[....] Starting enhanced syslogd: rsyslogd[ 10.766528] audit: type=1400 audit(1513655024.126:4): avc: denied { syslog } for pid=3157 comm="rsyslogd" capability=34 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=capability2 permissive=1 [?25l[?1c7[1G[[32m ok [39;49m8[?25h[?0c. Starting mcstransd: [....] Starting periodic command scheduler: cron[?25l[?1c7[1G[[32m ok [39;49m8[?25h[?0c. [....] Starting file context maintaining daemon: restorecond[?25l[?1c7[1G[[32m ok [39;49m8[?25h[?0c. [....] Starting OpenBSD Secure Shell server: sshd[?25l[?1c7[1G[[32m ok [39;49m8[?25h[?0c. Debian GNU/Linux 7 syzkaller ttyS0 Warning: Permanently added 'ci-android-49-kasan-gce-4,10.128.15.234' (ECDSA) to the list of known hosts. executing program syzkaller login: [ 19.744337] ================================================================== [ 19.745481] BUG: KASAN: use-after-free in __lock_acquire+0x2eff/0x3640 at addr ffff8801c32b0fb8 [ 19.746711] Read of size 8 by task syzkaller036245/3308 [ 19.747485] CPU: 0 PID: 3308 Comm: syzkaller036245 Not tainted 4.9.70-g9542d2a #109 [ 19.748526] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 19.749835] ffff8801d5fc7890 ffffffff81d90a29 ffff8801da001280 ffff8801c32b0f00 [ 19.750994] ffff8801c32b1100 ffffed00386561f7 ffff8801c32b0fb8 ffff8801d5fc78b8 [ 19.752120] ffffffff8153a45c ffffed00386561f7 ffff8801da001280 0000000000000000 [ 19.753257] Call Trace: [ 19.753616] [] dump_stack+0xc1/0x128 [ 19.754326] [] kasan_object_err+0x1c/0x70 [ 19.755089] [] kasan_report.part.1+0x21c/0x500 [ 19.755919] [] ? __lock_acquire+0x2eff/0x3640 [ 19.756727] [] __asan_report_load8_noabort+0x29/0x30 [ 19.757627] [] __lock_acquire+0x2eff/0x3640 [ 19.758414] [] ? update_stack_state.constprop.5+0xca/0x150 [ 19.759385] [] ? __lock_acquire+0x629/0x3640 [ 19.760193] [] ? debug_check_no_locks_freed+0x2c0/0x2c0 [ 19.761112] [] ? debug_check_no_locks_freed+0x2c0/0x2c0 [ 19.762032] [] ? __lock_is_held+0xa1/0xf0 [ 19.762798] [] lock_acquire+0x12e/0x410 [ 19.763550] [] ? remove_wait_queue+0x14/0x40 [ 19.764348] [] _raw_spin_lock_irqsave+0x4e/0x70 [ 19.765177] [] ? remove_wait_queue+0x14/0x40 [ 19.771199] [] remove_wait_queue+0x14/0x40 [ 19.777048] [] ep_unregister_pollwait.isra.6+0xaf/0x240 [ 19.784027] [] ? ep_unregister_pollwait.isra.6+0x12a/0x240 [ 19.791267] [] ep_remove+0x41/0x290 [ 19.796514] [] eventpoll_release_file+0xc5/0x140 [ 19.802889] [] __fput+0x5a8/0x6e0 [ 19.807964] [] ____fput+0x15/0x20 [ 19.813035] [] task_work_run+0x115/0x190 [ 19.818714] [] do_exit+0x7e7/0x2a40 [ 19.823965] [] ? selinux_file_ioctl+0x355/0x530 [ 19.830850] [] ? release_task+0x1240/0x1240 [ 19.836798] [] ? SyS_epoll_create+0x190/0x190 [ 19.842918] [] ? entry_SYSCALL_64_fastpath+0x5/0xc6 [ 19.849548] [] do_group_exit+0x108/0x320 [ 19.855222] [] SyS_exit_group+0x1d/0x20 [ 19.860814] [] entry_SYSCALL_64_fastpath+0x23/0xc6 [ 19.867355] Object at ffff8801c32b0f00, in cache kmalloc-512 size: 512 [ 19.873981] Allocated: [ 19.876440] PID = 3308 [ 19.878903] save_stack_trace+0x16/0x20 [ 19.882842] save_stack+0x43/0xd0 [ 19.886263] kasan_kmalloc+0xad/0xe0 [ 