[?25l[?1c7[ ok 8[?25h[?0c. Starting mcstransd: [....] Starting periodic command scheduler: cron[?25l[?1c7[ ok 8[?25h[?0c. [....] Starting file context maintaining daemon: restorecond[?25l[?1c7[ ok 8[?25h[?0c. [....] Starting OpenBSD Secure Shell server: sshd[?25l[?1c7[ ok 8[?25h[?0c. [ 18.269550] audit: type=1400 audit(1521133198.540:6): avc: denied { map } for pid=4082 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1 Debian GNU/Linux 7 syzkaller ttyS0 Warning: Permanently added '10.128.0.55' (ECDSA) to the list of known hosts. executing program executing program executing program executing program executing program syzkaller login: [ 24.668499] audit: type=1400 audit(1521133204.939:7): avc: denied { map } for pid=4096 comm="syzkaller144721" path="/root/syzkaller144721791" dev="sda1" ino=16481 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1 [ 24.740230] ================================================================== [ 24.747669] BUG: KASAN: use-after-free in __list_del_entry_valid+0x144/0x150 [ 24.754833] Read of size 8 at addr ffff8801d2435ce0 by task syzkaller144721/4121 [ 24.762337] [ 24.763943] CPU: 0 PID: 4121 Comm: syzkaller144721 Not tainted 4.16.0-rc5+ #354 [ 24.771370] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 24.780699] Call Trace: [ 24.783265] dump_stack+0x194/0x24d [ 24.786876] ? arch_local_irq_restore+0x53/0x53 [ 24.791519] ? show_regs_print_info+0x18/0x18 [ 24.796031] ? rcu_note_context_switch+0x710/0x710 [ 24.800948] ? __list_del_entry_valid+0x144/0x150 [ 24.805774] print_address_description+0x73/0x250 [ 24.810601] ? __list_del_entry_valid+0x144/0x150 [ 24.815436] kasan_report+0x23c/0x360 [ 24.819226] __asan_report_load8_noabort+0x14/0x20 [ 24.824144] __list_del_entry_valid+0x144/0x150 [ 24.828791] cma_cancel_operation+0x455/0xd60 [ 24.833260] ? finish_task_switch+0x182/0x7e0 [ 24.837736] ? find_held_lock+0x35/0x1d0 [ 24.841773] ? rdma_destroy_id+0xda0/0xda0 [ 24.845991] ? rdma_destroy_id+0xf4/0xda0 [ 24.850123] ? lock_downgrade+0x980/0x980 [ 24.854249] ? lock_release+0xa40/0xa40 [ 24.858199] ? do_raw_spin_trylock+0x190/0x190 [ 24.862755] ? _raw_spin_unlock_irqrestore+0x31/0xc0 [ 24.867838] ? trace_hardirqs_on_caller+0x421/0x5c0 [ 24.872860] rdma_destroy_id+0xff/0xda0 [ 24.876809] ? lock_release+0xa40/0xa40 [ 24.880771] ? lock_downgrade+0x980/0x980 [ 24.884893] ? cma_release_dev+0x350/0x350 [ 24.889105] ? radix_tree_delete_item+0x146/0x280 [ 24.893948] ucma_close+0x100/0x2f0 [ 24.897554] ? ucma_free_ctx+0xd90/0xd90 [ 24.901587] __fput+0x327/0x7e0 [ 24.904847] ? fput+0x140/0x140 [ 24.908108] ? check_same_owner+0x320/0x320 [ 24.912403] ? _raw_spin_unlock_irq+0x27/0x70 [ 24.916886] ____fput+0x15/0x20 [ 24.920142] task_work_run+0x199/0x270 [ 24.924005] ? task_work_cancel+0x210/0x210 [ 24.928309] ? _raw_spin_unlock+0x22/0x30 [ 24.932439] ? switch_task_namespaces+0x87/0xc0 [ 24.937089] do_exit+0x9bb/0x1ad0 [ 24.940516] ? find_held_lock+0x35/0x1d0 [ 24.944555] ? mm_update_next_owner+0x930/0x930 [ 24.949208] ? debug_check_no_locks_freed+0x3c0/0x3c0 [ 24.954374] ? lock_downgrade+0x980/0x980 [ 24.958503] ? __unqueue_futex+0x1c0/0x290 [ 24.962715] ? lock_release+0xa40/0xa40 [ 24.966662] ? fault_in_user_writeable+0x90/0x90 [ 24.971392] ? do_raw_spin_trylock+0x190/0x190 [ 24.975952] ? futex_wake+0x680/0x680 [ 24.979734] ? drop_futex_key_refs.isra.13+0x63/0xb0 [ 24.984817] ? futex_wait+0x6a9/0x9a0 [ 24.988608] ? trace_hardirqs_off+0x10/0x10 [ 24.992920] ? drop_futex_key_refs.isra.13+0x63/0xb0 [ 24.997997] ? futex_wake+0x2ca/0x680 [ 25.001780] ? memset+0x31/0x40 [ 25.005049] ? find_held_lock+0x35/0x1d0 [ 25.009092] ? get_signal+0x7a9/0x16d0 [ 25.012961] ? lock_downgrade+0x980/0x980 [ 25.017091] do_group_exit+0x149/0x400 [ 25.020957] ? do_raw_spin_trylock+0x190/0x190 [ 25.025514] ? SyS_exit+0x30/0x30 [ 25.028945] ? _raw_spin_unlock_irq+0x27/0x70 [ 25.033418] ? trace_hardirqs_on_caller+0x421/0x5c0 [ 25.038419] get_signal+0x73a/0x16d0 [ 25.042118] ? ptrace_notify+0x130/0x130 [ 25.046152] ? ucma_resolve_addr+0x330/0x330 [ 25.050547] ? kasan_check_write+0x14/0x20 [ 25.054761] ? ucma_write+0x11f/0x3d0 [ 25.058534] ? ucma_resolve_addr+0x330/0x330 [ 25.062916] ? ucma_resolve_route+0x1a0/0x1a0 [ 25.067388] do_signal+0x90/0x1e90 [ 25.070912] ? ucma_resolve_route+0x1a0/0x1a0 [ 25.075384] ? __vfs_write+0xf7/0x970 [ 25.079167] ? rcu_note_context_switch+0x710/0x710 [ 25.084084] ? setup_sigcontext+0x7d0/0x7d0 [ 25.088385] ? kernel_read+0x120/0x120 [ 25.092254] ? __might_sleep+0x95/0x190 [ 25.096206] ? _cond_resched+0x14/0x30 [ 25.100074] ? __inode_security_revalidate+0xd9/0x130 [ 25.105238] ? avc_policy_seqno+0x9/0x20 [ 25.109312] ? selinux_file_permission+0x82/0x460 [ 25.114146] ? exit_to_usermode_loop+0x8c/0x2f0 [ 25.118795] exit_to_usermode_loop+0x258/0x2f0 [ 25.123354] ? trace_event_raw_event_sys_exit+0x260/0x260 [ 25.128867] ? do_syscall_64+0xb7/0x940 [ 25.132836] do_syscall_64+0x6ec/0x940 [ 25.136700] ? _raw_spin_unlock_irq+0x27/0x70 [ 25.141172] ? finish_task_switch+0x1c1/0x7e0 [ 25.145643] ? syscall_return_slowpath+0x550/0x550 [ 25.150549] ? syscall_return_slowpath+0x2ac/0x550 [ 25.155454] ? prepare_exit_to_usermode+0x350/0x350 [ 25.160448] ? entry_SYSCALL_64_after_hwframe+0x52/0xb7 [ 25.165798] ? trace_hardirqs_off_thunk+0x1a/0x1c [ 25.170628] entry_SYSCALL_64_after_hwframe+0x42/0xb7 [ 25.175792] RIP: 0033:0x446af9 [ 25.178955] RSP: 