[ ok ] Starting enhanced syslogd: rsyslogd.
[   16.210046] audit: type=1400 audit(1520760283.546:5): avc:  denied  { syslog } for  pid=3998 comm="rsyslogd" capability=34  scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=capability2 permissive=1
[ ok ] Starting periodic command scheduler: cron.
Starting mcstransd:
[ ok ] Starting file context maintaining daemon: restorecond.
[ ok ] Starting OpenBSD Secure Shell server: sshd.

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [   22.391305] audit: type=1400 audit(1520760289.728:6): avc:  denied  { map } for  pid=4138 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
Warning: Permanently added '10.128.0.11' (ECDSA) to the list of known hosts.
[   28.719862] audit: type=1400 audit(1520760296.056:7): avc:  denied  { map } for  pid=4152 comm="syz-execprog" path="/root/syz-execprog" dev="sda1" ino=16479 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
2018/03/11 09:24:56 parsed 1 programs
2018/03/11 09:24:56 executed programs: 0
[   28.974368] audit: type=1400 audit(1520760296.310:8): avc:  denied  { map } for  pid=4152 comm="syz-execprog" path="/root/syzkaller-shm629035336" dev="sda1" ino=16482 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:file_t:s0 tclass=file permissive=1
[   28.986299] IPVS: ftp: loaded support on port[0] = 21
[   29.260379] IPv6: ADDRCONF(NETDEV_UP): bridge0: link is not ready
[   29.614697] IPv6: ADDRCONF(NETDEV_UP): bond0: link is not ready
[   29.620803] 8021q: adding VLAN 0 to HW filter on device bond0
[   29.658253] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
[   29.697271] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[   29.712435] ==================================================================
[   29.719860] BUG: KASAN: slab-out-of-bounds in ip6_xmit+0x1f76/0x2260
[   29.726327] Read of size 8 at addr ffff8801c21ae118 by task syz-executor0/4317
[   29.733657]
[   29.735280] CPU: 1 PID: 4317 Comm: syz-executor0 Not tainted 4.16.0-rc4+ #259
[   29.742523] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   29.751850] Call Trace:
[   29.754435]  dump_stack+0x194/0x24d
[   29.758047]  ? arch_local_irq_restore+0x53/0x53
[   29.762690]  ? show_regs_print_info+0x18/0x18
[   29.767169]  ? ip6_xmit+0x1f76/0x2260
[   29.770946]  print_address_description+0x73/0x250
[   29.775767]  ? ip6_xmit+0x1f76/0x2260
[   29.779540]  kasan_report+0x23c/0x360
[   29.783321]  __asan_report_load8_noabort+0x14/0x20
[   29.788223]  ip6_xmit+0x1f76/0x2260
[   29.791835]  ? ip6_finish_output2+0x23a0/0x23a0
[   29.796485]  ? fl6_update_dst+0x127/0x2b0
[   29.800609]  ? inet6_csk_route_socket+0x691/0xe80
[   29.805430]  ? trace_hardirqs_off+0x10/0x10
[   29.809735]  ? lock_acquire+0x1d5/0x580
[   29.813683]  ? lock_acquire+0x1d5/0x580
[   29.817629]  ? inet6_csk_xmit+0x114/0x580
[   29.821755]  ? trace_hardirqs_off+0x10/0x10
[   29.826060]  ? lock_release+0xa40/0xa40
[   29.830044]  inet6_csk_xmit+0x2fc/0x580
[   29.833997]  ? inet6_csk_update_pmtu+0x160/0x160
[   29.838735]  ? __sk_dst_check+0x1a5/0x380
[   29.842860]  ? sock_kfree_s+0x60/0x60
[   29.846651]  l2tp_xmit_skb+0x105f/0x1410
[   29.850696]  ? l2tp_session_create+0xb80/0xb80
