[....] Starting enhanced syslogd: rsyslogd[   12.661499] audit: type=1400 audit(1516233267.730:5): avc:  denied  { syslog } for  pid=3493 comm="rsyslogd" capability=34  scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=capability2 permissive=1
[?25l[?1c7[1G[[32m ok [39;49m8[?25h[?0c.
[....] Starting periodic command scheduler: cron[?25l[?1c7[1G[[32m ok [39;49m8[?25h[?0c.
Starting mcstransd: 
[....] Starting file context maintaining daemon: restorecond[?25l[?1c7[1G[[32m ok [39;49m8[?25h[?0c.
[....] Starting OpenBSD Secure Shell server: sshd[?25l[?1c7[1G[[32m ok [39;49m8[?25h[?0c.

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [   18.353203] audit: type=1400 audit(1516233273.421:6): avc:  denied  { map } for  pid=3634 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
Warning: Permanently added '10.128.15.222' (ECDSA) to the list of known hosts.
executing program
[   24.558739] audit: type=1400 audit(1516233279.627:7): avc:  denied  { map } for  pid=3648 comm="syzkaller187859" path="/root/syzkaller187859448" dev="sda1" ino=16481 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
[   24.562140] ==================================================================
[   24.562150] BUG: KASAN: use-after-free in __lock_acquire+0x3d4d/0x3e00
[   24.562154] Read of size 8 at addr ffff8801bc56eab0 by task syzkaller187859/3648
[   24.562154] 
[   24.562159] CPU: 0 PID: 3648 Comm: syzkaller187859 Not tainted 4.15.0-rc8+ #176
[   24.562161] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   24.562163] Call Trace:
[   24.562171]  dump_stack+0x194/0x257
[   24.562176]  ? arch_local_irq_restore+0x53/0x53
[   24.562181]  ? show_regs_print_info+0x18/0x18
[   24.562184]  ? print_irqtrace_events+0x270/0x270
[   24.562188]  ? __lock_acquire+0x664/0x3e00
[   24.562192]  ? __lock_acquire+0x3d4d/0x3e00
[   24.562198]  print_address_description+0x73/0x250
[   24.562202]  ? __lock_acquire+0x3d4d/0x3e00
[   24.562206]  kasan_report+0x25b/0x340
[   24.562210]  __asan_report_load8_noabort+0x14/0x20
[   24.562214]  __lock_acquire+0x3d4d/0x3e00
[   24.562217]  ? __lock_acquire+0x664/0x3e00
[   24.562221]  ? lock_downgrade+0x980/0x980
[   24.562224]  ? lock_downgrade+0x980/0x980
[   24.562227]  ? print_irqtrace_events+0x270/0x270
[   24.562233]  ? remove_wait_queue+0x81/0x350
[   24.562239]  ? debug_check_no_locks_freed+0x3c0/0x3c0
[   24.562242]  ? __lock_acquire+0x664/0x3e00
[   24.562246]  ? check_noncircular+0x20/0x20
[   24.562253]  ? debug_check_no_locks_freed+0x3c0/0x3c0
[   24.562257]  ? lock_acquire+0x1d5/0x580
[   24.562260]  ? lock_acquire+0x1d5/0x580
[   24.562265]  ? ep_free+0xf4/0x320
[   24.562269]  ? lock_release+0xa40/0xa40
[   24.562274]  ? trace_event_raw_event_sched_switch+0x800/0x800
[   24.562278]  ? print_irqtrace_events+0x270/0x270
[   24.562281]  ? print_irqtrace_events+0x270/0x270
[   24.562287]  ? rcu_note_context_switch+0x710/0x710
[   24.562291]  ? __might_sleep+0x95/0x190
[   24.562295]  ? ep_free+0xf4/0x320
[   24.562300]  ? __mutex_lock+0x16f/0x1a80
[   24.562303]  ? ep_free+0xf4/0x320
[   24.562307]  ? print_irqtrace_events+0x270/0x270
