[....] Starting enhanced syslogd: rsyslogd[ 16.327371] audit: type=1400 audit(1521924755.397:5): avc: denied { syslog } for pid=4087 comm="rsyslogd" capability=34 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=capability2 permissive=1 [?25l[?1c7[ ok 8[?25h[?0c. [....] Starting periodic command scheduler: cron[?25l[?1c7[ ok 8[?25h[?0c. Starting mcstransd: [....] Starting file context maintaining daemon: restorecond[?25l[?1c7[ ok 8[?25h[?0c. [....] Starting OpenBSD Secure Shell server: sshd[?25l[?1c7[ ok 8[?25h[?0c. Debian GNU/Linux 7 syzkaller ttyS0 syzkaller login: [ 18.633215] audit: type=1400 audit(1521924757.702:6): avc: denied { map } for pid=4223 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1 Warning: Permanently added '10.128.0.34' (ECDSA) to the list of known hosts. [ 25.079615] audit: type=1400 audit(1521924764.149:7): avc: denied { map } for pid=4237 comm="syzkaller401155" path="/root/syzkaller401155615" dev="sda1" ino=16481 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1 [ 25.094951] IPVS: ftp: loaded support on port[0] = 21 executing program executing program executing program executing program [ 25.134464] IPVS: ftp: loaded support on port[0] = 21 executing program executing program executing program [ 25.170860] IPVS: ftp: loaded support on port[0] = 21 executing program executing program [ 25.197358] ================================================================== [ 25.204807] BUG: KASAN: use-after-free in __list_add_valid+0xc6/0xd0 [ 25.209803] IPVS: ftp: loaded support on port[0] = 21 [ 25.211279] Read of size 8 at addr ffff8801ca8adcd8 by task syzkaller401155/4288 [ 25.211284] [ 25.211293] CPU: 0 PID: 4288 Comm: syzkaller401155 Not tainted 4.16.0-rc6+ #365 [ 25.211299] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 25.242330] Call Trace: executing program [ 25.244904] dump_stack+0x194/0x24d [ 25.248526] ? arch_local_irq_restore+0x53/0x53 [ 25.253186] ? show_regs_print_info+0x18/0x18 [ 25.257684] ? __list_add_valid+0xc6/0xd0 [ 25.261824] print_address_description+0x73/0x250 [ 25.265677] IPVS: ftp: loaded support on port[0] = 21 [ 25.266652] ? __list_add_valid+0xc6/0xd0 [ 25.266665] kasan_report+0x23c/0x360 [ 25.266683] __asan_report_load8_noabort+0x14/0x20 [ 25.266690] __list_add_valid+0xc6/0xd0 [ 25.266702] rdma_listen+0x581/0x8e0 [ 25.292305] ? rdma_resolve_addr+0x26c0/0x26c0 executing program [ 25.296893] ucma_listen+0x172/0x1f0 [ 25.300596] ? ucma_accept+0x970/0x970 [ 25.304478] ? kasan_check_write+0x14/0x20 [ 25.308702] ? _copy_from_user+0x99/0x110 [ 25.312848] ucma_write+0x2d6/0x3d0 [ 25.313916] IPVS: ftp: loaded support on port[0] = 21 [ 25.316456] ? ucma_accept+0x970/0x970 [ 25.316468] ? ucma_close_id+0x60/0x60 [ 25.316493] ? ucma_close_id+0x60/0x60 [ 25.316504] __vfs_write+0xef/0x970 [ 25.336871] ? rcu_note_context_switch+0x710/0x710 [ 25.341795] ? kernel_read+0x120/0x120 executing program [ 25.345671] ? __might_sleep+0x95/0x190 [ 25.349638] ? _cond_resched+0x14/0x30 [ 25.353514] ? __inode_security_revalidate+0xd9/0x130 [ 25.358699] ? avc_policy_seqno+0x9/0x20 [ 25.362748] ? selinux_file_permission+0x82/0x460 [ 25.367594] ? security_file_permission+0x89/0x1e0 [ 25.372524] ? rw_verify_area+0xe5/0x2b0 [ 25.372584] IPVS: ftp: loaded support on port[0] = 21 [ 25.376565] ? __fdget_raw+0x20/0x20 [ 25.376581] vfs_write+0x189/0x510 [ 25.376599] SyS_write+0xef/0x220 [ 25.376608] ? exit_to_usermode_loop+0x198/0x2f0 executing program [ 25.376622] ? SyS_read+0x220/0x220 [ 25.376634] ? do_syscall_64+0xb7/0x940 [ 25.404727] ? SyS_read+0x220/0x220 [ 25.408349] do_syscall_64+0x281/0x940 [ 25.412230] ? _raw_spin_unlock_irq+0x27/0x70 [ 25.416718] ? finish_task_switch+0x1c1/0x7e0 [ 25.419958] IPVS: ftp: loaded support on port[0] = 21 [ 25.421200] ? syscall_return_slowpath+0x550/0x550 [ 25.421213] ? syscall_return_slowpath+0x2ac/0x550 [ 25.421226] ? prepare_exit_to_usermode+0x350/0x350 [ 25.421240] ? entry_SYSCALL_64_after_hwframe+0x52/0xb7 executing program [ 25.421256] ? trace_hardirqs_off_thunk+0x1a/0x1c [ 25.451394] entry_SYSCALL_64_after_hwframe+0x42/0xb7 [ 25.456572] RIP: 0033:0x44a9e9 [ 25.459749] RSP: 002b:00007f94303f3da8 EFLAGS: 00000246 ORIG_RAX: 0000000000000001 [ 25.467450] RAX: ffffffffffffffda RBX: 00000000006e29fc RCX: 000000000044a9e9 [ 25.474702] RDX: 0000000000000010 RSI: 0000000020000000 RDI: 0000000000000004 [ 25.481947] RBP: 00000000006e29f8 R08: 0000000000000000 R09: 0000000000000000 [ 25.489193] R10: 0000000000000000 R11: 0000000000000246 R12: 2f646e6162696e69 [ 25.496440] R13: 666e692f7665642f R14: 7073642f7665642f R15: 0000000000000009 [ 25.503699] [ 25.505303] Allocated by task 4284: [ 25.508910] save_stack+0x43/0xd0 [ 25.512336] kasan_kmalloc+0xad/0xe0 [ 25.516028] kmem_cache_alloc_trace+0x136/0x740 [ 25.520669] rdma_create_id+0xd0/0x630 [ 25.524525] ucma_create_id+0x35f/0x920 [ 25.528466] ucma_write+0x2d6/0x3d0 [ 25.532065] __vfs_write+0xef/0x970 [ 25.535671] vfs_write+0x189/0x510 [ 25.539187] SyS_write+0xef/0x220 [ 25.542614] do_syscall_64+0x281/0x940 [ 25.546480] entry_SYSCALL_64_after_hwframe+0x42/0xb7 [ 25.551636] [ 25.553237] Freed by task 4284: [ 25.556500] save_stack+0x43/0xd0 [ 25.559931] __kasan_slab_free+0x11a/0x170 [ 25.564140] kasan_slab_free+0xe/0x10 [ 25.567911] kfree+0xd9/0x260 [ 25.570986] rdma_destroy_id+0x821/0xda0 [ 25.575025] ucma_close+0x100/0x2f0 [ 25.578630] __fput+0x327/0x7e0 [ 25.581887] ____fput+0x15/0x20 [ 25.585143] task_work_run+0x199/0x270 [ 25.589000] do_exit+0x9bb/0x1ad0 [ 25.592429] do_group_exit+0x149/0x400 [ 25.596291] get_signal+0x73a/0x16d0 [ 25.599982] do_signal+0x90/0x1e90 [ 25.603492] exit_to_usermode_loop+0x258/0x2f0 [ 25.608048] do_syscall_64+0x6ec/0x940 [ 25.611907] entry_SYSCALL_64_after_hwframe+0x42/0xb7 [ 25.617064] [ 25.618672] The buggy address belongs to the object at ffff8801ca8adb00 [ 25.618672] which belongs to the cache kmalloc-1024 of size 1024 [ 25.631478] The buggy address is located 472 bytes inside of [ 25.631478] 1024-byte region [ffff8801ca8adb00, ffff8801ca8adf00) [ 25.643404] The buggy address belongs to the page: [ 25.648310] page:ffffea00072a2b00 count:1 mapcount:0 mapping:ffff8801ca8ac000 index:0x0 compound_mapcount: 0 [ 25.658257] flags: 0x2fffc0000008100(slab|head) [ 25.662896] raw: 02fffc0000008100 ffff8801ca8ac000 0000000000000000 0000000100000007 [ 25.670749] raw: ffffea00072969a0 ffffea00072c5d20 ffff8801dac00ac0 0000000000000000 [ 25.678601] page dumped because: kasan: bad access detected [ 25.684286] [ 25.685884] Memory state around the buggy address: [ 25.690781] ffff8801ca8adb80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 25.698114] ffff8801ca8adc00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 25.705451] >ffff8801ca8adc80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 