[ ok ] Starting enhanced syslogd: rsyslogd. [ 39.036226] audit: type=1800 audit(1547223658.465:25): pid=7846 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="cron" dev="sda1" ino=2414 res=0 [ 39.064268] audit: type=1800 audit(1547223658.465:26): pid=7846 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="mcstrans" dev="sda1" ino=2457 res=0 [ 39.096133] audit: type=1800 audit(1547223658.465:27): pid=7846 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="restorecond" dev="sda1" ino=2436 res=0 [ ok ] Starting periodic command scheduler: cron. [ ok ] Starting OpenBSD Secure Shell server: sshd. Debian GNU/Linux 7 syzkaller ttyS0 syzkaller login: [ 44.490980] sshd (7983) used greatest stack depth: 19848 bytes left Warning: Permanently added '10.128.0.232' (ECDSA) to the list of known hosts. 
executing program executing program executing program executing program executing program executing program [ 51.212639] kauditd_printk_skb: 3 callbacks suppressed [ 51.212653] audit: type=1326 audit(1547223670.635:31): auid=4294967295 uid=0 gid=0 ses=4294967295 subj==unconfined pid=8007 comm="syz-executor281" exe="/root/syz-executor281640552" sig=31 arch=c000003e syscall=202 compat=0 ip=0x446349 code=0x0 executing program executing program executing program executing program executing program [ 51.243261] audit: type=1326 audit(1547223670.645:32): auid=4294967295 uid=0 gid=0 ses=4294967295 subj==unconfined pid=8000 comm="syz-executor281" exe="/root/syz-executor281640552" sig=31 arch=c000003e syscall=202 compat=0 ip=0x446349 code=0x0 [ 51.267688] audit: type=1326 audit(1547223670.665:33): auid=4294967295 uid=0 gid=0 ses=4294967295 subj==unconfined pid=8008 comm="syz-executor281" exe="/root/syz-executor281640552" sig=31 arch=c000003e syscall=202 compat=0 ip=0x446349 code=0x0 executing program executing program executing program [ 51.301044] audit: type=1326 audit(1547223670.665:34): auid=4294967295 uid=0 gid=0 ses=4294967295 subj==unconfined pid=8006 comm="syz-executor281" exe="/root/syz-executor281640552" sig=31 arch=c000003e syscall=202 compat=0 ip=0x446349 code=0x0 [ 51.323762] audit: type=1326 audit(1547223670.695:35): auid=4294967295 uid=0 gid=0 ses=4294967295 subj==unconfined pid=8000 comm="syz-executor281" exe="/root/syz-executor281640552" sig=31 arch=c000003e syscall=3 compat=0 ip=0x405451 code=0x0 executing program executing program executing program [ 51.347229] audit: type=1326 audit(1547223670.695:36): auid=4294967295 uid=0 gid=0 ses=4294967295 subj==unconfined pid=8007 comm="syz-executor281" exe="/root/syz-executor281640552" sig=31 arch=c000003e syscall=3 compat=0 ip=0x405451 code=0x0 [ 51.379204] audit: type=1326 audit(1547223670.715:37): auid=4294967295 uid=0 gid=0 ses=4294967295 subj==unconfined pid=8011 comm="syz-executor281" 
exe="/root/syz-executor281640552" sig=31 arch=c000003e syscall=202 compat=0 ip=0x446349 code=0x0 executing program executing program executing program executing program executing program executing program [ 51.403015] audit: type=1326 audit(1547223670.715:38): auid=4294967295 uid=0 gid=0 ses=4294967295 subj==unconfined pid=8008 comm="syz-executor281" exe="/root/syz-executor281640552" sig=31 arch=c000003e syscall=3 compat=0 ip=0x405451 code=0x0 [ 51.437680] audit: type=1326 audit(1547223670.715:39): auid=4294967295 uid=0 gid=0 ses=4294967295 