[....] Starting enhanced syslogd: rsyslogd[   10.620693] audit: type=1400 audit(1513620282.962:5): avc:  denied  { syslog } for  pid=2987 comm="rsyslogd" capability=34  scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=capability2 permissive=1
[ ok ].
[ ok ] Starting periodic command scheduler: cron.
Starting mcstransd: 
[ ok ] Starting file context maintaining daemon: restorecond.
[ ok ] Starting OpenBSD Secure Shell server: sshd.

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [   16.341770] audit: type=1400 audit(1513620288.683:6): avc:  denied  { map } for  pid=3125 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
Warning: Permanently added 'ci-upstream-kasan-gce-386-3,10.128.0.22' (ECDSA) to the list of known hosts.
executing program
[   22.559073] audit: type=1400 audit(1513620294.900:7): avc:  denied  { map } for  pid=3139 comm="syzkaller647794" path="/root/syzkaller647794817" dev="sda1" ino=16481 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
[   22.592032] ==================================================================
[   22.599429] BUG: KASAN: use-after-free in handle_userfault+0x21c1/0x24c0
[   22.606236] Read of size 8 at addr ffff8801c8f64da0 by task syzkaller647794/3146
[   22.613741] 
[   22.615338] CPU: 1 PID: 3146 Comm: syzkaller647794 Not tainted 4.15.0-rc4+ #137
[   22.622749] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   22.632070] Call Trace:
[   22.634632]  dump_stack+0x194/0x257
[   22.638232]  ? arch_local_irq_restore+0x53/0x53
[   22.642879]  ? show_regs_print_info+0x18/0x18
[   22.647347]  ? find_held_lock+0x35/0x1d0
[   22.651379]  ? handle_userfault+0x21c1/0x24c0
[   22.655845]  print_address_description+0x73/0x250
[   22.660655]  ? handle_userfault+0x21c1/0x24c0
[   22.665120]  kasan_report+0x25b/0x340
[   22.668892]  __asan_report_load8_noabort+0x14/0x20
[   22.673791]  handle_userfault+0x21c1/0x24c0
[   22.678082]  ? __lock_is_held+0xb6/0x140
[   22.682122]  ? userfaultfd_ioctl+0x4520/0x4520
[   22.686682]  ? debug_check_no_locks_freed+0x3c0/0x3c0
[   22.691849]  ? rcu_read_lock_sched_held+0x108/0x120
[   22.696836]  ? __alloc_pages_nodemask+0xadb/0xd80
[   22.701654]  ? __alloc_pages_slowpath+0x2d00/0x2d00
[   22.706641]  ? depot_save_stack+0x3b5/0x490
[   22.710936]  ? save_stack+0xa3/0xd0
[   22.714540]  ? save_stack+0x43/0xd0
[   22.718134]  ? kasan_kmalloc+0xad/0xe0
[   22.721988]  ? kasan_slab_alloc+0x12/0x20
[   22.726104]  ? kmem_cache_alloc+0x12e/0x760
[   22.730391]  ? ptlock_alloc+0x24/0x70
[   22.734159]  ? pte_alloc_one+0x59/0x100
[   22.738100]  ? do_huge_pmd_anonymous_page+0xc23/0x1b00
[   22.743346]  ? handle_mm_fault+0x334/0x8d0
[   22.747547]  ? __do_page_fault+0x5c9/0xc90
[   22.751748]  ? do_page_fault+0xee/0x720
[   22.755691]  ? page_fault+0x22/0x30
[   22.759312]  ? check_noncircular+0x20/0x20
[   22.763518]  ? check_noncircular+0x20/0x20
[   22.767724]  ? alloc_pages_current+0xbe/0x1e0
[   22.772203]  ? mm_get_huge_zero_page+0x12c/0x400
[   22.776936]  ? find_held_lock+0x35/0x1d0
[   22.780979]  ? do_huge_pmd_anonymous_page+0xe1f/0x1b00
[   22.786229]  ? lock_downgrade+0x980/0x980
[   22.790360]  ? lock_release+0xa40/0xa40
[   22.794308]  ? trace_hardirqs_on_caller+0x421/0x5c0
