[....] Starting enhanced syslogd: rsyslogd[ 13.077917] audit: type=1400 audit(1517220821.638:5): avc: denied { syslog } for pid=3535 comm="rsyslogd" capability=34 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=capability2 permissive=1 [ ok ]. [....] Starting periodic command scheduler: cron [ ok ]. Starting mcstransd: [....] Starting file context maintaining daemon: restorecond [ ok ]. [....] Starting OpenBSD Secure Shell server: sshd [ ok ]. Debian GNU/Linux 7 syzkaller ttyS0 syzkaller login: [ 17.725868] audit: type=1400 audit(1517220826.286:6): avc: denied { map } for pid=3675 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1 Warning: Permanently added '10.128.15.234' (ECDSA) to the list of known hosts. executing program [ 28.661040] audit: type=1400 audit(1517220837.221:7): avc: denied { map } for pid=3690 comm="syzkaller052040" path="/root/syzkaller052040877" dev="sda1" ino=16481 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1 [ 28.666759] ================================================================== [ 28.666773] BUG: KASAN: use-after-free in __lock_acquire+0x3d4d/0x3e00 [ 28.666778] Read of size 8 at addr ffff8801bb97d0f0 by task syzkaller052040/3690 [ 28.666779] [ 28.666786] CPU: 0 PID: 3690 Comm: syzkaller052040 Not tainted 4.15.0-rc9+ #194 [ 28.666789] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 28.666791] Call Trace: [ 28.666801] dump_stack+0x194/0x257 [ 28.666808] ? arch_local_irq_restore+0x53/0x53 [ 28.666815] ? show_regs_print_info+0x18/0x18 [ 28.666821] ? print_irqtrace_events+0x270/0x270 [ 28.666827] ? __lock_acquire+0x664/0x3e00 [ 28.666834] ? 
__lock_acquire+0x3d4d/0x3e00 [ 28.666842] print_address_description+0x73/0x250 [ 28.666848] ? __lock_acquire+0x3d4d/0x3e00 [ 28.666854] kasan_report+0x25b/0x340 [ 28.666863] __asan_report_load8_noabort+0x14/0x20 [ 28.666868] __lock_acquire+0x3d4d/0x3e00 [ 28.666874] ? __lock_acquire+0x664/0x3e00 [ 28.666880] ? lock_downgrade+0x980/0x980 [ 28.666885] ? lock_downgrade+0x980/0x980 [ 28.666897] ? print_irqtrace_events+0x270/0x270 [ 28.666904] ? remove_wait_queue+0x81/0x350 [ 28.666913] ? debug_check_no_locks_freed+0x3c0/0x3c0 [ 28.666920] ? __lock_acquire+0x664/0x3e00 [ 28.666925] ? check_noncircular+0x20/0x20 [ 28.666938] ? debug_check_no_locks_freed+0x3c0/0x3c0 [ 28.666945] ? lock_acquire+0x1d5/0x580 [ 28.666950] ? lock_acquire+0x1d5/0x580 [ 28.666957] ? ep_free+0xf4/0x320 [ 28.666965] ? lock_release+0xa40/0xa40 [ 28.666972] ? trace_event_raw_event_sched_switch+0x800/0x800 [ 28.666977] ? print_irqtrace_events+0x270/0x270 [ 28.666983] ? print_irqtrace_events+0x270/0x270 [ 28.666991] ? rcu_note_context_switch+0x710/0x710 [ 28.666998] ? __might_sleep+0x95/0x190 [ 28.667008] ? ep_free+0xf4/0x320 [ 28.667015] ? __mutex_lock+0x16f/0x1a80 [ 28.667020] ? ep_free+0xf4/0x320 [ 28.667027] ? print_irqtrace_events+0x270/0x270 [ 28.667032] ? ep_free+0xf4/0x320 [ 28.667040] lock_acquire+0x1d5/0x580 [ 28.667046] ? lock_acquire+0x1d5/0x580 [ 28.667051] ? remove_wait_queue+0x81/0x350 [ 28.667060] ? lock_release+0xa40/0xa40 [ 28.667069] ? lock_acquire+0x1d5/0x580 [ 28.667074] ? debug_check_no_locks_freed+0x3c0/0x3c0 [ 28.667079] ? lock_acquire+0x1d5/0x580 [ 28.667086] ? ep_unregister_pollwait.isra.7+0x323/0x590 [ 28.667093] _raw_spin_lock_irqsave+0x96/0xc0 [ 28.667099] ? remove_wait_queue+0x81/0x350 [ 28.667105] remove_wait_queue+0x81/0x350 [ 28.667112] ? depot_save_stack+0x3b5/0x490 [ 28.667119] ? add_wait_queue+0x290/0x290 [ 28.667125] ? rcutorture_record_progress+0x10/0x10 [ 28.667131] ? lock_release+0xa40/0xa40 [ 28.667140] ep_unregister_pollwait.isra.7+0x18c/0x590 [ 28.667148] ? 
