[....] Starting enhanced syslogd: rsyslogd
[ 11.178848] audit: type=1400 audit(1514718165.047:5): avc: denied { syslog } for pid=3041 comm="rsyslogd" capability=34 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=capability2 permissive=1
[ ok ].
[....] Starting periodic command scheduler: cron [ ok ].
Starting mcstransd:
[....] Starting file context maintaining daemon: restorecond [ ok ].
[....] Starting OpenBSD Secure Shell server: sshd [ ok ].
Debian GNU/Linux 7 syzkaller ttyS0
syzkaller login:
[ 15.790007] audit: type=1400 audit(1514718169.658:6): avc: denied { map } for pid=3180 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
Warning: Permanently added '10.128.15.211' (ECDSA) to the list of known hosts.
executing program
[ 21.987261] audit: type=1400 audit(1514718175.856:7): avc: denied { map } for pid=3194 comm="syzkaller943459" path="/root/syzkaller943459292" dev="sda1" ino=16481 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
Reviewer note: the three "avc: denied" records above come from a SELinux policy running in permissive mode (permissive=1), so nothing was actually blocked; they are boot/exec noise from the fuzzing VM, and nothing in the KASAN report below refers back to them.
[ 21.992282] ==================================================================
[ 21.992304] BUG: KASAN: use-after-free in ip6_xmit+0x2036/0x2080
[ 21.992310] Read of size 8 at addr ffff8801d13dae18 by task syzkaller943459/3194
[ 21.992312]
[ 21.992319] CPU: 1 PID: 3194 Comm: syzkaller943459 Not tainted 4.15.0-rc5+ #170
[ 21.992323] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 21.992326] Call Trace:
[ 21.992337] dump_stack+0x194/0x257
[ 21.992350] ? arch_local_irq_restore+0x53/0x53
[ 21.992361] ? show_regs_print_info+0x18/0x18
[ 21.992378] ? ip6_xmit+0x2036/0x2080
[ 21.992389] print_address_description+0x73/0x250
[ 21.992398] ?
ip6_xmit+0x2036/0x2080
[ 21.992407] kasan_report+0x25b/0x340
[ 21.992422] __asan_report_load8_noabort+0x14/0x20
[ 21.992429] ip6_xmit+0x2036/0x2080
[ 21.992437] ? __sk_dst_check+0x1a5/0x380
[ 21.992463] ? ip6_finish_output2+0x2390/0x2390
[ 21.992475] ? fl6_update_dst+0x127/0x2b0
[ 21.992486] ? check_noncircular+0x20/0x20
[ 21.992493] ? inet6_csk_route_socket+0x691/0xe80
[ 21.992507] ? lock_acquire+0x1d5/0x580
[ 21.992512] ? memcpy+0x45/0x50
[ 21.992518] ? lock_acquire+0x1d5/0x580
[ 21.992525] ? inet6_csk_xmit+0x114/0x580
[ 21.992542] ? lock_release+0xa40/0xa40
[ 21.992555] ? __lock_is_held+0xb6/0x140
[ 21.992581] inet6_csk_xmit+0x2fc/0x580
[ 21.992592] ? inet6_csk_update_pmtu+0x160/0x160
[ 21.992605] ? rt_cpu_seq_show+0x2c0/0x2c0
[ 21.992615] ? refcount_add_not_zero+0x133/0x200
[ 21.992649] tcp_transmit_skb+0x1b12/0x38b0
[ 21.992679] ? __tcp_select_window+0x900/0x900
[ 21.992687] ? tcp_fastopen_cache_get+0x449/0x720
[ 21.992699] ? tcp_peer_is_proven+0xc60/0xc60
[ 21.992713] ? __lock_is_held+0xb6/0x140
[ 21.992744] ? tcp_try_fastopen+0x1b50/0x1b50
[ 21.992758] ? tcp_init_transfer+0x3d0/0x3d0
[ 21.992779] ? tcp_rbtree_insert+0x135/0x190
[ 21.992795] tcp_connect+0x1ed5/0x4090
[ 21.992822] ? tcp_push_one+0xf0/0xf0
[ 21.992829] ? lock_downgrade+0x947/0x980
[ 21.992854] ? pvclock_read_flags+0x160/0x160
[ 21.992862] ? mark_held_locks+0xaf/0x100
[ 21.992868] ? ip_route_output_key_hash+0x229/0x370
[ 21.992878] ? ktime_get_with_offset+0x188/0x420
[ 21.992894] ? kvm_clock_get_cycles+0x25/0x30
[ 21.992901] ? ktime_get_with_offset+0x2c1/0x420
[ 21.992917] ? do_gettimeofday+0x190/0x190
[ 21.992935] ? tcp_fastopen_defer_connect+0x163/0x4a0
[ 21.992941] ? ip_route_output_key_hash+0x252/0x370
[ 21.992954] ? siphash_1u64+0x18/0x270
[ 21.992989] tcp_v4_connect+0x15ef/0x1e70
[ 21.992995] ? SyS_sendto+0x40/0x50
[ 21.993031] ? tcp_v4_inbound_md5_hash+0x510/0x510
[ 21.993041] ? __lock_is_held+0xb6/0x140
[ 21.993059] __inet_stream_connect+0x2d4/0xf00
[ 21.993078] ?
