[....] Starting enhanced syslogd: rsyslogd[ 12.457560] audit: type=1400 audit(1515667064.114:5): avc: denied { syslog } for pid=3346 comm="rsyslogd" capability=34 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=capability2 permissive=1 [?25l[?1c7[ ok 8[?25h[?0c. [....] Starting periodic command scheduler: cron[?25l[?1c7[ ok 8[?25h[?0c. Starting mcstransd: [....] Starting file context maintaining daemon: restorecond[?25l[?1c7[ ok 8[?25h[?0c. [....] Starting OpenBSD Secure Shell server: sshd[?25l[?1c7[ ok 8[?25h[?0c. Debian GNU/Linux 7 syzkaller ttyS0 syzkaller login: [ 19.706559] audit: type=1400 audit(1515667071.363:6): avc: denied { map } for pid=3485 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1 Warning: Permanently added '10.128.0.9' (ECDSA) to the list of known hosts. executing program [ 26.002802] audit: type=1400 audit(1515667077.659:7): avc: denied { map } for pid=3499 comm="syzkaller650002" path="/root/syzkaller650002430" dev="sda1" ino=16481 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1 [ 26.008477] ================================================================== [ 26.008491] BUG: KASAN: use-after-free in __lock_acquire+0x3d4d/0x3e00 [ 26.008496] Read of size 8 at addr ffff8801cdf6d0b0 by task syzkaller650002/3499 [ 26.008497] [ 26.008504] CPU: 1 PID: 3499 Comm: syzkaller650002 Not tainted 4.15.0-rc7+ #167 [ 26.008507] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 26.008510] Call Trace: [ 26.008519] dump_stack+0x194/0x257 [ 26.008526] ? arch_local_irq_restore+0x53/0x53 [ 26.008539] ? show_regs_print_info+0x18/0x18 [ 26.008545] ? print_irqtrace_events+0x270/0x270 [ 26.008552] ? __lock_acquire+0x664/0x3e00 [ 26.008558] ? __lock_acquire+0x3d4d/0x3e00 [ 26.008565] print_address_description+0x73/0x250 [ 26.008572] ? __lock_acquire+0x3d4d/0x3e00 [ 26.008578] kasan_report+0x25b/0x340 [ 26.008587] __asan_report_load8_noabort+0x14/0x20 [ 26.008592] __lock_acquire+0x3d4d/0x3e00 [ 26.008598] ? __lock_acquire+0x664/0x3e00 [ 26.008604] ? lock_downgrade+0x980/0x980 [ 26.008609] ? lock_downgrade+0x980/0x980 [ 26.008615] ? print_irqtrace_events+0x270/0x270 [ 26.008622] ? remove_wait_queue+0x81/0x350 [ 26.008631] ? debug_check_no_locks_freed+0x3c0/0x3c0 [ 26.008637] ? __lock_acquire+0x664/0x3e00 [ 26.008643] ? check_noncircular+0x20/0x20 [ 26.008655] ? debug_check_no_locks_freed+0x3c0/0x3c0 [ 26.008662] ? lock_acquire+0x1d5/0x580 [ 26.008667] ? lock_acquire+0x1d5/0x580 [ 26.008674] ? ep_free+0xf4/0x320 [ 26.008682] ? lock_release+0xa40/0xa40 [ 26.008688] ? trace_event_raw_event_sched_switch+0x800/0x800 [ 26.008693] ? print_irqtrace_events+0x270/0x270 [ 26.008699] ? print_irqtrace_events+0x270/0x270 [ 26.008707] ? rcu_note_context_switch+0x710/0x710 [ 26.008714] ? __might_sleep+0x95/0x190 [ 26.008720] ? ep_free+0xf4/0x320 [ 