[....] Starting enhanced syslogd: rsyslogd
[ 17.365729] audit: type=1400 audit(1521057887.372:5): avc: denied { syslog } for pid=4018 comm="rsyslogd" capability=34 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=capability2 permissive=1
[ ok ] Starting enhanced syslogd: rsyslogd.
[ ok ] Starting periodic command scheduler: cron.
Starting mcstransd:
[ ok ] Starting file context maintaining daemon: restorecond.
[ ok ] Starting OpenBSD Secure Shell server: sshd.

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login:
[ 22.602386] audit: type=1400 audit(1521057892.609:6): avc: denied { map } for pid=4157 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
Warning: Permanently added '10.128.0.25' (ECDSA) to the list of known hosts.
[ 28.946988] audit: type=1400 audit(1521057898.953:7): avc: denied { map } for pid=4171 comm="syz-execprog" path="/root/syz-execprog" dev="sda1" ino=16479 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
2018/03/14 20:04:59 parsed 1 programs
2018/03/14 20:04:59 executed programs: 0
[ 29.186640] audit: type=1400 audit(1521057899.193:8): avc: denied { map } for pid=4171 comm="syz-execprog" path="/root/syzkaller-shm959617327" dev="sda1" ino=16482 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:file_t:s0 tclass=file permissive=1
[ 29.197931] IPVS: ftp: loaded support on port[0] = 21
[ 29.483756] IPv6: ADDRCONF(NETDEV_UP): bridge0: link is not ready
[ 29.867907] IPv6: ADDRCONF(NETDEV_UP): bond0: link is not ready
[ 29.874390] 8021q: adding VLAN 0 to HW filter on device bond0
[ 29.915492] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
[ 29.957633] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 29.973668] ==================================================================
[ 29.981104] BUG: KASAN: slab-out-of-bounds in ip6_xmit+0x1f76/0x2260
[ 29.987572] Read of size 8 at addr ffff8801cdfed618 by task syz-executor0/4337
[ 29.994904]
[ 29.996509] CPU: 0 PID: 4337 Comm: syz-executor0 Not tainted 4.16.0-rc5+ #263
[ 30.003761] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 30.013104] Call Trace:
[ 30.015681]  dump_stack+0x194/0x24d
[ 30.019284]  ? arch_local_irq_restore+0x53/0x53
[ 30.023928]  ? show_regs_print_info+0x18/0x18
[ 30.028403]  ? ip6_xmit+0x1f76/0x2260
[ 30.032182]  print_address_description+0x73/0x250
[ 30.037001]  ? ip6_xmit+0x1f76/0x2260
[ 30.040778]  kasan_report+0x23c/0x360
[ 30.044559]  __asan_report_load8_noabort+0x14/0x20
[ 30.049464]  ip6_xmit+0x1f76/0x2260
[ 30.053078]  ? ip6_finish_output2+0x23a0/0x23a0
[ 30.057725]  ? fl6_update_dst+0x127/0x2b0
[ 30.061851]  ? inet6_csk_route_socket+0x691/0xe80
[ 30.066682]  ? trace_hardirqs_off+0x10/0x10
[ 30.070982]  ? lock_acquire+0x1d5/0x580
[ 30.074932]  ? lock_acquire+0x1d5/0x580
[ 30.078880]  ? inet6_csk_xmit+0x114/0x580
[ 30.083016]  ? trace_hardirqs_off+0x10/0x10
[ 30.087407]  ? lock_release+0xa40/0xa40
[ 30.091371]  inet6_csk_xmit+0x2fc/0x580
[ 30.095322]  ? inet6_csk_update_pmtu+0x160/0x160
[ 30.100053]  ? __sk_dst_check+0x1a5/0x380
[ 30.104174]  ? sock_kfree_s+0x60/0x60
[ 30.107964]  l2tp_xmit_skb+0x105f/0x1410
[ 30.112011]  ? l2tp_session_create+0xb80/0xb80
