[....] Starting enhanced syslogd: rsyslogd
[ 11.977785] audit: type=1400 audit(1514163287.464:4): avc: denied { syslog } for pid=3173 comm="rsyslogd" capability=34 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=capability2 permissive=1
[ ok ].
Starting mcstransd:
[....] Starting periodic command scheduler: cron [ ok ].
[....] Starting file context maintaining daemon: restorecond [ ok ].
[....] Starting OpenBSD Secure Shell server: sshd [ ok ].

Debian GNU/Linux 7 syzkaller ttyS0

Warning: Permanently added 'ci-android-49-kasan-gce-9,10.128.15.225' (ECDSA) to the list of known hosts.
executing program
syzkaller login: [ 32.577605] ==================================================================
[ 32.578689] BUG: KASAN: use-after-free in __lock_acquire+0x2eff/0x3640
[ 32.579565] Read of size 8 at addr ffff8801c8a4afb8 by task syzkaller467194/3344
[ 32.580548]
[ 32.580780] CPU: 0 PID: 3344 Comm: syzkaller467194 Not tainted 4.9.71-g2506378 #113
[ 32.581850] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 32.583068] ffff8801cb3e78e0 ffffffff81d922b9 ffffea0007229280 ffff8801c8a4afb8
[ 32.584197] 0000000000000000 ffff8801c8a4afb8 ffff8801c8a4afb8 ffff8801cb3e7918
[ 32.585326] ffffffff8153bab3 ffff8801c8a4afb8 0000000000000008 0000000000000000
[ 32.586477] Call Trace:
[ 32.586832] [] dump_stack+0xc1/0x128
[ 32.587556] [] print_address_description+0x73/0x280
[ 32.588441] [] kasan_report+0x275/0x360
[ 32.589200] [] ? __lock_acquire+0x2eff/0x3640
[ 32.590042] [] __asan_report_load8_noabort+0x14/0x20
[ 32.590939] [] __lock_acquire+0x2eff/0x3640
[ 32.591723] [] ? __lock_acquire+0x629/0x3640
[ 32.592521] [] ? debug_check_no_locks_freed+0x2c0/0x2c0
[ 32.593479] [] ? debug_check_no_locks_freed+0x2c0/0x2c0
[ 32.594400] [] ? debug_check_no_locks_freed+0x2c0/0x2c0
[ 32.595318] [] ? mark_held_locks+0xaf/0x100
[ 32.596108] [] ? mutex_lock_nested+0x5e3/0x870
[ 32.596966] [] lock_acquire+0x12e/0x410
[ 32.597748] [] ? remove_wait_queue+0x14/0x40
[ 32.603782] [] _raw_spin_lock_irqsave+0x4e/0x70
[ 32.610064] [] ? remove_wait_queue+0x14/0x40
[ 32.616086] [] remove_wait_queue+0x14/0x40
[ 32.621944] [] ep_unregister_pollwait.isra.6+0xaf/0x240
[ 32.628923] [] ? ep_unregister_pollwait.isra.6+0x12a/0x240
[ 32.636165] [] ? ep_free+0x1b0/0x1b0
[ 32.641496] [] ep_free+0x96/0x1b0
[ 32.646570] [] ? ep_free+0x1b0/0x1b0
[ 32.651898] [] ep_eventpoll_release+0x44/0x60
[ 32.658009] [] __fput+0x28c/0x6e0
[ 32.663079] [] ____fput+0x15/0x20
[ 32.668147] [] task_work_run+0x115/0x190
[ 32.673822] [] do_exit+0x7e7/0x2a40
[ 32.679066] [] ? selinux_file_ioctl+0x355/0x530
[ 32.685351] [] ? release_task+0x1240/0x1240
[ 32.691633] [] ? SyS_epoll_create+0x190/0x190
[ 32.697745] [] ? entry_SYSCALL_64_fastpath+0x5/0xc6
[ 32.704374] [] do_group_exit+0x108/0x320
[ 32.710050] [] SyS_exit_group+0x1d/0x20
[ 32.715640] [] entry_SYSCALL_64_fastpath+0x23/0xc6
[ 32.722191]
[ 32.723793] Allocated by task 3344:
[ 32.727396] save_stack_trace+0x16/0x20
[ 32.731340] save_stack+0x43/0xd0
[ 32.734759] kasan_kmalloc+0xad/0xe0
[ 32.738438] kmem_cache_alloc_trace+0xfb/0x2a0
[ 32.743006] binder_get_thread+0x15d/0x750
[ 32.747205] binder_poll+0x4a/0x210
[ 32.750805] SyS_epoll_ctl+0x11d7/0x2190
[ 32.755620] entry_SYSCALL_64_fastpath+0x23/0xc6
[ 32.760337]
[ 32.761928] Freed by task 3344:
[ 32.765175] save_stack_trace+0x16/0x20
[ 32.769124] save_stack+0x43/0xd0
[ 32.772551] kasan_slab_free+0x72/0xc0
[ 32.776409] kfree+0x103/0x300
[ 32.779566] binder_thread_dec_tmpref+0x1cc/0x240
[ 32.784375] binder_thread_release+0x27d/0x540
[ 32.788926] binder_ioctl+0x9c0/0x11b0
[ 32.792787] do_vfs_ioctl+0x1aa/0x1140
[ 32.796637] SyS_ioctl+0x8f/0xc0
[ 32.799968] entry_SYSCALL_64_fastpath+0x23/0xc6
[ 32.804684]
[ 32.806278] The buggy address belongs to the object at ffff8801c8a4af00
[ 32.806278]  which belongs to the cache kmalloc-512 of size 512
[ 32.818897] The buggy address is located 184 bytes inside of
[ 32.818897]  512-byte region [ffff8801c8a4af00, ffff8801c8a4b100)
[ 32.830735] The buggy address belongs to the page:
[ 32.835629] page:ffffea0007229280 count:1 mapcount:0 mapping: (null) index:0x0 compound_mapcount: 0
[ 32.845780] flags: 0x8000000000004080(slab|head)
[ 32.850515] page dumped because: kasan: bad access detected
[ 32.856212]
[ 32.857806] Memory state around the buggy address:
[ 32.862711]  ffff8801c8a4ae80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 32.870046]  ffff8801c8a4af00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 32.877369] >ffff8801c8a4af80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 32.884692]                                         ^
[ 32.889850]  ffff8801c8a4b000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 32.897181]  ffff8801c8a4b080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 32.904517] ==================================================================
[ 32.911842] Disabling lock debugging due to kernel taint
[ 32.917257] Kernel panic - not syncing: panic_on_warn set ...
