[ ok ] Starting enhanced syslogd: rsyslogd.
[ 15.261402] audit: type=1400 audit(1519170452.581:5): avc: denied { syslog } for pid=4022 comm="rsyslogd" capability=34 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=capability2 permissive=1
[ ok ] Starting periodic command scheduler: cron.
Starting mcstransd:
[ ok ] Starting file context maintaining daemon: restorecond.
[ ok ] Starting OpenBSD Secure Shell server: sshd.
Debian GNU/Linux 7 syzkaller ttyS0
syzkaller login:
[ 17.994220] audit: type=1400 audit(1519170455.314:6): avc: denied { map } for pid=4161 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
Warning: Permanently added '10.128.0.36' (ECDSA) to the list of known hosts.
net.ipv6.conf.syz0.accept_dad = 0
net.ipv6.conf.syz0.router_solicitations = 0
[ 27.748995] audit: type=1400 audit(1519170465.068:7): avc: denied { map } for pid=4176 comm="syzkaller449282" path="/root/syzkaller449282051" dev="sda1" ino=16481 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
[ 27.754909] IPVS: ftp: loaded support on port[0] = 21
RTNETLINK answers: Operation not supported
RTNETLINK answers: No buffer space available
RTNETLINK answers: Operation not supported
RTNETLINK answers: Operation not supported
[ 27.968270] IPv6: ADDRCONF(NETDEV_UP): bridge0: link is not ready
RTNETLINK answers: Operation not supported
RTNETLINK answers: Operation not supported
RTNETLINK answers: Invalid argument
RTNETLINK answers: Invalid argument
RTNETLINK answers: Invalid argument
executing program
[ 28.265229]
[ 28.266870] =====================================
[ 28.271679] WARNING: bad unlock balance detected!
[ 28.276490] 4.16.0-rc2+ #235 Not tainted
[ 28.280514] -------------------------------------
[ 28.285322] syzkaller449282/4177 is trying to release lock (rcu_read_lock_bh) at:
[ 28.292916] [] hashlimit_mt_common.isra.10+0x1beb/0x2610
[ 28.299894] but there are no more locks to release!
[ 28.304875]
[ 28.304875] other info that might help us debug this:
[ 28.311507] 5 locks held by syzkaller449282/4177:
[ 28.316316] #0: (&xt[i].mutex){+.+.}, at: [<000000006abcb674>] xt_find_table_lock+0x273/0x3e0
[ 28.325131] #1: (&mm->mmap_sem){++++}, at: [<00000000ef83934a>] __do_page_fault+0x32d/0xc90
[ 28.333766] #2: ((&idev->mc_ifc_timer)){+.-.}, at: [<000000000d65b62c>] call_timer_fn+0x1c6/0x820
[ 28.342925] #3: (rcu_read_lock){....}, at: [<0000000004e3450f>] mld_sendpack+0x180/0xe70
[ 28.351302] #4: (rcu_read_lock){....}, at: [<000000002354c8a2>] nf_hook.constprop.37+0x0/0x830
[ 28.360199]
[ 28.360199] stack backtrace:
[ 28.364663] CPU: 1 PID: 4177 Comm: syzkaller449282 Not tainted 4.16.0-rc2+ #235
[ 28.372084] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 28.381408] Call Trace:
[ 28.383968]
[ 28.386089] dump_stack+0x194/0x257
[ 28.389684] ? arch_local_irq_restore+0x53/0x53
[ 28.394323] ? hashlimit_mt_common.isra.10+0x1beb/0x2610
