INIT: Entering runlevel: 2
[info] Using makefile-style concurrent boot in runlevel 2.
[ ok ] Starting enhanced syslogd: rsyslogd.
[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.

Debian GNU/Linux 7 syzkaller ttyS0

Warning: Permanently added 'ci-upstream-kasan-gce-386-2,10.128.15.210' (ECDSA) to the list of known hosts.
2017/09/24 23:28:24 parsed 1 programs
2017/09/24 23:28:24 executed programs: 0

syzkaller login: [ 132.819577] ==================================================================
[ 132.827045] BUG: KASAN: use-after-free in irq_bypass_register_consumer+0x4f0/0x500
[ 132.834753] Read of size 8 at addr ffff8801d50f7950 by task syz-executor7/3596
[ 132.842100]
[ 132.843725] CPU: 0 PID: 3596 Comm: syz-executor7 Not tainted 4.14.0-rc1+ #9
[ 132.850823] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 132.860167] Call Trace:
[ 132.862749]  dump_stack+0x194/0x257
[ 132.866378]  ? arch_local_irq_restore+0x53/0x53
[ 132.871040]  ? show_regs_print_info+0x65/0x65
[ 132.875540]  ? irq_bypass_register_consumer+0x4f0/0x500
[ 132.880903]  print_address_description+0x73/0x250
[ 132.885744]  ? irq_bypass_register_consumer+0x4f0/0x500
[ 132.891110]  kasan_report+0x25b/0x340
[ 132.894914]  __asan_report_load8_noabort+0x14/0x20
[ 132.899843]  irq_bypass_register_consumer+0x4f0/0x500
[ 132.905036]  ? __disconnect+0x1a0/0x1a0
[ 132.909019]  ? trace_hardirqs_on_caller+0x421/0x5c0
[ 132.914043]  kvm_irqfd+0x137a/0x1d50
[ 132.917792]  ? kvm_eventfd_init+0x2a0/0x2a0
[ 132.922111]  ? find_held_lock+0x39/0x1d0
[ 132.926193]  ? lock_downgrade+0x990/0x990
[ 132.930351]  ? __might_fault+0xe0/0x1d0
[ 132.934323]  ? futex_wake+0x680/0x680
[ 132.938128]  ? lock_release+0xd70/0xd70
[ 132.942096]  ? check_same_owner+0x320/0x320
[ 132.946417]  ? drop_futex_key_refs.isra.13+0x63/0xb0
[ 132.951531]  ? __might_sleep+0x95/0x190
[ 132.955519]  ? kasan_check_write+0x14/0x20
[ 132.959758]  ? _copy_from_user+0x99/0x110
[ 132.963911]  kvm_vm_ioctl+0x1079/0x1c40
[ 132.967883]  ? futex_wake+0x2ca/0x680
[ 132.971675]  ? __fd_install+0x2f7/0x6a0
[ 132.975647]  ? kvm_set_memory_region+0x50/0x50
[ 132.980226]  ? get_futex_key+0x1d50/0x1d50
[ 132.984477]  ? find_held_lock+0x39/0x1d0
[ 132.988556]  ? lock_downgrade+0x990/0x990
[ 132.992702]  ? fd_install+0x4d/0x60
[ 132.996339]  ? __fget+0xbb/0x580
[ 132.999714]  ? lock_release+0xd70/0xd70
[ 133.003697]  ? __lock_is_held+0xbc/0x140
[ 133.007778]  ? __fget+0x362/0x580
[ 133.011241]  ? iterate_fd+0x3f0/0x3f0
[ 133.015042]  ? userfaultfd_unmap_prep+0x540/0x540
[ 133.019898]  ? __might_sleep+0x95/0x190
[ 133.023870]  ? up_write+0x6b/0x120
[ 133.027414]  ? debug_lockdep_rcu_enabled+0x77/0x90
[ 133.032337]  ? selinux_file_ioctl+0x444/0x690
[ 133.036829]  ? __fget_light+0x29d/0x390
[ 133.040813]  kvm_vm_compat_ioctl+0x2ed/0x3e0
[ 133.045222]  ? kvm_vm_ioctl+0x1c40/0x1c40
[ 133.049370]  ? vma_is_stack_for_current+0xa0/0xa0
[ 133.054208]  ? task_work_run+0x1f4/0x270
[ 133.058276]  ? security_file_ioctl+0x89/0xb0
[ 133.062689]  compat_SyS_ioctl+0x1d7/0x3290
[ 133.066925]  ? compat_SyS_get_robust_list+0x300/0x300
[ 133.072109]  ? kvm_vm_ioctl+0x1c40/0x1c40
[ 133.076259]  ? do_ioctl+0x60/0x60
[ 133.079712]  ? do_fast_syscall_32+0x158/0xf05
[ 133.084213]  ? do_ioctl+0x60/0x60
[ 133.087663]  do_fast_syscall_32+0x3f2/0xf05
