[ 36.852686] audit: type=1800 audit(1551966480.042:30): pid=7545 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="rmnologin" dev="sda1" ino=2423 res=0
Debian GNU/Linux 7 syzkaller ttyS0
Warning: Permanently added '10.128.0.29' (ECDSA) to the list of known hosts.
executing program
executing program
executing program
executing program
executing program
executing program
syzkaller login: [ 53.883135] binder: BINDER_SET_CONTEXT_MGR already set
[ 53.890977] binder: 7706:7709 ioctl 40046207 0 returned -16
[ 53.890981] binder: BINDER_SET_CONTEXT_MGR already set
[ 53.902268] binder: 7707:7712 ioctl 40046207 0 returned -16
[ 53.902305] binder: BINDER_SET_CONTEXT_MGR already set
[ 53.913519] binder: 7705:7713 ioctl 40046207 0 returned -16
[ 53.913627] binder: BINDER_SET_CONTEXT_MGR already set
[ 53.924574] binder: 7699:7714 ioctl 40046207 0 returned -16
[ 53.924593] binder: BINDER_SET_CONTEXT_MGR already set
[ 53.935751] binder: BINDER_SET_CONTEXT_MGR already set
[ 53.936948] binder: 7708:7711 ioctl 40046207 0 returned -16
[ 53.941401] binder: BINDER_SET_CONTEXT_MGR already set
[ 53.948335] binder: 7706:7716 ioctl 40046207 0 returned -16
[ 53.952445] binder: BINDER_SET_CONTEXT_MGR already set
[ 53.963305] binder: 7707:7717 ioctl 40046207 0 returned -16
[ 53.963310] binder: BINDER_SET_CONTEXT_MGR already set
[ 53.963339] binder: 7705:7718 ioctl 40046207 0 returned -16
[ 53.969271] binder_alloc: 7699: binder_alloc_buf, no vma
[ 53.974634] binder: BINDER_SET_CONTEXT_MGR already set
[ 53.980290] binder: 7710:7715 ioctl 40046207 0 returned -16
[ 53.986439] binder: 7708:7719 ioctl 40046207 0 returned -16
[ 53.991105] binder_alloc: 7699: binder_alloc_buf, no vma
[ 54.008134] binder: 7699:7703 transaction failed 29189/-3, size 0-32 line 3147
[ 54.008945] binder_alloc: 7699: binder_alloc_buf, no vma
[ 54.016102] binder: BINDER_SET_CONTEXT_MGR already set
[ 54.021679] binder: 7706:7709 transaction failed 29189/-3, size 0-32 line 3147
[ 54.028231] binder: undelivered TRANSACTION_ERROR: 29189
[ 54.033950] binder_alloc: 7699: binder_alloc_buf, no vma
[ 54.039518] binder: 7710:7721 ioctl 40046207 0 returned -16
[ 54.045397] binder_alloc: 7699: binder_alloc_buf, no vma
[ 54.052571] binder: 7710:7715 transaction failed 29189/-22, size 0-32 line 2994
[ 54.056816] binder: 7708:7711 transaction failed 29189/-3, size 0-32 line 3147
[ 54.063939] binder: 7707:7712 transaction failed 29189/-3, size 0-32 line 3147
executing program
executing program
executing program
executing program
executing program
executing program
[ 54.072053] binder: 7705:7713 transaction failed 29189/-3, size 0-32 line 3147
[ 54.079608] binder: undelivered TRANSACTION_ERROR: 29189
[ 54.091388] binder: BINDER_SET_CONTEXT_MGR already set
[ 54.102022] binder: 7722:7724 ioctl 40046207 0 returned -16
[ 54.102300] binder: undelivered TRANSACTION_ERROR: 29189
[ 54.109266] binder: BINDER_SET_CONTEXT_MGR already set
[ 54.119283] binder: 7726:7729 ioctl 40046207 0 returned -16
[ 54.119640] binder: BINDER_SET_CONTEXT_MGR already set
[ 54.130640] binder: 7725:7727 ioctl 40046207 0 returned -16
[ 54.130700] binder: BINDER_SET_CONTEXT_MGR already set
[ 54.142301] binder: 7728:7730 ioctl 40046207 0 returned -16
[ 54.142626] binder: undelivered TRANSACTION_ERROR: 29189
[ 54.148109] binder_alloc: 7722: binder_alloc_buf, no vma
[ 54.153957] binder: undelivered TRANSACTION_ERROR: 29189
