[....] Starting enhanced syslogd: rsyslogd[   11.886812] audit: type=1400 audit(1514579415.848:5): avc:  denied  { syslog } for  pid=2993 comm="rsyslogd" capability=34  scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=capability2 permissive=1
[?25l[?1c7[1G[[32m ok [39;49m8[?25h[?0c.
[....] Starting periodic command scheduler: cron[?25l[?1c7[1G[[32m ok [39;49m8[?25h[?0c.
Starting mcstransd: 
[....] Starting file context maintaining daemon: restorecond[?25l[?1c7[1G[[32m ok [39;49m8[?25h[?0c.
[....] Starting OpenBSD Secure Shell server: sshd[?25l[?1c7[1G[[32m ok [39;49m8[?25h[?0c.

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [   17.019982] audit: type=1400 audit(1514579420.981:6): avc:  denied  { map } for  pid=3133 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
Warning: Permanently added '10.128.0.56' (ECDSA) to the list of known hosts.
executing program
[   23.207133] audit: type=1400 audit(1514579427.166:7): avc:  denied  { map } for  pid=3147 comm="syzkaller269420" path="/root/syzkaller269420631" dev="sda1" ino=16481 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
[   23.211047] ==================================================================
[   23.211062] BUG: KASAN: use-after-free in __lock_acquire+0x3d4d/0x3e00
[   23.211068] Read of size 8 at addr ffff8801ca14fd70 by task syzkaller269420/3147
[   23.211069] 
[   23.211076] CPU: 1 PID: 3147 Comm: syzkaller269420 Not tainted 4.15.0-rc5+ #150
[   23.211079] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   23.211081] Call Trace:
[   23.211090]  dump_stack+0x194/0x257
[   23.211098]  ? arch_local_irq_restore+0x53/0x53
[   23.211105]  ? show_regs_print_info+0x18/0x18
[   23.211111]  ? print_irqtrace_events+0x270/0x270
[   23.211117]  ? __lock_acquire+0x664/0x3e00
[   23.211124]  ? __lock_acquire+0x3d4d/0x3e00
[   23.211132]  print_address_description+0x73/0x250
[   23.211138]  ? __lock_acquire+0x3d4d/0x3e00
[   23.211144]  kasan_report+0x25b/0x340
[   23.211152]  __asan_report_load8_noabort+0x14/0x20
[   23.211157]  __lock_acquire+0x3d4d/0x3e00
[   23.211163]  ? __lock_acquire+0x664/0x3e00
[   23.211169]  ? lock_downgrade+0x980/0x980
[   23.211174]  ? lock_downgrade+0x980/0x980
[   23.211180]  ? print_irqtrace_events+0x270/0x270
[   23.211187]  ? remove_wait_queue+0x81/0x350
[   23.211196]  ? debug_check_no_locks_freed+0x3c0/0x3c0
[   23.211203]  ? __lock_acquire+0x664/0x3e00
[   23.211208]  ? check_noncircular+0x20/0x20
[   23.211220]  ? debug_check_no_locks_freed+0x3c0/0x3c0
[   23.211227]  ? lock_acquire+0x1d5/0x580
[   23.211233]  ? lock_acquire+0x1d5/0x580
[   23.211239]  ? ep_free+0xf4/0x320
[   23.211247]  ? lock_release+0xa40/0xa40
[   23.211254]  ? trace_event_raw_event_sched_switch+0x800/0x800
[   23.211259]  ? print_irqtrace_events+0x270/0x270
[   23.211265]  ? print_irqtrace_events+0x270/0x270
[   23.211272]  ? rcu_note_context_switch+0x710/0x710
[   23.211279]  ? __might_sleep+0x95/0x190
[   23.211285]  ? ep_free+0xf4/0x320
[   23.211291]  ? __mutex_lock+0x16f/0x1a80
[   23.211295]  ? ep_free+0xf4/0x320
[   23.211302]  ? print_irqtrace_events+0x270/0x270
