Warning: Permanently added '10.128.0.17' (ECDSA) to the list of known hosts.
[ 28.032622] random: sshd: uninitialized urandom read (32 bytes read, 120 bits of entropy available)
executing program
[ 28.127071] ==================================================================
[ 28.134451] BUG: KASAN: use-after-free in __lock_acquire+0x387e/0x4b50
[ 28.141087] Read of size 8 at addr ffff8801d0987c38 by task syzkaller768682/3316
[ 28.148587]
[ 28.150188] CPU: 0 PID: 3316 Comm: syzkaller768682 Not tainted 4.4.112-g3fc4284 #25
[ 28.158760] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 28.168087] 0000000000000000 097de74ceb5ecfa6 ffff8801d0b0f850 ffffffff81d054ed
[ 28.176050] ffffea0007426180 ffff8801d0987c38 0000000000000000 ffff8801d0987c38
[ 28.184014] 0000000000000000 ffff8801d0b0f888 ffffffff814fd953 ffff8801d0987c38
[ 28.191976] Call Trace:
[ 28.194537] [] dump_stack+0xc1/0x124
[ 28.199868] [] print_address_description+0x73/0x260
[ 28.206505] [] kasan_report+0x285/0x370
[ 28.212098] [] ? __lock_acquire+0x387e/0x4b50
[ 28.218210] [] __asan_report_load8_noabort+0x14/0x20
[ 28.224939] [] __lock_acquire+0x387e/0x4b50
[ 28.230881] [] ? __lock_acquire+0xb5f/0x4b50
[ 28.236913] [] ? debug_check_no_locks_freed+0x2c0/0x2c0
[ 28.243897] [] ? trace_hardirqs_on_caller+0x38b/0x590
[ 28.250705] [] ? debug_check_no_locks_freed+0x2c0/0x2c0
[ 28.257685] [] ? debug_check_no_locks_freed+0x2c0/0x2c0
[ 28.264672] [] lock_acquire+0x15e/0x460
[ 28.270264] [] ? remove_wait_queue+0x14/0x40
[ 28.276293] [] _raw_spin_lock_irqsave+0x4e/0x70
[ 28.282580] [] ? remove_wait_queue+0x14/0x40
[ 28.288603] [] remove_wait_queue+0x14/0x40
[ 28.294458] [] ep_unregister_pollwait.isra.6+0xa8/0x220
[ 28.301439] [] ? ep_unregister_pollwait.isra.6+0x114/0x220
[ 28.308676] [] ? ep_free+0x1c0/0x1c0
[ 28.314005] [] ep_free+0x93/0x1c0
[ 28.319074] [] ? ep_free+0x1c0/0x1c0
[ 28.324402] [] ep_eventpoll_release+0x44/0x60
[ 28.330514] [] __fput+0x233/0x6d0
[ 28.335583] [] ____fput+0x15/0x20
[ 28.340663] [] task_work_run+0x104/0x180
[ 28.346342] [] do_exit+0x871/0x2a20
[ 28.351588] [] ? handle_mm_fault+0x192d/0x3190
[ 28.357784] [] ? handle_mm_fault+0x3f2/0x3190
[ 28.363899] [] ? release_task+0x1240/0x1240
[ 28.369840] [] do_group_exit+0x108/0x320
[ 28.375520] [] SyS_exit_group+0x1d/0x20
[ 28.381112] [] ? do_group_exit+0x320/0x320
[ 28.386963] [] do_fast_syscall_32+0x314/0x890
[ 28.393077] [] sysenter_flags_fixed+0xd/0x17
[ 28.399102]
[ 28.400710] Allocated by task 3316:
[ 28.404303] [] save_stack_trace+0x26/0x50
[ 28.410189] [] save_stack+0x43/0xd0
[ 28.415553] [] kasan_kmalloc+0xad/0xe0
[ 28.421177] [] kmem_cache_alloc_trace+0x100/0x2b0
[ 28.427756] [] binder_get_thread+0x181/0x7a0
[ 28.433900] [] binder_poll+0x4a/0x210
[ 28.439430] [] SyS_epoll_ctl+0x10b1/0x2050
[ 28.445400] [] do_fast_syscall_32+0x314/0x890
[ 28.451627] [] sysenter_flags_fixed+0xd/0x17
[ 28.457767]
[ 28.459361] Freed by task 3316:
[ 28.462603] [] save_stack_trace+0x26/0x50
[ 28.468483] [] save_stack+0x43/0xd0
[ 28.473843] [] kasan_slab_free+0x72/0xc0
[ 28.479634] [] kfree+0xfc/0x300
[ 28.484649] [] binder_thread_dec_tmpref+0x1c1/0x250
[ 28.491407] [] binder_thread_release+0x27d/0x540
[ 28.497907] [] binder_ioctl+0xb94/0x12e0
[ 28.503705] [] compat_SyS_ioctl+0x28a/0x2540
[ 28.509849] [] do_fast_syscall_32+0x314/0x890
[ 28.516087] [] sysenter_flags_fixed+0xd/0x17
[ 28.522229]
[ 28.523833] The buggy address belongs to the object at ffff8801d0987b80
[ 28.523833] which belongs to the cache kmalloc-512 of size 512
[ 28.536457] The buggy address is located 184 bytes inside of
[ 28.536457] 512-byte region [ffff8801d0987b80, ffff8801d0987d80)
[ 28.548297] The buggy address belongs to the page:
[ 28.566537] ------------[ cut here ]------------
[ 28.571306] WARNING: CPU: 1 PID: 0 at lib/debugobjects.c:263 debug_print_object+0x17d/0x220()
[ 28.579940] ODEBUG: deactivate not available (active state 0) object type: hrtimer hint: 0x8948fff8aa88e883
[ 28.589877] Kernel panic - not syncing: panic_on_warn set ...
