[ ok ] Starting file context maintaining daemon: restorecond.
[   16.552980] random: sshd: uninitialized urandom read (32 bytes read, 32 bits of entropy available)
[ ok ] Starting OpenBSD Secure Shell server: sshd.

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login:
[   19.438334] random: sshd: uninitialized urandom read (32 bytes read, 36 bits of entropy available)
[   19.806225] random: sshd: uninitialized urandom read (32 bytes read, 36 bits of entropy available)
[   20.657928] random: sshd: uninitialized urandom read (32 bytes read, 101 bits of entropy available)
[   20.901525] random: sshd: uninitialized urandom read (32 bytes read, 109 bits of entropy available)
Warning: Permanently added '10.128.0.34' (ECDSA) to the list of known hosts.
[   26.288691] random: sshd: uninitialized urandom read (32 bytes read, 115 bits of entropy available)
executing program
[   26.388704] ==================================================================
[   26.396094] BUG: KASAN: use-after-free in __lock_acquire+0x387e/0x4b50
[   26.402733] Read of size 8 at addr ffff8801d0813c38 by task syzkaller259577/3317
[   26.410240]
[   26.411837] CPU: 0 PID: 3317 Comm: syzkaller259577 Not tainted 4.4.113-ge70c132 #34
[   26.419595] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   26.428921]  0000000000000000 61501b90c7ed09df ffff8801d13a78f0 ffffffff81d0278d
[   26.436886]  ffffea0007420480 ffff8801d0813c38 0000000000000000 ffff8801d0813c38
[   26.444846]  0000000000000000 ffff8801d13a7928 ffffffff814fd053 ffff8801d0813c38
[   26.452820] Call Trace:
[   26.455379]  [] dump_stack+0xc1/0x124
[   26.460711]  [] print_address_description+0x73/0x260
[   26.467349]  [] kasan_report+0x285/0x370
[   26.472942]  [] ? __lock_acquire+0x387e/0x4b50
[   26.479065]  [] __asan_report_load8_noabort+0x14/0x20
[   26.485787]  [] __lock_acquire+0x387e/0x4b50
[   26.491725]  [] ? __lock_acquire+0xb5f/0x4b50
[   26.497750]  [] ? debug_check_no_locks_freed+0x2c0/0x2c0
[   26.504732]  [] ? debug_check_no_locks_freed+0x2c0/0x2c0
[   26.511713]  [] ? mark_held_locks+0xaf/0x100
[   26.517652]  [] lock_acquire+0x15e/0x460
[   26.523244]  [] ? remove_wait_queue+0x14/0x40
[   26.529272]  [] _raw_spin_lock_irqsave+0x4e/0x70
[   26.535560]  [] ? remove_wait_queue+0x14/0x40
[   26.541586]  [] remove_wait_queue+0x14/0x40
[   26.547440]  [] ep_unregister_pollwait.isra.6+0xa8/0x220
[   26.554421]  [] ? ep_unregister_pollwait.isra.6+0x114/0x220
[   26.561664]  [] ? ep_free+0x1c0/0x1c0
[   26.566998]  [] ep_free+0x93/0x1c0
[   26.572078]  [] ? ep_free+0x1c0/0x1c0
[   26.577412]  [] ep_eventpoll_release+0x44/0x60
[   26.583532]  [] __fput+0x233/0x6d0
[   26.588608]  [] ____fput+0x15/0x20
[   26.593681]  [] task_work_run+0x104/0x180
[   26.599362]  [] do_exit+0x82a/0x2a10
[   26.604608]  [] ? binder_ioctl_write_read.isra.55+0xbc0/0xbc0
[   26.612022]  [] ? release_task+0x1240/0x1240
[   26.617960]  [] ? SyS_epoll_create+0x190/0x190
[   26.624075]  [] do_group_exit+0x108/0x320
[   26.629764]  [] ? lockdep_sys_exit_thunk+0x12/0x14
[   26.636225]  [] SyS_exit_group+0x1d/0x20
[   26.641816]  [] entry_SYSCALL_64_fastpath+0x1c/0x98
[   26.648360]
[   26.649955] Allocated by task 3317:
[   26.653548]  [] save_stack_trace+0x26/0x50
[   26.659433]  [] save_stack+0x43/0xd0
[   26.664797]  [] kasan_kmalloc+0xad/0xe0
[   26.670414]  [] kmem_cache_alloc_trace+0x100/0x2b0
[   26.676986]  [] binder_get_thread+0x15d/0x750
[   26.683129]  [] binder_poll+0x4a/0x210
[   26.688662]  [] SyS_epoll_ctl+0x10b1/0x2040
[   26.694628]  [] entry_SYSCALL_64_fastpath+0x1c/0x98
[   26.701290]
[   26.702887] Freed by task 3317:
[   26.706130]  [] save_stack_trace+0x26/0x50
[   26.712022]  [] save_stack+0x43/0xd0
[   26.717389]  [] kasan_slab_free+0x72/0xc0
[   26.723189]  [] kfree+0xfc/0x300
[   26.728233]  [] binder_thread_dec_tmpref+0x1c1/0x250
[   26.735210]  [] binder_thread_release+0x27d/0x540
[   26.735217]  [] binder_ioctl+0xb94/0x12e0
[   26.735226]  [] do_vfs_ioctl+0x7aa/0xee0
[   26.735237]  [] SyS_ioctl+0x8f/0xc0
[   26.735246]  [] entry_SYSCALL_64_fastpath+0x1c/0x98
[   26.735248]
[   26.735253] The buggy address belongs to the object at ffff8801d0813b80
[   26.735253]  which belongs to the cache kmalloc-512 of size 512
[   26.735257] The buggy address is located 184 bytes inside of
[   26.735257]  512-byte region [ffff8801d0813b80, ffff8801d0813d80)
[   26.735258] The buggy address belongs to the page:
[   26.796471] audit: type=1400 audit(1516970829.578:5): avc: denied { use } for pid=3318 comm="init" path="/dev/console" dev="devtmpfs" ino=6304 scontext=system_u:object_r:unlabeled_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=fd permissive=1
[   26.818819] ------------[ cut here ]------------
[   26.823599] WARNING: CPU: 1 PID: 3170 at kernel/locking/lockdep.c:3190 __lock_acquire+0x23b3/0x4b50()
[   26.832952] DEBUG_LOCKS_WARN_ON(id >= MAX_LOCKDEP_KEYS)
[   26.838141] Kernel panic - not syncing: panic_on_warn set ...
