[ ok ] Starting file context maintaining daemon: restorecond. [ ok ] Starting OpenBSD Secure Shell server: sshd. Debian GNU/Linux 7 syzkaller ttyS0 syzkaller login: [ 28.526173] random: sshd: uninitialized urandom read (32 bytes read) [ 29.235288] audit: type=1400 audit(1553654960.762:6): avc: denied { map } for pid=1773 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1 [ 29.305264] random: sshd: uninitialized urandom read (32 bytes read) [ 29.902891] random: sshd: uninitialized urandom read (32 bytes read) [ 30.133915] random: sshd: uninitialized urandom read (32 bytes read) Warning: Permanently added '10.128.0.124' (ECDSA) to the list of known hosts. [ 35.685934] random: sshd: uninitialized urandom read (32 bytes read) [ 35.795110] audit: type=1400 audit(1553654967.322:7): avc: denied { map } for pid=1791 comm="syz-execprog" path="/root/syz-execprog" dev="sda1" ino=1426 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1 2019/03/27 02:49:28 parsed 1 programs [ 36.860698] audit: type=1400 audit(1553654968.392:8): avc: denied { map } for pid=1791 comm="syz-execprog" path="/sys/kernel/debug/kcov" dev="debugfs" ino=5005 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:debugfs_t:s0 tclass=file permissive=1 [ 37.564787] random: cc1: uninitialized urandom read (8 bytes read) 2019/03/27 02:49:30 executed programs: 0 [ 38.987975] audit: type=1400 audit(1553654970.512:9): avc: denied { map } for pid=1791 comm="syz-execprog" path="/root/syzkaller-shm630754769" dev="sda1" ino=16483 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:file_t:s0 tclass=file permissive=1 [ 40.871184] audit: type=1400 audit(1553654972.402:10): avc: denied { map } for pid=2698 
comm="syz-executor.2" path="/dev/binder0" dev="devtmpfs" ino=5431 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:device_t:s0 tclass=chr_file permissive=1 [ 40.873427] binder_alloc: binder_alloc_mmap_handler: 2698 20001000-20004000 already mapped failed -16 [ 40.908289] binder: BINDER_SET_CONTEXT_MGR already set [ 40.913598] audit: type=1400 audit(1553654972.402:11): avc: denied { set_context_mgr } for pid=2698 comm="syz-executor.2" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=binder permissive=1 [ 40.914543] binder: 2698:2699 ioctl 40046207 0 returned -16 [ 40.938352] binder: BINDER_SET_CONTEXT_MGR already set [ 40.949396] binder: 2697:2702 ioctl 40046207 0 returned -16 [ 40.949828] binder_alloc: 2698: binder_alloc_buf, no vma [ 40.955834] audit: type=1400 audit(1553654972.472:12): avc: denied { call } for pid=2698 comm="syz-executor.2" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=binder permissive=1 [ 40.962290] binder: 2698:2701 transaction failed 29189/-3, size 24-8 line 3254 [ 40.986416] binder_alloc: binder_alloc_mmap_handler: 2697 20001000-20004000 already mapped failed -16 [ 41.002778] binder_alloc: 2697: binder_alloc_buf, no vma [ 41.008355] binder: 2697:2703 transaction failed 29189/-3, size 24-8 line 3254 [ 41.020307] binder_alloc: binder_alloc_mmap_handler: 2705 20001000-20004000 already mapped failed -16 [ 41.031517] binder: BINDER_SET_CONTEXT_MGR already set [ 41.037936] binder: BINDER_SET_CONTEXT_MGR already set [ 41.037950] binder: 2708:2710 ioctl 40046207 0 returned -16 [ 41.045198] binder_alloc: 2705: binder_alloc_buf, no vma [ 41.050326] binder_alloc: binder_alloc_mmap_handler: 2708 20001000-20004000 already mapped failed -16 [ 41.055289] binder: 2705:2706 ioctl 40046207 0 returned -16 [ 41.064869] binder: BINDER_SET_CONTEXT_MGR already set [ 41.071805] binder: 2705:2707 
transaction failed 29189/-3, size 24-8 line 3254 [ 41.076438] binder_alloc: 2705: binder_alloc_buf, no vma [ 41.086403] binder: 2708:2710 ioctl 40046207 0 returned -16 [ 41.090385] binder: 2708:2711 transaction failed 29189/-3, size 24-8 line 3254 [ 41.097853] binder_alloc: binder_alloc_mmap_handler: 2712 20001000-20004000 already mapped failed -16 [ 41.114143] binder: BINDER_SET_CONTEXT_MGR already set [ 41.119742] binder: 2712:2713 ioctl 40046207 0 returned -16 [ 41.125612] binder: BINDER_SET_CONTEXT_MGR already set [ 41.132362] binder: 2717:2718 ioctl 40046207 0 returned -16 [ 41.132440] binder_alloc: 2712: binder_alloc_buf, no vma [ 41.138869] binder_alloc: binder_alloc_mmap_handler: 2717 20001000-20004000 already mapped failed -16 [ 41.145155] binder: 2712:2714 transaction failed 29189/-3, size 24-8 line 3254 [ 41.153933] binder: BINDER_SET_CONTEXT_MGR already set [ 41.167412] binder: 2717:2718 ioctl 40046207 0 returned -16 [ 41.173734] binder: 2717:2719 transaction failed 29189/-22, size 24-8 line 3117 [ 41.185410] binder_alloc: binder_alloc_mmap_handler: 2721 20001000-20004000 already mapped failed -16 [ 41.198554] binder: BINDER_SET_CONTEXT_MGR already set [ 41.204039] binder: 2721:2722 ioctl 40046207 0 returned -16 [ 41.204190] binder_alloc: 2721: binder_alloc_buf, no vma [ 41.209960] binder: BINDER_SET_CONTEXT_MGR already set [ 41.215927] binder: 2721:2723 transaction failed 29189/-3, size 24-8 line 3254 [ 41.221296] binder: 2724:2726 ioctl 40046207 0 returned -16 [ 41.242644] binder_alloc: binder_alloc_mmap_handler: 2724 20001000-20004000 already mapped failed -16 [ 41.253828] binder_alloc: 2724: binder_alloc_buf, no vma [ 41.259668] binder: 2724:2728 transaction failed 29189/-3, size 24-8 line 3254 [ 41.609862] binder_alloc: binder_alloc_mmap_handler: 2732 20001000-20004000 already mapped failed -16 [ 41.620353] binder: BINDER_SET_CONTEXT_MGR already set [ 41.625986] binder: 2732:2733 ioctl 40046207 0 returned -16 [ 41.626035] binder_alloc: 2732: 
