[....] Starting enhanced syslogd: rsyslogd
[ 12.537901] audit: type=1400 audit(1515344522.886:5): avc: denied { syslog } for pid=3346 comm="rsyslogd" capability=34 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=capability2 permissive=1
[ ok ].
Starting mcstransd:
[....] Starting periodic command scheduler: cron [ ok ].
[....] Starting file context maintaining daemon: restorecond [ ok ].
[....] Starting OpenBSD Secure Shell server: sshd [ ok ].

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [ 18.855962] audit: type=1400 audit(1515344529.204:6): avc: denied { map } for pid=3485 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
Warning: Permanently added '10.128.15.231' (ECDSA) to the list of known hosts.
[ 40.833618] audit: type=1400 audit(1515344551.182:7): avc: denied { map } for pid=3502 comm="syzkaller734845" path="/root/syzkaller734845507" dev="sda1" ino=16481 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
executing program
executing program
executing program
executing program
[ 41.260703]
[ 41.262361] =========================
[ 41.266139] WARNING: held lock freed!
[ 41.269924] 4.15.0-rc5+ #177 Not tainted
[ 41.273961] -------------------------
[ 41.277757] syzkaller734845/3512 is freeing memory 000000000714dd3d-000000008e275246, with a lock still held there!
[ 41.288307] (sk_lock-AF_INET6){+.+.}, at: [<00000000a518adb1>] sctp_wait_for_sndbuf+0x509/0x8d0
[ 41.297215] 1 lock held by syzkaller734845/3512:
[ 41.301941] #0: (sk_lock-AF_INET6){+.+.}, at: [<00000000a518adb1>] sctp_wait_for_sndbuf+0x509/0x8d0
[ 41.311273]
[ 41.311273] stack backtrace:
[ 41.315739] CPU: 1 PID: 3512 Comm: syzkaller734845 Not tainted 4.15.0-rc5+ #177
[ 41.323149] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 41.332835] Call Trace:
[ 41.335394] dump_stack+0x194/0x257
[ 41.339004] ? arch_local_irq_restore+0x53/0x53
[ 41.343648] debug_check_no_locks_freed+0x32f/0x3c0
[ 41.348656] kmem_cache_free+0x68/0x2a0
[ 41.352599] __sk_destruct+0x622/0x910
[ 41.356453] ? save_stack+0x43/0xd0
[ 41.360044] ? sock_rfree+0x160/0x160
[ 41.363808] ? sctp_sendmsg+0x28f7/0x33f0
[ 41.367918] ? sock_sendmsg+0xca/0x110
[ 41.371770] ? SYSC_sendto+0x361/0x5c0
[ 41.375622] ? SyS_sendto+0x40/0x50
[ 41.379222] ? entry_SYSCALL_64_fastpath+0x23/0x9a
[ 41.384208] ? check_noncircular+0x20/0x20
[ 41.388408] ? print_irqtrace_events+0x270/0x270
[ 41.393134] ? __local_bh_enable_ip+0x121/0x230
[ 41.397768] ? sctp_put_port+0x495/0x640
[ 41.401796] ? sctp_poll+0xc00/0xc00
[ 41.405480] ? refcount_sub_and_test+0x115/0x1b0
[ 41.410210] ? refcount_inc+0x50/0x50
[ 41.413978] ? refcount_inc+0x50/0x50
[ 41.417744] sk_destruct+0x47/0x80
