INIT: Entering runlevel: 2
[info] Using makefile-style concurrent boot in runlevel 2.
[ ok ] Starting enhanced syslogd: rsyslogd.
[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.

Debian GNU/Linux 7 syzkaller ttyS0

Warning: Permanently added '10.128.0.21' (ECDSA) to the list of known hosts.
executing program
syzkaller login: [ 26.699201] binder: 3771:3772 ERROR: BC_REGISTER_LOOPER called without request
[ 26.720293] binder: release 3771:3772 transaction 3 out, still active
[ 26.726919] binder: release 3771:3772 transaction 2 in, still active
[ 26.733561] binder: undelivered TRANSACTION_COMPLETE
executing program
[ 26.830610] binder: release 3771:3773 transaction 4 in, still active
[ 26.837153] binder: send failed reply for transaction 4 to 3771:3773
[ 26.844078] ==================================================================
[ 26.847718] binder: 3774:3775 ERROR: BC_REGISTER_LOOPER called without request
[ 26.858894] BUG: KASAN: use-after-free in __list_del_entry+0x1a9/0x1c0
[ 26.865543] Read of size 8 at addr ffff8801cfec7c10 by task kworker/0:1/25
[ 26.868833] binder: release 3774:3775 transaction 7 out, still active
[ 26.868838] binder: release 3774:3775 transaction 6 in, still active
[ 26.868841] binder: undelivered TRANSACTION_COMPLETE
[ 26.890630]
[ 26.892242] CPU: 0 PID: 25 Comm: kworker/0:1 Not tainted 4.9.93-gcb02358 #2
[ 26.899318] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 26.910311] Workqueue: events binder_deferred_func
[ 26.915366]  ffff8801d9527a58 ffffffff81d9c249 ffffea00073fb1c0 ffff8801cfec7c10
[ 26.923582]  0000000000000000 ffff8801cfec7c10 ffffed00395d1f79 ffff8801d9527a90
[ 26.931615]  ffffffff8156533b ffff8801cfec7c10 0000000000000008 0000000000000000
[ 26.939637] Call Trace:
[ 26.942212]  [] dump_stack+0xc1/0x128
[ 26.947564]  [] print_address_description+0x6c/0x234
[ 26.954217]  [] kasan_report.cold.6+0xac/0x2f5
[ 26.960348]  [] ? __list_del_entry+0x1a9/0x1c0
[ 26.966478]  [] __asan_report_load8_noabort+0x14/0x20
[ 26.973215]  [] __list_del_entry+0x1a9/0x1c0
[ 26.979805]  [] binder_release_work+0x6f/0x1d0
[ 26.985923]  [] ? binder_send_failed_reply+0x1c8/0x230
[ 26.992746]  [] binder_thread_release+0x425/0x520
[ 26.999136]  [] binder_deferred_func+0x44d/0xc30
[ 27.005536]  [] ? __lock_is_held+0xa2/0xf0
[ 27.011323]  [] process_one_work+0x7e1/0x1500
[ 27.017376]  [] ? process_one_work+0x728/0x1500
[ 27.023592]  [] ? pwq_dec_nr_in_flight+0x2e0/0x2e0
[ 27.030091]  [] worker_thread+0xd6/0x10a0
[ 27.035782]  [] ? __schedule+0x655/0x1bd0
[ 27.041467]  [] kthread+0x26d/0x300
[ 27.046637]  [] ? process_one_work+0x1500/0x1500
[ 27.052949]  [] ? kthread_park+0xa0/0xa0
[ 27.058546]  [] ? kthread_park+0xa0/0xa0
[ 27.064153]  [] ? kthread_park+0xa0/0xa0
[ 27.069768]  [] ret_from_fork+0x5c/0x70
[ 27.075296]
[ 27.076911] Allocated by task 3773:
[ 27.080517]  save_stack_trace+0x16/0x20
[ 27.084467]  save_stack+0x43/0xd0
[ 27.087901]  kasan_kmalloc+0xc7/0xe0
[ 27.091600]  kmem_cache_alloc_trace+0xfd/0x2b0
[ 27.096166]  binder_transaction+0x8d5/0x6230
[ 27.100637]  binder_thread_write+0xa40/0x2170
[ 27.105110]  binder_ioctl_write_read.isra.46+0x1eb/0x810
[ 27.110546]  binder_ioctl+0x702/0x1160
[ 27.114887]  do_vfs_ioctl+0x1ac/0x1150
[ 27.118751]  SyS_ioctl+0x8f/0xc0
[ 27.122092]  do_syscall_64+0x1a6/0x490
[ 27.126042]  entry_SYSCALL_64_after_swapgs+0x5d/0xdb
[ 27.131114]
[ 27.132718] Freed by task 25:
[ 27.135823]  save_stack_trace+0x16/0x20
