[....] Starting enhanced syslogd: rsyslogd[   13.464417] audit: type=1400 audit(1515874829.034:5): avc:  denied  { syslog } for  pid=3501 comm="rsyslogd" capability=34  scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=capability2 permissive=1
[?25l[?1c7[1G[[32m ok [39;49m8[?25h[?0c.
Starting mcstransd: 
[....] Starting periodic command scheduler: cron[?25l[?1c7[1G[[32m ok [39;49m8[?25h[?0c.
[....] Starting file context maintaining daemon: restorecond[?25l[?1c7[1G[[32m ok [39;49m8[?25h[?0c.
[....] Starting OpenBSD Secure Shell server: sshd[?25l[?1c7[1G[[32m ok [39;49m8[?25h[?0c.

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [   19.737307] audit: type=1400 audit(1515874835.307:6): avc:  denied  { map } for  pid=3643 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
Warning: Permanently added '10.128.15.234' (ECDSA) to the list of known hosts.
executing program
[   29.127953] audit: type=1400 audit(1515874844.697:7): avc:  denied  { map } for  pid=3658 comm="syzkaller832707" path="/root/syzkaller832707419" dev="sda1" ino=16481 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
[   29.134389] ==================================================================
[   29.134405] BUG: KASAN: use-after-free in __lock_acquire+0x3d4d/0x3e00
[   29.134410] Read of size 8 at addr ffff8801bce42d70 by task syzkaller832707/3658
[   29.134411] 
[   29.134417] CPU: 1 PID: 3658 Comm: syzkaller832707 Not tainted 4.15.0-rc7+ #170
[   29.134420] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   29.134421] Call Trace:
[   29.134431]  dump_stack+0x194/0x257
[   29.134437]  ? arch_local_irq_restore+0x53/0x53
[   29.134443]  ? show_regs_print_info+0x18/0x18
[   29.134446]  ? print_irqtrace_events+0x270/0x270
[   29.134450]  ? __lock_acquire+0x664/0x3e00
[   29.134454]  ? __lock_acquire+0x3d4d/0x3e00
[   29.134461]  print_address_description+0x73/0x250
[   29.134465]  ? __lock_acquire+0x3d4d/0x3e00
[   29.134469]  kasan_report+0x25b/0x340
[   29.134474]  __asan_report_load8_noabort+0x14/0x20
[   29.134477]  __lock_acquire+0x3d4d/0x3e00
[   29.134481]  ? __lock_acquire+0x664/0x3e00
[   29.134484]  ? lock_downgrade+0x980/0x980
[   29.134488]  ? lock_downgrade+0x980/0x980
[   29.134492]  ? print_irqtrace_events+0x270/0x270
[   29.134498]  ? remove_wait_queue+0x81/0x350
[   29.134504]  ? debug_check_no_locks_freed+0x3c0/0x3c0
[   29.134508]  ? __lock_acquire+0x664/0x3e00
[   29.134511]  ? check_noncircular+0x20/0x20
[   29.134518]  ? debug_check_no_locks_freed+0x3c0/0x3c0
[   29.134523]  ? lock_acquire+0x1d5/0x580
[   29.134526]  ? lock_acquire+0x1d5/0x580
[   29.134531]  ? ep_free+0xf4/0x320
[   29.134536]  ? lock_release+0xa40/0xa40
[   29.134541]  ? trace_event_raw_event_sched_switch+0x800/0x800
[   29.134544]  ? print_irqtrace_events+0x270/0x270
[   29.134548]  ? print_irqtrace_events+0x270/0x270
[   29.134555]  ? rcu_note_context_switch+0x710/0x710
[   29.134559]  ? __might_sleep+0x95/0x190
[   29.134563]  ? ep_free+0xf4/0x320
[   29.134568]  ? __mutex_lock+0x16f/0x1a80
[   29.134571]  ? ep_free+0xf4/0x320
[   29.134575]  ? print_irqtrace_events+0x270/0x270
