[ 36.195104] audit: type=1800 audit(1552135164.694:30): pid=7386 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="rmnologin" dev="sda1" ino=2423 res=0
Debian GNU/Linux 7 syzkaller ttyS0
Warning: Permanently added '10.128.0.206' (ECDSA) to the list of known hosts.
executing program
executing program
executing program
executing program
executing program
executing program
executing program
syzkaller login: [ 44.289835] binder: 7544:7544 transaction failed 29189/-22, size 0-8 line 2994
[ 44.291849] binder: 7549:7549 transaction failed 29189/-22, size 0-8 line 2994
[ 44.303057] binder: 7550:7550 transaction failed 29189/-22, size 0-8 line 2994
[ 44.310624] binder: 7551:7551 transaction failed 29189/-22, size 0-8 line 2994
[ 44.315394] binder: 7552:7552 transaction failed 29189/-22, size 0-8 line 2994
[ 44.325593] binder: undelivered TRANSACTION_ERROR: 29189
executing program
[ 44.332501] ------------[ cut here ]------------
[ 44.341077] kernel BUG at drivers/android/binder_alloc.c:1141!
[ 44.342265] binder: undelivered TRANSACTION_ERROR: 29189
[ 44.348379] binder: BINDER_SET_CONTEXT_MGR already set
[ 44.359059] binder: 7544:7544 ioctl 40046207 0 returned -16
[ 44.359443] binder_alloc: 7551: binder_alloc_buf, no vma
[ 44.365328] binder: BINDER_SET_CONTEXT_MGR already set
[ 44.376155] invalid opcode: 0000 [#1] PREEMPT SMP KASAN
[ 44.376209] binder: 7554:7554 transaction failed 29189/-3, size 0-8 line 3147
[ 44.381530] CPU: 0 PID: 7553 Comm: syz-executor373 Not tainted 5.0.0+ #13
[ 44.381537] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 44.381556] RIP: 0010:binder_alloc_do_buffer_copy+0xd6/0x510
[ 44.381569] Code: 02 00 0f 85 20 04 00 00 4d 8b 64 24 58 49 29 dc e8 1f 18 28 fc 4c 89 e6 4c 89 ef e8 34 19 28 fc 4d 39 e5 76 07 e8 0a 18 28 fc <0f> 0b e8 03 18 28 fc 4c 8b 75 d0 4d 29 ec 4c 89 e6 4c 89 f7 e8 11
[ 44.391074] binder: undelivered TRANSACTION_ERROR: 29189
[ 44.395749] RSP: 0018:ffff888088057550 EFLAGS: 00010293
[ 44.395761] RAX: ffff888090bea280 RBX: 0000000020004000 RCX: ffffffff85483dec
[ 44.395768] RDX: 0000000000000000 RSI: ffffffff85483df6 RDI: 0000000000000006
[ 44.395774] RBP: ffff8880880575d0 R08: ffff888090bea280 R09: 0000000000000028
[ 44.395781] R10: ffffed101100af01 R11: ffff88808805780f R12: 0000000000000008
[ 44.395787] R13: 0000000000000028 R14: ffff888090ed0b50 R15: 0000000000000000
[ 44.395796] FS: 0000000001942940(0000) GS:ffff8880ae800000(0000) knlGS:0000000000000000
executing program
[ 44.395803] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 44.395812] CR2: 0000000000000000 CR3: 0000000099802000 CR4: 00000000001406f0
[ 44.405359] binder: 7552:7552 ioctl 40046207 0 returned -16
[ 44.410938] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 44.410945] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[ 44.410949] Call Trace:
[ 44.410968] ? memcpy+0x46/0x50
[ 44.410989] binder_alloc_copy_from_buffer+0x37/0x42
[ 44.430111] binder: undelivered TRANSACTION_ERROR: 29189
[ 44.435881] binder_get_object+0xc3/0x200
executing program
executing program
