[....] Starting enhanced syslogd: rsyslogd
[ 12.898941] audit: type=1400 audit(1515891739.117:5): avc: denied { syslog } for pid=3512 comm="rsyslogd" capability=34 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=capability2 permissive=1
[ ok ].
[....] Starting periodic command scheduler: cron [ ok ].
Starting mcstransd:
[....] Starting file context maintaining daemon: restorecond [ ok ].
[....] Starting OpenBSD Secure Shell server: sshd [ ok ].

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login:
[ 19.297495] audit: type=1400 audit(1515891745.516:6): avc: denied { map } for pid=3652 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
Warning: Permanently added '10.128.0.33' (ECDSA) to the list of known hosts.
executing program
[ 25.487590] audit: type=1400 audit(1515891751.706:7): avc: denied { map } for pid=3666 comm="syzkaller075947" path="/root/syzkaller075947484" dev="sda1" ino=16481 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
executing program
executing program
[ 25.620708]
[ 25.622360] =========================
[ 25.626129] WARNING: held lock freed!
[ 25.630507] 4.15.0-rc7-mm1+ #56 Not tainted
[ 25.635151] -------------------------
[ 25.638920] syzkaller075947/3668 is freeing memory 000000003939371c-00000000a02595e7, with a lock still held there!
[ 25.649454] (sk_lock-AF_INET6){+.+.}, at: [<0000000005833725>] sctp_wait_for_sndbuf+0x509/0x8d0
[ 25.658356] 1 lock held by syzkaller075947/3668:
[ 25.663073] #0: (sk_lock-AF_INET6){+.+.}, at: [<0000000005833725>] sctp_wait_for_sndbuf+0x509/0x8d0
[ 25.672401]
[ 25.672401] stack backtrace:
[ 25.676875] CPU: 0 PID: 3668 Comm: syzkaller075947 Not tainted 4.15.0-rc7-mm1+ #56
[ 25.684554] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 25.694047] Call Trace:
[ 25.696607] dump_stack+0x194/0x257
[ 25.700203] ? arch_local_irq_restore+0x53/0x53
[ 25.704863] debug_check_no_locks_freed+0x32f/0x3c0
[ 25.709883] kmem_cache_free+0x68/0x2b0
[ 25.713836] __sk_destruct+0x622/0x910
[ 25.717693] ? kfree+0xd9/0x260
[ 25.720943] ? sock_rfree+0x160/0x160
[ 25.724717] ? sock_sendmsg+0xca/0x110
[ 25.728578] ? SyS_sendto+0x40/0x50
[ 25.732447] ? entry_SYSCALL_64_fastpath+0x29/0xa0
[ 25.737342] ? debug_check_no_obj_freed+0x611/0xf1f
[ 25.742328] ? check_noncircular+0x20/0x20
[ 25.746528] ? print_irqtrace_events+0x270/0x270
[ 25.751255] ? __local_bh_enable_ip+0x121/0x230
[ 25.755891] ? sctp_put_port+0x495/0x640
[ 25.759921] ? sctp_poll+0xc00/0xc00
[ 25.763612] ? refcount_sub_and_test+0x115/0x1b0
[ 25.768332] ? refcount_inc+0x50/0x50
[ 25.772097] ? refcount_inc+0x50/0x50
[ 25.775864] sk_destruct+0x47/0x80
