[ ok ] Starting enhanced syslogd: rsyslogd.
[   11.185404] audit: type=1400 audit(1516327063.699:4): avc: denied { syslog } for pid=3173 comm="rsyslogd" capability=34 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=capability2 permissive=1
[ ok ] Starting periodic command scheduler: cron.
Starting mcstransd:
[ ok ] Starting file context maintaining daemon: restorecond.
[ ok ] Starting OpenBSD Secure Shell server: sshd.

Debian GNU/Linux 7 syzkaller ttyS0

Warning: Permanently added '10.128.0.59' (ECDSA) to the list of known hosts.
executing program
syzkaller login: [   33.444996] ==================================================================
[   33.446189] BUG: KASAN: use-after-free in ip6_xmit+0x1bc7/0x1bd0
[   33.447067] Read of size 8 at addr ffff8801d078d3d8 by task syzkaller928974/3338
[   33.448086]
[   33.448358] CPU: 0 PID: 3338 Comm: syzkaller928974 Not tainted 4.9.77-g8788313 #25
[   33.449470] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   33.450740]  ffff8801c991f620 ffffffff81d941c9 ffffea000741e340 ffff8801d078d3d8
[   33.452043]  0000000000000000 ffff8801d078d3d8 ffff8801c91c0064 ffff8801c991f658
[   33.453331]  ffffffff8153db93 ffff8801d078d3d8 0000000000000008 0000000000000000
[   33.454599] Call Trace:
[   33.455028]  [] dump_stack+0xc1/0x128
[   33.455805]  [] print_address_description+0x73/0x280
[   33.456753]  [] kasan_report+0x275/0x360
[   33.457556]  [] ? ip6_xmit+0x1bc7/0x1bd0
[   33.458355]  [] __asan_report_load8_noabort+0x14/0x20
[   33.459546]  [] ip6_xmit+0x1bc7/0x1bd0
[   33.460410]  [] ? save_stack_trace+0x16/0x20
[   33.461285]  [] ? save_trace+0xe0/0x270
[   33.462115]  [] ? ip6_finish_output2+0x1d20/0x1d20
[   33.463496]  [] ? debug_check_no_locks_freed+0x2c0/0x2c0
[   33.464573]  [] ? __lock_is_held+0xa1/0xf0
[   33.466607]  [] ? ipv4_dst_check+0x111/0x160
[   33.472552]  [] ? __sk_dst_check+0x10e/0x240
[   33.478756]  [] inet6_csk_xmit+0x27d/0x4d0
[   33.497204]  [] ? inet6_csk_xmit+0x100/0x4d0
[   33.503159]  [] ? inet6_csk_update_pmtu+0x160/0x160
[   33.509715]  [] l2tp_xmit_skb+0xcdc/0xf50
[   33.515429]  [] pppol2tp_sendmsg+0x5c0/0x7a0
[   33.521389]  [] ? selinux_socket_sendmsg+0x3f/0x50
[   33.527852]  [] ? pppol2tp_release+0x2e0/0x2e0
[   33.533970]  [] sock_sendmsg+0xca/0x110
[   33.539481]  [] ___sys_sendmsg+0x6d1/0x7e0
[   33.545252]  [] ? copy_msghdr_from_user+0x550/0x550
[   33.551805]  [] ? __lru_cache_add+0x187/0x250
[   33.557838]  [] ? do_huge_pmd_anonymous_page+0xb05/0x10d0
[   33.565126]  [] ? _raw_spin_unlock+0x2c/0x50
[   33.571095]  [] ? do_huge_pmd_anonymous_page+0x2d4/0x10d0
[   33.578195]  [] ? handle_mm_fault+0x6ee/0x2530
[   33.584342]  [] ? __fget_light+0x158/0x1e0
[   33.596127]  [] ? __fdget+0x18/0x20
[   33.601326]  [] ? sockfd_lookup_light+0x118/0x160
[   33.608251]  [] __sys_sendmsg+0xd6/0x190
[   33.613852]  [] ? SyS_shutdown+0x1b0/0x1b0
[   33.619624]  [] ? __do_page_fault+0x5ec/0xd40
[   33.625657]  [] compat_SyS_sendmsg+0x2a/0x40
[   33.631599]  [] ? compat_SyS_getsockopt+0x2a0/0x2a0
[   33.638151]  [] do_fast_syscall_32+0x2f7/0x890
[   33.644265]  [] ? trace_hardirqs_off_thunk+0x1a/0x1c
[   33.650909]  [] entry_SYSENTER_compat+0x74/0x83
[   33.657113]
[   33.658713] Allocated by task 3317:
[   33.662319]  save_stack_trace+0x16/0x20
[   33.666265]  save_stack+0x43/0xd0
[   33.669687]  kasan_kmalloc+0xad/0xe0
[   33.673369]  kasan_slab_alloc+0x12/0x20
[   33.677314]  kmem_cache_alloc+0xba/0x290
[   33.681344]  dst_alloc+0x11f/0x1a0
[   33.684855]  rt_dst_alloc+0x78/0x430
[   33.688550]  __ip_route_output_key_hash+0xa4e/0x23e0
[   33.693655]  __ip4_datagram_connect+0xa17/0x1160
[   33.698390]  __ip6_datagram_connect+0x6f9/0xdf0
[   33.703032]  ip6_datagram_connect+0x2f/0x50
[   33.707326]  inet_dgram_connect+0x16b/0x1f0
[   33.711968]  SYSC_connect+0x1b6/0x310
[   33.715749]  SyS_connect+0x24/0x30
[   33.719279]  entry_SYSCALL_64_fastpath+0x29/0xe8
[   33.724003]
[   33.725604] Freed by task 0:
[   33.728600]  save_stack_trace+0x16/0x20
[   33.732542]  save_stack+0x43/0xd0
[   33.735974]  kasan_slab_free+0x72/0xc0
[   33.739831]  kmem_cache_free+0xc7/0x300
[   33.743783]  dst_destroy+0x1fd/0x360
[   33.747466]  dst_destroy_rcu+0x15/0x40
[   33.753093]  rcu_process_callbacks+0x898/0x1300
[   33.757750]  __do_softirq+0x206/0x951
[   33.761521]
[   33.763122] The buggy address belongs to the object at ffff8801d078d3c0
[   33.763122]  which belongs to the cache ip_dst_cache of size 216
[   33.775839] The buggy address is located 24 bytes inside of
[   33.775839]  216-byte region [ffff8801d078d3c0, ffff8801d078d498)
[   33.787596] The buggy address belongs to the page:
[   33.792501] page:ffffea000741e340 count:1 mapcount:0 mapping: (null) index:0x0
[   33.800732] flags: 0x8000000000000080(slab)
[   33.805022] page dumped because: kasan: bad access detected
[   33.810699]
[   33.812296] Memory state around the buggy address:
[   33.817196]  ffff8801d078d280: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   33.824525]  ffff8801d078d300: 00 00 00 00 00 00 00 00 00 00 00 fc fc fc fc fc
[   33.831859] >ffff8801d078d380: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
[   33.839197]                                                     ^
[   33.845397]  ffff8801d078d400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   33.852724]  ffff8801d078d480: fb fb fb fc fc fc fc fc fc fc fc fc fc fc fc fc
[   33.860052] ==================================================================
[   33.867390] Disabling lock debugging due to kernel taint
[   33.872848] Kernel panic - not syncing: panic_on_warn set ...
