[....] Starting enhanced syslogd: rsyslogd
[   12.847183] audit: type=1400 audit(1515891227.755:5): avc: denied { syslog } for pid=3496 comm="rsyslogd" capability=34 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=capability2 permissive=1
[ ok ] Starting enhanced syslogd: rsyslogd.
[ ok ] Starting periodic command scheduler: cron.
Starting mcstransd:
[ ok ] Starting file context maintaining daemon: restorecond.
[ ok ] Starting OpenBSD Secure Shell server: sshd.

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [   19.532932] audit: type=1400 audit(1515891234.441:6): avc: denied { map } for pid=3637 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
Warning: Permanently added '10.128.0.9' (ECDSA) to the list of known hosts.
executing program
executing program
[   36.302086] audit: type=1400 audit(1515891251.210:7): avc: denied { map } for pid=3654 comm="syzkaller266173" path="/root/syzkaller266173444" dev="sda1" ino=16481 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
executing program
[   36.417346] 
[   36.419043] =========================
[   36.422825] WARNING: held lock freed!
[   36.426598] 4.15.0-rc7+ #170 Not tainted
[   36.430625] -------------------------
[   36.434410] syzkaller266173/3656 is freeing memory 000000004ec5c55a-00000000548139b2, with a lock still held there!
[   36.444952] (sk_lock-AF_INET6){+.+.}, at: [<00000000ebad632e>] sctp_wait_for_sndbuf+0x509/0x8d0
[   36.453862] 1 lock held by syzkaller266173/3656:
[   36.458583]  #0:  (sk_lock-AF_INET6){+.+.}, at: [<00000000ebad632e>] sctp_wait_for_sndbuf+0x509/0x8d0
[   36.467911] 
[   36.467911] stack backtrace:
[   36.472376] CPU: 1 PID: 3656 Comm: syzkaller266173 Not tainted 4.15.0-rc7+ #170
[   36.479785] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   36.489106] Call Trace:
[   36.491665]  dump_stack+0x194/0x257
[   36.495263]  ? arch_local_irq_restore+0x53/0x53
[   36.499905]  debug_check_no_locks_freed+0x32f/0x3c0
[   36.504892]  kmem_cache_free+0x68/0x2a0
[   36.508838]  __sk_destruct+0x622/0x910
[   36.512693]  ? kasan_slab_free+0x71/0xc0
[   36.516721]  ? sock_rfree+0x160/0x160
[   36.520487]  ? inet_sendmsg+0x11f/0x5e0
[   36.524427]  ? SYSC_sendto+0x361/0x5c0
[   36.528277]  ? SyS_sendto+0x40/0x50
[   36.531880]  ? do_fast_syscall_32+0x3ee/0xf9d
[   36.536523]  ? entry_SYSENTER_compat+0x54/0x63
[   36.541088]  ? check_noncircular+0x20/0x20
[   36.545296]  ? print_irqtrace_events+0x270/0x270
[   36.550026]  ? free_obj_work+0x690/0x690
[   36.554058]  ? sctp_put_port+0x495/0x640
[   36.558113]  ? sctp_poll+0xc00/0xc00
[   36.561804]  ? refcount_sub_and_test+0x115/0x1b0
[   36.566528]  ? refcount_inc+0x50/0x50
[   36.570294]  ? refcount_inc+0x50/0x50
[   36.574066]  sk_destruct+0x47/0x80
[   36.577581]  __sk_free+0x57/0x230
[   36.581005]  sk_free+0x2a/0x40
[   36.584164]  sctp_association_put+0x14c/0x2f0
[   36.588627]  ? sctp_association_hold+0x20/0x20
[   36.593177]  ? lock_sock_nested+0x91/0x110
