[ ok ] Starting enhanced syslogd: rsyslogd.
[   16.540759] audit: type=1400 audit(1520823134.371:5): avc: denied { syslog } for pid=4073 comm="rsyslogd" capability=34 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=capability2 permissive=1
[ ok ] Starting periodic command scheduler: cron.
Starting mcstransd:
[ ok ] Starting file context maintaining daemon: restorecond.
[ ok ] Starting OpenBSD Secure Shell server: sshd.

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [  199.443850] audit: type=1400 audit(1520823317.274:6): avc: denied { map } for pid=4217 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
Warning: Permanently added '10.128.0.21' (ECDSA) to the list of known hosts.
executing program
[  205.555510] audit: type=1400 audit(1520823323.386:7): avc: denied { map } for pid=4229 comm="syzkaller020576" path="/root/syzkaller020576072" dev="sda1" ino=16481 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
[  205.559145] ==================================================================
[  205.588826] BUG: KASAN: use-after-free in ip6_xmit+0x1f76/0x2260
[  205.594940] Read of size 8 at addr ffff8801bcb29d18 by task syzkaller020576/4229
[  205.602439]
[  205.604040] CPU: 1 PID: 4229 Comm: syzkaller020576 Not tainted 4.16.0-rc4+ #350
[  205.611453] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[  205.620775] Call Trace:
[  205.623336]  dump_stack+0x194/0x24d
[  205.626938]  ? arch_local_irq_restore+0x53/0x53
[  205.631580]  ? show_regs_print_info+0x18/0x18
[  205.636054]  ? ip6_xmit+0x1f76/0x2260
[  205.639842]  print_address_description+0x73/0x250
[  205.644655]  ? ip6_xmit+0x1f76/0x2260
[  205.648430]  kasan_report+0x23c/0x360
[  205.652204]  __asan_report_load8_noabort+0x14/0x20
[  205.657102]  ip6_xmit+0x1f76/0x2260
[  205.660712]  ? ip6_finish_output2+0x23a0/0x23a0
[  205.665355]  ? fl6_update_dst+0x127/0x2b0
[  205.669476]  ? inet6_csk_route_socket+0x691/0xe80
[  205.674292]  ? trace_hardirqs_off+0x10/0x10
[  205.678585]  ? lock_acquire+0x1d5/0x580
[  205.682530]  ? lock_acquire+0x1d5/0x580
[  205.686475]  ? inet6_csk_xmit+0x114/0x580
[  205.690594]  ? trace_hardirqs_off+0x10/0x10
[  205.694888]  ? lock_release+0xa40/0xa40
[  205.698849]  inet6_csk_xmit+0x2fc/0x580
[  205.702796]  ? inet6_csk_update_pmtu+0x160/0x160
[  205.707526]  ? __sk_dst_check+0x1a5/0x380
[  205.711645]  ? sock_kfree_s+0x60/0x60
[  205.715437]  l2tp_xmit_skb+0x105f/0x1410
[  205.719478]  ? l2tp_session_create+0xb80/0xb80
[  205.724030]  ? sock_wmalloc+0x15d/0x1d0
[  205.727977]  ? iov_iter_advance+0x13f0/0x13f0
[  205.732448]  ? pppol2tp_sendmsg+0x41b/0x670
[  205.736744]  pppol2tp_sendmsg+0x470/0x670
[  205.740862]  ? selinux_socket_sendmsg+0x36/0x40
[  205.745502]  ? pppol2tp_getsockopt+0x900/0x900
[  205.750057]  sock_sendmsg+0xca/0x110
[  205.753742]  SYSC_sendto+0x361/0x5c0
[  205.757428]  ? SYSC_connect+0x4a0/0x4a0
[  205.761380]  ? inet_dgram_connect+0x172/0x1f0
[  205.765855]  ? SYSC_connect+0x2e0/0x4a0
[  205.769826]  ? mm_fault_error+0x2c0/0x2c0
[  205.773947]  ? move_addr_to_kernel+0x60/0x60
[  205.778328]  SyS_sendto+0x40/0x50
[  205.781754]  ? SyS_getpeername+0x30/0x30
[  205.785788]  do_syscall_64+0x281/0x940
[  205.789645]  ? __do_page_fault+0xc90/0xc90
[  205.793849]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[  205.798577]  ? syscall_return_slowpath+0x550/0x550
[  205.803478]  ? syscall_return_slowpath+0x2ac/0x550
