[ ok ] Starting enhanced syslogd: rsyslogd.
[ 17.856054] audit: type=1400 audit(1520392263.162:5): avc: denied { syslog } for pid=4100 comm="rsyslogd" capability=34 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=capability2 permissive=1
[ ok ] Starting periodic command scheduler: cron.
Starting mcstransd:
[ ok ] Starting file context maintaining daemon: restorecond.
[ ok ] Starting OpenBSD Secure Shell server: sshd.

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login:
[ 23.046701] audit: type=1400 audit(1520392268.353:6): avc: denied { map } for pid=4240 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
Warning: Permanently added '10.128.0.60' (ECDSA) to the list of known hosts.
[ 29.342818] audit: type=1400 audit(1520392274.649:7): avc: denied { map } for pid=4254 comm="syz-execprog" path="/root/syz-execprog" dev="sda1" ino=16479 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
2018/03/07 03:11:14 parsed 1 programs
2018/03/07 03:11:14 executed programs: 0
[ 29.576738] audit: type=1400 audit(1520392274.883:8): avc: denied { map } for pid=4254 comm="syz-execprog" path="/root/syzkaller-shm345245634" dev="sda1" ino=16482 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:file_t:s0 tclass=file permissive=1
[ 29.587618] IPVS: ftp: loaded support on port[0] = 21
[ 29.856854] IPv6: ADDRCONF(NETDEV_UP): bridge0: link is not ready
[ 30.235167] IPv6: ADDRCONF(NETDEV_UP): bond0: link is not ready
[ 30.241365] 8021q: adding VLAN 0 to HW filter on device bond0
[ 30.280162] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
[ 30.318365] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 30.335520] ==================================================================
[ 30.342937] BUG: KASAN: slab-out-of-bounds in ip6_xmit+0x1f76/0x2260
[ 30.349405] Read of size 8 at addr ffff8801cf0fb218 by task syz-executor0/4420
[ 30.356733] 
[ 30.358337] CPU: 1 PID: 4420 Comm: syz-executor0 Not tainted 4.16.0-rc4+ #253
[ 30.365584] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 30.374925] Call Trace:
[ 30.377492]  dump_stack+0x194/0x24d
[ 30.381099]  ? arch_local_irq_restore+0x53/0x53
[ 30.385746]  ? show_regs_print_info+0x18/0x18
[ 30.390222]  ? ip6_xmit+0x1f76/0x2260
[ 30.393997]  print_address_description+0x73/0x250
[ 30.398814]  ? ip6_xmit+0x1f76/0x2260
[ 30.402590]  kasan_report+0x23c/0x360
[ 30.406368]  __asan_report_load8_noabort+0x14/0x20
[ 30.411273]  ip6_xmit+0x1f76/0x2260
[ 30.414885]  ? ip6_finish_output2+0x23a0/0x23a0
[ 30.419531]  ? fl6_update_dst+0x127/0x2b0
[ 30.423655]  ? inet6_csk_route_socket+0x691/0xe80
[ 30.428478]  ? trace_hardirqs_off+0x10/0x10
[ 30.432774]  ? lock_acquire+0x1d5/0x580
[ 30.436720]  ? lock_acquire+0x1d5/0x580
[ 30.440666]  ? inet6_csk_xmit+0x114/0x580
[ 30.444791]  ? trace_hardirqs_off+0x10/0x10
[ 30.449092]  ? lock_release+0xa40/0xa40
[ 30.453063]  inet6_csk_xmit+0x2fc/0x580
[ 30.457014]  ? inet6_csk_update_pmtu+0x160/0x160
[ 30.461755]  ? __sk_dst_check+0x1a5/0x380
[ 30.465880]  ? sock_kfree_s+0x60/0x60
[ 30.469672]  l2tp_xmit_skb+0x105f/0x1410
[ 30.473717]  ? l2tp_session_create+0xb80/0xb80
[ 30.478271]  ? sock_wmalloc+0x15d/0x1d0
[ 30.482218]  ? iov_iter_advance+0x13f0/0x13f0
[ 30.486688]  ? pppol2tp_sendmsg+0x41b/0x670
[ 30.490986]  pppol2tp_sendmsg+0x470/0x670
[ 30.495112]  ? selinux_socket_sendmsg+0x36/0x40