[   33.872848]
[   33.880186] CPU: 0 PID: 3338 Comm: syzkaller928974 Tainted: G B 4.9.77-g8788313 #25
[   33.889090] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   33.898421]  ffff8801c991f578 ffffffff81d941c9 ffffffff841970ff ffff8801c991f650
[   33.906418]  0000000000000000 ffff8801d078d3d8 ffff8801c91c0064 ffff8801c991f640
[   33.914422]  ffffffff8142f3c1 0000000041b58ab3 ffffffff8418ab70 ffffffff8142f205
[   33.922416] Call Trace:
[   33.924978]  [] dump_stack+0xc1/0x128
[   33.930318]  [] panic+0x1bc/0x3a8
[   33.935317]  [] ? percpu_up_read_preempt_enable.constprop.53+0xd7/0xd7
[   33.943521]  [] kasan_end_report+0x50/0x50
[   33.949293]  [] kasan_report+0x167/0x360
[   33.954891]  [] ? ip6_xmit+0x1bc7/0x1bd0
[   33.960487]  [] __asan_report_load8_noabort+0x14/0x20
[   33.967232]  [] ip6_xmit+0x1bc7/0x1bd0
[   33.972667]  [] ? save_stack_trace+0x16/0x20
[   33.978614]  [] ? save_trace+0xe0/0x270
[   33.984124]  [] ? ip6_finish_output2+0x1d20/0x1d20
[   33.990589]  [] ? debug_check_no_locks_freed+0x2c0/0x2c0
[   33.997572]  [] ? __lock_is_held+0xa1/0xf0
[   34.003340]  [] ? ipv4_dst_check+0x111/0x160
[   34.009287]  [] ? __sk_dst_check+0x10e/0x240
[   34.015229]  [] inet6_csk_xmit+0x27d/0x4d0
[   34.020998]  [] ? inet6_csk_xmit+0x100/0x4d0
[   34.026965]  [] ? inet6_csk_update_pmtu+0x160/0x160
[   34.033517]  [] l2tp_xmit_skb+0xcdc/0xf50
[   34.039202]  [] pppol2tp_sendmsg+0x5c0/0x7a0
[   34.045145]  [] ? selinux_socket_sendmsg+0x3f/0x50
[   34.051606]  [] ? pppol2tp_release+0x2e0/0x2e0
[   34.057736]  [] sock_sendmsg+0xca/0x110
[   34.063244]  [] ___sys_sendmsg+0x6d1/0x7e0
[   34.069015]  [] ? copy_msghdr_from_user+0x550/0x550
[   34.075571]  [] ? __lru_cache_add+0x187/0x250
[   34.081604]  [] ? do_huge_pmd_anonymous_page+0xb05/0x10d0
[   34.088676]  [] ? _raw_spin_unlock+0x2c/0x50
[   34.094619]  [] ? do_huge_pmd_anonymous_page+0x2d4/0x10d0
[   34.101801]  [] ? handle_mm_fault+0x6ee/0x2530
[   34.107919]  [] ? __fget_light+0x158/0x1e0
[   34.113684]  [] ? __fdget+0x18/0x20
[   34.118847]  [] ? sockfd_lookup_light+0x118/0x160
[   34.125219]  [] __sys_sendmsg+0xd6/0x190
[   34.130822]  [] ? SyS_shutdown+0x1b0/0x1b0
[   34.136596]  [] ? __do_page_fault+0x5ec/0xd40
[   34.142625]  [] compat_SyS_sendmsg+0x2a/0x40
[   34.148588]  [] ? compat_SyS_getsockopt+0x2a0/0x2a0
[   34.155138]  [] do_fast_syscall_32+0x2f7/0x890
[   34.161255]  [] ? trace_hardirqs_off_thunk+0x1a/0x1c
[   34.167893]  [] entry_SYSENTER_compat+0x74/0x83
[   34.174494] Dumping ftrace buffer:
[   34.178007]    (ftrace buffer empty)
[   34.181692] Kernel Offset: disabled
[   34.185298] Rebooting in 86400 seconds..