[ ok ] Starting enhanced syslogd: rsyslogd.
[   15.993690] audit: type=1400 audit(1520848538.663:5): avc:  denied  { syslog } for  pid=4040 comm="rsyslogd" capability=34  scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=capability2 permissive=1
Starting mcstransd:
[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting file context maintaining daemon: restorecond.
[ ok ] Starting OpenBSD Secure Shell server: sshd.

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [   19.264811] audit: type=1400 audit(1520848541.934:6): avc:  denied  { map } for  pid=4179 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
Warning: Permanently added '10.128.0.29' (ECDSA) to the list of known hosts.
executing program
[   37.916306] audit: type=1400 audit(1520848560.586:7): avc:  denied  { map } for  pid=4196 comm="syzkaller709056" path="/root/syzkaller709056920" dev="sda1" ino=16481 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
[   37.919960] ==================================================================
[   37.949561] BUG: KASAN: use-after-free in ip6_xmit+0x1f76/0x2260
[   37.955676] Read of size 8 at addr ffff8801ce079f18 by task syzkaller709056/4196
[   37.963177]
[   37.964780] CPU: 1 PID: 4196 Comm: syzkaller709056 Not tainted 4.16.0-rc4+ #261
[   37.972209] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   37.981532] Call Trace:
[   37.984094]  dump_stack+0x194/0x24d
[   37.987693]  ? arch_local_irq_restore+0x53/0x53
[   37.992334]  ? show_regs_print_info+0x18/0x18
[   37.996808]  ? ip6_xmit+0x1f76/0x2260
[   38.000582]  print_address_description+0x73/0x250
[   38.005396]  ? ip6_xmit+0x1f76/0x2260
[   38.009167]  kasan_report+0x23c/0x360
[   38.012944]  __asan_report_load8_noabort+0x14/0x20
[   38.017852]  ip6_xmit+0x1f76/0x2260
[   38.021464]  ? ip6_finish_output2+0x23d0/0x23d0
[   38.026104]  ? fl6_update_dst+0x127/0x2b0
[   38.030228]  ? inet6_csk_route_socket+0x691/0xe80
[   38.035044]  ? trace_hardirqs_off+0x10/0x10
[   38.039338]  ? lock_acquire+0x1d5/0x580
[   38.043287]  ? lock_acquire+0x1d5/0x580
[   38.047233]  ? inet6_csk_xmit+0x114/0x580
[   38.051353]  ? trace_hardirqs_off+0x10/0x10
[   38.055648]  ? lock_release+0xa40/0xa40
[   38.059611]  inet6_csk_xmit+0x2fc/0x580
[   38.063556]  ? inet6_csk_update_pmtu+0x160/0x160
[   38.068285]  ? __sk_dst_check+0x1a5/0x380
[   38.072406]  ? sock_kzfree_s+0x60/0x60
[   38.076281]  l2tp_xmit_skb+0x105f/0x1410
[   38.080321]  ? l2tp_session_create+0xb80/0xb80
[   38.084873]  ? sock_wmalloc+0x15d/0x1d0
[   38.088823]  ? iov_iter_advance+0x13f0/0x13f0
[   38.093293]  ? pppol2tp_sendmsg+0x41b/0x670
[   38.097588]  pppol2tp_sendmsg+0x470/0x670
[   38.101708]  ? selinux_socket_sendmsg+0x36/0x40
[   38.106354]  ? pppol2tp_getsockopt+0x900/0x900
[   38.110907]  sock_sendmsg+0xca/0x110
[   38.114593]  SYSC_sendto+0x361/0x5c0
[   38.118281]  ? SYSC_connect+0x4a0/0x4a0
[   38.122235]  ? inet_dgram_connect+0x172/0x1f0
[   38.126714]  ? SYSC_connect+0x2e0/0x4a0
[   38.130687]  ? mm_fault_error+0x2c0/0x2c0
[   38.134806]  ? move_addr_to_kernel+0x60/0x60
[   38.139196]  SyS_sendto+0x40/0x50
[   38.142618]  ? SyS_getpeername+0x30/0x30
[   38.146650]  do_syscall_64+0x281/0x940
[   38.150505]  ? __do_page_fault+0xc90/0xc90
[   38.154709]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[   38.159438]  ? syscall_return_slowpath+0x550/0x550
[   38.164341]  ? syscall_return_slowpath+0x2ac/0x550
[   38.169243]  ? prepare_exit_to_usermode+0x350/0x350
