[....] Starting enhanced syslogd: rsyslogd
[   12.873934] audit: type=1400 audit(1516276823.758:4): avc: denied { syslog } for pid=3168 comm="rsyslogd" capability=34 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=capability2 permissive=1
[ ok ].
[....] Starting periodic command scheduler: cron [ ok ].
Starting mcstransd:
[....] Starting file context maintaining daemon: restorecond [ ok ].
[....] Starting OpenBSD Secure Shell server: sshd [ ok ].

Debian GNU/Linux 7 syzkaller ttyS0

Warning: Permanently added '10.128.0.10' (ECDSA) to the list of known hosts.
executing program
syzkaller login: [   24.288026] ==================================================================
[   24.295404] BUG: KASAN: use-after-free in ip6_xmit+0x1bc7/0x1bd0
[   24.301518] Read of size 8 at addr ffff8801cfac9298 by task syzkaller231529/3324
[   24.309015] 
[   24.310611] CPU: 0 PID: 3324 Comm: syzkaller231529 Not tainted 4.9.77-g033d019 #14
[   24.318281] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   24.327606]  ffff8801c8f675a0 ffffffff81d941c9 ffffea00073eb240 ffff8801cfac9298
[   24.335574]  0000000000000000 ffff8801cfac9298 ffff8801caeced64 ffff8801c8f675d8
[   24.343544]  ffffffff8153db93 ffff8801cfac9298 0000000000000008 0000000000000000
[   24.351502] Call Trace:
[   24.354057]  [] dump_stack+0xc1/0x128
[   24.359391]  [] print_address_description+0x73/0x280
[   24.366031]  [] kasan_report+0x275/0x360
[   24.371625]  [] ? ip6_xmit+0x1bc7/0x1bd0
[   24.377217]  [] __asan_report_load8_noabort+0x14/0x20
[   24.383939]  [] ip6_xmit+0x1bc7/0x1bd0
[   24.389360]  [] ? save_stack_trace+0x16/0x20
[   24.395320]  [] ? save_trace+0xe0/0x270
[   24.400850]  [] ? ip6_finish_output2+0x1d20/0x1d20
[   24.407320]  [] ? debug_check_no_locks_freed+0x2c0/0x2c0
[   24.414302]  [] ? __lock_is_held+0xa1/0xf0
[   24.420072]  [] ? ipv4_dst_check+0x111/0x160
[   24.426015]  [] ? __sk_dst_check+0x10e/0x240
[   24.431958]  [] inet6_csk_xmit+0x27d/0x4d0
[   24.437730]  [] ? inet6_csk_xmit+0x100/0x4d0
[   24.443671]  [] ? inet6_csk_update_pmtu+0x160/0x160
[   24.450218]  [] l2tp_xmit_skb+0xcdc/0xf50
[   24.455899]  [] pppol2tp_sendmsg+0x5c0/0x7a0
[   24.461850]  [] ? selinux_socket_sendmsg+0x3f/0x50
[   24.468319]  [] ? pppol2tp_release+0x2e0/0x2e0
[   24.474439]  [] sock_sendmsg+0xca/0x110
[   24.479946]  [] ___sys_sendmsg+0x320/0x7e0
[   24.485710]  [] ? copy_msghdr_from_user+0x550/0x550
[   24.492256]  [] ? __pagevec_lru_add_fn+0x7b0/0x7b0
[   24.498717]  [] ? _raw_spin_unlock_irqrestore+0x5a/0x70
[   24.505618]  [] ? __lru_cache_add+0x187/0x250
[   24.511646]  [] ? do_huge_pmd_anonymous_page+0xb05/0x10d0
[   24.518714]  [] ? _raw_spin_unlock+0x2c/0x50
[   24.524654]  [] ? __fget_light+0x158/0x1e0
[   24.530418]  [] ? __fdget+0x18/0x20
[   24.535578]  [] ? sockfd_lookup_light+0x118/0x160
[   24.541954]  [] __sys_sendmmsg+0x159/0x3a0
[   24.547724]  [] ? SyS_sendmsg+0x50/0x50
[   24.553231]  [] ? up_read+0x1a/0x40
[   24.558391]  [] ? __do_page_fault+0x3bd/0xd40
[   24.564420]  [] ? trace_hardirqs_on_caller+0x38b/0x590
[   24.571229]  [] SyS_sendmmsg+0x35/0x60
[   24.576657]  [] entry_SYSCALL_64_fastpath+0x29/0xe8
[   24.583201] 
[   24.584796] Allocated by task 3258:
[   24.588392]  save_stack_trace+0x16/0x20
[   24.592335]  save_stack+0x43/0xd0
[   24.595756]  kasan_kmalloc+0xad/0xe0
[   24.599437]  kasan_slab_alloc+0x12/0x20
[   24.603377]  kmem_cache_alloc+0xba/0x290
[   24.607404]  dst_alloc+0x11f/0x1a0
[   24.610911]  rt_dst_alloc+0x78/0x430
[   24.614590]  __ip_route_output_key_hash+0xa4e/0x23e0
[   24.619664]  __ip4_datagram_connect+0xa17/0x1160
[   24.624387]  __ip6_datagram_connect+0x6f9/0xdf0
[   24.629019]  ip6_datagram_connect+0x2f/0x50
[   24.633312]  inet_dgram_connect+0x16b/0x1f0
[   24.637604]  SYSC_connect+0x1b6/0x310
[   24.641370]  SyS_connect+0x24/0x30
[   24.644877]  entry_SYSCALL_64_fastpath+0x29/0xe8
[   24.649596] 
[   24.651193] Freed by task 3281:
[   24.654440]  save_stack_trace+0x16/0x20
[   24.658381]  save_stack+0x43/0xd0
[   24.661800]  kasan_slab_free+0x72/0xc0
