[....] Starting enhanced syslogd: rsyslogd
[ 14.758303] audit: type=1400 audit(1521052929.992:5): avc: denied { syslog } for pid=4016 comm="rsyslogd" capability=34 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=capability2 permissive=1
[ ok ] Starting enhanced syslogd: rsyslogd.
[ ok ] Starting periodic command scheduler: cron.
Starting mcstransd:
[ ok ] Starting file context maintaining daemon: restorecond.
[ ok ] Starting OpenBSD Secure Shell server: sshd.

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login:
[ 18.625399] audit: type=1400 audit(1521052933.859:6): avc: denied { map } for pid=4155 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
Warning: Permanently added '10.128.0.13' (ECDSA) to the list of known hosts.
executing program
executing program
[ 24.999071] audit: type=1400 audit(1521052940.232:7): avc: denied { map } for pid=4169 comm="syzkaller582898" path="/root/syzkaller582898232" dev="sda1" ino=16481 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
[ 25.040786] ==================================================================
[ 25.048238] BUG: KASAN: use-after-free in ip6_xmit+0x1f76/0x2260
[ 25.054358] Read of size 8 at addr ffff8801c2f8e018 by task syzkaller582898/4171
[ 25.061875]
[ 25.063478] CPU: 1 PID: 4171 Comm: syzkaller582898 Not tainted 4.16.0-rc4+ #265
[ 25.070892] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 25.080218] Call Trace:
[ 25.082789]  dump_stack+0x194/0x24d
[ 25.086392]  ? arch_local_irq_restore+0x53/0x53
[ 25.091039]  ? show_regs_print_info+0x18/0x18
[ 25.095516]  ? ip6_xmit+0x1f76/0x2260
[ 25.099294]  print_address_description+0x73/0x250
[ 25.104110]  ? ip6_xmit+0x1f76/0x2260
[ 25.107884]  kasan_report+0x23c/0x360
[ 25.111659]  __asan_report_load8_noabort+0x14/0x20
[ 25.116572]  ip6_xmit+0x1f76/0x2260
[ 25.120192]  ? ip6_finish_output2+0x23d0/0x23d0
[ 25.124836]  ? fl6_update_dst+0x127/0x2b0
[ 25.128975]  ? inet6_csk_route_socket+0x691/0xe80
[ 25.133805]  ? trace_hardirqs_off+0x10/0x10
[ 25.138109]  ? lock_acquire+0x1d5/0x580
[ 25.142056]  ? lock_acquire+0x1d5/0x580
[ 25.146006]  ? inet6_csk_xmit+0x114/0x580
[ 25.150136]  ? trace_hardirqs_off+0x10/0x10
[ 25.154436]  ? lock_release+0xa40/0xa40
[ 25.158400]  inet6_csk_xmit+0x2fc/0x580
[ 25.162348]  ? inet6_csk_update_pmtu+0x160/0x160
[ 25.167078]  ? __sk_dst_check+0x1a5/0x380
[ 25.171202]  ? sock_kzfree_s+0x60/0x60
[ 25.175082]  l2tp_xmit_skb+0x105f/0x1410
[ 25.179128]  ? l2tp_session_create+0xb80/0xb80
[ 25.183687]  ? sock_wmalloc+0x15d/0x1d0
[ 25.187648]  ? iov_iter_advance+0x13f0/0x13f0
[ 25.192146]  ? pppol2tp_sendmsg+0x41b/0x670
[ 25.196459]  pppol2tp_sendmsg+0x470/0x670
[ 25.200588]  ? selinux_socket_sendmsg+0x36/0x40
[ 25.205236]  ? pppol2tp_getsockopt+0x900/0x900
[ 25.209794]  sock_sendmsg+0xca/0x110
[ 25.213483]  SYSC_sendto+0x361/0x5c0
[ 25.217173]  ? SYSC_connect+0x4a0/0x4a0
[ 25.221166]  ? inet_dgram_connect+0x172/0x1f0
[ 25.225638]  ? SYSC_connect+0x2e0/0x4a0
[ 25.229628]  ? mm_fault_error+0x2c0/0x2c0
[ 25.233750]  ? move_addr_to_kernel+0x60/0x60
[ 25.238137]  SyS_sendto+0x40/0x50
[ 25.241568]  ? SyS_getpeername+0x30/0x30
[ 25.245605]  do_syscall_64+0x281/0x940
[ 25.249468]  ? __do_page_fault+0xc90/0xc90
[ 25.253675]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 25.258407]  ? syscall_return_slowpath+0x550/0x550
