[....] Starting enhanced syslogd: rsyslogd[ 14.057774] audit: type=1400 audit(1516782284.729:5): avc: denied { syslog } for pid=3504 comm="rsyslogd" capability=34 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=capability2 permissive=1 [ ok ]. Starting mcstransd: [....] Starting periodic command scheduler: cron[ ok ]. [....] Starting file context maintaining daemon: restorecond[ ok ]. [....] Starting OpenBSD Secure Shell server: sshd[ ok ]. Debian GNU/Linux 7 syzkaller ttyS0 syzkaller login: [ 18.426772] audit: type=1400 audit(1516782289.098:6): avc: denied { map } for pid=3643 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1 Warning: Permanently added '10.128.0.18' (ECDSA) to the list of known hosts. [ 24.694394] audit: type=1400 audit(1516782295.366:7): avc: denied { map } for pid=3658 comm="syz-execprog" path="/root/syz-execprog" dev="sda1" ino=16479 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1 2018/01/24 08:24:55 parsed 1 programs 2018/01/24 08:24:55 executed programs: 0 [ 24.915414] audit: type=1400 audit(1516782295.587:8): avc: denied { map } for pid=3658 comm="syz-execprog" path="/root/syzkaller-shm255388044" dev="sda1" ino=16482 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:file_t:s0 tclass=file permissive=1 [ 24.947070] audit: type=1400 audit(1516782295.618:9): avc: denied { sys_admin } for pid=3663 comm="syz-executor0" capability=21 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=cap_userns permissive=1 [ 25.133432] audit: type=1400 audit(1516782295.805:10): avc: denied { sys_chroot } for pid=3666 comm="syz-executor0" capability=18 
scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=cap_userns permissive=1 [ 26.112380] ================================================================== [ 26.119815] BUG: KASAN: use-after-free in __lock_acquire+0x3d4d/0x3e00 [ 26.126481] Read of size 8 at addr ffff8801d7fdd3a0 by task syz-executor6/3843 [ 26.133825] [ 26.135473] CPU: 1 PID: 3843 Comm: syz-executor6 Not tainted 4.15.0-rc9+ #187 [ 26.142750] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 26.152100] Call Trace: [ 26.154691] dump_stack+0x194/0x257 [ 26.158324] ? arch_local_irq_restore+0x53/0x53 [ 26.162994] ? show_regs_print_info+0x18/0x18 [ 26.167488] ? check_noncircular+0x20/0x20 [ 26.171718] ? __lock_acquire+0x3d4d/0x3e00 [ 26.176038] print_address_description+0x73/0x250 [ 26.180876] ? __lock_acquire+0x3d4d/0x3e00 [ 26.185190] kasan_report+0x25b/0x340 [ 26.188994] __asan_report_load8_noabort+0x14/0x20 [ 26.193913] __lock_acquire+0x3d4d/0x3e00 [ 26.198043] ? check_noncircular+0x20/0x20 [ 26.202265] ? remove_wait_queue+0x81/0x350 [ 26.206576] ? debug_check_no_locks_freed+0x3c0/0x3c0 [ 26.211741] ? lock_downgrade+0x980/0x980 [ 26.215872] ? __schedule+0x2060/0x2060 [ 26.219833] ? find_held_lock+0x35/0x1d0 [ 26.223870] ? wait_for_completion+0xe0/0x770 [ 26.228339] ? lock_downgrade+0x980/0x980 [ 26.232461] ? lock_release+0xa40/0xa40 [ 26.236414] ? usleep_range+0x190/0x190 [ 26.240371] ? trace_event_raw_event_sched_switch+0x800/0x800 [ 26.246234] ? kasan_slab_free+0x71/0xc0 [ 26.250274] ? do_raw_spin_trylock+0x190/0x190 [ 26.254830] ? _raw_spin_unlock_irq+0x27/0x70 [ 26.259304] ? trace_hardirqs_on_caller+0x421/0x5c0 [ 26.264299] ? trace_hardirqs_on+0xd/0x10 [ 26.268421] ? _raw_spin_unlock_irq+0x27/0x70 [ 26.272888] ? wait_for_completion+0xe0/0x770 [ 26.277357] ? wait_for_completion_interruptible+0x7e0/0x7e0 [ 26.283128] ? __lockdep_init_map+0xe4/0x650 [ 26.287511] ? 
