Warning: Permanently added '10.128.0.17' (ECDSA) to the list of known hosts.
executing program
[   49.861986] audit: type=1400 audit(1569334278.644:36): avc:  denied  { map } for  pid=7589 comm="syz-executor388" path="/root/syz-executor388317035" dev="sda1" ino=16483 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
[   49.875669] FAULT_INJECTION: forcing a failure.
[   49.875669] name failslab, interval 1, probability 0, space 0, times 1
[   49.900202] CPU: 1 PID: 7589 Comm: syz-executor388 Not tainted 4.19.75 #0
[   49.907161] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   49.916508] Call Trace:
[   49.919105]  dump_stack+0x172/0x1f0
[   49.922725]  should_fail.cold+0xa/0x1b
[   49.926606]  ? fault_create_debugfs_attr+0x1e0/0x1e0
[   49.931703]  ? lock_downgrade+0x810/0x810
[   49.935843]  __should_failslab+0x121/0x190
[   49.940065]  should_failslab+0x9/0x14
[   49.943852]  kmem_cache_alloc+0x2ae/0x700
[   49.948002]  ? save_stack+0xa9/0xd0
[   49.951618]  radix_tree_node_alloc.constprop.0+0x82/0x340
[   49.957145]  idr_get_free+0x50f/0xa13
[   49.960944]  idr_alloc_u32+0x1d6/0x390
[   49.964820]  ? __fprop_inc_percpu_max+0x230/0x230
[   49.969648]  ? cma_pernet_idr+0x13f/0x2e0
[   49.973873]  ? find_held_lock+0x35/0x130
[   49.977921]  ? cma_pernet_idr+0x13f/0x2e0
[   49.982068]  idr_alloc+0xe5/0x150
[   49.985507]  ? idr_alloc_u32+0x390/0x390
[   49.989552]  ? kasan_check_read+0x11/0x20
[   49.993684]  ? __sanitizer_cov_trace_switch+0x49/0x80
[   49.998874]  cma_alloc_port+0xab/0x190
[   50.002748]  rdma_bind_addr+0x165a/0x1f80
[   50.006882]  ? ucma_get_ctx+0x82/0x160
[   50.010755]  ? cma_ndev_work_handler+0x1b0/0x1b0
[   50.015501]  ? lock_downgrade+0x810/0x810
[   50.019648]  rdma_resolve_addr+0x438/0x2140
[   50.023956]  ? kasan_check_write+0x14/0x20
[   50.028177]  ? __mutex_unlock_slowpath+0xf8/0x6b0
[   50.033003]  ? lock_downgrade+0x810/0x810
[   50.037142]  ? __radix_tree_lookup+0x219/0x380
[   50.041722]  ? rdma_bind_addr+0x1f80/0x1f80
[   50.046035]  ucma_resolve_ip+0x153/0x210
[   50.050081]  ? ucma_query+0x820/0x820
[   50.053873]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[   50.059515]  ? _copy_from_user+0xdd/0x150
[   50.063659]  ucma_write+0x2d7/0x3c0
[   50.067273]  ? ucma_query+0x820/0x820
[   50.071057]  ? ucma_open+0x290/0x290
[   50.074763]  __vfs_write+0x114/0x810
[   50.078464]  ? ucma_open+0x290/0x290
[   50.082164]  ? kernel_read+0x120/0x120
[   50.086049]  ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20
[   50.091571]  ? __inode_security_revalidate+0xda/0x120
[   50.096766]  ? avc_policy_seqno+0xd/0x70
[   50.100836]  ? __sanitizer_cov_trace_cmp4+0x16/0x20
[   50.105846]  ? selinux_file_permission+0x92/0x550
[   50.110679]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   50.116204]  ? security_file_permission+0x89/0x230
[   50.121133]  ? rw_verify_area+0x118/0x360
[   50.125270]  vfs_write+0x20c/0x560
[   50.128801]  ksys_write+0x14f/0x2d0
[   50.132416]  ? __ia32_sys_read+0xb0/0xb0
[   50.136464]  ? do_syscall_64+0x26/0x620
[   50.140436]  ? entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   50.145798]  ? do_syscall_64+0x26/0x620
[   50.149764]  __x64_sys_write+0x73/0xb0
[   50.153643]  do_syscall_64+0xfd/0x620
[   50.157432]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   50.162606] RIP: 0033:0x440719
[   50.165796] Code: 18 89 d0 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 5b 14 fc ff c3 66 2e 0f 1f 84 00 00 00 00
[   50.184770] RSP: 002b:00007ffe4efd40b8 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
[   50.192478] RAX: ffffffffffffffda RBX: 00007ffe4efd40c0 RCX: 0000000000440719
[   50.199734] RDX: 0000000000000048 RSI: 0000000020000200 RDI: 0000000000000003
[   50.206991] RBP: 0000000000000004 R08: 0000000000000001 R09: 00007ffe4efd0032
[   50.214259] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000402000
[   50.221519] R13: 0000000000402090 R14: 0000000000000000 R15: 0000000000000000
[   50.232090] ==================================================================
[   50.239600] BUG: KASAN: use-after-free in wait_consider_task+0x1b51/0x3910
[   50.246637] Read of size 4 at addr ffff88809c1c856c by task sshd/7587
[   50.253202] 
[   50.254821] CPU: 0 PID: 7587 Comm: sshd Not tainted 4.19.75 #0
[   50.261114] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   50.270466] Call Trace:
[   50.273056]  dump_stack+0x172/0x1f0
[   50.276684]  ? wait_consider_task+0x1b51/0x3910
[   50.281351]  print_address_description.cold+0x7c/0x20d
[   50.286613]  ? wait_consider_task+0x1b51/0x3910
[   50.291271]  kasan_report.cold+0x8c/0x2ba
[   50.295407]  __asan_report_load4_noabort+0x14/0x20
