[....] Starting enhanced syslogd: rsyslogd[ 16.220959] audit: type=1400 audit(1518965259.039:5): avc: denied { syslog } for pid=4013 comm="rsyslogd" capability=34 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=capability2 permissive=1 [?25l[?1c7[ ok 8[?25h[?0c. Starting mcstransd: [....] Starting periodic command scheduler: cron[?25l[?1c7[ ok 8[?25h[?0c. [....] Starting file context maintaining daemon: restorecond[?25l[?1c7[ ok 8[?25h[?0c. [....] Starting OpenBSD Secure Shell server: sshd[?25l[?1c7[ ok 8[?25h[?0c. Debian GNU/Linux 7 syzkaller ttyS0 syzkaller login: [ 19.371846] audit: type=1400 audit(1518965262.190:6): avc: denied { map } for pid=4152 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1 Warning: Permanently added '10.128.0.50' (ECDSA) to the list of known hosts. net.ipv6.conf.syz0.accept_dad = 0 net.ipv6.conf.syz0.router_solicitations = 0 [ 31.093123] audit: type=1400 audit(1518965273.911:7): avc: denied { map } for pid=4167 comm="syzkaller752805" path="/root/syzkaller752805137" dev="sda1" ino=16481 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1 RTNETLINK answers: Operation not supported RTNETLINK answers: No buffer space available RTNETLINK answers: Operation not supported [ 31.350762] IPv6: ADDRCONF(NETDEV_UP): bridge0: link is not ready RTNETLINK answers: Operation not supported RTNETLINK answers: Operation not supported RTNETLINK answers: Operation not supported RTNETLINK answers: Invalid argument RTNETLINK answers: Invalid argument RTNETLINK answers: Invalid argument executing program [ 31.686961] ================================================================== [ 31.694399] BUG: KASAN: use-after-free in nf_nat_ipv6_manip_pkt+0x47c/0x490 [ 31.701475] Write of size 16 at addr ffff8801ca885820 by task syzkaller752805/4167 [ 31.709149] [ 31.710752] CPU: 1 PID: 4167 Comm: syzkaller752805 Not tainted 4.16.0-rc1+ #318 [ 31.718169] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 31.727494] Call Trace: [ 31.730062] dump_stack+0x194/0x257 [ 31.733665] ? arch_local_irq_restore+0x53/0x53 [ 31.738831] ? show_regs_print_info+0x18/0x18 [ 31.743304] ? nf_nat_ipv6_manip_pkt+0x47c/0x490 [ 31.748034] print_address_description+0x73/0x250 [ 31.752858] ? nf_nat_ipv6_manip_pkt+0x47c/0x490 [ 31.757588] kasan_report+0x23b/0x360 [ 31.761363] __asan_report_store_n_noabort+0x12/0x14 [ 31.766438] nf_nat_ipv6_manip_pkt+0x47c/0x490 [ 31.770996] ? icmpv6_pkt_to_tuple+0x300/0x300 [ 31.775554] ? __lock_is_held+0xb6/0x140 [ 31.779601] nf_nat_packet+0x3cb/0x560 [ 31.783462] ? ip6t_error+0x60/0x60 [ 31.787064] ? __nf_nat_decode_session+0x280/0x280 [ 31.791995] nf_nat_ipv6_fn+0x679/0xa80 [ 31.795941] ? ip6table_nat_fn+0x40/0x40 [ 31.799977] ? nf_nat_ipv6_secure_port+0x30/0x30 [ 