[ 133.091982]  ? compat_start_thread+0x80/0x80
[ 133.096398]  ? do_int80_syscall_32+0x940/0x940
[ 133.100985]  ? lockdep_sys_exit+0x47/0xf0
[ 133.105129]  ? syscall_return_slowpath+0x2b3/0x510
[ 133.110054]  ? finish_task_switch+0x1aa/0x740
[ 133.114547]  ? prepare_exit_to_usermode+0x2d0/0x2d0
[ 133.119567]  ? sysret32_from_system_call+0x5/0x3b
[ 133.124416]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 133.129272]  entry_SYSENTER_compat+0x51/0x60
[ 133.133674] RIP: 0023:0xf7f25c79
[ 133.137031] RSP: 002b:00000000f7f2105c EFLAGS: 00000296 ORIG_RAX: 0000000000000036
[ 133.144759] RAX: ffffffffffffffda RBX: 000000000000000d RCX: 000000004020ae76
[ 133.152021] RDX: 00000000206a2fe0 RSI: 0000000000000000 RDI: 0000000000000000
[ 133.159286] RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
[ 133.166546] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
[ 133.173808] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[ 133.181103]
[ 133.182729] Allocated by task 3596:
[ 133.186356]  save_stack_trace+0x16/0x20
[ 133.190328]  save_stack+0x43/0xd0
[ 133.193775]  kasan_kmalloc+0xad/0xe0
[ 133.197480]  kmem_cache_alloc_trace+0x136/0x750
[ 133.202144]  kvm_irqfd+0x16c/0x1d50
[ 133.205765]  kvm_vm_ioctl+0x1079/0x1c40
[ 133.209738]  kvm_vm_compat_ioctl+0x2ed/0x3e0
[ 133.214139]  compat_SyS_ioctl+0x1d7/0x3290
[ 133.218371]  do_fast_syscall_32+0x3f2/0xf05
[ 133.222689]  entry_SYSENTER_compat+0x51/0x60
[ 133.227087]
[ 133.228707] Freed by task 24:
[ 133.231815]  save_stack_trace+0x16/0x20
[ 133.235785]  save_stack+0x43/0xd0
[ 133.239229]  kasan_slab_free+0x71/0xc0
[ 133.243109]  kfree+0xca/0x250
[ 133.246211]  irqfd_shutdown+0x13c/0x1a0
[ 133.250177]  process_one_work+0xbfa/0x1bd0
[ 133.254405]  worker_thread+0x223/0x1860
[ 133.258370]  kthread+0x39c/0x470
[ 133.261735]  ret_from_fork+0x2a/0x40
[ 133.265436]
[ 133.267060] The buggy address belongs to the object at ffff8801d50f77c0
[ 133.267060]  which belongs to the cache kmalloc-512 of size 512
[ 133.279706] The buggy address is located 400 bytes inside of
[ 133.279706]  512-byte region [ffff8801d50f77c0, ffff8801d50f79c0)
[ 133.291572] The buggy address belongs to the page:
[ 133.296490] page:ffffea0007543dc0 count:1 mapcount:0 mapping:ffff8801d50f7040 index:0x0
[ 133.304632] flags: 0x200000000000100(slab)
[ 133.308860] raw: 0200000000000100 ffff8801d50f7040 0000000000000000 0000000100000006
[ 133.316741] raw: ffffea0007542560 ffffea00075425a0 ffff8801dac00940 0000000000000000
[ 133.324607] page dumped because: kasan: bad access detected
[ 133.330302]
[ 133.331919] Memory state around the buggy address:
[ 133.336841]  ffff8801d50f7800: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 133.344194]  ffff8801d50f7880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 133.351546] >ffff8801d50f7900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 133.358896]                                                  ^
[ 133.364859]  ffff8801d50f7980: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 133.372207]  ffff8801d50f7a00: fc fc fc fc fc fc fc fc 00 00 00 00 00 00 00 00
[ 133.379556] ==================================================================
[ 133.386901] Disabling lock debugging due to kernel taint
[ 133.392414] Kernel panic - not syncing: panic_on_warn set ...
