[....] Starting enhanced syslogd: rsyslogd
[ 16.693008] audit: type=1400 audit(1520815095.938:5): avc: denied { syslog } for pid=4000 comm="rsyslogd" capability=34 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=capability2 permissive=1
[ ok ].
[....] Starting periodic command scheduler: cron [ ok ].
Starting mcstransd:
[....] Starting file context maintaining daemon: restorecond [ ok ].
[....] Starting OpenBSD Secure Shell server: sshd [ ok ].

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [ 22.599104] audit: type=1400 audit(1520815101.844:6): avc: denied { map } for pid=4138 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
Warning: Permanently added '10.128.0.42' (ECDSA) to the list of known hosts.
executing program
[ 28.909289] audit: type=1400 audit(1520815108.154:7): avc: denied { map } for pid=4152 comm="syzkaller668790" path="/root/syzkaller668790880" dev="sda1" ino=16481 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
[ 28.914480] ==================================================================
[ 28.942604] BUG: KASAN: use-after-free in ucma_close+0x2d7/0x2f0
[ 28.948721] Read of size 8 at addr ffff8801b8cc6bc0 by task syzkaller668790/4152
[ 28.956221]
[ 28.957822] CPU: 1 PID: 4152 Comm: syzkaller668790 Not tainted 4.16.0-rc4+ #350
[ 28.965249] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 28.974573] Call Trace:
[ 28.977137]  dump_stack+0x194/0x24d
[ 28.980750]  ? arch_local_irq_restore+0x53/0x53
[ 28.985393]  ? show_regs_print_info+0x18/0x18
[ 28.989867]  ? ucma_close+0x2d7/0x2f0
[ 28.993642]  print_address_description+0x73/0x250
[ 28.998457]  ? ucma_close+0x2d7/0x2f0
[ 29.002233]  kasan_report+0x23c/0x360
[ 29.006011]  __asan_report_load8_noabort+0x14/0x20
[ 29.010932]  ucma_close+0x2d7/0x2f0
[ 29.014533]  ? __might_sleep+0x95/0x190
[ 29.018481]  ? ucma_free_ctx+0xd90/0xd90
[ 29.022515]  __fput+0x327/0x7e0
[ 29.025782]  ? fput+0x140/0x140
[ 29.029037]  ? _raw_spin_unlock_irq+0x27/0x70
[ 29.033510]  ____fput+0x15/0x20
[ 29.036796]  task_work_run+0x199/0x270
[ 29.040662]  ? task_work_cancel+0x210/0x210
[ 29.044970]  ? _raw_spin_unlock+0x22/0x30
[ 29.049091]  ? switch_task_namespaces+0x87/0xc0
[ 29.053739]  do_exit+0x9bb/0x1ad0
[ 29.057163]  ? ucma_create_id+0x45b/0x620
[ 29.061287]  ? mm_update_next_owner+0x930/0x930
[ 29.065930]  ? ucma_create_id+0x17b/0x620
[ 29.070065]  ? ucma_get_event+0xa90/0xa90
[ 29.074195]  ? __might_sleep+0x95/0x190
[ 29.078151]  ? kasan_check_write+0x14/0x20
[ 29.082362]  ? _copy_from_user+0x99/0x110
[ 29.086486]  ? ucma_write+0x11f/0x3d0
[ 29.090257]  ? ucma_get_event+0xa90/0xa90
[ 29.094378]  ? ucma_resolve_route+0x1a0/0x1a0
[ 29.098857]  ? ucma_resolve_route+0x1a0/0x1a0
[ 29.103340]  ? __vfs_write+0xf7/0x970
[ 29.107116]  ? rcu_note_context_switch+0x710/0x710
[ 29.112019]  ? kernel_read+0x120/0x120
[ 29.115881]  ? __might_sleep+0x95/0x190
[ 29.119831]  ? _cond_resched+0x14/0x30
[ 29.123693]  ? __inode_security_revalidate+0xd9/0x130
[ 29.128863]  ? avc_policy_seqno+0x9/0x20
[ 29.132904]  ? security_file_permission+0x89/0x1e0
[ 29.137808]  ? rw_verify_area+0xe5/0x2b0
[ 29.141839]  ? __fdget_raw+0x20/0x20
[ 29.145527]  ? vfs_write+0x224/0x510
[ 29.149220]  do_group_exit+0x149/0x400
[ 29.153080]  ? SyS_write+0x184/0x220
[ 29.156766]  ? filp_open+0x70/0x70
[ 29.160277]  ? SyS_exit+0x30/0x30
[ 29.163702]  ? SyS_read+0x220/0x220
[ 29.167303]  ? do_syscall_64+0xb7/0x940
[ 29.171250]  ? do_group_exit+0x400/0x400
[ 29.175285]  SyS_exit_group+0x1d/0x20
