[....] Starting enhanced syslogd: rsyslogd
[ 16.714361] audit: type=1400 audit(1521057943.908:5): avc: denied { syslog } for pid=4087 comm="rsyslogd" capability=34 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=capability2 permissive=1
[ ok ].
Starting mcstransd:
[....] Starting periodic command scheduler: cron [ ok ].
[....] Starting file context maintaining daemon: restorecond [ ok ].
[....] Starting OpenBSD Secure Shell server: sshd [ ok ].

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [ 19.014091] audit: type=1400 audit(1521057946.207:6): avc: denied { map } for pid=4227 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
Warning: Permanently added '10.128.0.36' (ECDSA) to the list of known hosts.
executing program
[ 25.365313] audit: type=1400 audit(1521057952.559:7): avc: denied { map } for pid=4241 comm="syzkaller443377" path="/root/syzkaller443377014" dev="sda1" ino=16481 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
[ 25.371234] ==================================================================
[ 25.398589] BUG: KASAN: use-after-free in ip6_xmit+0x1f76/0x2260
[ 25.404707] Read of size 8 at addr ffff8801cb841b18 by task syzkaller443377/4241
[ 25.412209]
[ 25.413814] CPU: 0 PID: 4241 Comm: syzkaller443377 Not tainted 4.16.0-rc5+ #353
[ 25.421230] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 25.430551] Call Trace:
[ 25.433110]  dump_stack+0x194/0x24d
[ 25.436713]  ? arch_local_irq_restore+0x53/0x53
[ 25.441352]  ? show_regs_print_info+0x18/0x18
[ 25.445826]  ? ip6_xmit+0x1f76/0x2260
[ 25.449599]  print_address_description+0x73/0x250
[ 25.454449]  ? ip6_xmit+0x1f76/0x2260
[ 25.458220]  kasan_report+0x23c/0x360
[ 25.461996]  __asan_report_load8_noabort+0x14/0x20
[ 25.466902]  ip6_xmit+0x1f76/0x2260
[ 25.470511]  ? ip6_finish_output2+0x23a0/0x23a0
[ 25.475153]  ? fl6_update_dst+0x127/0x2b0
[ 25.479274]  ? inet6_csk_route_socket+0x691/0xe80
[ 25.484093]  ? trace_hardirqs_off+0x10/0x10
[ 25.488384]  ? lock_acquire+0x1d5/0x580
[ 25.492328]  ? lock_acquire+0x1d5/0x580
[ 25.496273]  ? inet6_csk_xmit+0x114/0x580
[ 25.500394]  ? trace_hardirqs_off+0x10/0x10
[ 25.504689]  ? lock_release+0xa40/0xa40
[ 25.508648]  inet6_csk_xmit+0x2fc/0x580
[ 25.512595]  ? inet6_csk_update_pmtu+0x160/0x160
[ 25.517320]  ? __sk_dst_check+0x1a5/0x380
[ 25.521440]  ? sock_kfree_s+0x60/0x60
[ 25.525229]  l2tp_xmit_skb+0x105f/0x1410
[ 25.529270]  ? l2tp_session_create+0xb80/0xb80
[ 25.533834]  ? sock_wmalloc+0x15d/0x1d0
[ 25.537779]  ? iov_iter_advance+0x13f0/0x13f0
[ 25.542247]  ? pppol2tp_sendmsg+0x41b/0x670
[ 25.546540]  pppol2tp_sendmsg+0x470/0x670
[ 25.550661]  ? selinux_socket_sendmsg+0x36/0x40
[ 25.555304]  ? pppol2tp_getsockopt+0x900/0x900
[ 25.559858]  sock_sendmsg+0xca/0x110
[ 25.563543]  SYSC_sendto+0x361/0x5c0
[ 25.567231]  ? SYSC_connect+0x4a0/0x4a0
[ 25.571185]  ? inet_dgram_connect+0x172/0x1f0
[ 25.575653]  ? SYSC_connect+0x2e0/0x4a0
[ 25.579624]  ? mm_fault_error+0x2c0/0x2c0
[ 25.583746]  ? move_addr_to_kernel+0x60/0x60
[ 25.588132]  SyS_sendto+0x40/0x50
[ 25.591556]  ? SyS_getpeername+0x30/0x30
[ 25.595589]  do_syscall_64+0x281/0x940
[ 25.599460]  ? __do_page_fault+0xc90/0xc90
[ 25.603669]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 25.608400]  ? syscall_return_slowpath+0x550/0x550
[ 25.613303]  ? syscall_return_slowpath+0x2ac/0x550
