[....] Starting enhanced syslogd: rsyslogd[ 10.188910] audit: type=1400 audit(1514303170.552:5): avc: denied { syslog } for pid=2994 comm="rsyslogd" capability=34 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=capability2 permissive=1 [ ok ]. Starting mcstransd: [....] Starting periodic command scheduler: cron[ ok ]. [....] Starting OpenBSD Secure Shell server: sshd[ ok ]. [....] Starting file context maintaining daemon: restorecond[ ok ]. Debian GNU/Linux 7 syzkaller ttyS0 syzkaller login: [ 12.692428] audit: type=1400 audit(1514303173.056:6): avc: denied { map } for pid=3132 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1 Warning: Permanently added 'ci-upstream-next-kasan-gce-0,10.128.0.62' (ECDSA) to the list of known hosts. executing program [ 29.031254] audit: type=1400 audit(1514303189.395:7): avc: denied { map } for pid=3149 comm="syzkaller055897" path="/root/syzkaller055897436" dev="sda1" ino=16481 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1 [ 29.034757] ================================================================== [ 29.034769] BUG: KASAN: use-after-free in __lock_acquire+0x3d4d/0x3e00 [ 29.034773] Read of size 8 at addr ffff8801cd71adb8 by task syzkaller055897/3149 [ 29.034774] [ 29.034779] CPU: 1 PID: 3149 Comm: syzkaller055897 Not tainted 4.15.0-rc4-next-20171221+ #78 [ 29.034781] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 29.034783] Call Trace: [ 29.034789] dump_stack+0x194/0x257 [ 29.034794] ? arch_local_irq_restore+0x53/0x53 [ 29.034800] ? show_regs_print_info+0x18/0x18 [ 29.034804] ? print_irqtrace_events+0x270/0x270 [ 29.034807] ? __lock_acquire+0x664/0x3e00 [ 29.034812] ? 
__lock_acquire+0x3d4d/0x3e00 [ 29.034818] print_address_description+0x73/0x250 [ 29.034822] ? __lock_acquire+0x3d4d/0x3e00 [ 29.034826] kasan_report+0x25b/0x340 [ 29.034831] __asan_report_load8_noabort+0x14/0x20 [ 29.034835] __lock_acquire+0x3d4d/0x3e00 [ 29.034838] ? __lock_acquire+0x664/0x3e00 [ 29.034842] ? lock_downgrade+0x980/0x980 [ 29.034845] ? lock_downgrade+0x980/0x980 [ 29.034851] ? remove_wait_queue+0x81/0x350 [ 29.034857] ? debug_check_no_locks_freed+0x3c0/0x3c0 [ 29.034861] ? __lock_acquire+0x664/0x3e00 [ 29.034864] ? check_noncircular+0x20/0x20 [ 29.034872] ? debug_check_no_locks_freed+0x3c0/0x3c0 [ 29.034876] ? lock_acquire+0x1d5/0x580 [ 29.034880] ? lock_acquire+0x1d5/0x580 [ 29.034885] ? ep_free+0xf4/0x320 [ 29.034890] ? lock_release+0xa40/0xa40 [ 29.034895] ? trace_event_raw_event_sched_switch+0x800/0x800 [ 29.034899] ? print_irqtrace_events+0x270/0x270 [ 29.034905] ? rcu_note_context_switch+0x710/0x710 [ 29.034910] ? __might_sleep+0x95/0x190 [ 29.034913] ? ep_free+0xf4/0x320 [ 29.034919] ? __mutex_lock+0x16f/0x1a80 [ 29.034922] ? ep_free+0xf4/0x320 [ 29.034926] ? print_irqtrace_events+0x270/0x270 [ 29.034929] ? ep_free+0xf4/0x320 [ 29.034934] lock_acquire+0x1d5/0x580 [ 29.034937] ? lock_acquire+0x1d5/0x580 [ 29.034941] ? remove_wait_queue+0x81/0x350 [ 29.034945] ? __lock_acquire+0x664/0x3e00 [ 29.034949] ? lock_release+0xa40/0xa40 [ 29.034955] ? lock_acquire+0x1d5/0x580 [ 29.034958] ? lock_acquire+0x1d5/0x580 [ 29.034962] ? ep_unregister_pollwait.isra.7+0x323/0x590 [ 29.034967] _raw_spin_lock_irqsave+0x96/0xc0 [ 29.034971] ? remove_wait_queue+0x81/0x350 [ 29.034974] remove_wait_queue+0x81/0x350 [ 29.034979] ? add_wait_queue+0x290/0x290 [ 29.034983] ? rcutorture_record_progress+0x10/0x10 [ 29.034990] ep_unregister_pollwait.isra.7+0x18c/0x590 [ 29.034996] ? __kernel_text_address+0xd/0x40 [ 29.035007] ? clear_tfile_check_list+0x370/0x370 [ 29.035012] ? check_noncircular+0x20/0x20 [ 29.035018] ? 
