[....] Starting enhanced syslogd: rsyslogd
[   13.106053] audit: type=1400 audit(1515345453.409:5): avc:  denied  { syslog } for  pid=3344 comm="rsyslogd" capability=34  scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=capability2 permissive=1
[ ok ] Starting enhanced syslogd: rsyslogd.
[ ok ] Starting periodic command scheduler: cron.
Starting mcstransd:
[ ok ] Starting OpenBSD Secure Shell server: sshd.
[ ok ] Starting file context maintaining daemon: restorecond.

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [   15.574695] audit: type=1400 audit(1515345455.878:6): avc:  denied  { map } for  pid=3482 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
Warning: Permanently added '10.128.15.236' (ECDSA) to the list of known hosts.
[   24.120873] audit: type=1400 audit(1515345464.424:7): avc:  denied  { map } for  pid=3497 comm="syzkaller661612" path="/root/syzkaller661612168" dev="sda1" ino=16481 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
executing program
executing program
executing program
[   24.465961] 
[   24.467597] =========================
[   24.471379] WARNING: held lock freed!
[   24.475320] 4.15.0-rc5+ #177 Not tainted
[   24.479346] -------------------------
[   24.483127] syzkaller661612/3502 is freeing memory 00000000ec99ca73-00000000cde1dc65, with a lock still held there!
[   24.493664] (sk_lock-AF_INET6){+.+.}, at: [<00000000ba24a9e5>] sctp_wait_for_sndbuf+0x509/0x8d0
[   24.502573] 1 lock held by syzkaller661612/3502:
[   24.507292]  #0:  (sk_lock-AF_INET6){+.+.}, at: [<00000000ba24a9e5>] sctp_wait_for_sndbuf+0x509/0x8d0
[   24.516621] 
[   24.516621] stack backtrace:
[   24.521082] CPU: 0 PID: 3502 Comm: syzkaller661612 Not tainted 4.15.0-rc5+ #177
[   24.528493] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   24.537988] Call Trace:
[   24.540551]  dump_stack+0x194/0x257
[   24.544146]  ? arch_local_irq_restore+0x53/0x53
[   24.548789]  debug_check_no_locks_freed+0x32f/0x3c0
[   24.553779]  kmem_cache_free+0x68/0x2a0
[   24.557723]  __sk_destruct+0x622/0x910
[   24.561582]  ? save_stack+0x43/0xd0
[   24.565174]  ? sock_rfree+0x160/0x160
[   24.568940]  ? sctp_sendmsg+0x28f7/0x33f0
[   24.573055]  ? sock_sendmsg+0xca/0x110
[   24.576907]  ? SYSC_sendto+0x361/0x5c0
[   24.580758]  ? SyS_sendto+0x40/0x50
[   24.584356]  ? entry_SYSCALL_64_fastpath+0x23/0x9a
[   24.589253]  ? check_noncircular+0x20/0x20
[   24.593456]  ? print_irqtrace_events+0x270/0x270
[   24.598188]  ? __local_bh_enable_ip+0x121/0x230
[   24.602823]  ? sctp_put_port+0x495/0x640
[   24.606852]  ? sctp_poll+0xc00/0xc00
[   24.610538]  ? refcount_sub_and_test+0x115/0x1b0
[   24.615260]  ? refcount_inc+0x50/0x50
[   24.619028]  ? refcount_inc+0x50/0x50
[   24.622800]  sk_destruct+0x47/0x80
