[ ok ] Starting enhanced syslogd: rsyslogd.
[ 16.916724] audit: type=1400 audit(1519140684.803:5): avc: denied { syslog } for pid=4017 comm="rsyslogd" capability=34 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=capability2 permissive=1
[ ok ] Starting periodic command scheduler: cron.
Starting mcstransd:
[ ok ] Starting file context maintaining daemon: restorecond.
[ ok ] Starting OpenBSD Secure Shell server: sshd.
Debian GNU/Linux 7 syzkaller ttyS0
syzkaller login:
[ 21.935916] audit: type=1400 audit(1519140689.822:6): avc: denied { map } for pid=4158 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
Warning: Permanently added '10.128.0.17' (ECDSA) to the list of known hosts.
net.ipv6.conf.syz0.accept_dad = 0
net.ipv6.conf.syz0.router_solicitations = 0
[ 28.303434] audit: type=1400 audit(1519140696.190:7): avc: denied { map } for pid=4172 comm="syzkaller343670" path="/root/syzkaller343670767" dev="sda1" ino=16481 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
[ 28.314083] IPVS: ftp: loaded support on port[0] = 21
RTNETLINK answers: Operation not supported
RTNETLINK answers: No buffer space available
RTNETLINK answers: Operation not supported
RTNETLINK answers: Operation not supported
[ 28.538524] IPv6: ADDRCONF(NETDEV_UP): bridge0: link is not ready
RTNETLINK answers: Operation not supported
RTNETLINK answers: Operation not supported
RTNETLINK answers: Invalid argument
RTNETLINK answers: Invalid argument
RTNETLINK answers: Invalid argument
executing program
[ 28.866249]
[ 28.867911] =====================================
[ 28.872728] WARNING: bad unlock balance detected!
[ 28.877547] 4.16.0-rc2+ #234 Not tainted
[ 28.881581] -------------------------------------
[ 28.886400] syzkaller343670/4173 is trying to release lock (rcu_read_lock_bh) at:
[ 28.894033] [] hashlimit_mt_common.isra.10+0x1beb/0x2610
[ 28.901026] but there are no more locks to release!
[ 28.906022]
[ 28.906022] other info that might help us debug this:
[ 28.912668] 5 locks held by syzkaller343670/4173:
[ 28.917481] #0: (&xt[i].mutex){+.+.}, at: [<00000000c98e46d8>] xt_find_table_lock+0x273/0x3e0
[ 28.926304] #1: (&mm->mmap_sem){++++}, at: [<000000001666d2fb>] __do_page_fault+0x32d/0xc90
[ 28.934948] #2: ((&idev->mc_ifc_timer)){+.-.}, at: [<00000000c6d4759a>] call_timer_fn+0x1c6/0x820
[ 28.944118] #3: (rcu_read_lock){....}, at: [<0000000082fb120b>] mld_sendpack+0x180/0xe70
[ 28.952505] #4: (rcu_read_lock){....}, at: [<0000000031921c9e>] nf_hook.constprop.37+0x0/0x830
[ 28.961411]
[ 28.961411] stack backtrace:
[ 28.965886] CPU: 1 PID: 4173 Comm: syzkaller343670 Not tainted 4.16.0-rc2+ #234
[ 28.973308] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 28.982640] Call Trace:
[ 28.985203]
[ 28.987344] dump_stack+0x194/0x257
[ 28.990947] ? arch_local_irq_restore+0x53/0x53
[ 28.995593] ? hashlimit_mt_common.isra.10+0x1beb/0x2610
