[ ok ] Starting enhanced syslogd: rsyslogd[   11.034620] audit: type=1400 audit(1516452616.267:4): avc:  denied  { syslog } for  pid=3176 comm="rsyslogd" capability=34  scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=capability2 permissive=1
.
[ ok ] Starting periodic command scheduler: cron.
Starting mcstransd: 
[ ok ] Starting OpenBSD Secure Shell server: sshd.
[ ok ] Starting file context maintaining daemon: restorecond.

Debian GNU/Linux 7 syzkaller ttyS0

Warning: Permanently added '10.128.0.56' (ECDSA) to the list of known hosts.
executing program
syzkaller login: [   26.905463] ==================================================================
[   26.906592] BUG: KASAN: use-after-free in __lock_acquire+0x2eff/0x3640
[   26.907489] Read of size 8 at addr ffff8801cd06cd38 by task syzkaller436523/3333
[   26.908493] 
[   26.908727] CPU: 1 PID: 3333 Comm: syzkaller436523 Not tainted 4.9.77-ge12a9c4 #27
[   26.909770] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   26.910995]  ffff8801c9b17870 ffffffff81d941c9 ffffea0007341b00 ffff8801cd06cd38
[   26.912157]  0000000000000000 ffff8801cd06cd38 ffff8801cd06cd38 ffff8801c9b178a8
[   26.913310]  ffffffff8153db93 ffff8801cd06cd38 0000000000000008 0000000000000000
[   26.914492] Call Trace:
[   26.914856]  [<ffffffff81d941c9>] dump_stack+0xc1/0x128
[   26.915610]  [<ffffffff8153db93>] print_address_description+0x73/0x280
[   26.916536]  [<ffffffff8153e0b5>] kasan_report+0x275/0x360
[   26.917297]  [<ffffffff8123ec9f>] ? __lock_acquire+0x2eff/0x3640
[   26.918121]  [<ffffffff8153e214>] __asan_report_load8_noabort+0x14/0x20
[   26.919046]  [<ffffffff8123ec9f>] __lock_acquire+0x2eff/0x3640
[   26.919840]  [<ffffffff8123c3c9>] ? __lock_acquire+0x629/0x3640
[   26.920641]  [<ffffffff8123bda0>] ? debug_check_no_locks_freed+0x2c0/0x2c0
[   26.921578]  [<ffffffff8123bda0>] ? debug_check_no_locks_freed+0x2c0/0x2c0
[   26.922544]  [<ffffffff8123bda0>] ? debug_check_no_locks_freed+0x2c0/0x2c0
[   26.923466]  [<ffffffff8123b18f>] ? mark_held_locks+0xaf/0x100
[   26.924269]  [<ffffffff838a93a3>] ? mutex_lock_nested+0x5e3/0x870
[   26.925119]  [<ffffffff8123fe1e>] lock_acquire+0x12e/0x410
[   26.927711]  [<ffffffff81224384>] ? remove_wait_queue+0x14/0x40
[   26.933743]  [<ffffffff838b2a6e>] _raw_spin_lock_irqsave+0x4e/0x70
[   26.940034]  [<ffffffff81224384>] ? remove_wait_queue+0x14/0x40
[   26.946062]  [<ffffffff81224384>] remove_wait_queue+0x14/0x40
[   26.951921]  [<ffffffff81650bcf>] ep_unregister_pollwait.isra.6+0xaf/0x240
[   26.958906]  [<ffffffff81650c4a>] ? ep_unregister_pollwait.isra.6+0x12a/0x240
[   26.966149]  [<ffffffff81651a30>] ? ep_free+0x1b0/0x1b0
[   26.971484]  [<ffffffff81651916>] ep_free+0x96/0x1b0
[   26.976558]  [<ffffffff81651a30>] ? ep_free+0x1b0/0x1b0
[   26.981892]  [<ffffffff81651a74>] ep_eventpoll_release+0x44/0x60
[   26.988010]  [<ffffffff8157502c>] __fput+0x28c/0x6e0
[   26.993094]  [<ffffffff81575505>] ____fput+0x15/0x20
[   26.998167]  [<ffffffff81195795>] task_work_run+0x115/0x190
