[....] Starting enhanced syslogd: rsyslogd[ 13.187730] audit: type=1400 audit(1517083805.402:5): avc: denied { syslog } for pid=3537 comm="rsyslogd" capability=34 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=capability2 permissive=1 [?25l[?1c7[ ok 8[?25h[?0c. [....] Starting periodic command scheduler: cron[?25l[?1c7[ ok 8[?25h[?0c. Starting mcstransd: [....] Starting file context maintaining daemon: restorecond[?25l[?1c7[ ok 8[?25h[?0c. [....] Starting OpenBSD Secure Shell server: sshd[?25l[?1c7[ ok 8[?25h[?0c. Debian GNU/Linux 7 syzkaller ttyS0 syzkaller login: [ 18.630814] audit: type=1400 audit(1517083810.845:6): avc: denied { map } for pid=3677 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1 Warning: Permanently added '10.128.0.58' (ECDSA) to the list of known hosts. 2018/01/27 20:10:17 fuzzer started [ 24.907510] audit: type=1400 audit(1517083817.122:7): avc: denied { map } for pid=3688 comm="syz-fuzzer" path="/root/syz-fuzzer" dev="sda1" ino=16479 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1 2018/01/27 20:10:17 dialing manager at 10.128.0.26:34603 [ 28.731925] can: request_module (can-proto-0) failed. [ 28.740990] can: request_module (can-proto-0) failed. 2018/01/27 20:10:21 kcov=true, comps=true [ 29.302214] audit: type=1400 audit(1517083821.516:8): avc: denied { map } for pid=3688 comm="syz-fuzzer" path="/sys/kernel/debug/kcov" dev="debugfs" ino=9023 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:debugfs_t:s0 tclass=file permissive=1 2018/01/27 20:10:23 executing program 7: 2018/01/27 20:10:23 executing program 3: 2018/01/27 20:10:23 executing program 0: mmap(&(0x7f0000000000/0xfff000)=nil, 0xfff000, 0x3, 0x32, 0xffffffffffffffff, 0x0) r0 = socket$inet(0x2, 0x4000000000000001, 0x0) setsockopt$inet_tcp_int(r0, 0x6, 0x2, &(0x7f000074c000)=0x77, 0x4) bind$inet(r0, &(0x7f0000887000-0x10)={0x2, 0x3, @broadcast=0xffffffff, [0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0]}, 0x10) setsockopt$sock_int(r0, 0x1, 0x8, &(0x7f0000cd5000-0x4)=0x0, 0x4) sendto$inet(r0, &(0x7f0000d5a000-0x73)="", 0xfffffc6c, 0x20000804, &(0x7f0000e1e000)={0x2, 0x3, @loopback=0x7f000001, [0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0]}, 0x10) recvmsg(r0, &(0x7f0000e2e000)={&(0x7f0000453000)=@pppol2tp={0x0, 0x0, {0x0, 0x0, {0x0, 0xffffffffffffffff, @empty=0x0, [0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0]}, 0x0, 0x0, 0x0, 0x0}}, 0x26, &(0x7f0000007000)=[{&(0x7f000075b000-0x1000)=""/4096, 0x1000}], 0x1, &(0x7f00008be000)=""/153, 0x99, 0x0}, 0x0) 2018/01/27 20:10:23 executing program 1: mmap(&(0x7f0000000000/0xfff000)=nil, 0xfff000, 0x3, 0x32, 0xffffffffffffffff, 0x0) r0 = socket$inet6(0xa, 0x805, 0x0) bind$inet6(r0, &(0x7f000067f000-0x1c)={0xa, 0x0, 0x0, @empty={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0]}, 0x0}, 0x1c) sendto$inet6(r0, &(0x7f0000b8d000-0x3)='-', 0x1, 0x0, &(0x7f00001ab000-0x1c)={0xa, 0x0, 0x0, @loopback={0x0, 0x1}, 0x0}, 0x1c) r1 = socket$netlink(0x10, 