[ ok ] Starting enhanced syslogd: rsyslogd.
[ 11.034620] audit: type=1400 audit(1516452616.267:4): avc: denied { syslog } for pid=3176 comm="rsyslogd" capability=34 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=capability2 permissive=1
[ ok ] Starting periodic command scheduler: cron.
Starting mcstransd:
[ ok ] Starting OpenBSD Secure Shell server: sshd.
[ ok ] Starting file context maintaining daemon: restorecond.

Debian GNU/Linux 7 syzkaller ttyS0

Warning: Permanently added '10.128.0.56' (ECDSA) to the list of known hosts.
executing program
syzkaller login: [ 26.905463] ==================================================================
[ 26.906592] BUG: KASAN: use-after-free in __lock_acquire+0x2eff/0x3640
[ 26.907489] Read of size 8 at addr ffff8801cd06cd38 by task syzkaller436523/3333
[ 26.908493]
[ 26.908727] CPU: 1 PID: 3333 Comm: syzkaller436523 Not tainted 4.9.77-ge12a9c4 #27
[ 26.909770] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 26.910995] ffff8801c9b17870 ffffffff81d941c9 ffffea0007341b00 ffff8801cd06cd38
[ 26.912157] 0000000000000000 ffff8801cd06cd38 ffff8801cd06cd38 ffff8801c9b178a8
[ 26.913310] ffffffff8153db93 ffff8801cd06cd38 0000000000000008 0000000000000000
[ 26.914492] Call Trace:
[ 26.914856] [] dump_stack+0xc1/0x128
[ 26.915610] [] print_address_description+0x73/0x280
[ 26.916536] [] kasan_report+0x275/0x360
[ 26.917297] [] ? __lock_acquire+0x2eff/0x3640
[ 26.918121] [] __asan_report_load8_noabort+0x14/0x20
[ 26.919046] [] __lock_acquire+0x2eff/0x3640
[ 26.919840] [] ? __lock_acquire+0x629/0x3640
[ 26.920641] [] ? debug_check_no_locks_freed+0x2c0/0x2c0
[ 26.921578] [] ? debug_check_no_locks_freed+0x2c0/0x2c0
[ 26.922544] [] ? debug_check_no_locks_freed+0x2c0/0x2c0
[ 26.923466] [] ? mark_held_locks+0xaf/0x100
[ 26.924269] [] ? mutex_lock_nested+0x5e3/0x870
[ 26.925119] [] lock_acquire+0x12e/0x410
[ 26.927711] [] ? remove_wait_queue+0x14/0x40
[ 26.933743] [] _raw_spin_lock_irqsave+0x4e/0x70
[ 26.940034] [] ? remove_wait_queue+0x14/0x40
[ 26.946062] [] remove_wait_queue+0x14/0x40
[ 26.951921] [] ep_unregister_pollwait.isra.6+0xaf/0x240
[ 26.958906] [] ? ep_unregister_pollwait.isra.6+0x12a/0x240
[ 26.966149] [] ? ep_free+0x1b0/0x1b0
[ 26.971484] [] ep_free+0x96/0x1b0
[ 26.976558] [] ? ep_free+0x1b0/0x1b0
[ 26.981892] [] ep_eventpoll_release+0x44/0x60
[ 26.988010] [] __fput+0x28c/0x6e0
[ 26.993094] [] ____fput+0x15/0x20
[ 26.998167] [] task_work_run+0x115/0x190
[ 27.003939] [] do_exit+0x7e7/0x2a40
[ 27.009186] [] ? __pmd_alloc+0x410/0x410
[ 27.014882] [] ? release_task+0x1240/0x1240
[ 27.020838] [] ? __do_page_fault+0x5ec/0xd40
[ 27.026868] [] ? up_read+0x1a/0x40
[ 27.032027] [] ? __do_page_fault+0x3bd/0xd40
[ 27.038066] [] do_group_exit+0x108/0x320
[ 27.043760] [] ? do_group_exit+0x320/0x320
[ 27.049620] [] SyS_exit_group+0x1d/0x20
[ 27.055230] [] do_fast_syscall_32+0x2f7/0x890
[ 27.061346] [] ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 27.067997] [] entry_SYSENTER_compat+0x74/0x83
[ 27.074207]
[ 27.075802] Allocated by task 3333:
[ 27.079402] save_stack_trace+0x16/0x20
[ 27.083354] save_stack+0x43/0xd0
[ 27.086780] kasan_kmalloc+0xad/0xe0
[ 27.090462] kmem_cache_alloc_trace+0xfb/0x2a0
[ 27.095013] binder_get_thread+0x15d/0x750
[ 27.099218] binder_poll+0x4a/0x210
[ 27.102816] SyS_epoll_ctl+0x11d7/0x2190
[ 27.106857] do_fast_syscall_32+0x2f7/0x890
[ 27.111151] entry_SYSENTER_compat+0x74/0x83
[ 27.115543]
[ 27.117139] Freed by task 3333:
[ 27.120388] save_stack_trace+0x16/0x20
[ 27.124330] save_stack+0x43/0xd0
[ 27.127750] kasan_slab_free+0x72/0xc0
[ 27.131616] kfree+0x103/0x300
[ 27.134793] binder_thread_dec_tmpref+0x1cc/0x240
[ 27.139617] binder_thread_release+0x27d/0x540
[ 27.144168] binder_ioctl+0x9c0/0x11b0
[ 27.148040] compat_SyS_ioctl+0x15f/0x2050
[ 27.152246] do_fast_syscall_32+0x2f7/0x890
[ 27.156548] entry_SYSENTER_compat+0x74/0x83
[ 27.160924]
[ 27.162545] The buggy address belongs to the object at ffff8801cd06cc80
[ 27.162545]  which belongs to the cache kmalloc-512 of size 512
[ 27.175181] The buggy address is located 184 bytes inside of
[ 27.175181]  512-byte region [ffff8801cd06cc80, ffff8801cd06ce80)
[ 27.187029] The buggy address belongs to the page:
[ 27.191939] page:ffffea0007341b00 count:1 mapcount:0 mapping: (null) index:0x0 compound_mapcount: 0
[ 27.202107] flags: 0x8000000000004080(slab|head)
[ 27.206840] page dumped because: kasan: bad access detected
[ 27.212520]
[ 27.214127] Memory state around the buggy address:
[ 27.219028]  ffff8801cd06cc00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 27.226368]  ffff8801cd06cc80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 27.233697] >ffff8801cd06cd00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 27.241041]                                         ^
[ 27.246209]  ffff8801cd06cd80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 27.253539]  ffff8801cd06ce00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 27.260878] ==================================================================
[ 27.268216] Disabling lock debugging due to kernel taint
[ 27.273644] Kernel panic - not syncing: panic_on_warn set ...
