[....] Starting enhanced syslogd: rsyslogd[ 12.342624] audit: type=1400 audit(1514777090.336:5): avc: denied { syslog } for pid=3343 comm="rsyslogd" capability=34 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=capability2 permissive=1 [ ok ]. [....] Starting periodic command scheduler: cron[ ok ]. Starting mcstransd: [....] Starting file context maintaining daemon: restorecond[ ok ]. [....] Starting OpenBSD Secure Shell server: sshd[ ok ]. Debian GNU/Linux 7 syzkaller ttyS0 syzkaller login: [ 19.059439] audit: type=1400 audit(1514777097.053:6): avc: denied { map } for pid=3483 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1 Warning: Permanently added '10.128.0.7' (ECDSA) to the list of known hosts. executing program [ 25.260107] audit: type=1400 audit(1514777103.253:7): avc: denied { map } for pid=3497 comm="syzkaller187012" path="/root/syzkaller187012461" dev="sda1" ino=16481 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1 [ 25.264416] ================================================================== [ 25.264427] BUG: KASAN: use-after-free in __lock_acquire+0x3d4d/0x3e00 [ 25.264430] Read of size 8 at addr ffff8801ce70b5b0 by task syzkaller187012/3497 [ 25.264431] [ 25.264436] CPU: 1 PID: 3497 Comm: syzkaller187012 Not tainted 4.15.0-rc6+ #155 [ 25.264438] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 25.264440] Call Trace: [ 25.264447] dump_stack+0x194/0x257 [ 25.264452] ? arch_local_irq_restore+0x53/0x53 [ 25.264457] ? show_regs_print_info+0x18/0x18 [ 25.264461] ? print_irqtrace_events+0x270/0x270 [ 25.264465] ? __lock_acquire+0x664/0x3e00 [ 25.264469] ? 
__lock_acquire+0x3d4d/0x3e00 [ 25.264475] print_address_description+0x73/0x250 [ 25.264478] ? __lock_acquire+0x3d4d/0x3e00 [ 25.264482] kasan_report+0x25b/0x340 [ 25.264487] __asan_report_load8_noabort+0x14/0x20 [ 25.264491] __lock_acquire+0x3d4d/0x3e00 [ 25.264494] ? __lock_acquire+0x664/0x3e00 [ 25.264498] ? lock_downgrade+0x980/0x980 [ 25.264501] ? lock_downgrade+0x980/0x980 [ 25.264505] ? print_irqtrace_events+0x270/0x270 [ 25.264510] ? remove_wait_queue+0x81/0x350 [ 25.264515] ? debug_check_no_locks_freed+0x3c0/0x3c0 [ 25.264519] ? __lock_acquire+0x664/0x3e00 [ 25.264522] ? check_noncircular+0x20/0x20 [ 25.264529] ? debug_check_no_locks_freed+0x3c0/0x3c0 [ 25.264533] ? lock_acquire+0x1d5/0x580 [ 25.264536] ? lock_acquire+0x1d5/0x580 [ 25.264542] ? ep_free+0xf4/0x320 [ 25.264547] ? lock_release+0xa40/0xa40 [ 25.264551] ? trace_event_raw_event_sched_switch+0x800/0x800 [ 25.264555] ? print_irqtrace_events+0x270/0x270 [ 25.264558] ? print_irqtrace_events+0x270/0x270 [ 25.264564] ? rcu_note_context_switch+0x710/0x710 [ 25.264569] ? __might_sleep+0x95/0x190 [ 25.264572] ? ep_free+0xf4/0x320 [ 25.264577] ? __mutex_lock+0x16f/0x1a80 [ 25.264580] ? ep_free+0xf4/0x320 [ 25.264584] ? print_irqtrace_events+0x270/0x270 [ 25.264587] ? ep_free+0xf4/0x320 [ 25.264592] lock_acquire+0x1d5/0x580 [ 25.264595] ? lock_acquire+0x1d5/0x580 [ 25.264599] ? remove_wait_queue+0x81/0x350 [ 25.264603] ? lock_release+0xa40/0xa40 [ 25.264608] ? lock_acquire+0x1d5/0x580 [ 25.264612] ? debug_check_no_locks_freed+0x3c0/0x3c0 [ 25.264615] ? lock_acquire+0x1d5/0x580 [ 25.264619] ? ep_unregister_pollwait.isra.7+0x323/0x590 [ 25.264624] _raw_spin_lock_irqsave+0x96/0xc0 [ 25.264627] ? remove_wait_queue+0x81/0x350 [ 25.264631] remove_wait_queue+0x81/0x350 [ 25.264636] ? depot_save_stack+0x3b5/0x490 [ 25.264640] ? add_wait_queue+0x290/0x290 [ 25.264644] ? rcutorture_record_progress+0x10/0x10 [ 25.264647] ? lock_release+0xa40/0xa40 [ 25.264653] ep_unregister_pollwait.isra.7+0x18c/0x590 [ 25.264657] ? 
