[ ok ] Starting enhanced syslogd: rsyslogd.
[ 12.416367] audit: type=1400 audit(1515782870.834:5): avc: denied { syslog } for pid=3345 comm="rsyslogd" capability=34 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=capability2 permissive=1
[ ok ] Starting periodic command scheduler: cron.
Starting mcstransd:
[ ok ] Starting file context maintaining daemon: restorecond.
[ ok ] Starting OpenBSD Secure Shell server: sshd.

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [ 19.968136] audit: type=1400 audit(1515782878.385:6): avc: denied { map } for pid=3484 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
Warning: Permanently added '10.128.0.24' (ECDSA) to the list of known hosts.
[ 41.038752] audit: type=1400 audit(1515782899.456:7): avc: denied { map } for pid=3501 comm="syzkaller937663" path="/root/syzkaller937663364" dev="sda1" ino=16481 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
executing program
[ 41.064833] audit: type=1400 audit(1515782899.456:8): avc: denied { sys_admin } for pid=3501 comm="syzkaller937663" capability=21 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=cap_userns permissive=1
[ 41.094529] audit: type=1400 audit(1515782899.512:9): avc: denied { sys_chroot } for pid=3502 comm="syzkaller937663" capability=18 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=cap_userns permissive=1
[ 41.098219] ==================================================================
[ 41.098239] BUG: KASAN: slab-out-of-bounds in map_lookup_elem+0x4dc/0xbd0
[ 41.098243] Read of size 2097153 at addr ffff8801bfc7e690 by task syzkaller937663/3502
[ 41.098244]
[ 41.098251] CPU: 0 PID: 3502 Comm: syzkaller937663 Not tainted 4.15.0-rc7+ #185
[ 41.098254] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 41.098256] Call Trace:
[ 41.098265]  dump_stack+0x194/0x257
[ 41.098276]  ? arch_local_irq_restore+0x53/0x53
[ 41.098285]  ? show_regs_print_info+0x18/0x18
[ 41.098295]  ? map_lookup_elem+0x4dc/0xbd0
[ 41.098303]  print_address_description+0x73/0x250
[ 41.098308]  ? map_lookup_elem+0x4dc/0xbd0
[ 41.098314]  kasan_report+0x25b/0x340
[ 41.098324]  check_memory_region+0x137/0x190
[ 41.098329]  memcpy+0x23/0x50
[ 41.098336]  map_lookup_elem+0x4dc/0xbd0
[ 41.098349]  ? bpf_map_get_with_uref+0x110/0x110
[ 41.098358]  ? __might_sleep+0x95/0x190
[ 41.098366]  ? debug_lockdep_rcu_enabled+0x77/0x90
[ 41.098373]  ? selinux_bpf+0xd1/0x110
[ 41.098379]  ? security_bpf+0x89/0xb0
[ 41.098388]  SyS_bpf+0x922/0x4400
[ 41.098398]  ? bpf_prog_get+0x20/0x20
[ 41.098409]  ? lock_release+0xa40/0xa40
[ 41.098419]  ? do_raw_spin_trylock+0x190/0x190
[ 41.098437]  ? _raw_spin_unlock+0x22/0x30
[ 41.098445]  ? __handle_mm_fault+0x80e/0x3ce0
[ 41.098455]  ? check_noncircular+0x20/0x20
[ 41.098459]  ? __pmd_alloc+0x4e0/0x4e0
[ 41.098464]  ? vma_link+0xe9/0x170
[ 41.098474]  ? find_held_lock+0x35/0x1d0
[ 41.098486]  ? handle_mm_fault+0x248/0x8d0
[ 41.098494]  ? find_held_lock+0x35/0x1d0
[ 41.098508]  ? __do_page_fault+0x5f7/0xc90
[ 41.098514]  ? lock_downgrade+0x980/0x980
[ 41.098527]  ? handle_mm_fault+0x410/0x8d0
[ 41.098530]  ? down_read_trylock+0xdb/0x170
[ 41.098534]  ? __do_page_fault+0x32d/0xc90
[ 41.098540]  ? __handle_mm_fault+0x3ce0/0x3ce0
