INIT: Entering runlevel: 2 [info] Using makefile-style concurrent boot in runlevel 2. [....] Starting enhanced syslogd: rsyslogd[?25l[?1c7[ ok 8[?25h[?0c. [....] Starting periodic command scheduler: cron[?25l[?1c7[ ok 8[?25h[?0c. [....] Starting OpenBSD Secure Shell server: sshd[?25l[?1c7[ ok 8[?25h[?0c. Debian GNU/Linux 7 syzkaller ttyS0 Warning: Permanently added 'ci-upstream-kasan-gce-6,10.128.0.23' (ECDSA) to the list of known hosts. 2017/08/14 02:17:35 parsed 1 programs 2017/08/14 02:17:35 executed programs: 0 2017/08/14 02:17:40 executed programs: 357 2017/08/14 02:17:45 executed programs: 704 2017/08/14 02:17:50 executed programs: 1051 2017/08/14 02:17:55 executed programs: 1398 2017/08/14 02:18:00 executed programs: 1745 2017/08/14 02:18:05 executed programs: 2086 2017/08/14 02:18:10 executed programs: 2430 2017/08/14 02:18:15 executed programs: 2772 2017/08/14 02:18:20 executed programs: 3118 2017/08/14 02:18:25 executed programs: 3469 2017/08/14 02:18:30 executed programs: 3817 2017/08/14 02:18:35 executed programs: 4165 2017/08/14 02:18:40 executed programs: 4513 syzkaller login: [ 181.209230] ================================================================== [ 181.216743] BUG: KASAN: use-after-free in free_ldt_struct.part.2+0x10a/0x150 [ 181.223916] Read of size 4 at addr ffff8801d8729788 by task syz-executor2/26619 [ 181.231334] [ 181.232939] CPU: 1 PID: 26619 Comm: syz-executor2 Not tainted 4.13.0-rc4+ #34 [ 181.240182] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 181.249508] Call Trace: [ 181.252075] dump_stack+0x194/0x257 [ 181.255684] ? arch_local_irq_restore+0x53/0x53 [ 181.260327] ? show_regs_print_info+0x65/0x65 [ 181.264812] ? free_ldt_struct.part.2+0x10a/0x150 [ 181.269642] print_address_description+0x73/0x250 [ 181.274468] ? free_ldt_struct.part.2+0x10a/0x150 [ 181.279286] kasan_report+0x24e/0x340 [ 181.283071] __asan_report_load4_noabort+0x14/0x20 [ 181.287980] free_ldt_struct.part.2+0x10a/0x150 [ 181.292622] ? rcu_pm_notify+0xc0/0xc0 [ 181.296486] destroy_context_ldt+0x60/0x80 [ 181.300697] __mmdrop+0xe9/0x530 [ 181.304045] ? sighand_ctor+0x50/0x50 [ 181.307828] ? trace_hardirqs_on+0xd/0x10 [ 181.311959] ? percpu_counter_add_batch+0xce/0x130 [ 181.316876] ? free_modinfo_version+0x70/0x70 [ 181.321343] ? __khugepaged_exit+0x43d/0x650 [ 181.325725] ? SyS_munmap+0x30/0x30 [ 181.329333] ? ___might_sleep+0x1/0x470 [ 181.333304] ? __might_sleep+0x95/0x190 [ 181.337264] mmput+0x541/0x6e0 [ 181.340439] ? get_task_exe_file+0xc0/0xc0 [ 181.344660] ? is_current_pgrp_orphaned+0xa0/0xa0 [ 181.349473] ? do_exit+0x979/0x1b10 [ 181.353077] ? lock_downgrade+0x990/0x990 [ 181.357214] ? do_raw_spin_trylock+0x190/0x190 [ 181.361778] ? down_read+0x96/0x150 [ 181.365376] ? do_exit+0x49c/0x1b10 [ 181.368986] ? __down_interruptible+0x6a0/0x6a0 [ 181.373631] ? trace_hardirqs_on+0xd/0x10 [ 181.377752] ? _raw_spin_unlock_irq+0x27/0x70 [ 