19.889951] kmem_cache_alloc_trace+0xfb/0x2a0 [ 19.894499] binder_get_thread+0x15d/0x750 [ 19.898700] binder_poll+0x4a/0x210 [ 19.902292] SyS_epoll_ctl+0x11d7/0x2190 [ 19.906316] entry_SYSCALL_64_fastpath+0x23/0xc6 [ 19.911033] Freed: [ 19.913146] PID = 3308 [ 19.915607] save_stack_trace+0x16/0x20 [ 19.919543] save_stack+0x43/0xd0 [ 19.922959] kasan_slab_free+0x73/0xc0 [ 19.926808] kfree+0xf0/0x2f0 [ 19.929879] binder_thread_dec_tmpref+0x1cc/0x240 [ 19.934684] binder_thread_release+0x27d/0x540 [ 19.939236] binder_ioctl+0x9c0/0x11b0 [ 19.943087] do_vfs_ioctl+0x1aa/0x1140 [ 19.946937] SyS_ioctl+0x8f/0xc0 [ 19.950272] entry_SYSCALL_64_fastpath+0x23/0xc6 [ 19.954990] Memory state around the buggy address: [ 19.959884] ffff8801c32b0e80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 19.967207] ffff8801c32b0f00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 19.974529] >ffff8801c32b0f80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 19.981855] ^ [ 19.987006] ffff8801c32b1000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 19.994329] ffff8801c32b1080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 20.001649] ================================================================== [ 20.008975] Disabling lock debugging due to kernel taint [ 20.014404] ================================================================== [ 20.021729] BUG: KASAN: use-after-free in __lock_acquire+0x2c56/0x3640 at addr ffff8801c32b0fc0 [ 20.030526] Read of size 8 by task syzkaller036245/3308 [ 20.035857] CPU: 0 PID: 3308 Comm: syzkaller036245 Tainted: G B 4.9.70-g9542d2a #109 [ 20.044829] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 20.054149] ffff8801d5fc7890 ffffffff81d90a29 ffff8801da001280 ffff8801c32b0f00 [ 20.062091] ffff8801c32b1100 ffffed00386561f8 ffff8801c32b0fc0 ffff8801d5fc78b8 [ 20.070042] ffffffff8153a45c ffffed00386561f8 ffff8801da001280 0000000000000000 [ 20.078001] Call Trace: [ 20.080553] [] dump_stack+0xc1/0x128 [ 20.085883] [] kasan_object_err+0x1c/0x70 [ 20.091643] [] kasan_report.part.1+0x21c/0x500 [ 20.097839] [] ? __lock_acquire+0x2c56/0x3640 [ 20.103948] [] __asan_report_load8_noabort+0x29/0x30 [ 20.110666] [] __lock_acquire+0x2c56/0x3640 [ 20.116599] [] ? update_stack_state.constprop.5+0xca/0x150 [ 20.123837] [] ? __lock_acquire+0x629/0x3640 [ 20.129861] [] ? debug_check_no_locks_freed+0x2c0/0x2c0 [ 20.136837] [] ? debug_check_no_locks_freed+0x2c0/0x2c0 [ 20.143818] [] ? __lock_is_held+0xa1/0xf0 [ 20.149581] [] lock_acquire+0x12e/0x410 [ 20.155169] [] ? remove_wait_queue+0x14/0x40 [ 20.161195] [] _raw_spin_lock_irqsave+0x4e/0x70 [ 20.167485] [] ? remove_wait_queue+0x14/0x40 [ 20.173509] [] remove_wait_queue+0x14/0x40 [ 20.179358] [] ep_unregister_pollwait.isra.6+0xaf/0x240 [ 20.186335] [] ? ep_unregister_pollwait.isra.6+0x12a/0x240 [ 20.193578] [] ep_remove+0x41/0x290 [ 20.198819] [] eventpoll_release_file+0xc5/0x140 [ 20.205188] [] __fput+0x5a8/0x6e0 [ 20.210268] [] ____fput+0x15/0x20 [ 20.215337] [] task_work_run+0x115/0x190 [ 20.221015] [] do_exit+0x7e7/0x2a40 [ 20.226271] [] ? selinux_file_ioctl+0x355/0x530 [ 