INIT: Entering runlevel: 2
[info] Using makefile-style concurrent boot in runlevel 2.
[ ok ] Starting enhanced syslogd: rsyslogd.
[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.

Debian GNU/Linux 7 syzkaller ttyS0

Warning: Permanently added '10.128.0.45' (ECDSA) to the list of known hosts.
2018/04/12 05:55:32 parsed 1 programs
2018/04/12 05:55:32 executed programs: 0

syzkaller login: [ 27.810278] IPVS: ftp: loaded support on port[0] = 21
[ 27.819644] IPVS: ftp: loaded support on port[0] = 21
[ 27.822572] IPVS: ftp: loaded support on port[0] = 21
[ 27.846424] IPVS: ftp: loaded support on port[0] = 21
[ 27.850822] IPVS: ftp: loaded support on port[0] = 21
[ 27.868620] IPVS: ftp: loaded support on port[0] = 21
[ 27.875477] IPVS: ftp: loaded support on port[0] = 21
[ 27.889441] IPVS: ftp: loaded support on port[0] = 21
[ 28.030565] binder: BINDER_SET_CONTEXT_MGR already set
[ 28.036788] binder: 4488:4490 ERROR: BC_REGISTER_LOOPER called without request
[ 28.058157] binder: 4492:4493 ioctl 40046207 0 returned -16
[ 28.086644] binder: BINDER_SET_CONTEXT_MGR already set
[ 28.093869] binder: BINDER_SET_CONTEXT_MGR already set
[ 28.102313] binder: 4492:4493 ERROR: BC_REGISTER_LOOPER called without request
[ 28.112535] binder: 4494:4495 ioctl 40046207 0 returned -16
[ 28.113869] binder: 4496:4498 ioctl 40046207 0 returned -16
[ 28.128361] binder: 4494:4495 ERROR: BC_REGISTER_LOOPER called without request
[ 28.157563] binder: BINDER_SET_CONTEXT_MGR already set
[ 28.163858] binder: BINDER_SET_CONTEXT_MGR already set
[ 28.176875] binder: BINDER_SET_CONTEXT_MGR already set
[ 28.184367] binder: BINDER_SET_CONTEXT_MGR already set
[ 28.188145] binder: 4502:4505 ioctl 40046207 0 returned -16
[ 28.195630] binder: 4504:4509 ioctl 40046207 0 returned -16
[ 28.199075] binder: 4510:4511 ioctl 40046207 0 returned -16
[ 28.204391] binder: 4503:4508 ioctl 40046207 0 returned -16
[ 28.214451] binder: 4502:4505 ERROR: BC_REGISTER_LOOPER called without request
[ 28.217735] binder: 4510:4511 ERROR: BC_REGISTER_LOOPER called without request
[ 28.230582] binder: 4496:4498 ERROR: BC_REGISTER_LOOPER called without request
[ 28.238705] binder: 4504:4509 ERROR: BC_REGISTER_LOOPER called without request
[ 28.244359] binder: 4503:4508 ERROR: BC_REGISTER_LOOPER called without request
[ 28.826178] binder: release 4488:4490 transaction 3 out, still active
[ 28.833054] binder: release 4488:4490 transaction 2 in, still active
[ 28.839577] binder: undelivered TRANSACTION_COMPLETE
[ 28.842144] binder: 4492:4516 got new transaction with bad transaction stack, transaction 4 has target 4488:0
[ 28.854867] binder: 4492:4516 transaction failed 29201/-71, size 0-0 line 2875
[ 28.866556] binder: release 4492:4516 transaction 4 out, still active
[ 28.873267] binder: undelivered TRANSACTION_COMPLETE
[ 28.878423] binder: undelivered TRANSACTION_ERROR: 29201
[ 28.881114] binder: 4488:4515 BC_INCREFS_DONE u0000000000000000 node 1 cookie mismatch 0000000000000002 != 0000000000000000
[ 28.895842] binder: 4488:4515 DecRefs 0 refcount change on invalid ref 2 ret -22
[ 28.903450] binder: 4488:4515 DecRefs 0 refcount change on invalid ref 4 ret -22