__kernel_text_address+0xd/0x40 [ 28.667156] ? clear_tfile_check_list+0x370/0x370 [ 28.667164] ? check_noncircular+0x20/0x20 [ 28.667172] ? locks_remove_file+0x3fa/0x5a0 [ 28.667182] ep_free+0x13f/0x320 [ 28.667188] ? ep_remove+0x800/0x800 [ 28.667194] ? fsnotify_first_mark+0x2b0/0x2b0 [ 28.667201] ? ep_free+0x320/0x320 [ 28.667208] ep_eventpoll_release+0x44/0x60 [ 28.667214] __fput+0x327/0x7e0 [ 28.667223] ? fput+0x140/0x140 [ 28.667229] ? _raw_spin_unlock_irq+0x27/0x70 [ 28.667238] ____fput+0x15/0x20 [ 28.667244] task_work_run+0x199/0x270 [ 28.667252] ? task_work_cancel+0x210/0x210 [ 28.667258] ? _raw_spin_unlock+0x22/0x30 [ 28.667264] ? switch_task_namespaces+0x87/0xc0 [ 28.667272] do_exit+0x9bb/0x1ad0 [ 28.667279] ? __handle_mm_fault+0x2330/0x3ce0 [ 28.667287] ? mm_update_next_owner+0x930/0x930 [ 28.667296] ? do_raw_spin_trylock+0x190/0x190 [ 28.667303] ? trace_event_raw_event_sched_switch+0x800/0x800 [ 28.667309] ? check_noncircular+0x20/0x20 [ 28.667316] ? _raw_spin_unlock+0x22/0x30 [ 28.667322] ? __handle_mm_fault+0x80e/0x3ce0 [ 28.667330] ? check_noncircular+0x20/0x20 [ 28.667335] ? __pmd_alloc+0x4e0/0x4e0 [ 28.667340] ? lock_downgrade+0x980/0x980 [ 28.667348] ? find_held_lock+0x35/0x1d0 [ 28.667357] ? handle_mm_fault+0x248/0x8d0 [ 28.667364] ? find_held_lock+0x35/0x1d0 [ 28.667374] ? __do_page_fault+0x5f7/0xc90 [ 28.667380] ? lock_downgrade+0x980/0x980 [ 28.667389] ? handle_mm_fault+0x410/0x8d0 [ 28.667394] ? down_read_trylock+0xdb/0x170 [ 28.667400] ? __do_page_fault+0x32d/0xc90 [ 28.667406] ? __handle_mm_fault+0x3ce0/0x3ce0 [ 28.667412] ? vmacache_find+0x5f/0x280 [ 28.667420] do_group_exit+0x149/0x400 [ 28.667427] ? __do_page_fault+0x3d6/0xc90 [ 28.667433] ? SyS_exit+0x30/0x30 [ 28.667441] ? do_fast_syscall_32+0x156/0xf9d [ 28.667447] ? do_group_exit+0x400/0x400 [ 28.667454] SyS_exit_group+0x1d/0x20 [ 28.667460] do_fast_syscall_32+0x3ee/0xf9d [ 28.667469] ? do_int80_syscall_32+0x9d0/0x9d0 [ 28.667474] ? kasan_check_read+0x11/0x20 [ 28.667481] ? 
