[ 20.806332] random: sshd: uninitialized urandom read (32 bytes read, 35 bits of entropy available) [ ok ] Starting file context maintaining daemon: restorecond. [ ok ] Starting OpenBSD Secure Shell server: sshd. [ 21.746455] random: sshd: uninitialized urandom read (32 bytes read, 36 bits of entropy available) [ 22.001983] random: sshd: uninitialized urandom read (32 bytes read, 38 bits of entropy available) Debian GNU/Linux 7 syzkaller ttyS0 syzkaller login: [ 22.928703] random: sshd: uninitialized urandom read (32 bytes read, 102 bits of entropy available) [ 30.471662] random: sshd: uninitialized urandom read (32 bytes read, 112 bits of entropy available) Warning: Permanently added '10.128.0.51' (ECDSA) to the list of known hosts. [ 35.835223] random: sshd: uninitialized urandom read (32 bytes read, 115 bits of entropy available) 2018/03/05 12:32:15 parsed 1 programs 2018/03/05 12:32:15 executed programs: 0 [ 36.193791] IPVS: Creating netns size=2552 id=1 [ 36.219037] IPVS: Creating netns size=2552 id=2 [ 36.239076] audit: type=1400 audit(1520253135.394:5): avc: denied { set_context_mgr } for pid=3786 comm="syz-executor0" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=binder permissive=1 [ 36.264085] binder: 3786:3787 ERROR: BC_REGISTER_LOOPER called without request [ 36.266368] IPVS: Creating netns size=2552 id=3 [ 36.287133] IPVS: Creating netns size=2552 id=4 [ 36.294855] audit: type=1400 audit(1520253135.454:6): avc: denied { call } for pid=3786 comm="syz-executor0" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=binder permissive=1 [ 36.299115] binder: BINDER_SET_CONTEXT_MGR already set [ 36.299119] binder: 3795:3796 ioctl 40046207 0 returned -16 [ 36.299640] binder: 3795:3796 ERROR: BC_REGISTER_LOOPER called without request [ 36.323971] binder: release 3786:3787 
transaction 3 in, still active [ 36.323976] binder: send failed reply for transaction 3 to 3786:3797 [ 36.325294] binder: 3795:3798 got new transaction with bad transaction stack, transaction 4 has target 3786:0 [ 36.325300] binder: 3795:3798 transaction failed 29201/-71, size 0-0 line 3032 [ 36.326281] binder: 3786:3787 BC_ACQUIRE_DONE u0000000000000000 node 1 cookie mismatch 0000000000000004 != 0000000000000000 [ 36.326439] binder: release 3795:3798 transaction 4 out, still active [ 36.326442] binder: undelivered TRANSACTION_COMPLETE [ 36.326456] binder: undelivered TRANSACTION_ERROR: 29201 [ 36.331852] binder: 3795:3798 BC_ACQUIRE_DONE u0000000000000000 no match [ 36.343075] binder: BINDER_SET_CONTEXT_MGR already set [ 36.343080] binder: 3802:3803 ioctl 40046207 0 returned -16 [ 36.343618] binder: 3802:3803 ERROR: BC_REGISTER_LOOPER called without request [ 36.358690] binder: BINDER_SET_CONTEXT_MGR already set [ 36.358695] binder: 3807:3808 ioctl 40046207 0 returned -16 [ 36.359213] binder: 3807:3808 ERROR: BC_REGISTER_LOOPER called without request [ 36.366197] binder: BINDER_SET_CONTEXT_MGR already set [ 36.366202] binder: 3786:3809 ioctl 40046207 0 returned -16 [ 36.367059] binder_alloc: 3786: binder_alloc_buf, no vma [ 36.367086] binder: 3802:3810 transaction failed 29189/-3, size 0-0 line 3128 [ 36.367343] binder: 3786:3797 ERROR: BC_REGISTER_LOOPER called without request [ 36.367410] binder_alloc: 3786: binder_alloc_buf, no vma [ 36.367432] binder: 3786:3809 transaction failed 29189/-3, size 0-0 line 3128 [ 36.368846] binder_alloc: 3786: binder_alloc_buf, no vma [ 36.368868] binder: 3786:3797 transaction failed 29189/-3, size 0-0 line 3128 [ 36.368880] binder: undelivered TRANSACTION_ERROR: 29189 [ 36.369001] binder: BINDER_SET_CONTEXT_MGR already set [ 36.369004] binder: 3795:3811 ioctl 40046207 0 returned -16 [ 36.369400] binder: undelivered TRANSACTION_ERROR: 29189 [ 36.370031] binder: 3786:3809 BC_ACQUIRE_DONE u0000000000000000 no match [ 36.370128] 
binder: 3795:3806 ERROR: BC_REGISTER_LOOPER called without request [ 36.370180] binder_alloc: 3786: binder_alloc_buf, no vma [ 36.370202] binder: 3795:3811 transaction failed 29189/-3, size 0-0 line 3128 [ 36.371199] binder_alloc: 3786: binder_alloc_buf, no vma [ 36.371220] binder: 3786:3809 transaction failed 29189/-3, size 0-0 line 3128 [ 36.371350] binder_alloc: 3786: binder_alloc_buf, no vma [ 36.371371] binder: 3795:3806 transaction failed 29189/-3, size 0-0 line 3128 [ 36.371382] binder: undelivered TRANSACTION_ERROR: 29189 [ 36.371616] binder: 3802:3810 BC_ACQUIRE_DONE u0000000000000000 no match [ 36.372523] binder: 3795:3811 BC_ACQUIRE_DONE u0000000000000000 no match [ 