[....] Starting enhanced syslogd: rsyslogd
[ 11.296119] audit: type=1400 audit(1515097071.552:5): avc: denied { syslog } for pid=3340 comm="rsyslogd" capability=34 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=capability2 permissive=1
[ ok ] Starting enhanced syslogd: rsyslogd.
Starting mcstransd:
[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting file context maintaining daemon: restorecond.
[ ok ] Starting OpenBSD Secure Shell server: sshd.

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login:
[ 15.872309] audit: type=1400 audit(1515097076.128:6): avc: denied { map } for pid=3480 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
Warning: Permanently added '10.128.15.198' (ECDSA) to the list of known hosts.
executing program
[ 52.735059] audit: type=1400 audit(1515097112.991:7): avc: denied { map } for pid=3498 comm="syzkaller081358" path="/root/syzkaller081358695" dev="sda1" ino=16481 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
[ 52.739197] ==================================================================
[ 52.739209] BUG: KASAN: use-after-free in __lock_acquire+0x3d4d/0x3e00
[ 52.739213] Read of size 8 at addr ffff8801c6dbe3b0 by task syzkaller081358/3498
[ 52.739214]
[ 52.739219] CPU: 1 PID: 3498 Comm: syzkaller081358 Not tainted 4.15.0-rc6+ #247
[ 52.739222] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 52.739223] Call Trace:
[ 52.739232] dump_stack+0x194/0x257
[ 52.739236] ? arch_local_irq_restore+0x53/0x53
[ 52.739242] ? show_regs_print_info+0x18/0x18
[ 52.739246] ? print_irqtrace_events+0x270/0x270
[ 52.739250] ? __lock_acquire+0x664/0x3e00
[ 52.739254] ? __lock_acquire+0x3d4d/0x3e00
[ 52.739263] print_address_description+0x73/0x250
[ 52.739268] ? __lock_acquire+0x3d4d/0x3e00
[ 52.739273] kasan_report+0x25b/0x340
[ 52.739281] __asan_report_load8_noabort+0x14/0x20
[ 52.739285] __lock_acquire+0x3d4d/0x3e00
[ 52.739289] ? __lock_acquire+0x664/0x3e00
[ 52.739294] ? lock_downgrade+0x980/0x980
[ 52.739298] ? lock_downgrade+0x980/0x980
[ 52.739305] ? remove_wait_queue+0x81/0x350
[ 52.739312] ? debug_check_no_locks_freed+0x3c0/0x3c0
[ 52.739317] ? __lock_acquire+0x664/0x3e00
[ 52.739322] ? check_noncircular+0x20/0x20
[ 52.739332] ? debug_check_no_locks_freed+0x3c0/0x3c0
[ 52.739337] ? lock_acquire+0x1d5/0x580
[ 52.739341] ? lock_acquire+0x1d5/0x580
[ 52.739348] ? ep_free+0xf4/0x320
[ 52.739355] ? lock_release+0xa40/0xa40
[ 52.739365] ? trace_event_raw_event_sched_switch+0x800/0x800
[ 52.739369] ? print_irqtrace_events+0x270/0x270
[ 52.739375] ? rcu_note_context_switch+0x710/0x710
[ 52.739379] ? __might_sleep+0x95/0x190
[ 52.739383] ? ep_free+0xf4/0x320
[ 52.739387] ? __mutex_lock+0x16f/0x1a80
[ 52.739390] ? ep_free+0xf4/0x320
[ 52.739395] ? print_irqtrace_events+0x270/0x270
[ 52.739398] ? ep_free+0xf4/0x320
[ 52.739403] lock_acquire+0x1d5/0x580
[ 52.739406] ? lock_acquire+0x1d5/0x580
[ 52.739410] ? remove_wait_queue+0x81/0x350
[ 52.739414] ? __lock_acquire+0x664/0x3e00
[ 52.739418] ? lock_release+0xa40/0xa40
[ 52.739424] ? lock_acquire+0x1d5/0x580
[ 52.739427] ? lock_acquire+0x1d5/0x580
[ 52.739431] ? ep_unregister_pollwait.isra.7+0x323/0x590
