[....] Starting enhanced syslogd: rsyslogd
[   15.969381] audit: type=1400 audit(1520253636.683:4): avc: denied { syslog } for pid=3653 comm="rsyslogd" capability=34 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=capability2 permissive=1
[ ok ] Starting enhanced syslogd: rsyslogd.
[ ok ] Starting periodic command scheduler: cron.
Starting mcstransd:
[ ok ] Starting file context maintaining daemon: restorecond.
[ ok ] Starting OpenBSD Secure Shell server: sshd.

Debian GNU/Linux 7 syzkaller ttyS0

Warning: Permanently added '10.128.0.9' (ECDSA) to the list of known hosts.
executing program
syzkaller login: [   46.008390] audit: type=1400 audit(1520253666.723:5): avc: denied { set_context_mgr } for pid=3821 comm="syzkaller856104" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=binder permissive=1
[   46.029818] binder: 3821:3823 ERROR: BC_REGISTER_LOOPER called without request
[   46.039565] audit: type=1400 audit(1520253666.753:6): avc: denied { call } for pid=3821 comm="syzkaller856104" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=binder permissive=1
[   46.063318] binder: release 3821:3822 transaction 3 out, still active
[   46.069977] binder: undelivered TRANSACTION_COMPLETE
[   46.075184] binder: 3821:3822 BC_ACQUIRE_DONE u0000000000000000 node 2 cookie mismatch 0000000000000004 != 0000000000000000
executing program
[   46.129783] binder: release 3821:3823 transaction 1 out, still active
[   46.136462] binder: undelivered TRANSACTION_COMPLETE
[   46.139131] binder: 3825:3826 ERROR: BC_REGISTER_LOOPER called without request
[   46.148926] binder: release 3821:3824 transaction 4 out, still active
[   46.155476] binder: undelivered TRANSACTION_COMPLETE
[   46.160216] binder: release 3825:3826 transaction 7 out, still active
[   46.160219] binder: release 3825:3826 transaction 6 in, still active
[   46.160222] binder: undelivered TRANSACTION_COMPLETE
executing program
[   46.160286] binder: 3825:3826 BC_ACQUIRE_DONE u0000000000000000 node 5 cookie mismatch 0000000000000004 != 0000000000000000
[   46.190207] binder: send failed reply for transaction 1, target dead
[   46.196741] binder: send failed reply for transaction 3, target dead
[   46.198519] binder: BINDER_SET_CONTEXT_MGR already set
[   46.198530] binder: 3828:3829 ioctl 40046207 0 returned -16
[   46.199065] binder: 3828:3829 ERROR: BC_REGISTER_LOOPER called without request
[   46.219893] binder_alloc: 3825: binder_alloc_buf, no vma
executing program
[   46.219905] binder: 3828:3830 transaction failed 29189/-3, size 0-0 line 3127
[   46.222063] binder: undelivered TRANSACTION_ERROR: 29189
[   46.224252] binder: 3828:3830 BC_ACQUIRE_DONE u0000000000000000 no match
[   46.246446] binder: send failed reply for transaction 4, target dead
[   46.246682] binder_alloc: 3825: binder_alloc_buf, no vma
[   46.246695] binder: 3828:3831 transaction failed 29189/-3, size 0-0 line 3127
[   46.261575] binder: BINDER_SET_CONTEXT_MGR already set
[   46.261580] binder: 3832:3833 ioctl 40046207 0 returned -16
executing program
[   46.262111] binder: 3832:3833 ERROR: BC_REGISTER_LOOPER called without request
[   46.282923] binder_alloc: 3825: binder_alloc_buf, no vma
[   46.282935] binder: 3832:3834 transaction failed 29189/-3, size 0-0 line 3127
[   46.285150] binder: undelivered TRANSACTION_ERROR: 29189
[   46.287373] binder: 3832:3834 BC_ACQUIRE_DONE u0000000000000000 no match
[   46.309476] binder: undelivered TRANSACTION_ERROR: 29189
[   46.310010] binder_alloc: 3825: binder_alloc_buf, no vma
[   46.310022] binder: 3832:3835 transaction failed 29189/-3, size 0-0 line 3127
[   46.326394] binder: BINDER_SET_CONTEXT_MGR already set
[   46.326399] binder: 3836:3837 ioctl 40046207 0 returned -16
[   46.326994] binder: 3836:3837 ERROR: BC_REGISTER_LOOPER called without request
[   46.346051] binder: undelivered TRANSACTION_ERROR: 29189
[   46.347758] binder_alloc: 3825: binder_alloc_buf, no vma
[   46.347770] binder: 3836:3838 transaction failed 29189/-3, size 0-0 line 3127
[   46.349985] binder: undelivered TRANSACTION_ERROR: 29189
[   46.352206] binder: 3836:3838 BC_ACQUIRE_DONE u0000000000000000 no match
executing program
[   46.374668] binder_alloc: 3825: binder_alloc_buf, no vma
[   46.374679] binder: 3836:3839 transaction failed 29189/-3, size 0-0 line 3127
[   46.389120] binder: BINDER_SET_CONTEXT_MGR already set
[   46.389124] binder: 3840:3841 ioctl 40046207 0 returned -16
[   46.389661] binder: 3840:3841 ERROR: BC_REGISTER_LOOPER called without request
[   46.407556] binder: undelivered TRANSACTION_ERROR: 29189
[   46.410429] binder_alloc: 3825: binder_alloc_buf, no vma
[   46.410440] binder: 3840:3842 transaction failed 29189/-3, size 0-0 line 3127
[   46.412657] binder: undelivered TRANSACTION_ERROR: 29189
executing program
[   46.414873] binder: 3840:3842 BC_ACQUIRE_DONE u0000000000000000 no match
[   46.437257] binder_alloc: 3825: binder_alloc_buf, no vma
[   46.437268] binder: 3840:3843 transaction failed 29189/-3, size 0-0 line 3127
[   46.450655] binder: undelivered TRANSACTION_ERROR: 29189
[   46.452244] binder: BINDER_SET_CONTEXT_MGR already set
[   46.452249] binder: 3844:3845 ioctl 40046207 0 returned -16
[   46.452782] binder: 3844:3845 ERROR: BC_REGISTER_LOOPER called without request
[   46.473655] binder_alloc: 3825: binder_alloc_buf, no vma
executing program
[   46.473667] binder: 3844:3846 transaction failed 29189/-3, size 0-0 line 3127
[   46.475878] binder: undelivered TRANSACTION_ERROR: 29189
[   46.478099] binder: 3844:3846 BC_ACQUIRE_DONE u0000000000000000 no match
[   46.499490] binder: release 3825:3827 transaction 8 in, still active
[   46.500546] binder: 3844:3847 transaction failed 29189/-22, size 0-0 line 3004
[   46.513314] binder: send failed reply for transaction 8 to 3825:3827
[   46.516179] binder: 3848:3849 ERROR: BC_REGISTER_LOOPER called without request
executing program
[   46.527263] ==================================================================
[   46.534609] BUG: KASAN: use-after-free in __list_del_entry+0x196/0x1d0
[   46.537079] binder: release 3848:3849 transaction 21 out, still active
[   46.537083] binder: release 3848:3849 transaction 20 in, still active
[   46.537085] binder: undelivered TRANSACTION_COMPLETE
[   46.537150] binder: 3848:3849 BC_ACQUIRE_DONE u0000000000000000 node 19 cookie mismatch 0000000000000004 != 0000000000000000
[   46.570833] Read of size 8 at addr ffff8801ce6e8e10 by task kworker/1:2/2403
[   46.573833] binder: BINDER_SET_CONTEXT_MGR already set
[   46.573838] binder: 3851:3852 ioctl 40046207 0 returned -16
[   46.574358] binder: 3851:3852 ERROR: BC_REGISTER_LOOPER called without request
[   46.595166] binder_alloc: 3848: binder_alloc_buf, no vma
[   46.595178] binder: 3851:3853 transaction failed 29189/-3, size 0-0 line 3127
[   46.597455] binder: undelivered TRANSACTION_ERROR: 29189
[   46.599749] binder: 3851:3853 BC_ACQUIRE_DONE u0000000000000000 no match
[   46.621105] 
[   46.622158] binder_alloc: 3848: binder_alloc_buf, no vma
executing program
[   46.622170] binder: 3851:3854 transaction failed 29189/-3, size 0-0 line 3127
[   46.635460] CPU: 1 PID: 2403 Comm: kworker/1:2 Not tainted 4.9.86-gb324a70 #50
[   46.637105] binder: BINDER_SET_CONTEXT_MGR already set
[   46.637110] binder: 3855:3856 ioctl 40046207 0 returned -16
[   46.637681] binder: 3855:3856 ERROR: BC_REGISTER_LOOPER called without request
[   46.658434] binder_alloc: 3848: binder_alloc_buf, no vma
[   46.658447] binder: 3855:3857 transaction failed 29189/-3, size 0-0 line 3127
[   46.660667] binder: undelivered TRANSACTION_ERROR: 29189
executing program
[   46.662940] binder: 3855:3857 BC_ACQUIRE_DONE u0000000000000000 no match
[   46.685357] binder_alloc: 3848: binder_alloc_buf, no vma
[   46.685378] binder: 3855:3858 transaction failed 29189/-3, size 0-0 line 3127
[   46.698558] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   46.699904] binder: BINDER_SET_CONTEXT_MGR already set
[   46.699909] binder: 3859:3860 ioctl 40046207 0 returned -16
[   46.700445] binder: 3859:3860 ERROR: BC_REGISTER_LOOPER called without request
[   46.721233] binder_alloc: 3848: binder_alloc_buf, no vma
executing program
[   46.721246] binder: 3859:3861 transaction failed 29189/-3, size 0-0 line 3127
[   46.723461] binder: undelivered TRANSACTION_ERROR: 29189
[   46.725680] binder: 3859:3861 BC_ACQUIRE_DONE u0000000000000000 no match
[   46.748058] binder_alloc: 3848: binder_alloc_buf, no vma
[   46.748069] binder: 3859:3862 transaction failed 29189/-3, size 0-0 line 3127
[   46.762875] binder: BINDER_SET_CONTEXT_MGR already set
[   46.762880] binder: 3863:3864 ioctl 40046207 0 returned -16
[   46.763407] binder: 3863:3864 ERROR: BC_REGISTER_LOOPER called without request
executing program
[   46.782446] Workqueue: events binder_deferred_func
[   46.784177] binder_alloc: 3848: binder_alloc_buf, no vma
[   46.784188] binder: 3863:3865 transaction failed 29189/-3, size 0-0 line 3127
[   46.786405] binder: undelivered TRANSACTION_ERROR: 29189
[   46.788623] binder: 3863:3865 BC_ACQUIRE_DONE u0000000000000000 no match
[   46.811009] binder_alloc: 3848: binder_alloc_buf, no vma
[   46.811020] binder: 3863:3866 transaction failed 29189/-3, size 0-0 line 3127
[   46.824712]  ffff8801b3877a50
[   46.825890] binder: BINDER_SET_CONTEXT_MGR already set
[   46.825895] binder: 3867:3868 ioctl 40046207 0 returned -16
[   46.826419] binder: 3867:3868 ERROR: BC_REGISTER_LOOPER called without request
[   46.845854]  ffffffff81d956f9
[   46.847181] binder_alloc: 3848: binder_alloc_buf, no vma
[   46.847192] binder: 3867:3869 transaction failed 29189/-3, size 0-0 line 3127
[   46.849406] binder: undelivered TRANSACTION_ERROR: 29189
[   46.851647] binder: 3867:3869 BC_ACQUIRE_DONE u0000000000000000 no match
[   46.873641]  ffffea000739ba00
[   46.874093] binder_alloc: 3848: binder_alloc_buf, no vma
executing program
[   46.874105] binder: 3867:3870 transaction failed 29189/-3, size 0-0 line 3127
[   46.889080] binder: BINDER_SET_CONTEXT_MGR already set
[   46.889085] binder: 3871:3872 ioctl 40046207 0 returned -16
[   46.889637] binder: 3871:3872 ERROR: BC_REGISTER_LOOPER called without request
[   46.907451]  ffff8801ce6e8e10 0000000000000000
[   46.907456]  ffff8801ce6e8e10 ffffed00381d0d49 ffff8801b3877a88 ffffffff8153e083
[   46.907461]  ffff8801ce6e8e10 0000000000000008 0000000000000000
Call Trace:
[   46.907475]  [] dump_stack+0xc1/0x128
[   46.907483]  [] print_address_description+0x73/0x280
[   46.907487]  [] kasan_report+0x275/0x360
[   46.907493]  [] ? __list_del_entry+0x196/0x1d0
[   46.907498]  [] __asan_report_load8_noabort+0x14/0x20
[   46.907502]  [] __list_del_entry+0x196/0x1d0
[   46.907506]  [] binder_release_work+0x8c/0x260
[   46.907510]  [] ? binder_send_failed_reply+0x18a/0x3a0
[   46.907513]  [] binder_thread_release+0x428/0x600
[   46.907517]  [] binder_deferred_func+0x43f/0xd10
[   46.907524]  [] ? __lock_is_held+0xa1/0xf0
[   46.907530]  [] process_one_work+0x7e0/0x1610
[   46.907534]  [] ? process_one_work+0x72c/0x1610
[   46.907538]  [] ? pwq_dec_nr_in_flight+0x2d0/0x2d0
[   46.907543]  [] worker_thread+0xe0/0x10d0
[   46.907553]  [] ? __schedule+0x683/0x1ba0
[   46.907558]  [] kthread+0x26d/0x300
[   46.907562]  [] ? process_one_work+0x1610/0x1610
[   46.907565]  [] ? kthread_park+0xa0/0xa0
[   46.907570]  [] ? kthread_park+0xa0/0xa0
[   46.907573]  [] ? kthread_park+0xa0/0xa0
[   46.907577]  [] ret_from_fork+0x5c/0x70
[   46.907579] 
[   46.907582] Allocated by task 3827:
[   46.907587]  save_stack_trace+0x16/0x20
[   46.907590]  save_stack+0x43/0xd0
[   46.907593]  kasan_kmalloc+0xad/0xe0
[   46.907596]  kmem_cache_alloc_trace+0xfb/0x2a0
[   46.907599]  binder_transaction+0x103c/0x7040
[   46.907602]  binder_thread_write+0x8d4/0x31f0
[   46.907605]  binder_ioctl_write_read.isra.55+0x1ed/0x9a0
[   46.907607]  binder_ioctl+0xaea/0x11b0
[   46.907611]  do_vfs_ioctl+0x1aa/0x1140
[   46.907614]  SyS_ioctl+0x8f/0xc0
[   46.907618]  do_syscall_64+0x1a4/0x490
[   46.907621]  entry_SYSCALL_64_after_swapgs+0x5d/0xdb
[   46.907621] 
[   46.907623] Freed by task 2403:
[   46.907626]  save_stack_trace+0x16/0x20
[   46.907629]  save_stack+0x43/0xd0
[   46.907632]  kasan_slab_free+0x72/0xc0
[   46.907634]  kfree+0x103/0x300
[   46.907639]  binder_free_transaction+0x6a/0x90
[   46.907642]  binder_send_failed_reply+0x185/0x3a0
[   46.907644]  binder_thread_release+0x416/0x600
[   46.907647]  binder_deferred_func+0x43f/0xd10
[   46.907650]  process_one_work+0x7e0/0x1610
[   46.907653]  worker_thread+0xe0/0x10d0
[   46.907656]  kthread+0x26d/0x300
[   46.907659]  ret_from_fork+0x5c/0x70
[   46.907659] 
[   46.907663] The buggy address belongs to the object at ffff8801ce6e8e00
[   46.907663]  which belongs to the cache kmalloc-192 of size 192
[   46.907666] The buggy address is located 16 bytes inside of
[   46.907666]  192-byte region [ffff8801ce6e8e00, ffff8801ce6e8ec0)
[   46.907666] The buggy address belongs to the page:
[   46.907671] page:ffffea000739ba00 count:1 mapcount:0 mapping: (null) index:0x0
[   46.907674] flags: 0x8000000000000080(slab)
[   46.907675] page dumped because: kasan: bad access detected
[   46.907676] 
[   46.907677] Memory state around the buggy address:
[   46.907681]  ffff8801ce6e8d00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   46.907684]  ffff8801ce6e8d80: 00 00 00 00 00 00 fc fc fc fc fc fc fc fc fc fc
[   46.907687] >ffff8801ce6e8e00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   46.907688]                          ^
[   46.907691]  ffff8801ce6e8e80: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[   46.907693]  ffff8801ce6e8f00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   46.907694] ==================================================================
[   46.907695] Disabling lock debugging due to kernel taint
[   46.907756] Kernel panic - not syncing: panic_on_warn set ...
[   46.907756] 
[   46.907761] CPU: 1 PID: 2403 Comm: kworker/1:2 Tainted: G B 4.9.86-gb324a70 #50
[   46.907763] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   46.907768] Workqueue: events binder_deferred_func
[   46.907775]  ffff8801b38779a8 ffffffff81d956f9 ffffffff841979cf ffff8801b3877a80
[   46.907780]  0000000000000000 ffff8801ce6e8e10 ffffed00381d0d49 ffff8801b3877a70
[   46.907785]  ffffffff8142f531 0000000041b58ab3 ffffffff8418b430 ffffffff8142f375
[   46.907786] Call Trace:
[   46.907790]  [] dump_stack+0xc1/0x128
[   46.907797]  [] panic+0x1bc/0x3a8
[   46.907802]  [] ? percpu_up_read_preempt_enable.constprop.53+0xd7/0xd7
[   46.907806]  [] kasan_end_report+0x50/0x50
[   46.907810]  [] kasan_report+0x167/0x360
[   46.907814]  [] ? __list_del_entry+0x196/0x1d0
[   46.907819]  [] __asan_report_load8_noabort+0x14/0x20
[   46.907823]  [] __list_del_entry+0x196/0x1d0
[   46.907826]  [] binder_release_work+0x8c/0x260
[   46.907830]  [] ? binder_send_failed_reply+0x18a/0x3a0
[   46.907833]  [] binder_thread_release+0x428/0x600
[   46.907836]  [] binder_deferred_func+0x43f/0xd10
[   46.907841]  [] ? __lock_is_held+0xa1/0xf0
[   46.907845]  [] process_one_work+0x7e0/0x1610
[   46.907849]  [] ? process_one_work+0x72c/0x1610
[   46.907853]  [] ? pwq_dec_nr_in_flight+0x2d0/0x2d0
[   46.907858]  [] worker_thread+0xe0/0x10d0
[   46.907862]  [] ? __schedule+0x683/0x1ba0
[   46.907865]  [] kthread+0x26d/0x300
[   46.907869]  [] ? process_one_work+0x1610/0x1610
[   46.907873]  [] ? kthread_park+0xa0/0xa0
[   46.907877]  [] ? kthread_park+0xa0/0xa0
[   46.907880]  [] ? kthread_park+0xa0/0xa0
[   46.907884]  [] ret_from_fork+0x5c/0x70
[   46.910954] Dumping ftrace buffer:
[   46.910957]    (ftrace buffer empty)
[   46.910959] Kernel Offset: disabled
[   47.485962] Rebooting in 86400 seconds..
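The KASAN report above is spread across lines that interleave with binder messages from the other fuzzer threads, so the first triage step is to pull it back out and reduce it to the fields that matter: the bug class, the access, the kernel build, the object's cache and offset, and the three stacks. The following is an added example, not part of the crash log, of syzkaller, or of the kernel. It parses a console log in this 4.9-era format (bracketed frames with "?" marking unreliable entries, "Allocated by task N:" / "Freed by task N:" sections), drops lines from the noisy subsystems named in NOISE_PREFIXES, derives a syzbot-style title by skipping the frames in GENERIC_FRAMES, and reports the functions that the freeing and the accessing stack have in common. NOISE_PREFIXES, GENERIC_FRAMES, the blame rule and SAMPLE_LOG (a constructed subset of the lines above) are assumptions of this example.

```python
"""Extract the KASAN report from an interleaved kernel console log.
Added triage helper, not from the crash log, syzkaller or the kernel; assumes the
4.9-era report layout shown above and that noise is recognisable by a line prefix."""
import re
from dataclasses import dataclass, field

# Constructed sample: a subset of the console lines above, with output from another
# binder thread interleaved the way the console prints it.
SAMPLE_LOG = """\
[   46.527263] ==================================================================
[   46.534609] BUG: KASAN: use-after-free in __list_del_entry+0x196/0x1d0
[   46.537079] binder: release 3848:3849 transaction 21 out, still active
[   46.570833] Read of size 8 at addr ffff8801ce6e8e10 by task kworker/1:2/2403
[   46.635460] CPU: 1 PID: 2403 Comm: kworker/1:2 Not tainted 4.9.86-gb324a70 #50
[   46.907475]  [] dump_stack+0xc1/0x128
[   46.907502]  [] __list_del_entry+0x196/0x1d0
[   46.907506]  [] binder_release_work+0x8c/0x260
[   46.907510]  [] ? binder_send_failed_reply+0x18a/0x3a0
[   46.907513]  [] binder_thread_release+0x428/0x600
[   46.907582] Allocated by task 3827:
[   46.907599]  binder_transaction+0x103c/0x7040
[   46.907623] Freed by task 2403:
[   46.907639]  binder_free_transaction+0x6a/0x90
[   46.907644]  binder_thread_release+0x416/0x600
[   46.907663]  which belongs to the cache kmalloc-192 of size 192
[   46.907666] The buggy address is located 16 bytes inside of
[   46.907694] ==================================================================
"""

NOISE_PREFIXES = ("binder:", "binder_alloc:", "audit:", "executing program")  # assumed
# KASAN/report plumbing and generic list primitives: never the frame to blame (assumed).
GENERIC_FRAMES = frozenset({"dump_stack", "print_address_description", "kasan_report",
                            "save_stack_trace", "save_stack", "kasan_kmalloc", "kasan_slab_free",
                            "kmem_cache_alloc_trace", "kfree", "__list_del_entry", "list_del"})
TIMESTAMP = re.compile(r"^\[\s*\d+\.\d+\]\s?")
FRAME = re.compile(r"^\s*(?:\[[^\]]*\]\s*)?(?P<unreliable>\?\s+)?(?P<func>[A-Za-z_][\w.]*)\+0x[0-9a-f]+/0x[0-9a-f]+")
HEADER = re.compile(r"^BUG: KASAN: (?P<type>[\w-]+) in (?P<func>[\w.]+)\+0x")
ACCESS = re.compile(r"^(?P<rw>Read|Write) of size (?P<size>\d+) at addr (?P<addr>[0-9a-f]+) by task (?P<comm>.+)/(?P<pid>\d+)$")
CPU = re.compile(r"^CPU: \d+ PID: \d+ Comm: .*?(?:Not tainted|Tainted: .*?)\s+(?P<ver>\d[\w.\-]*) #\d+")
SECTION = re.compile(r"^(?P<kind>Allocated|Freed) by task (?P<pid>\d+):")
CACHE = re.compile(r"belongs to the cache (?P<cache>\S+) of size (?P<size>\d+)")
OFFSET = re.compile(r"located (?P<off>\d+) bytes inside of")  # 4.9 wording

@dataclass
class KasanReport:
    bug_type: str = ""
    location: str = ""      # function named on the BUG: line
    access: str = ""        # Read / Write
    size: int = 0
    addr: int = 0
    task_pid: int = 0
    kernel: str = ""
    cache: str = ""
    offset: int = 0         # bytes into the object
    alloc_task: int = 0
    free_task: int = 0
    access_stack: list = field(default_factory=list)
    alloc_stack: list = field(default_factory=list)
    free_stack: list = field(default_factory=list)

def parse_kasan_report(log, noise_prefixes=NOISE_PREFIXES):
    """Parse the first '====' delimited report, skipping noise lines and '?' frames."""
    rep, stack, inside = KasanReport(), None, False
    for raw in log.splitlines():
        line = TIMESTAMP.sub("", raw)
        if line.startswith("====="):
            if inside:
                break
            inside, stack = True, rep.access_stack   # frames go to the current section
            continue
        if not inside or line.strip().startswith(noise_prefixes):
            continue
        if m := HEADER.match(line):
            rep.bug_type, rep.location = m["type"], m["func"]
        elif m := ACCESS.match(line):
            rep.access, rep.size = m["rw"], int(m["size"])
            rep.addr, rep.task_pid = int(m["addr"], 16), int(m["pid"])
        elif m := CPU.match(line):
            rep.kernel = m["ver"]
        elif m := SECTION.match(line):
            if m["kind"] == "Allocated":
                rep.alloc_task, stack = int(m["pid"]), rep.alloc_stack
            else:
                rep.free_task, stack = int(m["pid"]), rep.free_stack
        elif m := CACHE.search(line):
            rep.cache = m["cache"]
        elif m := OFFSET.search(line):
            rep.offset = int(m["off"])
        elif (m := FRAME.match(line)) and not m["unreliable"]:
            stack.append(m["func"])
    return rep

def blame_frame(rep):
    """First reliable access-stack frame outside GENERIC_FRAMES (this example's rule)."""
    return next((f for f in rep.access_stack
                 if f not in GENERIC_FRAMES and not f.startswith("__asan_report")), rep.location)

def title(rep):
    return f"KASAN: {rep.bug_type} {rep.access} in {blame_frame(rep)}"

def shared_frames(rep):
    """Non-generic functions on both the freeing and the accessing stack."""
    return sorted((set(rep.free_stack) & set(rep.access_stack)) - GENERIC_FRAMES)

if __name__ == "__main__":
    rep = parse_kasan_report(SAMPLE_LOG)
    print(title(rep), "|", rep.kernel, rep.cache, f"+{rep.offset}", "| shared:", shared_frames(rep))
```

Treating `__list_del_entry` as generic is deliberate: the list primitive is where KASAN trips, but the frame worth filing against is the caller that walked a freed `binder_transaction`. On the log above the shared-frame check names `binder_thread_release`, which appears on both the free stack (via `binder_send_failed_reply` and `binder_free_transaction`) and the access stack (via `binder_release_work`), which is the single-path free-then-use that the report records.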