[....] Starting enhanced syslogd: rsyslogd[   10.955431] audit: type=1400 audit(1514160505.436:4): avc:  denied  { syslog } for  pid=3176 comm="rsyslogd" capability=34  scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=capability2 permissive=1
[?25l[?1c7[ ok 8[?25h[?0c.
Starting mcstransd: 
[....] Starting periodic command scheduler: cron[?25l[?1c7[ ok 8[?25h[?0c.
[....] Starting OpenBSD Secure Shell server: sshd[?25l[?1c7[ ok 8[?25h[?0c.
[....] Starting file context maintaining daemon: restorecond[?25l[?1c7[ ok 8[?25h[?0c.

Debian GNU/Linux 7 syzkaller ttyS0

Warning: Permanently added 'ci-android-49-kasan-gce-8,10.128.15.228' (ECDSA) to the list of known hosts.
executing program
syzkaller login: [   18.453504] ==================================================================
[   18.454648] BUG: KASAN: use-after-free in __lock_acquire+0x2eff/0x3640
[   18.455541] Read of size 8 at addr ffff8801cc93d738 by task syzkaller867213/3324
[   18.456529] 
[   18.456766] CPU: 1 PID: 3324 Comm: syzkaller867213 Not tainted 4.9.71-g2506378 #113
[   18.457800] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   18.459019]  ffff8801c93978e0 ffffffff81d922b9 ffffea0007324f00 ffff8801cc93d738
[   18.460147]  0000000000000000 ffff8801cc93d738 ffff8801cc93d738 ffff8801c9397918
[   18.461274]  ffffffff8153bab3 ffff8801cc93d738 0000000000000008 0000000000000000
[   18.462403] Call Trace:
[   18.462760]  [<ffffffff81d922b9>] dump_stack+0xc1/0x128
[   18.463483]  [<ffffffff8153bab3>] print_address_description+0x73/0x280
[   18.464360]  [<ffffffff8153bfd5>] kasan_report+0x275/0x360
[   18.465104]  [<ffffffff8123cf1f>] ? __lock_acquire+0x2eff/0x3640
[   18.465914]  [<ffffffff8153c134>] __asan_report_load8_noabort+0x14/0x20
[   18.466819]  [<ffffffff8123cf1f>] __lock_acquire+0x2eff/0x3640
[   18.467652]  [<ffffffff8123a649>] ? __lock_acquire+0x629/0x3640
[   18.468450]  [<ffffffff8123a020>] ? debug_check_no_locks_freed+0x2c0/0x2c0
[   18.469369]  [<ffffffff8123a020>] ? debug_check_no_locks_freed+0x2c0/0x2c0
[   18.470289]  [<ffffffff8123a020>] ? debug_check_no_locks_freed+0x2c0/0x2c0
[   18.471241]  [<ffffffff8123940f>] ? mark_held_locks+0xaf/0x100
[   18.472031]  [<ffffffff838a5813>] ? mutex_lock_nested+0x5e3/0x870
[   18.472861]  [<ffffffff8123e09e>] lock_acquire+0x12e/0x410
[   18.473618]  [<ffffffff81222604>] ? remove_wait_queue+0x14/0x40
[   18.479654]  [<ffffffff838aedfe>] _raw_spin_lock_irqsave+0x4e/0x70
[   18.485938]  [<ffffffff81222604>] ? remove_wait_queue+0x14/0x40
[   18.491960]  [<ffffffff81222604>] remove_wait_queue+0x14/0x40
[   18.497816]  [<ffffffff8164eaef>] ep_unregister_pollwait.isra.6+0xaf/0x240
[   18.504793]  [<ffffffff8164eb6a>] ? ep_unregister_pollwait.isra.6+0x12a/0x240
[   18.512031]  [<ffffffff8164f950>] ? ep_free+0x1b0/0x1b0
[   18.517371]  [<ffffffff8164f836>] ep_free+0x96/0x1b0
[   18.522439]  [<ffffffff8164f950>] ? ep_free+0x1b0/0x1b0
[   18.527854]  [<ffffffff8164f994>] ep_eventpoll_release+0x44/0x60