26.008728] ? __mutex_lock+0x16f/0x1a80 [ 26.008732] ? ep_free+0xf4/0x320 [ 26.008739] ? print_irqtrace_events+0x270/0x270 [ 26.008744] ? ep_free+0xf4/0x320 [ 26.008753] lock_acquire+0x1d5/0x580 [ 26.008758] ? lock_acquire+0x1d5/0x580 [ 26.008764] ? remove_wait_queue+0x81/0x350 [ 26.008772] ? lock_release+0xa40/0xa40 [ 26.008780] ? lock_acquire+0x1d5/0x580 [ 26.008786] ? debug_check_no_locks_freed+0x3c0/0x3c0 [ 26.008791] ? lock_acquire+0x1d5/0x580 [ 26.008797] ? ep_unregister_pollwait.isra.7+0x323/0x590 [ 26.008806] _raw_spin_lock_irqsave+0x96/0xc0 [ 26.008811] ? remove_wait_queue+0x81/0x350 [ 26.008818] remove_wait_queue+0x81/0x350 [ 26.008825] ? depot_save_stack+0x3b5/0x490 [ 26.008832] ? add_wait_queue+0x290/0x290 [ 26.008838] ? rcutorture_record_progress+0x10/0x10 [ 26.008843] ? lock_release+0xa40/0xa40 [ 26.008852] ep_unregister_pollwait.isra.7+0x18c/0x590 [ 26.008859] ? __kernel_text_address+0xd/0x40 [ 26.008867] ? clear_tfile_check_list+0x370/0x370 [ 26.008874] ? check_noncircular+0x20/0x20 [ 26.008883] ? locks_remove_file+0x3fa/0x5a0 [ 26.008892] ep_free+0x13f/0x320 [ 26.008898] ? ep_remove+0x800/0x800 [ 26.008904] ? fsnotify_first_mark+0x2b0/0x2b0 [ 26.008912] ? ep_free+0x320/0x320 [ 26.008918] ep_eventpoll_release+0x44/0x60 [ 26.008925] __fput+0x327/0x7e0 [ 26.008933] ? fput+0x140/0x140 [ 26.008940] ? _raw_spin_unlock_irq+0x27/0x70 [ 26.008949] ____fput+0x15/0x20 [ 26.008955] task_work_run+0x199/0x270 [ 26.008962] ? task_work_cancel+0x210/0x210 [ 26.008969] ? _raw_spin_unlock+0x22/0x30 [ 26.008976] ? switch_task_namespaces+0x87/0xc0 [ 26.008984] do_exit+0x9bb/0x1ad0 [ 26.008991] ? __handle_mm_fault+0x2330/0x3ce0 [ 26.008999] ? mm_update_next_owner+0x930/0x930 [ 26.009012] ? do_raw_spin_trylock+0x190/0x190 [ 26.009019] ? trace_event_raw_event_sched_switch+0x800/0x800 [ 26.009025] ? check_noncircular+0x20/0x20 [ 26.009032] ? _raw_spin_unlock+0x22/0x30 [ 26.009037] ? __handle_mm_fault+0x80e/0x3ce0 [ 26.009045] ? check_noncircular+0x20/0x20 [ 26.009050] ? __pmd_alloc+0x4e0/0x4e0 [ 26.009055] ? lock_downgrade+0x980/0x980 [ 26.009064] ? find_held_lock+0x35/0x1d0 [ 26.009072] ? handle_mm_fault+0x248/0x8d0 [ 26.009079] ? find_held_lock+0x35/0x1d0 [ 26.009089] ? __do_page_fault+0x5f7/0xc90 [ 26.009095] ? lock_downgrade+0x980/0x980 [ 26.009104] ? handle_mm_fault+0x410/0x8d0 [ 26.009109] ? down_read_trylock+0xdb/0x170 [ 26.009114] ? __do_page_fault+0x32d/0xc90 [ 26.009120] ? __handle_mm_fault+0x3ce0/0x3ce0 [ 26.009127] ? vmacache_find+0x5f/0x280 [ 26.009135] do_group_exit+0x149/0x400 [ 26.009141] ? __do_page_fault+0x3d6/0xc90 [ 26.009147] ? SyS_exit+0x30/0x30 [ 26.009155] ? do_fast_syscall_32+0x156/0xf9d [ 26.009162] ? do_group_exit+0x400/0x400 [ 26.009168] SyS_exit_group+0x1d/0x20 [ 26.009174] do_fast_syscall_32+0x3ee/0xf9d [ 26.009183] ? do_int80_syscall_32+0x9d0/0x9d0 [ 