[....] Starting enhanced syslogd: rsyslogd[   11.313349] audit: type=1400 audit(1516486282.218:5): avc:  denied  { syslog } for  pid=3476 comm="rsyslogd" capability=34  scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=capability2 permissive=1
[?25l[?1c7[1G[[32m ok [39;49m8[?25h[?0c.
[....] Starting periodic command scheduler: cron[?25l[?1c7[1G[[32m ok [39;49m8[?25h[?0c.
Starting mcstransd: 
[....] Starting OpenBSD Secure Shell server: sshd[?25l[?1c7[1G[[32m ok [39;49m8[?25h[?0c.
[....] Starting file context maintaining daemon: restorecond[?25l[?1c7[1G[[32m ok [39;49m8[?25h[?0c.

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [   19.654994] audit: type=1400 audit(1516486290.559:6): avc:  denied  { map } for  pid=3616 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
Warning: Permanently added '10.128.15.240' (ECDSA) to the list of known hosts.
[   44.505612] audit: type=1400 audit(1516486315.410:7): avc:  denied  { map } for  pid=3633 comm="syz-execprog" path="/root/syz-execprog" dev="sda1" ino=16479 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
2018/01/20 22:11:55 parsed 1 programs
2018/01/20 22:11:55 executed programs: 0
[   44.783502] audit: type=1400 audit(1516486315.687:8): avc:  denied  { map } for  pid=3633 comm="syz-execprog" path="/root/syzkaller-shm360292205" dev="sda1" ino=16482 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:file_t:s0 tclass=file permissive=1
2018/01/20 22:12:00 executed programs: 636
[   51.388657] ==================================================================
[   51.396068] BUG: KASAN: use-after-free in __lock_acquire+0x3d4d/0x3e00
[   51.402720] Read of size 8 at addr ffff8801d0adfa20 by task syz-executor1/8180
[   51.410051] 
[   51.411668] CPU: 0 PID: 8180 Comm: syz-executor1 Not tainted 4.15.0-rc8-mm1+ #59
[   51.419171] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   51.428503] Call Trace:
[   51.431066]  dump_stack+0x194/0x257
[   51.434668]  ? arch_local_irq_restore+0x53/0x53
[   51.439309]  ? show_regs_print_info+0x18/0x18
[   51.445166]  ? __lock_acquire+0x3d4d/0x3e00
[   51.449726]  print_address_description+0x73/0x250
[   51.454546]  ? __lock_acquire+0x3d4d/0x3e00
[   51.458840]  kasan_report+0x23b/0x360
[   51.463220]  __asan_report_load8_noabort+0x14/0x20
[   51.468124]  __lock_acquire+0x3d4d/0x3e00
[   51.472247]  ? remove_wait_queue+0x81/0x350
[   51.476543]  ? debug_check_no_locks_freed+0x3c0/0x3c0
[   51.481705]  ? lock_downgrade+0x980/0x980
[   51.485823]  ? __schedule+0x2060/0x2060
[   51.489780]  ? find_held_lock+0x35/0x1d0
[   51.493824]  ? wait_for_completion+0xe0/0x770
[   51.498291]  ? lock_downgrade+0x980/0x980
[   51.502413]  ? lock_release+0xa40/0xa40
[   51.506365]  ? usleep_range+0x190/0x190
[   51.510318]  ? trace_event_raw_event_sched_switch+0x800/0x800
[   51.516181]  ? do_raw_spin_trylock+0x190/0x190
[   51.520741]  ? _raw_spin_unlock_irq+0x27/0x70
[   51.525207]  ? trace_hardirqs_on_caller+0x421/0x5c0
[   51.530197]  ? trace_hardirqs_on+0xd/0x10
[   51.534320]  ? _raw_spin_unlock_irq+0x27/0x70
[   51.538784]  ? wait_for_completion+0xe0/0x770
[   51.543257]  ? wait_for_completion_interruptible+0x7e0/0x7e0
[   51.549031]  ? __lockdep_init_map+0xe4/0x650