[   22.799295]  ? do_raw_spin_trylock+0x190/0x190
[   22.803847]  ? lockdep_init_map+0x9/0x10
[   22.807884]  do_huge_pmd_anonymous_page+0xe2c/0x1b00
[   22.812962]  ? __thp_get_unmapped_area+0x130/0x130
[   22.817857]  ? __lock_acquire+0x664/0x3e00
[   22.822063]  ? __lock_acquire+0x664/0x3e00
[   22.826272]  ? lock_release+0xa40/0xa40
[   22.830224]  ? debug_check_no_locks_freed+0x3c0/0x3c0
[   22.835380]  ? debug_check_no_locks_freed+0x3c0/0x3c0
[   22.840537]  ? find_held_lock+0x35/0x1d0
[   22.844574]  ? finish_fault+0x1b4/0x2a0
[   22.848521]  ? lock_downgrade+0x980/0x980
[   22.852638]  ? do_swap_page+0x2c50/0x2c50
[   22.856765]  ? _cond_resched+0x14/0x30
[   22.860620]  ? __do_fault+0x2d5/0x30f
[   22.864386]  ? unlock_page+0x19f/0x270
[   22.868245]  ? wake_up_page_bit+0x530/0x530
[   22.872542]  ? check_noncircular+0x20/0x20
[   22.876743]  ? _raw_spin_unlock+0x22/0x30
[   22.880864]  __handle_mm_fault+0x1a0c/0x3ce0
[   22.885246]  ? __pmd_alloc+0x4e0/0x4e0
[   22.889107]  ? find_held_lock+0x35/0x1d0
[   22.893143]  ? handle_mm_fault+0x248/0x8d0
[   22.897345]  ? lock_downgrade+0x980/0x980
[   22.901484]  handle_mm_fault+0x334/0x8d0
[   22.905511]  ? down_read_trylock+0xdb/0x170
[   22.909799]  ? __do_page_fault+0x32d/0xc90
[   22.914002]  ? __handle_mm_fault+0x3ce0/0x3ce0
[   22.918556]  ? vmacache_find+0x5f/0x280
[   22.922498]  ? vmacache_update+0xfe/0x130
[   22.926616]  ? find_vma+0x30/0x150
[   22.930129]  __do_page_fault+0x5c9/0xc90
[   22.934165]  ? mm_fault_error+0x2c0/0x2c0
[   22.938286]  ? __free_pages+0xd8/0x150
[   22.942145]  do_page_fault+0xee/0x720
[   22.945916]  ? __do_page_fault+0xc90/0xc90
[   22.950127]  ? syscall_return_slowpath+0x2ad/0x550
[   22.955032]  ? prepare_exit_to_usermode+0x340/0x340
[   22.960026]  ? retint_user+0x18/0x18
[   22.963716]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   22.968532]  page_fault+0x22/0x30
[   22.971952] RIP: 0023:0xf7fddc79
[   22.975282] RSP: 002b:0000000020687000 EFLAGS: 00010296
[   22.980613] RAX: 0000000000000000 RBX: 0000000000000600 RCX: 0000000020687000
[   22.987850] RDX: 0000000020b4c000 RSI: 0000000020552ffc RDI: 00000000207a4f71
[   22.995086] RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
[   23.002322] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
[   23.009558] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[   23.016811] 
[   23.018406] Allocated by task 3144:
[   23.022003]  save_stack+0x43/0xd0
[   23.025428]  kasan_kmalloc+0xad/0xe0
[   23.029107]  kasan_slab_alloc+0x12/0x20
[   23.033054]  kmem_cache_alloc+0x12e/0x760
[   23.037168]  dup_userfaultfd+0x21c/0x890
[   23.041200]  copy_mm+0xa38/0x1310
[   23.044621]  copy_process.part.38+0x1eb9/0x4ac0
[   23.049257]  _do_fork+0x1ef/0xfb0
[   23.052676]  SyS_clone+0x37/0x50
[   23.056013]  do_fast_syscall_32+0x3ee/0xf9d
[   23.060309]  entry_SYSENTER_compat+0x51/0x60
[   23.064681] 
[   23.066275] Freed by task 3144:
[   23.069522]  save_stack+0x43/0xd0
[   23.072948]  kasan_slab_free+0x71/0xc0
[   23.076803]  kmem_cache_free+0x77/0x280
[   23.080745]  userfaultfd_ctx_put+0x50c/0x740
[   23.085120]  userfaultfd_event_wait_completion+0x86d/0xae0
[   23.090721]  dup_userfaultfd_complete+0x2de/0x480
