[....] Starting enhanced syslogd: rsyslogd[   11.613135] audit: type=1400 audit(1514235187.295:5): avc:  denied  { syslog } for  pid=2999 comm="rsyslogd" capability=34  scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=capability2 permissive=1
[?25l[?1c7[1G[[32m ok [39;49m8[?25h[?0c.
[....] Starting file context maintaining daemon: restorecond[?25l[?1c7[1G[[32m ok [39;49m8[?25h[?0c.
Starting mcstransd: 
[....] Starting periodic command scheduler: cron[?25l[?1c7[1G[[32m ok [39;49m8[?25h[?0c.
[....] Starting OpenBSD Secure Shell server: sshd[?25l[?1c7[1G[[32m ok [39;49m8[?25h[?0c.

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [   16.436167] audit: type=1400 audit(1514235192.118:6): avc:  denied  { map } for  pid=3138 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
Warning: Permanently added 'ci-upstream-kasan-gce-386-4,10.128.15.203' (ECDSA) to the list of known hosts.
executing program
[   22.614140] audit: type=1400 audit(1514235198.296:7): avc:  denied  { map } for  pid=3152 comm="syzkaller855474" path="/root/syzkaller855474623" dev="sda1" ino=16481 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
[   22.618539] ==================================================================
[   22.618554] BUG: KASAN: use-after-free in __lock_acquire+0x3d4d/0x3e00
[   22.618557] Read of size 8 at addr ffff8801ca1065f0 by task syzkaller855474/3152
[   22.618558] 
[   22.618564] CPU: 1 PID: 3152 Comm: syzkaller855474 Not tainted 4.15.0-rc5+ #147
[   22.618566] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   22.618568] Call Trace:
[   22.618576]  dump_stack+0x194/0x257
[   22.618581]  ? arch_local_irq_restore+0x53/0x53
[   22.618589]  ? show_regs_print_info+0x18/0x18
[   22.618593]  ? print_irqtrace_events+0x270/0x270
[   22.618599]  ? __lock_acquire+0x664/0x3e00
[   22.618604]  ? __lock_acquire+0x3d4d/0x3e00
[   22.618618]  print_address_description+0x73/0x250
[   22.618622]  ? __lock_acquire+0x3d4d/0x3e00
[   22.618627]  kasan_report+0x25b/0x340
[   22.618634]  __asan_report_load8_noabort+0x14/0x20
[   22.618638]  __lock_acquire+0x3d4d/0x3e00
[   22.618642]  ? __lock_acquire+0x664/0x3e00
[   22.618647]  ? lock_downgrade+0x980/0x980
[   22.618651]  ? lock_downgrade+0x980/0x980
[   22.618656]  ? print_irqtrace_events+0x270/0x270
[   22.618663]  ? remove_wait_queue+0x81/0x350
[   22.618670]  ? debug_check_no_locks_freed+0x3c0/0x3c0
[   22.618676]  ? __lock_acquire+0x664/0x3e00
[   22.618681]  ? check_noncircular+0x20/0x20
[   22.618691]  ? debug_check_no_locks_freed+0x3c0/0x3c0
[   22.618696]  ? lock_acquire+0x1d5/0x580
[   22.618701]  ? lock_acquire+0x1d5/0x580
[   22.618707]  ? ep_free+0xf4/0x320
[   22.618714]  ? lock_release+0xa40/0xa40
[   22.618721]  ? trace_event_raw_event_sched_switch+0x800/0x800
[   22.618726]  ? print_irqtrace_events+0x270/0x270
[   22.618731]  ? print_irqtrace_events+0x270/0x270
[   22.618738]  ? rcu_note_context_switch+0x710/0x710
[   22.618744]  ? __might_sleep+0x95/0x190
[   22.618748]  ? ep_free+0xf4/0x320
[   22.618754]  ? __mutex_lock+0x16f/0x1a80
[   22.618758]  ? ep_free+0xf4/0x320
[   22.618763]  ? print_irqtrace_events+0x270/0x270
