[ ok ] Starting enhanced syslogd: rsyslogd.
[   13.213654] audit: type=1400 audit(1516066726.381:5): avc:  denied  { syslog } for  pid=3505 comm="rsyslogd" capability=34  scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=capability2 permissive=1
Starting mcstransd:
[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting file context maintaining daemon: restorecond.
[ ok ] Starting OpenBSD Secure Shell server: sshd.

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login:
[   18.862706] audit: type=1400 audit(1516066732.030:6): avc:  denied  { map } for  pid=3644 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
Warning: Permanently added '10.128.15.200' (ECDSA) to the list of known hosts.
executing program
[   25.116044] audit: type=1400 audit(1516066738.283:7): avc:  denied  { map } for  pid=3658 comm="syzkaller779455" path="/root/syzkaller779455735" dev="sda1" ino=16481 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
[   25.152613] TCP: request_sock_TCP: Possible SYN flooding on port 20000. Sending cookies.  Check SNMP counters.
[   25.168019] ==================================================================
[   25.175422] BUG: KASAN: use-after-free in tls_sk_proto_close+0x7a0/0x800
[   25.182238] Read of size 8 at addr ffff8801d1c99788 by task syzkaller779455/3660
[   25.189739]
[   25.191343] CPU: 1 PID: 3660 Comm: syzkaller779455 Not tainted 4.15.0-rc8+ #263
[   25.198760] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   25.208086] Call Trace:
[   25.210654]  dump_stack+0x194/0x257
[   25.214257]  ? arch_local_irq_restore+0x53/0x53
[   25.218899]  ? show_regs_print_info+0x18/0x18
[   25.223368]  ? mark_held_locks+0xaf/0x100
[   25.227489]  ? do_raw_spin_trylock+0x190/0x190
[   25.232049]  ? tls_sk_proto_close+0x7a0/0x800
[   25.236518]  print_address_description+0x73/0x250
[   25.241332]  ? tls_sk_proto_close+0x7a0/0x800
[   25.245802]  kasan_report+0x25b/0x340
[   25.249580]  __asan_report_load8_noabort+0x14/0x20
[   25.254482]  tls_sk_proto_close+0x7a0/0x800
[   25.258777]  ? lock_release+0xa40/0xa40
[   25.262725]  ? __dentry_kill+0x487/0x6d0
[   25.266767]  ? tls_write_space+0x2c0/0x2c0
[   25.270978]  ? locks_remove_file+0x3fa/0x5a0
[   25.275364]  ? fcntl_setlk+0x10c0/0x10c0
[   25.279397]  ? fsnotify+0x7b3/0x1140
[   25.283090]  ? ip_mc_drop_socket+0x1ce/0x230
[   25.287476]  inet_release+0xed/0x1c0
[   25.291171]  sock_release+0x8d/0x1e0
[   25.294858]  ? sock_alloc_file+0x560/0x560
[   25.299066]  sock_close+0x16/0x20
[   25.302493]  __fput+0x327/0x7e0
[   25.305759]  ? fput+0x140/0x140
[   25.309019]  ? trace_event_raw_event_sched_switch+0x800/0x800
[   25.314881]  ? _raw_spin_unlock_irq+0x27/0x70
[   25.319354]  ____fput+0x15/0x20
[   25.322608]  task_work_run+0x199/0x270
[   25.326471]  ? task_work_cancel+0x210/0x210
[   25.330766]  ? _raw_spin_unlock+0x22/0x30
[   25.334895]  ? switch_task_namespaces+0x87/0xc0
[   25.339540]  do_exit+0x9bb/0x1ad0
[   25.342974]  ? mm_update_next_owner+0x930/0x930
[   25.347651]  ? debug_check_no_locks_freed+0x3c0/0x3c0
[   25.352841]  ? __might_sleep+0x95/0x190
[   25.356802]  ? find_held_lock+0x35/0x1d0
[   25.360848]  ? futex_wait+0x402/0x9a0
[   25.364626]  ? lock_downgrade+0x980/0x980
[   25.368750]  ? __unqueue_futex+0x1c0/0x290
