[....] Starting enhanced syslogd: rsyslogd [ 10.958656] audit: type=1400 audit(1514737110.039:5): avc: denied { syslog } for pid=3000 comm="rsyslogd" capability=34 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=capability2 permissive=1 [ ok ]. [....] Starting periodic command scheduler: cron [ ok ]. Starting mcstransd: [....] Starting file context maintaining daemon: restorecond [ ok ]. [....] Starting OpenBSD Secure Shell server: sshd [ ok ]. Debian GNU/Linux 7 syzkaller ttyS0 syzkaller login: [ 16.728965] audit: type=1400 audit(1514737115.809:6): avc: denied { map } for pid=3139 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1 Warning: Permanently added '10.128.15.196' (ECDSA) to the list of known hosts. executing program [ 22.929603] audit: type=1400 audit(1514737122.010:7): avc: denied { map } for pid=3153 comm="syzkaller920384" path="/root/syzkaller920384627" dev="sda1" ino=16481 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1 [ 22.932659] ================================================================== [ 22.932676] BUG: KASAN: use-after-free in ip6_xmit+0x1f92/0x1fc0 [ 22.932681] Read of size 8 at addr ffff8801ca6f9f18 by task syzkaller920384/3153 [ 22.932682] [ 22.932688] CPU: 1 PID: 3153 Comm: syzkaller920384 Not tainted 4.15.0-rc4-next-20171221+ #78 [ 22.932691] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 22.932693] Call Trace: [ 22.932701] dump_stack+0x194/0x257 [ 22.932709] ? arch_local_irq_restore+0x53/0x53 [ 22.932717] ? show_regs_print_info+0x18/0x18 [ 22.932727] ? ip6_xmit+0x1f92/0x1fc0 [ 22.932735] print_address_description+0x73/0x250 [ 22.932740] ? 
ip6_xmit+0x1f92/0x1fc0 [ 22.932747] kasan_report+0x25b/0x340 [ 22.932756] __asan_report_load8_noabort+0x14/0x20 [ 22.932761] ip6_xmit+0x1f92/0x1fc0 [ 22.932767] ? __sk_dst_check+0x1a5/0x380 [ 22.932782] ? ip6_finish_output2+0x2310/0x2310 [ 22.932792] ? fl6_update_dst+0x127/0x2b0 [ 22.932799] ? check_noncircular+0x20/0x20 [ 22.932804] ? inet6_csk_route_socket+0x691/0xe50 [ 22.932814] ? lock_acquire+0x1d5/0x580 [ 22.932817] ? memcpy+0x45/0x50 [ 22.932821] ? lock_acquire+0x1d5/0x580 [ 22.932825] ? inet6_csk_xmit+0x114/0x580 [ 22.932836] ? lock_release+0xa40/0xa40 [ 22.932844] ? __lock_is_held+0xb6/0x140 [ 22.932860] inet6_csk_xmit+0x2fc/0x580 [ 22.932866] ? inet6_csk_update_pmtu+0x160/0x160 [ 22.932877] ? rt_cpu_seq_show+0x2c0/0x2c0 [ 22.932884] ? refcount_add_not_zero+0x133/0x200 [ 22.932905] tcp_transmit_skb+0x1b12/0x38b0 [ 22.932924] ? __tcp_select_window+0x900/0x900 [ 22.932929] ? tcp_fastopen_cache_get+0x449/0x720 [ 22.932938] ? tcp_peer_is_proven+0xc60/0xc60 [ 22.932947] ? __lock_is_held+0xb6/0x140 [ 22.932967] ? tcp_try_fastopen+0x1b50/0x1b50 [ 22.932976] ? tcp_init_transfer+0x3d0/0x3d0 [ 22.932989] ? tcp_rbtree_insert+0x135/0x190 [ 22.932999] tcp_connect+0x1ed5/0x4090 [ 22.933019] ? tcp_push_one+0xf0/0xf0 [ 22.933024] ? lock_downgrade+0x967/0x980 [ 22.933043] ? pvclock_read_flags+0x160/0x160 [ 22.933048] ? mark_held_locks+0xaf/0x100 [ 22.933052] ? ip_route_output_key_hash+0x229/0x370 [ 22.933059] ? ktime_get_with_offset+0x188/0x420 [ 22.933071] ? kvm_clock_get_cycles+0x25/0x30 [ 22.933076] ? ktime_get_with_offset+0x2c1/0x420 [ 22.933086] ? do_gettimeofday+0x190/0x190 [ 22.933098] ? tcp_fastopen_defer_connect+0x163/0x4a0 [ 22.933101] ? ip_route_output_key_hash+0x252/0x370 [ 22.933111] ? siphash_1u64+0x18/0x270 [ 22.933133] tcp_v4_connect+0x15ef/0x1e70 [ 22.933139] ? SyS_sendto+0x40/0x50 [ 22.933156] ? tcp_v4_inbound_md5_hash+0x510/0x510 [ 22.933163] ? __lock_is_held+0xb6/0x140 [ 22.933175] __inet_stream_connect+0x2d4/0xf00 [ 22.933187] ? 
