[ ok ] Starting enhanced syslogd: rsyslogd.
[ 13.634352] audit: type=1400 audit(1519223228.080:4): avc: denied { syslog } for pid=3647 comm="rsyslogd" capability=34 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=capability2 permissive=1
[ ok ] Starting periodic command scheduler: cron.
Starting mcstransd:
[ ok ] Starting file context maintaining daemon: restorecond.
[ ok ] Starting OpenBSD Secure Shell server: sshd.

Debian GNU/Linux 7 syzkaller ttyS0

Warning: Permanently added '10.128.15.219' (ECDSA) to the list of known hosts.
2018/02/21 14:27:22 parsed 1 programs
2018/02/21 14:27:22 executed programs: 0

syzkaller login:
[ 27.753094] audit: type=1400 audit(1519223242.190:5): avc: denied { sys_admin } for pid=3809 comm="syz-executor0" capability=21 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=cap_userns permissive=1
[ 27.777759] IPVS: Creating netns size=2536 id=1
[ 27.809299] IPVS: Creating netns size=2536 id=2
[ 27.819883] IPVS: Creating netns size=2536 id=3
[ 27.824944] audit: type=1400 audit(1519223242.270:6): avc: denied { sys_chroot } for pid=3813 comm="syz-executor2" capability=18 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=cap_userns permissive=1
[ 27.850590] audit: type=1400 audit(1519223242.290:7): avc: denied { net_admin } for pid=3813 comm="syz-executor2" capability=12 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=cap_userns permissive=1
[ 27.875539] IPVS: Creating netns size=2536 id=4
[ 27.896043] ==================================================================
[ 27.903411] BUG: KASAN: use-after-free in do_raw_spin_lock+0x1ac/0x1e0
[ 27.910045] Read of size 4 at addr ffff8801b9fb0aa4 by task syz-executor3/3856
[ 27.917368]
[ 27.918969] CPU: 0 PID: 3856 Comm: syz-executor3 Not tainted 4.9.82-gcdfc8df #45
[ 27.926469] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 27.935798] ffff8801d7987c30 ffffffff81d94fc9 ffffea0006e7ec00 ffff8801b9fb0aa4
[ 27.943779] 0000000000000000 ffff8801b9fb0aa4 ffff8801b400b880 ffff8801d7987c68
[ 27.951748] ffffffff8153e213 ffff8801b9fb0aa4 0000000000000004 0000000000000000
[ 27.959714] Call Trace:
[ 27.962272] [] dump_stack+0xc1/0x128
[ 27.967608] [] print_address_description+0x73/0x280
[ 27.974244] [] kasan_report+0x275/0x360
[ 27.979843] [] ? do_raw_spin_lock+0x1ac/0x1e0
[ 27.985961] [] __asan_report_load4_noabort+0x14/0x20
[ 27.992686] [] do_raw_spin_lock+0x1ac/0x1e0
[ 27.998627] [] _raw_spin_lock_irqsave+0x56/0x70
[ 28.004916] [] ? remove_wait_queue+0x14/0x40
[ 28.010941] [] remove_wait_queue+0x14/0x40
[ 28.016796] [] ep_unregister_pollwait.isra.6+0xaf/0x240
[ 28.023777] [] ? ep_unregister_pollwait.isra.6+0x12a/0x240
[ 28.031026] [] ? ep_free+0x1b0/0x1b0
[ 28.036358] [] ep_free+0x96/0x1b0
[ 28.041427] [] ? ep_free+0x1b0/0x1b0
[ 28.046757] [] ep_eventpoll_release+0x44/0x60
[ 28.052868] [] __fput+0x28c/0x6e0
[ 28.057947] [] ____fput+0x15/0x20
[ 28.063020] [] task_work_run+0x115/0x190
[ 28.068699] [] exit_to_usermode_loop+0xfc/0x120
[ 28.074989] [] do_fast_syscall_32+0x5c3/0x870
[ 28.081103] [] ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 28.087748] [] entry_SYSENTER_compat+0x74/0x83
[ 28.093966]
[ 28.095572] Allocated by task 3854:
[ 28.099184] save_stack_trace+0x16/0x20
[ 28.103139] save_stack+0x43/0xd0
[ 28.106561] kasan_kmalloc+0xad/0xe0
[ 28.110241] kmem_cache_alloc_trace+0xfb/0x2a0
[ 28.114791] binder_get_thread+0x15d/0x750
[ 28.118991] binder_poll+0x4a/0x210
[ 28.122585] SyS_epoll_ctl+0x11d7/0x2190
