[....] Starting enhanced syslogd: rsyslogd
[ 12.664767] audit: type=1400 audit(1515798464.410:5): avc: denied { syslog } for pid=3344 comm="rsyslogd" capability=34 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=capability2 permissive=1
[ ok ] Starting enhanced syslogd: rsyslogd.
[ ok ] Starting periodic command scheduler: cron.
Starting mcstransd:
[ ok ] Starting file context maintaining daemon: restorecond.
[ ok ] Starting OpenBSD Secure Shell server: sshd.

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login:
[ 18.450335] audit: type=1400 audit(1515798470.196:6): avc: denied { map } for pid=3484 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
Warning: Permanently added '10.128.0.19' (ECDSA) to the list of known hosts.
executing program
[ 24.695257] audit: type=1400 audit(1515798476.441:7): avc: denied { map } for pid=3498 comm="syzkaller917648" path="/root/syzkaller917648912" dev="sda1" ino=16481 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
[ 24.701754] ==================================================================
[ 24.701772] BUG: KASAN: use-after-free in __lock_acquire+0x3d4d/0x3e00
[ 24.701778] Read of size 8 at addr ffff8801c7c10870 by task syzkaller917648/3498
[ 24.701779]
[ 24.701787] CPU: 1 PID: 3498 Comm: syzkaller917648 Not tainted 4.15.0-rc7+ #259
[ 24.701790] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 24.701793] Call Trace:
[ 24.701804]  dump_stack+0x194/0x257
[ 24.701812]  ? arch_local_irq_restore+0x53/0x53
[ 24.701820]  ? show_regs_print_info+0x18/0x18
[ 24.701829]  ? __lock_acquire+0x3d4d/0x3e00
[ 24.701838]  print_address_description+0x73/0x250
[ 24.701845]  ? __lock_acquire+0x3d4d/0x3e00
[ 24.701851]  kasan_report+0x25b/0x340
[ 24.701860]  __asan_report_load8_noabort+0x14/0x20
[ 24.701865]  __lock_acquire+0x3d4d/0x3e00
[ 24.701873]  ? print_irqtrace_events+0x270/0x270
[ 24.701880]  ? unwind_get_return_address+0x61/0xa0
[ 24.701889]  ? remove_wait_queue+0x81/0x350
[ 24.701898]  ? debug_check_no_locks_freed+0x3c0/0x3c0
[ 24.701905]  ? __lock_acquire+0x664/0x3e00
[ 24.701911]  ? print_irqtrace_events+0x270/0x270
[ 24.701918]  ? __lock_acquire+0x664/0x3e00
[ 24.701928]  ? debug_check_no_locks_freed+0x3c0/0x3c0
[ 24.701937]  ? __lock_acquire+0x664/0x3e00
[ 24.701944]  ? debug_check_no_locks_freed+0x3c0/0x3c0
[ 24.701949]  ? __lock_acquire+0x664/0x3e00
[ 24.701955]  ? check_noncircular+0x20/0x20
[ 24.701963]  ? check_noncircular+0x20/0x20
[ 24.701970]  ? debug_check_no_locks_freed+0x3c0/0x3c0
[ 24.701976]  ? __lock_acquire+0x664/0x3e00
[ 24.701982]  ? check_noncircular+0x20/0x20
[ 24.701995]  lock_acquire+0x1d5/0x580
[ 24.702004]  ? lock_acquire+0x1d5/0x580
[ 24.702010]  ? remove_wait_queue+0x81/0x350
[ 24.702018]  ? lock_release+0xa40/0xa40
[ 24.702024]  ? print_irqtrace_events+0x270/0x270
[ 24.702030]  ? debug_check_no_locks_freed+0x3c0/0x3c0
[ 24.702038]  ? lock_acquire+0x1d5/0x580
[ 24.702044]  ? lock_acquire+0x1d5/0x580
[ 24.702051]  ? ep_unregister_pollwait.isra.7+0x323/0x590
[ 24.702060]  _raw_spin_lock_irqsave+0x96/0xc0
[ 24.702066]  ? remove_wait_queue+0x81/0x350
[ 24.702072]  remove_wait_queue+0x81/0x350
[ 24.702078]  ? eventpoll_release_file+0xba/0x140
[ 24.702085]  ? add_wait_queue+0x290/0x290
[ 24.702093]  ? rcutorture_record_progress+0x10/0x10
