[ ok ] Starting enhanced syslogd: rsyslogd.
[   16.550874] audit: type=1400 audit(1520823981.178:5): avc: denied { syslog } for pid=4089 comm="rsyslogd" capability=34 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=capability2 permissive=1
[ ok ] Starting periodic command scheduler: cron.
Starting mcstransd:
[ ok ] Starting file context maintaining daemon: restorecond.
[ ok ] Starting OpenBSD Secure Shell server: sshd.

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [   18.907185] audit: type=1400 audit(1520823983.534:6): avc: denied { map } for pid=4230 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
Warning: Permanently added '10.128.0.4' (ECDSA) to the list of known hosts.
executing program
[   25.213082] audit: type=1400 audit(1520823989.840:7): avc: denied { map } for pid=4244 comm="syzkaller872974" path="/root/syzkaller872974361" dev="sda1" ino=16481 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
[   25.217970] ==================================================================
[   25.246357] BUG: KASAN: use-after-free in ip6_xmit+0x1f76/0x2260
[   25.252471] Read of size 8 at addr ffff8801b7775018 by task syzkaller872974/4244
[   25.259969]
[   25.261572] CPU: 1 PID: 4244 Comm: syzkaller872974 Not tainted 4.16.0-rc4+ #260
[   25.268985] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   25.278306] Call Trace:
[   25.280866]  dump_stack+0x194/0x24d
[   25.284466]  ? arch_local_irq_restore+0x53/0x53
[   25.289107]  ? show_regs_print_info+0x18/0x18
[   25.293581]  ? ip6_xmit+0x1f76/0x2260
[   25.297357]  print_address_description+0x73/0x250
[   25.302170]  ? ip6_xmit+0x1f76/0x2260
[   25.306045]  kasan_report+0x23c/0x360
[   25.309821]  __asan_report_load8_noabort+0x14/0x20
[   25.314720]  ip6_xmit+0x1f76/0x2260
[   25.318328]  ? ip6_finish_output2+0x23d0/0x23d0
[   25.322969]  ? fl6_update_dst+0x127/0x2b0
[   25.327095]  ? inet6_csk_route_socket+0x691/0xe80
[   25.331911]  ? trace_hardirqs_off+0x10/0x10
[   25.336204]  ? lock_acquire+0x1d5/0x580
[   25.340148]  ? lock_acquire+0x1d5/0x580
[   25.344091]  ? inet6_csk_xmit+0x114/0x580
[   25.348211]  ? trace_hardirqs_off+0x10/0x10
[   25.352508]  ? lock_release+0xa40/0xa40
[   25.356472]  inet6_csk_xmit+0x2fc/0x580
[   25.360419]  ? inet6_csk_update_pmtu+0x160/0x160
[   25.365145]  ? __sk_dst_check+0x1a5/0x380
[   25.369267]  ? sock_kzfree_s+0x60/0x60
[   25.373141]  l2tp_xmit_skb+0x105f/0x1410
[   25.377185]  ? l2tp_session_create+0xb80/0xb80
[   25.381739]  ? sock_wmalloc+0x15d/0x1d0
[   25.385686]  ? iov_iter_advance+0x13f0/0x13f0
[   25.390155]  ? pppol2tp_sendmsg+0x41b/0x670
[   25.394451]  pppol2tp_sendmsg+0x470/0x670
[   25.398573]  ? selinux_socket_sendmsg+0x36/0x40
[   25.403216]  ? pppol2tp_getsockopt+0x900/0x900
[   25.407773]  sock_sendmsg+0xca/0x110
[   25.411463]  SYSC_sendto+0x361/0x5c0
[   25.415151]  ? SYSC_connect+0x4a0/0x4a0
[   25.419116]  ? inet_dgram_connect+0x172/0x1f0
[   25.423588]  ? SYSC_connect+0x2e0/0x4a0
[   25.427563]  ? mm_fault_error+0x2c0/0x2c0
[   25.431682]  ? move_addr_to_kernel+0x60/0x60
[   25.436064]  SyS_sendto+0x40/0x50
[   25.439491]  ? SyS_getpeername+0x30/0x30
[   25.443524]  do_syscall_64+0x281/0x940
[   25.447386]  ? __do_page_fault+0xc90/0xc90
[   25.451595]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[   25.456326]  ? syscall_return_slowpath+0x550/0x550
[   25.461229]  ? syscall_return_slowpath+0x2ac/0x550
[   25.466132]  ? prepare_exit_to_usermode+0x350/0x350
