[....] Starting enhanced syslogd: rsyslogd
[ 12.026057] audit: type=1400 audit(1515647047.348:5): avc: denied { syslog } for pid=3339 comm="rsyslogd" capability=34 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=capability2 permissive=1
[ ok ].
Starting mcstransd:
[....] Starting periodic command scheduler: cron [ ok ].
[....] Starting OpenBSD Secure Shell server: sshd [ ok ].
[....] Starting file context maintaining daemon: restorecond [ ok ].

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [ 20.586879] audit: type=1400 audit(1515647055.909:6): avc: denied { map } for pid=3480 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
Warning: Permanently added '10.128.15.245' (ECDSA) to the list of known hosts.
executing program
[ 26.806679] audit: type=1400 audit(1515647062.129:7): avc: denied { map } for pid=3494 comm="syzkaller064042" path="/root/syzkaller064042286" dev="sda1" ino=16481 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
executing program
executing program
executing program
[ 27.135225]
[ 27.136887] =========================
[ 27.140653] WARNING: held lock freed!
[ 27.144422] 4.15.0-rc7+ #182 Not tainted
[ 27.148445] -------------------------
[ 27.152213] syzkaller064042/3504 is freeing memory 000000002e671021-000000004daf7af0, with a lock still held there!
[ 27.162750] (sk_lock-AF_INET6){+.+.}, at: [<0000000069dcaab1>] sctp_wait_for_sndbuf+0x509/0x8d0
[ 27.171658] 1 lock held by syzkaller064042/3504:
[ 27.176379] #0: (sk_lock-AF_INET6){+.+.}, at: [<0000000069dcaab1>] sctp_wait_for_sndbuf+0x509/0x8d0
[ 27.185709]
[ 27.185709] stack backtrace:
[ 27.190173] CPU: 0 PID: 3504 Comm: syzkaller064042 Not tainted 4.15.0-rc7+ #182
[ 27.197585] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 27.206905] Call Trace:
[ 27.209469] dump_stack+0x194/0x257
[ 27.213066] ? arch_local_irq_restore+0x53/0x53
[ 27.217721] debug_check_no_locks_freed+0x32f/0x3c0
[ 27.222709] kmem_cache_free+0x68/0x2a0
[ 27.226654] __sk_destruct+0x622/0x910
[ 27.230508] ? save_stack+0x43/0xd0
[ 27.234103] ? sock_rfree+0x160/0x160
[ 27.237872] ? sctp_sendmsg+0x28f7/0x33f0
[ 27.241988] ? sock_sendmsg+0xca/0x110
[ 27.245842] ? SYSC_sendto+0x361/0x5c0
[ 27.249704] ? SyS_sendto+0x40/0x50
[ 27.253299] ? entry_SYSCALL_64_fastpath+0x23/0x9a
[ 27.258220] ? check_noncircular+0x20/0x20
[ 27.262423] ? print_irqtrace_events+0x270/0x270
[ 27.267165] ? __local_bh_enable_ip+0x121/0x230
[ 27.271803] ? sctp_put_port+0x495/0x640
[ 27.275832] ? sctp_poll+0xc00/0xc00
[ 27.279519] ? refcount_sub_and_test+0x115/0x1b0
[ 27.284252] ? refcount_inc+0x50/0x50
[ 27.288023] ? refcount_inc+0x50/0x50
[ 27.291796] sk_destruct+0x47/0x80