0x3, 0x4) writev(r1, &(0x7f000051c000)=[{&(0x7f0000b8d000-0x49)="480000001400190d09004beafd0d8c560a847f0080ffe00600000000000000a2bc5603ca00000fff89000000200000000101ff0000000309ff5bffff00c7e5ed5e00000000000000", 0x48}], 0x1) 2018/01/27 20:10:23 executing program 2: mmap(&(0x7f0000000000/0x6000)=nil, 0x6000, 0x3, 0x32, 0xffffffffffffffff, 0x0) syz_emit_ethernet(0x66, &(0x7f0000004000-0x9f)={@random="0d4ddefaf676", @local={[0xaa, 0xaa, 0xaa, 0xaa], 0xffffffffffffffff, 0xaa}, [], {@ipv6={0x86dd, {0x0, 0x6, 'v`Q', 0x30, 0x29, 0x0, @remote={0xfe, 0x80, [0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0], 0xffffffffffffffff, 0xbb}, @mcast2={0xff, 0x2, [0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0], 0x1}, {[], @icmpv6=@dest_unreach={0x1, 0x0, 0x0, 0x0, [0x0, 0x0, 0x0], {0x0, 0x6, "f3e01e", 0x0, 0x0, 0x0, @dev={0xfe, 0x80, [0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0], 0xffffffffffffffff, 0x0}, @remote={0xfe, 0x80, [0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0], 0xffffffffffffffff, 0xbb}, [], ""}}}}}}}, 0x0) 2018/01/27 20:10:23 executing program 4: mmap(&(0x7f0000000000/0x39f000)=nil, 0x39f000, 0x3, 0x32, 0xffffffffffffffff, 0x0) r0 = socket$inet(0x2, 0x1, 0x0) r1 = socket$inet(0x2, 0x80005, 0x0) setsockopt$IPT_SO_SET_REPLACE(r1, 0x0, 0x40, &(0x7f0000015000)=@filter={'filter\x00', 0xe, 0x4, 0x288, 0xffffffff, 0x0, 0x0, 0x0, 0xffffffff, 0xffffffff, 0x0, 0x0, 0x0, 0xffffffff, 0x4, &(0x7f0000001000)=[{0x0, 0x0}, {0x0, 0x0}, {0x0, 0x0}, {0x0, 0x0}], {{{[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0], 0x0, 0x70, 0x98, 0x0, {0x0, 0x0}}, {0x28, '\x00', 0x0, 0xfffffffffffffffe}}, [{{@uncond=[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0], 0x0, 0x70, 0x98, 0x0, {0x0, 0x0}, []}, @REJECT={0x28, 'REJECT\x00', 0x0, {0x0}}}, {{@uncond=[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0], 0x0, 0x98, 0xc0, 0x0, {0x0, 0x0}, [@common=@unspec=@connlabel={0x28, 'connlabel\x00', 0x0, {0x0, 0x0}}]}, @REJECT={0x28, 'REJECT\x00', 0x0, {0x0}}}, {{@uncond=[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0], 0x0, 0x70, 0x98, 0x0, {0x0, 0x0}, []}, @REJECT={0x28, 'REJECT\x00', 0x0, {0x0}}}]}}, 0x2e8) syz_emit_ethernet(0x32, &(0x7f000039d000)={@random="0d4ddefaf676", @local={[0xaa, 0xaa, 0xaa, 0xaa], 0xffffffffffffffff, 0xaa}, [], {@ipv4={0x800, {{0x5, 0x4, 0x0, 0x0, 0x24, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, @empty=0x0, @multicast1=0xe0000001, {[]}}, @gre={{0x0, 0x0, 0x1, 0x0, 0x0, 0x0, 0x0, 0x1, 0x880b, 0x0, 0x0, [], ""}, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x800, [], ""}, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x86dd, [], ""}}}}}}, 0x0) bind$inet(r0, &(0x7f000000f000-0x10)={0x2, 0x1, @empty=0x0, [0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0]}, 0x10) listen(r0, 0x0) r2 = socket$inet(0x2, 0x80001, 0x0) connect$inet(r2, &(0x7f0000399000-0x10)={0x2, 0x1, @remote={0xac, 0x14, 0x0, 0xbb}, [0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0]}, 