bisecting cause commit starting from 444565650a5fe9c63ddf153e6198e31705dedeb2 building syzkaller on 9682898d6f14dd27f95c419d059fd867bb91b22b testing commit 444565650a5fe9c63ddf153e6198e31705dedeb2 with gcc (GCC) 8.1.0 kernel signature: 8df982f6c5c1662f4731fdd75fa43f707ed69fea70a7a8bf27a3c338e400023e all runs: crashed: WARNING in binder_transaction_buffer_release testing release v5.6 testing commit 7111951b8d4973bda27ff663f2cf18b663d15b48 with gcc (GCC) 8.1.0 kernel signature: 30f3f261679f9ada9623bfa34d278911abd0af7c9481cddc8e8f9446a2b7feb5 run #0: crashed: WARNING in binder_transaction_buffer_release run #1: crashed: WARNING in binder_transaction_buffer_release run #2: crashed: WARNING in binder_transaction_buffer_release run #3: crashed: WARNING in binder_transaction_buffer_release run #4: crashed: WARNING in binder_transaction_buffer_release run #5: crashed: WARNING in binder_transaction_buffer_release run #6: crashed: WARNING in binder_transaction_buffer_release run #7: crashed: WARNING in binder_transaction_buffer_release run #8: crashed: WARNING in binder_transaction_buffer_release run #9: boot failed: can't ssh into the instance testing release v5.5 testing commit d5226fa6dbae0569ee43ecfc08bdcd6770fc4755 with gcc (GCC) 8.1.0 kernel signature: 68a9d50c69db5204b52c5ea42160e3675687ed9061d0cb1d00035d91cdb1361e all runs: crashed: WARNING in binder_transaction_buffer_release testing release v5.4 testing commit 219d54332a09e8d8741c1e1982f5eae56099de85 with gcc (GCC) 8.1.0 kernel signature: 1b9791038f8764cd7d57ec60bd00c0732ef2b16159662fb536b86429be8b1e52 all runs: crashed: WARNING in binder_transaction_buffer_release testing release v5.3 testing commit 4d856f72c10ecb060868ed10ff1b1453943fc6c8 with gcc (GCC) 8.1.0 kernel signature: ac5c896ed06b20118af258e05a99c7814d0f7ecaabede60718a156b560c9a45a all runs: crashed: WARNING in binder_transaction_buffer_release testing release v5.2 testing commit 0ecfebd2b52404ae0c54a878c872bb93363ada36 with gcc (GCC) 8.1.0 kernel signature: 6fe1fdbcaaf5ca891a31878edb4b732271adb35b5f9b59486cc15475331420c7 all runs: crashed: WARNING in binder_transaction_buffer_release testing release v5.1 testing commit e93c9c99a629c61837d5a7fc2120cd2b6c70dbdd with gcc (GCC) 8.1.0 kernel signature: 5c76c906e59d302d7a6b18a09976dad030489c4d54cbe2801d4a5f556c3ad9a0 all runs: crashed: WARNING in binder_transaction_buffer_release testing release v5.0 testing commit 1c163f4c7b3f621efff9b28a47abb36f7378d783 with gcc (GCC) 8.1.0 kernel signature: a70f82ca6f0335c1d8e06bd25aae9a559c47625efbc7463055adfb674975559d run #0: crashed: WARNING in binder_transaction_buffer_release run #1: crashed: WARNING in corrupted run #2: crashed: WARNING in binder_transaction_buffer_release run #3: crashed: WARNING in corrupted run #4: crashed: WARNING in binder_transaction_buffer_release run #5: crashed: WARNING in binder_transaction_buffer_release run #6: crashed: WARNING in binder_transaction_buffer_release run #7: crashed: WARNING in binder_transaction_buffer_release run #8: crashed: WARNING in binder_transaction_buffer_release run #9: crashed: WARNING in binder_transaction_buffer_release testing release v4.20 testing commit 8fe28cb58bcb235034b64cbbb7550a8a43fd88be with gcc (GCC) 8.1.0 kernel signature: a420067805b91d69c4f32255a7b02a406c412b26e3fc907a41a08a229c9d52be all runs: crashed: WARNING in binder_transaction_buffer_release testing release v4.19 testing commit 84df9525b0c27f3ebc2ebb1864fa62a97fdedb7d