[   18.533964]  [<ffffffff81572f4c>] __fput+0x28c/0x6e0
[   18.539030]  [<ffffffff81573425>] ____fput+0x15/0x20
[   18.544099]  [<ffffffff81193a25>] task_work_run+0x115/0x190
[   18.549775]  [<ffffffff8113a507>] do_exit+0x7e7/0x2a40
[   18.555017]  [<ffffffff81be83e5>] ? selinux_file_ioctl+0x355/0x530
[   18.561301]  [<ffffffff81139d20>] ? release_task+0x1240/0x1240
[   18.567240]  [<ffffffff81651890>] ? SyS_epoll_create+0x190/0x190
[   18.573348]  [<ffffffff838aef67>] ? entry_SYSCALL_64_fastpath+0x5/0xc6
[   18.579977]  [<ffffffff81140c18>] do_group_exit+0x108/0x320
[   18.585652]  [<ffffffff81140e4d>] SyS_exit_group+0x1d/0x20
[   18.591240]  [<ffffffff838aef85>] entry_SYSCALL_64_fastpath+0x23/0xc6
[   18.597781] 
[   18.599376] Allocated by task 3324:
[   18.602968]  save_stack_trace+0x16/0x20
[   18.606907]  save_stack+0x43/0xd0
[   18.610327]  kasan_kmalloc+0xad/0xe0
[   18.614003]  kmem_cache_alloc_trace+0xfb/0x2a0
[   18.618553]  binder_get_thread+0x15d/0x750
[   18.622749]  binder_poll+0x4a/0x210
[   18.626340]  SyS_epoll_ctl+0x11d7/0x2190
[   18.630365]  entry_SYSCALL_64_fastpath+0x23/0xc6
[   18.635079] 
[   18.636674] Freed by task 3324:
[   18.639922]  save_stack_trace+0x16/0x20
[   18.643859]  save_stack+0x43/0xd0
[   18.647276]  kasan_slab_free+0x72/0xc0
[   18.651124]  kfree+0x103/0x300
[   18.654279]  binder_thread_dec_tmpref+0x1cc/0x240
[   18.659084]  binder_thread_release+0x27d/0x540
[   18.663640]  binder_ioctl+0x9c0/0x11b0
[   18.667493]  do_vfs_ioctl+0x1aa/0x1140
[   18.671343]  SyS_ioctl+0x8f/0xc0
[   18.674682]  entry_SYSCALL_64_fastpath+0x23/0xc6
[   18.679397] 
[   18.680991] The buggy address belongs to the object at ffff8801cc93d680
[   18.680991]  which belongs to the cache kmalloc-512 of size 512
[   18.693607] The buggy address is located 184 bytes inside of
[   18.693607]  512-byte region [ffff8801cc93d680, ffff8801cc93d880)
[   18.705445] The buggy address belongs to the page:
[   18.710341] page:ffffea0007324f00 count:1 mapcount:0 mapping:          (null) index:0x0 compound_mapcount: 0
[   18.720492] flags: 0x8000000000004080(slab|head)
[   18.725208] page dumped because: kasan: bad access detected
[   18.730879] 
[   18.732470] Memory state around the buggy address:
[   18.737363]  ffff8801cc93d600: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   18.744685]  ffff8801cc93d680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   18.752010] >ffff8801cc93d700: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   18.759330]                                         ^
[   18.764483]  ffff8801cc93d780: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   18.771805]  ffff8801cc93d800: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   18.779124] ==================================================================
[   18.786446] Disabling lock debugging due to kernel taint
[   18.791858] Kernel panic - not syncing: panic_on_warn set ...
