[ ok ] Starting periodic command scheduler: cron.
Starting mcstransd:
[ ok ] Starting file context maintaining daemon: restorecond.
[ ok ] Starting OpenBSD Secure Shell server: sshd.
[ 18.196711] audit: type=1400 audit(1520372947.896:6): avc: denied { map } for pid=4175 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1

Debian GNU/Linux 7 syzkaller ttyS0

Warning: Permanently added '10.128.0.58' (ECDSA) to the list of known hosts.
executing program
syzkaller login: [ 24.523458] audit: type=1400 audit(1520372954.223:7): avc: denied { map } for pid=4189 comm="syzkaller505677" path="/root/syzkaller505677867" dev="sda1" ino=16481 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
[ 24.530139] ==================================================================
[ 24.556802] BUG: KASAN: use-after-free in ip6_xmit+0x1f76/0x2260
[ 24.562924] Read of size 8 at addr ffff8801cf206c18 by task syzkaller505677/4189
[ 24.570427]
[ 24.572039] CPU: 0 PID: 4189 Comm: syzkaller505677 Not tainted 4.16.0-rc4+ #254
[ 24.579458] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 24.588796] Call Trace:
[ 24.591362] dump_stack+0x194/0x24d
[ 24.594968] ? arch_local_irq_restore+0x53/0x53
[ 24.599612] ? show_regs_print_info+0x18/0x18
[ 24.604088] ? ip6_xmit+0x1f76/0x2260
[ 24.607869] print_address_description+0x73/0x250
[ 24.612687] ? ip6_xmit+0x1f76/0x2260
[ 24.616480] kasan_report+0x23c/0x360
[ 24.620259] __asan_report_load8_noabort+0x14/0x20
[ 24.625162] ip6_xmit+0x1f76/0x2260
[ 24.628789] ? ip6_finish_output2+0x23d0/0x23d0
[ 24.633433] ? fl6_update_dst+0x127/0x2b0
[ 24.637555] ? inet6_csk_route_socket+0x691/0xe80
[ 24.642373] ? trace_hardirqs_off+0x10/0x10
[ 24.646669] ? lock_acquire+0x1d5/0x580
[ 24.650615] ? lock_acquire+0x1d5/0x580
[ 24.654563] ? inet6_csk_xmit+0x114/0x580
[ 24.658689] ? trace_hardirqs_off+0x10/0x10
[ 24.662987] ? lock_release+0xa40/0xa40
[ 24.666952] inet6_csk_xmit+0x2fc/0x580
[ 24.670900] ? inet6_csk_update_pmtu+0x160/0x160
[ 24.675634] ? __sk_dst_check+0x1a5/0x380
[ 24.679757] ? sock_kzfree_s+0x60/0x60
[ 24.683632] l2tp_xmit_skb+0x105f/0x1410
[ 24.687676] ? l2tp_session_create+0xb80/0xb80
[ 24.692231] ? sock_wmalloc+0x15d/0x1d0
[ 24.696181] ? iov_iter_advance+0x13f0/0x13f0
[ 24.700654] ? pppol2tp_sendmsg+0x41b/0x670
[ 24.704953] pppol2tp_sendmsg+0x470/0x670
[ 24.709078] ? selinux_socket_sendmsg+0x36/0x40
[ 24.713726] ? pppol2tp_getsockopt+0x900/0x900
[ 24.718295] sock_sendmsg+0xca/0x110
[ 24.721984] ___sys_sendmsg+0x767/0x8b0
[ 24.725938] ? copy_msghdr_from_user+0x590/0x590
[ 24.730673] ? __pmd_alloc+0x4e0/0x4e0
[ 24.734537] ? selinux_socket_connect+0x311/0x730
[ 24.739354] ? trace_hardirqs_off+0x10/0x10
[ 24.743651] ? find_held_lock+0x35/0x1d0
[ 24.747690] ? __fget_light+0x2b2/0x3c0
[ 24.751638] ? fget_raw+0x20/0x20
[ 24.755108] ? __do_page_fault+0x5f7/0xc90
[ 24.759329] ? lock_downgrade+0x980/0x980
[ 24.763460] __sys_sendmsg+0xe5/0x210
[ 24.767233] ? __sys_sendmsg+0xe5/0x210
[ 24.771182] ? SyS_shutdown+0x290/0x290
[ 24.775137] ? __do_page_fault+0x3d6/0xc90
[ 24.779355] ? move_addr_to_kernel+0x60/0x60
[ 24.783741] SyS_sendmsg+0x2d/0x50
[ 24.787255] ? __sys_sendmsg+0x210/0x210
[ 24.791290] do_syscall_64+0x281/0x940
[ 24.795149] ? __do_page_fault+0xc90/0xc90
[ 24.799358] ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 24.804094] ? syscall_return_slowpath+0x550/0x550