[ 24.702098]  ? mutex_lock_io_nested+0x1900/0x1900
[ 24.702108]  ep_unregister_pollwait.isra.7+0x18c/0x590
[ 24.702114]  ? debug_check_no_locks_freed+0x3c0/0x3c0
[ 24.702123]  ? clear_tfile_check_list+0x370/0x370
[ 24.702130]  ? debug_check_no_locks_freed+0x3c0/0x3c0
[ 24.702138]  ? rcutorture_record_progress+0x10/0x10
[ 24.702149]  ? is_bpf_text_address+0xa4/0x120
[ 24.702157]  ep_remove+0xcd/0x800
[ 24.702163]  ? unwind_get_return_address+0x61/0xa0
[ 24.702170]  ? ep_destroy_wakeup_source+0x240/0x240
[ 24.702176]  ? check_noncircular+0x20/0x20
[ 24.702183]  ? check_noncircular+0x20/0x20
[ 24.702192]  ? fsnotify+0x7b3/0x1140
[ 24.702205]  eventpoll_release_file+0xc5/0x140
[ 24.702214]  __fput+0x5f1/0x7e0
[ 24.702223]  ? fput+0x140/0x140
[ 24.702230]  ? _raw_spin_unlock_irq+0x27/0x70
[ 24.702238]  ____fput+0x15/0x20
[ 24.702246]  task_work_run+0x199/0x270
[ 24.702254]  ? task_work_cancel+0x210/0x210
[ 24.702260]  ? _raw_spin_unlock+0x22/0x30
[ 24.702266]  ? switch_task_namespaces+0x87/0xc0
[ 24.702276]  do_exit+0x9bb/0x1ad0
[ 24.702285]  ? binder_ioctl+0x4e1/0x1417
[ 24.702291]  ? mm_update_next_owner+0x930/0x930
[ 24.702299]  ? binder_ioctl_write_read.isra.38+0xcb0/0xcb0
[ 24.702309]  ? avc_ss_reset+0x110/0x110
[ 24.702315]  ? mutex_unlock+0xd/0x10
[ 24.702321]  ? SyS_epoll_ctl+0x30a/0x1ab0
[ 24.702340]  ? trace_event_raw_event_sched_switch+0x800/0x800
[ 24.702345]  ? up_read+0x1a/0x40
[ 24.702352]  ? rcu_note_context_switch+0x710/0x710
[ 24.702361]  ? binder_ioctl_write_read.isra.38+0xcb0/0xcb0
[ 24.702368]  ? do_vfs_ioctl+0x486/0x1520
[ 24.702372]  ? _cond_resched+0x14/0x30
[ 24.702380]  ? ioctl_preallocate+0x2b0/0x2b0
[ 24.702388]  ? selinux_capable+0x40/0x40
[ 24.702396]  ? putname+0xf3/0x130
[ 24.702404]  do_group_exit+0x149/0x400
[ 24.702411]  ? SyS_exit+0x30/0x30
[ 24.702418]  ? trace_hardirqs_on_caller+0x421/0x5c0
[ 24.702426]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 24.702434]  SyS_exit_group+0x1d/0x20
[ 24.702441]  entry_SYSCALL_64_fastpath+0x23/0x9a
[ 24.702446] RIP: 0033:0x4429f8
[ 24.702450] RSP: 002b:00007ffcd2ea56b8 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
[ 24.702456] RAX: ffffffffffffffda RBX: 00000000004002e0 RCX: 00000000004429f8
[ 24.702460] RDX: 0000000000000000 RSI: 000000000000003c RDI: 0000000000000000
[ 24.702463] RBP: 00000000006ce018 R08: 00000000000000e7 R09: ffffffffffffffd0
[ 24.702466] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000401a40
[ 24.702470] R13: 0000000000401ad0 R14: 0000000000000000 R15: 0000000000000000
[ 24.702478]
[ 24.702481] Allocated by task 3498:
[ 24.702487]  save_stack+0x43/0xd0
[ 24.702492]  kasan_kmalloc+0xad/0xe0
[ 24.702497]  kmem_cache_alloc_trace+0x136/0x750
[ 24.702502]  binder_get_thread+0x1cf/0x870
[ 24.702506]  binder_poll+0x8c/0x390
[ 24.702511]  ep_item_poll.isra.10+0xec/0x320
[ 24.702516]  ep_insert+0x6a3/0x1b10
[ 24.702522]  SyS_epoll_ctl+0x12e4/0x1ab0
[ 24.702527]  entry_SYSCALL_64_fastpath+0x23/0x9a
[ 24.702528]
[ 24.702530] Freed by task 3498:
[ 24.702535]  save_stack+0x43/0xd0
[ 24.702540]  kasan_slab_free+0x71/0xc0
[ 24.702544]  kfree+0xd6/0x260
[ 24.702549]  binder_thread_dec_tmpref+0x27f/0x310
[ 24.702553]  binder_thread_release+0x27d/0x540
[ 24.702558]  binder_ioctl+0xc02/0x1417
