[ 26.901431] IPVS: ftp: loaded support on port[0] = 21
[ 26.942217] audit: type=1400 audit(1520439844.818:11): avc: denied { net_admin } for pid=4120 comm="syz-executor0" capability=12 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=cap_userns permissive=1
[ 27.234580] IPv6: ADDRCONF(NETDEV_UP): bridge0: link is not ready
[ 27.664450] IPv6: ADDRCONF(NETDEV_UP): bond0: link is not ready
[ 27.670535] 8021q: adding VLAN 0 to HW filter on device bond0
[ 27.716713] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
[ 27.761409] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 27.773519] audit: type=1400 audit(1520439845.650:12): avc: denied { sys_chroot } for pid=4120 comm="syz-executor0" capability=18 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=cap_userns permissive=1
[ 27.852286] syz-executor0 (4120) used greatest stack depth: 16040 bytes left
[ 27.966426] bond0 (unregistering): Released all slaves
Warning: Permanently added '10.128.0.52' (ECDSA) to the list of known hosts.
2018/03/07 16:24:12 parsed 1 programs
2018/03/07 16:24:12 executed programs: 0
[ 34.782870] IPVS: ftp: loaded support on port[0] = 21
[ 34.831975] IPVS: ftp: loaded support on port[0] = 21
[ 34.871751] IPVS: ftp: loaded support on port[0] = 21
[ 34.917920] IPVS: ftp: loaded support on port[0] = 21
[ 34.977207] IPVS: ftp: loaded support on port[0] = 21
[ 35.050213] IPVS: ftp: loaded support on port[0] = 21
[ 35.150823] IPVS: ftp: loaded support on port[0] = 21
[ 35.248174] IPVS: ftp: loaded support on port[0] = 21
[ 36.237769] IPv6: ADDRCONF(NETDEV_UP): bridge0: link is not ready
[ 36.341058] IPv6: ADDRCONF(NETDEV_UP): bridge0: link is not ready
[ 36.349328] IPv6: ADDRCONF(NETDEV_UP): bridge0: link is not ready
[ 36.422115] IPv6: ADDRCONF(NETDEV_UP): bridge0: link is not ready
[ 36.526315] IPv6: ADDRCONF(NETDEV_UP): bridge0: link is not ready
[ 36.694941] IPv6: ADDRCONF(NETDEV_UP): bridge0: link is not ready
[ 36.764817] IPv6: ADDRCONF(NETDEV_UP): bridge0: link is not ready
[ 36.915665] IPv6: ADDRCONF(NETDEV_UP): bridge0: link is not ready
[ 38.659200] IPv6: ADDRCONF(NETDEV_UP): bond0: link is not ready
[ 38.665410] 8021q: adding VLAN 0 to HW filter on device bond0
[ 38.826700] IPv6: ADDRCONF(NETDEV_UP): bond0: link is not ready
[ 38.832944] 8021q: adding VLAN 0 to HW filter on device bond0
[ 38.852278] IPv6: ADDRCONF(NETDEV_UP): bond0: link is not ready
[ 38.858396] 8021q: adding VLAN 0 to HW filter on device bond0
[ 38.922097] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
[ 38.930855] IPv6: ADDRCONF(NETDEV_UP): bond0: link is not ready
[ 38.936952] 8021q: adding VLAN 0 to HW filter on device bond0
[ 38.997901] IPv6: ADDRCONF(NETDEV_UP): bond0: link is not ready
[ 39.004203] 8021q: adding VLAN 0 to HW filter on device bond0
[ 39.080466] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
[ 39.122738] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
[ 39.151837] IPv6: ADDRCONF(NETDEV_UP): veth1: link is not ready
[ 39.159104] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready
[ 39.166530] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 39.196527] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
[ 39.214160] IPv6: ADDRCONF(NETDEV_UP): bond0: link is not ready
[ 39.220255] 8021q: adding VLAN 0 to HW filter on device bond0
[ 39.246762] IPv6: ADDRCONF(NETDEV_UP): bond0: link is not ready
[ 39.252986] 8021q: adding VLAN 0 to HW filter on device bond0
[ 39.281593] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
[ 39.311579] l2tp_core: tunl 4: sock fd=3 is unconnected
[ 39.375767] IPv6: ADDRCONF(NETDEV_UP): bond0: link is not ready
[ 39.381905] 8021q: adding VLAN 0 to HW filter on device bond0
[ 39.399167] IPv6: ADDRCONF(NETDEV_UP): veth1: link is not ready
[ 39.416983] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready
[ 39.428370] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 39.453200] IPv6: ADDRCONF(NETDEV_UP): veth1: link is not ready
[ 39.459496] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready
[ 39.477478] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 39.491456] IPv6: ADDRCONF(NETDEV_UP): veth1: link is not ready
[ 39.506369] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready
[ 39.513564] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 39.530493] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
[ 39.538426] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
[ 39.582998] IPv6: ADDRCONF(NETDEV_UP): veth1: link is not ready
[ 39.589243] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready
[ 39.600108] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 39.685968] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
[ 39.719262] IPv6: ADDRCONF(NETDEV_UP): veth1: link is not ready
[ 39.725427] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready
2018/03/07 16:24:17 executed programs: 21
[ 39.735211] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 39.752207] IPv6: ADDRCONF(NETDEV_UP): veth1: link is not ready
[ 39.758742] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready
[ 39.766145] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 39.803366] IPv6: ADDRCONF(NETDEV_UP): veth1: link is not ready
[ 39.809548] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready
[ 39.817501] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
2018/03/07 16:24:22 executed programs: 693
2018/03/07 16:24:27 executed programs: 1387
2018/03/07 16:24:32 executed programs: 2074
2018/03/07 16:24:37 executed programs: 2767
2018/03/07 16:24:42 executed programs: 3456
2018/03/07 16:24:47 executed programs: 4160
2018/03/07 16:24:52 executed programs: 4848
2018/03/07 16:24:57 executed programs: 5529
[ 82.898335] ==================================================================
[ 82.905896] BUG: KASAN: use-after-free in ip6_xmit+0x1f76/0x2260
[ 82.912039] Read of size 8 at addr ffff8801bd949318 by task syz-executor4/23448
[ 82.919480]
[ 82.921104] CPU: 0 PID: 23448 Comm: syz-executor4 Not tainted 4.16.0-rc4+ #65
[ 82.928362] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 82.937704] Call Trace:
[ 82.940290]  dump_stack+0x194/0x24d
[ 82.943915]  ? arch_local_irq_restore+0x53/0x53
[ 82.948567]  ? show_regs_print_info+0x18/0x18