[ 28.399744] print_unlock_imbalance_bug+0x12f/0x140
[ 28.404731] lock_release+0x6fe/0xa40
[ 28.408500] ? hashlimit_mt_common.isra.10+0x1beb/0x2610
[ 28.413927] ? lock_downgrade+0x980/0x980
[ 28.418050] ? lock_release+0xa40/0xa40
[ 28.421991] ? __raw_spin_lock_init+0x1c/0x100
[ 28.426540] ? do_raw_spin_trylock+0x190/0x190
[ 28.431112] hashlimit_mt_common.isra.10+0x1c08/0x2610
[ 28.436355] ? lock_downgrade+0x980/0x980
[ 28.440478] ? dsthash_find+0x5b0/0x5b0
[ 28.444424] ? __lock_acquire+0x664/0x3e00
[ 28.448628] ? is_bpf_text_address+0x7b/0x120
[ 28.453089] ? lock_downgrade+0x95a/0x980
[ 28.457216] ? rcutorture_record_progress+0x10/0x10
[ 28.462204] ? __kernel_text_address+0xd/0x40
[ 28.466670] ? unwind_get_return_address+0x61/0xa0
[ 28.471567] hashlimit_mt+0x78/0x90
[ 28.475162] ? hashlimit_mt+0x78/0x90
[ 28.478929] ip6t_do_table+0x98d/0x1a30
[ 28.482875] ? kmem_cache_alloc_trace+0x136/0x740
[ 28.487685] ? mld_sendpack+0x617/0xe70
[ 28.491629] ? ip6t_error+0x60/0x60
[ 28.495221] ? ipv6_setsockopt+0x10b/0x130
[ 28.499428] ? check_noncircular+0x20/0x20
[ 28.503629] ? lock_acquire+0x1d5/0x580
[ 28.507571] ? lock_acquire+0x1d5/0x580
[ 28.511512] ? igmp6_mcf_seq_next+0x660/0x660
[ 28.515975] ? lock_release+0xa40/0xa40
[ 28.519922] ip6table_raw_hook+0x65/0x80
[ 28.523953] nf_hook_slow+0xba/0x1a0
[ 28.527634] nf_hook.constprop.37+0x3f6/0x830
[ 28.532097] ? igmp6_mcf_seq_next+0x660/0x660
[ 28.536557] ? trace_hardirqs_on+0xd/0x10
[ 28.540677] ? __local_bh_enable_ip+0x121/0x230
[ 28.545318] ? _raw_spin_unlock_bh+0x30/0x40
[ 28.549696] ? rt6_uncached_list_add+0x1b7/0x240
[ 28.554422] ? rt6_fill_node+0x18b0/0x18b0
[ 28.558626] ? icmp6_dst_alloc+0x475/0x660
[ 28.562833] ? ip6_mc_leave_src+0x1d0/0x1d0
[ 28.567123] ? icmpv6_flow_init+0x1f6/0x270
[ 28.571412] mld_sendpack+0x6c2/0xe70
[ 28.575181] ? nf_hook.constprop.37+0x830/0x830
[ 28.579817] ? mark_held_locks+0xaf/0x100
[ 28.583933] ? trace_hardirqs_on+0xd/0x10
[ 28.588051] ? __local_bh_enable_ip+0x121/0x230
[ 28.592686] mld_ifc_timer_expire+0x3d9/0x770
[ 28.597149] call_timer_fn+0x228/0x820
[ 28.601006] ? mld_dad_timer_expire+0x100/0x100
[ 28.605641] ? process_timeout+0x40/0x40
[ 28.609669] ? __run_timers+0x7e3/0xb70
[ 28.613608] ? lock_downgrade+0x980/0x980
[ 28.617723] ? debug_object_deactivate+0x364/0x560
[ 28.622620] ? lock_release+0xa40/0xa40
[ 28.626563] ? mark_held_locks+0xaf/0x100
[ 28.630678] ? trace_hardirqs_on_caller+0x19e/0x5c0
[ 28.635661] ? mld_dad_timer_expire+0x100/0x100
[ 28.640294] ? mld_dad_timer_expire+0x100/0x100
[ 28.644931] __run_timers+0x7ee/0xb70
[ 28.648701] ? trigger_dyntick_cpu.isra.29+0x150/0x150
[ 28.653948] ? timerqueue_add+0x1e9/0x280
[ 28.658063] ? check_noncircular+0x20/0x20
[ 28.662267] ? enqueue_hrtimer+0x177/0x4b0
[ 28.666467] ? lock_release+0xa40/0xa40
[ 28.670410] ? retrigger_next_event+0x1e0/0x1e0
