[ ok ] Starting enhanced syslogd: rsyslogd.
[   12.289898] audit: type=1400 audit(1515912084.821:5): avc: denied { syslog } for pid=3502 comm="rsyslogd" capability=34 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=capability2 permissive=1
[ ok ] Starting periodic command scheduler: cron.
Starting mcstransd:
[ ok ] Starting file context maintaining daemon: restorecond.
[ ok ] Starting OpenBSD Secure Shell server: sshd.

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [   20.898209] audit: type=1400 audit(1515912093.429:6): avc: denied { map } for pid=3642 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
Warning: Permanently added '10.128.15.221' (ECDSA) to the list of known hosts.
executing program
executing program
[   45.093106] audit: type=1400 audit(1515912117.624:7): avc: denied { map } for pid=3658 comm="syzkaller104288" path="/root/syzkaller104288966" dev="sda1" ino=16481 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
executing program
[   45.264470] 
[   45.266120] =========================
[   45.269890] WARNING: held lock freed!
[   45.273662] 4.15.0-rc7-mm1+ #56 Not tainted
[   45.277952] -------------------------
[   45.281729] syzkaller104288/3660 is freeing memory 00000000d45f3468-0000000093f5b7d0, with a lock still held there!
[   45.292276] (sk_lock-AF_INET6){+.+.}, at: [<0000000033231c56>] sctp_wait_for_sndbuf+0x509/0x8d0
[   45.301184] 1 lock held by syzkaller104288/3660:
[   45.305908]  #0:  (sk_lock-AF_INET6){+.+.}, at: [<0000000033231c56>] sctp_wait_for_sndbuf+0x509/0x8d0
[   45.315244] 
[   45.315244] stack backtrace:
[   45.319729] CPU: 1 PID: 3660 Comm: syzkaller104288 Not tainted 4.15.0-rc7-mm1+ #56
[   45.327404] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   45.336730] Call Trace:
[   45.339292]  dump_stack+0x194/0x257
[   45.342892]  ? arch_local_irq_restore+0x53/0x53
[   45.347540]  debug_check_no_locks_freed+0x32f/0x3c0
[   45.352532]  kmem_cache_free+0x68/0x2b0
[   45.356482]  __sk_destruct+0x622/0x910
[   45.360340]  ? kfree+0xd9/0x260
[   45.363592]  ? sock_rfree+0x160/0x160
[   45.367366]  ? sock_sendmsg+0xca/0x110
[   45.371223]  ? SyS_sendto+0x40/0x50
[   45.374821]  ? entry_SYSCALL_64_fastpath+0x29/0xa0
[   45.379758]  ? debug_check_no_obj_freed+0x611/0xf1f
[   45.384749]  ? check_noncircular+0x20/0x20
[   45.388955]  ? print_irqtrace_events+0x270/0x270
[   45.393688]  ? __local_bh_enable_ip+0x121/0x230
[   45.398337]  ? sctp_put_port+0x495/0x640
[   45.402372]  ? sctp_poll+0xc00/0xc00
[   45.406063]  ? refcount_sub_and_test+0x115/0x1b0
[   45.410805]  ? refcount_inc+0x50/0x50
[   45.414577]  ? refcount_inc+0x50/0x50
[   45.418350]  sk_destruct+0x47/0x80
[   45.421860]  __sk_free+0xf1/0x2b0
[   45.425284]  sk_free+0x2a/0x40