[ 28.911076] binder: 4488:4515 BC_CLEAR_DEATH_NOTIFICATION invalid ref 2
[ 28.913600] binder: 4496:4518 got new transaction with bad transaction stack, transaction 7 has target 4488:0
[ 28.918120] binder: 4494:4517 got new transaction with bad transaction stack, transaction 6 has target 4488:0
[ 28.928188] binder: 4496:4518 transaction failed 29201/-71, size 0-0 line 2875
[ 28.938243] binder: 4494:4517 transaction failed 29201/-71, size 0-0 line 2875
[ 28.950392] binder: release 4496:4518 transaction 7 out, still active
[ 28.953053] binder: 4492:4520 BC_INCREFS_DONE u0000000000000000 no match
[ 28.953071] binder: 4492:4520 DecRefs 0 refcount change on invalid ref 2 ret -22
[ 28.953084] binder: 4492:4520 DecRefs 0 refcount change on invalid ref 4 ret -22
[ 28.953097] binder: 4492:4520 BC_CLEAR_DEATH_NOTIFICATION invalid ref 2
[ 28.959671] binder: undelivered TRANSACTION_COMPLETE
[ 28.959683] binder: undelivered TRANSACTION_ERROR: 29201
[ 28.962114] binder: 4488:4515 BC_REQUEST_DEATH_NOTIFICATION invalid ref 2
[ 28.967211] binder: 4492:4520 BC_REQUEST_DEATH_NOTIFICATION invalid ref 2
[ 28.974320] binder: 4504:4521 got new transaction with bad transaction stack, transaction 10 has target 4488:0
[ 28.983205] binder: 4503:4523 got new transaction with bad transaction stack, transaction 12 has target 4488:0
[ 28.988598] binder: 4504:4521 transaction failed 29201/-71, size 0-0 line 2875
[ 28.988693] binder: 4502:4522 got new transaction with bad transaction stack, transaction 11 has target 4488:0
[ 28.993819] binder: 4503:4523 transaction failed 29201/-71, size 0-0 line 2875
[ 28.999275] binder: 4502:4522 transaction failed 29201/-71, size 0-0 line 2875
[ 29.006317] binder: 4510:4524 got new transaction with bad transaction stack, transaction 14 has target 4488:0
[ 29.017444] binder: release 4504:4521 transaction 10 out, still active
[ 29.023413] binder: 4510:4524 transaction failed 29201/-71, size 0-0 line 2875
[ 29.024314] binder: 4494:4517 BC_INCREFS_DONE u0000000000000000 no match
[ 29.033643] binder: undelivered TRANSACTION_COMPLETE
[ 29.033658] binder: undelivered TRANSACTION_ERROR: 29201
[ 29.034236] binder: release 4503:4523 transaction 12 out, still active
[ 29.041068] binder: 4494:4517 DecRefs 0 refcount change on invalid ref 2 ret -22
[ 29.041083] binder: 4494:4517 DecRefs 0 refcount change on invalid ref 4 ret -22
[ 29.051226] binder: undelivered TRANSACTION_COMPLETE
[ 29.051244] binder: undelivered TRANSACTION_ERROR: 29201
[ 29.058607] binder: 4494:4517 BC_CLEAR_DEATH_NOTIFICATION invalid ref 2
[ 29.066173] binder: release 4502:4522 transaction 11 out, still active
[ 29.076867] binder: 4494:4517 BC_REQUEST_DEATH_NOTIFICATION invalid ref 2
[ 29.082857] binder: undelivered TRANSACTION_COMPLETE
[ 29.082869] binder: undelivered TRANSACTION_ERROR: 29201
[ 29.114939] binder: release 4510:4524 transaction 14 out, still active
[ 29.122062] binder: 4496:4525 BC_INCREFS_DONE u0000000000000000 no match
[ 29.129605] binder: undelivered TRANSACTION_COMPLETE
[ 29.134712] binder: 4496:4525 DecRefs 0 refcount change on invalid ref 2 ret -22
