[....] Starting enhanced syslogd: rsyslogd[ 12.723771] audit: type=1400 audit(1517027887.701:5): avc: denied { syslog } for pid=3496 comm="rsyslogd" capability=34 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=capability2 permissive=1 [ ok ]. [....] Starting periodic command scheduler: cron[ ok ]. Starting mcstransd: [....] Starting file context maintaining daemon: restorecond[ ok ]. [....] Starting OpenBSD Secure Shell server: sshd[ ok ]. Debian GNU/Linux 7 syzkaller ttyS0 syzkaller login: [ 17.727242] audit: type=1400 audit(1517027892.704:6): avc: denied { map } for pid=3636 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1 Warning: Permanently added '10.128.0.55' (ECDSA) to the list of known hosts. executing program [ 26.447231] audit: type=1400 audit(1517027901.425:7): avc: denied { map } for pid=3650 comm="syzkaller695028" path="/root/syzkaller695028620" dev="sda1" ino=16481 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1 [ 26.452253] ================================================================== [ 26.452266] BUG: KASAN: use-after-free in __lock_acquire+0x3d4d/0x3e00 [ 26.452272] Read of size 8 at addr ffff8801bd604db0 by task syzkaller695028/3650 [ 26.452273] [ 26.452280] CPU: 1 PID: 3650 Comm: syzkaller695028 Not tainted 4.15.0-rc9+ #192 [ 26.452283] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 26.452285] Call Trace: [ 26.452296] dump_stack+0x194/0x257 [ 26.452304] ? arch_local_irq_restore+0x53/0x53 [ 26.452312] ? show_regs_print_info+0x18/0x18 [ 26.452318] ? print_irqtrace_events+0x270/0x270 [ 26.452324] ? __lock_acquire+0x664/0x3e00 [ 26.452331] ? 
__lock_acquire+0x3d4d/0x3e00 [ 26.452340] print_address_description+0x73/0x250 [ 26.452346] ? __lock_acquire+0x3d4d/0x3e00 [ 26.452353] kasan_report+0x25b/0x340 [ 26.452361] __asan_report_load8_noabort+0x14/0x20 [ 26.452367] __lock_acquire+0x3d4d/0x3e00 [ 26.452372] ? __lock_acquire+0x664/0x3e00 [ 26.452378] ? lock_downgrade+0x980/0x980 [ 26.452384] ? lock_downgrade+0x980/0x980 [ 26.452390] ? print_irqtrace_events+0x270/0x270 [ 26.452397] ? remove_wait_queue+0x81/0x350 [ 26.452406] ? debug_check_no_locks_freed+0x3c0/0x3c0 [ 26.452413] ? __lock_acquire+0x664/0x3e00 [ 26.452418] ? check_noncircular+0x20/0x20 [ 26.452430] ? debug_check_no_locks_freed+0x3c0/0x3c0 [ 26.452438] ? lock_acquire+0x1d5/0x580 [ 26.452443] ? lock_acquire+0x1d5/0x580 [ 26.452450] ? ep_free+0xf4/0x320 [ 26.452458] ? lock_release+0xa40/0xa40 [ 26.452465] ? trace_event_raw_event_sched_switch+0x800/0x800 [ 26.452470] ? print_irqtrace_events+0x270/0x270 [ 26.452476] ? print_irqtrace_events+0x270/0x270 [ 26.452483] ? rcu_note_context_switch+0x710/0x710 [ 26.452490] ? __might_sleep+0x95/0x190 [ 26.452497] ? ep_free+0xf4/0x320 [ 26.452503] ? __mutex_lock+0x16f/0x1a80 [ 26.452508] ? ep_free+0xf4/0x320 [ 26.452515] ? print_irqtrace_events+0x270/0x270 [ 26.452520] ? ep_free+0xf4/0x320 [ 26.452529] lock_acquire+0x1d5/0x580 [ 26.452535] ? lock_acquire+0x1d5/0x580 [ 26.452541] ? remove_wait_queue+0x81/0x350 [ 26.452549] ? lock_release+0xa40/0xa40 [ 26.452558] ? lock_acquire+0x1d5/0x580 [ 26.452564] ? debug_check_no_locks_freed+0x3c0/0x3c0 [ 26.452569] ? lock_acquire+0x1d5/0x580 [ 26.452576] ? ep_unregister_pollwait.isra.7+0x323/0x590 [ 26.452583] _raw_spin_lock_irqsave+0x96/0xc0 [ 26.452588] ? remove_wait_queue+0x81/0x350 [ 26.452595] remove_wait_queue+0x81/0x350 [ 26.452602] ? depot_save_stack+0x3b5/0x490 [ 26.452610] ? add_wait_queue+0x290/0x290 [ 26.452616] ? rcutorture_record_progress+0x10/0x10 [ 26.452622] ? lock_release+0xa40/0xa40 [ 26.452631] ep_unregister_pollwait.isra.7+0x18c/0x590 [ 26.452638] ? 