inet_bind+0x910/0x910 [ 22.933201] ? tcp_sendmsg_locked+0x2453/0x3b30 [ 22.933206] ? rcu_read_lock_sched_held+0x108/0x120 [ 22.933212] ? kmem_cache_alloc_trace+0x456/0x750 [ 22.933215] ? __thp_get_unmapped_area+0x130/0x130 [ 22.933220] ? __lock_acquire+0x664/0x3e00 [ 22.933224] ? __lock_acquire+0x664/0x3e00 [ 22.933236] tcp_sendmsg_locked+0x27e4/0x3b30 [ 22.933248] ? avc_has_perm+0x35e/0x680 [ 22.933254] ? lock_downgrade+0x980/0x980 [ 22.933262] ? lock_release+0xa40/0xa40 [ 22.933270] ? sock_common_setsockopt+0x95/0xd0 [ 22.933279] ? tcp_sendpage+0x60/0x60 [ 22.933299] ? print_irqtrace_events+0x270/0x270 [ 22.933302] ? find_held_lock+0x35/0x1d0 [ 22.933313] ? lock_acquire+0x1d5/0x580 [ 22.933316] ? lock_sock_nested+0xa3/0x110 [ 22.933320] ? lock_acquire+0x1d5/0x580 [ 22.933324] ? tcp_sendmsg+0x21/0x50 [ 22.933339] ? mark_held_locks+0xaf/0x100 [ 22.933344] ? do_raw_spin_trylock+0x190/0x190 [ 22.933350] ? __local_bh_enable_ip+0x121/0x230 [ 22.933357] ? trace_hardirqs_on_caller+0x421/0x5c0 [ 22.933361] ? lock_sock_nested+0x91/0x110 [ 22.933365] ? trace_hardirqs_on+0xd/0x10 [ 22.933370] ? __local_bh_enable_ip+0x121/0x230 [ 22.933381] tcp_sendmsg+0x2f/0x50 [ 22.933389] inet_sendmsg+0x11f/0x5e0 [ 22.933394] ? __might_sleep+0x95/0x190 [ 22.933400] ? inet_recvmsg+0x5f0/0x5f0 [ 22.933407] ? selinux_socket_sendmsg+0x36/0x40 [ 22.933413] ? security_socket_sendmsg+0x89/0xb0 [ 22.933419] ? inet_recvmsg+0x5f0/0x5f0 [ 22.933425] sock_sendmsg+0xca/0x110 [ 22.933433] SYSC_sendto+0x361/0x5c0 [ 22.933442] ? SYSC_connect+0x4a0/0x4a0 [ 22.933447] ? up_read+0x1a/0x40 [ 22.933453] ? __do_page_fault+0x3d6/0xc90 [ 22.933481] ? __do_page_fault+0xc90/0xc90 [ 22.933490] ? SyS_setsockopt+0x215/0x360 [ 22.933499] ? SyS_recv+0x40/0x40 [ 22.933506] ? 