[ 25.618205]  ? prepare_exit_to_usermode+0x350/0x350
[ 25.623194]  ? entry_SYSCALL_64_after_hwframe+0x52/0xb7
[ 25.628532]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 25.633351]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 25.638511] RIP: 0033:0x4401b9
[ 25.641671] RSP: 002b:00007ffd8ef040e8 EFLAGS: 00000212 ORIG_RAX: 000000000000002c
[ 25.649348] RAX: ffffffffffffffda RBX: 00007ffd8ef04110 RCX: 00000000004401b9
[ 25.656586] RDX: 0000000000000000 RSI: 0000000020001180 RDI: 0000000000000004
[ 25.663827] RBP: 00000000006cb018 R08: 00000000200021c0 R09: 0000000000000080
[ 25.671069] R10: 0000000000040001 R11: 0000000000000212 R12: 00000000004019f0
[ 25.678307] R13: 0000000000401a80 R14: 0000000000000000 R15: 0000000000000000
[ 25.685564]
[ 25.687164] Allocated by task 4228:
[ 25.690761]  save_stack+0x43/0xd0
[ 25.694183]  kasan_kmalloc+0xad/0xe0
[ 25.697863]  kasan_slab_alloc+0x12/0x20
[ 25.701809]  kmem_cache_alloc+0x12e/0x760
[ 25.705925]  dst_alloc+0x11f/0x1a0
[ 25.709435]  rt_dst_alloc+0xe9/0x520
[ 25.713121]  ip_route_output_key_hash_rcu+0xa59/0x2f00
[ 25.718364]  ip_route_output_key_hash+0x20b/0x370
[ 25.723175]  __ip4_datagram_connect+0xa67/0x1240
[ 25.727901]  __ip6_datagram_connect+0x749/0x12d0
[ 25.732625]  ip6_datagram_connect+0x2f/0x50
[ 25.736917]  inet_dgram_connect+0x16b/0x1f0
[ 25.741210]  SYSC_connect+0x213/0x4a0
[ 25.744978]  SyS_connect+0x24/0x30
[ 25.748487]  do_syscall_64+0x281/0x940
[ 25.752346]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 25.757503]
[ 25.759100] Freed by task 0:
[ 25.762092]  save_stack+0x43/0xd0
[ 25.765516]  __kasan_slab_free+0x11a/0x170
[ 25.769721]  kasan_slab_free+0xe/0x10
[ 25.773668]  kmem_cache_free+0x83/0x2a0
[ 25.777623]  dst_destroy+0x257/0x370
[ 25.781305]  dst_destroy_rcu+0x16/0x20
[ 25.785164]  rcu_process_callbacks+0xd6c/0x17f0
[ 25.789804]  __do_softirq+0x2d7/0xb85
[ 25.793569]
[ 25.795166] The buggy address belongs to the object at ffff8801cb841b00
[ 25.795166]  which belongs to the cache ip_dst_cache of size 168
[ 25.807875] The buggy address is located 24 bytes inside of
[ 25.807875]  168-byte region [ffff8801cb841b00, ffff8801cb841ba8)
[ 25.819626] The buggy address belongs to the page:
[ 25.824524] page:ffffea00072e1040 count:1 mapcount:0 mapping:ffff8801cb841000 index:0xffff8801cb841000
[ 25.833939] flags: 0x2fffc0000000100(slab)
[ 25.838143] raw: 02fffc0000000100 ffff8801cb841000 ffff8801cb841000 000000010000000c
[ 25.845995] raw: ffffea00072f5120 ffff8801d6bc7638 ffff8801d6bc61c0 0000000000000000
[ 25.853851] page dumped because: kasan: bad access detected
[ 25.859527]
[ 25.861123] Memory state around the buggy address:
[ 25.866028]  ffff8801cb841a00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 25.873355]  ffff8801cb841a80: 00 00 00 00 00 fc fc fc fc fc fc fc fc fc fc fc
[ 25.880683] >ffff8801cb841b00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 25.888012]                             ^
[ 25.892134]  ffff8801cb841b80: fb fb fb fb fb fc fc fc fc fc fc fc fc fc fc fc
[ 25.899461]  ffff8801cb841c00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 25.906785] ==================================================================
[ 25.914110] Disabling lock debugging due to kernel taint
[ 25.919564] Kernel panic - not syncing: panic_on_warn set ...