[ 30.499757]  ? pppol2tp_getsockopt+0x900/0x900
[ 30.504326]  sock_sendmsg+0xca/0x110
[ 30.508017]  ___sys_sendmsg+0x767/0x8b0
[ 30.511970]  ? copy_msghdr_from_user+0x590/0x590
[ 30.516705]  ? __handle_mm_fault+0x5ba/0x38c0
[ 30.521179]  ? __pmd_alloc+0x4e0/0x4e0
[ 30.525039]  ? trace_hardirqs_off+0x10/0x10
[ 30.529338]  ? selinux_socket_setsockopt+0x80/0x80
[ 30.534250]  ? lock_release+0xa40/0xa40
[ 30.538203]  ? __fget_light+0x2b2/0x3c0
[ 30.542152]  ? fget_raw+0x20/0x20
[ 30.545591]  ? find_held_lock+0x35/0x1d0
[ 30.549638]  __sys_sendmsg+0xe5/0x210
[ 30.553413]  ? __sys_sendmsg+0xe5/0x210
[ 30.557360]  ? SyS_shutdown+0x290/0x290
[ 30.561317]  ? compat_SyS_futex+0x288/0x380
[ 30.565632]  compat_SyS_sendmsg+0x2a/0x40
[ 30.569750]  ? compat_SyS_getsockopt+0x420/0x420
[ 30.574479]  do_fast_syscall_32+0x3ec/0xf9f
[ 30.578789]  ? do_int80_syscall_32+0x9c0/0x9c0
[ 30.583342]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 30.588078]  ? syscall_return_slowpath+0x2ac/0x550
[ 30.592981]  ? prepare_exit_to_usermode+0x350/0x350
[ 30.597975]  ? sysret32_from_system_call+0x5/0x3c
[ 30.602796]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 30.607711]  entry_SYSENTER_compat+0x70/0x7f
[ 30.612095] RIP: 0023:0xf7f67c99
[ 30.615429] RSP: 002b:00000000ffd451cc EFLAGS: 00000282 ORIG_RAX: 0000000000000172
[ 30.623119] RAX: ffffffffffffffda RBX: 0000000000000004 RCX: 000000002037ffc8
[ 30.630363] RDX: 0000000000000081 RSI: 0000000000000000 RDI: 0000000000000000
[ 30.637692] RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
[ 30.644937] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
[ 30.652182] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[ 30.659443] 
[ 30.661054] Allocated by task 0:
[ 30.664398] (stack is not available)
[ 30.668083] 
[ 30.669682] Freed by task 0:
[ 30.672671] (stack is not available)
[ 30.676360] 
[ 30.677959] The buggy address belongs to the object at ffff8801cf0fb200
[ 30.677959]  which belongs to the cache ip_dst_cache of size 168
[ 30.690674] The buggy address is located 24 bytes inside of
[ 30.690674]  168-byte region [ffff8801cf0fb200, ffff8801cf0fb2a8)
[ 30.702432] The buggy address belongs to the page:
[ 30.707342] page:ffffea00073c3ec0 count:1 mapcount:0 mapping:ffff8801cf0fb000 index:0xffff8801cf0fbb00
[ 30.716758] flags: 0x2fffc0000000100(slab)
[ 30.720965] raw: 02fffc0000000100 ffff8801cf0fb000 ffff8801cf0fbb00 000000010000000a
[ 30.728819] raw: ffff8801d541e938 ffffea000729ade0 ffff8801d541f980 0000000000000000
[ 30.736671] page dumped because: kasan: bad access detected
[ 30.742368] 
[ 30.743969] Memory state around the buggy address:
[ 30.748869]  ffff8801cf0fb100: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 30.756200]  ffff8801cf0fb180: 00 00 00 00 00 fc fc fc fc fc fc fc fc fc fc fc
[ 30.763533] >ffff8801cf0fb200: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 30.770863]                             ^
[ 30.774978]  ffff8801cf0fb280: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 30.782308]  ffff8801cf0fb300: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 30.789645] ==================================================================
[ 30.796973] Disabling lock debugging due to kernel taint
[ 30.802422] Kernel panic - not syncing: panic_on_warn set ...
