[ ok ] Starting enhanced syslogd: rsyslogd.
[   13.418420] audit: type=1400 audit(1516631366.235:5): avc:  denied  { syslog } for  pid=3503 comm="rsyslogd" capability=34  scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=capability2 permissive=1
Starting mcstransd:
[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting file context maintaining daemon: restorecond.
[ ok ] Starting OpenBSD Secure Shell server: sshd.

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [   19.409539] audit: type=1400 audit(1516631372.226:6): avc:  denied  { map } for  pid=3644 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
Warning: Permanently added '10.128.15.194' (ECDSA) to the list of known hosts.
[   25.637111] audit: type=1400 audit(1516631378.453:7): avc:  denied  { map } for  pid=3658 comm="syzkaller112255" path="/root/syzkaller112255468" dev="sda1" ino=16481 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
net.ipv6.conf.syz0.accept_dad = 0
net.ipv6.conf.syz0.router_solicitations = 0
RTNETLINK answers: Operation not supported
RTNETLINK answers: No buffer space available
RTNETLINK answers: Operation not supported
RTNETLINK answers: Operation not supported
[   26.004809] IPv6: ADDRCONF(NETDEV_UP): bridge0: link is not ready
RTNETLINK answers: Operation not supported
RTNETLINK answers: Operation not supported
RTNETLINK answers: Invalid argument
RTNETLINK answers: Invalid argument
RTNETLINK answers: Invalid argument
executing program
[   26.317627] ==================================================================
[   26.325053] BUG: KASAN: use-after-free in erspan_build_header+0x3bf/0x3d0
[   26.331953] Read of size 2 at addr ffff8801d60330cb by task syzkaller112255/3659
[   26.339473] 
[   26.341075] CPU: 0 PID: 3659 Comm: syzkaller112255 Not tainted 4.15.0-rc9+ #274
[   26.348489] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   26.357811] Call Trace:
[   26.360372]  dump_stack+0x194/0x257
[   26.363977]  ? arch_local_irq_restore+0x53/0x53
[   26.368619]  ? show_regs_print_info+0x18/0x18
[   26.373090]  ? refcount_add+0x24/0x60
[   26.376866]  ? erspan_build_header+0x3bf/0x3d0
[   26.381426]  print_address_description+0x73/0x250
[   26.386241]  ? erspan_build_header+0x3bf/0x3d0
[   26.390795]  kasan_report+0x25b/0x340
[   26.394573]  __asan_report_load_n_noabort+0xf/0x20
[   26.399473]  erspan_build_header+0x3bf/0x3d0
[   26.403860]  erspan_xmit+0x3b8/0x13b0
[   26.407636]  ? prepare_fb_xmit+0x9a0/0x9a0
[   26.411844]  ? netif_skb_features+0x9b0/0x9b0
[   26.416315]  ? __dev_get_by_index+0x1a0/0x1a0
[   26.420784]  ? check_noncircular+0x20/0x20
[   26.425002]  packet_direct_xmit+0x315/0x6b0
[   26.429317]  packet_sendmsg+0x3aed/0x60b0
[   26.433442]  ? find_held_lock+0x35/0x1d0
[   26.437484]  ? avc_has_perm+0x35e/0x680
[   26.441446]  ? packet_cached_dev_get+0x2b0/0x2b0
[   26.446183]  ? avc_has_perm+0x43e/0x680
[   26.450135]  ? avc_has_perm_noaudit+0x520/0x520
[   26.454773]  ? find_held_lock+0x35/0x1d0
[   26.458808]  ? fanout_add+0x1430/0x1430
[   26.462754]  ? avc_has_perm+0x35e/0x680
[   26.466710]  ? find_held_lock+0x35/0x1d0
[   26.470753]  ? sock_has_perm+0x2a4/0x420
[   26.474788]  ? selinux_secmark_relabel_packet+0xc0/0xc0
[   26.480124]  ? lock_release+0x952/0xa40
[   26.484074]  ? trace_event_raw_event_sched_switch+0x800/0x800
[   26.489931]  ? __check_object_size+0x25d/0x4f0
[   26.494482]  ? avc_has_perm_noaudit+0x520/0x520
[   26.499137]  ? selinux_socket_sendmsg+0x36/0x40
[   26.503776]  ? security_socket_sendmsg+0x89/0xb0
[   26.508512]  ? packet_cached_dev_get+0x2b0/0x2b0
[   26.513246]  sock_sendmsg+0xca/0x110
[   26.516933]  SYSC_sendto+0x361/0x5c0
[   26.520621]  ? SYSC_connect+0x4a0/0x4a0
[   26.524570]  ? selinux_secmark_relabel_packet+0xc0/0xc0
[   26.529904]  ? __do_page_fault+0x3d6/0xc90
[   26.534114]  ? selinux_netlbl_sock_rcv_skb+0x730/0x730
[   26.539389]  ? SyS_setsockopt+0x215/0x360
[   26.543513]  ? SyS_recv+0x40/0x40
[   26.546942]  ? entry_SYSCALL_64_fastpath+0x5/0xa0
[   26.551764]  SyS_sendto+0x40/0x50
[   26.555194]  entry_SYSCALL_64_fastpath+0x29/0xa0
[   26.559920] RIP: 0033:0x4454e9
[   26.563084] RSP: 002b:00007fffd78af2c8 EFLAGS: 00000217 ORIG_RAX: 000000000000002c
[   26.570762] RAX: ffffffffffffffda RBX: ffffffffffffffff RCX: 00000000004454e9
[   26.578019] RDX: 0000000000000000 RSI: 0000000020003fd9 RDI: 0000000000000004
[   26.585276] RBP: 00000000004a7093 R08: 0000000020008000 R09: 000000000000001c
[   26.592528] R10: 0000000000000001 R11: 0000000000000217 R12: 00007fffd78af378
[   26.599770] R13: 00000000004026b0 R14: 0000000000000000 R15: 0000000000000000
[   26.607040] 
[   26.608641] Allocated by task 3785:
[   26.612241]  save_stack+0x43/0xd0
[   26.615675]  kasan_kmalloc+0xad/0xe0
[   26.619360]  kasan_slab_alloc+0x12/0x20
[   26.623304]  kmem_cache_alloc+0x12e/0x760
[   26.627424]  getname_flags+0xcb/0x580
[   26.631193]  getname+0x19/0x20
[   26.634358]  SyS_execve+0x1f/0x50
[   26.637793]  do_syscall_64+0x273/0x920
[   26.641652]  return_from_SYSCALL_64+0x0/0x75
[   26.646031] 
[   26.647631] Freed by task 3785:
[   26.650883]  save_stack+0x43/0xd0
[   26.654305]  kasan_slab_free+0x71/0xc0
[   26.658161]  kmem_cache_free+0x83/0x2a0
[   26.662107]  putname+0xee/0x130
[   26.665362]  do_execveat_common.isra.30+0x1a38/0x23c0
[   26.670530]  SyS_execve+0x39/0x50
[   26.673955]  do_syscall_64+0x273/0x920
[   26.677812]  return_from_SYSCALL_64+0x0/0x75
[   26.682721] 
[   26.684328] The buggy address belongs to the object at ffff8801d6032280
[   26.684328]  which belongs to the cache names_cache of size 4096
[   26.697046] The buggy address is located 3659 bytes inside of
[   26.697046]  4096-byte region [ffff8801d6032280, ffff8801d6033280)
[   26.709069] The buggy address belongs to the page:
[   26.713972] page:ffffea0007580c80 count:1 mapcount:0 mapping:ffff8801d6032280 index:0x0 compound_mapcount: 0
[   26.723911] flags: 0x2fffc0000008100(slab|head)
[   26.728550] raw: 02fffc0000008100 ffff8801d6032280 0000000000000000 0000000100000001
[   26.736401] raw: ffffea0007580c20 ffffea0007580da0 ffff8801dae2c600 0000000000000000
[   26.744249] page dumped because: kasan: bad access detected
[   26.749929] 
[   26.751526] Memory state around the buggy address:
[   26.756423]  ffff8801d6032f80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   26.763762]  ffff8801d6033000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   26.771094] >ffff8801d6033080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   26.778424]                                               ^
[   26.784114]  ffff8801d6033100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   26.791443]  ffff8801d6033180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   26.798771] ==================================================================
[   26.806101] Disabling lock debugging due to kernel taint
[   26.811547] Kernel panic - not syncing: panic_on_warn set ...
[   26.811547] 
[   26.818894] CPU: 0 PID: 3659 Comm: syzkaller112255 Tainted: G    B            4.15.0-rc9+ #274
[   26.827617] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   26.836940] Call Trace:
[   26.839504]  dump_stack+0x194/0x257
[   26.843108]  ? arch_local_irq_restore+0x53/0x53
[   26.847748]  ? kasan_end_report+0x32/0x50
[   26.851867]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[   26.856594]  ? vsnprintf+0x1ed/0x1900
[   26.860366]  ? erspan_build_header+0x360/0x3d0
[   26.864932]  panic+0x1e4/0x41c
[   26.868099]  ? refcount_error_report+0x214/0x214
[   26.872824]  ? add_taint+0x1c/0x50
[   26.876334]  ? add_taint+0x1c/0x50
[   26.879843]  ? erspan_build_header+0x3bf/0x3d0
[   26.884394]  kasan_end_report+0x50/0x50
[   26.888339]  kasan_report+0x144/0x340
[   26.892113]  __asan_report_load_n_noabort+0xf/0x20
[   26.897019]  erspan_build_header+0x3bf/0x3d0
[   26.901406]  erspan_xmit+0x3b8/0x13b0
[   26.905179]  ? prepare_fb_xmit+0x9a0/0x9a0
[   26.909386]  ? netif_skb_features+0x9b0/0x9b0
[   26.913856]  ? __dev_get_by_index+0x1a0/0x1a0
[   26.918324]  ? check_noncircular+0x20/0x20
[   26.922534]  packet_direct_xmit+0x315/0x6b0
[   26.926827]  packet_sendmsg+0x3aed/0x60b0
[   26.930946]  ? find_held_lock+0x35/0x1d0
[   26.934982]  ? avc_has_perm+0x35e/0x680
[   26.938937]  ? packet_cached_dev_get+0x2b0/0x2b0
[   26.943666]  ? avc_has_perm+0x43e/0x680
[   26.947612]  ? avc_has_perm_noaudit+0x520/0x520
[   26.952250]  ? find_held_lock+0x35/0x1d0
[   26.956282]  ? fanout_add+0x1430/0x1430
[   26.960224]  ? avc_has_perm+0x35e/0x680
[   26.964173]  ? find_held_lock+0x35/0x1d0
[   26.968208]  ? sock_has_perm+0x2a4/0x420
[   26.972240]  ? selinux_secmark_relabel_packet+0xc0/0xc0
[   26.977572]  ? lock_release+0x952/0xa40
[   26.981519]  ? trace_event_raw_event_sched_switch+0x800/0x800
[   26.987377]  ? __check_object_size+0x25d/0x4f0
[   26.991927]  ? avc_has_perm_noaudit+0x520/0x520
[   26.996573]  ? selinux_socket_sendmsg+0x36/0x40
[   27.001213]  ? security_socket_sendmsg+0x89/0xb0
[   27.005949]  ? packet_cached_dev_get+0x2b0/0x2b0
[   27.010676]  sock_sendmsg+0xca/0x110
[   27.014361]  SYSC_sendto+0x361/0x5c0
[   27.018050]  ? SYSC_connect+0x4a0/0x4a0
[   27.021995]  ? selinux_secmark_relabel_packet+0xc0/0xc0
[   27.027332]  ? __do_page_fault+0x3d6/0xc90
[   27.031550]  ? selinux_netlbl_sock_rcv_skb+0x730/0x730
[   27.036809]  ? SyS_setsockopt+0x215/0x360
[   27.040929]  ? SyS_recv+0x40/0x40
[   27.044353]  ? entry_SYSCALL_64_fastpath+0x5/0xa0
[   27.049167]  SyS_sendto+0x40/0x50
[   27.052592]  entry_SYSCALL_64_fastpath+0x29/0xa0
[   27.057315] RIP: 0033:0x4454e9
[   27.060475] RSP: 002b:00007fffd78af2c8 EFLAGS: 00000217 ORIG_RAX: 000000000000002c
[   27.068152] RAX: ffffffffffffffda RBX: ffffffffffffffff RCX: 00000000004454e9
[   27.075392] RDX: 0000000000000000 RSI: 0000000020003fd9 RDI: 0000000000000004
[   27.082630] RBP: 00000000004a7093 R08: 0000000020008000 R09: 000000000000001c
[   27.089868] R10: 0000000000000001 R11: 0000000000000217 R12: 00007fffd78af378
[   27.097107] R13: 00000000004026b0 R14: 0000000000000000 R15: 0000000000000000
[   27.104805] Dumping ftrace buffer:
[   27.108315]    (ftrace buffer empty)
[   27.111992] Kernel Offset: disabled
[   27.115588] Rebooting in 86400 seconds..
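The fields a triager actually pulls out of a report like the one above are few: the bug class and faulting function, the access kind and width, the accessing task, the allocation and free sites with their task, the slab cache and the offset into the object. The script below is an added example (not part of the syzkaller log, and not kernel or syzkaller code) that extracts those fields from the 4.15-era KASAN report layout shown on this page; its sample input is the key lines of the report above, copied with their console timestamps. Frames prefixed with "? " are dropped because the unwinder marks them unreliable, and the allocator/KASAN bookkeeping frames (save_stack, kasan_*, kmem_cache_*) are skipped when naming the alloc and free sites. The offset is recomputed from the addresses and can be checked against the one the report states.

```python
"""Reduce a KASAN report to a triage summary.
Added example; assumes the 4.15-era KASAN report layout (not kernel code)."""
import re

# Constructed sample: key lines of the report above, copied with their console
# timestamps (a full report with registers and page dump parses the same way).
SAMPLE_REPORT = """\
[   26.325053] BUG: KASAN: use-after-free in erspan_build_header+0x3bf/0x3d0
[   26.331953] Read of size 2 at addr ffff8801d60330cb by task syzkaller112255/3659
[   26.339473]
[   26.341075] CPU: 0 PID: 3659 Comm: syzkaller112255 Not tainted 4.15.0-rc9+ #274
[   26.357811] Call Trace:
[   26.360372]  dump_stack+0x194/0x257
[   26.363977]  ? arch_local_irq_restore+0x53/0x53
[   26.390795]  kasan_report+0x25b/0x340
[   26.399473]  erspan_build_header+0x3bf/0x3d0
[   26.403860]  erspan_xmit+0x3b8/0x13b0
[   26.429317]  packet_sendmsg+0x3aed/0x60b0
[   26.551764]  SyS_sendto+0x40/0x50
[   26.559920] RIP: 0033:0x4454e9
[   26.607040]
[   26.608641] Allocated by task 3785:
[   26.612241]  save_stack+0x43/0xd0
[   26.615675]  kasan_kmalloc+0xad/0xe0
[   26.623304]  kmem_cache_alloc+0x12e/0x760
[   26.627424]  getname_flags+0xcb/0x580
[   26.634358]  SyS_execve+0x1f/0x50
[   26.646031]
[   26.647631] Freed by task 3785:
[   26.650883]  save_stack+0x43/0xd0
[   26.654305]  kasan_slab_free+0x71/0xc0
[   26.658161]  kmem_cache_free+0x83/0x2a0
[   26.662107]  putname+0xee/0x130
[   26.665362]  do_execveat_common.isra.30+0x1a38/0x23c0
[   26.670530]  SyS_execve+0x39/0x50
[   26.682721]
[   26.684328] The buggy address belongs to the object at ffff8801d6032280
[   26.684328]  which belongs to the cache names_cache of size 4096
[   26.697046] The buggy address is located 3659 bytes inside of
[   26.697046]  4096-byte region [ffff8801d6032280, ffff8801d6033280)
[   26.798771] ==================================================================
"""

TS_RE = re.compile(r"^\[\s*\d+\.\d+\] ?")
HEADER_RE = re.compile(r"^BUG: KASAN: (?P<kind>[\w-]+) in (?P<func>[\w.]+)\+0x")
ACCESS_RE = re.compile(r"^(?P<op>Read|Write) of size (?P<size>\d+) at addr "
                       r"(?P<addr>[0-9a-f]+) by task (?P<comm>\S+)/(?P<pid>\d+)$")
KERNEL_RE = re.compile(r"^CPU: \d+ PID: \d+ Comm: .*?(?P<ver>\d+\.\d+\.\d+\S*) #\d+")
SECTION_RE = re.compile(r"^(?P<what>Allocated|Freed) by task (?P<pid>\d+):$")
FRAME_RE = re.compile(r"^(?P<unreliable>\? )?(?P<sym>[\w.]+)\+0x[0-9a-f]+/0x[0-9a-f]+$")
OBJECT_RE = re.compile(r"belongs to the object at (?P<obj>[0-9a-f]+)")
CACHE_RE = re.compile(r"belongs to the cache (?P<cache>\S+) of size (?P<size>\d+)")
OFFSET_RE = re.compile(r"located (?P<off>\d+) bytes inside of")
# Allocator/KASAN bookkeeping frames; the real alloc/free site is the first frame after them.
BOOKKEEPING = ("save_stack", "kasan_", "kmem_cache_", "kmalloc", "__kmalloc", "kfree")


def parse_kasan_report(text):
    """Return the triage fields of one KASAN report; ValueError if no BUG header."""
    info = {"call_trace": [], "alloc_stack": [], "free_stack": [],
            "alloc_pid": None, "free_pid": None}
    section = None
    for raw in text.splitlines():
        line = TS_RE.sub("", raw).strip()
        if not line:                          # a blank line closes a stack section
            section = None
        elif line == "Call Trace:":
            section = "call_trace"
        elif (m := SECTION_RE.match(line)):
            section = "alloc_stack" if m["what"] == "Allocated" else "free_stack"
            info[section[:-5] + "pid"] = int(m["pid"])     # alloc_pid / free_pid
        elif section and (m := FRAME_RE.match(line)):
            if not m["unreliable"]:           # "? " frames are unwinder guesses
                info[section].append(m["sym"])
        elif (m := HEADER_RE.match(line)):
            info["kind"], info["function"] = m["kind"], m["func"]
        elif (m := ACCESS_RE.match(line)):
            info.update(op=m["op"], size=int(m["size"]), addr=int(m["addr"], 16),
                        comm=m["comm"], pid=int(m["pid"]))
        elif (m := KERNEL_RE.match(line)):
            info.setdefault("kernel", m["ver"])
        elif (m := OBJECT_RE.search(line)):
            info["object"] = int(m["obj"], 16)
        elif (m := CACHE_RE.search(line)):
            info["cache"], info["object_size"] = m["cache"], int(m["size"])
        elif (m := OFFSET_RE.search(line)):
            info["reported_offset"] = int(m["off"])
    if "kind" not in info:
        raise ValueError("no 'BUG: KASAN:' header found")
    if "addr" in info and "object" in info:   # recompute; compare with reported_offset
        info["offset"] = info["addr"] - info["object"]
    info["cross_task_free"] = (info["free_pid"] is not None
                               and info["free_pid"] != info.get("pid"))
    return info


def first_caller(stack):
    """First frame that is not allocator/KASAN bookkeeping: the real alloc or free site."""
    return next((s for s in stack if not s.startswith(BOOKKEEPING)), None)


def triage_line(info):
    """One-line summary usable as a bug title or dedup key."""
    flag = " [freed by another task]" if info["cross_task_free"] else ""
    return (f"{info['kind']} {info['op']}({info['size']}) in {info['function']} "
            f"by {info['comm']}/{info['pid']}: {info.get('cache', '?')} object "
            f"+{info.get('offset', '?')}/{info.get('object_size', '?')}, "
            f"alloc {first_caller(info['alloc_stack'])}, "
            f"free {first_caller(info['free_stack'])} by pid {info['free_pid']}{flag}, "
            f"kernel {info.get('kernel', '?')}")


if __name__ == "__main__":
    print(triage_line(parse_kasan_report(SAMPLE_REPORT)))
```

On this report the summary reads: use-after-free read of 2 bytes in erspan_build_header by syzkaller112255/3659, on a names_cache object 3659 bytes in, allocated in getname_flags and freed in putname by pid 3785. The cross_task_free flag surfaces what the report already shows: the freed object is an execve pathname buffer belonging to a different process, not anything the ERSPAN transmit path allocated, which usually means the faulting path is reading through a stale or out-of-range pointer rather than that names_cache itself is mishandled. The recomputed offset (0xffff8801d60330cb minus 0xffff8801d6032280) equals the 3659 the report states, which is the consistency check worth keeping when the script is run over reports from other kernels.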