2017/10/26 06:37:39 parsed 1 programs 2017/10/26 06:37:39 executed programs: 0 syzkaller login: [ 27.098075] ================================================================== [ 27.098900] BUG: KASAN: use-after-free in __lock_acquire+0x3c9f/0x3d50 [ 27.099638] Read of size 8 at addr ffff880067f8eb68 by task syz-executor3/3844 [ 27.100367] [ 27.100511] CPU: 3 PID: 3844 Comm: syz-executor3 Not tainted 4.14.0-rc5-next-20171018+ #8 [ 27.101248] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011 [ 27.102024] Call Trace: [ 27.102319] dump_stack+0x194/0x257 [ 27.102727] ? arch_local_irq_restore+0x53/0x53 [ 27.103208] ? show_regs_print_info+0x65/0x65 [ 27.103693] ? print_irqtrace_events+0x270/0x270 [ 27.104173] ? print_irqtrace_events+0x270/0x270 [ 27.104670] ? __lock_acquire+0x3c9f/0x3d50 [ 27.105554] print_address_description+0x73/0x250 [ 27.106052] ? __lock_acquire+0x3c9f/0x3d50 [ 27.106511] kasan_report+0x25b/0x340 [ 27.106917] __asan_report_load8_noabort+0x14/0x20 [ 27.107398] __lock_acquire+0x3c9f/0x3d50 [ 27.107822] ? debug_check_no_locks_freed+0x3c0/0x3c0 [ 27.108313] ? exit_pi_state_list+0x369/0x7a0 [ 27.108674] ? debug_check_no_locks_freed+0x3c0/0x3c0 [ 27.109807] ? __lock_acquire+0x6aa/0x3d50 [ 27.110164] ? __lock_acquire+0x6aa/0x3d50 [ 27.110549] ? __lock_acquire+0x6aa/0x3d50 [ 27.110953] ? debug_check_no_locks_freed+0x3c0/0x3c0 [ 27.111850] ? debug_check_no_locks_freed+0x3c0/0x3c0 [ 27.113152] ? find_held_lock+0x35/0x1d0 [ 27.113528] ? osq_unlock+0x350/0x350 [ 27.113888] ? __lock_acquire+0x6aa/0x3d50 [ 27.114281] ? check_noncircular+0x20/0x20 [ 27.114670] ? debug_check_no_locks_freed+0x3c0/0x3c0 [ 27.115141] ? check_noncircular+0x20/0x20 [ 27.115526] ? print_irqtrace_events+0x270/0x270 [ 27.115962] ? find_held_lock+0x35/0x1d0 [ 27.116334] ? kprobe_flush_task+0x1a3/0x5d0 [ 27.116735] ? find_held_lock+0x35/0x1d0 [ 27.117135] lock_acquire+0x1d5/0x580 [ 27.117449] ? lock_acquire+0x1d5/0x580 [ 27.117814] ? exit_pi_state_list+0x369/0x7a0 [ 27.118228] ? lock_downgrade+0x990/0x990 [ 27.118608] ? lock_release+0xa40/0xa40 [ 27.118975] ? do_raw_spin_trylock+0x190/0x190 [ 27.119394] ? trace_hardirqs_on+0xd/0x10 [ 27.119776] _raw_spin_lock_irq+0x5e/0x80 [ 27.120166] ? exit_pi_state_list+0x369/0x7a0 [ 27.120566] exit_pi_state_list+0x369/0x7a0 [ 27.120934] ? futex_wait_requeue_pi.constprop.19+0x1300/0x1300 [ 27.121492] ? lock_release+0xa40/0xa40 [ 27.121869] ? trace_event_raw_event_sched_switch+0x8a0/0x8a0 [ 27.122435] ? _raw_spin_unlock_irqrestore+0x31/0xba [ 27.122988] ? __might_sleep+0x95/0x190 [ 27.123309] ? __might_fault+0x188/0x1d0 [ 27.123622] ? do_raw_spin_trylock+0x190/0x190 [ 