[   50.300320]  wait_consider_task+0x1b51/0x3910
[   50.304805]  ? _raw_spin_unlock_irqrestore+0x6b/0xe0
[   50.309903]  ? add_wait_queue+0x112/0x170
[   50.314037]  ? release_task+0x1630/0x1630
[   50.318184]  ? lock_acquire+0x16f/0x3f0
[   50.322157]  ? do_wait+0x3aa/0x9d0
[   50.325686]  ? kasan_check_write+0x14/0x20
[   50.329919]  do_wait+0x439/0x9d0
[   50.333274]  ? wait_consider_task+0x3910/0x3910
[   50.337927]  ? mark_held_locks+0x100/0x100
[   50.342147]  kernel_wait4+0x171/0x290
[   50.345933]  ? __ia32_sys_waitid+0x140/0x140
[   50.350329]  ? task_stopped_code+0x180/0x180
[   50.354729]  __do_sys_wait4+0x147/0x160
[   50.358718]  ? kernel_wait4+0x290/0x290
[   50.362687]  ? kasan_check_read+0x11/0x20
[   50.366832]  ? _copy_to_user+0xc9/0x120
[   50.370795]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[   50.376341]  ? __x64_sys_rt_sigprocmask+0x21d/0x2e0
[   50.381358]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[   50.386118]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[   50.390868]  ? do_syscall_64+0x26/0x620
[   50.394842]  ? entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   50.400197]  ? do_syscall_64+0x26/0x620
[   50.404171]  __x64_sys_wait4+0x97/0xf0
[   50.408047]  do_syscall_64+0xfd/0x620
[   50.411835]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   50.417025] RIP: 0033:0x7f46eff2aa3e
[   50.420734] Code: 90 90 90 90 90 90 90 90 90 90 90 90 48 83 ec 28 8b 05 c2 eb 2d 00 85 c0 75 1d 45 31 d2 48 63 d2 48 63 ff b8 3d 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 55 48 83 c4 28 c3 89 54 24 08 48 89 74 24 10
[   50.439623] RSP: 002b:00007fff3c8f87f0 EFLAGS: 00000246 ORIG_RAX: 000000000000003d
[   50.447325] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f46eff2aa3e
[   50.454594] RDX: 0000000000000001 RSI: 00007fff3c8f882c RDI: ffffffffffffffff
[   50.461848] RBP: 000056545c9cfc88 R08: 00007fff3c8f88f0 R09: 0101010101010101
[   50.469116] R10: 0000000000000000 R11: 0000000000000246 R12: 000056545e29bc00
[   50.476426] R13: 000056545c9cdfb4 R14: 0000000000000028 R15: 000056545c9cfca0
[   50.483705] 
[   50.485327] Allocated by task 7587:
[   50.488946]  save_stack+0x45/0xd0
[   50.492387]  kasan_kmalloc+0xce/0xf0
[   50.496087]  kasan_slab_alloc+0xf/0x20
[   50.499962]  kmem_cache_alloc_node+0x144/0x710
[   50.504586]  copy_process.part.0+0x1ce0/0x7a30
[   50.509199]  _do_fork+0x257/0xfd0
[   50.512637]  __x64_sys_clone+0xbf/0x150
[   50.516599]  do_syscall_64+0xfd/0x620
[   50.520385]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   50.525553] 
[   50.527161] Freed by task 0:
[   50.530169]  save_stack+0x45/0xd0
[   50.533653]  __kasan_slab_free+0x102/0x150
[   50.537874]  kasan_slab_free+0xe/0x10
[   50.541658]  kmem_cache_free+0x86/0x260
[   50.545625]  free_task+0xdd/0x120
[   50.549103]  __put_task_struct+0x20f/0x4c0
[   50.553321]  finish_task_switch+0x52b/0x780
[   50.557683]  __schedule+0x86e/0x1dc0
[   50.561379]  schedule_idle+0x58/0x80
[   50.565077]  do_idle+0x192/0x560
[   50.568440]  cpu_startup_entry+0xc8/0xe0
[   50.572631]  start_secondary+0x3e8/0x5b0
[   50.576684]  secondary_startup_64+0xa4/0xb0
[   50.580986] 
[   50.582670] The buggy address belongs to the object at ffff88809c1c8100
[   50.582670]  which belongs to the cache task_struct of size 6080
[   50.595416] The buggy address is located 1132 bytes inside of
[   50.595416]  6080-byte region [ffff88809c1c8100, ffff88809c1c98c0)
[   50.607459] The buggy address belongs to the page:
[   50.612373] page:ffffea0002707200 count:1 mapcount:0 mapping:ffff88812c26d800 index:0x0 compound_mapcount: 0
[   50.622566] flags: 0x1fffc0000008100(slab|head)
[   50.627338] raw: 01fffc0000008100 ffffea00026d9688 ffffea00021ba388 ffff88812c26d800
[   50.635238] raw: 0000000000000000 ffff88809c1c8100 0000000100000001 0000000000000000
[   50.643113] page dumped because: kasan: bad access detected
[   50.649082] 
[   50.650691] Memory state around the buggy address:
[   50.655688]  ffff88809c1c8400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   50.663030]  ffff88809c1c8480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   50.670423] >ffff88809c1c8500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   50.677776]                                                           ^
[   50.684522]  ffff88809c1c8580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   50.692061]  ffff88809c1c8600: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   50.700027] ==================================================================
[   50.707369] Disabling lock debugging due to kernel taint
[   50.712944] Kernel panic - not syncing: panic_on_warn set ...
