Starting mcstransd:
[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.
[ ok ] Starting file context maintaining daemon: restorecond.
[ 26.946934] kauditd_printk_skb: 10 callbacks suppressed
[ 26.946946] audit: type=1400 audit(1540057312.009:35): avc: denied { map } for pid=5391 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
Debian GNU/Linux 7 syzkaller ttyS0
Warning: Permanently added '10.128.0.29' (ECDSA) to the list of known hosts.
syzkaller login: [ 799.815865] audit: type=1400 audit(1540058084.879:36): avc: denied { map } for pid=5408 comm="syz-execprog" path="/root/syz-execprog" dev="sda1" ino=16482 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
2018/10/20 17:54:45 parsed 1 programs
[ 800.369103] audit: type=1400 audit(1540058085.429:37): avc: denied { map } for pid=5408 comm="syz-execprog" path="/sys/kernel/debug/kcov" dev="debugfs" ino=65 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:debugfs_t:s0 tclass=file permissive=1
2018/10/20 17:54:46 executed programs: 0
[ 801.804945] IPVS: ftp: loaded support on port[0] = 21
[ 802.058594] bridge0: port 1(bridge_slave_0) entered blocking state
[ 802.065376] bridge0: port 1(bridge_slave_0) entered disabled state
[ 802.073293] device bridge_slave_0 entered promiscuous mode
[ 802.091474] bridge0: port 2(bridge_slave_1) entered blocking state
[ 802.098174] bridge0: port 2(bridge_slave_1) entered disabled state
[ 802.105492] device bridge_slave_1 entered promiscuous mode
[ 802.122614] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bridge: link is not ready
[ 802.139785] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bridge: link is not ready
[ 802.190877] bond0: Enslaving bond_slave_0 as an active interface with an up link
[ 802.210409] bond0: Enslaving bond_slave_1 as an active interface with an up link
[ 802.283007] IPv6: ADDRCONF(NETDEV_UP): team_slave_0: link is not ready
[ 802.290357] team0: Port device team_slave_0 added
[ 802.309089] IPv6: ADDRCONF(NETDEV_UP): team_slave_1: link is not ready
[ 802.316256] team0: Port device team_slave_1 added
[ 802.333832] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready
[ 802.353530] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready
[ 802.373256] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready
[ 802.393166] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready
[ 802.536806] bridge0: port 2(bridge_slave_1) entered blocking state
[ 802.543402] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 802.550315] bridge0: port 1(bridge_slave_0) entered blocking state
[ 802.556722] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 803.058270] 8021q: adding VLAN 0 to HW filter on device bond0
[ 803.108123] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
[ 803.158262] IPv6: ADDRCONF(NETDEV_UP): veth1: link is not ready
[ 803.164723] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready
[ 803.171888] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 803.223750] 8021q: adding VLAN 0 to HW filter on device team0
[ 805.402046]
[ 805.403719] =====================================
[ 805.408546] WARNING: bad unlock balance detected!
[ 805.413374] 4.19.0-rc8+ #72 Not tainted
[ 805.417334] -------------------------------------
[ 805.422162] syz-executor0/6237 is trying to release lock (&file->mut) at:
[ 805.429231] [] ucma_destroy_id+0x2cb/0x550
[ 805.435014] but there are no more locks to release!
[ 805.440015]
[ 805.440015] other info that might help us debug this:
[ 805.446669] 1 lock held by syz-executor0/6237:
[ 805.451234]  #0: 00000000bc2f1fb6 (&file->mut){+.+.}, at: ucma_destroy_id+0x26b/0x550
[ 805.459202]
[ 805.459202] stack backtrace:
[ 805.463690] CPU: 1 PID: 6237 Comm: syz-executor0 Not tainted 4.19.0-rc8+ #72
[ 805.470860] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 805.480200] Call Trace:
[ 805.482827]  dump_stack+0x1c4/0x2b4
[ 805.486446]  ? dump_stack_print_info.cold.2+0x52/0x52
[ 805.491630]  ? vprintk_func+0x85/0x181
[ 805.495518]  ? ucma_destroy_id+0x2cb/0x550
[ 805.499788]  print_unlock_imbalance_bug.cold.48+0xcc/0xd8
[ 805.505316]  lock_release+0x785/0x970
[ 805.509105]  ? ucma_destroy_id+0x2cb/0x550
[ 805.513327]  ? lock_downgrade+0x900/0x900
