[....] Starting file context maintaining daemon: restorecond[?25l[?1c7[ ok 8[?25h[?0c.
[....] Starting OpenBSD Secure Shell server: sshd[   16.874093] random: sshd: uninitialized urandom read (32 bytes read, 32 bits of entropy available)
[?25l[?1c7[ ok 8[?25h[?0c.

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [   21.341742] random: sshd: uninitialized urandom read (32 bytes read, 37 bits of entropy available)
[   21.835793] random: sshd: uninitialized urandom read (32 bytes read, 38 bits of entropy available)
[   22.755419] random: sshd: uninitialized urandom read (32 bytes read, 117 bits of entropy available)
[   22.924589] random: sshd: uninitialized urandom read (32 bytes read, 121 bits of entropy available)
Warning: Permanently added '10.128.0.14' (ECDSA) to the list of known hosts.
[   28.335621] random: nonblocking pool is initialized
executing program
[   28.458051] ==================================================================
[   28.465453] BUG: KASAN: use-after-free in __lock_acquire+0x387e/0x4b50
[   28.472093] Read of size 8 at addr ffff8801d0412fb8 by task syzkaller073170/3324
[   28.479589] 
[   28.481184] CPU: 0 PID: 3324 Comm: syzkaller073170 Not tainted 4.4.111-gf851888 #16
[   28.488941] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   28.498264]  0000000000000000 3e8c6184e6a857b7 ffff8801d16f7850 ffffffff81d0507d
[   28.506219]  ffffea0007410480 ffff8801d0412fb8 0000000000000000 ffff8801d0412fb8
[   28.514166]  0000000000000000 ffff8801d16f7888 ffffffff814fd433 ffff8801d0412fb8
[   28.522111] Call Trace:
[   28.524664]  [<ffffffff81d0507d>] dump_stack+0xc1/0x124
[   28.529993]  [<ffffffff814fd433>] print_address_description+0x73/0x260
[   28.536625]  [<ffffffff814fd945>] kasan_report+0x285/0x370
[   28.542219]  [<ffffffff81239cae>] ? __lock_acquire+0x387e/0x4b50
[   28.548327]  [<ffffffff814fdaa4>] __asan_report_load8_noabort+0x14/0x20
[   28.555043]  [<ffffffff81239cae>] __lock_acquire+0x387e/0x4b50
[   28.560978]  [<ffffffff81236f8f>] ? __lock_acquire+0xb5f/0x4b50
[   28.567006]  [<ffffffff81236430>] ? debug_check_no_locks_freed+0x2c0/0x2c0
[   28.573983]  [<ffffffff81235bfb>] ? trace_hardirqs_on_caller+0x38b/0x590
[   28.581309]  [<ffffffff81236430>] ? debug_check_no_locks_freed+0x2c0/0x2c0
[   28.590944]  [<ffffffff81236430>] ? debug_check_no_locks_freed+0x2c0/0x2c0
[   28.597928]  [<ffffffff8123c7ee>] lock_acquire+0x15e/0x460
[   28.603524]  [<ffffffff8121f194>] ? remove_wait_queue+0x14/0x40
[   28.609548]  [<ffffffff8377544e>] _raw_spin_lock_irqsave+0x4e/0x70
[   28.617481]  [<ffffffff8121f194>] ? remove_wait_queue+0x14/0x40
[   28.624979]  [<ffffffff8121f194>] remove_wait_queue+0x14/0x40
[   28.630830]  [<ffffffff815f6838>] ep_unregister_pollwait.isra.6+0xa8/0x220
[   28.637812]  [<ffffffff815f68a4>] ? ep_unregister_pollwait.isra.6+0x114/0x220
