INIT: Entering runlevel: 2 [info] Using makefile-style concurrent boot in runlevel 2. [ ok ] Starting enhanced syslogd: rsyslogd. [ ok ] Starting periodic command scheduler: cron. [ ok ] Starting OpenBSD Secure Shell server: sshd. Debian GNU/Linux 7 syzkaller ttyS0 Warning: Permanently added 'ci-upstream-kasan-gce-386-3,10.128.0.33' (ECDSA) to the list of known hosts. 2017/10/04 05:07:10 parsed 1 programs 2017/10/04 05:07:10 executed programs: 0 syzkaller login: [ 55.792234] ================================================================== [ 55.793380] BUG: KASAN: use-after-free in __lock_acquire+0x407b/0x4620 [ 55.794295] Read of size 8 at addr ffff8801cccdc3e8 by task syz-executor4/3431 [ 55.795269] [ 55.795502] CPU: 1 PID: 3431 Comm: syz-executor4 Not tainted 4.14.0-rc3+ #23 [ 55.796442] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 55.797729] Call Trace: [ 55.798091] dump_stack+0x194/0x257 [ 55.798578] ? arch_local_irq_restore+0x53/0x53 [ 55.799198] ? show_regs_print_info+0x65/0x65 [ 55.799796] ? __kernel_text_address+0xd/0x40 [ 55.800404] ? __lock_acquire+0x407b/0x4620 [ 55.801006] print_address_description+0x73/0x250 [ 55.801699] ? __lock_acquire+0x407b/0x4620 [ 55.802307] kasan_report+0x25b/0x340 [ 55.802836] __asan_report_load8_noabort+0x14/0x20 [ 55.803523] __lock_acquire+0x407b/0x4620 [ 55.804089] ? unwind_dump+0x4c0/0x4c0 [ 55.804652] ? __kernel_text_address+0xd/0x40 [ 55.805275] ? unwind_get_return_address+0x61/0xa0 [ 55.805935] ? debug_check_no_locks_freed+0x3d0/0x3d0 [ 55.806641] ? __save_stack_trace+0x61/0xd0 [ 55.807245] ? get_signal+0x73f/0x16d0 [ 55.807775] ? save_stack_trace+0x16/0x20 [ 55.808347] ? __lock_acquire+0x20fd/0x4620 [ 55.808929] ? debug_check_no_locks_freed+0x3d0/0x3d0 [ 55.809620] ? debug_check_no_locks_freed+0x3d0/0x3d0 [ 55.810312] ? save_stack_trace+0x16/0x20 [ 55.810864] ? 
__lock_acquire+0x20fd/0x4620 [ 55.811456] ? osq_unlock+0x350/0x350 [ 55.811967] ? save_stack_trace+0x16/0x20 [ 55.814379] ? check_noncircular+0x20/0x20 [ 55.818580] ? debug_check_no_locks_freed+0x3d0/0x3d0 [ 55.823740] ? debug_check_no_locks_freed+0x3d0/0x3d0 [ 55.828896] ? print_usage_bug+0x480/0x480 [ 55.833095] ? __unwind_start+0x169/0x330 [ 55.837212] ? find_held_lock+0x39/0x1d0 [ 55.841245] ? lock_downgrade+0x990/0x990 [ 55.845357] ? check_noncircular+0x20/0x20 [ 55.849564] lock_acquire+0x1d5/0x580 [ 55.853334] ? exit_pi_state_list+0x369/0x7a0 [ 55.857897] ? lock_release+0xd70/0xd70 [ 55.861840] ? do_raw_spin_trylock+0x190/0x190 [ 55.866395] ? find_held_lock+0x39/0x1d0 [ 55.870432] _raw_spin_lock_irq+0x5e/0x80 [ 55.874548] ? exit_pi_state_list+0x369/0x7a0 [ 55.879011] exit_pi_state_list+0x369/0x7a0 [ 55.883304] ? futex_wait_requeue_pi.constprop.19+0x1300/0x1300 [ 55.889330] ? lock_release+0xd70/0xd70 [ 55.893277] ? check_same_owner+0x320/0x320 [ 55.897574] ? _raw_spin_unlock_irqrestore+0x31/0xba [ 55.902644] ? __might_sleep+0x95/0x190 [ 55.906589] ? __might_fault+0x188/0x1d0 [ 55.910617] ? do_raw_spin_trylock+0x190/0x190 [ 55.915170] mm_release+0x46d/0x590 [ 55.918762] ? do_raw_spin_trylock+0x190/0x190 [ 55.923313] ? mm_access+0x140/0x140 [ 55.926993] ? _raw_spin_unlock_irq+0x27/0x70 [ 55.931466] ? trace_hardirqs_on_caller+0x421/0x5c0 [ 55.936453] ? trace_hardirqs_on+0xd/0x10 [ 55.940575] ? _raw_spin_unlock_irq+0x27/0x70 [ 55.945040] ? acct_collect+0x637/0x800 [ 55.948984] do_exit+0x481/0x1af0 [ 55.952405] ? mm_update_next_owner+0x930/0x930 [ 55.957041] ? lock_downgrade+0x990/0x990 [ 55.961161] ? refill_pi_state_cache.part.6+0x2f0/0x2f0 [ 55.966505] ? futex_wait+0x3ad/0x990 [ 55.970274] ? do_raw_spin_trylock+0x190/0x190 [ 55.974822] ? fault_in_user_writeable+0x90/0x90 [ 55.979545] ? futex_wake+0x680/0x680 [ 55.983310] ? fault_in_user_writeable+0x90/0x90 [ 55.988032] ? check_noncircular+0x20/0x20 [ 55.992233] ? 
