[ ok ] Starting enhanced syslogd: rsyslogd.
[   12.656421] audit: type=1400 audit(1515344120.218:5): avc:  denied  { syslog } for  pid=3341 comm="rsyslogd" capability=34  scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=capability2 permissive=1
[ ok ] Starting periodic command scheduler: cron.
Starting mcstransd:
[ ok ] Starting file context maintaining daemon: restorecond.
[ ok ] Starting OpenBSD Secure Shell server: sshd.

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [   19.534553] audit: type=1400 audit(1515344127.096:6): avc:  denied  { map } for  pid=3481 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
Warning: Permanently added '10.128.15.209' (ECDSA) to the list of known hosts.
[   26.443044] audit: type=1400 audit(1515344134.004:7): avc:  denied  { map } for  pid=3495 comm="syzkaller036276" path="/root/syzkaller036276167" dev="sda1" ino=16481 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
executing program
executing program
executing program
[   26.792161]
[   26.793832] =========================
[   26.797598] WARNING: held lock freed!
[   26.801366] 4.15.0-rc6+ #250 Not tainted
[   26.805393] -------------------------
[   26.809172] syzkaller036276/3500 is freeing memory 000000001df0d9d1-000000009333333c, with a lock still held there!
[   26.819719]  (sk_lock-AF_INET6){+.+.}, at: [<000000003e590925>] sctp_wait_for_sndbuf+0x509/0x8d0
[   26.828630] 1 lock held by syzkaller036276/3500:
[   26.833353]  #0:  (sk_lock-AF_INET6){+.+.}, at: [<000000003e590925>] sctp_wait_for_sndbuf+0x509/0x8d0
[   26.842686]
[   26.842686] stack backtrace:
[   26.847153] CPU: 0 PID: 3500 Comm: syzkaller036276 Not tainted 4.15.0-rc6+ #250
[   26.854591] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   26.863915] Call Trace:
[   26.866478]  dump_stack+0x194/0x257
[   26.870080]  ? arch_local_irq_restore+0x53/0x53
[   26.874723]  debug_check_no_locks_freed+0x32f/0x3c0
[   26.879712]  kmem_cache_free+0x68/0x2a0
[   26.883655]  __sk_destruct+0x622/0x910
[   26.887512]  ? kasan_slab_free+0x71/0xc0
[   26.891544]  ? sock_rfree+0x160/0x160
[   26.895315]  ? inet_sendmsg+0x11f/0x5e0
[   26.899257]  ? SYSC_sendto+0x361/0x5c0
[   26.903108]  ? SyS_sendto+0x40/0x50
[   26.906703]  ? entry_SYSCALL_64_fastpath+0x23/0x9a
[   26.911610]  ? check_noncircular+0x20/0x20
[   26.915812]  ? print_irqtrace_events+0x270/0x270
[   26.920569]  ? free_obj_work+0x690/0x690
[   26.924606]  ? sctp_put_port+0x495/0x640
[   26.928640]  ? sctp_poll+0xc00/0xc00
[   26.932324]  ? refcount_sub_and_test+0x115/0x1b0
[   26.937060]  ? refcount_inc+0x50/0x50
[   26.940830]  ? refcount_inc+0x50/0x50
[   26.944606]  sk_destruct+0x47/0x80
[   26.948113]  __sk_free+0x57/0x230
[   26.951533]  sk_free+0x2a/0x40
[   26.954697]  sctp_association_put+0x14c/0x2f0
