[....] Starting enhanced syslogd: rsyslogd[ 12.549327] audit: type=1400 audit(1515087089.910:5): avc: denied { syslog } for pid=3349 comm="rsyslogd" capability=34 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=capability2 permissive=1 [ ok ]. [....] Starting periodic command scheduler: cron [ ok ]. Starting mcstransd: [....] Starting file context maintaining daemon: restorecond [ ok ]. [....] Starting OpenBSD Secure Shell server: sshd [ ok ]. Debian GNU/Linux 7 syzkaller ttyS0 syzkaller login: [ 16.924730] audit: type=1400 audit(1515087094.285:6): avc: denied { map } for pid=3489 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1 Warning: Permanently added '10.128.0.33' (ECDSA) to the list of known hosts. executing program [ 24.925225] audit: type=1400 audit(1515087102.286:7): avc: denied { map } for pid=3505 comm="syzkaller232303" path="/root/syzkaller232303076" dev="sda1" ino=16481 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1 [ 24.931876] ================================================================== [ 24.931890] BUG: KASAN: use-after-free in __lock_acquire+0x3d4d/0x3e00 [ 24.931895] Read of size 8 at addr ffff8801c77fdaf0 by task syzkaller232303/3505 [ 24.931897] [ 24.931903] CPU: 1 PID: 3505 Comm: syzkaller232303 Not tainted 4.15.0-rc6+ #157 [ 24.931906] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 24.931909] Call Trace: [ 24.931919] dump_stack+0x194/0x257 [ 24.931926] ? arch_local_irq_restore+0x53/0x53 [ 24.931935] ? show_regs_print_info+0x18/0x18 [ 24.931940] ? print_irqtrace_events+0x270/0x270 [ 24.931946] ? __lock_acquire+0x664/0x3e00 [ 24.931953] ? 
__lock_acquire+0x3d4d/0x3e00 [ 24.931962] print_address_description+0x73/0x250 [ 24.931968] ? __lock_acquire+0x3d4d/0x3e00 [ 24.931974] kasan_report+0x25b/0x340 [ 24.931983] __asan_report_load8_noabort+0x14/0x20 [ 24.931988] __lock_acquire+0x3d4d/0x3e00 [ 24.931993] ? __lock_acquire+0x664/0x3e00 [ 24.931999] ? lock_downgrade+0x980/0x980 [ 24.932008] ? lock_downgrade+0x980/0x980 [ 24.932014] ? print_irqtrace_events+0x270/0x270 [ 24.932021] ? remove_wait_queue+0x81/0x350 [ 24.932031] ? debug_check_no_locks_freed+0x3c0/0x3c0 [ 24.932037] ? __lock_acquire+0x664/0x3e00 [ 24.932043] ? check_noncircular+0x20/0x20 [ 24.932054] ? debug_check_no_locks_freed+0x3c0/0x3c0 [ 24.932061] ? lock_acquire+0x1d5/0x580 [ 24.932067] ? lock_acquire+0x1d5/0x580 [ 24.932074] ? ep_free+0xf4/0x320 [ 24.932083] ? lock_release+0xa40/0xa40 [ 24.932089] ? trace_event_raw_event_sched_switch+0x800/0x800 [ 24.932099] ? print_irqtrace_events+0x270/0x270 [ 24.932105] ? print_irqtrace_events+0x270/0x270 [ 24.932112] ? rcu_note_context_switch+0x710/0x710 [ 24.932119] ? __might_sleep+0x95/0x190 [ 24.932125] ? ep_free+0xf4/0x320 [ 24.932131] ? __mutex_lock+0x16f/0x1a80 [ 24.932137] ? ep_free+0xf4/0x320 [ 24.932143] ? print_irqtrace_events+0x270/0x270 [ 24.932148] ? ep_free+0xf4/0x320 [ 24.932156] lock_acquire+0x1d5/0x580 [ 24.932162] ? lock_acquire+0x1d5/0x580 [ 24.932168] ? remove_wait_queue+0x81/0x350 [ 24.932176] ? lock_release+0xa40/0xa40 [ 24.932185] ? lock_acquire+0x1d5/0x580 [ 24.932191] ? debug_check_no_locks_freed+0x3c0/0x3c0 [ 24.932196] ? lock_acquire+0x1d5/0x580 [ 24.932202] ? ep_unregister_pollwait.isra.7+0x323/0x590 [ 24.932210] _raw_spin_lock_irqsave+0x96/0xc0 [ 24.932215] ? remove_wait_queue+0x81/0x350 [ 24.932222] remove_wait_queue+0x81/0x350 [ 24.932228] ? depot_save_stack+0x3b5/0x490 [ 24.932235] ? add_wait_queue+0x290/0x290 [ 24.932241] ? rcutorture_record_progress+0x10/0x10 [ 24.932247] ? lock_release+0xa40/0xa40 [ 24.932256] ep_unregister_pollwait.isra.7+0x18c/0x590 [ 24.932263] ? 
