[....] Starting enhanced syslogd: rsyslogd
[   16.474420] audit: type=1400 audit(1517389079.912:5): avc: denied { syslog } for pid=4008 comm="rsyslogd" capability=34 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=capability2 permissive=1
[ ok ].
Starting mcstransd:
[....] Starting periodic command scheduler: cron [ ok ].
[....] Starting file context maintaining daemon: restorecond [ ok ].
[....] Starting OpenBSD Secure Shell server: sshd [ ok ].

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [   18.669151] audit: type=1400 audit(1517389082.106:6): avc: denied { map } for pid=4145 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
Warning: Permanently added '10.128.15.215' (ECDSA) to the list of known hosts.
executing program
[   27.681594] audit: type=1400 audit(1517389091.119:7): avc: denied { map } for pid=4160 comm="syzkaller766320" path="/root/syzkaller766320593" dev="sda1" ino=16481 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
[   27.685583] ==================================================================
[   27.685603] BUG: KASAN: stack-out-of-bounds in xfrm_state_find+0x30de/0x3210
[   27.685608] Read of size 4 at addr ffff8801b33afad8 by task syzkaller766320/4160
[   27.685610]
[   27.685617] CPU: 0 PID: 4160 Comm: syzkaller766320 Not tainted 4.15.0-rc9+ #217
[   27.685621] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   27.685624] Call Trace:
[   27.685634]  dump_stack+0x194/0x257
[   27.685647]  ? arch_local_irq_restore+0x53/0x53
[   27.685656]  ? show_regs_print_info+0x18/0x18
[   27.685669]  ? lock_release+0xa40/0xa40
[   27.685679]  ? xfrm_state_find+0x30de/0x3210
[   27.685691]  print_address_description+0x73/0x250
[   27.685701]  ? xfrm_state_find+0x30de/0x3210
[   27.685710]  kasan_report+0x25b/0x340
[   27.685726]  __asan_report_load4_noabort+0x14/0x20
[   27.685733]  xfrm_state_find+0x30de/0x3210
[   27.685744]  ? debug_check_no_locks_freed+0x3c0/0x3c0
[   27.685780]  ? xfrm_state_afinfo_get_rcu+0x160/0x160
[   27.685790]  ? print_irqtrace_events+0x270/0x270
[   27.685800]  ? __lock_acquire+0x664/0x3e00
[   27.685810]  ? print_irqtrace_events+0x270/0x270
[   27.685821]  ? check_usage_forwards+0x410/0x410
[   27.685838]  ? check_noncircular+0x20/0x20
[   27.685848]  ? find_held_lock+0x35/0x1d0
[   27.685871]  ? check_noncircular+0x20/0x20
[   27.685902]  ? debug_check_no_locks_freed+0x3c0/0x3c0
[   27.685912]  ? is_bpf_text_address+0x7b/0x120
[   27.685929]  ? print_irqtrace_events+0x270/0x270
[   27.685947]  ? depot_save_stack+0x3b5/0x490
[   27.685957]  ? lock_downgrade+0x980/0x980
[   27.685984]  xfrm_tmpl_resolve+0x2ee/0xc40
[   27.686023]  ? __xfrm_decode_session+0x110/0x110
[   27.686034]  ? save_stack+0xa3/0xd0
[   27.686043]  ? save_stack+0x43/0xd0
[   27.686056]  ? find_held_lock+0x35/0x1d0
[   27.686077]  ? rt_add_uncached_list+0x1b7/0x240
[   27.686092]  xfrm_resolve_and_create_bundle+0x184/0x28d0
[   27.686100]  ? lock_release+0xa40/0xa40
[   27.686118]  ? __local_bh_enable_ip+0x121/0x230
[   27.686127]  ? check_noncircular+0x20/0x20
[   27.686134]  ? trace_hardirqs_on_caller+0x421/0x5c0
[   27.686144]  ? trace_hardirqs_on+0xd/0x10
[   27.686158]  ? _raw_spin_unlock_bh+0x30/0x40
[   27.686167]  ? xfrm_tmpl_resolve+0xc40/0xc40
[   27.686176]  ? ip_rt_bug+0x20/0x20
[   27.686195]  ? find_held_lock+0x35/0x1d0
[   27.686215]  ? xfrm_sk_policy_lookup+0x34c/0x4e0
[   27.686225]  ? lock_downgrade+0x980/0x980
[   27.686238]  ? lock_release+0xa40/0xa40
[   27.686252]  ? refcount_inc_not_zero+0xfe/0x180
[   27.686266]  ? selinux_xfrm_policy_lookup+0xac/0xd0
[   27.686279]  ? security_xfrm_policy_lookup+0x92/0xc0
[   27.686294]  ? xfrm_sk_policy_lookup+0x375/0x4e0
[   27.686312]  ? xfrm_selector_match+0xe00/0xe00
[   27.686335]  xfrm_lookup+0xfcb/0x25c0