__kernel_text_address+0xd/0x40 [ 25.264662] ? clear_tfile_check_list+0x370/0x370 [ 25.264666] ? check_noncircular+0x20/0x20 [ 25.264672] ? locks_remove_file+0x3fa/0x5a0 [ 25.264677] ep_free+0x13f/0x320 [ 25.264681] ? ep_remove+0x800/0x800 [ 25.264684] ? fsnotify_first_mark+0x2b0/0x2b0 [ 25.264688] ? ep_free+0x320/0x320 [ 25.264692] ep_eventpoll_release+0x44/0x60 [ 25.264696] __fput+0x327/0x7e0 [ 25.264701] ? fput+0x140/0x140 [ 25.264706] ? _raw_spin_unlock_irq+0x27/0x70 [ 25.264711] ____fput+0x15/0x20 [ 25.264715] task_work_run+0x199/0x270 [ 25.264719] ? task_work_cancel+0x210/0x210 [ 25.264723] ? _raw_spin_unlock+0x22/0x30 [ 25.264726] ? switch_task_namespaces+0x87/0xc0 [ 25.264732] do_exit+0x9bb/0x1ad0 [ 25.264736] ? __handle_mm_fault+0x2330/0x3ce0 [ 25.264741] ? mm_update_next_owner+0x930/0x930 [ 25.264746] ? do_raw_spin_trylock+0x190/0x190 [ 25.264751] ? trace_event_raw_event_sched_switch+0x800/0x800 [ 25.264754] ? check_noncircular+0x20/0x20 [ 25.264758] ? _raw_spin_unlock+0x22/0x30 [ 25.264762] ? __handle_mm_fault+0x80e/0x3ce0 [ 25.264766] ? check_noncircular+0x20/0x20 [ 25.264769] ? __pmd_alloc+0x4e0/0x4e0 [ 25.264772] ? lock_downgrade+0x980/0x980 [ 25.264777] ? find_held_lock+0x35/0x1d0 [ 25.264782] ? handle_mm_fault+0x248/0x8d0 [ 25.264786] ? find_held_lock+0x35/0x1d0 [ 25.264792] ? __do_page_fault+0x5f7/0xc90 [ 25.264795] ? lock_downgrade+0x980/0x980 [ 25.264800] ? handle_mm_fault+0x410/0x8d0 [ 25.264803] ? down_read_trylock+0xdb/0x170 [ 25.264807] ? __do_page_fault+0x32d/0xc90 [ 25.264810] ? __handle_mm_fault+0x3ce0/0x3ce0 [ 25.264815] ? vmacache_find+0x5f/0x280 [ 25.264820] do_group_exit+0x149/0x400 [ 25.264823] ? __do_page_fault+0x3d6/0xc90 [ 25.264827] ? SyS_exit+0x30/0x30 [ 25.264832] ? do_fast_syscall_32+0x156/0xf9d [ 25.264836] ? do_group_exit+0x400/0x400 [ 25.264840] SyS_exit_group+0x1d/0x20 [ 25.264843] do_fast_syscall_32+0x3ee/0xf9d [ 25.264849] ? do_int80_syscall_32+0x9d0/0x9d0 [ 25.264852] ? kasan_check_read+0x11/0x20 [ 25.264856] ? 
