[ 36.632899][ T27] audit: type=1800 audit(1549240378.159:27): pid=7623 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="restorecond" dev="sda1" ino=2436 res=0
[ 36.669645][ T27] audit: type=1800 audit(1549240378.159:28): pid=7623 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="ssh" dev="sda1" ino=2417 res=0
[....] Starting periodic command scheduler: cron[?25l[?1c7[ ok 8[?25h[?0c.
[....] Starting OpenBSD Secure Shell server: sshd[?25l[?1c7[ ok 8[?25h[?0c.
[ 37.274868][ T27] audit: type=1800 audit(1549240378.869:29): pid=7623 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="rc.local" dev="sda1" ino=2432 res=0
[ 37.301346][ T27] audit: type=1800 audit(1549240378.869:30): pid=7623 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="rmnologin" dev="sda1" ino=2423 res=0

Debian GNU/Linux 7 syzkaller ttyS0

Warning: Permanently added '10.128.10.50' (ECDSA) to the list of known hosts.
executing program
syzkaller login: [ 47.653051][ T7775] ==================================================================
[ 47.661221][ T7775] BUG: KASAN: double-free or invalid-free in sctp_stream_free+0xfa/0x190
[ 47.669626][ T7775]
[ 47.671934][ T7775] CPU: 0 PID: 7775 Comm: syz-executor682 Not tainted 5.0.0-rc4-next-20190201 #25
[ 47.681011][ T7775] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 47.691040][ T7775] Call Trace:
[ 47.694311][ T7775] dump_stack+0x172/0x1f0
[ 47.698627][ T7775] print_address_description.cold+0x7c/0x20d
[ 47.704582][ T7775] ? sctp_stream_free+0xfa/0x190
[ 47.709499][ T7775] kasan_report_invalid_free+0x65/0xa0
[ 47.714933][ T7775] ? sctp_stream_free+0xfa/0x190
[ 47.719850][ T7775] __kasan_slab_free+0x13a/0x150
[ 47.724770][ T7775] ? sctp_stream_free+0xfa/0x190
[ 47.729685][ T7775] kasan_slab_free+0xe/0x10
[ 47.734164][ T7775] kfree+0xcf/0x230
[ 47.737951][ T7775] sctp_stream_free+0xfa/0x190
[ 47.742696][ T7775] sctp_association_free+0x235/0x79a
[ 47.747961][ T7775] sctp_do_sm+0x3c4e/0x5380
[ 47.752438][ T7775] ? ____fput+0x16/0x20
[ 47.756570][ T7775] ? task_work_run+0x14a/0x1c0
[ 47.761320][ T7775] ? sctp_do_8_2_transport_strike.isra.0+0x940/0x940
[ 47.767971][ T7775] ? mark_held_locks+0xf0/0xf0
[ 47.772716][ T7775] ? sctp_assoc_bh_rcv+0x2fc/0x660
[ 47.777802][ T7775] ? find_held_lock+0x35/0x130
[ 47.782540][ T7775] ? sctp_assoc_bh_rcv+0x2fc/0x660
[ 47.787638][ T7775] ? kvm_clock_read+0x18/0x30
[ 47.792290][ T7775] ? __sanitizer_cov_trace_cmp4+0x16/0x20
[ 47.797988][ T7775] ? ktime_get+0x208/0x300
[ 47.802384][ T7775] sctp_assoc_bh_rcv+0x343/0x660
[ 47.807306][ T7775] sctp_inq_push+0x1ea/0x290
[ 47.811873][ T7775] sctp_backlog_rcv+0x196/0xbe0
[ 47.816708][ T7775] ? __local_bh_enable_ip+0x15a/0x270
[ 47.822069][ T7775] ? _raw_spin_unlock_bh+0x31/0x40
[ 47.827157][ T7775] ? __local_bh_enable_ip+0x15a/0x270
[ 47.832504][ T7775] ? sctp_hash_obj+0x5e0/0x5e0
[ 47.837262][ T7775] ? __release_sock+0xca/0x3a0
[ 47.842005][ T7775] ? __local_bh_enable_ip+0x15a/0x270
[ 47.847359][ T7775] __release_sock+0x12e/0x3a0
[ 47.852014][ T7775] release_sock+0x59/0x1c0
[ 47.856406][ T7775] sctp_close+0x4a4/0x860
[ 47.860718][ T7775] ? sctp_init_sock+0x1360/0x1360
