[ ok ] Starting enhanced syslogd: rsyslogd.
[ 12.536773] audit: type=1400 audit(1516243852.439:5): avc: denied { syslog } for pid=3503 comm="rsyslogd" capability=34 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=capability2 permissive=1
[ ok ] Starting periodic command scheduler: cron.
Starting mcstransd:
[ ok ] Starting file context maintaining daemon: restorecond.
[ ok ] Starting OpenBSD Secure Shell server: sshd.

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login:
[ 18.819455] audit: type=1400 audit(1516243858.722:6): avc: denied { map } for pid=3643 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
Warning: Permanently added '10.128.15.220' (ECDSA) to the list of known hosts.
net.ipv6.conf.syz0.accept_dad = 0
net.ipv6.conf.syz0.router_solicitations = 0
[ 25.059093] audit: type=1400 audit(1516243864.961:7): avc: denied { map } for pid=3657 comm="syzkaller944646" path="/root/syzkaller944646645" dev="sda1" ino=16481 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
RTNETLINK answers: Operation not supported
RTNETLINK answers: No buffer space available
RTNETLINK answers: Operation not supported
RTNETLINK answers: Operation not supported
[ 25.272163] IPv6: ADDRCONF(NETDEV_UP): bridge0: link is not ready
RTNETLINK answers: Operation not supported
RTNETLINK answers: Operation not supported
RTNETLINK answers: Invalid argument
RTNETLINK answers: Invalid argument
RTNETLINK answers: Invalid argument
executing program
[ 25.597526] audit: type=1400 audit(1516243865.499:8): avc: denied { sys_admin } for pid=3657 comm="syzkaller944646" capability=21 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=cap_userns permissive=1
[ 25.625621] audit: type=1400 audit(1516243865.528:9): avc: denied { sys_chroot } for pid=3784 comm="syzkaller944646" capability=18 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=cap_userns permissive=1
[ 25.653107] ==================================================================
[ 25.660502] BUG: KASAN: slab-out-of-bounds in ip6_xmit+0x1ce9/0x2090
[ 25.666969] Read of size 8 at addr ffff8801bfcf8318 by task syzkaller944646/3784
[ 25.674758]
[ 25.676367] CPU: 1 PID: 3784 Comm: syzkaller944646 Not tainted 4.15.0-rc7-mm1+ #56
[ 25.684049] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 25.693376] Call Trace:
[ 25.695945] dump_stack+0x194/0x257
[ 25.699545] ? arch_local_irq_restore+0x53/0x53
[ 25.704185] ? show_regs_print_info+0x18/0x18
[ 25.708660] ? ip6_xmit+0x1ce9/0x2090
[ 25.712433] print_address_description+0x73/0x250
[ 25.717246] ? ip6_xmit+0x1ce9/0x2090
[ 25.721018] kasan_report+0x23b/0x360
[ 25.724794] __asan_report_load8_noabort+0x14/0x20
[ 25.729697] ip6_xmit+0x1ce9/0x2090
[ 25.733860] ? ip6_finish_output2+0x23a0/0x23a0
[ 25.738510] ? fl6_update_dst+0x127/0x2b0
[ 25.742636] ? check_noncircular+0x20/0x20
[ 25.746846] ? inet6_csk_route_socket+0x691/0xe80
[ 25.751668] ? lock_acquire+0x1d5/0x580
[ 25.755614] ? lock_acquire+0x1d5/0x580
[ 25.759562] ? inet6_csk_xmit+0x114/0x580
[ 25.763698] ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 25.768430] ? lock_release+0xa40/0xa40
[ 25.772424] inet6_csk_xmit+0x2fc/0x580
[ 25.776373] ? inet6_csk_update_pmtu+0x160/0x160
[ 25.781111] ? __sk_dst_check+0x1a5/0x380
[ 25.785236] ? sk_wait_data+0x610/0x610
