[?25l[?1c7[ ok 8[?25h[?0c. [....] Starting periodic command scheduler: cron[?25l[?1c7[ ok 8[?25h[?0c. Starting mcstransd: [....] Starting file context maintaining daemon: restorecond[?25l[?1c7[ ok 8[?25h[?0c. [....] Starting OpenBSD Secure Shell server: sshd[?25l[?1c7[ ok 8[?25h[?0c. [ 18.829672] audit: type=1400 audit(1519801550.854:6): avc: denied { map } for pid=4219 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1 Debian GNU/Linux 7 syzkaller ttyS0 Warning: Permanently added '10.128.0.61' (ECDSA) to the list of known hosts. syzkaller login: [ 25.083925] audit: type=1400 audit(1519801557.108:7): avc: denied { map } for pid=4233 comm="syz-execprog" path="/root/syz-execprog" dev="sda1" ino=16479 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1 2018/02/28 07:05:57 parsed 1 programs 2018/02/28 07:05:57 executed programs: 0 [ 25.344468] audit: type=1400 audit(1519801557.369:8): avc: denied { map } for pid=4233 comm="syz-execprog" path="/root/syzkaller-shm036123558" dev="sda1" ino=16482 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:file_t:s0 tclass=file permissive=1 [ 25.358661] IPVS: ftp: loaded support on port[0] = 21 [ 25.415310] ================================================================== [ 25.422683] BUG: KASAN: use-after-free in __lock_acquire+0x3d4d/0x3e00 [ 25.429318] Read of size 8 at addr ffff8801b2669600 by task syz-executor0/4243 [ 25.436642] [ 25.438241] CPU: 0 PID: 4243 Comm: syz-executor0 Not tainted 4.16.0-rc3+ #242 [ 25.445480] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 25.454811] Call Trace: [ 25.457370] dump_stack+0x194/0x24d [ 25.460968] ? arch_local_irq_restore+0x53/0x53 [ 25.465604] ? show_regs_print_info+0x18/0x18 [ 25.470075] ? __lock_acquire+0x3d4d/0x3e00 [ 25.474371] print_address_description+0x73/0x250 [ 25.479183] ? __lock_acquire+0x3d4d/0x3e00 [ 25.483479] kasan_report+0x23b/0x360 [ 25.487248] __asan_report_load8_noabort+0x14/0x20 [ 25.492147] __lock_acquire+0x3d4d/0x3e00 [ 25.496267] ? print_irqtrace_events+0x270/0x270 [ 25.500991] ? remove_wait_queue+0x81/0x350 [ 25.505282] ? debug_check_no_locks_freed+0x3c0/0x3c0 [ 25.510444] ? __lock_acquire+0x664/0x3e00 [ 25.514651] ? debug_check_no_locks_freed+0x3c0/0x3c0 [ 25.519813] ? lock_acquire+0x1d5/0x580 [ 25.523761] ? lock_acquire+0x1d5/0x580 [ 25.527715] ? ep_free+0xf4/0x320 [ 25.531139] ? lock_release+0xa40/0xa40 [ 25.535089] ? check_same_owner+0x320/0x320 [ 25.539378] ? trace_hardirqs_off+0x10/0x10 [ 25.543670] ? print_irqtrace_events+0x270/0x270 [ 25.548397] ? rcu_note_context_switch+0x710/0x710 [ 25.553300] ? __might_sleep+0x95/0x190 [ 25.557242] ? ep_free+0xf4/0x320 [ 25.560667] ? __mutex_lock+0x16f/0x1a80 [ 25.564696] ? ep_free+0xf4/0x320 [ 25.568117] ? find_held_lock+0x35/0x1d0 [ 25.572148] ? print_irqtrace_events+0x270/0x270 [ 25.576869] ? ep_free+0xf4/0x320 [ 25.580293] lock_acquire+0x1d5/0x580 [ 25.584064] ? lock_acquire+0x1d5/0x580 [ 25.588009] ? remove_wait_queue+0x81/0x350 [ 25.592301] ? lock_release+0xa40/0xa40 [ 25.596248] ? lock_acquire+0x1d5/0x580 [ 25.600190] ? debug_check_no_locks_freed+0x3c0/0x3c0 [ 25.605348] ? lock_acquire+0x1d5/0x580 [ 25.609293] ? ep_unregister_pollwait.isra.7+0x323/0x590 [ 25.614719] _raw_spin_lock_irqsave+0x96/0xc0 [ 25.619195] ? remove_wait_queue+0x81/0x350 [ 25.623490] remove_wait_queue+0x81/0x350 [ 25.627614] ? depot_save_stack+0x2ca/0x460 [ 25.631905] ? add_wait_queue+0x290/0x290 [ 25.636028] ? rcutorture_record_progress+0x10/0x10 [ 25.641015] ? lock_release+0xa40/0xa40 [ 25.644964] ? is_bpf_text_address+0xa4/0x120 [ 25.649429] ep_unregister_pollwait.isra.7+0x18c/0x590 [ 25.654676] ? unwind_get_return_address+0x61/0xa0 [ 25.659581] ? clear_tfile_check_list+0x370/0x370 [ 25.664392] ? depot_save_stack+0x2ca/0x460 [ 25.668685] ? save_stack+0xa3/0xd0 [ 25.672289] ? locks_remove_file+0x3fa/0x5a0 [ 25.676674] ep_free+0x13f/0x320 [ 25.680009] ? ep_remove+0x800/0x800 [ 25.683695] ? fsnotify_first_mark+0x2b0/0x2b0 [ 25.688249] ? ep_free+0x320/0x320 [ 25.691764] ep_eventpoll_release+0x44/0x60 [ 25.696055] __fput+0x327/0x7e0 [ 25.699315] ? fput+0x140/0x140 [ 25.702564] ? _raw_spin_unlock_irq+0x27/0x70 [ 25.707026] ____fput+0x15/0x20 [ 25.710274] task_work_run+0x199/0x270 [ 25.714128] ? task_work_cancel+0x210/0x210 [ 25.718418] ? _raw_spin_unlock+0x22/0x30 [ 25.722534] ? switch_task_namespaces+0x87/0xc0 [ 25.727177] do_exit+0x9bb/0x1ad0 [ 25.730602] ? mm_update_next_owner+0x930/0x930 [ 25.735245] ? avc_ss_reset+0x110/0x110 [ 25.739192] ? mutex_unlock+0xd/0x10 [ 25.742878] ? SyS_epoll_ctl+0x30a/0x1a80 [ 25.747001] ? find_held_lock+0x35/0x1d0 [ 25.751033] ? SyS_epoll_create+0x240/0x240 [ 25.755322] ? lock_downgrade+0x980/0x980 [ 25.759441] ? check_same_owner+0x320/0x320 [ 25.763743] ? ppp_unregister_channel+0x660/0x660 [ 25.768556] ? do_vfs_ioctl+0x486/0x1520 [ 25.772585] ? ioctl_preallocate+0x2b0/0x2b0 [ 25.776962] ? selinux_capable+0x40/0x40 [ 25.781002] ? compat_SyS_epoll_pwait+0x4f0/0x4f0 [ 25.785824] ? compat_SyS_futex+0x288/0x380 [ 25.790122] do_group_exit+0x149/0x400 [ 25.793980] ? compat_SyS_get_robust_list+0x300/0x300 [ 25.799139] ? security_file_ioctl+0x89/0xb0 [ 25.803519] ? SyS_exit+0x30/0x30 [ 25.806950] ? compat_SyS_ioctl+0x77/0x2a30 [ 25.811243] ? do_fast_syscall_32+0x156/0xf9f [ 25.815707] ? do_group_exit+0x400/0x400 [ 25.819735] SyS_exit_group+0x1d/0x20 [ 25.823507] do_fast_syscall_32+0x3ec/0xf9f [ 25.827797] ? do_int80_syscall_32+0x9c0/0x9c0 [ 25.832346] ? trace_hardirqs_on_thunk+0x1a/0x1c [ 25.837079] ? syscall_return_slowpath+0x2ac/0x550 [ 25.841986] ? prepare_exit_to_usermode+0x350/0x350 [ 