[ 24.702562]  do_vfs_ioctl+0x1b1/0x1520
[ 24.702566]  SyS_ioctl+0x8f/0xc0
[ 24.702572]  entry_SYSCALL_64_fastpath+0x23/0x9a
[ 24.702573]
[ 24.702577] The buggy address belongs to the object at ffff8801c7c107c0
[ 24.702577]  which belongs to the cache kmalloc-512 of size 512
[ 24.702582] The buggy address is located 176 bytes inside of
[ 24.702582]  512-byte region [ffff8801c7c107c0, ffff8801c7c109c0)
[ 24.702584] The buggy address belongs to the page:
[ 24.702589] page:ffffea00071f0400 count:1 mapcount:0 mapping:ffff8801c7c10040 index:0x0
[ 24.702595] flags: 0x2fffc0000000100(slab)
[ 24.702604] raw: 02fffc0000000100 ffff8801c7c10040 0000000000000000 0000000100000006
[ 24.702611] raw: ffffea000720cbe0 ffffea000721c0a0 ffff8801dac00940 0000000000000000
[ 24.702613] page dumped because: kasan: bad access detected
[ 24.702615]
[ 24.702616] Memory state around the buggy address:
[ 24.702621]  ffff8801c7c10700: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 24.702625]  ffff8801c7c10780: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
[ 24.702630] >ffff8801c7c10800: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 24.702632]                                                              ^
[ 24.702636]  ffff8801c7c10880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 24.702641]  ffff8801c7c10900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 24.702643] ==================================================================
[ 24.702644] Disabling lock debugging due to kernel taint
[ 24.702648] Kernel panic - not syncing: panic_on_warn set ...
[ 24.702648]
[ 24.702654] CPU: 1 PID: 3498 Comm: syzkaller917648 Tainted: G B 4.15.0-rc7+ #259
[ 24.702657] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 24.702659] Call Trace:
[ 24.702665]  dump_stack+0x194/0x257
[ 24.702672]  ? arch_local_irq_restore+0x53/0x53
[ 24.702682]  ? kasan_end_report+0x32/0x50
[ 24.702688]  ? lock_downgrade+0x980/0x980
[ 24.702695]  ? vsnprintf+0x1ed/0x1900
[ 24.702701]  ? __lock_acquire+0x3cb0/0x3e00
[ 24.702707]  panic+0x1e4/0x41c
[ 24.702712]  ? refcount_error_report+0x214/0x214
[ 24.702720]  ? add_taint+0x40/0x50
[ 24.702725]  ? add_taint+0x1c/0x50
[ 24.702732]  ? __lock_acquire+0x3d4d/0x3e00
[ 24.702738]  kasan_end_report+0x50/0x50
[ 24.702744]  kasan_report+0x144/0x340
[ 24.702752]  __asan_report_load8_noabort+0x14/0x20
[ 24.702757]  __lock_acquire+0x3d4d/0x3e00
[ 24.702764]  ? print_irqtrace_events+0x270/0x270
[ 24.702770]  ? unwind_get_return_address+0x61/0xa0
[ 24.702777]  ? remove_wait_queue+0x81/0x350
[ 24.702786]  ? debug_check_no_locks_freed+0x3c0/0x3c0
[ 24.702792]  ? __lock_acquire+0x664/0x3e00
[ 24.702799]  ? print_irqtrace_events+0x270/0x270
[ 24.702805]  ? __lock_acquire+0x664/0x3e00
[ 24.702815]  ? debug_check_no_locks_freed+0x3c0/0x3c0
[ 24.702824]  ? __lock_acquire+0x664/0x3e00
[ 24.702830]  ? debug_check_no_locks_freed+0x3c0/0x3c0
[ 24.702835]  ? __lock_acquire+0x664/0x3e00
[ 24.702841]  ? check_noncircular+0x20/0x20
[ 24.702849]  ? check_noncircular+0x20/0x20
[ 24.702856]  ? debug_check_no_locks_freed+0x3c0/0x3c0
[ 24.702862]  ? __lock_acquire+0x664/0x3e00
[ 24.702868]  ? check_noncircular+0x20/0x20
[ 24.702880]  lock_acquire+0x1d5/0x580
[ 24.702886]  ? lock_acquire+0x1d5/0x580
[ 24.702891]  ? remove_wait_queue+0x81/0x350