[ 54.159247] binder: BINDER_SET_CONTEXT_MGR already set
[ 54.166138] binder: 7722:7723 transaction failed 29189/-3, size 0-32 line 3147
[ 54.170760] binder: BINDER_SET_CONTEXT_MGR already set
executing program
[ 54.177740] binder: 7726:7734 ioctl 40046207 0 returned -16
[ 54.183486] binder: BINDER_SET_CONTEXT_MGR already set
[ 54.193938] binder: 7732:7735 ioctl 40046207 0 returned -16
[ 54.195440] binder: 7731:7733 ioctl 40046207 0 returned -16
[ 54.199750] binder: BINDER_SET_CONTEXT_MGR already set
[ 54.210971] binder: BINDER_SET_CONTEXT_MGR already set
[ 54.216603] binder: 7725:7736 ioctl 40046207 0 returned -16
[ 54.217160] binder_alloc: 7722: binder_alloc_buf, no vma
[ 54.228214] binder: BINDER_SET_CONTEXT_MGR already set
[ 54.233630] binder: 7728:7738 ioctl 40046207 0 returned -16
[ 54.234374] binder: BINDER_SET_CONTEXT_MGR already set
[ 54.239486] binder_alloc: 7722: binder_alloc_buf, no vma
[ 54.239513] binder: 7725:7727 transaction failed 29189/-3, size 0-32 line 3147
[ 54.245229] binder: 7731:7742 ioctl 40046207 0 returned -16
[ 54.250245] binder_alloc: 7722: binder_alloc_buf, no vma
[ 54.250265] binder: 7728:7730 transaction failed 29189/-3, size 0-32 line 3147
[ 54.250316] binder: 7726:7729 transaction failed 29189/-3, size 0-32 line 3147
executing program
executing program
executing program
executing program
executing program
[ 54.259309] binder: 7741:7743 ioctl 40046207 0 returned -16
[ 54.265345] binder: undelivered TRANSACTION_ERROR: 29189
[ 54.269883] binder_alloc: 7722: binder_alloc_buf, no vma
[ 54.276466] binder: BINDER_SET_CONTEXT_MGR already set
[ 54.276492] binder: 7732:7744 ioctl 40046207 0 returned -16
[ 54.276596] binder: undelivered TRANSACTION_ERROR: 29189
[ 54.289008] binder: BINDER_SET_CONTEXT_MGR already set
[ 54.324062] binder: BINDER_SET_CONTEXT_MGR already set
[ 54.328520] binder: 7741:7745 ioctl 40046207 0 returned -16
executing program
[ 54.330640] binder: 7747:7749 ioctl 40046207 0 returned -16
[ 54.335140] binder: undelivered TRANSACTION_ERROR: 29189
[ 54.342607] binder: BINDER_SET_CONTEXT_MGR already set
[ 54.352459] binder: 7747:7756 ioctl 40046207 0 returned -16
[ 54.353700] binder: BINDER_SET_CONTEXT_MGR already set
[ 54.366967] binder: BINDER_SET_CONTEXT_MGR already set
[ 54.369502] binder: 7746:7748 ioctl 40046207 0 returned -16
[ 54.372779] binder: BINDER_SET_CONTEXT_MGR already set
[ 54.378331] binder: 7752:7754 ioctl 40046207 0 returned -16
[ 54.383952] binder: undelivered TRANSACTION_ERROR: 29189
[ 54.389843] binder: BINDER_SET_CONTEXT_MGR already set
[ 54.400348] binder: 7750:7755 ioctl 40046207 0 returned -16
[ 54.400513] binder: 7746:7758 ioctl 40046207 0 returned -16
[ 54.406241] binder: BINDER_SET_CONTEXT_MGR already set
[ 54.417876] binder: BINDER_SET_CONTEXT_MGR already set
[ 54.418456] binder: 7751:7753 ioctl 40046207 0 returned -16
[ 54.425480] binder: 7757:7759 ioctl 40046207 0 returned -16
executing program
executing program
[ 54.429102] binder: undelivered TRANSACTION_ERROR: 29189
[ 54.434853] binder: BINDER_SET_CONTEXT_MGR already set
[ 54.445703] binder: 7752:7763 ioctl 40046207 0 returned -16
[ 54.445841] binder: BINDER_SET_CONTEXT_MGR already set
[ 54.456836] binder: 7750:7765 ioctl 40046207 0 returned -16
[ 54.459377] ------------[ cut here ]------------
[ 54.465509] binder: BINDER_SET_CONTEXT_MGR already set
[ 54.467386] kernel BUG at drivers/android/binder_alloc.c:1141!
