[?25l[?1c7[ ok 8[?25h[?0c. [....] Starting periodic command scheduler: cron[?25l[?1c7[ ok 8[?25h[?0c. [ 11.085803] mcstransd (3052) used greatest stack depth: 14944 bytes left Starting mcstransd: [....] Starting file context maintaining daemon: restorecond[?25l[?1c7[ ok 8[?25h[?0c. [....] Starting OpenBSD Secure Shell server: sshd[?25l[?1c7[ ok 8[?25h[?0c. Debian GNU/Linux 7 syzkaller ttyS0 syzkaller login: [ 15.809899] audit: type=1400 audit(1514131334.092:6): avc: denied { map } for pid=3136 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1 Warning: Permanently added 'ci-upstream-mmots-kasan-gce-1,10.128.0.9' (ECDSA) to the list of known hosts. executing program [ 34.854317] audit: type=1400 audit(1514131353.137:7): avc: denied { map } for pid=3154 comm="syzkaller530143" path="/root/syzkaller530143865" dev="sda1" ino=16481 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1 [ 34.882904] ================================================================== [ 34.890292] BUG: KASAN: use-after-free in refcount_inc_not_zero+0x16e/0x180 [ 34.897393] Read of size 4 at addr ffff8801c7c96580 by task syzkaller530143/3155 [ 34.904899] [ 34.906507] CPU: 0 PID: 3155 Comm: syzkaller530143 Not tainted 4.15.0-rc4-mm1+ #49 [ 34.914180] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 34.923502] Call Trace: [ 34.926062] dump_stack+0x194/0x257 [ 34.929659] ? arch_local_irq_restore+0x53/0x53 [ 34.934310] ? show_regs_print_info+0x18/0x18 [ 34.938791] ? refcount_inc_not_zero+0x16e/0x180 [ 34.943525] print_address_description+0x73/0x250 [ 34.948336] ? refcount_inc_not_zero+0x16e/0x180 [ 34.953060] kasan_report+0x23b/0x360 [ 34.956848] __asan_report_load4_noabort+0x14/0x20 [ 34.961755] refcount_inc_not_zero+0x16e/0x180 [ 34.966314] ? refcount_add+0x60/0x60 [ 34.970085] ? print_irqtrace_events+0x270/0x270 [ 34.974826] ? do_mq_timedreceive+0xf40/0xf40 [ 34.979302] refcount_inc+0x15/0x50 [ 34.982900] mqueue_evict_inode+0x137/0x9c0 [ 34.987194] ? inode_wait_for_writeback+0x2f/0x40 [ 34.992021] ? lock_downgrade+0x980/0x980 [ 34.996148] ? do_mq_timedreceive+0xf40/0xf40 [ 35.000620] ? __inode_wait_for_writeback+0x292/0x330 [ 35.005785] ? do_raw_spin_trylock+0x190/0x190 [ 35.010339] ? bit_waitqueue+0x30/0x30 [ 35.014199] ? _raw_spin_unlock+0x22/0x30 [ 35.018325] ? do_mq_timedreceive+0xf40/0xf40 [ 35.022796] evict+0x481/0x920 [ 35.025968] ? destroy_inode+0x200/0x200 [ 35.030002] ? iput+0x7b1/0xaf0 [ 35.033263] ? lock_downgrade+0x980/0x980 [ 35.037394] ? _raw_spin_lock+0x32/0x40 [ 35.041338] ? _atomic_dec_and_lock+0x125/0x196 [ 35.045975] ? do_raw_spin_trylock+0x190/0x190 [ 35.050524] ? cpumask_local_spread+0x260/0x260 [ 35.055168] ? reacquire_held_locks+0x1f9/0x3e0 [ 35.059802] ? reacquire_held_locks+0x1f9/0x3e0 [ 35.064439] ? shrink_dentry_list+0x3b0/0xcf0 [ 35.068909] iput+0x7b9/0xaf0 [ 35.071991] ? evict_inodes+0x580/0x580 [ 35.075933] ? dentry_unlink_inode+0x38e/0x5e0 [ 35.080486] ? lock_downgrade+0x980/0x980 [ 35.084611] ? reacquire_held_locks+0x1f9/0x3e0 [ 35.089248] ? reacquire_held_locks+0x1f9/0x3e0 [ 