[   22.618767]  ? ep_free+0xf4/0x320
[   22.618774]  lock_acquire+0x1d5/0x580
[   22.618779]  ? lock_acquire+0x1d5/0x580
[   22.618782]  ? remove_wait_queue+0x81/0x350
[   22.618787]  ? lock_release+0xa40/0xa40
[   22.618792]  ? lock_acquire+0x1d5/0x580
[   22.618795]  ? debug_check_no_locks_freed+0x3c0/0x3c0
[   22.618798]  ? lock_acquire+0x1d5/0x580
[   22.618801]  ? ep_unregister_pollwait.isra.7+0x323/0x590
[   22.618807]  _raw_spin_lock_irqsave+0x96/0xc0
[   22.618811]  ? remove_wait_queue+0x81/0x350
[   22.618814]  remove_wait_queue+0x81/0x350
[   22.618821]  ? depot_save_stack+0x3b5/0x490
[   22.618825]  ? add_wait_queue+0x290/0x290
[   22.618829]  ? rcutorture_record_progress+0x10/0x10
[   22.618834]  ? lock_release+0xa40/0xa40
[   22.618841]  ep_unregister_pollwait.isra.7+0x18c/0x590
[   22.618850]  ? __kernel_text_address+0xd/0x40
[   22.618856]  ? clear_tfile_check_list+0x370/0x370
[   22.618860]  ? check_noncircular+0x20/0x20
[   22.618866]  ? locks_remove_file+0x3fa/0x5a0
[   22.618871]  ep_free+0x13f/0x320
[   22.618874]  ? ep_remove+0x800/0x800
[   22.618881]  ? fsnotify_first_mark+0x2b0/0x2b0
[   22.618885]  ? ep_free+0x320/0x320
[   22.618888]  ep_eventpoll_release+0x44/0x60
[   22.618894]  __fput+0x327/0x7e0
[   22.618899]  ? fput+0x140/0x140
[   22.618903]  ? _raw_spin_unlock_irq+0x27/0x70
[   22.618907]  ____fput+0x15/0x20
[   22.618911]  task_work_run+0x199/0x270
[   22.618915]  ? task_work_cancel+0x210/0x210
[   22.618919]  ? _raw_spin_unlock+0x22/0x30
[   22.618923]  ? switch_task_namespaces+0x87/0xc0
[   22.618930]  do_exit+0x9bb/0x1ad0
[   22.618935]  ? __handle_mm_fault+0x2330/0x3ce0
[   22.618940]  ? mm_update_next_owner+0x930/0x930
[   22.618947]  ? do_raw_spin_trylock+0x190/0x190
[   22.618951]  ? trace_event_raw_event_sched_switch+0x800/0x800
[   22.618955]  ? check_noncircular+0x20/0x20
[   22.618959]  ? _raw_spin_unlock+0x22/0x30
[   22.618963]  ? __handle_mm_fault+0x80e/0x3ce0
[   22.618970]  ? check_noncircular+0x20/0x20
[   22.618974]  ? __pmd_alloc+0x4e0/0x4e0
[   22.618978]  ? lock_downgrade+0x980/0x980
[   22.618984]  ? find_held_lock+0x35/0x1d0
[   22.618991]  ? handle_mm_fault+0x248/0x8d0
[   22.618997]  ? find_held_lock+0x35/0x1d0
[   22.619010]  ? __do_page_fault+0x5f7/0xc90
[   22.619014]  ? lock_downgrade+0x980/0x980
[   22.619018]  ? handle_mm_fault+0x410/0x8d0
[   22.619022]  ? down_read_trylock+0xdb/0x170
[   22.619025]  ? __do_page_fault+0x32d/0xc90
[   22.619028]  ? __handle_mm_fault+0x3ce0/0x3ce0
[   22.619034]  ? vmacache_find+0x5f/0x280
[   22.619039]  do_group_exit+0x149/0x400
[   22.619042]  ? __do_page_fault+0x3d6/0xc90
[   22.619046]  ? SyS_exit+0x30/0x30
[   22.619053]  ? do_fast_syscall_32+0x156/0xf9d
[   22.619056]  ? do_group_exit+0x400/0x400
[   22.619062]  SyS_exit_group+0x1d/0x20
[   22.619067]  do_fast_syscall_32+0x3ee/0xf9d
[   22.619074]  ? do_int80_syscall_32+0x9d0/0x9d0
[   22.619080]  ? kasan_check_read+0x11/0x20
[   22.619084]  ? syscall_return_slowpath+0x550/0x550
[   22.619090]  ? SyS_rt_sigaction+0x94/0x1b0
[   22.619094]  ? SyS_sigprocmask+0x4b0/0x4b0
[   22.619097]  ? SyS_read+0x184/0x220
