[ ok ] Starting enhanced syslogd: rsyslogd.
[ 10.921923] audit: type=1400 audit(1514741680.985:5): avc: denied { syslog } for pid=2988 comm="rsyslogd" capability=34 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=capability2 permissive=1
Starting mcstransd:
[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.
[ ok ] Starting file context maintaining daemon: restorecond.
Debian GNU/Linux 7 syzkaller ttyS0
syzkaller login:
[ 15.530240] audit: type=1400 audit(1514741685.594:6): avc: denied { map } for pid=3128 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
Warning: Permanently added '10.128.15.216' (ECDSA) to the list of known hosts.
executing program
[ 21.740552] audit: type=1400 audit(1514741691.804:7): avc: denied { map } for pid=3143 comm="syzkaller271204" path="/root/syzkaller271204668" dev="sda1" ino=16481 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
[ 21.766569] audit: type=1400 audit(1514741691.804:8): avc: denied { sys_admin } for pid=3143 comm="syzkaller271204" capability=21 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=cap_userns permissive=1
[ 21.774936] device syz0 entered promiscuous mode
[ 21.796609] audit: type=1400 audit(1514741691.830:9): avc: denied { sys_chroot } for pid=3144 comm="syzkaller271204" capability=18 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=cap_userns permissive=1
[ 21.821158] audit: type=1400 audit(1514741691.830:10): avc: denied { net_raw } for pid=3144 comm="syzkaller271204" capability=13 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=cap_userns permissive=1
[ 21.845485] audit: type=1400 audit(1514741691.830:11): avc: denied { net_admin } for pid=3144 comm="syzkaller271204" capability=12 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=cap_userns permissive=1
[ 21.872324] ==================================================================
[ 21.879694] BUG: KASAN: slab-out-of-bounds in __dev_queue_xmit+0x20d3/0x2200
[ 21.886846] Read of size 2 at addr ffff8801c97bf660 by task syzkaller271204/3144
[ 21.894347]
[ 21.895949] CPU: 1 PID: 3144 Comm: syzkaller271204 Not tainted 4.15.0-rc4-mm1+ #49
[ 21.903631] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 21.912979] Call Trace:
[ 21.915562] dump_stack+0x194/0x257
[ 21.919167] ? arch_local_irq_restore+0x53/0x53
[ 21.923812] ? show_regs_print_info+0x18/0x18
[ 21.928281] ? lock_release+0xa40/0xa40
[ 21.932231] ? __dev_queue_xmit+0x20d3/0x2200
[ 21.936702] print_address_description+0x73/0x250
[ 21.941525] ? __dev_queue_xmit+0x20d3/0x2200
[ 21.945989] kasan_report+0x23b/0x360
[ 21.949760] __asan_report_load2_noabort+0x14/0x20
[ 21.954660] __dev_queue_xmit+0x20d3/0x2200
[ 21.958969] ? netdev_pick_tx+0x300/0x300
[ 21.963087] ? lock_release+0xa40/0xa40
[ 21.967035] ? trace_event_raw_event_sched_switch+0x800/0x800
[ 21.972886] ? refcount_add+0x24/0x60
[ 21.976658] ? skb_set_owner_w+0x232/0x330
[ 21.980863] ? __might_sleep+0x95/0x190