[   51.553419]  ? llist_add_batch+0xf3/0x180
[   51.557540]  lock_acquire+0x1d5/0x580
[   51.561319]  ? lock_acquire+0x1d5/0x580
[   51.565270]  ? remove_wait_queue+0x81/0x350
[   51.569564]  ? wake_up_process+0x10/0x20
[   51.573597]  ? lock_release+0xa40/0xa40
[   51.577547]  ? vhost_work_queue+0xc0/0xc0
[   51.581681]  ? vhost_poll_stop+0x90/0x90
[   51.585718]  ? wait_for_completion+0x770/0x770
[   51.590274]  _raw_spin_lock_irqsave+0x96/0xc0
[   51.594746]  ? remove_wait_queue+0x81/0x350
[   51.599056]  remove_wait_queue+0x81/0x350
[   51.604137]  ? add_wait_queue+0x290/0x290
[   51.608870]  ? vhost_poll_flush+0x3f/0x60
[   51.612992]  ? vhost_net_flush+0x209/0x2a0
[   51.617209]  vhost_dev_stop+0x15c/0x2a0
[   51.621160]  ? vhost_net_compat_ioctl+0x30/0x30
[   51.627786]  vhost_net_release+0x6e/0x190
[   51.631915]  __fput+0x327/0x7e0
[   51.635173]  ? fput+0x140/0x140
[   51.638722]  ? trace_event_raw_event_sched_switch+0x800/0x800
[   51.644591]  ? _raw_spin_unlock_irq+0x27/0x70
[   51.649065]  ____fput+0x15/0x20
[   51.652320]  task_work_run+0x199/0x270
[   51.656179]  ? task_work_cancel+0x210/0x210
[   51.660479]  ? _raw_spin_unlock+0x22/0x30
[   51.664597]  ? switch_task_namespaces+0x87/0xc0
[   51.669241]  do_exit+0x9bb/0x1ad0
[   51.672666]  ? mm_update_next_owner+0x930/0x930
[   51.678064]  ? debug_check_no_locks_freed+0x3c0/0x3c0
[   51.683227]  ? __might_sleep+0x95/0x190
[   51.687174]  ? find_held_lock+0x35/0x1d0
[   51.691209]  ? futex_wait+0x402/0x9a0
[   51.694982]  ? lock_downgrade+0x980/0x980
[   51.700113]  ? __unqueue_futex+0x1c0/0x290
[   51.704325]  ? lock_release+0xa40/0xa40
[   51.708271]  ? fault_in_user_writeable+0x90/0x90
[   51.712999]  ? do_raw_spin_trylock+0x190/0x190
[   51.718008]  ? futex_wake+0x680/0x680
[   51.721788]  ? mmdrop+0x18/0x30
[   51.725048]  ? check_noncircular+0x20/0x20
[   51.729258]  ? futex_wait+0x6a9/0x9a0
[   51.733039]  ? memset+0x31/0x40
[   51.736292]  ? find_held_lock+0x35/0x1d0
[   51.740330]  ? get_signal+0x7a9/0x16d0
[   51.744199]  ? lock_downgrade+0x980/0x980
[   51.748324]  do_group_exit+0x149/0x400
[   51.752183]  ? do_raw_spin_trylock+0x190/0x190
[   51.756745]  ? SyS_exit+0x30/0x30
[   51.760172]  ? _raw_spin_unlock_irq+0x27/0x70
[   51.764639]  ? trace_hardirqs_on_caller+0x421/0x5c0
[   51.769636]  get_signal+0x73a/0x16d0
[   51.773322]  ? ptrace_notify+0x130/0x130
[   51.777358]  ? exit_robust_list+0x240/0x240
[   51.781653]  ? __sched_text_start+0x8/0x8
[   51.785772]  ? vhost_net_stop_vq+0xf0/0xf0
[   51.789977]  ? avc_ss_reset+0x110/0x110
[   51.793930]  ? lock_downgrade+0x980/0x980
[   51.798054]  do_signal+0x90/0x1eb0
[   51.801569]  ? __lock_is_held+0xb6/0x140
[   51.805608]  ? setup_sigcontext+0x7d0/0x7d0
[   51.809905]  ? schedule+0xf5/0x430
[   51.813416]  ? __schedule+0x2060/0x2060
[   51.817363]  ? exit_to_usermode_loop+0x8c/0x2f0
[   51.822010]  exit_to_usermode_loop+0x258/0x2f0
[   51.826570]  ? ioctl_preallocate+0x2b0/0x2b0
[   51.830950]  ? trace_event_raw_event_sys_exit+0x260/0x260
[   51.836980]  ? selinux_capable+0x40/0x40
[   51.841273]  syscall_return_slowpath+0x490/0x550
[   51.846003]  ? prepare_exit_to_usermode+0x340/0x340
[   51.850998]  ? entry_SYSCALL_64_fastpath+0x73/0xa0
