[....] Starting enhanced syslogd: rsyslogd[   13.328832] audit: type=1400 audit(1515611154.149:5): avc:  denied  { syslog } for  pid=3342 comm="rsyslogd" capability=34  scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=capability2 permissive=1
[?25l[?1c7[1G[[32m ok [39;49m8[?25h[?0c.
[....] Starting periodic command scheduler: cron[?25l[?1c7[1G[[32m ok [39;49m8[?25h[?0c.
Starting mcstransd: 
[....] Starting file context maintaining daemon: restorecond[?25l[?1c7[1G[[32m ok [39;49m8[?25h[?0c.
[....] Starting OpenBSD Secure Shell server: sshd[?25l[?1c7[1G[[32m ok [39;49m8[?25h[?0c.

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [   19.969210] audit: type=1400 audit(1515611160.790:6): avc:  denied  { map } for  pid=3483 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
Warning: Permanently added '10.128.15.245' (ECDSA) to the list of known hosts.
executing program
[   26.139276] audit: type=1400 audit(1515611166.960:7): avc:  denied  { map } for  pid=3497 comm="syzkaller256183" path="/root/syzkaller256183357" dev="sda1" ino=16481 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
[   26.143797] ==================================================================
[   26.143808] BUG: KASAN: use-after-free in __lock_acquire+0x3d4d/0x3e00
[   26.143812] Read of size 8 at addr ffff8801c7ccf830 by task syzkaller256183/3497
[   26.143813] 
[   26.143818] CPU: 0 PID: 3497 Comm: syzkaller256183 Not tainted 4.15.0-rc7+ #166
[   26.143821] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   26.143823] Call Trace:
[   26.143830]  dump_stack+0x194/0x257
[   26.143835]  ? arch_local_irq_restore+0x53/0x53
[   26.143840]  ? show_regs_print_info+0x18/0x18
[   26.143844]  ? print_irqtrace_events+0x270/0x270
[   26.143848]  ? __lock_acquire+0x664/0x3e00
[   26.143851]  ? __lock_acquire+0x3d4d/0x3e00
[   26.143858]  print_address_description+0x73/0x250
[   26.143861]  ? __lock_acquire+0x3d4d/0x3e00
[   26.143865]  kasan_report+0x25b/0x340
[   26.143871]  __asan_report_load8_noabort+0x14/0x20
[   26.143874]  __lock_acquire+0x3d4d/0x3e00
[   26.143878]  ? __lock_acquire+0x664/0x3e00
[   26.143881]  ? lock_downgrade+0x980/0x980
[   26.143884]  ? lock_downgrade+0x980/0x980
[   26.143888]  ? print_irqtrace_events+0x270/0x270
[   26.143895]  ? remove_wait_queue+0x81/0x350
[   26.143900]  ? debug_check_no_locks_freed+0x3c0/0x3c0
[   26.143904]  ? __lock_acquire+0x664/0x3e00
[   26.143907]  ? check_noncircular+0x20/0x20
[   26.143914]  ? debug_check_no_locks_freed+0x3c0/0x3c0
[   26.143918]  ? lock_acquire+0x1d5/0x580
[   26.143921]  ? lock_acquire+0x1d5/0x580
[   26.143926]  ? ep_free+0xf4/0x320
[   26.143931]  ? lock_release+0xa40/0xa40
[   26.143935]  ? trace_event_raw_event_sched_switch+0x800/0x800
[   26.143939]  ? print_irqtrace_events+0x270/0x270
[   26.143942]  ? print_irqtrace_events+0x270/0x270
[   26.143948]  ? rcu_note_context_switch+0x710/0x710
[   26.143953]  ? __might_sleep+0x95/0x190
[   26.143956]  ? ep_free+0xf4/0x320
[   26.143961]  ? __mutex_lock+0x16f/0x1a80
[   26.143964]  ? ep_free+0xf4/0x320