[   26.838141]
[   26.845815] CPU: 1 PID: 3170 Comm: rsyslogd Not tainted 4.4.113-ge70c132 #34
[   26.853001] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   26.862356]  0000000000000000 071b44b04c65ba47 ffff8800b6707850 ffffffff81d0278d
[   26.870433]  ffffffff838439a0 ffff8800b6707928 ffffffff83855780 0000000000000009
[   26.878478]  0000000000000c76 ffff8800b6707918 ffffffff81419b6a 0000000041b58ab3
[   26.886530] Call Trace:
[   26.889115]  [] dump_stack+0xc1/0x124
[   26.894483]  [] panic+0x1aa/0x388
[   26.899506]  [] ? percpu_up_read.constprop.45+0xe1/0xe1
[   26.906440]  [] ? warn_slowpath_common+0x10a/0x140
[   26.912937]  [] warn_slowpath_common+0x125/0x140
[   26.919270]  [] ? __lock_acquire+0x23b3/0x4b50
[   26.925420]  [] warn_slowpath_fmt+0xc1/0x110
[   26.931396]  [] ? warn_slowpath_common+0x140/0x140
[   26.937890]  [] ? save_trace+0xe0/0x270
[   26.943433]  [] ? _raw_spin_unlock_irqrestore+0x5a/0x70
[   26.950358]  [] ? mark_lock+0x45e/0xfd0
[   26.955896]  [] __lock_acquire+0x23b3/0x4b50
[   26.961871]  [] ? mark_held_locks+0xaf/0x100
[   26.967855]  [] ? quarantine_put+0xab/0x180
[   26.973751]  [] ? trace_hardirqs_on_caller+0x38b/0x590
[   26.980621]  [] ? debug_check_no_locks_freed+0x2c0/0x2c0
[   26.987636]  [] ? do_syslog+0x983/0xae0
[   26.993180]  [] ? kasan_slab_free+0x88/0xc0
[   26.999068]  [] ? kfree+0xfc/0x300
[   27.004172]  [] ? do_syslog+0xd5/0xae0
[   27.009633]  [] lock_acquire+0x15e/0x460
[   27.015260]  [] ? force_sig_info+0x54/0x300
[   27.021152]  [] _raw_spin_lock_irqsave+0x4e/0x70
[   27.027474]  [] ? force_sig_info+0x54/0x300
[   27.033364]  [] force_sig_info+0x54/0x300
[   27.039084]  [] ? __check_object_size+0x154/0x35b
[   27.045496]  [] force_sig_info_fault.constprop.20+0x158/0x1c0
[   27.052944]  [] ? is_prefetch.isra.17+0x380/0x380
[   27.059356]  [] ? spurious_fault+0x370/0x370
[   27.065331]  [] ? __mutex_unlock_slowpath+0x242/0x3b0
[   27.072090]  [] ? __bad_area_nosemaphore+0x3e/0x420
[   27.078668]  [] __bad_area_nosemaphore+0x21b/0x420
[   27.085171]  [] ? vfs_read+0x16a/0x3a0
[   27.090624]  [] bad_area_nosemaphore+0x2a/0x40
[   27.096777]  [] __do_page_fault+0x144/0xa00
[   27.102667]  [] ? trace_hardirqs_off_thunk+0x17/0x19
[   27.109343]  [] do_page_fault+0x27/0x30
[   27.114886]  [] page_fault+0x28/0x30
[   28.249060] Shutting down cpus with NMI
[   28.253503] Dumping ftrace buffer:
[   28.257034]    (ftrace buffer empty)
[   28.260713] Kernel Offset: disabled
[   28.264306] Rebooting in 86400 seconds..