[....] Starting enhanced syslogd: rsyslogd[   11.359604] audit: type=1400 audit(1514089180.343:5): avc:  denied  { syslog } for  pid=2998 comm="rsyslogd" capability=34  scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=capability2 permissive=1
[?25l[?1c7[1G[[32m ok [39;49m8[?25h[?0c.
[....] Starting periodic command scheduler: cron[?25l[?1c7[1G[[32m ok [39;49m8[?25h[?0c.
Starting mcstransd: 
[....] Starting file context maintaining daemon: restorecond[?25l[?1c7[1G[[32m ok [39;49m8[?25h[?0c.
[....] Starting OpenBSD Secure Shell server: sshd[?25l[?1c7[1G[[32m ok [39;49m8[?25h[?0c.

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [   18.332192] audit: type=1400 audit(1514089187.316:6): avc:  denied  { map } for  pid=3138 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
Warning: Permanently added 'ci-upstream-kasan-gce-386-4,10.128.0.37' (ECDSA) to the list of known hosts.
executing program
[   24.535143] audit: type=1400 audit(1514089193.518:7): avc:  denied  { map } for  pid=3152 comm="syzkaller099518" path="/root/syzkaller099518697" dev="sda1" ino=16481 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
[   24.540629] ==================================================================
[   24.540644] BUG: KASAN: use-after-free in __lock_acquire+0x3d4d/0x3e00
[   24.540649] Read of size 8 at addr ffff8801c901b330 by task syzkaller099518/3152
[   24.540650] 
[   24.540657] CPU: 0 PID: 3152 Comm: syzkaller099518 Not tainted 4.15.0-rc4+ #146
[   24.540661] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   24.540663] Call Trace:
[   24.540672]  dump_stack+0x194/0x257
[   24.540679]  ? arch_local_irq_restore+0x53/0x53
[   24.540686]  ? show_regs_print_info+0x18/0x18
[   24.540692]  ? print_irqtrace_events+0x270/0x270
[   24.540698]  ? __lock_acquire+0x664/0x3e00
[   24.540705]  ? __lock_acquire+0x3d4d/0x3e00
[   24.540713]  print_address_description+0x73/0x250
[   24.540719]  ? __lock_acquire+0x3d4d/0x3e00
[   24.540725]  kasan_report+0x25b/0x340
[   24.540732]  __asan_report_load8_noabort+0x14/0x20
[   24.540738]  __lock_acquire+0x3d4d/0x3e00
[   24.540743]  ? __lock_acquire+0x664/0x3e00
[   24.540749]  ? lock_downgrade+0x980/0x980
[   24.540755]  ? lock_downgrade+0x980/0x980
[   24.540761]  ? print_irqtrace_events+0x270/0x270
[   24.540767]  ? remove_wait_queue+0x81/0x350
[   24.540776]  ? debug_check_no_locks_freed+0x3c0/0x3c0
[   24.540783]  ? __lock_acquire+0x664/0x3e00
[   24.540788]  ? check_noncircular+0x20/0x20
[   24.540800]  ? debug_check_no_locks_freed+0x3c0/0x3c0
[   24.540807]  ? lock_acquire+0x1d5/0x580
[   24.540812]  ? lock_acquire+0x1d5/0x580
[   24.540819]  ? ep_free+0xf4/0x320
[   24.540827]  ? lock_release+0xa40/0xa40
[   24.540834]  ? trace_event_raw_event_sched_switch+0x800/0x800
[   24.540839]  ? print_irqtrace_events+0x270/0x270
[   24.540845]  ? print_irqtrace_events+0x270/0x270
[   24.540852]  ? rcu_note_context_switch+0x710/0x710
[   24.540860]  ? __might_sleep+0x95/0x190
[   24.540865]  ? ep_free+0xf4/0x320
[   24.540870]  ? __mutex_lock+0x16f/0x1a80
[   24.540875]  ? ep_free+0xf4/0x320
