[ ok ] Starting periodic command scheduler: cron.
Starting mcstransd:
[ ok ] Starting file context maintaining daemon: restorecond.
[ ok ] Starting OpenBSD Secure Shell server: sshd.
[ 18.207217] audit: type=1400 audit(1518188262.475:6): avc: denied { map } for pid=4150 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1

Debian GNU/Linux 7 syzkaller ttyS0

Warning: Permanently added '10.128.0.18' (ECDSA) to the list of known hosts.
syzkaller login: [ 169.651487] audit: type=1400 audit(1518188413.920:7): avc: denied { map } for pid=4168 comm="syzkaller818560" path="/root/syzkaller818560833" dev="sda1" ino=16481 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
[ 169.666933] IPVS: ftp: loaded support on port[0] = 21
net.ipv6.conf.syz5.accept_dad = 0
net.ipv6.conf.syz7.accept_dad = 0
net.ipv6.conf.syz5.router_solicitations = 0
[ 169.677430] audit: type=1400 audit(1518188413.926:8): avc: denied { sys_admin } for pid=4176 comm="syzkaller818560" capability=21 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=cap_userns permissive=1
[ 169.702643] IPVS: ftp: loaded support on port[0] = 21
[ 169.713155] audit: type=1400 audit(1518188413.981:9): avc: denied { net_admin } for pid=4178 comm="syzkaller818560" capability=12 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=cap_userns permissive=1
[ 169.737053] IPVS: ftp: loaded support on port[0] = 21
net.ipv6.conf.syz7.router_solicitations = 0
[ 169.766007] IPVS: ftp: loaded support on port[0] = 21
net.ipv6.conf.syz3.accept_dad = 0
net.ipv6.conf.syz1.accept_dad = 0
net.ipv6.conf.syz3.router_solicitations = 0
net.ipv6.conf.syz1.router_solicitations = 0
[ 169.796616] IPVS: ftp: loaded support on port[0] = 21
net.ipv6.conf.syz6.accept_dad = 0
[ 169.844198] IPVS: ftp: loaded support on port[0] = 21
net.ipv6.conf.syz6.router_solicitations = 0
net.ipv6.conf.syz4.accept_dad = 0
[ 169.888864] IPVS: ftp: loaded support on port[0] = 21
net.ipv6.conf.syz4.router_solicitations = 0
[ 169.961167] IPVS: ftp: loaded support on port[0] = 21
net.ipv6.conf.syz0.accept_dad = 0
net.ipv6.conf.syz0.router_solicitations = 0
net.ipv6.conf.syz2.accept_dad = 0
net.ipv6.conf.syz2.router_solicitations = 0
RTNETLINK answers: Operation not supported
RTNETLINK answers: Operation not supported
RTNETLINK answers: Operation not supported
RTNETLINK answers: Operation not supported
[ 170.383616] IPv6: ADDRCONF(NETDEV_UP): bridge0: link is not ready
RTNETLINK answers: Operation not supported
RTNETLINK answers: No buffer space available
RTNETLINK answers: Operation not supported
[ 170.448093] IPv6: ADDRCONF(NETDEV_UP): bridge0: link is not ready
RTNETLINK answers: Operation not supported
RTNETLINK answers: No buffer space available
RTNETLINK answers: Operation not supported
[ 170.496793] IPv6: ADDRCONF(NETDEV_UP): bridge0: link is not ready
[ 170.503986] IPv6: ADDRCONF(NETDEV_UP): bridge0: link is not ready
RTNETLINK answers: Operation not supported
RTNETLINK answers: No buffer space available
RTNETLINK answers: No buffer space available
RTNETLINK answers: Operation not supported
RTNETLINK answers: Operation not supported
RTNETLINK answers: Operation not supported
RTNETLINK answers: Operation not supported
[ 170.615350] IPv6: ADDRCONF(NETDEV_UP): bridge0: link is not ready
[ 170.623366] IPv6: ADDRCONF(NETDEV_UP): bridge0: link is not ready
RTNETLINK answers: Operation not supported
RTNETLINK answers: No buffer space available
RTNETLINK answers: Operation not supported
RTNETLINK answers: Operation not supported
RTNETLINK answers: Operation not supported
RTNETLINK answers: No buffer space available
RTNETLINK answers: Operation not supported
RTNETLINK answers: Operation not supported
[ 170.721280] IPv6: ADDRCONF(NETDEV_UP): bridge0: link is not ready
