[ 39.736829] audit: type=1800 audit(1574429875.087:30): pid=7571 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:kernel_t:s0 op=collect_data cause=failed(directio) comm="startpar" name="mcstrans" dev="sda1" ino=2490 res=0
Starting mcstransd:
[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting file context maintaining daemon: restorecond.
[ ok ] Starting OpenBSD Secure Shell server: sshd.
Debian GNU/Linux 7 syzkaller ttyS0
syzkaller login: [ 44.966364] kauditd_printk_skb: 4 callbacks suppressed
[ 44.966379] audit: type=1400 audit(1574429880.357:35): avc: denied { map } for pid=7746 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
Warning: Permanently added '10.128.10.56' (ECDSA) to the list of known hosts.
executing program
[ 51.681895] audit: type=1400 audit(1574429887.077:36): avc: denied { map } for pid=7758 comm="syz-executor818" path="/root/syz-executor818180628" dev="sda1" ino=16483 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
[ 51.702364] ------------[ cut here ]------------
[ 51.713518] refcount_t: underflow; use-after-free.
[ 51.718862] WARNING: CPU: 1 PID: 7758 at lib/refcount.c:187 refcount_sub_and_test_checked+0x1c5/0x1f0
[ 51.728250] Kernel panic - not syncing: panic_on_warn set ...
[ 51.728250]
[ 51.735629] CPU: 1 PID: 7758 Comm: syz-executor818 Not tainted 4.19.85-syzkaller #0
[ 51.743415] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 51.752811] Call Trace:
[ 51.755446] dump_stack+0x197/0x210
[ 51.759085] panic+0x26a/0x50e
[ 51.762284] ? __warn_printk+0xf3/0xf3
[ 51.766468] ? refcount_sub_and_test_checked+0x1c5/0x1f0
[ 51.771916] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 51.777465] ? __warn.cold+0x5/0x53
[ 51.781107] ? __warn+0xe8/0x1d0
[ 51.784463] ? refcount_sub_and_test_checked+0x1c5/0x1f0
[ 51.789900] __warn.cold+0x20/0x53
[ 51.793429] ? refcount_sub_and_test_checked+0x1c5/0x1f0
[ 51.798880] report_bug+0x263/0x2b0
[ 51.802502] do_error_trap+0x204/0x360
[ 51.806388] ? math_error+0x340/0x340
[ 51.810173] ? vprintk_emit+0x1ab/0x690
[ 51.814134] ? error_entry+0x7c/0xe0
[ 51.817831] ? trace_hardirqs_off_caller+0x65/0x220
[ 51.822829] ? vprintk_default+0x28/0x30
[ 51.826876] ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 51.831707] do_invalid_op+0x1b/0x20
[ 51.836370] invalid_op+0x14/0x20
[ 51.839810] RIP: 0010:refcount_sub_and_test_checked+0x1c5/0x1f0
[ 51.845853] Code: 1d 99 37 14 06 31 ff 89 de e8 d7 af 47 fe 84 db 75 1a e8 8e ae 47 fe 48 c7 c7 80 2c 82 87 c6 05 79 37 14 06 01 e8 d9 2c 1b fe <0f> 0b 45 31 e4 eb 90 e8 6f ae 47 fe e9 ce fe ff ff 48 89 df e8 12
[ 51.865959] RSP: 0018:ffff88809e6e7550 EFLAGS: 00010286
[ 51.871307] RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000000
[ 51.878573] RDX: 0000000000000000 RSI: ffffffff815595d6 RDI: ffffed1013cdce9c
[ 51.885838] RBP: ffff88809e6e75e0 R08: ffff88809fca4540 R09: ffffed1015d23ee3
