[....] Starting enhanced syslogd: rsyslogd
[ 10.458666] audit: type=1400 audit(1513620228.069:5): avc: denied { syslog } for pid=2986 comm="rsyslogd" capability=34 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=capability2 permissive=1
[ ok ] Starting enhanced syslogd: rsyslogd.
[ ok ] Starting periodic command scheduler: cron.
Starting mcstransd:
[ ok ] Starting file context maintaining daemon: restorecond.
[ ok ] Starting OpenBSD Secure Shell server: sshd.

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [ 16.711328] audit: type=1400 audit(1513620234.322:6): avc: denied { map } for pid=3125 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
Warning: Permanently added 'ci-upstream-kasan-gce-6,10.128.0.8' (ECDSA) to the list of known hosts.
executing program
[ 23.077796] audit: type=1400 audit(1513620240.688:7): avc: denied { map } for pid=3139 comm="syzkaller598684" path="/root/syzkaller598684059" dev="sda1" ino=16481 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
[ 23.110007] ==================================================================
[ 23.117396] BUG: KASAN: use-after-free in handle_userfault+0x21c1/0x24c0
[ 23.124204] Read of size 8 at addr ffff8801ca8e8da0 by task syzkaller598684/3146
[ 23.131709]
[ 23.133305] CPU: 0 PID: 3146 Comm: syzkaller598684 Not tainted 4.15.0-rc4+ #227
[ 23.140724] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 23.150045] Call Trace:
[ 23.152615]  dump_stack+0x194/0x257
[ 23.156213]  ? arch_local_irq_restore+0x53/0x53
[ 23.160852]  ? show_regs_print_info+0x18/0x18
[ 23.165315]  ? find_held_lock+0x35/0x1d0
[ 23.169346]  ? handle_userfault+0x21c1/0x24c0
[ 23.173808]  print_address_description+0x73/0x250
[ 23.178616]  ? handle_userfault+0x21c1/0x24c0
[ 23.183078]  kasan_report+0x25b/0x340
[ 23.186851]  __asan_report_load8_noabort+0x14/0x20
[ 23.191745]  handle_userfault+0x21c1/0x24c0
[ 23.196044]  ? __lock_is_held+0xb6/0x140
[ 23.200079]  ? userfaultfd_ioctl+0x4520/0x4520
[ 23.204640]  ? debug_check_no_locks_freed+0x3c0/0x3c0
[ 23.209803]  ? rcu_read_lock_sched_held+0x108/0x120
[ 23.214795]  ? __alloc_pages_nodemask+0xadb/0xd80
[ 23.219616]  ? __alloc_pages_slowpath+0x2d00/0x2d00
[ 23.224606]  ? depot_save_stack+0x3b5/0x490
[ 23.228903]  ? save_stack+0xa3/0xd0
[ 23.232498]  ? save_stack+0x43/0xd0
[ 23.236092]  ? kasan_kmalloc+0xad/0xe0
[ 23.239943]  ? kasan_slab_alloc+0x12/0x20
[ 23.244055]  ? kmem_cache_alloc+0x12e/0x760
[ 23.248340]  ? ptlock_alloc+0x24/0x70
[ 23.252107]  ? pte_alloc_one+0x59/0x100
[ 23.256044]  ? do_huge_pmd_anonymous_page+0xc23/0x1b00
[ 23.261283]  ? handle_mm_fault+0x334/0x8d0
[ 23.265483]  ? __do_page_fault+0x5c9/0xc90
[ 23.269681]  ? do_page_fault+0xee/0x720
[ 23.273617]  ? page_fault+0x22/0x30
[ 23.277215]  ? check_noncircular+0x20/0x20
[ 23.281415]  ? check_noncircular+0x20/0x20
[ 23.285616]  ? alloc_pages_current+0xbe/0x1e0
[ 23.290082]  ? mm_get_huge_zero_page+0x12c/0x400
[ 23.294804]  ? find_held_lock+0x35/0x1d0
[ 23.298841]  ? do_huge_pmd_anonymous_page+0xe1f/0x1b00
[ 23.304084]  ? lock_downgrade+0x980/0x980
[ 23.308198]  ? lock_release+0xa40/0xa40
[ 23.312140]  ? trace_hardirqs_on_caller+0x421/0x5c0
[ 23.317121]  ? do_raw_spin_trylock+0x190/0x190
[ 23.321671]  ? lockdep_init_map+0x9/0x10
[ 23.325702]  do_huge_pmd_anonymous_page+0xe2c/0x1b00
[ 23.330768]  ? kasan_slab_alloc+0x12/0x20
[ 23.334879]  ? ptlock_alloc+0x24/0x70
[ 23.338643]  ? pte_alloc_one+0x59/0x100
[ 23.342585]  ? __thp_get_unmapped_area+0x130/0x130
[ 23.347477]  ? __lock_acquire+0x664/0x3e00
[ 23.351677]  ? __lock_acquire+0x664/0x3e00
[ 23.355875]  ? check_noncircular+0x20/0x20
[ 23.360078]  ? check_noncircular+0x20/0x20
[ 23.364287]  ? debug_check_no_locks_freed+0x3c0/0x3c0
[ 23.369460]  ? debug_check_no_locks_freed+0x3c0/0x3c0
[ 23.374621]  ? find_held_lock+0x35/0x1d0
[ 23.378653]  ? __handle_mm_fault+0x2330/0x3ce0
[ 23.383199]  ? lock_downgrade+0x980/0x980
[ 23.387317]  ? mark_held_locks+0xaf/0x100
[ 23.391432]  ? __raw_spin_lock_init+0x1c/0x100
[ 23.395994]  ? trace_hardirqs_on_caller+0x421/0x5c0
[ 23.400978]  ? do_raw_spin_trylock+0x190/0x190
[ 23.405530]  ? check_noncircular+0x20/0x20
[ 23.409734]  __handle_mm_fault+0x1a0c/0x3ce0
[ 23.414114]  ? __pmd_alloc+0x4e0/0x4e0
[ 23.417973]  ? find_held_lock+0x35/0x1d0
[ 23.422006]  ? handle_mm_fault+0x248/0x8d0
[ 23.426210]  ? lock_downgrade+0x980/0x980
[ 23.430343]  handle_mm_fault+0x334/0x8d0
[ 23.434366]  ? down_read_trylock+0xdb/0x170
[ 23.438653]  ? __do_page_fault+0x32d/0xc90
[ 23.442852]  ? __handle_mm_fault+0x3ce0/0x3ce0
[ 23.447398]  ? vmacache_find+0x5f/0x280
[ 23.451336]  ? vmacache_update+0xfe/0x130
[ 23.455452]  ? find_vma+0x30/0x150
[ 23.458961]  __do_page_fault+0x5c9/0xc90
[ 23.462995]  ? mm_fault_error+0x2c0/0x2c0
[ 23.467112]  ? __free_pages+0xd8/0x150
[ 23.470974]  do_page_fault+0xee/0x720
[ 23.474748]  ? __do_page_fault+0xc90/0xc90
[ 23.478955]  ? syscall_return_slowpath+0x2ad/0x550
[ 23.483848]  ? prepare_exit_to_usermode+0x340/0x340
[ 23.488831]  ? retint_user+0x18/0x18
[ 23.492515]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 23.497332]  page_fault+0x22/0x30
[ 23.500751] RIP: 0033:0x4453e5
[ 23.503907] RSP: 002b:0000000020687000 EFLAGS: 00010217
[ 23.509243] RAX: 0000000000000000 RBX: 0000000000000000 RCX: 00000000004453d9
[ 23.516481] RDX: 0000000020b4c000 RSI: 0000000020687000 RDI: 0000000000000600
[ 23.523725] RBP: 0000000000000000 R08: 00000000207a4f71 R09: 00007f1df5209700
[ 23.530961] R10: 0000000020552ffc R11: 0000000000000202 R12: 0000000000000000
[ 23.538202] R13: 00007ffe34612c6f R14: 00007f1df52099c0 R15: 0000000000000000
[ 23.545460]
[ 23.547054] Allocated by task 3144:
[ 23.550654]  save_stack+0x43/0xd0
[ 23.554078]  kasan_kmalloc+0xad/0xe0
[ 23.557756]  kasan_slab_alloc+0x12/0x20
[ 23.561698]  kmem_cache_alloc+0x12e/0x760
[ 23.565812]  dup_userfaultfd+0x21c/0x890
[ 23.569837]  copy_mm+0xa38/0x1310
[ 23.573260]  copy_process.part.38+0x1eb9/0x4ac0
[ 23.577895]  _do_fork+0x1ef/0xfb0
[ 23.581310]  SyS_clone+0x37/0x50
[ 23.584639]  do_syscall_64+0x26c/0x920
[ 23.588492]  return_from_SYSCALL_64+0x0/0x75
[ 23.592863]
[ 23.594456] Freed by task 3144:
[ 23.597700]  save_stack+0x43/0xd0
[ 23.601127]  kasan_slab_free+0x71/0xc0
[ 23.604987]  kmem_cache_free+0x77/0x280
[ 23.608927]  userfaultfd_ctx_put+0x50c/0x740
[ 23.613298]  userfaultfd_event_wait_completion+0x86d/0xae0
[ 23.618885]  dup_userfaultfd_complete+0x2de/0x480
[ 23.623690]  copy_mm+0xe9b/0x1310
[ 23.627105]  copy_process.part.38+0x1eb9/0x4ac0
[ 23.631736]  _do_fork+0x1ef/0xfb0
[ 23.635152]  SyS_clone+0x37/0x50
[ 23.638482]  do_syscall_64+0x26c/0x920
[ 23.642341]  return_from_SYSCALL_64+0x0/0x75
[ 23.646710]
[ 23.648303] The buggy address belongs to the object at ffff8801ca8e8c40
[ 23.648303]  which belongs to the cache userfaultfd_ctx_cache of size 360
[ 23.661791] The buggy address is located 352 bytes inside of
[ 23.661791]  360-byte region [ffff8801ca8e8c40, ffff8801ca8e8da8)
[ 23.673627] The buggy address belongs to the page:
[ 23.678522] page:000000002fbb7edc count:1 mapcount:0 mapping:00000000dcc89141 index:0xffff8801ca8e8ff7
[ 23.687937] flags: 0x2fffc0000000100(slab)
[ 23.692141] raw: 02fffc0000000100 ffff8801ca8e8000 ffff8801ca8e8ff7 0000000100000009
[ 23.699988] raw: ffff8801d6af2648 ffff8801d6af2648 ffff8801d6af4dc0 0000000000000000
[ 23.707831] page dumped because: kasan: bad access detected
[ 23.713503]
[ 23.715097] Memory state around the buggy address:
[ 23.719990]  ffff8801ca8e8c80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 23.727313]  ffff8801ca8e8d00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 23.734636] >ffff8801ca8e8d80: fb fb fb fb fb fc fc fc fc fc fc fc fc fc fc fc
[ 23.741958]                                ^
[ 23.746335]  ffff8801ca8e8e00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 23.753659]  ffff8801ca8e8e80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 23.760978] ==================================================================
[ 23.768296] Disabling lock debugging due to kernel taint
[ 23.773779] Kernel panic - not syncing: panic_on_warn set ...
[ 23.773779]
[ 23.781107] CPU: 0 PID: 3146 Comm: syzkaller598684 Tainted: G B 4.15.0-rc4+ #227
[ 23.789819] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 23.799139] Call Trace:
[ 23.801696]  dump_stack+0x194/0x257
[ 23.805288]  ? arch_local_irq_restore+0x53/0x53
[ 23.809923]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 23.814640]  ? vsnprintf+0x1ed/0x1900
[ 23.818405]  ? handle_userfault+0x2160/0x24c0
[ 23.822866]  panic+0x1e4/0x41c
[ 23.826020]  ? refcount_error_report+0x214/0x214
[ 23.830738]  ? add_taint+0x1c/0x50
[ 23.834242]  ? add_taint+0x1c/0x50
[ 23.837747]  ? handle_userfault+0x21c1/0x24c0
[ 23.842207]  kasan_end_report+0x50/0x50
[ 23.846144]  kasan_report+0x144/0x340
[ 23.849924]  __asan_report_load8_noabort+0x14/0x20
[ 23.854816]  handle_userfault+0x21c1/0x24c0
[ 23.859101]  ? __lock_is_held+0xb6/0x140
[ 23.863133]  ? userfaultfd_ioctl+0x4520/0x4520
[ 23.867678]  ? debug_check_no_locks_freed+0x3c0/0x3c0
[ 23.872834]  ? rcu_read_lock_sched_held+0x108/0x120
[ 23.877815]  ? __alloc_pages_nodemask+0xadb/0xd80
[ 23.882622]  ? __alloc_pages_slowpath+0x2d00/0x2d00
[ 23.887602]  ? depot_save_stack+0x3b5/0x490
[ 23.891889]  ? save_stack+0xa3/0xd0
[ 23.895479]  ? save_stack+0x43/0xd0
[ 23.899079]  ? kasan_kmalloc+0xad/0xe0
[ 23.902927]  ? kasan_slab_alloc+0x12/0x20
[ 23.907038]  ? kmem_cache_alloc+0x12e/0x760
[ 23.911321]  ? ptlock_alloc+0x24/0x70
[ 23.915085]  ? pte_alloc_one+0x59/0x100
[ 23.919023]  ? do_huge_pmd_anonymous_page+0xc23/0x1b00
[ 23.924262]  ? handle_mm_fault+0x334/0x8d0
[ 23.928459]  ? __do_page_fault+0x5c9/0xc90
[ 23.932658]  ? do_page_fault+0xee/0x720
[ 23.936595]  ? page_fault+0x22/0x30
[ 23.940188]  ? check_noncircular+0x20/0x20
[ 23.944385]  ? check_noncircular+0x20/0x20
[ 23.948582]  ? alloc_pages_current+0xbe/0x1e0
[ 23.953043]  ? mm_get_huge_zero_page+0x12c/0x400
[ 23.957764]  ? find_held_lock+0x35/0x1d0
[ 23.961791]  ? do_huge_pmd_anonymous_page+0xe1f/0x1b00
[ 23.967033]  ? lock_downgrade+0x980/0x980
[ 23.971154]  ? lock_release+0xa40/0xa40
[ 23.975099]  ? trace_hardirqs_on_caller+0x421/0x5c0
[ 23.980079]  ? do_raw_spin_trylock+0x190/0x190
[ 23.984626]  ? lockdep_init_map+0x9/0x10
[ 23.988653]  do_huge_pmd_anonymous_page+0xe2c/0x1b00
[ 23.993720]  ? kasan_slab_alloc+0x12/0x20
[ 23.997831]  ? ptlock_alloc+0x24/0x70
[ 24.001594]  ? pte_alloc_one+0x59/0x100
[ 24.005542]  ? __thp_get_unmapped_area+0x130/0x130
[ 24.010433]  ? __lock_acquire+0x664/0x3e00
[ 24.014639]  ? __lock_acquire+0x664/0x3e00
[ 24.018840]  ? check_noncircular+0x20/0x20
[ 24.023040]  ? check_noncircular+0x20/0x20
[ 24.027243]  ? debug_check_no_locks_freed+0x3c0/0x3c0
[ 24.032396]  ? debug_check_no_locks_freed+0x3c0/0x3c0
[ 24.037568]  ? find_held_lock+0x35/0x1d0
[ 24.041602]  ? __handle_mm_fault+0x2330/0x3ce0
[ 24.046160]  ? lock_downgrade+0x980/0x980
[ 24.050270]  ? mark_held_locks+0xaf/0x100
[ 24.054391]  ? __raw_spin_lock_init+0x1c/0x100
[ 24.058940]  ? trace_hardirqs_on_caller+0x421/0x5c0
[ 24.063923]  ? do_raw_spin_trylock+0x190/0x190
[ 24.068468]  ? check_noncircular+0x20/0x20
[ 24.072670]  __handle_mm_fault+0x1a0c/0x3ce0
[ 24.077048]  ? __pmd_alloc+0x4e0/0x4e0
[ 24.080902]  ? find_held_lock+0x35/0x1d0
[ 24.084932]  ? handle_mm_fault+0x248/0x8d0
[ 24.089130]  ? lock_downgrade+0x980/0x980
[ 24.093251]  handle_mm_fault+0x334/0x8d0
[ 24.097275]  ? down_read_trylock+0xdb/0x170
[ 24.101561]  ? __do_page_fault+0x32d/0xc90
[ 24.105759]  ? __handle_mm_fault+0x3ce0/0x3ce0
[ 24.110304]  ? vmacache_find+0x5f/0x280
[ 24.114243]  ? vmacache_update+0xfe/0x130
[ 24.118356]  ? find_vma+0x30/0x150
[ 24.121861]  __do_page_fault+0x5c9/0xc90
[ 24.125891]  ? mm_fault_error+0x2c0/0x2c0
[ 24.130006]  ? __free_pages+0xd8/0x150
[ 24.133860]  do_page_fault+0xee/0x720
[ 24.137627]  ? __do_page_fault+0xc90/0xc90
[ 24.141831]  ? syscall_return_slowpath+0x2ad/0x550
[ 24.146725]  ? prepare_exit_to_usermode+0x340/0x340
[ 24.151707]  ? retint_user+0x18/0x18
[ 24.155386]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 24.160195]  page_fault+0x22/0x30
[ 24.163610] RIP: 0033:0x4453e5
[ 24.166762] RSP: 002b:0000000020687000 EFLAGS: 00010217
[ 24.172088] RAX: 0000000000000000 RBX: 0000000000000000 RCX: 00000000004453d9
[ 24.179322] RDX: 0000000020b4c000 RSI: 0000000020687000 RDI: 0000000000000600
[ 24.186563] RBP: 0000000000000000 R08: 00000000207a4f71 R09: 00007f1df5209700
[ 24.193799] R10: 0000000020552ffc R11: 0000000000000202 R12: 0000000000000000
[ 24.201034] R13: 00007ffe34612c6f R14: 00007f1df52099c0 R15: 0000000000000000
[ 24.208648] Dumping ftrace buffer:
[ 24.212149]    (ftrace buffer empty)
[ 24.215824] Kernel Offset: disabled
[ 24.219415] Rebooting in 86400 seconds..
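A small triage parser for a report of this shape, added here as an example; it is not part of the syzbot log above nor of syzkaller itself. It strips the console timestamps, pulls out the faulting access, the object and the allocation and free stacks, decodes the shadow byte under the caret, and cross-checks the numbers KASAN prints against each other. The text embedded as SAMPLE_REPORT is a constructed excerpt of the log above (most of the "? " frames dropped to keep it short); the shadow-byte table is the generic KASAN encoding from mm/kasan/kasan.h of the v4.15 kernel this report was produced on, and the list of "noise" frames is a judgement call, not anything the kernel defines.

```python
import re

# Constructed sample: an excerpt of the syzbot console log above, console
# timestamps kept and most of the "? " (unreliable) frames dropped for brevity.
SAMPLE_REPORT = """\
[   23.117396] BUG: KASAN: use-after-free in handle_userfault+0x21c1/0x24c0
[   23.124204] Read of size 8 at addr ffff8801ca8e8da0 by task syzkaller598684/3146
[   23.150045] Call Trace:
[   23.152615]  dump_stack+0x194/0x257
[   23.169346]  ? handle_userfault+0x21c1/0x24c0
[   23.186851]  __asan_report_load8_noabort+0x14/0x20
[   23.191745]  handle_userfault+0x21c1/0x24c0
[   23.325702]  do_huge_pmd_anonymous_page+0xe2c/0x1b00
[   23.500751] RIP: 0033:0x4453e5
[   23.545460]
[   23.547054] Allocated by task 3144:
[   23.550654]  save_stack+0x43/0xd0
[   23.561698]  kmem_cache_alloc+0x12e/0x760
[   23.565812]  dup_userfaultfd+0x21c/0x890
[   23.592863]
[   23.594456] Freed by task 3144:
[   23.597700]  save_stack+0x43/0xd0
[   23.604987]  kmem_cache_free+0x77/0x280
[   23.608927]  userfaultfd_ctx_put+0x50c/0x740
[   23.646710]
[   23.648303] The buggy address belongs to the object at ffff8801ca8e8c40
[   23.648303]  which belongs to the cache userfaultfd_ctx_cache of size 360
[   23.661791] The buggy address is located 352 bytes inside of
[   23.715097] Memory state around the buggy address:
[   23.734636] >ffff8801ca8e8d80: fb fb fb fb fb fc fc fc fc fc fc fc fc fc fc fc
[   23.741958]                                ^
"""

TS_RE = re.compile(r"^\[\s*\d+\.\d+\]\s?")        # "[   23.117396] " console prefix
BUG_RE = re.compile(r"BUG: KASAN: ([\w-]+) in (\S+)")
ACCESS_RE = re.compile(r"(Read|Write) of size (\d+) at addr ([0-9a-f]+) by task (\S+)/(\d+)")
STACK_RE = re.compile(r"(Allocated|Freed) by task (\d+):")
OBJ_RE = re.compile(r"The buggy address belongs to the object at ([0-9a-f]+)")
CACHE_RE = re.compile(r"\s*which belongs to the cache (\S+) of size (\d+)")
OFFSET_RE = re.compile(r"The buggy address is located (\d+) bytes inside of")
SHADOW_RE = re.compile(r">([0-9a-f]{16}): ([0-9a-f ]+)$")   # '>' marks the line holding addr

# Shadow-byte encodings of generic KASAN (mm/kasan/kasan.h, v4.15); 1..7 = partial granule.
SHADOW_MEANING = {0x00: "addressable", 0xfb: "freed heap object (KASAN_KMALLOC_FREE)",
                  0xfc: "heap redzone (KASAN_KMALLOC_REDZONE)", 0xfa: "global redzone",
                  0xfe: "page redzone", 0xff: "freed page"}
# Frames that are sanitizer/allocator plumbing, never the site of interest (our own choice).
NOISE = ("dump_stack", "print_address_description", "kasan_", "__asan_",
         "save_stack", "depot_save_stack", "kmem_cache_", "__kmalloc", "kmalloc")

def parse_kasan(text):
    """Extract the triage-relevant fields of the first KASAN report in text."""
    r = {"call_trace": [], "alloc_stack": [], "free_stack": []}
    section = None
    for raw in text.splitlines():
        ln = TS_RE.sub("", raw).rstrip()
        if m := BUG_RE.match(ln):
            r["bug"], r["func"] = m.groups()
        elif m := ACCESS_RE.match(ln):
            kind, size, addr, comm, pid = m.groups()
            r.update(access=kind.lower(), size=int(size), addr=int(addr, 16),
                     comm=comm, pid=int(pid))
        elif ln == "Call Trace:" and not r["call_trace"]:
            section = "call_trace"                  # only the report's trace, not the panic's
        elif m := STACK_RE.match(ln):
            section = "alloc_stack" if m.group(1) == "Allocated" else "free_stack"
            r[section[:-6] + "_pid"] = int(m.group(2))
        elif m := OBJ_RE.match(ln):
            r["obj"] = int(m.group(1), 16)
        elif m := CACHE_RE.match(ln):
            r["cache"], r["obj_size"] = m.group(1), int(m.group(2))
        elif m := OFFSET_RE.match(ln):
            r["offset"] = int(m.group(1))
        elif m := SHADOW_RE.match(ln):
            # 16 shadow bytes per line, one per 8-byte granule: pick the granule of addr.
            granules = [int(b, 16) for b in m.group(2).split()]
            r["shadow"] = granules[(r["addr"] - int(m.group(1), 16)) // 8]
        elif section and ln.startswith(" "):
            r[section].append(ln.strip())          # a leading "? " marks an unreliable frame
        else:
            section = None                          # blank or non-frame line ends a stack
    return r

def sym(frame):
    """'handle_userfault+0x21c1/0x24c0' -> 'handle_userfault'."""
    return re.sub(r"\+0x[0-9a-f]+/0x[0-9a-f]+$", "", frame)

def first_real_frame(stack):
    """First reliable frame that is not sanitizer or allocator plumbing."""
    return next((f for f in stack
                 if not f.startswith("? ") and not sym(f).startswith(NOISE)), None)

def shadow_meaning(b):
    return SHADOW_MEANING.get(b, "%d addressable bytes" % b if b < 8 else "unknown 0x%02x" % b)

def consistency_checks(r):
    """Cross-check the numbers KASAN prints against each other."""
    return {"addr_is_obj_plus_offset": r["obj"] + r["offset"] == r["addr"],
            "access_inside_object": r["offset"] + r["size"] <= r["obj_size"],
            "shadow_marks_freed": r.get("shadow") == 0xfb,
            "alloc_and_free_same_task": r["alloc_pid"] == r["free_pid"]}

def title(r):
    """syzbot-style title, handy for bucketing duplicate reports."""
    return "KASAN: %s %s in %s" % (r["bug"], r["access"].capitalize(), sym(r["func"]))
```

Running `parse_kasan(SAMPLE_REPORT)` and feeding the result to `title`, `first_real_frame` and `consistency_checks` gives "KASAN: use-after-free Read in handle_userfault", the crash site handle_userfault, the allocation site dup_userfaultfd, the free site userfaultfd_ctx_put, and all four checks true. Those checks are the ones worth doing by hand on any use-after-free report: the faulting address must equal object base plus offset (ffff8801ca8e8c40 + 352 = ffff8801ca8e8da0), the access must not run past the object (352 + 8 = 360, so this is a read of the last 8 bytes of a 360-byte userfaultfd_ctx), the shadow byte under the caret must be 0xfb (freed) rather than 0xfc (a redzone, which would mean an overflow instead), and the alloc and free stacks must be read together: here the same task 3144 allocates in dup_userfaultfd and frees in userfaultfd_ctx_put via dup_userfaultfd_complete, both inside copy_mm of one clone() call, while the use is a page fault in task 3146. The "? " frames are addresses the unwinder found on the stack but could not confirm as live return addresses, so the helpers skip them when picking a site.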