0x53/0x53
[   28.493268]  ? kasan_end_report+0x32/0x50
[   28.497389]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[   28.502116]  ? vsnprintf+0x1ed/0x1900
[   28.505887]  ? ip6_xmit+0x1f30/0x2260
[   28.509658]  panic+0x1e4/0x41c
[   28.512821]  ? refcount_error_report+0x214/0x214
[   28.517547]  ? add_taint+0x1c/0x50
[   28.521057]  ? add_taint+0x1c/0x50
[   28.524570]  ? ip6_xmit+0x1f76/0x2260
[   28.528341]  kasan_end_report+0x50/0x50
[   28.532287]  kasan_report+0x149/0x360
[   28.536059]  __asan_report_load8_noabort+0x14/0x20
[   28.540960]  ip6_xmit+0x1f76/0x2260
[   28.544565]  ? ip6_finish_output2+0x23a0/0x23a0
[   28.549203]  ? fl6_update_dst+0x127/0x2b0
[   28.553323]  ? inet6_csk_route_socket+0x691/0xe80
[   28.558135]  ? trace_hardirqs_off+0x10/0x10
[   28.562427]  ? lock_acquire+0x1d5/0x580
[   28.566368]  ? lock_acquire+0x1d5/0x580
[   28.570313]  ? inet6_csk_xmit+0x114/0x580
[   28.574439]  ? trace_hardirqs_off+0x10/0x10
[   28.578731]  ? lock_release+0xa40/0xa40
[   28.582682]  inet6_csk_xmit+0x2fc/0x580
[   28.586626]  ? inet6_csk_update_pmtu+0x160/0x160
[   28.591352]  ? __sk_dst_check+0x1a5/0x380
[   28.595469]  ? sock_kfree_s+0x60/0x60
[   28.599256]  l2tp_xmit_skb+0x105f/0x1410
[   28.603303]  ? l2tp_session_create+0xb80/0xb80
[   28.607857]  ? sock_wmalloc+0x15d/0x1d0
[   28.611807]  ? iov_iter_advance+0x13f0/0x13f0
[   28.616274]  ? pppol2tp_sendmsg+0x41b/0x670
[   28.620574]  pppol2tp_sendmsg+0x470/0x670
[   28.624694]  ? selinux_socket_sendmsg+0x36/0x40
[   28.629333]  ? pppol2tp_getsockopt+0x900/0x900
[   28.633887]  sock_sendmsg+0xca/0x110
[   28.637573]  ___sys_sendmsg+0x767/0x8b0
[   28.641519]  ? copy_msghdr_from_user+0x590/0x590
[   28.646247]  ? __pmd_alloc+0x4e0/0x4e0
[   28.650106]  ? selinux_socket_connect+0x311/0x730
[   28.654920]  ? trace_hardirqs_off+0x10/0x10
[   28.659212]  ? find_held_lock+0x35/0x1d0
[   28.663244]  ? __fget_light+0x2b2/0x3c0
[   28.667188]  ? fget_raw+0x20/0x20
[   28.670619]  ? __do_page_fault+0x5f7/0xc90
[   28.674824]  ? lock_downgrade+0x980/0x980
[   28.678947]  __sys_sendmsg+0xe5/0x210
[   28.682718]  ? __sys_sendmsg+0xe5/0x210
[   28.686661]  ? SyS_shutdown+0x290/0x290
[   28.690607]  ? __do_page_fault+0x3d6/0xc90
[   28.694816]  ? move_addr_to_kernel+0x60/0x60
[   28.699198]  SyS_sendmsg+0x2d/0x50
[   28.702706]  ? __sys_sendmsg+0x210/0x210
[   28.706740]  do_syscall_64+0x281/0x940
[   28.710597]  ? __do_page_fault+0xc90/0xc90
[   28.714803]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[   28.719530]  ? syscall_return_slowpath+0x550/0x550
[   28.724428]  ? syscall_return_slowpath+0x2ac/0x550
[   28.729328]  ? prepare_exit_to_usermode+0x350/0x350
[   28.734314]  ? retint_user+0x18/0x18
[   28.738013]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   28.742837]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[   28.747994] RIP: 0033:0x4429a9
[   28.751160] RSP: 002b:00007ffee0431108 EFLAGS: 00000217 ORIG_RAX: 000000000000002e
[   28.758837] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00000000004429a9
[   28.766079] RDX: 0000000000000081 RSI: 000000002037ffc8 RDI: 0000000000000004
[   28.773320] RBP: 0000000000000000 R08: 0000000000000020 R09: 0000000000000020
[   28.780562] R10: 0000000000000020 R11: 0000000000000217 R12: 0000000000006cfb
[   28.787803] R13: 00000000006cf448 R14: 0000000000000000 R15: 0000000000000000
[   28.795482] Dumping ftrace buffer:
[   28.798995]    (ftrace buffer empty)
[   28.802672] Kernel Offset: disabled
[   28.806272] Rebooting in 86400 seconds..