[ ok ]. [....] Starting periodic command scheduler: cron[ ok ]. Starting mcstransd: [....] Starting file context maintaining daemon: restorecond[ ok ]. [....] Starting OpenBSD Secure Shell server: sshd[ ok ]. [ 11.811799] audit: type=1400 audit(1514136844.174:6): avc: denied { map } for pid=3131 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1 Debian GNU/Linux 7 syzkaller ttyS0 Warning: Permanently added 'ci-upstream-mmots-kasan-gce-2,10.128.15.237' (ECDSA) to the list of known hosts. executing program syzkaller login: [ 42.649526] audit: type=1400 audit(1514136875.012:7): avc: denied { map } for pid=3150 comm="syzkaller289225" path="/root/syzkaller289225872" dev="sda1" ino=16481 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1 [ 42.654159] ================================================================== [ 42.654173] BUG: KASAN: use-after-free in __lock_acquire+0x3d4d/0x3e00 [ 42.654177] Read of size 8 at addr ffff8801ce186378 by task syzkaller289225/3150 [ 42.654178] [ 42.654183] CPU: 1 PID: 3150 Comm: syzkaller289225 Not tainted 4.15.0-rc4-mm1+ #49 [ 42.654186] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 42.654188] Call Trace: [ 42.654196] dump_stack+0x194/0x257 [ 42.654201] ? arch_local_irq_restore+0x53/0x53 [ 42.654208] ? show_regs_print_info+0x18/0x18 [ 42.654212] ? print_irqtrace_events+0x270/0x270 [ 42.654216] ? __lock_acquire+0x664/0x3e00 [ 42.654220] ? __lock_acquire+0x3d4d/0x3e00 [ 42.654227] print_address_description+0x73/0x250 [ 42.654231] ? __lock_acquire+0x3d4d/0x3e00 [ 42.654235] kasan_report+0x23b/0x360 [ 42.654240] __asan_report_load8_noabort+0x14/0x20 [ 42.654244] __lock_acquire+0x3d4d/0x3e00 [ 42.654247] ? 
__lock_acquire+0x664/0x3e00 [ 42.654251] ? lock_downgrade+0x980/0x980 [ 42.654254] ? lock_downgrade+0x980/0x980 [ 42.654260] ? remove_wait_queue+0x81/0x350 [ 42.654266] ? debug_check_no_locks_freed+0x3c0/0x3c0 [ 42.654270] ? __lock_acquire+0x664/0x3e00 [ 42.654273] ? check_noncircular+0x20/0x20 [ 42.654281] ? debug_check_no_locks_freed+0x3c0/0x3c0 [ 42.654285] ? lock_acquire+0x1d5/0x580 [ 42.654289] ? lock_acquire+0x1d5/0x580 [ 42.654294] ? ep_free+0xf4/0x320 [ 42.654300] ? lock_release+0xa40/0xa40 [ 42.654306] ? trace_event_raw_event_sched_switch+0x800/0x800 [ 42.654309] ? print_irqtrace_events+0x270/0x270 [ 42.654316] ? rcu_note_context_switch+0x710/0x710 [ 42.654321] ? __might_sleep+0x95/0x190 [ 42.654324] ? ep_free+0xf4/0x320 [ 42.654329] ? __mutex_lock+0x16f/0x1a80 [ 42.654332] ? ep_free+0xf4/0x320 [ 42.654336] ? print_irqtrace_events+0x270/0x270 [ 42.654339] ? ep_free+0xf4/0x320 [ 42.654344] lock_acquire+0x1d5/0x580 [ 42.654347] ? lock_acquire+0x1d5/0x580 [ 42.654351] ? remove_wait_queue+0x81/0x350 [ 42.654354] ? __lock_acquire+0x664/0x3e00 [ 42.654359] ? lock_release+0xa40/0xa40 [ 42.654364] ? lock_acquire+0x1d5/0x580 [ 42.654367] ? lock_acquire+0x1d5/0x580 [ 42.654371] ? ep_unregister_pollwait.isra.7+0x323/0x590 [ 42.654376] _raw_spin_lock_irqsave+0x96/0xc0 [ 42.654380] ? remove_wait_queue+0x81/0x350 [ 42.654384] remove_wait_queue+0x81/0x350 [ 42.654388] ? add_wait_queue+0x290/0x290 [ 42.654392] ? rcutorture_record_progress+0x10/0x10 [ 42.654398] ep_unregister_pollwait.isra.7+0x18c/0x590 [ 42.654406] ? __kernel_text_address+0xd/0x40 [ 42.654411] ? clear_tfile_check_list+0x370/0x370 [ 42.654415] ? check_noncircular+0x20/0x20 [ 42.654421] ? locks_remove_file+0x3fa/0x5a0 [ 42.654426] ep_free+0x13f/0x320 [ 42.654430] ? ep_remove+0x800/0x800 [ 42.654434] ? fsnotify_first_mark+0x2b0/0x2b0 [ 42.654438] ? ep_free+0x320/0x320 [ 42.654442] ep_eventpoll_release+0x44/0x60 [ 42.654447] __fput+0x327/0x7e0 [ 42.654452] ? fput+0x140/0x140 [ 42.654456] ? 
