[ ok ] Starting enhanced syslogd: rsyslogd.
[ 10.434754] audit: type=1400 audit(1515500350.584:4): avc: denied { syslog } for pid=3159 comm="rsyslogd" capability=34 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=capability2 permissive=1
Starting mcstransd:
[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting file context maintaining daemon: restorecond.
[ ok ] Starting OpenBSD Secure Shell server: sshd.

Debian GNU/Linux 7 syzkaller ttyS0

Warning: Permanently added '10.128.0.13' (ECDSA) to the list of known hosts.
executing program
syzkaller login: [ 34.607961] ==================================================================
[ 34.609227] BUG: KASAN: use-after-free in __lock_acquire+0x2eff/0x3640
[ 34.610124] Read of size 8 at addr ffff8801c9a19738 by task syzkaller990660/3328
[ 34.611197]
[ 34.611430] CPU: 0 PID: 3328 Comm: syzkaller990660 Not tainted 4.9.75-gb54d99a #8
[ 34.612468] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 34.613815]  ffff8801c88c78e0 ffffffff81d93049 ffffea0007268600 ffff8801c9a19738
[ 34.615049]  0000000000000000 ffff8801c9a19738 ffff8801c9a19738 ffff8801c88c7918
[ 34.616306]  ffffffff8153ca53 ffff8801c9a19738 0000000000000008 0000000000000000
[ 34.617525] Call Trace:
[ 34.617918]  [] dump_stack+0xc1/0x128
[ 34.618631]  [] print_address_description+0x73/0x280
[ 34.619625]  [] kasan_report+0x275/0x360
[ 34.620415]  [] ? __lock_acquire+0x2eff/0x3640
[ 34.621223]  [] __asan_report_load8_noabort+0x14/0x20
[ 34.622108]  [] __lock_acquire+0x2eff/0x3640
[ 34.622925]  [] ? __lock_acquire+0x629/0x3640
[ 34.623751]  [] ? debug_check_no_locks_freed+0x2c0/0x2c0
[ 34.624713]  [] ? debug_check_no_locks_freed+0x2c0/0x2c0
[ 34.625636]  [] ? debug_check_no_locks_freed+0x2c0/0x2c0
[ 34.626554]  [] ? mark_held_locks+0xaf/0x100
[ 34.627417]  [] ? mutex_lock_nested+0x5e3/0x870
[ 34.629325]  [] lock_acquire+0x12e/0x410
[ 34.634924]  [] ? remove_wait_queue+0x14/0x40
[ 34.640949]  [] _raw_spin_lock_irqsave+0x4e/0x70
[ 34.647244]  [] ? remove_wait_queue+0x14/0x40
[ 34.653267]  [] remove_wait_queue+0x14/0x40
[ 34.659121]  [] ep_unregister_pollwait.isra.6+0xaf/0x240
[ 34.666110]  [] ? ep_unregister_pollwait.isra.6+0x12a/0x240
[ 34.673347]  [] ? ep_free+0x1b0/0x1b0
[ 34.678674]  [] ep_free+0x96/0x1b0
[ 34.683750]  [] ? ep_free+0x1b0/0x1b0
[ 34.689078]  [] ep_eventpoll_release+0x44/0x60
[ 34.695198]  [] __fput+0x28c/0x6e0
[ 34.700265]  [] ____fput+0x15/0x20
[ 34.705333]  [] task_work_run+0x115/0x190
[ 34.711011]  [] do_exit+0x7e7/0x2a40
[ 34.716270]  [] ? selinux_file_ioctl+0x355/0x530
[ 34.722555]  [] ? release_task+0x1240/0x1240
[ 34.728494]  [] ? SyS_epoll_create+0x190/0x190
[ 34.734608]  [] ? entry_SYSCALL_64_fastpath+0x5/0xe2
[ 34.741241]  [] do_group_exit+0x108/0x320
[ 34.746922]  [] SyS_exit_group+0x1d/0x20
[ 34.752512]  [] entry_SYSCALL_64_fastpath+0x23/0xe2
[ 34.759054]
[ 34.760648] Allocated by task 3328:
[ 34.764243]  save_stack_trace+0x16/0x20
[ 34.768184]  save_stack+0x43/0xd0
[ 34.771602]  kasan_kmalloc+0xad/0xe0
[ 34.775281]  kmem_cache_alloc_trace+0xfb/0x2a0
[ 34.779830]  binder_get_thread+0x15d/0x750
[ 34.784030]  binder_poll+0x4a/0x210
[ 34.787625]  SyS_epoll_ctl+0x11d7/0x2190
[ 34.791649]  entry_SYSCALL_64_fastpath+0x23/0xe2
[ 34.796367]
[ 34.797961] Freed by task 3328:
[ 34.801205]  save_stack_trace+0x16/0x20
[ 34.805144]  save_stack+0x43/0xd0
[ 34.808561]  kasan_slab_free+0x72/0xc0
[ 34.812412]  kfree+0x103/0x300
[ 34.815579]  binder_thread_dec_tmpref+0x1cc/0x240
[ 34.820394]  binder_thread_release+0x27d/0x540
[ 34.824941]  binder_ioctl+0x9c0/0x11b0
[ 34.828798]  do_vfs_ioctl+0x1aa/0x1140
[ 34.832648]  SyS_ioctl+0x8f/0xc0
[ 34.835982]  entry_SYSCALL_64_fastpath+0x23/0xe2
[ 34.840700]
[ 34.842293] The buggy address belongs to the object at ffff8801c9a19680
[ 34.842293]  which belongs to the cache kmalloc-512 of size 512
[ 34.854915] The buggy address is located 184 bytes inside of
[ 34.854915]  512-byte region [ffff8801c9a19680, ffff8801c9a19880)
[ 34.866754] The buggy address belongs to the page:
[ 34.871665] page:ffffea0007268600 count:1 mapcount:0 mapping: (null) index:0x0 compound_mapcount: 0
[ 34.881829] flags: 0x8000000000004080(slab|head)
[ 34.886572] page dumped because: kasan: bad access detected
[ 34.892250]
[ 34.893841] Memory state around the buggy address:
[ 34.898736]  ffff8801c9a19600: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 34.906060]  ffff8801c9a19680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 34.913384] >ffff8801c9a19700: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 34.920717]                                         ^
[ 34.925871]  ffff8801c9a19780: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 34.933193]  ffff8801c9a19800: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 34.940514] ==================================================================
[ 34.947839] Disabling lock debugging due to kernel taint
[ 34.953253] Kernel panic - not syncing: panic_on_warn set ...
