[?25l[?1c7[1G[[32m ok [39;49m8[?25h[?0c.
[....] Starting periodic command scheduler: cron[?25l[?1c7[1G[[32m ok [39;49m8[?25h[?0c.
Starting mcstransd: 
[....] Starting file context maintaining daemon: restorecond[?25l[?1c7[1G[[32m ok [39;49m8[?25h[?0c.
[....] Starting OpenBSD Secure Shell server: sshd[?25l[?1c7[1G[[32m ok [39;49m8[?25h[?0c.

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [   22.467882] audit: type=1400 audit(1520571661.857:6): avc:  denied  { map } for  pid=4216 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
[   22.501389] sshd (4213) used greatest stack depth: 16712 bytes left
Warning: Permanently added '10.128.0.35' (ECDSA) to the list of known hosts.
[   28.761765] audit: type=1400 audit(1520571668.151:7): avc:  denied  { map } for  pid=4230 comm="syz-execprog" path="/root/syz-execprog" dev="sda1" ino=16479 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
2018/03/09 05:01:08 parsed 1 programs
2018/03/09 05:01:08 executed programs: 0
[   28.995792] audit: type=1400 audit(1520571668.385:8): avc:  denied  { map } for  pid=4230 comm="syz-execprog" path="/root/syzkaller-shm475967695" dev="sda1" ino=16482 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:file_t:s0 tclass=file permissive=1
[   29.005953] IPVS: ftp: loaded support on port[0] = 21
[   29.274373] IPv6: ADDRCONF(NETDEV_UP): bridge0: link is not ready
[   29.619195] IPv6: ADDRCONF(NETDEV_UP): bond0: link is not ready
[   29.625326] 8021q: adding VLAN 0 to HW filter on device bond0
[   29.663412] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
[   29.701656] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[   29.716838] ==================================================================
[   29.724293] BUG: KASAN: use-after-free in ip6_xmit+0x1f76/0x2260
[   29.730414] Read of size 8 at addr ffff8801d8f70818 by task syz-executor0/4395
[   29.737757] 
[   29.739365] CPU: 0 PID: 4395 Comm: syz-executor0 Not tainted 4.16.0-rc4+ #256
[   29.746612] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   29.755944] Call Trace:
[   29.758521]  dump_stack+0x194/0x24d
[   29.762125]  ? arch_local_irq_restore+0x53/0x53
[   29.766767]  ? show_regs_print_info+0x18/0x18
[   29.771238]  ? ip6_xmit+0x1f76/0x2260
[   29.775015]  print_address_description+0x73/0x250
[   29.779833]  ? ip6_xmit+0x1f76/0x2260
[   29.783609]  kasan_report+0x23c/0x360
[   29.787384]  __asan_report_load8_noabort+0x14/0x20
[   29.792287]  ip6_xmit+0x1f76/0x2260
[   29.795899]  ? ip6_finish_output2+0x23a0/0x23a0
[   29.800542]  ? fl6_update_dst+0x127/0x2b0
[   29.804667]  ? inet6_csk_route_socket+0x691/0xe80
[   29.809486]  ? trace_hardirqs_off+0x10/0x10
[   29.813783]  ? lock_acquire+0x1d5/0x580
[   29.817733]  ? lock_acquire+0x1d5/0x580
[   29.821699]  ? inet6_csk_xmit+0x114/0x580
[   29.825824]  ? trace_hardirqs_off+0x10/0x10
[   29.830120]  ? lock_release+0xa40/0xa40
[   29.834091]  inet6_csk_xmit+0x2fc/0x580
[   29.838040]  ? inet6_csk_update_pmtu+0x160/0x160
[   29.842768]  ? __sk_dst_check+0x1a5/0x380
[   29.846888]  ? sock_kfree_s+0x60/0x60
[   29.850679]  l2tp_xmit_skb+0x105f/0x1410
[   29.854725]  ? l2tp_session_create+0xb80/0xb80
[   29.859282]  ? sock_wmalloc+0x15d/0x1d0
[   29.863234]  ? iov_iter_advance+0x13f0/0x13f0
[   29.867706]  ? pppol2tp_sendmsg+0x41b/0x670
[   29.872002]  pppol2tp_sendmsg+0x470/0x670
[   29.876126]  ? selinux_socket_sendmsg+0x36/0x40
[   29.880770]  ? pppol2tp_getsockopt+0x900/0x900
[   29.885325]  sock_sendmsg+0xca/0x110
[   29.889013]  ___sys_sendmsg+0x767/0x8b0
[   29.892971]  ? copy_msghdr_from_user+0x590/0x590
[   29.897708]  ? _raw_spin_unlock+0x22/0x30
[   29.901831]  ? __handle_mm_fault+0x5ba/0x38c0
[   29.906302]  ? __pmd_alloc+0x4e0/0x4e0
[   29.910173]  ? trace_hardirqs_off+0x10/0x10
[   29.914467]  ? release_sock+0x1d4/0x2a0
[   29.918413]  ? trace_hardirqs_on+0xd/0x10
[   29.922536]  ? __fget_light+0x2b2/0x3c0
[   29.926489]  ? fget_raw+0x20/0x20