[   24.562310]  ? ep_free+0xf4/0x320
[   24.562314]  lock_acquire+0x1d5/0x580
[   24.562318]  ? lock_acquire+0x1d5/0x580
[   24.562321]  ? remove_wait_queue+0x81/0x350
[   24.562326]  ? lock_release+0xa40/0xa40
[   24.562331]  ? lock_acquire+0x1d5/0x580
[   24.562334]  ? debug_check_no_locks_freed+0x3c0/0x3c0
[   24.562337]  ? lock_acquire+0x1d5/0x580
[   24.562341]  ? ep_unregister_pollwait.isra.7+0x323/0x590
[   24.562346]  _raw_spin_lock_irqsave+0x96/0xc0
[   24.562350]  ? remove_wait_queue+0x81/0x350
[   24.562353]  remove_wait_queue+0x81/0x350
[   24.562359]  ? depot_save_stack+0x3b5/0x490
[   24.562363]  ? add_wait_queue+0x290/0x290
[   24.562367]  ? rcutorture_record_progress+0x10/0x10
[   24.562370]  ? lock_release+0xa40/0xa40
[   24.562375]  ep_unregister_pollwait.isra.7+0x18c/0x590
[   24.562381]  ? __kernel_text_address+0xd/0x40
[   24.562386]  ? clear_tfile_check_list+0x370/0x370
[   24.562390]  ? check_noncircular+0x20/0x20
[   24.562396]  ? locks_remove_file+0x3fa/0x5a0
[   24.562402]  ep_free+0x13f/0x320
[   24.562405]  ? ep_remove+0x800/0x800
[   24.562409]  ? fsnotify_first_mark+0x2b0/0x2b0
[   24.562413]  ? ep_free+0x320/0x320
[   24.562417]  ep_eventpoll_release+0x44/0x60
[   24.562423]  __fput+0x327/0x7e0
[   24.562428]  ? fput+0x140/0x140
[   24.562432]  ? _raw_spin_unlock_irq+0x27/0x70
[   24.562437]  ____fput+0x15/0x20
[   24.562441]  task_work_run+0x199/0x270
[   24.562445]  ? task_work_cancel+0x210/0x210
[   24.562449]  ? _raw_spin_unlock+0x22/0x30
[   24.562453]  ? switch_task_namespaces+0x87/0xc0
[   24.562458]  do_exit+0x9bb/0x1ad0
[   24.562463]  ? __handle_mm_fault+0x2330/0x3ce0
[   24.562467]  ? mm_update_next_owner+0x930/0x930
[   24.562473]  ? do_raw_spin_trylock+0x190/0x190
[   24.562477]  ? trace_event_raw_event_sched_switch+0x800/0x800
[   24.562481]  ? check_noncircular+0x20/0x20
[   24.562485]  ? _raw_spin_unlock+0x22/0x30
[   24.562488]  ? __handle_mm_fault+0x80e/0x3ce0
[   24.562493]  ? check_noncircular+0x20/0x20
[   24.562496]  ? __pmd_alloc+0x4e0/0x4e0
[   24.562499]  ? lock_downgrade+0x980/0x980
[   24.562503]  ? find_held_lock+0x35/0x1d0
[   24.562508]  ? handle_mm_fault+0x248/0x8d0
[   24.562512]  ? find_held_lock+0x35/0x1d0
[   24.562519]  ? __do_page_fault+0x5f7/0xc90
[   24.562522]  ? lock_downgrade+0x980/0x980
[   24.562527]  ? handle_mm_fault+0x410/0x8d0
[   24.562530]  ? down_read_trylock+0xdb/0x170
[   24.562534]  ? __do_page_fault+0x32d/0xc90
[   24.562537]  ? __handle_mm_fault+0x3ce0/0x3ce0
[   24.562541]  ? vmacache_find+0x5f/0x280
[   24.562546]  do_group_exit+0x149/0x400
[   24.562550]  ? __do_page_fault+0x3d6/0xc90
[   24.562559]  ? SyS_exit+0x30/0x30
[   24.562566]  ? do_fast_syscall_32+0x156/0xf9d
[   24.562570]  ? do_group_exit+0x400/0x400
[   24.562574]  SyS_exit_group+0x1d/0x20
[   24.562577]  do_fast_syscall_32+0x3ee/0xf9d
[   24.562582]  ? do_int80_syscall_32+0x9d0/0x9d0
[   24.562586]  ? kasan_check_read+0x11/0x20
[   24.562590]  ? syscall_return_slowpath+0x550/0x550
[   24.562596]  ? SyS_rt_sigaction+0x94/0x1b0
[   24.562600]  ? SyS_sigprocmask+0x4b0/0x4b0
