[....] Starting enhanced syslogd: rsyslogd
[ 13.525286] audit: type=1400 audit(1516017872.579:5): avc: denied { syslog } for pid=3513 comm="rsyslogd" capability=34 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=capability2 permissive=1
[ ok .
[....] Starting periodic command scheduler: cron [ ok .
Starting mcstransd:
[....] Starting file context maintaining daemon: restorecond [ ok .
[....] Starting OpenBSD Secure Shell server: sshd [ ok .

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login:
[ 18.334149] audit: type=1400 audit(1516017877.387:6): avc: denied { map } for pid=3653 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
Warning: Permanently added '10.128.0.61' (ECDSA) to the list of known hosts.
executing program
[ 33.812528] audit: type=1400 audit(1516017892.866:7): avc: denied { map } for pid=3670 comm="syzkaller061929" path="/root/syzkaller061929897" dev="sda1" ino=16481 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
[ 33.853508] syzkaller061929 uses obsolete (PF_INET,SOCK_PACKET)
executing program
executing program
executing program
executing program
executing program
[ 33.861176] device lo entered promiscuous mode
[ 33.869785] device lo left promiscuous mode
[ 33.882749] device lo entered promiscuous mode
[ 33.888584] device lo entered promiscuous mode
[ 33.895657] device lo left promiscuous mode
[ 33.900960] device lo left promiscuous mode
executing program
[ 33.912857] device lo entered promiscuous mode
[ 33.918486] device lo left promiscuous mode
[ 33.927461] device lo entered promiscuous mode
[ 33.936158] device lo entered promiscuous mode
[ 33.941745] device lo entered promiscuous mode
[ 33.947100] device lo left promiscuous mode
[ 33.952514] device lo left promiscuous mode
executing program
executing program
executing program
executing program
[ 33.959532] device lo left promiscuous mode
[ 33.971931] device lo entered promiscuous mode
[ 33.979622] device lo entered promiscuous mode
[ 33.984889] device lo entered promiscuous mode
[ 33.990342] device lo left promiscuous mode
[ 33.999447] device lo entered promiscuous mode
[ 34.005451] device lo left promiscuous mode
executing program
executing program
executing program
executing program
[ 34.010459] device lo left promiscuous mode
[ 34.019316] device lo left promiscuous mode
[ 34.024334] device lo entered promiscuous mode
[ 34.036212] device lo left promiscuous mode
[ 34.041463] device lo entered promiscuous mode
[ 34.049769] device lo entered promiscuous mode
[ 34.054943] device lo entered promiscuous mode
executing program
executing program
executing program
executing program
[ 34.060696] device lo left promiscuous mode
[ 34.072599] device lo left promiscuous mode
[ 34.079039] device lo left promiscuous mode
[ 34.084651] device lo entered promiscuous mode
[ 34.091731] device lo entered promiscuous mode
[ 34.097360] device lo left promiscuous mode
[ 34.107144] device lo left promiscuous mode
executing program
executing program
executing program
executing program
executing program
[ 34.112336] device lo entered promiscuous mode
[ 34.117547] device lo entered promiscuous mode
[ 34.127335] device lo entered promiscuous mode
[ 34.132786] device lo left promiscuous mode
[ 34.141374] device lo entered promiscuous mode
[ 34.146799] device lo left promiscuous mode
[ 34.151795] device lo left promiscuous mode
