[....] Starting enhanced syslogd: rsyslogd[   12.484075] audit: type=1400 audit(1515610365.776:5): avc:  denied  { syslog } for  pid=3340 comm="rsyslogd" capability=34  scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=capability2 permissive=1
[?25l[?1c7[1G[[32m ok [39;49m8[?25h[?0c.
[....] Starting periodic command scheduler: cron[?25l[?1c7[1G[[32m ok [39;49m8[?25h[?0c.
Starting mcstransd: 
[....] Starting file context maintaining daemon: restorecond[?25l[?1c7[1G[[32m ok [39;49m8[?25h[?0c.
[....] Starting OpenBSD Secure Shell server: sshd[?25l[?1c7[1G[[32m ok [39;49m8[?25h[?0c.

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [   19.202728] audit: type=1400 audit(1515610372.495:6): avc:  denied  { map } for  pid=3480 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
Warning: Permanently added '10.128.0.36' (ECDSA) to the list of known hosts.
executing program
[   25.403625] audit: type=1400 audit(1515610378.696:7): avc:  denied  { map } for  pid=3495 comm="syzkaller534093" path="/root/syzkaller534093450" dev="sda1" ino=16481 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
[   25.409316] ==================================================================
[   25.409330] BUG: KASAN: use-after-free in __lock_acquire+0x3d4d/0x3e00
[   25.409335] Read of size 8 at addr ffff8801c86273f8 by task syzkaller534093/3495
[   25.409337] 
[   25.409343] CPU: 1 PID: 3495 Comm: syzkaller534093 Not tainted 4.15.0-rc6-mm1+ #52
[   25.409347] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   25.409349] Call Trace:
[   25.409358]  dump_stack+0x194/0x257
[   25.409367]  ? arch_local_irq_restore+0x53/0x53
[   25.409375]  ? show_regs_print_info+0x18/0x18
[   25.409381]  ? __lock_acquire+0x664/0x3e00
[   25.409389]  ? __lock_acquire+0x3d4d/0x3e00
[   25.409398]  print_address_description+0x73/0x250
[   25.409404]  ? __lock_acquire+0x3d4d/0x3e00
[   25.409411]  kasan_report+0x23b/0x360
[   25.409420]  __asan_report_load8_noabort+0x14/0x20
[   25.409425]  __lock_acquire+0x3d4d/0x3e00
[   25.409432]  ? lock_downgrade+0x980/0x980
[   25.409442]  ? remove_wait_queue+0x81/0x350
[   25.409451]  ? debug_check_no_locks_freed+0x3c0/0x3c0
[   25.409458]  ? __lock_acquire+0x664/0x3e00
[   25.409463]  ? check_noncircular+0x20/0x20
[   25.409476]  ? debug_check_no_locks_freed+0x3c0/0x3c0
[   25.409483]  ? lock_acquire+0x1d5/0x580
[   25.409489]  ? lock_acquire+0x1d5/0x580
[   25.409494]  ? ep_free+0xf4/0x320
[   25.409501]  ? check_noncircular+0x20/0x20
[   25.409508]  ? lock_release+0xa40/0xa40
[   25.409514]  ? trace_event_raw_event_sched_switch+0x800/0x800
[   25.409520]  ? print_irqtrace_events+0x270/0x270
[   25.409527]  ? rcu_note_context_switch+0x710/0x710
[   25.409535]  ? __might_sleep+0x95/0x190
[   25.409541]  ? ep_free+0xf4/0x320
[   25.409547]  ? __mutex_lock+0x16f/0x1a80
[   25.409552]  ? ep_free+0xf4/0x320
[   25.409559]  ? print_irqtrace_events+0x270/0x270
[   25.409563]  ? ep_free+0xf4/0x320
[   25.409577]  lock_acquire+0x1d5/0x580
[   25.409582]  ? lock_acquire+0x1d5/0x580
[   25.409588]  ? remove_wait_queue+0x81/0x350
[   25.409594]  ? __lock_acquire+0x664/0x3e00
[   25.409602]  ? lock_release+0xa40/0xa40
[   25.409611]  ? lock_acquire+0x1d5/0x580
[   25.409616]  ? lock_acquire+0x1d5/0x580
[   25.409622]  ? ep_unregister_pollwait.isra.7+0x323/0x590
[   25.409629]  _raw_spin_lock_irqsave+0x96/0xc0
[   25.409635]  ? remove_wait_queue+0x81/0x350
