[ ok ] Starting enhanced syslogd: rsyslogd.
[   15.424957] audit: type=1400 audit(1520958081.717:5): avc:  denied  { syslog } for  pid=4072 comm="rsyslogd" capability=34  scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=capability2 permissive=1
[ ok ] Starting periodic command scheduler: cron.
Starting mcstransd:
[ ok ] Starting OpenBSD Secure Shell server: sshd.
[ ok ] Starting file context maintaining daemon: restorecond.

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [   19.702887] audit: type=1400 audit(1520958085.995:6): avc:  denied  { map } for  pid=4212 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
Warning: Permanently added '10.128.0.37' (ECDSA) to the list of known hosts.
executing program
[   31.418780] audit: type=1400 audit(1520958097.711:7): avc:  denied  { map } for  pid=4228 comm="syzkaller699486" path="/root/syzkaller699486073" dev="sda1" ino=16481 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
[   31.423660] ==================================================================
[   31.452079] BUG: KASAN: use-after-free in ip6_xmit+0x1f76/0x2260
[   31.458197] Read of size 8 at addr ffff8801b433de18 by task syzkaller699486/4228
[   31.465695]
[   31.467294] CPU: 0 PID: 4228 Comm: syzkaller699486 Not tainted 4.16.0-rc5+ #352
[   31.474706] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   31.484037] Call Trace:
[   31.486607]  dump_stack+0x194/0x24d
[   31.490212]  ? arch_local_irq_restore+0x53/0x53
[   31.494854]  ? show_regs_print_info+0x18/0x18
[   31.499327]  ? ip6_xmit+0x1f76/0x2260
[   31.503104]  print_address_description+0x73/0x250
[   31.507920]  ? ip6_xmit+0x1f76/0x2260
[   31.511692]  kasan_report+0x23c/0x360
[   31.515468]  __asan_report_load8_noabort+0x14/0x20
[   31.520366]  ip6_xmit+0x1f76/0x2260
[   31.523978]  ? ip6_finish_output2+0x23a0/0x23a0
[   31.528620]  ? fl6_update_dst+0x127/0x2b0
[   31.532743]  ? inet6_csk_route_socket+0x691/0xe80
[   31.537559]  ? trace_hardirqs_off+0x10/0x10
[   31.541852]  ? lock_acquire+0x1d5/0x580
[   31.545797]  ? lock_acquire+0x1d5/0x580
[   31.549746]  ? inet6_csk_xmit+0x114/0x580
[   31.553868]  ? trace_hardirqs_off+0x10/0x10
[   31.558165]  ? lock_release+0xa40/0xa40
[   31.562126]  inet6_csk_xmit+0x2fc/0x580
[   31.566075]  ? inet6_csk_update_pmtu+0x160/0x160
[   31.570804]  ? __sk_dst_check+0x1a5/0x380
[   31.574930]  ? sock_kfree_s+0x60/0x60
[   31.578718]  l2tp_xmit_skb+0x105f/0x1410
[   31.582763]  ? l2tp_session_create+0xb80/0xb80
[   31.587316]  ? sock_wmalloc+0x15d/0x1d0
[   31.591264]  ? iov_iter_advance+0x13f0/0x13f0
[   31.595734]  ? pppol2tp_sendmsg+0x41b/0x670
[   31.600038]  pppol2tp_sendmsg+0x470/0x670
[   31.604167]  ? selinux_socket_sendmsg+0x36/0x40
[   31.608815]  ? pppol2tp_getsockopt+0x900/0x900
[   31.613375]  sock_sendmsg+0xca/0x110
[   31.617062]  SYSC_sendto+0x361/0x5c0
[   31.620752]  ? SYSC_connect+0x4a0/0x4a0
[   31.624709]  ? inet_dgram_connect+0x172/0x1f0
[   31.629176]  ? SYSC_connect+0x2e0/0x4a0
[   31.633150]  ? mm_fault_error+0x2c0/0x2c0
[   31.637271]  ? move_addr_to_kernel+0x60/0x60
[   31.641654]  SyS_sendto+0x40/0x50
[   31.645077]  ? SyS_getpeername+0x30/0x30
[   31.649111]  do_syscall_64+0x281/0x940
[   31.652968]  ? __do_page_fault+0xc90/0xc90
[   31.657173]  ? trace_event_raw_event_sys_exit+0x260/0x260
[   31.662681]  ? syscall_return_slowpath+0x550/0x550
[   31.667581]  ? syscall_return_slowpath+0x2ac/0x550