llist_add_batch+0xf3/0x180 [ 26.291633] lock_acquire+0x1d5/0x580 [ 26.295415] ? lock_acquire+0x1d5/0x580 [ 26.299373] ? remove_wait_queue+0x81/0x350 [ 26.303674] ? wake_up_process+0x10/0x20 [ 26.307714] ? lock_release+0xa40/0xa40 [ 26.311673] ? vhost_work_queue+0xc0/0xc0 [ 26.315805] ? vhost_poll_stop+0x90/0x90 [ 26.319869] ? wait_for_completion+0x770/0x770 [ 26.324447] _raw_spin_lock_irqsave+0x96/0xc0 [ 26.328922] ? remove_wait_queue+0x81/0x350 [ 26.333232] remove_wait_queue+0x81/0x350 [ 26.337359] ? add_wait_queue+0x290/0x290 [ 26.341483] ? vhost_poll_flush+0x3f/0x60 [ 26.345608] ? vhost_net_flush+0x209/0x2a0 [ 26.349827] vhost_dev_stop+0x15c/0x2a0 [ 26.353783] ? vhost_net_compat_ioctl+0x30/0x30 [ 26.358440] vhost_net_release+0x6e/0x190 [ 26.362569] __fput+0x327/0x7e0 [ 26.365838] ? fput+0x140/0x140 [ 26.369098] ? trace_event_raw_event_sched_switch+0x800/0x800 [ 26.374973] ? _raw_spin_unlock_irq+0x27/0x70 [ 26.379448] ____fput+0x15/0x20 [ 26.382715] task_work_run+0x199/0x270 [ 26.386577] ? task_work_cancel+0x210/0x210 [ 26.390884] ? _raw_spin_unlock+0x22/0x30 [ 26.395004] ? switch_task_namespaces+0x87/0xc0 [ 26.399657] do_exit+0x9bb/0x1ad0 [ 26.403086] ? find_held_lock+0x35/0x1d0 [ 26.407132] ? mm_update_next_owner+0x930/0x930 [ 26.411773] ? debug_check_no_locks_freed+0x3c0/0x3c0 [ 26.416935] ? lock_downgrade+0x980/0x980 [ 26.421059] ? __unqueue_futex+0x1c0/0x290 [ 26.425265] ? lock_release+0xa40/0xa40 [ 26.429219] ? fault_in_user_writeable+0x90/0x90 [ 26.433958] ? do_raw_spin_trylock+0x190/0x190 [ 26.438536] ? futex_wake+0x680/0x680 [ 26.442317] ? drop_futex_key_refs.isra.12+0x63/0xb0 [ 26.447410] ? futex_wait+0x6a9/0x9a0 [ 26.451369] ? check_noncircular+0x20/0x20 [ 26.455577] ? switched_to_fair+0xb0/0xb0 [ 26.459702] ? __enqueue_entity+0x109/0x1e0 [ 26.464001] ? find_held_lock+0x35/0x1d0 [ 26.468049] ? get_signal+0x7ae/0x16c0 [ 26.471910] ? lock_downgrade+0x980/0x980 [ 26.476040] do_group_exit+0x149/0x400 [ 26.479907] ? 
do_raw_spin_trylock+0x190/0x190 [ 26.484471] ? SyS_exit+0x30/0x30 [ 26.487900] ? _raw_spin_unlock_irq+0x27/0x70 [ 26.492369] ? trace_hardirqs_on_caller+0x421/0x5c0 [ 26.497367] get_signal+0x73f/0x16c0 [ 26.501065] ? ptrace_notify+0x130/0x130 [ 26.505102] ? __schedule+0x8f3/0x2060 [ 26.508973] ? __sched_text_start+0x8/0x8 [ 26.513112] do_signal+0x90/0x1eb0 [ 26.516625] ? lock_downgrade+0x980/0x980 [ 26.520745] ? setup_sigcontext+0x7d0/0x7d0 [ 26.525045] ? schedule+0xf5/0x430 [ 26.528560] ? __schedule+0x2060/0x2060 [ 26.532508] ? get_unused_fd_flags+0x190/0x190 [ 26.537068] ? compat_SyS_epoll_pwait+0x4f0/0x4f0 [ 26.541886] ? __init_waitqueue_head+0x97/0x140 [ 26.546531] ? exit_to_usermode_loop+0x8c/0x310 [ 26.551186] exit_to_usermode_loop+0x214/0x310 [ 26.555748] ? trace_event_raw_event_sys_exit+0x260/0x260 [ 26.561259] ? do_fast_syscall_32+0x156/0xf9d [ 26.565744] do_fast_syscall_32+0xbfd/0xf9d [ 26.570045] ? do_raw_spin_trylock+0x190/0x190 [ 26.574609] ? do_int80_syscall_32+0x9d0/0x9d0 [ 26.579175] ? syscall_return_slowpath+0x2ad/0x550 [ 26.584082] ? prepare_exit_to_usermode+0x340/0x340 [ 26.589078] ? sysret32_from_system_call+0x5/0x3b [ 26.593902] ? 
