[ ok ] Starting enhanced syslogd: rsyslogd.
[   15.519653] audit: type=1400 audit(1520391210.524:5): avc:  denied  { syslog } for  pid=4069 comm="rsyslogd" capability=34  scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=capability2 permissive=1
[ ok ] Starting periodic command scheduler: cron.
Starting mcstransd:
[ ok ] Starting file context maintaining daemon: restorecond.
[ ok ] Starting OpenBSD Secure Shell server: sshd.

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [   18.604426] audit: type=1400 audit(1520391213.609:6): avc:  denied  { map } for  pid=4208 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
Warning: Permanently added '10.128.0.18' (ECDSA) to the list of known hosts.
net.ipv6.conf.syz_tun.accept_dad = 0
net.ipv6.conf.syz_tun.router_solicitations = 0
[   24.913755] audit: type=1400 audit(1520391219.918:7): avc:  denied  { map } for  pid=4222 comm="syzkaller092022" path="/root/syzkaller092022575" dev="sda1" ino=16481 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
[   24.923289] IPVS: ftp: loaded support on port[0] = 21
RTNETLINK answers: File exists
RTNETLINK answers: Operation not supported
RTNETLINK answers: No buffer space available
RTNETLINK answers: Operation not supported
RTNETLINK answers: Operation not supported
[   25.191533] IPv6: ADDRCONF(NETDEV_UP): bridge0: link is not ready
RTNETLINK answers: Operation not supported
RTNETLINK answers: Operation not supported
RTNETLINK answers: Invalid argument
RTNETLINK answers: Invalid argument
RTNETLINK answers: Invalid argument
[   25.536116] IPv6: ADDRCONF(NETDEV_UP): bond0: link is not ready
[   25.542201] 8021q: adding VLAN 0 to HW filter on device bond0
[   25.586575] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
executing program
[   25.640736] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[   25.653132] ==================================================================
[   25.660546] BUG: KASAN: use-after-free in ip6_xmit+0x1f76/0x2260
[   25.666662] Read of size 8 at addr ffff8801cecbc918 by task syzkaller092022/4223
[   25.674164] 
[   25.675766] CPU: 1 PID: 4223 Comm: syzkaller092022 Not tainted 4.16.0-rc4+ #254
[   25.683188] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   25.692519] Call Trace:
[   25.695081]  dump_stack+0x194/0x24d
[   25.698691]  ? arch_local_irq_restore+0x53/0x53
[   25.703349]  ? show_regs_print_info+0x18/0x18
[   25.707831]  ? ip6_xmit+0x1f76/0x2260
[   25.711607]  print_address_description+0x73/0x250
[   25.716432]  ? ip6_xmit+0x1f76/0x2260
[   25.720220]  kasan_report+0x23c/0x360
[   25.724032]  __asan_report_load8_noabort+0x14/0x20
[   25.728938]  ip6_xmit+0x1f76/0x2260
[   25.732569]  ? ip6_finish_output2+0x23d0/0x23d0
[   25.737223]  ? fl6_update_dst+0x127/0x2b0
[   25.741345]  ? inet6_csk_route_socket+0x691/0xe80
[   25.746162]  ? trace_hardirqs_off+0x10/0x10
[   25.750459]  ? lock_acquire+0x1d5/0x580
[   25.754404]  ? lock_acquire+0x1d5/0x580
[   25.758358]  ? inet6_csk_xmit+0x114/0x580
