2017/10/26 08:28:35 parsed 1 programs
2017/10/26 08:28:35 executed programs: 0
syzkaller login: [ 21.067495] ==================================================================
[ 21.068012] BUG: KASAN: use-after-free in __lock_acquire+0x3c9f/0x3d50
[ 21.068486] Read of size 8 at addr ffff88003d5c9868 by task syz-executor0/3064
[ 21.068948]
[ 21.069074] CPU: 2 PID: 3064 Comm: syz-executor0 Not tainted 4.14.0-rc5-next-20171018+ #8
[ 21.069637] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
[ 21.070201] Call Trace:
[ 21.070437]  dump_stack+0x194/0x257
[ 21.070778]  ? arch_local_irq_restore+0x53/0x53
[ 21.071117]  ? show_regs_print_info+0x65/0x65
[ 21.071416]  ? print_irqtrace_events+0x270/0x270
[ 21.072567]  ? print_irqtrace_events+0x270/0x270
[ 21.073016]  ? __lock_acquire+0x3c9f/0x3d50
[ 21.073422]  print_address_description+0x73/0x250
[ 21.073874]  ? __lock_acquire+0x3c9f/0x3d50
[ 21.074280]  kasan_report+0x25b/0x340
[ 21.074639]  __asan_report_load8_noabort+0x14/0x20
[ 21.075099]  __lock_acquire+0x3c9f/0x3d50
[ 21.075667]  ? exit_pi_state_list+0x369/0x7a0
[ 21.076094]  ? debug_check_no_locks_freed+0x3c0/0x3c0
[ 21.076581]  ? __lock_acquire+0x6aa/0x3d50
[ 21.076978]  ? __lock_acquire+0x6aa/0x3d50
[ 21.077376]  ? __lock_acquire+0x6aa/0x3d50
[ 21.077773]  ? debug_check_no_locks_freed+0x3c0/0x3c0
[ 21.079088]  ? debug_check_no_locks_freed+0x3c0/0x3c0
[ 21.079602]  ? check_noncircular+0x20/0x20
[ 21.080032]  ? osq_unlock+0x350/0x350
[ 21.080390]  ? __lock_acquire+0x6aa/0x3d50
[ 21.080788]  ? debug_check_no_locks_freed+0x3c0/0x3c0
[ 21.081273]  ? check_noncircular+0x20/0x20
[ 21.081678]  ? print_irqtrace_events+0x270/0x270
[ 21.082138]  ? check_noncircular+0x20/0x20
[ 21.082537]  ? lock_release+0xa40/0xa40
[ 21.082912]  ? switched_to_fair+0xb0/0xb0
[ 21.083359]  ? __lock_is_held+0xb6/0x140
[ 21.083759]  ? find_held_lock+0x35/0x1d0
[ 21.084142]  lock_acquire+0x1d5/0x580
[ 21.084501]  ? lock_acquire+0x1d5/0x580
[ 21.084875]  ? exit_pi_state_list+0x369/0x7a0
[ 21.085298]  ? lock_downgrade+0x990/0x990
[ 21.085688]  ? lock_release+0xa40/0xa40
[ 21.086061]  ? do_raw_spin_trylock+0x190/0x190
[ 21.086489]  ? lock_downgrade+0x990/0x990
[ 21.086884]  _raw_spin_lock_irq+0x5e/0x80
[ 21.087274]  ? exit_pi_state_list+0x369/0x7a0
[ 21.087736]  exit_pi_state_list+0x369/0x7a0
[ 21.088151]  ? futex_wait_requeue_pi.constprop.19+0x1300/0x1300
[ 21.088720]  ? lock_release+0xa40/0xa40
[ 21.089098]  ? trace_event_raw_event_sched_switch+0x8a0/0x8a0
[ 21.089652]  ? _raw_spin_unlock_irqrestore+0x31/0xba
[ 21.090139]  ? __might_sleep+0x95/0x190
[ 21.090515]  ? __might_fault+0x188/0x1d0
[ 21.090898]  ? do_raw_spin_trylock+0x190/0x190
[ 21.091328]  mm_release+0x46d/0x590
