[....] Starting enhanced syslogd: rsyslogd[ 12.357931] audit: type=1400 audit(1515798350.788:5): avc: denied { syslog } for pid=3345 comm="rsyslogd" capability=34 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=capability2 permissive=1 [ ok . [....] Starting periodic command scheduler: cron[ ok . Starting mcstransd: [....] Starting file context maintaining daemon: restorecond[ ok . [....] Starting OpenBSD Secure Shell server: sshd[ ok . Debian GNU/Linux 7 syzkaller ttyS0 syzkaller login: [ 18.136769] audit: type=1400 audit(1515798356.567:6): avc: denied { map } for pid=3484 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1 Warning: Permanently added '10.128.0.15' (ECDSA) to the list of known hosts. executing program [ 24.309851] audit: type=1400 audit(1515798362.740:7): avc: denied { map } for pid=3498 comm="syzkaller126338" path="/root/syzkaller126338419" dev="sda1" ino=16481 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1 [ 24.314686] ================================================================== [ 24.314697] BUG: KASAN: use-after-free in __lock_acquire+0x3d4d/0x3e00 [ 24.314700] Read of size 8 at addr ffff8801ce566db0 by task syzkaller126338/3498 [ 24.314701] [ 24.314706] CPU: 1 PID: 3498 Comm: syzkaller126338 Not tainted 4.15.0-rc7+ #169 [ 24.314708] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 24.314710] Call Trace: [ 24.314717] dump_stack+0x194/0x257 [ 24.314722] ? arch_local_irq_restore+0x53/0x53 [ 24.314727] ? show_regs_print_info+0x18/0x18 [ 24.314732] ? __lock_acquire+0x3d4d/0x3e00 [ 24.314739] print_address_description+0x73/0x250 [ 24.314742] ? 
__lock_acquire+0x3d4d/0x3e00 [ 24.314746] kasan_report+0x25b/0x340 [ 24.314752] __asan_report_load8_noabort+0x14/0x20 [ 24.314755] __lock_acquire+0x3d4d/0x3e00 [ 24.314760] ? print_irqtrace_events+0x270/0x270 [ 24.314764] ? print_irqtrace_events+0x270/0x270 [ 24.314770] ? remove_wait_queue+0x81/0x350 [ 24.314775] ? debug_check_no_locks_freed+0x3c0/0x3c0 [ 24.314779] ? __lock_acquire+0x664/0x3e00 [ 24.314783] ? print_irqtrace_events+0x270/0x270 [ 24.314787] ? __lock_acquire+0x664/0x3e00 [ 24.314793] ? debug_check_no_locks_freed+0x3c0/0x3c0 [ 24.314798] ? __lock_acquire+0x664/0x3e00 [ 24.314801] ? debug_check_no_locks_freed+0x3c0/0x3c0 [ 24.314810] ? __lock_acquire+0x664/0x3e00 [ 24.314814] ? check_noncircular+0x20/0x20 [ 24.314818] ? check_noncircular+0x20/0x20 [ 24.314822] ? __lock_acquire+0x664/0x3e00 [ 24.314826] ? debug_check_no_locks_freed+0x3c0/0x3c0 [ 24.314830] ? check_noncircular+0x20/0x20 [ 24.314833] ? debug_check_no_locks_freed+0x3c0/0x3c0 [ 24.314839] ? debug_check_no_locks_freed+0x3c0/0x3c0 [ 24.314844] lock_acquire+0x1d5/0x580 [ 24.314847] ? lock_acquire+0x1d5/0x580 [ 24.314851] ? remove_wait_queue+0x81/0x350 [ 24.314855] ? lock_release+0xa40/0xa40 [ 24.314860] ? trace_event_raw_event_sched_switch+0x800/0x800 [ 24.314865] ? lock_acquire+0x1d5/0x580 [ 24.314869] ? lock_acquire+0x1d5/0x580 [ 24.314874] ? ep_unregister_pollwait.isra.7+0x323/0x590 [ 24.314881] _raw_spin_lock_irqsave+0x96/0xc0 [ 24.314884] ? remove_wait_queue+0x81/0x350 [ 24.314888] remove_wait_queue+0x81/0x350 [ 24.314892] ? eventpoll_release_file+0xba/0x140 [ 24.314896] ? add_wait_queue+0x290/0x290 [ 24.314902] ? rcutorture_record_progress+0x10/0x10 [ 24.314908] ep_unregister_pollwait.isra.7+0x18c/0x590 [ 24.314911] ? debug_check_no_locks_freed+0x3c0/0x3c0 [ 24.314916] ? clear_tfile_check_list+0x370/0x370 [ 24.314921] ? debug_check_no_locks_freed+0x3c0/0x3c0 [ 24.314926] ? depot_save_stack+0x3b5/0x490 [ 24.314930] ? lock_downgrade+0x980/0x980 [ 24.314937] ? 
