[?25l[?1c7[ ok 8[?25h[?0c. [....] Starting periodic command scheduler: cron[?25l[?1c7[ ok 8[?25h[?0c. Starting mcstransd: [....] Starting file context maintaining daemon: restorecond[?25l[?1c7[ ok 8[?25h[?0c. [....] Starting OpenBSD Secure Shell server: sshd[?25l[?1c7[ ok 8[?25h[?0c. [ 14.922231] audit: type=1400 audit(1516143881.377:6): avc: denied { map } for pid=3641 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1 Debian GNU/Linux 7 syzkaller ttyS0 Warning: Permanently added '10.128.15.204' (ECDSA) to the list of known hosts. executing program syzkaller login: [ 21.139658] audit: type=1400 audit(1516143887.594:7): avc: denied { map } for pid=3655 comm="syzkaller503558" path="/root/syzkaller503558177" dev="sda1" ino=16481 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1 [ 21.144572] ================================================================== [ 21.144588] BUG: KASAN: use-after-free in __lock_acquire+0x3d4d/0x3e00 [ 21.144593] Read of size 8 at addr ffff8801bbdb40f0 by task syzkaller503558/3655 [ 21.144595] [ 21.144602] CPU: 0 PID: 3655 Comm: syzkaller503558 Not tainted 4.15.0-rc8+ #174 [ 21.144605] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 21.144607] Call Trace: [ 21.144619] dump_stack+0x194/0x257 [ 21.144628] ? arch_local_irq_restore+0x53/0x53 [ 21.144635] ? show_regs_print_info+0x18/0x18 [ 21.144643] ? __lock_acquire+0x3d4d/0x3e00 [ 21.144652] print_address_description+0x73/0x250 [ 21.144658] ? __lock_acquire+0x3d4d/0x3e00 [ 21.144664] kasan_report+0x25b/0x340 [ 21.144672] __asan_report_load8_noabort+0x14/0x20 [ 21.144678] __lock_acquire+0x3d4d/0x3e00 [ 21.144685] ? print_irqtrace_events+0x270/0x270 [ 21.144692] ? print_irqtrace_events+0x270/0x270 [ 21.144699] ? remove_wait_queue+0x81/0x350 [ 21.144709] ? debug_check_no_locks_freed+0x3c0/0x3c0 [ 21.144715] ? __lock_acquire+0x664/0x3e00 [ 21.144721] ? print_irqtrace_events+0x270/0x270 [ 21.144727] ? __lock_acquire+0x664/0x3e00 [ 21.144738] ? debug_check_no_locks_freed+0x3c0/0x3c0 [ 21.144747] ? __lock_acquire+0x664/0x3e00 [ 21.144752] ? debug_check_no_locks_freed+0x3c0/0x3c0 [ 21.144758] ? __lock_acquire+0x664/0x3e00 [ 21.144764] ? check_noncircular+0x20/0x20 [ 21.144772] ? check_noncircular+0x20/0x20 [ 21.144778] ? __lock_acquire+0x664/0x3e00 [ 21.144784] ? debug_check_no_locks_freed+0x3c0/0x3c0 [ 21.144791] ? check_noncircular+0x20/0x20 [ 21.144796] ? debug_check_no_locks_freed+0x3c0/0x3c0 [ 21.144807] ? debug_check_no_locks_freed+0x3c0/0x3c0 [ 21.144815] lock_acquire+0x1d5/0x580 [ 21.144820] ? lock_acquire+0x1d5/0x580 [ 21.144826] ? remove_wait_queue+0x81/0x350 [ 21.144834] ? lock_release+0xa40/0xa40 [ 21.144841] ? trace_event_raw_event_sched_switch+0x800/0x800 [ 21.144850] ? lock_acquire+0x1d5/0x580 [ 21.144855] ? lock_acquire+0x1d5/0x580 [ 21.144863] ? ep_unregister_pollwait.isra.7+0x323/0x590 [ 21.144872] _raw_spin_lock_irqsave+0x96/0xc0 [ 21.144878] ? remove_wait_queue+0x81/0x350 [ 21.144885] remove_wait_queue+0x81/0x350 [ 21.144891] ? eventpoll_release_file+0xba/0x140 [ 21.144898] ? add_wait_queue+0x290/0x290 [ 21.144904] ? rcutorture_record_progress+0x10/0x10 [ 21.144913] ep_unregister_pollwait.isra.7+0x18c/0x590 [ 21.144920] ? debug_check_no_locks_freed+0x3c0/0x3c0 [ 21.144928] ? clear_tfile_check_list+0x370/0x370 [ 21.144935] ? debug_check_no_locks_freed+0x3c0/0x3c0 [ 21.144943] ? depot_save_stack+0x3b5/0x490 [ 21.144949] ? lock_downgrade+0x980/0x980 [ 21.144960] ? is_bpf_text_address+0xa4/0x120 [ 21.144967] ep_remove+0xcd/0x800 [ 21.144975] ? unwind_get_return_address+0x61/0xa0 [ 21.144982] ? ep_destroy_wakeup_source+0x240/0x240 [ 21.144987] ? check_noncircular+0x20/0x20 [ 21.144994] ? check_noncircular+0x20/0x20 [ 21.145008] ? fsnotify+0x7b3/0x1140 [ 21.145021] eventpoll_release_file+0xc5/0x140 [ 21.145032] __fput+0x5f1/0x7e0 [ 21.145040] ? fput+0x140/0x140 [ 21.145047] ? _raw_spin_unlock_irq+0x27/0x70 [ 21.145055] ____fput+0x15/0x20 [ 21.145063] task_work_run+0x199/0x270 [ 21.145071] ? task_work_cancel+0x210/0x210 [ 21.145077] ? _raw_spin_unlock+0x22/0x30 [ 21.145084] ? switch_task_namespaces+0x87/0xc0 [ 21.145094] do_exit+0x9bb/0x1ad0 [ 21.145102] ? __handle_mm_fault+0x2330/0x3ce0 [ 21.145109] ? mm_update_next_owner+0x930/0x930 [ 21.145119] ? do_raw_spin_trylock+0x190/0x190 [ 21.145126] ? trace_event_raw_event_sched_switch+0x800/0x800 [ 21.145132] ? check_noncircular+0x20/0x20 [ 21.145140] ? _raw_spin_unlock+0x22/0x30 [ 21.145146] ? __handle_mm_fault+0x80e/0x3ce0 [ 21.145154] ? check_noncircular+0x20/0x20 [ 21.145159] ? __pmd_alloc+0x4e0/0x4e0 [ 21.145167] ? find_held_lock+0x35/0x1d0 [ 21.145176] ? handle_mm_fault+0x248/0x8d0 [ 21.145183] ? find_held_lock+0x35/0x1d0 [ 21.145193] ? __do_page_fault+0x5f7/0xc90 [ 21.145199] ? lock_downgrade+0x980/0x980 [ 21.145208] ? handle_mm_fault+0x410/0x8d0 [ 21.145213] ? down_read_trylock+0xdb/0x170 [ 21.145219] ? __do_page_fault+0x32d/0xc90 [ 21.145225] ? __handle_mm_fault+0x3ce0/0x3ce0 [ 21.145232] ? vmacache_find+0x5f/0x280 [ 21.145241] do_group_exit+0x149/0x400 [ 21.145247] ? __do_page_fault+0x3d6/0xc90 [ 21.145253] ? SyS_exit+0x30/0x30 [ 21.145262] ? do_fast_syscall_32+0x156/0xf9d [ 21.145269] ? do_group_exit+0x400/0x400 [ 21.145275] SyS_exit_group+0x1d/0x20 [ 21.145281] do_fast_syscall_32+0x3ee/0xf9d [ 21.145290] ? do_int80_syscall_32+0x9d0/0x9d0 [ 21.145295] ? kasan_check_read+0x11/0x20 [ 21.145302] ? syscall_return_slowpath+0x550/0x550 [ 21.145309] ? SyS_rt_sigaction+0x94/0x1b0 [ 21.145316] ? SyS_sigprocmask+0x4b0/0x4b0 [ 21.145322] ? SyS_read+0x184/0x220 [ 21.145327] ? retint_user+0x18/0x18 [ 