[ 25.779368] __sk_free+0xf1/0x2b0
[ 25.783395] sk_free+0x2a/0x40
[ 25.786554] sctp_association_put+0x14c/0x2f0
[ 25.791018] ? sctp_association_hold+0x20/0x20
[ 25.795672] ? lock_sock_nested+0x91/0x110
[ 25.799874] ? trace_hardirqs_on+0xd/0x10
[ 25.803999] ? __local_bh_enable_ip+0x121/0x230
[ 25.808644] sctp_wait_for_sndbuf+0x673/0x8d0
[ 25.813111] ? sctp_init_sock+0x13b0/0x13b0
[ 25.817399] ? do_raw_spin_trylock+0x190/0x190
[ 25.821946] ? __local_bh_enable_ip+0x121/0x230
[ 25.826580] ? sctp_prsctp_prune+0x97/0x790
[ 25.830870] ? prepare_to_wait+0x4d0/0x4d0
[ 25.835077] ? trace_hardirqs_on+0xd/0x10
[ 25.839194] sctp_sendmsg+0x28f7/0x33f0
[ 25.843143] ? sctp_id2assoc+0x390/0x390
[ 25.847172] ? avc_has_perm+0x43e/0x680
[ 25.851289] ? avc_has_perm_noaudit+0x520/0x520
[ 25.855932] ? __fget+0x35c/0x570
[ 25.859356] ? iterate_fd+0x3f0/0x3f0
[ 25.863127] ? find_held_lock+0x35/0x1d0
[ 25.867159] ? sock_has_perm+0x2a4/0x420
[ 25.871195] ? lock_release+0x9a2/0xa40
[ 25.875136] ? trace_event_raw_event_sched_switch+0x800/0x800
[ 25.880985] ? __check_object_size+0x8b/0x530
[ 25.885451] inet_sendmsg+0x11f/0x5e0
[ 25.889217] ? inet_sendmsg+0x11f/0x5e0
[ 25.893156] ? __might_sleep+0x95/0x190
[ 25.897107] ? inet_create+0xf50/0xf50
[ 25.901575] ? selinux_socket_sendmsg+0x36/0x40
[ 25.906998] ? security_socket_sendmsg+0x89/0xb0
[ 25.911718] ? inet_create+0xf50/0xf50
[ 25.915576] sock_sendmsg+0xca/0x110
[ 25.920131] SYSC_sendto+0x361/0x5c0
[ 25.925118] ? SYSC_connect+0x4a0/0x4a0
[ 25.929065] ? up_read+0x1a/0x40
[ 25.932396] ? __do_page_fault+0x3d6/0xc90
[ 25.936609] ? __do_page_fault+0xc90/0xc90
[ 25.940814] ? SyS_futex+0x269/0x390
[ 25.944497] ? SyS_setsockopt+0x215/0x360
[ 25.948618] ? do_futex+0x22a0/0x22a0
[ 25.952389] ? entry_SYSCALL_64_fastpath+0x5/0xa0
[ 25.957208] SyS_sendto+0x40/0x50
[ 25.960631] entry_SYSCALL_64_fastpath+0x29/0xa0
[ 25.965351] RIP: 0033:0x4457e9
[ 25.968509] RSP: 002b:00007f40b011eda8 EFLAGS: 00000216 ORIG_RAX: 000000000000002c
[ 25.976764] RAX: ffffffffffffffda RBX: 00000000006dac3c RCX: 00000000004457e9
[ 25.984007] RDX: 0000000000000001 RSI: 000000002010bf14 RDI: 0000000000000004
[ 25.991256] RBP: 00000000006dac38 R08: 00000000204d9000 R09: 000000000000001c
[ 25.998492] R10: 0000000000000000 R11: 0000000000000216 R12: 0000000000000000
[ 26.005730] R13: 00007ffe3be6c80f R14: 00007f40b011f9c0 R15: 0000000000000001
[ 26.013102] ==================================================================
[ 26.020439] BUG: KASAN: use-after-free in do_raw_spin_lock+0x1e0/0x220
[ 26.027073] Read of size 4 at addr ffff8801d9a8808c by task syzkaller075947/3668
[ 26.034569]