[ 54.478831] binder: 7770:7771 ioctl 40046207 0 returned -16
[ 54.478863] invalid opcode: 0000 [#1] PREEMPT SMP KASAN
[ 54.484604] binder: BINDER_SET_CONTEXT_MGR already set
[ 54.489937] CPU: 0 PID: 7753 Comm: syz-executor185 Not tainted 5.0.0+ #10
[ 54.489942] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 54.489962] RIP: 0010:binder_alloc_do_buffer_copy+0xd6/0x510
[ 54.489971] Code: 02 00 0f 85 20 04 00 00 4d 8b 64 24 58 49 29 dc e8 5f 5a 2a fc 4c 89 e6 4c 89 ef e8 74 5b 2a fc 4d 39 e5 76 07 e8 4a 5a 2a fc <0f> 0b e8 43 5a 2a fc 4c 8b 75 d0 4d 29 ec 4c 89 e6 4c 89 f7 e8 51
[ 54.489975] RSP: 0018:ffff8880990f76d8 EFLAGS: 00010293
[ 54.489982] RAX: ffff8880a91a0280 RBX: 0000000020001000 RCX: ffffffff8545d12c
[ 54.489986] RDX: 0000000000000000 RSI: ffffffff8545d136 RDI: 0000000000000006
[ 54.489997] RBP: ffff8880990f7758 R08: ffff8880a91a0280 R09: 0000000000000028
[ 54.495330] binder: BINDER_SET_CONTEXT_MGR already set
[ 54.502165] R10: ffffed101321ef32 R11: ffff8880990f7997 R12: 0000000000000020
[ 54.502170] R13: 0000000000000028 R14: ffff88808b463d10 R15: 0000000000000000
[ 54.502176] FS: 0000000000000000(0000) GS:ffff8880ae800000(0063) knlGS:00000000f7f49b40
[ 54.502181] CS: 0010 DS: 002b ES: 002b CR0: 0000000080050033
[ 54.502186] CR2: 0000000000000000 CR3: 000000008f28e000 CR4: 00000000001406f0
[ 54.502192] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 54.502197] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[ 54.502205] Call Trace:
[ 54.511812] binder: 7766:7768 ioctl 40046207 0 returned -16
[ 54.517355] ? memcpy+0x46/0x50
[ 54.517371] binder_alloc_copy_from_buffer+0x37/0x42
[ 54.536616] ------------[ cut here ]------------
[ 54.541643] binder_get_object+0xc3/0x200
[ 54.548871] kernel BUG at drivers/android/binder_alloc.c:1141!
[ 54.548945] binder: 7757:7769 ioctl 40046207 0 returned -16
[ 54.556179] binder_transaction+0x2b4a/0x6690
[ 54.556196] ? binder_thread_read+0x3d20/0x3d20
[ 54.665422] ? __lock_acquire+0x548/0x3fb0
[ 54.669645] ? __might_fault+0x12b/0x1e0
[ 54.673693] ? lock_downgrade+0x880/0x880
[ 54.677829] ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[ 54.683358] ? _copy_from_user+0xdd/0x150
[ 54.687506] binder_thread_write+0x64a/0x2820
[ 54.692002] ? binder_transaction+0x6690/0x6690
[ 54.696661] ? __might_fault+0x12b/0x1e0
[ 54.700720] ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[ 54.706253] ? _copy_from_user+0xdd/0x150
[ 54.710394] binder_ioctl+0x1033/0x183b
[ 54.714376] ? binder_thread_write+0x2820/0x2820
[ 54.719132] ? __fget+0x367/0x540
[ 54.722583] ? ksys_dup3+0x3e0/0x3e0
[ 54.726288] ? security_file_ioctl+0x93/0xc0
[ 54.730694] ? binder_thread_write+0x2820/0x2820
[ 54.735453] __ia32_compat_sys_ioctl+0x197/0x620
[ 54.740210] do_fast_syscall_32+0x281/0xc98
[ 54.744535] entry_SYSENTER_compat+0x70/0x7f
[ 54.748935] RIP: 0023:0xf7f4d869
[ 54.752292] Code: 85 d2 74 02 89 0a 5b 5d c3 8b 04 24 c3 8b 14 24 c3 8b 3c 24 c3 90 90 90 90 90 90 90 90 90 90 90 90 51 52 55 89 e5 0f 34 cd 80 <5d> 5a 59 c3 90 90 90 90 eb 0d 90 90 90 90 90 90 90 90 90 90 90 90
[ 54.771198] RSP: 002b:00000000f7f4912c EFLAGS: 00000246 ORIG_RAX: 0000000000000036
[ 54.778960] RAX: ffffffffffffffda RBX: 0000000000000005 RCX: 00000000c0306201
[ 54.786222] RDX: 0000000020000400 RSI: 0000000000000000 RDI: 0000000000000000
[ 54.793479] RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
[ 54.800738] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
[ 54.808011] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[ 54.815278] Modules linked in:
[ 54.818484] invalid opcode: 0000 [#2] PREEMPT SMP KASAN
[ 54.820211] ------------[ cut here ]------------
[ 54.823850] CPU: 1 PID: 7754 Comm: syz-executor185 Tainted: G D 5.0.0+ #10
[ 54.828604] kernel BUG at drivers/android/binder_alloc.c:1141!
