[?25l[?1c7[1G[[32m ok [39;49m8[?25h[?0c.
[....] Starting periodic command scheduler: cron[?25l[?1c7[1G[[32m ok [39;49m8[?25h[?0c.
Starting mcstransd: 
[....] Starting file context maintaining daemon: restorecond[?25l[?1c7[1G[[32m ok [39;49m8[?25h[?0c.
[....] Starting OpenBSD Secure Shell server: sshd[?25l[?1c7[1G[[32m ok [39;49m8[?25h[?0c.
[   11.350900] audit: type=1400 audit(1514782301.889:6): avc:  denied  { map } for  pid=3137 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1

Debian GNU/Linux 7 syzkaller ttyS0

Warning: Permanently added '10.128.15.210' (ECDSA) to the list of known hosts.
executing program
syzkaller login: [   17.560083] audit: type=1400 audit(1514782308.098:7): avc:  denied  { map } for  pid=3151 comm="syzkaller544670" path="/root/syzkaller544670497" dev="sda1" ino=16481 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
[   17.565865] ==================================================================
[   17.565881] BUG: KASAN: use-after-free in __lock_acquire+0x3d4d/0x3e00
[   17.565887] Read of size 8 at addr ffff8801c97a3138 by task syzkaller544670/3151
[   17.565888] 
[   17.565895] CPU: 1 PID: 3151 Comm: syzkaller544670 Not tainted 4.15.0-rc4-mm1+ #49
[   17.565899] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   17.565901] Call Trace:
[   17.565910]  dump_stack+0x194/0x257
[   17.565918]  ? arch_local_irq_restore+0x53/0x53
[   17.565927]  ? show_regs_print_info+0x18/0x18
[   17.565932]  ? print_irqtrace_events+0x270/0x270
[   17.565938]  ? __lock_acquire+0x664/0x3e00
[   17.565945]  ? __lock_acquire+0x3d4d/0x3e00
[   17.565955]  print_address_description+0x73/0x250
[   17.565961]  ? __lock_acquire+0x3d4d/0x3e00
[   17.565967]  kasan_report+0x23b/0x360
[   17.565976]  __asan_report_load8_noabort+0x14/0x20
[   17.565981]  __lock_acquire+0x3d4d/0x3e00
[   17.565987]  ? __lock_acquire+0x664/0x3e00
[   17.565993]  ? lock_downgrade+0x980/0x980
[   17.565998]  ? lock_downgrade+0x980/0x980
[   17.566010]  ? remove_wait_queue+0x81/0x350
[   17.566019]  ? debug_check_no_locks_freed+0x3c0/0x3c0
[   17.566026]  ? __lock_acquire+0x664/0x3e00
[   17.566031]  ? check_noncircular+0x20/0x20
[   17.566044]  ? debug_check_no_locks_freed+0x3c0/0x3c0
[   17.566051]  ? lock_acquire+0x1d5/0x580
[   17.566056]  ? lock_acquire+0x1d5/0x580
[   17.566063]  ? ep_free+0xf4/0x320
[   17.566072]  ? lock_release+0xa40/0xa40
[   17.566079]  ? trace_event_raw_event_sched_switch+0x800/0x800
[   17.566085]  ? print_irqtrace_events+0x270/0x270
[   17.566092]  ? rcu_note_context_switch+0x710/0x710
[   17.566099]  ? __might_sleep+0x95/0x190
[   17.566105]  ? ep_free+0xf4/0x320
[   17.566112]  ? __mutex_lock+0x16f/0x1a80
[   17.566116]  ? ep_free+0xf4/0x320
[   17.566123]  ? print_irqtrace_events+0x270/0x270
[   17.566128]  ? ep_free+0xf4/0x320
[   17.566136]  lock_acquire+0x1d5/0x580
[   17.566142]  ? lock_acquire+0x1d5/0x580
[   17.566147]  ? remove_wait_queue+0x81/0x350
[   17.566153]  ? __lock_acquire+0x664/0x3e00
[   17.566161]  ? lock_release+0xa40/0xa40
[   17.566170]  ? lock_acquire+0x1d5/0x580
[   17.566175]  ? lock_acquire+0x1d5/0x580
[   17.566181]  ? ep_unregister_pollwait.isra.7+0x323/0x590
[   17.566189]  _raw_spin_lock_irqsave+0x96/0xc0
[   17.566195]  ? remove_wait_queue+0x81/0x350
[   17.566201]  remove_wait_queue+0x81/0x350