[   27.686346]  ? xfrm_lookup+0xfcb/0x25c0
[   27.686357]  ? debug_check_no_locks_freed+0x3c0/0x3c0
[   27.686375]  ? xfrm_policy_lookup+0x70/0x70
[   27.686397]  ? find_held_lock+0x35/0x1d0
[   27.686417]  ? ip_route_output_key_hash+0x229/0x370
[   27.686427]  ? lock_downgrade+0x980/0x980
[   27.686440]  ? lock_release+0xa40/0xa40
[   27.686455]  ? find_held_lock+0x35/0x1d0
[   27.686480]  ? ip_route_output_key_hash+0x252/0x370
[   27.686492]  ? ip_route_output_key_hash_rcu+0x2f00/0x2f00
[   27.686497]  ? lock_release+0xa40/0xa40
[   27.686517]  xfrm_lookup_route+0x39/0x1a0
[   27.686531]  ip_route_output_flow+0x7c/0xa0
[   27.686544]  raw_sendmsg+0xcca/0x26b0
[   27.686553]  ? lock_release+0x99d/0xa40
[   27.686589]  ? raw_send_hdrinc.isra.17+0x1880/0x1880
[   27.686605]  ? avc_has_perm+0x43e/0x680
[   27.686620]  ? avc_has_perm_noaudit+0x520/0x520
[   27.686628]  ? find_held_lock+0x35/0x1d0
[   27.686639]  ? check_noncircular+0x20/0x20
[   27.686670]  ? find_held_lock+0x35/0x1d0
[   27.686693]  ? sock_has_perm+0x2a4/0x420
[   27.686706]  ? selinux_secmark_relabel_packet+0xc0/0xc0
[   27.686714]  ? lock_release+0x972/0xa40
[   27.686722]  ? trace_event_raw_event_sched_switch+0x800/0x800
[   27.686732]  ? __check_object_size+0x25d/0x4f0
[   27.686739]  ? find_held_lock+0x35/0x1d0
[   27.686754]  inet_sendmsg+0x11f/0x5e0
[   27.686760]  ? __might_sleep+0x95/0x190
[   27.686769]  ? inet_create+0xf50/0xf50
[   27.686781]  ? selinux_socket_sendmsg+0x36/0x40
[   27.686789]  ? security_socket_sendmsg+0x89/0xb0
[   27.686797]  ? inet_create+0xf50/0xf50
[   27.686810]  sock_sendmsg+0xca/0x110
[   27.686822]  SYSC_sendto+0x361/0x5c0
[   27.686837]  ? SYSC_connect+0x4a0/0x4a0
[   27.686845]  ? up_read+0x1a/0x40
[   27.686855]  ? __do_page_fault+0x3d6/0xc90
[   27.686901]  ? __do_page_fault+0xc90/0xc90
[   27.686916]  ? SyS_setsockopt+0x215/0x360
[   27.686931]  ? SyS_recv+0x40/0x40
[   27.686941]  ? entry_SYSCALL_64_fastpath+0x5/0xa0
[   27.686960]  SyS_sendto+0x40/0x50
[   27.686976]  entry_SYSCALL_64_fastpath+0x29/0xa0
[   27.686981] RIP: 0033:0x43ff69
[   27.686985] RSP: 002b:00007ffc88878d38 EFLAGS: 00000217 ORIG_RAX: 000000000000002c
[   27.686992] RAX: ffffffffffffffda RBX: ffffffffffffffff RCX: 000000000043ff69
[   27.686997] RDX: 0000000000000000 RSI: 0000000020098000 RDI: 0000000000000003
[   27.687001] RBP: 00000000006ca018 R08: 0000000020cf9000 R09: 0000000000000010
[   27.687005] R10: 0000000000000000 R11: 0000000000000217 R12: 0000000000401890
[   27.687009] R13: 0000000000401920 R14: 0000000000000000 R15: 0000000000000000
[   27.687037]
[   27.687039] The buggy address belongs to the page:
[   27.687045] page:ffffea0006ccebc0 count:0 mapcount:0 mapping: (null) index:0x0
[   27.687051] flags: 0x2fffc0000000000()
[   27.687060] raw: 02fffc0000000000 0000000000000000 0000000000000000 00000000ffffffff
[   27.687067] raw: 0000000000000000 0000000100000001 0000000000000000 0000000000000000
[   27.687070] page dumped because: kasan: bad access detected
[   27.687072]
[   27.687074] Memory state around the buggy address:
[   27.687079]  ffff8801b33af980: f2 f2 f2 f2 00 f2 f2 f2 f2 f2 f2 f2 f8 f2 f2 f2
[   27.687084]  ffff8801b33afa00: f2 f2 f2 f2 00 00 00 f2 f2 f2 f2 f2 00 00 00 00
[   27.687089] >ffff8801b33afa80: f2 f2 f2 f2 00 00 00 00 00 00 00 f2 f2 f2 f2 f2
[   27.687093]                                                     ^
[   27.687098]  ffff8801b33afb00: 00 00 00 00 00 00 00 00 00 f2 f2 f2 00 00 00 00
[   27.687102]  ffff8801b33afb80: 00 00 00 00 00 00 00 00 00 00 f1 f1 f1 f1 00 f2
[   27.687105] ==================================================================
[   27.687107] Disabling lock debugging due to kernel taint
[   27.687126] Kernel panic - not syncing: panic_on_warn set ...
