[ ok ]. Starting mcstransd: [....] Starting periodic command scheduler: cron[ ok ]. [ 13.651179] sshd (3024) used greatest stack depth: 14504 bytes left [....] Starting file context maintaining daemon: restorecond[ ok ]. [....] Starting OpenBSD Secure Shell server: sshd[ ok ]. Debian GNU/Linux 7 syzkaller ttyS0 syzkaller login: [ 17.619879] audit: type=1400 audit(1513772877.721:6): avc: denied { map } for pid=3134 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1 Warning: Permanently added 'ci-upstream-mmots-kasan-gce-8,10.128.0.2' (ECDSA) to the list of known hosts. executing program [ 23.932345] audit: type=1400 audit(1513772884.034:7): avc: denied { map } for pid=3148 comm="syzkaller472024" path="/root/syzkaller472024764" dev="sda1" ino=16481 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1 [ 23.936913] ================================================================== [ 23.936927] BUG: KASAN: use-after-free in __lock_acquire+0x465e/0x47f0 [ 23.936933] Read of size 8 at addr ffff8801c4d07378 by task syzkaller472024/3148 [ 23.936934] [ 23.936942] CPU: 0 PID: 3148 Comm: syzkaller472024 Not tainted 4.15.0-rc2-mm1+ #39 [ 23.936945] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 23.936947] Call Trace: [ 23.936956] dump_stack+0x194/0x257 [ 23.936964] ? arch_local_irq_restore+0x53/0x53 [ 23.936971] ? show_regs_print_info+0x18/0x18 [ 23.936977] ? debug_check_no_locks_freed+0x3d0/0x3d0 [ 23.936983] ? __lock_acquire+0x6e9/0x47f0 [ 23.936990] ? __lock_acquire+0x465e/0x47f0 [ 23.936999] print_address_description+0x73/0x250 [ 23.937009] ? 
__lock_acquire+0x465e/0x47f0 [ 23.937015] kasan_report+0x25b/0x340 [ 23.937023] __asan_report_load8_noabort+0x14/0x20 [ 23.937028] __lock_acquire+0x465e/0x47f0 [ 23.937034] ? __lock_acquire+0x6e9/0x47f0 [ 23.937041] ? __save_stack_trace+0x61/0xd0 [ 23.937051] ? __is_insn_slot_addr+0x1fc/0x330 [ 23.937060] ? debug_check_no_locks_freed+0x3d0/0x3d0 [ 23.937065] ? __lock_acquire+0x6e9/0x47f0 [ 23.937072] ? lock_release+0xda0/0xda0 [ 23.937081] ? bpf_prog_kallsyms_find+0xbd/0x440 [ 23.937091] ? debug_check_no_locks_freed+0x3d0/0x3d0 [ 23.937097] ? lock_acquire+0x1d5/0x580 [ 23.937103] ? ep_free+0xfa/0x300 [ 23.937111] ? lock_release+0xda0/0xda0 [ 23.937122] ? rcu_note_context_switch+0x710/0x710 [ 23.937131] ? __might_sleep+0x95/0x190 [ 23.937136] ? ep_free+0xfa/0x300 [ 23.937143] ? __mutex_lock+0x16f/0x1a80 [ 23.937147] ? ep_free+0xfa/0x300 [ 23.937155] ? unwind_get_return_address+0x61/0xa0 [ 23.937160] ? ep_free+0xfa/0x300 [ 23.937169] lock_acquire+0x1d5/0x580 [ 23.937176] ? remove_wait_queue+0x81/0x350 [ 23.937182] ? save_stack_trace+0x1a/0x20 [ 23.937187] ? __lock_acquire+0x324e/0x47f0 [ 23.937194] ? lock_release+0xda0/0xda0 [ 23.937201] ? save_stack_trace+0x1a/0x20 [ 23.937206] ? __lock_acquire+0x324e/0x47f0 [ 23.937213] ? lock_acquire+0x1d5/0x580 [ 23.937218] ? ep_unregister_pollwait.isra.7+0x323/0x590 [ 23.937227] _raw_spin_lock_irqsave+0x96/0xc0 [ 23.937233] ? remove_wait_queue+0x81/0x350 [ 23.937239] remove_wait_queue+0x81/0x350 [ 23.937246] ? add_wait_queue+0x290/0x290 [ 23.937252] ? rcutorture_record_progress+0x10/0x10 [ 23.937261] ep_unregister_pollwait.isra.7+0x18c/0x590 [ 23.937269] ? __kernel_text_address+0xd/0x40 [ 23.937277] ? clear_tfile_check_list+0x370/0x370 [ 23.937284] ? check_noncircular+0x20/0x20 [ 23.937292] ? free_fs_struct+0x52/0x60 [ 23.937299] ? locks_remove_file+0x3fa/0x5a0 [ 23.937308] ep_free+0x135/0x300 [ 23.937313] ? ep_remove+0x810/0x810 [ 23.937320] ? fsnotify_first_mark+0x2b0/0x2b0 [ 23.937327] ? 
