[....] Starting enhanced syslogd: rsyslogd[   12.446954] audit: type=1400 audit(1515738035.394:5): avc:  denied  { syslog } for  pid=3349 comm="rsyslogd" capability=34  scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=capability2 permissive=1
[?25l[?1c7[1G[[32m ok [39;49m8[?25h[?0c.
[....] Starting periodic command scheduler: cron[?25l[?1c7[1G[[32m ok [39;49m8[?25h[?0c.
Starting mcstransd: 
[....] Starting file context maintaining daemon: restorecond[?25l[?1c7[1G[[32m ok [39;49m8[?25h[?0c.
[....] Starting OpenBSD Secure Shell server: sshd[?25l[?1c7[1G[[32m ok [39;49m8[?25h[?0c.

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [   17.399255] audit: type=1400 audit(1515738040.347:6): avc:  denied  { map } for  pid=3489 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
Warning: Permanently added '10.128.0.15' (ECDSA) to the list of known hosts.
executing program
[   37.632503] audit: type=1400 audit(1515738060.580:7): avc:  denied  { map } for  pid=3507 comm="syzkaller529877" path="/root/syzkaller529877203" dev="sda1" ino=16481 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
[   37.640117] ==================================================================
[   37.640134] BUG: KASAN: use-after-free in __lock_acquire+0x3d4d/0x3e00
[   37.640139] Read of size 8 at addr ffff8801cd476670 by task syzkaller529877/3507
[   37.640140] 
[   37.640146] CPU: 0 PID: 3507 Comm: syzkaller529877 Not tainted 4.15.0-rc7+ #168
[   37.640149] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   37.640150] Call Trace:
[   37.640161]  dump_stack+0x194/0x257
[   37.640166]  ? arch_local_irq_restore+0x53/0x53
[   37.640173]  ? show_regs_print_info+0x18/0x18
[   37.640177]  ? print_irqtrace_events+0x270/0x270
[   37.640181]  ? __lock_acquire+0x664/0x3e00
[   37.640185]  ? __lock_acquire+0x3d4d/0x3e00
[   37.640192]  print_address_description+0x73/0x250
[   37.640196]  ? __lock_acquire+0x3d4d/0x3e00
[   37.640200]  kasan_report+0x25b/0x340
[   37.640206]  __asan_report_load8_noabort+0x14/0x20
[   37.640210]  __lock_acquire+0x3d4d/0x3e00
[   37.640213]  ? __lock_acquire+0x664/0x3e00
[   37.640217]  ? lock_downgrade+0x980/0x980
[   37.640220]  ? lock_downgrade+0x980/0x980
[   37.640224]  ? print_irqtrace_events+0x270/0x270
[   37.640231]  ? remove_wait_queue+0x81/0x350
[   37.640237]  ? debug_check_no_locks_freed+0x3c0/0x3c0
[   37.640241]  ? __lock_acquire+0x664/0x3e00
[   37.640245]  ? check_noncircular+0x20/0x20
[   37.640252]  ? debug_check_no_locks_freed+0x3c0/0x3c0
[   37.640256]  ? lock_acquire+0x1d5/0x580
[   37.640259]  ? lock_acquire+0x1d5/0x580
[   37.640266]  ? ep_free+0xf4/0x320
[   37.640270]  ? lock_release+0xa40/0xa40
[   37.640275]  ? trace_event_raw_event_sched_switch+0x800/0x800
[   37.640279]  ? print_irqtrace_events+0x270/0x270
[   37.640282]  ? print_irqtrace_events+0x270/0x270
[   37.640290]  ? rcu_note_context_switch+0x710/0x710
[   37.640294]  ? __might_sleep+0x95/0x190
[   37.640298]  ? ep_free+0xf4/0x320
[   37.640304]  ? __mutex_lock+0x16f/0x1a80
[   37.640307]  ? ep_free+0xf4/0x320
[   37.640312]  ? print_irqtrace_events+0x270/0x270