[   28.645051]  [<ffffffff815f7690>] ? ep_free+0x1c0/0x1c0
[   28.650379]  [<ffffffff815f7563>] ep_free+0x93/0x1c0
[   28.655447]  [<ffffffff815f7690>] ? ep_free+0x1c0/0x1c0
[   28.660775]  [<ffffffff815f76d4>] ep_eventpoll_release+0x44/0x60
[   28.666888]  [<ffffffff81522a73>] __fput+0x233/0x6d0
[   28.671963]  [<ffffffff81522f95>] ____fput+0x15/0x20
[   28.677039]  [<ffffffff8118bae4>] task_work_run+0x104/0x180
[   28.683070]  [<ffffffff81132eb1>] do_exit+0x871/0x2a20
[   28.690057]  [<ffffffff814a0e1d>] ? handle_mm_fault+0x192d/0x3190
[   28.696514]  [<ffffffff8149f8e2>] ? handle_mm_fault+0x3f2/0x3190
[   28.702623]  [<ffffffff81132640>] ? release_task+0x1240/0x1240
[   28.708561]  [<ffffffff81139328>] do_group_exit+0x108/0x320
[   28.714236]  [<ffffffff8113955d>] SyS_exit_group+0x1d/0x20
[   28.719823]  [<ffffffff81139540>] ? do_group_exit+0x320/0x320
[   28.726108]  [<ffffffff81006d84>] do_fast_syscall_32+0x314/0x890
[   28.734580]  [<ffffffff837771ea>] sysenter_flags_fixed+0xd/0x17
[   28.742423] 
[   28.744016] Allocated by task 3324:
[   28.747603]  [<ffffffff81035d26>] save_stack_trace+0x26/0x50
[   28.753479]  [<ffffffff814fc4a3>] save_stack+0x43/0xd0
[   28.758833]  [<ffffffff814fc76d>] kasan_kmalloc+0xad/0xe0
[   28.764447]  [<ffffffff814f86e0>] kmem_cache_alloc_trace+0x100/0x2b0
[   28.771019]  [<ffffffff82c7ec31>] binder_get_thread+0x181/0x7a0
[   28.777155]  [<ffffffff82c7f29a>] binder_poll+0x4a/0x210
[   28.782686]  [<ffffffff815fa6c1>] SyS_epoll_ctl+0x10b1/0x2050
[   28.790304]  [<ffffffff81006d84>] do_fast_syscall_32+0x314/0x890
[   28.797056]  [<ffffffff837771ea>] sysenter_flags_fixed+0xd/0x17
[   28.803199] 
[   28.804792] Freed by task 3324:
[   28.808030]  [<ffffffff81035d26>] save_stack_trace+0x26/0x50
[   28.813903]  [<ffffffff814fc4a3>] save_stack+0x43/0xd0
[   28.819259]  [<ffffffff814fcdc2>] kasan_slab_free+0x72/0xc0
[   28.825042]  [<ffffffff814f984c>] kfree+0xfc/0x300
[   28.830048]  [<ffffffff82c78181>] binder_thread_dec_tmpref+0x1c1/0x250
[   28.836794]  [<ffffffff82c78cbd>] binder_thread_release+0x27d/0x540
[   28.843277]  [<ffffffff82c93924>] binder_ioctl+0xb94/0x12e0
[   28.849069]  [<ffffffff8161e0ba>] compat_SyS_ioctl+0x28a/0x2540
[   28.855205]  [<ffffffff81006d84>] do_fast_syscall_32+0x314/0x890
[   28.861427]  [<ffffffff837771ea>] sysenter_flags_fixed+0xd/0x17
[   28.867565] 
[   28.869167] The buggy address belongs to the object at ffff8801d0412f00
[   28.869167]  which belongs to the cache kmalloc-512 of size 512
[   28.881792] The buggy address is located 184 bytes inside of
[   28.881792]  512-byte region [ffff8801d0412f00, ffff8801d0413100)
[   28.894006] The buggy address belongs to the page:
[   29.332570] SELinux:  Invalid class 0
[   29.336568] ------------[ cut here ]------------
[   29.341312] kernel BUG at security/selinux/avc.c:119!
