[....] Starting enhanced syslogd: rsyslogd[   13.294524] audit: type=1400 audit(1512842079.069:5): avc:  denied  { syslog } for  pid=2991 comm="rsyslogd" capability=34  scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=capability2 permissive=1
[?25l[?1c7[1G[[32m ok [39;49m8[?25h[?0c.
[....] Starting periodic command scheduler: cron[?25l[?1c7[1G[[32m ok [39;49m8[?25h[?0c.
Starting mcstransd: 
[....] Starting file context maintaining daemon: restorecond[?25l[?1c7[1G[[32m ok [39;49m8[?25h[?0c.
[....] Starting OpenBSD Secure Shell server: sshd[?25l[?1c7[1G[[32m ok [39;49m8[?25h[?0c.

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [   34.565420] audit: type=1400 audit(1512842100.340:6): avc:  denied  { map } for  pid=3136 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
Warning: Permanently added 'ci-upstream-kasan-gce-2,10.128.15.230' (ECDSA) to the list of known hosts.
executing program
[   40.659491] audit: type=1400 audit(1512842106.434:7): avc:  denied  { map } for  pid=3148 comm="syzkaller712886" path="/root/syzkaller712886725" dev="sda1" ino=16481 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
[   40.662661] ==================================================================
[   40.662679] BUG: KASAN: stack-out-of-bounds in xfrm_state_find+0x30fc/0x3230
[   40.662684] Read of size 4 at addr ffff8801c403f760 by task syzkaller712886/3148
[   40.662687] 
[   40.662693] CPU: 0 PID: 3148 Comm: syzkaller712886 Not tainted 4.15.0-rc2+ #214
[   40.662697] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   40.662700] Call Trace:
[   40.662707]  dump_stack+0x194/0x257
[   40.662717]  ? arch_local_irq_restore+0x53/0x53
[   40.662725]  ? show_regs_print_info+0x18/0x18
[   40.662735]  ? lock_release+0xda0/0xda0
[   40.662742]  ? xfrm_state_find+0x30fc/0x3230
[   40.662752]  print_address_description+0x73/0x250
[   40.662759]  ? xfrm_state_find+0x30fc/0x3230
[   40.662766]  kasan_report+0x25b/0x340
[   40.662776]  __asan_report_load4_noabort+0x14/0x20
[   40.662782]  xfrm_state_find+0x30fc/0x3230
[   40.662809]  ? xfrm_state_afinfo_get_rcu+0x160/0x160
[   40.662819]  ? __unwind_start+0x169/0x330
[   40.662829]  ? __kernel_text_address+0xd/0x40
[   40.662839]  ? __save_stack_trace+0x61/0xd0
[   40.662852]  ? udp_sendmsg+0x19b8/0x2cd0
[   40.662861]  ? save_stack_trace+0x1a/0x20
[   40.662867]  ? __lock_acquire+0x324e/0x47f0
[   40.662872]  ? find_held_lock+0x39/0x1d0
[   40.662896]  ? debug_check_no_locks_freed+0x3d0/0x3d0
[   40.662904]  ? print_usage_bug+0x3f0/0x3f0
[   40.662911]  ? lock_downgrade+0x980/0x980
[   40.662921]  ? depot_save_stack+0x1c2/0x490
[   40.662933]  ? lock_release+0xda0/0xda0
[   40.662943]  ? is_bpf_text_address+0xa4/0x120
[   40.662953]  ? __lock_acquire+0x6e9/0x47f0
[   40.662958]  ? check_noncircular+0x20/0x20
[   40.662966]  ? trace_hardirqs_on_caller+0x421/0x5c0
[   40.662977]  xfrm_tmpl_resolve+0x309/0xc00
