INIT: Entering runlevel: 2
[info] Using makefile-style concurrent boot in runlevel 2.
[ ok ] Starting enhanced syslogd: rsyslogd.
[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.

Debian GNU/Linux 7 syzkaller ttyS0

Warning: Permanently added 'ci-upstream-kasan-gce-2,10.128.0.45' (ECDSA) to the list of known hosts.
executing program

syzkaller login: 
[   35.824586] ==================================================================
[   35.825986] BUG: KASAN: use-after-free in free_ldt_struct.part.2+0x10a/0x150
[   35.826945] Read of size 4 at addr ffff8801c6431488 by task syzkaller341978/6858
[   35.828161] 
[   35.828407] CPU: 1 PID: 6858 Comm: syzkaller341978 Not tainted 4.13.0-rc6+ #44
[   35.829771] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   35.831035] Call Trace:
[   35.831424]  dump_stack+0x194/0x257
[   35.831928]  ? arch_local_irq_restore+0x53/0x53
[   35.832566]  ? show_regs_print_info+0x65/0x65
[   35.833211]  ? free_ldt_struct.part.2+0x10a/0x150
[   35.833879]  print_address_description+0x73/0x250
[   35.834640]  ? free_ldt_struct.part.2+0x10a/0x150
[   35.835530]  kasan_report+0x24e/0x340
[   35.836067]  __asan_report_load4_noabort+0x14/0x20
[   35.836755]  free_ldt_struct.part.2+0x10a/0x150
[   35.837423]  ? rcu_pm_notify+0xc0/0xc0
[   35.838283]  destroy_context_ldt+0x60/0x80
[   35.838950]  __mmdrop+0xe9/0x530
[   35.839531]  ? sighand_ctor+0x50/0x50
[   35.840163]  ? trace_hardirqs_on+0xd/0x10
[   35.841248]  ? percpu_counter_add_batch+0xce/0x130
[   35.841945]  ? free_modinfo_version+0x70/0x70
[   35.842653]  ? __khugepaged_exit+0x43d/0x650
[   35.843292]  ? SyS_munmap+0x30/0x30
[   35.843825]  ? ___might_sleep+0x1/0x470
[   35.844453]  ? __might_sleep+0x95/0x190
[   35.847204]  mmput+0x541/0x6e0
[   35.850388]  ? get_task_exe_file+0xc0/0xc0
[   35.854624]  ? is_current_pgrp_orphaned+0xa0/0xa0
[   35.859545]  ? do_exit+0x979/0x1b10
[   35.863168]  ? lock_downgrade+0x990/0x990
[   35.867319]  ? do_raw_spin_trylock+0x190/0x190
executing program
[   35.871911]  ? down_read+0x96/0x150
[   35.875526]  ? do_exit+0x49c/0x1b10
[   35.879162]  ? __down_interruptible+0x6a0/0x6a0
[   35.883824]  ? trace_hardirqs_on+0xd/0x10
[   35.887962]  ? _raw_spin_unlock_irq+0x27/0x70
[   35.892463]  do_exit+0x989/0x1b10
[   35.895913]  ? debug_check_no_locks_freed+0x3c0/0x3c0
[   35.901119]  ? mm_update_next_owner+0x930/0x930
[   35.905805]  ? __cleanup_sighand+0x40/0x40
[   35.910053]  ? trace_hardirqs_on_caller+0x421/0x5c0
[   35.915073]  ? trace_hardirqs_on_caller+0x421/0x5c0
[   35.920088]  ? trace_hardirqs_on+0xd/0x10
executing program
[   35.924241]  ? perf_trace_lock+0xf1/0x860
[   35.928396]  ? check_noncircular+0x20/0x20
[   35.932644]  ? drain_local_pages_wq+0x20/0x20
[   35.937183]  ? find_held_lock+0x35/0x1d0
[   35.941253]  ? get_signal+0x855/0x17e0
[   35.945143]  ? lock_downgrade+0x990/0x990
[   35.949310]  do_group_exit+0x149/0x400
[   35.953201]  ? __lock_is_held+0xb6/0x140