[ 29.179069]  do_syscall_64+0x281/0x940
[ 29.182932]  ? __do_page_fault+0xc90/0xc90
[ 29.187143]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 29.191876]  ? syscall_return_slowpath+0x550/0x550
[ 29.196778]  ? syscall_return_slowpath+0x2ac/0x550
[ 29.201683]  ? prepare_exit_to_usermode+0x350/0x350
[ 29.206674]  ? entry_SYSCALL_64_after_hwframe+0x52/0xb7
[ 29.212016]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 29.216836]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 29.221997] RIP: 0033:0x43e978
[ 29.225159] RSP: 002b:00007fff5aa8f588 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
[ 29.232837] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 000000000043e978
[ 29.240077] RDX: 0000000000000000 RSI: 000000000000003c RDI: 0000000000000000
[ 29.247319] RBP: 00000000004be360 R08: 00000000000000e7 R09: ffffffffffffffd0
[ 29.254563] R10: 00000000004002c8 R11: 0000000000000246 R12: 0000000000000001
[ 29.261803] R13: 00000000006cc160 R14: 0000000000000000 R15: 0000000000000000
[ 29.269059]
[ 29.270661] Allocated by task 4152:
[ 29.274276]  save_stack+0x43/0xd0
[ 29.277701]  kasan_kmalloc+0xad/0xe0
[ 29.281387]  kmem_cache_alloc_trace+0x136/0x740
[ 29.286026]  ucma_alloc_ctx+0xce/0x610
[ 29.289885]  ucma_create_id+0x205/0x620
[ 29.293830]  ucma_write+0x2d6/0x3d0
[ 29.297427]  __vfs_write+0xef/0x970
[ 29.301024]  vfs_write+0x189/0x510
[ 29.304534]  SyS_write+0xef/0x220
[ 29.307961]  do_syscall_64+0x281/0x940
[ 29.311820]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 29.316977]
[ 29.318576] Freed by task 4152:
[ 29.321826]  save_stack+0x43/0xd0
[ 29.325249]  __kasan_slab_free+0x11a/0x170
[ 29.329453]  kasan_slab_free+0xe/0x10
[ 29.333225]  kfree+0xd9/0x260
[ 29.336301]  ucma_create_id+0x45b/0x620
[ 29.340246]  ucma_write+0x2d6/0x3d0
[ 29.343841]  __vfs_write+0xef/0x970
[ 29.347437]  vfs_write+0x189/0x510
[ 29.350947]  SyS_write+0xef/0x220
[ 29.354373]  do_syscall_64+0x281/0x940
[ 29.358232]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 29.363389]
[ 29.364990] The buggy address belongs to the object at ffff8801b8cc6b40
[ 29.364990]  which belongs to the cache kmalloc-256 of size 256
[ 29.377618] The buggy address is located 128 bytes inside of
[ 29.377618]  256-byte region [ffff8801b8cc6b40, ffff8801b8cc6c40)
[ 29.389477] The buggy address belongs to the page:
[ 29.394378] page:ffffea0006e33180 count:1 mapcount:0 mapping:ffff8801b8cc6000 index:0xffff8801b8cc6280
[ 29.403794] flags: 0x2fffc0000000100(slab)
[ 29.408002] raw: 02fffc0000000100 ffff8801b8cc6000 ffff8801b8cc6280 000000010000000a
[ 29.415854] raw: ffffea0006e4d220 ffffea0006ebf6a0 ffff8801dac007c0 0000000000000000
[ 29.423703] page dumped because: kasan: bad access detected
[ 29.429380]
[ 29.430976] Memory state around the buggy address:
[ 29.435874]  ffff8801b8cc6a80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 29.443202]  ffff8801b8cc6b00: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
[ 29.450530] >ffff8801b8cc6b80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 29.457858]                                            ^
[ 29.463279]  ffff8801b8cc6c00: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 29.470609]  ffff8801b8cc6c80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 29.477936] ==================================================================
[ 29.485263] Disabling lock debugging due to kernel taint
[ 29.490987] Kernel panic - not syncing: panic_on_warn set ...
