[....] Starting enhanced syslogd: rsyslogd
[   10.221433] audit: type=1400 audit(1514553755.706:4): avc:  denied  { syslog } for  pid=3171 comm="rsyslogd" capability=34  scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=capability2 permissive=1
[ ok ] Starting enhanced syslogd: rsyslogd.
[ ok ] Starting periodic command scheduler: cron.
Starting mcstransd:
[ ok ] Starting file context maintaining daemon: restorecond.
[ ok ] Starting OpenBSD Secure Shell server: sshd.

Debian GNU/Linux 7 syzkaller ttyS0

Warning: Permanently added '10.128.0.49' (ECDSA) to the list of known hosts.
executing program
syzkaller login: [   34.425858] ==================================================================
[   34.426963] BUG: KASAN: use-after-free in __lock_acquire+0x2eff/0x3640
[   34.427935] Read of size 8 at addr ffff8801cdcfbc38 by task syzkaller250741/3336
[   34.428948] 
[   34.429181] CPU: 1 PID: 3336 Comm: syzkaller250741 Not tainted 4.9.72-gcb7518e #114
[   34.430274] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   34.431640]  ffff8801c700f8e0 ffffffff81d922b9 ffffea0007373e80 ffff8801cdcfbc38
[   34.432855]  0000000000000000 ffff8801cdcfbc38 ffff8801cdcfbc38 ffff8801c700f918
[   34.434010]  ffffffff8153bab3 ffff8801cdcfbc38 0000000000000008 0000000000000000
[   34.435201] Call Trace:
[   34.435563]  [] dump_stack+0xc1/0x128
[   34.436277]  [] print_address_description+0x73/0x280
[   34.437169]  [] kasan_report+0x275/0x360
[   34.437943]  [] ? __lock_acquire+0x2eff/0x3640
[   34.438753]  [] __asan_report_load8_noabort+0x14/0x20
[   34.439671]  [] __lock_acquire+0x2eff/0x3640
[   34.440477]  [] ? __lock_acquire+0x629/0x3640
[   34.441362]  [] ? debug_check_no_locks_freed+0x2c0/0x2c0
[   34.442312]  [] ? debug_check_no_locks_freed+0x2c0/0x2c0
[   34.443234]  [] ? debug_check_no_locks_freed+0x2c0/0x2c0
[   34.444164]  [] ? mark_held_locks+0xaf/0x100
[   34.444957]  [] ? mutex_lock_nested+0x5e3/0x870
[   34.445778]  [] lock_acquire+0x12e/0x410
[   34.449960]  [] ? remove_wait_queue+0x14/0x40
[   34.455992]  [] _raw_spin_lock_irqsave+0x4e/0x70
[   34.462286]  [] ? remove_wait_queue+0x14/0x40
[   34.468317]  [] remove_wait_queue+0x14/0x40
[   34.474176]  [] ep_unregister_pollwait.isra.6+0xaf/0x240
[   34.481158]  [] ? ep_unregister_pollwait.isra.6+0x12a/0x240
[   34.488401]  [] ? ep_free+0x1b0/0x1b0
[   34.493732]  [] ep_free+0x96/0x1b0
[   34.498805]  [] ? ep_free+0x1b0/0x1b0
[   34.504147]  [] ep_eventpoll_release+0x44/0x60
[   34.510268]  [] __fput+0x28c/0x6e0
[   34.515339]  [] ____fput+0x15/0x20
[   34.520409]  [] task_work_run+0x115/0x190
[   34.526088]  [] do_exit+0x7e7/0x2a40
[   34.531334]  [] ? selinux_file_ioctl+0x355/0x530
[   34.537622]  [] ? release_task+0x1240/0x1240
[   34.543558]  [] ? SyS_epoll_create+0x190/0x190
[   34.549672]  [] ? entry_SYSCALL_64_fastpath+0x5/0xc6
[   34.556305]  [] do_group_exit+0x108/0x320
[   34.561982]  [] SyS_exit_group+0x1d/0x20
[   34.567585]  [] entry_SYSCALL_64_fastpath+0x23/0xc6
[   34.574129] 
[   34.575726] Allocated by task 3336:
[   34.579682]  save_stack_trace+0x16/0x20
[   34.585209]  save_stack+0x43/0xd0
[   34.589852]  kasan_kmalloc+0xad/0xe0
[   34.594748]  kmem_cache_alloc_trace+0xfb/0x2a0
[   34.599739]  binder_get_thread+0x15d/0x750
[   34.603942]  binder_poll+0x4a/0x210
[   34.608765]  SyS_epoll_ctl+0x11d7/0x2190
[   34.613754]  entry_SYSCALL_64_fastpath+0x23/0xc6
[   34.618474] 
[   34.620066] Freed by task 3336:
[   34.623313]  save_stack_trace+0x16/0x20
[   34.627251]  save_stack+0x43/0xd0
[   34.630672]  kasan_slab_free+0x72/0xc0
[   34.634525]  kfree+0x103/0x300
[   34.637694]  binder_thread_dec_tmpref+0x1cc/0x240
[   34.642502]  binder_thread_release+0x27d/0x540
[   34.647050]  binder_ioctl+0x9c0/0x11b0
[   34.650903]  do_vfs_ioctl+0x1aa/0x1140
[   34.654753]  SyS_ioctl+0x8f/0xc0
[   34.658083]  entry_SYSCALL_64_fastpath+0x23/0xc6
[   34.662802] 
[   34.664398] The buggy address belongs to the object at ffff8801cdcfbb80
[   34.664398]  which belongs to the cache kmalloc-512 of size 512
[   34.677020] The buggy address is located 184 bytes inside of
[   34.677020]  512-byte region [ffff8801cdcfbb80, ffff8801cdcfbd80)
[   34.688860] The buggy address belongs to the page:
[   34.693757] page:ffffea0007373e80 count:1 mapcount:0 mapping: (null) index:0x0 compound_mapcount: 0
[   34.703929] flags: 0x8000000000004080(slab|head)
[   34.708649] page dumped because: kasan: bad access detected
[   34.714320] 
[   34.715912] Memory state around the buggy address:
[   34.720807]  ffff8801cdcfbb00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   34.728130]  ffff8801cdcfbb80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   34.735452] >ffff8801cdcfbc00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   34.742782]                                         ^
[   34.747936]  ffff8801cdcfbc80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   34.755260]  ffff8801cdcfbd00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   34.762591] ==================================================================
[   34.769918] Disabling lock debugging due to kernel taint
[   34.775334] Kernel panic - not syncing: panic_on_warn set ...