[ 29.001026] print_unlock_imbalance_bug+0x12f/0x140
[ 29.006028] lock_release+0x6fe/0xa40
[ 29.009807] ? hashlimit_mt_common.isra.10+0x1beb/0x2610
[ 29.015232] ? lock_downgrade+0x980/0x980
[ 29.019359] ? lock_release+0xa40/0xa40
[ 29.023312] ? __raw_spin_lock_init+0x1c/0x100
[ 29.027870] ? do_raw_spin_trylock+0x190/0x190
[ 29.032433] hashlimit_mt_common.isra.10+0x1c08/0x2610
[ 29.037686] ? lock_downgrade+0x980/0x980
[ 29.041814] ? dsthash_find+0x5b0/0x5b0
[ 29.045766] ? __lock_acquire+0x664/0x3e00
[ 29.049975] ? is_bpf_text_address+0x7b/0x120
[ 29.054447] ? lock_downgrade+0x95a/0x980
[ 29.058574] ? rcutorture_record_progress+0x10/0x10
[ 29.063569] ? __kernel_text_address+0xd/0x40
[ 29.068047] ? unwind_get_return_address+0x61/0xa0
[ 29.072952] hashlimit_mt+0x78/0x90
[ 29.076572] ? hashlimit_mt+0x78/0x90
[ 29.080355] ip6t_do_table+0x98d/0x1a30
[ 29.084311] ? kmem_cache_alloc_trace+0x136/0x740
[ 29.089133] ? mld_sendpack+0x617/0xe70
[ 29.093087] ? ip6t_error+0x60/0x60
[ 29.096693] ? sock_common_setsockopt+0x95/0xd0
[ 29.101339] ? check_noncircular+0x20/0x20
[ 29.105559] ? lock_acquire+0x1d5/0x580
[ 29.109513] ? lock_acquire+0x1d5/0x580
[ 29.113468] ? igmp6_mcf_seq_next+0x660/0x660
[ 29.117944] ? lock_release+0xa40/0xa40
[ 29.121895] ip6table_raw_hook+0x65/0x80
[ 29.125934] nf_hook_slow+0xba/0x1a0
[ 29.129628] nf_hook.constprop.37+0x3f6/0x830
[ 29.134102] ? igmp6_mcf_seq_next+0x660/0x660
[ 29.138572] ? trace_hardirqs_on+0xd/0x10
[ 29.142698] ? __local_bh_enable_ip+0x121/0x230
[ 29.147345] ? _raw_spin_unlock_bh+0x30/0x40
[ 29.151732] ? rt6_uncached_list_add+0x1b7/0x240
[ 29.156465] ? rt6_fill_node+0x18b0/0x18b0
[ 29.160679] ? icmp6_dst_alloc+0x475/0x660
[ 29.164895] ? ip6_mc_leave_src+0x1d0/0x1d0
[ 29.169193] ? icmpv6_flow_init+0x1f6/0x270
[ 29.173493] mld_sendpack+0x6c2/0xe70
[ 29.177272] ? nf_hook.constprop.37+0x830/0x830
[ 29.181927] ? mark_held_locks+0xaf/0x100
[ 29.186057] ? trace_hardirqs_on+0xd/0x10
[ 29.190183] ? __local_bh_enable_ip+0x121/0x230
[ 29.194832] mld_ifc_timer_expire+0x3d9/0x770
[ 29.199309] call_timer_fn+0x228/0x820
[ 29.203176] ? mld_dad_timer_expire+0x100/0x100
[ 29.207834] ? process_timeout+0x40/0x40
[ 29.211873] ? __run_timers+0x7e3/0xb70
[ 29.215827] ? lock_downgrade+0x980/0x980
[ 29.219953] ? debug_object_deactivate+0x364/0x560
[ 29.224859] ? lock_release+0xa40/0xa40
[ 29.228814] ? mark_held_locks+0xaf/0x100
[ 29.232940] ? trace_hardirqs_on_caller+0x19e/0x5c0
[ 29.237933] ? mld_dad_timer_expire+0x100/0x100
[ 29.242580] ? mld_dad_timer_expire+0x100/0x100
[ 29.247228] __run_timers+0x7ee/0xb70
[ 29.251012] ? trigger_dyntick_cpu.isra.29+0x150/0x150
[ 29.256272] ? timerqueue_add+0x1e9/0x280
[ 29.260397] ? check_noncircular+0x20/0x20
[ 29.264607] ? enqueue_hrtimer+0x177/0x4b0
[ 29.268824] ? lock_release+0xa40/0xa40
[ 29.272777] ? retrigger_next_event+0x1e0/0x1e0
