[....] Starting enhanced syslogd: rsyslogd[   10.306372] audit: type=1400 audit(1514490221.931:4): avc:  denied  { syslog } for  pid=3171 comm="rsyslogd" capability=34  scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=capability2 permissive=1
[ ok ].
[ ok ] Starting periodic command scheduler: cron.
Starting mcstransd: 
[ ok ] Starting file context maintaining daemon: restorecond.
[ ok ] Starting OpenBSD Secure Shell server: sshd.

Debian GNU/Linux 7 syzkaller ttyS0

Warning: Permanently added '10.128.15.224' (ECDSA) to the list of known hosts.
executing program
syzkaller login: 
[   35.710644] ==================================================================
[   35.711721] BUG: KASAN: use-after-free in __lock_acquire+0x2eff/0x3640
[   35.712598] Read of size 8 at addr ffff8801cc6ad238 by task syzkaller817846/3337
[   35.713590] 
[   35.713822] CPU: 0 PID: 3337 Comm: syzkaller817846 Not tainted 4.9.72-gcb7518e #114
[   35.714838] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   35.716055]  ffff8801c88bf8e0 ffffffff81d922b9 ffffea000731ab00 ffff8801cc6ad238
[   35.717183]  0000000000000000 ffff8801cc6ad238 ffff8801cc6ad238 ffff8801c88bf918
[   35.718309]  ffffffff8153bab3 ffff8801cc6ad238 0000000000000008 0000000000000000
[   35.719441] Call Trace:
[   35.719805]  [<ffffffff81d922b9>] dump_stack+0xc1/0x128
[   35.720517]  [<ffffffff8153bab3>] print_address_description+0x73/0x280
[   35.721392]  [<ffffffff8153bfd5>] kasan_report+0x275/0x360
[   35.722145]  [<ffffffff8123cf1f>] ? __lock_acquire+0x2eff/0x3640
[   35.722952]  [<ffffffff8153c134>] __asan_report_load8_noabort+0x14/0x20
[   35.723840]  [<ffffffff8123cf1f>] __lock_acquire+0x2eff/0x3640
[   35.724626]  [<ffffffff8123a649>] ? __lock_acquire+0x629/0x3640
[   35.725424]  [<ffffffff8123a020>] ? debug_check_no_locks_freed+0x2c0/0x2c0
[   35.726355]  [<ffffffff8123a020>] ? debug_check_no_locks_freed+0x2c0/0x2c0
[   35.727276]  [<ffffffff8123a020>] ? debug_check_no_locks_freed+0x2c0/0x2c0
[   35.728211]  [<ffffffff8123940f>] ? mark_held_locks+0xaf/0x100
[   35.729009]  [<ffffffff838a5e03>] ? mutex_lock_nested+0x5e3/0x870
[   35.729829]  [<ffffffff8123e09e>] lock_acquire+0x12e/0x410
[   35.730572]  [<ffffffff81222604>] ? remove_wait_queue+0x14/0x40
[   35.731379]  [<ffffffff838af3ee>] _raw_spin_lock_irqsave+0x4e/0x70
[   35.737664]  [<ffffffff81222604>] ? remove_wait_queue+0x14/0x40
[   35.743702]  [<ffffffff81222604>] remove_wait_queue+0x14/0x40
[   35.749577]  [<ffffffff8164eaef>] ep_unregister_pollwait.isra.6+0xaf/0x240
[   35.756557]  [<ffffffff8164eb6a>] ? ep_unregister_pollwait.isra.6+0x12a/0x240
[   35.763796]  [<ffffffff8164f950>] ? ep_free+0x1b0/0x1b0
[   35.769125]  [<ffffffff8164f836>] ep_free+0x96/0x1b0
[   35.774197]  [<ffffffff8164f950>] ? ep_free+0x1b0/0x1b0
[   35.779529]  [<ffffffff8164f994>] ep_eventpoll_release+0x44/0x60
[   35.785640]  [<ffffffff81572f4c>] __fput+0x28c/0x6e0