syscall_return_slowpath+0x550/0x550 [ 25.264861] ? SyS_rt_sigaction+0x94/0x1b0 [ 25.264865] ? SyS_sigprocmask+0x4b0/0x4b0 [ 25.264868] ? SyS_read+0x184/0x220 [ 25.264872] ? retint_user+0x18/0x18 [ 25.264876] ? trace_hardirqs_off_thunk+0x1a/0x1c [ 25.264882] entry_SYSENTER_compat+0x54/0x63 [ 25.264885] RIP: 0023:0xf7f1ac79 [ 25.264887] RSP: 002b:00000000ffbebe1c EFLAGS: 00000292 ORIG_RAX: 00000000000000fc [ 25.264891] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00000000080f0298 [ 25.264893] RDX: 0000000000000000 RSI: 00000000080d9ad8 RDI: 00000000080f02a0 [ 25.264895] RBP: 0000000000000001 R08: 0000000000000000 R09: 0000000000000000 [ 25.264897] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000 [ 25.264899] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000 [ 25.264904] [ 25.264906] Allocated by task 3497: [ 25.264909] save_stack+0x43/0xd0 [ 25.264912] kasan_kmalloc+0xad/0xe0 [ 25.264915] kmem_cache_alloc_trace+0x136/0x750 [ 25.264919] binder_get_thread+0x1cf/0x870 [ 25.264921] binder_poll+0x8c/0x390 [ 25.264924] ep_item_poll.isra.10+0xec/0x320 [ 25.264927] ep_insert+0x6a3/0x1b10 [ 25.264930] SyS_epoll_ctl+0x12e4/0x1ab0 [ 25.264933] do_fast_syscall_32+0x3ee/0xf9d [ 25.264937] entry_SYSENTER_compat+0x54/0x63 [ 25.264938] [ 25.264939] Freed by task 3497: [ 25.264942] save_stack+0x43/0xd0 [ 25.264944] kasan_slab_free+0x71/0xc0 [ 25.264947] kfree+0xd6/0x260 [ 25.264949] binder_thread_dec_tmpref+0x27f/0x310 [ 25.264952] binder_thread_release+0x27d/0x540 [ 25.264955] binder_ioctl+0xc02/0x1417 [ 25.264958] compat_SyS_ioctl+0x151/0x2a30 [ 25.264961] do_fast_syscall_32+0x3ee/0xf9d [ 25.264964] entry_SYSENTER_compat+0x54/0x63 [ 25.264965] [ 25.264968] The buggy address belongs to the object at ffff8801ce70b500 [ 25.264968] which belongs to the cache kmalloc-512 of size 512 [ 25.264971] The buggy address is located 176 bytes inside of [ 25.264971] 512-byte region [ffff8801ce70b500, ffff8801ce70b700) [ 25.264972] The buggy address belongs to 
the page: [ 25.264975] page:00000000d74a5580 count:1 mapcount:0 mapping:00000000a252dfe5 index:0x0 [ 25.264979] flags: 0x2fffc0000000100(slab) [ 25.264985] raw: 02fffc0000000100 ffff8801ce70b000 0000000000000000 0000000100000006 [ 25.264989] raw: ffffea00071e37a0 ffffea00071e3820 ffff8801dac00940 0000000000000000 [ 25.264991] page dumped because: kasan: bad access detected [ 25.264991] [ 25.264992] Memory state around the buggy address: [ 25.264995] ffff8801ce70b480: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 25.264998] ffff8801ce70b500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 25.265000] >ffff8801ce70b580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 25.265005] ^ [ 25.265008] ffff8801ce70b600: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 25.265010] ffff8801ce70b680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 25.265011] ================================================================== [ 25.265012] Disabling lock debugging due to kernel taint [ 25.265015] Kernel panic - not syncing: panic_on_warn set ... [ 25.265015] [ 25.265019] CPU: 1 PID: 3497 Comm: syzkaller187012 Tainted: G B 4.15.0-rc6+ #155 [ 25.265021] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 25.265022] Call Trace: [ 25.265025] dump_stack+0x194/0x257 [ 25.265030] ? arch_local_irq_restore+0x53/0x53 [ 25.265033] ? kasan_end_report+0x32/0x50 [ 25.265037] ? lock_downgrade+0x980/0x980 [ 25.265041] ? vsnprintf+0x1ed/0x1900 [ 25.265045] ? __lock_acquire+0x3c70/0x3e00 [ 25.265048] panic+0x1e4/0x41c [ 25.265052] ? refcount_error_report+0x214/0x214 [ 25.265056] ? add_taint+0x40/0x50 [ 25.265059] ? add_taint+0x1c/0x50 [ 25.265063] ? __lock_acquire+0x3d4d/0x3e00 [ 25.265066] kasan_end_report+0x50/0x50 [ 25.265070] kasan_report+0x144/0x340 [ 25.265074] __asan_report_load8_noabort+0x14/0x20 [ 25.265078] __lock_acquire+0x3d4d/0x3e00 [ 25.265081] ? __lock_acquire+0x664/0x3e00 [ 25.265085] ? lock_downgrade+0x980/0x980 [ 25.265088] ? 