[   35.957287]  ? SyS_exit+0x30/0x30
[   35.960731]  ? _raw_spin_unlock_irq+0x27/0x70
[   35.966617]  ? trace_hardirqs_on_caller+0x421/0x5c0
[   35.971632]  get_signal+0x7e8/0x17e0
[   35.975397]  ? ptrace_notify+0x130/0x130
[   35.979499]  ? perf_trace_lock+0xf1/0x860
[   35.983665]  ? check_noncircular+0x20/0x20
[   35.987907]  do_signal+0x94/0x1ee0
[   35.991456]  ? _do_fork+0x1ef/0xfb0
[   35.995071]  ? _do_fork+0x2dc/0xfb0
[   35.998696]  ? setup_sigcontext+0x7d0/0x7d0
[   36.003012]  ? fork_idle+0x2d0/0x2d0
[   36.006717]  ? find_held_lock+0x35/0x1d0
[   36.010790]  ? kprobe_flush_task+0x1a3/0x5d0
[   36.015216]  ? do_raw_spin_trylock+0x190/0x190
[   36.019805]  ? find_held_lock+0x35/0x1d0
executing program
[   36.023871]  ? exit_to_usermode_loop+0x98/0x300
[   36.028561]  exit_to_usermode_loop+0x224/0x300
[   36.033149]  ? trace_event_raw_event_sys_exit+0x260/0x260
[   36.038702]  do_syscall_64+0x5d4/0x800
[   36.042595]  ? syscall_return_slowpath+0x450/0x450
[   36.047520]  ? syscall_return_slowpath+0x22f/0x450
[   36.052436]  ? prepare_exit_to_usermode+0x220/0x220
[   36.057450]  ? entry_SYSCALL_64_fastpath+0x5/0xbe
[   36.062295]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   36.067129]  ? sys_vfork+0x30/0x30
[   36.070675]  entry_SYSCALL64_slow_path+0x25/0x25
[   36.075506] RIP: 0033:0x44a129
[   36.078684] RSP: 002b:00007f353c050dc8 EFLAGS: 00000202 ORIG_RAX: 0000000000000038
[   36.086384] RAX: fffffffffffffdff RBX: 0000000000000000 RCX: 000000000044a129
[   36.093648] RDX: 0000000020507ffc RSI: 00000000208a8f43 RDI: 0000000000800000
[   36.100912] RBP: 0000000000000000 R08: 0000000020a8a000 R09: 00007f353c051700
[   36.108175] R10: 0000000020117ffc R11: 0000000000000202 R12: 0000000000000000
[   36.115448] R13: 00007fffa12bd83f R14: 00007f353c0519c0 R15: 0000000000000000
[   36.122755] 
executing program
[   36.124373] Allocated by task 6818:
[   36.128010]  save_stack_trace+0x16/0x20
[   36.131984]  save_stack+0x43/0xd0
[   36.135519]  kasan_kmalloc+0xad/0xe0
[   36.139223]  kmem_cache_alloc_trace+0x12f/0x740
[   36.143884]  alloc_ldt_struct+0x52/0x140
[   36.147932]  write_ldt+0x3e9/0xac0
[   36.151458]  sys_modify_ldt+0x1ef/0x240
[   36.155422]  entry_SYSCALL_64_fastpath+0x1f/0xbe
[   36.160158] 
[   36.161782] Freed by task 6858:
[   36.165053]  save_stack_trace+0x16/0x20
[   36.169004]  save_stack+0x43/0xd0
[   36.172445]  kasan_slab_free+0x71/0xc0
executing program
[   36.176318]  kfree+0xca/0x250
[   36.179412]  free_ldt_struct.part.2+0xdd/0x150
[   36.183980]  destroy_context_ldt+0x60/0x80
[   36.188212]  __mmdrop+0xe9/0x530
[   36.191576]  mmput+0x541/0x6e0
[   36.194766]  copy_process.part.34+0x2315/0x4bd0
[   36.199426]  _do_fork+0x1ef/0xfb0
[   36.202869]  SyS_clone+0x37/0x50
[   36.206224]  do_syscall_64+0x26c/0x800
[   36.210102]  return_from_SYSCALL_64+0x0/0x7a
[   36.214490] 
[   36.216105] The buggy address belongs to the object at ffff8801c6431480
