[ ok ] Starting enhanced syslogd: rsyslogd.
[ 13.486259] audit: type=1400 audit(1516679289.475:5): avc: denied { syslog } for pid=3543 comm="rsyslogd" capability=34 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=capability2 permissive=1
[ ok ] Starting periodic command scheduler: cron.
Starting mcstransd:
[ ok ] Starting file context maintaining daemon: restorecond.
[ ok ] Starting OpenBSD Secure Shell server: sshd.

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login:
[ 19.441882] audit: type=1400 audit(1516679295.431:6): avc: denied { map } for pid=3683 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
Warning: Permanently added '10.128.15.217' (ECDSA) to the list of known hosts.
[ 25.812232] audit: type=1400 audit(1516679301.801:7): avc: denied { map } for pid=3697 comm="syzkaller740696" path="/root/syzkaller740696167" dev="sda1" ino=16481 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
net.ipv6.conf.syz0.accept_dad = 0
net.ipv6.conf.syz0.router_solicitations = 0
RTNETLINK answers: Operation not supported
RTNETLINK answers: No buffer space available
RTNETLINK answers: Operation not supported
[ 26.178310] ip (3736) used greatest stack depth: 16592 bytes left
[ 26.214706] IPv6: ADDRCONF(NETDEV_UP): bridge0: link is not ready
RTNETLINK answers: Operation not supported
RTNETLINK answers: Operation not supported
RTNETLINK answers: Operation not supported
RTNETLINK answers: Invalid argument
RTNETLINK answers: Invalid argument
RTNETLINK answers: Invalid argument
executing program
[ 26.569169] ==================================================================
[ 26.576602] BUG: KASAN: slab-out-of-bounds in erspan_build_header+0x3bf/0x3d0
[ 26.583859] Read of size 2 at addr ffff8801d637f80b by task syzkaller740696/3698
[ 26.591380]
[ 26.593003] CPU: 0 PID: 3698 Comm: syzkaller740696 Not tainted 4.15.0-rc9+ #275
[ 26.600432] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 26.610041] Call Trace:
[ 26.612634] dump_stack+0x194/0x257
[ 26.616241] ? arch_local_irq_restore+0x53/0x53
[ 26.620889] ? show_regs_print_info+0x18/0x18
[ 26.625365] ? refcount_add+0x24/0x60
[ 26.629143] ? erspan_build_header+0x3bf/0x3d0
[ 26.633703] print_address_description+0x73/0x250
[ 26.638520] ? erspan_build_header+0x3bf/0x3d0
[ 26.643079] kasan_report+0x25b/0x340
[ 26.646860] __asan_report_load_n_noabort+0xf/0x20
[ 26.651764] erspan_build_header+0x3bf/0x3d0
[ 26.656152] erspan_xmit+0x3b8/0x13b0
[ 26.659948] ? prepare_fb_xmit+0x9a0/0x9a0
[ 26.664162] ? netif_skb_features+0x9b0/0x9b0
[ 26.668635] ? __dev_get_by_index+0x1a0/0x1a0
[ 26.673110] ? check_noncircular+0x20/0x20
[ 26.677330] packet_direct_xmit+0x315/0x6b0
[ 26.681630] packet_sendmsg+0x3aed/0x60b0
[ 26.685755] ? find_held_lock+0x35/0x1d0
[ 26.689801] ? avc_has_perm+0x35e/0x680
[ 26.693768] ? packet_cached_dev_get+0x2b0/0x2b0
[ 26.698508] ? avc_has_perm+0x43e/0x680
[ 26.702462] ? avc_has_perm_noaudit+0x520/0x520
[ 26.707115] ? find_held_lock+0x35/0x1d0
[ 26.711245] ? fanout_add+0x1430/0x1430
[ 26.715205] ? avc_has_perm+0x35e/0x680
[ 26.719175] ? find_held_lock+0x35/0x1d0
[ 26.723218] ? sock_has_perm+0x2a4/0x420
[ 26.727256] ? selinux_secmark_relabel_packet+0xc0/0xc0
[ 26.732593] ? lock_release+0x952/0xa40
[ 26.736541] ? trace_event_raw_event_sched_switch+0x800/0x800
[ 26.742414] ? __check_object_size+0x25d/0x4f0
