2017/10/26 02:10:19 parsed 1 programs
2017/10/26 02:10:19 executed programs: 0
syzkaller login: [ 17.905581] ==================================================================
[ 17.906282] BUG: KASAN: use-after-free in __lock_acquire+0x3c9f/0x3d50
[ 17.906889] Read of size 8 at addr ffff88003b0d4728 by task syz-executor0/2994
[ 17.907405]
[ 17.907522] CPU: 3 PID: 2994 Comm: syz-executor0 Not tainted 4.14.0-rc5-next-20171018+ #8
[ 17.908238] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
[ 17.908853] Call Trace:
[ 17.909090] dump_stack+0x194/0x257
[ 17.909421] ? arch_local_irq_restore+0x53/0x53
[ 17.909848] ? show_regs_print_info+0x65/0x65
[ 17.910260] ? print_irqtrace_events+0x270/0x270
[ 17.910693] ? print_irqtrace_events+0x270/0x270
[ 17.911365] ? __lock_acquire+0x3c9f/0x3d50
[ 17.911621] print_address_description+0x73/0x250
[ 17.911914] ? __lock_acquire+0x3c9f/0x3d50
[ 17.912186] kasan_report+0x25b/0x340
[ 17.912433] __asan_report_load8_noabort+0x14/0x20
[ 17.912744] __lock_acquire+0x3c9f/0x3d50
[ 17.912987] ? check_noncircular+0x20/0x20
[ 17.913248] ? exit_pi_state_list+0x369/0x7a0
[ 17.913511] ? debug_check_no_locks_freed+0x3c0/0x3c0
[ 17.913824] ? __lock_acquire+0x6aa/0x3d50
[ 17.914127] ? __lock_acquire+0x6aa/0x3d50
[ 17.914517] ? __lock_acquire+0x6aa/0x3d50
[ 17.914903] ? __lock_acquire+0x6aa/0x3d50
[ 17.915350] ? __lock_acquire+0x6aa/0x3d50
[ 17.915744] ? debug_check_no_locks_freed+0x3c0/0x3c0
[ 17.916224] ? debug_check_no_locks_freed+0x3c0/0x3c0
[ 17.916694] ? find_held_lock+0x35/0x1d0
[ 17.917052] ? osq_unlock+0x350/0x350
[ 17.917278] ? is_bpf_text_address+0x7b/0x120
[ 17.917542] ? find_held_lock+0x35/0x1d0
[ 17.917799] ? depot_save_stack+0x3b5/0x490
[ 17.918053] ? lock_downgrade+0x990/0x990
[ 17.918295] ? check_noncircular+0x20/0x20
[ 17.918543] ? do_raw_spin_trylock+0x190/0x190
[ 17.918825] ? is_bpf_text_address+0xa4/0x120
[ 17.919143] ? kernel_text_address+0x102/0x140
[ 17.919519] ? __kernel_text_address+0xd/0x40
[ 17.919996] ? unwind_get_return_address+0x61/0xa0
[ 17.920514] ? find_held_lock+0x35/0x1d0
[ 17.920900] lock_acquire+0x1d5/0x580
[ 17.921246] ? lock_acquire+0x1d5/0x580
[ 17.921602] ? exit_pi_state_list+0x369/0x7a0
[ 17.921883] ? lock_downgrade+0x990/0x990
[ 17.922134] ? lock_release+0xa40/0xa40
[ 17.922368] ? do_raw_spin_trylock+0x190/0x190
[ 17.922637] ? syscall_return_slowpath+0x42f/0x510
[ 17.922995] ? entry_SYSCALL_64_after_hwframe+0x7/0x29
[ 17.923486] _raw_spin_lock_irq+0x5e/0x80
[ 17.923789] ? exit_pi_state_list+0x369/0x7a0
[ 17.924138] exit_pi_state_list+0x369/0x7a0
[ 17.924440] ? futex_wait_requeue_pi.constprop.19+0x1300/0x1300
[ 17.924864] ? lock_release+0xa40/0xa40
[ 17.925181] ? trace_event_raw_event_sched_switch+0x8a0/0x8a0
