[ ok ] Starting enhanced syslogd: rsyslogd.
[   10.434754] audit: type=1400 audit(1515500350.584:4): avc:  denied  { syslog } for  pid=3159 comm="rsyslogd" capability=34  scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=capability2 permissive=1
Starting mcstransd:
[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting file context maintaining daemon: restorecond.
[ ok ] Starting OpenBSD Secure Shell server: sshd.

Debian GNU/Linux 7 syzkaller ttyS0

Warning: Permanently added '10.128.0.13' (ECDSA) to the list of known hosts.
executing program
syzkaller login: [   34.607961] ==================================================================
[   34.609227] BUG: KASAN: use-after-free in __lock_acquire+0x2eff/0x3640
[   34.610124] Read of size 8 at addr ffff8801c9a19738 by task syzkaller990660/3328
[   34.611197] 
[   34.611430] CPU: 0 PID: 3328 Comm: syzkaller990660 Not tainted 4.9.75-gb54d99a #8
[   34.612468] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   34.613815]  ffff8801c88c78e0 ffffffff81d93049 ffffea0007268600 ffff8801c9a19738
[   34.615049]  0000000000000000 ffff8801c9a19738 ffff8801c9a19738 ffff8801c88c7918
[   34.616306]  ffffffff8153ca53 ffff8801c9a19738 0000000000000008 0000000000000000
[   34.617525] Call Trace:
[   34.617918]  [<ffffffff81d93049>] dump_stack+0xc1/0x128
[   34.618631]  [<ffffffff8153ca53>] print_address_description+0x73/0x280
[   34.619625]  [<ffffffff8153cf75>] kasan_report+0x275/0x360
[   34.620415]  [<ffffffff8123db6f>] ? __lock_acquire+0x2eff/0x3640
[   34.621223]  [<ffffffff8153d0d4>] __asan_report_load8_noabort+0x14/0x20
[   34.622108]  [<ffffffff8123db6f>] __lock_acquire+0x2eff/0x3640
[   34.622925]  [<ffffffff8123b299>] ? __lock_acquire+0x629/0x3640
[   34.623751]  [<ffffffff8123ac70>] ? debug_check_no_locks_freed+0x2c0/0x2c0
[   34.624713]  [<ffffffff8123ac70>] ? debug_check_no_locks_freed+0x2c0/0x2c0
[   34.625636]  [<ffffffff8123ac70>] ? debug_check_no_locks_freed+0x2c0/0x2c0
[   34.626554]  [<ffffffff8123a05f>] ? mark_held_locks+0xaf/0x100
[   34.627417]  [<ffffffff838a7203>] ? mutex_lock_nested+0x5e3/0x870
[   34.629325]  [<ffffffff8123ecee>] lock_acquire+0x12e/0x410
[   34.634924]  [<ffffffff81223254>] ? remove_wait_queue+0x14/0x40
[   34.640949]  [<ffffffff838b08ce>] _raw_spin_lock_irqsave+0x4e/0x70
[   34.647244]  [<ffffffff81223254>] ? remove_wait_queue+0x14/0x40
[   34.653267]  [<ffffffff81223254>] remove_wait_queue+0x14/0x40
[   34.659121]  [<ffffffff8164fa8f>] ep_unregister_pollwait.isra.6+0xaf/0x240
[   34.666110]  [<ffffffff8164fb0a>] ? ep_unregister_pollwait.isra.6+0x12a/0x240
[   34.673347]  [<ffffffff816508f0>] ? ep_free+0x1b0/0x1b0
[   34.678674]  [<ffffffff816507d6>] ep_free+0x96/0x1b0
[   34.683750]  [<ffffffff816508f0>] ? ep_free+0x1b0/0x1b0
[   34.689078]  [<ffffffff81650934>] ep_eventpoll_release+0x44/0x60
[   34.695198]  [<ffffffff81573eec>] __fput+0x28c/0x6e0
