[....] Starting enhanced syslogd: rsyslogd[   10.807896] audit: type=1400 audit(1514114973.719:5): avc:  denied  { syslog } for  pid=2988 comm="rsyslogd" capability=34  scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=capability2 permissive=1
[?25l[?1c7[1G[[32m ok [39;49m8[?25h[?0c.
Starting mcstransd: 
[....] Starting periodic command scheduler: cron[?25l[?1c7[1G[[32m ok [39;49m8[?25h[?0c.
[....] Starting file context maintaining daemon: restorecond[?25l[?1c7[1G[[32m ok [39;49m8[?25h[?0c.
[....] Starting OpenBSD Secure Shell server: sshd[?25l[?1c7[1G[[32m ok [39;49m8[?25h[?0c.

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [   16.017581] audit: type=1400 audit(1514114978.929:6): avc:  denied  { map } for  pid=3128 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
Warning: Permanently added 'ci-upstream-next-kasan-gce-0,10.128.15.197' (ECDSA) to the list of known hosts.
executing program
[   22.173896] audit: type=1400 audit(1514114985.085:7): avc:  denied  { map } for  pid=3142 comm="syzkaller429857" path="/root/syzkaller429857033" dev="sda1" ino=16481 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
[   22.179295] ==================================================================
[   22.179309] BUG: KASAN: use-after-free in __lock_acquire+0x3d4d/0x3e00
[   22.179314] Read of size 8 at addr ffff8801ca1f28f8 by task syzkaller429857/3142
[   22.179315] 
[   22.179322] CPU: 1 PID: 3142 Comm: syzkaller429857 Not tainted 4.15.0-rc4-next-20171221+ #78
[   22.179326] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   22.179328] Call Trace:
[   22.179336]  dump_stack+0x194/0x257
[   22.179343]  ? arch_local_irq_restore+0x53/0x53
[   22.179351]  ? show_regs_print_info+0x18/0x18
[   22.179357]  ? print_irqtrace_events+0x270/0x270
[   22.179363]  ? __lock_acquire+0x664/0x3e00
[   22.179370]  ? __lock_acquire+0x3d4d/0x3e00
[   22.179379]  print_address_description+0x73/0x250
[   22.179385]  ? __lock_acquire+0x3d4d/0x3e00
[   22.179391]  kasan_report+0x25b/0x340
[   22.179399]  __asan_report_load8_noabort+0x14/0x20
[   22.179405]  __lock_acquire+0x3d4d/0x3e00
[   22.179411]  ? __lock_acquire+0x664/0x3e00
[   22.179417]  ? lock_downgrade+0x980/0x980
[   22.179422]  ? lock_downgrade+0x980/0x980
[   22.179431]  ? remove_wait_queue+0x81/0x350
[   22.179440]  ? debug_check_no_locks_freed+0x3c0/0x3c0
[   22.179446]  ? __lock_acquire+0x664/0x3e00
[   22.179452]  ? check_noncircular+0x20/0x20
[   22.179464]  ? debug_check_no_locks_freed+0x3c0/0x3c0
[   22.179472]  ? lock_acquire+0x1d5/0x580
[   22.179477]  ? lock_acquire+0x1d5/0x580
[   22.179484]  ? ep_free+0xf4/0x320
[   22.179493]  ? lock_release+0xa40/0xa40
[   22.179500]  ? trace_event_raw_event_sched_switch+0x800/0x800
[   22.179506]  ? print_irqtrace_events+0x270/0x270
[   22.179514]  ? rcu_note_context_switch+0x710/0x710
[   22.179522]  ? __might_sleep+0x95/0x190
[   22.179528]  ? ep_free+0xf4/0x320
[   22.179535]  ? __mutex_lock+0x16f/0x1a80
[   22.179540]  ? ep_free+0xf4/0x320
[   22.179547]  ? print_irqtrace_events+0x270/0x270
[   22.179552]  ? ep_free+0xf4/0x320
[   22.179560]  lock_acquire+0x1d5/0x580
[   22.179565]  ? lock_acquire+0x1d5/0x580
[   22.179571]  ? remove_wait_queue+0x81/0x350
[   22.179577]  ? __lock_acquire+0x664/0x3e00
[   22.179585]  ? lock_release+0xa40/0xa40
[   22.179594]  ? lock_acquire+0x1d5/0x580
[   22.179599]  ? lock_acquire+0x1d5/0x580
