[ ok ] Starting enhanced syslogd: rsyslogd.
[ 15.959595] audit: type=1400 audit(1519272423.532:5): avc: denied { syslog } for pid=4023 comm="rsyslogd" capability=34 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=capability2 permissive=1
Starting mcstransd:
[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting file context maintaining daemon: restorecond.
[ ok ] Starting OpenBSD Secure Shell server: sshd.

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [ 19.358243] audit: type=1400 audit(1519272426.931:6): avc: denied { map } for pid=4162 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
Warning: Permanently added '10.128.15.213' (ECDSA) to the list of known hosts.
executing program
[ 25.653052] audit: type=1400 audit(1519272433.225:7): avc: denied { map } for pid=4176 comm="syzkaller526503" path="/root/syzkaller526503939" dev="sda1" ino=16481 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
[ 25.693315] ==================================================================
[ 25.700706] BUG: KASAN: use-after-free in __lock_acquire+0x3d4d/0x3e00
[ 25.707356] Read of size 8 at addr ffff8801adc976c0 by task syzkaller526503/4176
[ 25.714855]
[ 25.716453] CPU: 1 PID: 4176 Comm: syzkaller526503 Not tainted 4.16.0-rc2+ #323
[ 25.723875] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 25.733198] Call Trace:
[ 25.735759]  dump_stack+0x194/0x257
[ 25.739365]  ? arch_local_irq_restore+0x53/0x53
[ 25.744001]  ? show_regs_print_info+0x18/0x18
[ 25.748472]  ? __lock_acquire+0x3d4d/0x3e00
[ 25.752762]  print_address_description+0x73/0x250
[ 25.757573]  ? __lock_acquire+0x3d4d/0x3e00
[ 25.761860]  kasan_report+0x23b/0x360
[ 25.765626]  __asan_report_load8_noabort+0x14/0x20
[ 25.770535]  __lock_acquire+0x3d4d/0x3e00
[ 25.774745]  ? remove_wait_queue+0x81/0x350
[ 25.779037]  ? debug_check_no_locks_freed+0x3c0/0x3c0
[ 25.784197]  ? __lock_acquire+0x664/0x3e00
[ 25.788400]  ? lock_downgrade+0x980/0x980
[ 25.792518]  ? debug_check_no_locks_freed+0x3c0/0x3c0
[ 25.797675]  ? lock_acquire+0x1d5/0x580
[ 25.801621]  ? lock_acquire+0x1d5/0x580
[ 25.805562]  ? ep_free+0xf4/0x320
[ 25.808984]  ? lock_release+0xa40/0xa40
[ 25.812925]  ? trace_event_raw_event_sched_switch+0x810/0x810
[ 25.818776]  ? check_noncircular+0x20/0x20
[ 25.822977]  ? print_irqtrace_events+0x270/0x270
[ 25.827703]  ? rcu_note_context_switch+0x710/0x710
[ 25.832603]  ? __might_sleep+0x95/0x190
[ 25.836550]  ? ep_free+0xf4/0x320
[ 25.839975]  ? __mutex_lock+0x16f/0x1a80
[ 25.844006]  ? ep_free+0xf4/0x320
[ 25.847442]  ? print_irqtrace_events+0x270/0x270
[ 25.852177]  ? ep_free+0xf4/0x320
[ 25.855614]  lock_acquire+0x1d5/0x580
[ 25.859383]  ? lock_acquire+0x1d5/0x580
[ 25.863326]  ? remove_wait_queue+0x81/0x350
[ 25.867619]  ? lock_release+0xa40/0xa40
[ 25.871563]  ? lock_acquire+0x1d5/0x580
[ 25.875507]  ? debug_check_no_locks_freed+0x3c0/0x3c0
[ 25.880666]  ? lock_acquire+0x1d5/0x580