[ 21.984805] ? kasan_check_write+0x14/0x20
[ 21.989005] ? copyin+0x91/0xb0
[ 21.992258] ? _copy_from_iter+0x367/0xf30
[ 21.996462] ? __check_object_size+0x25d/0x4f0
[ 22.001016] ? check_stack_object+0x140/0x140
[ 22.005481] ? copy_page_to_iter+0xe00/0xe00
[ 22.009866] ? _copy_from_iter_full+0x22b/0xbb0
[ 22.014508] ? skb_copy_datagram_from_iter+0x3a5/0x5a0
[ 22.019759] ? iov_iter_advance+0x13f0/0x13f0
[ 22.024230] dev_queue_xmit+0x17/0x20
[ 22.027999] packet_sendmsg+0x3ad5/0x60a0
[ 22.032117] ? find_held_lock+0x35/0x1d0
[ 22.036153] ? avc_has_perm+0x35e/0x680
[ 22.040110] ? __mem_cgroup_threshold+0x821/0x8f0
[ 22.044928] ? packet_cached_dev_get+0x2b0/0x2b0
[ 22.049656] ? avc_has_perm+0x43e/0x680
[ 22.053600] ? avc_has_perm_noaudit+0x520/0x520
[ 22.058247] ? __handle_mm_fault+0x2747/0x3ce0
[ 22.062805] ? lock_downgrade+0x980/0x980
[ 22.066924] ? lock_release+0xa40/0xa40
[ 22.070873] ? find_held_lock+0x35/0x1d0
[ 22.074906] ? avc_has_perm+0x35e/0x680
[ 22.078850] ? sock_has_perm+0x2a4/0x420
[ 22.082878] ? selinux_secmark_relabel_packet+0xc0/0xc0
[ 22.088229] ? selinux_socket_sendmsg+0x36/0x40
[ 22.092870] ? security_socket_sendmsg+0x89/0xb0
[ 22.097590] ? packet_cached_dev_get+0x2b0/0x2b0
[ 22.102328] sock_sendmsg+0xca/0x110
[ 22.106016] sock_write_iter+0x31a/0x5d0
[ 22.110050] ? sock_sendmsg+0x110/0x110
[ 22.114004] ? iov_iter_init+0xaf/0x1d0
[ 22.117950] __vfs_write+0x684/0x970
[ 22.121635] ? kernel_read+0x120/0x120
[ 22.125497] ? bpf_fd_pass+0x280/0x280
[ 22.129364] ? _cond_resched+0x14/0x30
[ 22.133223] ? selinux_file_permission+0x82/0x460
[ 22.138041] ? rw_verify_area+0xe5/0x2b0
[ 22.142068] ? __fdget_raw+0x20/0x20
[ 22.145748] vfs_write+0x189/0x510
[ 22.149257] SyS_write+0xef/0x220
[ 22.152680] ? SyS_read+0x220/0x220
[ 22.156275] ? trace_hardirqs_on_caller+0x421/0x5c0
[ 22.161258] ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 22.165996] entry_SYSCALL_64_fastpath+0x1f/0x96
[ 22.170718] RIP: 0033:0x444df9
[ 22.173877] RSP: 002b:00000000007eff78 EFLAGS: 00000297 ORIG_RAX: 0000000000000001
[ 22.181551] RAX: ffffffffffffffda RBX: 00007ffce7844fe0 RCX: 0000000000444df9
[ 22.188786] RDX: 00000000000000ce RSI: 0000000020fecf2b RDI: 0000000000000005
[ 22.196022] RBP: 0000000000000000 R08: 0000000120080522 R09: 0000000120080522
[ 22.203257] R10: 0000000120080522 R11: 0000000000000297 R12: 00000000004029f0
[ 22.210495] R13: 0000000000402a80 R14: 0000000000000000 R15: 0000000000000000
[ 22.217842]
[ 22.219436] Allocated by task 3144:
[ 22.223034] save_stack+0x43/0xd0
[ 22.226454] kasan_kmalloc+0xad/0xe0
[ 22.230139] __kmalloc_node_track_caller+0x47/0x70
[ 22.235039] __kmalloc_reserve.isra.41+0x41/0xd0
[ 22.239759] __alloc_skb+0x13b/0x780
[ 22.243440] alloc_skb_with_frags+0x10d/0x750
[ 22.247900] sock_alloc_send_pskb+0x787/0x9b0
[ 22.252362] packet_sendmsg+0x1ec2/0x60a0
[ 22.256476] sock_sendmsg+0xca/0x110
[ 22.260157] sock_write_iter+0x31a/0x5d0
[ 22.264184] __vfs_write+0x684/0x970