[ 32.917257]
[ 32.924591] CPU: 0 PID: 3344 Comm: syzkaller467194 Tainted: G B 4.9.71-g2506378 #113
[ 32.933561] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 32.942883] ffff8801cb3e7838 ffffffff81d922b9 ffffffff84194b3f ffff8801cb3e7910
[ 32.950839] 0000000000000000 ffff8801c8a4afb8 ffff8801c8a4afb8 ffff8801cb3e7900
[ 32.958788] ffffffff8142d741 0000000041b58ab3 ffffffff84188580 ffffffff8142d585
[ 32.966736] Call Trace:
[ 32.969308] [] dump_stack+0xc1/0x128
[ 32.974638] [] panic+0x1bc/0x3a8
[ 32.979618] [] ? percpu_up_read_preempt_enable.constprop.53+0xd7/0xd7
[ 32.987813] [] ? add_taint+0x40/0x50
[ 32.993150] [] kasan_end_report+0x50/0x50
[ 32.998913] [] kasan_report+0x167/0x360
[ 33.004521] [] ? __lock_acquire+0x2eff/0x3640
[ 33.010634] [] __asan_report_load8_noabort+0x14/0x20
[ 33.017359] [] __lock_acquire+0x2eff/0x3640
[ 33.023295] [] ? __lock_acquire+0x629/0x3640
[ 33.029328] [] ? debug_check_no_locks_freed+0x2c0/0x2c0
[ 33.036313] [] ? debug_check_no_locks_freed+0x2c0/0x2c0
[ 33.043291] [] ? debug_check_no_locks_freed+0x2c0/0x2c0
[ 33.050278] [] ? mark_held_locks+0xaf/0x100
[ 33.056217] [] ? mutex_lock_nested+0x5e3/0x870
[ 33.062420] [] lock_acquire+0x12e/0x410
[ 33.068013] [] ? remove_wait_queue+0x14/0x40
[ 33.074034] [] _raw_spin_lock_irqsave+0x4e/0x70
[ 33.080318] [] ? remove_wait_queue+0x14/0x40
[ 33.086350] [] remove_wait_queue+0x14/0x40
[ 33.092208] [] ep_unregister_pollwait.isra.6+0xaf/0x240
[ 33.099193] [] ? ep_unregister_pollwait.isra.6+0x12a/0x240
[ 33.106432] [] ? ep_free+0x1b0/0x1b0
[ 33.111768] [] ep_free+0x96/0x1b0
[ 33.116836] [] ? ep_free+0x1b0/0x1b0
[ 33.122162] [] ep_eventpoll_release+0x44/0x60
[ 33.128278] [] __fput+0x28c/0x6e0
[ 33.133361] [] ____fput+0x15/0x20
[ 33.138437] [] task_work_run+0x115/0x190
[ 33.144112] [] do_exit+0x7e7/0x2a40
[ 33.149356] [] ? selinux_file_ioctl+0x355/0x530
[ 33.155641] [] ? release_task+0x1240/0x1240
[ 33.161574] [] ? SyS_epoll_create+0x190/0x190
[ 33.167684] [] ? entry_SYSCALL_64_fastpath+0x5/0xc6
[ 33.174322] [] do_group_exit+0x108/0x320
[ 33.180000] [] SyS_exit_group+0x1d/0x20
[ 33.185595] [] entry_SYSCALL_64_fastpath+0x23/0xc6
[ 33.192482] Dumping ftrace buffer:
[ 33.195995] (ftrace buffer empty)
[ 33.199670] Kernel Offset: disabled
[ 33.203260] Rebooting in 86400 seconds..