__kernel_text_address+0xd/0x40 [ 26.452647] ? clear_tfile_check_list+0x370/0x370 [ 26.452654] ? check_noncircular+0x20/0x20 [ 26.452663] ? locks_remove_file+0x3fa/0x5a0 [ 26.452673] ep_free+0x13f/0x320 [ 26.452679] ? ep_remove+0x800/0x800 [ 26.452684] ? fsnotify_first_mark+0x2b0/0x2b0 [ 26.452692] ? ep_free+0x320/0x320 [ 26.452699] ep_eventpoll_release+0x44/0x60 [ 26.452706] __fput+0x327/0x7e0 [ 26.452714] ? fput+0x140/0x140 [ 26.452722] ? _raw_spin_unlock_irq+0x27/0x70 [ 26.452730] ____fput+0x15/0x20 [ 26.452737] task_work_run+0x199/0x270 [ 26.452745] ? task_work_cancel+0x210/0x210 [ 26.452751] ? _raw_spin_unlock+0x22/0x30 [ 26.452758] ? switch_task_namespaces+0x87/0xc0 [ 26.452766] do_exit+0x9bb/0x1ad0 [ 26.452773] ? __handle_mm_fault+0x2330/0x3ce0 [ 26.452786] ? mm_update_next_owner+0x930/0x930 [ 26.452795] ? do_raw_spin_trylock+0x190/0x190 [ 26.452803] ? trace_event_raw_event_sched_switch+0x800/0x800 [ 26.452809] ? check_noncircular+0x20/0x20 [ 26.452817] ? _raw_spin_unlock+0x22/0x30 [ 26.452823] ? __handle_mm_fault+0x80e/0x3ce0 [ 26.452831] ? check_noncircular+0x20/0x20 [ 26.452835] ? __pmd_alloc+0x4e0/0x4e0 [ 26.452841] ? lock_downgrade+0x980/0x980 [ 26.452849] ? find_held_lock+0x35/0x1d0 [ 26.452858] ? handle_mm_fault+0x248/0x8d0 [ 26.452865] ? find_held_lock+0x35/0x1d0 [ 26.452877] ? __do_page_fault+0x5f7/0xc90 [ 26.452883] ? lock_downgrade+0x980/0x980 [ 26.452892] ? handle_mm_fault+0x410/0x8d0 [ 26.452897] ? down_read_trylock+0xdb/0x170 [ 26.452903] ? __do_page_fault+0x32d/0xc90 [ 26.452909] ? __handle_mm_fault+0x3ce0/0x3ce0 [ 26.452916] ? vmacache_find+0x5f/0x280 [ 26.452925] do_group_exit+0x149/0x400 [ 26.452931] ? __do_page_fault+0x3d6/0xc90 [ 26.452937] ? SyS_exit+0x30/0x30 [ 26.452948] ? do_fast_syscall_32+0x156/0xf9d [ 26.452954] ? do_group_exit+0x400/0x400 [ 26.452960] SyS_exit_group+0x1d/0x20 [ 26.452967] do_fast_syscall_32+0x3ee/0xf9d [ 26.452976] ? do_int80_syscall_32+0x9d0/0x9d0 [ 26.452981] ? kasan_check_read+0x11/0x20 [ 26.452989] ? 
