[....] Starting enhanced syslogd: rsyslogd[ 12.576016] audit: type=1400 audit(1513798940.599:5): avc: denied { syslog } for pid=2990 comm="rsyslogd" capability=34 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=capability2 permissive=1 [ ok ]. [....] Starting periodic command scheduler: cron [ ok ]. Starting mcstransd: [....] Starting file context maintaining daemon: restorecond [ ok ]. [....] Starting OpenBSD Secure Shell server: sshd [ ok ]. Debian GNU/Linux 7 syzkaller ttyS0 syzkaller login: [ 19.213161] audit: type=1400 audit(1513798947.236:6): avc: denied { map } for pid=3130 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1 Warning: Permanently added 'ci-upstream-mmots-kasan-gce-9,10.128.0.4' (ECDSA) to the list of known hosts. executing program [ 40.611118] audit: type=1400 audit(1513798968.634:7): avc: denied { map } for pid=3147 comm="syzkaller706405" path="/root/syzkaller706405158" dev="sda1" ino=16481 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1 [ 40.639821] ================================================================== [ 40.647248] BUG: KASAN: use-after-free in refcount_inc_not_zero+0x16e/0x180 [ 40.654323] Read of size 4 at addr ffff8801c4ac7200 by task syzkaller706405/3148 [ 40.661829] [ 40.663434] CPU: 0 PID: 3148 Comm: syzkaller706405 Not tainted 4.15.0-rc2-mm1+ #39 [ 40.671111] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 40.680438] Call Trace: [ 40.683001] dump_stack+0x194/0x257 [ 40.686604] ? arch_local_irq_restore+0x53/0x53 [ 40.691245] ? show_regs_print_info+0x18/0x18 [ 40.695719] ? refcount_inc_not_zero+0x16e/0x180 [ 40.700453] print_address_description+0x73/0x250 [ 40.705270] ? 
refcount_inc_not_zero+0x16e/0x180 [ 40.709999] kasan_report+0x25b/0x340 [ 40.713784] __asan_report_load4_noabort+0x14/0x20 [ 40.718687] refcount_inc_not_zero+0x16e/0x180 [ 40.723240] ? refcount_add+0x60/0x60 [ 40.727018] ? find_held_lock+0x39/0x1d0 [ 40.731058] ? do_mq_timedreceive+0xf50/0xf50 [ 40.735537] refcount_inc+0x15/0x50 [ 40.739137] mqueue_evict_inode+0x137/0x9c0 [ 40.743435] ? inode_wait_for_writeback+0x1f/0x40 [ 40.748302] ? evict+0x2c8/0x920 [ 40.751645] ? do_mq_timedreceive+0xf50/0xf50 [ 40.756114] ? __inode_wait_for_writeback+0x292/0x330 [ 40.761281] ? do_raw_spin_trylock+0x190/0x190 [ 40.766360] ? bit_waitqueue+0x30/0x30 [ 40.770573] ? _raw_spin_unlock+0x22/0x30 [ 40.774690] ? do_mq_timedreceive+0xf50/0xf50 [ 40.779157] evict+0x481/0x920 [ 40.782328] ? destroy_inode+0x200/0x200 [ 40.786361] ? lock_downgrade+0x980/0x980 [ 40.790488] ? __lock_acquire+0x6e9/0x47f0 [ 40.794694] ? kill_litter_super+0x72/0x90 [ 40.798908] ? _raw_spin_lock+0x32/0x40 [ 40.802853] ? _atomic_dec_and_lock+0x125/0x196 [ 40.807497] ? do_raw_spin_trylock+0x190/0x190 [ 40.812054] ? cpumask_local_spread+0x260/0x260 [ 40.816709] iput+0x7b9/0xaf0 [ 40.819794] ? evict_inodes+0x580/0x580 [ 40.823746] ? reacquire_held_locks+0x201/0x3e0 [ 40.828390] ? shrink_dentry_list+0x3b0/0xcf0 [ 40.832862] ? do_raw_spin_trylock+0x190/0x190 [ 40.837430] dentry_unlink_inode+0x4b0/0x5e0 [ 40.841818] ? release_dentry_name_snapshot+0x70/0x70 [ 40.846983] ? __lock_acquire+0x6e9/0x47f0 [ 40.851189] ? __d_drop+0x2b9/0x4b0 [ 40.854789] ? do_raw_spin_trylock+0x190/0x190 [ 40.859345] ? d_exact_alias+0x620/0x620 [ 40.863383] ? lock_acquire+0x1d5/0x580 [ 40.867335] __dentry_kill+0x3b7/0x6d0 [ 40.871201] ? check_and_drop+0x170/0x170 [ 40.875336] shrink_dentry_list+0x3c5/0xcf0 [ 40.879637] ? d_add+0xa70/0xa70 [ 40.882983] ? d_shrink_add+0x280/0x280 [ 40.886932] ? dget_parent+0x5b0/0x5b0 [ 40.890795] ? find_held_lock+0x39/0x1d0 [ 40.894838] ? 