entry_SYSCALL_64_fastpath+0x5/0x96 [ 22.933517] SyS_sendto+0x40/0x50 [ 22.933527] entry_SYSCALL_64_fastpath+0x1f/0x96 [ 22.933531] RIP: 0033:0x43fda9 [ 22.933533] RSP: 002b:00007ffc9b8bd818 EFLAGS: 00000217 ORIG_RAX: 000000000000002c [ 22.933538] RAX: ffffffffffffffda RBX: ffffffffffffffff RCX: 000000000043fda9 [ 22.933541] RDX: 0000000000000000 RSI: 0000000020aa1000 RDI: 0000000000000003 [ 22.933543] RBP: 00000000006ca018 R08: 0000000020aa1000 R09: 0000000000000010 [ 22.933546] R10: 0000000023ffffff R11: 0000000000000217 R12: 0000000000401710 [ 22.933548] R13: 00000000004017a0 R14: 0000000000000000 R15: 0000000000000000 [ 22.933565] [ 22.933567] Allocated by task 3140: [ 22.933572] save_stack+0x43/0xd0 [ 22.933575] kasan_kmalloc+0xad/0xe0 [ 22.933579] kasan_slab_alloc+0x12/0x20 [ 22.933582] kmem_cache_alloc+0x12e/0x760 [ 22.933586] dst_alloc+0x11f/0x1a0 [ 22.933590] rt_dst_alloc+0xe9/0x520 [ 22.933593] ip_route_output_key_hash_rcu+0xa40/0x2c10 [ 22.933597] ip_route_output_key_hash+0x20b/0x370 [ 22.933601] __ip4_datagram_connect+0xa67/0x1240 [ 22.933605] __ip6_datagram_connect+0x709/0xf90 [ 22.933608] ip6_datagram_connect+0x2f/0x50 [ 22.933612] inet_dgram_connect+0x16b/0x1f0 [ 22.933615] SYSC_connect+0x213/0x4a0 [ 22.933619] SyS_connect+0x24/0x30 [ 22.933622] entry_SYSCALL_64_fastpath+0x1f/0x96 [ 22.933623] [ 22.933625] Freed by task 0: [ 22.933628] save_stack+0x43/0xd0 [ 22.933632] kasan_slab_free+0x71/0xc0 [ 22.933635] kmem_cache_free+0x83/0x2a0 [ 22.933638] dst_destroy+0x219/0x310 [ 22.933641] dst_destroy_rcu+0x16/0x20 [ 22.933646] rcu_process_callbacks+0xd6c/0x17f0 [ 22.933650] __do_softirq+0x2d7/0xb85 [ 22.933651] [ 22.933654] The buggy address belongs to the object at ffff8801ca6f9f00 [ 22.933654] which belongs to the cache ip_dst_cache of size 168 [ 22.933658] The buggy address is located 24 bytes inside of [ 22.933658] 168-byte region [ffff8801ca6f9f00, ffff8801ca6f9fa8) [ 22.933659] The buggy address belongs to the page: [ 22.933663] page:00000000637e5443 
count:1 mapcount:0 mapping:0000000000ddf2d5 index:0xffff8801ca6f9000 [ 22.933668] flags: 0x2fffc0000000100(slab) [ 22.933674] raw: 02fffc0000000100 ffff8801ca6f9000 ffff8801ca6f9000 000000010000000a [ 22.933678] raw: ffff8801d794f138 ffffea0007515320 ffff8801d6d724c0 0000000000000000 [ 22.933680] page dumped because: kasan: bad access detected [ 22.933682] [ 22.933683] Memory state around the buggy address: [ 22.933686] ffff8801ca6f9e00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 22.933690] ffff8801ca6f9e80: 00 00 00 00 00 fc fc fc fc fc fc fc fc fc fc fc [ 22.933693] >ffff8801ca6f9f00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 22.933694] ^ [ 22.933697] ffff8801ca6f9f80: fb fb fb fb fb fc fc fc fc fc fc fc fc fc fc fc [ 22.933700] ffff8801ca6fa000: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 22.933702] ================================================================== [ 22.933703] Disabling lock debugging due