[   36.597380]  ? trace_hardirqs_on+0xd/0x10
[   36.601499]  ? __local_bh_enable_ip+0x121/0x230
[   36.606138]  sctp_wait_for_sndbuf+0x673/0x8d0
[   36.610603]  ? sctp_init_sock+0x13b0/0x13b0
[   36.614890]  ? do_raw_spin_trylock+0x190/0x190
[   36.619439]  ? __local_bh_enable_ip+0x121/0x230
[   36.624077]  ? sctp_prsctp_prune+0x97/0x6f0
[   36.628367]  ? prepare_to_wait+0x4d0/0x4d0
[   36.632567]  ? trace_hardirqs_on+0xd/0x10
[   36.636684]  sctp_sendmsg+0x277d/0x3360
[   36.640625]  ? __lock_acquire+0x22b0/0x3e00
[   36.644918]  ? sctp_id2assoc+0x390/0x390
[   36.648948]  ? avc_has_perm+0x43e/0x680
[   36.652897]  ? avc_has_perm_noaudit+0x520/0x520
[   36.657551]  ? __fget+0x35c/0x570
[   36.660977]  ? iterate_fd+0x3f0/0x3f0
[   36.664749]  ? find_held_lock+0x35/0x1d0
[   36.668781]  ? sock_has_perm+0x2a4/0x420
[   36.672811]  ? selinux_secmark_relabel_packet+0xc0/0xc0
[   36.678140]  ? lock_release+0x962/0xa40
[   36.682096]  ? trace_event_raw_event_sched_switch+0x800/0x800
[   36.687952]  inet_sendmsg+0x11f/0x5e0
[   36.691721]  ? inet_sendmsg+0x11f/0x5e0
[   36.695662]  ? __might_sleep+0x95/0x190
[   36.699603]  ? inet_recvmsg+0x5f0/0x5f0
[   36.703544]  ? selinux_socket_sendmsg+0x36/0x40
[   36.708181]  ? security_socket_sendmsg+0x89/0xb0
[   36.712904]  ? inet_recvmsg+0x5f0/0x5f0
[   36.716860]  sock_sendmsg+0xca/0x110
[   36.720541]  SYSC_sendto+0x361/0x5c0
[   36.724219]  ? SYSC_connect+0x4a0/0x4a0
[   36.728164]  ? find_held_lock+0x35/0x1d0
[   36.732865]  ? lock_downgrade+0x980/0x980
[   36.736998]  ? handle_mm_fault+0x410/0x8d0
[   36.741200]  ? down_read_trylock+0xdb/0x170
[   36.745492]  ? __do_page_fault+0x32d/0xc90
[   36.749700]  ? up_read+0x1a/0x40
[   36.753033]  ? __do_page_fault+0x3d6/0xc90
[   36.757239]  SyS_sendto+0x40/0x50
[   36.760664]  ? SyS_getpeername+0x30/0x30
[   36.764692]  do_fast_syscall_32+0x3ee/0xf9d
[   36.768984]  ? do_int80_syscall_32+0x9d0/0x9d0
[   36.773538]  ? syscall_return_slowpath+0x2ad/0x550
[   36.778437]  ? prepare_exit_to_usermode+0x340/0x340
[   36.783423]  ? retint_user+0x18/0x18
[   36.787110]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   36.791925]  entry_SYSENTER_compat+0x54/0x63
[   36.796300] RIP: 0023:0xf7f89c79
[   36.799633] RSP: 002b:00000000f7f641dc EFLAGS: 00000292 ORIG_RAX: 0000000000000171
[   36.807307] RAX: ffffffffffffffda RBX: 0000000000000004 RCX: 000000002010bf14
[   36.814556] RDX: 0000000000000001 RSI: 0000000000000000 RDI: 00000000204d9000
[   36.821793] RBP: 000000000000001c R08: 0000000000000000 R09: 0000000000000000
[   36.829031] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
[   36.836270] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[   36.843618] ==================================================================
[   36.850961] BUG: KASAN: use-after-free in do_raw_spin_lock+0x1e0/0x220
[   36.857609] Read of size 4 at addr ffff8801bc1bb08c by task syzkaller266173/3656
[   36.865119] 
