[....] Starting enhanced syslogd: rsyslogd[   12.603364] audit: type=1400 audit(1512819877.315:5): avc:  denied  { syslog } for  pid=2994 comm="rsyslogd" capability=34  scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=capability2 permissive=1
[?25l[?1c7[1G[[32m ok [39;49m8[?25h[?0c.
[....] Starting periodic command scheduler: cron[?25l[?1c7[1G[[32m ok [39;49m8[?25h[?0c.
Starting mcstransd: 
[....] Starting file context maintaining daemon: restorecond[?25l[?1c7[1G[[32m ok [39;49m8[?25h[?0c.
[....] Starting OpenBSD Secure Shell server: sshd[?25l[?1c7[1G[[32m ok [39;49m8[?25h[?0c.

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [   18.958738] audit: type=1400 audit(1512819883.670:6): avc:  denied  { map } for  pid=3133 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
Warning: Permanently added 'ci-upstream-net-kasan-gce-7,10.128.15.229' (ECDSA) to the list of known hosts.
executing program
[   37.321783] audit: type=1400 audit(1512819902.033:7): avc:  denied  { map } for  pid=3150 comm="syzkaller737163" path="/root/syzkaller737163190" dev="sda1" ino=16481 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
[   37.325151] ==================================================================
[   37.325166] BUG: KASAN: stack-out-of-bounds in xfrm_state_find+0x30fc/0x3230
[   37.325172] Read of size 4 at addr ffff8801c4e47760 by task syzkaller737163/3150
[   37.325174] 
[   37.325181] CPU: 1 PID: 3150 Comm: syzkaller737163 Not tainted 4.15.0-rc2+ #147
[   37.325185] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   37.325188] Call Trace:
[   37.325196]  dump_stack+0x194/0x257
[   37.325205]  ? arch_local_irq_restore+0x53/0x53
[   37.325214]  ? show_regs_print_info+0x65/0x65
[   37.325224]  ? lock_release+0xda0/0xda0
[   37.325231]  ? unwind_get_return_address+0x61/0xa0
[   37.325238]  ? xfrm_state_find+0x30fc/0x3230
[   37.325247]  print_address_description+0x73/0x250
[   37.325254]  ? xfrm_state_find+0x30fc/0x3230
[   37.325261]  kasan_report+0x25b/0x340
[   37.325271]  __asan_report_load4_noabort+0x14/0x20
[   37.325277]  xfrm_state_find+0x30fc/0x3230
[   37.325304]  ? xfrm_state_afinfo_get_rcu+0x160/0x160
[   37.325309]  ? unwind_dump+0x4d0/0x4d0
[   37.325319]  ? __is_insn_slot_addr+0x1fc/0x330
[   37.325325]  ? lock_downgrade+0x980/0x980
[   37.325341]  ? __kernel_text_address+0xd/0x40
[   37.325348]  ? unwind_get_return_address+0x61/0xa0
[   37.325357]  ? __save_stack_trace+0x61/0xd0
[   37.325370]  ? udp_sendmsg+0x19b8/0x2cc0
[   37.325380]  ? save_stack_trace+0x1a/0x20
[   37.325385]  ? __lock_acquire+0x324e/0x47f0
[   37.325390]  ? find_held_lock+0x39/0x1d0
[   37.325415]  ? debug_check_no_locks_freed+0x3d0/0x3d0
[   37.325423]  ? print_usage_bug+0x3f0/0x3f0
[   37.325430]  ? lock_downgrade+0x980/0x980
[   37.325439]  ? depot_save_stack+0x1c2/0x490
[   37.325451]  ? lock_release+0xda0/0xda0
[   37.325462]  ? is_bpf_text_address+0xa4/0x120
[   37.325472]  xfrm_tmpl_resolve+0x309/0xc00