[ 54.836882] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 54.836910] RIP: 0010:binder_alloc_do_buffer_copy+0xd6/0x510
[ 54.843663] ------------[ cut here ]------------
[ 54.852211] Code: 02 00 0f 85 20 04 00 00 4d 8b 64 24 58 49 29 dc e8 5f 5a 2a fc 4c 89 e6 4c 89 ef e8 74 5b 2a fc 4d 39 e5 76 07 e8 4a 5a 2a fc <0f> 0b e8 43 5a 2a fc 4c 8b 75 d0 4d 29 ec 4c 89 e6 4c 89 f7 e8 51
[ 54.858124] kernel BUG at drivers/android/binder_alloc.c:1141!
[ 54.862846] RSP: 0018:ffff8880a4caf6d8 EFLAGS: 00010293
[ 54.893049] RAX: ffff8880a7f522c0 RBX: 0000000020001020 RCX: ffffffff8545d12c
[ 54.900294] RDX: 0000000000000000 RSI: ffffffff8545d136 RDI: 0000000000000006
[ 54.907539] RBP: ffff8880a4caf758 R08: ffff8880a7f522c0 R09: 0000000000000028
[ 54.914784] R10: ffffed1014995f32 R11: ffff8880a4caf997 R12: 0000000000000020
[ 54.922029] R13: 0000000000000028 R14: ffff88808b463d10 R15: 0000000000000000
[ 54.929281] FS: 0000000000000000(0000) GS:ffff8880ae900000(0063) knlGS:00000000f7f49b40
[ 54.937486] CS: 0010 DS: 002b ES: 002b CR0: 0000000080050033
[ 54.943359] CR2: 00000000f7f28db0 CR3: 000000009fda3000 CR4: 00000000001406e0
[ 54.950611] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 54.957858] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[ 54.965101] Call Trace:
[ 54.967672] ? memcpy+0x46/0x50
[ 54.970936] binder_alloc_copy_from_buffer+0x37/0x42
[ 54.976017] binder_get_object+0xc3/0x200
[ 54.980145] binder_transaction+0x2b4a/0x6690
[ 54.984625] ? binder_thread_read+0x3d20/0x3d20
[ 54.989280] ? __lock_acquire+0x548/0x3fb0
[ 54.993499] ? __might_fault+0x12b/0x1e0
[ 54.997539] ? lock_downgrade+0x880/0x880
[ 55.001764] ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[ 55.007286] ? _copy_from_user+0xdd/0x150
[ 55.011478] binder_thread_write+0x64a/0x2820
[ 55.015965] ? binder_transaction+0x6690/0x6690
[ 55.020611] ? __might_fault+0x12b/0x1e0
[ 55.024655] ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[ 55.030169] ? _copy_from_user+0xdd/0x150
[ 55.034295] binder_ioctl+0x1033/0x183b
[ 55.038248] ? binder_thread_write+0x2820/0x2820
[ 55.042980] ? __fget+0x367/0x540
[ 55.046421] ? ksys_dup3+0x3e0/0x3e0
[ 55.050126] ? security_file_ioctl+0x93/0xc0
[ 55.054512] ? binder_thread_write+0x2820/0x2820
[ 55.059245] __ia32_compat_sys_ioctl+0x197/0x620
[ 55.063985] do_fast_syscall_32+0x281/0xc98
[ 55.068297] entry_SYSENTER_compat+0x70/0x7f
[ 55.072692] RIP: 0023:0xf7f4d869
[ 55.076034] Code: 85 d2 74 02 89 0a 5b 5d c3 8b 04 24 c3 8b 14 24 c3 8b 3c 24 c3 90 90 90 90 90 90 90 90 90 90 90 90 51 52 55 89 e5 0f 34 cd 80 <5d> 5a 59 c3 90 90 90 90 eb 0d 90 90 90 90 90 90 90 90 90 90 90 90
[ 55.095187] RSP: 002b:00000000f7f4912c EFLAGS: 00000246 ORIG_RAX: 0000000000000036
[ 55.102934] RAX: ffffffffffffffda RBX: 0000000000000005 RCX: 00000000c0306201
[ 55.110187] RDX: 0000000020000400 RSI: 0000000000000000 RDI: 0000000000000000