executing program
[   36.216105]  which belongs to the cache kmalloc-32 of size 32
[   36.228577] The buggy address is located 8 bytes inside of
[   36.228577]  32-byte region [ffff8801c6431480, ffff8801c64314a0)
[   36.240179] The buggy address belongs to the page:
[   36.245109] page:ffffea0007190c40 count:1 mapcount:0 mapping:ffff8801c6431000 index:0xffff8801c6431fc1
[   36.254557] flags: 0x200000000000100(slab)
[   36.258784] raw: 0200000000000100 ffff8801c6431000 ffff8801c6431fc1 000000010000003f
[   36.266657] raw: ffffea0007193b20 ffffea0007190ba0 ffff8801dac001c0 0000000000000000
executing program
[   36.274530] page dumped because: kasan: bad access detected
[   36.280225] 
[   36.281832] Memory state around the buggy address:
[   36.286748]  ffff8801c6431380: fb fb fb fb fc fc fc fc fb fb fb fb fc fc fc fc
[   36.294102]  ffff8801c6431400: fb fb fb fb fc fc fc fc fb fb fb fb fc fc fc fc
[   36.301455] >ffff8801c6431480: fb fb fb fb fc fc fc fc fb fb fb fb fc fc fc fc
[   36.308808]                       ^
[   36.312424]  ffff8801c6431500: fb fb fb fb fc fc fc fc fb fb fb fb fc fc fc fc
[   36.319777]  ffff8801c6431580: fb fb fb fb fc fc fc fc fb fb fb fb fc fc fc fc
executing program
[   36.327122] ==================================================================
[   36.334489] Disabling lock debugging due to kernel taint
[   36.339999] Kernel panic - not syncing: panic_on_warn set ...
[   36.339999] 
[   36.347361] CPU: 1 PID: 6858 Comm: syzkaller341978 Tainted: G    B           4.13.0-rc6+ #44
[   36.355929] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   36.365284] Call Trace:
[   36.367874]  dump_stack+0x194/0x257
[   36.371511]  ? arch_local_irq_restore+0x53/0x53
executing program
[   36.376175]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[   36.380949]  ? free_ldt_struct.part.2+0x30/0x150
[   36.385717]  panic+0x1e4/0x417
[   36.388918]  ? __warn+0x1d9/0x1d9
[   36.392379]  ? free_ldt_struct.part.2+0x10a/0x150
[   36.397212]  kasan_end_report+0x50/0x50
[   36.401179]  kasan_report+0x137/0x340
[   36.404974]  __asan_report_load4_noabort+0x14/0x20
[   36.409893]  free_ldt_struct.part.2+0x10a/0x150
[   36.414552]  ? rcu_pm_notify+0xc0/0xc0
[   36.418438]  destroy_context_ldt+0x60/0x80
[   36.422663]  __mmdrop+0xe9/0x530
executing program
[   36.426023]  ? sighand_ctor+0x50/0x50
[   36.429809]  ? trace_hardirqs_on+0xd/0x10
[   36.433949]  ? percpu_counter_add_batch+0xce/0x130
[   36.438872]  ? free_modinfo_version+0x70/0x70
[   36.443351]  ? __khugepaged_exit+0x43d/0x650
[   36.447758]  ? SyS_munmap+0x30/0x30
[   36.451383]  ? ___might_sleep+0x1/0x470
[   36.455393]  ? __might_sleep+0x95/0x190
[   36.459377]  mmput+0x541/0x6e0
[   36.462568]  ? get_task_exe_file+0xc0/0xc0
[   36.466800]  ? is_current_pgrp_orphaned+0xa0/0xa0
[   36.471644]  ? do_exit+0x979/0x1b10
executing program
[   36.475279]  ? lock_downgrade+0x990/0x990
[   36.479423]  ? do_raw_spin_trylock+0x190/0x190
