[....] Starting enhanced syslogd: rsyslogd[ 14.055109] audit: type=1400 audit(1543956870.017:4): avc: denied { syslog } for pid=1920 comm="rsyslogd" capability=34 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=capability2 permissive=1 [ ok ]. Starting mcstransd: [....] Starting periodic command scheduler: cron[ ok ]. [....] Starting file context maintaining daemon: restorecond[ ok ]. [....] Starting OpenBSD Secure Shell server: sshd[ ok ]. Debian GNU/Linux 7 syzkaller ttyS0 Warning: Permanently added '10.128.15.223' (ECDSA) to the list of known hosts. net.ipv6.conf.syz_tun.accept_dad = 0 net.ipv6.conf.syz_tun.router_solicitations = 0 executing program syzkaller login: [ 38.142582] ================================================================== [ 38.150084] BUG: KASAN: stack-out-of-bounds in xfrm_state_find+0x2418/0x24e0 [ 38.157252] Read of size 4 at addr ffff8801d4b37660 by task syz-executor095/2079 [ 38.164763] [ 38.166373] CPU: 1 PID: 2079 Comm: syz-executor095 Not tainted 4.4.166+ #5 [ 38.173363] 0000000000000000 7c992b1a7f2ef3f8 ffff8801d4b36ce0 ffffffff81aa62ad [ 38.181362] ffffea000752cdc0 ffff8801d4b37660 0000000000000000 ffff8801d4b37660 [ 38.189412] 0000000000000003 ffff8801d4b36d18 ffffffff8148b12b ffff8801d4b37660 [ 38.197394] Call Trace: [ 38.199964] [] dump_stack+0xc1/0x124 [ 38.205322] [] print_address_description+0x6c/0x217 [ 38.211977] [] kasan_report.cold.6+0x175/0x2f7 [ 38.218204] [] ? xfrm_state_find+0x2418/0x24e0 [ 38.224431] [] __asan_report_load4_noabort+0x14/0x20 [ 38.231227] [] xfrm_state_find+0x2418/0x24e0 [ 38.237277] [] ? xfrm_unregister_mode+0x190/0x190 [ 38.243755] [] ? trace_hardirqs_on+0x10/0x10 [ 38.249796] [] ? kasan_slab_free+0x119/0x190 [ 38.255937] [] ? kasan_slab_free+0xac/0x190 [ 38.261898] [] ? kmem_cache_free+0xbe/0x350 [ 38.267850] [] ? kfree_skbmem+0xeb/0x100 [ 38.273544] [] ? 
kfree_skb+0xff/0x3f0 [ 38.278982] [] ? noop_enqueue+0x15/0x20 [ 38.284592] [] ? __dev_queue_xmit+0x1039/0x1c30 [ 38.290895] [] ? debug_lockdep_rcu_enabled+0x77/0x90 [ 38.297643] [] xfrm_tmpl_resolve_one+0x1d2/0x7a0 [ 38.304035] [] ? xfrm_expand_policies.constprop.15+0x290/0x290 [ 38.311641] [] xfrm_resolve_and_create_bundle+0x219/0x1da0 [ 38.318900] [] ? trace_hardirqs_on+0x10/0x10 [ 38.324950] [] ? xfrm_tmpl_resolve_one+0x7a0/0x7a0 [ 38.331521] [] ? trace_hardirqs_on+0x10/0x10 [ 38.337561] [] ? debug_lockdep_rcu_enabled+0x77/0x90 [ 38.344394] [] ? debug_lockdep_rcu_enabled+0x77/0x90 [ 38.351128] [] ? __local_bh_enable_ip+0x6a/0xe0 [ 38.357435] [] ? xfrm_sk_policy_lookup+0x228/0x350 [ 