[ ok ] Starting periodic command scheduler: cron.
Starting mcstransd:
[ ok ] Starting file context maintaining daemon: restorecond.
[ ok ] Starting OpenBSD Secure Shell server: sshd.
[ 12.382395] audit: type=1400 audit(1514380306.672:6): avc: denied { map } for pid=3138 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
Debian GNU/Linux 7 syzkaller ttyS0
Warning: Permanently added '10.128.0.10' (ECDSA) to the list of known hosts.
executing program
syzkaller login: [ 18.576903] audit: type=1400 audit(1514380312.866:7): avc: denied { map } for pid=3152 comm="syzkaller004924" path="/root/syzkaller004924640" dev="sda1" ino=16481 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
[ 18.581574] binder: 3152:3152 transaction failed 29189/-22, size 0-0 line 2775
[ 18.581587] binder: undelivered TRANSACTION_ERROR: 29189
[ 18.582389] ==================================================================
[ 18.582406] BUG: KASAN: use-after-free in __lock_acquire+0x3d4d/0x3e00
[ 18.582411] Read of size 8 at addr ffff8801c9d83d30 by task syzkaller004924/3152
[ 18.582412]
[ 18.582420] CPU: 1 PID: 3152 Comm: syzkaller004924 Not tainted 4.15.0-rc5+ #238
[ 18.582423] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 18.582426] Call Trace:
[ 18.582436] dump_stack+0x194/0x257
[ 18.582444] ? arch_local_irq_restore+0x53/0x53
[ 18.582452] ? show_regs_print_info+0x18/0x18
[ 18.582458] ? print_irqtrace_events+0x270/0x270
[ 18.582465] ? __lock_acquire+0x664/0x3e00
[ 18.582471] ? __lock_acquire+0x3d4d/0x3e00
[ 18.582480] print_address_description+0x73/0x250
[ 18.582486] ? __lock_acquire+0x3d4d/0x3e00
[ 18.582491] kasan_report+0x25b/0x340
[ 18.582499] __asan_report_load8_noabort+0x14/0x20
[ 18.582505] __lock_acquire+0x3d4d/0x3e00
[ 18.582510] ? __lock_acquire+0x664/0x3e00
[ 18.582516] ? lock_downgrade+0x980/0x980
[ 18.582521] ? lock_downgrade+0x980/0x980
[ 18.582530] ? remove_wait_queue+0x81/0x350
[ 18.582539] ? debug_check_no_locks_freed+0x3c0/0x3c0
[ 18.582545] ? __lock_acquire+0x664/0x3e00
[ 18.582551] ? check_noncircular+0x20/0x20
[ 18.582563] ? debug_check_no_locks_freed+0x3c0/0x3c0
[ 18.582570] ? lock_acquire+0x1d5/0x580
[ 18.582575] ? lock_acquire+0x1d5/0x580
[ 18.582582] ? ep_free+0xf4/0x320
[ 18.582590] ? lock_release+0xa40/0xa40
[ 18.582597] ? trace_event_raw_event_sched_switch+0x800/0x800
[ 18.582603] ? print_irqtrace_events+0x270/0x270
[ 18.582611] ? rcu_note_context_switch+0x710/0x710
[ 18.582618] ? __might_sleep+0x95/0x190
[ 18.582623] ? ep_free+0xf4/0x320
[ 18.582630] ? __mutex_lock+0x16f/0x1a80
[ 18.582634] ? ep_free+0xf4/0x320
[ 18.582641] ? print_irqtrace_events+0x270/0x270
[ 18.582645] ? ep_free+0xf4/0x320
[ 18.582654] lock_acquire+0x1d5/0x580
[ 18.582659] ? lock_acquire+0x1d5/0x580
[ 18.582664] ? remove_wait_queue+0x81/0x350
[ 18.582670] ? __lock_acquire+0x664/0x3e00
[ 18.582677] ? lock_release+0xa40/0xa40
[ 18.582686] ? lock_acquire+0x1d5/0x580
[ 18.582691] ? lock_acquire+0x1d5/0x580
[ 18.582701] ? ep_unregister_pollwait.isra.7+0x323/0x590
[ 18.582708] _raw_spin_lock_irqsave+0x96/0xc0
[ 18.582714] ? remove_wait_queue+0x81/0x350
[ 18.582721] remove_wait_queue+0x81/0x350
[ 18.582728] ? add_wait_queue+0x290/0x290