to kernel taint [ 22.933717] Kernel panic - not syncing: panic_on_warn set ... [ 22.933717] [ 22.933721] CPU: 1 PID: 3153 Comm: syzkaller920384 Tainted: G B 4.15.0-rc4-next-20171221+ #78 [ 22.933723] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 22.933724] Call Trace: [ 22.933728] dump_stack+0x194/0x257 [ 22.933733] ? arch_local_irq_restore+0x53/0x53 [ 22.933740] ? trace_hardirqs_on_thunk+0x1a/0x1c [ 22.933745] ? vsnprintf+0x1ed/0x1900 [ 22.933749] ? ip6_xmit+0x1f00/0x1fc0 [ 22.933754] panic+0x1e4/0x41c [ 22.933758] ? refcount_error_report+0x214/0x214 [ 22.933764] ? add_taint+0x1c/0x50 [ 22.933768] ? add_taint+0x1c/0x50 [ 22.933773] ? ip6_xmit+0x1f92/0x1fc0 [ 22.933778] kasan_end_report+0x50/0x50 [ 22.933782] kasan_report+0x144/0x340 [ 22.933788] __asan_report_load8_noabort+0x14/0x20 [ 22.933792] ip6_xmit+0x1f92/0x1fc0 [ 22.933796] ? __sk_dst_check+0x1a5/0x380 [ 22.933805] ? ip6_finish_output2+0x2310/0x2310 [ 22.933811] ? fl6_update_dst+0x127/0x2b0 [ 22.933816] ? 
check_noncircular+0x20/0x20 [ 22.933819] ? inet6_csk_route_socket+0x691/0xe50 [ 22.933825] ? lock_acquire+0x1d5/0x580 [ 22.933828] ? memcpy+0x45/0x50 [ 22.933832] ? lock_acquire+0x1d5/0x580 [ 22.933835] ? inet6_csk_xmit+0x114/0x580 [ 22.933842] ? lock_release+0xa40/0xa40 [ 22.933848] ? __lock_is_held+0xb6/0x140 [ 22.933857] inet6_csk_xmit+0x2fc/0x580 [ 22.933862] ? inet6_csk_update_pmtu+0x160/0x160 [ 22.933868] ? rt_cpu_seq_show+0x2c0/0x2c0 [ 22.933872] ? refcount_add_not_zero+0x133/0x200 [ 22.933884] tcp_transmit_skb+0x1b12/0x38b0 [ 22.933895] ? __tcp_select_window+0x900/0x900 [ 22.933899] ? tcp_fastopen_cache_get+0x449/0x720 [ 22.933905] ? tcp_peer_is_proven+0xc60/0xc60 [ 22.933911] ? __lock_is_held+0xb6/0x140 [ 22.933923] ? tcp_try_fastopen+0x1b50/0x1b50 [ 22.933929] ? tcp_init_transfer+0x3d0/0x3d0 [ 22.933937] ? tcp_rbtree_insert+0x135/0x190 [ 22.933944] tcp_connect+0x1ed5/0x4090 [ 22.933953] ? tcp_push_one+0xf0/0xf0 [ 22.933957] ? lock_downgrade+0x967/0x980 [ 22.933966] ? pvclock_read_flags+0x160/0x160 [ 22.933970] ? mark_held_locks+0xaf/0x100 [ 22.933973] ? ip_route_output_key_hash+0x229/0x370 [ 22.933978] ? ktime_get_with_offset+0x188/0x420 [ 22.933985] ? kvm_clock_get_cycles+0x25/0x30 [ 22.933989] ? ktime_get_with_offset+0x2c1/0x420 [ 22.933995] ? do_gettimeofday+0x190/0x190 [ 22.934006] ? tcp_fastopen_defer_connect+0x163/0x4a0 [ 22.934009] ? ip_route_output_key_hash+0x252/0x370 [ 22.934014] ? siphash_1u64+0x18/0x270 [ 22.934027] tcp_v4_connect+0x15ef/0x1e70 [ 22.934030] ? SyS_sendto+0x40/0x50 [ 22.934044] ? tcp_v4_inbound_md5_hash+0x510/0x510 [ 22.934048] ? __lock_is_held+0xb6/0x140 [ 22.934056] __inet_stream_connect+0x2d4/0xf00 [ 22.934063] ? inet_bind+0x910/0x910 [ 22.934072] ? tcp_sendmsg_locked+0x2453/0x3b30 [ 22.934076] ? rcu_read_lock_sched_held+0x108/0x120 [ 22.934080] ? kmem_cache_alloc_trace+0x456/0x750 [ 22.934083] ? __thp_get_unmapped_area+0x130/0x130 [ 22.934087] ? __lock_acquire+0x664/0x3e00 [ 22.934091] ? 
