[....] Starting enhanced syslogd: rsyslogd
[   11.464377] audit: type=1400 audit(1515647700.415:5): avc:  denied  { syslog } for  pid=3330 comm="rsyslogd" capability=34  scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=capability2 permissive=1
[ ok ]
[....] Starting periodic command scheduler: cron
[ ok ]
Starting mcstransd:
[....] Starting file context maintaining daemon: restorecond
[ ok ]
[....] Starting OpenBSD Secure Shell server: sshd
[ ok ]

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [   15.877587] audit: type=1400 audit(1515647704.828:6): avc:  denied  { map } for  pid=3470 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
Warning: Permanently added '10.128.0.52' (ECDSA) to the list of known hosts.
net.ipv6.conf.syz0.accept_dad = 0
net.ipv6.conf.syz0.router_solicitations = 0
[   27.942606] audit: type=1400 audit(1515647716.893:7): avc:  denied  { map } for  pid=3486 comm="syzkaller967323" path="/root/syzkaller967323502" dev="sda1" ino=16481 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
executing program
[   28.015655] audit: type=1400 audit(1515647716.965:8): avc:  denied  { sys_admin } for  pid=3486 comm="syzkaller967323" capability=21  scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=cap_userns permissive=1
[   28.047391] audit: type=1400 audit(1515647716.998:9): avc:  denied  { sys_chroot } for  pid=3508 comm="syzkaller967323" capability=18  scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=cap_userns permissive=1
[   28.125699]
[   28.127346] =========================
[   28.131111] WARNING: held lock freed!
[   28.134878] 4.15.0-rc7-mm1+ #53 Not tainted
[   28.139165] -------------------------
[   28.142934] syzkaller967323/3513 is freeing memory 0000000009446ac4-00000000bf67c4f0, with a lock still held there!
[   28.153563]  (sk_lock-AF_INET6){+.+.}, at: [<000000009757a45c>] sctp_wait_for_sndbuf+0x509/0x8d0
[   28.162465] 1 lock held by syzkaller967323/3513:
[   28.167186]  #0:  (sk_lock-AF_INET6){+.+.}, at: [<000000009757a45c>] sctp_wait_for_sndbuf+0x509/0x8d0
[   28.176513]
[   28.176513] stack backtrace:
[   28.180976] CPU: 1 PID: 3513 Comm: syzkaller967323 Not tainted 4.15.0-rc7-mm1+ #53
[   28.188645] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   28.197966] Call Trace:
[   28.200522]  dump_stack+0x194/0x257
[   28.204117]  ? arch_local_irq_restore+0x53/0x53
[   28.208765]  debug_check_no_locks_freed+0x32f/0x3c0
[   28.213752]  kmem_cache_free+0x68/0x2b0
[   28.217695]  __sk_destruct+0x622/0x910
[   28.221546]  ? kfree+0xd9/0x260
[   28.224791]  ? sock_rfree+0x160/0x160
[   28.228558]  ? sock_sendmsg+0xca/0x110
[   28.232408]  ? SyS_sendto+0x40/0x50
[   28.235999]  ? entry_SYSCALL_64_fastpath+0x29/0xa0
[   28.240894]  ? debug_check_no_obj_freed+0x611/0xf1f
[   28.245878]  ? check_noncircular+0x20/0x20
[   28.250082]  ? print_irqtrace_events+0x270/0x270
