[ ok ] Starting enhanced syslogd: rsyslogd.
[ 11.377960] audit: type=1400 audit(1516826825.006:4): avc: denied { syslog } for pid=3172 comm="rsyslogd" capability=34 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=capability2 permissive=1
[ ok ] Starting periodic command scheduler: cron.
Starting mcstransd:
[ ok ] Starting file context maintaining daemon: restorecond.
[ ok ] Starting OpenBSD Secure Shell server: sshd.

Debian GNU/Linux 7 syzkaller ttyS0

Warning: Permanently added '10.128.15.198' (ECDSA) to the list of known hosts.
executing program
syzkaller login: [ 29.262551] ==================================================================
[ 29.269941] BUG: KASAN: use-after-free in ip6_xmit+0x1bc7/0x1bd0
[ 29.276054] Read of size 8 at addr ffff8801d80eb298 by task syzkaller904214/3330
[ 29.283554]
[ 29.285156] CPU: 0 PID: 3330 Comm: syzkaller904214 Not tainted 4.9.78-ge9dabe6 #19
[ 29.292833] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 29.302170]  ffff8801cd5af5a0 ffffffff81d943a9 ffffea0007603ac0 ffff8801d80eb298
[ 29.310138]  0000000000000000 ffff8801d80eb298 ffff8801c8e6c064 ffff8801cd5af5d8
[ 29.318106]  ffffffff8153dc23 ffff8801d80eb298 0000000000000008 0000000000000000
[ 29.326067] Call Trace:
[ 29.328627]  [] dump_stack+0xc1/0x128
[ 29.333962]  [] print_address_description+0x73/0x280
[ 29.340596]  [] kasan_report+0x275/0x360
[ 29.346202]  [] ? ip6_xmit+0x1bc7/0x1bd0
[ 29.351794]  [] __asan_report_load8_noabort+0x14/0x20
[ 29.358525]  [] ip6_xmit+0x1bc7/0x1bd0
[ 29.363941]  [] ? save_stack_trace+0x16/0x20
[ 29.369882]  [] ? save_trace+0xe0/0x270
[ 29.375388]  [] ? ip6_finish_output2+0x1d20/0x1d20
[ 29.381860]  [] ? debug_check_no_locks_freed+0x2c0/0x2c0
[ 29.388845]  [] ? __lock_is_held+0xa1/0xf0
[ 29.394612]  [] ? ipv4_dst_check+0x111/0x160
[ 29.400561]  [] ? __sk_dst_check+0x10e/0x240
[ 29.406503]  [] inet6_csk_xmit+0x27d/0x4d0
[ 29.412270]  [] ? inet6_csk_xmit+0x100/0x4d0
[ 29.418297]  [] ? inet6_csk_update_pmtu+0x160/0x160
[ 29.424854]  [] l2tp_xmit_skb+0xcdc/0xf50
[ 29.430534]  [] pppol2tp_sendmsg+0x5c0/0x7a0
[ 29.436561]  [] ? selinux_socket_sendmsg+0x3f/0x50
[ 29.443027]  [] ? pppol2tp_release+0x2e0/0x2e0
[ 29.449143]  [] sock_sendmsg+0xca/0x110
[ 29.454649]  [] ___sys_sendmsg+0x320/0x7e0
[ 29.460415]  [] ? copy_msghdr_from_user+0x550/0x550
[ 29.466962]  [] ? kasan_unpoison_shadow+0x35/0x50
[ 29.473339]  [] ? __lru_cache_add+0x187/0x250
[ 29.479375]  [] ? __fget_light+0x158/0x1e0
[ 29.485141]  [] ? __fdget+0x18/0x20
[ 29.490301]  [] ? sockfd_lookup_light+0x118/0x160
[ 29.496851]  [] __sys_sendmmsg+0x159/0x3a0
[ 29.502619]  [] ? SyS_sendmsg+0x50/0x50
[ 29.508125]  [] ? up_read+0x1a/0x40
[ 29.513292]  [] ? __do_page_fault+0x3bd/0xd40
[ 29.519318]  [] ? trace_hardirqs_on_caller+0x38b/0x590
[ 29.526127]  [] SyS_sendmmsg+0x35/0x60
[ 29.531547]  [] entry_SYSCALL_64_fastpath+0x29/0xe8
[ 29.538447]
[ 29.540047] Allocated by task 3272:
[ 29.543646]  save_stack_trace+0x16/0x20
[ 29.547587]  save_stack+0x43/0xd0
[ 29.551011]  kasan_kmalloc+0xad/0xe0
[ 29.554691]  kasan_slab_alloc+0x12/0x20
[ 29.558632]  kmem_cache_alloc+0xba/0x290
[ 29.562662]  dst_alloc+0x11f/0x1a0
[ 29.566171]  rt_dst_alloc+0x78/0x430
[ 29.569852]  __ip_route_output_key_hash+0xa4e/0x23e0
[ 29.574924]  __ip4_datagram_connect+0xa17/0x1160
[ 29.579647]  __ip6_datagram_connect+0x6f9/0xdf0
[ 29.584282]  ip6_datagram_connect+0x2f/0x50
[ 29.588570]  inet_dgram_connect+0x16b/0x1f0
[ 29.592859]  SYSC_connect+0x1b6/0x310
[ 29.596638]  SyS_connect+0x24/0x30
[ 29.600149]  entry_SYSCALL_64_fastpath+0x29/0xe8
[ 29.604871]
[ 29.606464] Freed by task 3286:
[ 29.609712]  save_stack_trace+0x16/0x20
[ 29.613653]  save_stack+0x43/0xd0
[ 29.617073]  kasan_slab_free+0x72/0xc0
[ 29.620929]  kmem_cache_free+0xc7/0x300
