[ ok ] Starting enhanced syslogd: rsyslogd.
[   12.912564] audit: type=1400 audit(1515747295.984:4): avc:  denied  { syslog } for  pid=3166 comm="rsyslogd" capability=34  scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=capability2 permissive=1
[ ok ] Starting periodic command scheduler: cron.
Starting mcstransd:
[ ok ] Starting file context maintaining daemon: restorecond.
[ ok ] Starting OpenBSD Secure Shell server: sshd.

Debian GNU/Linux 7 syzkaller ttyS0

Warning: Permanently added '10.128.0.57' (ECDSA) to the list of known hosts.
executing program
syzkaller login: [   24.383512] ==================================================================
[   24.390912] BUG: KASAN: use-after-free in __lock_acquire+0x2eff/0x3640
[   24.397543] Read of size 8 at addr ffff8801ccbd8fb8 by task syzkaller852183/3323
[   24.405035]
[   24.406628] CPU: 1 PID: 3323 Comm: syzkaller852183 Not tainted 4.9.76-g9154940 #20
[   24.414295] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   24.423613]  ffff8801c8157870 ffffffff81d93149 ffffea000732f600 ffff8801ccbd8fb8
[   24.431561]  0000000000000000 ffff8801ccbd8fb8 ffff8801ccbd8fb8 ffff8801c81578a8
[   24.439511]  ffffffff8153cb43 ffff8801ccbd8fb8 0000000000000008 0000000000000000
[   24.447454] Call Trace:
[   24.450012]  [] dump_stack+0xc1/0x128
[   24.455342]  [] print_address_description+0x73/0x280
[   24.461970]  [] kasan_report+0x275/0x360
[   24.467557]  [] ? __lock_acquire+0x2eff/0x3640
[   24.473667]  [] __asan_report_load8_noabort+0x14/0x20
[   24.480385]  [] __lock_acquire+0x2eff/0x3640
[   24.486318]  [] ? __lock_acquire+0x629/0x3640
[   24.492341]  [] ? debug_check_no_locks_freed+0x2c0/0x2c0
[   24.499324]  [] ? debug_check_no_locks_freed+0x2c0/0x2c0
[   24.506299]  [] ? debug_check_no_locks_freed+0x2c0/0x2c0
[   24.513276]  [] ? mark_held_locks+0xaf/0x100
[   24.519214]  [] ? mutex_lock_nested+0x5e3/0x870
[   24.525409]  [] lock_acquire+0x12e/0x410
[   24.530996]  [] ? remove_wait_queue+0x14/0x40
[   24.537017]  [] _raw_spin_lock_irqsave+0x4e/0x70
[   24.543299]  [] ? remove_wait_queue+0x14/0x40
[   24.549327]  [] remove_wait_queue+0x14/0x40
[   24.555178]  [] ep_unregister_pollwait.isra.6+0xaf/0x240
[   24.562156]  [] ? ep_unregister_pollwait.isra.6+0x12a/0x240
[   24.569394]  [] ? ep_free+0x1b0/0x1b0
[   24.574721]  [] ep_free+0x96/0x1b0
[   24.579786]  [] ? ep_free+0x1b0/0x1b0
[   24.585111]  [] ep_eventpoll_release+0x44/0x60
[   24.591220]  [] __fput+0x28c/0x6e0
[   24.596284]  [] ____fput+0x15/0x20
[   24.601350]  [] task_work_run+0x115/0x190
[   24.607025]  [] do_exit+0x7e7/0x2a40
[   24.612264]  [] ? __pmd_alloc+0x410/0x410
[   24.617939]  [] ? release_task+0x1240/0x1240
[   24.623875]  [] ? __do_page_fault+0x5ec/0xd40
[   24.629912]  [] ? up_read+0x1a/0x40
[   24.635063]  [] ? __do_page_fault+0x3bd/0xd40
[   24.641086]  [] do_group_exit+0x108/0x320
[   24.646758]  [] ? do_group_exit+0x320/0x320
[   24.652604]  [] SyS_exit_group+0x1d/0x20
[   24.658193]  [] do_fast_syscall_32+0x2f7/0x890
[   24.664299]  [] ? trace_hardirqs_off_thunk+0x1a/0x1c
[   24.670929]  [] entry_SYSENTER_compat+0x74/0x83
[   24.677121]
[   24.678713] Allocated by task 3323:
[   24.682304]  save_stack_trace+0x16/0x20
[   24.686245]  save_stack+0x43/0xd0
[   24.689663]  kasan_kmalloc+0xad/0xe0
[   24.693344]  kmem_cache_alloc_trace+0xfb/0x2a0
[   24.697889]  binder_get_thread+0x15d/0x750
[   24.702083]  binder_poll+0x4a/0x210
[   24.705676]  SyS_epoll_ctl+0x11d7/0x2190
[   24.709705]  do_fast_syscall_32+0x2f7/0x890
[   24.713989]  entry_SYSENTER_compat+0x74/0x83
[   24.718358]
[   24.719948] Freed by task 3323:
[   24.723190]  save_stack_trace+0x16/0x20
[   24.727127]  save_stack+0x43/0xd0
[   24.730544]  kasan_slab_free+0x72/0xc0
[   24.734391]  kfree+0x103/0x300
[   24.737546]  binder_thread_dec_tmpref+0x1cc/0x240
[   24.742353]  binder_thread_release+0x27d/0x540
[   24.746895]  binder_ioctl+0x9c0/0x11b0
[   24.750746]  compat_SyS_ioctl+0x15f/0x2050
[   24.754942]  do_fast_syscall_32+0x2f7/0x890
[   24.759573]  entry_SYSENTER_compat+0x74/0x83
[   24.763938]
[   24.765532] The buggy address belongs to the object at ffff8801ccbd8f00
[   24.765532]  which belongs to the cache kmalloc-512 of size 512
[   24.778151] The buggy address is located 184 bytes inside of
[   24.778151]  512-byte region [ffff8801ccbd8f00, ffff8801ccbd9100)
[   24.789986] The buggy address belongs to the page:
[   24.794884] page:ffffea000732f600 count:1 mapcount:0 mapping:          (null) index:0x0 compound_mapcount: 0
[   24.805041] flags: 0x8000000000004080(slab|head)
[   24.809758] page dumped because: kasan: bad access detected
[   24.815429]
[   24.817019] Memory state around the buggy address:
[   24.821910]  ffff8801ccbd8e80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   24.829238]  ffff8801ccbd8f00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   24.836558] >ffff8801ccbd8f80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   24.843878]                                         ^
[   24.849029]  ffff8801ccbd9000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   24.856354]  ffff8801ccbd9080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   24.863677] ==================================================================
[   24.870995] Disabling lock debugging due to kernel taint
[   24.876408] Kernel panic - not syncing: panic_on_warn set ...
