[?25l[?1c7[ ok 8[?25h[?0c. [....] Starting periodic command scheduler: cron[?25l[?1c7[ ok 8[?25h[?0c. Starting mcstransd: [....] Starting OpenBSD Secure Shell server: sshd[?25l[?1c7[ ok 8[?25h[?0c. [....] Starting file context maintaining daemon: restorecond[?25l[?1c7[ ok 8[?25h[?0c. [ 12.308559] audit: type=1400 audit(1515629164.655:6): avc: denied { map } for pid=3453 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1 Debian GNU/Linux 7 syzkaller ttyS0 Warning: Permanently added '10.128.0.54' (ECDSA) to the list of known hosts. executing program syzkaller login: [ 18.520068] audit: type=1400 audit(1515629170.866:7): avc: denied { map } for pid=3467 comm="syzkaller870416" path="/root/syzkaller870416159" dev="sda1" ino=16481 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1 executing program executing program [ 18.687125] [ 18.688775] ========================= [ 18.692541] WARNING: held lock freed! [ 18.696311] 4.15.0-rc6-mm1+ #52 Not tainted [ 18.700600] ------------------------- [ 18.704371] syzkaller870416/3471 is freeing memory 000000009de76a56-0000000050e66cc9, with a lock still held there! [ 18.714908] (sk_lock-AF_INET6){+.+.}, at: [<00000000b40c2a4c>] sctp_wait_for_sndbuf+0x509/0x8d0 [ 18.723812] 1 lock held by syzkaller870416/3471: [ 18.728536] #0: (sk_lock-AF_INET6){+.+.}, at: [<00000000b40c2a4c>] sctp_wait_for_sndbuf+0x509/0x8d0 [ 18.737871] [ 18.737871] stack backtrace: [ 18.742333] CPU: 0 PID: 3471 Comm: syzkaller870416 Not tainted 4.15.0-rc6-mm1+ #52 [ 18.750005] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 18.759328] Call Trace: [ 18.761886] dump_stack+0x194/0x257 [ 18.765482] ? arch_local_irq_restore+0x53/0x53 [ 18.770127] debug_check_no_locks_freed+0x32f/0x3c0 [ 18.775116] kmem_cache_free+0x68/0x2b0 [ 18.779061] __sk_destruct+0x622/0x910 [ 18.782913] ? kfree+0xd9/0x260 [ 18.786161] ? sock_rfree+0x160/0x160 [ 18.789929] ? sock_sendmsg+0xca/0x110 [ 18.793784] ? SyS_sendto+0x40/0x50 [ 18.797379] ? entry_SYSCALL_64_fastpath+0x23/0x9a [ 18.802278] ? debug_check_no_obj_freed+0x611/0xf1f [ 18.807266] ? check_noncircular+0x20/0x20 [ 18.811468] ? print_irqtrace_events+0x270/0x270 [ 18.816195] ? __local_bh_enable_ip+0x121/0x230 [ 18.820832] ? sctp_put_port+0x495/0x640 [ 18.824863] ? sctp_poll+0xc00/0xc00 [ 18.828552] ? refcount_sub_and_test+0x115/0x1b0 [ 18.833276] ? refcount_inc+0x50/0x50 [ 18.837046] ? refcount_inc+0x50/0x50 [ 18.840824] sk_destruct+0x47/0x80 [ 18.844331] __sk_free+0xf1/0x2b0 [ 18.847752] sk_free+0x2a/0x40 [ 18.850920] sctp_association_put+0x14c/0x2f0 [ 18.855385] ? sctp_association_hold+0x20/0x20 [ 18.859936] ? lock_sock_nested+0x91/0x110 [ 