[ 34.156824] device lo left promiscuous mode
executing program
executing program
executing program
[ 34.168433] device lo entered promiscuous mode
[ 34.178740] device lo entered promiscuous mode
[ 34.184484] device lo left promiscuous mode
[ 34.189677] device lo entered promiscuous mode
[ 34.195329] device lo entered promiscuous mode
[ 34.200614] device lo entered promiscuous mode
[ 34.208852] device lo entered promiscuous mode
[ 34.214264] device lo left promiscuous mode
executing program
executing program
executing program
executing program
executing program
executing program
executing program
[ 34.219529] device lo left promiscuous mode
[ 34.225484] device lo left promiscuous mode
[ 34.232053] device lo left promiscuous mode
[ 34.236856] device lo left promiscuous mode
[ 34.253321] device lo entered promiscuous mode
[ 34.262638] device lo entered promiscuous mode
executing program
[ 34.269803] device lo entered promiscuous mode
[ 34.275179] device lo entered promiscuous mode
[ 34.280390] device lo entered promiscuous mode
[ 34.285691] device lo left promiscuous mode
[ 34.291178] device lo left promiscuous mode
[ 34.296349] device lo entered promiscuous mode
[ 34.307045] device lo left promiscuous mode
[ 34.312661] device lo entered promiscuous mode
executing program
executing program
executing program
executing program
executing program
executing program
[ 34.319184] device lo left promiscuous mode
[ 34.324380] device lo left promiscuous mode
[ 34.329685] device lo left promiscuous mode
[ 34.334687] device lo left promiscuous mode
[ 34.339787] device lo entered promiscuous mode
[ 34.356630] device lo left promiscuous mode
[ 34.363918] device lo entered promiscuous mode
executing program
executing program
[ 34.374716] device lo left promiscuous mode
[ 34.379805] device lo entered promiscuous mode
[ 34.386996] device lo entered promiscuous mode
[ 34.393147] device lo left promiscuous mode
[ 34.398163] device lo entered promiscuous mode
[ 34.405776] device lo entered promiscuous mode
[ 34.411088] device lo entered promiscuous mode
[ 34.416585] device lo entered promiscuous mode
executing program
executing program
executing program
executing program
executing program
executing program
[ 34.423145] device lo left promiscuous mode
[ 34.428135] device lo left promiscuous mode
[ 34.433335] device lo left promiscuous mode
[ 34.438339] device lo left promiscuous mode
[ 34.444484] device lo entered promiscuous mode
[ 34.450553] device lo left promiscuous mode
[ 34.456769] device lo entered promiscuous mode
[ 34.462361] device lo entered promiscuous mode
[ 34.467885] device lo entered promiscuous mode
executing program
executing program
[ 34.473429] device lo left promiscuous mode
[ 34.478321] device lo left promiscuous mode
[ 34.483421] device lo entered promiscuous mode
[ 34.491394] device lo left promiscuous mode
[ 34.497309] device lo left promiscuous mode
[ 34.502213] device lo entered promiscuous mode
[ 34.507603] device lo left promiscuous mode
[ 34.513010] ==================================================================
[ 34.520411] BUG: KASAN: use-after-free in fib6_add_1+0x165f/0x1790
[ 34.526708] Read of size 8 at addr ffff8801bc703b98 by task syzkaller061929/3690
[ 34.534301]
[ 34.535908] CPU: 1 PID: 3690 Comm: syzkaller061929 Not tainted 4.15.0-rc7-mm1+ #56