subj==unconfined pid=8006 comm="syz-executor281" exe="/root/syz-executor281640552" sig=31 arch=c000003e syscall=3 compat=0 ip=0x405451 code=0x0 [ 51.459928] audit: type=1326 audit(1547223670.715:40): auid=4294967295 uid=0 gid=0 ses=4294967295 subj==unconfined pid=8011 comm="syz-executor281" exe="/root/syz-executor281640552" sig=31 arch=c000003e syscall=3 compat=0 ip=0x405451 code=0x0 [ 51.485762] ================================================================== [ 51.493142] BUG: KASAN: use-after-free in __lock_acquire+0x3556/0x4a30 [ 51.499798] Read of size 8 at addr ffff8880a64f2880 by task syz-executor281/8041 [ 51.507310] [ 51.508930] CPU: 1 PID: 8041 Comm: syz-executor281 Not tainted 5.0.0-rc1+ #19 [ 51.516185] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 51.525519] Call Trace: [ 51.528113] dump_stack+0x1db/0x2d0 [ 51.531738] ? dump_stack_print_info.cold+0x20/0x20 [ 51.536750] ? mark_held_locks+0x100/0x100 [ 51.541021] ? __lock_acquire+0x3556/0x4a30 [ 51.545356] print_address_description.cold+0x7c/0x20d [ 51.550627] ? __lock_acquire+0x3556/0x4a30 [ 51.554958] ? __lock_acquire+0x3556/0x4a30 [ 51.559277] kasan_report.cold+0x1b/0x40 [ 51.563332] ? __lock_acquire+0x3556/0x4a30 [ 51.567649] __asan_report_load8_noabort+0x14/0x20 [ 51.572586] __lock_acquire+0x3556/0x4a30 [ 51.576729] ? lock_acquire+0x1db/0x570 [ 51.580699] ? _raw_spin_unlock_irqrestore+0x6b/0xe0 [ 51.585796] ? 
_raw_spin_unlock_irqrestore+0x6b/0xe0 [ 51.590890] ? lockdep_hardirqs_on+0x415/0x5d0 [ 51.595474] ? mark_held_locks+0x100/0x100 [ 51.599709] ? _raw_spin_unlock_irqrestore+0xa4/0xe0 [ 51.604833] ? __free_object+0x16c/0x350 [ 51.608898] ? debug_object_free+0x2ab/0x5f0 [ 51.613299] ? __list_del_entry_valid.cold+0x4f/0x4f [ 51.618395] ? do_raw_spin_trylock+0x270/0x270 [ 51.622981] ? debug_object_free+0x2b3/0x5f0 [ 51.627401] ? debug_object_destroy+0x250/0x250 [ 51.632065] lock_acquire+0x1db/0x570 [ 51.635857] ? seccomp_notify_release+0x54/0x270 [ 51.640620] ? ___might_sleep+0x1e7/0x310 [ 51.644769] ? lock_release+0xc40/0xc40 [ 51.648738] ? seccomp_notify_release+0x54/0x270 [ 51.653490] ? seccomp_notify_release+0x54/0x270 [ 51.658249] __mutex_lock+0x12f/0x1670 [ 51.662128] ? seccomp_notify_release+0x54/0x270 [ 51.666876] ? seccomp_notify_release+0x54/0x270 [ 51.671639] ? __lock_acquire+0x572/0x4a30 [ 51.675885] ? mutex_trylock+0x2d0/0x2d0 [ 51.679943] ? mark_held_locks+0x100/0x100 [ 51.684169] ? find_held_lock+0x35/0x120 [ 51.688239] ? __sanitizer_cov_trace_const_cmp8+0x18/0x20 [ 51.693787] ? locks_remove_posix+0x488/0x860 [ 51.698272] ? mark_held_locks+0x100/0x100 [ 51.702515] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 51.708059] ? fsnotify+0x4f5/0xed0 [ 51.711683] ? __sanitizer_cov_trace_const_cmp8+0x18/0x20 [ 51.717210] ? locks_remove_file+0x3d5/0x5c0 [ 51.721607] ? __sanitizer_cov_trace_const_cmp2+0x18/0x20 [ 51.727139] ? ima_file_free+0x128/0x630 [ 51.731191] ? fcntl_setlk+0xfe0/0xfe0 [ 51.735076] mutex_lock_nested+0x16/0x20 [ 51.739127] ? mutex_lock_nested+0x16/0x20 [ 51.743354] seccomp_notify_release+0x54/0x270 [ 51.747931] __fput+0x3c5/0xb10 [ 51.751201] ? get_nth_filter.part.0+0x1d0/0x1d0 [ 51.755963] ? get_max_files+0x20/0x20 [ 51.759844] ? task_work_run+0x1bb/0x2b0 [ 51.763914] ? trace_hardirqs_off_caller+0x300/0x300 [ 51.769023] ? do_raw_spin_trylock+0x270/0x270 [ 51.773596] ? 
__sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 51.779143] ____fput+0x16/0x20 [ 51.782411] task_work_run+0x1f4/0x2b0 [ 51.786318] ? task_work_cancel+0x2c0/0x2c0 [ 51.790633] ? __close_fd+0x25f/0x3d0 [ 51.794423] ? do_syscall_64+0x8c/0x800 [ 51.798394] exit_to_usermode_loop+0x32a/0x3b0 [ 51.802974] ? entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 51.808330] ? syscall_trace_enter+0x12a0/0x12a0 [ 51.813076] ? trace_hardirqs_on_thunk+0x1a/0x1c [ 51.817842] do_syscall_64+0x696/0x800 [ 51.821722] ? syscall_return_slowpath+0x5f0/0x5f0 [ 51.826646] ? prepare_exit_to_usermode+0x232/0x3b0 [ 51.831658] ? trace_hardirqs_off_thunk+0x1a/0x1c [ 51.836498] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 51.841677] RIP: 0033:0x405451 [ 51.844860] Code: 75 14 b8 03 00 00 00 0f 05 48 3d 01 f0 ff ff 0f 83 94 17 00 00 c3 48 83 ec 08 e8 6a fc ff ff 48 89 04 24 b8 03 00 00 00 0f 05 <48> 8b 3c 24 48 89 c2 e8 b3 fc ff ff 48 89 d0 48 83 c4 08 48 3d 01 [ 51.863768] RSP: 002b:00007ffc796c4320 EFLAGS: 00000293 ORIG_RAX: 0000000000000003 [ 51.871470] RAX: 0000000000000000 RBX: 0000000000000003 RCX: 0000000000405451 [ 51.878730] RDX: 0000000000000000 RSI: 0000000000000080 RDI: 0000000000000003 [ 51.885994] RBP: 00000000000003e8 R08: 00000000000003e8 R09: 0000000000000000 [ 51.893268] R10: 00007ffc796c4330 R11: 0000000000000293 R12: 00000000006dac3c [ 51.900529] R13: 0000000000000002 R14: 000000000000002d R15: 00000000006dac30 [ 51.907796] [ 51.909428] Allocated by task 8051: [ 51.913044] save_stack+0x45/0xd0 [ 51.916496] __kasan_kmalloc.constprop.0+0xcf/0xe0 [ 51.921413] kasan_kmalloc+0x9/0x10 [ 51.925291] kmem_cache_alloc_trace+0x151/0x760 [ 51.929949] do_seccomp+0x941/0x2cc0 [ 51.933674] __x64_sys_seccomp+0x73/0xb0 [ 51.937724] do_syscall_64+0x1a3/0x800 [ 51.941618] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 51.946791] [ 51.948408] Freed by task 8051: [ 51.951678] save_stack+0x45/0xd0 [ 51.955123] __kasan_slab_free+0x102/0x150 [ 51.959349] kasan_slab_free+0xe/0x10 [ 51.963139] kfree+0xcf/0x230 [ 
51.966230] do_seccomp+0xda3/0x2cc0 [ 51.969929] __x64_sys_seccomp+0x73/0xb0 [ 51.973982] do_syscall_64+0x1a3/0x800 [ 51.977876] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 51.983046] [ 51.984669] The buggy address belongs to the object at ffff8880a64f2800 [ 51.984669] which belongs to the cache kmalloc-192 of size 192 [ 51.997317] The buggy address is located 128 bytes inside of [ 51.997317] 192-byte region [ffff8880a64f2800, ffff8880a64f28c0) [ 52.009176] The buggy address belongs to the page: [ 52.014096] page:ffffea0002993c80 count:1 mapcount:0 mapping:ffff88812c3f0040 index:0x0 [ 52.022226] flags: 0x1fffc0000000200(slab) [ 52.026455] raw: 01fffc0000000200 ffffea00029ebe08 ffffea00029ec188 ffff88812c3f0040 [ 52.034336] raw: 0000000000000000 ffff8880a64f2000 0000000100000010 0000000000000000 [ 52.042199] page dumped because: kasan: bad access detected [ 52.047890] [ 52.049520] Memory state around the buggy address: [ 