[ ok ] Starting enhanced syslogd: rsyslogd.
[   12.974378] audit: type=1400 audit(1517027558.266:4): avc:  denied  { syslog } for  pid=3180 comm="rsyslogd" capability=34  scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=capability2 permissive=1
Starting mcstransd:
[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting file context maintaining daemon: restorecond.
[ ok ] Starting OpenBSD Secure Shell server: sshd.

Debian GNU/Linux 7 syzkaller ttyS0

Warning: Permanently added '10.128.0.39' (ECDSA) to the list of known hosts.
executing program
syzkaller login: [   26.614685] ==================================================================
[   26.622065] BUG: KASAN: use-after-free in ip6_xmit+0x1bc7/0x1bd0
[   26.628178] Read of size 8 at addr ffff8801cfc333d8 by task syzkaller322434/3337
[   26.635679] 
[   26.637284] CPU: 0 PID: 3337 Comm: syzkaller322434 Not tainted 4.9.78-g68d447c #23
[   26.644958] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   26.654281]  ffff8801c7fff5a0 ffffffff81d943a9 ffffea00073f0cc0 ffff8801cfc333d8
[   26.662248]  0000000000000000 ffff8801cfc333d8 ffff8801c8e004e4 ffff8801c7fff5d8
[   26.670203]  ffffffff8153dc23 ffff8801cfc333d8 0000000000000008 0000000000000000
[   26.678162] Call Trace:
[   26.680717]  [] dump_stack+0xc1/0x128
[   26.686050]  [] print_address_description+0x73/0x280
[   26.692681]  [] kasan_report+0x275/0x360
[   26.698272]  [] ? ip6_xmit+0x1bc7/0x1bd0
[   26.703861]  [] __asan_report_load8_noabort+0x14/0x20
[   26.710581]  [] ip6_xmit+0x1bc7/0x1bd0
[   26.715997]  [] ? save_stack_trace+0x16/0x20
[   26.721966]  [] ? save_trace+0xe0/0x270
[   26.727476]  [] ? ip6_finish_output2+0x1d20/0x1d20
[   26.733941]  [] ? debug_check_no_locks_freed+0x2c0/0x2c0
[   26.740921]  [] ? __lock_is_held+0xa1/0xf0
[   26.746688]  [] ? ipv4_dst_check+0x111/0x160
[   26.752625]  [] ? __sk_dst_check+0x10e/0x240
[   26.758564]  [] inet6_csk_xmit+0x27d/0x4d0
[   26.764330]  [] ? inet6_csk_xmit+0x100/0x4d0
[   26.770266]  [] ? inet6_csk_update_pmtu+0x160/0x160
[   26.776812]  [] l2tp_xmit_skb+0xcdc/0xf50
[   26.782490]  [] pppol2tp_sendmsg+0x5c0/0x7a0
[   26.788705]  [] ? selinux_socket_sendmsg+0x3f/0x50
[   26.795167]  [] ? pppol2tp_release+0x2e0/0x2e0
[   26.801281]  [] sock_sendmsg+0xca/0x110
[   26.807240]  [] ___sys_sendmsg+0x320/0x7e0
[   26.813006]  [] ? copy_msghdr_from_user+0x550/0x550
[   26.819554]  [] ? __pagevec_lru_add_fn+0x7b0/0x7b0
[   26.826011]  [] ? _raw_spin_unlock_irqrestore+0x5a/0x70
[   26.832914]  [] ? __lru_cache_add+0x187/0x250
[   26.838951]  [] ? do_huge_pmd_anonymous_page+0xb05/0x10d0
[   26.846021]  [] ? _raw_spin_unlock+0x2c/0x50
[   26.851957]  [] ? __fget_light+0x158/0x1e0
[   26.857721]  [] ? __fdget+0x18/0x20
[   26.862882]  [] ? sockfd_lookup_light+0x118/0x160
[   26.869253]  [] __sys_sendmmsg+0x159/0x3a0
[   26.875018]  [] ? SyS_sendmsg+0x50/0x50
[   26.880523]  [] ? up_read+0x1a/0x40
[   26.885689]  [] ? __do_page_fault+0x3bd/0xd40
[   26.891716]  [] ? trace_hardirqs_on_caller+0x38b/0x590
[   26.898521]  [] SyS_sendmmsg+0x35/0x60
[   26.903941]  [] entry_SYSCALL_64_fastpath+0x29/0xe8
[   26.910485] 
[   26.912106] Allocated by task 3263:
[   26.915699]  save_stack_trace+0x16/0x20
[   26.919642]  save_stack+0x43/0xd0
[   26.923061]  kasan_kmalloc+0xad/0xe0
[   26.926739]  kasan_slab_alloc+0x12/0x20
[   26.930677]  kmem_cache_alloc+0xba/0x290
[   26.934704]  dst_alloc+0x11f/0x1a0
[   26.938216]  rt_dst_alloc+0x78/0x430
[   26.941893]  __ip_route_output_key_hash+0xa4e/0x23e0
[   26.946969]  __ip4_datagram_connect+0xa17/0x1160
[   26.951705]  __ip6_datagram_connect+0x6f9/0xdf0
[   26.956341]  ip6_datagram_connect+0x2f/0x50
[   26.960630]  inet_dgram_connect+0x16b/0x1f0
[   26.964918]  SYSC_connect+0x1b6/0x310
[   26.968684]  SyS_connect+0x24/0x30
[   26.972190]  entry_SYSCALL_64_fastpath+0x29/0xe8
[   26.976909] 
[   26.978507] Freed by task 3284:
[   26.981757]  save_stack_trace+0x16/0x20
[   26.985697]  save_stack+0x43/0xd0
[   26.989115]  kasan_slab_free+0x72/0xc0
[   26.992969]  kmem_cache_free+0xc7/0x300
[   26.996908]  dst_destroy+0x1fd/0x360
[   27.000587]  dst_destroy_rcu+0x15/0x40
[   27.004441]  rcu_process_callbacks+0x898/0x1300
[   27.009075]  __do_softirq+0x206/0x951
[   27.012839] 
[   27.014437] The buggy address belongs to the object at ffff8801cfc333c0
[   27.014437]  which belongs to the cache ip_dst_cache of size 216
[   27.027144] The buggy address is located 24 bytes inside of
[   27.027144]  216-byte region [ffff8801cfc333c0, ffff8801cfc33498)
[   27.038896] The buggy address belongs to the page:
[   27.043792] page:ffffea00073f0cc0 count:1 mapcount:0 mapping: (null) index:0x0
[   27.052018] flags: 0x8000000000000080(slab)
[   27.056305] page dumped because: kasan: bad access detected
[   27.061976] 
[   27.063569] Memory state around the buggy address:
[   27.068464]  ffff8801cfc33280: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   27.075803]  ffff8801cfc33300: 00 00 00 00 00 00 00 00 00 00 00 fc fc fc fc fc
[   27.083126] >ffff8801cfc33380: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
[   27.090455]                                                     ^
[   27.096651]  ffff8801cfc33400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   27.103974]  ffff8801cfc33480: fb fb fb fc fc fc fc fc fc fc fc fc fc fc fc fc
[   27.111295] ==================================================================
[   27.118620] Disabling lock debugging due to kernel taint
[   27.124063] Kernel panic - not syncing: panic_on_warn set ...
[   27.124063] 
[   27.131396] CPU: 0 PID: 3337 Comm: syzkaller322434 Tainted: G    B           4.9.78-g68d447c #23
[   27.140284] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   27.149609]  ffff8801c7fff4f8 ffffffff81d943a9 ffffffff841971bf ffff8801c7fff5d0
[   27.157587]  0000000000000000 ffff8801cfc333d8 ffff8801c8e004e4 ffff8801c7fff5c0
[   27.165546]  ffffffff8142f451 0000000041b58ab3 ffffffff8418ac30 ffffffff8142f295
[   27.173499] Call Trace:
[   27.176054]  [] dump_stack+0xc1/0x128
[   27.181382]  [] panic+0x1bc/0x3a8
[   27.186366]  [] ? percpu_up_read_preempt_enable.constprop.53+0xd7/0xd7
[   27.194563]  [] kasan_end_report+0x50/0x50
[   27.200331]  [] kasan_report+0x167/0x360
[   27.205935]  [] ? ip6_xmit+0x1bc7/0x1bd0
[   27.211527]  [] __asan_report_load8_noabort+0x14/0x20
[   27.218246]  [] ip6_xmit+0x1bc7/0x1bd0
[   27.223666]  [] ? save_stack_trace+0x16/0x20
[   27.229605]  [] ? save_trace+0xe0/0x270
[   27.235110]  [] ? ip6_finish_output2+0x1d20/0x1d20
[   27.241571]  [] ? debug_check_no_locks_freed+0x2c0/0x2c0
[   27.248550]  [] ? __lock_is_held+0xa1/0xf0
[   27.254315]  [] ? ipv4_dst_check+0x111/0x160
[   27.260257]  [] ? __sk_dst_check+0x10e/0x240
[   27.266198]  [] inet6_csk_xmit+0x27d/0x4d0
[   27.271963]  [] ? inet6_csk_xmit+0x100/0x4d0
[   27.277909]  [] ? inet6_csk_update_pmtu+0x160/0x160
[   27.284459]  [] l2tp_xmit_skb+0xcdc/0xf50
[   27.290139]  [] pppol2tp_sendmsg+0x5c0/0x7a0
[   27.296076]  [] ? selinux_socket_sendmsg+0x3f/0x50
[   27.302533]  [] ? pppol2tp_release+0x2e0/0x2e0
[   27.308644]  [] sock_sendmsg+0xca/0x110
[   27.314155]  [] ___sys_sendmsg+0x320/0x7e0
[   27.319921]  [] ? copy_msghdr_from_user+0x550/0x550
[   27.326468]  [] ? __pagevec_lru_add_fn+0x7b0/0x7b0
[   27.332926]  [] ? _raw_spin_unlock_irqrestore+0x5a/0x70
[   27.339840]  [] ? __lru_cache_add+0x187/0x250
[   27.345867]  [] ? do_huge_pmd_anonymous_page+0xb05/0x10d0
[   27.352936]  [] ? _raw_spin_unlock+0x2c/0x50
[   27.358874]  [] ? __fget_light+0x158/0x1e0
[   27.364637]  [] ? __fdget+0x18/0x20
[   27.369793]  [] ? sockfd_lookup_light+0x118/0x160
[   27.376165]  [] __sys_sendmmsg+0x159/0x3a0
[   27.381935]  [] ? SyS_sendmsg+0x50/0x50
[   27.387441]  [] ? up_read+0x1a/0x40
[   27.392599]  [] ? __do_page_fault+0x3bd/0xd40
[   27.398621]  [] ? trace_hardirqs_on_caller+0x38b/0x590
[   27.405427]  [] SyS_sendmmsg+0x35/0x60
[   27.410842]  [] entry_SYSCALL_64_fastpath+0x29/0xe8
[   27.417760] Dumping ftrace buffer:
[   27.421269]    (ftrace buffer empty)
[   27.424953] Kernel Offset: disabled
[   27.428546] Rebooting in 86400 seconds..
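What a triager needs from the report above is a handful of structured facts: the bug kind and faulting symbol, the slab cache and offset of the bad access, and the first non-sanitizer frame of the allocation and free stacks. The parser below is an added example for extracting them from the kernel-console format syzkaller emits; it is not syzkaller's or the kernel's own tooling. SAMPLE is an excerpt of this report's own lines (timestamps kept); the NOISE list of sanitizer and slab frames to skip is an assumption of this example.

```python
"""Parse a KASAN report (the kernel-console form syzkaller emits) into the fields
a triager needs.  Added example, not syzkaller's or the kernel's own tooling."""
import re
from dataclasses import dataclass, field

# Excerpt of the report above, timestamps kept, so the parser runs offline.
SAMPLE = """\
[   26.622065] BUG: KASAN: use-after-free in ip6_xmit+0x1bc7/0x1bd0
[   26.628178] Read of size 8 at addr ffff8801cfc333d8 by task syzkaller322434/3337
[   26.912106] Allocated by task 3263:
[   26.923061]  kasan_kmalloc+0xad/0xe0
[   26.926739]  kasan_slab_alloc+0x12/0x20
[   26.930677]  kmem_cache_alloc+0xba/0x290
[   26.934704]  dst_alloc+0x11f/0x1a0
[   26.938216]  rt_dst_alloc+0x78/0x430
[   26.941893]  __ip_route_output_key_hash+0xa4e/0x23e0
[   26.946969]  __ip4_datagram_connect+0xa17/0x1160
[   26.951705]  __ip6_datagram_connect+0x6f9/0xdf0
[   26.978507] Freed by task 3284:
[   26.989115]  kasan_slab_free+0x72/0xc0
[   26.992969]  kmem_cache_free+0xc7/0x300
[   26.996908]  dst_destroy+0x1fd/0x360
[   27.000587]  dst_destroy_rcu+0x15/0x40
[   27.004441]  rcu_process_callbacks+0x898/0x1300
[   27.014437] The buggy address belongs to the object at ffff8801cfc333c0
[   27.014437]  which belongs to the cache ip_dst_cache of size 216
[   27.027144] The buggy address is located 24 bytes inside of
[   27.027144]  216-byte region [ffff8801cfc333c0, ffff8801cfc33498)
"""

TS = re.compile(r"^\[\s*\d+\.\d+\]\s?")
# Sanitizer/slab frames that head every alloc/free stack and never name the
# owner of the object; triage skips them (list assumed for this example).
NOISE = ("save_stack", "kasan_", "__asan_", "kmem_cache_", "__kmalloc", "kfree")

@dataclass
class KasanReport:
    bug: str = ""          # e.g. "use-after-free", "slab-out-of-bounds"
    site: str = ""         # faulting symbol+offset from the BUG: line
    access: str = ""       # "Read" or "Write"
    size: int = 0
    addr: int = 0
    task: str = ""
    pid: int = 0
    alloc_pid: int = 0
    free_pid: int = 0
    alloc_stack: list = field(default_factory=list)
    free_stack: list = field(default_factory=list)
    obj_base: int = 0
    cache: str = ""
    obj_size: int = 0
    offset: int = 0        # offset of the bad access inside the object

    def dedup_key(self):
        """Bug kind plus bare symbol: stable across rebuilds that move offsets."""
        return f"{self.bug}:{self.site.split('+')[0]}"

    def offset_consistent(self):
        """Cross-check the report's own arithmetic: addr - object base == offset."""
        return self.addr - self.obj_base == self.offset

def first_owner_frame(stack):
    """First frame from the subsystem that owns the object, skipping NOISE."""
    for frame in stack:
        if not frame.startswith(NOISE):
            return frame
    return ""

def parse_kasan(text):
    r, section = KasanReport(), None   # section: "alloc"/"free" inside those dumps
    for raw in text.splitlines():
        line = TS.sub("", raw).strip()
        if m := re.match(r"BUG: KASAN: (\S+) in (\S+)", line):
            r.bug, r.site = m.group(1), m.group(2)
        elif m := re.match(r"(Read|Write) of size (\d+) at addr ([0-9a-f]+) by task (\S+)/(\d+)", line):
            r.access, r.size, r.addr = m.group(1), int(m.group(2)), int(m.group(3), 16)
            r.task, r.pid = m.group(4), int(m.group(5))
        elif m := re.match(r"Allocated by task (\d+):", line):
            r.alloc_pid, section = int(m.group(1)), "alloc"
        elif m := re.match(r"Freed by task (\d+):", line):
            r.free_pid, section = int(m.group(1)), "free"
        elif m := re.match(r"The buggy address belongs to the object at ([0-9a-f]+)", line):
            r.obj_base, section = int(m.group(1), 16), None
        elif m := re.match(r"which belongs to the cache (\S+) of size (\d+)", line):
            r.cache, r.obj_size = m.group(1), int(m.group(2))
        elif m := re.match(r"The buggy address is located (\d+) bytes inside of", line):
            r.offset = int(m.group(1))
        elif section and re.fullmatch(r"\S+\+0x[0-9a-f]+/0x[0-9a-f]+", line):
            (r.alloc_stack if section == "alloc" else r.free_stack).append(line)
    return r

def triage_line(r):
    """One-line summary of the kind pasted into a tracker or dedup queue."""
    return (f"{r.dedup_key()}: {r.access} of {r.size} bytes at +{r.offset} in {r.cache} "
            f"({r.obj_size} B); alloc {first_owner_frame(r.alloc_stack)} pid {r.alloc_pid}; "
            f"free {first_owner_frame(r.free_stack)} pid {r.free_pid}")
```

Run on the excerpt, `triage_line(parse_kasan(SAMPLE))` reduces the report to the facts that matter for this bug: the object is a 216-byte `ip_dst_cache` entry (a `dst_entry`) allocated by an IPv4 route lookup reached from an IPv6 datagram `connect()`, freed from an RCU callback in softirq context (`dst_destroy_rcu`), and then read 24 bytes in by `ip6_xmit` on the `pppol2tp_sendmsg` -> `l2tp_xmit_skb` -> `inet6_csk_xmit` transmit path of a different task. `offset_consistent()` confirms the report's own arithmetic (0xffff8801cfc333d8 - 0xffff8801cfc333c0 == 24), and `dedup_key()` gives the `use-after-free:ip6_xmit` title under which repeats of the same crash on other builds can be grouped even though the `+0x...` offsets move.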