[ 48.670926] audit: type=1800 audit(1547212205.025:30): pid=8159 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:kernel_t:s0 op=collect_data cause=failed(directio) comm="startpar" name="mcstrans" dev="sda1" ino=2457 res=0 [....] Starting periodic command scheduler: cron[?25l[?1c7[ ok 8[?25h[?0c. Starting mcstransd: [....] Starting OpenBSD Secure Shell server: sshd[?25l[?1c7[ ok 8[?25h[?0c. [....] Starting file context maintaining daemon: restorecond[?25l[?1c7[ ok 8[?25h[?0c. Debian GNU/Linux 7 syzkaller ttyS0 syzkaller login: [ 54.153021] kauditd_printk_skb: 4 callbacks suppressed [ 54.153037] audit: type=1400 audit(1547212210.545:35): avc: denied { map } for pid=8333 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1 Warning: Permanently added '10.128.0.52' (ECDSA) to the list of known hosts. executing program executing program executing program executing program executing program executing program [ 60.884640] audit: type=1400 audit(1547212217.285:36): avc: denied { map } for pid=8345 comm="syz-executor508" path="/root/syz-executor508499290" dev="sda1" ino=16483 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1 [ 60.922026] audit: type=1326 audit(1547212217.315:37): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 pid=8353 comm="syz-executor508" exe="/root/syz-executor508499290" sig=31 arch=c000003e syscall=202 compat=0 ip=0x446349 code=0x0 [ 60.947035] audit: type=1326 audit(1547212217.315:38): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 pid=8352 comm="syz-executor508" exe="/root/syz-executor508499290" sig=31 arch=c000003e syscall=202 compat=0 ip=0x446349 code=0x0 executing program executing program executing program executing program [ 60.976554] audit: type=1326 audit(1547212217.315:39): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 pid=8354 comm="syz-executor508" exe="/root/syz-executor508499290" sig=31 arch=c000003e syscall=202 compat=0 ip=0x446349 code=0x0 [ 61.009838] audit: type=1326 audit(1547212217.315:40): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 pid=8360 comm="syz-executor508" exe="/root/syz-executor508499290" sig=31 arch=c000003e syscall=202 compat=0 ip=0x446349 code=0x0 executing program executing program executing program executing program executing program [ 61.036141] audit: type=1326 audit(1547212217.365:41): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 pid=8353 comm="syz-executor508" exe="/root/syz-executor508499290" sig=31 arch=c000003e syscall=3 compat=0 ip=0x405451 code=0x0 [ 61.068413] ================================================================== [ 61.075788] BUG: KASAN: use-after-free in __lock_acquire+0x3556/0x4a30 [ 61.082441] Read of size 8 at addr ffff8880a5c7b680 by task syz-executor508/8368 [ 61.089955] [ 61.091591] CPU: 1 PID: 8368 Comm: syz-executor508 Not tainted 5.0.0-rc1+ #19 [ 61.098849] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 61.108190] Call Trace: [ 61.110772] dump_stack+0x1db/0x2d0 [ 61.114390] ? dump_stack_print_info.cold+0x20/0x20 [ 61.119396] ? mark_held_locks+0x100/0x100 [ 61.123633] ? __lock_acquire+0x3556/0x4a30 [ 61.128001] print_address_description.cold+0x7c/0x20d [ 61.133285] ? __lock_acquire+0x3556/0x4a30 [ 61.137610] ? __lock_acquire+0x3556/0x4a30 [ 61.141925] kasan_report.cold+0x1b/0x40 [ 61.145978] ? __lock_acquire+0x3556/0x4a30 [ 61.150377] __asan_report_load8_noabort+0x14/0x20 [ 61.155309] __lock_acquire+0x3556/0x4a30 [ 61.159455] ? lock_acquire+0x1db/0x570 [ 61.163430] ? _raw_spin_unlock_irqrestore+0x6b/0xe0 [ 61.168526] ? _raw_spin_unlock_irqrestore+0x6b/0xe0 [ 61.173621] ? lockdep_hardirqs_on+0x415/0x5d0 [ 61.178214] ? mark_held_locks+0x100/0x100 [ 61.182465] ? _raw_spin_unlock_irqrestore+0xa4/0xe0 [ 61.187576] ? __free_object+0x16c/0x350 [ 61.191628] ? debug_object_free+0x2ab/0x5f0 [ 61.196046] ? __list_del_entry_valid.cold+0x4f/0x4f [ 61.201142] ? do_raw_spin_trylock+0x270/0x270 [ 61.205721] ? debug_object_free+0x2b3/0x5f0 [ 61.210124] ? debug_object_destroy+0x250/0x250 [ 61.214789] lock_acquire+0x1db/0x570 [ 61.218585] ? seccomp_notify_release+0x54/0x270 [ 61.223335] ? ___might_sleep+0x1e7/0x310 [ 61.227478] ? lock_release+0xc40/0xc40 [ 61.231462] ? seccomp_notify_release+0x54/0x270 [ 61.236216] ? seccomp_notify_release+0x54/0x270 [ 61.240964] __mutex_lock+0x12f/0x1670 [ 61.244849] ? seccomp_notify_release+0x54/0x270 [ 61.249598] ? seccomp_notify_release+0x54/0x270 [ 61.254347] ? __lock_acquire+0x572/0x4a30 [ 61.258577] ? mutex_trylock+0x2d0/0x2d0 [ 61.262634] ? mark_held_locks+0x100/0x100 [ 61.266867] ? find_held_lock+0x35/0x120 [ 61.270924] ? __sanitizer_cov_trace_const_cmp8+0x18/0x20 [ 61.276453] ? locks_remove_posix+0x488/0x860 [ 61.280937] ? mark_held_locks+0x100/0x100 [ 61.285162] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 61.290692] ? fsnotify+0x4f5/0xed0 [ 61.294311] ? __sanitizer_cov_trace_const_cmp8+0x18/0x20 [ 61.299837] ? locks_remove_file+0x3d5/0x5c0 [ 61.304239] ? __sanitizer_cov_trace_const_cmp2+0x18/0x20 [ 61.309774] ? ima_file_free+0x128/0x630 [ 61.313828] ? fcntl_setlk+0xfe0/0xfe0 [ 61.317709] mutex_lock_nested+0x16/0x20 [ 61.321762] ? mutex_lock_nested+0x16/0x20 [ 61.325988] seccomp_notify_release+0x54/0x270 [ 61.330567] __fput+0x3c5/0xb10 [ 61.333843] ? get_nth_filter.part.0+0x1d0/0x1d0 [ 61.338592] ? get_max_files+0x20/0x20 [ 61.342469] ? task_work_run+0x1bb/0x2b0 [ 61.346523] ? trace_hardirqs_off_caller+0x300/0x300 [ 61.351621] ? do_raw_spin_trylock+0x270/0x270 [ 61.356220] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 61.361756] ____fput+0x16/0x20 [ 61.365040] task_work_run+0x1f4/0x2b0 [ 61.368922] ? task_work_cancel+0x2c0/0x2c0 [ 61.373238] ? __close_fd+0x25f/0x3d0 [ 61.377039] ? do_syscall_64+0x8c/0x800 [ 61.381010] exit_to_usermode_loop+0x32a/0x3b0 [ 61.385601] ? entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 61.390959] ? syscall_trace_enter+0x12a0/0x12a0 [ 61.395716] ? trace_hardirqs_on_thunk+0x1a/0x1c [ 61.400470] do_syscall_64+0x696/0x800 [ 61.404379] ? syscall_return_slowpath+0x5f0/0x5f0 [ 61.409304] ? prepare_exit_to_usermode+0x232/0x3b0 [ 61.414318] ? trace_hardirqs_off_thunk+0x1a/0x1c [ 61.419178] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 61.424369] RIP: 0033:0x405451 [ 61.427556] Code: 75 14 b8 03 00 00 00 0f 05 48 3d 01 f0 ff ff 0f 83 94 17 00 00 c3 48 83 ec 08 e8 6a fc ff ff 48 89 04 24 b8 03 00 00 00 0f 05 <48> 8b 3c 24 48 89 c2 e8 b3 fc ff ff 48 89 d0 48 83 c4 08 48 3d 01 [ 61.446447] RSP: 002b:00007fffe3de5fb0 EFLAGS: 00000293 ORIG_RAX: 0000000000000003 [ 61.454151] RAX: 0000000000000000 RBX: 0000000000000003 RCX: 0000000000405451 [ 61.461434] RDX: 0000000000000000 RSI: 0000000000000080 RDI: 0000000000000003 [ 61.468700] RBP: 00000000000003e8 R08: 00000000000003e8 R09: 0000000000000000 [ 61.475963] R10: 00007fffe3de5fc0 R11: 0000000000000293 R12: 00000000006dac3c [ 61.483223] R13: 0000000000000002 R14: 000000000000002d R15: 00000000006dac30 [ 61.490505] [ 61.492126] Allocated by task 8376: [ 61.495837] save_stack+0x45/0xd0 [ 61.499286] __kasan_kmalloc.constprop.0+0xcf/0xe0 [ 61.504217] kasan_kmalloc+0x9/0x10 [ 61.507850] kmem_cache_alloc_trace+0x151/0x760 [ 61.512515] do_seccomp+0x941/0x2cc0 [ 61.516248] __x64_sys_seccomp+0x73/0xb0 [ 61.520323] do_syscall_64+0x1a3/0x800 [ 61.524250] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 61.529437] [ 61.531066] Freed by task 8376: [ 61.534342] save_stack+0x45/0xd0 [ 61.537786] __kasan_slab_free+0x102/0x150 [ 61.542009] kasan_slab_free+0xe/0x10 [ 61.545797] kfree+0xcf/0x230 [ 61.548896] do_seccomp+0xda3/0x2cc0 [ 61.552601] __x64_sys_seccomp+0x73/0xb0 [ 61.556655] do_syscall_64+0x1a3/0x800 [ 61.560541] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 61.565717] [ 61.567334] The buggy address belongs to the object at ffff8880a5c7b600 [ 61.567334] which belongs to the cache kmalloc-192 of size 192 [ 61.579978] The buggy address is located 128 bytes inside of [ 61.579978] 192-byte region [ffff8880a5c7b600, ffff8880a5c7b6c0) [ 61.591835] The buggy address belongs to the page: [ 61.596757] page:ffffea0002971ec0 count:1 mapcount:0 mapping:ffff88812c3f0040 index:0x0 [ 61.604891] flags: 0x1fffc0000000200(slab) [ 61.609138] raw: 01fffc0000000200 ffffea0002977488 ffffea0002962088 ffff88812c3f0040 [ 61.617010] raw: 0000000000000000 ffff8880a5c7b000 0000000100000010 0000000000000000 [ 61.624873] page dumped because: kasan: bad access detected [ 61.630576] [ 61.632188] Memory state around the buggy address: [ 61.637124] ffff8880a5c7b580: 00 00 00 00 00 00 fc fc fc fc fc fc fc fc fc fc [ 61.644472] ffff8880a5c7b600: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 61.651832] >ffff8880a5c7b680: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc [ 61.659175] ^ [ 61.662532] ffff8880a5c7b700: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 61.669878] ffff8880a5c7b780: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc [ 61.677219] ================================================================== [ 61.684566] Disabling lock debugging due to kernel taint [ 61.690001] Kernel panic - not syncing: panic_on_warn set ... [ 61.695883] CPU: 1 PID: 8368 Comm: syz-executor508 Tainted: G B 5.0.0-rc1+ #19 [ 61.704531] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 61.713884] Call Trace: [ 61.716471] dump_stack+0x1db/0x2d0 [ 61.720092] ? dump_stack_print_info.cold+0x20/0x20 [ 61.725126] panic+0x2cb/0x65c [ 61.728315] ? add_taint.cold+0x16/0x16 [ 61.732282] ? kasan_check_read+0x11/0x20 [ 61.736439] ? trace_hardirqs_on_caller+0x310/0x310 [ 61.741448] ? do_raw_spin_trylock+0x270/0x270 [ 61.746030] ? add_taint.cold+0x5/0x16 [ 61.749909] ? trace_hardirqs_off+0xaf/0x310 [ 61.754310] ? __lock_acquire+0x3556/0x4a30 [ 61.758658] end_report+0x47/0x4f [ 61.762127] ? __lock_acquire+0x3556/0x4a30 [ 61.766446] kasan_report.cold+0xe/0x40 [ 61.770412] ? __lock_acquire+0x3556/0x4a30 [ 61.774731] __asan_report_load8_noabort+0x14/0x20 [ 61.779650] __lock_acquire+0x3556/0x4a30 [ 61.783815] ? lock_acquire+0x1db/0x570 [ 61.787800] ? _raw_spin_unlock_irqrestore+0x6b/0xe0 [ 61.792893] ? _raw_spin_unlock_irqrestore+0x6b/0xe0 [ 61.797989] ? lockdep_hardirqs_on+0x415/0x5d0 [ 61.802578] ? mark_held_locks+0x100/0x100 [ 61.806813] ? _raw_spin_unlock_irqrestore+0xa4/0xe0 [ 61.811942] ? __free_object+0x16c/0x350 [ 61.816011] ? debug_object_free+0x2ab/0x5f0 [ 61.820410] ? __list_del_entry_valid.cold+0x4f/0x4f [ 61.825605] ? do_raw_spin_trylock+0x270/0x270 [ 61.830202] ? debug_object_free+0x2b3/0x5f0 [ 61.834752] ? debug_object_destroy+0x250/0x250 [ 61.839445] lock_acquire+0x1db/0x570 [ 61.843242] ? seccomp_notify_release+0x54/0x270 [ 61.847991] ? ___might_sleep+0x1e7/0x310 [ 61.852149] ? lock_release+0xc40/0xc40 [ 61.856115] ? seccomp_notify_release+0x54/0x270 [ 61.860895] ? seccomp_notify_release+0x54/0x270 [ 61.865644] __mutex_lock+0x12f/0x1670 [ 61.869526] ? seccomp_notify_release+0x54/0x270 [ 61.874303] ? seccomp_notify_release+0x54/0x270 [ 61.879062] ? __lock_acquire+0x572/0x4a30 [ 61.883285] ? mutex_trylock+0x2d0/0x2d0 [ 61.887340] ? mark_held_locks+0x100/0x100 [ 61.891564] ? find_held_lock+0x35/0x120 [ 61.895618] ? __sanitizer_cov_trace_const_cmp8+0x18/0x20 [ 61.901150] ? locks_remove_posix+0x488/0x860 [ 61.905639] ? mark_held_locks+0x100/0x100 [ 61.909874] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 61.915400] ? fsnotify+0x4f5/0xed0 [ 61.919023] ? __sanitizer_cov_trace_const_cmp8+0x18/0x20 [ 61.924565] ? locks_remove_file+0x3d5/0x5c0 [ 61.928961] ? __sanitizer_cov_trace_const_cmp2+0x18/0x20 [ 61.934495] ? ima_file_free+0x128/0x630 [ 61.938547] ? fcntl_setlk+0xfe0/0xfe0 [ 61.942425] mutex_lock_nested+0x16/0x20 [ 61.946488] ? mutex_lock_nested+0x16/0x20 [ 61.950737] seccomp_notify_release+0x54/0x270 [ 61.955315] __fput+0x3c5/0xb10 [ 61.958588] ? get_nth_filter.part.0+0x1d0/0x1d0 [ 61.963335] ? get_max_files+0x20/0x20 [ 61.967739] ? task_work_run+0x1bb/0x2b0 [ 61.971791] ? trace_hardirqs_off_caller+0x300/0x300 [ 61.976887] ? do_raw_spin_trylock+0x270/0x270 [ 61.981477] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 61.987023] ____fput+0x16/0x20 [ 61.990304] task_work_run+0x1f4/0x2b0 [ 61.994190] ? task_work_cancel+0x2c0/0x2c0 [ 61.998506] ? __close_fd+0x25f/0x3d0 [ 62.002315] ? do_syscall_64+0x8c/0x800 [ 62.006298] exit_to_usermode_loop+0x32a/0x3b0 [ 62.010879] ? entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 62.016233] ? syscall_trace_enter+0x12a0/0x12a0 [ 62.020980] ? trace_hardirqs_on_thunk+0x1a/0x1c [ 62.025729] do_syscall_64+0x696/0x800 [ 62.029648] ? syscall_return_slowpath+0x5f0/0x5f0 [ 62.034590] ? prepare_exit_to_usermode+0x232/0x3b0 [ 62.039602] ? trace_hardirqs_off_thunk+0x1a/0x1c [ 62.044449] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 62.049631] RIP: 0033:0x405451 [ 62.052818] Code: 75 14 b8 03 00 00 00 0f 05 48 3d 01 f0 ff ff 0f 83 94 17 00 00 c3 48 83 ec 08 e8 6a fc ff ff 48 89 04 24 b8 03 00 00 00 0f 05 <48> 8b 3c 24 48 89 c2 e8 b3 fc ff ff 48 89 d0 48 83 c4 08 48 3d 01 [ 62.071708] RSP: 002b:00007fffe3de5fb0 EFLAGS: 00000293 ORIG_RAX: 0000000000000003 [ 62.079403] RAX: 0000000000000000 RBX: 0000000000000003 RCX: 0000000000405451 [ 62.086678] RDX: 0000000000000000 RSI: 0000000000000080 RDI: 0000000000000003 [ 62.093948] RBP: 00000000000003e8 R08: 00000000000003e8 R09: 0000000000000000 [ 62.101222] R10: 00007fffe3de5fc0 R11: 0000000000000293 R12: 00000000006dac3c [ 62.108482] R13: 0000000000000002 R14: 000000000000002d R15: 00000000006dac30 [ 62.116638] Kernel Offset: disabled [ 62.120284] Rebooting in 86400 seconds..