[ 11.912235] rsyslogd (2988) used greatest stack depth: 15056 bytes left [?25l[?1c7[ ok 8[?25h[?0c. Starting mcstransd: [....] Starting periodic command scheduler: cron[?25l[?1c7[ ok 8[?25h[?0c. [....] Starting file context maintaining daemon: restorecond[?25l[?1c7[ ok 8[?25h[?0c. [....] Starting OpenBSD Secure Shell server: sshd[?25l[?1c7[ ok 8[?25h[?0c. Debian GNU/Linux 7 syzkaller ttyS0 syzkaller login: [ 16.845998] audit: type=1400 audit(1513275571.499:6): avc: denied { map } for pid=3137 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1 Warning: Permanently added 'ci-upstream-mmots-kasan-gce-7,10.128.0.12' (ECDSA) to the list of known hosts. executing program [ 38.476550] audit: type=1400 audit(1513275593.129:7): avc: denied { map } for pid=3155 comm="syzkaller711981" path="/root/syzkaller711981979" dev="sda1" ino=16481 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1 [ 38.516584] ================================================================== [ 38.523991] BUG: KASAN: use-after-free in refcount_inc_not_zero+0x16e/0x180 [ 38.531064] Read of size 4 at addr ffff8801c51bb200 by task syzkaller711981/3156 [ 38.538567] [ 38.540169] CPU: 1 PID: 3156 Comm: syzkaller711981 Not tainted 4.15.0-rc2-mm1+ #39 [ 38.547847] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 38.557175] Call Trace: [ 38.559742] dump_stack+0x194/0x257 [ 38.563779] ? arch_local_irq_restore+0x53/0x53 [ 38.568421] ? show_regs_print_info+0x18/0x18 [ 38.572895] ? refcount_inc_not_zero+0x16e/0x180 [ 38.577625] print_address_description+0x73/0x250 [ 38.582441] ? refcount_inc_not_zero+0x16e/0x180 [ 38.587168] kasan_report+0x25b/0x340 [ 38.590944] __asan_report_load4_noabort+0x14/0x20 [ 38.595842] refcount_inc_not_zero+0x16e/0x180 [ 38.600395] ? refcount_add+0x60/0x60 [ 38.604168] ? find_held_lock+0x39/0x1d0 [ 38.608212] ? do_mq_timedreceive+0xf50/0xf50 [ 38.612678] refcount_inc+0x15/0x50 [ 38.616275] mqueue_evict_inode+0x137/0x9c0 [ 38.620573] ? inode_wait_for_writeback+0x1f/0x40 [ 38.625823] ? evict+0x2c8/0x920 [ 38.630728] ? do_mq_timedreceive+0xf50/0xf50 [ 38.635975] ? __inode_wait_for_writeback+0x292/0x330 [ 38.641146] ? do_raw_spin_trylock+0x190/0x190 [ 38.645706] ? bit_waitqueue+0x30/0x30 [ 38.649572] ? _raw_spin_unlock+0x22/0x30 [ 38.653693] ? do_mq_timedreceive+0xf50/0xf50 [ 38.658164] evict+0x481/0x920 [ 38.661333] ? destroy_inode+0x200/0x200 [ 38.665366] ? lock_downgrade+0x980/0x980 [ 38.669494] ? __lock_acquire+0x6e9/0x47f0 [ 38.673703] ? kill_litter_super+0x72/0x90 [ 38.677914] ? _raw_spin_lock+0x32/0x40 [ 38.681862] ? _atomic_dec_and_lock+0x125/0x196 [ 38.686505] ? do_raw_spin_trylock+0x190/0x190 [ 38.691060] ? cpumask_local_spread+0x260/0x260 [ 38.695712] iput+0x7b9/0xaf0 [ 38.698798] ? evict_inodes+0x580/0x580 [ 