[ ok ] Starting enhanced syslogd: rsyslogd.
[ 12.375901] audit: type=1400 audit(1515914314.133:5): avc: denied { syslog } for pid=3513 comm="rsyslogd" capability=34 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=capability2 permissive=1
[ ok ] Starting periodic command scheduler: cron.
Starting mcstransd:
[ ok ] Starting file context maintaining daemon: restorecond.
[ ok ] Starting OpenBSD Secure Shell server: sshd.

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [ 18.482280] audit: type=1400 audit(1515914320.239:6): avc: denied { map } for pid=3652 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
Warning: Permanently added '10.128.0.57' (ECDSA) to the list of known hosts.
executing program
[ 40.383796] audit: type=1400 audit(1515914342.141:7): avc: denied { map } for pid=3670 comm="syzkaller827891" path="/root/syzkaller827891909" dev="sda1" ino=16481 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
executing program
executing program
[ 40.549797]
[ 40.551448] =========================
[ 40.555216] WARNING: held lock freed!
[ 40.558996] 4.15.0-rc7-next-20180112+ #96 Not tainted
[ 40.564162] -------------------------
[ 40.567932] syzkaller827891/3674 is freeing memory 000000003989776d-000000005d697573, with a lock still held there!
[ 40.578474] (sk_lock-AF_INET6){+.+.}, at: [<000000006e5aa963>] sctp_wait_for_sndbuf+0x509/0x8d0
[ 40.587386] 1 lock held by syzkaller827891/3674:
[ 40.592108]  #0:  (sk_lock-AF_INET6){+.+.}, at: [<000000006e5aa963>] sctp_wait_for_sndbuf+0x509/0x8d0
[ 40.601445]
[ 40.601445] stack backtrace:
[ 40.605913] CPU: 0 PID: 3674 Comm: syzkaller827891 Not tainted 4.15.0-rc7-next-20180112+ #96
[ 40.614454] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 40.623775] Call Trace:
[ 40.626337]  dump_stack+0x194/0x257
[ 40.629946]  ? arch_local_irq_restore+0x53/0x53
[ 40.634600]  debug_check_no_locks_freed+0x32f/0x3c0
[ 40.639590]  kmem_cache_free+0x68/0x2b0
[ 40.643536]  __sk_destruct+0x622/0x910
[ 40.647390]  ? kfree+0xd9/0x260
[ 40.650642]  ? sock_rfree+0x160/0x160
[ 40.654412]  ? sock_sendmsg+0xca/0x110
[ 40.658268]  ? SyS_sendto+0x40/0x50
[ 40.661864]  ? entry_SYSCALL_64_fastpath+0x29/0xa0
[ 40.666765]  ? debug_check_no_obj_freed+0x611/0xf1f
[ 40.671754]  ? check_noncircular+0x20/0x20
[ 40.675958]  ? print_irqtrace_events+0x270/0x270
[ 40.680685]  ? __local_bh_enable_ip+0x121/0x230
[ 40.685325]  ? sctp_put_port+0x495/0x640
[ 40.689356]  ? sctp_poll+0xc00/0xc00
[ 40.693043]  ? refcount_sub_and_test+0x115/0x1b0
[ 40.697766]  ? refcount_inc+0x50/0x50
[ 40.701534]  ? refcount_inc+0x50/0x50
[ 40.705309]  sk_destruct+0x47/0x80
[ 40.708822]  __sk_free+0xf1/0x2b0
[ 40.712268]  sk_free+0x2a/0x40
