[....] Starting enhanced syslogd: rsyslogd
[   16.706566] audit: type=1400 audit(1520582807.925:5): avc: denied { syslog } for pid=3998 comm="rsyslogd" capability=34 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=capability2 permissive=1
[ ok ]
[ ok ] Starting periodic command scheduler: cron.
Starting mcstransd:
[ ok ] Starting file context maintaining daemon: restorecond.
[ ok ] Starting OpenBSD Secure Shell server: sshd.

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [   23.475631] audit: type=1400 audit(1520582814.694:6): avc: denied { map } for pid=4140 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
Warning: Permanently added '10.128.0.34' (ECDSA) to the list of known hosts.
[   29.870049] audit: type=1400 audit(1520582821.088:7): avc: denied { map } for pid=4154 comm="syzkaller914861" path="/root/syzkaller914861517" dev="sda1" ino=16481 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
[   29.880873] IPVS: ftp: loaded support on port[0] = 21
executing program
[   29.923702] IPVS: ftp: loaded support on port[0] = 21
executing program
[   29.948966] IPVS: ftp: loaded support on port[0] = 21
executing program
[   29.976527] IPVS: ftp: loaded support on port[0] = 21
executing program
executing program
executing program
executing program
[   30.020642] IPVS: ftp: loaded support on port[0] = 21
executing program
[   30.058880] IPVS: ftp: loaded support on port[0] = 21
executing program
[   30.085283] IPVS: ftp: loaded support on port[0] = 21
executing program
executing program
executing program
[   30.116446] IPVS: ftp: loaded support on port[0] = 21
[   30.128853] ==================================================================
[   30.136297] BUG: KASAN: use-after-free in sctp_association_free+0x7b7/0x930
[   30.143369] Read of size 8 at addr ffff8801d8006ae0 by task syzkaller914861/4202
[   30.150880] 
[   30.152482] CPU: 1 PID: 4202 Comm: syzkaller914861 Not tainted 4.16.0-rc4+ #258
executing program
executing program
executing program
[   30.159898] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   30.169225] Call Trace:
[   30.171796]  dump_stack+0x194/0x24d
[   30.175403]  ? arch_local_irq_restore+0x53/0x53
[   30.180048]  ? show_regs_print_info+0x18/0x18
[   30.184522]  ? sctp_association_free+0x7b7/0x930
[   30.189260]  print_address_description+0x73/0x250
[   30.194077]  ? sctp_association_free+0x7b7/0x930
[   30.198806]  kasan_report+0x23c/0x360
[   30.202585]  __asan_report_load8_noabort+0x14/0x20
[   30.207489]  sctp_association_free+0x7b7/0x930
[   30.212050]  ? sctp_asconf_queue_teardown+0x700/0x700
executing program
[   30.217211]  ? sctp_transport_lookup_process+0x180/0x180
[   30.222640]  ? lock_release+0xa40/0xa40
[   30.226604]  ? do_raw_spin_trylock+0x190/0x190
[   30.231164]  ? __local_bh_enable_ip+0x121/0x230
[   30.235810]  ? prepare_to_wait+0x4d0/0x4d0
[   30.240019]  ? trace_hardirqs_on+0xd/0x10
[   30.244142]  ? sctp_sendmsg_update_sinfo+0x118/0x3d0
[   30.249221]  sctp_sendmsg+0xc67/0x1a80
[   30.253093]  ? sctp_id2assoc+0x390/0x390
[   30.257145]  ? check_same_owner+0x320/0x320
[   30.261450]  ? __check_object_size+0x8b/0x530
executing program
executing program
[   30.265925]  inet_sendmsg+0x11f/0x5e0
[   30.269699]  ? __might_sleep+0x95/0x190
[   30.273651]  ? inet_create+0xf50/0xf50
[   30.277520]  ? selinux_socket_sendmsg+0x36/0x40
[   30.282176]  ? security_socket_sendmsg+0x89/0xb0
[   30.286914]  ? inet_create+0xf50/0xf50
[   30.290780]  sock_sendmsg+0xca/0x110
[   30.294476]  SYSC_sendto+0x361/0x5c0
[   30.298171]  ? SYSC_connect+0x4a0/0x4a0
[   30.302126]  ? __do_page_fault+0x5f7/0xc90
[   30.306336]  ? lock_downgrade+0x980/0x980
[   30.310463]  ? handle_mm_fault+0x465/0xb10
executing program
[   30.314669]  ? check_same_owner+0x320/0x320
[   30.318979]  ? __do_page_fault+0x3d6/0xc90
[   30.323194]  ? mm_fault_error+0x2c0/0x2c0