[ 27.295304] __sk_free+0xf1/0x2b0
[ 27.298741] sk_free+0x2a/0x40
[ 27.301903] sctp_association_put+0x14c/0x2f0
[ 27.306367] ? sctp_association_hold+0x20/0x20
[ 27.310918] ? lock_sock_nested+0x91/0x110
[ 27.315124] ? trace_hardirqs_on+0xd/0x10
[ 27.319240] ? __local_bh_enable_ip+0x121/0x230
[ 27.323879] sctp_wait_for_sndbuf+0x673/0x8d0
[ 27.328362] ? sctp_init_sock+0x13b0/0x13b0
[ 27.332655] ? sctp_prsctp_prune+0x97/0x790
[ 27.336956] ? prepare_to_wait+0x4d0/0x4d0
[ 27.341160] ? sctp_sendmsg+0x1a05/0x33f0
[ 27.345278] sctp_sendmsg+0x28f7/0x33f0
[ 27.349228] ? sctp_id2assoc+0x390/0x390
[ 27.353261] ? avc_has_perm+0x43e/0x680
[ 27.357208] ? avc_has_perm_noaudit+0x520/0x520
[ 27.361844] ? __fget+0x35c/0x570
[ 27.365270] ? iterate_fd+0x3f0/0x3f0
[ 27.369046] ? find_held_lock+0x35/0x1d0
[ 27.373094] ? sock_has_perm+0x2a4/0x420
[ 27.377135] ? lock_release+0x9a2/0xa40
[ 27.381082] ? trace_event_raw_event_sched_switch+0x800/0x800
[ 27.386933] ? __check_object_size+0x25d/0x4f0
[ 27.391487] inet_sendmsg+0x11f/0x5e0
[ 27.395255] ? inet_sendmsg+0x11f/0x5e0
[ 27.399208] ? __might_sleep+0x95/0x190
[ 27.403149] ? inet_create+0xf50/0xf50
[ 27.407007] ? selinux_socket_sendmsg+0x36/0x40
[ 27.411647] ? security_socket_sendmsg+0x89/0xb0
[ 27.416370] ? inet_create+0xf50/0xf50
[ 27.420242] sock_sendmsg+0xca/0x110
[ 27.423936] SYSC_sendto+0x361/0x5c0
[ 27.427621] ? SYSC_connect+0x4a0/0x4a0
[ 27.431568] ? selinux_secmark_relabel_packet+0xc0/0xc0
[ 27.436901] ? __do_page_fault+0x3d6/0xc90
[ 27.441109] ? selinux_netlbl_sock_rcv_skb+0x730/0x730
[ 27.446356] ? exit_to_usermode_loop+0x8c/0x310
[ 27.450999] ? trace_event_raw_event_sys_exit+0x260/0x260
[ 27.456510] ? SyS_futex+0x269/0x390
[ 27.460194] ? do_futex+0x22a0/0x22a0
[ 27.463964] ? entry_SYSCALL_64_fastpath+0x5/0x9a
[ 27.468790] SyS_sendto+0x40/0x50
[ 27.472216] entry_SYSCALL_64_fastpath+0x23/0x9a
[ 27.476947] RIP: 0033:0x4457e9
executing program
[ 27.480103] RSP: 002b:00007feb342b7da8 EFLAGS: 00000216 ORIG_RAX: 000000000000002c
[ 27.487777] RAX: ffffffffffffffda RBX: 00000000006dac9c RCX: 00000000004457e9
[ 27.495019] RDX: 0000000000000001 RSI: 000000002010bf14 RDI: 0000000000000006
[ 27.502260] RBP: 00000000006dac98 R08: 00000000204d9000 R09: 000000000000001c
[ 27.509496] R10: 0000000000000000 R11: 0000000000000216 R12: 0000000000000000
[ 27.516733] R13: 00007ffc4c53147f R14: 00007feb342b89c0 R15: 0000000000000001
[ 27.524101] ==================================================================
[ 27.531460] BUG: KASAN: use-after-free in do_raw_spin_lock+0x1e0/0x220
[ 27.538098] Read of size 4 at addr ffff8801c07af08c by task syzkaller064042/3504
[ 27.545608]
