[....] Starting enhanced syslogd: rsyslogd[   12.453051] audit: type=1400 audit(1512830379.704:5): avc:  denied  { syslog } for  pid=2995 comm="rsyslogd" capability=34  scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=capability2 permissive=1
[?25l[?1c7[1G[[32m ok [39;49m8[?25h[?0c.
Starting mcstransd: 
[....] Starting file context maintaining daemon: restorecond[?25l[?1c7[1G[[32m ok [39;49m8[?25h[?0c.
[....] Starting periodic command scheduler: cron[?25l[?1c7[1G[[32m ok [39;49m8[?25h[?0c.
[....] Starting OpenBSD Secure Shell server: sshd[?25l[?1c7[1G[[32m ok [39;49m8[?25h[?0c.

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [   22.252825] audit: type=1400 audit(1512830389.504:6): avc:  denied  { map } for  pid=3137 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
Warning: Permanently added 'ci-upstream-net-kasan-gce-6,10.128.0.47' (ECDSA) to the list of known hosts.
executing program
[   28.524073] audit: type=1400 audit(1512830395.775:7): avc:  denied  { map } for  pid=3151 comm="syzkaller731875" path="/root/syzkaller731875863" dev="sda1" ino=16481 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
[   28.528751] ==================================================================
[   28.528766] BUG: KASAN: use-after-free in aead_recvmsg+0x1758/0x1bc0
[   28.528771] Read of size 4 at addr ffff8801c535b31c by task syzkaller731875/3151
[   28.528774] 
[   28.528780] CPU: 1 PID: 3151 Comm: syzkaller731875 Not tainted 4.15.0-rc2+ #147
[   28.528784] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   28.528787] Call Trace:
[   28.528795]  dump_stack+0x194/0x257
[   28.528804]  ? arch_local_irq_restore+0x53/0x53
[   28.528812]  ? show_regs_print_info+0x65/0x65
[   28.528822]  ? af_alg_make_sg+0x510/0x510
[   28.528828]  ? aead_recvmsg+0x1758/0x1bc0
[   28.528838]  print_address_description+0x73/0x250
[   28.528845]  ? aead_recvmsg+0x1758/0x1bc0
[   28.528852]  kasan_report+0x25b/0x340
[   28.528863]  __asan_report_load4_noabort+0x14/0x20
[   28.528868]  aead_recvmsg+0x1758/0x1bc0
[   28.528893]  ? aead_release+0x50/0x50
[   28.528904]  ? selinux_socket_recvmsg+0x36/0x40
[   28.528911]  ? security_socket_recvmsg+0x91/0xc0
[   28.528920]  ? aead_release+0x50/0x50
[   28.528928]  sock_recvmsg+0xc9/0x110
[   28.528934]  ? __sock_recv_wifi_status+0x210/0x210
[   28.528943]  ___sys_recvmsg+0x29b/0x630
[   28.528958]  ? ___sys_sendmsg+0x8a0/0x8a0
[   28.528984]  ? __handle_mm_fault+0x3e20/0x3e20
[   28.528990]  ? vmacache_find+0x5f/0x280
[   28.529008]  ? up_read+0x1a/0x40
[   28.529016]  ? __do_page_fault+0x3d6/0xc90
[   28.529022]  ? task_work_run+0x1f4/0x270
[   28.529041]  ? __fdget+0x18/0x20
[   28.529056]  __sys_recvmsg+0xe2/0x210
[   28.529061]  ? __sys_recvmsg+0xe2/0x210
[   28.529069]  ? SyS_sendmmsg+0x60/0x60
[   28.529077]  ? __do_page_fault+0xc90/0xc90
[   28.529103]  ? trace_hardirqs_on_caller+0x421/0x5c0
[   28.529115]  SyS_recvmsg+0x2d/0x50
[   28.529125]  entry_SYSCALL_64_fastpath+0x1f/0x96
[   28.529130] RIP: 0033:0x440009
[   28.529134] RSP: 002b:00007ffdafbd3c58 EFLAGS: 00000286 ORIG_RAX: 000000000000002f
[   28.529141] RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 0000000000440009