38.702753] ? reacquire_held_locks+0x201/0x3e0 [ 38.707394] ? shrink_dentry_list+0x3b0/0xcf0 [ 38.711865] ? do_raw_spin_trylock+0x190/0x190 [ 38.716432] dentry_unlink_inode+0x4b0/0x5e0 [ 38.720813] ? release_dentry_name_snapshot+0x70/0x70 [ 38.726933] ? __lock_acquire+0x6e9/0x47f0 [ 38.732788] ? __d_drop+0x2b9/0x4b0 [ 38.737429] ? do_raw_spin_trylock+0x190/0x190 [ 38.741993] ? d_exact_alias+0x620/0x620 [ 38.746029] ? lock_acquire+0x1d5/0x580 [ 38.749982] __dentry_kill+0x3b7/0x6d0 [ 38.753846] ? check_and_drop+0x170/0x170 [ 38.757985] shrink_dentry_list+0x3c5/0xcf0 [ 38.762288] ? d_add+0xa70/0xa70 [ 38.765632] ? d_shrink_add+0x280/0x280 [ 38.769579] ? dget_parent+0x5b0/0x5b0 [ 38.773442] ? find_held_lock+0x39/0x1d0 [ 38.777485] ? lock_downgrade+0x980/0x980 [ 38.781608] shrink_dcache_parent+0xba/0x230 [ 38.785998] ? path_has_submounts+0x1a0/0x1a0 [ 38.790463] ? lock_release+0xda0/0xda0 [ 38.794407] ? check_noncircular+0x20/0x20 [ 38.798620] ? d_walk+0x1d2/0xb20 [ 38.802048] do_one_tree+0x15/0x50 [ 38.805557] shrink_dcache_for_umount+0xbb/0x290 [ 38.810282] ? d_walk+0x6f2/0xb20 [ 38.813709] ? d_set_mounted+0x2d0/0x2d0 [ 38.817764] ? d_find_any_alias+0x1c0/0x1c0 [ 38.822065] generic_shutdown_super+0xcd/0x540 [ 38.826970] ? destroy_super_rcu+0x240/0x240 [ 38.832135] ? unregister_shrinker+0x1d1/0x300 [ 38.836694] ? perf_trace_mm_vmscan_writepage+0x790/0x790 [ 38.842205] ? down_write+0x87/0x120 [ 38.845908] kill_litter_super+0x72/0x90 [ 38.849947] deactivate_locked_super+0x88/0xd0 [ 38.854503] deactivate_super+0x141/0x1b0 [ 38.858626] ? __sb_start_write+0x290/0x290 [ 38.862931] cleanup_mnt+0xb2/0x150 [ 38.866529] __cleanup_mnt+0x16/0x20 [ 38.871258] task_work_run+0x199/0x270 [ 38.875132] ? task_work_cancel+0x210/0x210 [ 38.879436] ? free_nsproxy+0x185/0x1f0 [ 38.883387] ? switch_task_namespaces+0xa2/0xc0 [ 38.888033] do_exit+0x9bb/0x1ae0 [ 38.891462] ? check_noncircular+0x20/0x20 [ 38.895667] ? check_noncircular+0x20/0x20 [ 38.899878] ? mm_update_next_owner+0x930/0x930 [ 38.904523] ? check_noncircular+0x20/0x20 [ 38.908738] ? __d_instantiate+0xf8/0x710 [ 38.912860] ? check_noncircular+0x20/0x20 [ 38.917069] ? check_noncircular+0x20/0x20 [ 38.921275] ? do_raw_spin_trylock+0x190/0x190 [ 38.925834] ? find_held_lock+0x39/0x1d0 [ 38.930745] ? lock_downgrade+0x980/0x980 [ 38.935992] ? mnt_get_count+0x150/0x150 [ 38.941592] ? lock_release+0xda0/0xda0 [ 38.945541] ? lock_release+0xda0/0xda0 [ 38.949495] ? do_raw_spin_trylock+0x190/0x190 [ 38.954060] ? mntput_no_expire+0x15e/0xa90 [ 38.958358] ? mnt_get_count+0x150/0x150 [ 38.962395] ? dput.part.23+0x207/0x830 [ 38.966345] ? dentry_path_raw+0x30/0x30 [ 38.970388] ? mntput+0x66/0x90 [ 38.973650] do_group_exit+0x149/0x400 [ 38.977514] ? SyS_exit+0x30/0x30 [ 38.980944] ? trace_hardirqs_on_caller+0x421/0x5c0 [ 38.985937] ? trace_hardirqs_on_thunk+0x1a/0x1c [ 38.990671] SyS_exit_group+0x1d/0x20 [ 38.994451] entry_SYSCALL_64_fastpath+0x1f/0x96 [ 38.999189] RIP: 0033:0x440729 [ 39.002354] RSP: 002b:00007ffd090ef228 EFLAGS: 00000206 ORIG_RAX: 00000000000000e7 [ 39.010040] RAX: ffffffffffffffda RBX: 0030656c69662f2e RCX: 0000000000440729 [ 39.017284] RDX: 0000000000440729 RSI: 0000000000000000 RDI: 0000000000000001 [ 39.024526] RBP: 00000000006cb018 R08: 0000000000000000 R09: 00000000004002c8 [ 39.031774] R10: 0000000000000000 R11: 0000000000000206 R12: 0000000000401bf0 [ 39.039022] R13: 0000000000401c80 R14: 0000000000000000 R15: 0000000000000000 [ 39.046584] [ 39.048188] Allocated by task 3156: [ 39.051792] save_stack+0x43/0xd0 [ 39.055227] kasan_kmalloc+0xad/0xe0 [ 39.059276] kmem_cache_alloc_trace+0x136/0x750 [ 39.063919] copy_ipcs+0x1b3/0x520 [ 39.067433] create_new_namespaces+0x278/0x880 [ 39.071985] unshare_nsproxy_namespaces+0xae/0x1e0 [ 39.076887] SyS_unshare+0x653/0xfa0 [ 39.081613] entry_SYSCALL_64_fastpath+0x1f/0x96 [ 39.087117] [ 39.088718] Freed by task 3156: [ 39.091973] save_stack+0x43/0xd0 [ 39.095409] kasan_slab_free+0x71/0xc0 [ 39.099273] kfree+0xca/0x250 [ 39.102350] put_ipc_ns+0x112/0x150 [ 39.105952] free_nsproxy+0xc0/0x1f0 [ 39.109723] switch_task_namespaces+0x9d/0xc0 [ 39.114194] exit_task_namespaces+0x17/0x20 [ 39.118488] do_exit+0x9b6/0x1ae0 [ 39.121912] do_group_exit+0x149/0x400 [ 39.125771] SyS_exit_group+0x1d/0x20 [ 39.129545] entry_SYSCALL_64_fastpath+0x1f/0x96 [ 39.134272] [ 39.135876] The buggy address belongs to the object at ffff8801c51bb200 [ 39.135876] which belongs to the cache kmalloc-2048 of size 2048 [ 39.148682] The buggy address is located 0 bytes inside of [ 39.148682] 2048-byte region [ffff8801c51bb200, ffff8801c51bba00) [ 39.161221] The buggy address belongs to the page: [ 39.166122] page:000000007764ba6d count:1 mapcount:0 mapping:000000002c36623f index:0x0 compound_mapcount: 0 [ 39.176071] flags: 0x2fffc0000008100(slab|head) [ 39.180714] raw: 02fffc0000008100 ffff8801c51ba100 0000000000000000 0000000100000003 [ 39.188565] raw: ffffea000715d320 ffff8801dac01950 ffff8801dac00c40 0000000000000000 [ 39.196415] page dumped because: kasan: bad access detected [ 39.202094] [ 39.203694] Memory state around the buggy address: [ 39.208594] ffff8801c51bb100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 39.215928] ffff8801c51bb180: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 39.223256] >ffff8801c51bb200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 39.230602] ^ [ 39.234201] ffff8801c51bb280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 39.241540] ffff8801c51bb300: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 39.248870] ================================================================== [ 