[....] Starting enhanced syslogd: rsyslogd[   13.231977] audit: type=1400 audit(1517660656.424:4): avc:  denied  { syslog } for  pid=3908 comm="rsyslogd" capability=34  scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=capability2 permissive=1
[?25l[?1c7[1G[[32m ok [39;49m8[?25h[?0c.
[....] Starting periodic command scheduler: cron[?25l[?1c7[1G[[32m ok [39;49m8[?25h[?0c.
Starting mcstransd: 
[....] Starting file context maintaining daemon: restorecond[?25l[?1c7[1G[[32m ok [39;49m8[?25h[?0c.
[....] Starting OpenBSD Secure Shell server: sshd[?25l[?1c7[1G[[32m ok [39;49m8[?25h[?0c.

Debian GNU/Linux 7 syzkaller ttyS0

Warning: Permanently added '10.128.15.212' (ECDSA) to the list of known hosts.
2018/02/03 12:24:29 fuzzer started
2018/02/03 12:24:30 dialing manager at 10.128.0.26:41117
syzkaller login: [   28.029606] random: crng init done
2018/02/03 12:24:33 kcov=true, comps=false
2018/02/03 12:24:34 executing program 0:

2018/02/03 12:24:34 executing program 7:

2018/02/03 12:24:34 executing program 1:

2018/02/03 12:24:34 executing program 4:
mmap(&(0x7f0000000000/0xfff000)=nil, 0xfff000, 0x3, 0x32, 0xffffffffffffffff, 0x0)
r0 = socket$inet6(0xa, 0x400000000002, 0x0)
setsockopt$inet6_IPV6_XFRM_POLICY(r0, 0x29, 0x23, &(0x7f0000b73000)={{{@in=@dev={0xac, 0x14}, @in=@remote={0xac, 0x14, 0xffffffffffffffff, 0xbb}, 0xffffffffffffffff, 0x0, 0xffffffffffffffff, 0x0, 0x2}, {}, {}, 0x0, 0xffffffffffffffff, 0x80000001}, {{@in=@multicast1=0xe0000001}, 0x0, @in6=@loopback={0x0, 0x1}}}, 0xe8)
connect$inet6(r0, &(0x7f00005da000)={0xa, 0xffffffffffffffff, 0x0, @empty}, 0x1c)

2018/02/03 12:24:34 executing program 2:
mmap(&(0x7f0000000000/0xfff000)=nil, 0xfff000, 0x3, 0x32, 0xffffffffffffffff, 0x0)
ioctl$sock_inet_SIOCSIFNETMASK(0xffffffffffffffff, 0x891c, &(0x7f0000144000-0x20)={@common='gre0\x00', @ifru_addrs={0x2, 0xffffffffffffffff, @multicast2=0xe0000002}})
r0 = perf_event_open(&(0x7f0000015000-0x78)={0x1, 0x78, 0x5, 0x0, 0x0, 0x0, 0x0, 0x1, 0x4, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3}, 0x0, 0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f00002c3000/0x3000)=nil, 0x3000, 0x0, 0x11, r0, 0x0)
clone(0x0, &(0x7f0000aed000), &(0x7f000051e000), &(0x7f000049d000-0x4), &(0x7f0000c12000))
fchmod(0xffffffffffffffff, 0x0)

2018/02/03 12:24:34 executing program 3:
mmap(&(0x7f0000000000/0xfff000)=nil, 0xfff000, 0x3, 0x32, 0xffffffffffffffff, 0x0)
perf_event_open(&(0x7f000001d000)={0x2, 0x78, 0xe2, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x5}, 0x0, 0x0, 0xffffffffffffffff, 0x0)
r0 = syz_open_dev$binder(&(0x7f0000dfe000-0xd)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = epoll_create(0x8000000ffff)
epoll_ctl$EPOLL_CTL_ADD(r1, 0x1, r0, &(0x7f0000f9e000-0xc))
ioctl$BINDER_THREAD_EXIT(r0, 0x40046208, 0x0)

