[?25l[?1c7[ ok 8[?25h[?0c. [....] Starting periodic command scheduler: cron[?25l[?1c7[ ok 8[?25h[?0c. Starting mcstransd: [....] Starting file context maintaining daemon: restorecond[?25l[?1c7[ ok 8[?25h[?0c. [....] Starting OpenBSD Secure Shell server: sshd[?25l[?1c7[ ok 8[?25h[?0c. [ 18.634852] audit: type=1400 audit(1521923667.250:6): avc: denied { map } for pid=4214 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1 Debian GNU/Linux 7 syzkaller ttyS0 Warning: Permanently added '10.128.10.15' (ECDSA) to the list of known hosts. syzkaller login: [ 24.949173] audit: type=1400 audit(1521923673.564:7): avc: denied { map } for pid=4229 comm="syz-execprog" path="/root/syz-execprog" dev="sda1" ino=16479 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1 2018/03/24 20:34:33 parsed 1 programs 2018/03/24 20:34:33 executed programs: 0 [ 25.208966] audit: type=1400 audit(1521923673.824:8): avc: denied { map } for pid=4229 comm="syz-execprog" path="/root/syzkaller-shm086223256" dev="sda1" ino=16482 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:file_t:s0 tclass=file permissive=1 [ 25.224914] IPVS: ftp: loaded support on port[0] = 21 [ 27.250278] ================================================================== [ 27.257753] BUG: KASAN: use-after-free in __list_del_entry_valid+0x144/0x150 [ 27.264914] Read of size 8 at addr ffff8801afaf33e0 by task syz-executor0/4703 [ 27.272241] [ 27.273846] CPU: 0 PID: 4703 Comm: syz-executor0 Not tainted 4.16.0-rc6+ #275 [ 27.281092] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 27.290418] Call Trace: [ 27.292991] dump_stack+0x194/0x24d [ 27.296613] ? arch_local_irq_restore+0x53/0x53 [ 27.301266] ? show_regs_print_info+0x18/0x18 [ 27.305739] ? rcu_note_context_switch+0x710/0x710 [ 27.310650] ? __list_del_entry_valid+0x144/0x150 [ 27.315473] print_address_description+0x73/0x250 [ 27.320289] ? __list_del_entry_valid+0x144/0x150 [ 27.325109] kasan_report+0x23c/0x360 [ 27.328888] __asan_report_load8_noabort+0x14/0x20 [ 27.333794] __list_del_entry_valid+0x144/0x150 [ 27.338438] cma_cancel_operation+0x455/0xd60 [ 27.342907] ? finish_task_switch+0x182/0x7e0 [ 27.347385] ? find_held_lock+0x35/0x1d0 [ 27.351419] ? rdma_destroy_id+0xda0/0xda0 [ 27.355638] ? rdma_destroy_id+0xf4/0xda0 [ 27.359772] ? lock_downgrade+0x980/0x980 [ 27.363901] ? lock_release+0xa40/0xa40 [ 27.367854] ? do_raw_spin_trylock+0x190/0x190 [ 27.372411] ? _raw_spin_unlock_irqrestore+0x31/0xc0 [ 27.377488] ? trace_hardirqs_on_caller+0x421/0x5c0 [ 27.382481] rdma_destroy_id+0xff/0xda0 [ 27.386429] ? lock_release+0xa40/0xa40 [ 27.390378] ? lock_downgrade+0x980/0x980 [ 27.394501] ? cma_release_dev+0x350/0x350 [ 27.398716] ? radix_tree_delete_item+0x146/0x280 [ 27.403556] ucma_close+0x100/0x2f0 [ 27.407160] ? ucma_free_ctx+0xd90/0xd90 [ 27.411195] __fput+0x327/0x7e0 [ 27.414460] ? fput+0x140/0x140 [ 27.417715] ? check_same_owner+0x320/0x320 [ 27.422017] ? _raw_spin_unlock_irq+0x27/0x70 [ 27.426501] ____fput+0x15/0x20 [ 27.429756] task_work_run+0x199/0x270 [ 27.433619] ? task_work_cancel+0x210/0x210 [ 27.437918] ? _raw_spin_unlock+0x22/0x30 [ 27.442048] ? switch_task_namespaces+0x87/0xc0 [ 27.446704] do_exit+0x9bb/0x1ad0 [ 27.450134] ? find_held_lock+0x35/0x1d0 [ 27.454173] ? mm_update_next_owner+0x930/0x930 [ 27.458832] ? debug_check_no_locks_freed+0x3c0/0x3c0 [ 27.463996] ? lock_downgrade+0x980/0x980 [ 27.468125] ? __unqueue_futex+0x1c0/0x290 [ 27.472331] ? lock_release+0xa40/0xa40 [ 27.476283] ? fault_in_user_writeable+0x90/0x90 [ 27.481022] ? do_raw_spin_trylock+0x190/0x190 [ 27.485588] ? futex_wake+0x680/0x680 [ 27.489369] ? drop_futex_key_refs.isra.13+0x63/0xb0 [ 27.494446] ? futex_wait+0x6a9/0x9a0 [ 27.498236] ? trace_hardirqs_off+0x10/0x10 [ 27.502530] ? drop_futex_key_refs.isra.13+0x63/0xb0 [ 27.507618] ? futex_wake+0x2ca/0x680 [ 27.511400] ? memset+0x31/0x40 [ 27.514661] ? find_held_lock+0x35/0x1d0 [ 27.518707] ? get_signal+0x7a9/0x16d0 [ 27.522580] ? lock_downgrade+0x980/0x980 [ 27.526713] do_group_exit+0x149/0x400 [ 27.530577] ? do_raw_spin_trylock+0x190/0x190 [ 27.535139] ? SyS_exit+0x30/0x30 [ 27.538586] ? _raw_spin_unlock_irq+0x27/0x70 [ 27.543062] ? trace_hardirqs_on_caller+0x421/0x5c0 [ 27.548060] get_signal+0x73a/0x16d0 [ 27.551757] ? ptrace_notify+0x130/0x130 [ 27.555804] ? ucma_put_ctx+0x26/0x30 [ 27.559576] ? ucma_listen+0x182/0x1f0 [ 27.563437] ? ucma_accept+0x970/0x970 [ 27.567303] ? kasan_check_write+0x14/0x20 [ 27.571516] ? _copy_from_user+0x99/0x110 [ 27.575639] ? ucma_write+0x11f/0x3d0 [ 27.579414] ? ucma_accept+0x970/0x970 [ 27.583274] ? ucma_close_id+0x60/0x60 [ 27.587140] do_signal+0x90/0x1e90 [ 27.590662] ? ucma_close_id+0x60/0x60 [ 27.594526] ? __vfs_write+0xf7/0x970 [ 27.598303] ? rcu_note_context_switch+0x710/0x710 [ 27.603209] ? setup_sigcontext+0x7d0/0x7d0 [ 27.607504] ? kernel_read+0x120/0x120 [ 27.611367] ? __might_sleep+0x95/0x190 [ 27.615323] ? fsnotify+0x7b3/0x1140 [ 27.619017] ? __inode_security_revalidate+0xd9/0x130 [ 27.624192] ? avc_policy_seqno+0x9/0x20 [ 27.628253] ? exit_to_usermode_loop+0x8c/0x2f0 [ 27.632912] exit_to_usermode_loop+0x258/0x2f0 [ 27.637484] ? trace_event_raw_event_sys_exit+0x260/0x260 [ 27.642998] ? do_fast_syscall_32+0x156/0xf9f [ 27.647479] do_fast_syscall_32+0xbe6/0xf9f [ 27.651781] ? do_int80_syscall_32+0x9c0/0x9c0 [ 27.656337] ? _raw_spin_unlock_irq+0x27/0x70 [ 27.660806] ? finish_task_switch+0x1c1/0x7e0 [ 27.665293] ? syscall_return_slowpath+0x2ac/0x550 [ 27.671067] ? prepare_exit_to_usermode+0x350/0x350 [ 27.676059] ? sysret32_from_system_call+0x5/0x3c [ 27.680877] ? trace_hardirqs_off_thunk+0x1a/0x1c [ 27.685700] entry_SYSENTER_compat+0x70/0x7f [ 27.690079] RIP: 0023:0xf7f03c99 [ 27.693416] RSP: 002b:00000000f7ede10c EFLAGS: 00000296 ORIG_RAX: 00000000000000f0 [ 27.701099] RAX: fffffffffffffe00 RBX: 000000000813af98 RCX: 0000000000000000 [ 27.708341] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000 [ 27.715580] RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000 [ 27.722819] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000 [ 27.730058] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000 [ 27.737325] [ 27.738926] Allocated by task 4703: [ 27.742531] save_stack+0x43/0xd0 [ 27.745954] kasan_kmalloc+0xad/0xe0 [ 27.749642] kmem_cache_alloc_trace+0x136/0x740 [ 27.754282] rdma_create_id+0xd0/0x630 [ 27.758142] ucma_create_id+0x35f/0x920 [ 27.762084] ucma_write+0x2d6/0x3d0 [ 27.765682] __vfs_write+0xef/0x970 [ 27.769277] vfs_write+0x189/0x510 [ 27.772787] SyS_write+0xef/0x220 [ 27.776212] do_fast_syscall_32+0x3ec/0xf9f [ 27.780504] entry_SYSENTER_compat+0x70/0x7f [ 27.784879] [ 27.786476] Freed by task 4703: [ 27.789725] save_stack+0x43/0xd0 [ 27.793150] __kasan_slab_free+0x11a/0x170 [ 27.797356] kasan_slab_free+0xe/0x10 [ 27.801127] kfree+0xd9/0x260 [ 27.804205] rdma_destroy_id+0x821/0xda0 [ 27.808239] ucma_close+0x100/0x2f0 [ 27.811857] __fput+0x327/0x7e0 [ 27.815110] ____fput+0x15/0x20 [ 27.818365] task_work_run+0x199/0x270 [ 27.822226] do_exit+0x9bb/0x1ad0 [ 27.825648] do_group_exit+0x149/0x400 [ 27.829509] get_signal+0x73a/0x16d0 [ 27.833679] do_signal+0x90/0x1e90 [ 27.837191] exit_to_usermode_loop+0x258/0x2f0 [ 27.841743] do_fast_syscall_32+0xbe6/0xf9f [ 27.846038] entry_SYSENTER_compat+0x70/0x7f [ 27.850414] [ 27.852020] The buggy address belongs to the object at ffff8801afaf3200 [ 27.852020] which belongs to the cache kmalloc-1024 of size 1024 [ 27.864825] The buggy address is located 480 bytes inside of [ 27.864825] 1024-byte region [ffff8801afaf3200, ffff8801afaf3600) [ 27.876762] The buggy address belongs to the page: [ 27.881662] page:ffffea0006bebc80 count:1 mapcount:0 mapping:ffff8801afaf2000 index:0x0 compound_mapcount: 0 [ 27.891607] flags: 0x2fffc0000008100(slab|head) [ 27.896246] raw: 02fffc0000008100 ffff8801afaf2000 0000000000000000 0000000100000007 [ 27.904096] raw: ffffea0007272f20 ffffea0006bc6520 ffff8801dac00ac0 0000000000000000 [ 27.911944] page dumped because: kasan: bad access detected [ 27.917622] [ 27.919221] Memory state around the buggy address: [ 27.924122] ffff8801afaf3280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 27.931451] ffff8801afaf3300: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 