Starting mcstransd:
[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting file context maintaining daemon: restorecond.
[ ok ] Starting OpenBSD Secure Shell server: sshd.
[ 13.567644] audit: type=1400 audit(1515629166.198:6): avc: denied { map } for pid=3483 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1

Debian GNU/Linux 7 syzkaller ttyS0

Warning: Permanently added '10.128.0.51' (ECDSA) to the list of known hosts.
executing program
syzkaller login: [ 20.456622] audit: type=1400 audit(1515629173.087:7): avc: denied { map } for pid=3497 comm="syzkaller283912" path="/root/syzkaller283912618" dev="sda1" ino=16481 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
executing program
executing program
[ 20.642250]
[ 20.643895] =========================
[ 20.647662] WARNING: held lock freed!
[ 20.651429] 4.15.0-rc7+ #182 Not tainted
[ 20.655461] -------------------------
[ 20.659236] syzkaller283912/3501 is freeing memory 000000007d19495e-000000002cd8bde9, with a lock still held there!
[ 20.669778] (sk_lock-AF_INET6){+.+.}, at: [<00000000b627e956>] sctp_wait_for_sndbuf+0x509/0x8d0
[ 20.678687] 1 lock held by syzkaller283912/3501:
[ 20.683411] #0: (sk_lock-AF_INET6){+.+.}, at: [<00000000b627e956>] sctp_wait_for_sndbuf+0x509/0x8d0
[ 20.692742]
[ 20.692742] stack backtrace:
[ 20.697208] CPU: 1 PID: 3501 Comm: syzkaller283912 Not tainted 4.15.0-rc7+ #182
[ 20.704621] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 20.713943] Call Trace:
[ 20.716517] dump_stack+0x194/0x257
[ 20.720117] ?
arch_local_irq_restore+0x53/0x53
[ 20.724764] debug_check_no_locks_freed+0x32f/0x3c0
[ 20.729764] kmem_cache_free+0x68/0x2a0
[ 20.733711] __sk_destruct+0x622/0x910
[ 20.737568] ? save_stack+0x43/0xd0
[ 20.741165] ? sock_rfree+0x160/0x160
[ 20.744936] ? sctp_sendmsg+0x28f7/0x33f0
[ 20.749056] ? sock_sendmsg+0xca/0x110
[ 20.752911] ? SYSC_sendto+0x361/0x5c0
[ 20.756775] ? SyS_sendto+0x40/0x50
[ 20.760379] ? entry_SYSCALL_64_fastpath+0x23/0x9a
[ 20.765298] ? check_noncircular+0x20/0x20
[ 20.769503] ? print_irqtrace_events+0x270/0x270
[ 20.774233] ? __local_bh_enable_ip+0x121/0x230
[ 20.778871] ? sctp_put_port+0x495/0x640
[ 20.782905] ? sctp_poll+0xc00/0xc00
[ 20.786592] ? refcount_sub_and_test+0x115/0x1b0
[ 20.791319] ? refcount_inc+0x50/0x50
[ 20.795089] ? refcount_inc+0x50/0x50
[ 20.798861] sk_destruct+0x47/0x80
[ 20.802380] __sk_free+0xf1/0x2b0
[ 20.805803] sk_free+0x2a/0x40
[ 20.808968] sctp_association_put+0x14c/0x2f0
[ 20.813434] ? sctp_association_hold+0x20/0x20
[ 20.817986] ? lock_sock_nested+0x91/0x110