[ 82.953050]  ? ip6_xmit+0x1f76/0x2260
[ 82.956838]  print_address_description+0x73/0x250
[ 82.961659]  ? ip6_xmit+0x1f76/0x2260
[ 82.965445]  kasan_report+0x23c/0x360
[ 82.969239]  __asan_report_load8_noabort+0x14/0x20
[ 82.974142]  ip6_xmit+0x1f76/0x2260
[ 82.977757]  ? ip6_finish_output2+0x23a0/0x23a0
[ 82.982402]  ? fl6_update_dst+0x127/0x2b0
[ 82.986527]  ? inet6_csk_route_socket+0x691/0xe80
[ 82.991352]  ? trace_hardirqs_off+0x10/0x10
[ 82.995649]  ? lock_acquire+0x1d5/0x580
[ 82.999594]  ? lock_acquire+0x1d5/0x580
[ 83.003539]  ? inet6_csk_xmit+0x114/0x580
[ 83.007662]  ? trace_hardirqs_off+0x10/0x10
[ 83.011961]  ? lock_release+0xa40/0xa40
[ 83.015924]  inet6_csk_xmit+0x2fc/0x580
[ 83.019879]  ? inet6_csk_update_pmtu+0x160/0x160
[ 83.024618]  ? __sk_dst_check+0x1a5/0x380
[ 83.028742]  ? sock_kfree_s+0x60/0x60
[ 83.032535]  l2tp_xmit_skb+0x105f/0x1410
[ 83.036582]  ? l2tp_session_create+0xb80/0xb80
[ 83.041151]  ? sock_wmalloc+0x15d/0x1d0
[ 83.045107]  ? iov_iter_advance+0x13f0/0x13f0
[ 83.049579]  ? pppol2tp_sendmsg+0x41b/0x670
[ 83.053875]  pppol2tp_sendmsg+0x470/0x670
[ 83.057999]  ? selinux_socket_sendmsg+0x36/0x40
[ 83.062653]  ? pppol2tp_getsockopt+0x900/0x900
[ 83.067215]  sock_sendmsg+0xca/0x110
[ 83.070912]  ___sys_sendmsg+0x767/0x8b0
[ 83.074873]  ? copy_msghdr_from_user+0x590/0x590
[ 83.079615]  ? selinux_socket_connect+0x311/0x730
[ 83.084439]  ? __fget_light+0x2b2/0x3c0
[ 83.088390]  ? fget_raw+0x20/0x20
[ 83.091832]  ? __might_sleep+0x95/0x190
[ 83.095794]  ? security_socket_connect+0x89/0xb0
[ 83.100533]  __sys_sendmsg+0xe5/0x210
[ 83.104312]  ? __sys_sendmsg+0xe5/0x210
[ 83.108269]  ? SyS_shutdown+0x290/0x290
[ 83.112226]  ? SyS_futex+0x269/0x390
[ 83.115924]  ? move_addr_to_kernel+0x60/0x60
[ 83.120310]  SyS_sendmsg+0x2d/0x50
[ 83.123821]  ? __sys_sendmsg+0x210/0x210
[ 83.127858]  do_syscall_64+0x281/0x940
[ 83.131718]  ? __do_page_fault+0xc90/0xc90
[ 83.135924]  ? _raw_spin_unlock_irq+0x27/0x70
[ 83.140390]  ? finish_task_switch+0x1c1/0x7e0
[ 83.144857]  ? syscall_return_slowpath+0x550/0x550
[ 83.149761]  ? syscall_return_slowpath+0x2ac/0x550
[ 83.154674]  ? prepare_exit_to_usermode+0x350/0x350
[ 83.159668]  ? entry_SYSCALL_64_after_hwframe+0x52/0xb7
[ 83.165013]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 83.169841]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 83.175004] RIP: 0033:0x453e69
[ 83.178176] RSP: 002b:00007f819593cc68 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
[ 83.185858] RAX: ffffffffffffffda RBX: 00007f819593d6d4 RCX: 0000000000453e69
[ 83.193103] RDX: 0000000000000081 RSI: 000000002037ffc8 RDI: 0000000000000004
[ 83.200345] RBP: 000000000072bea0 R08: 0000000000000000 R09: 0000000000000000
[ 83.207585] R10: 0000000000000000 R11: 0000000000000246 R12: 00000000ffffffff
[ 83.214835] R13: 00000000000004c3 R14: 00000000006f72e8 R15: 0000000000000000
[ 83.222097]
[ 83.223698] Allocated by task 23363:
[ 83.227397]  save_stack+0x43/0xd0
[ 83.230821]  kasan_kmalloc+0xad/0xe0
[ 83.234508]  kasan_slab_alloc+0x12/0x20
[ 83.238467]  kmem_cache_alloc+0x12e/0x760
[ 83.242589]  dst_alloc+0x11f/0x1a0
