[....] Starting enhanced syslogd: rsyslogd
[ 10.767106] audit: type=1400 audit(1517220726.484:4): avc: denied { syslog } for pid=3174 comm="rsyslogd" capability=34 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=capability2 permissive=1
[ ok ] Starting enhanced syslogd: rsyslogd.
[ ok ] Starting periodic command scheduler: cron.
Starting mcstransd:
[ ok ] Starting OpenBSD Secure Shell server: sshd.
[ ok ] Starting file context maintaining daemon: restorecond.

Debian GNU/Linux 7 syzkaller ttyS0

Warning: Permanently added '10.128.15.225' (ECDSA) to the list of known hosts.
executing program
syzkaller login: [ 34.888811] ==================================================================
[ 34.889944] BUG: KASAN: use-after-free in __lock_acquire+0x2eff/0x3640
[ 34.890821] Read of size 8 at addr ffff8801c87d6d38 by task syzkaller607401/3339
[ 34.891817]
[ 34.892049] CPU: 0 PID: 3339 Comm: syzkaller607401 Not tainted 4.9.78-g68d447c #23
[ 34.893072] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 34.894291]  ffff8801c7edf8e0 ffffffff81d943a9 ffffea000721f580 ffff8801c87d6d38
[ 34.895494]  0000000000000000 ffff8801c87d6d38 ffff8801c87d6d38 ffff8801c7edf918
[ 34.896645]  ffffffff8153dc23 ffff8801c87d6d38 0000000000000008 0000000000000000
[ 34.897814] Call Trace:
[ 34.898171]  [] dump_stack+0xc1/0x128
[ 34.898888]  [] print_address_description+0x73/0x280
[ 34.899767]  [] kasan_report+0x275/0x360
[ 34.900512]  [] ? __lock_acquire+0x2eff/0x3640
[ 34.901322]  [] __asan_report_load8_noabort+0x14/0x20
[ 34.902210]  [] __lock_acquire+0x2eff/0x3640
[ 34.903002]  [] ? __lock_acquire+0x629/0x3640
[ 34.903801]  [] ? debug_check_no_locks_freed+0x2c0/0x2c0
[ 34.904741]  [] ? debug_check_no_locks_freed+0x2c0/0x2c0
[ 34.905662]  [] ? debug_check_no_locks_freed+0x2c0/0x2c0
[ 34.906586]  [] ? mark_held_locks+0xaf/0x100
[ 34.907377]  [] ? mutex_lock_nested+0x5e3/0x870
[ 34.908197]  [] lock_acquire+0x12e/0x410
[ 34.908941]  [] ? remove_wait_queue+0x14/0x40
[ 34.914965]  [] _raw_spin_lock_irqsave+0x4e/0x70
[ 34.921253]  [] ? remove_wait_queue+0x14/0x40
[ 34.927278]  [] remove_wait_queue+0x14/0x40
[ 34.933128]  [] ep_unregister_pollwait.isra.6+0xaf/0x240
[ 34.940105]  [] ? ep_unregister_pollwait.isra.6+0x12a/0x240
[ 34.947356]  [] ? ep_free+0x1b0/0x1b0
[ 34.952684]  [] ep_free+0x96/0x1b0
[ 34.957753]  [] ? ep_free+0x1b0/0x1b0
[ 34.963083]  [] ep_eventpoll_release+0x44/0x60
[ 34.969193]  [] __fput+0x28c/0x6e0
[ 34.974260]  [] ____fput+0x15/0x20
[ 34.979329]  [] task_work_run+0x115/0x190
[ 34.985009]  [] do_exit+0x7e7/0x2a40
[ 34.990250]  [] ? selinux_file_ioctl+0x355/0x530
[ 34.996534]  [] ? release_task+0x1240/0x1240
[ 35.002470]  [] ? SyS_epoll_create+0x190/0x190
[ 35.008579]  [] ? entry_SYSCALL_64_fastpath+0x5/0xe8
[ 35.015211]  [] do_group_exit+0x108/0x320
[ 35.020887]  [] SyS_exit_group+0x1d/0x20
[ 35.026478]  [] entry_SYSCALL_64_fastpath+0x29/0xe8
[ 35.033022]
[ 35.034616] Allocated by task 3339:
[ 35.038213]  save_stack_trace+0x16/0x20
[ 35.042152]  save_stack+0x43/0xd0
[ 35.045569]  kasan_kmalloc+0xad/0xe0
[ 35.049251]  kmem_cache_alloc_trace+0xfb/0x2a0
[ 35.053801]  binder_get_thread+0x15d/0x750
[ 35.057999]  binder_poll+0x4a/0x210
[ 35.061590]  SyS_epoll_ctl+0x11d7/0x2190
[ 35.065615]  entry_SYSCALL_64_fastpath+0x29/0xe8
[ 35.070332]
[ 35.071928] Freed by task 3339:
[ 35.075175]  save_stack_trace+0x16/0x20
[ 35.079113]  save_stack+0x43/0xd0
[ 35.082533]  kasan_slab_free+0x72/0xc0
[ 35.086386]  kfree+0x103/0x300
[ 35.089547]  binder_thread_dec_tmpref+0x1cc/0x240
[ 35.094356]  binder_thread_release+0x27d/0x540
[ 35.098901]  binder_ioctl+0x9c0/0x11b0
[ 35.102755]  do_vfs_ioctl+0x1aa/0x1140
[ 35.106609]  SyS_ioctl+0x8f/0xc0
[ 35.109941]  entry_SYSCALL_64_fastpath+0x29/0xe8
[ 35.114661]
[ 35.116257] The buggy address belongs to the object at ffff8801c87d6c80
[ 35.116257]  which belongs to the cache kmalloc-512 of size 512
[ 35.128878] The buggy address is located 184 bytes inside of
[ 35.128878]  512-byte region [ffff8801c87d6c80, ffff8801c87d6e80)
[ 35.140717] The buggy address belongs to the page:
[ 35.145611] page:ffffea000721f580 count:1 mapcount:0 mapping: (null) index:0x0 compound_mapcount: 0
[ 35.155772] flags: 0x8000000000004080(slab|head)
[ 35.160490] page dumped because: kasan: bad access detected
[ 35.166163]
[ 35.167757] Memory state around the buggy address:
[ 35.172649]  ffff8801c87d6c00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 35.179973]  ffff8801c87d6c80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 35.187298] >ffff8801c87d6d00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 35.194620]                                         ^
[ 35.199771]  ffff8801c87d6d80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 35.207094]  ffff8801c87d6e00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 35.214417] ==================================================================
[ 35.221739] Disabling lock debugging due to kernel taint
[ 35.227154] Kernel panic - not syncing: panic_on_warn set ...
