INIT: Entering runlevel: 2 [info] Using makefile-style concurrent boot in runlevel 2. [ ok ] Starting enhanced syslogd: rsyslogd. [ ok ] Starting periodic command scheduler: cron. [ ok ] Starting OpenBSD Secure Shell server: sshd. Debian GNU/Linux 7 syzkaller ttyS0 Warning: Permanently added 'ci-upstream-kasan-gce-4,10.128.0.45' (ECDSA) to the list of known hosts. executing program syzkaller login: [ 42.325198] ================================================================== [ 42.326310] BUG: KASAN: use-after-free in __lock_acquire+0x465e/0x47f0 [ 42.327185] Read of size 8 at addr ffff8801cbf5f8b0 by task syzkaller354872/3085 [ 42.328166] [ 42.328396] CPU: 1 PID: 3085 Comm: syzkaller354872 Not tainted 4.15.0-rc2+ #206 [ 42.329369] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 42.330588] Call Trace: [ 42.330942] dump_stack+0x194/0x257 [ 42.331428] ? arch_local_irq_restore+0x53/0x53 [ 42.332047] ? show_regs_print_info+0x65/0x65 [ 42.332644] ? debug_check_no_locks_freed+0x3d0/0x3d0 [ 42.333329] ? __lock_acquire+0x6e9/0x47f0 [ 42.333892] ? __lock_acquire+0x465e/0x47f0 [ 42.334470] print_address_description+0x73/0x250 [ 42.335110] ? __lock_acquire+0x465e/0x47f0 [ 42.335685] kasan_report+0x25b/0x340 [ 42.336192] __asan_report_load8_noabort+0x14/0x20 [ 42.336844] __lock_acquire+0x465e/0x47f0 [ 42.337414] ? __lock_acquire+0x6e9/0x47f0 [ 42.337979] ? update_cfs_rq_load_avg.part.70+0x2d0/0x2d0 [ 42.338711] ? debug_check_no_locks_freed+0x3d0/0x3d0 [ 42.339395] ? __lock_acquire+0x6e9/0x47f0 [ 42.339958] ? debug_check_no_locks_freed+0x3d0/0x3d0 [ 42.340644] ? update_cfs_rq_load_avg.part.70+0x2d0/0x2d0 [ 42.341374] ? _raw_spin_unlock_irqrestore+0xa6/0xba [ 42.342051] ? debug_check_no_locks_freed+0x3d0/0x3d0 [ 42.342735] ? lock_acquire+0x1d5/0x580 [ 42.343265] ? ep_free+0xf4/0x320 [ 42.343730] ? lock_release+0xda0/0xda0 [ 42.344258] ? 
print_usage_bug+0x3f0/0x3f0 [ 42.344821] ? rcu_note_context_switch+0x710/0x710 [ 42.346555] ? __might_sleep+0x95/0x190 [ 42.350491] ? ep_free+0xf4/0x320 [ 42.353907] ? __mutex_lock+0x16f/0x1a80 [ 42.357933] ? ep_free+0xf4/0x320 [ 42.361350] ? ep_free+0xf4/0x320 [ 42.364768] lock_acquire+0x1d5/0x580 [ 42.368533] ? remove_wait_queue+0x81/0x350 [ 42.372819] ? __lock_acquire+0x6e9/0x47f0 [ 42.377018] ? lock_release+0xda0/0xda0 [ 42.380957] ? __lock_acquire+0x6e9/0x47f0 [ 42.385156] ? lock_acquire+0x1d5/0x580 [ 42.389092] ? ep_unregister_pollwait.isra.7+0x323/0x590 [ 42.394506] _raw_spin_lock_irqsave+0x96/0xc0 [ 42.398967] ? remove_wait_queue+0x81/0x350 [ 42.403252] remove_wait_queue+0x81/0x350 [ 42.407363] ? prepare_to_wait+0x4d0/0x4d0 [ 42.411560] ? rcutorture_record_progress+0x10/0x10 [ 42.416540] ep_unregister_pollwait.isra.7+0x18c/0x590 [ 42.421778] ? __kernel_text_address+0xd/0x40 [ 42.426236] ? clear_tfile_check_list+0x370/0x370 [ 42.431041] ? check_noncircular+0x20/0x20 [ 42.435240] ? free_fs_struct+0x52/0x60 [ 42.439178] ? locks_remove_file+0x3fa/0x5a0 [ 42.443575] ep_free+0x13f/0x320 [ 42.446904] ? ep_remove+0x800/0x800 [ 42.450581] ? fsnotify_first_mark+0x2b0/0x2b0 [ 42.455126] ? ep_free+0x320/0x320 [ 42.458629] ep_eventpoll_release+0x44/0x60 [ 42.462912] __fput+0x333/0x7f0 [ 42.466155] ? fput+0x140/0x140 [ 42.469398] ? _raw_spin_unlock_irq+0x27/0x70 [ 