[ 25.263315]  ? syscall_return_slowpath+0x2ac/0x550
[ 25.268221]  ? prepare_exit_to_usermode+0x350/0x350
[ 25.273212]  ? entry_SYSCALL_64_after_hwframe+0x52/0xb7
[ 25.278562]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 25.283384]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 25.288546] RIP: 0033:0x4415e9
[ 25.291707] RSP: 002b:00007ffd575f8108 EFLAGS: 00000216 ORIG_RAX: 000000000000002c
[ 25.299388] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00000000004415e9
[ 25.306631] RDX: 0000000000000000 RSI: 0000000020001180 RDI: 0000000000000004
[ 25.313877] RBP: 00000000000061ac R08: 00000000200021c0 R09: 0000000000000080
[ 25.321120] R10: 0000000000040001 R11: 0000000000000216 R12: 0000000000000000
[ 25.328365] R13: 00000000006cd448 R14: 0000000000000000 R15: 0000000000000000
[ 25.335629]
[ 25.337237] Allocated by task 3658:
[ 25.340882]  save_stack+0x43/0xd0
[ 25.344313]  kasan_kmalloc+0xad/0xe0
[ 25.348003]  kasan_slab_alloc+0x12/0x20
[ 25.351958]  kmem_cache_alloc+0x12e/0x760
[ 25.356077]  getname_flags+0xcb/0x580
[ 25.359858]  user_path_at_empty+0x2d/0x50
[ 25.363978]  vfs_statx+0xe9/0x190
[ 25.367403]  SYSC_newstat+0x87/0xf0
[ 25.371000]  SyS_newstat+0x1d/0x30
[ 25.374521]  do_syscall_64+0x281/0x940
[ 25.378383]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 25.383540]
[ 25.385139] Freed by task 3658:
[ 25.388388]  save_stack+0x43/0xd0
[ 25.391812]  __kasan_slab_free+0x11a/0x170
[ 25.396025]  kasan_slab_free+0xe/0x10
[ 25.399814]  kmem_cache_free+0x83/0x2a0
[ 25.403765]  putname+0xee/0x130
[ 25.407020]  filename_lookup+0x315/0x500
[ 25.411058]  user_path_at_empty+0x40/0x50
[ 25.415179]  vfs_statx+0xe9/0x190
[ 25.418609]  SYSC_newstat+0x87/0xf0
[ 25.422205]  SyS_newstat+0x1d/0x30
[ 25.425720]  do_syscall_64+0x281/0x940
[ 25.429581]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 25.434739]
[ 25.436343] The buggy address belongs to the object at ffff8801c2f8e000
[ 25.436343]  which belongs to the cache names_cache of size 4096
[ 25.449060] The buggy address is located 24 bytes inside of
[ 25.449060]  4096-byte region [ffff8801c2f8e000, ffff8801c2f8f000)
[ 25.460906] The buggy address belongs to the page:
[ 25.465816] page:ffffea00070be380 count:1 mapcount:0 mapping:ffff8801c2f8e000 index:0x0 compound_mapcount: 0
[ 25.475757] flags: 0x2fffc0000008100(slab|head)
[ 25.480405] raw: 02fffc0000008100 ffff8801c2f8e000 0000000000000000 0000000100000001
[ 25.488262] raw: ffffea00070be5a0 ffffea00070bd320 ffff8801da5d6600 0000000000000000
[ 25.496113] page dumped because: kasan: bad access detected
[ 25.501792]
[ 25.503395] Memory state around the buggy address:
[ 25.508307]  ffff8801c2f8df00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 25.515647]  ffff8801c2f8df80: 00 00 00 00 fc fc fc fc fc fc fc fc fc fc fc fc
[ 25.522991] >ffff8801c2f8e000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 25.530344]                             ^
[ 25.534465]  ffff8801c2f8e080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 25.541807]  ffff8801c2f8e100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 25.549142] ==================================================================
[ 25.556472] Disabling lock debugging due to kernel taint
[ 25.561928] Kernel panic - not syncing: panic_on_warn set ...
