[ ok ] Starting periodic command scheduler: cron.
Starting mcstransd:
[ ok ] Starting file context maintaining daemon: restorecond.
[ ok ] Starting OpenBSD Secure Shell server: sshd.
[ 11.411479] random: sshd: uninitialized urandom read (32 bytes read)
[ 12.194890] random: crng init done

Debian GNU/Linux 7 syzkaller ttyS0

Warning: Permanently added '10.128.0.122' (ECDSA) to the list of known hosts.
2019/02/25 10:04:49 parsed 1 programs
2019/02/25 10:04:51 executed programs: 0
syzkaller login: [ 37.391877] audit: type=1400 audit(1551089092.023:5): avc: denied { associate } for pid=2066 comm="syz-executor.0" name="syz0" scontext=unconfined_u:object_r:unlabeled_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=filesystem permissive=1
2019/02/25 10:04:56 executed programs: 121
[ 44.253208] ==================================================================
[ 44.260610] BUG: KASAN: use-after-free in perf_trace_filelock_lock+0x901/0x960
[ 44.267961] Read of size 8 at addr ffff8801d8321a00 by task syz-executor.0/2934
[ 44.275388]
[ 44.277018] CPU: 0 PID: 2934 Comm: syz-executor.0 Not tainted 4.9.155+ #27
[ 44.284012]  ffff8801d71a7968 ffffffff81b47871 0000000000000000 ffffea000760c840
[ 44.292041]  ffff8801d8321a00 0000000000000008 ffffffff81606c21 ffff8801d71a79a0
[ 44.300076]  ffffffff81502825 0000000000000000 ffff8801d8321a00 ffff8801d8321a00
[ 44.308142] Call Trace:
[ 44.310715]  [] dump_stack+0xc1/0x120
[ 44.316066]  [] ? perf_trace_filelock_lock+0x901/0x960
[ 44.322886]  [] print_address_description+0x6f/0x238
[ 44.329528]  [] ? perf_trace_filelock_lock+0x901/0x960
[ 44.336453]  [] kasan_report.cold+0x8c/0x2ba
[ 44.342413]  [] __asan_report_load8_noabort+0x14/0x20
[ 44.349150]  [] perf_trace_filelock_lock+0x901/0x960
[ 44.355800]  [] ? check_preemption_disabled+0x3c/0x200
[ 44.362625]  [] ? check_preemption_disabled+0x3c/0x200
[ 44.369467]  [] ? perf_trace_locks_get_lock_context+0x5d0/0x5d0
[ 44.377077]  [] ? check_preemption_disabled+0x3c/0x200
[ 44.383899]  [] ? check_preemption_disabled+0x3c/0x200
[ 44.390722]  [] ? perf_trace_locks_get_lock_context+0x5d0/0x5d0
[ 44.398326]  [] posix_lock_inode+0x1161/0x1aa0
[ 44.404452]  [] ? vfs_lock_file+0x14f/0x1a0
[ 44.410338]  [] ? avc_has_perm_noaudit+0x300/0x300
[ 44.416815]  [] ? locks_remove_flock+0x3b0/0x3b0
[ 44.423117]  [] ? trace_hardirqs_on+0x10/0x10
[ 44.429162]  [] vfs_lock_file+0x14f/0x1a0
[ 44.434993]  [] do_lock_file_wait.part.0+0xb4/0x1e0
[ 44.441558]  [] ? lease_modify+0x2c0/0x2c0
[ 44.447333]  [] ? selinux_file_lock+0x4f/0x60
[ 44.453364]  [] fcntl_setlk+0x2cb/0xc30
[ 44.458887]  [] ? fcntl_getlk+0x2d0/0x2d0
[ 44.464585]  [] ? selinux_file_fcntl+0x6c/0x120
[ 44.470800]  [] ? security_file_fcntl+0x8f/0xc0
[ 44.477049]  [] SyS_fcntl+0x579/0xb50
[ 44.482417]  [] ? __might_fault+0xe4/0x1d0
[ 44.488203]  [] ? f_getown+0xb0/0xb0
[ 44.493460]  [] ? do_syscall_64+0x4a/0x570
[ 44.499234]  [] ? f_getown+0xb0/0xb0
[ 44.504490]  [] do_syscall_64+0x1ad/0x570
[ 44.510178]  [] entry_SYSCALL_64_after_swapgs+0x5d/0xdb
[ 44.517078]
[ 44.518689] Allocated by task 2934:
[ 44.522315]  save_stack_trace+0x16/0x20
[ 44.526277]  kasan_kmalloc.part.0+0x62/0xf0
[ 44.530583]  kasan_kmalloc+0xb7/0xd0
[ 44.534278]  kasan_slab_alloc+0xf/0x20
[ 44.538152]  kmem_cache_alloc+0xd5/0x2b0
[ 44.542194]  locks_alloc_lock+0x1d/0x170
[ 44.546257]  posix_lock_inode+0x48c/0x1aa0
[ 44.550475]  vfs_lock_file+0x14f/0x1a0
[ 44.554348]  do_lock_file_wait.part.0+0xb4/0x1e0
[ 44.559083]  fcntl_setlk+0x2cb/0xc30
[ 44.562781]  SyS_fcntl+0x579/0xb50
[ 44.566317]  do_syscall_64+0x1ad/0x570
[ 44.570187]  entry_SYSCALL_64_after_swapgs+0x5d/0xdb
[ 44.575286]
[ 44.576896] Freed by task 2933:
[ 44.580160]  save_stack_trace+0x16/0x20
[ 44.584113]  kasan_slab_free+0xb0/0x190