21.145335] ? trace_hardirqs_off_thunk+0x1a/0x1c [ 21.145344] entry_SYSENTER_compat+0x54/0x63 [ 21.145349] RIP: 0023:0xf7f78c79 [ 21.145352] RSP: 002b:00000000ffbdbd3c EFLAGS: 00000292 ORIG_RAX: 00000000000000fc [ 21.145358] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00000000080f0298 [ 21.145361] RDX: 0000000000000000 RSI: 00000000080d9ab8 RDI: 00000000080f02a0 [ 21.145364] RBP: 0000000000000001 R08: 0000000000000000 R09: 0000000000000000 [ 21.145368] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000 [ 21.145371] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000 [ 21.145379] [ 21.145381] Allocated by task 3655: [ 21.145387] save_stack+0x43/0xd0 [ 21.145391] kasan_kmalloc+0xad/0xe0 [ 21.145396] kmem_cache_alloc_trace+0x136/0x750 [ 21.145408] binder_get_thread+0x1cf/0x870 [ 21.145413] binder_poll+0x8c/0x390 [ 21.145418] ep_item_poll.isra.10+0xec/0x320 [ 21.145423] ep_insert+0x6a3/0x1b10 [ 21.145428] SyS_epoll_ctl+0x12e4/0x1ab0 [ 21.145433] do_fast_syscall_32+0x3ee/0xf9d [ 21.145438] entry_SYSENTER_compat+0x54/0x63 [ 21.145439] [ 21.145441] Freed by task 3655: [ 21.145446] save_stack+0x43/0xd0 [ 21.145451] kasan_slab_free+0x71/0xc0 [ 21.145455] kfree+0xd6/0x260 [ 21.145461] binder_thread_dec_tmpref+0x27f/0x310 [ 21.145466] binder_thread_release+0x27d/0x540 [ 21.145471] binder_ioctl+0xc02/0x1417 [ 21.145478] compat_SyS_ioctl+0x151/0x2a30 [ 21.145483] do_fast_syscall_32+0x3ee/0xf9d [ 21.145487] entry_SYSENTER_compat+0x54/0x63 [ 21.145489] [ 21.145492] The buggy address belongs to the object at ffff8801bbdb4040 [ 21.145492] which belongs to the cache kmalloc-512 of size 512 [ 21.145497] The buggy address is located 176 bytes inside of [ 21.145497] 512-byte region [ffff8801bbdb4040, ffff8801bbdb4240) [ 21.145499] The buggy address belongs to the page: [ 21.145504] page:ffffea0006ef6d00 count:1 mapcount:0 mapping:ffff8801bbdb4040 index:0x0 [ 21.145509] flags: 0x2fffc0000000100(slab) [ 21.145518] raw: 02fffc0000000100 ffff8801bbdb4040 0000000000000000 0000000100000006 [ 21.145525] raw: ffffea0006ef7da0 ffff8801dac01748 ffff8801dac00940 0000000000000000 [ 21.145527] page dumped because: kasan: bad access detected [ 21.145528] [ 21.145529] Memory state around the buggy address: [ 21.145534] ffff8801bbdb3f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 21.145539] ffff8801bbdb4000: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb [ 21.145543] >ffff8801bbdb4080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 21.145545] ^ [ 21.145549] ffff8801bbdb4100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 21.145553] ffff8801bbdb4180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 21.145555] ================================================================== [ 21.145557] Disabling lock debugging due to