[....] Starting enhanced syslogd: rsyslogd
[ 13.408861] audit: type=1400 audit(1515618115.810:4): avc: denied { syslog } for pid=3172 comm="rsyslogd" capability=34 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=capability2 permissive=1
[ ok ] Starting enhanced syslogd: rsyslogd.
[ ok ] Starting periodic command scheduler: cron.
Starting mcstransd:
[ ok ] Starting file context maintaining daemon: restorecond.
[ ok ] Starting OpenBSD Secure Shell server: sshd.

Debian GNU/Linux 7 syzkaller ttyS0

Warning: Permanently added '10.128.15.206' (ECDSA) to the list of known hosts.
executing program
syzkaller login:
[ 51.397418] ==================================================================
[ 51.404806] BUG: KASAN: use-after-free in __lock_acquire+0x2eff/0x3640
[ 51.411444] Read of size 8 at addr ffff8801c956a338 by task syzkaller794661/3343
[ 51.418954]
[ 51.420552] CPU: 1 PID: 3343 Comm: syzkaller794661 Not tainted 4.9.76-g9154940 #20
[ 51.428225] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 51.437550] ffff8801c17a7870 ffffffff81d93149 ffffea0007255a80 ffff8801c956a338
[ 51.445512] 0000000000000000 ffff8801c956a338 ffff8801c956a338 ffff8801c17a78a8
[ 51.453481] ffffffff8153cb43 ffff8801c956a338 0000000000000008 0000000000000000
[ 51.461445] Call Trace:
[ 51.464011] [] dump_stack+0xc1/0x128
[ 51.469361] [] print_address_description+0x73/0x280
[ 51.475994] [] kasan_report+0x275/0x360
[ 51.481585] [] ? __lock_acquire+0x2eff/0x3640
[ 51.487711] [] __asan_report_load8_noabort+0x14/0x20
[ 51.494432] [] __lock_acquire+0x2eff/0x3640
[ 51.500370] [] ? __lock_acquire+0x629/0x3640
[ 51.506394] [] ? debug_check_no_locks_freed+0x2c0/0x2c0
[ 51.513374] [] ? debug_check_no_locks_freed+0x2c0/0x2c0
[ 51.520360] [] ? debug_check_no_locks_freed+0x2c0/0x2c0
[ 51.527356] [] ? mark_held_locks+0xaf/0x100
[ 51.533302] [] ? mutex_lock_nested+0x5e3/0x870
[ 51.539510] [] lock_acquire+0x12e/0x410
[ 51.545102] [] ? remove_wait_queue+0x14/0x40
[ 51.551127] [] _raw_spin_lock_irqsave+0x4e/0x70
[ 51.557412] [] ? remove_wait_queue+0x14/0x40
[ 51.563437] [] remove_wait_queue+0x14/0x40
[ 51.569300] [] ep_unregister_pollwait.isra.6+0xaf/0x240
[ 51.576282] [] ? ep_unregister_pollwait.isra.6+0x12a/0x240
[ 51.583524] [] ? ep_free+0x1b0/0x1b0
[ 51.588863] [] ep_free+0x96/0x1b0
[ 51.593933] [] ? ep_free+0x1b0/0x1b0
[ 51.599262] [] ep_eventpoll_release+0x44/0x60
[ 51.605375] [] __fput+0x28c/0x6e0
[ 51.610443] [] ____fput+0x15/0x20
[ 51.615518] [] task_work_run+0x115/0x190
[ 51.621198] [] do_exit+0x7e7/0x2a40
[ 51.626442] [] ? __pmd_alloc+0x410/0x410
[ 51.632134] [] ? release_task+0x1240/0x1240
[ 51.638075] [] ? __do_page_fault+0x5ec/0xd40
[ 51.644107] [] ? up_read+0x1a/0x40
[ 51.649261] [] ? __do_page_fault+0x3bd/0xd40
[ 51.655286] [] do_group_exit+0x108/0x320
[ 51.660962] [] ? do_group_exit+0x320/0x320
[ 51.666820] [] SyS_exit_group+0x1d/0x20
[ 51.672411] [] do_fast_syscall_32+0x2f7/0x890
[ 51.678522] [] ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 51.685157] [] entry_SYSENTER_compat+0x74/0x83
[ 51.691360]
[ 51.692961] Allocated by task 3343:
[ 51.696553] save_stack_trace+0x16/0x20
[ 51.700505] save_stack+0x43/0xd0
[ 51.703930] kasan_kmalloc+0xad/0xe0
[ 51.707613] kmem_cache_alloc_trace+0xfb/0x2a0
[ 51.712169] binder_get_thread+0x15d/0x750
[ 51.716375] binder_poll+0x4a/0x210
[ 51.719968] SyS_epoll_ctl+0x11d7/0x2190
[ 51.724001] do_fast_syscall_32+0x2f7/0x890
[ 51.728287] entry_SYSENTER_compat+0x74/0x83
[ 51.732671]
[ 51.734264] Freed by task 3343:
[ 51.737508] save_stack_trace+0x16/0x20
[ 51.741449] save_stack+0x43/0xd0
[ 51.744867] kasan_slab_free+0x72/0xc0
[ 51.748721] kfree+0x103/0x300
[ 51.751882] binder_thread_dec_tmpref+0x1cc/0x240
[ 51.756690] binder_thread_release+0x27d/0x540
[ 51.761238] binder_ioctl+0x9c0/0x11b0
[ 51.765092] compat_SyS_ioctl+0x15f/0x2050
[ 51.769312] do_fast_syscall_32+0x2f7/0x890
[ 51.773603] entry_SYSENTER_compat+0x74/0x83
[ 51.777975]
[ 51.779570] The buggy address belongs to the object at ffff8801c956a280
[ 51.779570]  which belongs to the cache kmalloc-512 of size 512
[ 51.792194] The buggy address is located 184 bytes inside of
[ 51.792194]  512-byte region [ffff8801c956a280, ffff8801c956a480)
[ 51.804032] The buggy address belongs to the page:
[ 51.808930] page:ffffea0007255a80 count:1 mapcount:0 mapping: (null) index:0x0 compound_mapcount: 0
[ 51.819085] flags: 0x8000000000004080(slab|head)
[ 51.823806] page dumped because: kasan: bad access detected
[ 51.829480]
[ 51.831070] Memory state around the buggy address:
[ 51.835966] ffff8801c956a200: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 51.843293] ffff8801c956a280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 51.850615] >ffff8801c956a300: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 51.857941] ^
[ 51.863139] ffff8801c956a380: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 51.870464] ffff8801c956a400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 51.877795] ==================================================================
[ 51.885122] Disabling lock debugging due to kernel taint
[ 51.890537] Kernel panic - not syncing: panic_on_warn set ...