[   17.566209]  ? add_wait_queue+0x290/0x290
[   17.566215]  ? rcutorture_record_progress+0x10/0x10
[   17.566225]  ep_unregister_pollwait.isra.7+0x18c/0x590
[   17.566235]  ? __kernel_text_address+0xd/0x40
[   17.566243]  ? clear_tfile_check_list+0x370/0x370
[   17.566251]  ? check_noncircular+0x20/0x20
[   17.566259]  ? locks_remove_file+0x3fa/0x5a0
[   17.566269]  ep_free+0x13f/0x320
[   17.566275]  ? ep_remove+0x800/0x800
[   17.566280]  ? fsnotify_first_mark+0x2b0/0x2b0
[   17.566288]  ? ep_free+0x320/0x320
[   17.566294]  ep_eventpoll_release+0x44/0x60
[   17.566301]  __fput+0x327/0x7e0
[   17.566309]  ? fput+0x140/0x140
[   17.566316]  ? _raw_spin_unlock_irq+0x27/0x70
[   17.566324]  ____fput+0x15/0x20
[   17.566330]  task_work_run+0x199/0x270
[   17.566342]  ? task_work_cancel+0x210/0x210
[   17.566348]  ? _raw_spin_unlock+0x22/0x30
[   17.566354]  ? switch_task_namespaces+0x87/0xc0
[   17.566363]  do_exit+0x9bb/0x1ad0
[   17.566373]  ? binder_ioctl+0x551/0x1417
[   17.566380]  ? mm_update_next_owner+0x930/0x930
[   17.566387]  ? binder_ioctl_write_read.isra.38+0xcb0/0xcb0
[   17.566398]  ? avc_ss_reset+0x110/0x110
[   17.566406]  ? mutex_unlock+0xd/0x10
[   17.566412]  ? SyS_epoll_ctl+0x30a/0x1a80
[   17.566432]  ? trace_event_raw_event_sched_switch+0x800/0x800
[   17.566436]  ? up_read+0x1a/0x40
[   17.566443]  ? rcu_note_context_switch+0x710/0x710
[   17.566450]  ? __fd_install+0x288/0x740
[   17.566458]  ? binder_ioctl_write_read.isra.38+0xcb0/0xcb0
[   17.566465]  ? do_vfs_ioctl+0x486/0x1520
[   17.566471]  ? _cond_resched+0x14/0x30
[   17.566478]  ? ioctl_preallocate+0x2b0/0x2b0
[   17.566487]  ? selinux_capable+0x40/0x40
[   17.566493]  ? __alloc_fd+0x750/0x750
[   17.566501]  do_group_exit+0x149/0x400
[   17.566508]  ? SyS_exit+0x30/0x30
[   17.566515]  ? trace_hardirqs_on_caller+0x421/0x5c0
[   17.566523]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[   17.566531]  SyS_exit_group+0x1d/0x20
[   17.566537]  entry_SYSCALL_64_fastpath+0x1f/0x96
[   17.566542] RIP: 0033:0x4429f8
[   17.566545] RSP: 002b:00007ffd440fbf28 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
[   17.566551] RAX: ffffffffffffffda RBX: 00000000004002e0 RCX: 00000000004429f8
[   17.566555] RDX: 0000000000000000 RSI: 000000000000003c RDI: 0000000000000000
[   17.566558] RBP: 00000000006ce018 R08: 00000000000000e7 R09: ffffffffffffffd0
[   17.566561] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000401a40
[   17.566564] R13: 0000000000401ad0 R14: 0000000000000000 R15: 0000000000000000
[   17.566573] 
[   17.566575] Allocated by task 3151:
[   17.566582]  save_stack+0x43/0xd0
[   17.566587]  kasan_kmalloc+0xad/0xe0
[   17.566593]  kmem_cache_alloc_trace+0x136/0x750
[   17.566597]  binder_get_thread+0x1cf/0x870
[   17.566601]  binder_poll+0x8c/0x390
[   17.566606]  ep_item_poll.isra.10+0xf2/0x320
[   17.566611]  ep_insert+0x6a2/0x1ac0
[   17.566616]  SyS_epoll_ctl+0x12bf/0x1a80
[   17.566621]  entry_SYSCALL_64_fastpath+0x1f/0x96
[   17.566622] 
[   17.566624] Freed by task 3151:
[   17.566628]  save_stack+0x43/0xd0
[   17.566633]  kasan_slab_free+0x71/0xc0
[   17.566637]  kfree+0xd6/0x260
[   17.566641]  binder_thread_dec_tmpref+0x27f/0x310
[   17.566646]  binder_thread_release+0x27d/0x540
[   17.566650]  binder_ioctl+0xc02/0x1417
[   17.566654]  do_vfs_ioctl+0x1b1/0x1520
