[....] Starting enhanced syslogd: rsyslogd[   12.470080] audit: type=1400 audit(1515544910.263:4): avc:  denied  { syslog } for  pid=3175 comm="rsyslogd" capability=34  scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=capability2 permissive=1
[ ok ].
[....] Starting periodic command scheduler: cron[ ok ].
Starting mcstransd: 
[....] Starting file context maintaining daemon: restorecond[ ok ].
[....] Starting OpenBSD Secure Shell server: sshd[ ok ].

Debian GNU/Linux 7 syzkaller ttyS0

Warning: Permanently added '10.128.0.57' (ECDSA) to the list of known hosts.
executing program
syzkaller login: [   34.585534] ==================================================================
[   34.592930] BUG: KASAN: use-after-free in __lock_acquire+0x2eff/0x3640
[   34.599565] Read of size 8 at addr ffff8801c7cd5238 by task syzkaller644710/3340
[   34.607062] 
[   34.608658] CPU: 1 PID: 3340 Comm: syzkaller644710 Not tainted 4.9.75-g8910fa5 #19
[   34.616328] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   34.625651]  ffff8801c856f870 ffffffff81d93049 ffffea00071f3500 ffff8801c7cd5238
[   34.633621]  0000000000000000 ffff8801c7cd5238 ffff8801c7cd5238 ffff8801c856f8a8
[   34.641571]  ffffffff8153ca53 ffff8801c7cd5238 0000000000000008 0000000000000000
[   34.649516] Call Trace:
[   34.652072]  [<ffffffff81d93049>] dump_stack+0xc1/0x128
[   34.657405]  [<ffffffff8153ca53>] print_address_description+0x73/0x280
[   34.664036]  [<ffffffff8153cf75>] kasan_report+0x275/0x360
[   34.669634]  [<ffffffff8123db6f>] ? __lock_acquire+0x2eff/0x3640
[   34.675747]  [<ffffffff8153d0d4>] __asan_report_load8_noabort+0x14/0x20
[   34.682475]  [<ffffffff8123db6f>] __lock_acquire+0x2eff/0x3640
[   34.688425]  [<ffffffff8123b299>] ? __lock_acquire+0x629/0x3640
[   34.694451]  [<ffffffff8123ac70>] ? debug_check_no_locks_freed+0x2c0/0x2c0
[   34.701440]  [<ffffffff8123ac70>] ? debug_check_no_locks_freed+0x2c0/0x2c0
[   34.708420]  [<ffffffff8123ac70>] ? debug_check_no_locks_freed+0x2c0/0x2c0
[   34.715400]  [<ffffffff8123a05f>] ? mark_held_locks+0xaf/0x100
[   34.721342]  [<ffffffff838a7203>] ? mutex_lock_nested+0x5e3/0x870
[   34.727539]  [<ffffffff8123ecee>] lock_acquire+0x12e/0x410
[   34.733128]  [<ffffffff81223254>] ? remove_wait_queue+0x14/0x40
[   34.739149]  [<ffffffff838b08ce>] _raw_spin_lock_irqsave+0x4e/0x70
[   34.745432]  [<ffffffff81223254>] ? remove_wait_queue+0x14/0x40
[   34.751457]  [<ffffffff81223254>] remove_wait_queue+0x14/0x40
[   34.757321]  [<ffffffff8164fa8f>] ep_unregister_pollwait.isra.6+0xaf/0x240
[   34.764310]  [<ffffffff8164fb0a>] ? ep_unregister_pollwait.isra.6+0x12a/0x240
[   34.771552]  [<ffffffff816508f0>] ? ep_free+0x1b0/0x1b0
[   34.776885]  [<ffffffff816507d6>] ep_free+0x96/0x1b0
[   34.781954]  [<ffffffff816508f0>] ? ep_free+0x1b0/0x1b0
[   34.787281]  [<ffffffff81650934>] ep_eventpoll_release+0x44/0x60
[   34.793391]  [<ffffffff81573eec>] __fput+0x28c/0x6e0
[   34.798461]  [<ffffffff815743c5>] ____fput+0x15/0x20
[   34.803530]  [<ffffffff81194675>] task_work_run+0x115/0x190
