INIT: Entering runlevel: 2 [info] Using makefile-style concurrent boot in runlevel 2. [....] Starting enhanced syslogd: rsyslogd[?25l[?1c7[ ok 8[?25h[?0c. [....] Starting periodic command scheduler: cron[?25l[?1c7[ ok 8[?25h[?0c. [....] Starting OpenBSD Secure Shell server: sshd[?25l[?1c7[ ok 8[?25h[?0c. Debian GNU/Linux 7 syzkaller ttyS0 Warning: Permanently added 'ci-upstream-next-kasan-gce-6,10.128.15.227' (ECDSA) to the list of known hosts. 2017/10/01 01:42:09 parsed 1 programs 2017/10/01 01:42:09 executed programs: 0 syzkaller login: [ 50.371397] ================================================================== [ 50.372467] BUG: KASAN: use-after-free in __lock_acquire+0x407b/0x4620 [ 50.373366] Read of size 8 at addr ffff8801c69763e8 by task syz-executor6/4583 [ 50.374442] [ 50.374684] CPU: 1 PID: 4583 Comm: syz-executor6 Not tainted 4.14.0-rc2-next-20170929+ #32 [ 50.375840] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 50.377200] Call Trace: [ 50.377586] dump_stack+0x194/0x257 [ 50.378094] ? arch_local_irq_restore+0x53/0x53 [ 50.378102] ? show_regs_print_info+0x65/0x65 [ 50.378111] ? __kernel_text_address+0xd/0x40 [ 50.378119] ? __lock_acquire+0x407b/0x4620 [ 50.378127] print_address_description+0x73/0x250 [ 50.378133] ? __lock_acquire+0x407b/0x4620 [ 50.378137] kasan_report+0x25b/0x340 [ 50.378146] __asan_report_load8_noabort+0x14/0x20 [ 50.378152] __lock_acquire+0x407b/0x4620 [ 50.378160] ? unwind_dump+0x4c0/0x4c0 [ 50.378164] ? __unwind_start+0x169/0x330 [ 50.378170] ? __kernel_text_address+0xd/0x40 [ 50.378176] ? unwind_get_return_address+0x61/0xa0 [ 50.378188] ? debug_check_no_locks_freed+0x3d0/0x3d0 [ 50.378193] ? unwind_get_return_address+0x61/0xa0 [ 50.378201] ? __save_stack_trace+0x61/0xd0 [ 50.378209] ? get_signal+0x73f/0x16d0 [ 50.378216] ? save_stack_trace+0x16/0x20 [ 50.378222] ? __lock_acquire+0x20fd/0x4620 [ 50.378232] ? debug_check_no_locks_freed+0x3d0/0x3d0 [ 50.378244] ? debug_check_no_locks_freed+0x3d0/0x3d0 [ 50.378250] ? save_stack_trace+0x16/0x20 [ 50.378256] ? __lock_acquire+0x20fd/0x4620 [ 50.378262] ? osq_unlock+0x350/0x350 [ 50.378267] ? save_stack_trace+0x16/0x20 [ 50.378275] ? lock_release+0xd70/0xd70 [ 50.378282] ? check_noncircular+0x20/0x20 [ 50.378290] ? debug_check_no_locks_freed+0x3d0/0x3d0 [ 50.378299] ? debug_check_no_locks_freed+0x3d0/0x3d0 [ 50.378311] ? find_held_lock+0x39/0x1d0 [ 50.378322] ? lock_downgrade+0x990/0x990 [ 50.378328] ? check_noncircular+0x20/0x20 [ 50.378335] lock_acquire+0x1d5/0x580 [ 50.378343] ? exit_pi_state_list+0x369/0x7a0 [ 50.378357] ? lock_release+0xd70/0xd70 [ 50.378362] ? do_raw_spin_trylock+0x190/0x190 [ 50.378368] ? find_held_lock+0x39/0x1d0 [ 50.378382] _raw_spin_lock_irq+0x5e/0x80 [ 50.378388] ? exit_pi_state_list+0x369/0x7a0 [ 50.378393] exit_pi_state_list+0x369/0x7a0 [ 50.378405] ? futex_wait_requeue_pi.constprop.19+0x1300/0x1300 [ 50.378412] ? lock_release+0xd70/0xd70 [ 50.378419] ? trace_event_raw_event_sched_switch+0x770/0x770 [ 50.378426] ? _raw_spin_unlock_irqrestore+0x31/0xba [ 50.378436] ? __might_sleep+0x95/0x190 [ 50.378444] ? __might_fault+0x188/0x1d0 [ 50.378452] ? do_raw_spin_trylock+0x190/0x190 [ 50.378462] mm_release+0x46d/0x590 [ 50.378467] ? do_raw_spin_trylock+0x190/0x190 [ 50.378473] ? mm_access+0x140/0x140 [ 50.378479] ? _raw_spin_unlock_irq+0x27/0x70 [ 50.378486] ? trace_hardirqs_on_caller+0x421/0x5c0 [ 50.378493] ? trace_hardirqs_on+0xd/0x10 [ 50.378499] ? _raw_spin_unlock_irq+0x27/0x70 [ 50.378505] ? acct_collect+0x637/0x800 [ 50.378512] do_exit+0x481/0x1b00 [ 50.378521] ? mm_update_next_owner+0x930/0x930 [ 50.378529] ? trace_event_raw_event_sched_switch+0x770/0x770 [ 50.378537] ? find_held_lock+0x39/0x1d0 [ 50.378550] ? refill_pi_state_cache.part.6+0x2f0/0x2f0 [ 50.378558] ? check_noncircular+0x20/0x20 [ 50.378569] ? fault_in_user_writeable+0x90/0x90 [ 50.378576] ? futex_wake+0x680/0x680 [ 50.378585] ? find_held_lock+0x39/0x1d0 [ 50.378596] ? lock_downgrade+0x990/0x990 [ 50.378603] ? recalc_sigpending_tsk+0x117/0x150 [ 50.378610] ? recalc_sigpending+0x103/0x160 [ 50.378616] ? recalc_sigpending_tsk+0x150/0x150 [ 50.378621] ? get_signal+0x2b2/0x16d0 [ 50.378631] do_group_exit+0x149/0x400 [ 50.378638] ? __lock_is_held+0xbc/0x140 [ 50.378643] ? SyS_exit+0x30/0x30 [ 50.378649] ? _raw_spin_unlock_irq+0x27/0x70 [ 50.378656] ? trace_hardirqs_on_caller+0x421/0x5c0 [ 50.378664] get_signal+0x73f/0x16d0 [ 50.378673] ? ptrace_notify+0x130/0x130 [ 50.378686] ? exit_robust_list+0x240/0x240 [ 50.378698] do_signal+0x94/0x1ee0 [ 50.378705] ? lock_release+0xd70/0xd70 [ 50.378713] ? find_held_lock+0x39/0x1d0 [ 50.378720] ? setup_sigcontext+0x7d0/0x7d0 [ 50.378730] ? lock_downgrade+0x990/0x990 [ 50.378743] ? lock_release+0xd70/0xd70 [ 50.378749] ? trace_event_raw_event_sched_switch+0x770/0x770 [ 50.378758] ? exit_to_usermode_loop+0x8c/0x310 [ 50.378767] exit_to_usermode_loop+0x214/0x310 [ 50.378775] ? trace_event_raw_event_sys_exit+0x260/0x260 [ 50.378781] ? kasan_check_write+0x14/0x20 [ 50.378791] syscall_return_slowpath+0x42f/0x510 [ 50.378798] ? prepare_exit_to_usermode+0x2d0/0x2d0 [ 50.378805] ? entry_SYSCALL_64_fastpath+0x91/0xbe [ 50.378812] ? trace_hardirqs_on_caller+0x421/0x5c0 [ 50.378819] ? trace_hardirqs_on_thunk+0x1a/0x1c [ 50.378829] entry_SYSCALL_64_fastpath+0xbc/0xbe [ 50.378834] RIP: 0033:0x4520a9 [ 50.378837] RSP: 002b:00007fa5dcf8ecf8 EFLAGS: 00000246 ORIG_RAX: 00000000000000ca [ 50.378844] RAX: fffffffffffffe00 RBX: 0000000000718238 RCX: 00000000004520a9 [ 50.378847] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000718238 [ 50.378850] RBP: 0000000000718210 R08: 0000000000000000 R09: 0000000000000000 [ 50.378853] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 [ 50.378857] R13: 00007fff9f6b1c5f R14: 00007fa5dcf8f9c0 R15: 000000000000000e [ 50.378866] [ 50.378869] Allocated by task 4607: [ 50.378875] save_stack_trace+0x16/0x20 [ 50.378879] save_stack+0x43/0xd0 [ 50.378883] kasan_kmalloc+0xad/0xe0 [ 50.378890] kmem_cache_alloc_trace+0x136/0x750 [ 50.378895] refill_pi_state_cache.part.6+0xa5/0x2f0 [ 