syscall_return_slowpath+0x550/0x550 [ 26.452996] ? SyS_rt_sigaction+0x94/0x1b0 [ 26.453006] ? SyS_sigprocmask+0x4b0/0x4b0 [ 26.453011] ? SyS_read+0x184/0x220 [ 26.453017] ? retint_user+0x18/0x18 [ 26.453025] ? trace_hardirqs_off_thunk+0x1a/0x1c [ 26.453034] entry_SYSENTER_compat+0x54/0x63 [ 26.453039] RIP: 0023:0xf7f9ac79 [ 26.453042] RSP: 002b:00000000ffb8cbec EFLAGS: 00000292 ORIG_RAX: 00000000000000fc [ 26.453049] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00000000080f0298 [ 26.453052] RDX: 0000000000000000 RSI: 00000000080d9ab8 RDI: 00000000080f02a0 [ 26.453056] RBP: 0000000000000001 R08: 0000000000000000 R09: 0000000000000000 [ 26.453059] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000 [ 26.453062] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000 [ 26.453070] [ 26.453073] Allocated by task 3650: [ 26.453079] save_stack+0x43/0xd0 [ 26.453083] kasan_kmalloc+0xad/0xe0 [ 26.453088] kmem_cache_alloc_trace+0x136/0x750 [ 26.453095] binder_get_thread+0x1cf/0x870 [ 26.453100] binder_poll+0x8c/0x390 [ 26.453106] ep_item_poll.isra.10+0xec/0x320 [ 26.453111] ep_insert+0x6a3/0x1b10 [ 26.453116] SyS_epoll_ctl+0x12e4/0x1ab0 [ 26.453121] do_fast_syscall_32+0x3ee/0xf9d [ 26.453126] entry_SYSENTER_compat+0x54/0x63 [ 26.453127] [ 26.453129] Freed by task 3650: [ 26.453134] save_stack+0x43/0xd0 [ 26.453138] kasan_slab_free+0x71/0xc0 [ 26.453143] kfree+0xd6/0x260 [ 26.453148] binder_thread_dec_tmpref+0x27f/0x310 [ 26.453154] binder_thread_release+0x27d/0x540 [ 26.453158] binder_ioctl+0xc02/0x1417 [ 26.453163] compat_SyS_ioctl+0x151/0x2a30 [ 26.453168] do_fast_syscall_32+0x3ee/0xf9d [ 26.453173] entry_SYSENTER_compat+0x54/0x63 [ 26.453174] [ 26.453178] The buggy address belongs to the object at ffff8801bd604d00 [ 26.453178] which belongs to the cache kmalloc-512 of size 512 [ 26.453183] The buggy address is located 176 bytes inside of [ 26.453183] 512-byte region [ffff8801bd604d00, ffff8801bd604f00) [ 26.453184] The buggy address belongs to 
the page: [ 26.453189] page:ffffea0006f58100 count:1 mapcount:0 mapping:ffff8801bd604080 index:0x0 [ 26.453195] flags: 0x2fffc0000000100(slab) [ 26.453204] raw: 02fffc0000000100 ffff8801bd604080 0000000000000000 0000000100000006 [ 26.453210] raw: ffffea0006f3c5a0 ffff8801dac01748 ffff8801dac00940 0000000000000000 [ 26.453213] page dumped because: kasan: bad access detected [ 26.453214] [ 26.453216] Memory state around the buggy address: [ 26.453221] ffff8801bd604c80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 26.453225] ffff8801bd604d00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 26.453229] >ffff8801bd604d80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 26.453232] ^ [ 26.453236] ffff8801bd604e00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 26.453240] ffff8801bd604e80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 26.453242] ================================================================== [ 26.453244] Disabling lock debugging due to kernel taint [ 26.453247] Kernel panic - not syncing: panic_on_warn set ... [ 26.453247] [ 26.453253] CPU: 1 PID: 3650 Comm: syzkaller695028 Tainted: G B 4.15.0-rc9+ #192 [ 26.453256] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 26.453257] Call Trace: [ 26.453264] dump_stack+0x194/0x257 [ 26.453272] ? arch_local_irq_restore+0x53/0x53 [ 26.453277] ? kasan_end_report+0x32/0x50 [ 26.453283] ? lock_downgrade+0x980/0x980 [ 26.453290] ? vsnprintf+0x1ed/0x1900 [ 26.453297] ? __lock_acquire+0x3ca0/0x3e00 [ 26.453302] panic+0x1e4/0x41c [ 26.453308] ? refcount_error_report+0x214/0x214 [ 26.453315] ? add_taint+0x40/0x50 [ 26.453320] ? add_taint+0x1c/0x50 [ 26.453327] ? __lock_acquire+0x3d4d/0x3e00 [ 26.453333] kasan_end_report+0x50/0x50 [ 26.453339] kasan_report+0x144/0x340 [ 26.453347] __asan_report_load8_noabort+0x14/0x20 [ 26.453353] __lock_acquire+0x3d4d/0x3e00 [ 26.453359] ? __lock_acquire+0x664/0x3e00 [ 26.453365] ? lock_downgrade+0x980/0x980 [ 26.453370] ? 
