[ 12.900348] audit: type=1400 audit(1515343526.283:5): avc: denied { syslog } for pid=3344 comm="rsyslogd" capability=34 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=capability2 permissive=1
[ ok ] Starting enhanced syslogd: rsyslogd.
[ ok ] Starting periodic command scheduler: cron.
Starting mcstransd:
[ ok ] Starting file context maintaining daemon: restorecond.
[ ok ] Starting OpenBSD Secure Shell server: sshd.

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [ 19.437632] audit: type=1400 audit(1515343532.820:6): avc: denied { map } for pid=3484 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
Warning: Permanently added '10.128.15.212' (ECDSA) to the list of known hosts.
[ 25.665516] audit: type=1400 audit(1515343539.048:7): avc: denied { map } for pid=3498 comm="syzkaller677230" path="/root/syzkaller677230034" dev="sda1" ino=16481 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
executing program
executing program
executing program
[ 26.006380]
[ 26.008033] =========================
[ 26.011799] WARNING: held lock freed!
[ 26.015565] 4.15.0-rc5+ #177 Not tainted
[ 26.019593] -------------------------
[ 26.023367] syzkaller677230/3503 is freeing memory 000000009c425cf7-0000000006fdc8dc, with a lock still held there!
[ 26.033911] (sk_lock-AF_INET6){+.+.}, at: [<000000000314a3f4>] sctp_wait_for_sndbuf+0x509/0x8d0
[ 26.042814] 1 lock held by syzkaller677230/3503:
[ 26.047533] #0: (sk_lock-AF_INET6){+.+.}, at: [<000000000314a3f4>] sctp_wait_for_sndbuf+0x509/0x8d0
[ 26.057383]
[ 26.057383] stack backtrace:
[ 26.061855] CPU: 1 PID: 3503 Comm: syzkaller677230 Not tainted 4.15.0-rc5+ #177
[ 26.069265] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 26.078592] Call Trace:
[ 26.081154] dump_stack+0x194/0x257
[ 26.084753] ? arch_local_irq_restore+0x53/0x53
[ 26.089407] debug_check_no_locks_freed+0x32f/0x3c0
[ 26.094394] kmem_cache_free+0x68/0x2a0
[ 26.098340] __sk_destruct+0x622/0x910
[ 26.102368] ? save_stack+0x43/0xd0
[ 26.105969] ? sock_rfree+0x160/0x160
[ 26.109736] ? sctp_sendmsg+0x28f7/0x33f0
[ 26.113861] ? sock_sendmsg+0xca/0x110
[ 26.117721] ? SYSC_sendto+0x361/0x5c0
[ 26.121578] ? SyS_sendto+0x40/0x50
[ 26.125172] ? entry_SYSCALL_64_fastpath+0x23/0x9a
[ 26.130073] ? check_noncircular+0x20/0x20
[ 26.134275] ? print_irqtrace_events+0x270/0x270
[ 26.139013] ? __local_bh_enable_ip+0x121/0x230
[ 26.143652] ? sctp_put_port+0x495/0x640
[ 26.147684] ? sctp_poll+0xc00/0xc00
[ 26.151370] ? refcount_sub_and_test+0x115/0x1b0
[ 26.156095] ? refcount_inc+0x50/0x50
[ 26.159862] ? refcount_inc+0x50/0x50
[ 26.163631] sk_destruct+0x47/0x80
[ 26.167149] __sk_free+0xf1/0x2b0