[   25.409641]  remove_wait_queue+0x81/0x350
[   25.409648]  ? rcutorture_record_progress+0x10/0x10
[   25.409655]  ? add_wait_queue+0x290/0x290
[   25.409661]  ? rcutorture_record_progress+0x10/0x10
[   25.409670]  ep_unregister_pollwait.isra.7+0x18c/0x590
[   25.409678]  ? unwind_get_return_address+0x61/0xa0
[   25.409685]  ? clear_tfile_check_list+0x370/0x370
[   25.409693]  ? check_noncircular+0x20/0x20
[   25.409701]  ? locks_remove_file+0x3fa/0x5a0
[   25.409710]  ep_free+0x13f/0x320
[   25.409715]  ? ep_remove+0x800/0x800
[   25.409722]  ? fsnotify_first_mark+0x2b0/0x2b0
[   25.409729]  ? ep_free+0x320/0x320
[   25.409735]  ep_eventpoll_release+0x44/0x60
[   25.409742]  __fput+0x327/0x7e0
[   25.409749]  ? fput+0x140/0x140
[   25.409755]  ? _raw_spin_unlock_irq+0x27/0x70
[   25.409763]  ____fput+0x15/0x20
[   25.409769]  task_work_run+0x199/0x270
[   25.409776]  ? task_work_cancel+0x210/0x210
[   25.409782]  ? _raw_spin_unlock+0x22/0x30
[   25.409789]  ? switch_task_namespaces+0x87/0xc0
[   25.409799]  do_exit+0x9bb/0x1ad0
[   25.409808]  ? binder_ioctl+0x481/0x1417
[   25.409814]  ? mm_update_next_owner+0x930/0x930
[   25.409822]  ? binder_ioctl_write_read.isra.38+0xcb0/0xcb0
[   25.409833]  ? avc_ss_reset+0x110/0x110
[   25.409839]  ? mutex_unlock+0xd/0x10
[   25.409844]  ? SyS_epoll_ctl+0x30a/0x1a80
[   25.409864]  ? trace_event_raw_event_sched_switch+0x800/0x800
[   25.409869]  ? up_read+0x1a/0x40
[   25.409875]  ? rcu_note_context_switch+0x710/0x710
[   25.409881]  ? __fd_install+0x288/0x740
[   25.409890]  ? binder_ioctl_write_read.isra.38+0xcb0/0xcb0
[   25.409896]  ? do_vfs_ioctl+0x486/0x1520
[   25.409902]  ? _cond_resched+0x14/0x30
[   25.409909]  ? ioctl_preallocate+0x2b0/0x2b0
[   25.409916]  ? selinux_capable+0x40/0x40
[   25.409923]  ? __alloc_fd+0x750/0x750
[   25.409932]  do_group_exit+0x149/0x400
[   25.409939]  ? SyS_exit+0x30/0x30
[   25.409945]  ? trace_hardirqs_on_caller+0x421/0x5c0
[   25.409953]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[   25.409960]  SyS_exit_group+0x1d/0x20
[   25.409966]  entry_SYSCALL_64_fastpath+0x23/0x9a
[   25.409971] RIP: 0033:0x4429f8
[   25.409974] RSP: 002b:00007ffd8acc2a78 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
[   25.409980] RAX: ffffffffffffffda RBX: 00000000004002e0 RCX: 00000000004429f8
[   25.409984] RDX: 0000000000000000 RSI: 000000000000003c RDI: 0000000000000000
[   25.409987] RBP: 00000000006ce018 R08: 00000000000000e7 R09: ffffffffffffffd0
[   25.409990] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000401a40
[   25.409993] R13: 0000000000401ad0 R14: 0000000000000000 R15: 0000000000000000
[   25.410005] 
[   25.410008] Allocated by task 3495:
[   25.410014]  save_stack+0x43/0xd0
[   25.410019]  kasan_kmalloc+0xad/0xe0
[   25.410024]  kmem_cache_alloc_trace+0x136/0x750
[   25.410029]  binder_get_thread+0x1cf/0x870
[   25.410033]  binder_poll+0x8c/0x390
[   25.410038]  ep_item_poll.isra.10+0xf2/0x320
[   25.410042]  ep_insert+0x6a2/0x1ac0
[   25.410046]  SyS_epoll_ctl+0x12bf/0x1a80
[   25.410051]  entry_SYSCALL_64_fastpath+0x23/0x9a
[   25.410052] 
[   25.410054] Freed by task 3495:
[   25.410059]  save_stack+0x43/0xd0
[   25.410064]  __kasan_slab_free+0x11a/0x170
[   25.410069]  kasan_slab_free+0xe/0x10
[   25.410074]  kfree+0xd9/0x260
[   25.410078]  binder_thread_dec_tmpref+0x27f/0x310