ep_free+0x300/0x300 [ 23.937333] ep_eventpoll_release+0x44/0x60 [ 23.937339] __fput+0x333/0x7f0 [ 23.937347] ? fput+0x140/0x140 [ 23.937354] ? _raw_spin_unlock_irq+0x27/0x70 [ 23.937362] ____fput+0x15/0x20 [ 23.937368] task_work_run+0x199/0x270 [ 23.937376] ? task_work_cancel+0x210/0x210 [ 23.937382] ? _raw_spin_unlock+0x22/0x30 [ 23.937392] ? switch_task_namespaces+0x87/0xc0 [ 23.937400] do_exit+0x9bb/0x1ae0 [ 23.937410] ? binder_ioctl+0x561/0x141a [ 23.937416] ? mm_update_next_owner+0x930/0x930 [ 23.937425] ? binder_ioctl_write_read.isra.41+0xcb0/0xcb0 [ 23.937435] ? avc_ss_reset+0x110/0x110 [ 23.937441] ? mutex_unlock+0xd/0x10 [ 23.937455] ? down_read_trylock+0xdb/0x170 [ 23.937465] ? trace_event_raw_event_sched_switch+0x800/0x800 [ 23.937470] ? up_read+0x1a/0x40 [ 23.937476] ? rcu_note_context_switch+0x710/0x710 [ 23.937483] ? __fd_install+0x288/0x740 [ 23.937492] ? binder_ioctl_write_read.isra.41+0xcb0/0xcb0 [ 23.937499] ? do_vfs_ioctl+0x492/0x1530 [ 23.937504] ? _cond_resched+0x14/0x30 [ 23.937512] ? ioctl_preallocate+0x2b0/0x2b0 [ 23.937520] ? selinux_capable+0x40/0x40 [ 23.937527] ? __alloc_fd+0x750/0x750 [ 23.937535] do_group_exit+0x149/0x400 [ 23.937542] ? SyS_exit+0x30/0x30 [ 23.937548] ? trace_hardirqs_on_caller+0x421/0x5c0 [ 23.937556] ? 
trace_hardirqs_on_thunk+0x1a/0x1c [ 23.937564] SyS_exit_group+0x1d/0x20 [ 23.937570] entry_SYSCALL_64_fastpath+0x1f/0x96 [ 23.937575] RIP: 0033:0x4429f8 [ 23.937578] RSP: 002b:00007ffee75fb968 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7 [ 23.937585] RAX: ffffffffffffffda RBX: 00000000004002e0 RCX: 00000000004429f8 [ 23.937588] RDX: 0000000000000000 RSI: 000000000000003c RDI: 0000000000000000 [ 23.937592] RBP: 00000000006ce018 R08: 00000000000000e7 R09: ffffffffffffffd0 [ 23.937595] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000401a40 [ 23.937598] R13: 0000000000401ad0 R14: 0000000000000000 R15: 0000000000000000 [ 23.937606] [ 23.937609] Allocated by task 3148: [ 23.937615] save_stack+0x43/0xd0 [ 23.937620] kasan_kmalloc+0xad/0xe0 [ 23.937626] kmem_cache_alloc_trace+0x136/0x750 [ 23.937631] binder_get_thread+0x1cf/0x870 [ 23.937635] binder_poll+0x8c/0x390 [ 23.937640] ep_item_poll.isra.10+0xf2/0x320 [ 23.937644] ep_insert+0x6a2/0x1b50 [ 23.937648] SyS_epoll_ctl+0x129b/0x1a60 [ 23.937654] entry_SYSCALL_64_fastpath+0x1f/0x96 [ 23.937655] [ 23.937657] Freed by task 3148: [ 23.937662] save_stack+0x43/0xd0 [ 23.937666] kasan_slab_free+0x71/0xc0 [ 23.937671] kfree+0xca/0x250 [ 23.937676] binder_thread_dec_tmpref+0x27f/0x310 [ 23.937681] binder_thread_release+0x27d/0x540 [ 23.937686] binder_ioctl+0xc05/0x141a [ 23.937691] do_vfs_ioctl+0x1b1/0x1530 [ 23.937696] SyS_ioctl+0x8f/0xc0 [ 23.937702] entry_SYSCALL_64_fastpath+0x1f/0x96 [ 23.937703] [ 23.937707] The buggy address belongs to the object at ffff8801c4d072c0 [ 23.937707] which belongs to the cache kmalloc-512 of size 512 [ 23.937712] The buggy address is located 184 bytes inside of [ 23.937712] 512-byte region [ffff8801c4d072c0, ffff8801c4d074c0) [ 23.937713] The buggy address belongs to the page: [ 23.937719] page:00000000385e870b count:1 mapcount:0 mapping:0000000022ef5bfd index:0x0 [ 23.937723] flags: 0x2fffc0000000100(slab) [ 23.937732] raw: 02fffc0000000100 ffff8801c4d07040 0000000000000000 
0000000100000006 [ 23.937739] raw: ffffea0007131360 ffffea0007129260 ffff8801dac00940 0000000000000000 [ 23.937741] page dumped because: kasan: bad access detected [ 23.937742] [ 23.937744] Memory state around the buggy address: [ 23.937749] ffff8801c4d07200: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 23.937753] ffff8801c4d07280: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb [ 23.937758] >ffff8801c4d07300: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 23.937760] ^ [ 23.937764] ffff8801c4d07380: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 23.937768] ffff8801c4d07400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 23.937770] ================================================================== [ 23.937772] Disabling lock debugging due to kernel taint [ 23.937775] Kernel panic - not syncing: panic_on_warn set ... [ 23.937775] [ 23.937781] CPU: 0 PID: 3148 Comm: syzkaller472024 Tainted: G B 4.15.0-rc2-mm1+ #39 [ 23.937784] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 23.937785] Call Trace: [ 23.937791] dump_stack+0x194/0x257 [ 23.937798] ? arch_local_irq_restore+0x53/0x53 [ 23.937805] ? vprintk_default+0x28/0x30 [ 23.937812] ? vsnprintf+0x1ed/0x1900 [ 23.937818] ? __lock_acquire+0x45b0/0x47f0 [ 23.937823] panic+0x1e4/0x41c [ 23.937829] ? refcount_error_report+0x214/0x214 [ 23.937836] ? add_taint+0x40/0x50 [ 23.937841] ? add_taint+0x1c/0x50 [ 23.937847] ? __lock_acquire+0x465e/0x47f0 [ 23.937853] kasan_end_report+0x50/0x50 [ 23.937859] kasan_report+0x144/0x340 [ 23.937866] __asan_report_load8_noabort+0x14/0x20 [ 23.937871] __lock_acquire+0x465e/0x47f0 [ 23.937877] ? __lock_acquire+0x6e9/0x47f0 [ 23.937884] ? __save_stack_trace+0x61/0xd0 [ 23.937891] ? __is_insn_slot_addr+0x1fc/0x330 [ 23.937899] ? debug_check_no_locks_freed+0x3d0/0x3d0 [ 23.937904] ? __lock_acquire+0x6e9/0x47f0 [ 23.937911] ? lock_release+0xda0/0xda0 [ 23.937918] ? bpf_prog_kallsyms_find+0xbd/0x440 [ 23.937928] ? 