26.009190] ? trace_event_raw_event_sys_exit+0x260/0x260 [ 26.009196] ? syscall_return_slowpath+0x550/0x550 [ 26.009204] ? SyS_rt_sigaction+0x94/0x1b0 [ 26.009212] ? retint_user+0x18/0x18 [ 26.009220] ? trace_hardirqs_off_thunk+0x1a/0x1c [ 26.009228] entry_SYSENTER_compat+0x54/0x63 [ 26.009233] RIP: 0023:0xf7fbcc79 [ 26.009236] RSP: 002b:00000000ff8e476c EFLAGS: 00000296 ORIG_RAX: 00000000000000fc [ 26.009242] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00000000080f0298 [ 26.009246] RDX: 0000000000000000 RSI: 00000000080d9ad8 RDI: 00000000080f02a0 [ 26.009249] RBP: 0000000000000001 R08: 0000000000000000 R09: 0000000000000000 [ 26.009252] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000 [ 26.009255] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000 [ 26.009263] [ 26.009266] Allocated by task 3499: [ 26.009272] save_stack+0x43/0xd0 [ 26.009276] kasan_kmalloc+0xad/0xe0 [ 26.009281] kmem_cache_alloc_trace+0x136/0x750 [ 26.009287] binder_get_thread+0x1cf/0x870 [ 26.009291] binder_poll+0x8c/0x390 [ 26.009296] ep_item_poll.isra.10+0xec/0x320 [ 26.009301] ep_insert+0x6a3/0x1b10 [ 26.009306] SyS_epoll_ctl+0x12e4/0x1ab0 [ 26.009311] do_fast_syscall_32+0x3ee/0xf9d [ 26.009315] entry_SYSENTER_compat+0x54/0x63 [ 26.009316] [ 26.009318] Freed by task 3499: [ 26.009322] save_stack+0x43/0xd0 [ 26.009327] kasan_slab_free+0x71/0xc0 [ 26.009331] kfree+0xd6/0x260 [ 26.009336] binder_thread_dec_tmpref+0x27f/0x310 [ 26.009340] binder_thread_release+0x27d/0x540 [ 26.009344] binder_ioctl+0xc02/0x1417 [ 26.009350] compat_SyS_ioctl+0x151/0x2a30 [ 26.009355] do_fast_syscall_32+0x3ee/0xf9d [ 26.009359] entry_SYSENTER_compat+0x54/0x63 [ 26.009360] [ 26.009364] The buggy address belongs to the object at ffff8801cdf6d000 [ 26.009364] which belongs to the cache kmalloc-512 of size 512 [ 26.009368] The buggy address is located 176 bytes inside of [ 26.009368] 512-byte region [ffff8801cdf6d000, ffff8801cdf6d200) [ 26.009370] The buggy address belongs to the page: [ 26.009375] page:ffffea000737db40 count:1 mapcount:0 mapping:ffff8801cdf6d000 index:0x0 [ 26.009380] flags: 0x2fffc0000000100(slab) [ 26.009388] raw: 02fffc0000000100 ffff8801cdf6d000 0000000000000000 0000000100000006 [ 26.009394] raw: ffffea00071e3820 ffffea0007366260 ffff8801dac00940 0000000000000000 [ 26.009397] page dumped because: kasan: bad access detected [ 26.009398] [ 26.009399] Memory state around the buggy address: [ 26.009404] ffff8801cdf6cf80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 26.009408] ffff8801cdf6d000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 26.009412] >ffff8801cdf6d080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 26.009414] ^ [ 26.009418] ffff8801cdf6d100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 26.009422] ffff8801cdf6d180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 