36.373766] binder_alloc: 3786: binder_alloc_buf, no vma [ 36.373787] binder: 3795:3811 transaction failed 29189/-3, size 0-0 line 3128 [ 36.382114] binder_alloc: 3786: binder_alloc_buf, no vma [ 36.382138] binder: 3807:3812 transaction failed 29189/-3, size 0-0 line 3128 [ 36.387852] binder: undelivered TRANSACTION_ERROR: 29189 [ 36.388142] binder: release 3795:3806 transaction 7 out, still active [ 36.388144] binder: undelivered TRANSACTION_COMPLETE [ 36.388272] binder: undelivered TRANSACTION_ERROR: 29189 [ 36.394399] binder: 3807:3812 BC_ACQUIRE_DONE u0000000000000000 no match [ 36.394521] binder_alloc: 3786: binder_alloc_buf, no vma [ 36.394615] binder: 3802:3815 transaction failed 29189/-3, size 0-0 line 3128 [ 36.395016] binder: BINDER_SET_CONTEXT_MGR already set [ 36.395020] binder: 3813:3814 ioctl 40046207 0 returned -16 [ 36.395603] binder: 3813:3814 ERROR: BC_REGISTER_LOOPER called without request [ 36.406148] binder: BINDER_SET_CONTEXT_MGR already set [ 36.406153] binder: 3802:3816 ioctl 40046207 0 returned -16 [ 36.407285] binder: 3802:3815 ERROR: BC_REGISTER_LOOPER called without request [ 36.407343] binder_alloc: 3786: binder_alloc_buf, no vma [ 36.407366] binder: 3802:3816 transaction failed 29189/-3, size 0-0 line 3128 [ 36.408524] binder_alloc: 3786: binder_alloc_buf, no vma 
[ 36.408570] binder: 3802:3815 transaction failed 29189/-3, size 0-0 line 3128 [ 36.408596] binder: undelivered TRANSACTION_ERROR: 29189 [ 36.409821] binder: 3802:3816 BC_ACQUIRE_DONE u0000000000000000 no match [ 36.410982] binder_alloc: 3786: binder_alloc_buf, no vma [ 36.411004] binder: 3802:3816 transaction failed 29189/-3, size 0-0 line 3128 [ 36.417559] binder_alloc: 3786: binder_alloc_buf, no vma [ 36.417584] binder: 3807:3817 transaction failed 29189/-3, size 0-0 line 3128 [ 36.417722] binder_alloc: 3786: binder_alloc_buf, no vma [ 36.417744] binder: 3813:3818 transaction failed 29189/-3, size 0-0 line 3128 [ 36.419970] binder: undelivered TRANSACTION_ERROR: 29189 [ 36.423182] binder: undelivered TRANSACTION_ERROR: 29189 [ 36.423298] binder: undelivered TRANSACTION_ERROR: 29189 [ 36.431181] binder: 3813:3818 BC_ACQUIRE_DONE u0000000000000000 no match [ 36.432805] binder: BINDER_SET_CONTEXT_MGR already set [ 36.432810] binder: 3807:3820 ioctl 40046207 0 returned -16 [ 36.433291] binder: BINDER_SET_CONTEXT_MGR already set [ 36.433295] binder: 3819:3821 ioctl 40046207 0 returned -16 [ 36.433872] binder: 3819:3821 ERROR: BC_REGISTER_LOOPER called without request [ 36.433951] binder: 3807:3817 ERROR: BC_REGISTER_LOOPER called without request [ 36.434008] binder_alloc: 3786: binder_alloc_buf, no vma [ 36.434031] binder: 3807:3820 transaction failed 29189/-3, size 0-0 line 3128 [ 36.435194] binder_alloc: 3786: binder_alloc_buf, no vma [ 36.435216] binder: 3807:3817 transaction failed 29189/-3, size 0-0 line 3128 [ 36.435230] binder: undelivered TRANSACTION_ERROR: 29189 [ 36.436472] binder: 3807:3820 BC_ACQUIRE_DONE u0000000000000000 no match [ 36.437641] binder_alloc: 3786: binder_alloc_buf, no vma [ 36.437664] binder: 3807:3820 transaction failed 29189/-3, size 0-0 line 3128 [ 36.449881] binder: undelivered TRANSACTION_ERROR: 29189 [ 36.449998] binder: undelivered TRANSACTION_ERROR: 29189 [ 36.455217] binder_alloc: 3786: binder_alloc_buf, no vma [ 36.455241] 
binder: 3813:3822 transaction failed 29189/-3, size 0-0 line 3128 [ 36.456373] binder_alloc: 3786: binder_alloc_buf, no vma [ 36.456396] binder: 3819:3824 transaction failed 29189/-3, size 0-0 line 3128 [ 36.456827] binder: BINDER_SET_CONTEXT_MGR already set [ 36.456831] binder: 3823:3825 ioctl 40046207 0 returned -16 [ 36.457432] binder: 3823:3825 ERROR: BC_REGISTER_LOOPER called without request [ 36.458619] binder: undelivered TRANSACTION_ERROR: 29189 [ 36.460857] binder: 3819:3824 BC_ACQUIRE_DONE u0000000000000000 no match [ 36.466821] binder: BINDER_SET_CONTEXT_MGR already set [ 36.466827] binder: 3813:3826 ioctl 40046207 0 returned -16 [ 36.467964] binder: 3813:3822 ERROR: BC_REGISTER_LOOPER called without request [ 36.468021] binder_alloc: 3786: binder_alloc_buf, no vma [ 36.468057] binder: 3813:3826 transaction failed 29189/-3, size 0-0 line 3128 [ 36.469225] binder_alloc: 3786: binder_alloc_buf, no vma [ 36.469254] binder: 3813:3822 transaction failed 29189/-3, size 0-0 line 3128 [ 36.469271] binder: undelivered TRANSACTION_ERROR: 29189 [ 36.470436] binder: 3813:3826 BC_ACQUIRE_DONE u0000000000000000 no match [ 36.471694] binder_alloc: 3786: binder_alloc_buf, no vma [ 