[   25.762490]  ? trace_hardirqs_off+0x10/0x10
[   25.766789]  ? lock_release+0xa40/0xa40
[   25.770751]  inet6_csk_xmit+0x2fc/0x580
[   25.774698]  ? inet6_csk_update_pmtu+0x160/0x160
[   25.779428]  ? __sk_dst_check+0x1a5/0x380
[   25.783548]  ? sock_kzfree_s+0x60/0x60
[   25.787422]  l2tp_xmit_skb+0x105f/0x1410
[   25.791466]  ? l2tp_session_create+0xb80/0xb80
[   25.796030]  ? sock_wmalloc+0x15d/0x1d0
[   25.799981]  ? iov_iter_advance+0x13f0/0x13f0
[   25.804458]  ? pppol2tp_sendmsg+0x41b/0x670
[   25.808755]  pppol2tp_sendmsg+0x470/0x670
[   25.812878]  ? selinux_socket_sendmsg+0x36/0x40
[   25.817520]  ? pppol2tp_getsockopt+0x900/0x900
[   25.822075]  sock_sendmsg+0xca/0x110
[   25.825761]  ___sys_sendmsg+0x767/0x8b0
[   25.829710]  ? copy_msghdr_from_user+0x590/0x590
[   25.834444]  ? __pmd_alloc+0x4e0/0x4e0
[   25.838309]  ? selinux_socket_connect+0x311/0x730
[   25.843126]  ? trace_hardirqs_off+0x10/0x10
[   25.847422]  ? find_held_lock+0x35/0x1d0
[   25.851464]  ? __fget_light+0x2b2/0x3c0
[   25.855413]  ? fget_raw+0x20/0x20
[   25.858854]  ? __do_page_fault+0x5f7/0xc90
[   25.863061]  ? lock_downgrade+0x980/0x980
[   25.867189]  __sys_sendmsg+0xe5/0x210
[   25.870958]  ? __sys_sendmsg+0xe5/0x210
[   25.874903]  ? SyS_shutdown+0x290/0x290
[   25.878856]  ? __do_page_fault+0x3d6/0xc90
[   25.883073]  ? move_addr_to_kernel+0x60/0x60
[   25.887462]  SyS_sendmsg+0x2d/0x50
[   25.890972]  ? __sys_sendmsg+0x210/0x210
[   25.895006]  do_syscall_64+0x281/0x940
[   25.898871]  ? __do_page_fault+0xc90/0xc90
[   25.903076]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[   25.907803]  ? syscall_return_slowpath+0x550/0x550
[   25.912706]  ? syscall_return_slowpath+0x2ac/0x550
[   25.917608]  ? prepare_exit_to_usermode+0x350/0x350
[   25.922599]  ? retint_user+0x18/0x18
[   25.926290]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   25.931115]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[   25.936277] RIP: 0033:0x442cd9
[   25.939438] RSP: 002b:00007ffcf58e2608 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
[   25.947117] RAX: ffffffffffffffda RBX: 000000000000001a RCX: 0000000000442cd9
[   25.954371] RDX: 0000000000000081 RSI: 000000002037ffc8 RDI: 0000000000000004
[   25.961611] RBP: 00000000004a4da1 R08: 00000000004a4da1 R09: 00000000004a4da1
[   25.968858] R10: 00000000004a4da1 R11: 0000000000000246 R12: 00007ffcf58e26e0
[   25.976106] R13: 0000000000403a00 R14: 0000000000000000 R15: 0000000000000000
[   25.983363] 
[   25.984963] Allocated by task 4220:
[   25.988561]  save_stack+0x43/0xd0
[   25.991982]  kasan_kmalloc+0xad/0xe0
[   25.995663]  kasan_slab_alloc+0x12/0x20
[   25.999607]  kmem_cache_alloc+0x12e/0x760
[   26.003725]  dst_alloc+0x11f/0x1a0
[   26.007235]  rt_dst_alloc+0xe9/0x4e0
[   26.010919]  ip_route_output_key_hash_rcu+0xa59/0x2fe0
[   26.016165]  ip_route_output_key_hash+0x20b/0x370
[   26.020977]  __ip4_datagram_connect+0xa67/0x1240
[   26.025702]  __ip6_datagram_connect+0x749/0x12d0