[ 34.543585] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 34.552916] Call Trace:
[ 34.555491] dump_stack+0x194/0x257
[ 34.559102] ? arch_local_irq_restore+0x53/0x53
[ 34.564355] ? show_regs_print_info+0x18/0x18
[ 34.568831] ? fib6_add_1+0x165f/0x1790
[ 34.572781] print_address_description+0x73/0x250
[ 34.577596] ? fib6_add_1+0x165f/0x1790
[ 34.581551] kasan_report+0x23b/0x360
[ 34.585338] __asan_report_load8_noabort+0x14/0x20
[ 34.590245] fib6_add_1+0x165f/0x1790
[ 34.594298] ? fib6_add_rt2node+0x2430/0x2430
[ 34.598777] ? debug_check_no_locks_freed+0x3c0/0x3c0
[ 34.603938] ? find_held_lock+0x35/0x1d0
[ 34.607981] ? __is_insn_slot_addr+0x1fc/0x330
[ 34.612538] ? lock_downgrade+0x980/0x980
[ 34.616676] ? find_held_lock+0x35/0x1d0
[ 34.620726] ? is_bpf_text_address+0x7b/0x120
[ 34.625195] ? lock_downgrade+0x980/0x980
[ 34.629318] ? check_noncircular+0x20/0x20
[ 34.633885] ? lock_release+0xa40/0xa40
[ 34.637845] ? __free_insn_slot+0x5c0/0x5c0
[ 34.642150] ? find_next_bit+0xcc/0x100
[ 34.646110] ? check_noncircular+0x20/0x20
[ 34.650334] ? print_irqtrace_events+0x270/0x270
[ 34.655102] ? lock_downgrade+0x980/0x980
[ 34.659844] ? find_next_bit+0xcc/0x100
[ 34.663801] ? __lock_is_held+0xb6/0x140
[ 34.667844] ? __lock_acquire+0x664/0x3e00
[ 34.672062] ? rcu_read_lock_sched_held+0x108/0x120
[ 34.677400] ? pcpu_alloc+0x146/0x10e0
[ 34.681275] ? debug_check_no_locks_freed+0x3c0/0x3c0
[ 34.686445] ? lock_release+0xa40/0xa40
[ 34.690393] ? lock_release+0xa40/0xa40
[ 34.694348] fib6_add+0x5fa/0x1540
[ 34.697886] ? fib6_update_sernum_upto_root+0x180/0x180
[ 34.703225] ? rt6_info_init+0x93/0x1e0
[ 34.707348] ? rt6_upper_bound_set+0x2b0/0x2b0
[ 34.712756] ? lock_downgrade+0x980/0x980
[ 34.716885] ? dst_alloc+0x14a/0x1a0
[ 34.720578] ? __alloc_percpu_gfp+0x27/0x30
[ 34.724881] ? memcpy+0x45/0x50
[ 34.728140] ? ip6_route_info_create+0x11e/0x2e20
[ 34.732969] ? lock_acquire+0x1d5/0x580
[ 34.738140] ? lock_acquire+0x1d5/0x580
[ 34.743390] ? __ip6_ins_rt+0x56/0x90
[ 34.748379] ? ip6_convert_metrics+0x546/0x700
[ 34.752939] ? lock_release+0xa40/0xa40
[ 34.756899] ? dst_discard+0x50/0x50
[ 34.760609] ? __might_fault+0x110/0x1d0
[ 34.764655] ? lock_downgrade+0x980/0x980
[ 34.768785] ? __ip6_ins_rt+0x56/0x90
[ 34.772565] __ip6_ins_rt+0x6c/0x90
[ 34.776171] ip6_route_add+0x141/0x190
[ 34.780037] ? icmp6_dst_alloc+0x660/0x660
[ 34.784260] ipv6_route_ioctl+0x4db/0x6b0
[ 34.788383] ? rt6_purge_dflt_routers+0x9e0/0x9e0
[ 34.793225] ? lock_release+0xa40/0xa40
[ 34.797218] inet6_ioctl+0xef/0x1e0
[ 34.800820] ? inet6_ioctl+0xef/0x1e0
[ 34.804609] sock_do_ioctl+0x65/0xb0
[ 34.808310] sock_ioctl+0x2c2/0x440
[ 34.811932] ? dlci_ioctl_set+0x40/0x40
[ 34.815902] do_vfs_ioctl+0x1b1/0x1520
[ 34.819789] ? _cond_resched+0x14/0x30
[ 34.823686] ? ioctl_preallocate+0x2b0/0x2b0
[ 34.828073] ? selinux_capable+0x40/0x40
[ 34.832126] ? SyS_futex+0x269/0x390
[ 34.835823] ? security_file_ioctl+0x89/0xb0
[ 34.840211] SyS_ioctl+0x8f/0xc0
[ 34.843557] entry_SYSCALL_64_fastpath+0x29/0xa0
[ 34.849420] RIP: 0033:0x4461f9
[ 34.852595] RSP: 002b:00007f90b9af9da8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[ 34.860277] RAX: ffffffffffffffda RBX: 00000000006dbc24 RCX: 00000000004461f9
[ 34.867866] RDX: 0000000020fd7000 RSI: 000000000000890b RDI: 0000000000000022
[ 34.875110] RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