[ 27.547208] CPU: 0 PID: 3504 Comm: syzkaller064042 Not tainted 4.15.0-rc7+ #182
[ 27.554621] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 27.563944] Call Trace:
[ 27.566504] dump_stack+0x194/0x257
[ 27.570116] ? arch_local_irq_restore+0x53/0x53
[ 27.574756] ? show_regs_print_info+0x18/0x18
[ 27.579225] ? lock_acquire+0x1d5/0x580
[ 27.583172] ? trace_hardirqs_on+0xd/0x10
[ 27.587290] ? do_raw_spin_lock+0x1e0/0x220
[ 27.591583] print_address_description+0x73/0x250
[ 27.596394] ? do_raw_spin_lock+0x1e0/0x220
[ 27.600684] kasan_report+0x25b/0x340
[ 27.604455] __asan_report_load4_noabort+0x14/0x20
[ 27.609353] do_raw_spin_lock+0x1e0/0x220
[ 27.613473] _raw_spin_lock_bh+0x39/0x40
[ 27.617503] ? release_sock+0x74/0x2a0
[ 27.621359] release_sock+0x74/0x2a0
[ 27.625040] ? sctp_prsctp_prune+0x97/0x790
[ 27.629332] ? __release_sock+0x360/0x360
[ 27.633449] ? sctp_sendmsg+0x1a05/0x33f0
[ 27.637568] sctp_sendmsg+0x2993/0x33f0
[ 27.641519] ? sctp_id2assoc+0x390/0x390
[ 27.645552] ? avc_has_perm+0x43e/0x680
[ 27.649499] ? avc_has_perm_noaudit+0x520/0x520
[ 27.654152] ? __fget+0x35c/0x570
[ 27.657577] ? iterate_fd+0x3f0/0x3f0
[ 27.661352] ? find_held_lock+0x35/0x1d0
[ 27.665387] ? sock_has_perm+0x2a4/0x420
[ 27.669420] ? lock_release+0x9a2/0xa40
[ 27.673364] ? trace_event_raw_event_sched_switch+0x800/0x800
[ 27.679218] ? __check_object_size+0x25d/0x4f0
[ 27.683773] inet_sendmsg+0x11f/0x5e0
[ 27.687540] ? inet_sendmsg+0x11f/0x5e0
[ 27.691481] ? __might_sleep+0x95/0x190
[ 27.695434] ? inet_create+0xf50/0xf50
[ 27.699292] ? selinux_socket_sendmsg+0x36/0x40
[ 27.703935] ? security_socket_sendmsg+0x89/0xb0
[ 27.708660] ? inet_create+0xf50/0xf50
[ 27.712527] sock_sendmsg+0xca/0x110
[ 27.716213] SYSC_sendto+0x361/0x5c0
[ 27.719897] ? SYSC_connect+0x4a0/0x4a0
[ 27.723842] ? selinux_secmark_relabel_packet+0xc0/0xc0
[ 27.729184] ? __do_page_fault+0x3d6/0xc90
[ 27.733405] ? selinux_netlbl_sock_rcv_skb+0x730/0x730
[ 27.738652] ? exit_to_usermode_loop+0x8c/0x310
[ 27.743315] ? trace_event_raw_event_sys_exit+0x260/0x260
[ 27.748838] ? SyS_futex+0x269/0x390
[ 27.752522] ? do_futex+0x22a0/0x22a0
[ 27.756300] ? entry_SYSCALL_64_fastpath+0x5/0x9a
[ 27.761115] SyS_sendto+0x40/0x50
[ 27.764541] entry_SYSCALL_64_fastpath+0x23/0x9a
[ 27.769266] RIP: 0033:0x4457e9
[ 27.772426] RSP: 002b:00007feb342b7da8 EFLAGS: 00000216 ORIG_RAX: 000000000000002c
[ 27.780112] RAX: ffffffffffffffda RBX: 00000000006dac9c RCX: 00000000004457e9
[ 27.787353] RDX: 0000000000000001 RSI: 000000002010bf14 RDI: 0000000000000006
[ 27.794591] RBP: 00000000006dac98 R08: 00000000204d9000 R09: 000000000000001c
[ 27.801841] R10: 0000000000000000 R11: 0000000000000216 R12: 0000000000000000
