[....] Starting enhanced syslogd: rsyslogd[ 12.480777] audit: type=1400 audit(1513735645.498:5): avc: denied { syslog } for pid=2990 comm="rsyslogd" capability=34 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=capability2 permissive=1 [?25l[?1c7[ ok 8[?25h[?0c. [....] Starting periodic command scheduler: cron[?25l[?1c7[ ok 8[?25h[?0c. Starting mcstransd: [....] Starting file context maintaining daemon: restorecond[?25l[?1c7[ ok 8[?25h[?0c. [....] Starting OpenBSD Secure Shell server: sshd[?25l[?1c7[ ok 8[?25h[?0c. Debian GNU/Linux 7 syzkaller ttyS0 syzkaller login: [ 17.925907] audit: type=1400 audit(1513735650.943:6): avc: denied { map } for pid=3130 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1 Warning: Permanently added 'ci-upstream-mmots-kasan-gce-1,10.128.15.213' (ECDSA) to the list of known hosts. executing program [ 24.191224] audit: type=1400 audit(1513735657.209:7): avc: denied { map } for pid=3144 comm="syzkaller865002" path="/root/syzkaller865002210" dev="sda1" ino=16481 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1 [ 24.196842] ================================================================== [ 24.196855] BUG: KASAN: use-after-free in __lock_acquire+0x465e/0x47f0 [ 24.196861] Read of size 8 at addr ffff8801c5347db8 by task syzkaller865002/3144 [ 24.196862] [ 24.196869] CPU: 0 PID: 3144 Comm: syzkaller865002 Not tainted 4.15.0-rc2-mm1+ #39 [ 24.196872] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 24.196875] Call Trace: [ 24.196883] dump_stack+0x194/0x257 [ 24.196891] ? arch_local_irq_restore+0x53/0x53 [ 24.196898] ? show_regs_print_info+0x18/0x18 [ 24.196906] ? __kernel_text_address+0xd/0x40 [ 24.196912] ? __lock_acquire+0x465e/0x47f0 [ 24.196921] print_address_description+0x73/0x250 [ 24.196927] ? __lock_acquire+0x465e/0x47f0 [ 24.196933] kasan_report+0x25b/0x340 [ 24.196940] __asan_report_load8_noabort+0x14/0x20 [ 24.196946] __lock_acquire+0x465e/0x47f0 [ 24.196952] ? print_usage_bug+0x3f0/0x3f0 [ 24.196961] ? unwind_next_frame.part.6+0x1a6/0xb40 [ 24.196967] ? print_usage_bug+0x3f0/0x3f0 [ 24.196978] ? debug_check_no_locks_freed+0x3d0/0x3d0 [ 24.196983] ? __lock_acquire+0x6e9/0x47f0 [ 24.196989] ? print_usage_bug+0x3f0/0x3f0 [ 24.196995] ? __lock_acquire+0x6e9/0x47f0 [ 24.197006] ? __lock_acquire+0x6e9/0x47f0 [ 24.197015] ? debug_check_no_locks_freed+0x3d0/0x3d0 [ 24.197022] ? __is_insn_slot_addr+0x1fc/0x330 [ 24.197028] ? __lock_acquire+0x6e9/0x47f0 [ 24.197037] ? lock_release+0xda0/0xda0 [ 24.197043] ? check_noncircular+0x20/0x20 [ 24.197049] ? bpf_prog_kallsyms_find+0xbd/0x440 [ 24.197056] ? modules_open+0xa0/0xa0 [ 24.197062] ? is_bpf_text_address+0x7b/0x120 [ 24.197068] ? lock_downgrade+0x980/0x980 [ 24.197077] ? lock_release+0xda0/0xda0 [ 24.197085] lock_acquire+0x1d5/0x580 [ 24.197091] ? remove_wait_queue+0x81/0x350 [ 24.197100] ? lock_release+0xda0/0xda0 [ 24.197106] ? trace_event_raw_event_sched_switch+0x800/0x800 [ 24.197112] ? kernel_text_address+0x102/0x140 [ 24.197121] ? rcu_note_context_switch+0x710/0x710 [ 24.197128] ? lock_acquire+0x1d5/0x580 [ 24.197135] ? ep_unregister_pollwait.isra.7+0x323/0x590 [ 24.197144] _raw_spin_lock_irqsave+0x96/0xc0 [ 