[....] Starting enhanced syslogd: rsyslogd
[ 10.725571] audit: type=1400 audit(1515014370.351:4): avc: denied { syslog } for pid=3201 comm="rsyslogd" capability=34 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=capability2 permissive=1
[ ok ] Starting enhanced syslogd: rsyslogd.
[ ok ] Starting periodic command scheduler: cron.
Starting mcstransd:
[ ok ] Starting file context maintaining daemon: restorecond.
[ ok ] Starting OpenBSD Secure Shell server: sshd.

Debian GNU/Linux 7 syzkaller ttyS0

Warning: Permanently added '10.128.0.36' (ECDSA) to the list of known hosts.
executing program
syzkaller login: [ 19.705399] audit: type=1400 audit(1515014379.331:5): avc: denied { block_suspend } for pid=3350 comm="syzkaller331124" capability=36 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=capability2 permissive=1
[ 19.709990] ==================================================================
[ 19.711032] BUG: KASAN: use-after-free in __lock_acquire+0x2eff/0x3640
[ 19.711906] Read of size 8 at addr ffff8801cd076ab8 by task syzkaller331124/3350
[ 19.712905]
[ 19.713135] CPU: 0 PID: 3350 Comm: syzkaller331124 Not tainted 4.9.74-g4406671 #3
[ 19.714129] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 19.715349]  ffff8801bd29f8e0 ffffffff81d91d19 ffffea0007341d80 ffff8801cd076ab8
[ 19.716494]  0000000000000000 ffff8801cd076ab8 ffff8801cd076ab8 ffff8801bd29f918
[ 19.717620]  ffffffff8153b503 ffff8801cd076ab8 0000000000000008 0000000000000000
[ 19.718748] Call Trace:
[ 19.719102]  [] dump_stack+0xc1/0x128
[ 19.719833]  [] print_address_description+0x73/0x280
[ 19.720707]  [] kasan_report+0x275/0x360
[ 19.721448]  [] ? __lock_acquire+0x2eff/0x3640
[ 19.722255]  [] __asan_report_load8_noabort+0x14/0x20
[ 19.723142]  [] __lock_acquire+0x2eff/0x3640
[ 19.723927]  [] ? __lock_acquire+0x629/0x3640
[ 19.724726]  [] ? debug_check_no_locks_freed+0x2c0/0x2c0
[ 19.726582]  [] ? debug_check_no_locks_freed+0x2c0/0x2c0
[ 19.733561]  [] ? debug_check_no_locks_freed+0x2c0/0x2c0
[ 19.740540]  [] ? mark_held_locks+0xaf/0x100
[ 19.746478]  [] ? mutex_lock_nested+0x5e3/0x870
[ 19.752675]  [] lock_acquire+0x12e/0x410
[ 19.758263]  [] ? remove_wait_queue+0x14/0x40
[ 19.764287]  [] _raw_spin_lock_irqsave+0x4e/0x70
[ 19.770570]  [] ? remove_wait_queue+0x14/0x40
[ 19.776593]  [] remove_wait_queue+0x14/0x40
[ 19.782439]  [] ep_unregister_pollwait.isra.6+0xaf/0x240
[ 19.789414]  [] ? ep_unregister_pollwait.isra.6+0x12a/0x240
[ 19.796652]  [] ? ep_free+0x1b0/0x1b0
[ 19.801980]  [] ep_free+0x96/0x1b0
[ 19.807045]  [] ? ep_free+0x1b0/0x1b0
[ 19.812370]  [] ep_eventpoll_release+0x44/0x60
[ 19.818476]  [] __fput+0x28c/0x6e0
[ 19.823542]  [] ____fput+0x15/0x20
[ 19.828606]  [] task_work_run+0x115/0x190
[ 19.834280]  [] do_exit+0x7e7/0x2a40
[ 19.839521]  [] ? selinux_file_ioctl+0x355/0x530
[ 19.845807]  [] ? release_task+0x1240/0x1240
[ 19.851740]  [] ? SyS_epoll_create+0x190/0x190
[ 19.857846]  [] ? entry_SYSCALL_64_fastpath+0x5/0xc6
[ 19.864472]  [] do_group_exit+0x108/0x320
[ 19.870147]  [] SyS_exit_group+0x1d/0x20
[ 19.875731]  [] entry_SYSCALL_64_fastpath+0x23/0xc6
[ 19.882268]
[ 19.883861] Allocated by task 3350:
[ 19.887453]  save_stack_trace+0x16/0x20
[ 19.891394]  save_stack+0x43/0xd0
[ 19.894814]  kasan_kmalloc+0xad/0xe0
[ 19.898489]  kmem_cache_alloc_trace+0xfb/0x2a0
[ 19.903037]  binder_get_thread+0x15d/0x750
[ 19.907233]  binder_poll+0x4a/0x210
[ 19.910824]  SyS_epoll_ctl+0x11d7/0x2190
[ 19.914848]  entry_SYSCALL_64_fastpath+0x23/0xc6
[ 19.919563]
[ 19.921159] Freed by task 3350:
[ 19.924399]  save_stack_trace+0x16/0x20
[ 19.928334]  save_stack+0x43/0xd0
[ 19.931747]  kasan_slab_free+0x72/0xc0
[ 19.935602]  kfree+0x103/0x300
[ 19.938761]  binder_thread_dec_tmpref+0x1cc/0x240
[ 19.943566]  binder_thread_release+0x27d/0x540
