[....] Starting enhanced syslogd: rsyslogd[ 13.750354] audit: type=1400 audit(1516435366.471:5): avc: denied { syslog } for pid=3499 comm="rsyslogd" capability=34 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=capability2 permissive=1 [?25l[?1c7[ ok 8[?25h[?0c. [....] Starting periodic command scheduler: cron[?25l[?1c7[ ok 8[?25h[?0c. Starting mcstransd: [....] Starting OpenBSD Secure Shell server: sshd[?25l[?1c7[ ok 8[?25h[?0c. [....] Starting file context maintaining daemon: restorecond[?25l[?1c7[ ok 8[?25h[?0c. Debian GNU/Linux 7 syzkaller ttyS0 syzkaller login: [ 18.206658] audit: type=1400 audit(1516435370.927:6): avc: denied { map } for pid=3640 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1 Warning: Permanently added '10.128.15.245' (ECDSA) to the list of known hosts. executing program [ 24.465187] audit: type=1400 audit(1516435377.185:7): avc: denied { map } for pid=3655 comm="syzkaller487774" path="/root/syzkaller487774929" dev="sda1" ino=16481 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1 [ 24.474382] ================================================================== [ 24.474411] BUG: KASAN: use-after-free in ip6_xmit+0x1ce9/0x2090 [ 24.474418] Read of size 8 at addr ffff8801c3e8cb18 by task syzkaller487774/3655 [ 24.474420] [ 24.474429] CPU: 0 PID: 3655 Comm: syzkaller487774 Not tainted 4.15.0-rc8+ #198 [ 24.474433] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 24.474436] Call Trace: [ 24.474448] dump_stack+0x194/0x257 [ 24.474462] ? arch_local_irq_restore+0x53/0x53 [ 24.474473] ? show_regs_print_info+0x18/0x18 [ 24.474490] ? ip6_xmit+0x1ce9/0x2090 [ 24.474503] print_address_description+0x73/0x250 [ 24.474512] ? ip6_xmit+0x1ce9/0x2090 [ 24.474522] kasan_report+0x25b/0x340 [ 24.474537] __asan_report_load8_noabort+0x14/0x20 [ 24.474545] ip6_xmit+0x1ce9/0x2090 [ 24.474574] ? ip6_finish_output2+0x23a0/0x23a0 [ 24.474590] ? fl6_update_dst+0x127/0x2b0 [ 24.474602] ? check_noncircular+0x20/0x20 [ 24.474612] ? inet6_csk_route_socket+0x691/0xe80 [ 24.474627] ? lock_acquire+0x1d5/0x580 [ 24.474633] ? lock_acquire+0x1d5/0x580 [ 24.474640] ? inet6_csk_xmit+0x114/0x580 [ 24.474648] ? __lock_is_held+0xb6/0x140 [ 24.474663] ? lock_release+0xa40/0xa40 [ 24.474676] ? __lock_is_held+0xb6/0x140 [ 24.474703] inet6_csk_xmit+0x2fc/0x580 [ 24.474713] ? inet6_csk_update_pmtu+0x160/0x160 [ 24.474727] ? rt_cpu_seq_show+0x2c0/0x2c0 [ 24.474737] ? refcount_add_not_zero+0x133/0x200 [ 24.474774] tcp_transmit_skb+0x1b1b/0x38c0 [ 24.474805] ? __tcp_select_window+0x900/0x900 [ 24.474814] ? tcp_fastopen_cache_get+0x449/0x720 [ 24.474829] ? tcp_peer_is_proven+0xc60/0xc60 [ 24.474843] ? __lock_is_held+0xb6/0x140 [ 24.474876] ? tcp_try_fastopen+0x1b50/0x1b50 [ 24.474896] ? tcp_init_transfer+0x3d0/0x3d0 [ 24.474918] ? tcp_rbtree_insert+0x135/0x190 [ 24.474935] tcp_connect+0x1edb/0x4090 [ 24.474963] ? tcp_push_one+0x100/0x100 [ 24.474970] ? lock_downgrade+0x8e7/0x980 [ 24.474996] ? pvclock_read_flags+0x160/0x160 [ 24.475008] ? mark_held_locks+0xaf/0x100 [ 24.475014] ? ip_route_output_key_hash+0x229/0x370 [ 24.475027] ? ktime_get_with_offset+0x188/0x420 [ 24.475046] ? kvm_clock_get_cycles+0x25/0x30 [ 24.475054] ? ktime_get_with_offset+0x2c1/0x420 [ 24.475070] ? do_gettimeofday+0x190/0x190 [ 24.475092] ? tcp_fastopen_defer_connect+0x163/0x4a0 [ 24.475104] ? tcp_fastopen_cookie_check+0x720/0x720 [ 24.475113] ? siphash_1u64+0x18/0x270 [ 24.475149] tcp_v4_connect+0x15ef/0x1e70 [ 24.475158] ? __sys_sendmsg+0xe5/0x210 [ 24.475187] ? tcp_v4_inbound_md5_hash+0x510/0x510 [ 24.475198] ? __lock_is_held+0xb6/0x140 [ 24.475218] __inet_stream_connect+0x2d4/0xf00 [ 24.475238] ? inet_bind+0x910/0x910 [ 24.475260] ? tcp_sendmsg_locked+0x1f71/0x3c70 [ 24.475268] ? rcu_read_lock_sched_held+0x108/0x120 [ 24.475277] ? kmem_cache_alloc_trace+0x456/0x750 [ 24.475285] ? lock_downgrade+0x980/0x980 [ 24.475308] tcp_sendmsg_locked+0x264e/0x3c70 [ 24.475327] ? avc_has_perm+0x35e/0x680 [ 24.475337] ? lock_downgrade+0x980/0x980 [ 24.475351] ? lock_release+0xa40/0xa40 [ 24.475374] ? tcp_sendpage+0x60/0x60 [ 24.475381] ? save_stack+0x43/0xd0 [ 24.475413] ? print_irqtrace_events+0x270/0x270 [ 24.475418] ? find_held_lock+0x35/0x1d0 [ 24.475438] ? lock_acquire+0x1d5/0x580 [ 24.475444] ? lock_acquire+0x1d5/0x580 [ 24.475452] ? tcp_sendmsg+0x21/0x50 [ 24.475476] ? mark_held_locks+0xaf/0x100 [ 24.475483] ? do_raw_spin_trylock+0x190/0x190 [ 24.475495] ? __local_bh_enable_ip+0x121/0x230 [ 24.475507] ? trace_hardirqs_on_caller+0x421/0x5c0 [ 24.475514] ? lock_sock_nested+0x91/0x110 [ 24.475521] ? trace_hardirqs_on+0xd/0x10 [ 24.475529] ? __local_bh_enable_ip+0x121/0x230 [ 24.475548] tcp_sendmsg+0x2f/0x50 [ 24.475558] inet_sendmsg+0x11f/0x5e0 [ 24.475570] ? inet_create+0xf50/0xf50 [ 24.475581] ? selinux_socket_sendmsg+0x36/0x40 [ 24.475590] ? security_socket_sendmsg+0x89/0xb0 [ 24.475598] ? inet_create+0xf50/0xf50 [ 24.475609] sock_sendmsg+0xca/0x110 [ 24.475622] ___sys_sendmsg+0x767/0x8b0 [ 24.475638] ? copy_msghdr_from_user+0x590/0x590 [ 24.475679] ? __fget_light+0x297/0x380 [ 24.475690] ? fget_raw+0x20/0x20 [ 24.475702] ? __handle_mm_fault+0x3ce0/0x3ce0 [ 24.475708] ? vmacache_find+0x5f/0x280 [ 24.475727] ? up_read+0x1a/0x40 [ 24.475738] ? __do_page_fault+0x3d6/0xc90 [ 24.475759] ? __fdget+0x18/0x20 [ 24.475775] __sys_sendmsg+0xe5/0x210 [ 24.475781] ? __sys_sendmsg+0xe5/0x210 [ 24.475792] ? SyS_shutdown+0x290/0x290 [ 24.475804] ? __do_page_fault+0xc90/0xc90 [ 24.475819] ? SyS_setsockopt+0x215/0x360 [ 