[ ok ] Starting periodic command scheduler: cron.
Starting mcstransd: 
[ ok ] Starting file context maintaining daemon: restorecond.
[ ok ] Starting OpenBSD Secure Shell server: sshd.
[   17.560745] audit: type=1400 audit(1520452219.264:6): avc:  denied  { map } for  pid=4208 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1

Debian GNU/Linux 7 syzkaller ttyS0

Warning: Permanently added '10.128.10.9' (ECDSA) to the list of known hosts.
executing program
syzkaller login: [   23.851313] audit: type=1400 audit(1520452225.555:7): avc:  denied  { map } for  pid=4222 comm="syzkaller286100" path="/root/syzkaller286100095" dev="sda1" ino=16481 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
[   23.878598] ==================================================================
[   23.885999] BUG: KASAN: use-after-free in ucma_close+0x2d7/0x2f0
[   23.892120] Read of size 8 at addr ffff8801b016b8c0 by task syzkaller286100/4222
[   23.899617] 
[   23.901218] CPU: 1 PID: 4222 Comm: syzkaller286100 Not tainted 4.16.0-rc4+ #344
[   23.908633] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   23.917956] Call Trace:
[   23.920515]  dump_stack+0x194/0x24d
[   23.924116]  ? arch_local_irq_restore+0x53/0x53
[   23.928757]  ? show_regs_print_info+0x18/0x18
[   23.933227]  ? ucma_close+0x2d7/0x2f0
[   23.937001]  print_address_description+0x73/0x250
[   23.941819]  ? ucma_close+0x2d7/0x2f0
[   23.945589]  kasan_report+0x23c/0x360
[   23.949364]  __asan_report_load8_noabort+0x14/0x20
[   23.954263]  ucma_close+0x2d7/0x2f0
[   23.957860]  ? __might_sleep+0x95/0x190
[   23.961803]  ? ucma_free_ctx+0xd90/0xd90
[   23.965833]  __fput+0x327/0x7e0
[   23.969088]  ? fput+0x140/0x140
[   23.972338]  ? _raw_spin_unlock_irq+0x27/0x70
[   23.976813]  ____fput+0x15/0x20
[   23.980065]  task_work_run+0x199/0x270
[   23.983925]  ? task_work_cancel+0x210/0x210
[   23.988217]  ? _raw_spin_unlock+0x22/0x30
[   23.992336]  ? switch_task_namespaces+0x87/0xc0
[   23.996981]  do_exit+0x9bb/0x1ad0
[   24.000403]  ? ucma_create_id+0x45b/0x620
[   24.004527]  ? mm_update_next_owner+0x930/0x930
[   24.009166]  ? ucma_create_id+0x17b/0x620
[   24.013283]  ? ucma_get_event+0xa90/0xa90
[   24.017410]  ? __might_sleep+0x95/0x190
[   24.021361]  ? kasan_check_write+0x14/0x20
[   24.025568]  ? _copy_from_user+0x99/0x110
[   24.029691]  ? ucma_write+0x11f/0x3d0
[   24.033460]  ? ucma_get_event+0xa90/0xa90
[   24.037577]  ? ucma_resolve_route+0x1a0/0x1a0
[   24.042054]  ? ucma_resolve_route+0x1a0/0x1a0
[   24.046523]  ? __vfs_write+0xf7/0x970
[   24.050303]  ? rcu_note_context_switch+0x710/0x710
[   24.055208]  ? kernel_read+0x120/0x120
[   24.059072]  ? __might_sleep+0x95/0x190
[   24.063033]  ? _cond_resched+0x14/0x30
[   24.066904]  ? __inode_security_revalidate+0xd9/0x130
[   24.072067]  ? avc_policy_seqno+0x9/0x20
[   24.076104]  ? security_file_permission+0x89/0x1e0
[   24.081013]  ? rw_verify_area+0xe5/0x2b0
[   24.085052]  ? __fdget_raw+0x20/0x20
[   24.088737]  ? vfs_write+0x224/0x510
[   24.092423]  do_group_exit+0x149/0x400
[   24.096286]  ? SyS_write+0x184/0x220
[   24.099974]  ? filp_open+0x70/0x70
[   24.103485]  ? SyS_exit+0x30/0x30
[   24.106907]  ? SyS_read+0x220/0x220
[   24.110507]  ? do_syscall_64+0xb7/0x940
[   24.114453]  ? do_group_exit+0x400/0x400
[   24.118485]  SyS_exit_group+0x1d/0x20
[   24.122255]  do_syscall_64+0x281/0x940
[   24.126118]  ? __do_page_fault+0xc90/0xc90
[   24.130326]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[   24.135074]  ? syscall_return_slowpath+0x550/0x550
[   24.139977]  ? syscall_return_slowpath+0x2ac/0x550
[   24.144879]  ? prepare_exit_to_usermode+0x350/0x350
[   24.149868]  ? entry_SYSCALL_64_after_hwframe+0x52/0xb7
[   24.155204]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   24.160034]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[   24.165192] RIP: 0033:0x43e938
[   24.168351] RSP: 002b:00007ffedea296c8 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
[   24.176031] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 000000000043e938
[   24.183273] RDX: 0000000000000000 RSI: 000000000000003c RDI: 0000000000000000
[   24.190513] RBP: 00000000004be300 R08: 00000000000000e7 R09: ffffffffffffffd0
[   24.197752] R10: 00000000004002c8 R11: 0000000000000246 R12: 0000000000000001
[   24.204992] R13: 00000000006cc160 R14: 0000000000000000 R15: 0000000000000000
[   24.212256] 
[   24.213860] Allocated by task 4222:
[   24.217468]  save_stack+0x43/0xd0
[   24.220890]  kasan_kmalloc+0xad/0xe0
[   24.224575]  kmem_cache_alloc_trace+0x136/0x740
[   24.229211]  ucma_alloc_ctx+0xce/0x610
[   24.233064]  ucma_create_id+0x205/0x620
[   24.237012]  ucma_write+0x2d6/0x3d0
[   24.240614]  __vfs_write+0xef/0x970
[   24.244206]  vfs_write+0x189/0x510
[   24.247713]  SyS_write+0xef/0x220
[   24.251134]  do_syscall_64+0x281/0x940
[   24.254992]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[   24.260158] 
[   24.261754] Freed by task 4222:
[   24.265002]  save_stack+0x43/0xd0
[   24.268428]  __kasan_slab_free+0x11a/0x170
[   24.272631]  kasan_slab_free+0xe/0x10
[   24.276418]  kfree+0xd9/0x260
[   24.279502]  ucma_create_id+0x45b/0x620
[   24.283444]  ucma_write+0x2d6/0x3d0
[   24.287042]  __vfs_write+0xef/0x970
[   24.290635]  vfs_write+0x189/0x510
[   24.294142]  SyS_write+0xef/0x220
[   24.297564]  do_syscall_64+0x281/0x940
[   24.301425]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[   24.306581] 
[   24.308179] The buggy address belongs to the object at ffff8801b016b840
[   24.308179]  which belongs to the cache kmalloc-256 of size 256
[   24.320803] The buggy address is located 128 bytes inside of
[   24.320803]  256-byte region [ffff8801b016b840, ffff8801b016b940)
[   24.332644] The buggy address belongs to the page:
[   24.337543] page:ffffea0006c05ac0 count:1 mapcount:0 mapping:ffff8801b016b0c0 index:0x0
[   24.345659] flags: 0x2fffc0000000100(slab)
[   24.349867] raw: 02fffc0000000100 ffff8801b016b0c0 0000000000000000 000000010000000c
[   24.357718] raw: ffffea0006c059a0 ffffea0006c05ce0 ffff8801dac007c0 0000000000000000
[   24.365575] page dumped because: kasan: bad access detected
[   24.371260] 
[   24.372854] Memory state around the buggy address:
[   24.377765]  ffff8801b016b780: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   24.385093]  ffff8801b016b800: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
[   24.392419] >ffff8801b016b880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   24.399744]                                            ^
[   24.405161]  ffff8801b016b900: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[   24.412486]  ffff8801b016b980: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   24.419813] ==================================================================
[   24.427136] Disabling lock debugging due to kernel taint
[   24.432616] Kernel panic - not syncing: panic_on_warn set ...
[   24.432616] 
[   24.439958] CPU: 1 PID: 4222 Comm: syzkaller286100 Tainted: G    B            4.16.0-rc4+ #344
[   24.448672] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   24.457994] Call Trace:
[   24.460553]  dump_stack+0x194/0x24d
[   24.464152]  ? arch_local_irq_restore+0x53/0x53
[   24.468791]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[   24.473514]  ? vsnprintf+0x1ed/0x1900
[   24.477282]  ? ucma_close+0x1f0/0x2f0
[   24.481050]  panic+0x1e4/0x41c
[   24.484209]  ? refcount_error_report+0x214/0x214
[   24.488935]  ? add_taint+0x1c/0x50
[   24.492445]  ? add_taint+0x1c/0x50
[   24.495954]  ? ucma_close+0x2d7/0x2f0
[   24.499724]  kasan_end_report+0x50/0x50
[   24.503666]  kasan_report+0x149/0x360
[   24.507437]  __asan_report_load8_noabort+0x14/0x20
[   24.512335]  ucma_close+0x2d7/0x2f0
[   24.515932]  ? __might_sleep+0x95/0x190
[   24.519873]  ? ucma_free_ctx+0xd90/0xd90
[   24.523904]  __fput+0x327/0x7e0
[   24.527156]  ? fput+0x140/0x140
[   24.530406]  ? _raw_spin_unlock_irq+0x27/0x70
[   24.534873]  ____fput+0x15/0x20
[   24.538119]  task_work_run+0x199/0x270
[   24.541974]  ? task_work_cancel+0x210/0x210
[   24.546266]  ? _raw_spin_unlock+0x22/0x30
[   24.550382]  ? switch_task_namespaces+0x87/0xc0
[   24.555027]  do_exit+0x9bb/0x1ad0
[   24.558447]  ? ucma_create_id+0x45b/0x620
[   24.562564]  ? mm_update_next_owner+0x930/0x930
[   24.567200]  ? ucma_create_id+0x17b/0x620
[   24.571315]  ? ucma_get_event+0xa90/0xa90
[   24.575434]  ? __might_sleep+0x95/0x190
[   24.579378]  ? kasan_check_write+0x14/0x20
[   24.583582]  ? _copy_from_user+0x99/0x110
[   24.587701]  ? ucma_write+0x11f/0x3d0
[   24.591466]  ? ucma_get_event+0xa90/0xa90
[   24.595582]  ? ucma_resolve_route+0x1a0/0x1a0
[   24.600051]  ? ucma_resolve_route+0x1a0/0x1a0
[   24.604514]  ? __vfs_write+0xf7/0x970
[   24.608284]  ? rcu_note_context_switch+0x710/0x710
[   24.613181]  ? kernel_read+0x120/0x120
[   24.617035]  ? __might_sleep+0x95/0x190
[   24.620980]  ? _cond_resched+0x14/0x30
[   24.624835]  ? __inode_security_revalidate+0xd9/0x130
[   24.629994]  ? avc_policy_seqno+0x9/0x20
[   24.634035]  ? security_file_permission+0x89/0x1e0
[   24.638934]  ? rw_verify_area+0xe5/0x2b0
[   24.642962]  ? __fdget_raw+0x20/0x20
[   24.646646]  ? vfs_write+0x224/0x510
[   24.650331]  do_group_exit+0x149/0x400
[   24.654185]  ? SyS_write+0x184/0x220
[   24.657864]  ? filp_open+0x70/0x70
[   24.661373]  ? SyS_exit+0x30/0x30
[   24.664796]  ? SyS_read+0x220/0x220
[   24.668394]  ? do_syscall_64+0xb7/0x940
[   24.672338]  ? do_group_exit+0x400/0x400
[   24.676365]  SyS_exit_group+0x1d/0x20
[   24.680134]  do_syscall_64+0x281/0x940
[   24.683989]  ? __do_page_fault+0xc90/0xc90
[   24.688196]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[   24.692919]  ? syscall_return_slowpath+0x550/0x550
[   24.697817]  ? syscall_return_slowpath+0x2ac/0x550
[   24.702717]  ? prepare_exit_to_usermode+0x350/0x350
[   24.707700]  ? entry_SYSCALL_64_after_hwframe+0x52/0xb7
[   24.713042]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   24.717859]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[   24.723026] RIP: 0033:0x43e938
[   24.726184] RSP: 002b:00007ffedea296c8 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
[   24.733858] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 000000000043e938
[   24.741097] RDX: 0000000000000000 RSI: 000000000000003c RDI: 0000000000000000
[   24.748333] RBP: 00000000004be300 R08: 00000000000000e7 R09: ffffffffffffffd0
[   24.755571] R10: 00000000004002c8 R11: 0000000000000246 R12: 0000000000000001
[   24.762808] R13: 00000000006cc160 R14: 0000000000000000 R15: 0000000000000000
[   24.770425] Dumping ftrace buffer:
[   24.773937]    (ftrace buffer empty)
[   24.777617] Kernel Offset: disabled
[   24.781214] Rebooting in 86400 seconds..
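The report above already contains everything needed to triage the bug: the object was allocated by ucma_alloc_ctx (called from ucma_create_id), freed by kfree inside ucma_create_id, and then read 128 bytes into the freed 256-byte kmalloc-256 object when ucma_close ran during process exit. The shadow dump confirms it: the byte covering ffff8801b016b8c0 is fb (a freed kmalloc object), with fc redzones on either side of the object. The script below is an added triage helper, not code from syzkaller or the Linux kernel. It parses an excerpt of this report (timestamps stripped), computes the access offset from the two addresses, looks up the shadow byte that covers the faulting address, and names the first non-allocator frame in the alloc and free stacks. The shadow-byte meanings are taken from mm/kasan/kasan.h of the 4.16-era kernel (0xfb KASAN_KMALLOC_FREE, 0xfc KASAN_KMALLOC_REDZONE); all function and class names are the example's own.

```python
# Added triage helper for KASAN slab reports; not code from syzkaller or the Linux kernel.
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Slab-related shadow values as defined in mm/kasan/kasan.h for this kernel generation.
SHADOW_LEGEND = {0x00: "addressable", 0xfb: "freed kmalloc object", 0xfc: "kmalloc redzone"}
# Allocator and KASAN frames skipped when naming the driver function responsible.
_NOISE = ("save_stack", "kasan_", "__kasan_", "kmem_cache_", "kfree", "kmalloc", "__kmalloc")

_HEADER = re.compile(r"BUG: KASAN: (?P<kind>[\w-]+) in (?P<func>\w+)\+0x[0-9a-f]+/0x[0-9a-f]+")
_ACCESS = re.compile(r"(?P<rw>Read|Write) of size (?P<size>\d+) at addr (?P<addr>[0-9a-f]+) by task")
_OBJECT = re.compile(r"belongs to the object at (?P<base>[0-9a-f]+)")
_CACHE = re.compile(r"belongs to the cache (?P<cache>\S+) of size (?P<size>\d+)")
_STACK_HDR = re.compile(r"^(Allocated|Freed) by task \d+:$")
_FRAME = re.compile(r"^\s*(\w+)\+0x[0-9a-f]+/0x[0-9a-f]+\s*$")
_SHADOW = re.compile(r"^\s*>?\s*([0-9a-f]{16}):((?:\s+[0-9a-f]{2}){16})\s*$")


@dataclass
class KasanReport:
    kind: str
    func: str
    rw: str
    size: int
    addr: int
    obj_base: int = 0
    obj_size: int = 0
    cache: str = ""
    alloc_stack: List[str] = field(default_factory=list)
    free_stack: List[str] = field(default_factory=list)
    shadow: Dict[int, List[int]] = field(default_factory=dict)  # dump-line base -> 16 shadow bytes

    def offset(self) -> int:
        return self.addr - self.obj_base

    def shadow_at(self, addr: int) -> Optional[Tuple[int, str]]:
        # One shadow byte covers 8 bytes of memory; each dump line holds 16 shadow bytes.
        for base, cells in self.shadow.items():
            if base <= addr < base + 128:
                val = cells[(addr - base) // 8]
                return val, SHADOW_LEGEND.get(val, "unknown")
        return None

    @staticmethod
    def owner(stack: List[str]) -> Optional[str]:
        # First frame that is neither allocator nor KASAN plumbing.
        return next((f for f in stack if not f.startswith(_NOISE)), None)


def parse_report(text: str) -> KasanReport:
    head, acc = _HEADER.search(text), _ACCESS.search(text)
    if not head or not acc:
        raise ValueError("not a KASAN report")
    rep = KasanReport(head["kind"], head["func"], acc["rw"], int(acc["size"]), int(acc["addr"], 16))
    lines, i = text.splitlines(), 0
    while i < len(lines):
        line = lines[i]
        if m := _OBJECT.search(line):
            rep.obj_base = int(m["base"], 16)
        elif m := _CACHE.search(line):
            rep.cache, rep.obj_size = m["cache"], int(m["size"])
        elif m := _STACK_HDR.match(line.strip()):
            target = rep.alloc_stack if m.group(1) == "Allocated" else rep.free_stack
            while i + 1 < len(lines) and (f := _FRAME.match(lines[i + 1])):
                target.append(f.group(1))
                i += 1
        elif m := _SHADOW.match(line):
            rep.shadow[int(m.group(1), 16)] = [int(b, 16) for b in m.group(2).split()]
        i += 1
    return rep


def check(rep: KasanReport) -> List[str]:
    # Cross-check the report against itself; an empty list means its numbers agree.
    problems = []
    if not rep.obj_base <= rep.addr < rep.obj_base + rep.obj_size:
        problems.append("access address lies outside the reported object")
    sh = rep.shadow_at(rep.addr)
    if rep.kind == "use-after-free" and (sh is None or sh[0] != 0xfb):
        problems.append("shadow byte at the access is not KASAN_KMALLOC_FREE (fb)")
    return problems


# Excerpt of the report above with timestamps stripped (copied from the log, not invented).
REPORT = """\
BUG: KASAN: use-after-free in ucma_close+0x2d7/0x2f0
Read of size 8 at addr ffff8801b016b8c0 by task syzkaller286100/4222
Allocated by task 4222:
 save_stack+0x43/0xd0
 kasan_kmalloc+0xad/0xe0
 kmem_cache_alloc_trace+0x136/0x740
 ucma_alloc_ctx+0xce/0x610
 ucma_create_id+0x205/0x620
Freed by task 4222:
 save_stack+0x43/0xd0
 __kasan_slab_free+0x11a/0x170
 kasan_slab_free+0xe/0x10
 kfree+0xd9/0x260
 ucma_create_id+0x45b/0x620
The buggy address belongs to the object at ffff8801b016b840
 which belongs to the cache kmalloc-256 of size 256
Memory state around the buggy address:
 ffff8801b016b800: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
>ffff8801b016b880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff8801b016b900: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
"""
```

Running `parse_report(REPORT)` gives an offset of 128 (0xffff8801b016b8c0 minus 0xffff8801b016b840), a shadow byte of 0xfb at the faulting address, ucma_alloc_ctx as the allocating frame and ucma_create_id as the freeing frame, and `check()` returns no problems, which is what a consistent use-after-free report should look like before anyone starts reading the driver source.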