35.093894] ? do_raw_spin_trylock+0x190/0x190 [ 35.098447] ? find_held_lock+0x138/0x1d0 [ 35.102570] dentry_unlink_inode+0x4b0/0x5e0 [ 35.106943] ? __dentry_kill+0x37b/0x6d0 [ 35.110978] ? release_dentry_name_snapshot+0x70/0x70 [ 35.116137] ? __lock_acquire+0x664/0x3e00 [ 35.120343] ? __d_drop+0x2b9/0x4b0 [ 35.123940] ? do_raw_spin_trylock+0x190/0x190 [ 35.128491] ? d_exact_alias+0x620/0x620 [ 35.132522] ? lock_acquire+0x1d5/0x580 [ 35.136463] ? lock_acquire+0x1d5/0x580 [ 35.140415] __dentry_kill+0x3b7/0x6d0 [ 35.144275] ? check_and_drop+0x170/0x170 [ 35.148392] ? lock_downgrade+0x980/0x980 [ 35.152521] shrink_dentry_list+0x3c5/0xcf0 [ 35.156816] ? d_add+0xa70/0xa70 [ 35.160168] ? d_shrink_add+0x280/0x280 [ 35.164122] ? dget_parent+0x5b0/0x5b0 [ 35.167988] ? trace_hardirqs_off+0xd/0x10 [ 35.172218] ? find_held_lock+0x35/0x1d0 [ 35.176259] shrink_dcache_parent+0xba/0x230 [ 35.180640] ? path_has_submounts+0x1a0/0x1a0 [ 35.185122] ? lock_release+0xa40/0xa40 [ 35.189074] ? check_noncircular+0x20/0x20 [ 35.193293] ? d_walk+0x1d2/0xb20 [ 35.196720] do_one_tree+0x15/0x50 [ 35.200238] shrink_dcache_for_umount+0xbb/0x290 [ 35.204962] ? d_walk+0x6f2/0xb20 [ 35.208388] ? d_set_mounted+0x2d0/0x2d0 [ 35.212417] ? d_find_any_alias+0x1c0/0x1c0 [ 35.216717] generic_shutdown_super+0xcd/0x540 [ 35.221269] ? trace_hardirqs_on+0xd/0x10 [ 35.225390] ? destroy_super_rcu+0x200/0x200 [ 35.229778] ? unregister_shrinker+0x22c/0x3a0 [ 35.234339] ? __might_sleep+0x95/0x190 [ 35.238295] ? perf_trace_mm_vmscan_writepage+0x790/0x790 [ 35.243805] ? down_write+0x87/0x120 [ 35.247495] kill_litter_super+0x72/0x90 [ 35.251525] deactivate_locked_super+0x88/0xd0 [ 35.256076] deactivate_super+0x141/0x1b0 [ 35.260204] ? __sb_start_write+0x2a0/0x2a0 [ 35.264508] cleanup_mnt+0xb2/0x150 [ 35.268105] __cleanup_mnt+0x16/0x20 [ 35.271787] task_work_run+0x199/0x270 [ 35.275652] ? task_work_cancel+0x210/0x210 [ 35.279949] ? free_nsproxy+0x185/0x1f0 [ 35.283903] ? switch_task_namespaces+0xa2/0xc0 [ 35.288565] do_exit+0x9bb/0x1ad0 [ 35.291999] ? mm_update_next_owner+0x930/0x930 [ 35.296638] ? __kernel_text_address+0xd/0x40 [ 35.301101] ? unwind_get_return_address+0x61/0xa0 [ 35.306001] ? __save_stack_trace+0x7e/0xd0 [ 35.310308] ? putname+0xee/0x130 [ 35.313730] ? save_stack+0xa3/0xd0 [ 35.317324] ? save_stack+0x43/0xd0 [ 35.320916] ? kasan_slab_free+0x71/0xc0 [ 35.324951] ? kmem_cache_free+0x83/0x2a0 [ 35.329063] ? putname+0xee/0x130 [ 35.332490] ? do_sys_open+0x31b/0x6d0 [ 35.336350] ? SyS_creat+0x27/0x30 [ 35.339864] ? entry_SYSCALL_64_fastpath+0x1f/0x96 [ 35.344768] ? debug_check_no_obj_freed+0x3da/0xf1f [ 35.349762] ? __lock_is_held+0xb6/0x140 [ 35.353825] ? free_obj_work+0x690/0x690 [ 35.357852] ? __fd_install+0x288/0x740 [ 35.361883] ? get_unused_fd_flags+0x190/0x190 [ 35.366434] ? may_open_dev+0xe0/0xe0 [ 35.370210] ? rcu_pm_notify+0xc0/0xc0 [ 35.374083] ? putname+0xee/0x130 [ 35.377506] ? putname+0xee/0x130 [ 35.380933] ? rcu_read_lock_sched_held+0x108/0x120 [ 35.385917] ? kmem_cache_free+0x267/0x2a0 [ 35.390121] ? putname+0xf3/0x130 [ 