[   37.640315]  ? ep_free+0xf4/0x320
[   37.640319]  lock_acquire+0x1d5/0x580
[   37.640323]  ? lock_acquire+0x1d5/0x580
[   37.640327]  ? remove_wait_queue+0x81/0x350
[   37.640332]  ? lock_release+0xa40/0xa40
[   37.640337]  ? lock_acquire+0x1d5/0x580
[   37.640340]  ? debug_check_no_locks_freed+0x3c0/0x3c0
[   37.640343]  ? lock_acquire+0x1d5/0x580
[   37.640347]  ? ep_unregister_pollwait.isra.7+0x323/0x590
[   37.640354]  _raw_spin_lock_irqsave+0x96/0xc0
[   37.640357]  ? remove_wait_queue+0x81/0x350
[   37.640361]  remove_wait_queue+0x81/0x350
[   37.640368]  ? depot_save_stack+0x3b5/0x490
[   37.640372]  ? add_wait_queue+0x290/0x290
[   37.640376]  ? rcutorture_record_progress+0x10/0x10
[   37.640380]  ? lock_release+0xa40/0xa40
[   37.640391]  ep_unregister_pollwait.isra.7+0x18c/0x590
[   37.640399]  ? __kernel_text_address+0xd/0x40
[   37.640404]  ? clear_tfile_check_list+0x370/0x370
[   37.640409]  ? check_noncircular+0x20/0x20
[   37.640415]  ? locks_remove_file+0x3fa/0x5a0
[   37.640421]  ep_free+0x13f/0x320
[   37.640425]  ? ep_remove+0x800/0x800
[   37.640429]  ? fsnotify_first_mark+0x2b0/0x2b0
[   37.640434]  ? ep_free+0x320/0x320
[   37.640437]  ep_eventpoll_release+0x44/0x60
[   37.640444]  __fput+0x327/0x7e0
[   37.640449]  ? fput+0x140/0x140
[   37.640454]  ? _raw_spin_unlock_irq+0x27/0x70
[   37.640459]  ____fput+0x15/0x20
[   37.640463]  task_work_run+0x199/0x270
[   37.640467]  ? task_work_cancel+0x210/0x210
[   37.640472]  ? _raw_spin_unlock+0x22/0x30
[   37.640476]  ? switch_task_namespaces+0x87/0xc0
[   37.640484]  do_exit+0x9bb/0x1ad0
[   37.640491]  ? __handle_mm_fault+0x2330/0x3ce0
[   37.640495]  ? mm_update_next_owner+0x930/0x930
[   37.640502]  ? do_raw_spin_trylock+0x190/0x190
[   37.640507]  ? trace_event_raw_event_sched_switch+0x800/0x800
[   37.640511]  ? check_noncircular+0x20/0x20
[   37.640515]  ? _raw_spin_unlock+0x22/0x30
[   37.640519]  ? __handle_mm_fault+0x80e/0x3ce0
[   37.640523]  ? check_noncircular+0x20/0x20
[   37.640526]  ? __pmd_alloc+0x4e0/0x4e0
[   37.640529]  ? lock_downgrade+0x980/0x980
[   37.640534]  ? find_held_lock+0x35/0x1d0
[   37.640539]  ? handle_mm_fault+0x248/0x8d0
[   37.640544]  ? find_held_lock+0x35/0x1d0
[   37.640552]  ? __do_page_fault+0x5f7/0xc90
[   37.640556]  ? lock_downgrade+0x980/0x980
[   37.640561]  ? handle_mm_fault+0x410/0x8d0
[   37.640564]  ? down_read_trylock+0xdb/0x170
[   37.640567]  ? __do_page_fault+0x32d/0xc90
[   37.640571]  ? __handle_mm_fault+0x3ce0/0x3ce0
[   37.640577]  ? vmacache_find+0x5f/0x280
[   37.640582]  do_group_exit+0x149/0x400
[   37.640586]  ? __do_page_fault+0x3d6/0xc90
[   37.640590]  ? SyS_exit+0x30/0x30
[   37.640597]  ? do_fast_syscall_32+0x156/0xf9d
[   37.640600]  ? do_group_exit+0x400/0x400
[   37.640604]  SyS_exit_group+0x1d/0x20
[   37.640608]  do_fast_syscall_32+0x3ee/0xf9d
[   37.640613]  ? do_int80_syscall_32+0x9d0/0x9d0
[   37.640617]  ? kasan_check_read+0x11/0x20
[   37.640621]  ? syscall_return_slowpath+0x550/0x550
[   37.640627]  ? SyS_rt_sigaction+0x94/0x1b0
[   37.640631]  ? SyS_sigprocmask+0x4b0/0x4b0
[   37.640634]  ? SyS_read+0x184/0x220