[ 52.739436] _raw_spin_lock_irqsave+0x96/0xc0
[ 52.739440] ? remove_wait_queue+0x81/0x350
[ 52.739444] remove_wait_queue+0x81/0x350
[ 52.739449] ? add_wait_queue+0x290/0x290
[ 52.739453] ? rcutorture_record_progress+0x10/0x10
[ 52.739459] ep_unregister_pollwait.isra.7+0x18c/0x590
[ 52.739465] ? __kernel_text_address+0xd/0x40
[ 52.739470] ? clear_tfile_check_list+0x370/0x370
[ 52.739474] ? check_noncircular+0x20/0x20
[ 52.739481] ? locks_remove_file+0x3fa/0x5a0
[ 52.739487] ep_free+0x13f/0x320
[ 52.739491] ? ep_remove+0x800/0x800
[ 52.739494] ? fsnotify_first_mark+0x2b0/0x2b0
[ 52.739499] ? ep_free+0x320/0x320
[ 52.739503] ep_eventpoll_release+0x44/0x60
[ 52.739509] __fput+0x327/0x7e0
[ 52.739514] ? fput+0x140/0x140
[ 52.739519] ? _raw_spin_unlock_irq+0x27/0x70
[ 52.739524] ____fput+0x15/0x20
[ 52.739528] task_work_run+0x199/0x270
[ 52.739533] ? task_work_cancel+0x210/0x210
[ 52.739537] ? _raw_spin_unlock+0x22/0x30
[ 52.739542] ? switch_task_namespaces+0x87/0xc0
[ 52.739548] do_exit+0x9bb/0x1ad0
[ 52.739555] ? binder_ioctl+0x551/0x1417
[ 52.739559] ? mm_update_next_owner+0x930/0x930
[ 52.739564] ? binder_ioctl_write_read.isra.38+0xcb0/0xcb0
[ 52.739570] ? avc_ss_reset+0x110/0x110
[ 52.739574] ? mutex_unlock+0xd/0x10
[ 52.739578] ? SyS_epoll_ctl+0x30a/0x1ab0
[ 52.739590] ? trace_event_raw_event_sched_switch+0x800/0x800
[ 52.739593] ? up_read+0x1a/0x40
[ 52.739597] ? rcu_note_context_switch+0x710/0x710
[ 52.739600] ? __fd_install+0x288/0x740
[ 52.739606] ? binder_ioctl_write_read.isra.38+0xcb0/0xcb0
[ 52.739610] ? do_vfs_ioctl+0x486/0x1520
[ 52.739612] ? _cond_resched+0x14/0x30
[ 52.739617] ? ioctl_preallocate+0x2b0/0x2b0
[ 52.739622] ? selinux_capable+0x40/0x40
[ 52.739626] ? __alloc_fd+0x750/0x750
[ 52.739632] do_group_exit+0x149/0x400
[ 52.739636] ? SyS_exit+0x30/0x30
[ 52.739640] ? trace_hardirqs_on_caller+0x421/0x5c0
[ 52.739646] ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 52.739650] SyS_exit_group+0x1d/0x20
[ 52.739654] entry_SYSCALL_64_fastpath+0x23/0x9a
[ 52.739658] RIP: 0033:0x4429f8
[ 52.739660] RSP: 002b:00007ffd6de34728 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
[ 52.739664] RAX: ffffffffffffffda RBX: 00000000004002e0 RCX: 00000000004429f8
[ 52.739667] RDX: 0000000000000000 RSI: 000000000000003c RDI: 0000000000000000
[ 52.739669] RBP: 00000000006ce018 R08: 00000000000000e7 R09: ffffffffffffffd0
[ 52.739671] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000401a40
[ 52.739673] R13: 0000000000401ad0 R14: 0000000000000000 R15: 0000000000000000
[ 52.739678]
[ 52.739681] Allocated by task 3498:
[ 52.739684] save_stack+0x43/0xd0
[ 52.739687] kasan_kmalloc+0xad/0xe0
[ 52.739690] kmem_cache_alloc_trace+0x136/0x750
[ 52.739693] binder_get_thread+0x1cf/0x870
[ 52.739695] binder_poll+0x8c/0x390
[ 52.739699] ep_item_poll.isra.10+0xec/0x320
[ 52.739702] ep_insert+0x6a3/0x1b10
[ 52.739705] SyS_epoll_ctl+0x12e4/0x1ab0
[ 52.739708] entry_SYSCALL_64_fastpath+0x23/0x9a
[ 52.739709]
[ 52.739710] Freed by task 3498:
[ 52.739713] save_stack+0x43/0xd0
[ 52.739716] kasan_slab_free+0x71/0xc0
[ 52.739718] kfree+0xd6/0x260
[ 52.739721] binder_thread_dec_tmpref+0x27f/0x310
[ 52.739724] binder_thread_release+0x27d/0x540