[   51.855915]  ? trace_hardirqs_on_caller+0x421/0x5c0
[   51.861304]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[   51.866041]  entry_SYSCALL_64_fastpath+0x9e/0xa0
[   51.870777] RIP: 0033:0x452ee9
[   51.873942] RSP: 002b:00007f94b8a49ce8 EFLAGS: 00000246 ORIG_RAX: 00000000000000ca
[   51.881622] RAX: fffffffffffffe00 RBX: 000000000071c0f0 RCX: 0000000000452ee9
[   51.888862] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 000000000071c0f0
[   51.896100] RBP: 000000000071c0f0 R08: 0000000000000000 R09: 000000000071c0c8
[   51.903342] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
[   51.910581] R13: 00007ffed48d465f R14: 00007f94b8a4a9c0 R15: 0000000000000006
[   51.917825] 
[   51.919426] Allocated by task 8169:
[   51.923033]  save_stack+0x43/0xd0
[   51.926458]  kasan_kmalloc+0xad/0xe0
[   51.930139]  kmem_cache_alloc_trace+0x136/0x750
[   51.934781]  eventfd_file_create.part.3+0x96/0x250
[   51.939686]  SyS_eventfd+0x2c/0x80
[   51.943199]  entry_SYSCALL_64_fastpath+0x29/0xa0
[   51.947919] 
[   51.949513] Freed by task 8180:
[   51.952760]  save_stack+0x43/0xd0
[   51.956180]  __kasan_slab_free+0x11a/0x170
[   51.961254]  kasan_slab_free+0xe/0x10
[   51.965028]  kfree+0xd9/0x260
[   51.968172]  eventfd_ctx_put+0x26/0x30
[   51.972033]  eventfd_release+0x52/0x60
[   51.975896]  __fput+0x327/0x7e0
[   51.979145]  ____fput+0x15/0x20
[   51.982403]  task_work_run+0x199/0x270
[   51.986264]  do_exit+0x9bb/0x1ad0
[   51.989688]  do_group_exit+0x149/0x400
[   51.993547]  get_signal+0x73a/0x16d0
[   51.997231]  do_signal+0x90/0x1eb0
[   52.000742]  exit_to_usermode_loop+0x258/0x2f0
[   52.005305]  syscall_return_slowpath+0x490/0x550
[   52.010036]  entry_SYSCALL_64_fastpath+0x9e/0xa0
[   52.014760] 
[   52.016358] The buggy address belongs to the object at ffff8801d0adfa00
[   52.016358]  which belongs to the cache kmalloc-96 of size 96
[   52.028812] The buggy address is located 32 bytes inside of
[   52.028812]  96-byte region [ffff8801d0adfa00, ffff8801d0adfa60)
[   52.040613] The buggy address belongs to the page:
[   52.045513] page:ffffea000742b7c0 count:1 mapcount:0 mapping:ffff8801d0adf000 index:0x0
[   52.053622] flags: 0x2fffc0000000100(slab)
[   52.057830] raw: 02fffc0000000100 ffff8801d0adf000 0000000000000000 0000000100000020
[   52.067167] raw: ffffea00072704a0 ffffea00071e3860 ffff8801dac004c0 0000000000000000
[   52.075276] page dumped because: kasan: bad access detected
[   52.080952] 
[   52.082550] Memory state around the buggy address:
[   52.087460]  ffff8801d0adf900: fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
[   52.094789]  ffff8801d0adf980: fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
[   52.102116] >ffff8801d0adfa00: fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
[   52.109442]                                ^
[   52.113821]  ffff8801d0adfa80: fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
[   52.121150]  ffff8801d0adfb00: fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
[   52.128476] ==================================================================
[   52.135805] Disabling lock debugging due to kernel taint
[   52.141753] Kernel panic - not syncing: panic_on_warn set ...