[ 40.715431]  sctp_association_put+0x14c/0x2f0
[ 40.719897]  ? sctp_association_hold+0x20/0x20
[ 40.724450]  ? lock_sock_nested+0x91/0x110
[ 40.728653]  ? trace_hardirqs_on+0xd/0x10
[ 40.732799]  ? __local_bh_enable_ip+0x121/0x230
[ 40.737441]  sctp_wait_for_sndbuf+0x673/0x8d0
[ 40.741920]  ? sctp_init_sock+0x13b0/0x13b0
[ 40.746212]  ? do_raw_spin_trylock+0x190/0x190
[ 40.750849]  ? __local_bh_enable_ip+0x121/0x230
[ 40.755487]  ? sctp_prsctp_prune+0x97/0x790
[ 40.759779]  ? prepare_to_wait+0x4d0/0x4d0
[ 40.763983]  ? trace_hardirqs_on+0xd/0x10
[ 40.768104]  sctp_sendmsg+0x28f7/0x33f0
[ 40.772054]  ? sctp_id2assoc+0x390/0x390
[ 40.776087]  ? avc_has_perm+0x43e/0x680
[ 40.780032]  ? avc_has_perm_noaudit+0x520/0x520
[ 40.784672]  ? __fget+0x35c/0x570
[ 40.788107]  ? iterate_fd+0x3f0/0x3f0
[ 40.791882]  ? find_held_lock+0x35/0x1d0
[ 40.795925]  ? sock_has_perm+0x2a4/0x420
[ 40.799956]  ? lock_release+0x972/0xa40
[ 40.803900]  ? trace_event_raw_event_sched_switch+0x800/0x800
[ 40.809754]  ? __check_object_size+0x8b/0x530
[ 40.814221]  inet_sendmsg+0x11f/0x5e0
[ 40.817990]  ? inet_sendmsg+0x11f/0x5e0
[ 40.821932]  ? __might_sleep+0x95/0x190
[ 40.825883]  ? inet_create+0xf50/0xf50
[ 40.829750]  ? selinux_socket_sendmsg+0x36/0x40
[ 40.834391]  ? security_socket_sendmsg+0x89/0xb0
[ 40.839117]  ? inet_create+0xf50/0xf50
[ 40.842974]  sock_sendmsg+0xca/0x110
[ 40.846656]  SYSC_sendto+0x361/0x5c0
[ 40.850353]  ? SYSC_connect+0x4a0/0x4a0
[ 40.854301]  ? selinux_secmark_relabel_packet+0xc0/0xc0
[ 40.859635]  ? __do_page_fault+0x3d6/0xc90
[ 40.863840]  ? selinux_netlbl_sock_rcv_skb+0x730/0x730
[ 40.869097]  ? SyS_futex+0x269/0x390
[ 40.872777]  ? SyS_setsockopt+0x215/0x360
[ 40.876894]  ? do_futex+0x22a0/0x22a0
[ 40.880665]  ? entry_SYSCALL_64_fastpath+0x5/0xa0
[ 40.885490]  SyS_sendto+0x40/0x50
[ 40.888915]  entry_SYSCALL_64_fastpath+0x29/0xa0
[ 40.893642] RIP: 0033:0x4457e9
[ 40.896800] RSP: 002b:00007fae0d059da8 EFLAGS: 00000216 ORIG_RAX: 000000000000002c
[ 40.904476] RAX: ffffffffffffffda RBX: 00000000006dac6c RCX: 00000000004457e9
[ 40.911717] RDX: 0000000000000001 RSI: 000000002010bf14 RDI: 0000000000000004
[ 40.918958] RBP: 00000000006dac68 R08: 00000000204d9000 R09: 000000000000001c
[ 40.926197] R10: 0000000000000000 R11: 0000000000000216 R12: 0000000000000000
[ 40.933436] R13: 00007fff75454fff R14: 00007fae0d05a9c0 R15: 0000000000000001
[ 40.940785] ==================================================================
[ 40.948125] BUG: KASAN: use-after-free in do_raw_spin_lock+0x1e0/0x220
[ 40.954759] Read of size 4 at addr ffff8801d9fe608c by task syzkaller827891/3674
[ 40.962258]
