audit: type=1400 audit(1516278325.038:7): avc: denied { map } for pid=3661 comm="syzkaller305190" path="/root/syzkaller305190205" dev="sda1" ino=16481 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
==================================================================
BUG: KASAN: use-after-free in ip6_dst_idev include/net/ip6_fib.h:192 [inline]
BUG: KASAN: use-after-free in ip6_xmit+0x1ce9/0x2090 net/ipv6/ip6_output.c:264
Read of size 8 at addr ffff8801c1597018 by task syzkaller305190/3661

CPU: 0 PID: 3661 Comm: syzkaller305190 Not tainted 4.15.0-rc8-next-20180118+ #100
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:17 [inline]
 dump_stack+0x194/0x257 lib/dump_stack.c:53
 print_address_description+0x73/0x250 mm/kasan/report.c:256
 kasan_report_error mm/kasan/report.c:354 [inline]
 kasan_report+0x23b/0x360 mm/kasan/report.c:412
 __asan_report_load8_noabort+0x14/0x20 mm/kasan/report.c:433
 ip6_dst_idev include/net/ip6_fib.h:192 [inline]
 ip6_xmit+0x1ce9/0x2090 net/ipv6/ip6_output.c:264
 inet6_csk_xmit+0x2fc/0x580 net/ipv6/inet6_connection_sock.c:139
 l2tp_xmit_core net/l2tp/l2tp_core.c:1099 [inline]
 l2tp_xmit_skb+0x105f/0x1410 net/l2tp/l2tp_core.c:1194
 pppol2tp_sendmsg+0x470/0x670 net/l2tp/l2tp_ppp.c:341
 sock_sendmsg_nosec net/socket.c:630 [inline]
 sock_sendmsg+0xca/0x110 net/socket.c:640
 ___sys_sendmsg+0x320/0x8b0 net/socket.c:2020
 __sys_sendmmsg+0x1ee/0x620 net/socket.c:2110
 SYSC_sendmmsg net/socket.c:2141 [inline]
 SyS_sendmmsg+0x35/0x60 net/socket.c:2136
 entry_SYSCALL_64_fastpath+0x29/0xa0
RIP: 0033:0x440339
RSP: 002b:00007fff22989688 EFLAGS: 00000217 ORIG_RAX: 0000000000000133
RAX: ffffffffffffffda RBX: ffffffffffffffff RCX: 0000000000440339
RDX: 0000000000000002 RSI: 0000000020091f88 RDI: 0000000000000004
RBP: 00000000006ca018 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000004004080 R11: 0000000000000217 R12: 0000000000401c60
R13: 0000000000401cf0 R14: 0000000000000000 R15: 0000000000000000

Allocated by task 3424:
 save_stack+0x43/0xd0 mm/kasan/kasan.c:447
 set_track mm/kasan/kasan.c:459 [inline]
 kasan_kmalloc+0xad/0xe0 mm/kasan/kasan.c:552
 kasan_slab_alloc+0x12/0x20 mm/kasan/kasan.c:489
 kmem_cache_alloc+0x12e/0x760 mm/slab.c:3541
 anon_vma_chain_alloc mm/rmap.c:128 [inline]
 __anon_vma_prepare+0xbc/0x6b0 mm/rmap.c:182
 anon_vma_prepare include/linux/rmap.h:153 [inline]
 do_cow_fault mm/memory.c:3650 [inline]
 do_fault mm/memory.c:3736 [inline]
 handle_pte_fault mm/memory.c:3965 [inline]
 __handle_mm_fault+0x3099/0x3ce0 mm/memory.c:4089
 handle_mm_fault+0x38f/0x930 mm/memory.c:4126
 __do_page_fault+0x5c9/0xc90 arch/x86/mm/fault.c:1430
 do_page_fault+0xee/0x720 arch/x86/mm/fault.c:1505
 page_fault+0x4c/0x60 arch/x86/entry/entry_64.S:1260

Freed by task 3424:
 save_stack+0x43/0xd0 mm/kasan/kasan.c:447
 set_track mm/kasan/kasan.c:459 [inline]
 __kasan_slab_free+0x11a/0x170 mm/kasan/kasan.c:520
 kasan_slab_free+0xe/0x10 mm/kasan/kasan.c:527
 __cache_free mm/slab.c:3485 [inline]
 kmem_cache_free+0x86/0x2b0 mm/slab.c:3743
 anon_vma_chain_free mm/rmap.c:133 [inline]
 unlink_anon_vmas+0x20d/0x9f0 mm/rmap.c:400
 free_pgtables+0x21e/0x330 mm/memory.c:641
 exit_mmap+0x291/0x500 mm/mmap.c:3050
 __mmput kernel/fork.c:966 [inline]
 mmput+0x223/0x6c0 kernel/fork.c:987
 exit_mm kernel/exit.c:544 [inline]
 do_exit+0x90a/0x1ad0 kernel/exit.c:856
 do_group_exit+0x149/0x400 kernel/exit.c:972
 SYSC_exit_group kernel/exit.c:983 [inline]
 SyS_exit_group+0x1d/0x20 kernel/exit.c:981
 entry_SYSCALL_64_fastpath+0x29/0xa0

The buggy address belongs to the object at ffff8801c1597000
 which belongs to the cache anon_vma_chain of size 64
The buggy address is located 24 bytes inside of
 64-byte region [ffff8801c1597000, ffff8801c1597040)
The buggy address belongs to the page:
page:ffffea00070565c0 count:1 mapcount:0 mapping:ffff8801c1597000 index:0x0
flags: 0x2fffc0000000100(slab)
raw: 02fffc0000000100 ffff8801c1597000 0000000000000000 000000010000002a
raw: ffffea000708fde0 ffffea000729ae60 ffff8801dad30500 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff8801c1596f00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffff8801c1596f80: 00 00 00 00 00 fc fc fc fc fc fc fc fc fc fc fc
>ffff8801c1597000: fb fb fb fb fb fb fb fb fc fc fc fc fb fb fb fb
                            ^
 ffff8801c1597080: fb fb fb fb fc fc fc fc fb fb fb fb fb fb fb fb
 ffff8801c1597100: fc fc fc fc fb fb fb fb fb fb fb fb fc fc fc fc
==================================================================