[ 25.884611]  ? ep_unregister_pollwait.isra.7+0x323/0x590
[ 25.890035]  _raw_spin_lock_irqsave+0x96/0xc0
[ 25.894507]  ? remove_wait_queue+0x81/0x350
[ 25.898801]  remove_wait_queue+0x81/0x350
[ 25.902920]  ? rcutorture_record_progress+0x10/0x10
[ 25.907906]  ? add_wait_queue+0x290/0x290
[ 25.912025]  ? rcutorture_record_progress+0x10/0x10
[ 25.917029]  ? is_bpf_text_address+0xa4/0x120
[ 25.921494]  ep_unregister_pollwait.isra.7+0x18c/0x590
[ 25.926740]  ? unwind_get_return_address+0x61/0xa0
[ 25.931639]  ? clear_tfile_check_list+0x370/0x370
[ 25.936458]  ? locks_remove_file+0x3fa/0x5a0
[ 25.940835]  ep_free+0x13f/0x320
[ 25.944169]  ? ep_remove+0x800/0x800
[ 25.947850]  ? fsnotify_first_mark+0x2b0/0x2b0
[ 25.952407]  ? ep_free+0x320/0x320
[ 25.955918]  ep_eventpoll_release+0x44/0x60
[ 25.960209]  __fput+0x327/0x7e0
[ 25.963456]  ? fput+0x140/0x140
[ 25.966716]  ? _raw_spin_unlock_irq+0x27/0x70
[ 25.971182]  ____fput+0x15/0x20
[ 25.974437]  task_work_run+0x199/0x270
[ 25.978293]  ? task_work_cancel+0x210/0x210
[ 25.982584]  ? _raw_spin_unlock+0x22/0x30
[ 25.986703]  ? switch_task_namespaces+0x87/0xc0
[ 25.991341]  do_exit+0x9bb/0x1ad0
[ 25.994762]  ? trace_hardirqs_on_caller+0x421/0x5c0
[ 25.999748]  ? mm_update_next_owner+0x930/0x930
[ 26.004387]  ? avc_has_extended_perms+0x7fa/0x12c0
[ 26.009285]  ? __might_sleep+0x74/0x190
[ 26.013227]  ? avc_ss_reset+0x110/0x110
[ 26.017167]  ? mutex_unlock+0xd/0x10
[ 26.020847]  ? SyS_epoll_ctl+0x30a/0x1a80
[ 26.024965]  ? SyS_epoll_create+0x240/0x240
[ 26.029256]  ? find_held_lock+0x35/0x1d0
[ 26.033293]  ? rcu_note_context_switch+0x710/0x710
[ 26.038192]  ? __do_page_fault+0x5f7/0xc90
[ 26.042397]  ? ppp_unregister_channel+0x660/0x660
[ 26.047208]  ? do_vfs_ioctl+0x486/0x1520
[ 26.051240]  ? ioctl_preallocate+0x2b0/0x2b0
[ 26.055618]  ? selinux_capable+0x40/0x40
[ 26.059648]  ? up_read+0x1a/0x40
[ 26.062987]  do_group_exit+0x149/0x400
[ 26.066844]  ? SyS_exit+0x30/0x30
[ 26.070264]  ? security_file_ioctl+0x7d/0xb0
[ 26.074640]  ? security_file_ioctl+0x89/0xb0
[ 26.079022]  ? do_syscall_64+0xb6/0x940
[ 26.082966]  ? do_group_exit+0x400/0x400
[ 26.086993]  SyS_exit_group+0x1d/0x20
[ 26.090763]  do_syscall_64+0x280/0x940
[ 26.094618]  ? __do_page_fault+0xc90/0xc90
[ 26.098820]  ? trace_event_raw_event_sys_exit+0x260/0x260
[ 26.104333]  ? syscall_return_slowpath+0x550/0x550
[ 26.109229]  ? syscall_return_slowpath+0x2ac/0x550
[ 26.114130]  ? entry_SYSCALL_64_after_hwframe+0x52/0xb7
[ 26.119461]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 26.124271]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 26.129425] RIP: 0033:0x43e958
[ 26.132584] RSP: 002b:00007ffe8dfef598 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
[ 26.140263] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 000000000043e958
[ 26.147500] RDX: 0000000000000000 RSI: 000000000000003c RDI: 0000000000000000
