[   10.759794] audit: type=1400 audit(1516636767.699:4): avc:  denied  { syslog } for  pid=3172 comm="rsyslogd" capability=34  scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=capability2 permissive=1
[ ok ] Starting enhanced syslogd: rsyslogd.
[ ok ] Starting periodic command scheduler: cron.
Starting mcstransd:
[ ok ] Starting file context maintaining daemon: restorecond.
[ ok ] Starting OpenBSD Secure Shell server: sshd.

Debian GNU/Linux 7 syzkaller ttyS0

Warning: Permanently added '10.128.0.21' (ECDSA) to the list of known hosts.
executing program
syzkaller login: [   19.390659] ==================================================================
[   19.391715] BUG: KASAN: use-after-free in ip6_xmit+0x1bc7/0x1bd0
[   19.392539] Read of size 8 at addr ffff8801d0624298 by task syzkaller417738/3320
[   19.393546]
[   19.393780] CPU: 0 PID: 3320 Comm: syzkaller417738 Not tainted 4.9.77-ge12a9c4 #18
[   19.394900] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   19.396123]  ffff8801c8e9f690 ffffffff81d941c9 ffffea0007418900 ffff8801d0624298
[   19.397308]  0000000000000000 ffff8801d0624298 ffff8801c0cc0064 ffff8801c8e9f6c8
[   19.398487]  ffffffff8153db93 ffff8801d0624298 0000000000000008 0000000000000000
[   19.399706] Call Trace:
[   19.400067]  [] dump_stack+0xc1/0x128
[   19.400780]  [] print_address_description+0x73/0x280
[   19.401675]  [] kasan_report+0x275/0x360
[   19.402420]  [] ? ip6_xmit+0x1bc7/0x1bd0
[   19.403166]  [] __asan_report_load8_noabort+0x14/0x20
[   19.404058]  [] ip6_xmit+0x1bc7/0x1bd0
[   19.404781]  [] ? save_stack_trace+0x16/0x20
[   19.405595]  [] ? save_trace+0xe0/0x270
[   19.406331]  [] ? ip6_finish_output2+0x1d20/0x1d20
[   19.407188]  [] ? debug_check_no_locks_freed+0x2c0/0x2c0
[   19.408109]  [] ? __lock_is_held+0xa1/0xf0
[   19.408878]  [] ? ipv4_dst_check+0x111/0x160
[   19.409671]  [] ? __sk_dst_check+0x10e/0x240
[   19.410463]  [] inet6_csk_xmit+0x27d/0x4d0
[   19.414359]  [] ? inet6_csk_xmit+0x100/0x4d0
[   19.420295]  [] ? inet6_csk_update_pmtu+0x160/0x160
[   19.426842]  [] l2tp_xmit_skb+0xcdc/0xf50
[   19.432523]  [] pppol2tp_sendmsg+0x5c0/0x7a0
[   19.438462]  [] ? selinux_socket_sendmsg+0x3f/0x50
[   19.444925]  [] ? pppol2tp_release+0x2e0/0x2e0
[   19.451035]  [] sock_sendmsg+0xca/0x110
[   19.456552]  [] ___sys_sendmsg+0x6d1/0x7e0
[   19.462330]  [] ? copy_msghdr_from_user+0x550/0x550
[   19.468960]  [] ? __lru_cache_add+0x187/0x250
[   19.474992]  [] ? do_huge_pmd_anonymous_page+0xb05/0x10d0
[   19.482058]  [] ? _raw_spin_unlock+0x2c/0x50
[   19.488006]  [] ? do_huge_pmd_anonymous_page+0x2d4/0x10d0
[   19.495075]  [] ? handle_mm_fault+0x6ee/0x2530
[   19.501185]  [] ? __pmd_alloc+0x410/0x410
[   19.506961]  [] ? __fget_light+0x158/0x1e0
[   19.512725]  [] ? __fdget+0x18/0x20
[   19.517881]  [] __sys_sendmsg+0xd6/0x190
[   19.523470]  [] ? SyS_shutdown+0x1b0/0x1b0
[   19.529235]  [] ? __do_page_fault+0x5ec/0xd40
[   19.535259]  [] ? __do_page_fault+0x3bd/0xd40
[   19.541412]  [] ? trace_hardirqs_on_caller+0x38b/0x590
[   19.548217]  [] SyS_sendmsg+0x2d/0x50
[   19.553550]  [] entry_SYSCALL_64_fastpath+0x29/0xe8
[   19.560094]
[   19.561689] Allocated by task 3304:
[   19.565285]  save_stack_trace+0x16/0x20
[   19.569227]  save_stack+0x43/0xd0
[   19.572645]  kasan_kmalloc+0xad/0xe0
[   19.576339]  kasan_slab_alloc+0x12/0x20
[   19.580279]  kmem_cache_alloc+0xba/0x290
[   19.584307]  dst_alloc+0x11f/0x1a0
[   19.587821]  rt_dst_alloc+0x78/0x430
[   19.591499]  __ip_route_output_key_hash+0xa4e/0x23e0
[   19.596572]  __ip4_datagram_connect+0xa17/0x1160
[   19.601298]  __ip6_datagram_connect+0x6f9/0xdf0
[   19.605933]  ip6_datagram_connect+0x2f/0x50
[   19.610223]  inet_dgram_connect+0x16b/0x1f0
[   19.614510]  SYSC_connect+0x1b6/0x310
[   19.618278]  SyS_connect+0x24/0x30
[   19.621782]  entry_SYSCALL_64_fastpath+0x29/0xe8
[   19.626499]
[   19.628093] Freed by task 0:
[   19.631080]  save_stack_trace+0x16/0x20
[   19.635022]  save_stack+0x43/0xd0
[   19.638444]  kasan_slab_free+0x72/0xc0
[   19.642295]  kmem_cache_free+0xc7/0x300
[   19.646239]  dst_destroy+0x1fd/0x360
[   19.649918]  dst_destroy_rcu+0x15/0x40
[   19.653772]  rcu_process_callbacks+0x898/0x1300
[   19.660765]  __do_softirq+0x206/0x951
[   19.664535]
[   19.666133] The buggy address belongs to the object at ffff8801d0624280
[   19.666133]  which belongs to the cache ip_dst_cache of size 216
[   19.678843] The buggy address is located 24 bytes inside of
[   19.678843]  216-byte region [ffff8801d0624280, ffff8801d0624358)
[   19.691308] The buggy address belongs to the page:
[   19.696300] page:ffffea0007418900 count:1 mapcount:0 mapping:          (null) index:0x0
[   19.704626] flags: 0x8000000000000080(slab)
[   19.708918] page dumped because: kasan: bad access detected
[   19.714589]
[   19.716187] Memory state around the buggy address:
[   19.721179]  ffff8801d0624180: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   19.728508]  ffff8801d0624200: 00 00 00 fc fc fc fc fc fc fc fc fc fc fc fc fc
[   19.735833] >ffff8801d0624280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   19.743157]                             ^
[   19.747270]  ffff8801d0624300: fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc fc
[   19.754593]  ffff8801d0624380: fc fc fc fc fc fc fc fc 00 00 00 00 00 00 00 00
[   19.761920] ==================================================================
[   19.769245] Disabling lock debugging due to kernel taint
[   19.774683] Kernel panic - not syncing: panic_on_warn set ...
[   19.774683]
[   19.782024] CPU: 0 PID: 3320 Comm: syzkaller417738 Tainted: G    B           4.9.77-ge12a9c4 #18
[   19.791679] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   19.801001]  ffff8801c8e9f5e8 ffffffff81d941c9 ffffffff841970ff ffff8801c8e9f6c0
[   19.808963]  0000000000000000 ffff8801d0624298 ffff8801c0cc0064 ffff8801c8e9f6b0
[   19.816924]  ffffffff8142f3c1 0000000041b58ab3 ffffffff8418ab70 ffffffff8142f205
[   19.824879] Call Trace:
[   19.827437]  [] dump_stack+0xc1/0x128
[   19.832772]  [] panic+0x1bc/0x3a8
[   19.837756]  [] ? percpu_up_read_preempt_enable.constprop.53+0xd7/0xd7
[   19.845957]  [] kasan_end_report+0x50/0x50
[   19.851720]  [] kasan_report+0x167/0x360
[   19.857311]  [] ? ip6_xmit+0x1bc7/0x1bd0
[   19.862913]  [] __asan_report_load8_noabort+0x14/0x20
[   19.869630]  [] ip6_xmit+0x1bc7/0x1bd0
[   19.875047]  [] ? save_stack_trace+0x16/0x20
[   19.880985]  [] ? save_trace+0xe0/0x270
[   19.886488]  [] ? ip6_finish_output2+0x1d20/0x1d20
[   19.892946]  [] ? debug_check_no_locks_freed+0x2c0/0x2c0
[   19.899925]  [] ? __lock_is_held+0xa1/0xf0
[   19.905694]  [] ? ipv4_dst_check+0x111/0x160
[   19.911635]  [] ? __sk_dst_check+0x10e/0x240
[   19.917573]  [] inet6_csk_xmit+0x27d/0x4d0
[   19.923338]  [] ? inet6_csk_xmit+0x100/0x4d0
[   19.929276]  [] ? inet6_csk_update_pmtu+0x160/0x160
[   19.935824]  [] l2tp_xmit_skb+0xcdc/0xf50
[   19.941501]  [] pppol2tp_sendmsg+0x5c0/0x7a0
[   19.947440]  [] ? selinux_socket_sendmsg+0x3f/0x50
[   19.953910]  [] ? pppol2tp_release+0x2e0/0x2e0
[   19.960025]  [] sock_sendmsg+0xca/0x110
[   19.965529]  [] ___sys_sendmsg+0x6d1/0x7e0
[   19.971295]  [] ? copy_msghdr_from_user+0x550/0x550
[   19.978030]  [] ? __lru_cache_add+0x187/0x250
[   19.984092]  [] ? do_huge_pmd_anonymous_page+0xb05/0x10d0
[   19.991162]  [] ? _raw_spin_unlock+0x2c/0x50
[   19.997104]  [] ? do_huge_pmd_anonymous_page+0x2d4/0x10d0
[   20.004455]  [] ? handle_mm_fault+0x6ee/0x2530
[   20.010567]  [] ? __pmd_alloc+0x410/0x410
[   20.016245]  [] ? __fget_light+0x158/0x1e0
[   20.022009]  [] ? __fdget+0x18/0x20
[   20.027167]  [] __sys_sendmsg+0xd6/0x190
[   20.032757]  [] ? SyS_shutdown+0x1b0/0x1b0
[   20.038525]  [] ? __do_page_fault+0x5ec/0xd40
[   20.044553]  [] ? __do_page_fault+0x3bd/0xd40
[   20.050579]  [] ? trace_hardirqs_on_caller+0x38b/0x590
[   20.057387]  [] SyS_sendmsg+0x2d/0x50
[   20.062812]  [] entry_SYSCALL_64_fastpath+0x29/0xe8
[   20.069775] Dumping ftrace buffer:
[   20.073287]    (ftrace buffer empty)
[   20.076967] Kernel Offset: disabled
[   20.080561] Rebooting in 86400 seconds..
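Added example, not part of the report above and not code from syzkaller or the kernel: a Python triage helper for KASAN slab reports of this shape. It strips the printk timestamps, pulls the access site out of the Call Trace (dropping the `?` speculative frames and the KASAN/stack-saving plumbing), extracts the "Allocated by" and "Freed by" stacks, checks the reported offset against the object base, and decodes the shadow byte that covers the faulting address. Assumptions: the shadow encoding (one shadow byte per 8 bytes of memory; 0xfb = freed slab object, 0xfc = slab redzone, and so on) follows mm/kasan/kasan.h for 4.9-era kernels, and the embedded REPORT is a trimmed copy of the report above used as sample input.

```python
"""KASAN slab-report triage (added example; not kernel or syzkaller code)."""
import re

SHADOW_GRANULE = 8  # one shadow byte covers 8 bytes of kernel memory
SHADOW_LEGEND = {   # poison values as in mm/kasan/kasan.h (4.9-era kernels)
    0xFF: "freed page (KASAN_FREE_PAGE)",
    0xFE: "kmalloc_large redzone (KASAN_PAGE_REDZONE)",
    0xFC: "slab object redzone (KASAN_KMALLOC_REDZONE)",
    0xFB: "freed slab object (KASAN_KMALLOC_FREE)",
    0xFA: "global redzone (KASAN_GLOBAL_REDZONE)",
    0xF8: "out of scope (KASAN_USE_AFTER_SCOPE)",
}
TS_RE = re.compile(r"^\[\s*[\d.]+\]\s?")  # "[   19.391715] " printk prefix
FRAME_RE = re.compile(r"(\?\s+)?([A-Za-z_][\w.]*)\+0x[0-9a-f]+/0x[0-9a-f]+")
ROW_RE = re.compile(r"^[ >]([0-9a-f]{16}): ((?:[0-9a-f]{2} ?){16})$")
PLUMBING = ("dump_stack", "print_address_description", "kasan_", "__asan_", "save_stack")

# Trimmed copy of the report above, used here as sample input.
REPORT = """\
[   19.391715] BUG: KASAN: use-after-free in ip6_xmit+0x1bc7/0x1bd0
[   19.392539] Read of size 8 at addr ffff8801d0624298 by task syzkaller417738/3320
[   19.399706] Call Trace:
[   19.400067]  [] dump_stack+0xc1/0x128
[   19.401675]  [] kasan_report+0x275/0x360
[   19.402420]  [] ? ip6_xmit+0x1bc7/0x1bd0
[   19.403166]  [] __asan_report_load8_noabort+0x14/0x20
[   19.404058]  [] ip6_xmit+0x1bc7/0x1bd0
[   19.408878]  [] ? ipv4_dst_check+0x111/0x160
[   19.410463]  [] inet6_csk_xmit+0x27d/0x4d0
[   19.426842]  [] l2tp_xmit_skb+0xcdc/0xf50
[   19.432523]  [] pppol2tp_sendmsg+0x5c0/0x7a0
[   19.553550]  [] entry_SYSCALL_64_fastpath+0x29/0xe8
[   19.560094]
[   19.561689] Allocated by task 3304:
[   19.565285]  save_stack_trace+0x16/0x20
[   19.576339]  kasan_slab_alloc+0x12/0x20
[   19.584307]  dst_alloc+0x11f/0x1a0
[   19.587821]  rt_dst_alloc+0x78/0x430
[   19.596572]  __ip4_datagram_connect+0xa17/0x1160
[   19.601298]  __ip6_datagram_connect+0x6f9/0xdf0
[   19.626499]
[   19.628093] Freed by task 0:
[   19.631080]  save_stack_trace+0x16/0x20
[   19.646239]  dst_destroy+0x1fd/0x360
[   19.649918]  dst_destroy_rcu+0x15/0x40
[   19.653772]  rcu_process_callbacks+0x898/0x1300
[   19.660765]  __do_softirq+0x206/0x951
[   19.664535]
[   19.666133] The buggy address belongs to the object at ffff8801d0624280
[   19.666133]  which belongs to the cache ip_dst_cache of size 216
[   19.678843] The buggy address is located 24 bytes inside of
[   19.728508]  ffff8801d0624200: 00 00 00 fc fc fc fc fc fc fc fc fc fc fc fc fc
[   19.735833] >ffff8801d0624280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   19.747270]  ffff8801d0624300: fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc fc
"""

def describe_shadow(value):
    if value is None:
        return "not covered by the dumped shadow"
    if value == 0:
        return "fully addressable"
    if 1 <= value <= 7:
        return "partially addressable (first %d bytes)" % value
    return SHADOW_LEGEND.get(value, "unknown poison 0x%02x" % value)

def frames_after(lines):
    """(symbol, speculative) for one stack section, up to the next blank line."""
    out = []
    for line in lines:
        if not line.strip():
            break
        if m := FRAME_RE.search(line):
            out.append((m.group(2), m.group(1) is not None))
    return out

def parse_kasan_report(text):
    lines = [TS_RE.sub("", l) for l in text.splitlines()]
    rep = {"access_stack": [], "alloc_stack": [], "free_stack": [], "rows": []}
    for i, line in enumerate(lines):
        if m := re.search(r"BUG: KASAN: ([\w-]+) in ([\w.]+)\+0x", line):
            rep["bug"], rep["func"] = m.groups()
        elif m := re.search(r"(Read|Write) of size (\d+) at addr ([0-9a-f]+) by task \S+/(\d+)", line):
            rep["access"], rep["size"] = m.group(1), int(m.group(2))
            rep["addr"], rep["pid"] = int(m.group(3), 16), int(m.group(4))
        elif line.startswith("Call Trace:"):
            rep["access_stack"] = frames_after(lines[i + 1:])
        elif m := re.match(r"(Allocated|Freed) by task (\d+):", line):
            key = "alloc" if m.group(1) == "Allocated" else "free"
            rep[key + "_pid"] = int(m.group(2))
            rep[key + "_stack"] = frames_after(lines[i + 1:])
        elif m := re.search(r"belongs to the object at ([0-9a-f]+)", line):
            rep["object"] = int(m.group(1), 16)
        elif m := re.search(r"belongs to the cache (\S+) of size (\d+)", line):
            rep["cache"], rep["object_size"] = m.group(1), int(m.group(2))
        elif m := re.search(r"located (\d+) bytes inside of", line):
            rep["reported_offset"] = int(m.group(1))
        elif m := ROW_RE.match(line):  # "Memory state" row: 16 shadow bytes = 128 bytes
            rep["rows"].append((int(m.group(1), 16), [int(b, 16) for b in m.group(2).split()]))
    return rep

def shadow_byte(rows, addr):
    """Shadow value covering addr, or None if the dump does not include it."""
    for base, vals in rows:
        if base <= addr < base + SHADOW_GRANULE * len(vals):
            return vals[(addr - base) // SHADOW_GRANULE]
    return None

def real_frames(frames):
    """Drop speculative '?' frames and KASAN/stack-saving plumbing."""
    return [s for s, spec in frames if not spec and not s.startswith(PLUMBING)]

def triage(text):
    rep = parse_kasan_report(text)
    offset = rep["addr"] - rep["object"]
    site = real_frames(rep["access_stack"])[0]
    return {
        "bug": rep["bug"],
        "access": "%s of %d bytes at %s+%d" % (rep["access"], rep["size"], rep["cache"], offset),
        "site": site,
        "site_matches_header": site == rep["func"],
        "offset_matches_report": offset == rep["reported_offset"],
        "in_object": 0 <= offset < rep["object_size"],
        "shadow": describe_shadow(shadow_byte(rep["rows"], rep["addr"])),
        "alloc_path": real_frames(rep["alloc_stack"]),
        "free_path": real_frames(rep["free_stack"]),
        "free_in_softirq": rep["free_pid"] == 0 and "__do_softirq" in real_frames(rep["free_stack"]),
    }

if __name__ == "__main__":
    for k, v in triage(REPORT).items():
        print("%-22s %s" % (k, v))
```

For this report the helper confirms the three facts a triager wants before reading the code: the faulting load is 24 bytes into an `ip_dst_cache` object whose shadow byte is 0xfb (freed slab object), the object was allocated on the connect() path and freed from an RCU callback in softirq context (task 0), and the access site agrees with the header symbol. The shadow lookup also works for addresses other than the faulting one, so the same rows can be used to see where the object's redzone starts.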