[ 40.963858] CPU: 0 PID: 3674 Comm: syzkaller827891 Not tainted 4.15.0-rc7-next-20180112+ #96
[ 40.972401] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 40.981726] Call Trace:
[ 40.984288]  dump_stack+0x194/0x257
[ 40.987888]  ? arch_local_irq_restore+0x53/0x53
[ 40.992530]  ? show_regs_print_info+0x18/0x18
[ 40.996994]  ? lock_acquire+0x1d5/0x580
executing program
[ 41.000939]  ? trace_hardirqs_on+0xd/0x10
[ 41.005057]  ? do_raw_spin_lock+0x1e0/0x220
[ 41.009350]  print_address_description+0x73/0x250
[ 41.014164]  ? do_raw_spin_lock+0x1e0/0x220
[ 41.018455]  kasan_report+0x23b/0x360
[ 41.022227]  __asan_report_load4_noabort+0x14/0x20
[ 41.027129]  do_raw_spin_lock+0x1e0/0x220
[ 41.031250]  _raw_spin_lock_bh+0x39/0x40
[ 41.035286]  ? release_sock+0x74/0x2a0
[ 41.039141]  release_sock+0x74/0x2a0
[ 41.042825]  ? sctp_prsctp_prune+0x97/0x790
[ 41.047117]  ? __release_sock+0x360/0x360
[ 41.051248]  ? trace_hardirqs_on+0xd/0x10
[ 41.055372]  sctp_sendmsg+0x2993/0x33f0
[ 41.059323]  ? sctp_id2assoc+0x390/0x390
[ 41.063356]  ? avc_has_perm+0x43e/0x680
[ 41.067302]  ? avc_has_perm_noaudit+0x520/0x520
[ 41.071939]  ? __fget+0x35c/0x570
[ 41.075364]  ? iterate_fd+0x3f0/0x3f0
[ 41.079138]  ? find_held_lock+0x35/0x1d0
[ 41.083173]  ? sock_has_perm+0x2a4/0x420
[ 41.087207]  ? lock_release+0x972/0xa40
[ 41.091151]  ? trace_event_raw_event_sched_switch+0x800/0x800
[ 41.097006]  ? __check_object_size+0x8b/0x530
[ 41.101483]  inet_sendmsg+0x11f/0x5e0
[ 41.105253]  ? inet_sendmsg+0x11f/0x5e0
[ 41.109204]  ? __might_sleep+0x95/0x190
[ 41.113150]  ? inet_create+0xf50/0xf50
[ 41.117010]  ? selinux_socket_sendmsg+0x36/0x40
[ 41.121648]  ? security_socket_sendmsg+0x89/0xb0
[ 41.126376]  ? inet_create+0xf50/0xf50
[ 41.130234]  sock_sendmsg+0xca/0x110
[ 41.133927]  SYSC_sendto+0x361/0x5c0
[ 41.137699]  ? SYSC_connect+0x4a0/0x4a0
[ 41.141648]  ? selinux_secmark_relabel_packet+0xc0/0xc0
[ 41.146983]  ? __do_page_fault+0x3d6/0xc90
[ 41.151200]  ? selinux_netlbl_sock_rcv_skb+0x730/0x730
[ 41.156460]  ? SyS_futex+0x269/0x390
[ 41.160152]  ? SyS_setsockopt+0x215/0x360
[ 41.164281]  ? do_futex+0x22a0/0x22a0
[ 41.168053]  ? entry_SYSCALL_64_fastpath+0x5/0xa0
[ 41.172869]  SyS_sendto+0x40/0x50
[ 41.176312]  entry_SYSCALL_64_fastpath+0x29/0xa0
[ 41.181048] RIP: 0033:0x4457e9
[ 41.184206] RSP: 002b:00007fae0d059da8 EFLAGS: 00000216 ORIG_RAX: 000000000000002c
[ 41.191884] RAX: ffffffffffffffda RBX: 00000000006dac6c RCX: 00000000004457e9
[ 41.199126] RDX: 0000000000000001 RSI: 000000002010bf14 RDI: 0000000000000004
[ 41.206364] RBP: 00000000006dac68 R08: 00000000204d9000 R09: 000000000000001c
[ 41.213604] R10: 0000000000000000 R11: 0000000000000216 R12: 0000000000000000
