[ ok ] Starting enhanced syslogd: rsyslogd.
[ 13.332633] audit: type=1400 audit(1516636185.127:5): avc: denied { syslog } for pid=3500 comm="rsyslogd" capability=34 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=capability2 permissive=1
Starting mcstransd:
[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting file context maintaining daemon: restorecond.
[ ok ] Starting OpenBSD Secure Shell server: sshd.

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login:
[ 20.232258] audit: type=1400 audit(1516636192.026:6): avc: denied { map } for pid=3639 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
Warning: Permanently added '10.128.0.23' (ECDSA) to the list of known hosts.
[ 26.589054] audit: type=1400 audit(1516636198.383:7): avc: denied { map } for pid=3653 comm="syzkaller408497" path="/root/syzkaller408497964" dev="sda1" ino=16481 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
net.ipv6.conf.syz0.accept_dad = 0
net.ipv6.conf.syz0.router_solicitations = 0
RTNETLINK answers: Operation not supported
RTNETLINK answers: No buffer space available
RTNETLINK answers: Operation not supported
[ 26.931780] ip (3692) used greatest stack depth: 16224 bytes left
[ 26.965540] IPv6: ADDRCONF(NETDEV_UP): bridge0: link is not ready
RTNETLINK answers: Operation not supported
RTNETLINK answers: Operation not supported
RTNETLINK answers: Operation not supported
RTNETLINK answers: Invalid argument
RTNETLINK answers: Invalid argument
RTNETLINK answers: Invalid argument
executing program
[ 27.322288] ==================================================================
[ 27.329701] BUG: KASAN: use-after-free in erspan_build_header+0x3bf/0x3d0
[ 27.336598] Read of size 2 at addr ffff8801d8cb204b by task syzkaller408497/3654
[ 27.344099]
[ 27.345703] CPU: 0 PID: 3654 Comm: syzkaller408497 Not tainted 4.15.0-rc9+ #184
[ 27.353119] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 27.362442] Call Trace:
[ 27.365021]  dump_stack+0x194/0x257
[ 27.368634]  ? arch_local_irq_restore+0x53/0x53
[ 27.373278]  ? show_regs_print_info+0x18/0x18
[ 27.377748]  ? refcount_add+0x24/0x60
[ 27.381522]  ? erspan_build_header+0x3bf/0x3d0
[ 27.386080]  print_address_description+0x73/0x250
[ 27.390895]  ? erspan_build_header+0x3bf/0x3d0
[ 27.395451]  kasan_report+0x25b/0x340
[ 27.399230]  __asan_report_load_n_noabort+0xf/0x20
[ 27.404143]  erspan_build_header+0x3bf/0x3d0
[ 27.408530]  erspan_xmit+0x3b8/0x13b0
[ 27.412307]  ? prepare_fb_xmit+0x9a0/0x9a0
[ 27.416516]  ? netif_skb_features+0x9b0/0x9b0
[ 27.420985]  ? __dev_get_by_index+0x1a0/0x1a0
[ 27.425457]  ? check_noncircular+0x20/0x20
[ 27.429676]  packet_direct_xmit+0x315/0x6b0
[ 27.433975]  packet_sendmsg+0x3aed/0x60b0
[ 27.438097]  ? find_held_lock+0x35/0x1d0
[ 27.442138]  ? avc_has_perm+0x35e/0x680
[ 27.446101]  ? packet_cached_dev_get+0x2b0/0x2b0
[ 27.450835]  ? avc_has_perm+0x43e/0x680
[ 27.454784]  ? avc_has_perm_noaudit+0x520/0x520
[ 27.459422]  ? packet_setsockopt+0xfa5/0x1ea0
[ 27.463893]  ? fanout_add+0x1430/0x1430
[ 27.467837]  ? find_held_lock+0x35/0x1d0
[ 27.471880]  ? find_held_lock+0x35/0x1d0
