[ ok ] Starting enhanced syslogd: rsyslogd[   15.969381] audit: type=1400 audit(1520253636.683:4): avc:  denied  { syslog } for  pid=3653 comm="rsyslogd" capability=34  scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=capability2 permissive=1
.
[ ok ] Starting periodic command scheduler: cron.
Starting mcstransd: 
[ ok ] Starting file context maintaining daemon: restorecond.
[ ok ] Starting OpenBSD Secure Shell server: sshd.

Debian GNU/Linux 7 syzkaller ttyS0

Warning: Permanently added '10.128.0.9' (ECDSA) to the list of known hosts.
executing program
syzkaller login: [   46.008390] audit: type=1400 audit(1520253666.723:5): avc:  denied  { set_context_mgr } for  pid=3821 comm="syzkaller856104" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=binder permissive=1
[   46.029818] binder: 3821:3823 ERROR: BC_REGISTER_LOOPER called without request
[   46.039565] audit: type=1400 audit(1520253666.753:6): avc:  denied  { call } for  pid=3821 comm="syzkaller856104" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=binder permissive=1
[   46.063318] binder: release 3821:3822 transaction 3 out, still active
[   46.069977] binder: undelivered TRANSACTION_COMPLETE
[   46.075184] binder: 3821:3822 BC_ACQUIRE_DONE u0000000000000000 node 2 cookie mismatch 0000000000000004 != 0000000000000000
executing program
[   46.129783] binder: release 3821:3823 transaction 1 out, still active
[   46.136462] binder: undelivered TRANSACTION_COMPLETE
[   46.139131] binder: 3825:3826 ERROR: BC_REGISTER_LOOPER called without request
[   46.148926] binder: release 3821:3824 transaction 4 out, still active
[   46.155476] binder: undelivered TRANSACTION_COMPLETE
[   46.160216] binder: release 3825:3826 transaction 7 out, still active
[   46.160219] binder: release 3825:3826 transaction 6 in, still active
[   46.160222] binder: undelivered TRANSACTION_COMPLETE
executing program
[   46.160286] binder: 3825:3826 BC_ACQUIRE_DONE u0000000000000000 node 5 cookie mismatch 0000000000000004 != 0000000000000000
[   46.190207] binder: send failed reply for transaction 1, target dead
[   46.196741] binder: send failed reply for transaction 3, target dead
[   46.198519] binder: BINDER_SET_CONTEXT_MGR already set
[   46.198530] binder: 3828:3829 ioctl 40046207 0 returned -16
[   46.199065] binder: 3828:3829 ERROR: BC_REGISTER_LOOPER called without request
[   46.219893] binder_alloc: 3825: binder_alloc_buf, no vma
executing program
[   46.219905] binder: 3828:3830 transaction failed 29189/-3, size 0-0 line 3127
[   46.222063] binder: undelivered TRANSACTION_ERROR: 29189
[   46.224252] binder: 3828:3830 BC_ACQUIRE_DONE u0000000000000000 no match
[   46.246446] binder: send failed reply for transaction 4, target dead
[   46.246682] binder_alloc: 3825: binder_alloc_buf, no vma
[   46.246695] binder: 3828:3831 transaction failed 29189/-3, size 0-0 line 3127
[   46.261575] binder: BINDER_SET_CONTEXT_MGR already set
[   46.261580] binder: 3832:3833 ioctl 40046207 0 returned -16
executing program
[   46.262111] binder: 3832:3833 ERROR: BC_REGISTER_LOOPER called without request
[   46.282923] binder_alloc: 3825: binder_alloc_buf, no vma
[   46.282935] binder: 3832:3834 transaction failed 29189/-3, size 0-0 line 3127
[   46.285150] binder: undelivered TRANSACTION_ERROR: 29189
[   46.287373] binder: 3832:3834 BC_ACQUIRE_DONE u0000000000000000 no match
[   46.309476] binder: undelivered TRANSACTION_ERROR: 29189
[   46.310010] binder_alloc: 3825: binder_alloc_buf, no vma
[   46.310022] binder: 3832:3835 transaction failed 29189/-3, size 0-0 line 3127
