[ ok ] Starting enhanced syslogd: rsyslogd.
[ 10.905230] audit: type=1400 audit(1514403920.934:5): avc: denied { syslog } for pid=2987 comm="rsyslogd" capability=34 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=capability2 permissive=1
[ ok ] Starting periodic command scheduler: cron.
Starting mcstransd:
[ ok ] Starting file context maintaining daemon: restorecond.
[ ok ] Starting OpenBSD Secure Shell server: sshd.

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [ 16.826293] audit: type=1400 audit(1514403926.854:6): avc: denied { map } for pid=3131 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
Warning: Permanently added '10.128.15.214' (ECDSA) to the list of known hosts.
executing program
[ 42.538286] audit: type=1400 audit(1514403952.567:7): avc: denied { map } for pid=3149 comm="syzkaller202667" path="/root/syzkaller202667979" dev="sda1" ino=16481 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
[ 42.543309] ==================================================================
[ 42.543321] BUG: KASAN: use-after-free in __lock_acquire+0x3d4d/0x3e00
[ 42.543325] Read of size 8 at addr ffff8801c8f34db0 by task syzkaller202667/3149
[ 42.543326]
[ 42.543330] CPU: 0 PID: 3149 Comm: syzkaller202667 Not tainted 4.15.0-rc5+ #148
[ 42.543333] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 42.543334] Call Trace:
[ 42.543341]  dump_stack+0x194/0x257
[ 42.543346]  ? arch_local_irq_restore+0x53/0x53
[ 42.543351]  ? show_regs_print_info+0x18/0x18
[ 42.543356]  ? __lock_acquire+0x3d4d/0x3e00
[ 42.543362]  print_address_description+0x73/0x250
[ 42.543365]  ? __lock_acquire+0x3d4d/0x3e00
[ 42.543369]  kasan_report+0x25b/0x340
[ 42.543373]  __asan_report_load8_noabort+0x14/0x20
[ 42.543377]  __lock_acquire+0x3d4d/0x3e00
[ 42.543381]  ? print_irqtrace_events+0x270/0x270
[ 42.543385]  ? print_irqtrace_events+0x270/0x270
[ 42.543389]  ? remove_wait_queue+0x81/0x350
[ 42.543394]  ? debug_check_no_locks_freed+0x3c0/0x3c0
[ 42.543398]  ? __lock_acquire+0x664/0x3e00
[ 42.543402]  ? print_irqtrace_events+0x270/0x270
[ 42.543405]  ? __lock_acquire+0x664/0x3e00
[ 42.543411]  ? debug_check_no_locks_freed+0x3c0/0x3c0
[ 42.543416]  ? __lock_acquire+0x664/0x3e00
[ 42.543419]  ? debug_check_no_locks_freed+0x3c0/0x3c0
[ 42.543423]  ? __lock_acquire+0x664/0x3e00
[ 42.543426]  ? check_noncircular+0x20/0x20
[ 42.543431]  ? check_noncircular+0x20/0x20
[ 42.543434]  ? __lock_acquire+0x664/0x3e00
[ 42.543438]  ? debug_check_no_locks_freed+0x3c0/0x3c0
[ 42.543441]  ? check_noncircular+0x20/0x20
[ 42.543444]  ? debug_check_no_locks_freed+0x3c0/0x3c0
[ 42.543450]  ? debug_check_no_locks_freed+0x3c0/0x3c0
[ 42.543455]  lock_acquire+0x1d5/0x580
[ 42.543458]  ? lock_acquire+0x1d5/0x580
[ 42.543461]  ? remove_wait_queue+0x81/0x350
[ 42.543466]  ? lock_release+0xa40/0xa40
[ 42.543470]  ? trace_event_raw_event_sched_switch+0x800/0x800
[ 42.543475]  ? lock_acquire+0x1d5/0x580