[ 26.170570] sk_free+0x2a/0x40
[ 26.174027] sctp_association_put+0x14c/0x2f0
[ 26.179184] ? sctp_association_hold+0x20/0x20
[ 26.185034] ? lock_sock_nested+0x91/0x110
[ 26.189236] ? trace_hardirqs_on+0xd/0x10
[ 26.193351] ? __local_bh_enable_ip+0x121/0x230
[ 26.197996] sctp_wait_for_sndbuf+0x673/0x8d0
[ 26.202466] ? sctp_init_sock+0x13b0/0x13b0
[ 26.206755] ? do_raw_spin_trylock+0x190/0x190
[ 26.211304] ? __local_bh_enable_ip+0x121/0x230
[ 26.215940] ? sctp_prsctp_prune+0x97/0x790
[ 26.220231] ? prepare_to_wait+0x4d0/0x4d0
[ 26.224432] ? trace_hardirqs_on+0xd/0x10
[ 26.228552] sctp_sendmsg+0x28f7/0x33f0
[ 26.232504] ? sctp_id2assoc+0x390/0x390
[ 26.236532] ? avc_has_perm+0x43e/0x680
[ 26.240474] ? avc_has_perm_noaudit+0x520/0x520
[ 26.245117] ? __fget+0x35c/0x570
[ 26.248553] ? iterate_fd+0x3f0/0x3f0
[ 26.252335] ? find_held_lock+0x35/0x1d0
[ 26.256371] ? sock_has_perm+0x2a4/0x420
[ 26.260400] ? lock_release+0x982/0xa40
[ 26.264341] ? trace_event_raw_event_sched_switch+0x800/0x800
[ 26.270196] ? __check_object_size+0x25d/0x4f0
[ 26.274752] inet_sendmsg+0x11f/0x5e0
[ 26.278519] ? inet_sendmsg+0x11f/0x5e0
[ 26.282460] ? __might_sleep+0x95/0x190
[ 26.286403] ? inet_create+0xf50/0xf50
[ 26.290261] ? selinux_socket_sendmsg+0x36/0x40
[ 26.294897] ? security_socket_sendmsg+0x89/0xb0
[ 26.299880] ? inet_create+0xf50/0xf50
[ 26.303740] sock_sendmsg+0xca/0x110
[ 26.307425] SYSC_sendto+0x361/0x5c0
[ 26.311114] ? SYSC_connect+0x4a0/0x4a0
[ 26.315065] ? selinux_secmark_relabel_packet+0xc0/0xc0
[ 26.320395] ? __do_page_fault+0x3d6/0xc90
[ 26.324605] ? selinux_netlbl_sock_rcv_skb+0x730/0x730
[ 26.329866] ? SyS_futex+0x269/0x390
[ 26.333548] ? SyS_setsockopt+0x215/0x360
[ 26.337673] ? do_futex+0x22a0/0x22a0
[ 26.341442] ? entry_SYSCALL_64_fastpath+0x5/0x9a
[ 26.346255] SyS_sendto+0x40/0x50
[ 26.349679] entry_SYSCALL_64_fastpath+0x23/0x9a
[ 26.354403] RIP: 0033:0x445db9
[ 26.357559] RSP: 002b:00007f26c02dcd98 EFLAGS: 00000212 ORIG_RAX: 000000000000002c
[ 26.365582] RAX: ffffffffffffffda RBX: 00000000006dbc6c RCX: 0000000000445db9
[ 26.375263] RDX: 0000000000000001 RSI: 000000002010bf14 RDI: 0000000000000004
[ 26.383195] RBP: 0000000000000000 R08: 00000000204d9000 R09: 000000000000001c
[ 26.390443] R10: 0000000000000000 R11: 0000000000000212 R12: 00000000006dbc68
[ 26.397951] R13: 00000000209a9000 R14: 0100000000000000 R15: 0000000000000001
[ 26.405312] ==================================================================
[ 26.412654] BUG: KASAN: use-after-free in do_raw_spin_lock+0x1e0/0x220
[ 26.419294] Read of size 4 at addr ffff8801be94c88c by task syzkaller677230/3503
[ 26.426788]