__kernel_text_address+0xd/0x40 [ 24.932271] ? clear_tfile_check_list+0x370/0x370 [ 24.932279] ? check_noncircular+0x20/0x20 [ 24.932287] ? locks_remove_file+0x3fa/0x5a0 [ 24.932297] ep_free+0x13f/0x320 [ 24.932303] ? ep_remove+0x800/0x800 [ 24.932309] ? fsnotify_first_mark+0x2b0/0x2b0 [ 24.932316] ? ep_free+0x320/0x320 [ 24.932322] ep_eventpoll_release+0x44/0x60 [ 24.932329] __fput+0x327/0x7e0 [ 24.932337] ? fput+0x140/0x140 [ 24.932344] ? _raw_spin_unlock_irq+0x27/0x70 [ 24.932352] ____fput+0x15/0x20 [ 24.932359] task_work_run+0x199/0x270 [ 24.932366] ? task_work_cancel+0x210/0x210 [ 24.932373] ? _raw_spin_unlock+0x22/0x30 [ 24.932379] ? switch_task_namespaces+0x87/0xc0 [ 24.932386] do_exit+0x9bb/0x1ad0 [ 24.932393] ? __handle_mm_fault+0x2330/0x3ce0 [ 24.932400] ? mm_update_next_owner+0x930/0x930 [ 24.932410] ? do_raw_spin_trylock+0x190/0x190 [ 24.932418] ? trace_event_raw_event_sched_switch+0x800/0x800 [ 24.932423] ? check_noncircular+0x20/0x20 [ 24.932431] ? _raw_spin_unlock+0x22/0x30 [ 24.932436] ? __handle_mm_fault+0x80e/0x3ce0 [ 24.932444] ? check_noncircular+0x20/0x20 [ 24.932449] ? __pmd_alloc+0x4e0/0x4e0 [ 24.932454] ? lock_downgrade+0x980/0x980 [ 24.932462] ? find_held_lock+0x35/0x1d0 [ 24.932470] ? handle_mm_fault+0x248/0x8d0 [ 24.932477] ? find_held_lock+0x35/0x1d0 [ 24.932487] ? __do_page_fault+0x5f7/0xc90 [ 24.932493] ? lock_downgrade+0x980/0x980 [ 24.932502] ? handle_mm_fault+0x410/0x8d0 [ 24.932507] ? down_read_trylock+0xdb/0x170 [ 24.932512] ? __do_page_fault+0x32d/0xc90 [ 24.932518] ? __handle_mm_fault+0x3ce0/0x3ce0 [ 24.932524] ? vmacache_find+0x5f/0x280 [ 24.932533] do_group_exit+0x149/0x400 [ 24.932539] ? __do_page_fault+0x3d6/0xc90 [ 24.932545] ? SyS_exit+0x30/0x30 [ 24.932553] ? do_fast_syscall_32+0x156/0xf9d [ 24.932559] ? do_group_exit+0x400/0x400 [ 24.932565] SyS_exit_group+0x1d/0x20 [ 24.932571] do_fast_syscall_32+0x3ee/0xf9d [ 24.932580] ? do_int80_syscall_32+0x9d0/0x9d0 [ 24.932586] ? kasan_check_read+0x11/0x20 [ 24.932593] ? 