36.471717] binder: 3813:3826 transaction failed 29189/-3, size 0-0 line 3128 [ 36.479429] binder_alloc: 3786: binder_alloc_buf, no vma [ 36.479455] binder: 3823:3827 transaction failed 29189/-3, size 0-0 line 3128 [ 36.481673] binder: undelivered TRANSACTION_ERROR: 29189 [ 36.487882] binder: undelivered TRANSACTION_ERROR: 29189 [ 36.487940] binder: undelivered TRANSACTION_ERROR: 29189 [ 36.489131] binder_alloc: 3786: binder_alloc_buf, no vma [ 36.489155] binder: 3819:3828 transaction failed 29189/-3, size 0-0 line 3128 [ 36.490226] binder: 3823:3827 BC_ACQUIRE_DONE u0000000000000000 no match [ 36.490957] binder: BINDER_SET_CONTEXT_MGR already set [ 36.490961] binder: 3829:3830 ioctl 40046207 0 returned -16 [ 36.491582] binder: 3829:3830 ERROR: BC_REGISTER_LOOPER called without request [ 
36.500695] binder: BINDER_SET_CONTEXT_MGR already set [ 36.500699] binder: 3819:3831 ioctl 40046207 0 returned -16 [ 36.501833] binder: 3819:3828 ERROR: BC_REGISTER_LOOPER called without request [ 36.501891] binder_alloc: 3786: binder_alloc_buf, no vma [ 36.501915] binder: 3819:3831 transaction failed 29189/-3, size 0-0 line 3128 [ 36.503070] binder_alloc: 3786: binder_alloc_buf, no vma [ 36.503092] binder: 3819:3828 transaction failed 29189/-3, size 0-0 line 3128 [ 36.503104] binder: undelivered TRANSACTION_ERROR: 29189 [ 36.504270] binder: 3819:3831 BC_ACQUIRE_DONE u0000000000000000 no match [ 36.505439] binder_alloc: 3786: binder_alloc_buf, no vma [ 36.505462] binder: 3819:3831 transaction failed 29189/-3, size 0-0 line 3128 [ 36.513609] binder_alloc: 3786: binder_alloc_buf, no vma [ 36.513633] binder: 3823:3833 transaction failed 29189/-3, size 0-0 line 3128 [ 36.513712] binder_alloc: 3786: binder_alloc_buf, no vma [ 36.513733] binder: 3829:3832 transaction failed 29189/-3, size 0-0 line 3128 [ 36.517681] binder: undelivered TRANSACTION_ERROR: 29189 [ 36.517797] binder: undelivered TRANSACTION_ERROR: 29189 [ 36.517904] binder: undelivered TRANSACTION_ERROR: 29189 [ 36.523424] binder: 3829:3832 BC_ACQUIRE_DONE u0000000000000000 no match [ 36.523928] binder: BINDER_SET_CONTEXT_MGR already set [ 36.523932] binder: 3834:3835 ioctl 40046207 0 returned -16 [ 36.524895] binder: 3834:3835 ERROR: BC_REGISTER_LOOPER called without request [ 36.525183] binder: BINDER_SET_CONTEXT_MGR already set [ 36.525187] binder: 3823:3836 ioctl 40046207 0 returned -16 [ 36.526314] binder: 3823:3833 ERROR: BC_REGISTER_LOOPER called without request [ 36.526370] binder_alloc: 3786: binder_alloc_buf, no vma [ 36.526394] binder: 3823:3836 transaction failed 29189/-3, size 0-0 line 3128 [ 36.527544] binder_alloc: 3786: binder_alloc_buf, no vma [ 36.527565] binder: 3823:3833 transaction failed 29189/-3, size 0-0 line 3128 [ 36.527578] binder: undelivered TRANSACTION_ERROR: 29189 [ 36.528719] 
binder: 3823:3836 BC_ACQUIRE_DONE u0000000000000000 no match [ 36.529881] binder_alloc: 3786: binder_alloc_buf, no vma [ 36.529903] binder: 3823:3836 transaction failed 29189/-3, size 0-0 line 3128 [ 36.542073] binder: undelivered TRANSACTION_ERROR: 29189 [ 36.542193] binder: undelivered TRANSACTION_ERROR: 29189 [ 36.547853] binder_alloc: 3786: binder_alloc_buf, no vma [ 36.547883] binder: 3829:3837 transaction failed 29189/-3, size 0-0 line 3128 [ 36.547972] binder_alloc: 3786: binder_alloc_buf, no vma [ 36.547993] binder: 3834:3838 transaction failed 29189/-3, size 0-0 line 3128 [ 36.549479] binder: BINDER_SET_CONTEXT_MGR already set [ 36.549484] binder: 3839:3840 ioctl 40046207 0 returned -16 [ 36.550069] binder: 3839:3840 ERROR: BC_REGISTER_LOOPER called without request [ 36.550234] binder: undelivered TRANSACTION_ERROR: 29189 [ 36.552476] binder: 3834:3838 BC_ACQUIRE_DONE u0000000000000000 no match [ 36.559441] binder: BINDER_SET_CONTEXT_MGR already set [ 36.559446] binder: 3829:3841 ioctl 40046207 0 returned -16 [ 36.560552] binder: 3829:3837 ERROR: BC_REGISTER_LOOPER called without request [ 36.560609] binder_alloc: 3786: binder_alloc_buf, no vma [ 36.560632] binder: 3829:3841 transaction failed 29189/-3, size 0-0 line 3128 [ 36.561785] binder_alloc: 3786: binder_alloc_buf, no vma [ 36.561806] binder: 3829:3837 transaction failed 29189/-3, size 0-0 line 3128 [ 36.561818] binder: undelivered TRANSACTION_ERROR: 29189 [ 36.562960] binder: 3829:3841 BC_ACQUIRE_DONE u0000000000000000 no match [ 36.564576] binder_alloc: 3786: binder_alloc_buf, no vma [ 36.564598] binder: 3829:3841 transaction failed 29189/-3, size 0-0 line 3128 [ 36.571694] binder_alloc: 3786: binder_alloc_buf, no vma [ 36.571718] binder: 3839:3842 transaction failed 29189/-3, size 0-0 line 3128 [ 36.573932] binder: undelivered TRANSACTION_ERROR: 29189 [ 36.576994] binder: undelivered TRANSACTION_ERROR: 29189 [ 36.577139] binder: undelivered TRANSACTION_ERROR: 29189 [ 36.577352] binder_alloc: 