[   31.672487]  ? entry_SYSCALL_64_after_hwframe+0x52/0xb7
[   31.677830]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   31.682668]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[   31.687847] RIP: 0033:0x440249
[   31.691020] RSP: 002b:00007ffd808c9a48 EFLAGS: 00000212 ORIG_RAX: 000000000000002c
[   31.698698] RAX: ffffffffffffffda RBX: 0100000000000000 RCX: 0000000000440249
[   31.705942] RDX: 0000000000000000 RSI: 0000000020001180 RDI: 0000000000000004
[   31.713184] RBP: 00000000006ca018 R08: 00000000200021c0 R09: 0000000000000080
[   31.720427] R10: 0000000000040001 R11: 0000000000000212 R12: 0000000000401b70
[   31.727668] R13: 0000000000401c00 R14: 0000000000000000 R15: 0000000000000000
[   31.734925]
[   31.736526] Allocated by task 2068:
[   31.740127]  save_stack+0x43/0xd0
[   31.743552]  kasan_kmalloc+0xad/0xe0
[   31.747236]  kasan_slab_alloc+0x12/0x20
[   31.751181]  kmem_cache_alloc+0x12e/0x760
[   31.755297]  dst_alloc+0x11f/0x1a0
[   31.758806]  rt_dst_alloc+0xe9/0x520
[   31.762493]  ip_route_input_rcu+0x1076/0x3200
[   31.766956]  ip_route_input_noref+0xf5/0x1e0
[   31.771333]  ip_rcv_finish+0x3a6/0x2040
[   31.775276]  ip_rcv+0xb76/0x1820
[   31.778613]  __netif_receive_skb_core+0x1a41/0x3460
[   31.783598]  __netif_receive_skb+0x2c/0x1b0
[   31.787891]  netif_receive_skb_internal+0x10b/0x670
[   31.792873]  napi_gro_receive+0x3d0/0x500
[   31.796991]  receive_buf+0xb6f/0x2530
[   31.800758]  virtnet_poll+0x320/0xb70
[   31.804525]  net_rx_action+0x792/0x1910
[   31.808466]  __do_softirq+0x2d7/0xb85
[   31.812234]
[   31.813830] Freed by task 0:
[   31.816819]  save_stack+0x43/0xd0
[   31.820241]  __kasan_slab_free+0x11a/0x170
[   31.824442]  kasan_slab_free+0xe/0x10
[   31.828211]  kmem_cache_free+0x83/0x2a0
[   31.832153]  dst_destroy+0x257/0x370
[   31.835835]  dst_destroy_rcu+0x16/0x20
[   31.839694]  rcu_process_callbacks+0xd6c/0x17f0
[   31.844333]  __do_softirq+0x2d7/0xb85
[   31.848097]
[   31.849697] The buggy address belongs to the object at ffff8801b433de00
[   31.849697]  which belongs to the cache ip_dst_cache of size 168
[   31.862407] The buggy address is located 24 bytes inside of
[   31.862407]  168-byte region [ffff8801b433de00, ffff8801b433dea8)
[   31.874161] The buggy address belongs to the page:
[   31.879062] page:ffffea0006d0cf40 count:1 mapcount:0 mapping:ffff8801b433d000 index:0xffff8801b433d000
[   31.888472] flags: 0x2fffc0000000100(slab)
[   31.892679] raw: 02fffc0000000100 ffff8801b433d000 ffff8801b433d000 0000000100000007
[   31.900531] raw: ffffea0006d3ab20 ffff8801d5b97f38 ffff8801d5b96e00 0000000000000000
[   31.908378] page dumped because: kasan: bad access detected
[   31.914055]
[   31.915649] Memory state around the buggy address:
[   31.920546]  ffff8801b433dd00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   31.927875]  ffff8801b433dd80: 00 00 00 00 00 fc fc fc fc fc fc fc fc fc fc fc
[   31.935202] >ffff8801b433de00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   31.942530]                             ^
[   31.946648]  ffff8801b433de80: fb fb fb fb fb fc fc fc fc fc fc fc fc fc fc fc
[   31.953976]  ffff8801b433df00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   31.961303] ==================================================================
[   31.968748] Disabling lock debugging due to kernel taint
[   31.974213] Kernel panic - not syncing: panic_on_warn set ...
