INIT: Entering runlevel: 2
[info] Using makefile-style concurrent boot in runlevel 2.
[ ok ] Starting enhanced syslogd: rsyslogd.
[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.

Debian GNU/Linux 7 syzkaller ttyS0

Warning: Permanently added '10.128.10.3' (ECDSA) to the list of known hosts.
2018/04/03 23:44:11 parsed 1 programs
2018/04/03 23:44:11 executed programs: 0

syzkaller login: [ 62.736090] IPVS: ftp: loaded support on port[0] = 21
[ 62.774697] binder: 4491:4493 ioctl 400448c8 20000200 returned -22
[ 63.580346] binder: release 4491:4493 transaction 3 out, still active
[ 63.587050] binder: release 4491:4493 transaction 2 in, still active
[ 63.593558] binder: undelivered TRANSACTION_COMPLETE
[ 63.599281] binder: 4491:4493 ioctl c0306201 20004000 returned -14
[ 63.599386] binder: BINDER_SET_CONTEXT_MGR already set
[ 63.611080] binder: 4491:4494 ioctl 40046207 0 returned -16
[ 63.619377] binder: 4491:4493 ioctl 400448c8 20000200 returned -22
RESULT: signal 0, coverage 0 errno 0
[ 63.625982] binder_alloc: 4491: binder_alloc_buf, no vma
[ 63.626530] binder_alloc: binder_alloc_mmap_handler: 4491 2000c000-2000e000 already mapped failed -16
[ 63.631777] binder: 4491:4495 transaction failed 29189/-3, size 0-0 line 2963
[ 63.634133] binder: undelivered TRANSACTION_ERROR: 29189
[ 63.641270] binder_alloc: 4491: binder_alloc_buf, no vma
[ 63.659442] binder: 4491:4493 transaction failed 29189/-3, size 0-0 line 2963
[ 63.669306] binder: undelivered TRANSACTION_ERROR: 29189
[ 63.674844] binder: release 4491:4494 transaction 3 in, still active
[ 63.679574] binder: 4496:4497 ioctl 400448c8 20000200 returned -22
[ 63.681405] binder: release 4491:4494 transaction 2 out, still active
[ 63.694379] binder: send failed reply for transaction 3, target dead
[ 63.700886] binder: send failed reply for transaction 2, target dead
[ 64.483843] binder: release 4496:4497 transaction 8 out, still active
[ 64.490466] binder: release 4496:4497 transaction 7 in, still active
[ 64.496964] binder: undelivered TRANSACTION_COMPLETE
[ 64.502335] binder: BINDER_SET_CONTEXT_MGR already set
[ 64.503094] binder: 4496:4497 ioctl c0306201 20004000 returned -14
[ 64.508110] binder: 4496:4499 ioctl 40046207 0 returned -16
[ 64.522103] binder: 4496:4497 ioctl 400448c8 20000200 returned -22
[ 64.528568] binder_alloc: binder_alloc_mmap_handler: 4496 2000c000-2000e000 already mapped failed -16
[ 64.528629] binder_alloc: 4496: binder_alloc_buf, no vma
[ 64.543421] binder: 4496:4500 transaction failed 29189/-3, size 0-0 line 2963
[ 64.551880] binder_alloc: 4496: binder_alloc_buf, no vma
[ 64.551884] binder: release 4496:4499 transaction 8 in, still active
[ 64.563848] binder: release 4496:4499 transaction 7 out, still active
[ 64.570418] binder: send failed reply for transaction 8, target dead
[ 64.570425] binder: 4496:4497 transaction failed 29189/-3, size 0-0 line 2963
RESULT: signal 0, coverage 0 errno 0
[ 64.584199] binder: send failed reply for transaction 7, target dead
[ 64.592782] binder: undelivered TRANSACTION_ERROR: 29189