drop_futex_key_refs.isra.13+0x63/0xb0 [ 55.997302] ? futex_wait+0x69e/0x990 [ 56.001067] ? futex_wait_setup+0x3d0/0x3d0 [ 56.005356] ? find_held_lock+0x39/0x1d0 [ 56.009384] ? lock_downgrade+0x990/0x990 [ 56.013497] ? recalc_sigpending_tsk+0x117/0x150 [ 56.018223] ? recalc_sigpending+0x103/0x160 [ 56.022597] ? recalc_sigpending_tsk+0x150/0x150 [ 56.027315] ? get_signal+0x2b2/0x16d0 [ 56.031170] do_group_exit+0x149/0x400 [ 56.035033] ? __lock_is_held+0xbc/0x140 [ 56.039059] ? SyS_exit+0x30/0x30 [ 56.042476] ? _raw_spin_unlock_irq+0x27/0x70 [ 56.046934] ? trace_hardirqs_on_caller+0x421/0x5c0 [ 56.051917] get_signal+0x73f/0x16d0 [ 56.055598] ? ptrace_notify+0x130/0x130 [ 56.059626] ? __schedule+0x8f3/0x2080 [ 56.063483] ? __sched_text_start+0x8/0x8 [ 56.067599] do_signal+0x94/0x1ee0 [ 56.071106] ? setup_sigcontext+0x7d0/0x7d0 [ 56.075394] ? schedule+0xf5/0x430 [ 56.078902] ? __schedule+0x2080/0x2080 [ 56.082841] ? find_held_lock+0x39/0x1d0 [ 56.086864] ? __compat_get_timespec+0xd9/0x120 [ 56.091498] ? exit_to_usermode_loop+0x8c/0x310 [ 56.096135] exit_to_usermode_loop+0x214/0x310 [ 56.100684] ? trace_event_raw_event_sys_exit+0x260/0x260 [ 56.106184] ? lock_acquire+0x1d5/0x580 [ 56.110124] ? do_fast_syscall_32+0x158/0xf05 [ 56.114582] do_fast_syscall_32+0x83e/0xf05 [ 56.118865] ? compat_start_thread+0x80/0x80 [ 56.123238] ? do_int80_syscall_32+0x940/0x940 [ 56.127786] ? lockdep_sys_exit+0x47/0xf0 [ 56.131898] ? syscall_return_slowpath+0x2b3/0x510 [ 56.136790] ? finish_task_switch+0x1aa/0x740 [ 56.141251] ? prepare_exit_to_usermode+0x2d0/0x2d0 [ 56.146249] ? sysret32_from_system_call+0x5/0x3b [ 56.151055] ? 