[   25.372961]  ? lock_release+0xa40/0xa40
[   25.376920]  ? fault_in_user_writeable+0x90/0x90
[   25.381658]  ? do_raw_spin_trylock+0x190/0x190
[   25.386231]  ? futex_wake+0x680/0x680
[   25.390009]  ? check_noncircular+0x20/0x20
[   25.394226]  ? drop_futex_key_refs.isra.12+0x63/0xb0
[   25.399306]  ? futex_wait+0x6a9/0x9a0
[   25.403093]  ? find_held_lock+0x35/0x1d0
[   25.407136]  ? get_signal+0x7ae/0x16c0
[   25.410999]  ? lock_downgrade+0x980/0x980
[   25.415131]  do_group_exit+0x149/0x400
[   25.419000]  ? do_raw_spin_trylock+0x190/0x190
[   25.423559]  ? SyS_exit+0x30/0x30
[   25.426987]  ? _raw_spin_unlock_irq+0x27/0x70
[   25.431462]  ? trace_hardirqs_on_caller+0x421/0x5c0
[   25.436462]  get_signal+0x73f/0x16c0
[   25.440162]  ? ptrace_notify+0x130/0x130
[   25.444202]  ? exit_robust_list+0x240/0x240
[   25.448509]  ? __sched_text_start+0x8/0x8
[   25.452642]  ? release_sock+0x1d4/0x2a0
[   25.456597]  do_signal+0x90/0x1eb0
[   25.460109]  ? lock_release+0xa40/0xa40
[   25.464057]  ? __inet_stream_connect+0x1a2/0xf00
[   25.468795]  ? __local_bh_enable_ip+0x121/0x230
[   25.473444]  ? setup_sigcontext+0x7d0/0x7d0
[   25.477743]  ? release_sock+0x1d4/0x2a0
[   25.481692]  ? trace_hardirqs_on+0xd/0x10
[   25.485814]  ? __local_bh_enable_ip+0x121/0x230
[   25.490462]  ? schedule+0xf5/0x430
[   25.493979]  ? __schedule+0x2060/0x2060
[   25.497938]  ? inet_stream_connect+0x7b/0xa0
[   25.502328]  ? fput+0xd2/0x140
[   25.505499]  ? exit_to_usermode_loop+0x8c/0x310
[   25.510152]  exit_to_usermode_loop+0x214/0x310
[   25.514716]  ? trace_event_raw_event_sys_exit+0x260/0x260
[   25.520245]  syscall_return_slowpath+0x490/0x550
[   25.524979]  ? prepare_exit_to_usermode+0x340/0x340
[   25.529974]  ? entry_SYSCALL_64_fastpath+0x73/0xa0
[   25.534879]  ? trace_hardirqs_on_caller+0x421/0x5c0
[   25.539874]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[   25.544619]  entry_SYSCALL_64_fastpath+0x9e/0xa0
[   25.549350] RIP: 0033:0x4457a9
[   25.552513] RSP: 002b:00007f9379be4db8 EFLAGS: 00000246 ORIG_RAX: 00000000000000ca
[   25.560223] RAX: fffffffffffffe00 RBX: 00000000006dac3c RCX: 00000000004457a9
[   25.567466] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 00000000006dac3c
[   25.574707] RBP: 00000000006dac38 R08: 0000000000000000 R09: 0000000000000000
[   25.581951] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
[   25.589211] R13: 00007ffeda932daf R14: 00007f9379be59c0 R15: 0000000000000001
[   25.596475]
[   25.598088] Allocated by task 3659:
[   25.601692]  save_stack+0x43/0xd0
[   25.605118]  kasan_kmalloc+0xad/0xe0
[   25.608804]  kmem_cache_alloc_trace+0x136/0x750
[   25.613448]  tls_init+0x4b/0x240
[   25.616800]  tcp_set_ulp+0x159/0x3e0
[   25.620491]  do_tcp_setsockopt.isra.38+0x316/0x2130
[   25.625478]  tcp_setsockopt+0xb0/0xd0
[   25.629251]  sock_common_setsockopt+0x95/0xd0
[   25.633719]  SyS_setsockopt+0x189/0x360
[   25.637670]  entry_SYSCALL_64_fastpath+0x29/0xa0
[   25.642394]
[   25.643995] Freed by task 3660:
[   25.647248]  save_stack+0x43/0xd0
[   25.650674]  kasan_slab_free+0x71/0xc0
[   25.654534]  kfree+0xd6/0x260
[   25.657619]  tls_sk_proto_close+0x4bf/0x800
[   25.661928]  inet_release+0xed/0x1c0
[   25.665623]  sock_release+0x8d/0x1e0
[   25.669306]  sock_close+0x16/0x20
[   25.672738]  __fput+0x327/0x7e0
