[ ok ] Starting enhanced syslogd: rsyslogd.
[ 17.011897] audit: type=1400 audit(1520406880.537:5): avc: denied { syslog } for pid=4079 comm="rsyslogd" capability=34 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=capability2 permissive=1
[ ok ] Starting periodic command scheduler: cron.
Starting mcstransd:
[ ok ] Starting file context maintaining daemon: restorecond.
[ ok ] Starting OpenBSD Secure Shell server: sshd.

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login:
[ 23.502992] audit: type=1400 audit(1520406887.028:6): avc: denied { map } for pid=4218 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
Warning: Permanently added '10.128.10.4' (ECDSA) to the list of known hosts.
[ 29.807546] audit: type=1400 audit(1520406893.333:7): avc: denied { map } for pid=4232 comm="syzkaller022725" path="/root/syzkaller022725083" dev="sda1" ino=16481 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
[ 29.819280] IPVS: ftp: loaded support on port[0] = 21
net.ipv6.conf.syz_tun.accept_dad = 0
net.ipv6.conf.syz_tun.router_solicitations = 0
[ 29.833667] audit: type=1400 audit(1520406893.333:8): avc: denied { sys_admin } for pid=4232 comm="syzkaller022725" capability=21 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=cap_userns permissive=1
[ 29.866805] audit: type=1400 audit(1520406893.392:9): avc: denied { net_admin } for pid=4233 comm="syzkaller022725" capability=12 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=cap_userns permissive=1
RTNETLINK answers: File exists
RTNETLINK answers: Operation not supported
RTNETLINK answers: No buffer space available
RTNETLINK answers: Operation not supported
[ 30.102680] IPv6: ADDRCONF(NETDEV_UP): bridge0: link is not ready
RTNETLINK answers: Operation not supported
RTNETLINK answers: Operation not supported
RTNETLINK answers: Operation not supported
RTNETLINK answers: Invalid argument
RTNETLINK answers: Invalid argument
RTNETLINK answers: Invalid argument
[ 30.459530] IPv6: ADDRCONF(NETDEV_UP): bond0: link is not ready
[ 30.465645] 8021q: adding VLAN 0 to HW filter on device bond0
executing program
[ 30.504400] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
[ 30.542197] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 30.553463] audit: type=1400 audit(1520406894.079:10): avc: denied { sys_chroot } for pid=4233 comm="syzkaller022725" capability=18 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=cap_userns permissive=1
[ 30.558037] ==================================================================
[ 30.585440] BUG: KASAN: slab-out-of-bounds in ip6_xmit+0x1f76/0x2260
[ 30.591905] Read of size 8 at addr ffff8801afcb3218 by task syzkaller022725/4233
[ 30.599415]
[ 30.601022] CPU: 1 PID: 4233 Comm: syzkaller022725 Not tainted 4.16.0-rc4+ #343
[ 30.608440] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 30.617761] Call Trace:
[ 30.620320]  dump_stack+0x194/0x24d
[ 30.623919]  ? arch_local_irq_restore+0x53/0x53
[ 30.628557]  ? show_regs_print_info+0x18/0x18
[ 30.633034]  ? ip6_xmit+0x1f76/0x2260
[ 30.636822]  print_address_description+0x73/0x250
[ 30.641634]  ? ip6_xmit+0x1f76/0x2260
[ 30.645403]  kasan_report+0x23c/0x360
[ 30.649178]  __asan_report_load8_noabort+0x14/0x20
[ 30.654075]  ip6_xmit+0x1f76/0x2260
[ 30.657684]  ? ip6_finish_output2+0x23a0/0x23a0
[ 30.662326]  ? fl6_update_dst+0x127/0x2b0
[ 30.666448]  ? inet6_csk_route_socket+0x691/0xe80
[ 30.671265]  ? trace_hardirqs_off+0x10/0x10
[ 30.675556]  ? lock_acquire+0x1d5/0x580
[ 30.679504]  ? lock_acquire+0x1d5/0x580
[ 30.683446]  ? inet6_csk_xmit+0x114/0x580
[ 30.687567]  ? trace_hardirqs_off+0x10/0x10
[ 30.691865]  ? lock_release+0xa40/0xa40
[ 30.695828]  inet6_csk_xmit+0x2fc/0x580
[ 30.699775]  ? inet6_csk_update_pmtu+0x160/0x160
[ 30.704503]  ? __sk_dst_check+0x1a5/0x380