[ 27.475921]  ? sock_has_perm+0x2a4/0x420
[ 27.479955]  ? selinux_secmark_relabel_packet+0xc0/0xc0
[ 27.485293]  ? lock_release+0x952/0xa40
[ 27.489239]  ? trace_event_raw_event_sched_switch+0x800/0x800
[ 27.495097]  ? __check_object_size+0x25d/0x4f0
[ 27.499651]  ? avc_has_perm+0x43e/0x680
[ 27.503610]  ? selinux_socket_sendmsg+0x36/0x40
[ 27.508254]  ? security_socket_sendmsg+0x89/0xb0
[ 27.512985]  ? packet_cached_dev_get+0x2b0/0x2b0
[ 27.517733]  sock_sendmsg+0xca/0x110
[ 27.521425]  SYSC_sendto+0x361/0x5c0
[ 27.525117]  ? SYSC_connect+0x4a0/0x4a0
[ 27.529071]  ? sock_has_perm+0x2a4/0x420
[ 27.533108]  ? selinux_secmark_relabel_packet+0xc0/0xc0
[ 27.538447]  ? selinux_netlbl_sock_rcv_skb+0x730/0x730
[ 27.543697]  ? lock_downgrade+0x980/0x980
[ 27.547836]  ? compat_packet_setsockopt+0xe8/0x140
[ 27.552740]  ? fput+0xd2/0x140
[ 27.555907]  ? compat_SyS_setsockopt+0x200/0x410
[ 27.560636]  ? packet_setsockopt+0x1ea0/0x1ea0
[ 27.565201]  ? scm_detach_fds_compat+0x3c0/0x3c0
[ 27.569935]  SyS_sendto+0x40/0x50
[ 27.573373]  ? SyS_getpeername+0x30/0x30
[ 27.577410]  do_fast_syscall_32+0x3ee/0xf9d
[ 27.581712]  ? do_int80_syscall_32+0x9d0/0x9d0
[ 27.586269]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 27.591007]  ? syscall_return_slowpath+0x2ad/0x550
[ 27.595916]  ? prepare_exit_to_usermode+0x340/0x340
[ 27.600910]  ? sysret32_from_system_call+0x5/0x3b
[ 27.605730]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 27.610551]  entry_SYSENTER_compat+0x54/0x63
[ 27.614940] RIP: 0023:0xf7f17c79
[ 27.618274] RSP: 002b:00000000ffac620c EFLAGS: 00000282 ORIG_RAX: 0000000000000171
[ 27.625953] RAX: ffffffffffffffda RBX: 0000000000000004 RCX: 0000000020003fd9
[ 27.633197] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000020008000
[ 27.640438] RBP: 000000000000001c R08: 0000000000000000 R09: 0000000000000000
[ 27.647680] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
[ 27.654922] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[ 27.662183]
[ 27.663782] The buggy address belongs to the page:
[ 27.668682] page:ffffea0007632c80 count:0 mapcount:0 mapping: (null) index:0x0
[ 27.676794] flags: 0x2fffc0000000000()
[ 27.680657] raw: 02fffc0000000000 0000000000000000 0000000000000000 00000000ffffffff
[ 27.688510] raw: ffffea00070ad220 ffffea0007636560 ffff8801c33e8e70 0000000000000000
[ 27.696363] page dumped because: kasan: bad access detected
[ 27.702041]
[ 27.703642] Memory state around the buggy address:
[ 27.708544]  ffff8801d8cb1f00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 27.715880]  ffff8801d8cb1f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 27.723213] >ffff8801d8cb2000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 27.730544]                                               ^
[ 27.736224]  ffff8801d8cb2080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 27.743556]  ffff8801d8cb2100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 27.750884] ==================================================================
[ 27.758212] Disabling lock debugging due to kernel taint
[ 27.763660] Kernel panic - not syncing: panic_on_warn set ...
