[....] Starting enhanced syslogd: rsyslogd
[ 13.364320] audit: type=1400 audit(1516641576.408:5): avc: denied { syslog } for pid=3507 comm="rsyslogd" capability=34 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=capability2 permissive=1
[ ok ].
[ ok ] Starting periodic command scheduler: cron.
Starting mcstransd:
[ ok ] Starting file context maintaining daemon: restorecond.
[ ok ] Starting OpenBSD Secure Shell server: sshd.

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login:
[ 19.726939] audit: type=1400 audit(1516641582.770:6): avc: denied { map } for pid=3646 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
Warning: Permanently added '10.128.15.211' (ECDSA) to the list of known hosts.
[ 26.042700] audit: type=1400 audit(1516641589.086:7): avc: denied { map } for pid=3660 comm="syzkaller770874" path="/root/syzkaller770874326" dev="sda1" ino=16481 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
net.ipv6.conf.syz0.accept_dad = 0
net.ipv6.conf.syz0.router_solicitations = 0
RTNETLINK answers: Operation not supported
RTNETLINK answers: No buffer space available
RTNETLINK answers: Operation not supported
[ 26.412650] IPv6: ADDRCONF(NETDEV_UP): bridge0: link is not ready
RTNETLINK answers: Operation not supported
RTNETLINK answers: Operation not supported
RTNETLINK answers: Operation not supported
RTNETLINK answers: Invalid argument
RTNETLINK answers: Invalid argument
RTNETLINK answers: Invalid argument
executing program
[ 26.733600] ==================================================================
[ 26.741023] BUG: KASAN: use-after-free in erspan_build_header+0x3bf/0x3d0
[ 26.747929] Read of size 2 at addr ffff8801d610078b by task syzkaller770874/3661
[ 26.755430]
[ 26.757040] CPU: 1 PID: 3661 Comm: syzkaller770874 Not tainted 4.15.0-rc9+ #274
[ 26.764455] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 26.774482] Call Trace:
[ 26.777055]  dump_stack+0x194/0x257
[ 26.780661]  ? arch_local_irq_restore+0x53/0x53
[ 26.785305]  ? show_regs_print_info+0x18/0x18
[ 26.789776]  ? refcount_add+0x24/0x60
[ 26.793550]  ? erspan_build_header+0x3bf/0x3d0
[ 26.798105]  print_address_description+0x73/0x250
[ 26.802917]  ? erspan_build_header+0x3bf/0x3d0
[ 26.807470]  kasan_report+0x25b/0x340
[ 26.811255]  __asan_report_load_n_noabort+0xf/0x20
[ 26.816154]  erspan_build_header+0x3bf/0x3d0
[ 26.820541]  erspan_xmit+0x3b8/0x13b0
[ 26.824326]  ? prepare_fb_xmit+0x9a0/0x9a0
[ 26.828539]  ? netif_skb_features+0x9b0/0x9b0
[ 26.833027]  ? __dev_get_by_index+0x1a0/0x1a0
[ 26.837503]  ? check_noncircular+0x20/0x20
[ 26.841721]  packet_direct_xmit+0x315/0x6b0
[ 26.846027]  packet_sendmsg+0x3aed/0x60b0
[ 26.850159]  ? find_held_lock+0x35/0x1d0
[ 26.854199]  ? avc_has_perm+0x35e/0x680
[ 26.858162]  ? packet_cached_dev_get+0x2b0/0x2b0
[ 26.862895]  ? avc_has_perm+0x43e/0x680
[ 26.866844]  ? avc_has_perm_noaudit+0x520/0x520
[ 26.871482]  ? find_held_lock+0x35/0x1d0
[ 26.875521]  ? fanout_add+0x1430/0x1430
[ 26.879467]  ? avc_has_perm+0x35e/0x680
[ 26.883420]  ? find_held_lock+0x35/0x1d0
[ 26.887461]  ? sock_has_perm+0x2a4/0x420
[ 26.891495]  ? selinux_secmark_relabel_packet+0xc0/0xc0
[ 26.896829]  ? lock_release+0x952/0xa40
[ 26.900776]  ? trace_event_raw_event_sched_switch+0x800/0x800
[ 26.906639]  ? __check_object_size+0x25d/0x4f0
[ 26.911191]  ? avc_has_perm_noaudit+0x520/0x520
[ 26.915841]  ? selinux_socket_sendmsg+0x36/0x40
[ 26.920479]  ? security_socket_sendmsg+0x89/0xb0
