[ ok ] Starting enhanced syslogd: rsyslogd.
[ 11.330544] audit: type=1400 audit(1513632842.279:5): avc: denied { syslog } for pid=2993 comm="rsyslogd" capability=34 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=capability2 permissive=1
[ ok ] Starting periodic command scheduler: cron.
Starting mcstransd:
[ ok ] Starting file context maintaining daemon: restorecond.
[ ok ] Starting OpenBSD Secure Shell server: sshd.

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [ 17.309059] audit: type=1400 audit(1513632848.257:6): avc: denied { map } for pid=3135 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
Warning: Permanently added 'ci-upstream-kasan-gce-3,10.128.0.21' (ECDSA) to the list of known hosts.
executing program
[ 24.027255] audit: type=1400 audit(1513632854.976:7): avc: denied { map } for pid=3149 comm="syzkaller213261" path="/root/syzkaller213261263" dev="sda1" ino=16481 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
[ 24.059838] ==================================================================
[ 24.067242] BUG: KASAN: use-after-free in handle_userfault+0x21c1/0x24c0
[ 24.074055] Read of size 8 at addr ffff8801ca0f4da0 by task syzkaller213261/3156
[ 24.081559]
[ 24.083164] CPU: 1 PID: 3156 Comm: syzkaller213261 Not tainted 4.15.0-rc4+ #227
[ 24.090574] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 24.099896] Call Trace:
[ 24.102455]  dump_stack+0x194/0x257
[ 24.106053]  ? arch_local_irq_restore+0x53/0x53
[ 24.110690]  ? show_regs_print_info+0x18/0x18
[ 24.115156]  ? find_held_lock+0x35/0x1d0
[ 24.119187]  ? handle_userfault+0x21c1/0x24c0
[ 24.123650]  print_address_description+0x73/0x250
[ 24.128461]  ? handle_userfault+0x21c1/0x24c0
[ 24.132922]  kasan_report+0x25b/0x340
[ 24.136693]  __asan_report_load8_noabort+0x14/0x20
[ 24.141586]  handle_userfault+0x21c1/0x24c0
[ 24.145875]  ? __lock_is_held+0xb6/0x140
[ 24.149912]  ? userfaultfd_ioctl+0x4520/0x4520
[ 24.154462]  ? debug_check_no_locks_freed+0x3c0/0x3c0
[ 24.159625]  ? rcu_read_lock_sched_held+0x108/0x120
[ 24.164609]  ? __alloc_pages_nodemask+0xadb/0xd80
[ 24.169428]  ? __alloc_pages_slowpath+0x2d00/0x2d00
[ 24.174416]  ? depot_save_stack+0x3b5/0x490
[ 24.178883]  ? save_stack+0xa3/0xd0
[ 24.182477]  ? save_stack+0x43/0xd0
[ 24.186074]  ? kasan_kmalloc+0xad/0xe0
[ 24.189926]  ? kasan_slab_alloc+0x12/0x20
[ 24.194039]  ? kmem_cache_alloc+0x12e/0x760
[ 24.198326]  ? ptlock_alloc+0x24/0x70
[ 24.202094]  ? pte_alloc_one+0x59/0x100
[ 24.206037]  ? do_huge_pmd_anonymous_page+0xc23/0x1b00
[ 24.211283]  ? handle_mm_fault+0x334/0x8d0
[ 24.215489]  ? __do_page_fault+0x5c9/0xc90
[ 24.219693]  ? do_page_fault+0xee/0x720
[ 24.223647]  ? page_fault+0x22/0x30
[ 24.227251]  ? check_noncircular+0x20/0x20
[ 24.231456]  ? check_noncircular+0x20/0x20
[ 24.235672]  ? alloc_pages_current+0xbe/0x1e0
[ 24.240141]  ? mm_get_huge_zero_page+0x12c/0x400
[ 24.244874]  ? find_held_lock+0x35/0x1d0
[ 24.248912]  ? do_huge_pmd_anonymous_page+0xe1f/0x1b00
[ 24.254188]  ? lock_downgrade+0x980/0x980
[ 24.258311]  ? lock_release+0xa40/0xa40
[ 24.262256]  ? trace_hardirqs_on_caller+0x421/0x5c0
[ 24.267238]  ? do_raw_spin_trylock+0x190/0x190