[  205.808379]  ? prepare_exit_to_usermode+0x350/0x350
[  205.813369]  ? entry_SYSCALL_64_after_hwframe+0x52/0xb7
[  205.818706]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[  205.823522]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[  205.828681] RIP: 0033:0x43ff49
[  205.831839] RSP: 002b:00007ffeeaeb0088 EFLAGS: 00000212 ORIG_RAX: 000000000000002c
[  205.839515] RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 000000000043ff49
[  205.846754] RDX: 0000000000000000 RSI: 0000000020001180 RDI: 0000000000000004
[  205.853996] RBP: 00000000006ca018 R08: 00000000200021c0 R09: 0000000000000080
[  205.861236] R10: 0000000000040001 R11: 0000000000000212 R12: 0000000000401870
[  205.868477] R13: 0000000000401900 R14: 0000000000000000 R15: 0000000000000000
[  205.875730]
[  205.877329] Allocated by task 4221:
[  205.880925]  save_stack+0x43/0xd0
[  205.884346]  kasan_kmalloc+0xad/0xe0
[  205.888026]  kasan_slab_alloc+0x12/0x20
[  205.891971]  kmem_cache_alloc+0x12e/0x760
[  205.896090]  dst_alloc+0x11f/0x1a0
[  205.899600]  rt_dst_alloc+0xe9/0x520
[  205.903281]  ip_route_output_key_hash_rcu+0xa59/0x2f00
[  205.908524]  ip_route_output_key_hash+0x20b/0x370
[  205.913335]  __ip4_datagram_connect+0xa67/0x1240
[  205.918061]  __ip6_datagram_connect+0x749/0x12d0
[  205.922783]  ip6_datagram_connect+0x2f/0x50
[  205.927077]  inet_dgram_connect+0x16b/0x1f0
[  205.931367]  SYSC_connect+0x213/0x4a0
[  205.935136]  SyS_connect+0x24/0x30
[  205.938647]  do_syscall_64+0x281/0x940
[  205.942504]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[  205.947659]
[  205.949256] Freed by task 4221:
[  205.952505]  save_stack+0x43/0xd0
[  205.955925]  __kasan_slab_free+0x11a/0x170
[  205.960126]  kasan_slab_free+0xe/0x10
[  205.963894]  kmem_cache_free+0x83/0x2a0
[  205.967837]  dst_destroy+0x257/0x370
[  205.971518]  dst_destroy_rcu+0x16/0x20
[  205.975375]  rcu_process_callbacks+0xd6c/0x17f0
[  205.980012]  __do_softirq+0x2d7/0xb85
[  205.983776]
[  205.985375] The buggy address belongs to the object at ffff8801bcb29d00
[  205.985375]  which belongs to the cache ip_dst_cache of size 168
[  205.998086] The buggy address is located 24 bytes inside of
[  205.998086]  168-byte region [ffff8801bcb29d00, ffff8801bcb29da8)
[  206.009840] The buggy address belongs to the page:
[  206.014735] page:ffffea0006f2ca40 count:1 mapcount:0 mapping:ffff8801bcb29000 index:0xffff8801bcb29900
[  206.024147] flags: 0x2fffc0000000100(slab)
[  206.028351] raw: 02fffc0000000100 ffff8801bcb29000 ffff8801bcb29900 000000010000000c
[  206.036203] raw: ffffea0006eeab60 ffff8801d6fdf338 ffff8801d54344c0 0000000000000000
[  206.044052] page dumped because: kasan: bad access detected
[  206.049728]
[  206.051323] Memory state around the buggy address:
[  206.056218]  ffff8801bcb29c00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[  206.063546]  ffff8801bcb29c80: 00 00 00 00 00 fc fc fc fc fc fc fc fc fc fc fc
[  206.070875] >ffff8801bcb29d00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[  206.078206]                             ^
[  206.082322]  ffff8801bcb29d80: fb fb fb fb fb fc fc fc fc fc fc fc fc fc fc fc
[  206.089647]  ffff8801bcb29e00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[  206.096970] ==================================================================
[  206.104294] Disabling lock debugging due to kernel taint
[  206.109750] Kernel panic - not syncing: panic_on_warn set ...
