[ ok ] Starting enhanced syslogd: rsyslogd.
[ 11.675349] audit: type=1400 audit(1515874088.659:4): avc: denied { syslog } for pid=3182 comm="rsyslogd" capability=34 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=capability2 permissive=1
[ ok ] Starting periodic command scheduler: cron.
Starting mcstransd:
[ ok ] Starting file context maintaining daemon: restorecond.
[ ok ] Starting OpenBSD Secure Shell server: sshd.

Debian GNU/Linux 7 syzkaller ttyS0

Warning: Permanently added '10.128.15.229' (ECDSA) to the list of known hosts.
executing program
syzkaller login: [ 21.595805] ==================================================================
[ 21.603402] BUG: KASAN: use-after-free in __lock_acquire+0x2eff/0x3640
[ 21.610078] Read of size 8 at addr ffff8801c8ef6838 by task syzkaller173821/3331
[ 21.617611]
[ 21.619243] CPU: 1 PID: 3331 Comm: syzkaller173821 Not tainted 4.9.76-g8e170a5 #21
[ 21.626950] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 21.636308]  ffff8801c8147870 ffffffff81d93149 ffffea000723bd80 ffff8801c8ef6838
[ 21.644347]  0000000000000000 ffff8801c8ef6838 ffff8801c8ef6838 ffff8801c81478a8
[ 21.652320]  ffffffff8153cb43 ffff8801c8ef6838 0000000000000008 0000000000000000
[ 21.660296] Call Trace:
[ 21.662863]  [] dump_stack+0xc1/0x128
[ 21.668234]  [] print_address_description+0x73/0x280
[ 21.674883]  [] kasan_report+0x275/0x360
[ 21.680476]  [] ? __lock_acquire+0x2eff/0x3640
[ 21.686588]  [] __asan_report_load8_noabort+0x14/0x20
[ 21.693406]  [] __lock_acquire+0x2eff/0x3640
[ 21.699346]  [] ? __lock_acquire+0x629/0x3640
[ 21.705401]  [] ? debug_check_no_locks_freed+0x2c0/0x2c0
[ 21.712386]  [] ? debug_check_no_locks_freed+0x2c0/0x2c0
[ 21.719371]  [] ? debug_check_no_locks_freed+0x2c0/0x2c0
[ 21.726364]  [] ? mark_held_locks+0xaf/0x100
[ 21.732305]  [] ? mutex_lock_nested+0x5e3/0x870
[ 21.738519]  [] lock_acquire+0x12e/0x410
[ 21.744113]  [] ? remove_wait_queue+0x14/0x40
[ 21.750150]  [] _raw_spin_lock_irqsave+0x4e/0x70
[ 21.756441]  [] ? remove_wait_queue+0x14/0x40
[ 21.762492]  [] remove_wait_queue+0x14/0x40
[ 21.768390]  [] ep_unregister_pollwait.isra.6+0xaf/0x240
[ 21.775419]  [] ? ep_unregister_pollwait.isra.6+0x12a/0x240
[ 21.782697]  [] ? ep_free+0x1b0/0x1b0
[ 21.788034]  [] ep_free+0x96/0x1b0
[ 21.793133]  [] ? ep_free+0x1b0/0x1b0
[ 21.798475]  [] ep_eventpoll_release+0x44/0x60
[ 21.804593]  [] __fput+0x28c/0x6e0
[ 21.809746]  [] ____fput+0x15/0x20
[ 21.814824]  [] task_work_run+0x115/0x190
[ 21.820523]  [] do_exit+0x7e7/0x2a40
[ 21.825770]  [] ? __pmd_alloc+0x410/0x410
[ 21.831448]  [] ? release_task+0x1240/0x1240
[ 21.837393]  [] ? __do_page_fault+0x5ec/0xd40
[ 21.843441]  [] ? up_read+0x1a/0x40
[ 21.848599]  [] ? __do_page_fault+0x3bd/0xd40
[ 21.854635]  [] do_group_exit+0x108/0x320
[ 21.860315]  [] ? do_group_exit+0x320/0x320
[ 21.866170]  [] SyS_exit_group+0x1d/0x20
[ 21.871773]  [] do_fast_syscall_32+0x2f7/0x890
[ 21.877897]  [] ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 21.884536]  [] entry_SYSENTER_compat+0x74/0x83
[ 21.890740]
[ 21.892337] Allocated by task 3331:
[ 21.895937]  save_stack_trace+0x16/0x20
[ 21.899881]  save_stack+0x43/0xd0
[ 21.903307]  kasan_kmalloc+0xad/0xe0
[ 21.906989]  kmem_cache_alloc_trace+0xfb/0x2a0
[ 21.911540]  binder_get_thread+0x15d/0x750
[ 21.915746]  binder_poll+0x4a/0x210
[ 21.919339]  SyS_epoll_ctl+0x11d7/0x2190
[ 21.923369]  do_fast_syscall_32+0x2f7/0x890
[ 21.927658]  entry_SYSENTER_compat+0x74/0x83
[ 21.932032]
[ 21.933631] Freed by task 3331:
[ 21.936881]  save_stack_trace+0x16/0x20
[ 21.940822]  save_stack+0x43/0xd0
[ 21.944243]  kasan_slab_free+0x72/0xc0
[ 21.948096]  kfree+0x103/0x300
[ 21.951258]  binder_thread_dec_tmpref+0x1cc/0x240
[ 21.956072]  binder_thread_release+0x27d/0x540
[ 21.960647]  binder_ioctl+0x9c0/0x11b0
[ 21.964502]  compat_SyS_ioctl+0x15f/0x2050
[ 21.968706]  do_fast_syscall_32+0x2f7/0x890
[ 21.972996]  entry_SYSENTER_compat+0x74/0x83
[ 21.977372]
[ 21.978997] The buggy address belongs to the object at ffff8801c8ef6780
[ 21.978997]  which belongs to the cache kmalloc-512 of size 512
[ 21.991656] The buggy address is located 184 bytes inside of
[ 21.991656]  512-byte region [ffff8801c8ef6780, ffff8801c8ef6980)
[ 22.003510] The buggy address belongs to the page:
[ 22.008418] page:ffffea000723bd80 count:1 mapcount:0 mapping: (null) index:0x0 compound_mapcount: 0
[ 22.018592] flags: 0x8000000000004080(slab|head)
[ 22.023315] page dumped because: kasan: bad access detected
[ 22.028998]
[ 22.030594] Memory state around the buggy address:
[ 22.035492]  ffff8801c8ef6700: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 22.042821]  ffff8801c8ef6780: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 22.050147] >ffff8801c8ef6800: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 22.057481]                                         ^
[ 22.062634]  ffff8801c8ef6880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 22.069970]  ffff8801c8ef6900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 22.077302] ==================================================================
[ 22.084628] Disabling lock debugging due to kernel taint
[ 22.090056] Kernel panic - not syncing: panic_on_warn set ...