[ 24.271792]  ? lockdep_init_map+0x9/0x10
[ 24.275826]  do_huge_pmd_anonymous_page+0xe2c/0x1b00
[ 24.280901]  ? kasan_slab_alloc+0x12/0x20
[ 24.285024]  ? ptlock_alloc+0x24/0x70
[ 24.288803]  ? pte_alloc_one+0x59/0x100
[ 24.292756]  ? __thp_get_unmapped_area+0x130/0x130
[ 24.297655]  ? __lock_acquire+0x664/0x3e00
[ 24.301862]  ? __lock_acquire+0x664/0x3e00
[ 24.306062]  ? check_noncircular+0x20/0x20
[ 24.310354]  ? check_noncircular+0x20/0x20
[ 24.314563]  ? debug_check_no_locks_freed+0x3c0/0x3c0
[ 24.319720]  ? debug_check_no_locks_freed+0x3c0/0x3c0
[ 24.324885]  ? find_held_lock+0x35/0x1d0
[ 24.328923]  ? __handle_mm_fault+0x2330/0x3ce0
[ 24.333477]  ? lock_downgrade+0x980/0x980
[ 24.337592]  ? mark_held_locks+0xaf/0x100
[ 24.341709]  ? __raw_spin_lock_init+0x1c/0x100
[ 24.346261]  ? trace_hardirqs_on_caller+0x421/0x5c0
[ 24.351244]  ? do_raw_spin_trylock+0x190/0x190
[ 24.355800]  ? check_noncircular+0x20/0x20
[ 24.360014]  __handle_mm_fault+0x1a0c/0x3ce0
[ 24.364401]  ? __pmd_alloc+0x4e0/0x4e0
[ 24.368263]  ? find_held_lock+0x35/0x1d0
[ 24.372300]  ? handle_mm_fault+0x248/0x8d0
[ 24.376502]  ? lock_downgrade+0x980/0x980
[ 24.380637]  handle_mm_fault+0x334/0x8d0
[ 24.384664]  ? down_read_trylock+0xdb/0x170
[ 24.388956]  ? __do_page_fault+0x32d/0xc90
[ 24.393158]  ? __handle_mm_fault+0x3ce0/0x3ce0
[ 24.397706]  ? vmacache_find+0x5f/0x280
[ 24.401647]  ? vmacache_update+0xfe/0x130
[ 24.405772]  ? find_vma+0x30/0x150
[ 24.409289]  __do_page_fault+0x5c9/0xc90
[ 24.413332]  ? mm_fault_error+0x2c0/0x2c0
[ 24.417458]  ? __free_pages+0xd8/0x150
[ 24.421320]  do_page_fault+0xee/0x720
[ 24.425095]  ? __do_page_fault+0xc90/0xc90
[ 24.429308]  ? syscall_return_slowpath+0x2ad/0x550
[ 24.434210]  ? prepare_exit_to_usermode+0x340/0x340
[ 24.439197]  ? retint_user+0x18/0x18
[ 24.442883]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 24.447700]  page_fault+0x22/0x30
[ 24.451119] RIP: 0033:0x4453e5
[ 24.454274] RSP: 002b:0000000020687000 EFLAGS: 00010217
[ 24.459604] RAX: 0000000000000000 RBX: 0000000000000000 RCX: 00000000004453d9
[ 24.466839] RDX: 0000000020b4c000 RSI: 0000000020687000 RDI: 0000000000000600
[ 24.474075] RBP: 0000000000000000 R08: 00000000207a4f71 R09: 00007fb416266700
[ 24.481316] R10: 0000000020552ffc R11: 0000000000000202 R12: 0000000000000000
[ 24.488555] R13: 00007ffe289b94df R14: 00007fb4162669c0 R15: 0000000000000000
[ 24.495813]
[ 24.497410] Allocated by task 3154:
[ 24.501032]  save_stack+0x43/0xd0
[ 24.504461]  kasan_kmalloc+0xad/0xe0
[ 24.508141]  kasan_slab_alloc+0x12/0x20
[ 24.512084]  kmem_cache_alloc+0x12e/0x760
[ 24.516201]  dup_userfaultfd+0x21c/0x890
[ 24.520231]  copy_mm+0xa38/0x1310
[ 24.523652]  copy_process.part.38+0x1eb9/0x4ac0
[ 24.528285]  _do_fork+0x1ef/0xfb0
[ 24.531702]  SyS_clone+0x37/0x50
[ 24.535044]  do_syscall_64+0x26c/0x920
[ 24.538898]  return_from_SYSCALL_64+0x0/0x75
[ 24.543268]
[ 24.544864] Freed by task 3154:
[ 24.548111]  save_stack+0x43/0xd0
[ 24.551530]  kasan_slab_free+0x71/0xc0
[ 24.555382]  kmem_cache_free+0x77/0x280
[ 24.559321]  userfaultfd_ctx_put+0x50c/0x740
[ 24.563694]  userfaultfd_event_wait_completion+0x86d/0xae0
[ 24.569280]  dup_userfaultfd_complete+0x2de/0x480