syscall_return_slowpath+0x550/0x550 [ 28.667489] ? SyS_rt_sigaction+0x94/0x1b0 [ 28.667496] ? SyS_sigprocmask+0x4b0/0x4b0 [ 28.667501] ? SyS_read+0x184/0x220 [ 28.667507] ? retint_user+0x18/0x18 [ 28.667515] ? trace_hardirqs_off_thunk+0x1a/0x1c [ 28.667525] entry_SYSENTER_compat+0x54/0x63 [ 28.667529] RIP: 0023:0xf7fe6c79 [ 28.667533] RSP: 002b:00000000ffd48bfc EFLAGS: 00000296 ORIG_RAX: 00000000000000fc [ 28.667539] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00000000080f0298 [ 28.667543] RDX: 0000000000000000 RSI: 00000000080d9ab8 RDI: 00000000080f02a0 [ 28.667546] RBP: 0000000000000001 R08: 0000000000000000 R09: 0000000000000000 [ 28.667549] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000 [ 28.667552] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000 [ 28.667560] [ 28.667563] Allocated by task 3690: [ 28.667569] save_stack+0x43/0xd0 [ 28.667573] kasan_kmalloc+0xad/0xe0 [ 28.667578] kmem_cache_alloc_trace+0x136/0x750 [ 28.667583] binder_get_thread+0x1cf/0x870 [ 28.667587] binder_poll+0x8c/0x390 [ 28.667592] ep_item_poll.isra.10+0xec/0x320 [ 28.667597] ep_insert+0x6a3/0x1b10 [ 28.667602] SyS_epoll_ctl+0x12e4/0x1ab0 [ 28.667607] do_fast_syscall_32+0x3ee/0xf9d [ 28.667613] entry_SYSENTER_compat+0x54/0x63 [ 28.667614] [ 28.667616] Freed by task 3690: [ 28.667620] save_stack+0x43/0xd0 [ 28.667625] kasan_slab_free+0x71/0xc0 [ 28.667629] kfree+0xd6/0x260 [ 28.667635] binder_thread_dec_tmpref+0x27f/0x310 [ 28.667640] binder_thread_release+0x27d/0x540 [ 28.667645] binder_ioctl+0xc02/0x1417 [ 28.667650] compat_SyS_ioctl+0x151/0x2a30 [ 28.667655] do_fast_syscall_32+0x3ee/0xf9d [ 28.667660] entry_SYSENTER_compat+0x54/0x63 [ 28.667661] [ 28.667665] The buggy address belongs to the object at ffff8801bb97d040 [ 28.667665] which belongs to the cache kmalloc-512 of size 512 [ 28.667670] The buggy address is located 176 bytes inside of [ 28.667670] 512-byte region [ffff8801bb97d040, ffff8801bb97d240) [ 28.667672] The buggy address belongs to 
the page: [ 28.667676] page:ffffea0006ee5f40 count:1 mapcount:0 mapping:ffff8801bb97d040 index:0x0 [ 28.667681] flags: 0x2fffc0000000100(slab) [ 28.667690] raw: 02fffc0000000100 ffff8801bb97d040 0000000000000000 0000000100000006 [ 28.667696] raw: ffffea0007657da0 ffffea00076695e0 ffff8801dac00940 0000000000000000 [ 28.667699] page dumped because: kasan: bad access detected [ 28.667700] [ 28.667702] Memory state around the buggy address: [ 28.667706] ffff8801bb97cf80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 28.667711] ffff8801bb97d000: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb [ 28.667715] >ffff8801bb97d080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 28.667717] ^ [ 28.667722] ffff8801bb97d100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 28.667726] ffff8801bb97d180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 28.667727] ================================================================== [ 28.667729] Disabling lock debugging due to kernel taint [ 28.667732] Kernel panic - not syncing: panic_on_warn set ... [ 28.667732] [ 28.667738] CPU: 0 PID: 3690 Comm: syzkaller052040 Tainted: G B 4.15.0-rc9+ #194 [ 28.667741] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 28.667742] Call Trace: [ 28.667748] dump_stack+0x194/0x257 [ 28.667755] ? arch_local_irq_restore+0x53/0x53 [ 28.667761] ? kasan_end_report+0x32/0x50 [ 28.667767] ? lock_downgrade+0x980/0x980 [ 28.667773] ? vsnprintf+0x1ed/0x1900 [ 28.667779] ? __lock_acquire+0x3cd0/0x3e00 [ 28.667785] panic+0x1e4/0x41c [ 28.667790] ? refcount_error_report+0x214/0x214 [ 28.667798] ? add_taint+0x40/0x50 [ 28.667803] ? add_taint+0x1c/0x50 [ 28.667810] ? __lock_acquire+0x3d4d/0x3e00 [ 28.667815] kasan_end_report+0x50/0x50 [ 28.667821] kasan_report+0x144/0x340 [ 28.667829] __asan_report_load8_noabort+0x14/0x20 [ 28.667835] __lock_acquire+0x3d4d/0x3e00 [ 28.667840] ? __lock_acquire+0x664/0x3e00 [ 28.667846] ? lock_downgrade+0x980/0x980 [ 28.667851] ? 