[ 34.882352] R10: 0000000000000000 R11: 0000000000000246 R12: 00000000006dbc20
[ 34.889855] R13: 0001000000000003 R14: 0100000000000000 R15: 0000000000000001
[ 34.897116]
[ 34.898719] Allocated by task 3690:
[ 34.902323] save_stack+0x43/0xd0
[ 34.905749] kasan_kmalloc+0xad/0xe0
[ 34.909451] kasan_slab_alloc+0x12/0x20
[ 34.913396] kmem_cache_alloc+0x12e/0x760
[ 34.917518] dst_alloc+0x11f/0x1a0
[ 34.921032] __ip6_dst_alloc+0x35/0x90
[ 34.924889] ip6_dst_alloc+0x29/0xb0
[ 34.928575] ip6_route_info_create+0x4ff/0x2e20
[ 34.933230] ip6_route_add+0xa2/0x190
[ 34.937034] ipv6_route_ioctl+0x4db/0x6b0
[ 34.941163] inet6_ioctl+0xef/0x1e0
[ 34.944772] sock_do_ioctl+0x65/0xb0
[ 34.948460] sock_ioctl+0x2c2/0x440
[ 34.952061] do_vfs_ioctl+0x1b1/0x1520
[ 34.955920] SyS_ioctl+0x8f/0xc0
[ 34.959259] entry_SYSCALL_64_fastpath+0x29/0xa0
[ 34.963983]
[ 34.965593] Freed by task 7:
[ 34.969115] save_stack+0x43/0xd0
[ 34.972542] __kasan_slab_free+0x11a/0x170
[ 34.977012] kasan_slab_free+0xe/0x10
[ 34.980784] kmem_cache_free+0x86/0x2b0
[ 34.984731] dst_destroy+0x257/0x370
[ 34.988431] dst_destroy_rcu+0x16/0x20
[ 34.992302] rcu_process_callbacks+0xd6c/0x17f0
[ 34.996947] __do_softirq+0x2d7/0xb85
[ 35.000726]
[ 35.002328] The buggy address belongs to the object at ffff8801bc703ac0
[ 35.002328] which belongs to the cache ip6_dst_cache of size 320
[ 35.015135] The buggy address is located 216 bytes inside of
[ 35.015135] 320-byte region [ffff8801bc703ac0, ffff8801bc703c00)
[ 35.026980] The buggy address belongs to the page:
[ 35.031883] page:ffffea0006f1c0c0 count:1 mapcount:0 mapping:ffff8801bc703040 index:0x0
[ 35.040266] flags: 0x2fffc0000000100(slab)
[ 35.044475] raw: 02fffc0000000100 ffff8801bc703040 0000000000000000 000000010000000a
[ 35.052341] raw: ffffea000764c1e0 ffffea0006f67f20 ffff8801d2db2c00 0000000000000000
[ 35.060204] page dumped because: kasan: bad access detected
[ 35.065884]
[ 35.067482] Memory state around the buggy address:
executing program
[ 35.072384] ffff8801bc703a80: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
[ 35.079718] ffff8801bc703b00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 35.087053] >ffff8801bc703b80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 35.094386]                             ^
[ 35.098513] ffff8801bc703c00: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
[ 35.105853] ffff8801bc703c80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 35.113197] ==================================================================
[ 35.120526] Disabling lock debugging due to kernel taint
executing program
executing program
executing program
[ 35.125996] Kernel panic - not syncing: panic_on_warn set ...
[ 35.125996]
[ 35.133511] CPU: 1 PID: 3690 Comm: syzkaller061929 Tainted: G B 4.15.0-rc7-mm1+ #56
[ 35.142501] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 35.151827] Call Trace:
[ 35.154395] dump_stack+0x194/0x257
[ 35.158008] ? arch_local_irq_restore+0x53/0x53
[ 35.162651] ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 35.167381] ? vsnprintf+0x1ed/0x1900
[ 35.171156] ? fib6_add_1+0x1580/0x1790
[ 35.175101] panic+0x1e4/0x41c
executing program
executing program
executing program
executing program
[ 35.178269] ? refcount_error_report+0x214/0x214
[ 35.183012] ? add_taint+0x1c/0x50
[ 35.186523] ? add_taint+0x1c/0x50
[ 35.190038] ? fib6_add_1+0x165f/0x1790
