[   12.652639] audit: type=1400 audit(1516059406.518:5): avc: denied { syslog } for pid=3493 comm="rsyslogd" capability=34 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=capability2 permissive=1
[ ok ] Starting enhanced syslogd: rsyslogd.
[ ok ] Starting periodic command scheduler: cron.
Starting mcstransd:
[ ok ] Starting file context maintaining daemon: restorecond.
[ ok ] Starting OpenBSD Secure Shell server: sshd.

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [   19.136901] audit: type=1400 audit(1516059413.002:6): avc: denied { map } for pid=3631 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
Warning: Permanently added '10.128.15.206' (ECDSA) to the list of known hosts.
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
[   25.393522] audit: type=1400 audit(1516059419.259:7): avc: denied { map } for pid=3645 comm="syzkaller275009" path="/root/syzkaller275009969" dev="sda1" ino=16481 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
[   25.532851] ==================================================================
[   25.540281] BUG: KASAN: use-after-free in tipc_group_is_open+0x3a/0x40
[   25.546940] Read of size 1 at addr ffff8801d89f7378 by task syzkaller275009/3704
[   25.554463]
[   25.556071] CPU: 0 PID: 3704 Comm: syzkaller275009 Not tainted 4.15.0-rc7+ #190
[   25.563493] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   25.572837] Call Trace:
[   25.575416]  dump_stack+0x194/0x257
[   25.579043]  ? arch_local_irq_restore+0x53/0x53
[   25.583708]  ? show_regs_print_info+0x18/0x18
[   25.588186]  ? tipc_group_is_open+0x3a/0x40
[   25.592487]  print_address_description+0x73/0x250
[   25.597312]  ? tipc_group_is_open+0x3a/0x40
[   25.601613]  kasan_report+0x25b/0x340
[   25.605408]  __asan_report_load1_noabort+0x14/0x20
[   25.610342]  tipc_group_is_open+0x3a/0x40
[   25.614478]  tipc_poll+0x364/0x4d0
[   25.618028]  ? tipc_ioctl+0x240/0x240
[   25.621814]  ? set_normalized_timespec64+0x5a/0xb0
[   25.626726]  ? select_estimate_accuracy+0x30b/0x450
executing program
executing program
[   25.631735]  sock_poll+0x141/0x320
[   25.635247]  ? __might_sleep+0x95/0x190
[   25.639203]  ? sock_ioctl+0x440/0x440
[   25.642995]  ? sock_ioctl+0x440/0x440
[   25.646777]  do_sys_poll+0x715/0x10b0
[   25.650586]  ? compat_core_sys_select+0x9e0/0x9e0
[   25.655415]  ? _raw_spin_unlock+0x22/0x30
[   25.659537]  ? __handle_mm_fault+0x80e/0x3ce0
[   25.664026]  ? check_noncircular+0x20/0x20
[   25.668257]  ? handle_mm_fault+0x248/0x8d0
[   25.672472]  ? find_held_lock+0x35/0x1d0
[   25.676525]  ? poll_initwait+0x180/0x180
executing program
executing program
[   25.680570]  ? set_fd_set.part.0+0x70/0x70
[   25.684788]  ? set_fd_set.part.0+0x70/0x70
[   25.689020]  ? set_fd_set.part.0+0x70/0x70
[   25.693248]  ? set_fd_set.part.0+0x70/0x70
[   25.697461]  ? ktime_get_ts64+0x328/0x4d0
[   25.701590]  ? timespec64_add_safe+0x1bb/0x2c0
[   25.706149]  ? nsec_to_clock_t+0x30/0x30
[   25.710204]  ? poll_select_set_timeout+0x12f/0x210
[   25.715114]  ? do_restart_poll+0x2a0/0x2a0
[   25.719354]  ? SyS_futex+0x269/0x390
[   25.723078]  SyS_poll+0x10d/0x450
