[....] Starting enhanced syslogd: rsyslogd
[ 13.200508] audit: type=1400 audit(1515539866.500:4): avc: denied { syslog } for pid=3175 comm="rsyslogd" capability=34 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=capability2 permissive=1
[ ok ] Starting enhanced syslogd: rsyslogd.
[ ok ] Starting periodic command scheduler: cron.
Starting mcstransd:
[ ok ] Starting file context maintaining daemon: restorecond.
[ ok ] Starting OpenBSD Secure Shell server: sshd.
Debian GNU/Linux 7 syzkaller ttyS0
Warning: Permanently added '10.128.15.205' (ECDSA) to the list of known hosts.
executing program
syzkaller login: [ 39.731689] ==================================================================
[ 39.739082] BUG: KASAN: use-after-free in __lock_acquire+0x2eff/0x3640
[ 39.745715] Read of size 8 at addr ffff8801cc150ab8 by task syzkaller828606/3341
[ 39.753223]
[ 39.754822] CPU: 1 PID: 3341 Comm: syzkaller828606 Not tainted 4.9.75-g8910fa5 #9
[ 39.762410] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 39.771739]  ffff8801c87cf8e0 ffffffff81d93049 ffffea0007305400 ffff8801cc150ab8
[ 39.779692]  0000000000000000 ffff8801cc150ab8 ffff8801cc150ab8 ffff8801c87cf918
[ 39.787665]  ffffffff8153ca53 ffff8801cc150ab8 0000000000000008 0000000000000000
[ 39.795615] Call Trace:
[ 39.798171]  [] dump_stack+0xc1/0x128
[ 39.803507]  [] print_address_description+0x73/0x280
[ 39.810140]  [] kasan_report+0x275/0x360
[ 39.815729]  [] ? __lock_acquire+0x2eff/0x3640
[ 39.821851]  [] __asan_report_load8_noabort+0x14/0x20
[ 39.828571]  [] __lock_acquire+0x2eff/0x3640
[ 39.834513]  [] ? __lock_acquire+0x629/0x3640
[ 39.840546]  [] ? debug_check_no_locks_freed+0x2c0/0x2c0
[ 39.847542]  [] ? debug_check_no_locks_freed+0x2c0/0x2c0
[ 39.854521]  [] ? debug_check_no_locks_freed+0x2c0/0x2c0
[ 39.861501]  [] ? mark_held_locks+0xaf/0x100
[ 39.867437]  [] ? mutex_lock_nested+0x5e3/0x870
[ 39.873637]  [] lock_acquire+0x12e/0x410
[ 39.879235]  [] ? remove_wait_queue+0x14/0x40
[ 39.885257]  [] _raw_spin_lock_irqsave+0x4e/0x70
[ 39.891542]  [] ? remove_wait_queue+0x14/0x40
[ 39.897566]  [] remove_wait_queue+0x14/0x40
[ 39.903419]  [] ep_unregister_pollwait.isra.6+0xaf/0x240
[ 39.910398]  [] ? ep_unregister_pollwait.isra.6+0x12a/0x240
[ 39.917639]  [] ? ep_free+0x1b0/0x1b0
[ 39.922969]  [] ep_free+0x96/0x1b0
[ 39.928041]  [] ? ep_free+0x1b0/0x1b0
[ 39.933455]  [] ep_eventpoll_release+0x44/0x60
[ 39.939574]  [] __fput+0x28c/0x6e0
[ 39.944641]  [] ____fput+0x15/0x20
[ 39.949708]  [] task_work_run+0x115/0x190
[ 39.955397]  [] do_exit+0x7e7/0x2a40
[ 39.960642]  [] ? selinux_file_ioctl+0x355/0x530
[ 39.966927]  [] ? release_task+0x1240/0x1240
[ 39.972873]  [] ? SyS_epoll_create+0x190/0x190
[ 39.978996]  [] ? entry_SYSCALL_64_fastpath+0x5/0xe2
[ 39.985629]  [] do_group_exit+0x108/0x320
[ 39.991309]  [] SyS_exit_group+0x1d/0x20
[ 39.996900]  [] entry_SYSCALL_64_fastpath+0x23/0xe2
[ 40.003442]
[ 40.005039] Allocated by task 3341:
[ 40.008637]  save_stack_trace+0x16/0x20
[ 40.012583]  save_stack+0x43/0xd0
[ 40.016013]  kasan_kmalloc+0xad/0xe0
[ 40.019702]  kmem_cache_alloc_trace+0xfb/0x2a0
[ 40.024252]  binder_get_thread+0x15d/0x750
[ 40.028453]  binder_poll+0x4a/0x210
[ 40.032050]  SyS_epoll_ctl+0x11d7/0x2190
[ 40.036081]  entry_SYSCALL_64_fastpath+0x23/0xe2
[ 40.040798]
[ 40.042395] Freed by task 3341:
[ 40.045648]  save_stack_trace+0x16/0x20
[ 40.049601]  save_stack+0x43/0xd0
[ 40.053024]  kasan_slab_free+0x72/0xc0
[ 40.056881]  kfree+0x103/0x300
[ 40.060052]  binder_thread_dec_tmpref+0x1cc/0x240
[ 40.064858]  binder_thread_release+0x27d/0x540
[ 40.069403]  binder_ioctl+0x9c0/0x11b0
[ 40.073254]  do_vfs_ioctl+0x1aa/0x1140
[ 40.077114]  SyS_ioctl+0x8f/0xc0
[ 40.080447]  entry_SYSCALL_64_fastpath+0x23/0xe2
[ 40.085169]
[ 40.086775] The buggy address belongs to the object at ffff8801cc150a00
[ 40.086775]  which belongs to the cache kmalloc-512 of size 512
[ 40.099398] The buggy address is located 184 bytes inside of
[ 40.099398]  512-byte region [ffff8801cc150a00, ffff8801cc150c00)
[ 40.111240] The buggy address belongs to the page:
[ 40.116137] page:ffffea0007305400 count:1 mapcount:0 mapping: (null) index:0x0 compound_mapcount: 0
[ 40.126297] flags: 0x8000000000004080(slab|head)
[ 40.131021] page dumped because: kasan: bad access detected
[ 40.136692]
[ 40.138283] Memory state around the buggy address:
[ 40.143175]  ffff8801cc150980: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 40.150507]  ffff8801cc150a00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 40.158189] >ffff8801cc150a80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 40.165510]                                         ^
[ 40.170665]  ffff8801cc150b00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 40.178000]  ffff8801cc150b80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 40.185327] ==================================================================
[ 40.192649] Disabling lock debugging due to kernel taint
[ 40.198065] Kernel panic - not syncing: panic_on_warn set ...