[ 25.789200] l2tp_xmit_skb+0x105f/0x1410
[ 25.793248] ? l2tp_session_create+0xbf0/0xbf0
[ 25.797806] ? sock_wmalloc+0x15d/0x1d0
[ 25.801758] ? iov_iter_advance+0x13f0/0x13f0
[ 25.806239] ? pppol2tp_sendmsg+0x41b/0x670
[ 25.810545] pppol2tp_sendmsg+0x470/0x670
[ 25.814674] ? selinux_socket_sendmsg+0x36/0x40
[ 25.819323] ? pppol2tp_session_ioctl+0xa90/0xa90
[ 25.824142] sock_sendmsg+0xca/0x110
[ 25.827829] ___sys_sendmsg+0x767/0x8b0
[ 25.831782] ? copy_msghdr_from_user+0x590/0x590
[ 25.836519] ? __do_page_fault+0x5f7/0xc90
[ 25.840730] ? lock_downgrade+0x980/0x980
[ 25.844858] ? __fget_light+0x297/0x380
[ 25.848806] ? fget_raw+0x20/0x20
[ 25.852236] ? __handle_mm_fault+0x3ce0/0x3ce0
[ 25.856787] ? vmacache_find+0x5f/0x280
[ 25.860741] ? up_read+0x1a/0x40
[ 25.864084] ? __do_page_fault+0x3d6/0xc90
[ 25.868300] ? __fdget+0x18/0x20
[ 25.871643] __sys_sendmsg+0xe5/0x210
[ 25.875423] ? __sys_sendmsg+0xe5/0x210
[ 25.879372] ? SyS_shutdown+0x290/0x290
[ 25.883324] ? __do_page_fault+0xc90/0xc90
[ 25.887550] ? trace_hardirqs_on_caller+0x421/0x5c0
[ 25.892540] SyS_sendmsg+0x2d/0x50
[ 25.896056] entry_SYSCALL_64_fastpath+0x29/0xa0
[ 25.900784] RIP: 0033:0x446f29
[ 25.903945] RSP: 002b:00000000007eff68 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
[ 25.911626] RAX: ffffffffffffffda RBX: 00000000004a8ef4 RCX: 0000000000446f29
[ 25.918870] RDX: 0000000000000081 RSI: 000000002037ffc8 RDI: 0000000000000005
[ 25.926127] RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
[ 25.933372] R10: 0000000000000000 R11: 0000000000000246 R12: 00007ffebafecf98
[ 25.940623] R13: 00000000004043a0 R14: 0000000000000000 R15: 0000000000000000
[ 25.947882]
[ 25.949482] Allocated by task 0:
[ 25.952818] (stack is not available)
[ 25.956500]
[ 25.958097] Freed by task 0:
[ 25.961092] (stack is not available)
[ 25.964771]
[ 25.966370] The buggy address belongs to the object at ffff8801bfcf8300
[ 25.966370] which belongs to the cache ip_dst_cache of size 168
[ 25.979089] The buggy address is located 24 bytes inside of
[ 25.979089] 168-byte region [ffff8801bfcf8300, ffff8801bfcf83a8)
[ 25.990851] The buggy address belongs to the page:
[ 25.995753] page:ffffea0006ff3e00 count:1 mapcount:0 mapping:ffff8801bfcf8000 index:0xffff8801bfcf8b00
[ 26.005171] flags: 0x2fffc0000000100(slab)
[ 26.009384] raw: 02fffc0000000100 ffff8801bfcf8000 ffff8801bfcf8b00 0000000100000009
[ 26.017253] raw: ffff8801d6ff7738 ffffea0007331ea0 ffff8801d6ffa680 0000000000000000
[ 26.025110] page dumped because: kasan: bad access detected
[ 26.030791]
[ 26.032392] Memory state around the buggy address:
[ 26.037294]  ffff8801bfcf8200: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 26.044628]  ffff8801bfcf8280: 00 00 00 00 00 fc fc fc fc fc fc fc fc fc fc fc
[ 26.051962] >ffff8801bfcf8300: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 26.059306]                             ^
[ 26.063427]  ffff8801bfcf8380: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 26.070759]  ffff8801bfcf8400: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 26.078088] ==================================================================
[ 26.085426] Disabling lock debugging due to kernel taint
[ 26.090900] Kernel panic - not syncing: panic_on_warn set ...
