[....] Starting enhanced syslogd: rsyslogd
[ 13.281377] audit: type=1400 audit(1515910174.168:5): avc: denied { syslog } for pid=3509 comm="rsyslogd" capability=34 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=capability2 permissive=1
[ ok ].
[....] Starting periodic command scheduler: cron [ ok ].
Starting mcstransd:
[....] Starting file context maintaining daemon: restorecond [ ok ].
[....] Starting OpenBSD Secure Shell server: sshd [ ok ].

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [ 15.814476] audit: type=1400 audit(1515910176.701:6): avc: denied { map } for pid=3648 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
Warning: Permanently added '10.128.0.5' (ECDSA) to the list of known hosts.
executing program
[ 22.011494] audit: type=1400 audit(1515910182.898:7): avc: denied { map } for pid=3662 comm="syzkaller961383" path="/root/syzkaller961383701" dev="sda1" ino=16481 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
executing program
executing program
executing program
[ 22.198229]
[ 22.199880] =========================
[ 22.203650] WARNING: held lock freed!
[ 22.207421] 4.15.0-rc7+ #171 Not tainted
[ 22.211458] -------------------------
[ 22.215234] syzkaller961383/3664 is freeing memory 00000000ca0ef181-00000000a60f5154, with a lock still held there!
[ 22.225774] (sk_lock-AF_INET6){+.+.}, at: [<000000000ef1dff3>] sctp_wait_for_sndbuf+0x509/0x8d0
[ 22.234682] 1 lock held by syzkaller961383/3664:
[ 22.239406] #0: (sk_lock-AF_INET6){+.+.}, at: [<000000000ef1dff3>] sctp_wait_for_sndbuf+0x509/0x8d0
[ 22.248750]
[ 22.248750] stack backtrace:
[ 22.253219] CPU: 0 PID: 3664 Comm: syzkaller961383 Not tainted 4.15.0-rc7+ #171
[ 22.260634] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 22.269966] Call Trace:
[ 22.272532] dump_stack+0x194/0x257
[ 22.276137] ? arch_local_irq_restore+0x53/0x53
[ 22.280786] debug_check_no_locks_freed+0x32f/0x3c0
[ 22.285780] kmem_cache_free+0x68/0x2a0
[ 22.289731] __sk_destruct+0x622/0x910
[ 22.293590] ? kasan_slab_free+0x71/0xc0
[ 22.297639] ? sock_rfree+0x160/0x160
[ 22.301416] ? inet_sendmsg+0x11f/0x5e0
[ 22.305366] ? SYSC_sendto+0x361/0x5c0
[ 22.309226] ? SyS_sendto+0x40/0x50
[ 22.312841] ? do_fast_syscall_32+0x3ee/0xf9d
[ 22.317320] ? entry_SYSENTER_compat+0x54/0x63
[ 22.321879] ? check_noncircular+0x20/0x20
[ 22.326089] ? print_irqtrace_events+0x270/0x270
[ 22.331670] ? free_obj_work+0x690/0x690
[ 22.335710] ? sctp_put_port+0x495/0x640
[ 22.339747] ? sctp_poll+0xc00/0xc00
[ 22.343439] ? refcount_sub_and_test+0x115/0x1b0
[ 22.348167] ? refcount_inc+0x50/0x50
[ 22.351938] ? refcount_inc+0x50/0x50
[ 22.355716] sk_destruct+0x47/0x80
[ 22.359229] __sk_free+0x57/0x230
[ 22.362659] sk_free+0x2a/0x40
[ 22.365825] sctp_association_put+0x14c/0x2f0
[ 22.370299] ? sctp_association_hold+0x20/0x20
