[ ok ] Starting periodic command scheduler: cron.
Starting mcstransd:
[ ok ] Starting file context maintaining daemon: restorecond.
[ ok ] Starting OpenBSD Secure Shell server: sshd.
[ 18.344386] audit: type=1400 audit(1521023825.052:6): avc: denied { map } for pid=4239 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
Debian GNU/Linux 7 syzkaller ttyS0
Warning: Permanently added '10.128.0.48' (ECDSA) to the list of known hosts.
executing program
syzkaller login: [ 37.163051] audit: type=1400 audit(1521023843.870:7): avc: denied { map } for pid=4257 comm="syzkaller869714" path="/root/syzkaller869714341" dev="sda1" ino=16481 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
[ 37.190318] ==================================================================
[ 37.197721] BUG: KASAN: use-after-free in ucma_close+0x2d7/0x2f0
[ 37.203839] Read of size 8 at addr ffff8801ad9c86c0 by task syzkaller869714/4257
[ 37.211339]
[ 37.212940] CPU: 0 PID: 4257 Comm: syzkaller869714 Not tainted 4.16.0-rc5+ #352
[ 37.220364] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 37.229694] Call Trace:
[ 37.232263]  dump_stack+0x194/0x24d
[ 37.235874]  ? arch_local_irq_restore+0x53/0x53
[ 37.240523]  ? show_regs_print_info+0x18/0x18
[ 37.244999]  ? ucma_close+0x2d7/0x2f0
[ 37.248775]  print_address_description+0x73/0x250
[ 37.253586]  ? ucma_close+0x2d7/0x2f0
[ 37.257355]  kasan_report+0x23c/0x360
[ 37.261130]  __asan_report_load8_noabort+0x14/0x20
[ 37.266041]  ucma_close+0x2d7/0x2f0
[ 37.269649]  ? __might_sleep+0x95/0x190
[ 37.273603]  ? ucma_free_ctx+0xd90/0xd90
[ 37.277640]  __fput+0x327/0x7e0
[ 37.280899]  ? fput+0x140/0x140
[ 37.284150]  ?
 _raw_spin_unlock_irq+0x27/0x70
[ 37.288620]  ____fput+0x15/0x20
[ 37.291873]  task_work_run+0x199/0x270
[ 37.295735]  ? task_work_cancel+0x210/0x210
[ 37.300027]  ? _raw_spin_unlock+0x22/0x30
[ 37.304147]  ? switch_task_namespaces+0x87/0xc0
[ 37.308792]  do_exit+0x9bb/0x1ad0
[ 37.312213]  ? ucma_create_id+0x45b/0x620
[ 37.316339]  ? mm_update_next_owner+0x930/0x930
[ 37.320986]  ? ucma_create_id+0x17b/0x620
[ 37.325108]  ? ucma_get_event+0xa90/0xa90
[ 37.329233]  ? __might_sleep+0x95/0x190
[ 37.333186]  ? kasan_check_write+0x14/0x20
[ 37.337392]  ? _copy_from_user+0x99/0x110
[ 37.341513]  ? ucma_write+0x11f/0x3d0
[ 37.345283]  ? ucma_get_event+0xa90/0xa90
[ 37.349404]  ? ucma_resolve_route+0x1a0/0x1a0
[ 37.353877]  ? ucma_resolve_route+0x1a0/0x1a0
[ 37.358354]  ? __vfs_write+0xf7/0x970
[ 37.362127]  ? rcu_note_context_switch+0x710/0x710
[ 37.367032]  ? kernel_read+0x120/0x120
[ 37.370895]  ? __might_sleep+0x95/0x190
[ 37.374845]  ? _cond_resched+0x14/0x30
[ 37.378707]  ? __inode_security_revalidate+0xd9/0x130
[ 37.383873]  ? avc_policy_seqno+0x9/0x20
[ 37.387917]  ? security_file_permission+0x89/0x1e0
[ 37.392820]  ? rw_verify_area+0xe5/0x2b0
[ 37.396851]  ? __fdget_raw+0x20/0x20
[ 37.400541]  ? vfs_write+0x224/0x510
[ 37.404235]  do_group_exit+0x149/0x400
[ 37.408094]  ? SyS_write+0x184/0x220
[ 37.411778]  ? filp_open+0x70/0x70
[ 37.415290]  ? SyS_exit+0x30/0x30
[ 37.418715]  ? SyS_read+0x220/0x220
[ 37.422318]  ? do_syscall_64+0xb7/0x940
[ 37.426263]  ? do_group_exit+0x400/0x400
[ 37.430297]  SyS_exit_group+0x1d/0x20
[ 37.434071]  do_syscall_64+0x281/0x940
[ 37.437928]  ? __do_page_fault+0xc90/0xc90
