[....] Starting enhanced syslogd: rsyslogd
[   17.229351] audit: type=1400 audit(1520577607.414:5): avc: denied { syslog } for pid=4085 comm="rsyslogd" capability=34 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=capability2 permissive=1
[ ok ] Starting enhanced syslogd: rsyslogd.
[ ok ] Starting periodic command scheduler: cron.
Starting mcstransd:
[ ok ] Starting file context maintaining daemon: restorecond.
[ ok ] Starting OpenBSD Secure Shell server: sshd.

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [   23.645928] audit: type=1400 audit(1520577613.830:6): avc: denied { map } for pid=4226 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
Warning: Permanently added '10.128.0.17' (ECDSA) to the list of known hosts.
executing program
[   30.184376] audit: type=1400 audit(1520577620.369:7): avc: denied { map } for pid=4240 comm="syzkaller117659" path="/root/syzkaller117659320" dev="sda1" ino=16481 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
[   30.189403] ==================================================================
[   30.217652] BUG: KASAN: use-after-free in ip6_xmit+0x1f76/0x2260
[   30.223780] Read of size 8 at addr ffff8801cb0e8b18 by task syzkaller117659/4240
[   30.231292]
[   30.232895] CPU: 0 PID: 4240 Comm: syzkaller117659 Not tainted 4.16.0-rc4+ #346
[   30.240313] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   30.249640] Call Trace:
[   30.252205]  dump_stack+0x194/0x24d
[   30.255810]  ? arch_local_irq_restore+0x53/0x53
[   30.260452]  ? show_regs_print_info+0x18/0x18
[   30.264926]  ? ip6_xmit+0x1f76/0x2260
[   30.268700]  print_address_description+0x73/0x250
[   30.273517]  ? ip6_xmit+0x1f76/0x2260
[   30.277291]  kasan_report+0x23c/0x360
[   30.281071]  __asan_report_load8_noabort+0x14/0x20
[   30.285971]  ip6_xmit+0x1f76/0x2260
[   30.289581]  ? ip6_finish_output2+0x23a0/0x23a0
[   30.294224]  ? fl6_update_dst+0x127/0x2b0
[   30.298349]  ? inet6_csk_route_socket+0x691/0xe80
[   30.303166]  ? trace_hardirqs_off+0x10/0x10
[   30.307468]  ? lock_acquire+0x1d5/0x580
[   30.311414]  ? lock_acquire+0x1d5/0x580
[   30.315361]  ? inet6_csk_xmit+0x114/0x580
[   30.319490]  ? trace_hardirqs_off+0x10/0x10
[   30.323786]  ? lock_release+0xa40/0xa40
[   30.327746]  inet6_csk_xmit+0x2fc/0x580
[   30.331692]  ? inet6_csk_update_pmtu+0x160/0x160
[   30.336421]  ? __sk_dst_check+0x1a5/0x380
[   30.340544]  ? sock_kfree_s+0x60/0x60
[   30.344334]  l2tp_xmit_skb+0x105f/0x1410
[   30.348380]  ? l2tp_session_create+0xb80/0xb80
[   30.352945]  ? sock_wmalloc+0x15d/0x1d0
[   30.356894]  ? iov_iter_advance+0x13f0/0x13f0
[   30.361368]  ? pppol2tp_sendmsg+0x41b/0x670
[   30.365675]  pppol2tp_sendmsg+0x470/0x670
[   30.369801]  ? selinux_socket_sendmsg+0x36/0x40
[   30.374442]  ? pppol2tp_getsockopt+0x900/0x900
[   30.378996]  sock_sendmsg+0xca/0x110
[   30.382685]  ___sys_sendmsg+0x767/0x8b0
[   30.386645]  ? copy_msghdr_from_user+0x590/0x590
[   30.391386]  ? __pmd_alloc+0x4e0/0x4e0
[   30.395250]  ? trace_hardirqs_off+0x10/0x10
[   30.399542]  ? find_held_lock+0x35/0x1d0
[   30.403578]  ? __fget_light+0x2b2/0x3c0
[   30.407523]  ? fget_raw+0x20/0x20
[   30.410968]  ? __do_page_fault+0x5f7/0xc90
[   30.415175]  ? lock_downgrade+0x980/0x980
[   30.419303]  __sys_sendmsg+0xe5/0x210
[   30.423074]  ? __sys_sendmsg+0xe5/0x210
[   30.427026]  ? SyS_shutdown+0x290/0x290
[   30.430982]  ? __do_page_fault+0x3d6/0xc90
[   30.435201]  ? move_addr_to_kernel+0x60/0x60
[   30.439587]  SyS_sendmsg+0x2d/0x50
[   30.443102]  ? __sys_sendmsg+0x210/0x210
[   30.447141]  do_syscall_64+0x281/0x940
[   30.450999]  ? __do_page_fault+0xc90/0xc90
[   30.455210]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[   30.459944]  ? syscall_return_slowpath+0x550/0x550
[   30.464847]  ? syscall_return_slowpath+0x2ac/0x550
[   30.469750]  ? prepare_exit_to_usermode+0x350/0x350
[   30.474743]  ? retint_user+0x18/0x18
[   30.478448]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   30.483270]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[   30.488430] RIP: 0033:0x43ffb9
[   30.491590] RSP: 002b:00007ffceefb1878 EFLAGS: 00000217 ORIG_RAX: 000000000000002e
[   30.499278] RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 000000000043ffb9
[   30.506522] RDX: 0000000000000081 RSI: 000000002037ffc8 RDI: 0000000000000004
[   30.513769] RBP: 00000000006ca018 R08: 00000000004002c8 R09: 00000000004002c8
[   30.521015] R10: 00000000004002c8 R11: 0000000000000217 R12: 00000000004018e0
[   30.528257] R13: 0000000000401970 R14: 0000000000000000 R15: 0000000000000000
[   30.535516]
[   30.537117] Allocated by task 4224:
[   30.540720]  save_stack+0x43/0xd0
[   30.544144]  kasan_kmalloc+0xad/0xe0
[   30.547831]  kasan_slab_alloc+0x12/0x20
[   30.551779]  kmem_cache_alloc+0x12e/0x760
[   30.555899]  dst_alloc+0x11f/0x1a0
[   30.559425]  rt_dst_alloc+0xe9/0x520
[   30.563113]  ip_route_output_key_hash_rcu+0xa59/0x2f00
[   30.568361]  ip_route_output_key_hash+0x20b/0x370
[   30.573187]  __ip4_datagram_connect+0xa67/0x1240
[   30.577923]  __ip6_datagram_connect+0x749/0x12d0
[   30.582659]  ip6_datagram_connect+0x2f/0x50
[   30.586954]  inet_dgram_connect+0x16b/0x1f0
[   30.591246]  SYSC_connect+0x213/0x4a0
[   30.595019]  SyS_connect+0x24/0x30
[   30.598536]  do_syscall_64+0x281/0x940
[   30.602408]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[   30.607567]
[   30.609168] Freed by task 0:
[   30.612163]  save_stack+0x43/0xd0
[   30.615588]  __kasan_slab_free+0x11a/0x170
[   30.619794]  kasan_slab_free+0xe/0x10
[   30.623563]  kmem_cache_free+0x83/0x2a0
[   30.627508]  dst_destroy+0x257/0x370
[   30.631192]  dst_destroy_rcu+0x16/0x20
[   30.635056]  rcu_process_callbacks+0xd6c/0x17f0
[   30.639702]  __do_softirq+0x2d7/0xb85
[   30.643473]
[   30.645077] The buggy address belongs to the object at ffff8801cb0e8b00
[   30.645077]  which belongs to the cache ip_dst_cache of size 168
[   30.657794] The buggy address is located 24 bytes inside of
[   30.657794]  168-byte region [ffff8801cb0e8b00, ffff8801cb0e8ba8)
[   30.669552] The buggy address belongs to the page:
[   30.674454] page:ffffea00072c3a00 count:1 mapcount:0 mapping:ffff8801cb0e8000 index:0xffff8801cb0e8900
[   30.683871] flags: 0x2fffc0000000100(slab)
[   30.688078] raw: 02fffc0000000100 ffff8801cb0e8000 ffff8801cb0e8900 000000010000000f
[   30.695933] raw: ffffea00070d0560 ffff8801d5b9ca38 ffff8801d5ba3e00 0000000000000000
[   30.703797] page dumped because: kasan: bad access detected
[   30.709480]
[   30.711079] Memory state around the buggy address:
[   30.715980]  ffff8801cb0e8a00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   30.723324]  ffff8801cb0e8a80: 00 00 00 00 00 fc fc fc fc fc fc fc fc fc fc fc
[   30.730666] >ffff8801cb0e8b00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   30.737994]                             ^
[   30.742112]  ffff8801cb0e8b80: fb fb fb fb fb fc fc fc fc fc fc fc fc fc fc fc
[   30.749442]  ffff8801cb0e8c00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   30.756778] ==================================================================
[   30.764110] Disabling lock debugging due to kernel taint
[   30.769569] Kernel panic - not syncing: panic_on_warn set ...
[   30.769569]
[   30.776910] CPU: 0 PID: 4240 Comm: syzkaller117659 Tainted: G    B            4.16.0-rc4+ #346
[   30.785637] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   30.794966] Call Trace:
[   30.797530]  dump_stack+0x194/0x24d
[   30.801132]  ? arch_local_irq_restore+0x53/0x53
[   30.805776]  ? kasan_end_report+0x32/0x50
[   30.809901]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[   30.814631]  ? vsnprintf+0x1ed/0x1900
[   30.818406]  ? ip6_xmit+0x1f30/0x2260
[   30.822181]  panic+0x1e4/0x41c
[   30.825347]  ? refcount_error_report+0x214/0x214
[   30.830080]  ? add_taint+0x1c/0x50
[   30.833594]  ? add_taint+0x1c/0x50
[   30.837108]  ? ip6_xmit+0x1f76/0x2260
[   30.840882]  kasan_end_report+0x50/0x50
[   30.844827]  kasan_report+0x149/0x360
[   30.848609]  __asan_report_load8_noabort+0x14/0x20
[   30.853524]  ip6_xmit+0x1f76/0x2260
[   30.857130]  ? ip6_finish_output2+0x23a0/0x23a0
[   30.861779]  ? fl6_update_dst+0x127/0x2b0
[   30.865900]  ? inet6_csk_route_socket+0x691/0xe80
[   30.870717]  ? trace_hardirqs_off+0x10/0x10
[   30.875015]  ? lock_acquire+0x1d5/0x580
[   30.878974]  ? lock_acquire+0x1d5/0x580
[   30.882918]  ? inet6_csk_xmit+0x114/0x580
[   30.887035]  ? trace_hardirqs_off+0x10/0x10
[   30.891329]  ? lock_release+0xa40/0xa40
[   30.895283]  inet6_csk_xmit+0x2fc/0x580
[   30.899239]  ? inet6_csk_update_pmtu+0x160/0x160
[   30.903969]  ? __sk_dst_check+0x1a5/0x380
[   30.908089]  ? sock_kfree_s+0x60/0x60
[   30.911870]  l2tp_xmit_skb+0x105f/0x1410
[   30.915907]  ? l2tp_session_create+0xb80/0xb80
[   30.920458]  ? sock_wmalloc+0x15d/0x1d0
[   30.924410]  ? iov_iter_advance+0x13f0/0x13f0
[   30.928879]  ? pppol2tp_sendmsg+0x41b/0x670
[   30.933173]  pppol2tp_sendmsg+0x470/0x670
[   30.937293]  ? selinux_socket_sendmsg+0x36/0x40
[   30.941933]  ? pppol2tp_getsockopt+0x900/0x900
[   30.946484]  sock_sendmsg+0xca/0x110
[   30.950167]  ___sys_sendmsg+0x767/0x8b0
[   30.954114]  ? copy_msghdr_from_user+0x590/0x590
[   30.958843]  ? __pmd_alloc+0x4e0/0x4e0
[   30.962703]  ? trace_hardirqs_off+0x10/0x10
[   30.966993]  ? find_held_lock+0x35/0x1d0
[   30.971043]  ? __fget_light+0x2b2/0x3c0
[   30.974989]  ? fget_raw+0x20/0x20
[   30.978423]  ? __do_page_fault+0x5f7/0xc90
[   30.982630]  ? lock_downgrade+0x980/0x980
[   30.986762]  __sys_sendmsg+0xe5/0x210
[   30.990532]  ? __sys_sendmsg+0xe5/0x210
[   30.994479]  ? SyS_shutdown+0x290/0x290
[   30.998427]  ? __do_page_fault+0x3d6/0xc90
[   31.002635]  ? move_addr_to_kernel+0x60/0x60
[   31.007021]  SyS_sendmsg+0x2d/0x50
[   31.010533]  ? __sys_sendmsg+0x210/0x210
[   31.014576]  do_syscall_64+0x281/0x940
[   31.018437]  ? __do_page_fault+0xc90/0xc90
[   31.022643]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[   31.027373]  ? syscall_return_slowpath+0x550/0x550
[   31.032274]  ? syscall_return_slowpath+0x2ac/0x550
[   31.037174]  ? prepare_exit_to_usermode+0x350/0x350
[   31.042161]  ? retint_user+0x18/0x18
[   31.045849]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   31.050666]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[   31.055827] RIP: 0033:0x43ffb9
[   31.058991] RSP: 002b:00007ffceefb1878 EFLAGS: 00000217 ORIG_RAX: 000000000000002e
[   31.066680] RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 000000000043ffb9
[   31.073925] RDX: 0000000000000081 RSI: 000000002037ffc8 RDI: 0000000000000004
[   31.081167] RBP: 00000000006ca018 R08: 00000000004002c8 R09: 00000000004002c8
[   31.088409] R10: 00000000004002c8 R11: 0000000000000217 R12: 00000000004018e0
[   31.095650] R13: 0000000000401970 R14: 0000000000000000 R15: 0000000000000000
[   31.103253] Dumping ftrace buffer:
[   31.106765]    (ftrace buffer empty)
[   31.110446] Kernel Offset: disabled
[   31.114057] Rebooting in 86400 seconds..
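What the report above records, read from its own sections: the freed object is an IPv4 route (cache ip_dst_cache, allocated through rt_dst_alloc from an IPv6 connect() that took the __ip4_datagram_connect branch), it was released by the RCU callback dst_destroy_rcu in softirq context, and the IPv6 transmit path reached from pppol2tp_sendmsg (l2tp_xmit_skb, inet6_csk_xmit, ip6_xmit) still dereferenced it 24 bytes into the object, which the shadow row marks as 0xfb (freed slab memory). The helper below is an added example, not part of the syzkaller report or of syzkaller's own code: it parses a constructed, condensed copy of the report's key lines and extracts what a triager records first. The shadow-byte meanings follow KASAN's shadow encoding, the bug-title format mirrors the "KASAN: use-after-free Read in ip6_xmit" shape syzbot uses, and the PLUMBING prefix list (frames to skip when looking for the first subsystem frame) is an assumption of mine.

```python
import re
# Constructed input: a condensed copy of the report's key lines, not the full log above.
SAMPLE_REPORT = """\
[   30.217652] BUG: KASAN: use-after-free in ip6_xmit+0x1f76/0x2260
[   30.223780] Read of size 8 at addr ffff8801cb0e8b18 by task syzkaller117659/4240
[   30.249640] Call Trace:
[   30.252205]  dump_stack+0x194/0x24d
[   30.264926]  ? ip6_xmit+0x1f76/0x2260
[   30.285971]  ip6_xmit+0x1f76/0x2260
[   30.365675]  pppol2tp_sendmsg+0x470/0x670
[   30.537117] Allocated by task 4224:
[   30.540720]  save_stack+0x43/0xd0
[   30.551779]  kmem_cache_alloc+0x12e/0x760
[   30.555899]  dst_alloc+0x11f/0x1a0
[   30.607567]
[   30.609168] Freed by task 0:
[   30.612163]  save_stack+0x43/0xd0
[   30.623563]  kmem_cache_free+0x83/0x2a0
[   30.627508]  dst_destroy+0x257/0x370
[   30.645077] The buggy address belongs to the object at ffff8801cb0e8b00
[   30.645077]  which belongs to the cache ip_dst_cache of size 168
[   30.657794]  168-byte region [ffff8801cb0e8b00, ffff8801cb0e8ba8)
[   30.730666] >ffff8801cb0e8b00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
"""

_TS = re.compile(r"^\[\s*\d+\.\d+\]\s?")                    # "[   30.217652] " prefix
_BUG = re.compile(r"BUG: KASAN: (\S+) in ([\w.]+)\+0x[0-9a-f]+/")
_ACCESS = re.compile(r"(Read|Write) of size (\d+) at addr ([0-9a-f]+) by task (\S+)/(\d+)")
_FRAME = re.compile(r"^\s*(\? )?([\w.]+)\+0x[0-9a-f]+/0x[0-9a-f]+$")
_OBJECT = re.compile(r"object at ([0-9a-f]+)")
_CACHE = re.compile(r"cache (\S+) of size (\d+)")
_REGION = re.compile(r"region \[([0-9a-f]+), ([0-9a-f]+)\)")
_SHADOW = re.compile(r"^>([0-9a-f]+): ((?:[0-9a-f]{2} ?)+)$")

SHADOW_SCALE = 8          # one KASAN shadow byte describes 8 bytes of kernel memory
SHADOW_MEANING = {        # KASAN's shadow encoding for whole granules
    0x00: "addressable", 0xfa: "global redzone", 0xfb: "freed slab object",
    0xfc: "slab redzone", 0xfe: "page redzone", 0xff: "freed page"}
# Assumption: frames with these prefixes are allocator/KASAN plumbing, not the subsystem.
PLUMBING = ("save_stack", "kasan_", "__kasan_", "__asan_", "kmem_cache_", "dump_stack",
            "print_address_description")

def shadow_meaning(value):
    if 1 <= value <= 7:
        return f"partially addressable ({value} of 8 bytes)"
    return SHADOW_MEANING.get(value, f"unknown shadow byte 0x{value:02x}")

def parse_kasan_report(text):
    info = {"call_trace": [], "alloc_stack": [], "free_stack": []}
    section = None
    for line in (_TS.sub("", raw) for raw in text.splitlines()):
        s = line.strip()
        if not s:                       # a blank line ends the current stack section
            section = None
        elif s == "Call Trace:":
            section = "call_trace"
        elif s.startswith("Allocated by task "):
            info["alloc_task"], section = int(s.split()[3].rstrip(":")), "alloc_stack"
        elif s.startswith("Freed by task "):
            info["free_task"], section = int(s.split()[3].rstrip(":")), "free_stack"
        elif (m := _FRAME.match(line)) and section:
            if not m.group(1):          # "? " frames are stale stack slots, not the real path
                info[section].append(m.group(2))
        elif m := _BUG.search(s):
            info["bug"], info["func"] = m.group(1), m.group(2)
        elif m := _ACCESS.search(s):
            info.update(access=m.group(1), size=int(m.group(2)), addr=int(m.group(3), 16),
                        comm=m.group(4), pid=int(m.group(5)))
        elif m := _OBJECT.search(s):
            info["object"] = int(m.group(1), 16)
        elif m := _CACHE.search(s):
            info["cache"], info["object_size"] = m.group(1), int(m.group(2))
        elif m := _REGION.search(s):
            info["region"] = (int(m.group(1), 16), int(m.group(2), 16))
        elif m := _SHADOW.match(s):
            info["shadow_base"] = int(m.group(1), 16)
            info["shadow"] = [int(b, 16) for b in m.group(2).split()]
    return info

def first_subsystem_frame(frames):
    return next((f for f in frames if not f.startswith(PLUMBING)), None)

def triage(text):
    info = parse_kasan_report(text)
    lo, hi = info["region"]
    if not lo <= info["addr"] < hi:     # sanity check: KASAN's own offset claim must hold
        raise ValueError("access address lies outside the reported object")
    shadow = info["shadow"][(info["addr"] - info["shadow_base"]) // SHADOW_SCALE]
    return {
        "title": f"KASAN: {info['bug']} {info['access']} in {info['func']}",  # syzbot shape
        "cache": info["cache"], "offset": info["addr"] - info["object"],
        "shadow": shadow_meaning(shadow),
        "crash_frame": first_subsystem_frame(info["call_trace"]),
        "alloc_frame": first_subsystem_frame(info["alloc_stack"]),
        "free_frame": first_subsystem_frame(info["free_stack"]),
        "tasks": (info["pid"], info["alloc_task"], info["free_task"]),
    }

if __name__ == "__main__":
    print(triage(SAMPLE_REPORT))
```

The region check matters when triaging many reports: a read that lands outside the reported object, or a shadow byte that is not 0xfb, means the "use-after-free" label needs a second look (slab-out-of-bounds and stale-pointer reads print similar headers). The "? " frames are deliberately dropped because they are guesses from the unwinder, not the call chain that was executing.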