[   24.626308]  __sk_free+0xf1/0x2b0
[   24.629822]  sk_free+0x2a/0x40
[   24.632989]  sctp_association_put+0x14c/0x2f0
[   24.637451]  ? sctp_association_hold+0x20/0x20
[   24.641996]  ? lock_sock_nested+0x91/0x110
[   24.646196]  ? trace_hardirqs_on+0xd/0x10
[   24.650309]  ? __local_bh_enable_ip+0x121/0x230
[   24.654946]  sctp_wait_for_sndbuf+0x673/0x8d0
[   24.659848]  ? sctp_init_sock+0x13b0/0x13b0
[   24.664145]  ? do_raw_spin_trylock+0x190/0x190
[   24.668693]  ? __local_bh_enable_ip+0x121/0x230
[   24.674204]  ? sctp_prsctp_prune+0x97/0x790
[   24.678494]  ? prepare_to_wait+0x4d0/0x4d0
[   24.682695]  ? trace_hardirqs_on+0xd/0x10
[   24.686820]  sctp_sendmsg+0x28f7/0x33f0
[   24.690769]  ? sctp_id2assoc+0x390/0x390
[   24.694805]  ? avc_has_perm+0x43e/0x680
[   24.698748]  ? avc_has_perm_noaudit+0x520/0x520
[   24.703477]  ? __fget+0x35c/0x570
[   24.706906]  ? iterate_fd+0x3f0/0x3f0
[   24.710679]  ? find_held_lock+0x35/0x1d0
[   24.714717]  ? sock_has_perm+0x2a4/0x420
[   24.718744]  ? lock_release+0x982/0xa40
[   24.722684]  ? trace_event_raw_event_sched_switch+0x800/0x800
[   24.728534]  ? __check_object_size+0x25d/0x4f0
[   24.733087]  inet_sendmsg+0x11f/0x5e0
[   24.736855]  ? inet_sendmsg+0x11f/0x5e0
[   24.740794]  ? __might_sleep+0x95/0x190
[   24.744733]  ? inet_create+0xf50/0xf50
[   24.748595]  ? selinux_socket_sendmsg+0x36/0x40
[   24.753233]  ? security_socket_sendmsg+0x89/0xb0
[   24.757962]  ? inet_create+0xf50/0xf50
[   24.761816]  sock_sendmsg+0xca/0x110
[   24.765497]  SYSC_sendto+0x361/0x5c0
[   24.769176]  ? SYSC_connect+0x4a0/0x4a0
[   24.773116]  ? selinux_secmark_relabel_packet+0xc0/0xc0
[   24.778446]  ? __do_page_fault+0x3d6/0xc90
[   24.782648]  ? selinux_netlbl_sock_rcv_skb+0x730/0x730
[   24.787901]  ? SyS_futex+0x269/0x390
[   24.791580]  ? SyS_setsockopt+0x215/0x360
[   24.795695]  ? do_futex+0x22a0/0x22a0
[   24.799464]  ? entry_SYSCALL_64_fastpath+0x5/0x9a
[   24.804275]  SyS_sendto+0x40/0x50
[   24.807696]  entry_SYSCALL_64_fastpath+0x23/0x9a
[   24.812419] RIP: 0033:0x445db9
[   24.815574] RSP: 002b:00007f2887160d98 EFLAGS: 00000212 ORIG_RAX: 000000000000002c
[   24.823248] RAX: ffffffffffffffda RBX: 00000000006dbc6c RCX: 0000000000445db9
[   24.832308] RDX: 0000000000000001 RSI: 000000002010bf14 RDI: 0000000000000004
[   24.839546] RBP: 0000000000000000 R08: 00000000204d9000 R09: 000000000000001c
[   24.846780] R10: 0000000000000000 R11: 0000000000000212 R12: 00000000006dbc68
[   24.854015] R13: 00000000209a9000 R14: 0100000000000000 R15: 0000000000000001
[   24.861359] ==================================================================
[   24.868695] BUG: KASAN: use-after-free in do_raw_spin_lock+0x1e0/0x220
[   24.875327] Read of size 4 at addr ffff8801c024b88c by task syzkaller661612/3502
