Starting mcstransd:
[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting file context maintaining daemon: restorecond.
[ ok ] Starting OpenBSD Secure Shell server: sshd.
[ 11.056650] audit: type=1400 audit(1514577817.202:6): avc: denied { map } for pid=3131 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1

Debian GNU/Linux 7 syzkaller ttyS0

Warning: Permanently added '10.128.0.59' (ECDSA) to the list of known hosts.
executing program
syzkaller login:
[ 30.371666] audit: type=1400 audit(1514577836.517:7): avc: denied { map } for pid=3149 comm="syzkaller419692" path="/root/syzkaller419692922" dev="sda1" ino=16481 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
[ 30.375729] ==================================================================
[ 30.375740] BUG: KASAN: use-after-free in __lock_acquire+0x3d4d/0x3e00
[ 30.375744] Read of size 8 at addr ffff8801c91fc378 by task syzkaller419692/3149
[ 30.375745]
[ 30.375750] CPU: 0 PID: 3149 Comm: syzkaller419692 Not tainted 4.15.0-rc4-next-20171221+ #78
[ 30.375752] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 30.375754] Call Trace:
[ 30.375761] dump_stack+0x194/0x257
[ 30.375766] ? arch_local_irq_restore+0x53/0x53
[ 30.375772] ? show_regs_print_info+0x18/0x18
[ 30.375776] ? print_irqtrace_events+0x270/0x270
[ 30.375780] ? __lock_acquire+0x664/0x3e00
[ 30.375784] ? __lock_acquire+0x3d4d/0x3e00
[ 30.375790] print_address_description+0x73/0x250
[ 30.375794] ? __lock_acquire+0x3d4d/0x3e00
[ 30.375798] kasan_report+0x25b/0x340
[ 30.375803] __asan_report_load8_noabort+0x14/0x20
[ 30.375807] __lock_acquire+0x3d4d/0x3e00
[ 30.375810] ? __lock_acquire+0x664/0x3e00
[ 30.375813] ? lock_downgrade+0x980/0x980
[ 30.375817] ? lock_downgrade+0x980/0x980
[ 30.375823] ? remove_wait_queue+0x81/0x350
[ 30.375828] ? debug_check_no_locks_freed+0x3c0/0x3c0
[ 30.375832] ? __lock_acquire+0x664/0x3e00
[ 30.375836] ? check_noncircular+0x20/0x20
[ 30.375844] ? debug_check_no_locks_freed+0x3c0/0x3c0
[ 30.375848] ? lock_acquire+0x1d5/0x580
[ 30.375852] ? lock_acquire+0x1d5/0x580
[ 30.375856] ? ep_free+0xf4/0x320
[ 30.375862] ? lock_release+0xa40/0xa40
[ 30.375867] ? trace_event_raw_event_sched_switch+0x800/0x800
[ 30.375871] ? print_irqtrace_events+0x270/0x270
[ 30.375877] ? rcu_note_context_switch+0x710/0x710
[ 30.375882] ? __might_sleep+0x95/0x190
[ 30.375885] ? ep_free+0xf4/0x320
[ 30.375891] ? __mutex_lock+0x16f/0x1a80
[ 30.375894] ? ep_free+0xf4/0x320
[ 30.375898] ? print_irqtrace_events+0x270/0x270
[ 30.375901] ? ep_free+0xf4/0x320
[ 30.375906] lock_acquire+0x1d5/0x580
[ 30.375910] ? lock_acquire+0x1d5/0x580
[ 30.375913] ? remove_wait_queue+0x81/0x350
[ 30.375917] ? __lock_acquire+0x664/0x3e00
[ 30.375922] ? lock_release+0xa40/0xa40
[ 30.375927] ? lock_acquire+0x1d5/0x580
[ 30.375930] ? lock_acquire+0x1d5/0x580
[ 30.375934] ? ep_unregister_pollwait.isra.7+0x323/0x590
[ 30.375939] _raw_spin_lock_irqsave+0x96/0xc0
[ 30.375943] ? remove_wait_queue+0x81/0x350
[ 30.375947] remove_wait_queue+0x81/0x350
[ 30.375951] ? add_wait_queue+0x290/0x290
[ 30.375955] ? rcutorture_record_progress+0x10/0x10