[   25.471124]  ? entry_SYSCALL_64_after_hwframe+0x52/0xb7
[   25.476462]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   25.481283]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[   25.486444] RIP: 0033:0x43ff49
[   25.489606] RSP: 002b:00007ffdb0761bd8 EFLAGS: 00000216 ORIG_RAX: 000000000000002c
[   25.497282] RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 000000000043ff49
[   25.504528] RDX: 0000000000000000 RSI: 0000000020001180 RDI: 0000000000000004
[   25.511771] RBP: 00000000006ca018 R08: 00000000200021c0 R09: 0000000000000080
[   25.519015] R10: 0000000000040001 R11: 0000000000000216 R12: 0000000000401870
[   25.526265] R13: 0000000000401900 R14: 0000000000000000 R15: 0000000000000000
[   25.533521]
[   25.535120] Allocated by task 4050:
[   25.538719]  save_stack+0x43/0xd0
[   25.542142]  kasan_kmalloc+0xad/0xe0
[   25.545824]  kasan_slab_alloc+0x12/0x20
[   25.549768]  kmem_cache_alloc+0x12e/0x760
[   25.553895]  copy_mm+0x8d7/0x131f
[   25.557323]  copy_process.part.38+0x1f56/0x4b60
[   25.561964]  _do_fork+0x1f7/0xf70
[   25.565386]  SyS_clone+0x37/0x50
[   25.568723]  do_syscall_64+0x281/0x940
[   25.572584]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[   25.577738]
[   25.579335] Freed by task 4055:
[   25.582582]  save_stack+0x43/0xd0
[   25.586005]  __kasan_slab_free+0x11a/0x170
[   25.590211]  kasan_slab_free+0xe/0x10
[   25.593983]  kmem_cache_free+0x83/0x2a0
[   25.597930]  remove_vma+0x162/0x1b0
[   25.601524]  exit_mmap+0x311/0x500
[   25.605034]  mmput+0x223/0x6d0
[   25.608196]  flush_old_exec+0xc8b/0x2010
[   25.612228]  load_elf_binary+0x87b/0x4c10
[   25.616346]  search_binary_handler+0x142/0x6b0
[   25.620904]  load_script+0x6fd/0x890
[   25.624587]  search_binary_handler+0x142/0x6b0
[   25.629137]  do_execveat_common.isra.30+0x1754/0x23c0
[   25.634296]  SyS_execve+0x39/0x50
[   25.637728]  do_syscall_64+0x281/0x940
[   25.641599]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[   25.646758]
[   25.648357] The buggy address belongs to the object at ffff8801b7775000
[   25.648357]  which belongs to the cache vm_area_struct of size 200
[   25.661248] The buggy address is located 24 bytes inside of
[   25.661248]  200-byte region [ffff8801b7775000, ffff8801b77750c8)
[   25.673006] The buggy address belongs to the page:
[   25.677907] page:ffffea0006dddd40 count:1 mapcount:0 mapping:ffff8801b7775000 index:0x0
[   25.686027] flags: 0x2fffc0000000100(slab)
[   25.690235] raw: 02fffc0000000100 ffff8801b7775000 0000000000000000 000000010000000f
[   25.698088] raw: ffffea0006d93520 ffffea0006e69be0 ffff8801da5c3840 0000000000000000
[   25.705937] page dumped because: kasan: bad access detected
[   25.711615]
[   25.713213] Memory state around the buggy address:
[   25.718121]  ffff8801b7774f00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   25.725452]  ffff8801b7774f80: 00 00 00 00 fc fc fc fc fc fc fc fc fc fc fc fc
[   25.732789] >ffff8801b7775000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   25.740115]                             ^
[   25.744238]  ffff8801b7775080: fb fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc
[   25.751567]  ffff8801b7775100: fc fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   25.758893] ==================================================================
[   25.766220] Disabling lock debugging due to kernel taint
[   25.771673] Kernel panic - not syncing: panic_on_warn set ...
