[ ok ] Starting enhanced syslogd: rsyslogd.
[ 11.174802] audit: type=1400 audit(1514708910.310:5): avc: denied { syslog } for pid=3002 comm="rsyslogd" capability=34 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=capability2 permissive=1
Starting mcstransd:
[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting file context maintaining daemon: restorecond.
[ ok ] Starting OpenBSD Secure Shell server: sshd.

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [ 17.490708] audit: type=1400 audit(1514708916.626:6): avc: denied { map } for pid=3141 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
Warning: Permanently added '10.128.15.241' (ECDSA) to the list of known hosts.
[ 40.221827] audit: type=1400 audit(1514708939.357:7): avc: denied { map } for pid=3158 comm="syzkaller329098" path="/root/syzkaller329098100" dev="sda1" ino=16481 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
executing program
[ 40.247810] audit: type=1400 audit(1514708939.360:8): avc: denied { sys_admin } for pid=3158 comm="syzkaller329098" capability=21 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=cap_userns permissive=1
[ 40.277485] audit: type=1400 audit(1514708939.413:9): avc: denied { sys_chroot } for pid=3159 comm="syzkaller329098" capability=18 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=cap_userns permissive=1
[ 40.284334] device syz0 entered promiscuous mode
[ 40.306769] audit: type=1400 audit(1514708939.415:10): avc: denied { net_raw } for pid=3159 comm="syzkaller329098" capability=13 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=cap_userns permissive=1
[ 40.331191] audit: type=1400 audit(1514708939.417:11): avc: denied { net_admin } for pid=3159 comm="syzkaller329098" capability=12 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=cap_userns permissive=1
[ 40.366718] ==================================================================
[ 40.375288] BUG: KASAN: use-after-free in __dev_queue_xmit+0x20d3/0x2200
[ 40.382099] Read of size 2 at addr ffff8801ce7d3a78 by task syzkaller329098/3159
[ 40.389599]
[ 40.391196] CPU: 0 PID: 3159 Comm: syzkaller329098 Not tainted 4.15.0-rc4-next-20171221+ #78
[ 40.399748] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 40.409070] Call Trace:
[ 40.411637]  dump_stack+0x194/0x257
[ 40.415234]  ? arch_local_irq_restore+0x53/0x53
[ 40.419873]  ? show_regs_print_info+0x18/0x18
[ 40.424339]  ? lock_release+0xa40/0xa40
[ 40.428281]  ? __dev_queue_xmit+0x20d3/0x2200
[ 40.433355]  print_address_description+0x73/0x250
[ 40.440073]  ? __dev_queue_xmit+0x20d3/0x2200
[ 40.444971]  kasan_report+0x25b/0x340
[ 40.448745]  __asan_report_load2_noabort+0x14/0x20
[ 40.453727]  __dev_queue_xmit+0x20d3/0x2200
[ 40.458040]  ? netdev_pick_tx+0x300/0x300
[ 40.462159]  ? lock_release+0xa40/0xa40
[ 40.466099]  ? trace_event_raw_event_sched_switch+0x800/0x800
[ 40.471949]  ? refcount_add+0x24/0x60
[ 40.475726]  ? skb_set_owner_w+0x232/0x330