25.846978] ? sysret32_from_system_call+0x5/0x3c [ 25.851790] ? trace_hardirqs_off_thunk+0x1a/0x1c [ 25.856601] entry_SYSENTER_compat+0x70/0x7f [ 25.860986] RIP: 0023:0xf7fc4c99 [ 25.864319] RSP: 002b:00000000ff9c601c EFLAGS: 00000286 ORIG_RAX: 00000000000000fc [ 25.871999] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 0000000000000000 [ 25.879237] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000 [ 25.886477] RBP: 00000000080a2b05 R08: 0000000000000000 R09: 0000000000000000 [ 25.893717] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000 [ 25.900955] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000 [ 25.908200] [ 25.909797] Allocated by task 4243: [ 25.913396] save_stack+0x43/0xd0 [ 25.916816] kasan_kmalloc+0xad/0xe0 [ 25.920496] __kmalloc_node+0x47/0x70 [ 25.924263] kvmalloc_node+0x99/0xd0 [ 25.927944] alloc_netdev_mqs+0x16d/0xfb0 [ 25.932057] ppp_ioctl+0x1715/0x2a50 [ 25.935737] do_vfs_ioctl+0x1b1/0x1520 [ 25.939591] compat_SyS_ioctl+0x4ef/0x2a30 [ 25.943792] do_fast_syscall_32+0x3ec/0xf9f [ 25.948082] entry_SYSENTER_compat+0x70/0x7f [ 25.952456] [ 25.954050] Freed by task 4243: [ 25.957293] save_stack+0x43/0xd0 [ 25.960713] __kasan_slab_free+0x11a/0x170 [ 25.964914] kasan_slab_free+0xe/0x10 [ 25.968681] kfree+0xd9/0x260 [ 25.971751] kvfree+0x36/0x60 [ 25.974823] netdev_freemem+0x4c/0x60 [ 25.978587] netdev_release+0x10a/0x160 [ 25.982529] device_release+0x7c/0x210 [ 25.986381] kobject_put+0x14c/0x250 [ 25.990064] put_device+0x20/0x30 [ 25.993484] free_netdev+0x2f5/0x400 [ 25.997162] ppp_destroy_interface+0x2bc/0x390 [ 26.001707] ppp_release+0x12b/0x1a0 [ 26.005386] ppp_ioctl+0x3b1/0x2a50 [ 26.008983] do_vfs_ioctl+0x1b1/0x1520 [ 26.012839] compat_SyS_ioctl+0x4ef/0x2a30 [ 26.017044] do_fast_syscall_32+0x3ec/0xf9f [ 26.021332] entry_SYSENTER_compat+0x70/0x7f [ 26.025701] [ 26.027296] The buggy address belongs to the object at ffff8801b2668a80 [ 26.027296] which belongs to the cache kmalloc-4096 of size 4096 [ 26.040090] The buggy address is located 2944 bytes inside of [ 26.040090] 4096-byte region [ffff8801b2668a80, ffff8801b2669a80) [ 26.052103] The buggy address belongs to the page: [ 26.056996] page:ffffea0006c99a00 count:1 mapcount:0 mapping:ffff8801b2668a80 index:0x0 compound_mapcount: 0 [ 26.066930] flags: 0x2fffc0000008100(slab|head) [ 26.071566] raw: 02fffc0000008100 ffff8801b2668a80 0000000000000000 0000000100000001 [ 26.079411] raw: ffffea0006c84e20 ffffea0006c99aa0 ffff8801dac00dc0 0000000000000000 [ 26.087257] page dumped because: kasan: bad access detected [ 26.092929] [ 26.094534] Memory state around the buggy address: [ 26.099427] ffff8801b2669500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 26.106749] ffff8801b2669580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 26.114079] >ffff8801b2669600: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 