[   37.325494]  ? __xfrm_decode_session+0x110/0x110
[   37.325501]  ? debug_check_no_locks_freed+0x3d0/0x3d0
[   37.325510]  ? find_held_lock+0x39/0x1d0
[   37.325526]  ? lock_downgrade+0x980/0x980
[   37.325536]  ? rt_add_uncached_list+0xa2/0x240
[   37.325545]  xfrm_resolve_and_create_bundle+0x12c/0x2770
[   37.325553]  ? check_noncircular+0x20/0x20
[   37.325565]  ? __local_bh_enable_ip+0x121/0x230
[   37.325575]  ? rt_add_uncached_list+0x1b7/0x240
[   37.325583]  ? __local_bh_enable_ip+0x121/0x230
[   37.325591]  ? xfrm_tmpl_resolve+0xc00/0xc00
[   37.325601]  ? find_held_lock+0x39/0x1d0
[   37.325618]  ? lock_downgrade+0x980/0x980
[   37.325625]  ? xfrm_selector_match+0xe00/0xe00
[   37.325633]  ? rt_cache_route+0x2f0/0x2f0
[   37.325642]  ? lock_release+0xda0/0xda0
[   37.325652]  ? refcount_inc_not_zero+0xfe/0x180
[   37.325662]  ? selinux_xfrm_policy_lookup+0xac/0xd0
[   37.325671]  ? security_xfrm_policy_lookup+0x92/0xc0
[   37.325682]  ? xfrm_sk_policy_lookup+0x334/0x490
[   37.325694]  ? xfrm_selector_match+0xe00/0xe00
[   37.325699]  ? unwind_next_frame.part.6+0x1a6/0xb40
[   37.325706]  ? check_noncircular+0x20/0x20
[   37.325718]  xfrm_lookup+0x156b/0x23e0
[   37.325722]  ? xfrm_lookup+0x156b/0x23e0
[   37.325727]  ? lock_release+0xda0/0xda0
[   37.325742]  ? xfrm_policy_lookup_bytype.constprop.49+0x960/0x960
[   37.325751]  ? find_held_lock+0x39/0x1d0
[   37.325767]  ? lock_downgrade+0x980/0x980
[   37.325775]  ? ip_route_output_key_hash+0x1a6/0x370
[   37.325781]  ? unwind_next_frame.part.6+0x1a6/0xb40
[   37.325791]  ? lock_release+0xda0/0xda0
[   37.325808]  ? lock_downgrade+0x980/0x980
[   37.325819]  ? ip_route_output_key_hash+0x252/0x370
[   37.325827]  ? ip_route_output_key_hash_rcu+0x2c10/0x2c10
[   37.325831]  ? lock_release+0xda0/0xda0
[   37.325845]  xfrm_lookup_route+0x39/0x1a0
[   37.325854]  ip_route_output_flow+0x7c/0xa0
[   37.325863]  udp_sendmsg+0x19b8/0x2cc0
[   37.325868]  ? unwind_get_return_address+0x61/0xa0
[   37.325877]  ? ip_reply_glue_bits+0xb0/0xb0
[   37.325893]  ? udp_lib_get_port+0x1b30/0x1b30
[   37.325899]  ? debug_check_no_locks_freed+0x3d0/0x3d0
[   37.325911]  ? debug_check_no_locks_freed+0x3d0/0x3d0
[   37.325938]  ? mark_held_locks+0xb2/0x100
[   37.325948]  ? refcount_inc_not_zero+0xfe/0x180
[   37.325957]  ? check_noncircular+0x20/0x20
[   37.325962]  ? trace_hardirqs_on_caller+0x421/0x5c0
[   37.325968]  ? udp_lib_get_port+0x785/0x1b30
[   37.325974]  ? trace_hardirqs_on+0xd/0x10
[   37.325980]  ? __local_bh_enable_ip+0x121/0x230
[   37.325992]  udpv6_sendmsg+0x743/0x3380
[   37.325997]  ? check_noncircular+0x20/0x20
[   37.326019]  ? udpv6_setsockopt+0x80/0x80
[   37.326024]  ? reacquire_held_locks+0x201/0x3e0
[   37.326034]  ? find_held_lock+0x39/0x1d0
[   37.326051]  ? lock_downgrade+0x980/0x980
[   37.326057]  ? lock_downgrade+0x980/0x980
[   37.326078]  ? __local_bh_enable_ip+0x121/0x230
[   37.326086]  ? trace_hardirqs_on_caller+0x421/0x5c0