[   26.030429]  ip6_datagram_connect+0x2f/0x50
[   26.034730]  inet_dgram_connect+0x16b/0x1f0
[   26.039030]  SYSC_connect+0x213/0x4a0
[   26.042803]  SyS_connect+0x24/0x30
[   26.046351]  do_syscall_64+0x281/0x940
[   26.050212]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[   26.055368] 
[   26.056966] Freed by task 0:
[   26.059955]  save_stack+0x43/0xd0
[   26.063377]  __kasan_slab_free+0x11a/0x170
[   26.067579]  kasan_slab_free+0xe/0x10
[   26.071349]  kmem_cache_free+0x83/0x2a0
[   26.075298]  dst_destroy+0x257/0x370
[   26.078985]  dst_destroy_rcu+0x16/0x20
[   26.082850]  rcu_process_callbacks+0xd6c/0x17f0
[   26.087489]  __do_softirq+0x2d7/0xb85
[   26.091259] 
[   26.092857] The buggy address belongs to the object at ffff8801cecbc900
[   26.092857]  which belongs to the cache ip_dst_cache of size 160
[   26.105567] The buggy address is located 24 bytes inside of
[   26.105567]  160-byte region [ffff8801cecbc900, ffff8801cecbc9a0)
[   26.117320] The buggy address belongs to the page:
[   26.122222] page:ffffea00073b2f00 count:1 mapcount:0 mapping:ffff8801cecbc000 index:0xffff8801cecbc000
[   26.131638] flags: 0x2fffc0000000100(slab)
[   26.135845] raw: 02fffc0000000100 ffff8801cecbc000 ffff8801cecbc000 000000010000000b
[   26.143698] raw: ffffea0006e17060 ffff8801d6bdc438 ffff8801d6bd71c0 0000000000000000
[   26.151547] page dumped because: kasan: bad access detected
[   26.157225] 
[   26.158822] Memory state around the buggy address:
[   26.163720]  ffff8801cecbc800: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   26.171048]  ffff8801cecbc880: 00 00 00 00 fc fc fc fc fc fc fc fc fc fc fc fc
[   26.178377] >ffff8801cecbc900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   26.185705]                             ^
[   26.189820]  ffff8801cecbc980: fb fb fb fb fc fc fc fc fc fc fc fc fc fc fc fc
[   26.197146]  ffff8801cecbca00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   26.204475] ==================================================================
[   26.211801] Disabling lock debugging due to kernel taint
[   26.217252] Kernel panic - not syncing: panic_on_warn set ...
[   26.217252] 
[   26.224594] CPU: 1 PID: 4223 Comm: syzkaller092022 Tainted: G    B            4.16.0-rc4+ #254
[   26.233312] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   26.242634] Call Trace:
[   26.245196]  dump_stack+0x194/0x24d
[   26.248793]  ? arch_local_irq_restore+0x53/0x53
[   26.253432]  ? kasan_end_report+0x32/0x50
[   26.257549]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[   26.262274]  ? vsnprintf+0x1ed/0x1900
[   26.266049]  ? ip6_xmit+0x1ec0/0x2260
[   26.269820]  panic+0x1e4/0x41c
[   26.272993]  ? refcount_error_report+0x214/0x214
[   26.277724]  ? add_taint+0x1c/0x50
[   26.281233]  ? add_taint+0x1c/0x50
[   26.284745]  ? ip6_xmit+0x1f76/0x2260
[   26.288514]  kasan_end_report+0x50/0x50
[   26.292456]  kasan_report+0x149/0x360
[   26.296227]  __asan_report_load8_noabort+0x14/0x20