kernel taint [ 21.145560] Kernel panic - not syncing: panic_on_warn set ... [ 21.145560] [ 21.145566] CPU: 0 PID: 3655 Comm: syzkaller503558 Tainted: G B 4.15.0-rc8+ #174 [ 21.145569] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 21.145571] Call Trace: [ 21.145577] dump_stack+0x194/0x257 [ 21.145585] ? arch_local_irq_restore+0x53/0x53 [ 21.145590] ? kasan_end_report+0x32/0x50 [ 21.145596] ? lock_downgrade+0x980/0x980 [ 21.145603] ? vsnprintf+0x1ed/0x1900 [ 21.145609] ? __lock_acquire+0x3c70/0x3e00 [ 21.145615] panic+0x1e4/0x41c [ 21.145621] ? refcount_error_report+0x214/0x214 [ 21.145628] ? add_taint+0x40/0x50 [ 21.145633] ? add_taint+0x1c/0x50 [ 21.145640] ? __lock_acquire+0x3d4d/0x3e00 [ 21.145646] kasan_end_report+0x50/0x50 [ 21.145652] kasan_report+0x144/0x340 [ 21.145660] __asan_report_load8_noabort+0x14/0x20 [ 21.145665] __lock_acquire+0x3d4d/0x3e00 [ 21.145672] ? print_irqtrace_events+0x270/0x270 [ 21.145679] ? print_irqtrace_events+0x270/0x270 [ 21.145685] ? remove_wait_queue+0x81/0x350 [ 21.145693] ? debug_check_no_locks_freed+0x3c0/0x3c0 [ 21.145700] ? __lock_acquire+0x664/0x3e00 [ 21.145707] ? print_irqtrace_events+0x270/0x270 [ 21.145713] ? __lock_acquire+0x664/0x3e00 [ 21.145723] ? debug_check_no_locks_freed+0x3c0/0x3c0 [ 21.145731] ? __lock_acquire+0x664/0x3e00 [ 21.145737] ? debug_check_no_locks_freed+0x3c0/0x3c0 [ 21.145743] ? __lock_acquire+0x664/0x3e00 [ 21.145748] ? check_noncircular+0x20/0x20 [ 21.145756] ? check_noncircular+0x20/0x20 [ 21.145762] ? __lock_acquire+0x664/0x3e00 [ 21.145769] ? debug_check_no_locks_freed+0x3c0/0x3c0 [ 21.145775] ? check_noncircular+0x20/0x20 [ 21.145780] ? debug_check_no_locks_freed+0x3c0/0x3c0 [ 21.145790] ? debug_check_no_locks_freed+0x3c0/0x3c0 [ 21.145798] lock_acquire+0x1d5/0x580 [ 21.145804] ? lock_acquire+0x1d5/0x580 [ 21.145809] ? remove_wait_queue+0x81/0x350 [ 21.145818] ? lock_release+0xa40/0xa40 [ 21.145823] ? trace_event_raw_event_sched_switch+0x800/0x800 [ 21.145832] ? lock_acquire+0x1d5/0x580 [ 21.145837] ? lock_acquire+0x1d5/0x580 [ 21.145843] ? ep_unregister_pollwait.isra.7+0x323/0x590 [ 21.145851] _raw_spin_lock_irqsave+0x96/0xc0 [ 21.145857] ? remove_wait_queue+0x81/0x350 [ 21.145863] remove_wait_queue+0x81/0x350 [ 21.145869] ? eventpoll_release_file+0xba/0x140 [ 21.145876] ? add_wait_queue+0x290/0x290 [ 21.145882] ? rcutorture_record_progress+0x10/0x10 [ 21.145892] ep_unregister_pollwait.isra.7+0x18c/0x590 [ 21.145898] ? debug_check_no_locks_freed+0x3c0/0x3c0 [ 21.145906] ? clear_tfile_check_list+0x370/0x370 [ 21.145912] ? debug_check_no_locks_freed+0x3c0/0x3c0 [ 21.145918] ? depot_save_stack+0x3b5/0x490 [ 21.145925] ? lock_downgrade+0x980/0x980 [ 21.145934] ? is_bpf_text_address+0xa4/0x120 [ 21.145941] ep_remove+0xcd/0x800 [ 