[   45.428452]  sctp_association_put+0x14c/0x2f0
[   45.432921]  ? sctp_association_hold+0x20/0x20
[   45.437475]  ? lock_sock_nested+0x91/0x110
[   45.441684]  ? trace_hardirqs_on+0xd/0x10
[   45.445805]  ? __local_bh_enable_ip+0x121/0x230
[   45.450455]  sctp_wait_for_sndbuf+0x673/0x8d0
[   45.454928]  ? sctp_init_sock+0x13b0/0x13b0
[   45.459273]  ? do_raw_spin_trylock+0x190/0x190
[   45.463830]  ? __local_bh_enable_ip+0x121/0x230
[   45.468473]  ? sctp_prsctp_prune+0x97/0x790
[   45.472766]  ? prepare_to_wait+0x4d0/0x4d0
[   45.476973]  ? trace_hardirqs_on+0xd/0x10
[   45.481097]  sctp_sendmsg+0x28f7/0x33f0
[   45.485060]  ? sctp_id2assoc+0x390/0x390
[   45.489095]  ? avc_has_perm+0x43e/0x680
[   45.493045]  ? avc_has_perm_noaudit+0x520/0x520
[   45.497688]  ? __fget+0x35c/0x570
[   45.501122]  ? iterate_fd+0x3f0/0x3f0
[   45.504897]  ? find_held_lock+0x35/0x1d0
[   45.508935]  ? sock_has_perm+0x2a4/0x420
[   45.512968]  ? lock_release+0x9a2/0xa40
[   45.516922]  ? trace_event_raw_event_sched_switch+0x800/0x800
[   45.522791]  ? __check_object_size+0x8b/0x530
[   45.527261]  inet_sendmsg+0x11f/0x5e0
[   45.531033]  ? inet_sendmsg+0x11f/0x5e0
[   45.534976]  ? __might_sleep+0x95/0x190
[   45.538923]  ? inet_create+0xf50/0xf50
[   45.542793]  ? selinux_socket_sendmsg+0x36/0x40
[   45.547437]  ? security_socket_sendmsg+0x89/0xb0
[   45.552164]  ? inet_create+0xf50/0xf50
[   45.556025]  sock_sendmsg+0xca/0x110
[   45.559715]  SYSC_sendto+0x361/0x5c0
[   45.563400]  ? SYSC_connect+0x4a0/0x4a0
[   45.567347]  ? up_read+0x1a/0x40
[   45.570688]  ? __do_page_fault+0x3d6/0xc90
[   45.574908]  ? __do_page_fault+0xc90/0xc90
[   45.579118]  ? SyS_futex+0x269/0x390
[   45.582810]  ? SyS_setsockopt+0x215/0x360
[   45.586931]  ? do_futex+0x22a0/0x22a0
[   45.590709]  ? entry_SYSCALL_64_fastpath+0x5/0xa0
[   45.595527]  SyS_sendto+0x40/0x50
[   45.598953]  entry_SYSCALL_64_fastpath+0x29/0xa0
[   45.603682] RIP: 0033:0x445819
[   45.606854] RSP: 002b:00007fb75a80ada8 EFLAGS: 00000216 ORIG_RAX: 000000000000002c
executing program
[   45.614535] RAX: ffffffffffffffda RBX: 00000000006dac3c RCX: 0000000000445819
[   45.621779] RDX: 0000000000000001 RSI: 000000002010bf14 RDI: 0000000000000005
[   45.629033] RBP: 00000000006dac38 R08: 00000000204d9000 R09: 000000000000001c
[   45.636284] R10: 0000000000000000 R11: 0000000000000216 R12: 0000000000000000
[   45.643526] R13: 00007ffc1005197f R14: 00007fb75a80b9c0 R15: 0000000000000001
[   45.650866] ==================================================================
[   45.658206] BUG: KASAN: use-after-free in do_raw_spin_lock+0x1e0/0x220
executing program
[   45.664847] Read of size 4 at addr ffff8801d997f08c by task syzkaller104288/3660
[   45.672347] 