[   30.327317]  ? trace_event_raw_event_sys_exit+0x260/0x260
[   30.332832]  SyS_sendto+0x40/0x50
[   30.336267]  ? SyS_getpeername+0x30/0x30
[   30.340310]  do_syscall_64+0x281/0x940
[   30.344174]  ? __do_page_fault+0xc90/0xc90
[   30.348383]  ? _raw_spin_unlock_irq+0x27/0x70
[   30.352859]  ? finish_task_switch+0x1c1/0x7e0
[   30.357330]  ? syscall_return_slowpath+0x550/0x550
[   30.362236]  ? syscall_return_slowpath+0x2ac/0x550
[   30.367144]  ? prepare_exit_to_usermode+0x350/0x350
[   30.372137]  ? retint_user+0x18/0x18
[   30.375834]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   30.380660]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[   30.385827] RIP: 0033:0x446d09
[   30.388992] RSP: 002b:00007f5dbac21da8 EFLAGS: 00000216 ORIG_RAX: 000000000000002c
[   30.396676] RAX: ffffffffffffffda RBX: 00000000006e29fc RCX: 0000000000446d09
[   30.403922] RDX: 0000000000000001 RSI: 0000000020000340 RDI: 0000000000000003
[   30.411167] RBP: 00000000006e29f8 R08: 00000000204d9000 R09: 000000000000001c
[   30.418408] R10: 0000000000000000 R11: 0000000000000216 R12: 0000000000000000
[   30.425652] R13: 00007fff7b26fb1f R14: 00007f5dbac229c0 R15: 00000000006e2b60
[   30.432922] 
[   30.434525] Allocated by task 4202:
[   30.438132]  save_stack+0x43/0xd0
[   30.441569]  kasan_kmalloc+0xad/0xe0
[   30.445260]  kmem_cache_alloc_trace+0x136/0x740
[   30.449903]  sctp_association_new+0x114/0x2130
[   30.454457]  sctp_sendmsg_new_asoc+0x2e6/0x1000
[   30.459114]  sctp_sendmsg+0x1450/0x1a80
[   30.463066]  inet_sendmsg+0x11f/0x5e0
[   30.466842]  sock_sendmsg+0xca/0x110
[   30.470528]  SYSC_sendto+0x361/0x5c0
[   30.474214]  SyS_sendto+0x40/0x50
[   30.477640]  do_syscall_64+0x281/0x940
[   30.481501]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[   30.486659] 
[   30.488261] Freed by task 4202:
[   30.491511]  save_stack+0x43/0xd0
[   30.494934]  __kasan_slab_free+0x11a/0x170
[   30.499138]  kasan_slab_free+0xe/0x10
[   30.502920]  kfree+0xd9/0x260
[   30.506001]  sctp_association_put+0x21c/0x2f0
[   30.510470]  sctp_sendmsg_to_asoc+0x1693/0x1e80
[   30.515123]  sctp_sendmsg+0xc3e/0x1a80
[   30.518988]  inet_sendmsg+0x11f/0x5e0
[   30.522762]  sock_sendmsg+0xca/0x110
[   30.526448]  SYSC_sendto+0x361/0x5c0
[   30.530134]  SyS_sendto+0x40/0x50
[   30.533562]  do_syscall_64+0x281/0x940
[   30.537445]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[   30.542603] 
[   30.544209] The buggy address belongs to the object at ffff8801d8006ac0
[   30.544209]  which belongs to the cache kmalloc-4096 of size 4096
[   30.557012] The buggy address is located 32 bytes inside of
[   30.557012]  4096-byte region [ffff8801d8006ac0, ffff8801d8007ac0)
[   30.568859] The buggy address belongs to the page:
[   30.573761] page:ffffea0007600180 count:1 mapcount:0 mapping:ffff8801d8006ac0 index:0x0 compound_mapcount: 0
[   30.583711] flags: 0x2fffc0000008100(slab|head)
[   30.588354] raw: 02fffc0000008100 ffff8801d8006ac0 0000000000000000 0000000100000001
[   30.596216] raw: ffffea0007600120 ffffea0007606c20 ffff8801dac00dc0 0000000000000000
[   30.604072] page dumped because: kasan: bad access detected
[   30.609765] 
[   30.611368] Memory state around the buggy address:
[   30.616271]  ffff8801d8006980: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   30.623601]  ffff8801d8006a00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   30.630933] >ffff8801d8006a80: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
[   30.638269]                                                        ^
[   30.644731]  ffff8801d8006b00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   30.652065]  ffff8801d8006b80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   30.659398] ==================================================================
[   30.666728] Disabling lock debugging due to kernel taint
[   30.672276] Kernel panic - not syncing: panic_on_warn set ...
