[....] Starting enhanced syslogd: rsyslogd[   12.125951] audit: type=1400 audit(1516244574.253:5): avc:  denied  { syslog } for  pid=3498 comm="rsyslogd" capability=34  scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=capability2 permissive=1
[?25l[?1c7[1G[[32m ok [39;49m8[?25h[?0c.
Starting mcstransd: 
[....] Starting periodic command scheduler: cron[?25l[?1c7[1G[[32m ok [39;49m8[?25h[?0c.
[....] Starting file context maintaining daemon: restorecond[?25l[?1c7[1G[[32m ok [39;49m8[?25h[?0c.
[....] Starting OpenBSD Secure Shell server: sshd[?25l[?1c7[1G[[32m ok [39;49m8[?25h[?0c.

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [   19.147338] audit: type=1400 audit(1516244581.274:6): avc:  denied  { map } for  pid=3637 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
Warning: Permanently added '10.128.0.43' (ECDSA) to the list of known hosts.
executing program
[   40.607345] audit: type=1400 audit(1516244602.735:7): avc:  denied  { map } for  pid=3654 comm="syzkaller039917" path="/root/syzkaller039917422" dev="sda1" ino=16481 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
[   40.636017] ==================================================================
[   40.643395] BUG: KASAN: use-after-free in ip6_xmit+0x2048/0x2090
[   40.649511] Read of size 8 at addr ffff8801c34b8cd8 by task syzkaller039917/3654
[   40.657013] 
[   40.658613] CPU: 0 PID: 3654 Comm: syzkaller039917 Not tainted 4.15.0-rc8+ #176
[   40.666026] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   40.675352] Call Trace:
[   40.677914]  dump_stack+0x194/0x257
[   40.681519]  ? arch_local_irq_restore+0x53/0x53
[   40.686163]  ? show_regs_print_info+0x18/0x18
[   40.690636]  ? ip6_xmit+0x2048/0x2090
[   40.694408]  print_address_description+0x73/0x250
[   40.699229]  ? ip6_xmit+0x2048/0x2090
[   40.703004]  kasan_report+0x25b/0x340
[   40.706782]  __asan_report_load8_noabort+0x14/0x20
[   40.711680]  ip6_xmit+0x2048/0x2090
[   40.715290]  ? ip6_finish_output2+0x23a0/0x23a0
[   40.719932]  ? fl6_update_dst+0x127/0x2b0
[   40.724048]  ? check_noncircular+0x20/0x20
[   40.728257]  ? inet6_csk_route_socket+0x691/0xe80
[   40.733075]  ? lock_acquire+0x1d5/0x580
[   40.737019]  ? lock_acquire+0x1d5/0x580
[   40.740962]  ? inet6_csk_xmit+0x114/0x580
[   40.745083]  ? lock_release+0xa40/0xa40
[   40.749044]  inet6_csk_xmit+0x2fc/0x580
[   40.752989]  ? inet6_csk_update_pmtu+0x160/0x160
[   40.757717]  ? __sk_dst_check+0x1a5/0x380
[   40.761838]  ? sk_wait_data+0x610/0x610
[   40.765799]  l2tp_xmit_skb+0x1068/0x1410
[   40.769838]  ? l2tp_session_create+0xc60/0xc60
[   40.774393]  ? sock_wmalloc+0x15d/0x1d0
[   40.778342]  ? iov_iter_advance+0x13f0/0x13f0
[   40.782808]  ? pppol2tp_sendmsg+0x41b/0x670
[   40.787101]  pppol2tp_sendmsg+0x470/0x670
[   40.791221]  ? selinux_socket_sendmsg+0x36/0x40
[   40.795863]  ? pppol2tp_session_ioctl+0xa90/0xa90