[   24.562603]  ? SyS_read+0x184/0x220
[   24.562607]  ? retint_user+0x18/0x18
[   24.562612]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   24.562617]  entry_SYSENTER_compat+0x54/0x63
[   24.562620] RIP: 0023:0xf7f28c79
[   24.562622] RSP: 002b:00000000ffa6c9cc EFLAGS: 00000296 ORIG_RAX: 00000000000000fc
[   24.562627] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00000000080f0298
[   24.562629] RDX: 0000000000000000 RSI: 00000000080d9ab8 RDI: 00000000080f02a0
[   24.562631] RBP: 0000000000000001 R08: 0000000000000000 R09: 0000000000000000
[   24.562633] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
[   24.562635] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[   24.562639] 
[   24.562641] Allocated by task 3648:
[   24.562645]  save_stack+0x43/0xd0
[   24.562648]  kasan_kmalloc+0xad/0xe0
[   24.562651]  kmem_cache_alloc_trace+0x136/0x750
[   24.562656]  binder_get_thread+0x1cf/0x870
[   24.562659]  binder_poll+0x8c/0x390
[   24.562662]  ep_item_poll.isra.10+0xec/0x320
[   24.562665]  ep_insert+0x6a3/0x1b10
[   24.562668]  SyS_epoll_ctl+0x12e4/0x1ab0
[   24.562671]  do_fast_syscall_32+0x3ee/0xf9d
[   24.562674]  entry_SYSENTER_compat+0x54/0x63
[   24.562675] 
[   24.562676] Freed by task 3648:
[   24.562678]  save_stack+0x43/0xd0
[   24.562681]  kasan_slab_free+0x71/0xc0
[   24.562684]  kfree+0xd6/0x260
[   24.562687]  binder_thread_dec_tmpref+0x27f/0x310
[   24.562690]  binder_thread_release+0x27d/0x540
[   24.562694]  binder_ioctl+0xc02/0x1417
[   24.562697]  compat_SyS_ioctl+0x151/0x2a30
[   24.562700]  do_fast_syscall_32+0x3ee/0xf9d
[   24.562702]  entry_SYSENTER_compat+0x54/0x63
[   24.562703] 
[   24.562706] The buggy address belongs to the object at ffff8801bc56ea00
[   24.562706]  which belongs to the cache kmalloc-512 of size 512
[   24.562709] The buggy address is located 176 bytes inside of
[   24.562709]  512-byte region [ffff8801bc56ea00, ffff8801bc56ec00)
[   24.562710] The buggy address belongs to the page:
[   24.562713] page:ffffea0006f15b80 count:1 mapcount:0 mapping:ffff8801bc56e000 index:0x0
[   24.562716] flags: 0x2fffc0000000100(slab)
[   24.562722] raw: 02fffc0000000100 ffff8801bc56e000 0000000000000000 0000000100000006
[   24.562726] raw: ffffea0006f155a0 ffff8801dac01748 ffff8801dac00940 0000000000000000
[   24.562727] page dumped because: kasan: bad access detected
[   24.562729] 
[   24.562730] Memory state around the buggy address:
[   24.562732]  ffff8801bc56e980: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   24.562735]  ffff8801bc56ea00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   24.562737] >ffff8801bc56ea80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   24.562739]                                      ^
[   24.562741]  ffff8801bc56eb00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   24.562744]  ffff8801bc56eb80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   24.562745] ==================================================================
[   24.562746] Disabling lock debugging due to kernel taint
[   24.562748] Kernel panic - not syncing: panic_on_warn set ...
