[....] Starting enhanced syslogd: rsyslogd
[   13.000795] audit: type=1400 audit(1516148448.374:4): avc:  denied  { syslog } for  pid=3194 comm="rsyslogd" capability=34  scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=capability2 permissive=1
[ ok ] Starting enhanced syslogd: rsyslogd.
[ ok ] Starting periodic command scheduler: cron.
Starting mcstransd:
[ ok ] Starting file context maintaining daemon: restorecond.
[ ok ] Starting OpenBSD Secure Shell server: sshd.

Debian GNU/Linux 7 syzkaller ttyS0

Warning: Permanently added '10.128.0.49' (ECDSA) to the list of known hosts.
executing program
syzkaller login: [   26.639664] ==================================================================
[   26.647075] BUG: KASAN: use-after-free in __lock_acquire+0x2eff/0x3640
[   26.653707] Read of size 8 at addr ffff8801c9293c38 by task syzkaller565007/3351
[   26.661212]
[   26.662808] CPU: 0 PID: 3351 Comm: syzkaller565007 Not tainted 4.9.76-g8dec074 #13
[   26.670478] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   26.679804]  ffff8801c942f8e0 ffffffff81d93169 ffffea000724a480 ffff8801c9293c38
[   26.687760]  0000000000000000 ffff8801c9293c38 ffff8801c9293c38 ffff8801c942f918
[   26.695707]  ffffffff8153cb43 ffff8801c9293c38 0000000000000008 0000000000000000
[   26.703681] Call Trace:
[   26.706245]  [] dump_stack+0xc1/0x128
[   26.711575]  [] print_address_description+0x73/0x280
[   26.718207]  [] kasan_report+0x275/0x360
[   26.723796]  [] ? __lock_acquire+0x2eff/0x3640
[   26.729909]  [] __asan_report_load8_noabort+0x14/0x20
[   26.736657]  [] __lock_acquire+0x2eff/0x3640
[   26.742609]  [] ? __lock_acquire+0x629/0x3640
[   26.748634]  [] ? debug_check_no_locks_freed+0x2c0/0x2c0
[   26.755613]  [] ? debug_check_no_locks_freed+0x2c0/0x2c0
[   26.762601]  [] ? debug_check_no_locks_freed+0x2c0/0x2c0
[   26.769586]  [] ? mark_held_locks+0xaf/0x100
[   26.775522]  [] ? mutex_lock_nested+0x5e3/0x870
[   26.781718]  [] lock_acquire+0x12e/0x410
[   26.787306]  [] ? remove_wait_queue+0x14/0x40
[   26.793327]  [] _raw_spin_lock_irqsave+0x4e/0x70
[   26.799616]  [] ? remove_wait_queue+0x14/0x40
[   26.805643]  [] remove_wait_queue+0x14/0x40
[   26.811511]  [] ep_unregister_pollwait.isra.6+0xaf/0x240
[   26.818491]  [] ? ep_unregister_pollwait.isra.6+0x12a/0x240
[   26.825733]  [] ? ep_free+0x1b0/0x1b0
[   26.831075]  [] ep_free+0x96/0x1b0
[   26.836143]  [] ? ep_free+0x1b0/0x1b0
[   26.841471]  [] ep_eventpoll_release+0x44/0x60
[   26.847581]  [] __fput+0x28c/0x6e0
[   26.852648]  [] ____fput+0x15/0x20
[   26.857716]  [] task_work_run+0x115/0x190
[   26.863393]  [] do_exit+0x7e7/0x2a40
[   26.868637]  [] ? selinux_file_ioctl+0x355/0x530
[   26.874924]  [] ? release_task+0x1240/0x1240
[   26.880863]  [] ? SyS_epoll_create+0x190/0x190
[   26.886974]  [] ? entry_SYSCALL_64_fastpath+0x5/0xe2
[   26.893604]  [] do_group_exit+0x108/0x320
[   26.899289]  [] SyS_exit_group+0x1d/0x20
[   26.904880]  [] entry_SYSCALL_64_fastpath+0x23/0xe2
[   26.911431]
[   26.913026] Allocated by task 3351:
[   26.916624]  save_stack_trace+0x16/0x20
[   26.920564]  save_stack+0x43/0xd0
[   26.923986]  kasan_kmalloc+0xad/0xe0
[   26.927665]  kmem_cache_alloc_trace+0xfb/0x2a0
[   26.932214]  binder_get_thread+0x15d/0x750
[   26.936413]  binder_poll+0x4a/0x210
[   26.940005]  SyS_epoll_ctl+0x11d7/0x2190
[   26.944041]  entry_SYSCALL_64_fastpath+0x23/0xe2
[   26.948759]
[   26.950353] Freed by task 3351:
[   26.953597]  save_stack_trace+0x16/0x20
[   26.957538]  save_stack+0x43/0xd0
[   26.960964]  kasan_slab_free+0x72/0xc0
[   26.964815]  kfree+0x103/0x300
[   26.967983]  binder_thread_dec_tmpref+0x1cc/0x240
[   26.972800]  binder_thread_release+0x27d/0x540
[   26.977354]  binder_ioctl+0x9c0/0x11b0
[   26.981213]  do_vfs_ioctl+0x1aa/0x1140
[   26.985073]  SyS_ioctl+0x8f/0xc0
[   26.988406]  entry_SYSCALL_64_fastpath+0x23/0xe2
[   26.993121]
[   26.994714] The buggy address belongs to the object at ffff8801c9293b80
[   26.994714]  which belongs to the cache kmalloc-512 of size 512
[   27.007336] The buggy address is located 184 bytes inside of
[   27.007336]  512-byte region [ffff8801c9293b80, ffff8801c9293d80)
[   27.019173] The buggy address belongs to the page:
[   27.024074] page:ffffea000724a480 count:1 mapcount:0 mapping:          (null) index:0x0 compound_mapcount: 0
[   27.034234] flags: 0x8000000000004080(slab|head)
[   27.038953] page dumped because: kasan: bad access detected
[   27.044635]
[   27.046227] Memory state around the buggy address:
[   27.051120]  ffff8801c9293b00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   27.058442]  ffff8801c9293b80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   27.065778] >ffff8801c9293c00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   27.073102]                                         ^
[   27.078257]  ffff8801c9293c80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   27.085589]  ffff8801c9293d00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   27.092910] ==================================================================
[   27.100240] Disabling lock debugging due to kernel taint
[   27.105656] Kernel panic - not syncing: panic_on_warn set ...