[   46.326394] binder: BINDER_SET_CONTEXT_MGR already set
[   46.326399] binder: 3836:3837 ioctl 40046207 0 returned -16
[   46.326994] binder: 3836:3837 ERROR: BC_REGISTER_LOOPER called without request
[   46.346051] binder: undelivered TRANSACTION_ERROR: 29189
[   46.347758] binder_alloc: 3825: binder_alloc_buf, no vma
[   46.347770] binder: 3836:3838 transaction failed 29189/-3, size 0-0 line 3127
[   46.349985] binder: undelivered TRANSACTION_ERROR: 29189
[   46.352206] binder: 3836:3838 BC_ACQUIRE_DONE u0000000000000000 no match
executing program
[   46.374668] binder_alloc: 3825: binder_alloc_buf, no vma
[   46.374679] binder: 3836:3839 transaction failed 29189/-3, size 0-0 line 3127
[   46.389120] binder: BINDER_SET_CONTEXT_MGR already set
[   46.389124] binder: 3840:3841 ioctl 40046207 0 returned -16
[   46.389661] binder: 3840:3841 ERROR: BC_REGISTER_LOOPER called without request
[   46.407556] binder: undelivered TRANSACTION_ERROR: 29189
[   46.410429] binder_alloc: 3825: binder_alloc_buf, no vma
[   46.410440] binder: 3840:3842 transaction failed 29189/-3, size 0-0 line 3127
[   46.412657] binder: undelivered TRANSACTION_ERROR: 29189
executing program
[   46.414873] binder: 3840:3842 BC_ACQUIRE_DONE u0000000000000000 no match
[   46.437257] binder_alloc: 3825: binder_alloc_buf, no vma
[   46.437268] binder: 3840:3843 transaction failed 29189/-3, size 0-0 line 3127
[   46.450655] binder: undelivered TRANSACTION_ERROR: 29189
[   46.452244] binder: BINDER_SET_CONTEXT_MGR already set
[   46.452249] binder: 3844:3845 ioctl 40046207 0 returned -16
[   46.452782] binder: 3844:3845 ERROR: BC_REGISTER_LOOPER called without request
[   46.473655] binder_alloc: 3825: binder_alloc_buf, no vma
executing program
[   46.473667] binder: 3844:3846 transaction failed 29189/-3, size 0-0 line 3127
[   46.475878] binder: undelivered TRANSACTION_ERROR: 29189
[   46.478099] binder: 3844:3846 BC_ACQUIRE_DONE u0000000000000000 no match
[   46.499490] binder: release 3825:3827 transaction 8 in, still active
[   46.500546] binder: 3844:3847 transaction failed 29189/-22, size 0-0 line 3004
[   46.513314] binder: send failed reply for transaction 8 to 3825:3827
[   46.516179] binder: 3848:3849 ERROR: BC_REGISTER_LOOPER called without request
executing program
[   46.527263] ==================================================================
[   46.534609] BUG: KASAN: use-after-free in __list_del_entry+0x196/0x1d0
[   46.537079] binder: release 3848:3849 transaction 21 out, still active
[   46.537083] binder: release 3848:3849 transaction 20 in, still active
[   46.537085] binder: undelivered TRANSACTION_COMPLETE
[   46.537150] binder: 3848:3849 BC_ACQUIRE_DONE u0000000000000000 node 19 cookie mismatch 0000000000000004 != 0000000000000000
[   46.570833] Read of size 8 at addr ffff8801ce6e8e10 by task kworker/1:2/2403
[   46.573833] binder: BINDER_SET_CONTEXT_MGR already set
[   46.573838] binder: 3851:3852 ioctl 40046207 0 returned -16
[   46.574358] binder: 3851:3852 ERROR: BC_REGISTER_LOOPER called without request
[   46.595166] binder_alloc: 3848: binder_alloc_buf, no vma
[   46.595178] binder: 3851:3853 transaction failed 29189/-3, size 0-0 line 3127
[   46.597455] binder: undelivered TRANSACTION_ERROR: 29189
[   46.599749] binder: 3851:3853 BC_ACQUIRE_DONE u0000000000000000 no match
[   46.621105] 
[   46.622158] binder_alloc: 3848: binder_alloc_buf, no vma
executing program
[   46.622170] binder: 3851:3854 transaction failed 29189/-3, size 0-0 line 3127
[   46.635460] CPU: 1 PID: 2403 Comm: kworker/1:2 Not tainted 4.9.86-gb324a70 #50