lock_downgrade+0x980/0x980 [ 40.898961] shrink_dcache_parent+0xba/0x230 [ 40.903604] ? path_has_submounts+0x1a0/0x1a0 [ 40.908073] ? lock_release+0xda0/0xda0 [ 40.912021] ? check_noncircular+0x20/0x20 [ 40.916234] ? d_walk+0x1d2/0xb20 [ 40.919664] do_one_tree+0x15/0x50 [ 40.923176] shrink_dcache_for_umount+0xbb/0x290 [ 40.927901] ? d_walk+0x6f2/0xb20 [ 40.931330] ? d_set_mounted+0x2d0/0x2d0 [ 40.935373] ? d_find_any_alias+0x1c0/0x1c0 [ 40.939671] generic_shutdown_super+0xcd/0x540 [ 40.944227] ? destroy_super_rcu+0x240/0x240 [ 40.948618] ? unregister_shrinker+0x1d1/0x300 [ 40.953179] ? perf_trace_mm_vmscan_writepage+0x790/0x790 [ 40.958689] ? down_write+0x87/0x120 [ 40.962383] kill_litter_super+0x72/0x90 [ 40.966419] deactivate_locked_super+0x88/0xd0 [ 40.970976] deactivate_super+0x141/0x1b0 [ 40.975097] ? __sb_start_write+0x290/0x290 [ 40.979403] cleanup_mnt+0xb2/0x150 [ 40.983349] __cleanup_mnt+0x16/0x20 [ 40.987037] task_work_run+0x199/0x270 [ 40.990898] ? task_work_cancel+0x210/0x210 [ 40.995192] ? free_nsproxy+0x185/0x1f0 [ 40.999139] ? switch_task_namespaces+0xa2/0xc0 [ 41.003786] do_exit+0x9bb/0x1ae0 [ 41.007217] ? mm_update_next_owner+0x930/0x930 [ 41.011857] ? __kernel_text_address+0xd/0x40 [ 41.016325] ? unwind_get_return_address+0x61/0xa0 [ 41.021228] ? __save_stack_trace+0x7e/0xd0 [ 41.025531] ? putname+0xee/0x130 [ 41.028958] ? save_stack+0xa3/0xd0 [ 41.032556] ? save_stack+0x43/0xd0 [ 41.036154] ? kasan_slab_free+0x71/0xc0 [ 41.040187] ? kmem_cache_free+0x77/0x280 [ 41.044312] ? putname+0xee/0x130 [ 41.047742] ? do_sys_open+0x31b/0x6d0 [ 41.051606] ? SyS_creat+0x27/0x30 [ 41.055127] ? entry_SYSCALL_64_fastpath+0x1f/0x96 [ 41.060036] ? __lock_is_held+0xbc/0x140 [ 41.064085] ? __fd_install+0x288/0x740 [ 41.068038] ? get_unused_fd_flags+0x190/0x190 [ 41.072593] ? may_open_dev+0xe0/0xe0 [ 41.076375] ? rcu_pm_notify+0xc0/0xc0 [ 41.080240] ? putname+0xee/0x130 [ 41.083668] ? putname+0xee/0x130 [ 41.087096] ? 