002b:00007fc143953da8 EFLAGS: 00000246 ORIG_RAX: 00000000000000ca [ 25.186643] RAX: fffffffffffffe00 RBX: 00000000006e29fc RCX: 0000000000446af9 [ 25.193905] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 00000000006e29fc [ 25.201172] RBP: 00000000006e29f8 R08: 0000000000000000 R09: 0000000000000000 [ 25.208419] R10: 0000000000000000 R11: 0000000000000246 R12: 006d635f616d6472 [ 25.215662] R13: 2f646e6162696e69 R14: 666e692f7665642f R15: 0000000000000005 [ 25.222928] [ 25.224528] Allocated by task 4121: [ 25.228130] save_stack+0x43/0xd0 [ 25.231556] kasan_kmalloc+0xad/0xe0 [ 25.235243] kmem_cache_alloc_trace+0x136/0x740 [ 25.239884] rdma_create_id+0xd0/0x630 [ 25.243741] ucma_create_id+0x31a/0x620 [ 25.247688] ucma_write+0x2d6/0x3d0 [ 25.251295] __vfs_write+0xef/0x970 [ 25.254892] vfs_write+0x189/0x510 [ 25.258403] SyS_write+0xef/0x220 [ 25.261831] do_syscall_64+0x281/0x940 [ 25.265691] entry_SYSCALL_64_after_hwframe+0x42/0xb7 [ 25.270850] [ 25.272452] Freed by task 4121: [ 25.275704] save_stack+0x43/0xd0 [ 25.279129] __kasan_slab_free+0x11a/0x170 [ 25.283334] kasan_slab_free+0xe/0x10 [ 25.287118] kfree+0xd9/0x260 [ 25.290202] rdma_destroy_id+0x821/0xda0 [ 25.294247] ucma_close+0x100/0x2f0 [ 25.297846] __fput+0x327/0x7e0 [ 25.301097] ____fput+0x15/0x20 [ 25.304349] task_work_run+0x199/0x270 [ 25.308209] do_exit+0x9bb/0x1ad0 [ 25.311644] do_group_exit+0x149/0x400 [ 25.315504] get_signal+0x73a/0x16d0 [ 25.319191] do_signal+0x90/0x1e90 [ 25.322712] exit_to_usermode_loop+0x258/0x2f0 [ 25.327271] do_syscall_64+0x6ec/0x940 [ 25.331131] entry_SYSCALL_64_after_hwframe+0x42/0xb7 [ 25.336292] [ 25.337892] The buggy address belongs to the object at ffff8801d2435b00 [ 25.337892] which belongs to the cache kmalloc-1024 of size 1024 [ 25.350699] The buggy address is located 480 bytes inside of [ 25.350699] 1024-byte region [ffff8801d2435b00, ffff8801d2435f00) [ 25.362640] The buggy address belongs to the page: [ 25.367547] page:ffffea0007490d00 count:1 mapcount:0 mapping:ffff8801d2434000 index:0x0 compound_mapcount: 0 [ 25.377492] flags: 0x2fffc0000008100(slab|head) [ 25.382137] raw: 02fffc0000008100 ffff8801d2434000 0000000000000000 0000000100000007 [ 25.390167] raw: ffffea000730eb20 ffff8801dac01848 ffff8801dac00ac0 0000000000000000 [ 25.398020] page dumped because: kasan: bad access detected [ 25.403706] [ 25.405307] Memory state around the buggy address: [ 25.410208] ffff8801d2435b80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 25.417538] ffff8801d2435c00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 25.424887] >ffff8801d2435c80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 25.432222] ^ [ 