[ 22.374855] ? lock_sock_nested+0x91/0x110
[ 22.379066] ? trace_hardirqs_on+0xd/0x10
[ 22.383189] ? __local_bh_enable_ip+0x121/0x230
[ 22.387835] sctp_wait_for_sndbuf+0x673/0x8d0
[ 22.392317] ? sctp_init_sock+0x13b0/0x13b0
[ 22.396612] ? do_raw_spin_trylock+0x190/0x190
[ 22.401168] ? __local_bh_enable_ip+0x121/0x230
[ 22.405810] ? sctp_prsctp_prune+0x97/0x6f0
[ 22.410113] ? prepare_to_wait+0x4d0/0x4d0
[ 22.414321] ? trace_hardirqs_on+0xd/0x10
[ 22.418447] sctp_sendmsg+0x277d/0x3360
[ 22.422395] ? __lock_acquire+0x22b0/0x3e00
[ 22.426699] ? sctp_id2assoc+0x390/0x390
[ 22.430733] ? avc_has_perm+0x43e/0x680
[ 22.434684] ? avc_has_perm_noaudit+0x520/0x520
[ 22.439331] ? __fget+0x35c/0x570
[ 22.442762] ? iterate_fd+0x3f0/0x3f0
[ 22.446543] ? find_held_lock+0x35/0x1d0
[ 22.450584] ? sock_has_perm+0x2a4/0x420
[ 22.454620] ? selinux_secmark_relabel_packet+0xc0/0xc0
[ 22.459956] ? lock_release+0x962/0xa40
[ 22.463903] ? trace_event_raw_event_sched_switch+0x800/0x800
[ 22.469781] inet_sendmsg+0x11f/0x5e0
[ 22.473554] ? inet_sendmsg+0x11f/0x5e0
[ 22.477500] ? __might_sleep+0x95/0x190
[ 22.481449] ? inet_recvmsg+0x5f0/0x5f0
[ 22.485401] ? selinux_socket_sendmsg+0x36/0x40
[ 22.490044] ? security_socket_sendmsg+0x89/0xb0
[ 22.494780] ? inet_recvmsg+0x5f0/0x5f0
[ 22.498736] sock_sendmsg+0xca/0x110
[ 22.502428] SYSC_sendto+0x361/0x5c0
[ 22.506120] ? SYSC_connect+0x4a0/0x4a0
[ 22.510070] ? find_held_lock+0x35/0x1d0
[ 22.514111] ? lock_downgrade+0x980/0x980
[ 22.518245] ? handle_mm_fault+0x410/0x8d0
[ 22.522452] ? down_read_trylock+0xdb/0x170
[ 22.526749] ? __do_page_fault+0x32d/0xc90
[ 22.530960] ? up_read+0x1a/0x40
[ 22.534302] ? __do_page_fault+0x3d6/0xc90
[ 22.538515] SyS_sendto+0x40/0x50
[ 22.541943] ? SyS_getpeername+0x30/0x30
[ 22.545979] do_fast_syscall_32+0x3ee/0xf9d
[ 22.550291] ? do_int80_syscall_32+0x9d0/0x9d0
[ 22.554850] ? syscall_return_slowpath+0x2ad/0x550
[ 22.559755] ? prepare_exit_to_usermode+0x340/0x340
[ 22.564756] ? retint_user+0x18/0x18
[ 22.568446] ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 22.573264] entry_SYSENTER_compat+0x54/0x63
[ 22.577644] RIP: 0023:0xf7f2bc79
[ 22.580982] RSP: 002b:00000000f7f061dc EFLAGS: 00000292 ORIG_RAX: 0000000000000171
[ 22.588663] RAX: ffffffffffffffda RBX: 0000000000000005 RCX: 000000002010bf14
[ 22.595908] RDX: 0000000000000001 RSI: 0000000000000000 RDI: 00000000204d9000
[ 22.603150] RBP: 000000000000001c R08: 0000000000000000 R09: 0000000000000000
[ 22.610392] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
[ 22.617638] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[ 22.624987] ==================================================================
[ 22.632357] BUG: KASAN: use-after-free in do_raw_spin_lock+0x1e0/0x220
[ 22.638996] Read of size 4 at addr ffff8801d9a2408c by task syzkaller961383/3664
[ 22.646501] executing program