trace_hardirqs_off_thunk+0x1a/0x1c [ 56.155863] entry_SYSENTER_compat+0x51/0x60 [ 56.160235] RIP: 0023:0xf7f28c79 [ 56.163561] RSP: 002b:00000000f7ee212c EFLAGS: 00000292 ORIG_RAX: 00000000000000f0 [ 56.171231] RAX: fffffffffffffe00 RBX: 00000000081280f8 RCX: 0000000000000000 [ 56.178464] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000 [ 56.185697] RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000 [ 56.192930] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000 [ 56.200167] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000 [ 56.207409] [ 56.209003] Allocated by task 3449: [ 56.212596] save_stack_trace+0x16/0x20 [ 56.216534] save_stack+0x43/0xd0 [ 56.219953] kasan_kmalloc+0xad/0xe0 [ 56.223630] kmem_cache_alloc_trace+0x136/0x750 [ 56.228265] refill_pi_state_cache.part.6+0xa5/0x2f0 [ 56.233332] futex_requeue+0x1887/0x2370 [ 56.237359] do_futex+0x7f5/0x20d0 [ 56.240862] compat_SyS_futex+0x27f/0x380 [ 56.244975] do_fast_syscall_32+0x3f2/0xf05 [ 56.249258] entry_SYSENTER_compat+0x51/0x60 [ 56.253626] [ 56.255218] Freed by task 3422: [ 56.258458] save_stack_trace+0x16/0x20 [ 56.262395] save_stack+0x43/0xd0 [ 56.265812] kasan_slab_free+0x71/0xc0 [ 56.269662] kfree+0xca/0x250 [ 56.272731] put_pi_state+0x3f4/0x560 [ 56.276493] unqueue_me_pi+0x4a/0xc0 [ 56.280169] futex_wait_requeue_pi.constprop.19+0xc7f/0x1300 [ 56.285929] do_futex+0x825/0x20d0 [ 56.289433] compat_SyS_futex+0x27f/0x380 [ 56.293544] do_fast_syscall_32+0x3f2/0xf05 [ 56.297827] entry_SYSENTER_compat+0x51/0x60 [ 56.302196] [ 56.303789] The buggy address belongs to the object at ffff8801cccdc3c0 [ 56.303789] which belongs to the cache kmalloc-256 of size 256 [ 56.316410] The buggy address is located 40 bytes inside of [ 56.316410] 256-byte region [ffff8801cccdc3c0, ffff8801cccdc4c0) [ 56.328157] The buggy address belongs to the page: [ 56.333053] page:ffffea0007333700 count:1 mapcount:0 mapping:ffff8801cccdc000 index:0x0 [ 56.341161] flags: 
0x200000000000100(slab) [ 56.345362] raw: 0200000000000100 ffff8801cccdc000 0000000000000000 000000010000000c [ 56.353210] raw: ffffea0007331c60 ffffea0007318460 ffff8801dac007c0 0000000000000000 [ 56.361050] page dumped because: kasan: bad access detected [ 56.366720] [ 56.368310] Memory state around the buggy address: [ 56.373201] ffff8801cccdc280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 56.380524] ffff8801cccdc300: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 56.387846] >ffff8801cccdc380: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb [ 56.395170] ^ [ 56.401887] ffff8801cccdc400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 56.409210] ffff8801cccdc480: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc [ 56.416533] ================================================================== [ 56.423852] Disabling lock debugging due to kernel taint [ 56.429265] Kernel panic - not syncing: panic_on_warn set ... [ 56.429265] [ 56.436589] CPU: 1 PID: 3431 Comm: syz-executor4 Tainted: G B 4.14.0-rc3+ #23 [ 56.444951] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 56.454268] Call Trace: [ 56.456825] dump_stack+0x194/0x257 [ 56.460417] ? arch_local_irq_restore+0x53/0x53 [ 56.465050] ? vprintk_default+0x28/0x30 [ 56.469076] ? __lock_acquire+0x3ff0/0x4620 [ 56.473362] panic+0x1e4/0x417 [ 56.476518] ? __warn+0x1d9/0x1d9 [ 56.479938] ? __lock_acquire+0x407b/0x4620 [ 56.484223] kasan_end_report+0x50/0x50 [ 56.488162] kasan_report+0x144/0x340 [ 56.491928] __asan_report_load8_noabort+0x14/0x20 [ 56.496822] __lock_acquire+0x407b/0x4620 [ 56.500934] ? unwind_dump+0x4c0/0x4c0 [ 56.504786] ? __kernel_text_address+0xd/0x40 [ 56.509253] ? unwind_get_return_address+0x61/0xa0 [ 56.514148] ? debug_check_no_locks_freed+0x3d0/0x3d0 [ 56.519301] ? __save_stack_trace+0x61/0xd0 [ 56.523588] ? get_signal+0x73f/0x16d0 [ 56.527440] ? save_stack_trace+0x16/0x20 [ 56.531551] ? __lock_acquire+0x20fd/0x4620 [ 56.535837] ? 
