[....] Starting enhanced syslogd: rsyslogd
[ 16.826442] audit: type=1400 audit(1520529501.136:5): avc: denied { syslog } for pid=4093 comm="rsyslogd" capability=34 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=capability2 permissive=1
[ ok ] Starting periodic command scheduler: cron.
Starting mcstransd:
[ ok ] Starting file context maintaining daemon: restorecond.
[ ok ] Starting OpenBSD Secure Shell server: sshd.

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [ 21.740844] audit: type=1400 audit(1520529506.050:6): avc: denied { map } for pid=4232 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
Warning: Permanently added '10.128.0.22' (ECDSA) to the list of known hosts.
executing program
[ 28.128617] audit: type=1400 audit(1520529512.438:7): avc: denied { map } for pid=4246 comm="syzkaller460708" path="/root/syzkaller460708996" dev="sda1" ino=16481 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
[ 28.134704] ==================================================================
[ 28.161965] BUG: KASAN: use-after-free in ucma_close+0x2d7/0x2f0
[ 28.168085] Read of size 8 at addr ffff8801ad00fd00 by task syzkaller460708/4246
[ 28.175589]
[ 28.177189] CPU: 0 PID: 4246 Comm: syzkaller460708 Not tainted 4.16.0-rc4+ #346
[ 28.184605] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 28.193931] Call Trace:
[ 28.196496]  dump_stack+0x194/0x24d
[ 28.200106]  ? arch_local_irq_restore+0x53/0x53
[ 28.204747]  ? show_regs_print_info+0x18/0x18
[ 28.209221]  ? ucma_close+0x2d7/0x2f0
[ 28.212999]  print_address_description+0x73/0x250
[ 28.217814]  ? ucma_close+0x2d7/0x2f0
[ 28.221586]  kasan_report+0x23c/0x360
[ 28.225364]  __asan_report_load8_noabort+0x14/0x20
[ 28.230268]  ucma_close+0x2d7/0x2f0
[ 28.233867]  ? __might_sleep+0x95/0x190
[ 28.237817]  ? ucma_free_ctx+0xd90/0xd90
[ 28.241848]  __fput+0x327/0x7e0
[ 28.245124]  ? fput+0x140/0x140
[ 28.248379]  ? _raw_spin_unlock_irq+0x27/0x70
[ 28.252850]  ____fput+0x15/0x20
[ 28.256106]  task_work_run+0x199/0x270
[ 28.259966]  ? task_work_cancel+0x210/0x210
[ 28.264259]  ? _raw_spin_unlock+0x22/0x30
[ 28.268382]  ? switch_task_namespaces+0x87/0xc0
[ 28.273027]  do_exit+0x9bb/0x1ad0
[ 28.276449]  ? ucma_create_id+0x45b/0x620
[ 28.280573]  ? mm_update_next_owner+0x930/0x930
[ 28.285213]  ? ucma_create_id+0x17b/0x620
[ 28.289333]  ? ucma_get_event+0xa90/0xa90
[ 28.293459]  ? __might_sleep+0x95/0x190
[ 28.297411]  ? kasan_check_write+0x14/0x20
[ 28.301618]  ? _copy_from_user+0x99/0x110
[ 28.305743]  ? ucma_write+0x11f/0x3d0
[ 28.309514]  ? ucma_get_event+0xa90/0xa90
[ 28.313659]  ? ucma_resolve_route+0x1a0/0x1a0
[ 28.318139]  ? ucma_resolve_route+0x1a0/0x1a0
[ 28.322611]  ? __vfs_write+0xf7/0x970
[ 28.326399]  ? rcu_note_context_switch+0x710/0x710
[ 28.331304]  ? kernel_read+0x120/0x120
[ 28.335167]  ? __might_sleep+0x95/0x190
[ 28.339120]  ? _cond_resched+0x14/0x30
[ 28.342979]  ? __inode_security_revalidate+0xd9/0x130
[ 28.348143]  ? avc_policy_seqno+0x9/0x20
[ 28.352184]  ? security_file_permission+0x89/0x1e0
[ 28.357090]  ? rw_verify_area+0xe5/0x2b0
[ 28.361123]  ? __fdget_raw+0x20/0x20
[ 28.364810]  ? vfs_write+0x224/0x510
[ 28.368503]  do_group_exit+0x149/0x400
[ 28.372364]  ? SyS_write+0x184/0x220
[ 28.376047]  ? filp_open+0x70/0x70
[ 28.379561]  ? SyS_exit+0x30/0x30
[ 28.382996]  ? SyS_read+0x220/0x220
[ 28.386598]  ? do_syscall_64+0xb7/0x940
[ 28.390544]  ? do_group_exit+0x400/0x400
[ 28.394579]  SyS_exit_group+0x1d/0x20