181.382246] do_exit+0x989/0x1b10 [ 181.385678] ? debug_check_no_locks_freed+0x3c0/0x3c0 [ 181.390867] ? mm_update_next_owner+0x930/0x930 [ 181.395531] ? perf_trace_run_bpf_submit+0x1a7/0x290 [ 181.400614] ? perf_trace_run_bpf_submit+0x1a7/0x290 [ 181.405690] ? perf_trace_run_bpf_submit+0x1ae/0x290 [ 181.410783] ? perf_tp_event+0xae0/0xae0 [ 181.414827] ? memset+0x31/0x40 [ 181.418095] ? perf_trace_lock+0x3e9/0x860 [ 181.422324] ? check_noncircular+0x20/0x20 [ 181.426554] ? debug_check_no_locks_freed+0x3c0/0x3c0 [ 181.431725] ? get_futex_value_locked+0xc3/0xf0 [ 181.436393] ? find_held_lock+0x35/0x1d0 [ 181.440455] ? get_signal+0x855/0x17e0 [ 181.444320] ? lock_downgrade+0x990/0x990 [ 181.448462] do_group_exit+0x149/0x400 [ 181.452327] ? __lock_is_held+0xb6/0x140 [ 181.456361] ? SyS_exit+0x30/0x30 [ 181.459799] ? _raw_spin_unlock_irq+0x27/0x70 [ 181.464272] ? trace_hardirqs_on_caller+0x421/0x5c0 [ 181.469274] get_signal+0x7e8/0x17e0 [ 181.473036] ? ptrace_notify+0x130/0x130 [ 181.477069] ? find_held_lock+0x35/0x1d0 [ 181.481118] ? do_futex+0x781/0x20a0 [ 181.484807] ? __fget+0x333/0x570 [ 181.488238] ? lock_downgrade+0x990/0x990 [ 181.492369] ? lock_release+0xa40/0xa40 [ 181.496350] do_signal+0x94/0x1ee0 [ 181.499883] ? _do_fork+0x1ef/0xfb0 [ 181.503482] ? _do_fork+0x2dc/0xfb0 [ 181.507086] ? setup_sigcontext+0x7d0/0x7d0 [ 181.511384] ? fork_idle+0x2d0/0x2d0 [ 181.515068] ? iterate_fd+0x3f0/0x3f0 [ 181.518841] ? fget_raw+0x20/0x20 [ 181.522322] ? __fget_light+0x297/0x380 [ 181.526275] ? exit_to_usermode_loop+0x98/0x300 [ 181.530933] exit_to_usermode_loop+0x224/0x300 [ 181.535504] ? trace_event_raw_event_sys_exit+0x260/0x260 [ 181.541049] do_syscall_64+0x5d4/0x800 [ 181.544933] ? syscall_return_slowpath+0x450/0x450 [ 181.549847] ? do_futex+0x20a0/0x20a0 [ 181.553624] ? entry_SYSCALL_64_fastpath+0x5/0xbe [ 181.558450] ? trace_hardirqs_off_thunk+0x1a/0x1c [ 181.563270] ? sys_vfork+0x30/0x30 [ 181.566791] entry_SYSCALL64_slow_path+0x25/0x25 [ 181.571518] RIP: 0033:0x4512e9 [ 181.574681] RSP: 002b:00007f2931364c08 EFLAGS: 00000216 ORIG_RAX: 0000000000000038 [ 181.582363] RAX: fffffffffffffdff RBX: 0000000000718000 RCX: 00000000004512e9 [ 181.589605] RDX: 0000000020507ffc RSI: 00000000208a8f43 RDI: 0000000000800000 [ 181.596857] RBP: 00000000000003b0 R08: 0000000020a8a000 R09: 0000000000000000 [ 181.604097] R10: 0000000020117ffc R11: 0000000000000216 R12: 00000000004b65e1 [ 181.611337] R13: 00000000ffffffff R14: 0000000000800000 R15: 00000000208a8f43 [ 181.618618] [ 181.620222] Allocated by task 26619: [ 181.623910] save_stack_trace+0x16/0x20 [ 181.627856] save_stack+0x43/0xd0 [ 181.631280] kasan_kmalloc+0xad/0xe0 [ 181.634965] kmem_cache_alloc_trace+0x12f/0x740 [ 181.639690] alloc_ldt_struct+0x52/0x140 [ 181.643806] write_ldt+0x3e9/0xac0 [ 181.647318] sys_modify_ldt+0x1ef/0x240 [ 181.651264] entry_SYSCALL_64_fastpath+0x1f/0xbe [ 181.655990] [ 