INIT: Entering runlevel: 2
[info] Using makefile-style concurrent boot in runlevel 2.
[ ok ] Starting enhanced syslogd: rsyslogd.
[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.

Debian GNU/Linux 7 syzkaller ttyS0

Warning: Permanently added '10.128.10.9' (ECDSA) to the list of known hosts.
2018/04/11 15:47:24 parsed 1 programs
2018/04/11 15:47:24 executed programs: 0
syzkaller login: [   42.781895] IPVS: Creating netns size=2536 id=1
[   42.832139] binder: 3680:3681 ERROR: BC_REGISTER_LOOPER called without request
[   43.633241] binder: release 3680:3681 transaction 3 out, still active
[   43.639846] binder: release 3680:3681 transaction 2 in, still active
[   43.646311] binder: undelivered TRANSACTION_COMPLETE
[   43.651883] binder: 3680:3681 IncRefs 0 refcount change on invalid ref 3 ret -22
[   43.659758] binder: 3680:3681 BC_INCREFS_DONE u0000000000000000 node 1 cookie mismatch 0000000000000004 != 0000000000000000
[   43.671024] binder: 3680:3681 BC_FREE_BUFFER u0000000000000000 no match
[   43.677748] binder: 3680:3681 got transaction to invalid handle
[   43.683796] binder: 3680:3681 transaction failed 29201/-22, size 0-0 line 3010
[   43.693081] binder: undelivered TRANSACTION_ERROR: 29201
[   43.699279] binder: release 3680:3682 transaction 5 in, still active
[   43.705778] binder: send failed reply for transaction 5 to 3680:3682
[   43.712658] ==================================================================
[   43.719996] BUG: KASAN: use-after-free in __list_del_entry+0x1a9/0x1c0
[   43.726633] Read of size 8 at addr ffff8801ce06c510 by task kworker/1:2/1809
[   43.731849] binder: 3684:3685 ERROR: BC_REGISTER_LOOPER called without request
[   43.741115]
[   43.742720] CPU: 1 PID: 1809 Comm: kworker/1:2 Not tainted 4.9.93-gf6bec4e #4
[   43.749963] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   43.759296] Workqueue: events binder_deferred_func
[   43.764312]  ffff8801cefb7a58 ffffffff81d9c299 ffffea0007381b00 ffff8801ce06c510
[   43.772286]  0000000000000000 ffff8801ce06c510 ffffed003847f809 ffff8801cefb7a90
[   43.780265]  ffffffff8156534b ffff8801ce06c510 0000000000000008 0000000000000000
[   43.788240] Call Trace:
[   43.790801]  [] dump_stack+0xc1/0x128
[   43.796137]  [] print_address_description+0x6c/0x234
[   43.802775]  [] kasan_report.cold.6+0xac/0x2f5
[   43.808891]  [] ? __list_del_entry+0x1a9/0x1c0
[   43.815009]  [] __asan_report_load8_noabort+0x14/0x20
[   43.821755]  [] __list_del_entry+0x1a9/0x1c0
[   43.827704]  [] binder_release_work+0x6f/0x1d0
[   43.833818]  [] ? binder_send_failed_reply+0x1c8/0x230
[   43.840637]  [] binder_thread_release+0x425/0x520
[   43.847021]  [] binder_deferred_func+0x44d/0xc30
[   43.853312]  [] ? __lock_is_held+0xa2/0xf0
[   43.859087]  [] process_one_work+0x7e1/0x1500
[   43.865116]  [] ? process_one_work+0x728/0x1500
[   43.871318]  [] ? pwq_dec_nr_in_flight+0x2e0/0x2e0
[   43.877781]  [] worker_thread+0xd6/0x10a0
[   43.883466]  [] ? __schedule+0x655/0x1bd0
[   43.889147]  [] kthread+0x26d/0x300
[   43.894321]  [] ? process_one_work+0x1500/0x1500
[   43.900623]  [] ? kthread_park+0xa0/0xa0
[   43.906216]  [] ? kthread_park+0xa0/0xa0
[   43.911808]  [] ? kthread_park+0xa0/0xa0
[   43.917400]  [] ret_from_fork+0x5c/0x70
[   43.922906]
[   43.924507] Allocated by task 3682:
[   43.928104]  save_stack_trace+0x16/0x20
[   43.932048]  save_stack+0x43/0xd0
[   43.935472]  kasan_kmalloc+0xc7/0xe0
[   43.939157]  kmem_cache_alloc_trace+0xfd/0x2b0
[   43.943717]  binder_transaction+0x8d5/0x6230
[   43.948095]  binder_thread_write+0xa40/0x2170
[   43.952559]  binder_ioctl_write_read.isra.46+0x1eb/0x810
[   43.957980]  binder_ioctl+0x702/0x1160
[   43.961838]  do_vfs_ioctl+0x1ac/0x1150
[   43.965696]  SyS_ioctl+0x8f/0xc0
