Debian GNU/Linux 7 syzkaller ttyS0 2017/10/26 06:29:45 parsed 1 programs 2017/10/26 06:29:45 executed programs: 0 2017/10/26 06:29:50 executed programs: 35 2017/10/26 06:29:55 executed programs: 70 syzkaller login: [ 37.352201] ================================================================== [ 37.352841] BUG: KASAN: use-after-free in __lock_acquire+0x3c9f/0x3d50 [ 37.353351] Read of size 8 at addr ffff88003d938a68 by task syz-executor0/3422 [ 37.354069] [ 37.354186] CPU: 2 PID: 3422 Comm: syz-executor0 Not tainted 4.14.0-rc5-next-20171018+ #8 [ 37.354776] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011 [ 37.355461] Call Trace: [ 37.355704] dump_stack+0x194/0x257 [ 37.356041] ? arch_local_irq_restore+0x53/0x53 [ 37.356464] ? show_regs_print_info+0x65/0x65 [ 37.356879] ? print_irqtrace_events+0x270/0x270 [ 37.357382] ? print_irqtrace_events+0x270/0x270 [ 37.357888] ? __lock_acquire+0x3c9f/0x3d50 [ 37.358351] print_address_description+0x73/0x250 [ 37.358836] ? __lock_acquire+0x3c9f/0x3d50 [ 37.359134] kasan_report+0x25b/0x340 [ 37.359396] __asan_report_load8_noabort+0x14/0x20 [ 37.359754] __lock_acquire+0x3c9f/0x3d50 [ 37.360041] ? exit_pi_state_list+0x369/0x7a0 [ 37.360399] ? debug_check_no_locks_freed+0x3c0/0x3c0 [ 37.360775] ? __lock_acquire+0x6aa/0x3d50 [ 37.361080] ? __lock_acquire+0x6aa/0x3d50 [ 37.361372] ? __lock_acquire+0x6aa/0x3d50 [ 37.361678] ? debug_check_no_locks_freed+0x3c0/0x3c0 [ 37.362211] ? debug_check_no_locks_freed+0x3c0/0x3c0 [ 37.362762] ? check_noncircular+0x20/0x20 [ 37.363217] ? osq_unlock+0x350/0x350 [ 37.363566] ? __lock_acquire+0x6aa/0x3d50 [ 37.364002] ? debug_check_no_locks_freed+0x3c0/0x3c0 [ 37.364509] ? check_noncircular+0x20/0x20 [ 37.364937] ? print_irqtrace_events+0x270/0x270 [ 37.365425] ? check_noncircular+0x20/0x20 [ 37.365836] ? lock_release+0xa40/0xa40 [ 37.366254] ? switched_to_fair+0xb0/0xb0 [ 37.366665] ? __lock_is_held+0xb6/0x140 [ 37.367063] ? find_held_lock+0x35/0x1d0 [ 37.367487] lock_acquire+0x1d5/0x580 [ 37.367833] ? lock_acquire+0x1d5/0x580 [ 37.368792] ? exit_pi_state_list+0x369/0x7a0 [ 37.369290] ? lock_downgrade+0x990/0x990 [ 37.369729] ? lock_release+0xa40/0xa40 [ 37.370153] ? do_raw_spin_trylock+0x190/0x190 [ 37.370641] ? lock_downgrade+0x990/0x990 [ 37.371056] _raw_spin_lock_irq+0x5e/0x80 [ 37.371506] ? exit_pi_state_list+0x369/0x7a0 [ 37.371935] exit_pi_state_list+0x369/0x7a0 [ 37.372364] ? futex_wait_requeue_pi.constprop.19+0x1300/0x1300 [ 37.373124] ? lock_release+0xa40/0xa40 [ 37.373511] ? trace_event_raw_event_sched_switch+0x8a0/0x8a0 [ 37.374171] ? _raw_spin_unlock_irqrestore+0x31/0xba [ 37.374690] ? __might_sleep+0x95/0x190 [ 