181.657599] Freed by task 26619: [ 181.660936] save_stack_trace+0x16/0x20 [ 181.664881] save_stack+0x43/0xd0 [ 181.668307] kasan_slab_free+0x71/0xc0 [ 181.672168] kfree+0xca/0x250 [ 181.675244] free_ldt_struct.part.2+0xdd/0x150 [ 181.679798] destroy_context_ldt+0x60/0x80 [ 181.684006] __mmdrop+0xe9/0x530 [ 181.687347] mmput+0x541/0x6e0 [ 181.690513] copy_process.part.34+0x2315/0x4bd0 [ 181.695153] _do_fork+0x1ef/0xfb0 [ 181.698578] SyS_clone+0x37/0x50 [ 181.701916] do_syscall_64+0x26c/0x800 [ 181.705773] return_from_SYSCALL_64+0x0/0x7a [ 181.710151] [ 181.711753] The buggy address belongs to the object at ffff8801d8729780 [ 181.711753] which belongs to the cache kmalloc-32 of size 32 [ 181.724211] The buggy address is located 8 bytes inside of [ 181.724211] 32-byte region [ffff8801d8729780, ffff8801d87297a0) [ 181.735795] The buggy address belongs to the page: [ 181.740696] page:ffffea000761ca40 count:1 mapcount:0 mapping:ffff8801d8729000 index:0xffff8801d8729fc1 [ 181.750203] flags: 0x200000000000100(slab) [ 181.754411] raw: 0200000000000100 ffff8801d8729000 ffff8801d8729fc1 000000010000003f [ 181.762263] raw: ffffea000761c860 ffffea000761cb20 ffff8801dac001c0 0000000000000000 [ 181.770112] page dumped because: kasan: bad access detected [ 181.775793] [ 181.777393] Memory state around the buggy address: [ 181.782294] ffff8801d8729680: fb fb fb fb fc fc fc fc fb fb fb fb fc fc fc fc [ 181.789625] ffff8801d8729700: 00 05 fc fc fc fc fc fc fb fb fb fb fc fc fc fc [ 181.796956] >ffff8801d8729780: fb fb fb fb fc fc fc fc 00 05 fc fc fc fc fc fc [ 181.804286] ^ [ 181.807885] ffff8801d8729800: 00 00 00 00 fc fc fc fc 00 00 00 00 fc fc fc fc [ 181.815222] ffff8801d8729880: 00 00 00 00 fc fc fc fc 00 00 00 00 fc fc fc fc [ 181.822551] ================================================================== [ 181.829878] Disabling lock debugging due to kernel taint [ 181.835441] Kernel panic - not syncing: panic_on_warn set ... [ 181.835441] [ 181.842802] CPU: 1 PID: 26619 Comm: syz-executor2 Tainted: G B 4.13.0-rc4+ #34 [ 181.851286] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 181.860634] Call Trace: [ 181.863218] dump_stack+0x194/0x257 [ 181.866837] ? arch_local_irq_restore+0x53/0x53 [ 181.871484] ? trace_hardirqs_on_thunk+0x1a/0x1c [ 181.876222] ? free_ldt_struct.part.2+0xe0/0x150 [ 181.880952] panic+0x1e4/0x417 [ 181.884126] ? __warn+0x1d9/0x1d9 [ 181.887576] ? free_ldt_struct.part.2+0x10a/0x150 [ 181.892397] kasan_end_report+0x50/0x50 [ 181.896347] kasan_report+0x137/0x340 [ 181.900145] __asan_report_load4_noabort+0x14/0x20 [ 181.905048] free_ldt_struct.part.2+0x10a/0x150 [ 181.909688] ? rcu_pm_notify+0xc0/0xc0 [ 181.913552] destroy_context_ldt+0x60/0x80 [ 181.917838] __mmdrop+0xe9/0x530 [ 181.921182] ? sighand_ctor+0x50/0x50 [ 181.924973] ? trace_hardirqs_on+0xd/0x10 [ 181.929100] ? percpu_counter_add_batch+0xce/0x130 [ 181.934016] ? free_modinfo_version+0x70/0x70 [ 181.938481] ? __khugepaged_exit+0x43d/0x650 [ 181.942861] ? SyS_munmap+0x30/0x30 [ 181.946464] ? ___might_sleep+0x1/0x470 [ 181.950429] ? __might_sleep+0x95/0x190 [ 181.954382] mmput+0x541/0x6e0 [ 181.957551] ? get_task_exe_file+0xc0/0xc0 [ 181.961765] ? is_current_pgrp_orphaned+0xa0/0xa0 [ 181.966592] ? do_exit+0x979/0x1b10 [ 181.970192] ? lock_downgrade+0x990/0x990 [ 181.974323] ? do_raw_spin_trylock+0x190/0x190 [ 181.978884] ? down_read+0x96/0x150 [ 181.982488] ? do_exit+0x49c/0x1b10 [ 181.986087] ? __down_interruptible+0x6a0/0x6a0 [ 181.990729] ? trace_hardirqs_on+0xd/0x10 [ 181.994848] ? _raw_spin_unlock_irq+0x27/0x70 [ 181.999327] do_exit+0x989/0x1b10 [ 182.002757] ? debug_check_no_locks_freed+0x3c0/0x3c0 [ 182.007941] ? mm_update_next_owner+0x930/0x930 [ 182.012599] ? perf_trace_run_bpf_submit+0x1a7/0x290 [ 182.017681] ? perf_trace_run_bpf_submit+0x1a7/0x290 [ 182.022754] ? perf_trace_run_bpf_submit+0x1ae/0x290 [ 182.027835] ? perf_tp_event+0xae0/0xae0 [ 182.031875] ? memset+0x31/0x40 [ 182.035148] ? perf_trace_lock+0x3e9/0x860 [ 182.039371] ? check_noncircular+0x20/0x20 [ 182.043591] ? debug_check_no_locks_freed+0x3c0/0x3c0 [ 182.048758] ? get_futex_value_locked+0xc3/0xf0 [ 182.053412] ? find_held_lock+0x35/0x1d0 [ 182.057459] ? get_signal+0x855/0x17e0 [ 182.061320] ? lock_downgrade+0x990/0x990 [ 182.065455] do_group_exit+0x149/0x400 [ 182.069318] ? __lock_is_held+0xb6/0x140 [ 182.073353] ? SyS_exit+0x30/0x30 [ 182.076779] ? _raw_spin_unlock_irq+0x27/0x70 [ 182.081249] ? trace_hardirqs_on_caller+0x421/0x5c0 [ 182.086245] get_signal+0x7e8/0x17e0 [ 182.089982] ? ptrace_notify+0x130/0x130 [ 182.094015] ? find_held_lock+0x35/0x1d0 [ 182.098060] ? do_futex+0x781/0x20a0 [ 182.101746] ? __fget+0x333/0x570 [ 182.105173] ? lock_downgrade+0x990/0x990 [ 182.109302] ? lock_release+0xa40/0xa40 [ 182.113270] do_signal+0x94/0x1ee0 [ 182.116794] ? _do_fork+0x1ef/0xfb0 [ 182.120392] ? _do_fork+0x2dc/0xfb0 [ 182.124005] ? setup_sigcontext+0x7d0/0x7d0 [ 182.128303] ? fork_idle+0x2d0/0x2d0 [ 182.131986] ? iterate_fd+0x3f0/0x3f0 [ 182.135757] ? fget_raw+0x20/0x20 [ 182.139224] ? __fget_light+0x297/0x380 [ 182.143172] ? exit_to_usermode_loop+0x98/0x300 [ 182.147825] exit_to_usermode_loop+0x224/0x300 [ 182.152385] ? trace_event_raw_event_sys_exit+0x260/0x260 [ 182.157914] do_syscall_64+0x5d4/0x800 [ 182.161781] ? syscall_return_slowpath+0x450/0x450 [ 182.166689] ? do_futex+0x20a0/0x20a0 [ 182.170898] ? entry_SYSCALL_64_fastpath+0x5/0xbe [ 182.175722] ? trace_hardirqs_off_thunk+0x1a/0x1c [ 182.180548] ? sys_vfork+0x30/0x30 [ 182.184068] entry_SYSCALL64_slow_path+0x25/0x25 [ 182.188795] RIP: 0033:0x4512e9 [ 182.191965] RSP: 002b:00007f2931364c08 EFLAGS: 00000216 ORIG_RAX: 0000000000000038 [ 182.199647] RAX: fffffffffffffdff RBX: 0000000000718000 RCX: 00000000004512e9 [ 182.206887] RDX: 0000000020507ffc RSI: 00000000208a8f43 RDI: 0000000000800000