[   24.540882]  ? print_irqtrace_events+0x270/0x270
[   24.540886]  ? ep_free+0xf4/0x320
[   24.540899]  lock_acquire+0x1d5/0x580
[   24.540905]  ? lock_acquire+0x1d5/0x580
[   24.540911]  ? remove_wait_queue+0x81/0x350
[   24.540919]  ? lock_release+0xa40/0xa40
[   24.540928]  ? lock_acquire+0x1d5/0x580
[   24.540933]  ? debug_check_no_locks_freed+0x3c0/0x3c0
[   24.540938]  ? lock_acquire+0x1d5/0x580
[   24.540944]  ? ep_unregister_pollwait.isra.7+0x323/0x590
[   24.540951]  _raw_spin_lock_irqsave+0x96/0xc0
[   24.540957]  ? remove_wait_queue+0x81/0x350
[   24.540964]  remove_wait_queue+0x81/0x350
[   24.540971]  ? depot_save_stack+0x3b5/0x490
[   24.540978]  ? add_wait_queue+0x290/0x290
[   24.540984]  ? rcutorture_record_progress+0x10/0x10
[   24.540989]  ? lock_release+0xa40/0xa40
[   24.540998]  ep_unregister_pollwait.isra.7+0x18c/0x590
[   24.541009]  ? __kernel_text_address+0xd/0x40
[   24.541017]  ? clear_tfile_check_list+0x370/0x370
[   24.541025]  ? check_noncircular+0x20/0x20
[   24.541033]  ? locks_remove_file+0x3fa/0x5a0
[   24.541042]  ep_free+0x13f/0x320
[   24.541048]  ? ep_remove+0x800/0x800
[   24.541055]  ? fsnotify_first_mark+0x2b0/0x2b0
[   24.541062]  ? ep_free+0x320/0x320
[   24.541068]  ep_eventpoll_release+0x44/0x60
[   24.541074]  __fput+0x327/0x7e0
[   24.541082]  ? fput+0x140/0x140
[   24.541089]  ? _raw_spin_unlock_irq+0x27/0x70
[   24.541097]  ____fput+0x15/0x20
[   24.541103]  task_work_run+0x199/0x270
[   24.541110]  ? task_work_cancel+0x210/0x210
[   24.541117]  ? _raw_spin_unlock+0x22/0x30
[   24.541122]  ? switch_task_namespaces+0x87/0xc0
[   24.541131]  do_exit+0x9bb/0x1ad0
[   24.541139]  ? __handle_mm_fault+0x2330/0x3ce0
[   24.541147]  ? mm_update_next_owner+0x930/0x930
[   24.541156]  ? do_raw_spin_trylock+0x190/0x190
[   24.541163]  ? trace_event_raw_event_sched_switch+0x800/0x800
[   24.541169]  ? check_noncircular+0x20/0x20
[   24.541176]  ? _raw_spin_unlock+0x22/0x30
[   24.541181]  ? __handle_mm_fault+0x80e/0x3ce0
[   24.541189]  ? check_noncircular+0x20/0x20
[   24.541194]  ? __pmd_alloc+0x4e0/0x4e0
[   24.541199]  ? lock_downgrade+0x980/0x980
[   24.541207]  ? find_held_lock+0x35/0x1d0
[   24.541215]  ? handle_mm_fault+0x248/0x8d0
[   24.541222]  ? find_held_lock+0x35/0x1d0
[   24.541232]  ? __do_page_fault+0x5f7/0xc90
[   24.541238]  ? lock_downgrade+0x980/0x980
[   24.541247]  ? handle_mm_fault+0x410/0x8d0
[   24.541252]  ? down_read_trylock+0xdb/0x170
[   24.541258]  ? __do_page_fault+0x32d/0xc90
[   24.541264]  ? __handle_mm_fault+0x3ce0/0x3ce0
[   24.541270]  ? vmacache_find+0x5f/0x280
[   24.541278]  do_group_exit+0x149/0x400
[   24.541285]  ? __do_page_fault+0x3d6/0xc90
[   24.541290]  ? SyS_exit+0x30/0x30
[   24.541299]  ? do_fast_syscall_32+0x156/0xf9d
[   24.541305]  ? do_group_exit+0x400/0x400
[   24.541311]  SyS_exit_group+0x1d/0x20
[   24.541317]  do_fast_syscall_32+0x3ee/0xf9d
[   24.541326]  ? do_int80_syscall_32+0x9d0/0x9d0
[   24.541331]  ? kasan_check_read+0x11/0x20
[   24.541338]  ? syscall_return_slowpath+0x550/0x550
[   24.541345]  ? SyS_rt_sigaction+0x94/0x1b0
[   24.541352]  ? SyS_sigprocmask+0x4b0/0x4b0