3786: binder_alloc_buf, no vma [ 36.577374] binder: 3834:3843 transaction failed 29189/-3, size 0-0 line 3128 [ 36.582063] binder: 3839:3842 BC_ACQUIRE_DONE u0000000000000000 no match [ 36.583494] binder: BINDER_SET_CONTEXT_MGR already set [ 36.583498] binder: 3844:3845 ioctl 40046207 0 returned -16 [ 36.584046] binder: 3844:3845 ERROR: BC_REGISTER_LOOPER called without request [ 36.588942] binder: BINDER_SET_CONTEXT_MGR already set [ 36.588947] binder: 3834:3846 ioctl 40046207 0 returned -16 [ 36.590045] binder: 3834:3843 ERROR: BC_REGISTER_LOOPER called without request [ 36.590100] binder_alloc: 3786: binder_alloc_buf, no vma [ 36.590123] binder: 3834:3846 transaction failed 29189/-3, size 0-0 line 3128 [ 36.591275] binder_alloc: 3786: binder_alloc_buf, no vma [ 36.591296] binder: 3834:3843 transaction failed 29189/-3, size 0-0 line 3128 [ 36.591308] binder: undelivered TRANSACTION_ERROR: 29189 [ 36.592451] binder: 3834:3846 BC_ACQUIRE_DONE u0000000000000000 no match [ 36.593615] binder_alloc: 3786: binder_alloc_buf, no vma [ 36.593641] binder: 3834:3846 transaction failed 29189/-3, size 0-0 line 3128 [ 36.606651] binder: undelivered TRANSACTION_ERROR: 29189 [ 36.606768] binder: undelivered TRANSACTION_ERROR: 29189 [ 36.606976] binder_alloc: 3786: binder_alloc_buf, no vma [ 36.606999] binder: 3839:3848 transaction failed 29189/-3, size 0-0 line 3128 [ 36.607080] binder_alloc: 3786: binder_alloc_buf, no vma [ 36.607101] binder: 3844:3847 transaction failed 29189/-3, size 0-0 line 3128 [ 36.613353] binder: undelivered TRANSACTION_ERROR: 29189 [ 36.613625] binder: BINDER_SET_CONTEXT_MGR already set [ 36.613629] binder: 3849:3850 ioctl 40046207 0 returned -16 [ 36.614262] binder: 3849:3850 ERROR: BC_REGISTER_LOOPER called without request [ 36.615527] binder: 3844:3847 BC_ACQUIRE_DONE u0000000000000000 no match [ 36.618650] binder: BINDER_SET_CONTEXT_MGR already set [ 36.618655] binder: 3839:3851 ioctl 40046207 0 returned -16 [ 36.619783] binder: 3839:3848 ERROR: 
BC_REGISTER_LOOPER called without request [ 36.619872] binder_alloc: 3786: binder_alloc_buf, no vma [ 36.619895] binder: 3839:3851 transaction failed 29189/-3, size 0-0 line 3128 [ 36.621050] binder_alloc: 3786: binder_alloc_buf, no vma [ 36.621071] binder: 3839:3848 transaction failed 29189/-3, size 0-0 line 3128 [ 36.621084] binder: undelivered TRANSACTION_ERROR: 29189 [ 36.622287] binder: 3839:3851 BC_ACQUIRE_DONE u0000000000000000 no match [ 36.623478] binder_alloc: 3786: binder_alloc_buf, no vma [ 36.623504] binder: 3839:3851 transaction failed 29189/-3, size 0-0 line 3128 [ 36.636079] binder: undelivered TRANSACTION_ERROR: 29189 [ 36.636194] binder: undelivered TRANSACTION_ERROR: 29189 [ 36.636593] binder_alloc: 3786: binder_alloc_buf, no vma [ 36.636617] binder: 3849:3852 transaction failed 29189/-3, size 0-0 line 3128 [ 36.641437] binder_alloc: 3786: binder_alloc_buf, no vma [ 36.641460] binder: 3844:3853 transaction failed 29189/-3, size 0-0 line 3128 [ 36.642463] binder: undelivered TRANSACTION_ERROR: 29189 [ 36.644728] binder: 3849:3852 BC_ACQUIRE_DONE u0000000000000000 no match [ 36.653176] binder: BINDER_SET_CONTEXT_MGR already set [ 36.653182] binder: 3844:3854 ioctl 40046207 0 returned -16 [ 36.654374] binder: 3844:3853 ERROR: BC_REGISTER_LOOPER called without request [ 36.654548] binder_alloc: 3786: binder_alloc_buf, no vma [ 36.654582] binder: 3844:3854 transaction failed 29189/-3, size 0-0 line 3128 [ 36.655814] binder_alloc: 3786: binder_alloc_buf, no vma [ 36.655848] binder: 3844:3853 transaction failed 29189/-3, size 0-0 line 3128 [ 36.655867] binder: undelivered TRANSACTION_ERROR: 29189 [ 36.657030] binder: 3844:3854 BC_ACQUIRE_DONE u0000000000000000 no match [ 36.658199] binder_alloc: 3786: binder_alloc_buf, no vma [ 36.658222] binder: 3844:3854 transaction failed 29189/-3, size 0-0 line 3128 [ 36.667426] binder_alloc: 3786: binder_alloc_buf, no vma [ 36.667450] binder: 3849:3855 transaction failed 29189/-3, size 0-0 line 3128 [ 36.670329] 