[   23.095529]  copy_mm+0xe9b/0x1310
[   23.098950]  copy_process.part.38+0x1eb9/0x4ac0
[   23.103586]  _do_fork+0x1ef/0xfb0
[   23.107008]  SyS_clone+0x37/0x50
[   23.110356]  do_fast_syscall_32+0x3ee/0xf9d
[   23.114645]  entry_SYSENTER_compat+0x51/0x60
[   23.119020] 
[   23.120619] The buggy address belongs to the object at ffff8801c8f64c40
[   23.120619]  which belongs to the cache userfaultfd_ctx_cache of size 360
[   23.134109] The buggy address is located 352 bytes inside of
[   23.134109]  360-byte region [ffff8801c8f64c40, ffff8801c8f64da8)
[   23.145949] The buggy address belongs to the page:
[   23.150845] page:0000000027d368ed count:1 mapcount:0 mapping:000000009874fdbd index:0xffff8801c8f64ff7
[   23.160256] flags: 0x2fffc0000000100(slab)
[   23.164461] raw: 02fffc0000000100 ffff8801c8f64000 ffff8801c8f64ff7 0000000100000009
[   23.172310] raw: ffff8801d6aadf48 ffff8801d6aadf48 ffff8801d6aac900 0000000000000000
[   23.180165] page dumped because: kasan: bad access detected
[   23.185837] 
[   23.187429] Memory state around the buggy address:
[   23.192325]  ffff8801c8f64c80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   23.199650]  ffff8801c8f64d00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   23.206975] >ffff8801c8f64d80: fb fb fb fb fb fc fc fc fc fc fc fc fc fc fc fc
[   23.214307]                                ^
[   23.218681]  ffff8801c8f64e00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   23.226007]  ffff8801c8f64e80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   23.233345] ==================================================================
[   23.240667] Disabling lock debugging due to kernel taint
[   23.246154] Kernel panic - not syncing: panic_on_warn set ...
[   23.246154] 
[   23.253510] CPU: 1 PID: 3146 Comm: syzkaller647794 Tainted: G    B            4.15.0-rc4+ #137
[   23.262226] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   23.271547] Call Trace:
[   23.274107]  dump_stack+0x194/0x257
[   23.277703]  ? arch_local_irq_restore+0x53/0x53
[   23.282340]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[   23.287077]  ? vsnprintf+0x1ed/0x1900
[   23.290846]  ? handle_userfault+0x2160/0x24c0
[   23.295308]  panic+0x1e4/0x41c
[   23.298467]  ? refcount_error_report+0x214/0x214
[   23.303199]  ? add_taint+0x1c/0x50
[   23.306710]  ? add_taint+0x1c/0x50
[   23.310219]  ? handle_userfault+0x21c1/0x24c0
[   23.314681]  kasan_end_report+0x50/0x50
[   23.318637]  kasan_report+0x144/0x340
[   23.322406]  __asan_report_load8_noabort+0x14/0x20
[   23.327304]  handle_userfault+0x21c1/0x24c0
[   23.331595]  ? __lock_is_held+0xb6/0x140
[   23.335626]  ? userfaultfd_ioctl+0x4520/0x4520
[   23.340172]  ? debug_check_no_locks_freed+0x3c0/0x3c0
[   23.345332]  ? rcu_read_lock_sched_held+0x108/0x120
[   23.350315]  ? __alloc_pages_nodemask+0xadb/0xd80
[   23.355126]  ? __alloc_pages_slowpath+0x2d00/0x2d00
[   23.360111]  ? depot_save_stack+0x3b5/0x490
[   23.364401]  ? save_stack+0xa3/0xd0
[   23.367993]  ? save_stack+0x43/0xd0
[   23.371589]  ? kasan_kmalloc+0xad/0xe0
[   23.375444]  ? kasan_slab_alloc+0x12/0x20
[   23.379565]  ? kmem_cache_alloc+0x12e/0x760
[   23.383853]  ? ptlock_alloc+0x24/0x70
