[....] Starting enhanced syslogd: rsyslogd[   10.589223] audit: type=1400 audit(1514774598.631:5): avc:  denied  { syslog } for  pid=2992 comm="rsyslogd" capability=34  scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=capability2 permissive=1
[?25l[?1c7[1G[[32m ok [39;49m8[?25h[?0c.
[....] Starting periodic command scheduler: cron[?25l[?1c7[1G[[32m ok [39;49m8[?25h[?0c.
Starting mcstransd: 
[....] Starting file context maintaining daemon: restorecond[?25l[?1c7[1G[[32m ok [39;49m8[?25h[?0c.
[....] Starting OpenBSD Secure Shell server: sshd[?25l[?1c7[1G[[32m ok [39;49m8[?25h[?0c.

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [   17.063116] audit: type=1400 audit(1514774605.104:6): avc:  denied  { map } for  pid=3131 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
Warning: Permanently added '10.128.0.45' (ECDSA) to the list of known hosts.
executing program
[   23.265332] audit: type=1400 audit(1514774611.306:7): avc:  denied  { map } for  pid=3146 comm="syzkaller699699" path="/root/syzkaller699699706" dev="sda1" ino=16481 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
[   23.272748] ==================================================================
[   23.272767] BUG: KASAN: use-after-free in __lock_acquire+0x3d4d/0x3e00
[   23.272773] Read of size 8 at addr ffff8801c9af4378 by task syzkaller699699/3146
[   23.272775] 
[   23.272783] CPU: 1 PID: 3146 Comm: syzkaller699699 Not tainted 4.15.0-rc4-next-20171221+ #78
[   23.272787] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   23.272790] Call Trace:
[   23.272800]  dump_stack+0x194/0x257
[   23.272808]  ? arch_local_irq_restore+0x53/0x53
[   23.272818]  ? show_regs_print_info+0x18/0x18
[   23.272824]  ? print_irqtrace_events+0x270/0x270
[   23.272831]  ? __lock_acquire+0x664/0x3e00
[   23.272839]  ? __lock_acquire+0x3d4d/0x3e00
[   23.272848]  print_address_description+0x73/0x250
[   23.272855]  ? __lock_acquire+0x3d4d/0x3e00
[   23.272862]  kasan_report+0x25b/0x340
[   23.272871]  __asan_report_load8_noabort+0x14/0x20
[   23.272876]  __lock_acquire+0x3d4d/0x3e00
[   23.272882]  ? __lock_acquire+0x664/0x3e00
[   23.272887]  ? lock_downgrade+0x980/0x980
[   23.272892]  ? lock_downgrade+0x980/0x980
[   23.272901]  ? remove_wait_queue+0x81/0x350
[   23.272911]  ? debug_check_no_locks_freed+0x3c0/0x3c0
[   23.272918]  ? __lock_acquire+0x664/0x3e00
[   23.272925]  ? check_noncircular+0x20/0x20
[   23.272938]  ? debug_check_no_locks_freed+0x3c0/0x3c0
[   23.272946]  ? lock_acquire+0x1d5/0x580
[   23.272952]  ? lock_acquire+0x1d5/0x580
[   23.272958]  ? ep_free+0xf4/0x320
[   23.272968]  ? lock_release+0xa40/0xa40
[   23.272979]  ? trace_event_raw_event_sched_switch+0x800/0x800
[   23.272985]  ? print_irqtrace_events+0x270/0x270
[   23.272993]  ? rcu_note_context_switch+0x710/0x710
[   23.273004]  ? __might_sleep+0x95/0x190
[   23.273010]  ? ep_free+0xf4/0x320
[   23.273019]  ? __mutex_lock+0x16f/0x1a80
[   23.273024]  ? ep_free+0xf4/0x320
[   23.273031]  ? print_irqtrace_events+0x270/0x270
[   23.273036]  ? ep_free+0xf4/0x320
[   23.273048]  lock_acquire+0x1d5/0x580
[   23.273054]  ? lock_acquire+0x1d5/0x580
[   23.273060]  ? remove_wait_queue+0x81/0x350
[   23.273067]  ? __lock_acquire+0x664/0x3e00
[   23.273078]  ? lock_release+0xa40/0xa40
[   23.273089]  ? lock_acquire+0x1d5/0x580
[   23.273095]  ? lock_acquire+0x1d5/0x580