[ 26.036166] CPU: 0 PID: 3668 Comm: syzkaller075947 Not tainted 4.15.0-rc7-mm1+ #56
[ 26.043842] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 26.053164] Call Trace:
[ 26.055723] dump_stack+0x194/0x257
[ 26.059319] ? arch_local_irq_restore+0x53/0x53
[ 26.063961] ? show_regs_print_info+0x18/0x18
[ 26.068424] ? lock_acquire+0x1d5/0x580
[ 26.072367] ? trace_hardirqs_on+0xd/0x10
[ 26.076482] ? do_raw_spin_lock+0x1e0/0x220
[ 26.080785] print_address_description+0x73/0x250
[ 26.085601] ? do_raw_spin_lock+0x1e0/0x220
[ 26.089888] kasan_report+0x23b/0x360
[ 26.093659] __asan_report_load4_noabort+0x14/0x20
[ 26.098564] do_raw_spin_lock+0x1e0/0x220
[ 26.102695] _raw_spin_lock_bh+0x39/0x40
[ 26.106725] ? release_sock+0x74/0x2a0
[ 26.110583] release_sock+0x74/0x2a0
[ 26.114266] ? sctp_prsctp_prune+0x97/0x790
[ 26.118552] ? __release_sock+0x360/0x360
[ 26.122674] ? trace_hardirqs_on+0xd/0x10
[ 26.126809] sctp_sendmsg+0x2993/0x33f0
[ 26.130765] ? sctp_id2assoc+0x390/0x390
[ 26.134793] ? avc_has_perm+0x43e/0x680
[ 26.138733] ? avc_has_perm_noaudit+0x520/0x520
[ 26.143378] ? __fget+0x35c/0x570
[ 26.146809] ? iterate_fd+0x3f0/0x3f0
[ 26.150587] ? find_held_lock+0x35/0x1d0
[ 26.154618] ? sock_has_perm+0x2a4/0x420
[ 26.158650] ? lock_release+0x9a2/0xa40
[ 26.162590] ? trace_event_raw_event_sched_switch+0x800/0x800
[ 26.168442] ? __check_object_size+0x8b/0x530
[ 26.172915] inet_sendmsg+0x11f/0x5e0
[ 26.176688] ? inet_sendmsg+0x11f/0x5e0
[ 26.180633] ? __might_sleep+0x95/0x190
[ 26.184581] ? inet_create+0xf50/0xf50
[ 26.188436] ? selinux_socket_sendmsg+0x36/0x40
[ 26.193069] ? security_socket_sendmsg+0x89/0xb0
[ 26.197794] ? inet_create+0xf50/0xf50
[ 26.201649] sock_sendmsg+0xca/0x110
[ 26.205328] SYSC_sendto+0x361/0x5c0
[ 26.209019] ? SYSC_connect+0x4a0/0x4a0
[ 26.212961] ? up_read+0x1a/0x40
[ 26.216296] ? __do_page_fault+0x3d6/0xc90
[ 26.220508] ? __do_page_fault+0xc90/0xc90
[ 26.224711] ? SyS_futex+0x269/0x390
[ 26.228391] ? SyS_setsockopt+0x215/0x360
[ 26.232512] ? do_futex+0x22a0/0x22a0
[ 26.236284] ? entry_SYSCALL_64_fastpath+0x5/0xa0
[ 26.241100] SyS_sendto+0x40/0x50
[ 26.244524] entry_SYSCALL_64_fastpath+0x29/0xa0
[ 26.249247] RIP: 0033:0x4457e9
[ 26.252409] RSP: 002b:00007f40b011eda8 EFLAGS: 00000216 ORIG_RAX: 000000000000002c
[ 26.260082] RAX: ffffffffffffffda RBX: 00000000006dac3c RCX: 00000000004457e9
[ 26.267318] RDX: 0000000000000001 RSI: 000000002010bf14 RDI: 0000000000000004
[ 26.274558] RBP: 00000000006dac38 R08: 00000000204d9000 R09: 000000000000001c
[ 26.281796] R10: 0000000000000000 R11: 0000000000000216 R12: 0000000000000000