_raw_spin_unlock_irq+0x27/0x70 [ 42.654461] ____fput+0x15/0x20 [ 42.654465] task_work_run+0x199/0x270 [ 42.654470] ? task_work_cancel+0x210/0x210 [ 42.654474] ? _raw_spin_unlock+0x22/0x30 [ 42.654477] ? switch_task_namespaces+0x87/0xc0 [ 42.654483] do_exit+0x9bb/0x1ad0 [ 42.654489] ? binder_ioctl+0x551/0x1417 [ 42.654493] ? mm_update_next_owner+0x930/0x930 [ 42.654498] ? binder_ioctl_write_read.isra.38+0xcb0/0xcb0 [ 42.654505] ? avc_ss_reset+0x110/0x110 [ 42.654509] ? mutex_unlock+0xd/0x10 [ 42.654513] ? SyS_epoll_ctl+0x30a/0x1a80 [ 42.654526] ? trace_event_raw_event_sched_switch+0x800/0x800 [ 42.654529] ? up_read+0x1a/0x40 [ 42.654533] ? rcu_note_context_switch+0x710/0x710 [ 42.654536] ? __fd_install+0x288/0x740 [ 42.654542] ? binder_ioctl_write_read.isra.38+0xcb0/0xcb0 [ 42.654546] ? do_vfs_ioctl+0x486/0x1520 [ 42.654549] ? _cond_resched+0x14/0x30 [ 42.654554] ? ioctl_preallocate+0x2b0/0x2b0 [ 42.654559] ? selinux_capable+0x40/0x40 [ 42.654563] ? __alloc_fd+0x750/0x750 [ 42.654568] do_group_exit+0x149/0x400 [ 42.654572] ? SyS_exit+0x30/0x30 [ 42.654576] ? trace_hardirqs_on_caller+0x421/0x5c0 [ 42.654582] ? 
trace_hardirqs_on_thunk+0x1a/0x1c [ 42.654587] SyS_exit_group+0x1d/0x20 [ 42.654590] entry_SYSCALL_64_fastpath+0x1f/0x96 [ 42.654594] RIP: 0033:0x4429f8 [ 42.654596] RSP: 002b:00007ffc1e4e1488 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7 [ 42.654600] RAX: ffffffffffffffda RBX: 00000000004002e0 RCX: 00000000004429f8 [ 42.654602] RDX: 0000000000000000 RSI: 000000000000003c RDI: 0000000000000000 [ 42.654604] RBP: 00000000006ce018 R08: 00000000000000e7 R09: ffffffffffffffd0 [ 42.654606] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000401a40 [ 42.654608] R13: 0000000000401ad0 R14: 0000000000000000 R15: 0000000000000000 [ 42.654613] [ 42.654615] Allocated by task 3150: [ 42.654619] save_stack+0x43/0xd0 [ 42.654622] kasan_kmalloc+0xad/0xe0 [ 42.654626] kmem_cache_alloc_trace+0x136/0x750 [ 42.654628] binder_get_thread+0x1cf/0x870 [ 42.654631] binder_poll+0x8c/0x390 [ 42.654634] ep_item_poll.isra.10+0xf2/0x320 [ 42.654636] ep_insert+0x6a2/0x1ac0 [ 42.654639] SyS_epoll_ctl+0x12bf/0x1a80 [ 42.654642] entry_SYSCALL_64_fastpath+0x1f/0x96 [ 42.654643] [ 42.654644] Freed by task 3150: [ 42.654647] save_stack+0x43/0xd0 [ 42.654650] kasan_slab_free+0x71/0xc0 [ 42.654652] kfree+0xd6/0x260 [ 42.654655] binder_thread_dec_tmpref+0x27f/0x310 [ 42.654658] binder_thread_release+0x27d/0x540 [ 42.654660] binder_ioctl+0xc02/0x1417 [ 42.654663] do_vfs_ioctl+0x1b1/0x1520 [ 42.654665] SyS_ioctl+0x8f/0xc0 [ 42.654668] entry_SYSCALL_64_fastpath+0x1f/0x96 [ 42.654669] [ 42.654671] The buggy address belongs to the object at ffff8801ce1862c0 [ 42.654671] which belongs to the cache kmalloc-512 of size 512 [ 42.654674] The buggy address is located 184 bytes inside of [ 42.654674] 512-byte region [ffff8801ce1862c0, ffff8801ce1864c0) [ 42.654675] The buggy address belongs to the page: [ 42.654679] page:ffffea0007386180 count:1 mapcount:0 mapping:ffff8801ce186040 index:0xffff8801ce186cc0 [ 42.654682] flags: 0x2fffc0000000100(slab) [ 42.654688] raw: 02fffc0000000100 ffff8801ce186040 
ffff8801ce186cc0 0000000100000004 [ 42.654693] raw: ffffea0007386260 ffff8801dac01738 ffff8801dac00940 0000000000000000 [ 42.654694] page dumped because: kasan: bad access detected [ 42.654695] [ 42.654696] Memory state around the buggy address: [ 42.654699] ffff8801ce186200: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc [ 42.654701] ffff8801ce186280: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb [ 42.654704] >ffff8801ce186300: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 42.654706] ^ [ 42.654708] ffff8801ce186380: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 42.654711] ffff8801ce186400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 42.654712] ================================================================== [ 42.654713] Disabling lock debugging due to kernel taint [ 42.654715] Kernel panic - not syncing: panic_on_warn set ... [ 42.654715] [ 42.654720] CPU: 1 PID: 3150 Comm: syzkaller289225 Tainted: G B 4.15.0-rc4-mm1+ #49 [ 42.654721] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 42.654722] Call Trace: [ 42.654726] dump_stack+0x194/0x257 [ 42.654730] ? arch_local_irq_restore+0x53/0x53 [ 42.654733] ? kasan_end_report+0x32/0x50 [ 42.654737] ? lock_downgrade+0x980/0x980 [ 42.654741] ? vsnprintf+0x1ed/0x1900 [ 42.654744] ? __lock_acquire+0x3c90/0x3e00 [ 42.654748] panic+0x1e4/0x41c [ 42.654751] ? refcount_error_report+0x214/0x214 [ 42.654755] ? add_taint+0x40/0x50 [ 42.654758] ? add_taint+0x1c/0x50 [ 42.654762] ? __lock_acquire+0x3d4d/0x3e00 [ 42.654766] kasan_end_report+0x50/0x50 [ 42.654769] kasan_report+0x148/0x360 [ 42.654774] __asan_report_load8_noabort+0x14/0x20 [ 42.654777] __lock_acquire+0x3d4d/0x3e00 [ 42.654781] ? __lock_acquire+0x664/0x3e00 [ 42.654784] ? lock_downgrade+0x980/0x980 [ 42.654787] ? lock_downgrade+0x980/0x980 [ 42.654791] ? remove_wait_queue+0x81/0x350 [ 42.654796] ? debug_check_no_locks_freed+0x3c0/0x3c0 [ 42.654800] ? __lock_acquire+0x664/0x3e00 [ 42.654803] ? 
