[ 39.261221] audit: type=1800 audit(1561997833.468:33): pid=7002 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:kernel_t:s0 op="collect_data" cause="failed(directio)" comm="startpar" name="rc.local" dev="sda1" ino=2465 res=0
[ 39.282878] audit: type=1800 audit(1561997833.468:34): pid=7002 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:kernel_t:s0 op="collect_data" cause="failed(directio)" comm="startpar" name="rmnologin" dev="sda1" ino=2456 res=0
Debian GNU/Linux 7 syzkaller ttyS0
syzkaller login:
[ 42.621143] random: sshd: uninitialized urandom read (32 bytes read)
[ 42.993269] audit: type=1400 audit(1561997837.198:35): avc: denied { map } for pid=7173 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
[ 43.039763] random: sshd: uninitialized urandom read (32 bytes read)
[ 43.670517] random: sshd: uninitialized urandom read (32 bytes read)
[ 52.013984] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.0.181' (ECDSA) to the list of known hosts.
[ 57.647870] random: sshd: uninitialized urandom read (32 bytes read)
[ 57.837577] audit: type=1400 audit(1561997852.038:36): avc: denied { map } for pid=7185 comm="syz-execprog" path="/root/syz-execprog" dev="sda1" ino=16482 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
2019/07/01 16:17:32 parsed 1 programs
[ 58.754399] audit: type=1400 audit(1561997852.958:37): avc: denied { map } for pid=7185 comm="syz-execprog" path="/sys/kernel/debug/kcov" dev="debugfs" ino=29 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:debugfs_t:s0 tclass=file permissive=1
[ 59.005299] random: cc1: uninitialized urandom read (8 bytes read)
2019/07/01 16:17:33 executed programs: 0
[ 59.569953] audit: type=1400 audit(1561997853.768:38): avc: denied { map } for pid=7185 comm="syz-execprog" path="/root/syzkaller-shm065386436" dev="sda1" ino=16485 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:file_t:s0 tclass=file permissive=1
[ 60.370291] IPVS: ftp: loaded support on port[0] = 21
[ 60.700444] chnl_net:caif_netlink_parms(): no params data found
[ 60.732156] bridge0: port 1(bridge_slave_0) entered blocking state
[ 60.738948] bridge0: port 1(bridge_slave_0) entered disabled state
[ 60.746898] device bridge_slave_0 entered promiscuous mode
[ 60.754559] bridge0: port 2(bridge_slave_1) entered blocking state
[ 60.761185] bridge0: port 2(bridge_slave_1) entered disabled state
[ 60.768557] device bridge_slave_1 entered promiscuous mode
[ 60.783623] bond0: Enslaving bond_slave_0 as an active interface with an up link
[ 60.792620] bond0: Enslaving bond_slave_1 as an active interface with an up link
[ 60.808597] IPv6: ADDRCONF(NETDEV_UP): team_slave_0: link is not ready
[ 60.816791] team0: Port device team_slave_0 added
[ 60.822617] IPv6: ADDRCONF(NETDEV_UP): team_slave_1: link is not ready
[ 60.830422] team0: Port device team_slave_1 added
[ 60.835982] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_0: link is not ready
[ 60.843704] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_1: link is not ready
[ 60.892281] device hsr_slave_0 entered promiscuous mode
[ 60.930452] device hsr_slave_1 entered promiscuous mode
[ 61.000705] IPv6: ADDRCONF(NETDEV_UP): hsr_slave_0: link is not ready
[ 61.008139] IPv6: ADDRCONF(NETDEV_UP): hsr_slave_1: link is not ready
[ 61.021847] bridge0: port 2(bridge_slave_1) entered blocking state
[ 61.028336] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 61.035503] bridge0: port 1(bridge_slave_0) entered blocking state
[ 61.042250] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 61.072367] IPv6: ADDRCONF(NETDEV_UP): bond0: link is not ready
[ 61.095508] 8021q: adding VLAN 0 to HW filter on device bond0
[ 61.113545] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
[ 61.123668] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 61.143570] bridge0: port 1(bridge_slave_0) entered disabled state
[ 61.151450] bridge0: port 2(bridge_slave_1) entered disabled state
[ 61.161657] IPv6: ADDRCONF(NETDEV_UP): team0: link is not ready
[ 61.167835] 8021q: adding VLAN 0 to HW filter on device team0
[ 61.177170] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[ 61.185906] bridge0: port 1(bridge_slave_0) entered blocking state
[ 61.192565] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 61.202317] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[ 61.210615] bridge0: port 2(bridge_slave_1) entered blocking state
[ 61.217006] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 61.233806] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready
[ 61.242013] IPv6: ADDRCONF(NETDEV_CHANGE): team0: link becomes ready
[ 61.252671] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready
[ 61.265652] hsr0: Slave A (hsr_slave_0) is not up; please bring it up to get a fully working HSR network
[ 61.276587] hsr0: Slave B (hsr_slave_1) is not up; please bring it up to get a fully working HSR network
[ 61.288520] IPv6: ADDRCONF(NETDEV_UP): hsr0: link is not ready
[ 61.295500] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
[ 61.303795] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
[ 61.312307] IPv6: ADDRCONF(NETDEV_CHANGE): hsr0: link becomes ready
[ 61.324624] IPv6: ADDRCONF(NETDEV_UP): vxcan1: link is not ready
[ 61.335883] 8021q: adding VLAN 0 to HW filter on device batadv0
[ 61.691072] IPv6: ADDRCONF(NETDEV_CHANGE): bond0: link becomes ready
2019/07/01 16:17:38 executed programs: 75
[ 64.996014]
[ 64.997706] =====================================
[ 65.002525] WARNING: bad unlock balance detected!