binder_alloc_buf, no vma [ 41.637432] binder: 2732:2735 transaction failed 29189/-3, size 24-8 line 3254 [ 41.931558] binder_alloc: binder_alloc_mmap_handler: 2742 20001000-20004000 already mapped failed -16 [ 41.943611] binder: BINDER_SET_CONTEXT_MGR already set [ 41.949007] binder: 2742:2743 ioctl 40046207 0 returned -16 [ 41.953428] binder: BINDER_SET_CONTEXT_MGR already set [ 41.961354] binder_alloc: 2742: binder_alloc_buf, no vma [ 41.966979] binder: 2747:2748 ioctl 40046207 0 returned -16 [ 41.970528] binder: 2742:2744 transaction failed 29189/-3, size 24-8 line 3254 [ 41.973718] binder_alloc: binder_alloc_mmap_handler: 2747 20001000-20004000 already mapped failed -16 [ 41.994134] binder_alloc: 2747: binder_alloc_buf, no vma [ 41.998437] binder: BINDER_SET_CONTEXT_MGR already set [ 42.002033] binder: 2747:2749 transaction failed 29189/-3, size 24-8 line 3254 [ 42.009294] binder: 2751:2755 ioctl 40046207 0 returned -16 [ 42.013335] binder: BINDER_SET_CONTEXT_MGR already set [ 42.019690] binder_alloc: binder_alloc_mmap_handler: 2751 20001000-20004000 already mapped failed -16 [ 42.025001] binder: BINDER_SET_CONTEXT_MGR already set [ 42.039060] binder: 2754:2756 ioctl 40046207 0 returned -16 [ 42.039350] binder: BINDER_SET_CONTEXT_MGR already set [ 42.051374] binder: 2753:2758 ioctl 40046207 0 returned -16 [ 42.057377] binder: BINDER_SET_CONTEXT_MGR already set [ 42.059988] binder_alloc: binder_alloc_mmap_handler: 2754 20001000-20004000 already mapped failed -16 [ 42.063490] binder_alloc: 2747: binder_alloc_buf, no vma [ 42.075257] binder: BINDER_SET_CONTEXT_MGR already set [ 42.077883] binder: 2751:2755 ioctl 40046207 0 returned -16 [ 42.084326] binder_alloc: binder_alloc_mmap_handler: 2763 20001000-20004000 already mapped failed -16 [ 42.089874] binder: 2750:2757 ioctl 40046207 0 returned -16 [ 42.098646] binder_alloc: 2763: binder_alloc_buf, no vma [ 42.106600] binder: 2751:2759 transaction failed 29189/-3, size 24-8 line 3254 [ 42.110709] binder: 2754:2756 
ioctl 40046207 0 returned -16 [ 42.117851] binder_alloc: binder_alloc_mmap_handler: 2753 20001000-20004000 already mapped failed -16 [ 42.124012] binder: BINDER_SET_CONTEXT_MGR already set [ 42.138441] binder: 2754:2761 transaction failed 29189/-3, size 24-8 line 3254 [ 42.147444] binder_alloc: binder_alloc_mmap_handler: 2750 20001000-20004000 already mapped failed -16 [ 42.150461] binder: 2763:2764 ioctl 40046207 0 returned -16 [ 42.165073] binder: BINDER_SET_CONTEXT_MGR already set [ 42.181206] binder: 2753:2758 ioctl 40046207 0 returned -16 [ 42.183599] binder_alloc: 2763: binder_alloc_buf, no vma [ 42.202291] binder: 2753:2760 transaction failed 29189/-3, size 24-8 line 3254 [ 42.204395] binder_alloc: 2763: binder_alloc_buf, no vma [ 42.216888] binder: BINDER_SET_CONTEXT_MGR already set [ 42.217571] binder: 2763:2768 transaction failed 29189/-3, size 24-8 line 3254 [ 42.222489] binder_alloc: 2763: binder_alloc_buf, no vma [ 42.238152] binder: 2772:2773 ioctl 40046207 0 returned -16 [ 42.248333] binder: 2750:2757 transaction failed 29189/-3, size 24-8 line 3254 [ 42.262096] binder_alloc: binder_alloc_mmap_handler: 2772 20001000-20004000 already mapped failed -16 [ 42.273165] binder_alloc: 2772: binder_alloc_buf, no vma [ 42.278839] binder: 2772:2778 transaction failed 29189/-3, size 24-8 line 3254 [ 42.304200] binder: BINDER_SET_CONTEXT_MGR already set [ 42.310820] binder_alloc: binder_alloc_mmap_handler: 2780 20001000-20004000 already mapped failed -16 [ 42.315505] binder: 2783:2788 ioctl 40046207 0 returned -16 [ 42.320429] binder: BINDER_SET_CONTEXT_MGR already set [ 42.320447] binder: 2784:2791 ioctl 40046207 0 returned -16 [ 42.320770] binder: BINDER_SET_CONTEXT_MGR already set [ 42.327092] binder_alloc: binder_alloc_mmap_handler: 2783 20001000-20004000 already mapped failed -16 [ 42.332474] binder: BINDER_SET_CONTEXT_MGR already set [ 42.341528] binder_alloc: binder_alloc_mmap_handler: 2784 20001000-20004000 already mapped failed -16 [ 42.343403] binder: 
2786:2789 ioctl 40046207 0 returned -16 [ 42.353356] binder: 2785:2792 ioctl 40046207 0 returned -16 [ 42.357636] binder: BINDER_SET_CONTEXT_MGR already set [ 42.357654] binder: 2782:2790 ioctl 40046207 0 returned -16 [ 42.368453] binder_alloc: binder_alloc_mmap_handler: 2782 20001000-20004000 already mapped failed -16 [ 42.373325] binder: BINDER_SET_CONTEXT_MGR already set [ 42.405346] binder_alloc: 2780: binder_alloc_buf, no vma [ 42.406511] binder_alloc: binder_alloc_mmap_handler: 2786 20001000-20004000 already mapped failed -16 [ 42.411111] binder: BINDER_SET_CONTEXT_MGR already set [ 42.420866] binder_alloc: binder_alloc_mmap_handler: 2785 20001000-20004000 already mapped failed -16 [ 42.426529] binder: 2783:2794 transaction failed 29189/-3, size 24-8 line 3254 [ 42.436668] binder: 2784:2791 ioctl 40046207 0 returned -16 [ 42.442704] binder_alloc: 2780: binder_alloc_buf, no vma [ 42.449064] binder: BINDER_SET_CONTEXT_MGR already set [ 42.454341] binder: 2783:2788 ioctl 40046207 0 returned -16 [ 42.459464] binder: BINDER_SET_CONTEXT_MGR already set [ 42.465081] binder_alloc: 2780: binder_alloc_buf, no vma [ 42.470620] binder: 2782:2790 ioctl 40046207 0 returned -16 [ 42.476214] binder: 2782:2798 transaction failed 29189/-3, size 24-8 line 3254 [ 42.482000] binder_alloc: 2780: binder_alloc_buf, no vma [ 42.490253] binder: 2784:2795 transaction failed 29189/-3, size 24-8 line 3254 [ 42.495162] binder_alloc: 2786: binder_alloc_buf, no vma [ 42.509467] binder_alloc: 2785: binder_alloc_buf, no vma [ 42.517564] binder: 2785:2797 transaction failed 29189/-3, size 24-8 line 3254 [ 42.525979] binder: 2780:2787 ioctl 40046207 0 returned -16 [ 42.532470] binder: 2786:2796 transaction failed 29189/-3, size 24-8 line 3254 [ 42.536001] binder_alloc: binder_alloc_mmap_handler: 2800 20001000-20004000 already mapped failed -16 [ 42.545360] binder: 2780:2793 transaction failed 29189/-3, size 24-8 line 3254 [ 42.558185] binder: BINDER_SET_CONTEXT_MGR already set [ 42.576927] 
