[ ok ] Starting enhanced syslogd: rsyslogd.
[   11.145947] audit: type=1400 audit(1515254142.563:4): avc:  denied  { syslog } for  pid=3163 comm="rsyslogd" capability=34  scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=capability2 permissive=1
Starting mcstransd:
[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting file context maintaining daemon: restorecond.
[ ok ] Starting OpenBSD Secure Shell server: sshd.

Debian GNU/Linux 7 syzkaller ttyS0

Warning: Permanently added '10.128.0.17' (ECDSA) to the list of known hosts.
executing program
syzkaller login: [   35.244202] ==================================================================
[   35.245371] BUG: KASAN: use-after-free in __lock_acquire+0x2eff/0x3640
[   35.246307] Read of size 8 at addr ffff8801ccbcc5b8 by task syzkaller195827/3335
[   35.247316]
[   35.247545] CPU: 0 PID: 3335 Comm: syzkaller195827 Not tainted 4.9.75-g06fe41f #16
[   35.248630] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   35.249883]  ffff8801c818f870 ffffffff81d93049 ffffea000732f300 ffff8801ccbcc5b8
[   35.251057]  0000000000000000 ffff8801ccbcc5b8 ffff8801ccbcc5b8 ffff8801c818f8a8
[   35.252185]  ffffffff8153ca53 ffff8801ccbcc5b8 0000000000000008 0000000000000000
[   35.253344] Call Trace:
[   35.253699]  [] dump_stack+0xc1/0x128
[   35.254412]  [] print_address_description+0x73/0x280
[   35.255322]  [] kasan_report+0x275/0x360
[   35.256104]  [] ? __lock_acquire+0x2eff/0x3640
[   35.256912]  [] __asan_report_load8_noabort+0x14/0x20
[   35.257854]  [] __lock_acquire+0x2eff/0x3640
[   35.258639]  [] ? __lock_acquire+0x629/0x3640
[   35.259450]  [] ? debug_check_no_locks_freed+0x2c0/0x2c0
[   35.260370]  [] ? debug_check_no_locks_freed+0x2c0/0x2c0
[   35.261350]  [] ? debug_check_no_locks_freed+0x2c0/0x2c0
[   35.262280]  [] ? mark_held_locks+0xaf/0x100
[   35.263145]  [] ? mutex_lock_nested+0x5e3/0x870
[   35.264007]  [] lock_acquire+0x12e/0x410
[   35.264783]  [] ? remove_wait_queue+0x14/0x40
[   35.270804]  [] _raw_spin_lock_irqsave+0x4e/0x70
[   35.277094]  [] ? remove_wait_queue+0x14/0x40
[   35.283115]  [] remove_wait_queue+0x14/0x40
[   35.288972]  [] ep_unregister_pollwait.isra.6+0xaf/0x240
[   35.295949]  [] ? ep_unregister_pollwait.isra.6+0x12a/0x240
[   35.303188]  [] ? ep_free+0x1b0/0x1b0
[   35.308888]  [] ep_free+0x96/0x1b0
[   35.313958]  [] ? ep_free+0x1b0/0x1b0
[   35.319300]  [] ep_eventpoll_release+0x44/0x60
[   35.325409]  [] __fput+0x28c/0x6e0
[   35.330475]  [] ____fput+0x15/0x20
[   35.335542]  [] task_work_run+0x115/0x190
[   35.341227]  [] do_exit+0x7e7/0x2a40
[   35.346466]  [] ? __pmd_alloc+0x410/0x410
[   35.352235]  [] ? release_task+0x1240/0x1240
[   35.358172]  [] ? __do_page_fault+0x5ec/0xd40
[   35.364196]  [] ? up_read+0x1a/0x40
[   35.369350]  [] ? __do_page_fault+0x3bd/0xd40
[   35.375375]  [] do_group_exit+0x108/0x320
[   35.381053]  [] ? do_group_exit+0x320/0x320
[   35.386900]  [] SyS_exit_group+0x1d/0x20
[   35.392500]  [] do_fast_syscall_32+0x2f7/0x890
[   35.398607]  [] ? trace_hardirqs_off_thunk+0x1a/0x1c
[   35.405250]  [] entry_SYSENTER_compat+0x74/0x83
[   35.411449]
[   35.413043] Allocated by task 3335:
[   35.416634]  save_stack_trace+0x16/0x20
[   35.420572]  save_stack+0x43/0xd0
[   35.423990]  kasan_kmalloc+0xad/0xe0
[   35.427667]  kmem_cache_alloc_trace+0xfb/0x2a0
[   35.432214]  binder_get_thread+0x15d/0x750
[   35.436411]  binder_poll+0x4a/0x210
[   35.440003]  SyS_epoll_ctl+0x11d7/0x2190
[   35.444029]  do_fast_syscall_32+0x2f7/0x890
[   35.448313]  entry_SYSENTER_compat+0x74/0x83
[   35.452682]
[   35.454272] Freed by task 3335:
[   35.457513]  save_stack_trace+0x16/0x20
[   35.461453]  save_stack+0x43/0xd0
[   35.464871]  kasan_slab_free+0x72/0xc0
[   35.468729]  kfree+0x103/0x300
[   35.471887]  binder_thread_dec_tmpref+0x1cc/0x240
[   35.476693]  binder_thread_release+0x27d/0x540
[   35.481237]  binder_ioctl+0x9c0/0x11b0
[   35.485093]  compat_SyS_ioctl+0x15f/0x2050
[   35.489298]  do_fast_syscall_32+0x2f7/0x890
[   35.493585]  entry_SYSENTER_compat+0x74/0x83
[   35.497953]
[   35.499546] The buggy address belongs to the object at ffff8801ccbcc500
[   35.499546]  which belongs to the cache kmalloc-512 of size 512
[   35.512168] The buggy address is located 184 bytes inside of
[   35.512168]  512-byte region [ffff8801ccbcc500, ffff8801ccbcc700)
[   35.524028] The buggy address belongs to the page:
[   35.528931] page:ffffea000732f300 count:1 mapcount:0 mapping:          (null) index:0x0 compound_mapcount: 0
[   35.539094] flags: 0x8000000000004080(slab|head)
[   35.543827] page dumped because: kasan: bad access detected
[   35.549501]
[   35.551093] Memory state around the buggy address:
[   35.555988]  ffff8801ccbcc480: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   35.563322]  ffff8801ccbcc500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   35.570660] >ffff8801ccbcc580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   35.577986]                                         ^
[   35.583157]  ffff8801ccbcc600: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   35.590481]  ffff8801ccbcc680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   35.597807] ==================================================================
[   35.605131] Disabling lock debugging due to kernel taint
[   35.610545] Kernel panic - not syncing: panic_on_warn set ...