syscall_return_slowpath+0x550/0x550 [ 24.932599] ? SyS_rt_sigaction+0x94/0x1b0 [ 24.932606] ? SyS_sigprocmask+0x4b0/0x4b0 [ 24.932611] ? SyS_read+0x184/0x220 [ 24.932617] ? retint_user+0x18/0x18 [ 24.932625] ? trace_hardirqs_off_thunk+0x1a/0x1c [ 24.932634] entry_SYSENTER_compat+0x54/0x63 [ 24.932639] RIP: 0023:0xf7fbac79 [ 24.932642] RSP: 002b:00000000ffd3266c EFLAGS: 00000296 ORIG_RAX: 00000000000000fc [ 24.932648] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00000000080f0298 [ 24.932651] RDX: 0000000000000000 RSI: 00000000080d9b18 RDI: 00000000080f02a0 [ 24.932654] RBP: 0000000000000001 R08: 0000000000000000 R09: 0000000000000000 [ 24.932657] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000 [ 24.932660] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000 [ 24.932668] [ 24.932671] Allocated by task 3505: [ 24.932677] save_stack+0x43/0xd0 [ 24.932681] kasan_kmalloc+0xad/0xe0 [ 24.932686] kmem_cache_alloc_trace+0x136/0x750 [ 24.932692] binder_get_thread+0x1cf/0x870 [ 24.932696] binder_poll+0x8c/0x390 [ 24.932701] ep_item_poll.isra.10+0xec/0x320 [ 24.932706] ep_insert+0x6a3/0x1b10 [ 24.932711] SyS_epoll_ctl+0x12e4/0x1ab0 [ 24.932716] do_fast_syscall_32+0x3ee/0xf9d [ 24.932722] entry_SYSENTER_compat+0x54/0x63 [ 24.932723] [ 24.932725] Freed by task 3505: [ 24.932729] save_stack+0x43/0xd0 [ 24.932734] kasan_slab_free+0x71/0xc0 [ 24.932738] kfree+0xd6/0x260 [ 24.932742] binder_thread_dec_tmpref+0x27f/0x310 [ 24.932747] binder_thread_release+0x27d/0x540 [ 24.932751] binder_ioctl+0xc02/0x1417 [ 24.932757] compat_SyS_ioctl+0x151/0x2a30 [ 24.932761] do_fast_syscall_32+0x3ee/0xf9d [ 24.932767] entry_SYSENTER_compat+0x54/0x63 [ 24.932768] [ 24.932772] The buggy address belongs to the object at ffff8801c77fda40 [ 24.932772] which belongs to the cache kmalloc-512 of size 512 [ 24.932777] The buggy address is located 176 bytes inside of [ 24.932777] 512-byte region [ffff8801c77fda40, ffff8801c77fdc40) [ 24.932778] The buggy address belongs to 
the page: [ 24.932783] page:0000000000641c30 count:1 mapcount:0 mapping:0000000024805dc6 index:0x0 [ 24.932789] flags: 0x2fffc0000000100(slab) [ 24.932797] raw: 02fffc0000000100 ffff8801c77fd040 0000000000000000 0000000100000006 [ 24.932803] raw: ffffea00071d5da0 ffffea00071c0aa0 ffff8801dac00940 0000000000000000 [ 24.932806] page dumped because: kasan: bad access detected [ 24.932807] [ 24.932809] Memory state around the buggy address: [ 24.932813] ffff8801c77fd980: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc [ 24.932818] ffff8801c77fda00: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb [ 24.932822] >ffff8801c77fda80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 24.932825] ^ [ 24.932829] ffff8801c77fdb00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 24.932833] ffff8801c77fdb80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 24.932835] ================================================================== [ 24.932836] Disabling lock debugging due to kernel taint [ 24.932840] Kernel panic - not syncing: panic_on_warn set ... [ 24.932840] [ 24.932845] CPU: 1 PID: 3505 Comm: syzkaller232303 Tainted: G B 4.15.0-rc6+ #157 [ 24.932848] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 24.932850] Call Trace: [ 24.932856] dump_stack+0x194/0x257 [ 24.932862] ? arch_local_irq_restore+0x53/0x53 [ 24.932868] ? kasan_end_report+0x32/0x50 [ 24.932874] ? lock_downgrade+0x980/0x980 [ 24.932881] ? vsnprintf+0x1ed/0x1900 [ 24.932887] ? __lock_acquire+0x3cb0/0x3e00 [ 24.932892] panic+0x1e4/0x41c [ 24.932898] ? refcount_error_report+0x214/0x214 [ 24.932906] ? add_taint+0x40/0x50 [ 24.932910] ? add_taint+0x1c/0x50 [ 24.932917] ? __lock_acquire+0x3d4d/0x3e00 [ 24.932923] kasan_end_report+0x50/0x50 [ 24.932929] kasan_report+0x144/0x340 [ 24.932936] __asan_report_load8_noabort+0x14/0x20 [ 24.932942] __lock_acquire+0x3d4d/0x3e00 [ 24.932947] ? __lock_acquire+0x664/0x3e00 [ 24.932953] ? lock_downgrade+0x980/0x980 [ 24.932958] ? 