binder: 2804:2807 ioctl 40046207 0 returned -16 [ 42.578308] binder: BINDER_SET_CONTEXT_MGR already set [ 42.592377] binder: 2805:2808 ioctl 40046207 0 returned -16 [ 42.592379] binder: BINDER_SET_CONTEXT_MGR already set [ 42.592390] binder: 2800:2802 ioctl 40046207 0 returned -16 [ 42.602940] binder_alloc: 2800: binder_alloc_buf, no vma [ 42.607384] binder: BINDER_SET_CONTEXT_MGR already set [ 42.626874] binder_alloc: binder_alloc_mmap_handler: 2805 20001000-20004000 already mapped failed -16 [ 42.630519] binder: 2800:2815 transaction failed 29189/-3, size 24-8 line 3254 [ 42.639122] binder: BINDER_SET_CONTEXT_MGR already set [ 42.645122] binder_alloc: binder_alloc_mmap_handler: 2804 20001000-20004000 already mapped failed -16 [ 42.650434] binder: BINDER_SET_CONTEXT_MGR already set [ 42.666683] binder_alloc: binder_alloc_mmap_handler: 2816 20001000-20004000 already mapped failed -16 [ 42.676306] binder: 2809:2819 ioctl 40046207 0 returned -16 [ 42.682616] binder: 2811:2812 ioctl 40046207 0 returned -16 [ 42.689104] binder: BINDER_SET_CONTEXT_MGR already set [ 42.689109] binder_alloc: 2816: binder_alloc_buf, no vma [ 42.689130] binder: 2805:2818 transaction failed 29189/-3, size 24-8 line 3254 [ 42.695361] binder_alloc: 2816: binder_alloc_buf, no vma [ 42.701304] binder: 2805:2808 ioctl 40046207 0 returned -16 [ 42.708875] binder: 2804:2817 transaction failed 29189/-3, size 24-8 line 3254 [ 42.714011] binder: BINDER_SET_CONTEXT_MGR already set [ 42.730453] binder: 2804:2807 ioctl 40046207 0 returned -16 [ 42.735818] binder: 2816:2820 ioctl 40046207 0 returned -16 [ 42.746429] binder_alloc: binder_alloc_mmap_handler: 2809 20001000-20004000 already mapped failed -16 [ 42.756410] binder_alloc: binder_alloc_mmap_handler: 2811 20001000-20004000 already mapped failed -16 [ 42.762958] binder_alloc: binder_alloc_mmap_handler: 2825 20001000-20004000 already mapped failed -16 [ 42.772799] binder: BINDER_SET_CONTEXT_MGR already set [ 42.781935] binder: BINDER_SET_CONTEXT_MGR 
already set [ 42.787784] binder: 2809:2819 ioctl 40046207 0 returned -16 [ 42.796528] binder: BINDER_SET_CONTEXT_MGR already set [ 42.802211] binder: 2825:2826 ioctl 40046207 0 returned -16 [ 42.802902] binder_alloc: 2825: binder_alloc_buf, no vma [ 42.808370] binder: 2832:2834 ioctl 40046207 0 returned -16 [ 42.814348] binder_alloc: 2811: binder_alloc_buf, no vma [ 42.823440] binder: BINDER_SET_CONTEXT_MGR already set [ 42.832421] binder_alloc: binder_alloc_mmap_handler: 2832 20001000-20004000 already mapped failed -16 [ 42.836513] binder: 2811:2822 transaction failed 29189/-3, size 24-8 line 3254 [ 42.846761] binder: BINDER_SET_CONTEXT_MGR already set [ 42.856652] binder: 2835:2836 ioctl 40046207 0 returned -16 [ 42.858651] binder: 2809:2823 transaction failed 29189/-3, size 24-8 line 3254 [ 42.863802] binder: 2829:2833 ioctl 40046207 0 returned -16 [ 42.888029] binder: BINDER_SET_CONTEXT_MGR already set [ 42.904047] binder_alloc: binder_alloc_mmap_handler: 2835 20001000-20004000 already mapped failed -16 [ 42.904265] binder: 2839:2842 ioctl 40046207 0 returned -16 [ 42.913842] binder_alloc: 2832: binder_alloc_buf, no vma [ 42.953164] binder_alloc: binder_alloc_mmap_handler: 2829 20001000-20004000 already mapped failed -16 [ 42.962057] binder: 2832:2850 transaction failed 29189/-3, size 24-8 line 3254 [ 42.968168] binder: BINDER_SET_CONTEXT_MGR already set [ 42.975948] binder_alloc: binder_alloc_mmap_handler: 2839 20001000-20004000 already mapped failed -16 [ 42.987081] binder: 2853:2854 ioctl 40046207 0 returned -16 [ 42.993925] binder_alloc: 2835: binder_alloc_buf, no vma [ 42.999000] binder: BINDER_SET_CONTEXT_MGR already set [ 43.005671] binder: 2835:2855 transaction failed 29189/-3, size 24-8 line 3254 [ 43.007579] binder: 2857:2858 ioctl 40046207 0 returned -16 [ 43.013419] binder: BINDER_SET_CONTEXT_MGR already set [ 43.021335] binder_alloc: binder_alloc_mmap_handler: 2853 20001000-20004000 already mapped failed -16 [ 43.031609] binder_alloc: 2829: 