[ 25.919564]
[ 25.926902] CPU: 0 PID: 4241 Comm: syzkaller443377 Tainted: G B 4.16.0-rc5+ #353
[ 25.935619] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 25.944940] Call Trace:
[ 25.947497]  dump_stack+0x194/0x24d
[ 25.951096]  ? arch_local_irq_restore+0x53/0x53
[ 25.955733]  ? kasan_end_report+0x32/0x50
[ 25.959853]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 25.964583]  ? vsnprintf+0x1ed/0x1900
[ 25.968357]  ? ip6_xmit+0x1f30/0x2260
[ 25.972126]  panic+0x1e4/0x41c
[ 25.975291]  ? refcount_error_report+0x214/0x214
[ 25.980023]  ? add_taint+0x1c/0x50
[ 25.983534]  ? add_taint+0x1c/0x50
[ 25.987050]  ? ip6_xmit+0x1f76/0x2260
[ 25.990822]  kasan_end_report+0x50/0x50
[ 25.994765]  kasan_report+0x149/0x360
[ 25.998536]  __asan_report_load8_noabort+0x14/0x20
[ 26.003441]  ip6_xmit+0x1f76/0x2260
[ 26.007044]  ? ip6_finish_output2+0x23a0/0x23a0
[ 26.011687]  ? fl6_update_dst+0x127/0x2b0
[ 26.015807]  ? inet6_csk_route_socket+0x691/0xe80
[ 26.020622]  ? trace_hardirqs_off+0x10/0x10
[ 26.024914]  ? lock_acquire+0x1d5/0x580
[ 26.028854]  ? lock_acquire+0x1d5/0x580
[ 26.032794]  ? inet6_csk_xmit+0x114/0x580
[ 26.036910]  ? trace_hardirqs_off+0x10/0x10
[ 26.041202]  ? lock_release+0xa40/0xa40
[ 26.045156]  inet6_csk_xmit+0x2fc/0x580
[ 26.049097]  ? inet6_csk_update_pmtu+0x160/0x160
[ 26.053824]  ? __sk_dst_check+0x1a5/0x380
[ 26.057944]  ? sock_kfree_s+0x60/0x60
[ 26.061723]  l2tp_xmit_skb+0x105f/0x1410
[ 26.065767]  ? l2tp_session_create+0xb80/0xb80
[ 26.070321]  ? sock_wmalloc+0x15d/0x1d0
[ 26.074267]  ? iov_iter_advance+0x13f0/0x13f0
[ 26.078732]  ? pppol2tp_sendmsg+0x41b/0x670
[ 26.083026]  pppol2tp_sendmsg+0x470/0x670
[ 26.087147]  ? selinux_socket_sendmsg+0x36/0x40
[ 26.091785]  ? pppol2tp_getsockopt+0x900/0x900
[ 26.096336]  sock_sendmsg+0xca/0x110
[ 26.100022]  SYSC_sendto+0x361/0x5c0
[ 26.103706]  ? SYSC_connect+0x4a0/0x4a0
[ 26.107656]  ? inet_dgram_connect+0x172/0x1f0
[ 26.112130]  ? SYSC_connect+0x2e0/0x4a0
[ 26.116098]  ? mm_fault_error+0x2c0/0x2c0
[ 26.120234]  ? move_addr_to_kernel+0x60/0x60
[ 26.124612]  SyS_sendto+0x40/0x50
[ 26.128038]  ? SyS_getpeername+0x30/0x30
[ 26.132069]  do_syscall_64+0x281/0x940
[ 26.135925]  ? __do_page_fault+0xc90/0xc90
[ 26.140127]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 26.144852]  ? syscall_return_slowpath+0x550/0x550
[ 26.149753]  ? syscall_return_slowpath+0x2ac/0x550
[ 26.154650]  ? prepare_exit_to_usermode+0x350/0x350
[ 26.159637]  ? entry_SYSCALL_64_after_hwframe+0x52/0xb7
[ 26.164991]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 26.169820]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 26.174981] RIP: 0033:0x4401b9
[ 26.178147] RSP: 002b:00007ffd8ef040e8 EFLAGS: 00000212 ORIG_RAX: 000000000000002c
[ 26.185824] RAX: ffffffffffffffda RBX: 00007ffd8ef04110 RCX: 00000000004401b9
[ 26.193062] RDX: 0000000000000000 RSI: 0000000020001180 RDI: 0000000000000004
[ 26.200299] RBP: 00000000006cb018 R08: 00000000200021c0 R09: 0000000000000080
[ 26.207535] R10: 0000000000040001 R11: 0000000000000212 R12: 00000000004019f0
[ 26.214776] R13: 0000000000401a80 R14: 0000000000000000 R15: 0000000000000000
[ 26.222456] Dumping ftrace buffer:
[ 26.225974]    (ftrace buffer empty)
[ 26.229651] Kernel Offset: disabled
[ 26.233247] Rebooting in 86400 seconds..