[   29.855252]  ? sock_wmalloc+0x15d/0x1d0
[   29.859203]  ? iov_iter_advance+0x13f0/0x13f0
[   29.863675]  ? pppol2tp_sendmsg+0x41b/0x670
[   29.867977]  pppol2tp_sendmsg+0x470/0x670
[   29.872123]  ? selinux_socket_sendmsg+0x36/0x40
[   29.876767]  ? pppol2tp_getsockopt+0x900/0x900
[   29.881326]  sock_sendmsg+0xca/0x110
[   29.885022]  SYSC_sendto+0x361/0x5c0
[   29.888723]  ? SYSC_connect+0x4a0/0x4a0
[   29.892688]  ? find_held_lock+0x35/0x1d0
[   29.896735]  ? lock_downgrade+0x980/0x980
[   29.900880]  ? __do_page_fault+0x3d6/0xc90
[   29.905098]  SyS_sendto+0x40/0x50
[   29.908526]  ? SyS_getpeername+0x30/0x30
[   29.912563]  do_fast_syscall_32+0x3ec/0xf9f
[   29.916864]  ? do_int80_syscall_32+0x9c0/0x9c0
[   29.921507]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[   29.926247]  ? syscall_return_slowpath+0x2ac/0x550
[   29.931152]  ? prepare_exit_to_usermode+0x350/0x350
[   29.936147]  ? sysret32_from_system_call+0x5/0x3c
[   29.940968]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   29.945789]  entry_SYSENTER_compat+0x70/0x7f
[   29.950170] RIP: 0023:0xf7fbac99
[   29.953506] RSP: 002b:00000000ff83ec9c EFLAGS: 00000286 ORIG_RAX: 0000000000000171
[   29.961187] RAX: ffffffffffffffda RBX: 0000000000000004 RCX: 0000000020001180
[   29.968433] RDX: 0000000000000000 RSI: 0000000000040001 RDI: 00000000200021c0
[   29.975679] RBP: 0000000000000080 R08: 0000000000000000 R09: 0000000000000000
[   29.982923] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
[   29.990167] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[   29.997433]
[   29.999044] Allocated by task 0:
[   30.002400] (stack is not available)
[   30.006090]
[   30.007689] Freed by task 0:
[   30.010675] (stack is not available)
[   30.014357]
[   30.015958] The buggy address belongs to the object at ffff8801c21ae100
[   30.015958]  which belongs to the cache ip_dst_cache of size 168
[   30.028672] The buggy address is located 24 bytes inside of
[   30.028672]  168-byte region [ffff8801c21ae100, ffff8801c21ae1a8)
[   30.040436] The buggy address belongs to the page:
[   30.045337] page:ffffea0007086b80 count:1 mapcount:0 mapping:ffff8801c21ae000 index:0x0
[   30.053451] flags: 0x2fffc0000000100(slab)
[   30.057658] raw: 02fffc0000000100 ffff8801c21ae000 0000000000000000 0000000100000010
[   30.065510] raw: ffffea000708c920 ffff8801d5be9c48 ffff8801d5be8680 0000000000000000
[   30.073362] page dumped because: kasan: bad access detected
[   30.079048]
[   30.080652] Memory state around the buggy address:
[   30.085551]  ffff8801c21ae000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   30.092900]  ffff8801c21ae080: 00 00 00 00 00 fc fc fc fc fc fc fc fc fc fc fc
[   30.100666] >ffff8801c21ae100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   30.107994]                             ^
[   30.112135]  ffff8801c21ae180: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   30.119475]  ffff8801c21ae200: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   30.126804] ==================================================================
[   30.134131] Disabling lock debugging due to kernel taint
[   30.139577] Kernel panic - not syncing: panic_on_warn set ...
