syzkaller login: [   43.298045] audit: type=1400 audit(1569203900.838:35): avc: denied { map } for pid=7594 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
Warning: Permanently added '10.128.10.34' (ECDSA) to the list of known hosts.
executing program
[   49.737750] audit: type=1400 audit(1569203907.278:36): avc: denied { map } for pid=7606 comm="syz-executor857" path="/root/syz-executor857973262" dev="sda1" ino=16483 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
[   49.758348] FAULT_INJECTION: forcing a failure.
[   49.758348] name failslab, interval 1, probability 0, space 0, times 1
[   49.775610] CPU: 0 PID: 7606 Comm: syz-executor857 Not tainted 4.19.75 #0
[   49.782531] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   49.791959] Call Trace:
[   49.794533]  dump_stack+0x172/0x1f0
[   49.798149]  should_fail.cold+0xa/0x1b
[   49.802020]  ? fault_create_debugfs_attr+0x1e0/0x1e0
[   49.807109]  ? lock_downgrade+0x810/0x810
[   49.811248]  __should_failslab+0x121/0x190
[   49.815467]  should_failslab+0x9/0x14
[   49.819256]  kmem_cache_alloc_trace+0x2cc/0x760
[   49.823925]  ? kasan_check_read+0x11/0x20
[   49.828080]  cma_alloc_port+0x4d/0x190
[   49.831951]  rdma_bind_addr+0x165a/0x1f80
[   49.836101]  ? ucma_get_ctx+0x82/0x160
[   49.839979]  ? cma_ndev_work_handler+0x1b0/0x1b0
[   49.844719]  ? lock_downgrade+0x810/0x810
[   49.848854]  rdma_resolve_addr+0x438/0x2140
[   49.853165]  ? kasan_check_write+0x14/0x20
[   49.857386]  ? __mutex_unlock_slowpath+0xf8/0x6b0
[   49.862214]  ? lock_downgrade+0x810/0x810
[   49.866345]  ? __radix_tree_lookup+0x219/0x380
[   49.870913]  ? rdma_bind_addr+0x1f80/0x1f80
[   49.875238]  ucma_resolve_ip+0x153/0x210
[   49.879299]  ? ucma_query+0x820/0x820
[   49.883106]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[   49.888628]  ? _copy_from_user+0xdd/0x150
[   49.892776]  ucma_write+0x2d7/0x3c0
[   49.896403]  ? ucma_query+0x820/0x820
[   49.900202]  ? ucma_open+0x290/0x290
[   49.903904]  __vfs_write+0x114/0x810
[   49.907607]  ? ucma_open+0x290/0x290
[   49.911310]  ? kernel_read+0x120/0x120
[   49.915188]  ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20
[   49.920711]  ? __inode_security_revalidate+0xda/0x120
[   49.925883]  ? avc_policy_seqno+0xd/0x70
[   49.929937]  ? __sanitizer_cov_trace_cmp4+0x16/0x20
[   49.934936]  ? selinux_file_permission+0x92/0x550
[   49.939766]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   49.945303]  ? security_file_permission+0x89/0x230
[   49.950221]  ? rw_verify_area+0x118/0x360
[   49.954355]  vfs_write+0x20c/0x560
[   49.957884]  ksys_write+0x14f/0x2d0
[   49.961513]  ? __ia32_sys_read+0xb0/0xb0
[   49.965574]  ? do_syscall_64+0x26/0x620
[   49.969534]  ? entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   49.974903]  ? do_syscall_64+0x26/0x620
[   49.978868]  __x64_sys_write+0x73/0xb0
[   49.982742]  do_syscall_64+0xfd/0x620
[   49.986576]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   49.991762] RIP: 0033:0x4406d9
[   49.994941] Code: 18 89 d0 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 5b 14 fc ff c3 66 2e 0f 1f 84 00 00 00 00
[   50.013830] RSP: 002b:00007ffd50d9f058 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
[   50.021525] RAX: ffffffffffffffda RBX: 00007ffd50d9f060 RCX: 00000000004406d9
[   50.028819] RDX: 0000000000000048 RSI: 00000000200000c0 RDI: 0000000000000003
[   50.036073] RBP: 0000000000000004 R08: 0000000000000001 R09: 00007ffd50d90031
[   50.043355] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000401fc0
[   50.050608] R13: 0000000000402050 R14: 0000000000000000 R15: 0000000000000000
[   50.061411] ==================================================================
[   50.068879] BUG: KASAN: use-after-free in wait_consider_task+0x1b51/0x3910
[   50.075874] Read of size 4 at addr ffff88809f0ca46c by task sshd/7604
[   50.082429]
[   50.084042] CPU: 1 PID: 7604 Comm: sshd Not tainted 4.19.75 #0
[   50.090002] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   50.099335] Call Trace:
[   50.101913]  dump_stack+0x172/0x1f0
[   50.105526]  ? wait_consider_task+0x1b51/0x3910
[   50.110182]  print_address_description.cold+0x7c/0x20d
[   50.115443]  ? wait_consider_task+0x1b51/0x3910
[   50.120094]  kasan_report.cold+0x8c/0x2ba
[   50.124227]  __asan_report_load4_noabort+0x14/0x20
[   50.129154]  wait_consider_task+0x1b51/0x3910
[   50.133671]  ? _raw_spin_unlock_irqrestore+0x6b/0xe0
[   50.138783]  ? add_wait_queue+0x112/0x170
[   50.142927]  ? release_task+0x1630/0x1630
[   50.147065]  ? lock_acquire+0x16f/0x3f0
