[ 9.780684] audit: type=1400 audit(1513658782.324:5): avc: denied { syslog } for pid=2987 comm="rsyslogd" capability=34 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=capability2 permissive=1
[ ok ] Starting enhanced syslogd: rsyslogd.
[ ok ] Starting periodic command scheduler: cron.
Starting mcstransd:
[ ok ] Starting file context maintaining daemon: restorecond.
[ ok ] Starting OpenBSD Secure Shell server: sshd.

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [ 12.149784] audit: type=1400 audit(1513658784.693:6): avc: denied { map } for pid=3128 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
Warning: Permanently added 'ci-upstream-kasan-gce-386-1,10.128.0.9' (ECDSA) to the list of known hosts.
executing program
[ 23.683424] audit: type=1400 audit(1513658796.227:7): avc: denied { map } for pid=3143 comm="syzkaller098824" path="/root/syzkaller098824977" dev="sda1" ino=16481 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
[ 23.687104] ==================================================================
[ 23.687116] BUG: KASAN: use-after-free in __lock_acquire+0x3d4d/0x3e00
[ 23.687119] Read of size 8 at addr ffff8801c9ebf8b0 by task syzkaller098824/3143
[ 23.687120]
[ 23.687125] CPU: 0 PID: 3143 Comm: syzkaller098824 Not tainted 4.15.0-rc4+ #138
[ 23.687127] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 23.687128] Call Trace:
[ 23.687136]  dump_stack+0x194/0x257
[ 23.687142]  ? arch_local_irq_restore+0x53/0x53
[ 23.687147]  ? show_regs_print_info+0x18/0x18
[ 23.687152]  ? __lock_acquire+0x3d4d/0x3e00
[ 23.687158]  print_address_description+0x73/0x250
[ 23.687161]  ? __lock_acquire+0x3d4d/0x3e00
[ 23.687165]  kasan_report+0x25b/0x340
[ 23.687169]  __asan_report_load8_noabort+0x14/0x20
[ 23.687173]  __lock_acquire+0x3d4d/0x3e00
[ 23.687177]  ? print_irqtrace_events+0x270/0x270
[ 23.687181]  ? print_irqtrace_events+0x270/0x270
[ 23.687186]  ? remove_wait_queue+0x81/0x350
[ 23.687192]  ? debug_check_no_locks_freed+0x3c0/0x3c0
[ 23.687196]  ? __lock_acquire+0x664/0x3e00
[ 23.687200]  ? print_irqtrace_events+0x270/0x270
[ 23.687203]  ? __lock_acquire+0x664/0x3e00
[ 23.687209]  ? debug_check_no_locks_freed+0x3c0/0x3c0
[ 23.687214]  ? __lock_acquire+0x664/0x3e00
[ 23.687217]  ? debug_check_no_locks_freed+0x3c0/0x3c0
[ 23.687221]  ? __lock_acquire+0x664/0x3e00
[ 23.687224]  ? check_noncircular+0x20/0x20
[ 23.687229]  ? check_noncircular+0x20/0x20
[ 23.687232]  ? __lock_acquire+0x664/0x3e00
[ 23.687236]  ? debug_check_no_locks_freed+0x3c0/0x3c0
[ 23.687239]  ? check_noncircular+0x20/0x20
[ 23.687242]  ? debug_check_no_locks_freed+0x3c0/0x3c0
[ 23.687248]  ? debug_check_no_locks_freed+0x3c0/0x3c0
[ 23.687253]  lock_acquire+0x1d5/0x580
[ 23.687256]  ? lock_acquire+0x1d5/0x580
[ 23.687259]  ? remove_wait_queue+0x81/0x350
[ 23.687264]  ? lock_release+0xa40/0xa40
[ 23.687268]  ? trace_event_raw_event_sched_switch+0x800/0x800