[   35.790716]  [<ffffffff81573425>] ____fput+0x15/0x20
[   35.795785]  [<ffffffff81193a25>] task_work_run+0x115/0x190
[   35.801462]  [<ffffffff8113a507>] do_exit+0x7e7/0x2a40
[   35.806705]  [<ffffffff81be83e5>] ? selinux_file_ioctl+0x355/0x530
[   35.812988]  [<ffffffff81139d20>] ? release_task+0x1240/0x1240
[   35.818928]  [<ffffffff81651890>] ? SyS_epoll_create+0x190/0x190
[   35.825039]  [<ffffffff838af567>] ? entry_SYSCALL_64_fastpath+0x5/0xc6
[   35.831676]  [<ffffffff81140c18>] do_group_exit+0x108/0x320
[   35.837353]  [<ffffffff81140e4d>] SyS_exit_group+0x1d/0x20
[   35.842940]  [<ffffffff838af585>] entry_SYSCALL_64_fastpath+0x23/0xc6
[   35.849484] 
[   35.851075] Allocated by task 3337:
[   35.854666]  save_stack_trace+0x16/0x20
[   35.858617]  save_stack+0x43/0xd0
[   35.862034]  kasan_kmalloc+0xad/0xe0
[   35.865718]  kmem_cache_alloc_trace+0xfb/0x2a0
[   35.870264]  binder_get_thread+0x15d/0x750
[   35.874464]  binder_poll+0x4a/0x210
[   35.878055]  SyS_epoll_ctl+0x11d7/0x2190
[   35.882082]  entry_SYSCALL_64_fastpath+0x23/0xc6
[   35.886805] 
[   35.888401] Freed by task 3337:
[   35.891647]  save_stack_trace+0x16/0x20
[   35.895586]  save_stack+0x43/0xd0
[   35.899003]  kasan_slab_free+0x72/0xc0
[   35.902860]  kfree+0x103/0x300
[   35.906015]  binder_thread_dec_tmpref+0x1cc/0x240
[   35.910823]  binder_thread_release+0x27d/0x540
[   35.915368]  binder_ioctl+0x9c0/0x11b0
[   35.919220]  do_vfs_ioctl+0x1aa/0x1140
[   35.923076]  SyS_ioctl+0x8f/0xc0
[   35.926404]  entry_SYSCALL_64_fastpath+0x23/0xc6
[   35.931122] 
[   35.932716] The buggy address belongs to the object at ffff8801cc6ad180
[   35.932716]  which belongs to the cache kmalloc-512 of size 512
[   35.945342] The buggy address is located 184 bytes inside of
[   35.945342]  512-byte region [ffff8801cc6ad180, ffff8801cc6ad380)
[   35.957186] The buggy address belongs to the page:
[   35.962080] page:ffffea000731ab00 count:1 mapcount:0 mapping:          (null) index:0x0 compound_mapcount: 0
[   35.972237] flags: 0x8000000000004080(slab|head)
[   35.976963] page dumped because: kasan: bad access detected
[   35.982635] 
[   35.984226] Memory state around the buggy address:
[   35.989119]  ffff8801cc6ad100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   35.996443]  ffff8801cc6ad180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   36.003768] >ffff8801cc6ad200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   36.011098]                                         ^
[   36.016271]  ffff8801cc6ad280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   36.023595]  ffff8801cc6ad300: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   36.030916] ==================================================================
[   36.038237] Disabling lock debugging due to kernel taint
[   36.043651] Kernel panic - not syncing: panic_on_warn set ...