[ 30.375961] ep_unregister_pollwait.isra.7+0x18c/0x590
[ 30.375967] ? __kernel_text_address+0xd/0x40
[ 30.375972] ? clear_tfile_check_list+0x370/0x370
[ 30.375977] ? check_noncircular+0x20/0x20
[ 30.375982] ? locks_remove_file+0x3fa/0x5a0
[ 30.375988] ep_free+0x13f/0x320
[ 30.375991] ? ep_remove+0x800/0x800
[ 30.375995] ? fsnotify_first_mark+0x2b0/0x2b0
[ 30.376000] ? ep_free+0x320/0x320
[ 30.376008] ep_eventpoll_release+0x44/0x60
[ 30.376014] __fput+0x327/0x7e0
[ 30.376019] ? fput+0x140/0x140
[ 30.376023] ? _raw_spin_unlock_irq+0x27/0x70
[ 30.376028] ____fput+0x15/0x20
[ 30.376032] task_work_run+0x199/0x270
[ 30.376037] ? task_work_cancel+0x210/0x210
[ 30.376041] ? _raw_spin_unlock+0x22/0x30
[ 30.376045] ? switch_task_namespaces+0x87/0xc0
[ 30.376051] do_exit+0x9bb/0x1ad0
[ 30.376058] ? binder_ioctl+0x491/0x1417
[ 30.376061] ? mm_update_next_owner+0x930/0x930
[ 30.376066] ? binder_ioctl_write_read.isra.38+0xcb0/0xcb0
[ 30.376073] ? avc_ss_reset+0x110/0x110
[ 30.376076] ? mutex_unlock+0xd/0x10
[ 30.376080] ? SyS_epoll_ctl+0x30a/0x1a80
[ 30.376092] ? trace_event_raw_event_sched_switch+0x800/0x800
[ 30.376095] ? up_read+0x1a/0x40
[ 30.376100] ? rcu_note_context_switch+0x710/0x710
[ 30.376108] ? __fd_install+0x288/0x740
[ 30.376114] ? binder_ioctl_write_read.isra.38+0xcb0/0xcb0
[ 30.376118] ? do_vfs_ioctl+0x486/0x1520
[ 30.376121] ? _cond_resched+0x14/0x30
[ 30.376126] ? ioctl_preallocate+0x2b0/0x2b0
[ 30.376133] ? selinux_capable+0x40/0x40
[ 30.376136] ? __alloc_fd+0x750/0x750
[ 30.376142] do_group_exit+0x149/0x400
[ 30.376146] ? SyS_exit+0x30/0x30
[ 30.376150] ? trace_hardirqs_on_caller+0x421/0x5c0
[ 30.376156] ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 30.376161] SyS_exit_group+0x1d/0x20
[ 30.376165] entry_SYSCALL_64_fastpath+0x1f/0x96
[ 30.376168] RIP: 0033:0x4429f8
[ 30.376170] RSP: 002b:00007ffc501a0fc8 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
[ 30.376174] RAX: ffffffffffffffda RBX: 00000000004002e0 RCX: 00000000004429f8
[ 30.376177] RDX: 0000000000000000 RSI: 000000000000003c RDI: 0000000000000000
[ 30.376179] RBP: 00000000006ce018 R08: 00000000000000e7 R09: ffffffffffffffd0
[ 30.376181] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000401a40
[ 30.376184] R13: 0000000000401ad0 R14: 0000000000000000 R15: 0000000000000000
[ 30.376189]
[ 30.376191] Allocated by task 3149:
[ 30.376195] save_stack+0x43/0xd0
[ 30.376198] kasan_kmalloc+0xad/0xe0
[ 30.376202] kmem_cache_alloc_trace+0x136/0x750
[ 30.376204] binder_get_thread+0x1cf/0x870
[ 30.376207] binder_poll+0x8c/0x390
[ 30.376210] ep_item_poll.isra.10+0xf2/0x320
[ 30.376212] ep_insert+0x6a2/0x1ac0
[ 30.376215] SyS_epoll_ctl+0x12bf/0x1a80
[ 30.376218] entry_SYSCALL_64_fastpath+0x1f/0x96
[ 30.376219]
[ 30.376220] Freed by task 3149:
[ 30.376223] save_stack+0x43/0xd0
[ 30.376226] kasan_slab_free+0x71/0xc0
[ 30.376228] kfree+0xd6/0x260
[ 30.376231] binder_thread_dec_tmpref+0x27f/0x310
[ 30.376234] binder_thread_release+0x27d/0x540
[ 30.376237] binder_ioctl+0xc02/0x1417
[ 30.376239] do_vfs_ioctl+0x1b1/0x1520
[ 30.376241] SyS_ioctl+0x8f/0xc0