38.363996] [] ? xfrm_sk_policy_lookup+0x24f/0x350 [ 38.370552] [] ? xfrm_expand_policies.constprop.15+0x1c1/0x290 [ 38.378152] [] xfrm_lookup+0x238/0xb70 [ 38.383668] [] ? __down_interruptible+0x32/0x480 [ 38.390056] [] ? xfrm_sk_policy_lookup+0x350/0x350 [ 38.396616] [] ? __ip_route_output_key_hash+0xc7b/0x2040 [ 38.403704] [] ? __ip_route_output_key_hash+0xca2/0x2040 [ 38.410786] [] ? __ip_route_output_key_hash+0x16a/0x2040 [ 38.417887] [] ? debug_lockdep_rcu_enabled+0x77/0x90 [ 38.424637] [] ? rt_set_nexthop.constprop.13+0xcc0/0xcc0 [ 38.431722] [] xfrm_lookup_route+0x39/0x140 [ 38.437676] [] ip_route_output_flow+0x90/0xa0 [ 38.443836] [] udp_sendmsg+0x1480/0x1c70 [ 38.449537] [] ? udp_sendmsg+0x615/0x1c70 [ 38.455317] [] ? __lock_acquire+0x9f6/0x5530 [ 38.461358] [] ? ip_reply_glue_bits+0xc0/0xc0 [ 38.467480] [] ? udp_lib_unhash+0x630/0x630 [ 38.473552] [] ? trace_hardirqs_on+0x10/0x10 [ 38.479689] [] ? debug_lockdep_rcu_enabled+0x77/0x90 [ 38.486419] [] ? __lock_acquire+0x9f6/0x5530 [ 38.492454] [] ? dst_release+0x70/0xb0 [ 38.497968] [] ? debug_lockdep_rcu_enabled+0x77/0x90 [ 38.504854] [] udpv6_sendmsg+0x12cd/0x24c0 [ 38.510716] [] ? avc_has_perm+0x15a/0x3a0 [ 38.516611] [] ? udp_v6_flush_pending_frames+0xe0/0xe0 [ 38.523538] [] ? 
avc_has_perm_noaudit+0x2f0/0x2f0 [ 38.530049] [] ? trace_hardirqs_on+0x10/0x10 [ 38.536087] [] ? sock_has_perm+0x1c1/0x3f0 [ 38.541956] [] ? sock_has_perm+0x2a1/0x3f0 [ 38.547838] [] ? sock_has_perm+0x9f/0x3f0 [ 38.553611] [] ? selinux_msg_queue_alloc_security+0x2e0/0x2e0 [ 38.561124] [] ? debug_lockdep_rcu_enabled+0x77/0x90 [ 38.567893] [] ? check_preemption_disabled+0x3b/0x200 [ 38.574818] [] ? inet_sendmsg+0x143/0x4d0 [ 38.580648] [] inet_sendmsg+0x203/0x4d0 [ 38.586248] [] ? inet_sendmsg+0x73/0x4d0 [ 38.591936] [] ? inet_recvmsg+0x4c0/0x4c0 [ 38.597714] [] sock_sendmsg+0xbb/0x110 [ 38.603229] [] ___sys_sendmsg+0x441/0x880 [ 38.609172] [] ? copy_msghdr_from_user+0x550/0x550 [ 38.615734] [] ? trace_hardirqs_on+0x10/0x10 [ 38.621780] [] ? check_preemption_disabled+0x3b/0x200 [ 38.628613] [] ? check_preemption_disabled+0x3b/0x200 [ 38.635481] [] ? prandom_u32_state+0x13/0x180 [ 38.641622] [] ? __might_fault+0x114/0x1d0 [ 38.647482] [] __sys_sendmmsg+0x12e/0x2e0 [ 38.653255] [] ? SyS_sendmsg+0x50/0x50 [ 38.658765] [] ? ip6_datagram_connect+0x3a/0x50 [ 38.665055] [] ? inet_dgram_connect+0x11e/0x200 [ 38.671362] [] ? SyS_connect+0x203/0x310 [ 38.677047] [] ? sock_common_setsockopt+0x9a/0xe0 [ 38.683694] [] ? SyS_setsockopt+0x185/0x260 [ 38.689649] [] ? SyS_recv+0x40/0x40 [ 38.694898] [] ? 
