[....] Starting enhanced syslogd: rsyslogd
[ 12.528374] audit: type=1400 audit(1515343112.043:5): avc: denied { syslog } for pid=3343 comm="rsyslogd" capability=34 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=capability2 permissive=1
[ ok ] Starting enhanced syslogd: rsyslogd.
[ ok ] Starting periodic command scheduler: cron.
Starting mcstransd:
[ ok ] Starting file context maintaining daemon: restorecond.
[ ok ] Starting OpenBSD Secure Shell server: sshd.

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login:
[ 17.284853] audit: type=1400 audit(1515343116.799:6): avc: denied { map } for pid=3482 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
Warning: Permanently added '10.128.0.49' (ECDSA) to the list of known hosts.
[ 23.530467] audit: type=1400 audit(1515343123.045:7): avc: denied { map } for pid=3496 comm="syzkaller756175" path="/root/syzkaller756175942" dev="sda1" ino=16481 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
executing program
executing program
executing program
[ 23.870410] 
[ 23.872070] =========================
[ 23.875839] WARNING: held lock freed!
[ 23.879618] 4.15.0-rc6+ #250 Not tainted
[ 23.883647] -------------------------
[ 23.887420] syzkaller756175/3501 is freeing memory 00000000585b7ed8-000000006600646b, with a lock still held there!
[ 23.898565] (sk_lock-AF_INET6){+.+.}, at: [<000000008564c37e>] sctp_wait_for_sndbuf+0x509/0x8d0
[ 23.907487] 1 lock held by syzkaller756175/3501:
[ 23.912207] #0: (sk_lock-AF_INET6){+.+.}, at: [<000000008564c37e>] sctp_wait_for_sndbuf+0x509/0x8d0
[ 23.921540] 
[ 23.921540] stack backtrace:
[ 23.926032] CPU: 0 PID: 3501 Comm: syzkaller756175 Not tainted 4.15.0-rc6+ #250
[ 23.933455] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 23.942778] Call Trace:
[ 23.945354] dump_stack+0x194/0x257
[ 23.948952] ? arch_local_irq_restore+0x53/0x53
[ 23.953597] debug_check_no_locks_freed+0x32f/0x3c0
[ 23.958587] kmem_cache_free+0x68/0x2a0
[ 23.962533] __sk_destruct+0x622/0x910
[ 23.966387] ? kasan_slab_free+0x71/0xc0
[ 23.970419] ? sock_rfree+0x160/0x160
[ 23.974189] ? inet_sendmsg+0x11f/0x5e0
[ 23.978131] ? SYSC_sendto+0x361/0x5c0
[ 23.981985] ? SyS_sendto+0x40/0x50
[ 23.985582] ? entry_SYSCALL_64_fastpath+0x23/0x9a
[ 23.990484] ? check_noncircular+0x20/0x20
[ 23.994693] ? print_irqtrace_events+0x270/0x270
[ 23.999421] ? free_obj_work+0x690/0x690
[ 24.003453] ? sctp_put_port+0x495/0x640
[ 24.007486] ? sctp_poll+0xc00/0xc00
[ 24.011175] ? refcount_sub_and_test+0x115/0x1b0
[ 24.015899] ? refcount_inc+0x50/0x50
[ 24.019677] ? refcount_inc+0x50/0x50
[ 24.023451] sk_destruct+0x47/0x80
[ 24.026961] __sk_free+0x57/0x230