[ 30.116570]  ? sock_wmalloc+0x15d/0x1d0
[ 30.120523]  ? iov_iter_advance+0x13f0/0x13f0
[ 30.124994]  ? pppol2tp_sendmsg+0x41b/0x670
[ 30.129295]  pppol2tp_sendmsg+0x470/0x670
[ 30.133423]  ? selinux_socket_sendmsg+0x36/0x40
[ 30.138076]  ? pppol2tp_getsockopt+0x900/0x900
[ 30.142637]  sock_sendmsg+0xca/0x110
[ 30.146331]  SYSC_sendto+0x361/0x5c0
[ 30.150024]  ? SYSC_connect+0x4a0/0x4a0
[ 30.153979]  ? find_held_lock+0x35/0x1d0
[ 30.158025]  ? lock_downgrade+0x980/0x980
[ 30.162186]  ? __do_page_fault+0x3d6/0xc90
[ 30.166396]  ? compat_writev+0x420/0x420
[ 30.170451]  SyS_sendto+0x40/0x50
[ 30.173969]  ? SyS_getpeername+0x30/0x30
[ 30.178011]  do_fast_syscall_32+0x3ec/0xf9f
[ 30.182315]  ? do_int80_syscall_32+0x9c0/0x9c0
[ 30.186873]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 30.191609]  ? syscall_return_slowpath+0x2ac/0x550
[ 30.196518]  ? prepare_exit_to_usermode+0x350/0x350
[ 30.201511]  ? sysret32_from_system_call+0x5/0x3c
[ 30.206330]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 30.211153]  entry_SYSENTER_compat+0x70/0x7f
[ 30.215534] RIP: 0023:0xf7f19c99
[ 30.218878] RSP: 002b:00000000ffcafa7c EFLAGS: 00000282 ORIG_RAX: 0000000000000171
[ 30.226561] RAX: ffffffffffffffda RBX: 0000000000000004 RCX: 0000000020001180
[ 30.233805] RDX: 0000000000000000 RSI: 0000000000040001 RDI: 00000000200021c0
[ 30.241059] RBP: 0000000000000080 R08: 0000000000000000 R09: 0000000000000000
[ 30.248305] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
[ 30.255548] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[ 30.262810]
[ 30.264410] Allocated by task 0:
[ 30.267746] (stack is not available)
[ 30.271426]
[ 30.273022] Freed by task 0:
[ 30.276010] (stack is not available)
[ 30.279691]
[ 30.281291] The buggy address belongs to the object at ffff8801cdfed600
[ 30.281291]  which belongs to the cache ip_dst_cache of size 168
[ 30.294007] The buggy address is located 24 bytes inside of
[ 30.294007]  168-byte region [ffff8801cdfed600, ffff8801cdfed6a8)
[ 30.305763] The buggy address belongs to the page:
[ 30.310668] page:ffffea000737fb40 count:1 mapcount:0 mapping:ffff8801cdfed000 index:0xffff8801cdfed000
[ 30.320095] flags: 0x2fffc0000000100(slab)
[ 30.324303] raw: 02fffc0000000100 ffff8801cdfed000 ffff8801cdfed000 000000010000000d
[ 30.332159] raw: ffff8801d5ba1d38 ffff8801d5ba1d38 ffff8801d580a340 0000000000000000
[ 30.340008] page dumped because: kasan: bad access detected
[ 30.345687]
[ 30.347282] Memory state around the buggy address:
[ 30.352182]  ffff8801cdfed500: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 30.359514]  ffff8801cdfed580: 00 00 00 00 00 fc fc fc fc fc fc fc fc fc fc fc
[ 30.366845] >ffff8801cdfed600: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 30.374183]                             ^
[ 30.378301]  ffff8801cdfed680: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 30.385633]  ffff8801cdfed700: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 30.392961] ==================================================================
[ 30.400298] Disabling lock debugging due to kernel taint
[ 30.405766] Kernel panic - not syncing: panic_on_warn set ...