[   23.211307]  ? ep_free+0xf4/0x320
[   23.211314]  lock_acquire+0x1d5/0x580
[   23.211320]  ? lock_acquire+0x1d5/0x580
[   23.211326]  ? remove_wait_queue+0x81/0x350
[   23.211334]  ? lock_release+0xa40/0xa40
[   23.211343]  ? lock_acquire+0x1d5/0x580
[   23.211348]  ? debug_check_no_locks_freed+0x3c0/0x3c0
[   23.211353]  ? lock_acquire+0x1d5/0x580
[   23.211359]  ? ep_unregister_pollwait.isra.7+0x323/0x590
[   23.211366]  _raw_spin_lock_irqsave+0x96/0xc0
[   23.211372]  ? remove_wait_queue+0x81/0x350
[   23.211378]  remove_wait_queue+0x81/0x350
[   23.211385]  ? depot_save_stack+0x3b5/0x490
[   23.211392]  ? add_wait_queue+0x290/0x290
[   23.211398]  ? rcutorture_record_progress+0x10/0x10
[   23.211403]  ? lock_release+0xa40/0xa40
[   23.211412]  ep_unregister_pollwait.isra.7+0x18c/0x590
[   23.211418]  ? __kernel_text_address+0xd/0x40
[   23.211426]  ? clear_tfile_check_list+0x370/0x370
[   23.211433]  ? check_noncircular+0x20/0x20
[   23.211441]  ? locks_remove_file+0x3fa/0x5a0
[   23.211449]  ep_free+0x13f/0x320
[   23.211455]  ? ep_remove+0x800/0x800
[   23.211462]  ? fsnotify_first_mark+0x2b0/0x2b0
[   23.211469]  ? ep_free+0x320/0x320
[   23.211474]  ep_eventpoll_release+0x44/0x60
[   23.211480]  __fput+0x327/0x7e0
[   23.211488]  ? fput+0x140/0x140
[   23.211495]  ? _raw_spin_unlock_irq+0x27/0x70
[   23.211503]  ____fput+0x15/0x20
[   23.211509]  task_work_run+0x199/0x270
[   23.211516]  ? task_work_cancel+0x210/0x210
[   23.211522]  ? _raw_spin_unlock+0x22/0x30
[   23.211528]  ? switch_task_namespaces+0x87/0xc0
[   23.211536]  do_exit+0x9bb/0x1ad0
[   23.211543]  ? __handle_mm_fault+0x2330/0x3ce0
[   23.211551]  ? mm_update_next_owner+0x930/0x930
[   23.211560]  ? do_raw_spin_trylock+0x190/0x190
[   23.211567]  ? trace_event_raw_event_sched_switch+0x800/0x800
[   23.211573]  ? check_noncircular+0x20/0x20
[   23.211580]  ? _raw_spin_unlock+0x22/0x30
[   23.211586]  ? __handle_mm_fault+0x80e/0x3ce0
[   23.211593]  ? check_noncircular+0x20/0x20
[   23.211598]  ? __pmd_alloc+0x4e0/0x4e0
[   23.211603]  ? lock_downgrade+0x980/0x980
[   23.211611]  ? find_held_lock+0x35/0x1d0
[   23.211620]  ? handle_mm_fault+0x248/0x8d0
[   23.211627]  ? find_held_lock+0x35/0x1d0
[   23.211636]  ? __do_page_fault+0x5f7/0xc90
[   23.211642]  ? lock_downgrade+0x980/0x980
[   23.211651]  ? handle_mm_fault+0x410/0x8d0
[   23.211656]  ? down_read_trylock+0xdb/0x170
[   23.211661]  ? __do_page_fault+0x32d/0xc90
[   23.211667]  ? __handle_mm_fault+0x3ce0/0x3ce0
[   23.211673]  ? vmacache_find+0x5f/0x280
[   23.211682]  do_group_exit+0x149/0x400
[   23.211688]  ? __do_page_fault+0x3d6/0xc90
[   23.211694]  ? SyS_exit+0x30/0x30
[   23.211702]  ? do_fast_syscall_32+0x156/0xf9d
[   23.211708]  ? do_group_exit+0x400/0x400
[   23.211714]  SyS_exit_group+0x1d/0x20
[   23.211720]  do_fast_syscall_32+0x3ee/0xf9d
[   23.211729]  ? do_int80_syscall_32+0x9d0/0x9d0
[   23.211734]  ? kasan_check_read+0x11/0x20
[   23.211741]  ? syscall_return_slowpath+0x550/0x550
[   23.211748]  ? SyS_rt_sigaction+0x94/0x1b0
[   23.211754]  ? SyS_sigprocmask+0x4b0/0x4b0
[   23.211759]  ? SyS_read+0x184/0x220