52.054896] ffff8880a64f2780: 00 00 00 00 00 00 fc fc fc fc fc fc fc fc fc fc [ 52.062243] ffff8880a64f2800: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 52.069591] >ffff8880a64f2880: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc [ 52.076951] ^ [ 52.080309] ffff8880a64f2900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 52.087657] ffff8880a64f2980: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc [ 52.095001] ================================================================== [ 52.102392] Disabling lock debugging due to kernel taint [ 52.107827] Kernel panic - not syncing: panic_on_warn set ... [ 52.113707] CPU: 1 PID: 8041 Comm: syz-executor281 Tainted: G B 5.0.0-rc1+ #19 [ 52.122366] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 52.131706] Call Trace: [ 52.134283] dump_stack+0x1db/0x2d0 [ 52.137905] ? dump_stack_print_info.cold+0x20/0x20 [ 52.142920] panic+0x2cb/0x65c [ 52.146121] ? add_taint.cold+0x16/0x16 [ 52.150084] ? kasan_check_read+0x11/0x20 [ 52.154252] ? 
trace_hardirqs_on_caller+0x310/0x310 [ 52.159275] ? do_raw_spin_trylock+0x270/0x270 [ 52.163852] ? add_taint.cold+0x5/0x16 [ 52.167731] ? trace_hardirqs_off+0xaf/0x310 [ 52.172180] ? __lock_acquire+0x3556/0x4a30 [ 52.176497] end_report+0x47/0x4f [ 52.179941] ? __lock_acquire+0x3556/0x4a30 [ 52.184257] kasan_report.cold+0xe/0x40 [ 52.188224] ? __lock_acquire+0x3556/0x4a30 [ 52.192556] __asan_report_load8_noabort+0x14/0x20 [ 52.197564] __lock_acquire+0x3556/0x4a30 [ 52.201704] ? lock_acquire+0x1db/0x570 [ 52.205676] ? _raw_spin_unlock_irqrestore+0x6b/0xe0 [ 52.210773] ? _raw_spin_unlock_irqrestore+0x6b/0xe0 [ 52.215866] ? lockdep_hardirqs_on+0x415/0x5d0 [ 52.220441] ? mark_held_locks+0x100/0x100 [ 52.224683] ? _raw_spin_unlock_irqrestore+0xa4/0xe0 [ 52.229780] ? __free_object+0x16c/0x350 [ 52.233846] ? debug_object_free+0x2ab/0x5f0 [ 52.238266] ? __list_del_entry_valid.cold+0x4f/0x4f [ 52.243362] ? do_raw_spin_trylock+0x270/0x270 [ 52.247944] ? debug_object_free+0x2b3/0x5f0 [ 52.252348] ? debug_object_destroy+0x250/0x250 [ 52.257010] lock_acquire+0x1db/0x570 [ 52.260843] ? seccomp_notify_release+0x54/0x270 [ 52.265605] ? ___might_sleep+0x1e7/0x310 [ 52.269746] ? lock_release+0xc40/0xc40 [ 52.273716] ? seccomp_notify_release+0x54/0x270 [ 52.278472] ? seccomp_notify_release+0x54/0x270 [ 52.283218] __mutex_lock+0x12f/0x1670 [ 52.287094] ? seccomp_notify_release+0x54/0x270 [ 52.291854] ? seccomp_notify_release+0x54/0x270 [ 52.296603] ? __lock_acquire+0x572/0x4a30 [ 52.300850] ? mutex_trylock+0x2d0/0x2d0 [ 52.304911] ? mark_held_locks+0x100/0x100 [ 52.309163] ? find_held_lock+0x35/0x120 [ 52.313234] ? __sanitizer_cov_trace_const_cmp8+0x18/0x20 [ 52.318760] ? locks_remove_posix+0x488/0x860 [ 52.323262] ? mark_held_locks+0x100/0x100 [ 52.327495] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 52.333021] ? fsnotify+0x4f5/0xed0 [ 52.336656] ? __sanitizer_cov_trace_const_cmp8+0x18/0x20 [ 52.342185] ? locks_remove_file+0x3d5/0x5c0 [ 52.346608] ? 