[ 29.134728] binder: 4496:4525 DecRefs 0 refcount change on invalid ref 4 ret -22
[ 29.140174] binder: undelivered TRANSACTION_ERROR: 29201
[ 29.147042] binder: 4496:4525 BC_CLEAR_DEATH_NOTIFICATION invalid ref 2
[ 29.165864] binder: 4504:4528 BC_INCREFS_DONE u0000000000000000 no match
[ 29.171983] binder: BINDER_SET_CONTEXT_MGR already set
[ 29.178324] binder: 4504:4528 DecRefs 0 refcount change on invalid ref 2 ret -22
[ 29.178339] binder: 4504:4528 DecRefs 0 refcount change on invalid ref 4 ret -22
[ 29.185331] binder: BINDER_SET_CONTEXT_MGR already set
[ 29.190344] binder: 4504:4528 BC_CLEAR_DEATH_NOTIFICATION invalid ref 2
[ 29.198253] binder: 4488:4530 ioctl 40046207 0 returned -16
[ 29.205524] binder: 4502:4527 BC_INCREFS_DONE u0000000000000000 no match
[ 29.211223] binder: 4492:4529 ioctl 40046207 0 returned -16
[ 29.217664] binder: 4502:4527 DecRefs 0 refcount change on invalid ref 2 ret -22
[ 29.217678] binder: 4502:4527 DecRefs 0 refcount change on invalid ref 4 ret -22
[ 29.224761] binder: 4503:4526 BC_INCREFS_DONE u0000000000000000 no match
[ 29.229835] binder: 4502:4527 BC_CLEAR_DEATH_NOTIFICATION invalid ref 2
[ 29.237374] binder: 4503:4526 DecRefs 0 refcount change on invalid ref 2 ret -22
[ 29.245177] binder_alloc: 4488: binder_alloc_buf, no vma
[ 29.250188] binder: 4503:4526 DecRefs 0 refcount change on invalid ref 4 ret -22
[ 29.250201] binder: 4503:4526 BC_CLEAR_DEATH_NOTIFICATION invalid ref 2
[ 29.250231] binder: 4504:4528 BC_REQUEST_DEATH_NOTIFICATION invalid ref 2
[ 29.251364] binder: 4496:4525 BC_REQUEST_DEATH_NOTIFICATION invalid ref 2
[ 29.257129] binder: 4496:4531 transaction failed 29189/-3, size 0-0 line 2963
[ 29.263349] binder: BINDER_SET_CONTEXT_MGR already set
[ 29.270062] binder: 4488:4515 ERROR: BC_REGISTER_LOOPER called without request
[ 29.365163] binder: 4503:4526 BC_REQUEST_DEATH_NOTIFICATION invalid ref 2
[ 29.366295] binder_alloc: 4488: binder_alloc_buf, no vma
[ 29.372821] binder: 4502:4527 BC_REQUEST_DEATH_NOTIFICATION invalid ref 2
[ 29.377619] binder: 4503:4533 transaction failed 29189/-3, size 0-0 line 2963
[ 29.377835] binder_alloc: 4488: binder_alloc_buf, no vma
[ 29.384670] binder: 4492:4520 ERROR: BC_REGISTER_LOOPER called without request
[ 29.391915] binder: 4502:4535 transaction failed 29189/-3, size 0-0 line 2963
[ 29.397982] binder: 4494:4532 ioctl 40046207 0 returned -16
[ 29.405101] binder_alloc: 4488: binder_alloc_buf, no vma
[ 29.414905] binder: 4494:4519 ERROR: BC_REGISTER_LOOPER called without request
[ 29.417841] binder: 4492:4529 transaction failed 29189/-3, size 0-0 line 2963
[ 29.417997] binder_alloc: 4488: binder_alloc_buf, no vma
[ 29.424697] binder_alloc: binder_alloc_mmap_handler: 4496 20ffd000-21000000 already mapped failed -16
[ 29.430738] binder: 4504:4528 transaction failed 29189/-3, size 0-0 line 2963
[ 29.431634] binder: undelivered TRANSACTION_ERROR: 29189
[ 29.438317] binder_alloc: 4488: binder_alloc_buf, no vma
[ 29.445640] binder: BINDER_SET_CONTEXT_MGR already set
[ 29.453141] binder: 4488:4530 transaction failed 29189/-3, size 0-0 line 2963
[ 29.453326] binder: 4510:4538 BC_INCREFS_DONE u0000000000000000 no match