[ 55.117435] RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
[ 55.124739] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
[ 55.131993] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[ 55.139242] Modules linked in:
[ 55.142439] invalid opcode: 0000 [#3] PREEMPT SMP KASAN
[ 55.143012] ---[ end trace 7f1bc2216782b362 ]---
[ 55.147848] CPU: 0 PID: 7759 Comm: syz-executor185 Tainted: G D 5.0.0+ #10
[ 55.147855] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 55.147872] RIP: 0010:binder_alloc_do_buffer_copy+0xd6/0x510
[ 55.147882] Code: 02 00 0f 85 20 04 00 00 4d 8b 64 24 58 49 29 dc e8 5f 5a 2a fc 4c 89 e6 4c 89 ef e8 74 5b 2a fc 4d 39 e5 76 07 e8 4a 5a 2a fc <0f> 0b e8 43 5a 2a fc 4c 8b 75 d0 4d 29 ec 4c 89 e6 4c 89 f7 e8 51
[ 55.147887] RSP: 0018:ffff8880a571f6d8 EFLAGS: 00010293
[ 55.147901] RAX: ffff8880863e4400 RBX: 0000000020001040 RCX: ffffffff8545d12c
[ 55.147906] RDX: 0000000000000000 RSI: ffffffff8545d136 RDI: 0000000000000006
[ 55.147910] RBP: ffff8880a571f758 R08: ffff8880863e4400 R09: 0000000000000028
[ 55.147915] R10: ffffed1014ae3f32 R11: ffff8880a571f997 R12: 0000000000000020
[ 55.147919] R13: 0000000000000028 R14: ffff88808b463d10 R15: 0000000000000000
[ 55.147925] FS: 0000000000000000(0000) GS:ffff8880ae800000(0063) knlGS:00000000f7f49b40
[ 55.147930] CS: 0010 DS: 002b ES: 002b CR0: 0000000080050033
[ 55.147939] CR2: 00000000f7f28db0 CR3: 000000009ec2c000 CR4: 00000000001406f0
[ 55.152813] RIP: 0010:binder_alloc_do_buffer_copy+0xd6/0x510
[ 55.161034] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 55.161040] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[ 55.161044] Call Trace:
[ 55.161064] ? memcpy+0x46/0x50
[ 55.161081] binder_alloc_copy_from_buffer+0x37/0x42
[ 55.170461] Code: 02 00 0f 85 20 04 00 00 4d 8b 64 24 58 49 29 dc e8 5f 5a 2a fc 4c 89 e6 4c 89 ef e8 74 5b 2a fc 4d 39 e5 76 07 e8 4a 5a 2a fc <0f> 0b e8 43 5a 2a fc 4c 8b 75 d0 4d 29 ec 4c 89 e6 4c 89 f7 e8 51
[ 55.176237] binder_get_object+0xc3/0x200
[ 55.176250] binder_transaction+0x2b4a/0x6690
[ 55.195430] binder_alloc: binder_alloc_mmap_handler: 7770 20001000-20004000 already mapped failed -16
[ 55.200520] ? binder_thread_read+0x3d20/0x3d20
[ 55.200534] ? mark_held_locks+0xf0/0xf0
[ 55.207837] binder: BINDER_SET_CONTEXT_MGR already set
[ 55.215204] ? mark_held_locks+0xf0/0xf0
[ 55.215221] ? __kasan_kmalloc.constprop.0+0xcf/0xe0
[ 55.222557] binder: 7770:7774 ioctl 40046207 0 returned -16
[ 55.229780] ? binder_get_thread+0x1db/0x7c0
[ 55.229794] ? lock_downgrade+0x880/0x880
[ 55.237069] RSP: 0018:ffff8880990f76d8 EFLAGS: 00010293
[ 55.245302] ? __might_fault+0xfb/0x1e0
[ 55.245320] ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[ 55.251525] ------------[ cut here ]------------
[ 55.258463] ? _copy_from_user+0xdd/0x150
[ 55.264210] kernel BUG at drivers/android/binder_alloc.c:1141!