binder: undelivered TRANSACTION_ERROR: 29189 [ 36.670392] binder: undelivered TRANSACTION_ERROR: 29189 [ 36.679079] binder: BINDER_SET_CONTEXT_MGR already set [ 36.679084] binder: 3849:3856 ioctl 40046207 0 returned -16 [ 36.680223] binder: 3849:3855 ERROR: BC_REGISTER_LOOPER called without request [ 36.680281] binder_alloc: 3786: binder_alloc_buf, no vma [ 36.680305] binder: 3849:3856 transaction failed 29189/-3, size 0-0 line 3128 [ 36.681463] binder_alloc: 3786: binder_alloc_buf, no vma [ 36.681484] binder: 3849:3855 transaction failed 29189/-3, size 0-0 line 3128 [ 36.681497] binder: undelivered TRANSACTION_ERROR: 29189 [ 36.682656] binder: 3849:3856 BC_ACQUIRE_DONE u0000000000000000 no match [ 36.683883] binder_alloc: 3786: binder_alloc_buf, no vma [ 36.683905] binder: 3849:3856 transaction failed 29189/-3, size 0-0 line 3128 [ 36.696145] binder: undelivered TRANSACTION_ERROR: 29189 [ 36.696292] binder: undelivered TRANSACTION_ERROR: 29189 [ 37.909751] binder_alloc: 3786: binder_alloc_buf, no vma [ 37.915267] binder: 3786:3793 transaction failed 29189/-3, size 0-0 line 3128 [ 37.925436] binder: undelivered TRANSACTION_ERROR: 29189 [ 37.925696] IPVS: Creating netns size=2552 id=5 [ 37.941614] binder: undelivered TRANSACTION_ERROR: 29189 [ 37.946139] binder: 3858:3862 ERROR: BC_REGISTER_LOOPER called without request [ 37.947739] binder: BINDER_SET_CONTEXT_MGR already set [ 37.947743] binder: 3859:3860 ioctl 40046207 0 returned -16 [ 37.948294] binder: 3859:3860 ERROR: BC_REGISTER_LOOPER called without request [ 37.969806] binder: release 3858:3862 transaction 66 out, still active [ 37.969809] binder: release 3858:3862 transaction 65 in, still active [ 37.969811] binder: undelivered TRANSACTION_COMPLETE [ 37.969903] binder: 3858:3862 BC_ACQUIRE_DONE u0000000000000000 node 64 cookie mismatch 0000000000000004 != 0000000000000000 [ 37.971618] binder: 3859:3865 got new transaction with bad transaction stack, transaction 67 has target 3858:0 [ 37.971624] binder: 
3859:3865 transaction failed 29201/-71, size 0-0 line 3032 [ 37.972737] binder: release 3859:3865 transaction 67 out, still active [ 37.972739] binder: undelivered TRANSACTION_COMPLETE [ 37.972749] binder: undelivered TRANSACTION_ERROR: 29201 [ 37.977412] binder: 3859:3865 BC_ACQUIRE_DONE u0000000000000000 no match [ 37.987066] binder: BINDER_SET_CONTEXT_MGR already set [ 37.987071] binder: 3868:3869 ioctl 40046207 0 returned -16 [ 37.987594] binder: 3868:3869 ERROR: BC_REGISTER_LOOPER called without request [ 37.991292] binder: 3858:3864 got new transaction with bad transaction stack, transaction 65 has target 0:0 [ 37.991299] binder: 3858:3864 transaction failed 29201/-71, size 0-0 line 3032 [ 38.002837] binder: BINDER_SET_CONTEXT_MGR already set [ 38.002842] binder: 3858:3871 ioctl 40046207 0 returned -16 [ 38.004044] binder: 3858:3864 ERROR: BC_REGISTER_LOOPER called without request [ 38.004109] binder_alloc: 3858: binder_alloc_buf, no vma [ 38.004189] binder: 3858:3871 transaction failed 29189/-3, size 0-0 line 3128 [ 38.005481] binder_alloc: 3858: binder_alloc_buf, no vma [ 38.005504] binder: 3858:3864 transaction failed 29189/-3, size 0-0 line 3128 [ 38.005518] binder: undelivered TRANSACTION_ERROR: 29189 [ 38.006693] binder: 3858:3871 BC_ACQUIRE_DONE u0000000000000000 no match [ 38.007878] binder_alloc: 3858: binder_alloc_buf, no vma [ 38.007903] binder: 3858:3871 transaction failed 29189/-3, size 0-0 line 3128 [ 38.009418] binder_alloc: 3858: binder_alloc_buf, no vma [ 38.009442] binder: 3868:3872 transaction failed 29189/-3, size 0-0 line 3128 [ 38.012095] binder: undelivered TRANSACTION_ERROR: 29189 [ 38.012148] binder: BINDER_SET_CONTEXT_MGR already set [ 38.012152] binder: 3859:3873 ioctl 40046207 0 returned -16 [ 38.013267] binder: 3859:3870 ERROR: BC_REGISTER_LOOPER called without request [ 38.013360] binder_alloc: 3858: binder_alloc_buf, no vma [ 38.013383] binder: 3859:3873 transaction failed 29189/-3, size 0-0 line 3128 [ 38.015270] binder_alloc: 
3858: binder_alloc_buf, no vma [ 38.015292] binder: 3859:3870 transaction failed 29189/-3, size 0-0 line 3128 [ 38.015309] binder: 3868:3872 BC_ACQUIRE_DONE u0000000000000000 no match [ 38.015339] binder: undelivered TRANSACTION_ERROR: 29189 [ 38.016508] binder: 3859:3873 BC_ACQUIRE_DONE u0000000000000000 no match [ 38.017690] binder_alloc: 3858: binder_alloc_buf, no vma [ 38.017714] binder: 3859:3873 transaction failed 29189/-3, size 0-0 line 3128 [ 38.038457] binder_alloc: 3858: binder_alloc_buf, no vma [ 38.038482] binder: 3868:3874 transaction failed 29189/-3, size 0-0 line 3128 [ 38.050068] binder: BINDER_SET_CONTEXT_MGR already set [ 38.050073] binder: 3868:3875 ioctl 40046207 0 returned -16 [ 38.051202] binder: 3868:3874 