[ 35.193987] kasan_end_report+0x50/0x50
[ 35.197947] kasan_report+0x148/0x360
[ 35.201724] __asan_report_load8_noabort+0x14/0x20
[ 35.206640] fib6_add_1+0x165f/0x1790
[ 35.210419] ? fib6_add_rt2node+0x2430/0x2430
[ 35.214907] ? debug_check_no_locks_freed+0x3c0/0x3c0
[ 35.221121] ? find_held_lock+0x35/0x1d0
executing program
[ 35.225510] ? __is_insn_slot_addr+0x1fc/0x330
[ 35.230082] ? lock_downgrade+0x980/0x980
[ 35.234209] ? find_held_lock+0x35/0x1d0
[ 35.238252] ? is_bpf_text_address+0x7b/0x120
[ 35.242736] ? lock_downgrade+0x980/0x980
[ 35.246860] ? check_noncircular+0x20/0x20
[ 35.251074] ? lock_release+0xa40/0xa40
[ 35.255020] ? __free_insn_slot+0x5c0/0x5c0
[ 35.259316] ? find_next_bit+0xcc/0x100
[ 35.263265] ? check_noncircular+0x20/0x20
[ 35.267473] ? print_irqtrace_events+0x270/0x270
[ 35.272202] ? lock_downgrade+0x980/0x980
[ 35.276321] ? find_next_bit+0xcc/0x100
[ 35.280271] ? __lock_is_held+0xb6/0x140
[ 35.284318] ? __lock_acquire+0x664/0x3e00
[ 35.288525] ? rcu_read_lock_sched_held+0x108/0x120
[ 35.293526] ? pcpu_alloc+0x146/0x10e0
[ 35.297404] ? debug_check_no_locks_freed+0x3c0/0x3c0
[ 35.302578] ? lock_release+0xa40/0xa40
[ 35.306525] ? lock_release+0xa40/0xa40
[ 35.310474] fib6_add+0x5fa/0x1540
[ 35.313994] ? fib6_update_sernum_upto_root+0x180/0x180
[ 35.319331] ? rt6_info_init+0x93/0x1e0
[ 35.323288] ? rt6_upper_bound_set+0x2b0/0x2b0
[ 35.328193] ? lock_downgrade+0x980/0x980
[ 35.332317] ? dst_alloc+0x14a/0x1a0
[ 35.336010] ? __alloc_percpu_gfp+0x27/0x30
[ 35.340304] ? memcpy+0x45/0x50
[ 35.343556] ? ip6_route_info_create+0x11e/0x2e20
[ 35.348385] ? lock_acquire+0x1d5/0x580
[ 35.352331] ? lock_acquire+0x1d5/0x580
[ 35.356275] ? __ip6_ins_rt+0x56/0x90
[ 35.360049] ? ip6_convert_metrics+0x546/0x700
[ 35.364614] ? lock_release+0xa40/0xa40
[ 35.368569] ? dst_discard+0x50/0x50
[ 35.372265] ? __might_fault+0x110/0x1d0
[ 35.376475] ? lock_downgrade+0x980/0x980
[ 35.382073] ? __ip6_ins_rt+0x56/0x90
[ 35.387150] __ip6_ins_rt+0x6c/0x90
[ 35.390757] ip6_route_add+0x141/0x190
[ 35.394615] ? icmp6_dst_alloc+0x660/0x660
[ 35.398825] ipv6_route_ioctl+0x4db/0x6b0
[ 35.402944] ? rt6_purge_dflt_routers+0x9e0/0x9e0
[ 35.407858] ? lock_release+0xa40/0xa40
[ 35.411816] inet6_ioctl+0xef/0x1e0
[ 35.415419] ? inet6_ioctl+0xef/0x1e0
[ 35.419197] sock_do_ioctl+0x65/0xb0
[ 35.422891] sock_ioctl+0x2c2/0x440
[ 35.426499] ? dlci_ioctl_set+0x40/0x40
[ 35.430448] do_vfs_ioctl+0x1b1/0x1520
[ 35.434308] ? _cond_resched+0x14/0x30
[ 35.438168] ? ioctl_preallocate+0x2b0/0x2b0
[ 35.442550] ? selinux_capable+0x40/0x40
[ 35.446589] ? SyS_futex+0x269/0x390
[ 35.450280] ? security_file_ioctl+0x89/0xb0
[ 35.454661] SyS_ioctl+0x8f/0xc0
[ 35.458011] entry_SYSCALL_64_fastpath+0x29/0xa0
[ 35.462738] RIP: 0033:0x4461f9
[ 35.465898] RSP: 002b:00007f90b9af9da8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[ 35.473583] RAX: ffffffffffffffda RBX: 00000000006dbc24 RCX: 00000000004461f9
[ 35.480824] RDX: 0000000020fd7000 RSI: 000000000000890b RDI: 0000000000000022
[ 35.488066] RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
[ 35.495307] R10: 0000000000000000 R11: 0000000000000246 R12: 00000000006dbc20
[ 35.502549] R13: 0001000000000003 R14: 0100000000000000 R15: 0000000000000001
[ 35.511238] Dumping ftrace buffer:
[ 35.514751] (ftrace buffer empty)
[ 35.518443] Kernel Offset: disabled
[ 35.522046] Rebooting in 86400 seconds..