[....] Starting enhanced syslogd: rsyslogd[ 13.097519] audit: type=1400 audit(1516970846.192:5): avc: denied { syslog } for pid=3501 comm="rsyslogd" capability=34 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=capability2 permissive=1 [?25l[?1c7[ ok 8[?25h[?0c. [....] Starting periodic command scheduler: cron[?25l[?1c7[ ok 8[?25h[?0c. Starting mcstransd: [....] Starting file context maintaining daemon: restorecond[?25l[?1c7[ ok 8[?25h[?0c. [....] Starting OpenBSD Secure Shell server: sshd[?25l[?1c7[ ok 8[?25h[?0c. Debian GNU/Linux 7 syzkaller ttyS0 syzkaller login: [ 18.680842] audit: type=1400 audit(1516970851.775:6): avc: denied { map } for pid=3642 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1 Warning: Permanently added '10.128.0.49' (ECDSA) to the list of known hosts. executing program [ 24.938915] audit: type=1400 audit(1516970858.033:7): avc: denied { map } for pid=3656 comm="syzkaller196674" path="/root/syzkaller196674338" dev="sda1" ino=16481 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1 [ 24.945719] ================================================================== [ 24.945735] BUG: KASAN: use-after-free in __lock_acquire+0x3d4d/0x3e00 [ 24.945740] Read of size 8 at addr ffff8801d95b7b70 by task syzkaller196674/3656 [ 24.945741] [ 24.945749] CPU: 1 PID: 3656 Comm: syzkaller196674 Not tainted 4.15.0-rc9+ #191 [ 24.945752] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 24.945754] Call Trace: [ 24.945765] dump_stack+0x194/0x257 [ 24.945773] ? arch_local_irq_restore+0x53/0x53 [ 24.945782] ? show_regs_print_info+0x18/0x18 [ 24.945788] ? print_irqtrace_events+0x270/0x270 [ 24.945794] ? __lock_acquire+0x664/0x3e00 [ 24.945800] ? __lock_acquire+0x3d4d/0x3e00 [ 24.945808] print_address_description+0x73/0x250 [ 24.945815] ? __lock_acquire+0x3d4d/0x3e00 [ 24.945821] kasan_report+0x25b/0x340 [ 24.945830] __asan_report_load8_noabort+0x14/0x20 [ 24.945835] __lock_acquire+0x3d4d/0x3e00 [ 24.945841] ? __lock_acquire+0x664/0x3e00 [ 24.945848] ? lock_downgrade+0x980/0x980 [ 24.945853] ? lock_downgrade+0x980/0x980 [ 24.945860] ? print_irqtrace_events+0x270/0x270 [ 24.945867] ? remove_wait_queue+0x81/0x350 [ 24.945876] ? debug_check_no_locks_freed+0x3c0/0x3c0 [ 24.945883] ? __lock_acquire+0x664/0x3e00 [ 24.945889] ? check_noncircular+0x20/0x20 [ 24.945901] ? debug_check_no_locks_freed+0x3c0/0x3c0 [ 24.945909] ? lock_acquire+0x1d5/0x580 [ 24.945914] ? lock_acquire+0x1d5/0x580 [ 24.945921] ? ep_free+0xf4/0x320 [ 24.945930] ? lock_release+0xa40/0xa40 [ 24.945936] ? trace_event_raw_event_sched_switch+0x800/0x800 [ 24.945942] ? print_irqtrace_events+0x270/0x270 [ 24.945948] ? print_irqtrace_events+0x270/0x270 [ 24.945955] ? rcu_note_context_switch+0x710/0x710 [ 24.945963] ? __might_sleep+0x95/0x190 [ 24.945969] ? ep_free+0xf4/0x320 [ 24.945975] ? __mutex_lock+0x16f/0x1a80 [ 24.945981] ? ep_free+0xf4/0x320 [ 24.945988] ? print_irqtrace_events+0x270/0x270 [ 24.945993] ? ep_free+0xf4/0x320 [ 24.946007] lock_acquire+0x1d5/0x580 [ 24.946012] ? lock_acquire+0x1d5/0x580 [ 24.946018] ? remove_wait_queue+0x81/0x350 [ 24.946027] ? lock_release+0xa40/0xa40 [ 24.946036] ? lock_acquire+0x1d5/0x580 [ 24.946042] ? debug_check_no_locks_freed+0x3c0/0x3c0 [ 24.946047] ? lock_acquire+0x1d5/0x580 [ 24.946054] ? ep_unregister_pollwait.isra.7+0x323/0x590 [ 24.946061] _raw_spin_lock_irqsave+0x96/0xc0 [ 24.946067] ? remove_wait_queue+0x81/0x350 [ 24.946073] remove_wait_queue+0x81/0x350 [ 24.946080] ? depot_save_stack+0x3b5/0x490 [ 24.946087] ? add_wait_queue+0x290/0x290 [ 24.946093] ? rcutorture_record_progress+0x10/0x10 [ 24.946099] ? lock_release+0xa40/0xa40 [ 24.946109] ep_unregister_pollwait.isra.7+0x18c/0x590 [ 24.946117] ? __kernel_text_address+0xd/0x40 [ 24.946126] ? clear_tfile_check_list+0x370/0x370 [ 24.946133] ? check_noncircular+0x20/0x20 [ 24.946143] ? locks_remove_file+0x3fa/0x5a0 [ 24.946153] ep_free+0x13f/0x320 [ 24.946159] ? ep_remove+0x800/0x800 [ 24.946165] ? fsnotify_first_mark+0x2b0/0x2b0 [ 24.946174] ? ep_free+0x320/0x320 [ 24.946180] ep_eventpoll_release+0x44/0x60 [ 24.946188] __fput+0x327/0x7e0 [ 24.946196] ? fput+0x140/0x140 [ 24.946204] ? _raw_spin_unlock_irq+0x27/0x70 [ 24.946213] ____fput+0x15/0x20 [ 24.946219] task_work_run+0x199/0x270 [ 24.946227] ? task_work_cancel+0x210/0x210 [ 24.946234] ? _raw_spin_unlock+0x22/0x30 [ 24.946241] ? switch_task_namespaces+0x87/0xc0 [ 24.946250] do_exit+0x9bb/0x1ad0 [ 24.946257] ? __handle_mm_fault+0x2330/0x3ce0 [ 24.946265] ? mm_update_next_owner+0x930/0x930 [ 24.946275] ? do_raw_spin_trylock+0x190/0x190 [ 24.946283] ? trace_event_raw_event_sched_switch+0x800/0x800 [ 24.946289] ? check_noncircular+0x20/0x20 [ 24.946297] ? _raw_spin_unlock+0x22/0x30 [ 24.946307] ? __handle_mm_fault+0x80e/0x3ce0 [ 24.946315] ? check_noncircular+0x20/0x20 [ 24.946320] ? __pmd_alloc+0x4e0/0x4e0 [ 24.946326] ? lock_downgrade+0x980/0x980 [ 24.946334] ? find_held_lock+0x35/0x1d0 [ 24.946343] ? handle_mm_fault+0x248/0x8d0 [ 24.946350] ? find_held_lock+0x35/0x1d0 [ 24.946360] ? __do_page_fault+0x5f7/0xc90 [ 24.946366] ? lock_downgrade+0x980/0x980 [ 24.946375] ? handle_mm_fault+0x410/0x8d0 [ 24.946381] ? down_read_trylock+0xdb/0x170 [ 24.946386] ? __do_page_fault+0x32d/0xc90 [ 24.946393] ? __handle_mm_fault+0x3ce0/0x3ce0 [ 24.946399] ? vmacache_find+0x5f/0x280 [ 24.946408] do_group_exit+0x149/0x400 [ 24.946415] ? __do_page_fault+0x3d6/0xc90 [ 24.946421] ? SyS_exit+0x30/0x30 [ 24.946431] ? do_fast_syscall_32+0x156/0xf9d [ 24.946437] ? do_group_exit+0x400/0x400 [ 24.946444] SyS_exit_group+0x1d/0x20 [ 24.946450] do_fast_syscall_32+0x3ee/0xf9d [ 24.946459] ? do_int80_syscall_32+0x9d0/0x9d0 [ 24.946465] ? kasan_check_read+0x11/0x20 [ 