42.473858] ____fput+0x15/0x20 [ 42.477100] task_work_run+0x199/0x270 [ 42.480954] ? task_work_cancel+0x210/0x210 [ 42.485237] ? _raw_spin_unlock+0x22/0x30 [ 42.489349] ? switch_task_namespaces+0x87/0xc0 [ 42.493984] do_exit+0x9bb/0x1ae0 [ 42.497404] ? binder_ioctl+0x4a1/0x141a [ 42.501439] ? mm_update_next_owner+0x930/0x930 [ 42.506071] ? binder_ioctl_write_read.isra.41+0xcb0/0xcb0 [ 42.511661] ? avc_ss_reset+0x110/0x110 [ 42.515599] ? mutex_unlock+0xd/0x10 [ 42.519275] ? SyS_epoll_ctl+0x30a/0x1ab0 [ 42.523393] ? down_read_trylock+0xdb/0x170 [ 42.527682] ? 
trace_event_raw_event_sched_switch+0x800/0x800 [ 42.533536] ? up_read+0x1a/0x40 [ 42.536868] ? rcu_note_context_switch+0x710/0x710 [ 42.541760] ? __fd_install+0x288/0x740 [ 42.545699] ? binder_ioctl_write_read.isra.41+0xcb0/0xcb0 [ 42.551288] ? do_vfs_ioctl+0x492/0x1530 [ 42.555316] ? _cond_resched+0x14/0x30 [ 42.559169] ? ioctl_preallocate+0x2b0/0x2b0 [ 42.563544] ? selinux_capable+0x40/0x40 [ 42.567570] ? __alloc_fd+0x750/0x750 [ 42.571338] do_group_exit+0x149/0x400 [ 42.575190] ? SyS_exit+0x30/0x30 [ 42.578611] ? trace_hardirqs_on_caller+0x421/0x5c0 [ 42.583593] ? trace_hardirqs_on_thunk+0x1a/0x1c [ 42.588311] SyS_exit_group+0x1d/0x20 [ 42.592078] entry_SYSCALL_64_fastpath+0x1f/0x96 [ 42.596796] RIP: 0033:0x442a38 [ 42.599959] RSP: 002b:00007ffcf66ea178 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7 [ 42.607632] RAX: ffffffffffffffda RBX: 00000000004002e0 RCX: 0000000000442a38 [ 42.614875] RDX: 0000000000000000 RSI: 000000000000003c RDI: 0000000000000000 [ 42.622113] RBP: 00000000006ce018 R08: 00000000000000e7 R09: ffffffffffffffd0 [ 42.629828] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000401a80 [ 42.637065] R13: 0000000000401b10 R14: 0000000000000000 R15: 0000000000000000 [ 42.644303] [ 42.645895] Allocated by task 3085: [ 42.649490] save_stack+0x43/0xd0 [ 42.652907] kasan_kmalloc+0xad/0xe0 [ 42.656585] kmem_cache_alloc_trace+0x136/0x750 [ 42.661219] binder_get_thread+0x1cf/0x870 [ 42.665415] binder_poll+0x8c/0x390 [ 42.669010] ep_item_poll.isra.10+0xec/0x320 [ 42.673381] ep_insert+0x6a3/0x1b10 [ 42.676972] SyS_epoll_ctl+0x12e4/0x1ab0 [ 42.681000] entry_SYSCALL_64_fastpath+0x1f/0x96 [ 42.685715] [ 42.687308] Freed by task 3085: [ 42.690551] save_stack+0x43/0xd0 [ 42.693967] kasan_slab_free+0x71/0xc0 [ 42.697818] kfree+0xca/0x250 [ 42.700886] binder_thread_dec_tmpref+0x27f/0x310 [ 42.705690] binder_thread_release+0x27d/0x540 [ 42.710241] binder_ioctl+0xc05/0x141a [ 42.714093] do_vfs_ioctl+0x1b1/0x1530 [ 42.717945] SyS_ioctl+0x8f/0xc0 [ 42.721273] 
entry_SYSCALL_64_fastpath+0x1f/0x96 [ 42.725987] [ 42.727582] The buggy address belongs to the object at ffff8801cbf5f800 [ 42.727582] which belongs to the cache kmalloc-512 of size 512 [ 42.740201] The buggy address is located 176 bytes inside of [ 42.740201] 512-byte region [ffff8801cbf5f800, ffff8801cbf5fa00) [ 42.752036] The buggy address belongs to the page: [ 42.756929] page:000000009e377c8f count:1 mapcount:0 mapping:00000000edffd532 index:0x0 [ 42.765034] flags: 0x2fffc0000000100(slab) [ 42.769233] raw: 02fffc0000000100 ffff8801cbf5f080 0000000000000000 0000000100000006 [ 42.777077] raw: ffffea00072fb320 ffffea000730fd20 ffff8801db000940 0000000000000000 [ 42.784918] page