[ 26.428391] CPU: 1 PID: 3503 Comm: syzkaller677230 Not tainted 4.15.0-rc5+ #177
[ 26.435811] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 26.445136] Call Trace:
[ 26.447698] dump_stack+0x194/0x257
[ 26.451295] ? arch_local_irq_restore+0x53/0x53
executing program
[ 26.455940] ? show_regs_print_info+0x18/0x18
[ 26.460403] ? lock_acquire+0x1d5/0x580
[ 26.464345] ? trace_hardirqs_on+0xd/0x10
[ 26.468461] ? do_raw_spin_lock+0x1e0/0x220
[ 26.472749] print_address_description+0x73/0x250
[ 26.477569] ? do_raw_spin_lock+0x1e0/0x220
[ 26.481870] kasan_report+0x25b/0x340
[ 26.485642] __asan_report_load4_noabort+0x14/0x20
[ 26.490545] do_raw_spin_lock+0x1e0/0x220
[ 26.494665] _raw_spin_lock_bh+0x39/0x40
[ 26.498694] ? release_sock+0x74/0x2a0
[ 26.502547] release_sock+0x74/0x2a0
[ 26.506235] ? sctp_prsctp_prune+0x97/0x790
[ 26.510523] ? __release_sock+0x360/0x360
[ 26.514638] ? trace_hardirqs_on+0xd/0x10
[ 26.518757] sctp_sendmsg+0x2993/0x33f0
[ 26.522709] ? sctp_id2assoc+0x390/0x390
[ 26.526739] ? avc_has_perm+0x43e/0x680
[ 26.530685] ? avc_has_perm_noaudit+0x520/0x520
[ 26.535323] ? __fget+0x35c/0x570
[ 26.538747] ? iterate_fd+0x3f0/0x3f0
[ 26.542520] ? find_held_lock+0x35/0x1d0
[ 26.546564] ? sock_has_perm+0x2a4/0x420
[ 26.551376] ? lock_release+0x982/0xa40
[ 26.555676] ? trace_event_raw_event_sched_switch+0x800/0x800
[ 26.561529] ? __check_object_size+0x25d/0x4f0
[ 26.566084] inet_sendmsg+0x11f/0x5e0
[ 26.569851] ? inet_sendmsg+0x11f/0x5e0
[ 26.573791] ? __might_sleep+0x95/0x190
[ 26.577732] ? inet_create+0xf50/0xf50
[ 26.581593] ? selinux_socket_sendmsg+0x36/0x40
[ 26.586231] ? security_socket_sendmsg+0x89/0xb0
[ 26.590956] ? inet_create+0xf50/0xf50
[ 26.594814] sock_sendmsg+0xca/0x110
[ 26.598508] SYSC_sendto+0x361/0x5c0
[ 26.602193] ? SYSC_connect+0x4a0/0x4a0
[ 26.606143] ? selinux_secmark_relabel_packet+0xc0/0xc0
[ 26.611474] ? __do_page_fault+0x3d6/0xc90
[ 26.615681] ? selinux_netlbl_sock_rcv_skb+0x730/0x730
[ 26.620953] ? SyS_futex+0x269/0x390
[ 26.624634] ? SyS_setsockopt+0x215/0x360
[ 26.629700] ? do_futex+0x22a0/0x22a0
[ 26.633471] ? entry_SYSCALL_64_fastpath+0x5/0x9a
[ 26.638286] SyS_sendto+0x40/0x50
[ 26.641712] entry_SYSCALL_64_fastpath+0x23/0x9a
[ 26.646435] RIP: 0033:0x445db9
[ 26.649592] RSP: 002b:00007f26c02dcd98 EFLAGS: 00000212 ORIG_RAX: 000000000000002c
[ 26.657272] RAX: ffffffffffffffda RBX: 00000000006dbc6c RCX: 0000000000445db9
[ 26.664511] RDX: 0000000000000001 RSI: 000000002010bf14 RDI: 0000000000000004
[ 26.671753] RBP: 0000000000000000 R08: 00000000204d9000 R09: 000000000000001c
[ 26.678992] R10: 0000000000000000 R11: 0000000000000212 R12: 00000000006dbc68