2018/02/03 12:24:34 executing program 6:
r0 = socket$inet_dccp(0x2, 0x6, 0x0)
r1 = dup(r0)
mmap(&(0x7f0000000000/0x1000)=nil, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0)
setsockopt$inet_dccp_buf(r1, 0x21, 0xcf, &(0x7f0000000000)="a442aa1327ddeec5819422f653851242dcde4fde4760110128263b33d2ef5fa267faa6d0437cfa791bf6f1def47a0999fe26fc4862fa676c1b92df1eb0949d2485e3780db2c738e13696129361a9001820788207041c8d161fbd2152588d781e3c92b1ecb60fff7a24158c70ae930e", 0x6f)
bind(r1, &(0x7f0000001000-0x32)=@pppol2tpin6={0x18, 0x1, {0x0, r0, 0x4, 0x3, 0x4, 0x3, {0xa, 0x1, 0x9, @empty, 0x298}}}, 0x32)
mmap(&(0x7f0000001000/0x1000)=nil, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0)
ioctl$TIOCSLCKTRMIOS(r1, 0x5457, &(0x7f0000001000))
mmap(&(0x7f0000002000/0x1000)=nil, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0)
setsockopt$inet_MCAST_LEAVE_GROUP(r0, 0x0, 0x2d, &(0x7f0000003000-0x90)={0x3f, {{0x2, 0x1, @dev={0xac, 0x14, 0x0, 0xf}}}}, 0x90)
sync()
mmap(&(0x7f0000003000/0x1000)=nil, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0)
getpeername(r0, &(0x7f0000002000)=@ax25, &(0x7f0000003000)=0x10)
mmap(&(0x7f0000004000/0x1000)=nil, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0)
getsockopt$inet_sctp_SCTP_GET_ASSOC_STATS(r1, 0x84, 0x70, &(0x7f0000003000-0x108)={<r2=>0x0, @in6={{0xa, 0x1, 0x81, @local={0xfe, 0x80, [], 0x0, 0xaa}, 0x401}}, [0x0, 0x6, 0x5, 0x6, 0xbf, 0x7fffffff, 0x91, 0x80, 0x5, 0x9, 0x10000, 0x5, 0x7fffffff, 0x1f, 0x1]}, &(0x7f0000004000)=0x108)
setsockopt$inet_sctp_SCTP_MAXSEG(r1, 0x84, 0xd, &(0x7f0000004000-0x8)=@assoc_value={r2, 0x7fff}, 0x8)
ioctl$PPPIOCSMRU(r1, 0x40047452, &(0x7f0000004000-0x4)=0x400000004000)
mmap(&(0x7f0000005000/0x1000)=nil, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0)
syz_open_dev$evdev(&(0x7f0000005000)='/dev/input/event#\x00', 0x9, 0xa00)
mmap(&(0x7f0000006000/0x1000)=nil, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0)
pipe2(&(0x7f0000006000)={0x0, <r3=>0x0}, 0x84000)
connect$unix(r1, &(0x7f0000007000-0xa)=@file={0x1, './file0\x00'}, 0xa)
mmap(&(0x7f0000007000/0x1000)=nil, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000007000/0x1000)=nil, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0)
timerfd_settime(r3, 0x1, &(0x7f0000007000)={{0x77359400}, {0x77359400}}, &(0x7f0000008000-0x20))
mmap(&(0x7f0000008000/0x1000)=nil, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0)
openat$rtc(0xffffffffffffff9c, &(0x7f0000008000)='/dev/rtc\x00', 0x14200, 0x0)
ioctl$SNDRV_SEQ_IOCTL_GET_QUEUE_INFO(r1, 0xc08c5334, &(0x7f0000001000-0x8c)={0xffffffffffffff01, 0x1, 0x2, 'queue0\x00', 0x3ff})
mmap(&(0x7f0000009000/0x1000)=nil, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0)