[   37.640638]  ? retint_user+0x18/0x18
[   37.640643]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   37.640648]  entry_SYSENTER_compat+0x54/0x63
[   37.640653] RIP: 0023:0xf7f7bc79
[   37.640655] RSP: 002b:00000000ffe0c43c EFLAGS: 00000292 ORIG_RAX: 00000000000000fc
[   37.640659] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00000000080f0298
[   37.640662] RDX: 0000000000000000 RSI: 00000000080d9ad8 RDI: 00000000080f02a0
[   37.640664] RBP: 0000000000000001 R08: 0000000000000000 R09: 0000000000000000
[   37.640665] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
[   37.640667] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[   37.640672] 
[   37.640674] Allocated by task 3507:
[   37.640679]  save_stack+0x43/0xd0
[   37.640682]  kasan_kmalloc+0xad/0xe0
[   37.640685]  kmem_cache_alloc_trace+0x136/0x750
[   37.640690]  binder_get_thread+0x1cf/0x870
[   37.640692]  binder_poll+0x8c/0x390
[   37.640695]  ep_item_poll.isra.10+0xec/0x320
[   37.640698]  ep_insert+0x6a3/0x1b10
[   37.640702]  SyS_epoll_ctl+0x12e4/0x1ab0
[   37.640705]  do_fast_syscall_32+0x3ee/0xf9d
[   37.640707]  entry_SYSENTER_compat+0x54/0x63
[   37.640708] 
[   37.640709] Freed by task 3507:
[   37.640712]  save_stack+0x43/0xd0
[   37.640715]  kasan_slab_free+0x71/0xc0
[   37.640718]  kfree+0xd6/0x260
[   37.640721]  binder_thread_dec_tmpref+0x27f/0x310
[   37.640723]  binder_thread_release+0x27d/0x540
[   37.640726]  binder_ioctl+0xc02/0x1417
[   37.640729]  compat_SyS_ioctl+0x151/0x2a30
[   37.640733]  do_fast_syscall_32+0x3ee/0xf9d
[   37.640735]  entry_SYSENTER_compat+0x54/0x63
[   37.640736] 
[   37.640739] The buggy address belongs to the object at ffff8801cd4765c0
[   37.640739]  which belongs to the cache kmalloc-512 of size 512
[   37.640742] The buggy address is located 176 bytes inside of
[   37.640742]  512-byte region [ffff8801cd4765c0, ffff8801cd4767c0)
[   37.640743] The buggy address belongs to the page:
[   37.640747] page:ffffea0007351d80 count:1 mapcount:0 mapping:ffff8801cd4760c0 index:0x0
[   37.640752] flags: 0x2fffc0000000100(slab)
[   37.640758] raw: 02fffc0000000100 ffff8801cd4760c0 0000000000000000 0000000100000006
[   37.640762] raw: ffffea00071cffa0 ffffea00071894e0 ffff8801dac00940 0000000000000000
[   37.640764] page dumped because: kasan: bad access detected
[   37.640765] 
[   37.640766] Memory state around the buggy address:
[   37.640769]  ffff8801cd476500: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[   37.640772]  ffff8801cd476580: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
[   37.640774] >ffff8801cd476600: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   37.640776]                                                              ^
[   37.640779]  ffff8801cd476680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   37.640781]  ffff8801cd476700: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   37.640783] ==================================================================
[   37.640784] Disabling lock debugging due to kernel taint
[   37.640787] Kernel panic - not syncing: panic_on_warn set ...