[ 26.686238] R13: 00000000209a9000 R14: 0100000000000000 R15: 0000000000000001
[ 26.693491]
[ 26.695085] Allocated by task 3508:
[ 26.698680] save_stack+0x43/0xd0
[ 26.702100] kasan_kmalloc+0xad/0xe0
[ 26.705779] kasan_slab_alloc+0x12/0x20
[ 26.709718] kmem_cache_alloc+0x12e/0x760
[ 26.713834] sk_prot_alloc+0x65/0x2a0
[ 26.717600] sk_alloc+0x105/0x1440
[ 26.721107] sctp_v6_create_accept_sk+0x15a/0x9b0
[ 26.725916] sctp_accept+0x5c4/0x970
[ 26.729597] inet_accept+0x12c/0x930
[ 26.733282] SYSC_accept4+0x38d/0x870
[ 26.737047] SyS_accept+0x26/0x30
[ 26.740467] entry_SYSCALL_64_fastpath+0x23/0x9a
[ 26.745532]
[ 26.747123] Freed by task 3503:
[ 26.750379] save_stack+0x43/0xd0
[ 26.753807] kasan_slab_free+0x71/0xc0
[ 26.757668] kmem_cache_free+0x83/0x2a0
[ 26.761606] __sk_destruct+0x622/0x910
[ 26.765464] sk_destruct+0x47/0x80
[ 26.768968] __sk_free+0xf1/0x2b0
[ 26.772386] sk_free+0x2a/0x40
[ 26.775544] sctp_association_put+0x14c/0x2f0
[ 26.780009] sctp_wait_for_sndbuf+0x673/0x8d0
[ 26.784484] sctp_sendmsg+0x28f7/0x33f0
[ 26.788425] inet_sendmsg+0x11f/0x5e0
[ 26.792195] sock_sendmsg+0xca/0x110
[ 26.795881] SYSC_sendto+0x361/0x5c0
[ 26.799561] SyS_sendto+0x40/0x50
[ 26.802979] entry_SYSCALL_64_fastpath+0x23/0x9a
[ 26.807699]
[ 26.809297] The buggy address belongs to the object at ffff8801be94c800
[ 26.809297]  which belongs to the cache SCTPv6 of size 1888
[ 26.821570] The buggy address is located 140 bytes inside of
[ 26.821570]  1888-byte region [ffff8801be94c800, ffff8801be94cf60)
[ 26.833503] The buggy address belongs to the page:
[ 26.838399] page:0000000093e6f977 count:1 mapcount:0 mapping:00000000f418c947 index:0x0
[ 26.846507] flags: 0x2fffc0000000100(slab)
[ 26.850710] raw: 02fffc0000000100 ffff8801be94c000 0000000000000000 0000000100000002
[ 26.858558] raw: ffffea0006fbcb20 ffffea0006fb2820 ffff8801d331dc80 0000000000000000
[ 26.866400] page dumped because: kasan: bad access detected
[ 26.872074]
[ 26.873675] Memory state around the buggy address:
[ 26.878571]  ffff8801be94c780: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 26.885896]  ffff8801be94c800: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 26.893221] >ffff8801be94c880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 26.900543]                                                        ^
[ 26.904137]  ffff8801be94c900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 26.911462]  ffff8801be94c980: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 26.918783] ==================================================================
[ 26.926157] Kernel panic - not syncing: panic_on_warn set ...