[ 55.393776] binder_thread_write+0x64a/0x2820
[ 55.398273] ? binder_transaction+0x6690/0x6690
[ 55.402931] ? kasan_check_write+0x14/0x20
[ 55.407150] ? do_raw_spin_lock+0x12a/0x2e0
[ 55.411463] ? __might_fault+0xfb/0x1e0
[ 55.415630] ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[ 55.421157] ? _copy_from_user+0xdd/0x150
[ 55.425308] binder_ioctl+0x1033/0x183b
[ 55.429273] ? binder_thread_write+0x2820/0x2820
[ 55.434143] ? __fget+0x367/0x540
[ 55.437583] ? ksys_dup3+0x3e0/0x3e0
[ 55.441302] ? security_file_ioctl+0x93/0xc0
[ 55.445700] ? binder_thread_write+0x2820/0x2820
[ 55.450460] __ia32_compat_sys_ioctl+0x197/0x620
[ 55.455211] do_fast_syscall_32+0x281/0xc98
[ 55.459526] entry_SYSENTER_compat+0x70/0x7f
[ 55.463921] RIP: 0023:0xf7f4d869
[ 55.467272] Code: 85 d2 74 02 89 0a 5b 5d c3 8b 04 24 c3 8b 14 24 c3 8b 3c 24 c3 90 90 90 90 90 90 90 90 90 90 90 90 51 52 55 89 e5 0f 34 cd 80 <5d> 5a 59 c3 90 90 90 90 eb 0d 90 90 90 90 90 90 90 90 90 90 90 90
[ 55.489092] RSP: 002b:00000000f7f4912c EFLAGS: 00000246 ORIG_RAX: 0000000000000036
[ 55.496820] RAX: ffffffffffffffda RBX: 0000000000000005 RCX: 00000000c0306201
[ 55.504083] RDX: 0000000020000400 RSI: 0000000000000000 RDI: 0000000000000000
[ 55.511404] RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
[ 55.518678] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
[ 55.525936] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[ 55.533199] Modules linked in:
[ 55.536405] invalid opcode: 0000 [#4] PREEMPT SMP KASAN
[ 55.541792] CPU: 1 PID: 7771 Comm: syz-executor185 Tainted: G D 5.0.0+ #10
[ 55.550085] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 55.559471] RIP: 0010:binder_alloc_do_buffer_copy+0xd6/0x510
[ 55.565258] Code: 02 00 0f 85 20 04 00 00 4d 8b 64 24 58 49 29 dc e8 5f 5a 2a fc 4c 89 e6 4c 89 ef e8 74 5b 2a fc 4d 39 e5 76 07 e8 4a 5a 2a fc <0f> 0b e8 43 5a 2a fc 4c 8b 75 d0 4d 29 ec 4c 89 e6 4c 89 f7 e8 51
[ 55.584141] RSP: 0018:ffff888087b9f6d8 EFLAGS: 00010293
[ 55.589489] RAX: ffff88808b936700 RBX: 0000000020001080 RCX: ffffffff8545d12c
[ 55.596739] RDX: 0000000000000000 RSI: ffffffff8545d136 RDI: 0000000000000006
[ 55.603988] RBP: ffff888087b9f758 R08: ffff88808b936700 R09: 0000000000000028
[ 55.611233] R10: ffffed1010f73f32 R11: ffff888087b9f997 R12: 0000000000000020
[ 55.618479] R13: 0000000000000028 R14: ffff88808b463d10 R15: 0000000000000000
[ 55.625728] FS: 0000000000000000(0000) GS:ffff8880ae900000(0063) knlGS:00000000f7f49b40
[ 55.633931] CS: 0010 DS: 002b ES: 002b CR0: 0000000080050033
[ 55.639788] CR2: 00000000f7f07db0 CR3: 00000000903ef000 CR4: 00000000001406e0
[ 55.647034] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 55.654279] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[ 55.661520] Call Trace:
[ 55.664094] ? memcpy+0x46/0x50
[ 55.667372] binder_alloc_copy_from_buffer+0x37/0x42
[ 55.672465] binder_get_object+0xc3/0x200
[ 55.676595] binder_transaction+0x2b4a/0x6690
[ 55.681076] ? binder_thread_read+0x3d20/0x3d20
[ 55.685724] ? mark_held_locks+0xf0/0xf0
[ 55.689770] ? mark_held_locks+0xf0/0xf0