lock_downgrade+0x980/0x980 [ 26.453377] ? print_irqtrace_events+0x270/0x270 [ 26.453383] ? remove_wait_queue+0x81/0x350 [ 26.453392] ? debug_check_no_locks_freed+0x3c0/0x3c0 [ 26.453399] ? __lock_acquire+0x664/0x3e00 [ 26.453404] ? check_noncircular+0x20/0x20 [ 26.453416] ? debug_check_no_locks_freed+0x3c0/0x3c0 [ 26.453423] ? lock_acquire+0x1d5/0x580 [ 26.453429] ? lock_acquire+0x1d5/0x580 [ 26.453434] ? ep_free+0xf4/0x320 [ 26.453442] ? lock_release+0xa40/0xa40 [ 26.453449] ? trace_event_raw_event_sched_switch+0x800/0x800 [ 26.453454] ? print_irqtrace_events+0x270/0x270 [ 26.453460] ? print_irqtrace_events+0x270/0x270 [ 26.453466] ? rcu_note_context_switch+0x710/0x710 [ 26.453473] ? __might_sleep+0x95/0x190 [ 26.453480] ? ep_free+0xf4/0x320 [ 26.453486] ? __mutex_lock+0x16f/0x1a80 [ 26.453491] ? ep_free+0xf4/0x320 [ 26.453498] ? print_irqtrace_events+0x270/0x270 [ 26.453503] ? ep_free+0xf4/0x320 [ 26.453511] lock_acquire+0x1d5/0x580 [ 26.453517] ? lock_acquire+0x1d5/0x580 [ 26.453522] ? remove_wait_queue+0x81/0x350 [ 26.453531] ? lock_release+0xa40/0xa40 [ 26.453540] ? lock_acquire+0x1d5/0x580 [ 26.453545] ? debug_check_no_locks_freed+0x3c0/0x3c0 [ 26.453550] ? lock_acquire+0x1d5/0x580 [ 26.453557] ? ep_unregister_pollwait.isra.7+0x323/0x590 [ 26.453564] _raw_spin_lock_irqsave+0x96/0xc0 [ 26.453569] ? remove_wait_queue+0x81/0x350 [ 26.453576] remove_wait_queue+0x81/0x350 [ 26.453582] ? depot_save_stack+0x3b5/0x490 [ 26.453589] ? add_wait_queue+0x290/0x290 [ 26.453595] ? rcutorture_record_progress+0x10/0x10 [ 26.453601] ? lock_release+0xa40/0xa40 [ 26.453610] ep_unregister_pollwait.isra.7+0x18c/0x590 [ 26.453617] ? __kernel_text_address+0xd/0x40 [ 26.453624] ? clear_tfile_check_list+0x370/0x370 [ 26.453632] ? check_noncircular+0x20/0x20 [ 26.453640] ? locks_remove_file+0x3fa/0x5a0 [ 26.453649] ep_free+0x13f/0x320 [ 26.453655] ? ep_remove+0x800/0x800 [ 26.453661] ? fsnotify_first_mark+0x2b0/0x2b0 [ 26.453669] ? 