[ 83.246099]  rt_dst_alloc+0xe9/0x520
[ 83.249786]  ip_route_input_rcu+0x194f/0x3200
[ 83.254251]  ip_route_input_noref+0xf5/0x1e0
[ 83.258629]  ip_rcv_finish+0x3a6/0x2040
[ 83.262576]  ip_rcv+0xb76/0x1820
[ 83.265915]  __netif_receive_skb_core+0x1a41/0x3460
[ 83.270903]  __netif_receive_skb+0x2c/0x1b0
[ 83.275197]  netif_receive_skb_internal+0x10b/0x670
[ 83.280185]  netif_receive_skb+0xae/0x390
[ 83.284304]  tun_rx_batched.isra.52+0x5ee/0x870
[ 83.288949]  tun_get_user+0x25a5/0x3810
[ 83.292904]  tun_chr_write_iter+0xb9/0x160
[ 83.297117]  do_iter_readv_writev+0x55c/0x830
[ 83.301592]  do_iter_write+0x154/0x540
[ 83.305465]  vfs_writev+0x18a/0x340
[ 83.309069]  do_writev+0xfc/0x2a0
[ 83.312493]  SyS_writev+0x27/0x30
[ 83.315919]  do_syscall_64+0x281/0x940
[ 83.319776]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 83.324933]
[ 83.326530] Freed by task 23357:
[ 83.329867]  save_stack+0x43/0xd0
[ 83.333288]  __kasan_slab_free+0x11a/0x170
[ 83.337491]  kasan_slab_free+0xe/0x10
[ 83.341262]  kmem_cache_free+0x83/0x2a0
[ 83.345206]  dst_destroy+0x257/0x370
[ 83.348889]  dst_destroy_rcu+0x16/0x20
[ 83.352750]  rcu_process_callbacks+0xd6c/0x17f0
[ 83.357393]  __do_softirq+0x2d7/0xb85
[ 83.361162]
[ 83.362762] The buggy address belongs to the object at ffff8801bd949300
[ 83.362762]  which belongs to the cache ip_dst_cache of size 168
[ 83.375481] The buggy address is located 24 bytes inside of
[ 83.375481]  168-byte region [ffff8801bd949300, ffff8801bd9493a8)
[ 83.387238] The buggy address belongs to the page:
[ 83.392138] page:ffffea0006f65240 count:1 mapcount:0 mapping:ffff8801bd949000 index:0x0
[ 83.400249] flags: 0x2fffc0000000100(slab)
[ 83.404458] raw: 02fffc0000000100 ffff8801bd949000 0000000000000000 0000000100000010
[ 83.412319] raw: ffffea0006f6eb60 ffffea00073e64a0 ffff8801d6bc2040 0000000000000000
[ 83.420167] page dumped because: kasan: bad access detected
[ 83.425845]
[ 83.427451] Memory state around the buggy address:
[ 83.432348]  ffff8801bd949200: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 83.439686]  ffff8801bd949280: 00 00 00 00 00 fc fc fc fc fc fc fc fc fc fc fc
[ 83.447022] >ffff8801bd949300: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 83.454354]                             ^
[ 83.458475]  ffff8801bd949380: fb fb fb fb fb fc fc fc fc fc fc fc fc fc fc fc
[ 83.465803]  ffff8801bd949400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 83.473132] ==================================================================
[ 83.480459] Disabling lock debugging due to kernel taint
[ 83.485930] Kernel panic - not syncing: panic_on_warn set ...
[ 83.485930]
[ 83.493275] CPU: 0 PID: 23448 Comm: syz-executor4 Tainted: G B 4.16.0-rc4+ #65
[ 83.501824] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 83.511151] Call Trace:
[ 83.513715]  dump_stack+0x194/0x24d
[ 83.517319]  ? arch_local_irq_restore+0x53/0x53
[ 83.521959]  ? kasan_end_report+0x32/0x50
[ 83.526078]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 83.530806]  ? vsnprintf+0x1ed/0x1900
[ 83.534579]  ? ip6_xmit+0x1f10/0x2260
[ 83.538351]  panic+0x1e4/0x41c
