Starting mcstransd:
[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting file context maintaining daemon: restorecond.
[ ok ] Starting OpenBSD Secure Shell server: sshd.
[ 17.840574] audit: type=1400 audit(1520526347.326:6): avc: denied { map } for pid=4223 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1

Debian GNU/Linux 7 syzkaller ttyS0

Warning: Permanently added '10.128.0.59' (ECDSA) to the list of known hosts.
executing program
syzkaller login: [ 24.228039] audit: type=1400 audit(1520526353.713:7): avc: denied { map } for pid=4237 comm="syzkaller094010" path="/root/syzkaller094010595" dev="sda1" ino=16481 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
[ 24.255625] ==================================================================
[ 24.263033] BUG: KASAN: use-after-free in ucma_close+0x2d7/0x2f0
[ 24.269157] Read of size 8 at addr ffff8801b0632840 by task syzkaller094010/4237
[ 24.276656]
[ 24.278257] CPU: 1 PID: 4237 Comm: syzkaller094010 Not tainted 4.16.0-rc4+ #346
[ 24.285678] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 24.295015] Call Trace:
[ 24.297584] dump_stack+0x194/0x24d
[ 24.301191] ? arch_local_irq_restore+0x53/0x53
[ 24.305834] ? show_regs_print_info+0x18/0x18
[ 24.310310] ? ucma_close+0x2d7/0x2f0
[ 24.314084] print_address_description+0x73/0x250
[ 24.318899] ? ucma_close+0x2d7/0x2f0
[ 24.322671] kasan_report+0x23c/0x360
[ 24.326450] __asan_report_load8_noabort+0x14/0x20
[ 24.331354] ucma_close+0x2d7/0x2f0
[ 24.334953] ? __might_sleep+0x95/0x190
[ 24.338901] ? ucma_free_ctx+0xd90/0xd90
[ 24.342936] __fput+0x327/0x7e0
[ 24.346191] ? fput+0x140/0x140
[ 24.349446] ? _raw_spin_unlock_irq+0x27/0x70
[ 24.353922] ____fput+0x15/0x20
[ 24.357173] task_work_run+0x199/0x270
[ 24.361032] ? task_work_cancel+0x210/0x210
[ 24.365328] ? _raw_spin_unlock+0x22/0x30
[ 24.369449] ? switch_task_namespaces+0x87/0xc0
[ 24.374094] do_exit+0x9bb/0x1ad0
[ 24.377518] ? ucma_create_id+0x45b/0x620
[ 24.381640] ? mm_update_next_owner+0x930/0x930
[ 24.386285] ? ucma_create_id+0x17b/0x620
[ 24.390413] ? ucma_get_event+0xa90/0xa90
[ 24.394551] ? __might_sleep+0x95/0x190
[ 24.398504] ? kasan_check_write+0x14/0x20
[ 24.402714] ? _copy_from_user+0x99/0x110
[ 24.406839] ? ucma_write+0x11f/0x3d0
[ 24.410611] ? ucma_get_event+0xa90/0xa90
[ 24.414731] ? ucma_resolve_route+0x1a0/0x1a0
[ 24.419204] ? ucma_resolve_route+0x1a0/0x1a0
[ 24.423675] ? __vfs_write+0xf7/0x970
[ 24.427473] ? rcu_note_context_switch+0x710/0x710
[ 24.432377] ? kernel_read+0x120/0x120
[ 24.436235] ? __might_sleep+0x95/0x190
[ 24.440184] ? _cond_resched+0x14/0x30
[ 24.444432] ? __inode_security_revalidate+0xd9/0x130
[ 24.449593] ? avc_policy_seqno+0x9/0x20
[ 24.453634] ? security_file_permission+0x89/0x1e0
[ 24.458537] ? rw_verify_area+0xe5/0x2b0
[ 24.462578] ? __fdget_raw+0x20/0x20
[ 24.466269] ? vfs_write+0x224/0x510
[ 24.469959] do_group_exit+0x149/0x400
[ 24.473823] ? SyS_write+0x184/0x220
[ 24.477507] ? filp_open+0x70/0x70
[ 24.481023] ? SyS_exit+0x30/0x30
[ 24.484447] ? SyS_read+0x220/0x220
[ 24.488047] ? do_syscall_64+0xb7/0x940
[ 24.491995] ? do_group_exit+0x400/0x400
[ 24.496028] SyS_exit_group+0x1d/0x20
[ 24.499799] do_syscall_64+0x281/0x940
[ 24.503655] ? __do_page_fault+0xc90/0xc90