[   36.484000]  ? down_read+0x96/0x150
[   36.487639]  ? do_exit+0x49c/0x1b10
[   36.491431]  ? __down_interruptible+0x6a0/0x6a0
[   36.496171]  ? trace_hardirqs_on+0xd/0x10
[   36.500305]  ? _raw_spin_unlock_irq+0x27/0x70
[   36.504806]  do_exit+0x989/0x1b10
[   36.508268]  ? debug_check_no_locks_freed+0x3c0/0x3c0
[   36.513551]  ? mm_update_next_owner+0x930/0x930
[   36.518230]  ? __cleanup_sighand+0x40/0x40
[   36.522564]  ? trace_hardirqs_on_caller+0x421/0x5c0
executing program
[   36.527576]  ? trace_hardirqs_on_caller+0x421/0x5c0
[   36.532592]  ? trace_hardirqs_on+0xd/0x10
[   36.536758]  ? perf_trace_lock+0xf1/0x860
[   36.540905]  ? check_noncircular+0x20/0x20
[   36.545156]  ? drain_local_pages_wq+0x20/0x20
[   36.549661]  ? find_held_lock+0x35/0x1d0
[   36.553721]  ? get_signal+0x855/0x17e0
[   36.557596]  ? lock_downgrade+0x990/0x990
[   36.561742]  do_group_exit+0x149/0x400
[   36.565618]  ? __lock_is_held+0xb6/0x140
[   36.569678]  ? SyS_exit+0x30/0x30
[   36.573126]  ? _raw_spin_unlock_irq+0x27/0x70
executing program
[   36.577614]  ? trace_hardirqs_on_caller+0x421/0x5c0
[   36.582626]  get_signal+0x7e8/0x17e0
[   36.586366]  ? ptrace_notify+0x130/0x130
[   36.590433]  ? perf_trace_lock+0xf1/0x860
[   36.594577]  ? check_noncircular+0x20/0x20
[   36.598808]  do_signal+0x94/0x1ee0
[   36.602347]  ? _do_fork+0x1ef/0xfb0
[   36.606052]  ? _do_fork+0x2dc/0xfb0
[   36.609669]  ? setup_sigcontext+0x7d0/0x7d0
[   36.613974]  ? fork_idle+0x2d0/0x2d0
[   36.617809]  ? find_held_lock+0x35/0x1d0
[   36.621871]  ? kprobe_flush_task+0x1a3/0x5d0
executing program
[   36.626293]  ? do_raw_spin_trylock+0x190/0x190
[   36.630865]  ? find_held_lock+0x35/0x1d0
[   36.634919]  ? exit_to_usermode_loop+0x98/0x300
[   36.639599]  exit_to_usermode_loop+0x224/0x300
[   36.644174]  ? trace_event_raw_event_sys_exit+0x260/0x260
[   36.649713]  do_syscall_64+0x5d4/0x800
[   36.653599]  ? syscall_return_slowpath+0x450/0x450
[   36.658520]  ? syscall_return_slowpath+0x22f/0x450
[   36.663452]  ? prepare_exit_to_usermode+0x220/0x220
[   36.668463]  ? entry_SYSCALL_64_fastpath+0x5/0xbe
[   36.673296]  ? trace_hardirqs_off_thunk+0x1a/0x1c
executing program
[   36.678137]  ? sys_vfork+0x30/0x30
[   36.681667]  entry_SYSCALL64_slow_path+0x25/0x25
[   36.686406] RIP: 0033:0x44a129
[   36.689672] RSP: 002b:00007f353c050dc8 EFLAGS: 00000202 ORIG_RAX: 0000000000000038
[   36.697369] RAX: fffffffffffffdff RBX: 0000000000000000 RCX: 000000000044a129
[   36.704628] RDX: 0000000020507ffc RSI: 00000000208a8f43 RDI: 0000000000800000
[   36.711885] RBP: 0000000000000000 R08: 0000000020a8a000 R09: 00007f353c051700
[   36.719145] R10: 0000000020117ffc R11: 0000000000000202 R12: 0000000000000000
[   36.726421] R13: 00007fffa12bd83f R14: 00007f353c0519c0 R15: 0000000000000000
[   36.734142] Dumping ftrace buffer:
[   36.737653]    (ftrace buffer empty)
[   36.741328] Kernel Offset: disabled
[   36.744921] Rebooting in 86400 seconds..