ioctl$UFFDIO_COPY(r1, 0xc028aa03, &(0x7f0000009000)={&(0x7f0000001000/0x4000)=nil, 0x4000})
mmap(&(0x7f000000a000/0x1000)=nil, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0)
ioctl$DRM_IOCTL_ADD_CTX(0xffffffffffffff9c, 0xc0086420, &(0x7f000000a000)={<r4=>0x0})
mmap(&(0x7f000000a000/0x1000)=nil, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0)
ioctl$DRM_IOCTL_UNLOCK(r3, 0x4008642b, &(0x7f000000a000)={r4, 0x22})

2018/02/03 12:24:34 executing program 5:
mmap(&(0x7f0000000000/0x1000)=nil, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0)
r0 = syz_open_dev$usbmon(&(0x7f0000000000)='/dev/usbmon#\x00', 0x800, 0x442000)
ioctl$int_in(r0, 0x5421, &(0x7f0000000000)=0x8)
r1 = openat$selinux_user(0xffffffffffffff9c, &(0x7f0000000000)='/selinux/user\x00', 0x2, 0x0)
ioctl(r1, 0x2, &(0x7f0000001000-0x4)="8f848d50")
mmap(&(0x7f0000001000/0x1000)=nil, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0)
ioctl$sock_SIOCDELDLCI(r0, 0x8981, &(0x7f0000002000-0x12)={@syzn={0x73, 0x79, 0x7a, 0x0}, 0x2f97})
getsockopt$netrom_NETROM_T2(r0, 0x103, 0x2, &(0x7f0000000000)=0x6, &(0x7f0000001000-0x4)=0x4)
mmap(&(0x7f0000002000/0x1000)=nil, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0)
fcntl$getownex(r0, 0x10, &(0x7f0000002000)={0x0, <r2=>0x0})
mmap(&(0x7f0000002000/0x1000)=nil, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0)
sendmsg$nl_generic(r0, &(0x7f0000003000-0x38)={&(0x7f0000001000-0xc)={0x10, 0x0, 0x0, 0x2000000}, 0xc, &(0x7f0000001000-0x10)={&(0x7f0000001000-0x358)={0x358, 0x19, 0x8, 0x0, 0x0, {0x1a}, [@generic="2bc81cb3f484f73440a620a9a8def0c1abc2397becbbb71de3bb18f1db962b0cc3c876722d8b5f2937d8f486905986b814afd140ed1347826e00ccf9a9d6b69024915cb0227b469712fe10dfbafc614aa0041dcc8e110b0c3ad24327b3af2c6d372bce8348081d4873e27e87f70916349b54fbd6ec274253697b334ac97af626c1c2373a34865525ad347eb912690fbf573963a918c7b426aaab81d0428c1146dddf45dae15f9639b6aa21e94872afe2468bb58fd144f41b55d9d3fb14bfc148e02c086e41b886c094cd8c", @nested={0x5c, 0x48, [@generic="beda4d6b5ffc6c574935a9b515ee00101f4ce20f253accbaddb3", @typed={0x8, 0x69}, @generic="ed7766157ac8a27832e43336246160e57005faf0", @typed={0x18, 0x23, @ipv6=@ipv4={[], [0xff, 0xff], @multicast1=0xe0000001}}, @typed={0x8, 0x1e}]}, @nested={0x15c, 0x7d, [@typed={0x54, 0x7b, @binary="305bea12dbe0760ed330a9bbf5dd0a447355f457e4e67bad9d6151c23b63a79e23d9203a5d239320bd5e667e6370416f812a90779f59465184fab4e7458cbcd8368798741f1b3600a0eb"}, @typed={0xc, 0x59, @pid=r2}, @typed={0x10, 0x20, @binary="6854817449c8ad03"}, @generic="f2861add54392dd12971cebf99d33ff92d7e708630f7ecd2c97fac4ac434ec222d2ec07f234fc832a0f7fac9c21e05b0cd6f30fadc02e8bfdfd011acb9618434ae5a073039a49d10cdb37a9929fc61149bb559b8df20083785c686a49eb283ae6ba4fe55f3c8606ac7bd40eae868a67f4566239b64ae7c5874f95c6e306f55d4fc0f00c94bbbab34e98f6d2e9a85f0ca93a53a67bf87ee54725bce218a6934bc5903ecd495ec3e32f51ae43f80bd7497db00a4d1a1f7e2e50c858fe484e373d9104fd7db412296544bd79b8dee58ee1287d2b1ad318cdbcc1c155eef9b47466008494823598895"]}, @typed={0xc0, 