RTNETLINK answers: No buffer space available
RTNETLINK answers: Operation not supported
RTNETLINK answers: Operation not supported
RTNETLINK answers: Operation not supported
RTNETLINK answers: Operation not supported
RTNETLINK answers: Operation not supported
[ 170.824201] IPv6: ADDRCONF(NETDEV_UP): bridge0: link is not ready
RTNETLINK answers: No buffer space available
RTNETLINK answers: Operation not supported
RTNETLINK answers: Operation not supported
RTNETLINK answers: Operation not supported
RTNETLINK answers: Operation not supported
RTNETLINK answers: Operation not supported
RTNETLINK answers: Operation not supported
RTNETLINK answers: Operation not supported
RTNETLINK answers: Operation not supported
RTNETLINK answers: Operation not supported
RTNETLINK answers: Operation not supported
RTNETLINK answers: Operation not supported
RTNETLINK answers: Invalid argument
RTNETLINK answers: Invalid argument
RTNETLINK answers: Operation not supported
RTNETLINK answers: Invalid argument
RTNETLINK answers: Invalid argument
RTNETLINK answers: Invalid argument
RTNETLINK answers: Operation not supported
RTNETLINK answers: Operation not supported
RTNETLINK answers: Invalid argument
RTNETLINK answers: Operation not supported
RTNETLINK answers: Invalid argument
RTNETLINK answers: Invalid argument
RTNETLINK answers: Invalid argument
RTNETLINK answers: Invalid argument
RTNETLINK answers: Invalid argument
RTNETLINK answers: Invalid argument
RTNETLINK answers: Invalid argument
RTNETLINK answers: Operation not supported
RTNETLINK answers: Invalid argument
RTNETLINK answers: Invalid argument
RTNETLINK answers: Invalid argument
RTNETLINK answers: Invalid argument
RTNETLINK answers: Invalid argument
RTNETLINK answers: Invalid argument
executing program
RTNETLINK answers: Invalid argument
RTNETLINK answers: Invalid argument
RTNETLINK answers: Invalid argument
executing program
executing program
[ 171.700664] audit: type=1400 audit(1518188415.969:10): avc: denied { sys_chroot } for pid=4178 comm="syzkaller818560" capability=18 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=cap_userns permissive=1
RTNETLINK answers: Invalid argument
executing program
[ 171.787201] ==================================================================
[ 171.794617] BUG: KASAN: use-after-free in do_raw_spin_lock+0x1e0/0x220
[ 171.801256] Read of size 4 at addr ffff8801db1608a4 by task syzkaller818560/5118
[ 171.808756]
[ 171.810356] CPU: 1 PID: 5118 Comm: syzkaller818560 Not tainted 4.15.0+ #215
[ 171.817420] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 171.826741] Call Trace:
[ 171.829301]  dump_stack+0x194/0x257
[ 171.832900]  ? arch_local_irq_restore+0x53/0x53
[ 171.837538]  ? show_regs_print_info+0x18/0x18
[ 171.842004]  ? lock_acquire+0x1d5/0x580
[ 171.845951]  ? do_raw_spin_lock+0x1e0/0x220
[ 171.850249]  print_address_description+0x73/0x250
[ 171.855062]  ? do_raw_spin_lock+0x1e0/0x220
[ 171.859354]  kasan_report+0x23b/0x360
[ 171.863130]  __asan_report_load4_noabort+0x14/0x20
[ 171.868030]  do_raw_spin_lock+0x1e0/0x220
[ 171.872154]  _raw_spin_lock_irqsave+0x9e/0xc0
[ 171.876618]  ? remove_wait_queue+0x81/0x350
[ 171.880911]  remove_wait_queue+0x81/0x350
[ 171.885035]  ? add_wait_queue+0x290/0x290
[ 171.889155]  ? rcutorture_record_progress+0x10/0x10
[ 171.894145]  ? finish_task_switch+0x1e2/0x890
[ 171.898613]  ? check_noncircular+0x20/0x20
[ 171.902824]  ep_unregister_pollwait.isra.7+0x18c/0x590
[ 171.908078]  ? clear_tfile_check_list+0x370/0x370
[ 171.912906]  ? locks_remove_file+0x3fa/0x5a0
[ 171.917300]  ep_free+0x13f/0x320
[ 171.920639]  ? ep_remove+0x800/0x800
[ 171.924326]  ? fsnotify_first_mark+0x2b0/0x2b0
[ 171.928885]  ? ep_free+0x320/0x320
[ 171.932399]  ep_eventpoll_release+0x44/0x60