[   37.326093]  ? release_sock+0x1d4/0x2a0
[   37.326098]  ? trace_hardirqs_on+0xd/0x10
[   37.326104]  ? __local_bh_enable_ip+0x121/0x230
[   37.326114]  ? _raw_spin_unlock_bh+0x30/0x40
[   37.326120]  ? release_sock+0x1d4/0x2a0
[   37.326127]  ? __release_sock+0x360/0x360
[   37.326137]  ? udp_v6_get_port+0x355/0x600
[   37.326152]  inet_sendmsg+0x11f/0x5e0
[   37.326157]  ? inet_sendmsg+0x11f/0x5e0
[   37.326163]  ? __might_sleep+0x95/0x190
[   37.326171]  ? inet_recvmsg+0x5f0/0x5f0
[   37.326180]  ? selinux_socket_sendmsg+0x36/0x40
[   37.326187]  ? security_socket_sendmsg+0x89/0xb0
[   37.326193]  ? inet_recvmsg+0x5f0/0x5f0
[   37.326202]  sock_sendmsg+0xca/0x110
[   37.326211]  SYSC_sendto+0x358/0x5a0
[   37.326222]  ? SYSC_connect+0x480/0x480
[   37.326229]  ? __do_page_fault+0x3d6/0xc90
[   37.326242]  ? mm_fault_error+0x2c0/0x2c0
[   37.326254]  ? ipv6_setsockopt+0xa8/0x150
[   37.326269]  ? __do_page_fault+0xc90/0xc90
[   37.326287]  ? lockdep_sys_exit+0x47/0xf0
[   37.326293]  ? entry_SYSCALL_64_fastpath+0x5/0x96
[   37.326301]  ? trace_hardirqs_on_caller+0x421/0x5c0
[   37.326311]  SyS_sendto+0x40/0x50
[   37.326321]  entry_SYSCALL_64_fastpath+0x1f/0x96
[   37.326327] RIP: 0033:0x43ff59
[   37.326331] RSP: 002b:00007ffc613cb828 EFLAGS: 00000217 ORIG_RAX: 000000000000002c
[   37.326338] RAX: ffffffffffffffda RBX: 0100000000000000 RCX: 000000000043ff59
[   37.326342] RDX: 0000000000000000 RSI: 000000002028a000 RDI: 0000000000000003
[   37.326346] RBP: 00000000006ca018 R08: 0000000020999000 R09: 000000000000001c
[   37.326350] R10: 0000000000000000 R11: 0000000000000217 R12: 00000000004018c0
[   37.326353] R13: 0000000000401950 R14: 0000000000000000 R15: 0000000000000000
[   37.326373] 
[   37.326376] The buggy address belongs to the page:
[   37.326382] page:000000001d8f29b7 count:0 mapcount:0 mapping:          (null) index:0x0
[   37.326388] flags: 0x2fffc0000000000()
[   37.326395] raw: 02fffc0000000000 0000000000000000 0000000000000000 00000000ffffffff
[   37.326400] raw: 0000000000000000 0000000100000001 0000000000000000 0000000000000000
[   37.326404] page dumped because: kasan: bad access detected
[   37.326406] 
[   37.326409] Memory state around the buggy address:
[   37.326413]  ffff8801c4e47600: 00 f1 f1 f1 f1 04 f2 f2 f2 f2 f2 f2 f2 00 f2 f2
[   37.326418]  ffff8801c4e47680: f2 f2 f2 f2 f2 f8 f2 f2 f2 f2 f2 f2 f2 00 00 00
[   37.326422] >ffff8801c4e47700: 00 f2 f2 f2 f2 00 00 00 00 00 00 00 f2 f2 f2 f2
[   37.326425]                                                        ^
[   37.326430]  ffff8801c4e47780: f2 00 00 00 00 00 00 00 00 00 f2 f2 f2 f3 f3 f3
[   37.326434]  ffff8801c4e47800: f3 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   37.326437] ==================================================================
[   37.326439] Disabling lock debugging due to kernel taint
[   37.326453] Kernel panic - not syncing: panic_on_warn set ...