[ 40.479934]  ? __might_sleep+0x95/0x190
[ 40.484137]  ? kasan_check_write+0x14/0x20
[ 40.488690]  ? copyin+0x91/0xb0
[ 40.491945]  ? _copy_from_iter+0x367/0xf30
[ 40.496147]  ? __check_object_size+0x25d/0x4f0
[ 40.500700]  ? check_stack_object+0x140/0x140
[ 40.505265]  ? copy_page_to_iter+0xe10/0xe10
[ 40.509641]  ? _copy_from_iter_full+0x22b/0xbb0
[ 40.514285]  ? skb_copy_datagram_from_iter+0x3a5/0x5a0
[ 40.519530]  ? iov_iter_advance+0x13f0/0x13f0
[ 40.524001]  dev_queue_xmit+0x17/0x20
[ 40.527784]  packet_sendmsg+0x3ad5/0x60a0
[ 40.531906]  ? find_held_lock+0x35/0x1d0
[ 40.535943]  ? avc_has_perm+0x35e/0x680
[ 40.539905]  ? packet_cached_dev_get+0x2b0/0x2b0
[ 40.544631]  ? mark_held_locks+0xaf/0x100
[ 40.548753]  ? avc_has_perm+0x43e/0x680
[ 40.552700]  ? avc_has_perm_noaudit+0x520/0x520
[ 40.557347]  ? locks_remove_posix+0x518/0x820
[ 40.561817]  ? find_held_lock+0x35/0x1d0
[ 40.565850]  ? avc_has_perm+0x35e/0x680
[ 40.569795]  ? sock_has_perm+0x2a4/0x420
[ 40.573825]  ? selinux_secmark_relabel_packet+0xc0/0xc0
[ 40.579173]  ? selinux_socket_sendmsg+0x36/0x40
[ 40.583814]  ? security_socket_sendmsg+0x89/0xb0
[ 40.588536]  ? packet_cached_dev_get+0x2b0/0x2b0
[ 40.593262]  sock_sendmsg+0xca/0x110
[ 40.596946]  sock_write_iter+0x31a/0x5d0
[ 40.600977]  ? sock_sendmsg+0x110/0x110
[ 40.604939]  ? iov_iter_init+0xaf/0x1d0
[ 40.608886]  __vfs_write+0x684/0x970
[ 40.612569]  ? kernel_read+0x120/0x120
[ 40.616423]  ? bpf_fd_pass+0x280/0x280
[ 40.620284]  ? _cond_resched+0x14/0x30
[ 40.624143]  ? selinux_file_permission+0x82/0x460
[ 40.628982]  ? rw_verify_area+0xe5/0x2b0
[ 40.633016]  ? __fdget_raw+0x20/0x20
[ 40.636700]  vfs_write+0x189/0x510
[ 40.640217]  SyS_write+0xef/0x220
[ 40.643641]  ? SyS_read+0x220/0x220
[ 40.647239]  ? trace_hardirqs_on_caller+0x421/0x5c0
[ 40.652237]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 40.656969]  entry_SYSCALL_64_fastpath+0x1f/0x96
[ 40.662211] RIP: 0033:0x444b89
[ 40.665976] RSP: 002b:00000000007eff78 EFLAGS: 00000293 ORIG_RAX: 0000000000000001
[ 40.673651] RAX: ffffffffffffffda RBX: 00007ffeeaf812d0 RCX: 0000000000444b89
[ 40.680891] RDX: 000000000000005d RSI: 0000000020384000 RDI: 0000000000000005
[ 40.689442] RBP: 0000000000000000 R08: 0000000120080522 R09: 0000000120080522
[ 40.696786] R10: 0000000120080522 R11: 0000000000000293 R12: 0000000000402780
[ 40.704027] R13: 0000000000402810 R14: 0000000000000000 R15: 0000000000000000
[ 40.711285]
[ 40.712882] Allocated by task 1636:
[ 40.716496]  save_stack+0x43/0xd0
[ 40.719918]  kasan_kmalloc+0xad/0xe0
[ 40.724127]  __kmalloc_node_track_caller+0x47/0x70
[ 40.729025]  __kmalloc_reserve.isra.41+0x41/0xd0
[ 40.733746]  __alloc_skb+0x13b/0x780
[ 40.737427]  kobject_uevent_env+0x6e3/0xbc0
[ 40.741754]  kobject_synth_uevent+0x514/0xad0
[ 40.746219]  uevent_store+0x27/0x50
[ 40.749813]  dev_attr_store+0x5c/0x90
[ 40.753580]  sysfs_kf_write+0x107/0x160
[ 40.757519]  kernfs_fop_write+0x2bc/0x450