[ 41.098544]  ? vmacache_find+0x5f/0x280
[ 41.098555]  ? up_read+0x1a/0x40
[ 41.098560]  ? __do_page_fault+0x3d6/0xc90
[ 41.098572]  ? mm_fault_error+0x2c0/0x2c0
[ 41.098587]  ? do_page_fault+0xee/0x720
[ 41.098596]  ? trace_event_raw_event_sys_exit+0x260/0x260
[ 41.098602]  ? __do_page_fault+0xc90/0xc90
[ 41.098615]  ? SyS_mmap_pgoff+0x243/0x5f0
[ 41.098630]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 41.098641]  entry_SYSCALL_64_fastpath+0x23/0x9a
[ 41.098645] RIP: 0033:0x440ab9
[ 41.098648] RSP: 002b:00000000007dff68 EFLAGS: 00000203 ORIG_RAX: 0000000000000141
[ 41.098653] RAX: ffffffffffffffda RBX: 00007fffc494ea60 RCX: 0000000000440ab9
[ 41.098656] RDX: 0000000000000018 RSI: 0000000020eab000 RDI: 0000000000000001
[ 41.098658] RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
[ 41.098661] R10: 0000000000000000 R11: 0000000000000203 R12: 0000000000402290
[ 41.098663] R13: 0000000000402320 R14: 0000000000000000 R15: 0000000000000000
[ 41.098680]
[ 41.098682] Allocated by task 3502:
[ 41.098687]  save_stack+0x43/0xd0
[ 41.098690]  kasan_kmalloc+0xad/0xe0
[ 41.098694]  __kmalloc_node+0x47/0x70
[ 41.098697]  bpf_map_area_alloc+0x32/0x80
[ 41.098702]  array_map_alloc+0x351/0xa00
[ 41.098705]  SyS_bpf+0x7f8/0x4400
[ 41.098708]  entry_SYSCALL_64_fastpath+0x23/0x9a
[ 41.098709]
[ 41.098711] Freed by task 1966:
[ 41.098715]  save_stack+0x43/0xd0
[ 41.098719]  kasan_slab_free+0x71/0xc0
[ 41.098722]  kfree+0xd6/0x260
[ 41.098726]  single_release+0x80/0xb0
[ 41.098730]  __fput+0x327/0x7e0
[ 41.098733]  ____fput+0x15/0x20
[ 41.098738]  task_work_run+0x199/0x270
[ 41.098742]  exit_to_usermode_loop+0x296/0x310
[ 41.098745]  syscall_return_slowpath+0x490/0x550
[ 41.098749]  entry_SYSCALL_64_fastpath+0x98/0x9a
[ 41.098750]
[ 41.098753] The buggy address belongs to the object at ffff8801bfc7e5c0
[ 41.098753]  which belongs to the cache kmalloc-256 of size 256
[ 41.098757] The buggy address is located 208 bytes inside of
[ 41.098757]  256-byte region [ffff8801bfc7e5c0, ffff8801bfc7e6c0)
[ 41.098758] The buggy address belongs to the page:
[ 41.098762] page:ffffea0006ff1f80 count:1 mapcount:0 mapping:ffff8801bfc7e0c0 index:0x0
[ 41.098767] flags: 0x2fffc0000000100(slab)
[ 41.098773] raw: 02fffc0000000100 ffff8801bfc7e0c0 0000000000000000 000000010000000c
[ 41.098778] raw: ffffea00070149e0 ffffea0006ff2be0 ffff8801dac007c0 0000000000000000
[ 41.098780] page dumped because: kasan: bad access detected
[ 41.098781]
[ 41.098783] Memory state around the buggy address:
[ 41.098786]  ffff8801bfc7e580: fc fc fc fc fc fc fc fc 00 00 00 00 00 00 00 00
[ 41.098789]  ffff8801bfc7e600: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 41.098792] >ffff8801bfc7e680: 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc
[ 41.098793]                          ^
[ 41.098796]  ffff8801bfc7e700: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 41.098799]  ffff8801bfc7e780: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 41.098801] ==================================================================
[ 41.098802] Disabling lock debugging due to kernel taint
[ 41.098805] Kernel panic - not syncing: panic_on_warn set ...