[ 42.543478]  ? lock_acquire+0x1d5/0x580
[ 42.543483]  ? ep_unregister_pollwait.isra.7+0x323/0x590
[ 42.543488]  _raw_spin_lock_irqsave+0x96/0xc0
[ 42.543492]  ? remove_wait_queue+0x81/0x350
[ 42.543496]  remove_wait_queue+0x81/0x350
[ 42.543499]  ? eventpoll_release_file+0xba/0x140
[ 42.543503]  ? add_wait_queue+0x290/0x290
[ 42.543508]  ? rcutorture_record_progress+0x10/0x10
[ 42.543513]  ep_unregister_pollwait.isra.7+0x18c/0x590
[ 42.543517]  ? debug_check_no_locks_freed+0x3c0/0x3c0
[ 42.543521]  ? clear_tfile_check_list+0x370/0x370
[ 42.543525]  ? debug_check_no_locks_freed+0x3c0/0x3c0
[ 42.543530]  ? depot_save_stack+0x3b5/0x490
[ 42.543534]  ? lock_downgrade+0x980/0x980
[ 42.543541]  ? is_bpf_text_address+0xa4/0x120
[ 42.543544]  ep_remove+0xcd/0x800
[ 42.543550]  ? unwind_get_return_address+0x61/0xa0
[ 42.543553]  ? ep_destroy_wakeup_source+0x240/0x240
[ 42.543557]  ? check_noncircular+0x20/0x20
[ 42.543561]  ? check_noncircular+0x20/0x20
[ 42.543568]  ? fsnotify+0x7b3/0x1140
[ 42.543574]  eventpoll_release_file+0xc5/0x140
[ 42.543579]  __fput+0x5f1/0x7e0
[ 42.543583]  ? fput+0x140/0x140
[ 42.543587]  ? _raw_spin_unlock_irq+0x27/0x70
[ 42.543591]  ____fput+0x15/0x20
[ 42.543596]  task_work_run+0x199/0x270
[ 42.543600]  ? task_work_cancel+0x210/0x210
[ 42.543604]  ? _raw_spin_unlock+0x22/0x30
[ 42.543607]  ? switch_task_namespaces+0x87/0xc0
[ 42.543612]  do_exit+0x9bb/0x1ad0
[ 42.543617]  ? __handle_mm_fault+0x2330/0x3ce0
[ 42.543621]  ? mm_update_next_owner+0x930/0x930
[ 42.543627]  ? do_raw_spin_trylock+0x190/0x190
[ 42.543631]  ? trace_event_raw_event_sched_switch+0x800/0x800
[ 42.543635]  ? check_noncircular+0x20/0x20
[ 42.543638]  ? _raw_spin_unlock+0x22/0x30
[ 42.543642]  ? __handle_mm_fault+0x80e/0x3ce0
[ 42.543646]  ? check_noncircular+0x20/0x20
[ 42.543649]  ? __pmd_alloc+0x4e0/0x4e0
[ 42.543654]  ? find_held_lock+0x35/0x1d0
[ 42.543658]  ? handle_mm_fault+0x248/0x8d0
[ 42.543662]  ? find_held_lock+0x35/0x1d0
[ 42.543667]  ? __do_page_fault+0x5f7/0xc90
[ 42.543671]  ? lock_downgrade+0x980/0x980
[ 42.543676]  ? handle_mm_fault+0x410/0x8d0
[ 42.543679]  ? down_read_trylock+0xdb/0x170
[ 42.543682]  ? __do_page_fault+0x32d/0xc90
[ 42.543686]  ? __handle_mm_fault+0x3ce0/0x3ce0
[ 42.543690]  ? vmacache_find+0x5f/0x280
[ 42.543694]  do_group_exit+0x149/0x400
[ 42.543698]  ? __do_page_fault+0x3d6/0xc90
[ 42.543701]  ? SyS_exit+0x30/0x30
[ 42.543707]  ? do_fast_syscall_32+0x156/0xf9d
[ 42.543711]  ? do_group_exit+0x400/0x400
[ 42.543714]  SyS_exit_group+0x1d/0x20
[ 42.543718]  do_fast_syscall_32+0x3ee/0xf9d
[ 42.543723]  ? do_int80_syscall_32+0x9d0/0x9d0
[ 42.543726]  ? kasan_check_read+0x11/0x20
[ 42.543730]  ? syscall_return_slowpath+0x550/0x550
[ 42.543735]  ? SyS_rt_sigaction+0x94/0x1b0
[ 42.543739]  ? SyS_sigprocmask+0x4b0/0x4b0
[ 42.543741]  ? SyS_read+0x184/0x220
[ 42.543745]  ? retint_user+0x18/0x18
