[ 46.698886] audit: type=1800 audit(1550506876.125:29): pid=8052 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:kernel_t:s0 op=collect_data cause=failed(directio) comm="startpar" name="cron" dev="sda1" ino=2414 res=0
[ 46.735658] audit: type=1800 audit(1550506876.125:30): pid=8052 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:kernel_t:s0 op=collect_data cause=failed(directio) comm="startpar" name="mcstrans" dev="sda1" ino=2457 res=0
[ ok ] Starting periodic command scheduler: cron.
Starting mcstransd:
[ ok ] Starting file context maintaining daemon: restorecond.
[ ok ] Starting OpenBSD Secure Shell server: sshd.
Debian GNU/Linux 7 syzkaller ttyS0
Warning: Permanently added '10.128.0.162' (ECDSA) to the list of known hosts.
syzkaller login: [ 70.773488] kauditd_printk_skb: 5 callbacks suppressed
[ 70.773498] audit: type=1400 audit(1550506900.205:36): avc: denied { map } for pid=8238 comm="syz-execprog" path="/root/syz-execprog" dev="sda1" ino=16481 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
2019/02/18 16:21:40 parsed 1 programs
[ 71.554030] audit: type=1400 audit(1550506900.985:37): avc: denied { map } for pid=8238 comm="syz-execprog" path="/sys/kernel/debug/kcov" dev="debugfs" ino=48 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:debugfs_t:s0 tclass=file permissive=1
2019/02/18 16:21:42 executed programs: 0
[ 73.411532] IPVS: ftp: loaded support on port[0] = 21
[ 73.475474] chnl_net:caif_netlink_parms(): no params data found
[ 73.508845] bridge0: port 1(bridge_slave_0) entered blocking state
[ 73.515669] bridge0: port 1(bridge_slave_0) entered disabled state
[ 73.522784] device bridge_slave_0 entered promiscuous mode
[ 73.529891] bridge0: port 2(bridge_slave_1) entered blocking state
[ 73.536609] bridge0: port 2(bridge_slave_1) entered disabled state
[ 73.543677] device bridge_slave_1 entered promiscuous mode
[ 73.559986] bond0: Enslaving bond_slave_0 as an active interface with an up link
[ 73.569449] bond0: Enslaving bond_slave_1 as an active interface with an up link
[ 73.587602] team0: Port device team_slave_0 added
[ 73.593964] team0: Port device team_slave_1 added
[ 73.662623] device hsr_slave_0 entered promiscuous mode
[ 73.730896] device hsr_slave_1 entered promiscuous mode
[ 73.818816] bridge0: port 2(bridge_slave_1) entered blocking state
[ 73.825277] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 73.832311] bridge0: port 1(bridge_slave_0) entered blocking state
[ 73.838778] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 73.872419] 8021q: adding VLAN 0 to HW filter on device bond0
[ 73.882880] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 73.903090] bridge0: port 1(bridge_slave_0) entered disabled state
[ 73.910328] bridge0: port 2(bridge_slave_1) entered disabled state
[ 73.917977] IPv6: ADDRCONF(NETDEV_CHANGE): bond0: link becomes ready
[ 73.928575] 8021q: adding VLAN 0 to HW filter on device team0
[ 73.937660] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[ 73.945588] bridge0: port 1(bridge_slave_0) entered blocking state
[ 73.954732] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 73.972193] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[ 73.979728] bridge0: port 2(bridge_slave_1) entered blocking state
[ 73.986097] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 73.993971] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready
[ 74.001610] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready
[ 74.009320] IPv6: ADDRCONF(NETDEV_CHANGE): team0: link becomes ready
[ 74.019036] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
[ 74.028672] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
[ 74.037593] IPv6: ADDRCONF(NETDEV_CHANGE): hsr0: link becomes ready
[ 74.053543] 8021q: adding VLAN 0 to HW filter on device batadv0
[ 74.064019] audit: type=1400 audit(1550506903.495:38): avc: denied { associate } for pid=8252 comm="syz-executor.0" name="syz0" scontext=unconfined_u:object_r:unlabeled_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=filesystem permissive=1
[ 75.899586]
[ 75.901545] =====================================
[ 75.906454] WARNING: bad unlock balance detected!
[ 75.911288] 5.0.0-rc6+ #76 Not tainted
[ 75.915147] -------------------------------------
[ 75.919970] syz-executor.0/8871 is trying to release lock (&file->mut) at:
[ 75.926982] [] ucma_destroy_id+0x24c/0x4a0
[ 75.932755] but there are no more locks to release!