lock_downgrade+0x980/0x980 [ 25.265091] ? print_irqtrace_events+0x270/0x270 [ 25.265095] ? remove_wait_queue+0x81/0x350 [ 25.265100] ? debug_check_no_locks_freed+0x3c0/0x3c0 [ 25.265104] ? __lock_acquire+0x664/0x3e00 [ 25.265107] ? check_noncircular+0x20/0x20 [ 25.265114] ? debug_check_no_locks_freed+0x3c0/0x3c0 [ 25.265118] ? lock_acquire+0x1d5/0x580 [ 25.265121] ? lock_acquire+0x1d5/0x580 [ 25.265124] ? ep_free+0xf4/0x320 [ 25.265128] ? lock_release+0xa40/0xa40 [ 25.265132] ? trace_event_raw_event_sched_switch+0x800/0x800 [ 25.265135] ? print_irqtrace_events+0x270/0x270 [ 25.265139] ? print_irqtrace_events+0x270/0x270 [ 25.265142] ? rcu_note_context_switch+0x710/0x710 [ 25.265147] ? __might_sleep+0x95/0x190 [ 25.265150] ? ep_free+0xf4/0x320 [ 25.265153] ? __mutex_lock+0x16f/0x1a80 [ 25.265156] ? ep_free+0xf4/0x320 [ 25.265160] ? print_irqtrace_events+0x270/0x270 [ 25.265163] ? ep_free+0xf4/0x320 [ 25.265168] lock_acquire+0x1d5/0x580 [ 25.265171] ? lock_acquire+0x1d5/0x580 [ 25.265175] ? remove_wait_queue+0x81/0x350 [ 25.265179] ? lock_release+0xa40/0xa40 [ 25.265184] ? lock_acquire+0x1d5/0x580 [ 25.265187] ? debug_check_no_locks_freed+0x3c0/0x3c0 [ 25.265190] ? lock_acquire+0x1d5/0x580 [ 25.265194] ? ep_unregister_pollwait.isra.7+0x323/0x590 [ 25.265198] _raw_spin_lock_irqsave+0x96/0xc0 [ 25.265202] ? remove_wait_queue+0x81/0x350 [ 25.265205] remove_wait_queue+0x81/0x350 [ 25.265209] ? depot_save_stack+0x3b5/0x490 [ 25.265213] ? add_wait_queue+0x290/0x290 [ 25.265216] ? rcutorture_record_progress+0x10/0x10 [ 25.265224] ? lock_release+0xa40/0xa40 [ 25.265229] ep_unregister_pollwait.isra.7+0x18c/0x590 [ 25.265233] ? __kernel_text_address+0xd/0x40 [ 25.265238] ? clear_tfile_check_list+0x370/0x370 [ 25.265242] ? check_noncircular+0x20/0x20 [ 25.265246] ? locks_remove_file+0x3fa/0x5a0 [ 25.265251] ep_free+0x13f/0x320 [ 25.265255] ? ep_remove+0x800/0x800 [ 25.265258] ? fsnotify_first_mark+0x2b0/0x2b0 [ 25.265263] ? 