[ 34.953253]
[ 34.960666] CPU: 0 PID: 3328 Comm: syzkaller990660 Tainted: G    B   4.9.75-gb54d99a #8
[ 34.969465] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 34.978788]  ffff8801c88c7838 ffffffff81d93049 ffffffff84195be7 ffff8801c88c7910
[ 34.986745]  0000000000000000 ffff8801c9a19738 ffff8801c9a19738 ffff8801c88c7900
[ 34.994696]  ffffffff8142e281 0000000041b58ab3 ffffffff84189648 ffffffff8142e0c5
[ 35.003259] Call Trace:
[ 35.005815]  [] dump_stack+0xc1/0x128
[ 35.011143]  [] panic+0x1bc/0x3a8
[ 35.016126]  [] ? percpu_up_read_preempt_enable.constprop.53+0xd7/0xd7
[ 35.024322]  [] ? add_taint+0x40/0x50
[ 35.029655]  [] kasan_end_report+0x50/0x50
[ 35.035420]  [] kasan_report+0x167/0x360
[ 35.041010]  [] ? __lock_acquire+0x2eff/0x3640
[ 35.047120]  [] __asan_report_load8_noabort+0x14/0x20
[ 35.053846]  [] __lock_acquire+0x2eff/0x3640
[ 35.059792]  [] ? __lock_acquire+0x629/0x3640
[ 35.065826]  [] ? debug_check_no_locks_freed+0x2c0/0x2c0
[ 35.072808]  [] ? debug_check_no_locks_freed+0x2c0/0x2c0
[ 35.079788]  [] ? debug_check_no_locks_freed+0x2c0/0x2c0
[ 35.086863]  [] ? mark_held_locks+0xaf/0x100
[ 35.092800]  [] ? mutex_lock_nested+0x5e3/0x870
[ 35.099000]  [] lock_acquire+0x12e/0x410
[ 35.104598]  [] ? remove_wait_queue+0x14/0x40
[ 35.110637]  [] _raw_spin_lock_irqsave+0x4e/0x70
[ 35.116930]  [] ? remove_wait_queue+0x14/0x40
[ 35.122956]  [] remove_wait_queue+0x14/0x40
[ 35.128817]  [] ep_unregister_pollwait.isra.6+0xaf/0x240
[ 35.135796]  [] ? ep_unregister_pollwait.isra.6+0x12a/0x240
[ 35.143034]  [] ? ep_free+0x1b0/0x1b0
[ 35.148366]  [] ep_free+0x96/0x1b0
[ 35.153435]  [] ? ep_free+0x1b0/0x1b0
[ 35.158852]  [] ep_eventpoll_release+0x44/0x60
[ 35.164966]  [] __fput+0x28c/0x6e0
[ 35.170036]  [] ____fput+0x15/0x20
[ 35.175111]  [] task_work_run+0x115/0x190
[ 35.180798]  [] do_exit+0x7e7/0x2a40
[ 35.186041]  [] ? selinux_file_ioctl+0x355/0x530
[ 35.192333]  [] ? release_task+0x1240/0x1240
[ 35.198290]  [] ? SyS_epoll_create+0x190/0x190
[ 35.204403]  [] ? entry_SYSCALL_64_fastpath+0x5/0xe2
[ 35.211035]  [] do_group_exit+0x108/0x320
[ 35.216712]  [] SyS_exit_group+0x1d/0x20
[ 35.222300]  [] entry_SYSCALL_64_fastpath+0x23/0xe2
[ 35.228895] Dumping ftrace buffer:
[ 35.232404]    (ftrace buffer empty)
[ 35.236080] Kernel Offset: disabled
[ 35.239670] Rebooting in 86400 seconds..