[....] Starting enhanced syslogd: rsyslogd[   13.179056] audit: type=1400 audit(1515899509.371:5): avc:  denied  { syslog } for  pid=3501 comm="rsyslogd" capability=34  scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=capability2 permissive=1
[?25l[?1c7[1G[[32m ok [39;49m8[?25h[?0c.
[....] Starting periodic command scheduler: cron[?25l[?1c7[1G[[32m ok [39;49m8[?25h[?0c.
Starting mcstransd: 
[....] Starting OpenBSD Secure Shell server: sshd[?25l[?1c7[1G[[32m ok [39;49m8[?25h[?0c.
[....] Starting file context maintaining daemon: restorecond[?25l[?1c7[1G[[32m ok [39;49m8[?25h[?0c.

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [   19.292116] audit: type=1400 audit(1515899515.484:6): avc:  denied  { map } for  pid=3641 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
Warning: Permanently added '10.128.0.48' (ECDSA) to the list of known hosts.
executing program
[   25.529403] audit: type=1400 audit(1515899521.722:7): avc:  denied  { map } for  pid=3657 comm="syzkaller476765" path="/root/syzkaller476765672" dev="sda1" ino=16481 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
[   25.536093] ==================================================================
[   25.536111] BUG: KASAN: use-after-free in __lock_acquire+0x3d4d/0x3e00
[   25.536116] Read of size 8 at addr ffff8801bcd3f0f0 by task syzkaller476765/3657
[   25.536117] 
[   25.536125] CPU: 1 PID: 3657 Comm: syzkaller476765 Not tainted 4.15.0-rc7+ #261
[   25.536128] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   25.536131] Call Trace:
[   25.536142]  dump_stack+0x194/0x257
[   25.536151]  ? arch_local_irq_restore+0x53/0x53
[   25.536159]  ? show_regs_print_info+0x18/0x18
[   25.536165]  ? print_irqtrace_events+0x270/0x270
[   25.536172]  ? __lock_acquire+0x664/0x3e00
[   25.536178]  ? __lock_acquire+0x3d4d/0x3e00
[   25.536187]  print_address_description+0x73/0x250
[   25.536194]  ? __lock_acquire+0x3d4d/0x3e00
[   25.536200]  kasan_report+0x25b/0x340
[   25.536208]  __asan_report_load8_noabort+0x14/0x20
[   25.536213]  __lock_acquire+0x3d4d/0x3e00
[   25.536219]  ? __lock_acquire+0x664/0x3e00
[   25.536225]  ? lock_downgrade+0x980/0x980
[   25.536230]  ? lock_downgrade+0x980/0x980
[   25.536241]  ? remove_wait_queue+0x81/0x350
[   25.536250]  ? debug_check_no_locks_freed+0x3c0/0x3c0
[   25.536257]  ? __lock_acquire+0x664/0x3e00
[   25.536262]  ? check_noncircular+0x20/0x20
[   25.536275]  ? debug_check_no_locks_freed+0x3c0/0x3c0
[   25.536282]  ? lock_acquire+0x1d5/0x580
[   25.536287]  ? lock_acquire+0x1d5/0x580
[   25.536295]  ? ep_free+0xf4/0x320
[   25.536303]  ? lock_release+0xa40/0xa40
[   25.536310]  ? trace_event_raw_event_sched_switch+0x800/0x800
[   25.536316]  ? print_irqtrace_events+0x270/0x270
[   25.536325]  ? rcu_note_context_switch+0x710/0x710
[   25.536333]  ? __might_sleep+0x95/0x190
[   25.536339]  ? ep_free+0xf4/0x320
[   25.536346]  ? __mutex_lock+0x16f/0x1a80
[   25.536351]  ? ep_free+0xf4/0x320
[   25.536358]  ? print_irqtrace_events+0x270/0x270
[   25.536363]  ? ep_free+0xf4/0x320
[   25.536372]  lock_acquire+0x1d5/0x580
[   25.536377]  ? lock_acquire+0x1d5/0x580
[   25.536383]  ? remove_wait_queue+0x81/0x350
[   25.536389]  ? __lock_acquire+0x664/0x3e00
[   25.536396]  ? lock_release+0xa40/0xa40
[   25.536405]  ? lock_acquire+0x1d5/0x580
[   25.536411]  ? lock_acquire+0x1d5/0x580