35.393546] do_group_exit+0x149/0x400 [ 35.397403] ? SyS_exit+0x30/0x30 [ 35.400827] ? trace_hardirqs_on_caller+0x421/0x5c0 [ 35.405814] ? trace_hardirqs_on_thunk+0x1a/0x1c [ 35.410540] SyS_exit_group+0x1d/0x20 [ 35.414309] entry_SYSCALL_64_fastpath+0x1f/0x96 [ 35.419029] RIP: 0033:0x4406f9 [ 35.422187] RSP: 002b:00007ffcfe661b08 EFLAGS: 00000202 ORIG_RAX: 00000000000000e7 [ 35.429862] RAX: ffffffffffffffda RBX: 0030656c69662f2e RCX: 00000000004406f9 [ 35.437105] RDX: 00000000004406f9 RSI: 00000000004406f9 RDI: 0000000000000001 [ 35.444340] RBP: 00000000006cb018 R08: 0000000000000000 R09: 00000000004002c8 [ 35.451576] R10: 0000000000000000 R11: 0000000000000202 R12: 0000000000401bc0 [ 35.458814] R13: 0000000000401c50 R14: 0000000000000000 R15: 0000000000000000 [ 35.466066] [ 35.467664] Allocated by task 3155: [ 35.471259] save_stack+0x43/0xd0 [ 35.474680] kasan_kmalloc+0xad/0xe0 [ 35.478358] kmem_cache_alloc_trace+0x136/0x750 [ 35.482995] copy_ipcs+0x1b3/0x520 [ 35.486503] create_new_namespaces+0x278/0x880 [ 35.491059] unshare_nsproxy_namespaces+0xae/0x1e0 [ 35.495978] SyS_unshare+0x653/0xfa0 [ 35.499668] entry_SYSCALL_64_fastpath+0x1f/0x96 [ 35.504391] [ 35.505996] Freed by task 3155: [ 35.509246] save_stack+0x43/0xd0 [ 35.512669] kasan_slab_free+0x71/0xc0 [ 35.516524] kfree+0xd6/0x260 [ 35.519599] put_ipc_ns+0x112/0x150 [ 35.523196] free_nsproxy+0xc0/0x1f0 [ 35.526876] switch_task_namespaces+0x9d/0xc0 [ 35.531349] exit_task_namespaces+0x17/0x20 [ 35.535641] do_exit+0x9b6/0x1ad0 [ 35.539157] do_group_exit+0x149/0x400 [ 35.543019] SyS_exit_group+0x1d/0x20 [ 35.546788] entry_SYSCALL_64_fastpath+0x1f/0x96 [ 35.551507] [ 35.553101] The buggy address belongs to the object at ffff8801c7c96580 [ 35.553101] which belongs to the cache kmalloc-2048 of size 2048 [ 35.565903] The buggy address is located 0 bytes inside of [ 35.565903] 2048-byte region [ffff8801c7c96580, ffff8801c7c96d80) [ 35.577672] The buggy address belongs to the page: [ 35.582571] page:ffffea00071f2580 count:1 mapcount:0 mapping:ffff8801c7c96580 index:0x0 compound_mapcount: 0 [ 35.592511] flags: 0x2fffc0000008100(slab|head) [ 35.597162] raw: 02fffc0000008100 ffff8801c7c96580 0000000000000000 0000000100000003 [ 35.605017] raw: ffffea000721cc20 ffffea00071f2320 ffff8801dac00c40 0000000000000000 [ 35.612861] page dumped because: kasan: bad access detected [ 35.618537] [ 35.620133] Memory state around the buggy address: [ 35.625031] ffff8801c7c96480: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 35.632356] ffff8801c7c96500: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 35.639681] >ffff8801c7c96580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 35.647010] ^ [ 35.650342] ffff8801c7c96600: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 35.657668] ffff8801c7c96680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 35.664991] ================================================================== [ 35.672314] Disabling lock debugging due to kernel taint [ 35.677817] Kernel panic - not syncing: panic_on_warn set ... [ 