[....] Starting enhanced syslogd: rsyslogd
[ 17.070845] audit: type=1400 audit(1521088912.175:5): avc: denied { syslog } for pid=4091 comm="rsyslogd" capability=34 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=capability2 permissive=1
[ ok ]
Starting mcstransd:
[....] Starting periodic command scheduler: cron
[ ok ]
[....] Starting file context maintaining daemon: restorecond
[ ok ]
[....] Starting OpenBSD Secure Shell server: sshd
[ ok ]

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [ 22.705908] audit: type=1400 audit(1521088917.810:6): avc: denied { map } for pid=4231 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
Warning: Permanently added '10.128.10.9' (ECDSA) to the list of known hosts.
executing program
executing program
[ 29.051825] audit: type=1400 audit(1521088924.156:7): avc: denied { map } for pid=4245 comm="syzkaller618201" path="/root/syzkaller618201737" dev="sda1" ino=16481 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
[ 29.068283] ==================================================================
[ 29.085120] BUG: KASAN: use-after-free in __list_add_valid+0xc6/0xd0
[ 29.091591] Read of size 8 at addr ffff8801ae29c218 by task syzkaller618201/4248
[ 29.099105]
[ 29.100712] CPU: 1 PID: 4248 Comm: syzkaller618201 Not tainted 4.16.0-rc5+ #353
[ 29.108138] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 29.117480] Call Trace:
[ 29.120045]  dump_stack+0x194/0x24d
[ 29.123647]  ? arch_local_irq_restore+0x53/0x53
[ 29.128288]  ? show_regs_print_info+0x18/0x18
[ 29.132760]  ? __list_add_valid+0xc6/0xd0
[ 29.136885]  print_address_description+0x73/0x250
[ 29.141732]  ? __list_add_valid+0xc6/0xd0
[ 29.145858]  kasan_report+0x23c/0x360
[ 29.149635]  __asan_report_load8_noabort+0x14/0x20
[ 29.154536]  __list_add_valid+0xc6/0xd0
[ 29.158487]  rdma_listen+0x581/0x8e0
[ 29.162197]  ? rdma_resolve_addr+0x26c0/0x26c0
[ 29.166762]  ucma_listen+0x172/0x1f0
[ 29.170453]  ? ucma_accept+0x970/0x970
[ 29.174326]  ? kasan_check_write+0x14/0x20
[ 29.178534]  ? _copy_from_user+0x99/0x110
[ 29.182918]  ucma_write+0x2d6/0x3d0
[ 29.186517]  ? ucma_accept+0x970/0x970
[ 29.190377]  ? ucma_resolve_route+0x1a0/0x1a0
[ 29.194850]  ? handle_mm_fault+0x35b/0xb10
[ 29.199072]  ? ucma_resolve_route+0x1a0/0x1a0
[ 29.203546]  __vfs_write+0xef/0x970
[ 29.207159]  ? rcu_note_context_switch+0x710/0x710
[ 29.212090]  ? kernel_read+0x120/0x120
[ 29.215967]  ? __might_sleep+0x95/0x190
[ 29.219929]  ? _cond_resched+0x14/0x30
[ 29.223796]  ? __inode_security_revalidate+0xd9/0x130
[ 29.228968]  ? avc_policy_seqno+0x9/0x20
[ 29.233012]  ? selinux_file_permission+0x82/0x460
[ 29.237855]  ? security_file_permission+0x89/0x1e0
[ 29.242781]  ? rw_verify_area+0xe5/0x2b0
[ 29.246829]  ? __fdget_raw+0x20/0x20
[ 29.250531]  vfs_write+0x189/0x510
[ 29.254049]  SyS_write+0xef/0x220
[ 29.257485]  ? exit_to_usermode_loop+0x198/0x2f0
[ 29.262215]  ? SyS_read+0x220/0x220
[ 29.265819]  ? do_syscall_64+0xb7/0x940
[ 29.269773]  ? SyS_read+0x220/0x220
[ 29.273387]  do_syscall_64+0x281/0x940
[ 29.277250]  ? __do_page_fault+0xc90/0xc90
[ 29.281458]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 29.286188]  ? syscall_return_slowpath+0x550/0x550
[ 29.291091]  ? syscall_return_slowpath+0x2ac/0x550
[ 29.296001]  ? prepare_exit_to_usermode+0x350/0x350