[   40.662999]  ? __xfrm_decode_session+0x110/0x110
[   40.663015]  ? lock_downgrade+0x980/0x980
[   40.663025]  ? rt_add_uncached_list+0xa2/0x240
[   40.663031]  ? check_noncircular+0x20/0x20
[   40.663042]  ? check_noncircular+0x20/0x20
[   40.663057]  xfrm_resolve_and_create_bundle+0x11b/0x2600
[   40.663064]  ? trace_hardirqs_on_caller+0x421/0x5c0
[   40.663071]  ? trace_hardirqs_on+0xd/0x10
[   40.663079]  ? __local_bh_enable_ip+0x121/0x230
[   40.663088]  ? _raw_spin_unlock_bh+0x30/0x40
[   40.663098]  ? find_held_lock+0x39/0x1d0
[   40.663105]  ? xfrm_tmpl_resolve+0xc00/0xc00
[   40.663118]  ? lock_downgrade+0x980/0x980
[   40.663125]  ? xfrm_selector_match+0xe00/0xe00
[   40.663133]  ? rt_cache_route+0x300/0x300
[   40.663142]  ? lock_release+0xda0/0xda0
[   40.663154]  ? refcount_inc_not_zero+0xfe/0x180
[   40.663167]  ? selinux_xfrm_policy_lookup+0xac/0xd0
[   40.663177]  ? security_xfrm_policy_lookup+0x92/0xc0
[   40.663187]  ? xfrm_sk_policy_lookup+0x334/0x490
[   40.663199]  ? xfrm_selector_match+0xe00/0xe00
[   40.663207]  ? check_noncircular+0x20/0x20
[   40.663218]  xfrm_lookup+0x1574/0x23f0
[   40.663223]  ? xfrm_lookup+0x1574/0x23f0
[   40.663227]  ? lock_release+0xda0/0xda0
[   40.663243]  ? xfrm_policy_lookup_bytype.constprop.47+0x960/0x960
[   40.663251]  ? find_held_lock+0x39/0x1d0
[   40.663268]  ? lock_downgrade+0x980/0x980
[   40.663275]  ? ip_route_output_key_hash+0x1a6/0x370
[   40.663282]  ? unwind_next_frame.part.6+0x1a6/0xb40
[   40.663292]  ? lock_release+0xda0/0xda0
[   40.663308]  ? lock_downgrade+0x980/0x980
[   40.663319]  ? ip_route_output_key_hash+0x252/0x370
[   40.663327]  ? ip_route_output_key_hash_rcu+0x2c20/0x2c20
[   40.663332]  ? lock_release+0xda0/0xda0
[   40.663345]  xfrm_lookup_route+0x39/0x1a0
[   40.663354]  ip_route_output_flow+0x7c/0xa0
[   40.663363]  udp_sendmsg+0x19b8/0x2cd0
[   40.663368]  ? unwind_get_return_address+0x61/0xa0
[   40.663377]  ? ip_reply_glue_bits+0xb0/0xb0
[   40.663392]  ? udp_lib_get_port+0x1b30/0x1b30
[   40.663398]  ? debug_check_no_locks_freed+0x3d0/0x3d0
[   40.663410]  ? debug_check_no_locks_freed+0x3d0/0x3d0
[   40.663439]  ? mark_held_locks+0xb2/0x100
[   40.663444]  ? refcount_inc_not_zero+0xfe/0x180
[   40.663452]  ? check_noncircular+0x20/0x20
[   40.663459]  ? trace_hardirqs_on_caller+0x421/0x5c0
[   40.663464]  ? udp_lib_get_port+0x785/0x1b30
[   40.663469]  ? trace_hardirqs_on+0xd/0x10
[   40.663475]  ? __local_bh_enable_ip+0x121/0x230
[   40.663486]  udpv6_sendmsg+0x743/0x3380
[   40.663491]  ? check_noncircular+0x20/0x20
[   40.663510]  ? udpv6_setsockopt+0x80/0x80
[   40.663515]  ? reacquire_held_locks+0x201/0x3e0
[   40.663525]  ? find_held_lock+0x39/0x1d0
[   40.663541]  ? lock_downgrade+0x980/0x980
[   40.663548]  ? lock_downgrade+0x980/0x980
[   40.663568]  ? __local_bh_enable_ip+0x121/0x230
[   40.663576]  ? trace_hardirqs_on_caller+0x421/0x5c0
[   40.663583]  ? release_sock+0x1d4/0x2a0
