[....] Starting enhanced syslogd: rsyslogd[   11.457961] audit: type=1400 audit(1514488700.816:5): avc:  denied  { syslog } for  pid=2997 comm="rsyslogd" capability=34  scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=capability2 permissive=1
[?25l[?1c7[1G[[32m ok [39;49m8[?25h[?0c.
Starting mcstransd: 
[....] Starting periodic command scheduler: cron[?25l[?1c7[1G[[32m ok [39;49m8[?25h[?0c.
[....] Starting file context maintaining daemon: restorecond[?25l[?1c7[1G[[32m ok [39;49m8[?25h[?0c.
[....] Starting OpenBSD Secure Shell server: sshd[?25l[?1c7[1G[[32m ok [39;49m8[?25h[?0c.

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [   16.996890] audit: type=1400 audit(1514488706.355:6): avc:  denied  { map } for  pid=3136 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
Warning: Permanently added '10.128.15.201' (ECDSA) to the list of known hosts.
executing program
[   23.177881] audit: type=1400 audit(1514488712.536:7): avc:  denied  { map } for  pid=3150 comm="syzkaller051064" path="/root/syzkaller051064825" dev="sda1" ino=16481 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
[   23.183377] ==================================================================
[   23.183391] BUG: KASAN: use-after-free in __lock_acquire+0x3d4d/0x3e00
[   23.183397] Read of size 8 at addr ffff8801ca17ddb0 by task syzkaller051064/3150
[   23.183398] 
[   23.183405] CPU: 0 PID: 3150 Comm: syzkaller051064 Not tainted 4.15.0-rc5+ #149
[   23.183408] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   23.183410] Call Trace:
[   23.183419]  dump_stack+0x194/0x257
[   23.183426]  ? arch_local_irq_restore+0x53/0x53
[   23.183434]  ? show_regs_print_info+0x18/0x18
[   23.183440]  ? print_irqtrace_events+0x270/0x270
[   23.183446]  ? __lock_acquire+0x664/0x3e00
[   23.183452]  ? __lock_acquire+0x3d4d/0x3e00
[   23.183461]  print_address_description+0x73/0x250
[   23.183467]  ? __lock_acquire+0x3d4d/0x3e00
[   23.183473]  kasan_report+0x25b/0x340
[   23.183480]  __asan_report_load8_noabort+0x14/0x20
[   23.183486]  __lock_acquire+0x3d4d/0x3e00
[   23.183492]  ? __lock_acquire+0x664/0x3e00
[   23.183497]  ? lock_downgrade+0x980/0x980
[   23.183502]  ? lock_downgrade+0x980/0x980
[   23.183509]  ? print_irqtrace_events+0x270/0x270
[   23.183515]  ? remove_wait_queue+0x81/0x350
[   23.183524]  ? debug_check_no_locks_freed+0x3c0/0x3c0
[   23.183531]  ? __lock_acquire+0x664/0x3e00
[   23.183536]  ? check_noncircular+0x20/0x20
[   23.183548]  ? debug_check_no_locks_freed+0x3c0/0x3c0
[   23.183555]  ? lock_acquire+0x1d5/0x580
[   23.183560]  ? lock_acquire+0x1d5/0x580
[   23.183567]  ? ep_free+0xf4/0x320
[   23.183575]  ? lock_release+0xa40/0xa40
[   23.183581]  ? trace_event_raw_event_sched_switch+0x800/0x800
[   23.183587]  ? print_irqtrace_events+0x270/0x270
[   23.183592]  ? print_irqtrace_events+0x270/0x270
[   23.183600]  ? rcu_note_context_switch+0x710/0x710
[   23.183607]  ? __might_sleep+0x95/0x190
[   23.183612]  ? ep_free+0xf4/0x320
[   23.183618]  ? __mutex_lock+0x16f/0x1a80
[   23.183623]  ? ep_free+0xf4/0x320
[   23.183630]  ? print_irqtrace_events+0x270/0x270
