[ ok ] Starting enhanced syslogd: rsyslogd.
[ 12.917051] audit: type=1400 audit(1516586274.549:4): avc: denied { syslog } for pid=3165 comm="rsyslogd" capability=34 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=capability2 permissive=1
[ ok ] Starting periodic command scheduler: cron.
Starting mcstransd:
[ ok ] Starting OpenBSD Secure Shell server: sshd.
[ ok ] Starting file context maintaining daemon: restorecond.

Debian GNU/Linux 7 syzkaller ttyS0

Warning: Permanently added '10.128.0.8' (ECDSA) to the list of known hosts.
executing program
syzkaller login: [ 24.955657] ==================================================================
[ 24.963045] BUG: KASAN: use-after-free in ip6_xmit+0x1bc7/0x1bd0
[ 24.969165] Read of size 8 at addr ffff8801d02763d8 by task syzkaller729199/3325
[ 24.976674]
[ 24.978274] CPU: 1 PID: 3325 Comm: syzkaller729199 Not tainted 4.9.77-ge12a9c4 #18
[ 24.985946] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 24.995270] ffff8801c9377690 ffffffff81d941c9 ffffea0007409d80 ffff8801d02763d8
[ 25.003241] 0000000000000000 ffff8801d02763d8 ffff8801c14c0064 ffff8801c93776c8
[ 25.011204] ffffffff8153db93 ffff8801d02763d8 0000000000000008 0000000000000000
[ 25.019168] Call Trace:
[ 25.021729] [] dump_stack+0xc1/0x128
[ 25.027062] [] print_address_description+0x73/0x280
[ 25.033700] [] kasan_report+0x275/0x360
[ 25.039297] [] ? ip6_xmit+0x1bc7/0x1bd0
[ 25.044891] [] __asan_report_load8_noabort+0x14/0x20
[ 25.051613] [] ip6_xmit+0x1bc7/0x1bd0
[ 25.057034] [] ? save_stack_trace+0x16/0x20
[ 25.062977] [] ? save_trace+0xe0/0x270
[ 25.068486] [] ? ip6_finish_output2+0x1d20/0x1d20
[ 25.074948] [] ? debug_check_no_locks_freed+0x2c0/0x2c0
[ 25.081931] [] ? __lock_is_held+0xa1/0xf0
[ 25.087697] [] ? ipv4_dst_check+0x111/0x160
[ 25.093638] [] ? __sk_dst_check+0x10e/0x240
[ 25.099579] [] inet6_csk_xmit+0x27d/0x4d0
[ 25.105342] [] ? inet6_csk_xmit+0x100/0x4d0
[ 25.111278] [] ? inet6_csk_update_pmtu+0x160/0x160
[ 25.117825] [] l2tp_xmit_skb+0xcdc/0xf50
[ 25.123504] [] pppol2tp_sendmsg+0x5c0/0x7a0
[ 25.129446] [] ? selinux_socket_sendmsg+0x3f/0x50
[ 25.135907] [] ? pppol2tp_release+0x2e0/0x2e0
[ 25.142021] [] sock_sendmsg+0xca/0x110
[ 25.147532] [] ___sys_sendmsg+0x6d1/0x7e0
[ 25.153301] [] ? copy_msghdr_from_user+0x550/0x550
[ 25.159849] [] ? __lru_cache_add+0x187/0x250
[ 25.165878] [] ? do_huge_pmd_anonymous_page+0xb05/0x10d0
[ 25.172947] [] ? _raw_spin_unlock+0x2c/0x50
[ 25.178888] [] ? do_huge_pmd_anonymous_page+0x2d4/0x10d0
[ 25.185958] [] ? handle_mm_fault+0x6ee/0x2530
[ 25.192072] [] ? __pmd_alloc+0x410/0x410
[ 25.197755] [] ? __fget_light+0x158/0x1e0
[ 25.203527] [] ? __fdget+0x18/0x20
[ 25.208683] [] __sys_sendmsg+0xd6/0x190
[ 25.214275] [] ? SyS_shutdown+0x1b0/0x1b0
[ 25.220054] [] ? __do_page_fault+0x5ec/0xd40
[ 25.226084] [] ? __do_page_fault+0x3bd/0xd40
[ 25.232113] [] ? trace_hardirqs_on_caller+0x38b/0x590
[ 25.238921] [] SyS_sendmsg+0x2d/0x50
[ 25.244260] [] entry_SYSCALL_64_fastpath+0x29/0xe8
[ 25.250803]
[ 25.252400] Allocated by task 3252:
[ 25.255995] save_stack_trace+0x16/0x20
[ 25.259937] save_stack+0x43/0xd0
[ 25.263357] kasan_kmalloc+0xad/0xe0
[ 25.267041] kasan_slab_alloc+0x12/0x20
[ 25.270991] kmem_cache_alloc+0xba/0x290
[ 25.275027] dst_alloc+0x11f/0x1a0
[ 25.278536] rt_dst_alloc+0x78/0x430
[ 25.282218] __ip_route_output_key_hash+0xa4e/0x23e0
[ 25.287289] __ip4_datagram_connect+0xa17/0x1160
[ 25.292013] __ip6_datagram_connect+0x6f9/0xdf0
[ 25.296650] ip6_datagram_connect+0x2f/0x50
[ 25.300937] inet_dgram_connect+0x16b/0x1f0
[ 25.305230] SYSC_connect+0x1b6/0x310
[ 25.308998] SyS_connect+0x24/0x30
[ 25.312507] entry_SYSCALL_64_fastpath+0x29/0xe8
[ 25.317233]
[ 25.318838] Freed by task 17:
[ 25.321915] save_stack_trace+0x16/0x20
[ 25.325857] save_stack+0x43/0xd0
[ 25.329276] kasan_slab_free+0x72/0xc0
[ 25.333130] kmem_cache_free+0xc7/0x300
[ 25.337072] dst_destroy+0x1fd/0x360
[ 25.340751] dst_destroy_rcu+0x15/0x40
[ 25.344606] rcu_process_callbacks+0x898/0x1300
[ 25.349242] __do_softirq+0x206/0x951
[ 25.353007]
[ 25.354603] The buggy address belongs to the object at ffff8801d02763c0
[ 25.354603]  which belongs to the cache ip_dst_cache of size 216
[ 25.367311] The buggy address is located 24 bytes inside of
[ 25.367311]  216-byte region [ffff8801d02763c0, ffff8801d0276498)
[ 25.379062] The buggy address belongs to the page:
[ 25.383958] page:ffffea0007409d80 count:1 mapcount:0 mapping: (null) index:0x0
[ 25.392190] flags: 0x8000000000000080(slab)
[ 25.396476] page dumped because: kasan: bad access detected
[ 25.402150]
[ 25.403745] Memory state around the buggy address:
[ 25.408637] ffff8801d0276280: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 25.415961] ffff8801d0276300: 00 00 00 00 00 00 00 00 00 00 00 fc fc fc fc fc
[ 25.423294] >ffff8801d0276380: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
[ 25.430617]                                                     ^
[ 25.436817] ffff8801d0276400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 25.444143] ffff8801d0276480: fb fb fb fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 25.451469] ==================================================================
[ 25.458791] Disabling lock debugging due to kernel taint
[ 25.464250] Kernel panic - not syncing: panic_on_warn set ...
