INIT: Entering runlevel: 2 [info] Using makefile-style concurrent boot in runlevel 2. [....] Starting enhanced syslogd: rsyslogd[?25l[?1c7[ ok 8[?25h[?0c. [....] Starting periodic command scheduler: cron[?25l[?1c7[ ok 8[?25h[?0c. [....] Starting OpenBSD Secure Shell server: sshd[?25l[?1c7[ ok 8[?25h[?0c. Debian GNU/Linux 7 syzkaller ttyS0 Warning: Permanently added 'ci-android-49-kasan-gce-0,10.128.15.228' (ECDSA) to the list of known hosts. executing program syzkaller login: [ 52.183034] ================================================================== [ 52.184173] BUG: KASAN: use-after-free in __lock_acquire+0x2eff/0x3640 at addr ffff8801cc49e838 [ 52.185352] Read of size 8 by task syzkaller947561/3283 [ 52.186118] CPU: 1 PID: 3283 Comm: syzkaller947561 Not tainted 4.9.66-gb763480 #103 [ 52.187144] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 52.188364] ffff8801d154f8b0 ffffffff81d90749 ffff8801da001280 ffff8801cc49e780 [ 52.189491] ffff8801cc49e980 ffffed0039893d07 ffff8801cc49e838 ffff8801d154f8d8 [ 52.190680] ffffffff8153a32c ffffed0039893d07 ffff8801da001280 0000000000000000 [ 52.191828] Call Trace: [ 52.192187] [] dump_stack+0xc1/0x128 [ 52.192900] [] kasan_object_err+0x1c/0x70 [ 52.193664] [] kasan_report.part.1+0x21c/0x500 [ 52.194487] [] ? __lock_acquire+0x2eff/0x3640 [ 52.195317] [] __asan_report_load8_noabort+0x29/0x30 [ 52.196219] [] __lock_acquire+0x2eff/0x3640 [ 52.197024] [] ? __lock_acquire+0x629/0x3640 [ 52.197861] [] ? debug_check_no_locks_freed+0x2c0/0x2c0 [ 52.198817] [] ? debug_check_no_locks_freed+0x2c0/0x2c0 [ 52.199736] [] ? debug_check_no_locks_freed+0x2c0/0x2c0 [ 52.200669] [] ? mark_held_locks+0xaf/0x100 [ 52.201454] [] ? mutex_lock_nested+0x5e3/0x870 [ 52.202272] [] lock_acquire+0x12e/0x410 [ 52.203011] [] ? remove_wait_queue+0x14/0x40 [ 52.208420] [] _raw_spin_lock_irqsave+0x4e/0x70 [ 52.214704] [] ? remove_wait_queue+0x14/0x40 [ 52.220728] [] remove_wait_queue+0x14/0x40 [ 52.226579] [] ep_unregister_pollwait.isra.6+0xaf/0x240 [ 52.233556] [] ? ep_unregister_pollwait.isra.6+0x12a/0x240 [ 52.240795] [] ? ep_free+0x1b0/0x1b0 [ 52.246127] [] ep_free+0x96/0x1b0 [ 52.251194] [] ? ep_free+0x1b0/0x1b0 [ 52.256555] [] ep_eventpoll_release+0x44/0x60 [ 52.262664] [] __fput+0x28c/0x6e0 [ 52.267729] [] ____fput+0x15/0x20 [ 52.272797] [] task_work_run+0x115/0x190 [ 52.278476] [] do_exit+0x7e7/0x2a40 [ 52.283714] [] ? release_task+0x1240/0x1240 [ 52.289651] [] ? __fdget+0x18/0x20 [ 52.294805] [] ? sockfd_lookup_light+0x118/0x160 [ 52.301174] [] ? SyS_setsockopt+0x17f/0x250 [ 52.307116] [] ? SyS_recv+0x40/0x40 [ 52.312359] [] ? entry_SYSCALL_64_fastpath+0x5/0xc6 [ 52.318990] [] do_group_exit+0x108/0x320 [ 52.324663] [] SyS_exit_group+0x1d/0x20 [ 52.330250] [] entry_SYSCALL_64_fastpath+0x23/0xc6 [ 52.336790] Object at ffff8801cc49e780, in cache kmalloc-512 size: 512 [ 52.343427] Allocated: [ 52.345888] PID = 3283 [ 52.348353] save_stack_trace+0x16/0x20 [ 52.352292] save_stack+0x43/0xd0 [ 52.355706] kasan_kmalloc+0xad/0xe0 [ 52.359381] kmem_cache_alloc_trace+0xfb/0x2a0 [ 52.363926] binder_get_thread+0x15d/0x750 [ 52.368124] binder_poll+0x4a/0x210 [ 52.371715] SyS_epoll_ctl+0x11d7/0x2190 [ 52.375740] entry_SYSCALL_64_fastpath+0x23/0xc6 [ 52.380455] Freed: [ 52.382566] PID = 3283 [ 52.385026] save_stack_trace+0x16/0x20 [ 52.388963] save_stack+0x43/0xd0 [ 52.392377] kasan_slab_free+0x73/0xc0 [ 52.396225] kfree+0xf0/0x2f0 [ 52.399293] binder_thread_dec_tmpref+0x1cc/0x240 [ 52.404097] binder_thread_release+0x27d/0x540 [ 52.408641] binder_ioctl+0x9c0/0x11b0 [ 52.412499] do_vfs_ioctl+0x1aa/0x1140 [ 52.416357] SyS_ioctl+0x8f/0xc0 [ 52.419688] entry_SYSCALL_64_fastpath+0x23/0xc6 [ 52.424402] Memory state around the buggy address: [ 52.429293] ffff8801cc49e700: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 52.436615] ffff8801cc49e780: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 52.443936] >ffff8801cc49e800: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 52.451256] ^ [ 52.456406] ffff8801cc49e880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 52.463727] ffff8801cc49e900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 52.471047] ================================================================== [ 52.478368] Disabling lock debugging due to kernel taint [ 52.483777] ================================================================== [ 52.491102] BUG: KASAN: use-after-free in __lock_acquire+0x2c56/0x3640 at addr ffff8801cc49e840 [ 52.499900] Read of size 8 by task syzkaller947561/3283 [ 52.505230] CPU: 1 PID: 3283 Comm: syzkaller947561 Tainted: G B 4.9.66-gb763480 #103 [ 52.514210] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 52.523530] ffff8801d154f8b0 ffffffff81d90749 ffff8801da001280 ffff8801cc49e780 [ 52.531475] ffff8801cc49e980 ffffed0039893d08 ffff8801cc49e840 ffff8801d154f8d8 [ 52.539428] ffffffff8153a32c ffffed0039893d08 ffff8801da001280 0000000000000000 [ 52.547375] Call Trace: [ 52.549927] [] dump_stack+0xc1/0x128 [ 52.555256] [] kasan_object_err+0x1c/0x70 [ 52.561015] [] kasan_report.part.1+0x21c/0x500 [ 52.567211] [] ? __lock_acquire+0x2c56/0x3640 [ 52.573319] [] __asan_report_load8_noabort+0x29/0x30 [ 52.580034] [] __lock_acquire+0x2c56/0x3640 [ 52.585969] [] ? __lock_acquire+0x629/0x3640 [ 52.591997] [] ? debug_check_no_locks_freed+0x2c0/0x2c0 [ 52.598982] [] ? debug_check_no_locks_freed+0x2c0/0x2c0 [ 52.605959] [] ? debug_check_no_locks_freed+0x2c0/0x2c0 [ 52.612934] [] ? mark_held_locks+0xaf/0x100 [ 52.618870] [] ? mutex_lock_nested+0x5e3/0x870 [ 52.625064] [] lock_acquire+0x12e/0x410 [ 52.630660] [] ? remove_wait_queue+0x14/0x40 [ 52.636684] [] _raw_spin_lock_irqsave+0x4e/0x70 [ 52.642965] [] ? remove_wait_queue+0x14/0x40 [ 52.648987] [] remove_wait_queue+0x14/0x40 [ 52.654837] [] ep_unregister_pollwait.isra.6+0xaf/0x240 [ 52.661813] [] ? ep_unregister_pollwait.isra.6+0x12a/0x240 [ 52.669049] [] ? ep_free+0x1b0/0x1b0 [ 52.674382] [] ep_free+0x96/0x1b0 [ 52.679447] [] ? ep_free+0x1b0/0x1b0 [ 52.684772] [] ep_eventpoll_release+0x44/0x60 [ 52.690881] [] __fput+0x28c/0x6e0 [ 52.695945] [] ____fput+0x15/0x20 [ 52.701013] [] task_work_run+0x115/0x190 [ 52.707350] [] do_exit+0x7e7/0x2a40 [ 52.712593] [] ? release_task+0x1240/0x1240 [ 52.718528] [] ? __fdget+0x18/0x20 [ 52.723683] [] ? sockfd_lookup_light+0x118/0x160 [ 52.730053] [] ? SyS_setsockopt+0x17f/0x250 [ 52.735989] [] ? SyS_recv+0x40/0x40 [ 52.741234] [] ? entry_SYSCALL_64_fastpath+0x5/0xc6 [ 52.747864] [] do_group_exit+0x108/0x320 [ 52.753541] [] SyS_exit_group+0x1d/0x20 [ 52.759130] [] entry_SYSCALL_64_fastpath+0x23/0xc6 [ 52.765685] Object at ffff8801cc49e780, in cache kmalloc-512 size: 512 [ 52.772313] Allocated: [ 52.774779] PID = 3283 [ 52.777243] save_stack_trace+0x16/0x20 [ 52.781183] save_stack+0x43/0xd0 [ 52.784597] kasan_kmalloc+0xad/0xe0 [ 52.788272] kmem_cache_alloc_trace+0xfb/0x2a0 [ 52.792817] binder_get_thread+0x15d/0x750 [ 52.797023] binder_poll+0x4a/0x210 [ 52.800612] SyS_epoll_ctl+0x11d7/0x2190 [ 52.804634] entry_SYSCALL_64_fastpath+0x23/0xc6 [ 52.809349] Freed: [ 52.811462] PID = 3283 [ 52.813922] save_stack_trace+0x16/0x20 [ 52.817859] save_stack+0x43/0xd0 [ 52.821275] kasan_slab_free+0x73/0xc0 [ 52.825124] kfree+0xf0/0x2f0 [ 52.828192] binder_thread_dec_tmpref+0x1cc/0x240 [ 52.832998] binder_thread_release+0x27d/0x540 [ 52.837542] binder_ioctl+0x9c0/0x11b0 [ 52.841396] do_vfs_ioctl+0x1aa/0x1140 [ 52.845245] SyS_ioctl+0x8f/0xc0 [ 52.848575] entry_SYSCALL_64_fastpath+0x23/0xc6 [ 52.853289] Memory state around the buggy address: [ 52.858184] ffff8801cc49e700: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 52.865506] ffff8801cc49e780: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 52.872829] >ffff8801cc49e800: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 52.880151] ^ [ 52.885570] ffff8801cc49e880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 52.892902] ffff8801cc49e900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 52.900230] ================================================================== [ 52.907560] ================================================================== [ 52.914893] BUG: KASAN: use-after-free in do_raw_spin_lock+0x1ac/0x1e0 at addr ffff8801cc49e824 [ 52.923691] Read of size 4 by task syzkaller947561/3283 [ 52.929020] CPU: 1 PID: 3283 Comm: syzkaller947561 Tainted: G B 4.9.66-gb763480 #103 [ 52.937988] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 52.947311] ffff8801d154fac0 ffffffff81d90749 ffff8801da001280 ffff8801cc49e780 [ 52.955258] ffff8801cc49e980 ffffed0039893d04 ffff8801cc49e824 ffff8801d154fae8 [ 52.963203] ffffffff8153a32c ffffed0039893d04 ffff8801da001280 0000000000000000 [ 52.971141] Call Trace: [ 52.973694] [] dump_stack+0xc1/0x128 [ 52.979023] [] kasan_object_err+0x1c/0x70 [ 52.984782] [] kasan_report.part.1+0x21c/0x500 [ 52.990976] [] ? mutex_lock_nested+0x5e3/0x870 [ 52.997172] [] ? do_raw_spin_lock+0x1ac/0x1e0 [ 53.003280] [] __asan_report_load4_noabort+0x29/0x30 [ 53.009995] [] do_raw_spin_lock+0x1ac/0x1e0 [ 53.015927] [] _raw_spin_lock_irqsave+0x56/0x70 [ 53.022210] [] ? remove_wait_queue+0x14/0x40 [ 53.028232] [] remove_wait_queue+0x14/0x40 [ 53.034078] [] ep_unregister_pollwait.isra.6+0xaf/0x240 [ 53.041053] [] ? ep_unregister_pollwait.isra.6+0x12a/0x240 [ 53.048289] [] ? ep_free+0x1b0/0x1b0 [ 53.053617] [] ep_free+0x96/0x1b0 [ 53.058685] [] ? ep_free+0x1b0/0x1b0 [ 53.064010] [] ep_eventpoll_release+0x44/0x60 [ 53.070118] [] __fput+0x28c/0x6e0 [ 53.075184] [] ____fput+0x15/0x20 [ 53.080249] [] task_work_run+0x115/0x190 [ 53.085923] [] do_exit+0x7e7/0x2a40 [ 53.091162] [] ? release_task+0x1240/0x1240 [ 53.097098] [] ? __fdget+0x18/0x20 [ 53.102252] [] ? sockfd_lookup_light+0x118/0x160 [ 53.108621] [] ? SyS_setsockopt+0x17f/0x250 [ 53.114555] [] ? SyS_recv+0x40/0x40 [ 53.119800] [] ? entry_SYSCALL_64_fastpath+0x5/0xc6 [ 53.126429] [] do_group_exit+0x108/0x320 [ 53.132115] [] SyS_exit_group+0x1d/0x20 [ 53.137707] [] entry_SYSCALL_64_fastpath+0x23/0xc6 [ 53.144251] Object at ffff8801cc49e780, in cache kmalloc-512 size: 512 [ 53.150877] Allocated: [ 53.153336] PID = 3283 [ 53.155799] save_stack_trace+0x16/0x20 [ 53.159736] save_stack+0x43/0xd0 [ 53.163152] kasan_kmalloc+0xad/0xe0 [ 53.166829] kmem_cache_alloc_trace+0xfb/0x2a0 [ 53.171373] binder_get_thread+0x15d/0x750 [ 53.175570] binder_poll+0x4a/0x210 [ 53.179161] SyS_epoll_ctl+0x11d7/0x2190 [ 53.183189] entry_SYSCALL_64_fastpath+0x23/0xc6 [ 53.187905] Freed: [ 53.190017] PID = 3283 [ 53.192479] save_stack_trace+0x16/0x20 [ 53.196424] save_stack+0x43/0xd0 [ 53.199840] kasan_slab_free+0x73/0xc0 [ 53.203687] kfree+0xf0/0x2f0 [ 53.206755] binder_thread_dec_tmpref+0x1cc/0x240 [ 53.211560] binder_thread_release+0x27d/0x540 [ 53.216102] binder_ioctl+0x9c0/0x11b0 [ 53.219951] do_vfs_ioctl+0x1aa/0x1140 [ 53.223799] SyS_ioctl+0x8f/0xc0 [ 53.227135] entry_SYSCALL_64_fastpath+0x23/0xc6 [ 53.231867] Memory state around the buggy address: [ 53.236760] ffff8801cc49e700: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 53.244082] ffff8801cc49e780: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 53.251406] >ffff8801cc49e800: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 53.258726] ^ [ 53.263096] ffff8801cc49e880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 53.270418] ffff8801cc49e900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 53.277749] ================================================================== [ 53.285069] ================================================================== [ 53.292393] BUG: KASAN: use-after-free in do_raw_spin_lock+0x1d3/0x1e0 at addr ffff8801cc49e830 [ 53.301193] Read of size 8 by task syzkaller947561/3283 [ 53.306520] CPU: 1 PID: 3283 Comm: syzkaller947561 Tainted: G B 4.9.66-gb763480 #103 [ 53.315491] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 53.324809] ffff8801d154fac0 ffffffff81d90749 ffff8801da001280 ffff8801cc49e780 [ 53.332758] ffff8801cc49e980 ffffed0039893d06 ffff8801cc49e830 ffff8801d154fae8 [ 53.340699] ffffffff8153a32c ffffed0039893d06 ffff8801da001280 0000000000000000 [ 53.348644] Call Trace: [ 53.351198] [] dump_stack+0xc1/0x128 [ 53.356528] [] kasan_object_err+0x1c/0x70 [ 53.362290] [] kasan_report.part.1+0x21c/0x500 [ 53.368486] [] ? do_raw_spin_lock+0x1d3/0x1e0 [ 53.374594] [] __asan_report_load8_noabort+0x29/0x30 [ 53.381311] [] do_raw_spin_lock+0x1d3/0x1e0 [ 53.387246] [] _raw_spin_lock_irqsave+0x56/0x70 [ 53.393529] [] ? remove_wait_queue+0x14/0x40 [ 53.399548] [] remove_wait_queue+0x14/0x40 [ 53.405397] [] ep_unregister_pollwait.isra.6+0xaf/0x240 [ 53.412371] [] ? ep_unregister_pollwait.isra.6+0x12a/0x240 [ 53.419605] [] ? ep_free+0x1b0/0x1b0 [ 53.424930] [] ep_free+0x96/0x1b0 [ 53.429996] [] ? ep_free+0x1b0/0x1b0 [ 53.435322] [] ep_eventpoll_release+0x44/0x60 [ 53.441435] [] __fput+0x28c/0x6e0 [ 53.446503] [] ____fput+0x15/0x20 [ 53.451575] [] task_work_run+0x115/0x190 [ 53.457248] [] do_exit+0x7e7/0x2a40 [ 53.462491] [] ? release_task+0x1240/0x1240 [ 53.468423] [] ? __fdget+0x18/0x20 [ 53.473584] [] ? sockfd_lookup_light+0x118/0x160 [ 53.479952] [] ? SyS_setsockopt+0x17f/0x250 [ 53.485884] [] ? SyS_recv+0x40/0x40 [ 53.491125] [] ? entry_SYSCALL_64_fastpath+0x5/0xc6 [ 53.497755] [] do_group_exit+0x108/0x320 [ 53.503427] [] SyS_exit_group+0x1d/0x20 [ 53.509015] [] entry_SYSCALL_64_fastpath+0x23/0xc6 [ 53.515558] Object at ffff8801cc49e780, in cache kmalloc-512 size: 512 [ 53.522180] Allocated: [ 53.524637] PID = 3283 [ 53.527099] save_stack_trace+0x16/0x20 [ 53.531034] save_stack+0x43/0xd0 [ 53.534453] kasan_kmalloc+0xad/0xe0 [ 53.538128] kmem_cache_alloc_trace+0xfb/0x2a0 [ 