27.938781] >ffff8801afaf3380: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 27.946107] ^ [ 27.952574] ffff8801afaf3400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 27.959907] ffff8801afaf3480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 27.967240] ================================================================== [ 27.974565] Disabling lock debugging due to kernel taint [ 27.980083] Kernel panic - not syncing: panic_on_warn set ... [ 27.980083] [ 27.987437] CPU: 0 PID: 4703 Comm: syz-executor0 Tainted: G B 4.16.0-rc6+ #275 [ 27.995985] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 28.005307] Call Trace: [ 28.007866] dump_stack+0x194/0x24d [ 28.011466] ? arch_local_irq_restore+0x53/0x53 [ 28.016107] ? kasan_end_report+0x32/0x50 [ 28.020226] ? trace_hardirqs_on_thunk+0x1a/0x1c [ 28.024952] ? vsnprintf+0x1ed/0x1900 [ 28.028723] ? __list_del_entry_valid+0x140/0x150 [ 28.033534] panic+0x1e4/0x41c [ 28.036696] ? refcount_error_report+0x214/0x214 [ 28.041423] ? add_taint+0x1c/0x50 [ 28.044931] ? add_taint+0x1c/0x50 [ 28.048441] ? __list_del_entry_valid+0x144/0x150 [ 28.053252] kasan_end_report+0x50/0x50 [ 28.057193] kasan_report+0x149/0x360 [ 28.060965] __asan_report_load8_noabort+0x14/0x20 [ 28.065864] __list_del_entry_valid+0x144/0x150 [ 28.070506] cma_cancel_operation+0x455/0xd60 [ 28.074969] ? finish_task_switch+0x182/0x7e0 [ 28.079442] ? find_held_lock+0x35/0x1d0 [ 28.083475] ? rdma_destroy_id+0xda0/0xda0 [ 28.087679] ? rdma_destroy_id+0xf4/0xda0 [ 28.091797] ? lock_downgrade+0x980/0x980 [ 28.095913] ? lock_release+0xa40/0xa40 [ 28.099860] ? do_raw_spin_trylock+0x190/0x190 [ 28.104417] ? _raw_spin_unlock_irqrestore+0x31/0xc0 [ 28.109493] ? trace_hardirqs_on_caller+0x421/0x5c0 [ 28.114483] rdma_destroy_id+0xff/0xda0 [ 28.118426] ? lock_release+0xa40/0xa40 [ 28.122369] ? lock_downgrade+0x980/0x980 [ 28.126488] ? cma_release_dev+0x350/0x350 [ 28.130696] ? radix_tree_delete_item+0x146/0x280 [ 28.135519] ucma_close+0x100/0x2f0 [ 28.139115] ? ucma_free_ctx+0xd90/0xd90 [ 28.143145] __fput+0x327/0x7e0 [ 28.146395] ? fput+0x140/0x140 [ 28.149647] ? check_same_owner+0x320/0x320 [ 28.153941] ? _raw_spin_unlock_irq+0x27/0x70 [ 28.158414] ____fput+0x15/0x20 [ 28.161663] task_work_run+0x199/0x270 [ 28.165520] ? task_work_cancel+0x210/0x210 [ 28.169811] ? _raw_spin_unlock+0x22/0x30 [ 28.173928] ? switch_task_namespaces+0x87/0xc0 [ 28.178572] do_exit+0x9bb/0x1ad0 [ 28.181996] ? find_held_lock+0x35/0x1d0 [ 28.186037] ? mm_update_next_owner+0x930/0x930 [ 28.190679] ? debug_check_no_locks_freed+0x3c0/0x3c0 [ 28.195842] ? lock_downgrade+0x980/0x980 [ 28.199961] ? __unqueue_futex+0x1c0/0x290 [ 28.204162] ? lock_release+0xa40/0xa40 [ 28.208106] ? fault_in_user_writeable+0x90/0x90 [ 