[ 40.198065]
[ 40.205397] CPU: 1 PID: 3341 Comm: syzkaller828606 Tainted: G    B   4.9.75-g8910fa5 #9
[ 40.214961] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 40.224286]  ffff8801c87cf838 ffffffff81d93049 ffffffff84195be7 ffff8801c87cf910
[ 40.232239]  0000000000000000 ffff8801cc150ab8 ffff8801cc150ab8 ffff8801c87cf900
[ 40.240188]  ffffffff8142e281 0000000041b58ab3 ffffffff84189648 ffffffff8142e0c5
[ 40.248148] Call Trace:
[ 40.250703]  [] dump_stack+0xc1/0x128
[ 40.256555]  [] panic+0x1bc/0x3a8
[ 40.261538]  [] ? percpu_up_read_preempt_enable.constprop.53+0xd7/0xd7
[ 40.269731]  [] ? add_taint+0x40/0x50
[ 40.275061]  [] kasan_end_report+0x50/0x50
[ 40.280837]  [] kasan_report+0x167/0x360
[ 40.286436]  [] ? __lock_acquire+0x2eff/0x3640
[ 40.292564]  [] __asan_report_load8_noabort+0x14/0x20
[ 40.299303]  [] __lock_acquire+0x2eff/0x3640
[ 40.305343]  [] ? __lock_acquire+0x629/0x3640
[ 40.311381]  [] ? debug_check_no_locks_freed+0x2c0/0x2c0
[ 40.318364]  [] ? debug_check_no_locks_freed+0x2c0/0x2c0
[ 40.325349]  [] ? debug_check_no_locks_freed+0x2c0/0x2c0
[ 40.332327]  [] ? mark_held_locks+0xaf/0x100
[ 40.338268]  [] ? mutex_lock_nested+0x5e3/0x870
[ 40.344484]  [] lock_acquire+0x12e/0x410
[ 40.350080]  [] ? remove_wait_queue+0x14/0x40
[ 40.356103]  [] _raw_spin_lock_irqsave+0x4e/0x70
[ 40.362389]  [] ? remove_wait_queue+0x14/0x40
[ 40.368412]  [] remove_wait_queue+0x14/0x40
[ 40.374264]  [] ep_unregister_pollwait.isra.6+0xaf/0x240
[ 40.381244]  [] ? ep_unregister_pollwait.isra.6+0x12a/0x240
[ 40.388482]  [] ? ep_free+0x1b0/0x1b0
[ 40.393820]  [] ep_free+0x96/0x1b0
[ 40.398896]  [] ? ep_free+0x1b0/0x1b0
[ 40.404224]  [] ep_eventpoll_release+0x44/0x60
[ 40.410336]  [] __fput+0x28c/0x6e0
[ 40.415406]  [] ____fput+0x15/0x20
[ 40.420474]  [] task_work_run+0x115/0x190
[ 40.426150]  [] do_exit+0x7e7/0x2a40
[ 40.431394]  [] ? selinux_file_ioctl+0x355/0x530
[ 40.437676]  [] ? release_task+0x1240/0x1240
[ 40.443617]  [] ? SyS_epoll_create+0x190/0x190
[ 40.449729]  [] ? entry_SYSCALL_64_fastpath+0x5/0xe2
[ 40.456362]  [] do_group_exit+0x108/0x320
[ 40.462037]  [] SyS_exit_group+0x1d/0x20
[ 40.467626]  [] entry_SYSCALL_64_fastpath+0x23/0xe2
[ 40.474587] Dumping ftrace buffer:
[ 40.478100]    (ftrace buffer empty)
[ 40.481773] Kernel Offset: disabled
[ 40.485363] Rebooting in 86400 seconds..