[   26.959161]  ? sctp_association_hold+0x20/0x20
[   26.963710]  ? lock_sock_nested+0x91/0x110
[   26.967917]  ? trace_hardirqs_on+0xd/0x10
[   26.972041]  ? __local_bh_enable_ip+0x121/0x230
[   26.976683]  sctp_wait_for_sndbuf+0x673/0x8d0
[   26.981150]  ? sctp_init_sock+0x13b0/0x13b0
[   26.985529]  ? do_raw_spin_trylock+0x190/0x190
[   26.990078]  ? __local_bh_enable_ip+0x121/0x230
[   26.994714]  ? sctp_prsctp_prune+0x97/0x6f0
[   26.999004]  ? prepare_to_wait+0x4d0/0x4d0
[   27.003211]  ? trace_hardirqs_on+0xd/0x10
[   27.007332]  sctp_sendmsg+0x277d/0x3360
[   27.011276]  ? put_pi_state+0x3c0/0x560
[   27.015226]  ? sctp_id2assoc+0x390/0x390
[   27.019260]  ? avc_has_perm+0x43e/0x680
[   27.023210]  ? avc_has_perm_noaudit+0x520/0x520
[   27.027847]  ? __fget+0x35c/0x570
[   27.031272]  ? iterate_fd+0x3f0/0x3f0
[   27.035045]  ? find_held_lock+0x35/0x1d0
[   27.039079]  ? sock_has_perm+0x2a4/0x420
[   27.043119]  ? lock_release+0x962/0xa40
[   27.047065]  ? trace_event_raw_event_sched_switch+0x800/0x800
[   27.052916]  ? __check_object_size+0x25d/0x4f0
[   27.057474]  inet_sendmsg+0x11f/0x5e0
[   27.061243]  ? inet_sendmsg+0x11f/0x5e0
[   27.065210]  ? __might_sleep+0x95/0x190
[   27.069152]  ? inet_recvmsg+0x5f0/0x5f0
[   27.073093]  ? selinux_socket_sendmsg+0x36/0x40
[   27.077730]  ? security_socket_sendmsg+0x89/0xb0
[   27.082457]  ? inet_recvmsg+0x5f0/0x5f0
[   27.086408]  sock_sendmsg+0xca/0x110
[   27.090096]  SYSC_sendto+0x361/0x5c0
[   27.093783]  ? SYSC_connect+0x4a0/0x4a0
[   27.097733]  ? selinux_secmark_relabel_packet+0xc0/0xc0
[   27.103064]  ? __do_page_fault+0x3d6/0xc90
[   27.107271]  ? selinux_netlbl_sock_rcv_skb+0x730/0x730
[   27.112527]  ? SyS_futex+0x269/0x390
[   27.116211]  ? SyS_setsockopt+0x215/0x360
[   27.120330]  ? do_futex+0x22a0/0x22a0
[   27.124102]  ? entry_SYSCALL_64_fastpath+0x5/0x9a
[   27.128917]  SyS_sendto+0x40/0x50
[   27.132339]  entry_SYSCALL_64_fastpath+0x23/0x9a
[   27.137070] RIP: 0033:0x445db9
[   27.140229] RSP: 002b:00007fb3de9b6d98 EFLAGS: 00000212 ORIG_RAX: 000000000000002c
[   27.147912] RAX: ffffffffffffffda RBX: 00000000006dbc6c RCX: 0000000000445db9
[   27.155159] RDX: 0000000000000001 RSI: 000000002010bf14 RDI: 0000000000000004
[   27.162396] RBP: 0000000000000000 R08: 00000000204d9000 R09: 000000000000001c
[   27.169644] R10: 0000000000000000 R11: 0000000000000212 R12: 00000000006dbc68
[   27.176883] R13: 00000000209a9000 R14: 0100000000000000 R15: 0000000000000001
[   27.184243] ==================================================================
[   27.191584] BUG: KASAN: use-after-free in do_raw_spin_lock+0x1e0/0x220
[   27.198218] Read of size 4 at addr ffff8801c154188c by task syzkaller036276/3500
[   27.205729]