[ 64.598276] binder: undelivered TRANSACTION_ERROR: 29189
[ 64.602800] binder: 4501:4503 ioctl 400448c8 20000200 returned -22
[ 65.408062] binder: release 4501:4503 transaction 13 out, still active
[ 65.414801] binder: release 4501:4503 transaction 12 in, still active
[ 65.421394] binder: undelivered TRANSACTION_COMPLETE
[ 65.426857] binder: BINDER_SET_CONTEXT_MGR already set
[ 65.432434] binder: 4501:4503 ioctl c0306201 20004000 returned -14
[ 65.432625] binder: 4501:4504 ioctl 40046207 0 returned -16
[ 65.446887] binder: 4501:4503 ioctl 400448c8 20000200 returned -22
[ 65.453374] binder_alloc: binder_alloc_mmap_handler: 4501 2000c000-2000e000 already mapped failed -16
[ 65.453428] binder_alloc: 4501: binder_alloc_buf, no vma
[ 65.468237] binder: 4501:4505 transaction failed 29189/-3, size 0-0 line 2963
[ 65.476708] binder_alloc: 4501: binder_alloc_buf, no vma
[ 65.476713] binder: release 4501:4504 transaction 13 in, still active
[ 65.476718] binder: release 4501:4504 transaction 12 out, still active
[ 65.495458] binder: send failed reply for transaction 13, target dead
RESULT: signal 0, coverage 0 errno 0
[ 65.495464] binder: 4501:4503 transaction failed 29189/-3, size 0-0 line 2963
[ 65.509364] binder: send failed reply for transaction 12, target dead
[ 65.517853] binder: undelivered TRANSACTION_ERROR: 29189
[ 65.523331] binder: undelivered TRANSACTION_ERROR: 29189
[ 65.527691] binder: 4506:4508 ioctl 400448c8 20000200 returned -22
[ 66.333516] binder: release 4506:4508 transaction 18 out, still active
[ 66.340239] binder: release 4506:4508 transaction 17 in, still active
[ 66.346848] binder: undelivered TRANSACTION_COMPLETE
[ 66.352461] binder: 4506:4508 ioctl c0306201 20004000 returned -14
[ 66.352464] binder: BINDER_SET_CONTEXT_MGR already set
[ 66.352474] binder: 4506:4509 ioctl 40046207 0 returned -16
[ 66.372393] binder: 4506:4508 ioctl 400448c8 20000200 returned -22
[ 66.378962] binder_alloc: binder_alloc_mmap_handler: 4506 2000c000-2000e000 already mapped failed -16
[ 66.378992] binder_alloc: 4506: binder_alloc_buf, no vma
[ 66.393853] binder: 4506:4510 transaction failed 29189/-3, size 0-0 line 2963
[ 66.402360] binder_alloc: 4506: binder_alloc_buf, no vma
[ 66.402365] binder: release 4506:4509 transaction 18 in, still active
[ 66.402371] binder: release 4506:4509 transaction 17 out, still active
[ 66.421140] binder: send failed reply for transaction 18, target dead
RESULT: signal 0, coverage 0 errno 0
[ 66.421146] binder: 4506:4508 transaction failed 29189/-3, size 0-0 line 2963
[ 66.435059] binder: send failed reply for transaction 17, target dead
[ 66.443632] binder: undelivered TRANSACTION_ERROR: 29189
[ 66.449133] binder: undelivered TRANSACTION_ERROR: 29189
[ 66.454452] binder: 4512:4513 ioctl 400448c8 20000200 returned -22
[ 67.259444] binder: release 4512:4513 transaction 23 out, still active
[ 67.266221] binder: release 4512:4513 transaction 22 in, still active
[ 67.272822] binder: undelivered TRANSACTION_COMPLETE