binder_alloc_buf, no vma [ 43.034831] binder: BINDER_SET_CONTEXT_MGR already set [ 43.045421] binder: 2839:2851 transaction failed 29189/-3, size 24-8 line 3254 [ 43.046747] binder_alloc: binder_alloc_mmap_handler: 2857 20001000-20004000 already mapped failed -16 [ 43.053756] binder: 2839:2842 ioctl 40046207 0 returned -16 [ 43.064534] binder: 2859:2863 ioctl 40046207 0 returned -16 [ 43.070864] binder_alloc: 2829: binder_alloc_buf, no vma [ 43.077294] binder_alloc: 2853: binder_alloc_buf, no vma [ 43.087102] binder: 2829:2862 transaction failed 29189/-3, size 24-8 line 3254 [ 43.092090] binder: BINDER_SET_CONTEXT_MGR already set [ 43.102863] binder: 2853:2861 transaction failed 29189/-3, size 24-8 line 3254 [ 43.113180] binder_alloc: binder_alloc_mmap_handler: 2859 20001000-20004000 already mapped failed -16 [ 43.114609] binder: 2857:2858 ioctl 40046207 0 returned -16 [ 43.126605] binder_alloc: binder_alloc_mmap_handler: 2867 20001000-20004000 already mapped failed -16 [ 43.135229] binder_alloc: 2867: binder_alloc_buf, no vma [ 43.161015] binder: BINDER_SET_CONTEXT_MGR already set [ 43.166478] binder: 2859:2863 ioctl 40046207 0 returned -16 [ 43.173234] binder: BINDER_SET_CONTEXT_MGR already set [ 43.174738] binder: 2857:2872 transaction failed 29189/-3, size 24-8 line 3254 [ 43.178986] binder: 2867:2868 ioctl 40046207 0 returned -16 [ 43.188385] binder: BINDER_SET_CONTEXT_MGR already set [ 43.198772] binder: 2870:2877 ioctl 40046207 0 returned -16 [ 43.199414] binder: BINDER_SET_CONTEXT_MGR already set [ 43.211015] binder_alloc: binder_alloc_mmap_handler: 2870 20001000-20004000 already mapped failed -16 [ 43.211774] binder: 2874:2879 ioctl 40046207 0 returned -16 [ 43.221133] binder_alloc: 2867: binder_alloc_buf, no vma [ 43.228391] binder_alloc: binder_alloc_mmap_handler: 2874 20001000-20004000 already mapped failed -16 [ 43.232637] binder_alloc: 2867: binder_alloc_buf, no vma [ 43.245308] binder: BINDER_SET_CONTEXT_MGR already set [ 43.253473] binder: 2859:2878 
transaction failed 29189/-3, size 24-8 line 3254 [ 43.263815] binder: 2875:2880 ioctl 40046207 0 returned -16 [ 43.267278] binder_alloc: 2870: binder_alloc_buf, no vma [ 43.274203] binder: BINDER_SET_CONTEXT_MGR already set [ 43.278723] binder: 2867:2882 transaction failed 29189/-3, size 24-8 line 3254 [ 43.286501] binder: 2874:2879 ioctl 40046207 0 returned -16 [ 43.292249] binder: 2870:2887 transaction failed 29189/-3, size 24-8 line 3254 [ 43.298235] binder: BINDER_SET_CONTEXT_MGR already set [ 43.312115] binder: 2885:2888 ioctl 40046207 0 returned -16 [ 43.318198] binder_alloc: binder_alloc_mmap_handler: 2875 20001000-20004000 already mapped failed -16 [ 43.324989] binder_alloc: binder_alloc_mmap_handler: 2885 20001000-20004000 already mapped failed -16 [ 43.328070] ------------[ cut here ]------------ [ 43.337874] binder_alloc: binder_alloc_mmap_handler: 2890 20001000-20004000 already mapped failed -16 [ 43.342310] kernel BUG at drivers/android/binder_alloc.c:1130! [ 43.348129] binder_alloc: 2890: binder_alloc_buf, no vma [ 43.352537] binder: BINDER_SET_CONTEXT_MGR already set [ 43.371042] binder: 2885:2888 ioctl 40046207 0 returned -16 [ 43.371818] binder: 2875:2884 transaction failed 29189/-3, size 24-8 line 3254 [ 43.380853] binder_alloc: 2890: binder_alloc_buf, no vma [ 43.386424] invalid opcode: 0000 [#1] PREEMPT SMP KASAN NOPTI [ 43.396483] Modules linked in: [ 43.399369] binder: BINDER_SET_CONTEXT_MGR already set [ 43.399686] CPU: 1 PID: 2889 Comm: syz-executor.5 Not tainted 4.14.108+ #38 [ 43.399695] task: ffff8881d909af00 task.stack: ffff8881d6a70000 [ 43.407157] binder: BINDER_SET_CONTEXT_MGR already set [ 43.412258] RIP: 0010:binder_alloc_do_buffer_copy+0xc7/0x500 [ 43.412262] RSP: 0018:ffff8881d6a775d0 EFLAGS: 00010297 [ 43.412268] RAX: ffff8881d909af00 RBX: 0000000020001000 RCX: 0000200000000000 [ 43.412271] RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffff8881c99b7358 [ 43.412274] RBP: 0000000000000020 R08: ffff8881d6a778b0 R09: 
0000000000000028 [ 43.412277] R10: ffffed103ad4ef06 R11: ffff8881d6a77837 R12: ffff8881d6fd9d98 [ 43.412281] R13: 0000000000000028 R14: 0000200000000000 R15: ffff8881d6a778b0 [ 43.412286] FS: 00007f55c3aee700(0000) GS:ffff8881dbb00000(0000) knlGS:0000000000000000 [ 43.412294] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 43.418900] binder: 2875:2880 ioctl 40046207 0 returned -16 [ 43.423789] CR2: 00007fe98e1e0ea0 CR3: 00000001cc84a002 CR4: 00000000001606a0 [ 43.423796] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 [ 43.423800] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 [ 43.423803] Call Trace: [ 43.423823] ? binder_alloc_do_buffer_copy+0x1ef/0x500 [ 43.423833] binder_get_object+0x90/0x190 [ 43.423842] binder_transaction+0x1e2d/0x5640 [ 43.430967] binder: 2890:2895 transaction failed 29189/-3, size 24-8 line 3254 [ 43.435659] ? binder_inc_ref_for_node+0xba0/0xba0 [ 43.435679] ? trace_hardirqs_on+0x10/0x10 [ 43.443326] binder: 2885:2893 transaction failed 29189/-22, size 24-8 line 3117 [ 43.450471] ? __save_stack_trace+0x7a/0xf0 [ 43.450484] ? __might_fault+0x104/0x1b0 [ 43.450491] ? lock_downgrade+0x5d0/0x5d0 [ 43.450496] ? lock_acquire+0x10f/0x380 [ 43.450501] ? __might_fault+0xd4/0x1b0 [ 43.450510] ? __might_fault+0x177/0x1b0 [ 43.460612] binder: 2890:2892 ioctl 40046207 0 returned -16 [ 43.465599] ? binder_thread_write+0x512/0x1f90 [ 43.465611] ? binder_transaction+0x5640/0x5640 [ 43.465627] ? lock_downgrade+0x5d0/0x5d0 [ 43.479973] binder: BINDER_SET_CONTEXT_MGR already set [ 43.481930] ? lock_acquire+0x10f/0x380 [ 43.481940] ? __might_fault+0xd4/0x1b0 [ 43.481951] ? __might_fault+0x177/0x1b0 [ 43.481963] ? binder_ioctl+0xd48/0x14ea [ 43.481972] ? binder_poll+0x230/0x230 [ 43.488473] binder: 2901:2902 ioctl 40046207 0 returned -16 [ 43.493822] ? __lock_acquire+0x56a/0x3fa0 [ 43.493828] ? trace_hardirqs_on+0x10/0x10 [ 43.493836] ? trace_hardirqs_on+0x10/0x10 [ 43.493850] ? binder_poll+0x230/0x230 [ 43.493860] ? 