[   24.665653]  kmem_cache_free+0xc7/0x300
[   24.669593]  dst_destroy+0x1fd/0x360
[   24.673272]  dst_destroy_rcu+0x15/0x40
[   24.677128]  rcu_process_callbacks+0x898/0x1300
[   24.681763]  __do_softirq+0x206/0x951
[   24.685528] 
[   24.687124] The buggy address belongs to the object at ffff8801cfac9280
[   24.687124]  which belongs to the cache ip_dst_cache of size 216
[   24.699834] The buggy address is located 24 bytes inside of
[   24.699834]  216-byte region [ffff8801cfac9280, ffff8801cfac9358)
[   24.711588] The buggy address belongs to the page:
[   24.716487] page:ffffea00073eb240 count:1 mapcount:0 mapping: (null) index:0x0
[   24.724710] flags: 0x8000000000000080(slab)
[   24.729008] page dumped because: kasan: bad access detected
[   24.734684] 
[   24.736280] Memory state around the buggy address:
[   24.741180]  ffff8801cfac9180: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   24.748505]  ffff8801cfac9200: 00 00 00 fc fc fc fc fc fc fc fc fc fc fc fc fc
[   24.755832] >ffff8801cfac9280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   24.763160]                             ^
[   24.767276]  ffff8801cfac9300: fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc fc
[   24.774603]  ffff8801cfac9380: fc fc fc fc fc fc fc fc 00 00 00 00 00 00 00 00
[   24.781925] ==================================================================
[   24.789249] Disabling lock debugging due to kernel taint
[   24.794707] Kernel panic - not syncing: panic_on_warn set ...
[   24.794707] 
[   24.802041] CPU: 0 PID: 3324 Comm: syzkaller231529 Tainted: G B 4.9.77-g033d019 #14
[   24.810932] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   24.820257]  ffff8801c8f674f8 ffffffff81d941c9 ffffffff841970ff ffff8801c8f675d0
[   24.828241]  0000000000000000 ffff8801cfac9298 ffff8801caeced64 ffff8801c8f675c0
[   24.836207]  ffffffff8142f3c1 0000000041b58ab3 ffffffff8418ab70 ffffffff8142f205
[   24.844170] Call Trace:
[   24.846727]  [] dump_stack+0xc1/0x128
[   24.852059]  [] panic+0x1bc/0x3a8
[   24.857048]  [] ? percpu_up_read_preempt_enable.constprop.53+0xd7/0xd7
[   24.865247]  [] kasan_end_report+0x50/0x50
[   24.871011]  [] kasan_report+0x167/0x360
[   24.876606]  [] ? ip6_xmit+0x1bc7/0x1bd0
[   24.882203]  [] __asan_report_load8_noabort+0x14/0x20
[   24.888923]  [] ip6_xmit+0x1bc7/0x1bd0
[   24.894343]  [] ? save_stack_trace+0x16/0x20
[   24.900283]  [] ? save_trace+0xe0/0x270
[   24.905793]  [] ? ip6_finish_output2+0x1d20/0x1d20
[   24.912255]  [] ? debug_check_no_locks_freed+0x2c0/0x2c0
[   24.919246]  [] ? __lock_is_held+0xa1/0xf0
[   24.925016]  [] ? ipv4_dst_check+0x111/0x160
[   24.930959]  [] ? __sk_dst_check+0x10e/0x240
[   24.936902]  [] inet6_csk_xmit+0x27d/0x4d0
[   24.942671]  [] ? inet6_csk_xmit+0x100/0x4d0
[   24.948609]  [] ? inet6_csk_update_pmtu+0x160/0x160
[   24.955163]  [] l2tp_xmit_skb+0xcdc/0xf50
[   24.960846]  [] pppol2tp_sendmsg+0x5c0/0x7a0
[   24.966793]  [] ? selinux_socket_sendmsg+0x3f/0x50
[   24.973271]  [] ? pppol2tp_release+0x2e0/0x2e0
[   24.979389]  [] sock_sendmsg+0xca/0x110
[   24.984896]  [] ___sys_sendmsg+0x320/0x7e0
[   24.990672]  [] ? copy_msghdr_from_user+0x550/0x550
[   24.997226]  [] ? __pagevec_lru_add_fn+0x7b0/0x7b0
[   25.003690]  [] ? _raw_spin_unlock_irqrestore+0x5a/0x70
[   25.010590]  [] ? __lru_cache_add+0x187/0x250
[   25.016621]  [] ? do_huge_pmd_anonymous_page+0xb05/0x10d0
[   25.023694]  [] ? _raw_spin_unlock+0x2c/0x50
[   25.029639]  [] ? __fget_light+0x158/0x1e0
[   25.035409]  [] ? __fdget+0x18/0x20
[   25.040573]  [] ? sockfd_lookup_light+0x118/0x160
[   25.046949]  [] __sys_sendmmsg+0x159/0x3a0
[   25.052719]  [] ? SyS_sendmsg+0x50/0x50
[   25.058235]  [] ? up_read+0x1a/0x40
[   25.063401]  [] ? __do_page_fault+0x3bd/0xd40
[   25.069432]  [] ? trace_hardirqs_on_caller+0x38b/0x590
[   25.076243]  [] SyS_sendmmsg+0x35/0x60
[   25.081668]  [] entry_SYSCALL_64_fastpath+0x29/0xe8
[   25.088621] Dumping ftrace buffer:
[   25.092133]    (ftrace buffer empty)
[   25.095814] Kernel Offset: disabled
[   25.099410] Rebooting in 86400 seconds..