[ 67.278372] binder: BINDER_SET_CONTEXT_MGR already set
[ 67.279599] binder: 4512:4513 ioctl c0306201 20004000 returned -14
[ 67.283786] binder: 4512:4514 ioctl 40046207 0 returned -16
[ 67.298454] binder: 4512:4513 ioctl 400448c8 20000200 returned -22
[ 67.304997] binder_alloc: binder_alloc_mmap_handler: 4512 2000c000-2000e000 already mapped failed -16
[ 67.305107] binder_alloc: 4512: binder_alloc_buf, no vma
[ 67.319879] binder: 4512:4515 transaction failed 29189/-3, size 0-0 line 2963
[ 67.328405] binder: release 4512:4514 transaction 23 in, still active
[ 67.328409] binder_alloc: 4512: binder_alloc_buf, no vma
[ 67.340482] binder: release 4512:4514 transaction 22 out, still active
[ 67.347157] binder: send failed reply for transaction 23, target dead
RESULT: signal 0, coverage 0 errno 0
[ 67.347168] binder: 4512:4513 transaction failed 29189/-3, size 0-0 line 2963
[ 67.353756] binder: send failed reply for transaction 22, target dead
[ 67.369668] binder: undelivered TRANSACTION_ERROR: 29189
[ 67.375183] binder: undelivered TRANSACTION_ERROR: 29189
[ 67.385628] binder: 4516:4518 ioctl 400448c8 20000200 returned -22
[ 68.190387] binder: release 4516:4518 transaction 28 out, still active
[ 68.197164] binder: release 4516:4518 transaction 27 in, still active
[ 68.203773] binder: undelivered TRANSACTION_COMPLETE
[ 68.209287] binder: BINDER_SET_CONTEXT_MGR already set
[ 68.209329] binder: 4516:4518 ioctl c0306201 20004000 returned -14
[ 68.214640] binder: 4516:4519 ioctl 40046207 0 returned -16
[ 68.229262] binder: 4516:4518 ioctl 400448c8 20000200 returned -22
RESULT: signal 0, coverage 0 errno 0
2018/04/03 23:44:16 executed programs: 6
[ 68.236618] binder_alloc: binder_alloc_mmap_handler: 4516 2000c000-2000e000 already mapped failed -16
[ 68.239855] binder_alloc: 4516: binder_alloc_buf, no vma
[ 68.251572] binder: 4516:4519 transaction failed 29189/-3, size 0-0 line 2963
[ 68.261223] binder: release 4516:4519 transaction 29 in, still active
[ 68.267896] binder: send failed reply for transaction 29 to 4516:4519
[ 68.271924] binder: 4522:4523 ioctl 400448c8 20000200 returned -22
[ 68.274814] ==================================================================
[ 68.288385] BUG: KASAN: use-after-free in __list_del_entry_valid+0x144/0x150
[ 68.295553] Read of size 8 at addr ffff8801ce2ab110 by task kworker/1:0/18
[ 68.302547]
[ 68.304157] CPU: 1 PID: 18 Comm: kworker/1:0 Not tainted 4.16.0+ #288
[ 68.310760] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 68.320119] Workqueue: events binder_deferred_func
[ 68.325034] Call Trace:
[ 68.327612]  dump_stack+0x1a7/0x27d
[ 68.331239]  ? arch_local_irq_restore+0x53/0x53
[ 68.335888]  ? show_regs_print_info+0x18/0x18
[ 68.340365]  ? kasan_check_write+0x14/0x20
[ 68.344583]  ? __list_del_entry_valid+0x144/0x150
[ 68.349409]  print_address_description+0x73/0x250
[ 68.354234]  ? __list_del_entry_valid+0x144/0x150
[ 68.359061]  kasan_report+0x23c/0x360
[ 68.362843]  __asan_report_load8_noabort+0x14/0x20
[ 68.367754]  __list_del_entry_valid+0x144/0x150
