[....] Starting enhanced syslogd: rsyslogd
[   15.686507] audit: type=1400 audit(1520778321.294:5): avc: denied { syslog } for pid=4075 comm="rsyslogd" capability=34 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=capability2 permissive=1
[ ok ] Starting enhanced syslogd: rsyslogd.
Starting mcstransd:
[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting file context maintaining daemon: restorecond.
[ ok ] Starting OpenBSD Secure Shell server: sshd.

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [   19.176440] audit: type=1400 audit(1520778324.784:6): avc: denied { map } for pid=4215 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
Warning: Permanently added '10.128.0.48' (ECDSA) to the list of known hosts.
executing program
executing program
[   25.483821] audit: type=1400 audit(1520778331.091:7): avc: denied { map } for pid=4229 comm="syzkaller659001" path="/root/syzkaller659001812" dev="sda1" ino=16481 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
[   25.522041] ==================================================================
[   25.529479] BUG: KASAN: use-after-free in ip6_xmit+0x1f76/0x2260
[   25.535595] Read of size 8 at addr ffff8801c9a22f18 by task syzkaller659001/4231
[   25.543094]
[   25.544697] CPU: 1 PID: 4231 Comm: syzkaller659001 Not tainted 4.16.0-rc4+ #349
[   25.552111] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   25.561433] Call Trace:
[   25.563995]  dump_stack+0x194/0x24d
[   25.567606]  ? arch_local_irq_restore+0x53/0x53
[   25.572254]  ? show_regs_print_info+0x18/0x18
[   25.576732]  ? ip6_xmit+0x1f76/0x2260
[   25.580506]  print_address_description+0x73/0x250
[   25.585322]  ? ip6_xmit+0x1f76/0x2260
[   25.589095]  kasan_report+0x23c/0x360
[   25.592871]  __asan_report_load8_noabort+0x14/0x20
[   25.597773]  ip6_xmit+0x1f76/0x2260
[   25.601385]  ? ip6_finish_output2+0x23a0/0x23a0
[   25.606039]  ? fl6_update_dst+0x127/0x2b0
[   25.610171]  ? inet6_csk_route_socket+0x691/0xe80
[   25.614987]  ? trace_hardirqs_off+0x10/0x10
[   25.619280]  ? lock_acquire+0x1d5/0x580
[   25.623229]  ? lock_acquire+0x1d5/0x580
[   25.627177]  ? inet6_csk_xmit+0x114/0x580
[   25.631297]  ? trace_hardirqs_off+0x10/0x10
[   25.635596]  ? lock_release+0xa40/0xa40
[   25.639583]  inet6_csk_xmit+0x2fc/0x580
[   25.643543]  ? inet6_csk_update_pmtu+0x160/0x160
[   25.648271]  ? __sk_dst_check+0x1a5/0x380
[   25.652392]  ? sock_kfree_s+0x60/0x60
[   25.656183]  l2tp_xmit_skb+0x105f/0x1410
[   25.660227]  ? l2tp_session_create+0xb80/0xb80
[   25.664780]  ? sock_wmalloc+0x15d/0x1d0
[   25.668725]  ? iov_iter_advance+0x13f0/0x13f0
[   25.673194]  ? pppol2tp_sendmsg+0x41b/0x670
[   25.677489]  pppol2tp_sendmsg+0x470/0x670
[   25.681612]  ? selinux_socket_sendmsg+0x36/0x40
[   25.686253]  ? pppol2tp_getsockopt+0x900/0x900
[   25.690812]  sock_sendmsg+0xca/0x110
[   25.694498]  SYSC_sendto+0x361/0x5c0
[   25.698193]  ? SYSC_connect+0x4a0/0x4a0
[   25.702158]  ? inet_dgram_connect+0x172/0x1f0
[   25.706625]  ? SYSC_connect+0x2e0/0x4a0
[   25.710599]  ? mm_fault_error+0x2c0/0x2c0
[   25.714718]  ? move_addr_to_kernel+0x60/0x60
[   25.719104]  SyS_sendto+0x40/0x50
[   25.722535]  ? SyS_getpeername+0x30/0x30
[   25.726572]  do_syscall_64+0x281/0x940
[   25.730431]  ? __do_page_fault+0xc90/0xc90
[   25.734639]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[   25.739374]  ? syscall_return_slowpath+0x550/0x550
[   25.744290]  ? syscall_return_slowpath+0x2ac/0x550