[   28.529145] RDX: 0000000000002021 RSI: 0000000020b2dfc8 RDI: 0000000000000004
[   28.529149] RBP: 00000000006ca018 R08: 0000000000000000 R09: 0000000000000000
[   28.529152] R10: 0000000000000000 R11: 0000000000000286 R12: 0000000000401970
[   28.529156] R13: 0000000000401a00 R14: 0000000000000000 R15: 0000000000000000
[   28.529179] 
[   28.529182] Allocated by task 3151:
[   28.529188]  save_stack+0x43/0xd0
[   28.529192]  kasan_kmalloc+0xad/0xe0
[   28.529199]  __kmalloc+0x162/0x760
[   28.529205]  crypto_create_tfm+0x82/0x2e0
[   28.529210]  crypto_alloc_tfm+0x10e/0x2f0
[   28.529216]  crypto_alloc_skcipher+0x2c/0x40
[   28.529223]  crypto_get_default_null_skcipher+0x5f/0x80
[   28.529227]  aead_bind+0x89/0x140
[   28.529231]  alg_bind+0x1ab/0x440
[   28.529236]  SYSC_bind+0x1b4/0x3f0
[   28.529241]  SyS_bind+0x24/0x30
[   28.529245]  entry_SYSCALL_64_fastpath+0x1f/0x96
[   28.529248] 
[   28.529251] Freed by task 3151:
[   28.529255]  save_stack+0x43/0xd0
[   28.529259]  kasan_slab_free+0x71/0xc0
[   28.529264]  kfree+0xca/0x250
[   28.529269]  kzfree+0x28/0x30
[   28.529274]  crypto_destroy_tfm+0x140/0x2e0
[   28.529279]  crypto_put_default_null_skcipher+0x35/0x60
[   28.529284]  aead_sock_destruct+0x13c/0x220
[   28.529289]  __sk_destruct+0xfd/0x910
[   28.529294]  sk_destruct+0x47/0x80
[   28.529298]  __sk_free+0x57/0x230
[   28.529302]  sk_free+0x2a/0x40
[   28.529306]  af_alg_release+0x5d/0x70
[   28.529311]  sock_release+0x8d/0x1e0
[   28.529315]  sock_close+0x16/0x20
[   28.529321]  __fput+0x333/0x7f0
[   28.529325]  ____fput+0x15/0x20
[   28.529330]  task_work_run+0x199/0x270
[   28.529336]  exit_to_usermode_loop+0x296/0x310
[   28.529341]  syscall_return_slowpath+0x490/0x550
[   28.529346]  entry_SYSCALL_64_fastpath+0x94/0x96
[   28.529348] 
[   28.529352] The buggy address belongs to the object at ffff8801c535b300
[   28.529352]  which belongs to the cache kmalloc-128 of size 128
[   28.529357] The buggy address is located 28 bytes inside of
[   28.529357]  128-byte region [ffff8801c535b300, ffff8801c535b380)
[   28.529360] The buggy address belongs to the page:
[   28.529365] page:00000000f9c0935e count:1 mapcount:0 mapping:000000007ed35bfb index:0x0
[   28.529373] flags: 0x2fffc0000000100(slab)
[   28.529383] raw: 02fffc0000000100 ffff8801c535b000 0000000000000000 0000000100000015
[   28.529389] raw: ffffea0007122620 ffffea00071108a0 ffff8801db000640 0000000000000000
[   28.529392] page dumped because: kasan: bad access detected
[   28.529395] 
[   28.529397] Memory state around the buggy address:
[   28.529402]  ffff8801c535b200: fc fc fc fc fc fc fc fc 00 00 00 00 00 00 00 00
[   28.529406]  ffff8801c535b280: 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc
[   28.529410] >ffff8801c535b300: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   28.529413]                             ^
[   28.529417]  ffff8801c535b380: fc fc fc fc fc fc fc fc 00 00 00 00 00 00 00 00
[   28.529422]  ffff8801c535b400: 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc
[   28.529424] ==================================================================
[   28.529426] Disabling lock debugging due to kernel taint
[   28.529439] Kernel panic - not syncing: panic_on_warn set ...
