[ ok ] Starting enhanced syslogd: rsyslogd.
[ 14.380784] audit: type=1400 audit(1520833687.687:5): avc: denied { syslog } for pid=3991 comm="rsyslogd" capability=34 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=capability2 permissive=1
[ ok ] Starting periodic command scheduler: cron.
Starting mcstransd:
[ ok ] Starting file context maintaining daemon: restorecond.
[ ok ] Starting OpenBSD Secure Shell server: sshd.

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [ 18.785451] audit: type=1400 audit(1520833692.092:6): avc: denied { map } for pid=4132 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
Warning: Permanently added '10.128.10.5' (ECDSA) to the list of known hosts.
executing program
[ 34.741924] audit: type=1400 audit(1520833708.048:7): avc: denied { map } for pid=4149 comm="syzkaller244439" path="/root/syzkaller244439609" dev="sda1" ino=16481 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
[ 34.746576] ==================================================================
[ 34.775206] BUG: KASAN: use-after-free in ip6_xmit+0x1f76/0x2260
[ 34.781342] Read of size 8 at addr ffff8801bb919e18 by task syzkaller244439/4149
[ 34.788856]
[ 34.790462] CPU: 0 PID: 4149 Comm: syzkaller244439 Not tainted 4.16.0-rc4+ #261
[ 34.798034] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 34.807357] Call Trace:
[ 34.809922]  dump_stack+0x194/0x24d
[ 34.813524]  ? arch_local_irq_restore+0x53/0x53
[ 34.818166]  ? show_regs_print_info+0x18/0x18
[ 34.822638]  ? ip6_xmit+0x1f76/0x2260
[ 34.826412]  print_address_description+0x73/0x250
[ 34.831234]  ? ip6_xmit+0x1f76/0x2260
[ 34.835007]  kasan_report+0x23c/0x360
[ 34.838782]  __asan_report_load8_noabort+0x14/0x20
[ 34.843680]  ip6_xmit+0x1f76/0x2260
[ 34.847288]  ? ip6_finish_output2+0x23d0/0x23d0
[ 34.851930]  ? fl6_update_dst+0x127/0x2b0
[ 34.856052]  ? inet6_csk_route_socket+0x691/0xe80
[ 34.860869]  ? trace_hardirqs_off+0x10/0x10
[ 34.865162]  ? lock_acquire+0x1d5/0x580
[ 34.869104]  ? lock_acquire+0x1d5/0x580
[ 34.873048]  ? inet6_csk_xmit+0x114/0x580
[ 34.877167]  ? trace_hardirqs_off+0x10/0x10
[ 34.881462]  ? lock_release+0xa40/0xa40
[ 34.885423]  inet6_csk_xmit+0x2fc/0x580
[ 34.889369]  ? inet6_csk_update_pmtu+0x160/0x160
[ 34.894097]  ? __sk_dst_check+0x1a5/0x380
[ 34.898216]  ? sock_kzfree_s+0x60/0x60
[ 34.902090]  l2tp_xmit_skb+0x105f/0x1410
[ 34.906132]  ? l2tp_session_create+0xb80/0xb80
[ 34.910687]  ? sock_wmalloc+0x15d/0x1d0
[ 34.914637]  ? iov_iter_advance+0x13f0/0x13f0
[ 34.919108]  ? pppol2tp_sendmsg+0x41b/0x670
[ 34.923402]  pppol2tp_sendmsg+0x470/0x670
[ 34.927523]  ? selinux_socket_sendmsg+0x36/0x40
[ 34.932165]  ? pppol2tp_getsockopt+0x900/0x900
[ 34.936719]  sock_sendmsg+0xca/0x110
[ 34.940406]  SYSC_sendto+0x361/0x5c0
[ 34.944096]  ? SYSC_connect+0x4a0/0x4a0
[ 34.948051]  ? inet_dgram_connect+0x172/0x1f0
[ 34.952520]  ? SYSC_connect+0x2e0/0x4a0
[ 34.956494]  ? mm_fault_error+0x2c0/0x2c0
[ 34.960611]  ? move_addr_to_kernel+0x60/0x60
[ 34.964993]  SyS_sendto+0x40/0x50
[ 34.968418]  ? SyS_getpeername+0x30/0x30
[ 34.972452]  do_syscall_64+0x281/0x940
[ 34.976307]  ? __do_page_fault+0xc90/0xc90
[ 34.980514]  ? trace_event_raw_event_sys_exit+0x260/0x260
[ 34.986021]  ? syscall_return_slowpath+0x550/0x550
[ 34.990923]  ? syscall_return_slowpath+0x2ac/0x550