18.864143] ? trace_hardirqs_on+0xd/0x10 [ 18.868258] ? __local_bh_enable_ip+0x121/0x230 [ 18.872899] sctp_wait_for_sndbuf+0x673/0x8d0 [ 18.877367] ? sctp_init_sock+0x13b0/0x13b0 [ 18.881658] ? do_raw_spin_trylock+0x190/0x190 [ 18.886208] ? __local_bh_enable_ip+0x121/0x230 [ 18.890843] ? sctp_prsctp_prune+0x97/0x790 [ 18.895133] ? prepare_to_wait+0x4d0/0x4d0 [ 18.899334] ? trace_hardirqs_on+0xd/0x10 [ 18.903455] sctp_sendmsg+0x28f7/0x33f0 [ 18.907406] ? sctp_id2assoc+0x390/0x390 [ 18.911436] ? avc_has_perm+0x43e/0x680 [ 18.915383] ? avc_has_perm_noaudit+0x520/0x520 [ 18.920021] ? __fget+0x35c/0x570 [ 18.923448] ? iterate_fd+0x3f0/0x3f0 [ 18.927222] ? find_held_lock+0x35/0x1d0 [ 18.931263] ? sock_has_perm+0x2a4/0x420 [ 18.935293] ? lock_release+0xa02/0xa40 [ 18.939234] ? trace_event_raw_event_sched_switch+0x800/0x800 [ 18.945087] ? __check_object_size+0x8b/0x530 [ 18.949555] inet_sendmsg+0x11f/0x5e0 [ 18.953323] ? inet_sendmsg+0x11f/0x5e0 [ 18.957265] ? __might_sleep+0x95/0x190 [ 18.961208] ? inet_recvmsg+0x5f0/0x5f0 [ 18.965152] ? selinux_socket_sendmsg+0x36/0x40 [ 18.969796] ? security_socket_sendmsg+0x89/0xb0 [ 18.974518] ? inet_recvmsg+0x5f0/0x5f0 [ 18.978471] sock_sendmsg+0xca/0x110 [ 18.982153] SYSC_sendto+0x361/0x5c0 [ 18.985837] ? SYSC_connect+0x4a0/0x4a0 [ 18.989779] ? selinux_secmark_relabel_packet+0xc0/0xc0 [ 18.995111] ? __do_page_fault+0x3d6/0xc90 [ 18.999317] ? selinux_netlbl_sock_rcv_skb+0x730/0x730 [ 19.004584] ? SyS_futex+0x269/0x390 [ 19.008270] ? SyS_setsockopt+0x215/0x360 [ 19.012387] ? do_futex+0x22a0/0x22a0 [ 19.016162] ? entry_SYSCALL_64_fastpath+0x5/0x9a [ 19.020977] SyS_sendto+0x40/0x50 [ 19.024400] entry_SYSCALL_64_fastpath+0x23/0x9a [ 19.029128] RIP: 0033:0x4457e9 [ 19.032288] RSP: 002b:00007f31a3120da8 EFLAGS: 00000216 ORIG_RAX: 000000000000002c [ 19.039960] RAX: ffffffffffffffda RBX: 00000000006dac6c RCX: 00000000004457e9 [ 19.047203] RDX: 0000000000000001 RSI: 000000002010bf14 RDI: 0000000000000004 [ 19.054452] RBP: 00000000006dac68 R08: 00000000204d9000 R09: 000000000000001c [ 19.061691] R10: 0000000000000000 R11: 0000000000000216 R12: 0000000000000000 [ 19.068927] R13: 00007ffe4218281f R14: 00007f31a31219c0 R15: 0000000000000001 [ 19.076273] ================================================================== [ 19.083622] BUG: KASAN: use-after-free in do_raw_spin_lock+0x1e0/0x220 [ 19.090259] Read of size 4 at addr ffff8801c066c08c by task syzkaller870416/3471 [ 19.097758] [ 19.099357] CPU: 0 PID: 3471 Comm: syzkaller870416 Not tainted 4.15.0-rc6-mm1+ #52 [ 19.107036] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 19.116366] Call Trace: [ 19.118924] dump_stack+0x194/0x257 [ 