26.121405] ^ [ 26.124738] ffff8801b2669680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 26.132061] ffff8801b2669700: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 26.139386] ================================================================== [ 26.146711] Disabling lock debugging due to kernel taint [ 26.152125] Kernel panic - not syncing: panic_on_warn set ... [ 26.152125] [ 26.159454] CPU: 0 PID: 4243 Comm: syz-executor0 Tainted: G B 4.16.0-rc3+ #242 [ 26.167994] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 26.177317] Call Trace: [ 26.179875] dump_stack+0x194/0x24d [ 26.183469] ? arch_local_irq_restore+0x53/0x53 [ 26.188108] ? kasan_end_report+0x32/0x50 [ 26.192224] ? lock_downgrade+0x980/0x980 [ 26.196338] ? vsnprintf+0x1ed/0x1900 [ 26.200108] ? __lock_acquire+0x3d30/0x3e00 [ 26.204398] panic+0x1e4/0x41c [ 26.207563] ? refcount_error_report+0x214/0x214 [ 26.212284] ? add_taint+0x40/0x50 [ 26.215793] ? add_taint+0x1c/0x50 [ 26.219298] ? __lock_acquire+0x3d4d/0x3e00 [ 26.223587] kasan_end_report+0x50/0x50 [ 26.227527] kasan_report+0x148/0x360 [ 26.231309] __asan_report_load8_noabort+0x14/0x20 [ 26.236205] __lock_acquire+0x3d4d/0x3e00 [ 26.240334] ? print_irqtrace_events+0x270/0x270 [ 26.245063] ? remove_wait_queue+0x81/0x350 [ 26.249356] ? debug_check_no_locks_freed+0x3c0/0x3c0 [ 26.254512] ? __lock_acquire+0x664/0x3e00 [ 26.258718] ? debug_check_no_locks_freed+0x3c0/0x3c0 [ 26.263874] ? lock_acquire+0x1d5/0x580 [ 26.267822] ? lock_acquire+0x1d5/0x580 [ 26.271764] ? ep_free+0xf4/0x320 [ 26.275186] ? lock_release+0xa40/0xa40 [ 26.279126] ? check_same_owner+0x320/0x320 [ 26.283412] ? trace_hardirqs_off+0x10/0x10 [ 26.287701] ? print_irqtrace_events+0x270/0x270 [ 26.292423] ? rcu_note_context_switch+0x710/0x710 [ 26.297321] ? __might_sleep+0x95/0x190 [ 26.301267] ? ep_free+0xf4/0x320 [ 26.304687] ? __mutex_lock+0x16f/0x1a80 [ 26.308711] ? ep_free+0xf4/0x320 [ 26.312133] ? find_held_lock+0x35/0x1d0 [ 26.316160] ? print_irqtrace_events+0x270/0x270 [ 26.320880] ? ep_free+0xf4/0x320 [ 26.324299] lock_acquire+0x1d5/0x580 [ 26.328067] ? lock_acquire+0x1d5/0x580 [ 26.332011] ? remove_wait_queue+0x81/0x350 [ 26.336311] ? lock_release+0xa40/0xa40 [ 26.340257] ? lock_acquire+0x1d5/0x580 [ 26.344197] ? debug_check_no_locks_freed+0x3c0/0x3c0 [ 26.349359] ? lock_acquire+0x1d5/0x580 [ 26.353301] ? ep_unregister_pollwait.isra.7+0x323/0x590 [ 26.358718] _raw_spin_lock_irqsave+0x96/0xc0 [ 26.363177] ? remove_wait_queue+0x81/0x350 [ 26.367463] remove_wait_queue+0x81/0x350 [ 26.371587] ? depot_save_stack+0x2ca/0x460 [ 26.375873] ? add_wait_queue+0x290/0x290 [ 26.379987] ? rcutorture_record_progress+0x10/0x10 [ 26.384970] ? lock_release+0xa40/0xa40 [ 26.388913] ? is_bpf_text_address+0xa4/0x120 [ 