[....] Starting enhanced syslogd: rsyslogd
[ 15.550161] audit: type=1400 audit(1520851272.389:5): avc: denied { syslog } for pid=4041 comm="rsyslogd" capability=34 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=capability2 permissive=1
[ ok ].
[....] Starting periodic command scheduler: cron [ ok ].
Starting mcstransd:
[....] Starting OpenBSD Secure Shell server: sshd [ ok ].
[....] Starting file context maintaining daemon: restorecond [ ok ].

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [ 19.084802] audit: type=1400 audit(1520851275.923:6): avc: denied { map } for pid=4180 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
Warning: Permanently added '10.128.0.32' (ECDSA) to the list of known hosts.
executing program
[ 40.143924] audit: type=1400 audit(1520851296.982:7): avc: denied { map } for pid=4198 comm="syzkaller955039" path="/root/syzkaller955039472" dev="sda1" ino=16481 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
[ 40.171754] ==================================================================
[ 40.179193] BUG: KASAN: use-after-free in ucma_close+0x2d7/0x2f0
[ 40.185316] Read of size 8 at addr ffff8801bb185500 by task syzkaller955039/4198
[ 40.192822]
[ 40.194439] CPU: 0 PID: 4198 Comm: syzkaller955039 Not tainted 4.16.0-rc5+ #351
[ 40.201859] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 40.211189] Call Trace:
[ 40.213754]  dump_stack+0x194/0x24d
[ 40.217359]  ? arch_local_irq_restore+0x53/0x53
[ 40.222624]  ? show_regs_print_info+0x18/0x18
[ 40.227097]  ? ucma_close+0x2d7/0x2f0
[ 40.230873]  print_address_description+0x73/0x250
[ 40.235690]  ? ucma_close+0x2d7/0x2f0
[ 40.239462]  kasan_report+0x23c/0x360
[ 40.243235]  __asan_report_load8_noabort+0x14/0x20
[ 40.248132]  ucma_close+0x2d7/0x2f0
[ 40.251731]  ? __might_sleep+0x95/0x190
[ 40.255675]  ? ucma_free_ctx+0xd90/0xd90
[ 40.259710]  __fput+0x327/0x7e0
[ 40.262969]  ? fput+0x140/0x140
[ 40.266220]  ? _raw_spin_unlock_irq+0x27/0x70
[ 40.270691]  ____fput+0x15/0x20
[ 40.273941]  task_work_run+0x199/0x270
[ 40.277801]  ? task_work_cancel+0x210/0x210
[ 40.282092]  ? _raw_spin_unlock+0x22/0x30
[ 40.286210]  ? switch_task_namespaces+0x87/0xc0
[ 40.290859]  do_exit+0x9bb/0x1ad0
[ 40.294291]  ? ucma_create_id+0x45b/0x620
[ 40.298414]  ? mm_update_next_owner+0x930/0x930
[ 40.303054]  ? ucma_create_id+0x17b/0x620
[ 40.307172]  ? ucma_get_event+0xa90/0xa90
[ 40.311295]  ? __might_sleep+0x95/0x190
[ 40.315244]  ? kasan_check_write+0x14/0x20
[ 40.319452]  ? _copy_from_user+0x99/0x110
[ 40.323575]  ? ucma_write+0x11f/0x3d0
[ 40.327342]  ? ucma_get_event+0xa90/0xa90
[ 40.331460]  ? ucma_resolve_route+0x1a0/0x1a0
[ 40.336057]  ? ucma_resolve_route+0x1a0/0x1a0
[ 40.340528]  ? __vfs_write+0xf7/0x970
[ 40.344302]  ? rcu_note_context_switch+0x710/0x710
[ 40.349206]  ? kernel_read+0x120/0x120
[ 40.353073]  ? __might_sleep+0x95/0x190
[ 40.357026]  ? _cond_resched+0x14/0x30
[ 40.360891]  ? __inode_security_revalidate+0xd9/0x130
[ 40.366055]  ? avc_policy_seqno+0x9/0x20
[ 40.370105]  ? security_file_permission+0x89/0x1e0
[ 40.375010]  ? rw_verify_area+0xe5/0x2b0
[ 40.379052]  ? __fdget_raw+0x20/0x20
[ 40.382744]  ? vfs_write+0x224/0x510
[ 40.386439]  do_group_exit+0x149/0x400
[ 40.390300]  ? SyS_write+0x184/0x220
[ 40.393983]  ? filp_open+0x70/0x70
[ 40.397494]  ? SyS_exit+0x30/0x30
[ 40.400919]  ? SyS_read+0x220/0x220
[ 40.404519]  ? do_syscall_64+0xb7/0x940
[ 40.408463]  ? do_group_exit+0x400/0x400
[ 40.412497]  SyS_exit_group+0x1d/0x20