[   35.610545]
[   35.617871] CPU: 0 PID: 3335 Comm: syzkaller195827 Tainted: G    B           4.9.75-g06fe41f #16
[   35.626765] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   35.636086]  ffff8801c818f7c8 ffffffff81d93049 ffffffff84195be7 ffff8801c818f8a0
[   35.644042]  0000000000000000 ffff8801ccbcc5b8 ffff8801ccbcc5b8 ffff8801c818f890
[   35.651985]  ffffffff8142e281 0000000041b58ab3 ffffffff84189648 ffffffff8142e0c5
[   35.659940] Call Trace:
[   35.662495]  [] dump_stack+0xc1/0x128
[   35.667843]  [] panic+0x1bc/0x3a8
[   35.672826]  [] ? percpu_up_read_preempt_enable.constprop.53+0xd7/0xd7
[   35.681031]  [] ? add_taint+0x40/0x50
[   35.686361]  [] kasan_end_report+0x50/0x50
[   35.692122]  [] kasan_report+0x167/0x360
[   35.697712]  [] ? __lock_acquire+0x2eff/0x3640
[   35.703828]  [] __asan_report_load8_noabort+0x14/0x20
[   35.710547]  [] __lock_acquire+0x2eff/0x3640
[   35.716488]  [] ? __lock_acquire+0x629/0x3640
[   35.722513]  [] ? debug_check_no_locks_freed+0x2c0/0x2c0
[   35.729492]  [] ? debug_check_no_locks_freed+0x2c0/0x2c0
[   35.736480]  [] ? debug_check_no_locks_freed+0x2c0/0x2c0
[   35.743457]  [] ? mark_held_locks+0xaf/0x100
[   35.749415]  [] ? mutex_lock_nested+0x5e3/0x870
[   35.755632]  [] lock_acquire+0x12e/0x410
[   35.761231]  [] ? remove_wait_queue+0x14/0x40
[   35.767252]  [] _raw_spin_lock_irqsave+0x4e/0x70
[   35.773534]  [] ? remove_wait_queue+0x14/0x40
[   35.779567]  [] remove_wait_queue+0x14/0x40
[   35.785417]  [] ep_unregister_pollwait.isra.6+0xaf/0x240
[   35.792394]  [] ? ep_unregister_pollwait.isra.6+0x12a/0x240
[   35.799632]  [] ? ep_free+0x1b0/0x1b0
[   35.804957]  [] ep_free+0x96/0x1b0
[   35.810025]  [] ? ep_free+0x1b0/0x1b0
[   35.815352]  [] ep_eventpoll_release+0x44/0x60
[   35.821465]  [] __fput+0x28c/0x6e0
[   35.826534]  [] ____fput+0x15/0x20
[   35.831605]  [] task_work_run+0x115/0x190
[   35.837280]  [] do_exit+0x7e7/0x2a40
[   35.842523]  [] ? __pmd_alloc+0x410/0x410
[   35.848196]  [] ? release_task+0x1240/0x1240
[   35.854133]  [] ? __do_page_fault+0x5ec/0xd40
[   35.860161]  [] ? up_read+0x1a/0x40
[   35.865327]  [] ? __do_page_fault+0x3bd/0xd40
[   35.871351]  [] do_group_exit+0x108/0x320
[   35.877027]  [] ? do_group_exit+0x320/0x320
[   35.882878]  [] SyS_exit_group+0x1d/0x20
[   35.888485]  [] do_fast_syscall_32+0x2f7/0x890
[   35.894595]  [] ? trace_hardirqs_off_thunk+0x1a/0x1c
[   35.901238]  [] entry_SYSENTER_compat+0x74/0x83
[   35.907835] Dumping ftrace buffer:
[   35.911342]    (ftrace buffer empty)
[   35.915017] Kernel Offset: disabled
[   35.918617] Rebooting in 86400 seconds..