[ 29.300992]  ? entry_SYSCALL_64_after_hwframe+0x52/0xb7
[ 29.306333]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 29.311156]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 29.316324] RIP: 0033:0x441859
[ 29.319485] RSP: 002b:00007ffec59ea058 EFLAGS: 00000207 ORIG_RAX: 0000000000000001
[ 29.327167] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 0000000000441859
[ 29.334412] RDX: 000000000000003a RSI: 0000000020000100 RDI: 0000000000000003
[ 29.341662] RBP: 000000000000717f R08: 00007ffec59ea218 R09: 00007ffec59ea218
[ 29.348924] R10: 00007ffec59ea218 R11: 0000000000000207 R12: 0000000000000000
[ 29.356190] R13: 00000000006cd448 R14: 0000000000000000 R15: 0000000000000000
[ 29.363475]
[ 29.365079] Allocated by task 4246:
[ 29.368712]  save_stack+0x43/0xd0
[ 29.372155]  kasan_kmalloc+0xad/0xe0
[ 29.375861]  kmem_cache_alloc_trace+0x136/0x740
[ 29.380506]  rdma_create_id+0xd0/0x630
[ 29.384365]  ucma_create_id+0x31a/0x620
[ 29.388321]  ucma_write+0x2d6/0x3d0
[ 29.391922]  __vfs_write+0xef/0x970
[ 29.395519]  vfs_write+0x189/0x510
[ 29.399028]  SyS_write+0xef/0x220
[ 29.402458]  do_syscall_64+0x281/0x940
[ 29.406315]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 29.411483]
[ 29.413081] Freed by task 4246:
[ 29.416330]  save_stack+0x43/0xd0
[ 29.419755]  __kasan_slab_free+0x11a/0x170
[ 29.423960]  kasan_slab_free+0xe/0x10
[ 29.427731]  kfree+0xd9/0x260
[ 29.430807]  rdma_destroy_id+0x821/0xda0
[ 29.434840]  ucma_close+0x100/0x2f0
[ 29.438437]  __fput+0x327/0x7e0
[ 29.441686]  ____fput+0x15/0x20
[ 29.444940]  task_work_run+0x199/0x270
[ 29.448829]  do_exit+0x9bb/0x1ad0
[ 29.452255]  do_group_exit+0x149/0x400
[ 29.456111]  SyS_exit_group+0x1d/0x20
[ 29.459891]  do_syscall_64+0x281/0x940
[ 29.463752]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 29.468910]
[ 29.470511] The buggy address belongs to the object at ffff8801ae29c040
[ 29.470511]  which belongs to the cache kmalloc-1024 of size 1024
[ 29.483325] The buggy address is located 472 bytes inside of
[ 29.483325]  1024-byte region [ffff8801ae29c040, ffff8801ae29c440)
[ 29.495257] The buggy address belongs to the page:
[ 29.500163] page:ffffea0006b8a700 count:1 mapcount:0 mapping:ffff8801ae29c040 index:0x0 compound_mapcount: 0
[ 29.510119] flags: 0x2fffc0000008100(slab|head)
[ 29.514762] raw: 02fffc0000008100 ffff8801ae29c040 0000000000000000 0000000100000007
[ 29.522612] raw: ffffea0006c11120 ffffea0006c15d20 ffff8801dac00ac0 0000000000000000
[ 29.530460] page dumped because: kasan: bad access detected
[ 29.536137]
[ 29.537738] Memory state around the buggy address:
[ 29.542638]  ffff8801ae29c100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 29.549965]  ffff8801ae29c180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 29.557296] >ffff8801ae29c200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 29.564638]                             ^
[ 29.568757]  ffff8801ae29c280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 29.576084]  ffff8801ae29c300: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 29.583426] ==================================================================
[ 29.590755] Disabling lock debugging due to kernel taint
[ 29.596328] Kernel panic - not syncing: panic_on_warn set ...