[   40.800680]  sock_sendmsg+0xca/0x110
[   40.804367]  ___sys_sendmsg+0x767/0x8b0
[   40.808317]  ? copy_msghdr_from_user+0x590/0x590
[   40.813042]  ? check_noncircular+0x20/0x20
[   40.817258]  ? check_noncircular+0x20/0x20
[   40.821463]  ? __pmd_alloc+0x4e0/0x4e0
[   40.825319]  ? selinux_socket_setsockopt+0x80/0x80
[   40.830217]  ? lock_release+0xa40/0xa40
[   40.834162]  ? trace_event_raw_event_sched_switch+0x800/0x800
[   40.840020]  ? __fget_light+0x297/0x380
[   40.843967]  ? fget_raw+0x20/0x20
[   40.847398]  ? handle_mm_fault+0x248/0x8d0
[   40.851609]  ? find_held_lock+0x35/0x1d0
[   40.855657]  __sys_sendmsg+0xe5/0x210
[   40.859426]  ? __sys_sendmsg+0xe5/0x210
[   40.863372]  ? SyS_shutdown+0x290/0x290
[   40.867316]  ? handle_mm_fault+0x410/0x8d0
[   40.871525]  ? __do_page_fault+0x32d/0xc90
[   40.875731]  ? __handle_mm_fault+0x3ce0/0x3ce0
[   40.880281]  ? vmacache_find+0x5f/0x280
[   40.884246]  compat_SyS_sendmsg+0x2a/0x40
[   40.888366]  ? compat_SyS_getsockopt+0x420/0x420
[   40.893093]  do_fast_syscall_32+0x3ee/0xf9d
[   40.897391]  ? do_int80_syscall_32+0x9d0/0x9d0
[   40.901944]  ? kasan_check_read+0x11/0x20
[   40.906064]  ? syscall_return_slowpath+0x550/0x550
[   40.910967]  ? SyS_rt_sigaction+0x94/0x1b0
[   40.915174]  ? SyS_sigprocmask+0x4b0/0x4b0
[   40.919381]  ? SyS_read+0x184/0x220
[   40.922983]  ? retint_user+0x18/0x18
[   40.926671]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   40.931489]  entry_SYSENTER_compat+0x54/0x63
[   40.935870] RIP: 0023:0xf7ff9c79
[   40.939203] RSP: 002b:00000000ffd7fa7c EFLAGS: 00000217 ORIG_RAX: 0000000000000172
[   40.946881] RAX: ffffffffffffffda RBX: 0000000000000004 RCX: 000000002037ffc8
[   40.954122] RDX: 0000000000000081 RSI: 000000000000016a RDI: 0000000000000004
[   40.961364] RBP: 00000000205fafd2 R08: 0000000000000000 R09: 0000000000000000
[   40.968607] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
[   40.975847] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[   40.983100] 
[   40.984700] Allocated by task 1711:
[   40.988298]  save_stack+0x43/0xd0
[   40.991719]  kasan_kmalloc+0xad/0xe0
[   40.995400]  kasan_slab_alloc+0x12/0x20
[   40.999341]  kmem_cache_alloc+0x12e/0x760
[   41.003457]  dst_alloc+0x11f/0x1a0
[   41.006968]  rt_dst_alloc+0xe9/0x540
[   41.010650]  ip_route_input_rcu+0xfd6/0x31b0
[   41.015025]  ip_route_input_noref+0xf5/0x1e0
[   41.019407]  ip_rcv_finish+0x2d2/0x1e30
[   41.023349]  ip_rcv+0xc5a/0x1840
[   41.026687]  __netif_receive_skb_core+0x1a41/0x3460
[   41.031672]  __netif_receive_skb+0x2c/0x1b0
[   41.035962]  netif_receive_skb_internal+0x10b/0x670
[   41.040946]  napi_gro_receive+0x3d0/0x500
[   41.045062]  receive_buf+0xa16/0x2b30
[   41.048830]  virtnet_poll+0x359/0xbc0
[   41.052598]  net_rx_action+0x792/0x1910
[   41.056542]  __do_softirq+0x2d7/0xb85
[   41.060309] 
[   41.061904] Freed by task 3320:
[   41.065151]  save_stack+0x43/0xd0
[   41.068575]  kasan_slab_free+0x71/0xc0
[   41.072431]  kmem_cache_free+0x83/0x2a0
[   41.076373]  dst_destroy+0x216/0x330
[   41.080054]  dst_destroy_rcu+0x16/0x20
[   41.083911]  rcu_process_callbacks+0xd6c/0x17f0
[   41.088546]  __do_softirq+0x2d7/0xb85
[   41.092312] 
[   41.093909] The buggy address belongs to the object at ffff8801c34b8cc0
[   41.093909]  which belongs to the cache ip_dst_cache of size 216
[   41.106628] The buggy address is located 24 bytes inside of
[   41.106628]  216-byte region [ffff8801c34b8cc0, ffff8801c34b8d98)
[   41.118382] The buggy address belongs to the page:
[   41.123281] page:ffffea00070d2e00 count:1 mapcount:0 mapping:ffff8801c34b8040 index:0x0
[   41.131392] flags: 0x2fffc0000000100(slab)
[   41.135597] raw: 02fffc0000000100 ffff8801c34b8040 0000000000000000 000000010000000c
[   41.143447] raw: ffff8801d7f67148 ffffea0006f388a0 ffff8801d6fa94c0 0000000000000000
[   41.151295] page dumped because: kasan: bad access detected
[   41.156970] 
[   41.158567] Memory state around the buggy address:
[   41.163463]  ffff8801c34b8b80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   41.170789]  ffff8801c34b8c00: 00 00 00 00 00 00 00 00 00 00 00 fc fc fc fc fc
[   41.178118] >ffff8801c34b8c80: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
[   41.185444]                                                     ^
[   41.191642]  ffff8801c34b8d00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   41.198972]  ffff8801c34b8d80: fb fb fb fc fc fc fc fc fc fc fc fc fc fc fc fc
[   41.206306] ==================================================================
[   41.213634] Disabling lock debugging due to kernel taint
[   41.219083] Kernel panic - not syncing: panic_on_warn set ...
[   41.219083] 
[   41.226416] CPU: 0 PID: 3654 Comm: syzkaller039917 Tainted: G    B            4.15.0-rc8+ #176
[   41.235134] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   41.244459] Call Trace:
[   41.247018]  dump_stack+0x194/0x257
[   41.250617]  ? arch_local_irq_restore+0x53/0x53
[   41.255254]  ? kasan_end_report+0x32/0x50
[   41.259374]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[   41.264098]  ? vsnprintf+0x1ed/0x1900
[   41.267871]  ? ip6_xmit+0x1f60/0x2090
[   41.271641]  panic+0x1e4/0x41c
[   41.274801]  ? refcount_error_report+0x214/0x214
[   41.279527]  ? add_taint+0x1c/0x50
[   41.283033]  ? add_taint+0x1c/0x50
[   41.286543]  ? ip6_xmit+0x2048/0x2090
[   41.290311]  kasan_end_report+0x50/0x50
[   41.294253]  kasan_report+0x144/0x340
[   41.298026]  __asan_report_load8_noabort+0x14/0x20
[   41.302922]  ip6_xmit+0x2048/0x2090
[   41.306524]  ? ip6_finish_output2+0x23a0/0x23a0
[   41.311162]  ? fl6_update_dst+0x127/0x2b0
[   41.315285]  ? check_noncircular+0x20/0x20
[   41.319491]  ? inet6_csk_route_socket+0x691/0xe80