[ 22.267862] vfs_write+0x189/0x510
[ 22.271369] SyS_write+0xef/0x220
[ 22.274787] entry_SYSCALL_64_fastpath+0x1f/0x96
[ 22.279503]
[ 22.281097] Freed by task 1675:
[ 22.284342] save_stack+0x43/0xd0
[ 22.287760] kasan_slab_free+0x71/0xc0
[ 22.291611] kfree+0xd6/0x260
[ 22.294684] free_request_size+0x59/0x70
[ 22.298710] mempool_free+0xd4/0x1d0
[ 22.302390] __blk_put_request+0x4df/0xb50
[ 22.306588] blk_finish_request+0x33f/0x680
[ 22.310873] scsi_end_request+0x3c7/0x810
[ 22.314987] scsi_io_completion+0x8ab/0x16b0
[ 22.319360] scsi_finish_command+0x5f6/0x890
[ 22.323730] scsi_softirq_done+0x3ab/0x480
[ 22.327942] blk_done_softirq+0x48a/0x700
[ 22.332061] __do_softirq+0x2d7/0xb85
[ 22.335824]
[ 22.337423] The buggy address belongs to the object at ffff8801c97bf200
[ 22.337423] which belongs to the cache kmalloc-1024 of size 1024
[ 22.350219] The buggy address is located 96 bytes to the right of
[ 22.350219] 1024-byte region [ffff8801c97bf200, ffff8801c97bf600)
[ 22.362576] The buggy address belongs to the page:
[ 22.367470] page:ffffea000725ef80 count:1 mapcount:0 mapping:ffff8801c97be000 index:0x0 compound_mapcount: 0
[ 22.377422] flags: 0x2fffc0000008100(slab|head)
[ 22.382061] raw: 02fffc0000008100 ffff8801c97be000 0000000000000000 0000000100000007
[ 22.389906] raw: ffffea000725e3a0 ffffea00072411a0 ffff8801dac00ac0 0000000000000000
[ 22.397751] page dumped because: kasan: bad access detected
[ 22.403422]
[ 22.405015] Memory state around the buggy address:
[ 22.409911]  ffff8801c97bf500: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 22.417235]  ffff8801c97bf580: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 22.424568] >ffff8801c97bf600: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 22.431901]                                                        ^
[ 22.438368]  ffff8801c97bf680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 22.445691]  ffff8801c97bf700: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 22.453014] ==================================================================
[ 22.460335] Disabling lock debugging due to kernel taint
[ 22.465799] Kernel panic - not syncing: panic_on_warn set ...
[ 22.465799]
[ 22.473145] CPU: 1 PID: 3144 Comm: syzkaller271204 Tainted: G B 4.15.0-rc4-mm1+ #49
[ 22.482125] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 22.491452] Call Trace:
[ 22.494010] dump_stack+0x194/0x257
[ 22.497603] ? arch_local_irq_restore+0x53/0x53
[ 22.502235] ? kasan_end_report+0x32/0x50
[ 22.506352] ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 22.511075] ? vsnprintf+0x1ed/0x1900
[ 22.514841] ? __dev_queue_xmit+0x1fe0/0x2200
[ 22.519308] panic+0x1e4/0x41c
[ 22.522464] ? refcount_error_report+0x214/0x214
[ 22.527186] ? add_taint+0x1c/0x50
[ 22.530690] ? add_taint+0x1c/0x50
[ 22.534198] ? __dev_queue_xmit+0x20d3/0x2200
[ 22.538661] kasan_end_report+0x50/0x50
[ 22.542600] kasan_report+0x148/0x360