[   24.541356]  ? SyS_read+0x184/0x220
[   24.541362]  ? retint_user+0x18/0x18
[   24.541370]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   24.541379]  entry_SYSENTER_compat+0x54/0x63
[   24.541384] RIP: 0023:0xf7f1bc79
[   24.541387] RSP: 002b:00000000fff1541c EFLAGS: 00000292 ORIG_RAX: 00000000000000fc
[   24.541393] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00000000080f0298
[   24.541397] RDX: 0000000000000000 RSI: 00000000080d9ad8 RDI: 00000000080f02a0
[   24.541400] RBP: 0000000000000001 R08: 0000000000000000 R09: 0000000000000000
[   24.541403] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
[   24.541406] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[   24.541414] 
[   24.541417] Allocated by task 3152:
[   24.541422]  save_stack+0x43/0xd0
[   24.541427]  kasan_kmalloc+0xad/0xe0
[   24.541434]  kmem_cache_alloc_trace+0x136/0x750
[   24.541442]  binder_get_thread+0x1cf/0x870
[   24.541446]  binder_poll+0x8c/0x390
[   24.541450]  ep_item_poll.isra.10+0xec/0x320
[   24.541455]  ep_insert+0x6a3/0x1b10
[   24.541459]  SyS_epoll_ctl+0x12e4/0x1ab0
[   24.541464]  do_fast_syscall_32+0x3ee/0xf9d
[   24.541469]  entry_SYSENTER_compat+0x54/0x63
[   24.541470] 
[   24.541473] Freed by task 3152:
[   24.541477]  save_stack+0x43/0xd0
[   24.541481]  kasan_slab_free+0x71/0xc0
[   24.541485]  kfree+0xd6/0x260
[   24.541490]  binder_thread_dec_tmpref+0x27f/0x310
[   24.541495]  binder_thread_release+0x27d/0x540
[   24.541500]  binder_ioctl+0xc02/0x1417
[   24.541504]  compat_SyS_ioctl+0x151/0x2a30
[   24.541509]  do_fast_syscall_32+0x3ee/0xf9d
[   24.541515]  entry_SYSENTER_compat+0x54/0x63
[   24.541516] 
[   24.541520] The buggy address belongs to the object at ffff8801c901b280
[   24.541520]  which belongs to the cache kmalloc-512 of size 512
[   24.541525] The buggy address is located 176 bytes inside of
[   24.541525]  512-byte region [ffff8801c901b280, ffff8801c901b480)
[   24.541526] The buggy address belongs to the page:
[   24.541531] page:00000000544cb846 count:1 mapcount:0 mapping:00000000ab217f13 index:0x0
[   24.541537] flags: 0x2fffc0000000100(slab)
[   24.541545] raw: 02fffc0000000100 ffff8801c901b000 0000000000000000 0000000100000006
[   24.541552] raw: ffffea00072492e0 ffffea0007244220 ffff8801db000940 0000000000000000
[   24.541555] page dumped because: kasan: bad access detected
[   24.541556] 
[   24.541557] Memory state around the buggy address:
[   24.541562]  ffff8801c901b200: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   24.541566]  ffff8801c901b280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   24.541571] >ffff8801c901b300: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   24.541573]                                      ^
[   24.541577]  ffff8801c901b380: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   24.541581]  ffff8801c901b400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   24.541583] ==================================================================
[   24.541585] Disabling lock debugging due to kernel taint
[   24.541588] Kernel panic - not syncing: panic_on_warn set ...