[ 17.925693] ? _raw_spin_unlock_irqrestore+0x31/0xba
[ 17.926080] ? __might_sleep+0x95/0x190
[ 17.926314] ? __might_fault+0x188/0x1d0
[ 17.926610] ? do_raw_spin_trylock+0x190/0x190
[ 17.927070] mm_release+0x46d/0x590
[ 17.927405] ? do_raw_spin_trylock+0x190/0x190
[ 17.927831] ? mm_access+0x140/0x140
[ 17.928177] ? trace_hardirqs_on_caller+0x421/0x5c0
[ 17.928635] ? trace_hardirqs_on+0xd/0x10
[ 17.928927] ? _raw_spin_unlock_irq+0x27/0x70
[ 17.929287] ? acct_collect+0x637/0x800
[ 17.929650] do_exit+0x481/0x1ad0
[ 17.929972] ? mm_update_next_owner+0x930/0x930
[ 17.930407] ? trace_event_raw_event_sched_switch+0x8a0/0x8a0
[ 17.930995] ? rcu_note_context_switch+0x710/0x710
[ 17.931522] ? futex_wait_setup+0x14a/0x3d0
[ 17.931984] ? __might_sleep+0x95/0x190
[ 17.932580] ? find_held_lock+0x35/0x1d0
[ 17.932842] ? futex_wait+0x402/0x990
[ 17.933145] ? lock_downgrade+0x990/0x990
[ 17.933435] ? do_raw_spin_trylock+0x190/0x190
[ 17.933767] ? check_noncircular+0x20/0x20
[ 17.934066] ? futex_wake+0x680/0x680
[ 17.934334] ? mmdrop+0x18/0x30
[ 17.934685] ? drop_futex_key_refs.isra.13+0x63/0xa0
[ 17.935238] ? futex_wait+0x69e/0x990
[ 17.935625] ? find_held_lock+0x35/0x1d0
[ 17.935924] ? get_signal+0x7ae/0x16d0
[ 17.936195] ? lock_downgrade+0x990/0x990
[ 17.936484] do_group_exit+0x149/0x400
[ 17.936781] ? __lock_is_held+0xb6/0x140
[ 17.937061] ? SyS_exit+0x30/0x30
[ 17.937299] ? _raw_spin_unlock_irq+0x27/0x70
[ 17.937613] ? trace_hardirqs_on_caller+0x421/0x5c0
[ 17.937971] get_signal+0x73f/0x16d0
[ 17.938229] ? ptrace_notify+0x130/0x130
[ 17.938627] ? vma_wants_writenotify+0x3b0/0x3b0
[ 17.939117] ? exit_robust_list+0x240/0x240
[ 17.939532] ? find_held_lock+0x35/0x1d0
[ 17.939914] do_signal+0x94/0x1ee0
[ 17.940247] ? vm_mmap_pgoff+0x1ed/0x280
[ 17.940625] ? should_fail+0x23b/0xa40
[ 17.940992] ? fault_create_debugfs_attr+0x1f0/0x1f0
[ 17.941466] ? setup_sigcontext+0x7d0/0x7d0
[ 17.941897] ? find_held_lock+0x35/0x1d0
[ 17.942297] ? lock_downgrade+0x990/0x990
[ 17.942541] ? down_read_killable+0x180/0x180
[ 17.942826] ? lock_release+0xa40/0xa40
[ 17.943143] ? trace_event_raw_event_sched_switch+0x8a0/0x8a0
[ 17.943552] ? vm_mmap_pgoff+0x1fc/0x280
[ 17.943915] ? exit_to_usermode_loop+0x8c/0x310
[ 17.944345] exit_to_usermode_loop+0x214/0x310
[ 17.944765] ? trace_event_raw_event_sys_exit+0x260/0x260
[ 17.945273] ? kasan_check_write+0x14/0x20
[ 17.945664] syscall_return_slowpath+0x42f/0x510
[ 17.946104] ? prepare_exit_to_usermode+0x2d0/0x2d0
[ 17.946557] ? entry_SYSCALL_64_fastpath+0x91/0xbe
[ 17.947021] ? trace_hardirqs_on_caller+0x421/0x5c0
[ 17.947482] ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 17.947881] entry_SYSCALL_64_fastpath+0xbc/0xbe