executing program
executing program
executing program
executing program
[ 44.435896] binder_transaction+0x2b4a/0x6690
[ 44.435918] ? binder_thread_read+0x3d50/0x3d50
[ 44.444954] binder_alloc: 7550: binder_alloc_buf, no vma
[ 44.448630] ? __lock_acquire+0x548/0x3fb0
[ 44.448648] ? __might_fault+0x12b/0x1e0
[ 44.448661] ? lock_downgrade+0x880/0x880
[ 44.456439] binder: BINDER_SET_CONTEXT_MGR already set
[ 44.463188] ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[ 44.463202] ? _copy_from_user+0xdd/0x150
[ 44.470693] binder: 7555:7555 transaction failed 29189/-3, size 0-8 line 3147
executing program
[ 44.477716] binder_thread_write+0x64a/0x2820
[ 44.477734] ? binder_transaction+0x6690/0x6690
[ 44.477746] ? __might_fault+0x12b/0x1e0
[ 44.477768] ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[ 44.486383] binder: undelivered TRANSACTION_ERROR: 29189
[ 44.491852] ? _copy_from_user+0xdd/0x150
[ 44.491868] binder_ioctl+0x1033/0x183b
[ 44.491882] ? binder_thread_write+0x2820/0x2820
[ 44.499419] binder: 7554:7554 ioctl 40046207 0 returned -16
[ 44.505038] ? tomoyo_path_number_perm+0x263/0x520
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
[ 44.505051] ? tomoyo_execute_permission+0x4a0/0x4a0
[ 44.505074] ? binder_thread_write+0x2820/0x2820
[ 44.512946] binder: undelivered TRANSACTION_ERROR: 29189
[ 44.519686] do_vfs_ioctl+0xd6e/0x1390
[ 44.519700] ? ioctl_preallocate+0x210/0x210
[ 44.519714] ? __do_page_fault+0x623/0xda0
[ 44.519729] ? lock_downgrade+0x880/0x880
[ 44.525254] binder: undelivered TRANSACTION_ERROR: 29189
[ 44.525564] ? tomoyo_file_ioctl+0x23/0x30
[ 44.533900] binder: 7558:7558 transaction failed 29189/-22, size 0-8 line 2994
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
[ 44.536277] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 44.536290] ? security_file_ioctl+0x93/0xc0
[ 44.536304] ksys_ioctl+0xab/0xd0
[ 44.541064] binder: undelivered TRANSACTION_ERROR: 29189
[ 44.545905] __x64_sys_ioctl+0x73/0xb0
[ 44.545920] do_syscall_64+0x103/0x610
[ 44.545936] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 44.545947] RIP: 0033:0x445689
[ 44.554343] binder: 7556:7556 transaction failed 29189/-22, size 0-8 line 2994
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
[ 44.556150] Code: e8 ac e8 ff ff 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 0b cd fb ff c3 66 2e 0f 1f 84 00 00 00 00
[ 44.556156] RSP: 002b:00007fffad011a58 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[ 44.556168] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000000445689
[ 44.556174] RDX: 00000000200003c0 RSI: 00000000c0306201 RDI: 0000000000000003
[ 44.556183] RBP: 0000000000000000 R08: 0000000000000004 R09: 00000000004028b0
[ 44.561118] binder: undelivered TRANSACTION_ERROR: 29189
executing program
executing program
executing program
executing program
executing program
executing program
[ 44.564534] R10: 000000000000000f R11: 0000000000000246 R12: 0000000000402820
[ 44.564542] R13: 00000000004028b0 R14: 0000000000000000 R15: 0000000000000000