[   27.207330] CPU: 0 PID: 3500 Comm: syzkaller036276 Not tainted 4.15.0-rc6+ #250
[   27.214742] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   27.224074] Call Trace:
[   27.226634]  dump_stack+0x194/0x257
[   27.230229]  ? arch_local_irq_restore+0x53/0x53
[   27.234866]  ? show_regs_print_info+0x18/0x18
[   27.239329]  ? lock_acquire+0x1d5/0x580
executing program
[   27.243272]  ? trace_hardirqs_on+0xd/0x10
[   27.247386]  ? do_raw_spin_lock+0x1e0/0x220
[   27.251677]  print_address_description+0x73/0x250
[   27.256493]  ? do_raw_spin_lock+0x1e0/0x220
[   27.260785]  kasan_report+0x25b/0x340
[   27.264556]  __asan_report_load4_noabort+0x14/0x20
[   27.269457]  do_raw_spin_lock+0x1e0/0x220
[   27.273581]  _raw_spin_lock_bh+0x39/0x40
[   27.277613]  ? release_sock+0x74/0x2a0
[   27.281469]  release_sock+0x74/0x2a0
[   27.285151]  ? sctp_prsctp_prune+0x97/0x6f0
[   27.289445]  ? __release_sock+0x360/0x360
[   27.293573]  ? trace_hardirqs_on+0xd/0x10
[   27.297696]  sctp_sendmsg+0x2c61/0x3360
[   27.301641]  ? put_pi_state+0x3c0/0x560
[   27.305591]  ? sctp_id2assoc+0x390/0x390
[   27.309620]  ? avc_has_perm+0x43e/0x680
[   27.313562]  ? avc_has_perm_noaudit+0x520/0x520
[   27.318200]  ? __fget+0x35c/0x570
[   27.321624]  ? iterate_fd+0x3f0/0x3f0
[   27.325397]  ? find_held_lock+0x35/0x1d0
[   27.329431]  ? sock_has_perm+0x2a4/0x420
[   27.333464]  ? lock_release+0x962/0xa40
[   27.337409]  ? trace_event_raw_event_sched_switch+0x800/0x800
[   27.343262]  ? __check_object_size+0x25d/0x4f0
[   27.347815]  inet_sendmsg+0x11f/0x5e0
[   27.351582]  ? inet_sendmsg+0x11f/0x5e0
[   27.355524]  ? __might_sleep+0x95/0x190
[   27.359477]  ? inet_recvmsg+0x5f0/0x5f0
[   27.363423]  ? selinux_socket_sendmsg+0x36/0x40
[   27.368062]  ? security_socket_sendmsg+0x89/0xb0
[   27.372785]  ? inet_recvmsg+0x5f0/0x5f0
[   27.376730]  sock_sendmsg+0xca/0x110
[   27.380413]  SYSC_sendto+0x361/0x5c0
[   27.384094]  ? SYSC_connect+0x4a0/0x4a0
[   27.388037]  ? selinux_secmark_relabel_packet+0xc0/0xc0
[   27.393369]  ? __do_page_fault+0x3d6/0xc90
[   27.397588]  ? selinux_netlbl_sock_rcv_skb+0x730/0x730
[   27.402844]  ? SyS_futex+0x269/0x390
[   27.406524]  ? SyS_setsockopt+0x215/0x360
[   27.410640]  ? do_futex+0x22a0/0x22a0
[   27.414411]  ? entry_SYSCALL_64_fastpath+0x5/0x9a
[   27.419232]  SyS_sendto+0x40/0x50
[   27.422655]  entry_SYSCALL_64_fastpath+0x23/0x9a
[   27.427378] RIP: 0033:0x445db9
[   27.430534] RSP: 002b:00007fb3de9b6d98 EFLAGS: 00000212 ORIG_RAX: 000000000000002c
[   27.438219] RAX: ffffffffffffffda RBX: 00000000006dbc6c RCX: 0000000000445db9
[   27.445458] RDX: 0000000000000001 RSI: 000000002010bf14 RDI: 0000000000000004
[   27.452696] RBP: 0000000000000000 R08: 00000000204d9000 R09: 000000000000001c
[   27.459945] R10: 0000000000000000 R11: 0000000000000212 R12: 00000000006dbc68