__sanitizer_cov_trace_const_cmp2+0x18/0x20 [ 52.352141] ? ima_file_free+0x128/0x630 [ 52.356192] ? fcntl_setlk+0xfe0/0xfe0 [ 52.360089] mutex_lock_nested+0x16/0x20 [ 52.364141] ? mutex_lock_nested+0x16/0x20 [ 52.368370] seccomp_notify_release+0x54/0x270 [ 52.372948] __fput+0x3c5/0xb10 [ 52.376253] ? get_nth_filter.part.0+0x1d0/0x1d0 [ 52.381017] ? get_max_files+0x20/0x20 [ 52.384896] ? task_work_run+0x1bb/0x2b0 [ 52.388944] ? trace_hardirqs_off_caller+0x300/0x300 [ 52.394040] ? do_raw_spin_trylock+0x270/0x270 [ 52.398613] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 52.404141] ____fput+0x16/0x20 [ 52.407441] task_work_run+0x1f4/0x2b0 [ 52.411327] ? task_work_cancel+0x2c0/0x2c0 [ 52.415643] ? __close_fd+0x25f/0x3d0 [ 52.419435] ? do_syscall_64+0x8c/0x800 [ 52.423407] exit_to_usermode_loop+0x32a/0x3b0 [ 52.427987] ? entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 52.433343] ? syscall_trace_enter+0x12a0/0x12a0 [ 52.438094] ? trace_hardirqs_on_thunk+0x1a/0x1c [ 52.442844] do_syscall_64+0x696/0x800 [ 52.446726] ? syscall_return_slowpath+0x5f0/0x5f0 [ 52.451647] ? prepare_exit_to_usermode+0x232/0x3b0 [ 52.456660] ? 
trace_hardirqs_off_thunk+0x1a/0x1c [ 52.461503] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 52.466684] RIP: 0033:0x405451 [ 52.469867] Code: 75 14 b8 03 00 00 00 0f 05 48 3d 01 f0 ff ff 0f 83 94 17 00 00 c3 48 83 ec 08 e8 6a fc ff ff 48 89 04 24 b8 03 00 00 00 0f 05 <48> 8b 3c 24 48 89 c2 e8 b3 fc ff ff 48 89 d0 48 83 c4 08 48 3d 01 [ 52.488773] RSP: 002b:00007ffc796c4320 EFLAGS: 00000293 ORIG_RAX: 0000000000000003 [ 52.496489] RAX: 0000000000000000 RBX: 0000000000000003 RCX: 0000000000405451 [ 52.503765] RDX: 0000000000000000 RSI: 0000000000000080 RDI: 0000000000000003 [ 52.511039] RBP: 00000000000003e8 R08: 00000000000003e8 R09: 0000000000000000 [ 52.518327] R10: 00007ffc796c4330 R11: 0000000000000293 R12: 00000000006dac3c [ 52.525595] R13: 0000000000000002 R14: 000000000000002d R15: 00000000006dac30 [ 52.533792] Kernel Offset: disabled [ 52.537411] Rebooting in 86400 seconds..