[   25.726519]  ? SyS_poll+0x10d/0x450
[   25.730125]  ? SyS_pselect6+0x650/0x650
[   25.734080]  ? trace_hardirqs_on_caller+0x421/0x5c0
[   25.739073]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[   25.743813]  entry_SYSCALL_64_fastpath+0x23/0x9a
[   25.748543] RIP: 0033:0x446129
[   25.751702] RSP: 002b:00007f0f2df96db8 EFLAGS: 00000246 ORIG_RAX: 0000000000000007
[   25.759390] RAX: ffffffffffffffda RBX: 00000000006dbc54 RCX: 0000000000446129
[   25.766644] RDX: 0000000000007fff RSI: 000000000000000a RDI: 0000000020ef5000
[   25.773898] RBP: 00000000006dbc50 R08: 0000000000000000 R09: 0000000000000000
executing program
executing program
[   25.781146] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
[   25.788387] R13: 00007ffc07e2923f R14: 00007f0f2df979c0 R15: 0000000000000007
[   25.795660]
[   25.797272] Allocated by task 3702:
[   25.800912]  save_stack+0x43/0xd0
[   25.804349]  kasan_kmalloc+0xad/0xe0
[   25.808047]  kmem_cache_alloc_trace+0x136/0x750
[   25.812694]  tipc_group_create+0x144/0x900
[   25.816917]  tipc_setsockopt+0x274/0xce0
[   25.821041]  SyS_setsockopt+0x189/0x360
[   25.825000]  entry_SYSCALL_64_fastpath+0x23/0x9a
[   25.829734]
executing program
executing program
[   25.831345] Freed by task 3702:
[   25.834622]  save_stack+0x43/0xd0
[   25.838070]  kasan_slab_free+0x71/0xc0
[   25.841950]  kfree+0xd6/0x260
[   25.845032]  tipc_group_delete+0x2c8/0x3d0
[   25.849253]  tipc_setsockopt+0xaa9/0xce0
[   25.853288]  SyS_setsockopt+0x189/0x360
[   25.857238]  entry_SYSCALL_64_fastpath+0x23/0x9a
[   25.861965]
[   25.863566] The buggy address belongs to the object at ffff8801d89f7300
[   25.863566]  which belongs to the cache kmalloc-128 of size 128
[   25.876211] The buggy address is located 120 bytes inside of
[   25.876211]  128-byte region [ffff8801d89f7300, ffff8801d89f7380)
[   25.888068] The buggy address belongs to the page:
[   25.892972] page:ffffea0007627dc0 count:1 mapcount:0 mapping:ffff8801d89f7000 index:0x0
[   25.901087] flags: 0x2fffc0000000100(slab)
[   25.905303] raw: 02fffc0000000100 ffff8801d89f7000 0000000000000000 0000000100000015
[   25.913207] raw: ffffea0007622720 ffffea0007627ce0 ffff8801dac00640 0000000000000000
[   25.921081] page dumped because: kasan: bad access detected
[   25.926762]
[   25.928362] Memory state around the buggy address:
executing program
executing program
[   25.933266]  ffff8801d89f7200: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
[   25.940603]  ffff8801d89f7280: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[   25.947948] >ffff8801d89f7300: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   25.955293]                                                                 ^
[   25.962544]  ffff8801d89f7380: fc fc fc fc fc fc fc fc 00 00 00 00 00 00 00 00
[   25.969883]  ffff8801d89f7400: 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc
[   25.977417] ==================================================================
executing program
executing program
executing program
[   25.984973] Disabling lock debugging due to kernel taint
[   25.990520] Kernel panic - not syncing: panic_on_warn set ...