trace_hardirqs_off_thunk+0x1a/0x1c [ 26.598726] entry_SYSENTER_compat+0x54/0x63 [ 26.603126] RIP: 0023:0xf7f0ac79 [ 26.606479] RSP: 002b:00000000f7ec410c EFLAGS: 00000296 ORIG_RAX: 00000000000000f0 [ 26.614159] RAX: fffffffffffffe00 RBX: 000000000813b014 RCX: 0000000000000000 [ 26.621402] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000 [ 26.628646] RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000 [ 26.635891] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000 [ 26.643135] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000 [ 26.650480] [ 26.652083] Allocated by task 3839: [ 26.655700] save_stack+0x43/0xd0 [ 26.659123] kasan_kmalloc+0xad/0xe0 [ 26.662809] kmem_cache_alloc_trace+0x136/0x750 [ 26.667453] eventfd_file_create.part.3+0x96/0x250 [ 26.672360] SyS_eventfd+0x2c/0x80 [ 26.675874] do_fast_syscall_32+0x3ee/0xf9d [ 26.680170] entry_SYSENTER_compat+0x54/0x63 [ 26.684556] [ 26.686156] Freed by task 3843: [ 26.689407] save_stack+0x43/0xd0 [ 26.692840] kasan_slab_free+0x71/0xc0 [ 26.696697] kfree+0xd6/0x260 [ 26.699773] eventfd_ctx_put+0x26/0x30 [ 26.703628] eventfd_release+0x52/0x60 [ 26.707486] __fput+0x327/0x7e0 [ 26.710735] ____fput+0x15/0x20 [ 26.713989] task_work_run+0x199/0x270 [ 26.717852] do_exit+0x9bb/0x1ad0 [ 26.721277] do_group_exit+0x149/0x400 [ 26.725134] get_signal+0x73f/0x16c0 [ 26.728818] do_signal+0x90/0x1eb0 [ 26.732331] exit_to_usermode_loop+0x214/0x310 [ 26.736883] do_fast_syscall_32+0xbfd/0xf9d [ 26.741180] entry_SYSENTER_compat+0x54/0x63 [ 26.745555] [ 26.747157] The buggy address belongs to the object at ffff8801d7fdd380 [ 26.747157] which belongs to the cache kmalloc-96 of size 96 [ 26.759610] The buggy address is located 32 bytes inside of [ 26.759610] 96-byte region [ffff8801d7fdd380, ffff8801d7fdd3e0) [ 26.771276] The buggy address belongs to the page: [ 26.776175] page:ffffea00075ff740 count:1 mapcount:0 mapping:ffff8801d7fdd000 index:0x0 [ 26.784288] flags: 
0x2fffc0000000100(slab) [ 26.788495] raw: 02fffc0000000100 ffff8801d7fdd000 0000000000000000 0000000100000020 [ 26.796347] raw: ffffea0007575520 ffffea00075ff920 ffff8801dac004c0 0000000000000000 [ 26.804194] page dumped because: kasan: bad access detected [ 26.809872] [ 26.811467] Memory state around the buggy address: [ 26.816366] ffff8801d7fdd280: fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc [ 26.823694] ffff8801d7fdd300: fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc [ 26.831029] >ffff8801d7fdd380: fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc [ 26.838358] ^ [ 26.842735] ffff8801d7fdd400: fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc [ 26.850065] ffff8801d7fdd480: fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc [ 26.857391] ================================================================== [ 26.864721] Disabling lock debugging due to kernel taint [ 26.870141] Kernel panic - not syncing: panic_on_warn set ... [ 26.870141] [ 