[....] Starting enhanced syslogd: rsyslogd[ 12.081051] audit: type=1400 audit(1515075250.276:5): avc: denied { syslog } for pid=3341 comm="rsyslogd" capability=34 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=capability2 permissive=1 [?25l[?1c7[ ok 8[?25h[?0c. [....] Starting periodic command scheduler: cron[?25l[?1c7[ ok 8[?25h[?0c. Starting mcstransd: [....] Starting file context maintaining daemon: restorecond[?25l[?1c7[ ok 8[?25h[?0c. [....] Starting OpenBSD Secure Shell server: sshd[?25l[?1c7[ ok 8[?25h[?0c. Debian GNU/Linux 7 syzkaller ttyS0 syzkaller login: [ 16.467707] audit: type=1400 audit(1515075254.663:6): avc: denied { map } for pid=3480 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1 Warning: Permanently added '10.128.0.47' (ECDSA) to the list of known hosts. executing program [ 36.838418] audit: type=1400 audit(1515075275.034:7): avc: denied { map } for pid=3498 comm="syzkaller645515" path="/root/syzkaller645515638" dev="sda1" ino=16481 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1 [ 36.841857] ================================================================== [ 36.841868] BUG: KASAN: use-after-free in __lock_acquire+0x3d4d/0x3e00 [ 36.841872] Read of size 8 at addr ffff8801bf9e1b30 by task syzkaller645515/3498 [ 36.841872] [ 36.841877] CPU: 0 PID: 3498 Comm: syzkaller645515 Not tainted 4.15.0-rc6+ #157 [ 36.841879] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 36.841881] Call Trace: [ 36.841889] dump_stack+0x194/0x257 [ 36.841893] ? arch_local_irq_restore+0x53/0x53 [ 36.841899] ? show_regs_print_info+0x18/0x18 [ 36.841903] ? print_irqtrace_events+0x270/0x270 [ 36.841907] ? __lock_acquire+0x664/0x3e00 [ 36.841911] ? __lock_acquire+0x3d4d/0x3e00 [ 36.841917] print_address_description+0x73/0x250 [ 36.841921] ? __lock_acquire+0x3d4d/0x3e00 [ 36.841925] kasan_report+0x25b/0x340 [ 36.841930] __asan_report_load8_noabort+0x14/0x20 [ 36.841933] __lock_acquire+0x3d4d/0x3e00 [ 36.841937] ? __lock_acquire+0x664/0x3e00 [ 36.841940] ? lock_downgrade+0x980/0x980 [ 36.841943] ? lock_downgrade+0x980/0x980 [ 36.841947] ? print_irqtrace_events+0x270/0x270 [ 36.841952] ? remove_wait_queue+0x81/0x350 [ 36.841958] ? debug_check_no_locks_freed+0x3c0/0x3c0 [ 36.841961] ? __lock_acquire+0x664/0x3e00 [ 36.841965] ? check_noncircular+0x20/0x20 [ 36.841972] ? debug_check_no_locks_freed+0x3c0/0x3c0 [ 36.841976] ? lock_acquire+0x1d5/0x580 [ 36.841979] ? lock_acquire+0x1d5/0x580 [ 36.841984] ? ep_free+0xf4/0x320 [ 36.841989] ? lock_release+0xa40/0xa40 [ 36.841994] ? trace_event_raw_event_sched_switch+0x800/0x800 [ 36.841998] ? print_irqtrace_events+0x270/0x270 [ 36.842005] ? print_irqtrace_events+0x270/0x270 [ 36.842011] ? rcu_note_context_switch+0x710/0x710 [ 36.842015] ? __might_sleep+0x95/0x190 [ 36.842019] ? ep_free+0xf4/0x320 [ 36.842023] ? __mutex_lock+0x16f/0x1a80 [ 36.842026] ? ep_free+0xf4/0x320 [ 36.842030] ? print_irqtrace_events+0x270/0x270 [ 36.842033] ? ep_free+0xf4/0x320 [ 36.842038] lock_acquire+0x1d5/0x580 [ 36.842041] ? lock_acquire+0x1d5/0x580 [ 36.842045] ? remove_wait_queue+0x81/0x350 [ 36.842049] ? lock_release+0xa40/0xa40 [ 36.842055] ? lock_acquire+0x1d5/0x580 [ 36.842058] ? debug_check_no_locks_freed+0x3c0/0x3c0 [ 36.842061] ? lock_acquire+0x1d5/0x580 [ 36.842065] ? ep_unregister_pollwait.isra.7+0x323/0x590 [ 36.842070] _raw_spin_lock_irqsave+0x96/0xc0 [ 36.842074] ? remove_wait_queue+0x81/0x350 [ 36.842078] remove_wait_queue+0x81/0x350 [ 36.842083] ? depot_save_stack+0x3b5/0x490 [ 36.842087] ? add_wait_queue+0x290/0x290 [ 36.842091] ? rcutorture_record_progress+0x10/0x10 [ 36.842094] ? lock_release+0xa40/0xa40 [ 36.842099] ep_unregister_pollwait.isra.7+0x18c/0x590 [ 36.842104] ? __kernel_text_address+0xd/0x40 [ 36.842109] ? clear_tfile_check_list+0x370/0x370 [ 36.842113] ? check_noncircular+0x20/0x20 [ 36.842118] ? locks_remove_file+0x3fa/0x5a0 [ 36.842124] ep_free+0x13f/0x320 [ 36.842127] ? ep_remove+0x800/0x800 [ 36.842131] ? fsnotify_first_mark+0x2b0/0x2b0 [ 36.842135] ? ep_free+0x320/0x320 [ 36.842139] ep_eventpoll_release+0x44/0x60 [ 36.842143] __fput+0x327/0x7e0 [ 36.842148] ? fput+0x140/0x140 [ 36.842152] ? _raw_spin_unlock_irq+0x27/0x70 [ 36.842157] ____fput+0x15/0x20 [ 36.842161] task_work_run+0x199/0x270 [ 36.842165] ? task_work_cancel+0x210/0x210 [ 36.842169] ? _raw_spin_unlock+0x22/0x30 [ 36.842173] ? switch_task_namespaces+0x87/0xc0 [ 36.842179] do_exit+0x9bb/0x1ad0 [ 36.842184] ? __handle_mm_fault+0x2330/0x3ce0 [ 36.842188] ? mm_update_next_owner+0x930/0x930 [ 36.842194] ? do_raw_spin_trylock+0x190/0x190 [ 36.842199] ? trace_event_raw_event_sched_switch+0x800/0x800 [ 36.842202] ? check_noncircular+0x20/0x20 [ 36.842206] ? _raw_spin_unlock+0x22/0x30 [ 36.842210] ? __handle_mm_fault+0x80e/0x3ce0 [ 36.842214] ? check_noncircular+0x20/0x20 [ 36.842217] ? __pmd_alloc+0x4e0/0x4e0 [ 36.842220] ? lock_downgrade+0x980/0x980 [ 36.842225] ? find_held_lock+0x35/0x1d0 [ 36.842230] ? handle_mm_fault+0x248/0x8d0 [ 36.842234] ? find_held_lock+0x35/0x1d0 [ 36.842241] ? __do_page_fault+0x5f7/0xc90 [ 36.842244] ? lock_downgrade+0x980/0x980 [ 36.842249] ? handle_mm_fault+0x410/0x8d0 [ 36.842252] ? down_read_trylock+0xdb/0x170 [ 36.842256] ? __do_page_fault+0x32d/0xc90 [ 36.842259] ? __handle_mm_fault+0x3ce0/0x3ce0 [ 36.842265] ? vmacache_find+0x5f/0x280 [ 36.842270] do_group_exit+0x149/0x400 [ 36.842274] ? __do_page_fault+0x3d6/0xc90 [ 36.842277] ? SyS_exit+0x30/0x30 [ 36.842283] ? do_fast_syscall_32+0x156/0xf9d [ 36.842287] ? do_group_exit+0x400/0x400 [ 36.842291] SyS_exit_group+0x1d/0x20 [ 36.842294] do_fast_syscall_32+0x3ee/0xf9d [ 36.842299] ? do_int80_syscall_32+0x9d0/0x9d0 [ 36.842303] ? kasan_check_read+0x11/0x20 [ 