[ ok ] Starting file context maintaining daemon: restorecond.
[ ok ] Starting OpenBSD Secure Shell server: sshd.
[ 10.022946] random: sshd: uninitialized urandom read (32 bytes read)

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [ 45.884804] random: sshd: uninitialized urandom read (32 bytes read)
[ 46.151971] audit: type=1400 audit(1553645292.013:6): avc: denied { map } for pid=1778 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
[ 46.188804] random: sshd: uninitialized urandom read (32 bytes read)
[ 46.641379] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.0.207' (ECDSA) to the list of known hosts.
[ 53.067639] urandom_read: 1 callbacks suppressed
[ 53.067644] random: sshd: uninitialized urandom read (32 bytes read)
[ 53.163227] audit: type=1400 audit(1553645299.023:7): avc: denied { map } for pid=1796 comm="syz-execprog" path="/root/syz-execprog" dev="sda1" ino=1426 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
2019/03/27 00:08:20 parsed 1 programs
[ 54.173624] audit: type=1400 audit(1553645300.033:8): avc: denied { map } for pid=1796 comm="syz-execprog" path="/sys/kernel/debug/kcov" dev="debugfs" ino=5010 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:debugfs_t:s0 tclass=file permissive=1
[ 54.824493] random: cc1: uninitialized urandom read (8 bytes read)
2019/03/27 00:08:21 executed programs: 0
[ 55.846368] audit: type=1400 audit(1553645301.703:9): avc: denied { map } for pid=1796 comm="syz-execprog" path="/root/syzkaller-shm040714466" dev="sda1" ino=16483 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:file_t:s0 tclass=file permissive=1
[ 57.699489] audit: type=1400 audit(1553645303.553:10): avc: denied { map } for pid=2623 comm="syz-executor.0" path="/dev/binder0" dev="devtmpfs" ino=416 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:device_t:s0 tclass=chr_file permissive=1
[ 57.725646] binder: 2623:2626 Release 1 refcount change on invalid ref 8388609 ret -22
[ 57.736553] binder: BINDER_SET_CONTEXT_MGR already set
[ 57.742006] binder: 2623:2633 ioctl 40046207 0 returned -16
[ 57.748282] binder_alloc: 2623: binder_alloc_buf, no vma
[ 57.758456] audit: type=1400 audit(1553645303.583:11): avc: denied { set_context_mgr } for pid=2623 comm="syz-executor.0" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=binder permissive=1
[ 57.782165] binder: 2623:2633 transaction failed 29189/-3, size 24-8 line 3254
[ 57.789755] binder: 2623:2626 Release 1 refcount change on invalid ref 8388609 ret -22
[ 57.798831] audit: type=1400 audit(1553645303.603:12): avc: denied { call } for pid=2623 comm="syz-executor.0" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=binder permissive=1
[ 57.822421] binder: 2623:2626 BC_ACQUIRE_DONE u0000000000000000 no match
[ 57.868373] binder: 2661:2664 Release 1 refcount change on invalid ref 8388609 ret -22
[ 57.888509] binder: BINDER_SET_CONTEXT_MGR already set
[ 57.896297] binder: 2661:2674 ioctl 40046207 0 returned -16
[ 57.907074] binder_alloc: 2661: binder_alloc_buf, no vma
[ 57.913326] binder: 2661:2672 transaction failed 29189/-3, size 24-8 line 3254
[ 57.921946] binder: 2661:2664 Release 1 refcount change on invalid ref 8388609 ret -22
[ 57.922431] binder: 2661:2674 BC_ACQUIRE_DONE u0000000000000000 no match
[ 57.955633] binder: 2687:2689 Release 1 refcount change on invalid ref 8388609 ret -22