[ 805.517463]  ? radix_tree_descend+0x2e0/0x2e0
[ 805.521981]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 805.527512]  ? node_tag_set+0xc6/0x170
[ 805.531409]  __mutex_unlock_slowpath+0x102/0x8c0
[ 805.536157]  ? wait_for_completion+0x8a0/0x8a0
[ 805.540730]  ? radix_tree_delete_item+0x188/0x350
[ 805.545559]  ? radix_tree_lookup+0x30/0x30
[ 805.549786]  mutex_unlock+0xd/0x10
[ 805.553320]  ucma_destroy_id+0x2cb/0x550
[ 805.557371]  ? ucma_close+0x310/0x310
[ 805.561163]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[ 805.566719]  ? _copy_from_user+0xdf/0x150
[ 805.570857]  ? ucma_close+0x310/0x310
[ 805.574649]  ucma_write+0x365/0x460
[ 805.578264]  ? ucma_open+0x3f0/0x3f0
[ 805.582081]  ? ___might_sleep+0x1ed/0x300
[ 805.586242]  __vfs_write+0x119/0x9f0
[ 805.589967]  ? __fget_light+0x2e9/0x430
[ 805.593932]  ? ucma_open+0x3f0/0x3f0
[ 805.597653]  ? kernel_read+0x120/0x120
[ 805.601525]  ? __might_sleep+0x95/0x190
[ 805.605492]  ? arch_local_save_flags+0x40/0x40
[ 805.610065]  ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20
[ 805.615616]  ? __inode_security_revalidate+0xd9/0x120
[ 805.620797]  ? __sanitizer_cov_trace_cmp4+0x16/0x20
[ 805.625830]  ? selinux_file_permission+0x90/0x540
[ 805.630665]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 805.636212]  ? security_file_permission+0x1c2/0x230
[ 805.641222]  ? rw_verify_area+0x118/0x360
[ 805.645358]  vfs_write+0x1fc/0x560
[ 805.648887]  ksys_write+0x101/0x260
[ 805.652503]  ? __ia32_sys_read+0xb0/0xb0
[ 805.656651]  ? __bpf_trace_preemptirq_template+0x30/0x30
[ 805.662093]  __x64_sys_write+0x73/0xb0
[ 805.665997]  do_syscall_64+0x1b9/0x820
[ 805.669898]  ? entry_SYSCALL_64_after_hwframe+0x3e/0xbe
[ 805.675251]  ? syscall_return_slowpath+0x5e0/0x5e0
[ 805.680172]  ? trace_hardirqs_on_caller+0x310/0x310
[ 805.685178]  ? prepare_exit_to_usermode+0x3b0/0x3b0
[ 805.690219]  ? recalc_sigpending_tsk+0x180/0x180
[ 805.694999]  ? kasan_check_write+0x14/0x20
[ 805.699226]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 805.704064]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 805.709242] RIP: 0033:0x457569
[ 805.712423] Code: fd b3 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 cb b3 fb ff c3 66 2e 0f 1f 84 00 00 00 00
[ 805.731587] RSP: 002b:00007ff00c054c78 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
[ 805.739287] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000000457569
[ 805.746547] RDX: 0000000000000018 RSI: 0000000020000280 RDI: 0000000000000005
[ 805.753806] RBP: 000000000072bfa0 R08: 0000000000000000 R09: 0000000000000000
[ 805.761069] R10: 0000000000000000 R11: 0000000000000246 R12: 00007ff00c0556d4
[ 805.768327] R13: 00000000004cb4f8 R14: 00000000004d8b68 R15: 00000000ffffffff
[ 805.777500] ==================================================================
[ 805.784885] BUG: KASAN: use-after-free in ucma_destroy_id+0x524/0x550
[ 805.791450] Read of size 8 at addr ffff8801d95f2da8 by task syz-executor0/6237
[ 805.798796]
[ 805.800421] CPU: 1 PID: 6237 Comm: syz-executor0 Not tainted 4.19.0-rc8+ #72
[ 805.807592] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 805.816944] Call Trace:
[ 805.819528]  dump_stack+0x1c4/0x2b4
[ 805.823154]  ? dump_stack_print_info.cold.2+0x52/0x52
[ 805.828337]  ? printk+0xa7/0xcf
[ 805.831618]  ? kmsg_dump_rewind_nolock+0xe4/0xe4
[ 805.836387]  print_address_description.cold.8+0x9/0x1ff
[ 805.841743]  kasan_report.cold.9+0x242/0x309
[ 805.846144]  ? ucma_destroy_id+0x524/0x550
[ 805.850371]  __asan_report_load8_noabort+0x14/0x20
[ 805.855291]  ucma_destroy_id+0x524/0x550
[ 805.859451]  ? ucma_close+0x310/0x310
[ 805.863253]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[ 805.868784]  ? _copy_from_user+0xdf/0x150
[ 805.872941]  ? ucma_close+0x310/0x310
[ 805.876736]  ucma_write+0x365/0x460
[ 805.880355]  ? ucma_open+0x3f0/0x3f0
[ 805.884062]  ? ___might_sleep+0x1ed/0x300
[ 805.888214]  __vfs_write+0x119/0x9f0
[ 805.891940]  ? __fget_light+0x2e9/0x430
[ 805.895933]  ? ucma_open+0x3f0/0x3f0
[ 805.899654]  ? kernel_read+0x120/0x120
[ 805.903529]  ? __might_sleep+0x95/0x190
[ 805.907492]  ? arch_local_save_flags+0x40/0x40
[ 805.912066]  ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20
