[ ok ] Starting periodic command scheduler: cron.
Starting mcstransd: 
[ ok ] Starting file context maintaining daemon: restorecond.
[ ok ] Starting OpenBSD Secure Shell server: sshd.
[ 13.865122] sshd (3602) used greatest stack depth: 17232 bytes left

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [ 18.838369] audit: type=1400 audit(1516082799.007:6): avc: denied { map } for pid=3656 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
Warning: Permanently added '10.128.0.5' (ECDSA) to the list of known hosts.
executing program
[ 25.577818] audit: type=1400 audit(1516082805.746:7): avc: denied { map } for pid=3670 comm="syzkaller084676" path="/root/syzkaller084676122" dev="sda1" ino=16481 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
[ 25.580708] ==================================================================
[ 25.611253] BUG: KASAN: stack-out-of-bounds in __nla_put+0x37/0x40
[ 25.617549] Read of size 255 at addr ffff8801c62f7968 by task syzkaller084676/3670
[ 25.625230] 
[ 25.626838] CPU: 1 PID: 3670 Comm: syzkaller084676 Not tainted 4.15.0-rc8-next-20180116+ #98
[ 25.635392] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 25.644723] Call Trace:
[ 25.647327]  dump_stack+0x194/0x257
[ 25.650944]  ? arch_local_irq_restore+0x53/0x53
[ 25.655586]  ? show_regs_print_info+0x18/0x18
[ 25.660058]  ? __alloc_skb+0x57e/0x780
[ 25.663925]  ? __nla_put+0x37/0x40
[ 25.667442]  print_address_description+0x73/0x250
[ 25.672348]  ? __nla_put+0x37/0x40
[ 25.675876]  kasan_report+0x23b/0x360
[ 25.679665]  check_memory_region+0x137/0x190
[ 25.684062]  memcpy+0x23/0x50
[ 25.687145]  __nla_put+0x37/0x40
[ 25.690487]  nla_put+0xf5/0x130
[ 25.693758]  netlink_ack+0x78a/0xa10
[ 25.697452]  ? netlink_sendmsg+0xe60/0xe60
[ 25.701661]  ? __might_fault+0x110/0x1d0
[ 25.705706]  ? netlink_tap_init_net+0x350/0x350
[ 25.710353]  netlink_rcv_skb+0x2d1/0x400
[ 25.714388]  ? validate_linkmsg+0x8e0/0x8e0
[ 25.718686]  ? netlink_ack+0xa10/0xa10
[ 25.722555]  ? netlink_skb_destructor+0x1d0/0x1d0
[ 25.727379]  rtnetlink_rcv+0x1c/0x20
[ 25.731073]  netlink_unicast+0x4c4/0x6b0
[ 25.735122]  ? netlink_attachskb+0x8a0/0x8a0
[ 25.739523]  ? security_netlink_send+0x81/0xb0
[ 25.744098]  netlink_sendmsg+0xa4a/0xe60
[ 25.748190]  ? netlink_unicast+0x6b0/0x6b0
[ 25.752406]  ? security_socket_sendmsg+0x89/0xb0
[ 25.757141]  ? netlink_unicast+0x6b0/0x6b0
[ 25.761357]  sock_sendmsg+0xca/0x110
[ 25.765053]  sock_write_iter+0x31a/0x5d0
[ 25.769093]  ? sock_sendmsg+0x110/0x110
[ 25.773067]  ? iov_iter_init+0xaf/0x1d0
[ 25.777025]  __vfs_write+0x684/0x970
[ 25.780731]  ? kernel_read+0x120/0x120
[ 25.784592]  ? bpf_fd_pass+0x280/0x280
[ 25.788466]  ? _cond_resched+0x14/0x30
[ 25.792351]  ? selinux_file_permission+0x82/0x460
[ 25.797185]  ? rw_verify_area+0xe5/0x2b0
[ 25.801223]  ? __fdget_raw+0x20/0x20
[ 25.804915]  vfs_write+0x189/0x510
[ 25.808434]  SyS_write+0xef/0x220
[ 25.811865]  ? SyS_read+0x220/0x220
[ 25.815465]  ? trace_hardirqs_on_caller+0x421/0x5c0
[ 25.820472]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 25.825225]  entry_SYSCALL_64_fastpath+0x29/0xa0
[ 25.829958] RIP: 0033:0x43fce9
[ 25.833125] RSP: 002b:00007ffe2c7f0b68 EFLAGS: 00000217 ORIG_RAX: 0000000000000001
[ 25.840808] RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 000000000043fce9
[ 25.848065] RDX: 0000000000000022 RSI: 0000000020d1f000 RDI: 0000000000000003
[ 25.855411] RBP: 00000000006ca018 R08: 0000000000000000 R09: 0000000000000000
[ 25.862656] R10: 0000000000000004 R11: 0000000000000217 R12: 0000000000401650
[ 25.869912] R13: 00000000004016e0 R14: 0000000000000000 R15: 0000000000000000
[ 25.877173] 
[ 25.878773] The buggy address belongs to the page:
[ 25.883677] page:ffffea000718bdc0 count:0 mapcount:0 mapping: (null) index:0x0
[ 25.891803] flags: 0x2fffc0000000000()
[ 25.895664] raw: 02fffc0000000000 0000000000000000 0000000000000000 00000000ffffffff
[ 25.903532] raw: 0000000000000000 ffffea0007180101 0000000000000000 0000000000000000
[ 25.911401] page dumped because: kasan: bad access detected
[ 25.917080] 
[ 25.918679] Memory state around the buggy address:
[ 25.923582]  ffff8801c62f7880: f1 f1 f1 04 f2 f2 f2 f3 f3 f3 f3 00 00 00 00 00
[ 25.930928]  ffff8801c62f7900: 00 00 00 00 00 00 00 f1 f1 f1 f1 00 00 00 00 00
[ 25.938351] >ffff8801c62f7980: f2 f2 f2 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 25.945686]                                                                 ^
[ 25.949034]  ffff8801c62f7a00: 00 00 00 00 00 00 00 00 f1 f1 f1 f1 00 f2 f2 f2
[ 25.956382]  ffff8801c62f7a80: f3 f3 f3 f3 00 00 00 00 00 00 00 00 00 00 00 00
[ 25.963711] ==================================================================
[ 25.971044] Disabling lock debugging due to kernel taint
[ 25.976519] Kernel panic - not syncing: panic_on_warn set ...