[ 20.822190] ? trace_hardirqs_on+0xd/0x10
[ 20.826309] ? __local_bh_enable_ip+0x121/0x230
[ 20.830953] sctp_wait_for_sndbuf+0x673/0x8d0
[ 20.835423] ? sctp_init_sock+0x13b0/0x13b0
[ 20.839715] ? do_raw_spin_trylock+0x190/0x190
[ 20.844265] ? __local_bh_enable_ip+0x121/0x230
[ 20.848902] ? sctp_prsctp_prune+0x97/0x790
[ 20.853198] ? prepare_to_wait+0x4d0/0x4d0
[ 20.857401] ? trace_hardirqs_on+0xd/0x10
[ 20.861532] sctp_sendmsg+0x28f7/0x33f0
[ 20.865483] ? sctp_id2assoc+0x390/0x390
[ 20.869525] ? avc_has_perm+0x43e/0x680
[ 20.873470] ? avc_has_perm_noaudit+0x520/0x520
[ 20.878111] ? __fget+0x35c/0x570
[ 20.881546] ? iterate_fd+0x3f0/0x3f0
[ 20.885322] ? find_held_lock+0x35/0x1d0
[ 20.889376] ? sock_has_perm+0x2a4/0x420
[ 20.893408] ? lock_release+0x9a2/0xa40
[ 20.897352] ? trace_event_raw_event_sched_switch+0x800/0x800
[ 20.903295] ? __check_object_size+0x25d/0x4f0
[ 20.907857] inet_sendmsg+0x11f/0x5e0
[ 20.911633] ? inet_sendmsg+0x11f/0x5e0
[ 20.915576] ? __might_sleep+0x95/0x190
[ 20.919520] ? inet_create+0xf50/0xf50
[ 20.923387] ? selinux_socket_sendmsg+0x36/0x40
[ 20.928025] ? security_socket_sendmsg+0x89/0xb0
[ 20.932753] ? inet_create+0xf50/0xf50
[ 20.936612] sock_sendmsg+0xca/0x110
[ 20.940295] SYSC_sendto+0x361/0x5c0
[ 20.943991] ? SYSC_connect+0x4a0/0x4a0
[ 20.947941] ? selinux_secmark_relabel_packet+0xc0/0xc0
[ 20.953274] ? __do_page_fault+0x3d6/0xc90
[ 20.957491] ? selinux_netlbl_sock_rcv_skb+0x730/0x730
[ 20.962762] ? SyS_futex+0x269/0x390
[ 20.966454] ? SyS_setsockopt+0x215/0x360
[ 20.970573] ? do_futex+0x22a0/0x22a0
[ 20.974346] ? entry_SYSCALL_64_fastpath+0x5/0x9a
[ 20.979164] SyS_sendto+0x40/0x50
[ 20.982589] entry_SYSCALL_64_fastpath+0x23/0x9a
[ 20.987335] RIP: 0033:0x4457e9
[ 20.990493] RSP: 002b:00007fa645005da8 EFLAGS: 00000216 ORIG_RAX: 000000000000002c
[ 20.998176] RAX: ffffffffffffffda RBX: 00000000006dac6c RCX: 00000000004457e9
[ 21.005416] RDX: 0000000000000001 RSI: 000000002010bf14 RDI: 0000000000000004
[ 21.012656] RBP: 00000000006dac68 R08: 00000000204d9000 R09: 000000000000001c
[ 21.019894] R10: 0000000000000000 R11: 0000000000000216 R12: 0000000000000000
[ 21.027141] R13: 00007ffc779fc65f R14: 00007fa6450069c0 R15: 0000000000000001
[ 21.034511] ==================================================================
[ 21.041871] BUG: KASAN: use-after-free in do_raw_spin_lock+0x1e0/0x220
[ 21.048520] Read of size 4 at addr ffff8801c0bac08c by task syzkaller283912/3501
[ 21.056028]
[ 21.057631] CPU: 1 PID: 3501 Comm: syzkaller283912 Not tainted 4.15.0-rc7+ #182