0x10) connect(r0, &(0x7f0000396000)=@ethernet={0x0, @random="0dced276b79e", [0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0]}, 0x10) 2018/01/27 20:10:23 executing program 5: mmap(&(0x7f0000000000/0xfff000)=nil, 0xfff000, 0x3, 0x32, 0xffffffffffffffff, 0x0) r0 = socket$netlink(0x10, 0x3, 0x10) sendmsg$nl_generic(r0, &(0x7f0000005000)={&(0x7f0000000000)={0x10, 0x0, 0x0, 0x0}, 0xc, &(0x7f0000016000-0x10)={&(0x7f0000f99000-0x208)={0x20, 0x22, 0xafb, 0xffffffffffffffff, 0xffffffffffffffff, {0x3, 0x0, 0x0}, [@nested={0xc, 0x3, [@generic="4852d99865"]}]}, 0x20}, 0x1, 0x0, 0x0, 0x0}, 0x0) 2018/01/27 20:10:23 executing program 6: mmap(&(0x7f0000000000/0xe85000)=nil, 0xe85000, 0x3, 0x32, 0xffffffffffffffff, 0x0) r0 = socket$inet6_udp(0xa, 0x2, 0x0) connect$inet6(r0, &(0x7f0000e6f000)={0xa, 0x2, 0x1000000000000, @ipv4={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0], [0xff, 0xff], @local={0xac, 0x14, 0x0, 0xaa}}, 0x8000000000000001}, 0x1c) connect$inet6(r0, &(0x7f0000e84000)={0xa, 0x0, 0x9, @loopback={0x0, 0x1}, 0x5a2}, 0x1c) r1 = socket$l2tp(0x18, 0x1, 0x1) connect$l2tp(r1, &(0x7f00005fb000-0x2e)=@pppol2tpv3={0x18, 0x1, {0x0, r0, {0x2, 0x1, @multicast2=0xe0000002, [0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0]}, 0x4, 0x0, 0x2, 0x0}}, 0x2e) sendmsg$nl_crypto(r1, &(0x7f0000380000-0x38)={&(0x7f00009dd000)={0x10, 0x0, 0x0, 0x2}, 0xc, &(0x7f00002cf000-0x10)={&(0x7f0000e77000)=@get={0x108, 0x13, 0x224, 0x3, 0x2, {{'ecb-serpent-avx\x00'}, [0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0], [0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0], 0x400, 0x400, 0x0, 0x0}, [{0x8, 0x1, 0xfffffffffffffff8}, {0x8, 0x1, 0x1000}, {0x8, 0x1, 0x400}, {0x8, 0x1, 0xc05a}, {0x8, 0x1, 0x81}]}, 0x108}, 0x1, 0x0, 0x0, 0x8820}, 0x81) [ 31.599691] audit: type=1400 audit(1517083823.814:9): avc: denied { map } for pid=3688 comm="syz-fuzzer" path="/root/syzkaller-shm478808072" dev="sda1" ino=16481 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:file_t:s0 tclass=file permissive=1 [ 31.654131] audit: type=1400 audit(1517083823.868:10): avc: denied { sys_admin } for pid=3732 comm="syz-executor7" capability=21 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=cap_userns permissive=1 [ 31.807056] IPVS: ftp: loaded support on port[0] = 21 [ 31.890461] audit: type=1400 audit(1517083824.103:11): avc: denied { net_admin } for pid=3737 comm="syz-executor3" capability=12 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=cap_userns permissive=1 [ 32.052183] IPVS: ftp: loaded support on port[0] = 21 [ 32.152781] IPv6: ADDRCONF(NETDEV_UP): bridge0: link is not ready [ 32.160143] IPVS: ftp: loaded support on port[0] = 21 [ 32.272294] IPVS: ftp: loaded support on port[0] = 21 [ 32.382794] IPVS: ftp: loaded support on port[0] = 21 [ 32.520709] IPVS: ftp: loaded support on port[0] = 21 [ 32.709081] IPVS: ftp: loaded support on port[0] = 21 [ 32.800349] IPVS: ftp: loaded support on port[0] = 