[....] Starting enhanced syslogd: rsyslogd
[ 9.809694] audit: type=1400 audit(1515134552.954:5): avc: denied { syslog } for pid=3310 comm="rsyslogd" capability=34 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=capability2 permissive=1
[ ok ] Starting enhanced syslogd: rsyslogd.
[ ok ] Starting periodic command scheduler: cron.
Starting mcstransd:
[ ok ] Starting file context maintaining daemon: restorecond.
[ ok ] Starting OpenBSD Secure Shell server: sshd.

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login:
[ 12.432854] audit: type=1400 audit(1515134555.577:6): avc: denied { map } for pid=3445 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
Warning: Permanently added '10.128.15.236' (ECDSA) to the list of known hosts.
executing program
[ 18.554840] audit: type=1400 audit(1515134561.699:7): avc: denied { map } for pid=3459 comm="syzkaller805016" path="/root/syzkaller805016755" dev="sda1" ino=16481 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
[ 18.559914] ==================================================================
[ 18.559928] BUG: KASAN: use-after-free in __lock_acquire+0x3c41/0x3cf0
[ 18.559933] Read of size 8 at addr ffff8801cacf95f8 by task syzkaller805016/3459
[ 18.559934]
[ 18.559942] CPU: 0 PID: 3459 Comm: syzkaller805016 Not tainted 4.15.0-rc6-mm1+ #50
[ 18.559945] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 18.559947] Call Trace:
[ 18.559957]  dump_stack+0x137/0x198
[ 18.559963]  ? __lock_acquire+0x3c41/0x3cf0
[ 18.559973]  print_address_description+0x73/0x250
[ 18.559979]  ? __lock_acquire+0x3c41/0x3cf0
[ 18.559986]  kasan_report+0x23b/0x360
[ 18.559993]  __asan_report_load8_noabort+0x14/0x20
[ 18.559999]  __lock_acquire+0x3c41/0x3cf0
[ 18.560011]  ? bpf_prog_kallsyms_find+0x39/0x270
[ 18.560018]  ? __lock_acquire+0x63e/0x3cf0
[ 18.560024]  ? remove_wait_queue+0x24/0x1b0
[ 18.560033]  ? debug_check_no_locks_freed+0x3c0/0x3c0
[ 18.560041]  ? debug_check_no_locks_freed+0x3c0/0x3c0
[ 18.560051]  ? __mutex_lock+0xec/0x1550
[ 18.560057]  ? ep_free+0x72/0x230
[ 18.560063]  ? save_stack+0x43/0xd0
[ 18.560068]  ? __kasan_slab_free+0x11a/0x170
[ 18.560074]  ? kasan_slab_free+0xe/0x10
[ 18.560081]  lock_acquire+0x16b/0x420
[ 18.560086]  ? lock_acquire+0x16b/0x420
[ 18.560092]  ? remove_wait_queue+0x24/0x1b0
[ 18.560101]  _raw_spin_lock_irqsave+0x96/0xc0
[ 18.560106]  ? remove_wait_queue+0x24/0x1b0
[ 18.560113]  remove_wait_queue+0x24/0x1b0
[ 18.560121]  ep_unregister_pollwait.isra.7+0x9d/0x360
[ 18.560128]  ? ep_free+0x230/0x230
[ 18.560134]  ep_free+0xae/0x230
[ 18.560140]  ? ep_free+0x230/0x230
[ 18.560146]  ep_eventpoll_release+0x44/0x60
[ 18.560151]  __fput+0x291/0x6e0
[ 18.560159]  ____fput+0x15/0x20
[ 18.560165]  task_work_run+0x122/0x1a0
[ 18.560174]  do_exit+0x7f4/0x2da0
[ 18.560181]  ? binder_ioctl_write_read.isra.39+0x8e0/0x8e0
[ 18.560188]  ? do_vfs_ioctl+0x439/0xfe0
[ 18.560195]  ? mm_update_next_owner+0x690/0x690
[ 18.560201]  ? ioctl_preallocate+0x1c0/0x1c0
[ 18.560210]  ? __do_page_fault+0x3c3/0xca0