do_vfs_ioctl+0xabe/0x1040 [ 43.493869] ? selinux_file_ioctl+0x426/0x590 [ 43.502932] binder_alloc: binder_alloc_mmap_handler: 2901 20001000-20004000 already mapped failed -16 [ 43.508412] ? selinux_file_ioctl+0x116/0x590 [ 43.508425] ? ioctl_preallocate+0x1e0/0x1e0 [ 43.508434] ? selinux_parse_skb.constprop.0+0x16b0/0x16b0 [ 43.508445] ? __fget+0x1ff/0x360 [ 43.516188] binder: BINDER_SET_CONTEXT_MGR already set [ 43.518402] ? lock_downgrade+0x5d0/0x5d0 [ 43.518408] ? lock_acquire+0x10f/0x380 [ 43.518418] ? __fget+0x44/0x360 [ 43.518430] ? check_preemption_disabled+0x35/0x1f0 [ 43.524090] binder: 2898:2899 ioctl 40046207 0 returned -16 [ 43.527843] ? security_file_ioctl+0x7c/0xb0 [ 43.527858] ? SyS_ioctl+0x7f/0xb0 [ 43.532685] ------------[ cut here ]------------ [ 43.539796] ? do_vfs_ioctl+0x1040/0x1040 [ 43.544716] kernel BUG at drivers/android/binder_alloc.c:1130! [ 43.549120] ? do_syscall_64+0x19b/0x4b0 [ 43.557067] binder: BINDER_SET_CONTEXT_MGR already set [ 43.560902] ? entry_SYSCALL_64_after_hwframe+0x42/0xb7 [ 43.560912] Code: 00 fc ff df 48 89 fa 48 c1 ea 03 80 [ 43.565579] binder: 2901:2902 ioctl 40046207 0 returned -16 [ 43.569287] 3c 02 00 0f 85 0d 04 00 00 48 8b 6d 58 48 29 dd e8 33 33 0d ff 49 [ 43.573734] ------------[ cut here ]------------ [ 43.577246] 39 [ 43.581388] kernel BUG at drivers/android/binder_alloc.c:1130! 
[ 43.587089] ed 76 07 e8 29 33 0d ff <0f> 0b e8 22 33 0d ff 4c 29 ed 49 39 ee 77 ec e8 15 33 0d ff 41 [ 43.792294] RIP: binder_alloc_do_buffer_copy+0xc7/0x500 RSP: ffff8881d6a775d0 [ 43.799572] invalid opcode: 0000 [#2] PREEMPT SMP KASAN NOPTI [ 43.805563] Modules linked in: [ 43.809139] CPU: 0 PID: 2904 Comm: syz-executor.0 Tainted: G D 4.14.108+ #38 [ 43.813581] binder: BINDER_SET_CONTEXT_MGR already set [ 43.817630] task: ffff8881d6568000 task.stack: ffff8881d6ba0000 [ 43.823223] binder: 2897:2908 ioctl 40046207 0 returned -16 [ 43.829248] RIP: 0010:binder_alloc_do_buffer_copy+0xc7/0x500 [ 43.835972] binder_alloc: binder_alloc_mmap_handler: 2897 20001000-20004000 already mapped failed -16 [ 43.841161] RSP: 0018:ffff8881d6ba75d0 EFLAGS: 00010297 [ 43.841168] RAX: ffff8881d6568000 RBX: 0000000020001000 RCX: 0000200000000000 [ 43.841171] RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffff8881d6ef4dd8 [ 43.841174] RBP: 0000000000000020 R08: ffff8881d6ba78b0 R09: 0000000000000028 [ 43.841177] R10: ffffed103ad74f06 R11: ffff8881d6ba7837 R12: ffff8881d67f9498 [ 43.841181] R13: 0000000000000028 R14: 0000200000000000 R15: ffff8881d6ba78b0 [ 43.841185] FS: 00007f1864040700(0000) GS:ffff8881dba00000(0000) knlGS:0000000000000000 [ 43.841189] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 43.841192] CR2: 00007fba8baabdb8 CR3: 00000001d1b0e002 CR4: 00000000001606b0 [ 43.841202] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 [ 43.851214] binder: BINDER_SET_CONTEXT_MGR already set [ 43.856628] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 [ 43.864129] ------------[ cut here ]------------ [ 43.871324] Call Trace: [ 43.879071] kernel BUG at drivers/android/binder_alloc.c:1130! [ 43.879149] binder: 2897:2908 ioctl 40046207 0 returned -16 [ 43.887830] ? binder_alloc_do_buffer_copy+0x1ef/0x500 [ 43.887841] binder_get_object+0x90/0x190 [ 43.966516] binder_transaction+0x1e2d/0x5640 [ 43.971013] ? SyS_ioctl+0x7f/0xb0 [ 43.974538] ? 
binder_inc_ref_for_node+0xba0/0xba0 [ 43.979540] ? trace_hardirqs_on+0x10/0x10 [ 43.983849] ? __save_stack_trace+0x7a/0xf0 [ 43.988153] ? depot_save_stack+0x11d/0x418 [ 43.992562] ? __might_fault+0x104/0x1b0 [ 43.996607] ? lock_downgrade+0x5d0/0x5d0 [ 44.000734] ? lock_acquire+0x10f/0x380 [ 44.005147] ? __might_fault+0xd4/0x1b0 [ 44.009104] ? lock_acquire+0x10f/0x380 [ 44.013261] ? __might_fault+0x177/0x1b0 [ 44.017393] ? binder_thread_write+0x512/0x1f90 [ 44.022158] ? binder_transaction+0x5640/0x5640 [ 44.026811] ? fs_reclaim_acquire+0x10/0x10 [ 44.031136] ? lock_downgrade+0x5d0/0x5d0 [ 44.035262] ? lock_acquire+0x10f/0x380 [ 44.039236] ? __might_fault+0xd4/0x1b0 [ 44.043365] ? __might_fault+0x177/0x1b0 [ 44.047420] ? binder_ioctl+0xd48/0x14ea [ 44.051463] ? binder_poll+0x230/0x230 [ 44.055331] ? trace_hardirqs_on+0x10/0x10 [ 44.059568] ? trace_hardirqs_on+0x10/0x10 [ 44.063790] ? binder_poll+0x230/0x230 [ 44.067746] ? do_vfs_ioctl+0xabe/0x1040 [ 44.071790] ? selinux_file_ioctl+0x426/0x590 [ 44.076526] ? selinux_file_ioctl+0x116/0x590 [ 44.081297] ? ioctl_preallocate+0x1e0/0x1e0 [ 44.085862] ? selinux_parse_skb.constprop.0+0x16b0/0x16b0 [ 44.091469] ? __fget+0x1ff/0x360 [ 44.094913] ? lock_downgrade+0x5d0/0x5d0 [ 44.099199] ? lock_acquire+0x10f/0x380 [ 44.103207] ? __fget+0x44/0x360 [ 44.106565] ? security_file_ioctl+0x7c/0xb0 [ 44.110977] ? SyS_ioctl+0x7f/0xb0 [ 44.114499] ? do_vfs_ioctl+0x1040/0x1040 [ 44.118732] ? do_syscall_64+0x19b/0x4b0 [ 44.123656] ? 