[ 29.460651] binder: 4488:4536 BC_INCREFS_DONE u0000000000000000 no match
[ 29.465937] binder: 4510:4538 DecRefs 0 refcount change on invalid ref 2 ret -22
[ 29.465951] binder: 4510:4538 DecRefs 0 refcount change on invalid ref 4 ret -22
[ 29.465965] binder: 4510:4538 BC_CLEAR_DEATH_NOTIFICATION invalid ref 2
[ 29.466605] binder_alloc: 4488: binder_alloc_buf, no vma
[ 29.471468] binder: 4488:4536 DecRefs 0 refcount change on invalid ref 2 ret -22
[ 29.471483] binder: 4488:4536 DecRefs 0 refcount change on invalid ref 4 ret -22
[ 29.476800] binder: 4488:4515 transaction failed 29189/-3, size 0-0 line 2963
[ 29.484063] binder: 4488:4536 BC_CLEAR_DEATH_NOTIFICATION invalid ref 2
[ 29.491052] binder_alloc: 4488: binder_alloc_buf, no vma
[ 29.499155] binder: 4496:4531 ioctl 40046207 0 returned -16
[ 29.505316] binder: 4494:4519 transaction failed 29189/-3, size 0-0 line 2963
[ 29.505448] binder: 4496:4525 ERROR: BC_REGISTER_LOOPER called without request
[ 29.513252] binder_alloc: 4488: binder_alloc_buf, no vma
[ 29.522805] binder: 4510:4538 BC_REQUEST_DEATH_NOTIFICATION invalid ref 2
[ 29.525200] binder: 4510:4541 transaction failed 29189/-3, size 0-0 line 2963
[ 29.533292] binder_alloc: 4488: binder_alloc_buf, no vma
[ 29.541118] binder: BINDER_SET_CONTEXT_MGR already set
[ 29.547621] binder: 4492:4520 transaction failed 29189/-3, size 0-0 line 2963
[ 29.561338] binder: 4488:4536 BC_REQUEST_DEATH_NOTIFICATION invalid ref 2
[ 29.566364] binder: BINDER_SET_CONTEXT_MGR already set
[ 29.574595] binder: 4502:4527 ERROR: BC_REGISTER_LOOPER called without request
[ 29.580428] binder_alloc: 4488: binder_alloc_buf, no vma
[ 29.580457] binder: 4494:4537 transaction failed 29189/-3, size 0-0 line 2963
[ 29.586139] binder_alloc: 4488: binder_alloc_buf, no vma
[ 29.593420] binder: 4503:4533 ioctl 40046207 0 returned -16
[ 29.600308] binder: 4496:4534 transaction failed 29189/-3, size 0-0 line 2963
[ 29.600668] binder: BINDER_SET_CONTEXT_MGR already set
[ 29.606113] binder: 4504:4528 ERROR: BC_REGISTER_LOOPER called without request
[ 29.611144] binder_alloc: 4488: binder_alloc_buf, no vma
[ 29.619097] binder: 4503:4526 ERROR: BC_REGISTER_LOOPER called without request
[ 29.625335] binder: 4494:4532 transaction failed 29189/-3, size 0-0 line 2963
[ 29.630758] binder_alloc: 4488: binder_alloc_buf, no vma
[ 29.638347] binder: undelivered TRANSACTION_ERROR: 29189
[ 29.643613] binder: 4504:4545 transaction failed 29189/-3, size 0-0 line 2963
[ 29.657363] binder_alloc: 4488: binder_alloc_buf, no vma
[ 29.667443] binder: 4502:4535 ioctl 40046207 0 returned -16
[ 29.669486] binder: 4496:4525 transaction failed 29189/-3, size 0-0 line 2963
[ 29.674840] binder_alloc: 4488: binder_alloc_buf, no vma
[ 29.684985] binder: release 4492:4520 transaction 18 out, still active
[ 29.687683] binder: 4503:4546 transaction failed 29189/-3, size 0-0 line 2963
[ 29.695079] binder: undelivered TRANSACTION_COMPLETE
[ 29.702916] binder_alloc: 4488: binder_alloc_buf, no vma
[ 29.739659] binder: BINDER_SET_CONTEXT_MGR already set
[ 29.744645] binder: 4502:4544 transaction failed 29189/-3, size 0-0 line 2963