[   25.536417]  ? ep_unregister_pollwait.isra.7+0x323/0x590
[   25.536427]  _raw_spin_lock_irqsave+0x96/0xc0
[   25.536432]  ? remove_wait_queue+0x81/0x350
[   25.536439]  remove_wait_queue+0x81/0x350
[   25.536446]  ? add_wait_queue+0x290/0x290
[   25.536452]  ? rcutorture_record_progress+0x10/0x10
[   25.536462]  ep_unregister_pollwait.isra.7+0x18c/0x590
[   25.536473]  ? __kernel_text_address+0xd/0x40
[   25.536481]  ? clear_tfile_check_list+0x370/0x370
[   25.536488]  ? check_noncircular+0x20/0x20
[   25.536498]  ? locks_remove_file+0x3fa/0x5a0
[   25.536508]  ep_free+0x13f/0x320
[   25.536514]  ? ep_remove+0x800/0x800
[   25.536521]  ? fsnotify_first_mark+0x2b0/0x2b0
[   25.536528]  ? ep_free+0x320/0x320
[   25.536534]  ep_eventpoll_release+0x44/0x60
[   25.536541]  __fput+0x327/0x7e0
[   25.536550]  ? fput+0x140/0x140
[   25.536557]  ? _raw_spin_unlock_irq+0x27/0x70
[   25.536566]  ____fput+0x15/0x20
[   25.536572]  task_work_run+0x199/0x270
[   25.536580]  ? task_work_cancel+0x210/0x210
[   25.536586]  ? _raw_spin_unlock+0x22/0x30
[   25.536592]  ? switch_task_namespaces+0x87/0xc0
[   25.536602]  do_exit+0x9bb/0x1ad0
[   25.536612]  ? binder_ioctl+0x571/0x1417
[   25.536618]  ? mm_update_next_owner+0x930/0x930
[   25.536627]  ? binder_ioctl_write_read.isra.38+0xcb0/0xcb0
[   25.536637]  ? avc_ss_reset+0x110/0x110
[   25.536647]  ? mutex_unlock+0xd/0x10
[   25.536653]  ? SyS_epoll_ctl+0x30a/0x1ab0
[   25.536672]  ? trace_event_raw_event_sched_switch+0x800/0x800
[   25.536677]  ? up_read+0x1a/0x40
[   25.536684]  ? rcu_note_context_switch+0x710/0x710
[   25.536690]  ? __fd_install+0x288/0x740
[   25.536699]  ? binder_ioctl_write_read.isra.38+0xcb0/0xcb0
[   25.536705]  ? do_vfs_ioctl+0x486/0x1520
[   25.536710]  ? _cond_resched+0x14/0x30
[   25.536718]  ? ioctl_preallocate+0x2b0/0x2b0
[   25.536728]  ? selinux_capable+0x40/0x40
[   25.536734]  ? __alloc_fd+0x750/0x750
[   25.536743]  do_group_exit+0x149/0x400
[   25.536749]  ? SyS_exit+0x30/0x30
[   25.536756]  ? trace_hardirqs_on_caller+0x421/0x5c0
[   25.536766]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[   25.536773]  SyS_exit_group+0x1d/0x20
[   25.536780]  entry_SYSCALL_64_fastpath+0x23/0x9a
[   25.536786] RIP: 0033:0x4429f8
[   25.536789] RSP: 002b:00007fffadb66458 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
[   25.536796] RAX: ffffffffffffffda RBX: 00000000004002e0 RCX: 00000000004429f8
[   25.536799] RDX: 0000000000000000 RSI: 000000000000003c RDI: 0000000000000000
[   25.536803] RBP: 00000000006ce018 R08: 00000000000000e7 R09: ffffffffffffffd0
[   25.536806] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000401a40
[   25.536809] R13: 0000000000401ad0 R14: 0000000000000000 R15: 0000000000000000
[   25.536818] 
[   25.536821] Allocated by task 3657:
[   25.536827]  save_stack+0x43/0xd0
[   25.536832]  kasan_kmalloc+0xad/0xe0
[   25.536836]  kmem_cache_alloc_trace+0x136/0x750
[   25.536841]  binder_get_thread+0x1cf/0x870
[   25.536847]  binder_poll+0x8c/0x390
[   25.536852]  ep_item_poll.isra.10+0xec/0x320
[   25.536856]  ep_insert+0x6a3/0x1b10
[   25.536862]  SyS_epoll_ctl+0x12e4/0x1ab0
[   25.536867]  entry_SYSCALL_64_fastpath+0x23/0x9a
[   25.536868] 
[   25.536870] Freed by task 3657:
[   25.536875]  save_stack+0x43/0xd0
[   25.536880]  kasan_slab_free+0x71/0xc0
[   25.536884]  kfree+0xd6/0x260
[   25.536889]  binder_thread_dec_tmpref+0x27f/0x310