[ 65.007530] 4.14.131 #25 Not tainted
[ 65.011689] -------------------------------------
[ 65.016550] syz-executor.0/7941 is trying to release lock (&file->mut) at:
[ 65.023868] [] ucma_destroy_id+0x20d/0x420
[ 65.029651] but there are no more locks to release!
[ 65.034932]
[ 65.034932] other info that might help us debug this:
[ 65.041616] 1 lock held by syz-executor.0/7941:
[ 65.046539] #0: (&file->mut){+.+.}, at: [] ucma_destroy_id+0x1aa/0x420
[ 65.055044]
[ 65.055044] stack backtrace:
[ 65.059757] CPU: 1 PID: 7941 Comm: syz-executor.0 Not tainted 4.14.131 #25
[ 65.066979] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 65.076652] Call Trace:
[ 65.079253] dump_stack+0x138/0x19c
[ 65.082998] ? ucma_destroy_id+0x20d/0x420
[ 65.087384] print_unlock_imbalance_bug.cold+0x114/0x123
[ 65.093269] ? ucma_destroy_id+0x20d/0x420
[ 65.097675] lock_release+0x616/0x940
[ 65.101610] ? ucma_destroy_id+0x1aa/0x420
[ 65.105967] ? lock_downgrade+0x6e0/0x6e0
[ 65.110139] ? __radix_tree_delete+0xe9/0x140
[ 65.114784] __mutex_unlock_slowpath+0x71/0x800
[ 65.119605] ? radix_tree_delete_item+0xe5/0x1a0
[ 65.124356] ? wait_for_completion+0x420/0x420
[ 65.128927] mutex_unlock+0xd/0x10
[ 65.132459] ucma_destroy_id+0x20d/0x420
[ 65.136694] ? ucma_close+0x310/0x310
[ 65.140707] ? _copy_from_user+0x99/0x110
[ 65.144953] ucma_write+0x231/0x310
[ 65.148739] ? ucma_close+0x310/0x310
[ 65.152531] ? ucma_open+0x290/0x290
[ 65.156714] __vfs_write+0x105/0x6b0
[ 65.160588] ? ucma_open+0x290/0x290
[ 65.164305] ? kernel_read+0x120/0x120
[ 65.168552] ? __inode_security_revalidate+0xd6/0x130
[ 65.174025] ? avc_policy_seqno+0x9/0x20
[ 65.178083] ? selinux_file_permission+0x85/0x480
[ 65.183181] ? security_file_permission+0x89/0x1f0
[ 65.188323] ? rw_verify_area+0xea/0x2b0
[ 65.192669] vfs_write+0x198/0x500
[ 65.196368] SyS_write+0xfd/0x230
[ 65.199813] ? SyS_read+0x230/0x230
[ 65.203452] ? do_syscall_64+0x53/0x640
[ 65.207683] ? SyS_read+0x230/0x230
[ 65.211557] do_syscall_64+0x1e8/0x640
[ 65.215629] ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 65.221019] entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 65.226467] RIP: 0033:0x459519
[ 65.229644] RSP: 002b:00007f5ffff83c78 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
[ 65.237336] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000000459519
[ 65.244710] RDX: 0000000020000118 RSI: 0000000020000100 RDI: 0000000000000003
[ 65.252221] RBP: 000000000075bfc8 R08: 0000000000000000 R09: 0000000000000000
[ 65.259672] R10: 0000000000000000 R11: 0000000000000246 R12: 00007f5ffff846d4
[ 65.267401] R13: 00000000004d0138 R14: 00000000004e02c8 R15: 00000000ffffffff
[ 65.275980] ==================================================================
[ 65.283513] BUG: KASAN: use-after-free in ucma_destroy_id+0x3e2/0x420
[ 65.290083] Read of size 8 at addr ffff888089d48128 by task syz-executor.0/7941
[ 65.297619]
[ 65.299328] CPU: 1 PID: 7941 Comm: syz-executor.0 Not tainted 4.14.131 #25
[ 65.306839] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 65.316516] Call Trace:
[ 65.319099] dump_stack+0x138/0x19c
[ 65.322864] ? ucma_destroy_id+0x3e2/0x420
[ 65.327210] print_address_description.cold+0x7c/0x1dc
[ 65.332570] ? ucma_destroy_id+0x3e2/0x420
[ 65.336927] kasan_report.cold+0xa9/0x2af
[ 65.341341] __asan_report_load8_noabort+0x14/0x20
[ 65.346408] ucma_destroy_id+0x3e2/0x420
[ 65.350565] ? ucma_close+0x310/0x310
[ 65.354366] ? _copy_from_user+0x99/0x110
[ 65.364791] ucma_write+0x231/0x310
[ 65.377268] ? ucma_close+0x310/0x310
[ 65.381160] ? ucma_open+0x290/0x290
[ 65.384873] __vfs_write+0x105/0x6b0
[ 65.388573] ? ucma_open+0x290/0x290
[ 65.392386] ? kernel_read+0x120/0x120
[ 65.396386] ? __inode_security_revalidate+0xd6/0x130
[ 65.401576] ? avc_policy_seqno+0x9/0x20
[ 65.405630] ? selinux_file_permission+0x85/0x480
[ 65.415992] ? security_file_permission+0x89/0x1f0
[ 65.420912] ? rw_verify_area+0xea/0x2b0
[ 65.425004] vfs_write+0x198/0x500
[ 65.428529] SyS_write+0xfd/0x230
[ 65.432077] ? SyS_read+0x230/0x230
[ 65.435822] ? do_syscall_64+0x53/0x640
[ 65.440052] ? SyS_read+0x230/0x230
[ 65.443693] do_syscall_64+0x1e8/0x640
[ 65.447637] ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 65.452476] entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 65.457651] RIP: 0033:0x459519
[ 65.460917] RSP: 002b:00007f5ffff83c78 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
[ 65.468610] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000000459519
[ 65.476043] RDX: 0000000020000118 RSI: 0000000020000100 RDI: 0000000000000003
[ 65.483304] RBP: 000000000075bfc8 R08: 0000000000000000 R09: 0000000000000000
[ 65.490813] R10: 0000000000000000 R11: 0000000000000246 R12: 00007f5ffff846d4
[ 65.498398] R13: 00000000004d0138 R14: 00000000004e02c8 R15: 00000000ffffffff
[ 65.505866]
[ 65.507481] Allocated by task 7937:
[ 65.511201] save_stack_trace+0x16/0x20
[ 65.515168] save_stack+0x45/0xd0
[ 65.518809] kasan_kmalloc+0xce/0xf0
[ 65.522511] kmem_cache_alloc_trace+0x152/0x790
[ 65.527170] ucma_alloc_ctx+0x85/0x520
[ 65.531065] ucma_create_id+0xed/0x5b0
[ 65.534942] ucma_write+0x231/0x310
[ 65.538579] __vfs_write+0x105/0x6b0
[ 65.542274] vfs_write+0x198/0x500
[ 65.545880] SyS_write+0xfd/0x230
[ 65.549317] do_syscall_64+0x1e8/0x640
[ 65.553241] entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 65.558559]
[ 65.560162] Freed by task 7936:
[ 65.563432] save_stack_trace+0x16/0x20
[ 65.567406] save_stack+0x45/0xd0
[ 65.570944] kasan_slab_free+0x75/0xc0
[ 65.574828] kfree+0xcc/0x270
[ 65.577925] ucma_free_ctx+0x73c/0xa30
[ 65.581794] ucma_close+0x11d/0x310
[ 65.585404] __fput+0x275/0x7a0
[ 65.588661] ____fput+0x16/0x20
[ 65.592016] task_work_run+0x114/0x190
[ 65.595885] exit_to_usermode_loop+0x1da/0x220
[ 65.600446] do_syscall_64+0x4bc/0x640
[ 65.604315] entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 65.609482]
[ 65.611090] The buggy address belongs to the object at ffff888089d480c0
[ 65.611090] which belongs to the cache kmalloc-256 of size 256
[ 65.624002] The buggy address is located 104 bytes inside of
[ 65.624002] 256-byte region [ffff888089d480c0, ffff888089d481c0)