[   23.211765]  ? retint_user+0x18/0x18
[   23.211773]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   23.211782]  entry_SYSENTER_compat+0x54/0x63
[   23.211786] RIP: 0023:0xf7f62c79
[   23.211790] RSP: 002b:00000000fff36aac EFLAGS: 00000292 ORIG_RAX: 00000000000000fc
[   23.211796] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00000000080f0298
[   23.211799] RDX: 0000000000000000 RSI: 00000000080d9ad8 RDI: 00000000080f02a0
[   23.211803] RBP: 0000000000000001 R08: 0000000000000000 R09: 0000000000000000
[   23.211806] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
[   23.211809] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[   23.211817] 
[   23.211819] Allocated by task 3147:
[   23.211825]  save_stack+0x43/0xd0
[   23.211829]  kasan_kmalloc+0xad/0xe0
[   23.211835]  kmem_cache_alloc_trace+0x136/0x750
[   23.211842]  binder_get_thread+0x1cf/0x870
[   23.211846]  binder_poll+0x8c/0x390
[   23.211850]  ep_item_poll.isra.10+0xec/0x320
[   23.211855]  ep_insert+0x6a3/0x1b10
[   23.211859]  SyS_epoll_ctl+0x12e4/0x1ab0
[   23.211864]  do_fast_syscall_32+0x3ee/0xf9d
[   23.211870]  entry_SYSENTER_compat+0x54/0x63
[   23.211871] 
[   23.211873] Freed by task 3147:
[   23.211877]  save_stack+0x43/0xd0
[   23.211881]  kasan_slab_free+0x71/0xc0
[   23.211885]  kfree+0xd6/0x260
[   23.211890]  binder_thread_dec_tmpref+0x27f/0x310
[   23.211895]  binder_thread_release+0x27d/0x540
[   23.211900]  binder_ioctl+0xc02/0x1417
[   23.211905]  compat_SyS_ioctl+0x151/0x2a30
[   23.211910]  do_fast_syscall_32+0x3ee/0xf9d
[   23.211915]  entry_SYSENTER_compat+0x54/0x63
[   23.211916] 
[   23.211920] The buggy address belongs to the object at ffff8801ca14fcc0
[   23.211920]  which belongs to the cache kmalloc-512 of size 512
[   23.211932] The buggy address is located 176 bytes inside of
[   23.211932]  512-byte region [ffff8801ca14fcc0, ffff8801ca14fec0)
[   23.211934] The buggy address belongs to the page:
[   23.211939] page:00000000cbc923f1 count:1 mapcount:0 mapping:0000000081ef7f61 index:0x0
[   23.211944] flags: 0x2fffc0000000100(slab)
[   23.211953] raw: 02fffc0000000100 ffff8801ca14f040 0000000000000000 0000000100000006
[   23.211959] raw: ffffea0007283c60 ffffea0007285460 ffff8801db000940 0000000000000000
[   23.211962] page dumped because: kasan: bad access detected
[   23.211963] 
[   23.211964] Memory state around the buggy address:
[   23.211969]  ffff8801ca14fc00: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[   23.211973]  ffff8801ca14fc80: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
[   23.211977] >ffff8801ca14fd00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   23.211980]                                                              ^
[   23.211984]  ffff8801ca14fd80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   23.211988]  ffff8801ca14fe00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   23.211990] ==================================================================
[   23.211992] Disabling lock debugging due to kernel taint
[   23.211995] Kernel panic - not syncing: panic_on_warn set ...