31.804711] ? ip6table_mangle_hook+0x117/0x920 [ 31.809357] ? check_noncircular+0x20/0x20 [ 31.813568] ? ip6table_mangle_net_exit+0xa0/0xa0 [ 31.818384] ? __ip6_make_skb+0x1450/0x2190 [ 31.822678] ? ip6table_nat_fn+0x40/0x40 [ 31.826714] nf_nat_ipv6_local_fn+0x33/0x5d0 [ 31.831100] ip6table_nat_local_fn+0x2c/0x40 [ 31.835487] nf_hook_slow+0xba/0x1a0 [ 31.839179] __ip6_local_out+0x517/0xaa0 [ 31.843213] ? dst_output+0x140/0x140 [ 31.846988] ? lock_acquire+0x1d5/0x580 [ 31.851024] ? rawv6_sendmsg+0x1d86/0x40c0 [ 31.855247] ? ipv6_select_ident+0x120/0x120 [ 31.859638] ip6_local_out+0x2d/0x160 [ 31.863426] ip6_send_skb+0xa1/0x330 [ 31.867117] ip6_push_pending_frames+0xb3/0xe0 [ 31.871672] rawv6_sendmsg+0x2f96/0x40c0 [ 31.875704] ? debug_check_no_locks_freed+0x3c0/0x3c0 [ 31.880880] ? rawv6_bind+0x8c0/0x8c0 [ 31.884661] ? avc_has_perm+0x35e/0x680 [ 31.888610] ? lock_downgrade+0x980/0x980 [ 31.892733] ? lock_release+0xa40/0xa40 [ 31.896691] ? find_held_lock+0x35/0x1d0 [ 31.900736] ? avc_has_perm+0x43e/0x680 [ 31.904694] ? avc_has_perm_noaudit+0x520/0x520 [ 31.909339] ? _raw_spin_unlock+0x22/0x30 [ 31.913644] ? __might_sleep+0x95/0x190 [ 31.917618] ? kasan_check_write+0x14/0x20 [ 31.921829] ? _copy_from_user+0x99/0x110 [ 31.925956] ? rw_copy_check_uvector+0x1be/0x280 [ 31.930706] inet_sendmsg+0x11f/0x5e0 [ 31.934479] ? inet_sendmsg+0x11f/0x5e0 [ 31.938431] ? copy_msghdr_from_user+0x3a6/0x590 [ 31.943172] ? inet_create+0xf50/0xf50 [ 31.947032] ? selinux_socket_sendmsg+0x36/0x40 [ 31.951673] ? security_socket_sendmsg+0x89/0xb0 [ 31.956400] ? inet_create+0xf50/0xf50 [ 31.960263] sock_sendmsg+0xca/0x110 [ 31.963950] ___sys_sendmsg+0x767/0x8b0 [ 31.967902] ? copy_msghdr_from_user+0x590/0x590 [ 31.972738] ? check_noncircular+0x20/0x20 [ 31.976946] ? find_held_lock+0x35/0x1d0 [ 31.980984] ? __fget_light+0x2b2/0x3c0 [ 31.984941] ? fget_raw+0x20/0x20 [ 31.988451] ? handle_mm_fault+0x270/0x970 [ 31.992663] ? find_held_lock+0x35/0x1d0 [ 31.996708] ? __do_page_fault+0x5f7/0xc90 [ 32.000917] ? lock_downgrade+0x980/0x980 [ 32.005057] __sys_sendmsg+0xe5/0x210 [ 32.008828] ? __sys_sendmsg+0xe5/0x210 [ 32.012776] ? SyS_shutdown+0x290/0x290 [ 32.016731] ? __do_page_fault+0x3d6/0xc90 [ 32.020962] ? trace_event_raw_event_sys_exit+0x260/0x260 [ 32.026485] ? __sys_sendmsg+0x210/0x210 [ 32.030523] SyS_sendmsg+0x2d/0x50 [ 32.034037] do_syscall_64+0x280/0x940 [ 32.037896] ? __do_page_fault+0xc90/0xc90 [ 32.042107] ? trace_event_raw_event_sys_exit+0x260/0x260 [ 32.047618] ? syscall_return_slowpath+0x550/0x550 [ 32.052527] ? syscall_return_slowpath+0x2ac/0x550 [ 32.057435] ? retint_user+0x18/0x18 [ 32.061135] ? trace_hardirqs_off_thunk+0x1a/0x1c [ 32.065962] entry_SYSCALL_64_after_hwframe+0x42/0xb7 [ 32.071123] RIP: 0033:0x446ea9 [ 32.074296] RSP: 002b:00007fffd288b578 EFLAGS: 00000217 ORIG_RAX: 000000000000002e [ 32.081985] RAX: ffffffffffffffda RBX: 000000000000003e RCX: 0000000000446ea9 [ 32.089241] RDX: 0000000000000000 RSI: 00000000209f2fc8 RDI: 0000000000000004 [ 32.096491] RBP: 00007fffd288b688 R08: 0000000000008a7f R09: 0000000000008a7f [ 32.103735] R10: 0000000000000000 R11: 0000000000000217 R12: 00007fffd288b688 [ 32.110976] R13: 0000000000404370 R14: 0000000000000000 R15: 0000000000000000 [ 32.118256] [ 32.119859] Allocated by task 4167: [ 32.123466] save_stack+0x43/0xd0 [ 32.126895] kasan_kmalloc+0xad/0xe0 [ 32.130582] __kmalloc_node_track_caller+0x47/0x70 [ 32.135490] __kmalloc_reserve.isra.39+0x41/0xd0 [ 32.140225] __alloc_skb+0x13b/0x780 [ 32.143909] sock_wmalloc+0x140/0x1d0 [ 32.147689] __ip6_append_data.isra.44+0x26b9/0x3390 [ 32.152765] ip6_append_data+0x189/0x290 [ 32.156888] rawv6_sendmsg+0x1e09/0x40c0 [ 32.160929] inet_sendmsg+0x11f/0x5e0 [ 32.164703] sock_sendmsg+0xca/0x110 [ 32.168395] ___sys_sendmsg+0x767/0x8b0 [ 32.172948] __sys_sendmsg+0xe5/0x210 [ 32.176728] SyS_sendmsg+0x2d/0x50 [ 32.180243] do_syscall_64+0x280/0x940 [ 32.184115] entry_SYSCALL_64_after_hwframe+0x42/0xb7 [ 32.190237] [ 32.191843] Freed by task 4167: [ 32.195097] save_stack+0x43/0xd0 [ 32.198518] __kasan_slab_free+0x11a/0x170 [ 32.202727] kasan_slab_free+0xe/0x10 [ 32.206496] kfree+0xd9/0x260 [ 32.209581] skb_free_head+0x74/0xb0 [ 32.213264] pskb_expand_head+0x36b/0x1210 [ 32.217467] __pskb_pull_tail+0x14a/0x17f0 [ 32.221680] skb_make_writable+0x15b/0x750 [ 32.225981] tcp_manip_pkt+0x82/0x2d0 [ 32.229757] nf_nat_ipv6_manip_pkt+0x22d/0x490 [ 32.234328] nf_nat_packet+0x3cb/0x560 [ 32.238187] nf_nat_ipv6_fn+0x679/0xa80 [ 32.242133] nf_nat_ipv6_local_fn+0x33/0x5d0 [ 32.246511] ip6table_nat_local_fn+0x2c/0x40 [ 32.250888] nf_hook_slow+0xba/0x1a0 [ 32.254573] __ip6_local_out+0x517/0xaa0 [ 32.258604] ip6_local_out+0x2d/0x160 [ 32.262375] ip6_send_skb+0xa1/0x330 [ 32.266751] ip6_push_pending_frames+0xb3/0xe0 [ 32.271303] rawv6_sendmsg+0x2f96/0x40c0 [ 32.275338] inet_sendmsg+0x11f/0x5e0 [ 32.279123] sock_sendmsg+0xca/0x110 [ 32.282805] ___sys_sendmsg+0x767/0x8b0 [ 32.286748] __sys_sendmsg+0xe5/0x210 [ 32.290517] SyS_sendmsg+0x2d/0x50 [ 32.294051] do_syscall_64+0x280/0x940 [ 32.297914] entry_SYSCALL_64_after_hwframe+0x42/0xb7 [ 32.303074] [ 32.304674] The buggy address belongs to the object at ffff8801ca885780 [ 32.304674] which belongs to the cache kmalloc-512 of size 512 [ 32.317474] The buggy address is located 160 bytes inside of [ 32.317474] 512-byte region [ffff8801ca885780, ffff8801ca885980) [ 32.329317] The buggy address belongs to the page: [ 32.334214] page:ffffea00072a2140 count:1 mapcount:0 mapping:ffff8801ca885000 