[ 42.543750]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 42.543755]  entry_SYSENTER_compat+0x54/0x63
[ 42.543758] RIP: 0023:0xf7ff2c79
[ 42.543760] RSP: 002b:00000000ff8c625c EFLAGS: 00000296 ORIG_RAX: 00000000000000fc
[ 42.543764] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00000000080f0298
[ 42.543766] RDX: 0000000000000000 RSI: 00000000080d9ab8 RDI: 00000000080f02a0
[ 42.543768] RBP: 0000000000000001 R08: 0000000000000000 R09: 0000000000000000
[ 42.543770] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
[ 42.543772] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[ 42.543776]
[ 42.543778] Allocated by task 3149:
[ 42.543781]  save_stack+0x43/0xd0
[ 42.543784]  kasan_kmalloc+0xad/0xe0
[ 42.543788]  kmem_cache_alloc_trace+0x136/0x750
[ 42.543793]  binder_get_thread+0x1cf/0x870
[ 42.543800]  binder_poll+0x8c/0x390
[ 42.543803]  ep_item_poll.isra.10+0xec/0x320
[ 42.543806]  ep_insert+0x6a3/0x1b10
[ 42.543808]  SyS_epoll_ctl+0x12e4/0x1ab0
[ 42.543811]  do_fast_syscall_32+0x3ee/0xf9d
[ 42.543815]  entry_SYSENTER_compat+0x54/0x63
[ 42.543815]
[ 42.543817] Freed by task 3149:
[ 42.543819]  save_stack+0x43/0xd0
[ 42.543822]  kasan_slab_free+0x71/0xc0
[ 42.543824]  kfree+0xd6/0x260
[ 42.543827]  binder_thread_dec_tmpref+0x27f/0x310
[ 42.543830]  binder_thread_release+0x27d/0x540
[ 42.543833]  binder_ioctl+0xc02/0x1417
[ 42.543837]  compat_SyS_ioctl+0x151/0x2a30
[ 42.543840]  do_fast_syscall_32+0x3ee/0xf9d
[ 42.543843]  entry_SYSENTER_compat+0x54/0x63
[ 42.543844]
[ 42.543846] The buggy address belongs to the object at ffff8801c8f34d00
[ 42.543846]  which belongs to the cache kmalloc-512 of size 512
[ 42.543849] The buggy address is located 176 bytes inside of
[ 42.543849]  512-byte region [ffff8801c8f34d00, ffff8801c8f34f00)
[ 42.543850] The buggy address belongs to the page:
[ 42.543854] page:00000000df5183d4 count:1 mapcount:0 mapping:00000000fe375bdc index:0x0
[ 42.543858] flags: 0x2fffc0000000100(slab)
[ 42.543864] raw: 02fffc0000000100 ffff8801c8f34080 0000000000000000 0000000100000006
[ 42.543868] raw: ffffea00072ad0e0 ffffea000723cde0 ffff8801db000940 0000000000000000
[ 42.543869] page dumped because: kasan: bad access detected
[ 42.543870]
[ 42.543871] Memory state around the buggy address:
[ 42.543874]  ffff8801c8f34c80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 42.543877]  ffff8801c8f34d00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 42.543879] >ffff8801c8f34d80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 42.543880]                                      ^
[ 42.543883]  ffff8801c8f34e00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 42.543886]  ffff8801c8f34e80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 42.543887] ==================================================================
[ 42.543888] Disabling lock debugging due to kernel taint
[ 42.543890] Kernel panic - not syncing: panic_on_warn set ...
