[ ok ] Starting enhanced syslogd: rsyslogd.
[ 10.503442] audit: type=1400 audit(1514403661.680:5): avc: denied { syslog } for pid=2993 comm="rsyslogd" capability=34 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=capability2 permissive=1
[ ok ] Starting periodic command scheduler: cron.
Starting mcstransd:
[ ok ] Starting file context maintaining daemon: restorecond.
[ ok ] Starting OpenBSD Secure Shell server: sshd.

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [ 12.953964] audit: type=1400 audit(1514403664.130:6): avc: denied { map } for pid=3132 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
Warning: Permanently added '10.128.15.206' (ECDSA) to the list of known hosts.
executing program
[ 34.446034] audit: type=1400 audit(1514403685.622:7): avc: denied { map } for pid=3151 comm="syzkaller050715" path="/root/syzkaller050715352" dev="sda1" ino=16481 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
[ 34.450370] ==================================================================
[ 34.450380] BUG: KASAN: use-after-free in __lock_acquire+0x3d4d/0x3e00
[ 34.450384] Read of size 8 at addr ffff8801c857f3f8 by task syzkaller050715/3151
[ 34.450385]
[ 34.450389] CPU: 1 PID: 3151 Comm: syzkaller050715 Not tainted 4.15.0-rc4-mm1+ #49
[ 34.450391] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 34.450393] Call Trace:
[ 34.450400]  dump_stack+0x194/0x257
[ 34.450405]  ? arch_local_irq_restore+0x53/0x53
[ 34.450410]  ? show_regs_print_info+0x18/0x18
[ 34.450413]  ? print_irqtrace_events+0x270/0x270
[ 34.450417]  ? __lock_acquire+0x664/0x3e00
[ 34.450421]  ? __lock_acquire+0x3d4d/0x3e00
[ 34.450428]  print_address_description+0x73/0x250
[ 34.450431]  ? __lock_acquire+0x3d4d/0x3e00
[ 34.450435]  kasan_report+0x23b/0x360
[ 34.450440]  __asan_report_load8_noabort+0x14/0x20
[ 34.450443]  __lock_acquire+0x3d4d/0x3e00
[ 34.450447]  ? __lock_acquire+0x664/0x3e00
[ 34.450450]  ? lock_downgrade+0x980/0x980
[ 34.450453]  ? lock_downgrade+0x980/0x980
[ 34.450459]  ? remove_wait_queue+0x81/0x350
[ 34.450465]  ? debug_check_no_locks_freed+0x3c0/0x3c0
[ 34.450469]  ? __lock_acquire+0x664/0x3e00
[ 34.450472]  ? check_noncircular+0x20/0x20
[ 34.450480]  ? debug_check_no_locks_freed+0x3c0/0x3c0
[ 34.450484]  ? lock_acquire+0x1d5/0x580
[ 34.450487]  ? lock_acquire+0x1d5/0x580
[ 34.450492]  ? ep_free+0xf4/0x320
[ 34.450497]  ? lock_release+0xa40/0xa40
[ 34.450502]  ? trace_event_raw_event_sched_switch+0x800/0x800
[ 34.450505]  ? print_irqtrace_events+0x270/0x270
[ 34.450511]  ? rcu_note_context_switch+0x710/0x710
[ 34.450515]  ? __might_sleep+0x95/0x190
[ 34.450519]  ? ep_free+0xf4/0x320
[ 34.450523]  ? __mutex_lock+0x16f/0x1a80
[ 34.450525]  ? ep_free+0xf4/0x320
[ 34.450530]  ? print_irqtrace_events+0x270/0x270
[ 34.450532]  ? ep_free+0xf4/0x320
[ 34.450538]  lock_acquire+0x1d5/0x580
[ 34.450541]  ? lock_acquire+0x1d5/0x580
[ 34.450544]  ? remove_wait_queue+0x81/0x350
[ 34.450548]  ? __lock_acquire+0x664/0x3e00
[ 34.450552]  ? lock_release+0xa40/0xa40
[ 34.450558]  ? lock_acquire+0x1d5/0x580
[ 34.450561]  ? lock_acquire+0x1d5/0x580
[ 34.450564]  ? ep_unregister_pollwait.isra.7+0x323/0x590
[ 34.450570]  _raw_spin_lock_irqsave+0x96/0xc0