[   37.640787] 
[   37.640791] CPU: 0 PID: 3507 Comm: syzkaller529877 Tainted: G    B            4.15.0-rc7+ #168
[   37.640793] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   37.640794] Call Trace:
[   37.640798]  dump_stack+0x194/0x257
[   37.640802]  ? arch_local_irq_restore+0x53/0x53
[   37.640806]  ? kasan_end_report+0x32/0x50
[   37.640810]  ? lock_downgrade+0x980/0x980
[   37.640815]  ? vsnprintf+0x1ed/0x1900
[   37.640819]  ? __lock_acquire+0x3cb0/0x3e00
[   37.640823]  panic+0x1e4/0x41c
[   37.640826]  ? refcount_error_report+0x214/0x214
[   37.640830]  ? add_taint+0x40/0x50
[   37.640833]  ? add_taint+0x1c/0x50
[   37.640837]  ? __lock_acquire+0x3d4d/0x3e00
[   37.640841]  kasan_end_report+0x50/0x50
[   37.640845]  kasan_report+0x144/0x340
[   37.640849]  __asan_report_load8_noabort+0x14/0x20
[   37.640853]  __lock_acquire+0x3d4d/0x3e00
[   37.640856]  ? __lock_acquire+0x664/0x3e00
[   37.640860]  ? lock_downgrade+0x980/0x980
[   37.640863]  ? lock_downgrade+0x980/0x980
[   37.640867]  ? print_irqtrace_events+0x270/0x270
[   37.640871]  ? remove_wait_queue+0x81/0x350
[   37.640876]  ? debug_check_no_locks_freed+0x3c0/0x3c0
[   37.640880]  ? __lock_acquire+0x664/0x3e00
[   37.640883]  ? check_noncircular+0x20/0x20
[   37.640890]  ? debug_check_no_locks_freed+0x3c0/0x3c0
[   37.640895]  ? lock_acquire+0x1d5/0x580
[   37.640898]  ? lock_acquire+0x1d5/0x580
[   37.640902]  ? ep_free+0xf4/0x320
[   37.640906]  ? lock_release+0xa40/0xa40
[   37.640910]  ? trace_event_raw_event_sched_switch+0x800/0x800
[   37.640914]  ? print_irqtrace_events+0x270/0x270
[   37.640917]  ? print_irqtrace_events+0x270/0x270
[   37.640921]  ? rcu_note_context_switch+0x710/0x710
[   37.640925]  ? __might_sleep+0x95/0x190
[   37.640929]  ? ep_free+0xf4/0x320
[   37.640932]  ? __mutex_lock+0x16f/0x1a80
[   37.640935]  ? ep_free+0xf4/0x320
[   37.640940]  ? print_irqtrace_events+0x270/0x270
[   37.640943]  ? ep_free+0xf4/0x320
[   37.640948]  lock_acquire+0x1d5/0x580
[   37.640951]  ? lock_acquire+0x1d5/0x580
[   37.640955]  ? remove_wait_queue+0x81/0x350
[   37.640959]  ? lock_release+0xa40/0xa40
[   37.640964]  ? lock_acquire+0x1d5/0x580
[   37.640968]  ? debug_check_no_locks_freed+0x3c0/0x3c0
[   37.640971]  ? lock_acquire+0x1d5/0x580
[   37.640975]  ? ep_unregister_pollwait.isra.7+0x323/0x590
[   37.640979]  _raw_spin_lock_irqsave+0x96/0xc0
[   37.640983]  ? remove_wait_queue+0x81/0x350
[   37.640987]  remove_wait_queue+0x81/0x350
[   37.640990]  ? depot_save_stack+0x3b5/0x490
[   37.640995]  ? add_wait_queue+0x290/0x290
[   37.640998]  ? rcutorture_record_progress+0x10/0x10
[   37.641004]  ? lock_release+0xa40/0xa40
[   37.641010]  ep_unregister_pollwait.isra.7+0x18c/0x590
[   37.641014]  ? __kernel_text_address+0xd/0x40
[   37.641019]  ? clear_tfile_check_list+0x370/0x370
[   37.641023]  ? check_noncircular+0x20/0x20
[   37.641028]  ? locks_remove_file+0x3fa/0x5a0