ep_free+0x320/0x320 [ 26.453675] ep_eventpoll_release+0x44/0x60 [ 26.453681] __fput+0x327/0x7e0 [ 26.453689] ? fput+0x140/0x140 [ 26.453697] ? _raw_spin_unlock_irq+0x27/0x70 [ 26.453705] ____fput+0x15/0x20 [ 26.453712] task_work_run+0x199/0x270 [ 26.453719] ? task_work_cancel+0x210/0x210 [ 26.453726] ? _raw_spin_unlock+0x22/0x30 [ 26.453732] ? switch_task_namespaces+0x87/0xc0 [ 26.453740] do_exit+0x9bb/0x1ad0 [ 26.453746] ? __handle_mm_fault+0x2330/0x3ce0 [ 26.453753] ? mm_update_next_owner+0x930/0x930 [ 26.453763] ? do_raw_spin_trylock+0x190/0x190 [ 26.453770] ? trace_event_raw_event_sched_switch+0x800/0x800 [ 26.453780] ? check_noncircular+0x20/0x20 [ 26.453788] ? _raw_spin_unlock+0x22/0x30 [ 26.453793] ? __handle_mm_fault+0x80e/0x3ce0 [ 26.453801] ? check_noncircular+0x20/0x20 [ 26.453806] ? __pmd_alloc+0x4e0/0x4e0 [ 26.453811] ? lock_downgrade+0x980/0x980 [ 26.453820] ? find_held_lock+0x35/0x1d0 [ 26.453828] ? handle_mm_fault+0x248/0x8d0 [ 26.453835] ? find_held_lock+0x35/0x1d0 [ 26.453844] ? __do_page_fault+0x5f7/0xc90 [ 26.453851] ? lock_downgrade+0x980/0x980 [ 26.453859] ? handle_mm_fault+0x410/0x8d0 [ 26.453864] ? down_read_trylock+0xdb/0x170 [ 26.453870] ? __do_page_fault+0x32d/0xc90 [ 26.453876] ? __handle_mm_fault+0x3ce0/0x3ce0 [ 26.453882] ? vmacache_find+0x5f/0x280 [ 26.453890] do_group_exit+0x149/0x400 [ 26.453897] ? __do_page_fault+0x3d6/0xc90 [ 26.453902] ? SyS_exit+0x30/0x30 [ 26.453910] ? do_fast_syscall_32+0x156/0xf9d [ 26.453916] ? do_group_exit+0x400/0x400 [ 26.453923] SyS_exit_group+0x1d/0x20 [ 26.453929] do_fast_syscall_32+0x3ee/0xf9d [ 26.453938] ? do_int80_syscall_32+0x9d0/0x9d0 [ 26.453943] ? kasan_check_read+0x11/0x20 [ 26.453950] ? syscall_return_slowpath+0x550/0x550 [ 26.453957] ? SyS_rt_sigaction+0x94/0x1b0 [ 26.453964] ? SyS_sigprocmask+0x4b0/0x4b0 [ 26.453969] ? SyS_read+0x184/0x220 [ 26.453974] ? retint_user+0x18/0x18 [ 26.453982] ? 
trace_hardirqs_off_thunk+0x1a/0x1c [ 26.453991] entry_SYSENTER_compat+0x54/0x63 [ 26.453994] RIP: 0023:0xf7f9ac79 [ 26.453997] RSP: 002b:00000000ffb8cbec EFLAGS: 00000292 ORIG_RAX: 00000000000000fc [ 26.454003] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00000000080f0298 [ 26.454007] RDX: 0000000000000000 RSI: 00000000080d9ab8 RDI: 00000000080f02a0 [ 26.454010] RBP: 0000000000000001 R08: 0000000000000000 R09: 0000000000000000 [ 26.454013] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000 [ 26.454016] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000 [ 26.473533] Dumping ftrace buffer: [ 26.473537] (ftrace buffer empty) [ 26.473540] Kernel Offset: disabled [ 27.754946] Rebooting in 86400 seconds..