[   34.775334] 
[   34.782675] CPU: 1 PID: 3336 Comm: syzkaller250741 Tainted: G    B           4.9.72-gcb7518e #114
[   34.791658] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   34.800989]  ffff8801c700f838 ffffffff81d922b9 ffffffff841955bf ffff8801c700f910
[   34.808948]  0000000000000000 ffff8801cdcfbc38 ffff8801cdcfbc38 ffff8801c700f900
[   34.816902]  ffffffff8142d741 0000000041b58ab3 ffffffff84189000 ffffffff8142d585
[   34.824856] Call Trace:
[   34.827414]  [] dump_stack+0xc1/0x128
[   34.832754]  [] panic+0x1bc/0x3a8
[   34.839387]  [] ? percpu_up_read_preempt_enable.constprop.53+0xd7/0xd7
[   34.848975]  [] ? add_taint+0x40/0x50
[   34.854308]  [] kasan_end_report+0x50/0x50
[   34.860073]  [] kasan_report+0x167/0x360
[   34.865678]  [] ? __lock_acquire+0x2eff/0x3640
[   34.871789]  [] __asan_report_load8_noabort+0x14/0x20
[   34.878510]  [] __lock_acquire+0x2eff/0x3640
[   34.884456]  [] ? __lock_acquire+0x629/0x3640
[   34.890490]  [] ? debug_check_no_locks_freed+0x2c0/0x2c0
[   34.897483]  [] ? debug_check_no_locks_freed+0x2c0/0x2c0
[   34.904462]  [] ? debug_check_no_locks_freed+0x2c0/0x2c0
[   34.911441]  [] ? mark_held_locks+0xaf/0x100
[   34.917389]  [] ? mutex_lock_nested+0x5e3/0x870
[   34.923595]  [] lock_acquire+0x12e/0x410
[   34.929197]  [] ? remove_wait_queue+0x14/0x40
[   34.935219]  [] _raw_spin_lock_irqsave+0x4e/0x70
[   34.941503]  [] ? remove_wait_queue+0x14/0x40
[   34.947526]  [] remove_wait_queue+0x14/0x40
[   34.953384]  [] ep_unregister_pollwait.isra.6+0xaf/0x240
[   34.960371]  [] ? ep_unregister_pollwait.isra.6+0x12a/0x240
[   34.967611]  [] ? ep_free+0x1b0/0x1b0
[   34.972940]  [] ep_free+0x96/0x1b0
[   34.978017]  [] ? ep_free+0x1b0/0x1b0
[   34.984650]  [] ep_eventpoll_release+0x44/0x60
[   34.992763]  [] __fput+0x28c/0x6e0
[   34.999566]  [] ____fput+0x15/0x20
[   35.006307]  [] task_work_run+0x115/0x190
[   35.012004]  [] do_exit+0x7e7/0x2a40
[   35.017251]  [] ? selinux_file_ioctl+0x355/0x530
[   35.023547]  [] ? release_task+0x1240/0x1240
[   35.029496]  [] ? SyS_epoll_create+0x190/0x190
[   35.035608]  [] ? entry_SYSCALL_64_fastpath+0x5/0xc6
[   35.042240]  [] do_group_exit+0x108/0x320
[   35.047918]  [] SyS_exit_group+0x1d/0x20
[   35.053509]  [] entry_SYSCALL_64_fastpath+0x23/0xc6
[   35.060097] Dumping ftrace buffer:
[   35.063607]    (ftrace buffer empty)
[   35.067284] Kernel Offset: disabled
[   35.070891] Rebooting in 86400 seconds..