[ 34.995828]  ? entry_SYSCALL_64_after_hwframe+0x52/0xb7
[ 35.001168]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 35.005987]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 35.011146] RIP: 0033:0x43ff49
[ 35.014304] RSP: 002b:00007ffc3ab75718 EFLAGS: 00000216 ORIG_RAX: 000000000000002c
[ 35.021983] RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 000000000043ff49
[ 35.029221] RDX: 0000000000000000 RSI: 0000000020001180 RDI: 0000000000000004
[ 35.036462] RBP: 00000000006ca018 R08: 00000000200021c0 R09: 0000000000000080
[ 35.043703] R10: 0000000000040001 R11: 0000000000000216 R12: 0000000000401870
[ 35.050943] R13: 0000000000401900 R14: 0000000000000000 R15: 0000000000000000
[ 35.058199]
[ 35.059808] Allocated by task 2068:
[ 35.063407]  save_stack+0x43/0xd0
[ 35.066839]  kasan_kmalloc+0xad/0xe0
[ 35.070520]  kasan_slab_alloc+0x12/0x20
[ 35.074464]  kmem_cache_alloc+0x12e/0x760
[ 35.078580]  dst_alloc+0x11f/0x1a0
[ 35.082088]  rt_dst_alloc+0xe9/0x4e0
[ 35.085773]  ip_route_input_slow+0x1284/0x3c80
[ 35.090323]  ip_route_input_rcu+0xf1/0xd20
[ 35.094534]  ip_route_input_noref+0xf5/0x1e0
[ 35.098910]  ip_rcv_finish+0x3a6/0x2040
[ 35.102853]  ip_rcv+0xb76/0x1820
[ 35.106188]  __netif_receive_skb_core+0x1a41/0x3460
[ 35.111171]  __netif_receive_skb+0x2c/0x1b0
[ 35.115464]  netif_receive_skb_internal+0x10b/0x670
[ 35.120446]  napi_gro_receive+0x3d0/0x500
[ 35.124573]  receive_buf+0xb6f/0x2530
[ 35.128344]  virtnet_poll+0x320/0xb70
[ 35.132114]  net_rx_action+0x792/0x1910
[ 35.136059]  __do_softirq+0x2d7/0xb85
[ 35.139827]
[ 35.141423] Freed by task 2068:
[ 35.144672]  save_stack+0x43/0xd0
[ 35.148092]  __kasan_slab_free+0x11a/0x170
[ 35.152294]  kasan_slab_free+0xe/0x10
[ 35.156072]  kmem_cache_free+0x83/0x2a0
[ 35.160012]  dst_destroy+0x257/0x370
[ 35.163694]  dst_destroy_rcu+0x16/0x20
[ 35.167550]  rcu_process_callbacks+0xd6c/0x17f0
[ 35.172189]  __do_softirq+0x2d7/0xb85
[ 35.175956]
[ 35.177553] The buggy address belongs to the object at ffff8801bb919e00
[ 35.177553]  which belongs to the cache ip_dst_cache of size 160
[ 35.190263] The buggy address is located 24 bytes inside of
[ 35.190263]  160-byte region [ffff8801bb919e00, ffff8801bb919ea0)
[ 35.202015] The buggy address belongs to the page:
[ 35.206911] page:ffffea0006ee4640 count:1 mapcount:0 mapping:ffff8801bb919000 index:0x0
[ 35.215021] flags: 0x2fffc0000000100(slab)
[ 35.219227] raw: 02fffc0000000100 ffff8801bb919000 0000000000000000 0000000100000010
[ 35.227074] raw: ffff8801d6be4548 ffffea000754de20 ffff8801d6bb3340 0000000000000000
[ 35.234922] page dumped because: kasan: bad access detected
[ 35.240596]
[ 35.242195] Memory state around the buggy address:
[ 35.247091]  ffff8801bb919d00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 35.254421]  ffff8801bb919d80: 00 00 00 00 fc fc fc fc fc fc fc fc fc fc fc fc
[ 35.261750] >ffff8801bb919e00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 35.269075]                             ^
[ 35.273190]  ffff8801bb919e80: fb fb fb fb fc fc fc fc fc fc fc fc fc fc fc fc
[ 35.280519]  ffff8801bb919f00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 35.287846] ==================================================================
[ 35.295173] Disabling lock debugging due to kernel taint
[ 35.300748] Kernel panic - not syncing: panic_on_warn set ...