[   22.179606]  ? ep_unregister_pollwait.isra.7+0x323/0x590
[   22.179613]  _raw_spin_lock_irqsave+0x96/0xc0
[   22.179619]  ? remove_wait_queue+0x81/0x350
[   22.179625]  remove_wait_queue+0x81/0x350
[   22.179633]  ? add_wait_queue+0x290/0x290
[   22.179639]  ? rcutorture_record_progress+0x10/0x10
[   22.179649]  ep_unregister_pollwait.isra.7+0x18c/0x590
[   22.179657]  ? __kernel_text_address+0xd/0x40
[   22.179665]  ? clear_tfile_check_list+0x370/0x370
[   22.179673]  ? check_noncircular+0x20/0x20
[   22.179681]  ? locks_remove_file+0x3fa/0x5a0
[   22.179690]  ep_free+0x13f/0x320
[   22.179696]  ? ep_remove+0x800/0x800
[   22.179702]  ? fsnotify_first_mark+0x2b0/0x2b0
[   22.179710]  ? ep_free+0x320/0x320
[   22.179715]  ep_eventpoll_release+0x44/0x60
[   22.179722]  __fput+0x327/0x7e0
[   22.179730]  ? fput+0x140/0x140
[   22.179737]  ? _raw_spin_unlock_irq+0x27/0x70
[   22.179745]  ____fput+0x15/0x20
[   22.179751]  task_work_run+0x199/0x270
[   22.179759]  ? task_work_cancel+0x210/0x210
[   22.179765]  ? _raw_spin_unlock+0x22/0x30
[   22.179771]  ? switch_task_namespaces+0x87/0xc0
[   22.179779]  do_exit+0x9bb/0x1ad0
[   22.179787]  ? binder_ioctl+0x491/0x1417
[   22.179794]  ? mm_update_next_owner+0x930/0x930
[   22.179801]  ? binder_ioctl_write_read.isra.38+0xcb0/0xcb0
[   22.179811]  ? avc_ss_reset+0x110/0x110
[   22.179817]  ? mutex_unlock+0xd/0x10
[   22.179823]  ? SyS_epoll_ctl+0x30a/0x1a80
[   22.179842]  ? trace_event_raw_event_sched_switch+0x800/0x800
[   22.179847]  ? up_read+0x1a/0x40
[   22.179854]  ? rcu_note_context_switch+0x710/0x710
[   22.179859]  ? __fd_install+0x288/0x740
[   22.179868]  ? binder_ioctl_write_read.isra.38+0xcb0/0xcb0
[   22.179874]  ? do_vfs_ioctl+0x486/0x1520
[   22.179880]  ? _cond_resched+0x14/0x30
[   22.179887]  ? ioctl_preallocate+0x2b0/0x2b0
[   22.179894]  ? selinux_capable+0x40/0x40
[   22.179900]  ? __alloc_fd+0x750/0x750
[   22.179909]  do_group_exit+0x149/0x400
[   22.179916]  ? SyS_exit+0x30/0x30
[   22.179923]  ? trace_hardirqs_on_caller+0x421/0x5c0
[   22.179930]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[   22.179937]  SyS_exit_group+0x1d/0x20
[   22.179944]  entry_SYSCALL_64_fastpath+0x1f/0x96
[   22.179948] RIP: 0033:0x4429f8
[   22.179951] RSP: 002b:00007ffcce13a198 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
[   22.179958] RAX: ffffffffffffffda RBX: 00000000004002e0 RCX: 00000000004429f8
[   22.179962] RDX: 0000000000000000 RSI: 000000000000003c RDI: 0000000000000000
[   22.179966] RBP: 00000000006ce018 R08: 00000000000000e7 R09: ffffffffffffffd0
[   22.179969] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000401a40
[   22.179972] R13: 0000000000401ad0 R14: 0000000000000000 R15: 0000000000000000
[   22.179980] 
[   22.179983] Allocated by task 3142:
[   22.179989]  save_stack+0x43/0xd0
[   22.179994]  kasan_kmalloc+0xad/0xe0
[   22.179999]  kmem_cache_alloc_trace+0x136/0x750
[   22.180007]  binder_get_thread+0x1cf/0x870
[   22.180011]  binder_poll+0x8c/0x390
[   22.180016]  ep_item_poll.isra.10+0xf2/0x320
[   22.180021]  ep_insert+0x6a2/0x1ac0
[   22.180025]  SyS_epoll_ctl+0x12bf/0x1a80
[   22.180030]  entry_SYSCALL_64_fastpath+0x1f/0x96
[   22.180032] 
[   22.180034] Freed by task 3142:
[   22.180038]  save_stack+0x43/0xd0
[   22.180043]  kasan_slab_free+0x71/0xc0
[   22.180047]  kfree+0xd6/0x260
[   22.180052]  binder_thread_dec_tmpref+0x27f/0x310