24.197149] ? remove_wait_queue+0x81/0x350 [ 24.197156] remove_wait_queue+0x81/0x350 [ 24.197163] ? add_wait_queue+0x290/0x290 [ 24.197169] ? rcutorture_record_progress+0x10/0x10 [ 24.197175] ? mutex_lock_io_nested+0x1900/0x1900 [ 24.197183] ep_unregister_pollwait.isra.7+0x18c/0x590 [ 24.197192] ? clear_tfile_check_list+0x370/0x370 [ 24.197201] ? debug_check_no_locks_freed+0x3d0/0x3d0 [ 24.197206] ? rcutorture_record_progress+0x10/0x10 [ 24.197215] ? is_bpf_text_address+0xa4/0x120 [ 24.197221] ep_remove+0xcd/0x810 [ 24.197227] ? check_noncircular+0x20/0x20 [ 24.197234] ? ep_destroy_wakeup_source+0x240/0x240 [ 24.197241] ? check_noncircular+0x20/0x20 [ 24.197249] ? free_fs_struct+0x52/0x60 [ 24.197257] ? fsnotify+0x7b3/0x1140 [ 24.197269] eventpoll_release_file+0xb4/0x130 [ 24.197277] __fput+0x603/0x7f0 [ 24.197285] ? fput+0x140/0x140 [ 24.197291] ? _raw_spin_unlock_irq+0x27/0x70 [ 24.197299] ____fput+0x15/0x20 [ 24.197305] task_work_run+0x199/0x270 [ 24.197313] ? task_work_cancel+0x210/0x210 [ 24.197319] ? _raw_spin_unlock+0x22/0x30 [ 24.197325] ? switch_task_namespaces+0x87/0xc0 [ 24.197333] do_exit+0x9bb/0x1ae0 [ 24.197342] ? binder_ioctl+0x561/0x141a [ 24.197348] ? mm_update_next_owner+0x930/0x930 [ 24.197356] ? binder_ioctl_write_read.isra.41+0xcb0/0xcb0 [ 24.197366] ? avc_ss_reset+0x110/0x110 [ 24.197372] ? mutex_unlock+0xd/0x10 [ 24.197385] ? down_read_trylock+0xdb/0x170 [ 24.197395] ? trace_event_raw_event_sched_switch+0x800/0x800 [ 24.197400] ? up_read+0x1a/0x40 [ 24.197410] ? rcu_note_context_switch+0x710/0x710 [ 24.197419] ? binder_ioctl_write_read.isra.41+0xcb0/0xcb0 [ 24.197426] ? do_vfs_ioctl+0x492/0x1530 [ 24.197431] ? _cond_resched+0x14/0x30 [ 24.197439] ? ioctl_preallocate+0x2b0/0x2b0 [ 24.197447] ? selinux_capable+0x40/0x40 [ 24.197453] ? putname+0xf3/0x130 [ 24.197461] do_group_exit+0x149/0x400 [ 24.197468] ? SyS_exit+0x30/0x30 [ 24.197474] ? trace_hardirqs_on_caller+0x421/0x5c0 [ 24.197483] ? trace_hardirqs_on_thunk+0x1a/0x1c [ 24.197490] SyS_exit_group+0x1d/0x20 [ 24.197496] entry_SYSCALL_64_fastpath+0x1f/0x96 [ 24.197501] RIP: 0033:0x4429f8 [ 24.197504] RSP: 002b:00007ffeb29a9f68 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7 [ 24.197510] RAX: ffffffffffffffda RBX: 00000000004002e0 RCX: 00000000004429f8 [ 24.197513] RDX: 0000000000000000 RSI: 000000000000003c RDI: 0000000000000000 [ 24.197517] RBP: 00000000006ce018 R08: 00000000000000e7 R09: ffffffffffffffd0 [ 24.197520] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000401a40 [ 24.197523] R13: 0000000000401ad0 R14: 0000000000000000 R15: 0000000000000000 [ 24.197532] [ 24.197535] Allocated by task 3144: [ 24.197540] save_stack+0x43/0xd0 [ 24.197545] kasan_kmalloc+0xad/0xe0 [ 24.197551] kmem_cache_alloc_trace+0x136/0x750 [ 24.197556] binder_get_thread+0x1cf/0x870 [ 24.197561] binder_poll+0x8c/0x390 [ 24.197565] ep_item_poll.isra.10+0xf2/0x320 [ 24.197570] ep_insert+0x6a2/0x1b50 [ 24.197574] SyS_epoll_ctl+0x129b/0x1a60 [ 24.197580] entry_SYSCALL_64_fastpath+0x1f/0x96 [ 24.197581] [ 24.197583] Freed by task 3144: [ 24.197587] save_stack+0x43/0xd0 [ 24.197591] kasan_slab_free+0x71/0xc0 [ 24.197596] kfree+0xca/0x250 [ 