[   23.211995] 
[   23.212004] CPU: 1 PID: 3147 Comm: syzkaller269420 Tainted: G    B            4.15.0-rc5+ #150
[   23.212006] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   23.212008] Call Trace:
[   23.212014]  dump_stack+0x194/0x257
[   23.212021]  ? arch_local_irq_restore+0x53/0x53
[   23.212026]  ? kasan_end_report+0x32/0x50
[   23.212032]  ? lock_downgrade+0x980/0x980
[   23.212038]  ? vsnprintf+0x1ed/0x1900
[   23.212045]  ? __lock_acquire+0x3cd0/0x3e00
[   23.212050]  panic+0x1e4/0x41c
[   23.212055]  ? refcount_error_report+0x214/0x214
[   23.212062]  ? add_taint+0x40/0x50
[   23.212067]  ? add_taint+0x1c/0x50
[   23.212074]  ? __lock_acquire+0x3d4d/0x3e00
[   23.212080]  kasan_end_report+0x50/0x50
[   23.212085]  kasan_report+0x144/0x340
[   23.212093]  __asan_report_load8_noabort+0x14/0x20
[   23.212098]  __lock_acquire+0x3d4d/0x3e00
[   23.212104]  ? __lock_acquire+0x664/0x3e00
[   23.212110]  ? lock_downgrade+0x980/0x980
[   23.212115]  ? lock_downgrade+0x980/0x980
[   23.212121]  ? print_irqtrace_events+0x270/0x270
[   23.212127]  ? remove_wait_queue+0x81/0x350
[   23.212136]  ? debug_check_no_locks_freed+0x3c0/0x3c0
[   23.212142]  ? __lock_acquire+0x664/0x3e00
[   23.212147]  ? check_noncircular+0x20/0x20
[   23.212159]  ? debug_check_no_locks_freed+0x3c0/0x3c0
[   23.212166]  ? lock_acquire+0x1d5/0x580
[   23.212171]  ? lock_acquire+0x1d5/0x580
[   23.212176]  ? ep_free+0xf4/0x320
[   23.212184]  ? lock_release+0xa40/0xa40
[   23.212190]  ? trace_event_raw_event_sched_switch+0x800/0x800
[   23.212195]  ? print_irqtrace_events+0x270/0x270
[   23.212201]  ? print_irqtrace_events+0x270/0x270
[   23.212207]  ? rcu_note_context_switch+0x710/0x710
[   23.212214]  ? __might_sleep+0x95/0x190
[   23.212220]  ? ep_free+0xf4/0x320
[   23.212225]  ? __mutex_lock+0x16f/0x1a80
[   23.212229]  ? ep_free+0xf4/0x320
[   23.212236]  ? print_irqtrace_events+0x270/0x270
[   23.212240]  ? ep_free+0xf4/0x320
[   23.212248]  lock_acquire+0x1d5/0x580
[   23.212253]  ? lock_acquire+0x1d5/0x580
[   23.212259]  ? remove_wait_queue+0x81/0x350
[   23.212267]  ? lock_release+0xa40/0xa40
[   23.212276]  ? lock_acquire+0x1d5/0x580
[   23.212281]  ? debug_check_no_locks_freed+0x3c0/0x3c0
[   23.212286]  ? lock_acquire+0x1d5/0x580
[   23.212292]  ? ep_unregister_pollwait.isra.7+0x323/0x590
[   23.212299]  _raw_spin_lock_irqsave+0x96/0xc0
[   23.212304]  ? remove_wait_queue+0x81/0x350
[   23.212311]  remove_wait_queue+0x81/0x350
[   23.212316]  ? depot_save_stack+0x3b5/0x490
[   23.212323]  ? add_wait_queue+0x290/0x290
[   23.212329]  ? rcutorture_record_progress+0x10/0x10
[   23.212334]  ? lock_release+0xa40/0xa40
[   23.212342]  ep_unregister_pollwait.isra.7+0x18c/0x590
[   23.212349]  ? __kernel_text_address+0xd/0x40
[   23.212356]  ? clear_tfile_check_list+0x370/0x370
[   23.212363]  ? check_noncircular+0x20/0x20
[   23.212371]  ? locks_remove_file+0x3fa/0x5a0
