[....] Starting enhanced syslogd: rsyslogd
[   13.436414] audit: type=1400 audit(1517090947.697:5): avc: denied { syslog } for pid=3531 comm="rsyslogd" capability=34 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=capability2 permissive=1
[ ok ].
[ ok ] Starting periodic command scheduler: cron.
Starting mcstransd:
[ ok ] Starting file context maintaining daemon: restorecond.
[ ok ] Starting OpenBSD Secure Shell server: sshd.

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [   19.456528] audit: type=1400 audit(1517090953.717:6): avc: denied { map } for pid=3672 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
Warning: Permanently added '10.128.15.203' (ECDSA) to the list of known hosts.
executing program
[   25.756725] audit: type=1400 audit(1517090960.017:7): avc: denied { map } for pid=3687 comm="syzkaller544407" path="/root/syzkaller544407246" dev="sda1" ino=16481 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
[   25.786240] ==================================================================
[   25.793636] BUG: KASAN: use-after-free in ip6_xmit+0x1f76/0x2260
[   25.799765] Read of size 8 at addr ffff8801cb845f18 by task syzkaller544407/3687
[   25.807798] 
[   25.809409] CPU: 0 PID: 3687 Comm: syzkaller544407 Not tainted 4.15.0-rc9+ #212
[   25.816831] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   25.826165] Call Trace:
[   25.828742]  dump_stack+0x194/0x257
[   25.832350]  ? arch_local_irq_restore+0x53/0x53
[   25.837023]  ? show_regs_print_info+0x18/0x18
[   25.841505]  ? ip6_xmit+0x1f76/0x2260
[   25.845292]  print_address_description+0x73/0x250
[   25.850118]  ? ip6_xmit+0x1f76/0x2260
[   25.853901]  kasan_report+0x25b/0x340
[   25.857695]  __asan_report_load8_noabort+0x14/0x20
[   25.862612]  ip6_xmit+0x1f76/0x2260
[   25.866245]  ? ip6_finish_output2+0x23a0/0x23a0
[   25.870895]  ? fl6_update_dst+0x127/0x2b0
[   25.875024]  ? check_noncircular+0x20/0x20
[   25.879243]  ? inet6_csk_route_socket+0x691/0xe80
[   25.884082]  ? lock_acquire+0x1d5/0x580
[   25.888043]  ? lock_acquire+0x1d5/0x580
[   25.892005]  ? inet6_csk_xmit+0x114/0x580
[   25.896147]  ? lock_release+0xa40/0xa40
[   25.900124]  inet6_csk_xmit+0x2fc/0x580
[   25.904090]  ? inet6_csk_update_pmtu+0x160/0x160
[   25.908825]  ? __sk_dst_check+0x1a5/0x380
[   25.912952]  ? sk_wait_data+0x610/0x610
[   25.916931]  l2tp_xmit_skb+0x105f/0x1410
[   25.920981]  ? l2tp_session_create+0xb80/0xb80
[   25.925538]  ? sock_wmalloc+0x15d/0x1d0
[   25.929491]  ? iov_iter_advance+0x13f0/0x13f0
[   25.933965]  ? pppol2tp_sendmsg+0x41b/0x670
[   25.938266]  pppol2tp_sendmsg+0x470/0x670
[   25.942397]  ? selinux_socket_sendmsg+0x36/0x40
[   25.947042]  ? pppol2tp_session_ioctl+0xa90/0xa90
[   25.951866]  sock_sendmsg+0xca/0x110
[   25.955558]  ___sys_sendmsg+0x767/0x8b0
[   25.959523]  ? copy_msghdr_from_user+0x590/0x590
[   25.964266]  ? __do_page_fault+0x5f7/0xc90
[   25.968481]  ? lock_downgrade+0x980/0x980
[   25.972612]  ? __fget_light+0x297/0x380
[   25.976563]  ? fget_raw+0x20/0x20
[   25.979996]  ? __handle_mm_fault+0x3ce0/0x3ce0
[   25.984558]  ? vmacache_find+0x5f/0x280
[   25.988521]  ? up_read+0x1a/0x40
[   25.991866]  ? __do_page_fault+0x3d6/0xc90
[   25.996100]  ? __fdget+0x18/0x20
[   25.999451]  __sys_sendmsg+0xe5/0x210
[   26.003226]  ? __sys_sendmsg+0xe5/0x210
[   26.007178]  ? SyS_shutdown+0x290/0x290
[   26.011147]  ? __do_page_fault+0xc90/0xc90
[   26.015377]  ? trace_hardirqs_on_caller+0x421/0x5c0
[   26.020380]  SyS_sendmsg+0x2d/0x50
[   26.023904]  entry_SYSCALL_64_fastpath+0x29/0xa0
[   26.028634] RIP: 0033:0x440719
[   26.031796] RSP: 002b:00007ffe4a9a7a38 EFLAGS: 00000217 ORIG_RAX: 000000000000002e
[   26.039479] RAX: ffffffffffffffda RBX: ffffffffffffffff RCX: 0000000000440719
[   26.046729] RDX: 0000000000000081 RSI: 000000002037ffc8 RDI: 0000000000000004
[   26.053978] RBP: 00000000006cb018 R08: 0000000000000000 R09: 0000000000000000
[   26.061225] R10: 0000000000000000 R11: 0000000000000217 R12: 0000000000401fe0
[   26.068471] R13: 0000000000402070 R14: 0000000000000000 R15: 0000000000000000
[   26.075737] 
[   26.077343] Allocated by task 1740:
[   26.080957]  save_stack+0x43/0xd0
[   26.084400]  kasan_kmalloc+0xad/0xe0
[   26.088098]  kasan_slab_alloc+0x12/0x20
[   26.092049]  kmem_cache_alloc+0x12e/0x760
[   26.096177]  dst_alloc+0x11f/0x1a0
[   26.099692]  rt_dst_alloc+0xe9/0x520
[   26.103380]  ip_route_input_rcu+0x1076/0x3200
[   26.107848]  ip_route_input_noref+0xf5/0x1e0
[   26.112226]  ip_rcv_finish+0x3a6/0x2040
[   26.116173]  ip_rcv+0xc5a/0x1840
[   26.119516]  __netif_receive_skb_core+0x1a41/0x3460
[   26.124504]  __netif_receive_skb+0x2c/0x1b0
[   26.128799]  netif_receive_skb_internal+0x10b/0x670
[   26.133785]  napi_gro_receive+0x3d0/0x500
[   26.137906]  receive_buf+0xb6e/0x2530
[   26.141681]  virtnet_poll+0x320/0xb70
[   26.145457]  net_rx_action+0x792/0x1910
[   26.149408]  __do_softirq+0x2d7/0xb85
[   26.153176] 
[   26.154775] Freed by task 3237:
[   26.158032]  save_stack+0x43/0xd0
[   26.161460]  kasan_slab_free+0x71/0xc0
[   26.165338]  kmem_cache_free+0x83/0x2a0
[   26.169288]  dst_destroy+0x257/0x370
[   26.172973]  dst_destroy_rcu+0x16/0x20
[   26.176835]  rcu_process_callbacks+0xd6c/0x17f0
[   26.181481]  __do_softirq+0x2d7/0xb85
[   26.185254] 
[   26.186863] The buggy address belongs to the object at ffff8801cb845f00
[   26.186863]  which belongs to the cache ip_dst_cache of size 168
[   26.199594] The buggy address is located 24 bytes inside of
[   26.199594]  168-byte region [ffff8801cb845f00, ffff8801cb845fa8)
[   26.211357] The buggy address belongs to the page:
[   26.216263] page:ffffea00072e1140 count:1 mapcount:0 mapping:ffff8801cb845000 index:0xffff8801cb845600
[   26.225714] flags: 0x2fffc0000000100(slab)
[   26.229935] raw: 02fffc0000000100 ffff8801cb845000 ffff8801cb845600 0000000100000006
[   26.237805] raw: ffff8801d6cdf638 ffffea0007255360 ffff8801d68084c0 0000000000000000
[   26.245668] page dumped because: kasan: bad access detected
[   26.251359] 
[   26.252959] Memory state around the buggy address:
[   26.257861]  ffff8801cb845e00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   26.265195]  ffff8801cb845e80: 00 00 00 00 00 fc fc fc fc fc fc fc fc fc fc fc
[   26.272525] >ffff8801cb845f00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   26.279877]                             ^
[   26.283998]  ffff8801cb845f80: fb fb fb fb fb fc fc fc fc fc fc fc fc fc fc fc
[   26.291335]  ffff8801cb846000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   26.298669] ==================================================================
[   26.306017] Disabling lock debugging due to kernel taint
[   26.312126] Kernel panic - not syncing: panic_on_warn set ...
[   26.312126] 
[   26.319494] CPU: 0 PID: 3687 Comm: syzkaller544407 Tainted: G    B            4.15.0-rc9+ #212
[   26.328218] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   26.337546] Call Trace:
[   26.340116]  dump_stack+0x194/0x257
[   26.343723]  ? arch_local_irq_restore+0x53/0x53
[   26.348364]  ? kasan_end_report+0x32/0x50
[   26.352493]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[   26.357225]  ? vsnprintf+0x1ed/0x1900
[   26.361003]  ? ip6_xmit+0x1f10/0x2260
[   26.364799]  panic+0x1e4/0x41c
[   26.367965]  ? refcount_error_report+0x214/0x214
[   26.372703]  ? add_taint+0x1c/0x50
[   26.376215]  ? add_taint+0x1c/0x50
[   26.379731]  ? ip6_xmit+0x1f76/0x2260
[   26.383507]  kasan_end_report+0x50/0x50
[   26.387452]  kasan_report+0x144/0x340
[   26.391227]  __asan_report_load8_noabort+0x14/0x20
[   26.396129]  ip6_xmit+0x1f76/0x2260
[   26.399742]  ? ip6_finish_output2+0x23a0/0x23a0
[   26.404388]  ? fl6_update_dst+0x127/0x2b0
[   26.408511]  ? check_noncircular+0x20/0x20
[   26.412723]  ? inet6_csk_route_socket+0x691/0xe80
[   26.417541]  ? lock_acquire+0x1d5/0x580
[   26.421488]  ? lock_acquire+0x1d5/0x580
[   26.425451]  ? inet6_csk_xmit+0x114/0x580
[   26.429585]  ? lock_release+0xa40/0xa40
[   26.433540]  inet6_csk_xmit+0x2fc/0x580
[   26.437497]  ? inet6_csk_update_pmtu+0x160/0x160
[   26.442226]  ? __sk_dst_check+0x1a5/0x380
[   26.446353]  ? sk_wait_data+0x610/0x610
[   26.450325]  l2tp_xmit_skb+0x105f/0x1410
[   26.454366]  ? l2tp_session_create+0xb80/0xb80
[   26.458920]  ? sock_wmalloc+0x15d/0x1d0
[   26.462875]  ? iov_iter_advance+0x13f0/0x13f0
[   26.467365]  ? pppol2tp_sendmsg+0x41b/0x670
[   26.471661]  pppol2tp_sendmsg+0x470/0x670
[   26.475788]  ? selinux_socket_sendmsg+0x36/0x40
[   26.480434]  ? pppol2tp_session_ioctl+0xa90/0xa90
[   26.485256]  sock_sendmsg+0xca/0x110
[   26.488943]  ___sys_sendmsg+0x767/0x8b0
[   26.492894]  ? copy_msghdr_from_user+0x590/0x590
[   26.497629]  ? __do_page_fault+0x5f7/0xc90
[   26.501848]  ? lock_downgrade+0x980/0x980
[   26.505983]  ? __fget_light+0x297/0x380
[   26.509933]  ? fget_raw+0x20/0x20
[   26.513363]  ? __handle_mm_fault+0x3ce0/0x3ce0
[   26.517915]  ? vmacache_find+0x5f/0x280
[   26.521866]  ? up_read+0x1a/0x40
[   26.525207]  ? __do_page_fault+0x3d6/0xc90
[   26.529419]  ? __fdget+0x18/0x20
[   26.532763]  __sys_sendmsg+0xe5/0x210
[   26.536537]  ? __sys_sendmsg+0xe5/0x210
[   26.540485]  ? SyS_shutdown+0x290/0x290
[   26.544444]  ? __do_page_fault+0xc90/0xc90
[   26.548672]  ? trace_hardirqs_on_caller+0x421/0x5c0
[   26.553669]  SyS_sendmsg+0x2d/0x50
[   26.557190]  entry_SYSCALL_64_fastpath+0x29/0xa0
[   26.561916] RIP: 0033:0x440719
[   26.565080] RSP: 002b:00007ffe4a9a7a38 EFLAGS: 00000217 ORIG_RAX: 000000000000002e
[   26.572867] RAX: ffffffffffffffda RBX: ffffffffffffffff RCX: 0000000000440719
[   26.580111] RDX: 0000000000000081 RSI: 000000002037ffc8 RDI: 0000000000000004
[   26.587358] RBP: 00000000006cb018 R08: 0000000000000000 R09: 0000000000000000
[   26.594601] R10: 0000000000000000 R11: 0000000000000217 R12: 0000000000401fe0
[   26.601844] R13: 0000000000402070 R14: 0000000000000000 R15: 0000000000000000
[   26.609561] Dumping ftrace buffer:
[   26.613081]    (ftrace buffer empty)
[   26.616763] Kernel Offset: disabled
[   26.620364] Rebooting in 86400 seconds..
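Triage of the report above, as an added example that is not part of the syzkaller console log, of syzbot, or of the kernel: a Python helper that parses the KASAN fields (the BUG header, the access line, the Allocated/Freed stacks and the "Memory state" shadow dump), recomputes the offset of the faulting read inside the ip_dst_cache object, and decodes the shadow byte that covers the accessed address. The embedded SAMPLE is an abridged excerpt of the report above (constructed input for the example, not a new log); the shadow-byte table follows the KASAN poison values in mm/kasan/kasan.h of this kernel series, and every function, regex and field name is this example's own.

```python
"""Triage helper for a KASAN report like the one above. Added example, not
syzkaller or kernel code: it parses the header, the Allocated/Freed stacks and
the shadow dump, recomputes the access offset inside the slab object and decodes
the shadow byte at the faulting address. SAMPLE is an abridged excerpt of the
report above; every name in this file is this example's own."""
import re

SHADOW_SCALE = 8               # one shadow byte covers 8 bytes of memory
ROW_BYTES = 16 * SHADOW_SCALE  # a "Memory state" row shows 16 shadow bytes
POISON = {                     # poison values from mm/kasan/kasan.h
    0xfb: "KASAN_KMALLOC_FREE (freed slab object)",
    0xfc: "KASAN_KMALLOC_REDZONE (slab redzone)",
    0xfa: "KASAN_GLOBAL_REDZONE", 0xfe: "KASAN_PAGE_REDZONE", 0xff: "KASAN_FREE_PAGE",
}
TS = re.compile(r"^\[\s*\d+\.\d+\] ?")
HEADER = re.compile(r"BUG: KASAN: (?P<kind>[\w-]+) in (?P<func>\w+)")
ACCESS = re.compile(r"(?P<op>Read|Write) of size (?P<size>\d+) at addr "
                    r"(?P<addr>[0-9a-f]+) by task (?P<task>\S+)")
OBJECT = re.compile(r"belongs to the object at (?P<obj>[0-9a-f]+)")
CACHE = re.compile(r"belongs to the cache (?P<cache>\S+) of size (?P<size>\d+)")
STACK = re.compile(r"^(?P<which>Allocated|Freed) by task (?P<task>\d+):")
FRAME = re.compile(r"^\s*(?P<guess>\? )?(?P<sym>[A-Za-z_]\w*)\+0x[0-9a-f]+/0x")
ROW = re.compile(r"^\s*>?(?P<base>[0-9a-f]{16}): (?P<bytes>(?:[0-9a-f]{2} ?)+)$")

def parse_kasan_report(text):
    rep = {"stacks": {"access": [], "alloc": [], "free": []}, "tasks": {}, "shadow": {}}
    section = None
    for raw in text.splitlines():
        line = TS.sub("", raw).rstrip()
        if m := HEADER.search(line):
            rep.update(kind=m["kind"], func=m["func"])
            section = "access"
        elif m := ACCESS.search(line):
            rep.update(op=m["op"], size=int(m["size"]), addr=int(m["addr"], 16))
            rep["tasks"]["access"] = m["task"]
        elif m := STACK.match(line):
            section = {"Allocated": "alloc", "Freed": "free"}[m["which"]]
            rep["tasks"][section] = int(m["task"])
        elif m := OBJECT.search(line):
            rep["object"] = int(m["obj"], 16)
            section = None
        elif m := CACHE.search(line):
            rep.update(cache=m["cache"], cache_size=int(m["size"]))
        elif line.startswith("Memory state around"):
            section = "shadow"
        elif section == "shadow" and (m := ROW.match(line)):
            rep["shadow"][int(m["base"], 16)] = [int(b, 16) for b in m["bytes"].split()]
        elif section in rep["stacks"] and (m := FRAME.match(line)) and not m["guess"]:
            rep["stacks"][section].append(m["sym"])  # "? sym" frames are guesses
    return rep

def shadow_for(rep, addr):
    """Shadow byte covering addr, read back from the dumped rows (None if absent)."""
    base = addr & ~(ROW_BYTES - 1)
    row = rep["shadow"].get(base)
    return None if row is None else row[(addr - base) // SHADOW_SCALE]

def decode_shadow(v):
    """0 = all 8 bytes addressable, 1..7 = that many addressable, else poison."""
    if 0 <= v <= 7:
        return "addressable" if v == 0 else f"partially addressable ({v}/8 bytes)"
    return POISON.get(v, f"unknown poison 0x{v:02x}")

def triage(text):
    """Where the access lands, what the shadow says, and who allocated/freed it."""
    rep = parse_kasan_report(text)
    offset = rep["addr"] - rep["object"]
    noise = ("dump_stack", "print_address_description", "kasan_", "__asan_")
    return {
        "bug": f"{rep['kind']} in {rep['func']}",
        "access": f"{rep['op']} of {rep['size']} bytes by {rep['tasks']['access']}",
        "offset": offset,
        "inside_object": 0 <= offset < rep["cache_size"],
        "shadow": decode_shadow(shadow_for(rep, rep["addr"])),
        "access_path": [f for f in rep["stacks"]["access"] if not f.startswith(noise)],
        "allocated_by": (rep["tasks"]["alloc"], rep["stacks"]["alloc"]),
        "freed_by": (rep["tasks"]["free"], rep["stacks"]["free"]),
    }

SAMPLE = """\
[   25.793636] BUG: KASAN: use-after-free in ip6_xmit+0x1f76/0x2260
[   25.799765] Read of size 8 at addr ffff8801cb845f18 by task syzkaller544407/3687
[   25.841505]  ? ip6_xmit+0x1f76/0x2260
[   25.857695]  __asan_report_load8_noabort+0x14/0x20
[   25.862612]  ip6_xmit+0x1f76/0x2260
[   25.900124]  inet6_csk_xmit+0x2fc/0x580
[   25.916931]  l2tp_xmit_skb+0x105f/0x1410
[   25.938266]  pppol2tp_sendmsg+0x470/0x670
[   26.077343] Allocated by task 1740:
[   26.096177]  dst_alloc+0x11f/0x1a0
[   26.103380]  ip_route_input_rcu+0x1076/0x3200
[   26.154775] Freed by task 3237:
[   26.169288]  dst_destroy+0x257/0x370
[   26.172973]  dst_destroy_rcu+0x16/0x20
[   26.186863] The buggy address belongs to the object at ffff8801cb845f00
[   26.186863]  which belongs to the cache ip_dst_cache of size 168
[   26.252959] Memory state around the buggy address:
[   26.272525] >ffff8801cb845f00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   26.283998]  ffff8801cb845f80: fb fb fb fb fb fc fc fc fc fc fc fc fc fc fc fc
"""
```

Calling triage(SAMPLE) yields offset 24 inside the 168-byte object, the shadow byte 0xfb (a freed slab object) at the accessed address, an access path ip6_xmit, inet6_csk_xmit, l2tp_xmit_skb, pppol2tp_sendmsg once the KASAN reporting frames are dropped, and the allocating (1740) and freeing (3237) tasks, both different from the task that later dereferenced the dst (3687). Frames prefixed with "?" are the unwinder's guesses and are skipped; the row lookup masks the address to the 128-byte row each "Memory state" line covers, since one shadow byte stands for 8 bytes of memory.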