[ 44.564556] Modules linked in:
[ 44.572170] binder_alloc: 7556: binder_alloc_buf, no vma
[ 44.581342] ---[ end trace e9be2556065b3ab4 ]---
[ 44.585799] binder: 7561:7561 transaction failed 29189/-22, size 0-8 line 2994
[ 44.591319] RIP: 0010:binder_alloc_do_buffer_copy+0xd6/0x510
[ 44.596602] binder: BINDER_SET_CONTEXT_MGR already set
[ 44.601269] binder_alloc: 7556: binder_alloc_buf, no vma
executing program
[ 44.607442] binder: undelivered TRANSACTION_ERROR: 29189
[ 44.611159] Code: 02 00 0f 85 20 04 00 00 4d 8b 64 24 58 49 29 dc e8 1f 18 28 fc 4c 89 e6 4c 89 ef e8 34 19 28 fc 4d 39 e5 76 07 e8 0a 18 28 fc <0f> 0b e8 03 18 28 fc 4c 8b 75 d0 4d 29 ec 4c 89 e6 4c 89 f7 e8 11
[ 44.617163] binder: 7561:7561 ioctl 40046207 0 returned -16
[ 44.622049] binder_alloc: 7556: binder_alloc_buf, no vma
[ 44.627658] binder_alloc: 7559: binder_alloc_buf, no vma
[ 44.631076] binder_alloc: 7556: binder_alloc_buf, no vma
[ 44.640441] RSP: 0018:ffff888088057550 EFLAGS: 00010293
[ 44.773194] binder_alloc: 7564: binder_alloc_buf failed to map pages in userspace, no vma
[ 44.781836] RAX: ffff888090bea280 RBX: 0000000020004000 RCX: ffffffff85483dec
[ 44.808971] binder_alloc: 7564: binder_alloc_buf, no vma
[ 44.815101] RDX: 0000000000000000 RSI: ffffffff85483df6 RDI: 0000000000000006
[ 44.818483] binder_alloc: 7564: binder_alloc_buf, no vma
[ 44.824499] RBP: ffff8880880575d0 R08: ffff888090bea280 R09: 0000000000000028
[ 44.832740] binder_alloc: 7564: binder_alloc_buf, no vma
[ 44.838942] ------------[ cut here ]------------
[ 44.842778] binder: BINDER_SET_CONTEXT_MGR already set
[ 44.846919] kernel BUG at drivers/android/binder_alloc.c:1141!
[ 44.865676] invalid opcode: 0000 [#2] PREEMPT SMP KASAN
[ 44.867277] binder: 7601:7601 ioctl 40046207 0 returned -16
[ 44.871605] CPU: 1 PID: 7610 Comm: syz-executor373 Tainted: G D 5.0.0+ #13
[ 44.871612] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 44.871631] RIP: 0010:binder_alloc_do_buffer_copy+0xd6/0x510
[ 44.871645] Code: 02 00 0f 85 20 04 00 00 4d 8b 64 24 58 49 29 dc e8 1f 18 28 fc 4c 89 e6 4c 89 ef e8 34 19 28 fc 4d 39 e5 76 07 e8 0a 18 28 fc <0f> 0b e8 03 18 28 fc 4c 8b 75 d0 4d 29 ec 4c 89 e6 4c 89 f7 e8 11
[ 44.881326] R10: ffffed101100af01 R11: ffff88808805780f R12: 0000000000000008
[ 44.882512] RSP: 0018:ffff888085827550 EFLAGS: 00010293
[ 44.882523] RAX: ffff88809eac85c0 RBX: 0000000020004000 RCX: ffffffff85483dec
[ 44.882531] RDX: 0000000000000000 RSI: ffffffff85483df6 RDI: 0000000000000006
[ 44.882538] RBP: ffff8880858275d0 R08: ffff88809eac85c0 R09: 0000000000000028
[ 44.882545] R10: ffffed1010b04f01 R11: ffff88808582780f R12: 0000000000000008
[ 44.882554] R13: 0000000000000028 R14: ffff888093288b50 R15: 0000000000000000
[ 44.890324] R13: 0000000000000028 R14: ffff888090ed0b50 R15: 0000000000000000
[ 44.893384] FS: 0000000001942940(0000) GS:ffff8880ae900000(0000) knlGS:0000000000000000
[ 44.893392] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 44.893400] CR2: 00000000006d0090 CR3: 0000000096525000 CR4: 00000000001406e0