[   22.180057]  binder_thread_release+0x27d/0x540
[   22.180061]  binder_ioctl+0xc02/0x1417
[   22.180065]  do_vfs_ioctl+0x1b1/0x1520
[   22.180069]  SyS_ioctl+0x8f/0xc0
[   22.180074]  entry_SYSCALL_64_fastpath+0x1f/0x96
[   22.180076] 
[   22.180080] The buggy address belongs to the object at ffff8801ca1f2840
[   22.180080]  which belongs to the cache kmalloc-512 of size 512
[   22.180085] The buggy address is located 184 bytes inside of
[   22.180085]  512-byte region [ffff8801ca1f2840, ffff8801ca1f2a40)
[   22.180086] The buggy address belongs to the page:
[   22.180092] page:000000005830d4df count:1 mapcount:0 mapping:000000004bc5001e index:0x0
[   22.180097] flags: 0x2fffc0000000100(slab)
[   22.180106] raw: 02fffc0000000100 ffff8801ca1f20c0 0000000000000000 0000000100000006
[   22.180113] raw: ffffea000729d4e0 ffffea000729d420 ffff8801dac00940 0000000000000000
[   22.180115] page dumped because: kasan: bad access detected
[   22.180116] 
[   22.180118] Memory state around the buggy address:
[   22.180123]  ffff8801ca1f2780: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   22.180127]  ffff8801ca1f2800: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
[   22.180131] >ffff8801ca1f2880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   22.180134]                                                                 ^
[   22.180138]  ffff8801ca1f2900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   22.180143]  ffff8801ca1f2980: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   22.180145] ==================================================================
[   22.180146] Disabling lock debugging due to kernel taint
[   22.180149] Kernel panic - not syncing: panic_on_warn set ...
[   22.180149] 
[   22.180155] CPU: 1 PID: 3142 Comm: syzkaller429857 Tainted: G    B            4.15.0-rc4-next-20171221+ #78
[   22.180158] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   22.180160] Call Trace:
[   22.180165]  dump_stack+0x194/0x257
[   22.180172]  ? arch_local_irq_restore+0x53/0x53
[   22.180178]  ? kasan_end_report+0x32/0x50
[   22.180184]  ? lock_downgrade+0x980/0x980
[   22.180189]  ? vsnprintf+0x1ed/0x1900
[   22.180196]  ? __lock_acquire+0x3d30/0x3e00
[   22.180201]  panic+0x1e4/0x41c
[   22.180207]  ? refcount_error_report+0x214/0x214
[   22.180214]  ? add_taint+0x40/0x50
[   22.180220]  ? add_taint+0x1c/0x50
[   22.180227]  ? __lock_acquire+0x3d4d/0x3e00
[   22.180233]  kasan_end_report+0x50/0x50
[   22.180238]  kasan_report+0x144/0x340
[   22.180246]  __asan_report_load8_noabort+0x14/0x20
[   22.180252]  __lock_acquire+0x3d4d/0x3e00
[   22.180258]  ? __lock_acquire+0x664/0x3e00
[   22.180264]  ? lock_downgrade+0x980/0x980
[   22.180269]  ? lock_downgrade+0x980/0x980
[   22.180276]  ? remove_wait_queue+0x81/0x350
[   22.180289]  ? debug_check_no_locks_freed+0x3c0/0x3c0
[   22.180296]  ? __lock_acquire+0x664/0x3e00
[   22.180301]  ? check_noncircular+0x20/0x20
[   22.180314]  ? debug_check_no_locks_freed+0x3c0/0x3c0
[   22.180321]  ? lock_acquire+0x1d5/0x580
[   22.180326]  ? lock_acquire+0x1d5/0x580
[   22.180331]  ? ep_free+0xf4/0x320
[   22.180339]  ? lock_release+0xa40/0xa40
[   22.180345]  ? trace_event_raw_event_sched_switch+0x800/0x800
[   22.180352]  ? print_irqtrace_events+0x270/0x270
[   22.180358]  ? rcu_note_context_switch+0x710/0x710
[   22.180365]  ? __might_sleep+0x95/0x190
