[....] Starting enhanced syslogd: rsyslogd[ 15.765855] audit: type=1400 audit(1520369370.936:5): avc: denied { syslog } for pid=4085 comm="rsyslogd" capability=34 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=capability2 permissive=1 [?25l[?1c7[ ok 8[?25h[?0c. [....] Starting periodic command scheduler: cron[?25l[?1c7[ ok 8[?25h[?0c. Starting mcstransd: [....] Starting file context maintaining daemon: restorecond[?25l[?1c7[ ok 8[?25h[?0c. [....] Starting OpenBSD Secure Shell server: sshd[?25l[?1c7[ ok 8[?25h[?0c. Debian GNU/Linux 7 syzkaller ttyS0 syzkaller login: [ 18.651963] audit: type=1400 audit(1520369373.822:6): avc: denied { map } for pid=4223 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1 Warning: Permanently added '10.128.0.17' (ECDSA) to the list of known hosts. [ 24.928457] audit: type=1400 audit(1520369380.099:7): avc: denied { map } for pid=4237 comm="syz-execprog" path="/root/syz-execprog" dev="sda1" ino=16479 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1 2018/03/06 20:49:40 parsed 1 programs 2018/03/06 20:49:40 executed programs: 0 [ 25.186639] audit: type=1400 audit(1520369380.357:8): avc: denied { map } for pid=4237 comm="syz-execprog" path="/root/syzkaller-shm258937575" dev="sda1" ino=16482 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:file_t:s0 tclass=file permissive=1 [ 25.202324] IPVS: ftp: loaded support on port[0] = 21 [ 25.245500] audit: type=1400 audit(1520369380.416:9): avc: denied { map } for pid=4247 comm="syz-executor0" path=2F6D656D66643A49202864656C6574656429 dev="tmpfs" ino=14589 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:tmpfs_t:s0 tclass=file permissive=1 [ 25.250146] ================================================================== [ 25.279207] BUG: KASAN: use-after-free in ucma_close+0x2d7/0x2f0 [ 25.285324] Read of size 8 at addr ffff8801afd38980 by task syz-executor0/4251 [ 25.292653] [ 25.294257] CPU: 0 PID: 4251 Comm: syz-executor0 Not tainted 4.16.0-rc4+ #253 [ 25.301498] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 25.310824] Call Trace: [ 25.313389] dump_stack+0x194/0x24d [ 25.316993] ? arch_local_irq_restore+0x53/0x53 [ 25.321640] ? show_regs_print_info+0x18/0x18 [ 25.326125] ? ucma_close+0x2d7/0x2f0 [ 25.329908] print_address_description+0x73/0x250 [ 25.334722] ? ucma_close+0x2d7/0x2f0 [ 25.338497] kasan_report+0x23c/0x360 [ 25.342273] __asan_report_load8_noabort+0x14/0x20 [ 25.347173] ucma_close+0x2d7/0x2f0 [ 25.350775] ? __might_sleep+0x95/0x190 [ 25.354724] ? ucma_free_ctx+0xd90/0xd90 [ 25.358757] __fput+0x327/0x7e0 [ 25.362034] ? fput+0x140/0x140 [ 25.365303] ? check_same_owner+0x320/0x320 [ 25.369605] ? _raw_spin_unlock_irq+0x27/0x70 [ 25.374076] ____fput+0x15/0x20 [ 25.377330] task_work_run+0x199/0x270 [ 25.381194] ? task_work_cancel+0x210/0x210 [ 25.385488] ? _raw_spin_unlock+0x22/0x30 [ 25.389609] ? switch_task_namespaces+0x87/0xc0 [ 25.394264] do_exit+0x9bb/0x1ad0 [ 25.397694] ? find_held_lock+0x35/0x1d0 [ 25.401730] ? mm_update_next_owner+0x930/0x930 [ 25.406374] ? debug_check_no_locks_freed+0x3c0/0x3c0 [ 25.411535] ? lock_downgrade+0x980/0x980 [ 