rcu_read_lock_sched_held+0x108/0x120 [ 41.092085] ? kmem_cache_free+0x249/0x280 [ 41.096291] ? putname+0xf3/0x130 [ 41.099725] do_group_exit+0x149/0x400 [ 41.103591] ? SyS_exit+0x30/0x30 [ 41.107018] ? trace_hardirqs_on_caller+0x421/0x5c0 [ 41.112012] ? trace_hardirqs_on_thunk+0x1a/0x1c [ 41.116748] SyS_exit_group+0x1d/0x20 [ 41.120521] entry_SYSCALL_64_fastpath+0x1f/0x96 [ 41.125247] RIP: 0033:0x4406f9 [ 41.128410] RSP: 002b:00007fff4b804598 EFLAGS: 00000206 ORIG_RAX: 00000000000000e7 [ 41.136092] RAX: ffffffffffffffda RBX: 0030656c69662f2e RCX: 00000000004406f9 [ 41.143333] RDX: 00000000004406f9 RSI: 00000000004406f9 RDI: 0000000000000001 [ 41.150577] RBP: 00000000006cb018 R08: 0000000000000000 R09: 00000000004002c8 [ 41.157819] R10: 0000000000000000 R11: 0000000000000206 R12: 0000000000401bc0 [ 41.165062] R13: 0000000000401c50 R14: 0000000000000000 R15: 0000000000000000 [ 41.172322] [ 41.173921] Allocated by task 3148: [ 41.177531] save_stack+0x43/0xd0 [ 41.180953] kasan_kmalloc+0xad/0xe0 [ 41.184637] kmem_cache_alloc_trace+0x136/0x750 [ 41.189279] copy_ipcs+0x1b3/0x520 [ 41.192790] create_new_namespaces+0x278/0x880 [ 41.197345] unshare_nsproxy_namespaces+0xae/0x1e0 [ 41.202254] SyS_unshare+0x653/0xfa0 [ 41.205941] entry_SYSCALL_64_fastpath+0x1f/0x96 [ 41.210668] [ 41.212270] Freed by task 3148: [ 41.215521] save_stack+0x43/0xd0 [ 41.218949] kasan_slab_free+0x71/0xc0 [ 41.222822] kfree+0xca/0x250 [ 41.225901] put_ipc_ns+0x112/0x150 [ 41.230109] free_nsproxy+0xc0/0x1f0 [ 41.233797] switch_task_namespaces+0x9d/0xc0 [ 41.238265] exit_task_namespaces+0x17/0x20 [ 41.242560] do_exit+0x9b6/0x1ae0 [ 41.245985] do_group_exit+0x149/0x400 [ 41.249852] SyS_exit_group+0x1d/0x20 [ 41.253627] entry_SYSCALL_64_fastpath+0x1f/0x96 [ 41.258366] [ 41.259972] The buggy address belongs to the object at ffff8801c4ac7200 [ 41.259972] which belongs to the cache kmalloc-2048 of size 2048 [ 41.272861] The buggy address is located 0 bytes inside of [ 41.272861] 2048-byte region 
[ffff8801c4ac7200, ffff8801c4ac7a00) [ 41.284628] The buggy address belongs to the page: [ 41.289531] page:000000007a18834b count:1 mapcount:0 mapping:0000000033dfeba7 index:0x0 compound_mapcount: 0 [ 41.299476] flags: 0x2fffc0000008100(slab|head) [ 41.304119] raw: 02fffc0000008100 ffff8801c4ac6100 0000000000000000 0000000100000003 [ 41.311975] raw: ffffea0007127aa0 ffff8801dac01950 ffff8801dac00c40 0000000000000000 [ 41.319824] page dumped because: kasan: bad access detected [ 41.325511] [ 41.327113] Memory state around the buggy address: [ 41.332015] ffff8801c4ac7100: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 41.340304] ffff8801c4ac7180: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 41.347634] >ffff8801c4ac7200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 41.354964] ^ [ 41.358302] ffff8801c4ac7280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 41.365635] ffff8801c4ac7300: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 41.372966] ================================================================== [ 41.380294] Disabling lock debugging due to kernel taint [ 41.385782] Kernel panic - not syncing: panic_on_warn set ... [ 41.385782] [ 41.393119] CPU: 0 PID: 3148 Comm: syzkaller706405 Tainted: G B 4.15.0-rc2-mm1+ #39 [ 41.402096] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 41.411419] Call Trace: [ 41.413982] dump_stack+0x194/0x257 [ 41.417578] ? arch_local_irq_restore+0x53/0x53 [ 41.422218] ? trace_hardirqs_on_thunk+0x1a/0x1c [ 41.426941] ? vsnprintf+0x1ed/0x1900 [ 41.430712] ? refcount_inc_not_zero+0xd0/0x180 [ 41.435349] panic+0x1e4/0x41c [ 41.438510] ? refcount_error_report+0x214/0x214 [ 41.443234] ? add_taint+0x1c/0x50 [ 41.446741] ? add_taint+0x1c/0x50 [ 41.450250] ? refcount_inc_not_zero+0x16e/0x180 [ 41.454977] kasan_end_report+0x50/0x50 [ 41.458920] kasan_report+0x144/0x340 [ 41.462689] __asan_report_load4_noabort+0x14/0x20 [ 41.467585] refcount_inc_not_zero+0x16e/0x180 [ 41.472133] ? 