0x8a, @binary="4ab8b1ead546b54607fbec6fef402fd3dbac7c34247535e52fe67730faa4625036b8b5c93387035bedce15e554c0c3f0ab2b379b4375d20c876c2656b383e62c57ce82440a07b920fb82aec9952357a48883b8026ce2578a98a65f160df141e6e4c686583f635de0b4b1f1e6dfa9740eb9f4044b4587ce85cbbbf2ef242bbfeac055a563901d6fe06b82e7b25f043e593ffbe8b87065b3b865180be9eb0f11e9979dbb5a235c270b4e2e936106fffd83738eece346c9e20f"}]}, 0x358}, 0x1, 0x0, 0x0, 0x20004810}, 0x80)
r3 = openat$selinux_mls(0xffffffffffffff9c, &(0x7f0000001000-0xd)='/selinux/mls\x00', 0x0, 0x0)
setsockopt$packet_int(r0, 0x107, 0xe, &(0x7f0000001000-0x4)=0x20, 0x4)
mmap(&(0x7f0000003000/0x1000)=nil, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0)
getsockopt$inet_udp_int(r0, 0x11, 0x65, &(0x7f0000004000-0x4), &(0x7f0000000000)=0x4)
connect$nfc_llcp(r0, &(0x7f0000002000)={0x27, 0x3, 0x5b36, 0x1, 0x2, 0x1000, "364ceeecb54f06ad84882cc8b5f4584996c2748d00bb20787a0904168640488c91f7ab9abf8d37f64a630023d659d08eff87a766afaf099740dc60e3ec2e2c", 0x3}, 0x60)
mmap(&(0x7f0000004000/0x1000)=nil, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0)
bind$inet(r3, &(0x7f0000005000-0x10)={0x2, 0x2, @multicast2=0xe0000002}, 0x10)
socketpair$unix(0x1, 0x0, 0x0, &(0x7f0000001000)={<r4=>0x0})
getsockopt$inet_sctp_SCTP_GET_ASSOC_ID_LIST(r0, 0x84, 0x1d, &(0x7f0000000000)={0xa, [0x0, <r5=>0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0]}, &(0x7f0000002000-0x4)=0x2c)
setsockopt$inet_sctp6_SCTP_ASSOCINFO(r0, 0x84, 0x1, &(0x7f0000002000)={r5, 0x3b, 0x5, 0x5, 0x5c, 0x8}, 0x14)
ioctl$sock_inet6_tcp_SIOCOUTQ(r0, 0x5411, &(0x7f0000002000))
mmap(&(0x7f0000005000/0x1000)=nil, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0)
setsockopt$inet6_int(r3, 0x29, 0x16, &(0x7f0000006000-0x4)=0x5, 0x4)
mmap(&(0x7f0000006000/0x1000)=nil, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0)
getsockopt$sock_cred(r4, 0x1, 0x11, &(0x7f0000006000-0xc), &(0x7f0000006000)=0xc)
setsockopt$inet6_udp_int(r0, 0x11, 0x67, &(0x7f0000004000-0x4)=0x79, 0x4)
mmap(&(0x7f0000007000/0x1000)=nil, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0)
getsockopt$inet_sctp6_SCTP_ENABLE_STREAM_RESET(r0, 0x84, 0x76, &(0x7f0000002000)={r5, 0x7}, &(0x7f0000007000)=0x8)

[   31.442020] audit: type=1400 audit(1517660674.634:5): avc:  denied  { sys_admin } for  pid=4124 comm="syz-executor7" capability=21  scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=cap_userns permissive=1
[   31.478160] IPVS: Creating netns size=2536 id=1