locks_remove_file+0x3fa/0x5a0 [ 29.035024] ep_free+0x13f/0x320 [ 29.035028] ? ep_remove+0x800/0x800 [ 29.035031] ? fsnotify_first_mark+0x2b0/0x2b0 [ 29.035036] ? ep_free+0x320/0x320 [ 29.035039] ep_eventpoll_release+0x44/0x60 [ 29.035044] __fput+0x327/0x7e0 [ 29.035049] ? fput+0x140/0x140 [ 29.035053] ? _raw_spin_unlock_irq+0x27/0x70 [ 29.035058] ____fput+0x15/0x20 [ 29.035062] task_work_run+0x199/0x270 [ 29.035067] ? task_work_cancel+0x210/0x210 [ 29.035071] ? _raw_spin_unlock+0x22/0x30 [ 29.035075] ? switch_task_namespaces+0x87/0xc0 [ 29.035081] do_exit+0x9bb/0x1ad0 [ 29.035087] ? binder_ioctl+0x491/0x1417 [ 29.035091] ? mm_update_next_owner+0x930/0x930 [ 29.035095] ? binder_ioctl_write_read.isra.38+0xcb0/0xcb0 [ 29.035102] ? avc_ss_reset+0x110/0x110 [ 29.035106] ? mutex_unlock+0xd/0x10 [ 29.035110] ? SyS_epoll_ctl+0x30a/0x1a80 [ 29.035122] ? trace_event_raw_event_sched_switch+0x800/0x800 [ 29.035125] ? up_read+0x1a/0x40 [ 29.035129] ? rcu_note_context_switch+0x710/0x710 [ 29.035133] ? __fd_install+0x288/0x740 [ 29.035139] ? binder_ioctl_write_read.isra.38+0xcb0/0xcb0 [ 29.035143] ? do_vfs_ioctl+0x486/0x1520 [ 29.035147] ? _cond_resched+0x14/0x30 [ 29.035151] ? ioctl_preallocate+0x2b0/0x2b0 [ 29.035157] ? selinux_capable+0x40/0x40 [ 29.035161] ? __alloc_fd+0x750/0x750 [ 29.035166] do_group_exit+0x149/0x400 [ 29.035170] ? SyS_exit+0x30/0x30 [ 29.035174] ? trace_hardirqs_on_caller+0x421/0x5c0 [ 29.035180] ? 
trace_hardirqs_on_thunk+0x1a/0x1c [ 29.035185] SyS_exit_group+0x1d/0x20 [ 29.035189] entry_SYSCALL_64_fastpath+0x1f/0x96 [ 29.035192] RIP: 0033:0x4429f8 [ 29.035194] RSP: 002b:00007ffd53e19488 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7 [ 29.035198] RAX: ffffffffffffffda RBX: 00000000004002e0 RCX: 00000000004429f8 [ 29.035201] RDX: 0000000000000000 RSI: 000000000000003c RDI: 0000000000000000 [ 29.035203] RBP: 00000000006ce018 R08: 00000000000000e7 R09: ffffffffffffffd0 [ 29.035205] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000401a40 [ 29.035207] R13: 0000000000401ad0 R14: 0000000000000000 R15: 0000000000000000 [ 29.035212] [ 29.035215] Allocated by task 3149: [ 29.035219] save_stack+0x43/0xd0 [ 29.035222] kasan_kmalloc+0xad/0xe0 [ 29.035225] kmem_cache_alloc_trace+0x136/0x750 [ 29.035228] binder_get_thread+0x1cf/0x870 [ 29.035231] binder_poll+0x8c/0x390 [ 29.035234] ep_item_poll.isra.10+0xf2/0x320 [ 29.035236] ep_insert+0x6a2/0x1ac0 [ 29.035239] SyS_epoll_ctl+0x12bf/0x1a80 [ 29.035242] entry_SYSCALL_64_fastpath+0x1f/0x96 [ 29.035243] [ 29.035244] Freed by task 3149: [ 29.035247] save_stack+0x43/0xd0 [ 29.035250] kasan_slab_free+0x71/0xc0 [ 29.035252] kfree+0xd6/0x260 [ 29.035255] binder_thread_dec_tmpref+0x27f/0x310 [ 29.035258] binder_thread_release+0x27d/0x540 [ 29.035261] binder_ioctl+0xc02/0x1417 [ 29.035263] do_vfs_ioctl+0x1b1/0x1520 [ 29.035265] SyS_ioctl+0x8f/0xc0 [ 29.035268] entry_SYSCALL_64_fastpath+0x1f/0x96 [ 29.035269] [ 29.035272] The buggy address belongs to the object at ffff8801cd71ad00 [ 29.035272] which belongs to the cache kmalloc-512 of size 512 [ 29.035275] The buggy address is located 184 bytes inside of [ 29.035275] 512-byte region [ffff8801cd71ad00, ffff8801cd71af00) [ 29.035276] The buggy address belongs to the page: [ 29.035280] page:00000000a7fff95f count:1 mapcount:0 mapping:00000000f8f0020e index:0x0 [ 29.035283] flags: 0x2fffc0000000100(slab) [ 29.035289] raw: 02fffc0000000100 ffff8801cd71a080 0000000000000000 
0000000100000006 [ 29.035293] raw: ffffea000725c8e0 ffffea000725cc60 ffff8801dac00940 0000000000000000 [ 29.035295] page dumped because: kasan: bad access detected [ 29.035296] [ 29.035296] Memory state around the buggy address: [ 29.035299] ffff8801cd71ac80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 29.035302] ffff8801cd71ad00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 29.035305] >ffff8801cd71ad80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 29.035307] ^ [ 29.035311] ffff8801cd71ae00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 29.035314] ffff8801cd71ae80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 29.035316] ================================================================== [ 29.035317] Disabling lock debugging due to kernel taint [ 29.035320] Kernel panic - not syncing: panic_on_warn set ... [ 29.035320] [ 29.035326] CPU: 1 PID: 3149 Comm: syzkaller055897 Tainted: G B 4.15.0-rc4-next-20171221+ #78 [ 29.035329] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 29.035331] Call Trace: [ 29.035336] dump_stack+0x194/0x257 [ 29.035342] ? arch_local_irq_restore+0x53/0x53 [ 29.035346] ? kasan_end_report+0x32/0x50 [ 29.035350] ? lock_downgrade+0x980/0x980 [ 29.035353] ? vsnprintf+0x1ed/0x1900 [ 29.035357] ? __lock_acquire+0x3d30/0x3e00 [ 29.035360] panic+0x1e4/0x41c [ 29.035364] ? refcount_error_report+0x214/0x214 [ 29.035368] ? add_taint+0x40/0x50 [ 29.035371] ? add_taint+0x1c/0x50 [ 29.035375] ? __lock_acquire+0x3d4d/0x3e00 [ 29.035379] kasan_end_report+0x50/0x50 [ 29.035382] kasan_report+0x144/0x340 [ 29.035387] __asan_report_load8_noabort+0x14/0x20 [ 29.035391] __lock_acquire+0x3d4d/0x3e00 [ 29.035394] ? __lock_acquire+0x664/0x3e00 [ 29.035398] ? lock_downgrade+0x980/0x980 [ 29.035401] ? lock_downgrade+0x980/0x980 [ 29.035405] ? remove_wait_queue+0x81/0x350 [ 29.035410] ? debug_check_no_locks_freed+0x3c0/0x3c0 [ 29.035414] ? __lock_acquire+0x664/0x3e00 [ 29.035417] ? 