[ 22.090056]
[ 22.097392] CPU: 1 PID: 3331 Comm: syzkaller173821 Tainted: G B 4.9.76-g8e170a5 #21
[ 22.106291] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 22.115710]  ffff8801c81477c8 ffffffff81d93149 ffffffff84195c17 ffff8801c81478a0
[ 22.123685]  0000000000000000 ffff8801c8ef6838 ffff8801c8ef6838 ffff8801c8147890
[ 22.131658]  ffffffff8142e371 0000000041b58ab3 ffffffff84189678 ffffffff8142e1b5
[ 22.139626] Call Trace:
[ 22.142186]  [] dump_stack+0xc1/0x128
[ 22.147531]  [] panic+0x1bc/0x3a8
[ 22.152515]  [] ? percpu_up_read_preempt_enable.constprop.53+0xd7/0xd7
[ 22.160724]  [] ? add_taint+0x40/0x50
[ 22.166068]  [] kasan_end_report+0x50/0x50
[ 22.171835]  [] kasan_report+0x167/0x360
[ 22.177442]  [] ? __lock_acquire+0x2eff/0x3640
[ 22.183579]  [] __asan_report_load8_noabort+0x14/0x20
[ 22.190307]  [] __lock_acquire+0x2eff/0x3640
[ 22.196249]  [] ? __lock_acquire+0x629/0x3640
[ 22.202278]  [] ? debug_check_no_locks_freed+0x2c0/0x2c0
[ 22.209275]  [] ? debug_check_no_locks_freed+0x2c0/0x2c0
[ 22.216260]  [] ? debug_check_no_locks_freed+0x2c0/0x2c0
[ 22.223250]  [] ? mark_held_locks+0xaf/0x100
[ 22.229198]  [] ? mutex_lock_nested+0x5e3/0x870
[ 22.235405]  [] lock_acquire+0x12e/0x410
[ 22.240999]  [] ? remove_wait_queue+0x14/0x40
[ 22.247028]  [] _raw_spin_lock_irqsave+0x4e/0x70
[ 22.253314]  [] ? remove_wait_queue+0x14/0x40
[ 22.259342]  [] remove_wait_queue+0x14/0x40
[ 22.265201]  [] ep_unregister_pollwait.isra.6+0xaf/0x240
[ 22.272183]  [] ? ep_unregister_pollwait.isra.6+0x12a/0x240
[ 22.279425]  [] ? ep_free+0x1b0/0x1b0
[ 22.284766]  [] ep_free+0x96/0x1b0
[ 22.289847]  [] ? ep_free+0x1b0/0x1b0
[ 22.295182]  [] ep_eventpoll_release+0x44/0x60
[ 22.301302]  [] __fput+0x28c/0x6e0
[ 22.306388]  [] ____fput+0x15/0x20
[ 22.311462]  [] task_work_run+0x115/0x190
[ 22.317146]  [] do_exit+0x7e7/0x2a40
[ 22.322392]  [] ? __pmd_alloc+0x410/0x410
[ 22.328076]  [] ? release_task+0x1240/0x1240
[ 22.334049]  [] ? __do_page_fault+0x5ec/0xd40
[ 22.334055]  [] ? up_read+0x1a/0x40
[ 22.334059]  [] ? __do_page_fault+0x3bd/0xd40
[ 22.334063]  [] do_group_exit+0x108/0x320
[ 22.334068]  [] ? do_group_exit+0x320/0x320
[ 22.334072]  [] SyS_exit_group+0x1d/0x20
[ 22.334079]  [] do_fast_syscall_32+0x2f7/0x890
[ 22.334083]  [] ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 22.334091]  [] entry_SYSENTER_compat+0x74/0x83
[ 22.334648] Dumping ftrace buffer:
[ 22.334651]    (ftrace buffer empty)
[ 22.334653] Kernel Offset: disabled
[ 22.399077] Rebooting in 86400 seconds..