[ 29.490987]
[ 29.498343] CPU: 1 PID: 4152 Comm: syzkaller668790 Tainted: G B 4.16.0-rc4+ #350
[ 29.507060] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 29.516393] Call Trace:
[ 29.518952]  dump_stack+0x194/0x24d
[ 29.522551]  ? arch_local_irq_restore+0x53/0x53
[ 29.527191]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 29.531916]  ? vsnprintf+0x1ed/0x1900
[ 29.535687]  ? ucma_close+0x280/0x2f0
[ 29.539460]  panic+0x1e4/0x41c
[ 29.542625]  ? refcount_error_report+0x214/0x214
[ 29.547364]  ? add_taint+0x1c/0x50
[ 29.550872]  ? add_taint+0x1c/0x50
[ 29.554392]  ? ucma_close+0x2d7/0x2f0
[ 29.558173]  kasan_end_report+0x50/0x50
[ 29.562119]  kasan_report+0x149/0x360
[ 29.565890]  __asan_report_load8_noabort+0x14/0x20
[ 29.570799]  ucma_close+0x2d7/0x2f0
[ 29.574398]  ? __might_sleep+0x95/0x190
[ 29.578342]  ? ucma_free_ctx+0xd90/0xd90
[ 29.582376]  __fput+0x327/0x7e0
[ 29.585629]  ? fput+0x140/0x140
[ 29.588884]  ? _raw_spin_unlock_irq+0x27/0x70
[ 29.593352]  ____fput+0x15/0x20
[ 29.596605]  task_work_run+0x199/0x270
[ 29.600463]  ? task_work_cancel+0x210/0x210
[ 29.604755]  ? _raw_spin_unlock+0x22/0x30
[ 29.608875]  ? switch_task_namespaces+0x87/0xc0
[ 29.613514]  do_exit+0x9bb/0x1ad0
[ 29.616936]  ? ucma_create_id+0x45b/0x620
[ 29.621067]  ? mm_update_next_owner+0x930/0x930
[ 29.625707]  ? ucma_create_id+0x17b/0x620
[ 29.629824]  ? ucma_get_event+0xa90/0xa90
[ 29.633960]  ? __might_sleep+0x95/0x190
[ 29.637907]  ? kasan_check_write+0x14/0x20
[ 29.642112]  ? _copy_from_user+0x99/0x110
[ 29.646231]  ? ucma_write+0x11f/0x3d0
[ 29.650003]  ? ucma_get_event+0xa90/0xa90
[ 29.654127]  ? ucma_resolve_route+0x1a0/0x1a0
[ 29.658603]  ? ucma_resolve_route+0x1a0/0x1a0
[ 29.663070]  ? __vfs_write+0xf7/0x970
[ 29.666841]  ? rcu_note_context_switch+0x710/0x710
[ 29.671740]  ? kernel_read+0x120/0x120
[ 29.675603]  ? __might_sleep+0x95/0x190
[ 29.679547]  ? _cond_resched+0x14/0x30
[ 29.683408]  ? __inode_security_revalidate+0xd9/0x130
[ 29.688567]  ? avc_policy_seqno+0x9/0x20
[ 29.692602]  ? security_file_permission+0x89/0x1e0
[ 29.697502]  ? rw_verify_area+0xe5/0x2b0
[ 29.701531]  ? __fdget_raw+0x20/0x20
[ 29.705214]  ? vfs_write+0x224/0x510
[ 29.708898]  do_group_exit+0x149/0x400
[ 29.712755]  ? SyS_write+0x184/0x220
[ 29.716435]  ? filp_open+0x70/0x70
[ 29.719944]  ? SyS_exit+0x30/0x30
[ 29.723366]  ? SyS_read+0x220/0x220
[ 29.726963]  ? do_syscall_64+0xb7/0x940
[ 29.730907]  ? do_group_exit+0x400/0x400
[ 29.734948]  SyS_exit_group+0x1d/0x20
[ 29.738718]  do_syscall_64+0x281/0x940
[ 29.742576]  ? __do_page_fault+0xc90/0xc90
[ 29.746781]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 29.751506]  ? syscall_return_slowpath+0x550/0x550
[ 29.756407]  ? syscall_return_slowpath+0x2ac/0x550
[ 29.761306]  ? prepare_exit_to_usermode+0x350/0x350
[ 29.766291]  ? entry_SYSCALL_64_after_hwframe+0x52/0xb7
[ 29.771628]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 29.776444]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 29.781605] RIP: 0033:0x43e978
[ 29.784764] RSP: 002b:00007fff5aa8f588 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
[ 29.792440] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 000000000043e978
[ 29.799680] RDX: 0000000000000000 RSI: 000000000000003c RDI: 0000000000000000
[ 29.806928] RBP: 00000000004be360 R08: 00000000000000e7 R09: ffffffffffffffd0
[ 29.814167] R10: 00000000004002c8 R11: 0000000000000246 R12: 0000000000000001
[ 29.821405] R13: 00000000006cc160 R14: 0000000000000000 R15: 0000000000000000
[ 29.829104] Dumping ftrace buffer:
[ 29.832620]    (ftrace buffer empty)
[ 29.836299] Kernel Offset: disabled
[ 29.839897] Rebooting in 86400 seconds..