[....] Starting enhanced syslogd: rsyslogd
[ 16.526784] audit: type=1400 audit(1519151754.987:5): avc: denied { syslog } for pid=4008 comm="rsyslogd" capability=34 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=capability2 permissive=1
[ ok ].
[....] Starting periodic command scheduler: cron [ ok ].
Starting mcstransd:
[....] Starting file context maintaining daemon: restorecond [ ok ].
[....] Starting OpenBSD Secure Shell server: sshd [ ok ].

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login:
[ 21.891495] audit: type=1400 audit(1519151760.352:6): avc: denied { map } for pid=4147 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
Warning: Permanently added '10.128.0.22' (ECDSA) to the list of known hosts.
[ 28.157311] audit: type=1400 audit(1519151766.617:7): avc: denied { map } for pid=4161 comm="syz-execprog" path="/root/syz-execprog" dev="sda1" ino=16479 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
2018/02/20 18:36:06 parsed 1 programs
2018/02/20 18:36:06 executed programs: 0
[ 28.421986] audit: type=1400 audit(1519151766.881:8): avc: denied { map } for pid=4161 comm="syz-execprog" path="/root/syzkaller-shm974179878" dev="sda1" ino=16482 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:file_t:s0 tclass=file permissive=1
[ 28.447570] audit: type=1400 audit(1519151766.907:9): avc: denied { sys_admin } for pid=4167 comm="syz-executor5" capability=21 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=cap_userns permissive=1
[ 28.450581] IPVS: ftp: loaded support on port[0] = 21
[ 28.500592] IPVS: ftp: loaded support on port[0] = 21
[ 28.505873] audit: type=1400 audit(1519151766.959:10): avc: denied { net_admin } for pid=4169 comm="syz-executor5" capability=12 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=cap_userns permissive=1
[ 28.551174] IPVS: ftp: loaded support on port[0] = 21
[ 28.580893] IPVS: ftp: loaded support on port[0] = 21
[ 28.623264] IPVS: ftp: loaded support on port[0] = 21
[ 28.667661] IPVS: ftp: loaded support on port[0] = 21
[ 28.713516] IPVS: ftp: loaded support on port[0] = 21
[ 28.774500] IPVS: ftp: loaded support on port[0] = 21
[ 29.104929] IPv6: ADDRCONF(NETDEV_UP): bridge0: link is not ready
[ 29.202302] IPv6: ADDRCONF(NETDEV_UP): bridge0: link is not ready
[ 29.321752] IPv6: ADDRCONF(NETDEV_UP): bridge0: link is not ready
[ 29.374037] IPv6: ADDRCONF(NETDEV_UP): bridge0: link is not ready
[ 29.394698] IPv6: ADDRCONF(NETDEV_UP): bridge0: link is not ready
[ 29.506451] IPv6: ADDRCONF(NETDEV_UP): bridge0: link is not ready
[ 29.567777] IPv6: ADDRCONF(NETDEV_UP): bridge0: link is not ready
[ 29.632979] IPv6: ADDRCONF(NETDEV_UP): bridge0: link is not ready
[ 30.512591] audit: type=1400 audit(1519151768.973:11): avc: denied { sys_chroot } for pid=4169 comm="syz-executor5" capability=18 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=cap_userns permissive=1
[ 30.602590] ------------[ cut here ]------------
[ 30.607527] refcount_t: underflow; use-after-free.
[ 30.612615] WARNING: CPU: 0 PID: 5074 at lib/refcount.c:187 refcount_sub_and_test+0x167/0x1b0
[ 30.621277] Kernel panic - not syncing: panic_on_warn set ...