[ 27.809093] R13: 00007ffc4c53147f R14: 00007feb342b89c0 R15: 0000000000000001
[ 27.816342]
[ 27.817939] Allocated by task 3506:
[ 27.821537] save_stack+0x43/0xd0
[ 27.824957] kasan_kmalloc+0xad/0xe0
[ 27.828637] kasan_slab_alloc+0x12/0x20
[ 27.832578] kmem_cache_alloc+0x12e/0x760
[ 27.836694] sk_prot_alloc+0x65/0x2a0
[ 27.840463] sk_alloc+0x105/0x1440
[ 27.843974] sctp_v6_create_accept_sk+0x15a/0x9b0
[ 27.848785] sctp_accept+0x5c4/0x970
[ 27.852477] inet_accept+0x12c/0x930
[ 27.856157] SYSC_accept4+0x38d/0x870
[ 27.859928] SyS_accept+0x26/0x30
[ 27.863351] entry_SYSCALL_64_fastpath+0x23/0x9a
[ 27.868069]
[ 27.869666] Freed by task 3504:
[ 27.872914] save_stack+0x43/0xd0
[ 27.876335] kasan_slab_free+0x71/0xc0
[ 27.880212] kmem_cache_free+0x83/0x2a0
[ 27.884153] __sk_destruct+0x622/0x910
[ 27.888009] sk_destruct+0x47/0x80
[ 27.891518] __sk_free+0xf1/0x2b0
[ 27.894946] sk_free+0x2a/0x40
[ 27.898110] sctp_association_put+0x14c/0x2f0
[ 27.902573] sctp_wait_for_sndbuf+0x673/0x8d0
[ 27.907037] sctp_sendmsg+0x28f7/0x33f0
[ 27.910980] inet_sendmsg+0x11f/0x5e0
[ 27.914759] sock_sendmsg+0xca/0x110
[ 27.918450] SYSC_sendto+0x361/0x5c0
[ 27.922151] SyS_sendto+0x40/0x50
[ 27.925584] entry_SYSCALL_64_fastpath+0x23/0x9a
[ 27.930313]
[ 27.931913] The buggy address belongs to the object at ffff8801c07af000
[ 27.931913]  which belongs to the cache SCTPv6 of size 1888
[ 27.944193] The buggy address is located 140 bytes inside of
[ 27.944193]  1888-byte region [ffff8801c07af000, ffff8801c07af760)
[ 27.956131] The buggy address belongs to the page:
[ 27.961031] page:ffffea000701ebc0 count:1 mapcount:0 mapping:ffff8801c07af000 index:0x0
[ 27.969150] flags: 0x2fffc0000000100(slab)
[ 27.973356] raw: 02fffc0000000100 ffff8801c07af000 0000000000000000 0000000100000002
[ 27.981207] raw: ffffea0007011460 ffff8801d319ec48 ffff8801d319d080 0000000000000000
[ 27.989053] page dumped because: kasan: bad access detected
[ 27.994728]
[ 27.996332] Memory state around the buggy address:
[ 28.001230]  ffff8801c07aef80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 28.008556]  ffff8801c07af000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 28.015883] >ffff8801c07af080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 28.023208]                                                        ^
[ 28.026800]  ffff8801c07af100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 28.034127]  ffff8801c07af180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 28.041451] ==================================================================
[ 28.048833] Kernel panic - not syncing: panic_on_warn set ...