[ 52.739726] binder_ioctl+0xc02/0x1417
[ 52.739729] do_vfs_ioctl+0x1b1/0x1520
[ 52.739732] SyS_ioctl+0x8f/0xc0
[ 52.739735] entry_SYSCALL_64_fastpath+0x23/0x9a
[ 52.739736]
[ 52.739739] The buggy address belongs to the object at ffff8801c6dbe300
[ 52.739739]  which belongs to the cache kmalloc-512 of size 512
[ 52.739742] The buggy address is located 176 bytes inside of
[ 52.739742]  512-byte region [ffff8801c6dbe300, ffff8801c6dbe500)
[ 52.739743] The buggy address belongs to the page:
[ 52.739747] page:000000002adaf546 count:1 mapcount:0 mapping:00000000d7cff7cf index:0x0
[ 52.739750] flags: 0x2fffc0000000100(slab)
[ 52.739756] raw: 02fffc0000000100 ffff8801c6dbe080 0000000000000000 0000000100000006
[ 52.739760] raw: ffffea00071e38a0 ffff8801dac01748 ffff8801dac00940 0000000000000000
[ 52.739761] page dumped because: kasan: bad access detected
[ 52.739762]
[ 52.739763] Memory state around the buggy address:
[ 52.739766]  ffff8801c6dbe280: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 52.739768]  ffff8801c6dbe300: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 52.739771] >ffff8801c6dbe380: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 52.739773]                                      ^
[ 52.739776]  ffff8801c6dbe400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 52.739778]  ffff8801c6dbe480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 52.739780] ==================================================================
[ 52.739781] Disabling lock debugging due to kernel taint
[ 52.739784] Kernel panic - not syncing: panic_on_warn set ...
[ 52.739784]
[ 52.739788] CPU: 1 PID: 3498 Comm: syzkaller081358 Tainted: G B 4.15.0-rc6+ #247
[ 52.739790] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 52.739791] Call Trace:
[ 52.739795] dump_stack+0x194/0x257
[ 52.739800] ? arch_local_irq_restore+0x53/0x53
[ 52.739803] ? kasan_end_report+0x32/0x50
[ 52.739807] ? lock_downgrade+0x980/0x980
[ 52.739811] ? vsnprintf+0x1ed/0x1900
[ 52.739815] ? __lock_acquire+0x3cb0/0x3e00
[ 52.739818] panic+0x1e4/0x41c
[ 52.739822] ? refcount_error_report+0x214/0x214
[ 52.739826] ? add_taint+0x40/0x50
[ 52.739829] ? add_taint+0x1c/0x50
[ 52.739833] ? __lock_acquire+0x3d4d/0x3e00
[ 52.739836] kasan_end_report+0x50/0x50
[ 52.739840] kasan_report+0x144/0x340
[ 52.739844] __asan_report_load8_noabort+0x14/0x20
[ 52.739848] __lock_acquire+0x3d4d/0x3e00
[ 52.739851] ? __lock_acquire+0x664/0x3e00
[ 52.739854] ? lock_downgrade+0x980/0x980
[ 52.739857] ? lock_downgrade+0x980/0x980
[ 52.739862] ? remove_wait_queue+0x81/0x350
[ 52.739867] ? debug_check_no_locks_freed+0x3c0/0x3c0
[ 52.739871] ? __lock_acquire+0x664/0x3e00
[ 52.739874] ? check_noncircular+0x20/0x20
[ 52.739881] ? debug_check_no_locks_freed+0x3c0/0x3c0
[ 52.739885] ? lock_acquire+0x1d5/0x580
[ 52.739888] ? lock_acquire+0x1d5/0x580
[ 52.739891] ? ep_free+0xf4/0x320
[ 52.739896] ? lock_release+0xa40/0xa40
[ 52.739900] ? trace_event_raw_event_sched_switch+0x800/0x800
[ 52.739904] ? print_irqtrace_events+0x270/0x270
[ 52.739907] ? rcu_note_context_switch+0x710/0x710
[ 52.739911] ? __might_sleep+0x95/0x190
[ 52.739915] ? ep_free+0xf4/0x320