[ 40.761631]  __vfs_write+0xef/0x970
[ 40.765221]  vfs_write+0x189/0x510
[ 40.768727]  SyS_write+0xef/0x220
[ 40.772146]  entry_SYSCALL_64_fastpath+0x1f/0x96
[ 40.776865]
[ 40.778458] Freed by task 1607:
[ 40.781880]  save_stack+0x43/0xd0
[ 40.785297]  kasan_slab_free+0x71/0xc0
[ 40.789168]  kfree+0xd6/0x260
[ 40.792242]  skb_free_head+0x74/0xb0
[ 40.795922]  skb_release_data+0x58c/0x790
[ 40.800035]  skb_release_all+0x4a/0x60
[ 40.803888]  consume_skb+0x153/0x490
[ 40.807569]  skb_free_datagram+0x1a/0xe0
[ 40.811597]  netlink_recvmsg+0x5c6/0x1300
[ 40.815716]  sock_recvmsg+0xc9/0x110
[ 40.819395]  ___sys_recvmsg+0x2a4/0x640
[ 40.823336]  __sys_recvmsg+0xe2/0x210
[ 40.827102]  SyS_recvmsg+0x2d/0x50
[ 40.830609]  entry_SYSCALL_64_fastpath+0x1f/0x96
[ 40.835329]
[ 40.836927] The buggy address belongs to the object at ffff8801ce7d3a00
[ 40.836927]  which belongs to the cache kmalloc-512 of size 512
[ 40.849553] The buggy address is located 120 bytes inside of
[ 40.849553]  512-byte region [ffff8801ce7d3a00, ffff8801ce7d3c00)
[ 40.861748] The buggy address belongs to the page:
[ 40.867515] page:00000000f388711e count:1 mapcount:0 mapping:000000009914ca15 index:0x0
[ 40.875626] flags: 0x2fffc0000000100(slab)
[ 40.879831] raw: 02fffc0000000100 ffff8801ce7d3000 0000000000000000 0000000100000006
[ 40.887678] raw: ffffea000739f560 ffff8801dac01748 ffff8801dac00940 0000000000000000
[ 40.895522] page dumped because: kasan: bad access detected
[ 40.901197]
[ 40.902792] Memory state around the buggy address:
[ 40.907688]  ffff8801ce7d3900: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 40.915017]  ffff8801ce7d3980: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 40.922352] >ffff8801ce7d3a00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 40.929695]                                                                 ^
[ 40.936953]  ffff8801ce7d3a80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 40.944280]  ffff8801ce7d3b00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 40.951606] ==================================================================
[ 40.958931] Disabling lock debugging due to kernel taint
[ 40.964403] Kernel panic - not syncing: panic_on_warn set ...
[ 40.964403]
[ 40.971739] CPU: 0 PID: 3159 Comm: syzkaller329098 Tainted: G B 4.15.0-rc4-next-20171221+ #78
[ 40.981584] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 40.990907] Call Trace:
[ 40.993468]  dump_stack+0x194/0x257
[ 40.997083]  ? arch_local_irq_restore+0x53/0x53
[ 41.002241]  ? kasan_end_report+0x32/0x50
[ 41.006360]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 41.011081]  ? vsnprintf+0x1ed/0x1900
[ 41.014851]  ? __dev_queue_xmit+0x1fe0/0x2200
[ 41.019315]  panic+0x1e4/0x41c
[ 41.022474]  ? refcount_error_report+0x214/0x214
[ 41.027198]  ? add_taint+0x1c/0x50
[ 41.030705]  ? add_taint+0x1c/0x50
[ 41.034212]  ? __dev_queue_xmit+0x20d3/0x2200
[ 41.038673]  kasan_end_report+0x50/0x50
