[ ok ] Starting periodic command scheduler: cron.
Starting mcstransd:
[ ok ] Starting file context maintaining daemon: restorecond.
[ ok ] Starting OpenBSD Secure Shell server: sshd.

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [ 22.161681] audit: type=1400 audit(1520569743.837:6): avc: denied { map } for pid=4222 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
[ 22.202980] sshd (4219) used greatest stack depth: 16584 bytes left
Warning: Permanently added '10.128.0.48' (ECDSA) to the list of known hosts.
executing program
[ 28.521935] audit: type=1400 audit(1520569750.197:7): avc: denied { map } for pid=4236 comm="syzkaller722999" path="/root/syzkaller722999240" dev="sda1" ino=16481 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
[ 28.529430] ==================================================================
[ 28.555472] BUG: KASAN: use-after-free in ip6_xmit+0x1f76/0x2260
[ 28.561770] Read of size 8 at addr ffff8801c64d9d18 by task syzkaller722999/4236
[ 28.569271]
[ 28.570874] CPU: 1 PID: 4236 Comm: syzkaller722999 Not tainted 4.16.0-rc4+ #258
[ 28.578290] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 28.587633] Call Trace:
[ 28.590198]  dump_stack+0x194/0x24d
[ 28.593843]  ? arch_local_irq_restore+0x53/0x53
[ 28.598486]  ? show_regs_print_info+0x18/0x18
[ 28.602962]  ? ip6_xmit+0x1f76/0x2260
[ 28.606824]  print_address_description+0x73/0x250
[ 28.611637]  ? ip6_xmit+0x1f76/0x2260
[ 28.615410]  kasan_report+0x23c/0x360
[ 28.619188]  __asan_report_load8_noabort+0x14/0x20
[ 28.624089]  ip6_xmit+0x1f76/0x2260
[ 28.627702]  ? ip6_finish_output2+0x23d0/0x23d0
[ 28.632347]  ? fl6_update_dst+0x127/0x2b0
[ 28.636472]  ? inet6_csk_route_socket+0x691/0xe80
[ 28.641291]  ? trace_hardirqs_off+0x10/0x10
[ 28.645674]  ? lock_acquire+0x1d5/0x580
[ 28.649621]  ? lock_acquire+0x1d5/0x580
[ 28.653565]  ? inet6_csk_xmit+0x114/0x580
[ 28.657687]  ? trace_hardirqs_off+0x10/0x10
[ 28.661985]  ? lock_release+0xa40/0xa40
[ 28.665948]  inet6_csk_xmit+0x2fc/0x580
[ 28.669895]  ? inet6_csk_update_pmtu+0x160/0x160
[ 28.674627]  ? __sk_dst_check+0x1a5/0x380
[ 28.678750]  ? sock_kzfree_s+0x60/0x60
[ 28.682626]  l2tp_xmit_skb+0x105f/0x1410
[ 28.686667]  ? l2tp_session_create+0xb80/0xb80
[ 28.691220]  ? sock_wmalloc+0x15d/0x1d0
[ 28.695170]  ? iov_iter_advance+0x13f0/0x13f0
[ 28.699642]  ? pppol2tp_sendmsg+0x41b/0x670
[ 28.703937]  pppol2tp_sendmsg+0x470/0x670
[ 28.708058]  ? selinux_socket_sendmsg+0x36/0x40
[ 28.712701]  ? pppol2tp_getsockopt+0x900/0x900
[ 28.717257]  sock_sendmsg+0xca/0x110
[ 28.720943]  ___sys_sendmsg+0x767/0x8b0
[ 28.725075]  ? copy_msghdr_from_user+0x590/0x590
[ 28.729813]  ? __pmd_alloc+0x4e0/0x4e0
[ 28.733678]  ? trace_hardirqs_off+0x10/0x10
[ 28.737971]  ? find_held_lock+0x35/0x1d0
[ 28.742012]  ? __fget_light+0x2b2/0x3c0
[ 28.745962]  ? fget_raw+0x20/0x20
[ 28.749404]  ? __do_page_fault+0x5f7/0xc90
[ 28.753613]  ? lock_downgrade+0x980/0x980
[ 28.757747]  __sys_sendmsg+0xe5/0x210
[ 28.761518]  ? __sys_sendmsg+0xe5/0x210
[ 28.765467]  ? SyS_shutdown+0x290/0x290
[ 28.769421]  ? __do_page_fault+0x3d6/0xc90
[ 28.773640]  ? trace_event_raw_event_sys_exit+0x260/0x260
[ 28.779156]  SyS_sendmsg+0x2d/0x50
[ 28.782667]  ? __sys_sendmsg+0x210/0x210
[ 28.786701]  do_syscall_64+0x281/0x940
[ 28.790563]  ? __do_page_fault+0xc90/0xc90
[ 28.794778]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 28.799599]  ? syscall_return_slowpath+0x550/0x550