[   25.410083]  binder_thread_release+0x27d/0x540
[   25.410088]  binder_ioctl+0xc02/0x1417
[   25.410093]  do_vfs_ioctl+0x1b1/0x1520
[   25.410097]  SyS_ioctl+0x8f/0xc0
[   25.410102]  entry_SYSCALL_64_fastpath+0x23/0x9a
[   25.410103] 
[   25.410107] The buggy address belongs to the object at ffff8801c8627340
[   25.410107]  which belongs to the cache kmalloc-512 of size 512
[   25.410112] The buggy address is located 184 bytes inside of
[   25.410112]  512-byte region [ffff8801c8627340, ffff8801c8627540)
[   25.410114] The buggy address belongs to the page:
[   25.410119] page:ffffea00072189c0 count:1 mapcount:0 mapping:ffff8801c86270c0 index:0xffff8801c8627d40
[   25.410124] flags: 0x2fffc0000000100(slab)
[   25.410133] raw: 02fffc0000000100 ffff8801c86270c0 ffff8801c8627d40 0000000100000002
[   25.410139] raw: ffffea0007209020 ffff8801dac01738 ffff8801dac00940 0000000000000000
[   25.410142] page dumped because: kasan: bad access detected
[   25.410143] 
[   25.410144] Memory state around the buggy address:
[   25.410149]  ffff8801c8627280: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[   25.410153]  ffff8801c8627300: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
[   25.410158] >ffff8801c8627380: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   25.410160]                                                                 ^
[   25.410164]  ffff8801c8627400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   25.410169]  ffff8801c8627480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   25.410170] ==================================================================
[   25.410172] Disabling lock debugging due to kernel taint
[   25.410175] Kernel panic - not syncing: panic_on_warn set ...
[   25.410175] 
[   25.410181] CPU: 1 PID: 3495 Comm: syzkaller534093 Tainted: G    B            4.15.0-rc6-mm1+ #52
[   25.410184] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   25.410185] Call Trace:
[   25.410192]  dump_stack+0x194/0x257
[   25.410200]  ? arch_local_irq_restore+0x53/0x53
[   25.410205]  ? kasan_end_report+0x32/0x50
[   25.410211]  ? lock_downgrade+0x980/0x980
[   25.410217]  ? vsnprintf+0x1ed/0x1900
[   25.410223]  ? __lock_acquire+0x3c50/0x3e00
[   25.410229]  panic+0x1e4/0x41c
[   25.410235]  ? refcount_error_report+0x214/0x214
[   25.410242]  ? add_taint+0x40/0x50
[   25.410247]  ? add_taint+0x1c/0x50
[   25.410254]  ? __lock_acquire+0x3d4d/0x3e00
[   25.410260]  kasan_end_report+0x50/0x50
[   25.410267]  kasan_report+0x148/0x360
[   25.410275]  __asan_report_load8_noabort+0x14/0x20
[   25.410281]  __lock_acquire+0x3d4d/0x3e00
[   25.410287]  ? lock_downgrade+0x980/0x980
[   25.410295]  ? remove_wait_queue+0x81/0x350
[   25.410304]  ? debug_check_no_locks_freed+0x3c0/0x3c0
[   25.410310]  ? __lock_acquire+0x664/0x3e00
[   25.410316]  ? check_noncircular+0x20/0x20
[   25.410328]  ? debug_check_no_locks_freed+0x3c0/0x3c0
[   25.410335]  ? lock_acquire+0x1d5/0x580
[   25.410340]  ? lock_acquire+0x1d5/0x580
[   25.410345]  ? ep_free+0xf4/0x320
[   25.410351]  ? check_noncircular+0x20/0x20
[   25.410358]  ? lock_release+0xa40/0xa40
[   25.410364]  ? trace_event_raw_event_sched_switch+0x800/0x800
[   25.410370]  ? print_irqtrace_events+0x270/0x270
[   25.410376]  ? rcu_note_context_switch+0x710/0x710
[   25.410384]  ? __might_sleep+0x95/0x190
[   25.410389]  ? ep_free+0xf4/0x320
[   25.410395]  ? __mutex_lock+0x16f/0x1a80