[   24.882822] 
[   24.884420] CPU: 0 PID: 3502 Comm: syzkaller661612 Not tainted 4.15.0-rc5+ #177
[   24.891830] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   24.901151] Call Trace:
[   24.903710]  dump_stack+0x194/0x257
[   24.907307]  ? arch_local_irq_restore+0x53/0x53
[   24.911943]  ? show_regs_print_info+0x18/0x18
[   24.916410]  ? lock_acquire+0x1d5/0x580
[   24.920697]  ? trace_hardirqs_on+0xd/0x10
[   24.924811]  ? do_raw_spin_lock+0x1e0/0x220
[   24.930854]  print_address_description+0x73/0x250
[   24.935669]  ? do_raw_spin_lock+0x1e0/0x220
[   24.939959]  kasan_report+0x25b/0x340
[   24.943729]  __asan_report_load4_noabort+0x14/0x20
[   24.948624]  do_raw_spin_lock+0x1e0/0x220
[   24.953784]  _raw_spin_lock_bh+0x39/0x40
[   24.958861]  ? release_sock+0x74/0x2a0
[   24.962715]  release_sock+0x74/0x2a0
[   24.966400]  ? sctp_prsctp_prune+0x97/0x790
[   24.970698]  ? __release_sock+0x360/0x360
[   24.974907]  ? trace_hardirqs_on+0xd/0x10
[   24.979024]  sctp_sendmsg+0x2993/0x33f0
[   24.982970]  ? sctp_id2assoc+0x390/0x390
[   24.987004]  ? avc_has_perm+0x43e/0x680
[   24.992072]  ? avc_has_perm_noaudit+0x520/0x520
[   24.996711]  ? __fget+0x35c/0x570
[   25.000145]  ? iterate_fd+0x3f0/0x3f0
[   25.003917]  ? find_held_lock+0x35/0x1d0
[   25.007949]  ? sock_has_perm+0x2a4/0x420
[   25.011984]  ? lock_release+0x982/0xa40
[   25.015925]  ? trace_event_raw_event_sched_switch+0x800/0x800
[   25.021776]  ? __check_object_size+0x25d/0x4f0
[   25.026328]  inet_sendmsg+0x11f/0x5e0
[   25.030097]  ? inet_sendmsg+0x11f/0x5e0
[   25.034051]  ? __might_sleep+0x95/0x190
[   25.038000]  ? inet_create+0xf50/0xf50
[   25.041863]  ? selinux_socket_sendmsg+0x36/0x40
[   25.046507]  ? security_socket_sendmsg+0x89/0xb0
[   25.051231]  ? inet_create+0xf50/0xf50
[   25.055520]  sock_sendmsg+0xca/0x110
[   25.059210]  SYSC_sendto+0x361/0x5c0
[   25.063066]  ? SYSC_connect+0x4a0/0x4a0
[   25.068137]  ? selinux_secmark_relabel_packet+0xc0/0xc0
[   25.075037]  ? __do_page_fault+0x3d6/0xc90
[   25.079244]  ? selinux_netlbl_sock_rcv_skb+0x730/0x730
[   25.084496]  ? SyS_futex+0x269/0x390
[   25.088175]  ? SyS_setsockopt+0x215/0x360
[   25.092291]  ? do_futex+0x22a0/0x22a0
[   25.096057]  ? entry_SYSCALL_64_fastpath+0x5/0x9a
[   25.101217]  SyS_sendto+0x40/0x50
[   25.104639]  entry_SYSCALL_64_fastpath+0x23/0x9a
[   25.109361] RIP: 0033:0x445db9
[   25.112516] RSP: 002b:00007f2887160d98 EFLAGS: 00000212 ORIG_RAX: 000000000000002c
[   25.120186] RAX: ffffffffffffffda RBX: 00000000006dbc6c RCX: 0000000000445db9
[   25.127428] RDX: 0000000000000001 RSI: 000000002010bf14 RDI: 0000000000000004
[   25.135106] RBP: 0000000000000000 R08: 00000000204d9000 R09: 000000000000001c