[   37.326453] 
[   37.326457] CPU: 1 PID: 3150 Comm: syzkaller737163 Tainted: G    B            4.15.0-rc2+ #147
[   37.326459] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   37.326460] Call Trace:
[   37.326464]  dump_stack+0x194/0x257
[   37.326470]  ? arch_local_irq_restore+0x53/0x53
[   37.326476]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[   37.326481]  ? vsnprintf+0x1ed/0x1900
[   37.326486]  ? xfrm_state_find+0x3050/0x3230
[   37.326490]  panic+0x1e4/0x41c
[   37.326494]  ? refcount_error_report+0x214/0x214
[   37.326499]  ? add_taint+0x1c/0x50
[   37.326503]  ? add_taint+0x1c/0x50
[   37.326509]  ? xfrm_state_find+0x30fc/0x3230
[   37.326513]  kasan_end_report+0x50/0x50
[   37.326516]  kasan_report+0x144/0x340
[   37.326522]  __asan_report_load4_noabort+0x14/0x20
[   37.326526]  xfrm_state_find+0x30fc/0x3230
[   37.326541]  ? xfrm_state_afinfo_get_rcu+0x160/0x160
[   37.326544]  ? unwind_dump+0x4d0/0x4d0
[   37.326549]  ? __is_insn_slot_addr+0x1fc/0x330
[   37.326553]  ? lock_downgrade+0x980/0x980
[   37.326561]  ? __kernel_text_address+0xd/0x40
[   37.326565]  ? unwind_get_return_address+0x61/0xa0
[   37.326569]  ? __save_stack_trace+0x61/0xd0
[   37.326576]  ? udp_sendmsg+0x19b8/0x2cc0
[   37.326581]  ? save_stack_trace+0x1a/0x20
[   37.326585]  ? __lock_acquire+0x324e/0x47f0
[   37.326588]  ? find_held_lock+0x39/0x1d0
[   37.326601]  ? debug_check_no_locks_freed+0x3d0/0x3d0
[   37.326605]  ? print_usage_bug+0x3f0/0x3f0
[   37.326610]  ? lock_downgrade+0x980/0x980
[   37.326614]  ? depot_save_stack+0x1c2/0x490
[   37.326621]  ? lock_release+0xda0/0xda0
[   37.326626]  ? is_bpf_text_address+0xa4/0x120
[   37.326632]  xfrm_tmpl_resolve+0x309/0xc00
[   37.326644]  ? __xfrm_decode_session+0x110/0x110
[   37.326648]  ? debug_check_no_locks_freed+0x3d0/0x3d0
[   37.326653]  ? find_held_lock+0x39/0x1d0
[   37.326662]  ? lock_downgrade+0x980/0x980
[   37.326667]  ? rt_add_uncached_list+0xa2/0x240
[   37.326673]  xfrm_resolve_and_create_bundle+0x12c/0x2770
[   37.326678]  ? check_noncircular+0x20/0x20
[   37.326684]  ? __local_bh_enable_ip+0x121/0x230
[   37.326690]  ? rt_add_uncached_list+0x1b7/0x240
[   37.326694]  ? __local_bh_enable_ip+0x121/0x230
[   37.326699]  ? xfrm_tmpl_resolve+0xc00/0xc00
[   37.326705]  ? find_held_lock+0x39/0x1d0
[   37.326714]  ? lock_downgrade+0x980/0x980
[   37.326718]  ? xfrm_selector_match+0xe00/0xe00
[   37.326723]  ? rt_cache_route+0x2f0/0x2f0
[   37.326728]  ? lock_release+0xda0/0xda0
[   37.326734]  ? refcount_inc_not_zero+0xfe/0x180
[   37.326739]  ? selinux_xfrm_policy_lookup+0xac/0xd0
[   37.326745]  ? security_xfrm_policy_lookup+0x92/0xc0
[   37.326751]  ? xfrm_sk_policy_lookup+0x334/0x490
[   37.326757]  ? xfrm_selector_match+0xe00/0xe00
[   37.326761]  ? unwind_next_frame.part.6+0x1a6/0xb40
[   37.326765]  ? check_noncircular+0x20/0x20
[   37.326772]  xfrm_lookup+0x156b/0x23e0
[   37.326775]  ? xfrm_lookup+0x156b/0x23e0
[   37.326778]  ? lock_release+0xda0/0xda0
[   37.326787]  ? xfrm_policy_lookup_bytype.constprop.49+0x960/0x960
[   37.326792]  ? find_held_lock+0x39/0x1d0
[   37.326800]  ? lock_downgrade+0x980/0x980
[   37.326805]  ? ip_route_output_key_hash+0x1a6/0x370
[   37.326809]  ? unwind_next_frame.part.6+0x1a6/0xb40