21 [ 32.964719] IPv6: ADDRCONF(NETDEV_UP): bridge0: link is not ready [ 33.484933] IPv6: ADDRCONF(NETDEV_UP): bridge0: link is not ready [ 33.696693] IPv6: ADDRCONF(NETDEV_UP): bridge0: link is not ready [ 33.922358] IPv6: ADDRCONF(NETDEV_UP): bridge0: link is not ready [ 34.209503] IPv6: ADDRCONF(NETDEV_UP): bridge0: link is not ready [ 34.225391] audit: type=1400 audit(1517083826.439:12): avc: denied { sys_chroot } for pid=3737 comm="syz-executor3" capability=18 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=cap_userns permissive=1 2018/01/27 20:10:26 executing program 3: mmap(&(0x7f0000000000/0x1000)=nil, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0) r0 = syz_open_dev$mouse(&(0x7f0000000000)='/dev/input/mouse#\x00', 0x2, 0x200) ioctl$SNDRV_CTL_IOCTL_ELEM_LOCK(r0, 0x40405514, &(0x7f0000d4b000-0x40)={0x5, 0x4, 0x4, 0x0, "a37a90f3af6fa9661aac7743323f97f191a716e0c817cf90ea8fb6131b1422071ceacc4ed0fe975ddcba02ab", 0xa021}) timer_delete(0x0) 2018/01/27 20:10:26 executing program 3: mmap(&(0x7f0000000000/0x5000)=nil, 0x5000, 0x3, 0x32, 0xffffffffffffffff, 0x0) r0 = socket$inet_tcp(0x2, 0x1, 0x0) getsockopt$inet_buf(r0, 0x0, 0x61, &(0x7f0000003000-0x1e)=""/30, &(0x7f0000000000)=0x24) mmap(&(0x7f0000005000/0x1000)=nil, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0) setsockopt$inet_tcp_int(r0, 0x6, 0x1f, &(0x7f0000006000-0x4)=0x25afbe7b, 0x4) [ 34.315610] IPv6: ADDRCONF(NETDEV_UP): bridge0: link is not ready 2018/01/27 20:10:26 executing program 3: mmap(&(0x7f0000000000/0xfff000)=nil, 0xfff000, 0x3, 0x32, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000011000/0x3000)=nil, 0x3000, 0x1, 0x32, 0xffffffffffffffff, 0x0) r0 = userfaultfd(0x0) ioctl$UFFDIO_API(r0, 0xc018aa3f, &(0x7f0000002000)={0xaa, 0x0, 0x0}) ioctl$UFFDIO_REGISTER(r0, 0xc020aa00, &(0x7f0000001000)={{&(0x7f0000011000/0x3000)=nil, 0x3000}, 0x1, 0x0}) r1 = openat$ppp(0xffffffffffffff9c, &(0x7f0000cbc000)='/dev/ppp\x00', 0x2000, 0x0) ioctl$sock_inet_sctp_SIOCINQ(r1, 0x541b, &(0x7f0000054000)=0x0) r2 = socket$inet_dccp(0x2, 0x6, 0x0) connect(r2, &(0x7f0000012000-0x10)=@ethernet={0x0, @empty=[0x0, 0x0, 0x0, 0x0, 0x0, 0x0], [0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0]}, 0x10) mmap(&(0x7f0000000000/0xfff000)=nil, 0xfff000, 0x3, 0x32, 0xffffffffffffffff, 0x0) clone(0x0, &(0x7f0000f39000)="", &(0x7f0000eaa000-0x4)=0x0, &(0x7f0000bf3000-0x4)=0x0, &(0x7f00003b9000-0xcd)="") ioctl$UFFDIO_ZEROPAGE(r0, 0x8010aa02, &(0x7f00000c1000-0x10)={&(0x7f0000011000/0x3000)=nil, 0x3000}) 2018/01/27 20:10:26 executing program 3: mmap(&(0x7f0000000000/0xfff000)=nil, 0xfff000, 0x3, 0x32, 0xffffffffffffffff, 0x0) perf_event_open(&(0x7f000025c000)={0x2, 0x78, 0x3e3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xffff7fffffffffff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={&(0x7f0000000000)=0x0, 0x0}, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, 0x0, 0x0, 0xffffffffffffffff, 0x0) r0 = openat$ptmx(0xffffffffffffff9c, &(0x7f0000c94000)='/dev/ptmx\x00', 0x80003, 0x0) ioctl$TIOCSETD(r0, 0x5423, &(0x7f0000623000-0x4)=0x3) r1 = openat$ppp(0xffffffffffffff9c, &(0x7f00003dd000)='/dev/ppp\x00', 0x0, 0x0) ioctl$EVIOCGPROP(r1, 0x40047438, &(0x7f000082f000-0xf6)=""/246) ioctl$TCSETSF(r0, 0x5404, &(0x7f0000986000)={0x2, 0x7, 0x9, 0x101, 0x4, 0x100, 0x1, 0x5, 0x89a8, 0x5f, 0x7fff, 0x5}) sendto$inet(r1, &(0x7f0000b8b000-0x3f)="e5753a34a5c4ec86f5f8126d43cbe7c11011052442f5f2fdfa41fd2b1553afd7d9cbf824f5e9df0a687900836ed4866756f8e474cb4542fe7a618ddd6d69c9", 0x3f, 0x4801, &(0x7f00002fb000-0x10)={0x2, 0x3, @empty=0x0, [0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0]}, 0x10) [ 34.487984] audit: type=1400 audit(1517083826.702:13): avc: denied { name_connect } for pid=4324 comm="syz-executor3" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:port_t:s0 tclass=dccp_socket permissive=1 [ 34.511802] IPv6: ADDRCONF(NETDEV_UP): bridge0: link is not ready 2018/01/27 20:10:26 executing program 3: mmap(&(0x7f0000000000/0xfff000)=nil, 0xfff000, 0x3, 0x32, 0xffffffffffffffff, 0x0) perf_event_open(&(0x7f000001d000)={0x2, 0x78, 0xe2, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xfc1, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={&(0x7f0000000000)=0x0, 0x0}, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, 0x0, 0x0, 0xffffffffffffffff, 0x0) mkdir(&(0x7f000000e000-0xa)='./control\x00', 0x0) unlink(&(0x7f0000b8d000)='./control\x00') r0 = open(&(0x7f0000028000)='./control\x00', 0x0, 0x0) symlinkat(&(0x7f0000d45000)='./file0\x00', r0, &(0x7f0000041000)='./file0\x00') mkdirat(r0, &(0x7f0000028000)='./control\x00', 0x0) renameat(r0, &(0x7f0000044000-0x8)='./file0\x00', r0, &(0x7f0000046000-0x9)='./file1\x00') renameat2(r0, &(0x7f0000048000-0xa)='./control\x00', r0, &(0x7f0000011000)='./file1\x00', 0x2) 2018/01/27 20:10:26 executing program 3: mmap(&(0x7f0000000000/0xfff000)=nil, 0xfff000, 0x3, 0x32, 0xffffffffffffffff, 0x0) socketpair$unix(0x1, 0x5, 0x0, &(0x7f000072d000-0x8)={0xffffffffffffffff, 0xffffffffffffffff}) setsockopt$sock_int(r0, 0x1, 0x2a, &(0x7f0000026000-0x4)=0x0, 0x4) r2 = openat$sequencer(0xffffffffffffff9c, &(0x7f0000dcf000)='/dev/sequencer\x00', 0x4480, 0x0) setsockopt$ipx_IPX_TYPE(r2, 0x100, 0x1, &(0x7f00000a7000-0x4)=0x1000, 0x4) write(r1, &(0x7f000001a000-0x69)="", 0x0) write(r1, &(0x7f0000ead000-0x1)="95", 0x1) bind$ipx(r2, &(0x7f00004d6000-0x10)={0x4, 0x400, 0x10001, "4c49dd0d9559", 0x7fc000000000000, 0x0}, 0x10) recvmsg(r0, &(0x7f000001a000-0x38)={0x0, 0x0, &(0x7f000001e000)=[], 0x0, &(0x7f0000fae000)=""/0, 0x0, 0x0}, 0x1ffe) recvfrom$unix(r0, &(0x7f0000d4c000-0x8a)=""/138, 0x8a, 0x2002, 0x0, 0x0) [ 34.680269] audit: type=1400 audit(1517083826.894:14): avc: denied { dac_read_search } for pid=4379 comm="syz-executor3" capability=2 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=cap_userns permissive=1 2018/01/27 20:10:27 executing program 3: mmap(&(0x7f0000000000/0xfff000)=nil, 0xfff000, 0x3, 0x32, 