[ 75.937742]
[ 75.937742] other info that might help us debug this:
[ 75.944396] 1 lock held by syz-executor.0/8871:
[ 75.949137]  #0: 00000000808e5c33 (&file->mut){+.+.}, at: ucma_destroy_id+0x1e9/0x4a0
[ 75.957213]
[ 75.957213] stack backtrace:
[ 75.961688] CPU: 1 PID: 8871 Comm: syz-executor.0 Not tainted 5.0.0-rc6+ #76
[ 75.968848] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 75.978177] Call Trace:
[ 75.980746]  dump_stack+0x172/0x1f0
[ 75.984351]  ? ucma_destroy_id+0x24c/0x4a0
[ 75.988574]  print_unlock_imbalance_bug.cold+0x114/0x123
[ 75.994005]  ? ucma_destroy_id+0x24c/0x4a0
[ 75.998225]  lock_release+0x67e/0xa00
[ 76.002111]  ? lock_downgrade+0x810/0x810
[ 76.006246]  ? mutex_trylock+0x1e0/0x1e0
[ 76.010288]  __mutex_unlock_slowpath+0x8e/0x6b0
[ 76.014937]  ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20
[ 76.020456]  ? wait_for_completion+0x440/0x440
[ 76.025024]  mutex_unlock+0xd/0x10
[ 76.028547]  ucma_destroy_id+0x24c/0x4a0
[ 76.032588]  ? ucma_close+0x320/0x320
[ 76.036370]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[ 76.041896]  ? _copy_from_user+0xdd/0x150
[ 76.046055]  ucma_write+0x2da/0x3c0
[ 76.049677]  ? ucma_close+0x320/0x320
[ 76.053457]  ? ucma_open+0x290/0x290
[ 76.057263]  __vfs_write+0x116/0x8e0
[ 76.061129]  ? ucma_open+0x290/0x290
[ 76.064822]  ? kernel_read+0x120/0x120
[ 76.068721]  ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20
[ 76.074253]  ? __inode_security_revalidate+0xda/0x120
[ 76.080834]  ? avc_policy_seqno+0xd/0x70
[ 76.084891]  ? __sanitizer_cov_trace_cmp4+0x16/0x20
[ 76.089904]  ? selinux_file_permission+0x92/0x550
[ 76.094759]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 76.100299]  ? security_file_permission+0x94/0x320
[ 76.105254]  ? rw_verify_area+0x118/0x360
[ 76.109395]  vfs_write+0x20c/0x580
[ 76.112926]  ksys_write+0xea/0x1f0
[ 76.116455]  ? __ia32_sys_read+0xb0/0xb0
[ 76.120502]  ? do_syscall_64+0x26/0x610
[ 76.124476]  ? entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 76.129835]  ? do_syscall_64+0x26/0x610
[ 76.133800]  __x64_sys_write+0x73/0xb0
[ 76.137685]  do_syscall_64+0x103/0x610
[ 76.141557]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 76.146746] RIP: 0033:0x457e29
[ 76.149922] Code: ad b8 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 7b b8 fb ff c3 66 2e 0f 1f 84 00 00 00 00
[ 76.168817] RSP: 002b:00007fa7ac1e7c78 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
[ 76.176520] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000000457e29
[ 76.183797] RDX: 0000000000000018 RSI: 0000000020000180 RDI: 0000000000000005
[ 76.191045] RBP: 000000000073bfa0 R08: 0000000000000000 R09: 0000000000000000
[ 76.198292] R10: 0000000000000000 R11: 0000000000000246 R12: 00007fa7ac1e86d4
[ 76.205554] R13: 00000000004cd790 R14: 00000000004dc9d0 R15: 00000000ffffffff
[ 76.215159] ==================================================================
[ 76.222536] BUG: KASAN: use-after-free in ucma_destroy_id+0x44c/0x4a0
[ 76.229095] Read of size 8 at addr ffff888093cda928 by task syz-executor.0/8871
[ 76.237210]
[ 76.238839] CPU: 1 PID: 8871 Comm: syz-executor.0 Not tainted 5.0.0-rc6+ #76
[ 76.246002] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 76.255335] Call Trace:
[ 76.257904]  dump_stack+0x172/0x1f0
[ 76.261555]  ? ucma_destroy_id+0x44c/0x4a0
[ 76.265818]  print_address_description.cold+0x7c/0x20d
[ 76.271109]  ? ucma_destroy_id+0x44c/0x4a0
[ 76.275326]  ? ucma_destroy_id+0x44c/0x4a0
[ 76.279544]  kasan_report.cold+0x1b/0x40
[ 76.283589]  ? ucma_destroy_id+0x44c/0x4a0
[ 76.287808]  __asan_report_load8_noabort+0x14/0x20
[ 76.292722]  ucma_destroy_id+0x44c/0x4a0
[ 76.296792]  ? ucma_close+0x320/0x320
[ 76.300586]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[ 76.306111]  ? _copy_from_user+0xdd/0x150
[ 76.310245]  ucma_write+0x2da/0x3c0
[ 76.313854]  ? ucma_close+0x320/0x320
[ 76.317663]  ? ucma_open+0x290/0x290
[ 76.321374]  __vfs_write+0x116/0x8e0
[ 76.325076]  ? ucma_open+0x290/0x290