[ 23.687274]  ? lock_acquire+0x1d5/0x580
[ 23.687276]  ? lock_acquire+0x1d5/0x580
[ 23.687283]  ? ep_unregister_pollwait.isra.7+0x323/0x590
[ 23.687288]  _raw_spin_lock_irqsave+0x96/0xc0
[ 23.687291]  ? remove_wait_queue+0x81/0x350
[ 23.687295]  remove_wait_queue+0x81/0x350
[ 23.687298]  ? eventpoll_release_file+0xba/0x140
[ 23.687302]  ? add_wait_queue+0x290/0x290
[ 23.687307]  ? rcutorture_record_progress+0x10/0x10
[ 23.687314]  ep_unregister_pollwait.isra.7+0x18c/0x590
[ 23.687317]  ? debug_check_no_locks_freed+0x3c0/0x3c0
[ 23.687323]  ? clear_tfile_check_list+0x370/0x370
[ 23.687326]  ? debug_check_no_locks_freed+0x3c0/0x3c0
[ 23.687332]  ? depot_save_stack+0x3b5/0x490
[ 23.687336]  ? lock_downgrade+0x980/0x980
[ 23.687343]  ? is_bpf_text_address+0xa4/0x120
[ 23.687347]  ep_remove+0xcd/0x800
[ 23.687352]  ? unwind_get_return_address+0x61/0xa0
[ 23.687356]  ? ep_destroy_wakeup_source+0x240/0x240
[ 23.687359]  ? check_noncircular+0x20/0x20
[ 23.687363]  ? check_noncircular+0x20/0x20
[ 23.687369]  ? fsnotify+0x7b3/0x1140
[ 23.687376]  eventpoll_release_file+0xc5/0x140
[ 23.687380]  __fput+0x5f1/0x7e0
[ 23.687385]  ? fput+0x140/0x140
[ 23.687388]  ? _raw_spin_unlock_irq+0x27/0x70
[ 23.687393]  ____fput+0x15/0x20
[ 23.687397]  task_work_run+0x199/0x270
[ 23.687402]  ? task_work_cancel+0x210/0x210
[ 23.687405]  ? _raw_spin_unlock+0x22/0x30
[ 23.687409]  ? switch_task_namespaces+0x87/0xc0
[ 23.687414]  do_exit+0x9bb/0x1ad0
[ 23.687419]  ? __handle_mm_fault+0x2330/0x3ce0
[ 23.687423]  ? mm_update_next_owner+0x930/0x930
[ 23.687429]  ? do_raw_spin_trylock+0x190/0x190
[ 23.687433]  ? trace_event_raw_event_sched_switch+0x800/0x800
[ 23.687436]  ? check_noncircular+0x20/0x20
[ 23.687440]  ? _raw_spin_unlock+0x22/0x30
[ 23.687443]  ? __handle_mm_fault+0x80e/0x3ce0
[ 23.687448]  ? check_noncircular+0x20/0x20
[ 23.687451]  ? __pmd_alloc+0x4e0/0x4e0
[ 23.687455]  ? find_held_lock+0x35/0x1d0
[ 23.687467]  ? handle_mm_fault+0x248/0x8d0
[ 23.687471]  ? find_held_lock+0x35/0x1d0
[ 23.687476]  ? __do_page_fault+0x5f7/0xc90
[ 23.687480]  ? lock_downgrade+0x980/0x980
[ 23.687485]  ? handle_mm_fault+0x410/0x8d0
[ 23.687488]  ? down_read_trylock+0xdb/0x170
[ 23.687491]  ? __do_page_fault+0x32d/0xc90
[ 23.687495]  ? __handle_mm_fault+0x3ce0/0x3ce0
[ 23.687500]  ? vmacache_find+0x5f/0x280
[ 23.687505]  do_group_exit+0x149/0x400
[ 23.687509]  ? __do_page_fault+0x3d6/0xc90
[ 23.687512]  ? SyS_exit+0x30/0x30
[ 23.687520]  ? do_fast_syscall_32+0x156/0xf9d
[ 23.687524]  ? do_group_exit+0x400/0x400
[ 23.687527]  SyS_exit_group+0x1d/0x20
[ 23.687531]  do_fast_syscall_32+0x3ee/0xf9d
[ 23.687536]  ? do_int80_syscall_32+0x9d0/0x9d0
[ 23.687539]  ? kasan_check_read+0x11/0x20
[ 23.687544]  ? syscall_return_slowpath+0x550/0x550
[ 23.687550]  ? SyS_rt_sigaction+0x94/0x1b0
[ 23.687554]  ? SyS_sigprocmask+0x4b0/0x4b0
[ 23.687556]  ? SyS_read+0x184/0x220
[ 23.687560]  ? retint_user+0x18/0x18