50.378900] futex_requeue+0x1887/0x2370 [ 50.378904] do_futex+0x7f5/0x20d0 [ 50.378909] SyS_futex+0x260/0x390 [ 50.378914] entry_SYSCALL_64_fastpath+0x1f/0xbe [ 50.378915] [ 50.378918] Freed by task 4576: [ 50.378922] save_stack_trace+0x16/0x20 [ 50.378926] save_stack+0x43/0xd0 [ 50.378931] kasan_slab_free+0x71/0xc0 [ 50.378935] kfree+0xca/0x250 [ 50.378939] put_pi_state+0x3f4/0x560 [ 50.378944] unqueue_me_pi+0x4a/0xc0 [ 50.378949] futex_wait_requeue_pi.constprop.19+0xc7f/0x1300 [ 50.378954] do_futex+0x825/0x20d0 [ 50.378958] SyS_futex+0x260/0x390 [ 50.378964] entry_SYSCALL_64_fastpath+0x1f/0xbe [ 50.378965] [ 50.378969] The buggy address belongs to the object at ffff8801c69763c0 [ 50.378969] which belongs to the cache kmalloc-256 of size 256 [ 50.378974] The buggy address is located 40 bytes inside of [ 50.378974] 256-byte region [ffff8801c69763c0, ffff8801c69764c0) [ 50.378975] The buggy address belongs to the page: [ 50.378980] page:ffffea00071a5d80 count:1 mapcount:0 mapping:ffff8801c6976000 index:0x0 [ 50.378985] flags: 0x200000000000100(slab) [ 50.378993] raw: 0200000000000100 ffff8801c6976000 0000000000000000 000000010000000c [ 50.379000] raw: ffffea00071c0da0 ffffea00074084a0 ffff8801dac007c0 0000000000000000 [ 50.379003] page dumped because: kasan: bad access detected [ 50.379004] [ 50.379005] Memory state around the buggy address: [ 50.379010] ffff8801c6976280: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 50.379014] ffff8801c6976300: 00 00 00 00 00 00 00 00 00 00 00 00 fc fc fc fc [ 50.379019] >ffff8801c6976380: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb [ 50.379021] ^ [ 50.379025] ffff8801c6976400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 50.379029] ffff8801c6976480: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc [ 50.379031] ================================================================== [ 50.379032] Disabling lock debugging due to kernel taint [ 50.379036] Kernel panic - not syncing: panic_on_warn set ... [ 50.379036] [ 50.379043] CPU: 1 PID: 4583 Comm: syz-executor6 Tainted: G B 4.14.0-rc2-next-20170929+ #32 [ 50.379046] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 50.379048] Call Trace: [ 50.379054] dump_stack+0x194/0x257 [ 50.379062] ? arch_local_irq_restore+0x53/0x53 [ 50.379068] ? vprintk_default+0x28/0x30 [ 50.379076] ? __lock_acquire+0x4000/0x4620 [ 50.379082] panic+0x1e4/0x41c [ 50.379089] ? refcount_error_report+0x214/0x214 [ 50.379101] ? __lock_acquire+0x407b/0x4620 [ 50.379106] kasan_end_report+0x50/0x50 [ 50.379112] kasan_report+0x144/0x340 [ 50.379120] __asan_report_load8_noabort+0x14/0x20 [ 50.379126] __lock_acquire+0x407b/0x4620 [ 50.379132] ? unwind_dump+0x4c0/0x4c0 [ 50.379136] ? __unwind_start+0x169/0x330 [ 50.379142] ? __kernel_text_address+0xd/0x40 [ 50.379148] ? unwind_get_return_address+0x61/0xa0 [ 50.379159] ? debug_check_no_locks_freed+0x3d0/0x3d0 [ 50.379164] ? unwind_get_return_address+0x61/0xa0 [ 50.379171] ? __save_stack_trace+0x61/0xd0 [ 50.379178] ? get_signal+0x73f/0x16d0 [ 