[ 29.749132] binder: 4504:4543 ioctl 40046207 0 returned -16
[ 29.763096] binder: BINDER_SET_CONTEXT_MGR already set
[ 29.772833] binder: 4551:4552 ioctl 40046207 0 returned -16
[ 29.781406] binder: 4554:4555 ioctl 40046207 0 returned -16
[ 29.782084] binder_alloc: 4488: binder_alloc_buf, no vma
[ 29.788880] binder: undelivered TRANSACTION_ERROR: 29189
[ 29.793053] binder: 4503:4526 transaction failed 29189/-3, size 0-0 line 2963
[ 29.799330] binder: release 4488:4515 transaction 19 in, still active
[ 29.809089] binder: 4504:4556 transaction failed 29189/-22, size 0-0 line 2848
[ 29.810049] binder: send failed reply for transaction 19 to 4488:4515
[ 29.830870] binder: 4547:4548 ERROR: BC_REGISTER_LOOPER called without request
[ 29.836997] ==================================================================
[ 29.852706] binder: 4547:4548 got new transaction with bad transaction stack, transaction 42 has target 4547:0
[ 29.858219] BUG: KASAN: use-after-free in __list_del_entry_valid+0xe7/0xf3
[ 29.858231] Read of size 8 at addr ffff8801b5ca3310 by task kworker/1:1/25
[ 29.858234]
[ 29.858249] CPU: 1 PID: 25 Comm: kworker/1:1 Not tainted 4.16.0+ #17
[ 29.858257] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 29.858274] Workqueue: events binder_deferred_func
[ 29.858282] Call Trace:
[ 29.858299] dump_stack+0x1b9/0x294
[ 29.858316] ? dump_stack_print_info.cold.2+0x52/0x52
[ 29.858329] ? printk+0x9e/0xba
[ 29.858342] ? kmsg_dump_rewind_nolock+0xe4/0xe4
[ 29.858359] ? kasan_check_write+0x14/0x20
[ 29.868770] binder: 4547:4548 transaction failed 29201/-71, size 0-0 line 2875
[ 29.875728] print_address_description+0x6c/0x20b
[ 29.875742] ? __list_del_entry_valid+0xe7/0xf3
[ 29.875759] kasan_report.cold.7+0xac/0x2f5
[ 29.885467] binder: 4503:4533 BC_INCREFS_DONE u0000000000000000 no match
[ 29.886975] __asan_report_load8_noabort+0x14/0x20
[ 29.886990] __list_del_entry_valid+0xe7/0xf3
[ 29.887007] binder_release_work+0x114/0x4b0
[ 29.887026] ? binder_cleanup_transaction+0x130/0x130
[ 29.887039] ? kfree+0x111/0x260
[ 29.887053] ? binder_free_transaction+0x6a/0xa0
[ 29.887065] ? trace_hardirqs_on_caller+0x421/0x5c0
[ 29.887080] ? trace_hardirqs_on+0xd/0x10
[ 29.893572] binder: 4503:4533 DecRefs 0 refcount change on invalid ref 2 ret -22
[ 29.902880] ? kasan_check_write+0x14/0x20
[ 29.902894] ? binder_free_transaction+0x7b/0xa0
[ 29.902908] ? binder_send_failed_reply+0x219/0x290
[ 29.902922] binder_thread_release+0x519/0x660
[ 29.902937] ? binder_release_work+0x4b0/0x4b0
[ 29.902954] ? _raw_spin_unlock+0x22/0x30
[ 29.907891] binder: 4503:4533 DecRefs 0 refcount change on invalid ref 4 ret -22
[ 29.910428] binder_deferred_func+0x6ce/0x1320
[ 29.910441] ? rcu_is_watching+0x85/0x140
[ 29.910463] ? binder_cleanup_ref_olocked+0x7a0/0x7a0
[ 29.914098] binder: 4503:4533 BC_CLEAR_DEATH_NOTIFICATION invalid ref 2
[ 29.919227] ? lock_downgrade+0x8e0/0x8e0
[ 29.919244] ? find_held_lock+0x36/0x1c0
[ 29.919257] ? graph_lock+0x170/0x170
[ 29.919271] ? lock_acquire+0x1dc/0x520
[ 29.919284] ? process_one_work+0xb46/0x1b50
[ 29.919299] ? _raw_spin_unlock_irqrestore+0x63/0xc0