index:0x0 [ 32.342328] flags: 0x2fffc0000000100(slab) [ 32.346535] raw: 02fffc0000000100 ffff8801ca885000 0000000000000000 0000000100000006 [ 32.354395] raw: ffffea00072a20e0 ffffea00072a2220 ffff8801db000940 0000000000000000 [ 32.362242] page dumped because: kasan: bad access detected [ 32.367922] [ 32.369516] Memory state around the buggy address: [ 32.374413] ffff8801ca885700: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 32.381740] ffff8801ca885780: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 32.389079] >ffff8801ca885800: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 32.396407] ^ [ 32.400786] ffff8801ca885880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 32.408116] ffff8801ca885900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 32.415443] ================================================================== [ 32.422771] Disabling lock debugging due to kernel taint [ 32.428493] Kernel panic - not syncing: panic_on_warn set ... [ 32.428493] [ 32.435835] CPU: 1 PID: 4167 Comm: syzkaller752805 Tainted: G B 4.16.0-rc1+ #318 [ 32.444550] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 32.453871] Call Trace: [ 32.456433] dump_stack+0x194/0x257 [ 32.460048] ? arch_local_irq_restore+0x53/0x53 [ 32.464689] ? trace_hardirqs_on_thunk+0x1a/0x1c [ 32.469414] ? vsnprintf+0x1ed/0x1900 [ 32.473185] ? nf_nat_ipv6_manip_pkt+0x3e0/0x490 [ 32.477912] panic+0x1e4/0x41c [ 32.481073] ? refcount_error_report+0x214/0x214 [ 32.485799] ? add_taint+0x1c/0x50 [ 32.489316] ? add_taint+0x1c/0x50 [ 32.492828] ? nf_nat_ipv6_manip_pkt+0x47c/0x490 [ 32.497551] kasan_end_report+0x50/0x50 [ 32.501495] kasan_report+0x148/0x360 [ 32.505267] __asan_report_store_n_noabort+0x12/0x14 [ 32.510354] nf_nat_ipv6_manip_pkt+0x47c/0x490 [ 32.514908] ? icmpv6_pkt_to_tuple+0x300/0x300 [ 32.519464] ? __lock_is_held+0xb6/0x140 [ 32.523499] nf_nat_packet+0x3cb/0x560 [ 32.527354] ? ip6t_error+0x60/0x60 [ 32.530960] ? __nf_nat_decode_session+0x280/0x280 [ 32.535870] nf_nat_ipv6_fn+0x679/0xa80 [ 32.539813] ? ip6table_nat_fn+0x40/0x40 [ 32.543844] ? nf_nat_ipv6_secure_port+0x30/0x30 [ 32.548570] ? ip6table_mangle_hook+0x117/0x920 [ 32.553212] ? check_noncircular+0x20/0x20 [ 32.557419] ? ip6table_mangle_net_exit+0xa0/0xa0 [ 32.562242] ? __ip6_make_skb+0x1450/0x2190 [ 32.566535] ? ip6table_nat_fn+0x40/0x40 [ 32.570566] nf_nat_ipv6_local_fn+0x33/0x5d0 [ 32.574945] ip6table_nat_local_fn+0x2c/0x40 [ 32.579323] nf_hook_slow+0xba/0x1a0 [ 32.583014] __ip6_local_out+0x517/0xaa0 [ 32.587045] ? dst_output+0x140/0x140 [ 32.590902] ? lock_acquire+0x1d5/0x580 [ 32.594846] ? rawv6_sendmsg+0x1d86/0x40c0 [ 32.599050] ? ipv6_select_ident+0x120/0x120 [ 32.603437] ip6_local_out+0x2d/0x160 [ 32.607208] ip6_send_skb+0xa1/0x330 [ 