[?25l[?1c7[ ok 8[?25h[?0c. [....] Starting periodic command scheduler: cron[?25l[?1c7[ ok 8[?25h[?0c. Starting mcstransd: [....] Starting file context maintaining daemon: restorecond[?25l[?1c7[ ok 8[?25h[?0c. [....] Starting OpenBSD Secure Shell server: sshd[?25l[?1c7[ ok 8[?25h[?0c. [ 11.362425] audit: type=1400 audit(1514170028.558:6): avc: denied { map } for pid=3128 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1 Debian GNU/Linux 7 syzkaller ttyS0 Warning: Permanently added 'ci-upstream-next-kasan-gce-4,10.128.15.215' (ECDSA) to the list of known hosts. executing program syzkaller login: [ 29.595538] audit: type=1400 audit(1514170046.791:7): avc: denied { map } for pid=3145 comm="syzkaller126474" path="/root/syzkaller126474306" dev="sda1" ino=16481 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1 [ 29.623924] ================================================================== [ 29.631310] BUG: KASAN: use-after-free in refcount_inc_not_zero+0x16e/0x180 [ 29.638383] Read of size 4 at addr ffff8801c8cfce00 by task syzkaller126474/3146 [ 29.645881] [ 29.647483] CPU: 0 PID: 3146 Comm: syzkaller126474 Not tainted 4.15.0-rc4-next-20171221+ #78 [ 29.656634] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 29.666136] Call Trace: [ 29.668700] dump_stack+0x194/0x257 [ 29.672298] ? arch_local_irq_restore+0x53/0x53 [ 29.676935] ? show_regs_print_info+0x18/0x18 [ 29.681406] ? refcount_inc_not_zero+0x16e/0x180 [ 29.686133] print_address_description+0x73/0x250 [ 29.690968] ? refcount_inc_not_zero+0x16e/0x180 [ 29.695693] kasan_report+0x25b/0x340 [ 29.699464] __asan_report_load4_noabort+0x14/0x20 [ 29.704363] refcount_inc_not_zero+0x16e/0x180 [ 29.708915] ? refcount_add+0x60/0x60 [ 29.712685] ? print_irqtrace_events+0x270/0x270 [ 29.717414] ? do_mq_timedreceive+0xf40/0xf40 [ 29.721879] refcount_inc+0x15/0x50 [ 29.725476] mqueue_evict_inode+0x137/0x9c0 [ 29.729768] ? inode_wait_for_writeback+0x2f/0x40 [ 29.734577] ? lock_downgrade+0x980/0x980 [ 29.738697] ? do_mq_timedreceive+0xf40/0xf40 [ 29.743160] ? __inode_wait_for_writeback+0x292/0x330 [ 29.748320] ? do_raw_spin_trylock+0x190/0x190 [ 29.752875] ? bit_waitqueue+0x30/0x30 [ 29.756736] ? _raw_spin_unlock+0x22/0x30 [ 29.760853] ? do_mq_timedreceive+0xf40/0xf40 [ 29.765318] evict+0x481/0x920 [ 29.768483] ? destroy_inode+0x200/0x200 [ 29.772515] ? iput+0x7b1/0xaf0 [ 29.775775] ? lock_downgrade+0x980/0x980 [ 29.779897] ? _raw_spin_lock+0x32/0x40 [ 29.783838] ? _atomic_dec_and_lock+0x125/0x196 [ 29.788476] ? do_raw_spin_trylock+0x190/0x190 [ 29.793027] ? cpumask_local_spread+0x260/0x260 [ 29.797672] ? reacquire_held_locks+0x1f9/0x3e0 [ 29.802305] ? reacquire_held_locks+0x1f9/0x3e0 [ 29.806943] ? shrink_dentry_list+0x3b0/0xcf0 [ 29.811411] iput+0x7b9/0xaf0 [ 29.814492] ? evict_inodes+0x580/0x580 [ 29.818439] ? dentry_unlink_inode+0x38e/0x5e0 [ 29.822994] ? lock_downgrade+0x980/0x980 [ 29.827124] ? reacquire_held_locks+0x1f9/0x3e0 [ 29.831759] ? reacquire_held_locks+0x1f9/0x3e0 [ 29.836409] ? do_raw_spin_trylock+0x190/0x190 [ 