[ 30.376244] entry_SYSCALL_64_fastpath+0x1f/0x96
[ 30.376245]
[ 30.376248] The buggy address belongs to the object at ffff8801c91fc2c0
[ 30.376248] which belongs to the cache kmalloc-512 of size 512
[ 30.376251] The buggy address is located 184 bytes inside of
[ 30.376251] 512-byte region [ffff8801c91fc2c0, ffff8801c91fc4c0)
[ 30.376252] The buggy address belongs to the page:
[ 30.376255] page:0000000002c2339c count:1 mapcount:0 mapping:00000000565f6b99 index:0x0
[ 30.376259] flags: 0x2fffc0000000100(slab)
[ 30.376265] raw: 02fffc0000000100 ffff8801c91fc040 0000000000000000 0000000100000006
[ 30.376269] raw: ffffea0007247b60 ffffea000728e1a0 ffff8801dac00940 0000000000000000
[ 30.376271] page dumped because: kasan: bad access detected
[ 30.376272]
[ 30.376273] Memory state around the buggy address:
[ 30.376275] ffff8801c91fc200: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 30.376278] ffff8801c91fc280: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
[ 30.376281] >ffff8801c91fc300: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 30.376282] ^
[ 30.376285] ffff8801c91fc380: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 30.376287] ffff8801c91fc400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 30.376288] ==================================================================
[ 30.376289] Disabling lock debugging due to kernel taint
[ 30.376292] Kernel panic - not syncing: panic_on_warn set ...
[ 30.376292]
[ 30.376296] CPU: 0 PID: 3149 Comm: syzkaller419692 Tainted: G B 4.15.0-rc4-next-20171221+ #78
[ 30.376298] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 30.376299] Call Trace:
[ 30.376303] dump_stack+0x194/0x257
[ 30.376307] ? arch_local_irq_restore+0x53/0x53
[ 30.376310] ? kasan_end_report+0x32/0x50
[ 30.376314] ? lock_downgrade+0x980/0x980
[ 30.376317] ? vsnprintf+0x1ed/0x1900
[ 30.376321] ? __lock_acquire+0x3d30/0x3e00
[ 30.376325] panic+0x1e4/0x41c
[ 30.376328] ? refcount_error_report+0x214/0x214
[ 30.376333] ? add_taint+0x40/0x50
[ 30.376336] ? add_taint+0x1c/0x50
[ 30.376340] ? __lock_acquire+0x3d4d/0x3e00
[ 30.376344] kasan_end_report+0x50/0x50
[ 30.376347] kasan_report+0x144/0x340
[ 30.376352] __asan_report_load8_noabort+0x14/0x20
[ 30.376355] __lock_acquire+0x3d4d/0x3e00
[ 30.376359] ? __lock_acquire+0x664/0x3e00
[ 30.376362] ? lock_downgrade+0x980/0x980
[ 30.376365] ? lock_downgrade+0x980/0x980
[ 30.376370] ? remove_wait_queue+0x81/0x350
[ 30.376375] ? debug_check_no_locks_freed+0x3c0/0x3c0
[ 30.376379] ? __lock_acquire+0x664/0x3e00
[ 30.376382] ? check_noncircular+0x20/0x20
[ 30.376389] ? debug_check_no_locks_freed+0x3c0/0x3c0
[ 30.376393] ? lock_acquire+0x1d5/0x580
[ 30.376397] ? lock_acquire+0x1d5/0x580
[ 30.376400] ? ep_free+0xf4/0x320
[ 30.376404] ? lock_release+0xa40/0xa40
[ 30.376408] ? trace_event_raw_event_sched_switch+0x800/0x800
[ 30.376412] ? print_irqtrace_events+0x270/0x270
[ 30.376416] ? rcu_note_context_switch+0x710/0x710
[ 30.376420] ? __might_sleep+0x95/0x190
[ 30.376423] ? ep_free+0xf4/0x320
[ 30.376427] ? __mutex_lock+0x16f/0x1a80
[ 30.376430] ? ep_free+0xf4/0x320