[ 47.865723][ T7775] ? lock_acquire+0x16f/0x3f0
[ 47.870377][ T7775] ? __sock_release+0x89/0x250
[ 47.875116][ T7775] ? ip_mc_drop_socket+0x20c/0x270
[ 47.880207][ T7775] inet_release+0x105/0x1f0
[ 47.884695][ T7775] __sock_release+0xd3/0x250
[ 47.889268][ T7775] ? __sock_release+0x250/0x250
[ 47.894093][ T7775] sock_close+0x1b/0x30
[ 47.898226][ T7775] __fput+0x2df/0x8d0
[ 47.902197][ T7775] ____fput+0x16/0x20
[ 47.906157][ T7775] task_work_run+0x14a/0x1c0
[ 47.910725][ T7775] do_exit+0x90a/0x2fa0
[ 47.914858][ T7775] ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[ 47.921077][ T7775] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 47.927293][ T7775] ? __sys_sendmsg+0x51/0x1d0
[ 47.931947][ T7775] ? mm_update_next_owner+0x660/0x660
[ 47.937303][ T7775] ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 47.942736][ T7775] ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 47.948177][ T7775] do_group_exit+0x135/0x370
[ 47.952743][ T7775] __x64_sys_exit_group+0x44/0x50
[ 47.957748][ T7775] do_syscall_64+0x103/0x610
[ 47.962321][ T7775] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 47.968187][ T7775] RIP: 0033:0x43edd8
[ 47.972061][ T7775] Code: Bad RIP value.
[ 47.976101][ T7775] RSP: 002b:00007fff92021088 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
[ 47.984503][ T7775] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 000000000043edd8
[ 47.992452][ T7775] RDX: 0000000000000000 RSI: 000000000000003c RDI: 0000000000000000
[ 48.000400][ T7775] RBP: 00000000004be688 R08: 00000000000000e7 R09: ffffffffffffffd0
[ 48.008349][ T7775] R10: 0000000000000010 R11: 0000000000000246 R12: 0000000000000001
[ 48.016327][ T7775] R13: 00000000006d0180 R14: 0000000000000000 R15: 0000000000000000
[ 48.024285][ T7775]
[ 48.026590][ T7775] Allocated by task 7775:
[ 48.030903][ T7775] save_stack+0x45/0xd0
[ 48.035033][ T7775] __kasan_kmalloc.constprop.0+0xcf/0xe0
[ 48.040639][ T7775] kasan_kmalloc+0x9/0x10
[ 48.044958][ T7775] kmem_cache_alloc_trace+0x151/0x760
[ 48.050324][ T7775] sctp_stream_init_ext+0x51/0x110
[ 48.055422][ T7775] sctp_sendmsg_to_asoc+0x1273/0x17b0
[ 48.060769][ T7775] sctp_sendmsg+0x81f/0x17f0
[ 48.065352][ T7775] inet_sendmsg+0x147/0x5d0
[ 48.069846][ T7775] sock_sendmsg+0xdd/0x130
[ 48.074240][ T7775] ___sys_sendmsg+0x806/0x930
[ 48.078897][ T7775] __sys_sendmsg+0x105/0x1d0
[ 48.083459][ T7775] __x64_sys_sendmsg+0x78/0xb0
[ 48.088200][ T7775] do_syscall_64+0x103/0x610
[ 48.092768][ T7775] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 48.098629][ T7775]
[ 48.100935][ T7775] Freed by task 7775:
[ 48.104907][ T7775] save_stack+0x45/0xd0
[ 48.109036][ T7775] __kasan_slab_free+0x102/0x150
[ 48.113949][ T7775] kasan_slab_free+0xe/0x10
[ 48.118427][ T7775] kfree+0xcf/0x230
[ 48.122208][ T7775] sctp_stream_outq_migrate+0x3e6/0x540
[ 48.127733][ T7775] sctp_stream_init+0xbc/0x410
[ 48.132474][ T7775] sctp_process_init+0x21c3/0x2b20
[ 48.137560][ T7775] sctp_do_sm+0x3145/0x5380
[ 48.142036][ T7775] sctp_assoc_bh_rcv+0x343/0x660
[ 48.146949][ T7775] sctp_inq_push+0x1ea/0x290
[ 48.151511][ T7775] sctp_backlog_rcv+0x196/0xbe0
[ 48.156335][ T7775] __release_sock+0x12e/0x3a0