[ 30.621277]
[ 30.628636] CPU: 0 PID: 5074 Comm: syz-executor5 Not tainted 4.16.0-rc2+ #322
[ 30.635899] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 30.645244] Call Trace:
[ 30.647835] dump_stack+0x194/0x257
[ 30.651463] ? arch_local_irq_restore+0x53/0x53
[ 30.656141] ? vsnprintf+0x1ed/0x1900
[ 30.659957] panic+0x1e4/0x41c
[ 30.663149] ? refcount_error_report+0x214/0x214
[ 30.667899] ? show_regs_print_info+0x18/0x18
[ 30.672405] ? __warn+0x1c1/0x200
[ 30.675861] ? refcount_sub_and_test+0x167/0x1b0
[ 30.680607] __warn+0x1dc/0x200
[ 30.683880] ? refcount_sub_and_test+0x167/0x1b0
[ 30.688634] report_bug+0x211/0x2d0
[ 30.692266] fixup_bug.part.11+0x37/0x80
[ 30.696321] do_error_trap+0x2d7/0x3e0
[ 30.700201] ? vprintk_default+0x28/0x30
[ 30.704262] ? math_error+0x400/0x400
[ 30.708052] ? printk+0xaa/0xca
[ 30.711325] ? show_regs_print_info+0x18/0x18
[ 30.715824] ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 30.720669] do_invalid_op+0x1b/0x20
[ 30.724374] invalid_op+0x58/0x80
[ 30.727822] RIP: 0010:refcount_sub_and_test+0x167/0x1b0
[ 30.733173] RSP: 0018:ffff8801cf2b6490 EFLAGS: 00010282
[ 30.738530] RAX: dffffc0000000008 RBX: 0000000000000401 RCX: ffffffff815abdbe
[ 30.745789] RDX: 0000000000000000 RSI: 1ffff10039e56c42 RDI: 1ffff10039e56c17
[ 30.753050] RBP: ffff8801cf2b6520 R08: 1ffff10039e56bd9 R09: 0000000000000000
[ 30.760310] R10: 0000000000000000 R11: 0000000000000000 R12: 1ffff10039e56c93
[ 30.767575] R13: 00000000ffffff01 R14: 0000000000000500 R15: ffff8801ae3c69fc
[ 30.774860] ? vprintk_func+0x5e/0xc0
[ 30.778672] ? refcount_inc+0x50/0x50
[ 30.782470] ? refcount_sub_and_test+0x115/0x1b0
[ 30.787221] ? refcount_inc+0x50/0x50
[ 30.791015] ? sctp_do_sm+0x32e3/0x6ed0
[ 30.794982] ? sctp_close+0x266/0x9a0
[ 30.798774] ? inet_release+0xed/0x1c0
[ 30.802665] sock_wfree+0xa6/0x140
[ 30.806203] sctp_wfree+0x2eb/0x670
[ 30.809824] ? __sctp_write_space+0x910/0x910
[ 30.814317] skb_release_head_state+0x124/0x260
[ 30.818986] skb_release_all+0x15/0x60
[ 30.822868] consume_skb+0x153/0x490
[ 30.826576] ? sctp_chunk_put+0x99/0x420
[ 30.830630] ? alloc_skb_with_frags+0x750/0x750
[ 30.835294] ? sctp_chunk_hold+0x20/0x20
[ 30.839356] ? refcount_sub_and_test+0x115/0x1b0
[ 30.844105] ? refcount_inc+0x50/0x50
[ 30.847898] ? mark_held_locks+0xaf/0x100
[ 30.852045] ? sctp_datamsg_put+0x46f/0x5b0
[ 30.856374] sctp_chunk_put+0x29c/0x420
[ 30.860346] ? sctp_chunk_hold+0x20/0x20
[ 30.864404] ? sctp_transport_dst_confirm+0x50/0x50
[ 30.869417] ? save_stack+0xa3/0xd0
[ 30.873056] sctp_chunk_free+0x53/0x60
[ 30.876936] __sctp_outq_teardown+0x244/0x1230
[ 30.882292] ? get_signal+0x73a/0x16d0
[ 30.886170] ? do_signal+0x90/0x1e90
[ 30.889889] ? sctp_inq_set_th_handler+0x1d0/0x1d0
[ 30.894811] ? free_obj_work+0x690/0x690
[ 30.898866] ? kfree+0xf3/0x260