[   29.346526] invalid opcode: 0000 [#1] PREEMPT SMP KASAN
[   29.352389] Dumping ftrace buffer:
[   29.355921]    (ftrace buffer empty)
[   29.359622] Modules linked in:
[   29.362933] CPU: 1 PID: 1734 Comm: udevd Not tainted 4.4.111-gf851888 #16
[   29.369851] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   29.379200] task: ffff8801d3ac0000 task.stack: ffff8801d3ac8000
[   29.385248] RIP: 0010:[<ffffffff81b498df>]  [<ffffffff81b498df>] avc_audit_pre_callback+0x25f/0x2b0
[   29.394583] RSP: 0018:ffff8801d3acf3d8  EFLAGS: 00010293
[   29.400026] RAX: ffff8801d3ac0000 RBX: 0000000000000000 RCX: ffffffff81b498df
[   29.407295] RDX: 0000000000000000 RSI: 000000000000000d RDI: ffff8801d3acf660
[   29.414560] RBP: ffff8801d3acf410 R08: ffffed003a0ab887 R09: ffffed003a0ab887
[   29.421822] R10: 0000000000000001 R11: ffffed003a0ab886 R12: ffffffff839c6cc0
[   29.429080] R13: 0000000000400000 R14: ffffffff81b49280 R15: ffffffff81b49680
[   29.436344] FS:  00007f1599d127a0(0000) GS:ffff8801db300000(0000) knlGS:0000000000000000
[   29.444563] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[   29.450442] CR2: 00005642386330d0 CR3: 00000001d3ab6000 CR4: 0000000000160670
[   29.457728] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[   29.464996] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[   29.472255] Stack:
[   29.474391]  ffff8801d85fc600 08a85c184676e5c3 1ffff1003a759e88 ffff8801d3acf790
[   29.482428]  ffff8801d85fc600 ffffffff81b49280 ffffffff81b49680 ffff8801d3acf610
[   29.490457]  ffffffff81bad348 ffff8801d3acf4a8 0000000000000046 0000000000000000
[   29.501280] Call Trace:
[   29.504295]  [<ffffffff81b49280>] ? securityfs_remove+0x260/0x260
[   29.510525]  [<ffffffff81b49680>] ? avc_audit_post_callback+0x400/0x400
[   29.519039]  [<ffffffff81bad348>] common_lsm_audit+0x128/0x1a40
[   29.526420]  [<ffffffff81d67d0a>] ? debug_object_active_state+0xfa/0x420
[   29.533891]  [<ffffffff81bad220>] ? ipv6_skb_to_auditdata+0xd80/0xd80
[   29.542310]  [<ffffffff81d67ec4>] ? debug_object_active_state+0x2b4/0x420
[   29.549985]  [<ffffffff83774e35>] ? _raw_spin_unlock_irqrestore+0x45/0x70
[   29.557921]  [<ffffffff81d67ec4>] ? debug_object_active_state+0x2b4/0x420
[   29.564846]  [<ffffffff81d67c10>] ? debug_object_assert_init+0x360/0x360
[   29.571837]  [<ffffffff81d64e7b>] ? check_preemption_disabled+0x3b/0x200
[   29.578672]  [<ffffffff8122decd>] ? trace_hardirqs_off+0xd/0x10
[   29.585173]  [<ffffffff812931d3>] ? __call_rcu.constprop.69+0x223/0x930
[   29.591933]  [<ffffffff81b4ab9e>] ? avc_update_node+0x8e/0xa40
[   29.597915]  [<ffffffff81b4c0a1>] slow_avc_audit+0x181/0x210
[   29.603717]  [<ffffffff81b4bf20>] ? avc_get_hash_stats+0x230/0x230
[   29.610038]  [<ffffffff81b56eec>] audit_inode_permission+0x1ec/0x310
[   29.617308]  [<ffffffff81b56d00>] ? selinux_cred_prepare+0xa0/0xa0
[   29.624861]  [<ffffffff8376c8c4>] ? mutex_lock_nested+0x5d4/0x850
[   29.631098]  [<ffffffff81b58440>] selinux_inode_permission+0x3f0/0x4b0
[   29.637767]  [<ffffffff81b58050>] ? selinux_bprm_committed_creds+0x440/0x440
[   29.644949]  [<ffffffff81b442df>] security_inode_permission+0xaf/0xf0
[   29.651532]  [<ffffffff8153b8e3>] __inode_permission2+0x93/0x240
[   29.657685]  [<ffffffff8153baef>] inode_permission2+0x2f/0x100
[   29.663649]  [<ffffffff815481e8>] link_path_walk+0x8a8/0x16e0
[   29.669528]  [<ffffffff81547940>] ? walk_component+0xff0/0xff0