[ 65.635948] The buggy address belongs to the page:
[ 65.640881] page:ffffea0002275200 count:1 mapcount:0 mapping:ffff888089d480c0 index:0x0
[ 65.649253] flags: 0x1fffc0000000100(slab)
[ 65.653477] raw: 01fffc0000000100 ffff888089d480c0 0000000000000000 000000010000000c
[ 65.661351] raw: ffffea000228d2a0 ffffea0002a11820 ffff8880aa8007c0 0000000000000000
[ 65.669238] page dumped because: kasan: bad access detected
[ 65.674955]
[ 65.676568] Memory state around the buggy address:
[ 65.681479] ffff888089d48000: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 65.689370] ffff888089d48080: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
[ 65.696778] >ffff888089d48100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 65.704316] ^
[ 65.708974] ffff888089d48180: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 65.716599] ffff888089d48200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 65.724287] ==================================================================
[ 65.732281] Kernel panic - not syncing: panic_on_warn set ...
[ 65.732281]
[ 65.739789] CPU: 1 PID: 7941 Comm: syz-executor.0 Tainted: G B 4.14.131 #25
[ 65.748131] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 65.757495] Call Trace:
[ 65.760093] dump_stack+0x138/0x19c
[ 65.763719] ? ucma_destroy_id+0x3e2/0x420
[ 65.767955] panic+0x1f2/0x426
[ 65.771223] ? add_taint.cold+0x16/0x16
[ 65.775194] ? ___preempt_schedule+0x16/0x18
[ 65.779590] kasan_end_report+0x47/0x4f
[ 65.783551] kasan_report.cold+0x130/0x2af
[ 65.787781] __asan_report_load8_noabort+0x14/0x20
[ 65.792735] ucma_destroy_id+0x3e2/0x420
[ 65.796791] ? ucma_close+0x310/0x310
[ 65.800578] ? _copy_from_user+0x99/0x110
[ 65.804801] ucma_write+0x231/0x310
[ 65.808413] ? ucma_close+0x310/0x310
[ 65.812207] ? ucma_open+0x290/0x290
[ 65.816016] __vfs_write+0x105/0x6b0
[ 65.819726] ? ucma_open+0x290/0x290
[ 65.823420] ? kernel_read+0x120/0x120
[ 65.827404] ? __inode_security_revalidate+0xd6/0x130
[ 65.832635] ? avc_policy_seqno+0x9/0x20
[ 65.836801] ? selinux_file_permission+0x85/0x480
[ 65.841850] ? security_file_permission+0x89/0x1f0
[ 65.846861] ? rw_verify_area+0xea/0x2b0
[ 65.850912] vfs_write+0x198/0x500
[ 65.854454] SyS_write+0xfd/0x230
[ 65.857898] ? SyS_read+0x230/0x230
[ 65.861613] ? do_syscall_64+0x53/0x640
[ 65.865677] ? SyS_read+0x230/0x230
[ 65.869287] do_syscall_64+0x1e8/0x640
[ 65.873163] ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 65.877991] entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 65.883188] RIP: 0033:0x459519
[ 65.886353] RSP: 002b:00007f5ffff83c78 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
[ 65.894792] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000000459519
[ 65.902048] RDX: 0000000020000118 RSI: 0000000020000100 RDI: 0000000000000003
[ 65.909388] RBP: 000000000075bfc8 R08: 0000000000000000 R09: 0000000000000000
[ 65.916660] R10: 0000000000000000 R11: 0000000000000246 R12: 00007f5ffff846d4
[ 65.923942] R13: 00000000004d0138 R14: 00000000004e02c8 R15: 00000000ffffffff
[ 65.932629] Kernel Offset: disabled
[ 65.936257] Rebooting in 86400 seconds..