[....] Starting enhanced syslogd: rsyslogd
[ 11.261237] audit: type=1400 audit(1516225171.427:4): avc: denied { syslog } for pid=3176 comm="rsyslogd" capability=34 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=capability2 permissive=1
[ ok ].
[....] Starting periodic command scheduler: cron [ ok ].
Starting mcstransd:
[....] Starting file context maintaining daemon: restorecond [ ok ].
[....] Starting OpenBSD Secure Shell server: sshd [ ok ].

Debian GNU/Linux 7 syzkaller ttyS0

Warning: Permanently added '10.128.15.232' (ECDSA) to the list of known hosts.
executing program
syzkaller login: [ 19.856934] ==================================================================
[ 19.864328] BUG: KASAN: use-after-free in __lock_acquire+0x2eff/0x3640
[ 19.870974] Read of size 8 at addr ffff8801cba8c0b8 by task syzkaller485833/3325
[ 19.878472] 
[ 19.880070] CPU: 1 PID: 3325 Comm: syzkaller485833 Not tainted 4.9.77-g033d019 #24
[ 19.887741] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 19.897066]  ffff8801c9b27870 ffffffff81d941c9 ffffea00072ea300 ffff8801cba8c0b8
[ 19.905035]  0000000000000000 ffff8801cba8c0b8 ffff8801cba8c0b8 ffff8801c9b278a8
[ 19.913003]  ffffffff8153db93 ffff8801cba8c0b8 0000000000000008 0000000000000000
[ 19.920973] Call Trace:
[ 19.923533]  [] dump_stack+0xc1/0x128
[ 19.928868]  [] print_address_description+0x73/0x280
[ 19.935503]  [] kasan_report+0x275/0x360
[ 19.941103]  [] ? __lock_acquire+0x2eff/0x3640
[ 19.947225]  [] __asan_report_load8_noabort+0x14/0x20
[ 19.953946]  [] __lock_acquire+0x2eff/0x3640
[ 19.959887]  [] ? __lock_acquire+0x629/0x3640
[ 19.965915]  [] ? debug_check_no_locks_freed+0x2c0/0x2c0
[ 19.972896]  [] ? debug_check_no_locks_freed+0x2c0/0x2c0
[ 19.979894]  [] ? debug_check_no_locks_freed+0x2c0/0x2c0
[ 19.986878]  [] ? mark_held_locks+0xaf/0x100
[ 19.992823]  [] ? mutex_lock_nested+0x5e3/0x870
[ 19.999024]  [] lock_acquire+0x12e/0x410
[ 20.004614]  [] ? remove_wait_queue+0x14/0x40
[ 20.010643]  [] _raw_spin_lock_irqsave+0x4e/0x70
[ 20.016927]  [] ? remove_wait_queue+0x14/0x40
[ 20.022952]  [] remove_wait_queue+0x14/0x40
[ 20.028815]  [] ep_unregister_pollwait.isra.6+0xaf/0x240
[ 20.035812]  [] ? ep_unregister_pollwait.isra.6+0x12a/0x240
[ 20.043062]  [] ? ep_free+0x1b0/0x1b0
[ 20.048406]  [] ep_free+0x96/0x1b0
[ 20.053480]  [] ? ep_free+0x1b0/0x1b0
[ 20.058812]  [] ep_eventpoll_release+0x44/0x60
[ 20.064931]  [] __fput+0x28c/0x6e0
[ 20.070008]  [] ____fput+0x15/0x20
[ 20.075095]  [] task_work_run+0x115/0x190
[ 20.080776]  [] do_exit+0x7e7/0x2a40
[ 20.086027]  [] ? __pmd_alloc+0x410/0x410
[ 20.091708]  [] ? release_task+0x1240/0x1240
[ 20.097671]  [] ? __do_page_fault+0x5ec/0xd40
[ 20.103717]  [] ? up_read+0x1a/0x40
[ 20.108892]  [] ? __do_page_fault+0x3bd/0xd40
[ 20.114942]  [] do_group_exit+0x108/0x320
[ 20.120640]  [] ? do_group_exit+0x320/0x320
[ 20.126502]  [] SyS_exit_group+0x1d/0x20
[ 20.132119]  [] do_fast_syscall_32+0x2f7/0x890
[ 20.138254]  [] ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 20.144910]  [] entry_SYSENTER_compat+0x74/0x83
[ 20.151123] 
[ 20.152725] Allocated by task 3325:
[ 20.156325]  save_stack_trace+0x16/0x20
[ 20.160271]  save_stack+0x43/0xd0
[ 20.163695]  kasan_kmalloc+0xad/0xe0
[ 20.167376]  kmem_cache_alloc_trace+0xfb/0x2a0
[ 20.171929]  binder_get_thread+0x15d/0x750
[ 20.176139]  binder_poll+0x4a/0x210
[ 20.179735]  SyS_epoll_ctl+0x11d7/0x2190
[ 20.183776]  do_fast_syscall_32+0x2f7/0x890
[ 20.188065]  entry_SYSENTER_compat+0x74/0x83
[ 20.192438] 
[ 20.194032] Freed by task 3325:
[ 20.197288]  save_stack_trace+0x16/0x20
[ 20.201235]  save_stack+0x43/0xd0
[ 20.204669]  kasan_slab_free+0x72/0xc0
[ 20.208533]  kfree+0x103/0x300
[ 20.211696]  binder_thread_dec_tmpref+0x1cc/0x240
[ 20.216505]  binder_thread_release+0x27d/0x540
[ 20.221055]  binder_ioctl+0x9c0/0x11b0
[ 20.224922]  compat_SyS_ioctl+0x15f/0x2050
[ 20.229127]  do_fast_syscall_32+0x2f7/0x890
[ 20.233426]  entry_SYSENTER_compat+0x74/0x83
[ 20.237800] 
[ 20.239397] The buggy address belongs to the object at ffff8801cba8c000
[ 20.239397]  which belongs to the cache kmalloc-512 of size 512
[ 20.252021] The buggy address is located 184 bytes inside of
[ 20.252021]  512-byte region [ffff8801cba8c000, ffff8801cba8c200)
[ 20.263862] The buggy address belongs to the page:
[ 20.268766] page:ffffea00072ea300 count:1 mapcount:0 mapping: (null) index:0x0 compound_mapcount: 0
[ 20.278931] flags: 0x8000000000004080(slab|head)
[ 20.283653] page dumped because: kasan: bad access detected
[ 20.289329] 
[ 20.290925] Memory state around the buggy address:
[ 20.295828]  ffff8801cba8bf80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 20.303155]  ffff8801cba8c000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 20.310484] >ffff8801cba8c080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 20.317808]                                         ^
[ 20.322964]  ffff8801cba8c100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 20.330297]  ffff8801cba8c180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 20.337622] ==================================================================
[ 20.344948] Disabling lock debugging due to kernel taint
[ 20.350370] Kernel panic - not syncing: panic_on_warn set ...