37.375156] ? __might_fault+0x188/0x1d0 [ 37.375533] ? do_raw_spin_trylock+0x190/0x190 [ 37.375985] mm_release+0x46d/0x590 [ 37.376321] ? do_raw_spin_trylock+0x190/0x190 [ 37.376745] ? mm_access+0x140/0x140 [ 37.377188] ? _raw_spin_unlock_irq+0x27/0x70 [ 37.377635] ? trace_hardirqs_on_caller+0x421/0x5c0 [ 37.378140] ? trace_hardirqs_on+0xd/0x10 [ 37.378543] ? _raw_spin_unlock_irq+0x27/0x70 [ 37.379040] ? acct_collect+0x637/0x800 [ 37.379436] do_exit+0x481/0x1ad0 [ 37.379750] ? mm_update_next_owner+0x930/0x930 [ 37.380179] ? trace_event_raw_event_sched_switch+0x8a0/0x8a0 [ 37.380625] ? rcu_note_context_switch+0x710/0x710 [ 37.381031] ? futex_wait_setup+0x14a/0x3d0 [ 37.381383] ? __might_sleep+0x95/0x190 [ 37.381674] ? find_held_lock+0x35/0x1d0 [ 37.381983] ? futex_wait+0x402/0x990 [ 37.382320] ? lock_downgrade+0x990/0x990 [ 37.382626] ? do_raw_spin_trylock+0x190/0x190 [ 37.382959] ? check_noncircular+0x20/0x20 [ 37.383271] ? futex_wake+0x680/0x680 [ 37.383559] ? mmdrop+0x18/0x30 [ 37.383914] ? drop_futex_key_refs.isra.13+0x63/0xa0 [ 37.384386] ? futex_wait+0x69e/0x990 [ 37.384681] ? find_held_lock+0x35/0x1d0 [ 37.385064] ? get_signal+0x7ae/0x16d0 [ 37.385357] ? lock_downgrade+0x990/0x990 [ 37.385702] do_group_exit+0x149/0x400 [ 37.386042] ? __lock_is_held+0xb6/0x140 [ 37.386390] ? SyS_exit+0x30/0x30 [ 37.386671] ? _raw_spin_unlock_irq+0x27/0x70 [ 37.387064] ? trace_hardirqs_on_caller+0x421/0x5c0 [ 37.387508] get_signal+0x73f/0x16d0 [ 37.387806] ? ptrace_notify+0x130/0x130 [ 37.388166] ? exit_robust_list+0x240/0x240 [ 37.388490] do_signal+0x94/0x1ee0 [ 37.388769] ? should_fail+0x23b/0xa40 [ 37.389101] ? check_noncircular+0x20/0x20 [ 37.389484] ? fault_create_debugfs_attr+0x1f0/0x1f0 [ 37.390100] ? setup_sigcontext+0x7d0/0x7d0 [ 37.390410] ? find_held_lock+0x35/0x1d0 [ 37.390713] ? lock_downgrade+0x990/0x990 [ 37.391058] ? lock_release+0xa40/0xa40 [ 37.391402] ? trace_event_raw_event_sched_switch+0x8a0/0x8a0 [ 37.391851] ? lock_downgrade+0x990/0x990 [ 37.392181] ? exit_to_usermode_loop+0x8c/0x310 [ 37.392521] exit_to_usermode_loop+0x214/0x310 [ 37.392911] ? trace_event_raw_event_sys_exit+0x260/0x260 [ 37.393363] ? kasan_check_write+0x14/0x20 [ 37.393721] syscall_return_slowpath+0x42f/0x510 [ 37.394110] ? prepare_exit_to_usermode+0x2d0/0x2d0 [ 37.394473] ? entry_SYSCALL_64_fastpath+0x91/0xbe [ 37.394942] ? trace_hardirqs_on_caller+0x421/0x5c0 [ 37.395443] ? trace_hardirqs_on_thunk+0x1a/0x1c [ 37.395903] entry_SYSCALL_64_fastpath+0xbc/0xbe [ 37.396233] RIP: 0033:0x447c89 [ 37.396465] RSP: 002b:00007f6057b8fce8 EFLAGS: 00000246 ORIG_RAX: 00000000000000ca [ 37.397060] RAX: fffffffffffffe00 RBX: 00000000007481b8 RCX: 