[ 28.675049] ? print_irqtrace_events+0x270/0x270
[ 28.679773] ? check_noncircular+0x20/0x20
[ 28.683976] ? clockevents_program_event+0x163/0x2e0
[ 28.689044] ? lock_downgrade+0x980/0x980
[ 28.693162] ? __lock_is_held+0xb6/0x140
[ 28.697190] run_timer_softirq+0x4c/0x70
[ 28.701216] __do_softirq+0x2d7/0xb85
[ 28.704985] ? ktime_get+0x26f/0x3a0
[ 28.708669] ? __irqentry_text_end+0x1f8ad4/0x1f8ad4
[ 28.713738] ? check_noncircular+0x20/0x20
[ 28.717940] ? native_apic_msr_write+0x5c/0x80
[ 28.722489] ? lapic_next_event+0x54/0x80
[ 28.726603] ? clockevents_program_event+0x108/0x2e0
[ 28.731672] ? tick_program_event+0x83/0x100
[ 28.736051] ? __lock_is_held+0xb6/0x140
[ 28.740083] irq_exit+0x1cc/0x200
[ 28.743505] smp_apic_timer_interrupt+0x16b/0x700
[ 28.748315] ? smp_call_function_single_interrupt+0x640/0x640
[ 28.754167] ? _raw_spin_lock+0x32/0x40
[ 28.758109] ? _raw_spin_unlock+0x22/0x30
[ 28.762224] ? handle_edge_irq+0x2b4/0x7c0
[ 28.766426] ? task_prio+0x50/0x50
[ 28.769939] ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 28.774750] apic_timer_interrupt+0x8e/0xa0
[ 28.779036]
[ 28.781242] RIP: 0010:lock_is_held_type+0x18b/0x210
[ 28.786221] RSP: 0018:ffff8801b1a26fa0 EFLAGS: 00000282 ORIG_RAX: ffffffffffffff12
[ 28.793895] RAX: dffffc0000000000 RBX: 0000000000000282 RCX: ffffffff819dd382
[ 28.801132] RDX: 1ffffffff0d592d5 RSI: ffffffff86b42680 RDI: 0000000000000282
[ 28.808372] RBP: ffff8801b1a26fc0 R08: 000000000002fc50 R09: 0000000000000000
[ 28.815610] R10: ffffffffffffffe8 R11: 0000000000000000 R12: ffff8801b23fa0c0
[ 28.822850] R13: 0000000000000000 R14: 0000000000001205 R15: 0000000000000147
[ 28.830097] ? clear_huge_page+0x92/0x730
[ 28.834214] ? trace_event_raw_event_sched_switch+0x810/0x810
[ 28.840064] ___might_sleep+0x3d8/0x470
[ 28.844005] ? trace_event_raw_event_sched_switch+0x810/0x810
[ 28.849856] ? __might_sleep+0x95/0x190
[ 28.853797] clear_huge_page+0xa5/0x730
[ 28.857738] ? __raw_spin_lock_init+0x2d/0x100
[ 28.862293] do_huge_pmd_anonymous_page+0x599/0x1b00
[ 28.867373] ? __thp_get_unmapped_area+0x130/0x130
[ 28.872269] ? __lock_acquire+0x664/0x3e00
[ 28.876471] ? __lock_acquire+0x664/0x3e00
[ 28.880673] ? kernel_text_address+0x102/0x140
[ 28.885222] ? __is_insn_slot_addr+0x1fc/0x330
[ 28.889772] ? lock_downgrade+0x980/0x980
[ 28.893891] ? debug_check_no_locks_freed+0x3c0/0x3c0
[ 28.899051] ? modules_open+0xa0/0xa0
[ 28.902826] ? trace_raw_output_xdp_redirect_map_err+0x440/0x440
[ 28.908941] ? is_bpf_text_address+0x7b/0x120
[ 28.913405] ? lock_downgrade+0x980/0x980
[ 28.917519] ? lock_release+0xa40/0xa40
[ 28.921466] ? __free_insn_slot+0x5c0/0x5c0
[ 28.925761] ? rcutorture_record_progress+0x10/0x10
[ 28.930745] ? is_bpf_text_address+0xa4/0x120
[ 28.935207] ? kernel_text_address+0x102/0x140
[ 28.939757] __handle_mm_fault+0x1a0c/0x3ce0
[ 28.944135] ? __pmd_alloc+0x4e0/0x4e0
