[ ok ] Starting enhanced syslogd: rsyslogd.
[   11.996941] audit: type=1400 audit(1516068623.391:5): avc:  denied  { syslog } for  pid=3506 comm="rsyslogd" capability=34  scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=capability2 permissive=1
Starting mcstransd:
[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting file context maintaining daemon: restorecond.
[ ok ] Starting OpenBSD Secure Shell server: sshd.

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [   16.553609] audit: type=1400 audit(1516068627.948:6): avc:  denied  { map } for  pid=3644 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
Warning: Permanently added '10.128.15.201' (ECDSA) to the list of known hosts.
executing program
[   22.830693] audit: type=1400 audit(1516068634.225:7): avc:  denied  { map } for  pid=3658 comm="syzkaller968470" path="/root/syzkaller968470559" dev="sda1" ino=16481 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
[   22.860901] TCP: request_sock_TCP: Possible SYN flooding on port 20000. Sending cookies.  Check SNMP counters.
[   22.876898] ==================================================================
[   22.884315] BUG: KASAN: use-after-free in tls_sk_proto_close+0x7a0/0x800
[   22.891131] Read of size 8 at addr ffff8801d1869488 by task syzkaller968470/3659
[   22.899764]
[   22.901372] CPU: 0 PID: 3659 Comm: syzkaller968470 Not tainted 4.15.0-rc7-next-20180115+ #97
[   22.909916] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   22.919260] Call Trace:
[   22.921827]  dump_stack+0x194/0x257
[   22.925434]  ? arch_local_irq_restore+0x53/0x53
[   22.930077]  ? show_regs_print_info+0x18/0x18
[   22.934560]  ? mark_held_locks+0xaf/0x100
[   22.938684]  ? do_raw_spin_trylock+0x190/0x190
[   22.943243]  ? tls_sk_proto_close+0x7a0/0x800
[   22.947979]  print_address_description+0x73/0x250
[   22.952797]  ? tls_sk_proto_close+0x7a0/0x800
[   22.957273]  kasan_report+0x23b/0x360
[   22.961063]  __asan_report_load8_noabort+0x14/0x20
[   22.965972]  tls_sk_proto_close+0x7a0/0x800
[   22.970281]  ? lock_release+0xa40/0xa40
[   22.974231]  ? __dentry_kill+0x487/0x6d0
[   22.978275]  ? tls_write_space+0x2c0/0x2c0
[   22.982489]  ? locks_remove_file+0x3fa/0x5a0
[   22.986876]  ? fcntl_setlk+0x10c0/0x10c0
[   22.990921]  ? fsnotify+0x7b3/0x1140
[   22.994613]  ? ip_mc_drop_socket+0x1ce/0x230
[   22.999002]  inet_release+0xed/0x1c0
[   23.002693]  sock_release+0x8d/0x1e0
[   23.006386]  ? sock_alloc_file+0x560/0x560
[   23.010594]  sock_close+0x16/0x20
[   23.014024]  __fput+0x327/0x7e0
[   23.017284]  ? fput+0x140/0x140
[   23.020550]  ? trace_event_raw_event_sched_switch+0x800/0x800
[   23.026420]  ? _raw_spin_unlock_irq+0x27/0x70
[   23.030897]  ____fput+0x15/0x20
[   23.034150]  task_work_run+0x199/0x270
[   23.038014]  ? task_work_cancel+0x210/0x210
[   23.042328]  ? _raw_spin_unlock+0x22/0x30
[   23.046458]  ? switch_task_namespaces+0x87/0xc0
[   23.051105]  do_exit+0x9bb/0x1ad0
[   23.054713]  ? mm_update_next_owner+0x930/0x930
[   23.059358]  ? debug_check_no_locks_freed+0x3c0/0x3c0
[   23.064538]  ? __might_sleep+0x95/0x190
[   23.068503]  ? find_held_lock+0x35/0x1d0
[   23.072547]  ? futex_wait+0x402/0x9a0
[   23.076326]  ? lock_downgrade+0x980/0x980
[   23.080452]  ? __unqueue_futex+0x1c0/0x290
[   23.084661]  ? lock_release+0xa40/0xa40