[   25.771673]
[   25.779018] CPU: 1 PID: 4244 Comm: syzkaller872974 Tainted: G    B 4.16.0-rc4+ #260
[   25.787737] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   25.797059] Call Trace:
[   25.799621]  dump_stack+0x194/0x24d
[   25.803225]  ? arch_local_irq_restore+0x53/0x53
[   25.807863]  ? kasan_end_report+0x32/0x50
[   25.811981]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[   25.816704]  ? vsnprintf+0x1ed/0x1900
[   25.820477]  ? ip6_xmit+0x1eb0/0x2260
[   25.824247]  panic+0x1e4/0x41c
[   25.827408]  ? refcount_error_report+0x214/0x214
[   25.832132]  ? add_taint+0x1c/0x50
[   25.835643]  ? add_taint+0x1c/0x50
[   25.839155]  ? ip6_xmit+0x1f76/0x2260
[   25.842923]  kasan_end_report+0x50/0x50
[   25.846865]  kasan_report+0x149/0x360
[   25.850636]  __asan_report_load8_noabort+0x14/0x20
[   25.855535]  ip6_xmit+0x1f76/0x2260
[   25.859137]  ? ip6_finish_output2+0x23d0/0x23d0
[   25.863779]  ? fl6_update_dst+0x127/0x2b0
[   25.867899]  ? inet6_csk_route_socket+0x691/0xe80
[   25.872715]  ? trace_hardirqs_off+0x10/0x10
[   25.877007]  ? lock_acquire+0x1d5/0x580
[   25.880952]  ? lock_acquire+0x1d5/0x580
[   25.884896]  ? inet6_csk_xmit+0x114/0x580
[   25.889018]  ? trace_hardirqs_off+0x10/0x10
[   25.893310]  ? lock_release+0xa40/0xa40
[   25.897259]  inet6_csk_xmit+0x2fc/0x580
[   25.901204]  ? inet6_csk_update_pmtu+0x160/0x160
[   25.905930]  ? __sk_dst_check+0x1a5/0x380
[   25.910047]  ? sock_kzfree_s+0x60/0x60
[   25.913911]  l2tp_xmit_skb+0x105f/0x1410
[   25.917945]  ? l2tp_session_create+0xb80/0xb80
[   25.922502]  ? sock_wmalloc+0x15d/0x1d0
[   25.926445]  ? iov_iter_advance+0x13f0/0x13f0
[   25.930910]  ? pppol2tp_sendmsg+0x41b/0x670
[   25.935202]  pppol2tp_sendmsg+0x470/0x670
[   25.939321]  ? selinux_socket_sendmsg+0x36/0x40
[   25.943958]  ? pppol2tp_getsockopt+0x900/0x900
[   25.948509]  sock_sendmsg+0xca/0x110
[   25.952194]  SYSC_sendto+0x361/0x5c0
[   25.955877]  ? SYSC_connect+0x4a0/0x4a0
[   25.959827]  ? inet_dgram_connect+0x172/0x1f0
[   25.964290]  ? SYSC_connect+0x2e0/0x4a0
[   25.968252]  ? mm_fault_error+0x2c0/0x2c0
[   25.972366]  ? move_addr_to_kernel+0x60/0x60
[   25.976743]  SyS_sendto+0x40/0x50
[   25.980164]  ? SyS_getpeername+0x30/0x30
[   25.984198]  do_syscall_64+0x281/0x940
[   25.988053]  ? __do_page_fault+0xc90/0xc90
[   25.992258]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[   25.996981]  ? syscall_return_slowpath+0x550/0x550
[   26.001880]  ? syscall_return_slowpath+0x2ac/0x550
[   26.006778]  ? prepare_exit_to_usermode+0x350/0x350
[   26.011766]  ? entry_SYSCALL_64_after_hwframe+0x52/0xb7
[   26.017100]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   26.021922]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[   26.027084] RIP: 0033:0x43ff49
[   26.030242] RSP: 002b:00007ffdb0761bd8 EFLAGS: 00000216 ORIG_RAX: 000000000000002c
[   26.037921] RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 000000000043ff49
[   26.045166] RDX: 0000000000000000 RSI: 0000000020001180 RDI: 0000000000000004
[   26.052405] RBP: 00000000006ca018 R08: 00000000200021c0 R09: 0000000000000080
[   26.059642] R10: 0000000000040001 R11: 0000000000000216 R12: 0000000000401870
[   26.066878] R13: 0000000000401900 R14: 0000000000000000 R15: 0000000000000000
[   26.074508] Dumping ftrace buffer:
[   26.078020]    (ftrace buffer empty)
[   26.081699] Kernel Offset: disabled
[   26.085298] Rebooting in 86400 seconds..