[   31.974213]
[   31.981546] CPU: 0 PID: 4228 Comm: syzkaller699486 Tainted: G    B            4.16.0-rc5+ #352
[   31.990259] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   31.999584] Call Trace:
[   32.002145]  dump_stack+0x194/0x24d
[   32.005742]  ? arch_local_irq_restore+0x53/0x53
[   32.010383]  ? kasan_end_report+0x32/0x50
[   32.014504]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[   32.019229]  ? vsnprintf+0x1ed/0x1900
[   32.023001]  ? ip6_xmit+0x1f30/0x2260
[   32.026769]  panic+0x1e4/0x41c
[   32.029931]  ? refcount_error_report+0x214/0x214
[   32.034657]  ? add_taint+0x1c/0x50
[   32.038164]  ? add_taint+0x1c/0x50
[   32.041671]  ? ip6_xmit+0x1f76/0x2260
[   32.045439]  kasan_end_report+0x50/0x50
[   32.049383]  kasan_report+0x149/0x360
[   32.053156]  __asan_report_load8_noabort+0x14/0x20
[   32.058053]  ip6_xmit+0x1f76/0x2260
[   32.061655]  ? ip6_finish_output2+0x23a0/0x23a0
[   32.066296]  ? fl6_update_dst+0x127/0x2b0
[   32.070414]  ? inet6_csk_route_socket+0x691/0xe80
[   32.075229]  ? trace_hardirqs_off+0x10/0x10
[   32.079517]  ? lock_acquire+0x1d5/0x580
[   32.083457]  ? lock_acquire+0x1d5/0x580
[   32.087397]  ? inet6_csk_xmit+0x114/0x580
[   32.091513]  ? trace_hardirqs_off+0x10/0x10
[   32.095805]  ? lock_release+0xa40/0xa40
[   32.099753]  inet6_csk_xmit+0x2fc/0x580
[   32.103693]  ? inet6_csk_update_pmtu+0x160/0x160
[   32.108417]  ? __sk_dst_check+0x1a5/0x380
[   32.112532]  ? sock_kfree_s+0x60/0x60
[   32.116310]  l2tp_xmit_skb+0x105f/0x1410
[   32.120344]  ? l2tp_session_create+0xb80/0xb80
[   32.124894]  ? sock_wmalloc+0x15d/0x1d0
[   32.128840]  ? iov_iter_advance+0x13f0/0x13f0
[   32.133302]  ? pppol2tp_sendmsg+0x41b/0x670
[   32.137593]  pppol2tp_sendmsg+0x470/0x670
[   32.141709]  ? selinux_socket_sendmsg+0x36/0x40
[   32.146345]  ? pppol2tp_getsockopt+0x900/0x900
[   32.150893]  sock_sendmsg+0xca/0x110
[   32.154578]  SYSC_sendto+0x361/0x5c0
[   32.158259]  ? SYSC_connect+0x4a0/0x4a0
[   32.162209]  ? inet_dgram_connect+0x172/0x1f0
[   32.166671]  ? SYSC_connect+0x2e0/0x4a0
[   32.170629]  ? mm_fault_error+0x2c0/0x2c0
[   32.174744]  ? move_addr_to_kernel+0x60/0x60
[   32.179123]  SyS_sendto+0x40/0x50
[   32.182543]  ? SyS_getpeername+0x30/0x30
[   32.186575]  do_syscall_64+0x281/0x940
[   32.190428]  ? __do_page_fault+0xc90/0xc90
[   32.194630]  ? trace_event_raw_event_sys_exit+0x260/0x260
[   32.200133]  ? syscall_return_slowpath+0x550/0x550
[   32.205030]  ? syscall_return_slowpath+0x2ac/0x550
[   32.209928]  ? entry_SYSCALL_64_after_hwframe+0x52/0xb7
[   32.215261]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   32.220075]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[   32.225232] RIP: 0033:0x440249
[   32.228387] RSP: 002b:00007ffd808c9a48 EFLAGS: 00000212 ORIG_RAX: 000000000000002c
[   32.236061] RAX: ffffffffffffffda RBX: 0100000000000000 RCX: 0000000000440249
[   32.243296] RDX: 0000000000000000 RSI: 0000000020001180 RDI: 0000000000000004
[   32.250532] RBP: 00000000006ca018 R08: 00000000200021c0 R09: 0000000000000080
[   32.257769] R10: 0000000000040001 R11: 0000000000000212 R12: 0000000000401b70
[   32.265006] R13: 0000000000401c00 R14: 0000000000000000 R15: 0000000000000000
[   32.272598] Dumping ftrace buffer:
[   32.276105]    (ftrace buffer empty)
[   32.279782] Kernel Offset: disabled
[   32.283376] Rebooting in 86400 seconds..