is_bpf_text_address+0xa4/0x120 [ 24.314942] ep_remove+0xcd/0x800 [ 24.314947] ? unwind_get_return_address+0x61/0xa0 [ 24.314951] ? ep_destroy_wakeup_source+0x240/0x240 [ 24.314955] ? check_noncircular+0x20/0x20 [ 24.314959] ? check_noncircular+0x20/0x20 [ 24.314965] ? fsnotify+0x7b3/0x1140 [ 24.314972] eventpoll_release_file+0xc5/0x140 [ 24.314978] __fput+0x5f1/0x7e0 [ 24.314983] ? fput+0x140/0x140 [ 24.314987] ? _raw_spin_unlock_irq+0x27/0x70 [ 24.314992] ____fput+0x15/0x20 [ 24.314998] task_work_run+0x199/0x270 [ 24.315006] ? task_work_cancel+0x210/0x210 [ 24.315010] ? _raw_spin_unlock+0x22/0x30 [ 24.315014] ? switch_task_namespaces+0x87/0xc0 [ 24.315019] do_exit+0x9bb/0x1ad0 [ 24.315024] ? __handle_mm_fault+0x2330/0x3ce0 [ 24.315028] ? mm_update_next_owner+0x930/0x930 [ 24.315035] ? do_raw_spin_trylock+0x190/0x190 [ 24.315040] ? trace_event_raw_event_sched_switch+0x800/0x800 [ 24.315043] ? check_noncircular+0x20/0x20 [ 24.315048] ? _raw_spin_unlock+0x22/0x30 [ 24.315051] ? __handle_mm_fault+0x80e/0x3ce0 [ 24.315056] ? check_noncircular+0x20/0x20 [ 24.315059] ? __pmd_alloc+0x4e0/0x4e0 [ 24.315064] ? find_held_lock+0x35/0x1d0 [ 24.315069] ? handle_mm_fault+0x248/0x8d0 [ 24.315073] ? find_held_lock+0x35/0x1d0 [ 24.315079] ? __do_page_fault+0x5f7/0xc90 [ 24.315083] ? lock_downgrade+0x980/0x980 [ 24.315088] ? handle_mm_fault+0x410/0x8d0 [ 24.315091] ? down_read_trylock+0xdb/0x170 [ 24.315094] ? __do_page_fault+0x32d/0xc90 [ 24.315098] ? __handle_mm_fault+0x3ce0/0x3ce0 [ 24.315103] ? vmacache_find+0x5f/0x280 [ 24.315107] ? vmacache_update+0xfe/0x130 [ 24.315112] do_group_exit+0x149/0x400 [ 24.315116] ? __do_page_fault+0x3d6/0xc90 [ 24.315119] ? SyS_exit+0x30/0x30 [ 24.315125] ? do_fast_syscall_32+0x156/0xf9d [ 24.315129] ? do_group_exit+0x400/0x400 [ 24.315133] SyS_exit_group+0x1d/0x20 [ 24.315136] do_fast_syscall_32+0x3ee/0xf9d [ 24.315141] ? do_int80_syscall_32+0x9d0/0x9d0 [ 24.315145] ? kasan_check_read+0x11/0x20 [ 24.315149] ? 