[ 28.126612] do_fast_syscall_32+0x2f7/0x870
[ 28.130902] entry_SYSENTER_compat+0x74/0x83
[ 28.135282]
[ 28.136885] Freed by task 3854:
[ 28.140131] save_stack_trace+0x16/0x20
[ 28.144070] save_stack+0x43/0xd0
[ 28.147496] kasan_slab_free+0x72/0xc0
[ 28.151349] kfree+0x103/0x300
[ 28.154507] binder_thread_dec_tmpref+0x1cc/0x240
[ 28.159318] binder_thread_release+0x3a7/0x5c0
[ 28.163864] binder_ioctl+0x9c0/0x11b0
[ 28.167721] compat_SyS_ioctl+0x15f/0x2050
[ 28.171923] do_fast_syscall_32+0x2f7/0x870
[ 28.176211] entry_SYSENTER_compat+0x74/0x83
[ 28.180584]
[ 28.182180] The buggy address belongs to the object at ffff8801b9fb0a00
[ 28.182180] which belongs to the cache kmalloc-512 of size 512
[ 28.194804] The buggy address is located 164 bytes inside of
[ 28.194804] 512-byte region [ffff8801b9fb0a00, ffff8801b9fb0c00)
[ 28.206652] The buggy address belongs to the page:
[ 28.211547] page:ffffea0006e7ec00 count:1 mapcount:0 mapping: (null) index:0x0 compound_mapcount: 0
[ 28.221724] flags: 0x8000000000004080(slab|head)
[ 28.226444] page dumped because: kasan: bad access detected
[ 28.232117]
[ 28.233719] Memory state around the buggy address:
[ 28.238614] ffff8801b9fb0980: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 28.245942] ffff8801b9fb0a00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 28.253267] >ffff8801b9fb0a80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 28.260592]                                ^
[ 28.264967] ffff8801b9fb0b00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 28.272292] ffff8801b9fb0b80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 28.279615] ==================================================================
[ 28.286943] Disabling lock debugging due to kernel taint
[ 28.292361] Kernel panic - not syncing: panic_on_warn set ...
[ 28.292361]
[ 28.299696] CPU: 0 PID: 3856 Comm: syz-executor3 Tainted: G B 4.9.82-gcdfc8df #45
[ 28.308411] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 28.317733] ffff8801d7987b88 ffffffff81d94fc9 ffffffff8419777f ffff8801d7987c60
[ 28.325709] 0000000000000000 ffff8801b9fb0aa4 ffff8801b400b880 ffff8801d7987c50
[ 28.333674] ffffffff8142f6c1 0000000041b58ab3 ffffffff8418b1f0 ffffffff8142f505
[ 28.341635] Call Trace:
[ 28.344192] [] dump_stack+0xc1/0x128
[ 28.349611] [] panic+0x1bc/0x3a8
[ 28.354605] [] ? percpu_up_read_preempt_enable.constprop.53+0xd7/0xd7
[ 28.362802] [] kasan_end_report+0x50/0x50
[ 28.368568] [] kasan_report+0x167/0x360
[ 28.374166] [] ? do_raw_spin_lock+0x1ac/0x1e0
[ 28.380279] [] __asan_report_load4_noabort+0x14/0x20
[ 28.386996] [] do_raw_spin_lock+0x1ac/0x1e0
[ 28.392936] [] _raw_spin_lock_irqsave+0x56/0x70
[ 28.399230] [] ? remove_wait_queue+0x14/0x40
[ 28.405258] [] remove_wait_queue+0x14/0x40
[ 28.411112] [] ep_unregister_pollwait.isra.6+0xaf/0x240
[ 28.418100] [] ? ep_unregister_pollwait.isra.6+0x12a/0x240
[ 28.425341] [] ? ep_free+0x1b0/0x1b0
[ 28.430671] [] ep_free+0x96/0x1b0
[ 28.435747] [] ? ep_free+0x1b0/0x1b0
[ 28.441080] [] ep_eventpoll_release+0x44/0x60
[ 28.447193] [] __fput+0x28c/0x6e0
[ 28.452273] [] ____fput+0x15/0x20
[ 28.457346] [] task_work_run+0x115/0x190
[ 28.463025] [] exit_to_usermode_loop+0xfc/0x120
[ 28.469321] [] do_fast_syscall_32+0x5c3/0x870
[ 28.475445] [] ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 28.482079] [] entry_SYSENTER_compat+0x74/0x83
[ 28.488769] Dumping ftrace buffer:
[ 28.492277] (ftrace buffer empty)
[ 28.495962] Kernel Offset: disabled
[ 28.499559] Rebooting in 86400 seconds..