[ 26.926157]
[ 26.933524] CPU: 1 PID: 3503 Comm: syzkaller677230 Tainted: G B 4.15.0-rc5+ #177
[ 26.942248] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 26.951572] Call Trace:
[ 26.954136] dump_stack+0x194/0x257
[ 26.957742] ? arch_local_irq_restore+0x53/0x53
[ 26.962385] ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 26.968068] ? vsnprintf+0x1ed/0x1900
[ 26.971841] ? do_raw_spin_lock+0x120/0x220
[ 26.976131] panic+0x1e4/0x41c
[ 26.979294] ? refcount_error_report+0x214/0x214
[ 26.984023] ? add_taint+0x1c/0x50
[ 26.987536] ? add_taint+0x1c/0x50
[ 26.991045] ? do_raw_spin_lock+0x1e0/0x220
[ 26.995333] kasan_end_report+0x50/0x50
[ 26.999291] kasan_report+0x144/0x340
[ 27.003090] __asan_report_load4_noabort+0x14/0x20
[ 27.007989] do_raw_spin_lock+0x1e0/0x220
[ 27.012120] _raw_spin_lock_bh+0x39/0x40
[ 27.016148] ? release_sock+0x74/0x2a0
[ 27.020019] release_sock+0x74/0x2a0
[ 27.025350] ? sctp_prsctp_prune+0x97/0x790
[ 27.029645] ? __release_sock+0x360/0x360
[ 27.033763] ? trace_hardirqs_on+0xd/0x10
[ 27.037885] sctp_sendmsg+0x2993/0x33f0
[ 27.041847] ? sctp_id2assoc+0x390/0x390
[ 27.045887] ? avc_has_perm+0x43e/0x680
[ 27.049844] ? avc_has_perm_noaudit+0x520/0x520
[ 27.054480] ? __fget+0x35c/0x570
[ 27.057905] ? iterate_fd+0x3f0/0x3f0
[ 27.061677] ? find_held_lock+0x35/0x1d0
[ 27.065713] ? sock_has_perm+0x2a4/0x420
[ 27.069742] ? lock_release+0x982/0xa40
[ 27.073684] ? trace_event_raw_event_sched_switch+0x800/0x800
[ 27.079535] ? __check_object_size+0x25d/0x4f0
[ 27.084088] inet_sendmsg+0x11f/0x5e0
[ 27.088471] ? inet_sendmsg+0x11f/0x5e0
[ 27.092411] ? __might_sleep+0x95/0x190
[ 27.096360] ? inet_create+0xf50/0xf50
[ 27.100217] ? selinux_socket_sendmsg+0x36/0x40
[ 27.104852] ? security_socket_sendmsg+0x89/0xb0
[ 27.109576] ? inet_create+0xf50/0xf50
[ 27.113432] sock_sendmsg+0xca/0x110
[ 27.117118] SYSC_sendto+0x361/0x5c0
[ 27.120812] ? SYSC_connect+0x4a0/0x4a0
[ 27.124758] ? selinux_secmark_relabel_packet+0xc0/0xc0
[ 27.130089] ? __do_page_fault+0x3d6/0xc90
[ 27.134297] ? selinux_netlbl_sock_rcv_skb+0x730/0x730
[ 27.139556] ? SyS_futex+0x269/0x390
[ 27.143236] ? SyS_setsockopt+0x215/0x360
[ 27.147355] ? do_futex+0x22a0/0x22a0
[ 27.151125] ? entry_SYSCALL_64_fastpath+0x5/0x9a
[ 27.155948] SyS_sendto+0x40/0x50
[ 27.159373] entry_SYSCALL_64_fastpath+0x23/0x9a
[ 27.164095] RIP: 0033:0x445db9
[ 27.167252] RSP: 002b:00007f26c02dcd98 EFLAGS: 00000212 ORIG_RAX: 000000000000002c
[ 27.174927] RAX: ffffffffffffffda RBX: 00000000006dbc6c RCX: 0000000000445db9
[ 27.182164] RDX: 0000000000000001 RSI: 000000002010bf14 RDI: 0000000000000004
[ 27.189407] RBP: 0000000000000000 R08: 00000000204d9000 R09: 000000000000001c
[ 27.196650] R10: 0000000000000000 R11: 0000000000000212 R12: 00000000006dbc68
[ 27.203889] R13: 00000000209a9000 R14: 0100000000000000 R15: 0000000000000001
[ 27.211605] Dumping ftrace buffer:
[ 27.215119] (ftrace buffer empty)
[ 27.218794] Kernel Offset: disabled
[ 27.222386] Rebooting in 86400 seconds..