[ 21.065054] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 21.074385] Call Trace:
[ 21.076955] dump_stack+0x194/0x257
[ 21.080559] ? arch_local_irq_restore+0x53/0x53
[ 21.085211] ? show_regs_print_info+0x18/0x18
[ 21.089682] ? lock_acquire+0x1d5/0x580
executing program
[ 21.093633] ? trace_hardirqs_on+0xd/0x10
[ 21.097750] ? do_raw_spin_lock+0x1e0/0x220
[ 21.102046] print_address_description+0x73/0x250
[ 21.106887] ? do_raw_spin_lock+0x1e0/0x220
[ 21.111189] kasan_report+0x25b/0x340
[ 21.114965] __asan_report_load4_noabort+0x14/0x20
[ 21.119867] do_raw_spin_lock+0x1e0/0x220
[ 21.123993] _raw_spin_lock_bh+0x39/0x40
[ 21.128113] ? release_sock+0x74/0x2a0
[ 21.131993] release_sock+0x74/0x2a0
[ 21.135680] ? sctp_prsctp_prune+0x97/0x790
[ 21.139971] ? __release_sock+0x360/0x360
[ 21.144089] ? trace_hardirqs_on+0xd/0x10
[ 21.148211] sctp_sendmsg+0x2993/0x33f0
[ 21.152168] ? sctp_id2assoc+0x390/0x390
[ 21.156198] ? avc_has_perm+0x43e/0x680
[ 21.160143] ? avc_has_perm_noaudit+0x520/0x520
[ 21.164783] ? __fget+0x35c/0x570
[ 21.168216] ? iterate_fd+0x3f0/0x3f0
[ 21.171998] ? find_held_lock+0x35/0x1d0
[ 21.176042] ? sock_has_perm+0x2a4/0x420
[ 21.180082] ? lock_release+0x9a2/0xa40
[ 21.184029] ? trace_event_raw_event_sched_switch+0x800/0x800
[ 21.189892] ? __check_object_size+0x25d/0x4f0
[ 21.194447] inet_sendmsg+0x11f/0x5e0
[ 21.198216] ? inet_sendmsg+0x11f/0x5e0
[ 21.202169] ? __might_sleep+0x95/0x190
[ 21.206124] ? inet_create+0xf50/0xf50
[ 21.209989] ? selinux_socket_sendmsg+0x36/0x40
[ 21.214629] ? security_socket_sendmsg+0x89/0xb0
[ 21.219361] ? inet_create+0xf50/0xf50
[ 21.223219] sock_sendmsg+0xca/0x110
[ 21.226904] SYSC_sendto+0x361/0x5c0
[ 21.230590] ? SYSC_connect+0x4a0/0x4a0
[ 21.234536] ? selinux_secmark_relabel_packet+0xc0/0xc0
[ 21.239869] ? __do_page_fault+0x3d6/0xc90
[ 21.244078] ? selinux_netlbl_sock_rcv_skb+0x730/0x730
[ 21.249339] ? SyS_futex+0x269/0x390
[ 21.253025] ? SyS_setsockopt+0x215/0x360
[ 21.257145] ? do_futex+0x22a0/0x22a0
[ 21.260921] ? entry_SYSCALL_64_fastpath+0x5/0x9a
[ 21.265744] SyS_sendto+0x40/0x50
[ 21.269175] entry_SYSCALL_64_fastpath+0x23/0x9a
[ 21.273904] RIP: 0033:0x4457e9
[ 21.277063] RSP: 002b:00007fa645005da8 EFLAGS: 00000216 ORIG_RAX: 000000000000002c
[ 21.284740] RAX: ffffffffffffffda RBX: 00000000006dac6c RCX: 00000000004457e9
[ 21.291979] RDX: 0000000000000001 RSI: 000000002010bf14 RDI: 0000000000000004
[ 21.299225] RBP: 00000000006dac68 R08: 00000000204d9000 R09: 000000000000001c
[ 21.306472] R10: 0000000000000000 R11: 0000000000000216 R12: 0000000000000000