[ 24.574090]  copy_mm+0xe9b/0x1310
[ 24.577511]  copy_process.part.38+0x1eb9/0x4ac0
[ 24.582234]  _do_fork+0x1ef/0xfb0
[ 24.585661]  SyS_clone+0x37/0x50
[ 24.589003]  do_syscall_64+0x26c/0x920
[ 24.592865]  return_from_SYSCALL_64+0x0/0x75
[ 24.597238]
[ 24.598840] The buggy address belongs to the object at ffff8801ca0f4c40
[ 24.598840]  which belongs to the cache userfaultfd_ctx_cache of size 360
[ 24.612346] The buggy address is located 352 bytes inside of
[ 24.612346]  360-byte region [ffff8801ca0f4c40, ffff8801ca0f4da8)
[ 24.624184] The buggy address belongs to the page:
[ 24.629079] page:000000003fea5f5a count:1 mapcount:0 mapping:00000000e8b86b1a index:0xffff8801ca0f4ff7
[ 24.638490] flags: 0x2fffc0000000100(slab)
[ 24.642698] raw: 02fffc0000000100 ffff8801ca0f4000 ffff8801ca0f4ff7 0000000100000009
[ 24.650544] raw: ffff8801d6b32a48 ffff8801d6b32a48 ffff8801d6a7c000 0000000000000000
[ 24.658386] page dumped because: kasan: bad access detected
[ 24.664062]
[ 24.665655] Memory state around the buggy address:
[ 24.670548]  ffff8801ca0f4c80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 24.677870]  ffff8801ca0f4d00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 24.685195] >ffff8801ca0f4d80: fb fb fb fb fb fc fc fc fc fc fc fc fc fc fc fc
[ 24.692520]                                ^
[ 24.696892]  ffff8801ca0f4e00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 24.704214]  ffff8801ca0f4e80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 24.711539] ==================================================================
[ 24.718862] Disabling lock debugging due to kernel taint
[ 24.724495] Kernel panic - not syncing: panic_on_warn set ...
[ 24.724495]
[ 24.731839] CPU: 1 PID: 3156 Comm: syzkaller213261 Tainted: G B 4.15.0-rc4+ #227
[ 24.740553] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 24.749875] Call Trace:
[ 24.752442]  dump_stack+0x194/0x257
[ 24.756042]  ? arch_local_irq_restore+0x53/0x53
[ 24.760678]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 24.765398]  ? vsnprintf+0x1ed/0x1900
[ 24.769164]  ? handle_userfault+0x2160/0x24c0
[ 24.773633]  panic+0x1e4/0x41c
[ 24.776793]  ? refcount_error_report+0x214/0x214
[ 24.781515]  ? add_taint+0x1c/0x50
[ 24.785029]  ? add_taint+0x1c/0x50
[ 24.788550]  ? handle_userfault+0x21c1/0x24c0
[ 24.793024]  kasan_end_report+0x50/0x50
[ 24.796971]  kasan_report+0x144/0x340
[ 24.800751]  __asan_report_load8_noabort+0x14/0x20
[ 24.805647]  handle_userfault+0x21c1/0x24c0
[ 24.809936]  ? __lock_is_held+0xb6/0x140
[ 24.813968]  ? userfaultfd_ioctl+0x4520/0x4520
[ 24.818520]  ? debug_check_no_locks_freed+0x3c0/0x3c0
[ 24.823684]  ? rcu_read_lock_sched_held+0x108/0x120
[ 24.828672]  ? __alloc_pages_nodemask+0xadb/0xd80
[ 24.833493]  ? __alloc_pages_slowpath+0x2d00/0x2d00
[ 24.838487]  ? depot_save_stack+0x3b5/0x490
[ 24.842777]  ? save_stack+0xa3/0xd0
[ 24.846370]  ? save_stack+0x43/0xd0
[ 24.850046]  ? kasan_kmalloc+0xad/0xe0
[ 24.853895]  ? kasan_slab_alloc+0x12/0x20
[ 24.858012]  ? kmem_cache_alloc+0x12e/0x760
[ 24.862303]  ? ptlock_alloc+0x24/0x70
[ 24.866068]  ? pte_alloc_one+0x59/0x100
[ 24.870008]  ? do_huge_pmd_anonymous_page+0xc23/0x1b00
