[ 46.001758][ T26] audit: type=1800 audit(1553456832.789:30): pid=8072 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:kernel_t:s0 op=collect_data cause=failed(directio) comm="startpar" name="mcstrans" dev="sda1" ino=2457 res=0
[ ok ] Starting periodic command scheduler: cron.
Starting mcstransd:
[ ok ] Starting OpenBSD Secure Shell server: sshd.
[ ok ] Starting file context maintaining daemon: restorecond.

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [ 50.031818][ T26] kauditd_printk_skb: 4 callbacks suppressed
[ 50.031834][ T26] audit: type=1400 audit(1553456836.859:35): avc: denied { map } for pid=8247 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
Warning: Permanently added '10.128.0.30' (ECDSA) to the list of known hosts.
executing program
executing program
executing program
executing program
executing program
executing program
[ 56.483317][ T26] audit: type=1400 audit(1553456843.309:36): avc: denied { map } for pid=8259 comm="syz-executor365" path="/root/syz-executor365894565" dev="sda1" ino=16484 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
[ 56.521623][ T26] audit: type=1326 audit(1553456843.349:37): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 pid=8268 comm="syz-executor365" exe="/root/syz-executor365894565" sig=31 arch=c000003e syscall=202 compat=0 ip=0x4467a9 code=0x0
[ 56.549864][ T8267] ==================================================================
[ 56.557974][ T8267] BUG: KASAN: use-after-free in __lock_acquire+0x2d5e/0x3fb0
[ 56.565350][ T8267] Read of size 8 at addr ffff8880a621d080 by task syz-executor365/8267
[ 56.573590][ T8267]
[ 56.575947][ T8267] CPU: 0 PID: 8267 Comm: syz-executor365 Not tainted 5.1.0-rc1+ #35
[ 56.583948][ T8267] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 56.594003][ T8267] Call Trace:
[ 56.597320][ T8267]  dump_stack+0x172/0x1f0
[ 56.601689][ T8267]  ? __lock_acquire+0x2d5e/0x3fb0
[ 56.606725][ T8267]  print_address_description.cold+0x7c/0x20d
[ 56.612838][ T8267]  ? __lock_acquire+0x2d5e/0x3fb0
[ 56.617879][ T8267]  ? __lock_acquire+0x2d5e/0x3fb0
[ 56.622917][ T8267]  kasan_report.cold+0x1b/0x40
[ 56.627699][ T8267]  ? __lock_acquire+0x2d5e/0x3fb0
[ 56.632741][ T8267]  __asan_report_load8_noabort+0x14/0x20
[ 56.638392][ T8267]  __lock_acquire+0x2d5e/0x3fb0
[ 56.643268][ T8267]  ? futex_wait_setup+0x390/0x390
[ 56.648303][ T8267]  ? find_held_lock+0x35/0x130
[ 56.653075][ T8267]  ? mark_held_locks+0xf0/0xf0
[ 56.657849][ T8267]  ? futex_wake+0x179/0x4d0
[ 56.662353][ T8267]  lock_acquire+0x16f/0x3f0
[ 56.666880][ T8267]  ? seccomp_notify_release+0x62/0x280
[ 56.672353][ T8267]  ? seccomp_notify_release+0x62/0x280
[ 56.677818][ T8267]  __mutex_lock+0xf7/0x1310
[ 56.682332][ T8267]  ? seccomp_notify_release+0x62/0x280
[ 56.687818][ T8267]  ? find_held_lock+0x35/0x130
[ 56.692591][ T8267]  ? seccomp_notify_release+0x62/0x280
[ 56.698076][ T8267]  ? mutex_trylock+0x1e0/0x1e0
[ 56.702859][ T8267]  ? __lock_acquire+0x548/0x3fb0
[ 56.707801][ T8267]  ? vfs_lock_file+0xf0/0xf0
[ 56.712396][ T8267]  ? __lock_acquire+0x548/0x3fb0
[ 56.717353][ T8267]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 56.723622][ T8267]  ? fsnotify+0x811/0xbc0
[ 56.727993][ T8267]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[ 56.734243][ T8267]  ? locks_remove_file+0x305/0x4a0
[ 56.739366][ T8267]  ? get_nth_filter.part.0+0x1d0/0x1d0
[ 56.744869][ T8267]  mutex_lock_nested+0x16/0x20
[ 56.749658][ T8267]  ? mutex_lock_nested+0x16/0x20
[ 56.754613][ T8267]  seccomp_notify_release+0x62/0x280
[ 56.760005][ T8267]  ? ima_file_free+0xc9/0x4a0
[ 56.764695][ T8267]  ? get_nth_filter.part.0+0x1d0/0x1d0