[ 41.421254] __sk_free+0xf1/0x2b0
[ 41.424681] sk_free+0x2a/0x40
[ 41.427846] sctp_association_put+0x14c/0x2f0
[ 41.432304] ? sctp_association_hold+0x20/0x20
[ 41.437291] ? lock_sock_nested+0x91/0x110
[ 41.441490] ? trace_hardirqs_on+0xd/0x10
[ 41.445610] ? __local_bh_enable_ip+0x121/0x230
[ 41.450248] sctp_wait_for_sndbuf+0x673/0x8d0
[ 41.454710] ? sctp_init_sock+0x13b0/0x13b0
[ 41.458996] ? do_raw_spin_trylock+0x190/0x190
[ 41.463544] ? __local_bh_enable_ip+0x121/0x230
[ 41.468176] ? sctp_prsctp_prune+0x97/0x790
[ 41.472467] ? prepare_to_wait+0x4d0/0x4d0
[ 41.476665] ? trace_hardirqs_on+0xd/0x10
[ 41.480782] sctp_sendmsg+0x28f7/0x33f0
[ 41.484736] ? sctp_id2assoc+0x390/0x390
[ 41.488763] ? avc_has_perm+0x43e/0x680
[ 41.492705] ? avc_has_perm_noaudit+0x520/0x520
[ 41.497346] ? __fget+0x35c/0x570
[ 41.500767] ? iterate_fd+0x3f0/0x3f0
[ 41.504537] ? find_held_lock+0x35/0x1d0
[ 41.508566] ? sock_has_perm+0x2a4/0x420
[ 41.512594] ? lock_release+0x982/0xa40
[ 41.516533] ? trace_event_raw_event_sched_switch+0x800/0x800
[ 41.522387] ? __check_object_size+0x25d/0x4f0
[ 41.526937] inet_sendmsg+0x11f/0x5e0
[ 41.530701] ? inet_sendmsg+0x11f/0x5e0
[ 41.534642] ? __might_sleep+0x95/0x190
[ 41.538586] ? inet_create+0xf50/0xf50
[ 41.542438] ? selinux_socket_sendmsg+0x36/0x40
[ 41.547077] ? security_socket_sendmsg+0x89/0xb0
[ 41.551799] ? inet_create+0xf50/0xf50
[ 41.555661] sock_sendmsg+0xca/0x110
[ 41.559343] SYSC_sendto+0x361/0x5c0
[ 41.563036] ? SYSC_connect+0x4a0/0x4a0
[ 41.566974] ? selinux_secmark_relabel_packet+0xc0/0xc0
[ 41.572303] ? __do_page_fault+0x3d6/0xc90
[ 41.576512] ? selinux_netlbl_sock_rcv_skb+0x730/0x730
[ 41.581763] ? SyS_futex+0x269/0x390
[ 41.585443] ? SyS_setsockopt+0x215/0x360
[ 41.589557] ? do_futex+0x22a0/0x22a0
[ 41.593321] ? entry_SYSCALL_64_fastpath+0x5/0x9a
[ 41.598132] SyS_sendto+0x40/0x50
[ 41.601562] entry_SYSCALL_64_fastpath+0x23/0x9a
[ 41.606288] RIP: 0033:0x445db9
[ 41.609446] RSP: 002b:00007f45582a5d98 EFLAGS: 00000212 ORIG_RAX: 000000000000002c
[ 41.617117] RAX: ffffffffffffffda RBX: 00000000006dbc84 RCX: 0000000000445db9
[ 41.624366] RDX: 0000000000000001 RSI: 000000002010bf14 RDI: 0000000000000005
[ 41.631614] RBP: 0000000000000000 R08: 00000000204d9000 R09: 000000000000001c
[ 41.638856] R10: 0000000000000000 R11: 0000000000000212 R12: 00000000006dbc80
[ 41.646091] R13: 00000000209a9000 R14: 0100000000000000 R15: 0000000000000001
[ 41.653414] ==================================================================
[ 41.660747] BUG: KASAN: use-after-free in do_raw_spin_lock+0x1e0/0x220
[ 41.667381] Read of size 4 at addr ffff8801bffa308c by task syzkaller734845/3512