refcount_add+0x60/0x60 [ 41.475901] ? find_held_lock+0x39/0x1d0 [ 41.479932] ? do_mq_timedreceive+0xf50/0xf50 [ 41.484395] refcount_inc+0x15/0x50 [ 41.487989] mqueue_evict_inode+0x137/0x9c0 [ 41.492277] ? inode_wait_for_writeback+0x1f/0x40 [ 41.498055] ? evict+0x2c8/0x920 [ 41.501390] ? do_mq_timedreceive+0xf50/0xf50 [ 41.505863] ? __inode_wait_for_writeback+0x292/0x330 [ 41.511020] ? do_raw_spin_trylock+0x190/0x190 [ 41.515571] ? bit_waitqueue+0x30/0x30 [ 41.519426] ? _raw_spin_unlock+0x22/0x30 [ 41.523540] ? do_mq_timedreceive+0xf50/0xf50 [ 41.528001] evict+0x481/0x920 [ 41.531162] ? destroy_inode+0x200/0x200 [ 41.535189] ? lock_downgrade+0x980/0x980 [ 41.539305] ? __lock_acquire+0x6e9/0x47f0 [ 41.543506] ? kill_litter_super+0x72/0x90 [ 41.547710] ? _raw_spin_lock+0x32/0x40 [ 41.551651] ? _atomic_dec_and_lock+0x125/0x196 [ 41.556286] ? do_raw_spin_trylock+0x190/0x190 [ 41.560833] ? cpumask_local_spread+0x260/0x260 [ 41.565471] iput+0x7b9/0xaf0 [ 41.568549] ? evict_inodes+0x580/0x580 [ 41.572490] ? reacquire_held_locks+0x201/0x3e0 [ 41.577124] ? shrink_dentry_list+0x3b0/0xcf0 [ 41.581589] ? do_raw_spin_trylock+0x190/0x190 [ 41.586143] dentry_unlink_inode+0x4b0/0x5e0 [ 41.590519] ? release_dentry_name_snapshot+0x70/0x70 [ 41.596109] ? __lock_acquire+0x6e9/0x47f0 [ 41.600310] ? __d_drop+0x2b9/0x4b0 [ 41.603903] ? do_raw_spin_trylock+0x190/0x190 [ 41.608450] ? d_exact_alias+0x620/0x620 [ 41.612477] ? lock_acquire+0x1d5/0x580 [ 41.616416] __dentry_kill+0x3b7/0x6d0 [ 41.620282] ? check_and_drop+0x170/0x170 [ 41.624419] shrink_dentry_list+0x3c5/0xcf0 [ 41.628710] ? d_add+0xa70/0xa70 [ 41.632045] ? d_shrink_add+0x280/0x280 [ 41.635986] ? dget_parent+0x5b0/0x5b0 [ 41.639840] ? find_held_lock+0x39/0x1d0 [ 41.643879] ? lock_downgrade+0x980/0x980 [ 41.648000] shrink_dcache_parent+0xba/0x230 [ 41.652376] ? path_has_submounts+0x1a0/0x1a0 [ 41.656836] ? lock_release+0xda0/0xda0 [ 41.660778] ? check_noncircular+0x20/0x20 [ 41.664987] ? 
