[ ok ] Starting enhanced syslogd: rsyslogd.
[ 14.909225] audit: type=1400 audit(1520596565.988:5): avc: denied { syslog } for pid=4037 comm="rsyslogd" capability=34 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=capability2 permissive=1
[ ok ] Starting periodic command scheduler: cron.
Starting mcstransd:
[ ok ] Starting OpenBSD Secure Shell server: sshd.
[ ok ] Starting file context maintaining daemon: restorecond.

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [ 18.843154] audit: type=1400 audit(1520596569.921:6): avc: denied { map } for pid=4177 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
Warning: Permanently added '10.128.0.10' (ECDSA) to the list of known hosts.
executing program
[ 39.938990] audit: type=1400 audit(1520596591.017:7): avc: denied { map } for pid=4194 comm="syzkaller536848" path="/root/syzkaller536848646" dev="sda1" ino=16481 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
[ 39.966473] ==================================================================
[ 39.973902] BUG: KASAN: use-after-free in ucma_close+0x2d7/0x2f0
[ 39.980019] Read of size 8 at addr ffff8801bbe19e40 by task syzkaller536848/4194
[ 39.987521]
[ 39.989123] CPU: 0 PID: 4194 Comm: syzkaller536848 Not tainted 4.16.0-rc4+ #346
[ 39.996566] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 40.005893] Call Trace:
[ 40.008458]  dump_stack+0x194/0x24d
[ 40.012059]  ? arch_local_irq_restore+0x53/0x53
[ 40.016698]  ? show_regs_print_info+0x18/0x18
[ 40.021183]  ? ucma_close+0x2d7/0x2f0
[ 40.024956]  print_address_description+0x73/0x250
[ 40.029773]  ? ucma_close+0x2d7/0x2f0
[ 40.033544]  kasan_report+0x23c/0x360
[ 40.037326]  __asan_report_load8_noabort+0x14/0x20
[ 40.042226]  ucma_close+0x2d7/0x2f0
[ 40.045826]  ? __might_sleep+0x95/0x190
[ 40.049775]  ? ucma_free_ctx+0xd90/0xd90
[ 40.053807]  __fput+0x327/0x7e0
[ 40.057061]  ? fput+0x140/0x140
[ 40.060312]  ? _raw_spin_unlock_irq+0x27/0x70
[ 40.064782]  ____fput+0x15/0x20
[ 40.068033]  task_work_run+0x199/0x270
[ 40.071894]  ? task_work_cancel+0x210/0x210
[ 40.076183]  ? _raw_spin_unlock+0x22/0x30
[ 40.080302]  ? switch_task_namespaces+0x87/0xc0
[ 40.084953]  do_exit+0x9bb/0x1ad0
[ 40.088375]  ? ucma_create_id+0x45b/0x620
[ 40.092499]  ? mm_update_next_owner+0x930/0x930
[ 40.097140]  ? ucma_create_id+0x17b/0x620
[ 40.101258]  ? ucma_get_event+0xa90/0xa90
[ 40.105381]  ? __might_sleep+0x95/0x190
[ 40.109330]  ? kasan_check_write+0x14/0x20
[ 40.113535]  ? _copy_from_user+0x99/0x110
[ 40.117658]  ? ucma_write+0x11f/0x3d0
[ 40.121428]  ? ucma_get_event+0xa90/0xa90
[ 40.125548]  ? ucma_resolve_route+0x1a0/0x1a0
[ 40.130022]  ? ucma_resolve_route+0x1a0/0x1a0
[ 40.134488]  ? __vfs_write+0xf7/0x970
[ 40.138261]  ? rcu_note_context_switch+0x710/0x710
[ 40.143161]  ? kernel_read+0x120/0x120
[ 40.147017]  ? __might_sleep+0x95/0x190
[ 40.150967]  ? _cond_resched+0x14/0x30
[ 40.154824]  ? __inode_security_revalidate+0xd9/0x130
[ 40.159991]  ? avc_policy_seqno+0x9/0x20
[ 40.164028]  ? security_file_permission+0x89/0x1e0
[ 40.168929]  ? rw_verify_area+0xe5/0x2b0
[ 40.172965]  ? __fdget_raw+0x20/0x20
[ 40.176652]  ? vfs_write+0x224/0x510
[ 40.180341]  do_group_exit+0x149/0x400
[ 40.184199]  ? SyS_write+0x184/0x220
[ 40.187880]  ? filp_open+0x70/0x70
[ 40.191391]  ? SyS_exit+0x30/0x30
[ 40.194812]  ? SyS_read+0x220/0x220
[ 40.198415]  ? do_syscall_64+0xb7/0x940
[ 40.202360]  ? do_group_exit+0x400/0x400
[ 40.206393]  SyS_exit_group+0x1d/0x20