[ 56.770166][ T8267]  __fput+0x2e5/0x8d0
[ 56.774157][ T8267]  ____fput+0x16/0x20
[ 56.778145][ T8267]  task_work_run+0x14a/0x1c0
[ 56.782825][ T8267]  exit_to_usermode_loop+0x273/0x2c0
[ 56.788234][ T8267]  do_syscall_64+0x52d/0x610
[ 56.792930][ T8267]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 56.798854][ T8267] RIP: 0033:0x405621
[ 56.802755][ T8267] Code: 75 14 b8 03 00 00 00 0f 05 48 3d 01 f0 ff ff 0f 83 04 19 00 00 c3 48 83 ec 08 e8 6a fc ff ff 48 89 04 24 b8 03 00 00 00 0f 05 <48> 8b 3c 24 48 89 c2 e8 b3 fc ff ff 48 89 d0 48 83 c4 08 48 3d 01
[ 56.822449][ T8267] RSP: 002b:00007ffe1ebba1e0 EFLAGS: 00000293 ORIG_RAX: 0000000000000003
[ 56.830870][ T8267] RAX: 0000000000000000 RBX: 0000000000000004 RCX: 0000000000405621
[ 56.838847][ T8267] RDX: 0000000000000000 RSI: 0000000000000080 RDI: 0000000000000003
[ 56.846824][ T8267] RBP: 0000000000000064 R08: 00007f28ae4ca700 R09: 0000000000000000
[ 56.854907][ T8267] R10: 00007ffe1ebba1f0 R11: 0000000000000293 R12: 00000000006dbc30
[ 56.862896][ T8267] R13: 0000000000000002 R14: 00000000006dbc3c R15: 000000000000002d
[ 56.870916][ T8267]
[ 56.873244][ T8267] Allocated by task 8278:
[ 56.877581][ T8267]  save_stack+0x45/0xd0
[ 56.881744][ T8267]  __kasan_kmalloc.constprop.0+0xcf/0xe0
[ 56.887395][ T8267]  kasan_kmalloc+0x9/0x10
[ 56.891733][ T8267]  kmem_cache_alloc_trace+0x151/0x760
[ 56.897114][ T8267]  do_seccomp+0x743/0x2250
[ 56.901554][ T8267]  __x64_sys_seccomp+0x73/0xb0
[ 56.906433][ T8267]  do_syscall_64+0x103/0x610
[ 56.911053][ T8267]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 56.916933][ T8267]
[ 56.919262][ T8267] Freed by task 8278:
[ 56.923246][ T8267]  save_stack+0x45/0xd0
[ 56.927419][ T8267]  __kasan_slab_free+0x102/0x150
[ 56.932382][ T8267]  kasan_slab_free+0xe/0x10
[ 56.936899][ T8267]  kfree+0xcf/0x230
[ 56.940724][ T8267]  do_seccomp+0xb00/0x2250
[ 56.945146][ T8267]  __x64_sys_seccomp+0x73/0xb0
[ 56.952452][ T8267]  do_syscall_64+0x103/0x610
[ 56.957047][ T8267]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 56.962934][ T8267]
[ 56.965262][ T8267] The buggy address belongs to the object at ffff8880a621d000
[ 56.965262][ T8267]  which belongs to the cache kmalloc-192 of size 192
[ 56.980273][ T8267] The buggy address is located 128 bytes inside of
[ 56.980273][ T8267]  192-byte region [ffff8880a621d000, ffff8880a621d0c0)
[ 56.993541][ T8267] The buggy address belongs to the page:
[ 56.999186][ T8267] page:ffffea0002988740 count:1 mapcount:0 mapping:ffff88812c3f0040 index:0x0
[ 57.008039][ T8267] flags: 0x1fffc0000000200(slab)
[ 57.012988][ T8267] raw: 01fffc0000000200 ffffea0002981048 ffffea0002988048 ffff88812c3f0040
[ 57.021582][ T8267] raw: 0000000000000000 ffff8880a621d000 0000000100000010 0000000000000000
[ 57.030165][ T8267] page dumped because: kasan: bad access detected
[ 57.036576][ T8267]
[ 57.038898][ T8267] Memory state around the buggy address:
[ 57.044531][ T8267]  ffff8880a621cf80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 57.052608][ T8267]  ffff8880a621d000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 57.060683][ T8267] >ffff8880a621d080: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 57.068742][ T8267]                    ^
[ 57.072813][ T8267]  ffff8880a621d100: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 57.080887][ T8267]  ffff8880a621d180: 00 00 fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 57.088951][ T8267] ==================================================================
[ 57.097025][ T8267] Disabling lock debugging due to kernel taint
[ 57.103183][ T8267] Kernel panic - not syncing: panic_on_warn set ...
