[....] Starting enhanced syslogd: rsyslogd[   12.863394] audit: type=1400 audit(1515576105.163:5): avc:  denied  { syslog } for  pid=3353 comm="rsyslogd" capability=34  scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=capability2 permissive=1
[?25l[?1c7[1G[[32m ok [39;49m8[?25h[?0c.
[....] Starting periodic command scheduler: cron[?25l[?1c7[1G[[32m ok [39;49m8[?25h[?0c.
[....] Starting file context maintaining daemon: restorecond[?25l[?1c7[1G[[32m ok [39;49m8[?25h[?0c.
Starting mcstransd: 
[....] Starting OpenBSD Secure Shell server: sshd[?25l[?1c7[1G[[32m ok [39;49m8[?25h[?0c.

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [   19.260668] audit: type=1400 audit(1515576111.560:6): avc:  denied  { map } for  pid=3493 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
Warning: Permanently added '10.128.0.19' (ECDSA) to the list of known hosts.
executing program
[   30.457145] audit: type=1400 audit(1515576122.756:7): avc:  denied  { map } for  pid=3509 comm="syzkaller295013" path="/root/syzkaller295013825" dev="sda1" ino=16481 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
[   30.460725] ==================================================================
[   30.460737] BUG: KASAN: use-after-free in __lock_acquire+0x3d4d/0x3e00
[   30.460740] Read of size 8 at addr ffff8801cdcc3330 by task syzkaller295013/3509
[   30.460741] 
[   30.460746] CPU: 0 PID: 3509 Comm: syzkaller295013 Not tainted 4.15.0-rc7+ #166
[   30.460748] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   30.460750] Call Trace:
[   30.460757]  dump_stack+0x194/0x257
[   30.460762]  ? arch_local_irq_restore+0x53/0x53
[   30.460767]  ? show_regs_print_info+0x18/0x18
[   30.460771]  ? print_irqtrace_events+0x270/0x270
[   30.460776]  ? __lock_acquire+0x664/0x3e00
[   30.460781]  ? __lock_acquire+0x3d4d/0x3e00
[   30.460789]  print_address_description+0x73/0x250
[   30.460794]  ? __lock_acquire+0x3d4d/0x3e00
[   30.460799]  kasan_report+0x25b/0x340
[   30.460804]  __asan_report_load8_noabort+0x14/0x20
[   30.460808]  __lock_acquire+0x3d4d/0x3e00
[   30.460811]  ? __lock_acquire+0x664/0x3e00
[   30.460815]  ? lock_downgrade+0x980/0x980
[   30.460818]  ? lock_downgrade+0x980/0x980
[   30.460822]  ? print_irqtrace_events+0x270/0x270
[   30.460828]  ? remove_wait_queue+0x81/0x350
[   30.460833]  ? debug_check_no_locks_freed+0x3c0/0x3c0
[   30.460837]  ? __lock_acquire+0x664/0x3e00
[   30.460840]  ? check_noncircular+0x20/0x20
[   30.460847]  ? debug_check_no_locks_freed+0x3c0/0x3c0
[   30.460852]  ? lock_acquire+0x1d5/0x580
[   30.460855]  ? lock_acquire+0x1d5/0x580
[   30.460860]  ? ep_free+0xf4/0x320
[   30.460864]  ? lock_release+0xa40/0xa40
[   30.460869]  ? trace_event_raw_event_sched_switch+0x800/0x800
[   30.460872]  ? print_irqtrace_events+0x270/0x270
[   30.460876]  ? print_irqtrace_events+0x270/0x270
[   30.460882]  ? rcu_note_context_switch+0x710/0x710
[   30.460887]  ? __might_sleep+0x95/0x190
[   30.460890]  ? ep_free+0xf4/0x320
[   30.460895]  ? __mutex_lock+0x16f/0x1a80
[   30.460898]  ? ep_free+0xf4/0x320
[   30.460902]  ? print_irqtrace_events+0x270/0x270