[   28.529439] 
[   28.529443] CPU: 1 PID: 3151 Comm: syzkaller731875 Tainted: G    B            4.15.0-rc2+ #147
[   28.529445] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   28.529446] Call Trace:
[   28.529450]  dump_stack+0x194/0x257
[   28.529455]  ? arch_local_irq_restore+0x53/0x53
[   28.529460]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[   28.529465]  ? vsnprintf+0x1ed/0x1900
[   28.529470]  ? aead_recvmsg+0x1700/0x1bc0
[   28.529475]  panic+0x1e4/0x41c
[   28.529478]  ? refcount_error_report+0x214/0x214
[   28.529484]  ? add_taint+0x1c/0x50
[   28.529488]  ? add_taint+0x1c/0x50
[   28.529493]  ? aead_recvmsg+0x1758/0x1bc0
[   28.529497]  kasan_end_report+0x50/0x50
[   28.529501]  kasan_report+0x144/0x340
[   28.529507]  __asan_report_load4_noabort+0x14/0x20
[   28.529511]  aead_recvmsg+0x1758/0x1bc0
[   28.529523]  ? aead_release+0x50/0x50
[   28.529529]  ? selinux_socket_recvmsg+0x36/0x40
[   28.529533]  ? security_socket_recvmsg+0x91/0xc0
[   28.529538]  ? aead_release+0x50/0x50
[   28.529542]  sock_recvmsg+0xc9/0x110
[   28.529546]  ? __sock_recv_wifi_status+0x210/0x210
[   28.529551]  ___sys_recvmsg+0x29b/0x630
[   28.529560]  ? ___sys_sendmsg+0x8a0/0x8a0
[   28.529573]  ? __handle_mm_fault+0x3e20/0x3e20
[   28.529577]  ? vmacache_find+0x5f/0x280
[   28.529587]  ? up_read+0x1a/0x40
[   28.529592]  ? __do_page_fault+0x3d6/0xc90
[   28.529595]  ? task_work_run+0x1f4/0x270
[   28.529603]  ? __fdget+0x18/0x20
[   28.529609]  __sys_recvmsg+0xe2/0x210
[   28.529613]  ? __sys_recvmsg+0xe2/0x210
[   28.529618]  ? SyS_sendmmsg+0x60/0x60
[   28.529623]  ? __do_page_fault+0xc90/0xc90
[   28.529636]  ? trace_hardirqs_on_caller+0x421/0x5c0
[   28.529643]  SyS_recvmsg+0x2d/0x50
[   28.529647]  entry_SYSCALL_64_fastpath+0x1f/0x96
[   28.529650] RIP: 0033:0x440009
[   28.529652] RSP: 002b:00007ffdafbd3c58 EFLAGS: 00000286 ORIG_RAX: 000000000000002f
[   28.529656] RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 0000000000440009
[   28.529658] RDX: 0000000000002021 RSI: 0000000020b2dfc8 RDI: 0000000000000004
[   28.529660] RBP: 00000000006ca018 R08: 0000000000000000 R09: 0000000000000000
[   28.529662] R10: 0000000000000000 R11: 0000000000000286 R12: 0000000000401970
[   28.529664] R13: 0000000000401a00 R14: 0000000000000000 R15: 0000000000000000
[   28.550276] Dumping ftrace buffer:
[   28.550280]    (ftrace buffer empty)
[   28.550282] Kernel Offset: disabled
[   29.253500] Rebooting in 86400 seconds..