[   24.541588] 
[   24.541594] CPU: 0 PID: 3152 Comm: syzkaller099518 Tainted: G    B            4.15.0-rc4+ #146
[   24.541597] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   24.541598] Call Trace:
[   24.541604]  dump_stack+0x194/0x257
[   24.541611]  ? arch_local_irq_restore+0x53/0x53
[   24.541616]  ? kasan_end_report+0x32/0x50
[   24.541622]  ? lock_downgrade+0x980/0x980
[   24.541628]  ? vsnprintf+0x1ed/0x1900
[   24.541634]  ? __lock_acquire+0x3cd0/0x3e00
[   24.541640]  panic+0x1e4/0x41c
[   24.541645]  ? refcount_error_report+0x214/0x214
[   24.541652]  ? add_taint+0x40/0x50
[   24.541657]  ? add_taint+0x1c/0x50
[   24.541664]  ? __lock_acquire+0x3d4d/0x3e00
[   24.541670]  kasan_end_report+0x50/0x50
[   24.541675]  kasan_report+0x144/0x340
[   24.541683]  __asan_report_load8_noabort+0x14/0x20
[   24.541688]  __lock_acquire+0x3d4d/0x3e00
[   24.541694]  ? __lock_acquire+0x664/0x3e00
[   24.541700]  ? lock_downgrade+0x980/0x980
[   24.541705]  ? lock_downgrade+0x980/0x980
[   24.541711]  ? print_irqtrace_events+0x270/0x270
[   24.541717]  ? remove_wait_queue+0x81/0x350
[   24.541725]  ? debug_check_no_locks_freed+0x3c0/0x3c0
[   24.541732]  ? __lock_acquire+0x664/0x3e00
[   24.541737]  ? check_noncircular+0x20/0x20
[   24.541748]  ? debug_check_no_locks_freed+0x3c0/0x3c0
[   24.541755]  ? lock_acquire+0x1d5/0x580
[   24.541761]  ? lock_acquire+0x1d5/0x580
[   24.541765]  ? ep_free+0xf4/0x320
[   24.541773]  ? lock_release+0xa40/0xa40
[   24.541779]  ? trace_event_raw_event_sched_switch+0x800/0x800
[   24.541784]  ? print_irqtrace_events+0x270/0x270
[   24.541790]  ? print_irqtrace_events+0x270/0x270
[   24.541796]  ? rcu_note_context_switch+0x710/0x710
[   24.541803]  ? __might_sleep+0x95/0x190
[   24.541808]  ? ep_free+0xf4/0x320
[   24.541813]  ? __mutex_lock+0x16f/0x1a80
[   24.541818]  ? ep_free+0xf4/0x320
[   24.541825]  ? print_irqtrace_events+0x270/0x270
[   24.541829]  ? ep_free+0xf4/0x320
[   24.541837]  lock_acquire+0x1d5/0x580
[   24.541842]  ? lock_acquire+0x1d5/0x580
[   24.541848]  ? remove_wait_queue+0x81/0x350
[   24.541856]  ? lock_release+0xa40/0xa40
[   24.541864]  ? lock_acquire+0x1d5/0x580
[   24.541870]  ? debug_check_no_locks_freed+0x3c0/0x3c0
[   24.541875]  ? lock_acquire+0x1d5/0x580
[   24.541881]  ? ep_unregister_pollwait.isra.7+0x323/0x590
[   24.541888]  _raw_spin_lock_irqsave+0x96/0xc0
[   24.541898]  ? remove_wait_queue+0x81/0x350
[   24.541904]  remove_wait_queue+0x81/0x350
[   24.541910]  ? depot_save_stack+0x3b5/0x490
[   24.541916]  ? add_wait_queue+0x290/0x290
[   24.541922]  ? rcutorture_record_progress+0x10/0x10
[   24.541928]  ? lock_release+0xa40/0xa40
[   24.541936]  ep_unregister_pollwait.isra.7+0x18c/0x590
[   24.541942]  ? __kernel_text_address+0xd/0x40
[   24.541950]  ? clear_tfile_check_list+0x370/0x370
[   24.541957]  ? check_noncircular+0x20/0x20
[   24.541964]  ? locks_remove_file+0x3fa/0x5a0