[ 30.802422] 
[ 30.809763] CPU: 1 PID: 4420 Comm: syz-executor0 Tainted: G B 4.16.0-rc4+ #253
[ 30.818309] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 30.827634] Call Trace:
[ 30.830195]  dump_stack+0x194/0x24d
[ 30.833795]  ? arch_local_irq_restore+0x53/0x53
[ 30.838434]  ? kasan_end_report+0x32/0x50
[ 30.842552]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 30.847277]  ? vsnprintf+0x1ed/0x1900
[ 30.851051]  ? ip6_xmit+0x1f30/0x2260
[ 30.854825]  panic+0x1e4/0x41c
[ 30.858001]  ? refcount_error_report+0x214/0x214
[ 30.862734]  ? add_taint+0x1c/0x50
[ 30.866241]  ? add_taint+0x1c/0x50
[ 30.869751]  ? ip6_xmit+0x1f76/0x2260
[ 30.873527]  kasan_end_report+0x50/0x50
[ 30.877476]  kasan_report+0x149/0x360
[ 30.881247]  __asan_report_load8_noabort+0x14/0x20
[ 30.886148]  ip6_xmit+0x1f76/0x2260
[ 30.889752]  ? ip6_finish_output2+0x23a0/0x23a0
[ 30.894389]  ? fl6_update_dst+0x127/0x2b0
[ 30.898507]  ? inet6_csk_route_socket+0x691/0xe80
[ 30.903320]  ? trace_hardirqs_off+0x10/0x10
[ 30.907612]  ? lock_acquire+0x1d5/0x580
[ 30.911555]  ? lock_acquire+0x1d5/0x580
[ 30.915496]  ? inet6_csk_xmit+0x114/0x580
[ 30.919612]  ? trace_hardirqs_off+0x10/0x10
[ 30.923904]  ? lock_release+0xa40/0xa40
[ 30.927856]  inet6_csk_xmit+0x2fc/0x580
[ 30.931800]  ? inet6_csk_update_pmtu+0x160/0x160
[ 30.936527]  ? __sk_dst_check+0x1a5/0x380
[ 30.940647]  ? sock_kfree_s+0x60/0x60
[ 30.944425]  l2tp_xmit_skb+0x105f/0x1410
[ 30.948462]  ? l2tp_session_create+0xb80/0xb80
[ 30.953017]  ? sock_wmalloc+0x15d/0x1d0
[ 30.956966]  ? iov_iter_advance+0x13f0/0x13f0
[ 30.961435]  ? pppol2tp_sendmsg+0x41b/0x670
[ 30.965728]  pppol2tp_sendmsg+0x470/0x670
[ 30.969847]  ? selinux_socket_sendmsg+0x36/0x40
[ 30.974485]  ? pppol2tp_getsockopt+0x900/0x900
[ 30.979034]  sock_sendmsg+0xca/0x110
[ 30.982716]  ___sys_sendmsg+0x767/0x8b0
[ 30.986660]  ? copy_msghdr_from_user+0x590/0x590
[ 30.991392]  ? __handle_mm_fault+0x5ba/0x38c0
[ 30.995861]  ? __pmd_alloc+0x4e0/0x4e0
[ 30.999716]  ? trace_hardirqs_off+0x10/0x10
[ 31.004009]  ? selinux_socket_setsockopt+0x80/0x80
[ 31.008906]  ? lock_release+0xa40/0xa40
[ 31.012855]  ? __fget_light+0x2b2/0x3c0
[ 31.016803]  ? fget_raw+0x20/0x20
[ 31.020241]  ? find_held_lock+0x35/0x1d0
[ 31.024281]  __sys_sendmsg+0xe5/0x210
[ 31.028053]  ? __sys_sendmsg+0xe5/0x210
[ 31.032020]  ? SyS_shutdown+0x290/0x290
[ 31.035976]  ? compat_SyS_futex+0x288/0x380
[ 31.040282]  compat_SyS_sendmsg+0x2a/0x40
[ 31.044417]  ? compat_SyS_getsockopt+0x420/0x420
[ 31.049146]  do_fast_syscall_32+0x3ec/0xf9f
[ 31.053440]  ? do_int80_syscall_32+0x9c0/0x9c0
[ 31.057991]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 31.062725]  ? syscall_return_slowpath+0x2ac/0x550
[ 31.067628]  ? prepare_exit_to_usermode+0x350/0x350
[ 31.072617]  ? sysret32_from_system_call+0x5/0x3c
[ 31.077433]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 31.082249]  entry_SYSENTER_compat+0x70/0x7f
[ 31.086624] RIP: 0023:0xf7f67c99
[ 31.089956] RSP: 002b:00000000ffd451cc EFLAGS: 00000282 ORIG_RAX: 0000000000000172
[ 31.097631] RAX: ffffffffffffffda RBX: 0000000000000004 RCX: 000000002037ffc8
[ 31.104871] RDX: 0000000000000081 RSI: 0000000000000000 RDI: 0000000000000000
[ 31.112110] RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
[ 31.119348] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
[ 31.126590] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[ 31.134198] Dumping ftrace buffer:
[ 31.137722]    (ftrace buffer empty)
[ 31.141405] Kernel Offset: disabled
[ 31.145005] Rebooting in 86400 seconds..