[ 68.372407]  binder_release_work+0x163/0x4b0
[ 68.376804]  ? binder_free_ref+0xa0/0xa0
[ 68.380861]  ? kfree+0xf3/0x260
[ 68.384122]  ? binder_free_transaction+0x6a/0xa0
[ 68.388879]  ? trace_hardirqs_on_caller+0x421/0x5c0
[ 68.393878]  ? trace_hardirqs_on+0xd/0x10
[ 68.398357]  ? kasan_check_write+0x14/0x20
[ 68.402571]  ? binder_free_transaction+0x7b/0xa0
[ 68.407313]  ? binder_send_failed_reply+0x1ce/0x380
[ 68.412324]  binder_thread_release+0x4e1/0x730
[ 68.416893]  ? binder_release_work+0x4b0/0x4b0
[ 68.421458]  ? do_raw_spin_lock+0xc1/0x230
[ 68.425681]  ? _raw_spin_unlock+0x22/0x30
[ 68.429817]  binder_deferred_func+0x4f4/0x1350
[ 68.434387]  ? find_held_lock+0x35/0x1d0
[ 68.438436]  ? binder_cleanup_ref_olocked+0xad0/0xad0
[ 68.443609]  ? debug_object_deactivate+0x364/0x560
[ 68.448536]  ? lock_downgrade+0x980/0x980
[ 68.452668]  ? lock_release+0xa40/0xa40
[ 68.456626]  ? find_held_lock+0x35/0x1d0
[ 68.460671]  ? trace_hardirqs_off+0x10/0x10
[ 68.464974]  ? lock_acquire+0x1d5/0x580
[ 68.468939]  ? lock_acquire+0x1d5/0x580
[ 68.472895]  ? process_one_work+0xbd9/0x1c40
[ 68.477291]  ? __lock_is_held+0xb6/0x140
[ 68.481335]  process_one_work+0xc97/0x1c40
[ 68.485553]  ? debug_check_no_locks_freed+0x3c0/0x3c0
[ 68.490726]  ? pwq_dec_nr_in_flight+0x470/0x470
[ 68.495381]  ? __schedule+0x903/0x1ef0
[ 68.499249]  ? _raw_spin_unlock_irqrestore+0xa6/0xc0
[ 68.504337]  ? trace_hardirqs_off+0x10/0x10
[ 68.508638]  ? lock_downgrade+0x980/0x980
[ 68.512773]  ? lock_acquire+0x1d5/0x580
[ 68.516727]  ? lock_acquire+0x1d5/0x580
[ 68.520682]  ? worker_thread+0x40e/0x1380
[ 68.524810]  ? lock_downgrade+0x980/0x980
[ 68.528940]  ? lock_release+0xa40/0xa40
[ 68.532902]  ? kasan_check_read+0x11/0x20
[ 68.537030]  ? do_raw_spin_trylock+0x1a0/0x1a0
[ 68.541621]  worker_thread+0x1c3/0x1380
[ 68.545609]  ? process_one_work+0x1c40/0x1c40
[ 68.550109]  ? trace_hardirqs_off+0x10/0x10
[ 68.554420]  ? find_held_lock+0x35/0x1d0
[ 68.558465]  ? find_held_lock+0x35/0x1d0
[ 68.562522]  ? find_held_lock+0x35/0x1d0
[ 68.566564]  ? complete+0x62/0x80
[ 68.570002]  ? schedule+0xf5/0x430
[ 68.573524]  ? __schedule+0x1ef0/0x1ef0
[ 68.577479]  ? do_raw_spin_unlock+0x9e/0x310
[ 68.581867]  ? do_raw_spin_trylock+0x1a0/0x1a0
[ 68.586428]  ? _raw_spin_unlock_irqrestore+0x31/0xc0
[ 68.591511]  ? trace_hardirqs_on_caller+0x421/0x5c0
[ 68.596509]  ? trace_hardirqs_on+0xd/0x10
[ 68.600636]  ? __kthread_parkme+0x176/0x240
[ 68.604936]  kthread+0x33c/0x400
[ 68.608283]  ? process_one_work+0x1c40/0x1c40
[ 68.612758]  ? kthread_stop+0x7c0/0x7c0
[ 68.616715]  ret_from_fork+0x3a/0x50
[ 68.620410]
[ 68.622017] Allocated by task 4519:
[ 68.625638]  save_stack+0x43/0xd0
[ 68.629069]  kasan_kmalloc+0xad/0xe0
[ 68.632768]  kmem_cache_alloc_trace+0x136/0x740
[ 68.637421]  binder_transaction+0x13d2/0x8200
[ 68.641901]  binder_thread_write+0xcf1/0x38b0
[ 68.646380]  binder_ioctl_write_read.isra.39+0x261/0xcb0
[ 68.651811]  binder_ioctl+0xb72/0x1417
[ 68.655681]  compat_SyS_ioctl+0x151/0x2a30
[ 68.659906]  do_fast_syscall_32+0x3ec/0xf9f