[ 22.648103] CPU: 0 PID: 3664 Comm: syzkaller961383 Not tainted 4.15.0-rc7+ #171
[ 22.655532] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 22.664858] Call Trace:
[ 22.667436] dump_stack+0x194/0x257
[ 22.671040] ? arch_local_irq_restore+0x53/0x53
[ 22.675695] ? show_regs_print_info+0x18/0x18
[ 22.680176] ? lock_acquire+0x1d5/0x580
[ 22.684127] ? trace_hardirqs_on+0xd/0x10
[ 22.688248] ? do_raw_spin_lock+0x1e0/0x220
[ 22.692543] print_address_description+0x73/0x250
[ 22.697359] ? do_raw_spin_lock+0x1e0/0x220
[ 22.701655] kasan_report+0x25b/0x340
[ 22.705430] __asan_report_load4_noabort+0x14/0x20
[ 22.710332] do_raw_spin_lock+0x1e0/0x220
[ 22.714456] _raw_spin_lock_bh+0x39/0x40
[ 22.718489] ? release_sock+0x74/0x2a0
[ 22.722349] release_sock+0x74/0x2a0
[ 22.726041] ? sctp_prsctp_prune+0x97/0x6f0
[ 22.730422] ? __release_sock+0x360/0x360
[ 22.734543] ? trace_hardirqs_on+0xd/0x10
[ 22.738669] sctp_sendmsg+0x2c61/0x3360
[ 22.742616] ? __lock_acquire+0x22b0/0x3e00
[ 22.746917] ? sctp_id2assoc+0x390/0x390
[ 22.750952] ? avc_has_perm+0x43e/0x680
[ 22.754912] ? avc_has_perm_noaudit+0x520/0x520
[ 22.759554] ? __fget+0x35c/0x570
[ 22.762995] ? iterate_fd+0x3f0/0x3f0
[ 22.766782] ? find_held_lock+0x35/0x1d0
[ 22.770833] ? sock_has_perm+0x2a4/0x420
[ 22.774870] ? selinux_secmark_relabel_packet+0xc0/0xc0
[ 22.780205] ? lock_release+0x962/0xa40
[ 22.784153] ? trace_event_raw_event_sched_switch+0x800/0x800
[ 22.790019] inet_sendmsg+0x11f/0x5e0
[ 22.793793] ? inet_sendmsg+0x11f/0x5e0
[ 22.797738] ? __might_sleep+0x95/0x190
[ 22.801685] ? inet_recvmsg+0x5f0/0x5f0
[ 22.805632] ? selinux_socket_sendmsg+0x36/0x40
[ 22.810273] ? security_socket_sendmsg+0x89/0xb0
[ 22.815002] ? inet_recvmsg+0x5f0/0x5f0
[ 22.818954] sock_sendmsg+0xca/0x110
[ 22.822644] SYSC_sendto+0x361/0x5c0
[ 22.826332] ? SYSC_connect+0x4a0/0x4a0
[ 22.830283] ? find_held_lock+0x35/0x1d0
[ 22.834324] ? lock_downgrade+0x980/0x980
[ 22.838453] ? handle_mm_fault+0x410/0x8d0
[ 22.842660] ? down_read_trylock+0xdb/0x170
[ 22.846961] ? __do_page_fault+0x32d/0xc90
[ 22.851176] ? up_read+0x1a/0x40
[ 22.854515] ? __do_page_fault+0x3d6/0xc90
[ 22.858729] SyS_sendto+0x40/0x50
[ 22.862155] ? SyS_getpeername+0x30/0x30
[ 22.866191] do_fast_syscall_32+0x3ee/0xf9d
[ 22.870489] ? do_int80_syscall_32+0x9d0/0x9d0
[ 22.875047] ? syscall_return_slowpath+0x2ad/0x550
[ 22.879950] ? prepare_exit_to_usermode+0x340/0x340
[ 22.884941] ? retint_user+0x18/0x18
[ 22.888630] ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 22.893451] entry_SYSENTER_compat+0x54/0x63
[ 22.897833] RIP: 0023:0xf7f2bc79
[ 22.901170] RSP: 002b:00000000f7f061dc EFLAGS: 00000292 ORIG_RAX: 0000000000000171
[ 22.908850] RAX: ffffffffffffffda RBX: 0000000000000005 RCX: 000000002010bf14
[ 22.916095] RDX: 0000000000000001 RSI: 0000000000000000 RDI: 00000000204d9000