[   25.990520]
[   25.997880] CPU: 0 PID: 3704 Comm: syzkaller275009 Tainted: G    B    4.15.0-rc7+ #190
[   26.006640] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   26.016341] Call Trace:
[   26.018929]  dump_stack+0x194/0x257
[   26.022561]  ? arch_local_irq_restore+0x53/0x53
[   26.027215]  ? kasan_end_report+0x32/0x50
executing program
executing program
executing program
executing program
executing program
executing program
[   26.031351]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[   26.036094]  ? vsnprintf+0x1ed/0x1900
[   26.039918]  ? tipc_group_proto_xmit+0x9b0/0xa70
[   26.044669]  panic+0x1e4/0x41c
[   26.047850]  ? refcount_error_report+0x214/0x214
[   26.052609]  ? add_taint+0x1c/0x50
[   26.056182]  ? add_taint+0x1c/0x50
[   26.059727]  ? tipc_group_is_open+0x3a/0x40
[   26.064037]  kasan_end_report+0x50/0x50
[   26.067993]  kasan_report+0x144/0x340
[   26.071794]  __asan_report_load1_noabort+0x14/0x20
[   26.076732]  tipc_group_is_open+0x3a/0x40
[   26.080873]  tipc_poll+0x364/0x4d0
executing program
executing program
executing program
executing program
executing program
[   26.084399]  ? tipc_ioctl+0x240/0x240
[   26.088536]  ? set_normalized_timespec64+0x5a/0xb0
[   26.093642]  ? select_estimate_accuracy+0x30b/0x450
[   26.098668]  sock_poll+0x141/0x320
[   26.102202]  ? __might_sleep+0x95/0x190
[   26.106176]  ? sock_ioctl+0x440/0x440
[   26.109975]  ? sock_ioctl+0x440/0x440
[   26.113758]  do_sys_poll+0x715/0x10b0
[   26.117576]  ? compat_core_sys_select+0x9e0/0x9e0
[   26.122439]  ? _raw_spin_unlock+0x22/0x30
[   26.126580]  ? __handle_mm_fault+0x80e/0x3ce0
[   26.131083]  ? check_noncircular+0x20/0x20
executing program
executing program
executing program
executing program
[   26.135323]  ? handle_mm_fault+0x248/0x8d0
[   26.139553]  ? find_held_lock+0x35/0x1d0
[   26.143619]  ? poll_initwait+0x180/0x180
[   26.147674]  ? set_fd_set.part.0+0x70/0x70
[   26.151895]  ? set_fd_set.part.0+0x70/0x70
[   26.156133]  ? set_fd_set.part.0+0x70/0x70
[   26.160358]  ? set_fd_set.part.0+0x70/0x70
[   26.164577]  ? ktime_get_ts64+0x328/0x4d0
[   26.168713]  ? timespec64_add_safe+0x1bb/0x2c0
[   26.173304]  ? nsec_to_clock_t+0x30/0x30
[   26.177370]  ? poll_select_set_timeout+0x12f/0x210
executing program
executing program
executing program
executing program
executing program
[   26.182287]  ? do_restart_poll+0x2a0/0x2a0
[   26.186510]  ? SyS_futex+0x269/0x390
[   26.190229]  SyS_poll+0x10d/0x450
[   26.193672]  ? SyS_poll+0x10d/0x450
[   26.197283]  ? SyS_pselect6+0x650/0x650
[   26.201262]  ? trace_hardirqs_on_caller+0x421/0x5c0
[   26.206260]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[   26.211009]  entry_SYSCALL_64_fastpath+0x23/0x9a
[   26.215746] RIP: 0033:0x446129
[   26.219061] RSP: 002b:00007f0f2df96db8 EFLAGS: 00000246 ORIG_RAX: 0000000000000007
[   26.226755] RAX: ffffffffffffffda RBX: 00000000006dbc54 RCX: 0000000000446129
executing program
executing program
executing program
[   26.234015] RDX: 0000000000007fff RSI: 000000000000000a RDI: 0000000020ef5000
[   26.241985] RBP: 00000000006dbc50 R08: 0000000000000000 R09: 0000000000000000
[   26.249232] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
[   26.256481] R13: 00007ffc07e2923f R14: 00007f0f2df979c0 R15: 0000000000000007
[   26.264295] Dumping ftrace buffer:
[   26.267815]    (ftrace buffer empty)
[   26.271492] Kernel Offset: disabled
[   26.275085] Rebooting in 86400 seconds..