[ 20.350370] 
[ 20.357710] CPU: 1 PID: 3325 Comm: syzkaller485833 Tainted: G    B   4.9.77-g033d019 #24
[ 20.366606] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 20.375962]  ffff8801c9b277c8 ffffffff81d941c9 ffffffff841970ff ffff8801c9b278a0
[ 20.383940]  0000000000000000 ffff8801cba8c0b8 ffff8801cba8c0b8 ffff8801c9b27890
[ 20.391923]  ffffffff8142f3c1 0000000041b58ab3 ffffffff8418ab70 ffffffff8142f205
[ 20.399888] Call Trace:
[ 20.402452]  [] dump_stack+0xc1/0x128
[ 20.407795]  [] panic+0x1bc/0x3a8
[ 20.412784]  [] ? percpu_up_read_preempt_enable.constprop.53+0xd7/0xd7
[ 20.420980]  [] ? add_taint+0x40/0x50
[ 20.426314]  [] kasan_end_report+0x50/0x50
[ 20.432081]  [] kasan_report+0x167/0x360
[ 20.437673]  [] ? __lock_acquire+0x2eff/0x3640
[ 20.443799]  [] __asan_report_load8_noabort+0x14/0x20
[ 20.450533]  [] __lock_acquire+0x2eff/0x3640
[ 20.456473]  [] ? __lock_acquire+0x629/0x3640
[ 20.462500]  [] ? debug_check_no_locks_freed+0x2c0/0x2c0
[ 20.469490]  [] ? debug_check_no_locks_freed+0x2c0/0x2c0
[ 20.476496]  [] ? debug_check_no_locks_freed+0x2c0/0x2c0
[ 20.483485]  [] ? mark_held_locks+0xaf/0x100
[ 20.489429]  [] ? mutex_lock_nested+0x5e3/0x870
[ 20.495626]  [] lock_acquire+0x12e/0x410
[ 20.501221]  [] ? remove_wait_queue+0x14/0x40
[ 20.507247]  [] _raw_spin_lock_irqsave+0x4e/0x70
[ 20.513534]  [] ? remove_wait_queue+0x14/0x40
[ 20.519560]  [] remove_wait_queue+0x14/0x40
[ 20.525417]  [] ep_unregister_pollwait.isra.6+0xaf/0x240
[ 20.532407]  [] ? ep_unregister_pollwait.isra.6+0x12a/0x240
[ 20.539652]  [] ? ep_free+0x1b0/0x1b0
[ 20.544982]  [] ep_free+0x96/0x1b0
[ 20.550063]  [] ? ep_free+0x1b0/0x1b0
[ 20.555405]  [] ep_eventpoll_release+0x44/0x60
[ 20.561520]  [] __fput+0x28c/0x6e0
[ 20.566588]  [] ____fput+0x15/0x20
[ 20.571660]  [] task_work_run+0x115/0x190
[ 20.577347]  [] do_exit+0x7e7/0x2a40
[ 20.582593]  [] ? __pmd_alloc+0x410/0x410
[ 20.588273]  [] ? release_task+0x1240/0x1240
[ 20.594212]  [] ? __do_page_fault+0x5ec/0xd40
[ 20.600236]  [] ? up_read+0x1a/0x40
[ 20.605399]  [] ? __do_page_fault+0x3bd/0xd40
[ 20.611427]  [] do_group_exit+0x108/0x320
[ 20.617103]  [] ? do_group_exit+0x320/0x320
[ 20.622956]  [] SyS_exit_group+0x1d/0x20
[ 20.628559]  [] do_fast_syscall_32+0x2f7/0x890
[ 20.634673]  [] ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 20.641309]  [] entry_SYSENTER_compat+0x74/0x83
[ 20.647975] Dumping ftrace buffer:
[ 20.651492]    (ftrace buffer empty)
[ 20.655172] Kernel Offset: disabled
[ 20.658769] Rebooting in 86400 seconds..