[ 68.664214]  entry_SYSENTER_compat+0x70/0x7f
[ 68.668615]
[ 68.670225] Freed by task 18:
[ 68.673313]  save_stack+0x43/0xd0
[ 68.676760]  __kasan_slab_free+0x11a/0x170
[ 68.680976]  kasan_slab_free+0xe/0x10
[ 68.684755]  kfree+0xd9/0x260
[ 68.687841]  binder_free_transaction+0x6a/0xa0
[ 68.692403]  binder_send_failed_reply+0x1c9/0x380
[ 68.697482]  binder_thread_release+0x4cc/0x730
[ 68.702044]  binder_deferred_func+0x4f4/0x1350
[ 68.706604]  process_one_work+0xc97/0x1c40
[ 68.710820]  worker_thread+0x1c3/0x1380
[ 68.714784]  kthread+0x33c/0x400
[ 68.718130]  ret_from_fork+0x3a/0x50
[ 68.721816]
[ 68.723423] The buggy address belongs to the object at ffff8801ce2ab100
[ 68.723423]  which belongs to the cache kmalloc-192 of size 192
[ 68.736066] The buggy address is located 16 bytes inside of
[ 68.736066]  192-byte region [ffff8801ce2ab100, ffff8801ce2ab1c0)
[ 68.747832] The buggy address belongs to the page:
[ 68.752744] page:ffffea000738aac0 count:1 mapcount:0 mapping:ffff8801ce2ab000 index:0x0
[ 68.760870] flags: 0x2fffc0000000100(slab)
[ 68.765114] raw: 02fffc0000000100 ffff8801ce2ab000 0000000000000000 0000000100000010
[ 68.772977] raw: ffffea00073574e0 ffffea0007380720 ffff8801dac00040 0000000000000000
[ 68.780834] page dumped because: kasan: bad access detected
[ 68.786519]
[ 68.788123] Memory state around the buggy address:
[ 68.793031]  ffff8801ce2ab000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 68.800381]  ffff8801ce2ab080: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 68.807723] >ffff8801ce2ab100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 68.815062]                          ^
[ 68.818948]  ffff8801ce2ab180: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 68.826290]  ffff8801ce2ab200: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 68.833627] ==================================================================
[ 68.840967] Disabling lock debugging due to kernel taint
[ 68.846494] Kernel panic - not syncing: panic_on_warn set ...
[ 68.846494]
[ 68.853842] CPU: 1 PID: 18 Comm: kworker/1:0 Tainted: G B 4.16.0+ #288
[ 68.861702] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 68.871051] Workqueue: events binder_deferred_func
[ 68.875961] Call Trace:
[ 68.878530]  dump_stack+0x1a7/0x27d
[ 68.882139]  ? arch_local_irq_restore+0x53/0x53
[ 68.886787]  ? kasan_end_report+0x32/0x50
[ 68.890916]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 68.895659]  ? vsnprintf+0x1ed/0x1900
[ 68.899438]  ? __list_del_entry_valid+0x120/0x150
[ 68.904259]  panic+0x1f8/0x42c
[ 68.907430]  ? refcount_error_report+0x214/0x214
[ 68.912167]  ? do_raw_spin_unlock+0x9e/0x310
[ 68.916554]  ? do_raw_spin_unlock+0x9e/0x310
[ 68.920945]  ? __list_del_entry_valid+0x144/0x150
[ 68.925767]  kasan_end_report+0x50/0x50
[ 68.929809]  kasan_report+0x149/0x360
[ 68.933590]  __asan_report_load8_noabort+0x14/0x20
[ 68.938499]  __list_del_entry_valid+0x144/0x150
[ 68.943156]  binder_release_work+0x163/0x4b0
[ 68.947561]  ? binder_free_ref+0xa0/0xa0
