INIT: Entering runlevel: 2
[[36minfo[39;49m] Using makefile-style concurrent boot in runlevel 2.
[....] Starting enhanced syslogd: rsyslogd[?25l[?1c7[1G[[32m ok [39;49m8[?25h[?0c.
[....] Starting periodic command scheduler: cron[?25l[?1c7[1G[[32m ok [39;49m8[?25h[?0c.
[....] Starting OpenBSD Secure Shell server: sshd[?25l[?1c7[1G[[32m ok [39;49m8[?25h[?0c.

Debian GNU/Linux 7 syzkaller ttyS0

Warning: Permanently added '10.128.0.25' (ECDSA) to the list of known hosts.
2018/04/11 19:22:34 parsed 1 programs
2018/04/11 19:22:34 executed programs: 0
syzkaller login: [   47.422127] IPVS: Creating netns size=2536 id=1
[   47.536275] binder: 3799:3800 ERROR: BC_REGISTER_LOOPER called without request
[   48.336419] binder: release 3799:3800 transaction 3 out, still active
[   48.343845] binder: release 3799:3800 transaction 2 in, still active
[   48.350364] binder: undelivered TRANSACTION_COMPLETE
[   48.356334] binder: 3799:3800 IncRefs 0 refcount change on invalid ref 3 ret -22
[   48.364261] binder: 3799:3800 BC_INCREFS_DONE u0000000000000000 node 1 cookie mismatch 0000000000000004 != 0000000000000000
[   48.376055] binder: 3799:3800 BC_FREE_BUFFER u0000000000000000 no match
[   48.382896] binder: 3799:3800 got transaction to invalid handle
[   48.388971] binder: 3799:3800 transaction failed 29201/-22, size 0-0 line 3010
[   48.399635] binder: undelivered TRANSACTION_ERROR: 29201
[   48.405317] binder: release 3799:3801 transaction 5 in, still active
[   48.412124] binder: send failed reply for transaction 5 to 3799:3801
[   48.426287] ==================================================================
[   48.434054] BUG: KASAN: use-after-free in __list_del_entry+0x1a9/0x1c0
[   48.440711] Read of size 8 at addr ffff8801ce039d10 by task kworker/1:2/1809
[   48.447994] 
[   48.449616] CPU: 1 PID: 1809 Comm: kworker/1:2 Not tainted 4.9.93-gf6bec4e #4
[   48.456890] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   48.466409] Workqueue: events binder_deferred_func
[   48.471641]  ffff8801cefcfa58 ffffffff81d9c299 ffffea0007380e40 ffff8801ce039d10
[   48.479701]  0000000000000000 ffff8801ce039d10 ffffed0036e705e9 ffff8801cefcfa90
[   48.487814]  ffffffff8156534b ffff8801ce039d10 0000000000000008 0000000000000000
[   48.495812] Call Trace:
[   48.498393]  [<ffffffff81d9c299>] dump_stack+0xc1/0x128
[   48.504766]  [<ffffffff8156534b>] print_address_description+0x6c/0x234
[   48.511516]  [<ffffffff815655bf>] kasan_report.cold.6+0xac/0x2f5
[   48.517661]  [<ffffffff81e04179>] ? __list_del_entry+0x1a9/0x1c0
[   48.523979]  [<ffffffff815393d4>] __asan_report_load8_noabort+0x14/0x20
[   48.530708]  [<ffffffff81e04179>] __list_del_entry+0x1a9/0x1c0
[   48.536745]  [<ffffffff82d3983f>] binder_release_work+0x6f/0x1d0
[   48.542977]  [<ffffffff82d39668>] ? binder_send_failed_reply+0x1c8/0x230
[   48.549801]  [<ffffffff82d39dc5>] binder_thread_release+0x425/0x520
[   48.556461]  [<ffffffff82d3a30d>] binder_deferred_func+0x44d/0xc30