[   17.566659]  SyS_ioctl+0x8f/0xc0
[   17.566663]  entry_SYSCALL_64_fastpath+0x1f/0x96
[   17.566665] 
[   17.566668] The buggy address belongs to the object at ffff8801c97a3080
[   17.566668]  which belongs to the cache kmalloc-512 of size 512
[   17.566673] The buggy address is located 184 bytes inside of
[   17.566673]  512-byte region [ffff8801c97a3080, ffff8801c97a3280)
[   17.566675] The buggy address belongs to the page:
[   17.566680] page:ffffea000725e8c0 count:1 mapcount:0 mapping:ffff8801c97a3080 index:0x0
[   17.566685] flags: 0x2fffc0000000100(slab)
[   17.566694] raw: 02fffc0000000100 ffff8801c97a3080 0000000000000000 0000000100000006
[   17.566701] raw: ffffea000727d0a0 ffffea0007297960 ffff8801dac00940 0000000000000000
[   17.566704] page dumped because: kasan: bad access detected
[   17.566705] 
[   17.566706] Memory state around the buggy address:
[   17.566711]  ffff8801c97a3000: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   17.566716]  ffff8801c97a3080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   17.566720] >ffff8801c97a3100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   17.566722]                                         ^
[   17.566727]  ffff8801c97a3180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   17.566731]  ffff8801c97a3200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   17.566733] ==================================================================
[   17.566734] Disabling lock debugging due to kernel taint
[   17.566738] Kernel panic - not syncing: panic_on_warn set ...
[   17.566738] 
[   17.566744] CPU: 1 PID: 3151 Comm: syzkaller544670 Tainted: G    B            4.15.0-rc4-mm1+ #49
[   17.566747] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   17.566748] Call Trace:
[   17.566754]  dump_stack+0x194/0x257
[   17.566761]  ? arch_local_irq_restore+0x53/0x53
[   17.566766]  ? kasan_end_report+0x32/0x50
[   17.566772]  ? lock_downgrade+0x980/0x980
[   17.566778]  ? vsnprintf+0x1ed/0x1900
[   17.566784]  ? __lock_acquire+0x3c90/0x3e00
[   17.566789]  panic+0x1e4/0x41c
[   17.566795]  ? refcount_error_report+0x214/0x214
[   17.566802]  ? add_taint+0x40/0x50
[   17.566807]  ? add_taint+0x1c/0x50
[   17.566814]  ? __lock_acquire+0x3d4d/0x3e00
[   17.566820]  kasan_end_report+0x50/0x50
[   17.566826]  kasan_report+0x148/0x360
[   17.566833]  __asan_report_load8_noabort+0x14/0x20
[   17.566839]  __lock_acquire+0x3d4d/0x3e00
[   17.566844]  ? __lock_acquire+0x664/0x3e00
[   17.566850]  ? lock_downgrade+0x980/0x980
[   17.566855]  ? lock_downgrade+0x980/0x980
[   17.566862]  ? remove_wait_queue+0x81/0x350
[   17.566871]  ? debug_check_no_locks_freed+0x3c0/0x3c0
[   17.566877]  ? __lock_acquire+0x664/0x3e00
[   17.566882]  ? check_noncircular+0x20/0x20
[   17.566894]  ? debug_check_no_locks_freed+0x3c0/0x3c0
[   17.566901]  ? lock_acquire+0x1d5/0x580
[   17.566906]  ? lock_acquire+0x1d5/0x580
[   17.566911]  ? ep_free+0xf4/0x320
[   17.566919]  ? lock_release+0xa40/0xa40
[   17.566925]  ? trace_event_raw_event_sched_switch+0x800/0x800
[   17.566931]  ? print_irqtrace_events+0x270/0x270
[   17.566937]  ? rcu_note_context_switch+0x710/0x710
[   17.566945]  ? __might_sleep+0x95/0x190
[   17.566950]  ? ep_free+0xf4/0x320
[   17.566955]  ? __mutex_lock+0x16f/0x1a80