53.542672] binder_get_thread+0x15d/0x750 [ 53.546868] binder_poll+0x4a/0x210 [ 53.550457] SyS_epoll_ctl+0x11d7/0x2190 [ 53.554481] entry_SYSCALL_64_fastpath+0x23/0xc6 [ 53.559196] Freed: [ 53.561306] PID = 3283 [ 53.563768] save_stack_trace+0x16/0x20 [ 53.567703] save_stack+0x43/0xd0 [ 53.571117] kasan_slab_free+0x73/0xc0 [ 53.574964] kfree+0xf0/0x2f0 [ 53.578033] binder_thread_dec_tmpref+0x1cc/0x240 [ 53.582835] binder_thread_release+0x27d/0x540 [ 53.587381] binder_ioctl+0x9c0/0x11b0 [ 53.591231] do_vfs_ioctl+0x1aa/0x1140 [ 53.595083] SyS_ioctl+0x8f/0xc0 [ 53.598413] entry_SYSCALL_64_fastpath+0x23/0xc6 [ 53.603129] Memory state around the buggy address: [ 53.608020] ffff8801cc49e700: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 53.615343] ffff8801cc49e780: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 53.622665] >ffff8801cc49e800: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 53.629985] ^ [ 53.634875] ffff8801cc49e880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 53.642196] ffff8801cc49e900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 53.649518] ================================================================== [ 53.656839] ================================================================== [ 53.664166] BUG: KASAN: use-after-free in do_raw_spin_lock+0x1a2/0x1e0 at addr ffff8801cc49e828 [ 53.672964] Read of size 4 by task syzkaller947561/3283 [ 53.678294] CPU: 1 PID: 3283 Comm: syzkaller947561 Tainted: G B 4.9.66-gb763480 #103 [ 53.687264] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 53.696590] ffff8801d154fac0 ffffffff81d90749 ffff8801da001280 ffff8801cc49e780 [ 53.704532] ffff8801cc49e980 ffffed0039893d05 ffff8801cc49e828 ffff8801d154fae8 [ 53.712473] ffffffff8153a32c ffffed0039893d05 ffff8801da001280 0000000000000000 [ 53.720417] Call Trace: [ 53.722968] [] dump_stack+0xc1/0x128 [ 53.728296] [] kasan_object_err+0x1c/0x70 [ 53.734056] [] kasan_report.part.1+0x21c/0x500 [ 53.740249] [] ? do_raw_spin_lock+0x1a2/0x1e0 [ 53.746358] [] __asan_report_load4_noabort+0x29/0x30 [ 53.753072] [] do_raw_spin_lock+0x1a2/0x1e0 [ 53.759012] [] _raw_spin_lock_irqsave+0x56/0x70 [ 53.765292] [] ? remove_wait_queue+0x14/0x40 [ 53.771312] [] remove_wait_queue+0x14/0x40 [ 53.777159] [] ep_unregister_pollwait.isra.6+0xaf/0x240 [ 53.784133] [] ? ep_unregister_pollwait.isra.6+0x12a/0x240 [ 53.791367] [] ? ep_free+0x1b0/0x1b0 [ 53.796700] [] ep_free+0x96/0x1b0 [ 53.801765] [] ? ep_free+0x1b0/0x1b0 [ 53.807089] [] ep_eventpoll_release+0x44/0x60 [ 53.813198] [] __fput+0x28c/0x6e0 [ 53.818264] [] ____fput+0x15/0x20 [ 53.823330] [] task_work_run+0x115/0x190 [ 53.829006] [] do_exit+0x7e7/0x2a40 [ 53.834245] [] ? release_task+0x1240/0x1240 [ 53.840178] [] ? __fdget+0x18/0x20 [ 53.845334] [] ? sockfd_lookup_light+0x118/0x160 [ 53.851703] [] ? SyS_setsockopt+0x17f/0x250 [ 53.857732] [] ? SyS_recv+0x40/0x40 [ 53.862971] [] ? entry_SYSCALL_64_fastpath+0x5/0xc6 [ 53.869610] [] do_group_exit+0x108/0x320 [ 53.875290] [] SyS_exit_group+0x1d/0x20 [ 53.880878] [] entry_SYSCALL_64_fastpath+0x23/0xc6 [ 53.887421] Object at ffff8801cc49e780, in cache kmalloc-512 size: 512 [ 53.894047] Allocated: [ 53.896509] PID = 3283 [ 53.898972] save_stack_trace+0x16/0x20 [ 53.902909] save_stack+0x43/0xd0 [ 53.906324] kasan_kmalloc+0xad/0xe0 [ 53.910000] kmem_cache_alloc_trace+0xfb/0x2a0 [ 53.914547] binder_get_thread+0x15d/0x750 [ 53.918743] binder_poll+0x4a/0x210 [ 53.922334] SyS_epoll_ctl+0x11d7/0x2190 [ 53.926366] entry_SYSCALL_64_fastpath+0x23/0xc6 [ 53.931083] Freed: [ 53.933191] PID = 3283 [ 53.935653] save_stack_trace+0x16/0x20 [ 53.939590] save_stack+0x43/0xd0 [ 53.943017] kasan_slab_free+0x73/0xc0 [ 53.946866] kfree+0xf0/0x2f0 [ 53.949934] binder_thread_dec_tmpref+0x1cc/0x240 [ 53.954739] binder_thread_release+0x27d/0x540 [ 53.959285] binder_ioctl+0x9c0/0x11b0 [ 53.963134] do_vfs_ioctl+0x1aa/0x1140 [ 53.966985] SyS_ioctl+0x8f/0xc0 [ 53.970339] entry_SYSCALL_64_fastpath+0x23/0xc6 [ 53.975054] Memory state around the buggy address: [ 53.979946] ffff8801cc49e700: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 53.987267] ffff8801cc49e780: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 53.994591] >ffff8801cc49e800: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 54.001916] ^ [ 54.006548] ffff8801cc49e880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 54.013869] ffff8801cc49e900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 54.021188] ================================================================== [ 54.028513] ================================================================== [ 54.035851] BUG: KASAN: use-after-free in do_raw_spin_lock+0x1b9/0x1e0 at addr ffff8801cc49e828 [ 54.044657] Write of size 4 by task syzkaller947561/3283 [ 54.050072] CPU: 1 PID: 3283 Comm: syzkaller947561 Tainted: G B 4.9.66-gb763480 #103 [ 54.059047] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 54.068369] ffff8801d154fac0 ffffffff81d90749 ffff8801da001280 ffff8801cc49e780 [ 54.076312] ffff8801cc49e980 ffffed0039893d05 ffff8801cc49e828 ffff8801d154fae8 [ 54.084255] ffffffff8153a32c ffffed0039893d05 ffff8801da001280 0000000000000001 [ 54.092210] Call Trace: [ 54.094762] [] dump_stack+0xc1/0x128 [ 54.100090] [] kasan_object_err+0x1c/0x70 [ 54.105851] [] kasan_report.part.1+0x21c/0x500 [ 54.112044] [] ? do_raw_spin_lock+0x1b9/0x1e0 [ 54.118161] [] __asan_report_store4_noabort+0x2c/0x30 [ 54.124965] [] do_raw_spin_lock+0x1b9/0x1e0 [ 54.130900] [] _raw_spin_lock_irqsave+0x56/0x70 [ 54.137184] [] ? remove_wait_queue+0x14/0x40 [ 54.143205] [] remove_wait_queue+0x14/0x40 [ 54.149056] [] ep_unregister_pollwait.isra.6+0xaf/0x240 [ 54.156040] [] ? ep_unregister_pollwait.isra.6+0x12a/0x240 [ 54.163280] [] ? ep_free+0x1b0/0x1b0 [ 54.168604] [] ep_free+0x96/0x1b0 [ 54.173672] [] ? ep_free+0x1b0/0x1b0 [ 54.179000] [] ep_eventpoll_release+0x44/0x60 [ 54.185110] [] __fput+0x28c/0x6e0 [ 54.190188] [] ____fput+0x15/0x20 [ 54.195257] [] task_work_run+0x115/0x190 [ 54.200938] [] do_exit+0x7e7/0x2a40 [ 54.206196] [] ? release_task+0x1240/0x1240 [ 54.212131] [] ? __fdget+0x18/0x20 [ 54.217286] [] ? sockfd_lookup_light+0x118/0x160 [ 54.223661] [] ? SyS_setsockopt+0x17f/0x250 [ 54.229603] [] ? SyS_recv+0x40/0x40 [ 54.234844] [] ? entry_SYSCALL_64_fastpath+0x5/0xc6 [ 54.241473] [] do_group_exit+0x108/0x320 [ 54.247151] [] SyS_exit_group+0x1d/0x20 [ 54.252746] [] entry_SYSCALL_64_fastpath+0x23/0xc6 [ 54.259286] Object at ffff8801cc49e780, in cache kmalloc-512 size: 512 [ 54.265911] Allocated: [ 54.268372] PID = 3283 [ 54.270836] save_stack_trace+0x16/0x20 [ 54.274772] save_stack+0x43/0xd0 [ 54.278190] kasan_kmalloc+0xad/0xe0 [ 54.281865] kmem_cache_alloc_trace+0xfb/0x2a0 [ 54.286413] binder_get_thread+0x15d/0x750 [ 54.290608] binder_poll+0x4a/0x210 [ 54.294200] SyS_epoll_ctl+0x11d7/0x2190 [ 54.298227] entry_SYSCALL_64_fastpath+0x23/0xc6 [ 54.302941] Freed: [ 54.305054] PID = 3283 [ 54.307515] save_stack_trace+0x16/0x20 [ 54.311458] save_stack+0x43/0xd0 [ 54.314873] kasan_slab_free+0x73/0xc0 [ 54.318721] kfree+0xf0/0x2f0 [ 54.321789] binder_thread_dec_tmpref+0x1cc/0x240 [ 54.326593] binder_thread_release+0x27d/0x540 [ 54.331137] binder_ioctl+0x9c0/0x11b0 [ 54.334987] do_vfs_ioctl+0x1aa/0x1140 [ 54.338836] SyS_ioctl+0x8f/0xc0 [ 54.342167] entry_SYSCALL_64_fastpath+0x23/0xc6 [ 54.346893] Memory state around the buggy address: [ 54.351785] ffff8801cc49e700: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 54.359109] ffff8801cc49e780: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 54.366432] >ffff8801cc49e800: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 54.373755] ^ [ 54.378387] ffff8801cc49e880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 54.385710] ffff8801cc49e900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 54.393031] ================================================================== [ 54.400352] ================================================================== [ 54.407677] BUG: KASAN: use-after-free in do_raw_spin_lock+0x1c6/0x1e0 at addr ffff8801cc49e830 [ 54.416474] Write of size 8 by task syzkaller947561/3283 [ 54.421890] CPU: 1 PID: 3283 Comm: syzkaller947561 Tainted: G B 4.9.66-gb763480 #103 [ 54.430862] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 54.440180] ffff8801d154fac0 ffffffff81d90749 ffff8801da001280 ffff8801cc49e780 [ 54.448121] ffff8801cc49e980 ffffed0039893d06 ffff8801cc49e830 ffff8801d154fae8 [ 54.456058] ffffffff8153a32c ffffed0039893d06 ffff8801da001280 0000000000000001 [ 54.464000] Call Trace: [ 54.466550] [] dump_stack+0xc1/0x128 [ 54.471879] [] kasan_object_err+0x1c/0x70 [ 54.477639] [] kasan_report.part.1+0x21c/0x500 [ 54.483835] [] ? do_raw_spin_lock+0x1c6/0x1e0 [ 54.489946] [] __asan_report_store8_noabort+0x2c/0x30 [ 54.496749] [] do_raw_spin_lock+0x1c6/0x1e0 [ 54.502691] [] _raw_spin_lock_irqsave+0x56/0x70 [ 54.508972] [] ? remove_wait_queue+0x14/0x40 [ 54.514994] [] remove_wait_queue+0x14/0x40 [ 54.520842] [] ep_unregister_pollwait.isra.6+0xaf/0x240 [ 54.527818] [] ? ep_unregister_pollwait.isra.6+0x12a/0x240 [ 54.535055] [] ? ep_free+0x1b0/0x1b0 [ 54.540394] [] ep_free+0x96/0x1b0 [ 54.545462] [] ? ep_free+0x1b0/0x1b0 [ 54.550790] [] ep_eventpoll_release+0x44/0x60 [ 54.556899] [] __fput+0x28c/0x6e0 [ 54.561966] [] ____fput+0x15/0x20 [ 54.567032] [] task_work_run+0x115/0x190 [ 54.572709] [] do_exit+0x7e7/0x2a40 [ 54.577949] [] ? release_task+0x1240/0x1240 [ 54.583883] [] ? __fdget+0x18/0x20 [ 54.589040] [] ? sockfd_lookup_light+0x118/0x160 [ 54.595409] [] ? SyS_setsockopt+0x17f/0x250 [ 54.601344] [] ? SyS_recv+0x40/0x40 [ 54.606588] [] ? entry_SYSCALL_64_fastpath+0x5/0xc6 [ 54.613216] [] do_group_exit+0x108/0x320 [ 54.618889] [] SyS_exit_group+0x1d/0x20 [ 54.624476] [] entry_SYSCALL_64_fastpath+0x23/0xc6 [ 54.631019] Object at ffff8801cc49e780, in cache kmalloc-512 size: 512 [ 54.637645] Allocated: [ 54.640102] PID = 3283 [ 54.642567] save_stack_trace+0x16/0x20 [ 54.646503] save_stack+0x43/0xd0 [ 54.649916] kasan_kmalloc+0xad/0xe0 [ 54.653592] kmem_cache_alloc_trace+0xfb/0x2a0 [ 54.658139] binder_get_thread+0x15d/0x750 [ 54.662337] binder_poll+0x4a/0x210 [ 54.665926] SyS_epoll_ctl+0x11d7/0x2190 [ 54.669952] entry_SYSCALL_64_fastpath+0x23/0xc6 [ 54.674667] Freed: [ 54.676778] PID = 3283 [ 54.679238] save_stack_trace+0x16/0x20 [ 54.683174] save_stack+0x43/0xd0 [ 54.686586] kasan_slab_free+0x73/0xc0 [ 54.690434] kfree+0xf0/0x2f0 [ 54.693502] binder_thread_dec_tmpref+0x1cc/0x240 [ 54.698307] binder_thread_release+0x27d/0x540 [ 54.703310] binder_ioctl+0x9c0/0x11b0 [ 54.707161] do_vfs_ioctl+0x1aa/0x1140 [ 54.711017] SyS_ioctl+0x8f/0xc0 [ 54.714346] entry_SYSCALL_64_fastpath+0x23/0xc6 [ 54.719061] Memory state around the buggy address: [ 54.723951] ffff8801cc49e700: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 54.731271] ffff8801cc49e780: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 54.738591] >ffff8801cc49e800: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 54.745913] ^ [ 54.750804] ffff8801cc49e880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 54.758137] ffff8801cc49e900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 54.765456] ================================================================== [ 54.772775] ================================================================== [ 54.780099] BUG: KASAN: use-after-free in __list_del_entry+0x184/0x1d0 at addr ffff8801cc49e858 [ 54.788894] Read of size 8 by task syzkaller947561/3283 [ 54.794229] CPU: 1 PID: 3283 Comm: syzkaller947561 Tainted: G B 4.9.66-gb763480 #103 [ 54.803198] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 54.812517] ffff8801d154fad8 ffffffff81d90749 ffff8801da001280 ffff8801cc49e780 [ 54.820464] ffff8801cc49e980 ffffed0039893d0b ffff8801cc49e858 ffff8801d154fb00 [ 54.828410] ffffffff8153a32c ffffed0039893d0b ffff8801da001280 0000000000000000 [ 54.836359] Call Trace: [ 54.838912] [] dump_stack+0xc1/0x128 [ 54.844240] [] kasan_object_err+0x1c/0x70 [ 54.849999] [] kasan_report.part.1+0x21c/0x500 [ 54.856194] [] ? __list_del_entry+0x184/0x1d0 [ 54.862313] [] __asan_report_load8_noabort+0x29/0x30 [ 54.869034] [] __list_del_entry+0x184/0x1d0 [ 54.874968] [] list_del+0xd/0x70 [ 54.879948] [] remove_wait_queue+0x20/0x40 [ 54.885795] [] ep_unregister_pollwait.isra.6+0xaf/0x240 [ 54.892769] [] ? ep_unregister_pollwait.isra.6+0x12a/0x240 [ 54.900006] [] ? ep_free+0x1b0/0x1b0 [ 54.905332] [] ep_free+0x96/0x1b0 [ 54.910396] [] ? ep_free+0x1b0/0x1b0 [ 54.915723] [] ep_eventpoll_release+0x44/0x60 [ 54.921835] [] __fput+0x28c/0x6e0 [ 54.926901] [] ____fput+0x15/0x20 [ 54.931967] [] task_work_run+0x115/0x190 [ 54.937643] [] do_exit+0x7e7/0x2a40 [ 54.942881] [] ? release_task+0x1240/0x1240 [ 54.948814] [] ? __fdget+0x18/0x20 [ 54.953968] [] ? sockfd_lookup_light+0x118/0x160 [ 54.960347] [] ? SyS_setsockopt+0x17f/0x250 [ 54.966287] [] ? SyS_recv+0x40/0x40 [ 54.971528] [] ? entry_SYSCALL_64_fastpath+0x5/0xc6 [ 54.978156] [] do_group_exit+0x108/0x320 [ 54.983829] [] SyS_exit_group+0x1d/0x20 [ 54.989414] [] entry_SYSCALL_64_fastpath+0x23/0xc6 [ 54.995954] Object at ffff8801cc49e780, in cache kmalloc-512 size: 512 [ 55.002579] Allocated: [ 55.005040] PID = 3283 [ 55.007504] save_stack_trace+0x16/0x20 [ 55.011440] save_stack+0x43/0xd0 [ 55.014856] kasan_kmalloc+0xad/0xe0 [ 55.018537] kmem_cache_alloc_trace+0xfb/0x2a0 [ 55.023082] binder_get_thread+0x15d/0x750 [ 55.027281] binder_poll+0x4a/0x210 [ 55.030871] SyS_epoll_ctl+0x11d7/0x2190 [ 55.034894] entry_SYSCALL_64_fastpath+0x23/0xc6 [ 55.039610] Freed: [ 55.041724] PID = 3283 [ 55.044186] save_stack_trace+0x16/0x20 [ 55.048122] save_stack+0x43/0xd0 [ 55.051543] kasan_slab_free+0x73/0xc0 [ 55.055392] kfree+0xf0/0x2f0 [ 55.058466] binder_thread_dec_tmpref+0x1cc/0x240 [ 55.063271] binder_thread_release+0x27d/0x540 [ 55.067817] binder_ioctl+0x9c0/0x11b0 [ 55.071674] do_vfs_ioctl+0x1aa/0x1140 [ 55.075523] SyS_ioctl+0x8f/0xc0 [ 55.078862] entry_SYSCALL_64_fastpath+0x23/0xc6 [ 55.083576] Memory state around the buggy address: [ 55.088475] ffff8801cc49e700: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 55.095799] ffff8801cc49e780: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 55.103119] >ffff8801cc49e800: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 55.110440] ^ [ 55.116636] ffff8801cc49e880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 55.123959] ffff8801cc49e900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 55.131281] ================================================================== [ 55.138603] ================================================================== [ 55.145926] BUG: KASAN: use-after-free in __list_del_entry+0x196/0x1d0 at addr ffff8801cc49e860 [ 55.154722] Read of size 8 by task syzkaller947561/3283 [ 55.160050] CPU: 1 PID: 3283 Comm: syzkaller947561 Tainted: G B 4.9.66-gb763480 #103 [ 55.169018] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 55.178337] ffff8801d154fad8 ffffffff81d90749 ffff8801da001280 ffff8801cc49e780 [ 55.186282] ffff8801cc49e980 ffffed0039893d0c ffff8801cc49e860 ffff8801d154fb00 [ 55.194225] ffffffff8153a32c ffffed0039893d0c ffff8801da001280 0000000000000000 [ 55.202165] Call Trace: [ 55.204726] [] dump_stack+0xc1/0x128 [ 55.210059] [] kasan_object_err+0x1c/0x70 [ 55.215819] [] kasan_report.part.1+0x21c/0x500 [ 55.222013] [] ? __list_del_entry+0x196/0x1d0 [ 55.228131] [] __asan_report_load8_noabort+0x29/0x30 [ 55.234847] [] __list_del_entry+0x196/0x1d0 [ 55.240781] [] list_del+0xd/0x70 [ 55.245760] [] remove_wait_queue+0x20/0x40 [ 55.251610] [] ep_unregister_pollwait.isra.6+0xaf/0x240 [ 55.258584] [] ? ep_unregister_pollwait.isra.6+0x12a/0x240 [ 55.265821] [] ? ep_free+0x1b0/0x1b0 [ 55.271148] [] ep_free+0x96/0x1b0 [ 55.276212] [] ? ep_free+0x1b0/0x1b0 [ 55.281537] [] ep_eventpoll_release+0x44/0x60 [ 55.287644] [] __fput+0x28c/0x6e0 [ 55.292708] [] ____fput+0x15/0x20 [ 55.297773] [] task_work_run+0x115/0x190 [ 55.303446] [] do_exit+0x7e7/0x2a40 [ 55.308686] [] ? release_task+0x1240/0x1240 [ 55.314618] [] ? __fdget+0x18/0x20 [ 55.319772] [] ? sockfd_lookup_light+0x118/0x160 [ 55.326139] [] ? SyS_setsockopt+0x17f/0x250 [ 55.332074] [] ? SyS_recv+0x40/0x40 [ 55.337316] [] ? entry_SYSCALL_64_fastpath+0x5/0xc6 [ 55.343942] [] do_group_exit+0x108/0x320 [ 55.349616] [] SyS_exit_group+0x1d/0x20 [ 55.355203] [] entry_SYSCALL_64_fastpath+0x23/0xc6 [ 55.361744] Object at ffff8801cc49e780, in cache kmalloc-512 size: 512 [ 55.368369] Allocated: [ 55.370829] PID = 3283 [ 55.373294] save_stack_trace+0x16/0x20 [ 55.377229] save_stack+0x43/0xd0 [ 55.380643] kasan_kmalloc+0xad/0xe0 [ 55.384320] kmem_cache_alloc_trace+0xfb/0x2a0 [ 55.388866] binder_get_thread+0x15d/0x750 [ 55.393083] binder_poll+0x4a/0x210 [ 55.396675] SyS_epoll_ctl+0x11d7/0x2190 [ 55.400711] entry_SYSCALL_64_fastpath+0x23/0xc6 [ 55.405433] Freed: [ 55.407544] PID = 3283 [ 55.410005] save_stack_trace+0x16/0x20 [ 55.413943] save_stack+0x43/0xd0 [ 55.417361] kasan_slab_free+0x73/0xc0 [ 55.421210] kfree+0xf0/0x2f0 [ 55.424287] binder_thread_dec_tmpref+0x1cc/0x240 [ 55.429098] binder_thread_release+0x27d/0x540 [ 55.433645] binder_ioctl+0x9c0/0x11b0 [ 55.437496] do_vfs_ioctl+0x1aa/0x1140 [ 55.441345] SyS_ioctl+0x8f/0xc0 [ 55.444675] entry_SYSCALL_64_fastpath+0x23/0xc6 [ 55.449388] Memory state around the buggy address: [ 55.454278] ffff8801cc49e700: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 55.461600] ffff8801cc49e780: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 55.468922] >ffff8801cc49e800: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 55.476240] ^ [ 55.482691] ffff8801cc49e880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 55.490014] ffff8801cc49e900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 55.497334] ================================================================== [ 55.504654] ================================================================== [ 55.511981] BUG: KASAN: use-after-free in __list_del_entry+0x173/0x1d0 at addr ffff8801cc49e858 [ 55.520777] Write of size 8 by task syzkaller947561/3283 [ 55.526198] CPU: 1 PID: 3283 Comm: syzkaller947561 Tainted: G B 4.9.66-gb763480 #103 [ 55.535169] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 55.544489] ffff8801d154fad8 ffffffff81d90749 ffff8801da001280 ffff8801cc49e780 [ 55.552428] ffff8801cc49e980 ffffed0039893d0b ffff8801cc49e858 ffff8801d154fb00 [ 55.560365] ffffffff8153a32c ffffed0039893d0b ffff8801da001280 0000000000000001 [ 55.568306] Call Trace: [ 55.570859] [] dump_stack+0xc1/0x128 [ 55.576185] [] kasan_object_err+0x1c/0x70 [ 55.581945] [] kasan_report.part.1+0x21c/0x500 [ 55.588138] [] ? __list_del_entry+0x173/0x1d0 [ 55.594246] [] __asan_report_store8_noabort+0x2c/0x30 [ 55.601045] [] __list_del_entry+0x173/0x1d0 [ 55.606983] [] list_del+0xd/0x70 [ 55.611964] [] remove_wait_queue+0x20/0x40 [ 55.617812] [] ep_unregister_pollwait.isra.6+0xaf/0x240 [ 55.624791] [] ? ep_unregister_pollwait.isra.6+0x12a/0x240 [ 55.632054] [] ? ep_free+0x1b0/0x1b0 [ 55.637384] [] ep_free+0x96/0x1b0 [ 55.642449] [] ? ep_free+0x1b0/0x1b0 [ 55.647774] [] ep_eventpoll_release+0x44/0x60 [ 55.653881] [] __fput+0x28c/0x6e0 [ 55.658945] [] ____fput+0x15/0x20 [ 55.664010] [] task_work_run+0x115/0x190 [ 55.669685] [] do_exit+0x7e7/0x2a40 [ 55.674925] [] ? release_task+0x1240/0x1240 [ 55.680860] [] ? __fdget+0x18/0x20 [ 55.686017] [] ? sockfd_lookup_light+0x118/0x160 [ 55.692386] [] ? SyS_setsockopt+0x17f/0x250 [ 55.698321] [] ? SyS_recv+0x40/0x40 [ 55.703565] [] ? entry_SYSCALL_64_fastpath+0x5/0xc6 [ 55.710194] [] do_group_exit+0x108/0x320 [ 55.715869] [] SyS_exit_group+0x1d/0x20 [ 55.721458] [] entry_SYSCALL_64_fastpath+0x23/0xc6 [ 55.728000] Object at ffff8801cc49e780, in cache kmalloc-512 size: 512 [ 55.734627] Allocated: [ 55.737102] PID = 3283 [ 55.739579] save_stack_trace+0x16/0x20 [ 55.743519] save_stack+0x43/0xd0 [ 55.746945] kasan_kmalloc+0xad/0xe0 [ 55.750621] kmem_cache_alloc_trace+0xfb/0x2a0 [ 55.755169] binder_get_thread+0x15d/0x750 [ 55.759366] binder_poll+0x4a/0x210 [ 55.762957] SyS_epoll_ctl+0x11d7/0x2190 [ 55.766989] entry_SYSCALL_64_fastpath+0x23/0xc6 [ 55.771705] Freed: [ 55.773815] PID = 3283 [ 55.776273] save_stack_trace+0x16/0x20 [ 55.780211] save_stack+0x43/0xd0 [ 55.783624] kasan_slab_free+0x73/0xc0 [ 55.787471] kfree+0xf0/0x2f0 [ 55.790540] binder_thread_dec_tmpref+0x1cc/0x240 [ 55.795348] binder_thread_release+0x27d/0x540 [ 55.799896] binder_ioctl+0x9c0/0x11b0 [ 