[ 83.541518]  ? refcount_error_report+0x214/0x214
[ 83.546256]  ? add_taint+0x1c/0x50
[ 83.549775]  ? add_taint+0x1c/0x50
[ 83.553286]  ? ip6_xmit+0x1f76/0x2260
[ 83.557059]  kasan_end_report+0x50/0x50
[ 83.561005]  kasan_report+0x149/0x360
[ 83.564787]  __asan_report_load8_noabort+0x14/0x20
[ 83.569685]  ip6_xmit+0x1f76/0x2260
[ 83.573290]  ? ip6_finish_output2+0x23a0/0x23a0
[ 83.577929]  ? fl6_update_dst+0x127/0x2b0
[ 83.582053]  ? inet6_csk_route_socket+0x691/0xe80
[ 83.586871]  ? trace_hardirqs_off+0x10/0x10
[ 83.591162]  ? lock_acquire+0x1d5/0x580
[ 83.595106]  ? lock_acquire+0x1d5/0x580
[ 83.599056]  ? inet6_csk_xmit+0x114/0x580
[ 83.603176]  ? trace_hardirqs_off+0x10/0x10
[ 83.607469]  ? lock_release+0xa40/0xa40
[ 83.611425]  inet6_csk_xmit+0x2fc/0x580
[ 83.615380]  ? inet6_csk_update_pmtu+0x160/0x160
[ 83.620114]  ? __sk_dst_check+0x1a5/0x380
[ 83.624281]  ? sock_kfree_s+0x60/0x60
[ 83.628061]  l2tp_xmit_skb+0x105f/0x1410
[ 83.632098]  ? l2tp_session_create+0xb80/0xb80
[ 83.636653]  ? sock_wmalloc+0x15d/0x1d0
[ 83.640600]  ? iov_iter_advance+0x13f0/0x13f0
[ 83.645066]  ? pppol2tp_sendmsg+0x41b/0x670
[ 83.649361]  pppol2tp_sendmsg+0x470/0x670
[ 83.653481]  ? selinux_socket_sendmsg+0x36/0x40
[ 83.658122]  ? pppol2tp_getsockopt+0x900/0x900
[ 83.662675]  sock_sendmsg+0xca/0x110
[ 83.666360]  ___sys_sendmsg+0x767/0x8b0
[ 83.670315]  ? copy_msghdr_from_user+0x590/0x590
[ 83.675050]  ? selinux_socket_connect+0x311/0x730
[ 83.679869]  ? __fget_light+0x2b2/0x3c0
[ 83.683820]  ? fget_raw+0x20/0x20
[ 83.687247]  ? __might_sleep+0x95/0x190
[ 83.691198]  ? security_socket_connect+0x89/0xb0
[ 83.695933]  __sys_sendmsg+0xe5/0x210
[ 83.699713]  ? __sys_sendmsg+0xe5/0x210
[ 83.703657]  ? SyS_shutdown+0x290/0x290
[ 83.707606]  ? SyS_futex+0x269/0x390
[ 83.711300]  ? move_addr_to_kernel+0x60/0x60
[ 83.715683]  SyS_sendmsg+0x2d/0x50
[ 83.719194]  ? __sys_sendmsg+0x210/0x210
[ 83.723226]  do_syscall_64+0x281/0x940
[ 83.727085]  ? __do_page_fault+0xc90/0xc90
[ 83.731289]  ? _raw_spin_unlock_irq+0x27/0x70
[ 83.735755]  ? finish_task_switch+0x1c1/0x7e0
[ 83.740221]  ? syscall_return_slowpath+0x550/0x550
[ 83.745120]  ? syscall_return_slowpath+0x2ac/0x550
[ 83.750027]  ? prepare_exit_to_usermode+0x350/0x350
[ 83.755029]  ? entry_SYSCALL_64_after_hwframe+0x52/0xb7
[ 83.760369]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 83.765188]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 83.770354] RIP: 0033:0x453e69
[ 83.773519] RSP: 002b:00007f819593cc68 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
[ 83.781197] RAX: ffffffffffffffda RBX: 00007f819593d6d4 RCX: 0000000000453e69
[ 83.788442] RDX: 0000000000000081 RSI: 000000002037ffc8 RDI: 0000000000000004
[ 83.795683] RBP: 000000000072bea0 R08: 0000000000000000 R09: 0000000000000000
[ 83.802923] R10: 0000000000000000 R11: 0000000000000246 R12: 00000000ffffffff
[ 83.810166] R13: 00000000000004c3 R14: 00000000006f72e8 R15: 0000000000000000
[ 83.817862] Dumping ftrace buffer:
[ 83.821373]    (ftrace buffer empty)
[ 83.825063] Kernel Offset: disabled
[ 83.828666] Rebooting in 86400 seconds..