debug_check_no_locks_freed+0x3d0/0x3d0 [ 56.541490] ? debug_check_no_locks_freed+0x3d0/0x3d0 [ 56.546650] ? save_stack_trace+0x16/0x20 [ 56.550761] ? __lock_acquire+0x20fd/0x4620 [ 56.555046] ? osq_unlock+0x350/0x350 [ 56.558809] ? save_stack_trace+0x16/0x20 [ 56.562924] ? check_noncircular+0x20/0x20 [ 56.567124] ? debug_check_no_locks_freed+0x3d0/0x3d0 [ 56.572279] ? debug_check_no_locks_freed+0x3d0/0x3d0 [ 56.577432] ? print_usage_bug+0x480/0x480 [ 56.581631] ? __unwind_start+0x169/0x330 [ 56.585746] ? find_held_lock+0x39/0x1d0 [ 56.589777] ? lock_downgrade+0x990/0x990 [ 56.593894] ? check_noncircular+0x20/0x20 [ 56.598100] lock_acquire+0x1d5/0x580 [ 56.601869] ? exit_pi_state_list+0x369/0x7a0 [ 56.606328] ? lock_release+0xd70/0xd70 [ 56.610266] ? do_raw_spin_trylock+0x190/0x190 [ 56.614812] ? find_held_lock+0x39/0x1d0 [ 56.618844] _raw_spin_lock_irq+0x5e/0x80 [ 56.622969] ? exit_pi_state_list+0x369/0x7a0 [ 56.627429] exit_pi_state_list+0x369/0x7a0 [ 56.631718] ? futex_wait_requeue_pi.constprop.19+0x1300/0x1300 [ 56.637740] ? lock_release+0xd70/0xd70 [ 56.641678] ? check_same_owner+0x320/0x320 [ 56.645964] ? _raw_spin_unlock_irqrestore+0x31/0xba [ 56.651030] ? __might_sleep+0x95/0x190 [ 56.654969] ? __might_fault+0x188/0x1d0 [ 56.658994] ? do_raw_spin_trylock+0x190/0x190 [ 56.663541] mm_release+0x46d/0x590 [ 56.667131] ? do_raw_spin_trylock+0x190/0x190 [ 56.671677] ? mm_access+0x140/0x140 [ 56.675354] ? _raw_spin_unlock_irq+0x27/0x70 [ 56.679812] ? trace_hardirqs_on_caller+0x421/0x5c0 [ 56.684793] ? trace_hardirqs_on+0xd/0x10 [ 56.688906] ? _raw_spin_unlock_irq+0x27/0x70 [ 56.693369] ? acct_collect+0x637/0x800 [ 56.697308] do_exit+0x481/0x1af0 [ 56.700727] ? mm_update_next_owner+0x930/0x930 [ 56.705365] ? lock_downgrade+0x990/0x990 [ 56.709485] ? refill_pi_state_cache.part.6+0x2f0/0x2f0 [ 56.714812] ? futex_wait+0x3ad/0x990 [ 56.718580] ? do_raw_spin_trylock+0x190/0x190 [ 56.723125] ? fault_in_user_writeable+0x90/0x90 [ 56.727843] ? 
futex_wake+0x680/0x680 [ 56.731604] ? fault_in_user_writeable+0x90/0x90 [ 56.736322] ? check_noncircular+0x20/0x20 [ 56.740520] ? drop_futex_key_refs.isra.13+0x63/0xb0 [ 56.745584] ? futex_wait+0x69e/0x990 [ 56.749350] ? futex_wait_setup+0x3d0/0x3d0 [ 56.753635] ? find_held_lock+0x39/0x1d0 [ 56.757661] ? lock_downgrade+0x990/0x990 [ 56.761777] ? recalc_sigpending_tsk+0x117/0x150 [ 56.766495] ? recalc_sigpending+0x103/0x160 [ 56.770867] ? recalc_sigpending_tsk+0x150/0x150 [ 56.775583] ? get_signal+0x2b2/0x16d0 [ 56.779434] do_group_exit+0x149/0x400 [ 56.783283] ? __lock_is_held+0xbc/0x140 [ 56.787305] ? SyS_exit+0x30/0x30 [ 56.790724] ? _raw_spin_unlock_irq+0x27/0x70