[ 24.030385] sk_free+0x2a/0x40
[ 24.033549] sctp_association_put+0x14c/0x2f0
[ 24.038030] ? sctp_association_hold+0x20/0x20
[ 24.042581] ? lock_sock_nested+0x91/0x110
[ 24.046794] ? trace_hardirqs_on+0xd/0x10
[ 24.050914] ? __local_bh_enable_ip+0x121/0x230
[ 24.055564] sctp_wait_for_sndbuf+0x673/0x8d0
[ 24.060035] ? sctp_init_sock+0x13b0/0x13b0
[ 24.064327] ? do_raw_spin_trylock+0x190/0x190
[ 24.068886] ? __local_bh_enable_ip+0x121/0x230
[ 24.073523] ? sctp_prsctp_prune+0x97/0x6f0
[ 24.077814] ? prepare_to_wait+0x4d0/0x4d0
[ 24.082018] ? trace_hardirqs_on+0xd/0x10
[ 24.086228] sctp_sendmsg+0x277d/0x3360
[ 24.090172] ? put_pi_state+0x3c0/0x560
[ 24.094134] ? sctp_id2assoc+0x390/0x390
[ 24.098167] ? avc_has_perm+0x43e/0x680
[ 24.102114] ? avc_has_perm_noaudit+0x520/0x520
[ 24.106752] ? __fget+0x35c/0x570
[ 24.110187] ? iterate_fd+0x3f0/0x3f0
[ 24.113961] ? find_held_lock+0x35/0x1d0
[ 24.117997] ? sock_has_perm+0x2a4/0x420
[ 24.122048] ? lock_release+0x962/0xa40
[ 24.125992] ? trace_event_raw_event_sched_switch+0x800/0x800
[ 24.131846] ? __check_object_size+0x25d/0x4f0
[ 24.136400] inet_sendmsg+0x11f/0x5e0
[ 24.140174] ? inet_sendmsg+0x11f/0x5e0
[ 24.144124] ? __might_sleep+0x95/0x190
[ 24.148066] ? inet_recvmsg+0x5f0/0x5f0
[ 24.152014] ? selinux_socket_sendmsg+0x36/0x40
[ 24.156651] ? security_socket_sendmsg+0x89/0xb0
[ 24.161380] ? inet_recvmsg+0x5f0/0x5f0
[ 24.165326] sock_sendmsg+0xca/0x110
[ 24.169014] SYSC_sendto+0x361/0x5c0
[ 24.172698] ? SYSC_connect+0x4a0/0x4a0
[ 24.176644] ? selinux_secmark_relabel_packet+0xc0/0xc0
[ 24.181987] ? __do_page_fault+0x3d6/0xc90
[ 24.186196] ? selinux_netlbl_sock_rcv_skb+0x730/0x730
[ 24.191458] ? SyS_futex+0x269/0x390
[ 24.195137] ? SyS_setsockopt+0x215/0x360
[ 24.199254] ? do_futex+0x22a0/0x22a0
[ 24.203025] ? entry_SYSCALL_64_fastpath+0x5/0x9a
[ 24.207840] SyS_sendto+0x40/0x50
[ 24.211266] entry_SYSCALL_64_fastpath+0x23/0x9a
[ 24.215989] RIP: 0033:0x445db9
[ 24.219150] RSP: 002b:00007f1064c09d98 EFLAGS: 00000212 ORIG_RAX: 000000000000002c
[ 24.226827] RAX: ffffffffffffffda RBX: 00000000006dbc6c RCX: 0000000000445db9
[ 24.234066] RDX: 0000000000000001 RSI: 000000002010bf14 RDI: 0000000000000004
[ 24.241319] RBP: 0000000000000000 R08: 00000000204d9000 R09: 000000000000001c
[ 24.248567] R10: 0000000000000000 R11: 0000000000000212 R12: 00000000006dbc68
[ 24.255808] R13: 00000000209a9000 R14: 0100000000000000 R15: 0000000000000001
[ 24.264144] ==================================================================
[ 24.271499] BUG: KASAN: use-after-free in do_raw_spin_lock+0x1e0/0x220
[ 24.278145] Read of size 4 at addr ffff8801be83f88c by task syzkaller756175/3501