21.145947] ? unwind_get_return_address+0x61/0xa0 [ 21.145954] ? ep_destroy_wakeup_source+0x240/0x240 [ 21.145960] ? check_noncircular+0x20/0x20 [ 21.145967] ? check_noncircular+0x20/0x20 [ 21.145976] ? fsnotify+0x7b3/0x1140 [ 21.145988] eventpoll_release_file+0xc5/0x140 [ 21.145995] __fput+0x5f1/0x7e0 [ 21.146004] ? fput+0x140/0x140 [ 21.146011] ? _raw_spin_unlock_irq+0x27/0x70 [ 21.146019] ____fput+0x15/0x20 [ 21.146025] task_work_run+0x199/0x270 [ 21.146033] ? task_work_cancel+0x210/0x210 [ 21.146039] ? _raw_spin_unlock+0x22/0x30 [ 21.146045] ? switch_task_namespaces+0x87/0xc0 [ 21.146053] do_exit+0x9bb/0x1ad0 [ 21.146059] ? __handle_mm_fault+0x2330/0x3ce0 [ 21.146066] ? mm_update_next_owner+0x930/0x930 [ 21.146076] ? do_raw_spin_trylock+0x190/0x190 [ 21.146083] ? trace_event_raw_event_sched_switch+0x800/0x800 [ 21.146089] ? check_noncircular+0x20/0x20 [ 21.146096] ? _raw_spin_unlock+0x22/0x30 [ 21.146102] ? __handle_mm_fault+0x80e/0x3ce0 [ 21.146109] ? check_noncircular+0x20/0x20 [ 21.146114] ? __pmd_alloc+0x4e0/0x4e0 [ 21.146123] ? find_held_lock+0x35/0x1d0 [ 21.146131] ? handle_mm_fault+0x248/0x8d0 [ 21.146138] ? find_held_lock+0x35/0x1d0 [ 21.146147] ? __do_page_fault+0x5f7/0xc90 [ 21.146153] ? lock_downgrade+0x980/0x980 [ 21.146161] ? handle_mm_fault+0x410/0x8d0 [ 21.146166] ? down_read_trylock+0xdb/0x170 [ 21.146172] ? __do_page_fault+0x32d/0xc90 [ 21.146178] ? __handle_mm_fault+0x3ce0/0x3ce0 [ 21.146183] ? vmacache_find+0x5f/0x280 [ 21.146192] do_group_exit+0x149/0x400 [ 21.146198] ? __do_page_fault+0x3d6/0xc90 [ 21.146204] ? SyS_exit+0x30/0x30 [ 21.146211] ? do_fast_syscall_32+0x156/0xf9d [ 21.146217] ? do_group_exit+0x400/0x400 [ 21.146224] SyS_exit_group+0x1d/0x20 [ 21.146230] do_fast_syscall_32+0x3ee/0xf9d [ 21.146238] ? do_int80_syscall_32+0x9d0/0x9d0 [ 21.146244] ? kasan_check_read+0x11/0x20 [ 21.146251] ? syscall_return_slowpath+0x550/0x550 [ 21.146257] ? SyS_rt_sigaction+0x94/0x1b0 [ 21.146264] ? SyS_sigprocmask+0x4b0/0x4b0 [ 21.146269] ? SyS_read+0x184/0x220 [ 21.146274] ? retint_user+0x18/0x18 [ 21.146282] ? trace_hardirqs_off_thunk+0x1a/0x1c [ 21.146290] entry_SYSENTER_compat+0x54/0x63 [ 21.146293] RIP: 0023:0xf7f78c79 [ 21.146296] RSP: 002b:00000000ffbdbd3c EFLAGS: 00000292 ORIG_RAX: 00000000000000fc [ 21.146302] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00000000080f0298 [ 21.146305] RDX: 0000000000000000 RSI: 00000000080d9ab8 RDI: 00000000080f02a0 [ 21.146308] RBP: 0000000000000001 R08: 0000000000000000 R09: 0000000000000000 [ 21.146311] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000 [ 21.146314] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000 [ 21.165993] Dumping ftrace buffer: [ 21.165996] (ftrace buffer empty) [ 21.165999] Kernel Offset: disabled [ 22.436526] Rebooting in 86400 seconds..