55.803747] do_vfs_ioctl+0x1aa/0x1140 [ 55.807598] SyS_ioctl+0x8f/0xc0 [ 55.810931] entry_SYSCALL_64_fastpath+0x23/0xc6 [ 55.815651] Memory state around the buggy address: [ 55.820543] ffff8801cc49e700: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 55.827867] ffff8801cc49e780: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 55.835191] >ffff8801cc49e800: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 55.842513] ^ [ 55.848706] ffff8801cc49e880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 55.856026] ffff8801cc49e900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 55.863354] ================================================================== [ 55.870677] ================================================================== [ 55.878012] BUG: KASAN: use-after-free in do_raw_spin_unlock+0x1d4/0x210 at addr ffff8801cc49e824 [ 55.886995] Read of size 4 by task syzkaller947561/3283 [ 55.892324] CPU: 1 PID: 3283 Comm: syzkaller947561 Tainted: G B 4.9.66-gb763480 #103 [ 55.901296] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 55.910617] ffff8801d154fad0 ffffffff81d90749 ffff8801da001280 ffff8801cc49e780 [ 55.918562] ffff8801cc49e980 ffffed0039893d04 ffff8801cc49e824 ffff8801d154faf8 [ 55.926512] ffffffff8153a32c ffffed0039893d04 ffff8801da001280 0000000000000000 [ 55.934460] Call Trace: [ 55.937013] [] dump_stack+0xc1/0x128 [ 55.942353] [] kasan_object_err+0x1c/0x70 [ 55.948115] [] kasan_report.part.1+0x21c/0x500 [ 55.954321] [] ? do_raw_spin_unlock+0x1d4/0x210 [ 55.960606] [] __asan_report_load4_noabort+0x29/0x30 [ 55.967323] [] do_raw_spin_unlock+0x1d4/0x210 [ 55.973433] [] _raw_spin_unlock_irqrestore+0x27/0x70 [ 55.980152] [] remove_wait_queue+0x2b/0x40 [ 55.986007] [] ep_unregister_pollwait.isra.6+0xaf/0x240 [ 55.992992] [] ? ep_unregister_pollwait.isra.6+0x12a/0x240 [ 56.000228] [] ? ep_free+0x1b0/0x1b0 [ 56.005555] [] ep_free+0x96/0x1b0 [ 56.010623] [] ? ep_free+0x1b0/0x1b0 [ 56.015949] [] ep_eventpoll_release+0x44/0x60 [ 56.022062] [] __fput+0x28c/0x6e0 [ 56.027128] [] ____fput+0x15/0x20 [ 56.032194] [] task_work_run+0x115/0x190 [ 56.037868] [] do_exit+0x7e7/0x2a40 [ 56.043108] [] ? release_task+0x1240/0x1240 [ 56.049040] [] ? __fdget+0x18/0x20 [ 56.054192] [] ? sockfd_lookup_light+0x118/0x160 [ 56.060562] [] ? SyS_setsockopt+0x17f/0x250 [ 56.066500] [] ? SyS_recv+0x40/0x40 [ 56.071746] [] ? entry_SYSCALL_64_fastpath+0x5/0xc6 [ 56.078376] [] do_group_exit+0x108/0x320 [ 56.084052] [] SyS_exit_group+0x1d/0x20 [ 56.089640] [] entry_SYSCALL_64_fastpath+0x23/0xc6 [ 56.096183] Object at ffff8801cc49e780, in cache kmalloc-512 size: 512 [ 56.102808] Allocated: [ 56.105267] PID = 3283 [ 56.107731] save_stack_trace+0x16/0x20 [ 56.111667] save_stack+0x43/0xd0 [ 56.115083] kasan_kmalloc+0xad/0xe0 [ 56.118770] kmem_cache_alloc_trace+0xfb/0x2a0 [ 56.123313] binder_get_thread+0x15d/0x750 [ 56.127512] binder_poll+0x4a/0x210 [ 56.131101] SyS_epoll_ctl+0x11d7/0x2190 [ 56.135124] entry_SYSCALL_64_fastpath+0x23/0xc6 [ 56.139840] Freed: [ 56.141955] PID = 3283 [ 56.144415] save_stack_trace+0x16/0x20 [ 56.148353] save_stack+0x43/0xd0 [ 56.151769] kasan_slab_free+0x73/0xc0 [ 56.155618] kfree+0xf0/0x2f0 [ 56.158687] binder_thread_dec_tmpref+0x1cc/0x240 [ 56.163491] binder_thread_release+0x27d/0x540 [ 56.168036] binder_ioctl+0x9c0/0x11b0 [ 56.171887] do_vfs_ioctl+0x1aa/0x1140 [ 56.175736] SyS_ioctl+0x8f/0xc0 [ 56.179066] entry_SYSCALL_64_fastpath+0x23/0xc6 [ 56.183781] Memory state around the buggy address: [ 56.188673] ffff8801cc49e700: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 56.195992] ffff8801cc49e780: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 56.203315] >ffff8801cc49e800: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 56.210637] ^ [ 56.215008] ffff8801cc49e880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 56.222331] ffff8801cc49e900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 56.229652] ================================================================== [ 56.236972] ================================================================== [ 56.244296] BUG: KASAN: use-after-free in do_raw_spin_unlock+0x1ca/0x210 at addr ffff8801cc49e820 [ 56.253268] Read of size 4 by task syzkaller947561/3283 [ 56.258596] CPU: 1 PID: 3283 Comm: syzkaller947561 Tainted: G B 4.9.66-gb763480 #103 [ 56.267566] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 56.276884] ffff8801d154fad0 ffffffff81d90749 ffff8801da001280 ffff8801cc49e780 [ 56.284831] ffff8801cc49e980 ffffed0039893d04 ffff8801cc49e820 ffff8801d154faf8 [ 56.292775] ffffffff8153a32c ffffed0039893d04 ffff8801da001280 0000000000000000 [ 56.300713] Call Trace: [ 56.303263] [] dump_stack+0xc1/0x128 [ 56.308591] [] kasan_object_err+0x1c/0x70 [ 56.314352] [] kasan_report.part.1+0x21c/0x500 [ 56.320546] [] ? do_raw_spin_unlock+0x1ca/0x210 [ 56.326829] [] __asan_report_load4_noabort+0x29/0x30 [ 56.333544] [] do_raw_spin_unlock+0x1ca/0x210 [ 56.339653] [] _raw_spin_unlock_irqrestore+0x27/0x70 [ 56.346371] [] remove_wait_queue+0x2b/0x40 [ 56.352218] [] ep_unregister_pollwait.isra.6+0xaf/0x240 [ 56.359193] [] ? ep_unregister_pollwait.isra.6+0x12a/0x240 [ 56.366429] [] ? ep_free+0x1b0/0x1b0 [ 56.371756] [] ep_free+0x96/0x1b0 [ 56.376822] [] ? ep_free+0x1b0/0x1b0 [ 56.382149] [] ep_eventpoll_release+0x44/0x60 [ 56.388258] [] __fput+0x28c/0x6e0 [ 56.393326] [] ____fput+0x15/0x20 [ 56.398391] [] task_work_run+0x115/0x190 [ 56.404066] [] do_exit+0x7e7/0x2a40 [ 56.409304] [] ? release_task+0x1240/0x1240 [ 56.415238] [] ? __fdget+0x18/0x20 [ 56.420392] [] ? sockfd_lookup_light+0x118/0x160 [ 56.426760] [] ? SyS_setsockopt+0x17f/0x250 [ 56.432695] [] ? SyS_recv+0x40/0x40 [ 56.437938] [] ? entry_SYSCALL_64_fastpath+0x5/0xc6 [ 56.444567] [] do_group_exit+0x108/0x320 [ 56.450241] [] SyS_exit_group+0x1d/0x20 [ 56.455826] [] entry_SYSCALL_64_fastpath+0x23/0xc6 [ 56.462368] Object at ffff8801cc49e780, in cache kmalloc-512 size: 512 [ 56.468990] Allocated: [ 56.471448] PID = 3283 [ 56.473910] save_stack_trace+0x16/0x20 [ 56.477846] save_stack+0x43/0xd0 [ 56.481260] kasan_kmalloc+0xad/0xe0 [ 56.484935] kmem_cache_alloc_trace+0xfb/0x2a0 [ 56.489481] binder_get_thread+0x15d/0x750 [ 56.493677] binder_poll+0x4a/0x210 [ 56.497268] SyS_epoll_ctl+0x11d7/0x2190 [ 56.501289] entry_SYSCALL_64_fastpath+0x23/0xc6 [ 56.506002] Freed: [ 56.508112] PID = 3283 [ 56.510571] save_stack_trace+0x16/0x20 [ 56.514507] save_stack+0x43/0xd0 [ 56.517922] kasan_slab_free+0x73/0xc0 [ 56.521771] kfree+0xf0/0x2f0 [ 56.524840] binder_thread_dec_tmpref+0x1cc/0x240 [ 56.529645] binder_thread_release+0x27d/0x540 [ 56.534188] binder_ioctl+0x9c0/0x11b0 [ 56.538038] do_vfs_ioctl+0x1aa/0x1140 [ 56.541887] SyS_ioctl+0x8f/0xc0 [ 56.545217] entry_SYSCALL_64_fastpath+0x23/0xc6 [ 56.549941] Memory state around the buggy address: [ 