[   26.143968]  ? print_irqtrace_events+0x270/0x270
[   26.143971]  ? ep_free+0xf4/0x320
[   26.143976]  lock_acquire+0x1d5/0x580
[   26.143979]  ? lock_acquire+0x1d5/0x580
[   26.143983]  ? remove_wait_queue+0x81/0x350
[   26.143988]  ? lock_release+0xa40/0xa40
[   26.143993]  ? lock_acquire+0x1d5/0x580
[   26.143996]  ? debug_check_no_locks_freed+0x3c0/0x3c0
[   26.143999]  ? lock_acquire+0x1d5/0x580
[   26.144007]  ? ep_unregister_pollwait.isra.7+0x323/0x590
[   26.144012]  _raw_spin_lock_irqsave+0x96/0xc0
[   26.144016]  ? remove_wait_queue+0x81/0x350
[   26.144019]  remove_wait_queue+0x81/0x350
[   26.144025]  ? depot_save_stack+0x3b5/0x490
[   26.144029]  ? add_wait_queue+0x290/0x290
[   26.144033]  ? rcutorture_record_progress+0x10/0x10
[   26.144036]  ? lock_release+0xa40/0xa40
[   26.144041]  ep_unregister_pollwait.isra.7+0x18c/0x590
[   26.144046]  ? __kernel_text_address+0xd/0x40
[   26.144051]  ? clear_tfile_check_list+0x370/0x370
[   26.144055]  ? check_noncircular+0x20/0x20
[   26.144061]  ? locks_remove_file+0x3fa/0x5a0
[   26.144066]  ep_free+0x13f/0x320
[   26.144070]  ? ep_remove+0x800/0x800
[   26.144073]  ? fsnotify_first_mark+0x2b0/0x2b0
[   26.144078]  ? ep_free+0x320/0x320
[   26.144081]  ep_eventpoll_release+0x44/0x60
[   26.144087]  __fput+0x327/0x7e0
[   26.144091]  ? fput+0x140/0x140
[   26.144096]  ? _raw_spin_unlock_irq+0x27/0x70
[   26.144100]  ____fput+0x15/0x20
[   26.144104]  task_work_run+0x199/0x270
[   26.144109]  ? task_work_cancel+0x210/0x210
[   26.144113]  ? _raw_spin_unlock+0x22/0x30
[   26.144116]  ? switch_task_namespaces+0x87/0xc0
[   26.144123]  do_exit+0x9bb/0x1ad0
[   26.144129]  ? __handle_mm_fault+0x2330/0x3ce0
[   26.144133]  ? mm_update_next_owner+0x930/0x930
[   26.144140]  ? do_raw_spin_trylock+0x190/0x190
[   26.144144]  ? trace_event_raw_event_sched_switch+0x800/0x800
[   26.144147]  ? check_noncircular+0x20/0x20
[   26.144152]  ? _raw_spin_unlock+0x22/0x30
[   26.144155]  ? __handle_mm_fault+0x80e/0x3ce0
[   26.144160]  ? check_noncircular+0x20/0x20
[   26.144163]  ? __pmd_alloc+0x4e0/0x4e0
[   26.144166]  ? lock_downgrade+0x980/0x980
[   26.144171]  ? find_held_lock+0x35/0x1d0
[   26.144175]  ? handle_mm_fault+0x248/0x8d0
[   26.144179]  ? find_held_lock+0x35/0x1d0
[   26.144187]  ? __do_page_fault+0x5f7/0xc90
[   26.144190]  ? lock_downgrade+0x980/0x980
[   26.144195]  ? handle_mm_fault+0x410/0x8d0
[   26.144198]  ? down_read_trylock+0xdb/0x170
[   26.144202]  ? __do_page_fault+0x32d/0xc90
[   26.144205]  ? __handle_mm_fault+0x3ce0/0x3ce0
[   26.144210]  ? vmacache_find+0x5f/0x280
[   26.144215]  do_group_exit+0x149/0x400
[   26.144219]  ? __do_page_fault+0x3d6/0xc90
[   26.144222]  ? SyS_exit+0x30/0x30
[   26.144229]  ? do_fast_syscall_32+0x156/0xf9d
[   26.144233]  ? do_group_exit+0x400/0x400
[   26.144237]  SyS_exit_group+0x1d/0x20
[   26.144240]  do_fast_syscall_32+0x3ee/0xf9d
[   26.144245]  ? do_int80_syscall_32+0x9d0/0x9d0
[   26.144250]  ? trace_event_raw_event_sys_exit+0x260/0x260
[   26.144254]  ? syscall_return_slowpath+0x550/0x550
[   26.144259]  ? SyS_rt_sigaction+0x94/0x1b0