[   27.687126]
[   27.687132] CPU: 0 PID: 4160 Comm: syzkaller766320 Tainted: G    B 4.15.0-rc9+ #217
[   27.687135] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   27.687137] Call Trace:
[   27.687143]  dump_stack+0x194/0x257
[   27.687152]  ? arch_local_irq_restore+0x53/0x53
[   27.687157]  ? kasan_end_report+0x32/0x50
[   27.687167]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[   27.687174]  ? vsnprintf+0x1ed/0x1900
[   27.687182]  ? xfrm_state_find+0x3050/0x3210
[   27.687189]  panic+0x1e4/0x41c
[   27.687196]  ? refcount_error_report+0x214/0x214
[   27.687206]  ? add_taint+0x1c/0x50
[   27.687212]  ? add_taint+0x1c/0x50
[   27.687221]  ? xfrm_state_find+0x30de/0x3210
[   27.687228]  kasan_end_report+0x50/0x50
[   27.687235]  kasan_report+0x144/0x340
[   27.687245]  __asan_report_load4_noabort+0x14/0x20
[   27.687252]  xfrm_state_find+0x30de/0x3210
[   27.687260]  ? debug_check_no_locks_freed+0x3c0/0x3c0
[   27.687280]  ? xfrm_state_afinfo_get_rcu+0x160/0x160
[   27.687288]  ? print_irqtrace_events+0x270/0x270
[   27.687295]  ? __lock_acquire+0x664/0x3e00
[   27.687303]  ? print_irqtrace_events+0x270/0x270
[   27.687311]  ? check_usage_forwards+0x410/0x410
[   27.687322]  ? check_noncircular+0x20/0x20
[   27.687329]  ? find_held_lock+0x35/0x1d0
[   27.687347]  ? check_noncircular+0x20/0x20
[   27.687365]  ? debug_check_no_locks_freed+0x3c0/0x3c0
[   27.687373]  ? is_bpf_text_address+0x7b/0x120
[   27.687384]  ? print_irqtrace_events+0x270/0x270
[   27.687395]  ? depot_save_stack+0x3b5/0x490
[   27.687402]  ? lock_downgrade+0x980/0x980
[   27.687418]  xfrm_tmpl_resolve+0x2ee/0xc40
[   27.687437]  ? __xfrm_decode_session+0x110/0x110
[   27.687445]  ? save_stack+0xa3/0xd0
[   27.687452]  ? save_stack+0x43/0xd0
[   27.687461]  ? find_held_lock+0x35/0x1d0
[   27.687473]  ? rt_add_uncached_list+0x1b7/0x240
[   27.687483]  xfrm_resolve_and_create_bundle+0x184/0x28d0
[   27.687490]  ? lock_release+0xa40/0xa40
[   27.687500]  ? __local_bh_enable_ip+0x121/0x230
[   27.687507]  ? check_noncircular+0x20/0x20
[   27.687514]  ? trace_hardirqs_on_caller+0x421/0x5c0
[   27.687521]  ? trace_hardirqs_on+0xd/0x10
[   27.687530]  ? _raw_spin_unlock_bh+0x30/0x40
[   27.687537]  ? xfrm_tmpl_resolve+0xc40/0xc40
[   27.687543]  ? ip_rt_bug+0x20/0x20
[   27.687555]  ? find_held_lock+0x35/0x1d0
[   27.687568]  ? xfrm_sk_policy_lookup+0x34c/0x4e0
[   27.687575]  ? lock_downgrade+0x980/0x980
[   27.687584]  ? lock_release+0xa40/0xa40
[   27.687592]  ? refcount_inc_not_zero+0xfe/0x180
[   27.687601]  ? selinux_xfrm_policy_lookup+0xac/0xd0
[   27.687609]  ? security_xfrm_policy_lookup+0x92/0xc0
[   27.687620]  ? xfrm_sk_policy_lookup+0x375/0x4e0
[   27.687631]  ? xfrm_selector_match+0xe00/0xe00