entry_SYSCALL_64_after_hwframe+0x42/0xb7 [ 44.129110] Code: 00 fc ff df 48 89 fa 48 c1 ea 03 80 3c 02 00 0f 85 0d 04 00 00 48 8b 6d 58 48 29 dd e8 33 33 0d ff 49 39 ed 76 07 e8 29 33 0d ff <0f> 0b e8 22 33 0d ff 4c 29 ed 49 39 ee 77 ec e8 15 33 0d ff 41 2019/03/27 02:49:35 executed programs: 46 [ 44.155450] RIP: binder_alloc_do_buffer_copy+0xc7/0x500 RSP: ffff8881d6ba75d0 [ 44.170403] invalid opcode: 0000 [#3] PREEMPT SMP KASAN NOPTI [ 44.177102] Modules linked in: [ 44.180788] CPU: 1 PID: 2909 Comm: syz-executor.3 Tainted: G D 4.14.108+ #38 [ 44.192621] task: ffff8881c40e2f00 task.stack: ffff8881d6018000 [ 44.198773] RIP: 0010:binder_alloc_do_buffer_copy+0xc7/0x500 [ 44.204552] RSP: 0018:ffff8881d601f5d0 EFLAGS: 00010297 [ 44.209902] RAX: ffff8881c40e2f00 RBX: 0000000020001040 RCX: 0000200000000000 [ 44.217251] RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffff8881c9a0a458 [ 44.225047] RBP: 0000000000000020 R08: ffff8881d601f8b0 R09: 0000000000000028 [ 44.232494] R10: ffffed103ac03f06 R11: ffff8881d601f837 R12: ffff8881d67f9498 [ 44.241069] R13: 0000000000000028 R14: 0000200000000000 R15: ffff8881d601f8b0 [ 44.248848] FS: 00007fa349633700(0000) GS:ffff8881dbb00000(0000) knlGS:0000000000000000 [ 44.257620] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 44.263676] CR2: 000000000073c000 CR3: 00000001d6b58006 CR4: 00000000001606a0 [ 44.271113] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 [ 44.279181] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 [ 44.286618] Call Trace: [ 44.289211] ? binder_alloc_do_buffer_copy+0x1ef/0x500 [ 44.294571] binder_get_object+0x90/0x190 [ 44.298715] binder_transaction+0x1e2d/0x5640 [ 44.303208] ? SyS_ioctl+0x7f/0xb0 [ 44.306747] ? binder_inc_ref_for_node+0xba0/0xba0 [ 44.311665] ? trace_hardirqs_on+0x10/0x10 [ 44.315893] ? __save_stack_trace+0x7a/0xf0 [ 44.320210] ? depot_save_stack+0x11d/0x418 [ 44.324514] ? __might_fault+0x104/0x1b0 [ 44.328579] ? lock_downgrade+0x5d0/0x5d0 [ 44.332706] ? 
lock_acquire+0x10f/0x380
[ 44.336663] ? __might_fault+0xd4/0x1b0
[ 44.340877] ? lock_acquire+0x10f/0x380
[ 44.344838] ? __might_fault+0x177/0x1b0
[ 44.349001] ? binder_thread_write+0x512/0x1f90
[ 44.353823] ? migrate_swap_stop+0x810/0x810
[ 44.358219] ? plist_check_list+0x70/0xa0
[ 44.362368] ? binder_transaction+0x5640/0x5640
[ 44.367023] ? fs_reclaim_acquire+0x10/0x10
[ 44.371328] ? lock_downgrade+0x5d0/0x5d0
[ 44.375456] ? lock_acquire+0x10f/0x380
[ 44.379415] ? __might_fault+0xd4/0x1b0
[ 44.383379] ? __might_fault+0x177/0x1b0
[ 44.387426] ? binder_ioctl+0xd48/0x14ea
[ 44.391652] ? binder_poll+0x230/0x230
[ 44.395526] ? trace_hardirqs_on+0x10/0x10
[ 44.399744] ? trace_hardirqs_on+0x10/0x10
[ 44.403976] ? kasan_unpoison_shadow+0x30/0x40
[ 44.408546] ? mmap_region+0x182/0xf00
[ 44.412503] ? binder_poll+0x230/0x230
[ 44.416390] ? do_vfs_ioctl+0xabe/0x1040
[ 44.420442] ? selinux_file_ioctl+0x426/0x590
[ 44.425109] ? selinux_file_ioctl+0x116/0x590
[ 44.429698] ? ioctl_preallocate+0x1e0/0x1e0
[ 44.434268] ? selinux_parse_skb.constprop.0+0x16b0/0x16b0
[ 44.440137] ? __fget+0x1ff/0x360
[ 44.443587] ? lock_downgrade+0x5d0/0x5d0
[ 44.447977] ? lock_acquire+0x10f/0x380
[ 44.452207] ? __fget+0x44/0x360
[ 44.455584] ? security_file_ioctl+0x7c/0xb0
[ 44.459977] ? SyS_ioctl+0x7f/0xb0
[ 44.463848] ? do_vfs_ioctl+0x1040/0x1040
[ 44.468067] ? do_syscall_64+0x19b/0x4b0
[ 44.472640] ? entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 44.478000] Code: 00 fc ff df 48 89 fa 48 c1 ea 03 80 3c 02 00 0f 85 0d 04 00 00 48 8b 6d 58 48 29 dd e8 33 33 0d ff 49 39 ed 76 07 e8 29 33 0d ff <0f> 0b e8 22 33 0d ff 4c 29 ed 49 39 ee 77 ec e8 15 33 0d ff 41
[ 44.497242] RIP: binder_alloc_do_buffer_copy+0xc7/0x500 RSP: ffff8881d601f5d0
[ 44.504611] invalid opcode: 0000 [#4] PREEMPT SMP KASAN NOPTI
[ 44.510517] Modules linked in:
[ 44.513399] binder: BINDER_SET_CONTEXT_MGR already set
[ 44.513746] CPU: 0 PID: 2905 Comm: syz-executor.2 Tainted: G D 4.14.108+ #38
[ 44.521151] binder: 2911:2914 ioctl 40046207 0 returned -16
[ 44.528647] task: ffff8881c4088000 task.stack: ffff8881d6100000
[ 44.528665] RIP: 0010:binder_alloc_do_buffer_copy+0xc7/0x500
[ 44.528668] RSP: 0018:ffff8881d61075d0 EFLAGS: 00010297
[ 44.528679] RAX: ffff8881c4088000 RBX: 0000000020001020 RCX: 0000200000000000
[ 44.535028] binder_alloc: binder_alloc_mmap_handler: 2911 20001000-20004000 already mapped failed -16
[ 44.540710] RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffff8881d6ef4e58
[ 44.540714] RBP: 0000000000000020 R08: ffff8881d61078b0 R09: 0000000000000028
[ 44.540717] R10: ffffed103ac20f06 R11: ffff8881d6107837 R12: ffff8881d67f9498