[ 55.693815] ? __kasan_kmalloc.constprop.0+0xcf/0xe0
[ 55.698913] ? binder_get_thread+0x1db/0x7c0
[ 55.703311] ? lock_downgrade+0x880/0x880
[ 55.707437] ? __might_fault+0xfb/0x1e0
[ 55.711393] ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[ 55.716918] ? _copy_from_user+0xdd/0x150
[ 55.721048] binder_thread_write+0x64a/0x2820
[ 55.725524] ? trace_hardirqs_on+0x67/0x230
[ 55.729827] ? binder_transaction+0x6690/0x6690
[ 55.734474] ? kasan_check_write+0x14/0x20
[ 55.738785] ? do_raw_spin_lock+0x12a/0x2e0
[ 55.743097] ? __might_fault+0xfb/0x1e0
[ 55.747054] ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[ 55.752579] ? _copy_from_user+0xdd/0x150
[ 55.756716] binder_ioctl+0x1033/0x183b
[ 55.760681] ? binder_thread_write+0x2820/0x2820
[ 55.765426] ? __fget+0x367/0x540
[ 55.768871] ? ksys_dup3+0x3e0/0x3e0
[ 55.772589] ? security_file_ioctl+0x93/0xc0
[ 55.776981] ? binder_thread_write+0x2820/0x2820
[ 55.781715] __ia32_compat_sys_ioctl+0x197/0x620
[ 55.786452] do_fast_syscall_32+0x281/0xc98
[ 55.790754] entry_SYSENTER_compat+0x70/0x7f
[ 55.795139] RIP: 0023:0xf7f4d869
[ 55.798483] Code: 85 d2 74 02 89 0a 5b 5d c3 8b 04 24 c3 8b 14 24 c3 8b 3c 24 c3 90 90 90 90 90 90 90 90 90 90 90 90 51 52 55 89 e5 0f 34 cd 80 <5d> 5a 59 c3 90 90 90 90 eb 0d 90 90 90 90 90 90 90 90 90 90 90 90
[ 55.817361] RSP: 002b:00000000f7f4912c EFLAGS: 00000246 ORIG_RAX: 0000000000000036
[ 55.825053] RAX: ffffffffffffffda RBX: 0000000000000004 RCX: 00000000c0306201
[ 55.832307] RDX: 0000000020000400 RSI: 0000000000000000 RDI: 0000000000000000
[ 55.839677] RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
[ 55.847016] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
[ 55.854263] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[ 55.861514] Modules linked in:
[ 55.864704] invalid opcode: 0000 [#5] PREEMPT SMP KASAN
[ 55.865488] RAX: ffff8880a91a0280 RBX: 0000000020001000 RCX: ffffffff8545d12c
[ 55.870101] CPU: 0 PID: 7755 Comm: syz-executor185 Tainted: G D 5.0.0+ #10
[ 55.870108] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 55.870126] RIP: 0010:binder_alloc_do_buffer_copy+0xd6/0x510
[ 55.870137] Code: 02 00 0f 85 20 04 00 00 4d 8b 64 24 58 49 29 dc e8 5f 5a 2a fc 4c 89 e6 4c 89 ef e8 74 5b 2a fc 4d 39 e5 76 07 e8 4a 5a 2a fc <0f> 0b e8 43 5a 2a fc 4c 8b 75 d0 4d 29 ec 4c 89 e6 4c 89 f7 e8 51
[ 55.877425] RDX: 0000000000000000 RSI: ffffffff8545d136 RDI: 0000000000000006
[ 55.885707] RSP: 0018:ffff888097f1f6d8 EFLAGS: 00010293
[ 55.885717] RAX: ffff8880a7ffa300 RBX: 0000000020001060 RCX: ffffffff8545d12c
[ 55.885722] RDX: 0000000000000000 RSI: ffffffff8545d136 RDI: 0000000000000006
[ 55.885726] RBP: ffff888097f1f758 R08: ffff8880a7ffa300 R09: 0000000000000028
[ 55.885734] R10: ffffed1012fe3f32 R11: ffff888097f1f997 R12: 0000000000000020
[ 55.895352] RBP: ffff8880990f7758 R08: ffff8880a91a0280 R09: 0000000000000028
[ 55.901013] R13: 0000000000000028 R14: ffff88808b463d10 R15: 0000000000000000
[ 55.901024] FS: 0000000000000000(0000) GS:ffff8880ae800000(0063) knlGS:00000000f7f49b40
[ 55.901031] CS: 0010 DS: 002b ES: 002b CR0: 0000000080050033
