[ 39.261221] audit: type=1800 audit(1561997833.468:33): pid=7002 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:kernel_t:s0 op="collect_data" cause="failed(directio)" comm="startpar" name="rc.local" dev="sda1" ino=2465 res=0
[ 39.282878] audit: type=1800 audit(1561997833.468:34): pid=7002 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:kernel_t:s0 op="collect_data" cause="failed(directio)" comm="startpar" name="rmnologin" dev="sda1" ino=2456 res=0
Debian GNU/Linux 7 syzkaller ttyS0
syzkaller login: [ 42.621143] random: sshd: uninitialized urandom read (32 bytes read)
[ 42.993269] audit: type=1400 audit(1561997837.198:35): avc: denied { map } for pid=7173 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
[ 43.039763] random: sshd: uninitialized urandom read (32 bytes read)
[ 43.670517] random: sshd: uninitialized urandom read (32 bytes read)
[ 52.013984] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.0.181' (ECDSA) to the list of known hosts.
[ 57.647870] random: sshd: uninitialized urandom read (32 bytes read)
[ 57.837577] audit: type=1400 audit(1561997852.038:36): avc: denied { map } for pid=7185 comm="syz-execprog" path="/root/syz-execprog" dev="sda1" ino=16482 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
2019/07/01 16:17:32 parsed 1 programs
[ 58.754399] audit: type=1400 audit(1561997852.958:37): avc: denied { map } for pid=7185 comm="syz-execprog" path="/sys/kernel/debug/kcov" dev="debugfs" ino=29 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:debugfs_t:s0 tclass=file permissive=1
[ 59.005299] random: cc1: uninitialized urandom read (8 bytes read)
2019/07/01 16:17:33 executed programs: 0
[ 59.569953] audit: type=1400 audit(1561997853.768:38): avc: denied { map } for pid=7185 comm="syz-execprog" path="/root/syzkaller-shm065386436" dev="sda1" ino=16485 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:file_t:s0 tclass=file permissive=1
[ 60.370291] IPVS: ftp: loaded support on port[0] = 21
[ 60.700444] chnl_net:caif_netlink_parms(): no params data found
[ 60.732156] bridge0: port 1(bridge_slave_0) entered blocking state
[ 60.738948] bridge0: port 1(bridge_slave_0) entered disabled state
[ 60.746898] device bridge_slave_0 entered promiscuous mode
[ 60.754559] bridge0: port 2(bridge_slave_1) entered blocking state
[ 60.761185] bridge0: port 2(bridge_slave_1) entered disabled state
[ 60.768557] device bridge_slave_1 entered promiscuous mode
[ 60.783623] bond0: Enslaving bond_slave_0 as an active interface with an up link
[ 60.792620] bond0: Enslaving bond_slave_1 as an active interface with an up link
[ 60.808597] IPv6: ADDRCONF(NETDEV_UP): team_slave_0: link is not ready
[ 60.816791] team0: Port device team_slave_0 added
[ 60.822617] IPv6: ADDRCONF(NETDEV_UP): team_slave_1: link is not ready
[ 60.830422] team0: Port device team_slave_1 added
[ 60.835982] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_0: link is not ready
[ 60.843704] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_1: link is not ready
[ 60.892281] device hsr_slave_0 entered promiscuous mode
[ 60.930452] device hsr_slave_1 entered promiscuous mode
[ 61.000705] IPv6: ADDRCONF(NETDEV_UP): hsr_slave_0: link is not ready
[ 61.008139] IPv6: ADDRCONF(NETDEV_UP): hsr_slave_1: link is not ready
[ 61.021847] bridge0: port 2(bridge_slave_1) entered blocking state
[ 61.028336] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 61.035503] bridge0: port 1(bridge_slave_0) entered blocking state
[ 61.042250] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 61.072367] IPv6: ADDRCONF(NETDEV_UP): bond0: link is not ready
[ 61.095508] 8021q: adding VLAN 0 to HW filter on device bond0
[ 61.113545] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
[ 61.123668] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 61.143570] bridge0: port 1(bridge_slave_0) entered disabled state
[ 61.151450] bridge0: port 2(bridge_slave_1) entered disabled state
[ 61.161657] IPv6: ADDRCONF(NETDEV_UP): team0: link is not ready
[ 61.167835] 8021q: adding VLAN 0 to HW filter on device team0
[ 61.177170] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[ 61.185906] bridge0: port 1(bridge_slave_0) entered blocking state
[ 61.192565] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 61.202317] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[ 61.210615] bridge0: port 2(bridge_slave_1) entered blocking state
[ 61.217006] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 61.233806] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready
[ 61.242013] IPv6: ADDRCONF(NETDEV_CHANGE): team0: link becomes ready
[ 61.252671] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready
[ 61.265652] hsr0: Slave A (hsr_slave_0) is not up; please bring it up to get a fully working HSR network
[ 61.276587] hsr0: Slave B (hsr_slave_1) is not up; please bring it up to get a fully working HSR network
[ 61.288520] IPv6: ADDRCONF(NETDEV_UP): hsr0: link is not ready
[ 61.295500] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
[ 61.303795] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
[ 61.312307] IPv6: ADDRCONF(NETDEV_CHANGE): hsr0: link becomes ready
[ 61.324624] IPv6: ADDRCONF(NETDEV_UP): vxcan1: link is not ready
[ 61.335883] 8021q: adding VLAN 0 to HW filter on device batadv0
[ 61.691072] IPv6: ADDRCONF(NETDEV_CHANGE): bond0: link becomes ready
2019/07/01 16:17:38 executed programs: 75
[ 64.996014]
[ 64.997706] =====================================
[ 65.002525] WARNING: bad unlock balance detected!