[ 26.746990] ? avc_has_perm_noaudit+0x520/0x520
[ 26.751648] ? selinux_socket_sendmsg+0x36/0x40
[ 26.756290] ? security_socket_sendmsg+0x89/0xb0
[ 26.761027] ? packet_cached_dev_get+0x2b0/0x2b0
[ 26.765807] sock_sendmsg+0xca/0x110
[ 26.769522] SYSC_sendto+0x361/0x5c0
[ 26.773214] ? SYSC_connect+0x4a0/0x4a0
[ 26.777170] ? selinux_secmark_relabel_packet+0xc0/0xc0
[ 26.782521] ? __do_page_fault+0x3d6/0xc90
[ 26.786748] ? selinux_netlbl_sock_rcv_skb+0x730/0x730
[ 26.792045] ? SyS_setsockopt+0x215/0x360
[ 26.796189] ? SyS_recv+0x40/0x40
[ 26.799620] ? entry_SYSCALL_64_fastpath+0x5/0xa0
[ 26.804460] SyS_sendto+0x40/0x50
[ 26.807905] entry_SYSCALL_64_fastpath+0x29/0xa0
[ 26.812648] RIP: 0033:0x4454c9
[ 26.815811] RSP: 002b:00007fff40cabac8 EFLAGS: 00000217 ORIG_RAX: 000000000000002c
[ 26.823494] RAX: ffffffffffffffda RBX: ffffffffffffffff RCX: 00000000004454c9
[ 26.830757] RDX: 0000000000000000 RSI: 0000000020011000 RDI: 0000000000000004
[ 26.837999] RBP: 00000000004a7073 R08: 0000000020008000 R09: 000000000000001c
[ 26.845256] R10: 0000000000000000 R11: 0000000000000217 R12: 0000000000402600
[ 26.852501] R13: 0000000000402690 R14: 0000000000000000 R15: 0000000000000000
[ 26.859772]
[ 26.861375] Allocated by task 2134:
[ 26.864990] save_stack+0x43/0xd0
[ 26.868425] kasan_kmalloc+0xad/0xe0
[ 26.872371] kasan_slab_alloc+0x12/0x20
[ 26.876316] kmem_cache_alloc+0x12e/0x760
[ 26.880452] get_empty_filp+0xfb/0x4f0
[ 26.884310] alloc_file+0x26/0x390
[ 26.887823] create_pipe_files+0x4cd/0x930
[ 26.892034] __do_pipe_flags+0x35/0x220
[ 26.895981] SyS_pipe+0x8d/0x2e0
[ 26.899320] entry_SYSCALL_64_fastpath+0x29/0xa0
[ 26.904131]
[ 26.905731] Freed by task 0:
[ 26.908722] save_stack+0x43/0xd0
[ 26.912145] kasan_slab_free+0x71/0xc0
[ 26.916004] kmem_cache_free+0x83/0x2a0
[ 26.919958] file_free_rcu+0x5c/0x70
[ 26.923685] rcu_process_callbacks+0xd6c/0x17f0
[ 26.928331] __do_softirq+0x2d7/0xb85
[ 26.932101]
[ 26.933704] The buggy address belongs to the object at ffff8801d637f5c0
[ 26.933704] which belongs to the cache filp of size 456
[ 26.945734] The buggy address is located 131 bytes to the right of
[ 26.945734] 456-byte region [ffff8801d637f5c0, ffff8801d637f788)
[ 26.958099] The buggy address belongs to the page:
[ 26.963002] page:ffffea000758dfc0 count:1 mapcount:0 mapping:ffff8801d637f0c0 index:0xffff8801d637f340
[ 26.972427] flags: 0x2fffc0000000100(slab)
[ 26.976643] raw: 02fffc0000000100 ffff8801d637f0c0 ffff8801d637f340 0000000100000001
[ 26.984507] raw: ffffea000758f220 ffffea0007588de0 ffff8801dae2c180 0000000000000000
[ 26.992356] page dumped because: kasan: bad access detected
[ 26.998036]
[ 26.999635] Memory state around the buggy address:
[ 27.004571]  ffff8801d637f700: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 27.011915]  ffff8801d637f780: fb fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 27.019248] >ffff8801d637f800: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
[ 27.026577]                       ^
[ 27.030185]  ffff8801d637f880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 27.037517]  ffff8801d637f900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 27.044847] ==================================================================
[ 27.052175] Disabling lock debugging due to kernel taint
[ 27.057670] Kernel panic - not syncing: panic_on_warn set ...