[ 37.442133]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 37.446858]  ? syscall_return_slowpath+0x550/0x550
[ 37.451759]  ? syscall_return_slowpath+0x2ac/0x550
[ 37.456663]  ? prepare_exit_to_usermode+0x350/0x350
[ 37.461651]  ? entry_SYSCALL_64_after_hwframe+0x52/0xb7
[ 37.466992]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 37.471814]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 37.476972] RIP: 0033:0x43e988
[ 37.480135] RSP: 002b:00007fff8e5fabe8 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
[ 37.487814] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 000000000043e988
[ 37.495055] RDX: 0000000000000000 RSI: 000000000000003c RDI: 0000000000000000
[ 37.502295] RBP: 00000000004be320 R08: 00000000000000e7 R09: ffffffffffffffd0
[ 37.509537] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000001
[ 37.516775] R13: 00000000006cc160 R14: 0000000000000000 R15: 0000000000000000
[ 37.524033]
[ 37.525632] Allocated by task 4257:
[ 37.529228]  save_stack+0x43/0xd0
[ 37.532650]  kasan_kmalloc+0xad/0xe0
[ 37.536334]  kmem_cache_alloc_trace+0x136/0x740
[ 37.540970]  ucma_alloc_ctx+0xce/0x610
[ 37.544828]  ucma_create_id+0x205/0x620
[ 37.548773]  ucma_write+0x2d6/0x3d0
[ 37.552368]  __vfs_write+0xef/0x970
[ 37.555965]  vfs_write+0x189/0x510
[ 37.559472]  SyS_write+0xef/0x220
[ 37.562893]  do_syscall_64+0x281/0x940
[ 37.566748]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 37.571903]
[ 37.573499] Freed by task 4257:
[ 37.576745]  save_stack+0x43/0xd0
[ 37.580168]  __kasan_slab_free+0x11a/0x170
[ 37.584371]  kasan_slab_free+0xe/0x10
[ 37.588139]  kfree+0xd9/0x260
[ 37.591211]  ucma_create_id+0x45b/0x620
[ 37.595152]  ucma_write+0x2d6/0x3d0
[ 37.598759]  __vfs_write+0xef/0x970
[ 37.602354]  vfs_write+0x189/0x510
[ 37.605860]  SyS_write+0xef/0x220
[ 37.609287]  do_syscall_64+0x281/0x940
[ 37.613145]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 37.618301]
[ 37.619901] The buggy address belongs to the object at ffff8801ad9c8640
[ 37.619901]  which belongs to the cache kmalloc-256 of size 256
[ 37.632528] The buggy address is located 128 bytes inside of
[ 37.632528]  256-byte region [ffff8801ad9c8640, ffff8801ad9c8740)
[ 37.644379] The buggy address belongs to the page:
[ 37.649281] page:ffffea0006b67200 count:1 mapcount:0 mapping:ffff8801ad9c8000 index:0x0
[ 37.657395] flags: 0x2fffc0000000100(slab)
[ 37.661605] raw: 02fffc0000000100 ffff8801ad9c8000 0000000000000000 000000010000000c
[ 37.669456] raw: ffffea0006b7da20 ffffea0006b41760 ffff8801dac007c0 0000000000000000
[ 37.677303] page dumped because: kasan: bad access detected
[ 37.682981]
[ 37.684586] Memory state around the buggy address:
[ 37.689485]  ffff8801ad9c8580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 37.696815]  ffff8801ad9c8600: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
[ 37.704143] >ffff8801ad9c8680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 37.711471]                                            ^
[ 37.716889]  ffff8801ad9c8700: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 37.724217]  ffff8801ad9c8780: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 37.731542] ==================================================================
[ 37.738872] Disabling lock debugging due to kernel taint
[ 37.744457] Kernel panic - not syncing: panic_on_warn set ...