[   30.460905]  ? ep_free+0xf4/0x320
[   30.460910]  lock_acquire+0x1d5/0x580
[   30.460913]  ? lock_acquire+0x1d5/0x580
[   30.460916]  ? remove_wait_queue+0x81/0x350
[   30.460921]  ? lock_release+0xa40/0xa40
[   30.460926]  ? lock_acquire+0x1d5/0x580
[   30.460930]  ? debug_check_no_locks_freed+0x3c0/0x3c0
[   30.460933]  ? lock_acquire+0x1d5/0x580
[   30.460937]  ? ep_unregister_pollwait.isra.7+0x323/0x590
[   30.460942]  _raw_spin_lock_irqsave+0x96/0xc0
[   30.460946]  ? remove_wait_queue+0x81/0x350
[   30.460950]  remove_wait_queue+0x81/0x350
[   30.460955]  ? depot_save_stack+0x3b5/0x490
[   30.460959]  ? add_wait_queue+0x290/0x290
[   30.460963]  ? rcutorture_record_progress+0x10/0x10
[   30.460966]  ? lock_release+0xa40/0xa40
[   30.460972]  ep_unregister_pollwait.isra.7+0x18c/0x590
[   30.460978]  ? __kernel_text_address+0xd/0x40
[   30.460983]  ? clear_tfile_check_list+0x370/0x370
[   30.460987]  ? check_noncircular+0x20/0x20
[   30.460993]  ? locks_remove_file+0x3fa/0x5a0
[   30.460999]  ep_free+0x13f/0x320
[   30.461007]  ? ep_remove+0x800/0x800
[   30.461015]  ? fsnotify_first_mark+0x2b0/0x2b0
[   30.461020]  ? ep_free+0x320/0x320
[   30.461024]  ep_eventpoll_release+0x44/0x60
[   30.461029]  __fput+0x327/0x7e0
[   30.461034]  ? fput+0x140/0x140
[   30.461038]  ? _raw_spin_unlock_irq+0x27/0x70
[   30.461043]  ____fput+0x15/0x20
[   30.461047]  task_work_run+0x199/0x270
[   30.461052]  ? task_work_cancel+0x210/0x210
[   30.461056]  ? _raw_spin_unlock+0x22/0x30
[   30.461060]  ? switch_task_namespaces+0x87/0xc0
[   30.461067]  do_exit+0x9bb/0x1ad0
[   30.461072]  ? __handle_mm_fault+0x2330/0x3ce0
[   30.461077]  ? mm_update_next_owner+0x930/0x930
[   30.461083]  ? do_raw_spin_trylock+0x190/0x190
[   30.461088]  ? trace_event_raw_event_sched_switch+0x800/0x800
[   30.461091]  ? check_noncircular+0x20/0x20
[   30.461096]  ? _raw_spin_unlock+0x22/0x30
[   30.461099]  ? __handle_mm_fault+0x80e/0x3ce0
[   30.461104]  ? check_noncircular+0x20/0x20
[   30.461106]  ? __pmd_alloc+0x4e0/0x4e0
[   30.461110]  ? lock_downgrade+0x980/0x980
[   30.461114]  ? find_held_lock+0x35/0x1d0
[   30.461119]  ? handle_mm_fault+0x248/0x8d0
[   30.461123]  ? find_held_lock+0x35/0x1d0
[   30.461130]  ? __do_page_fault+0x5f7/0xc90
[   30.461134]  ? lock_downgrade+0x980/0x980
[   30.461139]  ? handle_mm_fault+0x410/0x8d0
[   30.461142]  ? down_read_trylock+0xdb/0x170
[   30.461146]  ? __do_page_fault+0x32d/0xc90
[   30.461149]  ? __handle_mm_fault+0x3ce0/0x3ce0
[   30.461154]  ? vmacache_find+0x5f/0x280
[   30.461159]  do_group_exit+0x149/0x400
[   30.461163]  ? __do_page_fault+0x3d6/0xc90
[   30.461166]  ? SyS_exit+0x30/0x30
[   30.461172]  ? do_fast_syscall_32+0x156/0xf9d
[   30.461176]  ? do_group_exit+0x400/0x400
[   30.461179]  SyS_exit_group+0x1d/0x20
[   30.461183]  do_fast_syscall_32+0x3ee/0xf9d
[   30.461188]  ? do_int80_syscall_32+0x9d0/0x9d0
[   30.461192]  ? kasan_check_read+0x11/0x20
[   30.461196]  ? syscall_return_slowpath+0x550/0x550
[   30.461201]  ? SyS_rt_sigaction+0x94/0x1b0
[   30.461205]  ? SyS_sigprocmask+0x4b0/0x4b0