[   23.273104]  ? ep_unregister_pollwait.isra.7+0x323/0x590
[   23.273114]  _raw_spin_lock_irqsave+0x96/0xc0
[   23.273120]  ? remove_wait_queue+0x81/0x350
[   23.273127]  remove_wait_queue+0x81/0x350
[   23.273136]  ? add_wait_queue+0x290/0x290
[   23.273149]  ? rcutorture_record_progress+0x10/0x10
[   23.273160]  ep_unregister_pollwait.isra.7+0x18c/0x590
[   23.273170]  ? __kernel_text_address+0xd/0x40
[   23.273179]  ? clear_tfile_check_list+0x370/0x370
[   23.273188]  ? check_noncircular+0x20/0x20
[   23.273198]  ? locks_remove_file+0x3fa/0x5a0
[   23.273208]  ep_free+0x13f/0x320
[   23.273214]  ? ep_remove+0x800/0x800
[   23.273220]  ? fsnotify_first_mark+0x2b0/0x2b0
[   23.273229]  ? ep_free+0x320/0x320
[   23.273235]  ep_eventpoll_release+0x44/0x60
[   23.273244]  __fput+0x327/0x7e0
[   23.273253]  ? fput+0x140/0x140
[   23.273260]  ? _raw_spin_unlock_irq+0x27/0x70
[   23.273269]  ____fput+0x15/0x20
[   23.273275]  task_work_run+0x199/0x270
[   23.273287]  ? task_work_cancel+0x210/0x210
[   23.273294]  ? _raw_spin_unlock+0x22/0x30
[   23.273301]  ? switch_task_namespaces+0x87/0xc0
[   23.273311]  do_exit+0x9bb/0x1ad0
[   23.273320]  ? binder_ioctl+0x491/0x1417
[   23.273326]  ? mm_update_next_owner+0x930/0x930
[   23.273334]  ? binder_ioctl_write_read.isra.38+0xcb0/0xcb0
[   23.273345]  ? avc_ss_reset+0x110/0x110
[   23.273352]  ? mutex_unlock+0xd/0x10
[   23.273358]  ? SyS_epoll_ctl+0x30a/0x1a80
[   23.273378]  ? trace_event_raw_event_sched_switch+0x800/0x800
[   23.273382]  ? up_read+0x1a/0x40
[   23.273388]  ? rcu_note_context_switch+0x710/0x710
[   23.273394]  ? __fd_install+0x288/0x740
[   23.273403]  ? binder_ioctl_write_read.isra.38+0xcb0/0xcb0
[   23.273410]  ? do_vfs_ioctl+0x486/0x1520
[   23.273415]  ? _cond_resched+0x14/0x30
[   23.273422]  ? ioctl_preallocate+0x2b0/0x2b0
[   23.273431]  ? selinux_capable+0x40/0x40
[   23.273437]  ? __alloc_fd+0x750/0x750
[   23.273445]  do_group_exit+0x149/0x400
[   23.273452]  ? SyS_exit+0x30/0x30
[   23.273459]  ? trace_hardirqs_on_caller+0x421/0x5c0
[   23.273468]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[   23.273475]  SyS_exit_group+0x1d/0x20
[   23.273481]  entry_SYSCALL_64_fastpath+0x1f/0x96
[   23.273485] RIP: 0033:0x4429f8
[   23.273488] RSP: 002b:00007ffd153c88e8 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
[   23.273494] RAX: ffffffffffffffda RBX: 00000000004002e0 RCX: 00000000004429f8
[   23.273497] RDX: 0000000000000000 RSI: 000000000000003c RDI: 0000000000000000
[   23.273501] RBP: 00000000006ce018 R08: 00000000000000e7 R09: ffffffffffffffd0
[   23.273504] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000401a40
[   23.273507] R13: 0000000000401ad0 R14: 0000000000000000 R15: 0000000000000000
[   23.273515] 
[   23.273518] Allocated by task 3146:
[   23.273526]  save_stack+0x43/0xd0
[   23.273531]  kasan_kmalloc+0xad/0xe0
[   23.273536]  kmem_cache_alloc_trace+0x136/0x750
[   23.273540]  binder_get_thread+0x1cf/0x870
[   23.273544]  binder_poll+0x8c/0x390
[   23.273549]  ep_item_poll.isra.10+0xf2/0x320
[   23.273553]  ep_insert+0x6a2/0x1ac0
[   23.273558]  SyS_epoll_ctl+0x12bf/0x1a80
[   23.273562]  entry_SYSCALL_64_fastpath+0x1f/0x96
[   23.273563] 
[   23.273565] Freed by task 3146:
[   23.273570]  save_stack+0x43/0xd0
[   23.273574]  kasan_slab_free+0x71/0xc0
[   23.273578]  kfree+0xd6/0x260
[   23.273582]  binder_thread_dec_tmpref+0x27f/0x310
