[....] Starting enhanced syslogd: rsyslogd[   16.044122] audit: type=1400 audit(1517473748.333:5): avc:  denied  { syslog } for  pid=3997 comm="rsyslogd" capability=34  scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=capability2 permissive=1
[?25l[?1c7[1G[[32m ok [39;49m8[?25h[?0c.
Starting mcstransd: 
[....] Starting periodic command scheduler: cron[?25l[?1c7[1G[[32m ok [39;49m8[?25h[?0c.
[....] Starting file context maintaining daemon: restorecond[?25l[?1c7[1G[[32m ok [39;49m8[?25h[?0c.
[....] Starting OpenBSD Secure Shell server: sshd[?25l[?1c7[1G[[32m ok [39;49m8[?25h[?0c.

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [   18.326109] audit: type=1400 audit(1517473750.615:6): avc:  denied  { map } for  pid=4136 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
Warning: Permanently added '10.128.0.18' (ECDSA) to the list of known hosts.
executing program
[   24.625174] audit: type=1400 audit(1517473756.914:7): avc:  denied  { map } for  pid=4150 comm="syzkaller752348" path="/root/syzkaller752348089" dev="sda1" ino=16481 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
[   24.631322] ==================================================================
[   24.631342] BUG: KASAN: use-after-free in __lock_acquire+0x3d4d/0x3e00
[   24.631348] Read of size 8 at addr ffff8801b63110b0 by task syzkaller752348/4150
[   24.631349] 
[   24.631357] CPU: 1 PID: 4150 Comm: syzkaller752348 Not tainted 4.15.0+ #200
[   24.631361] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   24.631363] Call Trace:
[   24.631375]  dump_stack+0x194/0x257
[   24.631383]  ? arch_local_irq_restore+0x53/0x53
[   24.631393]  ? show_regs_print_info+0x18/0x18
[   24.631398]  ? print_irqtrace_events+0x270/0x270
[   24.631405]  ? __lock_acquire+0x664/0x3e00
[   24.631412]  ? __lock_acquire+0x3d4d/0x3e00
[   24.631422]  print_address_description+0x73/0x250
[   24.631428]  ? __lock_acquire+0x3d4d/0x3e00
[   24.631435]  kasan_report+0x25b/0x340
[   24.631444]  __asan_report_load8_noabort+0x14/0x20
[   24.631449]  __lock_acquire+0x3d4d/0x3e00
[   24.631455]  ? __lock_acquire+0x664/0x3e00
[   24.631461]  ? lock_downgrade+0x980/0x980
[   24.631467]  ? lock_downgrade+0x980/0x980
[   24.631473]  ? print_irqtrace_events+0x270/0x270
[   24.631481]  ? remove_wait_queue+0x81/0x350
[   24.631491]  ? debug_check_no_locks_freed+0x3c0/0x3c0
[   24.631497]  ? __lock_acquire+0x664/0x3e00
[   24.631510]  ? debug_check_no_locks_freed+0x3c0/0x3c0
[   24.631517]  ? lock_acquire+0x1d5/0x580
[   24.631523]  ? lock_acquire+0x1d5/0x580
[   24.631529]  ? ep_free+0xf4/0x320
[   24.631537]  ? lock_release+0xa40/0xa40
[   24.631545]  ? trace_event_raw_event_sched_switch+0x800/0x800
[   24.631551]  ? print_irqtrace_events+0x270/0x270
[   24.631559]  ? rcu_note_context_switch+0x710/0x710
[   24.631567]  ? __might_sleep+0x95/0x190
[   24.631572]  ? ep_free+0xf4/0x320
[   24.631578]  ? __mutex_lock+0x16f/0x1a80
[   24.631582]  ? ep_free+0xf4/0x320
[   24.631589]  ? print_irqtrace_events+0x270/0x270
[   24.631593]  ? ep_free+0xf4/0x320