[ 133.392414]
[ 133.399756] CPU: 0 PID: 3596 Comm: syz-executor7 Tainted: G B 4.14.0-rc1+ #9
[ 133.408047] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 133.417380] Call Trace:
[ 133.419954]  dump_stack+0x194/0x257
[ 133.423569]  ? arch_local_irq_restore+0x53/0x53
[ 133.428226]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 133.432969]  ? irq_bypass_register_consumer+0x450/0x500
[ 133.438320]  panic+0x1e4/0x417
[ 133.441499]  ? __warn+0x1d9/0x1d9
[ 133.444943]  ? irq_bypass_register_consumer+0x4f0/0x500
[ 133.450289]  kasan_end_report+0x50/0x50
[ 133.454249]  kasan_report+0x144/0x340
[ 133.458035]  __asan_report_load8_noabort+0x14/0x20
[ 133.462948]  irq_bypass_register_consumer+0x4f0/0x500
[ 133.468123]  ? __disconnect+0x1a0/0x1a0
[ 133.472083]  ? trace_hardirqs_on_caller+0x421/0x5c0
[ 133.477089]  kvm_irqfd+0x137a/0x1d50
[ 133.480801]  ? kvm_eventfd_init+0x2a0/0x2a0
[ 133.485110]  ? find_held_lock+0x39/0x1d0
[ 133.489165]  ? lock_downgrade+0x990/0x990
[ 133.493307]  ? __might_fault+0xe0/0x1d0
[ 133.497267]  ? futex_wake+0x680/0x680
[ 133.501054]  ? lock_release+0xd70/0xd70
[ 133.505013]  ? check_same_owner+0x320/0x320
[ 133.509321]  ? drop_futex_key_refs.isra.13+0x63/0xb0
[ 133.514414]  ? __might_sleep+0x95/0x190
[ 133.518380]  ? kasan_check_write+0x14/0x20
[ 133.522599]  ? _copy_from_user+0x99/0x110
[ 133.526736]  kvm_vm_ioctl+0x1079/0x1c40
[ 133.530691]  ? futex_wake+0x2ca/0x680
[ 133.534479]  ? __fd_install+0x2f7/0x6a0
[ 133.538439]  ? kvm_set_memory_region+0x50/0x50
[ 133.543002]  ? get_futex_key+0x1d50/0x1d50
[ 133.547228]  ? find_held_lock+0x39/0x1d0
[ 133.551284]  ? lock_downgrade+0x990/0x990
[ 133.555418]  ? fd_install+0x4d/0x60
[ 133.559030]  ? __fget+0xbb/0x580
[ 133.562393]  ? lock_release+0xd70/0xd70
[ 133.566362]  ? __lock_is_held+0xbc/0x140
[ 133.570420]  ? __fget+0x362/0x580
[ 133.573862]  ? iterate_fd+0x3f0/0x3f0
[ 133.577647]  ? userfaultfd_unmap_prep+0x540/0x540
[ 133.582484]  ? __might_sleep+0x95/0x190
[ 133.586444]  ? up_write+0x6b/0x120
[ 133.589979]  ? debug_lockdep_rcu_enabled+0x77/0x90
[ 133.594895]  ? selinux_file_ioctl+0x444/0x690
[ 133.599372]  ? __fget_light+0x29d/0x390
[ 133.603334]  kvm_vm_compat_ioctl+0x2ed/0x3e0
[ 133.607731]  ? kvm_vm_ioctl+0x1c40/0x1c40
[ 133.611865]  ? vma_is_stack_for_current+0xa0/0xa0
[ 133.616692]  ? task_work_run+0x1f4/0x270
[ 133.620748]  ? security_file_ioctl+0x89/0xb0
[ 133.625147]  compat_SyS_ioctl+0x1d7/0x3290
[ 133.629369]  ? compat_SyS_get_robust_list+0x300/0x300
[ 133.634542]  ? kvm_vm_ioctl+0x1c40/0x1c40
[ 133.638678]  ? do_ioctl+0x60/0x60
[ 133.642119]  ? do_fast_syscall_32+0x158/0xf05
[ 133.646601]  ? do_ioctl+0x60/0x60
[ 133.650039]  do_fast_syscall_32+0x3f2/0xf05
[ 133.654344]  ? compat_start_thread+0x80/0x80
[ 133.658738]  ? do_int80_syscall_32+0x940/0x940
[ 133.663308]  ? lockdep_sys_exit+0x47/0xf0
[ 133.667443]  ? syscall_return_slowpath+0x2b3/0x510
[ 133.672353]  ? finish_task_switch+0x1aa/0x740
[ 133.676833]  ? prepare_exit_to_usermode+0x2d0/0x2d0
[ 133.681833]  ? sysret32_from_system_call+0x5/0x3b
[ 133.686661]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 133.691493]  entry_SYSENTER_compat+0x51/0x60
[ 133.695884] RIP: 0023:0xf7f25c79
[ 133.699231] RSP: 002b:00000000f7f2105c EFLAGS: 00000296 ORIG_RAX: 0000000000000036
[ 133.706922] RAX: ffffffffffffffda RBX: 000000000000000d RCX: 000000004020ae76
[ 133.714171] RDX: 00000000206a2fe0 RSI: 0000000000000000 RDI: 0000000000000000
[ 133.721422] RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
[ 133.728674] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
[ 133.735933] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[ 133.743621] Dumping ftrace buffer:
[ 133.747133]    (ftrace buffer empty)
[ 133.750811] Kernel Offset: disabled
[ 133.754402] Rebooting in 86400 seconds..