[ 34.450573]  ? remove_wait_queue+0x81/0x350
[ 34.450577]  remove_wait_queue+0x81/0x350
[ 34.450582]  ? add_wait_queue+0x290/0x290
[ 34.450585]  ? rcutorture_record_progress+0x10/0x10
[ 34.450592]  ep_unregister_pollwait.isra.7+0x18c/0x590
[ 34.450602]  ? __kernel_text_address+0xd/0x40
[ 34.450607]  ? clear_tfile_check_list+0x370/0x370
[ 34.450612]  ? check_noncircular+0x20/0x20
[ 34.450618]  ? locks_remove_file+0x3fa/0x5a0
[ 34.450623]  ep_free+0x13f/0x320
[ 34.450627]  ? ep_remove+0x800/0x800
[ 34.450630]  ? fsnotify_first_mark+0x2b0/0x2b0
[ 34.450635]  ? ep_free+0x320/0x320
[ 34.450639]  ep_eventpoll_release+0x44/0x60
[ 34.450643]  __fput+0x327/0x7e0
[ 34.450648]  ? fput+0x140/0x140
[ 34.450653]  ? _raw_spin_unlock_irq+0x27/0x70
[ 34.450658]  ____fput+0x15/0x20
[ 34.450662]  task_work_run+0x199/0x270
[ 34.450666]  ? task_work_cancel+0x210/0x210
[ 34.450670]  ? _raw_spin_unlock+0x22/0x30
[ 34.450674]  ? switch_task_namespaces+0x87/0xc0
[ 34.450680]  do_exit+0x9bb/0x1ad0
[ 34.450687]  ? binder_ioctl+0x551/0x1417
[ 34.450690]  ? mm_update_next_owner+0x930/0x930
[ 34.450695]  ? binder_ioctl_write_read.isra.38+0xcb0/0xcb0
[ 34.450702]  ? avc_ss_reset+0x110/0x110
[ 34.450706]  ? mutex_unlock+0xd/0x10
[ 34.450709]  ? SyS_epoll_ctl+0x30a/0x1a80
[ 34.450721]  ? trace_event_raw_event_sched_switch+0x800/0x800
[ 34.450724]  ? up_read+0x1a/0x40
[ 34.450728]  ? rcu_note_context_switch+0x710/0x710
[ 34.450732]  ? __fd_install+0x288/0x740
[ 34.450737]  ? binder_ioctl_write_read.isra.38+0xcb0/0xcb0
[ 34.450741]  ? do_vfs_ioctl+0x486/0x1520
[ 34.450744]  ? _cond_resched+0x14/0x30
[ 34.450749]  ? ioctl_preallocate+0x2b0/0x2b0
[ 34.450753]  ? selinux_capable+0x40/0x40
[ 34.450757]  ? __alloc_fd+0x750/0x750
[ 34.450762]  do_group_exit+0x149/0x400
[ 34.450766]  ? SyS_exit+0x30/0x30
[ 34.450770]  ? trace_hardirqs_on_caller+0x421/0x5c0
[ 34.450776]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 34.450780]  SyS_exit_group+0x1d/0x20
[ 34.450784]  entry_SYSCALL_64_fastpath+0x1f/0x96
[ 34.450787] RIP: 0033:0x4429f8
[ 34.450789] RSP: 002b:00007ffc156979e8 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
[ 34.450794] RAX: ffffffffffffffda RBX: 00000000004002e0 RCX: 00000000004429f8
[ 34.450796] RDX: 0000000000000000 RSI: 000000000000003c RDI: 0000000000000000
[ 34.450798] RBP: 00000000006ce018 R08: 00000000000000e7 R09: ffffffffffffffd0
[ 34.450800] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000401a40
[ 34.450802] R13: 0000000000401ad0 R14: 0000000000000000 R15: 0000000000000000
[ 34.450808]
[ 34.450810] Allocated by task 3151:
[ 34.450814]  save_stack+0x43/0xd0
[ 34.450817]  kasan_kmalloc+0xad/0xe0
[ 34.450820]  kmem_cache_alloc_trace+0x136/0x750
[ 34.450823]  binder_get_thread+0x1cf/0x870
[ 34.450825]  binder_poll+0x8c/0x390
[ 34.450828]  ep_item_poll.isra.10+0xf2/0x320
[ 34.450831]  ep_insert+0x6a2/0x1ac0
[ 34.450834]  SyS_epoll_ctl+0x12bf/0x1a80
[ 34.450837]  entry_SYSCALL_64_fastpath+0x1f/0x96
[ 34.450837]
[ 34.450839] Freed by task 3151:
[ 34.450841]  save_stack+0x43/0xd0
[ 34.450844]  kasan_slab_free+0x71/0xc0
[ 34.450847]  kfree+0xd6/0x260
[ 34.450849]  binder_thread_dec_tmpref+0x27f/0x310
[ 34.450852]  binder_thread_release+0x27d/0x540
[ 34.450855]  binder_ioctl+0xc02/0x1417