[   43.969032]  do_syscall_64+0x1a6/0x490
[   43.972891]  entry_SYSCALL_64_after_swapgs+0x5d/0xdb
[   43.977961]
[   43.979561] Freed by task 1809:
[   43.982819]  save_stack_trace+0x16/0x20
[   43.986762]  save_stack+0x43/0xd0
[   43.990185]  kasan_slab_free+0x72/0xc0
[   43.994045]  kfree+0xfb/0x310
[   43.997125]  binder_free_transaction+0x6a/0x90
[   44.001677]  binder_send_failed_reply+0x1c3/0x230
[   44.006491]  binder_thread_release+0x413/0x520
[   44.011044]  binder_deferred_func+0x44d/0xc30
[   44.015510]  process_one_work+0x7e1/0x1500
[   44.019713]  worker_thread+0xd6/0x10a0
[   44.023571]  kthread+0x26d/0x300
[   44.026909]  ret_from_fork+0x5c/0x70
[   44.030588]
[   44.032185] The buggy address belongs to the object at ffff8801ce06c500
[   44.032185]  which belongs to the cache kmalloc-192 of size 192
[   44.044809] The buggy address is located 16 bytes inside of
[   44.044809]  192-byte region [ffff8801ce06c500, ffff8801ce06c5c0)
[   44.056563] The buggy address belongs to the page:
[   44.061463] page:ffffea0007381b00 count:1 mapcount:0 mapping:          (null) index:0x0
[   44.069688] flags: 0x8000000000000080(slab)
[   44.073975] page dumped because: kasan: bad access detected
[   44.079652]
[   44.081250] Memory state around the buggy address:
[   44.086147]  ffff8801ce06c400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   44.093476]  ffff8801ce06c480: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[   44.100802] >ffff8801ce06c500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   44.108129]                          ^
[   44.111983]  ffff8801ce06c580: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[   44.119309]  ffff8801ce06c600: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   44.126635] ==================================================================
[   44.133958] Disabling lock debugging due to kernel taint
[   44.139439] Kernel panic - not syncing: panic_on_warn set ...
[   44.139439]
[   44.146774] CPU: 1 PID: 1809 Comm: kworker/1:2 Tainted: G    B           4.9.93-gf6bec4e #4
[   44.155231] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   44.164564] Workqueue: events binder_deferred_func
[   44.169582]  ffff8801cefb79b8 ffffffff81d9c299 ffffffff841a8679 00000000ffffffff
[   44.177559]  0000000000000000 0000000000000001 ffffed003847f809 ffff8801cefb7a78
[   44.185536]  ffffffff8141f825 0000000041b58ab3 ffffffff8419bdb0 ffffffff8141f666
[   44.193522] Call Trace:
[   44.196081]  [] dump_stack+0xc1/0x128
[   44.201425]  [] panic+0x1bf/0x3bc
[   44.206412]  [] ? add_taint.cold.6+0x16/0x16
[   44.212353]  [] kasan_end_report+0x47/0x4f
[   44.218118]  [] kasan_report.cold.6+0xc9/0x2f5
[   44.224232]  [] ? __list_del_entry+0x1a9/0x1c0
[   44.230346]  [] __asan_report_load8_noabort+0x14/0x20
[   44.237066]  [] __list_del_entry+0x1a9/0x1c0
[   44.243022]  [] binder_release_work+0x6f/0x1d0
[   44.249135]  [] ? binder_send_failed_reply+0x1c8/0x230
[   44.255945]  [] binder_thread_release+0x425/0x520
[   44.262319]  [] binder_deferred_func+0x44d/0xc30
[   44.268607]  [] ? __lock_is_held+0xa2/0xf0
[   44.274377]  [] process_one_work+0x7e1/0x1500
[   44.280404]  [] ? process_one_work+0x728/0x1500
[   44.286607]  [] ? pwq_dec_nr_in_flight+0x2e0/0x2e0
[   44.293076]  [] worker_thread+0xd6/0x10a0
[   44.298757]  [] ? __schedule+0x655/0x1bd0
[   44.304448]  [] kthread+0x26d/0x300
[   44.304453]  [] ? process_one_work+0x1500/0x1500
[   44.304456]  [] ? kthread_park+0xa0/0xa0
[   44.304465]  [] ? kthread_park+0xa0/0xa0
[   44.304468]  [] ? kthread_park+0xa0/0xa0
[   44.304473]  [] ret_from_fork+0x5c/0x70
[   44.309660] Dumping ftrace buffer:
[   44.309662]    (ftrace buffer empty)
[   44.309665] Kernel Offset: disabled
[   44.348999] Rebooting in 86400 seconds..