[ 28.589877]
[ 28.597211] CPU: 1 PID: 0 Comm: swapper/1 Not tainted 4.4.112-g3fc4284 #25
[ 28.604192] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 28.613522] 0000000000000000 1022a89c643e5938 ffff8801db307ac8 ffffffff81d054ed
[ 28.621495] ffffffff83843200 ffff8801db307ba0 ffffffff839fe0a0 0000000000000009
[ 28.629459] 0000000000000107 ffff8801db307b90 ffffffff81419dca 0000000041b58ab3
[ 28.637429] Call Trace:
[ 28.639982] [] dump_stack+0xc1/0x124
[ 28.646051] [] panic+0x1aa/0x388
[ 28.651050] [] ? percpu_up_read.constprop.45+0xe1/0xe1
[ 28.657953] [] ? warn_slowpath_common+0x10a/0x140
[ 28.664415] [] warn_slowpath_common+0x125/0x140
[ 28.670715] [] ? debug_print_object+0x17d/0x220
[ 28.677004] [] warn_slowpath_fmt+0xc1/0x110
[ 28.682945] [] ? warn_slowpath_common+0x140/0x140
[ 28.689426] [] ? ktime_add_safe+0xa0/0xa0
[ 28.695197] [] debug_print_object+0x17d/0x220
[ 28.701315] [] debug_object_deactivate+0x25d/0x3c0
[ 28.707865] [] ? debug_object_activate+0x500/0x500
[ 28.714418] [] ? dump_page_badflags+0x190/0x250
[ 28.720707] [] ? __lock_is_held+0xa1/0xf0
[ 28.726475] [] ? dump_page_badflags+0x190/0x250
[ 28.732769] [] __hrtimer_run_queues+0x492/0xfe0
[ 28.739061] [] ? hrtimer_fixup_init+0x70/0x70
[ 28.745176] [] ? hrtimer_interrupt+0x131/0x440
[ 28.751378] [] hrtimer_interrupt+0x1a6/0x440
[ 28.757410] [] local_apic_timer_interrupt+0x6a/0xb0
[ 28.764049] [] smp_apic_timer_interrupt+0x76/0xa0
[ 28.770512] [] apic_timer_interrupt+0xa0/0xb0
[ 28.776626] [] ? native_safe_halt+0x6/0x10
[ 28.783215] [] ? trace_hardirqs_on+0xd/0x10
[ 28.789157] [] default_idle+0x55/0x3c0
[ 28.794662] [] arch_cpu_idle+0xa/0x10
[ 28.800089] [] default_idle_call+0x48/0x70
[ 28.805945] [] cpu_startup_entry+0x605/0x820
[ 28.811981] [] ? trace_hardirqs_on_caller+0x38b/0x590
[ 28.818793] [] ? call_cpuidle+0xe0/0xe0
[ 28.824391] [] ? clockevents_register_device+0x122/0x230
[ 28.831466] [] start_secondary+0x304/0x3e0
[ 28.837333] [] ? set_cpu_sibling_map+0x1040/0x1040
[ 29.904854] Shutting down cpus with NMI
[ 29.909517] Dumping ftrace buffer:
[ 29.913202] (ftrace buffer empty)
[ 29.916885] Kernel Offset: disabled
[ 29.920606] Rebooting in 86400 seconds..