25.438696] ffff8801d2435d00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 25.446043] ffff8801d2435d80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 25.453376] ================================================================== [ 25.460707] Disabling lock debugging due to kernel taint [ 25.466184] Kernel panic - not syncing: panic_on_warn set ... [ 25.466184] [ 25.473540] CPU: 0 PID: 4121 Comm: syzkaller144721 Tainted: G B 4.16.0-rc5+ #354 [ 25.482281] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 25.491619] Call Trace: [ 25.494185] dump_stack+0x194/0x24d [ 25.497788] ? arch_local_irq_restore+0x53/0x53 [ 25.502435] ? kasan_end_report+0x32/0x50 [ 25.507309] ? trace_hardirqs_on_thunk+0x1a/0x1c [ 25.512044] ? vsnprintf+0x1ed/0x1900 [ 25.515818] ? __list_del_entry_valid+0x120/0x150 [ 25.520632] panic+0x1e4/0x41c [ 25.523808] ? refcount_error_report+0x214/0x214 [ 25.528537] ? add_taint+0x1c/0x50 [ 25.532051] ? add_taint+0x1c/0x50 [ 25.535566] ? __list_del_entry_valid+0x144/0x150 [ 25.540469] kasan_end_report+0x50/0x50 [ 25.544415] kasan_report+0x149/0x360 [ 25.548189] __asan_report_load8_noabort+0x14/0x20 [ 25.553092] __list_del_entry_valid+0x144/0x150 [ 25.557732] cma_cancel_operation+0x455/0xd60 [ 25.562206] ? finish_task_switch+0x182/0x7e0 [ 25.566680] ? find_held_lock+0x35/0x1d0 [ 25.570718] ? rdma_destroy_id+0xda0/0xda0 [ 25.574929] ? rdma_destroy_id+0xf4/0xda0 [ 25.579059] ? lock_downgrade+0x980/0x980 [ 25.583190] ? lock_release+0xa40/0xa40 [ 25.587269] ? do_raw_spin_trylock+0x190/0x190 [ 25.591827] ? _raw_spin_unlock_irqrestore+0x31/0xc0 [ 25.596906] ? trace_hardirqs_on_caller+0x421/0x5c0 [ 25.601897] rdma_destroy_id+0xff/0xda0 [ 25.605846] ? lock_release+0xa40/0xa40 [ 25.609826] ? lock_downgrade+0x980/0x980 [ 25.613967] ? cma_release_dev+0x350/0x350 [ 25.618194] ? radix_tree_delete_item+0x146/0x280 [ 25.623038] ucma_close+0x100/0x2f0 [ 25.626646] ? ucma_free_ctx+0xd90/0xd90 [ 25.630691] __fput+0x327/0x7e0 [ 25.633948] ? fput+0x140/0x140 [ 25.637202] ? check_same_owner+0x320/0x320 [ 25.641498] ? _raw_spin_unlock_irq+0x27/0x70 [ 25.645972] ____fput+0x15/0x20 [ 25.649226] task_work_run+0x199/0x270 [ 25.653088] ? task_work_cancel+0x210/0x210 [ 25.657381] ? _raw_spin_unlock+0x22/0x30 [ 25.661502] ? switch_task_namespaces+0x87/0xc0 [ 25.666146] do_exit+0x9bb/0x1ad0 [ 25.669574] ? find_held_lock+0x35/0x1d0 [ 25.673607] ? mm_update_next_owner+0x930/0x930 [ 25.678251] ? debug_check_no_locks_freed+0x3c0/0x3c0 [ 25.683413] ? lock_downgrade+0x980/0x980 [ 25.687534] ? __unqueue_futex+0x1c0/0x290 [ 25.691746] ? lock_release+0xa40/0xa40 [ 25.695692] ? fault_in_user_writeable+0x90/0x90 [ 25.700428] ? do_raw_spin_trylock+0x190/0x190 [ 25.704984] ? futex_wake+0x680/0x680 [ 25.708766] ? drop_futex_key_refs.isra.13+0x63/0xb0 [ 25.713853] ? futex_wait+0x6a9/0x9a0 [ 25.717638] ? trace_hardirqs_off+0x10/0x10 [ 25.721934] ? drop_futex_key_refs.isra.13+0x63/0xb0 [ 25.727015] ? futex_wake+0x2ca/0x680 [ 25.730800] ? memset+0x31/0x40 [ 25.734056] ? find_held_lock+0x35/0x1d0 [ 25.738098] ? get_signal+0x7a9/0x16d0 [ 25.741960] ? lock_downgrade+0x980/0x980 [ 25.746085] do_group_exit+0x149/0x400 [ 25.749947] ? do_raw_spin_trylock+0x190/0x190 [ 25.754501] ? SyS_exit+0x30/0x30 [ 25.757934] ? _raw_spin_unlock_irq+0x27/0x70 [ 25.762405] ? trace_hardirqs_on_caller+0x421/0x5c0 [ 25.767397] get_signal+0x73a/0x16d0 [ 25.771088] ? ptrace_notify+0x130/0x130 [ 25.775125] ? ucma_resolve_addr+0x330/0x330 [ 25.779512] ? kasan_check_write+0x14/0x20 [ 25.783720] ? ucma_write+0x11f/0x3d0 [ 25.787492] ? ucma_resolve_addr+0x330/0x330 [ 25.791869] ? ucma_resolve_route+0x1a0/0x1a0 [ 25.796340] do_signal+0x90/0x1e90 [ 25.799867] ? ucma_resolve_route+0x1a0/0x1a0 [ 25.804336] ? __vfs_write+0xf7/0x970 [ 25.808112] ? rcu_note_context_switch+0x710/0x710 [ 25.813016] ? setup_sigcontext+0x7d0/0x7d0 [ 25.817316] ? kernel_read+0x120/0x120 [ 25.821175] ? __might_sleep+0x95/0x190 [ 25.825125] ? _cond_resched+0x14/0x30 [ 25.828987] ? __inode_security_revalidate+0xd9/0x130 [ 25.834155] ? avc_policy_seqno+0x9/0x20 [ 25.838198] ? selinux_file_permission+0x82/0x460 [ 25.843029] ? exit_to_usermode_loop+0x8c/0x2f0 [ 25.847679] exit_to_usermode_loop+0x258/0x2f0 [ 25.852233] ? trace_event_raw_event_sys_exit+0x260/0x260 [ 25.857741] ? do_syscall_64+0xb7/0x940 [ 25.861687] do_syscall_64+0x6ec/0x940 [ 25.865554] ? _raw_spin_unlock_irq+0x27/0x70 [ 25.870032] ? finish_task_switch+0x1c1/0x7e0 [ 25.874500] ? syscall_return_slowpath+0x550/0x550 [ 25.879402] ? syscall_return_slowpath+0x2ac/0x550 [ 25.884304] ? prepare_exit_to_usermode+0x350/0x350 [ 25.889291] ? entry_SYSCALL_64_after_hwframe+0x52/0xb7 [ 25.894627] ? trace_hardirqs_off_thunk+0x1a/0x1c [ 25.899444] entry_SYSCALL_64_after_hwframe+0x42/0xb7 [ 25.904605] RIP: 0033:0x446af9 [ 25.907776] RSP: 002b:00007fc143953da8 EFLAGS: 00000246 ORIG_RAX: 00000000000000ca [ 25.915461] RAX: fffffffffffffe00 RBX: 00000000006e29fc RCX: 0000000000446af9 [ 25.922710] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 00000000006e29fc [ 25.929952] RBP: 00000000006e29f8 R08: 0000000000000000 R09: 0000000000000000 [ 25.937193] R10: 0000000000000000 R11: 0000000000000246 R12: 006d635f616d6472 [ 25.944433] R13: 2f646e6162696e69 R14: 666e692f7665642f R15: 0000000000000005 [ 25.952322] Dumping ftrace buffer: [ 25.955836] (ftrace buffer empty) [ 25.959517] Kernel Offset: disabled [ 25.963115] Rebooting in 86400 seconds..