[....] Starting enhanced syslogd: rsyslogd[   10.851653] audit: type=1400 audit(1515467861.038:4): avc:  denied  { syslog } for  pid=3173 comm="rsyslogd" capability=34  scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=capability2 permissive=1
[?25l[?1c7[ ok 8[?25h[?0c.
[ ok ] Starting periodic command scheduler: cron.
Starting mcstransd: 
[ ok ] Starting file context maintaining daemon: restorecond.
[ ok ] Starting OpenBSD Secure Shell server: sshd.

Debian GNU/Linux 7 syzkaller ttyS0

Warning: Permanently added '10.128.0.57' (ECDSA) to the list of known hosts.
executing program
syzkaller login: [   21.763122] ==================================================================
[   21.764232] BUG: KASAN: use-after-free in __lock_acquire+0x2eff/0x3640
[   21.765120] Read of size 8 at addr ffff8801c9106fb8 by task syzkaller445859/3328
[   21.766102] 
[   21.766333] CPU: 1 PID: 3328 Comm: syzkaller445859 Not tainted 4.9.75-gb54d99a #18
[   21.767350] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   21.768570]  ffff8801cbd37870 ffffffff81d93049 ffffea0007244180 ffff8801c9106fb8
[   21.769708]  0000000000000000 ffff8801c9106fb8 ffff8801c9106fb8 ffff8801cbd378a8
[   21.770896]  ffffffff8153ca53 ffff8801c9106fb8 0000000000000008 0000000000000000
[   21.772093] Call Trace:
[   21.772451]  [<ffffffff81d93049>] dump_stack+0xc1/0x128
[   21.773183]  [<ffffffff8153ca53>] print_address_description+0x73/0x280
[   21.774058]  [<ffffffff8153cf75>] kasan_report+0x275/0x360
[   21.774813]  [<ffffffff8123db6f>] ? __lock_acquire+0x2eff/0x3640
[   21.775623]  [<ffffffff8153d0d4>] __asan_report_load8_noabort+0x14/0x20
[   21.776512]  [<ffffffff8123db6f>] __lock_acquire+0x2eff/0x3640
[   21.777310]  [<ffffffff8123b299>] ? __lock_acquire+0x629/0x3640
[   21.778128]  [<ffffffff8123ac70>] ? debug_check_no_locks_freed+0x2c0/0x2c0
[   21.779063]  [<ffffffff8123ac70>] ? debug_check_no_locks_freed+0x2c0/0x2c0
[   21.780027]  [<ffffffff8123ac70>] ? debug_check_no_locks_freed+0x2c0/0x2c0
[   21.780965]  [<ffffffff8123a05f>] ? mark_held_locks+0xaf/0x100
[   21.781777]  [<ffffffff838a7203>] ? mutex_lock_nested+0x5e3/0x870
[   21.782617]  [<ffffffff8123ecee>] lock_acquire+0x12e/0x410
[   21.784065]  [<ffffffff81223254>] ? remove_wait_queue+0x14/0x40
[   21.790094]  [<ffffffff838b08ce>] _raw_spin_lock_irqsave+0x4e/0x70
[   21.796380]  [<ffffffff81223254>] ? remove_wait_queue+0x14/0x40
[   21.802406]  [<ffffffff81223254>] remove_wait_queue+0x14/0x40
[   21.808261]  [<ffffffff8164fa8f>] ep_unregister_pollwait.isra.6+0xaf/0x240
[   21.815249]  [<ffffffff8164fb0a>] ? ep_unregister_pollwait.isra.6+0x12a/0x240
[   21.822494]  [<ffffffff816508f0>] ? ep_free+0x1b0/0x1b0
[   21.827824]  [<ffffffff816507d6>] ep_free+0x96/0x1b0
[   21.832893]  [<ffffffff816508f0>] ? ep_free+0x1b0/0x1b0
[   21.838224]  [<ffffffff81650934>] ep_eventpoll_release+0x44/0x60
[   21.845652]  [<ffffffff81573eec>] __fput+0x28c/0x6e0
[   21.851852]  [<ffffffff815743c5>] ____fput+0x15/0x20
[   21.856934]  [<ffffffff81194675>] task_work_run+0x115/0x190