[   29.134578]  ? ep_free+0xf4/0x320
[   29.134583]  lock_acquire+0x1d5/0x580
[   29.134586]  ? lock_acquire+0x1d5/0x580
[   29.134590]  ? remove_wait_queue+0x81/0x350
[   29.134595]  ? lock_release+0xa40/0xa40
[   29.134600]  ? lock_acquire+0x1d5/0x580
[   29.134604]  ? debug_check_no_locks_freed+0x3c0/0x3c0
[   29.134607]  ? lock_acquire+0x1d5/0x580
[   29.134610]  ? ep_unregister_pollwait.isra.7+0x323/0x590
[   29.134617]  _raw_spin_lock_irqsave+0x96/0xc0
[   29.134621]  ? remove_wait_queue+0x81/0x350
[   29.134625]  remove_wait_queue+0x81/0x350
[   29.134630]  ? depot_save_stack+0x3b5/0x490
[   29.134634]  ? add_wait_queue+0x290/0x290
[   29.134638]  ? rcutorture_record_progress+0x10/0x10
[   29.134641]  ? lock_release+0xa40/0xa40
[   29.134647]  ep_unregister_pollwait.isra.7+0x18c/0x590
[   29.134652]  ? __kernel_text_address+0xd/0x40
[   29.134657]  ? clear_tfile_check_list+0x370/0x370
[   29.134661]  ? check_noncircular+0x20/0x20
[   29.134667]  ? locks_remove_file+0x3fa/0x5a0
[   29.134672]  ep_free+0x13f/0x320
[   29.134676]  ? ep_remove+0x800/0x800
[   29.134679]  ? fsnotify_first_mark+0x2b0/0x2b0
[   29.134684]  ? ep_free+0x320/0x320
[   29.134688]  ep_eventpoll_release+0x44/0x60
[   29.134693]  __fput+0x327/0x7e0
[   29.134698]  ? fput+0x140/0x140
[   29.134702]  ? _raw_spin_unlock_irq+0x27/0x70
[   29.134707]  ____fput+0x15/0x20
[   29.134711]  task_work_run+0x199/0x270
[   29.134716]  ? task_work_cancel+0x210/0x210
[   29.134720]  ? _raw_spin_unlock+0x22/0x30
[   29.134723]  ? switch_task_namespaces+0x87/0xc0
[   29.134730]  do_exit+0x9bb/0x1ad0
[   29.134736]  ? __handle_mm_fault+0x2330/0x3ce0
[   29.134741]  ? mm_update_next_owner+0x930/0x930
[   29.134747]  ? do_raw_spin_trylock+0x190/0x190
[   29.134751]  ? trace_event_raw_event_sched_switch+0x800/0x800
[   29.134754]  ? check_noncircular+0x20/0x20
[   29.134759]  ? _raw_spin_unlock+0x22/0x30
[   29.134762]  ? __handle_mm_fault+0x80e/0x3ce0
[   29.134767]  ? check_noncircular+0x20/0x20
[   29.134770]  ? __pmd_alloc+0x4e0/0x4e0
[   29.134773]  ? lock_downgrade+0x980/0x980
[   29.134778]  ? find_held_lock+0x35/0x1d0
[   29.134783]  ? handle_mm_fault+0x248/0x8d0
[   29.134787]  ? find_held_lock+0x35/0x1d0
[   29.134794]  ? __do_page_fault+0x5f7/0xc90
[   29.134798]  ? lock_downgrade+0x980/0x980
[   29.134803]  ? handle_mm_fault+0x410/0x8d0
[   29.134806]  ? down_read_trylock+0xdb/0x170
[   29.134810]  ? __do_page_fault+0x32d/0xc90
[   29.134813]  ? __handle_mm_fault+0x3ce0/0x3ce0
[   29.134818]  ? vmacache_find+0x5f/0x280
[   29.134823]  do_group_exit+0x149/0x400
[   29.134827]  ? __do_page_fault+0x3d6/0xc90
[   29.134830]  ? SyS_exit+0x30/0x30
[   29.134837]  ? do_fast_syscall_32+0x156/0xf9d
[   29.134840]  ? do_group_exit+0x400/0x400
[   29.134844]  SyS_exit_group+0x1d/0x20
[   29.134848]  do_fast_syscall_32+0x3ee/0xf9d
[   29.134853]  ? do_int80_syscall_32+0x9d0/0x9d0
[   29.134857]  ? kasan_check_read+0x11/0x20
[   29.134861]  ? syscall_return_slowpath+0x550/0x550
[   29.134866]  ? SyS_rt_sigaction+0x94/0x1b0
[   29.134870]  ? SyS_sigprocmask+0x4b0/0x4b0
[   29.134873]  ? SyS_read+0x184/0x220