[ 24.285655] 
[ 24.287253] CPU: 0 PID: 3501 Comm: syzkaller756175 Not tainted 4.15.0-rc6+ #250
[ 24.294669] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 24.303992] Call Trace:
[ 24.306555] dump_stack+0x194/0x257
[ 24.310154] ? arch_local_irq_restore+0x53/0x53
[ 24.314799] ? show_regs_print_info+0x18/0x18
executing program
[ 24.319264] ? lock_acquire+0x1d5/0x580
[ 24.323206] ? trace_hardirqs_on+0xd/0x10
[ 24.327323] ? do_raw_spin_lock+0x1e0/0x220
[ 24.331612] print_address_description+0x73/0x250
[ 24.336437] ? do_raw_spin_lock+0x1e0/0x220
[ 24.340737] kasan_report+0x25b/0x340
[ 24.344514] __asan_report_load4_noabort+0x14/0x20
[ 24.349424] do_raw_spin_lock+0x1e0/0x220
[ 24.353548] _raw_spin_lock_bh+0x39/0x40
[ 24.357578] ? release_sock+0x74/0x2a0
[ 24.361448] release_sock+0x74/0x2a0
[ 24.365131] ? sctp_prsctp_prune+0x97/0x6f0
[ 24.369422] ? __release_sock+0x360/0x360
[ 24.373541] ? trace_hardirqs_on+0xd/0x10
[ 24.377662] sctp_sendmsg+0x2c61/0x3360
[ 24.381604] ? put_pi_state+0x3c0/0x560
[ 24.385553] ? sctp_id2assoc+0x390/0x390
[ 24.389584] ? avc_has_perm+0x43e/0x680
[ 24.393534] ? avc_has_perm_noaudit+0x520/0x520
[ 24.398171] ? __fget+0x35c/0x570
[ 24.401597] ? iterate_fd+0x3f0/0x3f0
[ 24.405378] ? find_held_lock+0x35/0x1d0
[ 24.409415] ? sock_has_perm+0x2a4/0x420
[ 24.413448] ? lock_release+0x962/0xa40
[ 24.417394] ? trace_event_raw_event_sched_switch+0x800/0x800
[ 24.423250] ? __check_object_size+0x25d/0x4f0
[ 24.427805] inet_sendmsg+0x11f/0x5e0
[ 24.431574] ? inet_sendmsg+0x11f/0x5e0
[ 24.435515] ? __might_sleep+0x95/0x190
[ 24.439458] ? inet_recvmsg+0x5f0/0x5f0
[ 24.443403] ? selinux_socket_sendmsg+0x36/0x40
[ 24.448040] ? security_socket_sendmsg+0x89/0xb0
[ 24.452764] ? inet_recvmsg+0x5f0/0x5f0
[ 24.456708] sock_sendmsg+0xca/0x110
[ 24.460395] SYSC_sendto+0x361/0x5c0
[ 24.464078] ? SYSC_connect+0x4a0/0x4a0
[ 24.468025] ? selinux_secmark_relabel_packet+0xc0/0xc0
[ 24.473357] ? __do_page_fault+0x3d6/0xc90
[ 24.477562] ? selinux_netlbl_sock_rcv_skb+0x730/0x730
[ 24.482829] ? SyS_futex+0x269/0x390
[ 24.486511] ? SyS_setsockopt+0x215/0x360
[ 24.490648] ? do_futex+0x22a0/0x22a0
[ 24.494418] ? entry_SYSCALL_64_fastpath+0x5/0x9a
[ 24.499232] SyS_sendto+0x40/0x50
[ 24.502658] entry_SYSCALL_64_fastpath+0x23/0x9a
[ 24.507389] RIP: 0033:0x445db9
[ 24.510548] RSP: 002b:00007f1064c09d98 EFLAGS: 00000212 ORIG_RAX: 000000000000002c
[ 24.518224] RAX: ffffffffffffffda RBX: 00000000006dbc6c RCX: 0000000000445db9
[ 24.525524] RDX: 0000000000000001 RSI: 000000002010bf14 RDI: 0000000000000004
[ 24.532772] RBP: 0000000000000000 R08: 00000000204d9000 R09: 000000000000001c