[ 65.007530] 4.14.131 #25 Not tainted
[ 65.011689] -------------------------------------
[ 65.016550] syz-executor.0/7941 is trying to release lock (&file->mut) at:
[ 65.023868] [<ffffffff84789c6d>] ucma_destroy_id+0x20d/0x420
[ 65.029651] but there are no more locks to release!
[ 65.034932]
[ 65.034932] other info that might help us debug this:
[ 65.041616] 1 lock held by syz-executor.0/7941:
[ 65.046539] #0: (&file->mut){+.+.}, at: [<ffffffff84789c0a>] ucma_destroy_id+0x1aa/0x420
[ 65.055044]
[ 65.055044] stack backtrace:
[ 65.059757] CPU: 1 PID: 7941 Comm: syz-executor.0 Not tainted 4.14.131 #25
[ 65.066979] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 65.076652] Call Trace:
[ 65.079253] dump_stack+0x138/0x19c
[ 65.082998] ? ucma_destroy_id+0x20d/0x420
[ 65.087384] print_unlock_imbalance_bug.cold+0x114/0x123
[ 65.093269] ? ucma_destroy_id+0x20d/0x420
[ 65.097675] lock_release+0x616/0x940
[ 65.101610] ? ucma_destroy_id+0x1aa/0x420
[ 65.105967] ? lock_downgrade+0x6e0/0x6e0
[ 65.110139] ? __radix_tree_delete+0xe9/0x140
[ 65.114784] __mutex_unlock_slowpath+0x71/0x800
[ 65.119605] ? radix_tree_delete_item+0xe5/0x1a0
[ 65.124356] ? wait_for_completion+0x420/0x420
[ 65.128927] mutex_unlock+0xd/0x10
[ 65.132459] ucma_destroy_id+0x20d/0x420
[ 65.136694] ? ucma_close+0x310/0x310
[ 65.140707] ? _copy_from_user+0x99/0x110
[ 65.144953] ucma_write+0x231/0x310
[ 65.148739] ? ucma_close+0x310/0x310
[ 65.152531] ? ucma_open+0x290/0x290
[ 65.156714] __vfs_write+0x105/0x6b0
[ 65.160588] ? ucma_open+0x290/0x290
[ 65.164305] ? kernel_read+0x120/0x120
[ 65.168552] ? __inode_security_revalidate+0xd6/0x130
[ 65.174025] ? avc_policy_seqno+0x9/0x20
[ 65.178083] ? selinux_file_permission+0x85/0x480
[ 65.183181] ? security_file_permission+0x89/0x1f0
[ 65.188323] ? rw_verify_area+0xea/0x2b0
[ 65.192669] vfs_write+0x198/0x500
[ 65.196368] SyS_write+0xfd/0x230
[ 65.199813] ? SyS_read+0x230/0x230
[ 65.203452] ? do_syscall_64+0x53/0x640
[ 65.207683] ? SyS_read+0x230/0x230
[ 65.211557] do_syscall_64+0x1e8/0x640
[ 65.215629] ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 65.221019] entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 65.226467] RIP: 0033:0x459519
[ 65.229644] RSP: 002b:00007f5ffff83c78 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
[ 65.237336] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000000459519
[ 65.244710] RDX: 0000000020000118 RSI: 0000000020000100 RDI: 0000000000000003
[ 65.252221] RBP: 000000000075bfc8 R08: 0000000000000000 R09: 0000000000000000
[ 65.259672] R10: 0000000000000000 R11: 0000000000000246 R12: 00007f5ffff846d4
[ 65.267401] R13: 00000000004d0138 R14: 00000000004e02c8 R15: 00000000ffffffff
[ 65.275980] ==================================================================
[ 65.283513] BUG: KASAN: use-after-free in ucma_destroy_id+0x3e2/0x420
[ 65.290083] Read of size 8 at addr ffff888089d48128 by task syz-executor.0/7941
[ 65.297619]
[ 65.299328] CPU: 1 PID: 7941 Comm: syz-executor.0 Not tainted 4.14.131 #25
[ 65.306839] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 65.316516] Call Trace:
[ 65.319099] dump_stack+0x138/0x19c
[ 65.322864] ? ucma_destroy_id+0x3e2/0x420
[ 65.327210] print_address_description.cold+0x7c/0x1dc
[ 65.332570] ? ucma_destroy_id+0x3e2/0x420
[ 65.336927] kasan_report.cold+0xa9/0x2af
[ 65.341341] __asan_report_load8_noabort+0x14/0x20
[ 65.346408] ucma_destroy_id+0x3e2/0x420
[ 65.350565] ? ucma_close+0x310/0x310
[ 65.354366] ? _copy_from_user+0x99/0x110
[ 65.364791] ucma_write+0x231/0x310
[ 65.377268] ? ucma_close+0x310/0x310
[ 65.381160] ? ucma_open+0x290/0x290
[ 65.384873] __vfs_write+0x105/0x6b0
[ 65.388573] ? ucma_open+0x290/0x290
[ 65.392386] ? kernel_read+0x120/0x120
[ 65.396386] ? __inode_security_revalidate+0xd6/0x130
[ 65.401576] ? avc_policy_seqno+0x9/0x20
[ 65.405630] ? selinux_file_permission+0x85/0x480
[ 65.415992] ? security_file_permission+0x89/0x1f0
[ 65.420912] ? rw_verify_area+0xea/0x2b0
[ 65.425004] vfs_write+0x198/0x500
[ 65.428529] SyS_write+0xfd/0x230
[ 65.432077] ? SyS_read+0x230/0x230
[ 65.435822] ? do_syscall_64+0x53/0x640
[ 65.440052] ? SyS_read+0x230/0x230
[ 65.443693] do_syscall_64+0x1e8/0x640
[ 65.447637] ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 65.452476] entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 65.457651] RIP: 0033:0x459519
[ 65.460917] RSP: 002b:00007f5ffff83c78 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
[ 65.468610] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000000459519
[ 65.476043] RDX: 0000000020000118 RSI: 0000000020000100 RDI: 0000000000000003
[ 65.483304] RBP: 000000000075bfc8 R08: 0000000000000000 R09: 0000000000000000
[ 65.490813] R10: 0000000000000000 R11: 0000000000000246 R12: 00007f5ffff846d4
[ 65.498398] R13: 00000000004d0138 R14: 00000000004e02c8 R15: 00000000ffffffff
[ 65.505866]
[ 65.507481] Allocated by task 7937:
[ 65.511201] save_stack_trace+0x16/0x20
[ 65.515168] save_stack+0x45/0xd0
[ 65.518809] kasan_kmalloc+0xce/0xf0
[ 65.522511] kmem_cache_alloc_trace+0x152/0x790
[ 65.527170] ucma_alloc_ctx+0x85/0x520
[ 65.531065] ucma_create_id+0xed/0x5b0
[ 65.534942] ucma_write+0x231/0x310
[ 65.538579] __vfs_write+0x105/0x6b0
[ 65.542274] vfs_write+0x198/0x500
[ 65.545880] SyS_write+0xfd/0x230
[ 65.549317] do_syscall_64+0x1e8/0x640
[ 65.553241] entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 65.558559]
[ 65.560162] Freed by task 7936:
[ 65.563432] save_stack_trace+0x16/0x20
[ 65.567406] save_stack+0x45/0xd0
[ 65.570944] kasan_slab_free+0x75/0xc0
[ 65.574828] kfree+0xcc/0x270
[ 65.577925] ucma_free_ctx+0x73c/0xa30
[ 65.581794] ucma_close+0x11d/0x310
[ 65.585404] __fput+0x275/0x7a0
[ 65.588661] ____fput+0x16/0x20
[ 65.592016] task_work_run+0x114/0x190
[ 65.595885] exit_to_usermode_loop+0x1da/0x220
[ 65.600446] do_syscall_64+0x4bc/0x640
[ 65.604315] entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 65.609482]
[ 65.611090] The buggy address belongs to the object at ffff888089d480c0
[ 65.611090] which belongs to the cache kmalloc-256 of size 256
[ 65.624002] The buggy address is located 104 bytes inside of
[ 65.624002] 256-byte region [ffff888089d480c0, ffff888089d481c0)