[   22.619101]  ? retint_user+0x18/0x18
[   22.619106]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   22.619112]  entry_SYSENTER_compat+0x54/0x63
[   22.619116] RIP: 0023:0xf7f5fc79
[   22.619118] RSP: 002b:00000000fff9b63c EFLAGS: 00000292 ORIG_RAX: 00000000000000fc
[   22.619123] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00000000080f0298
[   22.619125] RDX: 0000000000000000 RSI: 00000000080d9ad8 RDI: 00000000080f02a0
[   22.619128] RBP: 0000000000000001 R08: 0000000000000000 R09: 0000000000000000
[   22.619130] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
[   22.619131] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[   22.619136] 
[   22.619138] Allocated by task 3152:
[   22.619141]  save_stack+0x43/0xd0
[   22.619144]  kasan_kmalloc+0xad/0xe0
[   22.619151]  kmem_cache_alloc_trace+0x136/0x750
[   22.619157]  binder_get_thread+0x1cf/0x870
[   22.619160]  binder_poll+0x8c/0x390
[   22.619162]  ep_item_poll.isra.10+0xec/0x320
[   22.619165]  ep_insert+0x6a3/0x1b10
[   22.619167]  SyS_epoll_ctl+0x12e4/0x1ab0
[   22.619170]  do_fast_syscall_32+0x3ee/0xf9d
[   22.619174]  entry_SYSENTER_compat+0x54/0x63
[   22.619174] 
[   22.619176] Freed by task 3152:
[   22.619178]  save_stack+0x43/0xd0
[   22.619181]  kasan_slab_free+0x71/0xc0
[   22.619183]  kfree+0xd6/0x260
[   22.619187]  binder_thread_dec_tmpref+0x27f/0x310
[   22.619190]  binder_thread_release+0x27d/0x540
[   22.619193]  binder_ioctl+0xc02/0x1417
[   22.619196]  compat_SyS_ioctl+0x151/0x2a30
[   22.619199]  do_fast_syscall_32+0x3ee/0xf9d
[   22.619202]  entry_SYSENTER_compat+0x54/0x63
[   22.619203] 
[   22.619206] The buggy address belongs to the object at ffff8801ca106540
[   22.619206]  which belongs to the cache kmalloc-512 of size 512
[   22.619209] The buggy address is located 176 bytes inside of
[   22.619209]  512-byte region [ffff8801ca106540, ffff8801ca106740)
[   22.619211] The buggy address belongs to the page:
[   22.619214] page:000000003f764477 count:1 mapcount:0 mapping:000000009ff408df index:0x0
[   22.619218] flags: 0x2fffc0000000100(slab)
[   22.619224] raw: 02fffc0000000100 ffff8801ca106040 0000000000000000 0000000100000006
[   22.619228] raw: ffffea0007284120 ffffea0007283e60 ffff8801db000940 0000000000000000
[   22.619230] page dumped because: kasan: bad access detected
[   22.619230] 
[   22.619231] Memory state around the buggy address:
[   22.619234]  ffff8801ca106480: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[   22.619237]  ffff8801ca106500: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
[   22.619239] >ffff8801ca106580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   22.619241]                                                              ^
[   22.619244]  ffff8801ca106600: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   22.619246]  ffff8801ca106680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   22.619247] ==================================================================
[   22.619248] Disabling lock debugging due to kernel taint
[   22.619251] Kernel panic - not syncing: panic_on_warn set ...