27.123989] mm_release+0x46d/0x590 [ 27.124297] ? do_raw_spin_trylock+0x190/0x190 [ 27.124702] ? mm_access+0x140/0x140 [ 27.125053] ? _raw_spin_unlock_irq+0x27/0x70 [ 27.125466] ? trace_hardirqs_on_caller+0x421/0x5c0 [ 27.125923] ? trace_hardirqs_on+0xd/0x10 [ 27.126304] ? _raw_spin_unlock_irq+0x27/0x70 [ 27.126722] ? acct_collect+0x637/0x800 [ 27.127096] do_exit+0x481/0x1ad0 [ 27.127528] ? mm_update_next_owner+0x930/0x930 [ 27.127935] ? trace_event_raw_event_sched_switch+0x8a0/0x8a0 [ 27.128496] ? rcu_note_context_switch+0x710/0x710 [ 27.128952] ? futex_wait_setup+0x14a/0x3d0 [ 27.129348] ? __might_sleep+0x95/0x190 [ 27.129707] ? find_held_lock+0x35/0x1d0 [ 27.130076] ? futex_wait+0x402/0x990 [ 27.130506] ? lock_downgrade+0x990/0x990 [ 27.130944] ? do_raw_spin_trylock+0x190/0x190 [ 27.131423] ? check_noncircular+0x20/0x20 [ 27.131864] ? futex_wake+0x680/0x680 [ 27.132259] ? mmdrop+0x18/0x30 [ 27.132592] ? drop_futex_key_refs.isra.13+0x63/0xa0 [ 27.133084] ? futex_wait+0x69e/0x990 [ 27.133742] ? find_held_lock+0x35/0x1d0 [ 27.134043] ? get_signal+0x7ae/0x16d0 [ 27.134309] ? lock_downgrade+0x990/0x990 [ 27.134557] do_group_exit+0x149/0x400 [ 27.134835] ? __lock_is_held+0xb6/0x140 [ 27.135131] ? SyS_exit+0x30/0x30 [ 27.135394] ? _raw_spin_unlock_irq+0x27/0x70 [ 27.135697] ? trace_hardirqs_on_caller+0x421/0x5c0 [ 27.136091] get_signal+0x73f/0x16d0 [ 27.136416] ? ptrace_notify+0x130/0x130 [ 27.136693] ? is_bpf_text_address+0xa4/0x120 [ 27.137148] ? exit_robust_list+0x240/0x240 [ 27.137545] do_signal+0x94/0x1ee0 [ 27.137802] ? lock_release+0xa40/0xa40 [ 27.138111] ? should_fail+0x23b/0xa40 [ 27.138415] ? fault_create_debugfs_attr+0x1f0/0x1f0 [ 27.138861] ? setup_sigcontext+0x7d0/0x7d0 [ 27.139251] ? find_held_lock+0x35/0x1d0 [ 27.139667] ? lock_downgrade+0x990/0x990 [ 27.140043] ? lock_release+0xa40/0xa40 [ 27.140398] ? trace_event_raw_event_sched_switch+0x8a0/0x8a0 [ 27.140936] ? exit_to_usermode_loop+0x8c/0x310 [ 27.141361] exit_to_usermode_loop+0x214/0x310 [ 27.141779] ? trace_event_raw_event_sys_exit+0x260/0x260 [ 27.142297] ? kasan_check_write+0x14/0x20 [ 27.142811] syscall_return_slowpath+0x42f/0x510 [ 27.143263] ? prepare_exit_to_usermode+0x2d0/0x2d0 [ 27.143752] ? entry_SYSCALL_64_fastpath+0x91/0xbe [ 27.144226] ? trace_hardirqs_on_caller+0x421/0x5c0 [ 27.144702] ? trace_hardirqs_on_thunk+0x1a/0x1c [ 27.145159] entry_SYSCALL_64_fastpath+0xbc/0xbe [ 27.145607] RIP: 0033:0x447c89 [ 27.145863] RSP: 002b:00007fc84dee9ce8 EFLAGS: 00000246 ORIG_RAX: 00000000000000ca [ 27.146362] RAX: fffffffffffffe00 RBX: 0000000000748270 RCX: 0000000000447c89 [ 27.146787] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000748270 [ 27.147373] RBP: 0000000000748270 R08: 0000000000000000 R09: 0000000000748248 [ 27.147809] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 [ 27.148250] R13: 0000000000000000 R14: 00007fc84deea9c0 R15: 00007fc84deea700 [ 27.148693] [ 27.148867] Allocated by task 3878: [ 27.149190] save_stack+0x43/0xd0 [ 27.149413] kasan_kmalloc+0xad/0xe0 [ 27.149674] kmem_cache_alloc_trace+0x136/0x750 [ 27.149993] refill_pi_state_cache.part.6+0xa5/0x2f0 [ 27.150302] futex_requeue+0x1887/0x2370 [ 27.150580] do_futex+0x7f5/0x20d0 [ 27.150798] SyS_futex+0x260/0x390 [ 27.151067] entry_SYSCALL_64_fastpath+0x1f/0xbe [ 27.151349] [ 27.151465] Freed by task 3833: [ 27.151748] save_stack+0x43/0xd0 [ 27.152014] kasan_slab_free+0x71/0xc0 [ 27.152246] kfree+0xca/0x250 [ 27.152431] put_pi_state+0x3f4/0x560 [ 27.152657] unqueue_me_pi+0x4a/0xc0 [ 27.152993] futex_wait_requeue_pi.constprop.19+0xc7f/0x1300 [ 27.153377] do_futex+0x825/0x20d0 [ 27.153606] SyS_futex+0x260/0x390 [ 27.153821] entry_SYSCALL_64_fastpath+0x1f/0xbe [ 27.154114] [ 27.154212] The buggy address belongs to the object at ffff880067f8eb40 [ 27.154212] which belongs to the cache kmalloc-256 of size 256 [ 27.155843] The buggy address is located 40 bytes inside of [ 27.155843] 256-byte region [ffff880067f8eb40, ffff880067f8ec40) [ 27.156954] The buggy address belongs to the page: [ 27.157454] page:ffffea00019fe380 count:1 mapcount:0 mapping:ffff880067f8e000 index:0xffff880067f8e780 [ 27.158248] flags: 0x500000000000100(slab) [ 27.158575] raw: 0500000000000100 ffff880067f8e000 ffff880067f8e780 0000000100000005 [ 27.159270] raw: ffffea0001aeada0 ffffea0001b4b560 ffff88003e8007c0 0000000000000000 [ 27.159855] page dumped because: kasan: bad access detected [ 27.160353] [ 27.160497] Memory state around the buggy address: [ 27.161059] ffff880067f8ea00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 27.161719] ffff880067f8ea80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 27.162238] >ffff880067f8eb00: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb [ 27.162708] ^ [ 27.163142] ffff880067f8eb80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 27.163629] ffff880067f8ec00: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc [ 27.164078] ================================================================== [ 27.164564] Disabling lock debugging due to kernel taint [ 27.164945] Kernel panic - not syncing: panic_on_warn set ... [ 27.164945] [ 27.165465] CPU: 3 PID: 3844 Comm: syz-executor3 Tainted: G B 4.14.0-rc5-next-20171018+ #8 [ 27.166252] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011 [ 27.166954] Call