[ ok ] Starting enhanced syslogd: rsyslogd.
[   18.225069] audit: type=1400 audit(1521068953.571:5): avc: denied { syslog } for pid=4136 comm="rsyslogd" capability=34 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=capability2 permissive=1
[ ok ] Starting periodic command scheduler: cron.
Starting mcstransd:
[ ok ] Starting file context maintaining daemon: restorecond.
[ ok ] Starting OpenBSD Secure Shell server: sshd.

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [   23.443245] audit: type=1400 audit(1521068958.790:6): avc: denied { map } for pid=4275 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
Warning: Permanently added '10.128.0.39' (ECDSA) to the list of known hosts.
[   29.757447] audit: type=1400 audit(1521068965.104:7): avc: denied { map } for pid=4289 comm="syz-execprog" path="/root/syz-execprog" dev="sda1" ino=16479 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
2018/03/14 23:09:25 parsed 1 programs
2018/03/14 23:09:25 executed programs: 0
[   29.992059] audit: type=1400 audit(1521068965.338:8): avc: denied { map } for pid=4289 comm="syz-execprog" path="/root/syzkaller-shm571371270" dev="sda1" ino=16482 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:file_t:s0 tclass=file permissive=1
[   30.002333] IPVS: ftp: loaded support on port[0] = 21
[   30.049657] ==================================================================
[   30.057103] BUG: KASAN: use-after-free in ucma_close+0x2d7/0x2f0
[   30.063225] Read of size 8 at addr ffff8801af2dc1c0 by task syz-executor0/4298
[   30.070562] 
[   30.072163] CPU: 1 PID: 4298 Comm: syz-executor0 Not tainted 4.16.0-rc5+ #263
[   30.079406] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   30.088736] Call Trace:
[   30.091300]  dump_stack+0x194/0x24d
[   30.094911]  ? arch_local_irq_restore+0x53/0x53
[   30.099553]  ? show_regs_print_info+0x18/0x18
[   30.104016]  ? save_stack+0xa3/0xd0
[   30.107621]  ? ucma_close+0x2d7/0x2f0
[   30.111393]  print_address_description+0x73/0x250
[   30.116212]  ? ucma_close+0x2d7/0x2f0
[   30.119982]  kasan_report+0x23c/0x360
[   30.123765]  __asan_report_load8_noabort+0x14/0x20
[   30.128675]  ucma_close+0x2d7/0x2f0
[   30.132274]  ? __might_sleep+0x95/0x190
[   30.136219]  ? ucma_free_ctx+0xd90/0xd90
[   30.140254]  __fput+0x327/0x7e0
[   30.143510]  ? fput+0x140/0x140
[   30.146764]  ? _raw_spin_unlock_irq+0x27/0x70
[   30.151236]  ____fput+0x15/0x20
[   30.154490]  task_work_run+0x199/0x270
[   30.158350]  ? task_work_cancel+0x210/0x210
[   30.162647]  ? _raw_spin_unlock+0x22/0x30
[   30.166765]  ? switch_task_namespaces+0x87/0xc0
[   30.171413]  do_exit+0x9bb/0x1ad0
[   30.174838]  ? ucma_create_id+0x45b/0x620
[   30.178978]  ? mm_update_next_owner+0x930/0x930
[   30.183620]  ? ucma_create_id+0x17b/0x620
[   30.187738]  ? ucma_get_event+0xa90/0xa90
[   30.191868]  ? __might_sleep+0x95/0x190
[   30.195819]  ? kasan_check_write+0x14/0x20
[   30.200028]  ? _copy_from_user+0x99/0x110
[   30.204172]  ? ucma_write+0x11f/0x3d0
[   30.207944]  ? ucma_get_event+0xa90/0xa90
[   30.212067]  ? ucma_resolve_route+0x1a0/0x1a0
[   30.216551]  ? ucma_resolve_route+0x1a0/0x1a0
[   30.221018]  ? __vfs_write+0xf7/0x970
[   30.224792]  ? rcu_note_context_switch+0x710/0x710
[   30.229693]  ? kernel_read+0x120/0x120
[   30.233563]  ? __might_sleep+0x95/0x190
[   30.237516]  ? _cond_resched+0x14/0x30
[   30.241377]  ? __inode_security_revalidate+0xd9/0x130
[   30.246540]  ? avc_policy_seqno+0x9/0x20
[   30.250579]  ? security_file_permission+0x89/0x1e0
[   30.255501]  ? compat_SyS_futex+0x288/0x380
[   30.259791]  ? vfs_write+0x224/0x510
[   30.263497]  do_group_exit+0x149/0x400
[   30.267355]  ? compat_SyS_get_robust_list+0x300/0x300
[   30.272512]  ? SyS_write+0x184/0x220
[   30.276195]  ? __do_page_fault+0x3d6/0xc90
[   30.280405]  ? SyS_exit+0x30/0x30
[   30.283830]  ? SyS_read+0x220/0x220
[   30.287433]  ? do_fast_syscall_32+0x156/0xf9f
[   30.291905]  ? do_group_exit+0x400/0x400
[   30.295943]  SyS_exit_group+0x1d/0x20
[   30.299719]  do_fast_syscall_32+0x3ec/0xf9f
[   30.304018]  ? do_int80_syscall_32+0x9c0/0x9c0
[   30.308574]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[   30.313303]  ? syscall_return_slowpath+0x2ac/0x550
[   30.318204]  ? prepare_exit_to_usermode+0x350/0x350
[   30.323201]  ? sysret32_from_system_call+0x5/0x3c
[   30.328033]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   30.332856]  entry_SYSENTER_compat+0x70/0x7f
[   30.337238] RIP: 0023:0xf7f2cc99
[   30.340574] RSP: 002b:00000000ff9d630c EFLAGS: 00000282 ORIG_RAX: 00000000000000fc
[   30.348267] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 0000000000000000
[   30.355509] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000
[   30.362751] RBP: 00000000080a2c25 R08: 0000000000000000 R09: 0000000000000000
[   30.370005] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
[   30.377249] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[   30.384515] 
[   30.386123] Allocated by task 4298:
[   30.389729]  save_stack+0x43/0xd0
[   30.393154]  kasan_kmalloc+0xad/0xe0
[   30.396839]  kmem_cache_alloc_trace+0x136/0x740
[   30.401480]  ucma_alloc_ctx+0xce/0x610
[   30.405339]  ucma_create_id+0x205/0x620
[   30.409290]  ucma_write+0x2d6/0x3d0
[   30.412893]  __vfs_write+0xef/0x970
[   30.416489]  vfs_write+0x189/0x510
[   30.420001]  SyS_write+0xef/0x220
[   30.423430]  do_fast_syscall_32+0x3ec/0xf9f
[   30.427725]  entry_SYSENTER_compat+0x70/0x7f
[   30.432103] 
[   30.433702] Freed by task 4298:
[   30.436955]  save_stack+0x43/0xd0
[   30.440381]  __kasan_slab_free+0x11a/0x170
[   30.444600]  kasan_slab_free+0xe/0x10
[   30.448374]  kfree+0xd9/0x260
[   30.451453]  ucma_create_id+0x45b/0x620
[   30.455416]  ucma_write+0x2d6/0x3d0
[   30.459015]  __vfs_write+0xef/0x970
[   30.462621]  vfs_write+0x189/0x510
[   30.466144]  SyS_write+0xef/0x220
[   30.469570]  do_fast_syscall_32+0x3ec/0xf9f
[   30.473865]  entry_SYSENTER_compat+0x70/0x7f
[   30.478242] 
[   30.479846] The buggy address belongs to the object at ffff8801af2dc140
[   30.479846]  which belongs to the cache kmalloc-256 of size 256
[   30.492484] The buggy address is located 128 bytes inside of
[   30.492484]  256-byte region [ffff8801af2dc140, ffff8801af2dc240)
[   30.504330] The buggy address belongs to the page:
[   30.509231] page:ffffea0006bcb700 count:1 mapcount:0 mapping:ffff8801af2dc000 index:0x0
[   30.517356] flags: 0x2fffc0000000100(slab)
[   30.521566] raw: 02fffc0000000100 ffff8801af2dc000 0000000000000000 000000010000000c
[   30.529427] raw: ffffea0006bcc820 ffffea0006bcbba0 ffff8801dac007c0 0000000000000000
[   30.537286] page dumped because: kasan: bad access detected
[   30.542969] 
[   30.544568] Memory state around the buggy address:
[   30.549470]  ffff8801af2dc080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   30.556810]  ffff8801af2dc100: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
[   30.564154] >ffff8801af2dc180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   30.571489]                                            ^
[   30.576909]  ffff8801af2dc200: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[   30.584239]  ffff8801af2dc280: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   30.591567] ==================================================================
[   30.598895] Disabling lock debugging due to kernel taint
[   30.604373] Kernel panic - not syncing: panic_on_warn set ...
[   30.604373] 
[   30.611734] CPU: 1 PID: 4298 Comm: syz-executor0 Tainted: G    B            4.16.0-rc5+ #263
[   30.620279] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   30.629611] Call Trace:
[   30.632174]  dump_stack+0x194/0x24d
[   30.635777]  ? arch_local_irq_restore+0x53/0x53
[   30.640428]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[   30.645158]  ? vsnprintf+0x1ed/0x1900
[   30.648929]  ? ucma_close+0x210/0x2f0
[   30.652699]  panic+0x1e4/0x41c
[   30.655862]  ? refcount_error_report+0x214/0x214
[   30.660589]  ? add_taint+0x1c/0x50
[   30.664099]  ? add_taint+0x1c/0x50
[   30.667611]  ? ucma_close+0x2d7/0x2f0
[   30.671406]  kasan_end_report+0x50/0x50
[   30.675361]  kasan_report+0x149/0x360
[   30.679134]  __asan_report_load8_noabort+0x14/0x20
[   30.684033]  ucma_close+0x2d7/0x2f0
[   30.687640]  ? __might_sleep+0x95/0x190
[   30.691585]  ? ucma_free_ctx+0xd90/0xd90
[   30.695619]  __fput+0x327/0x7e0
[   30.698875]  ? fput+0x140/0x140
[   30.702126]  ? _raw_spin_unlock_irq+0x27/0x70
[   30.706595]  ____fput+0x15/0x20
[   30.709847]  task_work_run+0x199/0x270
[   30.713707]  ? task_work_cancel+0x210/0x210
[   30.718010]  ? _raw_spin_unlock+0x22/0x30
[   30.722128]  ? switch_task_namespaces+0x87/0xc0
[   30.726766]  do_exit+0x9bb/0x1ad0
[   30.730190]  ? ucma_create_id+0x45b/0x620
[   30.734309]  ? mm_update_next_owner+0x930/0x930
[   30.738951]  ? ucma_create_id+0x17b/0x620
[   30.743073]  ? ucma_get_event+0xa90/0xa90
[   30.747197]  ? __might_sleep+0x95/0x190
[   30.751146]  ? kasan_check_write+0x14/0x20
[   30.755362]  ? _copy_from_user+0x99/0x110
[   30.759490]  ? ucma_write+0x11f/0x3d0
[   30.763257]  ? ucma_get_event+0xa90/0xa90
[   30.767373]  ? ucma_resolve_route+0x1a0/0x1a0
[   30.771850]  ? ucma_resolve_route+0x1a0/0x1a0
[   30.776318]  ? __vfs_write+0xf7/0x970
[   30.780090]  ? rcu_note_context_switch+0x710/0x710
[   30.784998]  ? kernel_read+0x120/0x120
[   30.788856]  ? __might_sleep+0x95/0x190
[   30.792801]  ? _cond_resched+0x14/0x30
[   30.796661]  ? __inode_security_revalidate+0xd9/0x130
[   30.801819]  ? avc_policy_seqno+0x9/0x20
[   30.805858]  ? security_file_permission+0x89/0x1e0
[   30.810768]  ? compat_SyS_futex+0x288/0x380
[   30.815055]  ? vfs_write+0x224/0x510
[   30.818742]  do_group_exit+0x149/0x400
[   30.822598]  ? compat_SyS_get_robust_list+0x300/0x300
[   30.827756]  ? SyS_write+0x184/0x220
[   30.831449]  ? __do_page_fault+0x3d6/0xc90
[   30.835652]  ? SyS_exit+0x30/0x30
[   30.839076]  ? SyS_read+0x220/0x220
[   30.842674]  ? do_fast_syscall_32+0x156/0xf9f
[   30.847140]  ? do_group_exit+0x400/0x400
[   30.851174]  SyS_exit_group+0x1d/0x20
[   30.854945]  do_fast_syscall_32+0x3ec/0xf9f
[   30.859237]  ? do_int80_syscall_32+0x9c0/0x9c0
[   30.863790]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[   30.868519]  ? syscall_return_slowpath+0x2ac/0x550
[   30.873419]  ? prepare_exit_to_usermode+0x350/0x350
[   30.878407]  ? sysret32_from_system_call+0x5/0x3c
[   30.883223]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   30.888057]  entry_SYSENTER_compat+0x70/0x7f
[   30.892453] RIP: 0023:0xf7f2cc99
[   30.895801] RSP: 002b:00000000ff9d630c EFLAGS: 00000282 ORIG_RAX: 00000000000000fc
[   30.903499] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 0000000000000000
[   30.910754] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000
[   30.917997] RBP: 00000000080a2c25 R08: 0000000000000000 R09: 0000000000000000
[   30.925245] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
[   30.932483] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[   30.940412] Dumping ftrace buffer:
[   30.943927]    (ftrace buffer empty)
[   30.947613] Kernel Offset: disabled
[   30.951215] Rebooting in 86400 seconds..
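Added triage example, not part of the syzkaller log above and not syzkaller's own report parser: a small Python script that pulls the facts a reviewer needs out of a generic-KASAN report (bug class, faulting site, the first non-allocator frame of the alloc and free stacks, object geometry) and cross-checks the "128 bytes inside" statement against the shadow bytes. The SAMPLE_REPORT string is an excerpt copied from the report above with the lower, unrelated frames dropped; the shadow-byte meanings used in the comments are the generic KASAN values (0x00 addressable, 0xfb freed slab object, 0xfc slab redzone). All function names are this example's own.

```python
# Triage helper for a generic-KASAN report: extract the key facts and cross-check them.
import re

# Constructed excerpt of the report above, trimmed to the lines the parser needs.
SAMPLE_REPORT = """\
[   30.057103] BUG: KASAN: use-after-free in ucma_close+0x2d7/0x2f0
[   30.063225] Read of size 8 at addr ffff8801af2dc1c0 by task syz-executor0/4298
[   30.386123] Allocated by task 4298:
[   30.389729]  save_stack+0x43/0xd0
[   30.393154]  kasan_kmalloc+0xad/0xe0
[   30.396839]  kmem_cache_alloc_trace+0x136/0x740
[   30.401480]  ucma_alloc_ctx+0xce/0x610
[   30.405339]  ucma_create_id+0x205/0x620
[   30.433702] Freed by task 4298:
[   30.436955]  save_stack+0x43/0xd0
[   30.440381]  __kasan_slab_free+0x11a/0x170
[   30.444600]  kasan_slab_free+0xe/0x10
[   30.448374]  kfree+0xd9/0x260
[   30.451453]  ucma_create_id+0x45b/0x620
[   30.479846] The buggy address belongs to the object at ffff8801af2dc140
[   30.479846]  which belongs to the cache kmalloc-256 of size 256
[   30.549470]  ffff8801af2dc080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   30.556810]  ffff8801af2dc100: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
[   30.564154] >ffff8801af2dc180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   30.576909]  ffff8801af2dc200: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[   30.584239]  ffff8801af2dc280: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
"""

TS_RE = re.compile(r"^\[\s*\d+\.\d+\] ?")
BUG_RE = re.compile(r"BUG: KASAN: (?P<bug>[\w-]+) in (?P<site>\S+)")
ACCESS_RE = re.compile(r"(?P<rw>Read|Write) of size (?P<size>\d+) at addr (?P<addr>[0-9a-f]+) by task (?P<task>\S+)/(?P<pid>\d+)")
FRAME_RE = re.compile(r"^\s*(?P<func>[\w.]+)\+0x[0-9a-f]+/0x[0-9a-f]+$")
OBJECT_RE = re.compile(r"object at (?P<base>[0-9a-f]+)")
CACHE_RE = re.compile(r"cache (?P<cache>\S+) of size (?P<size>\d+)")
# One shadow byte per 8-byte granule: 00 addressable, fb freed slab object, fc slab redzone.
SHADOW_RE = re.compile(r"^>?\s*(?P<addr>[0-9a-f]{16}): (?P<bytes>(?:[0-9a-f]{2} ?){16})$")
# Frames that belong to KASAN or the slab allocator, never to the code under suspicion.
NOISE = ("save_stack", "kasan_", "__kasan_", "kmem_cache_", "kmalloc", "__kmalloc", "kfree")

def parse_kasan_report(text):
    """Return a dict of the report's key fields; 'shadow' maps granule address -> byte."""
    rep = {"alloc_stack": [], "free_stack": [], "shadow": {}, "base": None}
    section = None
    for raw in text.splitlines():
        line = TS_RE.sub("", raw).rstrip()
        if section is not None:
            if (m := FRAME_RE.match(line)):
                section.append(m["func"])
                continue
            section = None  # the first non-frame line closes a stack section
        if line.startswith("Allocated by task"):
            section = rep["alloc_stack"]
        elif line.startswith("Freed by task"):
            section = rep["free_stack"]
        elif (m := BUG_RE.search(line)):
            rep["bug"], rep["site"] = m["bug"], m["site"]
        elif (m := ACCESS_RE.search(line)):
            rep["rw"], rep["size"], rep["addr"] = m["rw"], int(m["size"]), int(m["addr"], 16)
            rep["task"], rep["pid"] = m["task"], int(m["pid"])
        elif (m := OBJECT_RE.search(line)):
            rep["base"] = int(m["base"], 16)
        elif (m := CACHE_RE.search(line)):
            rep["cache"], rep["obj_size"] = m["cache"], int(m["size"])
        elif (m := SHADOW_RE.match(line)):
            base = int(m["addr"], 16)
            for i, b in enumerate(m["bytes"].split()):
                rep["shadow"][base + 8 * i] = int(b, 16)
    if rep["base"] is not None:
        rep["offset"] = rep["addr"] - rep["base"]  # what the report states in prose
    return rep

def blame(stack):
    """First frame that is neither KASAN nor the allocator: where to start reading source."""
    return next((f for f in stack if not f.startswith(NOISE)), None)

def shadow_at(rep, addr):
    return rep["shadow"].get(addr & ~7)

def freed_region_around(rep, addr):
    """Extent of the 0xfb run containing addr: the freed object as the shadow sees it."""
    g = addr & ~7
    if rep["shadow"].get(g) != 0xfb:
        return None
    lo, hi = g, g + 8
    while rep["shadow"].get(lo - 8) == 0xfb:
        lo -= 8
    while rep["shadow"].get(hi) == 0xfb:
        hi += 8
    return lo, hi

def consistent(rep):
    """The shadow-derived freed object must match the geometry the report states in prose."""
    region = freed_region_around(rep, rep["addr"])
    return region == (rep["base"], rep["base"] + rep["obj_size"]) and 0 <= rep["offset"] < rep["obj_size"]

if __name__ == "__main__":
    r = parse_kasan_report(SAMPLE_REPORT)
    print(r["bug"], r["site"], "+%d into %s, alloc %s, free %s, shadow %#x, consistent %s" % (
        r["offset"], r["cache"], blame(r["alloc_stack"]), blame(r["free_stack"]),
        shadow_at(r, r["addr"]), consistent(r)))
```

Run on the excerpt it reports an 8-byte read in ucma_close landing 128 bytes into a kmalloc-256 object allocated through ucma_alloc_ctx and already freed by ucma_create_id, with the shadow's 0xfb run exactly [ffff8801af2dc140, ffff8801af2dc240): the whole object is freed, not a trailing slice, so the report's own geometry is self-consistent. The same task allocates, frees and then touches the object at exit via __fput, the shape of a per-file context released on an error path while still reachable from the file's state. Because the fuzzer kernel boots with panic_on_warn, the report is followed by a panic and reboot; the second call trace is the panic path, not a second bug.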