24.475846] ? trace_hardirqs_on_caller+0x421/0x5c0 [ 24.475863] SyS_sendmsg+0x2d/0x50 [ 24.475876] entry_SYSCALL_64_fastpath+0x29/0xa0 [ 24.475888] RIP: 0033:0x440019 [ 24.475892] RSP: 002b:00007ffdee6eb768 EFLAGS: 00000217 ORIG_RAX: 000000000000002e [ 24.475900] RAX: ffffffffffffffda RBX: ffffffffffffffff RCX: 0000000000440019 [ 24.475904] RDX: 0000000020004000 RSI: 000000002088b000 RDI: 0000000000000003 [ 24.475908] RBP: 00000000006ca018 R08: 00000000004002c8 R09: 00000000004002c8 [ 24.475912] R10: 0000000000000004 R11: 0000000000000217 R12: 0000000000401940 [ 24.475916] R13: 00000000004019d0 R14: 0000000000000000 R15: 0000000000000000 [ 24.475945] [ 24.475948] Allocated by task 3638: [ 24.475955] save_stack+0x43/0xd0 [ 24.475961] kasan_kmalloc+0xad/0xe0 [ 24.475967] kasan_slab_alloc+0x12/0x20 [ 24.475972] kmem_cache_alloc+0x12e/0x760 [ 24.475979] dst_alloc+0x11f/0x1a0 [ 24.475985] rt_dst_alloc+0xe9/0x520 [ 24.475991] ip_route_output_key_hash_rcu+0xa40/0x2c20 [ 24.475996] ip_route_output_key_hash+0x20b/0x370 [ 24.476002] __ip4_datagram_connect+0xa67/0x1240 [ 24.476007] __ip6_datagram_connect+0x6fa/0xf80 [ 24.476012] ip6_datagram_connect+0x2f/0x50 [ 24.476019] inet_dgram_connect+0x16b/0x1f0 [ 24.476024] SYSC_connect+0x213/0x4a0 [ 24.476030] SyS_connect+0x24/0x30 [ 24.476036] entry_SYSCALL_64_fastpath+0x29/0xa0 [ 24.476038] [ 24.476040] Freed by task 0: [ 24.476047] save_stack+0x43/0xd0 [ 24.476053] kasan_slab_free+0x71/0xc0 [ 24.476058] kmem_cache_free+0x83/0x2a0 [ 24.476063] dst_destroy+0x257/0x370 [ 24.476069] dst_destroy_rcu+0x16/0x20 [ 24.476077] rcu_process_callbacks+0xd6c/0x17f0 [ 24.476082] __do_softirq+0x2d7/0xb85 [ 24.476084] [ 24.476089] The buggy address belongs to the object at ffff8801c3e8cb00 [ 24.476089] which belongs to the cache ip_dst_cache of size 168 [ 24.476095] The buggy address is located 24 bytes inside of [ 24.476095] 168-byte region [ffff8801c3e8cb00, ffff8801c3e8cba8) [ 24.476097] The buggy address belongs to the page: [ 24.476103] page:ffffea00070fa300 count:1 mapcount:0 mapping:ffff8801c3e8c000 index:0x0 [ 24.476110] flags: 0x2fffc0000000100(slab) [ 24.476120] raw: 02fffc0000000100 ffff8801c3e8c000 0000000000000000 0000000100000010 [ 24.476128] raw: ffff8801d6f43748 ffffea0007055520 ffff8801d6f46b00 0000000000000000 [ 24.476131] page dumped because: kasan: bad access detected [ 24.476133] [ 24.476135] Memory state around the buggy address: [ 24.476140] ffff8801c3e8ca00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 24.476145] ffff8801c3e8ca80: 00 00 00 00 00 fc fc fc fc fc fc fc fc fc fc fc [ 24.476150] >ffff8801c3e8cb00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 24.476153] ^ [ 24.476158] ffff8801c3e8cb80: fb fb fb fb fb fc fc fc fc fc fc fc fc fc fc fc [ 