[....] Starting enhanced syslogd: rsyslogd
[ 16.852699] audit: type=1400 audit(1520995221.157:5): avc: denied { syslog } for pid=4094 comm="rsyslogd" capability=34 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=capability2 permissive=1
[ ok .
[....] Starting periodic command scheduler: cron
[ ok .
Starting mcstransd:
[....] Starting file context maintaining daemon: restorecond
[ ok .
[....] Starting OpenBSD Secure Shell server: sshd
[ ok .

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [ 18.940155] audit: type=1400 audit(1520995223.244:6): avc: denied { map } for pid=4233 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
Warning: Permanently added '10.128.0.51' (ECDSA) to the list of known hosts.
executing program
[ 25.247738] audit: type=1400 audit(1520995229.552:7): avc: denied { map } for pid=4247 comm="syzkaller316059" path="/root/syzkaller316059146" dev="sda1" ino=16481 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
[ 25.256653] ==================================================================
[ 25.281021] BUG: KASAN: use-after-free in ip6_xmit+0x1f76/0x2260
[ 25.287147] Read of size 8 at addr ffff8801aec79e18 by task syzkaller316059/4248
[ 25.294648]
[ 25.296253] CPU: 0 PID: 4248 Comm: syzkaller316059 Not tainted 4.16.0-rc5+ #352
[ 25.303670] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 25.312992] Call Trace:
[ 25.315565]  dump_stack+0x194/0x24d
[ 25.319169]  ? arch_local_irq_restore+0x53/0x53
[ 25.323808]  ? show_regs_print_info+0x18/0x18
[ 25.328282]  ? ip6_xmit+0x1f76/0x2260
[ 25.332055]  print_address_description+0x73/0x250
[ 25.336870]  ? ip6_xmit+0x1f76/0x2260
[ 25.340643]  kasan_report+0x23c/0x360
[ 25.344421]  __asan_report_load8_noabort+0x14/0x20
[ 25.349322]  ip6_xmit+0x1f76/0x2260
[ 25.352930]  ? ip6_finish_output2+0x23a0/0x23a0
[ 25.357573]  ? fl6_update_dst+0x127/0x2b0
[ 25.361696]  ? inet6_csk_route_socket+0x691/0xe80
[ 25.366514]  ? trace_hardirqs_off+0x10/0x10
[ 25.370806]  ? lock_acquire+0x1d5/0x580
[ 25.374750]  ? lock_acquire+0x1d5/0x580
[ 25.378695]  ? inet6_csk_xmit+0x114/0x580
[ 25.382814]  ? trace_hardirqs_off+0x10/0x10
[ 25.387113]  ? lock_release+0xa40/0xa40
[ 25.391076]  inet6_csk_xmit+0x2fc/0x580
[ 25.395022]  ? inet6_csk_update_pmtu+0x160/0x160
[ 25.399751]  ? __sk_dst_check+0x1a5/0x380
[ 25.403875]  ? sock_kfree_s+0x60/0x60
[ 25.407666]  l2tp_xmit_skb+0x105f/0x1410
[ 25.411710]  ? l2tp_session_create+0xb80/0xb80
[ 25.416277]  ? sock_wmalloc+0x15d/0x1d0
[ 25.420225]  ? iov_iter_advance+0x13f0/0x13f0
[ 25.424693]  ? pppol2tp_sendmsg+0x41b/0x670
[ 25.428988]  pppol2tp_sendmsg+0x470/0x670
[ 25.433115]  ? selinux_socket_sendmsg+0x36/0x40
[ 25.437757]  ? pppol2tp_getsockopt+0x900/0x900
[ 25.442314]  sock_sendmsg+0xca/0x110
[ 25.446003]  SYSC_sendto+0x361/0x5c0
[ 25.449690]  ? SYSC_connect+0x4a0/0x4a0
[ 25.453649]  ? inet_dgram_connect+0x172/0x1f0
[ 25.458119]  ? SYSC_connect+0x2e0/0x4a0
[ 25.462092]  ? mm_fault_error+0x2c0/0x2c0
[ 25.466212]  ? move_addr_to_kernel+0x60/0x60
[ 25.470596]  SyS_sendto+0x40/0x50
[ 25.474023]  ? SyS_getpeername+0x30/0x30
[ 25.478059]  do_syscall_64+0x281/0x940
[ 25.481915]  ? __do_page_fault+0xc90/0xc90
[ 25.486120]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 25.490849]  ? syscall_return_slowpath+0x550/0x550
[ 25.495749]  ? syscall_return_slowpath+0x2ac/0x550