[ 805.917594]  ? __inode_security_revalidate+0xd9/0x120
[ 805.922777]  ? __sanitizer_cov_trace_cmp4+0x16/0x20
[ 805.927785]  ? selinux_file_permission+0x90/0x540
[ 805.932641]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 805.938182]  ? security_file_permission+0x1c2/0x230
[ 805.943251]  ? rw_verify_area+0x118/0x360
[ 805.947393]  vfs_write+0x1fc/0x560
[ 805.950946]  ksys_write+0x101/0x260
[ 805.954570]  ? __ia32_sys_read+0xb0/0xb0
[ 805.958627]  ? __bpf_trace_preemptirq_template+0x30/0x30
[ 805.964130]  __x64_sys_write+0x73/0xb0
[ 805.968013]  do_syscall_64+0x1b9/0x820
[ 805.971892]  ? entry_SYSCALL_64_after_hwframe+0x3e/0xbe
[ 805.977262]  ? syscall_return_slowpath+0x5e0/0x5e0
[ 805.982182]  ? trace_hardirqs_on_caller+0x310/0x310
[ 805.987188]  ? prepare_exit_to_usermode+0x3b0/0x3b0
[ 805.992196]  ? recalc_sigpending_tsk+0x180/0x180
[ 805.996961]  ? kasan_check_write+0x14/0x20
[ 806.001190]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 806.006029]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 806.011208] RIP: 0033:0x457569
[ 806.014393] Code: fd b3 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 cb b3 fb ff c3 66 2e 0f 1f 84 00 00 00 00
[ 806.033287] RSP: 002b:00007ff00c054c78 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
[ 806.040988] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000000457569
[ 806.048248] RDX: 0000000000000018 RSI: 0000000020000280 RDI: 0000000000000005
[ 806.055548] RBP: 000000000072bfa0 R08: 0000000000000000 R09: 0000000000000000
[ 806.062852] R10: 0000000000000000 R11: 0000000000000246 R12: 00007ff00c0556d4
[ 806.070151] R13: 00000000004cb4f8 R14: 00000000004d8b68 R15: 00000000ffffffff
[ 806.077455]
[ 806.079074] Allocated by task 6233:
[ 806.082698]  save_stack+0x43/0xd0
[ 806.086142]  kasan_kmalloc+0xc7/0xe0
[ 806.089913]  kmem_cache_alloc_trace+0x152/0x750
[ 806.094623]  ucma_alloc_ctx+0xce/0x690
[ 806.098500]  ucma_create_id+0x27d/0x990
[ 806.102475]  ucma_write+0x365/0x460
[ 806.106102]  __vfs_write+0x119/0x9f0
[ 806.109804]  vfs_write+0x1fc/0x560
[ 806.113346]  ksys_write+0x101/0x260
[ 806.117015]  __x64_sys_write+0x73/0xb0
[ 806.120911]  do_syscall_64+0x1b9/0x820
[ 806.124793]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 806.129974]
[ 806.131588] Freed by task 6231:
[ 806.134854]  save_stack+0x43/0xd0
[ 806.138302]  __kasan_slab_free+0x102/0x150
[ 806.142707]  kasan_slab_free+0xe/0x10
[ 806.146505]  kfree+0xcf/0x230
[ 806.149614]  ucma_free_ctx+0x9e6/0xdb0
[ 806.153533]  ucma_close+0x121/0x310
[ 806.157152]  __fput+0x385/0xa30
[ 806.160419]  ____fput+0x15/0x20
[ 806.163736]  task_work_run+0x1e8/0x2a0
[ 806.167655]  exit_to_usermode_loop+0x318/0x380
[ 806.172227]  do_syscall_64+0x6be/0x820
[ 806.176108]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 806.181284]
[ 806.182928] The buggy address belongs to the object at ffff8801d95f2d40
[ 806.182928]  which belongs to the cache kmalloc-256 of size 256
[ 806.195621] The buggy address is located 104 bytes inside of
[ 806.195621]  256-byte region [ffff8801d95f2d40, ffff8801d95f2e40)
[ 806.207486] The buggy address belongs to the page:
[ 806.212407] page:ffffea0007657c80 count:1 mapcount:0 mapping:ffff8801da8007c0 index:0x0
[ 806.220542] flags: 0x2fffc0000000100(slab)
[ 806.224771] raw: 02fffc0000000100 ffffea0007644408 ffffea000761a7c8 ffff8801da8007c0
[ 806.232651] raw: 0000000000000000 ffff8801d95f20c0 000000010000000c 0000000000000000
[ 806.240532] page dumped because: kasan: bad access detected
[ 806.246235]
[ 806.247849] Memory state around the buggy address:
[ 806.252769]  ffff8801d95f2c80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 fc
[ 806.260119]  ffff8801d95f2d00: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
[ 806.267468] >ffff8801d95f2d80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 806.274818]                                   ^
[ 806.279475]  ffff8801d95f2e00: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 806.286823]  ffff8801d95f2e80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 806.294168] ==================================================================
[ 806.301797] Kernel panic - not syncing: panic_on_warn set ...