[ 28.048833]
[ 28.056189] CPU: 0 PID: 3504 Comm: syzkaller064042 Tainted: G B 4.15.0-rc7+ #182
[ 28.064927] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 28.074252] Call Trace:
[ 28.076825] dump_stack+0x194/0x257
[ 28.080444] ? arch_local_irq_restore+0x53/0x53
executing program
[ 28.085102] ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 28.089827] ? vsnprintf+0x1ed/0x1900
[ 28.093598] ? do_raw_spin_lock+0x140/0x220
[ 28.097904] panic+0x1e4/0x41c
[ 28.101080] ? refcount_error_report+0x214/0x214
[ 28.105804] ? add_taint+0x1c/0x50
[ 28.109311] ? add_taint+0x1c/0x50
[ 28.112823] ? do_raw_spin_lock+0x1e0/0x220
[ 28.117114] kasan_end_report+0x50/0x50
[ 28.121061] kasan_report+0x144/0x340
[ 28.124835] __asan_report_load4_noabort+0x14/0x20
[ 28.129733] do_raw_spin_lock+0x1e0/0x220
[ 28.133877] _raw_spin_lock_bh+0x39/0x40
[ 28.137923] ? release_sock+0x74/0x2a0
[ 28.141778] release_sock+0x74/0x2a0
[ 28.145460] ? sctp_prsctp_prune+0x97/0x790
[ 28.149750] ? __release_sock+0x360/0x360
[ 28.153869] ? sctp_sendmsg+0x1a05/0x33f0
[ 28.157997] sctp_sendmsg+0x2993/0x33f0
[ 28.161952] ? sctp_id2assoc+0x390/0x390
[ 28.165984] ? avc_has_perm+0x43e/0x680
[ 28.169944] ? avc_has_perm_noaudit+0x520/0x520
[ 28.174584] ? __fget+0x35c/0x570
[ 28.178012] ? iterate_fd+0x3f0/0x3f0
[ 28.181789] ? find_held_lock+0x35/0x1d0
[ 28.185827] ? sock_has_perm+0x2a4/0x420
[ 28.189860] ? lock_release+0x9a2/0xa40
[ 28.193806] ? trace_event_raw_event_sched_switch+0x800/0x800
[ 28.199662] ? __check_object_size+0x25d/0x4f0
[ 28.204218] inet_sendmsg+0x11f/0x5e0
[ 28.207996] ? inet_sendmsg+0x11f/0x5e0
[ 28.211948] ? __might_sleep+0x95/0x190
[ 28.215890] ? inet_create+0xf50/0xf50
[ 28.219750] ? selinux_socket_sendmsg+0x36/0x40
[ 28.224397] ? security_socket_sendmsg+0x89/0xb0
[ 28.229132] ? inet_create+0xf50/0xf50
[ 28.232990] sock_sendmsg+0xca/0x110
[ 28.236685] SYSC_sendto+0x361/0x5c0
[ 28.240370] ? SYSC_connect+0x4a0/0x4a0
[ 28.244318] ? selinux_secmark_relabel_packet+0xc0/0xc0
[ 28.249651] ? __do_page_fault+0x3d6/0xc90
[ 28.253860] ? selinux_netlbl_sock_rcv_skb+0x730/0x730
[ 28.259111] ? exit_to_usermode_loop+0x8c/0x310
[ 28.263759] ? trace_event_raw_event_sys_exit+0x260/0x260
[ 28.269274] ? SyS_futex+0x269/0x390
[ 28.272958] ? do_futex+0x22a0/0x22a0
[ 28.276732] ? entry_SYSCALL_64_fastpath+0x5/0x9a
[ 28.281549] SyS_sendto+0x40/0x50
[ 28.284972] entry_SYSCALL_64_fastpath+0x23/0x9a
[ 28.289794] RIP: 0033:0x4457e9
[ 28.292952] RSP: 002b:00007feb342b7da8 EFLAGS: 00000216 ORIG_RAX: 000000000000002c
[ 28.300628] RAX: ffffffffffffffda RBX: 00000000006dac9c RCX: 00000000004457e9
[ 28.307867] RDX: 0000000000000001 RSI: 000000002010bf14 RDI: 0000000000000006
[ 28.315106] RBP: 00000000006dac98 R08: 00000000204d9000 R09: 000000000000001c
[ 28.322345] R10: 0000000000000000 R11: 0000000000000216 R12: 0000000000000000
[ 28.329584] R13: 00007ffc4c53147f R14: 00007feb342b89c0 R15: 0000000000000001
[ 28.337259] Dumping ftrace buffer:
[ 28.340768] (ftrace buffer empty)
[ 28.344446] Kernel Offset: disabled
[ 28.348041] Rebooting in 86400 seconds..