with gcc (GCC) 8.1.0 kernel signature: b216c6657815fa21cd4df2f33b207745822771a56d58ba2dc61e7dd0a66d20c1 all runs: OK # git bisect start 8fe28cb58bcb235034b64cbbb7550a8a43fd88be 84df9525b0c27f3ebc2ebb1864fa62a97fdedb7d Bisecting: 7499 revisions left to test after this (roughly 13 steps) [ec9c166434595382be3babf266febf876327774d] Merge tag 'mips_fixes_4.20_1' of git://git.kernel.org/pub/scm/linux/kernel/git/mips/linux testing commit ec9c166434595382be3babf266febf876327774d with gcc (GCC) 8.1.0 kernel signature: 254708225560e2915789bc311452de455c35a06a853e6a3a760d240ce4529385 run #0: crashed: WARNING in binder_transaction_buffer_release run #1: crashed: WARNING in binder_transaction_buffer_release run #2: crashed: WARNING in binder_transaction_buffer_release run #3: crashed: WARNING in binder_transaction_buffer_release run #4: crashed: WARNING in binder_transaction_buffer_release run #5: crashed: WARNING in corrupted run #6: crashed: WARNING in binder_transaction_buffer_release run #7: crashed: WARNING in binder_transaction_buffer_release run #8: crashed: WARNING in binder_transaction_buffer_release run #9: crashed: WARNING in binder_transaction_buffer_release # git bisect bad ec9c166434595382be3babf266febf876327774d Bisecting: 3252 revisions left to test after this (roughly 12 steps) [50b825d7e87f4cff7070df6eb26390152bb29537] Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-next testing commit 50b825d7e87f4cff7070df6eb26390152bb29537 with gcc (GCC) 8.1.0 kernel signature: bd60410df5fb1842ef10a3605d8d2119af2d3261189c2e966481128a89178d1e run #0: OK run #1: OK run #2: OK run #3: OK run #4: OK run #5: OK run #6: OK run #7: OK run #8: OK run #9: boot failed: KASAN: use-after-free Read in blk_cleanup_queue # git bisect good 50b825d7e87f4cff7070df6eb26390152bb29537 Bisecting: 1617 revisions left to test after this (roughly 11 steps) [62606c224d72a98c35d21a849f95cccf95b0a252] Merge branch 'linus' of git://git.kernel.org/pub/scm/linux/kernel/git/herbert/crypto-2.6 testing commit 62606c224d72a98c35d21a849f95cccf95b0a252 with gcc (GCC) 8.1.0 kernel signature: fccbc8ed3135b81099d1275a15389d835fffe3f730384c5242a07c878abc67e9 all runs: OK # git bisect good 62606c224d72a98c35d21a849f95cccf95b0a252 Bisecting: 850 revisions left to test after this (roughly 10 steps) [26873acacbdbb4e4b444f5dd28dcc4853f0e8ba2] Merge tag 'driver-core-4.20-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/driver-core testing commit 26873acacbdbb4e4b444f5dd28dcc4853f0e8ba2 with gcc (GCC) 8.1.0 kernel signature: 0a87e237ca9c28dbc37c092a2c866bfccca93e6cee1fdd46897a1ec72e43d7e9 all runs: OK # git bisect good 26873acacbdbb4e4b444f5dd28dcc4853f0e8ba2 Bisecting: 422 revisions left to test after this (roughly 9 steps) [b27186abb37b7bd19e0ca434f4f425c807dbd708] Merge tag 'devicetree-for-4.20' of git://git.kernel.org/pub/scm/linux/kernel/git/robh/linux testing commit b27186abb37b7bd19e0ca434f4f425c807dbd708 with gcc (GCC) 8.1.0 kernel signature: a7b29b973fc1f7e0405e778bac88239efc5a9b9f5ed28e036304678cf5b4b305 all runs: crashed: WARNING in binder_transaction_buffer_release # git bisect bad b27186abb37b7bd19e0ca434f4f425c807dbd708 Bisecting: 213 revisions left to test after this (roughly 8 steps) [3ef230370e05a7a9606377cfcd983b0133bc1ac4] stm class: Update documentation to match the new identification rules testing commit 3ef230370e05a7a9606377cfcd983b0133bc1ac4 with gcc (GCC) 8.1.0 kernel signature: e359a3ae707818c878423ca88335f8f63f720c46b383d9228589f1d8f7db6ac6 run #0: crashed: WARNING in corrupted run #1: crashed: WARNING in binder_transaction_buffer_release run #2: crashed: WARNING in corrupted run #3: crashed: WARNING in corrupted run #4: crashed: WARNING in corrupted run #5: crashed: WARNING in binder_transaction_buffer_release run #6: crashed: WARNING in corrupted run #7: crashed: WARNING in corrupted run #8: crashed: WARNING in binder_transaction_buffer_release run #9: crashed: WARNING in binder_transaction_buffer_release # git bisect bad 3ef230370e05a7a9606377cfcd983b0133bc1ac4 Bisecting: 106 revisions left to test after this (roughly 7 steps) [8840a6f4a7b18cc3da54271b093516afa9eb4362] vmw_balloon: add reset stat testing commit 8840a6f4a7b18cc3da54271b093516afa9eb4362 with gcc (GCC) 8.1.0 kernel signature: 18afdfc0a9b510fdc232283c2b5d8864dc5cac2eeb687f5403c630c3e06f9569 run #0: crashed: WARNING in binder_transaction_buffer_release run #1: crashed: WARNING in binder_transaction_buffer_release run #2: crashed: WARNING in binder_transaction_buffer_release run #3: crashed: WARNING in binder_transaction_buffer_release run #4: crashed: WARNING in binder_transaction_buffer_release run #5: crashed: WARNING in binder_transaction_buffer_release run #6: crashed: WARNING in binder_transaction_buffer_release run #7: crashed: WARNING in corrupted run #8: crashed: WARNING in binder_transaction_buffer_release run #9: crashed: WARNING in binder_transaction_buffer_release # git bisect bad 8840a6f4a7b18cc3da54271b093516afa9eb4362 Bisecting: 53 revisions left to test after this (roughly 6 steps) [a0f9992c809fb73a05de1894734418a88178539f] coresight: platform: Fix refcounting for graph nodes testing commit a0f9992c809fb73a05de1894734418a88178539f with gcc (GCC) 8.1.0 kernel signature: 1ee3a41ce2f779c911101ed3f8586a3acad5194d82ab0e82b496af9491bf4872 run #0: crashed: WARNING in binder_transaction_buffer_release run #1: crashed: WARNING in corrupted run #2: crashed: WARNING in binder_transaction_buffer_release run #3: crashed: WARNING in corrupted run #4: crashed: WARNING in binder_transaction_buffer_release run #5: crashed: WARNING in binder_transaction_buffer_release run #6: crashed: WARNING in binder_transaction_buffer_release run #7: crashed: WARNING in binder_transaction_buffer_release run #8: crashed: WARNING in corrupted run #9: crashed: WARNING in corrupted # git bisect bad a0f9992c809fb73a05de1894734418a88178539f Bisecting: 26 revisions left to test after this (roughly 5 steps) [869fd5023a719a8d2af602ce95afba98751c33fc] platform: goldfish: pipe: Replace an array of 1 with a variable testing commit 869fd5023a719a8d2af602ce95afba98751c33fc with gcc (GCC) 8.1.0 kernel signature: 7dd81687e7dd972a972732a63651698146f014f1a73c18ba77b327fc0212e1b2 all runs: crashed: WARNING in binder_transaction_buffer_release # git bisect bad 869fd5023a719a8d2af602ce95afba98751c33fc Bisecting: 12 revisions left to test after this (roughly 4 steps) [44b73962cb25f1c8170ea695c4564b05a75e1fd4] android: binder: no outgoing transaction when thread todo has transaction testing commit 44b73962cb25f1c8170ea695c4564b05a75e1fd4 with gcc (GCC) 8.1.0 kernel signature: d434b8007579980c3ec924fea0fba9dd897c319d5f9954179492ea6c8be37fc3 all runs: OK # git bisect good 44b73962cb25f1c8170ea695c4564b05a75e1fd4 Bisecting: 6 revisions left to test after this (roughly 3 steps) [aa2eb86060f4473aa22d70164478bc14ce4bb8f8] misc: Convert to using %pOFn instead of device_node.name testing commit aa2eb86060f4473aa22d70164478bc14ce4bb8f8 with gcc (GCC) 8.1.0 kernel signature: c257399992d7794940db81addc8840faff62f51ec6b024f29dfe68392bec5476 run #0: crashed: WARNING in binder_transaction_buffer_release run #1: crashed: WARNING in binder_transaction_buffer_release run #2: crashed: WARNING in binder_transaction_buffer_release run #3: crashed: WARNING in binder_transaction_buffer_release run #4: crashed: WARNING in binder_transaction_buffer_release run #5: crashed: WARNING in binder_transaction_buffer_release run #6: crashed: WARNING in binder_transaction_buffer_release run #7: crashed: WARNING in binder_transaction_buffer_release run #8: crashed: WARNING in binder_transaction_buffer_release run #9: crashed: WARNING in corrupted # git bisect bad aa2eb86060f4473aa22d70164478bc14ce4bb8f8 Bisecting: 2 revisions left to test after this (roughly 2 steps) [b7e6a8961b5d6dd3fc535970e65d497d868bb49f] binder: Add BINDER_GET_NODE_INFO_FOR_REF ioctl. testing commit b7e6a8961b5d6dd3fc535970e65d497d868bb49f with gcc (GCC) 8.1.0 kernel signature: 5c331a46ff047a58ada3c1660040607afb5025536bd79a95752bc012eb4f529b run #0: crashed: WARNING in binder_transaction_buffer_release run #1: crashed: WARNING in binder_transaction_buffer_release run #2: crashed: WARNING in binder_transaction_buffer_release run #3: crashed: WARNING in binder_transaction_buffer_release run #4: crashed: WARNING in binder_transaction_buffer_release run #5: crashed: WARNING in corrupted run #6: crashed: WARNING in binder_transaction_buffer_release run #7: crashed: WARNING in corrupted run #8: crashed: WARNING in corrupted run #9: crashed: WARNING in corrupted # git bisect bad b7e6a8961b5d6dd3fc535970e65d497d868bb49f Bisecting: 0 revisions left to test after this (roughly 1 step) [6b6642dadd685af885367d6e30f18553e2a23b22] android: binder: use kstrdup instead of open-coding it testing commit 6b6642dadd685af885367d6e30f18553e2a23b22 with gcc (GCC) 8.1.0 kernel signature: 019cf96033e875c4746cd50139ccdaca9e02aaadb5f85c669331d5701f3546db run #0: crashed: WARNING in binder_transaction_buffer_release run #1: crashed: WARNING in corrupted run #2: crashed: WARNING in binder_transaction_buffer_release run #3: crashed: WARNING in corrupted run #4: crashed: WARNING in binder_transaction_buffer_release run #5: crashed: WARNING in binder_transaction_buffer_release run #6: crashed: WARNING in binder_transaction_buffer_release run #7: crashed: WARNING in binder_transaction_buffer_release run #8: crashed: WARNING in binder_transaction_buffer_release run #9: crashed: WARNING in binder_transaction_buffer_release # git bisect bad 6b6642dadd685af885367d6e30f18553e2a23b22 Bisecting: 0 revisions left to test after this (roughly 0 steps) [44d8047f1d87adc2fd7eccc88533794f6d88c15e] binder: use standard functions to allocate fds testing commit 44d8047f1d87adc2fd7eccc88533794f6d88c15e with gcc (GCC) 8.1.0 kernel signature: a363279cc668a892e93566ec80c442a6fa3102dd2afcff7ef34a4c654eff201d run #0: crashed: WARNING in binder_transaction_buffer_release run #1: crashed: WARNING in binder_transaction_buffer_release run #2: crashed: WARNING in binder_transaction_buffer_release run #3: crashed: WARNING in corrupted run #4: crashed: WARNING in binder_transaction_buffer_release run #5: crashed: WARNING in binder_transaction_buffer_release run #6: crashed: WARNING in binder_transaction_buffer_release