[ 26.154740] RBP: 00000000004be300 R08: 00000000000000e7 R09: ffffffffffffffd0
[ 26.161985] R10: 00000000004002c8 R11: 0000000000000246 R12: 0000000000000001
[ 26.169230] R13: 00000000006cc160 R14: 0000000000000000 R15: 0000000000000000
[ 26.176470]
[ 26.178069] Allocated by task 4176:
[ 26.181669]  save_stack+0x43/0xd0
[ 26.185090]  kasan_kmalloc+0xad/0xe0
[ 26.188776]  __kmalloc_node+0x47/0x70
[ 26.192543]  kvmalloc_node+0x99/0xd0
[ 26.196229]  alloc_netdev_mqs+0x16d/0xfb0
[ 26.200344]  ppp_ioctl+0x1715/0x2a50
[ 26.204031]  do_vfs_ioctl+0x1b1/0x1520
[ 26.207886]  SyS_ioctl+0x8f/0xc0
[ 26.211220]  do_syscall_64+0x280/0x940
[ 26.215076]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 26.220227]
[ 26.221821] Freed by task 4176:
[ 26.225071]  save_stack+0x43/0xd0
[ 26.228504]  __kasan_slab_free+0x11a/0x170
[ 26.232705]  kasan_slab_free+0xe/0x10
[ 26.236473]  kfree+0xd9/0x260
[ 26.239545]  kvfree+0x36/0x60
[ 26.242620]  netdev_freemem+0x4c/0x60
[ 26.246386]  netdev_release+0x10a/0x160
[ 26.250328]  device_release+0x7c/0x210
[ 26.254182]  kobject_put+0x14c/0x250
[ 26.257861]  put_device+0x20/0x30
[ 26.261284]  free_netdev+0x2f5/0x400
[ 26.264968]  ppp_destroy_interface+0x2bc/0x390
[ 26.269521]  ppp_release+0x12b/0x1a0
[ 26.273202]  ppp_ioctl+0x3b1/0x2a50
[ 26.276796]  do_vfs_ioctl+0x1b1/0x1520
[ 26.280653]  SyS_ioctl+0x8f/0xc0
[ 26.283988]  do_syscall_64+0x280/0x940
[ 26.287845]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 26.292997]
[ 26.294603] The buggy address belongs to the object at ffff8801adc96b40
[ 26.294603]  which belongs to the cache kmalloc-4096 of size 4096
[ 26.307402] The buggy address is located 2944 bytes inside of
[ 26.307402]  4096-byte region [ffff8801adc96b40, ffff8801adc97b40)
[ 26.319423] The buggy address belongs to the page:
[ 26.324322] page:ffffea0006b72580 count:1 mapcount:0 mapping:ffff8801adc96b40 index:0x0 compound_mapcount: 0
[ 26.334264] flags: 0x2fffc0000008100(slab|head)
[ 26.338901] raw: 02fffc0000008100 ffff8801adc96b40 0000000000000000 0000000100000001
[ 26.346750] raw: ffffea0006cee820 ffffea0006c71ea0 ffff8801db000dc0 0000000000000000
[ 26.354602] page dumped because: kasan: bad access detected
[ 26.360278]
[ 26.361872] Memory state around the buggy address:
[ 26.366773]  ffff8801adc97580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 26.374098]  ffff8801adc97600: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 26.381425] >ffff8801adc97680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 26.388751]                                            ^
[ 26.394170]  ffff8801adc97700: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 26.401495]  ffff8801adc97780: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 26.408820] ==================================================================
[ 26.416150] Disabling lock debugging due to kernel taint
[ 26.421569] Kernel panic - not syncing: panic_on_warn set ...