[ 26.925205]  ? packet_cached_dev_get+0x2b0/0x2b0
[ 26.929943]  sock_sendmsg+0xca/0x110
[ 26.933631]  SYSC_sendto+0x361/0x5c0
[ 26.937335]  ? SYSC_connect+0x4a0/0x4a0
[ 26.941283]  ? selinux_secmark_relabel_packet+0xc0/0xc0
[ 26.946618]  ? __do_page_fault+0x3d6/0xc90
[ 26.950829]  ? selinux_netlbl_sock_rcv_skb+0x730/0x730
[ 26.956101]  ? SyS_setsockopt+0x215/0x360
[ 26.960842]  ? SyS_recv+0x40/0x40
[ 26.964269]  ? entry_SYSCALL_64_fastpath+0x5/0xa0
[ 26.969091]  SyS_sendto+0x40/0x50
[ 26.972521]  entry_SYSCALL_64_fastpath+0x29/0xa0
[ 26.977247] RIP: 0033:0x4454c9
[ 26.980409] RSP: 002b:00007ffcc8570b68 EFLAGS: 00000217 ORIG_RAX: 000000000000002c
[ 26.988088] RAX: ffffffffffffffda RBX: ffffffffffffffff RCX: 00000000004454c9
[ 26.995328] RDX: 0000000000000000 RSI: 0000000020003fd9 RDI: 0000000000000004
[ 27.002570] RBP: 00000000004a7073 R08: 0000000020008000 R09: 000000000000001c
[ 27.009811] R10: 0000000000000000 R11: 0000000000000217 R12: 00007ffcc8570c18
[ 27.017060] R13: 0000000000402690 R14: 0000000000000000 R15: 0000000000000000
[ 27.024317]
[ 27.025915] Allocated by task 2109:
[ 27.029515]  save_stack+0x43/0xd0
[ 27.032944]  kasan_kmalloc+0xad/0xe0
[ 27.036627]  kasan_slab_alloc+0x12/0x20
[ 27.040574]  kmem_cache_alloc+0x12e/0x760
[ 27.044693]  getname_flags+0xcb/0x580
[ 27.048465]  user_path_at_empty+0x2d/0x50
[ 27.052583]  vfs_statx+0xe9/0x190
[ 27.056006]  SYSC_newstat+0x87/0xf0
[ 27.059609]  SyS_newstat+0x1d/0x30
[ 27.063122]  entry_SYSCALL_64_fastpath+0x29/0xa0
[ 27.067845]
[ 27.069443] Freed by task 2109:
[ 27.072695]  save_stack+0x43/0xd0
[ 27.076128]  kasan_slab_free+0x71/0xc0
[ 27.079984]  kmem_cache_free+0x83/0x2a0
[ 27.083931]  putname+0xee/0x130
[ 27.087181]  filename_lookup+0x315/0x500
[ 27.091214]  user_path_at_empty+0x40/0x50
[ 27.095331]  vfs_statx+0xe9/0x190
[ 27.098757]  SYSC_newstat+0x87/0xf0
[ 27.102352]  SyS_newstat+0x1d/0x30
[ 27.105863]  entry_SYSCALL_64_fastpath+0x29/0xa0
[ 27.110584]
[ 27.112185] The buggy address belongs to the object at ffff8801d6100500
[ 27.112185]  which belongs to the cache names_cache of size 4096
[ 27.124901] The buggy address is located 651 bytes inside of
[ 27.124901]  4096-byte region [ffff8801d6100500, ffff8801d6101500)
[ 27.136841] The buggy address belongs to the page:
[ 27.141756] page:ffffea0007584000 count:1 mapcount:0 mapping:ffff8801d6100500 index:0x0 compound_mapcount: 0
[ 27.151702] flags: 0x2fffc0000008100(slab|head)
[ 27.156342] raw: 02fffc0000008100 ffff8801d6100500 0000000000000000 0000000100000001
[ 27.164194] raw: ffffea0007583ea0 ffffea0007584ea0 ffff8801dae2c600 0000000000000000
[ 27.172052] page dumped because: kasan: bad access detected
[ 27.177730]
[ 27.179336] Memory state around the buggy address:
[ 27.184237]  ffff8801d6100680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 27.191566]  ffff8801d6100700: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 27.198898] >ffff8801d6100780: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 27.206227]                                                                 ^
[ 27.209823]  ffff8801d6100800: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 27.217154]  ffff8801d6100880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 27.224480] ==================================================================
[ 27.231809] Disabling lock debugging due to kernel taint
[ 27.237267] Kernel panic - not syncing: panic_on_warn set ...