36.842307] ? syscall_return_slowpath+0x550/0x550 [ 36.842311] ? SyS_rt_sigaction+0x94/0x1b0 [ 36.842315] ? SyS_sigprocmask+0x4b0/0x4b0 [ 36.842319] ? SyS_read+0x184/0x220 [ 36.842322] ? retint_user+0x18/0x18 [ 36.842327] ? trace_hardirqs_off_thunk+0x1a/0x1c [ 36.842333] entry_SYSENTER_compat+0x54/0x63 [ 36.842336] RIP: 0023:0xf7fb6c79 [ 36.842338] RSP: 002b:00000000ff890a4c EFLAGS: 00000292 ORIG_RAX: 00000000000000fc [ 36.842342] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00000000080f0298 [ 36.842344] RDX: 0000000000000000 RSI: 00000000080d9ad8 RDI: 00000000080f02a0 [ 36.842346] RBP: 0000000000000001 R08: 0000000000000000 R09: 0000000000000000 [ 36.842348] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000 [ 36.842350] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000 [ 36.842354] [ 36.842357] Allocated by task 3498: [ 36.842360] save_stack+0x43/0xd0 [ 36.842363] kasan_kmalloc+0xad/0xe0 [ 36.842366] kmem_cache_alloc_trace+0x136/0x750 [ 36.842370] binder_get_thread+0x1cf/0x870 [ 36.842373] binder_poll+0x8c/0x390 [ 36.842376] ep_item_poll.isra.10+0xec/0x320 [ 36.842379] ep_insert+0x6a3/0x1b10 [ 36.842382] SyS_epoll_ctl+0x12e4/0x1ab0 [ 36.842385] do_fast_syscall_32+0x3ee/0xf9d [ 36.842388] entry_SYSENTER_compat+0x54/0x63 [ 36.842389] [ 36.842390] Freed by task 3498: [ 36.842393] save_stack+0x43/0xd0 [ 36.842396] kasan_slab_free+0x71/0xc0 [ 36.842398] kfree+0xd6/0x260 [ 36.842401] binder_thread_dec_tmpref+0x27f/0x310 [ 36.842403] binder_thread_release+0x27d/0x540 [ 36.842406] binder_ioctl+0xc02/0x1417 [ 36.842409] compat_SyS_ioctl+0x151/0x2a30 [ 36.842412] do_fast_syscall_32+0x3ee/0xf9d [ 36.842415] entry_SYSENTER_compat+0x54/0x63 [ 36.842416] [ 36.842419] The buggy address belongs to the object at ffff8801bf9e1a80 [ 36.842419] which belongs to the cache kmalloc-512 of size 512 [ 36.842421] The buggy address is located 176 bytes inside of [ 36.842421] 512-byte region [ffff8801bf9e1a80, ffff8801bf9e1c80) [ 36.842422] The buggy address belongs to the page: [ 36.842426] page:00000000cde89eee count:1 mapcount:0 mapping:000000000fc0577f index:0x0 [ 36.842430] flags: 0x2fffc0000000100(slab) [ 36.842436] raw: 02fffc0000000100 ffff8801bf9e1080 0000000000000000 0000000100000006 [ 36.842439] raw: ffffea0006ff4720 ffffea0006fdb3a0 ffff8801dac00940 0000000000000000 [ 36.842441] page dumped because: kasan: bad access detected [ 36.842442] [ 36.842443] Memory state around the buggy address: [ 36.842446] ffff8801bf9e1a00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 36.842449] ffff8801bf9e1a80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 36.842451] >ffff8801bf9e1b00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 36.842453] ^ [ 36.842455] ffff8801bf9e1b80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 36.842458] ffff8801bf9e1c00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 