check_noncircular+0x20/0x20 [ 42.654810] ? debug_check_no_locks_freed+0x3c0/0x3c0 [ 42.654814] ? lock_acquire+0x1d5/0x580 [ 42.654817] ? lock_acquire+0x1d5/0x580 [ 42.654820] ? ep_free+0xf4/0x320 [ 42.654825] ? lock_release+0xa40/0xa40 [ 42.654828] ? trace_event_raw_event_sched_switch+0x800/0x800 [ 42.654832] ? print_irqtrace_events+0x270/0x270 [ 42.654836] ? rcu_note_context_switch+0x710/0x710 [ 42.654845] ? __might_sleep+0x95/0x190 [ 42.654849] ? ep_free+0xf4/0x320 [ 42.654852] ? __mutex_lock+0x16f/0x1a80 [ 42.654855] ? ep_free+0xf4/0x320 [ 42.654859] ? print_irqtrace_events+0x270/0x270 [ 42.654862] ? ep_free+0xf4/0x320 [ 42.654866] lock_acquire+0x1d5/0x580 [ 42.654869] ? lock_acquire+0x1d5/0x580 [ 42.654873] ? remove_wait_queue+0x81/0x350 [ 42.654876] ? __lock_acquire+0x664/0x3e00 [ 42.654880] ? lock_release+0xa40/0xa40 [ 42.654885] ? lock_acquire+0x1d5/0x580 [ 42.654888] ? lock_acquire+0x1d5/0x580 [ 42.654892] ? ep_unregister_pollwait.isra.7+0x323/0x590 [ 42.654896] _raw_spin_lock_irqsave+0x96/0xc0 [ 42.654900] ? remove_wait_queue+0x81/0x350 [ 42.654903] remove_wait_queue+0x81/0x350 [ 42.654908] ? add_wait_queue+0x290/0x290 [ 42.654911] ? rcutorture_record_progress+0x10/0x10 [ 42.654917] ep_unregister_pollwait.isra.7+0x18c/0x590 [ 42.654921] ? __kernel_text_address+0xd/0x40 [ 42.654925] ? clear_tfile_check_list+0x370/0x370 [ 42.654930] ? check_noncircular+0x20/0x20 [ 42.654934] ? locks_remove_file+0x3fa/0x5a0 [ 42.654939] ep_free+0x13f/0x320 [ 42.654943] ? ep_remove+0x800/0x800 [ 42.654946] ? fsnotify_first_mark+0x2b0/0x2b0 [ 42.654950] ? ep_free+0x320/0x320 [ 42.654953] ep_eventpoll_release+0x44/0x60 [ 42.654957] __fput+0x327/0x7e0 [ 42.654961] ? fput+0x140/0x140 [ 42.654965] ? _raw_spin_unlock_irq+0x27/0x70 [ 42.654970] ____fput+0x15/0x20 [ 42.654974] task_work_run+0x199/0x270 [ 42.654978] ? task_work_cancel+0x210/0x210 [ 42.654981] ? _raw_spin_unlock+0x22/0x30 [ 42.654985] ? switch_task_namespaces+0x87/0xc0 [ 42.654989] do_exit+0x9bb/0x1ad0 [ 42.654993] ? 
binder_ioctl+0x551/0x1417 [ 42.654997] ? mm_update_next_owner+0x930/0x930 [ 42.655004] ? binder_ioctl_write_read.isra.38+0xcb0/0xcb0 [ 42.655008] ? avc_ss_reset+0x110/0x110 [ 42.655012] ? mutex_unlock+0xd/0x10 [ 42.655015] ? SyS_epoll_ctl+0x30a/0x1a80 [ 42.655025] ? trace_event_raw_event_sched_switch+0x800/0x800 [ 42.655028] ? up_read+0x1a/0x40 [ 42.655032] ? rcu_note_context_switch+0x710/0x710 [ 42.655035] ? __fd_install+0x288/0x740 [ 42.655040] ? binder_ioctl_write_read.isra.38+0xcb0/0xcb0 [ 42.655043] ? do_vfs_ioctl+0x486/0x1520 [ 42.655046] ? _cond_resched+0x14/0x30 [ 42.655050] ? ioctl_preallocate+0x2b0/0x2b0 [ 42.655055] ? selinux_capable+0x40/0x40 [ 42.655058] ? __alloc_fd+0x750/0x750 [ 42.655063] do_group_exit+0x149/0x400 [ 42.655066] ? SyS_exit+0x30/0x30 [ 42.655070] ? trace_hardirqs_on_caller+0x421/0x5c0 [ 42.655074] ? trace_hardirqs_on_thunk+0x1a/0x1c [ 42.655078] SyS_exit_group+0x1d/0x20 [ 42.655082] entry_SYSCALL_64_fastpath+0x1f/0x96 [ 42.655085] RIP: 0033:0x4429f8 [ 42.655086] RSP: 002b:00007ffc1e4e1488 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7 [ 42.655090] RAX: ffffffffffffffda RBX: 00000000004002e0 RCX: 00000000004429f8 [ 42.655092] RDX: 0000000000000000 RSI: 000000000000003c RDI: 0000000000000000 [ 42.655094] RBP: 00000000006ce018 R08: 00000000000000e7 R09: ffffffffffffffd0 [ 42.655096] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000401a40 [ 42.655098] R13: 0000000000401ad0 R14: 0000000000000000 R15: 0000000000000000 [ 42.675409] Dumping ftrace buffer: [ 42.675413] (ftrace buffer empty) [ 42.675416] Kernel Offset: disabled [ 43.801521] Rebooting in 86400 seconds..