[   45.673948] CPU: 1 PID: 3660 Comm: syzkaller104288 Not tainted 4.15.0-rc7-mm1+ #56
[   45.681634] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   45.690959] Call Trace:
[   45.693533]  dump_stack+0x194/0x257
[   45.697136]  ? arch_local_irq_restore+0x53/0x53
[   45.701786]  ? show_regs_print_info+0x18/0x18
[   45.706255]  ? lock_acquire+0x1d5/0x580
[   45.710204]  ? trace_hardirqs_on+0xd/0x10
[   45.714322]  ? do_raw_spin_lock+0x1e0/0x220
[   45.718631]  print_address_description+0x73/0x250
[   45.723447]  ? do_raw_spin_lock+0x1e0/0x220
[   45.727742]  kasan_report+0x23b/0x360
[   45.731528]  __asan_report_load4_noabort+0x14/0x20
[   45.736428]  do_raw_spin_lock+0x1e0/0x220
[   45.740548]  _raw_spin_lock_bh+0x39/0x40
[   45.744582]  ? release_sock+0x74/0x2a0
[   45.748443]  release_sock+0x74/0x2a0
[   45.752134]  ? sctp_prsctp_prune+0x97/0x790
[   45.756427]  ? __release_sock+0x360/0x360
[   45.760548]  ? trace_hardirqs_on+0xd/0x10
[   45.764676]  sctp_sendmsg+0x2993/0x33f0
[   45.768633]  ? sctp_id2assoc+0x390/0x390
[   45.772684]  ? avc_has_perm+0x43e/0x680
[   45.776644]  ? avc_has_perm_noaudit+0x520/0x520
[   45.781289]  ? __fget+0x35c/0x570
[   45.784719]  ? iterate_fd+0x3f0/0x3f0
[   45.788498]  ? find_held_lock+0x35/0x1d0
[   45.792537]  ? sock_has_perm+0x2a4/0x420
[   45.796573]  ? lock_release+0x9a2/0xa40
[   45.800522]  ? trace_event_raw_event_sched_switch+0x800/0x800
[   45.806378]  ? __check_object_size+0x8b/0x530
[   45.810845]  inet_sendmsg+0x11f/0x5e0
[   45.814616]  ? inet_sendmsg+0x11f/0x5e0
[   45.818560]  ? __might_sleep+0x95/0x190
[   45.822505]  ? inet_create+0xf50/0xf50
[   45.826366]  ? selinux_socket_sendmsg+0x36/0x40
[   45.831008]  ? security_socket_sendmsg+0x89/0xb0
[   45.835735]  ? inet_create+0xf50/0xf50
[   45.839595]  sock_sendmsg+0xca/0x110
[   45.843281]  SYSC_sendto+0x361/0x5c0
[   45.846966]  ? SYSC_connect+0x4a0/0x4a0
[   45.850915]  ? up_read+0x1a/0x40
[   45.854255]  ? __do_page_fault+0x3d6/0xc90
[   45.858474]  ? __do_page_fault+0xc90/0xc90
[   45.862680]  ? SyS_futex+0x269/0x390
[   45.866364]  ? SyS_setsockopt+0x215/0x360
[   45.870485]  ? do_futex+0x22a0/0x22a0
[   45.874267]  ? entry_SYSCALL_64_fastpath+0x5/0xa0
[   45.879084]  SyS_sendto+0x40/0x50
[   45.882515]  entry_SYSCALL_64_fastpath+0x29/0xa0
[   45.887242] RIP: 0033:0x445819
[   45.890405] RSP: 002b:00007fb75a80ada8 EFLAGS: 00000216 ORIG_RAX: 000000000000002c
[   45.898082] RAX: ffffffffffffffda RBX: 00000000006dac3c RCX: 0000000000445819
[   45.905325] RDX: 0000000000000001 RSI: 000000002010bf14 RDI: 0000000000000005
[   45.912568] RBP: 00000000006dac38 R08: 00000000204d9000 R09: 000000000000001c
[   45.919820] R10: 0000000000000000 R11: 0000000000000216 R12: 0000000000000000