[ 29.277422] ? print_irqtrace_events+0x270/0x270
[ 29.282154] ? check_noncircular+0x20/0x20
[ 29.286366] ? clockevents_program_event+0x163/0x2e0
[ 29.291444] ? lock_downgrade+0x980/0x980
[ 29.295569] ? __lock_is_held+0xb6/0x140
[ 29.299611] run_timer_softirq+0x4c/0x70
[ 29.303651] __do_softirq+0x2d7/0xb85
[ 29.307428] ? ktime_get+0x26f/0x3a0
[ 29.311118] ? __irqentry_text_end+0x1f8ad4/0x1f8ad4
[ 29.316199] ? check_noncircular+0x20/0x20
[ 29.320409] ? native_apic_msr_write+0x5c/0x80
[ 29.324970] ? lapic_next_event+0x54/0x80
[ 29.329107] ? clockevents_program_event+0x108/0x2e0
[ 29.334188] ? tick_program_event+0x83/0x100
[ 29.338583] ? __lock_is_held+0xb6/0x140
[ 29.342633] irq_exit+0x1cc/0x200
[ 29.346065] smp_apic_timer_interrupt+0x16b/0x700
[ 29.350884] ? smp_call_function_single_interrupt+0x640/0x640
[ 29.356743] ? _raw_spin_lock+0x32/0x40
[ 29.360696] ? _raw_spin_unlock+0x22/0x30
[ 29.364824] ? handle_edge_irq+0x2b4/0x7c0
[ 29.369043] ? task_prio+0x50/0x50
[ 29.372563] ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 29.377385] apic_timer_interrupt+0x8e/0xa0
[ 29.381683]
[ 29.383897] RIP: 0010:clear_huge_page+0x112/0x730
[ 29.388717] RSP: 0018:ffff8801b2167060 EFLAGS: 00000246 ORIG_RAX: ffffffffffffff12
[ 29.396401] RAX: 0000000000000000 RBX: dffffc0000000000 RCX: 0000000000000000
[ 29.403648] RDX: ffff8801af99e200 RSI: 0000160000000000 RDI: ffff8801b93dd000
[ 29.410893] RBP: ffff8801b21670a8 R08: 000000000002fc50 R09: 0000000000000000
[ 29.418138] R10: ffffffffffffffe8 R11: 0000000000000000 R12: ffffea0006e48000
[ 29.425383] R13: 0000000000000092 R14: 0000000000000049 R15: 00000000000001dc
[ 29.432638] ? __raw_spin_lock_init+0x2d/0x100
[ 29.437209] do_huge_pmd_anonymous_page+0x599/0x1b00
[ 29.442292] ? __thp_get_unmapped_area+0x130/0x130
[ 29.447196] ? __lock_acquire+0x664/0x3e00
[ 29.451411] ? __lock_acquire+0x664/0x3e00
[ 29.455625] ? kernel_text_address+0x102/0x140
[ 29.460183] ? __is_insn_slot_addr+0x1fc/0x330
[ 29.464744] ? lock_downgrade+0x980/0x980
[ 29.468869] ? debug_check_no_locks_freed+0x3c0/0x3c0
[ 29.474041] ? modules_open+0xa0/0xa0
[ 29.477820] ? trace_raw_output_xdp_redirect_map_err+0x440/0x440
[ 29.483944] ? is_bpf_text_address+0x7b/0x120
[ 29.488419] ? lock_downgrade+0x980/0x980
[ 29.492546] ? lock_release+0xa40/0xa40
[ 29.496496] ? __free_insn_slot+0x5c0/0x5c0
[ 29.500795] ? rcutorture_record_progress+0x10/0x10
[ 29.505789] ? is_bpf_text_address+0xa4/0x120
[ 29.510260] ? kernel_text_address+0x102/0x140
[ 29.514821] __handle_mm_fault+0x1a0c/0x3ce0
[ 29.519209] ? __pmd_alloc+0x4e0/0x4e0
[ 29.523080] ? check_noncircular+0x20/0x20
[ 29.527302] ? print_lockdep_cache.isra.32+0x109/0x109
[ 29.532558] ? find_held_lock+0x35/0x1d0
[ 29.536599] ? handle_mm_fault+0x270/0x970
[ 29.540813] ? lock_downgrade+0x980/0x980
[ 29.544943] handle_mm_fault+0x35c/0x970
[ 29.548988] ? __handle_mm_fault+0x3ce0/0x3ce0