[ 57.967104] binder: BINDER_SET_CONTEXT_MGR already set
[ 57.974424] binder: 2687:2692 ioctl 40046207 0 returned -16
[ 57.980709] binder_alloc: 2687: binder_alloc_buf, no vma
[ 57.986819] binder: 2687:2692 transaction failed 29189/-3, size 24-8 line 3254
[ 57.995177] binder: 2687:2689 Release 1 refcount change on invalid ref 8388609 ret -22
[ 58.021050] binder: 2705:2707 Release 1 refcount change on invalid ref 8388609 ret -22
[ 58.031162] binder: BINDER_SET_CONTEXT_MGR already set
[ 58.036525] binder: 2705:2709 ioctl 40046207 0 returned -16
[ 58.043155] binder_alloc: 2705: binder_alloc_buf, no vma
[ 58.048704] binder: 2705:2709 transaction failed 29189/-3, size 24-8 line 3254
[ 58.056894] binder: 2705:2707 Release 1 refcount change on invalid ref 8388609 ret -22
[ 58.076747] binder: 2720:2721 Release 1 refcount change on invalid ref 8388609 ret -22
[ 58.085899] binder: BINDER_SET_CONTEXT_MGR already set
[ 58.091337] binder: 2720:2723 ioctl 40046207 0 returned -16
[ 58.097172] binder_alloc: 2720: binder_alloc_buf, no vma
[ 58.104077] binder: 2720:2722 transaction failed 29189/-3, size 24-8 line 3254
[ 58.115255] binder: 2720:2721 Release 1 refcount change on invalid ref 8388609 ret -22
[ 58.115546] binder: BINDER_SET_CONTEXT_MGR already set
[ 58.124144] binder: 2720:2723 BC_ACQUIRE_DONE u0000000000000000 no match
[ 58.135183] binder: 2725:2726 ioctl 40046207 0 returned -16
[ 58.148532] binder: 2729:2731 Release 1 refcount change on invalid ref 8388609 ret -22
[ 58.148642] binder: 2725:2726 Release 1 refcount change on invalid ref 8388609 ret -22
[ 58.158152] binder: BINDER_SET_CONTEXT_MGR already set
[ 58.170606] binder: 2729:2732 ioctl 40046207 0 returned -16
[ 58.172490] binder: BINDER_SET_CONTEXT_MGR already set
[ 58.182618] binder: 2725:2733 ioctl 40046207 0 returned -16
[ 58.182662] binder_alloc: 2729: binder_alloc_buf, no vma
[ 58.194300] binder: 2729:2732 transaction failed 29189/-3, size 24-8 line 3254
[ 58.194311] binder_alloc: 2729: binder_alloc_buf, no vma
[ 58.202218] binder: 2729:2731 Release 1 refcount change on invalid ref 8388609 ret -22
[ 58.207675] binder: 2725:2733 transaction failed 29189/-3, size 24-8 line 3254
[ 58.224299] binder: 2725:2726 Release 1 refcount change on invalid ref 8388609 ret -22
[ 58.239003] binder: 2736:2739 Release 1 refcount change on invalid ref 8388609 ret -22
[ 58.241730] binder: BINDER_SET_CONTEXT_MGR already set
[ 58.252608] binder: 2738:2741 ioctl 40046207 0 returned -16
[ 58.254171] binder: BINDER_SET_CONTEXT_MGR already set
[ 58.262098] binder: 2738:2741 Release 1 refcount change on invalid ref 8388609 ret -22
[ 58.264055] binder: 2736:2742 ioctl 40046207 0 returned -16
[ 58.273114] binder: BINDER_SET_CONTEXT_MGR already set
[ 58.283177] binder: 2738:2743 ioctl 40046207 0 returned -16
[ 58.283258] binder_alloc: 2736: binder_alloc_buf, no vma
[ 58.295003] binder: 2736:2742 transaction failed 29189/-3, size 24-8 line 3254
[ 58.295358] binder_alloc: 2736: binder_alloc_buf, no vma
[ 58.302575] binder: 2736:2739 Release 1 refcount change on invalid ref 8388609 ret -22
[ 58.307862] binder: 2738:2743 transaction failed 29189/-3, size 24-8 line 3254
[ 58.307975] binder: 2738:2741 Release 1 refcount change on invalid ref 8388609 ret -22
[ 58.327797] binder: 2746:2747 Release 1 refcount change on invalid ref 8388609 ret -22
[ 58.345223] binder: BINDER_SET_CONTEXT_MGR already set
