[ ok ] Starting periodic command scheduler: cron.
Starting mcstransd:
[ ok ] Starting file context maintaining daemon: restorecond.
[ ok ] Starting OpenBSD Secure Shell server: sshd.
[ 18.103311] audit: type=1400 audit(1518188115.009:6): avc: denied { map } for pid=4152 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1

Debian GNU/Linux 7 syzkaller ttyS0

Warning: Permanently added '10.128.0.53' (ECDSA) to the list of known hosts.
executing program
syzkaller login: [ 34.228971] audit: type=1400 audit(1518188131.134:7): avc: denied { map } for pid=4169 comm="syzkaller590168" path="/root/syzkaller590168089" dev="sda1" ino=16481 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
[ 34.256222] ==================================================================
[ 34.263639] BUG: KASAN: use-after-free in ip6_xmit+0x1f76/0x2260
[ 34.269760] Read of size 8 at addr ffff8801d7b05f18 by task syzkaller590168/4169
[ 34.277264]
[ 34.278868] CPU: 0 PID: 4169 Comm: syzkaller590168 Not tainted 4.15.0+ #305
[ 34.285939] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 34.295276] Call Trace:
[ 34.297841]  dump_stack+0x194/0x257
[ 34.301443]  ? arch_local_irq_restore+0x53/0x53
[ 34.306084]  ? show_regs_print_info+0x18/0x18
[ 34.310559]  ? ip6_xmit+0x1f76/0x2260
[ 34.314337]  print_address_description+0x73/0x250
[ 34.319151]  ? ip6_xmit+0x1f76/0x2260
[ 34.322922]  kasan_report+0x23b/0x360
[ 34.326697]  __asan_report_load8_noabort+0x14/0x20
[ 34.331597]  ip6_xmit+0x1f76/0x2260
[ 34.335212]  ? ip6_finish_output2+0x23a0/0x23a0
[ 34.339856]  ? fl6_update_dst+0x127/0x2b0
[ 34.343979]  ? inet6_csk_route_socket+0x691/0xe80
[ 34.348797]  ? check_noncircular+0x20/0x20
[ 34.353004]  ? lock_acquire+0x1d5/0x580
[ 34.356949]  ? lock_acquire+0x1d5/0x580
[ 34.360896]  ? inet6_csk_xmit+0x114/0x580
[ 34.365016]  ? check_noncircular+0x20/0x20
[ 34.369228]  ? lock_release+0xa40/0xa40
[ 34.373192]  inet6_csk_xmit+0x2fc/0x580
[ 34.377140]  ? inet6_csk_update_pmtu+0x160/0x160
[ 34.381871]  ? __sk_dst_check+0x1a5/0x380
[ 34.385995]  ? sk_wait_data+0x610/0x610
[ 34.389960]  l2tp_xmit_skb+0x105f/0x1410
[ 34.394005]  ? l2tp_session_create+0xb80/0xb80
[ 34.398561]  ? sock_wmalloc+0x15d/0x1d0
[ 34.402511]  ? iov_iter_advance+0x13f0/0x13f0
[ 34.406981]  ? pppol2tp_sendmsg+0x41b/0x670
[ 34.411291]  pppol2tp_sendmsg+0x470/0x670
[ 34.415421]  ? selinux_socket_sendmsg+0x36/0x40
[ 34.420064]  ? pppol2tp_session_ioctl+0xa90/0xa90
[ 34.424884]  sock_sendmsg+0xca/0x110
[ 34.428573]  sock_write_iter+0x31a/0x5d0
[ 34.432611]  ? sock_sendmsg+0x110/0x110
[ 34.436556]  ? find_held_lock+0x35/0x1d0
[ 34.440598]  ? iov_iter_init+0xaf/0x1d0
[ 34.444548]  __vfs_write+0x684/0x970
[ 34.448238]  ? kernel_read+0x120/0x120
[ 34.452095]  ? bpf_fd_pass+0x280/0x280
[ 34.455958]  ? _cond_resched+0x14/0x30
[ 34.459820]  ? selinux_file_permission+0x82/0x460
[ 34.464641]  ? rw_verify_area+0xe5/0x2b0
[ 34.468674]  ? __fdget_raw+0x20/0x20
[ 34.472361]  vfs_write+0x189/0x510
[ 34.475877]  SyS_write+0xef/0x220
[ 34.479305]  ? SyS_read+0x220/0x220
[ 34.482906]  ? do_syscall_64+0xb7/0x940
[ 34.486852]  ? SyS_read+0x220/0x220
[ 34.490453]  do_syscall_64+0x282/0x940
[ 34.494323]  ? __do_page_fault+0xc90/0xc90
[ 34.498530]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 34.503262]  ? syscall_return_slowpath+0x550/0x550
[ 34.508163]  ? syscall_return_slowpath+0x2ac/0x550