[ 30.376434] ? print_irqtrace_events+0x270/0x270
[ 30.376437] ? ep_free+0xf4/0x320
[ 30.376442] lock_acquire+0x1d5/0x580
[ 30.376445] ? lock_acquire+0x1d5/0x580
[ 30.376449] ? remove_wait_queue+0x81/0x350
[ 30.376452] ? __lock_acquire+0x664/0x3e00
[ 30.376456] ? lock_release+0xa40/0xa40
[ 30.376462] ? lock_acquire+0x1d5/0x580
[ 30.376465] ? lock_acquire+0x1d5/0x580
[ 30.376468] ? ep_unregister_pollwait.isra.7+0x323/0x590
[ 30.376473] _raw_spin_lock_irqsave+0x96/0xc0
[ 30.376476] ? remove_wait_queue+0x81/0x350
[ 30.376480] remove_wait_queue+0x81/0x350
[ 30.376484] ? add_wait_queue+0x290/0x290
[ 30.376488] ? rcutorture_record_progress+0x10/0x10
[ 30.376493] ep_unregister_pollwait.isra.7+0x18c/0x590
[ 30.376497] ? __kernel_text_address+0xd/0x40
[ 30.376502] ? clear_tfile_check_list+0x370/0x370
[ 30.376507] ? check_noncircular+0x20/0x20
[ 30.376511] ? locks_remove_file+0x3fa/0x5a0
[ 30.376516] ep_free+0x13f/0x320
[ 30.376520] ? ep_remove+0x800/0x800
[ 30.376523] ? fsnotify_first_mark+0x2b0/0x2b0
[ 30.376527] ? ep_free+0x320/0x320
[ 30.376531] ep_eventpoll_release+0x44/0x60
[ 30.376534] __fput+0x327/0x7e0
[ 30.376539] ? fput+0x140/0x140
[ 30.376543] ? _raw_spin_unlock_irq+0x27/0x70
[ 30.376548] ____fput+0x15/0x20
[ 30.376552] task_work_run+0x199/0x270
[ 30.376556] ? task_work_cancel+0x210/0x210
[ 30.376560] ? _raw_spin_unlock+0x22/0x30
[ 30.376563] ? switch_task_namespaces+0x87/0xc0
[ 30.376568] do_exit+0x9bb/0x1ad0
[ 30.376572] ? binder_ioctl+0x491/0x1417
[ 30.376576] ? mm_update_next_owner+0x930/0x930
[ 30.376580] ? binder_ioctl_write_read.isra.38+0xcb0/0xcb0
[ 30.376585] ? avc_ss_reset+0x110/0x110
[ 30.376588] ? mutex_unlock+0xd/0x10
[ 30.376592] ? SyS_epoll_ctl+0x30a/0x1a80
[ 30.376602] ? trace_event_raw_event_sched_switch+0x800/0x800
[ 30.376605] ? up_read+0x1a/0x40
[ 30.376609] ? rcu_note_context_switch+0x710/0x710
[ 30.376612] ? __fd_install+0x288/0x740
[ 30.376617] ? binder_ioctl_write_read.isra.38+0xcb0/0xcb0
[ 30.376620] ? do_vfs_ioctl+0x486/0x1520
[ 30.376623] ? _cond_resched+0x14/0x30
[ 30.376627] ? ioctl_preallocate+0x2b0/0x2b0
[ 30.376632] ? selinux_capable+0x40/0x40
[ 30.376635] ? __alloc_fd+0x750/0x750
[ 30.376640] do_group_exit+0x149/0x400
[ 30.376644] ? SyS_exit+0x30/0x30
[ 30.376648] ? trace_hardirqs_on_caller+0x421/0x5c0
[ 30.376652] ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 30.376657] SyS_exit_group+0x1d/0x20
[ 30.376660] entry_SYSCALL_64_fastpath+0x1f/0x96
[ 30.376663] RIP: 0033:0x4429f8
[ 30.376664] RSP: 002b:00007ffc501a0fc8 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
[ 30.376668] RAX: ffffffffffffffda RBX: 00000000004002e0 RCX: 00000000004429f8
[ 30.376670] RDX: 0000000000000000 RSI: 000000000000003c RDI: 0000000000000000
[ 30.376672] RBP: 00000000006ce018 R08: 00000000000000e7 R09: ffffffffffffffd0
[ 30.376674] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000401a40
[ 30.376676] R13: 0000000000401ad0 R14: 0000000000000000 R15: 0000000000000000
[ 30.397561] Dumping ftrace buffer:
[ 30.397564] (ftrace buffer empty)
[ 30.397567] Kernel Offset: disabled
[ 31.524961] Rebooting in 86400 seconds..