26.877477] CPU: 1 PID: 3843 Comm: syz-executor6 Tainted: G B 4.15.0-rc9+ #187 [ 26.886024] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 26.895358] Call Trace: [ 26.897927] dump_stack+0x194/0x257 [ 26.901525] ? arch_local_irq_restore+0x53/0x53 [ 26.906167] ? kasan_end_report+0x32/0x50 [ 26.910291] ? lock_downgrade+0x980/0x980 [ 26.914408] ? vsnprintf+0x1ed/0x1900 [ 26.918179] ? __lock_acquire+0x3ca0/0x3e00 [ 26.922473] panic+0x1e4/0x41c [ 26.925635] ? refcount_error_report+0x214/0x214 [ 26.930370] ? add_taint+0x40/0x50 [ 26.933881] ? add_taint+0x1c/0x50 [ 26.937391] ? __lock_acquire+0x3d4d/0x3e00 [ 26.941683] kasan_end_report+0x50/0x50 [ 26.945627] kasan_report+0x144/0x340 [ 26.949402] __asan_report_load8_noabort+0x14/0x20 [ 26.954302] __lock_acquire+0x3d4d/0x3e00 [ 26.958436] ? check_noncircular+0x20/0x20 [ 26.962644] ? remove_wait_queue+0x81/0x350 [ 26.966936] ? debug_check_no_locks_freed+0x3c0/0x3c0 [ 26.972094] ? lock_downgrade+0x980/0x980 [ 26.976213] ? 
__schedule+0x2060/0x2060 [ 26.980160] ? find_held_lock+0x35/0x1d0 [ 26.984204] ? wait_for_completion+0xe0/0x770 [ 26.988670] ? lock_downgrade+0x980/0x980 [ 26.992790] ? lock_release+0xa40/0xa40 [ 26.996735] ? usleep_range+0x190/0x190 [ 27.000682] ? trace_event_raw_event_sched_switch+0x800/0x800 [ 27.006541] ? kasan_slab_free+0x71/0xc0 [ 27.010574] ? do_raw_spin_trylock+0x190/0x190 [ 27.015128] ? _raw_spin_unlock_irq+0x27/0x70 [ 27.019603] ? trace_hardirqs_on_caller+0x421/0x5c0 [ 27.024589] ? trace_hardirqs_on+0xd/0x10 [ 27.028706] ? _raw_spin_unlock_irq+0x27/0x70 [ 27.033172] ? wait_for_completion+0xe0/0x770 [ 27.037638] ? wait_for_completion_interruptible+0x7e0/0x7e0 [ 27.043419] ? __lockdep_init_map+0xe4/0x650 [ 27.047800] ? llist_add_batch+0xf3/0x180 [ 27.051928] lock_acquire+0x1d5/0x580 [ 27.055708] ? lock_acquire+0x1d5/0x580 [ 27.059651] ? remove_wait_queue+0x81/0x350 [ 27.063944] ? wake_up_process+0x10/0x20 [ 27.067977] ? lock_release+0xa40/0xa40 [ 27.071924] ? vhost_work_queue+0xc0/0xc0 [ 27.076043] ? vhost_poll_stop+0x90/0x90 [ 27.080075] ? wait_for_completion+0x770/0x770 [ 27.084635] _raw_spin_lock_irqsave+0x96/0xc0 [ 27.089110] ? remove_wait_queue+0x81/0x350 [ 27.093400] remove_wait_queue+0x81/0x350 [ 27.097517] ? add_wait_queue+0x290/0x290 [ 27.101647] ? vhost_poll_flush+0x3f/0x60 [ 27.105767] ? vhost_net_flush+0x209/0x2a0 [ 27.109971] vhost_dev_stop+0x15c/0x2a0 [ 27.113916] ? vhost_net_compat_ioctl+0x30/0x30 [ 27.118563] vhost_net_release+0x6e/0x190 [ 27.122684] __fput+0x327/0x7e0 [ 27.125944] ? fput+0x140/0x140 [ 27.129194] ? trace_event_raw_event_sched_switch+0x800/0x800 [ 27.135052] ? _raw_spin_unlock_irq+0x27/0x70 [ 27.139520] ____fput+0x15/0x20 [ 27.142781] task_work_run+0x199/0x270 [ 27.146638] ? task_work_cancel+0x210/0x210 [ 27.150931] ? _raw_spin_unlock+0x22/0x30 [ 27.155050] ? switch_task_namespaces+0x87/0xc0 [ 27.159692] do_exit+0x9bb/0x1ad0 [ 27.163119] ? find_held_lock+0x35/0x1d0 [ 27.167163] ? 