[ 22.923350] RBP: 000000000000001c R08: 0000000000000000 R09: 0000000000000000
[ 22.930605] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
[ 22.937849] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[ 22.945101]
[ 22.946700] Allocated by task 3665:
[ 22.950318] save_stack+0x43/0xd0
[ 22.953743] kasan_kmalloc+0xad/0xe0
[ 22.957429] kasan_slab_alloc+0x12/0x20
[ 22.961378] kmem_cache_alloc+0x12e/0x760
[ 22.965499] sk_prot_alloc+0x65/0x2a0
[ 22.969269] sk_alloc+0x105/0x1410
[ 22.972781] sctp_v6_create_accept_sk+0x15a/0x9b0
[ 22.977594] sctp_accept+0x5c4/0x970
[ 22.981278] inet_accept+0x12c/0x930
[ 22.984973] SYSC_accept4+0x38d/0x870
[ 22.988746] SyS_accept4+0x2c/0x40
[ 22.992257] do_fast_syscall_32+0x3ee/0xf9d
[ 22.996551] entry_SYSENTER_compat+0x54/0x63
[ 23.000928]
[ 23.002527] Freed by task 3664:
[ 23.005780] save_stack+0x43/0xd0
[ 23.009204] kasan_slab_free+0x71/0xc0
[ 23.013062] kmem_cache_free+0x83/0x2a0
[ 23.017010] __sk_destruct+0x622/0x910
[ 23.020880] sk_destruct+0x47/0x80
[ 23.024394] __sk_free+0x57/0x230
[ 23.027816] sk_free+0x2a/0x40
[ 23.030981] sctp_association_put+0x14c/0x2f0
[ 23.035450] sctp_wait_for_sndbuf+0x673/0x8d0
[ 23.039922] sctp_sendmsg+0x277d/0x3360
[ 23.043869] inet_sendmsg+0x11f/0x5e0
[ 23.047642] sock_sendmsg+0xca/0x110
[ 23.051333] SYSC_sendto+0x361/0x5c0
[ 23.055024] SyS_sendto+0x40/0x50
[ 23.058454] do_fast_syscall_32+0x3ee/0xf9d
[ 23.062747] entry_SYSENTER_compat+0x54/0x63
[ 23.067138]
[ 23.068741] The buggy address belongs to the object at ffff8801d9a24000
[ 23.068741] which belongs to the cache SCTPv6 of size 1888
[ 23.081038] The buggy address is located 140 bytes inside of
[ 23.081038] 1888-byte region [ffff8801d9a24000, ffff8801d9a24760)
[ 23.092969] The buggy address belongs to the page:
[ 23.097872] page:ffffea0007668900 count:1 mapcount:0 mapping:ffff8801d9a24000 index:0x0
[ 23.105989] flags: 0x2fffc0000000100(slab)
[ 23.110204] raw: 02fffc0000000100 ffff8801d9a24000 0000000000000000 0000000100000002
[ 23.118057] raw: ffffea00071f31a0 ffffea000765cfa0 ffff8801d2c04200 0000000000000000
[ 23.125911] page dumped because: kasan: bad access detected
[ 23.131593]
[ 23.133192] Memory state around the buggy address:
[ 23.138092]  ffff8801d9a23f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 23.145437]  ffff8801d9a24000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 23.152768] >ffff8801d9a24080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 23.160098]                                                        ^
[ 23.163697]  ffff8801d9a24100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 23.171027]  ffff8801d9a24180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 23.178361] ==================================================================
[ 23.185723] Kernel panic - not syncing: panic_on_warn set ...