[   23.183634]  ? ep_free+0xf4/0x320
[   23.183642]  lock_acquire+0x1d5/0x580
[   23.183647]  ? lock_acquire+0x1d5/0x580
[   23.183653]  ? remove_wait_queue+0x81/0x350
[   23.183662]  ? lock_release+0xa40/0xa40
[   23.183670]  ? lock_acquire+0x1d5/0x580
[   23.183676]  ? debug_check_no_locks_freed+0x3c0/0x3c0
[   23.183681]  ? lock_acquire+0x1d5/0x580
[   23.183687]  ? ep_unregister_pollwait.isra.7+0x323/0x590
[   23.183694]  _raw_spin_lock_irqsave+0x96/0xc0
[   23.183700]  ? remove_wait_queue+0x81/0x350
[   23.183706]  remove_wait_queue+0x81/0x350
[   23.183713]  ? depot_save_stack+0x3b5/0x490
[   23.183720]  ? add_wait_queue+0x290/0x290
[   23.183726]  ? rcutorture_record_progress+0x10/0x10
[   23.183731]  ? lock_release+0xa40/0xa40
[   23.183740]  ep_unregister_pollwait.isra.7+0x18c/0x590
[   23.183747]  ? __kernel_text_address+0xd/0x40
[   23.183755]  ? clear_tfile_check_list+0x370/0x370
[   23.183762]  ? check_noncircular+0x20/0x20
[   23.183771]  ? locks_remove_file+0x3fa/0x5a0
[   23.183779]  ep_free+0x13f/0x320
[   23.183785]  ? ep_remove+0x800/0x800
[   23.183791]  ? fsnotify_first_mark+0x2b0/0x2b0
[   23.183799]  ? ep_free+0x320/0x320
[   23.183804]  ep_eventpoll_release+0x44/0x60
[   23.183810]  __fput+0x327/0x7e0
[   23.183818]  ? fput+0x140/0x140
[   23.183824]  ? _raw_spin_unlock_irq+0x27/0x70
[   23.183832]  ____fput+0x15/0x20
[   23.183838]  task_work_run+0x199/0x270
[   23.183846]  ? task_work_cancel+0x210/0x210
[   23.183852]  ? _raw_spin_unlock+0x22/0x30
[   23.183858]  ? switch_task_namespaces+0x87/0xc0
[   23.183866]  do_exit+0x9bb/0x1ad0
[   23.183873]  ? __handle_mm_fault+0x2330/0x3ce0
[   23.183880]  ? mm_update_next_owner+0x930/0x930
[   23.183890]  ? do_raw_spin_trylock+0x190/0x190
[   23.183897]  ? trace_event_raw_event_sched_switch+0x800/0x800
[   23.183903]  ? check_noncircular+0x20/0x20
[   23.183909]  ? _raw_spin_unlock+0x22/0x30
[   23.183915]  ? __handle_mm_fault+0x80e/0x3ce0
[   23.183923]  ? check_noncircular+0x20/0x20
[   23.183928]  ? __pmd_alloc+0x4e0/0x4e0
[   23.183933]  ? lock_downgrade+0x980/0x980
[   23.183941]  ? find_held_lock+0x35/0x1d0
[   23.183950]  ? handle_mm_fault+0x248/0x8d0
[   23.183956]  ? find_held_lock+0x35/0x1d0
[   23.183966]  ? __do_page_fault+0x5f7/0xc90
[   23.183972]  ? lock_downgrade+0x980/0x980
[   23.183981]  ? handle_mm_fault+0x410/0x8d0
[   23.183986]  ? down_read_trylock+0xdb/0x170
[   23.183991]  ? __do_page_fault+0x32d/0xc90
[   23.183997]  ? __handle_mm_fault+0x3ce0/0x3ce0
[   23.184006]  ? vmacache_find+0x5f/0x280
[   23.184015]  do_group_exit+0x149/0x400
[   23.184021]  ? __do_page_fault+0x3d6/0xc90
[   23.184027]  ? SyS_exit+0x30/0x30
[   23.184035]  ? do_fast_syscall_32+0x156/0xf9d
[   23.184041]  ? do_group_exit+0x400/0x400
[   23.184048]  SyS_exit_group+0x1d/0x20
[   23.184054]  do_fast_syscall_32+0x3ee/0xf9d
[   23.184063]  ? do_int80_syscall_32+0x9d0/0x9d0
[   23.184068]  ? kasan_check_read+0x11/0x20
[   23.184075]  ? syscall_return_slowpath+0x550/0x550
[   23.184082]  ? SyS_rt_sigaction+0x94/0x1b0
[   23.184088]  ? SyS_sigprocmask+0x4b0/0x4b0