[ 29.596328]
[ 29.603686] CPU: 1 PID: 4248 Comm: syzkaller618201 Tainted: G B 4.16.0-rc5+ #353
[ 29.612422] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 29.621751] Call Trace:
[ 29.624312]  dump_stack+0x194/0x24d
[ 29.627912]  ? arch_local_irq_restore+0x53/0x53
[ 29.632553]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 29.637279]  ? vsnprintf+0x1ed/0x1900
[ 29.641050]  ? assoc_array_gc+0x1390/0x13c0
[ 29.645358]  panic+0x1e4/0x41c
[ 29.648528]  ? refcount_error_report+0x214/0x214
[ 29.653252]  ? add_taint+0x1c/0x50
[ 29.656763]  ? add_taint+0x1c/0x50
[ 29.660274]  ? __list_add_valid+0xc6/0xd0
[ 29.664393]  kasan_end_report+0x50/0x50
[ 29.668335]  kasan_report+0x149/0x360
[ 29.672107]  __asan_report_load8_noabort+0x14/0x20
[ 29.677012]  __list_add_valid+0xc6/0xd0
[ 29.680957]  rdma_listen+0x581/0x8e0
[ 29.684650]  ? rdma_resolve_addr+0x26c0/0x26c0
[ 29.689203]  ucma_listen+0x172/0x1f0
[ 29.692886]  ? ucma_accept+0x970/0x970
[ 29.696744]  ? kasan_check_write+0x14/0x20
[ 29.700951]  ? _copy_from_user+0x99/0x110
[ 29.705067]  ucma_write+0x2d6/0x3d0
[ 29.708663]  ? ucma_accept+0x970/0x970
[ 29.712517]  ? ucma_resolve_route+0x1a0/0x1a0
[ 29.716981]  ? handle_mm_fault+0x35b/0xb10
[ 29.721189]  ? ucma_resolve_route+0x1a0/0x1a0
[ 29.725651]  __vfs_write+0xef/0x970
[ 29.729247]  ? rcu_note_context_switch+0x710/0x710
[ 29.734151]  ? kernel_read+0x120/0x120
[ 29.738006]  ? __might_sleep+0x95/0x190
[ 29.741954]  ? _cond_resched+0x14/0x30
[ 29.745823]  ? __inode_security_revalidate+0xd9/0x130
[ 29.750980]  ? avc_policy_seqno+0x9/0x20
[ 29.755011]  ? selinux_file_permission+0x82/0x460
[ 29.759828]  ? security_file_permission+0x89/0x1e0
[ 29.764730]  ? rw_verify_area+0xe5/0x2b0
[ 29.769203]  ? __fdget_raw+0x20/0x20
[ 29.772885]  vfs_write+0x189/0x510
[ 29.776396]  SyS_write+0xef/0x220
[ 29.779818]  ? exit_to_usermode_loop+0x198/0x2f0
[ 29.784543]  ? SyS_read+0x220/0x220
[ 29.788145]  ? do_syscall_64+0xb7/0x940
[ 29.792090]  ? SyS_read+0x220/0x220
[ 29.795692]  do_syscall_64+0x281/0x940
[ 29.799550]  ? __do_page_fault+0xc90/0xc90
[ 29.803753]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 29.808482]  ? syscall_return_slowpath+0x550/0x550
[ 29.813379]  ? syscall_return_slowpath+0x2ac/0x550
[ 29.818275]  ? prepare_exit_to_usermode+0x350/0x350
[ 29.823264]  ? entry_SYSCALL_64_after_hwframe+0x52/0xb7
[ 29.828600]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 29.833422]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 29.838580] RIP: 0033:0x441859
[ 29.841749] RSP: 002b:00007ffec59ea058 EFLAGS: 00000207 ORIG_RAX: 0000000000000001
[ 29.849438] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 0000000000441859
[ 29.856680] RDX: 000000000000003a RSI: 0000000020000100 RDI: 0000000000000003
[ 29.863920] RBP: 000000000000717f R08: 00007ffec59ea218 R09: 00007ffec59ea218
[ 29.871158] R10: 00007ffec59ea218 R11: 0000000000000207 R12: 0000000000000000
[ 29.878401] R13: 00000000006cd448 R14: 0000000000000000 R15: 0000000000000000
[ 29.886054] Dumping ftrace buffer:
[ 29.889566]    (ftrace buffer empty)
[ 29.893249] Kernel Offset: disabled
[ 29.896847] Rebooting in 86400 seconds..