[   30.461208]  ? SyS_read+0x184/0x220
[   30.461212]  ? retint_user+0x18/0x18
[   30.461217]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   30.461222]  entry_SYSENTER_compat+0x54/0x63
[   30.461226] RIP: 0023:0xf7fcec79
[   30.461228] RSP: 002b:00000000ffa6ca2c EFLAGS: 00000296 ORIG_RAX: 00000000000000fc
[   30.461232] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00000000080f0298
[   30.461234] RDX: 0000000000000000 RSI: 00000000080d9ad8 RDI: 00000000080f02a0
[   30.461236] RBP: 0000000000000001 R08: 0000000000000000 R09: 0000000000000000
[   30.461237] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
[   30.461239] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[   30.461244] 
[   30.461246] Allocated by task 3509:
[   30.461250]  save_stack+0x43/0xd0
[   30.461252]  kasan_kmalloc+0xad/0xe0
[   30.461255]  kmem_cache_alloc_trace+0x136/0x750
[   30.461259]  binder_get_thread+0x1cf/0x870
[   30.461262]  binder_poll+0x8c/0x390
[   30.461265]  ep_item_poll.isra.10+0xec/0x320
[   30.461268]  ep_insert+0x6a3/0x1b10
[   30.461271]  SyS_epoll_ctl+0x12e4/0x1ab0
[   30.461274]  do_fast_syscall_32+0x3ee/0xf9d
[   30.461277]  entry_SYSENTER_compat+0x54/0x63
[   30.461277] 
[   30.461279] Freed by task 3509:
[   30.461281]  save_stack+0x43/0xd0
[   30.461284]  kasan_slab_free+0x71/0xc0
[   30.461286]  kfree+0xd6/0x260
[   30.461289]  binder_thread_dec_tmpref+0x27f/0x310
[   30.461292]  binder_thread_release+0x27d/0x540
[   30.461295]  binder_ioctl+0xc02/0x1417
[   30.461298]  compat_SyS_ioctl+0x151/0x2a30
[   30.461301]  do_fast_syscall_32+0x3ee/0xf9d
[   30.461303]  entry_SYSENTER_compat+0x54/0x63
[   30.461304] 
[   30.461307] The buggy address belongs to the object at ffff8801cdcc3280
[   30.461307]  which belongs to the cache kmalloc-512 of size 512
[   30.461310] The buggy address is located 176 bytes inside of
[   30.461310]  512-byte region [ffff8801cdcc3280, ffff8801cdcc3480)
[   30.461311] The buggy address belongs to the page:
[   30.461314] page:ffffea00073730c0 count:1 mapcount:0 mapping:ffff8801cdcc3000 index:0x0
[   30.461317] flags: 0x2fffc0000000100(slab)
[   30.461323] raw: 02fffc0000000100 ffff8801cdcc3000 0000000000000000 0000000100000006
[   30.461327] raw: ffffea00071c1be0 ffff8801dac01748 ffff8801dac00940 0000000000000000
[   30.461329] page dumped because: kasan: bad access detected
[   30.461329] 
[   30.461330] Memory state around the buggy address:
[   30.461333]  ffff8801cdcc3200: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   30.461336]  ffff8801cdcc3280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   30.461338] >ffff8801cdcc3300: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   30.461339]                                      ^
[   30.461342]  ffff8801cdcc3380: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   30.461344]  ffff8801cdcc3400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   30.461345] ==================================================================
[   30.461347] Disabling lock debugging due to kernel taint
[   30.461349] Kernel panic - not syncing: panic_on_warn set ...