[   24.631599]  ? check_noncircular+0x20/0x20
[   24.631607]  lock_acquire+0x1d5/0x580
[   24.631613]  ? lock_acquire+0x1d5/0x580
[   24.631619]  ? remove_wait_queue+0x81/0x350
[   24.631627]  ? lock_release+0xa40/0xa40
[   24.631637]  ? lock_acquire+0x1d5/0x580
[   24.631642]  ? debug_check_no_locks_freed+0x3c0/0x3c0
[   24.631647]  ? lock_acquire+0x1d5/0x580
[   24.631653]  ? ep_unregister_pollwait.isra.7+0x323/0x590
[   24.631661]  _raw_spin_lock_irqsave+0x96/0xc0
[   24.631667]  ? remove_wait_queue+0x81/0x350
[   24.631674]  remove_wait_queue+0x81/0x350
[   24.631680]  ? depot_save_stack+0x3b5/0x490
[   24.631688]  ? add_wait_queue+0x290/0x290
[   24.631694]  ? rcutorture_record_progress+0x10/0x10
[   24.631700]  ? lock_release+0xa40/0xa40
[   24.631708]  ep_unregister_pollwait.isra.7+0x18c/0x590
[   24.631715]  ? __kernel_text_address+0xd/0x40
[   24.631722]  ? clear_tfile_check_list+0x370/0x370
[   24.631729]  ? depot_save_stack+0x3b5/0x490
[   24.631738]  ? locks_remove_file+0x3fa/0x5a0
[   24.631747]  ep_free+0x13f/0x320
[   24.631752]  ? ep_remove+0x800/0x800
[   24.631759]  ? fsnotify_first_mark+0x2b0/0x2b0
[   24.631766]  ? ep_free+0x320/0x320
[   24.631771]  ep_eventpoll_release+0x44/0x60
[   24.631778]  __fput+0x327/0x7e0
[   24.631785]  ? fput+0x140/0x140
[   24.631793]  ? _raw_spin_unlock_irq+0x27/0x70
[   24.631801]  ____fput+0x15/0x20
[   24.631806]  task_work_run+0x199/0x270
[   24.631813]  ? task_work_cancel+0x210/0x210
[   24.631819]  ? _raw_spin_unlock+0x22/0x30
[   24.631825]  ? switch_task_namespaces+0x87/0xc0
[   24.631834]  do_exit+0x9bb/0x1ad0
[   24.631842]  ? __handle_mm_fault+0x2330/0x3ce0
[   24.631850]  ? mm_update_next_owner+0x930/0x930
[   24.631858]  ? do_raw_spin_trylock+0x190/0x190
[   24.631866]  ? trace_event_raw_event_sched_switch+0x800/0x800
[   24.631874]  ? _raw_spin_unlock+0x22/0x30
[   24.631881]  ? __handle_mm_fault+0x80e/0x3ce0
[   24.631889]  ? __pmd_alloc+0x4e0/0x4e0
[   24.631894]  ? check_noncircular+0x20/0x20
[   24.631901]  ? check_noncircular+0x20/0x20
[   24.631907]  ? find_held_lock+0x35/0x1d0
[   24.631917]  ? handle_mm_fault+0x2a0/0x930
[   24.631924]  ? find_held_lock+0x35/0x1d0
[   24.631934]  ? __do_page_fault+0x5f7/0xc90
[   24.631940]  ? lock_downgrade+0x980/0x980
[   24.631950]  ? handle_mm_fault+0x476/0x930
[   24.631955]  ? down_read_trylock+0xdb/0x170
[   24.631962]  ? __handle_mm_fault+0x3ce0/0x3ce0
[   24.631967]  ? vmacache_find+0x5f/0x280
[   24.631976]  do_group_exit+0x149/0x400
[   24.631982]  ? __do_page_fault+0x3d6/0xc90
[   24.631988]  ? SyS_exit+0x30/0x30
[   24.631997]  ? do_fast_syscall_32+0x156/0xf9d
[   24.632007]  ? do_group_exit+0x400/0x400
[   24.632014]  SyS_exit_group+0x1d/0x20
[   24.632020]  do_fast_syscall_32+0x3ee/0xf9d
[   24.632028]  ? do_int80_syscall_32+0x9d0/0x9d0
[   24.632035]  ? kasan_check_read+0x11/0x20
[   24.632042]  ? syscall_return_slowpath+0x550/0x550
[   24.632055]  ? SyS_rt_sigaction+0x94/0x1b0
[   24.632062]  ? SyS_sigprocmask+0x4b0/0x4b0
[   24.632066]  ? SyS_read+0x184/0x220
[   24.632072]  ? retint_user+0x18/0x18