[   31.490388] audit: type=1400 audit(1517660674.674:6): avc:  denied  { net_admin } for  pid=4126 comm="syz-executor0" capability=12  scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=cap_userns permissive=1
[   31.536250] IPVS: Creating netns size=2536 id=2
[   31.572464] IPVS: Creating netns size=2536 id=3
[   31.598457] IPVS: Creating netns size=2536 id=4
[   31.638610] IPVS: Creating netns size=2536 id=5
[   31.698829] IPVS: Creating netns size=2536 id=6
[   31.757516] IPVS: Creating netns size=2536 id=7
[   31.821889] IPVS: Creating netns size=2536 id=8
[   33.402395] audit: type=1400 audit(1517660676.594:7): avc:  denied  { sys_chroot } for  pid=4126 comm="syz-executor0" capability=18  scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=cap_userns permissive=1
2018/02/03 12:24:36 executing program 1:
mmap(&(0x7f0000000000/0x1000)=nil, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0)
r0 = syz_open_procfs(0xffffffffffffffff, &(0x7f0000001000-0xb)='projid_map\x00')
mmap(&(0x7f0000000000/0x1000)=nil, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0)
ioctl$KDGKBENT(r0, 0x4b46, &(0x7f0000000000)={0x7, 0x0, 0x7})
getsockopt$sock_cred(0xffffffffffffffff, 0x1, 0x11, &(0x7f000013a000)={<r1=>0x0}, &(0x7f000030d000)=0xc)
ioprio_get$pid(0x2, r1)
r2 = dup2(0xffffffffffffff9c, 0xffffffffffffff9c)
mmap(&(0x7f0000000000/0x1000)=nil, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0)
getsockopt$inet6_mreq(r2, 0x29, 0x18, &(0x7f0000001000-0x14)={@mcast2}, &(0x7f000088a000)=0x1)

[   33.708871] ==================================================================
[   33.716311] BUG: KASAN: use-after-free in __lock_acquire+0x2eff/0x3640
[   33.722956] Read of size 8 at addr ffff8801c37e8838 by task syz-executor3/5212
[   33.730283] 
[   33.731886] CPU: 1 PID: 5212 Comm: syz-executor3 Not tainted 4.9.79-g47af77b #26
[   33.739389] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   33.748718]  ffff8801d9467630 ffffffff81d94b09 ffffea00070dfa00 ffff8801c37e8838
[   33.756704]  0000000000000000 ffff8801c37e8838 ffff8801c37e8838 ffff8801d9467668
[   33.764689]  ffffffff8153e083 ffff8801c37e8838 0000000000000008 0000000000000000
[   33.772685] Call Trace:
[   33.775248]  [<ffffffff81d94b09>] dump_stack+0xc1/0x128
[   33.780585]  [<ffffffff8153e083>] print_address_description+0x73/0x280
[   33.787226]  [<ffffffff8153e5a5>] kasan_report+0x275/0x360
[   33.792824]  [<ffffffff8123ed6f>] ? __lock_acquire+0x2eff/0x3640
[   33.798958]  [<ffffffff8153e704>] __asan_report_load8_noabort+0x14/0x20
[   33.805685]  [<ffffffff8123ed6f>] __lock_acquire+0x2eff/0x3640
[   33.811629]  [<ffffffff8123c499>] ? __lock_acquire+0x629/0x3640
[   33.817660]  [<ffffffff8123be70>] ? debug_check_no_locks_freed+0x2c0/0x2c0
[   33.824650]  [<ffffffff8123be70>] ? debug_check_no_locks_freed+0x2c0/0x2c0