[   23.184093]  ? SyS_read+0x184/0x220
[   23.184099]  ? retint_user+0x18/0x18
[   23.184107]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   23.184116]  entry_SYSENTER_compat+0x54/0x63
[   23.184121] RIP: 0023:0xf7f26c79
[   23.184125] RSP: 002b:00000000ff8a310c EFLAGS: 00000296 ORIG_RAX: 00000000000000fc
[   23.184131] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00000000080f0298
[   23.184135] RDX: 0000000000000000 RSI: 00000000080d9ad8 RDI: 00000000080f02a0
[   23.184138] RBP: 0000000000000001 R08: 0000000000000000 R09: 0000000000000000
[   23.184141] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
[   23.184144] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[   23.184152] 
[   23.184155] Allocated by task 3150:
[   23.184160]  save_stack+0x43/0xd0
[   23.184164]  kasan_kmalloc+0xad/0xe0
[   23.184170]  kmem_cache_alloc_trace+0x136/0x750
[   23.184176]  binder_get_thread+0x1cf/0x870
[   23.184181]  binder_poll+0x8c/0x390
[   23.184185]  ep_item_poll.isra.10+0xec/0x320
[   23.184190]  ep_insert+0x6a3/0x1b10
[   23.184194]  SyS_epoll_ctl+0x12e4/0x1ab0
[   23.184199]  do_fast_syscall_32+0x3ee/0xf9d
[   23.184205]  entry_SYSENTER_compat+0x54/0x63
[   23.184206] 
[   23.184208] Freed by task 3150:
[   23.184212]  save_stack+0x43/0xd0
[   23.184217]  kasan_slab_free+0x71/0xc0
[   23.184220]  kfree+0xd6/0x260
[   23.184225]  binder_thread_dec_tmpref+0x27f/0x310
[   23.184230]  binder_thread_release+0x27d/0x540
[   23.184235]  binder_ioctl+0xc02/0x1417
[   23.184239]  compat_SyS_ioctl+0x151/0x2a30
[   23.184244]  do_fast_syscall_32+0x3ee/0xf9d
[   23.184250]  entry_SYSENTER_compat+0x54/0x63
[   23.184251] 
[   23.184255] The buggy address belongs to the object at ffff8801ca17dd00
[   23.184255]  which belongs to the cache kmalloc-512 of size 512
[   23.184260] The buggy address is located 176 bytes inside of
[   23.184260]  512-byte region [ffff8801ca17dd00, ffff8801ca17df00)
[   23.184261] The buggy address belongs to the page:
[   23.184266] page:0000000005803da1 count:1 mapcount:0 mapping:00000000768f8b97 index:0x0
[   23.184272] flags: 0x2fffc0000000100(slab)
[   23.184280] raw: 02fffc0000000100 ffff8801ca17d080 0000000000000000 0000000100000006
[   23.184287] raw: ffffea0007257be0 ffffea0007257d20 ffff8801db000940 0000000000000000
[   23.184289] page dumped because: kasan: bad access detected
[   23.184290] 
[   23.184292] Memory state around the buggy address:
[   23.184296]  ffff8801ca17dc80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   23.184301]  ffff8801ca17dd00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   23.184305] >ffff8801ca17dd80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   23.184307]                                      ^
[   23.184311]  ffff8801ca17de00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   23.184316]  ffff8801ca17de80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   23.184317] ==================================================================
[   23.184319] Disabling lock debugging due to kernel taint
[   23.184322] Kernel panic - not syncing: panic_on_warn set ...