[ 40.416269]  do_syscall_64+0x281/0x940
[ 40.420125]  ? __do_page_fault+0xc90/0xc90
[ 40.424331]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 40.429058]  ? syscall_return_slowpath+0x550/0x550
[ 40.433959]  ? syscall_return_slowpath+0x2ac/0x550
[ 40.438859]  ? prepare_exit_to_usermode+0x350/0x350
[ 40.443867]  ? entry_SYSCALL_64_after_hwframe+0x52/0xb7
[ 40.449205]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 40.454024]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 40.459186] RIP: 0033:0x43e918
[ 40.462345] RSP: 002b:00007ffef66ba0f8 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
[ 40.470034] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 000000000043e918
[ 40.477283] RDX: 0000000000000000 RSI: 000000000000003c RDI: 0000000000000000
[ 40.484523] RBP: 00000000004be2c0 R08: 00000000000000e7 R09: ffffffffffffffd0
[ 40.491765] R10: 00000000004002c8 R11: 0000000000000246 R12: 0000000000000001
[ 40.499010] R13: 00000000006cc160 R14: 0000000000000000 R15: 0000000000000000
[ 40.506272]
[ 40.507873] Allocated by task 4198:
[ 40.511485]  save_stack+0x43/0xd0
[ 40.514908]  kasan_kmalloc+0xad/0xe0
[ 40.518592]  kmem_cache_alloc_trace+0x136/0x740
[ 40.523232]  ucma_alloc_ctx+0xce/0x610
[ 40.527106]  ucma_create_id+0x205/0x620
[ 40.531060]  ucma_write+0x2d6/0x3d0
[ 40.534658]  __vfs_write+0xef/0x970
[ 40.538253]  vfs_write+0x189/0x510
[ 40.541762]  SyS_write+0xef/0x220
[ 40.545188]  do_syscall_64+0x281/0x940
[ 40.549046]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 40.554206]
[ 40.555804] Freed by task 4198:
[ 40.559054]  save_stack+0x43/0xd0
[ 40.562488]  __kasan_slab_free+0x11a/0x170
[ 40.566693]  kasan_slab_free+0xe/0x10
[ 40.570463]  kfree+0xd9/0x260
[ 40.573537]  ucma_create_id+0x45b/0x620
[ 40.577480]  ucma_write+0x2d6/0x3d0
[ 40.581076]  __vfs_write+0xef/0x970
[ 40.584673]  vfs_write+0x189/0x510
[ 40.588181]  SyS_write+0xef/0x220
[ 40.591601]  do_syscall_64+0x281/0x940
[ 40.595456]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 40.600613]
[ 40.602213] The buggy address belongs to the object at ffff8801bb185480
[ 40.602213]  which belongs to the cache kmalloc-256 of size 256
[ 40.614838] The buggy address is located 128 bytes inside of
[ 40.614838]  256-byte region [ffff8801bb185480, ffff8801bb185580)
[ 40.626680] The buggy address belongs to the page:
[ 40.631582] page:ffffea0006ec6140 count:1 mapcount:0 mapping:ffff8801bb1850c0 index:0xffff8801bb185e80
[ 40.640995] flags: 0x2fffc0000000100(slab)
[ 40.645201] raw: 02fffc0000000100 ffff8801bb1850c0 ffff8801bb185e80 000000010000000a
[ 40.653051] raw: ffffea0006e45c60 ffffea0006eecfe0 ffff8801dac007c0 0000000000000000
[ 40.660899] page dumped because: kasan: bad access detected
[ 40.666577]
[ 40.668175] Memory state around the buggy address:
[ 40.673083]  ffff8801bb185400: 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc fc
[ 40.680409]  ffff8801bb185480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 40.687736] >ffff8801bb185500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 40.695073]                    ^
[ 40.698406]  ffff8801bb185580: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
[ 40.705733]  ffff8801bb185600: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 40.713059] ==================================================================
[ 40.720387] Disabling lock debugging due to kernel taint
[ 40.725908] Kernel panic - not syncing: panic_on_warn set ...