26.009424] ================================================================== [ 26.009426] Disabling lock debugging due to kernel taint [ 26.009429] Kernel panic - not syncing: panic_on_warn set ... [ 26.009429] [ 26.009435] CPU: 1 PID: 3499 Comm: syzkaller650002 Tainted: G B 4.15.0-rc7+ #167 [ 26.009438] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 26.009439] Call Trace: [ 26.009445] dump_stack+0x194/0x257 [ 26.009452] ? arch_local_irq_restore+0x53/0x53 [ 26.009457] ? kasan_end_report+0x32/0x50 [ 26.009464] ? lock_downgrade+0x980/0x980 [ 26.009470] ? vsnprintf+0x1ed/0x1900 [ 26.009476] ? __lock_acquire+0x3cb0/0x3e00 [ 26.009481] panic+0x1e4/0x41c [ 26.009487] ? refcount_error_report+0x214/0x214 [ 26.009494] ? add_taint+0x40/0x50 [ 26.009499] ? add_taint+0x1c/0x50 [ 26.009506] ? __lock_acquire+0x3d4d/0x3e00 [ 26.009512] kasan_end_report+0x50/0x50 [ 26.009517] kasan_report+0x144/0x340 [ 26.009525] __asan_report_load8_noabort+0x14/0x20 [ 26.009535] __lock_acquire+0x3d4d/0x3e00 [ 26.009540] ? __lock_acquire+0x664/0x3e00 [ 26.009546] ? lock_downgrade+0x980/0x980 [ 26.009551] ? lock_downgrade+0x980/0x980 [ 26.009558] ? print_irqtrace_events+0x270/0x270 [ 26.009564] ? remove_wait_queue+0x81/0x350 [ 26.009573] ? debug_check_no_locks_freed+0x3c0/0x3c0 [ 26.009579] ? __lock_acquire+0x664/0x3e00 [ 26.009585] ? check_noncircular+0x20/0x20 [ 26.009596] ? debug_check_no_locks_freed+0x3c0/0x3c0 [ 26.009603] ? lock_acquire+0x1d5/0x580 [ 26.009608] ? lock_acquire+0x1d5/0x580 [ 26.009613] ? ep_free+0xf4/0x320 [ 26.009622] ? lock_release+0xa40/0xa40 [ 26.009627] ? trace_event_raw_event_sched_switch+0x800/0x800 [ 26.009633] ? print_irqtrace_events+0x270/0x270 [ 26.009639] ? print_irqtrace_events+0x270/0x270 [ 26.009645] ? rcu_note_context_switch+0x710/0x710 [ 26.009652] ? __might_sleep+0x95/0x190 [ 26.009658] ? ep_free+0xf4/0x320 [ 26.009663] ? __mutex_lock+0x16f/0x1a80 [ 26.009668] ? ep_free+0xf4/0x320 [ 26.009675] ? print_irqtrace_events+0x270/0x270 [ 26.009680] ? ep_free+0xf4/0x320 [ 26.009688] lock_acquire+0x1d5/0x580 [ 26.009693] ? lock_acquire+0x1d5/0x580 [ 26.009699] ? remove_wait_queue+0x81/0x350 [ 26.009707] ? lock_release+0xa40/0xa40 [ 26.009716] ? lock_acquire+0x1d5/0x580 [ 26.009721] ? debug_check_no_locks_freed+0x3c0/0x3c0 [ 26.009726] ? lock_acquire+0x1d5/0x580 [ 26.009732] ? ep_unregister_pollwait.isra.7+0x323/0x590 [ 26.009740] _raw_spin_lock_irqsave+0x96/0xc0 [ 26.009745] ? remove_wait_queue+0x81/0x350 [ 26.009752] remove_wait_queue+0x81/0x350 [ 26.009757] ? depot_save_stack+0x3b5/0x490 [ 26.009764] ? add_wait_queue+0x290/0x290 [ 26.009770] ? rcutorture_record_progress+0x10/0x10 [ 26.009776] ? lock_release+0xa40/0xa40 [ 26.009785] ep_unregister_pollwait.isra.7+0x18c/0x590 [ 26.009791] ? __kernel_text_address+0xd/0x40 [ 