inet_bind+0x910/0x910
[ 21.993099] ? tcp_sendmsg_locked+0x1f56/0x3c40
[ 21.993106] ? rcu_read_lock_sched_held+0x108/0x120
[ 21.993114] ? kmem_cache_alloc_trace+0x456/0x750
[ 21.993122] ? __thp_get_unmapped_area+0x130/0x130
[ 21.993129] ? __lock_acquire+0x664/0x3e00
[ 21.993136] ? __lock_acquire+0x664/0x3e00
[ 21.993155] tcp_sendmsg_locked+0x2624/0x3c40
[ 21.993175] ? avc_has_perm+0x35e/0x680
[ 21.993184] ? lock_downgrade+0x980/0x980
[ 21.993197] ? lock_release+0xa40/0xa40
[ 21.993211] ? sock_common_setsockopt+0x95/0xd0
[ 21.993217] ? SyS_setsockopt+0x189/0x360
[ 21.993229] ? tcp_sendpage+0x60/0x60
[ 21.993261] ? print_irqtrace_events+0x270/0x270
[ 21.993267] ? find_held_lock+0x35/0x1d0
[ 21.993285] ? lock_acquire+0x1d5/0x580
[ 21.993290] ? lock_sock_nested+0xa3/0x110
[ 21.993296] ? lock_acquire+0x1d5/0x580
[ 21.993302] ? tcp_sendmsg+0x21/0x50
[ 21.993326] ? mark_held_locks+0xaf/0x100
[ 21.993333] ? do_raw_spin_trylock+0x190/0x190
[ 21.993343] ? __local_bh_enable_ip+0x121/0x230
[ 21.993354] ? trace_hardirqs_on_caller+0x421/0x5c0
[ 21.993360] ? lock_sock_nested+0x91/0x110
[ 21.993367] ? trace_hardirqs_on+0xd/0x10
[ 21.993375] ? __local_bh_enable_ip+0x121/0x230
[ 21.993392] tcp_sendmsg+0x2f/0x50
[ 21.993402] inet_sendmsg+0x11f/0x5e0
[ 21.993410] ? __might_sleep+0x95/0x190
[ 21.993419] ? inet_recvmsg+0x5f0/0x5f0
[ 21.993429] ? selinux_socket_sendmsg+0x36/0x40
[ 21.993439] ? security_socket_sendmsg+0x89/0xb0
[ 21.993446] ? inet_recvmsg+0x5f0/0x5f0
[ 21.993457] sock_sendmsg+0xca/0x110
[ 21.993469] SYSC_sendto+0x361/0x5c0
[ 21.993483] ? SYSC_connect+0x4a0/0x4a0
[ 21.993492] ? up_read+0x1a/0x40
[ 21.993501] ? __do_page_fault+0x3d6/0xc90
[ 21.993546] ? __do_page_fault+0xc90/0xc90
[ 21.993561] ? SyS_setsockopt+0x215/0x360
[ 21.993576] ? SyS_recv+0x40/0x40
[ 21.993586] ?
