[ ok ] Starting enhanced syslogd: rsyslogd.
[ 17.502055] audit: type=1400 audit(1520959872.145:5): avc: denied { syslog } for pid=4089 comm="rsyslogd" capability=34 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=capability2 permissive=1
[....] Starting mcstransd:
[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting file context maintaining daemon: restorecond.
[ ok ] Starting OpenBSD Secure Shell server: sshd.

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [ 22.754292] audit: type=1400 audit(1520959877.398:6): avc: denied { map } for pid=4229 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
Warning: Permanently added '10.128.0.51' (ECDSA) to the list of known hosts.
executing program
[ 29.176999] audit: type=1400 audit(1520959883.820:7): avc: denied { map } for pid=4243 comm="syzkaller484805" path="/root/syzkaller484805214" dev="sda1" ino=16481 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
[ 29.186031] ==================================================================
[ 29.210349] BUG: KASAN: use-after-free in ip6_xmit+0x1f76/0x2260
[ 29.216471] Read of size 8 at addr ffff8801d0ffa018 by task syzkaller484805/4244
[ 29.223969] 
[ 29.225574] CPU: 1 PID: 4244 Comm: syzkaller484805 Not tainted 4.16.0-rc4+ #263
[ 29.232990] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 29.242318] Call Trace:
[ 29.244877]  dump_stack+0x194/0x24d
[ 29.248479]  ? arch_local_irq_restore+0x53/0x53
[ 29.253118]  ? show_regs_print_info+0x18/0x18
[ 29.257589]  ? ip6_xmit+0x1f76/0x2260
[ 29.261367]  print_address_description+0x73/0x250
[ 29.266182]  ? ip6_xmit+0x1f76/0x2260
[ 29.269952]  kasan_report+0x23c/0x360
[ 29.273725]  __asan_report_load8_noabort+0x14/0x20
[ 29.278622]  ip6_xmit+0x1f76/0x2260
[ 29.282236]  ? ip6_finish_output2+0x23d0/0x23d0
[ 29.286878]  ? fl6_update_dst+0x127/0x2b0
[ 29.291001]  ? inet6_csk_route_socket+0x691/0xe80
[ 29.295815]  ? trace_hardirqs_off+0x10/0x10
[ 29.300109]  ? lock_acquire+0x1d5/0x580
[ 29.304050]  ? lock_acquire+0x1d5/0x580
[ 29.307992]  ? inet6_csk_xmit+0x114/0x580
[ 29.312121]  ? trace_hardirqs_off+0x10/0x10
[ 29.316418]  ? lock_release+0xa40/0xa40
[ 29.320380]  inet6_csk_xmit+0x2fc/0x580
[ 29.324334]  ? inet6_csk_update_pmtu+0x160/0x160
[ 29.329060]  ? __sk_dst_check+0x1a5/0x380
[ 29.333181]  ? sock_kzfree_s+0x60/0x60
[ 29.337056]  l2tp_xmit_skb+0x105f/0x1410
[ 29.341099]  ? l2tp_session_create+0xb80/0xb80
[ 29.345650]  ? sock_wmalloc+0x15d/0x1d0
[ 29.349595]  ? iov_iter_advance+0x13f0/0x13f0
[ 29.354062]  ? pppol2tp_sendmsg+0x41b/0x670
[ 29.358358]  pppol2tp_sendmsg+0x470/0x670
[ 29.362478]  ? selinux_socket_sendmsg+0x36/0x40
[ 29.367118]  ? pppol2tp_getsockopt+0x900/0x900
[ 29.371671]  sock_sendmsg+0xca/0x110
[ 29.375371]  SYSC_sendto+0x361/0x5c0
[ 29.379061]  ? SYSC_connect+0x4a0/0x4a0
[ 29.383018]  ? inet_dgram_connect+0x172/0x1f0
[ 29.387490]  ? SYSC_connect+0x2e0/0x4a0
[ 29.391465]  ? mm_fault_error+0x2c0/0x2c0
[ 29.395584]  ? move_addr_to_kernel+0x60/0x60
[ 29.399965]  SyS_sendto+0x40/0x50
[ 29.403387]  ? SyS_getpeername+0x30/0x30
[ 29.407420]  do_syscall_64+0x281/0x940
[ 29.411279]  ? __do_page_fault+0xc90/0xc90
[ 29.415485]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 29.420217]  ? syscall_return_slowpath+0x550/0x550
[ 29.425117]  ? syscall_return_slowpath+0x2ac/0x550
[ 29.430016]  ? prepare_exit_to_usermode+0x350/0x350
[ 29.435005]  ? entry_SYSCALL_64_after_hwframe+0x52/0xb7
[ 29.440343]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 29.445161]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 29.450319] RIP: 0033:0x441659
[ 29.453485] RSP: 002b:00007ffca16de468 EFLAGS: 00000216 ORIG_RAX: 000000000000002c
[ 29.461168] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 0000000000441659
[ 29.468409] RDX: 0000000000000000 RSI: 0000000020001180 RDI: 0000000000000004
[ 29.475650] RBP: 0000000000000003 R08: 00000000200021c0 R09: 0000000000000080
[ 29.482888] R10: 0000000000040001 R11: 0000000000000216 R12: 0000000000000000
[ 29.490133] R13: 00000000006cd448 R14: 0000000000000000 R15: 0000000000000000
[ 29.497397] 
[ 29.499002] Allocated by task 2679:
[ 29.502606]  save_stack+0x43/0xd0
[ 29.506047]  kasan_kmalloc+0xad/0xe0
[ 29.509733]  kasan_slab_alloc+0x12/0x20
[ 29.513686]  kmem_cache_alloc+0x12e/0x760
[ 29.517807]  anon_vma_clone+0x139/0x700
[ 29.521757]  anon_vma_fork+0xe4/0x870
[ 29.525541]  copy_mm+0xb4d/0x131f
[ 29.528967]  copy_process.part.38+0x1f56/0x4b60
[ 29.533608]  _do_fork+0x1f7/0xf70
[ 29.537035]  SyS_clone+0x37/0x50
[ 29.540376]  do_syscall_64+0x281/0x940
[ 29.544243]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 29.549407] 
[ 29.551012] Freed by task 2685:
[ 29.554273]  save_stack+0x43/0xd0
[ 29.557700]  __kasan_slab_free+0x11a/0x170
[ 29.561905]  kasan_slab_free+0xe/0x10
[ 29.565680]  kmem_cache_free+0x83/0x2a0
[ 29.569631]  unlink_anon_vmas+0x20d/0x9f0
[ 29.573754]  free_pgtables+0xe7/0x330
[ 29.577529]  exit_mmap+0x291/0x500
[ 29.581045]  mmput+0x223/0x6d0
[ 29.584213]  flush_old_exec+0xc8b/0x2010
[ 29.588250]  load_elf_binary+0x87b/0x4c10
[ 29.592371]  search_binary_handler+0x142/0x6b0
[ 29.596930]  do_execveat_common.isra.30+0x1754/0x23c0
[ 29.602093]  SyS_execve+0x39/0x50
[ 29.605522]  do_syscall_64+0x281/0x940
[ 29.609386]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 29.614545] 
[ 29.616148] The buggy address belongs to the object at ffff8801d0ffa000
[ 29.616148]  which belongs to the cache anon_vma_chain of size 64
[ 29.628952] The buggy address is located 24 bytes inside of
[ 29.628952]  64-byte region [ffff8801d0ffa000, ffff8801d0ffa040)
[ 29.640622] The buggy address belongs to the page:
[ 29.645523] page:ffffea000743fe80 count:1 mapcount:0 mapping:ffff8801d0ffa000 index:0x0
[ 29.653642] flags: 0x2fffc0000000100(slab)
[ 29.657851] raw: 02fffc0000000100 ffff8801d0ffa000 0000000000000000 000000010000002a
[ 29.665708] raw: ffffea000741f2a0 ffffea000743f5a0 ffff8801dad33500 0000000000000000
[ 29.673561] page dumped because: kasan: bad access detected
[ 29.679242] 
[ 29.680842] Memory state around the buggy address:
[ 29.685742]  ffff8801d0ff9f00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 29.693078]  ffff8801d0ff9f80: 00 00 00 00 fc fc fc fc fc fc fc fc fc fc fc fc
[ 29.700417] >ffff8801d0ffa000: fb fb fb fb fb fb fb fb fc fc fc fc fb fb fb fb
[ 29.707748]                             ^
[ 29.711869]  ffff8801d0ffa080: fb fb fb fb fc fc fc fc fb fb fb fb fb fb fb fb
[ 29.719207]  ffff8801d0ffa100: fc fc fc fc fb fb fb fb fb fb fb fb fc fc fc fc
[ 29.726539] ==================================================================
[ 29.733868] Disabling lock debugging due to kernel taint
[ 29.739336] Kernel panic - not syncing: panic_on_warn set ...
[ 29.739336] 
[ 29.746687] CPU: 1 PID: 4244 Comm: syzkaller484805 Tainted: G B 4.16.0-rc4+ #263
[ 29.755420] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 29.764746] Call Trace:
[ 29.767311]  dump_stack+0x194/0x24d
[ 29.770918]  ? arch_local_irq_restore+0x53/0x53
[ 29.775567]  ? kasan_end_report+0x32/0x50
[ 29.779689]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 29.784422]  ? vsnprintf+0x1ed/0x1900
[ 29.788205]  ? ip6_xmit+0x1f40/0x2260
[ 29.791987]  panic+0x1e4/0x41c
[ 29.795154]  ? refcount_error_report+0x214/0x214
[ 29.799887]  ? add_taint+0x1c/0x50
[ 29.803405]  ? add_taint+0x1c/0x50
[ 29.806918]  ? ip6_xmit+0x1f76/0x2260
[ 29.810691]  kasan_end_report+0x50/0x50
[ 29.814645]  kasan_report+0x149/0x360
[ 29.818422]  __asan_report_load8_noabort+0x14/0x20
[ 29.823324]  ip6_xmit+0x1f76/0x2260
[ 29.826942]  ? ip6_finish_output2+0x23d0/0x23d0
[ 29.831587]  ? fl6_update_dst+0x127/0x2b0
[ 29.835711]  ? inet6_csk_route_socket+0x691/0xe80
[ 29.840544]  ? trace_hardirqs_off+0x10/0x10
[ 29.844848]  ? lock_acquire+0x1d5/0x580
[ 29.848796]  ? lock_acquire+0x1d5/0x580
[ 29.852747]  ? inet6_csk_xmit+0x114/0x580
[ 29.856872]  ? trace_hardirqs_off+0x10/0x10
[ 29.861178]  ? lock_release+0xa40/0xa40
[ 29.865134]  inet6_csk_xmit+0x2fc/0x580
[ 29.869082]  ? inet6_csk_update_pmtu+0x160/0x160
[ 29.873810]  ? __sk_dst_check+0x1a5/0x380
[ 29.877937]  ? sock_kzfree_s+0x60/0x60
[ 29.881807]  l2tp_xmit_skb+0x105f/0x1410
[ 29.885845]  ? l2tp_session_create+0xb80/0xb80
[ 29.890401]  ? sock_wmalloc+0x15d/0x1d0
[ 29.894349]  ? iov_iter_advance+0x13f0/0x13f0
[ 29.898818]  ? pppol2tp_sendmsg+0x41b/0x670
[ 29.903117]  pppol2tp_sendmsg+0x470/0x670
[ 29.907238]  ? selinux_socket_sendmsg+0x36/0x40
[ 29.911883]  ? pppol2tp_getsockopt+0x900/0x900
[ 29.916437]  sock_sendmsg+0xca/0x110
[ 29.920123]  SYSC_sendto+0x361/0x5c0
[ 29.923811]  ? SYSC_connect+0x4a0/0x4a0
[ 29.927768]  ? inet_dgram_connect+0x172/0x1f0
[ 29.932238]  ? SYSC_connect+0x2e0/0x4a0
[ 29.936202]  ? mm_fault_error+0x2c0/0x2c0
[ 29.940325]  ? move_addr_to_kernel+0x60/0x60
[ 29.944707]  SyS_sendto+0x40/0x50
[ 29.948134]  ? SyS_getpeername+0x30/0x30
[ 29.952170]  do_syscall_64+0x281/0x940
[ 29.956034]  ? __do_page_fault+0xc90/0xc90
[ 29.960244]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 29.964984]  ? syscall_return_slowpath+0x550/0x550
[ 29.969889]  ? syscall_return_slowpath+0x2ac/0x550
[ 29.974795]  ? prepare_exit_to_usermode+0x350/0x350
[ 29.979785]  ? entry_SYSCALL_64_after_hwframe+0x52/0xb7
[ 29.985125]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 29.989943]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 29.995107] RIP: 0033:0x441659
[ 29.998271] RSP: 002b:00007ffca16de468 EFLAGS: 00000216 ORIG_RAX: 000000000000002c
[ 30.005953] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 0000000000441659
[ 30.013198] RDX: 0000000000000000 RSI: 0000000020001180 RDI: 0000000000000004
[ 30.020440] RBP: 0000000000000003 R08: 00000000200021c0 R09: 0000000000000080
[ 30.027682] R10: 0000000000040001 R11: 0000000000000216 R12: 0000000000000000
[ 30.034931] R13: 00000000006cd448 R14: 0000000000000000 R15: 0000000000000000
[ 30.042626] Dumping ftrace buffer:
[ 30.046147]    (ftrace buffer empty)
[ 30.049829] Kernel Offset: disabled
[ 30.053432] Rebooting in 86400 seconds..
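How to read the KASAN section of the report above, as an added triage example (this script is not part of the syzkaller log; the SAMPLE it parses is a constructed excerpt of the report with the printk timestamps removed, and every function name in it is my own). KASAN keeps one shadow byte per 8-byte granule of kernel memory: 00 means the whole granule is addressable, 01..07 that only the first N bytes are, fb a freed slab object and fc a slab redzone (the kernel's own encoding from mm/kasan/kasan.h). The script pulls out the bug type, faulting function, access size and address, checks the reported 24-byte offset against the object base, looks up the shadow byte for ffff8801d0ffa018 in the printed rows (fb, freed), and strips the KASAN/slab wrapper frames from the "Allocated by" and "Freed by" stacks to reach the real call sites (anon_vma_clone and unlink_anon_vmas).

```python
# Added triage helper for KASAN slab use-after-free reports (not from the
# syzkaller log above). SAMPLE is a constructed excerpt of that report with
# printk timestamps removed; function names here are my own assumptions.
import re

SHADOW_GRANULE = 8   # one shadow byte describes 8 bytes of kernel memory
BYTES_PER_ROW = 16   # KASAN prints 16 shadow bytes (128 B of memory) per row
SHADOW_MEANING = {0xfa: "global redzone", 0xfb: "freed slab object",
                  0xfc: "slab redzone", 0xfe: "page redzone", 0xff: "freed page"}
# Frames that KASAN and the slab allocator put on top of the real call site.
INSTRUMENTATION = ("save_stack", "kasan_", "__kasan_", "__asan_",
                   "kmem_cache_", "kmalloc", "__kmalloc", "kfree")

HEADER_RE = re.compile(r"BUG: KASAN: (?P<bug>[\w-]+) in (?P<func>\w+)\+0x")
ACCESS_RE = re.compile(r"(?P<kind>Read|Write) of size (?P<size>\d+) at addr "
                       r"(?P<addr>[0-9a-f]+) by task (?P<task>\S+)")
OBJECT_RE = re.compile(r"object at (?P<base>[0-9a-f]+)\s+which belongs to the "
                       r"cache (?P<cache>\S+) of size (?P<objsize>\d+)")
OFFSET_RE = re.compile(r"located (?P<off>\d+) bytes inside of")
STACK_HDR_RE = re.compile(r"^(Allocated|Freed) by task (\d+):$")
ROW_RE = re.compile(r"^>?(?P<row>[0-9a-f]{16}): (?P<bytes>(?:[0-9a-f]{2} ?){16})$")

SAMPLE = """\
BUG: KASAN: use-after-free in ip6_xmit+0x1f76/0x2260
Read of size 8 at addr ffff8801d0ffa018 by task syzkaller484805/4244

Allocated by task 2679:
 save_stack+0x43/0xd0
 kasan_kmalloc+0xad/0xe0
 kmem_cache_alloc+0x12e/0x760
 anon_vma_clone+0x139/0x700
 anon_vma_fork+0xe4/0x870

Freed by task 2685:
 save_stack+0x43/0xd0
 __kasan_slab_free+0x11a/0x170
 kmem_cache_free+0x83/0x2a0
 unlink_anon_vmas+0x20d/0x9f0
 free_pgtables+0xe7/0x330

The buggy address belongs to the object at ffff8801d0ffa000
 which belongs to the cache anon_vma_chain of size 64
The buggy address is located 24 bytes inside of
 64-byte region [ffff8801d0ffa000, ffff8801d0ffa040)

Memory state around the buggy address:
>ffff8801d0ffa000: fb fb fb fb fb fb fb fb fc fc fc fc fb fb fb fb
                            ^
 ffff8801d0ffa080: fb fb fb fb fc fc fc fc fb fb fb fb fb fb fb fb
"""

def shadow_meaning(b):
    if b < 8:   # 0 = whole granule addressable, 1..7 = that many leading bytes
        return "addressable" if b == 0 else f"first {b} bytes addressable"
    return SHADOW_MEANING.get(b, f"unknown 0x{b:02x}")

def first_real_frame(frames):
    """First frame of an alloc/free stack that is not KASAN/slab plumbing."""
    return next((f for f in frames if not f.startswith(INSTRUMENTATION)), None)

def parse_stacks(lines):
    """Collect the 'Allocated by' / 'Freed by' stacks as lists of symbols."""
    stacks, cur = {}, None
    for line in lines:
        line = line.strip()
        m = STACK_HDR_RE.match(line)
        if m:
            cur = m.group(1).lower()
            stacks[cur] = {"task": int(m.group(2)), "frames": []}
        elif cur and not line:
            cur = None                      # a blank line ends the stack
        elif cur:
            stacks[cur]["frames"].append(line.split("+")[0])
    return stacks

def parse_shadow_rows(lines):
    """Map each printed row's memory address to its 16 shadow bytes."""
    matches = (ROW_RE.match(l.strip()) for l in lines)
    return {int(m["row"], 16): bytes.fromhex(m["bytes"].replace(" ", ""))
            for m in matches if m}

def shadow_byte_for(rows, addr):
    """Shadow byte covering addr, or None if KASAN did not print that row."""
    row_base = addr & ~(BYTES_PER_ROW * SHADOW_GRANULE - 1)
    row = rows.get(row_base)
    return None if row is None else row[(addr - row_base) // SHADOW_GRANULE]

def triage(report):
    """Summarise one KASAN slab report as a dict of the facts a triager needs."""
    lines = report.splitlines()
    hdr, acc = HEADER_RE.search(report), ACCESS_RE.search(report)
    obj, off = OBJECT_RE.search(report), OFFSET_RE.search(report)
    if not (hdr and acc and obj and off):
        raise ValueError("not a KASAN slab report")
    addr, base = int(acc["addr"], 16), int(obj["base"], 16)
    stacks = parse_stacks(lines)
    sb = shadow_byte_for(parse_shadow_rows(lines), addr)
    return {"bug": hdr["bug"], "func": hdr["func"], "task": acc["task"],
            "access": (acc["kind"], int(acc["size"])),
            "cache": obj["cache"], "objsize": int(obj["objsize"]),
            "offset": int(off["off"]),
            "offset_ok": addr - base == int(off["off"]),   # cross-check the report
            "alloc_task": stacks["allocated"]["task"],
            "alloc_site": first_real_frame(stacks["allocated"]["frames"]),
            "free_task": stacks["freed"]["task"],
            "free_site": first_real_frame(stacks["freed"]["frames"]),
            "shadow_byte": sb,
            "shadow_meaning": None if sb is None else shadow_meaning(sb)}
```

One thing the decoded output makes obvious: the object at the faulting address is an mm anon_vma_chain, allocated and freed by tasks 2679 and 2685 during fork and execve, while the read comes from the L2TP transmit path (pppol2tp_sendmsg -> l2tp_xmit_skb -> inet6_csk_xmit -> ip6_xmit) in task 4244. The "Allocated by"/"Freed by" stacks therefore describe the current occupant of that slab slot, not the networking object whose lifetime went wrong, which is why triage of a report like this starts from the faulting call chain rather than from the alloc/free stacks.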