[   40.663589]  ? trace_hardirqs_on+0xd/0x10
[   40.663594]  ? __local_bh_enable_ip+0x121/0x230
[   40.663602]  ? _raw_spin_unlock_bh+0x30/0x40
[   40.663608]  ? release_sock+0x1d4/0x2a0
[   40.663616]  ? __release_sock+0x360/0x360
[   40.663620]  ? udp6_portaddr_hash+0x146/0x2f0
[   40.663630]  ? udp_v6_get_port+0x9c/0xc0
[   40.663644]  inet_sendmsg+0x11f/0x5e0
[   40.663649]  ? inet_sendmsg+0x11f/0x5e0
[   40.663655]  ? __might_sleep+0x95/0x190
[   40.663662]  ? inet_recvmsg+0x5f0/0x5f0
[   40.663670]  ? selinux_socket_sendmsg+0x36/0x40
[   40.663677]  ? security_socket_sendmsg+0x89/0xb0
[   40.663683]  ? inet_recvmsg+0x5f0/0x5f0
[   40.663692]  sock_sendmsg+0xca/0x110
[   40.663701]  SYSC_sendto+0x358/0x5a0
[   40.663711]  ? SYSC_connect+0x480/0x480
[   40.663718]  ? __do_page_fault+0x3d6/0xc90
[   40.663731]  ? mm_fault_error+0x2c0/0x2c0
[   40.663741]  ? ipv6_setsockopt+0xa8/0x150
[   40.663756]  ? __do_page_fault+0xc90/0xc90
[   40.663774]  ? lockdep_sys_exit+0x47/0xf0
[   40.663780]  ? entry_SYSCALL_64_fastpath+0x5/0x96
[   40.663789]  ? trace_hardirqs_on_caller+0x421/0x5c0
[   40.663798]  SyS_sendto+0x40/0x50
[   40.663809]  entry_SYSCALL_64_fastpath+0x1f/0x96
[   40.663814] RIP: 0033:0x43ff59
[   40.663818] RSP: 002b:00007fff16d27318 EFLAGS: 00000217 ORIG_RAX: 000000000000002c
[   40.663825] RAX: ffffffffffffffda RBX: 0100000000000000 RCX: 000000000043ff59
[   40.663829] RDX: 0000000000000000 RSI: 000000002028a000 RDI: 0000000000000003
[   40.663833] RBP: 00000000006ca018 R08: 0000000020999000 R09: 000000000000001c
[   40.663836] R10: 0000000000000000 R11: 0000000000000217 R12: 00000000004018c0
[   40.663840] R13: 0000000000401950 R14: 0000000000000000 R15: 0000000000000000
[   40.663859] 
[   40.663862] The buggy address belongs to the page:
[   40.663868] page:000000006cc73b57 count:0 mapcount:0 mapping:          (null) index:0x0
[   40.663877] flags: 0x2fffc0000000000()
[   40.663885] raw: 02fffc0000000000 0000000000000000 0000000000000000 00000000ffffffff
[   40.663893] raw: 0000000000000000 0000000100000001 0000000000000000 0000000000000000
[   40.663898] page dumped because: kasan: bad access detected
[   40.663900] 
[   40.663903] Memory state around the buggy address:
[   40.663907]  ffff8801c403f600: 00 f1 f1 f1 f1 04 f2 f2 f2 f2 f2 f2 f2 00 f2 f2
[   40.663912]  ffff8801c403f680: f2 f2 f2 f2 f2 f8 f2 f2 f2 f2 f2 f2 f2 00 00 00
[   40.663917] >ffff8801c403f700: 00 f2 f2 f2 f2 00 00 00 00 00 00 00 f2 f2 f2 f2
[   40.663920]                                                        ^
[   40.663925]  ffff8801c403f780: f2 00 00 00 00 00 00 00 00 00 f2 f2 f2 f3 f3 f3
[   40.663929]  ffff8801c403f800: f3 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   40.663932] ==================================================================
[   40.663934] Disabling lock debugging due to kernel taint
[   40.663946] Kernel panic - not syncing: panic_on_warn set ...
