[ ok ] Starting periodic command scheduler: cron.
Starting mcstransd: [ ok ] Starting file context maintaining daemon: restorecond.
[ ok ] Starting OpenBSD Secure Shell server: sshd.
[ 18.181576] audit: type=1400 audit(1520745715.421:6): avc: denied { map } for pid=4212 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1

Debian GNU/Linux 7 syzkaller ttyS0

Warning: Permanently added '10.128.0.13' (ECDSA) to the list of known hosts.
executing program
syzkaller login:
[ 24.557428] audit: type=1400 audit(1520745721.797:7): avc: denied { map } for pid=4226 comm="syzkaller040805" path="/root/syzkaller040805287" dev="sda1" ino=16481 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
[ 24.585055] ==================================================================
[ 24.592485] BUG: KASAN: use-after-free in ucma_close+0x2d7/0x2f0
[ 24.598605] Read of size 8 at addr ffff8801b354e780 by task syzkaller040805/4226
[ 24.606106]
[ 24.607708] CPU: 0 PID: 4226 Comm: syzkaller040805 Not tainted 4.16.0-rc4+ #349
[ 24.615127] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 24.624451] Call Trace:
[ 24.627020] dump_stack+0x194/0x24d
[ 24.630627] ? arch_local_irq_restore+0x53/0x53
[ 24.635269] ? show_regs_print_info+0x18/0x18
[ 24.639741] ? ucma_close+0x2d7/0x2f0
[ 24.643516] print_address_description+0x73/0x250
[ 24.648331] ? ucma_close+0x2d7/0x2f0
[ 24.652106] kasan_report+0x23c/0x360
[ 24.655884] __asan_report_load8_noabort+0x14/0x20
[ 24.660787] ucma_close+0x2d7/0x2f0
[ 24.664387] ? __might_sleep+0x95/0x190
[ 24.668335] ? ucma_free_ctx+0xd90/0xd90
[ 24.672371] __fput+0x327/0x7e0
[ 24.675631] ? fput+0x140/0x140
[ 24.678887] ? _raw_spin_unlock_irq+0x27/0x70
[ 24.683360] ____fput+0x15/0x20
[ 24.686613] task_work_run+0x199/0x270
[ 24.690484] ? task_work_cancel+0x210/0x210
[ 24.694782] ? _raw_spin_unlock+0x22/0x30
[ 24.698909] ? switch_task_namespaces+0x87/0xc0
[ 24.703557] do_exit+0x9bb/0x1ad0
[ 24.706984] ? ucma_create_id+0x45b/0x620
[ 24.711111] ? mm_update_next_owner+0x930/0x930
[ 24.715756] ? ucma_create_id+0x17b/0x620
[ 24.719878] ? ucma_get_event+0xa90/0xa90
[ 24.724006] ? __might_sleep+0x95/0x190
[ 24.727965] ? kasan_check_write+0x14/0x20
[ 24.732175] ? _copy_from_user+0x99/0x110
[ 24.736302] ? ucma_write+0x11f/0x3d0
[ 24.740076] ? ucma_get_event+0xa90/0xa90
[ 24.744199] ? ucma_resolve_route+0x1a0/0x1a0
[ 24.748678] ? ucma_resolve_route+0x1a0/0x1a0
[ 24.753147] ? __vfs_write+0xf7/0x970
[ 24.756951] ? rcu_note_context_switch+0x710/0x710
[ 24.761856] ? kernel_read+0x120/0x120
[ 24.765727] ? __might_sleep+0x95/0x190
[ 24.769680] ? _cond_resched+0x14/0x30
[ 24.773541] ? __inode_security_revalidate+0xd9/0x130
[ 24.778707] ? avc_policy_seqno+0x9/0x20
[ 24.782748] ? security_file_permission+0x89/0x1e0
[ 24.787656] ? rw_verify_area+0xe5/0x2b0
[ 24.791687] ? __fdget_raw+0x20/0x20
[ 24.795378] ? vfs_write+0x224/0x510
[ 24.799069] do_group_exit+0x149/0x400
[ 24.802930] ? SyS_write+0x184/0x220
[ 24.806644] ? filp_open+0x70/0x70
[ 24.810157] ? SyS_exit+0x30/0x30
[ 24.813583] ? SyS_read+0x220/0x220
[ 24.817185] ? do_syscall_64+0xb7/0x940
[ 24.821131] ? do_group_exit+0x400/0x400
[ 24.825168] SyS_exit_group+0x1d/0x20
[ 24.828939] do_syscall_64+0x281/0x940
[ 24.832800] ? __do_page_fault+0xc90/0xc90