debug_check_no_locks_freed+0x3d0/0x3d0 [ 23.937933] ? lock_acquire+0x1d5/0x580 [ 23.937938] ? ep_free+0xfa/0x300 [ 23.937945] ? lock_release+0xda0/0xda0 [ 23.937953] ? rcu_note_context_switch+0x710/0x710 [ 23.937960] ? __might_sleep+0x95/0x190 [ 23.937965] ? ep_free+0xfa/0x300 [ 23.937971] ? __mutex_lock+0x16f/0x1a80 [ 23.937975] ? ep_free+0xfa/0x300 [ 23.937981] ? unwind_get_return_address+0x61/0xa0 [ 23.937986] ? ep_free+0xfa/0x300 [ 23.937994] lock_acquire+0x1d5/0x580 [ 23.938000] ? remove_wait_queue+0x81/0x350 [ 23.938006] ? save_stack_trace+0x1a/0x20 [ 23.938011] ? __lock_acquire+0x324e/0x47f0 [ 23.938018] ? lock_release+0xda0/0xda0 [ 23.938024] ? save_stack_trace+0x1a/0x20 [ 23.938029] ? __lock_acquire+0x324e/0x47f0 [ 23.938036] ? lock_acquire+0x1d5/0x580 [ 23.938042] ? ep_unregister_pollwait.isra.7+0x323/0x590 [ 23.938049] _raw_spin_lock_irqsave+0x96/0xc0 [ 23.938054] ? remove_wait_queue+0x81/0x350 [ 23.938060] remove_wait_queue+0x81/0x350 [ 23.938068] ? add_wait_queue+0x290/0x290 [ 23.938073] ? rcutorture_record_progress+0x10/0x10 [ 23.938082] ep_unregister_pollwait.isra.7+0x18c/0x590 [ 23.938089] ? __kernel_text_address+0xd/0x40 [ 23.938096] ? clear_tfile_check_list+0x370/0x370 [ 23.938104] ? check_noncircular+0x20/0x20 [ 23.938110] ? free_fs_struct+0x52/0x60 [ 23.938116] ? locks_remove_file+0x3fa/0x5a0 [ 23.938124] ep_free+0x135/0x300 [ 23.938130] ? ep_remove+0x810/0x810 [ 23.938136] ? fsnotify_first_mark+0x2b0/0x2b0 [ 23.938143] ? ep_free+0x300/0x300 [ 23.938148] ep_eventpoll_release+0x44/0x60 [ 23.938154] __fput+0x333/0x7f0 [ 23.938161] ? fput+0x140/0x140 [ 23.938168] ? _raw_spin_unlock_irq+0x27/0x70 [ 23.938175] ____fput+0x15/0x20 [ 23.938181] task_work_run+0x199/0x270 [ 23.938189] ? task_work_cancel+0x210/0x210 [ 23.938195] ? _raw_spin_unlock+0x22/0x30 [ 23.938200] ? switch_task_namespaces+0x87/0xc0 [ 23.938208] do_exit+0x9bb/0x1ae0 [ 23.938215] ? binder_ioctl+0x561/0x141a [ 23.938221] ? mm_update_next_owner+0x930/0x930 [ 23.938229] ? 
binder_ioctl_write_read.isra.41+0xcb0/0xcb0 [ 23.938237] ? avc_ss_reset+0x110/0x110 [ 23.938243] ? mutex_unlock+0xd/0x10 [ 23.938255] ? down_read_trylock+0xdb/0x170 [ 23.938265] ? trace_event_raw_event_sched_switch+0x800/0x800 [ 23.938270] ? up_read+0x1a/0x40 [ 23.938276] ? rcu_note_context_switch+0x710/0x710 [ 23.938282] ? __fd_install+0x288/0x740 [ 23.938291] ? binder_ioctl_write_read.isra.41+0xcb0/0xcb0 [ 23.938297] ? do_vfs_ioctl+0x492/0x1530 [ 23.938301] ? _cond_resched+0x14/0x30 [ 23.938309] ? ioctl_preallocate+0x2b0/0x2b0 [ 23.938316] ? selinux_capable+0x40/0x40 [ 23.938323] ? __alloc_fd+0x750/0x750 [ 23.938330] do_group_exit+0x149/0x400 [ 23.938337] ? SyS_exit+0x30/0x30 [ 23.938343] ? trace_hardirqs_on_caller+0x421/0x5c0 [ 23.938350] ? trace_hardirqs_on_thunk+0x1a/0x1c [ 23.938357] SyS_exit_group+0x1d/0x20 [ 23.938363] entry_SYSCALL_64_fastpath+0x1f/0x96 [ 23.938367] RIP: 0033:0x4429f8 [ 23.938370] RSP: 002b:00007ffee75fb968 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7 [ 23.938375] RAX: ffffffffffffffda RBX: 00000000004002e0 RCX: 00000000004429f8 [ 23.938379] RDX: 0000000000000000 RSI: 000000000000003c RDI: 0000000000000000 [ 23.938382] RBP: 00000000006ce018 R08: 00000000000000e7 R09: ffffffffffffffd0 [ 23.938389] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000401a40 [ 23.938392] R13: 0000000000401ad0 R14: 0000000000000000 R15: 0000000000000000 [ 23.958669] Dumping ftrace buffer: [ 23.958672] (ftrace buffer empty) [ 23.958674] Kernel Offset: disabled [ 25.070386] Rebooting in 86400 seconds..