[ ok ] Starting enhanced syslogd: rsyslogd.
[ 15.711957] audit: type=1400 audit(1520574624.597:5): avc: denied { syslog } for pid=4061 comm="rsyslogd" capability=34 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=capability2 permissive=1
[ ok ] Starting periodic command scheduler: cron.
Starting mcstransd:
[ ok ] Starting file context maintaining daemon: restorecond.
[ ok ] Starting OpenBSD Secure Shell server: sshd.

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login:
[ 18.777977] audit: type=1400 audit(1520574627.663:6): avc: denied { map } for pid=4200 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
Warning: Permanently added '10.128.0.8' (ECDSA) to the list of known hosts.
executing program
[ 33.518631] audit: type=1400 audit(1520574642.404:7): avc: denied { map } for pid=4216 comm="syzkaller231383" path="/root/syzkaller231383811" dev="sda1" ino=16481 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
[ 33.523544] ==================================================================
[ 33.551872] BUG: KASAN: use-after-free in ip6_xmit+0x1f76/0x2260
[ 33.557991] Read of size 8 at addr ffff8801ba338f18 by task syzkaller231383/4216
[ 33.565504]
[ 33.567105] CPU: 1 PID: 4216 Comm: syzkaller231383 Not tainted 4.16.0-rc4+ #258
[ 33.574520] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 33.583846] Call Trace:
[ 33.586409] dump_stack+0x194/0x24d
[ 33.590015] ? arch_local_irq_restore+0x53/0x53
[ 33.594655] ? show_regs_print_info+0x18/0x18
[ 33.599126] ? ip6_xmit+0x1f76/0x2260
[ 33.602899] print_address_description+0x73/0x250
[ 33.607717] ? ip6_xmit+0x1f76/0x2260
[ 33.611490] kasan_report+0x23c/0x360
[ 33.615264] __asan_report_load8_noabort+0x14/0x20
[ 33.620169] ip6_xmit+0x1f76/0x2260
[ 33.623784] ? ip6_finish_output2+0x23d0/0x23d0
[ 33.628429] ? fl6_update_dst+0x127/0x2b0
[ 33.632559] ? inet6_csk_route_socket+0x691/0xe80
[ 33.637375] ? trace_hardirqs_off+0x10/0x10
[ 33.641668] ? lock_acquire+0x1d5/0x580
[ 33.645613] ? lock_acquire+0x1d5/0x580
[ 33.649557] ? inet6_csk_xmit+0x114/0x580
[ 33.653680] ? trace_hardirqs_off+0x10/0x10
[ 33.657987] ? lock_release+0xa40/0xa40
[ 33.661949] inet6_csk_xmit+0x2fc/0x580
[ 33.665895] ? inet6_csk_update_pmtu+0x160/0x160
[ 33.670630] ? __sk_dst_check+0x1a5/0x380
[ 33.674763] ? sock_kzfree_s+0x60/0x60
[ 33.678643] l2tp_xmit_skb+0x105f/0x1410
[ 33.682689] ? l2tp_session_create+0xb80/0xb80
[ 33.687244] ? sock_wmalloc+0x15d/0x1d0
[ 33.691191] ? iov_iter_advance+0x13f0/0x13f0
[ 33.695662] ? pppol2tp_sendmsg+0x41b/0x670
[ 33.699959] pppol2tp_sendmsg+0x470/0x670
[ 33.704084] ? selinux_socket_sendmsg+0x36/0x40
[ 33.708728] ? pppol2tp_getsockopt+0x900/0x900
[ 33.713283] sock_sendmsg+0xca/0x110
[ 33.716972] ___sys_sendmsg+0x767/0x8b0
[ 33.720925] ? copy_msghdr_from_user+0x590/0x590
[ 33.725658] ? __pmd_alloc+0x4e0/0x4e0
[ 33.729520] ? trace_hardirqs_off+0x10/0x10
[ 33.733820] ? find_held_lock+0x35/0x1d0
[ 33.737873] ? __fget_light+0x2b2/0x3c0
[ 33.741819] ? fget_raw+0x20/0x20
[ 33.745259] ? __do_page_fault+0x5f7/0xc90
[ 33.749464] ? lock_downgrade+0x980/0x980
[ 33.753591] __sys_sendmsg+0xe5/0x210
[ 33.757363] ? __sys_sendmsg+0xe5/0x210
[ 33.761308] ? SyS_shutdown+0x290/0x290
[ 33.765260] ? __do_page_fault+0x3d6/0xc90
[ 33.769475] ? move_addr_to_kernel+0x60/0x60
[ 33.773860] SyS_sendmsg+0x2d/0x50
[ 33.777372] ? __sys_sendmsg+0x210/0x210
[ 33.781404] do_syscall_64+0x281/0x940
[ 33.785263] ? __do_page_fault+0xc90/0xc90