[ 24.507945] ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 24.512676] ? syscall_return_slowpath+0x550/0x550
[ 24.517575] ? syscall_return_slowpath+0x2ac/0x550
[ 24.522475] ? prepare_exit_to_usermode+0x350/0x350
[ 24.527463] ? entry_SYSCALL_64_after_hwframe+0x52/0xb7
[ 24.532799] ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 24.537616] entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 24.542773] RIP: 0033:0x43e938
[ 24.545939] RSP: 002b:00007ffe7b0dc778 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
[ 24.553632] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 000000000043e938
[ 24.560882] RDX: 0000000000000000 RSI: 000000000000003c RDI: 0000000000000000
[ 24.568128] RBP: 00000000004be3c0 R08: 00000000000000e7 R09: ffffffffffffffd0
[ 24.575366] R10: 00000000004002c8 R11: 0000000000000246 R12: 0000000000000001
[ 24.582604] R13: 00000000006cc160 R14: 0000000000000000 R15: 0000000000000000
[ 24.589863]
[ 24.591469] Allocated by task 4237:
[ 24.595067] save_stack+0x43/0xd0
[ 24.598488] kasan_kmalloc+0xad/0xe0
[ 24.602171] kmem_cache_alloc_trace+0x136/0x740
[ 24.606816] ucma_alloc_ctx+0xce/0x610
[ 24.610691] ucma_create_id+0x205/0x620
[ 24.614652] ucma_write+0x2d6/0x3d0
[ 24.618263] __vfs_write+0xef/0x970
[ 24.621862] vfs_write+0x189/0x510
[ 24.625372] SyS_write+0xef/0x220
[ 24.628794] do_syscall_64+0x281/0x940
[ 24.632651] entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 24.637807]
[ 24.639406] Freed by task 4237:
[ 24.642654] save_stack+0x43/0xd0
[ 24.646077] __kasan_slab_free+0x11a/0x170
[ 24.650282] kasan_slab_free+0xe/0x10
[ 24.654051] kfree+0xd9/0x260
[ 24.657128] ucma_create_id+0x45b/0x620
[ 24.661071] ucma_write+0x2d6/0x3d0
[ 24.664666] __vfs_write+0xef/0x970
[ 24.668267] vfs_write+0x189/0x510
[ 24.671791] SyS_write+0xef/0x220
[ 24.675217] do_syscall_64+0x281/0x940
[ 24.679077] entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 24.684234]
[ 24.685838] The buggy address belongs to the object at ffff8801b06327c0
[ 24.685838] which belongs to the cache kmalloc-256 of size 256
[ 24.698465] The buggy address is located 128 bytes inside of
[ 24.698465] 256-byte region [ffff8801b06327c0, ffff8801b06328c0)
[ 24.710312] The buggy address belongs to the page:
[ 24.715211] page:ffffea0006c18c80 count:1 mapcount:0 mapping:ffff8801b0632040 index:0x0
[ 24.723324] flags: 0x2fffc0000000100(slab)
[ 24.727532] raw: 02fffc0000000100 ffff8801b0632040 0000000000000000 000000010000000c
[ 24.735385] raw: ffffea0006d73c60 ffffea0006c04f20 ffff8801dac007c0 0000000000000000
[ 24.743231] page dumped because: kasan: bad access detected
[ 24.748911]
[ 24.750513] Memory state around the buggy address:
[ 24.755412] ffff8801b0632700: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 24.762740] ffff8801b0632780: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
[ 24.770068] >ffff8801b0632800: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 24.777393]                                            ^
[ 24.782810] ffff8801b0632880: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 24.790135] ffff8801b0632900: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 24.797462] ==================================================================
[ 24.804785] Disabling lock debugging due to kernel taint
[ 24.810526] Kernel panic - not syncing: panic_on_warn set ...