[   25.143123] R10: 0000000000000000 R11: 0000000000000212 R12: 00000000006dbc68
[   25.150367] R13: 00000000209a9000 R14: 0100000000000000 R15: 0000000000000001
[   25.157626] 
[   25.159221] Allocated by task 3507:
[   25.162816]  save_stack+0x43/0xd0
[   25.166234]  kasan_kmalloc+0xad/0xe0
[   25.169912]  kasan_slab_alloc+0x12/0x20
[   25.173849]  kmem_cache_alloc+0x12e/0x760
[   25.177962]  sk_prot_alloc+0x65/0x2a0
[   25.181725]  sk_alloc+0x105/0x1440
[   25.185234]  sctp_v6_create_accept_sk+0x15a/0x9b0
[   25.190047]  sctp_accept+0x5c4/0x970
[   25.193727]  inet_accept+0x12c/0x930
[   25.197406]  SYSC_accept4+0x38d/0x870
[   25.201172]  SyS_accept+0x26/0x30
[   25.204857]  entry_SYSCALL_64_fastpath+0x23/0x9a
[   25.209581] 
[   25.211176] Freed by task 3502:
[   25.214422]  save_stack+0x43/0xd0
[   25.217840]  kasan_slab_free+0x71/0xc0
[   25.221698]  kmem_cache_free+0x83/0x2a0
[   25.225636]  __sk_destruct+0x622/0x910
[   25.229493]  sk_destruct+0x47/0x80
[   25.232998]  __sk_free+0xf1/0x2b0
[   25.236414]  sk_free+0x2a/0x40
[   25.239575]  sctp_association_put+0x14c/0x2f0
[   25.244034]  sctp_wait_for_sndbuf+0x673/0x8d0
[   25.248496]  sctp_sendmsg+0x28f7/0x33f0
[   25.252434]  inet_sendmsg+0x11f/0x5e0
[   25.256199]  sock_sendmsg+0xca/0x110
[   25.259891]  SYSC_sendto+0x361/0x5c0
[   25.263570]  SyS_sendto+0x40/0x50
[   25.266989]  entry_SYSCALL_64_fastpath+0x23/0x9a
[   25.271709] 
[   25.273304] The buggy address belongs to the object at ffff8801c024b800
[   25.273304]  which belongs to the cache SCTPv6 of size 1888
[   25.286274] The buggy address is located 140 bytes inside of
[   25.286274]  1888-byte region [ffff8801c024b800, ffff8801c024bf60)
[   25.298210] The buggy address belongs to the page:
[   25.303105] page:000000001495340c count:1 mapcount:0 mapping:000000001ed458be index:0x0
[   25.311217] flags: 0x2fffc0000000100(slab)
[   25.315422] raw: 02fffc0000000100 ffff8801c024b000 0000000000000000 0000000100000002
[   25.323270] raw: ffffea0007007b20 ffffea00070076e0 ffff8801d328de40 0000000000000000
[   25.331119] page dumped because: kasan: bad access detected
[   25.339062] 
[   25.340655] Memory state around the buggy address:
[   25.345547]  ffff8801c024b780: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   25.352869]  ffff8801c024b800: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   25.360197] >ffff8801c024b880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   25.367524]                       ^
[   25.371122]  ffff8801c024b900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   25.378449]  ffff8801c024b980: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   25.385772] ==================================================================
[   25.393139] Kernel panic - not syncing: panic_on_warn set ...
