[ ok ] Starting enhanced syslogd: rsyslogd.
[ 13.387621] audit: type=1400 audit(1515662020.478:4): avc: denied { syslog } for pid=3196 comm="rsyslogd" capability=34 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=capability2 permissive=1
Starting mcstransd:
[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting file context maintaining daemon: restorecond.
[ ok ] Starting OpenBSD Secure Shell server: sshd.

Debian GNU/Linux 7 syzkaller ttyS0

Warning: Permanently added '10.128.15.207' (ECDSA) to the list of known hosts.
executing program
syzkaller login:
[ 20.668162] ==================================================================
[ 20.675538] BUG: KASAN: use-after-free in __lock_acquire+0x2eff/0x3640
[ 20.682174] Read of size 8 at addr ffff8801cd1c8d38 by task syzkaller497098/3344
[ 20.689673]
[ 20.691266] CPU: 1 PID: 3344 Comm: syzkaller497098 Not tainted 4.9.76-g9154940 #20
[ 20.698934] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 20.708253] ffff8801c9e17870 ffffffff81d93149 ffffea0007347200 ffff8801cd1c8d38
[ 20.716199] 0000000000000000 ffff8801cd1c8d38 ffff8801cd1c8d38 ffff8801c9e178a8
[ 20.724147] ffffffff8153cb43 ffff8801cd1c8d38 0000000000000008 0000000000000000
[ 20.732087] Call Trace:
[ 20.734644] [] dump_stack+0xc1/0x128
[ 20.739973] [] print_address_description+0x73/0x280
[ 20.746603] [] kasan_report+0x275/0x360
[ 20.752192] [] ? __lock_acquire+0x2eff/0x3640
[ 20.758302] [] __asan_report_load8_noabort+0x14/0x20
[ 20.765021] [] __lock_acquire+0x2eff/0x3640
[ 20.770953] [] ? __lock_acquire+0x629/0x3640
[ 20.776975] [] ? debug_check_no_locks_freed+0x2c0/0x2c0
[ 20.783954] [] ? debug_check_no_locks_freed+0x2c0/0x2c0
[ 20.790933] [] ? debug_check_no_locks_freed+0x2c0/0x2c0
[ 20.797911] [] ? mark_held_locks+0xaf/0x100
[ 20.803860] [] ? mutex_lock_nested+0x5e3/0x870
[ 20.810059] [] lock_acquire+0x12e/0x410
[ 20.815648] [] ? remove_wait_queue+0x14/0x40
[ 20.821669] [] _raw_spin_lock_irqsave+0x4e/0x70
[ 20.827953] [] ? remove_wait_queue+0x14/0x40
[ 20.833975] [] remove_wait_queue+0x14/0x40
[ 20.839826] [] ep_unregister_pollwait.isra.6+0xaf/0x240
[ 20.846807] [] ? ep_unregister_pollwait.isra.6+0x12a/0x240
[ 20.854044] [] ? ep_free+0x1b0/0x1b0
[ 20.859371] [] ep_free+0x96/0x1b0
[ 20.864451] [] ? ep_free+0x1b0/0x1b0
[ 20.869781] [] ep_eventpoll_release+0x44/0x60
[ 20.875899] [] __fput+0x28c/0x6e0
[ 20.880966] [] ____fput+0x15/0x20
[ 20.886033] [] task_work_run+0x115/0x190
[ 20.891709] [] do_exit+0x7e7/0x2a40
[ 20.896951] [] ? __pmd_alloc+0x410/0x410
[ 20.902626] [] ? release_task+0x1240/0x1240
[ 20.908562] [] ? __do_page_fault+0x5ec/0xd40
[ 20.914586] [] ? up_read+0x1a/0x40
[ 20.919742] [] ? __do_page_fault+0x3bd/0xd40
[ 20.925770] [] do_group_exit+0x108/0x320
[ 20.931452] [] ? do_group_exit+0x320/0x320
[ 20.937307] [] SyS_exit_group+0x1d/0x20
[ 20.942898] [] do_fast_syscall_32+0x2f7/0x890
[ 20.949005] [] ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 20.955637] [] entry_SYSENTER_compat+0x74/0x83
[ 20.961831]
[ 20.963426] Allocated by task 3344:
[ 20.967018]  save_stack_trace+0x16/0x20
[ 20.970955]  save_stack+0x43/0xd0
[ 20.974377]  kasan_kmalloc+0xad/0xe0
[ 20.978059]  kmem_cache_alloc_trace+0xfb/0x2a0
[ 20.982606]  binder_get_thread+0x15d/0x750
[ 20.986803]  binder_poll+0x4a/0x210
[ 20.990395]  SyS_epoll_ctl+0x11d7/0x2190
[ 20.994420]  do_fast_syscall_32+0x2f7/0x890
[ 20.998706]  entry_SYSENTER_compat+0x74/0x83
[ 21.003074]
[ 21.004666] Freed by task 3344:
[ 21.007907]  save_stack_trace+0x16/0x20
[ 21.011843]  save_stack+0x43/0xd0
[ 21.015260]  kasan_slab_free+0x72/0xc0
[ 21.019111]  kfree+0x103/0x300
[ 21.022268]  binder_thread_dec_tmpref+0x1cc/0x240
[ 21.027081]  binder_thread_release+0x27d/0x540
[ 21.031623]  binder_ioctl+0x9c0/0x11b0
[ 21.035480]  compat_SyS_ioctl+0x15f/0x2050
[ 21.039677]  do_fast_syscall_32+0x2f7/0x890
[ 21.043966]  entry_SYSENTER_compat+0x74/0x83
[ 21.048335]
[ 21.049925] The buggy address belongs to the object at ffff8801cd1c8c80
[ 21.049925]  which belongs to the cache kmalloc-512 of size 512
[ 21.062544] The buggy address is located 184 bytes inside of
[ 21.062544]  512-byte region [ffff8801cd1c8c80, ffff8801cd1c8e80)
[ 21.074378] The buggy address belongs to the page:
[ 21.079285] page:ffffea0007347200 count:1 mapcount:0 mapping: (null) index:0x0 compound_mapcount: 0
[ 21.089451] flags: 0x8000000000004080(slab|head)
[ 21.094170] page dumped because: kasan: bad access detected
[ 21.099848]
[ 21.101436] Memory state around the buggy address:
[ 21.106329]  ffff8801cd1c8c00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 21.113653]  ffff8801cd1c8c80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 21.120973] >ffff8801cd1c8d00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 21.128294]                                         ^
[ 21.133447]  ffff8801cd1c8d80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 21.140770]  ffff8801cd1c8e00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 21.148095] ==================================================================
[ 21.155416] Disabling lock debugging due to kernel taint
[ 21.160826] Kernel panic - not syncing: panic_on_warn set ...
