[....] Starting enhanced syslogd: rsyslogd[ 12.751854] audit: type=1400 audit(1512820359.924:5): avc: denied { syslog } for pid=2993 comm="rsyslogd" capability=34 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=capability2 permissive=1 [?25l[?1c7[ ok 8[?25h[?0c. [....] Starting periodic command scheduler: cron[?25l[?1c7[ ok 8[?25h[?0c. Starting mcstransd: [....] Starting file context maintaining daemon: restorecond[?25l[?1c7[ ok 8[?25h[?0c. [....] Starting OpenBSD Secure Shell server: sshd[?25l[?1c7[ ok 8[?25h[?0c. Debian GNU/Linux 7 syzkaller ttyS0 syzkaller login: [ 19.868839] audit: type=1400 audit(1512820367.041:6): avc: denied { map } for pid=3133 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1 Warning: Permanently added 'ci-upstream-kasan-gce-386-1,10.128.15.224' (ECDSA) to the list of known hosts. executing program [ 26.274162] audit: type=1400 audit(1512820373.446:7): avc: denied { map } for pid=3147 comm="syzkaller165057" path="/root/syzkaller165057384" dev="sda1" ino=16481 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1 [ 26.279428] ================================================================== [ 26.279450] BUG: KASAN: stack-out-of-bounds in xfrm_state_find+0x30fc/0x3230 [ 26.279458] Read of size 4 at addr ffff8801c46bf5c0 by task syzkaller165057/3147 [ 26.279462] [ 26.279471] CPU: 0 PID: 3147 Comm: syzkaller165057 Not tainted 4.15.0-rc2+ #124 [ 26.279477] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 26.279481] Call Trace: [ 26.279493] dump_stack+0x194/0x257 [ 26.279508] ? arch_local_irq_restore+0x53/0x53 [ 26.279520] ? show_regs_print_info+0x18/0x18 [ 26.279534] ? lock_release+0xda0/0xda0 [ 26.279546] ? xfrm_state_find+0x30fc/0x3230 [ 26.279559] print_address_description+0x73/0x250 [ 26.279570] ? xfrm_state_find+0x30fc/0x3230 [ 26.279581] kasan_report+0x25b/0x340 [ 26.279598] __asan_report_load4_noabort+0x14/0x20 [ 26.279607] xfrm_state_find+0x30fc/0x3230 [ 26.279651] ? xfrm_state_afinfo_get_rcu+0x160/0x160 [ 26.279665] ? __unwind_start+0x169/0x330 [ 26.279677] ? __kernel_text_address+0xd/0x40 [ 26.279694] ? __save_stack_trace+0x61/0xd0 [ 26.279714] ? udp_sendmsg+0x19b8/0x2cd0 [ 26.279730] ? save_stack_trace+0x1a/0x20 [ 26.279739] ? __lock_acquire+0x324e/0x47f0 [ 26.279746] ? find_held_lock+0x39/0x1d0 [ 26.279786] ? debug_check_no_locks_freed+0x3d0/0x3d0 [ 26.279799] ? print_usage_bug+0x3f0/0x3f0 [ 26.279810] ? lock_downgrade+0x980/0x980 [ 26.279823] ? depot_save_stack+0x1c2/0x490 [ 26.279843] ? lock_release+0xda0/0xda0 [ 26.279858] ? is_bpf_text_address+0xa4/0x120 [ 26.279874] ? __lock_acquire+0x6e9/0x47f0 [ 26.279881] ? check_noncircular+0x20/0x20 [ 26.279895] ? trace_hardirqs_on_caller+0x421/0x5c0 [ 26.279912] xfrm_tmpl_resolve+0x309/0xc00 [ 26.279948] ? __xfrm_decode_session+0x110/0x110 [ 26.279968] ? lock_downgrade+0x980/0x980 [ 26.279981] ? rt_add_uncached_list+0xa2/0x240 [ 26.279992] ? check_noncircular+0x20/0x20 [ 26.280004] ? unwind_dump+0x4d0/0x4d0 [ 