dumped because: kasan: bad access detected [ 42.790587] [ 42.792178] Memory state around the buggy address: [ 42.797073] ffff8801cbf5f780: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 42.804393] ffff8801cbf5f800: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 42.811712] >ffff8801cbf5f880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 42.819032] ^ [ 42.823920] ffff8801cbf5f900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 42.831241] ffff8801cbf5f980: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 42.838560] ================================================================== [ 42.845878] Disabling lock debugging due to kernel taint [ 42.851290] Kernel panic - not syncing: panic_on_warn set ... [ 42.851290] [ 42.858615] CPU: 1 PID: 3085 Comm: syzkaller354872 Tainted: G B 4.15.0-rc2+ #206 [ 42.867324] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 42.876640] Call Trace: [ 42.879194] dump_stack+0x194/0x257 [ 42.882784] ? arch_local_irq_restore+0x53/0x53 [ 42.887419] ? vprintk_default+0x28/0x30 [ 42.891445] ? vsnprintf+0x1ed/0x1900 [ 42.895210] ? __lock_acquire+0x4620/0x47f0 [ 42.899493] panic+0x1e4/0x41c [ 42.902651] ? refcount_error_report+0x214/0x214 [ 42.907371] ? add_taint+0x40/0x50 [ 42.910877] ? 
add_taint+0x1c/0x50 [ 42.914388] ? __lock_acquire+0x465e/0x47f0 [ 42.918681] kasan_end_report+0x50/0x50 [ 42.922617] kasan_report+0x144/0x340 [ 42.926382] __asan_report_load8_noabort+0x14/0x20 [ 42.931273] __lock_acquire+0x465e/0x47f0 [ 42.935383] ? __lock_acquire+0x6e9/0x47f0 [ 42.939584] ? update_cfs_rq_load_avg.part.70+0x2d0/0x2d0 [ 42.945088] ? debug_check_no_locks_freed+0x3d0/0x3d0 [ 42.950246] ? __lock_acquire+0x6e9/0x47f0 [ 42.954450] ? debug_check_no_locks_freed+0x3d0/0x3d0 [ 42.959604] ? update_cfs_rq_load_avg.part.70+0x2d0/0x2d0 [ 42.965104] ? _raw_spin_unlock_irqrestore+0xa6/0xba [ 42.970175] ? debug_check_no_locks_freed+0x3d0/0x3d0 [ 42.975329] ? lock_acquire+0x1d5/0x580 [ 42.979265] ? ep_free+0xf4/0x320 [ 42.982684] ? lock_release+0xda0/0xda0 [ 42.986623] ? print_usage_bug+0x3f0/0x3f0 [ 42.990820] ? rcu_note_context_switch+0x710/0x710 [ 42.995713] ? __might_sleep+0x95/0x190 [ 42.999648] ? ep_free+0xf4/0x320 [ 43.003067] ? __mutex_lock+0x16f/0x1a80 [ 43.007091] ? ep_free+0xf4/0x320 [ 43.010515] ? ep_free+0xf4/0x320 [ 43.013935] lock_acquire+0x1d5/0x580 [ 43.017701] ? remove_wait_queue+0x81/0x350 [ 43.021985] ? __lock_acquire+0x6e9/0x47f0 [ 43.026184] ? lock_release+0xda0/0xda0 [ 43.030122] ? __lock_acquire+0x6e9/0x47f0 [ 43.034321] ? lock_acquire+0x1d5/0x580 [ 43.038260] ? ep_unregister_pollwait.isra.7+0x323/0x590 [ 43.043674] _raw_spin_lock_irqsave+0x96/0xc0 [ 43.048134] ? remove_wait_queue+0x81/0x350 [ 43.052419] remove_wait_queue+0x81/0x350 [ 43.056532] ? prepare_to_wait+0x4d0/0x4d0 [ 43.060731] ? rcutorture_record_progress+0x10/0x10 [ 43.065714] ep_unregister_pollwait.isra.7+0x18c/0x590 [ 43.070964] ? __kernel_text_address+0xd/0x40 [ 43.075426] ? clear_tfile_check_list+0x370/0x370 [ 43.080234] ? check_noncircular+0x20/0x20 [ 43.084434] ? free_fs_struct+0x52/0x60 [ 43.088373] ? locks_remove_file+0x3fa/0x5a0 [ 43.092749] ep_free+0x13f/0x320 [ 43.096080] ? ep_remove+0x800/0x800 [ 43.099757] ? fsnotify_first_mark+0x2b0/0x2b0 [ 43.104304] ? 