entry_SYSCALL_64_fastpath+0x5/0x96
[ 21.993606] SyS_sendto+0x40/0x50
[ 21.993620] entry_SYSCALL_64_fastpath+0x1f/0x96
[ 21.993626] RIP: 0033:0x43fda9
[ 21.993630] RSP: 002b:00007ffdeebd2798 EFLAGS: 00000217 ORIG_RAX: 000000000000002c
[ 21.993638] RAX: ffffffffffffffda RBX: ffffffffffffffff RCX: 000000000043fda9
[ 21.993642] RDX: 0000000000000000 RSI: 0000000020aa1000 RDI: 0000000000000003
[ 21.993646] RBP: 00000000006ca018 R08: 0000000020aa1000 R09: 0000000000000010
[ 21.993650] R10: 0000000023ffffff R11: 0000000000000217 R12: 0000000000401710
[ 21.993653] R13: 00000000004017a0 R14: 0000000000000000 R15: 0000000000000000
[ 21.993681]
[ 21.993685] Allocated by task 3125:
[ 21.993691] save_stack+0x43/0xd0
[ 21.993696] kasan_kmalloc+0xad/0xe0
[ 21.993701] kasan_slab_alloc+0x12/0x20
[ 21.993706] kmem_cache_alloc+0x12e/0x760
[ 21.993712] dst_alloc+0x11f/0x1a0
[ 21.993717] rt_dst_alloc+0xe9/0x520
[ 21.993723] ip_route_output_key_hash_rcu+0xa40/0x2c10
[ 21.993728] ip_route_output_key_hash+0x20b/0x370
[ 21.993734] __ip4_datagram_connect+0xa67/0x1240
[ 21.993739] __ip6_datagram_connect+0x709/0xf90
[ 21.993744] ip6_datagram_connect+0x2f/0x50
[ 21.993749] inet_dgram_connect+0x16b/0x1f0
[ 21.993754] SYSC_connect+0x213/0x4a0
[ 21.993760] SyS_connect+0x24/0x30
[ 21.993765] entry_SYSCALL_64_fastpath+0x1f/0x96
[ 21.993767]
[ 21.993770] Freed by task 3125:
[ 21.993775] save_stack+0x43/0xd0
[ 21.993780] kasan_slab_free+0x71/0xc0
[ 21.993785] kmem_cache_free+0x83/0x2a0
[ 21.993791] dst_destroy+0x257/0x370
[ 21.993796] dst_destroy_rcu+0x16/0x20
[ 21.993802] rcu_process_callbacks+0xd6c/0x17f0
[ 21.993808] __do_softirq+0x2d7/0xb85
[ 21.993809]
[ 21.993814] The buggy address belongs to the object at ffff8801d13dae00
[ 21.993814] which belongs to the cache ip_dst_cache of size 168
[ 21.993819] The buggy address is located 24 bytes inside of
[ 21.993819] 168-byte region [ffff8801d13dae00, ffff8801d13daea8)
Reviewer note: the freed object is an IPv4 route entry (ip_dst_cache, the 168-byte region at ffff8801d13dae00). Task 3125 allocated it from an IPv6 datagram connect() that fell through to __ip4_datagram_connect (presumably a v4-mapped destination), and it was later freed from an RCU callback (dst_destroy_rcu, in softirq context), which is the path taken once the dst's counted references are gone. Task 3194 then reads 8 bytes at offset 24 of that object from ip6_xmit, reached via tcp_v4_connect -> tcp_connect -> tcp_transmit_skb -> inet6_csk_xmit: the socket is transmitting on the IPv6 path although it was connected by the IPv4 connect routine, and the saved user registers show the trigger was sendto() (ORIG_RAX 0x2c) with a 16-byte destination address (R9, sockaddr_in size) and flags 0x23ffffff (R10), which include MSG_FASTOPEN (0x20000000), consistent with the tcp_sendmsg_locked -> __inet_stream_connect frames. Which state transition left an IPv4 dst on an IPv6-transmitting socket without a reference of its own is not established by this log alone and needs the reproducer; what the log does establish is a kernel read of freed slab memory from ordinary socket syscalls, so treat it as a memory-safety bug, not a benign warning. The privilege required is not shown either: the reproducer ran from /root as an unconfined_u process, but no privileged operation is visible in the trace.
[ 21.993822] The buggy address belongs to the page:
[ 21.993828]
page:0000000059abcf68 count:1 mapcount:0 mapping:00000000bd5cc5ad index:0xffff8801d13da000
[ 21.993834] flags: 0x2fffc0000000100(slab)
[ 21.993843] raw: 02fffc0000000100 ffff8801d13da000 ffff8801d13da000 0000000100000006
[ 21.993851] raw: ffff8801d6dfbc38 ffffea000748d020 ffff8801d6dfcb00 0000000000000000
[ 21.993854] page dumped because: kasan: bad access detected
[ 21.993855]
[ 21.993858] Memory state around the buggy address:
[ 21.993863] ffff8801d13dad00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 21.993868] ffff8801d13dad80: 00 00 00 00 00 fc fc fc fc fc fc fc fc fc fc fc
[ 21.993873] >ffff8801d13dae00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 21.993875] ^
[ 21.993880] ffff8801d13dae80: fb fb fb fb fb fc fc fc fc fc fc fc fc fc fc fc
[ 21.993885] ffff8801d13daf00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 21.993887] ==================================================================
[ 21.993889] Disabling lock debugging due to kernel taint
[ 21.993904] Kernel panic - not syncing: panic_on_warn set ...