[   27.467188] R13: 00000000209a9000 R14: 0100000000000000 R15: 0000000000000001
[   27.474437]
[   27.476035] Allocated by task 3505:
[   27.479637]  save_stack+0x43/0xd0
[   27.483055]  kasan_kmalloc+0xad/0xe0
[   27.486735]  kasan_slab_alloc+0x12/0x20
[   27.490674]  kmem_cache_alloc+0x12e/0x760
[   27.494790]  sk_prot_alloc+0x65/0x2a0
[   27.498567]  sk_alloc+0x105/0x1410
[   27.502074]  sctp_v6_create_accept_sk+0x15a/0x9b0
[   27.506883]  sctp_accept+0x5c4/0x970
[   27.510565]  inet_accept+0x12c/0x930
[   27.514257]  SYSC_accept4+0x38d/0x870
[   27.518023]  SyS_accept+0x26/0x30
[   27.521444]  entry_SYSCALL_64_fastpath+0x23/0x9a
[   27.526165]
[   27.527758] Freed by task 3500:
[   27.531002]  save_stack+0x43/0xd0
[   27.534421]  kasan_slab_free+0x71/0xc0
[   27.538285]  kmem_cache_free+0x83/0x2a0
[   27.542225]  __sk_destruct+0x622/0x910
[   27.546079]  sk_destruct+0x47/0x80
[   27.549584]  __sk_free+0x57/0x230
[   27.553003]  sk_free+0x2a/0x40
[   27.556167]  sctp_association_put+0x14c/0x2f0
[   27.560631]  sctp_wait_for_sndbuf+0x673/0x8d0
[   27.565105]  sctp_sendmsg+0x277d/0x3360
[   27.569057]  inet_sendmsg+0x11f/0x5e0
[   27.572823]  sock_sendmsg+0xca/0x110
[   27.576501]  SYSC_sendto+0x361/0x5c0
[   27.580190]  SyS_sendto+0x40/0x50
[   27.583626]  entry_SYSCALL_64_fastpath+0x23/0x9a
[   27.588344]
[   27.589942] The buggy address belongs to the object at ffff8801c1541800
[   27.589942]  which belongs to the cache SCTPv6 of size 1888
[   27.602222] The buggy address is located 140 bytes inside of
[   27.602222]  1888-byte region [ffff8801c1541800, ffff8801c1541f60)
[   27.614166] The buggy address belongs to the page:
[   27.619068] page:ffffea0007055040 count:1 mapcount:0 mapping:ffff8801c1541000 index:0x0
[   27.627182] flags: 0x2fffc0000000100(slab)
[   27.631383] raw: 02fffc0000000100 ffff8801c1541000 0000000000000000 0000000100000002
[   27.639231] raw: ffffea000705afa0 ffffea00070306a0 ffff8801d31d4500 0000000000000000
[   27.647078] page dumped because: kasan: bad access detected
[   27.652762]
[   27.654356] Memory state around the buggy address:
[   27.659251]  ffff8801c1541780: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   27.666586]  ffff8801c1541800: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   27.673912] >ffff8801c1541880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   27.681238]                                        ^
[   27.684832]  ffff8801c1541900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   27.692178]  ffff8801c1541980: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   27.699501] ==================================================================
[   27.706873] Kernel panic - not syncing: panic_on_warn set ...