[ 18.560220]  ? entry_SYSCALL_64_fastpath+0x5/0x9a
[ 18.560227]  do_group_exit+0x108/0x320
[ 18.560234]  SyS_exit_group+0x1d/0x20
[ 18.560241]  entry_SYSCALL_64_fastpath+0x23/0x9a
[ 18.560245] RIP: 0033:0x4429f8
[ 18.560248] RSP: 002b:00007fffe74c3318 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
[ 18.560255] RAX: ffffffffffffffda RBX: 00000000004002e0 RCX: 00000000004429f8
[ 18.560258] RDX: 0000000000000000 RSI: 000000000000003c RDI: 0000000000000000
[ 18.560262] RBP: 00000000006ce018 R08: 00000000000000e7 R09: ffffffffffffffd0
[ 18.560265] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000401a40
[ 18.560268] R13: 0000000000401ad0 R14: 0000000000000000 R15: 0000000000000000
[ 18.560275]
[ 18.560278] Allocated by task 3459:
[ 18.560284]  save_stack+0x43/0xd0
[ 18.560288]  kasan_kmalloc+0xad/0xe0
[ 18.560293]  kmem_cache_alloc_trace+0x136/0x750
[ 18.560298]  binder_get_thread+0x15d/0x700
[ 18.560302]  binder_poll+0x4a/0x210
[ 18.560307]  ep_item_poll.isra.10+0xf2/0x320
[ 18.560313]  SyS_epoll_ctl+0x11c4/0x27b0
[ 18.560318]  entry_SYSCALL_64_fastpath+0x23/0x9a
[ 18.560319]
[ 18.560321] Freed by task 3459:
[ 18.560326]  save_stack+0x43/0xd0
[ 18.560331]  __kasan_slab_free+0x11a/0x170
[ 18.560336]  kasan_slab_free+0xe/0x10
[ 18.560340]  kfree+0xd9/0x260
[ 18.560345]  binder_thread_dec_tmpref+0x17d/0x1e0
[ 18.560349]  binder_thread_release+0x27d/0x540
[ 18.560354]  binder_ioctl+0xa1b/0x10ee
[ 18.560358]  do_vfs_ioctl+0x190/0xfe0
[ 18.560363]  SyS_ioctl+0x8f/0xc0
[ 18.560368]  entry_SYSCALL_64_fastpath+0x23/0x9a
[ 18.560369]
[ 18.560373] The buggy address belongs to the object at ffff8801cacf9540
[ 18.560373]  which belongs to the cache kmalloc-512 of size 512
[ 18.560378] The buggy address is located 184 bytes inside of
[ 18.560378]  512-byte region [ffff8801cacf9540, ffff8801cacf9740)
[ 18.560380] The buggy address belongs to the page:
[ 18.560385] page:ffffea00072b3e40 count:1 mapcount:0 mapping:ffff8801cacf9040 index:0x0
[ 18.560390] flags: 0x2fffc0000000100(slab)
[ 18.560398] raw: 02fffc0000000100 ffff8801cacf9040 0000000000000000 0000000100000006
[ 18.560404] raw: ffffea0007240460 ffffea0007396be0 ffff8801db000940 0000000000000000
[ 18.560407] page dumped because: kasan: bad access detected
[ 18.560408]
[ 18.560409] Memory state around the buggy address:
[ 18.560414]  ffff8801cacf9480: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 18.560418]  ffff8801cacf9500: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
[ 18.560423] >ffff8801cacf9580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 18.560425]                                                                 ^
[ 18.560429]  ffff8801cacf9600: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 18.560433]  ffff8801cacf9680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 18.560435] ==================================================================
[ 18.560437] Disabling lock debugging due to kernel taint
[ 18.560440] Kernel panic - not syncing: panic_on_warn set ...