lock_downgrade+0x980/0x980 [ 28.667858] ? print_irqtrace_events+0x270/0x270 [ 28.667863] ? remove_wait_queue+0x81/0x350 [ 28.667872] ? debug_check_no_locks_freed+0x3c0/0x3c0 [ 28.667878] ? __lock_acquire+0x664/0x3e00 [ 28.667884] ? check_noncircular+0x20/0x20 [ 28.667902] ? debug_check_no_locks_freed+0x3c0/0x3c0 [ 28.667909] ? lock_acquire+0x1d5/0x580 [ 28.667915] ? lock_acquire+0x1d5/0x580 [ 28.667920] ? ep_free+0xf4/0x320 [ 28.667928] ? lock_release+0xa40/0xa40 [ 28.667934] ? trace_event_raw_event_sched_switch+0x800/0x800 [ 28.667939] ? print_irqtrace_events+0x270/0x270 [ 28.667945] ? print_irqtrace_events+0x270/0x270 [ 28.667951] ? rcu_note_context_switch+0x710/0x710 [ 28.667959] ? __might_sleep+0x95/0x190 [ 28.667965] ? ep_free+0xf4/0x320 [ 28.667970] ? __mutex_lock+0x16f/0x1a80 [ 28.667975] ? ep_free+0xf4/0x320 [ 28.667982] ? print_irqtrace_events+0x270/0x270 [ 28.667987] ? ep_free+0xf4/0x320 [ 28.667995] lock_acquire+0x1d5/0x580 [ 28.668000] ? lock_acquire+0x1d5/0x580 [ 28.668006] ? remove_wait_queue+0x81/0x350 [ 28.668014] ? lock_release+0xa40/0xa40 [ 28.668023] ? lock_acquire+0x1d5/0x580 [ 28.668029] ? debug_check_no_locks_freed+0x3c0/0x3c0 [ 28.668033] ? lock_acquire+0x1d5/0x580 [ 28.668040] ? ep_unregister_pollwait.isra.7+0x323/0x590 [ 28.668047] _raw_spin_lock_irqsave+0x96/0xc0 [ 28.668053] ? remove_wait_queue+0x81/0x350 [ 28.668059] remove_wait_queue+0x81/0x350 [ 28.668064] ? depot_save_stack+0x3b5/0x490 [ 28.668071] ? add_wait_queue+0x290/0x290 [ 28.668077] ? rcutorture_record_progress+0x10/0x10 [ 28.668083] ? lock_release+0xa40/0xa40 [ 28.668092] ep_unregister_pollwait.isra.7+0x18c/0x590 [ 28.668098] ? __kernel_text_address+0xd/0x40 [ 28.668106] ? clear_tfile_check_list+0x370/0x370 [ 28.668113] ? check_noncircular+0x20/0x20 [ 28.668121] ? locks_remove_file+0x3fa/0x5a0 [ 28.668130] ep_free+0x13f/0x320 [ 28.668136] ? ep_remove+0x800/0x800 [ 28.668142] ? fsnotify_first_mark+0x2b0/0x2b0 [ 28.668150] ? 