[ 35.227154]
[ 35.234482] CPU: 0 PID: 3339 Comm: syzkaller607401 Tainted: G B 4.9.78-g68d447c #23
[ 35.243368] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 35.252687]  ffff8801c7edf838 ffffffff81d943a9 ffffffff841971bf ffff8801c7edf910
[ 35.260648]  0000000000000000 ffff8801c87d6d38 ffff8801c87d6d38 ffff8801c7edf900
[ 35.268603]  ffffffff8142f451 0000000041b58ab3 ffffffff8418ac30 ffffffff8142f295
[ 35.276561] Call Trace:
[ 35.279116]  [] dump_stack+0xc1/0x128
[ 35.284444]  [] panic+0x1bc/0x3a8
[ 35.289426]  [] ? percpu_up_read_preempt_enable.constprop.53+0xd7/0xd7
[ 35.297620]  [] ? add_taint+0x40/0x50
[ 35.302948]  [] kasan_end_report+0x50/0x50
[ 35.308711]  [] kasan_report+0x167/0x360
[ 35.314301]  [] ? __lock_acquire+0x2eff/0x3640
[ 35.320410]  [] __asan_report_load8_noabort+0x14/0x20
[ 35.327129]  [] __lock_acquire+0x2eff/0x3640
[ 35.333067]  [] ? __lock_acquire+0x629/0x3640
[ 35.339093]  [] ? debug_check_no_locks_freed+0x2c0/0x2c0
[ 35.346071]  [] ? debug_check_no_locks_freed+0x2c0/0x2c0
[ 35.353050]  [] ? debug_check_no_locks_freed+0x2c0/0x2c0
[ 35.360029]  [] ? mark_held_locks+0xaf/0x100
[ 35.365963]  [] ? mutex_lock_nested+0x5e3/0x870
[ 35.372161]  [] lock_acquire+0x12e/0x410
[ 35.377752]  [] ? remove_wait_queue+0x14/0x40
[ 35.383774]  [] _raw_spin_lock_irqsave+0x4e/0x70
[ 35.390063]  [] ? remove_wait_queue+0x14/0x40
[ 35.396085]  [] remove_wait_queue+0x14/0x40
[ 35.401935]  [] ep_unregister_pollwait.isra.6+0xaf/0x240
[ 35.408912]  [] ? ep_unregister_pollwait.isra.6+0x12a/0x240
[ 35.416152]  [] ? ep_free+0x1b0/0x1b0
[ 35.421490]  [] ep_free+0x96/0x1b0
[ 35.426557]  [] ? ep_free+0x1b0/0x1b0
[ 35.431886]  [] ep_eventpoll_release+0x44/0x60
[ 35.437994]  [] __fput+0x28c/0x6e0
[ 35.443061]  [] ____fput+0x15/0x20
[ 35.448127]  [] task_work_run+0x115/0x190
[ 35.453806]  [] do_exit+0x7e7/0x2a40
[ 35.459047]  [] ? selinux_file_ioctl+0x355/0x530
[ 35.465334]  [] ? release_task+0x1240/0x1240
[ 35.471269]  [] ? SyS_epoll_create+0x190/0x190
[ 35.477379]  [] ? entry_SYSCALL_64_fastpath+0x5/0xe8
[ 35.484013]  [] do_group_exit+0x108/0x320
[ 35.489690]  [] SyS_exit_group+0x1d/0x20
[ 35.495279]  [] entry_SYSCALL_64_fastpath+0x29/0xe8
[ 35.502254] Dumping ftrace buffer:
[ 35.505764]    (ftrace buffer empty)
[ 35.509440] Kernel Offset: disabled
[ 35.513034] Rebooting in 86400 seconds..