24.946472] ? syscall_return_slowpath+0x550/0x550 [ 24.946480] ? SyS_rt_sigaction+0x94/0x1b0 [ 24.946487] ? SyS_sigprocmask+0x4b0/0x4b0 [ 24.946492] ? SyS_read+0x184/0x220 [ 24.946498] ? retint_user+0x18/0x18 [ 24.946506] ? trace_hardirqs_off_thunk+0x1a/0x1c [ 24.946515] entry_SYSENTER_compat+0x54/0x63 [ 24.946520] RIP: 0023:0xf7fd2c79 [ 24.946523] RSP: 002b:00000000ffdb833c EFLAGS: 00000292 ORIG_RAX: 00000000000000fc [ 24.946530] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00000000080f0298 [ 24.946534] RDX: 0000000000000000 RSI: 00000000080d9ab8 RDI: 00000000080f02a0 [ 24.946537] RBP: 0000000000000001 R08: 0000000000000000 R09: 0000000000000000 [ 24.946540] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000 [ 24.946543] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000 [ 24.946551] [ 24.946554] Allocated by task 3656: [ 24.946560] save_stack+0x43/0xd0 [ 24.946564] kasan_kmalloc+0xad/0xe0 [ 24.946569] kmem_cache_alloc_trace+0x136/0x750 [ 24.946576] binder_get_thread+0x1cf/0x870 [ 24.946582] binder_poll+0x8c/0x390 [ 24.946587] ep_item_poll.isra.10+0xec/0x320 [ 24.946592] ep_insert+0x6a3/0x1b10 [ 24.946597] SyS_epoll_ctl+0x12e4/0x1ab0 [ 24.946603] do_fast_syscall_32+0x3ee/0xf9d [ 24.946607] entry_SYSENTER_compat+0x54/0x63 [ 24.946609] [ 24.946611] Freed by task 3656: [ 24.946615] save_stack+0x43/0xd0 [ 24.946620] kasan_slab_free+0x71/0xc0 [ 24.946624] kfree+0xd6/0x260 [ 24.946630] binder_thread_dec_tmpref+0x27f/0x310 [ 24.946636] binder_thread_release+0x27d/0x540 [ 24.946640] binder_ioctl+0xc02/0x1417 [ 24.946645] compat_SyS_ioctl+0x151/0x2a30 [ 24.946651] do_fast_syscall_32+0x3ee/0xf9d [ 24.946655] entry_SYSENTER_compat+0x54/0x63 [ 24.946657] [ 24.946661] The buggy address belongs to the object at ffff8801d95b7ac0 [ 24.946661] which belongs to the cache kmalloc-512 of size 512 [ 24.946666] The buggy address is located 176 bytes inside of [ 24.946666] 512-byte region [ffff8801d95b7ac0, ffff8801d95b7cc0) [ 24.946667] The buggy address belongs to the page: [ 24.946673] page:ffffea0007656dc0 count:1 mapcount:0 mapping:ffff8801d95b70c0 index:0x0 [ 24.946678] flags: 0x2fffc0000000100(slab) [ 24.946687] raw: 02fffc0000000100 ffff8801d95b70c0 0000000000000000 0000000100000006 [ 24.946693] raw: ffffea0006f0e0e0 ffff8801dac01748 ffff8801dac00940 0000000000000000 [ 24.946696] page dumped because: kasan: bad access detected [ 24.946697] [ 24.946699] Memory state around the buggy address: [ 24.946704] ffff8801d95b7a00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 24.946708] ffff8801d95b7a80: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb [ 24.946713] >ffff8801d95b7b00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 24.946715] ^ [ 24.946719] ffff8801d95b7b80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 24.946724] ffff8801d95b7c00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 