[ 23.687564]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 23.687570]  entry_SYSENTER_compat+0x54/0x63
[ 23.687573] RIP: 0023:0xf7f57c79
[ 23.687575] RSP: 002b:00000000ffed70ec EFLAGS: 00000292 ORIG_RAX: 00000000000000fc
[ 23.687580] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00000000080f0298
[ 23.687582] RDX: 0000000000000000 RSI: 00000000080d9ab8 RDI: 00000000080f02a0
[ 23.687584] RBP: 0000000000000001 R08: 0000000000000000 R09: 0000000000000000
[ 23.687586] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
[ 23.687588] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[ 23.687592]
[ 23.687594] Allocated by task 3143:
[ 23.687598]  save_stack+0x43/0xd0
[ 23.687600]  kasan_kmalloc+0xad/0xe0
[ 23.687606]  kmem_cache_alloc_trace+0x136/0x750
[ 23.687610]  binder_get_thread+0x1cf/0x870
[ 23.687613]  binder_poll+0x8c/0x390
[ 23.687615]  ep_item_poll.isra.10+0xec/0x320
[ 23.687618]  ep_insert+0x6a3/0x1b10
[ 23.687621]  SyS_epoll_ctl+0x12e4/0x1ab0
[ 23.687624]  do_fast_syscall_32+0x3ee/0xf9d
[ 23.687627]  entry_SYSENTER_compat+0x54/0x63
[ 23.687627]
[ 23.687629] Freed by task 3143:
[ 23.687631]  save_stack+0x43/0xd0
[ 23.687634]  kasan_slab_free+0x71/0xc0
[ 23.687637]  kfree+0xca/0x250
[ 23.687640]  binder_thread_dec_tmpref+0x27f/0x310
[ 23.687642]  binder_thread_release+0x27d/0x540
[ 23.687645]  binder_ioctl+0xc02/0x1417
[ 23.687648]  compat_SyS_ioctl+0x151/0x2a30
[ 23.687651]  do_fast_syscall_32+0x3ee/0xf9d
[ 23.687654]  entry_SYSENTER_compat+0x54/0x63
[ 23.687655]
[ 23.687658] The buggy address belongs to the object at ffff8801c9ebf800
[ 23.687658]  which belongs to the cache kmalloc-512 of size 512
[ 23.687661] The buggy address is located 176 bytes inside of
[ 23.687661]  512-byte region [ffff8801c9ebf800, ffff8801c9ebfa00)
[ 23.687662] The buggy address belongs to the page:
[ 23.687665] page:0000000049c211fd count:1 mapcount:0 mapping:0000000022f89b26 index:0x0
[ 23.687669] flags: 0x2fffc0000000100(slab)
[ 23.687675] raw: 02fffc0000000100 ffff8801c9ebf080 0000000000000000 0000000100000006
[ 23.687679] raw: ffffea000727b160 ffffea000725cea0 ffff8801db000940 0000000000000000
[ 23.687680] page dumped because: kasan: bad access detected
[ 23.687681]
[ 23.687682] Memory state around the buggy address:
[ 23.687685]  ffff8801c9ebf780: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 23.687688]  ffff8801c9ebf800: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 23.687690] >ffff8801c9ebf880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 23.687696]                                      ^
[ 23.687698]  ffff8801c9ebf900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 23.687701]  ffff8801c9ebf980: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 23.687702] ==================================================================
[ 23.687703] Disabling lock debugging due to kernel taint
[ 23.687705] Kernel panic - not syncing: panic_on_warn set ...