[ 30.902138] ? skb_free_head+0x74/0xb0
[ 30.906020] ? trace_hardirqs_on_caller+0x421/0x5c0
[ 30.911033] ? trace_hardirqs_on+0xd/0x10
[ 30.915181] ? __lock_is_held+0xb6/0x140
[ 30.919244] ? kfree_skbmem+0x1a1/0x1d0
[ 30.923223] ? check_noncircular+0x20/0x20
[ 30.927456] ? rcu_read_lock_sched_held+0x108/0x120
[ 30.932470] ? kmem_cache_free+0x258/0x2a0
[ 30.936705] ? kfree_skbmem+0xe2/0x1d0
[ 30.940592] ? skb_to_sgvec_nomark+0x40/0x40
[ 30.944995] ? sctp_sock_rfree+0x18c/0x200
[ 30.949232] ? find_held_lock+0x35/0x1d0
[ 30.953306] ? sock_def_wakeup+0x1fc/0x350
[ 30.957540] ? lock_downgrade+0x980/0x980
[ 30.961690] ? lock_release+0xa40/0xa40
[ 30.965668] sctp_outq_free+0x15/0x20
[ 30.969463] sctp_association_free+0x2d0/0x930
[ 30.974045] ? sctp_asconf_queue_teardown+0x700/0x700
[ 30.979228] ? sock_def_wakeup+0x225/0x350
[ 30.983456] ? sctp_ulpq_tail_event+0x164/0xc50
[ 30.988118] ? sk_dst_check+0x550/0x550
[ 30.992094] ? sctp_ulpq_reasm_drain+0x430/0x430
[ 30.996842] ? sctp_ulpevent_make_assoc_change+0x66d/0x8a0
[ 31.002474] sctp_do_sm+0x32e3/0x6ed0
[ 31.006296] ? sctp_do_8_2_transport_strike.isra.15+0x8a0/0x8a0
[ 31.012366] ? sctp_chunkify+0x2fc/0x3f0
[ 31.016423] ? sctp_chunk_iif+0xa0/0xa0
[ 31.020390] ? kfree_skbmem+0x1a1/0x1d0
[ 31.024356] ? rcu_read_lock_sched_held+0x108/0x120
[ 31.029366] ? kmem_cache_free+0x258/0x2a0
[ 31.033603] ? print_irqtrace_events+0x270/0x270
[ 31.038360] ? skb_dequeue+0x12a/0x180
[ 31.042238] ? skb_put+0x155/0x1d0
[ 31.045778] ? sctp_auth_send_cid+0xc4/0x140
[ 31.050184] ? _sctp_make_chunk+0x1f4/0x270
[ 31.054495] ? lock_release+0xa40/0xa40
[ 31.058468] ? skb_put+0x155/0x1d0
[ 31.062001] ? memcpy+0x45/0x50
[ 31.065295] ? sctp_make_abort_no_data+0x290/0x290
[ 31.070229] sctp_primitive_ABORT+0xa0/0xd0
[ 31.074558] sctp_close+0x266/0x9a0
[ 31.078193] ? sctp_apply_peer_addr_params+0xf30/0xf30
[ 31.083465] ? __dentry_kill+0x4ae/0x700
[ 31.087531] ? trace_event_raw_event_sched_switch+0x810/0x810
[ 31.093420] ? locks_remove_file+0x3fa/0x5a0
[ 31.097833] ? fcntl_setlk+0x1100/0x1100
[ 31.101886] ? fsnotify+0x7b3/0x1140
[ 31.105692] ? ip_mc_drop_socket+0x1ce/0x230
[ 31.110110] inet_release+0xed/0x1c0
[ 31.113822] sock_release+0x8d/0x1e0
[ 31.117533] ? sock_alloc_file+0x560/0x560
[ 31.121849] sock_close+0x16/0x20
[ 31.125298] __fput+0x327/0x7e0
[ 31.128583] ? fput+0x140/0x140
[ 31.131862] ? trace_event_raw_event_sched_switch+0x810/0x810
[ 31.137740] ? _raw_spin_unlock_irq+0x27/0x70
[ 31.142246] ____fput+0x15/0x20
[ 31.145521] task_work_run+0x199/0x270
[ 31.149409] ? task_work_cancel+0x210/0x210
[ 31.153729] ? _raw_spin_unlock+0x22/0x30
[ 31.157874] ? switch_task_namespaces+0x87/0xc0
[ 31.162545] do_exit+0x9bb/0x1ad0
[ 31.165992] ? find_held_lock+0x35/0x1d0
[ 31.170050] ? mm_update_next_owner+0x930/0x930