[ 44.893411] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 44.893420] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[ 44.902019] FS: 0000000001942940(0000) GS:ffff8880ae800000(0000) knlGS:0000000000000000
[ 44.909144] Call Trace:
[ 44.909163] ? memcpy+0x46/0x50
[ 44.909185] binder_alloc_copy_from_buffer+0x37/0x42
[ 44.909198] binder_get_object+0xc3/0x200
[ 44.909210] binder_transaction+0x2b4a/0x6690
[ 44.909233] ? binder_thread_read+0x3d50/0x3d50
[ 44.914851] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 44.921943] ? mark_held_locks+0xf0/0xf0
[ 44.921956] ? mark_held_locks+0xf0/0xf0
[ 44.921979] ? __kasan_kmalloc.constprop.0+0xcf/0xe0
[ 44.921991] ? binder_get_thread+0x1db/0x7c0
[ 44.922007] ? lock_downgrade+0x880/0x880
[ 44.927627] CR2: 00007fffad011a7c CR3: 0000000099802000 CR4: 00000000001406f0
[ 44.934709] ? __might_fault+0xfb/0x1e0
[ 44.934733] ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[ 44.934748] ? _copy_from_user+0xdd/0x150
[ 44.940351] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 44.945018] binder_thread_write+0x64a/0x2820
[ 44.945038] ? binder_transaction+0x6690/0x6690
[ 44.945050] ? kasan_check_write+0x14/0x20
[ 44.945064] ? do_raw_spin_lock+0x12a/0x2e0
[ 44.950555] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[ 44.956282] ? __might_fault+0xfb/0x1e0
[ 44.956301] ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[ 44.956313] ? _copy_from_user+0xdd/0x150
[ 44.956328] binder_ioctl+0x1033/0x183b
[ 44.956343] ? binder_thread_write+0x2820/0x2820
[ 44.961851] Kernel panic - not syncing: Fatal exception
[ 44.967500] ? tomoyo_path_number_perm+0x263/0x520
[ 45.250824] ? tomoyo_execute_permission+0x4a0/0x4a0
[ 45.255931] ? binder_thread_write+0x2820/0x2820
[ 45.260699] do_vfs_ioctl+0xd6e/0x1390
[ 45.264580] ? ioctl_preallocate+0x210/0x210
[ 45.268981] ? handle_mm_fault+0xb8/0xb30
[ 45.273211] ? lock_downgrade+0x880/0x880
[ 45.277347] ? trace_hardirqs_on+0x67/0x230
[ 45.281660] ? tomoyo_file_ioctl+0x23/0x30
[ 45.285897] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 45.291423] ? security_file_ioctl+0x93/0xc0
[ 45.296262] ksys_ioctl+0xab/0xd0
[ 45.299711] __x64_sys_ioctl+0x73/0xb0
[ 45.303590] do_syscall_64+0x103/0x610
[ 45.307469] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 45.312643] RIP: 0033:0x445689
[ 45.315853] Code: e8 ac e8 ff ff 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 0b cd fb ff c3 66 2e 0f 1f 84 00 00 00 00
[ 45.334743] RSP: 002b:00007fffad011a58 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[ 45.342451] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000000445689
[ 45.349713] RDX: 00000000200003c0 RSI: 00000000c0306201 RDI: 0000000000000003
[ 45.357068] RBP: 000000000000aed1 R08: 0000000000000004 R09: 00000000004028b0
[ 45.364325] R10: 000000000000000f R11: 0000000000000246 R12: 0000000000402820
[ 45.371602] R13: 00000000004028b0 R14: 0000000000000000 R15: 0000000000000000
[ 45.378875] Modules linked in:
[ 45.383536] Kernel Offset: disabled
[ 45.387274] Rebooting in 86400 seconds..