[   22.619251] 
[   22.619255] CPU: 1 PID: 3152 Comm: syzkaller855474 Tainted: G    B            4.15.0-rc5+ #147
[   22.619258] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   22.619259] Call Trace:
[   22.619264]  dump_stack+0x194/0x257
[   22.619268]  ? arch_local_irq_restore+0x53/0x53
[   22.619271]  ? kasan_end_report+0x32/0x50
[   22.619275]  ? lock_downgrade+0x980/0x980
[   22.619280]  ? vsnprintf+0x1ed/0x1900
[   22.619283]  ? __lock_acquire+0x3cd0/0x3e00
[   22.619287]  panic+0x1e4/0x41c
[   22.619290]  ? refcount_error_report+0x214/0x214
[   22.619294]  ? add_taint+0x40/0x50
[   22.619297]  ? add_taint+0x1c/0x50
[   22.619301]  ? __lock_acquire+0x3d4d/0x3e00
[   22.619304]  kasan_end_report+0x50/0x50
[   22.619307]  kasan_report+0x144/0x340
[   22.619311]  __asan_report_load8_noabort+0x14/0x20
[   22.619315]  __lock_acquire+0x3d4d/0x3e00
[   22.619318]  ? __lock_acquire+0x664/0x3e00
[   22.619321]  ? lock_downgrade+0x980/0x980
[   22.619324]  ? lock_downgrade+0x980/0x980
[   22.619328]  ? print_irqtrace_events+0x270/0x270
[   22.619331]  ? remove_wait_queue+0x81/0x350
[   22.619336]  ? debug_check_no_locks_freed+0x3c0/0x3c0
[   22.619340]  ? __lock_acquire+0x664/0x3e00
[   22.619343]  ? check_noncircular+0x20/0x20
[   22.619349]  ? debug_check_no_locks_freed+0x3c0/0x3c0
[   22.619353]  ? lock_acquire+0x1d5/0x580
[   22.619356]  ? lock_acquire+0x1d5/0x580
[   22.619359]  ? ep_free+0xf4/0x320
[   22.619364]  ? lock_release+0xa40/0xa40
[   22.619367]  ? trace_event_raw_event_sched_switch+0x800/0x800
[   22.619370]  ? print_irqtrace_events+0x270/0x270
[   22.619373]  ? print_irqtrace_events+0x270/0x270
[   22.619377]  ? rcu_note_context_switch+0x710/0x710
[   22.619381]  ? __might_sleep+0x95/0x190
[   22.619384]  ? ep_free+0xf4/0x320
[   22.619387]  ? __mutex_lock+0x16f/0x1a80
[   22.619390]  ? ep_free+0xf4/0x320
[   22.619394]  ? print_irqtrace_events+0x270/0x270
[   22.619396]  ? ep_free+0xf4/0x320
[   22.619401]  lock_acquire+0x1d5/0x580
[   22.619404]  ? lock_acquire+0x1d5/0x580
[   22.619407]  ? remove_wait_queue+0x81/0x350
[   22.619412]  ? lock_release+0xa40/0xa40
[   22.619416]  ? lock_acquire+0x1d5/0x580
[   22.619420]  ? debug_check_no_locks_freed+0x3c0/0x3c0
[   22.619423]  ? lock_acquire+0x1d5/0x580
[   22.619426]  ? ep_unregister_pollwait.isra.7+0x323/0x590
[   22.619430]  _raw_spin_lock_irqsave+0x96/0xc0
[   22.619433]  ? remove_wait_queue+0x81/0x350
[   22.619437]  remove_wait_queue+0x81/0x350
[   22.619440]  ? depot_save_stack+0x3b5/0x490
[   22.619444]  ? add_wait_queue+0x290/0x290
[   22.619448]  ? rcutorture_record_progress+0x10/0x10
[   22.619452]  ? lock_release+0xa40/0xa40
[   22.619459]  ep_unregister_pollwait.isra.7+0x18c/0x590
[   22.619465]  ? __kernel_text_address+0xd/0x40
[   22.619471]  ? clear_tfile_check_list+0x370/0x370
[   22.619476]  ? check_noncircular+0x20/0x20
[   22.619482]  ? locks_remove_file+0x3fa/0x5a0