[   24.632080]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   24.632089]  entry_SYSENTER_compat+0x54/0x63
[   24.632094] RIP: 0023:0xf7fc1c79
[   24.632097] RSP: 002b:00000000ff8eea6c EFLAGS: 00000296 ORIG_RAX: 00000000000000fc
[   24.632104] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00000000080f0298
[   24.632108] RDX: 0000000000000000 RSI: 00000000080d9ab8 RDI: 00000000080f02a0
[   24.632111] RBP: 0000000000000001 R08: 0000000000000000 R09: 0000000000000000
[   24.632114] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
[   24.632117] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[   24.632125] 
[   24.632128] Allocated by task 4150:
[   24.632134]  save_stack+0x43/0xd0
[   24.632140]  kasan_kmalloc+0xad/0xe0
[   24.632145]  kmem_cache_alloc_trace+0x136/0x750
[   24.632154]  binder_get_thread+0x1cf/0x870
[   24.632159]  binder_poll+0x8c/0x390
[   24.632163]  ep_item_poll.isra.10+0xf2/0x320
[   24.632168]  ep_insert+0x6a2/0x1ac0
[   24.632172]  SyS_epoll_ctl+0x12bf/0x1a80
[   24.632177]  do_fast_syscall_32+0x3ee/0xf9d
[   24.632182]  entry_SYSENTER_compat+0x54/0x63
[   24.632183] 
[   24.632185] Freed by task 4150:
[   24.632190]  save_stack+0x43/0xd0
[   24.632195]  kasan_slab_free+0x71/0xc0
[   24.632199]  kfree+0xd6/0x260
[   24.632205]  binder_thread_dec_tmpref+0x27f/0x310
[   24.632210]  binder_thread_release+0x27d/0x540
[   24.632215]  binder_ioctl+0xc02/0x1417
[   24.632220]  compat_SyS_ioctl+0x151/0x2a30
[   24.632225]  do_fast_syscall_32+0x3ee/0xf9d
[   24.632229]  entry_SYSENTER_compat+0x54/0x63
[   24.632230] 
[   24.632235] The buggy address belongs to the object at ffff8801b6311000
[   24.632235]  which belongs to the cache kmalloc-512 of size 512
[   24.632239] The buggy address is located 176 bytes inside of
[   24.632239]  512-byte region [ffff8801b6311000, ffff8801b6311200)
[   24.632241] The buggy address belongs to the page:
[   24.632246] page:ffffea0006d8c440 count:1 mapcount:0 mapping:ffff8801b6311000 index:0x0
[   24.632252] flags: 0x2fffc0000000100(slab)
[   24.632261] raw: 02fffc0000000100 ffff8801b6311000 0000000000000000 0000000100000006
[   24.632268] raw: ffffea0006d12b20 ffff8801db001748 ffff8801db000940 0000000000000000
[   24.632271] page dumped because: kasan: bad access detected
[   24.632272] 
[   24.632273] Memory state around the buggy address:
[   24.632278]  ffff8801b6310f80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   24.632283]  ffff8801b6311000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   24.632287] >ffff8801b6311080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   24.632289]                                      ^
[   24.632293]  ffff8801b6311100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   24.632298]  ffff8801b6311180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   24.632299] ==================================================================
[   24.632301] Disabling lock debugging due to kernel taint
[   24.632305] Kernel panic - not syncing: panic_on_warn set ...