[   37.326815]  ? lock_release+0xda0/0xda0
[   37.326824]  ? lock_downgrade+0x980/0x980
[   37.326830]  ? ip_route_output_key_hash+0x252/0x370
[   37.326834]  ? ip_route_output_key_hash_rcu+0x2c10/0x2c10
[   37.326837]  ? lock_release+0xda0/0xda0
[   37.326845]  xfrm_lookup_route+0x39/0x1a0
[   37.326850]  ip_route_output_flow+0x7c/0xa0
[   37.326855]  udp_sendmsg+0x19b8/0x2cc0
[   37.326858]  ? unwind_get_return_address+0x61/0xa0
[   37.326864]  ? ip_reply_glue_bits+0xb0/0xb0
[   37.326872]  ? udp_lib_get_port+0x1b30/0x1b30
[   37.326876]  ? debug_check_no_locks_freed+0x3d0/0x3d0
[   37.326883]  ? debug_check_no_locks_freed+0x3d0/0x3d0
[   37.326897]  ? mark_held_locks+0xb2/0x100
[   37.326901]  ? refcount_inc_not_zero+0xfe/0x180
[   37.326906]  ? check_noncircular+0x20/0x20
[   37.326910]  ? trace_hardirqs_on_caller+0x421/0x5c0
[   37.326913]  ? udp_lib_get_port+0x785/0x1b30
[   37.326917]  ? trace_hardirqs_on+0xd/0x10
[   37.326920]  ? __local_bh_enable_ip+0x121/0x230
[   37.326927]  udpv6_sendmsg+0x743/0x3380
[   37.326930]  ? check_noncircular+0x20/0x20
[   37.326944]  ? udpv6_setsockopt+0x80/0x80
[   37.326948]  ? reacquire_held_locks+0x201/0x3e0
[   37.326954]  ? find_held_lock+0x39/0x1d0
[   37.326963]  ? lock_downgrade+0x980/0x980
[   37.326966]  ? lock_downgrade+0x980/0x980
[   37.326977]  ? __local_bh_enable_ip+0x121/0x230
[   37.326982]  ? trace_hardirqs_on_caller+0x421/0x5c0
[   37.326986]  ? release_sock+0x1d4/0x2a0
[   37.326989]  ? trace_hardirqs_on+0xd/0x10
[   37.326993]  ? __local_bh_enable_ip+0x121/0x230
[   37.326998]  ? _raw_spin_unlock_bh+0x30/0x40
[   37.327004]  ? release_sock+0x1d4/0x2a0
[   37.327009]  ? __release_sock+0x360/0x360
[   37.327014]  ? udp_v6_get_port+0x355/0x600
[   37.327022]  inet_sendmsg+0x11f/0x5e0
[   37.327026]  ? inet_sendmsg+0x11f/0x5e0
[   37.327029]  ? __might_sleep+0x95/0x190
[   37.327033]  ? inet_recvmsg+0x5f0/0x5f0
[   37.327039]  ? selinux_socket_sendmsg+0x36/0x40
[   37.327043]  ? security_socket_sendmsg+0x89/0xb0
[   37.327047]  ? inet_recvmsg+0x5f0/0x5f0
[   37.327052]  sock_sendmsg+0xca/0x110
[   37.327057]  SYSC_sendto+0x358/0x5a0
[   37.327063]  ? SYSC_connect+0x480/0x480
[   37.327067]  ? __do_page_fault+0x3d6/0xc90
[   37.327075]  ? mm_fault_error+0x2c0/0x2c0
[   37.327081]  ? ipv6_setsockopt+0xa8/0x150
[   37.327089]  ? __do_page_fault+0xc90/0xc90
[   37.327099]  ? lockdep_sys_exit+0x47/0xf0
[   37.327102]  ? entry_SYSCALL_64_fastpath+0x5/0x96
[   37.327107]  ? trace_hardirqs_on_caller+0x421/0x5c0
[   37.327113]  SyS_sendto+0x40/0x50
[   37.327119]  entry_SYSCALL_64_fastpath+0x1f/0x96
[   37.327121] RIP: 0033:0x43ff59
[   37.327123] RSP: 002b:00007ffc613cb828 EFLAGS: 00000217 ORIG_RAX: 000000000000002c
[   37.327127] RAX: ffffffffffffffda RBX: 0100000000000000 RCX: 000000000043ff59
[   37.327129] RDX: 0000000000000000 RSI: 000000002028a000 RDI: 0000000000000003
[   37.327131] RBP: 00000000006ca018 R08: 0000000020999000 R09: 000000000000001c
[   37.327133] R10: 0000000000000000 R11: 0000000000000217 R12: 00000000004018c0
[   37.327135] R13: 0000000000401950 R14: 0000000000000000 R15: 0000000000000000
[   37.347674] Dumping ftrace buffer:
[   37.347678]    (ftrace buffer empty)
[   37.347680] Kernel Offset: disabled
[   38.639014] Rebooting in 86400 seconds..