[ 34.513066]  ? prepare_exit_to_usermode+0x350/0x350
[ 34.518055]  ? retint_user+0x18/0x18
[ 34.521748]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 34.526570]  entry_SYSCALL_64_after_hwframe+0x26/0x9b
[ 34.531732] RIP: 0033:0x4401f9
[ 34.534894] RSP: 002b:00007ffc6419ae28 EFLAGS: 00000217 ORIG_RAX: 0000000000000001
[ 34.542574] RAX: ffffffffffffffda RBX: ffffffffffffffff RCX: 00000000004401f9
[ 34.549816] RDX: 000000000000002a RSI: 0000000020147fd6 RDI: 0000000000000004
[ 34.557056] RBP: 00000000006ca018 R08: 0000000000000000 R09: 0000000000000000
[ 34.564301] R10: 0000000000000000 R11: 0000000000000217 R12: 0000000000401b20
[ 34.571554] R13: 0000000000401bb0 R14: 0000000000000000 R15: 0000000000000000
[ 34.578809]
[ 34.580407] Allocated by task 1999:
[ 34.584009]  save_stack+0x43/0xd0
[ 34.587432]  kasan_kmalloc+0xad/0xe0
[ 34.591114]  kasan_slab_alloc+0x12/0x20
[ 34.595059]  kmem_cache_alloc+0x12e/0x760
[ 34.599191]  dst_alloc+0x11f/0x1a0
[ 34.602702]  rt_dst_alloc+0xe9/0x520
[ 34.606385]  ip_route_input_rcu+0x1076/0x3200
[ 34.610850]  ip_route_input_noref+0xf5/0x1e0
[ 34.615238]  ip_rcv_finish+0x3a6/0x2040
[ 34.619183]  ip_rcv+0xc5a/0x1840
[ 34.622523]  __netif_receive_skb_core+0x1a41/0x3460
[ 34.627509]  __netif_receive_skb+0x2c/0x1b0
[ 34.631801]  netif_receive_skb_internal+0x10b/0x670
[ 34.636786]  napi_gro_receive+0x3d0/0x500
[ 34.640907]  receive_buf+0xb6e/0x2530
[ 34.644686]  virtnet_poll+0x320/0xb70
[ 34.648455]  net_rx_action+0x792/0x1910
[ 34.652401]  __do_softirq+0x2d7/0xb85
[ 34.656169]
[ 34.657766] Freed by task 3845:
[ 34.661018]  save_stack+0x43/0xd0
[ 34.664452]  __kasan_slab_free+0x11a/0x170
[ 34.668655]  kasan_slab_free+0xe/0x10
[ 34.672426]  kmem_cache_free+0x83/0x2a0
[ 34.676374]  dst_destroy+0x257/0x370
[ 34.680066]  dst_destroy_rcu+0x16/0x20
[ 34.683925]  rcu_process_callbacks+0xd6c/0x17f0
[ 34.688565]  __do_softirq+0x2d7/0xb85
[ 34.692335]
[ 34.693936] The buggy address belongs to the object at ffff8801d7b05f00
[ 34.693936]  which belongs to the cache ip_dst_cache of size 168
[ 34.706648] The buggy address is located 24 bytes inside of
[ 34.706648]  168-byte region [ffff8801d7b05f00, ffff8801d7b05fa8)
[ 34.718405] The buggy address belongs to the page:
[ 34.723306] page:ffffea00075ec140 count:1 mapcount:0 mapping:ffff8801d7b05000 index:0xffff8801d7b05000
[ 34.732720] flags: 0x2fffc0000000100(slab)
[ 34.736924] raw: 02fffc0000000100 ffff8801d7b05000 ffff8801d7b05000 000000010000000c
[ 34.744775] raw: ffff8801d5e84b38 ffff8801d5e84b38 ffff8801d5e83680 0000000000000000
[ 34.752625] page dumped because: kasan: bad access detected
[ 34.758304]
[ 34.759900] Memory state around the buggy address:
[ 34.764796]  ffff8801d7b05e00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 34.772123]  ffff8801d7b05e80: 00 00 00 00 00 fc fc fc fc fc fc fc fc fc fc fc
[ 34.779450] >ffff8801d7b05f00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 34.786779]                       ^
[ 34.790893]  ffff8801d7b05f80: fb fb fb fb fb fc fc fc fc fc fc fc fc fc fc fc
[ 34.798223]  ffff8801d7b06000: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 34.805552] ==================================================================
[ 34.812877] Disabling lock debugging due to kernel taint
[ 34.818326] Kernel panic - not syncing: panic_on_warn set ...
