[....] Starting enhanced syslogd: rsyslogd
[ 11.370404] audit: type=1400 audit(1516137063.491:4): avc: denied { syslog } for pid=3168 comm="rsyslogd" capability=34 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=capability2 permissive=1
[ ok ] Starting enhanced syslogd: rsyslogd.
[ ok ] Starting periodic command scheduler: cron.
Starting mcstransd:
[ ok ] Starting file context maintaining daemon: restorecond.
[ ok ] Starting OpenBSD Secure Shell server: sshd.

Debian GNU/Linux 7 syzkaller ttyS0

Warning: Permanently added '10.128.15.199' (ECDSA) to the list of known hosts.
executing program
syzkaller login: [ 29.381248] ==================================================================
[ 29.388635] BUG: KASAN: use-after-free in __lock_acquire+0x2eff/0x3640
[ 29.395268] Read of size 8 at addr ffff8801c9d9c5b8 by task syzkaller254803/3326
[ 29.402764]
[ 29.404384] CPU: 0 PID: 3326 Comm: syzkaller254803 Not tainted 4.9.76-g8dec074 #13
[ 29.412062] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 29.421405]  ffff8801c8c578c0 ffffffff81d93169 ffffea0007276700 ffff8801c9d9c5b8
[ 29.429356]  0000000000000000 ffff8801c9d9c5b8 ffff8801c9d9c5b8 ffff8801c8c578f8
[ 29.437307]  ffffffff8153cb43 ffff8801c9d9c5b8 0000000000000008 0000000000000000
[ 29.445259] Call Trace:
[ 29.447815]  [] dump_stack+0xc1/0x128
[ 29.453148]  [] print_address_description+0x73/0x280
[ 29.459779]  [] kasan_report+0x275/0x360
[ 29.465366]  [] ? __lock_acquire+0x2eff/0x3640
[ 29.471477]  [] __asan_report_load8_noabort+0x14/0x20
[ 29.478199]  [] __lock_acquire+0x2eff/0x3640
[ 29.484136]  [] ? __lock_acquire+0x629/0x3640
[ 29.490166]  [] ? debug_check_no_locks_freed+0x2c0/0x2c0
[ 29.497144]  [] ? debug_check_no_locks_freed+0x2c0/0x2c0
[ 29.504121]  [] ? __lock_is_held+0xa1/0xf0
[ 29.509885]  [] lock_acquire+0x12e/0x410
[ 29.515479]  [] ? remove_wait_queue+0x14/0x40
[ 29.521502]  [] _raw_spin_lock_irqsave+0x4e/0x70
[ 29.527793]  [] ? remove_wait_queue+0x14/0x40
[ 29.533814]  [] remove_wait_queue+0x14/0x40
[ 29.539664]  [] ep_unregister_pollwait.isra.6+0xaf/0x240
[ 29.546642]  [] ? ep_unregister_pollwait.isra.6+0x12a/0x240
[ 29.553882]  [] ep_remove+0x41/0x290
[ 29.559124]  [] eventpoll_release_file+0xc5/0x140
[ 29.565496]  [] __fput+0x5a8/0x6e0
[ 29.570563]  [] ____fput+0x15/0x20
[ 29.575630]  [] task_work_run+0x115/0x190
[ 29.581312]  [] do_exit+0x7e7/0x2a40
[ 29.586554]  [] ? selinux_file_ioctl+0x355/0x530
[ 29.592837]  [] ? release_task+0x1240/0x1240
[ 29.598782]  [] ? SyS_epoll_create+0x190/0x190
[ 29.604901]  [] ? entry_SYSCALL_64_fastpath+0x5/0xe2
[ 29.611539]  [] do_group_exit+0x108/0x320
[ 29.617220]  [] SyS_exit_group+0x1d/0x20
[ 29.622813]  [] entry_SYSCALL_64_fastpath+0x23/0xe2
[ 29.629354]
[ 29.630948] Allocated by task 3326:
[ 29.634541]  save_stack_trace+0x16/0x20
[ 29.638479]  save_stack+0x43/0xd0
[ 29.641895]  kasan_kmalloc+0xad/0xe0
[ 29.645574]  kmem_cache_alloc_trace+0xfb/0x2a0
[ 29.650120]  binder_get_thread+0x15d/0x750
[ 29.654323]  binder_poll+0x4a/0x210
[ 29.657921]  SyS_epoll_ctl+0x11d7/0x2190
[ 29.661946]  entry_SYSCALL_64_fastpath+0x23/0xe2
[ 29.666660]
[ 29.668253] Freed by task 3326:
[ 29.671495]  save_stack_trace+0x16/0x20
[ 29.675431]  save_stack+0x43/0xd0
[ 29.678848]  kasan_slab_free+0x72/0xc0
[ 29.682699]  kfree+0x103/0x300
[ 29.685855]  binder_thread_dec_tmpref+0x1cc/0x240
[ 29.690659]  binder_thread_release+0x27d/0x540
[ 29.695203]  binder_ioctl+0x9c0/0x11b0
[ 29.699054]  do_vfs_ioctl+0x1aa/0x1140
[ 29.702905]  SyS_ioctl+0x8f/0xc0