[   23.088611]  ? fault_in_user_writeable+0x90/0x90
[   23.093354]  ? do_raw_spin_trylock+0x190/0x190
[   23.097923]  ? futex_wake+0x680/0x680
[   23.101699]  ? check_noncircular+0x20/0x20
[   23.105910]  ? mmdrop+0x18/0x30
[   23.109165]  ? drop_futex_key_refs.isra.12+0x63/0xa0
[   23.114245]  ? futex_wait+0x6a9/0x9a0
[   23.118034]  ? find_held_lock+0x35/0x1d0
[   23.122094]  ? get_signal+0x7ae/0x16c0
[   23.125958]  ? lock_downgrade+0x980/0x980
[   23.130091]  do_group_exit+0x149/0x400
[   23.133954]  ? do_raw_spin_trylock+0x190/0x190
[   23.138511]  ? SyS_exit+0x30/0x30
[   23.141941]  ? _raw_spin_unlock_irq+0x27/0x70
[   23.146415]  ? trace_hardirqs_on_caller+0x421/0x5c0
[   23.151423]  get_signal+0x73f/0x16c0
[   23.155129]  ? ptrace_notify+0x130/0x130
[   23.159184]  ? exit_robust_list+0x240/0x240
[   23.163480]  ? find_held_lock+0x35/0x1d0
[   23.167525]  ? handle_mm_fault+0x2a0/0x930
[   23.171737]  ? find_held_lock+0x35/0x1d0
[   23.175790]  do_signal+0x90/0x1eb0
[   23.179308]  ? __do_page_fault+0x5f7/0xc90
[   23.183520]  ? lock_downgrade+0x980/0x980
[   23.187648]  ? setup_sigcontext+0x7d0/0x7d0
[   23.191949]  ? handle_mm_fault+0x476/0x930
[   23.196159]  ? down_read_trylock+0xdb/0x170
[   23.200469]  ? __handle_mm_fault+0x3ce0/0x3ce0
[   23.205030]  ? vmacache_find+0x5f/0x280
[   23.208994]  ? up_read+0x1a/0x40
[   23.212340]  ? __do_page_fault+0x3d6/0xc90
[   23.216548]  ? SYSC_accept4+0x4ff/0x870
[   23.220496]  ? release_sock+0x1d4/0x2a0
[   23.224458]  ? exit_to_usermode_loop+0x8c/0x2f0
[   23.229110]  exit_to_usermode_loop+0x258/0x2f0
[   23.233670]  ? trace_event_raw_event_sys_exit+0x260/0x260
[   23.239202]  syscall_return_slowpath+0x490/0x550
[   23.243946]  ? prepare_exit_to_usermode+0x340/0x340
[   23.248939]  ? entry_SYSCALL_64_fastpath+0x73/0xa0
[   23.253847]  ? trace_hardirqs_on_caller+0x421/0x5c0
[   23.258839]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[   23.263579]  entry_SYSCALL_64_fastpath+0x9e/0xa0
[   23.268308] RIP: 0033:0x4457a9
[   23.271473] RSP: 002b:00007f57c47f2db8 EFLAGS: 00000246 ORIG_RAX: 00000000000000ca
[   23.279153] RAX: fffffffffffffe00 RBX: 00000000006dac24 RCX: 00000000004457a9
[   23.286397] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 00000000006dac24
[   23.293642] RBP: 00000000006dac20 R08: 0000000000000000 R09: 0000000000000000
[   23.300885] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
[   23.308128] R13: 00007fffe4e1f12f R14: 00007f57c47f39c0 R15: 0000000000000001
[   23.315400]
[   23.317003] Allocated by task 3659:
[   23.320616]  save_stack+0x43/0xd0
[   23.324044]  kasan_kmalloc+0xad/0xe0
[   23.327744]  kmem_cache_alloc_trace+0x136/0x750
[   23.332387]  tls_init+0x4b/0x240
[   23.335727]  tcp_set_ulp+0x159/0x3e0
[   23.339416]  do_tcp_setsockopt.isra.37+0x316/0x2130
[   23.344407]  tcp_setsockopt+0xb0/0xd0
[   23.348183]  sock_common_setsockopt+0x95/0xd0
[   23.352652]  SyS_setsockopt+0x189/0x360
[   23.356601]  entry_SYSCALL_64_fastpath+0x29/0xa0
[   23.361326]
[   23.362925] Freed by task 3659:
[   23.366177]  save_stack+0x43/0xd0
[   23.369603]  __kasan_slab_free+0x11a/0x170
[   23.373810]  kasan_slab_free+0xe/0x10
[   23.377596]  kfree+0xd9/0x260
[   23.380675]  tls_sk_proto_close+0x4bf/0x800
[   23.384982]  inet_release+0xed/0x1c0
[   23.388684]  sock_release+0x8d/0x1e0
[   23.392370]  sock_close+0x16/0x20