[   52.141753] 
[   52.149346] CPU: 0 PID: 8180 Comm: syz-executor1 Tainted: G    B            4.15.0-rc8-mm1+ #59
[   52.158151] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   52.167474] Call Trace:
[   52.170044]  dump_stack+0x194/0x257
[   52.173643]  ? arch_local_irq_restore+0x53/0x53
[   52.178281]  ? kasan_end_report+0x32/0x50
[   52.182402]  ? lock_downgrade+0x980/0x980
[   52.186524]  ? vsnprintf+0x1ed/0x1900
[   52.190297]  ? __lock_acquire+0x3cc0/0x3e00
[   52.194588]  panic+0x1e4/0x41c
[   52.197757]  ? refcount_error_report+0x214/0x214
[   52.202483]  ? add_taint+0x40/0x50
[   52.205990]  ? add_taint+0x1c/0x50
[   52.209502]  ? __lock_acquire+0x3d4d/0x3e00
[   52.213810]  kasan_end_report+0x50/0x50
[   52.217764]  kasan_report+0x148/0x360
[   52.221538]  __asan_report_load8_noabort+0x14/0x20
[   52.226438]  __lock_acquire+0x3d4d/0x3e00
[   52.230557]  ? remove_wait_queue+0x81/0x350
[   52.234849]  ? debug_check_no_locks_freed+0x3c0/0x3c0
[   52.240009]  ? lock_downgrade+0x980/0x980
[   52.244134]  ? __schedule+0x2060/0x2060
[   52.248081]  ? find_held_lock+0x35/0x1d0
[   52.252115]  ? wait_for_completion+0xe0/0x770
[   52.256582]  ? lock_downgrade+0x980/0x980
[   52.260698]  ? lock_release+0xa40/0xa40
[   52.264642]  ? usleep_range+0x190/0x190
[   52.268586]  ? trace_event_raw_event_sched_switch+0x800/0x800
[   52.274439]  ? do_raw_spin_trylock+0x190/0x190
[   52.279004]  ? _raw_spin_unlock_irq+0x27/0x70
[   52.283487]  ? trace_hardirqs_on_caller+0x421/0x5c0
[   52.288475]  ? trace_hardirqs_on+0xd/0x10
[   52.292594]  ? _raw_spin_unlock_irq+0x27/0x70
[   52.297061]  ? wait_for_completion+0xe0/0x770
[   52.301525]  ? wait_for_completion_interruptible+0x7e0/0x7e0
[   52.307294]  ? __lockdep_init_map+0xe4/0x650
[   52.311673]  ? llist_add_batch+0xf3/0x180
[   52.315792]  lock_acquire+0x1d5/0x580
[   52.319565]  ? lock_acquire+0x1d5/0x580
[   52.323514]  ? remove_wait_queue+0x81/0x350
[   52.327805]  ? wake_up_process+0x10/0x20
[   52.331838]  ? lock_release+0xa40/0xa40
[   52.335783]  ? vhost_work_queue+0xc0/0xc0
[   52.339901]  ? vhost_poll_stop+0x90/0x90
[   52.344893]  ? wait_for_completion+0x770/0x770
[   52.349741]  _raw_spin_lock_irqsave+0x96/0xc0
[   52.354210]  ? remove_wait_queue+0x81/0x350
[   52.358504]  remove_wait_queue+0x81/0x350
[   52.362644]  ? add_wait_queue+0x290/0x290
[   52.366769]  ? vhost_poll_flush+0x3f/0x60
[   52.370890]  ? vhost_net_flush+0x209/0x2a0
[   52.375095]  vhost_dev_stop+0x15c/0x2a0
[   52.379046]  ? vhost_net_compat_ioctl+0x30/0x30
[   52.383689]  vhost_net_release+0x6e/0x190
[   52.387809]  __fput+0x327/0x7e0
[   52.391064]  ? fput+0x140/0x140
[   52.394316]  ? trace_event_raw_event_sched_switch+0x800/0x800
[   52.400172]  ? _raw_spin_unlock_irq+0x27/0x70
[   52.404641]  ____fput+0x15/0x20
[   52.407897]  task_work_run+0x199/0x270
[   52.411761]  ? task_work_cancel+0x210/0x210
[   52.416056]  ? _raw_spin_unlock+0x22/0x30