[ 44.540721] R13: 0000000000000028 R14: 0000200000000000 R15: ffff8881d61078b0
[ 44.540726] FS: 00007fba8baac700(0000) GS:ffff8881dba00000(0000) knlGS:0000000000000000
[ 44.540729] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 44.540732] CR2: 00007ffca2aa32e8 CR3: 00000001d1ae4004 CR4: 00000000001606b0
[ 44.540738] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 44.540741] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[ 44.540744] Call Trace:
[ 44.540764] ? binder_alloc_do_buffer_copy+0x1ef/0x500
[ 44.540776] binder_get_object+0x90/0x190
[ 44.546785] binder: BINDER_SET_CONTEXT_MGR already set
[ 44.552473] binder_transaction+0x1e2d/0x5640
[ 44.552493] ? SyS_ioctl+0x7f/0xb0
[ 44.552498] ? binder_inc_ref_for_node+0xba0/0xba0
[ 44.552509] ? trace_hardirqs_on+0x10/0x10
[ 44.552522] ? __save_stack_trace+0x7a/0xf0
[ 44.559804] binder: 2911:2914 ioctl 40046207 0 returned -16
[ 44.569208] ? depot_save_stack+0x11d/0x418
[ 44.569218] ? __might_fault+0x104/0x1b0
[ 44.569224] ? lock_downgrade+0x5d0/0x5d0
[ 44.569229] ? lock_acquire+0x10f/0x380
[ 44.569233] ? __might_fault+0xd4/0x1b0
[ 44.569239] ? lock_acquire+0x10f/0x380
[ 44.569246] ? __might_fault+0x177/0x1b0
[ 44.569255] ? binder_thread_write+0x512/0x1f90
[ 44.569263] ? binder_get_thread+0x1b3/0x800
[ 44.569269] ? binder_transaction+0x5640/0x5640
[ 44.569280] ? fs_reclaim_acquire+0x10/0x10
[ 44.569288] ? lock_downgrade+0x5d0/0x5d0
[ 44.569293] ? lock_acquire+0x10f/0x380
[ 44.569299] ? __might_fault+0xd4/0x1b0
[ 44.569308] ? __might_fault+0x177/0x1b0
[ 44.569314] ? binder_ioctl+0xd48/0x14ea
[ 44.569321] ? binder_poll+0x230/0x230
[ 44.569327] ? trace_hardirqs_on+0x10/0x10
[ 44.569333] ? trace_hardirqs_on+0x10/0x10
[ 44.569345] ? binder_poll+0x230/0x230
[ 44.569353] ? do_vfs_ioctl+0xabe/0x1040
[ 44.569360] ? selinux_file_ioctl+0x426/0x590
[ 44.569364] ? selinux_file_ioctl+0x116/0x590
[ 44.569372] ? ioctl_preallocate+0x1e0/0x1e0
[ 44.569382] ? selinux_parse_skb.constprop.0+0x16b0/0x16b0
[ 44.569390] ? __fget+0x1ff/0x360
[ 44.569398] ? lock_downgrade+0x5d0/0x5d0
[ 44.569402] ? lock_acquire+0x10f/0x380
[ 44.569408] ? __fget+0x44/0x360
[ 44.569422] ? security_file_ioctl+0x7c/0xb0
[ 44.569430] ? SyS_ioctl+0x7f/0xb0
[ 44.569437] ? do_vfs_ioctl+0x1040/0x1040
[ 44.569445] ? do_syscall_64+0x19b/0x4b0
[ 44.569460] ? entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 44.569471] Code: 00 fc ff df 48 89 fa 48 c1 ea 03 80 3c 02 00 0f 85 0d 04 00 00 48 8b 6d 58 48 29 dd e8 33
[ 44.577085] ------------[ cut here ]------------
[ 44.584128] 33
[ 44.591734] kernel BUG at drivers/android/binder_alloc.c:1130!
[ 44.847329] 0d ff 49 39 ed 76 07 e8 29 33 0d ff <0f> 0b e8 22 33 0d ff 4c 29 ed 49 39 ee 77 ec e8 15 33 0d ff 41
[ 44.857958] RIP: binder_alloc_do_buffer_copy+0xc7/0x500 RSP: ffff8881d61075d0
[ 44.865914] invalid opcode: 0000 [#5] PREEMPT SMP KASAN NOPTI
[ 44.871826] Modules linked in:
[ 44.875129] CPU: 1 PID: 2915 Comm: syz-executor.4 Tainted: G D 4.14.108+ #38
[ 44.880034] binder: BINDER_SET_CONTEXT_MGR already set
[ 44.883467] task: ffff8881cc9c1780 task.stack: ffff8881d64b8000
[ 44.883486] RIP: 0010:binder_alloc_do_buffer_copy+0xc7/0x500
[ 44.883494] RSP: 0018:ffff8881d64bf5d0 EFLAGS: 00010297
[ 44.891953] binder: 2913:2916 ioctl 40046207 0 returned -16
[ 44.894905] RAX: ffff8881cc9c1780 RBX: 0000000020001060 RCX: 0000200000000000
[ 44.894908] RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffff8881c9a0ab58
[ 44.894912] RBP: 0000000000000020 R08: ffff8881d64bf8b0 R09: 0000000000000028
[ 44.894916] R10: ffffed103ac97f06 R11: ffff8881d64bf837 R12: ffff8881d67f9498
[ 44.894920] R13: 0000000000000028 R14: 0000200000000000 R15: ffff8881d64bf8b0
[ 44.894926] FS: 00007f90e8162700(0000) GS:ffff8881dbb00000(0000) knlGS:0000000000000000
[ 44.894930] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 44.894936] CR2: 000000000073c000 CR3: 00000001d694a001 CR4: 00000000001606a0
[ 44.901569] binder_alloc: binder_alloc_mmap_handler: 2913 20001000-20004000 already mapped failed -16
[ 44.906445] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 44.906449] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[ 44.906452] Call Trace:
[ 44.906477] ? binder_alloc_do_buffer_copy+0x1ef/0x500
[ 44.906490] binder_get_object+0x90/0x190
[ 44.912824] binder: BINDER_SET_CONTEXT_MGR already set
[ 44.919467] binder_transaction+0x1e2d/0x5640
[ 44.919490] ? SyS_ioctl+0x7f/0xb0
[ 44.927141] ------------[ cut here ]------------
[ 44.934150] ? binder_inc_ref_for_node+0xba0/0xba0
[ 44.941411] kernel BUG at drivers/android/binder_alloc.c:1130!