[   34.700265]  [<ffffffff815743c5>] ____fput+0x15/0x20
[   34.705333]  [<ffffffff81194675>] task_work_run+0x115/0x190
[   34.711011]  [<ffffffff8113b157>] do_exit+0x7e7/0x2a40
[   34.716270]  [<ffffffff81be9385>] ? selinux_file_ioctl+0x355/0x530
[   34.722555]  [<ffffffff8113a970>] ? release_task+0x1240/0x1240
[   34.728494]  [<ffffffff81652830>] ? SyS_epoll_create+0x190/0x190
[   34.734608]  [<ffffffff838b0a8a>] ? entry_SYSCALL_64_fastpath+0x5/0xe2
[   34.741241]  [<ffffffff81141868>] do_group_exit+0x108/0x320
[   34.746922]  [<ffffffff81141a9d>] SyS_exit_group+0x1d/0x20
[   34.752512]  [<ffffffff838b0aa8>] entry_SYSCALL_64_fastpath+0x23/0xe2
[   34.759054] 
[   34.760648] Allocated by task 3328:
[   34.764243]  save_stack_trace+0x16/0x20
[   34.768184]  save_stack+0x43/0xd0
[   34.771602]  kasan_kmalloc+0xad/0xe0
[   34.775281]  kmem_cache_alloc_trace+0xfb/0x2a0
[   34.779830]  binder_get_thread+0x15d/0x750
[   34.784030]  binder_poll+0x4a/0x210
[   34.787625]  SyS_epoll_ctl+0x11d7/0x2190
[   34.791649]  entry_SYSCALL_64_fastpath+0x23/0xe2
[   34.796367] 
[   34.797961] Freed by task 3328:
[   34.801205]  save_stack_trace+0x16/0x20
[   34.805144]  save_stack+0x43/0xd0
[   34.808561]  kasan_slab_free+0x72/0xc0
[   34.812412]  kfree+0x103/0x300
[   34.815579]  binder_thread_dec_tmpref+0x1cc/0x240
[   34.820394]  binder_thread_release+0x27d/0x540
[   34.824941]  binder_ioctl+0x9c0/0x11b0
[   34.828798]  do_vfs_ioctl+0x1aa/0x1140
[   34.832648]  SyS_ioctl+0x8f/0xc0
[   34.835982]  entry_SYSCALL_64_fastpath+0x23/0xe2
[   34.840700] 
[   34.842293] The buggy address belongs to the object at ffff8801c9a19680
[   34.842293]  which belongs to the cache kmalloc-512 of size 512
[   34.854915] The buggy address is located 184 bytes inside of
[   34.854915]  512-byte region [ffff8801c9a19680, ffff8801c9a19880)
[   34.866754] The buggy address belongs to the page:
[   34.871665] page:ffffea0007268600 count:1 mapcount:0 mapping:          (null) index:0x0 compound_mapcount: 0
[   34.881829] flags: 0x8000000000004080(slab|head)
[   34.886572] page dumped because: kasan: bad access detected
[   34.892250] 
[   34.893841] Memory state around the buggy address:
[   34.898736]  ffff8801c9a19600: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   34.906060]  ffff8801c9a19680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   34.913384] >ffff8801c9a19700: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   34.920717]                                         ^
[   34.925871]  ffff8801c9a19780: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   34.933193]  ffff8801c9a19800: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   34.940514] ==================================================================
[   34.947839] Disabling lock debugging due to kernel taint
[   34.953253] Kernel panic - not syncing: panic_on_warn set ...