[ 27.237267]
[ 27.244612] CPU: 1 PID: 3661 Comm: syzkaller770874 Tainted: G    B            4.15.0-rc9+ #274
[ 27.253330] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 27.262653] Call Trace:
[ 27.265213]  dump_stack+0x194/0x257
[ 27.268812]  ? arch_local_irq_restore+0x53/0x53
[ 27.273452]  ? kasan_end_report+0x32/0x50
[ 27.277574]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 27.282299]  ? vsnprintf+0x1ed/0x1900
[ 27.286079]  ? erspan_build_header+0x360/0x3d0
[ 27.290894]  panic+0x1e4/0x41c
[ 27.294060]  ? refcount_error_report+0x214/0x214
[ 27.298788]  ? add_taint+0x1c/0x50
[ 27.302297]  ? add_taint+0x1c/0x50
[ 27.305807]  ? erspan_build_header+0x3bf/0x3d0
[ 27.310359]  kasan_end_report+0x50/0x50
[ 27.314320]  kasan_report+0x144/0x340
[ 27.318113]  __asan_report_load_n_noabort+0xf/0x20
[ 27.323020]  erspan_build_header+0x3bf/0x3d0
[ 27.327411]  erspan_xmit+0x3b8/0x13b0
[ 27.331186]  ? prepare_fb_xmit+0x9a0/0x9a0
[ 27.335391]  ? netif_skb_features+0x9b0/0x9b0
[ 27.340039]  ? __dev_get_by_index+0x1a0/0x1a0
[ 27.344507]  ? check_noncircular+0x20/0x20
[ 27.348726]  packet_direct_xmit+0x315/0x6b0
[ 27.353025]  packet_sendmsg+0x3aed/0x60b0
[ 27.357146]  ? find_held_lock+0x35/0x1d0
[ 27.361191]  ? avc_has_perm+0x35e/0x680
[ 27.365143]  ? packet_cached_dev_get+0x2b0/0x2b0
[ 27.369873]  ? avc_has_perm+0x43e/0x680
[ 27.373819]  ? avc_has_perm_noaudit+0x520/0x520
[ 27.378457]  ? find_held_lock+0x35/0x1d0
[ 27.382490]  ? fanout_add+0x1430/0x1430
[ 27.386435]  ? avc_has_perm+0x35e/0x680
[ 27.390393]  ? find_held_lock+0x35/0x1d0
[ 27.394429]  ? sock_has_perm+0x2a4/0x420
[ 27.398460]  ? selinux_secmark_relabel_packet+0xc0/0xc0
[ 27.403791]  ? lock_release+0x952/0xa40
[ 27.407749]  ? trace_event_raw_event_sched_switch+0x800/0x800
[ 27.413612]  ? __check_object_size+0x25d/0x4f0
[ 27.418165]  ? avc_has_perm_noaudit+0x520/0x520
[ 27.422811]  ? selinux_socket_sendmsg+0x36/0x40
[ 27.427452]  ? security_socket_sendmsg+0x89/0xb0
[ 27.432183]  ? packet_cached_dev_get+0x2b0/0x2b0
[ 27.436908]  sock_sendmsg+0xca/0x110
[ 27.440594]  SYSC_sendto+0x361/0x5c0
[ 27.444282]  ? SYSC_connect+0x4a0/0x4a0
[ 27.448227]  ? selinux_secmark_relabel_packet+0xc0/0xc0
[ 27.453575]  ? __do_page_fault+0x3d6/0xc90
[ 27.457791]  ? selinux_netlbl_sock_rcv_skb+0x730/0x730
[ 27.463050]  ? SyS_setsockopt+0x215/0x360
[ 27.467171]  ? SyS_recv+0x40/0x40
[ 27.470595]  ? entry_SYSCALL_64_fastpath+0x5/0xa0
[ 27.475419]  SyS_sendto+0x40/0x50
[ 27.478845]  entry_SYSCALL_64_fastpath+0x29/0xa0
[ 27.483570] RIP: 0033:0x4454c9
[ 27.486729] RSP: 002b:00007ffcc8570b68 EFLAGS: 00000217 ORIG_RAX: 000000000000002c
[ 27.494405] RAX: ffffffffffffffda RBX: ffffffffffffffff RCX: 00000000004454c9
[ 27.501644] RDX: 0000000000000000 RSI: 0000000020003fd9 RDI: 0000000000000004
[ 27.508883] RBP: 00000000004a7073 R08: 0000000020008000 R09: 000000000000001c
[ 27.516122] R10: 0000000000000000 R11: 0000000000000217 R12: 00007ffcc8570c18
[ 27.523360] R13: 0000000000402690 R14: 0000000000000000 R15: 0000000000000000
[ 27.531060] Dumping ftrace buffer:
[ 27.534578]    (ftrace buffer empty)
[ 27.538256] Kernel Offset: disabled
[ 27.541853] Rebooting in 86400 seconds..