29.840965] ? find_held_lock+0x138/0x1d0 [ 29.845087] dentry_unlink_inode+0x4b0/0x5e0 [ 29.849463] ? __dentry_kill+0x37b/0x6d0 [ 29.853495] ? release_dentry_name_snapshot+0x70/0x70 [ 29.858656] ? __lock_acquire+0x664/0x3e00 [ 29.862861] ? __d_drop+0x2b9/0x4b0 [ 29.866466] ? do_raw_spin_trylock+0x190/0x190 [ 29.871018] ? d_exact_alias+0x620/0x620 [ 29.875061] ? lock_acquire+0x1d5/0x580 [ 29.879003] ? lock_acquire+0x1d5/0x580 [ 29.882951] __dentry_kill+0x3b7/0x6d0 [ 29.886821] ? check_and_drop+0x170/0x170 [ 29.890938] ? lock_downgrade+0x980/0x980 [ 29.895074] shrink_dentry_list+0x3c5/0xcf0 [ 29.899720] ? d_add+0xa70/0xa70 [ 29.903844] ? d_shrink_add+0x280/0x280 [ 29.907787] ? dget_parent+0x5b0/0x5b0 [ 29.911651] ? trace_hardirqs_off+0xd/0x10 [ 29.915860] ? find_held_lock+0x35/0x1d0 [ 29.919897] shrink_dcache_parent+0xba/0x230 [ 29.924277] ? path_has_submounts+0x1a0/0x1a0 [ 29.928751] ? lock_release+0xa40/0xa40 [ 29.932693] ? check_noncircular+0x20/0x20 [ 29.936904] ? d_walk+0x1d2/0xb20 [ 29.940328] do_one_tree+0x15/0x50 [ 29.943835] shrink_dcache_for_umount+0xbb/0x290 [ 29.948556] ? d_walk+0x6f2/0xb20 [ 29.951982] ? d_set_mounted+0x2d0/0x2d0 [ 29.956022] ? d_find_any_alias+0x1c0/0x1c0 [ 29.960319] generic_shutdown_super+0xcd/0x540 [ 29.964873] ? trace_hardirqs_on+0xd/0x10 [ 29.968996] ? destroy_super_rcu+0x200/0x200 [ 29.973378] ? unregister_shrinker+0x22c/0x3a0 [ 29.977928] ? __might_sleep+0x95/0x190 [ 29.981872] ? perf_trace_mm_vmscan_writepage+0x790/0x790 [ 29.987375] ? down_write+0x87/0x120 [ 29.991063] kill_litter_super+0x72/0x90 [ 29.995615] deactivate_locked_super+0x88/0xd0 [ 30.000166] deactivate_super+0x141/0x1b0 [ 30.004370] ? __sb_start_write+0x2a0/0x2a0 [ 30.008671] cleanup_mnt+0xb2/0x150 [ 30.012265] __cleanup_mnt+0x16/0x20 [ 30.015950] task_work_run+0x199/0x270 [ 30.019809] ? task_work_cancel+0x210/0x210 [ 30.024113] ? free_nsproxy+0x185/0x1f0 [ 30.028063] ? switch_task_namespaces+0xa2/0xc0 [ 30.032708] do_exit+0x9bb/0x1ad0 [ 30.036137] ? mm_update_next_owner+0x930/0x930 [ 30.040775] ? __kernel_text_address+0xd/0x40 [ 30.045239] ? unwind_get_return_address+0x61/0xa0 [ 30.050398] ? __save_stack_trace+0x7e/0xd0 [ 30.055228] ? putname+0xee/0x130 [ 30.058649] ? save_stack+0xa3/0xd0 [ 30.062243] ? save_stack+0x43/0xd0 [ 30.065835] ? kasan_slab_free+0x71/0xc0 [ 30.069863] ? kmem_cache_free+0x83/0x2a0 [ 30.073978] ? putname+0xee/0x130 [ 30.077399] ? do_sys_open+0x31b/0x6d0 [ 30.081252] ? SyS_creat+0x27/0x30 [ 30.084760] ? entry_SYSCALL_64_fastpath+0x1f/0x96 [ 30.089662] ? debug_check_no_obj_freed+0x3da/0xf1f [ 30.094644] ? __lock_is_held+0xb6/0x140 [ 30.098687] ? free_obj_work+0x690/0x690 [ 30.102716] ? __fd_install+0x288/0x740 [ 30.106660] ? get_unused_fd_flags+0x190/0x190 [ 30.111210] ? may_open_dev+0xe0/0xe0 [ 30.114985] ? rcu_pm_notify+0xc0/0xc0 [ 30.118843] ? putname+0xee/0x130 [ 30.122264] ? putname+0xee/0x130 [ 30.125683] ? rcu_read_lock_sched_held+0x108/0x120 [ 30.130669] ? kmem_cache_free+0x267/0x2a0 [ 30.134877] ? putname+0xf3/0x130 [ 30.138305] do_group_exit+0x149/0x400 [ 