[ 24.702900]  ? lock_release+0xa40/0xa40
[ 24.702905]  ? print_irqtrace_events+0x270/0x270
[ 24.702911]  ? debug_check_no_locks_freed+0x3c0/0x3c0
[ 24.702919]  ? lock_acquire+0x1d5/0x580
[ 24.702925]  ? lock_acquire+0x1d5/0x580
[ 24.702931]  ? ep_unregister_pollwait.isra.7+0x323/0x590
[ 24.702939]  _raw_spin_lock_irqsave+0x96/0xc0
[ 24.702944]  ? remove_wait_queue+0x81/0x350
[ 24.702950]  remove_wait_queue+0x81/0x350
[ 24.702956]  ? eventpoll_release_file+0xba/0x140
[ 24.702964]  ? add_wait_queue+0x290/0x290
[ 24.702969]  ? rcutorture_record_progress+0x10/0x10
[ 24.702975]  ? mutex_lock_io_nested+0x1900/0x1900
[ 24.702984]  ep_unregister_pollwait.isra.7+0x18c/0x590
[ 24.702990]  ? debug_check_no_locks_freed+0x3c0/0x3c0
[ 24.702998]  ? clear_tfile_check_list+0x370/0x370
[ 24.703005]  ? debug_check_no_locks_freed+0x3c0/0x3c0
[ 24.703013]  ? rcutorture_record_progress+0x10/0x10
[ 24.703021]  ? is_bpf_text_address+0xa4/0x120
[ 24.703029]  ep_remove+0xcd/0x800
[ 24.703035]  ? unwind_get_return_address+0x61/0xa0
[ 24.703042]  ? ep_destroy_wakeup_source+0x240/0x240
[ 24.703048]  ? check_noncircular+0x20/0x20
[ 24.703055]  ? check_noncircular+0x20/0x20
[ 24.703064]  ? fsnotify+0x7b3/0x1140
[ 24.703076]  eventpoll_release_file+0xc5/0x140
[ 24.703083]  __fput+0x5f1/0x7e0
[ 24.703091]  ? fput+0x140/0x140
[ 24.703098]  ? _raw_spin_unlock_irq+0x27/0x70
[ 24.703107]  ____fput+0x15/0x20
[ 24.703113]  task_work_run+0x199/0x270
[ 24.703121]  ? task_work_cancel+0x210/0x210
[ 24.703127]  ? _raw_spin_unlock+0x22/0x30
[ 24.703133]  ? switch_task_namespaces+0x87/0xc0
[ 24.703140]  do_exit+0x9bb/0x1ad0
[ 24.703148]  ? binder_ioctl+0x4e1/0x1417
[ 24.703154]  ? mm_update_next_owner+0x930/0x930
[ 24.703161]  ? binder_ioctl_write_read.isra.38+0xcb0/0xcb0
[ 24.703170]  ? avc_ss_reset+0x110/0x110
[ 24.703175]  ? mutex_unlock+0xd/0x10
[ 24.703181]  ? SyS_epoll_ctl+0x30a/0x1ab0
[ 24.703199]  ? trace_event_raw_event_sched_switch+0x800/0x800
[ 24.703203]  ? up_read+0x1a/0x40
[ 24.703210]  ? rcu_note_context_switch+0x710/0x710
[ 24.703219]  ? binder_ioctl_write_read.isra.38+0xcb0/0xcb0
[ 24.703225]  ? do_vfs_ioctl+0x486/0x1520
[ 24.703229]  ? _cond_resched+0x14/0x30
[ 24.703237]  ? ioctl_preallocate+0x2b0/0x2b0
[ 24.703244]  ? selinux_capable+0x40/0x40
[ 24.703251]  ? putname+0xf3/0x130
[ 24.703259]  do_group_exit+0x149/0x400
[ 24.703266]  ? SyS_exit+0x30/0x30
[ 24.703273]  ? trace_hardirqs_on_caller+0x421/0x5c0
[ 24.703279]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 24.703287]  SyS_exit_group+0x1d/0x20
[ 24.703293]  entry_SYSCALL_64_fastpath+0x23/0x9a
[ 24.703297] RIP: 0033:0x4429f8
[ 24.703300] RSP: 002b:00007ffcd2ea56b8 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
[ 24.703305] RAX: ffffffffffffffda RBX: 00000000004002e0 RCX: 00000000004429f8
[ 24.703308] RDX: 0000000000000000 RSI: 000000000000003c RDI: 0000000000000000
[ 24.703312] RBP: 00000000006ce018 R08: 00000000000000e7 R09: ffffffffffffffd0
[ 24.703315] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000401a40
[ 24.703318] R13: 0000000000401ad0 R14: 0000000000000000 R15: 0000000000000000
[ 24.721612] Dumping ftrace buffer:
[ 24.721617]    (ftrace buffer empty)
[ 24.721620] Kernel Offset: disabled
[ 25.871743] Rebooting in 86400 seconds..