[ 27.057670]
[ 27.065028] CPU: 0 PID: 3698 Comm: syzkaller740696 Tainted: G B 4.15.0-rc9+ #275
[ 27.073754] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 27.083175] Call Trace:
[ 27.085745] dump_stack+0x194/0x257
[ 27.089348] ? arch_local_irq_restore+0x53/0x53
[ 27.093999] ? kasan_end_report+0x32/0x50
[ 27.098131] ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 27.102870] ? vsnprintf+0x1ed/0x1900
[ 27.106652] ? erspan_build_header+0x360/0x3d0
[ 27.111224] panic+0x1e4/0x41c
[ 27.114393] ? refcount_error_report+0x214/0x214
[ 27.119124] ? add_taint+0x1c/0x50
[ 27.122648] ? add_taint+0x1c/0x50
[ 27.126163] ? erspan_build_header+0x3bf/0x3d0
[ 27.130733] kasan_end_report+0x50/0x50
[ 27.134680] kasan_report+0x144/0x340
[ 27.138457] __asan_report_load_n_noabort+0xf/0x20
[ 27.143358] erspan_build_header+0x3bf/0x3d0
[ 27.147740] erspan_xmit+0x3b8/0x13b0
[ 27.151514] ? prepare_fb_xmit+0x9a0/0x9a0
[ 27.155724] ? netif_skb_features+0x9b0/0x9b0
[ 27.160195] ? __dev_get_by_index+0x1a0/0x1a0
[ 27.164844] ? check_noncircular+0x20/0x20
[ 27.169059] packet_direct_xmit+0x315/0x6b0
[ 27.173355] packet_sendmsg+0x3aed/0x60b0
[ 27.177481] ? find_held_lock+0x35/0x1d0
[ 27.181534] ? avc_has_perm+0x35e/0x680
[ 27.185489] ? packet_cached_dev_get+0x2b0/0x2b0
[ 27.190219] ? avc_has_perm+0x43e/0x680
[ 27.194168] ? avc_has_perm_noaudit+0x520/0x520
[ 27.198827] ? find_held_lock+0x35/0x1d0
[ 27.202872] ? fanout_add+0x1430/0x1430
[ 27.206829] ? avc_has_perm+0x35e/0x680
[ 27.210779] ? find_held_lock+0x35/0x1d0
[ 27.214817] ? sock_has_perm+0x2a4/0x420
[ 27.218852] ? selinux_secmark_relabel_packet+0xc0/0xc0
[ 27.224186] ? lock_release+0x952/0xa40
[ 27.228132] ? trace_event_raw_event_sched_switch+0x800/0x800
[ 27.233991] ? __check_object_size+0x25d/0x4f0
[ 27.238551] ? avc_has_perm_noaudit+0x520/0x520
[ 27.243201] ? selinux_socket_sendmsg+0x36/0x40
[ 27.247853] ? security_socket_sendmsg+0x89/0xb0
[ 27.252609] ? packet_cached_dev_get+0x2b0/0x2b0
[ 27.257865] sock_sendmsg+0xca/0x110
[ 27.261552] SYSC_sendto+0x361/0x5c0
[ 27.265237] ? SYSC_connect+0x4a0/0x4a0
[ 27.269190] ? selinux_secmark_relabel_packet+0xc0/0xc0
[ 27.274551] ? __do_page_fault+0x3d6/0xc90
[ 27.278764] ? selinux_netlbl_sock_rcv_skb+0x730/0x730
[ 27.284037] ? SyS_setsockopt+0x215/0x360
[ 27.288165] ? SyS_recv+0x40/0x40
[ 27.291598] ? entry_SYSCALL_64_fastpath+0x5/0xa0
[ 27.296435] SyS_sendto+0x40/0x50
[ 27.299880] entry_SYSCALL_64_fastpath+0x29/0xa0
[ 27.304615] RIP: 0033:0x4454c9
[ 27.307782] RSP: 002b:00007fff40cabac8 EFLAGS: 00000217 ORIG_RAX: 000000000000002c
[ 27.315479] RAX: ffffffffffffffda RBX: ffffffffffffffff RCX: 00000000004454c9
[ 27.322748] RDX: 0000000000000000 RSI: 0000000020011000 RDI: 0000000000000004
[ 27.330022] RBP: 00000000004a7073 R08: 0000000020008000 R09: 000000000000001c
[ 27.337289] R10: 0000000000000000 R11: 0000000000000217 R12: 0000000000402600
[ 27.344568] R13: 0000000000402690 R14: 0000000000000000 R15: 0000000000000000
[ 27.352338] Dumping ftrace buffer:
[ 27.355861] (ftrace buffer empty)
[ 27.359547] Kernel Offset: disabled
[ 27.363149] Rebooting in 86400 seconds..