[   22.619488]  ep_free+0x13f/0x320
[   22.619493]  ? ep_remove+0x800/0x800
[   22.619498]  ? fsnotify_first_mark+0x2b0/0x2b0
[   22.619503]  ? ep_free+0x320/0x320
[   22.619508]  ep_eventpoll_release+0x44/0x60
[   22.619512]  __fput+0x327/0x7e0
[   22.619518]  ? fput+0x140/0x140
[   22.619523]  ? _raw_spin_unlock_irq+0x27/0x70
[   22.619530]  ____fput+0x15/0x20
[   22.619536]  task_work_run+0x199/0x270
[   22.619540]  ? task_work_cancel+0x210/0x210
[   22.619544]  ? _raw_spin_unlock+0x22/0x30
[   22.619552]  ? switch_task_namespaces+0x87/0xc0
[   22.619556]  do_exit+0x9bb/0x1ad0
[   22.619560]  ? __handle_mm_fault+0x2330/0x3ce0
[   22.619564]  ? mm_update_next_owner+0x930/0x930
[   22.619569]  ? do_raw_spin_trylock+0x190/0x190
[   22.619573]  ? trace_event_raw_event_sched_switch+0x800/0x800
[   22.619576]  ? check_noncircular+0x20/0x20
[   22.619580]  ? _raw_spin_unlock+0x22/0x30
[   22.619584]  ? __handle_mm_fault+0x80e/0x3ce0
[   22.619588]  ? check_noncircular+0x20/0x20
[   22.619591]  ? __pmd_alloc+0x4e0/0x4e0
[   22.619594]  ? lock_downgrade+0x980/0x980
[   22.619598]  ? find_held_lock+0x35/0x1d0
[   22.619603]  ? handle_mm_fault+0x248/0x8d0
[   22.619611]  ? find_held_lock+0x35/0x1d0
[   22.619616]  ? __do_page_fault+0x5f7/0xc90
[   22.619620]  ? lock_downgrade+0x980/0x980
[   22.619624]  ? handle_mm_fault+0x410/0x8d0
[   22.619627]  ? down_read_trylock+0xdb/0x170
[   22.619631]  ? __do_page_fault+0x32d/0xc90
[   22.619634]  ? __handle_mm_fault+0x3ce0/0x3ce0
[   22.619638]  ? vmacache_find+0x5f/0x280
[   22.619643]  do_group_exit+0x149/0x400
[   22.619646]  ? __do_page_fault+0x3d6/0xc90
[   22.619649]  ? SyS_exit+0x30/0x30
[   22.619656]  ? do_fast_syscall_32+0x156/0xf9d
[   22.619662]  ? do_group_exit+0x400/0x400
[   22.619666]  SyS_exit_group+0x1d/0x20
[   22.619670]  do_fast_syscall_32+0x3ee/0xf9d
[   22.619675]  ? do_int80_syscall_32+0x9d0/0x9d0
[   22.619678]  ? kasan_check_read+0x11/0x20
[   22.619684]  ? syscall_return_slowpath+0x550/0x550
[   22.619688]  ? SyS_rt_sigaction+0x94/0x1b0
[   22.619692]  ? SyS_sigprocmask+0x4b0/0x4b0
[   22.619695]  ? SyS_read+0x184/0x220
[   22.619698]  ? retint_user+0x18/0x18
[   22.619703]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   22.619708]  entry_SYSENTER_compat+0x54/0x63
[   22.619710] RIP: 0023:0xf7f5fc79
[   22.619712] RSP: 002b:00000000fff9b63c EFLAGS: 00000292 ORIG_RAX: 00000000000000fc
[   22.619716] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00000000080f0298
[   22.619718] RDX: 0000000000000000 RSI: 00000000080d9ad8 RDI: 00000000080f02a0
[   22.619719] RBP: 0000000000000001 R08: 0000000000000000 R09: 0000000000000000
[   22.619721] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
[   22.619723] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[   22.640043] Dumping ftrace buffer:
[   22.640049]    (ftrace buffer empty)
[   22.640052] Kernel Offset: disabled
[   23.923067] Rebooting in 86400 seconds..