INIT: Entering runlevel: 2
[info] Using makefile-style concurrent boot in runlevel 2.
[....] Starting enhanced syslogd: rsyslogd [ ok ].
[....] Starting periodic command scheduler: cron [ ok ].
[....] Starting OpenBSD Secure Shell server: sshd [ ok ].

Debian GNU/Linux 7 syzkaller ttyS0

Warning: Permanently added 'ci-upstream-next-kasan-gce-6,10.128.0.44' (ECDSA) to the list of known hosts.
2017/08/16 09:49:46 parsed 1 programs
2017/08/16 09:49:46 executed programs: 0

syzkaller login: [ 27.440267] ==================================================================
[ 27.447690] BUG: KASAN: use-after-free in free_ldt_struct.part.2+0x10a/0x150
[ 27.454843] Read of size 4 at addr ffff8801dadf5b48 by task syz-execprog/3039
[ 27.462090]
[ 27.463688] CPU: 0 PID: 3039 Comm: syz-execprog Not tainted 4.13.0-rc5-next-20170816+ #4
[ 27.471878] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 27.481201] Call Trace:
[ 27.483764]  dump_stack+0x194/0x257
[ 27.487364]  ? arch_local_irq_restore+0x53/0x53
[ 27.492003]  ? show_regs_print_info+0x65/0x65
[ 27.496469]  ? __lock_is_held+0xb6/0x140
[ 27.500498]  ? free_ldt_struct.part.2+0x10a/0x150
[ 27.505321]  print_address_description+0x73/0x250
[ 27.510129]  ? free_ldt_struct.part.2+0x10a/0x150
[ 27.515377]  kasan_report+0x24e/0x340
[ 27.519146]  __asan_report_load4_noabort+0x14/0x20
[ 27.524804]  free_ldt_struct.part.2+0x10a/0x150
[ 27.529445]  destroy_context_ldt+0x60/0x80
[ 27.533649]  __mmdrop+0xe9/0x530
[ 27.536981]  ? find_held_lock+0x35/0x1d0
[ 27.541007]  ? sighand_ctor+0x50/0x50
[ 27.544784]  ? finish_task_switch+0x1d3/0x740
[ 27.549245]  ? lock_downgrade+0x990/0x990
[ 27.553364]  ? do_raw_spin_trylock+0x190/0x190
[ 27.557910]  ? lock_release+0xa40/0xa40
[ 27.561882]  ? compat_start_thread+0x80/0x80
[ 27.566279]  ? _raw_spin_unlock_irq+0x27/0x70
[ 27.570749]  ? trace_hardirqs_on_caller+0x421/0x5c0
[ 27.575743]  finish_task_switch+0x456/0x740
[ 27.580040]  ? preempt_notifier_dec+0x20/0x20
[ 27.584513]  __schedule+0x8f0/0x2070
[ 27.588212]  ? __sched_text_start+0x8/0x8
[ 27.592338]  ? debug_check_no_locks_freed+0x3c0/0x3c0
[ 27.597498]  ? trace_hardirqs_on_caller+0x421/0x5c0
[ 27.602489]  ? mutex_unlock+0xd/0x10
[ 27.606179]  schedule+0x108/0x440
[ 27.609605]  ? ep_eventpoll_release+0x60/0x60
[ 27.614066]  ? __schedule+0x2070/0x2070
[ 27.618019]  ? mark_wake_futex+0xc0/0x1c0
[ 27.622146]  ? hash_futex+0x15/0x210
[ 27.625825]  ? drop_futex_key_refs.isra.13+0x63/0xb0
[ 27.630903]  schedule_hrtimeout_range_clock+0x681/0x810
[ 27.636242]  ? hrtimer_nanosleep_restart+0x4f0/0x4f0
[ 27.641315]  ? ep_poll+0xa1a/0x11a0
[ 27.644911]  ? lock_downgrade+0x990/0x990
[ 27.649038]  ? do_raw_spin_trylock+0x190/0x190
[ 27.653591]  ? trace_hardirqs_on_caller+0x421/0x5c0
[ 27.658576]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 27.663304]  ? _raw_spin_unlock_irqrestore+0x31/0xba
[ 27.668381]  schedule_hrtimeout_range+0x2a/0x40
[ 27.673026]  ep_poll+0xa2f/0x11a0
[ 27.676448]  ? find_held_lock+0x35/0x1d0
[ 27.680485]  ? ep_send_events_proc+0xe80/0xe80
[ 27.685044]  ? lock_release+0xa40/0xa40
[ 27.688994]  ? __lock_is_held+0xb6/0x140
[ 27.693045]  ? __fget+0x35c/0x570
[ 27.696474]  ? iterate_fd+0x3f0/0x3f0
[ 27.700249]  ? find_held_lock+0x35/0x1d0