[ 21.091709]  ? do_raw_spin_trylock+0x190/0x190
[ 21.092140]  ? mm_access+0x140/0x140
[ 21.092489]  ? _raw_spin_unlock_irq+0x27/0x70
[ 21.092907]  ? trace_hardirqs_on_caller+0x421/0x5c0
[ 21.093667]  ? trace_hardirqs_on+0xd/0x10
[ 21.094069]  ? _raw_spin_unlock_irq+0x27/0x70
[ 21.094501]  ? acct_collect+0x637/0x800
[ 21.094924]  do_exit+0x481/0x1ad0
[ 21.095261]  ? mm_update_next_owner+0x930/0x930
[ 21.095649]  ? trace_event_raw_event_sched_switch+0x8a0/0x8a0
[ 21.096094]  ? rcu_note_context_switch+0x710/0x710
[ 21.096567]  ? futex_wait_setup+0x14a/0x3d0
[ 21.096983]  ? __might_sleep+0x95/0x190
[ 21.097369]  ? find_held_lock+0x35/0x1d0
[ 21.097771]  ? futex_wait+0x402/0x990
[ 21.098142]  ? lock_downgrade+0x990/0x990
[ 21.098544]  ? do_raw_spin_trylock+0x190/0x190
[ 21.098987]  ? check_noncircular+0x20/0x20
[ 21.099395]  ? futex_wake+0x680/0x680
[ 21.099815]  ? mmdrop+0x18/0x30
[ 21.100134]  ? drop_futex_key_refs.isra.13+0x63/0xa0
[ 21.100626]  ? futex_wait+0x69e/0x990
[ 21.100996]  ? find_held_lock+0x35/0x1d0
[ 21.101390]  ? get_signal+0x7ae/0x16d0
[ 21.101766]  ? lock_downgrade+0x990/0x990
[ 21.102169]  do_group_exit+0x149/0x400
[ 21.102555]  ? __lock_is_held+0xb6/0x140
[ 21.102952]  ? SyS_exit+0x30/0x30
[ 21.103296]  ? _raw_spin_unlock_irq+0x27/0x70
[ 21.103768]  ? trace_hardirqs_on_caller+0x421/0x5c0
[ 21.104251]  get_signal+0x73f/0x16d0
[ 21.104615]  ? ptrace_notify+0x130/0x130
[ 21.105006]  ? vma_wants_writenotify+0x3b0/0x3b0
[ 21.105463]  ? vma_link+0xe9/0x170
[ 21.105808]  ? exit_robust_list+0x240/0x240
[ 21.106232]  ? find_held_lock+0x35/0x1d0
[ 21.106614]  do_signal+0x94/0x1ee0
[ 21.106945]  ? vm_mmap_pgoff+0x1ed/0x280
[ 21.107326]  ? should_fail+0x23b/0xa40
[ 21.107726]  ? fault_create_debugfs_attr+0x1f0/0x1f0
[ 21.108202]  ? setup_sigcontext+0x7d0/0x7d0
[ 21.108608]  ? find_held_lock+0x35/0x1d0
[ 21.109031]  ? lock_downgrade+0x990/0x990
[ 21.109420]  ? down_read_killable+0x180/0x180
[ 21.109839]  ? lock_release+0xa40/0xa40
[ 21.110210]  ? trace_event_raw_event_sched_switch+0x8a0/0x8a0
[ 21.110755]  ? vm_mmap_pgoff+0x1fc/0x280
[ 21.111134]  ? exit_to_usermode_loop+0x8c/0x310
[ 21.111632]  exit_to_usermode_loop+0x214/0x310
[ 21.112097]  ? trace_event_raw_event_sys_exit+0x260/0x260
[ 21.112612]  ? kasan_check_write+0x14/0x20
[ 21.113010]  syscall_return_slowpath+0x42f/0x510
[ 21.113454]  ? prepare_exit_to_usermode+0x2d0/0x2d0
[ 21.113922]  ? entry_SYSCALL_64_fastpath+0x91/0xbe
[ 21.114380]  ? trace_hardirqs_on_caller+0x421/0x5c0
[ 21.115143]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 21.115630]  entry_SYSCALL_64_fastpath+0xbc/0xbe
[ 21.116042] RIP: 0033:0x447c89