[   24.876408]
[   24.883821] CPU: 1 PID: 3323 Comm: syzkaller852183 Tainted: G    B           4.9.76-g9154940 #20
[   24.892706] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   24.902027]  ffff8801c81577c8 ffffffff81d93149 ffffffff84195c17 ffff8801c81578a0
[   24.909970]  0000000000000000 ffff8801ccbd8fb8 ffff8801ccbd8fb8 ffff8801c8157890
[   24.917917]  ffffffff8142e371 0000000041b58ab3 ffffffff84189678 ffffffff8142e1b5
[   24.925857] Call Trace:
[   24.928410]  [] dump_stack+0xc1/0x128
[   24.933738]  [] panic+0x1bc/0x3a8
[   24.938718]  [] ? percpu_up_read_preempt_enable.constprop.53+0xd7/0xd7
[   24.946909]  [] ? add_taint+0x40/0x50
[   24.952239]  [] kasan_end_report+0x50/0x50
[   24.958001]  [] kasan_report+0x167/0x360
[   24.963590]  [] ? __lock_acquire+0x2eff/0x3640
[   24.969704]  [] __asan_report_load8_noabort+0x14/0x20
[   24.976436]  [] __lock_acquire+0x2eff/0x3640
[   24.982374]  [] ? __lock_acquire+0x629/0x3640
[   24.988398]  [] ? debug_check_no_locks_freed+0x2c0/0x2c0
[   24.995375]  [] ? debug_check_no_locks_freed+0x2c0/0x2c0
[   25.002353]  [] ? debug_check_no_locks_freed+0x2c0/0x2c0
[   25.009330]  [] ? mark_held_locks+0xaf/0x100
[   25.015266]  [] ? mutex_lock_nested+0x5e3/0x870
[   25.021461]  [] lock_acquire+0x12e/0x410
[   25.027054]  [] ? remove_wait_queue+0x14/0x40
[   25.033076]  [] _raw_spin_lock_irqsave+0x4e/0x70
[   25.039358]  [] ? remove_wait_queue+0x14/0x40
[   25.045380]  [] remove_wait_queue+0x14/0x40
[   25.051230]  [] ep_unregister_pollwait.isra.6+0xaf/0x240
[   25.058207]  [] ? ep_unregister_pollwait.isra.6+0x12a/0x240
[   25.065444]  [] ? ep_free+0x1b0/0x1b0
[   25.070772]  [] ep_free+0x96/0x1b0
[   25.075853]  [] ? ep_free+0x1b0/0x1b0
[   25.081181]  [] ep_eventpoll_release+0x44/0x60
[   25.087292]  [] __fput+0x28c/0x6e0
[   25.092360]  [] ____fput+0x15/0x20
[   25.097538]  [] task_work_run+0x115/0x190
[   25.103214]  [] do_exit+0x7e7/0x2a40
[   25.108455]  [] ? __pmd_alloc+0x410/0x410
[   25.114128]  [] ? release_task+0x1240/0x1240
[   25.120062]  [] ? __do_page_fault+0x5ec/0xd40
[   25.126082]  [] ? up_read+0x1a/0x40
[   25.131239]  [] ? __do_page_fault+0x3bd/0xd40
[   25.137258]  [] do_group_exit+0x108/0x320
[   25.142934]  [] ? do_group_exit+0x320/0x320
[   25.148797]  [] SyS_exit_group+0x1d/0x20
[   25.154385]  [] do_fast_syscall_32+0x2f7/0x890
[   25.160507]  [] ? trace_hardirqs_off_thunk+0x1a/0x1c
[   25.167139]  [] entry_SYSENTER_compat+0x74/0x83
[   25.173805] Dumping ftrace buffer:
[   25.177310]    (ftrace buffer empty)
[   25.180984] Kernel Offset: disabled
[   25.184575] Rebooting in 86400 seconds..