retint_user+0x18/0x3c [ 38.700407] [] SyS_sendmmsg+0x35/0x60 [ 38.705840] [] entry_SYSCALL_64_fastpath+0x1e/0x9a [ 38.712578] [ 38.714191] The buggy address belongs to the page: [ 38.719096] page:ffffea000752cdc0 count:0 mapcount:0 mapping: (null) index:0x0 [ 38.727223] flags: 0x4000000000000000() [ 38.731287] page dumped because: kasan: bad access detected [ 38.736968] [ 38.738567] Memory state around the buggy address: [ 38.743466] ffff8801d4b37500: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 38.750832] ffff8801d4b37580: 00 f1 f1 f1 f1 00 f2 f2 f2 f2 f2 f2 f2 00 00 00 [ 38.758162] >ffff8801d4b37600: f2 f2 f2 f2 f2 00 00 00 00 00 00 00 f2 f2 f2 f2 [ 38.765490] ^ [ 38.771954] ffff8801d4b37680: f2 00 00 00 00 00 00 00 00 00 f2 f2 f2 00 00 00 [ 38.779312] ffff8801d4b37700: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 38.786646] ================================================================== [ 38.794031] Disabling lock debugging due to kernel taint [ 38.799520] Kernel panic - not syncing: panic_on_warn set ... [ 38.799520] [ 38.806891] CPU: 1 PID: 2079 Comm: syz-executor095 Tainted: G B 4.4.166+ #5 [ 38.815097] 0000000000000000 7c992b1a7f2ef3f8 ffff8801d4b36c40 ffffffff81aa62ad [ 38.823097] ffffffff82c4f549 0000000000000004 0000000000000000 ffff8801d4b37660 [ 38.831172] 0000000000000003 ffff8801d4b36d00 ffffffff813a2274 0000000041b58ab3 [ 38.839152] Call Trace: [ 38.841713] [] dump_stack+0xc1/0x124 [ 38.847158] [] panic+0x19e/0x359 [ 38.852151] [] ? add_taint.cold.4+0x16/0x16 [ 38.858104] [] kasan_end_report+0x47/0x4f [ 38.863875] [] kasan_report.cold.6+0x192/0x2f7 [ 38.870080] [] ? xfrm_state_find+0x2418/0x24e0 [ 38.876290] [] __asan_report_load4_noabort+0x14/0x20 [ 38.883014] [] xfrm_state_find+0x2418/0x24e0 [ 38.889043] [] ? xfrm_unregister_mode+0x190/0x190 [ 38.895506] [] ? trace_hardirqs_on+0x10/0x10 [ 38.901536] [] ? kasan_slab_free+0x119/0x190 [ 38.907567] [] ? kasan_slab_free+0xac/0x190 [ 38.913508] [] ? 
kmem_cache_free+0xbe/0x350 [ 38.919465] [] ? kfree_skbmem+0xeb/0x100 [ 38.925148] [] ? kfree_skb+0xff/0x3f0 [ 38.930567] [] ? noop_enqueue+0x15/0x20 [ 38.936167] [] ? __dev_queue_xmit+0x1039/0x1c30 [ 38.942459] [] ? debug_lockdep_rcu_enabled+0x77/0x90 [ 38.949184] [] xfrm_tmpl_resolve_one+0x1d2/0x7a0 [ 38.955560] [] ? xfrm_expand_policies.constprop.15+0x290/0x290 [ 38.963184] [] xfrm_resolve_and_create_bundle+0x219/0x1da0 [ 38.970430] [] ? trace_hardirqs_on+0x10/0x10 [ 38.976459] [] ? xfrm_tmpl_resolve_one+0x7a0/0x7a0 [ 38.983011] [] ? trace_hardirqs_on+0x10/0x10 [ 38.989040] [] ? debug_lockdep_rcu_enabled+0x77/0x90 [ 38.995764] [] ? debug_lockdep_rcu_enabled+0x77/0x90 [ 39.002489] [] ? __local_bh_enable_ip+0x6a/0xe0 [ 39.008778] [] ? xfrm_sk_policy_lookup+0x228/0x350 [ 