[ 25.976519] 
[ 25.983872] CPU: 1 PID: 3670 Comm: syzkaller084676 Tainted: G B 4.15.0-rc8-next-20180116+ #98
[ 25.993752] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 26.003088] Call Trace:
[ 26.005659]  dump_stack+0x194/0x257
[ 26.009268]  ? arch_local_irq_restore+0x53/0x53
[ 26.013918]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 26.018658]  ? vsnprintf+0x1ed/0x1900
[ 26.022448]  ? nla_put_64bit+0x90/0x150
[ 26.026397]  panic+0x1e4/0x41c
[ 26.029561]  ? refcount_error_report+0x214/0x214
[ 26.034293]  ? add_taint+0x1c/0x50
[ 26.037806]  ? add_taint+0x1c/0x50
[ 26.041329]  ? __nla_put+0x37/0x40
[ 26.044859]  kasan_end_report+0x50/0x50
[ 26.048811]  kasan_report+0x148/0x360
[ 26.052589]  check_memory_region+0x137/0x190
[ 26.056970]  memcpy+0x23/0x50
[ 26.060062]  __nla_put+0x37/0x40
[ 26.063410]  nla_put+0xf5/0x130
[ 26.066669]  netlink_ack+0x78a/0xa10
[ 26.070356]  ? netlink_sendmsg+0xe60/0xe60
[ 26.074574]  ? __might_fault+0x110/0x1d0
[ 26.078624]  ? netlink_tap_init_net+0x350/0x350
[ 26.083269]  netlink_rcv_skb+0x2d1/0x400
[ 26.087304]  ? validate_linkmsg+0x8e0/0x8e0
[ 26.091621]  ? netlink_ack+0xa10/0xa10
[ 26.095489]  ? netlink_skb_destructor+0x1d0/0x1d0
[ 26.100316]  rtnetlink_rcv+0x1c/0x20
[ 26.104004]  netlink_unicast+0x4c4/0x6b0
[ 26.108048]  ? netlink_attachskb+0x8a0/0x8a0
[ 26.112432]  ? security_netlink_send+0x81/0xb0
[ 26.116986]  netlink_sendmsg+0xa4a/0xe60
[ 26.121033]  ? netlink_unicast+0x6b0/0x6b0
[ 26.125243]  ? security_socket_sendmsg+0x89/0xb0
[ 26.129972]  ? netlink_unicast+0x6b0/0x6b0
[ 26.134194]  sock_sendmsg+0xca/0x110
[ 26.137881]  sock_write_iter+0x31a/0x5d0
[ 26.141915]  ? sock_sendmsg+0x110/0x110
[ 26.145884]  ? iov_iter_init+0xaf/0x1d0
[ 26.149837]  __vfs_write+0x684/0x970
[ 26.153534]  ? kernel_read+0x120/0x120
[ 26.157396]  ? bpf_fd_pass+0x280/0x280
[ 26.161264]  ? _cond_resched+0x14/0x30
[ 26.165132]  ? selinux_file_permission+0x82/0x460
[ 26.169953]  ? rw_verify_area+0xe5/0x2b0
[ 26.173986]  ? __fdget_raw+0x20/0x20
[ 26.177678]  vfs_write+0x189/0x510
[ 26.181192]  SyS_write+0xef/0x220
[ 26.185747]  ? SyS_read+0x220/0x220
[ 26.189346]  ? trace_hardirqs_on_caller+0x421/0x5c0
[ 26.194347]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 26.199083]  entry_SYSCALL_64_fastpath+0x29/0xa0
[ 26.203819] RIP: 0033:0x43fce9
[ 26.206983] RSP: 002b:00007ffe2c7f0b68 EFLAGS: 00000217 ORIG_RAX: 0000000000000001
[ 26.214670] RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 000000000043fce9
[ 26.221919] RDX: 0000000000000022 RSI: 0000000020d1f000 RDI: 0000000000000003
[ 26.229180] RBP: 00000000006ca018 R08: 0000000000000000 R09: 0000000000000000
[ 26.236426] R10: 0000000000000004 R11: 0000000000000217 R12: 0000000000401650
[ 26.243674] R13: 00000000004016e0 R14: 0000000000000000 R15: 0000000000000000
[ 26.251412] Dumping ftrace buffer:
[ 26.254936]    (ftrace buffer empty)
[ 26.258624] Kernel Offset: disabled
[ 26.262228] Rebooting in 86400 seconds..