[   41.324303]  ? lock_acquire+0x1d5/0x580
[   41.328244]  ? lock_acquire+0x1d5/0x580
[   41.332187]  ? inet6_csk_xmit+0x114/0x580
[   41.336306]  ? lock_release+0xa40/0xa40
[   41.340256]  inet6_csk_xmit+0x2fc/0x580
[   41.344200]  ? inet6_csk_update_pmtu+0x160/0x160
[   41.348927]  ? __sk_dst_check+0x1a5/0x380
[   41.353045]  ? sk_wait_data+0x610/0x610
[   41.356996]  l2tp_xmit_skb+0x1068/0x1410
[   41.361030]  ? l2tp_session_create+0xc60/0xc60
[   41.365579]  ? sock_wmalloc+0x15d/0x1d0
[   41.369523]  ? iov_iter_advance+0x13f0/0x13f0
[   41.373987]  ? pppol2tp_sendmsg+0x41b/0x670
[   41.378278]  pppol2tp_sendmsg+0x470/0x670
[   41.382395]  ? selinux_socket_sendmsg+0x36/0x40
[   41.387034]  ? pppol2tp_session_ioctl+0xa90/0xa90
[   41.391846]  sock_sendmsg+0xca/0x110
[   41.395530]  ___sys_sendmsg+0x767/0x8b0
[   41.399477]  ? copy_msghdr_from_user+0x590/0x590
[   41.404200]  ? check_noncircular+0x20/0x20
[   41.408408]  ? check_noncircular+0x20/0x20
[   41.412611]  ? __pmd_alloc+0x4e0/0x4e0
[   41.416473]  ? selinux_socket_setsockopt+0x80/0x80
[   41.421369]  ? lock_release+0xa40/0xa40
[   41.425313]  ? trace_event_raw_event_sched_switch+0x800/0x800
[   41.431167]  ? __fget_light+0x297/0x380
[   41.435108]  ? fget_raw+0x20/0x20
[   41.438541]  ? handle_mm_fault+0x248/0x8d0
[   41.442743]  ? find_held_lock+0x35/0x1d0
[   41.446778]  __sys_sendmsg+0xe5/0x210
[   41.450545]  ? __sys_sendmsg+0xe5/0x210
[   41.454492]  ? SyS_shutdown+0x290/0x290
[   41.458434]  ? handle_mm_fault+0x410/0x8d0
[   41.462652]  ? __do_page_fault+0x32d/0xc90
[   41.466860]  ? __handle_mm_fault+0x3ce0/0x3ce0
[   41.471417]  ? vmacache_find+0x5f/0x280
[   41.475373]  compat_SyS_sendmsg+0x2a/0x40
[   41.479489]  ? compat_SyS_getsockopt+0x420/0x420
[   41.484213]  do_fast_syscall_32+0x3ee/0xf9d
[   41.488506]  ? do_int80_syscall_32+0x9d0/0x9d0
[   41.493057]  ? kasan_check_read+0x11/0x20
[   41.497173]  ? syscall_return_slowpath+0x550/0x550
[   41.502073]  ? SyS_rt_sigaction+0x94/0x1b0
[   41.506277]  ? SyS_sigprocmask+0x4b0/0x4b0
[   41.510478]  ? SyS_read+0x184/0x220
[   41.514073]  ? retint_user+0x18/0x18
[   41.517759]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   41.522574]  entry_SYSENTER_compat+0x54/0x63
[   41.526949] RIP: 0023:0xf7ff9c79
[   41.530282] RSP: 002b:00000000ffd7fa7c EFLAGS: 00000217 ORIG_RAX: 0000000000000172
[   41.537957] RAX: ffffffffffffffda RBX: 0000000000000004 RCX: 000000002037ffc8
[   41.545195] RDX: 0000000000000081 RSI: 000000000000016a RDI: 0000000000000004
[   41.552433] RBP: 00000000205fafd2 R08: 0000000000000000 R09: 0000000000000000
[   41.559677] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
[   41.566927] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[   41.574536] Dumping ftrace buffer:
[   41.578051]    (ftrace buffer empty)
[   41.581729] Kernel Offset: disabled
[   41.585324] Rebooting in 86400 seconds..