[   31.026819] audit: type=1400 audit(1520420115.636:10): avc: denied { sys_admin } for pid=4315 comm="syz-executor0" capability=21 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=cap_userns permissive=1
[   31.034218] IPVS: ftp: loaded support on port[0] = 21
[   31.075632] audit: type=1400 audit(1520420115.685:11): avc: denied { net_admin } for pid=4316 comm="syz-executor0" capability=12 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=cap_userns permissive=1
[   31.396885] IPv6: ADDRCONF(NETDEV_UP): bridge0: link is not ready
[   31.887241] IPv6: ADDRCONF(NETDEV_UP): bond0: link is not ready
[   31.893347] 8021q: adding VLAN 0 to HW filter on device bond0
[   31.943663] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
[   31.993465] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[   32.007379] audit: type=1400 audit(1520420116.617:12): avc: denied { sys_chroot } for pid=4316 comm="syz-executor0" capability=18 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=cap_userns permissive=1
[   32.198468] bond0 (unregistering): Released all slaves
Warning: Permanently added '10.128.0.27' (ECDSA) to the list of known hosts.
2018/03/07 10:55:23 parsed 1 programs
2018/03/07 10:55:23 executed programs: 0
[   39.108457] IPVS: ftp: loaded support on port[0] = 21
[   39.162902] IPVS: ftp: loaded support on port[0] = 21
[   39.201981] IPVS: ftp: loaded support on port[0] = 21
[   39.248888] IPVS: ftp: loaded support on port[0] = 21
[   39.304232] IPVS: ftp: loaded support on port[0] = 21
[   39.374741] IPVS: ftp: loaded support on port[0] = 21
[   39.481564] IPVS: ftp: loaded support on port[0] = 21
[   39.580789] IPVS: ftp: loaded support on port[0] = 21
[   40.581557] IPv6: ADDRCONF(NETDEV_UP): bridge0: link is not ready
[   40.695992] IPv6: ADDRCONF(NETDEV_UP): bridge0: link is not ready
[   40.791770] IPv6: ADDRCONF(NETDEV_UP): bridge0: link is not ready
[   40.816636] IPv6: ADDRCONF(NETDEV_UP): bridge0: link is not ready
[   40.968682] IPv6: ADDRCONF(NETDEV_UP): bridge0: link is not ready
[   41.128151] IPv6: ADDRCONF(NETDEV_UP): bridge0: link is not ready
[   41.199632] IPv6: ADDRCONF(NETDEV_UP): bridge0: link is not ready
[   41.259840] IPv6: ADDRCONF(NETDEV_UP): bridge0: link is not ready
[   43.270572] IPv6: ADDRCONF(NETDEV_UP): bond0: link is not ready
[   43.276722] 8021q: adding VLAN 0 to HW filter on device bond0
[   43.332218] IPv6: ADDRCONF(NETDEV_UP): bond0: link is not ready
[   43.338368] 8021q: adding VLAN 0 to HW filter on device bond0
[   43.352454] IPv6: ADDRCONF(NETDEV_UP): bond0: link is not ready
[   43.358718] 8021q: adding VLAN 0 to HW filter on device bond0
[   43.374141] IPv6: ADDRCONF(NETDEV_UP): bond0: link is not ready
[   43.380393] 8021q: adding VLAN 0 to HW filter on device bond0
[   43.467475] IPv6: ADDRCONF(NETDEV_UP): bond0: link is not ready
[   43.473848] 8021q: adding VLAN 0 to HW filter on device bond0
[   43.505586] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
[   43.611151] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
[   43.619764] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
[   43.629302] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
[   43.708740] IPv6: ADDRCONF(NETDEV_UP): bond0: link is not ready
[   43.715268] 8021q: adding VLAN 0 to HW filter on device bond0
[   43.791827] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
[   43.801541] IPv6: ADDRCONF(NETDEV_UP): veth1: link is not ready
[   43.808236] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready
[   43.815767] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[   43.843558] IPv6: ADDRCONF(NETDEV_UP): veth1: link is not ready
[   43.849991] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready
[   43.861512] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[   43.878866] IPv6: ADDRCONF(NETDEV_UP): bond0: link is not ready
[   43.885059] 8021q: adding VLAN 0 to HW filter on device bond0
[   43.903082] IPv6: ADDRCONF(NETDEV_UP): veth1: link is not ready
[   43.909662] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready
[   43.926634] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[   43.950607] IPv6: ADDRCONF(NETDEV_UP): veth1: link is not ready
[   43.959960] IPv6: ADDRCONF(NETDEV_UP): bond0: link is not ready
[   43.966084] 8021q: adding VLAN 0 to HW filter on device bond0
[   43.972728] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready
[   43.993828] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
2018/03/07 10:55:28 executed programs: 14
[   44.067842] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
[   44.097103] IPv6: ADDRCONF(NETDEV_UP): veth1: link is not ready
[   44.106193] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready
[   44.120222] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[   44.177380] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
[   44.199342] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
[   44.263954] IPv6: ADDRCONF(NETDEV_UP): veth1: link is not ready
[   44.270368] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready
[   44.278521] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[   44.287690] IPv6: ADDRCONF(NETDEV_UP): veth1: link is not ready
[   44.295291] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready
[   44.309955] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[   44.318839] IPv6: ADDRCONF(NETDEV_UP): veth1: link is not ready
[   44.325342] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready
[   44.334727] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[   46.557224] ==================================================================
[   46.564817] BUG: KASAN: use-after-free in ip6_xmit+0x1f76/0x2260
[   46.570977] Read of size 8 at addr ffff8801aaa65a18 by task syz-executor6/6647
[   46.578338] 
[   46.579969] CPU: 0 PID: 6647 Comm: syz-executor6 Not tainted 4.16.0-rc4+ #64
[   46.587150] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   46.596502] Call Trace:
[   46.599092]  dump_stack+0x194/0x24d
[   46.602733]  ? arch_local_irq_restore+0x53/0x53
[   46.607411]  ? show_regs_print_info+0x18/0x18
[   46.611905]  ? ip6_xmit+0x1f76/0x2260
[   46.615716]  print_address_description+0x73/0x250
[   46.620582]  ? ip6_xmit+0x1f76/0x2260
[   46.624379]  kasan_report+0x23c/0x360
[   46.628177]  __asan_report_load8_noabort+0x14/0x20
[   46.633089]  ip6_xmit+0x1f76/0x2260
[   46.636725]  ? ip6_finish_output2+0x23a0/0x23a0
[   46.641396]  ? fl6_update_dst+0x127/0x2b0
[   46.645539]  ? inet6_csk_route_socket+0x691/0xe80
[   46.650367]  ? trace_hardirqs_off+0x10/0x10
[   46.654669]  ? lock_acquire+0x1d5/0x580
[   46.658625]  ? lock_acquire+0x1d5/0x580
[   46.662583]  ? inet6_csk_xmit+0x114/0x580
[   46.666709]  ? trace_hardirqs_off+0x10/0x10
[   46.671014]  ? lock_release+0xa40/0xa40
[   46.675001]  inet6_csk_xmit+0x2fc/0x580
[   46.678960]  ? inet6_csk_update_pmtu+0x160/0x160
[   46.683691]  ? __sk_dst_check+0x1a5/0x380
[   46.687818]  ? sock_kfree_s+0x60/0x60
[   46.691613]  l2tp_xmit_skb+0x105f/0x1410
[   46.695674]  ? l2tp_session_create+0xb80/0xb80
[   46.700231]  ? sock_wmalloc+0x15d/0x1d0
[   46.704182]  ? iov_iter_advance+0x13f0/0x13f0
[   46.708657]  ? pppol2tp_sendmsg+0x41b/0x670
[   46.712969]  pppol2tp_sendmsg+0x470/0x670
[   46.717097]  ? selinux_socket_sendmsg+0x36/0x40
[   46.721756]  ? pppol2tp_getsockopt+0x900/0x900
[   46.726324]  sock_sendmsg+0xca/0x110
[   46.730025]  ___sys_sendmsg+0x767/0x8b0
[   46.734002]  ? copy_msghdr_from_user+0x590/0x590
[   46.738751]  ? __schedule+0x903/0x1ec0
[   46.742621]  ? __sched_text_start+0x8/0x8
[   46.746770]  ? __fget_light+0x2b2/0x3c0
[   46.750729]  ? fget_raw+0x20/0x20
[   46.754164]  ? __might_sleep+0x95/0x190
[   46.758135]  ? security_socket_connect+0x89/0xb0
[   46.762877]  __sys_sendmsg+0xe5/0x210
[   46.766660]  ? __sys_sendmsg+0xe5/0x210
[   46.770623]  ? SyS_shutdown+0x290/0x290
[   46.774582]  ? exit_to_usermode_loop+0x8c/0x2f0
[   46.779239]  ? trace_event_raw_event_sys_exit+0x260/0x260
[   46.784763]  SyS_sendmsg+0x2d/0x50
[   46.788280]  ? __sys_sendmsg+0x210/0x210
[   46.792317]  do_syscall_64+0x281/0x940
[   46.796183]  ? __do_page_fault+0xc90/0xc90
[   46.800392]  ? _raw_spin_unlock_irq+0x27/0x70
[   46.804866]  ? finish_task_switch+0x1c1/0x7e0
[   46.809339]  ? syscall_return_slowpath+0x550/0x550
[   46.814259]  ? syscall_return_slowpath+0x2ac/0x550
[   46.819168]  ? prepare_exit_to_usermode+0x350/0x350
[   46.824166]  ? entry_SYSCALL_64_after_hwframe+0x52/0xb7
[   46.829518]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   46.834344]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[   46.839534] RIP: 0033:0x453e69
[   46.842700] RSP: 002b:00007fd904722c68 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
[   46.850403] RAX: ffffffffffffffda RBX: 00007fd9047236d4 RCX: 0000000000453e69
[   46.857668] RDX: 0000000000000081 RSI: 000000002037ffc8 RDI: 0000000000000004
[   46.864916] RBP: 000000000072bf58 R08: 0000000000000000 R09: 0000000000000000
[   46.872162] R10: 0000000000000000 R11: 0000000000000246 R12: 00000000ffffffff
[   46.879420] R13: 00000000000004c3 R14: 00000000006f72e8 R15: 0000000000000001
[   46.886685] 
[   46.888294] Allocated by task 6642:
[   46.891904]  save_stack+0x43/0xd0
[   46.895331]  kasan_kmalloc+0xad/0xe0
[   46.899025]  kasan_slab_alloc+0x12/0x20
[   46.902979]  kmem_cache_alloc+0x12e/0x760
[   46.907102]  dst_alloc+0x11f/0x1a0
[   46.910615]  rt_dst_alloc+0xe9/0x520
[   46.914306]  ip_route_output_key_hash_rcu+0xa59/0x2f00
[   46.919560]  ip_route_output_key_hash+0x20b/0x370
[   46.924380]  __ip4_datagram_connect+0xa67/0x1240
[   46.929117]  __ip6_datagram_connect+0xc12/0x12b0
[   46.933845]  ip6_datagram_connect+0x2f/0x50
[   46.938139]  inet_dgram_connect+0x16b/0x1f0
[   46.942435]  SYSC_connect+0x213/0x4a0
[   46.946213]  SyS_connect+0x24/0x30
[   46.949737]  do_syscall_64+0x281/0x940
[   46.953599]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[   46.958768] 
[   46.960374] Freed by task 6651:
[   46.963640]  save_stack+0x43/0xd0
[   46.967079]  __kasan_slab_free+0x11a/0x170
[   46.971301]  kasan_slab_free+0xe/0x10
[   46.975081]  kmem_cache_free+0x83/0x2a0
[   46.979035]  dst_destroy+0x257/0x370
[   46.982731]  dst_destroy_rcu+0x16/0x20
[   46.986601]  rcu_process_callbacks+0xd6c/0x17f0
[   46.991248]  __do_softirq+0x2d7/0xb85
[   46.995019] 
[   46.996627] The buggy address belongs to the object at ffff8801aaa65a00
[   46.996627]  which belongs to the cache ip_dst_cache of size 168
[   47.009359] The buggy address is located 24 bytes inside of
[   47.009359]  168-byte region [ffff8801aaa65a00, ffff8801aaa65aa8)
[   47.021127] The buggy address belongs to the page:
[   47.026041] page:ffffea0006aa9940 count:1 mapcount:0 mapping:ffff8801aaa65000 index:0x0
[   47.034171] flags: 0x2fffc0000000100(slab)
[   47.038384] raw: 02fffc0000000100 ffff8801aaa65000 0000000000000000 0000000100000010
[   47.046242] raw: ffffea00075ddde0 ffffea0006e427e0 ffff8801d5b88680 0000000000000000
[   47.054098] page dumped because: kasan: bad access detected
[   47.059785] 
[   47.061394] Memory state around the buggy address:
[   47.066305]  ffff8801aaa65900: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   47.073639]  ffff8801aaa65980: 00 00 00 00 00 fc fc fc fc fc fc fc fc fc fc fc
[   47.080977] >ffff8801aaa65a00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   47.088311]                             ^
[   47.092435]  ffff8801aaa65a80: fb fb fb fb fb fc fc fc fc fc fc fc fc fc fc fc
[   47.099781]  ffff8801aaa65b00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   47.107116] ==================================================================
[   47.114448] Disabling lock debugging due to kernel taint
[   47.119920] Kernel panic - not syncing: panic_on_warn set ...
[   47.119920] 
[   47.127287] CPU: 0 PID: 6647 Comm: syz-executor6 Tainted: G    B            4.16.0-rc4+ #64
[   47.135775] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   47.145109] Call Trace:
[   47.147671]  dump_stack+0x194/0x24d
[   47.151273]  ? arch_local_irq_restore+0x53/0x53
[   47.155912]  ? kasan_end_report+0x32/0x50
[   47.160039]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[   47.164768]  ? vsnprintf+0x1ed/0x1900
[   47.168542]  ? ip6_xmit+0x1f10/0x2260
[   47.172317]  panic+0x1e4/0x41c
[   47.175492]  ? refcount_error_report+0x214/0x214
[   47.180225]  ? add_taint+0x1c/0x50
[   47.183736]  ? add_taint+0x1c/0x50
[   47.187248]  ? ip6_xmit+0x1f76/0x2260
[   47.191025]  kasan_end_report+0x50/0x50
[   47.194973]  kasan_report+0x149/0x360
[   47.198747]  __asan_report_load8_noabort+0x14/0x20
[   47.203657]  ip6_xmit+0x1f76/0x2260
[   47.207263]  ? ip6_finish_output2+0x23a0/0x23a0
[   47.211904]  ? fl6_update_dst+0x127/0x2b0
[   47.216029]  ? inet6_csk_route_socket+0x691/0xe80
[   47.220845]  ? trace_hardirqs_off+0x10/0x10
[   47.225140]  ? lock_acquire+0x1d5/0x580
[   47.229083]  ? lock_acquire+0x1d5/0x580
[   47.233031]  ? inet6_csk_xmit+0x114/0x580
[   47.237152]  ? trace_hardirqs_off+0x10/0x10
[   47.241449]  ? lock_release+0xa40/0xa40
[   47.245404]  inet6_csk_xmit+0x2fc/0x580
[   47.249349]  ? inet6_csk_update_pmtu+0x160/0x160
[   47.254076]  ? __sk_dst_check+0x1a5/0x380
[   47.258195]  ? sock_kfree_s+0x60/0x60
[   47.261977]  l2tp_xmit_skb+0x105f/0x1410
[   47.266023]  ? l2tp_session_create+0xb80/0xb80
[   47.270580]  ? sock_wmalloc+0x15d/0x1d0
[   47.274526]  ? iov_iter_advance+0x13f0/0x13f0
[   47.278993]  ? pppol2tp_sendmsg+0x41b/0x670
[   47.283291]  pppol2tp_sendmsg+0x470/0x670
[   47.287412]  ? selinux_socket_sendmsg+0x36/0x40
[   47.292051]  ? pppol2tp_getsockopt+0x900/0x900
[   47.296604]  sock_sendmsg+0xca/0x110
[   47.300303]  ___sys_sendmsg+0x767/0x8b0
[   47.304252]  ? copy_msghdr_from_user+0x590/0x590
[   47.308982]  ? __schedule+0x903/0x1ec0
[   47.312845]  ? __sched_text_start+0x8/0x8
[   47.316969]  ? __fget_light+0x2b2/0x3c0
[   47.320914]  ? fget_raw+0x20/0x20
[   47.324344]  ? __might_sleep+0x95/0x190
[   47.328300]  ? security_socket_connect+0x89/0xb0
[   47.333037]  __sys_sendmsg+0xe5/0x210
[   47.336810]  ? __sys_sendmsg+0xe5/0x210
[   47.340760]  ? SyS_shutdown+0x290/0x290
[   47.344730]  ? exit_to_usermode_loop+0x8c/0x2f0
[   47.349377]  ? trace_event_raw_event_sys_exit+0x260/0x260
[   47.354887]  SyS_sendmsg+0x2d/0x50
[   47.358399]  ? __sys_sendmsg+0x210/0x210
[   47.362429]  do_syscall_64+0x281/0x940
[   47.366290]  ? __do_page_fault+0xc90/0xc90
[   47.370495]  ? _raw_spin_unlock_irq+0x27/0x70
[   47.374963]  ? finish_task_switch+0x1c1/0x7e0
[   47.379432]  ? syscall_return_slowpath+0x550/0x550
[   47.384331]  ? syscall_return_slowpath+0x2ac/0x550
[   47.389229]  ? prepare_exit_to_usermode+0x350/0x350
[   47.394220]  ? entry_SYSCALL_64_after_hwframe+0x52/0xb7
[   47.399559]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   47.404377]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[   47.409537] RIP: 0033:0x453e69
[   47.412702] RSP: 002b:00007fd904722c68 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
[   47.420380] RAX: ffffffffffffffda RBX: 00007fd9047236d4 RCX: 0000000000453e69
[   47.427622] RDX: 0000000000000081 RSI: 000000002037ffc8 RDI: 0000000000000004
[   47.434863] RBP: 000000000072bf58 R08: 0000000000000000 R09: 0000000000000000
[   47.442102] R10: 0000000000000000 R11: 0000000000000246 R12: 00000000ffffffff
[   47.449346] R13: 00000000000004c3 R14: 00000000006f72e8 R15: 0000000000000001
[   47.457006] Dumping ftrace buffer:
[   47.460519]    (ftrace buffer empty)
[   47.464200] Kernel Offset: disabled
[   47.467802] Rebooting in 86400 seconds..
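A triage helper for the KASAN report format shown in this log, added here as an example; it is not part of the syzkaller output above nor of the kernel. It strips the dmesg timestamps, pulls out the fields a triager needs (bug class, faulting frame, access kind/size/address, slab cache and object size, offset into the object, the allocator's and freer's call paths, the faulting task's call trace, and the shadow byte under the `^` marker) and cross-checks them against each other: the computed offset against the one the report states, and the shadow byte against the bug class (KASAN poisons a freed slab object with 0xFB, which is the value the marked row shows). The sample input is an excerpt of the report above with the long call traces shortened; the field names and the list of instrumentation frames to skip when looking for the "real" allocator and freer are this example's own choices.

```python
import re

KASAN_KMALLOC_FREE = 0xFB  # shadow byte KASAN writes over a freed slab object
SHADOW_SCALE = 8           # one shadow byte describes 8 bytes of memory

# Excerpt of the report above (timestamps kept, long call traces shortened).
SAMPLE = """\
[   46.564817] BUG: KASAN: use-after-free in ip6_xmit+0x1f76/0x2260
[   46.570977] Read of size 8 at addr ffff8801aaa65a18 by task syz-executor6/6647
[   46.578338]
[   46.596502] Call Trace:
[   46.599092]  dump_stack+0x194/0x24d
[   46.624379]  kasan_report+0x23c/0x360
[   46.633089]  ip6_xmit+0x1f76/0x2260
[   46.641396]  ? fl6_update_dst+0x127/0x2b0
[   46.675001]  inet6_csk_xmit+0x2fc/0x580
[   46.691613]  l2tp_xmit_skb+0x105f/0x1410
[   46.712969]  pppol2tp_sendmsg+0x470/0x670
[   46.726324]  sock_sendmsg+0xca/0x110
[   46.886685]
[   46.888294] Allocated by task 6642:
[   46.891904]  save_stack+0x43/0xd0
[   46.895331]  kasan_kmalloc+0xad/0xe0
[   46.902979]  kmem_cache_alloc+0x12e/0x760
[   46.907102]  dst_alloc+0x11f/0x1a0
[   46.924380]  __ip4_datagram_connect+0xa67/0x1240
[   46.958768]
[   46.960374] Freed by task 6651:
[   46.963640]  save_stack+0x43/0xd0
[   46.967079]  __kasan_slab_free+0x11a/0x170
[   46.975081]  kmem_cache_free+0x83/0x2a0
[   46.979035]  dst_destroy+0x257/0x370
[   46.982731]  dst_destroy_rcu+0x16/0x20
[   46.986601]  rcu_process_callbacks+0xd6c/0x17f0
[   46.995019]
[   46.996627] The buggy address belongs to the object at ffff8801aaa65a00
[   46.996627]  which belongs to the cache ip_dst_cache of size 168
[   47.009359] The buggy address is located 24 bytes inside of
[   47.009359]  168-byte region [ffff8801aaa65a00, ffff8801aaa65aa8)
[   47.066305]  ffff8801aaa65900: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   47.080977] >ffff8801aaa65a00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   47.088311]                             ^
[   47.092435]  ffff8801aaa65a80: fb fb fb fb fb fc fc fc fc fc fc fc fc fc fc fc
"""

TS = re.compile(r'^\[\s*\d+\.\d+\]\s?')                     # dmesg "[   46.564817] " prefix
FRAME = re.compile(r'^\s*(?:\?\s+)?([\w.]+)\+0x[0-9a-f]+/0x[0-9a-f]+')  # "func+off/size", "?" optional
# Frames that are KASAN/allocator plumbing, not the code that owns the object (example's own list).
INSTRUMENTATION = ('save_stack', 'kasan_', '__kasan_', 'kmem_cache_', 'dump_stack', '__asan_')


def frames(lines, start):
    """Collect symbol names from lines[start:] until the blank line that ends a stack."""
    out = []
    for line in lines[start:]:
        if not line.strip():
            break
        m = FRAME.match(line)
        if m:
            out.append(m.group(1))
    return out


def first_real_frame(stack):
    """First frame that is not instrumentation: where the allocation/free really happened."""
    return next((f for f in stack if not f.startswith(INSTRUMENTATION)), None)


def parse_kasan_report(text):
    lines = [TS.sub('', l) for l in text.splitlines()]
    r = {}
    for i, line in enumerate(lines):
        if m := re.match(r'BUG: KASAN: ([\w-]+) in (\w+)\+0x', line):
            r['bug'], r['func'] = m.group(1), m.group(2)
        elif m := re.match(r'(Read|Write) of size (\d+) at addr ([0-9a-f]+) by task (\S+)/(\d+)', line):
            r['access'], r['size'], r['addr'] = m.group(1), int(m.group(2)), int(m.group(3), 16)
            r['comm'], r['pid'] = m.group(4), int(m.group(5))
        elif line.startswith('Call Trace:'):
            r['trace'] = frames(lines, i + 1)
        elif m := re.match(r'Allocated by task (\d+):', line):
            r['alloc_pid'], r['alloc'] = int(m.group(1)), frames(lines, i + 1)
        elif m := re.match(r'Freed by task (\d+):', line):
            r['free_pid'], r['free'] = int(m.group(1)), frames(lines, i + 1)
        elif m := re.search(r'belongs to the object at ([0-9a-f]+)', line):
            r['obj'] = int(m.group(1), 16)
        elif m := re.search(r'belongs to the cache (\S+) of size (\d+)', line):
            r['cache'], r['obj_size'] = m.group(1), int(m.group(2))
        elif m := re.search(r'located (\d+) bytes inside of', line):
            r['reported_offset'] = int(m.group(1))
        elif m := re.match(r'>([0-9a-f]{16}): ((?:[0-9a-f]{2}\s*){16})', line):
            # The '>' row contains the faulting address; pick the shadow byte covering it.
            base, row = int(m.group(1), 16), [int(b, 16) for b in m.group(2).split()]
            r['shadow'] = row[(r['addr'] - base) // SHADOW_SCALE]
    return r


def triage(r):
    """Facts a triager reports, each cross-checked against the rest of the report."""
    offset = r['addr'] - r['obj']
    return {
        'class': r['bug'], 'where': r['func'],
        'access': '%s %d bytes at +%d in %s (%d bytes)' % (
            r['access'], r['size'], offset, r['cache'], r['obj_size']),
        'offset_consistent': offset == r['reported_offset'] and offset + r['size'] <= r['obj_size'],
        'shadow_consistent': r['bug'] == 'use-after-free' and r['shadow'] == KASAN_KMALLOC_FREE,
        'allocated_in': first_real_frame(r['alloc']),
        'freed_in': first_real_frame(r['free']),
        # A free from an RCU callback means the object died on the freer's timeline, not the user's.
        'freed_from_softirq': any(f in ('rcu_process_callbacks', '__do_softirq') for f in r['free']),
        'cross_task': len({r['pid'], r['alloc_pid'], r['free_pid']}) > 1,
    }


if __name__ == '__main__':
    for k, v in triage(parse_kasan_report(SAMPLE)).items():
        print('%-20s %s' % (k, v))
```

Run on the excerpt, it reports the `ip_dst_cache` object allocated in `dst_alloc` from the `connect()` path, freed in `dst_destroy` from an RCU softirq callback by a third task, and read 24 bytes in from `ip6_xmit` underneath `l2tp_xmit_skb`, with the 0xFB shadow byte and the stated offset both agreeing with the use-after-free classification. The offset and shadow checks are the cheap sanity tests worth running before spending time on a report: a mismatch usually means the report was truncated or mangled in transit.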