[   23.184322] 
[   23.184328] CPU: 0 PID: 3150 Comm: syzkaller051064 Tainted: G    B            4.15.0-rc5+ #149
[   23.184332] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   23.184333] Call Trace:
[   23.184339]  dump_stack+0x194/0x257
[   23.184346]  ? arch_local_irq_restore+0x53/0x53
[   23.184351]  ? kasan_end_report+0x32/0x50
[   23.184357]  ? lock_downgrade+0x980/0x980
[   23.184369]  ? vsnprintf+0x1ed/0x1900
[   23.184375]  ? __lock_acquire+0x3cd0/0x3e00
[   23.184380]  panic+0x1e4/0x41c
[   23.184386]  ? refcount_error_report+0x214/0x214
[   23.184393]  ? add_taint+0x40/0x50
[   23.184398]  ? add_taint+0x1c/0x50
[   23.184404]  ? __lock_acquire+0x3d4d/0x3e00
[   23.184410]  kasan_end_report+0x50/0x50
[   23.184416]  kasan_report+0x144/0x340
[   23.184423]  __asan_report_load8_noabort+0x14/0x20
[   23.184429]  __lock_acquire+0x3d4d/0x3e00
[   23.184434]  ? __lock_acquire+0x664/0x3e00
[   23.184440]  ? lock_downgrade+0x980/0x980
[   23.184445]  ? lock_downgrade+0x980/0x980
[   23.184451]  ? print_irqtrace_events+0x270/0x270
[   23.184457]  ? remove_wait_queue+0x81/0x350
[   23.184465]  ? debug_check_no_locks_freed+0x3c0/0x3c0
[   23.184472]  ? __lock_acquire+0x664/0x3e00
[   23.184477]  ? check_noncircular+0x20/0x20
[   23.184488]  ? debug_check_no_locks_freed+0x3c0/0x3c0
[   23.184495]  ? lock_acquire+0x1d5/0x580
[   23.184501]  ? lock_acquire+0x1d5/0x580
[   23.184505]  ? ep_free+0xf4/0x320
[   23.184513]  ? lock_release+0xa40/0xa40
[   23.184519]  ? trace_event_raw_event_sched_switch+0x800/0x800
[   23.184525]  ? print_irqtrace_events+0x270/0x270
[   23.184530]  ? print_irqtrace_events+0x270/0x270
[   23.184537]  ? rcu_note_context_switch+0x710/0x710
[   23.184543]  ? __might_sleep+0x95/0x190
[   23.184549]  ? ep_free+0xf4/0x320
[   23.184554]  ? __mutex_lock+0x16f/0x1a80
[   23.184558]  ? ep_free+0xf4/0x320
[   23.184565]  ? print_irqtrace_events+0x270/0x270
[   23.184569]  ? ep_free+0xf4/0x320
[   23.184577]  lock_acquire+0x1d5/0x580
[   23.184582]  ? lock_acquire+0x1d5/0x580
[   23.184588]  ? remove_wait_queue+0x81/0x350
[   23.184596]  ? lock_release+0xa40/0xa40
[   23.184605]  ? lock_acquire+0x1d5/0x580
[   23.184610]  ? debug_check_no_locks_freed+0x3c0/0x3c0
[   23.184615]  ? lock_acquire+0x1d5/0x580
[   23.184621]  ? ep_unregister_pollwait.isra.7+0x323/0x590
[   23.184628]  _raw_spin_lock_irqsave+0x96/0xc0
[   23.184634]  ? remove_wait_queue+0x81/0x350
[   23.184640]  remove_wait_queue+0x81/0x350
[   23.184645]  ? depot_save_stack+0x3b5/0x490
[   23.184652]  ? add_wait_queue+0x290/0x290
[   23.184658]  ? rcutorture_record_progress+0x10/0x10
[   23.184664]  ? lock_release+0xa40/0xa40
[   23.184672]  ep_unregister_pollwait.isra.7+0x18c/0x590
[   23.184678]  ? __kernel_text_address+0xd/0x40
[   23.184686]  ? clear_tfile_check_list+0x370/0x370
[   23.184693]  ? check_noncircular+0x20/0x20
[   23.184700]  ? locks_remove_file+0x3fa/0x5a0