[ 17.948229] RIP: 0033:0x447c89
[ 17.948457] RSP: 002b:00007f9f8305dce8 EFLAGS: 00000246 ORIG_RAX: 00000000000000ca
[ 17.949013] RAX: fffffffffffffe00 RBX: 0000000000748048 RCX: 0000000000447c89
[ 17.949527] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000748048
[ 17.950174] RBP: 0000000000748048 R08: 0000000000000000 R09: 0000000000748020
[ 17.950843] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
[ 17.951478] R13: 0000000000000000 R14: 00007f9f8305e9c0 R15: 00007f9f8305e700
[ 17.952153]
[ 17.952304] Allocated by task 2996:
[ 17.952578] save_stack+0x43/0xd0
[ 17.952886] kasan_kmalloc+0xad/0xe0
[ 17.953535] kmem_cache_alloc_trace+0x136/0x750
[ 17.953893] refill_pi_state_cache.part.6+0xa5/0x2f0
[ 17.954190] futex_requeue+0x1887/0x2370
[ 17.954426] do_futex+0x7f5/0x20d0
[ 17.954633] SyS_futex+0x260/0x390
[ 17.954840] entry_SYSCALL_64_fastpath+0x1f/0xbe
[ 17.955180]
[ 17.955300] Freed by task 2995:
[ 17.955540] save_stack+0x43/0xd0
[ 17.955777] kasan_slab_free+0x71/0xc0
[ 17.956048] kfree+0xca/0x250
[ 17.956264] put_pi_state+0x3f4/0x560
[ 17.956533] unqueue_me_pi+0x4a/0xc0
[ 17.956844] futex_wait_requeue_pi.constprop.19+0xc7f/0x1300
[ 17.957284] do_futex+0x825/0x20d0
[ 17.957543] SyS_futex+0x260/0x390
[ 17.957775] entry_SYSCALL_64_fastpath+0x1f/0xbe
[ 17.958056]
[ 17.958154] The buggy address belongs to the object at ffff88003b0d4700
[ 17.958154] which belongs to the cache kmalloc-256 of size 256
[ 17.958880] The buggy address is located 40 bytes inside of
[ 17.958880] 256-byte region [ffff88003b0d4700, ffff88003b0d4800)
[ 17.959592] The buggy address belongs to the page:
[ 17.959880] page:ffffea0000ec3500 count:1 mapcount:0 mapping:ffff88003b0d40c0 index:0xffff88003b0d4ac0
[ 17.960429] flags: 0x100000000000100(slab)
[ 17.960677] raw: 0100000000000100 ffff88003b0d40c0 ffff88003b0d4ac0 0000000100000003
[ 17.961132] raw: ffffea0000e518e0 ffffea0000ec3060 ffff88003e8007c0 0000000000000000
[ 17.961585] page dumped because: kasan: bad access detected
[ 17.961913]
[ 17.962008] Memory state around the buggy address:
[ 17.962294] ffff88003b0d4600: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 17.962717] ffff88003b0d4680: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 17.963230] >ffff88003b0d4700: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 17.963908]                                   ^
[ 17.964339] ffff88003b0d4780: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 17.964838] ffff88003b0d4800: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
[ 17.965460] ==================================================================
[ 17.966130] Disabling lock debugging due to kernel taint
[ 17.966634] Kernel panic - not syncing: panic_on_warn set ...