Trace: [ 27.167197] dump_stack+0x194/0x257 [ 27.167523] ? arch_local_irq_restore+0x53/0x53 [ 27.167944] ? kasan_end_report+0x32/0x50 [ 27.168280] ? lock_downgrade+0x990/0x990 [ 27.168623] ? vsnprintf+0x1ed/0x1900 [ 27.169052] ? __lock_acquire+0x3c50/0x3d50 [ 27.169447] panic+0x1e4/0x41c [ 27.169739] ? refcount_error_report+0x214/0x214 [ 27.170220] ? add_taint+0x40/0x50 [ 27.170552] ? add_taint+0x1c/0x50 [ 27.170887] ? __lock_acquire+0x3c9f/0x3d50 [ 27.171288] kasan_end_report+0x50/0x50 [ 27.171663] kasan_report+0x144/0x340 [ 27.172023] __asan_report_load8_noabort+0x14/0x20 [ 27.172470] __lock_acquire+0x3c9f/0x3d50 [ 27.172859] ? debug_check_no_locks_freed+0x3c0/0x3c0 [ 27.173338] ? exit_pi_state_list+0x369/0x7a0 [ 27.173741] ? debug_check_no_locks_freed+0x3c0/0x3c0 [ 27.174214] ? __lock_acquire+0x6aa/0x3d50 [ 27.174603] ? __lock_acquire+0x6aa/0x3d50 [ 27.174993] ? __lock_acquire+0x6aa/0x3d50 [ 27.175386] ? debug_check_no_locks_freed+0x3c0/0x3c0 [ 27.175864] ? debug_check_no_locks_freed+0x3c0/0x3c0 [ 27.177890] ? find_held_lock+0x35/0x1d0 [ 27.178290] ? osq_unlock+0x350/0x350 [ 27.178656] ? __lock_acquire+0x6aa/0x3d50 [ 27.179044] ? check_noncircular+0x20/0x20 [ 27.179418] ? debug_check_no_locks_freed+0x3c0/0x3c0 [ 27.179874] ? check_noncircular+0x20/0x20 [ 27.180251] ? print_irqtrace_events+0x270/0x270 [ 27.180977] ? find_held_lock+0x35/0x1d0 [ 27.181353] ? kprobe_flush_task+0x1a3/0x5d0 [ 27.181764] ? find_held_lock+0x35/0x1d0 [ 27.182068] lock_acquire+0x1d5/0x580 [ 27.182336] ? lock_acquire+0x1d5/0x580 [ 27.182596] ? exit_pi_state_list+0x369/0x7a0 [ 27.182952] ? lock_downgrade+0x990/0x990 [ 27.183340] ? lock_release+0xa40/0xa40 [ 27.183700] ? do_raw_spin_trylock+0x190/0x190 [ 27.184105] ? trace_hardirqs_on+0xd/0x10 [ 27.184443] _raw_spin_lock_irq+0x5e/0x80 [ 27.184754] ? exit_pi_state_list+0x369/0x7a0 [ 27.185160] exit_pi_state_list+0x369/0x7a0 [ 27.185479] ? futex_wait_requeue_pi.constprop.19+0x1300/0x1300 [ 27.185951] ? lock_release+0xa40/0xa40 [ 27.186249] ? trace_event_raw_event_sched_switch+0x8a0/0x8a0 [ 27.186690] ? _raw_spin_unlock_irqrestore+0x31/0xba [ 27.187082] ? __might_sleep+0x95/0x190 [ 27.187375] ? __might_fault+0x188/0x1d0 [ 27.187676] ? do_raw_spin_trylock+0x190/0x190 [ 27.188022] mm_release+0x46d/0x590 [ 27.188295] ? do_raw_spin_trylock+0x190/0x190 [ 27.188633] ? mm_access+0x140/0x140 [ 27.189132] ? _raw_spin_unlock_irq+0x27/0x70 [ 27.189545] ? trace_hardirqs_on_caller+0x421/0x5c0 [ 27.190002] ? trace_hardirqs_on+0xd/0x10 [ 27.190379] ? _raw_spin_unlock_irq+0x27/0x70 [ 27.190792] ? acct_collect+0x637/0x800 [ 27.191159] do_exit+0x481/0x1ad0 [ 