[   17.566960]  ? ep_free+0xf4/0x320
[   17.566967]  ? print_irqtrace_events+0x270/0x270
[   17.566972]  ? ep_free+0xf4/0x320
[   17.566979]  lock_acquire+0x1d5/0x580
[   17.566985]  ? lock_acquire+0x1d5/0x580
[   17.566991]  ? remove_wait_queue+0x81/0x350
[   17.566996]  ? __lock_acquire+0x664/0x3e00
[   17.567003]  ? lock_release+0xa40/0xa40
[   17.567012]  ? lock_acquire+0x1d5/0x580
[   17.567017]  ? lock_acquire+0x1d5/0x580
[   17.567024]  ? ep_unregister_pollwait.isra.7+0x323/0x590
[   17.567031]  _raw_spin_lock_irqsave+0x96/0xc0
[   17.567036]  ? remove_wait_queue+0x81/0x350
[   17.567042]  remove_wait_queue+0x81/0x350
[   17.567050]  ? add_wait_queue+0x290/0x290
[   17.567055]  ? rcutorture_record_progress+0x10/0x10
[   17.567065]  ep_unregister_pollwait.isra.7+0x18c/0x590
[   17.567071]  ? __kernel_text_address+0xd/0x40
[   17.567079]  ? clear_tfile_check_list+0x370/0x370
[   17.567086]  ? check_noncircular+0x20/0x20
[   17.567094]  ? locks_remove_file+0x3fa/0x5a0
[   17.567103]  ep_free+0x13f/0x320
[   17.567109]  ? ep_remove+0x800/0x800
[   17.567114]  ? fsnotify_first_mark+0x2b0/0x2b0
[   17.567121]  ? ep_free+0x320/0x320
[   17.567127]  ep_eventpoll_release+0x44/0x60
[   17.567133]  __fput+0x327/0x7e0
[   17.567141]  ? fput+0x140/0x140
[   17.567147]  ? _raw_spin_unlock_irq+0x27/0x70
[   17.567155]  ____fput+0x15/0x20
[   17.567161]  task_work_run+0x199/0x270
[   17.567168]  ? task_work_cancel+0x210/0x210
[   17.567174]  ? _raw_spin_unlock+0x22/0x30
[   17.567180]  ? switch_task_namespaces+0x87/0xc0
[   17.567187]  do_exit+0x9bb/0x1ad0
[   17.567194]  ? binder_ioctl+0x551/0x1417
[   17.567200]  ? mm_update_next_owner+0x930/0x930
[   17.567208]  ? binder_ioctl_write_read.isra.38+0xcb0/0xcb0
[   17.567215]  ? avc_ss_reset+0x110/0x110
[   17.567221]  ? mutex_unlock+0xd/0x10
[   17.567227]  ? SyS_epoll_ctl+0x30a/0x1a80
[   17.567245]  ? trace_event_raw_event_sched_switch+0x800/0x800
[   17.567250]  ? up_read+0x1a/0x40
[   17.567256]  ? rcu_note_context_switch+0x710/0x710
[   17.567261]  ? __fd_install+0x288/0x740
[   17.567270]  ? binder_ioctl_write_read.isra.38+0xcb0/0xcb0
[   17.567275]  ? do_vfs_ioctl+0x486/0x1520
[   17.567280]  ? _cond_resched+0x14/0x30
[   17.567287]  ? ioctl_preallocate+0x2b0/0x2b0
[   17.567294]  ? selinux_capable+0x40/0x40
[   17.567300]  ? __alloc_fd+0x750/0x750
[   17.567308]  do_group_exit+0x149/0x400
[   17.567315]  ? SyS_exit+0x30/0x30
[   17.567321]  ? trace_hardirqs_on_caller+0x421/0x5c0
[   17.567327]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[   17.567335]  SyS_exit_group+0x1d/0x20
[   17.567344]  entry_SYSCALL_64_fastpath+0x1f/0x96
[   17.567348] RIP: 0033:0x4429f8
[   17.567351] RSP: 002b:00007ffd440fbf28 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
[   17.567357] RAX: ffffffffffffffda RBX: 00000000004002e0 RCX: 00000000004429f8
[   17.567360] RDX: 0000000000000000 RSI: 000000000000003c RDI: 0000000000000000
[   17.567363] RBP: 00000000006ce018 R08: 00000000000000e7 R09: ffffffffffffffd0
[   17.567366] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000401a40
[   17.567370] R13: 0000000000401ad0 R14: 0000000000000000 R15: 0000000000000000
[   17.586448] Dumping ftrace buffer:
[   17.586452]    (ftrace buffer empty)
[   17.586455] Kernel Offset: disabled
[   18.710872] Rebooting in 86400 seconds..