[ 41.220845] R13: 00007fff75454fff R14: 00007fae0d05a9c0 R15: 0000000000000001
[ 41.228092]
[ 41.229690] Allocated by task 3679:
[ 41.233297]  save_stack+0x43/0xd0
[ 41.236727]  kasan_kmalloc+0xad/0xe0
[ 41.240410]  kasan_slab_alloc+0x12/0x20
[ 41.244354]  kmem_cache_alloc+0x12e/0x760
[ 41.248471]  sk_prot_alloc+0x65/0x2a0
[ 41.252239]  sk_alloc+0x105/0x1440
[ 41.255753]  sctp_v6_create_accept_sk+0x15a/0x9b0
[ 41.260650]  sctp_accept+0x5c4/0x970
[ 41.264349]  inet_accept+0x12c/0x930
[ 41.268041]  SYSC_accept4+0x38d/0x870
[ 41.271811]  SyS_accept+0x26/0x30
[ 41.275235]  entry_SYSCALL_64_fastpath+0x29/0xa0
[ 41.279957]
[ 41.281557] Freed by task 3674:
[ 41.284807]  save_stack+0x43/0xd0
[ 41.288228]  __kasan_slab_free+0x11a/0x170
[ 41.292440]  kasan_slab_free+0xe/0x10
[ 41.296212]  kmem_cache_free+0x86/0x2b0
[ 41.300155]  __sk_destruct+0x622/0x910
[ 41.304012]  sk_destruct+0x47/0x80
[ 41.307607]  __sk_free+0xf1/0x2b0
[ 41.311025]  sk_free+0x2a/0x40
[ 41.314186]  sctp_association_put+0x14c/0x2f0
[ 41.318651]  sctp_wait_for_sndbuf+0x673/0x8d0
[ 41.323118]  sctp_sendmsg+0x28f7/0x33f0
[ 41.327061]  inet_sendmsg+0x11f/0x5e0
[ 41.330831]  sock_sendmsg+0xca/0x110
[ 41.334513]  SYSC_sendto+0x361/0x5c0
[ 41.338195]  SyS_sendto+0x40/0x50
[ 41.341616]  entry_SYSCALL_64_fastpath+0x29/0xa0
[ 41.346335]
[ 41.347934] The buggy address belongs to the object at ffff8801d9fe6000
[ 41.347934]  which belongs to the cache SCTPv6 of size 1888
[ 41.360220] The buggy address is located 140 bytes inside of
[ 41.360220]  1888-byte region [ffff8801d9fe6000, ffff8801d9fe6760)
[ 41.372146] The buggy address belongs to the page:
[ 41.377044] page:ffffea000767f980 count:1 mapcount:0 mapping:ffff8801d9fe6000 index:0x0
[ 41.385156] flags: 0x2fffc0000000100(slab)
[ 41.389364] raw: 02fffc0000000100 ffff8801d9fe6000 0000000000000000 0000000100000002
[ 41.397212] raw: ffffea00074a0be0 ffffea0006eb48a0 ffff8801d2825500 0000000000000000
[ 41.405058] page dumped because: kasan: bad access detected
[ 41.410740]
[ 41.412335] Memory state around the buggy address:
[ 41.417234]  ffff8801d9fe5f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 41.424564]  ffff8801d9fe6000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 41.431893] >ffff8801d9fe6080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 41.439228]                                                        ^
[ 41.442832]  ffff8801d9fe6100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 41.450160]  ffff8801d9fe6180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 41.457486] ==================================================================
[ 41.464854] Kernel panic - not syncing: panic_on_warn set ...