[ 31.174706] ? debug_check_no_locks_freed+0x3c0/0x3c0
[ 31.179870] ? lock_downgrade+0x980/0x980
[ 31.183992] ? __unqueue_futex+0x1c0/0x290
[ 31.188202] ? lock_release+0xa40/0xa40
[ 31.192147] ? fault_in_user_writeable+0x90/0x90
[ 31.196875] ? do_raw_spin_trylock+0x190/0x190
[ 31.201427] ? futex_wake+0x680/0x680
[ 31.205205] ? mmdrop+0x18/0x30
[ 31.208454] ? drop_futex_key_refs.isra.13+0x63/0xa0
[ 31.213528] ? futex_wait+0x6a9/0x9a0
[ 31.217310] ? select_task_rq_fair+0x2910/0x2910
[ 31.222037] ? check_noncircular+0x20/0x20
[ 31.226245] ? __enqueue_entity+0x109/0x1e0
[ 31.230548] ? memset+0x31/0x40
[ 31.233801] ? find_held_lock+0x35/0x1d0
[ 31.237839] ? get_signal+0x7a9/0x16d0
[ 31.241698] ? lock_downgrade+0x980/0x980
[ 31.245826] do_group_exit+0x149/0x400
[ 31.249685] ? do_raw_spin_trylock+0x190/0x190
[ 31.254248] ? SyS_exit+0x30/0x30
[ 31.257673] ? _raw_spin_unlock_irq+0x27/0x70
[ 31.262142] ? trace_hardirqs_on_caller+0x421/0x5c0
[ 31.267134] get_signal+0x73a/0x16d0
[ 31.270826] ? ptrace_notify+0x130/0x130
[ 31.274865] ? __schedule+0x90d/0x2070
[ 31.278729] ? __sched_text_start+0x8/0x8
[ 31.282853] ? vfs_writev+0x210/0x340
[ 31.286627] do_signal+0x90/0x1e90
[ 31.290137] ? vfs_writev+0x215/0x340
[ 31.293909] ? vfs_iter_write+0xb0/0xb0
[ 31.297859] ? setup_sigcontext+0x7d0/0x7d0
[ 31.302154] ? selinux_secmark_relabel_packet+0xc0/0xc0
[ 31.307493] ? schedule+0xf5/0x430
[ 31.311006] ? __schedule+0x2070/0x2070
[ 31.314971] ? exit_to_usermode_loop+0x8c/0x2f0
[ 31.319619] exit_to_usermode_loop+0x258/0x2f0
[ 31.324170] ? vfs_writev+0x340/0x340
[ 31.327943] ? trace_event_raw_event_sys_exit+0x260/0x260
[ 31.333454] ? do_syscall_64+0xb6/0x940
[ 31.337404] do_syscall_64+0x6e5/0x940
[ 31.341261] ? __do_page_fault+0xc90/0xc90
[ 31.345462] ? mmdrop+0x18/0x30
[ 31.348739] ? finish_task_switch+0x279/0x860
[ 31.353209] ? syscall_return_slowpath+0x550/0x550
[ 31.358113] ? syscall_return_slowpath+0x2ac/0x550
[ 31.363023] ? prepare_exit_to_usermode+0x350/0x350
[ 31.368020] ? entry_SYSCALL_64_after_hwframe+0x52/0xb7
[ 31.373367] ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 31.378188] entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 31.383357] RIP: 0033:0x453da9
[ 31.386516] RSP: 002b:00007f297546ace8 EFLAGS: 00000246 ORIG_RAX: 00000000000000ca
[ 31.394193] RAX: fffffffffffffe00 RBX: 000000000072bf80 RCX: 0000000000453da9
[ 31.401435] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 000000000072bf80
[ 31.408676] RBP: 000000000072bf80 R08: 0000000000000000 R09: 000000000072bf58
[ 31.415936] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
[ 31.423176] R13: 0000000000a3e8ef R14: 00007f297546b9c0 R15: 0000000000000001
[ 31.431054] Dumping ftrace buffer:
[ 31.434650] (ftrace buffer empty)
[ 31.438331] Kernel Offset: disabled
[ 31.441930] Rebooting in 86400 seconds..