[....] Starting enhanced syslogd: rsyslogd[   11.192638] audit: type=1400 audit(1514959285.691:5): avc:  denied  { syslog } for  pid=3313 comm="rsyslogd" capability=34  scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=capability2 permissive=1
[?25l[?1c7[1G[[32m ok [39;49m8[?25h[?0c.
Starting mcstransd: 
[....] Starting periodic command scheduler: cron[?25l[?1c7[1G[[32m ok [39;49m8[?25h[?0c.
[....] Starting file context maintaining daemon: restorecond[?25l[?1c7[1G[[32m ok [39;49m8[?25h[?0c.
[....] Starting OpenBSD Secure Shell server: sshd[?25l[?1c7[1G[[32m ok [39;49m8[?25h[?0c.

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [   17.977810] audit: type=1400 audit(1514959292.476:6): avc:  denied  { map } for  pid=3452 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
Warning: Permanently added '10.128.15.203' (ECDSA) to the list of known hosts.
net.ipv6.conf.syz1.accept_dad = 0
net.ipv6.conf.syz6.accept_dad = 0
net.ipv6.conf.syz5.accept_dad = 0
[  151.995341] audit: type=1400 audit(1514959426.493:7): avc:  denied  { map } for  pid=3469 comm="syzkaller982660" path="/root/syzkaller982660815" dev="sda1" ino=16481 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
net.ipv6.conf.syz2.accept_dad = 0
net.ipv6.conf.syz7.accept_dad = 0
net.ipv6.conf.syz3.accept_dad = 0
net.ipv6.conf.syz4.accept_dad = 0
net.ipv6.conf.syz0.accept_dad = 0
net.ipv6.conf.syz1.router_solicitations = 0
net.ipv6.conf.syz5.router_solicitations = 0
net.ipv6.conf.syz6.router_solicitations = 0
net.ipv6.conf.syz2.router_solicitations = 0
net.ipv6.conf.syz7.router_solicitations = 0
net.ipv6.conf.syz3.router_solicitations = 0
net.ipv6.conf.syz0.router_solicitations = 0
net.ipv6.conf.syz4.router_solicitations = 0
[  152.467139] audit: type=1400 audit(1514959426.962:8): avc:  denied  { sys_admin } for  pid=3476 comm="syzkaller982660" capability=21  scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=cap_userns permissive=1
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
[  152.575661] audit: type=1400 audit(1514959427.074:9): avc:  denied  { sys_chroot } for  pid=3654 comm="syzkaller982660" capability=18  scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=cap_userns permissive=1
[  152.630863] ==================================================================
[  152.638248] BUG: KASAN: use-after-free in __lock_acquire+0x3c41/0x3cf0
[  152.644887] Read of size 8 at addr ffff8801c7b826d0 by task syzkaller982660/3781
[  152.652387] 
[  152.653983] CPU: 0 PID: 3781 Comm: syzkaller982660 Not tainted 4.15.0-rc6-mm1+ #50
[  152.661651] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[  152.670980] Call Trace:
[  152.673536]  dump_stack+0x137/0x198
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
[  152.677127]  ? __lock_acquire+0x3c41/0x3cf0
[  152.681416]  print_address_description+0x73/0x250
[  152.686224]  ? __lock_acquire+0x3c41/0x3cf0
[  152.690511]  kasan_report+0x23b/0x360
[  152.694280]  __asan_report_load8_noabort+0x14/0x20
[  152.699176]  __lock_acquire+0x3c41/0x3cf0
[  152.703292]  ? trace_hardirqs_on_caller+0x421/0x5c0
[  152.708274]  ? trace_hardirqs_on+0xd/0x10
[  152.712394]  ? trace_hardirqs_on+0xd/0x10
[  152.716507]  ? shmem_fault+0x503/0x710
[  152.720365]  ? debug_check_no_locks_freed+0x3c0/0x3c0
[  152.725521]  ? __free_pages+0x4f/0x80
executing program
executing program
executing program
executing program
executing program
[  152.729300]  ? put_task_stack+0x116/0x270
