[ ok ] Starting mcstransd.
[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting file context maintaining daemon: restorecond.
[ ok ] Starting OpenBSD Secure Shell server: sshd.
[ 18.045558] audit: type=1400 audit(1520316143.623:6): avc: denied { map } for pid=4228 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1

Debian GNU/Linux 7 syzkaller ttyS0

Warning: Permanently added '10.128.0.32' (ECDSA) to the list of known hosts.
executing program
syzkaller login: [ 24.336801] audit: type=1400 audit(1520316149.914:7): avc: denied { map } for pid=4242 comm="syzkaller418919" path="/root/syzkaller418919618" dev="sda1" ino=16481 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
[ 24.341318] ==================================================================
[ 24.370123] BUG: KASAN: slab-out-of-bounds in setup_udp_tunnel_sock+0x3ee/0x5f0
[ 24.377545] Write of size 1 at addr ffff8801d5146550 by task syzkaller418919/4242
[ 24.385134] 
[ 24.386737] CPU: 0 PID: 4242 Comm: syzkaller418919 Not tainted 4.16.0-rc4+ #342
[ 24.394154] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 24.403480] Call Trace:
[ 24.406051]  dump_stack+0x194/0x24d
[ 24.409655]  ? arch_local_irq_restore+0x53/0x53
[ 24.414295]  ? show_regs_print_info+0x18/0x18
[ 24.418766]  ? find_held_lock+0x35/0x1d0
[ 24.422801]  ? setup_udp_tunnel_sock+0x3ee/0x5f0
[ 24.427533]  print_address_description+0x73/0x250
[ 24.432351]  ? setup_udp_tunnel_sock+0x3ee/0x5f0
[ 24.437080]  kasan_report+0x23c/0x360
[ 24.440855]  __asan_report_store1_noabort+0x17/0x20
[ 24.445844]  setup_udp_tunnel_sock+0x3ee/0x5f0
[ 24.450402]  ? udp_tunnel_sock_release+0x140/0x140
[ 24.455315]  l2tp_tunnel_create+0x1361/0x1800
[ 24.459791]  ? l2tp_init_net+0x3c0/0x3c0
[ 24.463830]  ? lock_downgrade+0x980/0x980
[ 24.467960]  ? __local_bh_enable_ip+0x121/0x230
[ 24.472605]  ? trace_hardirqs_on_caller+0x421/0x5c0
[ 24.477591]  ? l2tp_tunnel_get+0x3c7/0x690
[ 24.481795]  ? trace_hardirqs_on+0xd/0x10
[ 24.485914]  ? __local_bh_enable_ip+0x121/0x230
[ 24.490558]  ? l2tp_tunnel_get+0x401/0x690
[ 24.494767]  ? l2tp_tunnel_find_nth+0x620/0x620
[ 24.499408]  ? mark_held_locks+0xaf/0x100
[ 24.503534]  ? do_raw_spin_trylock+0x190/0x190
[ 24.508089]  ? __local_bh_enable_ip+0x121/0x230
[ 24.512730]  ? l2tp_session_get+0x8b0/0x8b0
[ 24.517028]  ? l2tp_tunnel_delete+0x50/0x50
[ 24.521323]  ? trace_hardirqs_on+0xd/0x10
[ 24.525442]  ? __local_bh_enable_ip+0x121/0x230
[ 24.530088]  pppol2tp_connect+0x14b8/0x1dd0
[ 24.534393]  ? pppol2tp_recv_payload_hook+0x1b0/0x1b0
[ 24.539561]  ? selinux_netlbl_socket_connect+0x76/0x1b0
[ 24.544905]  ? selinux_socket_connect+0x311/0x730
[ 24.549725]  ? lock_downgrade+0x980/0x980
[ 24.553857]  ? selinux_socket_setsockopt+0x80/0x80
[ 24.558759]  ? lock_release+0xa40/0xa40
[ 24.562719]  ? check_same_owner+0x320/0x320
[ 24.567025]  ? __check_object_size+0x8b/0x530
[ 24.571505]  ? __might_sleep+0x95/0x190
[ 24.575469]  ? security_socket_connect+0x89/0xb0
[ 24.580209]  SYSC_connect+0x213/0x4a0
[ 24.583985]  ? SYSC_bind+0x410/0x410
[ 24.587677]  ? __handle_mm_fault+0x38c0/0x38c0
[ 24.592231]  ? vmacache_find+0x5f/0x280
[ 24.596179]  ? vmacache_update+0xfe/0x130
[ 24.600322]  ? mm_fault_error+0x2c0/0x2c0
[ 24.604443]  ? move_addr_to_kernel+0x60/0x60
[ 24.608828]  SyS_connect+0x24/0x30
[ 24.612339]  ? SyS_accept+0x30/0x30
[ 24.615938]  do_syscall_64+0x281/0x940
[ 24.619798]  ? __do_page_fault+0xc90/0xc90
[ 24.624008]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 24.628744]  ? syscall_return_slowpath+0x550/0x550
[ 24.633648]  ? syscall_return_slowpath+0x2ac/0x550
[ 24.638571]  ? prepare_exit_to_usermode+0x350/0x350
[ 24.643563]  ? retint_user+0x18/0x18
[ 24.647256]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 24.652076]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 24.657237] RIP: 0033:0x43fd99
[ 24.660397] RSP: 002b:00007ffc18065c38 EFLAGS: 00000217 ORIG_RAX: 000000000000002a
[ 24.668089] RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 000000000043fd99
[ 24.675332] RDX: 000000000000002e RSI: 00000000200000c0 RDI: 0000000000000003
[ 24.682575] RBP: 00000000006ca018 R08: 00000000004002c8 R09: 00000000004002c8
[ 24.689815] R10: 00000000004002c8 R11: 0000000000000217 R12: 00000000004016c0
[ 24.697057] R13: 0000000000401750 R14: 0000000000000000 R15: 0000000000000000
[ 24.704313] 
[ 24.705911] Allocated by task 4242:
[ 24.709511]  save_stack+0x43/0xd0
[ 24.712933]  kasan_kmalloc+0xad/0xe0
[ 24.716614]  kasan_slab_alloc+0x12/0x20
[ 24.720559]  kmem_cache_alloc+0x12e/0x760
[ 24.724681]  sk_prot_alloc+0x65/0x2a0
[ 24.728455]  sk_alloc+0x105/0x1440
[ 24.731970]  inet_create+0x47c/0xf50
[ 24.735653]  __sock_create+0x4d4/0x850
[ 24.739509]  SyS_socket+0xeb/0x1d0
[ 24.743029]  do_syscall_64+0x281/0x940
[ 24.746889]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 24.752049] 
[ 24.753649] Freed by task 0:
[ 24.756637] (stack is not available)
[ 24.760315] 
[ 24.761915] The buggy address belongs to the object at ffff8801d5146040
[ 24.761915]  which belongs to the cache RAW of size 1296
[ 24.773931] The buggy address is located 0 bytes to the right of
[ 24.773931]  1296-byte region [ffff8801d5146040, ffff8801d5146550)
[ 24.786208] The buggy address belongs to the page:
[ 24.791107] page:ffffea0007545180 count:1 mapcount:0 mapping:ffff8801d5146040 index:0x0 compound_mapcount: 0
[ 24.801045] flags: 0x2fffc0000008100(slab|head)
[ 24.805687] raw: 02fffc0000008100 ffff8801d5146040 0000000000000000 0000000100000005
[ 24.813538] raw: ffff8801d6bbf748 ffff8801d6bbf748 ffff8801d5bdbb00 0000000000000000
[ 24.821393] page dumped because: kasan: bad access detected
[ 24.827076] 
[ 24.828674] Memory state around the buggy address:
[ 24.833582]  ffff8801d5146400: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 24.840908]  ffff8801d5146480: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 24.848239] >ffff8801d5146500: 00 00 00 00 00 00 00 00 00 00 fc fc fc fc fc fc
[ 24.855570]                                                  ^
[ 24.861512]  ffff8801d5146580: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 24.868842]  ffff8801d5146600: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 24.876167] ==================================================================
[ 24.883493] Disabling lock debugging due to kernel taint
[ 24.889176] Kernel panic - not syncing: panic_on_warn set ...
[ 24.889176] 
[ 24.896526] CPU: 0 PID: 4242 Comm: syzkaller418919 Tainted: G B 4.16.0-rc4+ #342
[ 24.905242] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 24.914997] Call Trace:
[ 24.917562]  dump_stack+0x194/0x24d
[ 24.921164]  ? arch_local_irq_restore+0x53/0x53
[ 24.925801]  ? kasan_end_report+0x32/0x50
[ 24.929921]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 24.934648]  ? vsnprintf+0x1ed/0x1900
[ 24.938422]  ? setup_udp_tunnel_sock+0x3e0/0x5f0
[ 24.943151]  panic+0x1e4/0x41c
[ 24.946321]  ? refcount_error_report+0x214/0x214
[ 24.951049]  ? add_taint+0x1c/0x50
[ 24.954560]  ? add_taint+0x1c/0x50
[ 24.958071]  ? setup_udp_tunnel_sock+0x3ee/0x5f0
[ 24.962797]  kasan_end_report+0x50/0x50
[ 24.966739]  kasan_report+0x149/0x360
[ 24.970511]  __asan_report_store1_noabort+0x17/0x20
[ 24.975494]  setup_udp_tunnel_sock+0x3ee/0x5f0
[ 24.980047]  ? udp_tunnel_sock_release+0x140/0x140
[ 24.984950]  l2tp_tunnel_create+0x1361/0x1800
[ 24.989422]  ? l2tp_init_net+0x3c0/0x3c0
[ 24.993454]  ? lock_downgrade+0x980/0x980
[ 24.997576]  ? __local_bh_enable_ip+0x121/0x230
[ 25.002215]  ? trace_hardirqs_on_caller+0x421/0x5c0
[ 25.007204]  ? l2tp_tunnel_get+0x3c7/0x690
[ 25.011420]  ? trace_hardirqs_on+0xd/0x10
[ 25.015536]  ? __local_bh_enable_ip+0x121/0x230
[ 25.020177]  ? l2tp_tunnel_get+0x401/0x690
[ 25.024384]  ? l2tp_tunnel_find_nth+0x620/0x620
[ 25.029029]  ? mark_held_locks+0xaf/0x100
[ 25.033154]  ? do_raw_spin_trylock+0x190/0x190
[ 25.037711]  ? __local_bh_enable_ip+0x121/0x230
[ 25.042352]  ? l2tp_session_get+0x8b0/0x8b0
[ 25.046644]  ? l2tp_tunnel_delete+0x50/0x50
[ 25.050935]  ? trace_hardirqs_on+0xd/0x10
[ 25.055055]  ? __local_bh_enable_ip+0x121/0x230
[ 25.059697]  pppol2tp_connect+0x14b8/0x1dd0
[ 25.063993]  ? pppol2tp_recv_payload_hook+0x1b0/0x1b0
[ 25.069161]  ? selinux_netlbl_socket_connect+0x76/0x1b0
[ 25.074496]  ? selinux_socket_connect+0x311/0x730
[ 25.079308]  ? lock_downgrade+0x980/0x980
[ 25.083429]  ? selinux_socket_setsockopt+0x80/0x80
[ 25.088324]  ? lock_release+0xa40/0xa40
[ 25.092268]  ? check_same_owner+0x320/0x320
[ 25.096558]  ? __check_object_size+0x8b/0x530
[ 25.101034]  ? __might_sleep+0x95/0x190
[ 25.104987]  ? security_socket_connect+0x89/0xb0
[ 25.109716]  SYSC_connect+0x213/0x4a0
[ 25.113487]  ? SYSC_bind+0x410/0x410
[ 25.117174]  ? __handle_mm_fault+0x38c0/0x38c0
[ 25.121724]  ? vmacache_find+0x5f/0x280
[ 25.125668]  ? vmacache_update+0xfe/0x130
[ 25.129798]  ? mm_fault_error+0x2c0/0x2c0
[ 25.134005]  ? move_addr_to_kernel+0x60/0x60
[ 25.138392]  SyS_connect+0x24/0x30
[ 25.141916]  ? SyS_accept+0x30/0x30
[ 25.145513]  do_syscall_64+0x281/0x940
[ 25.149370]  ? __do_page_fault+0xc90/0xc90
[ 25.153575]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 25.158308]  ? syscall_return_slowpath+0x550/0x550
[ 25.163208]  ? syscall_return_slowpath+0x2ac/0x550
[ 25.168108]  ? prepare_exit_to_usermode+0x350/0x350
[ 25.173097]  ? retint_user+0x18/0x18
[ 25.176784]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 25.181601]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 25.186761] RIP: 0033:0x43fd99
[ 25.189935] RSP: 002b:00007ffc18065c38 EFLAGS: 00000217 ORIG_RAX: 000000000000002a
[ 25.197617] RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 000000000043fd99
[ 25.204861] RDX: 000000000000002e RSI: 00000000200000c0 RDI: 0000000000000003
[ 25.212105] RBP: 00000000006ca018 R08: 00000000004002c8 R09: 00000000004002c8
[ 25.219346] R10: 00000000004002c8 R11: 0000000000000217 R12: 00000000004016c0
[ 25.226588] R13: 0000000000401750 R14: 0000000000000000 R15: 0000000000000000
[ 25.234310] Dumping ftrace buffer:
[ 25.237825]    (ftrace buffer empty)
[ 25.241504] Kernel Offset: disabled
[ 25.245101] Rebooting in 86400 seconds..
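Triage of the report above, as an added example that is not part of the syzkaller log: a small Python helper that pulls out the facts a practitioner checks first in a KASAN slab report of this vintage and does the placement arithmetic. The names (Triage, parse_report, reliable_frames, locate_access, summarize) are this example's own, and the embedded SAMPLE_REPORT is a trimmed copy of the lines above; the parser assumes the layout shown here (a `BUG: KASAN:` header, indented frames under `Call Trace:` and `Allocated by task N:`, and the `belongs to the object at` / `which belongs to the cache` pair). Run on this report it confirms what the raw text implies: the object is a 1296-byte socket from the RAW kmem cache, allocated through inet_create, i.e. a raw IPv4 socket, and the 1-byte write in setup_udp_tunnel_sock lands at offset 1296, exactly at the end of that object. Frames prefixed with `?` are unwinder guesses and are dropped, leaving the chain setup_udp_tunnel_sock <- l2tp_tunnel_create <- pppol2tp_connect <- connect(2): the socket the L2TP code was handed was never a UDP socket. The report does not name the field being written, so the helper stops at the placement and the chain rather than guessing.

```python
# Added triage helper for KASAN slab reports (example code, not part of the syzkaller log).
import re
from dataclasses import dataclass, field
from typing import List, Tuple

# Trimmed copy of the report above, embedded so the example runs offline.
SAMPLE_REPORT = """\
[ 24.370123] BUG: KASAN: slab-out-of-bounds in setup_udp_tunnel_sock+0x3ee/0x5f0
[ 24.377545] Write of size 1 at addr ffff8801d5146550 by task syzkaller418919/4242
[ 24.403480] Call Trace:
[ 24.406051]  dump_stack+0x194/0x24d
[ 24.437080]  kasan_report+0x23c/0x360
[ 24.440855]  __asan_report_store1_noabort+0x17/0x20
[ 24.445844]  setup_udp_tunnel_sock+0x3ee/0x5f0
[ 24.450402]  ? udp_tunnel_sock_release+0x140/0x140
[ 24.455315]  l2tp_tunnel_create+0x1361/0x1800
[ 24.530088]  pppol2tp_connect+0x14b8/0x1dd0
[ 24.608828]  SyS_connect+0x24/0x30
[ 24.657237] RIP: 0033:0x43fd99
[ 24.705911] Allocated by task 4242:
[ 24.709511]  save_stack+0x43/0xd0
[ 24.724681]  sk_prot_alloc+0x65/0x2a0
[ 24.731970]  inet_create+0x47c/0xf50
[ 24.739509]  SyS_socket+0xeb/0x1d0
[ 24.761915] The buggy address belongs to the object at ffff8801d5146040
[ 24.761915]  which belongs to the cache RAW of size 1296
"""

_TS = re.compile(r"^\[\s*\d+\.\d+\]\s?")  # kernel timestamp prefix, one following space
_BUG = re.compile(r"^BUG: KASAN: (?P<kind>[\w-]+) in (?P<func>\S+)")
_ACCESS = re.compile(r"^(?P<rw>Read|Write) of size (?P<size>\d+) at addr (?P<addr>[0-9a-f]+)")
_OBJ = re.compile(r"belongs to the object at (?P<addr>[0-9a-f]+)")
_CACHE = re.compile(r"which belongs to the cache (?P<name>\S+) of size (?P<size>\d+)")
# Frames of the allocator/KASAN instrumentation itself; they say nothing about the bug.
_INSTRUMENTATION = ("dump_stack", "print_address_description", "save_stack",
                    "kasan_", "__kasan_", "__asan_")


@dataclass
class Triage:
    kind: str = ""
    func: str = ""
    rw: str = ""
    size: int = 0
    addr: int = 0
    obj_start: int = 0
    obj_size: int = 0
    cache: str = ""
    trace: List[str] = field(default_factory=list)        # frames under "Call Trace:"
    alloc_trace: List[str] = field(default_factory=list)  # frames under "Allocated by task"


def parse_report(text: str) -> Triage:
    t = Triage()
    section = None  # which frame list the indented lines currently belong to
    for raw in text.splitlines():
        line = _TS.sub("", raw.rstrip())
        if m := _BUG.match(line):
            t.kind, t.func = m["kind"], m["func"]
        elif m := _ACCESS.match(line):
            t.rw, t.size, t.addr = m["rw"], int(m["size"]), int(m["addr"], 16)
        elif line.startswith("Call Trace:"):
            section = "trace"
        elif line.startswith("Allocated by task"):
            section = "alloc"
        elif m := _OBJ.search(line):
            t.obj_start = int(m["addr"], 16)
        elif m := _CACHE.search(line):
            t.cache, t.obj_size = m["name"], int(m["size"])
        elif line.startswith(" ") and section:
            (t.trace if section == "trace" else t.alloc_trace).append(line.strip())
        else:
            section = None  # any other unindented line ends the current frame list
    return t


def reliable_frames(frames: List[str]) -> List[str]:
    """Drop '?' frames (guessed by the unwinder) and instrumentation frames."""
    return [f for f in frames
            if not f.startswith("?") and not f.split("+")[0].startswith(_INSTRUMENTATION)]


def locate_access(t: Triage) -> Tuple[str, int]:
    """Place the access relative to the slab object: (placement, byte distance)."""
    off, end = t.addr - t.obj_start, t.addr - t.obj_start + t.size
    if off < 0:
        return "before object", -off
    if end <= t.obj_size:
        return "inside object", off
    if off < t.obj_size:
        return "straddles end", end - t.obj_size
    return "past end", off - t.obj_size


def summarize(t: Triage) -> str:
    where, dist = locate_access(t)
    chain = " <- ".join(f.split("+")[0] for f in reliable_frames(t.trace))
    alloc = " <- ".join(f.split("+")[0] for f in reliable_frames(t.alloc_trace))
    return (f"{t.kind}: {t.rw} of {t.size} byte(s) in {t.func}\n"
            f"object: cache {t.cache}, {t.obj_size} bytes at {t.obj_start:#x}; "
            f"access {where}, {dist} byte(s)\ncall chain: {chain}\nallocated via: {alloc}")


if __name__ == "__main__":
    print(summarize(parse_report(SAMPLE_REPORT)))
```

For a real crash log, feed the whole console capture to parse_report; everything outside the KASAN block (boot messages, the register dump, the second trace printed by panic_on_warn) falls through the `else` branch and is ignored. The allocation chain is what distinguishes a type confusion like this one from a plain off-by-one: a write past the end of an object that a different socket family allocated is a mismatch between what the caller assumed the socket was and what it actually is, which is the point to check in the code that accepts the socket.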