39.015331] [] ? xfrm_sk_policy_lookup+0x24f/0x350 [ 39.021897] [] ? xfrm_expand_policies.constprop.15+0x1c1/0x290 [ 39.029487] [] xfrm_lookup+0x238/0xb70 [ 39.035000] [] ? __down_interruptible+0x32/0x480 [ 39.041496] [] ? xfrm_sk_policy_lookup+0x350/0x350 [ 39.048054] [] ? __ip_route_output_key_hash+0xc7b/0x2040 [ 39.055127] [] ? __ip_route_output_key_hash+0xca2/0x2040 [ 39.062203] [] ? __ip_route_output_key_hash+0x16a/0x2040 [ 39.069279] [] ? debug_lockdep_rcu_enabled+0x77/0x90 [ 39.076008] [] ? rt_set_nexthop.constprop.13+0xcc0/0xcc0 [ 39.083183] [] xfrm_lookup_route+0x39/0x140 [ 39.089244] [] ip_route_output_flow+0x90/0xa0 [ 39.095372] [] udp_sendmsg+0x1480/0x1c70 [ 39.101065] [] ? udp_sendmsg+0x615/0x1c70 [ 39.106848] [] ? __lock_acquire+0x9f6/0x5530 [ 39.112891] [] ? ip_reply_glue_bits+0xc0/0xc0 [ 39.119025] [] ? udp_lib_unhash+0x630/0x630 [ 39.125054] [] ? trace_hardirqs_on+0x10/0x10 [ 39.131166] [] ? debug_lockdep_rcu_enabled+0x77/0x90 [ 39.138146] [] ? __lock_acquire+0x9f6/0x5530 [ 39.144201] [] ? dst_release+0x70/0xb0 [ 39.149848] [] ? debug_lockdep_rcu_enabled+0x77/0x90 [ 39.156585] [] udpv6_sendmsg+0x12cd/0x24c0 [ 39.162677] [] ? avc_has_perm+0x15a/0x3a0 [ 39.168468] [] ? 
udp_v6_flush_pending_frames+0xe0/0xe0 [ 39.175375] [] ? avc_has_perm_noaudit+0x2f0/0x2f0 [ 39.181853] [] ? trace_hardirqs_on+0x10/0x10 [ 39.187906] [] ? sock_has_perm+0x1c1/0x3f0 [ 39.193770] [] ? sock_has_perm+0x2a1/0x3f0 [ 39.199948] [] ? sock_has_perm+0x9f/0x3f0 [ 39.205730] [] ? selinux_msg_queue_alloc_security+0x2e0/0x2e0 [ 39.213246] [] ? debug_lockdep_rcu_enabled+0x77/0x90 [ 39.219986] [] ? check_preemption_disabled+0x3b/0x200 [ 39.226806] [] ? inet_sendmsg+0x143/0x4d0 [ 39.232589] [] inet_sendmsg+0x203/0x4d0 [ 39.238199] [] ? inet_sendmsg+0x73/0x4d0 [ 39.243899] [] ? inet_recvmsg+0x4c0/0x4c0 [ 39.249682] [] sock_sendmsg+0xbb/0x110 [ 39.255303] [] ___sys_sendmsg+0x441/0x880 [ 39.261081] [] ? copy_msghdr_from_user+0x550/0x550 [ 39.267660] [] ? trace_hardirqs_on+0x10/0x10 [ 39.273717] [] ? check_preemption_disabled+0x3b/0x200 [ 39.280543] [] ? check_preemption_disabled+0x3b/0x200 [ 39.287384] [] ? prandom_u32_state+0x13/0x180 [ 39.293535] [] ? __might_fault+0x114/0x1d0 [ 39.299400] [] __sys_sendmmsg+0x12e/0x2e0 [ 39.305178] [] ? SyS_sendmsg+0x50/0x50 [ 39.310697] [] ? ip6_datagram_connect+0x3a/0x50 [ 39.317001] [] ? inet_dgram_connect+0x11e/0x200 [ 39.323299] [] ? SyS_connect+0x203/0x310 [ 39.329163] [] ? sock_common_setsockopt+0x9a/0xe0 [ 39.335671] [] ? SyS_setsockopt+0x185/0x260 [ 39.341735] [] ? SyS_recv+0x40/0x40 [ 39.346991] [] ? retint_user+0x18/0x3c [ 39.352510] [] SyS_sendmmsg+0x35/0x60 [ 39.358049] [] entry_SYSCALL_64_fastpath+0x1e/0x9a [ 39.364947] Kernel Offset: disabled [ 39.368558] Rebooting in 86400 seconds..