[   27.003939]  [<ffffffff8113c247>] do_exit+0x7e7/0x2a40
[   27.009186]  [<ffffffff814ce8e0>] ? __pmd_alloc+0x410/0x410
[   27.014882]  [<ffffffff8113ba60>] ? release_task+0x1240/0x1240
[   27.020838]  [<ffffffff810de65c>] ? __do_page_fault+0x5ec/0xd40
[   27.026868]  [<ffffffff81230a2a>] ? up_read+0x1a/0x40
[   27.032027]  [<ffffffff810de42d>] ? __do_page_fault+0x3bd/0xd40
[   27.038066]  [<ffffffff81142958>] do_group_exit+0x108/0x320
[   27.043760]  [<ffffffff81142b70>] ? do_group_exit+0x320/0x320
[   27.049620]  [<ffffffff81142b8d>] SyS_exit_group+0x1d/0x20
[   27.055230]  [<ffffffff81006fc7>] do_fast_syscall_32+0x2f7/0x890
[   27.061346]  [<ffffffff81003036>] ? trace_hardirqs_off_thunk+0x1a/0x1c
[   27.067997]  [<ffffffff838b44b4>] entry_SYSENTER_compat+0x74/0x83
[   27.074207] 
[   27.075802] Allocated by task 3333:
[   27.079402]  save_stack_trace+0x16/0x20
[   27.083354]  save_stack+0x43/0xd0
[   27.086780]  kasan_kmalloc+0xad/0xe0
[   27.090462]  kmem_cache_alloc_trace+0xfb/0x2a0
[   27.095013]  binder_get_thread+0x15d/0x750
[   27.099218]  binder_poll+0x4a/0x210
[   27.102816]  SyS_epoll_ctl+0x11d7/0x2190
[   27.106857]  do_fast_syscall_32+0x2f7/0x890
[   27.111151]  entry_SYSENTER_compat+0x74/0x83
[   27.115543] 
[   27.117139] Freed by task 3333:
[   27.120388]  save_stack_trace+0x16/0x20
[   27.124330]  save_stack+0x43/0xd0
[   27.127750]  kasan_slab_free+0x72/0xc0
[   27.131616]  kfree+0x103/0x300
[   27.134793]  binder_thread_dec_tmpref+0x1cc/0x240
[   27.139617]  binder_thread_release+0x27d/0x540
[   27.144168]  binder_ioctl+0x9c0/0x11b0
[   27.148040]  compat_SyS_ioctl+0x15f/0x2050
[   27.152246]  do_fast_syscall_32+0x2f7/0x890
[   27.156548]  entry_SYSENTER_compat+0x74/0x83
[   27.160924] 
[   27.162545] The buggy address belongs to the object at ffff8801cd06cc80
[   27.162545]  which belongs to the cache kmalloc-512 of size 512
[   27.175181] The buggy address is located 184 bytes inside of
[   27.175181]  512-byte region [ffff8801cd06cc80, ffff8801cd06ce80)
[   27.187029] The buggy address belongs to the page:
[   27.191939] page:ffffea0007341b00 count:1 mapcount:0 mapping:          (null) index:0x0 compound_mapcount: 0
[   27.202107] flags: 0x8000000000004080(slab|head)
[   27.206840] page dumped because: kasan: bad access detected
[   27.212520] 
[   27.214127] Memory state around the buggy address:
[   27.219028]  ffff8801cd06cc00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   27.226368]  ffff8801cd06cc80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   27.233697] >ffff8801cd06cd00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   27.241041]                                         ^
[   27.246209]  ffff8801cd06cd80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   27.253539]  ffff8801cd06ce00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   27.260878] ==================================================================
[   27.268216] Disabling lock debugging due to kernel taint
[   27.273644] Kernel panic - not syncing: panic_on_warn set ...