[   33.831638]  [<ffffffff8123be70>] ? debug_check_no_locks_freed+0x2c0/0x2c0
[   33.838632]  [<ffffffff8123b25f>] ? mark_held_locks+0xaf/0x100
[   33.844577]  [<ffffffff838a9be3>] ? mutex_lock_nested+0x5e3/0x870
[   33.850782]  [<ffffffff8123feee>] lock_acquire+0x12e/0x410
[   33.856376]  [<ffffffff81224454>] ? remove_wait_queue+0x14/0x40
[   33.862409]  [<ffffffff838b32ae>] _raw_spin_lock_irqsave+0x4e/0x70
[   33.869879]  [<ffffffff81224454>] ? remove_wait_queue+0x14/0x40
[   33.875916]  [<ffffffff81224454>] remove_wait_queue+0x14/0x40
[   33.881776]  [<ffffffff8165141f>] ep_unregister_pollwait.isra.6+0xaf/0x240
[   33.888760]  [<ffffffff8165149a>] ? ep_unregister_pollwait.isra.6+0x12a/0x240
[   33.896002]  [<ffffffff81652280>] ? ep_free+0x1b0/0x1b0
[   33.901336]  [<ffffffff81652166>] ep_free+0x96/0x1b0
[   33.906411]  [<ffffffff81652280>] ? ep_free+0x1b0/0x1b0
[   33.911745]  [<ffffffff816522c4>] ep_eventpoll_release+0x44/0x60
[   33.917861]  [<ffffffff8157567c>] __fput+0x28c/0x6e0
[   33.922945]  [<ffffffff81575b55>] ____fput+0x15/0x20
[   33.928018]  [<ffffffff811957c5>] task_work_run+0x115/0x190
[   33.933700]  [<ffffffff8113c267>] do_exit+0x7e7/0x2a40
[   33.938947]  [<ffffffff8123be70>] ? debug_check_no_locks_freed+0x2c0/0x2c0
[   33.945932]  [<ffffffff8113ba80>] ? release_task+0x1240/0x1240
[   33.951873]  [<ffffffff812dfe50>] ? get_futex_key+0x1050/0x1050
[   33.957901]  [<ffffffff8115a8b3>] ? __dequeue_signal+0xa3/0x550
[   33.963930]  [<ffffffff8115a5c2>] ? recalc_sigpending+0x72/0x90
[   33.969961]  [<ffffffff81142978>] do_group_exit+0x108/0x320
[   33.975646]  [<ffffffff811657d4>] get_signal+0x4d4/0x14e0
[   33.981158]  [<ffffffff81052c87>] do_signal+0x87/0x1a00
[   33.986491]  [<ffffffff81052c00>] ? setup_sigcontext+0x7d0/0x7d0
[   33.992607]  [<ffffffff810de66c>] ? __do_page_fault+0x5ec/0xd40
[   33.998638]  [<ffffffff812e561e>] ? SyS_futex+0x22e/0x2d0
[   34.004149]  [<ffffffff810de43d>] ? __do_page_fault+0x3bd/0xd40
[   34.010179]  [<ffffffff812e53f0>] ? do_futex+0x15c0/0x15c0
[   34.015773]  [<ffffffff810039fc>] ? exit_to_usermode_loop+0xac/0x120
[   34.022239]  [<ffffffff81003a31>] exit_to_usermode_loop+0xe1/0x120
[   34.028531]  [<ffffffff81006340>] syscall_return_slowpath+0x1a0/0x1e0
[   34.035082]  [<ffffffff838b352b>] entry_SYSCALL_64_fastpath+0xe6/0xe8
[   34.041631] 
[   34.043232] Allocated by task 5210:
[   34.046832]  save_stack_trace+0x16/0x20
[   34.050776]  save_stack+0x43/0xd0
[   34.054199]  kasan_kmalloc+0xad/0xe0
[   34.057883]  kmem_cache_alloc_trace+0xfb/0x2a0
[   34.062433]  binder_get_thread+0x15d/0x750
[   34.066638]  binder_poll+0x4a/0x210
[   34.070236]  SyS_epoll_ctl+0x11d7/0x2190
[   34.074274]  entry_SYSCALL_64_fastpath+0x29/0xe8
[   34.078997] 
[   34.080594] Freed by task 5210:
[   34.083844]  save_stack_trace+0x16/0x20
[   34.087789]  save_stack+0x43/0xd0
[   34.091210]  kasan_slab_free+0x72/0xc0
[   34.095069]  kfree+0x103/0x300
[   34.098235]  binder_thread_dec_tmpref+0x1cc/0x240
[   34.103046]  binder_thread_release+0x27d/0x540
[   34.107596]  binder_ioctl+0x9c0/0x11b0
[   34.111452]  do_vfs_ioctl+0x1aa/0x1140
[   34.115308]  SyS_ioctl+0x8f/0xc0
[   34.118644]  entry_SYSCALL_64_fastpath+0x29/0xe8
[   34.123367] 
[   34.124966] The buggy address belongs to the object at ffff8801c37e8780
[   34.124966]  which belongs to the cache kmalloc-512 of size 512
[   34.137603] The buggy address is located 184 bytes inside of
[   34.137603]  512-byte region [ffff8801c37e8780, ffff8801c37e8980)
[   34.149455] The buggy address belongs to the page:
[   34.154356] page:ffffea00070dfa00 count:1 mapcount:0 mapping:          (null) index:0x0 compound_mapcount: 0
[   34.164531] flags: 0x8000000000004080(slab|head)
[   34.169254] page dumped because: kasan: bad access detected
[   34.174930] 
[   34.176528] Memory state around the buggy address:
[   34.181427]  ffff8801c37e8700: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   34.188756]  ffff8801c37e8780: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   34.196088] >ffff8801c37e8800: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   34.203416]                                         ^
[   34.208574]  ffff8801c37e8880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   34.215904]  ffff8801c37e8900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   34.223230] ==================================================================
[   34.230557] Disabling lock debugging due to kernel taint
[   34.235976] Kernel panic - not syncing: panic_on_warn set ...
[   34.235976] 
[   34.243317] CPU: 1 PID: 5212 Comm: syz-executor3 Tainted: G    B           4.9.79-g47af77b #26
[   34.252035] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   34.261365]  ffff8801d9467588 ffffffff81d94b09 ffffffff8419709f ffff8801d9467660
[   34.269350]  0000000000000000 ffff8801c37e8838 ffff8801c37e8838 ffff8801d9467650
[   34.277322]  ffffffff8142f531 0000000041b58ab3 ffffffff8418ab10 ffffffff8142f375
[   34.285299] Call Trace:
[   34.287865]  [<ffffffff81d94b09>] dump_stack+0xc1/0x128
[   34.293199]  [<ffffffff8142f531>] panic+0x1bc/0x3a8
[   34.298188]  [<ffffffff8142f375>] ? percpu_up_read_preempt_enable.constprop.53+0xd7/0xd7
[   34.306388]  [<ffffffff811309f0>] ? add_taint+0x40/0x50
[   34.311726]  [<ffffffff8153dff0>] kasan_end_report+0x50/0x50
[   34.317496]  [<ffffffff8153e497>] kasan_report+0x167/0x360
[   34.323095]  [<ffffffff8123ed6f>] ? __lock_acquire+0x2eff/0x3640
[   34.329214]  [<ffffffff8153e704>] __asan_report_load8_noabort+0x14/0x20