run #7: crashed: WARNING in binder_transaction_buffer_release run #8: crashed: WARNING in binder_transaction_buffer_release run #9: crashed: WARNING in binder_transaction_buffer_release # git bisect bad 44d8047f1d87adc2fd7eccc88533794f6d88c15e 44d8047f1d87adc2fd7eccc88533794f6d88c15e is the first bad commit commit 44d8047f1d87adc2fd7eccc88533794f6d88c15e Author: Todd Kjos Date: Tue Aug 28 13:46:25 2018 -0700 binder: use standard functions to allocate fds Binder uses internal fs interfaces to allocate and install fds: __alloc_fd __fd_install __close_fd get_files_struct put_files_struct These were used to support the passing of fds between processes as part of a transaction. The actual allocation and installation of the fds in the target process was handled by the sending process so the standard functions, alloc_fd() and fd_install() which assume task==current couldn't be used. This patch refactors this mechanism so that the fds are allocated and installed by the target process allowing the standard functions to be used. The sender now creates a list of fd fixups that contains the struct *file and the address to fixup with the new fd once it is allocated. This list is processed by the target process when the transaction is dequeued. A new error case is introduced by this change. If an async transaction with file descriptors cannot allocate new fds in the target (probably due to out of file descriptors), the transaction is discarded with a log message. In the old implementation this would have been detected in the sender context and failed prior to sending. Signed-off-by: Todd Kjos Signed-off-by: Greg Kroah-Hartman drivers/android/Kconfig | 2 +- drivers/android/binder.c | 387 ++++++++++++++++++++++++----------------- drivers/android/binder_trace.h | 36 +++- 3 files changed, 260 insertions(+), 165 deletions(-) culprit signature: a363279cc668a892e93566ec80c442a6fa3102dd2afcff7ef34a4c654eff201d parent signature: d434b8007579980c3ec924fea0fba9dd897c319d5f9954179492ea6c8be37fc3 revisions tested: 24, total time: 4h17m29.847508853s (build: 2h18m47.969531338s, test: 1h56m53.27138508s) first bad commit: 44d8047f1d87adc2fd7eccc88533794f6d88c15e binder: use standard functions to allocate fds cc: ["gregkh@linuxfoundation.org" "tkjos@android.com" "tkjos@google.com"] crash: WARNING in binder_transaction_buffer_release IPv6: ADDRCONF(NETDEV_CHANGE): veth1_macvtap: link becomes ready IPv6: ADDRCONF(NETDEV_CHANGE): veth0_macvtap: link becomes ready IPv6: ADDRCONF(NETDEV_CHANGE): veth1_macvtap: link becomes ready audit: type=1400 audit(1590248985.482:12): avc: denied { call } for pid=7709 comm="syz-executor.2" scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=binder permissive=1 IPv6: ADDRCONF(NETDEV_CHANGE): veth0_macvtap: link becomes ready WARNING: CPU: 1 PID: 7711 at drivers/android/binder.c:2245 binder_transaction_buffer_release+0x2f1/0x990 drivers/android/binder.c:2244 IPv6: ADDRCONF(NETDEV_UP): veth1_to_batadv: link is not ready Kernel panic - not syncing: panic_on_warn set ... batman_adv: The newly added mac address (aa:aa:aa:aa:aa:3d) already exists on: batadv_slave_0 CPU: 1 PID: 7711 Comm: syz-executor.2 Not tainted 4.19.0-rc3-syzkaller #0 batman_adv: It is strongly recommended to keep mac addresses unique to avoid problems! Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 batman_adv: The newly added mac address (aa:aa:aa:aa:aa:3d) already exists on: batadv_slave_0 Call Trace: __dump_stack lib/dump_stack.c:77 [inline] dump_stack+0x15a/0x20d lib/dump_stack.c:113 panic+0x1c6/0x36b kernel/panic.c:184 __warn.cold.7+0x120/0x168 kernel/panic.c:536 report_bug+0x1a4/0x200 lib/bug.c:186 batman_adv: It is strongly recommended to keep mac addresses unique to avoid problems! fixup_bug arch/x86/kernel/traps.c:178 [inline] do_error_trap+0x200/0x350 arch/x86/kernel/traps.c:296 batman_adv: The newly added mac address (aa:aa:aa:aa:aa:3d) already exists on: batadv_slave_0 do_invalid_op+0x1b/0x20 arch/x86/kernel/traps.c:316 batman_adv: It is strongly recommended to keep mac addresses unique to avoid problems! invalid_op+0x14/0x20 arch/x86/entry/entry_64.S:993 IPv6: ADDRCONF(NETDEV_UP): batadv_slave_0: link is not ready RIP: 0010:binder_transaction_buffer_release+0x2f1/0x990 drivers/android/binder.c:2244 batman_adv: batadv0: Interface activated: batadv_slave_0 Code: 48 8b 85 58 ff ff ff 48 89 fa 48 c1 ea 03 42 80 3c 2a 00 4c 8b 78 48 0f 85 1a 05 00 00 4d 3b be 10 05 00 00 0f 85 d4 fe ff ff <0f> 0b 48 83 c3 08 48 39 9d 68 ff ff ff 0f 87 d2 fe ff ff 48 8b 8d RSP: 0018:ffff88008a537548 EFLAGS: 00010246 RAX: ffff8800a881db00 RBX: ffffc90005aac060 RCX: 0000000000000040 RDX: 1ffff100151cb93a RSI: ffff88008a437b58 RDI: ffff8800a8e5c9d0 RBP: ffff88008a537648 R08: ffffed0015d6473b R09: ffffed0015d6473a R10: ffffed0015d6473a R11: ffff8800aeb239d3 R12: ffff88008a437b00 R13: dffffc0000000000 R14: ffff8800a8e5c4c0 R15: ffff8800a89ec440 batman_adv: The newly added mac address (aa:aa:aa:aa:aa:3e) already exists on: batadv_slave_1 binder_transaction+0x10c1/0x5460 drivers/android/binder.c:3240 batman_adv: It is strongly recommended to keep mac addresses unique to avoid problems! batman_adv: The newly added mac address (aa:aa:aa:aa:aa:3e) already exists on: batadv_slave_1 binder_thread_write+0x643/0x1e40 drivers/android/binder.c:3539 batman_adv: It is strongly recommended to keep mac addresses unique to avoid problems! batman_adv: The newly added mac address (aa:aa:aa:aa:aa:3e) already exists on: batadv_slave_1 binder_ioctl_write_read.isra.21+0x195/0x670 drivers/android/binder.c:4576 binder_ioctl+0x77f/0xee8 drivers/android/binder.c:4716 batman_adv: It is strongly recommended to keep mac addresses unique to avoid problems! IPv6: ADDRCONF(NETDEV_UP): batadv_slave_1: link is not ready vfs_ioctl fs/ioctl.c:46 [inline] file_ioctl fs/ioctl.c:501 [inline] do_vfs_ioctl+0x196/0x1050 fs/ioctl.c:685 batman_adv: batadv0: Interface activated: batadv_slave_1 device veth0_macvtap entered promiscuous mode ksys_ioctl+0x62/0x90 fs/ioctl.c:702 IPv6: ADDRCONF(NETDEV_UP): macvtap0: link is not ready device veth1_macvtap entered promiscuous mode __do_sys_ioctl fs/ioctl.c:709 [inline] __se_sys_ioctl fs/ioctl.c:707 [inline] __x64_sys_ioctl+0x6e/0xb0 fs/ioctl.c:707 do_syscall_64+0xd0/0x4d0 arch/x86/entry/common.c:290 entry_SYSCALL_64_after_hwframe+0x49/0xbe RIP: 0033:0x45ca29 Code: 0d b7 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 db b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00 RSP: 002b:00007f5bcc6d3c78 EFLAGS: 00000246 ORIG_RAX: 0000000000000010 RAX: ffffffffffffffda RBX: 00000000004e1340 RCX: 000000000045ca29 RDX: 0000000020000540 RSI: 00000000c0306201 RDI: 0000000000000003 RBP: 000000000078bf00 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 00000000ffffffff R13: 0000000000000214 R14: 00000000004c458f R15: 00007f5bcc6d46d4 Kernel Offset: disabled Rebooting in 86400 seconds..