[ ok ] Starting enhanced syslogd: rsyslogd.
[   13.182472] audit: type=1400 audit(1516296802.159:5): avc:  denied  { syslog } for  pid=3492 comm="rsyslogd" capability=34  scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=capability2 permissive=1
[ ok ] Starting periodic command scheduler: cron.
Starting mcstransd:
[ ok ] Starting file context maintaining daemon: restorecond.
[ ok ] Starting OpenBSD Secure Shell server: sshd.

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [   19.875079] audit: type=1400 audit(1516296808.851:6): avc:  denied  { map } for  pid=3632 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
Warning: Permanently added '10.128.0.24' (ECDSA) to the list of known hosts.
executing program
[   26.113767] audit: type=1400 audit(1516296815.090:7): avc:  denied  { map } for  pid=3646 comm="syzkaller031403" path="/root/syzkaller031403522" dev="sda1" ino=16481 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
[   26.141585] ==================================================================
[   26.148958] BUG: KASAN: use-after-free in ip6_xmit+0x1ce9/0x2090
[   26.155069] Read of size 8 at addr ffff8801ce2e4b18 by task syzkaller031403/3646
[   26.162566]
[   26.164164] CPU: 0 PID: 3646 Comm: syzkaller031403 Not tainted 4.15.0-rc8+ #195
[   26.171597] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   26.180922] Call Trace:
[   26.183480]  dump_stack+0x194/0x257
[   26.187082]  ? arch_local_irq_restore+0x53/0x53
[   26.191720]  ? show_regs_print_info+0x18/0x18
[   26.196190]  ? ip6_xmit+0x1ce9/0x2090
[   26.199963]  print_address_description+0x73/0x250
[   26.204774]  ? ip6_xmit+0x1ce9/0x2090
[   26.208543]  kasan_report+0x25b/0x340
[   26.212317]  __asan_report_load8_noabort+0x14/0x20
[   26.217216]  ip6_xmit+0x1ce9/0x2090
[   26.220814]  ? __sk_dst_check+0x1a5/0x380
[   26.224943]  ? ip6_finish_output2+0x23a0/0x23a0
[   26.229585]  ? fl6_update_dst+0x127/0x2b0
[   26.233717]  ? check_noncircular+0x20/0x20
[   26.237923]  ? inet6_csk_route_socket+0x691/0xe80
[   26.242741]  ? lock_acquire+0x1d5/0x580
[   26.246681]  ? lock_acquire+0x1d5/0x580
[   26.250628]  ? inet6_csk_xmit+0x114/0x580
[   26.254752]  ? lock_release+0xa40/0xa40
[   26.258709]  inet6_csk_xmit+0x2fc/0x580
[   26.262653]  ? inet6_csk_update_pmtu+0x160/0x160
[   26.267377]  ? __sk_dst_check+0x1a5/0x380
[   26.271496]  ? sk_wait_data+0x610/0x610
[   26.275457]  l2tp_xmit_skb+0x105f/0x1410
[   26.279496]  ? l2tp_session_create+0xbf0/0xbf0
[   26.284047]  ? sock_wmalloc+0x15d/0x1d0
[   26.287993]  ? iov_iter_advance+0x13f0/0x13f0
[   26.292467]  ? pppol2tp_sendmsg+0x41b/0x670
[   26.296765]  pppol2tp_sendmsg+0x470/0x670
[   26.300886]  ? selinux_socket_sendmsg+0x36/0x40
[   26.305526]  ? pppol2tp_session_ioctl+0xa90/0xa90
[   26.310341]  sock_sendmsg+0xca/0x110
[   26.314025]  SYSC_sendto+0x361/0x5c0
[   26.317714]  ? SYSC_connect+0x4a0/0x4a0
[   26.321660]  ? up_read+0x1a/0x40
[   26.324998]  ? __do_page_fault+0x3d6/0xc90
[   26.329223]  ? __do_page_fault+0xc90/0xc90
[   26.333432]  ? sock_map_fd+0x53/0x90
[   26.337117]  ? SyS_socket+0x12d/0x1d0
[   26.340889]  ? entry_SYSCALL_64_fastpath+0x5/0xa0
[   26.345710]  SyS_sendto+0x40/0x50
[   26.349135]  entry_SYSCALL_64_fastpath+0x29/0xa0
[   26.353857] RIP: 0033:0x440029
[   26.357015] RSP: 002b:00007ffca653f1d8 EFLAGS: 00000217 ORIG_RAX: 000000000000002c
[   26.364693] RAX: ffffffffffffffda RBX: ffffffffffffffff RCX: 0000000000440029
[   26.371929] RDX: 0000000000000000 RSI: 0000000020de7000 RDI: 0000000000000004
[   26.379166] RBP: 9b036f82b49af77e R08: 000000002064eff0 R09: 0000000000000010
[   26.386403] R10: c3fe68eda9554f8b R11: 0000000000000217 R12: be19e5a44cbf42e5
[   26.393646] R13: c3fe68eda9554f8b R14: 0000000000000000 R15: 0000000000000000
[   26.400900]
[   26.402507] Allocated by task 3630:
[   26.406106]  save_stack+0x43/0xd0
[   26.409526]  kasan_kmalloc+0xad/0xe0
[   26.413208]  kasan_slab_alloc+0x12/0x20
[   26.417150]  kmem_cache_alloc+0x12e/0x760
[   26.421263]  dst_alloc+0x11f/0x1a0
[   26.424775]  rt_dst_alloc+0xe9/0x520
[   26.428455]  ip_route_output_key_hash_rcu+0xa40/0x2c20
[   26.433697]  ip_route_output_key_hash+0x20b/0x370
[   26.438505]  __ip4_datagram_connect+0xa67/0x1240
[   26.443229]  __ip6_datagram_connect+0x6fa/0xf80
[   26.447864]  ip6_datagram_connect+0x2f/0x50
[   26.452155]  inet_dgram_connect+0x16b/0x1f0
[   26.456441]  SYSC_connect+0x213/0x4a0
[   26.460207]  SyS_connect+0x24/0x30
[   26.463717]  entry_SYSCALL_64_fastpath+0x29/0xa0
[   26.468435]
[   26.470033] Freed by task 0:
[   26.473021]  save_stack+0x43/0xd0
[   26.476440]  kasan_slab_free+0x71/0xc0
[   26.480294]  kmem_cache_free+0x83/0x2a0
[   26.484234]  dst_destroy+0x257/0x370
[   26.487917]  dst_destroy_rcu+0x16/0x20
[   26.491773]  rcu_process_callbacks+0xd6c/0x17f0
[   26.496406]  __do_softirq+0x2d7/0xb85
[   26.500170]
[   26.501769] The buggy address belongs to the object at ffff8801ce2e4b00
[   26.501769]  which belongs to the cache ip_dst_cache of size 168
[   26.514479] The buggy address is located 24 bytes inside of
[   26.514479]  168-byte region [ffff8801ce2e4b00, ffff8801ce2e4ba8)
[   26.526232] The buggy address belongs to the page:
[   26.531130] page:ffffea000738b900 count:1 mapcount:0 mapping:ffff8801ce2e4000 index:0xffff8801ce2e4000
[   26.540541] flags: 0x2fffc0000000100(slab)
[   26.544746] raw: 02fffc0000000100 ffff8801ce2e4000 ffff8801ce2e4000 000000010000000c
[   26.552596] raw: ffff8801d7f7a538 ffff8801d7f7a538 ffff8801d6f0c4c0 0000000000000000
[   26.560443] page dumped because: kasan: bad access detected
[   26.566116]
[   26.567713] Memory state around the buggy address:
[   26.572610]  ffff8801ce2e4a00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   26.579936]  ffff8801ce2e4a80: 00 00 00 00 00 fc fc fc fc fc fc fc fc fc fc fc
[   26.587263] >ffff8801ce2e4b00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   26.594601]                             ^
[   26.598714]  ffff8801ce2e4b80: fb fb fb fb fb fc fc fc fc fc fc fc fc fc fc fc
[   26.606039]  ffff8801ce2e4c00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   26.613363] ==================================================================
[   26.620686] Disabling lock debugging due to kernel taint
[   26.626137] Kernel panic - not syncing: panic_on_warn set ...
[   26.626137]
[   26.633469] CPU: 0 PID: 3646 Comm: syzkaller031403 Tainted: G    B            4.15.0-rc8+ #195
[   26.642182] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   26.651505] Call Trace:
[   26.654062]  dump_stack+0x194/0x257
[   26.657661]  ? arch_local_irq_restore+0x53/0x53
[   26.662302]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[   26.667028]  ? vsnprintf+0x1ed/0x1900
[   26.670799]  ? ip6_xmit+0x1c20/0x2090
[   26.674567]  panic+0x1e4/0x41c
[   26.677729]  ? refcount_error_report+0x214/0x214
[   26.682454]  ? add_taint+0x1c/0x50
[   26.685962]  ? add_taint+0x1c/0x50
[   26.689469]  ? ip6_xmit+0x1ce9/0x2090
[   26.693239]  kasan_end_report+0x50/0x50
[   26.697180]  kasan_report+0x144/0x340
[   26.700951]  __asan_report_load8_noabort+0x14/0x20
[   26.705846]  ip6_xmit+0x1ce9/0x2090
[   26.709441]  ? __sk_dst_check+0x1a5/0x380
[   26.713561]  ? ip6_finish_output2+0x23a0/0x23a0
[   26.718199]  ? fl6_update_dst+0x127/0x2b0
[   26.722316]  ? check_noncircular+0x20/0x20
[   26.726517]  ? inet6_csk_route_socket+0x691/0xe80
[   26.731330]  ? lock_acquire+0x1d5/0x580
[   26.735273]  ? lock_acquire+0x1d5/0x580
[   26.739215]  ? inet6_csk_xmit+0x114/0x580
[   26.743333]  ? lock_release+0xa40/0xa40
[   26.747281]  inet6_csk_xmit+0x2fc/0x580
[   26.751224]  ? inet6_csk_update_pmtu+0x160/0x160
[   26.755947]  ? __sk_dst_check+0x1a5/0x380
[   26.760063]  ? sk_wait_data+0x610/0x610
[   26.764014]  l2tp_xmit_skb+0x105f/0x1410
[   26.768049]  ? l2tp_session_create+0xbf0/0xbf0
[   26.772598]  ? sock_wmalloc+0x15d/0x1d0
[   26.776541]  ? iov_iter_advance+0x13f0/0x13f0
[   26.781003]  ? pppol2tp_sendmsg+0x41b/0x670
[   26.785293]  pppol2tp_sendmsg+0x470/0x670
[   26.789409]  ? selinux_socket_sendmsg+0x36/0x40
[   26.794044]  ? pppol2tp_session_ioctl+0xa90/0xa90
[   26.798857]  sock_sendmsg+0xca/0x110
[   26.802542]  SYSC_sendto+0x361/0x5c0
[   26.806223]  ? SYSC_connect+0x4a0/0x4a0
[   26.810164]  ? up_read+0x1a/0x40
[   26.813500]  ? __do_page_fault+0x3d6/0xc90
[   26.817714]  ? __do_page_fault+0xc90/0xc90
[   26.821919]  ? sock_map_fd+0x53/0x90
[   26.825606]  ? SyS_socket+0x12d/0x1d0
[   26.829378]  ? entry_SYSCALL_64_fastpath+0x5/0xa0
[   26.834191]  SyS_sendto+0x40/0x50
[   26.837617]  entry_SYSCALL_64_fastpath+0x29/0xa0
[   26.842339] RIP: 0033:0x440029
[   26.845494] RSP: 002b:00007ffca653f1d8 EFLAGS: 00000217 ORIG_RAX: 000000000000002c
[   26.853169] RAX: ffffffffffffffda RBX: ffffffffffffffff RCX: 0000000000440029
[   26.860406] RDX: 0000000000000000 RSI: 0000000020de7000 RDI: 0000000000000004
[   26.867645] RBP: 9b036f82b49af77e R08: 000000002064eff0 R09: 0000000000000010
[   26.874886] R10: c3fe68eda9554f8b R11: 0000000000000217 R12: be19e5a44cbf42e5
[   26.882126] R13: c3fe68eda9554f8b R14: 0000000000000000 R15: 0000000000000000
[   26.889777] Dumping ftrace buffer:
[   26.893287]    (ftrace buffer empty)
[   26.896969] Kernel Offset: disabled
[   26.900566] Rebooting in 86400 seconds..
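The console capture above is what syzkaller hands a triager: boot noise, SELinux audit lines, then one KASAN report followed by the panic backtrace. As an added example (not part of the report and not syzkaller's own code), the parser below pulls the fields worth keying on out of that text: the bug kind and access type, the first non-instrumentation frame of the faulting stack, the allocation and free stacks with their owning tasks, and the slab cache, object size and offset. The sample input is excerpted from the report above; the `_PLUMBING` prefix list, the `culprit()` heuristic and the title format are my own choices modelled on syzkaller-style titles, not its exact algorithm.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Lines excerpted from the KASAN report in the console log above (the page's
# own data, trimmed to what the parser needs; nothing in it is invented).
REPORT = """\
[   26.148958] BUG: KASAN: use-after-free in ip6_xmit+0x1ce9/0x2090
[   26.155069] Read of size 8 at addr ffff8801ce2e4b18 by task syzkaller031403/3646
[   26.180922] Call Trace:
[   26.183480]  dump_stack+0x194/0x257
[   26.196190]  ? ip6_xmit+0x1ce9/0x2090
[   26.208543]  kasan_report+0x25b/0x340
[   26.212317]  __asan_report_load8_noabort+0x14/0x20
[   26.217216]  ip6_xmit+0x1ce9/0x2090
[   26.258709]  inet6_csk_xmit+0x2fc/0x580
[   26.296765]  pppol2tp_sendmsg+0x470/0x670
[   26.402507] Allocated by task 3630:
[   26.406106]  save_stack+0x43/0xd0
[   26.417150]  kmem_cache_alloc+0x12e/0x760
[   26.421263]  dst_alloc+0x11f/0x1a0
[   26.438505]  __ip4_datagram_connect+0xa67/0x1240
[   26.443229]  __ip6_datagram_connect+0x6fa/0xf80
[   26.470033] Freed by task 0:
[   26.473021]  save_stack+0x43/0xd0
[   26.480294]  kmem_cache_free+0x83/0x2a0
[   26.484234]  dst_destroy+0x257/0x370
[   26.487917]  dst_destroy_rcu+0x16/0x20
[   26.501769]  which belongs to the cache ip_dst_cache of size 168
[   26.514479] The buggy address is located 24 bytes inside of
"""

_HDR = re.compile(r"^BUG: KASAN: (?P<kind>[\w-]+) in [\w.]+")
_ACC = re.compile(r"^(?P<rw>Read|Write) of size (?P<size>\d+) at addr")
_OWNER = re.compile(r"^(?P<what>Allocated|Freed) by task (?P<pid>\d+):")
_CACHE = re.compile(r"belongs to the cache (?P<cache>\S+) of size (?P<size>\d+)")
_OFF = re.compile(r"located (?P<off>\d+) bytes inside of")
_FRAME = re.compile(r"^(?P<unsure>\? )?(?P<sym>[\w.]+)\+0x[0-9a-f]+/0x[0-9a-f]+(?: \[\w+\])?$")
_PLUMBING = (  # sanitizer/allocator frames that sit above the interesting one in every stack
    "dump_stack", "print_address_description", "kasan_", "__asan_",
    "save_stack", "kmem_cache_", "kmalloc", "__kmalloc", "kfree")


@dataclass
class KasanReport:
    kind: str                       # "use-after-free", "slab-out-of-bounds", ...
    rw: str = "?"                   # "Read" or "Write"
    size: int = 0
    access_stack: List[str] = field(default_factory=list)
    alloc_pid: Optional[int] = None
    alloc_stack: List[str] = field(default_factory=list)
    free_pid: Optional[int] = None  # 0 = freed from softirq/irq context, e.g. an RCU callback
    free_stack: List[str] = field(default_factory=list)
    cache: Optional[str] = None
    obj_size: Optional[int] = None
    offset: Optional[int] = None    # bytes from the object start to the bad access

    @staticmethod
    def culprit(stack: List[str]) -> Optional[str]:
        """First frame that is not plumbing ('? ' frames were already dropped)."""
        return next((s for s in stack if not s.startswith(_PLUMBING)), None)

    def title(self) -> str:
        """syzkaller-style one-liner that crash-dedup tooling groups reports by."""
        return f"KASAN: {self.kind} {self.rw} in {self.culprit(self.access_stack)}"


def parse_kasan_report(text: str) -> KasanReport:
    """Extract the first KASAN report from noisy console output."""
    report: Optional[KasanReport] = None
    section: Optional[List[str]] = None        # stack list currently being filled
    for raw in text.splitlines():
        line = re.sub(r"^\[\s*\d+\.\d+\]\s?", "", raw).strip()   # drop printk timestamp
        frame = _FRAME.match(line)
        if frame and section is not None:
            if not frame.group("unsure"):      # "? sym" is a stale stack slot, not a caller
                section.append(frame.group("sym"))
            continue
        section = None                         # any non-frame line closes the current stack
        if (m := _HDR.match(line)):
            report = KasanReport(kind=m["kind"])
        elif report is None:
            continue                           # boot noise before the report header
        elif (m := _ACC.match(line)):
            report.rw, report.size = m["rw"], int(m["size"])
        elif line == "Call Trace:":
            section = report.access_stack
        elif (m := _OWNER.match(line)):
            if m["what"] == "Allocated":
                report.alloc_pid, section = int(m["pid"]), report.alloc_stack
            else:
                report.free_pid, section = int(m["pid"]), report.free_stack
        elif (m := _CACHE.search(line)):
            report.cache, report.obj_size = m["cache"], int(m["size"])
        elif (m := _OFF.search(line)):
            report.offset = int(m["off"])
        elif line.startswith("====="):
            break                              # closing separator: the report is complete
    if report is None:
        raise ValueError("no KASAN report found")
    return report


if __name__ == "__main__":
    print(parse_kasan_report(REPORT).title())
```

On the report above this yields the title `KASAN: use-after-free Read in ip6_xmit`, an object allocated by `dst_alloc` on the `__ip6_datagram_connect` → `__ip4_datagram_connect` path (an IPv4-mapped `connect()` on the PPPoL2TP socket) and freed by `dst_destroy` from an RCU callback in task 0, at offset 24 of a 168-byte `ip_dst_cache` object, which agrees with the faulting address ffff8801ce2e4b18 against the object base ffff8801ce2e4b00 printed in the report. A free stack that ends in `rcu_process_callbacks` with no owning task is the signal that the object reached refcount zero elsewhere, so the triage question is who dropped the last reference on the socket's cached dst, not who called kfree.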