[ 18.582734] ? rcutorture_record_progress+0x10/0x10
[ 18.582743] ep_unregister_pollwait.isra.7+0x18c/0x590
[ 18.582751] ? __kernel_text_address+0xd/0x40
[ 18.582759] ? clear_tfile_check_list+0x370/0x370
[ 18.582766] ? check_noncircular+0x20/0x20
[ 18.582774] ? locks_remove_file+0x3fa/0x5a0
[ 18.582783] ep_free+0x13f/0x320
[ 18.582788] ? ep_remove+0x800/0x800
[ 18.582796] ? fsnotify_first_mark+0x2b0/0x2b0
[ 18.582803] ? ep_free+0x320/0x320
[ 18.582808] ep_eventpoll_release+0x44/0x60
[ 18.582815] __fput+0x327/0x7e0
[ 18.582822] ? fput+0x140/0x140
[ 18.582829] ? _raw_spin_unlock_irq+0x27/0x70
[ 18.582837] ____fput+0x15/0x20
[ 18.582843] task_work_run+0x199/0x270
[ 18.582850] ? task_work_cancel+0x210/0x210
[ 18.582856] ? _raw_spin_unlock+0x22/0x30
[ 18.582862] ? switch_task_namespaces+0x87/0xc0
[ 18.582871] do_exit+0x9bb/0x1ad0
[ 18.582881] ? binder_ioctl+0x4a1/0x1417
[ 18.582888] ? mm_update_next_owner+0x930/0x930
[ 18.582895] ? binder_ioctl_write_read.isra.41+0xcb0/0xcb0
[ 18.582907] ? avc_ss_reset+0x110/0x110
[ 18.582912] ? mutex_unlock+0xd/0x10
[ 18.582917] ? SyS_epoll_ctl+0x30a/0x1ab0
[ 18.582922] ? find_held_lock+0x35/0x1d0
[ 18.582929] ? check_noncircular+0x20/0x20
[ 18.582938] ? check_noncircular+0x20/0x20
[ 18.582943] ? check_noncircular+0x20/0x20
[ 18.582951] ? cpu_cgroup_fork+0x120/0x120
[ 18.582959] ? trace_event_raw_event_sched_switch+0x800/0x800
[ 18.582966] ? rcu_note_context_switch+0x710/0x710
[ 18.582976] ? binder_ioctl_write_read.isra.41+0xcb0/0xcb0
[ 18.582983] ? do_vfs_ioctl+0x486/0x1520
[ 18.582989] ? _cond_resched+0x14/0x30
[ 18.582997] ? ioctl_preallocate+0x2b0/0x2b0
[ 18.583007] ? selinux_capable+0x40/0x40
[ 18.583017] do_group_exit+0x149/0x400
[ 18.583024] ? SyS_exit+0x30/0x30
[ 18.583030] ? trace_hardirqs_on_caller+0x421/0x5c0
[ 18.583038] ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 18.583046] SyS_exit_group+0x1d/0x20
[ 18.583052] entry_SYSCALL_64_fastpath+0x1f/0x96
[ 18.583057] RIP: 0033:0x442b18
[ 18.583060] RSP: 002b:00007ffc34b5ba88 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
[ 18.583067] RAX: ffffffffffffffda RBX: 6e69622f7665642f RCX: 0000000000442b18
[ 18.583070] RDX: 0000000000000000 RSI: 000000000000003c RDI: 0000000000000000
[ 18.583074] RBP: 00000000006ce018 R08: 00000000000000e7 R09: ffffffffffffffd0
[ 18.583077] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000401b60
[ 18.583081] R13: 0000000000401bf0 R14: 0000000000000000 R15: 0000000000000000
[ 18.583089]
[ 18.583091] Allocated by task 3152:
[ 18.583097] save_stack+0x43/0xd0
[ 18.583102] kasan_kmalloc+0xad/0xe0
[ 18.583110] kmem_cache_alloc_trace+0x136/0x750
[ 18.583115] binder_get_thread+0x1cf/0x870
[ 18.583119] binder_poll+0x8c/0x390
[ 18.583124] ep_item_poll.isra.10+0xec/0x320
[ 18.583128] ep_insert+0x6a3/0x1b10
[ 18.583133] SyS_epoll_ctl+0x12e4/0x1ab0
[ 18.583138] entry_SYSCALL_64_fastpath+0x1f/0x96
[ 18.583139]
[ 18.583141] Freed by task 3152:
[ 18.583146] save_stack+0x43/0xd0
[ 18.583150] kasan_slab_free+0x71/0xc0
[ 18.583154] kfree+0xd6/0x260
[ 18.583159] binder_thread_dec_tmpref+0x27f/0x310
[ 18.583163] binder_thread_release+0x27d/0x540
[ 18.583168] binder_ioctl+0xc02/0x1417