[ 24.810526]
[ 24.817875] CPU: 1 PID: 4237 Comm: syzkaller094010 Tainted: G B 4.16.0-rc4+ #346
[ 24.826598] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 24.835929] Call Trace:
[ 24.838500] dump_stack+0x194/0x24d
[ 24.842112] ? arch_local_irq_restore+0x53/0x53
[ 24.846754] ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 24.851476] ? vsnprintf+0x1ed/0x1900
[ 24.855246] ? ucma_close+0x240/0x2f0
[ 24.859022] panic+0x1e4/0x41c
[ 24.862183] ? refcount_error_report+0x214/0x214
[ 24.866907] ? add_taint+0x1c/0x50
[ 24.870428] ? add_taint+0x1c/0x50
[ 24.873958] ? ucma_close+0x2d7/0x2f0
[ 24.877739] kasan_end_report+0x50/0x50
[ 24.881685] kasan_report+0x149/0x360
[ 24.885455] __asan_report_load8_noabort+0x14/0x20
[ 24.890356] ucma_close+0x2d7/0x2f0
[ 24.893953] ? __might_sleep+0x95/0x190
[ 24.897897] ? ucma_free_ctx+0xd90/0xd90
[ 24.901930] __fput+0x327/0x7e0
[ 24.905182] ? fput+0x140/0x140
[ 24.908432] ? _raw_spin_unlock_irq+0x27/0x70
[ 24.912900] ____fput+0x15/0x20
[ 24.916147] task_work_run+0x199/0x270
[ 24.920016] ? task_work_cancel+0x210/0x210
[ 24.924314] ? _raw_spin_unlock+0x22/0x30
[ 24.928436] ? switch_task_namespaces+0x87/0xc0
[ 24.933099] do_exit+0x9bb/0x1ad0
[ 24.936524] ? ucma_create_id+0x45b/0x620
[ 24.940649] ? mm_update_next_owner+0x930/0x930
[ 24.945290] ? ucma_create_id+0x17b/0x620
[ 24.949408] ? ucma_get_event+0xa90/0xa90
[ 24.953532] ? __might_sleep+0x95/0x190
[ 24.957484] ? kasan_check_write+0x14/0x20
[ 24.961689] ? _copy_from_user+0x99/0x110
[ 24.965811] ? ucma_write+0x11f/0x3d0
[ 24.969580] ? ucma_get_event+0xa90/0xa90
[ 24.973696] ? ucma_resolve_route+0x1a0/0x1a0
[ 24.978168] ? ucma_resolve_route+0x1a0/0x1a0
[ 24.982640] ? __vfs_write+0xf7/0x970
[ 24.986414] ? rcu_note_context_switch+0x710/0x710
[ 24.991315] ? kernel_read+0x120/0x120
[ 24.995171] ? __might_sleep+0x95/0x190
[ 24.999117] ? _cond_resched+0x14/0x30
[ 25.002975] ? __inode_security_revalidate+0xd9/0x130
[ 25.008134] ? avc_policy_seqno+0x9/0x20
[ 25.012166] ? security_file_permission+0x89/0x1e0
[ 25.017064] ? rw_verify_area+0xe5/0x2b0
[ 25.021092] ? __fdget_raw+0x20/0x20
[ 25.024776] ? vfs_write+0x224/0x510
[ 25.028459] do_group_exit+0x149/0x400
[ 25.032314] ? SyS_write+0x184/0x220
[ 25.035995] ? filp_open+0x70/0x70
[ 25.039516] ? SyS_exit+0x30/0x30
[ 25.042938] ? SyS_read+0x220/0x220
[ 25.046532] ? do_syscall_64+0xb7/0x940
[ 25.050473] ? do_group_exit+0x400/0x400
[ 25.054501] SyS_exit_group+0x1d/0x20
[ 25.058269] do_syscall_64+0x281/0x940
[ 25.062124] ? __do_page_fault+0xc90/0xc90
[ 25.066327] ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 25.071053] ? syscall_return_slowpath+0x550/0x550
[ 25.075948] ? syscall_return_slowpath+0x2ac/0x550
[ 25.080850] ? prepare_exit_to_usermode+0x350/0x350
[ 25.085835] ? entry_SYSCALL_64_after_hwframe+0x52/0xb7
[ 25.091173] ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 25.095989] entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 25.101154] RIP: 0033:0x43e938
[ 25.104310] RSP: 002b:00007ffe7b0dc778 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
[ 25.111986] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 000000000043e938
[ 25.119235] RDX: 0000000000000000 RSI: 000000000000003c RDI: 0000000000000000
[ 25.126473] RBP: 00000000004be3c0 R08: 00000000000000e7 R09: ffffffffffffffd0
[ 25.133715] R10: 00000000004002c8 R11: 0000000000000246 R12: 0000000000000001
[ 25.140952] R13: 00000000006cc160 R14: 0000000000000000 R15: 0000000000000000
[ 25.148646] Dumping ftrace buffer:
[ 25.152163] (ftrace buffer empty)
[ 25.155847] Kernel Offset: disabled
[ 25.159452] Rebooting in 86400 seconds..