50.379185] ? save_stack_trace+0x16/0x20 [ 50.379191] ? __lock_acquire+0x20fd/0x4620 [ 50.379201] ? debug_check_no_locks_freed+0x3d0/0x3d0 [ 50.379212] ? debug_check_no_locks_freed+0x3d0/0x3d0 [ 50.379219] ? save_stack_trace+0x16/0x20 [ 50.379224] ? __lock_acquire+0x20fd/0x4620 [ 50.379230] ? osq_unlock+0x350/0x350 [ 50.379235] ? save_stack_trace+0x16/0x20 [ 50.379243] ? lock_release+0xd70/0xd70 [ 50.379251] ? check_noncircular+0x20/0x20 [ 50.379259] ? debug_check_no_locks_freed+0x3d0/0x3d0 [ 50.379267] ? debug_check_no_locks_freed+0x3d0/0x3d0 [ 50.379279] ? find_held_lock+0x39/0x1d0 [ 50.379289] ? lock_downgrade+0x990/0x990 [ 50.379295] ? check_noncircular+0x20/0x20 [ 50.379302] lock_acquire+0x1d5/0x580 [ 50.379308] ? exit_pi_state_list+0x369/0x7a0 [ 50.379317] ? lock_release+0xd70/0xd70 [ 50.379322] ? do_raw_spin_trylock+0x190/0x190 [ 50.379327] ? find_held_lock+0x39/0x1d0 [ 50.379340] _raw_spin_lock_irq+0x5e/0x80 [ 50.379345] ? exit_pi_state_list+0x369/0x7a0 [ 50.379351] exit_pi_state_list+0x369/0x7a0 [ 50.379365] ? futex_wait_requeue_pi.constprop.19+0x1300/0x1300 [ 50.379373] ? lock_release+0xd70/0xd70 [ 50.379379] ? trace_event_raw_event_sched_switch+0x770/0x770 [ 50.379386] ? _raw_spin_unlock_irqrestore+0x31/0xba [ 50.379395] ? __might_sleep+0x95/0x190 [ 50.379402] ? __might_fault+0x188/0x1d0 [ 50.379410] ? do_raw_spin_trylock+0x190/0x190 [ 50.379417] mm_release+0x46d/0x590 [ 50.379422] ? do_raw_spin_trylock+0x190/0x190 [ 50.379428] ? mm_access+0x140/0x140 [ 50.379435] ? _raw_spin_unlock_irq+0x27/0x70 [ 50.379442] ? trace_hardirqs_on_caller+0x421/0x5c0 [ 50.379450] ? trace_hardirqs_on+0xd/0x10 [ 50.379457] ? _raw_spin_unlock_irq+0x27/0x70 [ 50.379462] ? acct_collect+0x637/0x800 [ 50.379470] do_exit+0x481/0x1b00 [ 50.379479] ? mm_update_next_owner+0x930/0x930 [ 50.379487] ? trace_event_raw_event_sched_switch+0x770/0x770 [ 50.379495] ? find_held_lock+0x39/0x1d0 [ 50.379506] ? refill_pi_state_cache.part.6+0x2f0/0x2f0 [ 50.379514] ? check_noncircular+0x20/0x20 [ 50.379525] ? fault_in_user_writeable+0x90/0x90 [ 50.379532] ? futex_wake+0x680/0x680 [ 50.379540] ? find_held_lock+0x39/0x1d0 [ 50.379551] ? lock_downgrade+0x990/0x990 [ 50.379558] ? recalc_sigpending_tsk+0x117/0x150 [ 50.379565] ? recalc_sigpending+0x103/0x160 [ 50.379571] ? recalc_sigpending_tsk+0x150/0x150 [ 50.379576] ? get_signal+0x2b2/0x16d0 [ 50.379586] do_group_exit+0x149/0x400 [ 50.379592] ? __lock_is_held+0xbc/0x140 [ 50.379597] ? SyS_exit+0x30/0x30 [ 50.379603] ? _raw_spin_unlock_irq+0x27/0x70 [ 50.379611] ? trace_hardirqs_on_caller+0x421/0x5c0 [ 50.379618] get_signal+0x73f/0x16d0 [ 50.379627] ? ptrace_notify+0x130/0x130 [ 50.379640] ? exit_robust_list+0x240/0x240 [ 50.379651] do_signal+0x94/0x1ee0 [ 50.379657] ? lock_release+0xd70/0xd70 [ 50.379665] ? find_held_lock+0x39/0x1d0 [ 50.379672] ? setup_sigcontext+0x7d0/0x7d0 [ 50.379681] ? lock_downgrade+0x990/0x990 [ 50.379694] ? lock_release+0xd70/0xd70 [ 50.379701] ? trace_event_raw_event_sched_switch+0x770/0x770 [ 50.379708] ? exit_to_usermode_loop+0x8c/0x310