[ 44.588071]  kmem_cache_free+0xbe/0x310
[ 44.592030]  locks_free_lock+0xea/0x140
[ 44.595988]  locks_dispose_list+0x117/0x1e0
[ 44.600299]  posix_lock_inode+0x369/0x1aa0
[ 44.604518]  vfs_lock_file+0x14f/0x1a0
[ 44.608391]  locks_remove_posix+0x1e4/0x500
[ 44.612697]  filp_close+0xf4/0x140
[ 44.616225]  __close_fd+0x15d/0x240
[ 44.619846]  SyS_close+0x46/0xa0
[ 44.623193]  do_syscall_64+0x1ad/0x570
[ 44.627065]  entry_SYSCALL_64_after_swapgs+0x5d/0xdb
[ 44.632146]
[ 44.633757] The buggy address belongs to the object at ffff8801d8321a00
[ 44.633757]  which belongs to the cache file_lock_cache of size 256
[ 44.646752] The buggy address is located 0 bytes inside of
[ 44.646752]  256-byte region [ffff8801d8321a00, ffff8801d8321b00)
[ 44.658435] The buggy address belongs to the page:
[ 44.663346] page:ffffea000760c840 count:1 mapcount:0 mapping: (null) index:0x0
[ 44.671606] flags: 0x4000000000000080(slab)
[ 44.675923] page dumped because: kasan: bad access detected
[ 44.681625]
[ 44.683235] Memory state around the buggy address:
[ 44.688156]  ffff8801d8321900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 44.695498]  ffff8801d8321980: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 44.702842] >ffff8801d8321a00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 44.710180]                    ^
[ 44.713530]  ffff8801d8321a80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 44.720886]  ffff8801d8321b00: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
[ 44.728224] ==================================================================
[ 44.735571] Disabling lock debugging due to kernel taint
[ 44.741115] Kernel panic - not syncing: panic_on_warn set ...
[ 44.741115]
[ 44.748477] CPU: 0 PID: 2934 Comm: syz-executor.0 Tainted: G    B   4.9.155+ #27
[ 44.756692]  ffff8801d71a78a8 ffffffff81b47871 ffff8801d71a7900 ffffffff82e43a22
[ 44.764766]  00000000ffffffff 0000000000000000 ffffffff81606c21 ffff8801d71a7988
[ 44.772768]  ffffffff813f746a 0000000041b58ab3 ffffffff82e35b4a ffffffff813f7291
[ 44.780875] Call Trace:
[ 44.783438]  [] dump_stack+0xc1/0x120
[ 44.788778]  [] ? perf_trace_filelock_lock+0x901/0x960
[ 44.795595]  [] panic+0x1d9/0x3bd
[ 44.800587]  [] ? add_taint.cold+0x16/0x16
[ 44.806365]  [] kasan_end_report+0x47/0x4f
[ 44.812142]  [] kasan_report.cold+0xa9/0x2ba
[ 44.818098]  [] __asan_report_load8_noabort+0x14/0x20
[ 44.824907]  [] perf_trace_filelock_lock+0x901/0x960
[ 44.831591]  [] ? check_preemption_disabled+0x3c/0x200
[ 44.838464]  [] ? check_preemption_disabled+0x3c/0x200
[ 44.845292]  [] ? perf_trace_locks_get_lock_context+0x5d0/0x5d0
[ 44.852890]  [] ? check_preemption_disabled+0x3c/0x200
[ 44.859710]  [] ? check_preemption_disabled+0x3c/0x200
[ 44.866524]  [] ? perf_trace_locks_get_lock_context+0x5d0/0x5d0
[ 44.874120]  [] posix_lock_inode+0x1161/0x1aa0
[ 44.880251]  [] ? vfs_lock_file+0x14f/0x1a0
[ 44.886134]  [] ? avc_has_perm_noaudit+0x300/0x300
[ 44.892672]  [] ? locks_remove_flock+0x3b0/0x3b0
[ 44.898974]  [] ? trace_hardirqs_on+0x10/0x10
[ 44.905008]  [] vfs_lock_file+0x14f/0x1a0
[ 44.910695]  [] do_lock_file_wait.part.0+0xb4/0x1e0
[ 44.917256]  [] ? lease_modify+0x2c0/0x2c0
[ 44.923035]  [] ? selinux_file_lock+0x4f/0x60
[ 44.929094]  [] fcntl_setlk+0x2cb/0xc30
[ 44.934637]  [] ? fcntl_getlk+0x2d0/0x2d0
[ 44.940364]  [] ? selinux_file_fcntl+0x6c/0x120
[ 44.946580]  [] ? security_file_fcntl+0x8f/0xc0
[ 44.952792]  [] SyS_fcntl+0x579/0xb50
[ 44.958132]  [] ? __might_fault+0xe4/0x1d0
[ 44.963910]  [] ? f_getown+0xb0/0xb0
[ 44.969167]  [] ? do_syscall_64+0x4a/0x570
[ 44.974998]  [] ? f_getown+0xb0/0xb0
[ 44.980356]  [] do_syscall_64+0x1ad/0x570
[ 44.986051]  [] entry_SYSCALL_64_after_swapgs+0x5d/0xdb
[ 44.993318] Kernel Offset: disabled
[ 44.996927] Rebooting in 86400 seconds..