[ ok ] Starting enhanced syslogd: rsyslogd.
[ 16.799938] audit: type=1400 audit(1519984742.639:5): avc: denied { syslog } for pid=4085 comm="rsyslogd" capability=34 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=capability2 permissive=1
Starting mcstransd:
[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting file context maintaining daemon: restorecond.
[ ok ] Starting OpenBSD Secure Shell server: sshd.
Debian GNU/Linux 7 syzkaller ttyS0
syzkaller login:
[ 22.737248] audit: type=1400 audit(1519984748.577:6): avc: denied { map } for pid=4224 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
Warning: Permanently added '10.128.0.37' (ECDSA) to the list of known hosts.
[ 36.265240] audit: type=1400 audit(1519984762.105:7): avc: denied { map } for pid=4240 comm="syzkaller660003" path="/root/syzkaller660003922" dev="sda1" ino=16481 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
[ 36.276173] IPVS: ftp: loaded support on port[0] = 21
net.ipv6.conf.syz_tun.accept_dad = 0
net.ipv6.conf.syz_tun.router_solicitations = 0
[ 36.318261] IPVS: ftp: loaded support on port[0] = 21
net.ipv6.conf.syz_tun.accept_dad = 0
net.ipv6.conf.syz_tun.router_solicitations = 0
[ 36.342773] IPVS: ftp: loaded support on port[0] = 21
net.ipv6.conf.syz_tun.accept_dad = 0
[ 36.376671] IPVS: ftp: loaded support on port[0] = 21
net.ipv6.conf.syz_tun.router_solicitations = 0
net.ipv6.conf.syz_tun.accept_dad = 0
[ 36.418825] IPVS: ftp: loaded support on port[0] = 21
net.ipv6.conf.syz_tun.router_solicitations = 0
net.ipv6.conf.syz_tun.accept_dad = 0
[ 36.457352] IPVS: ftp: loaded support on port[0] = 21
net.ipv6.conf.syz_tun.accept_dad = 0
net.ipv6.conf.syz_tun.router_solicitations = 0 [ 36.499138] IPVS: ftp: loaded support on port[0] = 21 net.ipv6.conf.syz_tun.router_solicitations = 0 net.ipv6.conf.syz_tun.accept_dad = 0 [ 36.579426] IPVS: ftp: loaded support on port[0] = 21 net.ipv6.conf.syz_tun.router_solicitations = 0 net.ipv6.conf.syz_tun.accept_dad = 0 RTNETLINK answers: File exists net.ipv6.conf.syz_tun.router_solicitations = 0 RTNETLINK answers: File exists RTNETLINK answers: File exists RTNETLINK answers: File exists RTNETLINK answers: File exists RTNETLINK answers: File exists RTNETLINK answers: Operation not supported RTNETLINK answers: Operation not supported RTNETLINK answers: File exists RTNETLINK answers: File exists RTNETLINK answers: Operation not supported RTNETLINK answers: Operation not supported RTNETLINK answers: Operation not supported [ 37.159727] IPv6: ADDRCONF(NETDEV_UP): bridge0: link is not ready RTNETLINK answers: No buffer space available RTNETLINK answers: Operation not supported RTNETLINK answers: Operation not supported [ 37.206970] IPv6: ADDRCONF(NETDEV_UP): bridge0: link is not ready RTNETLINK answers: No buffer space available RTNETLINK answers: Operation not supported RTNETLINK answers: Operation not supported RTNETLINK answers: Operation not supported RTNETLINK answers: Operation not supported [ 37.360737] IPv6: ADDRCONF(NETDEV_UP): bridge0: link is not ready [ 37.368366] IPv6: ADDRCONF(NETDEV_UP): bridge0: link is not ready [ 37.381065] IPv6: ADDRCONF(NETDEV_UP): bridge0: link is not ready RTNETLINK answers: No buffer space available RTNETLINK answers: Operation not supported RTNETLINK answers: No buffer space available RTNETLINK answers: No buffer space available RTNETLINK answers: Operation not supported RTNETLINK answers: Operation not supported RTNETLINK answers: Operation not supported [ 37.424420] IPv6: ADDRCONF(NETDEV_UP): bridge0: link is not ready RTNETLINK answers: No buffer space available RTNETLINK answers: Operation not supported RTNETLINK answers: 
