[ ok ] Starting enhanced syslogd: rsyslogd.
[   12.936269] audit: type=1400 audit(1515897912.353:5): avc:  denied  { syslog } for  pid=3508 comm="rsyslogd" capability=34  scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=capability2 permissive=1
[ ok ] Starting periodic command scheduler: cron.
Starting mcstransd:
[ ok ] Starting file context maintaining daemon: restorecond.
[ ok ] Starting OpenBSD Secure Shell server: sshd.

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [   20.421871] audit: type=1400 audit(1515897919.838:6): avc:  denied  { map } for  pid=3647 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
Warning: Permanently added '10.128.15.218' (ECDSA) to the list of known hosts.
executing program
[   26.657379] audit: type=1400 audit(1515897926.074:7): avc:  denied  { map } for  pid=3661 comm="syzkaller549353" path="/root/syzkaller549353953" dev="sda1" ino=16481 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
executing program
executing program
executing program
[   26.841976]
[   26.843629] =========================
[   26.847407] WARNING: held lock freed!
[   26.851174] 4.15.0-rc7-next-20180112+ #96 Not tainted
[   26.856336] -------------------------
[   26.860109] syzkaller549353/3663 is freeing memory 00000000d0c08cd0-00000000a597f0c5, with a lock still held there!
[   26.870652]  (sk_lock-AF_INET6){+.+.}, at: [<000000007472b787>] sctp_wait_for_sndbuf+0x509/0x8d0
[   26.879558] 1 lock held by syzkaller549353/3663:
[   26.884277]  #0:  (sk_lock-AF_INET6){+.+.}, at: [<000000007472b787>] sctp_wait_for_sndbuf+0x509/0x8d0
[   26.893607]
[   26.893607] stack backtrace:
[   26.898071] CPU: 1 PID: 3663 Comm: syzkaller549353 Not tainted 4.15.0-rc7-next-20180112+ #96
[   26.906612] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   26.915932] Call Trace:
[   26.918492]  dump_stack+0x194/0x257
[   26.922097]  ? arch_local_irq_restore+0x53/0x53
[   26.926749]  debug_check_no_locks_freed+0x32f/0x3c0
[   26.931740]  kmem_cache_free+0x68/0x2b0
[   26.935686]  __sk_destruct+0x622/0x910
[   26.939542]  ? kfree+0xd9/0x260
[   26.942788]  ? sock_rfree+0x160/0x160
[   26.946556]  ? sock_sendmsg+0xca/0x110
[   26.950411]  ? SyS_sendto+0x40/0x50
[   26.954009]  ? entry_SYSCALL_64_fastpath+0x29/0xa0
[   26.958911]  ? debug_check_no_obj_freed+0x611/0xf1f
[   26.963911]  ? check_noncircular+0x20/0x20
[   26.968114]  ? print_irqtrace_events+0x270/0x270
[   26.972841]  ? __local_bh_enable_ip+0x121/0x230
[   26.977482]  ? sctp_put_port+0x495/0x640
[   26.981513]  ? sctp_poll+0xc00/0xc00
[   26.985211]  ? refcount_sub_and_test+0x115/0x1b0
[   26.989936]  ? refcount_inc+0x50/0x50
[   26.993702]  ? refcount_inc+0x50/0x50
[   26.997473]  sk_destruct+0x47/0x80
[   27.000981]  __sk_free+0xf1/0x2b0
[   27.004404]  sk_free+0x2a/0x40
[   27.007567]  sctp_association_put+0x14c/0x2f0
[   27.012029]  ? sctp_association_hold+0x20/0x20
[   27.016589]  ? lock_sock_nested+0x91/0x110
[   27.020791]  ? trace_hardirqs_on+0xd/0x10
[   27.024908]  ? __local_bh_enable_ip+0x121/0x230
[   27.029549]  sctp_wait_for_sndbuf+0x673/0x8d0
[   27.034021]  ? sctp_init_sock+0x13b0/0x13b0
[   27.038318]  ? do_raw_spin_trylock+0x190/0x190
[   27.042876]  ? __local_bh_enable_ip+0x121/0x230
[   27.047523]  ? sctp_prsctp_prune+0x97/0x790
[   27.051816]  ? prepare_to_wait+0x4d0/0x4d0
[   27.056021]  ? trace_hardirqs_on+0xd/0x10
[   27.060142]  sctp_sendmsg+0x28f7/0x33f0
[   27.064096]  ? sctp_id2assoc+0x390/0x390
[   27.068126]  ? avc_has_perm+0x43e/0x680
[   27.072079]  ? avc_has_perm_noaudit+0x520/0x520
[   27.076717]  ? __fget+0x35c/0x570
[   27.080143]  ? iterate_fd+0x3f0/0x3f0
[   27.083916]  ? find_held_lock+0x35/0x1d0
[   27.087949]  ? sock_has_perm+0x2a4/0x420
[   27.091992]  ? lock_release+0x972/0xa40
[   27.095936]  ? trace_event_raw_event_sched_switch+0x800/0x800
[   27.101789]  ? __check_object_size+0x8b/0x530
[   27.106257]  inet_sendmsg+0x11f/0x5e0
[   27.110026]  ? inet_sendmsg+0x11f/0x5e0
[   27.113969]  ? __might_sleep+0x95/0x190
[   27.117910]  ? inet_create+0xf50/0xf50
[   27.121765]  ? selinux_socket_sendmsg+0x36/0x40
[   27.126411]  ? security_socket_sendmsg+0x89/0xb0
[   27.131134]  ? inet_create+0xf50/0xf50
[   27.134991]  sock_sendmsg+0xca/0x110
[   27.138674]  SYSC_sendto+0x361/0x5c0
[   27.142359]  ? SYSC_connect+0x4a0/0x4a0
[   27.146301]  ? up_read+0x1a/0x40
[   27.149638]  ? __do_page_fault+0x3d6/0xc90
[   27.153857]  ? __do_page_fault+0xc90/0xc90
[   27.158064]  ? SyS_futex+0x269/0x390
[   27.161753]  ? SyS_setsockopt+0x215/0x360
[   27.165869]  ? do_futex+0x22a0/0x22a0
[   27.169638]  ? entry_SYSCALL_64_fastpath+0x5/0xa0
[   27.174452]  SyS_sendto+0x40/0x50
[   27.177875]  entry_SYSCALL_64_fastpath+0x29/0xa0
[   27.182597] RIP: 0033:0x4457e9
[   27.185756] RSP: 002b:00007efd87daeda8 EFLAGS: 00000216 ORIG_RAX: 000000000000002c
[   27.193429] RAX: ffffffffffffffda RBX: 00000000006dac3c RCX: 00000000004457e9
[   27.200668] RDX: 0000000000000001 RSI: 000000002010bf14 RDI: 0000000000000005
[   27.207905] RBP: 00000000006dac38 R08: 00000000204d9000 R09: 000000000000001c
[   27.215142] R10: 0000000000000000 R11: 0000000000000216 R12: 0000000000000000
[   27.222389] R13: 00007fff1b26e56f R14: 00007efd87daf9c0 R15: 0000000000000001
[   27.229719] ==================================================================
[   27.237069] BUG: KASAN: use-after-free in do_raw_spin_lock+0x1e0/0x220
executing program
[   27.243722] Read of size 4 at addr ffff8801bbd0c88c by task syzkaller549353/3663
[   27.251240]
[   27.252840] CPU: 1 PID: 3663 Comm: syzkaller549353 Not tainted 4.15.0-rc7-next-20180112+ #96
[   27.261387] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   27.270726] Call Trace:
[   27.273287]  dump_stack+0x194/0x257
[   27.276884]  ? arch_local_irq_restore+0x53/0x53
[   27.281528]  ? show_regs_print_info+0x18/0x18
[   27.285993]  ? lock_acquire+0x1d5/0x580
[   27.289951]  ? trace_hardirqs_on+0xd/0x10
[   27.294071]  ? do_raw_spin_lock+0x1e0/0x220
[   27.298361]  print_address_description+0x73/0x250
[   27.303174]  ? do_raw_spin_lock+0x1e0/0x220
[   27.307469]  kasan_report+0x23b/0x360
[   27.311244]  __asan_report_load4_noabort+0x14/0x20
[   27.316146]  do_raw_spin_lock+0x1e0/0x220
[   27.320265]  _raw_spin_lock_bh+0x39/0x40
[   27.324293]  ? release_sock+0x74/0x2a0
[   27.328150]  release_sock+0x74/0x2a0
[   27.331833]  ? sctp_prsctp_prune+0x97/0x790
[   27.336123]  ? __release_sock+0x360/0x360
[   27.340239]  ? trace_hardirqs_on+0xd/0x10
[   27.344358]  sctp_sendmsg+0x2993/0x33f0
[   27.348309]  ? sctp_id2assoc+0x390/0x390
[   27.352340]  ? avc_has_perm+0x43e/0x680
[   27.356285]  ? avc_has_perm_noaudit+0x520/0x520
[   27.360923]  ? __fget+0x35c/0x570
[   27.364348]  ? iterate_fd+0x3f0/0x3f0
[   27.368120]  ? find_held_lock+0x35/0x1d0
[   27.372155]  ? sock_has_perm+0x2a4/0x420
[   27.376187]  ? lock_release+0x972/0xa40
[   27.380128]  ? trace_event_raw_event_sched_switch+0x800/0x800
[   27.385979]  ? __check_object_size+0x8b/0x530
[   27.390633]  inet_sendmsg+0x11f/0x5e0
[   27.394401]  ? inet_sendmsg+0x11f/0x5e0
[   27.398345]  ? __might_sleep+0x95/0x190
[   27.402290]  ? inet_create+0xf50/0xf50
[   27.406147]  ? selinux_socket_sendmsg+0x36/0x40
[   27.410783]  ? security_socket_sendmsg+0x89/0xb0
[   27.415506]  ? inet_create+0xf50/0xf50
[   27.419365]  sock_sendmsg+0xca/0x110
[   27.423048]  SYSC_sendto+0x361/0x5c0
[   27.426734]  ? SYSC_connect+0x4a0/0x4a0
[   27.430676]  ? up_read+0x1a/0x40
[   27.434016]  ? __do_page_fault+0x3d6/0xc90
[   27.438245]  ? __do_page_fault+0xc90/0xc90
[   27.442452]  ? SyS_futex+0x269/0x390
[   27.446139]  ? SyS_setsockopt+0x215/0x360
[   27.450256]  ? do_futex+0x22a0/0x22a0
[   27.454028]  ? entry_SYSCALL_64_fastpath+0x5/0xa0
[   27.458841]  SyS_sendto+0x40/0x50
[   27.462266]  entry_SYSCALL_64_fastpath+0x29/0xa0
[   27.466989] RIP: 0033:0x4457e9
[   27.470146] RSP: 002b:00007efd87daeda8 EFLAGS: 00000216 ORIG_RAX: 000000000000002c
[   27.477822] RAX: ffffffffffffffda RBX: 00000000006dac3c RCX: 00000000004457e9
[   27.485060] RDX: 0000000000000001 RSI: 000000002010bf14 RDI: 0000000000000005
[   27.492297] RBP: 00000000006dac38 R08: 00000000204d9000 R09: 000000000000001c
[   27.499534] R10: 0000000000000000 R11: 0000000000000216 R12: 0000000000000000
[   27.506772] R13: 00007fff1b26e56f R14: 00007efd87daf9c0 R15: 0000000000000001
[   27.514027]
[   27.515622] Allocated by task 3664:
[   27.519221]  save_stack+0x43/0xd0
[   27.522641]  kasan_kmalloc+0xad/0xe0
[   27.526328]  kasan_slab_alloc+0x12/0x20
[   27.530269]  kmem_cache_alloc+0x12e/0x760
[   27.534383]  sk_prot_alloc+0x65/0x2a0
[   27.538149]  sk_alloc+0x105/0x1440
[   27.541658]  sctp_v6_create_accept_sk+0x15a/0x9b0
[   27.546467]  sctp_accept+0x5c4/0x970
[   27.550150]  inet_accept+0x12c/0x930
[   27.553828]  SYSC_accept4+0x38d/0x870
[   27.557594]  SyS_accept4+0x2c/0x40
[   27.561099]  entry_SYSCALL_64_fastpath+0x29/0xa0
[   27.565824]
[   27.567419] Freed by task 3663:
[   27.570667]  save_stack+0x43/0xd0
[   27.574086]  __kasan_slab_free+0x11a/0x170
[   27.578289]  kasan_slab_free+0xe/0x10
[   27.582061]  kmem_cache_free+0x86/0x2b0
[   27.586000]  __sk_destruct+0x622/0x910
[   27.589855]  sk_destruct+0x47/0x80
[   27.593360]  __sk_free+0xf1/0x2b0
[   27.596778]  sk_free+0x2a/0x40
[   27.599940]  sctp_association_put+0x14c/0x2f0
[   27.604402]  sctp_wait_for_sndbuf+0x673/0x8d0
[   27.608863]  sctp_sendmsg+0x28f7/0x33f0
[   27.612804]  inet_sendmsg+0x11f/0x5e0
[   27.616573]  sock_sendmsg+0xca/0x110
[   27.620259]  SYSC_sendto+0x361/0x5c0
[   27.623939]  SyS_sendto+0x40/0x50
[   27.627360]  entry_SYSCALL_64_fastpath+0x29/0xa0
[   27.632079]
[   27.633675] The buggy address belongs to the object at ffff8801bbd0c800
[   27.633675]  which belongs to the cache SCTPv6 of size 1888
[   27.645948] The buggy address is located 140 bytes inside of
[   27.645948]  1888-byte region [ffff8801bbd0c800, ffff8801bbd0cf60)
[   27.657881] The buggy address belongs to the page:
[   27.662783] page:ffffea0006ef4300 count:1 mapcount:0 mapping:ffff8801bbd0c000 index:0x0
[   27.670892] flags: 0x2fffc0000000100(slab)
[   27.675097] raw: 02fffc0000000100 ffff8801bbd0c000 0000000000000000 0000000100000002
[   27.682953] raw: ffffea0006ef9a60 ffffea000765f020 ffff8801d2f4f500 0000000000000000
[   27.690798] page dumped because: kasan: bad access detected
[   27.696472]
[   27.698067] Memory state around the buggy address:
[   27.702961]  ffff8801bbd0c780: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   27.710287]  ffff8801bbd0c800: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   27.717620] >ffff8801bbd0c880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   27.724944]                       ^
[   27.728539]  ffff8801bbd0c900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   27.735876]  ffff8801bbd0c980: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   27.743199] ==================================================================
[   27.750570] Kernel panic - not syncing: panic_on_warn set ...
[   27.750570]
[   27.757920] CPU: 1 PID: 3663 Comm: syzkaller549353 Tainted: G    B            4.15.0-rc7-next-20180112+ #96
[   27.767782] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   27.777111] Call Trace:
[   27.779680]  dump_stack+0x194/0x257
[   27.783282]  ? arch_local_irq_restore+0x53/0x53
[   27.787919]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[   27.792644]  ? vsnprintf+0x1ed/0x1900
[   27.796412]  ? do_raw_spin_lock+0x110/0x220
[   27.800702]  panic+0x1e4/0x41c
[   27.803864]  ? refcount_error_report+0x214/0x214
[   27.808605]  ? add_taint+0x1c/0x50
[   27.812123]  ? add_taint+0x1c/0x50
[   27.815637]  ? do_raw_spin_lock+0x1e0/0x220
[   27.819929]  kasan_end_report+0x50/0x50
[   27.823872]  kasan_report+0x148/0x360
[   27.827642]  __asan_report_load4_noabort+0x14/0x20
[   27.832550]  do_raw_spin_lock+0x1e0/0x220
[   27.836669]  _raw_spin_lock_bh+0x39/0x40
[   27.840698]  ? release_sock+0x74/0x2a0
[   27.844554]  release_sock+0x74/0x2a0
[   27.848235]  ? sctp_prsctp_prune+0x97/0x790
[   27.852529]  ? __release_sock+0x360/0x360
[   27.856653]  ? trace_hardirqs_on+0xd/0x10
[   27.860783]  sctp_sendmsg+0x2993/0x33f0
[   27.864734]  ? sctp_id2assoc+0x390/0x390
[   27.868764]  ? avc_has_perm+0x43e/0x680
[   27.872707]  ? avc_has_perm_noaudit+0x520/0x520
[   27.877346]  ? __fget+0x35c/0x570
[   27.880770]  ? iterate_fd+0x3f0/0x3f0
[   27.884542]  ? find_held_lock+0x35/0x1d0
[   27.888577]  ? sock_has_perm+0x2a4/0x420
[   27.892607]  ? lock_release+0x972/0xa40
[   27.896550]  ? trace_event_raw_event_sched_switch+0x800/0x800
[   27.902401]  ? __check_object_size+0x8b/0x530
[   27.906873]  inet_sendmsg+0x11f/0x5e0
[   27.910641]  ? inet_sendmsg+0x11f/0x5e0
[   27.914581]  ? __might_sleep+0x95/0x190
[   27.918524]  ? inet_create+0xf50/0xf50
[   27.922381]  ? selinux_socket_sendmsg+0x36/0x40
[   27.927021]  ? security_socket_sendmsg+0x89/0xb0
[   27.931747]  ? inet_create+0xf50/0xf50
[   27.935604]  sock_sendmsg+0xca/0x110
[   27.939284]  SYSC_sendto+0x361/0x5c0
[   27.942964]  ? SYSC_connect+0x4a0/0x4a0
[   27.946904]  ? up_read+0x1a/0x40
[   27.950239]  ? __do_page_fault+0x3d6/0xc90
[   27.954451]  ? __do_page_fault+0xc90/0xc90
[   27.958656]  ? SyS_futex+0x269/0x390
[   27.962337]  ? SyS_setsockopt+0x215/0x360
[   27.966453]  ? do_futex+0x22a0/0x22a0
[   27.970224]  ? entry_SYSCALL_64_fastpath+0x5/0xa0
[   27.975048]  SyS_sendto+0x40/0x50
[   27.978477]  entry_SYSCALL_64_fastpath+0x29/0xa0
[   27.983205] RIP: 0033:0x4457e9
[   27.986362] RSP: 002b:00007efd87daeda8 EFLAGS: 00000216 ORIG_RAX: 000000000000002c
[   27.994036] RAX: ffffffffffffffda RBX: 00000000006dac3c RCX: 00000000004457e9
[   28.001278] RDX: 0000000000000001 RSI: 000000002010bf14 RDI: 0000000000000005
[   28.008534] RBP: 00000000006dac38 R08: 00000000204d9000 R09: 000000000000001c
[   28.015771] R10: 0000000000000000 R11: 0000000000000216 R12: 0000000000000000
[   28.023011] R13: 00007fff1b26e56f R14: 00007efd87daf9c0 R15: 0000000000000001
[   28.030745] Dumping ftrace buffer:
[   28.034261]    (ftrace buffer empty)
[   28.037941] Kernel Offset: disabled
[   28.041536] Rebooting in 86400 seconds..
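Added example, not part of the syzbot report above and not kernel or syzkaller code: a small Python triage helper that re-derives from the KASAN section the facts a reviewer checks first, so the report's headline can be cross-checked against its own numbers. It parses the "BUG: KASAN:" and "Read of size" lines, the Allocated/Freed stacks and the shadow-memory rows, computes the faulting address's offset inside the slab object (the report states 140 bytes into an 1888-byte SCTPv6 object), and decodes the shadow byte under the caret with the generic KASAN encoding (one shadow byte per 8 bytes of memory; 0xfb marks a freed slab object, 0xfc a slab redzone). The embedded REPORT is copied from the log above and trimmed to the lines the parser reads; SHADOW_MEANING and ALLOCATOR_FRAMES are this example's own assumptions about which poison values and which stack frames to treat as allocator internals.

```python
import re

# Generic KASAN shadow encoding: one shadow byte describes 8 bytes of memory; the
# poison values are the kernel's KASAN_KMALLOC_FREE (0xfb) / KASAN_KMALLOC_REDZONE (0xfc).
SHADOW_SCALE = 8
SHADOW_MEANING = {0x00: "addressable", 0xfb: "freed slab object", 0xfc: "slab redzone"}
# Frames owned by the allocator and its instrumentation rather than by the object's user (assumption).
ALLOCATOR_FRAMES = ("save_stack", "kasan_", "__kasan_", "kmem_cache_", "kmalloc", "kfree")

TIMESTAMP = re.compile(r"^\[\s*\d+\.\d+\]\s?")
BUG_LINE = re.compile(r"BUG: KASAN: (?P<kind>[\w-]+) in (?P<func>\w+)\+0x")
ACCESS_LINE = re.compile(r"(?P<rw>Read|Write) of size (?P<size>\d+) at addr (?P<addr>[0-9a-f]+) by task (?P<task>\S+)")
OBJECT_LINE = re.compile(r"belongs to the object at (?P<addr>[0-9a-f]+)")
CACHE_LINE = re.compile(r"cache (?P<cache>\S+) of size (?P<size>\d+)")
STACK_HDR = re.compile(r"^(?P<what>Allocated|Freed) by task (?P<pid>\d+):")
FRAME = re.compile(r"^\s*(?P<sym>[A-Za-z_][\w.]*)\+0x[0-9a-f]+/0x[0-9a-f]+")
SHADOW_ROW = re.compile(r"^\s*>?\s*(?P<addr>[0-9a-f]{16}):(?P<bytes>(?:\s[0-9a-f]{2})+)\s*$")

def parse_kasan_report(text):
    """Extract access, object, alloc/free stacks and shadow rows from a KASAN report."""
    r = {"alloc_stack": [], "free_stack": [], "shadow": {}}
    section = None  # which stack listing we are inside, if any
    for raw in text.splitlines():
        line = TIMESTAMP.sub("", raw)  # strip the "[   27.237069] " dmesg prefix
        if m := BUG_LINE.search(line):
            r["kind"], r["func"] = m["kind"], m["func"]
        elif m := ACCESS_LINE.search(line):
            r["rw"], r["access_size"] = m["rw"], int(m["size"])
            r["access_addr"], r["task"] = int(m["addr"], 16), m["task"]
        elif m := OBJECT_LINE.search(line):
            r["object_addr"] = int(m["addr"], 16)
        elif m := CACHE_LINE.search(line):
            r["cache"], r["object_size"] = m["cache"], int(m["size"])
        elif m := STACK_HDR.match(line.strip()):
            section = "alloc" if m["what"] == "Allocated" else "free"
            r[section + "_task"] = int(m["pid"])
        elif m := SHADOW_ROW.match(line):
            r["shadow"][int(m["addr"], 16)] = [int(b, 16) for b in m["bytes"].split()]
        elif section and (m := FRAME.match(line)):
            r[section + "_stack"].append(m["sym"])
        elif not line.strip():
            section = None  # a blank line ends a stack listing
    return r

def offset_in_object(r):
    return r["access_addr"] - r["object_addr"]

def shadow_byte_at(r, addr):
    """Shadow byte covering addr in the dumped rows, or -1 if the dump does not cover it."""
    for base, row in r["shadow"].items():
        if base <= addr < base + len(row) * SHADOW_SCALE:
            return row[(addr - base) // SHADOW_SCALE]
    return -1

def first_non_allocator_frame(stack):
    return next((s for s in stack if not s.startswith(ALLOCATOR_FRAMES)), "")

def triage(r):
    """Cross-check the report's headline against the numbers it prints."""
    off, shadow = offset_in_object(r), shadow_byte_at(r, r["access_addr"])
    return {
        "inside_object": 0 <= off < r["object_size"],
        "shadow": SHADOW_MEANING.get(shadow, f"unknown 0x{shadow:02x}"),
        "consistent": (r["kind"] == "use-after-free") == (shadow == 0xfb),
        "allocated_in": first_non_allocator_frame(r["alloc_stack"]),
        "freed_in": first_non_allocator_frame(r["free_stack"]),
        "same_task_freed_and_accessed": str(r["free_task"]) == r["task"].rsplit("/", 1)[-1],
    }

# Lines copied from the report above, trimmed to what the parser reads.
REPORT = """\
[   27.237069] BUG: KASAN: use-after-free in do_raw_spin_lock+0x1e0/0x220
[   27.243722] Read of size 4 at addr ffff8801bbd0c88c by task syzkaller549353/3663
[   27.515622] Allocated by task 3664:
[   27.519221]  save_stack+0x43/0xd0
[   27.530269]  kmem_cache_alloc+0x12e/0x760
[   27.534383]  sk_prot_alloc+0x65/0x2a0
[   27.541658]  sctp_v6_create_accept_sk+0x15a/0x9b0
[   27.565824]
[   27.567419] Freed by task 3663:
[   27.570667]  save_stack+0x43/0xd0
[   27.582061]  kmem_cache_free+0x86/0x2b0
[   27.586000]  __sk_destruct+0x622/0x910
[   27.599940]  sctp_association_put+0x14c/0x2f0
[   27.604402]  sctp_wait_for_sndbuf+0x673/0x8d0
[   27.608863]  sctp_sendmsg+0x28f7/0x33f0
[   27.632079]
[   27.633675] The buggy address belongs to the object at ffff8801bbd0c800
[   27.633675]  which belongs to the cache SCTPv6 of size 1888
[   27.702961]  ffff8801bbd0c780: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   27.710287]  ffff8801bbd0c800: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   27.717620] >ffff8801bbd0c880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   27.724944]                       ^
"""

if __name__ == "__main__":
    print(triage(parse_kasan_report(REPORT)))
```

For this report the helper returns inside_object and consistent as True: the 4-byte read lands at SCTPv6+140, the shadow byte there is 0xfb (freed), and the same task (3663) both freed the socket (sctp_association_put reached from sctp_wait_for_sndbuf) and then touched it again in release_sock, which matches what the preceding "held lock freed!" lockdep splat says about sk_lock-AF_INET6. Checking the byte just below the object (object_addr - 1) returns 0xfc, the slab redzone, confirming the row decoding is aligned.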