ep_free+0x320/0x320 [ 28.668156] ep_eventpoll_release+0x44/0x60 [ 28.668162] __fput+0x327/0x7e0 [ 28.668170] ? fput+0x140/0x140 [ 28.668176] ? _raw_spin_unlock_irq+0x27/0x70 [ 28.668185] ____fput+0x15/0x20 [ 28.668191] task_work_run+0x199/0x270 [ 28.668198] ? task_work_cancel+0x210/0x210 [ 28.668204] ? _raw_spin_unlock+0x22/0x30 [ 28.668210] ? switch_task_namespaces+0x87/0xc0 [ 28.668217] do_exit+0x9bb/0x1ad0 [ 28.668223] ? __handle_mm_fault+0x2330/0x3ce0 [ 28.668231] ? mm_update_next_owner+0x930/0x930 [ 28.668240] ? do_raw_spin_trylock+0x190/0x190 [ 28.668247] ? trace_event_raw_event_sched_switch+0x800/0x800 [ 28.668253] ? check_noncircular+0x20/0x20 [ 28.668260] ? _raw_spin_unlock+0x22/0x30 [ 28.668266] ? __handle_mm_fault+0x80e/0x3ce0 [ 28.668273] ? check_noncircular+0x20/0x20 [ 28.668278] ? __pmd_alloc+0x4e0/0x4e0 [ 28.668283] ? lock_downgrade+0x980/0x980 [ 28.668291] ? find_held_lock+0x35/0x1d0 [ 28.668299] ? handle_mm_fault+0x248/0x8d0 [ 28.668306] ? find_held_lock+0x35/0x1d0 [ 28.668315] ? __do_page_fault+0x5f7/0xc90 [ 28.668321] ? lock_downgrade+0x980/0x980 [ 28.668330] ? handle_mm_fault+0x410/0x8d0 [ 28.668335] ? down_read_trylock+0xdb/0x170 [ 28.668340] ? __do_page_fault+0x32d/0xc90 [ 28.668347] ? __handle_mm_fault+0x3ce0/0x3ce0 [ 28.668352] ? vmacache_find+0x5f/0x280 [ 28.668361] do_group_exit+0x149/0x400 [ 28.668367] ? __do_page_fault+0x3d6/0xc90 [ 28.668373] ? SyS_exit+0x30/0x30 [ 28.668380] ? do_fast_syscall_32+0x156/0xf9d [ 28.668386] ? do_group_exit+0x400/0x400 [ 28.668392] SyS_exit_group+0x1d/0x20 [ 28.668398] do_fast_syscall_32+0x3ee/0xf9d [ 28.668406] ? do_int80_syscall_32+0x9d0/0x9d0 [ 28.668412] ? kasan_check_read+0x11/0x20 [ 28.668418] ? syscall_return_slowpath+0x550/0x550 [ 28.668425] ? SyS_rt_sigaction+0x94/0x1b0 [ 28.668432] ? SyS_sigprocmask+0x4b0/0x4b0 [ 28.668437] ? SyS_read+0x184/0x220 [ 28.668443] ? retint_user+0x18/0x18 [ 28.668451] ? 
trace_hardirqs_off_thunk+0x1a/0x1c [ 28.668459] entry_SYSENTER_compat+0x54/0x63 [ 28.668463] RIP: 0023:0xf7fe6c79 [ 28.668466] RSP: 002b:00000000ffd48bfc EFLAGS: 00000296 ORIG_RAX: 00000000000000fc [ 28.668471] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00000000080f0298 [ 28.668475] RDX: 0000000000000000 RSI: 00000000080d9ab8 RDI: 00000000080f02a0 [ 28.668478] RBP: 0000000000000001 R08: 0000000000000000 R09: 0000000000000000 [ 28.668481] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000 [ 28.668484] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000 [ 28.687347] Dumping ftrace buffer: [ 28.687352] (ftrace buffer empty) [ 28.687353] Kernel Offset: disabled [ 29.970319] Rebooting in 86400 seconds..