[ ok ] Starting enhanced syslogd: rsyslogd.
[ 12.935056] audit: type=1400 audit(1517304188.193:4): avc: denied { syslog } for pid=3861 comm="rsyslogd" capability=34 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=capability2 permissive=1
[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.
Starting mcstransd:
[ ok ] Starting file context maintaining daemon: restorecond.

Debian GNU/Linux 7 syzkaller ttyS0

Warning: Permanently added '10.128.0.29' (ECDSA) to the list of known hosts.
executing program
syzkaller login: [ 26.834714] ==================================================================
[ 26.842116] BUG: KASAN: use-after-free in __lock_acquire+0x2eff/0x3640
[ 26.848755] Read of size 8 at addr ffff8801bcf0e0b8 by task syzkaller491241/4017
[ 26.856254]
[ 26.857855] CPU: 1 PID: 4017 Comm: syzkaller491241 Not tainted 4.9.78-g7be1985 #24
[ 26.865530] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 26.874854]  ffff8801d38578e0 ffffffff81d94409 ffffea0006f3c380 ffff8801bcf0e0b8
[ 26.882838]  0000000000000000 ffff8801bcf0e0b8 ffff8801bcf0e0b8 ffff8801d3857918
[ 26.890823]  ffffffff8153dc73 ffff8801bcf0e0b8 0000000000000008 0000000000000000
[ 26.898790] Call Trace:
[ 26.901358]  [] dump_stack+0xc1/0x128
[ 26.906707]  [] print_address_description+0x73/0x280
[ 26.913341]  [] kasan_report+0x275/0x360
[ 26.918936]  [] ? __lock_acquire+0x2eff/0x3640
[ 26.925051]  [] __asan_report_load8_noabort+0x14/0x20
[ 26.931889]  [] __lock_acquire+0x2eff/0x3640
[ 26.937882]  [] ? __lock_acquire+0x629/0x3640
[ 26.943913]  [] ? debug_check_no_locks_freed+0x2c0/0x2c0
[ 26.950894]  [] ? debug_check_no_locks_freed+0x2c0/0x2c0
[ 26.957882]  [] ? debug_check_no_locks_freed+0x2c0/0x2c0
[ 26.964869]  [] ? mark_held_locks+0xaf/0x100
[ 26.970817]  [] ? mutex_lock_nested+0x5e3/0x870
[ 26.977032]  [] lock_acquire+0x12e/0x410
[ 26.982626]  [] ? remove_wait_queue+0x14/0x40
[ 26.988656]  [] _raw_spin_lock_irqsave+0x4e/0x70
[ 26.994944]  [] ? remove_wait_queue+0x14/0x40
[ 27.000979]  [] remove_wait_queue+0x14/0x40
[ 27.006837]  [] ep_unregister_pollwait.isra.6+0xaf/0x240
[ 27.013820]  [] ? ep_unregister_pollwait.isra.6+0x12a/0x240
[ 27.021064]  [] ? ep_free+0x1b0/0x1b0
[ 27.026405]  [] ep_free+0x96/0x1b0
[ 27.031477]  [] ? ep_free+0x1b0/0x1b0
[ 27.036810]  [] ep_eventpoll_release+0x44/0x60
[ 27.042927]  [] __fput+0x28c/0x6e0
[ 27.048007]  [] ____fput+0x15/0x20
[ 27.053080]  [] task_work_run+0x115/0x190
[ 27.058771]  [] do_exit+0x7e7/0x2a40
[ 27.064018]  [] ? selinux_file_ioctl+0x355/0x530
[ 27.070305]  [] ? release_task+0x1240/0x1240
[ 27.076255]  [] ? SyS_epoll_create+0x190/0x190
[ 27.082381]  [] ? entry_SYSCALL_64_fastpath+0x5/0xe8
[ 27.089015]  [] do_group_exit+0x108/0x320
[ 27.094695]  [] SyS_exit_group+0x1d/0x20
[ 27.100290]  [] entry_SYSCALL_64_fastpath+0x29/0xe8
[ 27.106863]
[ 27.108462] Allocated by task 4017:
[ 27.112061]  save_stack_trace+0x16/0x20
[ 27.116009]  save_stack+0x43/0xd0
[ 27.119438]  kasan_kmalloc+0xad/0xe0
[ 27.123120]  kmem_cache_alloc_trace+0xfb/0x2a0
[ 27.127672]  binder_get_thread+0x15d/0x750
[ 27.131874]  binder_poll+0x4a/0x210
[ 27.135472]  SyS_epoll_ctl+0x11d7/0x2190
[ 27.139502]  entry_SYSCALL_64_fastpath+0x29/0xe8
[ 27.144224]
[ 27.145820] Freed by task 4017:
[ 27.149069]  save_stack_trace+0x16/0x20
[ 27.153034]  save_stack+0x43/0xd0
[ 27.156457]  kasan_slab_free+0x72/0xc0
[ 27.160320]  kfree+0x103/0x300
[ 27.163490]  binder_thread_dec_tmpref+0x1cc/0x240
[ 27.168309]  binder_thread_release+0x27d/0x540
[ 27.172858]  binder_ioctl+0x9c0/0x11b0
[ 27.176728]  do_vfs_ioctl+0x1aa/0x1140
[ 27.180582]  SyS_ioctl+0x8f/0xc0
[ 27.183918]  entry_SYSCALL_64_fastpath+0x29/0xe8
[ 27.188639]
[ 27.190245] The buggy address belongs to the object at ffff8801bcf0e000
[ 27.190245]  which belongs to the cache kmalloc-512 of size 512
[ 27.202879] The buggy address is located 184 bytes inside of
[ 27.202879]  512-byte region [ffff8801bcf0e000, ffff8801bcf0e200)
[ 27.214730] The buggy address belongs to the page:
[ 27.219639] page:ffffea0006f3c380 count:1 mapcount:0 mapping:          (null) index:0x0 compound_mapcount: 0
[ 27.229817] flags: 0x8000000000004080(slab|head)
[ 27.234547] page dumped because: kasan: bad access detected
[ 27.240232]
[ 27.241830] Memory state around the buggy address:
[ 27.246737]  ffff8801bcf0df80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 27.254065]  ffff8801bcf0e000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 27.261406] >ffff8801bcf0e080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 27.268734]                                         ^
[ 27.273890]  ffff8801bcf0e100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 27.281217]  ffff8801bcf0e180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 27.288543] ==================================================================
[ 27.295868] Disabling lock debugging due to kernel taint
[ 27.301286] Kernel panic - not syncing: panic_on_warn set ...