24.946726] ================================================================== [ 24.946727] Disabling lock debugging due to kernel taint [ 24.946730] Kernel panic - not syncing: panic_on_warn set ... [ 24.946730] [ 24.946736] CPU: 1 PID: 3656 Comm: syzkaller196674 Tainted: G B 4.15.0-rc9+ #191 [ 24.946739] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 24.946741] Call Trace: [ 24.946748] dump_stack+0x194/0x257 [ 24.946755] ? arch_local_irq_restore+0x53/0x53 [ 24.946761] ? kasan_end_report+0x32/0x50 [ 24.946767] ? lock_downgrade+0x980/0x980 [ 24.946774] ? vsnprintf+0x1ed/0x1900 [ 24.946780] ? __lock_acquire+0x3ca0/0x3e00 [ 24.946786] panic+0x1e4/0x41c [ 24.946792] ? refcount_error_report+0x214/0x214 [ 24.946799] ? add_taint+0x40/0x50 [ 24.946805] ? add_taint+0x1c/0x50 [ 24.946812] ? __lock_acquire+0x3d4d/0x3e00 [ 24.946818] kasan_end_report+0x50/0x50 [ 24.946824] kasan_report+0x144/0x340 [ 24.946832] __asan_report_load8_noabort+0x14/0x20 [ 24.946837] __lock_acquire+0x3d4d/0x3e00 [ 24.946843] ? __lock_acquire+0x664/0x3e00 [ 24.946849] ? lock_downgrade+0x980/0x980 [ 24.946855] ? lock_downgrade+0x980/0x980 [ 24.946862] ? print_irqtrace_events+0x270/0x270 [ 24.946868] ? remove_wait_queue+0x81/0x350 [ 24.946876] ? debug_check_no_locks_freed+0x3c0/0x3c0 [ 24.946883] ? __lock_acquire+0x664/0x3e00 [ 24.946889] ? check_noncircular+0x20/0x20 [ 24.946901] ? debug_check_no_locks_freed+0x3c0/0x3c0 [ 24.946908] ? lock_acquire+0x1d5/0x580 [ 24.946914] ? lock_acquire+0x1d5/0x580 [ 24.946919] ? ep_free+0xf4/0x320 [ 24.946927] ? lock_release+0xa40/0xa40 [ 24.946933] ? trace_event_raw_event_sched_switch+0x800/0x800 [ 24.946939] ? print_irqtrace_events+0x270/0x270 [ 24.946945] ? print_irqtrace_events+0x270/0x270 [ 24.946951] ? rcu_note_context_switch+0x710/0x710 [ 24.946958] ? __might_sleep+0x95/0x190 [ 24.946964] ? ep_free+0xf4/0x320 [ 24.946971] ? __mutex_lock+0x16f/0x1a80 [ 24.946976] ? ep_free+0xf4/0x320 [ 24.946983] ? print_irqtrace_events+0x270/0x270 [ 24.946988] ? ep_free+0xf4/0x320 [ 24.946996] lock_acquire+0x1d5/0x580 [ 24.947002] ? lock_acquire+0x1d5/0x580 [ 24.947008] ? remove_wait_queue+0x81/0x350 [ 24.947016] ? lock_release+0xa40/0xa40 [ 24.947025] ? lock_acquire+0x1d5/0x580 [ 24.947031] ? debug_check_no_locks_freed+0x3c0/0x3c0 [ 24.947036] ? lock_acquire+0x1d5/0x580 [ 24.947043] ? ep_unregister_pollwait.isra.7+0x323/0x590 [ 24.947049] _raw_spin_lock_irqsave+0x96/0xc0 [ 24.947055] ? remove_wait_queue+0x81/0x350 [ 24.947062] remove_wait_queue+0x81/0x350 [ 24.947068] ? depot_save_stack+0x3b5/0x490 [ 24.947075] ? add_wait_queue+0x290/0x290 [ 24.947081] ? rcutorture_record_progress+0x10/0x10 [ 24.947086] ? lock_release+0xa40/0xa40 [ 24.947096] ep_unregister_pollwait.isra.7+0x18c/0x590 [ 24.947102] ? __kernel_text_address+0xd/0x40 [ 24.947110] ? clear_tfile_check_list+0x370/0x370 [ 