20.232557] [] ? release_task+0x1240/0x1240 [ 20.238491] [] ? SyS_epoll_create+0x190/0x190 [ 20.244606] [] ? entry_SYSCALL_64_fastpath+0x5/0xc6 [ 20.251235] [] do_group_exit+0x108/0x320 [ 20.256910] [] SyS_exit_group+0x1d/0x20 [ 20.262500] [] entry_SYSCALL_64_fastpath+0x23/0xc6 [ 20.269046] Object at ffff8801c32b0f00, in cache kmalloc-512 size: 512 [ 20.275675] Allocated: [ 20.278136] PID = 3308 [ 20.280598] save_stack_trace+0x16/0x20 [ 20.284536] save_stack+0x43/0xd0 [ 20.287960] kasan_kmalloc+0xad/0xe0 [ 20.291638] kmem_cache_alloc_trace+0xfb/0x2a0 [ 20.296187] binder_get_thread+0x15d/0x750 [ 20.300385] binder_poll+0x4a/0x210 [ 20.303985] SyS_epoll_ctl+0x11d7/0x2190 [ 20.308020] entry_SYSCALL_64_fastpath+0x23/0xc6 [ 20.312737] Freed: [ 20.314851] PID = 3308 [ 20.317314] save_stack_trace+0x16/0x20 [ 20.321257] save_stack+0x43/0xd0 [ 20.324678] kasan_slab_free+0x73/0xc0 [ 20.328529] kfree+0xf0/0x2f0 [ 20.331602] binder_thread_dec_tmpref+0x1cc/0x240 [ 20.336409] binder_thread_release+0x27d/0x540 [ 20.340952] binder_ioctl+0x9c0/0x11b0 [ 20.344803] do_vfs_ioctl+0x1aa/0x1140 [ 20.348652] SyS_ioctl+0x8f/0xc0 [ 20.351982] entry_SYSCALL_64_fastpath+0x23/0xc6 [ 20.356697] Memory state around the buggy address: [ 20.361599] ffff8801c32b0e80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 20.368922] ffff8801c32b0f00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 20.376258] >ffff8801c32b0f80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 20.383669] ^ [ 20.389085] ffff8801c32b1000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 20.396422] ffff8801c32b1080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 20.403743] ================================================================== [ 20.411066] ================================================================== [ 20.418393] BUG: KASAN: use-after-free in do_raw_spin_lock+0x1ac/0x1e0 at addr ffff8801c32b0fa4 [ 20.427194] Read of size 4 by task syzkaller036245/3308 [ 20.432530] CPU: 0 PID: 3308 Comm: syzkaller036245 Tainted: G B 4.9.70-g9542d2a #109 [ 20.441502] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 20.450823] ffff8801d5fc7aa0 ffffffff81d90a29 ffff8801da001280 ffff8801c32b0f00 [ 20.458780] ffff8801c32b1100 ffffed00386561f4 ffff8801c32b0fa4 ffff8801d5fc7ac8 [ 20.466732] ffffffff8153a45c ffffed00386561f4 ffff8801da001280 0000000000000000 [ 20.474684] Call Trace: [ 20.477240] [] dump_stack+0xc1/0x128 [ 20.482574] [] kasan_object_err+0x1c/0x70 [ 20.488333] [] kasan_report.part.1+0x21c/0x500 [ 20.494535] [] ? do_raw_spin_lock+0x1ac/0x1e0 [ 20.500649] [] __asan_report_load4_noabort+0x29/0x30 [ 20.507364] [] do_raw_spin_lock+0x1ac/0x1e0 [ 20.513307] [] _raw_spin_lock_irqsave+0x56/0x70 [ 20.519588] [] ? remove_wait_queue+0x14/0x40 [ 20.525609] [] remove_wait_queue+0x14/0x40 [ 20.531457] [] ep_unregister_pollwait.isra.6+0xaf/0x240 [ 20.538433] [] ? ep_unregister_pollwait.isra.6+0x12a/0x240 [ 20.545680] [] ep_remove+0x41/0x290 [ 20.550921] [] eventpoll_release_file+0xc5/0x140 [ 20.557296] [] __fput+0x5a8/0x6e0 [ 20.562363] [] ____fput+0x15/0x20 [ 20.567429] [] task_work_run+0x115/0x190 [ 