[ 76.328779]  ? kernel_read+0x120/0x120
[ 76.332651]  ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20
[ 76.338173]  ? __inode_security_revalidate+0xda/0x120
[ 76.343363]  ? avc_policy_seqno+0xd/0x70
[ 76.347405]  ? __sanitizer_cov_trace_cmp4+0x16/0x20
[ 76.352414]  ? selinux_file_permission+0x92/0x550
[ 76.357238]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 76.362757]  ? security_file_permission+0x94/0x320
[ 76.367685]  ? rw_verify_area+0x118/0x360
[ 76.371833]  vfs_write+0x20c/0x580
[ 76.375371]  ksys_write+0xea/0x1f0
[ 76.378894]  ? __ia32_sys_read+0xb0/0xb0
[ 76.382938]  ? do_syscall_64+0x26/0x610
[ 76.386911]  ? entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 76.392274]  ? do_syscall_64+0x26/0x610
[ 76.396232]  __x64_sys_write+0x73/0xb0
[ 76.400105]  do_syscall_64+0x103/0x610
[ 76.403976]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 76.409144] RIP: 0033:0x457e29
[ 76.412330] Code: ad b8 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 7b b8 fb ff c3 66 2e 0f 1f 84 00 00 00 00
[ 76.431226] RSP: 002b:00007fa7ac1e7c78 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
[ 76.438953] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000000457e29
[ 76.446224] RDX: 0000000000000018 RSI: 0000000020000180 RDI: 0000000000000005
[ 76.453483] RBP: 000000000073bfa0 R08: 0000000000000000 R09: 0000000000000000
[ 76.460731] R10: 0000000000000000 R11: 0000000000000246 R12: 00007fa7ac1e86d4
[ 76.467980] R13: 00000000004cd790 R14: 00000000004dc9d0 R15: 00000000ffffffff
[ 76.475234]
[ 76.476841] Allocated by task 8867:
[ 76.480454]  save_stack+0x45/0xd0
[ 76.483893]  __kasan_kmalloc.constprop.0+0xcf/0xe0
[ 76.488803]  kasan_kmalloc+0x9/0x10
[ 76.492438]  kmem_cache_alloc_trace+0x151/0x760
[ 76.497097]  ucma_alloc_ctx+0x4e/0x4e0
[ 76.500970]  ucma_create_id+0x12d/0x640
[ 76.504926]  ucma_write+0x2da/0x3c0
[ 76.508549]  __vfs_write+0x116/0x8e0
[ 76.512282]  vfs_write+0x20c/0x580
[ 76.515813]  ksys_write+0xea/0x1f0
[ 76.519334]  __x64_sys_write+0x73/0xb0
[ 76.523203]  do_syscall_64+0x103/0x610
[ 76.527073]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 76.532236]
[ 76.533875] Freed by task 8866:
[ 76.537139]  save_stack+0x45/0xd0
[ 76.540585]  __kasan_slab_free+0x102/0x150
[ 76.544830]  kasan_slab_free+0xe/0x10
[ 76.548616]  kfree+0xcf/0x230
[ 76.551705]  ucma_free_ctx+0x801/0xb90
[ 76.555596]  ucma_close+0x122/0x320
[ 76.559230]  __fput+0x2df/0x8d0
[ 76.562510]  ____fput+0x16/0x20
[ 76.565772]  task_work_run+0x14a/0x1c0
[ 76.569641]  exit_to_usermode_loop+0x273/0x2c0
[ 76.574204]  do_syscall_64+0x52d/0x610
[ 76.578079]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 76.583240]
[ 76.584851] The buggy address belongs to the object at ffff888093cda8c0
[ 76.584851]  which belongs to the cache kmalloc-256 of size 256
[ 76.597486] The buggy address is located 104 bytes inside of
[ 76.597486]  256-byte region [ffff888093cda8c0, ffff888093cda9c0)
[ 76.609334] The buggy address belongs to the page:
[ 76.614245] page:ffffea00024f3680 count:1 mapcount:0 mapping:ffff88812c3f07c0 index:0x0
[ 76.622379] flags: 0x1fffc0000000200(slab)
[ 76.626628] raw: 01fffc0000000200 ffffea0002062a08 ffff88812c3f1648 ffff88812c3f07c0
[ 76.634525] raw: 0000000000000000 ffff888093cda000 000000010000000c 0000000000000000
[ 76.642397] page dumped because: kasan: bad access detected
[ 76.648102]
[ 76.649714] Memory state around the buggy address:
[ 76.654622]  ffff888093cda800: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 76.661991]  ffff888093cda880: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
[ 76.669333] >ffff888093cda900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 76.676671]                                   ^
[ 76.681323]  ffff888093cda980: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 76.688665]  ffff888093cdaa00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 76.696000] ==================================================================
[ 76.704757] Kernel panic - not syncing: panic_on_warn set ...