[   29.134876]  ? retint_user+0x18/0x18
[   29.134881]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   29.134886]  entry_SYSENTER_compat+0x54/0x63
[   29.134890] RIP: 0023:0xf7f71c79
[   29.134892] RSP: 002b:00000000ffbb823c EFLAGS: 00000292 ORIG_RAX: 00000000000000fc
[   29.134897] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00000000080f0298
[   29.134899] RDX: 0000000000000000 RSI: 00000000080d9ad8 RDI: 00000000080f02a0
[   29.134901] RBP: 0000000000000001 R08: 0000000000000000 R09: 0000000000000000
[   29.134902] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
[   29.134904] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[   29.134909] 
[   29.134911] Allocated by task 3658:
[   29.134915]  save_stack+0x43/0xd0
[   29.134918]  kasan_kmalloc+0xad/0xe0
[   29.134922]  kmem_cache_alloc_trace+0x136/0x750
[   29.134928]  binder_get_thread+0x1cf/0x870
[   29.134931]  binder_poll+0x8c/0x390
[   29.134934]  ep_item_poll.isra.10+0xec/0x320
[   29.134937]  ep_insert+0x6a3/0x1b10
[   29.134940]  SyS_epoll_ctl+0x12e4/0x1ab0
[   29.134943]  do_fast_syscall_32+0x3ee/0xf9d
[   29.134946]  entry_SYSENTER_compat+0x54/0x63
[   29.134947] 
[   29.134948] Freed by task 3658:
[   29.134951]  save_stack+0x43/0xd0
[   29.134954]  kasan_slab_free+0x71/0xc0
[   29.134956]  kfree+0xd6/0x260
[   29.134960]  binder_thread_dec_tmpref+0x27f/0x310
[   29.134963]  binder_thread_release+0x27d/0x540
[   29.134966]  binder_ioctl+0xc02/0x1417
[   29.134969]  compat_SyS_ioctl+0x151/0x2a30
[   29.134972]  do_fast_syscall_32+0x3ee/0xf9d
[   29.134975]  entry_SYSENTER_compat+0x54/0x63
[   29.134976] 
[   29.134979] The buggy address belongs to the object at ffff8801bce42cc0
[   29.134979]  which belongs to the cache kmalloc-512 of size 512
[   29.134982] The buggy address is located 176 bytes inside of
[   29.134982]  512-byte region [ffff8801bce42cc0, ffff8801bce42ec0)
[   29.134982] The buggy address belongs to the page:
[   29.134986] page:ffffea0006f39080 count:1 mapcount:0 mapping:ffff8801bce42040 index:0x0
[   29.134990] flags: 0x2fffc0000000100(slab)
[   29.134996] raw: 02fffc0000000100 ffff8801bce42040 0000000000000000 0000000100000006
[   29.135000] raw: ffffea0006f04e60 ffff8801dac01748 ffff8801dac00940 0000000000000000
[   29.135006] page dumped because: kasan: bad access detected
[   29.135007] 
[   29.135008] Memory state around the buggy address:
[   29.135011]  ffff8801bce42c00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   29.135013]  ffff8801bce42c80: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
[   29.135016] >ffff8801bce42d00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   29.135018]                                                              ^
[   29.135020]  ffff8801bce42d80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   29.135023]  ffff8801bce42e00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   29.135024] ==================================================================
[   29.135025] Disabling lock debugging due to kernel taint
[   29.135027] Kernel panic - not syncing: panic_on_warn set ...