[   26.144264]  ? retint_user+0x18/0x18
[   26.144268]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   26.144273]  entry_SYSENTER_compat+0x54/0x63
[   26.144277] RIP: 0023:0xf7f15c79
[   26.144279] RSP: 002b:00000000ffabba6c EFLAGS: 00000296 ORIG_RAX: 00000000000000fc
[   26.144283] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00000000080f0298
[   26.144285] RDX: 0000000000000000 RSI: 00000000080d9ad8 RDI: 00000000080f02a0
[   26.144287] RBP: 0000000000000001 R08: 0000000000000000 R09: 0000000000000000
[   26.144289] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
[   26.144290] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[   26.144295] 
[   26.144297] Allocated by task 3497:
[   26.144300]  save_stack+0x43/0xd0
[   26.144303]  kasan_kmalloc+0xad/0xe0
[   26.144306]  kmem_cache_alloc_trace+0x136/0x750
[   26.144310]  binder_get_thread+0x1cf/0x870
[   26.144313]  binder_poll+0x8c/0x390
[   26.144316]  ep_item_poll.isra.10+0xec/0x320
[   26.144319]  ep_insert+0x6a3/0x1b10
[   26.144322]  SyS_epoll_ctl+0x12e4/0x1ab0
[   26.144325]  do_fast_syscall_32+0x3ee/0xf9d
[   26.144327]  entry_SYSENTER_compat+0x54/0x63
[   26.144328] 
[   26.144329] Freed by task 3497:
[   26.144332]  save_stack+0x43/0xd0
[   26.144335]  kasan_slab_free+0x71/0xc0
[   26.144337]  kfree+0xd6/0x260
[   26.144340]  binder_thread_dec_tmpref+0x27f/0x310
[   26.144343]  binder_thread_release+0x27d/0x540
[   26.144346]  binder_ioctl+0xc02/0x1417
[   26.144349]  compat_SyS_ioctl+0x151/0x2a30
[   26.144352]  do_fast_syscall_32+0x3ee/0xf9d
[   26.144354]  entry_SYSENTER_compat+0x54/0x63
[   26.144355] 
[   26.144358] The buggy address belongs to the object at ffff8801c7ccf780
[   26.144358]  which belongs to the cache kmalloc-512 of size 512
[   26.144361] The buggy address is located 176 bytes inside of
[   26.144361]  512-byte region [ffff8801c7ccf780, ffff8801c7ccf980)
[   26.144362] The buggy address belongs to the page:
[   26.144365] page:ffffea00071f33c0 count:1 mapcount:0 mapping:ffff8801c7ccf000 index:0x0
[   26.144368] flags: 0x2fffc0000000100(slab)
[   26.144374] raw: 02fffc0000000100 ffff8801c7ccf000 0000000000000000 0000000100000006
[   26.144378] raw: ffffea000739c160 ffffea00071f4da0 ffff8801dac00940 0000000000000000
[   26.144379] page dumped because: kasan: bad access detected
[   26.144380] 
[   26.144381] Memory state around the buggy address:
[   26.144383]  ffff8801c7ccf700: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   26.144386]  ffff8801c7ccf780: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   26.144388] >ffff8801c7ccf800: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   26.144390]                                      ^
[   26.144392]  ffff8801c7ccf880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   26.144395]  ffff8801c7ccf900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   26.144396] ==================================================================
[   26.144397] Disabling lock debugging due to kernel taint
[   26.144399] Kernel panic - not syncing: panic_on_warn set ...