24.476163] ffff8801c3e8cc00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 24.476165] ================================================================== [ 24.476168] Disabling lock debugging due to kernel taint [ 24.476189] Kernel panic - not syncing: panic_on_warn set ... [ 24.476189] [ 24.476196] CPU: 0 PID: 3655 Comm: syzkaller487774 Tainted: G B 4.15.0-rc8+ #198 [ 24.476199] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 24.476201] Call Trace: [ 24.476208] dump_stack+0x194/0x257 [ 24.476217] ? arch_local_irq_restore+0x53/0x53 [ 24.476223] ? kasan_end_report+0x32/0x50 [ 24.476233] ? trace_hardirqs_on_thunk+0x1a/0x1c [ 24.476241] ? vsnprintf+0x1ed/0x1900 [ 24.476249] ? ip6_xmit+0x1c10/0x2090 [ 24.476256] panic+0x1e4/0x41c [ 24.476263] ? refcount_error_report+0x214/0x214 [ 24.476273] ? add_taint+0x1c/0x50 [ 24.476279] ? add_taint+0x1c/0x50 [ 24.476288] ? ip6_xmit+0x1ce9/0x2090 [ 24.476295] kasan_end_report+0x50/0x50 [ 24.476302] kasan_report+0x144/0x340 [ 24.476312] __asan_report_load8_noabort+0x14/0x20 [ 24.476319] ip6_xmit+0x1ce9/0x2090 [ 24.476336] ? ip6_finish_output2+0x23a0/0x23a0 [ 24.476345] ? fl6_update_dst+0x127/0x2b0 [ 24.476353] ? check_noncircular+0x20/0x20 [ 24.476359] ? inet6_csk_route_socket+0x691/0xe80 [ 24.476369] ? lock_acquire+0x1d5/0x580 [ 24.476375] ? lock_acquire+0x1d5/0x580 [ 24.476380] ? inet6_csk_xmit+0x114/0x580 [ 24.476387] ? __lock_is_held+0xb6/0x140 [ 24.476397] ? lock_release+0xa40/0xa40 [ 24.476406] ? __lock_is_held+0xb6/0x140 [ 24.476421] inet6_csk_xmit+0x2fc/0x580 [ 24.476429] ? inet6_csk_update_pmtu+0x160/0x160 [ 24.476437] ? rt_cpu_seq_show+0x2c0/0x2c0 [ 24.476443] ? refcount_add_not_zero+0x133/0x200 [ 24.476463] tcp_transmit_skb+0x1b1b/0x38c0 [ 24.476481] ? __tcp_select_window+0x900/0x900 [ 24.476488] ? tcp_fastopen_cache_get+0x449/0x720 [ 24.476498] ? tcp_peer_is_proven+0xc60/0xc60 [ 24.476508] ? __lock_is_held+0xb6/0x140 [ 24.476527] ? tcp_try_fastopen+0x1b50/0x1b50 [ 24.476538] ? tcp_init_transfer+0x3d0/0x3d0 [ 24.476551] ? tcp_rbtree_insert+0x135/0x190 [ 24.476561] tcp_connect+0x1edb/0x4090 [ 24.476578] ? tcp_push_one+0x100/0x100 [ 24.476584] ? lock_downgrade+0x8e7/0x980 [ 24.476598] ? pvclock_read_flags+0x160/0x160 [ 24.476605] ? mark_held_locks+0xaf/0x100 [ 24.476611] ? ip_route_output_key_hash+0x229/0x370 [ 24.476618] ? ktime_get_with_offset+0x188/0x420 [ 24.476629] ? kvm_clock_get_cycles+0x25/0x30 [ 24.476636] ? ktime_get_with_offset+0x2c1/0x420 [ 24.476647] ? do_gettimeofday+0x190/0x190 [ 24.476660] ? tcp_fastopen_defer_connect+0x163/0x4a0 [ 24.476669] ? tcp_fastopen_cookie_check+0x720/0x720 [ 24.476675] ? siphash_1u64+0x18/0x270 [ 24.476695] tcp_v4_connect+0x15ef/0x1e70 [ 24.476701] ? __sys_sendmsg+0xe5/0x210 [ 24.476718] ? tcp_v4_inbound_md5_hash+0x510/0x510 [ 24.476726] ? __lock_is_held+0xb6/0x140 [ 24.476739] __inet_stream_connect+0x2d4/0xf00 [ 24.476751] ? inet_bind+0x910/0x910 [ 24.476765] ? tcp_sendmsg_locked+0x1f71/0x3c70 [ 24.476771] ? rcu_read_lock_sched_held+0x108/0x120 [ 24.476778] ? kmem_cache_alloc_trace+0x456/0x750 [ 24.476785] ? lock_downgrade+0x980/0x980 [ 24.476799] tcp_sendmsg_locked+0x264e/0x3c70 [ 24.476810] ? avc_has_perm+0x35e/0x680 [ 24.476818] ? lock_downgrade+0x980/0x980 [ 24.476827] ? lock_release+0xa40/0xa40 [ 24.476842] ? tcp_sendpage+0x60/0x60 [ 24.476847] ? save_stack+0x43/0xd0 [ 24.476865] ? print_irqtrace_events+0x270/0x270 [ 24.476870] ? find_held_lock+0x35/0x1d0 [ 24.476887] ? lock_acquire+0x1d5/0x580 [ 24.476893] ? lock_acquire+0x1d5/0x580 [ 24.476899] ? tcp_sendmsg+0x21/0x50 [ 24.476914] ? mark_held_locks+0xaf/0x100 [ 24.476920] ? do_raw_spin_trylock+0x190/0x190 [ 24.476927] ? __local_bh_enable_ip+0x121/0x230 [ 24.476936] ? trace_hardirqs_on_caller+0x421/0x5c0 [ 24.476942] ? lock_sock_nested+0x91/0x110 [ 24.476948] ? trace_hardirqs_on+0xd/0x10 [ 24.476954] ? __local_bh_enable_ip+0x121/0x230 [ 24.476966] tcp_sendmsg+0x2f/0x50 [ 24.476973] inet_sendmsg+0x11f/0x5e0 [ 24.476981] ? inet_create+0xf50/0xf50 [ 24.476990] ? selinux_socket_sendmsg+0x36/0x40 [ 24.476997] ? security_socket_sendmsg+0x89/0xb0 [ 24.477006] ? inet_create+0xf50/0xf50 [ 24.477014] sock_sendmsg+0xca/0x110 [ 24.477022] ___sys_sendmsg+0x767/0x8b0 [ 24.477033] ? copy_msghdr_from_user+0x590/0x590 [ 24.477055] ? __fget_light+0x297/0x380 [ 24.477062] ? fget_raw+0x20/0x20 [ 24.477070] ? __handle_mm_fault+0x3ce0/0x3ce0 [ 24.477075] ? vmacache_find+0x5f/0x280 [ 24.477086] ? up_read+0x1a/0x40 [ 24.477094] ? __do_page_fault+0x3d6/0xc90 [ 24.477107] ? __fdget+0x18/0x20 [ 24.477117] __sys_sendmsg+0xe5/0x210 [ 24.477123] ? __sys_sendmsg+0xe5/0x210 [ 24.477132] ? SyS_shutdown+0x290/0x290 [ 24.477140] ? __do_page_fault+0xc90/0xc90 [ 24.477151] ? SyS_setsockopt+0x215/0x360 [ 24.477167] ? trace_hardirqs_on_caller+0x421/0x5c0 [ 24.477178] SyS_sendmsg+0x2d/0x50 [ 24.477187] entry_SYSCALL_64_fastpath+0x29/0xa0 [ 24.477191] RIP: 0033:0x440019 [ 24.477194] RSP: 002b:00007ffdee6eb768 EFLAGS: 00000217 ORIG_RAX: 000000000000002e [ 24.477201] RAX: ffffffffffffffda RBX: ffffffffffffffff RCX: 0000000000440019 [ 24.477204] RDX: 0000000020004000 RSI: 000000002088b000 RDI: 0000000000000003 [ 24.477208] RBP: 00000000006ca018 R08: 00000000004002c8 R09: 00000000004002c8 [ 24.477211] R10: 0000000000000004 R11: 0000000000000217 R12: 0000000000401940 [ 24.477215] R13: 00000000004019d0 R14: 0000000000000000 R15: 0000000000000000 [ 24.491554] Dumping ftrace buffer: [ 24.491558] (ftrace buffer empty) [ 24.491561] Kernel Offset: disabled [ 25.722165] Rebooting in 86400 seconds..