[   28.254819]  ? __local_bh_enable_ip+0x121/0x230
[   28.259456]  ? sctp_put_port+0x495/0x640
[   28.263485]  ? sctp_poll+0xc00/0xc00
[   28.267167]  ? refcount_sub_and_test+0x115/0x1b0
[   28.271890]  ? refcount_inc+0x50/0x50
[   28.275659]  ? refcount_inc+0x50/0x50
[   28.279438]  sk_destruct+0x47/0x80
[   28.282946]  __sk_free+0xf1/0x2b0
[   28.286365]  sk_free+0x2a/0x40
[   28.289524]  sctp_association_put+0x14c/0x2f0
[   28.293983]  ? sctp_association_hold+0x20/0x20
[   28.298527]  ? lock_sock_nested+0x91/0x110
[   28.302725]  ? trace_hardirqs_on+0xd/0x10
[   28.306836]  ? __local_bh_enable_ip+0x121/0x230
[   28.311472]  sctp_wait_for_sndbuf+0x673/0x8d0
[   28.315938]  ? sctp_init_sock+0x13b0/0x13b0
[   28.320227]  ? do_raw_spin_trylock+0x190/0x190
[   28.324774]  ? __local_bh_enable_ip+0x121/0x230
[   28.329407]  ? sctp_prsctp_prune+0x97/0x790
[   28.333696]  ? prepare_to_wait+0x4d0/0x4d0
[   28.337893]  ? trace_hardirqs_on+0xd/0x10
[   28.342010]  sctp_sendmsg+0x28f7/0x33f0
[   28.345958]  ? sctp_id2assoc+0x390/0x390
[   28.349985]  ? avc_has_perm+0x43e/0x680
[   28.353925]  ? avc_has_perm_noaudit+0x520/0x520
[   28.358559]  ? __fget+0x35c/0x570
[   28.361981]  ? iterate_fd+0x3f0/0x3f0
[   28.365759]  ? find_held_lock+0x35/0x1d0
[   28.369796]  ? sock_has_perm+0x2a4/0x420
[   28.373826]  ? lock_release+0x9e2/0xa40
[   28.377763]  ? trace_event_raw_event_sched_switch+0x800/0x800
[   28.383615]  ? __check_object_size+0x8b/0x530
[   28.388087]  inet_sendmsg+0x11f/0x5e0
[   28.391852]  ? inet_sendmsg+0x11f/0x5e0
[   28.395793]  ? __might_sleep+0x95/0x190
[   28.399731]  ? inet_create+0xf50/0xf50
[   28.403590]  ? selinux_socket_sendmsg+0x36/0x40
[   28.408224]  ? security_socket_sendmsg+0x89/0xb0
[   28.412943]  ? inet_create+0xf50/0xf50
[   28.416796]  sock_sendmsg+0xca/0x110
[   28.420476]  SYSC_sendto+0x361/0x5c0
[   28.424155]  ? SYSC_connect+0x4a0/0x4a0
[   28.428107]  ? selinux_secmark_relabel_packet+0xc0/0xc0
[   28.433444]  ? __do_page_fault+0x3d6/0xc90
[   28.437653]  ? selinux_netlbl_sock_rcv_skb+0x730/0x730
[   28.442912]  ? SyS_futex+0x269/0x390
[   28.446591]  ? SyS_setsockopt+0x215/0x360
[   28.450714]  ? do_futex+0x22a0/0x22a0
[   28.454478]  ? entry_SYSCALL_64_fastpath+0x5/0xa0
[   28.459290]  SyS_sendto+0x40/0x50
[   28.462718]  entry_SYSCALL_64_fastpath+0x29/0xa0
[   28.467439] RIP: 0033:0x44b8b9
[   28.470594] RSP: 002b:00007f10b8140cd8 EFLAGS: 00000216 ORIG_RAX: 000000000000002c
[   28.478270] RAX: ffffffffffffffda RBX: 00000000006f0054 RCX: 000000000044b8b9
[   28.485503] RDX: 0000000000000001 RSI: 000000002010bf14 RDI: 0000000000000004
[   28.492739] RBP: 00000000006f0050 R08: 00000000204d9000 R09: 000000000000001c
[   28.499984] R10: 0000000000000000 R11: 0000000000000216 R12: 0000000000000000
[   28.507219] R13: 00000000007ffe7f R14: 00007f10b81419c0 R15: 0000000000002710