[ 23.185723]
[ 23.193079] CPU: 0 PID: 3664 Comm: syzkaller961383 Tainted: G B 4.15.0-rc7+ #171
[ 23.201811] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 23.211149] Call Trace:
[ 23.213723] dump_stack+0x194/0x257
[ 23.217334] ? arch_local_irq_restore+0x53/0x53
[ 23.221994] ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 23.226739] ? vsnprintf+0x1ed/0x1900
[ 23.230514] ? do_raw_spin_lock+0x100/0x220
[ 23.234805] panic+0x1e4/0x41c
[ 23.237969] ? refcount_error_report+0x214/0x214
[ 23.242711] ? add_taint+0x1c/0x50
[ 23.246225] ? add_taint+0x1c/0x50
[ 23.249750] ? do_raw_spin_lock+0x1e0/0x220
[ 23.254047] kasan_end_report+0x50/0x50
[ 23.257992] kasan_report+0x144/0x340
[ 23.261776] __asan_report_load4_noabort+0x14/0x20
[ 23.266685] do_raw_spin_lock+0x1e0/0x220
[ 23.270808] _raw_spin_lock_bh+0x39/0x40
[ 23.274840] ? release_sock+0x74/0x2a0
[ 23.278696] release_sock+0x74/0x2a0
[ 23.282381] ? sctp_prsctp_prune+0x97/0x6f0
[ 23.286682] ? __release_sock+0x360/0x360
[ 23.290802] ? trace_hardirqs_on+0xd/0x10
[ 23.294925] sctp_sendmsg+0x2c61/0x3360
[ 23.298870] ? __lock_acquire+0x22b0/0x3e00
[ 23.303168] ? sctp_id2assoc+0x390/0x390
[ 23.307200] ? avc_has_perm+0x43e/0x680
[ 23.311148] ? avc_has_perm_noaudit+0x520/0x520
[ 23.315793] ? __fget+0x35c/0x570
[ 23.319231] ? iterate_fd+0x3f0/0x3f0
[ 23.323031] ? find_held_lock+0x35/0x1d0
[ 23.327078] ? sock_has_perm+0x2a4/0x420
[ 23.331119] ? selinux_secmark_relabel_packet+0xc0/0xc0
[ 23.336462] ? lock_release+0x962/0xa40
[ 23.340408] ? trace_event_raw_event_sched_switch+0x800/0x800
[ 23.346276] inet_sendmsg+0x11f/0x5e0
[ 23.350048] ? inet_sendmsg+0x11f/0x5e0
[ 23.353991] ? __might_sleep+0x95/0x190
[ 23.357939] ? inet_recvmsg+0x5f0/0x5f0
[ 23.361885] ? selinux_socket_sendmsg+0x36/0x40
[ 23.366526] ? security_socket_sendmsg+0x89/0xb0
[ 23.371263] ? inet_recvmsg+0x5f0/0x5f0
[ 23.375214] sock_sendmsg+0xca/0x110
[ 23.378900] SYSC_sendto+0x361/0x5c0
[ 23.382587] ? SYSC_connect+0x4a0/0x4a0
[ 23.386534] ? find_held_lock+0x35/0x1d0
[ 23.390573] ? lock_downgrade+0x980/0x980
[ 23.394697] ? handle_mm_fault+0x410/0x8d0
[ 23.398912] ? down_read_trylock+0xdb/0x170
[ 23.403206] ? __do_page_fault+0x32d/0xc90
[ 23.407417] ? up_read+0x1a/0x40
[ 23.410755] ? __do_page_fault+0x3d6/0xc90
[ 23.414966] SyS_sendto+0x40/0x50
[ 23.418394] ? SyS_getpeername+0x30/0x30
[ 23.422430] do_fast_syscall_32+0x3ee/0xf9d
[ 23.426726] ? do_int80_syscall_32+0x9d0/0x9d0
[ 23.431285] ? syscall_return_slowpath+0x2ad/0x550
[ 23.436193] ? prepare_exit_to_usermode+0x340/0x340
[ 23.441178] ? retint_user+0x18/0x18
[ 23.444874] ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 23.449700] entry_SYSENTER_compat+0x54/0x63
[ 23.454080] RIP: 0023:0xf7f2bc79
[ 23.457414] RSP: 002b:00000000f7f061dc EFLAGS: 00000292 ORIG_RAX: 0000000000000171
[ 23.465103] RAX: ffffffffffffffda RBX: 0000000000000005 RCX: 000000002010bf14
[ 23.472350] RDX: 0000000000000001 RSI: 0000000000000000 RDI: 00000000204d9000
[ 23.479592] RBP: 000000000000001c R08: 0000000000000000 R09: 0000000000000000
[ 23.486839] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
[ 23.494080] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[ 23.501780] Dumping ftrace buffer:
[ 23.505295] (ftrace buffer empty)
[ 23.508983] Kernel Offset: disabled
[ 23.512583] Rebooting in 86400 seconds..