[ 29.553547] ? vmacache_find+0x5f/0x280
[ 29.557497] ? find_vma+0x30/0x150
[ 29.561023] __do_page_fault+0x5c9/0xc90
[ 29.565079] ? mm_fault_error+0x2c0/0x2c0
[ 29.569202] ? kfree+0xd9/0x260
[ 29.572459] ? xt_free_table_info+0x110/0x170
[ 29.576930] ? __do_replace+0x810/0xa70
[ 29.580896] ? check_noncircular+0x20/0x20
[ 29.585108] ? rawv6_setsockopt+0x4a/0xf0
[ 29.589229] ? sock_common_setsockopt+0x95/0xd0
[ 29.593873] do_page_fault+0xee/0x730
[ 29.597649] ? __do_page_fault+0xc90/0xc90
[ 29.601863] ? find_held_lock+0x35/0x1d0
[ 29.605902] ? __might_fault+0x110/0x1d0
[ 29.609939] ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 29.614764] page_fault+0x62/0x90
[ 29.618196] RIP: 0010:copy_user_generic_unrolled+0x89/0xc0
[ 29.623797] RSP: 0018:ffff8801b21679b8 EFLAGS: 00010206
[ 29.629135] RAX: fffff520002fee06 RBX: 0000000000000030 RCX: 0000000000000006
[ 29.636383] RDX: 0000000000000000 RSI: ffffc900017f7000 RDI: 0000000020849fd0
[ 29.643641] RBP: ffff8801b21679e8 R08: 0000000000000000 R09: fffff520002fee06
[ 29.650889] R10: 0000000000000006 R11: fffff520002fee05 R12: 0000000020849fd0
[ 29.658137] R13: ffffc900017f7000 R14: 00007ffffffff000 R15: 000000002084a000
[ 29.665396] ? _copy_to_user+0x9b/0xc0
[ 29.669260] __do_replace+0x840/0xa70
[ 29.673045] ? compat_table_info+0x4a0/0x4a0
[ 29.677434] ? kasan_check_write+0x14/0x20
[ 29.681643] ? _copy_from_user+0x99/0x110
[ 29.685765] do_ip6t_set_ctl+0x40f/0x5f0
[ 29.689806] ? translate_compat_table+0x1c50/0x1c50
[ 29.694803] ? mutex_unlock+0xd/0x10
[ 29.698494] ? nf_sockopt_find.constprop.0+0x1a7/0x220
[ 29.703745] nf_setsockopt+0x67/0xc0
[ 29.707437] ipv6_setsockopt+0x10b/0x130
[ 29.711475] rawv6_setsockopt+0x4a/0xf0
[ 29.715426] sock_common_setsockopt+0x95/0xd0
[ 29.719899] SyS_setsockopt+0x189/0x360
[ 29.723849] ? SyS_recv+0x40/0x40
[ 29.727281] ? vfs_writev+0x340/0x340
[ 29.731062] ? mm_fault_error+0x2c0/0x2c0
[ 29.735190] ? move_addr_to_kernel+0x60/0x60
[ 29.739577] ? do_syscall_64+0xb6/0x940
[ 29.743540] ? SyS_recv+0x40/0x40
[ 29.746973] do_syscall_64+0x280/0x940
[ 29.750835] ? __do_page_fault+0xc90/0xc90
[ 29.755047] ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 29.759778] ? syscall_return_slowpath+0x550/0x550
[ 29.764686] ? syscall_return_slowpath+0x2ac/0x550
[ 29.769593] ? prepare_exit_to_usermode+0x350/0x350
[ 29.774588] ? entry_SYSCALL_64_after_hwframe+0x52/0xb7
[ 29.779931] ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 29.784750] entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 29.789916] RIP: 0033:0x44be49
[ 29.793088] RSP: 002b:00007fff0ae65de8 EFLAGS: 00000246 ORIG_RAX: 0000000000000036
[ 29.800771] RAX: ffffffffffffffda RBX: 0000000000000068 RCX: 000000000044be49
[ 29.808026] RDX: 0000000000000040 RSI: 0000000000000029 RDI: 0000000000000004
[ 29.815274] RBP: 00000000004adf58 R08: 00000000000004a8 R0