[   29.135027] 
[   29.135031] CPU: 1 PID: 3658 Comm: syzkaller832707 Tainted: G    B            4.15.0-rc7+ #170
[   29.135033] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   29.135034] Call Trace:
[   29.135038]  dump_stack+0x194/0x257
[   29.135043]  ? arch_local_irq_restore+0x53/0x53
[   29.135046]  ? kasan_end_report+0x32/0x50
[   29.135050]  ? lock_downgrade+0x980/0x980
[   29.135056]  ? vsnprintf+0x1ed/0x1900
[   29.135059]  ? __lock_acquire+0x3cb0/0x3e00
[   29.135063]  panic+0x1e4/0x41c
[   29.135066]  ? refcount_error_report+0x214/0x214
[   29.135070]  ? add_taint+0x40/0x50
[   29.135073]  ? add_taint+0x1c/0x50
[   29.135077]  ? __lock_acquire+0x3d4d/0x3e00
[   29.135081]  kasan_end_report+0x50/0x50
[   29.135084]  kasan_report+0x144/0x340
[   29.135089]  __asan_report_load8_noabort+0x14/0x20
[   29.135097]  __lock_acquire+0x3d4d/0x3e00
[   29.135100]  ? __lock_acquire+0x664/0x3e00
[   29.135104]  ? lock_downgrade+0x980/0x980
[   29.135107]  ? lock_downgrade+0x980/0x980
[   29.135111]  ? print_irqtrace_events+0x270/0x270
[   29.135114]  ? remove_wait_queue+0x81/0x350
[   29.135120]  ? debug_check_no_locks_freed+0x3c0/0x3c0
[   29.135125]  ? __lock_acquire+0x664/0x3e00
[   29.135128]  ? check_noncircular+0x20/0x20
[   29.135135]  ? debug_check_no_locks_freed+0x3c0/0x3c0
[   29.135139]  ? lock_acquire+0x1d5/0x580
[   29.135142]  ? lock_acquire+0x1d5/0x580
[   29.135146]  ? ep_free+0xf4/0x320
[   29.135150]  ? lock_release+0xa40/0xa40
[   29.135154]  ? trace_event_raw_event_sched_switch+0x800/0x800
[   29.135158]  ? print_irqtrace_events+0x270/0x270
[   29.135161]  ? print_irqtrace_events+0x270/0x270
[   29.135165]  ? rcu_note_context_switch+0x710/0x710
[   29.135169]  ? __might_sleep+0x95/0x190
[   29.135172]  ? ep_free+0xf4/0x320
[   29.135176]  ? __mutex_lock+0x16f/0x1a80
[   29.135179]  ? ep_free+0xf4/0x320
[   29.135183]  ? print_irqtrace_events+0x270/0x270
[   29.135186]  ? ep_free+0xf4/0x320
[   29.135191]  lock_acquire+0x1d5/0x580
[   29.135194]  ? lock_acquire+0x1d5/0x580
[   29.135197]  ? remove_wait_queue+0x81/0x350
[   29.135202]  ? lock_release+0xa40/0xa40
[   29.135207]  ? lock_acquire+0x1d5/0x580
[   29.135211]  ? debug_check_no_locks_freed+0x3c0/0x3c0
[   29.135214]  ? lock_acquire+0x1d5/0x580
[   29.135218]  ? ep_unregister_pollwait.isra.7+0x323/0x590
[   29.135222]  _raw_spin_lock_irqsave+0x96/0xc0
[   29.135226]  ? remove_wait_queue+0x81/0x350
[   29.135229]  remove_wait_queue+0x81/0x350
[   29.135233]  ? depot_save_stack+0x3b5/0x490
[   29.135237]  ? add_wait_queue+0x290/0x290
[   29.135241]  ? rcutorture_record_progress+0x10/0x10
[   29.135244]  ? lock_release+0xa40/0xa40
[   29.135249]  ep_unregister_pollwait.isra.7+0x18c/0x590
[   29.135253]  ? __kernel_text_address+0xd/0x40
[   29.135258]  ? clear_tfile_check_list+0x370/0x370
[   29.135262]  ? check_noncircular+0x20/0x20
[   29.135267]  ? locks_remove_file+0x3fa/0x5a0