[ 22.546366] __asan_report_load2_noabort+0x14/0x20
[ 22.551262] __dev_queue_xmit+0x20d3/0x2200
[ 22.555553] ? netdev_pick_tx+0x300/0x300
[ 22.559669] ? lock_release+0xa40/0xa40
[ 22.563610] ? trace_event_raw_event_sched_switch+0x800/0x800
[ 22.569460] ? refcount_add+0x24/0x60
[ 22.573233] ? skb_set_owner_w+0x232/0x330
[ 22.577434] ? __might_sleep+0x95/0x190
[ 22.581375] ? kasan_check_write+0x14/0x20
[ 22.585577] ? copyin+0x91/0xb0
[ 22.588823] ? _copy_from_iter+0x367/0xf30
[ 22.593024] ? __check_object_size+0x25d/0x4f0
[ 22.597576] ? check_stack_object+0x140/0x140
[ 22.602040] ? copy_page_to_iter+0xe00/0xe00
[ 22.606414] ? _copy_from_iter_full+0x22b/0xbb0
[ 22.611055] ? skb_copy_datagram_from_iter+0x3a5/0x5a0
[ 22.616297] ? iov_iter_advance+0x13f0/0x13f0
[ 22.620762] dev_queue_xmit+0x17/0x20
[ 22.624534] packet_sendmsg+0x3ad5/0x60a0
[ 22.628649] ? find_held_lock+0x35/0x1d0
[ 22.632679] ? avc_has_perm+0x35e/0x680
[ 22.636622] ? __mem_cgroup_threshold+0x821/0x8f0
[ 22.641433] ? packet_cached_dev_get+0x2b0/0x2b0
[ 22.646155] ? avc_has_perm+0x43e/0x680
[ 22.650098] ? avc_has_perm_noaudit+0x520/0x520
[ 22.654733] ? __handle_mm_fault+0x2747/0x3ce0
[ 22.659293] ? lock_downgrade+0x980/0x980
[ 22.663411] ? lock_release+0xa40/0xa40
[ 22.667357] ? find_held_lock+0x35/0x1d0
[ 22.671386] ? avc_has_perm+0x35e/0x680
[ 22.675326] ? sock_has_perm+0x2a4/0x420
[ 22.679354] ? selinux_secmark_relabel_packet+0xc0/0xc0
[ 22.684693] ? selinux_socket_sendmsg+0x36/0x40
[ 22.689328] ? security_socket_sendmsg+0x89/0xb0
[ 22.694049] ? packet_cached_dev_get+0x2b0/0x2b0
[ 22.698786] sock_sendmsg+0xca/0x110
[ 22.702466] sock_write_iter+0x31a/0x5d0
[ 22.706492] ? sock_sendmsg+0x110/0x110
[ 22.710436] ? iov_iter_init+0xaf/0x1d0
[ 22.714377] __vfs_write+0x684/0x970
[ 22.718064] ? kernel_read+0x120/0x120
[ 22.721921] ? bpf_fd_pass+0x280/0x280
[ 22.725780] ? _cond_resched+0x14/0x30
[ 22.729635] ? selinux_file_permission+0x82/0x460
[ 22.734445] ? rw_verify_area+0xe5/0x2b0
[ 22.738470] ? __fdget_raw+0x20/0x20
[ 22.742150] vfs_write+0x189/0x510
[ 22.745656] SyS_write+0xef/0x220
[ 22.749076] ? SyS_read+0x220/0x220
[ 22.752667] ? trace_hardirqs_on_caller+0x421/0x5c0
[ 22.757648] ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 22.762378] entry_SYSCALL_64_fastpath+0x1f/0x96
[ 22.767101] RIP: 0033:0x444df9
[ 22.770256] RSP: 002b:00000000007eff78 EFLAGS: 00000297 ORIG_RAX: 0000000000000001
[ 22.777930] RAX: ffffffffffffffda RBX: 00007ffce7844fe0 RCX: 0000000000444df9
[ 22.785173] RDX: 00000000000000ce RSI: 0000000020fecf2b RDI: 0000000000000005
[ 22.792409] RBP: 0000000000000000 R08: 0000000120080522 R09: 0000000120080522
[ 22.799653] R10: 0000000120080522 R11: 0000000000000297 R12: 00000000004029f0
[ 22.806888] R13: 0000000000402a80 R14: 0000000000000000 R15: 0000000000000000
[ 22.814164] Dumping ftrace buffer:
[ 22.817672] (ftrace buffer empty)
[ 22.821349] Kernel Offset: disabled
[ 22.824947] Rebooting in 86400 seconds..