19.122529] ? arch_local_irq_restore+0x53/0x53 [ 19.127167] ? show_regs_print_info+0x18/0x18 [ 19.131628] ? lock_acquire+0x1d5/0x580 [ 19.135567] ? trace_hardirqs_on+0xd/0x10 [ 19.139679] ? do_raw_spin_lock+0x1e0/0x220 [ 19.143976] print_address_description+0x73/0x250 [ 19.148795] ? do_raw_spin_lock+0x1e0/0x220 [ 19.153086] kasan_report+0x23b/0x360 [ 19.156863] __asan_report_load4_noabort+0x14/0x20 [ 19.161773] do_raw_spin_lock+0x1e0/0x220 [ 19.165893] _raw_spin_lock_bh+0x39/0x40 [ 19.169931] ? release_sock+0x74/0x2a0 [ 19.173783] release_sock+0x74/0x2a0 [ 19.177465] ? sctp_prsctp_prune+0x97/0x790 [ 19.181762] ? __release_sock+0x360/0x360 [ 19.185878] ? trace_hardirqs_on+0xd/0x10 [ 19.189997] sctp_sendmsg+0x2993/0x33f0 [ 19.193948] ? sctp_id2assoc+0x390/0x390 [ 19.197979] ? avc_has_perm+0x43e/0x680 [ 19.201932] ? avc_has_perm_noaudit+0x520/0x520 [ 19.206570] ? __fget+0x35c/0x570 [ 19.209995] ? iterate_fd+0x3f0/0x3f0 [ 19.213772] ? find_held_lock+0x35/0x1d0 [ 19.218624] ? sock_has_perm+0x2a4/0x420 [ 19.222656] ? lock_release+0xa02/0xa40 [ 19.226611] ? trace_event_raw_event_sched_switch+0x800/0x800 [ 19.232466] ? __check_object_size+0x8b/0x530 [ 19.236937] inet_sendmsg+0x11f/0x5e0 [ 19.240703] ? inet_sendmsg+0x11f/0x5e0 [ 19.244650] ? __might_sleep+0x95/0x190 [ 19.248595] ? inet_recvmsg+0x5f0/0x5f0 [ 19.252544] ? selinux_socket_sendmsg+0x36/0x40 [ 19.257179] ? security_socket_sendmsg+0x89/0xb0 [ 19.261901] ? inet_recvmsg+0x5f0/0x5f0 [ 19.265846] sock_sendmsg+0xca/0x110 [ 19.269529] SYSC_sendto+0x361/0x5c0 [ 19.273213] ? SYSC_connect+0x4a0/0x4a0 [ 19.277158] ? selinux_secmark_relabel_packet+0xc0/0xc0 [ 19.282490] ? __do_page_fault+0x3d6/0xc90 [ 19.286699] ? selinux_netlbl_sock_rcv_skb+0x730/0x730 [ 19.291957] ? SyS_futex+0x269/0x390 [ 19.295638] ? SyS_setsockopt+0x215/0x360 [ 19.299755] ? do_futex+0x22a0/0x22a0 [ 19.303527] ? entry_SYSCALL_64_fastpath+0x5/0x9a [ 19.308340] SyS_sendto+0x40/0x50 [ 19.311763] entry_SYSCALL_64_fastpath+0x23/0x9a [ 19.316484] RIP: 0033:0x4457e9 [ 19.319644] RSP: 002b:00007f31a3120da8 EFLAGS: 00000216 ORIG_RAX: 000000000000002c [ 19.327321] RAX: ffffffffffffffda RBX: 00000000006dac6c RCX: 00000000004457e9 [ 19.334566] RDX: 0000000000000001 RSI: 000000002010bf14 RDI: 0000000000000004 [ 19.341808] RBP: 00000000006dac68 R08: 00000000204d9000 R09: 000000000000001c [ 19.349049] R10: 0000000000000000 R11: 0000000000000216 R12: 0000000000000000 [ 19.356285] R13: 00007ffe4218281f R14: 00007f31a31219c0 R15: 0000000000000001 [ 19.363538] [ 19.365132] Allocated by task 3476: [ 19.368725] save_stack+0x43/0xd0 [ 19.372146] kasan_kmalloc+0xad/0xe0 [ 19.375827] kasan_slab_alloc+0x12/0x20 [ 