[ 41.674876]
[ 41.676472] CPU: 1 PID: 3512 Comm: syzkaller734845 Not tainted 4.15.0-rc5+ #177
[ 41.683880] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 41.693206] Call Trace:
[ 41.695764] dump_stack+0x194/0x257
[ 41.699359] ? arch_local_irq_restore+0x53/0x53
[ 41.703999] ? show_regs_print_info+0x18/0x18
[ 41.708458] ? lock_acquire+0x1d5/0x580
executing program
[ 41.712399] ? trace_hardirqs_on+0xd/0x10
[ 41.716514] ? do_raw_spin_lock+0x1e0/0x220
[ 41.720805] print_address_description+0x73/0x250
[ 41.725614] ? do_raw_spin_lock+0x1e0/0x220
[ 41.729902] kasan_report+0x25b/0x340
[ 41.733669] __asan_report_load4_noabort+0x14/0x20
[ 41.738563] do_raw_spin_lock+0x1e0/0x220
[ 41.742696] _raw_spin_lock_bh+0x39/0x40
[ 41.746728] ? release_sock+0x74/0x2a0
[ 41.750588] release_sock+0x74/0x2a0
[ 41.754268] ? sctp_prsctp_prune+0x97/0x790
[ 41.758562] ? __release_sock+0x360/0x360
[ 41.762676] ? trace_hardirqs_on+0xd/0x10
[ 41.766794] sctp_sendmsg+0x2993/0x33f0
[ 41.770743] ? sctp_id2assoc+0x390/0x390
[ 41.774767] ? avc_has_perm+0x43e/0x680
[ 41.778707] ? avc_has_perm_noaudit+0x520/0x520
[ 41.783344] ? __fget+0x35c/0x570
[ 41.786767] ? iterate_fd+0x3f0/0x3f0
[ 41.790537] ? find_held_lock+0x35/0x1d0
[ 41.794748] ? sock_has_perm+0x2a4/0x420
[ 41.798775] ? lock_release+0x982/0xa40
[ 41.802716] ? trace_event_raw_event_sched_switch+0x800/0x800
[ 41.808564] ? __check_object_size+0x25d/0x4f0
[ 41.813461] inet_sendmsg+0x11f/0x5e0
[ 41.817227] ? inet_sendmsg+0x11f/0x5e0
[ 41.821166] ? __might_sleep+0x95/0x190
[ 41.825108] ? inet_create+0xf50/0xf50
[ 41.828961] ? selinux_socket_sendmsg+0x36/0x40
[ 41.833594] ? security_socket_sendmsg+0x89/0xb0
[ 41.838314] ? inet_create+0xf50/0xf50
[ 41.842166] sock_sendmsg+0xca/0x110
[ 41.845846] SYSC_sendto+0x361/0x5c0
[ 41.849526] ? SYSC_connect+0x4a0/0x4a0
[ 41.853466] ? selinux_secmark_relabel_packet+0xc0/0xc0
[ 41.858797] ? __do_page_fault+0x3d6/0xc90
[ 41.862999] ? selinux_netlbl_sock_rcv_skb+0x730/0x730
[ 41.868258] ? SyS_futex+0x269/0x390
[ 41.871934] ? SyS_setsockopt+0x215/0x360
[ 41.876046] ? do_futex+0x22a0/0x22a0
[ 41.880079] ? entry_SYSCALL_64_fastpath+0x5/0x9a
[ 41.884896] SyS_sendto+0x40/0x50
[ 41.888318] entry_SYSCALL_64_fastpath+0x23/0x9a
[ 41.893041] RIP: 0033:0x445db9
[ 41.896198] RSP: 002b:00007f45582a5d98 EFLAGS: 00000212 ORIG_RAX: 000000000000002c
[ 41.903873] RAX: ffffffffffffffda RBX: 00000000006dbc84 RCX: 0000000000445db9
[ 41.911117] RDX: 0000000000000001 RSI: 000000002010bf14 RDI: 0000000000000005
[ 41.918356] RBP: 0000000000000000 R08: 00000000204d9000 R09: 000000000000001c
[ 41.925591] R10: 0000000000000000 R11: 0000000000000212 R12: 00000000006dbc80