[   24.632305] 
[   24.632311] CPU: 1 PID: 4150 Comm: syzkaller752348 Tainted: G    B            4.15.0+ #200
[   24.632314] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   24.632315] Call Trace:
[   24.632322]  dump_stack+0x194/0x257
[   24.632329]  ? arch_local_irq_restore+0x53/0x53
[   24.632335]  ? kasan_end_report+0x32/0x50
[   24.632341]  ? lock_downgrade+0x980/0x980
[   24.632348]  ? vsnprintf+0x1ed/0x1900
[   24.632354]  ? __lock_acquire+0x3c70/0x3e00
[   24.632360]  panic+0x1e4/0x41c
[   24.632366]  ? refcount_error_report+0x214/0x214
[   24.632373]  ? add_taint+0x40/0x50
[   24.632378]  ? add_taint+0x1c/0x50
[   24.632385]  ? __lock_acquire+0x3d4d/0x3e00
[   24.632392]  kasan_end_report+0x50/0x50
[   24.632398]  kasan_report+0x144/0x340
[   24.632406]  __asan_report_load8_noabort+0x14/0x20
[   24.632412]  __lock_acquire+0x3d4d/0x3e00
[   24.632418]  ? __lock_acquire+0x664/0x3e00
[   24.632424]  ? lock_downgrade+0x980/0x980
[   24.632429]  ? lock_downgrade+0x980/0x980
[   24.632436]  ? print_irqtrace_events+0x270/0x270
[   24.632442]  ? remove_wait_queue+0x81/0x350
[   24.632451]  ? debug_check_no_locks_freed+0x3c0/0x3c0
[   24.632458]  ? __lock_acquire+0x664/0x3e00
[   24.632470]  ? debug_check_no_locks_freed+0x3c0/0x3c0
[   24.632477]  ? lock_acquire+0x1d5/0x580
[   24.632483]  ? lock_acquire+0x1d5/0x580
[   24.632487]  ? ep_free+0xf4/0x320
[   24.632496]  ? lock_release+0xa40/0xa40
[   24.632502]  ? trace_event_raw_event_sched_switch+0x800/0x800
[   24.632507]  ? print_irqtrace_events+0x270/0x270
[   24.632514]  ? rcu_note_context_switch+0x710/0x710
[   24.632522]  ? __might_sleep+0x95/0x190
[   24.632527]  ? ep_free+0xf4/0x320
[   24.632533]  ? __mutex_lock+0x16f/0x1a80
[   24.632537]  ? ep_free+0xf4/0x320
[   24.632544]  ? print_irqtrace_events+0x270/0x270
[   24.632548]  ? ep_free+0xf4/0x320
[   24.632554]  ? check_noncircular+0x20/0x20
[   24.632561]  lock_acquire+0x1d5/0x580
[   24.632567]  ? lock_acquire+0x1d5/0x580
[   24.632573]  ? remove_wait_queue+0x81/0x350
[   24.632581]  ? lock_release+0xa40/0xa40
[   24.632590]  ? lock_acquire+0x1d5/0x580
[   24.632596]  ? debug_check_no_locks_freed+0x3c0/0x3c0
[   24.632601]  ? lock_acquire+0x1d5/0x580
[   24.632607]  ? ep_unregister_pollwait.isra.7+0x323/0x590
[   24.632614]  _raw_spin_lock_irqsave+0x96/0xc0
[   24.632620]  ? remove_wait_queue+0x81/0x350
[   24.632627]  remove_wait_queue+0x81/0x350
[   24.632632]  ? depot_save_stack+0x3b5/0x490
[   24.632639]  ? add_wait_queue+0x290/0x290
[   24.632644]  ? rcutorture_record_progress+0x10/0x10
[   24.632650]  ? lock_release+0xa40/0xa40
[   24.632658]  ep_unregister_pollwait.isra.7+0x18c/0x590
[   24.632664]  ? __kernel_text_address+0xd/0x40
[   24.632671]  ? clear_tfile_check_list+0x370/0x370
[   24.632677]  ? depot_save_stack+0x3b5/0x490
[   24.632685]  ? locks_remove_file+0x3fa/0x5a0