[   22.180371]  ? ep_free+0xf4/0x320
[   22.180377]  ? __mutex_lock+0x16f/0x1a80
[   22.180382]  ? ep_free+0xf4/0x320
[   22.180389]  ? print_irqtrace_events+0x270/0x270
[   22.180394]  ? ep_free+0xf4/0x320
[   22.180402]  lock_acquire+0x1d5/0x580
[   22.180407]  ? lock_acquire+0x1d5/0x580
[   22.180413]  ? remove_wait_queue+0x81/0x350
[   22.180419]  ? __lock_acquire+0x664/0x3e00
[   22.180426]  ? lock_release+0xa40/0xa40
[   22.180435]  ? lock_acquire+0x1d5/0x580
[   22.180440]  ? lock_acquire+0x1d5/0x580
[   22.180446]  ? ep_unregister_pollwait.isra.7+0x323/0x590
[   22.180454]  _raw_spin_lock_irqsave+0x96/0xc0
[   22.180459]  ? remove_wait_queue+0x81/0x350
[   22.180466]  remove_wait_queue+0x81/0x350
[   22.180473]  ? add_wait_queue+0x290/0x290
[   22.180479]  ? rcutorture_record_progress+0x10/0x10
[   22.180489]  ep_unregister_pollwait.isra.7+0x18c/0x590
[   22.180496]  ? __kernel_text_address+0xd/0x40
[   22.180503]  ? clear_tfile_check_list+0x370/0x370
[   22.180511]  ? check_noncircular+0x20/0x20
[   22.180519]  ? locks_remove_file+0x3fa/0x5a0
[   22.180527]  ep_free+0x13f/0x320
[   22.180533]  ? ep_remove+0x800/0x800
[   22.180539]  ? fsnotify_first_mark+0x2b0/0x2b0
[   22.180546]  ? ep_free+0x320/0x320
[   22.180552]  ep_eventpoll_release+0x44/0x60
[   22.180558]  __fput+0x327/0x7e0
[   22.180566]  ? fput+0x140/0x140
[   22.180572]  ? _raw_spin_unlock_irq+0x27/0x70
[   22.180580]  ____fput+0x15/0x20
[   22.180587]  task_work_run+0x199/0x270
[   22.180595]  ? task_work_cancel+0x210/0x210
[   22.180600]  ? _raw_spin_unlock+0x22/0x30
[   22.180606]  ? switch_task_namespaces+0x87/0xc0
[   22.180614]  do_exit+0x9bb/0x1ad0
[   22.180621]  ? binder_ioctl+0x491/0x1417
[   22.180627]  ? mm_update_next_owner+0x930/0x930
[   22.180634]  ? binder_ioctl_write_read.isra.38+0xcb0/0xcb0
[   22.180642]  ? avc_ss_reset+0x110/0x110
[   22.180648]  ? mutex_unlock+0xd/0x10
[   22.180654]  ? SyS_epoll_ctl+0x30a/0x1a80
[   22.180672]  ? trace_event_raw_event_sched_switch+0x800/0x800
[   22.180677]  ? up_read+0x1a/0x40
[   22.180684]  ? rcu_note_context_switch+0x710/0x710
[   22.180688]  ? __fd_install+0x288/0x740
[   22.180697]  ? binder_ioctl_write_read.isra.38+0xcb0/0xcb0
[   22.180702]  ? do_vfs_ioctl+0x486/0x1520
[   22.180707]  ? _cond_resched+0x14/0x30
[   22.180715]  ? ioctl_preallocate+0x2b0/0x2b0
[   22.180722]  ? selinux_capable+0x40/0x40
[   22.180728]  ? __alloc_fd+0x750/0x750
[   22.180736]  do_group_exit+0x149/0x400
[   22.180743]  ? SyS_exit+0x30/0x30
[   22.180750]  ? trace_hardirqs_on_caller+0x421/0x5c0
[   22.180756]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[   22.180764]  SyS_exit_group+0x1d/0x20
[   22.180770]  entry_SYSCALL_64_fastpath+0x1f/0x96
[   22.180773] RIP: 0033:0x4429f8
[   22.180776] RSP: 002b:00007ffcce13a198 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
[   22.180782] RAX: ffffffffffffffda RBX: 00000000004002e0 RCX: 00000000004429f8
[   22.180785] RDX: 0000000000000000 RSI: 000000000000003c RDI: 0000000000000000
[   22.180788] RBP: 00000000006ce018 R08: 00000000000000e7 R09: ffffffffffffffd0
[   22.180792] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000401a40
[   22.180795] R13: 0000000000401ad0 R14: 0000000000000000 R15: 0000000000000000
[   22.200166] Dumping ftrace buffer:
[   22.200169]    (ftrace buffer empty)
[   22.200171] Kernel Offset: disabled
[   23.326700] Rebooting in 86400 seconds..