[ 65.635948] The buggy address belongs to the page:
[ 65.640881] page:ffffea0002275200 count:1 mapcount:0 mapping:ffff888089d480c0 index:0x0
[ 65.649253] flags: 0x1fffc0000000100(slab)
[ 65.653477] raw: 01fffc0000000100 ffff888089d480c0 0000000000000000 000000010000000c
[ 65.661351] raw: ffffea000228d2a0 ffffea0002a11820 ffff8880aa8007c0 0000000000000000
[ 65.669238] page dumped because: kasan: bad access detected
[ 65.674955]
[ 65.676568] Memory state around the buggy address:
[ 65.681479] ffff888089d48000: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 65.689370] ffff888089d48080: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
[ 65.696778] >ffff888089d48100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 65.704316] ^
[ 65.708974] ffff888089d48180: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 65.716599] ffff888089d48200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 65.724287] ==================================================================
[ 65.732281] Kernel panic - not syncing: panic_on_warn set ...
[ 65.732281]
[ 65.739789] CPU: 1 PID: 7941 Comm: syz-executor.0 Tainted: G B 4.14.131 #25
[ 65.748131] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 65.757495] Call Trace:
[ 65.760093] dump_stack+0x138/0x19c
[ 65.763719] ? ucma_destroy_id+0x3e2/0x420
[ 65.767955] panic+0x1f2/0x426
[ 65.771223] ? add_taint.cold+0x16/0x16
[ 65.775194] ? ___preempt_schedule+0x16/0x18
[ 65.779590] kasan_end_report+0x47/0x4f
[ 65.783551] kasan_report.cold+0x130/0x2af
[ 65.787781] __asan_report_load8_noabort+0x14/0x20
[ 65.792735] ucma_destroy_id+0x3e2/0x420
[ 65.796791] ? ucma_close+0x310/0x310
[ 65.800578] ? _copy_from_user+0x99/0x110
[ 65.804801] ucma_write+0x231/0x310
[ 65.808413] ? ucma_close+0x310/0x310
[ 65.812207] ? ucma_open+0x290/0x290
[ 65.816016] __vfs_write+0x105/0x6b0
[ 65.819726] ? ucma_open+0x290/0x290
[ 65.823420] ? kernel_read+0x120/0x120
[ 65.827404] ? __inode_security_revalidate+0xd6/0x130
[ 65.832635] ? avc_policy_seqno+0x9/0x20
[ 65.836801] ? selinux_file_permission+0x85/0x480
[ 65.841850] ? security_file_permission+0x89/0x1f0
[ 65.846861] ? rw_verify_area+0xea/0x2b0
[ 65.850912] vfs_write+0x198/0x500
[ 65.854454] SyS_write+0xfd/0x230
[ 65.857898] ? SyS_read+0x230/0x230
[ 65.861613] ? do_syscall_64+0x53/0x640
[ 65.865677] ? SyS_read+0x230/0x230
[ 65.869287] do_syscall_64+0x1e8/0x640
[ 65.873163] ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 65.877991] entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 65.883188] RIP: 0033:0x459519
[ 65.886353] RSP: 002b:00007f5ffff83c78 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
[ 65.894792] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000000459519
[ 65.902048] RDX: 0000000020000118 RSI: 0000000020000100 RDI: 0000000000000003
[ 65.909388] RBP: 000000000075bfc8 R08: 0000000000000000 R09: 0000000000000000
[ 65.916660] R10: 0000000000000000 R11: 0000000000000246 R12: 00007f5ffff846d4
[ 65.923942] R13: 00000000004d0138 R14: 00000000004e02c8 R15: 00000000ffffffff
[ 65.932629] Kernel Offset: disabled
[ 65.936257] Rebooting in 86400 seconds..