[   46.637105] binder: BINDER_SET_CONTEXT_MGR already set
[   46.637110] binder: 3855:3856 ioctl 40046207 0 returned -16
[   46.637681] binder: 3855:3856 ERROR: BC_REGISTER_LOOPER called without request
[   46.658434] binder_alloc: 3848: binder_alloc_buf, no vma
[   46.658447] binder: 3855:3857 transaction failed 29189/-3, size 0-0 line 3127
[   46.660667] binder: undelivered TRANSACTION_ERROR: 29189
executing program
[   46.662940] binder: 3855:3857 BC_ACQUIRE_DONE u0000000000000000 no match
[   46.685357] binder_alloc: 3848: binder_alloc_buf, no vma
[   46.685378] binder: 3855:3858 transaction failed 29189/-3, size 0-0 line 3127
[   46.698558] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   46.699904] binder: BINDER_SET_CONTEXT_MGR already set
[   46.699909] binder: 3859:3860 ioctl 40046207 0 returned -16
[   46.700445] binder: 3859:3860 ERROR: BC_REGISTER_LOOPER called without request
[   46.721233] binder_alloc: 3848: binder_alloc_buf, no vma
executing program
[   46.721246] binder: 3859:3861 transaction failed 29189/-3, size 0-0 line 3127
[   46.723461] binder: undelivered TRANSACTION_ERROR: 29189
[   46.725680] binder: 3859:3861 BC_ACQUIRE_DONE u0000000000000000 no match
[   46.748058] binder_alloc: 3848: binder_alloc_buf, no vma
[   46.748069] binder: 3859:3862 transaction failed 29189/-3, size 0-0 line 3127
[   46.762875] binder: BINDER_SET_CONTEXT_MGR already set
[   46.762880] binder: 3863:3864 ioctl 40046207 0 returned -16
[   46.763407] binder: 3863:3864 ERROR: BC_REGISTER_LOOPER called without request
executing program
[   46.782446] Workqueue: events binder_deferred_func
[   46.784177] binder_alloc: 3848: binder_alloc_buf, no vma
[   46.784188] binder: 3863:3865 transaction failed 29189/-3, size 0-0 line 3127
[   46.786405] binder: undelivered TRANSACTION_ERROR: 29189
[   46.788623] binder: 3863:3865 BC_ACQUIRE_DONE u0000000000000000 no match
[   46.811009] binder_alloc: 3848: binder_alloc_buf, no vma
[   46.811020] binder: 3863:3866 transaction failed 29189/-3, size 0-0 line 3127
[   46.824712]  ffff8801b3877a50
[   46.825890] binder: BINDER_SET_CONTEXT_MGR already set
[   46.825895] binder: 3867:3868 ioctl 40046207 0 returned -16
[   46.826419] binder: 3867:3868 ERROR: BC_REGISTER_LOOPER called without request
[   46.845854]  ffffffff81d956f9
[   46.847181] binder_alloc: 3848: binder_alloc_buf, no vma
[   46.847192] binder: 3867:3869 transaction failed 29189/-3, size 0-0 line 3127
[   46.849406] binder: undelivered TRANSACTION_ERROR: 29189
[   46.851647] binder: 3867:3869 BC_ACQUIRE_DONE u0000000000000000 no match
[   46.873641]  ffffea000739ba00
[   46.874093] binder_alloc: 3848: binder_alloc_buf, no vma
executing program
[   46.874105] binder: 3867:3870 transaction failed 29189/-3, size 0-0 line 3127
[   46.889080] binder: BINDER_SET_CONTEXT_MGR already set
[   46.889085] binder: 3871:3872 ioctl 40046207 0 returned -16
[   46.889637] binder: 3871:3872 ERROR: BC_REGISTER_LOOPER called without request
[   46.907451]  ffff8801ce6e8e10 0000000000000000
[   46.907456]  ffff8801ce6e8e10 ffffed00381d0d49 ffff8801b3877a88 ffffffff8153e083
[   46.907461]  ffff8801ce6e8e10 0000000000000008 0000000000000000
Call Trace:
[   46.907475]  [<ffffffff81d956f9>] dump_stack+0xc1/0x128
[   46.907483]  [<ffffffff8153e083>] print_address_description+0x73/0x280
[   46.907487]  [<ffffffff8153e5a5>] kasan_report+0x275/0x360
[   46.907493]  [<ffffffff81dfd0b6>] ? __list_del_entry+0x196/0x1d0
[   46.907498]  [<ffffffff8153e704>] __asan_report_load8_noabort+0x14/0x20