[ 23.687705]
[ 23.687709] CPU: 0 PID: 3143 Comm: syzkaller098824 Tainted: G    B 4.15.0-rc4+ #138
[ 23.687711] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 23.687712] Call Trace:
[ 23.687716]  dump_stack+0x194/0x257
[ 23.687721]  ? arch_local_irq_restore+0x53/0x53
[ 23.687724]  ? kasan_end_report+0x32/0x50
[ 23.687728]  ? lock_downgrade+0x980/0x980
[ 23.687732]  ? vsnprintf+0x1ed/0x1900
[ 23.687735]  ? __lock_acquire+0x3c90/0x3e00
[ 23.687739]  panic+0x1e4/0x41c
[ 23.687742]  ? refcount_error_report+0x214/0x214
[ 23.687746]  ? add_taint+0x40/0x50
[ 23.687749]  ? add_taint+0x1c/0x50
[ 23.687753]  ? __lock_acquire+0x3d4d/0x3e00
[ 23.687756]  kasan_end_report+0x50/0x50
[ 23.687760]  kasan_report+0x144/0x340
[ 23.687764]  __asan_report_load8_noabort+0x14/0x20
[ 23.687767]  __lock_acquire+0x3d4d/0x3e00
[ 23.687771]  ? print_irqtrace_events+0x270/0x270
[ 23.687775]  ? print_irqtrace_events+0x270/0x270
[ 23.687779]  ? remove_wait_queue+0x81/0x350
[ 23.687784]  ? debug_check_no_locks_freed+0x3c0/0x3c0
[ 23.687787]  ? __lock_acquire+0x664/0x3e00
[ 23.687791]  ? print_irqtrace_events+0x270/0x270
[ 23.687795]  ? __lock_acquire+0x664/0x3e00
[ 23.687800]  ? debug_check_no_locks_freed+0x3c0/0x3c0
[ 23.687805]  ? __lock_acquire+0x664/0x3e00
[ 23.687809]  ? debug_check_no_locks_freed+0x3c0/0x3c0
[ 23.687812]  ? __lock_acquire+0x664/0x3e00
[ 23.687815]  ? check_noncircular+0x20/0x20
[ 23.687820]  ? check_noncircular+0x20/0x20
[ 23.687823]  ? __lock_acquire+0x664/0x3e00
[ 23.687827]  ? debug_check_no_locks_freed+0x3c0/0x3c0
[ 23.687830]  ? check_noncircular+0x20/0x20
[ 23.687833]  ? debug_check_no_locks_freed+0x3c0/0x3c0
[ 23.687839]  ? debug_check_no_locks_freed+0x3c0/0x3c0
[ 23.687843]  lock_acquire+0x1d5/0x580
[ 23.687846]  ? lock_acquire+0x1d5/0x580
[ 23.687850]  ? remove_wait_queue+0x81/0x350
[ 23.687855]  ? lock_release+0xa40/0xa40
[ 23.687858]  ? trace_event_raw_event_sched_switch+0x800/0x800
[ 23.687863]  ? lock_acquire+0x1d5/0x580
[ 23.687866]  ? lock_acquire+0x1d5/0x580
[ 23.687870]  ? ep_unregister_pollwait.isra.7+0x323/0x590
[ 23.687874]  _raw_spin_lock_irqsave+0x96/0xc0
[ 23.687877]  ? remove_wait_queue+0x81/0x350
[ 23.687881]  remove_wait_queue+0x81/0x350
[ 23.687884]  ? eventpoll_release_file+0xba/0x140
[ 23.687888]  ? add_wait_queue+0x290/0x290
[ 23.687891]  ? rcutorture_record_progress+0x10/0x10
[ 23.687897]  ep_unregister_pollwait.isra.7+0x18c/0x590
[ 23.687901]  ? debug_check_no_locks_freed+0x3c0/0x3c0
[ 23.687906]  ? clear_tfile_check_list+0x370/0x370
[ 23.687910]  ? debug_check_no_locks_freed+0x3c0/0x3c0
[ 23.687913]  ? depot_save_stack+0x3b5/0x490
[ 23.687917]  ? lock_downgrade+0x980/0x980
[ 23.687922]  ? is_bpf_text_address+0xa4/0x120
[ 23.687926]  ep_remove+0xcd/0x800
[ 23.687930]  ? unwind_get_return_address+0x61/0xa0