mm_update_next_owner+0x930/0x930 [ 27.171806] ? debug_check_no_locks_freed+0x3c0/0x3c0 [ 27.176967] ? lock_downgrade+0x980/0x980 [ 27.181093] ? __unqueue_futex+0x1c0/0x290 [ 27.185306] ? lock_release+0xa40/0xa40 [ 27.189251] ? fault_in_user_writeable+0x90/0x90 [ 27.193980] ? do_raw_spin_trylock+0x190/0x190 [ 27.198547] ? futex_wake+0x680/0x680 [ 27.202328] ? drop_futex_key_refs.isra.12+0x63/0xb0 [ 27.207403] ? futex_wait+0x6a9/0x9a0 [ 27.211197] ? check_noncircular+0x20/0x20 [ 27.215402] ? switched_to_fair+0xb0/0xb0 [ 27.219521] ? __enqueue_entity+0x109/0x1e0 [ 27.223826] ? find_held_lock+0x35/0x1d0 [ 27.227860] ? get_signal+0x7ae/0x16c0 [ 27.231716] ? lock_downgrade+0x980/0x980 [ 27.235836] do_group_exit+0x149/0x400 [ 27.239694] ? do_raw_spin_trylock+0x190/0x190 [ 27.244245] ? SyS_exit+0x30/0x30 [ 27.247673] ? _raw_spin_unlock_irq+0x27/0x70 [ 27.252136] ? trace_hardirqs_on_caller+0x421/0x5c0 [ 27.257122] get_signal+0x73f/0x16c0 [ 27.260806] ? ptrace_notify+0x130/0x130 [ 27.264838] ? __schedule+0x8f3/0x2060 [ 27.268698] ? __sched_text_start+0x8/0x8 [ 27.272821] do_signal+0x90/0x1eb0 [ 27.276332] ? lock_downgrade+0x980/0x980 [ 27.280459] ? setup_sigcontext+0x7d0/0x7d0 [ 27.284753] ? schedule+0xf5/0x430 [ 27.288270] ? __schedule+0x2060/0x2060 [ 27.292225] ? get_unused_fd_flags+0x190/0x190 [ 27.296789] ? compat_SyS_epoll_pwait+0x4f0/0x4f0 [ 27.301612] ? __init_waitqueue_head+0x97/0x140 [ 27.306259] ? exit_to_usermode_loop+0x8c/0x310 [ 27.310907] exit_to_usermode_loop+0x214/0x310 [ 27.315471] ? trace_event_raw_event_sys_exit+0x260/0x260 [ 27.320981] ? do_fast_syscall_32+0x156/0xf9d [ 27.325456] do_fast_syscall_32+0xbfd/0xf9d [ 27.329759] ? do_raw_spin_trylock+0x190/0x190 [ 27.334311] ? do_int80_syscall_32+0x9d0/0x9d0 [ 27.338864] ? syscall_return_slowpath+0x2ad/0x550 [ 27.343762] ? prepare_exit_to_usermode+0x340/0x340 [ 27.348750] ? sysret32_from_system_call+0x5/0x3b [ 27.353563] ? 
trace_hardirqs_off_thunk+0x1a/0x1c [ 27.358374] entry_SYSENTER_compat+0x54/0x63 [ 27.362753] RIP: 0023:0xf7f0ac79 [ 27.366107] RSP: 002b:00000000f7ec410c EFLAGS: 00000296 ORIG_RAX: 00000000000000f0 [ 27.373784] RAX: fffffffffffffe00 RBX: 000000000813b014 RCX: 0000000000000000 [ 27.381031] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000 [ 27.388273] RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000 [ 27.395513] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000 [ 27.402753] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000 [ 27.410478] Dumping ftrace buffer: [ 27.413997] (ftrace buffer empty) [ 27.417677] Kernel Offset: disabled [ 27.421273] Rebooting in 86400 seconds..