30.142425] ? SyS_exit+0x30/0x30 [ 30.146109] ? trace_hardirqs_on_caller+0x421/0x5c0 [ 30.151093] ? trace_hardirqs_on_thunk+0x1a/0x1c [ 30.155820] SyS_exit_group+0x1d/0x20 [ 30.159591] entry_SYSCALL_64_fastpath+0x1f/0x96 [ 30.164316] RIP: 0033:0x4406f9 [ 30.167475] RSP: 002b:00007ffca4a8ec78 EFLAGS: 00000202 ORIG_RAX: 00000000000000e7 [ 30.175163] RAX: ffffffffffffffda RBX: 0030656c69662f2e RCX: 00000000004406f9 [ 30.182406] RDX: 00000000004406f9 RSI: 00000000004406f9 RDI: 0000000000000001 [ 30.189642] RBP: 00000000006cb018 R08: 0000000000000000 R09: 00000000004002c8 [ 30.196881] R10: 0000000000000000 R11: 0000000000000202 R12: 0000000000401bc0 [ 30.204120] R13: 0000000000401c50 R14: 0000000000000000 R15: 0000000000000000 [ 30.211375] [ 30.212969] Allocated by task 3146: [ 30.216573] save_stack+0x43/0xd0 [ 30.219992] kasan_kmalloc+0xad/0xe0 [ 30.223673] kmem_cache_alloc_trace+0x136/0x750 [ 30.228307] copy_ipcs+0x1b3/0x520 [ 30.231815] create_new_namespaces+0x278/0x880 [ 30.236364] unshare_nsproxy_namespaces+0xae/0x1e0 [ 30.241259] SyS_unshare+0x653/0xfa0 [ 30.244939] entry_SYSCALL_64_fastpath+0x1f/0x96 [ 30.249658] [ 30.251251] Freed by task 3146: [ 30.254494] save_stack+0x43/0xd0 [ 30.257913] kasan_slab_free+0x71/0xc0 [ 30.261766] kfree+0xd6/0x260 [ 30.264840] put_ipc_ns+0x112/0x150 [ 30.268435] free_nsproxy+0xc0/0x1f0 [ 30.272811] switch_task_namespaces+0x9d/0xc0 [ 30.277270] exit_task_namespaces+0x17/0x20 [ 30.281556] do_exit+0x9b6/0x1ad0 [ 30.284974] do_group_exit+0x149/0x400 [ 30.288826] SyS_exit_group+0x1d/0x20 [ 30.292594] entry_SYSCALL_64_fastpath+0x1f/0x96 [ 30.297313] [ 30.298912] The buggy address belongs to the object at ffff8801c8cfce00 [ 30.298912] which belongs to the cache kmalloc-2048 of size 2048 [ 30.311717] The buggy address is located 0 bytes inside of [ 30.311717] 2048-byte region [ffff8801c8cfce00, ffff8801c8cfd600) [ 30.323468] The buggy address belongs to the page: [ 30.328366] page:000000001d1dab07 count:1 mapcount:0 mapping:00000000b255226f index:0x0 compound_mapcount: 0 [ 30.338300] flags: 0x2fffc0000008100(slab|head) [ 30.342940] raw: 02fffc0000008100 ffff8801c8cfc580 0000000000000000 0000000100000003 [ 30.350788] raw: ffffea0007289d20 ffff8801dac01948 ffff8801dac00c40 0000000000000000 [ 30.358633] page dumped because: kasan: bad access detected [ 30.364307] [ 30.365900] Memory state around the buggy address: [ 30.370795] ffff8801c8cfcd00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 30.378121] ffff8801c8cfcd80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 30.385443] >ffff8801c8cfce00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 30.392769] ^ [ 30.396102] ffff8801c8cfce80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 30.403428] ffff8801c8cfcf00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 30.410755] ================================================================== [ 30.418082] Disabling lock debugging due to kernel taint [ 30.423590] Kernel panic - not syncing: panic_on_warn set ... [ 30.423590] [ 30.430924] CPU: 0 PID: 