[....] Starting enhanced syslogd: rsyslogd
[   17.765007] audit: type=1400 audit(1520770773.281:5): avc: denied { syslog } for pid=4104 comm="rsyslogd" capability=34 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=capability2 permissive=1
[ ok ] Starting enhanced syslogd: rsyslogd.
[ ok ] Starting periodic command scheduler: cron.
Starting mcstransd:
[ ok ] Starting file context maintaining daemon: restorecond.
[ ok ] Starting OpenBSD Secure Shell server: sshd.

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [   23.023360] audit: type=1400 audit(1520770778.540:6): avc: denied { map } for pid=4242 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
Warning: Permanently added '10.128.0.44' (ECDSA) to the list of known hosts.
executing program
[   29.321996] audit: type=1400 audit(1520770784.838:7): avc: denied { map } for pid=4256 comm="syzkaller797446" path="/root/syzkaller797446556" dev="sda1" ino=16481 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
[   29.330823] ==================================================================
[   29.355392] BUG: KASAN: use-after-free in ip6_xmit+0x1f76/0x2260
[   29.361508] Read of size 8 at addr ffff8801cd244f18 by task syzkaller797446/4257
[   29.369010]
[   29.370620] CPU: 0 PID: 4257 Comm: syzkaller797446 Not tainted 4.16.0-rc4+ #260
[   29.378033] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   29.387356] Call Trace:
[   29.389920]  dump_stack+0x194/0x24d
[   29.393520]  ? arch_local_irq_restore+0x53/0x53
[   29.398162]  ? show_regs_print_info+0x18/0x18
[   29.402645]  ? ip6_xmit+0x1f76/0x2260
[   29.406429]  print_address_description+0x73/0x250
[   29.411252]  ? ip6_xmit+0x1f76/0x2260
[   29.415027]  kasan_report+0x23c/0x360
[   29.418803]  __asan_report_load8_noabort+0x14/0x20
[   29.423704]  ip6_xmit+0x1f76/0x2260
[   29.427316]  ? ip6_finish_output2+0x23d0/0x23d0
[   29.431958]  ? fl6_update_dst+0x127/0x2b0
[   29.436080]  ? inet6_csk_route_socket+0x691/0xe80
[   29.440898]  ? trace_hardirqs_off+0x10/0x10
[   29.445189]  ? lock_acquire+0x1d5/0x580
[   29.449137]  ? lock_acquire+0x1d5/0x580
[   29.453084]  ? inet6_csk_xmit+0x114/0x580
[   29.457205]  ? trace_hardirqs_off+0x10/0x10
[   29.461500]  ? lock_release+0xa40/0xa40
[   29.465461]  inet6_csk_xmit+0x2fc/0x580
[   29.469411]  ? inet6_csk_update_pmtu+0x160/0x160
[   29.474141]  ? __sk_dst_check+0x1a5/0x380
[   29.478272]  ? sock_kzfree_s+0x60/0x60
[   29.482147]  l2tp_xmit_skb+0x105f/0x1410
[   29.486189]  ? l2tp_session_create+0xb80/0xb80
[   29.490742]  ? sock_wmalloc+0x15d/0x1d0
[   29.494690]  ? iov_iter_advance+0x13f0/0x13f0
[   29.499422]  ? pppol2tp_sendmsg+0x41b/0x670
[   29.503717]  pppol2tp_sendmsg+0x470/0x670
[   29.507839]  ? selinux_socket_sendmsg+0x36/0x40
[   29.512488]  ? pppol2tp_getsockopt+0x900/0x900
[   29.517051]  sock_sendmsg+0xca/0x110
[   29.520744]  SYSC_sendto+0x361/0x5c0
[   29.524432]  ? SYSC_connect+0x4a0/0x4a0
[   29.528389]  ? inet_dgram_connect+0x172/0x1f0
[   29.532857]  ? SYSC_connect+0x2e0/0x4a0
[   29.536843]  ? mm_fault_error+0x2c0/0x2c0
[   29.540964]  ? move_addr_to_kernel+0x60/0x60
[   29.545346]  SyS_sendto+0x40/0x50
[   29.548773]  ? SyS_getpeername+0x30/0x30
[   29.552807]  do_syscall_64+0x281/0x940
[   29.556666]  ? __do_page_fault+0xc90/0xc90
[   29.560873]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[   29.565600]  ? syscall_return_slowpath+0x550/0x550
[   29.570500]  ? syscall_return_slowpath+0x2ac/0x550
[   29.575402]  ? prepare_exit_to_usermode+0x350/0x350
[   29.580391]  ? entry_SYSCALL_64_after_hwframe+0x52/0xb7
[   29.585730]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   29.590549]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[   29.595727] RIP: 0033:0x441809
[   29.598888] RSP: 002b:00007ffe4ee9efb8 EFLAGS: 00000212 ORIG_RAX: 000000000000002c
[   29.606566] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 0000000000441809
[   29.613814] RDX: 0000000000000000 RSI: 0000000020001180 RDI: 0000000000000004
[   29.621058] RBP: 0000000000000003 R08: 00000000200021c0 R09: 0000000000000080
[   29.628308] R10: 0000000000040001 R11: 0000000000000212 R12: 0000000000000000
[   29.635547] R13: 00000000006cd448 R14: 0000000000000000 R15: 0000000000000000
[   29.642804]
[   29.644403] Allocated by task 2067:
[   29.648001]  save_stack+0x43/0xd0
[   29.651426]  kasan_kmalloc+0xad/0xe0
[   29.655109]  kasan_slab_alloc+0x12/0x20
[   29.659053]  kmem_cache_alloc+0x12e/0x760
[   29.663171]  dst_alloc+0x11f/0x1a0
[   29.666684]  rt_dst_alloc+0xe9/0x4e0
[   29.670369]  ip_route_input_slow+0x1284/0x3c80
[   29.674921]  ip_route_input_rcu+0xf1/0xd20
[   29.679124]  ip_route_input_noref+0xf5/0x1e0
[   29.683502]  ip_rcv_finish+0x3a6/0x2040
[   29.687445]  ip_rcv+0xb76/0x1820
[   29.690782]  __netif_receive_skb_core+0x1a41/0x3460
[   29.695768]  __netif_receive_skb+0x2c/0x1b0
[   29.700057]  netif_receive_skb_internal+0x10b/0x670
[   29.705050]  napi_gro_receive+0x3d0/0x500
[   29.709178]  receive_buf+0xb6f/0x2530
[   29.712949]  virtnet_poll+0x320/0xb70
[   29.716719]  net_rx_action+0x792/0x1910
[   29.720663]  __do_softirq+0x2d7/0xb85
[   29.724433]
[   29.726031] Freed by task 23:
[   29.729112]  save_stack+0x43/0xd0
[   29.732538]  __kasan_slab_free+0x11a/0x170
[   29.736742]  kasan_slab_free+0xe/0x10
[   29.740511]  kmem_cache_free+0x83/0x2a0
[   29.744457]  dst_destroy+0x257/0x370
[   29.748142]  dst_destroy_rcu+0x16/0x20
[   29.752000]  rcu_process_callbacks+0xd6c/0x17f0
[   29.756640]  __do_softirq+0x2d7/0xb85
[   29.760411]
[   29.762012] The buggy address belongs to the object at ffff8801cd244f00
[   29.762012]  which belongs to the cache ip_dst_cache of size 160
[   29.774723] The buggy address is located 24 bytes inside of
[   29.774723]  160-byte region [ffff8801cd244f00, ffff8801cd244fa0)
[   29.786480] The buggy address belongs to the page:
[   29.791380] page:ffffea0007349100 count:1 mapcount:0 mapping:ffff8801cd244000 index:0x0
[   29.799583] flags: 0x2fffc0000000100(slab)
[   29.803792] raw: 02fffc0000000100 ffff8801cd244000 0000000000000000 0000000100000010
[   29.811642] raw: ffff8801d5b78a48 ffff8801d5b78a48 ffff8801d5b79c80 0000000000000000
[   29.819492] page dumped because: kasan: bad access detected
[   29.825170]
[   29.826769] Memory state around the buggy address:
[   29.831669]  ffff8801cd244e00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   29.838999]  ffff8801cd244e80: 00 00 00 00 fc fc fc fc fc fc fc fc fc fc fc fc
[   29.846328] >ffff8801cd244f00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   29.853660]                             ^
[   29.857780]  ffff8801cd244f80: fb fb fb fb fc fc fc fc fc fc fc fc fc fc fc fc
[   29.865108]  ffff8801cd245000: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
[   29.872434] ==================================================================
[   29.879763] Disabling lock debugging due to kernel taint
[   29.885223] Kernel panic - not syncing: panic_on_warn set ...
[   29.885223]
[   29.892568] CPU: 0 PID: 4257 Comm: syzkaller797446 Tainted: G    B 4.16.0-rc4+ #260
[   29.901287] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   29.910610] Call Trace:
[   29.913171]  dump_stack+0x194/0x24d
[   29.916772]  ? arch_local_irq_restore+0x53/0x53
[   29.921411]  ? kasan_end_report+0x32/0x50
[   29.925542]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[   29.930277]  ? vsnprintf+0x1ed/0x1900
[   29.934052]  ? ip6_xmit+0x1eb0/0x2260
[   29.937825]  panic+0x1e4/0x41c
[   29.940987]  ? refcount_error_report+0x214/0x214
[   29.945716]  ? add_taint+0x1c/0x50
[   29.949228]  ? add_taint+0x1c/0x50
[   29.952739]  ? ip6_xmit+0x1f76/0x2260
[   29.956510]  kasan_end_report+0x50/0x50
[   29.960452]  kasan_report+0x149/0x360
[   29.964224]  __asan_report_load8_noabort+0x14/0x20
[   29.969128]  ip6_xmit+0x1f76/0x2260
[   29.972729]  ? ip6_finish_output2+0x23d0/0x23d0
[   29.977372]  ? fl6_update_dst+0x127/0x2b0
[   29.981490]  ? inet6_csk_route_socket+0x691/0xe80
[   29.986305]  ? trace_hardirqs_off+0x10/0x10
[   29.990612]  ? lock_acquire+0x1d5/0x580
[   29.994554]  ? lock_acquire+0x1d5/0x580
[   29.998499]  ? inet6_csk_xmit+0x114/0x580
[   30.002616]  ? trace_hardirqs_off+0x10/0x10
[   30.006907]  ? lock_release+0xa40/0xa40
[   30.010860]  inet6_csk_xmit+0x2fc/0x580
[   30.014806]  ? inet6_csk_update_pmtu+0x160/0x160
[   30.019530]  ? __sk_dst_check+0x1a5/0x380
[   30.023655]  ? sock_kzfree_s+0x60/0x60
[   30.027523]  l2tp_xmit_skb+0x105f/0x1410
[   30.031558]  ? l2tp_session_create+0xb80/0xb80
[   30.036112]  ? sock_wmalloc+0x15d/0x1d0
[   30.040056]  ? iov_iter_advance+0x13f0/0x13f0
[   30.044525]  ? pppol2tp_sendmsg+0x41b/0x670
[   30.048818]  pppol2tp_sendmsg+0x470/0x670
[   30.052941]  ? selinux_socket_sendmsg+0x36/0x40
[   30.057580]  ? pppol2tp_getsockopt+0x900/0x900
[   30.062133]  sock_sendmsg+0xca/0x110
[   30.065818]  SYSC_sendto+0x361/0x5c0
[   30.069502]  ? SYSC_connect+0x4a0/0x4a0
[   30.073451]  ? inet_dgram_connect+0x172/0x1f0
[   30.077918]  ? SYSC_connect+0x2e0/0x4a0
[   30.081879]  ? mm_fault_error+0x2c0/0x2c0
[   30.086016]  ? move_addr_to_kernel+0x60/0x60
[   30.090401]  SyS_sendto+0x40/0x50
[   30.093824]  ? SyS_getpeername+0x30/0x30
[   30.097860]  do_syscall_64+0x281/0x940
[   30.101717]  ? __do_page_fault+0xc90/0xc90
[   30.105923]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[   30.110657]  ? syscall_return_slowpath+0x550/0x550
[   30.115554]  ? syscall_return_slowpath+0x2ac/0x550
[   30.120464]  ? prepare_exit_to_usermode+0x350/0x350
[   30.125452]  ? entry_SYSCALL_64_after_hwframe+0x52/0xb7
[   30.130789]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   30.135605]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[   30.140773] RIP: 0033:0x441809
[   30.143934] RSP: 002b:00007ffe4ee9efb8 EFLAGS: 00000212 ORIG_RAX: 000000000000002c
[   30.151611] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 0000000000441809
[   30.158849] RDX: 0000000000000000 RSI: 0000000020001180 RDI: 0000000000000004
[   30.166093] RBP: 0000000000000003 R08: 00000000200021c0 R09: 0000000000000080
[   30.173341] R10: 0000000000040001 R11: 0000000000000212 R12: 0000000000000000
[   30.180581] R13: 00000000006cd448 R14: 0000000000000000 R15: 0000000000000000
[   30.188333] Dumping ftrace buffer:
[   30.191845]    (ftrace buffer empty)
[   30.195524] Kernel Offset: disabled
[   30.199119] Rebooting in 86400 seconds..
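Added example, not part of the syzkaller console log above: a small Python triage helper that parses the KASAN block of this report and pulls out what an analyst checks first. It extracts the bug class and faulting function, the access kind and size, the slab cache, and the object offset (recomputed from the two addresses and compared with the "24 bytes inside" statement); it names the first non-KASAN, non-allocator frame of the allocation and free stacks (here dst_alloc from the IPv4 receive path and dst_destroy from the RCU callback); and it decodes the shadow byte covering the faulting address. The shadow-byte values follow the encoding in mm/kasan/kasan.h, where 0xfb marks a freed slab object and 0xfc a kmalloc redzone. The REPORT string is a constructed excerpt of the log above with the printk timestamps removed, and the NOISE prefix list used to skip plumbing frames is a heuristic of this example.

```python
"""KASAN slab-report triage helper (added example; not part of the syzkaller log)."""
import re
from typing import Dict, List, Optional

# Constructed excerpt of the console log above, printk timestamps removed.
REPORT = """\
BUG: KASAN: use-after-free in ip6_xmit+0x1f76/0x2260
Read of size 8 at addr ffff8801cd244f18 by task syzkaller797446/4257

Allocated by task 2067:
 save_stack+0x43/0xd0
 kasan_kmalloc+0xad/0xe0
 kasan_slab_alloc+0x12/0x20
 kmem_cache_alloc+0x12e/0x760
 dst_alloc+0x11f/0x1a0
 rt_dst_alloc+0xe9/0x4e0
 ip_route_input_slow+0x1284/0x3c80

Freed by task 23:
 save_stack+0x43/0xd0
 __kasan_slab_free+0x11a/0x170
 kasan_slab_free+0xe/0x10
 kmem_cache_free+0x83/0x2a0
 dst_destroy+0x257/0x370
 dst_destroy_rcu+0x16/0x20
 rcu_process_callbacks+0xd6c/0x17f0

The buggy address belongs to the object at ffff8801cd244f00
 which belongs to the cache ip_dst_cache of size 160
The buggy address is located 24 bytes inside of
 160-byte region [ffff8801cd244f00, ffff8801cd244fa0)

Memory state around the buggy address:
 ffff8801cd244e80: 00 00 00 00 fc fc fc fc fc fc fc fc fc fc fc fc
>ffff8801cd244f00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                            ^
 ffff8801cd244f80: fb fb fb fb fc fc fc fc fc fc fc fc fc fc fc fc
"""

# Shadow-byte encoding from mm/kasan/kasan.h; one shadow byte covers 8 bytes.
SHADOW = {
    0x00: "addressable",
    0xfa: "global redzone (KASAN_GLOBAL_REDZONE)",
    0xfb: "freed slab object (KASAN_KMALLOC_FREE)",
    0xfc: "slab redzone (KASAN_KMALLOC_REDZONE)",
}
# KASAN/allocator frames to skip when naming the alloc/free call site (heuristic).
NOISE = ("save_stack", "kasan_", "__kasan_", "kmem_cache_", "kmalloc", "__kmalloc", "kfree")


def classify_shadow(b: int) -> str:
    if 1 <= b <= 7:
        return f"partially addressable ({b} of 8 bytes)"
    return SHADOW.get(b, f"other poison 0x{b:02x}")


def first_real_frame(frames: List[str]) -> Optional[str]:
    """First frame that is not KASAN/slab plumbing, e.g. dst_alloc or dst_destroy."""
    for frame in frames:
        name = frame.split("+", 1)[0]
        if not name.startswith(NOISE):
            return name
    return None


def parse_kasan_report(text: str) -> Dict:
    r: Dict = {}
    m = re.search(r"BUG: KASAN: (\S+) in (\S+)\+0x[0-9a-f]+/0x[0-9a-f]+", text)
    r["bug"], r["function"] = m.group(1), m.group(2)
    m = re.search(r"(Read|Write) of size (\d+) at addr ([0-9a-f]+) by task (\S+)/(\d+)", text)
    r["access"], r["addr"] = (m.group(1), int(m.group(2))), int(m.group(3), 16)
    r["task"] = (m.group(4), int(m.group(5)))
    m = re.search(r"object at ([0-9a-f]+)\s+which belongs to the cache (\S+) of size (\d+)", text)
    r["object"], r["cache"] = int(m.group(1), 16), (m.group(2), int(m.group(3)))
    r["offset"] = r["addr"] - r["object"]  # recomputed, then compared with the stated value
    r["stated_offset"] = int(re.search(r"located (\d+) bytes inside of", text).group(1))
    for key, label in (("alloc", "Allocated"), ("free", "Freed")):
        m = re.search(label + r" by task (\d+):\n((?: .+\n)+)", text)
        r[key + "_task"] = int(m.group(1))
        r[key + "_site"] = first_real_frame([ln.strip() for ln in m.group(2).splitlines()])
    # Map each 8-byte granule in the memory-state dump to its shadow byte.
    r["shadow"] = {}
    for m in re.finditer(r"^[> ]([0-9a-f]{16}): ((?:[0-9a-f]{2} ?)+)$", text, re.M):
        base = int(m.group(1), 16)
        for i, byte in enumerate(m.group(2).split()):
            r["shadow"][base + 8 * i] = int(byte, 16)
    return r


def shadow_state(r: Dict, addr: Optional[int] = None) -> str:
    addr = r["addr"] if addr is None else addr
    byte = r["shadow"].get(addr & ~7)
    return "not in dump" if byte is None else classify_shadow(byte)


def summarize(r: Dict) -> str:
    kind, size = r["access"]
    cache, csize = r["cache"]
    check = "consistent" if r["offset"] == r["stated_offset"] else "INCONSISTENT"
    return (f"{r['bug']}: {size}-byte {kind} in {r['function']} at {cache}+{r['offset']} "
            f"(object size {csize}, stated offset {check}); shadow: {shadow_state(r)}; "
            f"allocated via {r['alloc_site']} (task {r['alloc_task']}), "
            f"freed via {r['free_site']} (task {r['free_task']})")


if __name__ == "__main__":
    print(summarize(parse_kasan_report(REPORT)))
```

Run stand-alone it prints a one-line summary of the report. For this log the shadow byte under ffff8801cd244f18 is 0xfb, so the 8-byte read in ip6_xmit landed in an ip_dst_cache object that kmem_cache_free had already poisoned via dst_destroy_rcu; the allocation stack is the IPv4 receive path (ip_rcv through rt_dst_alloc) while the use is the IPv6 transmit path reached from pppol2tp_sendmsg, which is the pairing to keep in view when reading the two traces.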