[   29.135272]  ep_free+0x13f/0x320
[   29.135276]  ? ep_remove+0x800/0x800
[   29.135279]  ? fsnotify_first_mark+0x2b0/0x2b0
[   29.135284]  ? ep_free+0x320/0x320
[   29.135287]  ep_eventpoll_release+0x44/0x60
[   29.135291]  __fput+0x327/0x7e0
[   29.135296]  ? fput+0x140/0x140
[   29.135300]  ? _raw_spin_unlock_irq+0x27/0x70
[   29.135305]  ____fput+0x15/0x20
[   29.135309]  task_work_run+0x199/0x270
[   29.135313]  ? task_work_cancel+0x210/0x210
[   29.135317]  ? _raw_spin_unlock+0x22/0x30
[   29.135321]  ? switch_task_namespaces+0x87/0xc0
[   29.135325]  do_exit+0x9bb/0x1ad0
[   29.135329]  ? __handle_mm_fault+0x2330/0x3ce0
[   29.135333]  ? mm_update_next_owner+0x930/0x930
[   29.135338]  ? do_raw_spin_trylock+0x190/0x190
[   29.135343]  ? trace_event_raw_event_sched_switch+0x800/0x800
[   29.135346]  ? check_noncircular+0x20/0x20
[   29.135350]  ? _raw_spin_unlock+0x22/0x30
[   29.135354]  ? __handle_mm_fault+0x80e/0x3ce0
[   29.135358]  ? check_noncircular+0x20/0x20
[   29.135361]  ? __pmd_alloc+0x4e0/0x4e0
[   29.135364]  ? lock_downgrade+0x980/0x980
[   29.135369]  ? find_held_lock+0x35/0x1d0
[   29.135374]  ? handle_mm_fault+0x248/0x8d0
[   29.135378]  ? find_held_lock+0x35/0x1d0
[   29.135383]  ? __do_page_fault+0x5f7/0xc90
[   29.135387]  ? lock_downgrade+0x980/0x980
[   29.135392]  ? handle_mm_fault+0x410/0x8d0
[   29.135395]  ? down_read_trylock+0xdb/0x170
[   29.135398]  ? __do_page_fault+0x32d/0xc90
[   29.135402]  ? __handle_mm_fault+0x3ce0/0x3ce0
[   29.135406]  ? vmacache_find+0x5f/0x280
[   29.135411]  do_group_exit+0x149/0x400
[   29.135415]  ? __do_page_fault+0x3d6/0xc90
[   29.135418]  ? SyS_exit+0x30/0x30
[   29.135423]  ? do_fast_syscall_32+0x156/0xf9d
[   29.135426]  ? do_group_exit+0x400/0x400
[   29.135430]  SyS_exit_group+0x1d/0x20
[   29.135434]  do_fast_syscall_32+0x3ee/0xf9d
[   29.135439]  ? do_int80_syscall_32+0x9d0/0x9d0
[   29.135442]  ? kasan_check_read+0x11/0x20
[   29.135446]  ? syscall_return_slowpath+0x550/0x550
[   29.135450]  ? SyS_rt_sigaction+0x94/0x1b0
[   29.135454]  ? SyS_sigprocmask+0x4b0/0x4b0
[   29.135457]  ? SyS_read+0x184/0x220
[   29.135460]  ? retint_user+0x18/0x18
[   29.135465]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   29.135470]  entry_SYSENTER_compat+0x54/0x63
[   29.135472] RIP: 0023:0xf7f71c79
[   29.135474] RSP: 002b:00000000ffbb823c EFLAGS: 00000292 ORIG_RAX: 00000000000000fc
[   29.135477] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00000000080f0298
[   29.135479] RDX: 0000000000000000 RSI: 00000000080d9ad8 RDI: 00000000080f02a0
[   29.135481] RBP: 0000000000000001 R08: 0000000000000000 R09: 0000000000000000
[   29.135483] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
[   29.135485] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[   29.154223] Dumping ftrace buffer:
[   29.154227]    (ftrace buffer empty)
[   29.154229] Kernel Offset: disabled
[   30.440676] Rebooting in 86400 seconds..