[   27.105656]
[   27.112991] CPU: 0 PID: 3351 Comm: syzkaller565007 Tainted: G    B           4.9.76-g8dec074 #13
[   27.121889] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   27.131212]  ffff8801c942f838 ffffffff81d93169 ffffffff84195c2f ffff8801c942f910
[   27.139182]  0000000000000000 ffff8801c9293c38 ffff8801c9293c38 ffff8801c942f900
[   27.147126]  ffffffff8142e371 0000000041b58ab3 ffffffff84189690 ffffffff8142e1b5
[   27.155072] Call Trace:
[   27.157628]  [] dump_stack+0xc1/0x128
[   27.162961]  [] panic+0x1bc/0x3a8
[   27.167942]  [] ? percpu_up_read_preempt_enable.constprop.53+0xd7/0xd7
[   27.176137]  [] ? add_taint+0x40/0x50
[   27.181468]  [] kasan_end_report+0x50/0x50
[   27.187238]  [] kasan_report+0x167/0x360
[   27.192828]  [] ? __lock_acquire+0x2eff/0x3640
[   27.198939]  [] __asan_report_load8_noabort+0x14/0x20
[   27.205659]  [] __lock_acquire+0x2eff/0x3640
[   27.211597]  [] ? __lock_acquire+0x629/0x3640
[   27.217622]  [] ? debug_check_no_locks_freed+0x2c0/0x2c0
[   27.224603]  [] ? debug_check_no_locks_freed+0x2c0/0x2c0
[   27.231585]  [] ? debug_check_no_locks_freed+0x2c0/0x2c0
[   27.238586]  [] ? mark_held_locks+0xaf/0x100
[   27.244524]  [] ? mutex_lock_nested+0x5e3/0x870
[   27.250722]  [] lock_acquire+0x12e/0x410
[   27.256321]  [] ? remove_wait_queue+0x14/0x40
[   27.262343]  [] _raw_spin_lock_irqsave+0x4e/0x70
[   27.268627]  [] ? remove_wait_queue+0x14/0x40
[   27.274651]  [] remove_wait_queue+0x14/0x40
[   27.280502]  [] ep_unregister_pollwait.isra.6+0xaf/0x240
[   27.287480]  [] ? ep_unregister_pollwait.isra.6+0x12a/0x240
[   27.294720]  [] ? ep_free+0x1b0/0x1b0
[   27.300056]  [] ep_free+0x96/0x1b0
[   27.305124]  [] ? ep_free+0x1b0/0x1b0
[   27.310462]  [] ep_eventpoll_release+0x44/0x60
[   27.316580]  [] __fput+0x28c/0x6e0
[   27.321657]  [] ____fput+0x15/0x20
[   27.326733]  [] task_work_run+0x115/0x190
[   27.332409]  [] do_exit+0x7e7/0x2a40
[   27.337655]  [] ? selinux_file_ioctl+0x355/0x530
[   27.343938]  [] ? release_task+0x1240/0x1240
[   27.349875]  [] ? SyS_epoll_create+0x190/0x190
[   27.355991]  [] ? entry_SYSCALL_64_fastpath+0x5/0xe2
[   27.362622]  [] do_group_exit+0x108/0x320
[   27.368311]  [] SyS_exit_group+0x1d/0x20
[   27.373900]  [] entry_SYSCALL_64_fastpath+0x23/0xe2
[   27.380844] Dumping ftrace buffer:
[   27.384350]    (ftrace buffer empty)
[   27.388027] Kernel Offset: disabled
[   27.391626] Rebooting in 86400 seconds..