[ 33.789470] ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 33.794198] ? syscall_return_slowpath+0x550/0x550
[ 33.799102] ? syscall_return_slowpath+0x2ac/0x550
[ 33.804013] ? prepare_exit_to_usermode+0x350/0x350
[ 33.809002] ? retint_user+0x18/0x18
[ 33.812691] ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 33.817529] entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 33.822710] RIP: 0033:0x43ffb9
[ 33.825873] RSP: 002b:00007fff101b57c8 EFLAGS: 00000217 ORIG_RAX: 000000000000002e
[ 33.833553] RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 000000000043ffb9
[ 33.840795] RDX: 0000000000000081 RSI: 000000002037ffc8 RDI: 0000000000000004
[ 33.848037] RBP: 00000000006ca018 R08: 00000000004002c8 R09: 00000000004002c8
[ 33.855275] R10: 00000000004002c8 R11: 0000000000000217 R12: 00000000004018e0
[ 33.862513] R13: 0000000000401970 R14: 0000000000000000 R15: 0000000000000000
[ 33.869768]
[ 33.871370] Allocated by task 4153:
[ 33.874980] save_stack+0x43/0xd0
[ 33.878418] kasan_kmalloc+0xad/0xe0
[ 33.882105] kasan_slab_alloc+0x12/0x20
[ 33.886049] kmem_cache_alloc+0x12e/0x760
[ 33.890171] dst_alloc+0x11f/0x1a0
[ 33.893682] rt_dst_alloc+0xe9/0x4e0
[ 33.897367] ip_route_output_key_hash_rcu+0xa59/0x2fe0
[ 33.902611] ip_route_output_key_hash+0x20b/0x370
[ 33.907427] __ip4_datagram_connect+0xa67/0x1240
[ 33.912152] __ip6_datagram_connect+0x749/0x12d0
[ 33.916877] ip6_datagram_connect+0x2f/0x50
[ 33.921166] inet_dgram_connect+0x16b/0x1f0
[ 33.925458] SYSC_connect+0x213/0x4a0
[ 33.929227] SyS_connect+0x24/0x30
[ 33.932740] do_syscall_64+0x281/0x940
[ 33.936598] entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 33.941754]
[ 33.943354] Freed by task 4153:
[ 33.946606] save_stack+0x43/0xd0
[ 33.950030] __kasan_slab_free+0x11a/0x170
[ 33.954234] kasan_slab_free+0xe/0x10
[ 33.958004] kmem_cache_free+0x83/0x2a0
[ 33.961948] dst_destroy+0x257/0x370
[ 33.965629] dst_destroy_rcu+0x16/0x20
[ 33.969486] rcu_process_callbacks+0xd6c/0x17f0
[ 33.974125] __do_softirq+0x2d7/0xb85
[ 33.977896]
[ 33.979497] The buggy address belongs to the object at ffff8801ba338f00
[ 33.979497] which belongs to the cache ip_dst_cache of size 160
[ 33.992216] The buggy address is located 24 bytes inside of
[ 33.992216] 160-byte region [ffff8801ba338f00, ffff8801ba338fa0)
[ 34.003975] The buggy address belongs to the page:
[ 34.008875] page:ffffea0006e8ce00 count:1 mapcount:0 mapping:ffff8801ba338000 index:0x0
[ 34.016986] flags: 0x2fffc0000000100(slab)
[ 34.021193] raw: 02fffc0000000100 ffff8801ba338000 0000000000000000 0000000100000010
[ 34.029043] raw: ffff8801d6bd5248 ffff8801d6bd5248 ffff8801d5bac4c0 0000000000000000
[ 34.036892] page dumped because: kasan: bad access detected
[ 34.042568]
[ 34.044165] Memory state around the buggy address:
[ 34.049065] ffff8801ba338e00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 34.056392] ffff8801ba338e80: 00 00 00 00 fc fc fc fc fc fc fc fc fc fc fc fc
[ 34.063722] >ffff8801ba338f00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 34.071049] ^
[ 34.075166] ffff8801ba338f80: fb fb fb fb fc fc fc fc fc fc fc fc fc fc fc fc
[ 34.082493] ffff8801ba339000: fb fb fb fb fb fb fb fb fc fc fc fc fb fb fb fb
[ 34.089823] ==================================================================
[ 34.097152] Disabling lock debugging due to kernel taint
[ 34.102610] Kernel panic - not syncing: panic_on_warn set ...