[  152.733415]  ? finish_task_switch+0x42f/0x5c0
[  152.737880]  ? __schedule+0x858/0x1e10
[  152.741735]  lock_acquire+0x16b/0x420
[  152.745501]  ? lock_acquire+0x16b/0x420
[  152.749440]  ? shmem_fault+0x503/0x710
[  152.753293]  _raw_spin_lock+0x2a/0x40
[  152.757059]  ? shmem_fault+0x503/0x710
[  152.760914]  shmem_fault+0x503/0x710
[  152.764595]  ? shmem_read_mapping_page_gfp+0x160/0x160
[  152.769838]  ? bpf_prog_kallsyms_find+0x39/0x270
[  152.774558]  ? shmem_file_setup_with_mnt+0x70/0x70
executing program
executing program
executing program
executing program
executing program
[  152.779456]  __do_fault+0x8a/0x1d0
[  152.782962]  __handle_mm_fault+0x1b1f/0x3210
[  152.787336]  ? __pmd_alloc+0x4e0/0x4e0
[  152.791198]  ? find_held_lock+0x35/0x1e0
[  152.795229]  handle_mm_fault+0x305/0x840
[  152.799259]  __do_page_fault+0x59e/0xca0
[  152.803286]  ? mm_fault_error+0x2c0/0x2c0
[  152.807399]  do_page_fault+0x78/0x490
[  152.811166]  page_fault+0x2c/0x60
[  152.814584] RIP: 0010:__clear_user+0x42/0x70
[  152.818955] RSP: 0000:ffff8801d96a7bc8 EFLAGS: 00010202
[  152.824280] RAX: 0000000000000000 RBX: 0000000000000008 RCX: 0000000000000008
executing program
executing program
executing program
executing program
executing program
[  152.831515] RDX: 0000000000000000 RSI: 0000000000000008 RDI: 000000002098ce40
[  152.838750] RBP: ffff8801d96a7bd8 R08: 0000000000000000 R09: 0000000000000000
[  152.845984] R10: ffff8801d96a7b18 R11: 0000000000000001 R12: 000000002098ce40
[  152.853219] R13: ffff8801d7126700 R14: 000000002098cc40 R15: 00007ffffffff000
[  152.860459]  ? __clear_user+0x23/0x70
[  152.864224]  copy_fpstate_to_sigframe+0x196/0x470
[  152.869037]  get_sigframe.isra.11.constprop.12+0x52f/0x8b0
[  152.874626]  ? restore_sigcontext+0x780/0x780
executing program
executing program
executing program
executing program
[  152.879095]  ? get_signal+0xc35/0x1460
[  152.882951]  do_signal+0x3a4/0x1980
[  152.886546]  ? bad_area+0x53/0x80
[  152.889975]  ? setup_sigcontext+0x7d0/0x7d0
[  152.894261]  ? __bad_area_nosemaphore+0x1f4/0x3e0
[  152.899072]  ? __do_page_fault+0x3c3/0xca0
[  152.903286]  ? exit_to_usermode_loop+0x3f/0x210
[  152.907919]  exit_to_usermode_loop+0x1aa/0x210
[  152.913602]  prepare_exit_to_usermode+0x22f/0x280
[  152.918412]  ? page_fault+0x36/0x60
[  152.922003]  retint_user+0x8/0x18
[  152.925417] RIP: 0033:          (null)
executing program
executing program
executing program
executing program
executing program
[  152.929265] RSP: 002b:000000002098d008 EFLAGS: 00010217
[  152.934590] RAX: 0000000000000000 RBX: 00000000006f0024 RCX: 000000000044ad09
[  152.941823] RDX: 0000000020651000 RSI: 000000002098d000 RDI: 00000000000001fe
[  152.949058] RBP: 00000000006f0020 R08: 000000002095c000 R09: 0000000000000000
[  152.956294] R10: 0000000020c6f000 R11: 0000000000000246 R12: 0000000000000000
[  152.963528] R13: 00000000007ffe5f R14: 00007f4c6a1ac9c0 R15: 0000000000000003
[  152.970764] 
[  152.972354] Allocated by task 3721:
[  152.975948]  save_stack+0x43/0xd0
executing program
executing program
executing program
executing program
executing program
[  152.979362]  kasan_kmalloc+0xad/0xe0
[  152.983038]  kasan_slab_alloc+0x12/0x20
[  152.986972]  kmem_cache_alloc+0x12e/0x760
[  152.991084]  shmem_alloc_inode+0x1b/0x40
[  152.995107]  alloc_inode+0x65/0x180
[  152.998697]  new_inode_pseudo+0x17/0xe0
[  153.002646]  new_inode+0x1c/0x40
[  153.005974]  shmem_get_inode+0x71/0x760