[ 58.350699] binder: 2746:2749 ioctl 40046207 0 returned -16
[ 58.356617] binder_alloc: 2746: binder_alloc_buf, no vma
[ 58.362638] binder: 2746:2749 transaction failed 29189/-3, size 24-8 line 3254
[ 58.370279] binder: 2746:2747 Release 1 refcount change on invalid ref 8388609 ret -22
[ 58.418628] binder: 2754:2756 Release 1 refcount change on invalid ref 8388609 ret -22
[ 58.428104] binder: BINDER_SET_CONTEXT_MGR already set
[ 58.434218] binder: 2754:2758 ioctl 40046207 0 returned -16
[ 58.440252] binder_alloc: 2754: binder_alloc_buf, no vma
[ 58.445718] binder: 2754:2757 transaction failed 29189/-3, size 24-8 line 3254
[ 58.453345] binder: 2754:2756 Release 1 refcount change on invalid ref 8388609 ret -22
[ 58.467607] binder: 2760:2762 Release 1 refcount change on invalid ref 8388609 ret -22
[ 58.476847] binder: BINDER_SET_CONTEXT_MGR already set
[ 58.482220] binder: 2760:2764 ioctl 40046207 0 returned -16
[ 58.488091] binder_alloc: 2760: binder_alloc_buf, no vma
[ 58.493635] binder: 2760:2763 transaction failed 29189/-3, size 24-8 line 3254
[ 58.501144] binder: 2760:2762 Release 1 refcount change on invalid ref 8388609 ret -22
[ 58.509363] binder: 2760:2764 BC_ACQUIRE_DONE u0000000000000000 no match
[ 58.709271] binder: 2767:2768 Release 1 refcount change on invalid ref 8388609 ret -22
[ 58.718569] binder: BINDER_SET_CONTEXT_MGR already set
[ 58.724035] binder: 2767:2770 ioctl 40046207 0 returned -16
[ 58.729931] binder: 2767:2768 Release 1 refcount change on invalid ref 8388609 ret -22
[ 58.745339] binder: 2772:2774 Release 1 refcount change on invalid ref 8388609 ret -22
[ 58.754984] binder: BINDER_SET_CONTEXT_MGR already set
[ 58.760961] binder: 2772:2776 ioctl 40046207 0 returned -16
[ 58.766788] binder_alloc: 2772: binder_alloc_buf, no vma
[ 58.772327] binder: 2772:2775 transaction failed 29189/-3, size 24-8 line 3254
[ 58.779819] binder: 2772:2774 Release 1 refcount change on invalid ref 8388609 ret -22
[ 59.147836] binder: 2781:2782 Release 1 refcount change on invalid ref 8388609 ret -22
[ 59.157279] binder: BINDER_SET_CONTEXT_MGR already set
[ 59.162754] binder: 2781:2785 ioctl 40046207 0 returned -16
[ 59.168608] binder_alloc: 2781: binder_alloc_buf, no vma
[ 59.174143] binder: 2781:2784 transaction failed 29189/-3, size 24-8 line 3254
[ 59.181740] binder: 2781:2782 Release 1 refcount change on invalid ref 8388609 ret -22
[ 59.183159] binder: 2781:2785 BC_ACQUIRE_DONE u0000000000000000 no match
[ 59.204364] binder: 2786:2788 Release 1 refcount change on invalid ref 8388609 ret -22
[ 59.213492] binder: BINDER_SET_CONTEXT_MGR already set
[ 59.218766] binder: 2786:2790 ioctl 40046207 0 returned -16
[ 59.224975] binder_alloc: 2786: binder_alloc_buf, no vma
[ 59.230787] binder: 2786:2789 transaction failed 29189/-3, size 24-8 line 3254
[ 59.238292] binder: 2786:2788 Release 1 refcount change on invalid ref 8388609 ret -22
[ 59.240514] binder: 2786:2790 BC_ACQUIRE_DONE u0000000000000000 no match
[ 59.327308] binder: 2793:2794 Release 1 refcount change on invalid ref 8388609 ret -22
[ 59.336607] binder: BINDER_SET_CONTEXT_MGR already set
[ 59.342189] binder: 2793:2796 ioctl 40046207 0 returned -16
[ 59.347978] binder_alloc: 2793: binder_alloc_buf, no vma
[ 59.353941] binder: 2793:2796 transaction failed 29189/-3, size 24-8 line 3254