0xffffffffffffffff, 0x0) r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000201000-0x9)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) mlock2(&(0x7f0000cf6000/0x2000)=nil, 0x2000, 0x1) ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x201) [ 34.769432] audit: type=1400 audit(1517083826.895:15): avc: denied { dac_override } for pid=4379 comm="syz-executor3" capability=1 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=cap_userns permissive=1 [ 34.886910] kvm: KVM_SET_TSS_ADDR need to be called before entering vcpu 2018/01/27 20:10:27 executing program 3: mmap(&(0x7f0000000000/0xfff000)=nil, 0xfff000, 0x3, 0x32, 0xffffffffffffffff, 0x0) perf_event_open(&(0x7f000025c000)={0x2, 0x78, 0x3e2, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x1f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={&(0x7f0000000000)=0x0, 0x0}, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, 0x0, 0x0, 0xffffffffffffffff, 0x0) mkdir(&(0x7f0000c0d000)='./control\x00', 0x0) r0 = inotify_init() inotify_add_watch(r0, &(0x7f0000dff000-0xa)='./control\x00', 0x220000000009) inotify_add_watch(r0, &(0x7f000001f000-0xa)='./control\x00', 0x1000009) r1 = syz_open_dev$mice(&(0x7f0000dea000)='/dev/input/mice\x00', 0x0, 0x4000) ioctl$KVM_KVMCLOCK_CTRL(r1, 0xaead) syz_open_dev$vcsa(&(0x7f0000941000-0xb)='/dev/vcsa#\x00', 0x1, 0x10b000) [ 36.427137] ================================================================== [ 36.434539] BUG: KASAN: slab-out-of-bounds in ip6_xmit+0x1fdc/0x2260 [ 36.441004] Read of size 8 at addr ffff8801c1d60418 by task syz-executor6/4799 [ 36.448340] [ 36.449940] CPU: 0 PID: 4799 Comm: syz-executor6 Not tainted 4.15.0-rc9+ #283 [ 36.457184] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 36.466522] Call Trace: [ 36.469091] dump_stack+0x194/0x257 [ 36.472698] ? arch_local_irq_restore+0x53/0x53 [ 36.477343] ? show_regs_print_info+0x18/0x18 [ 36.481818] ? ip6_xmit+0x1fdc/0x2260 [ 36.485603] print_address_description+0x73/0x250 [ 36.490420] ? ip6_xmit+0x1fdc/0x2260 [ 36.494193] kasan_report+0x25b/0x340 [ 36.497974] __asan_report_load8_noabort+0x14/0x20 [ 36.502873] ip6_xmit+0x1fdc/0x2260 [ 36.506487] ? ip6_finish_output2+0x23a0/0x23a0 [ 36.511134] ? fl6_update_dst+0x127/0x2b0 [ 36.515256] ? check_noncircular+0x20/0x20 [ 36.519467] ? inet6_csk_route_socket+0x691/0xe80 [ 36.524290] ? lock_acquire+0x1d5/0x580 [ 36.528238] ? lock_acquire+0x1d5/0x580 [ 36.532183] ? inet6_csk_xmit+0x114/0x580 [ 36.536312] ? trace_hardirqs_on_thunk+0x1a/0x1c [ 36.541044] ? lock_release+0xa40/0xa40 [ 36.545020] inet6_csk_xmit+0x2fc/0x580 [ 36.548969] ? inet6_csk_update_pmtu+0x160/0x160 [ 36.553701] ? __sk_dst_check+0x1a5/0x380 [ 36.557825] ? sk_wait_data+0x610/0x610 [ 36.561797] l2tp_xmit_skb+0x1068/0x1410 [ 36.565846] ? l2tp_session_create+0xc60/0xc60 [ 36.570405] ? sock_wmalloc+0x15d/0x1d0 [ 36.574353] ? iov_iter_advance+0x13f0/0x13f0 [ 36.578829] ? pppol2tp_sendmsg+0x41b/0x670 [ 36.583131] pppol2tp_sendmsg+0x470/0x670 [ 36.587258] ? selinux_socket_sendmsg+0x36/0x40 [ 36.591906] ? pppol2tp_session_ioctl+0xa90/0xa90 [ 36.596724] sock_sendmsg+0xca/0x110 [ 36.600415] ___sys_sendmsg+0x767/0x8b0 [ 36.604369] ? copy_msghdr_from_user+0x590/0x590 [ 36.609107] ? selinux_socket_connect+0x311/0x730 [ 36.613935] ? __fget_light+0x297/0x380 [ 36.617887] ? fget_raw+0x20/0x20 [ 36.621320] ? __might_sleep+0x95/0x190 [ 36.625283] ? security_socket_connect+0x89/0xb0 [ 36.630021] ? __fdget+0x18/0x20 [ 36.633371] __sys_sendmsg+0xe5/0x210 [ 36.637142] ? __sys_sendmsg+0xe5/0x210 [ 36.641093] ? SyS_shutdown+0x290/0x290 [ 36.645043] ? selinux_capable+0x40/0x40 [ 36.649086] ? SyS_futex+0x269/0x390 [ 36.652789] ? trace_hardirqs_on_caller+0x421/0x5c0 [ 36.657783] SyS_sendmsg+0x2d/0x50 [ 36.661305] entry_SYSCALL_64_fastpath+0x29/0xa0 [ 36.666035] RIP: 0033:0x453299 [ 36.669196] RSP: 002b:00007f464ce4ac58 EFLAGS: 00000212 ORIG_RAX: 000000000000002e [ 36.676877] RAX: ffffffffffffffda RBX: 00007f464ce4b700 RCX: 0000000000453299 [ 36.684122] RDX: 0000000000000081 RSI: 000000002037ffc8 RDI: 0000000000000014 [ 36.691364] RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000 [ 36.698608] R10: 0000000000000000 R11: 0000000000000212 R12: 0000000000000000 [ 36.705850] R13: 0000000000a2f33f R14: 00007f464ce4b9c0 R15: 0000000000000000 [ 36.713112] [ 36.714711] Allocated by task 0: [ 36.718043] (stack is not available) [ 36.721726] [ 36.723325] Freed by task 0: [ 36.726311] (stack is not available) [ 36.729992] [ 36.731598] The buggy address belongs to the object at ffff8801c1d60400 [ 36.731598] which belongs to the cache ip_dst_cache of size 216 [ 36.744315] The buggy address is located 24 bytes inside of [ 36.744315] 216-byte region [ffff8801c1d60400, ffff8801c1d604d8) [ 36.756072] The buggy address belongs to the page: [ 36.760973] page:ffffea0007075800 count:1 mapcount:0 mapping:ffff8801c1d60040 index:0x0 [ 36.769086] flags: 0x2fffc0000000100(slab) [ 36.773298] raw: 02fffc0000000100 ffff8801c1d60040 0000000000000000 000000010000000c [ 36.781152] raw: ffffea0006fc2160 ffffea00072b3c20 ffff8801d6f6d800 0000000000000000 [ 36.789001] page dumped because: kasan: bad access detected [ 36.794682] [ 36.796283] Memory state around the buggy address: [ 36.801186] ffff8801c1d60300: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 36.808515] ffff8801c1d60380: 00 00 00 fc fc fc fc fc fc fc fc fc fc fc fc fc [ 36.815846] >ffff8801c1d60400: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 36.823175] ^ [ 36.827380] ffff8801c1d60480: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 36.834709] ffff8801c1d60500: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb [ 36.842036] ================================================================== [ 36.849366] Disabling lock debugging due to kernel taint [ 36.854827] Kernel panic - not syncing: panic_on_warn set ... [ 36.854827] [ 36.862171] CPU: 0 PID: 4799 Comm: syz-executor6 Tainted: G B 4.15.0-rc9+ #283 [ 