[   21.862614]  [<ffffffff8113b157>] do_exit+0x7e7/0x2a40
[   21.867864]  [<ffffffff814cd7a0>] ? __pmd_alloc+0x410/0x410
[   21.873544]  [<ffffffff8113a970>] ? release_task+0x1240/0x1240
[   21.879487]  [<ffffffff810dd65c>] ? __do_page_fault+0x5ec/0xd40
[   21.885515]  [<ffffffff8122f8fa>] ? up_read+0x1a/0x40
[   21.890674]  [<ffffffff810dd42d>] ? __do_page_fault+0x3bd/0xd40
[   21.896700]  [<ffffffff81141868>] do_group_exit+0x108/0x320
[   21.904108]  [<ffffffff81141a80>] ? do_group_exit+0x320/0x320
[   21.909968]  [<ffffffff81141a9d>] SyS_exit_group+0x1d/0x20
[   21.915559]  [<ffffffff81006fc7>] do_fast_syscall_32+0x2f7/0x890
[   21.921673]  [<ffffffff81003036>] ? trace_hardirqs_off_thunk+0x1a/0x1c
[   21.928306]  [<ffffffff838b2334>] entry_SYSENTER_compat+0x74/0x83
[   21.934503] 
[   21.936100] Allocated by task 3328:
[   21.939698]  save_stack_trace+0x16/0x20
[   21.943648]  save_stack+0x43/0xd0
[   21.947067]  kasan_kmalloc+0xad/0xe0
[   21.950746]  kmem_cache_alloc_trace+0xfb/0x2a0
[   21.955297]  binder_get_thread+0x15d/0x750
[   21.959497]  binder_poll+0x4a/0x210
[   21.963104]  SyS_epoll_ctl+0x11d7/0x2190
[   21.967129]  do_fast_syscall_32+0x2f7/0x890
[   21.971417]  entry_SYSENTER_compat+0x74/0x83
[   21.975788] 
[   21.977394] Freed by task 3328:
[   21.980640]  save_stack_trace+0x16/0x20
[   21.984579]  save_stack+0x43/0xd0
[   21.987997]  kasan_slab_free+0x72/0xc0
[   21.991850]  kfree+0x103/0x300
[   21.995010]  binder_thread_dec_tmpref+0x1cc/0x240
[   21.999829]  binder_thread_release+0x27d/0x540
[   22.004387]  binder_ioctl+0x9c0/0x11b0
[   22.008244]  compat_SyS_ioctl+0x15f/0x2050
[   22.012460]  do_fast_syscall_32+0x2f7/0x890
[   22.016754]  entry_SYSENTER_compat+0x74/0x83
[   22.021139] 
[   22.022737] The buggy address belongs to the object at ffff8801c9106f00
[   22.022737]  which belongs to the cache kmalloc-512 of size 512
[   22.035362] The buggy address is located 184 bytes inside of
[   22.035362]  512-byte region [ffff8801c9106f00, ffff8801c9107100)
[   22.047211] The buggy address belongs to the page:
[   22.052118] page:ffffea0007244180 count:1 mapcount:0 mapping:          (null) index:0x0 compound_mapcount: 0
[   22.062279] flags: 0x8000000000004080(slab|head)
[   22.066997] page dumped because: kasan: bad access detected
[   22.072672] 
[   22.074265] Memory state around the buggy address:
[   22.079164]  ffff8801c9106e80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   22.086576]  ffff8801c9106f00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   22.093902] >ffff8801c9106f80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   22.101235]                                         ^
[   22.106404]  ffff8801c9107000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   22.113736]  ffff8801c9107080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   22.121061] ==================================================================
[   22.128383] Disabling lock debugging due to kernel taint
[   22.133797] Kernel panic - not syncing: panic_on_warn set ...