check_noncircular+0x20/0x20 [ 29.035424] ? debug_check_no_locks_freed+0x3c0/0x3c0 [ 29.035428] ? lock_acquire+0x1d5/0x580 [ 29.035432] ? lock_acquire+0x1d5/0x580 [ 29.035435] ? ep_free+0xf4/0x320 [ 29.035439] ? lock_release+0xa40/0xa40 [ 29.035443] ? trace_event_raw_event_sched_switch+0x800/0x800 [ 29.035447] ? print_irqtrace_events+0x270/0x270 [ 29.035451] ? rcu_note_context_switch+0x710/0x710 [ 29.035455] ? __might_sleep+0x95/0x190 [ 29.035458] ? ep_free+0xf4/0x320 [ 29.035462] ? __mutex_lock+0x16f/0x1a80 [ 29.035465] ? ep_free+0xf4/0x320 [ 29.035469] ? print_irqtrace_events+0x270/0x270 [ 29.035472] ? ep_free+0xf4/0x320 [ 29.035477] lock_acquire+0x1d5/0x580 [ 29.035480] ? lock_acquire+0x1d5/0x580 [ 29.035484] ? remove_wait_queue+0x81/0x350 [ 29.035487] ? __lock_acquire+0x664/0x3e00 [ 29.035496] ? lock_release+0xa40/0xa40 [ 29.035501] ? lock_acquire+0x1d5/0x580 [ 29.035504] ? lock_acquire+0x1d5/0x580 [ 29.035508] ? ep_unregister_pollwait.isra.7+0x323/0x590 [ 29.035512] _raw_spin_lock_irqsave+0x96/0xc0 [ 29.035516] ? remove_wait_queue+0x81/0x350 [ 29.035520] remove_wait_queue+0x81/0x350 [ 29.035524] ? add_wait_queue+0x290/0x290 [ 29.035528] ? rcutorture_record_progress+0x10/0x10 [ 29.035533] ep_unregister_pollwait.isra.7+0x18c/0x590 [ 29.035537] ? __kernel_text_address+0xd/0x40 [ 29.035542] ? clear_tfile_check_list+0x370/0x370 [ 29.035547] ? check_noncircular+0x20/0x20 [ 29.035551] ? locks_remove_file+0x3fa/0x5a0 [ 29.035556] ep_free+0x13f/0x320 [ 29.035560] ? ep_remove+0x800/0x800 [ 29.035563] ? fsnotify_first_mark+0x2b0/0x2b0 [ 29.035567] ? ep_free+0x320/0x320 [ 29.035571] ep_eventpoll_release+0x44/0x60 [ 29.035574] __fput+0x327/0x7e0 [ 29.035579] ? fput+0x140/0x140 [ 29.035583] ? _raw_spin_unlock_irq+0x27/0x70 [ 29.035588] ____fput+0x15/0x20 [ 29.035592] task_work_run+0x199/0x270 [ 29.035596] ? task_work_cancel+0x210/0x210 [ 29.035600] ? _raw_spin_unlock+0x22/0x30 [ 29.035603] ? switch_task_namespaces+0x87/0xc0 [ 29.035608] do_exit+0x9bb/0x1ad0 [ 29.035612] ? 
binder_ioctl+0x491/0x1417 [ 29.035616] ? mm_update_next_owner+0x930/0x930 [ 29.035620] ? binder_ioctl_write_read.isra.38+0xcb0/0xcb0 [ 29.035624] ? avc_ss_reset+0x110/0x110 [ 29.035628] ? mutex_unlock+0xd/0x10 [ 29.035632] ? SyS_epoll_ctl+0x30a/0x1a80 [ 29.035642] ? trace_event_raw_event_sched_switch+0x800/0x800 [ 29.035645] ? up_read+0x1a/0x40 [ 29.035649] ? rcu_note_context_switch+0x710/0x710 [ 29.035652] ? __fd_install+0x288/0x740 [ 29.035657] ? binder_ioctl_write_read.isra.38+0xcb0/0xcb0 [ 29.035660] ? do_vfs_ioctl+0x486/0x1520 [ 29.035664] ? _cond_resched+0x14/0x30 [ 29.035668] ? ioctl_preallocate+0x2b0/0x2b0 [ 29.035672] ? selinux_capable+0x40/0x40 [ 29.035676] ? __alloc_fd+0x750/0x750 [ 29.035681] do_group_exit+0x149/0x400 [ 29.035685] ? SyS_exit+0x30/0x30 [ 29.035689] ? trace_hardirqs_on_caller+0x421/0x5c0 [ 29.035693] ? trace_hardirqs_on_thunk+0x1a/0x1c [ 29.035697] SyS_exit_group+0x1d/0x20 [ 29.035701] entry_SYSCALL_64_fastpath+0x1f/0x96 [ 29.035703] RIP: 0033:0x4429f8 [ 29.035705] RSP: 002b:00007ffd53e19488 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7 [ 29.035709] RAX: ffffffffffffffda RBX: 00000000004002e0 RCX: 00000000004429f8 [ 29.035711] RDX: 0000000000000000 RSI: 000000000000003c RDI: 0000000000000000 [ 29.035713] RBP: 00000000006ce018 R08: 00000000000000e7 R09: ffffffffffffffd0 [ 29.035715] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000401a40 [ 29.035716] R13: 0000000000401ad0 R14: 0000000000000000 R15: 0000000000000000 [ 29.057140] Dumping ftrace buffer: [ 29.057144] (ftrace buffer empty) [ 29.057148] Kernel Offset: disabled [ 30.181564] Rebooting in 86400 seconds..