[ 51.890537]
[ 51.897884] CPU: 1 PID: 3343 Comm: syzkaller794661 Tainted: G B 4.9.76-g9154940 #20
[ 51.906771] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 51.916106] ffff8801c17a77c8 ffffffff81d93149 ffffffff84195c17 ffff8801c17a78a0
[ 51.924098] 0000000000000000 ffff8801c956a338 ffff8801c956a338 ffff8801c17a7890
[ 51.932070] ffffffff8142e371 0000000041b58ab3 ffffffff84189678 ffffffff8142e1b5
[ 51.940030] Call Trace:
[ 51.942595] [] dump_stack+0xc1/0x128
[ 51.947940] [] panic+0x1bc/0x3a8
[ 51.952931] [] ? percpu_up_read_preempt_enable.constprop.53+0xd7/0xd7
[ 51.961140] [] ? add_taint+0x40/0x50
[ 51.966483] [] kasan_end_report+0x50/0x50
[ 51.972256] [] kasan_report+0x167/0x360
[ 51.977849] [] ? __lock_acquire+0x2eff/0x3640
[ 51.983961] [] __asan_report_load8_noabort+0x14/0x20
[ 51.990685] [] __lock_acquire+0x2eff/0x3640
[ 51.996637] [] ? __lock_acquire+0x629/0x3640
[ 52.002664] [] ? debug_check_no_locks_freed+0x2c0/0x2c0
[ 52.009645] [] ? debug_check_no_locks_freed+0x2c0/0x2c0
[ 52.016631] [] ? debug_check_no_locks_freed+0x2c0/0x2c0
[ 52.023614] [] ? mark_held_locks+0xaf/0x100
[ 52.029562] [] ? mutex_lock_nested+0x5e3/0x870
[ 52.035765] [] lock_acquire+0x12e/0x410
[ 52.041354] [] ? remove_wait_queue+0x14/0x40
[ 52.047377] [] _raw_spin_lock_irqsave+0x4e/0x70
[ 52.053663] [] ? remove_wait_queue+0x14/0x40
[ 52.059687] [] remove_wait_queue+0x14/0x40
[ 52.065550] [] ep_unregister_pollwait.isra.6+0xaf/0x240
[ 52.072529] [] ? ep_unregister_pollwait.isra.6+0x12a/0x240
[ 52.079770] [] ? ep_free+0x1b0/0x1b0
[ 52.085100] [] ep_free+0x96/0x1b0
[ 52.090167] [] ? ep_free+0x1b0/0x1b0
[ 52.095496] [] ep_eventpoll_release+0x44/0x60
[ 52.101604] [] __fput+0x28c/0x6e0
[ 52.106673] [] ____fput+0x15/0x20
[ 52.111740] [] task_work_run+0x115/0x190
[ 52.117418] [] do_exit+0x7e7/0x2a40
[ 52.122663] [] ? __pmd_alloc+0x410/0x410
[ 52.128339] [] ? release_task+0x1240/0x1240
[ 52.134280] [] ? __do_page_fault+0x5ec/0xd40
[ 52.140303] [] ? up_read+0x1a/0x40
[ 52.145462] [] ? __do_page_fault+0x3bd/0xd40
[ 52.151484] [] do_group_exit+0x108/0x320
[ 52.157161] [] ? do_group_exit+0x320/0x320
[ 52.163011] [] SyS_exit_group+0x1d/0x20
[ 52.168603] [] do_fast_syscall_32+0x2f7/0x890
[ 52.174715] [] ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 52.181347] [] entry_SYSENTER_compat+0x74/0x83
[ 52.187974] Dumping ftrace buffer:
[ 52.191484] (ftrace buffer empty)
[ 52.195160] Kernel Offset: disabled
[ 52.198752] Rebooting in 86400 seconds..