[   37.641033]  ep_free+0x13f/0x320
[   37.641037]  ? ep_remove+0x800/0x800
[   37.641040]  ? fsnotify_first_mark+0x2b0/0x2b0
[   37.641045]  ? ep_free+0x320/0x320
[   37.641048]  ep_eventpoll_release+0x44/0x60
[   37.641052]  __fput+0x327/0x7e0
[   37.641057]  ? fput+0x140/0x140
[   37.641061]  ? _raw_spin_unlock_irq+0x27/0x70
[   37.641066]  ____fput+0x15/0x20
[   37.641070]  task_work_run+0x199/0x270
[   37.641075]  ? task_work_cancel+0x210/0x210
[   37.641079]  ? _raw_spin_unlock+0x22/0x30
[   37.641082]  ? switch_task_namespaces+0x87/0xc0
[   37.641087]  do_exit+0x9bb/0x1ad0
[   37.641090]  ? __handle_mm_fault+0x2330/0x3ce0
[   37.641095]  ? mm_update_next_owner+0x930/0x930
[   37.641100]  ? do_raw_spin_trylock+0x190/0x190
[   37.641105]  ? trace_event_raw_event_sched_switch+0x800/0x800
[   37.641108]  ? check_noncircular+0x20/0x20
[   37.641112]  ? _raw_spin_unlock+0x22/0x30
[   37.641116]  ? __handle_mm_fault+0x80e/0x3ce0
[   37.641121]  ? check_noncircular+0x20/0x20
[   37.641124]  ? __pmd_alloc+0x4e0/0x4e0
[   37.641127]  ? lock_downgrade+0x980/0x980
[   37.641131]  ? find_held_lock+0x35/0x1d0
[   37.641136]  ? handle_mm_fault+0x248/0x8d0
[   37.641140]  ? find_held_lock+0x35/0x1d0
[   37.641146]  ? __do_page_fault+0x5f7/0xc90
[   37.641150]  ? lock_downgrade+0x980/0x980
[   37.641155]  ? handle_mm_fault+0x410/0x8d0
[   37.641158]  ? down_read_trylock+0xdb/0x170
[   37.641161]  ? __do_page_fault+0x32d/0xc90
[   37.641165]  ? __handle_mm_fault+0x3ce0/0x3ce0
[   37.641169]  ? vmacache_find+0x5f/0x280
[   37.641174]  do_group_exit+0x149/0x400
[   37.641178]  ? __do_page_fault+0x3d6/0xc90
[   37.641181]  ? SyS_exit+0x30/0x30
[   37.641186]  ? do_fast_syscall_32+0x156/0xf9d
[   37.641189]  ? do_group_exit+0x400/0x400
[   37.641193]  SyS_exit_group+0x1d/0x20
[   37.641197]  do_fast_syscall_32+0x3ee/0xf9d
[   37.641202]  ? do_int80_syscall_32+0x9d0/0x9d0
[   37.641206]  ? kasan_check_read+0x11/0x20
[   37.641210]  ? syscall_return_slowpath+0x550/0x550
[   37.641214]  ? SyS_rt_sigaction+0x94/0x1b0
[   37.641218]  ? SyS_sigprocmask+0x4b0/0x4b0
[   37.641221]  ? SyS_read+0x184/0x220
[   37.641225]  ? retint_user+0x18/0x18
[   37.641230]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   37.641235]  entry_SYSENTER_compat+0x54/0x63
[   37.641237] RIP: 0023:0xf7f7bc79
[   37.641239] RSP: 002b:00000000ffe0c43c EFLAGS: 00000292 ORIG_RAX: 00000000000000fc
[   37.641243] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00000000080f0298
[   37.641245] RDX: 0000000000000000 RSI: 00000000080d9ad8 RDI: 00000000080f02a0
[   37.641246] RBP: 0000000000000001 R08: 0000000000000000 R09: 0000000000000000
[   37.641248] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
[   37.641250] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[   37.658399] Dumping ftrace buffer:
[   37.658403]    (ftrace buffer empty)
[   37.658406] Kernel Offset: disabled
[   38.946419] Rebooting in 86400 seconds..