[   25.675991]  ____fput+0x15/0x20
[   25.679257]  task_work_run+0x199/0x270
[   25.683121]  do_exit+0x9bb/0x1ad0
[   25.686546]  do_group_exit+0x149/0x400
[   25.690407]  get_signal+0x73f/0x16c0
[   25.694107]  do_signal+0x90/0x1eb0
[   25.697622]  exit_to_usermode_loop+0x214/0x310
[   25.702176]  syscall_return_slowpath+0x490/0x550
[   25.706908]  entry_SYSCALL_64_fastpath+0x9e/0xa0
[   25.711631]
[   25.713232] The buggy address belongs to the object at ffff8801d1c99700
[   25.713232]  which belongs to the cache kmalloc-192 of size 192
[   25.725866] The buggy address is located 136 bytes inside of
[   25.725866]  192-byte region [ffff8801d1c99700, ffff8801d1c997c0)
[   25.737730] The buggy address belongs to the page:
[   25.742659] page:ffffea0007472640 count:1 mapcount:0 mapping:ffff8801d1c99000 index:0xffff8801d1c99000
[   25.752097] flags: 0x2fffc0000000100(slab)
[   25.756310] raw: 02fffc0000000100 ffff8801d1c99000 ffff8801d1c99000 000000010000000d
[   25.764166] raw: ffffea0007661ae0 ffffea00075741e0 ffff8801dac00040 0000000000000000
[   25.772023] page dumped because: kasan: bad access detected
[   25.777702]
[   25.779299] Memory state around the buggy address:
[   25.784201]  ffff8801d1c99680: 00 00 00 00 fc fc fc fc fc fc fc fc fc fc fc fc
[   25.791535]  ffff8801d1c99700: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   25.798870] >ffff8801d1c99780: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[   25.806201]                                            ^
[   25.809810]  ffff8801d1c99800: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   25.817163]  ffff8801d1c99880: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[   25.824509] ==================================================================
[   25.831844] Disabling lock debugging due to kernel taint
[   25.837372] Kernel panic - not syncing: panic_on_warn set ...
[   25.837372]
[   25.844714] CPU: 1 PID: 3660 Comm: syzkaller779455 Tainted: G B 4.15.0-rc8+ #263
[   25.853432] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   25.862768] Call Trace:
[   25.865342]  dump_stack+0x194/0x257
[   25.868959]  ? arch_local_irq_restore+0x53/0x53
[   25.873612]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[   25.878364]  ? vsnprintf+0x1ed/0x1900
[   25.882141]  ? tls_sk_proto_close+0x6c0/0x800
[   25.886607]  panic+0x1e4/0x41c
[   25.889781]  ? refcount_error_report+0x214/0x214
[   25.894512]  ? add_taint+0x1c/0x50
[   25.898025]  ? add_taint+0x1c/0x50
[   25.901539]  ? tls_sk_proto_close+0x7a0/0x800
[   25.906006]  kasan_end_report+0x50/0x50
[   25.909951]  kasan_report+0x144/0x340
[   25.913726]  __asan_report_load8_noabort+0x14/0x20
[   25.918629]  tls_sk_proto_close+0x7a0/0x800
[   25.922937]  ? lock_release+0xa40/0xa40
[   25.926887]  ? __dentry_kill+0x487/0x6d0
[   25.930922]  ? tls_write_space+0x2c0/0x2c0
[   25.935134]  ? locks_remove_file+0x3fa/0x5a0
[   25.939516]  ? fcntl_setlk+0x10c0/0x10c0
[   25.943563]  ? fsnotify+0x7b3/0x1140
[   25.947253]  ? ip_mc_drop_socket+0x1ce/0x230
[   25.951635]  inet_release+0xed/0x1c0
[   25.955329]  sock_release+0x8d/0x1e0
[   25.959013]  ? sock_alloc_file+0x560/0x560
[   25.963217]  sock_close+0x16/0x20
[   25.966649]  __fput+0x327/0x7e0
[   25.969902]  ? fput+0x140/0x140