[   24.632693]  ep_free+0x13f/0x320
[   24.632698]  ? ep_remove+0x800/0x800
[   24.632704]  ? fsnotify_first_mark+0x2b0/0x2b0
[   24.632711]  ? ep_free+0x320/0x320
[   24.632716]  ep_eventpoll_release+0x44/0x60
[   24.632722]  __fput+0x327/0x7e0
[   24.632729]  ? fput+0x140/0x140
[   24.632736]  ? _raw_spin_unlock_irq+0x27/0x70
[   24.632744]  ____fput+0x15/0x20
[   24.632749]  task_work_run+0x199/0x270
[   24.632756]  ? task_work_cancel+0x210/0x210
[   24.632762]  ? _raw_spin_unlock+0x22/0x30
[   24.632768]  ? switch_task_namespaces+0x87/0xc0
[   24.632775]  do_exit+0x9bb/0x1ad0
[   24.632782]  ? __handle_mm_fault+0x2330/0x3ce0
[   24.632790]  ? mm_update_next_owner+0x930/0x930
[   24.632798]  ? do_raw_spin_trylock+0x190/0x190
[   24.632805]  ? trace_event_raw_event_sched_switch+0x800/0x800
[   24.632813]  ? _raw_spin_unlock+0x22/0x30
[   24.632819]  ? __handle_mm_fault+0x80e/0x3ce0
[   24.632827]  ? __pmd_alloc+0x4e0/0x4e0
[   24.632832]  ? check_noncircular+0x20/0x20
[   24.632839]  ? check_noncircular+0x20/0x20
[   24.632846]  ? find_held_lock+0x35/0x1d0
[   24.632855]  ? handle_mm_fault+0x2a0/0x930
[   24.632862]  ? find_held_lock+0x35/0x1d0
[   24.632871]  ? __do_page_fault+0x5f7/0xc90
[   24.632877]  ? lock_downgrade+0x980/0x980
[   24.632887]  ? handle_mm_fault+0x476/0x930
[   24.632892]  ? down_read_trylock+0xdb/0x170
[   24.632899]  ? __handle_mm_fault+0x3ce0/0x3ce0
[   24.632904]  ? vmacache_find+0x5f/0x280
[   24.632912]  do_group_exit+0x149/0x400
[   24.632919]  ? __do_page_fault+0x3d6/0xc90
[   24.632925]  ? SyS_exit+0x30/0x30
[   24.632932]  ? do_fast_syscall_32+0x156/0xf9d
[   24.632938]  ? do_group_exit+0x400/0x400
[   24.632945]  SyS_exit_group+0x1d/0x20
[   24.632951]  do_fast_syscall_32+0x3ee/0xf9d
[   24.632959]  ? do_int80_syscall_32+0x9d0/0x9d0
[   24.632965]  ? kasan_check_read+0x11/0x20
[   24.632973]  ? syscall_return_slowpath+0x550/0x550
[   24.632979]  ? SyS_rt_sigaction+0x94/0x1b0
[   24.632986]  ? SyS_sigprocmask+0x4b0/0x4b0
[   24.632991]  ? SyS_read+0x184/0x220
[   24.632996]  ? retint_user+0x18/0x18
[   24.633005]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   24.633013]  entry_SYSENTER_compat+0x54/0x63
[   24.633016] RIP: 0023:0xf7fc1c79
[   24.633019] RSP: 002b:00000000ff8eea6c EFLAGS: 00000296 ORIG_RAX: 00000000000000fc
[   24.633025] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00000000080f0298
[   24.633028] RDX: 0000000000000000 RSI: 00000000080d9ab8 RDI: 00000000080f02a0
[   24.633031] RBP: 0000000000000001 R08: 0000000000000000 R09: 0000000000000000
[   24.633034] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
[   24.633037] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[   24.651481] Dumping ftrace buffer:
[   24.651485]    (ftrace buffer empty)
[   24.651488] Kernel Offset: disabled
[   25.906820] Rebooting in 86400 seconds..