[   29.675494]  [<ffffffff8122ad8a>] ? __mutex_init+0xca/0x100
[   29.681215]  [<ffffffff8154b7fd>] path_openat+0x22d/0x3b60
[   29.686838]  [<ffffffff8154b5d0>] ? path_mountpoint+0x830/0x830
[   29.692891]  [<ffffffff8154f66b>] ? getname_flags+0xcb/0x580
[   29.701027]  [<ffffffff8154fb39>] ? getname+0x19/0x20
[   29.706911]  [<ffffffff8151b615>] ? do_sys_open+0x205/0x4b0
[   29.713315]  [<ffffffff8151b8ed>] ? SyS_open+0x2d/0x40
[   29.719291]  [<ffffffff83775859>] ? entry_SYSCALL_64_fastpath+0x16/0x92
[   29.726053]  [<ffffffff81236430>] ? debug_check_no_locks_freed+0x2c0/0x2c0
[   29.733073]  [<ffffffff8122f161>] ? __lock_is_held+0xa1/0xf0
[   29.738878]  [<ffffffff81551db7>] do_filp_open+0x197/0x290
[   29.744504]  [<ffffffff81551c20>] ? user_path_mountpoint_at+0x40/0x40
[   29.751172]  [<ffffffff83774d3c>] ? _raw_spin_unlock+0x2c/0x50
[   29.757138]  [<ffffffff81579323>] ? __alloc_fd+0x1e3/0x500
[   29.762760]  [<ffffffff8151b753>] do_sys_open+0x343/0x4b0
[   29.768295]  [<ffffffff8151b410>] ? filp_open+0x70/0x70
[   29.773655]  [<ffffffff81520c40>] ? SyS_read+0x1b0/0x1b0
[   29.779114]  [<ffffffff8151b8ed>] SyS_open+0x2d/0x40
[   29.784218]  [<ffffffff83775859>] entry_SYSCALL_64_fastpath+0x16/0x92
[   29.790782] Code: ea 48 c7 c6 40 6e 9c 83 e8 4f 07 7f ff eb ad e8 b8 65 81 ff 48 8b 7d c8 48 c7 c6 80 6d 9c 83 e8 38 07 7f ff eb ab e8 a1 65 81 ff <0f> 0b e8 6a 41 9b ff e9 c2 fe ff ff 48 89 df e8 9d 41 9b ff e9 
[   29.817930] RIP  [<ffffffff81b498df>] avc_audit_pre_callback+0x25f/0x2b0
[   29.825067]  RSP <ffff8801d3acf3d8>
[   29.828846] ---[ end trace 38b944db3c1cb7b6 ]---
[   29.833680] Kernel panic - not syncing: Fatal exception
[   30.682293] PANIC: double fault, error_code: 0x0
[   30.687063] CPU: 0 PID: 3324 Comm: syzkaller073170 Tainted: G      D         4.4.111-gf851888 #16
[   30.696040] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   30.705363] task: ffff8801d1dc8000 task.stack: ffff8801d16f0000
[   30.711393] RIP: 0010:[<ffffffff8148f81a>]  [<ffffffff8148f81a>] dump_page_badflags+0x1a/0x250
[   30.720235] RSP: 0018:ffff880100000000  EFLAGS: 00010086
[   30.725650] RAX: ffff8801d1dc8000 RBX: ffffea0007410480 RCX: ffffffff8148f980
[   30.732888] RDX: 0000000000000000 RSI: ffffffff838a83a0 RDI: ffffea0007410480
[   30.740136] RBP: ffff880100000030 R08: 0000000000000001 R09: 0000000000000000
[   30.749111] R10: 0000000000000002 R11: fffffbfff0ad781e R12: 0000000000000000
[   30.756350] R13: ffffffff838a83a0 R14: 0000000000000000 R15: 0000000000000000
[   30.763596] FS:  0000000000000000(0000) GS:ffff8801db200000(0000) knlGS:0000000000000000
[   30.771791] CS:  0010 DS: 002b ES: 002b CR0: 0000000080050033
[   30.777647] CR2: ffff8800fffffff8 CR3: 000000000420c000 CR4: 0000000000160670
[   30.784886] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[   30.792124] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[   30.799361] Stack:
[   30.801475] 
[   30.803069] Call Trace:
[   30.805890]  <UNK> 
[   30.808524] Code: e2 06 00 e9 1d fd ff ff 66 0f 1f 84 00 00 00 00 00 55 48 89 e5 41 57 41 56 41 55 49 89 f5 41 54 49 89 d4 53 48 89 fb 48 83 ec 08 <e8> 61 06 ed ff 48 8d 7b 10 48 b8 00 00 00 00 00 fc ff df 48 89 
[   30.963061] Shutting down cpus with NMI
[   30.967443] Dumping ftrace buffer:
[   30.970950]    (ftrace buffer empty)
[   30.974631] Kernel Offset: disabled
[   30.978222] Rebooting in 86400 seconds..