[   25.536894]  binder_thread_release+0x27d/0x540
[   25.536900]  binder_ioctl+0xc02/0x1417
[   25.536904]  do_vfs_ioctl+0x1b1/0x1520
[   25.536908]  SyS_ioctl+0x8f/0xc0
[   25.536914]  entry_SYSCALL_64_fastpath+0x23/0x9a
[   25.536915] 
[   25.536919] The buggy address belongs to the object at ffff8801bcd3f040
[   25.536919]  which belongs to the cache kmalloc-512 of size 512
[   25.536924] The buggy address is located 176 bytes inside of
[   25.536924]  512-byte region [ffff8801bcd3f040, ffff8801bcd3f240)
[   25.536926] The buggy address belongs to the page:
[   25.536931] page:ffffea0006f34fc0 count:1 mapcount:0 mapping:ffff8801bcd3f040 index:0x0
[   25.536936] flags: 0x2fffc0000000100(slab)
[   25.536945] raw: 02fffc0000000100 ffff8801bcd3f040 0000000000000000 0000000100000006
[   25.536952] raw: ffffea0006ef2ba0 ffff8801dac01748 ffff8801dac00940 0000000000000000
[   25.536954] page dumped because: kasan: bad access detected
[   25.536955] 
[   25.536957] Memory state around the buggy address:
[   25.536962]  ffff8801bcd3ef80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   25.536966]  ffff8801bcd3f000: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
[   25.536971] >ffff8801bcd3f080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   25.536973]                                                              ^
[   25.536977]  ffff8801bcd3f100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   25.536981]  ffff8801bcd3f180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   25.536983] ==================================================================
[   25.536985] Disabling lock debugging due to kernel taint
[   25.536988] Kernel panic - not syncing: panic_on_warn set ...
[   25.536988] 
[   25.536994] CPU: 1 PID: 3657 Comm: syzkaller476765 Tainted: G    B            4.15.0-rc7+ #261
[   25.536997] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   25.536999] Call Trace:
[   25.537009]  dump_stack+0x194/0x257
[   25.537016]  ? arch_local_irq_restore+0x53/0x53
[   25.537022]  ? kasan_end_report+0x32/0x50
[   25.537028]  ? lock_downgrade+0x980/0x980
[   25.537034]  ? vsnprintf+0x1ed/0x1900
[   25.537049]  ? __lock_acquire+0x3cb0/0x3e00
[   25.537055]  panic+0x1e4/0x41c
[   25.537061]  ? refcount_error_report+0x214/0x214
[   25.537068]  ? add_taint+0x40/0x50
[   25.537073]  ? add_taint+0x1c/0x50
[   25.537080]  ? __lock_acquire+0x3d4d/0x3e00
[   25.537085]  kasan_end_report+0x50/0x50
[   25.537091]  kasan_report+0x144/0x340
[   25.537099]  __asan_report_load8_noabort+0x14/0x20
[   25.537105]  __lock_acquire+0x3d4d/0x3e00
[   25.537111]  ? __lock_acquire+0x664/0x3e00
[   25.537116]  ? lock_downgrade+0x980/0x980
[   25.537121]  ? lock_downgrade+0x980/0x980
[   25.537128]  ? remove_wait_queue+0x81/0x350
[   25.537137]  ? debug_check_no_locks_freed+0x3c0/0x3c0
[   25.537143]  ? __lock_acquire+0x664/0x3e00
[   25.537148]  ? check_noncircular+0x20/0x20
[   25.537160]  ? debug_check_no_locks_freed+0x3c0/0x3c0
[   25.537167]  ? lock_acquire+0x1d5/0x580
[   25.537173]  ? lock_acquire+0x1d5/0x580
[   25.537178]  ? ep_free+0xf4/0x320
[   25.537186]  ? lock_release+0xa40/0xa40
[   25.537192]  ? trace_event_raw_event_sched_switch+0x800/0x800
[   25.537198]  ? print_irqtrace_events+0x270/0x270
[   25.537205]  ? rcu_note_context_switch+0x710/0x710
[   25.537212]  ? __might_sleep+0x95/0x190
[   25.537218]  ? ep_free+0xf4/0x320