[ 27.763660]
[ 27.771004] CPU: 0 PID: 3654 Comm: syzkaller408497 Tainted: G B 4.15.0-rc9+ #184
[ 27.779728] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 27.789050] Call Trace:
[ 27.791614]  dump_stack+0x194/0x257
[ 27.795214]  ? arch_local_irq_restore+0x53/0x53
[ 27.799858]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 27.804585]  ? vsnprintf+0x1ed/0x1900
[ 27.808358]  ? erspan_build_header+0x360/0x3d0
[ 27.812911]  panic+0x1e4/0x41c
[ 27.816077]  ? refcount_error_report+0x214/0x214
[ 27.820804]  ? add_taint+0x1c/0x50
[ 27.824313]  ? add_taint+0x1c/0x50
[ 27.827823]  ? erspan_build_header+0x3bf/0x3d0
[ 27.832379]  kasan_end_report+0x50/0x50
[ 27.836324]  kasan_report+0x144/0x340
[ 27.840096]  __asan_report_load_n_noabort+0xf/0x20
[ 27.844996]  erspan_build_header+0x3bf/0x3d0
[ 27.849383]  erspan_xmit+0x3b8/0x13b0
[ 27.853154]  ? prepare_fb_xmit+0x9a0/0x9a0
[ 27.857364]  ? netif_skb_features+0x9b0/0x9b0
[ 27.861834]  ? __dev_get_by_index+0x1a0/0x1a0
[ 27.866301]  ? check_noncircular+0x20/0x20
[ 27.870512]  packet_direct_xmit+0x315/0x6b0
[ 27.874924]  packet_sendmsg+0x3aed/0x60b0
[ 27.879049]  ? find_held_lock+0x35/0x1d0
[ 27.883559]  ? avc_has_perm+0x35e/0x680
[ 27.887517]  ? packet_cached_dev_get+0x2b0/0x2b0
[ 27.892249]  ? avc_has_perm+0x43e/0x680
[ 27.896209]  ? avc_has_perm_noaudit+0x520/0x520
[ 27.900847]  ? packet_setsockopt+0xfa5/0x1ea0
[ 27.905325]  ? fanout_add+0x1430/0x1430
[ 27.909271]  ? find_held_lock+0x35/0x1d0
[ 27.913308]  ? find_held_lock+0x35/0x1d0
[ 27.917343]  ? sock_has_perm+0x2a4/0x420
[ 27.921375]  ? selinux_secmark_relabel_packet+0xc0/0xc0
[ 27.926707]  ? lock_release+0x952/0xa40
[ 27.930655]  ? trace_event_raw_event_sched_switch+0x800/0x800
[ 27.936512]  ? __check_object_size+0x25d/0x4f0
[ 27.941154]  ? avc_has_perm+0x43e/0x680
[ 27.945105]  ? selinux_socket_sendmsg+0x36/0x40
[ 27.949742]  ? security_socket_sendmsg+0x89/0xb0
[ 27.954480]  ? packet_cached_dev_get+0x2b0/0x2b0
[ 27.959208]  sock_sendmsg+0xca/0x110
[ 27.962893]  SYSC_sendto+0x361/0x5c0
[ 27.966577]  ? SYSC_connect+0x4a0/0x4a0
[ 27.970523]  ? sock_has_perm+0x2a4/0x420
[ 27.974564]  ? selinux_secmark_relabel_packet+0xc0/0xc0
[ 27.979902]  ? selinux_netlbl_sock_rcv_skb+0x730/0x730
[ 27.985152]  ? lock_downgrade+0x980/0x980
[ 27.989280]  ? compat_packet_setsockopt+0xe8/0x140
[ 27.994180]  ? fput+0xd2/0x140
[ 27.997346]  ? compat_SyS_setsockopt+0x200/0x410
[ 28.002077]  ? packet_setsockopt+0x1ea0/0x1ea0
[ 28.006634]  ? scm_detach_fds_compat+0x3c0/0x3c0
[ 28.011363]  SyS_sendto+0x40/0x50
[ 28.014787]  ? SyS_getpeername+0x30/0x30
[ 28.018819]  do_fast_syscall_32+0x3ee/0xf9d
[ 28.023118]  ? do_int80_syscall_32+0x9d0/0x9d0
[ 28.027669]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 28.032399]  ? syscall_return_slowpath+0x2ad/0x550
[ 28.037298]  ? prepare_exit_to_usermode+0x340/0x340
[ 28.042287]  ? sysret32_from_system_call+0x5/0x3b
[ 28.047103]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 28.051921]  entry_SYSENTER_compat+0x54/0x63
[ 28.056300] RIP: 0023:0xf7f17c79
[ 28.059632] RSP: 002b:00000000ffac620c EFLAGS: 00000282 ORIG_RAX: 0000000000000171
[ 28.067311] RAX: ffffffffffffffda RBX: 0000000000000004 RCX: 0000000020003fd9
[ 28.074553] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000020008000
[ 28.081795] RBP: 000000000000001c R08: 0000000000000000 R09: 0000000000000000
[ 28.089051] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
[ 28.096291] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[ 28.104004] Dumping ftrace buffer:
[ 28.107517] (ftrace buffer empty)
[ 28.111197] Kernel Offset: disabled
[ 28.114807] Rebooting in 86400 seconds..