[   23.395797]  __fput+0x327/0x7e0
[   23.399047]  ____fput+0x15/0x20
[   23.402304]  task_work_run+0x199/0x270
[   23.406165]  do_exit+0x9bb/0x1ad0
[   23.409602]  do_group_exit+0x149/0x400
[   23.413467]  get_signal+0x73f/0x16c0
[   23.417155]  do_signal+0x90/0x1eb0
[   23.420669]  exit_to_usermode_loop+0x258/0x2f0
[   23.425226]  syscall_return_slowpath+0x490/0x550
[   23.429963]  entry_SYSCALL_64_fastpath+0x9e/0xa0
[   23.434688]
[   23.436290] The buggy address belongs to the object at ffff8801d1869400
[   23.436290]  which belongs to the cache kmalloc-192 of size 192
[   23.448932] The buggy address is located 136 bytes inside of
[   23.448932]  192-byte region [ffff8801d1869400, ffff8801d18694c0)
[   23.460780] The buggy address belongs to the page:
[   23.465698] page:ffffea0007461a40 count:1 mapcount:0 mapping:ffff8801d1869000 index:0xffff8801d1869f00
[   23.475119] flags: 0x2fffc0000000100(slab)
[   23.479329] raw: 02fffc0000000100 ffff8801d1869000 ffff8801d1869f00 0000000100000008
[   23.487188] raw: ffffea0007548020 ffffea00074cfe60 ffff8801dac00040 0000000000000000
[   23.495040] page dumped because: kasan: bad access detected
[   23.500724]
[   23.502325] Memory state around the buggy address:
[   23.507235]  ffff8801d1869380: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[   23.514582]  ffff8801d1869400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   23.521918] >ffff8801d1869480: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[   23.529253]                       ^
[   23.532853]  ffff8801d1869500: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   23.540198]  ffff8801d1869580: 00 00 00 00 fc fc fc fc fc fc fc fc fc fc fc fc
[   23.547529] ==================================================================
[   23.554861] Disabling lock debugging due to kernel taint
[   23.560364] Kernel panic - not syncing: panic_on_warn set ...
[   23.560364]
[   23.567715] CPU: 0 PID: 3659 Comm: syzkaller968470 Tainted: G    B             4.15.0-rc7-next-20180115+ #97
[   23.577568] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   23.586912] Call Trace:
[   23.589481]  dump_stack+0x194/0x257
[   23.593085]  ? arch_local_irq_restore+0x53/0x53
[   23.597728]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[   23.602472]  ? vsnprintf+0x1ed/0x1900
[   23.606248]  ? tls_sk_proto_close+0x6b0/0x800
[   23.610716]  panic+0x1e4/0x41c
[   23.613881]  ? refcount_error_report+0x214/0x214
[   23.618614]  ? add_taint+0x1c/0x50
[   23.622128]  ? add_taint+0x1c/0x50
[   23.625641]  ? tls_sk_proto_close+0x7a0/0x800
[   23.630114]  kasan_end_report+0x50/0x50
[   23.634065]  kasan_report+0x148/0x360
[   23.637839]  __asan_report_load8_noabort+0x14/0x20
[   23.642740]  tls_sk_proto_close+0x7a0/0x800
[   23.647039]  ? lock_release+0xa40/0xa40
[   23.650989]  ? __dentry_kill+0x487/0x6d0
[   23.655032]  ? tls_write_space+0x2c0/0x2c0
[   23.659330]  ? locks_remove_file+0x3fa/0x5a0
[   23.663722]  ? fcntl_setlk+0x10c0/0x10c0
[   23.667755]  ? fsnotify+0x7b3/0x1140
[   23.671444]  ? ip_mc_drop_socket+0x1ce/0x230
[   23.675840]  inet_release+0xed/0x1c0
[   23.679528]  sock_release+0x8d/0x1e0
[   23.683216]  ? sock_alloc_file+0x560/0x560
[   23.687426]  sock_close+0x16/0x20
[   23.690852]  __fput+0x327/0x7e0
[   23.694128]  ? fput+0x140/0x140
[   23.697383]  ? trace_event_raw_event_sched_switch+0x800/0x800