20.573103] [] do_exit+0x7e7/0x2a40 [ 20.578346] [] ? selinux_file_ioctl+0x355/0x530 [ 20.584629] [] ? release_task+0x1240/0x1240 [ 20.590568] [] ? SyS_epoll_create+0x190/0x190 [ 20.596687] [] ? entry_SYSCALL_64_fastpath+0x5/0xc6 [ 20.603323] [] do_group_exit+0x108/0x320 [ 20.609000] [] SyS_exit_group+0x1d/0x20 [ 20.614589] [] entry_SYSCALL_64_fastpath+0x23/0xc6 [ 20.621134] Object at ffff8801c32b0f00, in cache kmalloc-512 size: 512 [ 20.627764] Allocated: [ 20.630225] PID = 3308 [ 20.632693] save_stack_trace+0x16/0x20 [ 20.636630] save_stack+0x43/0xd0 [ 20.640045] kasan_kmalloc+0xad/0xe0 [ 20.643722] kmem_cache_alloc_trace+0xfb/0x2a0 [ 20.648267] binder_get_thread+0x15d/0x750 [ 20.652465] binder_poll+0x4a/0x210 [ 20.656062] SyS_epoll_ctl+0x11d7/0x2190 [ 20.660089] entry_SYSCALL_64_fastpath+0x23/0xc6 [ 20.664805] Freed: [ 20.666917] PID = 3308 [ 20.669379] save_stack_trace+0x16/0x20 [ 20.673320] save_stack+0x43/0xd0 [ 20.676734] kasan_slab_free+0x73/0xc0 [ 20.680583] kfree+0xf0/0x2f0 [ 20.683651] binder_thread_dec_tmpref+0x1cc/0x240 [ 20.688458] binder_thread_release+0x27d/0x540 [ 20.693010] binder_ioctl+0x9c0/0x11b0 [ 20.696859] do_vfs_ioctl+0x1aa/0x1140 [ 20.700709] SyS_ioctl+0x8f/0xc0 [ 20.704038] entry_SYSCALL_64_fastpath+0x23/0xc6 [ 20.708759] Memory state around the buggy address: [ 20.713655] ffff8801c32b0e80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 20.720980] ffff8801c32b0f00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 20.728305] >ffff8801c32b0f80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 20.735633] ^ [ 20.740005] ffff8801c32b1000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 20.747334] ffff8801c32b1080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 20.754661] ================================================================== [ 20.761984] ================================================================== [ 20.769310] BUG: KASAN: use-after-free in do_raw_spin_lock+0x1d3/0x1e0 at addr ffff8801c32b0fb0 [ 20.778107] Read of size 8 by task syzkaller036245/3308 [ 20.783438] CPU: 0 PID: 3308 Comm: syzkaller036245 Tainted: G B 4.9.70-g9542d2a #109 [ 20.792410] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 20.801729] ffff8801d5fc7aa0 ffffffff81d90a29 ffff8801da001280 ffff8801c32b0f00 [ 20.809677] ffff8801c32b1100 ffffed00386561f6 ffff8801c32b0fb0 ffff8801d5fc7ac8 [ 20.817627] ffffffff8153a45c ffffed00386561f6 ffff8801da001280 0000000000000000 [ 20.825573] Call Trace: [ 20.828126] [] dump_stack+0xc1/0x128 [ 20.833455] [] kasan_object_err+0x1c/0x70 [ 20.839216] [] kasan_report.part.1+0x21c/0x500 [ 20.845411] [] ? do_raw_spin_lock+0x1d3/0x1e0 [ 20.851520] [] __asan_report_load8_noabort+0x29/0x30 [ 20.858250] [] do_raw_spin_lock+0x1d3/0x1e0 [ 20.864189] [] _raw_spin_lock_irqsave+0x56/0x70 [ 20.870486] [] ? remove_wait_queue+0x14/0x40 [ 20.876511] [] remove_wait_queue+0x14/0x40 [ 20.882362] [] ep_unregister_pollwait.isra.6+0xaf/0x240 [ 20.889340] [] ? ep_unregister_pollwait.isra.6+0x12a/0x240 [ 20.896576] [] ep_remove+0x41/0x290 [ 20.901817] [] eventpoll_release_file+0xc5/0x140 [ 20.908188] [] __fput+0x5a8/0x6e0 [ 20.913254] [] ____fput+0x15/0x20 [ 20.918323] [] task_work_run+0x115/0x190 [ 20.924001] [] do_exit+0x7e7/0x2a40 [ 20.929248] [] ? selinux_file_ioctl+0x355/0x530 [ 20.935528] [] ? release_task+0x1240/0x1240 [ 20.941464] [] ? SyS_epoll_create+0x190/0x190 [ 20.947576] [] ? entry_SYSCALL_64_fastpath+0x5/0xc6 [ 20.954209] [] do_group_exit+0x108/0x320 [ 20.959883] [] SyS_exit_group+0x1d/0x20 [ 20.965471] [] entry_SYSCALL_64_fastpath+0x23/0xc6 [ 20.972021] Object at ffff8801c32b0f00, in cache kmalloc-512 size: 512 [ 20.978652] Allocated: [ 20.981113] PID = 3308 [ 20.983577] save_stack_trace+0x16/0x20 [ 20.987515] save_stack+0x43/0xd0 [ 20.990931] kasan_kmalloc+0xad/0xe0 [ 20.994607] kmem_cache_alloc_trace+0xfb/0x2a0 [ 20.999154] binder_get_thread+0x15d/0x750 [ 21.003352] binder_poll+0x4a/0x210 [ 21.006950] SyS_epoll_ctl+0x11d7/0x2190 [ 21.010976] entry_SYSCALL_64_fastpath+0x23/0xc6 [ 21.015691] Freed: [ 21.017804] PID = 3308 [ 21.020266] save_stack_trace+0x16/0x20 [ 21.024203] save_stack+0x43/0xd0 [ 21.027617] kasan_slab_free+0x73/0xc0 [ 21.031469] kfree+0xf0/0x2f0 [ 21.034539] binder_thread_dec_tmpref+0x1cc/0x240 [ 21.039344] binder_thread_release+0x27d/0x540 [ 21.043889] binder_ioctl+0x9c0/0x11b0 [ 21.047740] do_vfs_ioctl+0x1aa/0x1140 [ 21.051591] SyS_ioctl+0x8f/0xc0 [ 21.054922] entry_SYSCALL_64_fastpath+0x23/0xc6 [ 21.059643] Memory state around the buggy address: [ 21.064535] ffff8801c32b0e80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 21.071858] ffff8801c32b0f00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 21.079180] >ffff8801c32b0f80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 21.086501] ^ [ 21.091393] ffff8801c32b1000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 21.098716] ffff8801c32b1080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 21.106038] ================================================================== [ 21.113361] ================================================================== [ 21.120688] BUG: KASAN: use-after-free in do_raw_spin_lock+0x1a2/0x1e0 at addr ffff8801c32b0fa8 [ 21.129485] Read of size 4 by task syzkaller036245/3308 [ 21.134814] CPU: 0 PID: 3308 Comm: syzkaller036245 Tainted: G B 4.9.70-g9542d2a #109 [ 21.143786] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 21.153106] ffff8801d5fc7aa0 ffffffff81d90a29 ffff8801da001280 ffff8801c32b0f00 [ 21.161065] ffff8801c32b1100 ffffed00386561f5 ffff8801c32b0fa8 ffff8801d5fc7ac8 [ 21.169012] ffffffff8153a45c ffffed00386561f5 ffff8801da001280 0000000000000000 [ 21.176963] Call Trace: [ 21.179516] [] dump_stack+0xc1/0x128 [ 21.184851] [] kasan_object_err+0x1c/0x70 [ 21.190618] [] kasan_report.part.1+0x21c/0x500 [ 21.196814] [] ? do_raw_spin_lock+0x1a2/0x1e0 [ 21.202939] [] __asan_report_load4_noabort+0x29/0x30 [ 21.209663] [] do_raw_spin_lock+0x1a2/0x1e0 [ 21.215606] [] _raw_spin_lock_irqsave+0x56/0x70 [ 21.221896] [] ? remove_wait_queue+0x14/0x40 [ 21.227915] [] remove_wait_queue+0x14/0x40 [ 21.233773] [] ep_unregister_pollwait.isra.6+0xaf/0x240 [ 21.240755] [] ? ep_unregister_pollwait.isra.6+0x12a/0x240 [ 21.247992] [