[   48.562952]  [<ffffffff8122dcf2>] ? __lock_is_held+0xa2/0xf0
[   48.568840]  [<ffffffff8118ac91>] process_one_work+0x7e1/0x1500
[   48.574972]  [<ffffffff8118abd8>] ? process_one_work+0x728/0x1500
[   48.581442]  [<ffffffff8118a4b0>] ? pwq_dec_nr_in_flight+0x2e0/0x2e0
[   48.588140]  [<ffffffff8118ba86>] worker_thread+0xd6/0x10a0
[   48.593874]  [<ffffffff838c4a85>] ? __schedule+0x655/0x1bd0
[   48.599737]  [<ffffffff8119ab4d>] kthread+0x26d/0x300
[   48.605175]  [<ffffffff8118b9b0>] ? process_one_work+0x1500/0x1500
[   48.611468]  [<ffffffff8119a8e0>] ? kthread_park+0xa0/0xa0
[   48.617341]  [<ffffffff8119a8e0>] ? kthread_park+0xa0/0xa0
[   48.623123]  [<ffffffff8119a8e0>] ? kthread_park+0xa0/0xa0
[   48.628916]  [<ffffffff838d5b1c>] ret_from_fork+0x5c/0x70
[   48.634430] 
[   48.636045] Allocated by task 3801:
[   48.639651]  save_stack_trace+0x16/0x20
[   48.643605]  save_stack+0x43/0xd0
[   48.647030]  kasan_kmalloc+0xc7/0xe0
[   48.650729]  kmem_cache_alloc_trace+0xfd/0x2b0
[   48.655296]  binder_transaction+0x8d5/0x6230
[   48.659685]  binder_thread_write+0xa40/0x2170
[   48.664174]  binder_ioctl_write_read.isra.46+0x1eb/0x810
[   48.669619]  binder_ioctl+0x702/0x1160
[   48.673508]  compat_SyS_ioctl+0x126/0x1fe0
[   48.677720]  do_fast_syscall_32+0x2f7/0x870
[   48.682032]  entry_SYSENTER_compat+0x90/0xa2
[   48.686660] 
[   48.689933] Freed by task 1809:
[   48.693289]  save_stack_trace+0x16/0x20
[   48.697509]  save_stack+0x43/0xd0
[   48.701153]  kasan_slab_free+0x72/0xc0
[   48.705018]  kfree+0xfb/0x310
[   48.708096]  binder_free_transaction+0x6a/0x90
[   48.712750]  binder_send_failed_reply+0x1c3/0x230
[   48.717576]  binder_thread_release+0x413/0x520
[   48.722145]  binder_deferred_func+0x44d/0xc30
[   48.726643]  process_one_work+0x7e1/0x1500
[   48.730879]  worker_thread+0xd6/0x10a0
[   48.734756]  kthread+0x26d/0x300
[   48.738105]  ret_from_fork+0x5c/0x70
[   48.741974] 
[   48.743614] The buggy address belongs to the object at ffff8801ce039d00
[   48.743614]  which belongs to the cache kmalloc-192 of size 192
[   48.756808] The buggy address is located 16 bytes inside of
[   48.756808]  192-byte region [ffff8801ce039d00, ffff8801ce039dc0)
[   48.769018] The buggy address belongs to the page:
[   48.773928] page:ffffea0007380e40 count:1 mapcount:0 mapping:          (null) index:0x0
[   48.782368] flags: 0x8000000000000080(slab)
[   48.786835] page dumped because: kasan: bad access detected
[   48.792610] 
[   48.794236] Memory state around the buggy address:
[   48.799149]  ffff8801ce039c00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   48.807727]  ffff8801ce039c80: 00 00 00 00 00 00 fc fc fc fc fc fc fc fc fc fc
[   48.816344] >ffff8801ce039d00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   48.823699]                          ^
[   48.827568]  ffff8801ce039d80: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[   48.834921]  ffff8801ce039e00: fc fc fc fc fc fc fc fc fc