0000000000447c89 [ 37.397726] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 00000000007481b8 [ 37.398232] RBP: 00000000007481b8 R08: 0000000000000000 R09: 0000000000748190 [ 37.398776] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 [ 37.399357] R13: 0000000000000000 R14: 00007f6057b909c0 R15: 00007f6057b90700 [ 37.399882] [ 37.400026] Allocated by task 3423: [ 37.400312] save_stack+0x43/0xd0 [ 37.400640] kasan_kmalloc+0xad/0xe0 [ 37.400910] kmem_cache_alloc_trace+0x136/0x750 [ 37.401237] refill_pi_state_cache.part.6+0xa5/0x2f0 [ 37.401590] futex_requeue+0x1887/0x2370 [ 37.401869] do_futex+0x7f5/0x20d0 [ 37.402117] SyS_futex+0x260/0x390 [ 37.402405] entry_SYSCALL_64_fastpath+0x1f/0xbe [ 37.402760] [ 37.402872] Freed by task 3421: [ 37.403127] save_stack+0x43/0xd0 [ 37.403381] kasan_slab_free+0x71/0xc0 [ 37.403667] kfree+0xca/0x250 [ 37.403887] put_pi_state+0x3f4/0x560 [ 37.404153] unqueue_me_pi+0x4a/0xc0 [ 37.404442] futex_wait_requeue_pi.constprop.19+0xc7f/0x1300 [ 37.404800] do_futex+0x825/0x20d0 [ 37.405013] SyS_futex+0x260/0x390 [ 37.405223] entry_SYSCALL_64_fastpath+0x1f/0xbe [ 37.405515] [ 37.405611] The buggy address belongs to the object at ffff88003d938a40 [ 37.405611] which belongs to the cache kmalloc-256 of size 256 [ 37.406415] The buggy address is located 40 bytes inside of [ 37.406415] 256-byte region [ffff88003d938a40, ffff88003d938b40) [ 37.407430] The buggy address belongs to the page: [ 37.407855] page:ffffea0000f64e00 count:1 mapcount:0 mapping:ffff88003d938040 index:0xffff88003d938680 [ 37.408542] flags: 0x100000000000100(slab) [ 37.408921] raw: 0100000000000100 ffff88003d938040 ffff88003d938680 0000000100000006 [ 37.409747] raw: ffffea0000f7e520 ffffea0000f44720 ffff88003e8007c0 0000000000000000 [ 37.410523] page dumped because: kasan: bad access detected [ 37.411503] [ 37.411668] Memory state around the buggy address: [ 37.412179] ffff88003d938900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 37.412924] ffff88003d938980: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 37.413607] >ffff88003d938a00: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb [ 37.414372] ^ [ 37.415099] ffff88003d938a80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 37.415838] ffff88003d938b00: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc [ 37.416435] ================================================================== [ 37.416968] Disabling lock debugging due to kernel taint [ 37.417380] Kernel panic - not syncing: panic_on_warn set ... [ 37.417380] [ 37.417929] CPU: 2 PID: 3422 Comm: syz-executor0 Tainted: G B 4.14.0-rc5-next-20171018+ #8 [ 37.418721] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011 [ 37.419359] Call Trace: [ 37.419540] dump_stack+0x194/0x257 [ 37.419836] ? arch_local_irq_restore+0x53/0x53 [ 37.420190] ? kasan_end_report+0x32/0x50 [ 37.420480] ? lock_downgrade+0x990/0x990 [ 37.420794] ? vsnprintf+0x1ed/0x1900 [ 37.421091] ? __lock_acquire+0x3c50/0x3d50 [ 37.421419] panic+0x1e4/0x41c [ 37.421644] ? refcount_error_report+0x214/0x214 [ 37.421979] ? add_taint+0x40/0x50 [ 37.422230] ? add_taint+0x1c/0x50 [ 37.422481] ? __lock_acquire+0x3c9f/0x3d50 [ 37.422784] kasan_end_report+0x50/0x50 [ 37.423063] kasan_report+0x144/0x340 [ 37.423333] __asan_report_load8_noabort+0x14/0x20 [ 37.423679] __lock_acquire+0x3c9f/0x3d50 [ 37.423972] ? exit_pi_state_list+0x369/0x7a0 [ 37.424303] ? debug_check_no_locks_freed+0x3c0/0x3c0 [ 37.424692] ? __lock_acquire+0x6aa/0x3d50 [ 37.425095] ? __lock_acquire+0x6aa/0x3d50 [ 37.425435] ? __lock_acquire+0x6aa/0x3d50 [ 37.425832] ? debug_check_no_locks_freed+0x3c0/0x3c0 [ 37.426310] ? debug_check_no_locks_freed+0x3c0/0x3c0 [ 37.426828] ? check_noncircular+0x20/0x20 [ 37.427269] ? osq_unlock+0x350/0x350 [ 37.427563] ? __lock_acquire+0x6aa/0x3d50 [ 37.427909] ? debug_check_no_locks_freed+0x3c0/0x3c0 [ 37.428321] ? check_noncircular+0x20/0x20 [ 37.428617] ? print_irqtrace_events+0x270/0x270 [ 37.429041] ? check_noncircular+0x20/0x20 [ 37.429461] ? lock_release+0xa40/0xa40 [ 37.429941] ? switched_to_fair+0xb0/0xb0 [ 37.430333] ? __lock_is_held+0xb6/0x140 [ 37.430731] ? find_held_lock+0x35/0x1d0 [ 37.431055] lock_acquire+0x1d5/0x580 [ 37.431481] ? lock_acquire+0x1d5/0x580 [ 37.431849] ? exit_pi_state_list+0x369/0x7a0 [ 37.432716] ? lock_downgrade+0x990/0x990 [ 37.433025] ? lock_release+0xa40/0xa40 [ 37.433309] ? do_raw_spin_trylock+0x190/0x190 [ 37.433632] ? lock_downgrade+0x990/0x990 [ 37.433941] _raw_spin_lock_irq+0x5e/0x80 [ 37.434262] ? exit_pi_state_list+0x369/0x7a0 [ 37.434581] exit_pi_state_list+0x369/0x7a0 [ 37.434890] ? futex_wait_requeue_pi.constprop.19+0x1300/0x1300 [ 37.435318] ? lock_release+0xa40/0xa40 [ 37.435629] ? trace_event_raw_event_sched_switch+0x8a0/0x8a0 [ 37.436216] ? _raw_spin_unlock_irqrestore+0x31/0xba [ 37.436773] ? __might_sleep+0x95/0x190 [ 37.437207] ? __might_fault+0x188/0x1d0 [ 37.437650] ? do_raw_spin_trylock+0x190/0x190 [ 37.438165] mm_release+0x46d/0x590 [ 37.438576] ? do_raw_spin_trylock+0x190/0x190 [ 37.439011] ? mm_access+0x140/0x140 [ 37.439359] ? _raw_spin_unlock_irq+0x27/0x70 [ 37.439844] ? trace_hardirqs_on_caller+0x421/0x5c0 [ 37.440340] ? trace_hardirqs_on+0xd/0x10 [ 37.440784] ? _raw_spin_unlock_irq+0x27/0x70 [ 37.441210] ? acct_collect+0x637/0x800 [ 37.441594] do_exit+0x481/0x1ad0 [ 