syscall_return_slowpath+0x550/0x550 [ 24.315155] ? SyS_rt_sigaction+0x94/0x1b0 [ 24.315159] ? SyS_sigprocmask+0x4b0/0x4b0 [ 24.315162] ? SyS_read+0x184/0x220 [ 24.315166] ? retint_user+0x18/0x18 [ 24.315171] ? trace_hardirqs_off_thunk+0x1a/0x1c [ 24.315176] entry_SYSENTER_compat+0x54/0x63 [ 24.315179] RIP: 0023:0xf7f90c79 [ 24.315181] RSP: 002b:00000000ffca46fc EFLAGS: 00000296 ORIG_RAX: 00000000000000fc [ 24.315185] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00000000080f0298 [ 24.315187] RDX: 0000000000000000 RSI: 00000000080d9ab8 RDI: 00000000080f02a0 [ 24.315189] RBP: 0000000000000001 R08: 0000000000000000 R09: 0000000000000000 [ 24.315191] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000 [ 24.315192] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000 [ 24.315197] [ 24.315199] Allocated by task 3498: [ 24.315203] save_stack+0x43/0xd0 [ 24.315206] kasan_kmalloc+0xad/0xe0 [ 24.315209] kmem_cache_alloc_trace+0x136/0x750 [ 24.315213] binder_get_thread+0x1cf/0x870 [ 24.315215] binder_poll+0x8c/0x390 [ 24.315218] ep_item_poll.isra.10+0xec/0x320 [ 24.315221] ep_insert+0x6a3/0x1b10 [ 24.315225] SyS_epoll_ctl+0x12e4/0x1ab0 [ 24.315228] do_fast_syscall_32+0x3ee/0xf9d [ 24.315230] entry_SYSENTER_compat+0x54/0x63 [ 24.315231] [ 24.315232] Freed by task 3498: [ 24.315235] save_stack+0x43/0xd0 [ 24.315238] kasan_slab_free+0x71/0xc0 [ 24.315240] kfree+0xd6/0x260 [ 24.315243] binder_thread_dec_tmpref+0x27f/0x310 [ 24.315246] binder_thread_release+0x27d/0x540 [ 24.315248] binder_ioctl+0xc02/0x1417 [ 24.315252] compat_SyS_ioctl+0x151/0x2a30 [ 24.315255] do_fast_syscall_32+0x3ee/0xf9d [ 24.315258] entry_SYSENTER_compat+0x54/0x63 [ 24.315259] [ 24.315261] The buggy address belongs to the object at ffff8801ce566d00 [ 24.315261] which belongs to the cache kmalloc-512 of size 512 [ 24.315264] The buggy address is located 176 bytes inside of [ 24.315264] 512-byte region [ffff8801ce566d00, ffff8801ce566f00) [ 24.315265] The buggy address belongs to 
the page: [ 24.315269] page:ffffea0007395980 count:1 mapcount:0 mapping:ffff8801ce566080 index:0x0 [ 24.315273] flags: 0x2fffc0000000100(slab) [ 24.315279] raw: 02fffc0000000100 ffff8801ce566080 0000000000000000 0000000100000006 [ 24.315283] raw: ffffea0007395920 ffffea000721a520 ffff8801dac00940 0000000000000000 [ 24.315284] page dumped because: kasan: bad access detected [ 24.315285] [ 24.315286] Memory state around the buggy address: [ 24.315289] ffff8801ce566c80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 24.315291] ffff8801ce566d00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 24.315294] >ffff8801ce566d80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 24.315295] ^ [ 24.315297] ffff8801ce566e00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 24.315300] ffff8801ce566e80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 24.315301] ================================================================== [ 24.315302] Disabling lock debugging due to kernel taint [ 24.315304] Kernel panic - not syncing: panic_on_warn set ... [ 24.315304] [ 24.315308] CPU: 1 PID: 3498 Comm: syzkaller126338 Tainted: G B 4.15.0-rc7+ #169 [ 24.315310] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 24.315311] Call Trace: [ 24.315315] dump_stack+0x194/0x257 [ 24.315319] ? arch_local_irq_restore+0x53/0x53 [ 24.315323] ? kasan_end_report+0x32/0x50 [ 24.315327] ? lock_downgrade+0x980/0x980 [ 24.315331] ? vsnprintf+0x1ed/0x1900 [ 24.315335] ? __lock_acquire+0x3cb0/0x3e00 [ 24.315338] panic+0x1e4/0x41c [ 24.315342] ? refcount_error_report+0x214/0x214 [ 24.315346] ? add_taint+0x40/0x50 [ 24.315349] ? add_taint+0x1c/0x50 [ 24.315355] ? __lock_acquire+0x3d4d/0x3e00 [ 24.315360] kasan_end_report+0x50/0x50 [ 24.315365] kasan_report+0x144/0x340 [ 24.315371] __asan_report_load8_noabort+0x14/0x20 [ 24.315377] __lock_acquire+0x3d4d/0x3e00 [ 24.315382] ? print_irqtrace_events+0x270/0x270 [ 24.315388] ? 