35.677817] [ 35.685183] CPU: 0 PID: 3155 Comm: syzkaller530143 Tainted: G B 4.15.0-rc4-mm1+ #49 [ 35.694181] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 35.703502] Call Trace: [ 35.706060] dump_stack+0x194/0x257 [ 35.709654] ? arch_local_irq_restore+0x53/0x53 [ 35.714309] ? kasan_end_report+0x32/0x50 [ 35.718432] ? trace_hardirqs_on_thunk+0x1a/0x1c [ 35.723166] ? vsnprintf+0x1ed/0x1900 [ 35.726934] ? refcount_inc_not_zero+0xf0/0x180 [ 35.731571] panic+0x1e4/0x41c [ 35.734731] ? refcount_error_report+0x214/0x214 [ 35.739454] ? add_taint+0x1c/0x50 [ 35.742957] ? add_taint+0x1c/0x50 [ 35.746463] ? refcount_inc_not_zero+0x16e/0x180 [ 35.751193] kasan_end_report+0x50/0x50 [ 35.755143] kasan_report+0x148/0x360 [ 35.758919] __asan_report_load4_noabort+0x14/0x20 [ 35.763914] refcount_inc_not_zero+0x16e/0x180 [ 35.768474] ? refcount_add+0x60/0x60 [ 35.772258] ? print_irqtrace_events+0x270/0x270 [ 35.777000] ? do_mq_timedreceive+0xf40/0xf40 [ 35.781471] refcount_inc+0x15/0x50 [ 35.785101] mqueue_evict_inode+0x137/0x9c0 [ 35.789408] ? inode_wait_for_writeback+0x2f/0x40 [ 35.794231] ? lock_downgrade+0x980/0x980 [ 35.798355] ? do_mq_timedreceive+0xf40/0xf40 [ 35.802820] ? __inode_wait_for_writeback+0x292/0x330 [ 35.807985] ? do_raw_spin_trylock+0x190/0x190 [ 35.812537] ? bit_waitqueue+0x30/0x30 [ 35.816406] ? _raw_spin_unlock+0x22/0x30 [ 35.820522] ? do_mq_timedreceive+0xf40/0xf40 [ 35.824986] evict+0x481/0x920 [ 35.828152] ? destroy_inode+0x200/0x200 [ 35.832203] ? iput+0x7b1/0xaf0 [ 35.835451] ? lock_downgrade+0x980/0x980 [ 35.839568] ? _raw_spin_lock+0x32/0x40 [ 35.843514] ? _atomic_dec_and_lock+0x125/0x196 [ 35.848153] ? do_raw_spin_trylock+0x190/0x190 [ 35.852707] ? cpumask_local_spread+0x260/0x260 [ 35.857344] ? reacquire_held_locks+0x1f9/0x3e0 [ 35.861979] ? reacquire_held_locks+0x1f9/0x3e0 [ 35.866619] ? shrink_dentry_list+0x3b0/0xcf0 [ 35.871094] iput+0x7b9/0xaf0 [ 35.874170] ? evict_inodes+0x580/0x580 [ 35.878109] ? dentry_unlink_inode+0x38e/0x5e0 [ 35.882658] ? lock_downgrade+0x980/0x980 [ 35.886774] ? reacquire_held_locks+0x1f9/0x3e0 [ 35.891407] ? reacquire_held_locks+0x1f9/0x3e0 [ 35.896041] ? do_raw_spin_trylock+0x190/0x190 [ 35.900607] ? find_held_lock+0x138/0x1d0 [ 35.904723] dentry_unlink_inode+0x4b0/0x5e0 [ 35.909097] ? __dentry_kill+0x37b/0x6d0 [ 35.913130] ? release_dentry_name_snapshot+0x70/0x70 [ 35.918287] ? __lock_acquire+0x664/0x3e00 [ 35.922486] ? __d_drop+0x2b9/0x4b0 [ 35.926079] ? do_raw_spin_trylock+0x190/0x190 [ 35.930633] ? d_exact_alias+0x620/0x620 [ 35.934661] ? lock_acquire+0x1d5/0x580 [ 35.938597] ? lock_acquire+0x1d5/0x580 [ 35.942538] __dentry_kill+0x3b7/0x6d0 [ 35.946401] ? check_and_drop+0x170/0x170 [ 35.950517] ? lock_downgrade+0x980/0x980 [ 35.954649] shrink_dentry_list+0x3c5/0xcf0 [ 35.958947] ? d_add+0xa70/0xa70 [ 35.962280] ? d_shrink_add+0x280/0x280 [ 35.966220] ? dget_parent+0x5b0/0x5b0 [ 35.970076] ? trace_hardirqs_off+0xd/0x10 [ 35.974280] ? find_held_lock+0x35/0x1d0 [ 35.978313] shrink_dcache_parent+0xba/0x230 [ 35.982698] ? path_has_submounts+0x1a0/0x1a0 [ 35.987159] ? lock_release+0xa40/0xa40 [ 35.991100] ? check_noncircular+0x20/0x20 [ 35.995304] ? d_walk+0x1d2/0xb20 [ 35.998726] do_one_tree+0x15/0x50 [ 36.002231] shrink_dcache_for_umount+0xbb/0x290 [ 36.006951] ? d_walk+0x6f2/0xb20 [ 36.010371] ? d_set_mounted+0x2d0/0x2d0 [ 36.014407] ? d_find_any_alias+0x1c0/0x1c0 [ 36.018708] generic_shutdown_super+0xcd/0x540 [ 36.023447] ? trace_hardirqs_on+0xd/0x10 [ 36.027564] ? destroy_super_rcu+0x200/0x200 [ 36.031944] ? unregister_shrinker+0x22c/0x3a0 [ 36.036498] ? __might_sleep+0x95/0x190 [ 36.040447] ? perf_trace_mm_vmscan_writepage+0x790/0x790 [ 36.045950] ? down_write+0x87/0x120 [ 36.049633] kill_litter_super+0x72/0x90 [ 36.053664] deactivate_locked_super+0x88/0xd0 [ 36.058222] deactivate_super+0x141/0x1b0 [ 36.062336] ? __sb_start_write+0x2a0/0x2a0 [ 36.066629] cleanup_mnt+0xb2/0x150 [ 36.070222] __cleanup_mnt+0x16/0x20 [ 36.073904] task_work_run+0x199/0x270 [ 36.077757] ? task_work_cancel+0x210/0x210 [ 36.082053] ? free_nsproxy+0x185/0x1f0 [ 36.086002] ? switch_task_namespaces+0xa2/0xc0 [ 36.090648] do_exit+0x9bb/0x1ad0 [ 36.094071] ? mm_update_next_owner+0x930/0x930 [ 36.098707] ? __kernel_text_address+0xd/0x40 [ 36.103177] ? unwind_get_return_address+0x61/0xa0 [ 36.108076] ? __save_stack_trace+0x7e/0xd0 [ 36.112370] ? putname+0xee/0x130 [ 36.115790] ? save_stack+0xa3/0xd0 [ 36.119386] ? save_stack+0x43/0xd0 [ 36.122986] ? kasan_slab_free+0x71/0xc0 [ 36.127014] ? kmem_cache_free+0x83/0x2a0 [ 36.131131] ? putname+0xee/0x130 [ 36.134547] ? do_sys_open+0x31b/0x6d0 [ 36.138934] ? SyS_creat+0x27/0x30 [ 36.142439] ? entry_SYSCALL_64_fastpath+0x1f/0x96 [ 36.147335] ? debug_check_no_obj_freed+0x3da/0xf1f [ 36.152323] ? __lock_is_held+0xb6/0x140 [ 36.156355] ? free_obj_work+0x690/0x690 [ 36.160379] ? __fd_install+0x288/0x740 [ 36.164320] ? get_unused_fd_flags+0x190/0x190 [ 36.168868] ? may_open_dev+0xe0/0xe0 [ 36.172639] ? rcu_pm_notify+0xc0/0xc0 [ 36.176492] ? putname+0xee/0x130 [ 36.179913] ? putname+0xee/0x130 [ 36.183333] ? rcu_read_lock_sched_held+0x108/0x120 [ 36.188315] ? kmem_cache_free+0x267/0x2a0 [ 36.192527] ? putname+0xf3/0x130 [ 36.195951] do_group_exit+0x149/0x400 [ 36.199808] ? SyS_exit+0x30/0x30 [ 36.203231] ? trace_hardirqs_on_caller+0x421/0x5c0 [ 36.208216] ? trace_hardirqs_on_thunk+0x1a/0x1c [ 36.212940] SyS_exit_group+0x1d/0x20 [ 36.216709] entry_SYSCALL_64_fastpath+0x1f/0x96 [ 36.221436] RIP: 0033:0x4406f9 [ 36.224593] RSP: 002b:00007ffcfe661b08 EFLAGS: 00000202 ORIG_RAX: 00000000000000e7 [ 36.232275] RAX: ffffffffffffffda RBX: 0030656c69662f2e RCX: 00000000004406f9 [ 36.239519] RDX: 00000000004406f9 RSI: 00000000004406f9 RDI: 0000000000000001 [ 36.246757] RBP: 00000000006cb018 R08: 0000000000000000 R09: 00000000004002c8 [ 36.254007] R10: 0000000000000000 R11: 0000000000000202 R12: 0000000000401bc0 [ 36.261253] R13: 0000000000401c50 R14: 0000000000000000 R15: 0000000000000000 [ 36.268532] Dumping ftrace buffer: [ 36.272042] (ftrace buffer empty) [ 36.275721] Kernel Offset: disabled [ 36.279317] Rebooting in 86400 seconds..