[   40.663946] 
[   40.663950] CPU: 0 PID: 3148 Comm: syzkaller712886 Tainted: G    B            4.15.0-rc2+ #214
[   40.663952] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   40.663953] Call Trace:
[   40.663957]  dump_stack+0x194/0x257
[   40.663962]  ? arch_local_irq_restore+0x53/0x53
[   40.663969]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[   40.663974]  ? vsnprintf+0x1ed/0x1900
[   40.663978]  ? xfrm_state_find+0x3040/0x3230
[   40.663982]  panic+0x1e4/0x41c
[   40.663986]  ? refcount_error_report+0x214/0x214
[   40.663992]  ? add_taint+0x1c/0x50
[   40.663996]  ? add_taint+0x1c/0x50
[   40.664004]  ? xfrm_state_find+0x30fc/0x3230
[   40.664008]  kasan_end_report+0x50/0x50
[   40.664011]  kasan_report+0x144/0x340
[   40.664017]  __asan_report_load4_noabort+0x14/0x20
[   40.664021]  xfrm_state_find+0x30fc/0x3230
[   40.664036]  ? xfrm_state_afinfo_get_rcu+0x160/0x160
[   40.664040]  ? __unwind_start+0x169/0x330
[   40.664045]  ? __kernel_text_address+0xd/0x40
[   40.664050]  ? __save_stack_trace+0x61/0xd0
[   40.664059]  ? udp_sendmsg+0x19b8/0x2cd0
[   40.664065]  ? save_stack_trace+0x1a/0x20
[   40.664068]  ? __lock_acquire+0x324e/0x47f0
[   40.664072]  ? find_held_lock+0x39/0x1d0
[   40.664085]  ? debug_check_no_locks_freed+0x3d0/0x3d0
[   40.664089]  ? print_usage_bug+0x3f0/0x3f0
[   40.664093]  ? lock_downgrade+0x980/0x980
[   40.664098]  ? depot_save_stack+0x1c2/0x490
[   40.664105]  ? lock_release+0xda0/0xda0
[   40.664110]  ? is_bpf_text_address+0xa4/0x120
[   40.664116]  ? __lock_acquire+0x6e9/0x47f0
[   40.664119]  ? check_noncircular+0x20/0x20
[   40.664124]  ? trace_hardirqs_on_caller+0x421/0x5c0
[   40.664130]  xfrm_tmpl_resolve+0x309/0xc00
[   40.664141]  ? __xfrm_decode_session+0x110/0x110
[   40.664148]  ? lock_downgrade+0x980/0x980
[   40.664153]  ? rt_add_uncached_list+0xa2/0x240
[   40.664157]  ? check_noncircular+0x20/0x20
[   40.664163]  ? check_noncircular+0x20/0x20
[   40.664170]  xfrm_resolve_and_create_bundle+0x11b/0x2600
[   40.664174]  ? trace_hardirqs_on_caller+0x421/0x5c0
[   40.664179]  ? trace_hardirqs_on+0xd/0x10
[   40.664182]  ? __local_bh_enable_ip+0x121/0x230
[   40.664187]  ? _raw_spin_unlock_bh+0x30/0x40
[   40.664192]  ? find_held_lock+0x39/0x1d0
[   40.664197]  ? xfrm_tmpl_resolve+0xc00/0xc00
[   40.664204]  ? lock_downgrade+0x980/0x980
[   40.664208]  ? xfrm_selector_match+0xe00/0xe00
[   40.664213]  ? rt_cache_route+0x300/0x300
[   40.664218]  ? lock_release+0xda0/0xda0
[   40.664224]  ? refcount_inc_not_zero+0xfe/0x180
[   40.664229]  ? selinux_xfrm_policy_lookup+0xac/0xd0
[   40.664235]  ? security_xfrm_policy_lookup+0x92/0xc0
[   40.664240]  ? xfrm_sk_policy_lookup+0x334/0x490
[   40.664247]  ? xfrm_selector_match+0xe00/0xe00
[   40.664252]  ? check_noncircular+0x20/0x20
[   40.664258]  xfrm_lookup+0x1574/0x23f0
[   40.664261]  ? xfrm_lookup+0x1574/0x23f0
[   40.664264]  ? lock_release+0xda0/0xda0
[   40.664273]  ? xfrm_policy_lookup_bytype.constprop.47+0x960/0x960
[   40.664278]  ? find_held_lock+0x39/0x1d0
[   40.664286]  ? lock_downgrade+0x980/0x980
[   40.664291]  ? ip_route_output_key_hash+0x1a6/0x370
[   40.664295]  ? unwind_next_frame.part.6+0x1a6/0xb40
[   40.664301]  ? lock_release+0xda0/0xda0
[   40.664310]  ? lock_downgrade+0x980/0x980
