[....] Starting enhanced syslogd: rsyslogd
[   15.758879] audit: type=1400 audit(1520647112.388:5): avc:  denied  { syslog } for  pid=4072 comm="rsyslogd" capability=34  scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=capability2 permissive=1
[ ok ] Starting enhanced syslogd: rsyslogd.
[ ok ] Starting periodic command scheduler: cron.
Starting mcstransd:
[ ok ] Starting file context maintaining daemon: restorecond.
[ ok ] Starting OpenBSD Secure Shell server: sshd.

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [   19.485736] audit: type=1400 audit(1520647116.115:6): avc:  denied  { map } for  pid=4212 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
Warning: Permanently added '10.128.0.9' (ECDSA) to the list of known hosts.
executing program
[   25.825555] audit: type=1400 audit(1520647122.455:7): avc:  denied  { map } for  pid=4226 comm="syzkaller839677" path="/root/syzkaller839677683" dev="sda1" ino=16481 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
[   25.852566] audit: type=1400 audit(1520647122.482:8): avc:  denied  { map } for  pid=4226 comm="syzkaller839677" path="/dev/binder0" dev="devtmpfs" ino=9399 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:device_t:s0 tclass=chr_file permissive=1
[   25.855536] ==================================================================
[   25.884799] BUG: KASAN: use-after-free in ucma_close+0x2d7/0x2f0
[   25.890916] Read of size 8 at addr ffff8801adc574c0 by task syzkaller839677/4226
[   25.898418]
[   25.900021] CPU: 1 PID: 4226 Comm: syzkaller839677 Not tainted 4.16.0-rc4+ #347
[   25.907435] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   25.916760] Call Trace:
[   25.919323]  dump_stack+0x194/0x24d
[   25.922927]  ? arch_local_irq_restore+0x53/0x53
[   25.927567]  ? show_regs_print_info+0x18/0x18
[   25.932044]  ? ucma_close+0x2d7/0x2f0
[   25.935819]  print_address_description+0x73/0x250
[   25.940637]  ? ucma_close+0x2d7/0x2f0
[   25.944412]  kasan_report+0x23c/0x360
[   25.948188]  __asan_report_load8_noabort+0x14/0x20
[   25.953094]  ucma_close+0x2d7/0x2f0
[   25.956693]  ? __might_sleep+0x95/0x190
[   25.960646]  ? ucma_free_ctx+0xd90/0xd90
[   25.964690]  __fput+0x327/0x7e0
[   25.967953]  ? fput+0x140/0x140
[   25.971209]  ? check_same_owner+0x320/0x320
[   25.975512]  ? _raw_spin_unlock_irq+0x27/0x70
[   25.979995]  ____fput+0x15/0x20
[   25.983246]  task_work_run+0x199/0x270
[   25.987106]  ? task_work_cancel+0x210/0x210
[   25.991399]  ? _raw_spin_unlock+0x22/0x30
[   25.995524]  ? switch_task_namespaces+0x87/0xc0
[   26.000170]  do_exit+0x9bb/0x1ad0
[   26.003597]  ? ucma_create_id+0x45b/0x620
[   26.007732]  ? mm_update_next_owner+0x930/0x930
[   26.012382]  ? ucma_create_id+0x17b/0x620
[   26.016510]  ? ucma_get_event+0xa90/0xa90
[   26.020639]  ? __might_sleep+0x95/0x190
[   26.024591]  ? kasan_check_write+0x14/0x20
[   26.028798]  ? _copy_from_user+0x99/0x110
[   26.032920]  ? ucma_write+0x11f/0x3d0
[   26.036692]  ? ucma_get_event+0xa90/0xa90
[   26.040813]  ? ucma_resolve_route+0x1a0/0x1a0
[   26.045288]  ? ucma_resolve_route+0x1a0/0x1a0
[   26.049756]  ? __vfs_write+0xf7/0x970
[   26.053534]  ? rcu_note_context_switch+0x710/0x710
[   26.058437]  ? kernel_read+0x120/0x120
[   26.062295]  ? __might_sleep+0x95/0x190
[   26.066251]  ? _cond_resched+0x14/0x30
[   26.070111]  ? __inode_security_revalidate+0xd9/0x130
[   26.075274]  ? avc_policy_seqno+0x9/0x20
[   26.079315]  ? security_file_permission+0x89/0x1e0
[   26.084217]  ? rw_verify_area+0xe5/0x2b0
[   26.088249]  ? __fdget_raw+0x20/0x20
[   26.092368]  ? vfs_write+0x224/0x510
[   26.096497]  do_group_exit+0x149/0x400
[   26.100357]  ? SyS_write+0x184/0x220
[   26.104045]  ? SyS_exit+0x30/0x30
[   26.107468]  ? SyS_read+0x220/0x220
[   26.111069]  ? do_syscall_64+0xb7/0x940
[   26.115018]  ? do_group_exit+0x400/0x400
[   26.119052]  SyS_exit_group+0x1d/0x20
[   26.122828]  do_syscall_64+0x281/0x940
[   26.126687]  ? __do_page_fault+0xc90/0xc90
[   26.130893]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[   26.135624]  ? syscall_return_slowpath+0x550/0x550
[   26.140527]  ? syscall_return_slowpath+0x2ac/0x550
[   26.145429]  ? prepare_exit_to_usermode+0x350/0x350
[   26.150418]  ? entry_SYSCALL_64_after_hwframe+0x52/0xb7
[   26.155759]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   26.160581]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[   26.165746] RIP: 0033:0x442aa8
[   26.168908] RSP: 002b:00007fff9a845738 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
[   26.176586] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 0000000000442aa8
[   26.183826] RDX: 0000000000000000 RSI: 000000000000003c RDI: 0000000000000000
[   26.191067] RBP: 00000000004c26c8 R08: 00000000000000e7 R09: ffffffffffffffd0
[   26.198307] R10: 0000000000000004 R11: 0000000000000246 R12: 0000000000000001
[   26.205548] R13: 00000000006d4180 R14: 0000000000000000 R15: 0000000000000000
[   26.212804]
[   26.214404] Allocated by task 4226:
[   26.218010]  save_stack+0x43/0xd0
[   26.221433]  kasan_kmalloc+0xad/0xe0
[   26.225117]  kmem_cache_alloc_trace+0x136/0x740
[   26.229757]  ucma_alloc_ctx+0xce/0x610
[   26.233615]  ucma_create_id+0x205/0x620
[   26.237568]  ucma_write+0x2d6/0x3d0
[   26.241167]  __vfs_write+0xef/0x970
[   26.244764]  vfs_write+0x189/0x510
[   26.248272]  SyS_write+0xef/0x220
[   26.251695]  do_syscall_64+0x281/0x940
[   26.255558]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[   26.260720]
[   26.262322] Freed by task 4226:
[   26.265582]  save_stack+0x43/0xd0
[   26.269021]  __kasan_slab_free+0x11a/0x170
[   26.273239]  kasan_slab_free+0xe/0x10
[   26.277017]  kfree+0xd9/0x260
[   26.280098]  ucma_create_id+0x45b/0x620
[   26.284044]  ucma_write+0x2d6/0x3d0
[   26.287641]  __vfs_write+0xef/0x970
[   26.291239]  vfs_write+0x189/0x510
[   26.294756]  SyS_write+0xef/0x220
[   26.298180]  do_syscall_64+0x281/0x940
[   26.302039]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[   26.307194]
[   26.308796] The buggy address belongs to the object at ffff8801adc57440
[   26.308796]  which belongs to the cache kmalloc-256 of size 256
[   26.321422] The buggy address is located 128 bytes inside of
[   26.321422]  256-byte region [ffff8801adc57440, ffff8801adc57540)
[   26.333267] The buggy address belongs to the page:
[   26.338170] page:ffffea0006b715c0 count:1 mapcount:0 mapping:ffff8801adc57080 index:0x0
[   26.346296] flags: 0x2fffc0000000100(slab)
[   26.350504] raw: 02fffc0000000100 ffff8801adc57080 0000000000000000 000000010000000c
[   26.358357] raw: ffffea0006b96a20 ffffea0006b8cc60 ffff8801dac007c0 0000000000000000
[   26.366207] page dumped because: kasan: bad access detected
[   26.371886]
[   26.373481] Memory state around the buggy address:
[   26.378380]  ffff8801adc57380: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   26.385710]  ffff8801adc57400: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
[   26.393043] >ffff8801adc57480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   26.400377]                                            ^
[   26.405797]  ffff8801adc57500: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[   26.413127]  ffff8801adc57580: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   26.420453] ==================================================================
[   26.427781] Disabling lock debugging due to kernel taint
[   26.433396] Kernel panic - not syncing: panic_on_warn set ...
[   26.433396]
[   26.440759] CPU: 1 PID: 4226 Comm: syzkaller839677 Tainted: G    B            4.16.0-rc4+ #347
[   26.449482] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   26.458806] Call Trace:
[   26.461367]  dump_stack+0x194/0x24d
[   26.464963]  ? arch_local_irq_restore+0x53/0x53
[   26.469603]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[   26.474334]  ? vsnprintf+0x1ed/0x1900
[   26.478105]  ? ucma_close+0x230/0x2f0
[   26.481875]  panic+0x1e4/0x41c
[   26.485037]  ? refcount_error_report+0x214/0x214
[   26.489768]  ? add_taint+0x1c/0x50
[   26.493278]  ? add_taint+0x1c/0x50
[   26.496790]  ? ucma_close+0x2d7/0x2f0
[   26.500562]  kasan_end_report+0x50/0x50
[   26.504508]  kasan_report+0x149/0x360
[   26.508279]  __asan_report_load8_noabort+0x14/0x20
[   26.513179]  ucma_close+0x2d7/0x2f0
[   26.516784]  ? __might_sleep+0x95/0x190
[   26.520729]  ? ucma_free_ctx+0xd90/0xd90
[   26.524765]  __fput+0x327/0x7e0
[   26.528025]  ? fput+0x140/0x140
[   26.531277]  ? check_same_owner+0x320/0x320
[   26.535565]  ? _raw_spin_unlock_irq+0x27/0x70
[   26.540036]  ____fput+0x15/0x20
[   26.543290]  task_work_run+0x199/0x270
[   26.547145]  ? task_work_cancel+0x210/0x210
[   26.551435]  ? _raw_spin_unlock+0x22/0x30
[   26.555559]  ? switch_task_namespaces+0x87/0xc0
[   26.560198]  do_exit+0x9bb/0x1ad0
[   26.563626]  ? ucma_create_id+0x45b/0x620
[   26.567745]  ? mm_update_next_owner+0x930/0x930
[   26.572383]  ? ucma_create_id+0x17b/0x620
[   26.576503]  ? ucma_get_event+0xa90/0xa90
[   26.580632]  ? __might_sleep+0x95/0x190
[   26.584580]  ? kasan_check_write+0x14/0x20
[   26.588792]  ? _copy_from_user+0x99/0x110
[   26.592920]  ? ucma_write+0x11f/0x3d0
[   26.596690]  ? ucma_get_event+0xa90/0xa90
[   26.600816]  ? ucma_resolve_route+0x1a0/0x1a0
[   26.605291]  ? ucma_resolve_route+0x1a0/0x1a0
[   26.609762]  ? __vfs_write+0xf7/0x970
[   26.613536]  ? rcu_note_context_switch+0x710/0x710
[   26.618435]  ? kernel_read+0x120/0x120
[   26.622291]  ? __might_sleep+0x95/0x190
[   26.626238]  ? _cond_resched+0x14/0x30
[   26.630096]  ? __inode_security_revalidate+0xd9/0x130
[   26.635255]  ? avc_policy_seqno+0x9/0x20
[   26.639291]  ? security_file_permission+0x89/0x1e0
[   26.644192]  ? rw_verify_area+0xe5/0x2b0
[   26.648220]  ? __fdget_raw+0x20/0x20
[   26.651906]  ? vfs_write+0x224/0x510
[   26.655600]  do_group_exit+0x149/0x400
[   26.659465]  ? SyS_write+0x184/0x220
[   26.663149]  ? SyS_exit+0x30/0x30
[   26.666570]  ? SyS_read+0x220/0x220
[   26.670166]  ? do_syscall_64+0xb7/0x940
[   26.674111]  ? do_group_exit+0x400/0x400
[   26.678142]  SyS_exit_group+0x1d/0x20
[   26.681923]  do_syscall_64+0x281/0x940
[   26.685780]  ? __do_page_fault+0xc90/0xc90
[   26.689984]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[   26.694710]  ? syscall_return_slowpath+0x550/0x550
[   26.699616]  ? syscall_return_slowpath+0x2ac/0x550
[   26.704517]  ? prepare_exit_to_usermode+0x350/0x350
[   26.709509]  ? entry_SYSCALL_64_after_hwframe+0x52/0xb7
[   26.714846]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   26.719661]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[   26.724818] RIP: 0033:0x442aa8
[   26.727979] RSP: 002b:00007fff9a845738 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
[   26.735655] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 0000000000442aa8
[   26.742895] RDX: 0000000000000000 RSI: 000000000000003c RDI: 0000000000000000
[   26.750134] RBP: 00000000004c26c8 R08: 00000000000000e7 R09: ffffffffffffffd0
[   26.757375] R10: 0000000000000004 R11: 0000000000000246 R12: 0000000000000001
[   26.764619] R13: 00000000006d4180 R14: 0000000000000000 R15: 0000000000000000
[   26.772325] Dumping ftrace buffer:
[   26.775838]    (ftrace buffer empty)
[   26.779516] Kernel Offset: disabled
[   26.783115] Rebooting in 86400 seconds..
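Read top to bottom, the report above already carries the three facts a triager wants: the ucma context was allocated in ucma_alloc_ctx and freed in ucma_create_id, both inside a single write() to the ucma device, and then read again in ucma_close when the file was released at exit_group(). The following parser is an added example, not part of the syzkaller report or of the kernel: it pulls those facts out of a KASAN report mechanically, skipping KASAN's own instrumentation and allocator frames as well as the unreliable "?" frames, and recomputes the offset of the access inside the object from the two addresses. SAMPLE_REPORT is a constructed excerpt of the console log above with most frames dropped; the frames, addresses and timestamps it keeps are copied from the report.

```python
"""KASAN use-after-free report triage (added example; not syzkaller or kernel code)."""
import re
from dataclasses import dataclass, field

# Constructed excerpt of the console log on this page, trimmed to the lines the
# parser needs; every frame, address and timestamp is copied from the report.
SAMPLE_REPORT = """\
[   25.884799] BUG: KASAN: use-after-free in ucma_close+0x2d7/0x2f0
[   25.890916] Read of size 8 at addr ffff8801adc574c0 by task syzkaller839677/4226
[   25.916760] Call Trace:
[   25.919323]  dump_stack+0x194/0x24d
[   25.948188]  __asan_report_load8_noabort+0x14/0x20
[   25.953094]  ucma_close+0x2d7/0x2f0
[   26.100357]  ? SyS_write+0x184/0x220
[   26.119052]  SyS_exit_group+0x1d/0x20
[   26.165746] RIP: 0033:0x442aa8
[   26.214404] Allocated by task 4226:
[   26.218010]  save_stack+0x43/0xd0
[   26.225117]  kmem_cache_alloc_trace+0x136/0x740
[   26.229757]  ucma_alloc_ctx+0xce/0x610
[   26.233615]  ucma_create_id+0x205/0x620
[   26.248272]  SyS_write+0xef/0x220
[   26.262322] Freed by task 4226:
[   26.265582]  save_stack+0x43/0xd0
[   26.277017]  kfree+0xd9/0x260
[   26.280098]  ucma_create_id+0x45b/0x620
[   26.294756]  SyS_write+0xef/0x220
[   26.308796] The buggy address belongs to the object at ffff8801adc57440
[   26.308796]  which belongs to the cache kmalloc-256 of size 256
"""

TS_RE = re.compile(r"^\[\s*\d+\.\d+\]\s?")  # printk timestamp prefix
FRAME_RE = re.compile(r"^\s*(\?\s+)?([A-Za-z_][\w.]*)\+0x[0-9a-f]+/0x[0-9a-f]+\s*$")
BUG_RE = re.compile(r"^BUG: KASAN: ([\w-]+) in ([\w.]+)\+0x")
ACCESS_RE = re.compile(r"^(Read|Write) of size (\d+) at addr ([0-9a-f]+) by task \S+/(\d+)")
OBJECT_RE = re.compile(r"^The buggy address belongs to the object at ([0-9a-f]+)")
CACHE_RE = re.compile(r"^\s*which belongs to the cache (\S+) of size (\d+)")
SYSCALL_RE = re.compile(r"^(?:SyS|sys|__x64_sys|__se_sys|__do_sys)_(\w+)$")
HEADERS = (("use", "Call Trace:"), ("alloc", "Allocated by task"), ("free", "Freed by task"))
# Instrumentation and allocator plumbing: never the call site a triager wants.
NOISE = ("dump_stack", "print_address_description", "kasan_", "__kasan_", "__asan_",
         "save_stack", "kmem_cache_", "kfree", "kmalloc", "__kmalloc", "kzalloc")


def call_site(frames):
    """First reliable frame outside KASAN/allocator plumbing; frames are (symbol, reliable)."""
    return next((s for s, ok in frames if ok and not s.startswith(NOISE)), None)


def syscall(frames):
    """Syscall the stack entered through, ignoring unreliable '?' frames (stale stack slots)."""
    hits = (SYSCALL_RE.match(s) for s, ok in frames if ok)
    return next((m.group(1) for m in hits if m), None)


@dataclass
class KasanReport:
    bug_type: str = ""
    bug_func: str = ""
    access_kind: str = ""
    access_size: int = 0
    access_addr: int = 0
    object_addr: int = 0
    cache: str = ""
    stacks: dict = field(default_factory=dict)  # "use" / "alloc" / "free" -> [(symbol, reliable)]

    @property
    def offset_in_object(self):
        """Byte offset of the access from the object base (valid once both addresses parsed)."""
        return self.access_addr - self.object_addr


def parse_kasan_report(text):
    rep, section = KasanReport(), None
    for raw in text.splitlines():
        line = TS_RE.sub("", raw)
        if m := BUG_RE.match(line):
            rep.bug_type, rep.bug_func = m.group(1), m.group(2)
        elif m := ACCESS_RE.match(line):
            rep.access_kind, rep.access_size = m.group(1), int(m.group(2))
            rep.access_addr = int(m.group(3), 16)
        elif m := OBJECT_RE.match(line):
            rep.object_addr = int(m.group(1), 16)
        elif m := CACHE_RE.match(line):
            rep.cache = m.group(1)
        elif hdr := next((k for k, h in HEADERS if line.startswith(h)), None):
            section = None if hdr in rep.stacks else hdr  # keep only the first trace of each kind
            if section:
                rep.stacks[section] = []
        elif section and (fm := FRAME_RE.match(line)):
            rep.stacks[section].append((fm.group(2), fm.group(1) is None))
        else:
            section = None  # blank line, register dump, etc. closes the current stack
    return rep


def triage(rep):
    """The first questions a triager asks: what, where used, where allocated, where freed."""
    out = {"bug": f"{rep.bug_type} in {rep.bug_func}",
           "access": f"{rep.access_kind} of {rep.access_size} at +{rep.offset_in_object} in {rep.cache}"}
    out.update({f"{k}_site": (call_site(v), syscall(v)) for k, v in rep.stacks.items()})
    return out


TRIAGE = triage(parse_kasan_report(SAMPLE_REPORT))  # run on the excerpt of the report above
```

On the excerpt the result is a use site of ("ucma_close", "exit_group"), an allocation site of ("ucma_alloc_ctx", "write") and a free site of ("ucma_create_id", "write"), with the access at +128 in kmalloc-256, which matches the "located 128 bytes inside" line of the report. That shape, a context freed on a ucma_create_id path that is still reachable from the file when ucma_close runs, is where to start reading the driver; recomputing the offset from the two addresses is a cheap sanity check when a report has been copied by hand or truncated.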