39.256201] Disabling lock debugging due to kernel taint [ 39.261786] Kernel panic - not syncing: panic_on_warn set ... [ 39.261786] [ 39.269124] CPU: 1 PID: 3156 Comm: syzkaller711981 Tainted: G B 4.15.0-rc2-mm1+ #39 [ 39.278097] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 39.287420] Call Trace: [ 39.289978] dump_stack+0x194/0x257 [ 39.293575] ? arch_local_irq_restore+0x53/0x53 [ 39.298215] ? trace_hardirqs_on_thunk+0x1a/0x1c [ 39.302946] ? vsnprintf+0x1ed/0x1900 [ 39.308543] ? refcount_inc_not_zero+0xd0/0x180 [ 39.313700] panic+0x1e4/0x41c [ 39.316858] ? refcount_error_report+0x214/0x214 [ 39.321583] ? add_taint+0x1c/0x50 [ 39.325087] ? add_taint+0x1c/0x50 [ 39.328605] ? refcount_inc_not_zero+0x16e/0x180 [ 39.333325] kasan_end_report+0x50/0x50 [ 39.337272] kasan_report+0x144/0x340 [ 39.341481] __asan_report_load4_noabort+0x14/0x20 [ 39.346374] refcount_inc_not_zero+0x16e/0x180 [ 39.350922] ? refcount_add+0x60/0x60 [ 39.354689] ? find_held_lock+0x39/0x1d0 [ 39.358718] ? do_mq_timedreceive+0xf50/0xf50 [ 39.363181] refcount_inc+0x15/0x50 [ 39.366773] mqueue_evict_inode+0x137/0x9c0 [ 39.371064] ? inode_wait_for_writeback+0x1f/0x40 [ 39.375872] ? evict+0x2c8/0x920 [ 39.379205] ? do_mq_timedreceive+0xf50/0xf50 [ 39.383664] ? __inode_wait_for_writeback+0x292/0x330 [ 39.388827] ? do_raw_spin_trylock+0x190/0x190 [ 39.393388] ? bit_waitqueue+0x30/0x30 [ 39.397592] ? _raw_spin_unlock+0x22/0x30 [ 39.401706] ? do_mq_timedreceive+0xf50/0xf50 [ 39.406173] evict+0x481/0x920 [ 39.409334] ? destroy_inode+0x200/0x200 [ 39.413360] ? lock_downgrade+0x980/0x980 [ 39.417474] ? __lock_acquire+0x6e9/0x47f0 [ 39.421688] ? kill_litter_super+0x72/0x90 [ 39.425898] ? _raw_spin_lock+0x32/0x40 [ 39.429838] ? _atomic_dec_and_lock+0x125/0x196 [ 39.434479] ? do_raw_spin_trylock+0x190/0x190 [ 39.439029] ? cpumask_local_spread+0x260/0x260 [ 39.443671] iput+0x7b9/0xaf0 [ 39.447701] ? evict_inodes+0x580/0x580 [ 39.452954] ? reacquire_held_locks+0x201/0x3e0 [ 39.457596] ? shrink_dentry_list+0x3b0/0xcf0 [ 39.462061] ? do_raw_spin_trylock+0x190/0x190 [ 39.466614] dentry_unlink_inode+0x4b0/0x5e0 [ 39.470990] ? release_dentry_name_snapshot+0x70/0x70 [ 39.476148] ? __lock_acquire+0x6e9/0x47f0 [ 39.480610] ? __d_drop+0x2b9/0x4b0 [ 39.484204] ? do_raw_spin_trylock+0x190/0x190 [ 39.488750] ? d_exact_alias+0x620/0x620 [ 39.492777] ? lock_acquire+0x1d5/0x580 [ 39.496722] __dentry_kill+0x3b7/0x6d0 [ 39.500575] ? check_and_drop+0x170/0x170 [ 39.504699] shrink_dentry_list+0x3c5/0xcf0 [ 39.508992] ? d_add+0xa70/0xa70 [ 39.512330] ? d_shrink_add+0x280/0x280 [ 39.516271] ? dget_parent+0x5b0/0x5b0 [ 39.520126] ? find_held_lock+0x39/0x1d0 [ 39.524158] ? lock_downgrade+0x980/0x980 [ 39.528274] shrink_dcache_parent+0xba/0x230 [ 