ep_free+0x320/0x320 [ 25.265266] ep_eventpoll_release+0x44/0x60 [ 25.265270] __fput+0x327/0x7e0 [ 25.265274] ? fput+0x140/0x140 [ 25.265278] ? _raw_spin_unlock_irq+0x27/0x70 [ 25.265283] ____fput+0x15/0x20 [ 25.265287] task_work_run+0x199/0x270 [ 25.265291] ? task_work_cancel+0x210/0x210 [ 25.265295] ? _raw_spin_unlock+0x22/0x30 [ 25.265299] ? switch_task_namespaces+0x87/0xc0 [ 25.265303] do_exit+0x9bb/0x1ad0 [ 25.265306] ? __handle_mm_fault+0x2330/0x3ce0 [ 25.265311] ? mm_update_next_owner+0x930/0x930 [ 25.265316] ? do_raw_spin_trylock+0x190/0x190 [ 25.265320] ? trace_event_raw_event_sched_switch+0x800/0x800 [ 25.265324] ? check_noncircular+0x20/0x20 [ 25.265328] ? _raw_spin_unlock+0x22/0x30 [ 25.265331] ? __handle_mm_fault+0x80e/0x3ce0 [ 25.265336] ? check_noncircular+0x20/0x20 [ 25.265339] ? __pmd_alloc+0x4e0/0x4e0 [ 25.265342] ? lock_downgrade+0x980/0x980 [ 25.265346] ? find_held_lock+0x35/0x1d0 [ 25.265351] ? handle_mm_fault+0x248/0x8d0 [ 25.265355] ? find_held_lock+0x35/0x1d0 [ 25.265360] ? __do_page_fault+0x5f7/0xc90 [ 25.265364] ? lock_downgrade+0x980/0x980 [ 25.265369] ? handle_mm_fault+0x410/0x8d0 [ 25.265372] ? down_read_trylock+0xdb/0x170 [ 25.265375] ? __do_page_fault+0x32d/0xc90 [ 25.265378] ? __handle_mm_fault+0x3ce0/0x3ce0 [ 25.265382] ? vmacache_find+0x5f/0x280 [ 25.265387] do_group_exit+0x149/0x400 [ 25.265390] ? __do_page_fault+0x3d6/0xc90 [ 25.265394] ? SyS_exit+0x30/0x30 [ 25.265398] ? do_fast_syscall_32+0x156/0xf9d [ 25.265402] ? do_group_exit+0x400/0x400 [ 25.265405] SyS_exit_group+0x1d/0x20 [ 25.265409] do_fast_syscall_32+0x3ee/0xf9d [ 25.265414] ? do_int80_syscall_32+0x9d0/0x9d0 [ 25.265417] ? kasan_check_read+0x11/0x20 [ 25.265421] ? syscall_return_slowpath+0x550/0x550 [ 25.265425] ? SyS_rt_sigaction+0x94/0x1b0 [ 25.265429] ? SyS_sigprocmask+0x4b0/0x4b0 [ 25.265432] ? SyS_read+0x184/0x220 [ 25.265436] ? retint_user+0x18/0x18 [ 25.265440] ? 
trace_hardirqs_off_thunk+0x1a/0x1c [ 25.265445] entry_SYSENTER_compat+0x54/0x63 [ 25.265448] RIP: 0023:0xf7f1ac79 [ 25.265450] RSP: 002b:00000000ffbebe1c EFLAGS: 00000292 ORIG_RAX: 00000000000000fc [ 25.265453] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00000000080f0298 [ 25.265455] RDX: 0000000000000000 RSI: 00000000080d9ad8 RDI: 00000000080f02a0 [ 25.265457] RBP: 0000000000000001 R08: 0000000000000000 R09: 0000000000000000 [ 25.265459] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000 [ 25.265461] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000 [ 25.286092] Dumping ftrace buffer: [ 25.286096] (ftrace buffer empty) [ 25.286097] Kernel Offset: disabled [ 26.566098] Rebooting in 86400 seconds..