[ 25.500653]  ? prepare_exit_to_usermode+0x350/0x350
[ 25.505652]  ? entry_SYSCALL_64_after_hwframe+0x52/0xb7
[ 25.510997]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 25.515816]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 25.520976] RIP: 0033:0x441889
[ 25.524138] RSP: 002b:00007ffcef5b6fe8 EFLAGS: 00000212 ORIG_RAX: 000000000000002c
[ 25.531817] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 0000000000441889
[ 25.539057] RDX: 0000000000000000 RSI: 0000000020001180 RDI: 0000000000000004
[ 25.546296] RBP: 0000000000000003 R08: 00000000200021c0 R09: 0000000000000080
[ 25.553535] R10: 0000000000040001 R11: 0000000000000212 R12: 0000000000000000
[ 25.560774] R13: 00000000006cd448 R14: 0000000000000000 R15: 0000000000000000
[ 25.568029]
[ 25.569630] Allocated by task 7:
[ 25.572967]  save_stack+0x43/0xd0
[ 25.576389]  kasan_kmalloc+0xad/0xe0
[ 25.580073]  kasan_slab_alloc+0x12/0x20
[ 25.584016]  kmem_cache_alloc+0x12e/0x760
[ 25.588134]  dst_alloc+0x11f/0x1a0
[ 25.591646]  rt_dst_alloc+0xe9/0x520
[ 25.595331]  ip_route_input_rcu+0x1076/0x3200
[ 25.599795]  ip_route_input_noref+0xf5/0x1e0
[ 25.604177]  ip_rcv_finish+0x3a6/0x2040
[ 25.608119]  ip_rcv+0xb76/0x1820
[ 25.611456]  __netif_receive_skb_core+0x1a41/0x3460
[ 25.616439]  __netif_receive_skb+0x2c/0x1b0
[ 25.620733]  netif_receive_skb_internal+0x10b/0x670
[ 25.625720]  napi_gro_receive+0x3d0/0x500
[ 25.629836]  receive_buf+0xb6f/0x2530
[ 25.633605]  virtnet_poll+0x320/0xb70
[ 25.637375]  net_rx_action+0x792/0x1910
[ 25.641319]  __do_softirq+0x2d7/0xb85
[ 25.645088]
[ 25.646687] Freed by task 0:
[ 25.649674]  save_stack+0x43/0xd0
[ 25.653101]  __kasan_slab_free+0x11a/0x170
[ 25.657307]  kasan_slab_free+0xe/0x10
[ 25.661082]  kmem_cache_free+0x83/0x2a0
[ 25.665034]  dst_destroy+0x257/0x370
[ 25.668723]  dst_destroy_rcu+0x16/0x20
[ 25.672582]  rcu_process_callbacks+0xd6c/0x17f0
[ 25.677221]  __do_softirq+0x2d7/0xb85
[ 25.680988]
[ 25.682590] The buggy address belongs to the object at ffff8801aec79e00
[ 25.682590]  which belongs to the cache ip_dst_cache of size 168
[ 25.695300] The buggy address is located 24 bytes inside of
[ 25.695300]  168-byte region [ffff8801aec79e00, ffff8801aec79ea8)
[ 25.707056] The buggy address belongs to the page:
[ 25.711954] page:ffffea0006bb1e40 count:1 mapcount:0 mapping:ffff8801aec79000 index:0xffff8801aec79000
[ 25.721369] flags: 0x2fffc0000000100(slab)
[ 25.725576] raw: 02fffc0000000100 ffff8801aec79000 ffff8801aec79000 000000010000000a
[ 25.733430] raw: ffff8801d5b79738 ffffea000719e560 ffff8801d5b7cc80 0000000000000000
[ 25.741278] page dumped because: kasan: bad access detected
[ 25.746955]
[ 25.748561] Memory state around the buggy address:
[ 25.753458]  ffff8801aec79d00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 25.760788]  ffff8801aec79d80: 00 00 00 00 00 fc fc fc fc fc fc fc fc fc fc fc
[ 25.768115] >ffff8801aec79e00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 25.775440]                             ^
[ 25.779556]  ffff8801aec79e80: fb fb fb fb fb fc fc fc fc fc fc fc fc fc fc fc
[ 25.786883]  ffff8801aec79f00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 25.794209] ==================================================================
[ 25.801536] Disabling lock debugging due to kernel taint
[ 25.806988] Kernel panic - not syncing: panic_on_warn set ...