36.870716] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 36.880039] Call Trace: [ 36.882601] dump_stack+0x194/0x257 [ 36.886203] ? arch_local_irq_restore+0x53/0x53 [ 36.890845] ? kasan_end_report+0x32/0x50 [ 36.894966] ? trace_hardirqs_on_thunk+0x1a/0x1c [ 36.899693] ? vsnprintf+0x1ed/0x1900 [ 36.903467] ? ip6_xmit+0x1fb0/0x2260 [ 36.907240] panic+0x1e4/0x41c [ 36.910404] ? refcount_error_report+0x214/0x214 [ 36.915131] ? add_taint+0x1c/0x50 [ 36.918642] ? add_taint+0x1c/0x50 [ 36.922152] ? ip6_xmit+0x1fdc/0x2260 [ 36.925926] kasan_end_report+0x50/0x50 [ 36.929872] kasan_report+0x144/0x340 [ 36.933647] __asan_report_load8_noabort+0x14/0x20 [ 36.938546] ip6_xmit+0x1fdc/0x2260 [ 36.942153] ? ip6_finish_output2+0x23a0/0x23a0 [ 36.946794] ? fl6_update_dst+0x127/0x2b0 [ 36.950916] ? check_noncircular+0x20/0x20 [ 36.955137] ? inet6_csk_route_socket+0x691/0xe80 [ 36.959956] ? lock_acquire+0x1d5/0x580 [ 36.963906] ? lock_acquire+0x1d5/0x580 [ 36.967853] ? inet6_csk_xmit+0x114/0x580 [ 36.971973] ? trace_hardirqs_on_thunk+0x1a/0x1c [ 36.976700] ? lock_release+0xa40/0xa40 [ 36.980658] inet6_csk_xmit+0x2fc/0x580 [ 36.984604] ? inet6_csk_update_pmtu+0x160/0x160 [ 36.989333] ? __sk_dst_check+0x1a5/0x380 [ 36.993454] ? sk_wait_data+0x610/0x610 [ 36.997411] l2tp_xmit_skb+0x1068/0x1410 [ 37.001449] ? l2tp_session_create+0xc60/0xc60 [ 37.006005] ? sock_wmalloc+0x15d/0x1d0 [ 37.009953] ? iov_iter_advance+0x13f0/0x13f0 [ 37.014422] ? pppol2tp_sendmsg+0x41b/0x670 [ 37.018716] pppol2tp_sendmsg+0x470/0x670 [ 37.022839] ? selinux_socket_sendmsg+0x36/0x40 [ 37.027483] ? pppol2tp_session_ioctl+0xa90/0xa90 [ 37.032296] sock_sendmsg+0xca/0x110 [ 37.035983] ___sys_sendmsg+0x767/0x8b0 [ 37.039932] ? copy_msghdr_from_user+0x590/0x590 [ 37.044664] ? selinux_socket_connect+0x311/0x730 [ 37.049487] ? __fget_light+0x297/0x380 [ 37.053432] ? fget_raw+0x20/0x20 [ 37.056859] ? __might_sleep+0x95/0x190 [ 37.060822] ? security_socket_connect+0x89/0xb0 [ 37.065555] ? __fdget+0x18/0x20 [ 37.068896] __sys_sendmsg+0xe5/0x210 [ 37.072666] ? __sys_sendmsg+0xe5/0x210 [ 37.076614] ? SyS_shutdown+0x290/0x290 [ 37.080562] ? selinux_capable+0x40/0x40 [ 37.084598] ? SyS_futex+0x269/0x390 [ 37.088290] ? trace_hardirqs_on_caller+0x421/0x5c0 [ 37.093280] SyS_sendmsg+0x2d/0x50 [ 37.096794] entry_SYSCALL_64_fastpath+0x29/0xa0 [ 37.101520] RIP: 0033:0x453299 [ 37.104681] RSP: 002b:00007f464ce4ac58 EFLAGS: 00000212 ORIG_RAX: 000000000000002e [ 37.112367] RAX: ffffffffffffffda RBX: 00007f464ce4b700 RCX: 0000000000453299 [ 37.119612] RDX: 0000000000000081 RSI: 000000002037ffc8 RDI: 0000000000000014 [ 37.126853] RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000 [ 37.134092] R10: 0000000000000000 R11: 0000000000000212 R12: 0000000000000000 [ 37.141334] R13: 0000000000a2f33f R14: 00007f464ce4b9c0 R15: 0000000000000000 [ 37.149021] Dumping ftrace buffer: [ 37.152531] (ftrace buffer empty) [ 37.156209] Kernel Offset: disabled [ 37.159806] Rebooting in 86400 seconds..