ERROR: BC_REGISTER_LOOPER called without request [ 38.051262] binder_alloc: 3858: binder_alloc_buf, no vma [ 38.051285] binder: 3868:3875 transaction failed 29189/-3, size 0-0 line 3128 [ 38.052436] binder_alloc: 3858: binder_alloc_buf, no vma [ 38.052457] binder: 3868:3874 transaction failed 29189/-3, size 0-0 line 3128 [ 38.052469] binder: undelivered TRANSACTION_ERROR: 29189 [ 38.053615] binder: 3868:3875 BC_ACQUIRE_DONE u0000000000000000 no match [ 38.054781] binder_alloc: 3858: binder_alloc_buf, no vma [ 38.054803] binder: 3868:3875 transaction failed 29189/-3, size 0-0 line 3128 [ 38.324872] binder: release 3786:3797 transaction 6 out, still active [ 38.338148] IPVS: Creating netns size=2552 id=6 [ 38.338245] binder: undelivered TRANSACTION_COMPLETE [ 38.338259] binder: undelivered TRANSACTION_ERROR: 29189 [ 38.338261] binder: undelivered TRANSACTION_COMPLETE [ 38.338362] binder: send failed reply for transaction 4, target dead [ 38.338376] binder: send failed reply for transaction 6, target dead [ 38.338395] binder: send failed reply for transaction 7, target dead [ 38.343228] binder: undelivered TRANSACTION_ERROR: 29189 [ 38.343438] binder: undelivered TRANSACTION_ERROR: 29189 [ 38.343608] binder: undelivered TRANSACTION_ERROR: 29189 
[ 38.343789] binder: release 3859:3870 transaction 70 out, still active [ 38.343791] binder: undelivered TRANSACTION_COMPLETE [ 38.343970] binder: undelivered TRANSACTION_ERROR: 29189 [ 38.344107] binder: release 3858:3864 transaction 65 out, still active [ 38.344109] binder: undelivered TRANSACTION_COMPLETE [ 38.344185] binder: send failed reply for transaction 66, target dead [ 38.344199] binder: send failed reply for transaction 65, target dead [ 38.344211] binder: undelivered TRANSACTION_ERROR: 29201 [ 38.344278] binder: send failed reply for transaction 67, target dead [ 38.344290] binder: send failed reply for transaction 70, target dead [ 38.477114] IPVS: Creating netns size=2552 id=7 [ 38.505160] IPVS: Creating netns size=2552 id=8 [ 38.525285] binder: 3883:3884 ERROR: BC_REGISTER_LOOPER called without request [ 38.549100] binder: release 3883:3884 transaction 84 out, still active [ 38.555820] binder: release 3883:3884 transaction 83 in, still active [ 38.561804] binder: BINDER_SET_CONTEXT_MGR already set [ 38.561811] binder: 3888:3889 ioctl 40046207 0 returned -16 [ 38.562441] binder: 3888:3889 ERROR: BC_REGISTER_LOOPER called without request [ 38.581327] binder: undelivered TRANSACTION_COMPLETE [ 38.582514] binder: 3883:3885 BC_ACQUIRE_DONE u0000000000000000 node 82 cookie mismatch 0000000000000004 != 0000000000000000 [ 38.599338] binder: 3888:3890 got new transaction with bad transaction stack, transaction 86 has target 3883:0 [ 38.604839] binder: BINDER_SET_CONTEXT_MGR already set [ 38.604844] binder: 3883:3885 ioctl 40046207 0 returned -16 [ 38.606056] binder_alloc: 3883: binder_alloc_buf, no vma [ 38.606096] binder: 3883:3885 transaction failed 29189/-3, size 0-0 line 3128 [ 38.606153] binder: 3883:3884 ERROR: BC_REGISTER_LOOPER called without request [ 38.607151] binder: BINDER_SET_CONTEXT_MGR already set [ 38.607156] binder: 3893:3894 ioctl 40046207 0 returned -16 [ 38.607848] binder_alloc: 3883: binder_alloc_buf, no vma [ 38.607890] binder: 
3883:3884 transaction failed 29189/-3, size 0-0 line 3128 [ 38.607910] binder: undelivered TRANSACTION_ERROR: 29189 [ 38.608045] binder: 3893:3894 ERROR: BC_REGISTER_LOOPER called without request [ 38.609208] binder: 3883:3885 BC_ACQUIRE_DONE u0000000000000000 no match [ 38.610418] binder_alloc: 3883: binder_alloc_buf, no vma [ 38.610454] binder: 3883:3885 transaction failed 29189/-3, size 0-0 line 3128 [ 38.626301] binder: undelivered TRANSACTION_ERROR: 29189 [ 38.626452] binder: release 3883:3885 transaction 85 in, still active [ 38.626458] binder: send failed reply for transaction 85 to 3883:3885 [ 38.626600] ================================================================== [ 38.626612] BUG: KASAN: use-after-free in __list_del_entry+0x196/0x1d0 [ 38.626616] Read of size 8 at addr ffff8801cc6c2c10 by task kworker/u4:1/19 [ 38.626617] [ 38.626624] CPU: 0 PID: 19 Comm: kworker/u4:1 Not tainted 4.4.119-g855ea74 #28 [ 38.626627] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 38.626638] Workqueue: binder binder_deferred_func [ 38.626646] 0000000000000000 8b74a5c01ac0db4e ffff8801d94a7a58 ffffffff81d0402d [ 38.626653] ffffea000731b080 ffff8801cc6c2c10 0000000000000000 ffff8801cc6c2c10 [ 38.626660] ffffed00398d6d99 