[ 21.116343] RSP: 002b:00007f42d2824ce8 EFLAGS: 00000246 ORIG_RAX: 00000000000000ca
[ 21.117064] RAX: fffffffffffffe00 RBX: 0000000000748048 RCX: 0000000000447c89
[ 21.117742] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000748048
[ 21.118417] RBP: 0000000000748048 R08: 0000000000000000 R09: 0000000000748020
[ 21.119095] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
[ 21.119813] R13: 0000000000000000 R14: 00007f42d28259c0 R15: 00007f42d2825700
[ 21.120707]
[ 21.120859] Allocated by task 3066:
[ 21.121250]  save_stack+0x43/0xd0
[ 21.121574]  kasan_kmalloc+0xad/0xe0
[ 21.121975]  kmem_cache_alloc_trace+0x136/0x750
[ 21.122424]  refill_pi_state_cache.part.6+0xa5/0x2f0
[ 21.122913]  futex_requeue+0x1887/0x2370
[ 21.123303]  do_futex+0x7f5/0x20d0
[ 21.123641]  SyS_futex+0x260/0x390
[ 21.123967]  entry_SYSCALL_64_fastpath+0x1f/0xbe
[ 21.124404]
[ 21.124555] Freed by task 3065:
[ 21.124857]  save_stack+0x43/0xd0
[ 21.125171]  kasan_slab_free+0x71/0xc0
[ 21.125534]  kfree+0xca/0x250
[ 21.125834]  put_pi_state+0x3f4/0x560
[ 21.126242]  unqueue_me_pi+0x4a/0xc0
[ 21.126641]  futex_wait_requeue_pi.constprop.19+0xc7f/0x1300
[ 21.127212]  do_futex+0x825/0x20d0
[ 21.127540]  SyS_futex+0x260/0x390
[ 21.127864]  entry_SYSCALL_64_fastpath+0x1f/0xbe
[ 21.128285]
[ 21.128435] The buggy address belongs to the object at ffff88003d5c9840
[ 21.128435]  which belongs to the cache kmalloc-256 of size 256
[ 21.129589] The buggy address is located 40 bytes inside of
[ 21.129589]  256-byte region [ffff88003d5c9840, ffff88003d5c9940)
[ 21.130625] The buggy address belongs to the page:
[ 21.131066] page:ffffea0000f57240 count:1 mapcount:0 mapping:ffff88003d5c90c0 index:0x0
[ 21.131804] flags: 0x100000000000100(slab)
[ 21.132190] raw: 0100000000000100 ffff88003d5c90c0 0000000000000000 000000010000000c
[ 21.132891] raw: ffffea0000f692e0 ffffea0000f57920 ffff88003e8007c0 0000000000000000
[ 21.133635] page dumped because: kasan: bad access detected
[ 21.134138]
[ 21.134285] Memory state around the buggy address:
[ 21.134720]  ffff88003d5c9700: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 21.135425]  ffff88003d5c9780: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 21.136103] >ffff88003d5c9800: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
[ 21.136751]                                                           ^
[ 21.137655]  ffff88003d5c9880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 21.138327]  ffff88003d5c9900: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 21.138992] ==================================================================
[ 21.139682] Disabling lock debugging due to kernel taint
[ 21.140173] Kernel panic - not syncing: panic_on_warn set ...