[ 29.922678] binder: 4502:4527 BC_INCREFS_DONE u0000000000000000 no match
[ 29.927288] ? __lock_is_held+0xb5/0x140
[ 29.927316] process_one_work+0xc1e/0x1b50
[ 29.931545] binder: 4502:4527 DecRefs 0 refcount change on invalid ref 2 ret -22
[ 29.938855] ? finish_task_switch+0x182/0x820
[ 29.938877] ? pwq_dec_nr_in_flight+0x490/0x490
[ 29.938898] ? __schedule+0x80f/0x1e40
[ 29.943749] binder: 4502:4527 DecRefs 0 refcount change on invalid ref 4 ret -22
[ 29.948366] ? pick_next_task_fair+0x97f/0x1670
[ 29.948378] ? graph_lock+0x170/0x170
[ 29.948389] ? graph_lock+0x170/0x170
[ 29.948405] ? find_held_lock+0x36/0x1c0
[ 29.952724] binder: 4502:4527 BC_CLEAR_DEATH_NOTIFICATION invalid ref 2
[ 29.959520] ? find_held_lock+0x36/0x1c0
[ 29.959536] ? lock_acquire+0x1dc/0x520
[ 29.959551] ? lock_downgrade+0x8e0/0x8e0
[ 29.964573] binder: 4504:4528 BC_INCREFS_DONE u0000000000000000 no match
[ 29.968926] ? lock_release+0xa10/0xa10
[ 29.968941] ? kasan_check_read+0x11/0x20
[ 29.968958] ? do_raw_spin_trylock+0x1b0/0x1b0
[ 29.973364] binder: 4504:4528 DecRefs 0 refcount change on invalid ref 2 ret -22
[ 29.978513] worker_thread+0x1cc/0x1440
[ 29.978540] ? process_one_work+0x1b50/0x1b50
[ 29.981896] binder: 4504:4528 DecRefs 0 refcount change on invalid ref 4 ret -22
[ 29.986606] ? graph_lock+0x170/0x170
[ 29.986619] ? find_held_lock+0x36/0x1c0
[ 29.986641] ? find_held_lock+0x36/0x1c0
[ 29.991673] binder: 4504:4528 BC_CLEAR_DEATH_NOTIFICATION invalid ref 2
[ 29.995761] ? schedule+0xef/0x430
[ 29.995782] ? __schedule+0x1e40/0x1e40
[ 30.004883] binder: 4551:4552 ERROR: BC_REGISTER_LOOPER called without request
[ 30.007496] ? do_raw_spin_unlock+0x9e/0x2e0
[ 30.007511] ? do_raw_spin_trylock+0x1b0/0x1b0
[ 30.007526] ? _raw_spin_unlock_irqrestore+0x74/0xc0
[ 30.007544] ? trace_hardirqs_on_caller+0x421/0x5c0
[ 30.013535] binder: release 4547:4548 transaction 42 out, still active
[ 30.017444] ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[ 30.017459] ? __kthread_parkme+0x1b7/0x280
[ 30.017476] kthread+0x345/0x410
[ 30.017494] ? process_one_work+0x1b50/0x1b50
[ 30.022071] binder: release 4547:4548 transaction 40 in, still active
[ 30.026601] ? kthread_bind+0x40/0x40
[ 30.026618] ret_from_fork+0x3a/0x50
[ 30.026635]
[ 30.030806] binder: undelivered TRANSACTION_COMPLETE
[ 30.038254] Allocated by task 4515:
[ 30.038269] save_stack+0x43/0xd0
[ 30.038280] kasan_kmalloc+0xc4/0xe0
[ 30.038294] kmem_cache_alloc_trace+0x152/0x780
[ 30.042883] binder: undelivered TRANSACTION_ERROR: 29201
[ 30.046967] binder_transaction+0x144e/0x7930
[ 30.046979] binder_thread_write+0xdbb/0x2c40
[ 30.046996] binder_ioctl_write_read.isra.41+0x2be/0xaf0
[ 30.052436] binder: 4504:4528 BC_REQUEST_DEATH_NOTIFICATION invalid ref 2
[ 30.059061] binder_ioctl+0xcbe/0x13fd
[ 30.059074] do_vfs_ioctl+0x1cf/0x1650
[ 30.059084] ksys_ioctl+0xa9/0xd0
[ 30.059096] SyS_ioctl+0x24/0x30
[ 30.059109] do_syscall_64+0x29e/0x9d0
[ 30.059124] entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 30.064058] binder: 4503:4533 BC_REQUEST_DEATH_NOTIFICATION invalid ref 2
[ 30.067271]
[ 30.067278] Freed by task 25:
[ 30.067292] save_stack+0x43/0xd0
[ 30.067304] __kasan_slab_free+0x11a/0x170