[   28.514705] ==================================================================
[   28.522042] BUG: KASAN: use-after-free in do_raw_spin_lock+0x1e0/0x220
[   28.528678] Read of size 4 at addr ffff8801c07bd88c by task syzkaller967323/3513
[   28.536177]
[   28.537774] CPU: 1 PID: 3513 Comm: syzkaller967323 Not tainted 4.15.0-rc7-mm1+ #53
[   28.545443] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   28.554760] Call Trace:
[   28.557318]  dump_stack+0x194/0x257
[   28.560910]  ? arch_local_irq_restore+0x53/0x53
[   28.565543]  ? show_regs_print_info+0x18/0x18
[   28.570000]  ? lock_acquire+0x1d5/0x580
[   28.573947]  ? trace_hardirqs_on+0xd/0x10
[   28.578062]  ? do_raw_spin_lock+0x1e0/0x220
[   28.582351]  print_address_description+0x73/0x250
[   28.587162]  ? do_raw_spin_lock+0x1e0/0x220
[   28.591453]  kasan_report+0x23b/0x360
[   28.595219]  __asan_report_load4_noabort+0x14/0x20
[   28.600111]  do_raw_spin_lock+0x1e0/0x220
[   28.604229]  _raw_spin_lock_bh+0x39/0x40
[   28.608258]  ? release_sock+0x74/0x2a0
[   28.612117]  release_sock+0x74/0x2a0
[   28.615797]  ? sctp_prsctp_prune+0x97/0x790
[   28.620082]  ? __release_sock+0x360/0x360
[   28.624194]  ? trace_hardirqs_on+0xd/0x10
[   28.628310]  sctp_sendmsg+0x2993/0x33f0
[   28.632255]  ? sctp_id2assoc+0x390/0x390
[   28.636283]  ? avc_has_perm+0x43e/0x680
[   28.640223]  ? avc_has_perm_noaudit+0x520/0x520
[   28.644857]  ? __fget+0x35c/0x570
[   28.648280]  ? iterate_fd+0x3f0/0x3f0
[   28.652047]  ? find_held_lock+0x35/0x1d0
[   28.656078]  ? sock_has_perm+0x2a4/0x420
[   28.660116]  ? lock_release+0x9e2/0xa40
[   28.664054]  ? trace_event_raw_event_sched_switch+0x800/0x800
[   28.669904]  ? __check_object_size+0x8b/0x530
[   28.674367]  inet_sendmsg+0x11f/0x5e0
[   28.678131]  ? inet_sendmsg+0x11f/0x5e0
[   28.682070]  ? __might_sleep+0x95/0x190
[   28.686009]  ? inet_create+0xf50/0xf50
[   28.689865]  ? selinux_socket_sendmsg+0x36/0x40
[   28.694500]  ? security_socket_sendmsg+0x89/0xb0
[   28.699221]  ? inet_create+0xf50/0xf50
[   28.703076]  sock_sendmsg+0xca/0x110
[   28.706760]  SYSC_sendto+0x361/0x5c0
[   28.710440]  ? SYSC_connect+0x4a0/0x4a0
[   28.714379]  ? selinux_secmark_relabel_packet+0xc0/0xc0
[   28.719706]  ? __do_page_fault+0x3d6/0xc90
[   28.723907]  ? selinux_netlbl_sock_rcv_skb+0x730/0x730
[   28.729164]  ? SyS_futex+0x269/0x390
[   28.732859]  ? SyS_setsockopt+0x215/0x360
[   28.736990]  ? do_futex+0x22a0/0x22a0
[   28.740765]  ? entry_SYSCALL_64_fastpath+0x5/0xa0
[   28.745584]  SyS_sendto+0x40/0x50
[   28.749005]  entry_SYSCALL_64_fastpath+0x29/0xa0
[   28.753734] RIP: 0033:0x44b8b9
[   28.756890] RSP: 002b:00007f10b8140cd8 EFLAGS: 00000216 ORIG_RAX: 000000000000002c
[   28.764562] RAX: ffffffffffffffda RBX: 00000000006f0054 RCX: 000000000044b8b9
[   28.771806] RDX: 0000000000000001 RSI: 000000002010bf14 RDI: 0000000000000004
[   28.779043] RBP: 00000000006f0050 R08: 00000000204d9000 R09: 000000000000001c