[ 18.583173] do_vfs_ioctl+0x1b1/0x1520
[ 18.583178] SyS_ioctl+0x8f/0xc0
[ 18.583183] entry_SYSCALL_64_fastpath+0x1f/0x96
[ 18.583184]
[ 18.583189] The buggy address belongs to the object at ffff8801c9d83c80
[ 18.583189] which belongs to the cache kmalloc-512 of size 512
[ 18.583194] The buggy address is located 176 bytes inside of
[ 18.583194] 512-byte region [ffff8801c9d83c80, ffff8801c9d83e80)
[ 18.583195] The buggy address belongs to the page:
[ 18.583201] page:0000000052499f81 count:1 mapcount:0 mapping:00000000e91bdc9a index:0x0
[ 18.583206] flags: 0x2fffc0000000100(slab)
[ 18.583215] raw: 02fffc0000000100 ffff8801c9d83000 0000000000000000 0000000100000006
[ 18.583221] raw: ffffea000725d9e0 ffffea0007233720 ffff8801db000940 0000000000000000
[ 18.583223] page dumped because: kasan: bad access detected
[ 18.583224]
[ 18.583226] Memory state around the buggy address:
[ 18.583230] ffff8801c9d83c00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 18.583235] ffff8801c9d83c80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 18.583239] >ffff8801c9d83d00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 18.583241] ^
[ 18.583246] ffff8801c9d83d80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 18.583250] ffff8801c9d83e00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 18.583252] ==================================================================
[ 18.583253] Disabling lock debugging due to kernel taint
[ 18.583257] Kernel panic - not syncing: panic_on_warn set ...
[ 18.583257]
[ 18.583263] CPU: 1 PID: 3152 Comm: syzkaller004924 Tainted: G B 4.15.0-rc5+ #238
[ 18.583266] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 18.583267] Call Trace:
[ 18.583273] dump_stack+0x194/0x257
[ 18.583280] ? arch_local_irq_restore+0x53/0x53
[ 18.583285] ? kasan_end_report+0x32/0x50
[ 18.583291] ? lock_downgrade+0x980/0x980
[ 18.583297] ? vsnprintf+0x1ed/0x1900
[ 18.583303] ? __lock_acquire+0x3cd0/0x3e00
[ 18.583308] panic+0x1e4/0x41c
[ 18.583314] ? refcount_error_report+0x214/0x214
[ 18.583321] ? add_taint+0x40/0x50
[ 18.583326] ? add_taint+0x1c/0x50
[ 18.583333] ? __lock_acquire+0x3d4d/0x3e00
[ 18.583338] kasan_end_report+0x50/0x50
[ 18.583344] kasan_report+0x144/0x340
[ 18.583351] __asan_report_load8_noabort+0x14/0x20
[ 18.583357] __lock_acquire+0x3d4d/0x3e00
[ 18.583362] ? __lock_acquire+0x664/0x3e00
[ 18.583368] ? lock_downgrade+0x980/0x980
[ 18.583373] ? lock_downgrade+0x980/0x980
[ 18.583380] ? remove_wait_queue+0x81/0x350
[ 18.583389] ? debug_check_no_locks_freed+0x3c0/0x3c0
[ 18.583395] ? __lock_acquire+0x664/0x3e00
[ 18.583400] ? check_noncircular+0x20/0x20
[ 18.583412] ? debug_check_no_locks_freed+0x3c0/0x3c0
[ 18.583419] ? lock_acquire+0x1d5/0x580
[ 18.583424] ? lock_acquire+0x1d5/0x580
[ 18.583429] ? ep_free+0xf4/0x320
[ 18.583437] ? lock_release+0xa40/0xa40
[ 18.583443] ? trace_event_raw_event_sched_switch+0x800/0x800
[ 18.583449] ? print_irqtrace_events+0x270/0x270
[ 18.583455] ? rcu_note_context_switch+0x710/0x710
[ 18.583462] ? __might_sleep+0x95/0x190
[ 18.583467] ? ep_free+0xf4/0x320
[ 18.583472] ? __mutex_lock+0x16f/0x1a80
[ 18.583476] ? ep_free+0xf4/0x320
[ 18.583483] ? print_irqtrace_events+0x270/0x270
