[....] Starting enhanced syslogd: rsyslogd
[   13.190407] audit: type=1400 audit(1516642798.526:5): avc: denied { syslog } for pid=3502 comm="rsyslogd" capability=34 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=capability2 permissive=1
[ ok ] Starting enhanced syslogd: rsyslogd.
[ ok ] Starting periodic command scheduler: cron.
Starting mcstransd:
[ ok ] Starting file context maintaining daemon: restorecond.
[ ok ] Starting OpenBSD Secure Shell server: sshd.

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [   19.155204] audit: type=1400 audit(1516642804.490:6): avc: denied { map } for pid=3642 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
Warning: Permanently added '10.128.15.197' (ECDSA) to the list of known hosts.
[   25.447550] audit: type=1400 audit(1516642810.783:7): avc: denied { map } for pid=3656 comm="syzkaller926412" path="/root/syzkaller926412531" dev="sda1" ino=16481 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
net.ipv6.conf.syz0.accept_dad = 0
net.ipv6.conf.syz0.router_solicitations = 0
RTNETLINK answers: Operation not supported
RTNETLINK answers: No buffer space available
RTNETLINK answers: Operation not supported
[   25.825798] IPv6: ADDRCONF(NETDEV_UP): bridge0: link is not ready
RTNETLINK answers: Operation not supported
RTNETLINK answers: Operation not supported
RTNETLINK answers: Operation not supported
RTNETLINK answers: Invalid argument
RTNETLINK answers: Invalid argument
RTNETLINK answers: Invalid argument
executing program
[   26.157933] ==================================================================
[   26.165336] BUG: KASAN: use-after-free in erspan_build_header+0x3bf/0x3d0
[   26.172232] Read of size 2 at addr ffff8801c36b328b by task syzkaller926412/3657
[   26.179731]
[   26.181332] CPU: 1 PID: 3657 Comm: syzkaller926412 Not tainted 4.15.0-rc9+ #184
[   26.188753] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   26.198080] Call Trace:
[   26.200645]  dump_stack+0x194/0x257
[   26.204249]  ? arch_local_irq_restore+0x53/0x53
[   26.208891]  ? show_regs_print_info+0x18/0x18
[   26.213359]  ? refcount_add+0x24/0x60
[   26.217142]  ? erspan_build_header+0x3bf/0x3d0
[   26.221702]  print_address_description+0x73/0x250
[   26.226520]  ? erspan_build_header+0x3bf/0x3d0
[   26.231076]  kasan_report+0x25b/0x340
[   26.234869]  __asan_report_load_n_noabort+0xf/0x20
[   26.239775]  erspan_build_header+0x3bf/0x3d0
[   26.244163]  erspan_xmit+0x3b8/0x13b0
[   26.247940]  ? prepare_fb_xmit+0x9a0/0x9a0
[   26.252147]  ? netif_skb_features+0x9b0/0x9b0
[   26.256616]  ? __dev_get_by_index+0x1a0/0x1a0
[   26.261089]  ? check_noncircular+0x20/0x20
[   26.265307]  packet_direct_xmit+0x315/0x6b0
[   26.269611]  packet_sendmsg+0x3aed/0x60b0
[   26.273740]  ? find_held_lock+0x35/0x1d0
[   26.277784]  ? avc_has_perm+0x35e/0x680
[   26.281750]  ? packet_cached_dev_get+0x2b0/0x2b0
[   26.286484]  ? avc_has_perm+0x43e/0x680
[   26.290434]  ? avc_has_perm_noaudit+0x520/0x520
[   26.295074]  ? packet_setsockopt+0xfa5/0x1ea0
[   26.299550]  ? fanout_add+0x1430/0x1430
[   26.303495]  ? find_held_lock+0x35/0x1d0
[   26.307537]  ? find_held_lock+0x35/0x1d0
[   26.311578]  ? sock_has_perm+0x2a4/0x420
[   26.315615]  ? selinux_secmark_relabel_packet+0xc0/0xc0
[   26.320950]  ? lock_release+0x952/0xa40
[   26.324898]  ? trace_event_raw_event_sched_switch+0x800/0x800
[   26.330762]  ? __check_object_size+0x25d/0x4f0
[   26.335314]  ? avc_has_perm+0x43e/0x680
[   26.339273]  ? selinux_socket_sendmsg+0x36/0x40
[   26.343912]  ? security_socket_sendmsg+0x89/0xb0
[   26.348641]  ? packet_cached_dev_get+0x2b0/0x2b0
[   26.353369]  sock_sendmsg+0xca/0x110
[   26.357056]  SYSC_sendto+0x361/0x5c0
[   26.360751]  ? SYSC_connect+0x4a0/0x4a0
[   26.364701]  ? sock_has_perm+0x2a4/0x420
[   26.368736]  ? selinux_secmark_relabel_packet+0xc0/0xc0
[   26.374080]  ? selinux_netlbl_sock_rcv_skb+0x730/0x730
[   26.379330]  ? lock_downgrade+0x980/0x980
[   26.383470]  ? compat_packet_setsockopt+0xe8/0x140
[   26.388373]  ? fput+0xd2/0x140
[   26.391551]  ? compat_SyS_setsockopt+0x200/0x410
[   26.396277]  ? packet_setsockopt+0x1ea0/0x1ea0
[   26.400834]  ? scm_detach_fds_compat+0x3c0/0x3c0
[   26.405564]  SyS_sendto+0x40/0x50
[   26.408990]  ? SyS_getpeername+0x30/0x30
[   26.413036]  do_fast_syscall_32+0x3ee/0xf9d
[   26.417340]  ? do_int80_syscall_32+0x9d0/0x9d0
[   26.421894]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[   26.426626]  ? syscall_return_slowpath+0x2ad/0x550
[   26.431527]  ? prepare_exit_to_usermode+0x340/0x340
[   26.436528]  ? sysret32_from_system_call+0x5/0x3b
[   26.441348]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   26.446179]  entry_SYSENTER_compat+0x54/0x63
[   26.450567] RIP: 0023:0xf7fd6c79
[   26.453906] RSP: 002b:00000000fff9937c EFLAGS: 00000282 ORIG_RAX: 0000000000000171
[   26.461584] RAX: ffffffffffffffda RBX: 0000000000000004 RCX: 0000000020003fd9
[   26.468825] RDX: 0000000000000000 RSI: 0000000000000001 RDI: 0000000020008000
[   26.476067] RBP: 000000000000001c R08: 0000000000000000 R09: 0000000000000000
[   26.483309] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
[   26.490550] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[   26.497821]
[   26.499421] Allocated by task 3246:
[   26.503027]  save_stack+0x43/0xd0
[   26.506451]  kasan_kmalloc+0xad/0xe0
[   26.510138]  kasan_slab_alloc+0x12/0x20
[   26.514085]  kmem_cache_alloc+0x12e/0x760
[   26.518207]  getname_flags+0xcb/0x580
[   26.521978]  getname+0x19/0x20
[   26.525142]  do_sys_open+0x2e7/0x6d0
[   26.528829]  SyS_open+0x2d/0x40
[   26.532085]  entry_SYSCALL_64_fastpath+0x29/0xa0
[   26.536813]
[   26.538412] Freed by task 3246:
[   26.541667]  save_stack+0x43/0xd0
[   26.545090]  kasan_slab_free+0x71/0xc0
[   26.548949]  kmem_cache_free+0x83/0x2a0
[   26.552895]  putname+0xee/0x130
[   26.556149]  do_sys_open+0x31b/0x6d0
[   26.559832]  SyS_open+0x2d/0x40
[   26.563084]  entry_SYSCALL_64_fastpath+0x29/0xa0
[   26.567808]
[   26.569410] The buggy address belongs to the object at ffff8801c36b2e80
[   26.569410]  which belongs to the cache names_cache of size 4096
[   26.582141] The buggy address is located 1035 bytes inside of
[   26.582141]  4096-byte region [ffff8801c36b2e80, ffff8801c36b3e80)
[   26.594164] The buggy address belongs to the page:
[   26.599073] page:ffffea00070dac80 count:1 mapcount:0 mapping:ffff8801c36b2e80 index:0x0 compound_mapcount: 0
[   26.609016] flags: 0x2fffc0000008100(slab|head)
[   26.613665] raw: 02fffc0000008100 ffff8801c36b2e80 0000000000000000 0000000100000001
[   26.621521] raw: ffffea00070db3a0 ffffea00070dafa0 ffff8801dae2c600 0000000000000000
[   26.629370] page dumped because: kasan: bad access detected
[   26.635054]
[   26.636656] Memory state around the buggy address:
[   26.641556]  ffff8801c36b3180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   26.648885]  ffff8801c36b3200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   26.656235] >ffff8801c36b3280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   26.663563]                                                     ^
[   26.667171]  ffff8801c36b3300: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   26.674503]  ffff8801c36b3380: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   26.681831] ==================================================================
[   26.689160] Disabling lock debugging due to kernel taint
[   26.694621] Kernel panic - not syncing: panic_on_warn set ...
[   26.694621]
[   26.701967] CPU: 1 PID: 3657 Comm: syzkaller926412 Tainted: G    B    4.15.0-rc9+ #184
[   26.710689] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   26.720018] Call Trace:
[   26.722588]  dump_stack+0x194/0x257
[   26.726193]  ? arch_local_irq_restore+0x53/0x53
[   26.730841]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[   26.735568]  ? vsnprintf+0x1ed/0x1900
[   26.739342]  ? erspan_build_header+0x360/0x3d0
[   26.743897]  panic+0x1e4/0x41c
[   26.747062]  ? refcount_error_report+0x214/0x214
[   26.751792]  ? add_taint+0x1c/0x50
[   26.755303]  ? add_taint+0x1c/0x50
[   26.758815]  ? erspan_build_header+0x3bf/0x3d0
[   26.763370]  kasan_end_report+0x50/0x50
[   26.767318]  kasan_report+0x144/0x340
[   26.771092]  __asan_report_load_n_noabort+0xf/0x20
[   26.776013]  erspan_build_header+0x3bf/0x3d0
[   26.780403]  erspan_xmit+0x3b8/0x13b0
[   26.784180]  ? prepare_fb_xmit+0x9a0/0x9a0
[   26.788389]  ? netif_skb_features+0x9b0/0x9b0
[   26.792857]  ? __dev_get_by_index+0x1a0/0x1a0
[   26.797325]  ? check_noncircular+0x20/0x20
[   26.801546]  packet_direct_xmit+0x315/0x6b0
[   26.805840]  packet_sendmsg+0x3aed/0x60b0
[   26.809961]  ? find_held_lock+0x35/0x1d0
[   26.813997]  ? avc_has_perm+0x35e/0x680
[   26.817963]  ? packet_cached_dev_get+0x2b0/0x2b0
[   26.822694]  ? avc_has_perm+0x43e/0x680
[   26.826650]  ? avc_has_perm_noaudit+0x520/0x520
[   26.831296]  ? packet_setsockopt+0xfa5/0x1ea0
[   26.835766]  ? fanout_add+0x1430/0x1430
[   26.839711]  ? find_held_lock+0x35/0x1d0
[   26.843747]  ? find_held_lock+0x35/0x1d0
[   26.847783]  ? sock_has_perm+0x2a4/0x420
[   26.851817]  ? selinux_secmark_relabel_packet+0xc0/0xc0
[   26.857158]  ? lock_release+0x952/0xa40
[   26.861115]  ? trace_event_raw_event_sched_switch+0x800/0x800
[   26.866973]  ? __check_object_size+0x25d/0x4f0
[   26.871527]  ? avc_has_perm+0x43e/0x680
[   26.875478]  ? selinux_socket_sendmsg+0x36/0x40
[   26.880121]  ? security_socket_sendmsg+0x89/0xb0
[   26.884854]  ? packet_cached_dev_get+0x2b0/0x2b0
[   26.889585]  sock_sendmsg+0xca/0x110
[   26.893269]  SYSC_sendto+0x361/0x5c0
[   26.896957]  ? SYSC_connect+0x4a0/0x4a0
[   26.900903]  ? sock_has_perm+0x2a4/0x420
[   26.904934]  ? selinux_secmark_relabel_packet+0xc0/0xc0
[   26.910269]  ? selinux_netlbl_sock_rcv_skb+0x730/0x730
[   26.915514]  ? lock_downgrade+0x980/0x980
[   26.919642]  ? compat_packet_setsockopt+0xe8/0x140
[   26.924546]  ? fput+0xd2/0x140
[   26.927723]  ? compat_SyS_setsockopt+0x200/0x410
[   26.932452]  ? packet_setsockopt+0x1ea0/0x1ea0
[   26.937021]  ? scm_detach_fds_compat+0x3c0/0x3c0
[   26.941760]  SyS_sendto+0x40/0x50
[   26.945195]  ? SyS_getpeername+0x30/0x30
[   26.949229]  do_fast_syscall_32+0x3ee/0xf9d
[   26.953524]  ? do_int80_syscall_32+0x9d0/0x9d0
[   26.958077]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[   26.962809]  ? syscall_return_slowpath+0x2ad/0x550
[   26.967709]  ? prepare_exit_to_usermode+0x340/0x340
[   26.972696]  ? sysret32_from_system_call+0x5/0x3b
[   26.977511]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   26.982327]  entry_SYSENTER_compat+0x54/0x63
[   26.986706] RIP: 0023:0xf7fd6c79
[   26.990039] RSP: 002b:00000000fff9937c EFLAGS: 00000282 ORIG_RAX: 0000000000000171
[   26.997732] RAX: ffffffffffffffda RBX: 0000000000000004 RCX: 0000000020003fd9
[   27.004983] RDX: 0000000000000000 RSI: 0000000000000001 RDI: 0000000020008000
[   27.012228] RBP: 000000000000001c R08: 0000000000000000 R09: 0000000000000000
[   27.019471] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
[   27.026714] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[   27.034432] Dumping ftrace buffer:
[   27.037957]    (ftrace buffer empty)
[   27.041635] Kernel Offset: disabled
[   27.045232] Rebooting in 86400 seconds..
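The report above is what a fuzzer hands a triager, and the facts that decide priority (bug class, faulting function, access size and offset inside the object, the syscall the reproducer went through, and where the object was really allocated and freed) are scattered across it. The following is an added triage example, not part of the syzkaller output and not any kernel tool: it parses the KASAN report text into those fields and cross-checks the reported offset against the addresses. SAMPLE_LOG is a constructed excerpt of the report above with the timestamps kept; the regexes and the origin() heuristic are this example's own assumptions about the 4.15-era report layout.

```python
"""Triage helper: pull the facts that matter out of a KASAN report (added example)."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample: a trimmed excerpt of the report above, timestamps kept.
SAMPLE_LOG = """\
[   26.165336] BUG: KASAN: use-after-free in erspan_build_header+0x3bf/0x3d0
[   26.172232] Read of size 2 at addr ffff8801c36b328b by task syzkaller926412/3657
[   26.181332] CPU: 1 PID: 3657 Comm: syzkaller926412 Not tainted 4.15.0-rc9+ #184
[   26.198080] Call Trace:
[   26.200645]  dump_stack+0x194/0x257
[   26.217142]  ? erspan_build_header+0x3bf/0x3d0
[   26.239775]  erspan_build_header+0x3bf/0x3d0
[   26.244163]  erspan_xmit+0x3b8/0x13b0
[   26.247940]  ? prepare_fb_xmit+0x9a0/0x9a0
[   26.265307]  packet_direct_xmit+0x315/0x6b0
[   26.269611]  packet_sendmsg+0x3aed/0x60b0
[   26.353369]  sock_sendmsg+0xca/0x110
[   26.357056]  SYSC_sendto+0x361/0x5c0
[   26.405564]  SyS_sendto+0x40/0x50
[   26.413036]  do_fast_syscall_32+0x3ee/0xf9d
[   26.446179]  entry_SYSENTER_compat+0x54/0x63
[   26.450567] RIP: 0023:0xf7fd6c79
[   26.499421] Allocated by task 3246:
[   26.503027]  save_stack+0x43/0xd0
[   26.506451]  kasan_kmalloc+0xad/0xe0
[   26.518207]  getname_flags+0xcb/0x580
[   26.525142]  do_sys_open+0x2e7/0x6d0
[   26.528829]  SyS_open+0x2d/0x40
[   26.538412] Freed by task 3246:
[   26.541667]  save_stack+0x43/0xd0
[   26.545090]  kasan_slab_free+0x71/0xc0
[   26.552895]  putname+0xee/0x130
[   26.556149]  do_sys_open+0x31b/0x6d0
[   26.559832]  SyS_open+0x2d/0x40
[   26.569410] The buggy address belongs to the object at ffff8801c36b2e80
[   26.569410]  which belongs to the cache names_cache of size 4096
[   26.582141] The buggy address is located 1035 bytes inside of
[   26.582141]  4096-byte region [ffff8801c36b2e80, ffff8801c36b3e80)
"""

TS_RE = re.compile(r"^\[\s*\d+\.\d+\]\s?")                      # "[   26.165336] " prefix
BUG_RE = re.compile(r"BUG: KASAN: (?P<kind>[\w-]+) in (?P<func>[\w.]+)\+0x")
ACCESS_RE = re.compile(r"(?P<op>Read|Write) of size (?P<size>\d+) at addr (?P<addr>[0-9a-f]+)"
                       r" by task (?P<comm>\S+)/(?P<pid>\d+)")
FRAME_RE = re.compile(r"^\s*(?P<unreliable>\?\s+)?(?P<sym>[\w.]+)\+0x[0-9a-f]+/0x[0-9a-f]+$")
ALLOC_RE = re.compile(r"^Allocated by task (?P<pid>\d+):")
FREE_RE = re.compile(r"^Freed by task (?P<pid>\d+):")
OBJ_RE = re.compile(r"belongs to the object at (?P<obj>[0-9a-f]+)")
CACHE_RE = re.compile(r"belongs to the cache (?P<cache>\S+) of size (?P<size>\d+)")
LOC_RE = re.compile(r"located (?P<n>\d+) bytes inside of")
# Allocator/KASAN plumbing that sits on top of every alloc/free stack (assumed prefix list).
INFRA = ("save_stack", "kasan_", "__kasan", "kmem_cache_", "kfree", "__kmalloc", "kmalloc")


@dataclass
class KasanReport:
    kind: str = ""
    func: str = ""
    op: str = ""
    size: int = 0
    addr: int = 0
    comm: str = ""
    pid: int = 0
    trace: List[str] = field(default_factory=list)       # reliable frames only
    alloc_pid: Optional[int] = None
    alloc_stack: List[str] = field(default_factory=list)
    free_pid: Optional[int] = None
    free_stack: List[str] = field(default_factory=list)
    obj: int = 0
    cache: str = ""
    cache_size: int = 0
    reported_offset: Optional[int] = None

    @property
    def offset(self) -> int:
        return self.addr - self.obj

    def consistent(self) -> bool:
        """Reported offset matches the addresses and the access lies inside the object."""
        return self.reported_offset == self.offset and 0 <= self.offset < self.cache_size

    def syscall(self) -> Optional[str]:
        """Outermost syscall entry in the faulting stack (scan from the entry point inward)."""
        return next((s for s in reversed(self.trace)
                     if s.startswith(("SyS_", "SYSC_", "__x64_sys_", "__ia32_sys_"))), None)


def origin(stack: List[str]) -> Optional[str]:
    """First frame that is not allocator/KASAN plumbing: the real allocation or free site."""
    return next((s for s in stack if not s.startswith(INFRA)), None)


def parse_kasan(text: str) -> KasanReport:
    r = KasanReport()
    section: Optional[List[str]] = None   # which stack the next frame lines belong to
    for raw in text.splitlines():
        line = TS_RE.sub("", raw)
        if m := BUG_RE.search(line):
            r.kind, r.func = m["kind"], m["func"]
        elif m := ACCESS_RE.search(line):
            r.op, r.size, r.addr = m["op"], int(m["size"]), int(m["addr"], 16)
            r.comm, r.pid = m["comm"], int(m["pid"])
        elif line.startswith("Call Trace:"):
            section = r.trace
        elif m := ALLOC_RE.match(line):
            r.alloc_pid, section = int(m["pid"]), r.alloc_stack
        elif m := FREE_RE.match(line):
            r.free_pid, section = int(m["pid"]), r.free_stack
        elif m := OBJ_RE.search(line):
            r.obj, section = int(m["obj"], 16), None
        elif m := CACHE_RE.search(line):
            r.cache, r.cache_size = m["cache"], int(m["size"])
        elif m := LOC_RE.search(line):
            r.reported_offset = int(m["n"])
        elif section is not None and (m := FRAME_RE.match(line)):
            if not m["unreliable"]:      # '?' frames are stale stack slots, not real callers
                section.append(m["sym"])
    return r


def summary(r: KasanReport) -> str:
    return (f"{r.kind}: {r.op.lower()} of {r.size} byte(s) in {r.func}() at +{r.offset} "
            f"into a {r.cache} object, reached via {r.syscall() or 'unknown syscall'} "
            f"by {r.comm}/{r.pid}; object allocated in {origin(r.alloc_stack)} and freed in "
            f"{origin(r.free_stack)} by task {r.free_pid}; offset check "
            f"{'ok' if r.consistent() else 'MISMATCH'}")


if __name__ == "__main__":
    print(summary(parse_kasan(SAMPLE_LOG)))
```

Run against the excerpt, the summary states what the report says without the noise: a 2-byte read in erspan_build_header() 1035 bytes into a 4096-byte names_cache object (a pathname buffer allocated in getname_flags and freed in putname by task 3246's open()), reached through sendto() on a packet socket by task 3657. The '?' frames are dropped deliberately; they are leftover stack slots and quoting them as callers is a common triage mistake.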