[   23.184708]  ep_free+0x13f/0x320
[   23.184714]  ? ep_remove+0x800/0x800
[   23.184720]  ? fsnotify_first_mark+0x2b0/0x2b0
[   23.184727]  ? ep_free+0x320/0x320
[   23.184732]  ep_eventpoll_release+0x44/0x60
[   23.184738]  __fput+0x327/0x7e0
[   23.184745]  ? fput+0x140/0x140
[   23.184752]  ? _raw_spin_unlock_irq+0x27/0x70
[   23.184759]  ____fput+0x15/0x20
[   23.184765]  task_work_run+0x199/0x270
[   23.184773]  ? task_work_cancel+0x210/0x210
[   23.184779]  ? _raw_spin_unlock+0x22/0x30
[   23.184784]  ? switch_task_namespaces+0x87/0xc0
[   23.184792]  do_exit+0x9bb/0x1ad0
[   23.184797]  ? __handle_mm_fault+0x2330/0x3ce0
[   23.184805]  ? mm_update_next_owner+0x930/0x930
[   23.184814]  ? do_raw_spin_trylock+0x190/0x190
[   23.184821]  ? trace_event_raw_event_sched_switch+0x800/0x800
[   23.184826]  ? check_noncircular+0x20/0x20
[   23.184833]  ? _raw_spin_unlock+0x22/0x30
[   23.184839]  ? __handle_mm_fault+0x80e/0x3ce0
[   23.184846]  ? check_noncircular+0x20/0x20
[   23.184851]  ? __pmd_alloc+0x4e0/0x4e0
[   23.184856]  ? lock_downgrade+0x980/0x980
[   23.184864]  ? find_held_lock+0x35/0x1d0
[   23.184872]  ? handle_mm_fault+0x248/0x8d0
[   23.184879]  ? find_held_lock+0x35/0x1d0
[   23.184887]  ? __do_page_fault+0x5f7/0xc90
[   23.184893]  ? lock_downgrade+0x980/0x980
[   23.184902]  ? handle_mm_fault+0x410/0x8d0
[   23.184907]  ? down_read_trylock+0xdb/0x170
[   23.184912]  ? __do_page_fault+0x32d/0xc90
[   23.184918]  ? __handle_mm_fault+0x3ce0/0x3ce0
[   23.184924]  ? vmacache_find+0x5f/0x280
[   23.184932]  do_group_exit+0x149/0x400
[   23.184938]  ? __do_page_fault+0x3d6/0xc90
[   23.184944]  ? SyS_exit+0x30/0x30
[   23.184951]  ? do_fast_syscall_32+0x156/0xf9d
[   23.184957]  ? do_group_exit+0x400/0x400
[   23.184963]  SyS_exit_group+0x1d/0x20
[   23.184969]  do_fast_syscall_32+0x3ee/0xf9d
[   23.184978]  ? do_int80_syscall_32+0x9d0/0x9d0
[   23.184983]  ? kasan_check_read+0x11/0x20
[   23.184990]  ? syscall_return_slowpath+0x550/0x550
[   23.184996]  ? SyS_rt_sigaction+0x94/0x1b0
[   23.185003]  ? SyS_sigprocmask+0x4b0/0x4b0
[   23.185007]  ? SyS_read+0x184/0x220
[   23.185013]  ? retint_user+0x18/0x18
[   23.185021]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   23.185029]  entry_SYSENTER_compat+0x54/0x63
[   23.185033] RIP: 0023:0xf7f26c79
[   23.185035] RSP: 002b:00000000ff8a310c EFLAGS: 00000296 ORIG_RAX: 00000000000000fc
[   23.185041] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00000000080f0298
[   23.185045] RDX: 0000000000000000 RSI: 00000000080d9ad8 RDI: 00000000080f02a0
[   23.185048] RBP: 0000000000000001 R08: 0000000000000000 R09: 0000000000000000
[   23.185051] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
[   23.185054] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[   23.204167] Dumping ftrace buffer:
[   23.204170]    (ftrace buffer empty)
[   23.204172] Kernel Offset: disabled
[   24.509697] Rebooting in 86400 seconds..