[ 51.893098] R10: ffffed1015d23ee2 R11: ffff8880ae91f717 R12: 00000000ffffff01
[ 51.900354] R13: 0000000000008001 R14: 1ffff11013cdceab R15: ffff88809e6e75b8
[ 51.907633] ? vprintk_func+0x86/0x189
[ 51.911525] ? refcount_inc_checked+0x70/0x70
[ 51.916001] ? refcount_inc_checked+0x70/0x70
[ 51.920501] sock_wfree+0xb6/0x180
[ 51.924052] sctp_wfree+0x395/0x960
[ 51.927664] ? __sctp_write_space+0x6b0/0x6b0
[ 51.932147] skb_release_head_state+0x15d/0x2d0
[ 51.936818] skb_release_all+0x16/0x60
[ 51.940820] consume_skb+0xe2/0x380
[ 51.944444] sctp_chunk_put+0x192/0x280
[ 51.948416] sctp_chunk_free+0x56/0x70
[ 51.952313] __sctp_outq_teardown+0x1d0/0xc60
[ 51.956818] sctp_outq_free+0x16/0x20
[ 51.960620] sctp_association_free+0x208/0x79a
[ 51.965201] sctp_do_sm+0x3a73/0x5190
[ 51.969005] ? __lock_is_held+0xb6/0x140
[ 51.973089] ? sctp_do_8_2_transport_strike.isra.0+0x940/0x940
[ 51.979053] ? kmem_cache_alloc_node_trace+0x34f/0x720
[ 51.984329] ? __alloc_skb+0xd5/0x5f0
[ 51.988118] ? kasan_unpoison_shadow+0x35/0x50
[ 51.992700] ? __lock_is_held+0xb6/0x140
[ 51.996759] ? __sanitizer_cov_trace_cmp4+0x16/0x20
[ 52.001768] ? sctp_init_cause+0x1b4/0x240
[ 52.005983] ? __sanitizer_cov_trace_cmp4+0x16/0x20
[ 52.010984] ? skb_put+0x183/0x1e0
[ 52.014508] ? memcpy+0x46/0x50
[ 52.017793] sctp_primitive_ABORT+0xa0/0xd0
[ 52.022110] sctp_close+0x259/0x860
[ 52.025734] ? sctp_init_sock+0x1290/0x1290
[ 52.030049] ? lock_acquire+0x16f/0x3f0
[ 52.034050] ? __sock_release+0x89/0x2a0
[ 52.038094] ? ip_mc_drop_socket+0x20c/0x270
[ 52.042515] inet_release+0xff/0x1e0
[ 52.046234] __sock_release+0xce/0x2a0
[ 52.050118] ? __sock_release+0x2a0/0x2a0
[ 52.054263] sock_close+0x1b/0x30
[ 52.057722] __fput+0x2dd/0x8b0
[ 52.061092] ____fput+0x16/0x20
[ 52.064429] task_work_run+0x145/0x1c0
[ 52.068321] do_exit+0x994/0x2fa0
[ 52.071829] ? mm_update_next_owner+0x660/0x660
[ 52.076491] ? __sys_getsockopt+0x180/0x240
[ 52.080928] ? kernel_setsockopt+0x1d0/0x1d0
[ 52.085513] ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 52.090319] ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 52.095186] do_group_exit+0x135/0x370
[ 52.099093] __x64_sys_exit_group+0x44/0x50
[ 52.103415] do_syscall_64+0xfd/0x620
[ 52.107399] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 52.112575] RIP: 0033:0x43f268
[ 52.115767] Code: Bad RIP value.
[ 52.119112] RSP: 002b:00007ffe2bf71e18 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
[ 52.127028] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 000000000043f268
[ 52.134295] RDX: 0000000000000000 RSI: 000000000000003c RDI: 0000000000000000
[ 52.141567] RBP: 00000000004bea68 R08: 00000000000000e7 R09: ffffffffffffffd0
[ 52.148823] R10: 000000002059aff8 R11: 0000000000000246 R12: 0000000000000001
[ 52.156076] R13: 00000000006d01a0 R14: 0000000000000000 R15: 0000000000000000
[ 52.164875] Kernel Offset: disabled
[ 52.168575] Rebooting in 86400 seconds..