[   30.461349] 
[   30.461353] CPU: 0 PID: 3509 Comm: syzkaller295013 Tainted: G    B            4.15.0-rc7+ #166
[   30.461355] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   30.461356] Call Trace:
[   30.461360]  dump_stack+0x194/0x257
[   30.461364]  ? arch_local_irq_restore+0x53/0x53
[   30.461367]  ? kasan_end_report+0x32/0x50
[   30.461371]  ? lock_downgrade+0x980/0x980
[   30.461375]  ? vsnprintf+0x1ed/0x1900
[   30.461379]  ? __lock_acquire+0x3cb0/0x3e00
[   30.461382]  panic+0x1e4/0x41c
[   30.461386]  ? refcount_error_report+0x214/0x214
[   30.461390]  ? add_taint+0x40/0x50
[   30.461393]  ? add_taint+0x1c/0x50
[   30.461397]  ? __lock_acquire+0x3d4d/0x3e00
[   30.461401]  kasan_end_report+0x50/0x50
[   30.461404]  kasan_report+0x144/0x340
[   30.461409]  __asan_report_load8_noabort+0x14/0x20
[   30.461412]  __lock_acquire+0x3d4d/0x3e00
[   30.461416]  ? __lock_acquire+0x664/0x3e00
[   30.461419]  ? lock_downgrade+0x980/0x980
[   30.461422]  ? lock_downgrade+0x980/0x980
[   30.461426]  ? print_irqtrace_events+0x270/0x270
[   30.461430]  ? remove_wait_queue+0x81/0x350
[   30.461435]  ? debug_check_no_locks_freed+0x3c0/0x3c0
[   30.461438]  ? __lock_acquire+0x664/0x3e00
[   30.461442]  ? check_noncircular+0x20/0x20
[   30.461448]  ? debug_check_no_locks_freed+0x3c0/0x3c0
[   30.461452]  ? lock_acquire+0x1d5/0x580
[   30.461455]  ? lock_acquire+0x1d5/0x580
[   30.461459]  ? ep_free+0xf4/0x320
[   30.461463]  ? lock_release+0xa40/0xa40
[   30.461467]  ? trace_event_raw_event_sched_switch+0x800/0x800
[   30.461470]  ? print_irqtrace_events+0x270/0x270
[   30.461474]  ? print_irqtrace_events+0x270/0x270
[   30.461478]  ? rcu_note_context_switch+0x710/0x710
[   30.461482]  ? __might_sleep+0x95/0x190
[   30.461485]  ? ep_free+0xf4/0x320
[   30.461488]  ? __mutex_lock+0x16f/0x1a80
[   30.461491]  ? ep_free+0xf4/0x320
[   30.461495]  ? print_irqtrace_events+0x270/0x270
[   30.461498]  ? ep_free+0xf4/0x320
[   30.461503]  lock_acquire+0x1d5/0x580
[   30.461506]  ? lock_acquire+0x1d5/0x580
[   30.461510]  ? remove_wait_queue+0x81/0x350
[   30.461514]  ? lock_release+0xa40/0xa40
[   30.461519]  ? lock_acquire+0x1d5/0x580
[   30.461522]  ? debug_check_no_locks_freed+0x3c0/0x3c0
[   30.461525]  ? lock_acquire+0x1d5/0x580
[   30.461529]  ? ep_unregister_pollwait.isra.7+0x323/0x590
[   30.461534]  _raw_spin_lock_irqsave+0x96/0xc0
[   30.461537]  ? remove_wait_queue+0x81/0x350
[   30.461541]  remove_wait_queue+0x81/0x350
[   30.461544]  ? depot_save_stack+0x3b5/0x490
[   30.461548]  ? add_wait_queue+0x290/0x290
[   30.461552]  ? rcutorture_record_progress+0x10/0x10
[   30.461555]  ? lock_release+0xa40/0xa40
[   30.461560]  ep_unregister_pollwait.isra.7+0x18c/0x590
[   30.461565]  ? __kernel_text_address+0xd/0x40
[   30.461569]  ? clear_tfile_check_list+0x370/0x370
[   30.461573]  ? check_noncircular+0x20/0x20
[   30.461578]  ? locks_remove_file+0x3fa/0x5a0