[ 21.140173]
[ 21.140846] CPU: 2 PID: 3064 Comm: syz-executor0 Tainted: G B 4.14.0-rc5-next-20171018+ #8
[ 21.141722] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
[ 21.142480] Call Trace:
[ 21.142709]  dump_stack+0x194/0x257
[ 21.143047]  ? arch_local_irq_restore+0x53/0x53
[ 21.143415]  ? kasan_end_report+0x32/0x50
[ 21.143883]  ? lock_downgrade+0x990/0x990
[ 21.144294]  ? vsnprintf+0x1ed/0x1900
[ 21.144653]  ? __lock_acquire+0x3c50/0x3d50
[ 21.145058]  panic+0x1e4/0x41c
[ 21.145359]  ? refcount_error_report+0x214/0x214
[ 21.145801]  ? add_taint+0x40/0x50
[ 21.146136]  ? add_taint+0x1c/0x50
[ 21.146473]  ? __lock_acquire+0x3c9f/0x3d50
[ 21.146876]  kasan_end_report+0x50/0x50
[ 21.147257]  kasan_report+0x144/0x340
[ 21.147664]  __asan_report_load8_noabort+0x14/0x20
[ 21.148166]  __lock_acquire+0x3c9f/0x3d50
[ 21.148594]  ? exit_pi_state_list+0x369/0x7a0
[ 21.149055]  ? debug_check_no_locks_freed+0x3c0/0x3c0
[ 21.149588]  ? __lock_acquire+0x6aa/0x3d50
[ 21.150027]  ? __lock_acquire+0x6aa/0x3d50
[ 21.150460]  ? __lock_acquire+0x6aa/0x3d50
[ 21.150897]  ? debug_check_no_locks_freed+0x3c0/0x3c0
[ 21.151424]  ? debug_check_no_locks_freed+0x3c0/0x3c0
[ 21.151972]  ? check_noncircular+0x20/0x20
[ 21.152419]  ? osq_unlock+0x350/0x350
[ 21.152813]  ? __lock_acquire+0x6aa/0x3d50
[ 21.153252]  ? debug_check_no_locks_freed+0x3c0/0x3c0
[ 21.153786]  ? check_noncircular+0x20/0x20
[ 21.154227]  ? print_irqtrace_events+0x270/0x270
[ 21.154713]  ? check_noncircular+0x20/0x20
[ 21.155163]  ? lock_release+0xa40/0xa40
[ 21.155580]  ? switched_to_fair+0xb0/0xb0
[ 21.156002]  ? __lock_is_held+0xb6/0x140
[ 21.156424]  ? find_held_lock+0x35/0x1d0
[ 21.156839]  lock_acquire+0x1d5/0x580
[ 21.157477]  ? lock_acquire+0x1d5/0x580
[ 21.157884]  ? exit_pi_state_list+0x369/0x7a0
[ 21.158344]  ? lock_downgrade+0x990/0x990
[ 21.158774]  ? lock_release+0xa40/0xa40
[ 21.159182]  ? do_raw_spin_trylock+0x190/0x190
[ 21.159653]  ? lock_downgrade+0x990/0x990
[ 21.160085]  _raw_spin_lock_irq+0x5e/0x80
[ 21.160488]  ? exit_pi_state_list+0x369/0x7a0
[ 21.160925]  exit_pi_state_list+0x369/0x7a0
[ 21.161347]  ? futex_wait_requeue_pi.constprop.19+0x1300/0x1300
[ 21.161930]  ? lock_release+0xa40/0xa40
[ 21.162317]  ? trace_event_raw_event_sched_switch+0x8a0/0x8a0
[ 21.162883]  ? _raw_spin_unlock_irqrestore+0x31/0xba
[ 21.163377]  ? __might_sleep+0x95/0x190
[ 21.163769]  ? __might_fault+0x188/0x1d0
[ 21.164162]  ? do_raw_spin_trylock+0x190/0x190
[ 21.164617]  mm_release+0x46d/0x590
[ 21.164975]  ? do_raw_spin_trylock+0x190/0x190
[ 21.165426]  ? mm_access+0x140/0x140
[ 21.165795]  ? _raw_spin_unlock_irq+0x27/0x70
[ 21.166239]  ? trace_hardirqs_on_caller+0x421/0x5c0
[ 21.166733]  ? trace_hardirqs_on+0xd/0x10
[ 21.167144]  ? _raw_spin_unlock_irq+0x27/0x70
[ 21.167543]  ? acct_collect+0x637/0x800
[ 21.167797]  do_exit+0x481/0x1ad0
[ 21.168018]  ? mm_update_next_owner+0x930/0x930