[ 806.301797]
[ 806.309173] CPU: 1 PID: 6237 Comm: syz-executor0 Tainted: G B 4.19.0-rc8+ #72
[ 806.317735] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 806.327086] Call Trace:
[ 806.329676]  dump_stack+0x1c4/0x2b4
[ 806.333339]  ? dump_stack_print_info.cold.2+0x52/0x52
[ 806.338534]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 806.343341]  panic+0x238/0x4e7
[ 806.346567]  ? add_taint.cold.5+0x16/0x16
[ 806.350716]  ? preempt_schedule+0x4d/0x60
[ 806.354856]  ? ___preempt_schedule+0x16/0x18
[ 806.359274]  ? trace_hardirqs_on+0xb4/0x310
[ 806.363590]  kasan_end_report+0x47/0x4f
[ 806.367557]  kasan_report.cold.9+0x76/0x309
[ 806.371885]  ? ucma_destroy_id+0x524/0x550
[ 806.376115]  __asan_report_load8_noabort+0x14/0x20
[ 806.381037]  ucma_destroy_id+0x524/0x550
[ 806.385091]  ? ucma_close+0x310/0x310
[ 806.389020]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[ 806.394550]  ? _copy_from_user+0xdf/0x150
[ 806.398690]  ? ucma_close+0x310/0x310
[ 806.402482]  ucma_write+0x365/0x460
[ 806.406101]  ? ucma_open+0x3f0/0x3f0
[ 806.409806]  ? ___might_sleep+0x1ed/0x300
[ 806.413952]  __vfs_write+0x119/0x9f0
[ 806.417661]  ? __fget_light+0x2e9/0x430
[ 806.421628]  ? ucma_open+0x3f0/0x3f0
[ 806.425334]  ? kernel_read+0x120/0x120
[ 806.429214]  ? __might_sleep+0x95/0x190
[ 806.433181]  ? arch_local_save_flags+0x40/0x40
[ 806.437754]  ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20
[ 806.443287]  ? __inode_security_revalidate+0xd9/0x120
[ 806.448477]  ? __sanitizer_cov_trace_cmp4+0x16/0x20
[ 806.453484]  ? selinux_file_permission+0x90/0x540
[ 806.458318]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 806.463849]  ? security_file_permission+0x1c2/0x230
[ 806.468886]  ? rw_verify_area+0x118/0x360
[ 806.473066]  vfs_write+0x1fc/0x560
[ 806.476599]  ksys_write+0x101/0x260
[ 806.480218]  ? __ia32_sys_read+0xb0/0xb0
[ 806.484289]  ? __bpf_trace_preemptirq_template+0x30/0x30
[ 806.489743]  __x64_sys_write+0x73/0xb0
[ 806.493626]  do_syscall_64+0x1b9/0x820
[ 806.497507]  ? entry_SYSCALL_64_after_hwframe+0x3e/0xbe
[ 806.502882]  ? syscall_return_slowpath+0x5e0/0x5e0
[ 806.507821]  ? trace_hardirqs_on_caller+0x310/0x310
[ 806.512837]  ? prepare_exit_to_usermode+0x3b0/0x3b0
[ 806.517882]  ? recalc_sigpending_tsk+0x180/0x180
[ 806.522635]  ? kasan_check_write+0x14/0x20
[ 806.526886]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 806.531724]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 806.536910] RIP: 0033:0x457569
[ 806.540097] Code: fd b3 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 cb b3 fb ff c3 66 2e 0f 1f 84 00 00 00 00
[ 806.559074] RSP: 002b:00007ff00c054c78 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
[ 806.566776] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000000457569
[ 806.574035] RDX: 0000000000000018 RSI: 0000000020000280 RDI: 0000000000000005
[ 806.581303] RBP: 000000000072bfa0 R08: 0000000000000000 R09: 0000000000000000
[ 806.588570] R10: 0000000000000000 R11: 0000000000000246 R12: 00007ff00c0556d4
[ 806.595828] R13: 00000000004cb4f8 R14: 00000000004d8b68 R15: 00000000ffffffff
[ 806.604463] Kernel Offset: disabled
[ 806.608144] Rebooting in 86400 seconds..