56.554836] ffff8801cc49e700: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 56.562160] ffff8801cc49e780: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 56.569480] >ffff8801cc49e800: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 56.576803] ^ [ 56.581174] ffff8801cc49e880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 56.588497] ffff8801cc49e900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 56.595817] ================================================================== [ 56.603139] ================================================================== [ 56.610466] BUG: KASAN: use-after-free in do_raw_spin_unlock+0x1fb/0x210 at addr ffff8801cc49e830 [ 56.619436] Read of size 8 by task syzkaller947561/3283 [ 56.624763] CPU: 1 PID: 3283 Comm: syzkaller947561 Tainted: G B 4.9.66-gb763480 #103 [ 56.633732] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 56.643049] ffff8801d154fad0 ffffffff81d90749 ffff8801da001280 ffff8801cc49e780 [ 56.650999] ffff8801cc49e980 ffffed0039893d06 ffff8801cc49e830 ffff8801d154faf8 [ 56.658936] ffffffff8153a32c ffffed0039893d06 ffff8801da001280 0000000000000000 [ 56.666874] Call Trace: [ 56.669426] [] dump_stack+0xc1/0x128 [ 56.674755] [] kasan_object_err+0x1c/0x70 [ 56.680517] [] kasan_report.part.1+0x21c/0x500 [ 56.686716] [] ? do_raw_spin_unlock+0x1fb/0x210 [ 56.692995] [] __asan_report_load8_noabort+0x29/0x30 [ 56.699709] [] do_raw_spin_unlock+0x1fb/0x210 [ 56.706349] [] _raw_spin_unlock_irqrestore+0x27/0x70 [ 56.713064] [] remove_wait_queue+0x2b/0x40 [ 56.718911] [] ep_unregister_pollwait.isra.6+0xaf/0x240 [ 56.725900] [] ? ep_unregister_pollwait.isra.6+0x12a/0x240 [ 56.733135] [] ? ep_free+0x1b0/0x1b0 [ 56.738462] [] ep_free+0x96/0x1b0 [ 56.743528] [] ? ep_free+0x1b0/0x1b0 [ 56.748854] [] ep_eventpoll_release+0x44/0x60 [ 56.754959] [] __fput+0x28c/0x6e0 [ 56.760026] [] ____fput+0x15/0x20 [ 56.765093] [] task_work_run+0x115/0x190 [ 56.770766] [] do_exit+0x7e7/0x2a40 [ 56.776003] [] ? release_task+0x1240/0x1240 [ 56.781935] [] ? __fdget+0x18/0x20 [ 56.787093] [] ? sockfd_lookup_light+0x118/0x160 [ 56.793458] [] ? SyS_setsockopt+0x17f/0x250 [ 56.799392] [] ? SyS_recv+0x40/0x40 [ 56.804632] [] ? entry_SYSCALL_64_fastpath+0x5/0xc6 [ 56.811260] [] do_group_exit+0x108/0x320 [ 56.816933] [] SyS_exit_group+0x1d/0x20 [ 56.822522] [] entry_SYSCALL_64_fastpath+0x23/0xc6 [ 56.829063] Object at ffff8801cc49e780, in cache kmalloc-512 size: 512 [ 56.835687] Allocated: [ 56.838145] PID = 3283 [ 56.840607] save_stack_trace+0x16/0x20 [ 56.844542] save_stack+0x43/0xd0 [ 56.847957] kasan_kmalloc+0xad/0xe0 [ 56.851632] kmem_cache_alloc_trace+0xfb/0x2a0 [ 56.856176] binder_get_thread+0x15d/0x750 [ 56.860374] binder_poll+0x4a/0x210 [ 56.863962] SyS_epoll_ctl+0x11d7/0x2190 [ 56.867984] entry_SYSCALL_64_fastpath+0x23/0xc6 [ 56.872698] Freed: [ 56.874812] PID = 3283 [ 56.877272] save_stack_trace+0x16/0x20 [ 56.881206] save_stack+0x43/0xd0 [ 56.884623] kasan_slab_free+0x73/0xc0 [ 56.888470] kfree+0xf0/0x2f0 [ 56.891539] binder_thread_dec_tmpref+0x1cc/0x240 [ 56.896345] binder_thread_release+0x27d/0x540 [ 56.900889] binder_ioctl+0x9c0/0x11b0 [ 56.904740] do_vfs_ioctl+0x1aa/0x1140 [ 56.908597] SyS_ioctl+0x8f/0xc0 [ 56.911932] entry_SYSCALL_64_fastpath+0x23/0xc6 [ 56.916653] Memory state around the buggy address: [ 56.921546] ffff8801cc49e700: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 56.928874] ffff8801cc49e780: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 56.936203] >ffff8801cc49e800: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 56.943524] ^ [ 56.948415] ffff8801cc49e880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 56.955737] ffff8801cc49e900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 56.963054] ================================================================== [ 56.970375] ================================================================== [ 56.977701] BUG: KASAN: use-after-free in do_raw_spin_unlock+0x1e1/0x210 at addr ffff8801cc49e828 [ 56.986674] Read of size 4 by task syzkaller947561/3283 [ 56.991999] CPU: 1 PID: 3283 Comm: syzkaller947561 Tainted: G B 4.9.66-gb763480 #103 [ 57.000968] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 57.010287] ffff8801d154fad0 ffffffff81d90749 ffff8801da001280 ffff8801cc49e780 [ 57.018228] ffff8801cc49e980 ffffed0039893d05 ffff8801cc49e828 ffff8801d154faf8 [ 57.026173] ffffffff8153a32c ffffed0039893d05 ffff8801da001280 0000000000000000 [ 57.034118] Call Trace: [ 57.036670] [] dump_stack+0xc1/0x128 [ 57.041998] [] kasan_object_err+0x1c/0x70 [ 57.047764] [] kasan_report.part.1+0x21c/0x500 [ 57.053967] [] ? do_raw_spin_unlock+0x1e1/0x210 [ 57.060248] [] __asan_report_load4_noabort+0x29/0x30 [ 57.066961] [] do_raw_spin_unlock+0x1e1/0x210 [ 57.073071] [] _raw_spin_unlock_irqrestore+0x27/0x70 [ 57.079786] [] remove_wait_queue+0x2b/0x40 [ 57.086590] [] ep_unregister_pollwait.isra.6+0xaf/0x240 [ 57.093566] [] ? ep_unregister_pollwait.isra.6+0x12a/0x240 [ 57.100816] [] ? ep_free+0x1b0/0x1b0 [ 57.106140] [] ep_free+0x96/0x1b0 [ 57.111207] [] ? ep_free+0x1b0/0x1b0 [ 57.116533] [] ep_eventpoll_release+0x44/0x60 [ 57.122640] [] __fput+0x28c/0x6e0 [ 57.127709] [] ____fput+0x15/0x20 [ 57.132775] [] task_work_run+0x115/0x190 [ 57.138448] [] do_exit+0x7e7/0x2a40 [ 57.143688] [] ? release_task+0x1240/0x1240 [ 57.149623] [] ? __fdget+0x18/0x20 [ 57.154779] [] ? sockfd_lookup_light+0x118/0x160 [ 57.161149] [] ? SyS_setsockopt+0x17f/0x250 [ 57.167082] [] ? SyS_recv+0x40/0x40 [ 57.172323] [] ? entry_SYSCALL_64_fastpath+0x5/0xc6 [ 57.178953] [] do_group_exit+0x108/0x320 [ 57.184625] [] SyS_exit_group+0x1d/0x20 [ 57.190213] [] entry_SYSCALL_64_fastpath+0x23/0xc6 [ 57.196753] Object at ffff8801cc49e780, in cache kmalloc-512 size: 512 [ 57.203376] Allocated: [ 57.205835] PID = 3283 [ 57.208297] save_stack_trace+0x16/0x20 [ 57.212235] save_stack+0x43/0xd0 [ 57.215650] kasan_kmalloc+0xad/0xe0 [ 57.219325] kmem_cache_alloc_trace+0xfb/0x2a0 [ 57.223870] binder_get_thread+0x15d/0x750 [ 57.228067] binder_poll+0x4a/0x210 [ 57.231659] SyS_epoll_ctl+0x11d7/0x2190 [ 57.235682] entry_SYSCALL_64_fastpath+0x23/0xc6 [ 57.240398] Freed: [ 57.242509] PID = 3283 [ 57.244969] save_stack_trace+0x16/0x20 [ 57.248914] save_stack+0x43/0xd0 [ 57.252327] kasan_slab_free+0x73/0xc0 [ 57.256175] kfree+0xf0/0x2f0 [ 57.259244] binder_thread_dec_tmpref+0x1cc/0x240 [ 57.264049] binder_thread_release+0x27d/0x540 [ 57.268595] binder_ioctl+0x9c0/0x11b0 [ 57.272445] do_vfs_ioctl+0x1aa/0x1140 [ 57.276296] SyS_ioctl+0x8f/0xc0 [ 57.279625] entry_SYSCALL_64_fastpath+0x23/0xc6 [ 57.284340] Memory state around the buggy address: [ 57.289234] ffff8801cc49e700: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 57.296557] ffff8801cc49e780: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 