[ 35.300748]
[ 35.308078] CPU: 0 PID: 4149 Comm: syzkaller244439 Tainted: G B 4.16.0-rc4+ #261
[ 35.316795] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 35.326122] Call Trace:
[ 35.328684]  dump_stack+0x194/0x24d
[ 35.332283]  ? arch_local_irq_restore+0x53/0x53
[ 35.336923]  ? kasan_end_report+0x32/0x50
[ 35.341056]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 35.345781]  ? vsnprintf+0x1ed/0x1900
[ 35.349551]  ? ip6_xmit+0x1eb0/0x2260
[ 35.353319]  panic+0x1e4/0x41c
[ 35.356481]  ? refcount_error_report+0x214/0x214
[ 35.361206]  ? add_taint+0x1c/0x50
[ 35.364717]  ? add_taint+0x1c/0x50
[ 35.368231]  ? ip6_xmit+0x1f76/0x2260
[ 35.372001]  kasan_end_report+0x50/0x50
[ 35.375943]  kasan_report+0x149/0x360
[ 35.379714]  __asan_report_load8_noabort+0x14/0x20
[ 35.384625]  ip6_xmit+0x1f76/0x2260
[ 35.388226]  ? ip6_finish_output2+0x23d0/0x23d0
[ 35.392864]  ? fl6_update_dst+0x127/0x2b0
[ 35.396984]  ? inet6_csk_route_socket+0x691/0xe80
[ 35.401796]  ? trace_hardirqs_off+0x10/0x10
[ 35.406088]  ? lock_acquire+0x1d5/0x580
[ 35.410031]  ? lock_acquire+0x1d5/0x580
[ 35.413975]  ? inet6_csk_xmit+0x114/0x580
[ 35.418090]  ? trace_hardirqs_off+0x10/0x10
[ 35.422383]  ? lock_release+0xa40/0xa40
[ 35.426335]  inet6_csk_xmit+0x2fc/0x580
[ 35.430279]  ? inet6_csk_update_pmtu+0x160/0x160
[ 35.435006]  ? __sk_dst_check+0x1a5/0x380
[ 35.439123]  ? sock_kzfree_s+0x60/0x60
[ 35.442989]  l2tp_xmit_skb+0x105f/0x1410
[ 35.447022]  ? l2tp_session_create+0xb80/0xb80
[ 35.451572]  ? sock_wmalloc+0x15d/0x1d0
[ 35.455519]  ? iov_iter_advance+0x13f0/0x13f0
[ 35.459985]  ? pppol2tp_sendmsg+0x41b/0x670
[ 35.464275]  pppol2tp_sendmsg+0x470/0x670
[ 35.468395]  ? selinux_socket_sendmsg+0x36/0x40
[ 35.473034]  ? pppol2tp_getsockopt+0x900/0x900
[ 35.477583]  sock_sendmsg+0xca/0x110
[ 35.481265]  SYSC_sendto+0x361/0x5c0
[ 35.484947]  ? SYSC_connect+0x4a0/0x4a0
[ 35.488897]  ? inet_dgram_connect+0x172/0x1f0
[ 35.493363]  ? SYSC_connect+0x2e0/0x4a0
[ 35.497321]  ? mm_fault_error+0x2c0/0x2c0
[ 35.501436]  ? move_addr_to_kernel+0x60/0x60
[ 35.505812]  SyS_sendto+0x40/0x50
[ 35.509233]  ? SyS_getpeername+0x30/0x30
[ 35.513268]  do_syscall_64+0x281/0x940
[ 35.517123]  ? __do_page_fault+0xc90/0xc90
[ 35.521327]  ? trace_event_raw_event_sys_exit+0x260/0x260
[ 35.526837]  ? syscall_return_slowpath+0x550/0x550
[ 35.531735]  ? syscall_return_slowpath+0x2ac/0x550
[ 35.536636]  ? entry_SYSCALL_64_after_hwframe+0x52/0xb7
[ 35.541973]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 35.546786]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 35.551945] RIP: 0033:0x43ff49
[ 35.555104] RSP: 002b:00007ffc3ab75718 EFLAGS: 00000216 ORIG_RAX: 000000000000002c
[ 35.562777] RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 000000000043ff49
[ 35.570019] RDX: 0000000000000000 RSI: 0000000020001180 RDI: 0000000000000004
[ 35.577257] RBP: 00000000006ca018 R08: 00000000200021c0 R09: 0000000000000080
[ 35.584493] R10: 0000000000040001 R11: 0000000000000216 R12: 0000000000401870
[ 35.591733] R13: 0000000000401900 R14: 0000000000000000 R15: 0000000000000000
[ 35.599362] Dumping ftrace buffer:
[ 35.602902]    (ftrace buffer empty)
[ 35.606590] Kernel Offset: disabled
[ 35.610194] Rebooting in 86400 seconds..