[   40.664316]  ? ip_route_output_key_hash+0x252/0x370
[   40.664320]  ? ip_route_output_key_hash_rcu+0x2c20/0x2c20
[   40.664323]  ? lock_release+0xda0/0xda0
[   40.664331]  xfrm_lookup_route+0x39/0x1a0
[   40.664336]  ip_route_output_flow+0x7c/0xa0
[   40.664341]  udp_sendmsg+0x19b8/0x2cd0
[   40.664344]  ? unwind_get_return_address+0x61/0xa0
[   40.664349]  ? ip_reply_glue_bits+0xb0/0xb0
[   40.664358]  ? udp_lib_get_port+0x1b30/0x1b30
[   40.664361]  ? debug_check_no_locks_freed+0x3d0/0x3d0
[   40.664368]  ? debug_check_no_locks_freed+0x3d0/0x3d0
[   40.664383]  ? mark_held_locks+0xb2/0x100
[   40.664387]  ? refcount_inc_not_zero+0xfe/0x180
[   40.664391]  ? check_noncircular+0x20/0x20
[   40.664395]  ? trace_hardirqs_on_caller+0x421/0x5c0
[   40.664399]  ? udp_lib_get_port+0x785/0x1b30
[   40.664402]  ? trace_hardirqs_on+0xd/0x10
[   40.664406]  ? __local_bh_enable_ip+0x121/0x230
[   40.664412]  udpv6_sendmsg+0x743/0x3380
[   40.664415]  ? check_noncircular+0x20/0x20
[   40.664425]  ? udpv6_setsockopt+0x80/0x80
[   40.664428]  ? reacquire_held_locks+0x201/0x3e0
[   40.664434]  ? find_held_lock+0x39/0x1d0
[   40.664443]  ? lock_downgrade+0x980/0x980
[   40.664446]  ? lock_downgrade+0x980/0x980
[   40.664457]  ? __local_bh_enable_ip+0x121/0x230
[   40.664462]  ? trace_hardirqs_on_caller+0x421/0x5c0
[   40.664466]  ? release_sock+0x1d4/0x2a0
[   40.664469]  ? trace_hardirqs_on+0xd/0x10
[   40.664473]  ? __local_bh_enable_ip+0x121/0x230
[   40.664477]  ? _raw_spin_unlock_bh+0x30/0x40
[   40.664481]  ? release_sock+0x1d4/0x2a0
[   40.664485]  ? __release_sock+0x360/0x360
[   40.664489]  ? udp6_portaddr_hash+0x146/0x2f0
[   40.664494]  ? udp_v6_get_port+0x9c/0xc0
[   40.664501]  inet_sendmsg+0x11f/0x5e0
[   40.664505]  ? inet_sendmsg+0x11f/0x5e0
[   40.664508]  ? __might_sleep+0x95/0x190
[   40.664512]  ? inet_recvmsg+0x5f0/0x5f0
[   40.664518]  ? selinux_socket_sendmsg+0x36/0x40
[   40.664522]  ? security_socket_sendmsg+0x89/0xb0
[   40.664526]  ? inet_recvmsg+0x5f0/0x5f0
[   40.664531]  sock_sendmsg+0xca/0x110
[   40.664536]  SYSC_sendto+0x358/0x5a0
[   40.664542]  ? SYSC_connect+0x480/0x480
[   40.664546]  ? __do_page_fault+0x3d6/0xc90
[   40.664554]  ? mm_fault_error+0x2c0/0x2c0
[   40.664559]  ? ipv6_setsockopt+0xa8/0x150
[   40.664567]  ? __do_page_fault+0xc90/0xc90
[   40.664577]  ? lockdep_sys_exit+0x47/0xf0
[   40.664581]  ? entry_SYSCALL_64_fastpath+0x5/0x96
[   40.664586]  ? trace_hardirqs_on_caller+0x421/0x5c0
[   40.664591]  SyS_sendto+0x40/0x50
[   40.664597]  entry_SYSCALL_64_fastpath+0x1f/0x96
[   40.664600] RIP: 0033:0x43ff59
[   40.664602] RSP: 002b:00007fff16d27318 EFLAGS: 00000217 ORIG_RAX: 000000000000002c
[   40.664606] RAX: ffffffffffffffda RBX: 0100000000000000 RCX: 000000000043ff59
[   40.664608] RDX: 0000000000000000 RSI: 000000002028a000 RDI: 0000000000000003
[   40.664610] RBP: 00000000006ca018 R08: 0000000020999000 R09: 000000000000001c
[   40.664612] R10: 0000000000000000 R11: 0000000000000217 R12: 00000000004018c0
[   40.664614] R13: 0000000000401950 R14: 0000000000000000 R15: 0000000000000000
[   40.685693] Dumping ftrace buffer:
[   40.685696]    (ftrace buffer empty)
[   40.685699] Kernel Offset: disabled
[   41.970257] Rebooting in 86400 seconds..