[ 26.289032] R13: 00007ffe3be6c80f R14: 00007f40b011f9c0 R15: 0000000000000001
[ 26.296280]
[ 26.297875] Allocated by task 3669:
[ 26.301470] save_stack+0x43/0xd0
[ 26.304888] kasan_kmalloc+0xad/0xe0
[ 26.308570] kasan_slab_alloc+0x12/0x20
[ 26.312515] kmem_cache_alloc+0x12e/0x760
[ 26.316629] sk_prot_alloc+0x65/0x2a0
[ 26.320393] sk_alloc+0x105/0x1440
[ 26.323900] sctp_v6_create_accept_sk+0x15a/0x9b0
[ 26.328710] sctp_accept+0x5c4/0x970
[ 26.332397] inet_accept+0x12c/0x930
[ 26.336076] SYSC_accept4+0x38d/0x870
[ 26.339840] SyS_accept4+0x2c/0x40
[ 26.343346] entry_SYSCALL_64_fastpath+0x29/0xa0
[ 26.348063]
[ 26.349654] Freed by task 3668:
[ 26.352904] save_stack+0x43/0xd0
[ 26.356328] __kasan_slab_free+0x11a/0x170
[ 26.360538] kasan_slab_free+0xe/0x10
[ 26.364309] kmem_cache_free+0x86/0x2b0
[ 26.368249] __sk_destruct+0x622/0x910
[ 26.372099] sk_destruct+0x47/0x80
[ 26.375608] __sk_free+0xf1/0x2b0
[ 26.379023] sk_free+0x2a/0x40
[ 26.382185] sctp_association_put+0x14c/0x2f0
[ 26.386647] sctp_wait_for_sndbuf+0x673/0x8d0
[ 26.391118] sctp_sendmsg+0x28f7/0x33f0
[ 26.395059] inet_sendmsg+0x11f/0x5e0
[ 26.398826] sock_sendmsg+0xca/0x110
[ 26.402505] SYSC_sendto+0x361/0x5c0
[ 26.406192] SyS_sendto+0x40/0x50
[ 26.409611] entry_SYSCALL_64_fastpath+0x29/0xa0
[ 26.414331]
[ 26.415925] The buggy address belongs to the object at ffff8801d9a88000
[ 26.415925] which belongs to the cache SCTPv6 of size 1888
[ 26.428197] The buggy address is located 140 bytes inside of
[ 26.428197] 1888-byte region [ffff8801d9a88000, ffff8801d9a88760)
[ 26.440121] The buggy address belongs to the page:
[ 26.445023] page:ffffea000766a200 count:1 mapcount:0 mapping:ffff8801d9a88000 index:0x0
[ 26.453131] flags: 0x2fffc0000000100(slab)
[ 26.457331] raw: 02fffc0000000100 ffff8801d9a88000 0000000000000000 0000000100000002
[ 26.465178] raw: ffffea0007650ba0 ffffea00076b8160 ffff8801d2801800 0000000000000000
[ 26.473020] page dumped because: kasan: bad access detected
[ 26.478697]
[ 26.480288] Memory state around the buggy address:
[ 26.485185] ffff8801d9a87f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 26.492514] ffff8801d9a88000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 26.499838] >ffff8801d9a88080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 26.507176]                                                        ^
[ 26.510767] ffff8801d9a88100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 26.518103] ffff8801d9a88180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 26.525424] ==================================================================
[ 26.532791] Kernel panic - not syncing: panic_on_warn set ...