ffff8801d94a7a90 ffffffff814fe103 ffff8801cc6c2c10 [ 38.626662] Call Trace: [ 38.626671] [] dump_stack+0xc1/0x124 [ 38.626679] [] print_address_description+0x73/0x260 [ 38.626685] [] kasan_report+0x285/0x370 [ 38.626690] [] ? __list_del_entry+0x196/0x1d0 [ 38.626696] [] __asan_report_load8_noabort+0x14/0x20 [ 38.626701] [] __list_del_entry+0x196/0x1d0 [ 38.626707] [] binder_release_work+0x6e/0x260 [ 38.626714] [] ? binder_send_failed_reply+0x18a/0x3a0 [ 38.626720] [] binder_thread_release+0x425/0x600 [ 38.626726] [] binder_deferred_func+0x438/0xd10 [ 38.626734] [] ? __lock_is_held+0xa1/0xf0 [ 38.626742] [] process_one_work+0x7d7/0x16e0 [ 38.626747] [] ? process_one_work+0x6f7/0x16e0 [ 38.626754] [] ? 
pwq_dec_nr_in_flight+0x280/0x280 [ 38.626759] [] ? worker_thread+0x288/0xfc0 [ 38.626765] [] worker_thread+0xd9/0xfc0 [ 38.626772] [] kthread+0x268/0x300 [ 38.626778] [] ? process_one_work+0x16e0/0x16e0 [ 38.626784] [] ? kthread_create_on_node+0x400/0x400 [ 38.626791] [] ? kthread_create_on_node+0x400/0x400 [ 38.626799] [] ret_from_fork+0x55/0x80 [ 38.626806] [] ? kthread_create_on_node+0x400/0x400 [ 38.626807] [ 38.626810] Allocated by task 3885: [ 38.626819] [] save_stack_trace+0x26/0x50 [ 38.626826] [] save_stack+0x43/0xd0 [ 38.626832] [] kasan_kmalloc+0xad/0xe0 [ 38.626839] [] kmem_cache_alloc_trace+0x100/0x2b0 [ 38.626846] [] binder_transaction+0x103c/0x7290 [ 38.626853] [] binder_thread_write+0x81f/0x33e0 [ 38.626861] [] binder_ioctl_write_read.isra.55+0x1cf/0xbc0 [ 38.626874] [] binder_ioctl+0xc50/0x12e0 [ 38.626882] [] compat_SyS_ioctl+0x28a/0x2540 [ 38.626889] [] do_fast_syscall_32+0x321/0x8a0 [ 38.626896] [] sysenter_flags_fixed+0xd/0x17 [ 38.626897] [ 38.626899] Freed by task 19: [ 38.626906] [] save_stack_trace+0x26/0x50 [ 38.626913] [] save_stack+0x43/0xd0 [ 38.626918] [] kasan_slab_free+0x72/0xc0 [ 38.626924] [] kfree+0xfc/0x300 [ 38.626931] [] binder_free_transaction+0x6a/0x90 [ 38.626938] [] binder_send_failed_reply+0x185/0x3a0 [ 38.626945] [] binder_thread_release+0x413/0x600 [ 38.626952] [] binder_deferred_func+0x438/0xd10 [ 38.626958] [] process_one_work+0x7d7/0x16e0 [ 38.626964] [] worker_thread+0xd9/0xfc0 [ 38.626970] [] kthread+0x268/0x300 [ 38.626976] [] ret_from_fork+0x55/0x80 [ 38.626977] [ 38.626981] The buggy address belongs to the object at ffff8801cc6c2c00 [ 38.626981] which belongs to the cache kmalloc-192 of size 192 [ 38.626986] The buggy address is located 16 bytes inside of [ 38.626986] 192-byte region [ffff8801cc6c2c00, ffff8801cc6c2cc0) [ 38.626987] The buggy address belongs to the page: [ 38.640559] kasan: CONFIG_KASAN_INLINE enabled [ 38.640569] kasan: GPF could be caused by NULL-ptr deref or user memory access [ 38.640573] 
general protection fault: 0000 [#1] PREEMPT SMP KASAN [ 38.640578] Dumping ftrace buffer: [ 38.640581] (ftrace buffer empty) [ 38.640584] Modules linked in: [ 38.640591] CPU: 1 PID: 3890 Comm: syz-executor5 Not tainted 4.4.119-g855ea74 #28 [ 38.640594] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 38.640597] task: ffff8800bb370000 task.stack: ffff8801c6d28000 [ 38.640611] RIP: 0010:[] [] debug_object_deactivate+0x1a6/0x3c0 [ 38.640614] RSP: 0018:ffff8801db307d20 EFLAGS: 00010803 [ 38.640617] RAX: 0000000000000092 RBX: e90006ddb8e80b0f RCX: ffff8801db319c40 [ 38.640620] RDX: 1d2000dbb71d0164 RSI: ffffffff842c6460 RDI: e90006ddb8e80b27 [ 38.640623] RBP: ffff8801db307de8 R08: 1ffff1003b02a273 R09: 0000000000000000 [ 38.640626] R10: ffffed0043fffa09 R11: 0000000000000000 R12: 1ffff1003b660fa8 [ 38.640628] R13: 0000000000000003 R14: dffffc0000000000 R15: ffffffff857d3748 [ 38.640632] FS: 0000000000000000(0000) GS:ffff8801db300000(0063) knlGS:00000000f7766b40 [ 38.640635] CS: 0010 DS: 002b ES: 002b CR0: 0000000080050033 [ 38.640638] CR2: 00007f2d078dfdb8 CR3: 00000000bba18000 CR4: 0000000000160670 [ 38.640644] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 [ 38.640646] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 [ 38.640647] Stack: [ 38.640654] 0000000000000286 0000000000000286 ffffffff842c6460 ffff8801db319c40 [ 38.640659] 0000000041b58ab3 ffffffff83fce929 ffffffff81d65e00 ffffffff842bf1a0 [ 38.640664] 0000000000000286 ffff8801db307da0 ffffffff8121f80f ffffffff842beec0 [ 38.640665] Call Trace: [ 38.640674] [ 38.640674] [] ? debug_object_activate+0x500/0x500 [ 38.640682] [] ? __wake_up+0x3f/0x50 [ 38.640690] [] ? rcu_gp_kthread_wake+0x95/0xb0 [ 38.640697] [] __hrtimer_run_queues+0x492/0xfe0 [ 38.640703] [] ? hrtimer_fixup_init+0x70/0x70 [ 38.640709] [] ? 