[  153.009910]  __shmem_file_setup.part.44+0x33f/0x420
[  153.014894]  shmem_zero_setup+0xd9/0x3e0
[  153.018921]  mmap_region+0xdb8/0x1010
[  153.022686]  do_mmap+0x623/0xda0
[  153.026015]  vm_mmap_pgoff+0x19c/0x1f0
executing program
executing program
executing program
executing program
executing program
[  153.029865]  SyS_mmap_pgoff+0x1fc/0x580
[  153.033803]  SyS_mmap+0x16/0x20
[  153.037044]  entry_SYSCALL_64_fastpath+0x23/0x9a
[  153.041760] 
[  153.043349] Freed by task 3721:
[  153.047052]  save_stack+0x43/0xd0
[  153.050466]  __kasan_slab_free+0x11a/0x170
[  153.054665]  kasan_slab_free+0xe/0x10
[  153.058428]  kmem_cache_free+0x86/0x2b0
[  153.062367]  shmem_destroy_callback+0x5a/0xa0
[  153.066827]  rcu_process_callbacks+0x5cf/0x1200
[  153.071458]  __do_softirq+0x23f/0x99f
[  153.075218] 
executing program
executing program
executing program
executing program
executing program
[  153.076812] The buggy address belongs to the object at ffff8801c7b82530
[  153.076812]  which belongs to the cache shmem_inode_cache of size 1200
[  153.090040] The buggy address is located 416 bytes inside of
[  153.090040]  1200-byte region [ffff8801c7b82530, ffff8801c7b829e0)
[  153.101968] The buggy address belongs to the page:
[  153.106864] page:ffffea00071ee080 count:1 mapcount:0 mapping:ffff8801c7b82000 index:0xffff8801c7b82ffd
[  153.116272] flags: 0x2fffc0000000100(slab)
[  153.120476] raw: 02fffc0000000100 ffff8801c7b82000 ffff8801c7b82ffd 0000000100000003
executing program
executing program
executing program
executing program
[  153.128320] raw: ffffea00071edd20 ffffea0006fb86e0 ffff8801da2a44c0 0000000000000000
[  153.136160] page dumped because: kasan: bad access detected
[  153.141831] 
[  153.143426] Memory state around the buggy address:
[  153.148317]  ffff8801c7b82580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[  153.155637]  ffff8801c7b82600: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[  153.162958] >ffff8801c7b82680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[  153.170276]                                                  ^
[  153.176210]  ffff8801c7b82700: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
executing program
executing program
executing program
executing program
executing program
[  153.183533]  ffff8801c7b82780: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[  153.190853] ==================================================================
[  153.198172] Disabling lock debugging due to kernel taint
[  153.203583] Kernel panic - not syncing: panic_on_warn set ...
[  153.203583] 
[  153.210907] CPU: 0 PID: 3781 Comm: syzkaller982660 Tainted: G    B            4.15.0-rc6-mm1+ #50
[  153.219878] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[  153.229198] Call Trace:
executing program
executing program
executing program
executing program
executing program
[  153.231752]  dump_stack+0x137/0x198
[  153.235346]  ? __lock_acquire+0x3bc0/0x3cf0
[  153.239634]  panic+0x1e4/0x41c
[  153.242791]  ? refcount_error_report+0x214/0x214
[  153.247511]  ? add_taint+0x40/0x50
[  153.251014]  ? add_taint+0x1c/0x50
[  153.254517]  ? __lock_acquire+0x3c41/0x3cf0
[  153.258803]  kasan_end_report+0x50/0x50
[  153.262742]  kasan_report+0x148/0x360
[  153.266506]  __asan_report_load8_noabort+0x14/0x20
[  153.271398]  __lock_acquire+0x3c41/0x3cf0
[  153.275511]  ? trace_hardirqs_on_caller+0x421/0x5c0
executing program
executing program