[ 27.273644]
[ 27.280979] CPU: 1 PID: 3333 Comm: syzkaller436523 Tainted: G B 4.9.77-ge12a9c4 #27
[ 27.289871] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 27.299198] ffff8801c9b177c8 ffffffff81d941c9 ffffffff841970ff ffff8801c9b178a0
[ 27.307196] 0000000000000000 ffff8801cd06cd38 ffff8801cd06cd38 ffff8801c9b17890
[ 27.315165] ffffffff8142f3c1 0000000041b58ab3 ffffffff8418ab70 ffffffff8142f205
[ 27.323167] Call Trace:
[ 27.325726] [] dump_stack+0xc1/0x128
[ 27.331064] [] panic+0x1bc/0x3a8
[ 27.336064] [] ? percpu_up_read_preempt_enable.constprop.53+0xd7/0xd7
[ 27.344996] [] ? add_taint+0x40/0x50
[ 27.350335] [] kasan_end_report+0x50/0x50
[ 27.356113] [] kasan_report+0x167/0x360
[ 27.361710] [] ? __lock_acquire+0x2eff/0x3640
[ 27.367825] [] __asan_report_load8_noabort+0x14/0x20
[ 27.374551] [] __lock_acquire+0x2eff/0x3640
[ 27.380495] [] ? __lock_acquire+0x629/0x3640
[ 27.386526] [] ? debug_check_no_locks_freed+0x2c0/0x2c0
[ 27.393527] [] ? debug_check_no_locks_freed+0x2c0/0x2c0
[ 27.400514] [] ? debug_check_no_locks_freed+0x2c0/0x2c0
[ 27.407496] [] ? mark_held_locks+0xaf/0x100
[ 27.413454] [] ? mutex_lock_nested+0x5e3/0x870
[ 27.419655] [] lock_acquire+0x12e/0x410
[ 27.425249] [] ? remove_wait_queue+0x14/0x40
[ 27.431278] [] _raw_spin_lock_irqsave+0x4e/0x70
[ 27.437565] [] ? remove_wait_queue+0x14/0x40
[ 27.443604] [] remove_wait_queue+0x14/0x40
[ 27.449472] [] ep_unregister_pollwait.isra.6+0xaf/0x240
[ 27.456454] [] ? ep_unregister_pollwait.isra.6+0x12a/0x240
[ 27.463699] [] ? ep_free+0x1b0/0x1b0
[ 27.469044] [] ep_free+0x96/0x1b0
[ 27.474117] [] ? ep_free+0x1b0/0x1b0
[ 27.479449] [] ep_eventpoll_release+0x44/0x60
[ 27.485561] [] __fput+0x28c/0x6e0
[ 27.490632] [] ____fput+0x15/0x20
[ 27.495703] [] task_work_run+0x115/0x190
[ 27.501380] [] do_exit+0x7e7/0x2a40
[ 27.506651] [] ? __pmd_alloc+0x410/0x410
[ 27.512331] [] ? release_task+0x1240/0x1240
[ 27.518284] [] ? __do_page_fault+0x5ec/0xd40
[ 27.524326] [] ? up_read+0x1a/0x40
[ 27.529486] [] ? __do_page_fault+0x3bd/0xd40
[ 27.535513] [] do_group_exit+0x108/0x320
[ 27.541196] [] ? do_group_exit+0x320/0x320
[ 27.547062] [] SyS_exit_group+0x1d/0x20
[ 27.552667] [] do_fast_syscall_32+0x2f7/0x890
[ 27.558790] [] ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 27.565439] [] entry_SYSENTER_compat+0x74/0x83
[ 27.572049] Dumping ftrace buffer:
[ 27.575566]    (ftrace buffer empty)
[ 27.579258] Kernel Offset: disabled
[ 27.582854] Rebooting in 86400 seconds..