[ 42.543890]
[ 42.543893] CPU: 0 PID: 3149 Comm: syzkaller202667 Tainted: G B 4.15.0-rc5+ #148
[ 42.543895] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 42.543896] Call Trace:
[ 42.543900]  dump_stack+0x194/0x257
[ 42.543904]  ? arch_local_irq_restore+0x53/0x53
[ 42.543907]  ? kasan_end_report+0x32/0x50
[ 42.543911]  ? lock_downgrade+0x980/0x980
[ 42.543915]  ? vsnprintf+0x1ed/0x1900
[ 42.543919]  ? __lock_acquire+0x3cd0/0x3e00
[ 42.543922]  panic+0x1e4/0x41c
[ 42.543925]  ? refcount_error_report+0x214/0x214
[ 42.543929]  ? add_taint+0x40/0x50
[ 42.543932]  ? add_taint+0x1c/0x50
[ 42.543936]  ? __lock_acquire+0x3d4d/0x3e00
[ 42.543939]  kasan_end_report+0x50/0x50
[ 42.543942]  kasan_report+0x144/0x340
[ 42.543947]  __asan_report_load8_noabort+0x14/0x20
[ 42.543950]  __lock_acquire+0x3d4d/0x3e00
[ 42.543954]  ? print_irqtrace_events+0x270/0x270
[ 42.543958]  ? print_irqtrace_events+0x270/0x270
[ 42.543961]  ? remove_wait_queue+0x81/0x350
[ 42.543966]  ? debug_check_no_locks_freed+0x3c0/0x3c0
[ 42.543970]  ? __lock_acquire+0x664/0x3e00
[ 42.543973]  ? print_irqtrace_events+0x270/0x270
[ 42.543977]  ? __lock_acquire+0x664/0x3e00
[ 42.543982]  ? debug_check_no_locks_freed+0x3c0/0x3c0
[ 42.543987]  ? __lock_acquire+0x664/0x3e00
[ 42.543991]  ? debug_check_no_locks_freed+0x3c0/0x3c0
[ 42.543994]  ? __lock_acquire+0x664/0x3e00
[ 42.543997]  ? check_noncircular+0x20/0x20
[ 42.544004]  ? check_noncircular+0x20/0x20
[ 42.544008]  ? __lock_acquire+0x664/0x3e00
[ 42.544012]  ? debug_check_no_locks_freed+0x3c0/0x3c0
[ 42.544015]  ? check_noncircular+0x20/0x20
[ 42.544018]  ? debug_check_no_locks_freed+0x3c0/0x3c0
[ 42.544024]  ? debug_check_no_locks_freed+0x3c0/0x3c0
[ 42.544028]  lock_acquire+0x1d5/0x580
[ 42.544031]  ? lock_acquire+0x1d5/0x580
[ 42.544034]  ? remove_wait_queue+0x81/0x350
[ 42.544039]  ? lock_release+0xa40/0xa40
[ 42.544042]  ? trace_event_raw_event_sched_switch+0x800/0x800
[ 42.544047]  ? lock_acquire+0x1d5/0x580
[ 42.544050]  ? lock_acquire+0x1d5/0x580
[ 42.544053]  ? ep_unregister_pollwait.isra.7+0x323/0x590
[ 42.544057]  _raw_spin_lock_irqsave+0x96/0xc0
[ 42.544060]  ? remove_wait_queue+0x81/0x350
[ 42.544064]  remove_wait_queue+0x81/0x350
[ 42.544067]  ? eventpoll_release_file+0xba/0x140
[ 42.544071]  ? add_wait_queue+0x290/0x290
[ 42.544074]  ? rcutorture_record_progress+0x10/0x10
[ 42.544079]  ep_unregister_pollwait.isra.7+0x18c/0x590
[ 42.544083]  ? debug_check_no_locks_freed+0x3c0/0x3c0
[ 42.544087]  ? clear_tfile_check_list+0x370/0x370
[ 42.544091]  ? debug_check_no_locks_freed+0x3c0/0x3c0
[ 42.544095]  ? depot_save_stack+0x3b5/0x490
[ 42.544098]  ? lock_downgrade+0x980/0x980
[ 42.544103]  ? is_bpf_text_address+0xa4/0x120
[ 42.544107]  ep_remove+0xcd/0x800
[ 42.544111]  ? unwind_get_return_address+0x61/0xa0