28.212834] ? do_raw_spin_trylock+0x190/0x190 [ 28.217388] ? futex_wake+0x680/0x680 [ 28.221166] ? drop_futex_key_refs.isra.13+0x63/0xb0 [ 28.226238] ? futex_wait+0x6a9/0x9a0 [ 28.230050] ? trace_hardirqs_off+0x10/0x10 [ 28.234345] ? drop_futex_key_refs.isra.13+0x63/0xb0 [ 28.239420] ? futex_wake+0x2ca/0x680 [ 28.243191] ? memset+0x31/0x40 [ 28.246444] ? find_held_lock+0x35/0x1d0 [ 28.250482] ? get_signal+0x7a9/0x16d0 [ 28.254340] ? lock_downgrade+0x980/0x980 [ 28.258463] do_group_exit+0x149/0x400 [ 28.262321] ? do_raw_spin_trylock+0x190/0x190 [ 28.266871] ? SyS_exit+0x30/0x30 [ 28.270295] ? _raw_spin_unlock_irq+0x27/0x70 [ 28.274768] ? trace_hardirqs_on_caller+0x421/0x5c0 [ 28.279756] get_signal+0x73a/0x16d0 [ 28.283445] ? ptrace_notify+0x130/0x130 [ 28.287475] ? ucma_put_ctx+0x26/0x30 [ 28.291248] ? ucma_listen+0x182/0x1f0 [ 28.295105] ? ucma_accept+0x970/0x970 [ 28.298962] ? kasan_check_write+0x14/0x20 [ 28.303166] ? _copy_from_user+0x99/0x110 [ 28.307290] ? ucma_write+0x11f/0x3d0 [ 28.311064] ? ucma_accept+0x970/0x970 [ 28.314930] ? ucma_close_id+0x60/0x60 [ 28.318790] do_signal+0x90/0x1e90 [ 28.322307] ? ucma_close_id+0x60/0x60 [ 28.326171] ? __vfs_write+0xf7/0x970 [ 28.329943] ? rcu_note_context_switch+0x710/0x710 [ 28.334841] ? setup_sigcontext+0x7d0/0x7d0 [ 28.339132] ? kernel_read+0x120/0x120 [ 28.342987] ? __might_sleep+0x95/0x190 [ 28.346935] ? fsnotify+0x7b3/0x1140 [ 28.350621] ? __inode_security_revalidate+0xd9/0x130 [ 28.355780] ? avc_policy_seqno+0x9/0x20 [ 28.359820] ? exit_to_usermode_loop+0x8c/0x2f0 [ 28.364461] exit_to_usermode_loop+0x258/0x2f0 [ 28.369021] ? trace_event_raw_event_sys_exit+0x260/0x260 [ 28.374531] ? do_fast_syscall_32+0x156/0xf9f [ 28.378998] do_fast_syscall_32+0xbe6/0xf9f [ 28.383297] ? do_int80_syscall_32+0x9c0/0x9c0 [ 28.387861] ? _raw_spin_unlock_irq+0x27/0x70 [ 28.392348] ? finish_task_switch+0x1c1/0x7e0 [ 28.396824] ? syscall_return_slowpath+0x2ac/0x550 [ 28.401723] ? prepare_exit_to_usermode+0x350/0x350 [ 28.406711] ? sysret32_from_system_call+0x5/0x3c [ 28.411525] ? trace_hardirqs_off_thunk+0x1a/0x1c [ 28.416342] entry_SYSENTER_compat+0x70/0x7f [ 28.420720] RIP: 0023:0xf7f03c99 [ 28.424052] RSP: 002b:00000000f7ede10c EFLAGS: 00000296 ORIG_RAX: 00000000000000f0 [ 28.431728] RAX: fffffffffffffe00 RBX: 000000000813af98 RCX: 0000000000000000 [ 28.438974] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000 [ 28.446211] RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000 [ 28.453451] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000 [ 28.460696] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000 [ 28.468387] Dumping ftrace buffer: [ 28.471900] (ftrace buffer empty) [ 28.475578] Kernel Offset: disabled [ 28.479175] Rebooting in 86400 seconds..