[   45.927061] R13: 00007ffc1005197f R14: 00007fb75a80b9c0 R15: 0000000000000001
[   45.934311] 
[   45.935918] Allocated by task 3661:
[   45.939523]  save_stack+0x43/0xd0
[   45.942958]  kasan_kmalloc+0xad/0xe0
[   45.946643]  kasan_slab_alloc+0x12/0x20
[   45.950587]  kmem_cache_alloc+0x12e/0x760
[   45.954705]  sk_prot_alloc+0x65/0x2a0
[   45.958476]  sk_alloc+0x105/0x1440
[   45.961995]  sctp_v6_create_accept_sk+0x15a/0x9b0
[   45.966811]  sctp_accept+0x5c4/0x970
[   45.970496]  inet_accept+0x12c/0x930
[   45.974180]  SYSC_accept4+0x38d/0x870
[   45.977952]  SyS_accept4+0x2c/0x40
[   45.981477]  entry_SYSCALL_64_fastpath+0x29/0xa0
[   45.986197] 
[   45.987807] Freed by task 3660:
[   45.991057]  save_stack+0x43/0xd0
[   45.994500]  __kasan_slab_free+0x11a/0x170
[   45.998706]  kasan_slab_free+0xe/0x10
[   46.002491]  kmem_cache_free+0x86/0x2b0
[   46.006448]  __sk_destruct+0x622/0x910
[   46.010307]  sk_destruct+0x47/0x80
[   46.013816]  __sk_free+0xf1/0x2b0
[   46.017239]  sk_free+0x2a/0x40
[   46.020405]  sctp_association_put+0x14c/0x2f0
[   46.024873]  sctp_wait_for_sndbuf+0x673/0x8d0
[   46.029352]  sctp_sendmsg+0x28f7/0x33f0
[   46.033299]  inet_sendmsg+0x11f/0x5e0
[   46.037073]  sock_sendmsg+0xca/0x110
[   46.040759]  SYSC_sendto+0x361/0x5c0
[   46.044442]  SyS_sendto+0x40/0x50
[   46.047868]  entry_SYSCALL_64_fastpath+0x29/0xa0
[   46.052591] 
[   46.054190] The buggy address belongs to the object at ffff8801d997f000
[   46.054190]  which belongs to the cache SCTPv6 of size 1888
[   46.066472] The buggy address is located 140 bytes inside of
[   46.066472]  1888-byte region [ffff8801d997f000, ffff8801d997f760)
[   46.078402] The buggy address belongs to the page:
[   46.083302] page:ffffea0007665fc0 count:1 mapcount:0 mapping:ffff8801d997f000 index:0x0
[   46.091416] flags: 0x2fffc0000000100(slab)
[   46.095624] raw: 02fffc0000000100 ffff8801d997f000 0000000000000000 0000000100000002
[   46.103487] raw: ffffea0006f022e0 ffffea0006f0bfe0 ffff8801d2803b40 0000000000000000
[   46.111339] page dumped because: kasan: bad access detected
[   46.117020] 
[   46.118619] Memory state around the buggy address:
[   46.123519]  ffff8801d997ef80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   46.130850]  ffff8801d997f000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   46.138882] >ffff8801d997f080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   46.146212]                       ^
[   46.149817]  ffff8801d997f100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   46.157147]  ffff8801d997f180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   46.164487] ==================================================================
[   46.171855] Kernel panic - not syncing: panic_on_warn set ...