27.191481] ? mm_update_next_owner+0x930/0x930 [ 27.191910] ? trace_event_raw_event_sched_switch+0x8a0/0x8a0 [ 27.192389] ? rcu_note_context_switch+0x710/0x710 [ 27.192752] ? futex_wait_setup+0x14a/0x3d0 [ 27.193140] ? __might_sleep+0x95/0x190 [ 27.193430] ? find_held_lock+0x35/0x1d0 [ 27.193726] ? futex_wait+0x402/0x990 [ 27.194005] ? lock_downgrade+0x990/0x990 [ 27.194306] ? do_raw_spin_trylock+0x190/0x190 [ 27.194643] ? check_noncircular+0x20/0x20 [ 27.194963] ? futex_wake+0x680/0x680 [ 27.195246] ? mmdrop+0x18/0x30 [ 27.195489] ? drop_futex_key_refs.isra.13+0x63/0xa0 [ 27.195865] ? futex_wait+0x69e/0x990 [ 27.196150] ? find_held_lock+0x35/0x1d0 [ 27.196451] ? get_signal+0x7ae/0x16d0 [ 27.196737] ? lock_downgrade+0x990/0x990 [ 27.197161] do_group_exit+0x149/0x400 [ 27.197521] ? __lock_is_held+0xb6/0x140 [ 27.197896] ? SyS_exit+0x30/0x30 [ 27.198213] ? _raw_spin_unlock_irq+0x27/0x70 [ 27.198623] ? trace_hardirqs_on_caller+0x421/0x5c0 [ 27.199085] get_signal+0x73f/0x16d0 [ 27.199430] ? ptrace_notify+0x130/0x130 [ 27.199804] ? is_bpf_text_address+0xa4/0x120 [ 27.200219] ? exit_robust_list+0x240/0x240 [ 27.200602] do_signal+0x94/0x1ee0 [ 27.201266] ? lock_release+0xa40/0xa40 [ 27.201599] ? should_fail+0x23b/0xa40 [ 27.201964] ? fault_create_debugfs_attr+0x1f0/0x1f0 [ 27.202453] ? setup_sigcontext+0x7d0/0x7d0 [ 27.202867] ? find_held_lock+0x35/0x1d0 [ 27.203241] ? lock_downgrade+0x990/0x990 [ 27.203598] ? lock_release+0xa40/0xa40 [ 27.203967] ? trace_event_raw_event_sched_switch+0x8a0/0x8a0 [ 27.204496] ? exit_to_usermode_loop+0x8c/0x310 [ 27.205077] exit_to_usermode_loop+0x214/0x310 [ 27.205501] ? trace_event_raw_event_sys_exit+0x260/0x260 [ 27.206007] ? kasan_check_write+0x14/0x20 [ 27.206399] syscall_return_slowpath+0x42f/0x510 [ 27.206848] ? prepare_exit_to_usermode+0x2d0/0x2d0 [ 27.207312] ? entry_SYSCALL_64_fastpath+0x91/0xbe [ 27.207770] ? trace_hardirqs_on_caller+0x421/0x5c0 [ 27.208235] ? trace_hardirqs_on_thunk+0x1a/0x1c [ 27.208685] entry_SYSCALL_64_fastpath+0xbc/0xbe [ 27.209325] RIP: 0033:0x447c89 [ 27.209667] RSP: 002b:00007fc84dee9ce8 EFLAGS: 00000246 ORIG_RAX: 00000000000000ca [ 27.210488] RAX: fffffffffffffe00 RBX: 0000000000748270 RCX: 0000000000447c89 [ 27.211250] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000748270 [ 27.212023] RBP: 0000000000748270 R08: 0000000000000000 R09: 0000000000748248 [ 27.212683] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 [ 27.213380] R13: 0000000000000000 R14: 00007fc84deea9c0 R15: 00007fc84deea700 [ 27.214089] Dumping ftrace buffer: [ 27.214360] (ftrace buffer empty) [ 27.214646] Kernel Offset: disabled [ 27.214973] Rebooting in 86400 seconds..