[   34.953253] 
[   34.960666] CPU: 0 PID: 3328 Comm: syzkaller990660 Tainted: G    B           4.9.75-gb54d99a #8
[   34.969465] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   34.978788]  ffff8801c88c7838 ffffffff81d93049 ffffffff84195be7 ffff8801c88c7910
[   34.986745]  0000000000000000 ffff8801c9a19738 ffff8801c9a19738 ffff8801c88c7900
[   34.994696]  ffffffff8142e281 0000000041b58ab3 ffffffff84189648 ffffffff8142e0c5
[   35.003259] Call Trace:
[   35.005815]  [<ffffffff81d93049>] dump_stack+0xc1/0x128
[   35.011143]  [<ffffffff8142e281>] panic+0x1bc/0x3a8
[   35.016126]  [<ffffffff8142e0c5>] ? percpu_up_read_preempt_enable.constprop.53+0xd7/0xd7
[   35.024322]  [<ffffffff8112f8e0>] ? add_taint+0x40/0x50
[   35.029655]  [<ffffffff8153c9c0>] kasan_end_report+0x50/0x50
[   35.035420]  [<ffffffff8153ce67>] kasan_report+0x167/0x360
[   35.041010]  [<ffffffff8123db6f>] ? __lock_acquire+0x2eff/0x3640
[   35.047120]  [<ffffffff8153d0d4>] __asan_report_load8_noabort+0x14/0x20
[   35.053846]  [<ffffffff8123db6f>] __lock_acquire+0x2eff/0x3640
[   35.059792]  [<ffffffff8123b299>] ? __lock_acquire+0x629/0x3640
[   35.065826]  [<ffffffff8123ac70>] ? debug_check_no_locks_freed+0x2c0/0x2c0
[   35.072808]  [<ffffffff8123ac70>] ? debug_check_no_locks_freed+0x2c0/0x2c0
[   35.079788]  [<ffffffff8123ac70>] ? debug_check_no_locks_freed+0x2c0/0x2c0
[   35.086863]  [<ffffffff8123a05f>] ? mark_held_locks+0xaf/0x100
[   35.092800]  [<ffffffff838a7203>] ? mutex_lock_nested+0x5e3/0x870
[   35.099000]  [<ffffffff8123ecee>] lock_acquire+0x12e/0x410
[   35.104598]  [<ffffffff81223254>] ? remove_wait_queue+0x14/0x40
[   35.110637]  [<ffffffff838b08ce>] _raw_spin_lock_irqsave+0x4e/0x70
[   35.116930]  [<ffffffff81223254>] ? remove_wait_queue+0x14/0x40
[   35.122956]  [<ffffffff81223254>] remove_wait_queue+0x14/0x40
[   35.128817]  [<ffffffff8164fa8f>] ep_unregister_pollwait.isra.6+0xaf/0x240
[   35.135796]  [<ffffffff8164fb0a>] ? ep_unregister_pollwait.isra.6+0x12a/0x240
[   35.143034]  [<ffffffff816508f0>] ? ep_free+0x1b0/0x1b0
[   35.148366]  [<ffffffff816507d6>] ep_free+0x96/0x1b0
[   35.153435]  [<ffffffff816508f0>] ? ep_free+0x1b0/0x1b0
[   35.158852]  [<ffffffff81650934>] ep_eventpoll_release+0x44/0x60
[   35.164966]  [<ffffffff81573eec>] __fput+0x28c/0x6e0
[   35.170036]  [<ffffffff815743c5>] ____fput+0x15/0x20
[   35.175111]  [<ffffffff81194675>] task_work_run+0x115/0x190
[   35.180798]  [<ffffffff8113b157>] do_exit+0x7e7/0x2a40
[   35.186041]  [<ffffffff81be9385>] ? selinux_file_ioctl+0x355/0x530
[   35.192333]  [<ffffffff8113a970>] ? release_task+0x1240/0x1240
[   35.198290]  [<ffffffff81652830>] ? SyS_epoll_create+0x190/0x190
[   35.204403]  [<ffffffff838b0a8a>] ? entry_SYSCALL_64_fastpath+0x5/0xe2
[   35.211035]  [<ffffffff81141868>] do_group_exit+0x108/0x320
[   35.216712]  [<ffffffff81141a9d>] SyS_exit_group+0x1d/0x20
[   35.222300]  [<ffffffff838b0aa8>] entry_SYSCALL_64_fastpath+0x23/0xe2
[   35.228895] Dumping ftrace buffer:
[   35.232404]    (ftrace buffer empty)
[   35.236080] Kernel Offset: disabled
[   35.239670] Rebooting in 86400 seconds..