[ 40.210164]  do_syscall_64+0x281/0x940
[ 40.214021]  ? __do_page_fault+0xc90/0xc90
[ 40.218225]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 40.222949]  ? syscall_return_slowpath+0x550/0x550
[ 40.227850]  ? syscall_return_slowpath+0x2ac/0x550
[ 40.232748]  ? prepare_exit_to_usermode+0x350/0x350
[ 40.237735]  ? entry_SYSCALL_64_after_hwframe+0x52/0xb7
[ 40.243071]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 40.247888]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 40.253049] RIP: 0033:0x43e938
[ 40.256206] RSP: 002b:00007ffda9fe0b18 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
[ 40.263886] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 000000000043e938
[ 40.271124] RDX: 0000000000000000 RSI: 000000000000003c RDI: 0000000000000000
[ 40.278371] RBP: 00000000004be300 R08: 00000000000000e7 R09: ffffffffffffffd0
[ 40.285609] R10: 00000000004002c8 R11: 0000000000000246 R12: 0000000000000001
[ 40.292854] R13: 00000000006cc160 R14: 0000000000000000 R15: 0000000000000000
[ 40.300108]
[ 40.301708] Allocated by task 4194:
[ 40.305306]  save_stack+0x43/0xd0
[ 40.308727]  kasan_kmalloc+0xad/0xe0
[ 40.312410]  kmem_cache_alloc_trace+0x136/0x740
[ 40.317046]  ucma_alloc_ctx+0xce/0x610
[ 40.320899]  ucma_create_id+0x205/0x620
[ 40.324840]  ucma_write+0x2d6/0x3d0
[ 40.328433]  __vfs_write+0xef/0x970
[ 40.332029]  vfs_write+0x189/0x510
[ 40.335542]  SyS_write+0xef/0x220
[ 40.338962]  do_syscall_64+0x281/0x940
[ 40.342820]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 40.347973]
[ 40.349570] Freed by task 4194:
[ 40.352818]  save_stack+0x43/0xd0
[ 40.356240]  __kasan_slab_free+0x11a/0x170
[ 40.360441]  kasan_slab_free+0xe/0x10
[ 40.364207]  kfree+0xd9/0x260
[ 40.367282]  ucma_create_id+0x45b/0x620
[ 40.371225]  ucma_write+0x2d6/0x3d0
[ 40.374821]  __vfs_write+0xef/0x970
[ 40.378413]  vfs_write+0x189/0x510
[ 40.381919]  SyS_write+0xef/0x220
[ 40.385337]  do_syscall_64+0x281/0x940
[ 40.389190]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 40.394344]
[ 40.395941] The buggy address belongs to the object at ffff8801bbe19dc0
[ 40.395941]  which belongs to the cache kmalloc-256 of size 256
[ 40.408563] The buggy address is located 128 bytes inside of
[ 40.408563]  256-byte region [ffff8801bbe19dc0, ffff8801bbe19ec0)
[ 40.420401] The buggy address belongs to the page:
[ 40.425300] page:ffffea0006ef8640 count:1 mapcount:0 mapping:ffff8801bbe19000 index:0x0
[ 40.433412] flags: 0x2fffc0000000100(slab)
[ 40.437616] raw: 02fffc0000000100 ffff8801bbe19000 0000000000000000 000000010000000c
[ 40.445465] raw: ffffea0006efc2a0 ffffea0006e753e0 ffff8801dac007c0 0000000000000000
[ 40.453309] page dumped because: kasan: bad access detected
[ 40.458994]
[ 40.460589] Memory state around the buggy address:
[ 40.465494]  ffff8801bbe19d00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 fc
[ 40.472821]  ffff8801bbe19d80: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
[ 40.480149] >ffff8801bbe19e00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 40.487478]                                            ^
[ 40.492894]  ffff8801bbe19e80: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 40.500218]  ffff8801bbe19f00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 40.507545] ==================================================================
[ 40.514869] Disabling lock debugging due to kernel taint
[ 40.520366] Kernel panic - not syncing: panic_on_warn set ...