[ 21.313710] R13: 00007ffc779fc65f R14: 00007fa6450069c0 R15: 0000000000000001
[ 21.320963]
[ 21.322562] Allocated by task 3506:
[ 21.326161] save_stack+0x43/0xd0
[ 21.329582] kasan_kmalloc+0xad/0xe0
[ 21.333263] kasan_slab_alloc+0x12/0x20
[ 21.337218] kmem_cache_alloc+0x12e/0x760
[ 21.341339] sk_prot_alloc+0x65/0x2a0
[ 21.345112] sk_alloc+0x105/0x1440
[ 21.348628] sctp_v6_create_accept_sk+0x15a/0x9b0
[ 21.353440] sctp_accept+0x5c4/0x970
[ 21.357128] inet_accept+0x12c/0x930
[ 21.360816] SYSC_accept4+0x38d/0x870
[ 21.364584] SyS_accept+0x26/0x30
[ 21.368006] entry_SYSCALL_64_fastpath+0x23/0x9a
[ 21.372730]
[ 21.374325] Freed by task 3501:
[ 21.377577] save_stack+0x43/0xd0
[ 21.380996] kasan_slab_free+0x71/0xc0
[ 21.384855] kmem_cache_free+0x83/0x2a0
[ 21.388802] __sk_destruct+0x622/0x910
[ 21.392657] sk_destruct+0x47/0x80
[ 21.396162] __sk_free+0xf1/0x2b0
[ 21.399585] sk_free+0x2a/0x40
[ 21.402751] sctp_association_put+0x14c/0x2f0
[ 21.407222] sctp_wait_for_sndbuf+0x673/0x8d0
[ 21.411684] sctp_sendmsg+0x28f7/0x33f0
[ 21.415633] inet_sendmsg+0x11f/0x5e0
[ 21.419410] sock_sendmsg+0xca/0x110
[ 21.423094] SYSC_sendto+0x361/0x5c0
[ 21.426775] SyS_sendto+0x40/0x50
[ 21.430199] entry_SYSCALL_64_fastpath+0x23/0x9a
[ 21.434920]
[ 21.436525] The buggy address belongs to the object at ffff8801c0bac000
[ 21.436525]  which belongs to the cache SCTPv6 of size 1888
[ 21.448802] The buggy address is located 140 bytes inside of
[ 21.448802]  1888-byte region [ffff8801c0bac000, ffff8801c0bac760)
[ 21.460749] The buggy address belongs to the page:
[ 21.465648] page:ffffea000702eb00 count:1 mapcount:0 mapping:ffff8801c0bac000 index:0x0
[ 21.473766] flags: 0x2fffc0000000100(slab)
[ 21.477977] raw: 02fffc0000000100 ffff8801c0bac000 0000000000000000 0000000100000002
[ 21.485827] raw: ffffea00074cabe0 ffffea00072e48a0 ffff8801d32ab500 0000000000000000
[ 21.493681] page dumped because: kasan: bad access detected
[ 21.499360]
[ 21.500956] Memory state around the buggy address:
[ 21.505860]  ffff8801c0babf80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 21.513186]  ffff8801c0bac000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 21.520518] >ffff8801c0bac080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 21.527851]                                        ^
[ 21.531451]  ffff8801c0bac100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 21.538781]  ffff8801c0bac180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 21.546104] ==================================================================
[ 21.553467] Kernel panic - not syncing: panic_on_warn set ...