[ 37.744457]
[ 37.751797] CPU: 0 PID: 4257 Comm: syzkaller869714 Tainted: G B 4.16.0-rc5+ #352
[ 37.760524] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 37.769849] Call Trace:
[ 37.772421]  dump_stack+0x194/0x24d
[ 37.776018]  ? arch_local_irq_restore+0x53/0x53
[ 37.780658]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 37.785385]  ? vsnprintf+0x1ed/0x1900
[ 37.789154]  ? ucma_close+0x1f0/0x2f0
[ 37.792925]  panic+0x1e4/0x41c
[ 37.796086]  ? refcount_error_report+0x214/0x214
[ 37.800811]  ? add_taint+0x1c/0x50
[ 37.804320]  ? add_taint+0x1c/0x50
[ 37.807829]  ? ucma_close+0x2d7/0x2f0
[ 37.811597]  kasan_end_report+0x50/0x50
[ 37.815539]  kasan_report+0x149/0x360
[ 37.819310]  __asan_report_load8_noabort+0x14/0x20
[ 37.824216]  ucma_close+0x2d7/0x2f0
[ 37.827815]  ? __might_sleep+0x95/0x190
[ 37.831759]  ? ucma_free_ctx+0xd90/0xd90
[ 37.835787]  __fput+0x327/0x7e0
[ 37.839039]  ? fput+0x140/0x140
[ 37.842290]  ? _raw_spin_unlock_irq+0x27/0x70
[ 37.846758]  ____fput+0x15/0x20
[ 37.850007]  task_work_run+0x199/0x270
[ 37.853868]  ? task_work_cancel+0x210/0x210
[ 37.858156]  ? _raw_spin_unlock+0x22/0x30
[ 37.862272]  ? switch_task_namespaces+0x87/0xc0
[ 37.866911]  do_exit+0x9bb/0x1ad0
[ 37.870334]  ? ucma_create_id+0x45b/0x620
[ 37.874455]  ? mm_update_next_owner+0x930/0x930
[ 37.879091]  ? ucma_create_id+0x17b/0x620
[ 37.883206]  ? ucma_get_event+0xa90/0xa90
[ 37.887323]  ? __might_sleep+0x95/0x190
[ 37.891268]  ? kasan_check_write+0x14/0x20
[ 37.895472]  ? _copy_from_user+0x99/0x110
[ 37.899591]  ? ucma_write+0x11f/0x3d0
[ 37.903359]  ? ucma_get_event+0xa90/0xa90
[ 37.907473]  ? ucma_resolve_route+0x1a0/0x1a0
[ 37.911940]  ? ucma_resolve_route+0x1a0/0x1a0
[ 37.916403]  ? __vfs_write+0xf7/0x970
[ 37.920173]  ? rcu_note_context_switch+0x710/0x710
[ 37.925073]  ? kernel_read+0x120/0x120
[ 37.928929]  ? __might_sleep+0x95/0x190
[ 37.932879]  ? _cond_resched+0x14/0x30
[ 37.936744]  ? __inode_security_revalidate+0xd9/0x130
[ 37.941902]  ? avc_policy_seqno+0x9/0x20
[ 37.945956]  ? security_file_permission+0x89/0x1e0
[ 37.950861]  ? rw_verify_area+0xe5/0x2b0
[ 37.954889]  ? __fdget_raw+0x20/0x20
[ 37.958572]  ? vfs_write+0x224/0x510
[ 37.962256]  do_group_exit+0x149/0x400
[ 37.966111]  ? SyS_write+0x184/0x220
[ 37.969791]  ? filp_open+0x70/0x70
[ 37.973300]  ? SyS_exit+0x30/0x30
[ 37.976722]  ? SyS_read+0x220/0x220
[ 37.980321]  ? do_syscall_64+0xb7/0x940
[ 37.984262]  ? do_group_exit+0x400/0x400
[ 37.988291]  SyS_exit_group+0x1d/0x20
[ 37.992061]  do_syscall_64+0x281/0x940
[ 37.995916]  ? __do_page_fault+0xc90/0xc90
[ 38.000117]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 38.004843]  ? syscall_return_slowpath+0x550/0x550
[ 38.009745]  ? syscall_return_slowpath+0x2ac/0x550
[ 38.014644]  ? prepare_exit_to_usermode+0x350/0x350
[ 38.019629]  ? entry_SYSCALL_64_after_hwframe+0x52/0xb7
[ 38.024967]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 38.029785]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 38.035208] RIP: 0033:0x43e988
[ 38.038367] RSP: 002b:00007fff8e5fabe8 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
[ 38.046043] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 000000000043e988
[ 38.053291] RDX: 0000000000000000 RSI: 000000000000003c RDI: 0000000000000000
[ 38.060529] RBP: 00000000004be320 R08: 00000000000000e7 R09: ffffffffffffffd0
[ 38.067770] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000001
[ 38.075008] R13: 00000000006cc160 R14: 0000000000000000 R15: 0000000000000000
[ 38.082626] Dumping ftrace buffer:
[ 38.086134]    (ftrace buffer empty)
[ 38.089813] Kernel Offset: disabled
[ 38.093412] Rebooting in 86400 seconds..