24.197601] binder_thread_dec_tmpref+0x27f/0x310 [ 24.197606] binder_thread_release+0x27d/0x540 [ 24.197611] binder_ioctl+0xc05/0x141a [ 24.197616] do_vfs_ioctl+0x1b1/0x1530 [ 24.197620] SyS_ioctl+0x8f/0xc0 [ 24.197626] entry_SYSCALL_64_fastpath+0x1f/0x96 [ 24.197627] [ 24.197631] The buggy address belongs to the object at ffff8801c5347d00 [ 24.197631] which belongs to the cache kmalloc-512 of size 512 [ 24.197636] The buggy address is located 184 bytes inside of [ 24.197636] 512-byte region [ffff8801c5347d00, ffff8801c5347f00) [ 24.197638] The buggy address belongs to the page: [ 24.197643] page:00000000b537e532 count:1 mapcount:0 mapping:000000008c443d1e index:0x0 [ 24.197648] flags: 0x2fffc0000000100(slab) [ 24.197657] raw: 02fffc0000000100 ffff8801c5347080 0000000000000000 0000000100000006 [ 24.197663] raw: ffffea000714faa0 ffffea000714fc60 ffff8801dac00940 0000000000000000 [ 24.197666] page dumped because: kasan: bad access detected [ 24.197667] [ 24.197668] Memory state around the buggy address: [ 24.197673] ffff8801c5347c80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 24.197677] ffff8801c5347d00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 24.197682] >ffff8801c5347d80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 24.197684] ^ [ 24.197688] ffff8801c5347e00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 24.197692] ffff8801c5347e80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 24.197694] ================================================================== [ 24.197696] Disabling lock debugging due to kernel taint [ 24.197699] Kernel panic - not syncing: panic_on_warn set ... [ 24.197699] [ 24.197704] CPU: 0 PID: 3144 Comm: syzkaller865002 Tainted: G B 4.15.0-rc2-mm1+ #39 [ 24.197707] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 24.197709] Call Trace: [ 24.197715] dump_stack+0x194/0x257 [ 24.197722] ? arch_local_irq_restore+0x53/0x53 [ 24.197728] ? vprintk_default+0x28/0x30 [ 24.197735] ? vsnprintf+0x1ed/0x1900 [ 24.197741] ? __lock_acquire+0x45b0/0x47f0 [ 24.197747] panic+0x1e4/0x41c [ 24.197752] ? refcount_error_report+0x214/0x214 [ 24.197759] ? add_taint+0x40/0x50 [ 24.197764] ? add_taint+0x1c/0x50 [ 24.197771] ? __lock_acquire+0x465e/0x47f0 [ 24.197776] kasan_end_report+0x50/0x50 [ 24.197782] kasan_report+0x144/0x340 [ 24.197789] __asan_report_load8_noabort+0x14/0x20 [ 24.197794] __lock_acquire+0x465e/0x47f0 [ 24.197800] ? print_usage_bug+0x3f0/0x3f0 [ 24.197807] ? unwind_next_frame.part.6+0x1a6/0xb40 [ 24.197813] ? print_usage_bug+0x3f0/0x3f0 [ 24.197823] ? debug_check_no_locks_freed+0x3d0/0x3d0 [ 24.197828] ? __lock_acquire+0x6e9/0x47f0 [ 24.197834] ? print_usage_bug+0x3f0/0x3f0 [ 24.197840] ? __lock_acquire+0x6e9/0x47f0 [ 24.197847] ? __lock_acquire+0x6e9/0x47f0 [ 24.197855] ? debug_check_no_locks_freed+0x3d0/0x3d0 [ 24.197861] ? __is_insn_slot_addr+0x1fc/0x330 [ 24.197867] ? __lock_acquire+0x6e9/0x47f0 [ 24.197876] ? lock_release+0xda0/0xda0 [ 24.197881] ? check_noncircular+0x20/0x20 [ 24.197887] ? bpf_prog_kallsyms_find+0xbd/0x440 [ 24.197893] ? modules_open+0xa0/0xa0 [ 24.197898] ? is_bpf_text_address+0x7b/0x120 [ 24.197904] ? lock_downgrade+0x980/0x980 [ 24.197913] ? lock_release+0xda0/0xda0 [ 24.197921] lock_acquire+0x1d5/0x580 [ 24.197926] ? remove_wait_queue+0x81/0x350 [ 24.197934] ? lock_release+0xda0/0xda0 [ 24.197940] ? trace_event_raw_event_sched_switch+0x800/0x800 [ 24.197946] ? kernel_text_address+0x102/0x140 [ 24.197953] ? rcu_note_context_switch+0x710/0x710 [ 24.197959] ? lock_acquire+0x1d5/0x580 [ 24.197965] ? ep_unregister_pollwait.isra.7+0x323/0x590 [ 24.197972] _raw_spin_lock_irqsave+0x96/0xc0 [ 24.197978] ? remove_wait_queue+0x81/0x350 [ 24.197984] remove_wait_queue+0x81/0x350 [ 24.197991] ? add_wait_queue+0x290/0x290 [ 24.197997] ? rcutorture_record_progress+0x10/0x10 [ 24.198003] ? mutex_lock_io_nested+0x1900/0x1900 [ 24.198011] ep_unregister_pollwait.isra.7+0x18c/0x590 [ 24.198019] ? clear_tfile_check_list+0x370/0x370 [ 24.198027] ? debug_check_no_locks_freed+0x3d0/0x3d0 [ 24.198033] ? rcutorture_record_progress+0x10/0x10 [ 24.198041] ? is_bpf_text_address+0xa4/0x120 [ 24.198047] ep_remove+0xcd/0x810 [ 24.198053] ? check_noncircular+0x20/0x20 [ 24.198059] ? ep_destroy_wakeup_source+0x240/0x240 [ 24.198066] ? check_noncircular+0x20/0x20 [ 24.198073] ? free_fs_struct+0x52/0x60 [ 24.198081] ? fsnotify+0x7b3/0x1140 [ 24.198093] eventpoll_release_file+0xb4/0x130 [ 24.198099] __fput+0x603/0x7f0 [ 24.198106] ? fput+0x140/0x140 [ 24.198113] ? _raw_spin_unlock_irq+0x27/0x70 [ 24.198120] ____fput+0x15/0x20 [ 24.198126] task_work_run+0x199/0x270 [ 24.198134] ? task_work_cancel+0x210/0x210 [ 24.198140] ? _raw_spin_unlock+0x22/0x30 [ 24.198146] ? switch_task_namespaces+0x87/0xc0 [ 24.198153] do_exit+0x9bb/0x1ae0 [ 24.198160] ? binder_ioctl+0x561/0x141a [ 24.198166] ? mm_update_next_owner+0x930/0x930 [ 24.198174] ? binder_ioctl_write_read.isra.41+0xcb0/0xcb0 [ 24.198183] ? avc_ss_reset+0x110/0x110 [ 24.198188] ? mutex_unlock+0xd/0x10 [ 24.198201] ? down_read_trylock+0xdb/0x170 [ 24.198211] ? trace_event_raw_event_sched_switch+0x800/0x800 [ 24.198215] ? up_read+0x1a/0x40 [ 24.198221] ? rcu_note_context_switch+0x710/0x710 [ 24.198231] ? binder_ioctl_write_read.isra.41+0xcb0/0xcb0 [ 24.198236] ? do_vfs_ioctl+0x492/0x1530 [ 24.198241] ? _cond_resched+0x14/0x30 [ 24.198249] ? ioctl_preallocate+0x2b0/0x2b0 [ 24.198255] ? selinux_capable+0x40/0x40 [ 24.198262] ? putname+0xf3/0x130 [ 24.198269] do_group_exit+0x149/0x400 [ 24.198276] ? SyS_exit+0x30/0x30 [ 24.198282] ? trace_hardirqs_on_caller+0x421/0x5c0 [ 24.198288] ? trace_hardirqs_on_thunk+0x1a/0x1c [ 24.198295] SyS_exit_group+0x1d/0x20 [ 24.198302] entry_SYSCALL_64_fastpath+0x1f/0x96 [ 24.198305] RIP: 0033:0x4429f8 [ 24.198308] RSP: 002b:00007ffeb29a9f68 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7 [ 24.198314] RAX: ffffffffffffffda RBX: 00000000004002e0 RCX: 00000000004429f8 [ 24.198317] RDX: 0000000000000000 RSI: 000000000000003c RDI: 0000000000000000 [ 24.198320] RBP: 00000000006ce018 R08: 00000000000000e7 R09: ffffffffffffffd0 [ 24.198324] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000401a40 [ 24.198327] R13: 0000000000401ad0 R14: 0000000000000000 R15: 0000000000000000 [ 24.217867] Dumping ftrace buffer: [ 24.217870] (ftrace buffer empty) [ 24.217873] Kernel Offset: disabled [ 25.340997] Rebooting in 86400 seconds..