[   23.387619]  ? pte_alloc_one+0x59/0x100
[   23.391558]  ? do_huge_pmd_anonymous_page+0xc23/0x1b00
[   23.396801]  ? handle_mm_fault+0x334/0x8d0
[   23.401011]  ? __do_page_fault+0x5c9/0xc90
[   23.405218]  ? do_page_fault+0xee/0x720
[   23.409158]  ? page_fault+0x22/0x30
[   23.412752]  ? check_noncircular+0x20/0x20
[   23.416953]  ? check_noncircular+0x20/0x20
[   23.421156]  ? alloc_pages_current+0xbe/0x1e0
[   23.425620]  ? mm_get_huge_zero_page+0x12c/0x400
[   23.430347]  ? find_held_lock+0x35/0x1d0
[   23.434378]  ? do_huge_pmd_anonymous_page+0xe1f/0x1b00
[   23.439630]  ? lock_downgrade+0x980/0x980
[   23.443745]  ? lock_release+0xa40/0xa40
[   23.447683]  ? trace_hardirqs_on_caller+0x421/0x5c0
[   23.452668]  ? do_raw_spin_trylock+0x190/0x190
[   23.457220]  ? lockdep_init_map+0x9/0x10
[   23.461261]  do_huge_pmd_anonymous_page+0xe2c/0x1b00
[   23.466334]  ? __thp_get_unmapped_area+0x130/0x130
[   23.471229]  ? __lock_acquire+0x664/0x3e00
[   23.475427]  ? __lock_acquire+0x664/0x3e00
[   23.479628]  ? lock_release+0xa40/0xa40
[   23.483582]  ? debug_check_no_locks_freed+0x3c0/0x3c0
[   23.488738]  ? debug_check_no_locks_freed+0x3c0/0x3c0
[   23.493892]  ? find_held_lock+0x35/0x1d0
[   23.497922]  ? finish_fault+0x1b4/0x2a0
[   23.501860]  ? lock_downgrade+0x980/0x980
[   23.505973]  ? do_swap_page+0x2c50/0x2c50
[   23.510092]  ? _cond_resched+0x14/0x30
[   23.513945]  ? __do_fault+0x2d5/0x30f
[   23.517711]  ? unlock_page+0x19f/0x270
[   23.521565]  ? wake_up_page_bit+0x530/0x530
[   23.525856]  ? check_noncircular+0x20/0x20
[   23.530068]  ? _raw_spin_unlock+0x22/0x30
[   23.534188]  __handle_mm_fault+0x1a0c/0x3ce0
[   23.538572]  ? __pmd_alloc+0x4e0/0x4e0
[   23.542427]  ? find_held_lock+0x35/0x1d0
[   23.546456]  ? handle_mm_fault+0x248/0x8d0
[   23.550656]  ? lock_downgrade+0x980/0x980
[   23.554780]  handle_mm_fault+0x334/0x8d0
[   23.558806]  ? down_read_trylock+0xdb/0x170
[   23.563096]  ? __do_page_fault+0x32d/0xc90
[   23.567297]  ? __handle_mm_fault+0x3ce0/0x3ce0
[   23.571848]  ? vmacache_find+0x5f/0x280
[   23.575787]  ? vmacache_update+0xfe/0x130
[   23.579904]  ? find_vma+0x30/0x150
[   23.583421]  __do_page_fault+0x5c9/0xc90
[   23.587452]  ? mm_fault_error+0x2c0/0x2c0
[   23.591568]  ? __free_pages+0xd8/0x150
[   23.595422]  do_page_fault+0xee/0x720
[   23.599192]  ? __do_page_fault+0xc90/0xc90
[   23.603399]  ? syscall_return_slowpath+0x2ad/0x550
[   23.608293]  ? prepare_exit_to_usermode+0x340/0x340
[   23.613275]  ? retint_user+0x18/0x18
[   23.616955]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   23.621767]  page_fault+0x22/0x30
[   23.625199] RIP: 0023:0xf7fddc79
[   23.628529] RSP: 002b:0000000020687000 EFLAGS: 00010296
[   23.633855] RAX: 0000000000000000 RBX: 0000000000000600 RCX: 0000000020687000
[   23.641092] RDX: 0000000020b4c000 RSI: 0000000020552ffc RDI: 00000000207a4f71
[   23.648327] RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
[   23.655564] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
[   23.662800] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[   23.670084] Dumping ftrace buffer:
[   23.673592]    (ftrace buffer empty)
[   23.677270] Kernel Offset: disabled
[   23.680871] Rebooting in 86400 seconds..