[   29.929929]  ? find_held_lock+0x35/0x1d0
[   29.933979]  __sys_sendmsg+0xe5/0x210
[   29.937754]  ? __sys_sendmsg+0xe5/0x210
[   29.941701]  ? SyS_shutdown+0x290/0x290
[   29.945655]  ? compat_SyS_futex+0x288/0x380
[   29.949982]  compat_SyS_sendmsg+0x2a/0x40
[   29.954106]  ? compat_SyS_getsockopt+0x420/0x420
[   29.958838]  do_fast_syscall_32+0x3ec/0xf9f
[   29.963138]  ? do_int80_syscall_32+0x9c0/0x9c0
[   29.967712]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[   29.972442]  ? syscall_return_slowpath+0x2ac/0x550
[   29.977345]  ? prepare_exit_to_usermode+0x350/0x350
[   29.982336]  ? sysret32_from_system_call+0x5/0x3c
[   29.987153]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   29.991973]  entry_SYSENTER_compat+0x70/0x7f
[   29.996351] RIP: 0023:0xf7faec99
[   29.999686] RSP: 002b:00000000ff94921c EFLAGS: 00000282 ORIG_RAX: 0000000000000172
[   30.007368] RAX: ffffffffffffffda RBX: 0000000000000004 RCX: 000000002037ffc8
[   30.014613] RDX: 0000000000000081 RSI: 0000000000000000 RDI: 0000000000000000
[   30.021855] RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
[   30.029098] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
[   30.036341] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[   30.043601] 
[   30.045199] Allocated by task 4228:
[   30.048799]  save_stack+0x43/0xd0
[   30.052220]  kasan_kmalloc+0xad/0xe0
[   30.055901]  kasan_slab_alloc+0x12/0x20
[   30.059849]  kmem_cache_alloc+0x12e/0x760
[   30.063967]  dst_alloc+0x11f/0x1a0
[   30.067478]  rt_dst_alloc+0xe9/0x520
[   30.071162]  ip_route_output_key_hash_rcu+0xa59/0x2f00
[   30.076409]  ip_route_output_key_hash+0x20b/0x370
[   30.081227]  __ip4_datagram_connect+0xa67/0x1240
[   30.085955]  __ip6_datagram_connect+0x749/0x12d0
[   30.090680]  ip6_datagram_connect+0x2f/0x50
[   30.094974]  inet_dgram_connect+0x16b/0x1f0
[   30.099269]  SYSC_connect+0x213/0x4a0
[   30.103056]  SyS_connect+0x24/0x30
[   30.106573]  do_syscall_64+0x281/0x940
[   30.110433]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[   30.115592] 
[   30.117190] Freed by task 0:
[   30.120180]  save_stack+0x43/0xd0
[   30.123605]  __kasan_slab_free+0x11a/0x170
[   30.127811]  kasan_slab_free+0xe/0x10
[   30.131587]  kmem_cache_free+0x83/0x2a0
[   30.135530]  dst_destroy+0x257/0x370
[   30.139225]  dst_destroy_rcu+0x16/0x20
[   30.143088]  rcu_process_callbacks+0xd6c/0x17f0
[   30.147728]  __do_softirq+0x2d7/0xb85
[   30.151496] 
[   30.153097] The buggy address belongs to the object at ffff8801d8f70800
[   30.153097]  which belongs to the cache ip_dst_cache of size 168
[   30.165809] The buggy address is located 24 bytes inside of
[   30.165809]  168-byte region [ffff8801d8f70800, ffff8801d8f708a8)
[   30.177565] The buggy address belongs to the page:
[   30.182464] page:ffffea000763dc00 count:1 mapcount:0 mapping:ffff8801d8f70000 index:0xffff8801d8f70000
[   30.191879] flags: 0x2fffc0000000100(slab)
[   30.196102] raw: 02fffc0000000100 ffff8801d8f70000 ffff8801d8f70000 0000000100000009
[   30.203956] raw: ffffea00073c92e0 ffff8801d6bdb138 ffff8801d5b7f800 0000000000000000
[   30.211804] page dumped because: kasan: bad access detected
[   30.217482] 
[   30.219081] Memory state around the buggy address:
[   30.223979]  ffff8801d8f70700: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   30.231306]  ffff8801d8f70780: 00 00 00 00 00 fc fc fc fc fc fc fc fc fc fc fc
[   30.238637] >ffff8801d8f70800: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   30.245976]                             ^
[   30.250102]  ffff8801d8f70880: fb fb fb fb fb fc fc fc fc fc fc fc fc fc fc fc
[   30.257431]  ffff8801d8f70900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   30.264758] ==================================================================
[   30.272098] Disabling lock debugging due to kernel taint
[   30.277574] Kernel panic - not syncing: panic_on_warn set ...