[   24.562748] 
[   24.562752] CPU: 0 PID: 3648 Comm: syzkaller187859 Tainted: G    B            4.15.0-rc8+ #176
[   24.562753] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   24.562754] Call Trace:
[   24.562758]  dump_stack+0x194/0x257
[   24.562763]  ? arch_local_irq_restore+0x53/0x53
[   24.562766]  ? kasan_end_report+0x32/0x50
[   24.562770]  ? lock_downgrade+0x980/0x980
[   24.562774]  ? vsnprintf+0x1ed/0x1900
[   24.562778]  ? __lock_acquire+0x3c50/0x3e00
[   24.562782]  panic+0x1e4/0x41c
[   24.562785]  ? refcount_error_report+0x214/0x214
[   24.562789]  ? add_taint+0x40/0x50
[   24.562792]  ? add_taint+0x1c/0x50
[   24.562796]  ? __lock_acquire+0x3d4d/0x3e00
[   24.562800]  kasan_end_report+0x50/0x50
[   24.562803]  kasan_report+0x144/0x340
[   24.562808]  __asan_report_load8_noabort+0x14/0x20
[   24.562811]  __lock_acquire+0x3d4d/0x3e00
[   24.562814]  ? __lock_acquire+0x664/0x3e00
[   24.562818]  ? lock_downgrade+0x980/0x980
[   24.562821]  ? lock_downgrade+0x980/0x980
[   24.562824]  ? print_irqtrace_events+0x270/0x270
[   24.562828]  ? remove_wait_queue+0x81/0x350
[   24.562833]  ? debug_check_no_locks_freed+0x3c0/0x3c0
[   24.562837]  ? __lock_acquire+0x664/0x3e00
[   24.562840]  ? check_noncircular+0x20/0x20
[   24.562846]  ? debug_check_no_locks_freed+0x3c0/0x3c0
[   24.562850]  ? lock_acquire+0x1d5/0x580
[   24.562854]  ? lock_acquire+0x1d5/0x580
[   24.562857]  ? ep_free+0xf4/0x320
[   24.562861]  ? lock_release+0xa40/0xa40
[   24.562865]  ? trace_event_raw_event_sched_switch+0x800/0x800
[   24.562868]  ? print_irqtrace_events+0x270/0x270
[   24.562871]  ? print_irqtrace_events+0x270/0x270
[   24.562875]  ? rcu_note_context_switch+0x710/0x710
[   24.562879]  ? __might_sleep+0x95/0x190
[   24.562883]  ? ep_free+0xf4/0x320
[   24.562886]  ? __mutex_lock+0x16f/0x1a80
[   24.562889]  ? ep_free+0xf4/0x320
[   24.562893]  ? print_irqtrace_events+0x270/0x270
[   24.562896]  ? ep_free+0xf4/0x320
[   24.562900]  lock_acquire+0x1d5/0x580
[   24.562904]  ? lock_acquire+0x1d5/0x580
[   24.562907]  ? remove_wait_queue+0x81/0x350
[   24.562912]  ? lock_release+0xa40/0xa40
[   24.562917]  ? lock_acquire+0x1d5/0x580
[   24.562920]  ? debug_check_no_locks_freed+0x3c0/0x3c0
[   24.562923]  ? lock_acquire+0x1d5/0x580
[   24.562927]  ? ep_unregister_pollwait.isra.7+0x323/0x590
[   24.562931]  _raw_spin_lock_irqsave+0x96/0xc0
[   24.562939]  ? remove_wait_queue+0x81/0x350
[   24.562942]  remove_wait_queue+0x81/0x350
[   24.562946]  ? depot_save_stack+0x3b5/0x490
[   24.562950]  ? add_wait_queue+0x290/0x290
[   24.562953]  ? rcutorture_record_progress+0x10/0x10
[   24.562957]  ? lock_release+0xa40/0xa40
[   24.562962]  ep_unregister_pollwait.isra.7+0x18c/0x590
[   24.562966]  ? __kernel_text_address+0xd/0x40
[   24.562970]  ? clear_tfile_check_list+0x370/0x370
[   24.562975]  ? check_noncircular+0x20/0x20
[   24.562979]  ? locks_remove_file+0x3fa/0x5a0