lock_downgrade+0x980/0x980 [ 24.932964] ? print_irqtrace_events+0x270/0x270 [ 24.932970] ? remove_wait_queue+0x81/0x350 [ 24.932979] ? debug_check_no_locks_freed+0x3c0/0x3c0 [ 24.932985] ? __lock_acquire+0x664/0x3e00 [ 24.932991] ? check_noncircular+0x20/0x20 [ 24.933002] ? debug_check_no_locks_freed+0x3c0/0x3c0 [ 24.933009] ? lock_acquire+0x1d5/0x580 [ 24.933014] ? lock_acquire+0x1d5/0x580 [ 24.933019] ? ep_free+0xf4/0x320 [ 24.933027] ? lock_release+0xa40/0xa40 [ 24.933033] ? trace_event_raw_event_sched_switch+0x800/0x800 [ 24.933038] ? print_irqtrace_events+0x270/0x270 [ 24.933044] ? print_irqtrace_events+0x270/0x270 [ 24.933051] ? rcu_note_context_switch+0x710/0x710 [ 24.933058] ? __might_sleep+0x95/0x190 [ 24.933064] ? ep_free+0xf4/0x320 [ 24.933069] ? __mutex_lock+0x16f/0x1a80 [ 24.933074] ? ep_free+0xf4/0x320 [ 24.933080] ? print_irqtrace_events+0x270/0x270 [ 24.933085] ? ep_free+0xf4/0x320 [ 24.933097] lock_acquire+0x1d5/0x580 [ 24.933102] ? lock_acquire+0x1d5/0x580 [ 24.933108] ? remove_wait_queue+0x81/0x350 [ 24.933116] ? lock_release+0xa40/0xa40 [ 24.933124] ? lock_acquire+0x1d5/0x580 [ 24.933130] ? debug_check_no_locks_freed+0x3c0/0x3c0 [ 24.933135] ? lock_acquire+0x1d5/0x580 [ 24.933141] ? ep_unregister_pollwait.isra.7+0x323/0x590 [ 24.933148] _raw_spin_lock_irqsave+0x96/0xc0 [ 24.933154] ? remove_wait_queue+0x81/0x350 [ 24.933160] remove_wait_queue+0x81/0x350 [ 24.933166] ? depot_save_stack+0x3b5/0x490 [ 24.933172] ? add_wait_queue+0x290/0x290 [ 24.933178] ? rcutorture_record_progress+0x10/0x10 [ 24.933184] ? lock_release+0xa40/0xa40 [ 24.933193] ep_unregister_pollwait.isra.7+0x18c/0x590 [ 24.933199] ? __kernel_text_address+0xd/0x40 [ 24.933207] ? clear_tfile_check_list+0x370/0x370 [ 24.933214] ? check_noncircular+0x20/0x20 [ 24.933222] ? locks_remove_file+0x3fa/0x5a0 [ 24.933231] ep_free+0x13f/0x320 [ 24.933237] ? ep_remove+0x800/0x800 [ 24.933243] ? fsnotify_first_mark+0x2b0/0x2b0 [ 24.933250] ? 