[ 28.398354]  do_syscall_64+0x281/0x940
[ 28.402214]  ? __do_page_fault+0xc90/0xc90
[ 28.406427]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 28.411170]  ? syscall_return_slowpath+0x550/0x550
[ 28.416071]  ? syscall_return_slowpath+0x2ac/0x550
[ 28.420975]  ? prepare_exit_to_usermode+0x350/0x350
[ 28.425964]  ? entry_SYSCALL_64_after_hwframe+0x52/0xb7
[ 28.431303]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 28.436134]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 28.441305] RIP: 0033:0x43e918
[ 28.444479] RSP: 002b:00007ffce1400f68 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
[ 28.452161] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 000000000043e918
[ 28.459403] RDX: 0000000000000000 RSI: 000000000000003c RDI: 0000000000000000
[ 28.466644] RBP: 00000000004be2c0 R08: 00000000000000e7 R09: ffffffffffffffd0
[ 28.473885] R10: 00000000004002c8 R11: 0000000000000246 R12: 0000000000000001
[ 28.481130] R13: 00000000006cc160 R14: 0000000000000000 R15: 0000000000000000
[ 28.488386]
[ 28.489986] Allocated by task 4246:
[ 28.493591]  save_stack+0x43/0xd0
[ 28.497013]  kasan_kmalloc+0xad/0xe0
[ 28.500697]  kmem_cache_alloc_trace+0x136/0x740
[ 28.505337]  ucma_alloc_ctx+0xce/0x610
[ 28.509196]  ucma_create_id+0x205/0x620
[ 28.513144]  ucma_write+0x2d6/0x3d0
[ 28.516742]  __vfs_write+0xef/0x970
[ 28.520338]  vfs_write+0x189/0x510
[ 28.523847]  SyS_write+0xef/0x220
[ 28.527277]  do_syscall_64+0x281/0x940
[ 28.531137]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 28.536291]
[ 28.537890] Freed by task 4246:
[ 28.541141]  save_stack+0x43/0xd0
[ 28.544563]  __kasan_slab_free+0x11a/0x170
[ 28.548766]  kasan_slab_free+0xe/0x10
[ 28.552535]  kfree+0xd9/0x260
[ 28.555611]  ucma_create_id+0x45b/0x620
[ 28.559558]  ucma_write+0x2d6/0x3d0
[ 28.563153]  __vfs_write+0xef/0x970
[ 28.566749]  vfs_write+0x189/0x510
[ 28.570261]  SyS_write+0xef/0x220
[ 28.573684]  do_syscall_64+0x281/0x940
[ 28.577542]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 28.582698]
[ 28.584297] The buggy address belongs to the object at ffff8801ad00fc80
[ 28.584297]  which belongs to the cache kmalloc-256 of size 256
[ 28.596922] The buggy address is located 128 bytes inside of
[ 28.596922]  256-byte region [ffff8801ad00fc80, ffff8801ad00fd80)
[ 28.608765] The buggy address belongs to the page:
[ 28.613665] page:ffffea0006b403c0 count:1 mapcount:0 mapping:ffff8801ad00f000 index:0x0
[ 28.621779] flags: 0x2fffc0000000100(slab)
[ 28.625985] raw: 02fffc0000000100 ffff8801ad00f000 0000000000000000 000000010000000c
[ 28.633838] raw: ffffea0006b6ffe0 ffffea0006b4b220 ffff8801dac007c0 0000000000000000
[ 28.641687] page dumped because: kasan: bad access detected
[ 28.647365]
[ 28.648963] Memory state around the buggy address:
[ 28.653861]  ffff8801ad00fc00: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 28.661204]  ffff8801ad00fc80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 28.668534] >ffff8801ad00fd00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 28.675860]                    ^
[ 28.679194]  ffff8801ad00fd80: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
[ 28.686524]  ffff8801ad00fe00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 28.693850] ==================================================================
[ 28.701182] Disabling lock debugging due to kernel taint
[ 28.706763] Kernel panic - not syncing: panic_on_warn set ...