[   26.144399] 
[   26.144403] CPU: 0 PID: 3497 Comm: syzkaller256183 Tainted: G    B            4.15.0-rc7+ #166
[   26.144405] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   26.144406] Call Trace:
[   26.144410]  dump_stack+0x194/0x257
[   26.144414]  ? arch_local_irq_restore+0x53/0x53
[   26.144418]  ? kasan_end_report+0x32/0x50
[   26.144421]  ? lock_downgrade+0x980/0x980
[   26.144426]  ? vsnprintf+0x1ed/0x1900
[   26.144430]  ? __lock_acquire+0x3cb0/0x3e00
[   26.144433]  panic+0x1e4/0x41c
[   26.144437]  ? refcount_error_report+0x214/0x214
[   26.144441]  ? add_taint+0x40/0x50
[   26.144444]  ? add_taint+0x1c/0x50
[   26.144448]  ? __lock_acquire+0x3d4d/0x3e00
[   26.144451]  kasan_end_report+0x50/0x50
[   26.144455]  kasan_report+0x144/0x340
[   26.144459]  __asan_report_load8_noabort+0x14/0x20
[   26.144463]  __lock_acquire+0x3d4d/0x3e00
[   26.144466]  ? __lock_acquire+0x664/0x3e00
[   26.144470]  ? lock_downgrade+0x980/0x980
[   26.144473]  ? lock_downgrade+0x980/0x980
[   26.144481]  ? print_irqtrace_events+0x270/0x270
[   26.144484]  ? remove_wait_queue+0x81/0x350
[   26.144490]  ? debug_check_no_locks_freed+0x3c0/0x3c0
[   26.144493]  ? __lock_acquire+0x664/0x3e00
[   26.144497]  ? check_noncircular+0x20/0x20
[   26.144503]  ? debug_check_no_locks_freed+0x3c0/0x3c0
[   26.144507]  ? lock_acquire+0x1d5/0x580
[   26.144510]  ? lock_acquire+0x1d5/0x580
[   26.144513]  ? ep_free+0xf4/0x320
[   26.144518]  ? lock_release+0xa40/0xa40
[   26.144522]  ? trace_event_raw_event_sched_switch+0x800/0x800
[   26.144525]  ? print_irqtrace_events+0x270/0x270
[   26.144528]  ? print_irqtrace_events+0x270/0x270
[   26.144532]  ? rcu_note_context_switch+0x710/0x710
[   26.144536]  ? __might_sleep+0x95/0x190
[   26.144540]  ? ep_free+0xf4/0x320
[   26.144543]  ? __mutex_lock+0x16f/0x1a80
[   26.144546]  ? ep_free+0xf4/0x320
[   26.144550]  ? print_irqtrace_events+0x270/0x270
[   26.144553]  ? ep_free+0xf4/0x320
[   26.144557]  lock_acquire+0x1d5/0x580
[   26.144561]  ? lock_acquire+0x1d5/0x580
[   26.144564]  ? remove_wait_queue+0x81/0x350
[   26.144569]  ? lock_release+0xa40/0xa40
[   26.144574]  ? lock_acquire+0x1d5/0x580
[   26.144577]  ? debug_check_no_locks_freed+0x3c0/0x3c0
[   26.144580]  ? lock_acquire+0x1d5/0x580
[   26.144584]  ? ep_unregister_pollwait.isra.7+0x323/0x590
[   26.144588]  _raw_spin_lock_irqsave+0x96/0xc0
[   26.144592]  ? remove_wait_queue+0x81/0x350
[   26.144596]  remove_wait_queue+0x81/0x350
[   26.144599]  ? depot_save_stack+0x3b5/0x490
[   26.144603]  ? add_wait_queue+0x290/0x290
[   26.144606]  ? rcutorture_record_progress+0x10/0x10
[   26.144610]  ? lock_release+0xa40/0xa40
[   26.144615]  ep_unregister_pollwait.isra.7+0x18c/0x590
[   26.144619]  ? __kernel_text_address+0xd/0x40
[   26.144624]  ? clear_tfile_check_list+0x370/0x370
[   26.144628]  ? check_noncircular+0x20/0x20
[   26.144632]  ? locks_remove_file+0x3fa/0x5a0