[   46.907502]  [<ffffffff81dfd0b6>] __list_del_entry+0x196/0x1d0
[   46.907506]  [<ffffffff82d64cbc>] binder_release_work+0x8c/0x260
[   46.907510]  [<ffffffff82d648da>] ? binder_send_failed_reply+0x18a/0x3a0
[   46.907513]  [<ffffffff82d652b8>] binder_thread_release+0x428/0x600
[   46.907517]  [<ffffffff82d658cf>] binder_deferred_func+0x43f/0xd10
[   46.907524]  [<ffffffff81234d01>] ? __lock_is_held+0xa1/0xf0
[   46.907530]  [<ffffffff811898a0>] process_one_work+0x7e0/0x1610
[   46.907534]  [<ffffffff811897ec>] ? process_one_work+0x72c/0x1610
[   46.907538]  [<ffffffff811890c0>] ? pwq_dec_nr_in_flight+0x2d0/0x2d0
[   46.907543]  [<ffffffff8118a7b0>] worker_thread+0xe0/0x10d0
[   46.907553]  [<ffffffff838a4583>] ? __schedule+0x683/0x1ba0
[   46.907558]  [<ffffffff8119a7bd>] kthread+0x26d/0x300
[   46.907562]  [<ffffffff8118a6d0>] ? process_one_work+0x1610/0x1610
[   46.907565]  [<ffffffff8119a550>] ? kthread_park+0xa0/0xa0
[   46.907570]  [<ffffffff8119a550>] ? kthread_park+0xa0/0xa0
[   46.907573]  [<ffffffff8119a550>] ? kthread_park+0xa0/0xa0
[   46.907577]  [<ffffffff838b57ac>] ret_from_fork+0x5c/0x70
[   46.907579] 
[   46.907582] Allocated by task 3827:
[   46.907587]  save_stack_trace+0x16/0x20
[   46.907590]  save_stack+0x43/0xd0
[   46.907593]  kasan_kmalloc+0xad/0xe0
[   46.907596]  kmem_cache_alloc_trace+0xfb/0x2a0
[   46.907599]  binder_transaction+0x103c/0x7040
[   46.907602]  binder_thread_write+0x8d4/0x31f0
[   46.907605]  binder_ioctl_write_read.isra.55+0x1ed/0x9a0
[   46.907607]  binder_ioctl+0xaea/0x11b0
[   46.907611]  do_vfs_ioctl+0x1aa/0x1140
[   46.907614]  SyS_ioctl+0x8f/0xc0
[   46.907618]  do_syscall_64+0x1a4/0x490
[   46.907621]  entry_SYSCALL_64_after_swapgs+0x5d/0xdb
[   46.907621] 
[   46.907623] Freed by task 2403:
[   46.907626]  save_stack_trace+0x16/0x20
[   46.907629]  save_stack+0x43/0xd0
[   46.907632]  kasan_slab_free+0x72/0xc0
[   46.907634]  kfree+0x103/0x300
[   46.907639]  binder_free_transaction+0x6a/0x90
[   46.907642]  binder_send_failed_reply+0x185/0x3a0
[   46.907644]  binder_thread_release+0x416/0x600
[   46.907647]  binder_deferred_func+0x43f/0xd10
[   46.907650]  process_one_work+0x7e0/0x1610
[   46.907653]  worker_thread+0xe0/0x10d0
[   46.907656]  kthread+0x26d/0x300
[   46.907659]  ret_from_fork+0x5c/0x70
[   46.907659] 
[   46.907663] The buggy address belongs to the object at ffff8801ce6e8e00
[   46.907663]  which belongs to the cache kmalloc-192 of size 192
[   46.907666] The buggy address is located 16 bytes inside of
[   46.907666]  192-byte region [ffff8801ce6e8e00, ffff8801ce6e8ec0)
[   46.907666] The buggy address belongs to the page:
[   46.907671] page:ffffea000739ba00 count:1 mapcount:0 mapping:          (null) index:0x0
[   46.907674] flags: 0x8000000000000080(slab)
[   46.907675] page dumped because: kasan: bad access detected
[   46.907676] 
[   46.907677] Memory state around the buggy address:
[   46.907681]  ffff8801ce6e8d00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   46.907684]  ffff8801ce6e8d80: 00 00 00 00 00 00 fc fc fc fc fc fc fc fc fc fc
[   46.907687] >ffff8801ce6e8e00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   46.907688]                          ^
[   46.907691]  ffff8801ce6e8e80: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[   46.907693]  ffff8801ce6e8f00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   46.907694] ==================================================================
[   46.907695] Disabling lock debugging due to kernel taint
[   46.907756] Kernel panic - not syncing: panic_on_warn set ...