hrtimer_interrupt+0x131/0x440 [ 38.640714] [] hrtimer_interrupt+0x1a6/0x440 [ 38.640722] [] local_apic_timer_interrupt+0x6a/0xb0 [ 38.640731] [] smp_apic_timer_interrupt+0x76/0xa0 [ 38.640736] [] apic_timer_interrupt+0xa0/0xb0 [ 38.640744] [ 38.640744] [] ? console_unlock+0x59b/0xa00 [ 38.640749] [] ? console_unlock+0x5a6/0xa00 [ 38.640755] [] ? vprintk_emit+0x2b0/0x850 [ 38.640760] [] vprintk_emit+0x55e/0x850 [ 38.640765] [] vprintk+0x28/0x30 [ 38.640770] [] vprintk_default+0x1d/0x30 [ 38.640778] [] printk+0xb7/0xe2 [ 38.640783] [] ? pm_qos_get_value.part.4+0xb/0xb [ 38.640791] [] binder_transaction+0x65b5/0x7290 [ 38.640798] [] ? debug_check_no_locks_freed+0x2c0/0x2c0 [ 38.640806] [] ? trace_event_raw_event_binder_transaction_ref_to_ref+0x520/0x520 [ 38.640813] [] ? __might_fault+0xe4/0x1d0 [ 38.640819] [] ? __might_fault+0x114/0x1d0 [ 38.640825] [] binder_thread_write+0x95b/0x33e0 [ 38.640831] [] ? binder_transaction+0x7290/0x7290 [ 38.640837] [] ? __might_fault+0xe4/0x1d0 [ 38.640842] [] ? __might_fault+0x114/0x1d0 [ 38.640848] [] binder_ioctl_write_read.isra.55+0x1cf/0xbc0 [ 38.640854] [] ? binder_thread_write+0x33e0/0x33e0 [ 38.640861] [] ? binder_get_thread+0x28f/0x750 [ 38.640866] [] binder_ioctl+0xc50/0x12e0 [ 38.640872] [] ? selinux_file_ioctl+0x363/0x570 [ 38.640878] [] ? binder_ioctl_write_read.isra.55+0xbc0/0xbc0 [ 38.640884] [] ? __fget+0x213/0x3b0 [ 38.640889] [] ? __fget+0x23a/0x3b0 [ 38.640893] [] ? __fget+0x47/0x3b0 [ 38.640900] [] ? security_file_ioctl+0x89/0xb0 [ 38.640907] [] compat_SyS_ioctl+0x28a/0x2540 [ 38.640913] [] ? binder_ioctl_write_read.isra.55+0xbc0/0xbc0 [ 38.640918] [] ? compat_SyS_ppoll+0x420/0x420 [ 38.640924] [] ? debug_check_no_locks_freed+0x2c0/0x2c0 [ 38.640930] [] ? compat_SyS_futex+0x1f9/0x2a0 [ 38.640935] [] ? compat_SyS_get_robust_list+0x300/0x300 [ 38.640940] [] ? _raw_spin_unlock_irq+0x27/0x50 [ 38.640946] [] ? do_fast_syscall_32+0xd7/0x8a0 [ 38.640951] [] ? 
compat_SyS_ppoll+0x420/0x420 [ 38.640956] [] do_fast_syscall_32+0x321/0x8a0 [ 38.640962] [] sysenter_flags_fixed+0xd/0x17 [ 38.641035] Code: eb 1a 48 89 da 48 c1 ea 03 42 80 3c 32 00 0f 85 86 01 00 00 48 8b 1b 48 85 db 74 7a 48 8d 7b 18 41 83 c5 01 48 89 fa 48 c1 ea 03 <42> 80 3c 32 00 0f 85 3c 01 00 00 48 3b 4b 18 75 c6 48 8d 7b 10 [ 38.641041] RIP [] debug_object_deactivate+0x1a6/0x3c0 [ 38.641043] RSP [ 38.641048] ---[ end trace 0a32d07ee2e18782 ]--- [ 38.641052] Kernel panic - not syncing: Fatal exception in interrupt [ 39.755522] Shutting down cpus with NMI [ 39.756182] Dumping ftrace buffer: [ 39.756185] (ftrace buffer empty) [ 39.756188] Kernel Offset: disabled [ 40.733369] Rebooting in 86400 seconds..