[   52.420524]  ? switch_task_namespaces+0x87/0xc0
[   52.425166]  do_exit+0x9bb/0x1ad0
[   52.428592]  ? mm_update_next_owner+0x930/0x930
[   52.433233]  ? debug_check_no_locks_freed+0x3c0/0x3c0
[   52.438392]  ? __might_sleep+0x95/0x190
[   52.442343]  ? find_held_lock+0x35/0x1d0
[   52.446376]  ? futex_wait+0x402/0x9a0
[   52.450148]  ? lock_downgrade+0x980/0x980
[   52.454267]  ? __unqueue_futex+0x1c0/0x290
[   52.458474]  ? lock_release+0xa40/0xa40
[   52.462421]  ? fault_in_user_writeable+0x90/0x90
[   52.467147]  ? do_raw_spin_trylock+0x190/0x190
[   52.471698]  ? futex_wake+0x680/0x680
[   52.475470]  ? mmdrop+0x18/0x30
[   52.478733]  ? check_noncircular+0x20/0x20
[   52.482936]  ? futex_wait+0x6a9/0x9a0
[   52.486709]  ? memset+0x31/0x40
[   52.489973]  ? find_held_lock+0x35/0x1d0
[   52.494034]  ? get_signal+0x7a9/0x16d0
[   52.497901]  ? lock_downgrade+0x980/0x980
[   52.502027]  do_group_exit+0x149/0x400
[   52.505934]  ? do_raw_spin_trylock+0x190/0x190
[   52.510484]  ? SyS_exit+0x30/0x30
[   52.513911]  ? _raw_spin_unlock_irq+0x27/0x70
[   52.518377]  ? trace_hardirqs_on_caller+0x421/0x5c0
[   52.523368]  get_signal+0x73a/0x16d0
[   52.527209]  ? ptrace_notify+0x130/0x130
[   52.531242]  ? exit_robust_list+0x240/0x240
[   52.535537]  ? __sched_text_start+0x8/0x8
[   52.539657]  ? vhost_net_stop_vq+0xf0/0xf0
[   52.543863]  ? avc_ss_reset+0x110/0x110
[   52.547807]  ? lock_downgrade+0x980/0x980
[   52.551927]  do_signal+0x90/0x1eb0
[   52.555436]  ? __lock_is_held+0xb6/0x140
[   52.559470]  ? setup_sigcontext+0x7d0/0x7d0
[   52.563766]  ? schedule+0xf5/0x430
[   52.567281]  ? __schedule+0x2060/0x2060
[   52.571232]  ? exit_to_usermode_loop+0x8c/0x2f0
[   52.577695]  exit_to_usermode_loop+0x258/0x2f0
[   52.583903]  ? ioctl_preallocate+0x2b0/0x2b0
[   52.588279]  ? trace_event_raw_event_sys_exit+0x260/0x260
[   52.593787]  ? selinux_capable+0x40/0x40
[   52.597821]  syscall_return_slowpath+0x490/0x550
[   52.602547]  ? prepare_exit_to_usermode+0x340/0x340
[   52.608754]  ? entry_SYSCALL_64_fastpath+0x73/0xa0
[   52.613831]  ? trace_hardirqs_on_caller+0x421/0x5c0
[   52.618819]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[   52.626100]  entry_SYSCALL_64_fastpath+0x9e/0xa0
[   52.630827] RIP: 0033:0x452ee9
[   52.633985] RSP: 002b:00007f94b8a49ce8 EFLAGS: 00000246 ORIG_RAX: 00000000000000ca
[   52.642238] RAX: fffffffffffffe00 RBX: 000000000071c0f0 RCX: 0000000000452ee9
[   52.649669] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 000000000071c0f0
[   52.656912] RBP: 000000000071c0f0 R08: 0000000000000000 R09: 000000000071c0c8
[   52.664154] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
[   52.671398] R13: 00007ffed48d465f R14: 00007f94b8a4a9c0 R15: 0000000000000006
[   52.679075] Dumping ftrace buffer:
[   52.682589]    (ftrace buffer empty)
[   52.686268] Kernel Offset: disabled
[   52.689863] Rebooting in 86400 seconds..