Operation not supported RTNETLINK answers: Operation not supported RTNETLINK answers: Operation not supported RTNETLINK answers: Operation not supported RTNETLINK answers: Operation not supported [ 37.549161] IPv6: ADDRCONF(NETDEV_UP): bridge0: link is not ready [ 37.586717] IPv6: ADDRCONF(NETDEV_UP): bridge0: link is not ready RTNETLINK answers: No buffer space available RTNETLINK answers: Operation not supported RTNETLINK answers: Operation not supported RTNETLINK answers: No buffer space available RTNETLINK answers: Operation not supported RTNETLINK answers: Operation not supported RTNETLINK answers: Operation not supported RTNETLINK answers: Operation not supported RTNETLINK answers: Operation not supported RTNETLINK answers: Operation not supported RTNETLINK answers: Operation not supported RTNETLINK answers: Operation not supported RTNETLINK answers: Operation not supported RTNETLINK answers: Operation not supported RTNETLINK answers: Invalid argument RTNETLINK answers: Invalid argument RTNETLINK answers: Operation not supported RTNETLINK answers: Operation not supported RTNETLINK answers: Operation not supported RTNETLINK answers: Operation not supported RTNETLINK answers: Operation not supported RTNETLINK answers: Invalid argument RTNETLINK answers: Invalid argument RTNETLINK answers: Invalid argument RTNETLINK answers: Invalid argument RTNETLINK answers: Invalid argument RTNETLINK answers: Operation not supported RTNETLINK answers: Invalid argument RTNETLINK answers: Invalid argument RTNETLINK answers: Operation not supported RTNETLINK answers: Invalid argument RTNETLINK answers: Invalid argument RTNETLINK answers: Invalid argument RTNETLINK answers: Invalid argument RTNETLINK answers: Invalid argument RTNETLINK answers: Invalid argument RTNETLINK answers: Invalid argument RTNETLINK answers: Invalid argument RTNETLINK answers: Invalid argument RTNETLINK answers: Invalid argument RTNETLINK answers: Invalid argument RTNETLINK answers: Invalid argument 
RTNETLINK answers: Invalid argument
RTNETLINK answers: Invalid argument
RTNETLINK answers: Invalid argument
[ 38.943474] IPv6: ADDRCONF(NETDEV_UP): bond0: link is not ready
[ 38.949713] 8021q: adding VLAN 0 to HW filter on device bond0
[ 39.005565] IPv6: ADDRCONF(NETDEV_UP): bond0: link is not ready
[ 39.011703] 8021q: adding VLAN 0 to HW filter on device bond0
[ 39.143750] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
[ 39.216675] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
[ 39.257634] IPv6: ADDRCONF(NETDEV_UP): bond0: link is not ready
[ 39.263924] 8021q: adding VLAN 0 to HW filter on device bond0
[ 39.329468] IPv6: ADDRCONF(NETDEV_UP): bond0: link is not ready
[ 39.335650] 8021q: adding VLAN 0 to HW filter on device bond0
[ 39.344824] IPv6: ADDRCONF(NETDEV_UP): bond0: link is not ready
[ 39.350915] 8021q: adding VLAN 0 to HW filter on device bond0
[ 39.406420] IPv6: ADDRCONF(NETDEV_UP): veth1: link is not ready
[ 39.412786] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready
[ 39.424203] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 39.484301] nf_conntrack: default automatic helper assignment has been turned off for security reasons and CT-based firewall rule not found. Use the iptables CT target to attach helpers instead.
[ 39.509074] IPv6: ADDRCONF(NETDEV_UP): veth1: link is not ready
[ 39.515279] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready
[ 39.525327] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 39.538583] IPv6: ADDRCONF(NETDEV_UP): bond0: link is not ready
[ 39.544708] 8021q: adding VLAN 0 to HW filter on device bond0
[ 39.552195] nf_conntrack: default automatic helper assignment has been turned off for security reasons and CT-based firewall rule not found. Use the iptables CT target to attach helpers instead.
[ 39.593896] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
[ 39.617326] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
[ 39.626847] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
[ 39.765640] IPv6: ADDRCONF(NETDEV_UP): bond0: link is not ready
[ 39.771799] 8021q: adding VLAN 0 to HW filter on device bond0
[ 39.783087] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
[ 39.791549] IPv6: ADDRCONF(NETDEV_UP): bond0: link is not ready
[ 39.797709] 8021q: adding VLAN 0 to HW filter on device bond0
[ 39.847164] IPv6: ADDRCONF(NETDEV_UP): veth1: link is not ready
[ 39.853354] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready
[ 39.862997] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 39.879704] IPv6: ADDRCONF(NETDEV_UP): veth1: link is not ready
[ 39.891992] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready
[ 39.918884] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 39.925797] nf_conntrack: default automatic helper assignment has been turned off for security reasons and CT-based firewall rule not found. Use the iptables CT target to attach helpers instead.