[   36.866717] CPU: 1 PID: 3656 Comm: syzkaller266173 Not tainted 4.15.0-rc7+ #170
[   36.874130] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   36.883460] Call Trace:
[   36.886030]  dump_stack+0x194/0x257
[   36.889642]  ? arch_local_irq_restore+0x53/0x53
[   36.894282]  ? show_regs_print_info+0x18/0x18
[   36.898746]  ? lock_acquire+0x1d5/0x580
[   36.902699]  ? trace_hardirqs_on+0xd/0x10
[   36.906814]  ? do_raw_spin_lock+0x1e0/0x220
[   36.911103]  print_address_description+0x73/0x250
[   36.915913]  ? do_raw_spin_lock+0x1e0/0x220
[   36.920202]  kasan_report+0x25b/0x340
[   36.923974]  __asan_report_load4_noabort+0x14/0x20
[   36.928872]  do_raw_spin_lock+0x1e0/0x220
[   36.932990]  _raw_spin_lock_bh+0x39/0x40
[   36.937018]  ? release_sock+0x74/0x2a0
[   36.940870]  release_sock+0x74/0x2a0
[   36.944552]  ? sctp_prsctp_prune+0x97/0x6f0
[   36.948840]  ? __release_sock+0x360/0x360
[   36.952954]  ? trace_hardirqs_on+0xd/0x10
[   36.957074]  sctp_sendmsg+0x2c61/0x3360
[   36.961016]  ? __lock_acquire+0x22b0/0x3e00
[   36.965309]  ? sctp_id2assoc+0x390/0x390
[   36.969339]  ? avc_has_perm+0x43e/0x680
[   36.973279]  ? avc_has_perm_noaudit+0x520/0x520
[   36.977916]  ? __fget+0x35c/0x570
[   36.981338]  ? iterate_fd+0x3f0/0x3f0
[   36.985120]  ? find_held_lock+0x35/0x1d0
[   36.989153]  ? sock_has_perm+0x2a4/0x420
[   36.993182]  ? selinux_secmark_relabel_packet+0xc0/0xc0
[   36.998522]  ? lock_release+0x962/0xa40
[   37.002474]  ? trace_event_raw_event_sched_switch+0x800/0x800
[   37.008328]  inet_sendmsg+0x11f/0x5e0
[   37.012095]  ? inet_sendmsg+0x11f/0x5e0
[   37.016035]  ? __might_sleep+0x95/0x190
[   37.019996]  ? inet_recvmsg+0x5f0/0x5f0
[   37.023954]  ? selinux_socket_sendmsg+0x36/0x40
[   37.028588]  ? security_socket_sendmsg+0x89/0xb0
[   37.033311]  ? inet_recvmsg+0x5f0/0x5f0
[   37.037251]  sock_sendmsg+0xca/0x110
[   37.040941]  SYSC_sendto+0x361/0x5c0
[   37.044631]  ? SYSC_connect+0x4a0/0x4a0
[   37.048584]  ? find_held_lock+0x35/0x1d0
[   37.052617]  ? lock_downgrade+0x980/0x980
[   37.056737]  ? handle_mm_fault+0x410/0x8d0
[   37.060945]  ? down_read_trylock+0xdb/0x170
[   37.065242]  ? __do_page_fault+0x32d/0xc90
[   37.069452]  ? up_read+0x1a/0x40
[   37.072787]  ? __do_page_fault+0x3d6/0xc90
[   37.076994]  SyS_sendto+0x40/0x50
[   37.080413]  ? SyS_getpeername+0x30/0x30
[   37.084440]  do_fast_syscall_32+0x3ee/0xf9d
[   37.088731]  ? do_int80_syscall_32+0x9d0/0x9d0
[   37.093293]  ? syscall_return_slowpath+0x2ad/0x550
[   37.098204]  ? prepare_exit_to_usermode+0x340/0x340
[   37.103189]  ? retint_user+0x18/0x18
[   37.106871]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   37.111694]  entry_SYSENTER_compat+0x54/0x63
[   37.116069] RIP: 0023:0xf7f89c79
[   37.119399] RSP: 002b:00000000f7f641dc EFLAGS: 00000292 ORIG_RAX: 0000000000000171
[   37.127083] RAX: ffffffffffffffda RBX: 0000000000000004 RCX: 000000002010bf14
[   37.134328] RDX: 0000000000000001 RSI: 0000000000000000 RDI: 00000000204d9000