executing program
executing program
executing program
[  153.280493]  ? trace_hardirqs_on+0xd/0x10
[  153.284605]  ? trace_hardirqs_on+0xd/0x10
[  153.288717]  ? shmem_fault+0x503/0x710
[  153.292570]  ? debug_check_no_locks_freed+0x3c0/0x3c0
[  153.297725]  ? __free_pages+0x4f/0x80
[  153.301489]  ? put_task_stack+0x116/0x270
[  153.305602]  ? finish_task_switch+0x42f/0x5c0
[  153.310061]  ? __schedule+0x858/0x1e10
[  153.313914]  lock_acquire+0x16b/0x420
[  153.317678]  ? lock_acquire+0x16b/0x420
[  153.321624]  ? shmem_fault+0x503/0x710
[  153.325478]  _raw_spin_lock+0x2a/0x40
[  153.329243]  ? shmem_fault+0x503/0x710
executing program
executing program
executing program
executing program
executing program
[  153.333098]  shmem_fault+0x503/0x710
[  153.336781]  ? shmem_read_mapping_page_gfp+0x160/0x160
[  153.342022]  ? bpf_prog_kallsyms_find+0x39/0x270
[  153.346745]  ? shmem_file_setup_with_mnt+0x70/0x70
[  153.351641]  __do_fault+0x8a/0x1d0
[  153.355148]  __handle_mm_fault+0x1b1f/0x3210
[  153.359520]  ? __pmd_alloc+0x4e0/0x4e0
[  153.363371]  ? find_held_lock+0x35/0x1e0
[  153.367398]  handle_mm_fault+0x305/0x840
[  153.371428]  __do_page_fault+0x59e/0xca0
[  153.375463]  ? mm_fault_error+0x2c0/0x2c0
[  153.379577]  do_page_fault+0x78/0x490
executing program
executing program
executing program
executing program
executing program
[  153.383345]  page_fault+0x2c/0x60
[  153.386765] RIP: 0010:__clear_user+0x42/0x70
[  153.391136] RSP: 0000:ffff8801d96a7bc8 EFLAGS: 00010202
[  153.396469] RAX: 0000000000000000 RBX: 0000000000000008 RCX: 0000000000000008
[  153.403711] RDX: 0000000000000000 RSI: 0000000000000008 RDI: 000000002098ce40
[  153.410945] RBP: ffff8801d96a7bd8 R08: 0000000000000000 R09: 0000000000000000
[  153.418180] R10: ffff8801d96a7b18 R11: 0000000000000001 R12: 000000002098ce40
[  153.425416] R13: ffff8801d7126700 R14: 000000002098cc40 R15: 00007ffffffff000
executing program
executing program
executing program
executing program
executing program
[  153.432665]  ? __clear_user+0x23/0x70
[  153.436433]  copy_fpstate_to_sigframe+0x196/0x470
[  153.441245]  get_sigframe.isra.11.constprop.12+0x52f/0x8b0
[  153.446835]  ? restore_sigcontext+0x780/0x780
[  153.451296]  ? get_signal+0xc35/0x1460
[  153.455151]  do_signal+0x3a4/0x1980
[  153.458743]  ? bad_area+0x53/0x80
[  153.462167]  ? setup_sigcontext+0x7d0/0x7d0
[  153.466453]  ? __bad_area_nosemaphore+0x1f4/0x3e0
[  153.471269]  ? __do_page_fault+0x3c3/0xca0
[  153.475469]  ? exit_to_usermode_loop+0x3f/0x210
[  153.480103]  exit_to_usermode_loop+0x1aa/0x210
executing program
executing program
executing program
executing program
[  153.484649]  prepare_exit_to_usermode+0x22f/0x280
[  153.489456]  ? page_fault+0x36/0x60
[  153.493048]  retint_user+0x8/0x18
[  153.496465] RIP: 0033:          (null)
[  153.500312] RSP: 002b:000000002098d008 EFLAGS: 00010217
[  153.505642] RAX: 0000000000000000 RBX: 00000000006f0024 RCX: 000000000044ad09
[  153.512883] RDX: 0000000020651000 RSI: 000000002098d000 RDI: 00000000000001fe
[  153.520310] RBP: 00000000006f0020 R08: 000000002095c000 R09: 0000000000000000
[  153.527546] R10: 0000000020c6f000 R11: 0000000000000246 R12: 0000000000000000
executing program
[  153.534781] R13: 00000000007ffe5f R14: 00007f4c6a1ac9c0 R15: 0000000000000003
[  153.542378] Dumping ftrace buffer:
[  153.545881]    (ftrace buffer empty)
[  153.549556] Kernel Offset: disabled
[  153.553148] Rebooting in 86400 seconds..