ep_free+0x320/0x320 [ 43.107808] ep_eventpoll_release+0x44/0x60 [ 43.112093] __fput+0x333/0x7f0 [ 43.115335] ? fput+0x140/0x140 [ 43.118588] ? _raw_spin_unlock_irq+0x27/0x70 [ 43.123053] ____fput+0x15/0x20 [ 43.126296] task_work_run+0x199/0x270 [ 43.130146] ? task_work_cancel+0x210/0x210 [ 43.134435] ? _raw_spin_unlock+0x22/0x30 [ 43.138547] ? switch_task_namespaces+0x87/0xc0 [ 43.143183] do_exit+0x9bb/0x1ae0 [ 43.146600] ? binder_ioctl+0x4a1/0x141a [ 43.150624] ? mm_update_next_owner+0x930/0x930 [ 43.155257] ? binder_ioctl_write_read.isra.41+0xcb0/0xcb0 [ 43.160846] ? avc_ss_reset+0x110/0x110 [ 43.164785] ? mutex_unlock+0xd/0x10 [ 43.168464] ? SyS_epoll_ctl+0x30a/0x1ab0 [ 43.172579] ? down_read_trylock+0xdb/0x170 [ 43.176866] ? trace_event_raw_event_sched_switch+0x800/0x800 [ 43.182712] ? up_read+0x1a/0x40 [ 43.186041] ? rcu_note_context_switch+0x710/0x710 [ 43.190934] ? __fd_install+0x288/0x740 [ 43.194873] ? binder_ioctl_write_read.isra.41+0xcb0/0xcb0 [ 43.200459] ? do_vfs_ioctl+0x492/0x1530 [ 43.204485] ? _cond_resched+0x14/0x30 [ 43.208338] ? ioctl_preallocate+0x2b0/0x2b0 [ 43.212712] ? selinux_capable+0x40/0x40 [ 43.216738] ? __alloc_fd+0x750/0x750 [ 43.220505] do_group_exit+0x149/0x400 [ 43.224356] ? SyS_exit+0x30/0x30 [ 43.227771] ? trace_hardirqs_on_caller+0x421/0x5c0 [ 43.232753] ? 
trace_hardirqs_on_thunk+0x1a/0x1c [ 43.237473] SyS_exit_group+0x1d/0x20 [ 43.241239] entry_SYSCALL_64_fastpath+0x1f/0x96 [ 43.245958] RIP: 0033:0x442a38 [ 43.249112] RSP: 002b:00007ffcf66ea178 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7 [ 43.256784] RAX: ffffffffffffffda RBX: 00000000004002e0 RCX: 0000000000442a38 [ 43.264019] RDX: 0000000000000000 RSI: 000000000000003c RDI: 0000000000000000 [ 43.271255] RBP: 00000000006ce018 R08: 00000000000000e7 R09: ffffffffffffffd0 [ 43.278489] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000401a80 [ 43.285723] R13: 0000000000401b10 R14: 0000000000000000 R15: 0000000000000000 [ 43.292997] Dumping ftrace buffer: [ 43.296501] (ftrace buffer empty) [ 43.300179] Kernel Offset: disabled [ 43.303771] Rebooting in 86400 seconds..