[   25.749195]  ? prepare_exit_to_usermode+0x350/0x350
[   25.754183]  ? entry_SYSCALL_64_after_hwframe+0x52/0xb7
[   25.759523]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   25.764351]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[   25.769515] RIP: 0033:0x441689
[   25.772677] RSP: 002b:00007ffe6d8c7f58 EFLAGS: 00000212 ORIG_RAX: 000000000000002c
[   25.780355] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 0000000000441689
[   25.787594] RDX: 0000000000000000 RSI: 0000000020001180 RDI: 0000000000000004
[   25.794834] RBP: 0000000000006390 R08: 00000000200021c0 R09: 0000000000000080
[   25.802077] R10: 0000000000040001 R11: 0000000000000212 R12: 0000000000000000
[   25.809321] R13: 00000000006cd448 R14: 0000000000000000 R15: 0000000000000000
[   25.816576]
[   25.818175] Allocated by task 3892:
[   25.821774]  save_stack+0x43/0xd0
[   25.825196]  kasan_kmalloc+0xad/0xe0
[   25.828880]  kasan_slab_alloc+0x12/0x20
[   25.832826]  kmem_cache_alloc+0x12e/0x760
[   25.836945]  dst_alloc+0x11f/0x1a0
[   25.840460]  rt_dst_alloc+0xe9/0x520
[   25.844155]  ip_route_input_rcu+0x1076/0x3200
[   25.848619]  ip_route_input_noref+0xf5/0x1e0
[   25.852997]  ip_rcv_finish+0x3a6/0x2040
[   25.856947]  ip_rcv+0xb76/0x1820
[   25.860286]  __netif_receive_skb_core+0x1a41/0x3460
[   25.865271]  __netif_receive_skb+0x2c/0x1b0
[   25.869572]  netif_receive_skb_internal+0x10b/0x670
[   25.874562]  napi_gro_receive+0x3d0/0x500
[   25.878679]  receive_buf+0xb6f/0x2530
[   25.882450]  virtnet_poll+0x320/0xb70
[   25.886220]  net_rx_action+0x792/0x1910
[   25.890167]  __do_softirq+0x2d7/0xb85
[   25.893936]
[   25.895537] Freed by task 3907:
[   25.898798]  save_stack+0x43/0xd0
[   25.902228]  __kasan_slab_free+0x11a/0x170
[   25.906434]  kasan_slab_free+0xe/0x10
[   25.910203]  kmem_cache_free+0x83/0x2a0
[   25.914152]  dst_destroy+0x257/0x370
[   25.917838]  dst_destroy_rcu+0x16/0x20
[   25.921706]  rcu_process_callbacks+0xd6c/0x17f0
[   25.926350]  __do_softirq+0x2d7/0xb85
[   25.930120]
[   25.931717] The buggy address belongs to the object at ffff8801c9a22f00
[   25.931717]  which belongs to the cache ip_dst_cache of size 168
[   25.944429] The buggy address is located 24 bytes inside of
[   25.944429]  168-byte region [ffff8801c9a22f00, ffff8801c9a22fa8)
[   25.956190] The buggy address belongs to the page:
[   25.961089] page:ffffea0007268880 count:1 mapcount:0 mapping:ffff8801c9a22000 index:0xffff8801c9a22000
[   25.970502] flags: 0x2fffc0000000100(slab)
[   25.974709] raw: 02fffc0000000100 ffff8801c9a22000 ffff8801c9a22000 000000010000000d
[   25.982559] raw: ffff8801d5bf1d38 ffff8801d5bf1d38 ffff8801d5bf0980 0000000000000000
[   25.990405] page dumped because: kasan: bad access detected
[   25.996081]
[   25.997678] Memory state around the buggy address:
[   26.002576]  ffff8801c9a22e00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   26.009903]  ffff8801c9a22e80: 00 00 00 00 00 fc fc fc fc fc fc fc fc fc fc fc
[   26.017233] >ffff8801c9a22f00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   26.024562]                             ^
[   26.028678]  ffff8801c9a22f80: fb fb fb fb fb fc fc fc fc fc fc fc fc fc fc fc
[   26.036009]  ffff8801c9a23000: fb fb fb fb fb fb fb fb fc fc fc fc fb fb fb fb
[   26.043341] ==================================================================
[   26.050664] Disabling lock debugging due to kernel taint
[   26.056107] Kernel panic - not syncing: panic_on_warn set ...