[   25.410399]  ? ep_free+0xf4/0x320
[   25.410406]  ? print_irqtrace_events+0x270/0x270
[   25.410411]  ? ep_free+0xf4/0x320
[   25.410419]  lock_acquire+0x1d5/0x580
[   25.410424]  ? lock_acquire+0x1d5/0x580
[   25.410430]  ? remove_wait_queue+0x81/0x350
[   25.410436]  ? __lock_acquire+0x664/0x3e00
[   25.410444]  ? lock_release+0xa40/0xa40
[   25.410453]  ? lock_acquire+0x1d5/0x580
[   25.410458]  ? lock_acquire+0x1d5/0x580
[   25.410463]  ? ep_unregister_pollwait.isra.7+0x323/0x590
[   25.410470]  _raw_spin_lock_irqsave+0x96/0xc0
[   25.410476]  ? remove_wait_queue+0x81/0x350
[   25.410483]  remove_wait_queue+0x81/0x350
[   25.410490]  ? rcutorture_record_progress+0x10/0x10
[   25.410496]  ? add_wait_queue+0x290/0x290
[   25.410502]  ? rcutorture_record_progress+0x10/0x10
[   25.410511]  ep_unregister_pollwait.isra.7+0x18c/0x590
[   25.410517]  ? unwind_get_return_address+0x61/0xa0
[   25.410525]  ? clear_tfile_check_list+0x370/0x370
[   25.410533]  ? check_noncircular+0x20/0x20
[   25.410539]  ? locks_remove_file+0x3fa/0x5a0
[   25.410548]  ep_free+0x13f/0x320
[   25.410553]  ? ep_remove+0x800/0x800
[   25.410559]  ? fsnotify_first_mark+0x2b0/0x2b0
[   25.410566]  ? ep_free+0x320/0x320
[   25.410575]  ep_eventpoll_release+0x44/0x60
[   25.410580]  __fput+0x327/0x7e0
[   25.410588]  ? fput+0x140/0x140
[   25.410594]  ? _raw_spin_unlock_irq+0x27/0x70
[   25.410601]  ____fput+0x15/0x20
[   25.410606]  task_work_run+0x199/0x270
[   25.410613]  ? task_work_cancel+0x210/0x210
[   25.410619]  ? _raw_spin_unlock+0x22/0x30
[   25.410625]  ? switch_task_namespaces+0x87/0xc0
[   25.410633]  do_exit+0x9bb/0x1ad0
[   25.410640]  ? binder_ioctl+0x481/0x1417
[   25.410646]  ? mm_update_next_owner+0x930/0x930
[   25.410654]  ? binder_ioctl_write_read.isra.38+0xcb0/0xcb0
[   25.410662]  ? avc_ss_reset+0x110/0x110
[   25.410668]  ? mutex_unlock+0xd/0x10
[   25.410673]  ? SyS_epoll_ctl+0x30a/0x1a80
[   25.410691]  ? trace_event_raw_event_sched_switch+0x800/0x800
[   25.410696]  ? up_read+0x1a/0x40
[   25.410703]  ? rcu_note_context_switch+0x710/0x710
[   25.410708]  ? __fd_install+0x288/0x740
[   25.410717]  ? binder_ioctl_write_read.isra.38+0xcb0/0xcb0
[   25.410722]  ? do_vfs_ioctl+0x486/0x1520
[   25.410727]  ? _cond_resched+0x14/0x30
[   25.410735]  ? ioctl_preallocate+0x2b0/0x2b0
[   25.410742]  ? selinux_capable+0x40/0x40
[   25.410749]  ? __alloc_fd+0x750/0x750
[   25.410757]  do_group_exit+0x149/0x400
[   25.410763]  ? SyS_exit+0x30/0x30
[   25.410770]  ? trace_hardirqs_on_caller+0x421/0x5c0
[   25.410776]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[   25.410784]  SyS_exit_group+0x1d/0x20
[   25.410790]  entry_SYSCALL_64_fastpath+0x23/0x9a
[   25.410793] RIP: 0033:0x4429f8
[   25.410796] RSP: 002b:00007ffd8acc2a78 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
[   25.410802] RAX: ffffffffffffffda RBX: 00000000004002e0 RCX: 00000000004429f8
[   25.410805] RDX: 0000000000000000 RSI: 000000000000003c RDI: 0000000000000000
[   25.410808] RBP: 00000000006ce018 R08: 00000000000000e7 R09: ffffffffffffffd0
[   25.410812] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000401a40
[   25.410815] R13: 0000000000401ad0 R14: 0000000000000000 R15: 0000000000000000
[   25.430085] Dumping ftrace buffer:
[   25.430089]    (ftrace buffer empty)
[   25.430092] Kernel Offset: disabled
[   26.559358] Rebooting in 86400 seconds..