[   25.393139] 
[   25.400482] CPU: 0 PID: 3502 Comm: syzkaller661612 Tainted: G    B            4.15.0-rc5+ #177
[   25.409806] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   25.419136] Call Trace:
[   25.421696]  dump_stack+0x194/0x257
[   25.425300]  ? arch_local_irq_restore+0x53/0x53
[   25.429945]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[   25.434677]  ? vsnprintf+0x1ed/0x1900
[   25.438446]  ? do_raw_spin_lock+0x120/0x220
[   25.442735]  panic+0x1e4/0x41c
[   25.445897]  ? refcount_error_report+0x214/0x214
[   25.450622]  ? add_taint+0x1c/0x50
[   25.454133]  ? add_taint+0x1c/0x50
[   25.457640]  ? do_raw_spin_lock+0x1e0/0x220
[   25.461934]  kasan_end_report+0x50/0x50
[   25.465876]  kasan_report+0x144/0x340
[   25.469647]  __asan_report_load4_noabort+0x14/0x20
[   25.474542]  do_raw_spin_lock+0x1e0/0x220
[   25.478660]  _raw_spin_lock_bh+0x39/0x40
[   25.482690]  ? release_sock+0x74/0x2a0
[   25.486549]  release_sock+0x74/0x2a0
[   25.490237]  ? sctp_prsctp_prune+0x97/0x790
[   25.494531]  ? __release_sock+0x360/0x360
[   25.500142]  ? trace_hardirqs_on+0xd/0x10
[   25.504264]  sctp_sendmsg+0x2993/0x33f0
[   25.508211]  ? sctp_id2assoc+0x390/0x390
[   25.512238]  ? avc_has_perm+0x43e/0x680
[   25.516179]  ? avc_has_perm_noaudit+0x520/0x520
[   25.520814]  ? __fget+0x35c/0x570
[   25.524245]  ? iterate_fd+0x3f0/0x3f0
[   25.528883]  ? find_held_lock+0x35/0x1d0
[   25.532916]  ? sock_has_perm+0x2a4/0x420
[   25.536944]  ? lock_release+0x982/0xa40
[   25.540884]  ? trace_event_raw_event_sched_switch+0x800/0x800
[   25.546750]  ? __check_object_size+0x25d/0x4f0
[   25.551307]  inet_sendmsg+0x11f/0x5e0
[   25.555072]  ? inet_sendmsg+0x11f/0x5e0
[   25.559020]  ? __might_sleep+0x95/0x190
[   25.562961]  ? inet_create+0xf50/0xf50
[   25.566814]  ? selinux_socket_sendmsg+0x36/0x40
[   25.571447]  ? security_socket_sendmsg+0x89/0xb0
[   25.576168]  ? inet_create+0xf50/0xf50
[   25.580022]  sock_sendmsg+0xca/0x110
[   25.583701]  SYSC_sendto+0x361/0x5c0
[   25.587380]  ? SYSC_connect+0x4a0/0x4a0
[   25.591321]  ? selinux_secmark_relabel_packet+0xc0/0xc0
[   25.596662]  ? __do_page_fault+0x3d6/0xc90
[   25.600868]  ? selinux_netlbl_sock_rcv_skb+0x730/0x730
[   25.606123]  ? SyS_futex+0x269/0x390
[   25.609803]  ? SyS_setsockopt+0x215/0x360
[   25.613918]  ? do_futex+0x22a0/0x22a0
[   25.617772]  ? entry_SYSCALL_64_fastpath+0x5/0x9a
[   25.622582]  SyS_sendto+0x40/0x50
[   25.626011]  entry_SYSCALL_64_fastpath+0x23/0x9a
[   25.630735] RIP: 0033:0x445db9
[   25.633891] RSP: 002b:00007f2887160d98 EFLAGS: 00000212 ORIG_RAX: 000000000000002c
[   25.641565] RAX: ffffffffffffffda RBX: 00000000006dbc6c RCX: 0000000000445db9
[   25.648799] RDX: 0000000000000001 RSI: 000000002010bf14 RDI: 0000000000000004
[   25.656043] RBP: 0000000000000000 R08: 00000000204d9000 R09: 000000000000001c
[   25.663281] R10: 0000000000000000 R11: 0000000000000212 R12: 00000000006dbc68
[   25.670517] R13: 00000000209a9000 R14: 0100000000000000 R15: 0000000000000001
[   25.678114] Dumping ftrace buffer:
[   25.681620]    (ftrace buffer empty)
[   25.685296] Kernel Offset: disabled
[   25.688889] Rebooting in 86400 seconds..