[   22.133797] 
[   22.141127] CPU: 1 PID: 3328 Comm: syzkaller445859 Tainted: G    B           4.9.75-gb54d99a #18
[   22.150015] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   22.159338]  ffff8801cbd377c8 ffffffff81d93049 ffffffff84195be7 ffff8801cbd378a0
[   22.167301]  0000000000000000 ffff8801c9106fb8 ffff8801c9106fb8 ffff8801cbd37890
[   22.175262]  ffffffff8142e281 0000000041b58ab3 ffffffff84189648 ffffffff8142e0c5
[   22.183216] Call Trace:
[   22.185772]  [<ffffffff81d93049>] dump_stack+0xc1/0x128
[   22.191107]  [<ffffffff8142e281>] panic+0x1bc/0x3a8
[   22.196089]  [<ffffffff8142e0c5>] ? percpu_up_read_preempt_enable.constprop.53+0xd7/0xd7
[   22.205079]  [<ffffffff8112f8e0>] ? add_taint+0x40/0x50
[   22.210422]  [<ffffffff8153c9c0>] kasan_end_report+0x50/0x50
[   22.216622]  [<ffffffff8153ce67>] kasan_report+0x167/0x360
[   22.222217]  [<ffffffff8123db6f>] ? __lock_acquire+0x2eff/0x3640
[   22.228330]  [<ffffffff8153d0d4>] __asan_report_load8_noabort+0x14/0x20
[   22.235055]  [<ffffffff8123db6f>] __lock_acquire+0x2eff/0x3640
[   22.240999]  [<ffffffff8123b299>] ? __lock_acquire+0x629/0x3640
[   22.247023]  [<ffffffff8123ac70>] ? debug_check_no_locks_freed+0x2c0/0x2c0
[   22.254013]  [<ffffffff8123ac70>] ? debug_check_no_locks_freed+0x2c0/0x2c0
[   22.261002]  [<ffffffff8123ac70>] ? debug_check_no_locks_freed+0x2c0/0x2c0
[   22.267984]  [<ffffffff8123a05f>] ? mark_held_locks+0xaf/0x100
[   22.273926]  [<ffffffff838a7203>] ? mutex_lock_nested+0x5e3/0x870
[   22.280133]  [<ffffffff8123ecee>] lock_acquire+0x12e/0x410
[   22.285724]  [<ffffffff81223254>] ? remove_wait_queue+0x14/0x40
[   22.291752]  [<ffffffff838b08ce>] _raw_spin_lock_irqsave+0x4e/0x70
[   22.298038]  [<ffffffff81223254>] ? remove_wait_queue+0x14/0x40
[   22.304151]  [<ffffffff81223254>] remove_wait_queue+0x14/0x40
[   22.310006]  [<ffffffff8164fa8f>] ep_unregister_pollwait.isra.6+0xaf/0x240
[   22.316986]  [<ffffffff8164fb0a>] ? ep_unregister_pollwait.isra.6+0x12a/0x240
[   22.324237]  [<ffffffff816508f0>] ? ep_free+0x1b0/0x1b0
[   22.329571]  [<ffffffff816507d6>] ep_free+0x96/0x1b0
[   22.334641]  [<ffffffff816508f0>] ? ep_free+0x1b0/0x1b0
[   22.339983]  [<ffffffff81650934>] ep_eventpoll_release+0x44/0x60
[   22.346097]  [<ffffffff81573eec>] __fput+0x28c/0x6e0
[   22.351178]  [<ffffffff815743c5>] ____fput+0x15/0x20
[   22.356249]  [<ffffffff81194675>] task_work_run+0x115/0x190
[   22.361928]  [<ffffffff8113b157>] do_exit+0x7e7/0x2a40
[   22.367170]  [<ffffffff814cd7a0>] ? __pmd_alloc+0x410/0x410
[   22.372848]  [<ffffffff8113a970>] ? release_task+0x1240/0x1240
[   22.378802]  [<ffffffff810dd65c>] ? __do_page_fault+0x5ec/0xd40
[   22.384828]  [<ffffffff8122f8fa>] ? up_read+0x1a/0x40
[   22.389986]  [<ffffffff810dd42d>] ? __do_page_fault+0x3bd/0xd40
[   22.396012]  [<ffffffff81141868>] do_group_exit+0x108/0x320
[   22.401692]  [<ffffffff81141a80>] ? do_group_exit+0x320/0x320
[   22.407543]  [<ffffffff81141a9d>] SyS_exit_group+0x1d/0x20
[   22.413145]  [<ffffffff81006fc7>] do_fast_syscall_32+0x2f7/0x890
[   22.419267]  [<ffffffff81003036>] ? trace_hardirqs_off_thunk+0x1a/0x1c
[   22.425901]  [<ffffffff838b2334>] entry_SYSENTER_compat+0x74/0x83
[   22.432502] Dumping ftrace buffer:
[   22.436012]    (ftrace buffer empty)
[   22.439700] Kernel Offset: disabled
[   22.443293] Rebooting in 86400 seconds..