ep_free+0x320/0x320 [ 24.933256] ep_eventpoll_release+0x44/0x60 [ 24.933262] __fput+0x327/0x7e0 [ 24.933270] ? fput+0x140/0x140 [ 24.933277] ? _raw_spin_unlock_irq+0x27/0x70 [ 24.933285] ____fput+0x15/0x20 [ 24.933291] task_work_run+0x199/0x270 [ 24.933298] ? task_work_cancel+0x210/0x210 [ 24.933304] ? _raw_spin_unlock+0x22/0x30 [ 24.933310] ? switch_task_namespaces+0x87/0xc0 [ 24.933318] do_exit+0x9bb/0x1ad0 [ 24.933323] ? __handle_mm_fault+0x2330/0x3ce0 [ 24.933331] ? mm_update_next_owner+0x930/0x930 [ 24.933340] ? do_raw_spin_trylock+0x190/0x190 [ 24.933347] ? trace_event_raw_event_sched_switch+0x800/0x800 [ 24.933352] ? check_noncircular+0x20/0x20 [ 24.933359] ? _raw_spin_unlock+0x22/0x30 [ 24.933365] ? __handle_mm_fault+0x80e/0x3ce0 [ 24.933373] ? check_noncircular+0x20/0x20 [ 24.933377] ? __pmd_alloc+0x4e0/0x4e0 [ 24.933383] ? lock_downgrade+0x980/0x980 [ 24.933391] ? find_held_lock+0x35/0x1d0 [ 24.933399] ? handle_mm_fault+0x248/0x8d0 [ 24.933406] ? find_held_lock+0x35/0x1d0 [ 24.933414] ? __do_page_fault+0x5f7/0xc90 [ 24.933420] ? lock_downgrade+0x980/0x980 [ 24.933429] ? handle_mm_fault+0x410/0x8d0 [ 24.933434] ? down_read_trylock+0xdb/0x170 [ 24.933439] ? __do_page_fault+0x32d/0xc90 [ 24.933445] ? __handle_mm_fault+0x3ce0/0x3ce0 [ 24.933451] ? vmacache_find+0x5f/0x280 [ 24.933459] do_group_exit+0x149/0x400 [ 24.933465] ? __do_page_fault+0x3d6/0xc90 [ 24.933471] ? SyS_exit+0x30/0x30 [ 24.933478] ? do_fast_syscall_32+0x156/0xf9d [ 24.933485] ? do_group_exit+0x400/0x400 [ 24.933491] SyS_exit_group+0x1d/0x20 [ 24.933497] do_fast_syscall_32+0x3ee/0xf9d [ 24.933505] ? do_int80_syscall_32+0x9d0/0x9d0 [ 24.933510] ? kasan_check_read+0x11/0x20 [ 24.933517] ? syscall_return_slowpath+0x550/0x550 [ 24.933524] ? SyS_rt_sigaction+0x94/0x1b0 [ 24.933530] ? SyS_sigprocmask+0x4b0/0x4b0 [ 24.933535] ? SyS_read+0x184/0x220 [ 24.933541] ? retint_user+0x18/0x18 [ 24.933549] ? 
trace_hardirqs_off_thunk+0x1a/0x1c [ 24.933558] entry_SYSENTER_compat+0x54/0x63 [ 24.933561] RIP: 0023:0xf7fbac79 [ 24.933564] RSP: 002b:00000000ffd3266c EFLAGS: 00000296 ORIG_RAX: 00000000000000fc [ 24.933570] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00000000080f0298 [ 24.933573] RDX: 0000000000000000 RSI: 00000000080d9b18 RDI: 00000000080f02a0 [ 24.933576] RBP: 0000000000000001 R08: 0000000000000000 R09: 0000000000000000 [ 24.933579] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000 [ 24.933582] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000 [ 24.951504] Dumping ftrace buffer: [ 24.951508] (ftrace buffer empty) [ 24.951510] Kernel Offset: disabled [ 26.235241] Rebooting in 86400 seconds..