[ 52.739918] ? __mutex_lock+0x16f/0x1a80
[ 52.739921] ? ep_free+0xf4/0x320
[ 52.739925] ? print_irqtrace_events+0x270/0x270
[ 52.739928] ? ep_free+0xf4/0x320
[ 52.739933] lock_acquire+0x1d5/0x580
[ 52.739936] ? lock_acquire+0x1d5/0x580
[ 52.739939] ? remove_wait_queue+0x81/0x350
[ 52.739943] ? __lock_acquire+0x664/0x3e00
[ 52.739947] ? lock_release+0xa40/0xa40
[ 52.739952] ? lock_acquire+0x1d5/0x580
[ 52.739955] ? lock_acquire+0x1d5/0x580
[ 52.739959] ? ep_unregister_pollwait.isra.7+0x323/0x590
[ 52.739963] _raw_spin_lock_irqsave+0x96/0xc0
[ 52.739967] ? remove_wait_queue+0x81/0x350
[ 52.739970] remove_wait_queue+0x81/0x350
[ 52.739975] ? add_wait_queue+0x290/0x290
[ 52.739978] ? rcutorture_record_progress+0x10/0x10
[ 52.739984] ep_unregister_pollwait.isra.7+0x18c/0x590
[ 52.739988] ? __kernel_text_address+0xd/0x40
[ 52.739993] ? clear_tfile_check_list+0x370/0x370
[ 52.739997] ? check_noncircular+0x20/0x20
[ 52.740005] ? locks_remove_file+0x3fa/0x5a0
[ 52.740010] ep_free+0x13f/0x320
[ 52.740014] ? ep_remove+0x800/0x800
[ 52.740017] ? fsnotify_first_mark+0x2b0/0x2b0
[ 52.740022] ? ep_free+0x320/0x320
[ 52.740025] ep_eventpoll_release+0x44/0x60
[ 52.740029] __fput+0x327/0x7e0
[ 52.740034] ? fput+0x140/0x140
[ 52.740038] ? _raw_spin_unlock_irq+0x27/0x70
[ 52.740042] ____fput+0x15/0x20
[ 52.740046] task_work_run+0x199/0x270
[ 52.740051] ? task_work_cancel+0x210/0x210
[ 52.740055] ? _raw_spin_unlock+0x22/0x30
[ 52.740058] ? switch_task_namespaces+0x87/0xc0
[ 52.740062] do_exit+0x9bb/0x1ad0
[ 52.740067] ? binder_ioctl+0x551/0x1417
[ 52.740070] ? mm_update_next_owner+0x930/0x930
[ 52.740075] ? binder_ioctl_write_read.isra.38+0xcb0/0xcb0
[ 52.740079] ? avc_ss_reset+0x110/0x110
[ 52.740082] ? mutex_unlock+0xd/0x10
[ 52.740086] ? SyS_epoll_ctl+0x30a/0x1ab0
[ 52.740096] ? trace_event_raw_event_sched_switch+0x800/0x800
[ 52.740099] ? up_read+0x1a/0x40
[ 52.740103] ? rcu_note_context_switch+0x710/0x710
[ 52.740106] ? __fd_install+0x288/0x740
[ 52.740111] ? binder_ioctl_write_read.isra.38+0xcb0/0xcb0
[ 52.740114] ? do_vfs_ioctl+0x486/0x1520
[ 52.740117] ? _cond_resched+0x14/0x30
[ 52.740121] ? ioctl_preallocate+0x2b0/0x2b0
[ 52.740125] ? selinux_capable+0x40/0x40
[ 52.740129] ? __alloc_fd+0x750/0x750
[ 52.740134] do_group_exit+0x149/0x400
[ 52.740138] ? SyS_exit+0x30/0x30
[ 52.740142] ? trace_hardirqs_on_caller+0x421/0x5c0
[ 52.740146] ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 52.740150] SyS_exit_group+0x1d/0x20
[ 52.740154] entry_SYSCALL_64_fastpath+0x23/0x9a
[ 52.740156] RIP: 0033:0x4429f8
[ 52.740158] RSP: 002b:00007ffd6de34728 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
[ 52.740161] RAX: ffffffffffffffda RBX: 00000000004002e0 RCX: 00000000004429f8
[ 52.740163] RDX: 0000000000000000 RSI: 000000000000003c RDI: 0000000000000000
[ 52.740165] RBP: 00000000006ce018 R08: 00000000000000e7 R09: ffffffffffffffd0
[ 52.740167] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000401a40
[ 52.740169] R13: 0000000000401ad0 R14: 0000000000000000 R15: 0000000000000000
[ 52.760970] Dumping ftrace buffer:
[ 52.760973] (ftrace buffer empty)
[ 52.760975] Kernel Offset: disabled
[ 53.883207] Rebooting in 86400 seconds..