[ 17.966634]
[ 17.967322] CPU: 3 PID: 2994 Comm: syz-executor0 Tainted: G B 4.14.0-rc5-next-20171018+ #8
[ 17.968097] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
[ 17.968731] Call Trace:
[ 17.968912] dump_stack+0x194/0x257
[ 17.969126] ? arch_local_irq_restore+0x53/0x53
[ 17.969397] ? kasan_end_report+0x32/0x50
[ 17.969640] ? lock_downgrade+0x990/0x990
[ 17.969882] ? vsnprintf+0x1ed/0x1900
[ 17.970104] ? __lock_acquire+0x3c50/0x3d50
[ 17.970356] panic+0x1e4/0x41c
[ 17.970544] ? refcount_error_report+0x214/0x214
[ 17.970821] ? add_taint+0x40/0x50
[ 17.971119] ? add_taint+0x1c/0x50
[ 17.971377] ? __lock_acquire+0x3c9f/0x3d50
[ 17.971696] kasan_end_report+0x50/0x50
[ 17.971997] kasan_report+0x144/0x340
[ 17.972266] __asan_report_load8_noabort+0x14/0x20
[ 17.972643] __lock_acquire+0x3c9f/0x3d50
[ 17.973078] ? check_noncircular+0x20/0x20
[ 17.973437] ? exit_pi_state_list+0x369/0x7a0
[ 17.973785] ? debug_check_no_locks_freed+0x3c0/0x3c0
[ 17.974186] ? __lock_acquire+0x6aa/0x3d50
[ 17.974615] ? __lock_acquire+0x6aa/0x3d50
[ 17.975699] ? __lock_acquire+0x6aa/0x3d50
[ 17.976018] ? __lock_acquire+0x6aa/0x3d50
[ 17.976269] ? __lock_acquire+0x6aa/0x3d50
[ 17.976518] ? debug_check_no_locks_freed+0x3c0/0x3c0
[ 17.976832] ? debug_check_no_locks_freed+0x3c0/0x3c0
[ 17.977136] ? find_held_lock+0x35/0x1d0
[ 17.977374] ? osq_unlock+0x350/0x350
[ 17.977597] ? is_bpf_text_address+0x7b/0x120
[ 17.977896] ? find_held_lock+0x35/0x1d0
[ 17.978136] ? depot_save_stack+0x3b5/0x490
[ 17.978389] ? lock_downgrade+0x990/0x990
[ 17.978631] ? check_noncircular+0x20/0x20
[ 17.978897] ? do_raw_spin_trylock+0x190/0x190
[ 17.979323] ? is_bpf_text_address+0xa4/0x120
[ 17.979726] ? kernel_text_address+0x102/0x140
[ 17.979994] ? __kernel_text_address+0xd/0x40
[ 17.980258] ? unwind_get_return_address+0x61/0xa0
[ 17.980547] ? find_held_lock+0x35/0x1d0
[ 17.980796] lock_acquire+0x1d5/0x580
[ 17.981019] ? lock_acquire+0x1d5/0x580
[ 17.981385] ? exit_pi_state_list+0x369/0x7a0
[ 17.981753] ? lock_downgrade+0x990/0x990
[ 17.981997] ? lock_release+0xa40/0xa40
[ 17.982230] ? do_raw_spin_trylock+0x190/0x190
[ 17.982499] ? syscall_return_slowpath+0x42f/0x510
[ 17.982800] ? entry_SYSCALL_64_after_hwframe+0x7/0x29
[ 17.983164] _raw_spin_lock_irq+0x5e/0x80
[ 17.983449] ? exit_pi_state_list+0x369/0x7a0
[ 17.983769] exit_pi_state_list+0x369/0x7a0
[ 17.984065] ? futex_wait_requeue_pi.constprop.19+0x1300/0x1300
[ 17.984475] ? lock_release+0xa40/0xa40
[ 17.984768] ? trace_event_raw_event_sched_switch+0x8a0/0x8a0
[ 17.985292] ? _raw_spin_unlock_irqrestore+0x31/0xba
[ 17.985650] ? __might_sleep+0x95/0x190
[ 17.985933] ? __might_fault+0x188/0x1d0
[ 17.986215] ? do_raw_spin_trylock+0x190/0x190
[ 17.986692] mm_release+0x46d/0x590
[ 17.987078] ? do_raw_spin_trylock+0x190/0x190
[ 17.987555] ? mm_access+0x140/0x140
[ 17.987948] ? trace_hardirqs_on_caller+0x421/0x5c0
[ 17.988483] ? trace_hardirqs_on+0xd/0x10