39.532649] ? path_has_submounts+0x1a0/0x1a0 [ 39.537113] ? lock_release+0xda0/0xda0 [ 39.541054] ? check_noncircular+0x20/0x20 [ 39.545265] ? d_walk+0x1d2/0xb20 [ 39.548688] do_one_tree+0x15/0x50 [ 39.552195] shrink_dcache_for_umount+0xbb/0x290 [ 39.556915] ? d_walk+0x6f2/0xb20 [ 39.560334] ? d_set_mounted+0x2d0/0x2d0 [ 39.564361] ? d_find_any_alias+0x1c0/0x1c0 [ 39.568676] generic_shutdown_super+0xcd/0x540 [ 39.573225] ? destroy_super_rcu+0x240/0x240 [ 39.577603] ? unregister_shrinker+0x1d1/0x300 [ 39.582151] ? perf_trace_mm_vmscan_writepage+0x790/0x790 [ 39.587655] ? down_write+0x87/0x120 [ 39.591341] kill_litter_super+0x72/0x90 [ 39.595367] deactivate_locked_super+0x88/0xd0 [ 39.599915] deactivate_super+0x141/0x1b0 [ 39.604029] ? __sb_start_write+0x290/0x290 [ 39.608320] cleanup_mnt+0xb2/0x150 [ 39.611912] __cleanup_mnt+0x16/0x20 [ 39.615592] task_work_run+0x199/0x270 [ 39.619448] ? task_work_cancel+0x210/0x210 [ 39.623734] ? free_nsproxy+0x185/0x1f0 [ 39.627672] ? switch_task_namespaces+0xa2/0xc0 [ 39.632319] do_exit+0x9bb/0x1ae0 [ 39.635738] ? check_noncircular+0x20/0x20 [ 39.639936] ? check_noncircular+0x20/0x20 [ 39.644136] ? mm_update_next_owner+0x930/0x930 [ 39.648778] ? check_noncircular+0x20/0x20 [ 39.652978] ? __d_instantiate+0xf8/0x710 [ 39.657091] ? check_noncircular+0x20/0x20 [ 39.661291] ? check_noncircular+0x20/0x20 [ 39.665491] ? do_raw_spin_trylock+0x190/0x190 [ 39.670038] ? find_held_lock+0x39/0x1d0 [ 39.674070] ? lock_downgrade+0x980/0x980 [ 39.678184] ? mnt_get_count+0x150/0x150 [ 39.682223] ? lock_release+0xda0/0xda0 [ 39.686172] ? lock_release+0xda0/0xda0 [ 39.690124] ? do_raw_spin_trylock+0x190/0x190 [ 39.694673] ? mntput_no_expire+0x15e/0xa90 [ 39.698962] ? mnt_get_count+0x150/0x150 [ 39.702991] ? dput.part.23+0x207/0x830 [ 39.706935] ? dentry_path_raw+0x30/0x30 [ 39.710965] ? mntput+0x66/0x90 [ 39.714215] do_group_exit+0x149/0x400 [ 39.718069] ? SyS_exit+0x30/0x30 [ 39.721486] ? trace_hardirqs_on_caller+0x421/0x5c0 [ 39.727512] ? trace_hardirqs_on_thunk+0x1a/0x1c [ 39.733711] SyS_exit_group+0x1d/0x20 [ 39.739385] entry_SYSCALL_64_fastpath+0x1f/0x96 [ 39.745408] RIP: 0033:0x440729 [ 39.749867] RSP: 002b:00007ffd090ef228 EFLAGS: 00000206 ORIG_RAX: 00000000000000e7 [ 39.758322] RAX: ffffffffffffffda RBX: 0030656c69662f2e RCX: 0000000000440729 [ 39.765556] RDX: 0000000000440729 RSI: 0000000000000000 RDI: 0000000000000001 [ 39.772792] RBP: 00000000006cb018 R08: 0000000000000000 R09: 00000000004002c8 [ 39.780037] R10: 0000000000000000 R11: 0000000000000206 R12: 0000000000401bf0 [ 39.787281] R13: 0000000000401c80 R14: 0000000000000000 R15: 0000000000000000 [ 39.794562] Dumping ftrace buffer: [ 39.798069] (ftrace buffer empty) [ 39.801747] Kernel Offset: disabled [ 39.805342] Rebooting in 86400 seconds..