[ 24.540013] R10: 0000000000000000 R11: 0000000000000212 R12: 00000000006dbc68
[ 24.547251] R13: 00000000209a9000 R14: 0100000000000000 R15: 0000000000000001
[ 24.554499] 
[ 24.556094] Allocated by task 3506:
[ 24.559694] save_stack+0x43/0xd0
[ 24.563117] kasan_kmalloc+0xad/0xe0
[ 24.566800] kasan_slab_alloc+0x12/0x20
[ 24.570743] kmem_cache_alloc+0x12e/0x760
[ 24.574858] sk_prot_alloc+0x65/0x2a0
[ 24.578630] sk_alloc+0x105/0x1410
[ 24.582141] sctp_v6_create_accept_sk+0x15a/0x9b0
[ 24.586953] sctp_accept+0x5c4/0x970
[ 24.590639] inet_accept+0x12c/0x930
[ 24.594319] SYSC_accept4+0x38d/0x870
[ 24.598086] SyS_accept+0x26/0x30
[ 24.601508] entry_SYSCALL_64_fastpath+0x23/0x9a
[ 24.606226] 
[ 24.607822] Freed by task 3501:
[ 24.611070] save_stack+0x43/0xd0
[ 24.614489] kasan_slab_free+0x71/0xc0
[ 24.618352] kmem_cache_free+0x83/0x2a0
[ 24.622309] __sk_destruct+0x622/0x910
[ 24.626181] sk_destruct+0x47/0x80
[ 24.629701] __sk_free+0x57/0x230
[ 24.633122] sk_free+0x2a/0x40
[ 24.636283] sctp_association_put+0x14c/0x2f0
[ 24.640746] sctp_wait_for_sndbuf+0x673/0x8d0
[ 24.645207] sctp_sendmsg+0x277d/0x3360
[ 24.649146] inet_sendmsg+0x11f/0x5e0
[ 24.652913] sock_sendmsg+0xca/0x110
[ 24.656593] SYSC_sendto+0x361/0x5c0
[ 24.660273] SyS_sendto+0x40/0x50
[ 24.663701] entry_SYSCALL_64_fastpath+0x23/0x9a
[ 24.668420] 
[ 24.670021] The buggy address belongs to the object at ffff8801be83f800
[ 24.670021]  which belongs to the cache SCTPv6 of size 1888
[ 24.682297] The buggy address is located 140 bytes inside of
[ 24.682297]  1888-byte region [ffff8801be83f800, ffff8801be83ff60)
[ 24.694227] The buggy address belongs to the page:
[ 24.699133] page:ffffea0006fa0fc0 count:1 mapcount:0 mapping:ffff8801be83f000 index:0x0
[ 24.707249] flags: 0x2fffc0000000100(slab)
[ 24.711454] raw: 02fffc0000000100 ffff8801be83f000 0000000000000000 0000000100000002
[ 24.719304] raw: ffffea0006fa3260 ffffea0006fa2420 ffff8801d32aa200 0000000000000000
[ 24.727148] page dumped because: kasan: bad access detected
[ 24.732824] 
[ 24.734418] Memory state around the buggy address:
[ 24.739314]  ffff8801be83f780: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 24.746641]  ffff8801be83f800: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 24.753967] >ffff8801be83f880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 24.761310]                        ^
[ 24.764915]  ffff8801be83f900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 24.772241]  ffff8801be83f980: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 24.779566] ==================================================================
[ 24.786925] Kernel panic - not syncing: panic_on_warn set ...