[ 24.808996] ? syscall_return_slowpath+0x2ac/0x550
[ 24.813902] ? prepare_exit_to_usermode+0x350/0x350
[ 24.818905] ? retint_user+0x18/0x18
[ 24.822594] ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 24.827418] entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 24.832580] RIP: 0033:0x440239
[ 24.835742] RSP: 002b:00007ffc7dea0958 EFLAGS: 00000217 ORIG_RAX: 000000000000002e
[ 24.843421] RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 0000000000440239
[ 24.850667] RDX: 0000000000000081 RSI: 000000002037ffc8 RDI: 0000000000000004
[ 24.857911] RBP: 00000000006ca018 R08: 00000000004002c8 R09: 00000000004002c8
[ 24.865155] R10: 00000000004002c8 R11: 0000000000000217 R12: 0000000000401b60
[ 24.872399] R13: 0000000000401bf0 R14: 0000000000000000 R15: 0000000000000000
[ 24.879659]
[ 24.881261] Allocated by task 4136:
[ 24.884864] save_stack+0x43/0xd0
[ 24.888289] kasan_kmalloc+0xad/0xe0
[ 24.891975] kasan_slab_alloc+0x12/0x20
[ 24.895938] kmem_cache_alloc+0x12e/0x760
[ 24.900062] dst_alloc+0x11f/0x1a0
[ 24.903580] rt_dst_alloc+0xe9/0x4e0
[ 24.907270] ip_route_output_key_hash_rcu+0xa59/0x2fe0
[ 24.912519] ip_route_output_key_hash+0x20b/0x370
[ 24.917338] __ip4_datagram_connect+0xa67/0x1240
[ 24.922069] __ip6_datagram_connect+0x749/0x12d0
[ 24.926802] ip6_datagram_connect+0x2f/0x50
[ 24.931103] inet_dgram_connect+0x16b/0x1f0
[ 24.935396] SYSC_connect+0x213/0x4a0
[ 24.939174] SyS_connect+0x24/0x30
[ 24.942688] do_syscall_64+0x281/0x940
[ 24.946550] entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 24.951709]
[ 24.953311] Freed by task 4136:
[ 24.956562] save_stack+0x43/0xd0
[ 24.959987] __kasan_slab_free+0x11a/0x170
[ 24.964197] kasan_slab_free+0xe/0x10
[ 24.967970] kmem_cache_free+0x83/0x2a0
[ 24.971916] dst_destroy+0x257/0x370
[ 24.975600] dst_destroy_rcu+0x16/0x20
[ 24.979472] rcu_process_callbacks+0xd6c/0x17f0
[ 24.984115] __do_softirq+0x2d7/0xb85
[ 24.987885]
[ 24.989487] The buggy address belongs to the object at ffff8801cf206c00
[ 24.989487] which belongs to the cache ip_dst_cache of size 160
[ 25.002211] The buggy address is located 24 bytes inside of
[ 25.002211] 160-byte region [ffff8801cf206c00, ffff8801cf206ca0)
[ 25.013987] The buggy address belongs to the page:
[ 25.018913] page:ffffea00073c8180 count:1 mapcount:0 mapping:ffff8801cf206000 index:0x0
[ 25.027035] flags: 0x2fffc0000000100(slab)
[ 25.031260] raw: 02fffc0000000100 ffff8801cf206000 0000000000000000 0000000100000010
[ 25.039123] raw: ffff8801d6bce448 ffffea0007095aa0 ffff8801d5b92800 0000000000000000
[ 25.046975] page dumped because: kasan: bad access detected
[ 25.052655]
[ 25.054253] Memory state around the buggy address:
[ 25.059154] ffff8801cf206b00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 25.066484] ffff8801cf206b80: 00 00 00 00 fc fc fc fc fc fc fc fc fc fc fc fc
[ 25.073816] >ffff8801cf206c00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 25.081147] ^
[ 25.085267] ffff8801cf206c80: fb fb fb fb fc fc fc fc fc fc fc fc fc fc fc fc
[ 25.092596] ffff8801cf206d00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 25.099924] ==================================================================
[ 25.107252] Disabling lock debugging due to kernel taint
[ 25.112698] Kernel panic - not syncing: panic_on_warn set ...