[   26.301128]  ip6_xmit+0x1f76/0x2260
[   26.304733]  ? ip6_finish_output2+0x23d0/0x23d0
[   26.309373]  ? fl6_update_dst+0x127/0x2b0
[   26.313489]  ? inet6_csk_route_socket+0x691/0xe80
[   26.318306]  ? trace_hardirqs_off+0x10/0x10
[   26.322595]  ? lock_acquire+0x1d5/0x580
[   26.326537]  ? lock_acquire+0x1d5/0x580
[   26.330486]  ? inet6_csk_xmit+0x114/0x580
[   26.334611]  ? trace_hardirqs_off+0x10/0x10
[   26.338903]  ? lock_release+0xa40/0xa40
[   26.342857]  inet6_csk_xmit+0x2fc/0x580
[   26.346800]  ? inet6_csk_update_pmtu+0x160/0x160
[   26.351525]  ? __sk_dst_check+0x1a5/0x380
[   26.355646]  ? sock_kzfree_s+0x60/0x60
[   26.359511]  l2tp_xmit_skb+0x105f/0x1410
[   26.363548]  ? l2tp_session_create+0xb80/0xb80
[   26.368102]  ? sock_wmalloc+0x15d/0x1d0
[   26.372047]  ? iov_iter_advance+0x13f0/0x13f0
[   26.376514]  ? pppol2tp_sendmsg+0x41b/0x670
[   26.380807]  pppol2tp_sendmsg+0x470/0x670
[   26.384925]  ? selinux_socket_sendmsg+0x36/0x40
[   26.389569]  ? pppol2tp_getsockopt+0x900/0x900
[   26.394126]  sock_sendmsg+0xca/0x110
[   26.397809]  ___sys_sendmsg+0x767/0x8b0
[   26.401754]  ? copy_msghdr_from_user+0x590/0x590
[   26.406482]  ? __pmd_alloc+0x4e0/0x4e0
[   26.410339]  ? selinux_socket_connect+0x311/0x730
[   26.415151]  ? trace_hardirqs_off+0x10/0x10
[   26.419442]  ? find_held_lock+0x35/0x1d0
[   26.423474]  ? __fget_light+0x2b2/0x3c0
[   26.427429]  ? fget_raw+0x20/0x20
[   26.430867]  ? __do_page_fault+0x5f7/0xc90
[   26.435074]  ? lock_downgrade+0x980/0x980
[   26.439198]  __sys_sendmsg+0xe5/0x210
[   26.442968]  ? __sys_sendmsg+0xe5/0x210
[   26.446914]  ? SyS_shutdown+0x290/0x290
[   26.450864]  ? __do_page_fault+0x3d6/0xc90
[   26.455075]  ? move_addr_to_kernel+0x60/0x60
[   26.459455]  SyS_sendmsg+0x2d/0x50
[   26.462964]  ? __sys_sendmsg+0x210/0x210
[   26.467003]  do_syscall_64+0x281/0x940
[   26.470866]  ? __do_page_fault+0xc90/0xc90
[   26.475071]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[   26.479813]  ? syscall_return_slowpath+0x550/0x550
[   26.484722]  ? syscall_return_slowpath+0x2ac/0x550
[   26.489620]  ? prepare_exit_to_usermode+0x350/0x350
[   26.494609]  ? retint_user+0x18/0x18
[   26.498293]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   26.503123]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[   26.508280] RIP: 0033:0x442cd9
[   26.511439] RSP: 002b:00007ffcf58e2608 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
[   26.519115] RAX: ffffffffffffffda RBX: 000000000000001a RCX: 0000000000442cd9
[   26.526356] RDX: 0000000000000081 RSI: 000000002037ffc8 RDI: 0000000000000004
[   26.533593] RBP: 00000000004a4da1 R08: 00000000004a4da1 R09: 00000000004a4da1
[   26.540840] R10: 00000000004a4da1 R11: 0000000000000246 R12: 00007ffcf58e26e0
[   26.548081] R13: 0000000000403a00 R14: 0000000000000000 R15: 0000000000000000
[   26.555745] Dumping ftrace buffer:
[   26.559275]    (ftrace buffer empty)
[   26.562957] Kernel Offset: disabled
[   26.566552] Rebooting in 86400 seconds..