[   23.273587]  binder_thread_release+0x27d/0x540
[   23.273591]  binder_ioctl+0xc02/0x1417
[   23.273595]  do_vfs_ioctl+0x1b1/0x1520
[   23.273603]  SyS_ioctl+0x8f/0xc0
[   23.273608]  entry_SYSCALL_64_fastpath+0x1f/0x96
[   23.273609] 
[   23.273613] The buggy address belongs to the object at ffff8801c9af42c0
[   23.273613]  which belongs to the cache kmalloc-512 of size 512
[   23.273618] The buggy address is located 184 bytes inside of
[   23.273618]  512-byte region [ffff8801c9af42c0, ffff8801c9af44c0)
[   23.273620] The buggy address belongs to the page:
[   23.273625] page:00000000c44ceefd count:1 mapcount:0 mapping:0000000087de6dcd index:0x0
[   23.273631] flags: 0x2fffc0000000100(slab)
[   23.273640] raw: 02fffc0000000100 ffff8801c9af4040 0000000000000000 0000000100000006
[   23.273646] raw: ffffea0007231760 ffffea00072361a0 ffff8801dac00940 0000000000000000
[   23.273648] page dumped because: kasan: bad access detected
[   23.273649] 
[   23.273653] Memory state around the buggy address:
[   23.273659]  ffff8801c9af4200: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[   23.273663]  ffff8801c9af4280: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
[   23.273667] >ffff8801c9af4300: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   23.273669]                                                                 ^
[   23.273675]  ffff8801c9af4380: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   23.273679]  ffff8801c9af4400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   23.273681] ==================================================================
[   23.273683] Disabling lock debugging due to kernel taint
[   23.273687] Kernel panic - not syncing: panic_on_warn set ...
[   23.273687] 
[   23.273697] CPU: 1 PID: 3146 Comm: syzkaller699699 Tainted: G    B            4.15.0-rc4-next-20171221+ #78
[   23.273701] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   23.273702] Call Trace:
[   23.273710]  dump_stack+0x194/0x257
[   23.273719]  ? arch_local_irq_restore+0x53/0x53
[   23.273725]  ? kasan_end_report+0x32/0x50
[   23.273731]  ? lock_downgrade+0x980/0x980
[   23.273738]  ? vsnprintf+0x1ed/0x1900
[   23.273745]  ? __lock_acquire+0x3d30/0x3e00
[   23.273751]  panic+0x1e4/0x41c
[   23.273757]  ? refcount_error_report+0x214/0x214
[   23.273764]  ? add_taint+0x40/0x50
[   23.273769]  ? add_taint+0x1c/0x50
[   23.273775]  ? __lock_acquire+0x3d4d/0x3e00
[   23.273784]  kasan_end_report+0x50/0x50
[   23.273789]  kasan_report+0x144/0x340
[   23.273798]  __asan_report_load8_noabort+0x14/0x20
[   23.273806]  __lock_acquire+0x3d4d/0x3e00
[   23.273812]  ? __lock_acquire+0x664/0x3e00
[   23.273817]  ? lock_downgrade+0x980/0x980
[   23.273821]  ? lock_downgrade+0x980/0x980
[   23.273829]  ? remove_wait_queue+0x81/0x350
[   23.273841]  ? debug_check_no_locks_freed+0x3c0/0x3c0
[   23.273847]  ? __lock_acquire+0x664/0x3e00
[   23.273852]  ? check_noncircular+0x20/0x20
[   23.273864]  ? debug_check_no_locks_freed+0x3c0/0x3c0
[   23.273871]  ? lock_acquire+0x1d5/0x580
[   23.273876]  ? lock_acquire+0x1d5/0x580
[   23.273881]  ? ep_free+0xf4/0x320
[   23.273889]  ? lock_release+0xa40/0xa40
[   23.273897]  ? trace_event_raw_event_sched_switch+0x800/0x800
[   23.273903]  ? print_irqtrace_events+0x270/0x270
[   23.273911]  ? rcu_note_context_switch+0x710/0x710
[   23.273919]  ? __might_sleep+0x95/0x190
[   23.273924]  ? ep_free+0xf4/0x320