[ 28.947989] ? check_noncircular+0x20/0x20
[ 28.952193] ? print_lockdep_cache.isra.32+0x109/0x109
[ 28.957436] ? find_held_lock+0x35/0x1d0
[ 28.961465] ? handle_mm_fault+0x270/0x970
[ 28.965665] ? lock_downgrade+0x980/0x980
[ 28.969787] handle_mm_fault+0x35c/0x970
[ 28.973817] ? __handle_mm_fault+0x3ce0/0x3ce0
[ 28.978363] ? vmacache_find+0x5f/0x280
[ 28.982310] ? find_vma+0x30/0x150
[ 28.985822] __do_page_fault+0x5c9/0xc90
[ 28.989867] ? mm_fault_error+0x2c0/0x2c0
[ 28.993983] ? kfree+0xd9/0x260
[ 28.997231] ? xt_free_table_info+0x110/0x170
[ 29.001692] ? __do_replace+0x810/0xa70
[ 29.005633] ? check_noncircular+0x20/0x20
[ 29.009837] ? rawv6_setsockopt+0x4a/0xf0
[ 29.013950] ? sock_common_setsockopt+0x95/0xd0
[ 29.018587] do_page_fault+0xee/0x730
[ 29.022357] ? __do_page_fault+0xc90/0xc90
[ 29.026559] ? find_held_lock+0x35/0x1d0
[ 29.030588] ? __might_fault+0x110/0x1d0
[ 29.034617] ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 29.039430] page_fault+0x62/0x90
[ 29.042852] RIP: 0010:copy_user_generic_unrolled+0x89/0xc0
[ 29.048440] RSP: 0018:ffff8801b1a279b8 EFLAGS: 00010206
[ 29.053770] RAX: fffff52000304206 RBX: 0000000000000030 RCX: 0000000000000006
[ 29.061008] RDX: 0000000000000000 RSI: ffffc90001821000 RDI: 0000000020849fd0
[ 29.068253] RBP: ffff8801b1a279e8 R08: 0000000000000000 R09: fffff52000304206
[ 29.075491] R10: 0000000000000006 R11: fffff52000304205 R12: 0000000020849fd0
[ 29.082730] R13: ffffc90001821000 R14: 00007ffffffff000 R15: 000000002084a000
[ 29.089976] ? _copy_to_user+0x9b/0xc0
[ 29.093833] __do_replace+0x840/0xa70
[ 29.097601] ? compat_table_info+0x4a0/0x4a0
[ 29.101977] ? kasan_check_write+0x14/0x20
[ 29.106180] ? _copy_from_user+0x99/0x110
[ 29.110295] do_ip6t_set_ctl+0x40f/0x5f0
[ 29.114324] ? translate_compat_table+0x1c50/0x1c50
[ 29.119312] ? mutex_unlock+0xd/0x10
[ 29.122994] ? nf_sockopt_find.constprop.0+0x1a7/0x220
[ 29.128246] nf_setsockopt+0x67/0xc0
[ 29.131930] ipv6_setsockopt+0x10b/0x130
[ 29.135959] rawv6_setsockopt+0x4a/0xf0
[ 29.139901] sock_common_setsockopt+0x95/0xd0
[ 29.144364] SyS_setsockopt+0x189/0x360
[ 29.148308] ? SyS_recv+0x40/0x40
[ 29.151729] ? mm_fault_error+0x2c0/0x2c0
[ 29.155843] ? move_addr_to_kernel+0x60/0x60
[ 29.160218] ? do_syscall_64+0xb6/0x940
[ 29.164160] ? SyS_recv+0x40/0x40
[ 29.167581] do_syscall_64+0x280/0x940
[ 29.171435] ? __do_page_fault+0xc90/0xc90
[ 29.175634] ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 29.180356] ? syscall_return_slowpath+0x550/0x550
[ 29.185252] ? syscall_return_slowpath+0x2ac/0x550
[ 29.190149] ? prepare_exit_to_usermode+0x350/0x350
[ 29.195134] ? retint_user+0x18/0x18
[ 29.198826] ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 29.203642] entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 29.208809] RIP: 0033:0x44c0d9
[ 29.211967] RSP: 002b:00007fff013b5e58 EFLAGS: 00000246 ORIG_RAX: 0000000000000036