[   24.562985]  ep_free+0x13f/0x320
[   24.562988]  ? ep_remove+0x800/0x800
[   24.562992]  ? fsnotify_first_mark+0x2b0/0x2b0
[   24.562996]  ? ep_free+0x320/0x320
[   24.562999]  ep_eventpoll_release+0x44/0x60
[   24.563006]  __fput+0x327/0x7e0
[   24.563011]  ? fput+0x140/0x140
[   24.563015]  ? _raw_spin_unlock_irq+0x27/0x70
[   24.563020]  ____fput+0x15/0x20
[   24.563024]  task_work_run+0x199/0x270
[   24.563028]  ? task_work_cancel+0x210/0x210
[   24.563032]  ? _raw_spin_unlock+0x22/0x30
[   24.563036]  ? switch_task_namespaces+0x87/0xc0
[   24.563040]  do_exit+0x9bb/0x1ad0
[   24.563043]  ? __handle_mm_fault+0x2330/0x3ce0
[   24.563048]  ? mm_update_next_owner+0x930/0x930
[   24.563053]  ? do_raw_spin_trylock+0x190/0x190
[   24.563057]  ? trace_event_raw_event_sched_switch+0x800/0x800
[   24.563061]  ? check_noncircular+0x20/0x20
[   24.563065]  ? _raw_spin_unlock+0x22/0x30
[   24.563068]  ? __handle_mm_fault+0x80e/0x3ce0
[   24.563073]  ? check_noncircular+0x20/0x20
[   24.563076]  ? __pmd_alloc+0x4e0/0x4e0
[   24.563079]  ? lock_downgrade+0x980/0x980
[   24.563083]  ? find_held_lock+0x35/0x1d0
[   24.563088]  ? handle_mm_fault+0x248/0x8d0
[   24.563092]  ? find_held_lock+0x35/0x1d0
[   24.563097]  ? __do_page_fault+0x5f7/0xc90
[   24.563101]  ? lock_downgrade+0x980/0x980
[   24.563106]  ? handle_mm_fault+0x410/0x8d0
[   24.563109]  ? down_read_trylock+0xdb/0x170
[   24.563112]  ? __do_page_fault+0x32d/0xc90
[   24.563115]  ? __handle_mm_fault+0x3ce0/0x3ce0
[   24.563119]  ? vmacache_find+0x5f/0x280
[   24.563124]  do_group_exit+0x149/0x400
[   24.563127]  ? __do_page_fault+0x3d6/0xc90
[   24.563131]  ? SyS_exit+0x30/0x30
[   24.563135]  ? do_fast_syscall_32+0x156/0xf9d
[   24.563139]  ? do_group_exit+0x400/0x400
[   24.563142]  SyS_exit_group+0x1d/0x20
[   24.563146]  do_fast_syscall_32+0x3ee/0xf9d
[   24.563151]  ? do_int80_syscall_32+0x9d0/0x9d0
[   24.563154]  ? kasan_check_read+0x11/0x20
[   24.563158]  ? syscall_return_slowpath+0x550/0x550
[   24.563162]  ? SyS_rt_sigaction+0x94/0x1b0
[   24.563166]  ? SyS_sigprocmask+0x4b0/0x4b0
[   24.563169]  ? SyS_read+0x184/0x220
[   24.563172]  ? retint_user+0x18/0x18
[   24.563177]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   24.563181]  entry_SYSENTER_compat+0x54/0x63
[   24.563184] RIP: 0023:0xf7f28c79
[   24.563185] RSP: 002b:00000000ffa6c9cc EFLAGS: 00000296 ORIG_RAX: 00000000000000fc
[   24.563189] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00000000080f0298
[   24.563191] RDX: 0000000000000000 RSI: 00000000080d9ab8 RDI: 00000000080f02a0
[   24.563193] RBP: 0000000000000001 R08: 0000000000000000 R09: 0000000000000000
[   24.563195] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
[   24.563196] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[   24.584992] Dumping ftrace buffer:
[   24.584995]    (ftrace buffer empty)
[   24.584997] Kernel Offset: disabled
[   25.865589] Rebooting in 86400 seconds..