[ 34.450857]  do_vfs_ioctl+0x1b1/0x1520
[ 34.450860]  SyS_ioctl+0x8f/0xc0
[ 34.450863]  entry_SYSCALL_64_fastpath+0x1f/0x96
[ 34.450863]
[ 34.450866] The buggy address belongs to the object at ffff8801c857f340
[ 34.450866]  which belongs to the cache kmalloc-512 of size 512
[ 34.450869] The buggy address is located 184 bytes inside of
[ 34.450869]  512-byte region [ffff8801c857f340, ffff8801c857f540)
[ 34.450870] The buggy address belongs to the page:
[ 34.450873] page:ffffea0007215fc0 count:1 mapcount:0 mapping:ffff8801c857f0c0 index:0x0
[ 34.450876] flags: 0x2fffc0000000100(slab)
[ 34.450882] raw: 02fffc0000000100 ffff8801c857f0c0 0000000000000000 0000000100000006
[ 34.450886] raw: ffffea000726e9a0 ffffea00072161a0 ffff8801dac00940 0000000000000000
[ 34.450888] page dumped because: kasan: bad access detected
[ 34.450888]
[ 34.450889] Memory state around the buggy address:
[ 34.450892]  ffff8801c857f280: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 34.450895]  ffff8801c857f300: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
[ 34.450897] >ffff8801c857f380: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 34.450899]                                                                 ^
[ 34.450902]  ffff8801c857f400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 34.450904]  ffff8801c857f480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 34.450906] ==================================================================
[ 34.450907] Disabling lock debugging due to kernel taint
[ 34.450909] Kernel panic - not syncing: panic_on_warn set ...
[ 34.450909]
[ 34.450913] CPU: 1 PID: 3151 Comm: syzkaller050715 Tainted: G B 4.15.0-rc4-mm1+ #49
[ 34.450915] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 34.450916] Call Trace:
[ 34.450919]  dump_stack+0x194/0x257
[ 34.450923]  ? arch_local_irq_restore+0x53/0x53
[ 34.450927]  ? kasan_end_report+0x32/0x50
[ 34.450930]  ? lock_downgrade+0x980/0x980
[ 34.450934]  ? vsnprintf+0x1ed/0x1900
[ 34.450937]  ? __lock_acquire+0x3c90/0x3e00
[ 34.450941]  panic+0x1e4/0x41c
[ 34.450944]  ? refcount_error_report+0x214/0x214
[ 34.450948]  ? add_taint+0x40/0x50
[ 34.450951]  ? add_taint+0x1c/0x50
[ 34.450955]  ? __lock_acquire+0x3d4d/0x3e00
[ 34.450959]  kasan_end_report+0x50/0x50
[ 34.450962]  kasan_report+0x148/0x360
[ 34.450967]  __asan_report_load8_noabort+0x14/0x20
[ 34.450970]  __lock_acquire+0x3d4d/0x3e00
[ 34.450973]  ? __lock_acquire+0x664/0x3e00
[ 34.450977]  ? lock_downgrade+0x980/0x980
[ 34.450980]  ? lock_downgrade+0x980/0x980
[ 34.450984]  ? remove_wait_queue+0x81/0x350
[ 34.450989]  ? debug_check_no_locks_freed+0x3c0/0x3c0
[ 34.450993]  ? __lock_acquire+0x664/0x3e00
[ 34.450996]  ? check_noncircular+0x20/0x20
[ 34.451006]  ? debug_check_no_locks_freed+0x3c0/0x3c0
[ 34.451010]  ? lock_acquire+0x1d5/0x580
[ 34.451013]  ? lock_acquire+0x1d5/0x580
[ 34.451016]  ? ep_free+0xf4/0x320
[ 34.451021]  ? lock_release+0xa40/0xa40
[ 34.451024]  ? trace_event_raw_event_sched_switch+0x800/0x800
[ 34.451028]  ? print_irqtrace_events+0x270/0x270
[ 34.451031]  ? rcu_note_context_switch+0x710/0x710
[ 34.451035]  ? __might_sleep+0x95/0x190
[ 34.451039]  ? ep_free+0xf4/0x320
[ 34.451042]  ? __mutex_lock+0x16f/0x1a80
