[ ok ] Starting enhanced syslogd: rsyslogd.
[   10.360364] audit: type=1400 audit(1514382732.114:4): avc:  denied  { syslog } for  pid=3163 comm="rsyslogd" capability=34  scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=capability2 permissive=1
[ ok ] Starting periodic command scheduler: cron.
Starting mcstransd:
[ ok ] Starting file context maintaining daemon: restorecond.
[ ok ] Starting OpenBSD Secure Shell server: sshd.

Debian GNU/Linux 7 syzkaller ttyS0

Warning: Permanently added '10.128.0.21' (ECDSA) to the list of known hosts.
executing program
syzkaller login:
[   19.034113] ==================================================================
[   19.035777] BUG: KASAN: use-after-free in __lock_acquire+0x2eff/0x3640
[   19.037446] Read of size 8 at addr ffff8801cbe72d38 by task syzkaller647976/3317
[   19.038511]
[   19.038749] CPU: 0 PID: 3317 Comm: syzkaller647976 Not tainted 4.9.72-gcb7518e #114
[   19.039784] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   19.041011]  ffff8801bfd7f8e0 ffffffff81d922b9 ffffea00072f9c80 ffff8801cbe72d38
[   19.042138]  0000000000000000 ffff8801cbe72d38 ffff8801cbe72d38 ffff8801bfd7f918
[   19.043286]  ffffffff8153bab3 ffff8801cbe72d38 0000000000000008 0000000000000000
[   19.044416] Call Trace:
[   19.044782]  [] dump_stack+0xc1/0x128
[   19.045510]  [] print_address_description+0x73/0x280
[   19.046402]  [] kasan_report+0x275/0x360
[   19.047155]  [] ? __lock_acquire+0x2eff/0x3640
[   19.047975]  [] __asan_report_load8_noabort+0x14/0x20
[   19.048860]  [] __lock_acquire+0x2eff/0x3640
[   19.049658]  [] ? __lock_acquire+0x629/0x3640
[   19.050455]  [] ? debug_check_no_locks_freed+0x2c0/0x2c0
[   19.051374]  [] ? debug_check_no_locks_freed+0x2c0/0x2c0
[   19.052357]  [] ? debug_check_no_locks_freed+0x2c0/0x2c0
[   19.053277]  [] ? mark_held_locks+0xaf/0x100
[   19.054110]  [] ? mutex_lock_nested+0x5e3/0x870
[   19.058735]  [] lock_acquire+0x12e/0x410
[   19.064323]  [] ? remove_wait_queue+0x14/0x40
[   19.070354]  [] _raw_spin_lock_irqsave+0x4e/0x70
[   19.076642]  [] ? remove_wait_queue+0x14/0x40
[   19.082665]  [] remove_wait_queue+0x14/0x40
[   19.088515]  [] ep_unregister_pollwait.isra.6+0xaf/0x240
[   19.095494]  [] ? ep_unregister_pollwait.isra.6+0x12a/0x240
[   19.102732]  [] ? ep_free+0x1b0/0x1b0
[   19.108060]  [] ep_free+0x96/0x1b0
[   19.113127]  [] ? ep_free+0x1b0/0x1b0
[   19.118478]  [] ep_eventpoll_release+0x44/0x60
[   19.124611]  [] __fput+0x28c/0x6e0
[   19.129680]  [] ____fput+0x15/0x20
[   19.134748]  [] task_work_run+0x115/0x190
[   19.140424]  [] do_exit+0x7e7/0x2a40
[   19.145669]  [] ? selinux_file_ioctl+0x355/0x530
[   19.151959]  [] ? release_task+0x1240/0x1240
[   19.157902]  [] ? SyS_epoll_create+0x190/0x190
[   19.164030]  [] ? fd_install+0x4d/0x60
[   19.169450]  [] ? entry_SYSCALL_64_fastpath+0x5/0xc6
[   19.176096]  [] do_group_exit+0x108/0x320
[   19.181779]  [] SyS_exit_group+0x1d/0x20
[   19.187366]  [] entry_SYSCALL_64_fastpath+0x23/0xc6
[   19.193906]
[   19.195508] Allocated by task 3317:
[   19.199101]  save_stack_trace+0x16/0x20
[   19.203046]  save_stack+0x43/0xd0
[   19.206463]  kasan_kmalloc+0xad/0xe0
[   19.210148]  kmem_cache_alloc_trace+0xfb/0x2a0
[   19.214707]  binder_get_thread+0x15d/0x750
[   19.218904]  binder_poll+0x4a/0x210
[   19.222496]  SyS_epoll_ctl+0x11d7/0x2190
[   19.226520]  entry_SYSCALL_64_fastpath+0x23/0xc6
[   19.231235]
[   19.232836] Freed by task 3317:
[   19.236086]  save_stack_trace+0x16/0x20
[   19.240026]  save_stack+0x43/0xd0
[   19.243443]  kasan_slab_free+0x72/0xc0
[   19.247294]  kfree+0x103/0x300
[   19.250460]  binder_thread_dec_tmpref+0x1cc/0x240
[   19.255269]  binder_thread_release+0x27d/0x540
[   19.259814]  binder_ioctl+0x9c0/0x11b0
[   19.263666]  do_vfs_ioctl+0x1aa/0x1140
[   19.267515]  SyS_ioctl+0x8f/0xc0
[   19.270844]  entry_SYSCALL_64_fastpath+0x23/0xc6
[   19.275560]
[   19.277152] The buggy address belongs to the object at ffff8801cbe72c80
[   19.277152]  which belongs to the cache kmalloc-512 of size 512
[   19.289769] The buggy address is located 184 bytes inside of
[   19.289769]  512-byte region [ffff8801cbe72c80, ffff8801cbe72e80)
[   19.301606] The buggy address belongs to the page:
[   19.306508] page:ffffea00072f9c80 count:1 mapcount:0 mapping:          (null) index:0x0 compound_mapcount: 0
[   19.316663] flags: 0x8000000000004080(slab|head)
[   19.321378] page dumped because: kasan: bad access detected
[   19.327059]
[   19.328648] Memory state around the buggy address:
[   19.333539]  ffff8801cbe72c00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   19.340861]  ffff8801cbe72c80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   19.348183] >ffff8801cbe72d00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   19.355505]                                         ^
[   19.360656]  ffff8801cbe72d80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   19.367980]  ffff8801cbe72e00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   19.375299] ==================================================================
[   19.382621] Disabling lock debugging due to kernel taint
[   19.388032] Kernel panic - not syncing: panic_on_warn set ...