[ 28.804502]  ? syscall_return_slowpath+0x2ac/0x550
[ 28.809412]  ? prepare_exit_to_usermode+0x350/0x350
[ 28.814401]  ? retint_user+0x18/0x18
[ 28.818101]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 28.822923]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 28.828083] RIP: 0033:0x440829
[ 28.831244] RSP: 002b:00007ffc2c742808 EFLAGS: 00000217 ORIG_RAX: 000000000000002e
[ 28.838924] RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 0000000000440829
[ 28.846163] RDX: 0000000000000081 RSI: 000000002037ffc8 RDI: 0000000000000004
[ 28.853403] RBP: 00000000006ca018 R08: 0000000000000001 R09: 0000000000000001
[ 28.860646] R10: 0000000000000001 R11: 0000000000000217 R12: 0000000000402150
[ 28.867888] R13: 00000000004021e0 R14: 0000000000000000 R15: 0000000000000000
[ 28.875159]
[ 28.876760] Allocated by task 4182:
[ 28.880362]  save_stack+0x43/0xd0
[ 28.883791]  kasan_kmalloc+0xad/0xe0
[ 28.887474]  kasan_slab_alloc+0x12/0x20
[ 28.891429]  kmem_cache_alloc+0x12e/0x760
[ 28.895663]  dst_alloc+0x11f/0x1a0
[ 28.899183]  rt_dst_alloc+0xe9/0x4e0
[ 28.902866]  ip_route_output_key_hash_rcu+0xa59/0x2fe0
[ 28.908120]  ip_route_output_key_hash+0x20b/0x370
[ 28.912932]  __ip4_datagram_connect+0xa67/0x1240
[ 28.917658]  __ip6_datagram_connect+0x749/0x12d0
[ 28.922383]  ip6_datagram_connect+0x2f/0x50
[ 28.926677]  inet_dgram_connect+0x16b/0x1f0
[ 28.930969]  SYSC_connect+0x213/0x4a0
[ 28.934738]  SyS_connect+0x24/0x30
[ 28.938251]  do_syscall_64+0x281/0x940
[ 28.942111]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 28.947279]
[ 28.948877] Freed by task 4184:
[ 28.952142]  save_stack+0x43/0xd0
[ 28.955565]  __kasan_slab_free+0x11a/0x170
[ 28.959768]  kasan_slab_free+0xe/0x10
[ 28.963541]  kmem_cache_free+0x83/0x2a0
[ 28.967490]  dst_destroy+0x257/0x370
[ 28.971176]  dst_destroy_rcu+0x16/0x20
[ 28.975042]  rcu_process_callbacks+0xd6c/0x17f0
[ 28.979701]  __do_softirq+0x2d7/0xb85
[ 28.983486]
[ 28.985088] The buggy address belongs to the object at ffff8801c64d9d00
[ 28.985088]  which belongs to the cache ip_dst_cache of size 160
[ 28.997810] The buggy address is located 24 bytes inside of
[ 28.997810]  160-byte region [ffff8801c64d9d00, ffff8801c64d9da0)
[ 29.009569] The buggy address belongs to the page:
[ 29.014470] page:ffffea0007193640 count:1 mapcount:0 mapping:ffff8801c64d9000 index:0xffff8801c64d9000
[ 29.023889] flags: 0x2fffc0000000100(slab)
[ 29.028096] raw: 02fffc0000000100 ffff8801c64d9000 ffff8801c64d9000 0000000100000006
[ 29.036129] raw: ffffea00071db320 ffff8801d5433b38 ffff8801d6bc8340 0000000000000000
[ 29.043977] page dumped because: kasan: bad access detected
[ 29.049654]
[ 29.051356] Memory state around the buggy address:
[ 29.056253]  ffff8801c64d9c00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 29.063584]  ffff8801c64d9c80: 00 00 00 00 fc fc fc fc fc fc fc fc fc fc fc fc
[ 29.070911] >ffff8801c64d9d00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 29.078247]                             ^
[ 29.082382]  ffff8801c64d9d80: fb fb fb fb fc fc fc fc fc fc fc fc fc fc fc fc
[ 29.089709]  ffff8801c64d9e00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 29.097045] ==================================================================
[ 29.104372] Disabling lock debugging due to kernel taint
[ 29.109844] Kernel panic - not syncing: panic_on_warn set ...