[ 171.936698]  __fput+0x327/0x7e0
[ 171.939964]  ? fput+0x140/0x140
[ 171.943225]  ? _raw_spin_unlock_irq+0x27/0x70
[ 171.947697]  ____fput+0x15/0x20
[ 171.950950]  task_work_run+0x199/0x270
[ 171.954811]  ? task_work_cancel+0x210/0x210
[ 171.959114]  ? exit_to_usermode_loop+0x8c/0x2f0
[ 171.963760]  exit_to_usermode_loop+0x275/0x2f0
[ 171.968316]  ? trace_event_raw_event_sys_exit+0x260/0x260
[ 171.973833]  ? do_fast_syscall_32+0x156/0xfa1
[ 171.978311]  do_fast_syscall_32+0xbe8/0xfa1
[ 171.982610]  ? do_int80_syscall_32+0x9d0/0x9d0
RTNETLINK answers: Invalid argument
[ 171.987166]  ? trace_event_raw_event_sys_exit+0x260/0x260
[ 171.992690]  ? syscall_return_slowpath+0x2ac/0x550
[ 171.997595]  ? sysret32_from_system_call+0x5/0x3b
[ 172.002436]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 172.007289]  entry_SYSENTER_compat+0x54/0x63
[ 172.011690] RIP: 0023:0xf7f56c79
[ 172.015042] RSP: 002b:00000000f7f3112c EFLAGS: 00000286 ORIG_RAX: 000000000000014a
[ 172.022738] RAX: 0000000000000009 RBX: 0000000000000008 RCX: 0000000000000009
[ 172.029999] RDX: 0000000000000000 RSI: 00000000000000f0 RDI: 0000000008120030
[ 172.037256] RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
[ 172.044511] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
[ 172.051773] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[ 172.059054]
[ 172.060667] Allocated by task 5105:
[ 172.064301]  save_stack+0x43/0xd0
[ 172.067752]  kasan_kmalloc+0xad/0xe0
[ 172.071456]  kmem_cache_alloc_trace+0x136/0x740
[ 172.076117]  binder_get_thread+0x1cf/0x870
[ 172.080344]  binder_poll+0x8c/0x390
[ 172.083961]  ep_item_poll.isra.10+0xf2/0x320
[ 172.088356]  ep_insert+0x6a2/0x1ac0
[ 172.091971]  SyS_epoll_ctl+0x12bf/0x1a80
[ 172.096025]  do_fast_syscall_32+0x3ee/0xfa1
[ 172.100337]  entry_SYSENTER_compat+0x54/0x63
[ 172.104728]
[ 172.106348] Freed by task 5105:
[ 172.109621]  save_stack+0x43/0xd0
[ 172.113067]  __kasan_slab_free+0x11a/0x170
[ 172.117291]  kasan_slab_free+0xe/0x10
[ 172.121078]  kfree+0xd9/0x260
[ 172.124173]  binder_thread_dec_tmpref+0x27f/0x310
[ 172.128999]  binder_thread_release+0x4a1/0x6b0
[ 172.133559]  binder_ioctl+0xc02/0x1417
[ 172.137417]  compat_SyS_ioctl+0x151/0x2a30
[ 172.141633]  do_fast_syscall_32+0x3ee/0xfa1
[ 172.145932]  entry_SYSENTER_compat+0x54/0x63
[ 172.150316]
[ 172.151918] The buggy address belongs to the object at ffff8801db160800
[ 172.151918]  which belongs to the cache kmalloc-512 of size 512
[ 172.164545] The buggy address is located 164 bytes inside of
[ 172.164545]  512-byte region [ffff8801db160800, ffff8801db160a00)
[ 172.176393] The buggy address belongs to the page:
[ 172.181298] page:ffffea00076c5800 count:1 mapcount:0 mapping:ffff8801db160080 index:0x0
[ 172.189415] flags: 0x2fffc0000000100(slab)
[ 172.193627] raw: 02fffc0000000100 ffff8801db160080 0000000000000000 0000000100000006
[ 172.201487] raw: ffffea00073c6ea0 ffffea0007076ce0 ffff8801db000940 0000000000000000
[ 172.209335] page dumped because: kasan: bad access detected
[ 172.215016]
[ 172.216620] Memory state around the buggy address:
[ 172.221522]  ffff8801db160780: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 172.228851]  ffff8801db160800: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 172.236179] >ffff8801db160880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 172.243506]                                ^
[ 172.247883]  ffff8801db160900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 172.255212]  ffff8801db160980: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 172.262540] ==================================================================
[ 172.269867] Disabling lock debugging due to kernel taint
[ 172.275284] Kernel panic - not syncing: panic_on_warn set ...