[ 59.361449] binder: 2793:2794 Release 1 refcount change on invalid ref 8388609 ret -22
[ 59.382458] binder: BINDER_SET_CONTEXT_MGR already set
[ 59.382571] binder: 2800:2805 Release 1 refcount change on invalid ref 8388609 ret -22
[ 59.396766] binder: BINDER_SET_CONTEXT_MGR already set
[ 59.402259] binder: 2798:2806 ioctl 40046207 0 returned -16
[ 59.403394] binder: BINDER_SET_CONTEXT_MGR already set
[ 59.408236] binder: 2798:2806 Release 1 refcount change on invalid ref 8388609 ret -22
[ 59.414070] binder: 2803:2807 ioctl 40046207 0 returned -16
[ 59.423378] binder: 2802:2809 ioctl 40046207 0 returned -16
[ 59.427307] binder: BINDER_SET_CONTEXT_MGR already set
[ 59.427330] binder: BINDER_SET_CONTEXT_MGR already set
[ 59.427348] binder: 2800:2811 ioctl 40046207 0 returned -16
[ 59.427381] binder: BINDER_SET_CONTEXT_MGR already set
[ 59.433697] binder: 2802:2809 Release 1 refcount change on invalid ref 8388609 ret -22
[ 59.438706] binder: 2801:2810 ioctl 40046207 0 returned -16
[ 59.444398] binder: 2803:2813 Release 1 refcount change on invalid ref 8388609 ret -22
[ 59.451086] binder: 2799:2808 ioctl 40046207 0 returned -16
[ 59.455137] binder: BINDER_SET_CONTEXT_MGR already set
[ 59.463767] binder: 2801:2814 Release 1 refcount change on invalid ref 8388609 ret -22
[ 59.470427] binder: 2799:2815 Release 1 refcount change on invalid ref 8388609 ret -22
[ 59.479256] binder_alloc: 2800: binder_alloc_buf, no vma
[ 59.484312] binder: BINDER_SET_CONTEXT_MGR already set
[ 59.490358] binder: 2800:2805 Release 1 refcount change on invalid ref 8388609 ret -22
[ 59.498179] binder: 2803:2813 ioctl 40046207 0 returned -16
[ 59.504695] binder: BINDER_SET_CONTEXT_MGR already set
[ 59.515294] binder: 2798:2806 Release 1 refcount change on invalid ref 8388609 ret -22
[ 59.523351] binder: 2798:2812 ioctl 40046207 0 returned -16
[ 59.530980] binder: 2802:2818 ioctl 40046207 0 returned -16
[ 59.534674] binder: BINDER_SET_CONTEXT_MGR already set
[ 59.545141] binder: 2800:2811 transaction failed 29189/-3, size 24-8 line 3254
[ 59.548215] binder_alloc: 2800: binder_alloc_buf, no vma
[ 59.548238] binder: 2798:2816 transaction failed 29189/-3, size 24-8 line 3254
[ 59.548407] binder: BINDER_SET_CONTEXT_MGR already set
[ 59.555393] binder: 2803:2807 Release 1 refcount change on invalid ref 8388609 ret -22
[ 59.559445] binder: 2801:2814 ioctl 40046207 0 returned -16
[ 59.578217] binder: 2802:2809 Release 1 refcount change on invalid ref 8388609 ret -22
[ 59.583925] binder: 2801:2810 Release 1 refcount change on invalid ref 8388609 ret -22
[ 59.586595] binder: 2802:2809 BC_ACQUIRE_DONE u0000000000000000 no match
[ 59.595701] binder: 2799:2815 ioctl 40046207 0 returned -16
[ 59.605336] binder: 2799:2808 Release 1 refcount change on invalid ref 8388609 ret -22
[ 59.629435] binder: 2825:2833 Release 1 refcount change on invalid ref 8388609 ret -22
[ 59.629657] binder: 2803:2813 transaction failed 29189/-22, size 24-8 line 3117
[ 59.637864] binder: 2802:2817 transaction failed 29189/-22, size 24-8 line 3117
[ 59.646347] binder: 2799:2823 transaction failed 29189/-22, size 24-8 line 3117
[ 59.657925] binder: 2834:2835 Release 1 refcount change on invalid ref 8388609 ret -22
[ 59.661026] ------------[ cut here ]------------
[ 59.668559] binder: 2799:2815 BC_ACQUIRE_DONE u0000000000000000 no match
[ 59.676183] kernel BUG at drivers/android/binder_alloc.c:1130!
