[ ok ] Starting enhanced syslogd: rsyslogd.
[   11.432260] audit: type=1400 audit(1513691354.920:4): avc:  denied  { syslog } for  pid=3167 comm="rsyslogd" capability=34  scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=capability2 permissive=1
[ ok ] Starting periodic command scheduler: cron.
Starting mcstransd:
[ ok ] Starting file context maintaining daemon: restorecond.
[ ok ] Starting OpenBSD Secure Shell server: sshd.

Debian GNU/Linux 7 syzkaller ttyS0

Warning: Permanently added 'ci-android-49-kasan-gce-8,10.128.0.2' (ECDSA) to the list of known hosts.
executing program
syzkaller login:
[   20.745677] ==================================================================
[   20.746788] BUG: KASAN: use-after-free in __lock_acquire+0x2eff/0x3640 at addr ffff8801c3261238
[   20.747943] Read of size 8 by task syzkaller016943/3320
[   20.748650] CPU: 0 PID: 3320 Comm: syzkaller016943 Not tainted 4.9.70-g9542d2a #109
[   20.749666] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   20.750913]  ffff8801c2d478b0 ffffffff81d90a29 ffff8801da001280 ffff8801c3261180
[   20.752064]  ffff8801c3261380 ffffed003864c247 ffff8801c3261238 ffff8801c2d478d8
[   20.753264]  ffffffff8153a45c ffffed003864c247 ffff8801da001280 0000000000000000
[   20.754389] Call Trace:
[   20.754744]  [] dump_stack+0xc1/0x128
[   20.755465]  [] kasan_object_err+0x1c/0x70
[   20.756228]  [] kasan_report.part.1+0x21c/0x500
[   20.757080]  [] ? __lock_acquire+0x2eff/0x3640
[   20.757887]  [] __asan_report_load8_noabort+0x29/0x30
[   20.758772]  [] __lock_acquire+0x2eff/0x3640
[   20.759558]  [] ? __lock_acquire+0x629/0x3640
[   20.760356]  [] ? debug_check_no_locks_freed+0x2c0/0x2c0
[   20.761274]  [] ? debug_check_no_locks_freed+0x2c0/0x2c0
[   20.762209]  [] ? debug_check_no_locks_freed+0x2c0/0x2c0
[   20.763127]  [] ? mark_held_locks+0xaf/0x100
[   20.763946]  [] ? mutex_lock_nested+0x5e3/0x870
[   20.764786]  [] lock_acquire+0x12e/0x410
[   20.765544]  [] ? remove_wait_queue+0x14/0x40
[   20.766342]  [] _raw_spin_lock_irqsave+0x4e/0x70
[   20.772624]  [] ? remove_wait_queue+0x14/0x40
[   20.778654]  [] remove_wait_queue+0x14/0x40
[   20.784504]  [] ep_unregister_pollwait.isra.6+0xaf/0x240
[   20.791483]  [] ? ep_unregister_pollwait.isra.6+0x12a/0x240
[   20.798720]  [] ? ep_free+0x1b0/0x1b0
[   20.804045]  [] ep_free+0x96/0x1b0
[   20.809110]  [] ? ep_free+0x1b0/0x1b0
[   20.814435]  [] ep_eventpoll_release+0x44/0x60
[   20.820556]  [] __fput+0x28c/0x6e0
[   20.825623]  [] ____fput+0x15/0x20
[   20.830690]  [] task_work_run+0x115/0x190
[   20.836364]  [] do_exit+0x7e7/0x2a40
[   20.841605]  [] ? selinux_file_ioctl+0x355/0x530
[   20.847884]  [] ? release_task+0x1240/0x1240
[   20.853819]  [] ? SyS_epoll_create+0x190/0x190
[   20.859933]  [] ? entry_SYSCALL_64_fastpath+0x5/0xc6
[   20.866560]  [] do_group_exit+0x108/0x320
[   20.872235]  [] SyS_exit_group+0x1d/0x20
[   20.877829]  [] entry_SYSCALL_64_fastpath+0x23/0xc6
[   20.884371] Object at ffff8801c3261180, in cache kmalloc-512 size: 512
[   20.890998] Allocated:
[   20.893456] PID = 3320
[   20.895918]  save_stack_trace+0x16/0x20
[   20.899860]  save_stack+0x43/0xd0
[   20.903273]  kasan_kmalloc+0xad/0xe0
[   20.906950]  kmem_cache_alloc_trace+0xfb/0x2a0
[   20.911494]  binder_get_thread+0x15d/0x750
[   20.915692]  binder_poll+0x4a/0x210
[   20.919281]  SyS_epoll_ctl+0x11d7/0x2190
[   20.923305]  entry_SYSCALL_64_fastpath+0x23/0xc6
[   20.928018] Freed:
[   20.930128] PID = 3320
[   20.932591]  save_stack_trace+0x16/0x20
[   20.936528]  save_stack+0x43/0xd0
[   20.939943]  kasan_slab_free+0x73/0xc0
[   20.943791]  kfree+0xf0/0x2f0
[   20.946857]  binder_thread_dec_tmpref+0x1cc/0x240
[   20.951661]  binder_thread_release+0x27d/0x540
[   20.956205]  binder_ioctl+0x9c0/0x11b0
[   20.960053]  do_vfs_ioctl+0x1aa/0x1140
[   20.963904]  SyS_ioctl+0x8f/0xc0
[   20.967232]  entry_SYSCALL_64_fastpath+0x23/0xc6
[   20.971946] Memory state around the buggy address:
[   20.976837]  ffff8801c3261100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   20.984158]  ffff8801c3261180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   20.991485] >ffff8801c3261200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   20.998804]                                         ^
[   21.003954]  ffff8801c3261280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   21.011275]  ffff8801c3261300: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   21.018596] ==================================================================
[   21.025920] Disabling lock debugging due to kernel taint
[   21.031330] ==================================================================
[   21.038656] BUG: KASAN: use-after-free in __lock_acquire+0x2c56/0x3640 at addr ffff8801c3261240
[   21.047455] Read of size 8 by task syzkaller016943/3320
[   21.052784] CPU: 0 PID: 3320 Comm: syzkaller016943 Tainted: G    B           4.9.70-g9542d2a #109
[   21.061756] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   21.071084]  ffff8801c2d478b0 ffffffff81d90a29 ffff8801da001280 ffff8801c3261180
[   21.079053]  ffff8801c3261380 ffffed003864c248 ffff8801c3261240 ffff8801c2d478d8
[   21.087012]  ffffffff8153a45c ffffed003864c248 ffff8801da001280 0000000000000000
[   21.094967] Call Trace:
[   21.097525]  [] dump_stack+0xc1/0x128
[   21.102869]  [] kasan_object_err+0x1c/0x70
[   21.108634]  [] kasan_report.part.1+0x21c/0x500
[   21.114835]  [] ? __lock_acquire+0x2c56/0x3640
[   21.120947]  [] __asan_report_load8_noabort+0x29/0x30
[   21.127677]  [] __lock_acquire+0x2c56/0x3640
[   21.133622]  [] ? __lock_acquire+0x629/0x3640
[   21.139644]  [] ? debug_check_no_locks_freed+0x2c0/0x2c0
[   21.146622]  [] ? debug_check_no_locks_freed+0x2c0/0x2c0
[   21.153601]  [] ? debug_check_no_locks_freed+0x2c0/0x2c0
[   21.160577]  [] ? mark_held_locks+0xaf/0x100
[   21.166515]  [] ? mutex_lock_nested+0x5e3/0x870
[   21.172716]  [] lock_acquire+0x12e/0x410
[   21.178305]  [] ? remove_wait_queue+0x14/0x40
[   21.184342]  [] _raw_spin_lock_irqsave+0x4e/0x70
[   21.190640]  [] ? remove_wait_queue+0x14/0x40
[   21.196679]  [] remove_wait_queue+0x14/0x40
[   21.202528]  [] ep_unregister_pollwait.isra.6+0xaf/0x240
[   21.209505]  [] ? ep_unregister_pollwait.isra.6+0x12a/0x240
[   21.216742]  [] ? ep_free+0x1b0/0x1b0
[   21.222068]  [] ep_free+0x96/0x1b0
[   21.227133]  [] ? ep_free+0x1b0/0x1b0
[   21.232459]  [] ep_eventpoll_release+0x44/0x60
[   21.238568]  [] __fput+0x28c/0x6e0
[   21.243632]  [] ____fput+0x15/0x20
[   21.248697]  [] task_work_run+0x115/0x190
[   21.254371]  [] do_exit+0x7e7/0x2a40
[   21.259613]  [] ? selinux_file_ioctl+0x355/0x530
[   21.265894]  [] ? release_task+0x1240/0x1240
[   21.271838]  [] ? SyS_epoll_create+0x190/0x190
[   21.277953]  [] ? entry_SYSCALL_64_fastpath+0x5/0xc6
[   21.284583]  [] do_group_exit+0x108/0x320
[   21.290257]  [] SyS_exit_group+0x1d/0x20
[   21.295845]  [] entry_SYSCALL_64_fastpath+0x23/0xc6
[   21.302387] Object at ffff8801c3261180, in cache kmalloc-512 size: 512
[   21.309011] Allocated:
[   21.311472] PID = 3320
[   21.313935]  save_stack_trace+0x16/0x20
[   21.317871]  save_stack+0x43/0xd0
[   21.321296]  kasan_kmalloc+0xad/0xe0
[   21.324972]  kmem_cache_alloc_trace+0xfb/0x2a0
[   21.329516]  binder_get_thread+0x15d/0x750
[   21.333713]  binder_poll+0x4a/0x210
[   21.337301]  SyS_epoll_ctl+0x11d7/0x2190
[   21.341325]  entry_SYSCALL_64_fastpath+0x23/0xc6
[   21.346041] Freed:
[   21.348152] PID = 3320
[   21.350613]  save_stack_trace+0x16/0x20
[   21.354547]  save_stack+0x43/0xd0
[   21.357961]  kasan_slab_free+0x73/0xc0
[   21.361810]  kfree+0xf0/0x2f0
[   21.364879]  binder_thread_dec_tmpref+0x1cc/0x240
[   21.369685]  binder_thread_release+0x27d/0x540
[   21.374232]  binder_ioctl+0x9c0/0x11b0
[   21.378083]  do_vfs_ioctl+0x1aa/0x1140
[   21.381932]  SyS_ioctl+0x8f/0xc0
[   21.385265]  entry_SYSCALL_64_fastpath+0x23/0xc6
[   21.389980] Memory state around the buggy address:
[   21.394873]  ffff8801c3261100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   21.402193]  ffff8801c3261180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   21.409514] >ffff8801c3261200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   21.416833]                                            ^
[   21.422246]  ffff8801c3261280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   21.429567]  ffff8801c3261300: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   21.436897] ==================================================================
[   21.444222] ==================================================================
[   21.451545] BUG: KASAN: use-after-free in do_raw_spin_lock+0x1ac/0x1e0 at addr ffff8801c3261224
[   21.460341] Read of size 4 by task syzkaller016943/3320
[   21.465671] CPU: 0 PID: 3320 Comm: syzkaller016943 Tainted: G    B           4.9.70-g9542d2a #109
[   21.474645] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   21.483968]  ffff8801c2d47ac0 ffffffff81d90a29 ffff8801da001280 ffff8801c3261180
[   21.491910]  ffff8801c3261380 ffffed003864c244 ffff8801c3261224 ffff8801c2d47ae8
[   21.499873]  ffffffff8153a45c ffffed003864c244 ffff8801da001280 0000000000000000
[   21.507816] Call Trace:
[   21.510369]  [] dump_stack+0xc1/0x128
[   21.515697]  [] kasan_object_err+0x1c/0x70
[   21.521456]  [] kasan_report.part.1+0x21c/0x500
[   21.527651]  [] ? mutex_lock_nested+0x5e3/0x870
[   21.533846]  [] ? do_raw_spin_lock+0x1ac/0x1e0
[   21.539954]  [] __asan_report_load4_noabort+0x29/0x30
[   21.546669]  [] do_raw_spin_lock+0x1ac/0x1e0
[   21.552606]  [] _raw_spin_lock_irqsave+0x56/0x70
[   21.558888]  [] ? remove_wait_queue+0x14/0x40
[   21.564925]  [] remove_wait_queue+0x14/0x40
[   21.570772]  [] ep_unregister_pollwait.isra.6+0xaf/0x240
[   21.577750]  [] ? ep_unregister_pollwait.isra.6+0x12a/0x240
[   21.584988]  [] ? ep_free+0x1b0/0x1b0
[   21.590314]  [] ep_free+0x96/0x1b0
[   21.595380]  [] ? ep_free+0x1b0/0x1b0
[   21.600709]  [] ep_eventpoll_release+0x44/0x60
[   21.606818]  [] __fput+0x28c/0x6e0
[   21.611890]  [] ____fput+0x15/0x20
[   21.616956]  [] task_work_run+0x115/0x190
[   21.622635]  [] do_exit+0x7e7/0x2a40
[   21.627876]  [] ? selinux_file_ioctl+0x355/0x530
[   21.634157]  [] ? release_task+0x1240/0x1240
[   21.640094]  [] ? SyS_epoll_create+0x190/0x190
[   21.646204]  [] ? entry_SYSCALL_64_fastpath+0x5/0xc6
[   21.652833]  [] do_group_exit+0x108/0x320
[   21.658508]  [] SyS_exit_group+0x1d/0x20
[   21.664096]  [] entry_SYSCALL_64_fastpath+0x23/0xc6
[   21.670638] Object at ffff8801c3261180, in cache kmalloc-512 size: 512
[   21.677264] Allocated:
[   21.679724] PID = 3320
[   21.682193]  save_stack_trace+0x16/0x20
[   21.686141]  save_stack+0x43/0xd0
[   21.689557]  kasan_kmalloc+0xad/0xe0
[   21.693236]  kmem_cache_alloc_trace+0xfb/0x2a0
[   21.697781]  binder_get_thread+0x15d/0x750
[   21.701978]  binder_poll+0x4a/0x210
[   21.705568]  SyS_epoll_ctl+0x11d7/0x2190
[   21.709593]  entry_SYSCALL_64_fastpath+0x23/0xc6
[   21.714320] Freed:
[   21.716432] PID = 3320
[   21.718894]  save_stack_trace+0x16/0x20
[   21.722830]  save_stack+0x43/0xd0
[   21.726245]  kasan_slab_free+0x73/0xc0
[   21.730092]  kfree+0xf0/0x2f0
[   21.733160]  binder_thread_dec_tmpref+0x1cc/0x240
[   21.737965]  binder_thread_release+0x27d/0x540
[   21.742519]  binder_ioctl+0x9c0/0x11b0
[   21.746373]  do_vfs_ioctl+0x1aa/0x1140
[   21.750234]  SyS_ioctl+0x8f/0xc0
[   21.753582]  entry_SYSCALL_64_fastpath+0x23/0xc6
[   21.758308] Memory state around the buggy address:
[   21.763202]  ffff8801c3261100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   21.770524]  ffff8801c3261180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   21.777847] >ffff8801c3261200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   21.785169]                                ^
[   21.789547]  ffff8801c3261280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   21.796869]  ffff8801c3261300: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   21.804188] ==================================================================
[   21.811509] ==================================================================
[   21.818836] BUG: KASAN: use-after-free in do_raw_spin_lock+0x1d3/0x1e0 at addr ffff8801c3261230
[   21.827637] Read of size 8 by task syzkaller016943/3320
[   21.832966] CPU: 0 PID: 3320 Comm: syzkaller016943 Tainted: G    B           4.9.70-g9542d2a #109
[   21.841936] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   21.851254]  ffff8801c2d47ac0 ffffffff81d90a29 ffff8801da001280 ffff8801c3261180
[   21.859212]  ffff8801c3261380 ffffed003864c246 ffff8801c3261230 ffff8801c2d47ae8
[   21.867159]  ffffffff8153a45c ffffed003864c246 ffff8801da001280 0000000000000000
[   21.875130] Call Trace:
[   21.877684]  [] dump_stack+0xc1/0x128
[   21.883014]  [] kasan_object_err+0x1c/0x70
[   21.888773]  [] kasan_report.part.1+0x21c/0x500
[   21.894969]  [] ? do_raw_spin_lock+0x1d3/0x1e
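What the four reports above add up to: KASAN flags the same 512-byte kmalloc-512 object at ffff8801c3261180 four times. The Allocated stack identifies it as a binder_thread, created by binder_get_thread when binder_poll ran under epoll_ctl, which is also the moment binder_poll handed the wait queue embedded in that struct to the epoll instance. The Freed stack shows a later binder_ioctl call (the BINDER_THREAD_EXIT path) running binder_thread_release, dropping the last temporary reference in binder_thread_dec_tmpref and kfree'ing the object, without unhooking it from epoll. Every access stack then comes from process exit: ep_free walks the remaining epoll items and remove_wait_queue takes the spinlock of a wait_queue_head that no longer exists. The four reads land at offsets 0xa4, 0xb0, 0xb8 and 0xc0 into the freed object, the region where that spinlock (with its lockdep fields) sits. The [] markers are where the [<addr>] frame addresses were lost when the page was extracted, and the fourth report is cut off before its Object line; the syzkaller program that was executed is not on the page.

The following triage helper is an added example for this page; it is not part of the syzkaller log, of syzkaller, or of the kernel tree. It parses reports of this shape, drops the instrumentation frames and the "?" guessed frames, and computes where inside the freed object each access landed, grouping repeated hits per object. SAMPLE is an excerpt trimmed from the report above (a constructed sample, with the fourth report still missing its Object line so the parser has to tolerate it).

```python
import re
from dataclasses import dataclass, field

# Excerpt trimmed from the report above (constructed sample): the first use-after-free with a
# few frames and its alloc/free stacks, then the BUG/Read/Object lines of the follow-ups.
# "[]" is where [<addr>] was lost in extraction; report 4 is cut off before its Object line.
SAMPLE = """\
[   20.746788] BUG: KASAN: use-after-free in __lock_acquire+0x2eff/0x3640 at addr ffff8801c3261238
[   20.747943] Read of size 8 by task syzkaller016943/3320
[   20.754389] Call Trace:
[   20.758772]  [] __lock_acquire+0x2eff/0x3640
[   20.763946]  [] ? mutex_lock_nested+0x5e3/0x870
[   20.778654]  [] remove_wait_queue+0x14/0x40
[   20.784504]  [] ep_unregister_pollwait.isra.6+0xaf/0x240
[   20.804045]  [] ep_free+0x96/0x1b0
[   20.872235]  [] SyS_exit_group+0x1d/0x20
[   20.884371] Object at ffff8801c3261180, in cache kmalloc-512 size: 512
[   20.890998] Allocated:
[   20.903273]  kasan_kmalloc+0xad/0xe0
[   20.911494]  binder_get_thread+0x15d/0x750
[   20.915692]  binder_poll+0x4a/0x210
[   20.919281]  SyS_epoll_ctl+0x11d7/0x2190
[   20.928018] Freed:
[   20.943791]  kfree+0xf0/0x2f0
[   20.946857]  binder_thread_dec_tmpref+0x1cc/0x240
[   20.951661]  binder_thread_release+0x27d/0x540
[   20.956205]  binder_ioctl+0x9c0/0x11b0
[   20.963904]  SyS_ioctl+0x8f/0xc0
[   21.038656] BUG: KASAN: use-after-free in __lock_acquire+0x2c56/0x3640 at addr ffff8801c3261240
[   21.047455] Read of size 8 by task syzkaller016943/3320
[   21.302387] Object at ffff8801c3261180, in cache kmalloc-512 size: 512
[   21.451545] BUG: KASAN: use-after-free in do_raw_spin_lock+0x1ac/0x1e0 at addr ffff8801c3261224
[   21.460341] Read of size 4 by task syzkaller016943/3320
[   21.670638] Object at ffff8801c3261180, in cache kmalloc-512 size: 512
[   21.818836] BUG: KASAN: use-after-free in do_raw_spin_lock+0x1d3/0x1e0 at addr ffff8801c3261230
[   21.827637] Read of size 8 by task syzkaller016943/3320
"""

TS = r"^\[\s*\d+\.\d+\]\s*"                        # "[   20.746788] " timestamp prefix
BUG_RE = re.compile(TS + r"BUG: KASAN: (?P<kind>[\w-]+) in (?P<func>\S+) at addr (?P<addr>[0-9a-f]+)")
RW_RE = re.compile(TS + r"(?P<rw>Read|Write) of size (?P<size>\d+) by task (?P<task>\S+/\d+)")
OBJ_RE = re.compile(TS + r"Object at (?P<base>[0-9a-f]+), in cache (?P<cache>\S+) size: (?P<size>\d+)")
# One frame: optional "[<addr>]" (or the emptied "[]"), then sym+off/len; "? " guesses never match.
FRAME_RE = re.compile(TS + r"(?:\[[^\]]*\]\s*)?(?P<sym>[\w.]+)\+0x[0-9a-f]+/0x[0-9a-f]+")
NOISE = ("kasan_", "__asan_", "save_stack", "dump_stack", "kmem_cache_alloc", "kfree")
SECTIONS = {"Call Trace:": "access_stack", "Allocated:": "alloc_stack", "Freed:": "free_stack"}

@dataclass
class KasanReport:
    kind: str
    access_func: str
    addr: int
    rw: str = ""
    size: int = 0
    task: str = ""
    obj_base: int = 0                              # stays 0 if the report had no "Object at" line
    obj_size: int = 0
    cache: str = ""
    access_stack: list = field(default_factory=list)
    alloc_stack: list = field(default_factory=list)
    free_stack: list = field(default_factory=list)

    def offset(self) -> int:
        """Byte offset of the bad access inside the freed slab object."""
        return self.addr - self.obj_base

    def in_object(self) -> bool:
        return self.obj_size > 0 and 0 <= self.offset() < self.obj_size

def parse_kasan(text: str) -> list:
    reports, section = [], None
    for line in text.splitlines():
        if m := BUG_RE.match(line):                # a new report starts; reset the stack cursor
            reports.append(KasanReport(m["kind"], m["func"].split("+")[0], int(m["addr"], 16)))
            section = None
            continue
        if not reports:
            continue                               # console noise before the first report
        rep = reports[-1]
        if m := RW_RE.match(line):
            rep.rw, rep.size, rep.task = m["rw"], int(m["size"]), m["task"]
        elif m := OBJ_RE.match(line):
            rep.obj_base, rep.cache, rep.obj_size = int(m["base"], 16), m["cache"], int(m["size"])
        elif (m := FRAME_RE.match(line)) and section:
            sym = m["sym"].split(".")[0]           # drop .isra.N / .part.N compiler suffixes
            if not sym.startswith(NOISE):          # keep frames naming the owning code, not KASAN's
                getattr(rep, section).append(sym)
        else:
            section = SECTIONS.get(re.sub(TS, "", line), section)
    return reports

def hot_offsets(reports: list) -> dict:
    """Per freed object, the sorted (offset, size) of every caught access: repeated hits on
    one object show which field region the stale pointer keeps reaching after the free."""
    grouped = {}
    for r in reports:
        if r.in_object():
            grouped.setdefault(r.obj_base, set()).add((r.offset(), r.size))
    return {base: sorted(spans) for base, spans in grouped.items()}
```

Running parse_kasan over the full console log instead of SAMPLE gives the same four reports, and hot_offsets shows the three that carry an Object line clustered in a 0x24-byte window of the 512-byte object. Checking that window against the struct layout of the matching vmlinux (for example with pahole -C binder_thread) is the quick way to confirm which field the stale epoll entry still points at; the fourth report is excluded from the grouping rather than reported at a nonsense offset, since its Object line never made it onto the page.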