[ 41.932825] R13: 00000000209a9000 R14: 0100000000000000 R15: 0000000000000001
[ 41.940069]
[ 41.941663] Allocated by task 3513:
[ 41.945258] save_stack+0x43/0xd0
[ 41.948676] kasan_kmalloc+0xad/0xe0
[ 41.952356] kasan_slab_alloc+0x12/0x20
[ 41.956293] kmem_cache_alloc+0x12e/0x760
[ 41.960404] sk_prot_alloc+0x65/0x2a0
[ 41.964165] sk_alloc+0x105/0x1440
[ 41.967684] sctp_v6_create_accept_sk+0x15a/0x9b0
[ 41.972489] sctp_accept+0x5c4/0x970
[ 41.976168] inet_accept+0x12c/0x930
[ 41.979845] SYSC_accept4+0x38d/0x870
[ 41.983611] SyS_accept+0x26/0x30
[ 41.987033] entry_SYSCALL_64_fastpath+0x23/0x9a
[ 41.991751]
[ 41.993354] Freed by task 3512:
[ 41.996601] save_stack+0x43/0xd0
[ 42.000017] kasan_slab_free+0x71/0xc0
[ 42.003873] kmem_cache_free+0x83/0x2a0
[ 42.007812] __sk_destruct+0x622/0x910
[ 42.011665] sk_destruct+0x47/0x80
[ 42.015168] __sk_free+0xf1/0x2b0
[ 42.018583] sk_free+0x2a/0x40
[ 42.021744] sctp_association_put+0x14c/0x2f0
[ 42.026212] sctp_wait_for_sndbuf+0x673/0x8d0
[ 42.030676] sctp_sendmsg+0x28f7/0x33f0
[ 42.034615] inet_sendmsg+0x11f/0x5e0
[ 42.038387] sock_sendmsg+0xca/0x110
[ 42.042069] SYSC_sendto+0x361/0x5c0
[ 42.045747] SyS_sendto+0x40/0x50
[ 42.049164] entry_SYSCALL_64_fastpath+0x23/0x9a
[ 42.053881]
[ 42.055480] The buggy address belongs to the object at ffff8801bffa3000
[ 42.055480]  which belongs to the cache SCTPv6 of size 1888
[ 42.067751] The buggy address is located 140 bytes inside of
[ 42.067751]  1888-byte region [ffff8801bffa3000, ffff8801bffa3760)
[ 42.079680] The buggy address belongs to the page:
[ 42.084581] page:000000005588d992 count:1 mapcount:0 mapping:000000000714dd3d index:0x0
[ 42.092694] flags: 0x2fffc0000000100(slab)
[ 42.096902] raw: 02fffc0000000100 ffff8801bffa3000 0000000000000000 0000000100000002
[ 42.104754] raw: ffffea0006ff2c20 ffffea0006ffe8a0 ffff8801d32ac680 0000000000000000
[ 42.112595] page dumped because: kasan: bad access detected
[ 42.118267]
[ 42.119858] Memory state around the buggy address:
[ 42.124752]  ffff8801bffa2f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 42.132081]  ffff8801bffa3000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 42.139406] >ffff8801bffa3080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 42.146728]                                        ^
[ 42.150319]  ffff8801bffa3100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 42.157657]  ffff8801bffa3180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 42.164977] ==================================================================
[ 42.172340] Kernel panic - not syncing: panic_on_warn set ...