36.842459] ================================================================== [ 36.842460] Disabling lock debugging due to kernel taint [ 36.842462] Kernel panic - not syncing: panic_on_warn set ... [ 36.842462] [ 36.842466] CPU: 0 PID: 3498 Comm: syzkaller645515 Tainted: G B 4.15.0-rc6+ #157 [ 36.842468] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 36.842469] Call Trace: [ 36.842472] dump_stack+0x194/0x257 [ 36.842477] ? arch_local_irq_restore+0x53/0x53 [ 36.842480] ? kasan_end_report+0x32/0x50 [ 36.842484] ? lock_downgrade+0x980/0x980 [ 36.842488] ? vsnprintf+0x1ed/0x1900 [ 36.842492] ? __lock_acquire+0x3cb0/0x3e00 [ 36.842495] panic+0x1e4/0x41c [ 36.842498] ? refcount_error_report+0x214/0x214 [ 36.842502] ? add_taint+0x40/0x50 [ 36.842505] ? add_taint+0x1c/0x50 [ 36.842509] ? __lock_acquire+0x3d4d/0x3e00 [ 36.842513] kasan_end_report+0x50/0x50 [ 36.842516] kasan_report+0x144/0x340 [ 36.842521] __asan_report_load8_noabort+0x14/0x20 [ 36.842524] __lock_acquire+0x3d4d/0x3e00 [ 36.842527] ? __lock_acquire+0x664/0x3e00 [ 36.842531] ? lock_downgrade+0x980/0x980 [ 36.842534] ? lock_downgrade+0x980/0x980 [ 36.842538] ? print_irqtrace_events+0x270/0x270 [ 36.842541] ? remove_wait_queue+0x81/0x350 [ 36.842546] ? debug_check_no_locks_freed+0x3c0/0x3c0 [ 36.842550] ? __lock_acquire+0x664/0x3e00 [ 36.842553] ? check_noncircular+0x20/0x20 [ 36.842560] ? debug_check_no_locks_freed+0x3c0/0x3c0 [ 36.842564] ? lock_acquire+0x1d5/0x580 [ 36.842567] ? lock_acquire+0x1d5/0x580 [ 36.842570] ? ep_free+0xf4/0x320 [ 36.842575] ? lock_release+0xa40/0xa40 [ 36.842578] ? trace_event_raw_event_sched_switch+0x800/0x800 [ 36.842582] ? print_irqtrace_events+0x270/0x270 [ 36.842585] ? print_irqtrace_events+0x270/0x270 [ 36.842589] ? rcu_note_context_switch+0x710/0x710 [ 36.842593] ? __might_sleep+0x95/0x190 [ 36.842596] ? ep_free+0xf4/0x320 [ 36.842599] ? __mutex_lock+0x16f/0x1a80 [ 36.842602] ? ep_free+0xf4/0x320 [ 36.842606] ? print_irqtrace_events+0x270/0x270 [ 36.842609] ? ep_free+0xf4/0x320 [ 36.842618] lock_acquire+0x1d5/0x580 [ 36.842621] ? lock_acquire+0x1d5/0x580 [ 36.842625] ? remove_wait_queue+0x81/0x350 [ 36.842629] ? lock_release+0xa40/0xa40 [ 36.842634] ? lock_acquire+0x1d5/0x580 [ 36.842638] ? debug_check_no_locks_freed+0x3c0/0x3c0 [ 36.842640] ? lock_acquire+0x1d5/0x580 [ 36.842644] ? ep_unregister_pollwait.isra.7+0x323/0x590 [ 36.842649] _raw_spin_lock_irqsave+0x96/0xc0 [ 36.842652] ? remove_wait_queue+0x81/0x350 [ 36.842656] remove_wait_queue+0x81/0x350 [ 36.842659] ? depot_save_stack+0x3b5/0x490 [ 36.842663] ? add_wait_queue+0x290/0x290 [ 36.842667] ? rcutorture_record_progress+0x10/0x10 [ 36.842670] ? lock_release+0xa40/0xa40 [ 36.842675] ep_unregister_pollwait.isra.7+0x18c/0x590 [ 36.842679] ? __kernel_text_address+0xd/0x40 [ 36.842684] ? clear_tfile_check_list+0x370/0x370 [ 