[ 17.988921] ? _raw_spin_unlock_irq+0x27/0x70
[ 17.989391] ? acct_collect+0x637/0x800
[ 17.989795] do_exit+0x481/0x1ad0
[ 17.990020] ? mm_update_next_owner+0x930/0x930
[ 17.990292] ? trace_event_raw_event_sched_switch+0x8a0/0x8a0
[ 17.990633] ? rcu_note_context_switch+0x710/0x710
[ 17.990959] ? futex_wait_setup+0x14a/0x3d0
[ 17.991250] ? __might_sleep+0x95/0x190
[ 17.991536] ? find_held_lock+0x35/0x1d0
[ 17.991848] ? futex_wait+0x402/0x990
[ 17.992105] ? lock_downgrade+0x990/0x990
[ 17.992512] ? do_raw_spin_trylock+0x190/0x190
[ 17.992946] ? check_noncircular+0x20/0x20
[ 17.993331] ? futex_wake+0x680/0x680
[ 17.993680] ? mmdrop+0x18/0x30
[ 17.993979] ? drop_futex_key_refs.isra.13+0x63/0xa0
[ 17.994445] ? futex_wait+0x69e/0x990
[ 17.994795] ? find_held_lock+0x35/0x1d0
[ 17.995199] ? get_signal+0x7ae/0x16d0
[ 17.995550] ? lock_downgrade+0x990/0x990
[ 17.996257] do_group_exit+0x149/0x400
[ 17.996612] ? __lock_is_held+0xb6/0x140
[ 17.996913] ? SyS_exit+0x30/0x30
[ 17.997142] ? _raw_spin_unlock_irq+0x27/0x70
[ 17.997405] ? trace_hardirqs_on_caller+0x421/0x5c0
[ 17.997717] get_signal+0x73f/0x16d0
[ 17.997937] ? ptrace_notify+0x130/0x130
[ 17.998184] ? vma_wants_writenotify+0x3b0/0x3b0
[ 17.998464] ? exit_robust_list+0x240/0x240
[ 17.998739] ? find_held_lock+0x35/0x1d0
[ 17.999028] do_signal+0x94/0x1ee0
[ 17.999270] ? vm_mmap_pgoff+0x1ed/0x280
[ 17.999508] ? should_fail+0x23b/0xa40
[ 17.999765] ? fault_create_debugfs_attr+0x1f0/0x1f0
[ 18.000069] ? setup_sigcontext+0x7d0/0x7d0
[ 18.000323] ? find_held_lock+0x35/0x1d0
[ 18.000562] ? lock_downgrade+0x990/0x990
[ 18.000817] ? down_read_killable+0x180/0x180
[ 18.001079] ? lock_release+0xa40/0xa40
[ 18.001313] ? trace_event_raw_event_sched_switch+0x8a0/0x8a0
[ 18.001663] ? vm_mmap_pgoff+0x1fc/0x280
[ 18.001903] ? exit_to_usermode_loop+0x8c/0x310
[ 18.002175] exit_to_usermode_loop+0x214/0x310
[ 18.002442] ? trace_event_raw_event_sys_exit+0x260/0x260
[ 18.002774] ? kasan_check_write+0x14/0x20
[ 18.003064] syscall_return_slowpath+0x42f/0x510
[ 18.003386] ? prepare_exit_to_usermode+0x2d0/0x2d0
[ 18.003728] ? entry_SYSCALL_64_fastpath+0x91/0xbe
[ 18.004062] ? trace_hardirqs_on_caller+0x421/0x5c0
[ 18.004402] ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 18.004763] entry_SYSCALL_64_fastpath+0xbc/0xbe
[ 18.005192] RIP: 0033:0x447c89
[ 18.005482] RSP: 002b:00007f9f8305dce8 EFLAGS: 00000246 ORIG_RAX: 00000000000000ca
[ 18.006184] RAX: fffffffffffffe00 RBX: 0000000000748048 RCX: 0000000000447c89
[ 18.006840] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000748048
[ 18.007500] RBP: 0000000000748048 R08: 0000000000000000 R09: 0000000000748020
[ 18.008157] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
[ 18.008815] R13: 0000000000000000 R14: 00007f9f8305e9c0 R15: 00007f9f8305e700
[ 18.009507] Dumping ftrace buffer:
[ 18.009829] (ftrace buffer empty)
[ 18.010164] Kernel Offset: disabled
[ 18.010496] Rebooting in 86400 seconds..