[ 21.160826]
[ 21.168154] CPU: 1 PID: 3344 Comm: syzkaller497098 Tainted: G B 4.9.76-g9154940 #20
[ 21.177039] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 21.186365] ffff8801c9e177c8 ffffffff81d93149 ffffffff84195c17 ffff8801c9e178a0
[ 21.194311] 0000000000000000 ffff8801cd1c8d38 ffff8801cd1c8d38 ffff8801c9e17890
[ 21.202262] ffffffff8142e371 0000000041b58ab3 ffffffff84189678 ffffffff8142e1b5
[ 21.210203] Call Trace:
[ 21.212759] [] dump_stack+0xc1/0x128
[ 21.218089] [] panic+0x1bc/0x3a8
[ 21.223068] [] ? percpu_up_read_preempt_enable.constprop.53+0xd7/0xd7
[ 21.231270] [] ? add_taint+0x40/0x50
[ 21.236611] [] kasan_end_report+0x50/0x50
[ 21.242385] [] kasan_report+0x167/0x360
[ 21.247986] [] ? __lock_acquire+0x2eff/0x3640
[ 21.254095] [] __asan_report_load8_noabort+0x14/0x20
[ 21.260810] [] __lock_acquire+0x2eff/0x3640
[ 21.266746] [] ? __lock_acquire+0x629/0x3640
[ 21.272779] [] ? debug_check_no_locks_freed+0x2c0/0x2c0
[ 21.279776] [] ? debug_check_no_locks_freed+0x2c0/0x2c0
[ 21.286754] [] ? debug_check_no_locks_freed+0x2c0/0x2c0
[ 21.293732] [] ? mark_held_locks+0xaf/0x100
[ 21.299665] [] ? mutex_lock_nested+0x5e3/0x870
[ 21.305859] [] lock_acquire+0x12e/0x410
[ 21.311444] [] ? remove_wait_queue+0x14/0x40
[ 21.317466] [] _raw_spin_lock_irqsave+0x4e/0x70
[ 21.323747] [] ? remove_wait_queue+0x14/0x40
[ 21.329767] [] remove_wait_queue+0x14/0x40
[ 21.335617] [] ep_unregister_pollwait.isra.6+0xaf/0x240
[ 21.342594] [] ? ep_unregister_pollwait.isra.6+0x12a/0x240
[ 21.349834] [] ? ep_free+0x1b0/0x1b0
[ 21.355163] [] ep_free+0x96/0x1b0
[ 21.360229] [] ? ep_free+0x1b0/0x1b0
[ 21.365555] [] ep_eventpoll_release+0x44/0x60
[ 21.371664] [] __fput+0x28c/0x6e0
[ 21.376731] [] ____fput+0x15/0x20
[ 21.381798] [] task_work_run+0x115/0x190
[ 21.387474] [] do_exit+0x7e7/0x2a40
[ 21.392713] [] ? __pmd_alloc+0x410/0x410
[ 21.398388] [] ? release_task+0x1240/0x1240
[ 21.404324] [] ? __do_page_fault+0x5ec/0xd40
[ 21.410346] [] ? up_read+0x1a/0x40
[ 21.415500] [] ? __do_page_fault+0x3bd/0xd40
[ 21.421523] [] do_group_exit+0x108/0x320
[ 21.427196] [] ? do_group_exit+0x320/0x320
[ 21.433053] [] SyS_exit_group+0x1d/0x20
[ 21.438641] [] do_fast_syscall_32+0x2f7/0x890
[ 21.444747] [] ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 21.451384] [] entry_SYSENTER_compat+0x74/0x83
[ 21.458028] Dumping ftrace buffer:
[ 21.461532]    (ftrace buffer empty)
[ 21.465210] Kernel Offset: disabled
[ 21.468799] Rebooting in 86400 seconds..