print_irqtrace_events+0x270/0x270 [ 24.315393] ? remove_wait_queue+0x81/0x350 [ 24.315400] ? debug_check_no_locks_freed+0x3c0/0x3c0 [ 24.315406] ? __lock_acquire+0x664/0x3e00 [ 24.315411] ? print_irqtrace_events+0x270/0x270 [ 24.315415] ? __lock_acquire+0x664/0x3e00 [ 24.315421] ? debug_check_no_locks_freed+0x3c0/0x3c0 [ 24.315426] ? __lock_acquire+0x664/0x3e00 [ 24.315430] ? debug_check_no_locks_freed+0x3c0/0x3c0 [ 24.315433] ? __lock_acquire+0x664/0x3e00 [ 24.315437] ? check_noncircular+0x20/0x20 [ 24.315441] ? check_noncircular+0x20/0x20 [ 24.315445] ? __lock_acquire+0x664/0x3e00 [ 24.315449] ? debug_check_no_locks_freed+0x3c0/0x3c0 [ 24.315452] ? check_noncircular+0x20/0x20 [ 24.315455] ? debug_check_no_locks_freed+0x3c0/0x3c0 [ 24.315461] ? debug_check_no_locks_freed+0x3c0/0x3c0 [ 24.315466] lock_acquire+0x1d5/0x580 [ 24.315469] ? lock_acquire+0x1d5/0x580 [ 24.315472] ? remove_wait_queue+0x81/0x350 [ 24.315477] ? lock_release+0xa40/0xa40 [ 24.315481] ? trace_event_raw_event_sched_switch+0x800/0x800 [ 24.315485] ? lock_acquire+0x1d5/0x580 [ 24.315488] ? lock_acquire+0x1d5/0x580 [ 24.315492] ? ep_unregister_pollwait.isra.7+0x323/0x590 [ 24.315497] _raw_spin_lock_irqsave+0x96/0xc0 [ 24.315500] ? remove_wait_queue+0x81/0x350 [ 24.315504] remove_wait_queue+0x81/0x350 [ 24.315508] ? eventpoll_release_file+0xba/0x140 [ 24.315512] ? add_wait_queue+0x290/0x290 [ 24.315516] ? rcutorture_record_progress+0x10/0x10 [ 24.315521] ep_unregister_pollwait.isra.7+0x18c/0x590 [ 24.315525] ? debug_check_no_locks_freed+0x3c0/0x3c0 [ 24.315530] ? clear_tfile_check_list+0x370/0x370 [ 24.315534] ? debug_check_no_locks_freed+0x3c0/0x3c0 [ 24.315538] ? depot_save_stack+0x3b5/0x490 [ 24.315541] ? lock_downgrade+0x980/0x980 [ 24.315547] ? is_bpf_text_address+0xa4/0x120 [ 24.315551] ep_remove+0xcd/0x800 [ 24.315555] ? unwind_get_return_address+0x61/0xa0 [ 24.315559] ? ep_destroy_wakeup_source+0x240/0x240 [ 24.315563] ? check_noncircular+0x20/0x20 [ 24.315567] ? 