[   34.335948]  [<ffffffff8123ed6f>] __lock_acquire+0x2eff/0x3640
[   34.341893]  [<ffffffff8123c499>] ? __lock_acquire+0x629/0x3640
[   34.347922]  [<ffffffff8123be70>] ? debug_check_no_locks_freed+0x2c0/0x2c0
[   34.354908]  [<ffffffff8123be70>] ? debug_check_no_locks_freed+0x2c0/0x2c0
[   34.361895]  [<ffffffff8123be70>] ? debug_check_no_locks_freed+0x2c0/0x2c0
[   34.368882]  [<ffffffff8123b25f>] ? mark_held_locks+0xaf/0x100
[   34.374830]  [<ffffffff838a9be3>] ? mutex_lock_nested+0x5e3/0x870
[   34.381033]  [<ffffffff8123feee>] lock_acquire+0x12e/0x410
[   34.386630]  [<ffffffff81224454>] ? remove_wait_queue+0x14/0x40
[   34.392664]  [<ffffffff838b32ae>] _raw_spin_lock_irqsave+0x4e/0x70
[   34.398954]  [<ffffffff81224454>] ? remove_wait_queue+0x14/0x40
[   34.404988]  [<ffffffff81224454>] remove_wait_queue+0x14/0x40
[   34.410844]  [<ffffffff8165141f>] ep_unregister_pollwait.isra.6+0xaf/0x240
[   34.417829]  [<ffffffff8165149a>] ? ep_unregister_pollwait.isra.6+0x12a/0x240
[   34.425077]  [<ffffffff81652280>] ? ep_free+0x1b0/0x1b0
[   34.430416]  [<ffffffff81652166>] ep_free+0x96/0x1b0
[   34.435489]  [<ffffffff81652280>] ? ep_free+0x1b0/0x1b0
[   34.440822]  [<ffffffff816522c4>] ep_eventpoll_release+0x44/0x60
[   34.446936]  [<ffffffff8157567c>] __fput+0x28c/0x6e0
[   34.452030]  [<ffffffff81575b55>] ____fput+0x15/0x20
[   34.457103]  [<ffffffff811957c5>] task_work_run+0x115/0x190
[   34.462786]  [<ffffffff8113c267>] do_exit+0x7e7/0x2a40
[   34.468032]  [<ffffffff8123be70>] ? debug_check_no_locks_freed+0x2c0/0x2c0
[   34.475016]  [<ffffffff8113ba80>] ? release_task+0x1240/0x1240
[   34.480961]  [<ffffffff812dfe50>] ? get_futex_key+0x1050/0x1050
[   34.486988]  [<ffffffff8115a8b3>] ? __dequeue_signal+0xa3/0x550
[   34.493016]  [<ffffffff8115a5c2>] ? recalc_sigpending+0x72/0x90
[   34.499043]  [<ffffffff81142978>] do_group_exit+0x108/0x320
[   34.504725]  [<ffffffff811657d4>] get_signal+0x4d4/0x14e0
[   34.510233]  [<ffffffff81052c87>] do_signal+0x87/0x1a00
[   34.515569]  [<ffffffff81052c00>] ? setup_sigcontext+0x7d0/0x7d0
[   34.521689]  [<ffffffff810de66c>] ? __do_page_fault+0x5ec/0xd40
[   34.527721]  [<ffffffff812e561e>] ? SyS_futex+0x22e/0x2d0
[   34.533229]  [<ffffffff810de43d>] ? __do_page_fault+0x3bd/0xd40
[   34.539270]  [<ffffffff812e53f0>] ? do_futex+0x15c0/0x15c0
[   34.544870]  [<ffffffff810039fc>] ? exit_to_usermode_loop+0xac/0x120
[   34.551337]  [<ffffffff81003a31>] exit_to_usermode_loop+0xe1/0x120
[   34.557628]  [<ffffffff81006340>] syscall_return_slowpath+0x1a0/0x1e0
[   34.564181]  [<ffffffff838b352b>] entry_SYSCALL_64_fastpath+0xe6/0xe8
[   34.571185] Dumping ftrace buffer:
[   34.574699]    (ftrace buffer empty)
[   34.578381] Kernel Offset: disabled
[   34.581975] Rebooting in 86400 seconds..