[ 26.421569]
[ 26.428904] CPU: 1 PID: 4176 Comm: syzkaller526503 Tainted: G B 4.16.0-rc2+ #323
[ 26.437618] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 26.446941] Call Trace:
[ 26.449498]  dump_stack+0x194/0x257
[ 26.453093]  ? arch_local_irq_restore+0x53/0x53
[ 26.457729]  ? kasan_end_report+0x32/0x50
[ 26.461847]  ? lock_downgrade+0x980/0x980
[ 26.465964]  ? vsnprintf+0x1ed/0x1900
[ 26.469732]  ? __lock_acquire+0x3cf0/0x3e00
[ 26.474024]  panic+0x1e4/0x41c
[ 26.477189]  ? refcount_error_report+0x214/0x214
[ 26.481913]  ? add_taint+0x40/0x50
[ 26.485421]  ? add_taint+0x1c/0x50
[ 26.488933]  ? __lock_acquire+0x3d4d/0x3e00
[ 26.493222]  kasan_end_report+0x50/0x50
[ 26.497165]  kasan_report+0x148/0x360
[ 26.500933]  __asan_report_load8_noabort+0x14/0x20
[ 26.505828]  __lock_acquire+0x3d4d/0x3e00
[ 26.509944]  ? remove_wait_queue+0x81/0x350
[ 26.514234]  ? debug_check_no_locks_freed+0x3c0/0x3c0
[ 26.519393]  ? __lock_acquire+0x664/0x3e00
[ 26.523594]  ? lock_downgrade+0x980/0x980
[ 26.527718]  ? debug_check_no_locks_freed+0x3c0/0x3c0
[ 26.532875]  ? lock_acquire+0x1d5/0x580
[ 26.536818]  ? lock_acquire+0x1d5/0x580
[ 26.540759]  ? ep_free+0xf4/0x320
[ 26.544184]  ? lock_release+0xa40/0xa40
[ 26.548126]  ? trace_event_raw_event_sched_switch+0x810/0x810
[ 26.553977]  ? check_noncircular+0x20/0x20
[ 26.558179]  ? print_irqtrace_events+0x270/0x270
[ 26.562903]  ? rcu_note_context_switch+0x710/0x710
[ 26.567803]  ? __might_sleep+0x95/0x190
[ 26.571764]  ? ep_free+0xf4/0x320
[ 26.575188]  ? __mutex_lock+0x16f/0x1a80
[ 26.579222]  ? ep_free+0xf4/0x320
[ 26.582648]  ? print_irqtrace_events+0x270/0x270
[ 26.587371]  ? ep_free+0xf4/0x320
[ 26.590795]  lock_acquire+0x1d5/0x580
[ 26.594566]  ? lock_acquire+0x1d5/0x580
[ 26.598507]  ? remove_wait_queue+0x81/0x350
[ 26.602797]  ? lock_release+0xa40/0xa40
[ 26.606743]  ? lock_acquire+0x1d5/0x580
[ 26.610683]  ? debug_check_no_locks_freed+0x3c0/0x3c0
[ 26.615838]  ? lock_acquire+0x1d5/0x580
[ 26.619782]  ? ep_unregister_pollwait.isra.7+0x323/0x590
[ 26.625207]  _raw_spin_lock_irqsave+0x96/0xc0
[ 26.629682]  ? remove_wait_queue+0x81/0x350
[ 26.633981]  remove_wait_queue+0x81/0x350
[ 26.638103]  ? rcutorture_record_progress+0x10/0x10
[ 26.643087]  ? add_wait_queue+0x290/0x290
[ 26.647202]  ? rcutorture_record_progress+0x10/0x10
[ 26.652185]  ? is_bpf_text_address+0xa4/0x120
[ 26.656649]  ep_unregister_pollwait.isra.7+0x18c/0x590
[ 26.661894]  ? unwind_get_return_address+0x61/0xa0
[ 26.666794]  ? clear_tfile_check_list+0x370/0x370
[ 26.671608]  ? locks_remove_file+0x3fa/0x5a0
[ 26.675985]  ep_free+0x13f/0x320
[ 26.679317]  ? ep_remove+0x800/0x800