[   24.541972]  ep_free+0x13f/0x320
[   24.541978]  ? ep_remove+0x800/0x800
[   24.541984]  ? fsnotify_first_mark+0x2b0/0x2b0
[   24.541991]  ? ep_free+0x320/0x320
[   24.541997]  ep_eventpoll_release+0x44/0x60
[   24.542002]  __fput+0x327/0x7e0
[   24.542010]  ? fput+0x140/0x140
[   24.542016]  ? _raw_spin_unlock_irq+0x27/0x70
[   24.542024]  ____fput+0x15/0x20
[   24.542030]  task_work_run+0x199/0x270
[   24.542037]  ? task_work_cancel+0x210/0x210
[   24.542043]  ? _raw_spin_unlock+0x22/0x30
[   24.542049]  ? switch_task_namespaces+0x87/0xc0
[   24.542056]  do_exit+0x9bb/0x1ad0
[   24.542062]  ? __handle_mm_fault+0x2330/0x3ce0
[   24.542069]  ? mm_update_next_owner+0x930/0x930
[   24.542079]  ? do_raw_spin_trylock+0x190/0x190
[   24.542086]  ? trace_event_raw_event_sched_switch+0x800/0x800
[   24.542091]  ? check_noncircular+0x20/0x20
[   24.542098]  ? _raw_spin_unlock+0x22/0x30
[   24.542104]  ? __handle_mm_fault+0x80e/0x3ce0
[   24.542111]  ? check_noncircular+0x20/0x20
[   24.542116]  ? __pmd_alloc+0x4e0/0x4e0
[   24.542121]  ? lock_downgrade+0x980/0x980
[   24.542129]  ? find_held_lock+0x35/0x1d0
[   24.542137]  ? handle_mm_fault+0x248/0x8d0
[   24.542143]  ? find_held_lock+0x35/0x1d0
[   24.542152]  ? __do_page_fault+0x5f7/0xc90
[   24.542158]  ? lock_downgrade+0x980/0x980
[   24.542167]  ? handle_mm_fault+0x410/0x8d0
[   24.542172]  ? down_read_trylock+0xdb/0x170
[   24.542177]  ? __do_page_fault+0x32d/0xc90
[   24.542183]  ? __handle_mm_fault+0x3ce0/0x3ce0
[   24.542189]  ? vmacache_find+0x5f/0x280
[   24.542197]  do_group_exit+0x149/0x400
[   24.542203]  ? __do_page_fault+0x3d6/0xc90
[   24.542209]  ? SyS_exit+0x30/0x30
[   24.542217]  ? do_fast_syscall_32+0x156/0xf9d
[   24.542223]  ? do_group_exit+0x400/0x400
[   24.542229]  SyS_exit_group+0x1d/0x20
[   24.542235]  do_fast_syscall_32+0x3ee/0xf9d
[   24.542243]  ? do_int80_syscall_32+0x9d0/0x9d0
[   24.542248]  ? kasan_check_read+0x11/0x20
[   24.542255]  ? syscall_return_slowpath+0x550/0x550
[   24.542261]  ? SyS_rt_sigaction+0x94/0x1b0
[   24.542268]  ? SyS_sigprocmask+0x4b0/0x4b0
[   24.542273]  ? SyS_read+0x184/0x220
[   24.542278]  ? retint_user+0x18/0x18
[   24.542286]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   24.542294]  entry_SYSENTER_compat+0x54/0x63
[   24.542298] RIP: 0023:0xf7f1bc79
[   24.542301] RSP: 002b:00000000fff1541c EFLAGS: 00000292 ORIG_RAX: 00000000000000fc
[   24.542307] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00000000080f0298
[   24.542310] RDX: 0000000000000000 RSI: 00000000080d9ad8 RDI: 00000000080f02a0
[   24.542313] RBP: 0000000000000001 R08: 0000000000000000 R09: 0000000000000000
[   24.542316] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
[   24.542319] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[   24.561466] Dumping ftrace buffer:
[   24.561469]    (ftrace buffer empty)
[   24.561472] Kernel Offset: disabled
[   25.841079] Rebooting in 86400 seconds..