[ 76.710657] CPU: 1 PID: 8871 Comm: syz-executor.0 Tainted: G    B             5.0.0-rc6+ #76
[ 76.719221] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 76.728561] Call Trace:
[ 76.731133]  dump_stack+0x172/0x1f0
[ 76.734776]  panic+0x2cb/0x65c
[ 76.737971]  ? __warn_printk+0xf3/0xf3
[ 76.741854]  ? ucma_destroy_id+0x44c/0x4a0
[ 76.746074]  ? preempt_schedule+0x4b/0x60
[ 76.750204]  ? ___preempt_schedule+0x16/0x18
[ 76.754600]  ? trace_hardirqs_on+0x5e/0x230
[ 76.758911]  ? ucma_destroy_id+0x44c/0x4a0
[ 76.763399]  end_report+0x47/0x4f
[ 76.766836]  ? ucma_destroy_id+0x44c/0x4a0
[ 76.771109]  kasan_report.cold+0xe/0x40
[ 76.775068]  ? ucma_destroy_id+0x44c/0x4a0
[ 76.779286]  __asan_report_load8_noabort+0x14/0x20
[ 76.784221]  ucma_destroy_id+0x44c/0x4a0
[ 76.788267]  ? ucma_close+0x320/0x320
[ 76.792051]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[ 76.797611]  ? _copy_from_user+0xdd/0x150
[ 76.801763]  ucma_write+0x2da/0x3c0
[ 76.805373]  ? ucma_close+0x320/0x320
[ 76.809155]  ? ucma_open+0x290/0x290
[ 76.812852]  __vfs_write+0x116/0x8e0
[ 76.816547]  ? ucma_open+0x290/0x290
[ 76.820240]  ? kernel_read+0x120/0x120
[ 76.824110]  ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20
[ 76.829634]  ? __inode_security_revalidate+0xda/0x120
[ 76.834811]  ? avc_policy_seqno+0xd/0x70
[ 76.838875]  ? __sanitizer_cov_trace_cmp4+0x16/0x20
[ 76.843883]  ? selinux_file_permission+0x92/0x550
[ 76.848712]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 76.854235]  ? security_file_permission+0x94/0x320
[ 76.859149]  ? rw_verify_area+0x118/0x360
[ 76.863277]  vfs_write+0x20c/0x580
[ 76.866799]  ksys_write+0xea/0x1f0
[ 76.870322]  ? __ia32_sys_read+0xb0/0xb0
[ 76.874385]  ? do_syscall_64+0x26/0x610
[ 76.878385]  ? entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 76.883745]  ? do_syscall_64+0x26/0x610
[ 76.887708]  __x64_sys_write+0x73/0xb0
[ 76.891591]  do_syscall_64+0x103/0x610
[ 76.895463]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 76.900653] RIP: 0033:0x457e29
[ 76.903827] Code: ad b8 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 7b b8 fb ff c3 66 2e 0f 1f 84 00 00 00 00
[ 76.922713] RSP: 002b:00007fa7ac1e7c78 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
[ 76.930402] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000000457e29
[ 76.937652] RDX: 0000000000000018 RSI: 0000000020000180 RDI: 0000000000000005
[ 76.944900] RBP: 000000000073bfa0 R08: 0000000000000000 R09: 0000000000000000
[ 76.952147] R10: 0000000000000000 R11: 0000000000000246 R12: 00007fa7ac1e86d4
[ 76.959395] R13: 00000000004cd790 R14: 00000000004dc9d0 R15: 00000000ffffffff
[ 76.967573] Kernel Offset: disabled
[ 76.971195] Rebooting in 86400 seconds..