32.610892] ip6_push_pending_frames+0xb3/0xe0 [ 32.615442] rawv6_sendmsg+0x2f96/0x40c0 [ 32.619471] ? debug_check_no_locks_freed+0x3c0/0x3c0 [ 32.624637] ? rawv6_bind+0x8c0/0x8c0 [ 32.628413] ? avc_has_perm+0x35e/0x680 [ 32.632358] ? lock_downgrade+0x980/0x980 [ 32.636475] ? lock_release+0xa40/0xa40 [ 32.640419] ? find_held_lock+0x35/0x1d0 [ 32.644459] ? avc_has_perm+0x43e/0x680 [ 32.648403] ? avc_has_perm_noaudit+0x520/0x520 [ 32.653042] ? _raw_spin_unlock+0x22/0x30 [ 32.657164] ? __might_sleep+0x95/0x190 [ 32.661129] ? kasan_check_write+0x14/0x20 [ 32.665335] ? _copy_from_user+0x99/0x110 [ 32.669453] ? rw_copy_check_uvector+0x1be/0x280 [ 32.674192] inet_sendmsg+0x11f/0x5e0 [ 32.677977] ? inet_sendmsg+0x11f/0x5e0 [ 32.681923] ? copy_msghdr_from_user+0x3a6/0x590 [ 32.686647] ? inet_create+0xf50/0xf50 [ 32.690507] ? selinux_socket_sendmsg+0x36/0x40 [ 32.695152] ? security_socket_sendmsg+0x89/0xb0 [ 32.699877] ? inet_create+0xf50/0xf50 [ 32.703737] sock_sendmsg+0xca/0x110 [ 32.707421] ___sys_sendmsg+0x767/0x8b0 [ 32.711367] ? copy_msghdr_from_user+0x590/0x590 [ 32.716102] ? check_noncircular+0x20/0x20 [ 32.720310] ? find_held_lock+0x35/0x1d0 [ 32.724346] ? __fget_light+0x2b2/0x3c0 [ 32.728302] ? fget_raw+0x20/0x20 [ 32.731723] ? handle_mm_fault+0x270/0x970 [ 32.735935] ? find_held_lock+0x35/0x1d0 [ 32.739974] ? __do_page_fault+0x5f7/0xc90 [ 32.744178] ? lock_downgrade+0x980/0x980 [ 32.748302] __sys_sendmsg+0xe5/0x210 [ 32.752075] ? __sys_sendmsg+0xe5/0x210 [ 32.756019] ? SyS_shutdown+0x290/0x290 [ 32.759966] ? __do_page_fault+0x3d6/0xc90 [ 32.764207] ? trace_event_raw_event_sys_exit+0x260/0x260 [ 32.769714] ? __sys_sendmsg+0x210/0x210 [ 32.773745] SyS_sendmsg+0x2d/0x50 [ 32.777257] do_syscall_64+0x280/0x940 [ 32.781117] ? __do_page_fault+0xc90/0xc90 [ 32.785321] ? trace_event_raw_event_sys_exit+0x260/0x260 [ 32.790826] ? syscall_return_slowpath+0x550/0x550 [ 32.795726] ? syscall_return_slowpath+0x2ac/0x550 [ 32.800627] ? retint_user+0x18/0x18 [ 32.804311] ? trace_hardirqs_off_thunk+0x1a/0x1c [ 32.809125] entry_SYSCALL_64_after_hwframe+0x42/0xb7 [ 32.814284] RIP: 0033:0x446ea9 [ 32.817445] RSP: 002b:00007fffd288b578 EFLAGS: 00000217 ORIG_RAX: 000000000000002e [ 32.825122] RAX: ffffffffffffffda RBX: 000000000000003e RCX: 0000000000446ea9 [ 32.832359] RDX: 0000000000000000 RSI: 00000000209f2fc8 RDI: 0000000000000004 [ 32.839596] RBP: 00007fffd288b688 R08: 0000000000008a7f R09: 0000000000008a7f [ 32.846836] R10: 0000000000000000 R11: 0000000000000217 R12: 00007fffd288b688 [ 32.854079] R13: 0000000000404370 R14: 0000000000000000 R15: 0000000000000000 [ 32.861701] Dumping ftrace buffer: [ 32.865210] (ftrace buffer empty) [ 32.868888] Kernel Offset: disabled [ 32.872489] Rebooting in 86400 seconds..