[   30.277574] 
[   30.284911] CPU: 0 PID: 4395 Comm: syz-executor0 Tainted: G    B            4.16.0-rc4+ #256
[   30.293455] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   30.302784] Call Trace:
[   30.305354]  dump_stack+0x194/0x24d
[   30.308953]  ? arch_local_irq_restore+0x53/0x53
[   30.313594]  ? kasan_end_report+0x32/0x50
[   30.317716]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[   30.322457]  ? vsnprintf+0x1ed/0x1900
[   30.326250]  ? ip6_xmit+0x1f30/0x2260
[   30.330040]  panic+0x1e4/0x41c
[   30.333205]  ? refcount_error_report+0x214/0x214
[   30.337930]  ? add_taint+0x1c/0x50
[   30.341439]  ? add_taint+0x1c/0x50
[   30.344951]  ? ip6_xmit+0x1f76/0x2260
[   30.348721]  kasan_end_report+0x50/0x50
[   30.352662]  kasan_report+0x149/0x360
[   30.356432]  __asan_report_load8_noabort+0x14/0x20
[   30.361330]  ip6_xmit+0x1f76/0x2260
[   30.364932]  ? ip6_finish_output2+0x23a0/0x23a0
[   30.369572]  ? fl6_update_dst+0x127/0x2b0
[   30.373691]  ? inet6_csk_route_socket+0x691/0xe80
[   30.378522]  ? trace_hardirqs_off+0x10/0x10
[   30.382820]  ? lock_acquire+0x1d5/0x580
[   30.386771]  ? lock_acquire+0x1d5/0x580
[   30.390716]  ? inet6_csk_xmit+0x114/0x580
[   30.394833]  ? trace_hardirqs_off+0x10/0x10
[   30.399124]  ? lock_release+0xa40/0xa40
[   30.403074]  inet6_csk_xmit+0x2fc/0x580
[   30.407017]  ? inet6_csk_update_pmtu+0x160/0x160
[   30.411744]  ? __sk_dst_check+0x1a5/0x380
[   30.415861]  ? sock_kfree_s+0x60/0x60
[   30.419640]  l2tp_xmit_skb+0x105f/0x1410
[   30.423674]  ? l2tp_session_create+0xb80/0xb80
[   30.428222]  ? sock_wmalloc+0x15d/0x1d0
[   30.432177]  ? iov_iter_advance+0x13f0/0x13f0
[   30.436646]  ? pppol2tp_sendmsg+0x41b/0x670
[   30.440936]  pppol2tp_sendmsg+0x470/0x670
[   30.445056]  ? selinux_socket_sendmsg+0x36/0x40
[   30.449704]  ? pppol2tp_getsockopt+0x900/0x900
[   30.454254]  sock_sendmsg+0xca/0x110
[   30.457936]  ___sys_sendmsg+0x767/0x8b0
[   30.461880]  ? copy_msghdr_from_user+0x590/0x590
[   30.466607]  ? _raw_spin_unlock+0x22/0x30
[   30.470726]  ? __handle_mm_fault+0x5ba/0x38c0
[   30.475191]  ? __pmd_alloc+0x4e0/0x4e0
[   30.479059]  ? trace_hardirqs_off+0x10/0x10
[   30.483347]  ? release_sock+0x1d4/0x2a0
[   30.487291]  ? trace_hardirqs_on+0xd/0x10
[   30.491409]  ? __fget_light+0x2b2/0x3c0
[   30.495350]  ? fget_raw+0x20/0x20
[   30.498780]  ? find_held_lock+0x35/0x1d0
[   30.502817]  __sys_sendmsg+0xe5/0x210
[   30.506592]  ? __sys_sendmsg+0xe5/0x210
[   30.510540]  ? SyS_shutdown+0x290/0x290
[   30.514486]  ? compat_SyS_futex+0x288/0x380
[   30.518787]  compat_SyS_sendmsg+0x2a/0x40
[   30.522902]  ? compat_SyS_getsockopt+0x420/0x420
[   30.527626]  do_fast_syscall_32+0x3ec/0xf9f
[   30.531918]  ? do_int80_syscall_32+0x9c0/0x9c0
[   30.536557]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[   30.541290]  ? syscall_return_slowpath+0x2ac/0x550
[   30.546186]  ? prepare_exit_to_usermode+0x350/0x350
[   30.551173]  ? sysret32_from_system_call+0x5/0x3c
[   30.555985]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   30.560798]  entry_SYSENTER_compat+0x70/0x7f
[   30.565173] RIP: 0023:0xf7faec99
[   30.568504] RSP: 002b:00000000ff94921c EFLAGS: 00000282 ORIG_RAX: 0000000000000172
[   30.576182] RAX: ffffffffffffffda RBX: 0000000000000004 RCX: 000000002037ffc8
[   30.583419] RDX: 0000000000000081 RSI: 0000000000000000 RDI: 0000000000000000
[   30.590665] RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
[   30.597902] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
[   30.605139] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[   30.612777] Dumping ftrace buffer:
[   30.616284]    (ftrace buffer empty)
[   30.619962] Kernel Offset: disabled
[   30.623559] Rebooting in 86400 seconds..