Starting mcstransd:
[ ok ] Starting periodic command scheduler: cron.
[ 49.722758] sshd (8410) used greatest stack depth: 19480 bytes left
[ ok ] Starting file context maintaining daemon: restorecond.
[ ok ] Starting OpenBSD Secure Shell server: sshd.

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login:
[ 55.181528] kauditd_printk_skb: 4 callbacks suppressed
[ 55.181544] audit: type=1400 audit(1547897041.716:35): avc: denied { map } for pid=8524 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
Warning: Permanently added '10.128.10.11' (ECDSA) to the list of known hosts.
[ 61.977218] audit: type=1400 audit(1547897048.516:36): avc: denied { map } for pid=8536 comm="syz-execprog" path="/root/syz-execprog" dev="sda1" ino=16482 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
2019/01/19 11:24:09 parsed 1 programs
[ 62.768966] audit: type=1400 audit(1547897049.306:37): avc: denied { map } for pid=8536 comm="syz-execprog" path="/sys/kernel/debug/kcov" dev="debugfs" ino=14817 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:debugfs_t:s0 tclass=file permissive=1
2019/01/19 11:24:10 executed programs: 0
[ 64.405346] IPVS: ftp: loaded support on port[0] = 21
[ 64.465090] chnl_net:caif_netlink_parms(): no params data found
[ 64.495300] bridge0: port 1(bridge_slave_0) entered blocking state
[ 64.503502] bridge0: port 1(bridge_slave_0) entered disabled state
[ 64.510684] device bridge_slave_0 entered promiscuous mode
[ 64.517942] bridge0: port 2(bridge_slave_1) entered blocking state
[ 64.524354] bridge0: port 2(bridge_slave_1) entered disabled state
[ 64.531232] device bridge_slave_1 entered promiscuous mode
[ 64.546737] bond0: Enslaving bond_slave_0 as an active interface with an up link
[ 64.555634] bond0: Enslaving bond_slave_1 as an active interface with an up link
[ 64.573509] IPv6: ADDRCONF(NETDEV_UP): team_slave_0: link is not ready
[ 64.581051] team0: Port device team_slave_0 added
[ 64.586849] IPv6: ADDRCONF(NETDEV_UP): team_slave_1: link is not ready
[ 64.594040] team0: Port device team_slave_1 added
[ 64.599324] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_0: link is not ready
[ 64.606814] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_1: link is not ready
[ 64.673614] device hsr_slave_0 entered promiscuous mode
[ 64.722262] device hsr_slave_1 entered promiscuous mode
[ 64.782058] IPv6: ADDRCONF(NETDEV_UP): hsr_slave_0: link is not ready
[ 64.789044] IPv6: ADDRCONF(NETDEV_UP): hsr_slave_1: link is not ready
[ 64.804868] bridge0: port 2(bridge_slave_1) entered blocking state
[ 64.811375] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 64.818378] bridge0: port 1(bridge_slave_0) entered blocking state
[ 64.824833] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 64.859149] IPv6: ADDRCONF(NETDEV_UP): bond0: link is not ready
[ 64.866757] 8021q: adding VLAN 0 to HW filter on device bond0
[ 64.876188] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
[ 64.885843] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 64.907191] bridge0: port 1(bridge_slave_0) entered disabled state
[ 64.915186] bridge0: port 2(bridge_slave_1) entered disabled state
[ 64.923939] IPv6: ADDRCONF(NETDEV_CHANGE): bond0: link becomes ready
[ 64.937070] IPv6: ADDRCONF(NETDEV_UP): team0: link is not ready
[ 64.943258] 8021q: adding VLAN 0 to HW filter on device team0
[ 64.952548] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[ 64.960251] bridge0: port 1(bridge_slave_0) entered blocking state
[ 64.966727] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 64.982814] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[ 64.990593] bridge0: port 2(bridge_slave_1) entered blocking state
[ 64.997048] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 65.008749] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready
[ 65.017638] IPv6: ADDRCONF(NETDEV_CHANGE): team0: link becomes ready
[ 65.027986] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready
[ 65.039561] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
[ 65.051112] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
[ 65.060950] IPv6: ADDRCONF(NETDEV_UP): hsr0: link is not ready
[ 65.067048] IPv6: ADDRCONF(NETDEV_CHANGE): hsr0: link becomes ready
[ 65.080877] IPv6: ADDRCONF(NETDEV_UP): vxcan1: link is not ready
[ 65.092550] 8021q: adding VLAN 0 to HW filter on device batadv0
[ 65.103997] audit: type=1400 audit(1547897051.646:38): avc: denied { associate } for pid=8549 comm="syz-executor0" name="syz0" scontext=unconfined_u:object_r:unlabeled_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=filesystem permissive=1
[ 65.316034] ==================================================================
[ 65.323650] BUG: KASAN: use-after-free in __list_add_valid+0x9a/0xa0
[ 65.330161] Read of size 8 at addr ffff888096a4ada0 by task syz-executor0/8581
[ 65.337514]
[ 65.339139] CPU: 0 PID: 8581 Comm: syz-executor0 Not tainted 5.0.0-rc2+ #33
[ 65.346230] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 65.355571] Call Trace:
[ 65.358180]  dump_stack+0x1db/0x2d0
[ 65.361802]  ? dump_stack_print_info.cold+0x20/0x20
[ 65.366809]  ? trace_hardirqs_on+0xbd/0x310
[ 65.371120]  ? __list_add_valid+0x9a/0xa0
[ 65.375270]  print_address_description.cold+0x7c/0x20d
[ 65.380542]  ? __list_add_valid+0x9a/0xa0
[ 65.384727]  ? __list_add_valid+0x9a/0xa0
[ 65.388878]  kasan_report.cold+0x1b/0x40
[ 65.392940]  ? __list_add_valid+0x9a/0xa0
[ 65.397076]  __asan_report_load8_noabort+0x14/0x20
[ 65.401996]  __list_add_valid+0x9a/0xa0
[ 65.405959]  rdma_listen+0x6c9/0xa10
[ 65.409662]  ? rdma_resolve_addr+0x2720/0x2720
[ 65.414269]  ucma_listen+0x1bf/0x250
[ 65.417971]  ? ucma_notify+0x220/0x220
[ 65.421866]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[ 65.427400]  ? _copy_from_user+0xdd/0x150
[ 65.431541]  ucma_write+0x36b/0x480
[ 65.435164]  ? ucma_notify+0x220/0x220
[ 65.439039]  ? ucma_open+0x400/0x400
[ 65.442748]  ? __might_fault+0x12b/0x1e0
[ 65.446813]  ? arch_local_save_flags+0x50/0x50
[ 65.451380]  ? find_held_lock+0x35/0x120
[ 65.455446]  __vfs_write+0x116/0xb40
[ 65.459172]  ? ucma_open+0x400/0x400
[ 65.462881]  ? kernel_read+0x120/0x120
[ 65.466755]  ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20
[ 65.472283]  ? __inode_security_revalidate+0xda/0x120
[ 65.477461]  ? avc_policy_seqno+0xd/0x70
[ 65.481511]  ? __sanitizer_cov_trace_cmp4+0x16/0x20
[ 65.486518]  ? selinux_file_permission+0x92/0x550
[ 65.491360]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 65.496892]  ? security_file_permission+0x94/0x320
[ 65.501823]  ? rw_verify_area+0x118/0x360
[ 65.506018]  vfs_write+0x20c/0x580
[ 65.509557]  ksys_write+0x105/0x260
[ 65.513190]  ? __ia32_sys_read+0xb0/0xb0
[ 65.517317]  ? trace_hardirqs_off_caller+0x300/0x300
[ 65.522425]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 65.527177]  __x64_sys_write+0x73/0xb0
[ 65.531068]  do_syscall_64+0x1a3/0x800
[ 65.534958]  ? syscall_return_slowpath+0x5f0/0x5f0
[ 65.539876]  ? prepare_exit_to_usermode+0x232/0x3b0
[ 65.544884]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 65.549722]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 65.554898] RIP: 0033:0x458099
[ 65.558088] Code: 6d b7 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 3b b7 fb ff c3 66 2e 0f 1f 84 00 00 00 00
[ 65.577000] RSP: 002b:00007fe299189c78 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
[ 65.584724] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000000458099
[ 65.591996] RDX: 0000000000000010 RSI: 00000000200001c0 RDI: 0000000000000003
[ 65.599381] RBP: 000000000073bf00 R08: 0000000000000000 R09: 0000000000000000
[ 65.606657] R10: 0000000000000000 R11: 0000000000000246 R12: 00007fe29918a6d4
[ 65.613919] R13: 00000000004c71fe R14: 00000000004dca18 R15: 00000000ffffffff
[ 65.621264]
[ 65.622892] Allocated by task 8575:
[ 65.626523]  save_stack+0x45/0xd0
[ 65.629983]  __kasan_kmalloc.constprop.0+0xcf/0xe0
[ 65.634900]  kasan_kmalloc+0x9/0x10
[ 65.638511]  kmem_cache_alloc_trace+0x151/0x760
[ 65.643184]  __rdma_create_id+0xce/0x630
[ 65.647235]  ucma_create_id+0x30f/0x910
[ 65.651193]  ucma_write+0x36b/0x480
[ 65.654831]  __vfs_write+0x116/0xb40
[ 65.658610]  vfs_write+0x20c/0x580
[ 65.662147]  ksys_write+0x105/0x260
[ 65.665760]  __x64_sys_write+0x73/0xb0
[ 65.669635]  do_syscall_64+0x1a3/0x800
[ 65.673516]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 65.678684]
[ 65.680294] Freed by task 8574:
[ 65.683565]  save_stack+0x45/0xd0
[ 65.687003]  __kasan_slab_free+0x102/0x150
[ 65.691229]  kasan_slab_free+0xe/0x10
[ 65.695022]  kfree+0xcf/0x230
[ 65.698119]  rdma_destroy_id+0x8be/0xd80
[ 65.702196]  ucma_close+0x115/0x320
[ 65.705817]  __fput+0x3c5/0xb10
[ 65.709085]  ____fput+0x16/0x20
[ 65.712383]  task_work_run+0x1f4/0x2b0
[ 65.716320]  exit_to_usermode_loop+0x32a/0x3b0
[ 65.720891]  do_syscall_64+0x696/0x800
[ 65.724791]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 65.729972]
[ 65.731584] The buggy address belongs to the object at ffff888096a4abc0
[ 65.731584]  which belongs to the cache kmalloc-2k of size 2048
[ 65.744234] The buggy address is located 480 bytes inside of
[ 65.744234]  2048-byte region [ffff888096a4abc0, ffff888096a4b3c0)
[ 65.756195] The buggy address belongs to the page:
[ 65.761130] page:ffffea00025a9280 count:1 mapcount:0 mapping:ffff88812c3f0c40 index:0x0 compound_mapcount: 0
[ 65.771097] flags: 0x1fffc0000010200(slab|head)
[ 65.775771] raw: 01fffc0000010200 ffffea00023d5388 ffffea00022ec588 ffff88812c3f0c40
[ 65.783655] raw: 0000000000000000 ffff888096a4a340 0000000100000003 0000000000000000
[ 65.791593] page dumped because: kasan: bad access detected
[ 65.797290]
[ 65.798911] Memory state around the buggy address:
[ 65.803837]  ffff888096a4ac80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 65.811180]  ffff888096a4ad00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 65.818527] >ffff888096a4ad80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 65.825884]                               ^
[ 65.830301]  ffff888096a4ae00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 65.837659]  ffff888096a4ae80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 65.844997] ==================================================================
[ 65.852420] Disabling lock debugging due to kernel taint
[ 65.862692] Kernel panic - not syncing: panic_on_warn set ...
[ 65.868594] CPU: 0 PID: 8581 Comm: syz-executor0 Tainted: G B 5.0.0-rc2+ #33
[ 65.877162] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 65.886732] Call Trace:
[ 65.889323]  dump_stack+0x1db/0x2d0
[ 65.892941]  ? dump_stack_print_info.cold+0x20/0x20
[ 65.897948]  panic+0x2cb/0x65c
[ 65.901126]  ? add_taint.cold+0x16/0x16
[ 65.905153]  ? __list_add_valid+0x9a/0xa0
[ 65.909288]  ? preempt_schedule+0x4b/0x60
[ 65.913541]  ? ___preempt_schedule+0x16/0x18
[ 65.917946]  ? trace_hardirqs_on+0xb4/0x310
[ 65.922276]  ? __list_add_valid+0x9a/0xa0
[ 65.926415]  end_report+0x47/0x4f
[ 65.929886]  ? __list_add_valid+0x9a/0xa0
[ 65.934024]  kasan_report.cold+0xe/0x40
[ 65.937988]  ? __list_add_valid+0x9a/0xa0
[ 65.942145]  __asan_report_load8_noabort+0x14/0x20
[ 65.947094]  __list_add_valid+0x9a/0xa0
[ 65.951059]  rdma_listen+0x6c9/0xa10
[ 65.954764]  ? rdma_resolve_addr+0x2720/0x2720
[ 65.959356]  ucma_listen+0x1bf/0x250
[ 65.963056]  ? ucma_notify+0x220/0x220
[ 65.966932]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[ 65.972455]  ? _copy_from_user+0xdd/0x150
[ 65.976633]  ucma_write+0x36b/0x480
[ 65.980255]  ? ucma_notify+0x220/0x220
[ 65.984139]  ? ucma_open+0x400/0x400
[ 65.987847]  ? __might_fault+0x12b/0x1e0
[ 65.991910]  ? arch_local_save_flags+0x50/0x50
[ 65.996475]  ? find_held_lock+0x35/0x120
[ 66.000666]  __vfs_write+0x116/0xb40
[ 66.004413]  ? ucma_open+0x400/0x400
[ 66.008150]  ? kernel_read+0x120/0x120
[ 66.012075]  ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20
[ 66.017598]  ? __inode_security_revalidate+0xda/0x120
[ 66.022773]  ? avc_policy_seqno+0xd/0x70
[ 66.026833]  ? __sanitizer_cov_trace_cmp4+0x16/0x20
[ 66.031880]  ? selinux_file_permission+0x92/0x550
[ 66.036709]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 66.042234]  ? security_file_permission+0x94/0x320
[ 66.047160]  ? rw_verify_area+0x118/0x360
[ 66.051421]  vfs_write+0x20c/0x580
[ 66.054972]  ksys_write+0x105/0x260
[ 66.058586]  ? __ia32_sys_read+0xb0/0xb0
[ 66.062866]  ? trace_hardirqs_off_caller+0x300/0x300
[ 66.067952]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 66.072693]  __x64_sys_write+0x73/0xb0
[ 66.076567]  do_syscall_64+0x1a3/0x800
[ 66.080451]  ? syscall_return_slowpath+0x5f0/0x5f0
[ 66.085376]  ? prepare_exit_to_usermode+0x232/0x3b0
[ 66.090391]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 66.095352]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 66.100529] RIP: 0033:0x458099
[ 66.103714] Code: 6d b7 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 3b b7 fb ff c3 66 2e 0f 1f 84 00 00 00 00
[ 66.122623] RSP: 002b:00007fe299189c78 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
[ 66.130336] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000000458099
[ 66.137619] RDX: 0000000000000010 RSI: 00000000200001c0 RDI: 0000000000000003
[ 66.144884] RBP: 000000000073bf00 R08: 0000000000000000 R09: 0000000000000000
[ 66.152264] R10: 0000000000000000 R11: 0000000000000246 R12: 00007fe29918a6d4
[ 66.159530] R13: 00000000004c71fe R14: 00000000004dca18 R15: 00000000ffffffff
[ 66.167754] Kernel Offset: disabled
[ 66.171380] Rebooting in 86400 seconds..
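The report above carries everything a triager needs, but it is buried in a console log that also contains boot noise, SELinux denials and a second stack from the panic. As an added example (not part of the syzkaller log, and not syzkaller's own report parser), the Python below pulls the first KASAN report out of such a log: the bug class and faulting function, the access and the PID that made it, the "Allocated by" and "Freed by" stacks with their PIDs, and the slab object the address falls in. It then drops sanitizer and allocator frames so the first frames it shows are the kernel code that actually touched the object, cross-checks the reported offset against the object base, and flags when the allocating, freeing and using PIDs differ, which in this log they do (8575, 8574 and 8581). The function names, the NOISE prefix list and SAMPLE (a trimmed copy of the report above, constructed for this example) are this example's own.

```python
"""Parse a KASAN report out of a kernel console log into triage data.
Added illustration for this page, not syzkaller's own report parser. SAMPLE is a
trimmed copy of the console log above, constructed for this example."""
import re

TS_RE = re.compile(r"^\[\s*\d+\.\d+\]\s?")        # "[ 65.316034] " console timestamp
BUG_RE = re.compile(r"BUG: KASAN: ([\w-]+) in ([\w.]+)\+0x")
ACCESS_RE = re.compile(r"(Read|Write) of size (\d+) at addr ([0-9a-f]+) by task (\S+)/(\d+)")
ALLOC_RE = re.compile(r"Allocated by task (\d+):")
FREE_RE = re.compile(r"Freed by task (\d+):")
OBJ_RE = re.compile(r"belongs to the object at ([0-9a-f]+)")
CACHE_RE = re.compile(r"belongs to the cache (\S+) of size (\d+)")
OFFSET_RE = re.compile(r"located (\d+) bytes inside of")
FRAME_RE = re.compile(r"^(\? )?([\w.]+)\+0x[0-9a-f]+/0x[0-9a-f]+$")
# Frames of the sanitizer, allocator and report printer: never the culprit.
NOISE = ("dump_stack", "print_address", "kasan_", "__kasan_", "__asan_",
         "save_stack", "kmem_cache_", "kfree", "__kmalloc", "end_report")

def parse_kasan_report(text: str) -> dict:
    """Return the fields of the first KASAN report found in a console log."""
    lines = [TS_RE.sub("", l).strip() for l in text.splitlines()]
    rules = [i for i, l in enumerate(lines) if l.startswith("=====")]  # '=' rules bracket a report
    if len(rules) < 2:
        raise ValueError("no complete KASAN report in log")
    rep = {"trace": [], "alloc_trace": [], "free_trace": []}
    stack = None                                  # stack list currently being filled
    for line in lines[rules[0] + 1:rules[1]]:
        if not line:                              # timestamp-only line ends a stack
            stack = None
        elif m := BUG_RE.search(line):
            rep["kind"], rep["func"] = m.groups()
        elif m := ACCESS_RE.search(line):
            rep.update(op=m[1], size=int(m[2]), addr=int(m[3], 16), task=m[4], pid=int(m[5]))
        elif line == "Call Trace:":
            stack = rep["trace"]
        elif m := ALLOC_RE.match(line):
            rep["alloc_pid"], stack = int(m[1]), rep["alloc_trace"]
        elif m := FREE_RE.match(line):
            rep["free_pid"], stack = int(m[1]), rep["free_trace"]
        elif m := OBJ_RE.search(line):
            rep["obj_base"] = int(m[1], 16)
        elif m := CACHE_RE.search(line):
            rep["cache"], rep["obj_size"] = m[1], int(m[2])
        elif m := OFFSET_RE.search(line):
            rep["offset"] = int(m[1])
        elif stack is not None:
            fm = FRAME_RE.match(line)
            if fm is None:                        # e.g. "RIP:" register dump: trace is over
                stack = None
            elif not fm[1]:                       # "? " frames are stale stack slots: drop
                stack.append(fm[2])
    return rep

def blame_frames(stack: list) -> list:
    """Drop sanitizer/allocator frames so element 0 is the code that touched the object."""
    return [f for f in stack if not f.startswith(NOISE)]

def triage(rep: dict) -> dict:
    """Access chain, owner sites, and whether distinct tasks allocated, freed and used
    the object (a hint at a lifetime/locking race rather than a simple logic slip)."""
    use, alloc, free = (blame_frames(rep[k]) for k in ("trace", "alloc_trace", "free_trace"))
    pids = {rep.get(k) for k in ("pid", "alloc_pid", "free_pid")} - {None}
    return {
        "summary": f"KASAN {rep['kind']}: {rep['op']} of {rep['size']} bytes in {' <- '.join(use[:3])}",
        "alloc_site": alloc[0] if alloc else "",
        "free_site": free[0] if free else "",
        "cross_task": len(pids) > 1,
        "offset_consistent": rep.get("addr", 0) - rep.get("obj_base", 0) == rep.get("offset"),
    }

SAMPLE = """\
[ 65.316034] ==================================================================
[ 65.323650] BUG: KASAN: use-after-free in __list_add_valid+0x9a/0xa0
[ 65.330161] Read of size 8 at addr ffff888096a4ada0 by task syz-executor0/8581
[ 65.337514]
[ 65.355571] Call Trace:
[ 65.388878]  kasan_report.cold+0x1b/0x40
[ 65.401996]  __list_add_valid+0x9a/0xa0
[ 65.405959]  rdma_listen+0x6c9/0xa10
[ 65.409662]  ? rdma_resolve_addr+0x2720/0x2720
[ 65.414269]  ucma_listen+0x1bf/0x250
[ 65.554898] RIP: 0033:0x458099
[ 65.622892] Allocated by task 8575:
[ 65.643184]  __rdma_create_id+0xce/0x630
[ 65.647235]  ucma_create_id+0x30f/0x910
[ 65.680294] Freed by task 8574:
[ 65.695022]  kfree+0xcf/0x230
[ 65.698119]  rdma_destroy_id+0x8be/0xd80
[ 65.702196]  ucma_close+0x115/0x320
[ 65.729972]
[ 65.731584] The buggy address belongs to the object at ffff888096a4abc0
[ 65.731584]  which belongs to the cache kmalloc-2k of size 2048
[ 65.744234] The buggy address is located 480 bytes inside of
[ 65.844997] ==================================================================
"""

if __name__ == "__main__":
    print(triage(parse_kasan_report(SAMPLE)))
```

Run on the full log above it gives the same answer as on SAMPLE: the object is a kmalloc-2k allocation made by __rdma_create_id under ucma_create_id (task 8575), released by rdma_destroy_id from ucma_close, i.e. on file close (task 8574), and then dereferenced 480 bytes in by rdma_listen under ucma_listen (task 8581). Three different tasks touching one object's lifetime is the detail to lead with when filing this; __list_add_valid only detected the stale list pointer, so the fix belongs in how ucma keeps the rdma_cm_id alive across close and listen, not in the list helper. Two caveats: "? " frames are dropped because they are leftover stack slots, not a real call chain, and reports for stack or global addresses have no "Allocated by"/"Freed by" section, so cross_task then has a single PID and is False.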