[ 59.677237] binder: BINDER_SET_CONTEXT_MGR already set
[ 59.693604] invalid opcode: 0000 [#1] PREEMPT SMP KASAN NOPTI
[ 59.695502] binder: 2825:2826 ioctl 40046207 0 returned -16
[ 59.699122] Modules linked in:
[ 59.713861] CPU: 0 PID: 2822 Comm: syz-executor.2 Not tainted 4.14.108+ #38
[ 59.721242] task: ffff8881da1f4680 task.stack: ffff8881d6f08000
[ 59.727283] RIP: 0010:binder_alloc_do_buffer_copy+0xc7/0x500
[ 59.733053] RSP: 0018:ffff8881d6f0f5d0 EFLAGS: 00010297
[ 59.738395] RAX: ffff8881da1f4680 RBX: 0000000020001000 RCX: 0500000000000000
[ 59.745643] RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffff8881d98298d8
[ 59.752890] RBP: 0000000000000020 R08: ffff8881d6f0f8b0 R09: 0000000000000028
[ 59.760163] R10: ffffed103ade1f06 R11: ffff8881d6f0f837 R12: ffff8881da958b98
[ 59.767431] R13: 0000000000000028 R14: 0500000000000000 R15: ffff8881d6f0f8b0
[ 59.774677] FS: 00007fec38438700(0000) GS:ffff8881dba00000(0000) knlGS:0000000000000000
[ 59.782883] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 59.788753] CR2: 0000000000000000 CR3: 00000001c84ee001 CR4: 00000000001606b0
[ 59.796000] Call Trace:
[ 59.798572] ? binder_alloc_do_buffer_copy+0x1ef/0x500
[ 59.803844] binder_get_object+0x90/0x190
[ 59.807985] binder_transaction+0x1e2d/0x5640
[ 59.812464] ? binder_inc_ref_for_node+0xba0/0xba0
[ 59.817372] ? trace_hardirqs_on+0x10/0x10
[ 59.821582] ? set_next_entity+0xd8e/0x2820
[ 59.825897] ? check_preemption_disabled+0x35/0x1f0
[ 59.830894] ? __switch_to_xtra+0xaf/0x18f0
[ 59.835204] ? __might_fault+0x104/0x1b0
[ 59.839262] ? lock_downgrade+0x5d0/0x5d0
[ 59.843389] ? lock_acquire+0x10f/0x380
[ 59.847340] ? __might_fault+0xd4/0x1b0
[ 59.851293] ? __might_fault+0x177/0x1b0
[ 59.855515] ? binder_thread_write+0x512/0x1f90
[ 59.860166] ? retint_kernel+0x2d/0x2d
[ 59.864037] ? binder_transaction+0x5640/0x5640
[ 59.868682] ? trace_hardirqs_on_caller+0x37b/0x540
[ 59.873676] ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 59.878415] ? copy_user_generic_unrolled+0x86/0xb0
[ 59.883409] ? binder_ioctl+0xd48/0x14ea
[ 59.887455] ? binder_poll+0x230/0x230
[ 59.891337] ? __lock_acquire+0x56a/0x3fa0
[ 59.895550] ? trace_hardirqs_on+0x10/0x10
[ 59.899769] ? trace_hardirqs_on+0x10/0x10
[ 59.903998] ? binder_poll+0x230/0x230
[ 59.907892] ? do_vfs_ioctl+0xabe/0x1040
[ 59.911928] ? selinux_file_ioctl+0x426/0x590
[ 59.916401] ? selinux_file_ioctl+0x116/0x590
[ 59.920873] ? ioctl_preallocate+0x1e0/0x1e0