[   38.174231]  ? entry_SYSCALL_64_after_hwframe+0x52/0xb7
[   38.179569]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   38.184390]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[   38.189549] RIP: 0033:0x440139
[   38.192709] RSP: 002b:00007ffc81465de8 EFLAGS: 00000212 ORIG_RAX: 000000000000002c
[   38.200389] RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 0000000000440139
[   38.207634] RDX: 0000000000000000 RSI: 0000000020001180 RDI: 0000000000000004
[   38.214873] RBP: 00000000006ca018 R08: 00000000200021c0 R09: 0000000000000080
[   38.222112] R10: 0000000000040001 R11: 0000000000000212 R12: 0000000000401a60
[   38.229350] R13: 0000000000401af0 R14: 0000000000000000 R15: 0000000000000000
[   38.236606]
[   38.238202] Allocated by task 1695:
[   38.241801]  save_stack+0x43/0xd0
[   38.245223]  kasan_kmalloc+0xad/0xe0
[   38.248904]  kasan_slab_alloc+0x12/0x20
[   38.252849]  kmem_cache_alloc+0x12e/0x760
[   38.256965]  dst_alloc+0x11f/0x1a0
[   38.260473]  rt_dst_alloc+0xe9/0x4e0
[   38.264154]  ip_route_input_slow+0x1284/0x3c80
[   38.268702]  ip_route_input_rcu+0xf1/0xd20
[   38.272904]  ip_route_input_noref+0xf5/0x1e0
[   38.277279]  ip_rcv_finish+0x3a6/0x2040
[   38.281220]  ip_rcv+0xb76/0x1820
[   38.284558]  __netif_receive_skb_core+0x1a41/0x3460
[   38.289543]  __netif_receive_skb+0x2c/0x1b0
[   38.293836]  netif_receive_skb_internal+0x10b/0x670
[   38.298822]  napi_gro_receive+0x3d0/0x500
[   38.302939]  receive_buf+0xb6f/0x2530
[   38.306708]  virtnet_poll+0x320/0xb70
[   38.310475]  net_rx_action+0x792/0x1910
[   38.314418]  __do_softirq+0x2d7/0xb85
[   38.318185]
[   38.319783] Freed by task 3874:
[   38.323032]  save_stack+0x43/0xd0
[   38.326454]  __kasan_slab_free+0x11a/0x170
[   38.330657]  kasan_slab_free+0xe/0x10
[   38.334428]  kmem_cache_free+0x83/0x2a0
[   38.338374]  dst_destroy+0x257/0x370
[   38.342055]  dst_destroy_rcu+0x16/0x20
[   38.345911]  rcu_process_callbacks+0xd6c/0x17f0
[   38.350548]  __do_softirq+0x2d7/0xb85
[   38.354314]
[   38.355915] The buggy address belongs to the object at ffff8801ce079f00
[   38.355915]  which belongs to the cache ip_dst_cache of size 160
[   38.368623] The buggy address is located 24 bytes inside of
[   38.368623]  160-byte region [ffff8801ce079f00, ffff8801ce079fa0)
[   38.380380] The buggy address belongs to the page:
[   38.385280] page:ffffea0007381e40 count:1 mapcount:0 mapping:ffff8801ce079000 index:0xffff8801ce079d00
[   38.394695] flags: 0x2fffc0000000100(slab)
[   38.398900] raw: 02fffc0000000100 ffff8801ce079000 ffff8801ce079d00 000000010000000f
[   38.406835] raw: ffff8801d5bcad38 ffff8801d5bcad38 ffff8801d5bc94c0 0000000000000000
[   38.414683] page dumped because: kasan: bad access detected
[   38.420360]
[   38.421960] Memory state around the buggy address:
[   38.426858]  ffff8801ce079e00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   38.434184]  ffff8801ce079e80: 00 00 00 00 fc fc fc fc fc fc fc fc fc fc fc fc
[   38.441509] >ffff8801ce079f00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   38.448834]                             ^
[   38.452958]  ffff8801ce079f80: fb fb fb fb fc fc fc fc fc fc fc fc fc fc fc fc
[   38.460289]  ffff8801ce07a000: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   38.467614] ==================================================================
[   38.474941] Disabling lock debugging due to kernel taint
[   38.480401] Kernel panic - not syncing: panic_on_warn set ...