[   28.786284] R10: 0000000000000000 R11: 0000000000000216 R12: 0000000000000000
[   28.793521] R13: 00000000007ffe7f R14: 00007f10b81419c0 R15: 0000000000002710
[   28.800777]
[   28.802371] Allocated by task 3514:
[   28.805967]  save_stack+0x43/0xd0
[   28.809383]  kasan_kmalloc+0xad/0xe0
[   28.813060]  kasan_slab_alloc+0x12/0x20
[   28.816997]  kmem_cache_alloc+0x12e/0x760
[   28.821108]  sk_prot_alloc+0x65/0x2a0
[   28.824882]  sk_alloc+0x105/0x1440
[   28.828388]  sctp_v6_create_accept_sk+0x15a/0x9b0
[   28.833197]  sctp_accept+0x5c4/0x970
[   28.836873]  inet_accept+0x12c/0x930
[   28.840549]  SYSC_accept4+0x38d/0x870
[   28.844316]  SyS_accept+0x26/0x30
[   28.847735]  entry_SYSCALL_64_fastpath+0x29/0xa0
[   28.852461]
[   28.854054] Freed by task 3513:
[   28.857304]  save_stack+0x43/0xd0
[   28.860723]  __kasan_slab_free+0x11a/0x170
[   28.864926]  kasan_slab_free+0xe/0x10
[   28.868692]  kmem_cache_free+0x86/0x2b0
[   28.872629]  __sk_destruct+0x622/0x910
[   28.876481]  sk_destruct+0x47/0x80
[   28.879983]  __sk_free+0xf1/0x2b0
[   28.883399]  sk_free+0x2a/0x40
[   28.886554]  sctp_association_put+0x14c/0x2f0
[   28.891016]  sctp_wait_for_sndbuf+0x673/0x8d0
[   28.895477]  sctp_sendmsg+0x28f7/0x33f0
[   28.899416]  inet_sendmsg+0x11f/0x5e0
[   28.903188]  sock_sendmsg+0xca/0x110
[   28.906872]  SYSC_sendto+0x361/0x5c0
[   28.910550]  SyS_sendto+0x40/0x50
[   28.913967]  entry_SYSCALL_64_fastpath+0x29/0xa0
[   28.918682]
[   28.920278] The buggy address belongs to the object at ffff8801c07bd800
[   28.920278]  which belongs to the cache SCTPv6 of size 1888
[   28.932548] The buggy address is located 140 bytes inside of
[   28.932548]  1888-byte region [ffff8801c07bd800, ffff8801c07bdf60)
[   28.944472] The buggy address belongs to the page:
[   28.949364] page:ffffea000701ef40 count:1 mapcount:0 mapping:ffff8801c07bd000 index:0x0
[   28.957468] flags: 0x2fffc0000000100(slab)
[   28.961669] raw: 02fffc0000000100 ffff8801c07bd000 0000000000000000 0000000100000002
[   28.969519] raw: ffffea00070083a0 ffff8801d2da1348 ffff8801d2da2080 0000000000000000
[   28.977360] page dumped because: kasan: bad access detected
[   28.983030]
[   28.984621] Memory state around the buggy address:
[   28.989516]  ffff8801c07bd780: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   28.996837]  ffff8801c07bd800: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   29.004158] >ffff8801c07bd880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   29.011479]                                       ^
[   29.015069]  ffff8801c07bd900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   29.022390]  ffff8801c07bd980: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   29.029710] ==================================================================
[   29.037069] Kernel panic - not syncing: panic_on_warn set ...