[ 41.464854]
[ 41.472197] CPU: 0 PID: 3674 Comm: syzkaller827891 Tainted: G    B 4.15.0-rc7-next-20180112+ #96
[ 41.482059] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 41.491383] Call Trace:
[ 41.493946]  dump_stack+0x194/0x257
[ 41.497549]  ? arch_local_irq_restore+0x53/0x53
executing program
[ 41.502192]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 41.506917]  ? vsnprintf+0x1ed/0x1900
[ 41.510687]  ? do_raw_spin_lock+0x110/0x220
[ 41.515085]  panic+0x1e4/0x41c
[ 41.518263]  ? refcount_error_report+0x214/0x214
[ 41.522999]  ? add_taint+0x1c/0x50
[ 41.526510]  ? add_taint+0x1c/0x50
[ 41.530021]  ? do_raw_spin_lock+0x1e0/0x220
[ 41.534316]  kasan_end_report+0x50/0x50
[ 41.538276]  kasan_report+0x148/0x360
[ 41.542050]  __asan_report_load4_noabort+0x14/0x20
[ 41.546947]  do_raw_spin_lock+0x1e0/0x220
[ 41.551067]  _raw_spin_lock_bh+0x39/0x40
[ 41.555099]  ? release_sock+0x74/0x2a0
[ 41.558963]  release_sock+0x74/0x2a0
[ 41.562654]  ? sctp_prsctp_prune+0x97/0x790
[ 41.566946]  ? __release_sock+0x360/0x360
[ 41.571062]  ? trace_hardirqs_on+0xd/0x10
[ 41.575184]  sctp_sendmsg+0x2993/0x33f0
[ 41.579134]  ? sctp_id2assoc+0x390/0x390
[ 41.583167]  ? avc_has_perm+0x43e/0x680
[ 41.587111]  ? avc_has_perm_noaudit+0x520/0x520
[ 41.591750]  ? __fget+0x35c/0x570
[ 41.595174]  ? iterate_fd+0x3f0/0x3f0
[ 41.598949]  ? find_held_lock+0x35/0x1d0
[ 41.602992]  ? sock_has_perm+0x2a4/0x420
[ 41.607025]  ? lock_release+0x972/0xa40
[ 41.610969]  ? trace_event_raw_event_sched_switch+0x800/0x800
[ 41.616832]  ? __check_object_size+0x8b/0x530
[ 41.621301]  inet_sendmsg+0x11f/0x5e0
[ 41.625072]  ? inet_sendmsg+0x11f/0x5e0
[ 41.629015]  ? __might_sleep+0x95/0x190
[ 41.632960]  ? inet_create+0xf50/0xf50
[ 41.636822]  ? selinux_socket_sendmsg+0x36/0x40
[ 41.642063]  ? security_socket_sendmsg+0x89/0xb0
[ 41.646797]  ? inet_create+0xf50/0xf50
[ 41.650657]  sock_sendmsg+0xca/0x110
[ 41.654353]  SYSC_sendto+0x361/0x5c0
[ 41.658038]  ? SYSC_connect+0x4a0/0x4a0
[ 41.661984]  ? selinux_secmark_relabel_packet+0xc0/0xc0
[ 41.667322]  ? __do_page_fault+0x3d6/0xc90
[ 41.671537]  ? selinux_netlbl_sock_rcv_skb+0x730/0x730
[ 41.676799]  ? SyS_futex+0x269/0x390
[ 41.680484]  ? SyS_setsockopt+0x215/0x360
[ 41.684613]  ? do_futex+0x22a0/0x22a0
[ 41.688387]  ? entry_SYSCALL_64_fastpath+0x5/0xa0
[ 41.693202]  SyS_sendto+0x40/0x50
[ 41.696630]  entry_SYSCALL_64_fastpath+0x29/0xa0
[ 41.701353] RIP: 0033:0x4457e9
[ 41.704513] RSP: 002b:00007fae0d059da8 EFLAGS: 00000216 ORIG_RAX: 000000000000002c
[ 41.712201] RAX: ffffffffffffffda RBX: 00000000006dac6c RCX: 00000000004457e9
[ 41.719441] RDX: 0000000000000001 RSI: 000000002010bf14 RDI: 0000000000000004
[ 41.726682] RBP: 00000000006dac68 R08: 00000000204d9000 R09: 000000000000001c
[ 41.733924] R10: 0000000000000000 R11: 0000000000000216 R12: 0000000000000000
[ 41.741170] R13: 00007fff75454fff R14: 00007fae0d05a9c0 R15: 0000000000000001
[ 41.748801] Dumping ftrace buffer:
[ 41.752310]    (ftrace buffer empty)
[ 41.755991] Kernel Offset: disabled
[ 41.759587] Rebooting in 86400 seconds..