[ 41.098805]
[ 41.098809] CPU: 0 PID: 3502 Comm: syzkaller937663 Tainted: G B 4.15.0-rc7+ #185
[ 41.098811] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 41.098812] Call Trace:
[ 41.098816]  dump_stack+0x194/0x257
[ 41.098822]  ? arch_local_irq_restore+0x53/0x53
[ 41.098825]  ? kasan_end_report+0x32/0x50
[ 41.098830]  ? lock_downgrade+0x980/0x980
[ 41.098835]  ? vsnprintf+0x1ed/0x1900
[ 41.098840]  ? map_lookup_elem+0x430/0xbd0
[ 41.098845]  panic+0x1e4/0x41c
[ 41.098849]  ? refcount_error_report+0x214/0x214
[ 41.098856]  ? add_taint+0x40/0x50
[ 41.098859]  ? add_taint+0x1c/0x50
[ 41.098864]  ? map_lookup_elem+0x4dc/0xbd0
[ 41.098868]  kasan_end_report+0x50/0x50
[ 41.098872]  kasan_report+0x144/0x340
[ 41.098879]  check_memory_region+0x137/0x190
[ 41.098883]  memcpy+0x23/0x50
[ 41.098887]  map_lookup_elem+0x4dc/0xbd0
[ 41.098894]  ? bpf_map_get_with_uref+0x110/0x110
[ 41.098898]  ? __might_sleep+0x95/0x190
[ 41.098903]  ? debug_lockdep_rcu_enabled+0x77/0x90
[ 41.098907]  ? selinux_bpf+0xd1/0x110
[ 41.098911]  ? security_bpf+0x89/0xb0
[ 41.098916]  SyS_bpf+0x922/0x4400
[ 41.098923]  ? bpf_prog_get+0x20/0x20
[ 41.098929]  ? lock_release+0xa40/0xa40
[ 41.098936]  ? do_raw_spin_trylock+0x190/0x190
[ 41.098944]  ? _raw_spin_unlock+0x22/0x30
[ 41.098949]  ? __handle_mm_fault+0x80e/0x3ce0
[ 41.098955]  ? check_noncircular+0x20/0x20
[ 41.098958]  ? __pmd_alloc+0x4e0/0x4e0
[ 41.098962]  ? vma_link+0xe9/0x170
[ 41.098969]  ? find_held_lock+0x35/0x1d0
[ 41.098976]  ? handle_mm_fault+0x248/0x8d0
[ 41.098982]  ? find_held_lock+0x35/0x1d0
[ 41.098990]  ? __do_page_fault+0x5f7/0xc90
[ 41.098994]  ? lock_downgrade+0x980/0x980
[ 41.099005]  ? handle_mm_fault+0x410/0x8d0
[ 41.099008]  ? down_read_trylock+0xdb/0x170
[ 41.099012]  ? __do_page_fault+0x32d/0xc90
[ 41.099016]  ? __handle_mm_fault+0x3ce0/0x3ce0
[ 41.099019]  ? vmacache_find+0x5f/0x280
[ 41.099026]  ? up_read+0x1a/0x40
[ 41.099030]  ? __do_page_fault+0x3d6/0xc90
[ 41.099038]  ? mm_fault_error+0x2c0/0x2c0
[ 41.099047]  ? do_page_fault+0xee/0x720
[ 41.099051]  ? trace_event_raw_event_sys_exit+0x260/0x260
[ 41.099056]  ? __do_page_fault+0xc90/0xc90
[ 41.099066]  ? SyS_mmap_pgoff+0x243/0x5f0
[ 41.099078]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 41.099087]  entry_SYSCALL_64_fastpath+0x23/0x9a
[ 41.099090] RIP: 0033:0x440ab9
[ 41.099093] RSP: 002b:00000000007dff68 EFLAGS: 00000203 ORIG_RAX: 0000000000000141
[ 41.099098] RAX: ffffffffffffffda RBX: 00007fffc494ea60 RCX: 0000000000440ab9
[ 41.099100] RDX: 0000000000000018 RSI: 0000000020eab000 RDI: 0000000000000001
[ 41.099102] RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
[ 41.099104] R10: 0000000000000000 R11: 0000000000000203 R12: 0000000000402290
[ 41.099106] R13: 0000000000402320 R14: 0000000000000000 R15: 0000000000000000
[ 41.119015] Dumping ftrace buffer:
[ 41.119019]    (ftrace buffer empty)
[ 41.119022] Kernel Offset: disabled
[ 41.888623] Rebooting in 86400 seconds..