57.303879] >ffff8801cc49e800: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 57.311209] ^ [ 57.315842] ffff8801cc49e880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 57.323164] ffff8801cc49e900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 57.330483] ================================================================== [ 57.337806] ================================================================== [ 57.345133] BUG: KASAN: use-after-free in do_raw_spin_unlock+0x208/0x210 at addr ffff8801cc49e830 [ 57.354103] Write of size 8 by task syzkaller947561/3283 [ 57.359518] CPU: 1 PID: 3283 Comm: syzkaller947561 Tainted: G B 4.9.66-gb763480 #103 [ 57.368489] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 57.377806] ffff8801d154fad0 ffffffff81d90749 ffff8801da001280 ffff8801cc49e780 [ 57.385750] ffff8801cc49e980 ffffed0039893d06 ffff8801cc49e830 ffff8801d154faf8 [ 57.393689] ffffffff8153a32c ffffed0039893d06 ffff8801da001280 0000000000000001 [ 57.401626] Call Trace: [ 57.404180] [] dump_stack+0xc1/0x128 [ 57.409517] [] kasan_object_err+0x1c/0x70 [ 57.415283] [] kasan_report.part.1+0x21c/0x500 [ 57.421478] [] ? do_raw_spin_unlock+0x208/0x210 [ 57.427761] [] __asan_report_store8_noabort+0x2c/0x30 [ 57.434561] [] do_raw_spin_unlock+0x208/0x210 [ 57.440672] [] _raw_spin_unlock_irqrestore+0x27/0x70 [ 57.447388] [] remove_wait_queue+0x2b/0x40 [ 57.453235] [] ep_unregister_pollwait.isra.6+0xaf/0x240 [ 57.460210] [] ? ep_unregister_pollwait.isra.6+0x12a/0x240 [ 57.467446] [] ? ep_free+0x1b0/0x1b0 [ 57.472776] [] ep_free+0x96/0x1b0 [ 57.477842] [] ? ep_free+0x1b0/0x1b0 [ 57.483167] [] ep_eventpoll_release+0x44/0x60 [ 57.489273] [] __fput+0x28c/0x6e0 [ 57.494337] [] ____fput+0x15/0x20 [ 57.499402] [] task_work_run+0x115/0x190 [ 57.505075] [] do_exit+0x7e7/0x2a40 [ 57.510315] [] ? release_task+0x1240/0x1240 [ 57.516247] [] ? __fdget+0x18/0x20 [ 57.521409] [] ? sockfd_lookup_light+0x118/0x160 [ 57.527866] [] ? SyS_setsockopt+0x17f/0x250 [ 57.533807] [] ? SyS_recv+0x40/0x40 [ 57.539057] [] ? entry_SYSCALL_64_fastpath+0x5/0xc6 [ 57.545685] [] do_group_exit+0x108/0x320 [ 57.551359] [] SyS_exit_group+0x1d/0x20 [ 57.556950] [] entry_SYSCALL_64_fastpath+0x23/0xc6 [ 57.563490] Object at ffff8801cc49e780, in cache kmalloc-512 size: 512 [ 57.570127] Allocated: [ 57.572586] PID = 3283 [ 57.575046] save_stack_trace+0x16/0x20 [ 57.578984] save_stack+0x43/0xd0 [ 57.582399] kasan_kmalloc+0xad/0xe0 [ 57.586076] kmem_cache_alloc_trace+0xfb/0x2a0 [ 57.590622] binder_get_thread+0x15d/0x750 [ 57.594825] binder_poll+0x4a/0x210 [ 57.598416] SyS_epoll_ctl+0x11d7/0x2190 [ 57.602440] entry_SYSCALL_64_fastpath+0x23/0xc6 [ 57.607157] Freed: [ 57.609269] PID = 3283 [ 57.611729] save_stack_trace+0x16/0x20 [ 57.615668] save_stack+0x43/0xd0 [ 57.619081] kasan_slab_free+0x73/0xc0 [ 57.622931] kfree+0xf0/0x2f0 [ 57.625998] binder_thread_dec_tmpref+0x1cc/0x240 [ 57.630804] binder_thread_release+0x27d/0x540 [ 57.635369] binder_ioctl+0x9c0/0x11b0 [ 57.639219] do_vfs_ioctl+0x1aa/0x1140 [ 57.643069] SyS_ioctl+0x8f/0xc0 [ 57.646399] entry_SYSCALL_64_fastpath+0x23/0xc6 [ 57.651114] Memory state around the buggy address: [ 57.656004] ffff8801cc49e700: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 57.663325] ffff8801cc49e780: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 57.670649] >ffff8801cc49e800: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 57.677970] ^ [ 57.682863] ffff8801cc49e880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 57.690184] ffff8801cc49e900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 57.697505] ================================================================== [ 57.704825] ================================================================== [ 57.712150] BUG: KASAN: use-after-free in do_raw_spin_unlock+0x1ee/0x210 at addr ffff8801cc49e828 [ 57.721120] Write of size 4 by task syzkaller947561/3283 [ 57.726535] CPU: 1 PID: 3283 Comm: syzkaller947561 Tainted: G B 4.9.66-gb763480 #103 [ 57.735503] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 57.744823] ffff8801d154fad0 ffffffff81d90749 ffff8801da001280 ffff8801cc49e780 [ 57.752782] ffff8801cc49e980 ffffed0039893d05 ffff8801cc49e828 ffff8801d154faf8 [ 57.760730] ffffffff8153a32c ffffed0039893d05 ffff8801da001280 0000000000000001 [ 57.768671] Call Trace: [ 57.771224] [] dump_stack+0xc1/0x128 [ 57.776558] [] kasan_object_err+0x1c/0x70 [ 57.782337] [] kasan_report.part.1+0x21c/0x500 [ 57.788535] [] ? do_raw_spin_unlock+0x1ee/0x210 [ 57.794829] [] __asan_report_store4_noabort+0x2c/0x30 [ 57.801634] [] do_raw_spin_unlock+0x1ee/0x210 [ 57.807746] [] _raw_spin_unlock_irqrestore+0x27/0x70 [ 57.814462] [] remove_wait_queue+0x2b/0x40 [ 57.820312] [] ep_unregister_pollwait.isra.6+0xaf/0x240 [ 57.827291] [] ? ep_unregister_pollwait.isra.6+0x12a/0x240 [ 57.834536] [] ? ep_free+0x1b0/0x1b0 [ 57.839865] [] ep_free+0x96/0x1b0 [ 57.844932] [] ? ep_free+0x1b0/0x1b0 [ 57.850257] [] ep_eventpoll_release+0x44/0x60 [ 57.856366] [] __fput+0x28c/0x6e0 [ 57.861434] [] ____fput+0x15/0x20 [ 57.866499] [] task_work_run+0x115/0x190 [ 57.872172] [] do_exit+0x7e7/0x2a40 [ 57.877409] [] ? release_task+0x1240/0x1240 [ 57.883342] [] ? __fdget+0x18/0x20 [ 57.888496] [] ? sockfd_lookup_light+0x118/0x160 [ 57.894863] [] ? SyS_setsockopt+0x17f/0x250 [ 57.900797] [] ? SyS_recv+0x40/0x40 [ 57.906038] [] ? entry_SYSCALL_64_fastpath+0x5/0xc6 [ 57.912668] [] do_group_exit+0x108/0x320 [ 57.918342] [] SyS_exit_group+0x1d/0x20 [ 57.923928] [] entry_SYSCALL_64_fastpath+0x23/0xc6 [ 57.930470] Object at ffff8801cc49e780, in cache kmalloc-512 size: 512 [ 57.937096] Allocated: [ 57.939552] PID = 3283 [ 57.942016] save_stack_trace+0x16/0x20 [ 57.945950] save_stack+0x43/0xd0 [ 57.949363] kasan_kmalloc+0xad/0xe0 [ 57.953049] kmem_cache_alloc_trace+0xfb/0x2a0 [ 57.957593] binder_get_thread+0x15d/0x750 [ 57.961791] binder_poll+0x4a/0x210 [ 57.965379] SyS_epoll_ctl+0x11d7/0x2190 [ 57.969402] entry_SYSCALL_64_fastpath+0x23/0xc6 [ 57.974117] Freed: [ 57.976227] PID = 3283 [ 57.978688] save_stack_trace+0x16/0x20 [ 57.982625] save_stack+0x43/0xd0 [ 57.986038] kasan_slab_free+0x73/0xc0 [ 57.989888] kfree+0xf0/0x2f0 [ 57.992956] binder_thread_dec_tmpref+0x1cc/0x240 [ 57.997759] binder_thread_release+0x27d/0x540 [ 58.002303] binder_ioctl+0x9c0/0x11b0 [ 58.006153] do_vfs_ioctl+0x1aa/0x1140 [ 58.010002] SyS_ioctl+0x8f/0xc0 [ 58.013334] entry_SYSCALL_64_fastpath+0x23/0xc6 [ 58.018049] Memory state around the buggy address: [ 58.022940] ffff8801cc49e700: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 58.030262] ffff8801cc49e780: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 58.037582] >ffff8801cc49e800: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 58.044902] ^ [ 58.049532] ffff8801cc49e880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 58.056853] ffff88