[ 19.948111]  binder_ioctl+0x9c0/0x11b0
[ 19.951961]  do_vfs_ioctl+0x1aa/0x1140
[ 19.955812]  SyS_ioctl+0x8f/0xc0
[ 19.959141]  entry_SYSCALL_64_fastpath+0x23/0xc6
[ 19.963856]
[ 19.965457] The buggy address belongs to the object at ffff8801cd076a00
[ 19.965457]  which belongs to the cache kmalloc-512 of size 512
[ 19.978075] The buggy address is located 184 bytes inside of
[ 19.978075]  512-byte region [ffff8801cd076a00, ffff8801cd076c00)
[ 19.989907] The buggy address belongs to the page:
[ 19.994798] page:ffffea0007341d80 count:1 mapcount:0 mapping: (null) index:0x0 compound_mapcount: 0
[ 20.004947] flags: 0x8000000000004080(slab|head)
[ 20.009665] page dumped because: kasan: bad access detected
[ 20.015340]
[ 20.016931] Memory state around the buggy address:
[ 20.021822]  ffff8801cd076980: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 20.029143]  ffff8801cd076a00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 20.036463] >ffff8801cd076a80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 20.043784]                                         ^
[ 20.048935]  ffff8801cd076b00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 20.056255]  ffff8801cd076b80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 20.063574] ==================================================================
[ 20.070899] Disabling lock debugging due to kernel taint
[ 20.076314] Kernel panic - not syncing: panic_on_warn set ...
[ 20.076314]
[ 20.083647] CPU: 0 PID: 3350 Comm: syzkaller331124 Tainted: G B 4.9.74-g4406671 #3
[ 20.092444] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 20.101763]  ffff8801bd29f838 ffffffff81d91d19 ffffffff8419562f ffff8801bd29f910
[ 20.109708]  0000000000000000 ffff8801cd076ab8 ffff8801cd076ab8 ffff8801bd29f900
[ 20.117650]  ffffffff8142d161 0000000041b58ab3 ffffffff84189070 ffffffff8142cfa5
[ 20.125609] Call Trace:
[ 20.128164]  [] dump_stack+0xc1/0x128
[ 20.133492]  [] panic+0x1bc/0x3a8
[ 20.138472]  [] ? percpu_up_read_preempt_enable.constprop.53+0xd7/0xd7
[ 20.146663]  [] ? add_taint+0x40/0x50
[ 20.151989]  [] kasan_end_report+0x50/0x50
[ 20.157748]  [] kasan_report+0x167/0x360
[ 20.163337]  [] ? __lock_acquire+0x2eff/0x3640
[ 20.169446]  [] __asan_report_load8_noabort+0x14/0x20
[ 20.176166]  [] __lock_acquire+0x2eff/0x3640
[ 20.182101]  [] ? __lock_acquire+0x629/0x3640
[ 20.188123]  [] ? debug_check_no_locks_freed+0x2c0/0x2c0
[ 20.195099]  [] ? debug_check_no_locks_freed+0x2c0/0x2c0
[ 20.202074]  [] ? debug_check_no_locks_freed+0x2c0/0x2c0
[ 20.209050]  [] ? mark_held_locks+0xaf/0x100
[ 20.214985]  [] ? mutex_lock_nested+0x5e3/0x870
[ 20.221184]  [] lock_acquire+0x12e/0x410
[ 20.226783]  [] ? remove_wait_queue+0x14/0x40
[ 20.232814]  [] _raw_spin_lock_irqsave+0x4e/0x70
[ 20.239099]  [] ? remove_wait_queue+0x14/0x40
[ 20.245117]  [] remove_wait_queue+0x14/0x40
[ 20.250967]  [] ep_unregister_pollwait.isra.6+0xaf/0x240
[ 20.257942]  [] ? ep_unregister_pollwait.isra.6+0x12a/0x240
[ 20.265179]  [] ? ep_free+0x1b0/0x1b0
[ 20.270514]  [] ep_free+0x96/0x1b0
[ 20.275586]  [] ? ep_free+0x1b0/0x1b0
[ 20.280916]  [] ep_eventpoll_release+0x44/0x60
[ 20.287025]  [] __fput+0x28c/0x6e0
[ 20.292092]  [] ____fput+0x15/0x20
[ 20.297157]  [] task_work_run+0x115/0x190
[ 20.302831]  [] do_exit+0x7e7/0x2a40
[ 20.308075]  [] ? selinux_file_ioctl+0x355/0x530
[ 20.314355]  [] ? release_task+0x1240/0x1240
[ 20.320291]  [] ? SyS_epoll_create+0x190/0x190
[ 20.326399]  [] ? entry_SYSCALL_64_fastpath+0x5/0xc6
[ 20.333025]  [] do_group_exit+0x108/0x320
[ 20.338699]  [] SyS_exit_group+0x1d/0x20
[ 20.344287]  [] entry_SYSCALL_64_fastpath+0x23/0xc6
[ 20.351232] Dumping ftrace buffer:
[ 20.354748]    (ftrace buffer empty)
[ 20.358428] Kernel Offset: disabled
[ 20.362019] Rebooting in 86400 seconds..