[ 23.687934]  ? ep_destroy_wakeup_source+0x240/0x240
[ 23.687937]  ? check_noncircular+0x20/0x20
[ 23.687941]  ? check_noncircular+0x20/0x20
[ 23.687946]  ? fsnotify+0x7b3/0x1140
[ 23.687953]  eventpoll_release_file+0xc5/0x140
[ 23.687957]  __fput+0x5f1/0x7e0
[ 23.687962]  ? fput+0x140/0x140
[ 23.687965]  ? _raw_spin_unlock_irq+0x27/0x70
[ 23.687970]  ____fput+0x15/0x20
[ 23.687973]  task_work_run+0x199/0x270
[ 23.687978]  ? task_work_cancel+0x210/0x210
[ 23.687981]  ? _raw_spin_unlock+0x22/0x30
[ 23.687985]  ? switch_task_namespaces+0x87/0xc0
[ 23.687989]  do_exit+0x9bb/0x1ad0
[ 23.687992]  ? __handle_mm_fault+0x2330/0x3ce0
[ 23.687997]  ? mm_update_next_owner+0x930/0x930
[ 23.688005]  ? do_raw_spin_trylock+0x190/0x190
[ 23.688009]  ? trace_event_raw_event_sched_switch+0x800/0x800
[ 23.688012]  ? check_noncircular+0x20/0x20
[ 23.688016]  ? _raw_spin_unlock+0x22/0x30
[ 23.688019]  ? __handle_mm_fault+0x80e/0x3ce0
[ 23.688024]  ? check_noncircular+0x20/0x20
[ 23.688026]  ? __pmd_alloc+0x4e0/0x4e0
[ 23.688031]  ? find_held_lock+0x35/0x1d0
[ 23.688036]  ? handle_mm_fault+0x248/0x8d0
[ 23.688040]  ? find_held_lock+0x35/0x1d0
[ 23.688045]  ? __do_page_fault+0x5f7/0xc90
[ 23.688048]  ? lock_downgrade+0x980/0x980
[ 23.688053]  ? handle_mm_fault+0x410/0x8d0
[ 23.688056]  ? down_read_trylock+0xdb/0x170
[ 23.688059]  ? __do_page_fault+0x32d/0xc90
[ 23.688063]  ? __handle_mm_fault+0x3ce0/0x3ce0
[ 23.688066]  ? vmacache_find+0x5f/0x280
[ 23.688071]  do_group_exit+0x149/0x400
[ 23.688075]  ? __do_page_fault+0x3d6/0xc90
[ 23.688078]  ? SyS_exit+0x30/0x30
[ 23.688083]  ? do_fast_syscall_32+0x156/0xf9d
[ 23.688087]  ? do_group_exit+0x400/0x400
[ 23.688092]  SyS_exit_group+0x1d/0x20
[ 23.688097]  do_fast_syscall_32+0x3ee/0xf9d
[ 23.688104]  ? do_int80_syscall_32+0x9d0/0x9d0
[ 23.688108]  ? kasan_check_read+0x11/0x20
[ 23.688114]  ? syscall_return_slowpath+0x550/0x550
[ 23.688118]  ? SyS_rt_sigaction+0x94/0x1b0
[ 23.688122]  ? SyS_sigprocmask+0x4b0/0x4b0
[ 23.688124]  ? SyS_read+0x184/0x220
[ 23.688127]  ? retint_user+0x18/0x18
[ 23.688132]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 23.688137]  entry_SYSENTER_compat+0x54/0x63
[ 23.688139] RIP: 0023:0xf7f57c79
[ 23.688141] RSP: 002b:00000000ffed70ec EFLAGS: 00000292 ORIG_RAX: 00000000000000fc
[ 23.688145] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00000000080f0298
[ 23.688147] RDX: 0000000000000000 RSI: 00000000080d9ab8 RDI: 00000000080f02a0
[ 23.688149] RBP: 0000000000000001 R08: 0000000000000000 R09: 0000000000000000
[ 23.688150] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
[ 23.688152] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[ 23.709600] Dumping ftrace buffer:
[ 23.709604]    (ftrace buffer empty)
[ 23.709606] Kernel Offset: disabled
[ 24.977456] Rebooting in 86400 seconds..