[   46.171855] 
[   46.179195] CPU: 1 PID: 3660 Comm: syzkaller104288 Tainted: G B 4.15.0-rc7-mm1+ #56
[   46.188176] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   46.197513] Call Trace:
[   46.200086]  dump_stack+0x194/0x257
[   46.203692]  ? arch_local_irq_restore+0x53/0x53
[   46.208345]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[   46.213078]  ? vsnprintf+0x1ed/0x1900
[   46.216865]  ? do_raw_spin_lock+0x140/0x220
[   46.221174]  panic+0x1e4/0x41c
[   46.224344]  ? refcount_error_report+0x214/0x214
[   46.229090]  ? add_taint+0x1c/0x50
[   46.232607]  ? add_taint+0x1c/0x50
[   46.236121]  ? do_raw_spin_lock+0x1e0/0x220
[   46.240418]  kasan_end_report+0x50/0x50
[   46.244368]  kasan_report+0x148/0x360
[   46.248144]  __asan_report_load4_noabort+0x14/0x20
[   46.253048]  do_raw_spin_lock+0x1e0/0x220
[   46.257173]  _raw_spin_lock_bh+0x39/0x40
[   46.261223]  ? release_sock+0x74/0x2a0
[   46.265084]  release_sock+0x74/0x2a0
[   46.268785]  ? sctp_prsctp_prune+0x97/0x790
[   46.273081]  ? __release_sock+0x360/0x360
[   46.277203]  ? trace_hardirqs_on+0xd/0x10
[   46.281338]  sctp_sendmsg+0x2993/0x33f0
[   46.285302]  ? sctp_id2assoc+0x390/0x390
[   46.289345]  ? avc_has_perm+0x43e/0x680
[   46.293295]  ? avc_has_perm_noaudit+0x520/0x520
[   46.297939]  ? __fget+0x35c/0x570
[   46.301372]  ? iterate_fd+0x3f0/0x3f0
[   46.305150]  ? find_held_lock+0x35/0x1d0
[   46.309200]  ? sock_has_perm+0x2a4/0x420
[   46.313236]  ? lock_release+0x9a2/0xa40
[   46.317185]  ? trace_event_raw_event_sched_switch+0x800/0x800
[   46.323044]  ? __check_object_size+0x8b/0x530
[   46.327517]  inet_sendmsg+0x11f/0x5e0
[   46.331289]  ? inet_sendmsg+0x11f/0x5e0
[   46.335235]  ? __might_sleep+0x95/0x190
[   46.339182]  ? inet_create+0xf50/0xf50
[   46.343045]  ? selinux_socket_sendmsg+0x36/0x40
[   46.347687]  ? security_socket_sendmsg+0x89/0xb0
[   46.352416]  ? inet_create+0xf50/0xf50
[   46.356279]  sock_sendmsg+0xca/0x110
[   46.359968]  SYSC_sendto+0x361/0x5c0
[   46.363656]  ? SYSC_connect+0x4a0/0x4a0
[   46.367608]  ? up_read+0x1a/0x40
[   46.370949]  ? __do_page_fault+0x3d6/0xc90
[   46.375168]  ? __do_page_fault+0xc90/0xc90
[   46.379378]  ? SyS_futex+0x269/0x390
[   46.383067]  ? SyS_setsockopt+0x215/0x360
[   46.387192]  ? do_futex+0x22a0/0x22a0
[   46.390983]  ? entry_SYSCALL_64_fastpath+0x5/0xa0
[   46.395814]  SyS_sendto+0x40/0x50
[   46.399244]  entry_SYSCALL_64_fastpath+0x29/0xa0
[   46.403973] RIP: 0033:0x445819
[   46.407137] RSP: 002b:00007fb75a80ada8 EFLAGS: 00000216 ORIG_RAX: 000000000000002c
[   46.414817] RAX: ffffffffffffffda RBX: 00000000006dac3c RCX: 0000000000445819
[   46.422061] RDX: 0000000000000001 RSI: 000000002010bf14 RDI: 0000000000000005
[   46.429306] RBP: 00000000006dac38 R08: 00000000204d9000 R09: 000000000000001c
[   46.436550] R10: 0000000000000000 R11: 0000000000000216 R12: 0000000000000000
[   46.443794] R13: 00007ffc1005197f R14: 00007fb75a80b9c0 R15: 0000000000000001
[   46.451409] Dumping ftrace buffer:
[   46.454924]    (ftrace buffer empty)
[   46.458609] Kernel Offset: disabled
[   46.462209] Rebooting in 86400 seconds..