[   38.480401]
[   38.487733] CPU: 1 PID: 4196 Comm: syzkaller709056 Tainted: G    B            4.16.0-rc4+ #261
[   38.496446] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   38.505769] Call Trace:
[   38.508329]  dump_stack+0x194/0x24d
[   38.511924]  ? arch_local_irq_restore+0x53/0x53
[   38.516564]  ? kasan_end_report+0x32/0x50
[   38.520685]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[   38.525410]  ? vsnprintf+0x1ed/0x1900
[   38.529180]  ? ip6_xmit+0x1eb0/0x2260
[   38.532949]  panic+0x1e4/0x41c
[   38.536110]  ? refcount_error_report+0x214/0x214
[   38.540837]  ? add_taint+0x1c/0x50
[   38.544346]  ? add_taint+0x1c/0x50
[   38.547857]  ? ip6_xmit+0x1f76/0x2260
[   38.551627]  kasan_end_report+0x50/0x50
[   38.555572]  kasan_report+0x149/0x360
[   38.559345]  __asan_report_load8_noabort+0x14/0x20
[   38.564241]  ip6_xmit+0x1f76/0x2260
[   38.567843]  ? ip6_finish_output2+0x23d0/0x23d0
[   38.572483]  ? fl6_update_dst+0x127/0x2b0
[   38.576600]  ? inet6_csk_route_socket+0x691/0xe80
[   38.581412]  ? trace_hardirqs_off+0x10/0x10
[   38.585700]  ? lock_acquire+0x1d5/0x580
[   38.589640]  ? lock_acquire+0x1d5/0x580
[   38.593582]  ? inet6_csk_xmit+0x114/0x580
[   38.597697]  ? trace_hardirqs_off+0x10/0x10
[   38.601989]  ? lock_release+0xa40/0xa40
[   38.605938]  inet6_csk_xmit+0x2fc/0x580
[   38.609883]  ? inet6_csk_update_pmtu+0x160/0x160
[   38.614607]  ? __sk_dst_check+0x1a5/0x380
[   38.618725]  ? sock_kzfree_s+0x60/0x60
[   38.622588]  l2tp_xmit_skb+0x105f/0x1410
[   38.626624]  ? l2tp_session_create+0xb80/0xb80
[   38.631173]  ? sock_wmalloc+0x15d/0x1d0
[   38.635115]  ? iov_iter_advance+0x13f0/0x13f0
[   38.639581]  ? pppol2tp_sendmsg+0x41b/0x670
[   38.643871]  pppol2tp_sendmsg+0x470/0x670
[   38.647989]  ? selinux_socket_sendmsg+0x36/0x40
[   38.652625]  ? pppol2tp_getsockopt+0x900/0x900
[   38.657174]  sock_sendmsg+0xca/0x110
[   38.660856]  SYSC_sendto+0x361/0x5c0
[   38.664540]  ? SYSC_connect+0x4a0/0x4a0
[   38.668485]  ? inet_dgram_connect+0x172/0x1f0
[   38.672947]  ? SYSC_connect+0x2e0/0x4a0
[   38.676903]  ? mm_fault_error+0x2c0/0x2c0
[   38.681020]  ? move_addr_to_kernel+0x60/0x60
[   38.685399]  SyS_sendto+0x40/0x50
[   38.688823]  ? SyS_getpeername+0x30/0x30
[   38.692863]  do_syscall_64+0x281/0x940
[   38.696718]  ? __do_page_fault+0xc90/0xc90
[   38.700923]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[   38.705648]  ? syscall_return_slowpath+0x550/0x550
[   38.710553]  ? syscall_return_slowpath+0x2ac/0x550
[   38.715461]  ? prepare_exit_to_usermode+0x350/0x350
[   38.720452]  ? entry_SYSCALL_64_after_hwframe+0x52/0xb7
[   38.725789]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   38.730604]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[   38.735760] RIP: 0033:0x440139
[   38.738920] RSP: 002b:00007ffc81465de8 EFLAGS: 00000212 ORIG_RAX: 000000000000002c
[   38.746595] RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 0000000000440139
[   38.753834] RDX: 0000000000000000 RSI: 0000000020001180 RDI: 0000000000000004
[   38.761075] RBP: 00000000006ca018 R08: 00000000200021c0 R09: 0000000000000080
[   38.768315] R10: 0000000000040001 R11: 0000000000000212 R12: 0000000000401a60
[   38.775552] R13: 0000000000401af0 R14: 0000000000000000 R15: 0000000000000000
[   38.783192] Dumping ftrace buffer:
[   38.786698]    (ftrace buffer empty)
[   38.790381] Kernel Offset: disabled
[   38.793977] Rebooting in 86400 seconds..