[   26.056107]
[   26.063448] CPU: 1 PID: 4231 Comm: syzkaller659001 Tainted: G    B            4.16.0-rc4+ #349
[   26.072163] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   26.081485] Call Trace:
[   26.084050]  dump_stack+0x194/0x24d
[   26.087647]  ? arch_local_irq_restore+0x53/0x53
[   26.092287]  ? kasan_end_report+0x32/0x50
[   26.096408]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[   26.101134]  ? vsnprintf+0x1ed/0x1900
[   26.104905]  ? ip6_xmit+0x1f30/0x2260
[   26.108675]  panic+0x1e4/0x41c
[   26.111839]  ? refcount_error_report+0x214/0x214
[   26.116564]  ? add_taint+0x1c/0x50
[   26.120073]  ? add_taint+0x1c/0x50
[   26.123585]  ? ip6_xmit+0x1f76/0x2260
[   26.127353]  kasan_end_report+0x50/0x50
[   26.131294]  kasan_report+0x149/0x360
[   26.135069]  __asan_report_load8_noabort+0x14/0x20
[   26.139968]  ip6_xmit+0x1f76/0x2260
[   26.143571]  ? ip6_finish_output2+0x23a0/0x23a0
[   26.148223]  ? fl6_update_dst+0x127/0x2b0
[   26.152341]  ? inet6_csk_route_socket+0x691/0xe80
[   26.157153]  ? trace_hardirqs_off+0x10/0x10
[   26.161443]  ? lock_acquire+0x1d5/0x580
[   26.165383]  ? lock_acquire+0x1d5/0x580
[   26.169325]  ? inet6_csk_xmit+0x114/0x580
[   26.173443]  ? trace_hardirqs_off+0x10/0x10
[   26.177735]  ? lock_release+0xa40/0xa40
[   26.181687]  inet6_csk_xmit+0x2fc/0x580
[   26.185634]  ? inet6_csk_update_pmtu+0x160/0x160
[   26.190363]  ? __sk_dst_check+0x1a5/0x380
[   26.194483]  ? sock_kfree_s+0x60/0x60
[   26.198266]  l2tp_xmit_skb+0x105f/0x1410
[   26.202303]  ? l2tp_session_create+0xb80/0xb80
[   26.206855]  ? sock_wmalloc+0x15d/0x1d0
[   26.210801]  ? iov_iter_advance+0x13f0/0x13f0
[   26.215266]  ? pppol2tp_sendmsg+0x41b/0x670
[   26.219558]  pppol2tp_sendmsg+0x470/0x670
[   26.223678]  ? selinux_socket_sendmsg+0x36/0x40
[   26.228315]  ? pppol2tp_getsockopt+0x900/0x900
[   26.232866]  sock_sendmsg+0xca/0x110
[   26.236550]  SYSC_sendto+0x361/0x5c0
[   26.240237]  ? SYSC_connect+0x4a0/0x4a0
[   26.244187]  ? inet_dgram_connect+0x172/0x1f0
[   26.248653]  ? SYSC_connect+0x2e0/0x4a0
[   26.252626]  ? mm_fault_error+0x2c0/0x2c0
[   26.256746]  ? move_addr_to_kernel+0x60/0x60
[   26.261125]  SyS_sendto+0x40/0x50
[   26.264548]  ? SyS_getpeername+0x30/0x30
[   26.268583]  do_syscall_64+0x281/0x940
[   26.272440]  ? __do_page_fault+0xc90/0xc90
[   26.276645]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[   26.281374]  ? syscall_return_slowpath+0x550/0x550
[   26.286273]  ? syscall_return_slowpath+0x2ac/0x550
[   26.291170]  ? prepare_exit_to_usermode+0x350/0x350
[   26.296159]  ? entry_SYSCALL_64_after_hwframe+0x52/0xb7
[   26.301498]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   26.306311]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[   26.311469] RIP: 0033:0x441689
[   26.314626] RSP: 002b:00007ffe6d8c7f58 EFLAGS: 00000212 ORIG_RAX: 000000000000002c
[   26.322301] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 0000000000441689
[   26.329543] RDX: 0000000000000000 RSI: 0000000020001180 RDI: 0000000000000004
[   26.336782] RBP: 0000000000006390 R08: 00000000200021c0 R09: 0000000000000080
[   26.344027] R10: 0000000000040001 R11: 0000000000000212 R12: 0000000000000000
[   26.351266] R13: 00000000006cd448 R14: 0000000000000000 R15: 0000000000000000
[   26.358916] Dumping ftrace buffer:
[   26.362426]    (ftrace buffer empty)
[   26.366102] Kernel Offset: disabled
[   26.369698] Rebooting in 86400 seconds..