[ 30.405766]
[ 30.413108] CPU: 0 PID: 4337 Comm: syz-executor0 Tainted: G B 4.16.0-rc5+ #263
[ 30.421652] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 30.430979] Call Trace:
[ 30.433548]  dump_stack+0x194/0x24d
[ 30.437150]  ? arch_local_irq_restore+0x53/0x53
[ 30.441792]  ? kasan_end_report+0x32/0x50
[ 30.445915]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 30.450652]  ? vsnprintf+0x1ed/0x1900
[ 30.454430]  ? ip6_xmit+0x1f30/0x2260
[ 30.458203]  panic+0x1e4/0x41c
[ 30.461376]  ? refcount_error_report+0x214/0x214
[ 30.466191]  ? add_taint+0x1c/0x50
[ 30.469704]  ? add_taint+0x1c/0x50
[ 30.473214]  ? ip6_xmit+0x1f76/0x2260
[ 30.476987]  kasan_end_report+0x50/0x50
[ 30.480934]  kasan_report+0x149/0x360
[ 30.484708]  __asan_report_load8_noabort+0x14/0x20
[ 30.489608]  ip6_xmit+0x1f76/0x2260
[ 30.493210]  ? ip6_finish_output2+0x23a0/0x23a0
[ 30.497850]  ? fl6_update_dst+0x127/0x2b0
[ 30.501967]  ? inet6_csk_route_socket+0x691/0xe80
[ 30.506783]  ? trace_hardirqs_off+0x10/0x10
[ 30.511075]  ? lock_acquire+0x1d5/0x580
[ 30.515020]  ? lock_acquire+0x1d5/0x580
[ 30.518961]  ? inet6_csk_xmit+0x114/0x580
[ 30.523080]  ? trace_hardirqs_off+0x10/0x10
[ 30.527374]  ? lock_release+0xa40/0xa40
[ 30.531326]  inet6_csk_xmit+0x2fc/0x580
[ 30.535272]  ? inet6_csk_update_pmtu+0x160/0x160
[ 30.540006]  ? __sk_dst_check+0x1a5/0x380
[ 30.544122]  ? sock_kfree_s+0x60/0x60
[ 30.547904]  l2tp_xmit_skb+0x105f/0x1410
[ 30.551948]  ? l2tp_session_create+0xb80/0xb80
[ 30.556502]  ? sock_wmalloc+0x15d/0x1d0
[ 30.560448]  ? iov_iter_advance+0x13f0/0x13f0
[ 30.564915]  ? pppol2tp_sendmsg+0x41b/0x670
[ 30.569208]  pppol2tp_sendmsg+0x470/0x670
[ 30.573327]  ? selinux_socket_sendmsg+0x36/0x40
[ 30.577967]  ? pppol2tp_getsockopt+0x900/0x900
[ 30.582520]  sock_sendmsg+0xca/0x110
[ 30.586205]  SYSC_sendto+0x361/0x5c0
[ 30.589891]  ? SYSC_connect+0x4a0/0x4a0
[ 30.593836]  ? find_held_lock+0x35/0x1d0
[ 30.597871]  ? lock_downgrade+0x980/0x980
[ 30.602022]  ? __do_page_fault+0x3d6/0xc90
[ 30.606226]  ? compat_writev+0x420/0x420
[ 30.610269]  SyS_sendto+0x40/0x50
[ 30.613692]  ? SyS_getpeername+0x30/0x30
[ 30.617724]  do_fast_syscall_32+0x3ec/0xf9f
[ 30.622023]  ? do_int80_syscall_32+0x9c0/0x9c0
[ 30.626573]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 30.631298]  ? syscall_return_slowpath+0x2ac/0x550
[ 30.636196]  ? prepare_exit_to_usermode+0x350/0x350
[ 30.641184]  ? sysret32_from_system_call+0x5/0x3c
[ 30.645998]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 30.650811]  entry_SYSENTER_compat+0x70/0x7f
[ 30.655188] RIP: 0023:0xf7f19c99
[ 30.658522] RSP: 002b:00000000ffcafa7c EFLAGS: 00000282 ORIG_RAX: 0000000000000171
[ 30.666202] RAX: ffffffffffffffda RBX: 0000000000000004 RCX: 0000000020001180
[ 30.673445] RDX: 0000000000000000 RSI: 0000000000040001 RDI: 00000000200021c0
[ 30.680685] RBP: 0000000000000080 R08: 0000000000000000 R09: 0000000000000000
[ 30.687924] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
[ 30.695161] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[ 30.702822] Dumping ftrace buffer:
[ 30.706341]    (ftrace buffer empty)
[ 30.710024] Kernel Offset: disabled
[ 30.713625] Rebooting in 86400 seconds..