[ 30.067316] kasan_slab_free+0xe/0x10
[ 30.067330] kfree+0xd9/0x260
[ 30.072115] binder: 4502:4527 BC_REQUEST_DEATH_NOTIFICATION invalid ref 2
[ 30.075057] binder_free_transaction+0x6a/0xa0
[ 30.075070] binder_send_failed_reply+0x214/0x290
[ 30.075082] binder_thread_release+0x504/0x660
[ 30.075094] binder_deferred_func+0x6ce/0x1320
[ 30.075110] process_one_work+0xc1e/0x1b50
[ 30.169058] binder: 4554:4555 ERROR: BC_REGISTER_LOOPER called without request
[ 30.169605] worker_thread+0x1cc/0x1440
[ 30.181081] binder: BINDER_SET_CONTEXT_MGR already set
[ 30.182252] kthread+0x345/0x410
[ 30.182267] ret_from_fork+0x3a/0x50
[ 30.182271]
[ 30.182282] The buggy address belongs to the object at ffff8801b5ca3300
[ 30.182282] which belongs to the cache kmalloc-192 of size 192
[ 30.182294] The buggy address is located 16 bytes inside of
[ 30.182294] 192-byte region [ffff8801b5ca3300, ffff8801b5ca33c0)
[ 30.182298] The buggy address belongs to the page:
[ 30.182310] page:ffffea0006d728c0 count:1 mapcount:0 mapping:ffff8801b5ca3000 index:0x0
[ 30.182322] flags: 0x2fffc0000000100(slab)
[ 30.182342] raw: 02fffc0000000100 ffff8801b5ca3000 0000000000000000 0000000100000010
[ 30.193722] binder: 4565:4572 ioctl 40046207 0 returned -16
[ 30.193911] raw: ffffea0007659b60 ffffea000765dd60 ffff8801dac00040 0000000000000000
[ 30.200116] binder: 4565:4572 ERROR: BC_REGISTER_LOOPER called without request
[ 30.205886] page dumped because: kasan: bad access detected
[ 30.205891]
[ 30.205894] Memory state around the buggy address:
[ 30.205906] ffff8801b5ca3200: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 30.205917] ffff8801b5ca3280: 00 00 00 00 00 00 fc fc fc fc fc fc fc fc fc fc
[ 30.205927] >ffff8801b5ca3300: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 30.205933] ^
[ 30.205943] ffff8801b5ca3380: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 30.205954] ffff8801b5ca3400: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 30.205959] ==================================================================
[ 30.205963] Disabling lock debugging due to kernel taint
[ 30.206142] Kernel panic - not syncing: panic_on_warn set ...
[ 30.206142]
[ 30.216245] binder: BINDER_SET_CONTEXT_MGR already set
[ 30.217881] CPU: 1 PID: 25 Comm: kworker/1:1 Tainted: G B 4.16.0+ #17
[ 30.217888] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 30.217907] Workqueue: events binder_deferred_func
[ 30.217914] Call Trace:
[ 30.217931] dump_stack+0x1b9/0x294
[ 30.217948] ? dump_stack_print_info.cold.2+0x52/0x52
[ 30.225442] binder: 4568:4573 ioctl 40046207 0 returned -16
[ 30.228192] ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 30.228207] ? __list_del_entry_valid+0xb0/0xf3
[ 30.228220] panic+0x22f/0x4de
[ 30.228233] ? add_taint.cold.5+0x16/0x16
[ 30.228250] ? do_raw_spin_unlock+0x9e/0x2e0
[ 30.228265] ? do_raw_spin_unlock+0x9e/0x2e0
[ 30.232560] binder: BINDER_SET_CONTEXT_MGR already set
[ 30.239571] ? __list_del_entry_valid+0xe7/0xf3
[ 30.239586] kasan_end_report+0x47/0x4f
[ 30.239599] kasan_report.cold.7+0xc9/0x2f5
[ 30.239614] __asan_report_load8_noabort+0x14/0x20