25.712780] ^ [ 25.719283] ffff8801ca8add00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 25.726610] ffff8801ca8add80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 25.733941] ================================================================== [ 25.741270] Disabling lock debugging due to kernel taint [ 25.746904] Kernel panic - not syncing: panic_on_warn set ... [ 25.746904] [ 25.754253] CPU: 0 PID: 4288 Comm: syzkaller401155 Tainted: G B 4.16.0-rc6+ #365 [ 25.762976] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 25.772308] Call Trace: [ 25.774866] dump_stack+0x194/0x24d [ 25.778467] ? arch_local_irq_restore+0x53/0x53 [ 25.783110] ? trace_hardirqs_on_thunk+0x1a/0x1c [ 25.787835] ? vsnprintf+0x1ed/0x1900 [ 25.791610] ? __list_add_valid+0x10/0xd0 [ 25.795728] panic+0x1e4/0x41c [ 25.798890] ? refcount_error_report+0x214/0x214 [ 25.803617] ? add_taint+0x1c/0x50 [ 25.807126] ? add_taint+0x1c/0x50 [ 25.810638] ? __list_add_valid+0xc6/0xd0 [ 25.814754] kasan_end_report+0x50/0x50 [ 25.818700] kasan_report+0x149/0x360 [ 25.822482] __asan_report_load8_noabort+0x14/0x20 [ 25.827390] __list_add_valid+0xc6/0xd0 [ 25.831362] rdma_listen+0x581/0x8e0 [ 25.835047] ? rdma_resolve_addr+0x26c0/0x26c0 [ 25.839606] ucma_listen+0x172/0x1f0 [ 25.843297] ? ucma_accept+0x970/0x970 [ 25.847154] ? kasan_check_write+0x14/0x20 [ 25.851363] ? _copy_from_user+0x99/0x110 [ 25.855479] ucma_write+0x2d6/0x3d0 [ 25.859073] ? ucma_accept+0x970/0x970 [ 25.862932] ? ucma_close_id+0x60/0x60 [ 25.866793] ? ucma_close_id+0x60/0x60 [ 25.870652] __vfs_write+0xef/0x970 [ 25.874249] ? rcu_note_context_switch+0x710/0x710 [ 25.879150] ? kernel_read+0x120/0x120 [ 25.883011] ? __might_sleep+0x95/0x190 [ 25.886966] ? _cond_resched+0x14/0x30 [ 25.890826] ? __inode_security_revalidate+0xd9/0x130 [ 25.895984] ? avc_policy_seqno+0x9/0x20 [ 25.900023] ? selinux_file_permission+0x82/0x460 [ 25.904839] ? security_file_permission+0x89/0x1e0 [ 25.909741] ? rw_verify_area+0xe5/0x2b0 [ 25.913777] ? __fdget_raw+0x20/0x20 [ 25.917469] vfs_write+0x189/0x510 [ 25.920982] SyS_write+0xef/0x220 [ 25.924408] ? exit_to_usermode_loop+0x198/0x2f0 [ 25.929134] ? SyS_read+0x220/0x220 [ 25.932734] ? do_syscall_64+0xb7/0x940 [ 25.936677] ? SyS_read+0x220/0x220 [ 25.940280] do_syscall_64+0x281/0x940 [ 25.944146] ? _raw_spin_unlock_irq+0x27/0x70 [ 25.948609] ? finish_task_switch+0x1c1/0x7e0 [ 25.953075] ? syscall_return_slowpath+0x550/0x550 [ 25.957972] ? syscall_return_slowpath+0x2ac/0x550 [ 25.962871] ? prepare_exit_to_usermode+0x350/0x350 [ 25.967861] ? entry_SYSCALL_64_after_hwframe+0x52/0xb7 [ 25.973201] ? trace_hardirqs_off_thunk+0x1a/0x1c [ 25.978023] entry_SYSCALL_64_after_hwframe+0x42/0xb7 [ 25.983184] RIP: 0033:0x44a9e9 [ 25.986344] RSP: 002b:00007f94303f3da8 EFLAGS: 00000246 ORIG_RAX: 0000000000000001 [ 25.994026] RAX: ffffffffffffffda RBX: 00000000006e29fc RCX: 000000000044a9e9 [ 26.001268] RDX: 0000000000000010 RSI: 0000000020000000 RDI: 0000000000000004 [ 26.008506] RBP: 00000000006e29f8 R08: 0000000000000000 R09: 0000000000000000 [ 26.015744] R10: 0000000000000000 R11: 0000000000000246 R12: 2f646e6162696e69 [ 26.022984] R13: 666e692f7665642f R14: 7073642f7665642f R15: 0000000000000009 [ 26.030637] Dumping ftrace buffer: [ 26.034147] (ftrace buffer empty) [ 26.037827] Kernel Offset: disabled [ 26.041420] Rebooting in 86400 seconds..