[ 27.704287]  ? __do_page_fault+0x51b/0xb60
[ 27.708493]  ? __fget_light+0x297/0x380
[ 27.712434]  ? fget_raw+0x20/0x20
[ 27.715860]  ? SyS_futex+0x260/0x390
[ 27.719536]  ? SyS_futex+0x269/0x390
[ 27.723225]  ? wake_up_q+0xe0/0xe0
[ 27.726739]  ? entry_SYSCALL_64_fastpath+0x5/0xbe
[ 27.731557]  SyS_epoll_wait+0x167/0x1c0
[ 27.735507]  entry_SYSCALL_64_fastpath+0x1f/0xbe
[ 27.740239] RIP: 0033:0x457999
[ 27.743395] RSP: 002b:000000c420031850 EFLAGS: 00000246 ORIG_RAX: 00000000000000e8
[ 27.751084] RAX: ffffffffffffffda RBX: 00000000ffffffff RCX: 0000000000457999
[ 27.758336] RDX: 0000000000000080 RSI: 000000c420031890 RDI: 0000000000000004
[ 27.765580] RBP: 0000000000000086 R08: 0000000000000003 R09: 000000c420000900
[ 27.772819] R10: 00000000ffffffff R11: 0000000000000246 R12: 000000c4204477d0
[ 27.780056] R13: 0000000000699fb0 R14: 00000000004550b0 R15: 0000000000000000
[ 27.787310]
[ 27.788904] Allocated by task 3576:
[ 27.792504]  save_stack_trace+0x16/0x20
[ 27.796445]  save_stack+0x43/0xd0
[ 27.799863]  kasan_kmalloc+0xad/0xe0
[ 27.803541]  kmem_cache_alloc_trace+0x136/0x750
[ 27.808175]  alloc_ldt_struct+0x52/0x140
[ 27.812212]  write_ldt+0x3ea/0xab0
[ 27.815716]  sys_modify_ldt+0x1ef/0x240
[ 27.819670]  entry_SYSCALL_64_fastpath+0x1f/0xbe
[ 27.824388]
[ 27.825982] Freed by task 3576:
[ 27.829227]  save_stack_trace+0x16/0x20
[ 27.833174]  save_stack+0x43/0xd0
[ 27.836597]  kasan_slab_free+0x71/0xc0
[ 27.840456]  kfree+0xca/0x250
[ 27.843527]  free_ldt_struct.part.2+0xdd/0x150
[ 27.848073]  destroy_context_ldt+0x60/0x80
[ 27.852274]  __mmdrop+0xe9/0x530
[ 27.855604]  mmput+0x541/0x6e0
[ 27.858763]  copy_process.part.36+0x22e1/0x4af0
[ 27.863395]  _do_fork+0x1ef/0xfb0
[ 27.866812]  SyS_clone+0x37/0x50
[ 27.870143]  do_syscall_64+0x26c/0x8c0
[ 27.873996]  return_from_SYSCALL_64+0x0/0x7a
[ 27.878370]
[ 27.879965] The buggy address belongs to the object at ffff8801dadf5b40
[ 27.879965]  which belongs to the cache kmalloc-32 of size 32
[ 27.892411] The buggy address is located 8 bytes inside of
[ 27.892411]  32-byte region [ffff8801dadf5b40, ffff8801dadf5b60)
[ 27.903992] The buggy address belongs to the page:
[ 27.908890] page:ffffea00076b7d40 count:1 mapcount:0 mapping:ffff8801dadf5000 index:0xffff8801dadf5fc1
[ 27.918301] flags: 0x200000000000100(slab)
[ 27.922502] raw: 0200000000000100 ffff8801dadf5000 ffff8801dadf5fc1 0000000100000039
[ 27.930349] raw: ffffea0007610f60 ffff8801dac01238 ffff8801dac001c0 0000000000000000
[ 27.938195] page dumped because: kasan: bad access detected
[ 27.943883]
[ 27.945475] Memory state around the buggy address:
[ 27.950369]  ffff8801dadf5a00: fb fb fb fb fc fc fc fc fb fb fb fb fc fc fc fc
[ 27.957695]  ffff8801dadf5a80: 00 03 fc fc fc fc fc fc 00 03 fc fc fc fc fc fc
[ 27.965023] >ffff8801dadf5b00: 00 03 fc fc fc fc fc fc fb fb fb fb fc fc fc fc
[ 27.972348]                                               ^
[ 27.978026]  ffff8801dadf5b80: fb fb fb fb fc fc fc fc fb fb fb fb fc fc fc fc
[ 27.985352]  ffff8801dadf5c00: 00 00 00 fc fc fc fc fc fb fb fb fb fc fc fc fc
[ 27.992673] ==================================================================
[ 27.999996] Disabling lock debugging due to kernel taint
[ 28.005483] Kernel panic - not syncing: panic_on_warn set ...