[ 30.708624]  ? sock_kfree_s+0x60/0x60
[ 30.712413]  l2tp_xmit_skb+0x105f/0x1410
[ 30.716457]  ? l2tp_session_create+0xb80/0xb80
[ 30.721016]  ? sock_wmalloc+0x15d/0x1d0
[ 30.724968]  ? iov_iter_advance+0x13f0/0x13f0
[ 30.729438]  ? pppol2tp_sendmsg+0x41b/0x670
[ 30.733731]  pppol2tp_sendmsg+0x470/0x670
[ 30.737852]  ? selinux_socket_sendmsg+0x36/0x40
[ 30.742493]  ? pppol2tp_getsockopt+0x900/0x900
[ 30.747047]  sock_sendmsg+0xca/0x110
[ 30.750732]  ___sys_sendmsg+0x767/0x8b0
[ 30.754683]  ? copy_msghdr_from_user+0x590/0x590
[ 30.759417]  ? __pmd_alloc+0x4e0/0x4e0
[ 30.763277]  ? selinux_socket_connect+0x311/0x730
[ 30.768091]  ? trace_hardirqs_off+0x10/0x10
[ 30.772381]  ? find_held_lock+0x35/0x1d0
[ 30.776415]  ? __fget_light+0x2b2/0x3c0
[ 30.780363]  ? fget_raw+0x20/0x20
[ 30.783800]  ? __do_page_fault+0x5f7/0xc90
[ 30.788019]  ? lock_downgrade+0x980/0x980
[ 30.792150]  __sys_sendmsg+0xe5/0x210
[ 30.795920]  ? __sys_sendmsg+0xe5/0x210
[ 30.799864]  ? SyS_shutdown+0x290/0x290
[ 30.803822]  ? __do_page_fault+0x3d6/0xc90
[ 30.808042]  ? move_addr_to_kernel+0x60/0x60
[ 30.812430]  SyS_sendmsg+0x2d/0x50
[ 30.815941]  ? __sys_sendmsg+0x210/0x210
[ 30.819974]  do_syscall_64+0x281/0x940
[ 30.823833]  ? __do_page_fault+0xc90/0xc90
[ 30.828039]  ? _raw_spin_unlock_irq+0x27/0x70
[ 30.832509]  ? finish_task_switch+0x1c1/0x7e0
[ 30.836977]  ? syscall_return_slowpath+0x550/0x550
[ 30.841880]  ? syscall_return_slowpath+0x2ac/0x550
[ 30.846778]  ? prepare_exit_to_usermode+0x350/0x350
[ 30.851763]  ? retint_user+0x18/0x18
[ 30.855456]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 30.860276]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 30.865435] RIP: 0033:0x444589
[ 30.868597] RSP: 002b:00000000007efe98 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
[ 30.876273] RAX: ffffffffffffffda RBX: 000000000000001a RCX: 0000000000444589
[ 30.883512] RDX: 0000000000000081 RSI: 000000002037ffc8 RDI: 0000000000000004
[ 30.890753] RBP: 00000000004a6439 R08: 0000000000000019 R09: 0000000000000019
[ 30.897994] R10: 0000000000000019 R11: 0000000000000246 R12: 00000000007eff70
[ 30.905239] R13: 00000000004055c0 R14: 0000000000000000 R15: 0000000000000000
[ 30.912494]
[ 30.914090] Allocated by task 0:
[ 30.917425] (stack is not available)
[ 30.921105]
[ 30.922700] Freed by task 0:
[ 30.925683] (stack is not available)
[ 30.929360]
[ 30.930958] The buggy address belongs to the object at ffff8801afcb3200
[ 30.930958]  which belongs to the cache ip_dst_cache of size 168
[ 30.943670] The buggy address is located 24 bytes inside of
[ 30.943670]  168-byte region [ffff8801afcb3200, ffff8801afcb32a8)
[ 30.955429] The buggy address belongs to the page:
[ 30.960330] page:ffffea0006bf2cc0 count:1 mapcount:0 mapping:ffff8801afcb3000 index:0x0
[ 30.968444] flags: 0x2fffc0000000100(slab)
[ 30.972651] raw: 02fffc0000000100 ffff8801afcb3000 0000000000000000 0000000100000010
[ 30.980501] raw: ffffea00072c5660 ffff8801d6bc5348 ffff8801d5409b00 0000000000000000
[ 30.988348] page dumped because: kasan: bad access detected
[ 30.994026]
[ 30.995623] Memory state around the buggy address:
[ 31.000520]  ffff8801afcb3100: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 31.007850]  ffff8801afcb3180: 00 00 00 00 00 fc fc fc fc fc fc fc fc fc fc fc
[ 31.015181] >ffff8801afcb3200: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 31.022514]                             ^
[ 31.026629]  ffff8801afcb3280: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 31.033959]  ffff8801afcb3300: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 31.041282] ==================================================================
[ 31.048606] Disabling lock debugging due to kernel taint
[ 31.054061] Kernel panic - not syncing: panic_on_warn set ...