3146 Comm: syzkaller126474 Tainted: G B 4.15.0-rc4-next-20171221+ #78 [ 30.441112] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 30.450433] Call Trace: [ 30.452993] dump_stack+0x194/0x257 [ 30.456588] ? arch_local_irq_restore+0x53/0x53 [ 30.461235] ? kasan_end_report+0x32/0x50 [ 30.465352] ? trace_hardirqs_on_thunk+0x1a/0x1c [ 30.470071] ? vsnprintf+0x1ed/0x1900 [ 30.473837] ? refcount_inc_not_zero+0xd0/0x180 [ 30.478472] panic+0x1e4/0x41c [ 30.481635] ? refcount_error_report+0x214/0x214 [ 30.486357] ? add_taint+0x1c/0x50 [ 30.489860] ? add_taint+0x1c/0x50 [ 30.493367] ? refcount_inc_not_zero+0x16e/0x180 [ 30.498088] kasan_end_report+0x50/0x50 [ 30.502028] kasan_report+0x144/0x340 [ 30.505796] __asan_report_load4_noabort+0x14/0x20 [ 30.510687] refcount_inc_not_zero+0x16e/0x180 [ 30.515231] ? refcount_add+0x60/0x60 [ 30.518997] ? print_irqtrace_events+0x270/0x270 [ 30.523730] ? do_mq_timedreceive+0xf40/0xf40 [ 30.528195] refcount_inc+0x15/0x50 [ 30.531787] mqueue_evict_inode+0x137/0x9c0 [ 30.536076] ? inode_wait_for_writeback+0x2f/0x40 [ 30.540891] ? lock_downgrade+0x980/0x980 [ 30.545012] ? do_mq_timedreceive+0xf40/0xf40 [ 30.549470] ? __inode_wait_for_writeback+0x292/0x330 [ 30.554626] ? do_raw_spin_trylock+0x190/0x190 [ 30.559182] ? bit_waitqueue+0x30/0x30 [ 30.563036] ? _raw_spin_unlock+0x22/0x30 [ 30.567669] ? do_mq_timedreceive+0xf40/0xf40 [ 30.572129] evict+0x481/0x920 [ 30.575293] ? destroy_inode+0x200/0x200 [ 30.579320] ? iput+0x7b1/0xaf0 [ 30.582565] ? lock_downgrade+0x980/0x980 [ 30.586679] ? _raw_spin_lock+0x32/0x40 [ 30.591523] ? _atomic_dec_and_lock+0x125/0x196 [ 30.596160] ? do_raw_spin_trylock+0x190/0x190 [ 30.600706] ? cpumask_local_spread+0x260/0x260 [ 30.605340] ? reacquire_held_locks+0x1f9/0x3e0 [ 30.609973] ? reacquire_held_locks+0x1f9/0x3e0 [ 30.614605] ? shrink_dentry_list+0x3b0/0xcf0 [ 30.619068] iput+0x7b9/0xaf0 [ 30.622145] ? evict_inodes+0x580/0x580 [ 30.627386] ? dentry_unlink_inode+0x38e/0x5e0 [ 30.633498] ? lock_downgrade+0x980/0x980 [ 30.638393] ? reacquire_held_locks+0x1f9/0x3e0 [ 30.643025] ? reacquire_held_locks+0x1f9/0x3e0 [ 30.647658] ? do_raw_spin_trylock+0x190/0x190 [ 30.652204] ? find_held_lock+0x138/0x1d0 [ 30.656841] dentry_unlink_inode+0x4b0/0x5e0 [ 30.661214] ? __dentry_kill+0x37b/0x6d0 [ 30.665240] ? release_dentry_name_snapshot+0x70/0x70 [ 30.670400] ? __lock_acquire+0x664/0x3e00 [ 30.674600] ? __d_drop+0x2b9/0x4b0 [ 30.678191] ? do_raw_spin_trylock+0x190/0x190 [ 30.682737] ? d_exact_alias+0x620/0x620 [ 30.686762] ? lock_acquire+0x1d5/0x580 [ 30.690698] ? lock_acquire+0x1d5/0x580 [ 30.694639] __dentry_kill+0x3b7/0x6d0 [ 30.698494] ? check_and_drop+0x170/0x170 [ 30.702606] ? lock_downgrade+0x980/0x980 [ 30.706727] shrink_dentry_list+0x3c5/0xcf0 [ 30.711014] ? d_add+0xa70/0xa70 [ 30.714350] ? d_shrink_add+0x280/0x280 [ 30.718291] ? dget_parent+0x5b0/0x5b0 [ 30.722145] ? trace_hardirqs_off+0xd/0x10 [ 30.726348] ? find_held_lock+0x35/0x1d0 [ 30.730465] shrink_dcache_parent+0xba/0x230 [ 30.734841] ? path_has_submounts+0x1a0/0x1a0 [ 