[ 21.168315]  ? trace_event_raw_event_sched_switch+0x8a0/0x8a0
[ 21.168689]  ? rcu_note_context_switch+0x710/0x710
[ 21.169002]  ? futex_wait_setup+0x14a/0x3d0
[ 21.169277]  ? __might_sleep+0x95/0x190
[ 21.169534]  ? find_held_lock+0x35/0x1d0
[ 21.169794]  ? futex_wait+0x402/0x990
[ 21.170036]  ? lock_downgrade+0x990/0x990
[ 21.170300]  ? do_raw_spin_trylock+0x190/0x190
[ 21.170592]  ? check_noncircular+0x20/0x20
[ 21.170862]  ? futex_wake+0x680/0x680
[ 21.171121]  ? mmdrop+0x18/0x30
[ 21.171346]  ? drop_futex_key_refs.isra.13+0x63/0xa0
[ 21.171883]  ? futex_wait+0x69e/0x990
[ 21.172272]  ? find_held_lock+0x35/0x1d0
[ 21.172690]  ? get_signal+0x7ae/0x16d0
[ 21.173088]  ? lock_downgrade+0x990/0x990
[ 21.173515]  do_group_exit+0x149/0x400
[ 21.173914]  ? __lock_is_held+0xb6/0x140
[ 21.174329]  ? SyS_exit+0x30/0x30
[ 21.174683]  ? _raw_spin_unlock_irq+0x27/0x70
[ 21.175152]  ? trace_hardirqs_on_caller+0x421/0x5c0
[ 21.175653]  get_signal+0x73f/0x16d0
[ 21.176023]  ? ptrace_notify+0x130/0x130
[ 21.176291]  ? vma_wants_writenotify+0x3b0/0x3b0
[ 21.176594]  ? vma_link+0xe9/0x170
[ 21.176822]  ? exit_robust_list+0x240/0x240
[ 21.177099]  ? find_held_lock+0x35/0x1d0
[ 21.177368]  do_signal+0x94/0x1ee0
[ 21.177596]  ? vm_mmap_pgoff+0x1ed/0x280
[ 21.177855]  ? should_fail+0x23b/0xa40
[ 21.178104]  ? fault_create_debugfs_attr+0x1f0/0x1f0
[ 21.178685]  ? setup_sigcontext+0x7d0/0x7d0
[ 21.178962]  ? find_held_lock+0x35/0x1d0
[ 21.179222]  ? lock_downgrade+0x990/0x990
[ 21.179498]  ? down_read_killable+0x180/0x180
[ 21.179783]  ? lock_release+0xa40/0xa40
[ 21.180037]  ? trace_event_raw_event_sched_switch+0x8a0/0x8a0
[ 21.180409]  ? vm_mmap_pgoff+0x1fc/0x280
[ 21.180667]  ? exit_to_usermode_loop+0x8c/0x310
[ 21.180964]  exit_to_usermode_loop+0x214/0x310
[ 21.181256]  ? trace_event_raw_event_sys_exit+0x260/0x260
[ 21.181607]  ? kasan_check_write+0x14/0x20
[ 21.181877]  syscall_return_slowpath+0x42f/0x510
[ 21.182236]  ? prepare_exit_to_usermode+0x2d0/0x2d0
[ 21.182737]  ? entry_SYSCALL_64_fastpath+0x91/0xbe
[ 21.183226]  ? trace_hardirqs_on_caller+0x421/0x5c0
[ 21.183730]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 21.184216]  entry_SYSCALL_64_fastpath+0xbc/0xbe
[ 21.184690] RIP: 0033:0x447c89
[ 21.185004] RSP: 002b:00007f42d2824ce8 EFLAGS: 00000246 ORIG_RAX: 00000000000000ca
[ 21.185768] RAX: fffffffffffffe00 RBX: 0000000000748048 RCX: 0000000000447c89
[ 21.186484] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000748048
[ 21.187200] RBP: 0000000000748048 R08: 0000000000000000 R09: 0000000000748020
[ 21.187921] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
[ 21.188637] R13: 0000000000000000 R14: 00007f42d28259c0 R15: 00007f42d2825700
[ 21.191473] Dumping ftrace buffer:
[ 21.191816]    (ftrace buffer empty)
[ 21.192171] Kernel Offset: disabled
[ 21.192520] Rebooting in 86400 seconds..