[?25l[?1c7[ ok 8[?25h[?0c. Starting mcstransd: [....] Starting periodic command scheduler: cron[?25l[?1c7[ ok 8[?25h[?0c. [....] Starting file context maintaining daemon: restorecond[?25l[?1c7[ ok 8[?25h[?0c. [....] Starting OpenBSD Secure Shell server: sshd[?25l[?1c7[ ok 8[?25h[?0c. [ 15.004634] audit: type=1400 audit(1515879237.353:6): avc: denied { map } for pid=3653 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1 Debian GNU/Linux 7 syzkaller ttyS0 Warning: Permanently added '10.128.15.222' (ECDSA) to the list of known hosts. executing program syzkaller login: [ 22.994919] audit: type=1400 audit(1515879245.343:7): avc: denied { map } for pid=3667 comm="syzkaller032162" path="/root/syzkaller032162503" dev="sda1" ino=16481 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1 executing program executing program [ 23.160682] [ 23.162341] ========================= [ 23.166117] WARNING: held lock freed! [ 23.169890] 4.15.0-rc7-mm1+ #56 Not tainted [ 23.174192] ------------------------- [ 23.177977] syzkaller032162/3671 is freeing memory 00000000b58809c8-00000000f0f31c4a, with a lock still held there! [ 23.188528] (sk_lock-AF_INET6){+.+.}, at: [<00000000735ffa27>] sctp_wait_for_sndbuf+0x509/0x8d0 [ 23.197543] 1 lock held by syzkaller032162/3671: [ 23.202272] #0: (sk_lock-AF_INET6){+.+.}, at: [<00000000735ffa27>] sctp_wait_for_sndbuf+0x509/0x8d0 [ 23.211612] [ 23.211612] stack backtrace: [ 23.216088] CPU: 0 PID: 3671 Comm: syzkaller032162 Not tainted 4.15.0-rc7-mm1+ #56 [ 23.223768] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 23.233619] Call Trace: [ 23.236187] dump_stack+0x194/0x257 [ 23.239792] ? arch_local_irq_restore+0x53/0x53 [ 23.244442] debug_check_no_locks_freed+0x32f/0x3c0 [ 23.249440] kmem_cache_free+0x68/0x2b0 [ 23.253410] __sk_destruct+0x622/0x910 [ 23.257276] ? kfree+0xd9/0x260 [ 23.260541] ? sock_rfree+0x160/0x160 [ 23.264316] ? sock_sendmsg+0xca/0x110 [ 23.268182] ? SyS_sendto+0x40/0x50 [ 23.271786] ? entry_SYSCALL_64_fastpath+0x29/0xa0 [ 23.276782] ? debug_check_no_obj_freed+0x611/0xf1f [ 23.281787] ? check_noncircular+0x20/0x20 [ 23.286008] ? print_irqtrace_events+0x270/0x270 [ 23.290749] ? __local_bh_enable_ip+0x121/0x230 [ 23.295400] ? sctp_put_port+0x495/0x640 [ 23.299441] ? sctp_poll+0xc00/0xc00 [ 23.303136] ? refcount_sub_and_test+0x115/0x1b0 [ 23.307880] ? refcount_inc+0x50/0x50 [ 23.311747] ? refcount_inc+0x50/0x50 [ 23.315534] sk_destruct+0x47/0x80 [ 23.319079] __sk_free+0xf1/0x2b0 [ 23.322518] sk_free+0x2a/0x40 [ 23.325690] sctp_association_put+0x14c/0x2f0 [ 23.330173] ? sctp_association_hold+0x20/0x20 [ 23.334757] ? lock_sock_nested+0x91/0x110 [ 23.338974] ? trace_hardirqs_on+0xd/0x10 [ 23.343189] ? __local_bh_enable_ip+0x121/0x230 [ 23.347843] sctp_wait_for_sndbuf+0x673/0x8d0 [ 23.352325] ? sctp_init_sock+0x13b0/0x13b0 [ 23.356629] ? do_raw_spin_trylock+0x190/0x190 [ 23.361203] ? __local_bh_enable_ip+0x121/0x230 [ 23.365850] ? sctp_prsctp_prune+0x97/0x790 [ 23.370153] ? prepare_to_wait+0x4d0/0x4d0 [ 23.374366] ? trace_hardirqs_on+0xd/0x10 [ 23.378507] sctp_sendmsg+0x28f7/0x33f0 [ 23.382470] ? sctp_id2assoc+0x390/0x390 [ 23.386511] ? avc_has_perm+0x43e/0x680 [ 23.390468] ? avc_has_perm_noaudit+0x520/0x520 [ 23.395118] ? __fget+0x35c/0x570 [ 23.398555] ? iterate_fd+0x3f0/0x3f0 [ 23.402350] ? find_held_lock+0x35/0x1d0 [ 23.406396] ? sock_has_perm+0x2a4/0x420 [ 23.410440] ? lock_release+0x9a2/0xa40 [ 23.414393] ? trace_event_raw_event_sched_switch+0x800/0x800 [ 23.420273] ? __check_object_size+0x8b/0x530 [ 23.424752] inet_sendmsg+0x11f/0x5e0 [ 23.428533] ? inet_sendmsg+0x11f/0x5e0 [ 23.432487] ? __might_sleep+0x95/0x190 [ 23.436440] ? inet_create+0xf50/0xf50 [ 23.440329] ? selinux_socket_sendmsg+0x36/0x40 [ 23.444990] ? security_socket_sendmsg+0x89/0xb0 [ 23.449733] ? inet_create+0xf50/0xf50 [ 23.453698] sock_sendmsg+0xca/0x110 [ 23.457390] SYSC_sendto+0x361/0x5c0 [ 23.461086] ? SYSC_connect+0x4a0/0x4a0 [ 23.465052] ? selinux_secmark_relabel_packet+0xc0/0xc0 [ 23.470404] ? __do_page_fault+0x3d6/0xc90 [ 23.474623] ? selinux_netlbl_sock_rcv_skb+0x730/0x730 [ 23.479897] ? SyS_futex+0x269/0x390 [ 23.483605] ? SyS_setsockopt+0x215/0x360 [ 23.487746] ? do_futex+0x22a0/0x22a0 [ 23.491537] ? entry_SYSCALL_64_fastpath+0x5/0xa0 [ 23.496362] SyS_sendto+0x40/0x50 [ 23.499796] entry_SYSCALL_64_fastpath+0x29/0xa0 [ 23.504531] RIP: 0033:0x4457e9 [ 23.507700] RSP: 002b:00007f2cc86aeda8 EFLAGS: 00000216 ORIG_RAX: 000000000000002c [ 23.515388] RAX: ffffffffffffffda RBX: 00000000006dac6c RCX: 00000000004457e9 [ 23.522649] RDX: 0000000000000001 RSI: 000000002010bf14 RDI: 0000000000000004 [ 23.529907] RBP: 00000000006dac68 R08: 00000000204d9000 R09: 000000000000001c [ 23.537158] R10: 0000000000000000 R11: 0000000000000216 R12: 0000000000000000 [ 23.544407] R13: 00007ffd9b826d2f R14: 00007f2cc86af9c0 R15: 0000000000000001 [ 23.551797] ================================================================== [ 23.559337] BUG: KASAN: use-after-free in do_raw_spin_lock+0x1e0/0x220 [ 23.566011] Read of size 4 at addr ffff8801d97d108c by task syzkaller032162/3671 [ 23.573527] [ 23.575142] CPU: 0 PID: 3671 Comm: syzkaller032162 Not tainted 4.15.0-rc7-mm1+ #56 [ 23.582823] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 23.592170] Call Trace: [ 23.595014] dump_stack+0x194/0x257 [ 