[ 44.948931] ? trace_hardirqs_on+0x10/0x10
[ 44.957561] binder: 2913:2916 ioctl 40046207 0 returned -16
[ 44.963013] ? __save_stack_trace+0x7a/0xf0
[ 44.963027] ? depot_save_stack+0x11d/0x418
[ 44.963038] ? __might_fault+0x104/0x1b0
[ 44.963045] ? lock_downgrade+0x5d0/0x5d0
[ 44.963049] ? lock_acquire+0x10f/0x380
[ 44.963057] ? __might_fault+0xd4/0x1b0
[ 45.071713] ? lock_acquire+0x10f/0x380
[ 45.075675] ? __might_fault+0x177/0x1b0
[ 45.079730] ? binder_thread_write+0x512/0x1f90
[ 45.084384] ? ___slab_alloc.constprop.0+0x354/0x470
[ 45.089563] ? migrate_swap_stop+0x810/0x810
[ 45.094151] ? binder_get_thread+0x1b3/0x800
[ 45.098547] ? plist_check_list+0x70/0xa0
[ 45.102775] ? binder_transaction+0x5640/0x5640
[ 45.107431] ? fs_reclaim_acquire+0x10/0x10
[ 45.111739] ? lock_downgrade+0x5d0/0x5d0
[ 45.116129] ? lock_acquire+0x10f/0x380
[ 45.120225] ? __might_fault+0xd4/0x1b0
[ 45.124829] ? __might_fault+0x177/0x1b0
[ 45.129226] ? binder_ioctl+0xd48/0x14ea
[ 45.133624] ? binder_poll+0x230/0x230
[ 45.137759] ? trace_hardirqs_on+0x10/0x10
[ 45.141974] ? trace_hardirqs_on+0x10/0x10
[ 45.147115] ? kasan_unpoison_shadow+0x30/0x40
[ 45.151772] ? mmap_region+0x182/0xf00
[ 45.155641] ? binder_poll+0x230/0x230
[ 45.159625] ? do_vfs_ioctl+0xabe/0x1040
[ 45.163962] ? selinux_file_ioctl+0x426/0x590
[ 45.168447] ? selinux_file_ioctl+0x116/0x590
[ 45.173707] ? ioctl_preallocate+0x1e0/0x1e0
[ 45.178206] ? selinux_parse_skb.constprop.0+0x16b0/0x16b0
[ 45.188713] ? __fget+0x1ff/0x360
[ 45.193047] ? lock_downgrade+0x5d0/0x5d0
[ 45.197181] ? lock_acquire+0x10f/0x380
[ 45.201139] ? __fget+0x44/0x360
[ 45.204592] ? security_file_ioctl+0x7c/0xb0
[ 45.208992] ? SyS_ioctl+0x7f/0xb0
[ 45.212606] ? do_vfs_ioctl+0x1040/0x1040
[ 45.217432] ? do_syscall_64+0x19b/0x4b0
[ 45.222869] ? entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 45.228236] Code: 00 fc ff df 48 89 fa 48 c1 ea 03 80 3c 02 00 0f 85 0d 04 00 00 48 8b 6d 58 48 29 dd e8 33 33 0d ff 49 39 ed 76 07 e8 29 33 0d ff <0f> 0b e8 22 33 0d ff 4c 29 ed 49 39 ee 77 ec e8 15 33 0d ff 41
[ 45.247968] RIP: binder_alloc_do_buffer_copy+0xc7/0x500 RSP: ffff8881d64bf5d0
[ 45.255509] invalid opcode: 0000 [#6] PREEMPT SMP KASAN NOPTI
[ 45.261502] Modules linked in:
[ 45.264703] CPU: 0 PID: 2917 Comm: syz-executor.1 Tainted: G D 4.14.108+ #38
[ 45.264796] ---[ end trace e3748da8144b2b2a ]---
[ 45.273111] task: ffff8881c408c680 task.stack: ffff8881d6700000
[ 45.273128] RIP: 0010:binder_alloc_do_buffer_copy+0xc7/0x500
[ 45.273131] RSP: 0018:ffff8881d67075d0 EFLAGS: 00010297
[ 45.273137] RAX: ffff8881c408c680 RBX: 0000000020001080 RCX: 0000200000000000
[ 45.273140] RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffff8881d737dcd8
[ 45.273143] RBP: 0000000000000020 R08: ffff8881d67078b0 R09: 0000000000000028
[ 45.273146] R10: ffffed103ace0f06 R11: ffff8881d6707837 R12: ffff8881d67f9498
[ 45.273149] R13: 0000000000000028 R14: 0000200000000000 R15: ffff8881d67078b0
[ 45.273154] FS: 00007f89b77ef700(0000) GS:ffff8881dba00000(0000) knlGS:0000000000000000
[ 45.273158] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 45.273161] CR2: 000000000073c000 CR3: 00000001d234a005 CR4: 00000000001606b0
[ 45.273168] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 45.273171] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[ 45.273173] Call Trace:
[ 45.273186] ? binder_alloc_do_buffer_copy+0x1ef/0x500
[ 45.278557] Kernel panic - not syncing: Fatal exception
[ 45.284552] binder_get_object+0x90/0x190
[ 45.388008] binder_transaction+0x1e2d/0x5640
[ 45.393124] ? SyS_ioctl+0x7f/0xb0
[ 45.396821] ? binder_inc_ref_for_node+0xba0/0xba0
[ 45.402023] ? trace_hardirqs_on+0x10/0x10
[ 45.406243] ? __save_stack_trace+0x7a/0xf0
[ 45.410820] ? depot_save_stack+0x11d/0x418
[ 45.415130] ? __might_fault+0x104/0x1b0
[ 45.419437] ? lock_downgrade+0x5d0/0x5d0
[ 45.423707] ? lock_acquire+0x10f/0x380
[ 45.427751] ? __might_fault+0xd4/0x1b0
[ 45.431942] ? lock_acquire+0x10f/0x380
[ 45.435934] ? __might_fault+0x177/0x1b0
[ 45.440160] ? binder_thread_write+0x512/0x1f90
[ 45.444915] ? migrate_swap_stop+0x810/0x810
[ 45.452691] ? plist_check_list+0x70/0xa0
[ 45.457151] ? binder_transaction+0x5640/0x5640
[ 45.461832] ? fs_reclaim_acquire+0x10/0x10
[ 45.466328] ? lock_downgrade+0x5d0/0x5d0
[ 45.470554] ? lock_acquire+0x10f/0x380
[ 45.474521] ? __might_fault+0xd4/0x1b0
[ 45.478572] ? __might_fault+0x177/0x1b0
[ 45.482647] ? binder_ioctl+0xd48/0x14ea
[ 45.487228] ? binder_poll+0x230/0x230
[ 45.491098] ? trace_hardirqs_on+0x10/0x10
[ 45.495404] ? trace_hardirqs_on+0x10/0x10
[ 45.499921] ? kasan_unpoison_shadow+0x30/0x40
[ 45.504688] ? mmap_region+0x182/0xf00
[ 45.508560] ? binder_poll+0x230/0x230
[ 45.512438] ? do_vfs_ioctl+0xabe/0x1040
[ 45.516486] ? selinux_file_ioctl+0x426/0x590
[ 45.520962] ? selinux_file_ioctl+0x116/0x590
[ 45.525458] ? ioctl_preallocate+0x1e0/0x1e0
[ 45.529964] ? selinux_parse_skb.constprop.0+0x16b0/0x16b0
[ 45.535576] ? __fget+0x1ff/0x360
[ 45.539022] ? lock_downgrade+0x5d0/0x5d0
[ 45.543172] ? lock_acquire+0x10f/0x380
[ 45.547376] ? __fget+0x44/0x360
[ 45.550829] ? security_file_ioctl+0x7c/0xb0
[ 45.555413] ? SyS_ioctl+0x7f/0xb0
[ 45.559128] ? do_vfs_ioctl+0x1040/0x1040
[ 45.563451] ? do_syscall_64+0x19b/0x4b0
[ 45.567502] ? entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 45.572875] Code: 00 fc ff df 48 89 fa 48 c1 ea 03 80 3c 02 00 0f 85 0d 04 00 00 48 8b 6d 58 48 29 dd e8 33 33 0d ff 49 39 ed 76 07 e8 29 33 0d ff <0f> 0b e8 22 33 0d ff 4c 29 ed 49 39 ee 77 ec e8 15 33 0d ff 41
[ 45.594505] RIP: binder_alloc_do_buffer_copy+0xc7/0x500 RSP: ffff8881d67075d0
[ 45.604618] Kernel Offset: 0x22400000 from 0xffffffff81000000 (relocation range: 0xffffffff80000000-0xffffffffbfffffff)
[ 45.618765] Rebooting in 86400 seconds..