[   19.388032]
[   19.395358] CPU: 0 PID: 3317 Comm: syzkaller647976 Tainted: G    B           4.9.72-gcb7518e #114
[   19.404329] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   19.413649]  ffff8801bfd7f838 ffffffff81d922b9 ffffffff841955bf ffff8801bfd7f910
[   19.421622]  0000000000000000 ffff8801cbe72d38 ffff8801cbe72d38 ffff8801bfd7f900
[   19.429580]  ffffffff8142d741 0000000041b58ab3 ffffffff84189000 ffffffff8142d585
[   19.437527] Call Trace:
[   19.440084]  [] dump_stack+0xc1/0x128
[   19.445428]  [] panic+0x1bc/0x3a8
[   19.450409]  [] ? percpu_up_read_preempt_enable.constprop.53+0xd7/0xd7
[   19.458603]  [] ? add_taint+0x40/0x50
[   19.463932]  [] kasan_end_report+0x50/0x50
[   19.469701]  [] kasan_report+0x167/0x360
[   19.475290]  [] ? __lock_acquire+0x2eff/0x3640
[   19.481399]  [] __asan_report_load8_noabort+0x14/0x20
[   19.488117]  [] __lock_acquire+0x2eff/0x3640
[   19.494061]  [] ? __lock_acquire+0x629/0x3640
[   19.500084]  [] ? debug_check_no_locks_freed+0x2c0/0x2c0
[   19.507063]  [] ? debug_check_no_locks_freed+0x2c0/0x2c0
[   19.514041]  [] ? debug_check_no_locks_freed+0x2c0/0x2c0
[   19.521108]  [] ? mark_held_locks+0xaf/0x100
[   19.527043]  [] ? mutex_lock_nested+0x5e3/0x870
[   19.533244]  [] lock_acquire+0x12e/0x410
[   19.538830]  [] ? remove_wait_queue+0x14/0x40
[   19.544860]  [] _raw_spin_lock_irqsave+0x4e/0x70
[   19.551148]  [] ? remove_wait_queue+0x14/0x40
[   19.557171]  [] remove_wait_queue+0x14/0x40
[   19.563021]  [] ep_unregister_pollwait.isra.6+0xaf/0x240
[   19.569996]  [] ? ep_unregister_pollwait.isra.6+0x12a/0x240
[   19.577232]  [] ? ep_free+0x1b0/0x1b0
[   19.582566]  [] ep_free+0x96/0x1b0
[   19.587632]  [] ? ep_free+0x1b0/0x1b0
[   19.592961]  [] ep_eventpoll_release+0x44/0x60
[   19.599070]  [] __fput+0x28c/0x6e0
[   19.604500]  [] ____fput+0x15/0x20
[   19.609565]  [] task_work_run+0x115/0x190
[   19.615240]  [] do_exit+0x7e7/0x2a40
[   19.620483]  [] ? selinux_file_ioctl+0x355/0x530
[   19.626782]  [] ? release_task+0x1240/0x1240
[   19.632719]  [] ? SyS_epoll_create+0x190/0x190
[   19.638837]  [] ? fd_install+0x4d/0x60
[   19.644250]  [] ? entry_SYSCALL_64_fastpath+0x5/0xc6
[   19.650879]  [] do_group_exit+0x108/0x320
[   19.656553]  [] SyS_exit_group+0x1d/0x20
[   19.662139]  [] entry_SYSCALL_64_fastpath+0x23/0xc6
[   19.669108] Dumping ftrace buffer:
[   19.672612]    (ftrace buffer empty)
[   19.676285] Kernel Offset: disabled
[   19.679875] Rebooting in 86400 seconds..