24.947118] ? check_noncircular+0x20/0x20 [ 24.947126] ? locks_remove_file+0x3fa/0x5a0 [ 24.947135] ep_free+0x13f/0x320 [ 24.947141] ? ep_remove+0x800/0x800 [ 24.947147] ? fsnotify_first_mark+0x2b0/0x2b0 [ 24.947155] ? ep_free+0x320/0x320 [ 24.947162] ep_eventpoll_release+0x44/0x60 [ 24.947168] __fput+0x327/0x7e0 [ 24.947176] ? fput+0x140/0x140 [ 24.947183] ? _raw_spin_unlock_irq+0x27/0x70 [ 24.947192] ____fput+0x15/0x20 [ 24.947198] task_work_run+0x199/0x270 [ 24.947206] ? task_work_cancel+0x210/0x210 [ 24.947213] ? _raw_spin_unlock+0x22/0x30 [ 24.947219] ? switch_task_namespaces+0x87/0xc0 [ 24.947226] do_exit+0x9bb/0x1ad0 [ 24.947233] ? __handle_mm_fault+0x2330/0x3ce0 [ 24.947241] ? mm_update_next_owner+0x930/0x930 [ 24.947250] ? do_raw_spin_trylock+0x190/0x190 [ 24.947257] ? trace_event_raw_event_sched_switch+0x800/0x800 [ 24.947263] ? check_noncircular+0x20/0x20 [ 24.947271] ? _raw_spin_unlock+0x22/0x30 [ 24.947277] ? __handle_mm_fault+0x80e/0x3ce0 [ 24.947285] ? check_noncircular+0x20/0x20 [ 24.947290] ? __pmd_alloc+0x4e0/0x4e0 [ 24.947295] ? lock_downgrade+0x980/0x980 [ 24.947307] ? find_held_lock+0x35/0x1d0 [ 24.947315] ? handle_mm_fault+0x248/0x8d0 [ 24.947323] ? find_held_lock+0x35/0x1d0 [ 24.947332] ? __do_page_fault+0x5f7/0xc90 [ 24.947338] ? lock_downgrade+0x980/0x980 [ 24.947347] ? handle_mm_fault+0x410/0x8d0 [ 24.947352] ? down_read_trylock+0xdb/0x170 [ 24.947358] ? __do_page_fault+0x32d/0xc90 [ 24.947364] ? __handle_mm_fault+0x3ce0/0x3ce0 [ 24.947370] ? vmacache_find+0x5f/0x280 [ 24.947378] do_group_exit+0x149/0x400 [ 24.947385] ? __do_page_fault+0x3d6/0xc90 [ 24.947391] ? SyS_exit+0x30/0x30 [ 24.947399] ? do_fast_syscall_32+0x156/0xf9d [ 24.947405] ? do_group_exit+0x400/0x400 [ 24.947411] SyS_exit_group+0x1d/0x20 [ 24.947417] do_fast_syscall_32+0x3ee/0xf9d [ 24.947426] ? do_int80_syscall_32+0x9d0/0x9d0 [ 24.947432] ? kasan_check_read+0x11/0x20 [ 24.947439] ? syscall_return_slowpath+0x550/0x550 [ 24.947446] ? SyS_rt_sigaction+0x94/0x1b0 [ 24.947453] ? SyS_sigprocmask+0x4b0/0x4b0 [ 24.947458] ? SyS_read+0x184/0x220 [ 24.947463] ? retint_user+0x18/0x18 [ 24.947471] ? trace_hardirqs_off_thunk+0x1a/0x1c [ 24.947480] entry_SYSENTER_compat+0x54/0x63 [ 24.947483] RIP: 0023:0xf7fd2c79 [ 24.947486] RSP: 002b:00000000ffdb833c EFLAGS: 00000292 ORIG_RAX: 00000000000000fc [ 24.947492] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00000000080f0298 [ 24.947496] RDX: 0000000000000000 RSI: 00000000080d9ab8 RDI: 00000000080f02a0 [ 24.947499] RBP: 0000000000000001 R08: 0000000000000000 R09: 0000000000000000 [ 24.947502] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000 [ 24.947505] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000 [ 24.965344] Dumping ftrace buffer: [ 24.965348] (ftrace buffer empty) [ 24.965351] Kernel Offset: disabled [ 26.248464] Rebooting in 86400 seconds..