[ 25.464250]
[ 25.471581] CPU: 1 PID: 3325 Comm: syzkaller729199 Tainted: G B 4.9.77-ge12a9c4 #18
[ 25.480473] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 25.489803] ffff8801c93775e8 ffffffff81d941c9 ffffffff841970ff ffff8801c93776c0
[ 25.497776] 0000000000000000 ffff8801d02763d8 ffff8801c14c0064 ffff8801c93776b0
[ 25.505739] ffffffff8142f3c1 0000000041b58ab3 ffffffff8418ab70 ffffffff8142f205
[ 25.513696] Call Trace:
[ 25.516257] [] dump_stack+0xc1/0x128
[ 25.521592] [] panic+0x1bc/0x3a8
[ 25.526579] [] ? percpu_up_read_preempt_enable.constprop.53+0xd7/0xd7
[ 25.534779] [] kasan_end_report+0x50/0x50
[ 25.540546] [] kasan_report+0x167/0x360
[ 25.546145] [] ? ip6_xmit+0x1bc7/0x1bd0
[ 25.551742] [] __asan_report_load8_noabort+0x14/0x20
[ 25.558464] [] ip6_xmit+0x1bc7/0x1bd0
[ 25.563885] [] ? save_stack_trace+0x16/0x20
[ 25.569829] [] ? save_trace+0xe0/0x270
[ 25.575341] [] ? ip6_finish_output2+0x1d20/0x1d20
[ 25.581808] [] ? debug_check_no_locks_freed+0x2c0/0x2c0
[ 25.588801] [] ? __lock_is_held+0xa1/0xf0
[ 25.594572] [] ? ipv4_dst_check+0x111/0x160
[ 25.600513] [] ? __sk_dst_check+0x10e/0x240
[ 25.606455] [] inet6_csk_xmit+0x27d/0x4d0
[ 25.612221] [] ? inet6_csk_xmit+0x100/0x4d0
[ 25.618161] [] ? inet6_csk_update_pmtu+0x160/0x160
[ 25.624708] [] l2tp_xmit_skb+0xcdc/0xf50
[ 25.630388] [] pppol2tp_sendmsg+0x5c0/0x7a0
[ 25.636331] [] ? selinux_socket_sendmsg+0x3f/0x50
[ 25.642791] [] ? pppol2tp_release+0x2e0/0x2e0
[ 25.648913] [] sock_sendmsg+0xca/0x110
[ 25.654417] [] ___sys_sendmsg+0x6d1/0x7e0
[ 25.660183] [] ? copy_msghdr_from_user+0x550/0x550
[ 25.666735] [] ? __lru_cache_add+0x187/0x250
[ 25.672768] [] ? do_huge_pmd_anonymous_page+0xb05/0x10d0
[ 25.679839] [] ? _raw_spin_unlock+0x2c/0x50
[ 25.685789] [] ? do_huge_pmd_anonymous_page+0x2d4/0x10d0
[ 25.692862] [] ? handle_mm_fault+0x6ee/0x2530
[ 25.698979] [] ? __pmd_alloc+0x410/0x410
[ 25.704660] [] ? __fget_light+0x158/0x1e0
[ 25.710424] [] ? __fdget+0x18/0x20
[ 25.715582] [] __sys_sendmsg+0xd6/0x190
[ 25.721174] [] ? SyS_shutdown+0x1b0/0x1b0
[ 25.726958] [] ? __do_page_fault+0x5ec/0xd40
[ 25.732985] [] ? __do_page_fault+0x3bd/0xd40
[ 25.739018] [] ? trace_hardirqs_on_caller+0x38b/0x590
[ 25.745826] [] SyS_sendmsg+0x2d/0x50
[ 25.751158] [] entry_SYSCALL_64_fastpath+0x29/0xe8
[ 25.758060] Dumping ftrace buffer:
[ 25.761567] (ftrace buffer empty)
[ 25.765244] Kernel Offset: disabled
[ 25.768839] Rebooting in 86400 seconds..