[   50.151034]  ? do_wait+0x3aa/0x9d0
[   50.154563]  ? kasan_check_write+0x14/0x20
[   50.158785]  do_wait+0x439/0x9d0
[   50.162138]  ? wait_consider_task+0x3910/0x3910
[   50.166789]  ? mark_held_locks+0x100/0x100
[   50.171008]  kernel_wait4+0x171/0x290
[   50.174788]  ? __ia32_sys_waitid+0x140/0x140
[   50.179180]  ? task_stopped_code+0x180/0x180
[   50.183579]  __do_sys_wait4+0x147/0x160
[   50.187534]  ? kernel_wait4+0x290/0x290
[   50.191494]  ? kasan_check_read+0x11/0x20
[   50.195626]  ? _copy_to_user+0xc9/0x120
[   50.199600]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[   50.205119]  ? __x64_sys_rt_sigprocmask+0x21d/0x2e0
[   50.210130]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[   50.214868]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[   50.219615]  ? do_syscall_64+0x26/0x620
[   50.223574]  ? entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   50.228927]  ? do_syscall_64+0x26/0x620
[   50.232886]  __x64_sys_wait4+0x97/0xf0
[   50.236756]  do_syscall_64+0xfd/0x620
[   50.240543]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   50.245731] RIP: 0033:0x7fd131f8da3e
[   50.249430] Code: 90 90 90 90 90 90 90 90 90 90 90 90 48 83 ec 28 8b 05 c2 eb 2d 00 85 c0 75 1d 45 31 d2 48 63 d2 48 63 ff b8 3d 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 55 48 83 c4 28 c3 89 54 24 08 48 89 74 24 10
[   50.268315] RSP: 002b:00007ffeaf334e90 EFLAGS: 00000246 ORIG_RAX: 000000000000003d
[   50.276006] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007fd131f8da3e
[   50.283255] RDX: 0000000000000001 RSI: 00007ffeaf334ecc RDI: ffffffffffffffff
[   50.290514] RBP: 000055801abc5c88 R08: 00007ffeaf334f90 R09: 0101010101010101
[   50.297764] R10: 0000000000000000 R11: 0000000000000246 R12: 000055801c2dfc00
[   50.305023] R13: 000055801abc3fb4 R14: 0000000000000028 R15: 000055801abc5ca0
[   50.312282]
[   50.313890] Allocated by task 7604:
[   50.317506]  save_stack+0x45/0xd0
[   50.320940]  kasan_kmalloc+0xce/0xf0
[   50.324636]  kasan_slab_alloc+0xf/0x20
[   50.328503]  kmem_cache_alloc_node+0x144/0x710
[   50.333065]  copy_process.part.0+0x1ce0/0x7a30
[   50.337633]  _do_fork+0x257/0xfd0
[   50.341063]  __x64_sys_clone+0xbf/0x150
[   50.345017]  do_syscall_64+0xfd/0x620
[   50.348805]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   50.353969]
[   50.355573] Freed by task 0:
[   50.358575]  save_stack+0x45/0xd0
[   50.362006]  __kasan_slab_free+0x102/0x150
[   50.366219]  kasan_slab_free+0xe/0x10
[   50.370001]  kmem_cache_free+0x86/0x260
[   50.373955]  free_task+0xdd/0x120
[   50.377388]  __put_task_struct+0x20f/0x4c0
[   50.381612]  finish_task_switch+0x52b/0x780
[   50.385922]  __schedule+0x86e/0x1dc0
[   50.389625]  schedule_idle+0x58/0x80
[   50.393318]  do_idle+0x192/0x560
[   50.396663]  cpu_startup_entry+0xc8/0xe0
[   50.400705]  rest_init+0x219/0x222
[   50.404228]  start_kernel+0x88c/0x8c5
[   50.408012]  x86_64_start_reservations+0x29/0x2b
[   50.412756]  x86_64_start_kernel+0x77/0x7b
[   50.416972]  secondary_startup_64+0xa4/0xb0
[   50.421270]
[   50.422883] The buggy address belongs to the object at ffff88809f0ca000
[   50.422883]  which belongs to the cache task_struct of size 6080
[   50.435615] The buggy address is located 1132 bytes inside of
[   50.435615]  6080-byte region [ffff88809f0ca000, ffff88809f0cb7c0)
[   50.447650] The buggy address belongs to the page:
[   50.452580] page:ffffea00027c3280 count:1 mapcount:0 mapping:ffff88812c26d800 index:0x0 compound_mapcount: 0
[   50.462540] flags: 0x1fffc0000008100(slab|head)
[   50.467202] raw: 01fffc0000008100 ffffea00023eea88 ffffea000200b788 ffff88812c26d800
[   50.475061] raw: 0000000000000000 ffff88809f0ca000 0000000100000001 0000000000000000
[   50.482927] page dumped because: kasan: bad access detected
[   50.488620]
[   50.490230] Memory state around the buggy address:
[   50.495148]  ffff88809f0ca300: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   50.502514]  ffff88809f0ca380: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   50.509872] >ffff88809f0ca400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   50.517213]                                                           ^
[   50.523950]  ffff88809f0ca480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   50.531290]  ffff88809f0ca500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   50.538627] ==================================================================
[   50.545962] Disabling lock debugging due to kernel taint
[   50.551606] Kernel panic - not syncing: panic_on_warn set ...