23.598642] ? arch_local_irq_restore+0x53/0x53 [ 23.603318] ? show_regs_print_info+0x18/0x18 [ 23.607797] ? lock_acquire+0x1d5/0x580 executing program [ 23.611769] ? trace_hardirqs_on+0xd/0x10 [ 23.615898] ? do_raw_spin_lock+0x1e0/0x220 [ 23.620201] print_address_description+0x73/0x250 [ 23.625036] ? do_raw_spin_lock+0x1e0/0x220 [ 23.629367] kasan_report+0x23b/0x360 [ 23.633158] __asan_report_load4_noabort+0x14/0x20 [ 23.638086] do_raw_spin_lock+0x1e0/0x220 [ 23.642224] _raw_spin_lock_bh+0x39/0x40 [ 23.646270] ? release_sock+0x74/0x2a0 [ 23.650155] release_sock+0x74/0x2a0 [ 23.653864] ? sctp_prsctp_prune+0x97/0x790 [ 23.658171] ? __release_sock+0x360/0x360 [ 23.662302] ? trace_hardirqs_on+0xd/0x10 [ 23.666438] sctp_sendmsg+0x2993/0x33f0 [ 23.670401] ? sctp_id2assoc+0x390/0x390 [ 23.674448] ? avc_has_perm+0x43e/0x680 [ 23.678417] ? avc_has_perm_noaudit+0x520/0x520 [ 23.683088] ? __fget+0x35c/0x570 [ 23.686526] ? iterate_fd+0x3f0/0x3f0 [ 23.690313] ? find_held_lock+0x35/0x1d0 [ 23.694363] ? sock_has_perm+0x2a4/0x420 [ 23.698406] ? lock_release+0x9a2/0xa40 [ 23.702357] ? trace_event_raw_event_sched_switch+0x800/0x800 [ 23.708222] ? __check_object_size+0x8b/0x530 [ 23.712698] inet_sendmsg+0x11f/0x5e0 [ 23.716475] ? inet_sendmsg+0x11f/0x5e0 [ 23.720429] ? __might_sleep+0x95/0x190 [ 23.724389] ? inet_create+0xf50/0xf50 [ 23.728278] ? selinux_socket_sendmsg+0x36/0x40 [ 23.732926] ? security_socket_sendmsg+0x89/0xb0 [ 23.737658] ? inet_create+0xf50/0xf50 [ 23.741526] sock_sendmsg+0xca/0x110 [ 23.745222] SYSC_sendto+0x361/0x5c0 [ 23.748918] ? SYSC_connect+0x4a0/0x4a0 [ 23.752873] ? selinux_secmark_relabel_packet+0xc0/0xc0 [ 23.758566] ? __do_page_fault+0x3d6/0xc90 [ 23.762805] ? selinux_netlbl_sock_rcv_skb+0x730/0x730 [ 23.768096] ? SyS_futex+0x269/0x390 [ 23.771791] ? SyS_setsockopt+0x215/0x360 [ 23.775931] ? do_futex+0x22a0/0x22a0 [ 23.779715] ? entry_SYSCALL_64_fastpath+0x5/0xa0 [ 23.784544] SyS_sendto+0x40/0x50 [ 23.787983] entry_SYSCALL_64_fastpath+0x29/0xa0 [ 23.792716] RIP: 0033:0x4457e9 [ 23.795884] RSP: 002b:00007f2cc86aeda8 EFLAGS: 00000216 ORIG_RAX: 000000000000002c [ 23.803580] RAX: ffffffffffffffda RBX: 00000000006dac6c RCX: 00000000004457e9 [ 23.811185] RDX: 0000000000000001 RSI: 000000002010bf14 RDI: 0000000000000004 [ 23.818431] RBP: 00000000006dac68 R08: 00000000204d9000 R09: 000000000000001c [ 23.825689] R10: 0000000000000000 R11: 0000000000000216 R12: 0000000000000000 [ 23.832947] R13: 00007ffd9b826d2f R14: 00007f2cc86af9c0 R15: 0000000000000001 [ 23.840205] [ 23.841814] Allocated by task 3676: [ 23.845424] save_stack+0x43/0xd0 [ 23.848866] kasan_kmalloc+0xad/0xe0 [ 23.852571] kasan_slab_alloc+0x12/0x20 [ 