[ 24.875254]  ? handle_mm_fault+0x334/0x8d0
[ 24.879451]  ? __do_page_fault+0x5c9/0xc90
[ 24.883651]  ? do_page_fault+0xee/0x720
[ 24.887590]  ? page_fault+0x22/0x30
[ 24.891191]  ? check_noncircular+0x20/0x20
[ 24.895391]  ? check_noncircular+0x20/0x20
[ 24.899592]  ? alloc_pages_current+0xbe/0x1e0
[ 24.904055]  ? mm_get_huge_zero_page+0x12c/0x400
[ 24.908777]  ? find_held_lock+0x35/0x1d0
[ 24.912807]  ? do_huge_pmd_anonymous_page+0xe1f/0x1b00
[ 24.918049]  ? lock_downgrade+0x980/0x980
[ 24.922161]  ? lock_release+0xa40/0xa40
[ 24.926098]  ? trace_hardirqs_on_caller+0x421/0x5c0
[ 24.931079]  ? do_raw_spin_trylock+0x190/0x190
[ 24.935626]  ? lockdep_init_map+0x9/0x10
[ 24.939656]  do_huge_pmd_anonymous_page+0xe2c/0x1b00
[ 24.944724]  ? kasan_slab_alloc+0x12/0x20
[ 24.948836]  ? ptlock_alloc+0x24/0x70
[ 24.952599]  ? pte_alloc_one+0x59/0x100
[ 24.956539]  ? __thp_get_unmapped_area+0x130/0x130
[ 24.961432]  ? __lock_acquire+0x664/0x3e00
[ 24.965636]  ? __lock_acquire+0x664/0x3e00
[ 24.969833]  ? check_noncircular+0x20/0x20
[ 24.974035]  ? check_noncircular+0x20/0x20
[ 24.978239]  ? debug_check_no_locks_freed+0x3c0/0x3c0
[ 24.983393]  ? debug_check_no_locks_freed+0x3c0/0x3c0
[ 24.988549]  ? find_held_lock+0x35/0x1d0
[ 24.992578]  ? __handle_mm_fault+0x2330/0x3ce0
[ 24.997125]  ? lock_downgrade+0x980/0x980
[ 25.001236]  ? mark_held_locks+0xaf/0x100
[ 25.005354]  ? __raw_spin_lock_init+0x1c/0x100
[ 25.009900]  ? trace_hardirqs_on_caller+0x421/0x5c0
[ 25.014879]  ? do_raw_spin_trylock+0x190/0x190
[ 25.019429]  ? check_noncircular+0x20/0x20
[ 25.023631]  __handle_mm_fault+0x1a0c/0x3ce0
[ 25.028013]  ? __pmd_alloc+0x4e0/0x4e0
[ 25.031876]  ? find_held_lock+0x35/0x1d0
[ 25.035909]  ? handle_mm_fault+0x248/0x8d0
[ 25.040109]  ? lock_downgrade+0x980/0x980
[ 25.044233]  handle_mm_fault+0x334/0x8d0
[ 25.048260]  ? down_read_trylock+0xdb/0x170
[ 25.052555]  ? __do_page_fault+0x32d/0xc90
[ 25.056759]  ? __handle_mm_fault+0x3ce0/0x3ce0
[ 25.061309]  ? vmacache_find+0x5f/0x280
[ 25.065250]  ? vmacache_update+0xfe/0x130
[ 25.069362]  ? find_vma+0x30/0x150
[ 25.072870]  __do_page_fault+0x5c9/0xc90
[ 25.076900]  ? mm_fault_error+0x2c0/0x2c0
[ 25.081027]  ? __free_pages+0xd8/0x150
[ 25.084886]  do_page_fault+0xee/0x720
[ 25.088651]  ? __do_page_fault+0xc90/0xc90
[ 25.092857]  ? syscall_return_slowpath+0x2ad/0x550
[ 25.097754]  ? prepare_exit_to_usermode+0x340/0x340
[ 25.102735]  ? retint_user+0x18/0x18
[ 25.106420]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 25.111237]  page_fault+0x22/0x30
[ 25.114656] RIP: 0033:0x4453e5
[ 25.117897] RSP: 002b:0000000020687000 EFLAGS: 00010217
[ 25.123231] RAX: 0000000000000000 RBX: 0000000000000000 RCX: 00000000004453d9
[ 25.130464] RDX: 0000000020b4c000 RSI: 0000000020687000 RDI: 0000000000000600
[ 25.137703] RBP: 0000000000000000 R08: 00000000207a4f71 R09: 00007fb416266700
[ 25.144937] R10: 0000000020552ffc R11: 0000000000000202 R12: 0000000000000000
[ 25.152175] R13: 00007ffe289b94df R14: 00007fb4162669c0 R15: 0000000000000000
[ 25.159871] Dumping ftrace buffer:
[ 25.163387]    (ftrace buffer empty)
[ 25.167060] Kernel Offset: disabled
[ 25.170658] Rebooting in 86400 seconds..