d_walk+0x1d2/0xb20 [ 41.668408] do_one_tree+0x15/0x50 [ 41.671915] shrink_dcache_for_umount+0xbb/0x290 [ 41.676635] ? d_walk+0x6f2/0xb20 [ 41.680056] ? d_set_mounted+0x2d0/0x2d0 [ 41.684086] ? d_find_any_alias+0x1c0/0x1c0 [ 41.688376] generic_shutdown_super+0xcd/0x540 [ 41.692925] ? destroy_super_rcu+0x240/0x240 [ 41.697309] ? unregister_shrinker+0x1d1/0x300 [ 41.701866] ? perf_trace_mm_vmscan_writepage+0x790/0x790 [ 41.707367] ? down_write+0x87/0x120 [ 41.711060] kill_litter_super+0x72/0x90 [ 41.715088] deactivate_locked_super+0x88/0xd0 [ 41.719644] deactivate_super+0x141/0x1b0 [ 41.723767] ? __sb_start_write+0x290/0x290 [ 41.728059] cleanup_mnt+0xb2/0x150 [ 41.731651] __cleanup_mnt+0x16/0x20 [ 41.735333] task_work_run+0x199/0x270 [ 41.739188] ? task_work_cancel+0x210/0x210 [ 41.743477] ? free_nsproxy+0x185/0x1f0 [ 41.747417] ? switch_task_namespaces+0xa2/0xc0 [ 41.753013] do_exit+0x9bb/0x1ae0 [ 41.757216] ? mm_update_next_owner+0x930/0x930 [ 41.761851] ? __kernel_text_address+0xd/0x40 [ 41.766311] ? unwind_get_return_address+0x61/0xa0 [ 41.771989] ? __save_stack_trace+0x7e/0xd0 [ 41.777410] ? putname+0xee/0x130 [ 41.782132] ? save_stack+0xa3/0xd0 [ 41.785733] ? save_stack+0x43/0xd0 [ 41.789326] ? kasan_slab_free+0x71/0xc0 [ 41.793354] ? kmem_cache_free+0x77/0x280 [ 41.797468] ? putname+0xee/0x130 [ 41.800887] ? do_sys_open+0x31b/0x6d0 [ 41.804737] ? SyS_creat+0x27/0x30 [ 41.808714] ? entry_SYSCALL_64_fastpath+0x1f/0x96 [ 41.813611] ? __lock_is_held+0xbc/0x140 [ 41.817646] ? __fd_install+0x288/0x740 [ 41.821585] ? get_unused_fd_flags+0x190/0x190 [ 41.826134] ? may_open_dev+0xe0/0xe0 [ 41.829902] ? rcu_pm_notify+0xc0/0xc0 [ 41.833756] ? putname+0xee/0x130 [ 41.837175] ? putname+0xee/0x130 [ 41.840594] ? rcu_read_lock_sched_held+0x108/0x120 [ 41.845577] ? kmem_cache_free+0x249/0x280 [ 41.849777] ? putname+0xf3/0x130 [ 41.853198] do_group_exit+0x149/0x400 [ 41.857061] ? SyS_exit+0x30/0x30 [ 41.860481] ? trace_hardirqs_on_caller+0x421/0x5c0 [ 41.865465] ? 
trace_hardirqs_on_thunk+0x1a/0x1c [ 41.870192] SyS_exit_group+0x1d/0x20 [ 41.873960] entry_SYSCALL_64_fastpath+0x1f/0x96 [ 41.878681] RIP: 0033:0x4406f9 [ 41.881837] RSP: 002b:00007fff4b804598 EFLAGS: 00000206 ORIG_RAX: 00000000000000e7 [ 41.889520] RAX: ffffffffffffffda RBX: 0030656c69662f2e RCX: 00000000004406f9 [ 41.896767] RDX: 00000000004406f9 RSI: 00000000004406f9 RDI: 0000000000000001 [ 41.904012] RBP: 00000000006cb018 R08: 0000000000000000 R09: 00000000004002c8 [ 41.911247] R10: 0000000000000000 R11: 0000000000000206 R12: 0000000000401bc0 [ 41.918492] R13: 0000000000401c50 R14: 0000000000000000 R15: 0000000000000000 [ 41.925936] Dumping ftrace buffer: [ 41.929440] (ftrace buffer empty) [ 41.933117] Kernel Offset: disabled [ 41.936710] Rebooting in 86400 seconds..