37.441940] ? mm_update_next_owner+0x930/0x930 [ 37.442439] ? trace_event_raw_event_sched_switch+0x8a0/0x8a0 [ 37.443007] ? rcu_note_context_switch+0x710/0x710 [ 37.443474] ? futex_wait_setup+0x14a/0x3d0 [ 37.443949] ? __might_sleep+0x95/0x190 [ 37.444319] ? find_held_lock+0x35/0x1d0 [ 37.444770] ? futex_wait+0x402/0x990 [ 37.445188] ? lock_downgrade+0x990/0x990 [ 37.445591] ? do_raw_spin_trylock+0x190/0x190 [ 37.446108] ? check_noncircular+0x20/0x20 [ 37.446502] ? futex_wake+0x680/0x680 [ 37.446888] ? mmdrop+0x18/0x30 [ 37.447230] ? drop_futex_key_refs.isra.13+0x63/0xa0 [ 37.447725] ? futex_wait+0x69e/0x990 [ 37.448104] ? find_held_lock+0x35/0x1d0 [ 37.448532] ? get_signal+0x7ae/0x16d0 [ 37.448925] ? lock_downgrade+0x990/0x990 [ 37.449336] do_group_exit+0x149/0x400 [ 37.449728] ? __lock_is_held+0xb6/0x140 [ 37.450115] ? SyS_exit+0x30/0x30 [ 37.450446] ? _raw_spin_unlock_irq+0x27/0x70 [ 37.450777] ? trace_hardirqs_on_caller+0x421/0x5c0 [ 37.451168] get_signal+0x73f/0x16d0 [ 37.451514] ? ptrace_notify+0x130/0x130 [ 37.451897] ? exit_robust_list+0x240/0x240 [ 37.452331] do_signal+0x94/0x1ee0 [ 37.452681] ? should_fail+0x23b/0xa40 [ 37.453080] ? check_noncircular+0x20/0x20 [ 37.453487] ? fault_create_debugfs_attr+0x1f0/0x1f0 [ 37.453980] ? setup_sigcontext+0x7d0/0x7d0 [ 37.454391] ? find_held_lock+0x35/0x1d0 [ 37.454820] ? lock_downgrade+0x990/0x990 [ 37.455215] ? lock_release+0xa40/0xa40 [ 37.455588] ? trace_event_raw_event_sched_switch+0x8a0/0x8a0 [ 37.456055] ? lock_downgrade+0x990/0x990 [ 37.456398] ? exit_to_usermode_loop+0x8c/0x310 [ 37.456779] exit_to_usermode_loop+0x214/0x310 [ 37.457374] ? trace_event_raw_event_sys_exit+0x260/0x260 [ 37.457817] ? kasan_check_write+0x14/0x20 [ 37.458200] syscall_return_slowpath+0x42f/0x510 [ 37.458576] ? prepare_exit_to_usermode+0x2d0/0x2d0 [ 37.458950] ? entry_SYSCALL_64_fastpath+0x91/0xbe [ 37.459348] ? trace_hardirqs_on_caller+0x421/0x5c0 [ 37.459862] ? trace_hardirqs_on_thunk+0x1a/0x1c [ 37.460349] entry_SYSCALL_64_fastpath+0xbc/0xbe [ 37.460843] RIP: 0033:0x447c89 [ 37.461167] RSP: 002b:00007f6057b8fce8 EFLAGS: 00000246 ORIG_RAX: 00000000000000ca [ 37.461917] RAX: fffffffffffffe00 RBX: 00000000007481b8 RCX: 0000000000447c89 [ 37.462614] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 00000000007481b8 [ 37.463405] RBP: 00000000007481b8 R08: 0000000000000000 R09: 0000000000748190 [ 37.464119] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 [ 37.464838] R13: 0000000000000000 R14: 00007f6057b909c0 R15: 00007f6057b90700 [ 37.465680] Dumping ftrace buffer: [ 37.466042] (ftrace buffer empty) [ 37.466398] Kernel Offset: disabled [ 37.466747] Rebooting in 86400 seconds..