[ 26.532791]
[ 26.540125] CPU: 0 PID: 3668 Comm: syzkaller075947 Tainted: G B 4.15.0-rc7-mm1+ #56
[ 26.549100] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 26.558419] Call Trace:
[ 26.560984] dump_stack+0x194/0x257
[ 26.564589] ? arch_local_irq_restore+0x53/0x53
[ 26.569228] ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 26.574040] ? vsnprintf+0x1ed/0x1900
[ 26.577809] ? do_raw_spin_lock+0x140/0x220
[ 26.582101] panic+0x1e4/0x41c
[ 26.585260] ? refcount_error_report+0x214/0x214
[ 26.589987] ? add_taint+0x1c/0x50
[ 26.593502] ? add_taint+0x1c/0x50
[ 26.597018] ? do_raw_spin_lock+0x1e0/0x220
[ 26.601308] kasan_end_report+0x50/0x50
[ 26.605255] kasan_report+0x148/0x360
[ 26.609030] __asan_report_load4_noabort+0x14/0x20
[ 26.613928] do_raw_spin_lock+0x1e0/0x220
[ 26.618042] _raw_spin_lock_bh+0x39/0x40
[ 26.622070] ? release_sock+0x74/0x2a0
[ 26.625924] release_sock+0x74/0x2a0
[ 26.629646] ? sctp_prsctp_prune+0x97/0x790
[ 26.633934] ? __release_sock+0x360/0x360
[ 26.638051] ? trace_hardirqs_on+0xd/0x10
[ 26.642171] sctp_sendmsg+0x2993/0x33f0
[ 26.646125] ? sctp_id2assoc+0x390/0x390
[ 26.650154] ? avc_has_perm+0x43e/0x680
[ 26.654096] ? avc_has_perm_noaudit+0x520/0x520
[ 26.658732] ? __fget+0x35c/0x570
[ 26.662154] ? iterate_fd+0x3f0/0x3f0
[ 26.665933] ? find_held_lock+0x35/0x1d0
[ 26.669965] ? sock_has_perm+0x2a4/0x420
[ 26.673992] ? lock_release+0x9a2/0xa40
[ 26.677933] ? trace_event_raw_event_sched_switch+0x800/0x800
[ 26.683788] ? __check_object_size+0x8b/0x530
[ 26.688254] inet_sendmsg+0x11f/0x5e0
[ 26.692020] ? inet_sendmsg+0x11f/0x5e0
[ 26.696052] ? __might_sleep+0x95/0x190
[ 26.699994] ? inet_create+0xf50/0xf50
[ 26.703849] ? selinux_socket_sendmsg+0x36/0x40
[ 26.708485] ? security_socket_sendmsg+0x89/0xb0
[ 26.713213] ? inet_create+0xf50/0xf50
[ 26.717068] sock_sendmsg+0xca/0x110
[ 26.720751] SYSC_sendto+0x361/0x5c0
[ 26.724440] ? SYSC_connect+0x4a0/0x4a0
[ 26.728381] ? up_read+0x1a/0x40
[ 26.731714] ? __do_page_fault+0x3d6/0xc90
[ 26.735934] ? __do_page_fault+0xc90/0xc90
[ 26.740138] ? SyS_futex+0x269/0x390
[ 26.743821] ? SyS_setsockopt+0x215/0x360
[ 26.747937] ? do_futex+0x22a0/0x22a0
[ 26.751708] ? entry_SYSCALL_64_fastpath+0x5/0xa0
[ 26.756521] SyS_sendto+0x40/0x50
[ 26.759953] entry_SYSCALL_64_fastpath+0x29/0xa0
[ 26.764678] RIP: 0033:0x4457e9
[ 26.767837] RSP: 002b:00007f40b011eda8 EFLAGS: 00000216 ORIG_RAX: 000000000000002c
[ 26.775522] RAX: ffffffffffffffda RBX: 00000000006dac3c RCX: 00000000004457e9
[ 26.782760] RDX: 0000000000000001 RSI: 000000002010bf14 RDI: 0000000000000004
[ 26.789996] RBP: 00000000006dac38 R08: 00000000204d9000 R09: 000000000000001c
[ 26.797238] R10: 0000000000000000 R11: 0000000000000216 R12: 0000000000000000
[ 26.804483] R13: 00007ffe3be6c80f R14: 00007f40b011f9c0 R15: 0000000000000001
[ 26.811765] Dumping ftrace buffer:
[ 26.815273] (ftrace buffer empty)
[ 26.818952] Kernel Offset: disabled
[ 26.822546] Rebooting in 86400 seconds..