[ 55.901038] CR2: 00000000f7f27cbc CR3: 000000008b671000 CR4: 00000000001406f0
[ 55.901049] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 55.901056] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[ 55.901062] Call Trace:
[ 55.901090] ? memcpy+0x46/0x50
[ 55.901112] binder_alloc_copy_from_buffer+0x37/0x42
[ 55.920182] R10: ffffed101321ef32 R11: ffff8880990f7997 R12: 0000000000000020
[ 55.927314] binder_get_object+0xc3/0x200
[ 55.927333] binder_transaction+0x2b4a/0x6690
[ 55.927365] ? binder_thread_read+0x3d20/0x3d20
[ 55.932868] R13: 0000000000000028 R14: ffff88808b463d10 R15: 0000000000000000
[ 55.940010] ? __lock_acquire+0x548/0x3fb0
[ 55.940038] ? __might_fault+0x12b/0x1e0
[ 55.940052] ? lock_downgrade+0x880/0x880
[ 55.940076] ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[ 55.947458] FS: 0000000000000000(0000) GS:ffff8880ae900000(0063) knlGS:00000000f7f49b40
[ 55.954627] ? _copy_from_user+0xdd/0x150
[ 55.954644] binder_thread_write+0x64a/0x2820
[ 55.954665] ? binder_transaction+0x6690/0x6690
[ 55.954680] ? __might_fault+0x12b/0x1e0
[ 55.954705] ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[ 55.962121] CS: 0010 DS: 002b ES: 002b CR0: 0000000080050033
[ 55.969255] ? _copy_from_user+0xdd/0x150
[ 55.969274] binder_ioctl+0x1033/0x183b
[ 55.969290] ? binder_thread_write+0x2820/0x2820
[ 55.969305] ? __fget+0x367/0x540
[ 55.969321] ? ksys_dup3+0x3e0/0x3e0
[ 55.976709] CR2: 00000000f7f27cbc CR3: 000000009fda3000 CR4: 00000000001406e0
[ 55.984835] ? security_file_ioctl+0x93/0xc0
[ 55.984852] ? binder_thread_write+0x2820/0x2820
[ 55.984869] __ia32_compat_sys_ioctl+0x197/0x620
[ 55.984890] do_fast_syscall_32+0x281/0xc98
[ 55.984920] entry_SYSENTER_compat+0x70/0x7f
[ 55.990956] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 55.998070] RIP: 0023:0xf7f4d869
[ 55.998085] Code: 85 d2 74 02 89 0a 5b 5d c3 8b 04 24 c3 8b 14 24 c3 8b 3c 24 c3 90 90 90 90 90 90 90 90 90 90 90 90 51 52 55 89 e5 0f 34 cd 80 <5d> 5a 59 c3 90 90 90 90 eb 0d 90 90 90 90 90 90 90 90 90 90 90 90
[ 55.998092] RSP: 002b:00000000f7f4912c EFLAGS: 00000246 ORIG_RAX: 0000000000000036
[ 55.998104] RAX: ffffffffffffffda RBX: 0000000000000005 RCX: 00000000c0306201
[ 55.998110] RDX: 0000000020000400 RSI: 0000000000000000 RDI: 0000000000000000
[ 55.998117] RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
[ 55.998123] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
[ 55.998129] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[ 55.998141] Modules linked in:
[ 56.005535] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[ 56.015644] ---[ end trace 7f1bc2216782b363 ]---
[ 56.018930] binder: BINDER_SET_CONTEXT_MGR already set
[ 56.023936] RIP: 0010:binder_alloc_do_buffer_copy+0xd6/0x510
[ 56.031564] Kernel panic - not syncing: Fatal exception
[ 56.037289] Code: 02 00 0f 85 20 04 00 00 4d 8b 64 24 58 49 29 dc e8 5f 5a 2a fc 4c 89 e6 4c 89 ef e8 74 5b 2a fc 4d 39 e5 76 07 e8 4a 5a 2a fc <0f> 0b e8 43 5a 2a fc 4c 8b 75 d0 4d 29 ec 4c 89 e6 4c 89 f7 e8 51
[ 56.040701] Kernel Offset: disabled
[ 56.284509] Rebooting in 86400 seconds..