[ 34.451044]  ? ep_free+0xf4/0x320
[ 34.451049]  ? print_irqtrace_events+0x270/0x270
[ 34.451051]  ? ep_free+0xf4/0x320
[ 34.451056]  lock_acquire+0x1d5/0x580
[ 34.451059]  ? lock_acquire+0x1d5/0x580
[ 34.451062]  ? remove_wait_queue+0x81/0x350
[ 34.451066]  ? __lock_acquire+0x664/0x3e00
[ 34.451070]  ? lock_release+0xa40/0xa40
[ 34.451075]  ? lock_acquire+0x1d5/0x580
[ 34.451078]  ? lock_acquire+0x1d5/0x580
[ 34.451082]  ? ep_unregister_pollwait.isra.7+0x323/0x590
[ 34.451086]  _raw_spin_lock_irqsave+0x96/0xc0
[ 34.451089]  ? remove_wait_queue+0x81/0x350
[ 34.451093]  remove_wait_queue+0x81/0x350
[ 34.451097]  ? add_wait_queue+0x290/0x290
[ 34.451101]  ? rcutorture_record_progress+0x10/0x10
[ 34.451106]  ep_unregister_pollwait.isra.7+0x18c/0x590
[ 34.451110]  ? __kernel_text_address+0xd/0x40
[ 34.451114]  ? clear_tfile_check_list+0x370/0x370
[ 34.451119]  ? check_noncircular+0x20/0x20
[ 34.451123]  ? locks_remove_file+0x3fa/0x5a0
[ 34.451128]  ep_free+0x13f/0x320
[ 34.451132]  ? ep_remove+0x800/0x800
[ 34.451135]  ? fsnotify_first_mark+0x2b0/0x2b0
[ 34.451139]  ? ep_free+0x320/0x320
[ 34.451142]  ep_eventpoll_release+0x44/0x60
[ 34.451146]  __fput+0x327/0x7e0
[ 34.451151]  ? fput+0x140/0x140
[ 34.451154]  ? _raw_spin_unlock_irq+0x27/0x70
[ 34.451159]  ____fput+0x15/0x20
[ 34.451163]  task_work_run+0x199/0x270
[ 34.451167]  ? task_work_cancel+0x210/0x210
[ 34.451170]  ? _raw_spin_unlock+0x22/0x30
[ 34.451174]  ? switch_task_namespaces+0x87/0xc0
[ 34.451179]  do_exit+0x9bb/0x1ad0
[ 34.451183]  ? binder_ioctl+0x551/0x1417
[ 34.451186]  ? mm_update_next_owner+0x930/0x930
[ 34.451191]  ? binder_ioctl_write_read.isra.38+0xcb0/0xcb0
[ 34.451195]  ? avc_ss_reset+0x110/0x110
[ 34.451199]  ? mutex_unlock+0xd/0x10
[ 34.451202]  ? SyS_epoll_ctl+0x30a/0x1a80
[ 34.451212]  ? trace_event_raw_event_sched_switch+0x800/0x800
[ 34.451215]  ? up_read+0x1a/0x40
[ 34.451219]  ? rcu_note_context_switch+0x710/0x710
[ 34.451222]  ? __fd_install+0x288/0x740
[ 34.451226]  ? binder_ioctl_write_read.isra.38+0xcb0/0xcb0
[ 34.451229]  ? do_vfs_ioctl+0x486/0x1520
[ 34.451233]  ? _cond_resched+0x14/0x30
[ 34.451237]  ? ioctl_preallocate+0x2b0/0x2b0
[ 34.451241]  ? selinux_capable+0x40/0x40
[ 34.451245]  ? __alloc_fd+0x750/0x750
[ 34.451249]  do_group_exit+0x149/0x400
[ 34.451253]  ? SyS_exit+0x30/0x30
[ 34.451257]  ? trace_hardirqs_on_caller+0x421/0x5c0
[ 34.451261]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 34.451265]  SyS_exit_group+0x1d/0x20
[ 34.451269]  entry_SYSCALL_64_fastpath+0x1f/0x96
[ 34.451271] RIP: 0033:0x4429f8
[ 34.451273] RSP: 002b:00007ffc156979e8 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
[ 34.451276] RAX: ffffffffffffffda RBX: 00000000004002e0 RCX: 00000000004429f8
[ 34.451278] RDX: 0000000000000000 RSI: 000000000000003c RDI: 0000000000000000
[ 34.451280] RBP: 00000000006ce018 R08: 00000000000000e7 R09: ffffffffffffffd0
[ 34.451282] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000401a40
[ 34.451284] R13: 0000000000401ad0 R14: 0000000000000000 R15: 0000000000000000
[ 34.471909] Dumping ftrace buffer:
[ 34.471913]    (ftrace buffer empty)
[ 34.471914] Kernel Offset: disabled
[ 35.598277] Rebooting in 86400 seconds..