[ 41.042614]  kasan_report+0x144/0x340
[ 41.046383]  __asan_report_load2_noabort+0x14/0x20
[ 41.051279]  __dev_queue_xmit+0x20d3/0x2200
[ 41.055573]  ? netdev_pick_tx+0x300/0x300
[ 41.059691]  ? lock_release+0xa40/0xa40
[ 41.063638]  ? trace_event_raw_event_sched_switch+0x800/0x800
[ 41.069492]  ? refcount_add+0x24/0x60
[ 41.073261]  ? skb_set_owner_w+0x232/0x330
[ 41.077727]  ? __might_sleep+0x95/0x190
[ 41.081669]  ? kasan_check_write+0x14/0x20
[ 41.085881]  ? copyin+0x91/0xb0
[ 41.089131]  ? _copy_from_iter+0x367/0xf30
[ 41.093331]  ? __check_object_size+0x25d/0x4f0
[ 41.097883]  ? check_stack_object+0x140/0x140
[ 41.102348]  ? copy_page_to_iter+0xe10/0xe10
[ 41.106725]  ? _copy_from_iter_full+0x22b/0xbb0
[ 41.111365]  ? skb_copy_datagram_from_iter+0x3a5/0x5a0
[ 41.116608]  ? iov_iter_advance+0x13f0/0x13f0
[ 41.121076]  dev_queue_xmit+0x17/0x20
[ 41.124844]  packet_sendmsg+0x3ad5/0x60a0
[ 41.128960]  ? find_held_lock+0x35/0x1d0
[ 41.132993]  ? avc_has_perm+0x35e/0x680
[ 41.136941]  ? packet_cached_dev_get+0x2b0/0x2b0
[ 41.141665]  ? mark_held_locks+0xaf/0x100
[ 41.145784]  ? avc_has_perm+0x43e/0x680
[ 41.149725]  ? avc_has_perm_noaudit+0x520/0x520
[ 41.154365]  ? locks_remove_posix+0x518/0x820
[ 41.159352]  ? find_held_lock+0x35/0x1d0
[ 41.163397]  ? avc_has_perm+0x35e/0x680
[ 41.167346]  ? sock_has_perm+0x2a4/0x420
[ 41.171376]  ? selinux_secmark_relabel_packet+0xc0/0xc0
[ 41.176718]  ? selinux_socket_sendmsg+0x36/0x40
[ 41.181355]  ? security_socket_sendmsg+0x89/0xb0
[ 41.186075]  ? packet_cached_dev_get+0x2b0/0x2b0
[ 41.190800]  sock_sendmsg+0xca/0x110
[ 41.194482]  sock_write_iter+0x31a/0x5d0
[ 41.198512]  ? sock_sendmsg+0x110/0x110
[ 41.202460]  ? iov_iter_init+0xaf/0x1d0
[ 41.206403]  __vfs_write+0x684/0x970
[ 41.210085]  ? kernel_read+0x120/0x120
[ 41.214634]  ? bpf_fd_pass+0x280/0x280
[ 41.218667]  ? _cond_resched+0x14/0x30
[ 41.222523]  ? selinux_file_permission+0x82/0x460
[ 41.227338]  ? rw_verify_area+0xe5/0x2b0
[ 41.231368]  ? __fdget_raw+0x20/0x20
[ 41.235050]  vfs_write+0x189/0x510
[ 41.238560]  SyS_write+0xef/0x220
[ 41.241982]  ? SyS_read+0x220/0x220
[ 41.246273]  ? trace_hardirqs_on_caller+0x421/0x5c0
[ 41.251258]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 41.256001]  entry_SYSCALL_64_fastpath+0x1f/0x96
[ 41.260986] RIP: 0033:0x444b89
[ 41.264663] RSP: 002b:00000000007eff78 EFLAGS: 00000293 ORIG_RAX: 0000000000000001
[ 41.272338] RAX: ffffffffffffffda RBX: 00007ffeeaf812d0 RCX: 0000000000444b89
[ 41.279575] RDX: 000000000000005d RSI: 0000000020384000 RDI: 0000000000000005
[ 41.286823] RBP: 0000000000000000 R08: 0000000120080522 R09: 0000000120080522
[ 41.294060] R10: 0000000120080522 R11: 0000000000000293 R12: 0000000000402780
[ 41.301733] R13: 0000000000402810 R14: 0000000000000000 R15: 0000000000000000
[ 41.311018] Dumping ftrace buffer:
[ 41.314542]    (ftrace buffer empty)
[ 41.318233] Kernel Offset: disabled
[ 41.322098] Rebooting in 86400 seconds..