[   30.672276] 
[   30.679621] CPU: 1 PID: 4202 Comm: syzkaller914861 Tainted: G    B            4.16.0-rc4+ #258
[   30.688347] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   30.697672] Call Trace:
[   30.700237]  dump_stack+0x194/0x24d
[   30.703842]  ? arch_local_irq_restore+0x53/0x53
[   30.708489]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[   30.713220]  ? vsnprintf+0x1ed/0x1900
[   30.717000]  ? sctp_association_free+0x760/0x930
[   30.721757]  panic+0x1e4/0x41c
[   30.724926]  ? refcount_error_report+0x214/0x214
[   30.729666]  ? add_taint+0x1c/0x50
[   30.733177]  ? add_taint+0x1c/0x50
[   30.736695]  ? sctp_association_free+0x7b7/0x930
[   30.741425]  kasan_end_report+0x50/0x50
[   30.745371]  kasan_report+0x149/0x360
[   30.749151]  __asan_report_load8_noabort+0x14/0x20
[   30.754057]  sctp_association_free+0x7b7/0x930
[   30.758612]  ? sctp_asconf_queue_teardown+0x700/0x700
[   30.763774]  ? sctp_transport_lookup_process+0x180/0x180
[   30.769202]  ? lock_release+0xa40/0xa40
[   30.773151]  ? do_raw_spin_trylock+0x190/0x190
[   30.777710]  ? __local_bh_enable_ip+0x121/0x230
[   30.782352]  ? prepare_to_wait+0x4d0/0x4d0
[   30.786558]  ? trace_hardirqs_on+0xd/0x10
[   30.790683]  ? sctp_sendmsg_update_sinfo+0x118/0x3d0
[   30.795756]  sctp_sendmsg+0xc67/0x1a80
[   30.799620]  ? sctp_id2assoc+0x390/0x390
[   30.803670]  ? check_same_owner+0x320/0x320
[   30.807980]  ? __check_object_size+0x8b/0x530
[   30.812540]  inet_sendmsg+0x11f/0x5e0
[   30.816312]  ? __might_sleep+0x95/0x190
[   30.820267]  ? inet_create+0xf50/0xf50
[   30.824131]  ? selinux_socket_sendmsg+0x36/0x40
[   30.828772]  ? security_socket_sendmsg+0x89/0xb0
[   30.833504]  ? inet_create+0xf50/0xf50
[   30.837369]  sock_sendmsg+0xca/0x110
[   30.841057]  SYSC_sendto+0x361/0x5c0
[   30.844763]  ? SYSC_connect+0x4a0/0x4a0
[   30.848714]  ? __do_page_fault+0x5f7/0xc90
[   30.852923]  ? lock_downgrade+0x980/0x980
[   30.857050]  ? handle_mm_fault+0x465/0xb10
[   30.861263]  ? check_same_owner+0x320/0x320
[   30.865564]  ? __do_page_fault+0x3d6/0xc90
[   30.869776]  ? mm_fault_error+0x2c0/0x2c0
[   30.873909]  ? trace_event_raw_event_sys_exit+0x260/0x260
[   30.879421]  SyS_sendto+0x40/0x50
[   30.882847]  ? SyS_getpeername+0x30/0x30
[   30.886881]  do_syscall_64+0x281/0x940
[   30.890739]  ? __do_page_fault+0xc90/0xc90
[   30.894945]  ? _raw_spin_unlock_irq+0x27/0x70
[   30.899409]  ? finish_task_switch+0x1c1/0x7e0
[   30.903886]  ? syscall_return_slowpath+0x550/0x550
[   30.908788]  ? syscall_return_slowpath+0x2ac/0x550
[   30.913689]  ? prepare_exit_to_usermode+0x350/0x350
[   30.918676]  ? retint_user+0x18/0x18
[   30.922361]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   30.927191]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[   30.932350] RIP: 0033:0x446d09
[   30.935510] RSP: 002b:00007f5dbac21da8 EFLAGS: 00000216 ORIG_RAX: 000000000000002c
[   30.943190] RAX: ffffffffffffffda RBX: 00000000006e29fc RCX: 0000000000446d09
[   30.950431] RDX: 0000000000000001 RSI: 0000000020000340 RDI: 0000000000000003
[   30.957675] RBP: 00000000006e29f8 R08: 00000000204d9000 R09: 000000000000001c
[   30.964918] R10: 0000000000000000 R11: 0000000000000216 R12: 0000000000000000
[   30.972162] R13: 00007fff7b26fb1f R14: 00007f5dbac229c0 R15: 00000000006e2b60
[   30.979805] Dumping ftrace buffer:
[   30.983315]    (ftrace buffer empty)
[   30.986999] Kernel Offset: disabled
[   30.990602] Rebooting in 86400 seconds..