[ 172.275284]
[ 172.282622] CPU: 1 PID: 5118 Comm: syzkaller818560 Tainted: G B 4.15.0+ #215
[ 172.290989] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 172.300313] Call Trace:
[ 172.302873]  dump_stack+0x194/0x257
[ 172.306476]  ? arch_local_irq_restore+0x53/0x53
[ 172.311118]  ? kasan_end_report+0x32/0x50
[ 172.315245]  ? lock_downgrade+0x980/0x980
[ 172.319364]  ? vsnprintf+0x1ed/0x1900
[ 172.323151]  ? do_raw_spin_lock+0x1a0/0x220
[ 172.327443]  panic+0x1e4/0x41c
[ 172.330610]  ? refcount_error_report+0x214/0x214
[ 172.335339]  ? add_taint+0x40/0x50
[ 172.338853]  ? add_taint+0x1c/0x50
[ 172.342366]  ? do_raw_spin_lock+0x1e0/0x220
[ 172.346663]  kasan_end_report+0x50/0x50
[ 172.350611]  kasan_report+0x148/0x360
[ 172.354385]  __asan_report_load4_noabort+0x14/0x20
[ 172.359284]  do_raw_spin_lock+0x1e0/0x220
[ 172.363410]  _raw_spin_lock_irqsave+0x9e/0xc0
[ 172.367876]  ? remove_wait_queue+0x81/0x350
[ 172.372171]  remove_wait_queue+0x81/0x350
[ 172.376293]  ? add_wait_queue+0x290/0x290
[ 172.380413]  ? rcutorture_record_progress+0x10/0x10
[ 172.385402]  ? finish_task_switch+0x1e2/0x890
[ 172.389869]  ? check_noncircular+0x20/0x20
[ 172.394078]  ep_unregister_pollwait.isra.7+0x18c/0x590
[ 172.399328]  ? clear_tfile_check_list+0x370/0x370
[ 172.404146]  ? locks_remove_file+0x3fa/0x5a0
[ 172.408530]  ep_free+0x13f/0x320
[ 172.411870]  ? ep_remove+0x800/0x800
[ 172.415554]  ? fsnotify_first_mark+0x2b0/0x2b0
[ 172.420109]  ? ep_free+0x320/0x320
[ 172.423618]  ep_eventpoll_release+0x44/0x60
[ 172.427910]  __fput+0x327/0x7e0
[ 172.431166]  ? fput+0x140/0x140
[ 172.434420]  ? _raw_spin_unlock_irq+0x27/0x70
[ 172.438887]  ____fput+0x15/0x20
[ 172.442138]  task_work_run+0x199/0x270
[ 172.445997]  ? task_work_cancel+0x210/0x210
[ 172.450297]  ? exit_to_usermode_loop+0x8c/0x2f0
[ 172.454938]  exit_to_usermode_loop+0x275/0x2f0
[ 172.459492]  ? trace_event_raw_event_sys_exit+0x260/0x260
[ 172.465004]  ? do_fast_syscall_32+0x156/0xfa1
[ 172.469478]  do_fast_syscall_32+0xbe8/0xfa1
[ 172.473772]  ? do_int80_syscall_32+0x9d0/0x9d0
[ 172.478324]  ? trace_event_raw_event_sys_exit+0x260/0x260
[ 172.483833]  ? syscall_return_slowpath+0x2ac/0x550
[ 172.488733]  ? sysret32_from_system_call+0x5/0x3b
[ 172.493550]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 172.498370]  entry_SYSENTER_compat+0x54/0x63
[ 172.502747] RIP: 0023:0xf7f56c79
[ 172.506080] RSP: 002b:00000000f7f3112c EFLAGS: 00000286 ORIG_RAX: 000000000000014a
[ 172.513755] RAX: 0000000000000009 RBX: 0000000000000008 RCX: 0000000000000009
[ 172.520995] RDX: 0000000000000000 RSI: 00000000000000f0 RDI: 0000000008120030
[ 172.528243] RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
[ 172.535490] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
[ 172.542731] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[ 172.550436] Dumping ftrace buffer:
[ 172.553945]    (ftrace buffer empty)
[ 172.557622] Kernel Offset: disabled
[ 172.561219] Rebooting in 86400 seconds..