[ 18.583487] ? ep_free+0xf4/0x320
[ 18.583495] lock_acquire+0x1d5/0x580
[ 18.583500] ? lock_acquire+0x1d5/0x580
[ 18.583506] ? remove_wait_queue+0x81/0x350
[ 18.583512] ? __lock_acquire+0x664/0x3e00
[ 18.583519] ? lock_release+0xa40/0xa40
[ 18.583528] ? lock_acquire+0x1d5/0x580
[ 18.583533] ? lock_acquire+0x1d5/0x580
[ 18.583539] ? ep_unregister_pollwait.isra.7+0x323/0x590
[ 18.583546] _raw_spin_lock_irqsave+0x96/0xc0
[ 18.583551] ? remove_wait_queue+0x81/0x350
[ 18.583558] remove_wait_queue+0x81/0x350
[ 18.583565] ? add_wait_queue+0x290/0x290
[ 18.583571] ? rcutorture_record_progress+0x10/0x10
[ 18.583580] ep_unregister_pollwait.isra.7+0x18c/0x590
[ 18.583587] ? __kernel_text_address+0xd/0x40
[ 18.583594] ? clear_tfile_check_list+0x370/0x370
[ 18.583601] ? check_noncircular+0x20/0x20
[ 18.583608] ? locks_remove_file+0x3fa/0x5a0
[ 18.583617] ep_free+0x13f/0x320
[ 18.583622] ? ep_remove+0x800/0x800
[ 18.583628] ? fsnotify_first_mark+0x2b0/0x2b0
[ 18.583635] ? ep_free+0x320/0x320
[ 18.583641] ep_eventpoll_release+0x44/0x60
[ 18.583646] __fput+0x327/0x7e0
[ 18.583653] ? fput+0x140/0x140
[ 18.583660] ? _raw_spin_unlock_irq+0x27/0x70
[ 18.583668] ____fput+0x15/0x20
[ 18.583674] task_work_run+0x199/0x270
[ 18.583681] ? task_work_cancel+0x210/0x210
[ 18.583687] ? _raw_spin_unlock+0x22/0x30
[ 18.583693] ? switch_task_namespaces+0x87/0xc0
[ 18.583703] do_exit+0x9bb/0x1ad0
[ 18.583710] ? binder_ioctl+0x4a1/0x1417
[ 18.583716] ? mm_update_next_owner+0x930/0x930
[ 18.583724] ? binder_ioctl_write_read.isra.41+0xcb0/0xcb0
[ 18.583733] ? avc_ss_reset+0x110/0x110
[ 18.583738] ? mutex_unlock+0xd/0x10
[ 18.583743] ? SyS_epoll_ctl+0x30a/0x1ab0
[ 18.583748] ? find_held_lock+0x35/0x1d0
[ 18.583755] ? check_noncircular+0x20/0x20
[ 18.583764] ? check_noncircular+0x20/0x20
[ 18.583769] ? check_noncircular+0x20/0x20
[ 18.583777] ? cpu_cgroup_fork+0x120/0x120
[ 18.583785] ? trace_event_raw_event_sched_switch+0x800/0x800
[ 18.583792] ? rcu_note_context_switch+0x710/0x710
[ 18.583801] ? binder_ioctl_write_read.isra.41+0xcb0/0xcb0
[ 18.583807] ? do_vfs_ioctl+0x486/0x1520
[ 18.583812] ? _cond_resched+0x14/0x30
[ 18.583820] ? ioctl_preallocate+0x2b0/0x2b0
[ 18.583828] ? selinux_capable+0x40/0x40
[ 18.583838] do_group_exit+0x149/0x400
[ 18.583845] ? SyS_exit+0x30/0x30
[ 18.583851] ? trace_hardirqs_on_caller+0x421/0x5c0
[ 18.583857] ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 18.583865] SyS_exit_group+0x1d/0x20
[ 18.583871] entry_SYSCALL_64_fastpath+0x1f/0x96
[ 18.583874] RIP: 0033:0x442b18
[ 18.583877] RSP: 002b:00007ffc34b5ba88 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
[ 18.583883] RAX: ffffffffffffffda RBX: 6e69622f7665642f RCX: 0000000000442b18
[ 18.583886] RDX: 0000000000000000 RSI: 000000000000003c RDI: 0000000000000000
[ 18.583890] RBP: 00000000006ce018 R08: 00000000000000e7 R09: ffffffffffffffd0
[ 18.583893] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000401b60
[ 18.583896] R13: 0000000000401bf0 R14: 0000000000000000 R15: 0000000000000000
[ 18.603162] Dumping ftrace buffer:
[ 18.603165] (ftrace buffer empty)
[ 18.603168] Kernel Offset: disabled
[ 19.757059] Rebooting in 86400 seconds..