[ 26.682999]  ? fsnotify_first_mark+0x2b0/0x2b0
[ 26.687560]  ? ep_free+0x320/0x320
[ 26.691068]  ep_eventpoll_release+0x44/0x60
[ 26.695355]  __fput+0x327/0x7e0
[ 26.698605]  ? fput+0x140/0x140
[ 26.701856]  ? _raw_spin_unlock_irq+0x27/0x70
[ 26.706326]  ____fput+0x15/0x20
[ 26.709572]  task_work_run+0x199/0x270
[ 26.713425]  ? task_work_cancel+0x210/0x210
[ 26.717714]  ? _raw_spin_unlock+0x22/0x30
[ 26.721828]  ? switch_task_namespaces+0x87/0xc0
[ 26.726465]  do_exit+0x9bb/0x1ad0
[ 26.729887]  ? trace_hardirqs_on_caller+0x421/0x5c0
[ 26.734872]  ? mm_update_next_owner+0x930/0x930
[ 26.739509]  ? avc_has_extended_perms+0x7fa/0x12c0
[ 26.744406]  ? __might_sleep+0x74/0x190
[ 26.748348]  ? avc_ss_reset+0x110/0x110
[ 26.752288]  ? mutex_unlock+0xd/0x10
[ 26.755968]  ? SyS_epoll_ctl+0x30a/0x1a80
[ 26.760085]  ? SyS_epoll_create+0x240/0x240
[ 26.764381]  ? find_held_lock+0x35/0x1d0
[ 26.768416]  ? rcu_note_context_switch+0x710/0x710
[ 26.773313]  ? __do_page_fault+0x5f7/0xc90
[ 26.777517]  ? ppp_unregister_channel+0x660/0x660
[ 26.782327]  ? do_vfs_ioctl+0x486/0x1520
[ 26.786358]  ? ioctl_preallocate+0x2b0/0x2b0
[ 26.790736]  ? selinux_capable+0x40/0x40
[ 26.794767]  ? up_read+0x1a/0x40
[ 26.798113]  do_group_exit+0x149/0x400
[ 26.801974]  ? SyS_exit+0x30/0x30
[ 26.805406]  ? security_file_ioctl+0x7d/0xb0
[ 26.809780]  ? security_file_ioctl+0x89/0xb0
[ 26.814159]  ? do_syscall_64+0xb6/0x940
[ 26.818104]  ? do_group_exit+0x400/0x400
[ 26.822131]  SyS_exit_group+0x1d/0x20
[ 26.825898]  do_syscall_64+0x280/0x940
[ 26.829755]  ? __do_page_fault+0xc90/0xc90
[ 26.833957]  ? trace_event_raw_event_sys_exit+0x260/0x260
[ 26.839461]  ? syscall_return_slowpath+0x550/0x550
[ 26.844357]  ? syscall_return_slowpath+0x2ac/0x550
[ 26.849258]  ? entry_SYSCALL_64_after_hwframe+0x52/0xb7
[ 26.854589]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 26.859399]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 26.864560] RIP: 0033:0x43e958
[ 26.867717] RSP: 002b:00007ffe8dfef598 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
[ 26.875392] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 000000000043e958
[ 26.882631] RDX: 0000000000000000 RSI: 000000000000003c RDI: 0000000000000000
[ 26.889868] RBP: 00000000004be300 R08: 00000000000000e7 R09: ffffffffffffffd0
[ 26.897104] R10: 00000000004002c8 R11: 0000000000000246 R12: 0000000000000001
[ 26.904341] R13: 00000000006cc160 R14: 0000000000000000 R15: 0000000000000000
[ 26.912009] Dumping ftrace buffer:
[ 26.915528]    (ftrace buffer empty)
[ 26.919212] Kernel Offset: disabled
[ 26.922806] Rebooting in 86400 seconds..