[ 29.109844]
[ 29.117181] CPU: 1 PID: 4236 Comm: syzkaller722999 Tainted: G B 4.16.0-rc4+ #258
[ 29.125898] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 29.135219] Call Trace:
[ 29.137781]  dump_stack+0x194/0x24d
[ 29.141377]  ? arch_local_irq_restore+0x53/0x53
[ 29.146013]  ? kasan_end_report+0x32/0x50
[ 29.150131]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 29.154868]  ? vsnprintf+0x1ed/0x1900
[ 29.158644]  ? ip6_xmit+0x1ee0/0x2260
[ 29.162417]  panic+0x1e4/0x41c
[ 29.165581]  ? refcount_error_report+0x214/0x214
[ 29.170309]  ? add_taint+0x1c/0x50
[ 29.173840]  ? add_taint+0x1c/0x50
[ 29.177365]  ? ip6_xmit+0x1f76/0x2260
[ 29.181133]  kasan_end_report+0x50/0x50
[ 29.185078]  kasan_report+0x149/0x360
[ 29.188852]  __asan_report_load8_noabort+0x14/0x20
[ 29.193749]  ip6_xmit+0x1f76/0x2260
[ 29.197363]  ? ip6_finish_output2+0x23d0/0x23d0
[ 29.202006]  ? fl6_update_dst+0x127/0x2b0
[ 29.206570]  ? inet6_csk_route_socket+0x691/0xe80
[ 29.211383]  ? trace_hardirqs_off+0x10/0x10
[ 29.215684]  ? lock_acquire+0x1d5/0x580
[ 29.219630]  ? lock_acquire+0x1d5/0x580
[ 29.223572]  ? inet6_csk_xmit+0x114/0x580
[ 29.227691]  ? trace_hardirqs_off+0x10/0x10
[ 29.231984]  ? lock_release+0xa40/0xa40
[ 29.235935]  inet6_csk_xmit+0x2fc/0x580
[ 29.239877]  ? inet6_csk_update_pmtu+0x160/0x160
[ 29.244604]  ? __sk_dst_check+0x1a5/0x380
[ 29.248723]  ? sock_kzfree_s+0x60/0x60
[ 29.252590]  l2tp_xmit_skb+0x105f/0x1410
[ 29.256642]  ? l2tp_session_create+0xb80/0xb80
[ 29.261196]  ? sock_wmalloc+0x15d/0x1d0
[ 29.265141]  ? iov_iter_advance+0x13f0/0x13f0
[ 29.269608]  ? pppol2tp_sendmsg+0x41b/0x670
[ 29.274080]  pppol2tp_sendmsg+0x470/0x670
[ 29.278199]  ? selinux_socket_sendmsg+0x36/0x40
[ 29.282836]  ? pppol2tp_getsockopt+0x900/0x900
[ 29.287477]  sock_sendmsg+0xca/0x110
[ 29.291159]  ___sys_sendmsg+0x767/0x8b0
[ 29.295106]  ? copy_msghdr_from_user+0x590/0x590
[ 29.299838]  ? __pmd_alloc+0x4e0/0x4e0
[ 29.303697]  ? trace_hardirqs_off+0x10/0x10
[ 29.307988]  ? find_held_lock+0x35/0x1d0
[ 29.312023]  ? __fget_light+0x2b2/0x3c0
[ 29.315965]  ? fget_raw+0x20/0x20
[ 29.319396]  ? __do_page_fault+0x5f7/0xc90
[ 29.323600]  ? lock_downgrade+0x980/0x980
[ 29.327721]  __sys_sendmsg+0xe5/0x210
[ 29.331493]  ? __sys_sendmsg+0xe5/0x210
[ 29.335438]  ? SyS_shutdown+0x290/0x290
[ 29.339390]  ? __do_page_fault+0x3d6/0xc90
[ 29.343601]  ? trace_event_raw_event_sys_exit+0x260/0x260
[ 29.349120]  SyS_sendmsg+0x2d/0x50
[ 29.352627]  ? __sys_sendmsg+0x210/0x210
[ 29.356661]  do_syscall_64+0x281/0x940
[ 29.360518]  ? __do_page_fault+0xc90/0xc90
[ 29.364723]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 29.369447]  ? syscall_return_slowpath+0x550/0x550
[ 29.374359]  ? syscall_return_slowpath+0x2ac/0x550
[ 29.379259]  ? prepare_exit_to_usermode+0x350/0x350
[ 29.384244]  ? retint_user+0x18/0x18
[ 29.387929]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 29.392744]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 29.397901] RIP: 0033:0x440829
[ 29.401061] RSP: 002b:00007ffc2c742808 EFLAGS: 00000217 ORIG_RAX: 000000000000002e
[ 29.408737] RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 0000000000440829
[ 29.415975] RDX: 0000000000000081 RSI: 000000002037ffc8 RDI: 0000000000000004
[ 29.423213] RBP: 00000000006ca018 R08: 0000000000000001 R09: 0000000000000001
[ 29.430626] R10: 0000000000000001 R11: 0000000000000217 R12: 0000000000402150
[ 29.437956] R13: 00000000004021e0 R14: 0000000000000000 R15: 0000000000000000
[ 29.445556] Dumping ftrace buffer:
[ 29.449066]    (ftrace buffer empty)
[ 29.452746] Kernel Offset: disabled
[ 29.456344] Rebooting in 86400 seconds..