[ 40.725908]
[ 40.733245] CPU: 0 PID: 4198 Comm: syzkaller955039 Tainted: G B 4.16.0-rc5+ #351
[ 40.741966] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 40.751290] Call Trace:
[ 40.753854]  dump_stack+0x194/0x24d
[ 40.757455]  ? arch_local_irq_restore+0x53/0x53
[ 40.762096]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 40.766823]  ? vsnprintf+0x1ed/0x1900
[ 40.770594]  ? ucma_close+0x240/0x2f0
[ 40.774365]  panic+0x1e4/0x41c
[ 40.777528]  ? refcount_error_report+0x214/0x214
[ 40.782255]  ? add_taint+0x1c/0x50
[ 40.785779]  ? add_taint+0x1c/0x50
[ 40.789291]  ? ucma_close+0x2d7/0x2f0
[ 40.793061]  kasan_end_report+0x50/0x50
[ 40.797022]  kasan_report+0x149/0x360
[ 40.800795]  __asan_report_load8_noabort+0x14/0x20
[ 40.805694]  ucma_close+0x2d7/0x2f0
[ 40.809293]  ? __might_sleep+0x95/0x190
[ 40.813240]  ? ucma_free_ctx+0xd90/0xd90
[ 40.817282]  __fput+0x327/0x7e0
[ 40.820533]  ? fput+0x140/0x140
[ 40.823783]  ? _raw_spin_unlock_irq+0x27/0x70
[ 40.828266]  ____fput+0x15/0x20
[ 40.831516]  task_work_run+0x199/0x270
[ 40.835376]  ? task_work_cancel+0x210/0x210
[ 40.839667]  ? _raw_spin_unlock+0x22/0x30
[ 40.843787]  ? switch_task_namespaces+0x87/0xc0
[ 40.848427]  do_exit+0x9bb/0x1ad0
[ 40.851938]  ? ucma_create_id+0x45b/0x620
[ 40.856060]  ? mm_update_next_owner+0x930/0x930
[ 40.860699]  ? ucma_create_id+0x17b/0x620
[ 40.864817]  ? ucma_get_event+0xa90/0xa90
[ 40.868942]  ? __might_sleep+0x95/0x190
[ 40.872888]  ? kasan_check_write+0x14/0x20
[ 40.877096]  ? _copy_from_user+0x99/0x110
[ 40.881213]  ? ucma_write+0x11f/0x3d0
[ 40.884983]  ? ucma_get_event+0xa90/0xa90
[ 40.889104]  ? ucma_resolve_route+0x1a0/0x1a0
[ 40.893583]  ? ucma_resolve_route+0x1a0/0x1a0
[ 40.898049]  ? __vfs_write+0xf7/0x970
[ 40.901823]  ? rcu_note_context_switch+0x710/0x710
[ 40.906725]  ? kernel_read+0x120/0x120
[ 40.910583]  ? __might_sleep+0x95/0x190
[ 40.914531]  ? _cond_resched+0x14/0x30
[ 40.918390]  ? __inode_security_revalidate+0xd9/0x130
[ 40.923551]  ? avc_policy_seqno+0x9/0x20
[ 40.927586]  ? security_file_permission+0x89/0x1e0
[ 40.932488]  ? rw_verify_area+0xe5/0x2b0
[ 40.936519]  ? __fdget_raw+0x20/0x20
[ 40.940205]  ? vfs_write+0x224/0x510
[ 40.943893]  do_group_exit+0x149/0x400
[ 40.947755]  ? SyS_write+0x184/0x220
[ 40.951437]  ? filp_open+0x70/0x70
[ 40.954948]  ? SyS_exit+0x30/0x30
[ 40.958370]  ? SyS_read+0x220/0x220
[ 40.961971]  ? do_syscall_64+0xb7/0x940
[ 40.965914]  ? do_group_exit+0x400/0x400
[ 40.969959]  SyS_exit_group+0x1d/0x20
[ 40.973732]  do_syscall_64+0x281/0x940
[ 40.977603]  ? __do_page_fault+0xc90/0xc90
[ 40.981810]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 40.986547]  ? syscall_return_slowpath+0x550/0x550
[ 40.991459]  ? syscall_return_slowpath+0x2ac/0x550
[ 40.996361]  ? prepare_exit_to_usermode+0x350/0x350
[ 41.001350]  ? entry_SYSCALL_64_after_hwframe+0x52/0xb7
[ 41.006685]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 41.011502]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 41.016663] RIP: 0033:0x43e918
[ 41.019824] RSP: 002b:00007ffef66ba0f8 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
[ 41.027502] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 000000000043e918
[ 41.034744] RDX: 0000000000000000 RSI: 000000000000003c RDI: 0000000000000000
[ 41.041986] RBP: 00000000004be2c0 R08: 00000000000000e7 R09: ffffffffffffffd0
[ 41.049234] R10: 00000000004002c8 R11: 0000000000000246 R12: 0000000000000001
[ 41.056472] R13: 00000000006cc160 R14: 0000000000000000 R15: 0000000000000000
[ 41.064118] Dumping ftrace buffer:
[ 41.067633]    (ftrace buffer empty)
[ 41.071316] Kernel Offset: disabled
[ 41.074913] Rebooting in 86400 seconds..