[ 27.139771]  save_stack+0x43/0xd0
[ 27.143196]  kasan_slab_free+0x72/0xc0
[ 27.147328]  kfree+0xfb/0x310
[ 27.150410]  binder_free_transaction+0x6a/0x90
[ 27.154971]  binder_send_failed_reply+0x1c3/0x230
[ 27.159792]  binder_thread_release+0x413/0x520
[ 27.164349]  binder_deferred_func+0x44d/0xc30
[ 27.168821]  process_one_work+0x7e1/0x1500
[ 27.173031]  worker_thread+0xd6/0x10a0
[ 27.176893]  kthread+0x26d/0x300
[ 27.180248]  ret_from_fork+0x5c/0x70
[ 27.183955]
[ 27.185565] The buggy address belongs to the object at ffff8801cfec7c00
[ 27.185565]  which belongs to the cache kmalloc-192 of size 192
[ 27.198217] The buggy address is located 16 bytes inside of
[ 27.198217]  192-byte region [ffff8801cfec7c00, ffff8801cfec7cc0)
[ 27.209993] The buggy address belongs to the page:
[ 27.214923] page:ffffea00073fb1c0 count:1 mapcount:0 mapping:          (null) index:0xffff8801cfec7600
[ 27.224481] flags: 0x8000000000000080(slab)
[ 27.228774] page dumped because: kasan: bad access detected
[ 27.234453]
[ 27.236053] Memory state around the buggy address:
[ 27.240955]  ffff8801cfec7b00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 27.248287]  ffff8801cfec7b80: 00 00 fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 27.255619] >ffff8801cfec7c00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 27.263041]                          ^
[ 27.266901]  ffff8801cfec7c80: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 27.274238]  ffff8801cfec7d00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 27.281565] ==================================================================
[ 27.288893] Disabling lock debugging due to kernel taint
[ 27.294551] Kernel panic - not syncing: panic_on_warn set ...
[ 27.294551]
[ 27.301908] CPU: 0 PID: 25 Comm: kworker/0:1 Tainted: G    B   4.9.93-gcb02358 #2
[ 27.310192] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 27.319526] Workqueue: events binder_deferred_func
[ 27.324543]  ffff8801d95279b8 ffffffff81d9c249 ffffffff841a8689 00000000ffffffff
[ 27.332564]  0000000000000000 0000000000000000 ffffed00395d1f79 ffff8801d9527a78
[ 27.340556]  ffffffff8141f825 0000000041b58ab3 ffffffff8419bdc0 ffffffff8141f666
[ 27.348643] Call Trace:
[ 27.351204]  [] dump_stack+0xc1/0x128
[ 27.356555]  [] panic+0x1bf/0x3bc
[ 27.361545]  [] ? add_taint.cold.6+0x16/0x16
[ 27.367490]  [] kasan_end_report+0x47/0x4f
[ 27.373261]  [] kasan_report.cold.6+0xc9/0x2f5
[ 27.379387]  [] ? __list_del_entry+0x1a9/0x1c0
[ 27.385516]  [] __asan_report_load8_noabort+0x14/0x20
[ 27.392243]  [] __list_del_entry+0x1a9/0x1c0
[ 27.398188]  [] binder_release_work+0x6f/0x1d0
[ 27.405179]  [] ? binder_send_failed_reply+0x1c8/0x230
[ 27.412002]  [] binder_thread_release+0x425/0x520
[ 27.418402]  [] binder_deferred_func+0x44d/0xc30
[ 27.424714]  [] ? __lock_is_held+0xa2/0xf0
[ 27.430493]  [] process_one_work+0x7e1/0x1500
[ 27.436529]  [] ? process_one_work+0x728/0x1500
[ 27.442743]  [] ? pwq_dec_nr_in_flight+0x2e0/0x2e0
[ 27.449228]  [] worker_thread+0xd6/0x10a0
[ 27.454914]  [] ? __schedule+0x655/0x1bd0
[ 27.460699]  [] kthread+0x26d/0x300
[ 27.465868]  [] ? process_one_work+0x1500/0x1500
[ 27.472171]  [] ? kthread_park+0xa0/0xa0
[ 27.477809]  [] ? kthread_park+0xa0/0xa0
[ 27.483426]  [] ? kthread_park+0xa0/0xa0
[ 27.489034]  [] ret_from_fork+0x5c/0x70
[ 27.495178] Dumping ftrace buffer:
[ 27.498704]    (ftrace buffer empty)
[ 27.502396] Kernel Offset: disabled
[ 27.506006] Rebooting in 86400 seconds..