[   27.273644] 
[   27.280979] CPU: 1 PID: 3333 Comm: syzkaller436523 Tainted: G    B           4.9.77-ge12a9c4 #27
[   27.289871] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   27.299198]  ffff8801c9b177c8 ffffffff81d941c9 ffffffff841970ff ffff8801c9b178a0
[   27.307196]  0000000000000000 ffff8801cd06cd38 ffff8801cd06cd38 ffff8801c9b17890
[   27.315165]  ffffffff8142f3c1 0000000041b58ab3 ffffffff8418ab70 ffffffff8142f205
[   27.323167] Call Trace:
[   27.325726]  [<ffffffff81d941c9>] dump_stack+0xc1/0x128
[   27.331064]  [<ffffffff8142f3c1>] panic+0x1bc/0x3a8
[   27.336064]  [<ffffffff8142f205>] ? percpu_up_read_preempt_enable.constprop.53+0xd7/0xd7
[   27.344996]  [<ffffffff811309d0>] ? add_taint+0x40/0x50
[   27.350335]  [<ffffffff8153db00>] kasan_end_report+0x50/0x50
[   27.356113]  [<ffffffff8153dfa7>] kasan_report+0x167/0x360
[   27.361710]  [<ffffffff8123ec9f>] ? __lock_acquire+0x2eff/0x3640
[   27.367825]  [<ffffffff8153e214>] __asan_report_load8_noabort+0x14/0x20
[   27.374551]  [<ffffffff8123ec9f>] __lock_acquire+0x2eff/0x3640
[   27.380495]  [<ffffffff8123c3c9>] ? __lock_acquire+0x629/0x3640
[   27.386526]  [<ffffffff8123bda0>] ? debug_check_no_locks_freed+0x2c0/0x2c0
[   27.393527]  [<ffffffff8123bda0>] ? debug_check_no_locks_freed+0x2c0/0x2c0
[   27.400514]  [<ffffffff8123bda0>] ? debug_check_no_locks_freed+0x2c0/0x2c0
[   27.407496]  [<ffffffff8123b18f>] ? mark_held_locks+0xaf/0x100
[   27.413454]  [<ffffffff838a93a3>] ? mutex_lock_nested+0x5e3/0x870
[   27.419655]  [<ffffffff8123fe1e>] lock_acquire+0x12e/0x410
[   27.425249]  [<ffffffff81224384>] ? remove_wait_queue+0x14/0x40
[   27.431278]  [<ffffffff838b2a6e>] _raw_spin_lock_irqsave+0x4e/0x70
[   27.437565]  [<ffffffff81224384>] ? remove_wait_queue+0x14/0x40
[   27.443604]  [<ffffffff81224384>] remove_wait_queue+0x14/0x40
[   27.449472]  [<ffffffff81650bcf>] ep_unregister_pollwait.isra.6+0xaf/0x240
[   27.456454]  [<ffffffff81650c4a>] ? ep_unregister_pollwait.isra.6+0x12a/0x240
[   27.463699]  [<ffffffff81651a30>] ? ep_free+0x1b0/0x1b0
[   27.469044]  [<ffffffff81651916>] ep_free+0x96/0x1b0
[   27.474117]  [<ffffffff81651a30>] ? ep_free+0x1b0/0x1b0
[   27.479449]  [<ffffffff81651a74>] ep_eventpoll_release+0x44/0x60
[   27.485561]  [<ffffffff8157502c>] __fput+0x28c/0x6e0
[   27.490632]  [<ffffffff81575505>] ____fput+0x15/0x20
[   27.495703]  [<ffffffff81195795>] task_work_run+0x115/0x190
[   27.501380]  [<ffffffff8113c247>] do_exit+0x7e7/0x2a40
[   27.506651]  [<ffffffff814ce8e0>] ? __pmd_alloc+0x410/0x410
[   27.512331]  [<ffffffff8113ba60>] ? release_task+0x1240/0x1240
[   27.518284]  [<ffffffff810de65c>] ? __do_page_fault+0x5ec/0xd40
[   27.524326]  [<ffffffff81230a2a>] ? up_read+0x1a/0x40
[   27.529486]  [<ffffffff810de42d>] ? __do_page_fault+0x3bd/0xd40
[   27.535513]  [<ffffffff81142958>] do_group_exit+0x108/0x320
[   27.541196]  [<ffffffff81142b70>] ? do_group_exit+0x320/0x320
[   27.547062]  [<ffffffff81142b8d>] SyS_exit_group+0x1d/0x20
[   27.552667]  [<ffffffff81006fc7>] do_fast_syscall_32+0x2f7/0x890
[   27.558790]  [<ffffffff81003036>] ? trace_hardirqs_off_thunk+0x1a/0x1c
[   27.565439]  [<ffffffff838b44b4>] entry_SYSENTER_compat+0x74/0x83
[   27.572049] Dumping ftrace buffer:
[   27.575566]    (ftrace buffer empty)
[   27.579258] Kernel Offset: disabled
[   27.582854] Rebooting in 86400 seconds..