26.280019] ? check_noncircular+0x20/0x20 [ 26.280038] xfrm_resolve_and_create_bundle+0x11b/0x2600 [ 26.280050] ? trace_hardirqs_on_caller+0x421/0x5c0 [ 26.280062] ? trace_hardirqs_on+0xd/0x10 [ 26.280072] ? __local_bh_enable_ip+0x121/0x230 [ 26.280086] ? _raw_spin_unlock_bh+0x30/0x40 [ 26.280102] ? find_held_lock+0x39/0x1d0 [ 26.280114] ? xfrm_tmpl_resolve+0xc00/0xc00 [ 26.280136] ? lock_downgrade+0x980/0x980 [ 26.280147] ? xfrm_selector_match+0xe00/0xe00 [ 26.280159] ? rt_cache_route+0x300/0x300 [ 26.280175] ? lock_release+0xda0/0xda0 [ 26.280192] ? refcount_inc_not_zero+0xfe/0x180 [ 26.280210] ? selinux_xfrm_policy_lookup+0xac/0xd0 [ 26.280225] ? security_xfrm_policy_lookup+0x92/0xc0 [ 26.280242] ? xfrm_sk_policy_lookup+0x334/0x490 [ 26.280261] ? xfrm_selector_match+0xe00/0xe00 [ 26.280274] ? check_noncircular+0x20/0x20 [ 26.280293] xfrm_lookup+0x1574/0x23f0 [ 26.280301] ? xfrm_lookup+0x1574/0x23f0 [ 26.280313] ? unwind_next_frame.part.6+0x1a6/0xb40 [ 26.280343] ? xfrm_policy_lookup_bytype.constprop.47+0x960/0x960 [ 26.280357] ? find_held_lock+0x39/0x1d0 [ 26.280384] ? lock_downgrade+0x980/0x980 [ 26.280395] ? ip_route_output_key_hash+0x1a6/0x370 [ 26.280407] ? unwind_next_frame.part.6+0x1a6/0xb40 [ 26.280423] ? lock_release+0xda0/0xda0 [ 26.280450] ? lock_downgrade+0x980/0x980 [ 26.280467] ? ip_route_output_key_hash+0x252/0x370 [ 26.280480] ? ip_route_output_key_hash_rcu+0x2c20/0x2c20 [ 26.280488] ? lock_release+0xda0/0xda0 [ 26.280510] xfrm_lookup_route+0x39/0x1a0 [ 26.280525] ip_route_output_flow+0x7c/0xa0 [ 26.280538] udp_sendmsg+0x19b8/0x2cd0 [ 26.280548] ? unwind_get_return_address+0x61/0xa0 [ 26.280562] ? ip_reply_glue_bits+0xb0/0xb0 [ 26.280588] ? udp_lib_get_port+0x1b30/0x1b30 [ 26.280598] ? debug_check_no_locks_freed+0x3d0/0x3d0 [ 26.280618] ? debug_check_no_locks_freed+0x3d0/0x3d0 [ 26.280667] ? mark_held_locks+0xb2/0x100 [ 26.280675] ? refcount_inc_not_zero+0xfe/0x180 [ 26.280688] ? check_noncircular+0x20/0x20 [ 26.280699] ? trace_hardirqs_on_caller+0x421/0x5c0 [ 26.280708] ? udp_lib_get_port+0x785/0x1b30 [ 26.280716] ? trace_hardirqs_on+0xd/0x10 [ 26.280726] ? __local_bh_enable_ip+0x121/0x230 [ 26.280742] udpv6_sendmsg+0x743/0x3380 [ 26.280751] ? check_noncircular+0x20/0x20 [ 26.280782] ? udpv6_setsockopt+0x80/0x80 [ 26.280801] ? find_held_lock+0x39/0x1d0 [ 26.280827] ? lock_downgrade+0x980/0x980 [ 26.280838] ? lock_downgrade+0x980/0x980 [ 26.280872] ? __local_bh_enable_ip+0x121/0x230 [ 26.280885] ? trace_hardirqs_on_caller+0x421/0x5c0 [ 26.280894] ? release_sock+0x1d4/0x2a0 [ 26.280903] ? trace_hardirqs_on+0xd/0x10 [ 26.280913] ? __local_bh_enable_ip+0x121/0x230 [ 26.280926] ? _raw_spin_unlock_bh+0x30/0x40 [ 26.280935] ? release_sock+0x1d4/0x2a0 [ 26.280948] ? __release_sock+0x360/0x360 [ 26.280955] ? udp6_portaddr_hash+0x146/0x2f0 [ 26.280971] ? udp_v6_get_port+0x9c/0xc0 [ 26.280991] inet_sendmsg+0x11f/0x5e0 [ 26.281001] ? inet_sendmsg+0x11f/0x5e0 [ 26.281010] ? __might_sleep+0x95/0x190 [ 26.281022] ? inet_recvmsg+0x5f0/0x5f0 [ 26.281035] ? selinux_socket_sendmsg+0x36/0x40 [ 26.281046] ? security_socket_sendmsg+0x89/0xb0 [ 26.281056] ? inet_recvmsg+0x5f0/0x5f0 [ 26.281071] sock_sendmsg+0xca/0x110 [ 26.281085] SYSC_sendto+0x358/0x5a0 [ 26.281102] ? SYSC_connect+0x480/0x480 [ 26.281123] ? lock_downgrade+0x980/0x980 [ 26.281164] ? __handle_mm_fault+0x3e20/0x3e20 [ 26.281172] ? vmacache_find+0x5f/0x280 [ 26.281193] ? up_read+0x1a/0x40 [ 26.281204] ? __do_page_fault+0x3d6/0xc90 [ 26.281229] SyS_sendto+0x40/0x50 [ 26.281241] ? SyS_getpeername+0x30/0x30 [ 26.281253] do_fast_syscall_32+0x3ee/0xf9d [ 26.281274] ? do_int80_syscall_32+0x9d0/0x9d0 [ 26.281284] ? kasan_check_read+0x11/0x20 [ 26.281298] ? syscall_return_slowpath+0x550/0x550 [ 26.281310] ? SyS_rt_sigaction+0x94/0x1b0 [ 26.281324] ? lockdep_sys_exit+0x47/0xf0 [ 26.281337] ? retint_user+0x18/0x18 [ 26.281355] ? trace_hardirqs_off_thunk+0x1a/0x1c [ 26.281376] entry_SYSENTER_compat+0x51/0x60 [ 26.281384] RIP: 0023:0xf7ffbc79 [ 26.281389] RSP: 002b:00000000ffc63c1c EFLAGS: 00000286 ORIG_RAX: 0000000000000171 [ 26.281401] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 000000002028a000 [ 26.281407] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000020999000 [ 26.281413] RBP: 000000000000001c R08: 0000000000000000 R09: 0000000000000000 [ 26.281419] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000 [ 26.281425] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000 [ 26.281456] [ 26.281461] The buggy address belongs to the page: [ 26.281471] page:000000008c25921c count:0 mapcount:0 mapping: (null) index:0x0 [ 26.281481] flags: 0x2fffc0000000000() [ 26.281492] raw: 02fffc0000000000 0000000000000000 0000000000000000 00000000ffffffff [ 26.281501] raw: 0000000000000000 0000000100000001 0000000000000000 0000000000000000 [ 26.281506] page dumped because: kasan: bad access detected [ 26.281510] [ 26.281514] Memory state around the buggy address: [ 26.281522] ffff8801c46bf480: f1 04 f2 f2 f2 f2 f2 f2 f2 00 f2 f2 f2 f2 f2 f2 [ 26.281529] ffff8801c46bf500: f2 f8 f2 f2 f2 f2 f2 f2 f2 00 00 00 00 f2 f2 f2 [ 26.281536] >ffff8801c46bf580: f2 00 00 00 00 00 00 00 f2 f2 f2 f2 f2 00 00 00 [ 26.281542] ^ [ 26.281549] ffff8801c46bf600: 00 00 00 00 00 00 f2 f2 f2 f3 f3 f3 f3 00 00 00 [ 26.281556] ffff8801c46bf680: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 26.281561] ================================================================== [ 26.281564] Disabling lock debugging due to kernel taint [ 26.281578] Kernel panic - not syncing: panic_on_warn set ... [ 26.281578] [ 26.281587] CPU: 0 PID: 3147 Comm: syzkaller165057 Tainted: G B 4.15.0-rc2+ #124 [ 26.281590] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 26.281591] Call Trace: [ 26.281597] dump_stack+0x194/0x257 [ 26.281606] ? arch_local_irq_restore+0x53/0x53 [ 26.281613] ? trace_hardirqs_on_thunk+0x1a/0x1c [ 26.281620] ? vsnprintf+0x1ed/0x1900 [ 26.281627] ? xfrm_state_find+0x3040/0x3230 [ 26.281634] panic+0x1e4/0x41c [ 26.281640] ? refcount_error_report+0x214/0x214 [ 26.281649] ? add_taint+0x1c/0x50 [ 26.281656] ? add_taint+0x1c/0x50 [ 26.281665] ? xfrm_state_find+0x30fc/0x3230 [ 26.281671] kasan_end_report+0x50/0x50 [ 26.281677] kasan_report+0x144/0x340 [ 26.281686] __asan_report_load4_noabort+0x14/0x20 [ 26.281693] xfrm_state_find+0x30fc/0x3230 [ 26.281715] ? xfrm_state_afinfo_get_rcu+0x160/0x160 [ 26.281722] ? __unwind_start+0x169/0x330 [ 26.281730] ? __kernel_text_address+0xd/0x40 [ 26.281738] ? __save_stack_trace+0x61/0xd0 [ 26.281749] ? udp_sendmsg+0x19b8/0x2cd0 [ 26.281757] ? save_stack_trace+0x1a/0x20 [ 26.281763] ? __lock_acquire+0x324e/0x47f0 [ 26.281768] ? find_held_lock+0x39/0x1d0 [ 26.281788] ? debug_check_no_locks_freed+0x3d0/0x3d0 [ 26.281796] ? print_usage_bug+0x3f0/0x3f0 [ 26.281803] ? lock_downgrade+0x980/0x980 [ 26.281810] ? depot_save_stack+0x1c2/0x490 [ 26.281821] ? lock_release+0xda0/0xda0 [ 26.281831] ? is_bpf_text_address+0xa4/0x120 [ 26.281840] ? __lock_acquire+0x6e9/0x47f0 [ 26.281845] ? check_noncircular+0x20/0x20 [ 26.281853] ? trace_hardirqs_on_caller+0x421/0x5c0 [ 26.281862] xfrm_tmpl_resolve+0x309/0xc00 [ 26.281881] ? __xfrm_decode_session+0x110/0x110 [ 26.281892] ? lock_downgrade+0x980/0x980 [ 26.281900] ? rt_add_uncached_list+0xa2/0x240 [ 26.281906] ? check_noncircular+0x20/0x20 [ 26.281912] ? unwind_dump+0x4d0/0x4d0 [ 26.281920] ? check_noncircular+0x20/0x20 [ 26.281931] xfrm_resolve_and_create_bundle+0x11b/0x2600 [ 26.281938] ? trace_hardirqs_on_caller+0x421/0x5c0 [ 26.281945] ? trace_hardirqs_on+0xd/0x10 [ 26.281951] ? __local_bh_enable_ip+0x121/0x230 [ 26.281958] ? _raw_spin_unlock_bh+0x30/0x40 [ 26.281968] ? find_held_lock+0x39/0x1d0 [ 26.281975] ? xfrm_tmpl_resolve+0xc00/0xc00 [ 26.281986] ? lock_downgrade+0x980/0x980 [ 26.281993] ? xfrm_selector_match+0xe00/0xe00 [ 26.282003] ? rt_cache_route+0x300/0x300 [ 26.282012] ? lock_release+0xda0/0xda0 [ 26.282021] ? refcount_inc_not_zero+0xfe/0x180 [ 26.282030] ? selinux_xfrm_policy_lookup+0xac/0xd0 [ 26.282038] ? security_xfrm_policy_lookup+0x92/0xc0 [ 26.282047] ? xfrm_sk_policy_lookup+0x334/0x490 [ 26.282058] ? xfrm_selector_match+0xe00/0xe00 [ 26.282066] ? check_noncircular+0x20/0x20 [ 26.282076] xfrm_lookup+0x1574/0x23f0 [ 26.282081] ? xfrm_lookup+0x1574/0x23f0 [ 26.282087] ? unwind_next_frame.part.6+0x1a6/0xb40 [ 26.282101] ? xfrm_policy_lookup_bytype.constprop.47+0x960/0x960 [ 26.282109] ? find_held_lock+0x39/0x1d0 [ 26.282123] ? lock_downgrade+0x980/0x980 [ 26.282130] ? ip_route_output_key_hash+0x1a6/0x370 [ 26.282138] ? unwind_next_frame.part.6+0x1a6/0xb40 [ 26.282146] ? lock_release+0xda0/0xda0 [ 26.282161] ? lock_downgrade+0x980/0x980 [ 26.282170] ? ip_route_output_key_hash+0x252/0x370 [ 26.282178] ? ip_route_output_key_hash_rcu+0x2c20/0x2c20 [ 26.282183] ? lock_release+0xda0/0xda0 [ 26.282195] xfrm_lookup_route+0x39/0x1a0 [ 26.282203] ip_route_output_flow+0x7c/0xa0 [ 26.282211] udp_sendmsg+0x19b8/0x2cd0 [ 26.282217] ? unwind_get_return_address+0x61/0xa0 [ 26.282225] ? ip_reply_glue_bits+0xb0/0xb0 [ 26.282239] ? udp_lib_get_port+0x1b30/0x1b30 [ 26.282245] ? debug_check_no_locks_freed+0x3d0/0x3d0 [ 26.282256] ? debug_check_no_locks_freed+0x3d0/0x3d0 [ 26.282280] ? mark_held_locks+0xb2/0x100 [ 26.282286] ? refcount_inc_not_zero+0xfe/0x180 [ 26.282294] ? check_noncircular+0x20/0x20 [ 26.282300] ? trace_hardirqs_on_caller+0x421/0x5c0 [ 26.282306] ? udp_lib_get_port+0x785/0x1b30 [ 26.282312] ? trace_hardirqs_on+0xd/0x10 [ 26.282318] ? __local_bh_enable_ip+0x121/0x230 [ 26.282331] udpv6_sendmsg+0x743/0x3380 [ 26.282337] ? check_noncircular+0x20/0x20 [ 26.282352] ? udpv6_setsockopt+0x80/0x80 [ 26.282363] ? find_held_lock+0x39/0x1d0 [ 26.282377] ? lock_downgrade+0x980/0x980 [ 26.282383] ? lock_downgrade+0x980/0x980 [ 26.282401] ? __local_bh_enable_ip+0x121/0x230 [ 26.282409] ? trace_hardirqs_on_caller+0x421/0x5c0 [ 26.282415] ? release_sock+0x1d4/0x2a0 [ 26.282420] ? trace_hardirqs_on+0xd/0x10 [ 26.282426] ? __local_bh_enable_ip+0x121/0x230 [ 26.282434] ? _raw_spin_unlock_bh+0x30/0x40 [ 26.282440] ? release_sock+0x1d4/0x2a0 [ 26.282447] ? __release_sock+0x360/0x360 [ 26.282452] ? udp6_portaddr_hash+0x146/0x2f0 [ 26.282461] ? udp_v6_get_port+0x9c/0xc0 [ 26.282472] inet_sendmsg+0x11f/0x5e0 [ 26.282478] ? inet_sendmsg+0x11f/0x5e0 [ 26.282483] ? __might_sleep+0x95/0x190 [ 26.282491] ? inet_recvmsg+0x5f0/0x5f0 [ 26.282499] ? selinux_socket_sendmsg+0x36/0x40 [ 26.282506] ? security_socket_sendmsg+0x89/0xb0 [ 26.282512] ? inet_recvmsg+0x5f0/0x5f0 [ 26.282520] sock_sendmsg+0xca/0x110 [ 26.282528] SYSC_sendto+0x358/0x5a0 [ 26.282538] ? SYSC_connect+0x480/0x480 [ 26.282549] ? lock_downgrade+0x980/0x980 [ 26.282570] ? __handle_mm_fault+0x3e20/0x3e20 [ 26.282576] ? vmacache_find+0x5f/0x280 [ 26.282587] ? up_read+0x1a/0x40 [ 26.282594] ? __do_page_fault+0x3d6/0xc90 [ 26.282607] SyS_sendto+0x40/0x50 [ 26.282614] ? SyS_getpeername+0x30/0x30 [ 26.282622] do_fast_syscall_32+0x3ee/0xf9d [ 26.282633] ? do_int80_syscall_32+0x9d0/0x9d0 [ 26.282639] ? kasan_check_read+0x11/0x20 [ 26.282647] ? syscall_return_slowpath+0x550/0x550 [ 26.282655] ? SyS_rt_sigaction+0x94/0x1b0 [ 26.282663] ? lockdep_sys_exit+0x47/0xf0 [ 26.282669] ? retint_user+0x18/0x18 [ 26.282679] ? trace_hardirqs_off_thunk+0x1a/0x1c [ 26.282690] entry_SYSENTER_compat+0x51/0x60 [ 26.282694] RIP: 0023:0xf7ffbc79 [ 26.282697] RSP: 002b:00000000ffc63c1c EFLAGS: 00000286 ORIG_RAX: 0000000000000171 [ 26.282703] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 000000002028a000 [ 26.282707] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000020999000 [ 26.282710] RBP: 000000000000001c R08: 0000000000000000 R09: 0000000000000000 [ 26.282713] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000 [ 26.282716] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000 [ 26.300461] Dumping ftrace buffer: [ 26.300465] (ftrace buffer empty) [ 26.300468] Kernel Offset: disabled [ 27.639492] Rebooting in 86400 seconds..