[ 27.301286]
[ 27.308618] CPU: 1 PID: 4017 Comm: syzkaller491241 Tainted: G B 4.9.78-g7be1985 #24
[ 27.317508] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 27.326853]  ffff8801d3857838 ffffffff81d94409 ffffffff841971bf ffff8801d3857910
[ 27.334840]  0000000000000000 ffff8801bcf0e0b8 ffff8801bcf0e0b8 ffff8801d3857900
[ 27.342813]  ffffffff8142f4a1 0000000041b58ab3 ffffffff8418ac30 ffffffff8142f2e5
[ 27.350790] Call Trace:
[ 27.353354]  [] dump_stack+0xc1/0x128
[ 27.358701]  [] panic+0x1bc/0x3a8
[ 27.363687]  [] ? percpu_up_read_preempt_enable.constprop.53+0xd7/0xd7
[ 27.371892]  [] ? add_taint+0x40/0x50
[ 27.377227]  [] kasan_end_report+0x50/0x50
[ 27.383001]  [] kasan_report+0x167/0x360
[ 27.388596]  [] ? __lock_acquire+0x2eff/0x3640
[ 27.394719]  [] __asan_report_load8_noabort+0x14/0x20
[ 27.401441]  [] __lock_acquire+0x2eff/0x3640
[ 27.407394]  [] ? __lock_acquire+0x629/0x3640
[ 27.413430]  [] ? debug_check_no_locks_freed+0x2c0/0x2c0
[ 27.420412]  [] ? debug_check_no_locks_freed+0x2c0/0x2c0
[ 27.427394]  [] ? debug_check_no_locks_freed+0x2c0/0x2c0
[ 27.434377]  [] ? mark_held_locks+0xaf/0x100
[ 27.440321]  [] ? mutex_lock_nested+0x5e3/0x870
[ 27.446520]  [] lock_acquire+0x12e/0x410
[ 27.452111]  [] ? remove_wait_queue+0x14/0x40
[ 27.458139]  [] _raw_spin_lock_irqsave+0x4e/0x70
[ 27.464426]  [] ? remove_wait_queue+0x14/0x40
[ 27.470454]  [] remove_wait_queue+0x14/0x40
[ 27.476321]  [] ep_unregister_pollwait.isra.6+0xaf/0x240
[ 27.483302]  [] ? ep_unregister_pollwait.isra.6+0x12a/0x240
[ 27.490546]  [] ? ep_free+0x1b0/0x1b0
[ 27.495884]  [] ep_free+0x96/0x1b0
[ 27.500966]  [] ? ep_free+0x1b0/0x1b0
[ 27.506298]  [] ep_eventpoll_release+0x44/0x60
[ 27.512421]  [] __fput+0x28c/0x6e0
[ 27.517492]  [] ____fput+0x15/0x20
[ 27.522563]  [] task_work_run+0x115/0x190
[ 27.528243]  [] do_exit+0x7e7/0x2a40
[ 27.533489]  [] ? selinux_file_ioctl+0x355/0x530
[ 27.539778]  [] ? release_task+0x1240/0x1240
[ 27.545719]  [] ? SyS_epoll_create+0x190/0x190
[ 27.551834]  [] ? entry_SYSCALL_64_fastpath+0x5/0xe8
[ 27.558471]  [] do_group_exit+0x108/0x320
[ 27.564150]  [] SyS_exit_group+0x1d/0x20
[ 27.569756]  [] entry_SYSCALL_64_fastpath+0x29/0xe8
[ 27.576820] Dumping ftrace buffer:
[ 27.580343]    (ftrace buffer empty)
[ 27.584026] Kernel Offset: disabled
[ 27.587633] Rebooting in 86400 seconds..