[ 25.561928]
[ 25.569278] CPU: 1 PID: 4171 Comm: syzkaller582898 Tainted: G B 4.16.0-rc4+ #265
[ 25.578009] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 25.587342] Call Trace:
[ 25.589907]  dump_stack+0x194/0x24d
[ 25.593508]  ? arch_local_irq_restore+0x53/0x53
[ 25.598151]  ? kasan_end_report+0x32/0x50
[ 25.602282]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 25.607024]  ? vsnprintf+0x1ed/0x1900
[ 25.610803]  ? ip6_xmit+0x1f40/0x2260
[ 25.614575]  panic+0x1e4/0x41c
[ 25.617738]  ? refcount_error_report+0x214/0x214
[ 25.622464]  ? add_taint+0x1c/0x50
[ 25.625980]  ? add_taint+0x1c/0x50
[ 25.629492]  ? ip6_xmit+0x1f76/0x2260
[ 25.633262]  kasan_end_report+0x50/0x50
[ 25.637206]  kasan_report+0x149/0x360
[ 25.640977]  __asan_report_load8_noabort+0x14/0x20
[ 25.645878]  ip6_xmit+0x1f76/0x2260
[ 25.649482]  ? ip6_finish_output2+0x23d0/0x23d0
[ 25.654128]  ? fl6_update_dst+0x127/0x2b0
[ 25.658264]  ? inet6_csk_route_socket+0x691/0xe80
[ 25.663096]  ? trace_hardirqs_off+0x10/0x10
[ 25.667388]  ? lock_acquire+0x1d5/0x580
[ 25.671336]  ? lock_acquire+0x1d5/0x580
[ 25.675285]  ? inet6_csk_xmit+0x114/0x580
[ 25.679404]  ? trace_hardirqs_off+0x10/0x10
[ 25.683699]  ? lock_release+0xa40/0xa40
[ 25.687650]  inet6_csk_xmit+0x2fc/0x580
[ 25.691597]  ? inet6_csk_update_pmtu+0x160/0x160
[ 25.696334]  ? __sk_dst_check+0x1a5/0x380
[ 25.700455]  ? sock_kzfree_s+0x60/0x60
[ 25.704323]  l2tp_xmit_skb+0x105f/0x1410
[ 25.708358]  ? l2tp_session_create+0xb80/0xb80
[ 25.712911]  ? sock_wmalloc+0x15d/0x1d0
[ 25.716858]  ? iov_iter_advance+0x13f0/0x13f0
[ 25.721328]  ? pppol2tp_sendmsg+0x41b/0x670
[ 25.725620]  pppol2tp_sendmsg+0x470/0x670
[ 25.729740]  ? selinux_socket_sendmsg+0x36/0x40
[ 25.734382]  ? pppol2tp_getsockopt+0x900/0x900
[ 25.738935]  sock_sendmsg+0xca/0x110
[ 25.742619]  SYSC_sendto+0x361/0x5c0
[ 25.746307]  ? SYSC_connect+0x4a0/0x4a0
[ 25.750263]  ? inet_dgram_connect+0x172/0x1f0
[ 25.754731]  ? SYSC_connect+0x2e0/0x4a0
[ 25.758702]  ? mm_fault_error+0x2c0/0x2c0
[ 25.762826]  ? move_addr_to_kernel+0x60/0x60
[ 25.767207]  SyS_sendto+0x40/0x50
[ 25.770630]  ? SyS_getpeername+0x30/0x30
[ 25.774664]  do_syscall_64+0x281/0x940
[ 25.778524]  ? __do_page_fault+0xc90/0xc90
[ 25.782729]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 25.787456]  ? syscall_return_slowpath+0x550/0x550
[ 25.792357]  ? syscall_return_slowpath+0x2ac/0x550
[ 25.797259]  ? prepare_exit_to_usermode+0x350/0x350
[ 25.802262]  ? entry_SYSCALL_64_after_hwframe+0x52/0xb7
[ 25.807610]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 25.812426]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 25.817586] RIP: 0033:0x4415e9
[ 25.820744] RSP: 002b:00007ffd575f8108 EFLAGS: 00000216 ORIG_RAX: 000000000000002c
[ 25.828422] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00000000004415e9
[ 25.835663] RDX: 0000000000000000 RSI: 0000000020001180 RDI: 0000000000000004
[ 25.842905] RBP: 00000000000061ac R08: 00000000200021c0 R09: 0000000000000080
[ 25.850144] R10: 0000000000040001 R11: 0000000000000216 R12: 0000000000000000
[ 25.857383] R13: 00000000006cd448 R14: 0000000000000000 R15: 0000000000000000
[ 25.865044] Dumping ftrace buffer:
[ 25.868552]    (ftrace buffer empty)
[ 25.872232] Kernel Offset: disabled
[ 25.875830] Rebooting in 86400 seconds..