26.393374] ep_unregister_pollwait.isra.7+0x18c/0x590 [ 26.398617] ? unwind_get_return_address+0x61/0xa0 [ 26.403512] ? clear_tfile_check_list+0x370/0x370 [ 26.408324] ? depot_save_stack+0x2ca/0x460 [ 26.412613] ? save_stack+0xa3/0xd0 [ 26.416207] ? locks_remove_file+0x3fa/0x5a0 [ 26.420581] ep_free+0x13f/0x320 [ 26.423915] ? ep_remove+0x800/0x800 [ 26.427596] ? fsnotify_first_mark+0x2b0/0x2b0 [ 26.432143] ? ep_free+0x320/0x320 [ 26.435647] ep_eventpoll_release+0x44/0x60 [ 26.439934] __fput+0x327/0x7e0 [ 26.443181] ? fput+0x140/0x140 [ 26.446430] ? _raw_spin_unlock_irq+0x27/0x70 [ 26.450890] ____fput+0x15/0x20 [ 26.454137] task_work_run+0x199/0x270 [ 26.457993] ? task_work_cancel+0x210/0x210 [ 26.462282] ? _raw_spin_unlock+0x22/0x30 [ 26.466395] ? switch_task_namespaces+0x87/0xc0 [ 26.471033] do_exit+0x9bb/0x1ad0 [ 26.474455] ? mm_update_next_owner+0x930/0x930 [ 26.479092] ? avc_ss_reset+0x110/0x110 [ 26.483038] ? mutex_unlock+0xd/0x10 [ 26.486719] ? SyS_epoll_ctl+0x30a/0x1a80 [ 26.490833] ? find_held_lock+0x35/0x1d0 [ 26.494862] ? SyS_epoll_create+0x240/0x240 [ 26.499148] ? lock_downgrade+0x980/0x980 [ 26.503265] ? check_same_owner+0x320/0x320 [ 26.507556] ? ppp_unregister_channel+0x660/0x660 [ 26.512365] ? do_vfs_ioctl+0x486/0x1520 [ 26.516399] ? ioctl_preallocate+0x2b0/0x2b0 [ 26.520774] ? selinux_capable+0x40/0x40 [ 26.524799] ? compat_SyS_epoll_pwait+0x4f0/0x4f0 [ 26.529609] ? compat_SyS_futex+0x288/0x380 [ 26.533897] do_group_exit+0x149/0x400 [ 26.537753] ? compat_SyS_get_robust_list+0x300/0x300 [ 26.542909] ? security_file_ioctl+0x89/0xb0 [ 26.547283] ? SyS_exit+0x30/0x30 [ 26.550705] ? compat_SyS_ioctl+0x77/0x2a30 [ 26.555001] ? do_fast_syscall_32+0x156/0xf9f [ 26.559464] ? do_group_exit+0x400/0x400 [ 26.563491] SyS_exit_group+0x1d/0x20 [ 26.567256] do_fast_syscall_32+0x3ec/0xf9f [ 26.571545] ? do_int80_syscall_32+0x9c0/0x9c0 [ 26.576095] ? trace_hardirqs_on_thunk+0x1a/0x1c [ 26.580816] ? syscall_return_slowpath+0x2ac/0x550 [ 26.585714] ? prepare_exit_to_usermode+0x350/0x350 [ 26.590699] ? sysret32_from_system_call+0x5/0x3c [ 26.595511] ? trace_hardirqs_off_thunk+0x1a/0x1c [ 26.600320] entry_SYSENTER_compat+0x70/0x7f [ 26.604693] RIP: 0023:0xf7fc4c99 [ 26.608023] RSP: 002b:00000000ff9c601c EFLAGS: 00000286 ORIG_RAX: 00000000000000fc [ 26.615699] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 0000000000000000 [ 26.622935] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000 [ 26.630175] RBP: 00000000080a2b05 R08: 0000000000000000 R09: 0000000000000000 [ 26.637412] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000 [ 26.644648] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000 [ 26.652336] Dumping ftrace buffer: [ 26.655849] (ftrace buffer empty) [ 26.659532] Kernel Offset: disabled [ 26.663129] Rebooting in 86400 seconds..