[ 21.553467]
[ 21.560820] CPU: 1 PID: 3501 Comm: syzkaller283912 Tainted: G B 4.15.0-rc7+ #182
[ 21.569549] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 21.578873] Call Trace:
[ 21.581440] dump_stack+0x194/0x257
[ 21.585050] ? arch_local_irq_restore+0x53/0x53
[ 21.589699] ? trace_hardirqs_on_thunk+0x1a/0x1c
executing program
[ 21.594426] ? vsnprintf+0x1ed/0x1900
[ 21.598195] ? do_raw_spin_lock+0x140/0x220
[ 21.602494] panic+0x1e4/0x41c
[ 21.605672] ? refcount_error_report+0x214/0x214
[ 21.610404] ? add_taint+0x1c/0x50
[ 21.613909] ? add_taint+0x1c/0x50
[ 21.617418] ? do_raw_spin_lock+0x1e0/0x220
[ 21.621710] kasan_end_report+0x50/0x50
[ 21.625664] kasan_report+0x144/0x340
[ 21.629444] __asan_report_load4_noabort+0x14/0x20
[ 21.634345] do_raw_spin_lock+0x1e0/0x220
[ 21.638472] _raw_spin_lock_bh+0x39/0x40
[ 21.642504] ? release_sock+0x74/0x2a0
[ 21.646536] release_sock+0x74/0x2a0
[ 21.650218] ? sctp_prsctp_prune+0x97/0x790
[ 21.654509] ? __release_sock+0x360/0x360
[ 21.658625] ? trace_hardirqs_on+0xd/0x10
[ 21.662746] sctp_sendmsg+0x2993/0x33f0
[ 21.666700] ? sctp_id2assoc+0x390/0x390
[ 21.670734] ? avc_has_perm+0x43e/0x680
[ 21.674682] ? avc_has_perm_noaudit+0x520/0x520
[ 21.679322] ? __fget+0x35c/0x570
[ 21.682749] ? iterate_fd+0x3f0/0x3f0
[ 21.686527] ? find_held_lock+0x35/0x1d0
[ 21.690574] ? sock_has_perm+0x2a4/0x420
[ 21.694607] ? lock_release+0x9a2/0xa40
[ 21.698551] ? trace_event_raw_event_sched_switch+0x800/0x800
[ 21.704415] ? __check_object_size+0x25d/0x4f0
[ 21.708972] inet_sendmsg+0x11f/0x5e0
[ 21.712750] ? inet_sendmsg+0x11f/0x5e0
[ 21.716703] ? __might_sleep+0x95/0x190
[ 21.720647] ? inet_create+0xf50/0xf50
[ 21.724511] ? selinux_socket_sendmsg+0x36/0x40
[ 21.729149] ? security_socket_sendmsg+0x89/0xb0
[ 21.733873] ? inet_create+0xf50/0xf50
[ 21.737734] sock_sendmsg+0xca/0x110
[ 21.741419] SYSC_sendto+0x361/0x5c0
[ 21.745104] ? SYSC_connect+0x4a0/0x4a0
[ 21.749049] ? selinux_secmark_relabel_packet+0xc0/0xc0
[ 21.754384] ? __do_page_fault+0x3d6/0xc90
[ 21.758592] ? selinux_netlbl_sock_rcv_skb+0x730/0x730
[ 21.763856] ? SyS_futex+0x269/0x390
[ 21.767538] ? SyS_setsockopt+0x215/0x360
[ 21.771657] ? do_futex+0x22a0/0x22a0
[ 21.775431] ? entry_SYSCALL_64_fastpath+0x5/0x9a
[ 21.780251] SyS_sendto+0x40/0x50
[ 21.783675] entry_SYSCALL_64_fastpath+0x23/0x9a
[ 21.788397] RIP: 0033:0x4457e9
[ 21.791558] RSP: 002b:00007fa645005da8 EFLAGS: 00000216 ORIG_RAX: 000000000000002c
[ 21.799235] RAX: ffffffffffffffda RBX: 00000000006dac6c RCX: 00000000004457e9
[ 21.806483] RDX: 0000000000000001 RSI: 000000002010bf14 RDI: 0000000000000004
[ 21.813730] RBP: 00000000006dac68 R08: 00000000204d9000 R09: 000000000000001c
[ 21.820969] R10: 0000000000000000 R11: 0000000000000216 R12: 0000000000000000
[ 21.828209] R13: 00007ffc779fc65f R14: 00007fa6450069c0 R15: 0000000000000001
[ 21.835943] Dumping ftrace buffer:
[ 21.839458] (ftrace buffer empty)
[ 21.843139] Kernel Offset: disabled
[ 21.846732] Rebooting in 86400 seconds..