23.856530] kmem_cache_alloc+0x12e/0x760 [ 23.860657] sk_prot_alloc+0x65/0x2a0 [ 23.864527] sk_alloc+0x105/0x1440 [ 23.868050] sctp_v6_create_accept_sk+0x15a/0x9b0 [ 23.872876] sctp_accept+0x5c4/0x970 [ 23.876567] inet_accept+0x12c/0x930 [ 23.880255] SYSC_accept4+0x38d/0x870 [ 23.884032] SyS_accept+0x26/0x30 [ 23.887475] entry_SYSCALL_64_fastpath+0x29/0xa0 [ 23.892203] [ 23.893827] Freed by task 3671: [ 23.897088] save_stack+0x43/0xd0 [ 23.900518] __kasan_slab_free+0x11a/0x170 [ 23.904728] kasan_slab_free+0xe/0x10 [ 23.908505] kmem_cache_free+0x86/0x2b0 [ 23.912455] __sk_destruct+0x622/0x910 [ 23.916318] sk_destruct+0x47/0x80 [ 23.919836] __sk_free+0xf1/0x2b0 [ 23.923268] sk_free+0x2a/0x40 [ 23.926435] sctp_association_put+0x14c/0x2f0 [ 23.930909] sctp_wait_for_sndbuf+0x673/0x8d0 [ 23.935380] sctp_sendmsg+0x28f7/0x33f0 [ 23.939331] inet_sendmsg+0x11f/0x5e0 [ 23.943116] sock_sendmsg+0xca/0x110 [ 23.946803] SYSC_sendto+0x361/0x5c0 [ 23.950511] SyS_sendto+0x40/0x50 [ 23.953941] entry_SYSCALL_64_fastpath+0x29/0xa0 [ 23.958676] [ 23.960289] The buggy address belongs to the object at ffff8801d97d1000 [ 23.960289] which belongs to the cache SCTPv6 of size 1888 [ 23.972663] The buggy address is located 140 bytes inside of [ 23.972663] 1888-byte region [ffff8801d97d1000, ffff8801d97d1760) [ 23.984599] The buggy address belongs to the page: [ 23.989510] page:ffffea000765f440 count:1 mapcount:0 mapping:ffff8801d97d1000 index:0x0 [ 23.997634] flags: 0x2fffc0000000100(slab) [ 24.001856] raw: 02fffc0000000100 ffff8801d97d1000 0000000000000000 0000000100000002 [ 24.009712] raw: ffffea00074beba0 ffffea00076614a0 ffff8801d2fabb40 0000000000000000 [ 24.017565] page dumped because: kasan: bad access detected [ 24.023245] [ 24.024845] Memory state around the buggy address: [ 24.029750] ffff8801d97d0f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 24.037174] ffff8801d97d1000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 24.044526] >ffff8801d97d1080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 24.051863] ^ [ 24.055486] ffff8801d97d1100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 24.062820] ffff8801d97d1180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 24.070167] ================================================================== [ 24.077541] Kernel panic - not syncing: panic_on_warn set ... [ 24.077541] [ 24.084905] CPU: 0 PID: 3671 Comm: syzkaller032162 Tainted: G B 4.15.0-rc7-mm1+ #56 [ 24.093910] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 24.103241] Call Trace: [ 24.105821] dump_stack+0x194/0x257 [ 24.109449] ? arch_local_irq_restore+0x53/0x53 executing program [ 24.114099] ? trace_hardirqs_on_thunk+0x1a/0x1c [ 24.118837] ? vsnprintf+0x1ed/0x1900 [ 24.122618] ? do_raw_spin_lock+0x140/0x220 [ 24.126930] panic+0x1e4/0x41c [ 24.130116] ? refcount_error_report+0x214/0x214 [ 24.134868] ? add_taint+0x1c/0x50 [ 24.138401] ? add_taint+0x1c/0x50 [ 24.141931] ? do_raw_spin_lock+0x1e0/0x220 [ 24.146251] kasan_end_report+0x50/0x50 [ 24.150206] kasan_report+0x148/0x360 [ 24.153993] __asan_report_load4_noabort+0x14/0x20 [ 24.158904] do_raw_spin_lock+0x1e0/0x220 [ 24.163048] _raw_spin_lock_bh+0x39/0x40 [ 24.167091] ? release_sock+0x74/0x2a0 [ 24.170958] release_sock+0x74/0x2a0 [ 24.174648] ? sctp_prsctp_prune+0x97/0x790 [ 24.178949] ? __release_sock+0x360/0x360 [ 24.183085] ? trace_hardirqs_on+0xd/0x10 [ 24.187487] sctp_sendmsg+0x2993/0x33f0 [ 24.191460] ? sctp_id2assoc+0x390/0x390 [ 24.195504] ? avc_has_perm+0x43e/0x680 [ 24.199457] ? avc_has_perm_noaudit+0x520/0x520 [ 24.204105] ? __fget+0x35c/0x570 [ 24.207542] ? iterate_fd+0x3f0/0x3f0 [ 24.211329] ? find_held_lock+0x35/0x1d0 [ 24.215376] ? sock_has_perm+0x2a4/0x420 [ 24.219415] ? lock_release+0x9a2/0xa40 [ 24.223379] ? trace_event_raw_event_sched_switch+0x800/0x800 [ 24.229330] ? __check_object_size+0x8b/0x530 [ 24.233809] inet_sendmsg+0x11f/0x5e0 [ 24.237586] ? inet_sendmsg+0x11f/0x5e0 [ 24.241540] ? __might_sleep+0x95/0x190 [ 24.245495] ? inet_create+0xf50/0xf50 [ 24.249363] ? selinux_socket_sendmsg+0x36/0x40 [ 24.254019] ? security_socket_sendmsg+0x89/0xb0 [ 24.258786] ? inet_create+0xf50/0xf50 [ 24.262666] sock_sendmsg+0xca/0x110 [ 24.266359] SYSC_sendto+0x361/0x5c0 [ 24.270064] ? SYSC_connect+0x4a0/0x4a0 [ 24.274023] ? selinux_secmark_relabel_packet+0xc0/0xc0 [ 24.279369] ? __do_page_fault+0x3d6/0xc90 [ 24.283585] ? selinux_netlbl_sock_rcv_skb+0x730/0x730 [ 24.288858] ? SyS_futex+0x269/0x390 [ 24.292551] ? SyS_setsockopt+0x215/0x360 [ 24.296691] ? do_futex+0x22a0/0x22a0 [ 24.300474] ? entry_SYSCALL_64_fastpath+0x5/0xa0 [ 24.305303] SyS_sendto+0x40/0x50 [ 24.308741] entry_SYSCALL_64_fastpath+0x29/0xa0 [ 24.313474] RIP: 0033:0x4457e9 [ 24.316640] RSP: 002b:00007f2cc86aeda8 EFLAGS: 00000216 ORIG_RAX: 000000000000002c [ 24.324330] RAX: ffffffffffffffda RBX: 00000000006dac6c RCX: 00000000004457e9 [ 24.331578] RDX: 0000000000000001 RSI: 000000002010bf14 RDI: 0000000000000004 [ 24.338828] RBP: 00000000006dac68 R08: 00000000204d9000 R09: 000000000000001c [ 24.346180] R10: 0000000000000000 R11: 0000000000000216 R12: 0000000000000000 [ 24.353428] R13: 00007ffd9b826d2f R14: 00007f2cc86af9c0 R15: 0000000000000001 [ 24.361199] Dumping ftrace buffer: [ 24.364721] (ftrace buffer empty) [ 24.368451] Kernel Offset: disabled [ 24.372052] Rebooting in 86400 seconds..