[ 34.102610]
[ 34.109943] CPU: 1 PID: 4216 Comm: syzkaller231383 Tainted: G B 4.16.0-rc4+ #258
[ 34.118661] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 34.127987] Call Trace:
[ 34.130550] dump_stack+0x194/0x24d
[ 34.134146] ? arch_local_irq_restore+0x53/0x53
[ 34.138782] ? kasan_end_report+0x32/0x50
[ 34.142901] ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 34.147630] ? vsnprintf+0x1ed/0x1900
[ 34.151405] ? ip6_xmit+0x1ee0/0x2260
[ 34.155176] panic+0x1e4/0x41c
[ 34.158346] ? refcount_error_report+0x214/0x214
[ 34.163088] ? add_taint+0x1c/0x50
[ 34.166595] ? add_taint+0x1c/0x50
[ 34.170105] ? ip6_xmit+0x1f76/0x2260
[ 34.173879] kasan_end_report+0x50/0x50
[ 34.177821] kasan_report+0x149/0x360
[ 34.181596] __asan_report_load8_noabort+0x14/0x20
[ 34.186496] ip6_xmit+0x1f76/0x2260
[ 34.190098] ? ip6_finish_output2+0x23d0/0x23d0
[ 34.194739] ? fl6_update_dst+0x127/0x2b0
[ 34.198859] ? inet6_csk_route_socket+0x691/0xe80
[ 34.203673] ? trace_hardirqs_off+0x10/0x10
[ 34.207963] ? lock_acquire+0x1d5/0x580
[ 34.211906] ? lock_acquire+0x1d5/0x580
[ 34.215858] ? inet6_csk_xmit+0x114/0x580
[ 34.219979] ? trace_hardirqs_off+0x10/0x10
[ 34.224272] ? lock_release+0xa40/0xa40
[ 34.228222] inet6_csk_xmit+0x2fc/0x580
[ 34.232165] ? inet6_csk_update_pmtu+0x160/0x160
[ 34.236887] ? __sk_dst_check+0x1a5/0x380
[ 34.241003] ? sock_kzfree_s+0x60/0x60
[ 34.244869] l2tp_xmit_skb+0x105f/0x1410
[ 34.248906] ? l2tp_session_create+0xb80/0xb80
[ 34.253460] ? sock_wmalloc+0x15d/0x1d0
[ 34.257402] ? iov_iter_advance+0x13f0/0x13f0
[ 34.261866] ? pppol2tp_sendmsg+0x41b/0x670
[ 34.266164] pppol2tp_sendmsg+0x470/0x670
[ 34.270285] ? selinux_socket_sendmsg+0x36/0x40
[ 34.274925] ? pppol2tp_getsockopt+0x900/0x900
[ 34.279476] sock_sendmsg+0xca/0x110
[ 34.283161] ___sys_sendmsg+0x767/0x8b0
[ 34.287105] ? copy_msghdr_from_user+0x590/0x590
[ 34.291833] ? __pmd_alloc+0x4e0/0x4e0
[ 34.295693] ? trace_hardirqs_off+0x10/0x10
[ 34.299985] ? find_held_lock+0x35/0x1d0
[ 34.304016] ? __fget_light+0x2b2/0x3c0
[ 34.307959] ? fget_raw+0x20/0x20
[ 34.311394] ? __do_page_fault+0x5f7/0xc90
[ 34.315603] ? lock_downgrade+0x980/0x980
[ 34.319727] __sys_sendmsg+0xe5/0x210
[ 34.323497] ? __sys_sendmsg+0xe5/0x210
[ 34.327439] ? SyS_shutdown+0x290/0x290
[ 34.331391] ? __do_page_fault+0x3d6/0xc90
[ 34.335597] ? move_addr_to_kernel+0x60/0x60
[ 34.339976] SyS_sendmsg+0x2d/0x50
[ 34.343481] ? __sys_sendmsg+0x210/0x210
[ 34.347512] do_syscall_64+0x281/0x940
[ 34.351369] ? __do_page_fault+0xc90/0xc90
[ 34.355575] ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 34.360300] ? syscall_return_slowpath+0x550/0x550
[ 34.365196] ? syscall_return_slowpath+0x2ac/0x550
[ 34.370093] ? prepare_exit_to_usermode+0x350/0x350
[ 34.375102] ? retint_user+0x18/0x18
[ 34.378791] ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 34.383607] entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 34.388763] RIP: 0033:0x43ffb9
[ 34.391920] RSP: 002b:00007fff101b57c8 EFLAGS: 00000217 ORIG_RAX: 000000000000002e
[ 34.399594] RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 000000000043ffb9
[ 34.406834] RDX: 0000000000000081 RSI: 000000002037ffc8 RDI: 0000000000000004
[ 34.414085] RBP: 00000000006ca018 R08: 00000000004002c8 R09: 00000000004002c8
[ 34.421328] R10: 00000000004002c8 R11: 0000000000000217 R12: 00000000004018e0
[ 34.428567] R13: 0000000000401970 R14: 0000000000000000 R15: 0000000000000000
[ 34.436178] Dumping ftrace buffer:
[ 34.439686] (ftrace buffer empty)
[ 34.443366] Kernel Offset: disabled
[ 34.446968] Rebooting in 86400 seconds..