[ 21.993904]
Reviewer note: the panic and the second Call Trace below are not a separate failure. The fuzzing kernel runs with panic_on_warn=1, so the KASAN report ends by calling panic() (panic -> kasan_end_report -> kasan_report -> ip6_xmit in the frames that follow), and the rest of the stack is the same sendto -> tcp_v4_connect -> inet6_csk_xmit -> ip6_xmit path already shown above. The taint flag B was set by the report itself (add_taint appears in the frames), which is also why lock debugging is switched off.
[ 21.993910] CPU: 1 PID: 3194 Comm: syzkaller943459 Tainted: G B 4.15.0-rc5+ #170
[ 21.993913] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 21.993915] Call Trace:
[ 21.993921] dump_stack+0x194/0x257
[ 21.993929] ? arch_local_irq_restore+0x53/0x53
[ 21.993940] ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 21.993947] ? vsnprintf+0x1ed/0x1900
[ 21.993955] ? ip6_xmit+0x1f40/0x2080
[ 21.993961] panic+0x1e4/0x41c
[ 21.993968] ? refcount_error_report+0x214/0x214
[ 21.993977] ? add_taint+0x1c/0x50
[ 21.993984] ? add_taint+0x1c/0x50
[ 21.993992] ? ip6_xmit+0x2036/0x2080
[ 21.993998] kasan_end_report+0x50/0x50
[ 21.994008] kasan_report+0x144/0x340
[ 21.994018] __asan_report_load8_noabort+0x14/0x20
[ 21.994027] ip6_xmit+0x2036/0x2080
[ 21.994033] ? __sk_dst_check+0x1a5/0x380
[ 21.994049] ? ip6_finish_output2+0x2390/0x2390
[ 21.994057] ? fl6_update_dst+0x127/0x2b0
[ 21.994065] ?
check_noncircular+0x20/0x20
[ 21.994071] ? inet6_csk_route_socket+0x691/0xe80
[ 21.994080] ? lock_acquire+0x1d5/0x580
[ 21.994085] ? memcpy+0x45/0x50
[ 21.994090] ? lock_acquire+0x1d5/0x580
[ 21.994096] ? inet6_csk_xmit+0x114/0x580
[ 21.994108] ? lock_release+0xa40/0xa40
[ 21.994117] ? __lock_is_held+0xb6/0x140
[ 21.994132] inet6_csk_xmit+0x2fc/0x580
[ 21.994140] ? inet6_csk_update_pmtu+0x160/0x160
[ 21.994148] ? rt_cpu_seq_show+0x2c0/0x2c0
[ 21.994155] ? refcount_add_not_zero+0x133/0x200
[ 21.994174] tcp_transmit_skb+0x1b12/0x38b0
[ 21.994192] ? __tcp_select_window+0x900/0x900
[ 21.994198] ? tcp_fastopen_cache_get+0x449/0x720
[ 21.994206] ? tcp_peer_is_proven+0xc60/0xc60
[ 21.994216] ? __lock_is_held+0xb6/0x140
[ 21.994233] ? tcp_try_fastopen+0x1b50/0x1b50
[ 21.994243] ? tcp_init_transfer+0x3d0/0x3d0
[ 21.994256] ? tcp_rbtree_insert+0x135/0x190
[ 21.994266] tcp_connect+0x1ed5/0x4090
[ 21.994282] ? tcp_push_one+0xf0/0xf0
[ 21.994289] ? lock_downgrade+0x947/0x980
[ 21.994302] ? pvclock_read_flags+0x160/0x160
[ 21.994309] ? mark_held_locks+0xaf/0x100
[ 21.994314] ? ip_route_output_key_hash+0x229/0x370
[ 21.994321] ? ktime_get_with_offset+0x188/0x420
[ 21.994332] ? kvm_clock_get_cycles+0x25/0x30
[ 21.994338] ? ktime_get_with_offset+0x2c1/0x420
[ 21.994348] ? do_gettimeofday+0x190/0x190
[ 21.994361] ? tcp_fastopen_defer_connect+0x163/0x4a0
[ 21.994366] ? ip_route_output_key_hash+0x252/0x370
[ 21.994375] ? siphash_1u64+0x18/0x270
[ 21.994395] tcp_v4_connect+0x15ef/0x1e70
[ 21.994400] ? SyS_sendto+0x40/0x50
[ 21.994417] ? tcp_v4_inbound_md5_hash+0x510/0x510
[ 21.994424] ? __lock_is_held+0xb6/0x140
[ 21.994435] __inet_stream_connect+0x2d4/0xf00
[ 21.994447] ? inet_bind+0x910/0x910
[ 21.994460] ? tcp_sendmsg_locked+0x1f56/0x3c40
[ 21.994466] ? rcu_read_lock_sched_held+0x108/0x120
[ 21.994472] ? kmem_cache_alloc_trace+0x456/0x750
[ 21.994478] ? __thp_get_unmapped_area+0x130/0x130
[ 21.994484] ? __lock_acquire+0x664/0x3e00
[ 21.994490] ?