[ 42.172340]
[ 42.179671] CPU: 1 PID: 3512 Comm: syzkaller734845 Tainted: G B 4.15.0-rc5+ #177
[ 42.188390] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 42.197710] Call Trace:
[ 42.200264] dump_stack+0x194/0x257
[ 42.203859] ? arch_local_irq_restore+0x53/0x53
[ 42.208504] ? trace_hardirqs_on_thunk+0x1a/0x1c
executing program
[ 42.213225] ? vsnprintf+0x1ed/0x1900
[ 42.216993] ? do_raw_spin_lock+0x120/0x220
[ 42.221281] panic+0x1e4/0x41c
[ 42.224439] ? refcount_error_report+0x214/0x214
[ 42.229161] ? add_taint+0x1c/0x50
[ 42.232668] ? add_taint+0x1c/0x50
[ 42.236522] ? do_raw_spin_lock+0x1e0/0x220
[ 42.240810] kasan_end_report+0x50/0x50
[ 42.244751] kasan_report+0x144/0x340
[ 42.248530] __asan_report_load4_noabort+0x14/0x20
[ 42.253433] do_raw_spin_lock+0x1e0/0x220
[ 42.257555] _raw_spin_lock_bh+0x39/0x40
[ 42.261585] ? release_sock+0x74/0x2a0
[ 42.265442] release_sock+0x74/0x2a0
[ 42.269121] ? sctp_prsctp_prune+0x97/0x790
[ 42.273409] ? __release_sock+0x360/0x360
[ 42.277529] ? trace_hardirqs_on+0xd/0x10
[ 42.281657] sctp_sendmsg+0x2993/0x33f0
[ 42.285607] ? sctp_id2assoc+0x390/0x390
[ 42.289642] ? avc_has_perm+0x43e/0x680
[ 42.293587] ? avc_has_perm_noaudit+0x520/0x520
[ 42.298231] ? __fget+0x35c/0x570
[ 42.301671] ? iterate_fd+0x3f0/0x3f0
[ 42.305443] ? find_held_lock+0x35/0x1d0
[ 42.309474] ? sock_has_perm+0x2a4/0x420
[ 42.313503] ? lock_release+0x982/0xa40
[ 42.317442] ? trace_event_raw_event_sched_switch+0x800/0x800
[ 42.323293] ? __check_object_size+0x25d/0x4f0
[ 42.327846] inet_sendmsg+0x11f/0x5e0
[ 42.331618] ? inet_sendmsg+0x11f/0x5e0
[ 42.335556] ? __might_sleep+0x95/0x190
[ 42.339495] ? inet_create+0xf50/0xf50
[ 42.343359] ? selinux_socket_sendmsg+0x36/0x40
[ 42.347993] ? security_socket_sendmsg+0x89/0xb0
[ 42.352724] ? inet_create+0xf50/0xf50
[ 42.356579] sock_sendmsg+0xca/0x110
[ 42.360258] SYSC_sendto+0x361/0x5c0
[ 42.363938] ? SYSC_connect+0x4a0/0x4a0
[ 42.367882] ? selinux_secmark_relabel_packet+0xc0/0xc0
[ 42.373213] ? __do_page_fault+0x3d6/0xc90
[ 42.377417] ? selinux_netlbl_sock_rcv_skb+0x730/0x730
[ 42.382683] ? SyS_futex+0x269/0x390
[ 42.386361] ? SyS_setsockopt+0x215/0x360
[ 42.390478] ? do_futex+0x22a0/0x22a0
[ 42.394246] ? entry_SYSCALL_64_fastpath+0x5/0x9a
[ 42.399057] SyS_sendto+0x40/0x50
[ 42.402476] entry_SYSCALL_64_fastpath+0x23/0x9a
[ 42.407195] RIP: 0033:0x445db9
[ 42.410358] RSP: 002b:00007f45582a5d98 EFLAGS: 00000212 ORIG_RAX: 000000000000002c
[ 42.418030] RAX: ffffffffffffffda RBX: 00000000006dbc84 RCX: 0000000000445db9
[ 42.425267] RDX: 0000000000000001 RSI: 000000002010bf14 RDI: 0000000000000005
[ 42.432512] RBP: 0000000000000000 R08: 00000000204d9000 R09: 000000000000001c
[ 42.439747] R10: 0000000000000000 R11: 0000000000000212 R12: 00000000006dbc80
[ 42.446982] R13: 00000000209a9000 R14: 0100000000000000 R15: 0000000000000001
[ 42.454252] Dumping ftrace buffer:
[ 42.457757] (ftrace buffer empty)
[ 42.461436] Kernel Offset: disabled
[ 42.465030] Rebooting in 86400 seconds..