[ 48.160988][ T7775] release_sock+0x59/0x1c0
[ 48.165376][ T7775] sctp_wait_for_connect+0x316/0x540
[ 48.170636][ T7775] sctp_sendmsg_to_asoc+0x13e3/0x17b0
[ 48.175977][ T7775] sctp_sendmsg+0x81f/0x17f0
[ 48.180541][ T7775] inet_sendmsg+0x147/0x5d0
[ 48.185038][ T7775] sock_sendmsg+0xdd/0x130
[ 48.189430][ T7775] ___sys_sendmsg+0x806/0x930
[ 48.194080][ T7775] __sys_sendmsg+0x105/0x1d0
[ 48.198646][ T7775] __x64_sys_sendmsg+0x78/0xb0
[ 48.203384][ T7775] do_syscall_64+0x103/0x610
[ 48.207950][ T7775] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 48.213827][ T7775]
[ 48.216134][ T7775] The buggy address belongs to the object at ffff8880a7e2c480
[ 48.216134][ T7775]  which belongs to the cache kmalloc-96 of size 96
[ 48.229988][ T7775] The buggy address is located 0 bytes inside of
[ 48.229988][ T7775]  96-byte region [ffff8880a7e2c480, ffff8880a7e2c4e0)
[ 48.242966][ T7775] The buggy address belongs to the page:
[ 48.248575][ T7775] page:ffffea00029f8b00 count:1 mapcount:0 mapping:ffff88812c3f04c0 index:0xffff8880a7e2c300
[ 48.258723][ T7775] flags: 0x1fffc0000000200(slab)
[ 48.263651][ T7775] raw: 01fffc0000000200 ffffea00029f9908 ffff88812c3f1438 ffff88812c3f04c0
[ 48.272227][ T7775] raw: ffff8880a7e2c300 ffff8880a7e2c000 0000000100000012 0000000000000000
[ 48.280805][ T7775] page dumped because: kasan: bad access detected
[ 48.287185][ T7775]
[ 48.289487][ T7775] Memory state around the buggy address:
[ 48.295090][ T7775]  ffff8880a7e2c380: 00 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc
[ 48.303125][ T7775]  ffff8880a7e2c400: fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
[ 48.311159][ T7775] >ffff8880a7e2c480: fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
[ 48.319191][ T7775]                    ^
[ 48.323256][ T7775]  ffff8880a7e2c500: fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
[ 48.331293][ T7775]  ffff8880a7e2c580: fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
[ 48.339325][ T7775] ==================================================================
[ 48.347391][ T7775] Disabling lock debugging due to kernel taint
[ 48.353528][ T7775] Kernel panic - not syncing: panic_on_warn set ...
[ 48.360092][ T7775] CPU: 0 PID: 7775 Comm: syz-executor682 Tainted: G B 5.0.0-rc4-next-20190201 #25
[ 48.370557][ T7775] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 48.380585][ T7775] Call Trace:
[ 48.383851][ T7775] dump_stack+0x172/0x1f0
[ 48.388160][ T7775] panic+0x2cb/0x65c
[ 48.392043][ T7775] ? __warn_printk+0xf3/0xf3
[ 48.396609][ T7775] ? lock_downgrade+0x880/0x880
[ 48.401437][ T7775] ? sctp_stream_free+0xfa/0x190
[ 48.406347][ T7775] ? trace_hardirqs_off+0x62/0x220
[ 48.411430][ T7775] ? trace_hardirqs_off+0x59/0x220
[ 48.416517][ T7775] ? sctp_stream_free+0xfa/0x190
[ 48.421435][ T7775] end_report+0x47/0x4f
[ 48.425571][ T7775] kasan_report_invalid_free+0x82/0xa0
[ 48.431019][ T7775] ? sctp_stream_free+0xfa/0x190
[ 48.435947][ T7775] __kasan_slab_free+0x13a/0x150
[ 48.440872][ T7775] ? sctp_stream_free+0xfa/0x190
[ 48.445784][ T7775] kasan_slab_free+0xe/0x10
[ 48.450265][ T7775] kfree+0xcf/0x230