[   27.706873]
[   27.714209] CPU: 0 PID: 3500 Comm: syzkaller036276 Tainted: G    B            4.15.0-rc6+ #250
[   27.722926] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   27.732247] Call Trace:
[   27.734811]  dump_stack+0x194/0x257
[   27.738411]  ? arch_local_irq_restore+0x53/0x53
executing program
[   27.743085]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[   27.747824]  ? vsnprintf+0x1ed/0x1900
[   27.751609]  ? do_raw_spin_lock+0x100/0x220
[   27.755901]  panic+0x1e4/0x41c
[   27.759076]  ? refcount_error_report+0x214/0x214
[   27.763812]  ? add_taint+0x1c/0x50
[   27.767328]  ? add_taint+0x1c/0x50
[   27.770839]  ? do_raw_spin_lock+0x1e0/0x220
[   27.775135]  kasan_end_report+0x50/0x50
[   27.779084]  kasan_report+0x144/0x340
[   27.782860]  __asan_report_load4_noabort+0x14/0x20
[   27.787765]  do_raw_spin_lock+0x1e0/0x220
[   27.791889]  _raw_spin_lock_bh+0x39/0x40
[   27.795923]  ? release_sock+0x74/0x2a0
[   27.799783]  release_sock+0x74/0x2a0
[   27.803480]  ? sctp_prsctp_prune+0x97/0x6f0
[   27.807781]  ? __release_sock+0x360/0x360
[   27.811899]  ? trace_hardirqs_on+0xd/0x10
[   27.816035]  sctp_sendmsg+0x2c61/0x3360
[   27.819996]  ? put_pi_state+0x3c0/0x560
[   27.823957]  ? sctp_id2assoc+0x390/0x390
[   27.827989]  ? avc_has_perm+0x43e/0x680
[   27.831932]  ? avc_has_perm_noaudit+0x520/0x520
[   27.836573]  ? __fget+0x35c/0x570
[   27.839997]  ? iterate_fd+0x3f0/0x3f0
[   27.843775]  ? find_held_lock+0x35/0x1d0
[   27.847812]  ? sock_has_perm+0x2a4/0x420
[   27.851845]  ? lock_release+0x962/0xa40
[   27.855790]  ? trace_event_raw_event_sched_switch+0x800/0x800
[   27.861648]  ? __check_object_size+0x25d/0x4f0
[   27.866207]  inet_sendmsg+0x11f/0x5e0
[   27.869979]  ? inet_sendmsg+0x11f/0x5e0
[   27.873934]  ? __might_sleep+0x95/0x190
[   27.877877]  ? inet_recvmsg+0x5f0/0x5f0
[   27.881823]  ? selinux_socket_sendmsg+0x36/0x40
[   27.886459]  ? security_socket_sendmsg+0x89/0xb0
[   27.891182]  ? inet_recvmsg+0x5f0/0x5f0
[   27.895129]  sock_sendmsg+0xca/0x110
[   27.898812]  SYSC_sendto+0x361/0x5c0
[   27.902498]  ? SYSC_connect+0x4a0/0x4a0
[   27.906443]  ? selinux_secmark_relabel_packet+0xc0/0xc0
[   27.911785]  ? __do_page_fault+0x3d6/0xc90
[   27.915995]  ? selinux_netlbl_sock_rcv_skb+0x730/0x730
[   27.921254]  ? SyS_futex+0x269/0x390
[   27.924937]  ? SyS_setsockopt+0x215/0x360
[   27.929058]  ? do_futex+0x22a0/0x22a0
[   27.932830]  ? entry_SYSCALL_64_fastpath+0x5/0x9a
[   27.937645]  SyS_sendto+0x40/0x50
[   27.941070]  entry_SYSCALL_64_fastpath+0x23/0x9a
[   27.945800] RIP: 0033:0x445db9
[   27.948961] RSP: 002b:00007fb3de9b6d98 EFLAGS: 00000212 ORIG_RAX: 000000000000002c
[   27.956636] RAX: ffffffffffffffda RBX: 00000000006dbc6c RCX: 0000000000445db9
[   27.963877] RDX: 0000000000000001 RSI: 000000002010bf14 RDI: 0000000000000004
[   27.971117] RBP: 0000000000000000 R08: 00000000204d9000 R09: 000000000000001c
[   27.978357] R10: 0000000000000000 R11: 0000000000000212 R12: 00000000006dbc68
[   27.985599] R13: 00000000209a9000 R14: 0100000000000000 R15: 0000000000000001
[   27.993237] Dumping ftrace buffer:
[   27.996749]    (ftrace buffer empty)
[   28.000440] Kernel Offset: disabled
[   28.004040] Rebooting in 86400 seconds..