[   37.141575] RBP: 000000000000001c R08: 0000000000000000 R09: 0000000000000000
[   37.148824] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
[   37.156060] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[   37.163316] 
[   37.164914] Allocated by task 3657:
[   37.168514]  save_stack+0x43/0xd0
[   37.171933]  kasan_kmalloc+0xad/0xe0
[   37.175610]  kasan_slab_alloc+0x12/0x20
[   37.179549]  kmem_cache_alloc+0x12e/0x760
[   37.183676]  sk_prot_alloc+0x65/0x2a0
[   37.187439]  sk_alloc+0x105/0x1410
[   37.190948]  sctp_v6_create_accept_sk+0x15a/0x9b0
[   37.195768]  sctp_accept+0x5c4/0x970
[   37.199447]  inet_accept+0x12c/0x930
[   37.203125]  SYSC_accept4+0x38d/0x870
[   37.206889]  SyS_accept4+0x2c/0x40
[   37.210394]  do_fast_syscall_32+0x3ee/0xf9d
[   37.214680]  entry_SYSENTER_compat+0x54/0x63
[   37.219050] 
[   37.220642] Freed by task 3656:
[   37.223892]  save_stack+0x43/0xd0
[   37.227311]  kasan_slab_free+0x71/0xc0
[   37.231160]  kmem_cache_free+0x83/0x2a0
[   37.235100]  __sk_destruct+0x622/0x910
[   37.238952]  sk_destruct+0x47/0x80
[   37.242455]  __sk_free+0x57/0x230
[   37.245874]  sk_free+0x2a/0x40
[   37.249031]  sctp_association_put+0x14c/0x2f0
[   37.253489]  sctp_wait_for_sndbuf+0x673/0x8d0
[   37.257959]  sctp_sendmsg+0x277d/0x3360
[   37.261909]  inet_sendmsg+0x11f/0x5e0
[   37.265679]  sock_sendmsg+0xca/0x110
[   37.269359]  SYSC_sendto+0x361/0x5c0
[   37.273039]  SyS_sendto+0x40/0x50
[   37.276458]  do_fast_syscall_32+0x3ee/0xf9d
[   37.280745]  entry_SYSENTER_compat+0x54/0x63
[   37.285116] 
[   37.286715] The buggy address belongs to the object at ffff8801bc1bb000
[   37.286715]  which belongs to the cache SCTPv6 of size 1888
[   37.298988] The buggy address is located 140 bytes inside of
[   37.298988]  1888-byte region [ffff8801bc1bb000, ffff8801bc1bb760)
[   37.310928] The buggy address belongs to the page:
[   37.315835] page:ffffea0006f06ec0 count:1 mapcount:0 mapping:ffff8801bc1bb000 index:0x0
[   37.323942] flags: 0x2fffc0000000100(slab)
[   37.328146] raw: 02fffc0000000100 ffff8801bc1bb000 0000000000000000 0000000100000002
[   37.335994] raw: ffffea0006f09aa0 ffffea00076515e0 ffff8801d2cd1cc0 0000000000000000
[   37.343839] page dumped because: kasan: bad access detected
[   37.349511] 
[   37.351101] Memory state around the buggy address:
[   37.355995]  ffff8801bc1baf80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   37.363318]  ffff8801bc1bb000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   37.370640] >ffff8801bc1bb080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   37.377961]                      ^
[   37.381550]  ffff8801bc1bb100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   37.388975]  ffff8801bc1bb180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   37.396309] ==================================================================
[   37.403688] Kernel panic - not syncing: panic_on_warn set ...