[ 57.109784][ T8267] CPU: 0 PID: 8267 Comm: syz-executor365 Tainted: G    B    5.1.0-rc1+ #35
[ 57.119157][ T8267] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 57.129932][ T8267] Call Trace:
[ 57.133260][ T8267]  dump_stack+0x172/0x1f0
[ 57.137599][ T8267]  panic+0x2cb/0x65c
[ 57.141513][ T8267]  ? __warn_printk+0xf3/0xf3
[ 57.146114][ T8267]  ? lock_downgrade+0x880/0x880
[ 57.151006][ T8267]  ? __lock_acquire+0x2d5e/0x3fb0
[ 57.156074][ T8267]  ? trace_hardirqs_off+0x62/0x220
[ 57.161198][ T8267]  ? trace_hardirqs_off+0x59/0x220
[ 57.166318][ T8267]  ? __lock_acquire+0x2d5e/0x3fb0
[ 57.171347][ T8267]  end_report+0x47/0x4f
[ 57.175504][ T8267]  ? __lock_acquire+0x2d5e/0x3fb0
[ 57.180538][ T8267]  kasan_report.cold+0xe/0x40
[ 57.185225][ T8267]  ? __lock_acquire+0x2d5e/0x3fb0
[ 57.190263][ T8267]  __asan_report_load8_noabort+0x14/0x20
[ 57.195906][ T8267]  __lock_acquire+0x2d5e/0x3fb0
[ 57.200796][ T8267]  ? futex_wait_setup+0x390/0x390
[ 57.205835][ T8267]  ? find_held_lock+0x35/0x130
[ 57.210611][ T8267]  ? mark_held_locks+0xf0/0xf0
[ 57.215383][ T8267]  ? futex_wake+0x179/0x4d0
[ 57.219899][ T8267]  lock_acquire+0x16f/0x3f0
[ 57.224433][ T8267]  ? seccomp_notify_release+0x62/0x280
[ 57.229911][ T8267]  ? seccomp_notify_release+0x62/0x280
[ 57.235378][ T8267]  __mutex_lock+0xf7/0x1310
[ 57.239929][ T8267]  ? seccomp_notify_release+0x62/0x280
[ 57.245403][ T8267]  ? find_held_lock+0x35/0x130
[ 57.250183][ T8267]  ? seccomp_notify_release+0x62/0x280
[ 57.255699][ T8267]  ? mutex_trylock+0x1e0/0x1e0
[ 57.260742][ T8267]  ? __lock_acquire+0x548/0x3fb0
[ 57.265784][ T8267]  ? vfs_lock_file+0xf0/0xf0
[ 57.270408][ T8267]  ? __lock_acquire+0x548/0x3fb0
[ 57.275372][ T8267]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 57.281627][ T8267]  ? fsnotify+0x811/0xbc0
[ 57.285973][ T8267]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[ 57.292249][ T8267]  ? locks_remove_file+0x305/0x4a0
[ 57.297386][ T8267]  ? get_nth_filter.part.0+0x1d0/0x1d0
[ 57.302860][ T8267]  mutex_lock_nested+0x16/0x20
[ 57.307632][ T8267]  ? mutex_lock_nested+0x16/0x20
[ 57.312705][ T8267]  seccomp_notify_release+0x62/0x280
[ 57.318027][ T8267]  ? ima_file_free+0xc9/0x4a0
[ 57.322715][ T8267]  ? get_nth_filter.part.0+0x1d0/0x1d0
[ 57.328181][ T8267]  __fput+0x2e5/0x8d0
[ 57.332162][ T8267]  ____fput+0x16/0x20
[ 57.336145][ T8267]  task_work_run+0x14a/0x1c0
[ 57.340748][ T8267]  exit_to_usermode_loop+0x273/0x2c0
[ 57.346071][ T8267]  do_syscall_64+0x52d/0x610
[ 57.350681][ T8267]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 57.356686][ T8267] RIP: 0033:0x405621
[ 57.360586][ T8267] Code: 75 14 b8 03 00 00 00 0f 05 48 3d 01 f0 ff ff 0f 83 04 19 00 00 c3 48 83 ec 08 e8 6a fc ff ff 48 89 04 24 b8 03 00 00 00 0f 05 <48> 8b 3c 24 48 89 c2 e8 b3 fc ff ff 48 89 d0 48 83 c4 08 48 3d 01
[ 57.380191][ T8267] RSP: 002b:00007ffe1ebba1e0 EFLAGS: 00000293 ORIG_RAX: 0000000000000003
[ 57.388606][ T8267] RAX: 0000000000000000 RBX: 0000000000000004 RCX: 0000000000405621
[ 57.396579][ T8267] RDX: 0000000000000000 RSI: 0000000000000080 RDI: 0000000000000003
[ 57.404553][ T8267] RBP: 0000000000000064 R08: 00007f28ae4ca700 R09: 0000000000000000
[ 57.412535][ T8267] R10: 00007ffe1ebba1f0 R11: 0000000000000293 R12: 00000000006dbc30
[ 57.420518][ T8267] R13: 0000000000000002 R14: 00000000006dbc3c R15: 000000000000002d
[ 57.429238][ T8267] Kernel Offset: disabled
[ 57.433596][ T8267] Rebooting in 86400 seconds..