[ 24.786925] 
[ 24.794304] CPU: 0 PID: 3501 Comm: syzkaller756175 Tainted: G B 4.15.0-rc6+ #250
[ 24.803046] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 24.812371] Call Trace:
[ 24.814942] dump_stack+0x194/0x257
[ 24.818557] ? arch_local_irq_restore+0x53/0x53
executing program
[ 24.823197] ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 24.827921] ? vsnprintf+0x1ed/0x1900
[ 24.831693] ? do_raw_spin_lock+0x100/0x220
[ 24.836004] panic+0x1e4/0x41c
[ 24.839174] ? refcount_error_report+0x214/0x214
[ 24.843902] ? add_taint+0x1c/0x50
[ 24.847413] ? add_taint+0x1c/0x50
[ 24.851015] ? do_raw_spin_lock+0x1e0/0x220
[ 24.855322] kasan_end_report+0x50/0x50
[ 24.859268] kasan_report+0x144/0x340
[ 24.863049] __asan_report_load4_noabort+0x14/0x20
[ 24.867958] do_raw_spin_lock+0x1e0/0x220
[ 24.872086] _raw_spin_lock_bh+0x39/0x40
[ 24.876118] ? release_sock+0x74/0x2a0
[ 24.879983] release_sock+0x74/0x2a0
[ 24.883667] ? sctp_prsctp_prune+0x97/0x6f0
[ 24.887957] ? __release_sock+0x360/0x360
[ 24.892077] ? trace_hardirqs_on+0xd/0x10
[ 24.896199] sctp_sendmsg+0x2c61/0x3360
[ 24.900143] ? put_pi_state+0x3c0/0x560
[ 24.904095] ? sctp_id2assoc+0x390/0x390
[ 24.908125] ? avc_has_perm+0x43e/0x680
[ 24.912078] ? avc_has_perm_noaudit+0x520/0x520
[ 24.916716] ? __fget+0x35c/0x570
[ 24.920140] ? iterate_fd+0x3f0/0x3f0
[ 24.923916] ? find_held_lock+0x35/0x1d0
[ 24.927950] ? sock_has_perm+0x2a4/0x420
[ 24.931991] ? lock_release+0x962/0xa40
[ 24.935937] ? trace_event_raw_event_sched_switch+0x800/0x800
[ 24.941789] ? __check_object_size+0x25d/0x4f0
[ 24.946344] inet_sendmsg+0x11f/0x5e0
[ 24.950111] ? inet_sendmsg+0x11f/0x5e0
[ 24.954050] ? __might_sleep+0x95/0x190
[ 24.957993] ? inet_recvmsg+0x5f0/0x5f0
[ 24.961938] ? selinux_socket_sendmsg+0x36/0x40
[ 24.966574] ? security_socket_sendmsg+0x89/0xb0
[ 24.971300] ? inet_recvmsg+0x5f0/0x5f0
[ 24.975243] sock_sendmsg+0xca/0x110
[ 24.978928] SYSC_sendto+0x361/0x5c0
[ 24.982614] ? SYSC_connect+0x4a0/0x4a0
[ 24.986558] ? selinux_secmark_relabel_packet+0xc0/0xc0
[ 24.991901] ? __do_page_fault+0x3d6/0xc90
[ 24.996109] ? selinux_netlbl_sock_rcv_skb+0x730/0x730
[ 25.001368] ? SyS_futex+0x269/0x390
[ 25.005048] ? SyS_setsockopt+0x215/0x360
[ 25.009165] ? do_futex+0x22a0/0x22a0
[ 25.012936] ? entry_SYSCALL_64_fastpath+0x5/0x9a
[ 25.017759] SyS_sendto+0x40/0x50
[ 25.021185] entry_SYSCALL_64_fastpath+0x23/0x9a
[ 25.025994] RIP: 0033:0x445db9
[ 25.029154] RSP: 002b:00007f1064c09d98 EFLAGS: 00000212 ORIG_RAX: 000000000000002c
[ 25.036830] RAX: ffffffffffffffda RBX: 00000000006dbc6c RCX: 0000000000445db9
[ 25.044071] RDX: 0000000000000001 RSI: 000000002010bf14 RDI: 0000000000000004
[ 25.051320] RBP: 0000000000000000 R08: 00000000204d9000 R09: 000000000000001c
[ 25.058563] R10: 0000000000000000 R11: 0000000000000212 R12: 00000000006dbc68
[ 25.065803] R13: 00000000209a9000 R14: 0100000000000000 R15: 0000000000000001
[ 25.073538] Dumping ftrace buffer:
[ 25.077062]    (ftrace buffer empty)
[ 25.080738] Kernel Offset: disabled
[ 25.084329] Rebooting in 86400 seconds..