[   25.537223]  ? __mutex_lock+0x16f/0x1a80
[   25.537228]  ? ep_free+0xf4/0x320
[   25.537235]  ? print_irqtrace_events+0x270/0x270
[   25.537240]  ? ep_free+0xf4/0x320
[   25.537248]  lock_acquire+0x1d5/0x580
[   25.537253]  ? lock_acquire+0x1d5/0x580
[   25.537260]  ? remove_wait_queue+0x81/0x350
[   25.537265]  ? __lock_acquire+0x664/0x3e00
[   25.537273]  ? lock_release+0xa40/0xa40
[   25.537282]  ? lock_acquire+0x1d5/0x580
[   25.537287]  ? lock_acquire+0x1d5/0x580
[   25.537293]  ? ep_unregister_pollwait.isra.7+0x323/0x590
[   25.537301]  _raw_spin_lock_irqsave+0x96/0xc0
[   25.537306]  ? remove_wait_queue+0x81/0x350
[   25.537312]  remove_wait_queue+0x81/0x350
[   25.537320]  ? add_wait_queue+0x290/0x290
[   25.537326]  ? rcutorture_record_progress+0x10/0x10
[   25.537335]  ep_unregister_pollwait.isra.7+0x18c/0x590
[   25.537342]  ? __kernel_text_address+0xd/0x40
[   25.537350]  ? clear_tfile_check_list+0x370/0x370
[   25.537357]  ? check_noncircular+0x20/0x20
[   25.537365]  ? locks_remove_file+0x3fa/0x5a0
[   25.537374]  ep_free+0x13f/0x320
[   25.537381]  ? ep_remove+0x800/0x800
[   25.537386]  ? fsnotify_first_mark+0x2b0/0x2b0
[   25.537394]  ? ep_free+0x320/0x320
[   25.537400]  ep_eventpoll_release+0x44/0x60
[   25.537406]  __fput+0x327/0x7e0
[   25.537414]  ? fput+0x140/0x140
[   25.537421]  ? _raw_spin_unlock_irq+0x27/0x70
[   25.537429]  ____fput+0x15/0x20
[   25.537435]  task_work_run+0x199/0x270
[   25.537443]  ? task_work_cancel+0x210/0x210
[   25.537450]  ? _raw_spin_unlock+0x22/0x30
[   25.537456]  ? switch_task_namespaces+0x87/0xc0
[   25.537463]  do_exit+0x9bb/0x1ad0
[   25.537471]  ? binder_ioctl+0x571/0x1417
[   25.537477]  ? mm_update_next_owner+0x930/0x930
[   25.537485]  ? binder_ioctl_write_read.isra.38+0xcb0/0xcb0
[   25.537493]  ? avc_ss_reset+0x110/0x110
[   25.537499]  ? mutex_unlock+0xd/0x10
[   25.537505]  ? SyS_epoll_ctl+0x30a/0x1ab0
[   25.537523]  ? trace_event_raw_event_sched_switch+0x800/0x800
[   25.537527]  ? up_read+0x1a/0x40
[   25.537534]  ? rcu_note_context_switch+0x710/0x710
[   25.537539]  ? __fd_install+0x288/0x740
[   25.537548]  ? binder_ioctl_write_read.isra.38+0xcb0/0xcb0
[   25.537553]  ? do_vfs_ioctl+0x486/0x1520
[   25.537558]  ? _cond_resched+0x14/0x30
[   25.537566]  ? ioctl_preallocate+0x2b0/0x2b0
[   25.537573]  ? selinux_capable+0x40/0x40
[   25.537579]  ? __alloc_fd+0x750/0x750
[   25.537587]  do_group_exit+0x149/0x400
[   25.537594]  ? SyS_exit+0x30/0x30
[   25.537600]  ? trace_hardirqs_on_caller+0x421/0x5c0
[   25.537607]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[   25.537614]  SyS_exit_group+0x1d/0x20
[   25.537621]  entry_SYSCALL_64_fastpath+0x23/0x9a
[   25.537625] RIP: 0033:0x4429f8
[   25.537628] RSP: 002b:00007fffadb66458 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
[   25.537633] RAX: ffffffffffffffda RBX: 00000000004002e0 RCX: 00000000004429f8
[   25.537637] RDX: 0000000000000000 RSI: 000000000000003c RDI: 0000000000000000
[   25.537644] RBP: 00000000006ce018 R08: 00000000000000e7 R09: ffffffffffffffd0
[   25.537647] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000401a40
[   25.537650] R13: 0000000000401ad0 R14: 0000000000000000 R15: 0000000000000000
[   25.555752] Dumping ftrace buffer:
[   25.555755]    (ftrace buffer empty)
[   25.555758] Kernel Offset: disabled
[   26.681593] Rebooting in 86400 seconds..