[ 48.454066][ T7775] sctp_stream_free+0xfa/0x190
[ 48.458805][ T7775] sctp_association_free+0x235/0x79a
[ 48.464064][ T7775] sctp_do_sm+0x3c4e/0x5380
[ 48.468539][ T7775] ? ____fput+0x16/0x20
[ 48.472667][ T7775] ? task_work_run+0x14a/0x1c0
[ 48.477408][ T7775] ? sctp_do_8_2_transport_strike.isra.0+0x940/0x940
[ 48.484054][ T7775] ? mark_held_locks+0xf0/0xf0
[ 48.488798][ T7775] ? sctp_assoc_bh_rcv+0x2fc/0x660
[ 48.493879][ T7775] ? find_held_lock+0x35/0x130
[ 48.498620][ T7775] ? sctp_assoc_bh_rcv+0x2fc/0x660
[ 48.503709][ T7775] ? kvm_clock_read+0x18/0x30
[ 48.508360][ T7775] ? __sanitizer_cov_trace_cmp4+0x16/0x20
[ 48.514051][ T7775] ? ktime_get+0x208/0x300
[ 48.518442][ T7775] sctp_assoc_bh_rcv+0x343/0x660
[ 48.523356][ T7775] sctp_inq_push+0x1ea/0x290
[ 48.527919][ T7775] sctp_backlog_rcv+0x196/0xbe0
[ 48.532742][ T7775] ? __local_bh_enable_ip+0x15a/0x270
[ 48.538091][ T7775] ? _raw_spin_unlock_bh+0x31/0x40
[ 48.543173][ T7775] ? __local_bh_enable_ip+0x15a/0x270
[ 48.548517][ T7775] ? sctp_hash_obj+0x5e0/0x5e0
[ 48.553275][ T7775] ? __release_sock+0xca/0x3a0
[ 48.558015][ T7775] ? __local_bh_enable_ip+0x15a/0x270
[ 48.563359][ T7775] __release_sock+0x12e/0x3a0
[ 48.568010][ T7775] release_sock+0x59/0x1c0
[ 48.572398][ T7775] sctp_close+0x4a4/0x860
[ 48.576717][ T7775] ? sctp_init_sock+0x1360/0x1360
[ 48.581760][ T7775] ? lock_acquire+0x16f/0x3f0
[ 48.586410][ T7775] ? __sock_release+0x89/0x250
[ 48.591149][ T7775] ? ip_mc_drop_socket+0x20c/0x270
[ 48.596259][ T7775] inet_release+0x105/0x1f0
[ 48.600753][ T7775] __sock_release+0xd3/0x250
[ 48.605321][ T7775] ? __sock_release+0x250/0x250
[ 48.610144][ T7775] sock_close+0x1b/0x30
[ 48.614277][ T7775] __fput+0x2df/0x8d0
[ 48.618240][ T7775] ____fput+0x16/0x20
[ 48.622199][ T7775] task_work_run+0x14a/0x1c0
[ 48.626764][ T7775] do_exit+0x90a/0x2fa0
[ 48.630895][ T7775] ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[ 48.637109][ T7775] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 48.643319][ T7775] ? __sys_sendmsg+0x51/0x1d0
[ 48.647969][ T7775] ? mm_update_next_owner+0x660/0x660
[ 48.653317][ T7775] ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 48.658772][ T7775] ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 48.664218][ T7775] do_group_exit+0x135/0x370
[ 48.668787][ T7775] __x64_sys_exit_group+0x44/0x50
[ 48.673782][ T7775] do_syscall_64+0x103/0x610
[ 48.678349][ T7775] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 48.684213][ T7775] RIP: 0033:0x43edd8
[ 48.688109][ T7775] Code: Bad RIP value.
[ 48.692143][ T7775] RSP: 002b:00007fff92021088 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
[ 48.700527][ T7775] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 000000000043edd8
[ 48.708478][ T7775] RDX: 0000000000000000 RSI: 000000000000003c RDI: 0000000000000000
[ 48.716421][ T7775] RBP: 00000000004be688 R08: 00000000000000e7 R09: ffffffffffffffd0
[ 48.724381][ T7775] R10: 0000000000000010 R11: 0000000000000246 R12: 0000000000000001
[ 48.732325][ T7775] R13: 00000000006d0180 R14: 0000000000000000 R15: 0000000000000000
[ 48.741160][ T7775] Kernel Offset: disabled
[ 48.745476][ T7775] Rebooting in 86400 seconds..