[   27.687644]  xfrm_lookup+0xfcb/0x25c0
[   27.687650]  ? xfrm_lookup+0xfcb/0x25c0
[   27.687658]  ? debug_check_no_locks_freed+0x3c0/0x3c0
[   27.687670]  ? xfrm_policy_lookup+0x70/0x70
[   27.687683]  ? find_held_lock+0x35/0x1d0
[   27.687695]  ? ip_route_output_key_hash+0x229/0x370
[   27.687702]  ? lock_downgrade+0x980/0x980
[   27.687711]  ? lock_release+0xa40/0xa40
[   27.687721]  ? find_held_lock+0x35/0x1d0
[   27.687736]  ? ip_route_output_key_hash+0x252/0x370
[   27.687744]  ? ip_route_output_key_hash_rcu+0x2f00/0x2f00
[   27.687749]  ? lock_release+0xa40/0xa40
[   27.687761]  xfrm_lookup_route+0x39/0x1a0
[   27.687770]  ip_route_output_flow+0x7c/0xa0
[   27.687778]  raw_sendmsg+0xcca/0x26b0
[   27.687785]  ? lock_release+0x99d/0xa40
[   27.687800]  ? raw_send_hdrinc.isra.17+0x1880/0x1880
[   27.687810]  ? avc_has_perm+0x43e/0x680
[   27.687820]  ? avc_has_perm_noaudit+0x520/0x520
[   27.687826]  ? find_held_lock+0x35/0x1d0
[   27.687834]  ? check_noncircular+0x20/0x20
[   27.687851]  ? find_held_lock+0x35/0x1d0
[   27.687866]  ? sock_has_perm+0x2a4/0x420
[   27.687875]  ? selinux_secmark_relabel_packet+0xc0/0xc0
[   27.687881]  ? lock_release+0x972/0xa40
[   27.687888]  ? trace_event_raw_event_sched_switch+0x800/0x800
[   27.687894]  ? __check_object_size+0x25d/0x4f0
[   27.687900]  ? find_held_lock+0x35/0x1d0
[   27.687909]  inet_sendmsg+0x11f/0x5e0
[   27.687914]  ? __might_sleep+0x95/0x190
[   27.687921]  ? inet_create+0xf50/0xf50
[   27.687929]  ? selinux_socket_sendmsg+0x36/0x40
[   27.687936]  ? security_socket_sendmsg+0x89/0xb0
[   27.687942]  ? inet_create+0xf50/0xf50
[   27.687949]  sock_sendmsg+0xca/0x110
[   27.687958]  SYSC_sendto+0x361/0x5c0
[   27.687967]  ? SYSC_connect+0x4a0/0x4a0
[   27.687974]  ? up_read+0x1a/0x40
[   27.687981]  ? __do_page_fault+0x3d6/0xc90
[   27.688010]  ? __do_page_fault+0xc90/0xc90
[   27.688020]  ? SyS_setsockopt+0x215/0x360
[   27.688029]  ? SyS_recv+0x40/0x40
[   27.688037]  ? entry_SYSCALL_64_fastpath+0x5/0xa0
[   27.688049]  SyS_sendto+0x40/0x50
[   27.688059]  entry_SYSCALL_64_fastpath+0x29/0xa0
[   27.688063] RIP: 0033:0x43ff69
[   27.688066] RSP: 002b:00007ffc88878d38 EFLAGS: 00000217 ORIG_RAX: 000000000000002c
[   27.688072] RAX: ffffffffffffffda RBX: ffffffffffffffff RCX: 000000000043ff69
[   27.688076] RDX: 0000000000000000 RSI: 0000000020098000 RDI: 0000000000000003
[   27.688079] RBP: 00000000006ca018 R08: 0000000020cf9000 R09: 0000000000000010
[   27.688083] R10: 0000000000000000 R11: 0000000000000217 R12: 0000000000401890
[   27.688086] R13: 0000000000401920 R14: 0000000000000000 R15: 0000000000000000
[   27.707913] Dumping ftrace buffer:
[   27.707917]    (ftrace buffer empty)
[   27.707919] Kernel Offset: disabled
[   28.809347] Rebooting in 86400 seconds..