[ 42.544114]  ? ep_destroy_wakeup_source+0x240/0x240
[ 42.544118]  ? check_noncircular+0x20/0x20
[ 42.544122]  ? check_noncircular+0x20/0x20
[ 42.544127]  ? fsnotify+0x7b3/0x1140
[ 42.544133]  eventpoll_release_file+0xc5/0x140
[ 42.544137]  __fput+0x5f1/0x7e0
[ 42.544141]  ? fput+0x140/0x140
[ 42.544145]  ? _raw_spin_unlock_irq+0x27/0x70
[ 42.544149]  ____fput+0x15/0x20
[ 42.544153]  task_work_run+0x199/0x270
[ 42.544157]  ? task_work_cancel+0x210/0x210
[ 42.544161]  ? _raw_spin_unlock+0x22/0x30
[ 42.544164]  ? switch_task_namespaces+0x87/0xc0
[ 42.544168]  do_exit+0x9bb/0x1ad0
[ 42.544172]  ? __handle_mm_fault+0x2330/0x3ce0
[ 42.544176]  ? mm_update_next_owner+0x930/0x930
[ 42.544181]  ? do_raw_spin_trylock+0x190/0x190
[ 42.544185]  ? trace_event_raw_event_sched_switch+0x800/0x800
[ 42.544189]  ? check_noncircular+0x20/0x20
[ 42.544192]  ? _raw_spin_unlock+0x22/0x30
[ 42.544196]  ? __handle_mm_fault+0x80e/0x3ce0
[ 42.544200]  ? check_noncircular+0x20/0x20
[ 42.544203]  ? __pmd_alloc+0x4e0/0x4e0
[ 42.544207]  ? find_held_lock+0x35/0x1d0
[ 42.544212]  ? handle_mm_fault+0x248/0x8d0
[ 42.544216]  ? find_held_lock+0x35/0x1d0
[ 42.544221]  ? __do_page_fault+0x5f7/0xc90
[ 42.544224]  ? lock_downgrade+0x980/0x980
[ 42.544229]  ? handle_mm_fault+0x410/0x8d0
[ 42.544232]  ? down_read_trylock+0xdb/0x170
[ 42.544235]  ? __do_page_fault+0x32d/0xc90
[ 42.544239]  ? __handle_mm_fault+0x3ce0/0x3ce0
[ 42.544242]  ? vmacache_find+0x5f/0x280
[ 42.544247]  do_group_exit+0x149/0x400
[ 42.544250]  ? __do_page_fault+0x3d6/0xc90
[ 42.544253]  ? SyS_exit+0x30/0x30
[ 42.544258]  ? do_fast_syscall_32+0x156/0xf9d
[ 42.544261]  ? do_group_exit+0x400/0x400
[ 42.544265]  SyS_exit_group+0x1d/0x20
[ 42.544268]  do_fast_syscall_32+0x3ee/0xf9d
[ 42.544273]  ? do_int80_syscall_32+0x9d0/0x9d0
[ 42.544276]  ? kasan_check_read+0x11/0x20
[ 42.544280]  ? syscall_return_slowpath+0x550/0x550
[ 42.544284]  ? SyS_rt_sigaction+0x94/0x1b0
[ 42.544288]  ? SyS_sigprocmask+0x4b0/0x4b0
[ 42.544290]  ? SyS_read+0x184/0x220
[ 42.544293]  ? retint_user+0x18/0x18
[ 42.544298]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 42.544303]  entry_SYSENTER_compat+0x54/0x63
[ 42.544305] RIP: 0023:0xf7ff2c79
[ 42.544307] RSP: 002b:00000000ff8c625c EFLAGS: 00000296 ORIG_RAX: 00000000000000fc
[ 42.544311] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00000000080f0298
[ 42.544312] RDX: 0000000000000000 RSI: 00000000080d9ab8 RDI: 00000000080f02a0
[ 42.544314] RBP: 0000000000000001 R08: 0000000000000000 R09: 0000000000000000
[ 42.544316] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
[ 42.544318] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[ 42.564511] Dumping ftrace buffer:
[ 42.564514]    (ftrace buffer empty)
[ 42.564516] Kernel Offset: disabled
[ 43.842955] Rebooting in 86400 seconds..