[ ok ] Starting enhanced syslogd: rsyslogd.
[ 17.661904] audit: type=1400 audit(1521111890.659:5): avc: denied { syslog } for pid=4095 comm="rsyslogd" capability=34 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=capability2 permissive=1
[ ok ] Starting periodic command scheduler: cron.
Starting mcstransd:
[ ok ] Starting file context maintaining daemon: restorecond.
[ ok ] Starting OpenBSD Secure Shell server: sshd.

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [ 22.336685] audit: type=1400 audit(1521111895.334:6): avc: denied { map } for pid=4236 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
Warning: Permanently added '10.128.0.6' (ECDSA) to the list of known hosts.
[ 28.700744] audit: type=1400 audit(1521111901.698:7): avc: denied { map } for pid=4250 comm="syzkaller568338" path="/root/syzkaller568338701" dev="sda1" ino=16481 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
[ 28.713386] IPVS: ftp: loaded support on port[0] = 21
net.ipv6.conf.syz_tun.accept_dad = 0
net.ipv6.conf.syz_tun.router_solicitations = 0
[ 28.726748] audit: type=1400 audit(1521111901.703:8): avc: denied { sys_admin } for pid=4250 comm="syzkaller568338" capability=21 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=cap_userns permissive=1
[ 28.775723] audit: type=1400 audit(1521111901.774:9): avc: denied { net_admin } for pid=4251 comm="syzkaller568338" capability=12 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=cap_userns permissive=1
RTNETLINK answers: File exists
RTNETLINK answers: Operation not supported
RTNETLINK answers: No buffer space available
RTNETLINK answers: Operation not supported
[ 29.022848] IPv6: ADDRCONF(NETDEV_UP): bridge0: link is not ready
RTNETLINK answers: Operation not supported
RTNETLINK answers: Operation not supported
RTNETLINK answers: Operation not supported
RTNETLINK answers: Invalid argument
RTNETLINK answers: Invalid argument
RTNETLINK answers: Invalid argument
[ 29.381473] IPv6: ADDRCONF(NETDEV_UP): bond0: link is not ready
[ 29.387592] 8021q: adding VLAN 0 to HW filter on device bond0
executing program
[ 29.425866] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
[ 29.463718] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 29.477366] audit: type=1400 audit(1521111902.475:10): avc: denied { sys_chroot } for pid=4251 comm="syzkaller568338" capability=18 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=cap_userns permissive=1
[ 29.482668] ==================================================================
[ 29.509376] BUG: KASAN: use-after-free in ip6_xmit+0x1f76/0x2260
[ 29.515497] Read of size 8 at addr ffff8801af6f1a18 by task syzkaller568338/4251
[ 29.522999]
[ 29.524609] CPU: 0 PID: 4251 Comm: syzkaller568338 Not tainted 4.16.0-rc4+ #266
[ 29.532025] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 29.541350] Call Trace:
[ 29.543918]  dump_stack+0x194/0x24d
[ 29.547520]  ? arch_local_irq_restore+0x53/0x53
[ 29.552161]  ? show_regs_print_info+0x18/0x18
[ 29.556636]  ? ip6_xmit+0x1f76/0x2260
[ 29.560411]  print_address_description+0x73/0x250
[ 29.565223]  ? ip6_xmit+0x1f76/0x2260
[ 29.568996]  kasan_report+0x23c/0x360
[ 29.572775]  __asan_report_load8_noabort+0x14/0x20
[ 29.577675]  ip6_xmit+0x1f76/0x2260
[ 29.581284]  ? ip6_finish_output2+0x23d0/0x23d0
[ 29.586143]  ? fl6_update_dst+0x127/0x2b0
[ 29.590538]  ? inet6_csk_route_socket+0x691/0xe80
[ 29.595618]  ? trace_hardirqs_off+0x10/0x10
[ 29.600036]  ? lock_acquire+0x1d5/0x580
[ 29.603983]  ? lock_acquire+0x1d5/0x580
[ 29.607933]  ? inet6_csk_xmit+0x114/0x580
[ 29.612055]  ? trace_hardirqs_off+0x10/0x10
[ 29.616352]  ? lock_release+0xa40/0xa40
[ 29.620314]  inet6_csk_xmit+0x2fc/0x580
[ 29.624263]  ? inet6_csk_update_pmtu+0x160/0x160
[ 29.628992]  ? __sk_dst_check+0x1a5/0x380
[ 29.633117]  ? sock_kzfree_s+0x60/0x60
[ 29.636992]  l2tp_xmit_skb+0x105f/0x1410
[ 29.641050]  ? l2tp_session_create+0xb80/0xb80
[ 29.645611]  ? sock_wmalloc+0x15d/0x1d0
[ 29.649558]  ? iov_iter_advance+0x13f0/0x13f0
[ 29.654037]  ? pppol2tp_sendmsg+0x41b/0x670
[ 29.658332]  pppol2tp_sendmsg+0x470/0x670
[ 29.662465]  ? selinux_socket_sendmsg+0x36/0x40
[ 29.667106]  ? pppol2tp_getsockopt+0x900/0x900
[ 29.671664]  sock_sendmsg+0xca/0x110
[ 29.675353]  ___sys_sendmsg+0x767/0x8b0
[ 29.679302]  ? copy_msghdr_from_user+0x590/0x590
[ 29.684039]  ? __pmd_alloc+0x4e0/0x4e0
[ 29.687901]  ? selinux_socket_connect+0x311/0x730
[ 29.692718]  ? trace_hardirqs_off+0x10/0x10
[ 29.697017]  ? find_held_lock+0x35/0x1d0
[ 29.701059]  ? __fget_light+0x2b2/0x3c0
[ 29.705010]  ? fget_raw+0x20/0x20
[ 29.708457]  ? __do_page_fault+0x5f7/0xc90
[ 29.712666]  ? lock_downgrade+0x980/0x980
[ 29.716795]  __sys_sendmsg+0xe5/0x210
[ 29.720566]  ? __sys_sendmsg+0xe5/0x210
[ 29.724514]  ? SyS_shutdown+0x290/0x290
[ 29.728469]  ? __do_page_fault+0x3d6/0xc90
[ 29.732688]  ? move_addr_to_kernel+0x60/0x60
[ 29.737074]  SyS_sendmsg+0x2d/0x50
[ 29.740586]  ? __sys_sendmsg+0x210/0x210
[ 29.744634]  do_syscall_64+0x281/0x940
[ 29.748501]  ? __do_page_fault+0xc90/0xc90
[ 29.752708]  ? _raw_spin_unlock_irq+0x27/0x70
[ 29.757177]  ? finish_task_switch+0x1c1/0x7e0
[ 29.761645]  ? syscall_return_slowpath+0x550/0x550
[ 29.766545]  ? syscall_return_slowpath+0x2ac/0x550
[ 29.771448]  ? prepare_exit_to_usermode+0x350/0x350
[ 29.776436]  ? retint_user+0x18/0x18
[ 29.780138]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 29.784957]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 29.790120] RIP: 0033:0x441c59
[ 29.793280] RSP: 002b:00000000007dfea8 EFLAGS: 00000217 ORIG_RAX: 000000000000002e
[ 29.800959] RAX: ffffffffffffffda RBX: 000000000000001a RCX: 0000000000441c59
[ 29.808200] RDX: 0000000000000081 RSI: 000000002037ffc8 RDI: 0000000000000004
[ 29.815442] RBP: 00000000004a3c86 R08: 0000000120080522 R09: 0000000120080522
[ 29.822683] R10: 0000000120080522 R11: 0000000000000217 R12: 00000000007dff70
[ 29.829924] R13: 0000000000402c90 R14: 0000000000000000 R15: 0000000000000000
[ 29.837199]
[ 29.838800] Allocated by task 4243:
[ 29.842404]  save_stack+0x43/0xd0
[ 29.845828]  kasan_kmalloc+0xad/0xe0
[ 29.849512]  kasan_slab_alloc+0x12/0x20
[ 29.853462]  kmem_cache_alloc+0x12e/0x760
[ 29.857583]  dst_alloc+0x11f/0x1a0
[ 29.861099]  rt_dst_alloc+0xe9/0x4e0
[ 29.864783]  ip_route_output_key_hash_rcu+0xa59/0x2fe0
[ 29.870035]  ip_route_output_key_hash+0x20b/0x370
[ 29.874849]  __ip4_datagram_connect+0xa67/0x1240
[ 29.879578]  __ip6_datagram_connect+0x749/0x12d0
[ 29.884303]  ip6_datagram_connect+0x2f/0x50
[ 29.888600]  inet_dgram_connect+0x16b/0x1f0
[ 29.892893]  SYSC_connect+0x213/0x4a0
[ 29.896665]  SyS_connect+0x24/0x30
[ 29.900176]  do_syscall_64+0x281/0x940
[ 29.904036]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 29.909192]
[ 29.910789] Freed by task 0:
[ 29.913778]  save_stack+0x43/0xd0
[ 29.917201]  __kasan_slab_free+0x11a/0x170
[ 29.921406]  kasan_slab_free+0xe/0x10
[ 29.925179]  kmem_cache_free+0x83/0x2a0
[ 29.929129]  dst_destroy+0x257/0x370
[ 29.932813]  dst_destroy_rcu+0x16/0x20
[ 29.936675]  rcu_process_callbacks+0xd6c/0x17f0
[ 29.941314]  __do_softirq+0x2d7/0xb85
[ 29.945082]
[ 29.946683] The buggy address belongs to the object at ffff8801af6f1a00
[ 29.946683]  which belongs to the cache ip_dst_cache of size 160
[ 29.959398] The buggy address is located 24 bytes inside of
[ 29.959398]  160-byte region [ffff8801af6f1a00, ffff8801af6f1aa0)
[ 29.971153] The buggy address belongs to the page:
[ 29.976056] page:ffffea0006bdbc40 count:1 mapcount:0 mapping:ffff8801af6f1000 index:0x0
[ 29.984167] flags: 0x2fffc0000000100(slab)
[ 29.988374] raw: 02fffc0000000100 ffff8801af6f1000 0000000000000000 0000000100000010
[ 29.996231] raw: ffffea00072fa460 ffff8801d6bc3448 ffff8801d54104c0 0000000000000000
[ 30.004081] page dumped because: kasan: bad access detected
[ 30.009757]
[ 30.011353] Memory state around the buggy address:
[ 30.016253]  ffff8801af6f1900: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 30.023584]  ffff8801af6f1980: 00 00 00 00 fc fc fc fc fc fc fc fc fc fc fc fc
[ 30.030915] >ffff8801af6f1a00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 30.038243]                             ^
[ 30.042361]  ffff8801af6f1a80: fb fb fb fb fc fc fc fc fc fc fc fc fc fc fc fc
[ 30.049690]  ffff8801af6f1b00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 30.057020] ==================================================================
[ 30.064348] Disabling lock debugging due to kernel taint
[ 30.069815] Kernel panic - not syncing: panic_on_warn set ...
[ 30.069815]
[ 30.077167] CPU: 0 PID: 4251 Comm: syzkaller568338 Tainted: G    B    4.16.0-rc4+ #266
[ 30.085894] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 30.095217] Call Trace:
[ 30.097782]  dump_stack+0x194/0x24d
[ 30.101382]  ? arch_local_irq_restore+0x53/0x53
[ 30.106026]  ? kasan_end_report+0x32/0x50
[ 30.110147]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 30.114872]  ? vsnprintf+0x1ed/0x1900
[ 30.118647]  ? ip6_xmit+0x1e90/0x2260
[ 30.122417]  panic+0x1e4/0x41c
[ 30.125583]  ? refcount_error_report+0x214/0x214
[ 30.130308]  ? add_taint+0x1c/0x50
[ 30.133819]  ? add_taint+0x1c/0x50
[ 30.137331]  ? ip6_xmit+0x1f76/0x2260
[ 30.141112]  kasan_end_report+0x50/0x50
[ 30.145069]  kasan_report+0x149/0x360
[ 30.148842]  __asan_report_load8_noabort+0x14/0x20
[ 30.153740]  ip6_xmit+0x1f76/0x2260
[ 30.157344]  ? ip6_finish_output2+0x23d0/0x23d0
[ 30.161984]  ? fl6_update_dst+0x127/0x2b0
[ 30.166114]  ? inet6_csk_route_socket+0x691/0xe80
[ 30.170927]  ? trace_hardirqs_off+0x10/0x10
[ 30.175220]  ? lock_acquire+0x1d5/0x580
[ 30.179162]  ? lock_acquire+0x1d5/0x580
[ 30.183104]  ? inet6_csk_xmit+0x114/0x580
[ 30.187220]  ? trace_hardirqs_off+0x10/0x10
[ 30.191517]  ? lock_release+0xa40/0xa40
[ 30.195469]  inet6_csk_xmit+0x2fc/0x580
[ 30.199417]  ? inet6_csk_update_pmtu+0x160/0x160
[ 30.204149]  ? __sk_dst_check+0x1a5/0x380
[ 30.208270]  ? sock_kzfree_s+0x60/0x60
[ 30.212141]  l2tp_xmit_skb+0x105f/0x1410
[ 30.216178]  ? l2tp_session_create+0xb80/0xb80
[ 30.220730]  ? sock_wmalloc+0x15d/0x1d0
[ 30.224690]  ? iov_iter_advance+0x13f0/0x13f0
[ 30.229161]  ? pppol2tp_sendmsg+0x41b/0x670
[ 30.233455]  pppol2tp_sendmsg+0x470/0x670
[ 30.237579]  ? selinux_socket_sendmsg+0x36/0x40
[ 30.242222]  ? pppol2tp_getsockopt+0x900/0x900
[ 30.246792]  sock_sendmsg+0xca/0x110
[ 30.250479]  ___sys_sendmsg+0x767/0x8b0
[ 30.254426]  ? copy_msghdr_from_user+0x590/0x590
[ 30.259155]  ? __pmd_alloc+0x4e0/0x4e0
[ 30.263019]  ? selinux_socket_connect+0x311/0x730
[ 30.267840]  ? trace_hardirqs_off+0x10/0x10
[ 30.272133]  ? find_held_lock+0x35/0x1d0
[ 30.276182]  ? __fget_light+0x2b2/0x3c0
[ 30.280129]  ? fget_raw+0x20/0x20
[ 30.283571]  ? __do_page_fault+0x5f7/0xc90
[ 30.287777]  ? lock_downgrade+0x980/0x980
[ 30.291902]  __sys_sendmsg+0xe5/0x210
[ 30.295672]  ? __sys_sendmsg+0xe5/0x210
[ 30.299623]  ? SyS_shutdown+0x290/0x290
[ 30.303576]  ? __do_page_fault+0x3d6/0xc90
[ 30.307785]  ? move_addr_to_kernel+0x60/0x60
[ 30.312169]  SyS_sendmsg+0x2d/0x50
[ 30.315680]  ? __sys_sendmsg+0x210/0x210
[ 30.319724]  do_syscall_64+0x281/0x940
[ 30.323582]  ? __do_page_fault+0xc90/0xc90
[ 30.327788]  ? _raw_spin_unlock_irq+0x27/0x70
[ 30.332253]  ? finish_task_switch+0x1c1/0x7e0
[ 30.336730]  ? syscall_return_slowpath+0x550/0x550
[ 30.341640]  ? syscall_return_slowpath+0x2ac/0x550
[ 30.346540]  ? prepare_exit_to_usermode+0x350/0x350
[ 30.351531]  ? retint_user+0x18/0x18
[ 30.355220]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 30.360036]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 30.365198] RIP: 0033:0x441c59
[ 30.368360] RSP: 002b:00000000007dfea8 EFLAGS: 00000217 ORIG_RAX: 000000000000002e
[ 30.376051] RAX: ffffffffffffffda RBX: 000000000000001a RCX: 0000000000441c59
[ 30.383293] RDX: 0000000000000081 RSI: 000000002037ffc8 RDI: 0000000000000004
[ 30.390570] RBP: 00000000004a3c86 R08: 0000000120080522 R09: 0000000120080522
[ 30.397813] R10: 0000000120080522 R11: 0000000000000217 R12: 00000000007dff70
[ 30.405062] R13: 0000000000402c90 R14: 0000000000000000 R15: 0000000000000000
[ 30.412898] Dumping ftrace buffer:
[ 30.416419]    (ftrace buffer empty)
[ 30.420101] Kernel Offset: disabled
[ 30.423700] Rebooting in 86400 seconds..
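The report above has the three pieces a triager needs, but they are spread over a few hundred console lines: the faulting access (an 8-byte read in ip6_xmit, reached from sendmsg() on a PPPoL2TP socket by task 4251), the allocation (a dst from ip_dst_cache created by connect() on an IPv6 datagram socket in task 4243), and the free (dst_destroy from an RCU callback in softirq, task 0). The script below is an added helper, not part of the syzkaller report or of the syzkaller project's own tooling. It strips the console timestamps, drops the "?" frames (stale stack slots, not real callers), skips KASAN/allocator plumbing to find the first frame worth reading, locates the syscall entry on each stack, and prints a summary. SAMPLE_REPORT is an abridged copy of the report above with most frames elided; the NOISE and SYSCALL prefix lists and the KasanReport field names are this example's own choices.

```python
import re
from dataclasses import dataclass, field
from itertools import takewhile
from typing import List, Optional

# Sample input: an abridged copy of the KASAN report from the console log above (frames elided).
SAMPLE_REPORT = """\
[ 29.509376] BUG: KASAN: use-after-free in ip6_xmit+0x1f76/0x2260
[ 29.515497] Read of size 8 at addr ffff8801af6f1a18 by task syzkaller568338/4251
[ 29.541350] Call Trace:
[ 29.543918] dump_stack+0x194/0x24d
[ 29.568996] kasan_report+0x23c/0x360
[ 29.577675] ip6_xmit+0x1f76/0x2260
[ 29.581284] ? ip6_finish_output2+0x23d0/0x23d0
[ 29.658332] pppol2tp_sendmsg+0x470/0x670
[ 29.737074] SyS_sendmsg+0x2d/0x50
[ 29.790120] RIP: 0033:0x441c59
[ 29.838800] Allocated by task 4243:
[ 29.842404] save_stack+0x43/0xd0
[ 29.853462] kmem_cache_alloc+0x12e/0x760
[ 29.857583] dst_alloc+0x11f/0x1a0
[ 29.896665] SyS_connect+0x24/0x30
[ 29.910789] Freed by task 0:
[ 29.913778] save_stack+0x43/0xd0
[ 29.925179] kmem_cache_free+0x83/0x2a0
[ 29.929129] dst_destroy+0x257/0x370
[ 29.936675] rcu_process_callbacks+0xd6c/0x17f0
[ 29.946683] which belongs to the cache ip_dst_cache of size 160
[ 29.959398] The buggy address is located 24 bytes inside of
"""

TS_RE = re.compile(r"^\[\s*\d+\.\d+\]\s?")                                  # "[ 29.509376] "
FRAME_RE = re.compile(r"^(\?\s+)?([A-Za-z_][\w.]*)\+0x[0-9a-f]+/0x[0-9a-f]+$")  # "? func+0x1/0x2"
HEADER_RE = re.compile(r"BUG: KASAN: (?P<kind>[\w-]+) in (?P<func>\w+)\+0x")
ACCESS_RE = re.compile(r"(?P<op>Read|Write) of size (?P<size>\d+) at addr (?P<addr>[0-9a-f]+) by task (?P<task>\S+)/(?P<pid>\d+)")
CACHE_RE = re.compile(r"belongs to the cache (?P<cache>\S+) of size (?P<size>\d+)")
OFFSET_RE = re.compile(r"located (?P<off>\d+) bytes (inside|to the right|to the left) of")
# Allocator and report plumbing (assumed list): never the frame a triager should start reading at.
NOISE = ("dump_stack", "print_address_description", "kasan_", "__kasan_", "__asan_",
         "save_stack", "kmem_cache_", "kmalloc", "__kmalloc", "kfree", "slab_")
SYSCALL = ("SyS_", "__x64_sys_", "__se_sys_", "__do_sys_")  # syscall entry frame prefixes (assumed)

@dataclass
class KasanReport:
    kind: str            # e.g. "use-after-free"
    func: str            # function the bad access was reported in
    op: str              # "Read" or "Write"
    size: int
    addr: int
    task: str
    pid: int
    crash_stack: List[str] = field(default_factory=list)
    alloc_task: Optional[int] = None
    alloc_stack: List[str] = field(default_factory=list)
    free_task: Optional[int] = None
    free_stack: List[str] = field(default_factory=list)
    cache: Optional[str] = None
    obj_size: Optional[int] = None
    offset: Optional[int] = None

def _frames(lines, start):
    """Real frames from lines[start:] up to the first non-frame line; '?' entries are dropped."""
    matches = takewhile(bool, map(FRAME_RE.match, lines[start:]))
    return [m.group(2) for m in matches if not m.group(1)]

def parse_kasan_report(text):
    """Parse a KASAN report (console timestamps allowed) into a KasanReport."""
    lines = [TS_RE.sub("", l).strip() for l in text.splitlines()]
    hdr = next(m for m in map(HEADER_RE.search, lines) if m)
    acc = next(m for m in map(ACCESS_RE.search, lines) if m)
    rep = KasanReport(hdr["kind"], hdr["func"], acc["op"], int(acc["size"]),
                      int(acc["addr"], 16), acc["task"], int(acc["pid"]))
    for i, line in enumerate(lines):
        if line == "Call Trace:" and not rep.crash_stack:  # keep the first; the panic repeats it
            rep.crash_stack = _frames(lines, i + 1)
        elif line.startswith("Allocated by task"):
            rep.alloc_task, rep.alloc_stack = int(line.split()[-1][:-1]), _frames(lines, i + 1)
        elif line.startswith("Freed by task"):
            rep.free_task, rep.free_stack = int(line.split()[-1][:-1]), _frames(lines, i + 1)
        elif (m := CACHE_RE.search(line)):
            rep.cache, rep.obj_size = m["cache"], int(m["size"])
        elif (m := OFFSET_RE.search(line)):
            rep.offset = int(m["off"])
    return rep

def blame_frame(stack):
    """First frame that is not KASAN/allocator plumbing: where to start reading code."""
    return next((f for f in stack if not f.startswith(NOISE)), None)

def syscall_frame(stack):
    """Syscall entry on the stack, or None when the path was not user-triggered (softirq, RCU)."""
    return next((f for f in stack if f.startswith(SYSCALL)), None)

def triage(rep):
    """Summary a fuzzing triager would paste into a bug: what, where, and the alloc/free pair."""
    out = [f"{rep.kind}: {rep.op} of {rep.size} bytes at {rep.addr:#x} in {rep.func}, "
           f"via {syscall_frame(rep.crash_stack)} by {rep.task}/{rep.pid}",
           f"object: {rep.cache} ({rep.obj_size} bytes), access at offset {rep.offset}",
           f"allocated by {blame_frame(rep.alloc_stack)} via {syscall_frame(rep.alloc_stack)} "
           f"(task {rep.alloc_task})",
           f"freed by {blame_frame(rep.free_stack)} via "
           f"{syscall_frame(rep.free_stack) or 'no syscall on stack (softirq/RCU)'} (task {rep.free_task})"]
    return "\n".join(out)
```

Running print(triage(parse_kasan_report(SAMPLE_REPORT))) gives four lines: a use-after-free read of 8 bytes at offset 24 of a 160-byte ip_dst_cache object in ip6_xmit via SyS_sendmsg, allocated by dst_alloc via SyS_connect in task 4243, freed by dst_destroy with no syscall on the stack (task 0). Feeding it the full console log above instead works the same way, since the parser stops each stack at the first non-frame line and ignores the repeated trace printed by the panic; the "?" filtering matters because those slots are leftovers from earlier calls and would otherwise put misleading callers such as selinux_socket_connect on the sendmsg path.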