19.379768] kmem_cache_alloc+0x12e/0x760 [ 19.383890] sk_prot_alloc+0x65/0x2a0 [ 19.387657] sk_alloc+0x105/0x1440 [ 19.391168] sctp_v6_create_accept_sk+0x15a/0x9b0 [ 19.395978] sctp_accept+0x5c4/0x970 [ 19.399659] inet_accept+0x12c/0x930 [ 19.403339] SYSC_accept4+0x38d/0x870 [ 19.407107] SyS_accept+0x26/0x30 [ 19.410531] entry_SYSCALL_64_fastpath+0x23/0x9a [ 19.415252] [ 19.416846] Freed by task 3471: [ 19.420096] save_stack+0x43/0xd0 [ 19.423522] __kasan_slab_free+0x11a/0x170 [ 19.427722] kasan_slab_free+0xe/0x10 [ 19.431488] kmem_cache_free+0x86/0x2b0 [ 19.435431] __sk_destruct+0x622/0x910 [ 19.439283] sk_destruct+0x47/0x80 [ 19.442788] __sk_free+0xf1/0x2b0 [ 19.446216] sk_free+0x2a/0x40 [ 19.449377] sctp_association_put+0x14c/0x2f0 [ 19.453840] sctp_wait_for_sndbuf+0x673/0x8d0 [ 19.458307] sctp_sendmsg+0x28f7/0x33f0 [ 19.462254] inet_sendmsg+0x11f/0x5e0 [ 19.466020] sock_sendmsg+0xca/0x110 [ 19.469703] SYSC_sendto+0x361/0x5c0 [ 19.473384] SyS_sendto+0x40/0x50 [ 19.476803] entry_SYSCALL_64_fastpath+0x23/0x9a [ 19.481522] [ 19.483118] The buggy address belongs to the object at ffff8801c066c000 [ 19.483118] which belongs to the cache SCTPv6 of size 1888 [ 19.495392] The buggy address is located 140 bytes inside of [ 19.495392] 1888-byte region [ffff8801c066c000, ffff8801c066c760) [ 19.507318] The buggy address belongs to the page: [ 19.512213] page:ffffea0007019b00 count:1 mapcount:0 mapping:ffff8801c066c000 index:0x0 [ 19.520321] flags: 0x2fffc0000000100(slab) [ 19.524525] raw: 02fffc0000000100 ffff8801c066c000 0000000000000000 0000000100000002 [ 19.532376] raw: ffffea00074ccaa0 ffffea000702dd20 ffff8801d3328980 0000000000000000 [ 19.540222] page dumped because: kasan: bad access detected [ 19.545895] [ 19.547493] Memory state around the buggy address: [ 19.552389] ffff8801c066bf80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 19.559714] ffff8801c066c000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 19.567039] >ffff8801c066c080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 19.574363] ^ [ 19.577961] ffff8801c066c100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 19.585285] ffff8801c066c180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 19.592608] ================================================================== [ 19.599973] Kernel panic - not syncing: panic_on_warn set ... [ 19.599973] [ 19.607329] CPU: 0 PID: 3471 Comm: syzkaller870416 Tainted: G B 4.15.0-rc6-mm1+ #52 [ 19.616312] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 19.625634] Call Trace: [ 19.628202] dump_stack+0x194/0x257 [ 19.631804] ? arch_local_irq_restore+0x53/0x53 [ 19.636444] ? trace_hardirqs_on_thunk+0x1a/0x1c [ 19.641165] ? vsnprintf+0x1ed/0x1900 [ 19.644934] ? do_raw_spin_lock+0x1a0/0x220 [ 19.649226] panic+0x1e4/0x41c [ 19.652388] ? refcount_error_report+0x214/0x214 [ 19.657112] ? add_taint+0x1c/0x50 [ 19.660620] ? add_taint+0x1c/0x50 [ 19.664131] ? do_raw_spin_lock+0x1e0/0x220 [ 19.668424] kasan_end_report+0x50/0x50 [ 19.672370] kasan_report+0x148/0x360 [ 19.676148] __asan_report_load4_noabort+0x14/0x20 [ 19.681050] do_raw_spin_lock+0x1e0/0x220 [ 19.685177] _raw_spin_lock_bh+0x39/0x40 [ 19.689210] ? release_sock+0x74/0x2a0 [ 19.693064] release_sock+0x74/0x2a0 [ 19.696746] ? sctp_prsctp_prune+0x97/0x790 [ 19.701036] ? __release_sock+0x360/0x360 [ 19.705154] ? trace_hardirqs_on+0xd/0x10 [ 19.709275] sctp_sendmsg+0x2993/0x33f0 [ 19.713225] ? sctp_id2assoc+0x390/0x390 [ 19.717261] ? avc_has_perm+0x43e/0x680 [ 19.721205] ? avc_has_perm_noaudit+0x520/0x520 [ 19.725842] ? __fget+0x35c/0x570 [ 19.729268] ? iterate_fd+0x3f0/0x3f0 [ 19.733042] ? find_held_lock+0x35/0x1d0 [ 19.737080] ? sock_has_perm+0x2a4/0x420 [ 19.741112] ? lock_release+0xa02/0xa40 [ 19.745054] ? trace_event_raw_event_sched_switch+0x800/0x800 [ 19.750907] ? __check_object_size+0x8b/0x530 [ 19.755373] inet_sendmsg+0x11f/0x5e0 [ 19.759140] ? inet_sendmsg+0x11f/0x5e0 [ 19.763081] ? __might_sleep+0x95/0x190 [ 19.767025] ? inet_recvmsg+0x5f0/0x5f0 [ 19.770967] ? selinux_socket_sendmsg+0x36/0x40 [ 19.775603] ? security_socket_sendmsg+0x89/0xb0 [ 19.780333] ? inet_recvmsg+0x5f0/0x5f0 [ 19.784277] sock_sendmsg+0xca/0x110 [ 19.787960] SYSC_sendto+0x361/0x5c0 [ 19.791643] ? SYSC_connect+0x4a0/0x4a0 [ 19.795588] ? selinux_secmark_relabel_packet+0xc0/0xc0 [ 19.800919] ? __do_page_fault+0x3d6/0xc90 [ 19.805127] ? selinux_netlbl_sock_rcv_skb+0x730/0x730 [ 19.810393] ? SyS_futex+0x269/0x390 [ 19.814076] ? SyS_setsockopt+0x215/0x360 [ 19.818193] ? do_futex+0x22a0/0x22a0 [ 19.821962] ? entry_SYSCALL_64_fastpath+0x5/0x9a [ 19.826776] SyS_sendto+0x40/0x50 [ 19.830199] entry_SYSCALL_64_fastpath+0x23/0x9a [ 19.834924] RIP: 0033:0x4457e9 [ 19.838082] RSP: 002b:00007f31a3120da8 EFLAGS: 00000216 ORIG_RAX: 000000000000002c [ 19.845775] RAX: ffffffffffffffda RBX: 00000000006dac6c RCX: 00000000004457e9 [ 19.853014] RDX: 0000000000000001 RSI: 000000002010bf14 RDI: 0000000000000004 [ 19.860252] RBP: 00000000006dac68 R08: 00000000204d9000 R09: 000000000000001c [ 19.867488] R10: 0000000000000000 R11: 0000000000000216 R12: 0000000000000000 [ 19.874727] R13: 00007ffe4218281f R14: 00007f31a31219c0 R15: 0000000000000001 [ 19.882361] Dumping ftrace buffer: [ 19.885878] (ftrace buffer empty) [ 19.889561] Kernel Offset: disabled [ 19.893164] Rebooting in 86400 seconds..