[   25.973169]  ? trace_event_raw_event_sched_switch+0x800/0x800
[   25.979026]  ? _raw_spin_unlock_irq+0x27/0x70
[   25.983503]  ____fput+0x15/0x20
[   25.986758]  task_work_run+0x199/0x270
[   25.990624]  ? task_work_cancel+0x210/0x210
[   25.994928]  ? _raw_spin_unlock+0x22/0x30
[   25.999052]  ? switch_task_namespaces+0x87/0xc0
[   26.003694]  do_exit+0x9bb/0x1ad0
[   26.007122]  ? mm_update_next_owner+0x930/0x930
[   26.011765]  ? debug_check_no_locks_freed+0x3c0/0x3c0
[   26.016931]  ? __might_sleep+0x95/0x190
[   26.020883]  ? find_held_lock+0x35/0x1d0
[   26.024922]  ? futex_wait+0x402/0x9a0
[   26.028703]  ? lock_downgrade+0x980/0x980
[   26.032830]  ? __unqueue_futex+0x1c0/0x290
[   26.037039]  ? lock_release+0xa40/0xa40
[   26.040989]  ? fault_in_user_writeable+0x90/0x90
[   26.045722]  ? do_raw_spin_trylock+0x190/0x190
[   26.050277]  ? futex_wake+0x680/0x680
[   26.054062]  ? check_noncircular+0x20/0x20
[   26.058277]  ? drop_futex_key_refs.isra.12+0x63/0xb0
[   26.063368]  ? futex_wait+0x6a9/0x9a0
[   26.067149]  ? find_held_lock+0x35/0x1d0
[   26.071197]  ? get_signal+0x7ae/0x16c0
[   26.075066]  ? lock_downgrade+0x980/0x980
[   26.079194]  do_group_exit+0x149/0x400
[   26.083593]  ? do_raw_spin_trylock+0x190/0x190
[   26.088164]  ? SyS_exit+0x30/0x30
[   26.091596]  ? _raw_spin_unlock_irq+0x27/0x70
[   26.096064]  ? trace_hardirqs_on_caller+0x421/0x5c0
[   26.101054]  get_signal+0x73f/0x16c0
[   26.104744]  ? ptrace_notify+0x130/0x130
[   26.108783]  ? exit_robust_list+0x240/0x240
[   26.113084]  ? __sched_text_start+0x8/0x8
[   26.117210]  ? release_sock+0x1d4/0x2a0
[   26.121168]  do_signal+0x90/0x1eb0
[   26.124683]  ? lock_release+0xa40/0xa40
[   26.128637]  ? __inet_stream_connect+0x1a2/0xf00
[   26.133395]  ? __local_bh_enable_ip+0x121/0x230
[   26.138058]  ? setup_sigcontext+0x7d0/0x7d0
[   26.142363]  ? release_sock+0x1d4/0x2a0
[   26.146334]  ? trace_hardirqs_on+0xd/0x10
[   26.150468]  ? __local_bh_enable_ip+0x121/0x230
[   26.155114]  ? schedule+0xf5/0x430
[   26.158627]  ? __schedule+0x2060/0x2060
[   26.162576]  ? inet_stream_connect+0x7b/0xa0
[   26.166958]  ? fput+0xd2/0x140
[   26.170123]  ? exit_to_usermode_loop+0x8c/0x310
[   26.174765]  exit_to_usermode_loop+0x214/0x310
[   26.179322]  ? trace_event_raw_event_sys_exit+0x260/0x260
[   26.184836]  syscall_return_slowpath+0x490/0x550
[   26.189575]  ? prepare_exit_to_usermode+0x340/0x340
[   26.194563]  ? entry_SYSCALL_64_fastpath+0x73/0xa0
[   26.199466]  ? trace_hardirqs_on_caller+0x421/0x5c0
[   26.204453]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[   26.209183]  entry_SYSCALL_64_fastpath+0x9e/0xa0
[   26.213913] RIP: 0033:0x4457a9
[   26.217075] RSP: 002b:00007f9379be4db8 EFLAGS: 00000246 ORIG_RAX: 00000000000000ca
[   26.224752] RAX: fffffffffffffe00 RBX: 00000000006dac3c RCX: 00000000004457a9
[   26.231991] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 00000000006dac3c
[   26.239245] RBP: 00000000006dac38 R08: 0000000000000000 R09: 0000000000000000
[   26.246485] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
[   26.253742] R13: 00007ffeda932daf R14: 00007f9379be59c0 R15: 0000000000000001
[   26.261466] Dumping ftrace buffer:
[   26.264979]    (ftrace buffer empty)
[   26.268662] Kernel Offset: disabled
[   26.272262] Rebooting in 86400 seconds..