[ 26.090900]
[ 26.098238] CPU: 1 PID: 3784 Comm: syzkaller944646 Tainted: G B 4.15.0-rc7-mm1+ #56
[ 26.107232] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 26.116569] Call Trace:
[ 26.119133] dump_stack+0x194/0x257
[ 26.122733] ? arch_local_irq_restore+0x53/0x53
[ 26.127377] ? kasan_end_report+0x32/0x50
[ 26.131498] ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 26.136224] ? vsnprintf+0x1ed/0x1900
[ 26.139997] ? ip6_xmit+0x1c10/0x2090
[ 26.143765] panic+0x1e4/0x41c
[ 26.146927] ? refcount_error_report+0x214/0x214
[ 26.151653] ? add_taint+0x1c/0x50
[ 26.155162] ? add_taint+0x1c/0x50
[ 26.158673] ? ip6_xmit+0x1ce9/0x2090
[ 26.162461] kasan_end_report+0x50/0x50
[ 26.166405] kasan_report+0x148/0x360
[ 26.170177] __asan_report_load8_noabort+0x14/0x20
[ 26.175075] ip6_xmit+0x1ce9/0x2090
[ 26.178677] ? ip6_finish_output2+0x23a0/0x23a0
[ 26.183337] ? fl6_update_dst+0x127/0x2b0
[ 26.187459] ? check_noncircular+0x20/0x20
[ 26.191669] ? inet6_csk_route_socket+0x691/0xe80
[ 26.196485] ? lock_acquire+0x1d5/0x580
[ 26.200432] ? lock_acquire+0x1d5/0x580
[ 26.204385] ? inet6_csk_xmit+0x114/0x580
[ 26.208514] ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 26.213247] ? lock_release+0xa40/0xa40
[ 26.217207] inet6_csk_xmit+0x2fc/0x580
[ 26.221157] ? inet6_csk_update_pmtu+0x160/0x160
[ 26.225885] ? __sk_dst_check+0x1a5/0x380
[ 26.230006] ? sk_wait_data+0x610/0x610
[ 26.233965] l2tp_xmit_skb+0x105f/0x1410
[ 26.238003] ? l2tp_session_create+0xbf0/0xbf0
[ 26.242567] ? sock_wmalloc+0x15d/0x1d0
[ 26.246513] ? iov_iter_advance+0x13f0/0x13f0
[ 26.250980] ? pppol2tp_sendmsg+0x41b/0x670
[ 26.255286] pppol2tp_sendmsg+0x470/0x670
[ 26.259409] ? selinux_socket_sendmsg+0x36/0x40
[ 26.264051] ? pppol2tp_session_ioctl+0xa90/0xa90
[ 26.268865] sock_sendmsg+0xca/0x110
[ 26.272559] ___sys_sendmsg+0x767/0x8b0
[ 26.276508] ? copy_msghdr_from_user+0x590/0x590
[ 26.281239] ? __do_page_fault+0x5f7/0xc90
[ 26.285447] ? lock_downgrade+0x980/0x980
[ 26.289568] ? __fget_light+0x297/0x380
[ 26.293513] ? fget_raw+0x20/0x20
[ 26.296936] ? __handle_mm_fault+0x3ce0/0x3ce0
[ 26.301485] ? vmacache_find+0x5f/0x280
[ 26.305436] ? up_read+0x1a/0x40
[ 26.308775] ? __do_page_fault+0x3d6/0xc90
[ 26.312998] ? __fdget+0x18/0x20
[ 26.316339] __sys_sendmsg+0xe5/0x210
[ 26.320121] ? __sys_sendmsg+0xe5/0x210
[ 26.324068] ? SyS_shutdown+0x290/0x290
[ 26.328012] ? __do_page_fault+0xc90/0xc90
[ 26.332228] ? trace_hardirqs_on_caller+0x421/0x5c0
[ 26.337220] SyS_sendmsg+0x2d/0x50
[ 26.340737] entry_SYSCALL_64_fastpath+0x29/0xa0
[ 26.345463] RIP: 0033:0x446f29
[ 26.348625] RSP: 002b:00000000007eff68 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
[ 26.356304] RAX: ffffffffffffffda RBX: 00000000004a8ef4 RCX: 0000000000446f29
[ 26.363545] RDX: 0000000000000081 RSI: 000000002037ffc8 RDI: 0000000000000005
[ 26.370788] RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
[ 26.378029] R10: 0000000000000000 R11: 0000000000000246 R12: 00007ffebafecf98
[ 26.385280] R13: 00000000004043a0 R14: 0000000000000000 R15: 0000000000000000
[ 26.392910] Dumping ftrace buffer:
[ 26.396420] (ftrace buffer empty)
[ 26.400099] Kernel Offset: disabled
[ 26.403698] Rebooting in 86400 seconds..