__lock_acquire+0x664/0x3e00 [ 22.934098] tcp_sendmsg_locked+0x27e4/0x3b30 [ 22.934105] ? avc_has_perm+0x35e/0x680 [ 22.934109] ? lock_downgrade+0x980/0x980 [ 22.934115] ? lock_release+0xa40/0xa40 [ 22.934120] ? sock_common_setsockopt+0x95/0xd0 [ 22.934127] ? tcp_sendpage+0x60/0x60 [ 22.934138] ? print_irqtrace_events+0x270/0x270 [ 22.934141] ? find_held_lock+0x35/0x1d0 [ 22.934148] ? lock_acquire+0x1d5/0x580 [ 22.934151] ? lock_sock_nested+0xa3/0x110 [ 22.934155] ? lock_acquire+0x1d5/0x580 [ 22.934159] ? tcp_sendmsg+0x21/0x50 [ 22.934168] ? mark_held_locks+0xaf/0x100 [ 22.934171] ? do_raw_spin_trylock+0x190/0x190 [ 22.934176] ? __local_bh_enable_ip+0x121/0x230 [ 22.934181] ? trace_hardirqs_on_caller+0x421/0x5c0 [ 22.934184] ? lock_sock_nested+0x91/0x110 [ 22.934188] ? trace_hardirqs_on+0xd/0x10 [ 22.934192] ? __local_bh_enable_ip+0x121/0x230 [ 22.934199] tcp_sendmsg+0x2f/0x50 [ 22.934204] inet_sendmsg+0x11f/0x5e0 [ 22.934208] ? __might_sleep+0x95/0x190 [ 22.934212] ? inet_recvmsg+0x5f0/0x5f0 [ 22.934217] ? selinux_socket_sendmsg+0x36/0x40 [ 22.934222] ? security_socket_sendmsg+0x89/0xb0 [ 22.934226] ? inet_recvmsg+0x5f0/0x5f0 [ 22.934231] sock_sendmsg+0xca/0x110 [ 22.934236] SYSC_sendto+0x361/0x5c0 [ 22.934243] ? SYSC_connect+0x4a0/0x4a0 [ 22.934247] ? up_read+0x1a/0x40 [ 22.934251] ? __do_page_fault+0x3d6/0xc90 [ 22.934267] ? __do_page_fault+0xc90/0xc90 [ 22.934273] ? SyS_setsockopt+0x215/0x360 [ 22.934279] ? SyS_recv+0x40/0x40 [ 22.934284] ? 
entry_SYSCALL_64_fastpath+0x5/0x96 [ 22.934292] SyS_sendto+0x40/0x50 [ 22.934298] entry_SYSCALL_64_fastpath+0x1f/0x96 [ 22.934300] RIP: 0033:0x43fda9 [ 22.934302] RSP: 002b:00007ffc9b8bd818 EFLAGS: 00000217 ORIG_RAX: 000000000000002c [ 22.934306] RAX: ffffffffffffffda RBX: ffffffffffffffff RCX: 000000000043fda9 [ 22.934309] RDX: 0000000000000000 RSI: 0000000020aa1000 RDI: 0000000000000003 [ 22.934311] RBP: 00000000006ca018 R08: 0000000020aa1000 R09: 0000000000000010 [ 22.934313] R10: 0000000023ffffff R11: 0000000000000217 R12: 0000000000401710 [ 22.934315] R13: 00000000004017a0 R14: 0000000000000000 R15: 0000000000000000 [ 22.955835] Dumping ftrace buffer: [ 22.955838] (ftrace buffer empty) [ 22.955840] Kernel Offset: disabled [ 24.171788] Rebooting in 86400 seconds..