25.415659] ? __unqueue_futex+0x1c0/0x290 [ 25.419866] ? lock_release+0xa40/0xa40 [ 25.423815] ? fault_in_user_writeable+0x90/0x90 [ 25.428549] ? do_raw_spin_trylock+0x190/0x190 [ 25.433103] ? futex_wake+0x680/0x680 [ 25.436883] ? drop_futex_key_refs.isra.13+0x63/0xb0 [ 25.441969] ? futex_wait+0x6a9/0x9a0 [ 25.445755] ? switched_to_fair+0xa0/0xa0 [ 25.449886] ? trace_hardirqs_off+0x10/0x10 [ 25.454179] ? __enqueue_entity+0x109/0x1e0 [ 25.458480] ? memset+0x31/0x40 [ 25.461737] ? find_held_lock+0x35/0x1d0 [ 25.465779] ? get_signal+0x7a9/0x16d0 [ 25.469641] ? lock_downgrade+0x980/0x980 [ 25.473769] do_group_exit+0x149/0x400 [ 25.477629] ? do_raw_spin_trylock+0x190/0x190 [ 25.482183] ? SyS_exit+0x30/0x30 [ 25.485612] ? _raw_spin_unlock_irq+0x27/0x70 [ 25.490086] ? trace_hardirqs_on_caller+0x421/0x5c0 [ 25.495093] get_signal+0x73a/0x16d0 [ 25.498796] ? ptrace_notify+0x130/0x130 [ 25.502844] ? __schedule+0x903/0x1ec0 [ 25.506711] ? __sched_text_start+0x8/0x8 [ 25.510849] ? save_stack+0xa3/0xd0 [ 25.514449] ? save_stack+0x43/0xd0 [ 25.518142] ? __kasan_slab_free+0x11a/0x170 [ 25.522519] ? kasan_slab_free+0xe/0x10 [ 25.526466] ? kfree+0xd9/0x260 [ 25.529716] ? SyS_memfd_create+0x381/0x4c0 [ 25.534011] ? do_fast_syscall_32+0x3ec/0xf9f [ 25.538491] do_signal+0x90/0x1e90 [ 25.542005] ? debug_check_no_obj_freed+0x3da/0xf1f [ 25.547017] ? setup_sigcontext+0x7d0/0x7d0 [ 25.551321] ? free_obj_work+0x690/0x690 [ 25.555455] ? schedule+0xf5/0x430 [ 25.558969] ? __schedule+0x1ec0/0x1ec0 [ 25.562934] ? __check_object_size+0x8b/0x530 [ 25.567419] ? exit_to_usermode_loop+0x8c/0x2f0 [ 25.572068] exit_to_usermode_loop+0x258/0x2f0 [ 25.576624] ? SyS_memfd_create+0x175/0x4c0 [ 25.580919] ? trace_event_raw_event_sys_exit+0x260/0x260 [ 25.586430] ? do_fast_syscall_32+0x156/0xf9f [ 25.590903] do_fast_syscall_32+0xbe6/0xf9f [ 25.595194] ? _raw_spin_unlock_irq+0x27/0x70 [ 25.599668] ? do_int80_syscall_32+0x9c0/0x9c0 [ 25.604220] ? _raw_spin_unlock_irq+0x27/0x70 [ 25.608689] ? finish_task_switch+0x1c1/0x7e0 [ 25.613163] ? syscall_return_slowpath+0x2ac/0x550 [ 25.618068] ? prepare_exit_to_usermode+0x350/0x350 [ 25.623068] ? sysret32_from_system_call+0x5/0x3c [ 25.627888] ? trace_hardirqs_off_thunk+0x1a/0x1c [ 25.632724] entry_SYSENTER_compat+0x70/0x7f [ 25.637107] RIP: 0023:0xf7f1fc99 [ 25.640441] RSP: 002b:00000000f7efa10c EFLAGS: 00000296 ORIG_RAX: 00000000000000f0 [ 25.648122] RAX: fffffffffffffe00 RBX: 000000000813af98 RCX: 0000000000000000 [ 25.655365] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000 [ 25.662606] RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000 [ 25.669846] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000 [ 25.677105] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000 [ 25.684371] [ 25.685971] Allocated by task 4248: [ 25.689573] save_stack+0x43/0xd0 [ 25.692999] kasan_kmalloc+0xad/0xe0 [ 25.696692] kmem_cache_alloc_trace+0x136/0x740 [ 25.701333] ucma_alloc_ctx+0xce/0x610 [ 25.705189] ucma_create_id+0x205/0x620 [ 25.709138] ucma_write+0x2d6/0x3d0 [ 25.712737] __vfs_write+0xef/0x970 [ 25.716335] vfs_write+0x189/0x510 [ 25.719854] SyS_write+0xef/0x220 [ 25.723281] do_fast_syscall_32+0x3ec/0xf9f [ 25.727575] entry_SYSENTER_compat+0x70/0x7f [ 25.731952] [ 25.733552] Freed by task 4248: [ 25.736803] save_stack+0x43/0xd0 [ 25.740634] __kasan_slab_free+0x11a/0x170 [ 25.744842] kasan_slab_free+0xe/0x10 [ 25.748620] kfree+0xd9/0x260 [ 25.751706] ucma_create_id+0x45b/0x620 [ 25.755652] ucma_write+0x2d6/0x3d0 [ 25.759252] __vfs_write+0xef/0x970 [ 25.762849] vfs_write+0x189/0x510 [ 25.766359] SyS_write+0xef/0x220 [ 25.769784] do_fast_syscall_32+0x3ec/0xf9f [ 25.774076] entry_SYSENTER_compat+0x70/0x7f [ 25.778450] [ 25.780053] The buggy address belongs to the object at ffff8801afd38900 [ 25.780053] which belongs to the cache kmalloc-256 of size 256 [ 25.792678] The buggy address is located 128 bytes inside of [ 25.792678] 256-byte region [ffff8801afd38900, ffff8801afd38a00) [ 25.804520] The buggy address belongs to the page: [ 25.809421] page:ffffea0006bf4e00 count:1 mapcount:0 mapping:ffff8801afd38040 index:0x0 [ 25.817534] flags: 0x2fffc0000000100(slab) [ 25.821740] raw: 02fffc0000000100 ffff8801afd38040 0000000000000000 000000010000000c [ 25.829591] raw: ffffea0006c09660 ffffea0006bf24e0 ffff8801dac007c0 0000000000000000 [ 25.837439] page dumped because: kasan: bad access detected [ 25.843116] [ 25.844713] Memory state around the buggy address: [ 25.849611] ffff8801afd38880: 00 00 00 00 00 fc fc fc fc fc fc fc fc fc fc fc [ 25.856947] ffff8801afd38900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 25.864284] >ffff8801afd38980: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 25.871611] ^ [ 25.874947] ffff8801afd38a00: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb [ 25.882276] ffff8801afd38a80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 25.889604] ================================================================== [ 25.896930] Disabling lock debugging due to kernel taint [ 25.902484] Kernel panic - not syncing: panic_on_warn set ... [ 25.902484] [ 25.909833] CPU: 0 PID: 4251 Comm: syz-executor0 Tainted: G B 4.16.0-rc4+ #253 [ 25.918377] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 25.927701] Call Trace: [ 25.930265] dump_stack+0x194/0x24d [ 25.933863] ? arch_local_irq_restore+0x53/0x53 [ 25.938501] ? trace_hardirqs_on_thunk+0x1a/0x1c [ 25.943228] ? vsnprintf+0x1ed/0x1900 [ 25.947000] ? ucma_close+0x2d0/0x2f0 [ 25.950779] panic+0x1e4/0x41c [ 25.953942] ? refcount_error_report+0x214/0x214 [ 25.958669] ? add_taint+0x1c/0x50 [ 25.962179] ? add_taint+0x1c/0x50 [ 25.965694] ? ucma_close+0x2d7/0x2f0 [ 25.969464] kasan_end_report+0x50/0x50 [ 25.973408] kasan_report+0x149/0x360 [ 25.977270] __asan_report_load8_noabort+0x14/0x20 [ 25.982172] ucma_close+0x2d7/0x2f0 [ 25.985771] ? __might_sleep+0x95/0x190 [ 25.989715] ? ucma_free_ctx+0xd90/0xd90 [ 25.993746] __fput+0x327/0x7e0 [ 25.996997] ? fput+0x140/0x140 [ 26.000249] ? check_same_owner+0x320/0x320 [ 26.004542] ? _raw_spin_unlock_irq+0x27/0x70 [ 26.009019] ____fput+0x15/0x20 [ 26.012285] task_work_run+0x199/0x270 [ 26.016143] ? task_work_cancel+0x210/0x210 [ 26.020434] ? _raw_spin_unlock+0x22/0x30 [ 26.024555] ? switch_task_namespaces+0x87/0xc0 [ 26.029196] do_exit+0x9bb/0x1ad0 [ 26.032620] ? find_held_lock+0x35/0x1d0 [ 26.036652] ? mm_update_next_owner+0x930/0x930 [ 26.041291] ? debug_check_no_locks_freed+0x3c0/0x3c0 [ 26.046450] ? lock_downgrade+0x980/0x980 [ 26.050569] ? __unqueue_futex+0x1c0/0x290 [ 26.054771] ? lock_release+0xa40/0xa40 [ 26.058715] ? fault_in_user_writeable+0x90/0x90 [ 26.063440] ? do_raw_spin_trylock+0x190/0x190 [ 26.067992] ? futex_wake+0x680/0x680 [ 26.071769] ? drop_futex_key_refs.isra.13+0x63/0xb0 [ 26.076840] ? futex_wait+0x6a9/0x9a0 [ 26.080620] ? switched_to_fair+0xa0/0xa0 [ 26.084737] ? trace_hardirqs_off+0x10/0x10 [ 26.089030] ? __enqueue_entity+0x109/0x1e0 [ 26.093324] ? memset+0x31/0x40 [ 26.096576] ? find_held_lock+0x35/0x1d0 [ 26.100611] ? get_signal+0x7a9/0x16d0 [ 26.104469] ? lock_downgrade+0x980/0x980 [ 26.108592] do_group_exit+0x149/0x400 [ 26.112450] ? do_raw_spin_trylock+0x190/0x190 [ 26.117001] ? SyS_exit+0x30/0x30 [ 26.120429] ? _raw_spin_unlock_irq+0x27/0x70 [ 26.124897] ? trace_hardirqs_on_caller+0x421/0x5c0 [ 26.129890] get_signal+0x73a/0x16d0 [ 26.133579] ? ptrace_notify+0x130/0x130 [ 26.137612] ? __schedule+0x903/0x1ec0 [ 26.141474] ? __sched_text_start+0x8/0x8 [ 26.145591] ? save_stack+0xa3/0xd0 [ 26.149189] ? save_stack+0x43/0xd0 [ 26.152782] ? __kasan_slab_free+0x11a/0x170 [ 26.157156] ? kasan_slab_free+0xe/0x10 [ 26.161104] ? kfree+0xd9/0x260 [ 26.164359] ? SyS_memfd_create+0x381/0x4c0 [ 26.168654] ? do_fast_syscall_32+0x3ec/0xf9f [ 26.173124] do_signal+0x90/0x1e90 [ 26.176638] ? debug_check_no_obj_freed+0x3da/0xf1f [ 26.181625] ? setup_sigcontext+0x7d0/0x7d0 [ 26.185917] ? free_obj_work+0x690/0x690 [ 26.189962] ? schedule+0xf5/0x430 [ 26.193474] ? __schedule+0x1ec0/0x1ec0 [ 26.197417] ? __check_object_size+0x8b/0x530 [ 26.201893] ? exit_to_usermode_loop+0x8c/0x2f0 [ 26.206534] exit_to_usermode_loop+0x258/0x2f0 [ 26.211090] ? SyS_memfd_create+0x175/0x4c0 [ 26.215383] ? trace_event_raw_event_sys_exit+0x260/0x260 [ 26.220890] ? do_fast_syscall_32+0x156/0xf9f [ 26.225357] do_fast_syscall_32+0xbe6/0xf9f [ 26.229649] ? _raw_spin_unlock_irq+0x27/0x70 [ 26.234117] ? do_int80_syscall_32+0x9c0/0x9c0 [ 26.238668] ? _raw_spin_unlock_irq+0x27/0x70 [ 26.243135] ? finish_task_switch+0x1c1/0x7e0 [ 26.247611] ? syscall_return_slowpath+0x2ac/0x550 [ 26.252511] ? prepare_exit_to_usermode+0x350/0x350 [ 26.257498] ? sysret32_from_system_call+0x5/0x3c [ 26.262313] ? trace_hardirqs_off_thunk+0x1a/0x1c [ 26.267130] entry_SYSENTER_compat+0x70/0x7f [ 26.271508] RIP: 0023:0xf7f1fc99 [ 26.274840] RSP: 002b:00000000f7efa10c EFLAGS: 00000296 ORIG_RAX: 00000000000000f0 [ 26.282517] RAX: fffffffffffffe00 RBX: 000000000813af98 RCX: 0000000000000000 [ 26.289756] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000 [ 26.296996] RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000 [ 26.304237] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000 [ 26.311477] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000 [ 26.319177] Dumping ftrace buffer: [ 26.322688] (ftrace buffer empty) [ 26.326367] Kernel Offset: disabled [ 26.329962] Rebooting in 86400 seconds..