[ 40.520366]
[ 40.527705] CPU: 0 PID: 4194 Comm: syzkaller536848 Tainted: G B 4.16.0-rc4+ #346
[ 40.536422] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 40.545749] Call Trace:
[ 40.548310]  dump_stack+0x194/0x24d
[ 40.551919]  ? arch_local_irq_restore+0x53/0x53
[ 40.556559]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 40.561285]  ? vsnprintf+0x1ed/0x1900
[ 40.565054]  ? ucma_close+0x240/0x2f0
[ 40.568826]  panic+0x1e4/0x41c
[ 40.571986]  ? refcount_error_report+0x214/0x214
[ 40.576711]  ? add_taint+0x1c/0x50
[ 40.580218]  ? add_taint+0x1c/0x50
[ 40.583728]  ? ucma_close+0x2d7/0x2f0
[ 40.587501]  kasan_end_report+0x50/0x50
[ 40.591445]  kasan_report+0x149/0x360
[ 40.595214]  __asan_report_load8_noabort+0x14/0x20
[ 40.600117]  ucma_close+0x2d7/0x2f0
[ 40.603716]  ? __might_sleep+0x95/0x190
[ 40.607681]  ? ucma_free_ctx+0xd90/0xd90
[ 40.611731]  __fput+0x327/0x7e0
[ 40.614986]  ? fput+0x140/0x140
[ 40.618235]  ? _raw_spin_unlock_irq+0x27/0x70
[ 40.622707]  ____fput+0x15/0x20
[ 40.625956]  task_work_run+0x199/0x270
[ 40.629810]  ? task_work_cancel+0x210/0x210
[ 40.634109]  ? _raw_spin_unlock+0x22/0x30
[ 40.638224]  ? switch_task_namespaces+0x87/0xc0
[ 40.642863]  do_exit+0x9bb/0x1ad0
[ 40.646283]  ? ucma_create_id+0x45b/0x620
[ 40.650400]  ? mm_update_next_owner+0x930/0x930
[ 40.655037]  ? ucma_create_id+0x17b/0x620
[ 40.659154]  ? ucma_get_event+0xa90/0xa90
[ 40.663272]  ? __might_sleep+0x95/0x190
[ 40.667217]  ? kasan_check_write+0x14/0x20
[ 40.671422]  ? _copy_from_user+0x99/0x110
[ 40.675542]  ? ucma_write+0x11f/0x3d0
[ 40.679317]  ? ucma_get_event+0xa90/0xa90
[ 40.683434]  ? ucma_resolve_route+0x1a0/0x1a0
[ 40.687901]  ? ucma_resolve_route+0x1a0/0x1a0
[ 40.692365]  ? __vfs_write+0xf7/0x970
[ 40.696402]  ? rcu_note_context_switch+0x710/0x710
[ 40.701301]  ? kernel_read+0x120/0x120
[ 40.705156]  ? __might_sleep+0x95/0x190
[ 40.709192]  ? _cond_resched+0x14/0x30
[ 40.713050]  ? __inode_security_revalidate+0xd9/0x130
[ 40.718226]  ? avc_policy_seqno+0x9/0x20
[ 40.722258]  ? security_file_permission+0x89/0x1e0
[ 40.727158]  ? rw_verify_area+0xe5/0x2b0
[ 40.731185]  ? __fdget_raw+0x20/0x20
[ 40.734868]  ? vfs_write+0x224/0x510
[ 40.738551]  do_group_exit+0x149/0x400
[ 40.742405]  ? SyS_write+0x184/0x220
[ 40.746086]  ? filp_open+0x70/0x70
[ 40.749595]  ? SyS_exit+0x30/0x30
[ 40.753015]  ? SyS_read+0x220/0x220
[ 40.756613]  ? do_syscall_64+0xb7/0x940
[ 40.760555]  ? do_group_exit+0x400/0x400
[ 40.764583]  SyS_exit_group+0x1d/0x20
[ 40.768353]  do_syscall_64+0x281/0x940
[ 40.772222]  ? __do_page_fault+0xc90/0xc90
[ 40.776428]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 40.781152]  ? syscall_return_slowpath+0x550/0x550
[ 40.786050]  ? syscall_return_slowpath+0x2ac/0x550
[ 40.790946]  ? prepare_exit_to_usermode+0x350/0x350
[ 40.795931]  ? entry_SYSCALL_64_after_hwframe+0x52/0xb7
[ 40.801265]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 40.806079]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 40.811243] RIP: 0033:0x43e938
[ 40.814401] RSP: 002b:00007ffda9fe0b18 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
[ 40.822162] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 000000000043e938
[ 40.829486] RDX: 0000000000000000 RSI: 000000000000003c RDI: 0000000000000000
[ 40.836724] RBP: 00000000004be300 R08: 00000000000000e7 R09: ffffffffffffffd0
[ 40.843964] R10: 00000000004002c8 R11: 0000000000000246 R12: 0000000000000001
[ 40.851201] R13: 00000000006cc160 R14: 0000000000000000 R15: 0000000000000000
[ 40.858814] Dumping ftrace buffer:
[ 40.862322]    (ftrace buffer empty)
[ 40.866000] Kernel Offset: disabled
[ 40.869600] Rebooting in 86400 seconds..