[   50.551606]
[   50.558975] CPU: 1 PID: 7604 Comm: sshd Tainted: G B 4.19.75 #0
[   50.566312] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   50.575657] Call Trace:
[   50.578236]  dump_stack+0x172/0x1f0
[   50.581860]  ? wait_consider_task+0x1b51/0x3910
[   50.586525]  panic+0x263/0x507
[   50.589707]  ? __warn_printk+0xf3/0xf3
[   50.593579]  ? retint_kernel+0x2d/0x2d
[   50.597458]  ? trace_hardirqs_on+0x5e/0x220
[   50.601764]  ? wait_consider_task+0x1b51/0x3910
[   50.606420]  kasan_end_report+0x47/0x4f
[   50.610377]  kasan_report.cold+0xa9/0x2ba
[   50.614506]  __asan_report_load4_noabort+0x14/0x20
[   50.619417]  wait_consider_task+0x1b51/0x3910
[   50.623897]  ? _raw_spin_unlock_irqrestore+0x6b/0xe0
[   50.628980]  ? add_wait_queue+0x112/0x170
[   50.633107]  ? release_task+0x1630/0x1630
[   50.637233]  ? lock_acquire+0x16f/0x3f0
[   50.641186]  ? do_wait+0x3aa/0x9d0
[   50.644707]  ? kasan_check_write+0x14/0x20
[   50.648924]  do_wait+0x439/0x9d0
[   50.652274]  ? wait_consider_task+0x3910/0x3910
[   50.656931]  ? mark_held_locks+0x100/0x100
[   50.661144]  kernel_wait4+0x171/0x290
[   50.664924]  ? __ia32_sys_waitid+0x140/0x140
[   50.669313]  ? task_stopped_code+0x180/0x180
[   50.673700]  __do_sys_wait4+0x147/0x160
[   50.677653]  ? kernel_wait4+0x290/0x290
[   50.681620]  ? kasan_check_read+0x11/0x20
[   50.685750]  ? _copy_to_user+0xc9/0x120
[   50.689708]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[   50.695239]  ? __x64_sys_rt_sigprocmask+0x21d/0x2e0
[   50.700237]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[   50.704979]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[   50.709713]  ? do_syscall_64+0x26/0x620
[   50.713670]  ? entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   50.719030]  ? do_syscall_64+0x26/0x620
[   50.723003]  __x64_sys_wait4+0x97/0xf0
[   50.726876]  do_syscall_64+0xfd/0x620
[   50.730750]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   50.735924] RIP: 0033:0x7fd131f8da3e
[   50.739623] Code: 90 90 90 90 90 90 90 90 90 90 90 90 48 83 ec 28 8b 05 c2 eb 2d 00 85 c0 75 1d 45 31 d2 48 63 d2 48 63 ff b8 3d 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 55 48 83 c4 28 c3 89 54 24 08 48 89 74 24 10
[   50.758513] RSP: 002b:00007ffeaf334e90 EFLAGS: 00000246 ORIG_RAX: 000000000000003d
[   50.766220] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007fd131f8da3e
[   50.773486] RDX: 0000000000000001 RSI: 00007ffeaf334ecc RDI: ffffffffffffffff
[   50.780738] RBP: 000055801abc5c88 R08: 00007ffeaf334f90 R09: 0101010101010101
[   50.787989] R10: 0000000000000000 R11: 0000000000000246 R12: 000055801c2dfc00
[   50.795238] R13: 000055801abc3fb4 R14: 0000000000000028 R15: 000055801abc5ca0
[   50.803849] Kernel Offset: disabled
[   50.807473] Rebooting in 86400 seconds..