30.739300] ? lock_release+0xa40/0xa40 [ 30.743241] ? check_noncircular+0x20/0x20 [ 30.747446] ? d_walk+0x1d2/0xb20 [ 30.750864] do_one_tree+0x15/0x50 [ 30.754369] shrink_dcache_for_umount+0xbb/0x290 [ 30.759089] ? d_walk+0x6f2/0xb20 [ 30.762511] ? d_set_mounted+0x2d0/0x2d0 [ 30.766536] ? d_find_any_alias+0x1c0/0x1c0 [ 30.770827] generic_shutdown_super+0xcd/0x540 [ 30.775374] ? trace_hardirqs_on+0xd/0x10 [ 30.779486] ? destroy_super_rcu+0x200/0x200 [ 30.783862] ? unregister_shrinker+0x22c/0x3a0 [ 30.788409] ? __might_sleep+0x95/0x190 [ 30.792348] ? perf_trace_mm_vmscan_writepage+0x790/0x790 [ 30.797849] ? down_write+0x87/0x120 [ 30.801531] kill_litter_super+0x72/0x90 [ 30.805556] deactivate_locked_super+0x88/0xd0 [ 30.810102] deactivate_super+0x141/0x1b0 [ 30.814213] ? __sb_start_write+0x2a0/0x2a0 [ 30.818502] cleanup_mnt+0xb2/0x150 [ 30.822094] __cleanup_mnt+0x16/0x20 [ 30.825776] task_work_run+0x199/0x270 [ 30.829628] ? task_work_cancel+0x210/0x210 [ 30.833927] ? free_nsproxy+0x185/0x1f0 [ 30.837866] ? switch_task_namespaces+0xa2/0xc0 [ 30.842503] do_exit+0x9bb/0x1ad0 [ 30.845923] ? mm_update_next_owner+0x930/0x930 [ 30.850556] ? __kernel_text_address+0xd/0x40 [ 30.855019] ? unwind_get_return_address+0x61/0xa0 [ 30.859913] ? __save_stack_trace+0x7e/0xd0 [ 30.864207] ? putname+0xee/0x130 [ 30.867627] ? save_stack+0xa3/0xd0 [ 30.871221] ? save_stack+0x43/0xd0 [ 30.874809] ? kasan_slab_free+0x71/0xc0 [ 30.878835] ? kmem_cache_free+0x83/0x2a0 [ 30.882962] ? putname+0xee/0x130 [ 30.886381] ? do_sys_open+0x31b/0x6d0 [ 30.890232] ? SyS_creat+0x27/0x30 [ 30.893737] ? entry_SYSCALL_64_fastpath+0x1f/0x96 [ 30.898634] ? debug_check_no_obj_freed+0x3da/0xf1f [ 30.903962] ? __lock_is_held+0xb6/0x140 [ 30.908008] ? free_obj_work+0x690/0x690 [ 30.912047] ? __fd_install+0x288/0x740 [ 30.915987] ? get_unused_fd_flags+0x190/0x190 [ 30.921006] ? may_open_dev+0xe0/0xe0 [ 30.925036] ? rcu_pm_notify+0xc0/0xc0 [ 30.928892] ? putname+0xee/0x130 [ 30.932325] ? putname+0xee/0x130 [ 30.935742] ? rcu_read_lock_sched_held+0x108/0x120 [ 30.940723] ? kmem_cache_free+0x267/0x2a0 [ 30.944922] ? putname+0xf3/0x130 [ 30.948350] do_group_exit+0x149/0x400 [ 30.952204] ? SyS_exit+0x30/0x30 [ 30.955625] ? trace_hardirqs_on_caller+0x421/0x5c0 [ 30.960606] ? trace_hardirqs_on_thunk+0x1a/0x1c [ 30.967351] SyS_exit_group+0x1d/0x20 [ 30.972077] entry_SYSCALL_64_fastpath+0x1f/0x96 [ 30.976800] RIP: 0033:0x4406f9 [ 30.979954] RSP: 002b:00007ffca4a8ec78 EFLAGS: 00000202 ORIG_RAX: 00000000000000e7 [ 30.987634] RAX: ffffffffffffffda RBX: 0030656c69662f2e RCX: 00000000004406f9 [ 30.994873] RDX: 00000000004406f9 RSI: 00000000004406f9 RDI: 0000000000000001 [ 31.002283] RBP: 00000000006cb018 R08: 0000000000000000 R09: 00000000004002c8 [ 31.009518] R10: 0000000000000000 R11: 0000000000000202 R12: 0000000000401bc0 [ 31.016750] R13: 0000000000401c50 R14: 0000000000000000 R15: 0000000000000000 [ 31.024033] Dumping ftrace buffer: [ 31.027538] (ftrace buffer empty) [ 31.031217] Kernel Offset: disabled [ 31.034813] Rebooting in 86400 seconds..