__lock_acquire+0x664/0x3e00
[ 21.994502] tcp_sendmsg_locked+0x2624/0x3c40
[ 21.994513] ? avc_has_perm+0x35e/0x680
[ 21.994520] ? lock_downgrade+0x980/0x980
[ 21.994529] ? lock_release+0xa40/0xa40
[ 21.994539] ? sock_common_setsockopt+0x95/0xd0
[ 21.994545] ? SyS_setsockopt+0x189/0x360
[ 21.994553] ? tcp_sendpage+0x60/0x60
[ 21.994571] ? print_irqtrace_events+0x270/0x270
[ 21.994576] ? find_held_lock+0x35/0x1d0
[ 21.994588] ? lock_acquire+0x1d5/0x580
[ 21.994592] ? lock_sock_nested+0xa3/0x110
[ 21.994598] ? lock_acquire+0x1d5/0x580
[ 21.994603] ? tcp_sendmsg+0x21/0x50
[ 21.994617] ? mark_held_locks+0xaf/0x100
[ 21.994623] ? do_raw_spin_trylock+0x190/0x190
[ 21.994630] ? __local_bh_enable_ip+0x121/0x230
[ 21.994638] ? trace_hardirqs_on_caller+0x421/0x5c0
[ 21.994643] ? lock_sock_nested+0x91/0x110
[ 21.994649] ? trace_hardirqs_on+0xd/0x10
[ 21.994655] ? __local_bh_enable_ip+0x121/0x230
[ 21.994666] tcp_sendmsg+0x2f/0x50
[ 21.994673] inet_sendmsg+0x11f/0x5e0
[ 21.994679] ? __might_sleep+0x95/0x190
[ 21.994685] ? inet_recvmsg+0x5f0/0x5f0
[ 21.994693] ? selinux_socket_sendmsg+0x36/0x40
[ 21.994700] ? security_socket_sendmsg+0x89/0xb0
[ 21.994706] ? inet_recvmsg+0x5f0/0x5f0
[ 21.994714] sock_sendmsg+0xca/0x110
[ 21.994722] SYSC_sendto+0x361/0x5c0
[ 21.994732] ? SYSC_connect+0x4a0/0x4a0
[ 21.994738] ? up_read+0x1a/0x40
[ 21.994745] ? __do_page_fault+0x3d6/0xc90
[ 21.994770] ? __do_page_fault+0xc90/0xc90
[ 21.994780] ? SyS_setsockopt+0x215/0x360
[ 21.994789] ? SyS_recv+0x40/0x40
[ 21.994797] ?
entry_SYSCALL_64_fastpath+0x5/0x96
[ 21.994809] SyS_sendto+0x40/0x50
[ 21.994819] entry_SYSCALL_64_fastpath+0x1f/0x96
[ 21.994822] RIP: 0033:0x43fda9
[ 21.994826] RSP: 002b:00007ffdeebd2798 EFLAGS: 00000217 ORIG_RAX: 000000000000002c
[ 21.994832] RAX: ffffffffffffffda RBX: ffffffffffffffff RCX: 000000000043fda9
[ 21.994835] RDX: 0000000000000000 RSI: 0000000020aa1000 RDI: 0000000000000003
[ 21.994839] RBP: 00000000006ca018 R08: 0000000020aa1000 R09: 0000000000000010
[ 21.994842] R10: 0000000023ffffff R11: 0000000000000217 R12: 0000000000401710
[ 21.994846] R13: 00000000004017a0 R14: 0000000000000000 R15: 0000000000000000
[ 22.013556] Dumping ftrace buffer:
[ 22.013560] (ftrace buffer empty)
[ 22.013563] Kernel Offset: disabled
[ 23.233450] Rebooting in 86400 seconds..
Reviewer note: "Kernel Offset: disabled" means KASLR is off on this fuzzing kernel, so the kernel addresses in this report are stable across boots here but are not representative of a hardened or production build; the 86400-second reboot delay is presumably the VM's panic timeout setting and is not part of the bug.