[ 24.837009] ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 24.841755] ? syscall_return_slowpath+0x550/0x550
[ 24.846658] ? syscall_return_slowpath+0x2ac/0x550
[ 24.851562] ? prepare_exit_to_usermode+0x350/0x350
[ 24.856558] ? entry_SYSCALL_64_after_hwframe+0x52/0xb7
[ 24.861902] ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 24.866726] entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 24.871887] RIP: 0033:0x43e978
[ 24.875052] RSP: 002b:00007ffd6731e858 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
[ 24.882734] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 000000000043e978
[ 24.889979] RDX: 0000000000000000 RSI: 000000000000003c RDI: 0000000000000000
[ 24.897232] RBP: 00000000004be3e0 R08: 00000000000000e7 R09: ffffffffffffffd0
[ 24.904474] R10: 00000000004002c8 R11: 0000000000000246 R12: 0000000000000001
[ 24.911717] R13: 00000000006cc160 R14: 0000000000000000 R15: 0000000000000000
[ 24.918977]
[ 24.920578] Allocated by task 4226:
[ 24.924193] save_stack+0x43/0xd0
[ 24.927619] kasan_kmalloc+0xad/0xe0
[ 24.931305] kmem_cache_alloc_trace+0x136/0x740
[ 24.935947] ucma_alloc_ctx+0xce/0x610
[ 24.939806] ucma_create_id+0x205/0x620
[ 24.943754] ucma_write+0x2d6/0x3d0
[ 24.947365] __vfs_write+0xef/0x970
[ 24.950965] vfs_write+0x189/0x510
[ 24.954478] SyS_write+0xef/0x220
[ 24.957904] do_syscall_64+0x281/0x940
[ 24.961766] entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 24.966924]
[ 24.968526] Freed by task 4226:
[ 24.971785] save_stack+0x43/0xd0
[ 24.975220] __kasan_slab_free+0x11a/0x170
[ 24.979440] kasan_slab_free+0xe/0x10
[ 24.983217] kfree+0xd9/0x260
[ 24.986296] ucma_create_id+0x45b/0x620
[ 24.990245] ucma_write+0x2d6/0x3d0
[ 24.993843] __vfs_write+0xef/0x970
[ 24.997443] vfs_write+0x189/0x510
[ 25.000954] SyS_write+0xef/0x220
[ 25.004395] do_syscall_64+0x281/0x940
[ 25.008262] entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 25.013431]
[ 25.015036] The buggy address belongs to the object at ffff8801b354e700
[ 25.015036] which belongs to the cache kmalloc-256 of size 256
[ 25.027674] The buggy address is located 128 bytes inside of
[ 25.027674] 256-byte region [ffff8801b354e700, ffff8801b354e800)
[ 25.039644] The buggy address belongs to the page:
[ 25.044548] page:ffffea0006cd5380 count:1 mapcount:0 mapping:ffff8801b354e0c0 index:0x0
[ 25.052671] flags: 0x2fffc0000000100(slab)
[ 25.056887] raw: 02fffc0000000100 ffff8801b354e0c0 0000000000000000 000000010000000c
[ 25.064739] raw: ffffea0006ce6ea0 ffffea0006ce78e0 ffff8801dac007c0 0000000000000000
[ 25.072589] page dumped because: kasan: bad access detected
[ 25.078269]
[ 25.079869] Memory state around the buggy address:
[ 25.084771] ffff8801b354e680: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 25.092101] ffff8801b354e700: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 25.099430] >ffff8801b354e780: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 25.106759] ^
[ 25.110098] ffff8801b354e800: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
[ 25.117427] ffff8801b354e880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 25.124756] ==================================================================
[ 25.132085] Disabling lock debugging due to kernel taint
[ 25.137595] Kernel panic - not syncing: panic_on_warn set ...