[   23.212379]  ep_free+0x13f/0x320
[   23.212385]  ? ep_remove+0x800/0x800
[   23.212391]  ? fsnotify_first_mark+0x2b0/0x2b0
[   23.212398]  ? ep_free+0x320/0x320
[   23.212403]  ep_eventpoll_release+0x44/0x60
[   23.212409]  __fput+0x327/0x7e0
[   23.212416]  ? fput+0x140/0x140
[   23.212422]  ? _raw_spin_unlock_irq+0x27/0x70
[   23.212430]  ____fput+0x15/0x20
[   23.212436]  task_work_run+0x199/0x270
[   23.212443]  ? task_work_cancel+0x210/0x210
[   23.212449]  ? _raw_spin_unlock+0x22/0x30
[   23.212455]  ? switch_task_namespaces+0x87/0xc0
[   23.212463]  do_exit+0x9bb/0x1ad0
[   23.212469]  ? __handle_mm_fault+0x2330/0x3ce0
[   23.212476]  ? mm_update_next_owner+0x930/0x930
[   23.212485]  ? do_raw_spin_trylock+0x190/0x190
[   23.212492]  ? trace_event_raw_event_sched_switch+0x800/0x800
[   23.212498]  ? check_noncircular+0x20/0x20
[   23.212505]  ? _raw_spin_unlock+0x22/0x30
[   23.212510]  ? __handle_mm_fault+0x80e/0x3ce0
[   23.212518]  ? check_noncircular+0x20/0x20
[   23.212523]  ? __pmd_alloc+0x4e0/0x4e0
[   23.212528]  ? lock_downgrade+0x980/0x980
[   23.212536]  ? find_held_lock+0x35/0x1d0
[   23.212544]  ? handle_mm_fault+0x248/0x8d0
[   23.212551]  ? find_held_lock+0x35/0x1d0
[   23.212559]  ? __do_page_fault+0x5f7/0xc90
[   23.212566]  ? lock_downgrade+0x980/0x980
[   23.212574]  ? handle_mm_fault+0x410/0x8d0
[   23.212579]  ? down_read_trylock+0xdb/0x170
[   23.212584]  ? __do_page_fault+0x32d/0xc90
[   23.212590]  ? __handle_mm_fault+0x3ce0/0x3ce0
[   23.212596]  ? vmacache_find+0x5f/0x280
[   23.212604]  do_group_exit+0x149/0x400
[   23.212610]  ? __do_page_fault+0x3d6/0xc90
[   23.212616]  ? SyS_exit+0x30/0x30
[   23.212623]  ? do_fast_syscall_32+0x156/0xf9d
[   23.212629]  ? do_group_exit+0x400/0x400
[   23.212635]  SyS_exit_group+0x1d/0x20
[   23.212641]  do_fast_syscall_32+0x3ee/0xf9d
[   23.212649]  ? do_int80_syscall_32+0x9d0/0x9d0
[   23.212655]  ? kasan_check_read+0x11/0x20
[   23.212662]  ? syscall_return_slowpath+0x550/0x550
[   23.212668]  ? SyS_rt_sigaction+0x94/0x1b0
[   23.212675]  ? SyS_sigprocmask+0x4b0/0x4b0
[   23.212679]  ? SyS_read+0x184/0x220
[   23.212685]  ? retint_user+0x18/0x18
[   23.212693]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   23.212702]  entry_SYSENTER_compat+0x54/0x63
[   23.212705] RIP: 0023:0xf7f62c79
[   23.212708] RSP: 002b:00000000fff36aac EFLAGS: 00000292 ORIG_RAX: 00000000000000fc
[   23.212714] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00000000080f0298
[   23.212717] RDX: 0000000000000000 RSI: 00000000080d9ad8 RDI: 00000000080f02a0
[   23.212720] RBP: 0000000000000001 R08: 0000000000000000 R09: 0000000000000000
[   23.212723] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
[   23.212726] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[   23.233464] Dumping ftrace buffer:
[   23.233468]    (ftrace buffer empty)
[   23.233471] Kernel Offset: disabled
[   24.516350] Rebooting in 86400 seconds..