[ 25.112698]
[ 25.120052] CPU: 0 PID: 4189 Comm: syzkaller505677 Tainted: G B 4.16.0-rc4+ #254
[ 25.128774] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 25.138103] Call Trace:
[ 25.140669] dump_stack+0x194/0x24d
[ 25.144271] ? arch_local_irq_restore+0x53/0x53
[ 25.148912] ? kasan_end_report+0x32/0x50
[ 25.153036] ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 25.157776] ? vsnprintf+0x1ed/0x1900
[ 25.161553] ? ip6_xmit+0x1ec0/0x2260
[ 25.165326] panic+0x1e4/0x41c
[ 25.168493] ? refcount_error_report+0x214/0x214
[ 25.173222] ? add_taint+0x1c/0x50
[ 25.176731] ? add_taint+0x1c/0x50
[ 25.180248] ? ip6_xmit+0x1f76/0x2260
[ 25.184033] kasan_end_report+0x50/0x50
[ 25.187982] kasan_report+0x149/0x360
[ 25.191754] __asan_report_load8_noabort+0x14/0x20
[ 25.196662] ip6_xmit+0x1f76/0x2260
[ 25.200268] ? ip6_finish_output2+0x23d0/0x23d0
[ 25.204910] ? fl6_update_dst+0x127/0x2b0
[ 25.209035] ? inet6_csk_route_socket+0x691/0xe80
[ 25.213851] ? trace_hardirqs_off+0x10/0x10
[ 25.218147] ? lock_acquire+0x1d5/0x580
[ 25.222092] ? lock_acquire+0x1d5/0x580
[ 25.226037] ? inet6_csk_xmit+0x114/0x580
[ 25.230157] ? trace_hardirqs_off+0x10/0x10
[ 25.234451] ? lock_release+0xa40/0xa40
[ 25.238405] inet6_csk_xmit+0x2fc/0x580
[ 25.242349] ? inet6_csk_update_pmtu+0x160/0x160
[ 25.247105] ? __sk_dst_check+0x1a5/0x380
[ 25.251254] ? sock_kzfree_s+0x60/0x60
[ 25.255147] l2tp_xmit_skb+0x105f/0x1410
[ 25.259196] ? l2tp_session_create+0xb80/0xb80
[ 25.263751] ? sock_wmalloc+0x15d/0x1d0
[ 25.267700] ? iov_iter_advance+0x13f0/0x13f0
[ 25.272171] ? pppol2tp_sendmsg+0x41b/0x670
[ 25.276464] pppol2tp_sendmsg+0x470/0x670
[ 25.280583] ? selinux_socket_sendmsg+0x36/0x40
[ 25.285222] ? pppol2tp_getsockopt+0x900/0x900
[ 25.289776] sock_sendmsg+0xca/0x110
[ 25.293464] ___sys_sendmsg+0x767/0x8b0
[ 25.297411] ? copy_msghdr_from_user+0x590/0x590
[ 25.302141] ? __pmd_alloc+0x4e0/0x4e0
[ 25.306000] ? selinux_socket_connect+0x311/0x730
[ 25.310819] ? trace_hardirqs_off+0x10/0x10
[ 25.315122] ? find_held_lock+0x35/0x1d0
[ 25.319164] ? __fget_light+0x2b2/0x3c0
[ 25.323122] ? fget_raw+0x20/0x20
[ 25.326556] ? __do_page_fault+0x5f7/0xc90
[ 25.330764] ? lock_downgrade+0x980/0x980
[ 25.334890] __sys_sendmsg+0xe5/0x210
[ 25.338664] ? __sys_sendmsg+0xe5/0x210
[ 25.342610] ? SyS_shutdown+0x290/0x290
[ 25.346561] ? __do_page_fault+0x3d6/0xc90
[ 25.350771] ? move_addr_to_kernel+0x60/0x60
[ 25.355152] SyS_sendmsg+0x2d/0x50
[ 25.358664] ? __sys_sendmsg+0x210/0x210
[ 25.362696] do_syscall_64+0x281/0x940
[ 25.366566] ? __do_page_fault+0xc90/0xc90
[ 25.370772] ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 25.375500] ? syscall_return_slowpath+0x550/0x550
[ 25.380401] ? syscall_return_slowpath+0x2ac/0x550
[ 25.385305] ? prepare_exit_to_usermode+0x350/0x350
[ 25.390293] ? retint_user+0x18/0x18
[ 25.393980] ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 25.398809] entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 25.403971] RIP: 0033:0x440239
[ 25.407132] RSP: 002b:00007ffc7dea0958 EFLAGS: 00000217 ORIG_RAX: 000000000000002e
[ 25.414811] RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 0000000000440239
[ 25.422053] RDX: 0000000000000081 RSI: 000000002037ffc8 RDI: 0000000000000004
[ 25.429300] RBP: 00000000006ca018 R08: 00000000004002c8 R09: 00000000004002c8
[ 25.436544] R10: 00000000004002c8 R11: 0000000000000217 R12: 0000000000401b60
[ 25.443786] R13: 0000000000401bf0 R14: 0000000000000000 R15: 0000000000000000
[ 25.451494] Dumping ftrace buffer:
[ 25.455007] (ftrace buffer empty)
[ 25.458689] Kernel Offset: disabled
[ 25.462291] Rebooting in 86400 seconds..