[   26.144638]  ep_free+0x13f/0x320
[   26.144641]  ? ep_remove+0x800/0x800
[   26.144645]  ? fsnotify_first_mark+0x2b0/0x2b0
[   26.144649]  ? ep_free+0x320/0x320
[   26.144652]  ep_eventpoll_release+0x44/0x60
[   26.144656]  __fput+0x327/0x7e0
[   26.144661]  ? fput+0x140/0x140
[   26.144665]  ? _raw_spin_unlock_irq+0x27/0x70
[   26.144670]  ____fput+0x15/0x20
[   26.144673]  task_work_run+0x199/0x270
[   26.144678]  ? task_work_cancel+0x210/0x210
[   26.144682]  ? _raw_spin_unlock+0x22/0x30
[   26.144685]  ? switch_task_namespaces+0x87/0xc0
[   26.144689]  do_exit+0x9bb/0x1ad0
[   26.144693]  ? __handle_mm_fault+0x2330/0x3ce0
[   26.144697]  ? mm_update_next_owner+0x930/0x930
[   26.144703]  ? do_raw_spin_trylock+0x190/0x190
[   26.144707]  ? trace_event_raw_event_sched_switch+0x800/0x800
[   26.144710]  ? check_noncircular+0x20/0x20
[   26.144715]  ? _raw_spin_unlock+0x22/0x30
[   26.144718]  ? __handle_mm_fault+0x80e/0x3ce0
[   26.144722]  ? check_noncircular+0x20/0x20
[   26.144726]  ? __pmd_alloc+0x4e0/0x4e0
[   26.144729]  ? lock_downgrade+0x980/0x980
[   26.144733]  ? find_held_lock+0x35/0x1d0
[   26.144738]  ? handle_mm_fault+0x248/0x8d0
[   26.144742]  ? find_held_lock+0x35/0x1d0
[   26.144747]  ? __do_page_fault+0x5f7/0xc90
[   26.144751]  ? lock_downgrade+0x980/0x980
[   26.144756]  ? handle_mm_fault+0x410/0x8d0
[   26.144758]  ? down_read_trylock+0xdb/0x170
[   26.144762]  ? __do_page_fault+0x32d/0xc90
[   26.144765]  ? __handle_mm_fault+0x3ce0/0x3ce0
[   26.144769]  ? vmacache_find+0x5f/0x280
[   26.144774]  do_group_exit+0x149/0x400
[   26.144778]  ? __do_page_fault+0x3d6/0xc90
[   26.144781]  ? SyS_exit+0x30/0x30
[   26.144785]  ? do_fast_syscall_32+0x156/0xf9d
[   26.144789]  ? do_group_exit+0x400/0x400
[   26.144793]  SyS_exit_group+0x1d/0x20
[   26.144796]  do_fast_syscall_32+0x3ee/0xf9d
[   26.144801]  ? do_int80_syscall_32+0x9d0/0x9d0
[   26.144805]  ? trace_event_raw_event_sys_exit+0x260/0x260
[   26.144809]  ? syscall_return_slowpath+0x550/0x550
[   26.144813]  ? SyS_rt_sigaction+0x94/0x1b0
[   26.144817]  ? retint_user+0x18/0x18
[   26.144822]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   26.144827]  entry_SYSENTER_compat+0x54/0x63
[   26.144829] RIP: 0023:0xf7f15c79
[   26.144831] RSP: 002b:00000000ffabba6c EFLAGS: 00000296 ORIG_RAX: 00000000000000fc
[   26.144834] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00000000080f0298
[   26.144836] RDX: 0000000000000000 RSI: 00000000080d9ad8 RDI: 00000000080f02a0
[   26.144838] RBP: 0000000000000001 R08: 0000000000000000 R09: 0000000000000000
[   26.144840] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
[   26.144842] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[   26.165177] Dumping ftrace buffer:
[   26.165180]    (ftrace buffer empty)
[   26.165182] Kernel Offset: disabled
[   27.433156] Rebooting in 86400 seconds..