[ 29.624872]  dst_destroy+0x1fd/0x360
[ 29.628554]  dst_destroy_rcu+0x15/0x40
[ 29.633032]  rcu_process_callbacks+0x898/0x1300
[ 29.637667]  __do_softirq+0x206/0x951
[ 29.641434]
[ 29.643033] The buggy address belongs to the object at ffff8801d80eb280
[ 29.643033]  which belongs to the cache ip_dst_cache of size 216
[ 29.655742] The buggy address is located 24 bytes inside of
[ 29.655742]  216-byte region [ffff8801d80eb280, ffff8801d80eb358)
[ 29.667496] The buggy address belongs to the page:
[ 29.672394] page:ffffea0007603ac0 count:1 mapcount:0 mapping: (null) index:0x0
[ 29.680888] flags: 0x8000000000000080(slab)
[ 29.686563] page dumped because: kasan: bad access detected
[ 29.692240]
[ 29.693833] Memory state around the buggy address:
[ 29.698729]  ffff8801d80eb180: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 29.707366]  ffff8801d80eb200: 00 00 00 fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 29.714696] >ffff8801d80eb280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 29.722024]                             ^
[ 29.726140]  ffff8801d80eb300: fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc fc
[ 29.733467]  ffff8801d80eb380: fc fc fc fc fc fc fc fc 00 00 00 00 00 00 00 00
[ 29.740808] ==================================================================
[ 29.748141] Disabling lock debugging due to kernel taint
[ 29.753586] Kernel panic - not syncing: panic_on_warn set ...
[ 29.753586]
[ 29.760929] CPU: 0 PID: 3330 Comm: syzkaller904214 Tainted: G B 4.9.78-ge9dabe6 #19
[ 29.769821] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 29.779144]  ffff8801cd5af4f8 ffffffff81d943a9 ffffffff841971bf ffff8801cd5af5d0
[ 29.787805]  0000000000000000 ffff8801d80eb298 ffff8801c8e6c064 ffff8801cd5af5c0
[ 29.795766]  ffffffff8142f451 0000000041b58ab3 ffffffff8418ac30 ffffffff8142f295
[ 29.806086] Call Trace:
[ 29.808643]  [] dump_stack+0xc1/0x128
[ 29.816302]  [] panic+0x1bc/0x3a8
[ 29.822677]  [] ? percpu_up_read_preempt_enable.constprop.53+0xd7/0xd7
[ 29.833218]  [] kasan_end_report+0x50/0x50
[ 29.838985]  [] kasan_report+0x167/0x360
[ 29.844592]  [] ? ip6_xmit+0x1bc7/0x1bd0
[ 29.850200]  [] __asan_report_load8_noabort+0x14/0x20
[ 29.856923]  [] ip6_xmit+0x1bc7/0x1bd0
[ 29.862345]  [] ? save_stack_trace+0x16/0x20
[ 29.868288]  [] ? save_trace+0xe0/0x270
[ 29.873807]  [] ? ip6_finish_output2+0x1d20/0x1d20
[ 29.880802]  [] ? debug_check_no_locks_freed+0x2c0/0x2c0
[ 29.887794]  [] ? __lock_is_held+0xa1/0xf0
[ 29.893581]  [] ? ipv4_dst_check+0x111/0x160
[ 29.899548]  [] ? __sk_dst_check+0x10e/0x240
[ 29.905490]  [] inet6_csk_xmit+0x27d/0x4d0
[ 29.911260]  [] ? inet6_csk_xmit+0x100/0x4d0
[ 29.917201]  [] ? inet6_csk_update_pmtu+0x160/0x160
[ 29.923770]  [] l2tp_xmit_skb+0xcdc/0xf50
[ 29.929454]  [] pppol2tp_sendmsg+0x5c0/0x7a0
[ 29.935393]  [] ? selinux_socket_sendmsg+0x3f/0x50
[ 29.941854]  [] ? pppol2tp_release+0x2e0/0x2e0
[ 29.947971]  [] sock_sendmsg+0xca/0x110
[ 29.953475]  [] ___sys_sendmsg+0x320/0x7e0
[ 29.959242]  [] ? copy_msghdr_from_user+0x550/0x550
[ 29.965789]  [] ? kasan_unpoison_shadow+0x35/0x50
[ 29.972163]  [] ? __lru_cache_add+0x187/0x250
[ 29.978194]  [] ? __fget_light+0x158/0x1e0
[ 29.983973]  [] ? __fdget+0x18/0x20
[ 29.989132]  [] ? sockfd_lookup_light+0x118/0x160
[ 29.995506]  [] __sys_sendmmsg+0x159/0x3a0
[ 30.001281]  [] ? SyS_sendmsg+0x50/0x50
[ 30.006788]  [] ? up_read+0x1a/0x40
[ 30.011947]  [] ? __do_page_fault+0x3bd/0xd40
[ 30.018586]  [] ? trace_hardirqs_on_caller+0x38b/0x590
[ 30.025394]  [] SyS_sendmmsg+0x35/0x60
[ 30.030814]  [] entry_SYSCALL_64_fastpath+0x29/0xe8
[ 30.037817] Dumping ftrace buffer:
[ 30.041329]    (ftrace buffer empty)
[ 30.045008] Kernel Offset: disabled
[ 30.048600] Rebooting in 86400 seconds..