[ 18.560440]
[ 18.560446] CPU: 0 PID: 3459 Comm: syzkaller805016 Tainted: G B 4.15.0-rc6-mm1+ #50
[ 18.560449] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 18.560450] Call Trace:
[ 18.560456]  dump_stack+0x137/0x198
[ 18.560463]  ? __lock_acquire+0x3bc0/0x3cf0
[ 18.560468]  panic+0x1e4/0x41c
[ 18.560474]  ? refcount_error_report+0x214/0x214
[ 18.560481]  ? add_taint+0x40/0x50
[ 18.560486]  ? add_taint+0x1c/0x50
[ 18.560493]  ? __lock_acquire+0x3c41/0x3cf0
[ 18.560499]  kasan_end_report+0x50/0x50
[ 18.560505]  kasan_report+0x148/0x360
[ 18.560512]  __asan_report_load8_noabort+0x14/0x20
[ 18.560518]  __lock_acquire+0x3c41/0x3cf0
[ 18.560524]  ? bpf_prog_kallsyms_find+0x39/0x270
[ 18.560531]  ? __lock_acquire+0x63e/0x3cf0
[ 18.560537]  ? remove_wait_queue+0x24/0x1b0
[ 18.560546]  ? debug_check_no_locks_freed+0x3c0/0x3c0
[ 18.560554]  ? debug_check_no_locks_freed+0x3c0/0x3c0
[ 18.560561]  ? __mutex_lock+0xec/0x1550
[ 18.560567]  ? ep_free+0x72/0x230
[ 18.560572]  ? save_stack+0x43/0xd0
[ 18.560577]  ? __kasan_slab_free+0x11a/0x170
[ 18.560583]  ? kasan_slab_free+0xe/0x10
[ 18.560589]  lock_acquire+0x16b/0x420
[ 18.560595]  ? lock_acquire+0x16b/0x420
[ 18.560601]  ? remove_wait_queue+0x24/0x1b0
[ 18.560609]  _raw_spin_lock_irqsave+0x96/0xc0
[ 18.560615]  ? remove_wait_queue+0x24/0x1b0
[ 18.560621]  remove_wait_queue+0x24/0x1b0
[ 18.560629]  ep_unregister_pollwait.isra.7+0x9d/0x360
[ 18.560636]  ? ep_free+0x230/0x230
[ 18.560642]  ep_free+0xae/0x230
[ 18.560648]  ? ep_free+0x230/0x230
[ 18.560654]  ep_eventpoll_release+0x44/0x60
[ 18.560658]  __fput+0x291/0x6e0
[ 18.560666]  ____fput+0x15/0x20
[ 18.560671]  task_work_run+0x122/0x1a0
[ 18.560678]  do_exit+0x7f4/0x2da0
[ 18.560685]  ? binder_ioctl_write_read.isra.39+0x8e0/0x8e0
[ 18.560697]  ? do_vfs_ioctl+0x439/0xfe0
[ 18.560704]  ? mm_update_next_owner+0x690/0x690
[ 18.560709]  ? ioctl_preallocate+0x1c0/0x1c0
[ 18.560716]  ? __do_page_fault+0x3c3/0xca0
[ 18.560725]  ? entry_SYSCALL_64_fastpath+0x5/0x9a
[ 18.560732]  do_group_exit+0x108/0x320
[ 18.560739]  SyS_exit_group+0x1d/0x20
[ 18.560745]  entry_SYSCALL_64_fastpath+0x23/0x9a
[ 18.560749] RIP: 0033:0x4429f8
[ 18.560751] RSP: 002b:00007fffe74c3318 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
[ 18.560757] RAX: ffffffffffffffda RBX: 00000000004002e0 RCX: 00000000004429f8
[ 18.560760] RDX: 0000000000000000 RSI: 000000000000003c RDI: 0000000000000000
[ 18.560764] RBP: 00000000006ce018 R08: 00000000000000e7 R09: ffffffffffffffd0
[ 18.560767] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000401a40
[ 18.560770] R13: 0000000000401ad0 R14: 0000000000000000 R15: 0000000000000000
[ 18.581147] Dumping ftrace buffer:
[ 18.581150]    (ftrace buffer empty)
[ 18.581153] Kernel Offset: disabled
[ 19.321274] Rebooting in 86400 seconds..