[  206.109750]
[  206.117083] CPU: 1 PID: 4229 Comm: syzkaller020576 Tainted: G    B            4.16.0-rc4+ #350
[  206.125798] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[  206.135119] Call Trace:
[  206.137678]  dump_stack+0x194/0x24d
[  206.141273]  ? arch_local_irq_restore+0x53/0x53
[  206.145911]  ? kasan_end_report+0x32/0x50
[  206.150030]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[  206.154752]  ? vsnprintf+0x1ed/0x1900
[  206.158524]  ? ip6_xmit+0x1f30/0x2260
[  206.162293]  panic+0x1e4/0x41c
[  206.165454]  ? refcount_error_report+0x214/0x214
[  206.170178]  ? add_taint+0x1c/0x50
[  206.173689]  ? add_taint+0x1c/0x50
[  206.177208]  ? ip6_xmit+0x1f76/0x2260
[  206.180977]  kasan_end_report+0x50/0x50
[  206.184920]  kasan_report+0x149/0x360
[  206.188691]  __asan_report_load8_noabort+0x14/0x20
[  206.193586]  ip6_xmit+0x1f76/0x2260
[  206.197189]  ? ip6_finish_output2+0x23a0/0x23a0
[  206.201826]  ? fl6_update_dst+0x127/0x2b0
[  206.205942]  ? inet6_csk_route_socket+0x691/0xe80
[  206.210753]  ? trace_hardirqs_off+0x10/0x10
[  206.215041]  ? lock_acquire+0x1d5/0x580
[  206.218982]  ? lock_acquire+0x1d5/0x580
[  206.222924]  ? inet6_csk_xmit+0x114/0x580
[  206.227040]  ? trace_hardirqs_off+0x10/0x10
[  206.231330]  ? lock_release+0xa40/0xa40
[  206.235280]  inet6_csk_xmit+0x2fc/0x580
[  206.239225]  ? inet6_csk_update_pmtu+0x160/0x160
[  206.243949]  ? __sk_dst_check+0x1a5/0x380
[  206.248067]  ? sock_kfree_s+0x60/0x60
[  206.251845]  l2tp_xmit_skb+0x105f/0x1410
[  206.255879]  ? l2tp_session_create+0xb80/0xb80
[  206.260430]  ? sock_wmalloc+0x15d/0x1d0
[  206.264372]  ? iov_iter_advance+0x13f0/0x13f0
[  206.268836]  ? pppol2tp_sendmsg+0x41b/0x670
[  206.273127]  pppol2tp_sendmsg+0x470/0x670
[  206.277245]  ? selinux_socket_sendmsg+0x36/0x40
[  206.281882]  ? pppol2tp_getsockopt+0x900/0x900
[  206.286432]  sock_sendmsg+0xca/0x110
[  206.290115]  SYSC_sendto+0x361/0x5c0
[  206.293796]  ? SYSC_connect+0x4a0/0x4a0
[  206.297744]  ? inet_dgram_connect+0x172/0x1f0
[  206.302209]  ? SYSC_connect+0x2e0/0x4a0
[  206.306166]  ? mm_fault_error+0x2c0/0x2c0
[  206.310290]  ? move_addr_to_kernel+0x60/0x60
[  206.314666]  SyS_sendto+0x40/0x50
[  206.318088]  ? SyS_getpeername+0x30/0x30
[  206.322119]  do_syscall_64+0x281/0x940
[  206.325972]  ? __do_page_fault+0xc90/0xc90
[  206.330177]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[  206.334901]  ? syscall_return_slowpath+0x550/0x550
[  206.339797]  ? syscall_return_slowpath+0x2ac/0x550
[  206.344692]  ? prepare_exit_to_usermode+0x350/0x350
[  206.349676]  ? entry_SYSCALL_64_after_hwframe+0x52/0xb7
[  206.355007]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[  206.359823]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[  206.364981] RIP: 0033:0x43ff49
[  206.368139] RSP: 002b:00007ffeeaeb0088 EFLAGS: 00000212 ORIG_RAX: 000000000000002c
[  206.375813] RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 000000000043ff49
[  206.383053] RDX: 0000000000000000 RSI: 0000000020001180 RDI: 0000000000000004
[  206.390290] RBP: 00000000006ca018 R08: 00000000200021c0 R09: 0000000000000080
[  206.397528] R10: 0000000000040001 R11: 0000000000000212 R12: 0000000000401870
[  206.404767] R13: 0000000000401900 R14: 0000000000000000 R15: 0000000000000000
[  206.412362] Dumping ftrace buffer:
[  206.415871]    (ftrace buffer empty)
[  206.419550] Kernel Offset: disabled
[  206.423145] Rebooting in 86400 seconds..