check_noncircular+0x20/0x20 [ 24.315572] ? fsnotify+0x7b3/0x1140 [ 24.315579] eventpoll_release_file+0xc5/0x140 [ 24.315583] __fput+0x5f1/0x7e0 [ 24.315588] ? fput+0x140/0x140 [ 24.315592] ? _raw_spin_unlock_irq+0x27/0x70 [ 24.315597] ____fput+0x15/0x20 [ 24.315601] task_work_run+0x199/0x270 [ 24.315606] ? task_work_cancel+0x210/0x210 [ 24.315609] ? _raw_spin_unlock+0x22/0x30 [ 24.315613] ? switch_task_namespaces+0x87/0xc0 [ 24.315618] do_exit+0x9bb/0x1ad0 [ 24.315622] ? __handle_mm_fault+0x2330/0x3ce0 [ 24.315626] ? mm_update_next_owner+0x930/0x930 [ 24.315632] ? do_raw_spin_trylock+0x190/0x190 [ 24.315638] ? trace_event_raw_event_sched_switch+0x800/0x800 [ 24.315642] ? check_noncircular+0x20/0x20 [ 24.315649] ? _raw_spin_unlock+0x22/0x30 [ 24.315652] ? __handle_mm_fault+0x80e/0x3ce0 [ 24.315657] ? check_noncircular+0x20/0x20 [ 24.315660] ? __pmd_alloc+0x4e0/0x4e0 [ 24.315665] ? find_held_lock+0x35/0x1d0 [ 24.315670] ? handle_mm_fault+0x248/0x8d0 [ 24.315674] ? find_held_lock+0x35/0x1d0 [ 24.315679] ? __do_page_fault+0x5f7/0xc90 [ 24.315683] ? lock_downgrade+0x980/0x980 [ 24.315688] ? handle_mm_fault+0x410/0x8d0 [ 24.315691] ? down_read_trylock+0xdb/0x170 [ 24.315694] ? __do_page_fault+0x32d/0xc90 [ 24.315698] ? __handle_mm_fault+0x3ce0/0x3ce0 [ 24.315701] ? vmacache_find+0x5f/0x280 [ 24.315705] ? vmacache_update+0xfe/0x130 [ 24.315709] do_group_exit+0x149/0x400 [ 24.315713] ? __do_page_fault+0x3d6/0xc90 [ 24.315717] ? SyS_exit+0x30/0x30 [ 24.315722] ? do_fast_syscall_32+0x156/0xf9d [ 24.315727] ? do_group_exit+0x400/0x400 [ 24.315732] SyS_exit_group+0x1d/0x20 [ 24.315736] do_fast_syscall_32+0x3ee/0xf9d [ 24.315743] ? do_int80_syscall_32+0x9d0/0x9d0 [ 24.315747] ? kasan_check_read+0x11/0x20 [ 24.315751] ? syscall_return_slowpath+0x550/0x550 [ 24.315755] ? SyS_rt_sigaction+0x94/0x1b0 [ 24.315759] ? SyS_sigprocmask+0x4b0/0x4b0 [ 24.315762] ? SyS_read+0x184/0x220 [ 24.315766] ? retint_user+0x18/0x18 [ 24.315771] ? 
trace_hardirqs_off_thunk+0x1a/0x1c [ 24.315775] entry_SYSENTER_compat+0x54/0x63 [ 24.315778] RIP: 0023:0xf7f90c79 [ 24.315780] RSP: 002b:00000000ffca46fc EFLAGS: 00000296 ORIG_RAX: 00000000000000fc [ 24.315783] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00000000080f0298 [ 24.315785] RDX: 0000000000000000 RSI: 00000000080d9ab8 RDI: 00000000080f02a0 [ 24.315787] RBP: 0000000000000001 R08: 0000000000000000 R09: 0000000000000000 [ 24.315789] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000 [ 24.315790] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000 [ 24.335734] Dumping ftrace buffer: [ 24.335738] (ftrace buffer empty) [ 24.335742] Kernel Offset: disabled [ 25.612603] Rebooting in 86400 seconds..