[ 34.818326]
[ 34.825663] CPU: 0 PID: 4169 Comm: syzkaller590168 Tainted: G B 4.15.0+ #305
[ 34.834030] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 34.843354] Call Trace:
[ 34.845913]  dump_stack+0x194/0x257
[ 34.849512]  ? arch_local_irq_restore+0x53/0x53
[ 34.854151]  ? kasan_end_report+0x32/0x50
[ 34.858270]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 34.862998]  ? vsnprintf+0x1ed/0x1900
[ 34.866769]  ? ip6_xmit+0x1ef0/0x2260
[ 34.870539]  panic+0x1e4/0x41c
[ 34.873701]  ? refcount_error_report+0x214/0x214
[ 34.878428]  ? add_taint+0x1c/0x50
[ 34.881936]  ? add_taint+0x1c/0x50
[ 34.885449]  ? ip6_xmit+0x1f76/0x2260
[ 34.889220]  kasan_end_report+0x50/0x50
[ 34.893161]  kasan_report+0x148/0x360
[ 34.896931]  __asan_report_load8_noabort+0x14/0x20
[ 34.901830]  ip6_xmit+0x1f76/0x2260
[ 34.905436]  ? ip6_finish_output2+0x23a0/0x23a0
[ 34.910075]  ? fl6_update_dst+0x127/0x2b0
[ 34.914209]  ? inet6_csk_route_socket+0x691/0xe80
[ 34.919020]  ? check_noncircular+0x20/0x20
[ 34.923222]  ? lock_acquire+0x1d5/0x580
[ 34.927165]  ? lock_acquire+0x1d5/0x580
[ 34.931109]  ? inet6_csk_xmit+0x114/0x580
[ 34.935225]  ? check_noncircular+0x20/0x20
[ 34.939429]  ? lock_release+0xa40/0xa40
[ 34.943379]  inet6_csk_xmit+0x2fc/0x580
[ 34.947322]  ? inet6_csk_update_pmtu+0x160/0x160
[ 34.952048]  ? __sk_dst_check+0x1a5/0x380
[ 34.956168]  ? sk_wait_data+0x610/0x610
[ 34.960118]  l2tp_xmit_skb+0x105f/0x1410
[ 34.964155]  ? l2tp_session_create+0xb80/0xb80
[ 34.968709]  ? sock_wmalloc+0x15d/0x1d0
[ 34.972654]  ? iov_iter_advance+0x13f0/0x13f0
[ 34.977120]  ? pppol2tp_sendmsg+0x41b/0x670
[ 34.981413]  pppol2tp_sendmsg+0x470/0x670
[ 34.985532]  ? selinux_socket_sendmsg+0x36/0x40
[ 34.990172]  ? pppol2tp_session_ioctl+0xa90/0xa90
[ 34.994987]  sock_sendmsg+0xca/0x110
[ 34.998669]  sock_write_iter+0x31a/0x5d0
[ 35.002698]  ? sock_sendmsg+0x110/0x110
[ 35.006640]  ? find_held_lock+0x35/0x1d0
[ 35.010675]  ? iov_iter_init+0xaf/0x1d0
[ 35.014617]  __vfs_write+0x684/0x970
[ 35.018300]  ? kernel_read+0x120/0x120
[ 35.022162]  ? bpf_fd_pass+0x280/0x280
[ 35.026018]  ? _cond_resched+0x14/0x30
[ 35.029878]  ? selinux_file_permission+0x82/0x460
[ 35.034703]  ? rw_verify_area+0xe5/0x2b0
[ 35.038732]  ? __fdget_raw+0x20/0x20
[ 35.042416]  vfs_write+0x189/0x510
[ 35.045927]  SyS_write+0xef/0x220
[ 35.049351]  ? SyS_read+0x220/0x220
[ 35.052950]  ? do_syscall_64+0xb7/0x940
[ 35.056894]  ? SyS_read+0x220/0x220
[ 35.060495]  do_syscall_64+0x282/0x940
[ 35.064351]  ? __do_page_fault+0xc90/0xc90
[ 35.068555]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 35.073282]  ? syscall_return_slowpath+0x550/0x550
[ 35.078179]  ? syscall_return_slowpath+0x2ac/0x550
[ 35.083076]  ? prepare_exit_to_usermode+0x350/0x350
[ 35.088066]  ? retint_user+0x18/0x18
[ 35.091752]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 35.096575]  entry_SYSCALL_64_after_hwframe+0x26/0x9b
[ 35.101736] RIP: 0033:0x4401f9
[ 35.104897] RSP: 002b:00007ffc6419ae28 EFLAGS: 00000217 ORIG_RAX: 0000000000000001
[ 35.112571] RAX: ffffffffffffffda RBX: ffffffffffffffff RCX: 00000000004401f9
[ 35.119812] RDX: 000000000000002a RSI: 0000000020147fd6 RDI: 0000000000000004
[ 35.127053] RBP: 00000000006ca018 R08: 0000000000000000 R09: 0000000000000000
[ 35.134294] R10: 0000000000000000 R11: 0000000000000217 R12: 0000000000401b20
[ 35.141535] R13: 0000000000401bb0 R14: 0000000000000000 R15: 0000000000000000
[ 35.149211] Dumping ftrace buffer:
[ 35.152722]    (ftrace buffer empty)
[ 35.156404] Kernel Offset: disabled
[ 35.160001] Rebooting in 86400 seconds..