[ 29.706236]  entry_SYSCALL_64_fastpath+0x23/0xe2
[ 29.710955]
[ 29.712548] The buggy address belongs to the object at ffff8801c9d9c500
[ 29.712548]  which belongs to the cache kmalloc-512 of size 512
[ 29.725167] The buggy address is located 184 bytes inside of
[ 29.725167]  512-byte region [ffff8801c9d9c500, ffff8801c9d9c700)
[ 29.737005] The buggy address belongs to the page:
[ 29.741904] page:ffffea0007276700 count:1 mapcount:0 mapping: (null) index:0x0 compound_mapcount: 0
[ 29.752062] flags: 0x8000000000004080(slab|head)
[ 29.756779] page dumped because: kasan: bad access detected
[ 29.762451]
[ 29.764042] Memory state around the buggy address:
[ 29.768939]  ffff8801c9d9c480: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 29.776261]  ffff8801c9d9c500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 29.783581] >ffff8801c9d9c580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 29.790912]                                         ^
[ 29.796065]  ffff8801c9d9c600: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 29.803387]  ffff8801c9d9c680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 29.810716] ==================================================================
[ 29.818037] Disabling lock debugging due to kernel taint
[ 29.823449] Kernel panic - not syncing: panic_on_warn set ...
[ 29.823449]
[ 29.830776] CPU: 0 PID: 3326 Comm: syzkaller254803 Tainted: G    B   4.9.76-g8dec074 #13
[ 29.839661] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 29.848984]  ffff8801c8c57818 ffffffff81d93169 ffffffff84195c2f ffff8801c8c578f0
[ 29.856953]  0000000000000000 ffff8801c9d9c5b8 ffff8801c9d9c5b8 ffff8801c8c578e0
[ 29.864905]  ffffffff8142e371 0000000041b58ab3 ffffffff84189690 ffffffff8142e1b5
[ 29.872853] Call Trace:
[ 29.875410]  [] dump_stack+0xc1/0x128
[ 29.880739]  [] panic+0x1bc/0x3a8
[ 29.885723]  [] ? percpu_up_read_preempt_enable.constprop.53+0xd7/0xd7
[ 29.893921]  [] ? add_taint+0x40/0x50
[ 29.899248]  [] kasan_end_report+0x50/0x50
[ 29.905012]  [] kasan_report+0x167/0x360
[ 29.910605]  [] ? __lock_acquire+0x2eff/0x3640
[ 29.916714]  [] __asan_report_load8_noabort+0x14/0x20
[ 29.923433]  [] __lock_acquire+0x2eff/0x3640
[ 29.929377]  [] ? __lock_acquire+0x629/0x3640
[ 29.935400]  [] ? debug_check_no_locks_freed+0x2c0/0x2c0
[ 29.942380]  [] ? debug_check_no_locks_freed+0x2c0/0x2c0
[ 29.949366]  [] ? __lock_is_held+0xa1/0xf0
[ 29.955127]  [] lock_acquire+0x12e/0x410
[ 29.960718]  [] ? remove_wait_queue+0x14/0x40
[ 29.966742]  [] _raw_spin_lock_irqsave+0x4e/0x70
[ 29.973025]  [] ? remove_wait_queue+0x14/0x40
[ 29.979047]  [] remove_wait_queue+0x14/0x40
[ 29.984902]  [] ep_unregister_pollwait.isra.6+0xaf/0x240
[ 29.991887]  [] ? ep_unregister_pollwait.isra.6+0x12a/0x240
[ 29.999125]  [] ep_remove+0x41/0x290
[ 30.004365]  [] eventpoll_release_file+0xc5/0x140
[ 30.010736]  [] __fput+0x5a8/0x6e0
[ 30.015815]  [] ____fput+0x15/0x20
[ 30.020901]  [] task_work_run+0x115/0x190
[ 30.027727]  [] do_exit+0x7e7/0x2a40
[ 30.032977]  [] ? selinux_file_ioctl+0x355/0x530
[ 30.039274]  [] ? release_task+0x1240/0x1240
[ 30.045214]  [] ? SyS_epoll_create+0x190/0x190
[ 30.051326]  [] ? entry_SYSCALL_64_fastpath+0x5/0xe2
[ 30.057958]  [] do_group_exit+0x108/0x320
[ 30.063631]  [] SyS_exit_group+0x1d/0x20
[ 30.069219]  [] entry_SYSCALL_64_fastpath+0x23/0xe2
[ 30.076192] Dumping ftrace buffer:
[ 30.079710]    (ftrace buffer empty)
[ 30.083396] Kernel Offset: disabled
[ 30.086991] Rebooting in 86400 seconds..