[   29.037069]
[   29.044400] CPU: 1 PID: 3513 Comm: syzkaller967323 Tainted: G    B            4.15.0-rc7-mm1+ #53
[   29.053370] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   29.062689] Call Trace:
[   29.065246]  dump_stack+0x194/0x257
[   29.068841]  ? arch_local_irq_restore+0x53/0x53
[   29.073476]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[   29.078197]  ? vsnprintf+0x1ed/0x1900
[   29.081963]  ? do_raw_spin_lock+0x180/0x220
[   29.086255]  panic+0x1e4/0x41c
[   29.089411]  ? refcount_error_report+0x214/0x214
[   29.094132]  ? add_taint+0x1c/0x50
[   29.097634]  ? add_taint+0x1c/0x50
[   29.101137]  ? do_raw_spin_lock+0x1e0/0x220
[   29.105425]  kasan_end_report+0x50/0x50
[   29.109361]  kasan_report+0x148/0x360
[   29.113127]  __asan_report_load4_noabort+0x14/0x20
[   29.118021]  do_raw_spin_lock+0x1e0/0x220
[   29.122143]  _raw_spin_lock_bh+0x39/0x40
[   29.126171]  ? release_sock+0x74/0x2a0
[   29.130023]  release_sock+0x74/0x2a0
[   29.133704]  ? sctp_prsctp_prune+0x97/0x790
[   29.137990]  ? __release_sock+0x360/0x360
[   29.142106]  ? trace_hardirqs_on+0xd/0x10
[   29.146224]  sctp_sendmsg+0x2993/0x33f0
[   29.150171]  ? sctp_id2assoc+0x390/0x390
[   29.154199]  ? avc_has_perm+0x43e/0x680
[   29.158151]  ? avc_has_perm_noaudit+0x520/0x520
[   29.162786]  ? __fget+0x35c/0x570
[   29.166211]  ? iterate_fd+0x3f0/0x3f0
[   29.169981]  ? find_held_lock+0x35/0x1d0
[   29.174014]  ? sock_has_perm+0x2a4/0x420
[   29.178042]  ? lock_release+0x9e2/0xa40
[   29.181980]  ? trace_event_raw_event_sched_switch+0x800/0x800
[   29.187828]  ? __check_object_size+0x8b/0x530
[   29.192292]  inet_sendmsg+0x11f/0x5e0
[   29.196056]  ? inet_sendmsg+0x11f/0x5e0
[   29.199996]  ? __might_sleep+0x95/0x190
[   29.203945]  ? inet_create+0xf50/0xf50
[   29.207801]  ? selinux_socket_sendmsg+0x36/0x40
[   29.212522]  ? security_socket_sendmsg+0x89/0xb0
[   29.217244]  ? inet_create+0xf50/0xf50
[   29.221106]  sock_sendmsg+0xca/0x110
[   29.224784]  SYSC_sendto+0x361/0x5c0
[   29.228464]  ? SYSC_connect+0x4a0/0x4a0
[   29.232406]  ? selinux_secmark_relabel_packet+0xc0/0xc0
[   29.237731]  ? __do_page_fault+0x3d6/0xc90
[   29.241934]  ? selinux_netlbl_sock_rcv_skb+0x730/0x730
[   29.247192]  ? SyS_futex+0x269/0x390
[   29.250869]  ? SyS_setsockopt+0x215/0x360
[   29.254981]  ? do_futex+0x22a0/0x22a0
[   29.258745]  ? entry_SYSCALL_64_fastpath+0x5/0xa0
[   29.263554]  SyS_sendto+0x40/0x50
[   29.266973]  entry_SYSCALL_64_fastpath+0x29/0xa0
[   29.271690] RIP: 0033:0x44b8b9
[   29.274843] RSP: 002b:00007f10b8140cd8 EFLAGS: 00000216 ORIG_RAX: 000000000000002c
[   29.282515] RAX: ffffffffffffffda RBX: 00000000006f0054 RCX: 000000000044b8b9
[   29.289752] RDX: 0000000000000001 RSI: 000000002010bf14 RDI: 0000000000000004
[   29.296987] RBP: 00000000006f0050 R08: 00000000204d9000 R09: 000000000000001c
[   29.304221] R10: 0000000000000000 R11: 0000000000000216 R12: 0000000000000000
[   29.311456] R13: 00000000007ffe7f R14: 00007f10b81419c0 R15: 0000000000002710
[   29.318734] Dumping ftrace buffer:
[   29.322238]    (ftrace buffer empty)
[   29.325914] Kernel Offset: disabled
[   29.329508] Rebooting in 86400 seconds..