26.009799] ? clear_tfile_check_list+0x370/0x370 [ 26.009806] ? check_noncircular+0x20/0x20 [ 26.009814] ? locks_remove_file+0x3fa/0x5a0 [ 26.009822] ep_free+0x13f/0x320 [ 26.009829] ? ep_remove+0x800/0x800 [ 26.009834] ? fsnotify_first_mark+0x2b0/0x2b0 [ 26.009842] ? ep_free+0x320/0x320 [ 26.009848] ep_eventpoll_release+0x44/0x60 [ 26.009854] __fput+0x327/0x7e0 [ 26.009862] ? fput+0x140/0x140 [ 26.009868] ? _raw_spin_unlock_irq+0x27/0x70 [ 26.009883] ____fput+0x15/0x20 [ 26.009889] task_work_run+0x199/0x270 [ 26.009897] ? task_work_cancel+0x210/0x210 [ 26.009903] ? _raw_spin_unlock+0x22/0x30 [ 26.009909] ? switch_task_namespaces+0x87/0xc0 [ 26.009916] do_exit+0x9bb/0x1ad0 [ 26.009922] ? __handle_mm_fault+0x2330/0x3ce0 [ 26.009930] ? mm_update_next_owner+0x930/0x930 [ 26.009939] ? do_raw_spin_trylock+0x190/0x190 [ 26.009946] ? trace_event_raw_event_sched_switch+0x800/0x800 [ 26.009952] ? check_noncircular+0x20/0x20 [ 26.009959] ? _raw_spin_unlock+0x22/0x30 [ 26.009964] ? __handle_mm_fault+0x80e/0x3ce0 [ 26.009972] ? check_noncircular+0x20/0x20 [ 26.009977] ? __pmd_alloc+0x4e0/0x4e0 [ 26.009982] ? lock_downgrade+0x980/0x980 [ 26.009990] ? find_held_lock+0x35/0x1d0 [ 26.009998] ? handle_mm_fault+0x248/0x8d0 [ 26.010005] ? find_held_lock+0x35/0x1d0 [ 26.010013] ? __do_page_fault+0x5f7/0xc90 [ 26.010019] ? lock_downgrade+0x980/0x980 [ 26.010028] ? handle_mm_fault+0x410/0x8d0 [ 26.010033] ? down_read_trylock+0xdb/0x170 [ 26.010038] ? __do_page_fault+0x32d/0xc90 [ 26.010044] ? __handle_mm_fault+0x3ce0/0x3ce0 [ 26.010050] ? vmacache_find+0x5f/0x280 [ 26.010058] do_group_exit+0x149/0x400 [ 26.010064] ? __do_page_fault+0x3d6/0xc90 [ 26.010070] ? SyS_exit+0x30/0x30 [ 26.010078] ? do_fast_syscall_32+0x156/0xf9d [ 26.010083] ? do_group_exit+0x400/0x400 [ 26.010089] SyS_exit_group+0x1d/0x20 [ 26.010096] do_fast_syscall_32+0x3ee/0xf9d [ 26.010104] ? do_int80_syscall_32+0x9d0/0x9d0 [ 26.010111] ? trace_event_raw_event_sys_exit+0x260/0x260 [ 26.010117] ? syscall_return_slowpath+0x550/0x550 [ 26.010124] ? SyS_rt_sigaction+0x94/0x1b0 [ 26.010131] ? retint_user+0x18/0x18 [ 26.010139] ? trace_hardirqs_off_thunk+0x1a/0x1c [ 26.010147] entry_SYSENTER_compat+0x54/0x63 [ 26.010150] RIP: 0023:0xf7fbcc79 [ 26.010153] RSP: 002b:00000000ff8e476c EFLAGS: 00000296 ORIG_RAX: 00000000000000fc [ 26.010159] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00000000080f0298 [ 26.010162] RDX: 0000000000000000 RSI: 00000000080d9ad8 RDI: 00000000080f02a0 [ 26.010165] RBP: 0000000000000001 R08: 0000000000000000 R09: 0000000000000000 [ 26.010168] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000 [ 26.010171] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000 [ 26.029122] Dumping ftrace buffer: [ 26.029126] (ftrace buffer empty) [ 26.029128] Kernel Offset: disabled [ 27.297447] Rebooting in 86400 seconds..