[   36.043651] 
[   36.050984] CPU: 0 PID: 3337 Comm: syzkaller817846 Tainted: G    B           4.9.72-gcb7518e #114
[   36.059958] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   36.069280]  ffff8801c88bf838 ffffffff81d922b9 ffffffff841955bf ffff8801c88bf910
[   36.077227]  0000000000000000 ffff8801cc6ad238 ffff8801cc6ad238 ffff8801c88bf900
[   36.085173]  ffffffff8142d741 0000000041b58ab3 ffffffff84189000 ffffffff8142d585
[   36.093116] Call Trace:
[   36.095671]  [<ffffffff81d922b9>] dump_stack+0xc1/0x128
[   36.101001]  [<ffffffff8142d741>] panic+0x1bc/0x3a8
[   36.105981]  [<ffffffff8142d585>] ? percpu_up_read_preempt_enable.constprop.53+0xd7/0xd7
[   36.114179]  [<ffffffff8112ec90>] ? add_taint+0x40/0x50
[   36.119508]  [<ffffffff8153ba20>] kasan_end_report+0x50/0x50
[   36.125271]  [<ffffffff8153bec7>] kasan_report+0x167/0x360
[   36.130864]  [<ffffffff8123cf1f>] ? __lock_acquire+0x2eff/0x3640
[   36.136974]  [<ffffffff8153c134>] __asan_report_load8_noabort+0x14/0x20
[   36.143693]  [<ffffffff8123cf1f>] __lock_acquire+0x2eff/0x3640
[   36.149634]  [<ffffffff8123a649>] ? __lock_acquire+0x629/0x3640
[   36.155661]  [<ffffffff8123a020>] ? debug_check_no_locks_freed+0x2c0/0x2c0
[   36.162639]  [<ffffffff8123a020>] ? debug_check_no_locks_freed+0x2c0/0x2c0
[   36.169619]  [<ffffffff8123a020>] ? debug_check_no_locks_freed+0x2c0/0x2c0
[   36.176605]  [<ffffffff8123940f>] ? mark_held_locks+0xaf/0x100
[   36.182549]  [<ffffffff838a5e03>] ? mutex_lock_nested+0x5e3/0x870
[   36.188744]  [<ffffffff8123e09e>] lock_acquire+0x12e/0x410
[   36.194334]  [<ffffffff81222604>] ? remove_wait_queue+0x14/0x40
[   36.200364]  [<ffffffff838af3ee>] _raw_spin_lock_irqsave+0x4e/0x70
[   36.206655]  [<ffffffff81222604>] ? remove_wait_queue+0x14/0x40
[   36.212676]  [<ffffffff81222604>] remove_wait_queue+0x14/0x40
[   36.218526]  [<ffffffff8164eaef>] ep_unregister_pollwait.isra.6+0xaf/0x240
[   36.225505]  [<ffffffff8164eb6a>] ? ep_unregister_pollwait.isra.6+0x12a/0x240
[   36.232743]  [<ffffffff8164f950>] ? ep_free+0x1b0/0x1b0
[   36.238070]  [<ffffffff8164f836>] ep_free+0x96/0x1b0
[   36.243137]  [<ffffffff8164f950>] ? ep_free+0x1b0/0x1b0
[   36.248466]  [<ffffffff8164f994>] ep_eventpoll_release+0x44/0x60
[   36.254583]  [<ffffffff81572f4c>] __fput+0x28c/0x6e0
[   36.259650]  [<ffffffff81573425>] ____fput+0x15/0x20
[   36.264715]  [<ffffffff81193a25>] task_work_run+0x115/0x190
[   36.270394]  [<ffffffff8113a507>] do_exit+0x7e7/0x2a40
[   36.275643]  [<ffffffff81be83e5>] ? selinux_file_ioctl+0x355/0x530
[   36.281927]  [<ffffffff81139d20>] ? release_task+0x1240/0x1240
[   36.287864]  [<ffffffff81651890>] ? SyS_epoll_create+0x190/0x190
[   36.293973]  [<ffffffff838af567>] ? entry_SYSCALL_64_fastpath+0x5/0xc6
[   36.300605]  [<ffffffff81140c18>] do_group_exit+0x108/0x320
[   36.306280]  [<ffffffff81140e4d>] SyS_exit_group+0x1d/0x20
[   36.311869]  [<ffffffff838af585>] entry_SYSCALL_64_fastpath+0x23/0xc6
[   36.318799] Dumping ftrace buffer:
[   36.322306]    (ftrace buffer empty)
[   36.325981] Kernel Offset: disabled
[   36.329571] Rebooting in 86400 seconds..