[   30.461583]  ep_free+0x13f/0x320
[   30.461587]  ? ep_remove+0x800/0x800
[   30.461590]  ? fsnotify_first_mark+0x2b0/0x2b0
[   30.461594]  ? ep_free+0x320/0x320
[   30.461598]  ep_eventpoll_release+0x44/0x60
[   30.461602]  __fput+0x327/0x7e0
[   30.461606]  ? fput+0x140/0x140
[   30.461610]  ? _raw_spin_unlock_irq+0x27/0x70
[   30.461615]  ____fput+0x15/0x20
[   30.461619]  task_work_run+0x199/0x270
[   30.461624]  ? task_work_cancel+0x210/0x210
[   30.461627]  ? _raw_spin_unlock+0x22/0x30
[   30.461631]  ? switch_task_namespaces+0x87/0xc0
[   30.461635]  do_exit+0x9bb/0x1ad0
[   30.461639]  ? __handle_mm_fault+0x2330/0x3ce0
[   30.461643]  ? mm_update_next_owner+0x930/0x930
[   30.461648]  ? do_raw_spin_trylock+0x190/0x190
[   30.461652]  ? trace_event_raw_event_sched_switch+0x800/0x800
[   30.461656]  ? check_noncircular+0x20/0x20
[   30.461660]  ? _raw_spin_unlock+0x22/0x30
[   30.461664]  ? __handle_mm_fault+0x80e/0x3ce0
[   30.461668]  ? check_noncircular+0x20/0x20
[   30.461671]  ? __pmd_alloc+0x4e0/0x4e0
[   30.461674]  ? lock_downgrade+0x980/0x980
[   30.461679]  ? find_held_lock+0x35/0x1d0
[   30.461683]  ? handle_mm_fault+0x248/0x8d0
[   30.461687]  ? find_held_lock+0x35/0x1d0
[   30.461693]  ? __do_page_fault+0x5f7/0xc90
[   30.461696]  ? lock_downgrade+0x980/0x980
[   30.461701]  ? handle_mm_fault+0x410/0x8d0
[   30.461704]  ? down_read_trylock+0xdb/0x170
[   30.461708]  ? __do_page_fault+0x32d/0xc90
[   30.461711]  ? __handle_mm_fault+0x3ce0/0x3ce0
[   30.461715]  ? vmacache_find+0x5f/0x280
[   30.461720]  do_group_exit+0x149/0x400
[   30.461724]  ? __do_page_fault+0x3d6/0xc90
[   30.461727]  ? SyS_exit+0x30/0x30
[   30.461732]  ? do_fast_syscall_32+0x156/0xf9d
[   30.461735]  ? do_group_exit+0x400/0x400
[   30.461739]  SyS_exit_group+0x1d/0x20
[   30.461742]  do_fast_syscall_32+0x3ee/0xf9d
[   30.461747]  ? do_int80_syscall_32+0x9d0/0x9d0
[   30.461751]  ? kasan_check_read+0x11/0x20
[   30.461755]  ? syscall_return_slowpath+0x550/0x550
[   30.461759]  ? SyS_rt_sigaction+0x94/0x1b0
[   30.461763]  ? SyS_sigprocmask+0x4b0/0x4b0
[   30.461766]  ? SyS_read+0x184/0x220
[   30.461770]  ? retint_user+0x18/0x18
[   30.461774]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   30.461779]  entry_SYSENTER_compat+0x54/0x63
[   30.461781] RIP: 0023:0xf7fcec79
[   30.461783] RSP: 002b:00000000ffa6ca2c EFLAGS: 00000296 ORIG_RAX: 00000000000000fc
[   30.461786] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00000000080f0298
[   30.461788] RDX: 0000000000000000 RSI: 00000000080d9ad8 RDI: 00000000080f02a0
[   30.461790] RBP: 0000000000000001 R08: 0000000000000000 R09: 0000000000000000
[   30.461792] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
[   30.461794] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[   30.483373] Dumping ftrace buffer:
[   30.483376]    (ftrace buffer empty)
[   30.483378] Kernel Offset: disabled
[   31.764742] Rebooting in 86400 seconds..