36.842688] ? check_noncircular+0x20/0x20 [ 36.842692] ? locks_remove_file+0x3fa/0x5a0 [ 36.842698] ep_free+0x13f/0x320 [ 36.842701] ? ep_remove+0x800/0x800 [ 36.842704] ? fsnotify_first_mark+0x2b0/0x2b0 [ 36.842709] ? ep_free+0x320/0x320 [ 36.842712] ep_eventpoll_release+0x44/0x60 [ 36.842716] __fput+0x327/0x7e0 [ 36.842721] ? fput+0x140/0x140 [ 36.842725] ? _raw_spin_unlock_irq+0x27/0x70 [ 36.842729] ____fput+0x15/0x20 [ 36.842733] task_work_run+0x199/0x270 [ 36.842738] ? task_work_cancel+0x210/0x210 [ 36.842741] ? _raw_spin_unlock+0x22/0x30 [ 36.842745] ? switch_task_namespaces+0x87/0xc0 [ 36.842749] do_exit+0x9bb/0x1ad0 [ 36.842753] ? __handle_mm_fault+0x2330/0x3ce0 [ 36.842757] ? mm_update_next_owner+0x930/0x930 [ 36.842762] ? do_raw_spin_trylock+0x190/0x190 [ 36.842766] ? trace_event_raw_event_sched_switch+0x800/0x800 [ 36.842770] ? check_noncircular+0x20/0x20 [ 36.842774] ? _raw_spin_unlock+0x22/0x30 [ 36.842777] ? __handle_mm_fault+0x80e/0x3ce0 [ 36.842782] ? check_noncircular+0x20/0x20 [ 36.842784] ? __pmd_alloc+0x4e0/0x4e0 [ 36.842788] ? lock_downgrade+0x980/0x980 [ 36.842792] ? find_held_lock+0x35/0x1d0 [ 36.842797] ? handle_mm_fault+0x248/0x8d0 [ 36.842801] ? find_held_lock+0x35/0x1d0 [ 36.842806] ? __do_page_fault+0x5f7/0xc90 [ 36.842810] ? lock_downgrade+0x980/0x980 [ 36.842814] ? handle_mm_fault+0x410/0x8d0 [ 36.842817] ? down_read_trylock+0xdb/0x170 [ 36.842821] ? __do_page_fault+0x32d/0xc90 [ 36.842824] ? __handle_mm_fault+0x3ce0/0x3ce0 [ 36.842828] ? vmacache_find+0x5f/0x280 [ 36.842832] do_group_exit+0x149/0x400 [ 36.842836] ? __do_page_fault+0x3d6/0xc90 [ 36.842839] ? SyS_exit+0x30/0x30 [ 36.842844] ? do_fast_syscall_32+0x156/0xf9d [ 36.842847] ? do_group_exit+0x400/0x400 [ 36.842851] SyS_exit_group+0x1d/0x20 [ 36.842855] do_fast_syscall_32+0x3ee/0xf9d [ 36.842859] ? do_int80_syscall_32+0x9d0/0x9d0 [ 36.842863] ? kasan_check_read+0x11/0x20 [ 36.842867] ? syscall_return_slowpath+0x550/0x550 [ 36.842871] ? SyS_rt_sigaction+0x94/0x1b0 [ 36.842875] ? SyS_sigprocmask+0x4b0/0x4b0 [ 36.842878] ? SyS_read+0x184/0x220 [ 36.842881] ? retint_user+0x18/0x18 [ 36.842886] ? trace_hardirqs_off_thunk+0x1a/0x1c [ 36.842891] entry_SYSENTER_compat+0x54/0x63 [ 36.842893] RIP: 0023:0xf7fb6c79 [ 36.842895] RSP: 002b:00000000ff890a4c EFLAGS: 00000292 ORIG_RAX: 00000000000000fc [ 36.842899] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00000000080f0298 [ 36.842901] RDX: 0000000000000000 RSI: 00000000080d9ad8 RDI: 00000000080f02a0 [ 36.842903] RBP: 0000000000000001 R08: 0000000000000000 R09: 0000000000000000 [ 36.842904] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000 [ 36.842906] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000 [ 36.864293] Dumping ftrace buffer: [ 36.864295] (ftrace buffer empty) [ 36.864297] Kernel Offset: disabled [ 38.143371] Rebooting in 86400 seconds..