[   23.703241]  ? _raw_spin_unlock_irq+0x27/0x70
[   23.707714]  ____fput+0x15/0x20
[   23.710965]  task_work_run+0x199/0x270
[   23.714825]  ? task_work_cancel+0x210/0x210
[   23.719122]  ? _raw_spin_unlock+0x22/0x30
[   23.723244]  ? switch_task_namespaces+0x87/0xc0
[   23.727887]  do_exit+0x9bb/0x1ad0
[   23.731320]  ? mm_update_next_owner+0x930/0x930
[   23.735962]  ? debug_check_no_locks_freed+0x3c0/0x3c0
[   23.741124]  ? __might_sleep+0x95/0x190
[   23.745090]  ? find_held_lock+0x35/0x1d0
[   23.749132]  ? futex_wait+0x402/0x9a0
[   23.752915]  ? lock_downgrade+0x980/0x980
[   23.757039]  ? __unqueue_futex+0x1c0/0x290
[   23.761246]  ? lock_release+0xa40/0xa40
[   23.765204]  ? fault_in_user_writeable+0x90/0x90
[   23.769938]  ? do_raw_spin_trylock+0x190/0x190
[   23.774497]  ? futex_wake+0x680/0x680
[   23.778273]  ? check_noncircular+0x20/0x20
[   23.782495]  ? mmdrop+0x18/0x30
[   23.785749]  ? drop_futex_key_refs.isra.12+0x63/0xa0
[   23.790826]  ? futex_wait+0x6a9/0x9a0
[   23.794622]  ? find_held_lock+0x35/0x1d0
[   23.798661]  ? get_signal+0x7ae/0x16c0
[   23.802533]  ? lock_downgrade+0x980/0x980
[   23.806659]  do_group_exit+0x149/0x400
[   23.810521]  ? do_raw_spin_trylock+0x190/0x190
[   23.815086]  ? SyS_exit+0x30/0x30
[   23.818515]  ? _raw_spin_unlock_irq+0x27/0x70
[   23.822985]  ? trace_hardirqs_on_caller+0x421/0x5c0
[   23.828004]  get_signal+0x73f/0x16c0
[   23.831714]  ? ptrace_notify+0x130/0x130
[   23.835752]  ? exit_robust_list+0x240/0x240
[   23.840054]  ? find_held_lock+0x35/0x1d0
[   23.844109]  ? handle_mm_fault+0x2a0/0x930
[   23.848319]  ? find_held_lock+0x35/0x1d0
[   23.852354]  do_signal+0x90/0x1eb0
[   23.855884]  ? __do_page_fault+0x5f7/0xc90
[   23.860105]  ? lock_downgrade+0x980/0x980
[   23.864231]  ? setup_sigcontext+0x7d0/0x7d0
[   23.868530]  ? handle_mm_fault+0x476/0x930
[   23.872747]  ? down_read_trylock+0xdb/0x170
[   23.877046]  ? __handle_mm_fault+0x3ce0/0x3ce0
[   23.881599]  ? vmacache_find+0x5f/0x280
[   23.885550]  ? up_read+0x1a/0x40
[   23.888901]  ? __do_page_fault+0x3d6/0xc90
[   23.893110]  ? SYSC_accept4+0x4ff/0x870
[   23.897054]  ? release_sock+0x1d4/0x2a0
[   23.901022]  ? exit_to_usermode_loop+0x8c/0x2f0
[   23.905672]  exit_to_usermode_loop+0x258/0x2f0
[   23.910247]  ? trace_event_raw_event_sys_exit+0x260/0x260
[   23.915760]  syscall_return_slowpath+0x490/0x550
[   23.920498]  ? prepare_exit_to_usermode+0x340/0x340
[   23.925489]  ? entry_SYSCALL_64_fastpath+0x73/0xa0
[   23.930403]  ? trace_hardirqs_on_caller+0x421/0x5c0
[   23.935395]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[   23.940141]  entry_SYSCALL_64_fastpath+0x9e/0xa0
[   23.944871] RIP: 0033:0x4457a9
[   23.948035] RSP: 002b:00007f57c47f2db8 EFLAGS: 00000246 ORIG_RAX: 00000000000000ca
[   23.955726] RAX: fffffffffffffe00 RBX: 00000000006dac24 RCX: 00000000004457a9
[   23.962972] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 00000000006dac24
[   23.970220] RBP: 00000000006dac20 R08: 0000000000000000 R09: 0000000000000000
[   23.977466] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
[   23.984709] R13: 00007fffe4e1f12f R14: 00007f57c47f39c0 R15: 0000000000000001
[   23.992463] Dumping ftrace buffer:
[   23.995983]    (ftrace buffer empty)
[   23.999665] Kernel Offset: disabled
[   24.003268] Rebooting in 86400 seconds..