[ 30.239624] __list_del_entry_valid+0xe7/0xf3
[ 30.239641] binder_release_work+0x114/0x4b0
[ 30.244457] binder: BINDER_SET_CONTEXT_MGR already set
[ 30.248578] ? binder_cleanup_transaction+0x130/0x130
[ 30.248589] ? kfree+0x111/0x260
[ 30.248604] ? binder_free_transaction+0x6a/0xa0
[ 30.254371] binder: 4566:4570 ioctl 40046207 0 returned -16
[ 30.258676] ? trace_hardirqs_on_caller+0x421/0x5c0
[ 30.258685] ? trace_hardirqs_on+0xd/0x10
[ 30.258696] ? kasan_check_write+0x14/0x20
[ 30.258706] ? binder_free_transaction+0x7b/0xa0
[ 30.258718] ? binder_send_failed_reply+0x219/0x290
[ 30.258732] binder_thread_release+0x519/0x660
[ 30.258747] ? binder_release_work+0x4b0/0x4b0
[ 30.258762] ? _raw_spin_unlock+0x22/0x30
[ 30.258776] binder_deferred_func+0x6ce/0x1320
[ 30.258788] ? rcu_is_watching+0x85/0x140
[ 30.258805] ? binder_cleanup_ref_olocked+0x7a0/0x7a0
[ 30.265949] binder: 4564:4571 ioctl 40046207 0 returned -16
[ 30.270953] ? lock_downgrade+0x8e0/0x8e0
[ 30.270967] ? find_held_lock+0x36/0x1c0
[ 30.270980] ? graph_lock+0x170/0x170
[ 30.270993] ? lock_acquire+0x1dc/0x520
[ 30.271008] ? process_one_work+0xb46/0x1b50
[ 30.271021] ? _raw_spin_unlock_irqrestore+0x63/0xc0
[ 30.271035] ? __lock_is_held+0xb5/0x140
[ 30.271055] process_one_work+0xc1e/0x1b50
[ 30.276308] binder: 4568:4573 ERROR: BC_REGISTER_LOOPER called without request
[ 30.278689] ? finish_task_switch+0x182/0x820
[ 30.278709] ? pwq_dec_nr_in_flight+0x490/0x490
[ 30.278727] ? __schedule+0x80f/0x1e40
[ 30.278743] ? pick_next_task_fair+0x97f/0x1670
[ 30.278756] ? graph_lock+0x170/0x170
[ 30.285693] binder: BINDER_SET_CONTEXT_MGR already set
[ 30.289777] ? graph_lock+0x170/0x170
[ 30.289791] ? find_held_lock+0x36/0x1c0
[ 30.289806] ? find_held_lock+0x36/0x1c0
[ 30.289821] ? lock_acquire+0x1dc/0x520
[ 30.289832] ? lock_downgrade+0x8e0/0x8e0
[ 30.289846] ? lock_release+0xa10/0xa10
[ 30.294608] binder: 4566:4570 ERROR: BC_REGISTER_LOOPER called without request
[ 30.297308] ? kasan_check_read+0x11/0x20
[ 30.297323] ? do_raw_spin_trylock+0x1b0/0x1b0
[ 30.297343] worker_thread+0x1cc/0x1440
[ 30.297361] ? process_one_work+0x1b50/0x1b50
[ 30.297375] ? graph_lock+0x170/0x170
[ 30.299924] binder: 4564:4571 ERROR: BC_REGISTER_LOOPER called without request
[ 30.304056] ? find_held_lock+0x36/0x1c0
[ 30.304073] ? find_held_lock+0x36/0x1c0
[ 30.304092] ? schedule+0xef/0x430
[ 30.304105] ? __schedule+0x1e40/0x1e40
[ 30.304119] ? do_raw_spin_unlock+0x9e/0x2e0
[ 30.304135] ? do_raw_spin_trylock+0x1b0/0x1b0
[ 30.307903] binder: 4567:4574 ioctl 40046207 0 returned -16
[ 30.311165] ? _raw_spin_unlock_irqrestore+0x74/0xc0
[ 30.311178] ? trace_hardirqs_on_caller+0x421/0x5c0
[ 30.311195] ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[ 30.311209] ? __kthread_parkme+0x1b7/0x280
[ 30.311222] kthread+0x345/0x410
[ 30.311235] ? process_one_work+0x1b50/0x1b50
[ 30.311249] ? kthread_bind+0x40/0x40
[ 30.317276] binder: 4567:4574 ERROR: BC_REGISTER_LOOPER called without request
[ 30.319583] ret_from_fork+0x3a/0x50
[ 30.320061] Dumping ftrace buffer:
[ 30.320066] (ftrace buffer empty)
[ 30.320070] Kernel Offset: disabled
[ 30.985067] Rebooting in 86400 seconds..