[   34.809212]  [<ffffffff8113b157>] do_exit+0x7e7/0x2a40
[   34.814453]  [<ffffffff814cd7a0>] ? __pmd_alloc+0x410/0x410
[   34.820719]  [<ffffffff8113a970>] ? release_task+0x1240/0x1240
[   34.826660]  [<ffffffff810dd65c>] ? __do_page_fault+0x5ec/0xd40
[   34.832692]  [<ffffffff8122f8fa>] ? up_read+0x1a/0x40
[   34.837859]  [<ffffffff810dd42d>] ? __do_page_fault+0x3bd/0xd40
[   34.843909]  [<ffffffff81141868>] do_group_exit+0x108/0x320
[   34.849597]  [<ffffffff81141a80>] ? do_group_exit+0x320/0x320
[   34.855447]  [<ffffffff81141a9d>] SyS_exit_group+0x1d/0x20
[   34.861035]  [<ffffffff81006fc7>] do_fast_syscall_32+0x2f7/0x890
[   34.867144]  [<ffffffff81003036>] ? trace_hardirqs_off_thunk+0x1a/0x1c
[   34.873796]  [<ffffffff838b2334>] entry_SYSENTER_compat+0x74/0x83
[   34.879998] 
[   34.881593] Allocated by task 3340:
[   34.885186]  save_stack_trace+0x16/0x20
[   34.889134]  save_stack+0x43/0xd0
[   34.892552]  kasan_kmalloc+0xad/0xe0
[   34.896230]  kmem_cache_alloc_trace+0xfb/0x2a0
[   34.900782]  binder_get_thread+0x15d/0x750
[   34.904982]  binder_poll+0x4a/0x210
[   34.908575]  SyS_epoll_ctl+0x11d7/0x2190
[   34.912605]  do_fast_syscall_32+0x2f7/0x890
[   34.916944]  entry_SYSENTER_compat+0x74/0x83
[   34.921324] 
[   34.922917] Freed by task 3340:
[   34.926176]  save_stack_trace+0x16/0x20
[   34.930114]  save_stack+0x43/0xd0
[   34.933533]  kasan_slab_free+0x72/0xc0
[   34.937381]  kfree+0x103/0x300
[   34.940541]  binder_thread_dec_tmpref+0x1cc/0x240
[   34.945355]  binder_thread_release+0x27d/0x540
[   34.949902]  binder_ioctl+0x9c0/0x11b0
[   34.953754]  compat_SyS_ioctl+0x15f/0x2050
[   34.957956]  do_fast_syscall_32+0x2f7/0x890
[   34.962253]  entry_SYSENTER_compat+0x74/0x83
[   34.966623] 
[   34.968216] The buggy address belongs to the object at ffff8801c7cd5180
[   34.968216]  which belongs to the cache kmalloc-512 of size 512
[   34.980834] The buggy address is located 184 bytes inside of
[   34.980834]  512-byte region [ffff8801c7cd5180, ffff8801c7cd5380)
[   34.992673] The buggy address belongs to the page:
[   34.997570] page:ffffea00071f3500 count:1 mapcount:0 mapping:          (null) index:0x0 compound_mapcount: 0
[   35.007745] flags: 0x8000000000004080(slab|head)
[   35.012465] page dumped because: kasan: bad access detected
[   35.018135] 
[   35.019728] Memory state around the buggy address:
[   35.024621]  ffff8801c7cd5100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   35.031946]  ffff8801c7cd5180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   35.039269] >ffff8801c7cd5200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   35.046605]                                         ^
[   35.051760]  ffff8801c7cd5280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   35.059084]  ffff8801c7cd5300: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   35.066415] ==================================================================
[   35.073738] Disabling lock debugging due to kernel taint
[   35.079152] Kernel panic - not syncing: panic_on_warn set ...