[ 28.005483]
[ 28.012823] CPU: 0 PID: 3039 Comm: syz-execprog Tainted: G B 4.13.0-rc5-next-20170816+ #4
[ 28.022230] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 28.031549] Call Trace:
[ 28.034105]  dump_stack+0x194/0x257
[ 28.037701]  ? arch_local_irq_restore+0x53/0x53
[ 28.042334]  ? kasan_end_report+0x32/0x50
[ 28.046447]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 28.051167]  ? free_ldt_struct.part.2+0xf0/0x150
[ 28.055897]  panic+0x1e4/0x417
[ 28.059062]  ? __warn+0x1d9/0x1d9
[ 28.062486]  ? free_ldt_struct.part.2+0x10a/0x150
[ 28.067293]  kasan_end_report+0x50/0x50
[ 28.071232]  kasan_report+0x137/0x340
[ 28.075001]  __asan_report_load4_noabort+0x14/0x20
[ 28.079900]  free_ldt_struct.part.2+0x10a/0x150
[ 28.084534]  destroy_context_ldt+0x60/0x80
[ 28.088732]  __mmdrop+0xe9/0x530
[ 28.092071]  ? find_held_lock+0x35/0x1d0
[ 28.096098]  ? sighand_ctor+0x50/0x50
[ 28.099876]  ? finish_task_switch+0x1d3/0x740
[ 28.104336]  ? lock_downgrade+0x990/0x990
[ 28.108451]  ? do_raw_spin_trylock+0x190/0x190
[ 28.112996]  ? lock_release+0xa40/0xa40
[ 28.116939]  ? compat_start_thread+0x80/0x80
[ 28.121317]  ? _raw_spin_unlock_irq+0x27/0x70
[ 28.125778]  ? trace_hardirqs_on_caller+0x421/0x5c0
[ 28.130760]  finish_task_switch+0x456/0x740
[ 28.135049]  ? preempt_notifier_dec+0x20/0x20
[ 28.139526]  __schedule+0x8f0/0x2070
[ 28.143209]  ? __sched_text_start+0x8/0x8
[ 28.147328]  ? debug_check_no_locks_freed+0x3c0/0x3c0
[ 28.152485]  ? trace_hardirqs_on_caller+0x421/0x5c0
[ 28.157470]  ? mutex_unlock+0xd/0x10
[ 28.161154]  schedule+0x108/0x440
[ 28.164579]  ? ep_eventpoll_release+0x60/0x60
[ 28.169043]  ? __schedule+0x2070/0x2070
[ 28.172983]  ? mark_wake_futex+0xc0/0x1c0
[ 28.177098]  ? hash_futex+0x15/0x210
[ 28.180776]  ? drop_futex_key_refs.isra.13+0x63/0xb0
[ 28.185849]  schedule_hrtimeout_range_clock+0x681/0x810
[ 28.191185]  ? hrtimer_nanosleep_restart+0x4f0/0x4f0
[ 28.196254]  ? ep_poll+0xa1a/0x11a0
[ 28.199855]  ? lock_downgrade+0x990/0x990
[ 28.203981]  ? do_raw_spin_trylock+0x190/0x190
[ 28.208527]  ? trace_hardirqs_on_caller+0x421/0x5c0
[ 28.213508]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 28.218232]  ? _raw_spin_unlock_irqrestore+0x31/0xba
[ 28.223303]  schedule_hrtimeout_range+0x2a/0x40
[ 28.227939]  ep_poll+0xa2f/0x11a0
[ 28.231356]  ? find_held_lock+0x35/0x1d0
[ 28.235389]  ? ep_send_events_proc+0xe80/0xe80
[ 28.239937]  ? lock_release+0xa40/0xa40
[ 28.243878]  ? __lock_is_held+0xb6/0x140
[ 28.247910]  ? __fget+0x35c/0x570
[ 28.251331]  ? iterate_fd+0x3f0/0x3f0
[ 28.255101]  ? find_held_lock+0x35/0x1d0
[ 28.259138]  ? __do_page_fault+0x51b/0xb60
[ 28.263346]  ? __fget_light+0x297/0x380
[ 28.267290]  ? fget_raw+0x20/0x20
[ 28.270710]  ? SyS_futex+0x260/0x390
[ 28.274392]  ? SyS_futex+0x269/0x390
[ 28.278080]  ? wake_up_q+0xe0/0xe0
[ 28.281590]  ? entry_SYSCALL_64_fastpath+0x5/0xbe
[ 28.286399]  SyS_epoll_wait+0x167/0x1c0
[ 28.290345]  entry_SYSCALL_64_fastpath+0x1f/0xbe
[ 28.295066] RIP: 0033:0x457999
[ 28.298230] RSP: 002b:000000c420031850 EFLAGS: 00000246 ORIG_RAX: 00000000000000e8
[ 28.305902] RAX: ffffffffffffffda RBX: 00000000ffffffff RCX: 0000000000457999
[ 28.313137] RDX: 0000000000000080 RSI: 000000c420031890 RDI: 0000000000000004
[ 28.320373] RBP: 0000000000000086 R08: 0000000000000003 R09: 000000c420000900
[ 28.327609] R10: 00000000ffffffff R11: 0000000000000246 R12: 000000c4204477d0
[ 28.334844] R13: 0000000000699fb0 R14: 00000000004550b0 R15: 0000000000000000
[ 28.342551] Dumping ftrace buffer:
[ 28.346059]    (ftrace buffer empty)
[ 28.349733] Kernel Offset: disabled
[ 28.353333] Rebooting in 86400 seconds..