[   23.273931]  ? __mutex_lock+0x16f/0x1a80
[   23.273938]  ? ep_free+0xf4/0x320
[   23.273945]  ? print_irqtrace_events+0x270/0x270
[   23.273949]  ? ep_free+0xf4/0x320
[   23.273956]  lock_acquire+0x1d5/0x580
[   23.273961]  ? lock_acquire+0x1d5/0x580
[   23.273967]  ? remove_wait_queue+0x81/0x350
[   23.273973]  ? __lock_acquire+0x664/0x3e00
[   23.273980]  ? lock_release+0xa40/0xa40
[   23.273988]  ? lock_acquire+0x1d5/0x580
[   23.273993]  ? lock_acquire+0x1d5/0x580
[   23.273999]  ? ep_unregister_pollwait.isra.7+0x323/0x590
[   23.274009]  _raw_spin_lock_irqsave+0x96/0xc0
[   23.274015]  ? remove_wait_queue+0x81/0x350
[   23.274020]  remove_wait_queue+0x81/0x350
[   23.274028]  ? add_wait_queue+0x290/0x290
[   23.274034]  ? rcutorture_record_progress+0x10/0x10
[   23.274043]  ep_unregister_pollwait.isra.7+0x18c/0x590
[   23.274051]  ? __kernel_text_address+0xd/0x40
[   23.274059]  ? clear_tfile_check_list+0x370/0x370
[   23.274066]  ? check_noncircular+0x20/0x20
[   23.274075]  ? locks_remove_file+0x3fa/0x5a0
[   23.274083]  ep_free+0x13f/0x320
[   23.274091]  ? ep_remove+0x800/0x800
[   23.274097]  ? fsnotify_first_mark+0x2b0/0x2b0
[   23.274105]  ? ep_free+0x320/0x320
[   23.274111]  ep_eventpoll_release+0x44/0x60
[   23.274117]  __fput+0x327/0x7e0
[   23.274126]  ? fput+0x140/0x140
[   23.274132]  ? _raw_spin_unlock_irq+0x27/0x70
[   23.274140]  ____fput+0x15/0x20
[   23.274152]  task_work_run+0x199/0x270
[   23.274159]  ? task_work_cancel+0x210/0x210
[   23.274164]  ? _raw_spin_unlock+0x22/0x30
[   23.274171]  ? switch_task_namespaces+0x87/0xc0
[   23.274177]  do_exit+0x9bb/0x1ad0
[   23.274184]  ? binder_ioctl+0x491/0x1417
[   23.274190]  ? mm_update_next_owner+0x930/0x930
[   23.274197]  ? binder_ioctl_write_read.isra.38+0xcb0/0xcb0
[   23.274205]  ? avc_ss_reset+0x110/0x110
[   23.274211]  ? mutex_unlock+0xd/0x10
[   23.274217]  ? SyS_epoll_ctl+0x30a/0x1a80
[   23.274239]  ? trace_event_raw_event_sched_switch+0x800/0x800
[   23.274244]  ? up_read+0x1a/0x40
[   23.274250]  ? rcu_note_context_switch+0x710/0x710
[   23.274256]  ? __fd_install+0x288/0x740
[   23.274264]  ? binder_ioctl_write_read.isra.38+0xcb0/0xcb0
[   23.274269]  ? do_vfs_ioctl+0x486/0x1520
[   23.274274]  ? _cond_resched+0x14/0x30
[   23.274281]  ? ioctl_preallocate+0x2b0/0x2b0
[   23.274288]  ? selinux_capable+0x40/0x40
[   23.274294]  ? __alloc_fd+0x750/0x750
[   23.274302]  do_group_exit+0x149/0x400
[   23.274309]  ? SyS_exit+0x30/0x30
[   23.274315]  ? trace_hardirqs_on_caller+0x421/0x5c0
[   23.274325]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[   23.274332]  SyS_exit_group+0x1d/0x20
[   23.274338]  entry_SYSCALL_64_fastpath+0x1f/0x96
[   23.274342] RIP: 0033:0x4429f8
[   23.274345] RSP: 002b:00007ffd153c88e8 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
[   23.274351] RAX: ffffffffffffffda RBX: 00000000004002e0 RCX: 00000000004429f8
[   23.274354] RDX: 0000000000000000 RSI: 000000000000003c RDI: 0000000000000000
[   23.274358] RBP: 00000000006ce018 R08: 00000000000000e7 R09: ffffffffffffffd0
[   23.274361] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000401a40
[   23.274364] R13: 0000000000401ad0 R14: 0000000000000000 R15: 0000000000000000
[   23.291241] Dumping ftrace buffer:
[   23.291249]    (ftrace buffer empty)
[   23.291251] Kernel Offset: disabled
[   24.425440] Rebooting in 86400 seconds..