[   35.079152] 
[   35.086478] CPU: 1 PID: 3340 Comm: syzkaller644710 Tainted: G    B           4.9.75-g8910fa5 #19
[   35.095371] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   35.104693]  ffff8801c856f7c8 ffffffff81d93049 ffffffff84195be7 ffff8801c856f8a0
[   35.112639]  0000000000000000 ffff8801c7cd5238 ffff8801c7cd5238 ffff8801c856f890
[   35.120600]  ffffffff8142e281 0000000041b58ab3 ffffffff84189648 ffffffff8142e0c5
[   35.128541] Call Trace:
[   35.131098]  [<ffffffff81d93049>] dump_stack+0xc1/0x128
[   35.136428]  [<ffffffff8142e281>] panic+0x1bc/0x3a8
[   35.141410]  [<ffffffff8142e0c5>] ? percpu_up_read_preempt_enable.constprop.53+0xd7/0xd7
[   35.149605]  [<ffffffff8112f8e0>] ? add_taint+0x40/0x50
[   35.154943]  [<ffffffff8153c9c0>] kasan_end_report+0x50/0x50
[   35.160706]  [<ffffffff8153ce67>] kasan_report+0x167/0x360
[   35.166297]  [<ffffffff8123db6f>] ? __lock_acquire+0x2eff/0x3640
[   35.172407]  [<ffffffff8153d0d4>] __asan_report_load8_noabort+0x14/0x20
[   35.179128]  [<ffffffff8123db6f>] __lock_acquire+0x2eff/0x3640
[   35.185072]  [<ffffffff8123b299>] ? __lock_acquire+0x629/0x3640
[   35.191097]  [<ffffffff8123ac70>] ? debug_check_no_locks_freed+0x2c0/0x2c0
[   35.198076]  [<ffffffff8123ac70>] ? debug_check_no_locks_freed+0x2c0/0x2c0
[   35.205055]  [<ffffffff8123ac70>] ? debug_check_no_locks_freed+0x2c0/0x2c0
[   35.212038]  [<ffffffff8123a05f>] ? mark_held_locks+0xaf/0x100
[   35.217977]  [<ffffffff838a7203>] ? mutex_lock_nested+0x5e3/0x870
[   35.224182]  [<ffffffff8123ecee>] lock_acquire+0x12e/0x410
[   35.229779]  [<ffffffff81223254>] ? remove_wait_queue+0x14/0x40
[   35.235810]  [<ffffffff838b08ce>] _raw_spin_lock_irqsave+0x4e/0x70
[   35.242102]  [<ffffffff81223254>] ? remove_wait_queue+0x14/0x40
[   35.248123]  [<ffffffff81223254>] remove_wait_queue+0x14/0x40
[   35.253973]  [<ffffffff8164fa8f>] ep_unregister_pollwait.isra.6+0xaf/0x240
[   35.260956]  [<ffffffff8164fb0a>] ? ep_unregister_pollwait.isra.6+0x12a/0x240
[   35.268196]  [<ffffffff816508f0>] ? ep_free+0x1b0/0x1b0
[   35.273526]  [<ffffffff816507d6>] ep_free+0x96/0x1b0
[   35.278594]  [<ffffffff816508f0>] ? ep_free+0x1b0/0x1b0
[   35.283923]  [<ffffffff81650934>] ep_eventpoll_release+0x44/0x60
[   35.290039]  [<ffffffff81573eec>] __fput+0x28c/0x6e0
[   35.295106]  [<ffffffff815743c5>] ____fput+0x15/0x20
[   35.300180]  [<ffffffff81194675>] task_work_run+0x115/0x190
[   35.305865]  [<ffffffff8113b157>] do_exit+0x7e7/0x2a40
[   35.311107]  [<ffffffff814cd7a0>] ? __pmd_alloc+0x410/0x410
[   35.316790]  [<ffffffff8113a970>] ? release_task+0x1240/0x1240
[   35.322728]  [<ffffffff810dd65c>] ? __do_page_fault+0x5ec/0xd40
[   35.328760]  [<ffffffff8122f8fa>] ? up_read+0x1a/0x40
[   35.333914]  [<ffffffff810dd42d>] ? __do_page_fault+0x3bd/0xd40
[   35.340030]  [<ffffffff81141868>] do_group_exit+0x108/0x320
[   35.345706]  [<ffffffff81141a80>] ? do_group_exit+0x320/0x320
[   35.351554]  [<ffffffff81141a9d>] SyS_exit_group+0x1d/0x20
[   35.357144]  [<ffffffff81006fc7>] do_fast_syscall_32+0x2f7/0x890
[   35.363254]  [<ffffffff81003036>] ? trace_hardirqs_off_thunk+0x1a/0x1c
[   35.369896]  [<ffffffff838b2334>] entry_SYSENTER_compat+0x74/0x83
[   35.376152] Dumping ftrace buffer:
[   35.379658]    (ftrace buffer empty)
[   35.383335] Kernel Offset: disabled
[   35.386924] Rebooting in 86400 seconds..