[ 28.706763]
[ 28.714113] CPU: 0 PID: 4246 Comm: syzkaller460708 Tainted: G B 4.16.0-rc4+ #346
[ 28.722844] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 28.732167] Call Trace:
[ 28.734729]  dump_stack+0x194/0x24d
[ 28.738325]  ? arch_local_irq_restore+0x53/0x53
[ 28.742964]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 28.747689]  ? vsnprintf+0x1ed/0x1900
[ 28.751467]  ? ucma_close+0x240/0x2f0
[ 28.755239]  panic+0x1e4/0x41c
[ 28.758403]  ? refcount_error_report+0x214/0x214
[ 28.763139]  ? add_taint+0x1c/0x50
[ 28.766646]  ? add_taint+0x1c/0x50
[ 28.770161]  ? ucma_close+0x2d7/0x2f0
[ 28.773935]  kasan_end_report+0x50/0x50
[ 28.777879]  kasan_report+0x149/0x360
[ 28.781650]  __asan_report_load8_noabort+0x14/0x20
[ 28.786547]  ucma_close+0x2d7/0x2f0
[ 28.790146]  ? __might_sleep+0x95/0x190
[ 28.794092]  ? ucma_free_ctx+0xd90/0xd90
[ 28.798124]  __fput+0x327/0x7e0
[ 28.801375]  ? fput+0x140/0x140
[ 28.804629]  ? _raw_spin_unlock_irq+0x27/0x70
[ 28.809096]  ____fput+0x15/0x20
[ 28.812348]  task_work_run+0x199/0x270
[ 28.816205]  ? task_work_cancel+0x210/0x210
[ 28.820494]  ? _raw_spin_unlock+0x22/0x30
[ 28.824620]  ? switch_task_namespaces+0x87/0xc0
[ 28.829260]  do_exit+0x9bb/0x1ad0
[ 28.832682]  ? ucma_create_id+0x45b/0x620
[ 28.836799]  ? mm_update_next_owner+0x930/0x930
[ 28.841444]  ? ucma_create_id+0x17b/0x620
[ 28.845561]  ? ucma_get_event+0xa90/0xa90
[ 28.849683]  ? __might_sleep+0x95/0x190
[ 28.853630]  ? kasan_check_write+0x14/0x20
[ 28.857836]  ? _copy_from_user+0x99/0x110
[ 28.861954]  ? ucma_write+0x11f/0x3d0
[ 28.865720]  ? ucma_get_event+0xa90/0xa90
[ 28.869838]  ? ucma_resolve_route+0x1a0/0x1a0
[ 28.874308]  ? ucma_resolve_route+0x1a0/0x1a0
[ 28.878772]  ? __vfs_write+0xf7/0x970
[ 28.882544]  ? rcu_note_context_switch+0x710/0x710
[ 28.887448]  ? kernel_read+0x120/0x120
[ 28.891304]  ? __might_sleep+0x95/0x190
[ 28.895265]  ? _cond_resched+0x14/0x30
[ 28.899123]  ? __inode_security_revalidate+0xd9/0x130
[ 28.904281]  ? avc_policy_seqno+0x9/0x20
[ 28.908317]  ? security_file_permission+0x89/0x1e0
[ 28.913216]  ? rw_verify_area+0xe5/0x2b0
[ 28.917246]  ? __fdget_raw+0x20/0x20
[ 28.920929]  ? vfs_write+0x224/0x510
[ 28.924614]  do_group_exit+0x149/0x400
[ 28.928470]  ? SyS_write+0x184/0x220
[ 28.932154]  ? filp_open+0x70/0x70
[ 28.935663]  ? SyS_exit+0x30/0x30
[ 28.939085]  ? SyS_read+0x220/0x220
[ 28.942692]  ? do_syscall_64+0xb7/0x940
[ 28.946634]  ? do_group_exit+0x400/0x400
[ 28.950665]  SyS_exit_group+0x1d/0x20
[ 28.954437]  do_syscall_64+0x281/0x940
[ 28.958294]  ? __do_page_fault+0xc90/0xc90
[ 28.962498]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 28.967224]  ? syscall_return_slowpath+0x550/0x550
[ 28.972124]  ? syscall_return_slowpath+0x2ac/0x550
[ 28.977027]  ? prepare_exit_to_usermode+0x350/0x350
[ 28.982022]  ? entry_SYSCALL_64_after_hwframe+0x52/0xb7
[ 28.987361]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 28.992175]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 28.997333] RIP: 0033:0x43e918
[ 29.000492] RSP: 002b:00007ffce1400f68 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
[ 29.008168] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 000000000043e918
[ 29.015406] RDX: 0000000000000000 RSI: 000000000000003c RDI: 0000000000000000
[ 29.022644] RBP: 00000000004be2c0 R08: 00000000000000e7 R09: ffffffffffffffd0
[ 29.029882] R10: 00000000004002c8 R11: 0000000000000246 R12: 0000000000000001
[ 29.037131] R13: 00000000006cc160 R14: 0000000000000000 R15: 0000000000000000
[ 29.044880] Dumping ftrace buffer:
[ 29.048405]    (ftrace buffer empty)
[ 29.052094] Kernel Offset: disabled
[ 29.055696] Rebooting in 86400 seconds..