[ 25.806988]
[ 25.814331] CPU: 0 PID: 4248 Comm: syzkaller316059 Tainted: G    B 4.16.0-rc5+ #352
[ 25.823045] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 25.832369] Call Trace:
[ 25.834935]  dump_stack+0x194/0x24d
[ 25.838532]  ? arch_local_irq_restore+0x53/0x53
[ 25.843169]  ? kasan_end_report+0x32/0x50
[ 25.847290]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 25.852021]  ? vsnprintf+0x1ed/0x1900
[ 25.855796]  ? ip6_xmit+0x1f30/0x2260
[ 25.859569]  panic+0x1e4/0x41c
[ 25.862732]  ? refcount_error_report+0x214/0x214
[ 25.867465]  ? add_taint+0x1c/0x50
[ 25.870975]  ? add_taint+0x1c/0x50
[ 25.874485]  ? ip6_xmit+0x1f76/0x2260
[ 25.878253]  kasan_end_report+0x50/0x50
[ 25.882208]  kasan_report+0x149/0x360
[ 25.885981]  __asan_report_load8_noabort+0x14/0x20
[ 25.890878]  ip6_xmit+0x1f76/0x2260
[ 25.894483]  ? ip6_finish_output2+0x23a0/0x23a0
[ 25.899121]  ? fl6_update_dst+0x127/0x2b0
[ 25.903241]  ? inet6_csk_route_socket+0x691/0xe80
[ 25.908052]  ? trace_hardirqs_off+0x10/0x10
[ 25.912341]  ? lock_acquire+0x1d5/0x580
[ 25.916282]  ? lock_acquire+0x1d5/0x580
[ 25.920226]  ? inet6_csk_xmit+0x114/0x580
[ 25.924344]  ? trace_hardirqs_off+0x10/0x10
[ 25.928636]  ? lock_release+0xa40/0xa40
[ 25.932585]  inet6_csk_xmit+0x2fc/0x580
[ 25.936533]  ? inet6_csk_update_pmtu+0x160/0x160
[ 25.941258]  ? __sk_dst_check+0x1a5/0x380
[ 25.945374]  ? sock_kfree_s+0x60/0x60
[ 25.949157]  l2tp_xmit_skb+0x105f/0x1410
[ 25.953192]  ? l2tp_session_create+0xb80/0xb80
[ 25.957744]  ? sock_wmalloc+0x15d/0x1d0
[ 25.961687]  ? iov_iter_advance+0x13f0/0x13f0
[ 25.966156]  ? pppol2tp_sendmsg+0x41b/0x670
[ 25.970447]  pppol2tp_sendmsg+0x470/0x670
[ 25.974566]  ? selinux_socket_sendmsg+0x36/0x40
[ 25.979203]  ? pppol2tp_getsockopt+0x900/0x900
[ 25.983753]  sock_sendmsg+0xca/0x110
[ 25.987440]  SYSC_sendto+0x361/0x5c0
[ 25.991130]  ? SYSC_connect+0x4a0/0x4a0
[ 25.995087]  ? inet_dgram_connect+0x172/0x1f0
[ 25.999551]  ? SYSC_connect+0x2e0/0x4a0
[ 26.003511]  ? mm_fault_error+0x2c0/0x2c0
[ 26.007629]  ? move_addr_to_kernel+0x60/0x60
[ 26.012009]  SyS_sendto+0x40/0x50
[ 26.015437]  ? SyS_getpeername+0x30/0x30
[ 26.019468]  do_syscall_64+0x281/0x940
[ 26.023322]  ? __do_page_fault+0xc90/0xc90
[ 26.027526]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 26.032253]  ? syscall_return_slowpath+0x550/0x550
[ 26.037151]  ? syscall_return_slowpath+0x2ac/0x550
[ 26.042050]  ? prepare_exit_to_usermode+0x350/0x350
[ 26.047040]  ? entry_SYSCALL_64_after_hwframe+0x52/0xb7
[ 26.052380]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 26.057200]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 26.062357] RIP: 0033:0x441889
[ 26.065517] RSP: 002b:00007ffcef5b6fe8 EFLAGS: 00000212 ORIG_RAX: 000000000000002c
[ 26.073194] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 0000000000441889
[ 26.080432] RDX: 0000000000000000 RSI: 0000000020001180 RDI: 0000000000000004
[ 26.087672] RBP: 0000000000000003 R08: 00000000200021c0 R09: 0000000000000080
[ 26.094910] R10: 0000000000040001 R11: 0000000000000212 R12: 0000000000000000
[ 26.102148] R13: 00000000006cd448 R14: 0000000000000000 R15: 0000000000000000
[ 26.109864] Dumping ftrace buffer:
[ 26.113373]    (ftrace buffer empty)
[ 26.117054] Kernel Offset: disabled
[ 26.120649] Rebooting in 86400 seconds..