[ 31.054061]
[ 31.061398] CPU: 1 PID: 4233 Comm: syzkaller022725 Tainted: G B 4.16.0-rc4+ #343
[ 31.070112] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 31.079435] Call Trace:
[ 31.081992]  dump_stack+0x194/0x24d
[ 31.085590]  ? arch_local_irq_restore+0x53/0x53
[ 31.090225]  ? kasan_end_report+0x32/0x50
[ 31.094345]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 31.099068]  ? vsnprintf+0x1ed/0x1900
[ 31.102838]  ? ip6_xmit+0x1f30/0x2260
[ 31.106609]  panic+0x1e4/0x41c
[ 31.109768]  ? refcount_error_report+0x214/0x214
[ 31.114499]  ? add_taint+0x1c/0x50
[ 31.118008]  ? add_taint+0x1c/0x50
[ 31.121521]  ? ip6_xmit+0x1f76/0x2260
[ 31.125287]  kasan_end_report+0x50/0x50
[ 31.129232]  kasan_report+0x149/0x360
[ 31.133010]  __asan_report_load8_noabort+0x14/0x20
[ 31.137911]  ip6_xmit+0x1f76/0x2260
[ 31.141514]  ? ip6_finish_output2+0x23a0/0x23a0
[ 31.146151]  ? fl6_update_dst+0x127/0x2b0
[ 31.150268]  ? inet6_csk_route_socket+0x691/0xe80
[ 31.155079]  ? trace_hardirqs_off+0x10/0x10
[ 31.159367]  ? lock_acquire+0x1d5/0x580
[ 31.163305]  ? lock_acquire+0x1d5/0x580
[ 31.167248]  ? inet6_csk_xmit+0x114/0x580
[ 31.171363]  ? trace_hardirqs_off+0x10/0x10
[ 31.175654]  ? lock_release+0xa40/0xa40
[ 31.179605]  inet6_csk_xmit+0x2fc/0x580
[ 31.183555]  ? inet6_csk_update_pmtu+0x160/0x160
[ 31.188284]  ? __sk_dst_check+0x1a5/0x380
[ 31.192402]  ? sock_kfree_s+0x60/0x60
[ 31.196184]  l2tp_xmit_skb+0x105f/0x1410
[ 31.200221]  ? l2tp_session_create+0xb80/0xb80
[ 31.204770]  ? sock_wmalloc+0x15d/0x1d0
[ 31.208716]  ? iov_iter_advance+0x13f0/0x13f0
[ 31.213181]  ? pppol2tp_sendmsg+0x41b/0x670
[ 31.217471]  pppol2tp_sendmsg+0x470/0x670
[ 31.221587]  ? selinux_socket_sendmsg+0x36/0x40
[ 31.226224]  ? pppol2tp_getsockopt+0x900/0x900
[ 31.230773]  sock_sendmsg+0xca/0x110
[ 31.234454]  ___sys_sendmsg+0x767/0x8b0
[ 31.238407]  ? copy_msghdr_from_user+0x590/0x590
[ 31.243134]  ? __pmd_alloc+0x4e0/0x4e0
[ 31.246987]  ? selinux_socket_connect+0x311/0x730
[ 31.251801]  ? trace_hardirqs_off+0x10/0x10
[ 31.256090]  ? find_held_lock+0x35/0x1d0
[ 31.260121]  ? __fget_light+0x2b2/0x3c0
[ 31.264062]  ? fget_raw+0x20/0x20
[ 31.267491]  ? __do_page_fault+0x5f7/0xc90
[ 31.271699]  ? lock_downgrade+0x980/0x980
[ 31.275822]  __sys_sendmsg+0xe5/0x210
[ 31.279592]  ? __sys_sendmsg+0xe5/0x210
[ 31.283534]  ? SyS_shutdown+0x290/0x290
[ 31.287567]  ? __do_page_fault+0x3d6/0xc90
[ 31.291772]  ? move_addr_to_kernel+0x60/0x60
[ 31.296151]  SyS_sendmsg+0x2d/0x50
[ 31.299659]  ? __sys_sendmsg+0x210/0x210
[ 31.303688]  do_syscall_64+0x281/0x940
[ 31.307545]  ? __do_page_fault+0xc90/0xc90
[ 31.311746]  ? _raw_spin_unlock_irq+0x27/0x70
[ 31.316208]  ? finish_task_switch+0x1c1/0x7e0
[ 31.320670]  ? syscall_return_slowpath+0x550/0x550
[ 31.325567]  ? syscall_return_slowpath+0x2ac/0x550
[ 31.330464]  ? prepare_exit_to_usermode+0x350/0x350
[ 31.335448]  ? retint_user+0x18/0x18
[ 31.339130]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 31.343945]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 31.349104] RIP: 0033:0x444589
[ 31.352260] RSP: 002b:00000000007efe98 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
[ 31.360024] RAX: ffffffffffffffda RBX: 000000000000001a RCX: 0000000000444589
[ 31.367262] RDX: 0000000000000081 RSI: 000000002037ffc8 RDI: 0000000000000004
[ 31.374499] RBP: 00000000004a6439 R08: 0000000000000019 R09: 0000000000000019
[ 31.381737] R10: 0000000000000019 R11: 0000000000000246 R12: 00000000007eff70
[ 31.388980] R13: 00000000004055c0 R14: 0000000000000000 R15: 0000000000000000
[ 31.396645] Dumping ftrace buffer:
[ 31.400156]    (ftrace buffer empty)
[ 31.403835] Kernel Offset: disabled
[ 31.407430] Rebooting in 86400 seconds..