[   50.712944] 
[   50.720318] CPU: 0 PID: 7587 Comm: sshd Tainted: G    B             4.19.75 #0
[   50.727661] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   50.737014] Call Trace:
[   50.739594]  dump_stack+0x172/0x1f0
[   50.743206]  ? wait_consider_task+0x1b51/0x3910
[   50.747858]  panic+0x263/0x507
[   50.751033]  ? __warn_printk+0xf3/0xf3
[   50.754918]  ? retint_kernel+0x2d/0x2d
[   50.758789]  ? trace_hardirqs_on+0x5e/0x220
[   50.763093]  ? wait_consider_task+0x1b51/0x3910
[   50.767747]  kasan_end_report+0x47/0x4f
[   50.771716]  kasan_report.cold+0xa9/0x2ba
[   50.775851]  __asan_report_load4_noabort+0x14/0x20
[   50.780765]  wait_consider_task+0x1b51/0x3910
[   50.785264]  ? _raw_spin_unlock_irqrestore+0x6b/0xe0
[   50.790356]  ? add_wait_queue+0x112/0x170
[   50.794494]  ? release_task+0x1630/0x1630
[   50.798643]  ? lock_acquire+0x16f/0x3f0
[   50.802634]  ? do_wait+0x3aa/0x9d0
[   50.806159]  ? kasan_check_write+0x14/0x20
[   50.810380]  do_wait+0x439/0x9d0
[   50.813734]  ? wait_consider_task+0x3910/0x3910
[   50.818386]  ? mark_held_locks+0x100/0x100
[   50.822604]  kernel_wait4+0x171/0x290
[   50.826402]  ? __ia32_sys_waitid+0x140/0x140
[   50.830793]  ? task_stopped_code+0x180/0x180
[   50.835202]  __do_sys_wait4+0x147/0x160
[   50.839161]  ? kernel_wait4+0x290/0x290
[   50.843120]  ? kasan_check_read+0x11/0x20
[   50.847249]  ? _copy_to_user+0xc9/0x120
[   50.851207]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[   50.856814]  ? __x64_sys_rt_sigprocmask+0x21d/0x2e0
[   50.861826]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[   50.866563]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[   50.871308]  ? do_syscall_64+0x26/0x620
[   50.875282]  ? entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   50.880628]  ? do_syscall_64+0x26/0x620
[   50.884601]  __x64_sys_wait4+0x97/0xf0
[   50.888472]  do_syscall_64+0xfd/0x620
[   50.892256]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   50.897438] RIP: 0033:0x7f46eff2aa3e
[   50.901136] Code: 90 90 90 90 90 90 90 90 90 90 90 90 48 83 ec 28 8b 05 c2 eb 2d 00 85 c0 75 1d 45 31 d2 48 63 d2 48 63 ff b8 3d 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 55 48 83 c4 28 c3 89 54 24 08 48 89 74 24 10
[   50.920026] RSP: 002b:00007fff3c8f87f0 EFLAGS: 00000246 ORIG_RAX: 000000000000003d
[   50.927823] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f46eff2aa3e
[   50.935089] RDX: 0000000000000001 RSI: 00007fff3c8f882c RDI: ffffffffffffffff
[   50.942367] RBP: 000056545c9cfc88 R08: 00007fff3c8f88f0 R09: 0101010101010101
[   50.949620] R10: 0000000000000000 R11: 0000000000000246 R12: 000056545e29bc00
[   50.956872] R13: 000056545c9cdfb4 R14: 0000000000000028 R15: 000056545c9cfca0
[   50.965504] Kernel Offset: disabled
[   50.969144] Rebooting in 86400 seconds..