[   30.139577]
[   30.146923] CPU: 1 PID: 4317 Comm: syz-executor0 Tainted: G    B            4.16.0-rc4+ #259
[   30.155468] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   30.164795] Call Trace:
[   30.167361]  dump_stack+0x194/0x24d
[   30.171014]  ? arch_local_irq_restore+0x53/0x53
[   30.175663]  ? kasan_end_report+0x32/0x50
[   30.179786]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[   30.184518]  ? vsnprintf+0x1ed/0x1900
[   30.188290]  ? ip6_xmit+0x1f30/0x2260
[   30.192066]  panic+0x1e4/0x41c
[   30.195230]  ? refcount_error_report+0x214/0x214
[   30.199968]  ? add_taint+0x1c/0x50
[   30.203477]  ? add_taint+0x1c/0x50
[   30.206991]  ? ip6_xmit+0x1f76/0x2260
[   30.210765]  kasan_end_report+0x50/0x50
[   30.214710]  kasan_report+0x149/0x360
[   30.218496]  __asan_report_load8_noabort+0x14/0x20
[   30.223399]  ip6_xmit+0x1f76/0x2260
[   30.227014]  ? ip6_finish_output2+0x23a0/0x23a0
[   30.231663]  ? fl6_update_dst+0x127/0x2b0
[   30.235783]  ? inet6_csk_route_socket+0x691/0xe80
[   30.240598]  ? trace_hardirqs_off+0x10/0x10
[   30.244890]  ? lock_acquire+0x1d5/0x580
[   30.248833]  ? lock_acquire+0x1d5/0x580
[   30.252776]  ? inet6_csk_xmit+0x114/0x580
[   30.256894]  ? trace_hardirqs_off+0x10/0x10
[   30.262838]  ? lock_release+0xa40/0xa40
[   30.266790]  inet6_csk_xmit+0x2fc/0x580
[   30.270735]  ? inet6_csk_update_pmtu+0x160/0x160
[   30.275462]  ? __sk_dst_check+0x1a5/0x380
[   30.279581]  ? sock_kfree_s+0x60/0x60
[   30.283361]  l2tp_xmit_skb+0x105f/0x1410
[   30.287397]  ? l2tp_session_create+0xb80/0xb80
[   30.291964]  ? sock_wmalloc+0x15d/0x1d0
[   30.295924]  ? iov_iter_advance+0x13f0/0x13f0
[   30.300421]  ? pppol2tp_sendmsg+0x41b/0x670
[   30.304726]  pppol2tp_sendmsg+0x470/0x670
[   30.308850]  ? selinux_socket_sendmsg+0x36/0x40
[   30.313495]  ? pppol2tp_getsockopt+0x900/0x900
[   30.318054]  sock_sendmsg+0xca/0x110
[   30.321740]  SYSC_sendto+0x361/0x5c0
[   30.325425]  ? SYSC_connect+0x4a0/0x4a0
[   30.329375]  ? find_held_lock+0x35/0x1d0
[   30.333418]  ? lock_downgrade+0x980/0x980
[   30.337549]  ? __do_page_fault+0x3d6/0xc90
[   30.341758]  SyS_sendto+0x40/0x50
[   30.345186]  ? SyS_getpeername+0x30/0x30
[   30.349221]  do_fast_syscall_32+0x3ec/0xf9f
[   30.353515]  ? do_int80_syscall_32+0x9c0/0x9c0
[   30.358070]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[   30.362814]  ? syscall_return_slowpath+0x2ac/0x550
[   30.367713]  ? prepare_exit_to_usermode+0x350/0x350
[   30.372714]  ? sysret32_from_system_call+0x5/0x3c
[   30.377528]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   30.382343]  entry_SYSENTER_compat+0x70/0x7f
[   30.386722] RIP: 0023:0xf7fbac99
[   30.390055] RSP: 002b:00000000ff83ec9c EFLAGS: 00000286 ORIG_RAX: 0000000000000171
[   30.397732] RAX: ffffffffffffffda RBX: 0000000000000004 RCX: 0000000020001180
[   30.404972] RDX: 0000000000000000 RSI: 0000000000040001 RDI: 00000000200021c0
[   30.412211] RBP: 0000000000000080 R08: 0000000000000000 R09: 0000000000000000
[   30.419464] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
[   30.426703] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[   30.434433] Dumping ftrace buffer:
[   30.437947]    (ftrace buffer empty)
[   30.441627] Kernel Offset: disabled
[   30.445226] Rebooting in 86400 seconds..