[ 39.928945] nf_conntrack: default automatic helper assignment has been turned off for security reasons and CT-based firewall rule not found. Use the iptables CT target to attach helpers instead.
[ 39.951937] IPv6: ADDRCONF(NETDEV_UP): veth1: link is not ready
[ 39.969102] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready
[ 39.987776] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 40.046321] nf_conntrack: default automatic helper assignment has been turned off for security reasons and CT-based firewall rule not found. Use the iptables CT target to attach helpers instead.
[ 40.069104] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
[ 40.113383] IPv6: ADDRCONF(NETDEV_UP): veth1: link is not ready
[ 40.122116] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready
[ 40.132224] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 40.159575] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
[ 40.192532] nf_conntrack: default automatic helper assignment has been turned off for security reasons and CT-based firewall rule not found. Use the iptables CT target to attach helpers instead.
[ 40.335258] IPv6: ADDRCONF(NETDEV_UP): veth1: link is not ready
[ 40.341525] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready
[ 40.359437] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 40.411098] nf_conntrack: default automatic helper assignment has been turned off for security reasons and CT-based firewall rule not found. Use the iptables CT target to attach helpers instead.
[ 40.424891] IPv6: ADDRCONF(NETDEV_UP): veth1: link is not ready
[ 40.435132] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready
[ 40.444936] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 40.493008] nf_conntrack: default automatic helper assignment has been turned off for security reasons and CT-based firewall rule not found. Use the iptables CT target to attach helpers instead.
[ 41.777105] ==================================================================
[ 41.784581] BUG: KASAN: use-after-free in __unwind_start+0x2d/0x330
[ 41.790978] Write of size 88 at addr ffff8801a9846e60 by task syzkaller660003/6219
[ 41.798674]
[ 41.800298] CPU: 1 PID: 6219 Comm: syzkaller660003 Not tainted 4.16.0-rc3+ #335
[ 41.807730] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 41.817077] Call Trace:
[ 41.819648]
[ 41.821266] Allocated by task 2956211648:
[ 41.825471] ------------[ cut here ]------------
[ 41.830219] kernel BUG at mm/slab.c:4406!
[ 41.834360] invalid opcode: 0000 [#1] SMP KASAN
[ 41.839015] Dumping ftrace buffer:
[ 41.842536] (ftrace buffer empty)
[ 41.846232] Modules linked in:
[ 41.849413] CPU: 1 PID: 6219 Comm: syzkaller660003 Not tainted 4.16.0-rc3+ #335
[ 41.856843] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 41.866193] RIP: 0010:__check_heap_object+0xa7/0xc0
[ 41.871201] RSP: 0018:ffff8801a9845e20 EFLAGS: 00010046
[ 41.876555] RAX: 0000000000000003 RBX: 1ffff10035308bcb RCX: 000000000000000b
[ 41.883817] RDX: ffff8801a98445c0 RSI: 0000000000000002 RDI: ffff8801a9845f90
[ 41.891078] RBP: ffff8801a9845e20 R08: ffffed0035308bf2 R09: ffff8801dac00c40
[ 41.898336] R10: 00000000000016c6 R11: 0000000000000000 R12: ffff8801a9845f90
[ 41.905593] R13: 0000000000000002 R14: ffffea0006a61100 R15: ffffea0006a61100
[ 41.912857] FS: 0000000000000000(0000) GS:ffff8801db300000(0000) knlGS:0000000000000000
[ 41.921072] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 41.926942] CR2: ffffffff89ed8b88 CR3: 0000000006e22006 CR4: 00000000001606e0
[ 41.934204] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 41.941465] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[ 41.948727] Call Trace:
[ 41.951296] Code: 2c 48 c7 c7 3f 71 c6 86 e8 b7 cb 07 00 5d c3 49 8b 91 08 01 00 00 48 29 c7 48 39 d7 77 be 48 01 d0 48 29 c8 48 39 f0 72 b3 5d c3 <0f> 0b 48 c7 c7 3f 71 c6 86 e8 8b cc 07 00 90 90 90 90 90 90 90
[ 41.970473] RIP: __check_heap_object+0xa7/0xc0 RSP: ffff8801a9845e20
[ 41.976961] ---[ end trace 8f5b8eb895da0bb9 ]---
[ 41.981698] Kernel panic - not syncing: Fatal exception in interrupt
[ 41.988650] Dumping ftrace buffer:
[ 41.992166] (ftrace buffer empty)
[ 41.995846] Kernel Offset: disabled
[ 41.999441] Rebooting in 86400 seconds..