[   46.907756] 
[   46.907761] CPU: 1 PID: 2403 Comm: kworker/1:2 Tainted: G    B           4.9.86-gb324a70 #50
[   46.907763] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   46.907768] Workqueue: events binder_deferred_func
[   46.907775]  ffff8801b38779a8 ffffffff81d956f9 ffffffff841979cf ffff8801b3877a80
[   46.907780]  0000000000000000 ffff8801ce6e8e10 ffffed00381d0d49 ffff8801b3877a70
[   46.907785]  ffffffff8142f531 0000000041b58ab3 ffffffff8418b430 ffffffff8142f375
[   46.907786] Call Trace:
[   46.907790]  [<ffffffff81d956f9>] dump_stack+0xc1/0x128
[   46.907797]  [<ffffffff8142f531>] panic+0x1bc/0x3a8
[   46.907802]  [<ffffffff8142f375>] ? percpu_up_read_preempt_enable.constprop.53+0xd7/0xd7
[   46.907806]  [<ffffffff8153dff0>] kasan_end_report+0x50/0x50
[   46.907810]  [<ffffffff8153e497>] kasan_report+0x167/0x360
[   46.907814]  [<ffffffff81dfd0b6>] ? __list_del_entry+0x196/0x1d0
[   46.907819]  [<ffffffff8153e704>] __asan_report_load8_noabort+0x14/0x20
[   46.907823]  [<ffffffff81dfd0b6>] __list_del_entry+0x196/0x1d0
[   46.907826]  [<ffffffff82d64cbc>] binder_release_work+0x8c/0x260
[   46.907830]  [<ffffffff82d648da>] ? binder_send_failed_reply+0x18a/0x3a0
[   46.907833]  [<ffffffff82d652b8>] binder_thread_release+0x428/0x600
[   46.907836]  [<ffffffff82d658cf>] binder_deferred_func+0x43f/0xd10
[   46.907841]  [<ffffffff81234d01>] ? __lock_is_held+0xa1/0xf0
[   46.907845]  [<ffffffff811898a0>] process_one_work+0x7e0/0x1610
[   46.907849]  [<ffffffff811897ec>] ? process_one_work+0x72c/0x1610
[   46.907853]  [<ffffffff811890c0>] ? pwq_dec_nr_in_flight+0x2d0/0x2d0
[   46.907858]  [<ffffffff8118a7b0>] worker_thread+0xe0/0x10d0
[   46.907862]  [<ffffffff838a4583>] ? __schedule+0x683/0x1ba0
[   46.907865]  [<ffffffff8119a7bd>] kthread+0x26d/0x300
[   46.907869]  [<ffffffff8118a6d0>] ? process_one_work+0x1610/0x1610
[   46.907873]  [<ffffffff8119a550>] ? kthread_park+0xa0/0xa0
[   46.907877]  [<ffffffff8119a550>] ? kthread_park+0xa0/0xa0
[   46.907880]  [<ffffffff8119a550>] ? kthread_park+0xa0/0xa0
[   46.907884]  [<ffffffff838b57ac>] ret_from_fork+0x5c/0x70
[   46.910954] Dumping ftrace buffer:
[   46.910957]    (ftrace buffer empty)
[   46.910959] Kernel Offset: disabled
[   47.485962] Rebooting in 86400 seconds..