[ 68.951603]  ? kfree+0xf3/0x260
[ 68.954863]  ? binder_free_transaction+0x6a/0xa0
[ 68.959601]  ? trace_hardirqs_on_caller+0x421/0x5c0
[ 68.964598]  ? trace_hardirqs_on+0xd/0x10
[ 68.968731]  ? kasan_check_write+0x14/0x20
[ 68.972955]  ? binder_free_transaction+0x7b/0xa0
[ 68.977700]  ? binder_send_failed_reply+0x1ce/0x380
[ 68.983506]  binder_thread_release+0x4e1/0x730
[ 68.988072]  ? binder_release_work+0x4b0/0x4b0
[ 68.992633]  ? do_raw_spin_lock+0xc1/0x230
[ 68.996847]  ? _raw_spin_unlock+0x22/0x30
[ 69.000977]  binder_deferred_func+0x4f4/0x1350
[ 69.005546]  ? find_held_lock+0x35/0x1d0
[ 69.009588]  ? binder_cleanup_ref_olocked+0xad0/0xad0
[ 69.014759]  ? debug_object_deactivate+0x364/0x560
[ 69.019779]  ? lock_downgrade+0x980/0x980
[ 69.023910]  ? lock_release+0xa40/0xa40
[ 69.027884]  ? find_held_lock+0x35/0x1d0
[ 69.031936]  ? trace_hardirqs_off+0x10/0x10
[ 69.036248]  ? lock_acquire+0x1d5/0x580
[ 69.040220]  ? lock_acquire+0x1d5/0x580
[ 69.044186]  ? process_one_work+0xbd9/0x1c40
[ 69.048588]  ? __lock_is_held+0xb6/0x140
[ 69.052638]  process_one_work+0xc97/0x1c40
[ 69.056863]  ? debug_check_no_locks_freed+0x3c0/0x3c0
[ 69.062046]  ? pwq_dec_nr_in_flight+0x470/0x470
[ 69.066700]  ? __schedule+0x903/0x1ef0
[ 69.070565]  ? _raw_spin_unlock_irqrestore+0xa6/0xc0
[ 69.075650]  ? trace_hardirqs_off+0x10/0x10
[ 69.076177] binder: release 4522:4523 transaction 33 out, still active
[ 69.079950]  ? lock_downgrade+0x980/0x980
[ 69.079959]  ? lock_acquire+0x1d5/0x580
[ 69.079964]  ? lock_acquire+0x1d5/0x580
[ 69.079969]  ? worker_thread+0x40e/0x1380
[ 69.079978]  ? lock_downgrade+0x980/0x980
[ 69.086672] binder: release 4522:4523 transaction 32 in, still active
[ 69.090775]  ? lock_release+0xa40/0xa40
[ 69.090782]  ? kasan_check_read+0x11/0x20
[ 69.090787]  ? do_raw_spin_trylock+0x1a0/0x1a0
[ 69.090794]  worker_thread+0x1c3/0x1380
[ 69.090802]  ? process_one_work+0x1c40/0x1c40
[ 69.094769] binder: undelivered TRANSACTION_COMPLETE
[ 69.098717]  ? trace_hardirqs_off+0x10/0x10
[ 69.098721]  ? find_held_lock+0x35/0x1d0
[ 69.098730]  ? find_held_lock+0x35/0x1d0
[ 69.103990] binder: BINDER_SET_CONTEXT_MGR already set
[ 69.107004]  ? find_held_lock+0x35/0x1d0
[ 69.107009]  ? complete+0x62/0x80
[ 69.107017]  ? schedule+0xf5/0x430
[ 69.107022]  ? __schedule+0x1ef0/0x1ef0
[ 69.107026]  ? do_raw_spin_unlock+0x9e/0x310
[ 69.107030]  ? do_raw_spin_trylock+0x1a0/0x1a0
[ 69.107039]  ? _raw_spin_unlock_irqrestore+0x31/0xc0
[ 69.113680] binder: 4522:4523 ioctl c0306201 20004000 returned -14
[ 69.117606]  ? trace_hardirqs_on_caller+0x421/0x5c0
[ 69.117611]  ? trace_hardirqs_on+0xd/0x10
[ 69.117617]  ? __kthread_parkme+0x176/0x240
[ 69.117626]  kthread+0x33c/0x400
[ 69.122007] binder: 4522:4524 ioctl 40046207 0 returned -16
[ 69.126314]  ? process_one_work+0x1c40/0x1c40
[ 69.126318]  ? kthread_stop+0x7c0/0x7c0
[ 69.126324]  ret_from_fork+0x3a/0x50
[ 69.126745] Dumping ftrace buffer:
[ 69.126748]    (ftrace buffer empty)
[ 69.126751] Kernel Offset: disabled
[ 69.238408] Rebooting in 86400 seconds..