[ 25.137595]
[ 25.144945] CPU: 0 PID: 4226 Comm: syzkaller040805 Tainted: G B 4.16.0-rc4+ #349
[ 25.153668] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 25.162994] Call Trace:
[ 25.165560] dump_stack+0x194/0x24d
[ 25.169159] ? arch_local_irq_restore+0x53/0x53
[ 25.173801] ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 25.178529] ? vsnprintf+0x1ed/0x1900
[ 25.182302] ? ucma_close+0x280/0x2f0
[ 25.186074] panic+0x1e4/0x41c
[ 25.189238] ? refcount_error_report+0x214/0x214
[ 25.193965] ? add_taint+0x1c/0x50
[ 25.197474] ? add_taint+0x1c/0x50
[ 25.200985] ? ucma_close+0x2d7/0x2f0
[ 25.204756] kasan_end_report+0x50/0x50
[ 25.208702] kasan_report+0x149/0x360
[ 25.212474] __asan_report_load8_noabort+0x14/0x20
[ 25.217375] ucma_close+0x2d7/0x2f0
[ 25.220972] ? __might_sleep+0x95/0x190
[ 25.224919] ? ucma_free_ctx+0xd90/0xd90
[ 25.228949] __fput+0x327/0x7e0
[ 25.232205] ? fput+0x140/0x140
[ 25.235460] ? _raw_spin_unlock_irq+0x27/0x70
[ 25.239942] ____fput+0x15/0x20
[ 25.243196] task_work_run+0x199/0x270
[ 25.247058] ? task_work_cancel+0x210/0x210
[ 25.251352] ? _raw_spin_unlock+0x22/0x30
[ 25.255471] ? switch_task_namespaces+0x87/0xc0
[ 25.260111] do_exit+0x9bb/0x1ad0
[ 25.263534] ? ucma_create_id+0x45b/0x620
[ 25.267654] ? mm_update_next_owner+0x930/0x930
[ 25.272295] ? ucma_create_id+0x17b/0x620
[ 25.276413] ? ucma_get_event+0xa90/0xa90
[ 25.280535] ? __might_sleep+0x95/0x190
[ 25.284484] ? kasan_check_write+0x14/0x20
[ 25.288691] ? _copy_from_user+0x99/0x110
[ 25.292813] ? ucma_write+0x11f/0x3d0
[ 25.296581] ? ucma_get_event+0xa90/0xa90
[ 25.300698] ? ucma_resolve_route+0x1a0/0x1a0
[ 25.305169] ? ucma_resolve_route+0x1a0/0x1a0
[ 25.309632] ? __vfs_write+0xf7/0x970
[ 25.313403] ? rcu_note_context_switch+0x710/0x710
[ 25.318302] ? kernel_read+0x120/0x120
[ 25.322158] ? __might_sleep+0x95/0x190
[ 25.326104] ? _cond_resched+0x14/0x30
[ 25.329963] ? __inode_security_revalidate+0xd9/0x130
[ 25.335123] ? avc_policy_seqno+0x9/0x20
[ 25.339158] ? security_file_permission+0x89/0x1e0
[ 25.344076] ? rw_verify_area+0xe5/0x2b0
[ 25.348108] ? __fdget_raw+0x20/0x20
[ 25.351792] ? vfs_write+0x224/0x510
[ 25.355476] do_group_exit+0x149/0x400
[ 25.359334] ? SyS_write+0x184/0x220
[ 25.363022] ? filp_open+0x70/0x70
[ 25.366544] ? SyS_exit+0x30/0x30
[ 25.369966] ? SyS_read+0x220/0x220
[ 25.373563] ? do_syscall_64+0xb7/0x940
[ 25.377506] ? do_group_exit+0x400/0x400
[ 25.381536] SyS_exit_group+0x1d/0x20
[ 25.385309] do_syscall_64+0x281/0x940
[ 25.389165] ? __do_page_fault+0xc90/0xc90
[ 25.393372] ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 25.398100] ? syscall_return_slowpath+0x550/0x550
[ 25.403002] ? syscall_return_slowpath+0x2ac/0x550
[ 25.407910] ? prepare_exit_to_usermode+0x350/0x350
[ 25.412895] ? entry_SYSCALL_64_after_hwframe+0x52/0xb7
[ 25.418232] ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 25.423049] entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 25.428211] RIP: 0033:0x43e978
[ 25.431371] RSP: 002b:00007ffd6731e858 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
[ 25.439049] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 000000000043e978
[ 25.446289] RDX: 0000000000000000 RSI: 000000000000003c RDI: 0000000000000000
[ 25.453527] RBP: 00000000004be3e0 R08: 00000000000000e7 R09: ffffffffffffffd0
[ 25.460766] R10: 00000000004002c8 R11: 0000000000000246 R12: 0000000000000001
[ 25.468006] R13: 00000000006cc160 R14: 0000000000000000 R15: 0000000000000000
[ 25.475692] Dumping ftrace buffer:
[ 25.479202] (ftrace buffer empty)
[ 25.482888] Kernel Offset: disabled
[ 25.486486] Rebooting in 86400 seconds..