[ 59.925260] ? selinux_parse_skb.constprop.0+0x16b0/0x16b0
[ 59.930857] ? __fget+0x1ff/0x360
[ 59.934294] ? lock_downgrade+0x5d0/0x5d0
[ 59.938416] ? lock_acquire+0x10f/0x380
[ 59.942368] ? __fget+0x44/0x360
[ 59.945710] ? check_preemption_disabled+0x35/0x1f0
[ 59.950709] ? security_file_ioctl+0x7c/0xb0
[ 59.955096] ? SyS_ioctl+0x7f/0xb0
[ 59.958608] ? do_vfs_ioctl+0x1040/0x1040
[ 59.962732] ? do_syscall_64+0x19b/0x4b0
[ 59.966769] ? entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 59.972108] Code: 00 fc ff df 48 89 fa 48 c1 ea 03 80 3c 02 00 0f 85 0d 04 00 00 48 8b 6d 58 48 29 dd e8 33 33 0d ff 49 39 ed 76 07 e8 29 33 0d ff <0f> 0b e8 22 33 0d ff 4c 29 ed 49 39 ee 77 ec e8 15 33 0d ff 41
[ 59.991217] RIP: binder_alloc_do_buffer_copy+0xc7/0x500 RSP: ffff8881d6f0f5d0
[ 60.002388] binder_alloc: 2834: binder_alloc_buf, no vma
[ 60.005740] binder: BINDER_SET_CONTEXT_MGR already set
[ 60.007895] binder: 2834:2838 transaction failed 29189/-3, size 24-8 line 3254
[ 60.021244] binder: 2834:2837 ioctl 40046207 0 returned -16
[ 60.021246] binder: BINDER_SET_CONTEXT_MGR already set
[ 60.021254] binder: 2825:2833 ioctl 40046207 0 returned -16
[ 60.031072] binder: BINDER_SET_CONTEXT_MGR already set
[ 60.045296] binder: 2834:2835 Release 1 refcount change on invalid ref 8388609 ret -22
[ 60.054128] binder: BINDER_SET_CONTEXT_MGR already set
[ 60.056163] binder: 2843:2846 ioctl 40046207 0 returned -16
[ 60.062471] binder: 2844:2845 ioctl 40046207 0 returned -16
[ 60.065874] binder: BINDER_SET_CONTEXT_MGR already set
[ 60.071109] binder: 2844:2845 Release 1 refcount change on invalid ref 8388609 ret -22
[ 60.072119] ---[ end trace f1f1bcfa9fc287c4 ]---
[ 60.079092] binder_alloc: 2834: binder_alloc_buf, no vma
[ 60.086933] binder: 2843:2853 Release 1 refcount change on invalid ref 8388609 ret -22
[ 60.089952] binder: 2842:2847 ioctl 40046207 0 returned -16
[ 60.095216] ------------[ cut here ]------------
[ 60.103095] binder: 2825:2826 Release 1 refcount change on invalid ref 8388609 ret -22
[ 60.108702] kernel BUG at drivers/android/binder_alloc.c:1130!
[ 60.114487] binder: 2842:2854 Release 1 refcount change on invalid ref 8388609 ret -22
[ 60.126576] Kernel panic - not syncing: Fatal exception
[ 60.130829] binder: 2825:2833 transaction failed 29189/-3, size 24-8 line 3254
[ 60.141960] Kernel Offset: 0xe600000 from 0xffffffff81000000 (relocation range: 0xffffffff80000000-0xffffffffbfffffff)
[ 60.160116] Rebooting in 86400 seconds..