[   18.791858] 
[   18.799185] CPU: 1 PID: 3324 Comm: syzkaller867213 Tainted: G    B           4.9.71-g2506378 #113
[   18.808165] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   18.817486]  ffff8801c9397838 ffffffff81d922b9 ffffffff84194b3f ffff8801c9397910
[   18.825429]  0000000000000000 ffff8801cc93d738 ffff8801cc93d738 ffff8801c9397900
[   18.833372]  ffffffff8142d741 0000000041b58ab3 ffffffff84188580 ffffffff8142d585
[   18.841321] Call Trace:
[   18.843877]  [<ffffffff81d922b9>] dump_stack+0xc1/0x128
[   18.849206]  [<ffffffff8142d741>] panic+0x1bc/0x3a8
[   18.854186]  [<ffffffff8142d585>] ? percpu_up_read_preempt_enable.constprop.53+0xd7/0xd7
[   18.862379]  [<ffffffff8112ec90>] ? add_taint+0x40/0x50
[   18.867709]  [<ffffffff8153ba20>] kasan_end_report+0x50/0x50
[   18.873470]  [<ffffffff8153bec7>] kasan_report+0x167/0x360
[   18.879058]  [<ffffffff8123cf1f>] ? __lock_acquire+0x2eff/0x3640
[   18.885169]  [<ffffffff8153c134>] __asan_report_load8_noabort+0x14/0x20
[   18.891885]  [<ffffffff8123cf1f>] __lock_acquire+0x2eff/0x3640
[   18.897823]  [<ffffffff8123a649>] ? __lock_acquire+0x629/0x3640
[   18.903844]  [<ffffffff8123a020>] ? debug_check_no_locks_freed+0x2c0/0x2c0
[   18.910819]  [<ffffffff8123a020>] ? debug_check_no_locks_freed+0x2c0/0x2c0
[   18.917797]  [<ffffffff8123a020>] ? debug_check_no_locks_freed+0x2c0/0x2c0
[   18.924774]  [<ffffffff8123940f>] ? mark_held_locks+0xaf/0x100
[   18.930711]  [<ffffffff838a5813>] ? mutex_lock_nested+0x5e3/0x870
[   18.936908]  [<ffffffff8123e09e>] lock_acquire+0x12e/0x410
[   18.942496]  [<ffffffff81222604>] ? remove_wait_queue+0x14/0x40
[   18.948519]  [<ffffffff838aedfe>] _raw_spin_lock_irqsave+0x4e/0x70
[   18.954801]  [<ffffffff81222604>] ? remove_wait_queue+0x14/0x40
[   18.960824]  [<ffffffff81222604>] remove_wait_queue+0x14/0x40
[   18.966675]  [<ffffffff8164eaef>] ep_unregister_pollwait.isra.6+0xaf/0x240
[   18.973651]  [<ffffffff8164eb6a>] ? ep_unregister_pollwait.isra.6+0x12a/0x240
[   18.980891]  [<ffffffff8164f950>] ? ep_free+0x1b0/0x1b0
[   18.986219]  [<ffffffff8164f836>] ep_free+0x96/0x1b0
[   18.991285]  [<ffffffff8164f950>] ? ep_free+0x1b0/0x1b0
[   18.996614]  [<ffffffff8164f994>] ep_eventpoll_release+0x44/0x60
[   19.002724]  [<ffffffff81572f4c>] __fput+0x28c/0x6e0
[   19.007791]  [<ffffffff81573425>] ____fput+0x15/0x20
[   19.012858]  [<ffffffff81193a25>] task_work_run+0x115/0x190
[   19.018535]  [<ffffffff8113a507>] do_exit+0x7e7/0x2a40
[   19.023780]  [<ffffffff81be83e5>] ? selinux_file_ioctl+0x355/0x530
[   19.030061]  [<ffffffff81139d20>] ? release_task+0x1240/0x1240
[   19.035996]  [<ffffffff81651890>] ? SyS_epoll_create+0x190/0x190
[   19.042105]  [<ffffffff838aef67>] ? entry_SYSCALL_64_fastpath+0x5/0xc6
[   19.048754]  [<ffffffff81140c18>] do_group_exit+0x108/0x320
[   19.054429]  [<ffffffff81140e4d>] SyS_exit_group+0x1d/0x20
[   19.060015]  [<ffffffff838aef85>] entry_SYSCALL_64_fastpath+0x23/0xc6
[   19.067038] Dumping ftrace buffer:
[   19.070550]    (ftrace buffer empty)
[   19.074231] Kernel Offset: disabled
[   19.077837] Rebooting in 86400 seconds..