[   37.403688] 
[   37.411023] CPU: 1 PID: 3656 Comm: syzkaller266173 Tainted: G B 4.15.0-rc7+ #170
[   37.419748] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   37.429078] Call Trace:
[   37.431639]  dump_stack+0x194/0x257
[   37.435237]  ? arch_local_irq_restore+0x53/0x53
[   37.439876]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[   37.444599]  ? vsnprintf+0x1ed/0x1900
[   37.448367]  ? do_raw_spin_lock+0x100/0x220
[   37.452666]  panic+0x1e4/0x41c
[   37.455829]  ? refcount_error_report+0x214/0x214
[   37.460557]  ? add_taint+0x1c/0x50
[   37.464067]  ? add_taint+0x1c/0x50
[   37.467575]  ? do_raw_spin_lock+0x1e0/0x220
[   37.471864]  kasan_end_report+0x50/0x50
[   37.475805]  kasan_report+0x144/0x340
[   37.479574]  __asan_report_load4_noabort+0x14/0x20
[   37.484470]  do_raw_spin_lock+0x1e0/0x220
[   37.488586]  _raw_spin_lock_bh+0x39/0x40
[   37.492615]  ? release_sock+0x74/0x2a0
[   37.496469]  release_sock+0x74/0x2a0
[   37.500153]  ? sctp_prsctp_prune+0x97/0x6f0
[   37.504452]  ? __release_sock+0x360/0x360
[   37.508567]  ? trace_hardirqs_on+0xd/0x10
[   37.512683]  sctp_sendmsg+0x2c61/0x3360
[   37.516621]  ? __lock_acquire+0x22b0/0x3e00
[   37.520914]  ? sctp_id2assoc+0x390/0x390
[   37.524942]  ? avc_has_perm+0x43e/0x680
[   37.528884]  ? avc_has_perm_noaudit+0x520/0x520
[   37.533523]  ? __fget+0x35c/0x570
[   37.536959]  ? iterate_fd+0x3f0/0x3f0
[   37.540745]  ? find_held_lock+0x35/0x1d0
[   37.544787]  ? sock_has_perm+0x2a4/0x420
[   37.548819]  ? selinux_secmark_relabel_packet+0xc0/0xc0
[   37.554166]  ? lock_release+0x962/0xa40
[   37.558111]  ? trace_event_raw_event_sched_switch+0x800/0x800
[   37.563969]  inet_sendmsg+0x11f/0x5e0
[   37.567744]  ? inet_sendmsg+0x11f/0x5e0
[   37.571685]  ? __might_sleep+0x95/0x190
[   37.575627]  ? inet_recvmsg+0x5f0/0x5f0
[   37.579570]  ? selinux_socket_sendmsg+0x36/0x40
[   37.584204]  ? security_socket_sendmsg+0x89/0xb0
[   37.588927]  ? inet_recvmsg+0x5f0/0x5f0
[   37.592871]  sock_sendmsg+0xca/0x110
[   37.596555]  SYSC_sendto+0x361/0x5c0
[   37.600235]  ? SYSC_connect+0x4a0/0x4a0
[   37.604177]  ? find_held_lock+0x35/0x1d0
[   37.608209]  ? lock_downgrade+0x980/0x980
[   37.612331]  ? handle_mm_fault+0x410/0x8d0
[   37.616530]  ? down_read_trylock+0xdb/0x170
[   37.620818]  ? __do_page_fault+0x32d/0xc90
[   37.625027]  ? up_read+0x1a/0x40
[   37.628363]  ? __do_page_fault+0x3d6/0xc90
[   37.632572]  SyS_sendto+0x40/0x50
[   37.636010]  ? SyS_getpeername+0x30/0x30
[   37.640040]  do_fast_syscall_32+0x3ee/0xf9d
[   37.644329]  ? do_int80_syscall_32+0x9d0/0x9d0
[   37.648885]  ? syscall_return_slowpath+0x2ad/0x550
[   37.653782]  ? prepare_exit_to_usermode+0x340/0x340
[   37.658765]  ? retint_user+0x18/0x18
[   37.662447]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   37.667258]  entry_SYSENTER_compat+0x54/0x63
[   37.671649] RIP: 0023:0xf7f89c79
[   37.674980] RSP: 002b:00000000f7f641dc EFLAGS: 00000292 ORIG_RAX: 0000000000000171
[   37.682655] RAX: ffffffffffffffda RBX: 0000000000000004 RCX: 000000002010bf14
[   37.689892] RDX: 0000000000000001 RSI: 0000000000000000 RDI: 00000000204d9000
[   37.697127] RBP: 000000000000001c R08: 0000000000000000 R09: 0000000000000000
[   37.704364] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
[   37.711600] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[   37.718886] Dumping ftrace buffer:
[   37.722406]    (ftrace buffer empty)
[   37.726086] Kernel Offset: disabled
[   37.729682] Rebooting in 86400 seconds..