Debian GNU/Linux 7 syzkaller ttyS0 2017/10/26 00:21:55 parsed 1 programs 2017/10/26 00:21:55 executed programs: 0 syzkaller login: [ 37.597892] ================================================================== [ 37.598660] BUG: KASAN: use-after-free in __lock_acquire+0x3c9f/0x3d50 [ 37.599312] Read of size 8 at addr ffff88003a741a68 by task syz-executor5/3675 [ 37.599978] [ 37.600136] CPU: 0 PID: 3675 Comm: syz-executor5 Not tainted 4.14.0-rc5-next-20171018+ #8 [ 37.600883] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011 [ 37.604940] Call Trace: [ 37.605195] dump_stack+0x194/0x257 [ 37.605531] ? arch_local_irq_restore+0x53/0x53 [ 37.605965] ? show_regs_print_info+0x65/0x65 [ 37.606378] ? print_irqtrace_events+0x270/0x270 [ 37.606822] ? print_irqtrace_events+0x270/0x270 [ 37.607273] ? __lock_acquire+0x3c9f/0x3d50 [ 37.607676] print_address_description+0x73/0x250 [ 37.608135] ? __lock_acquire+0x3c9f/0x3d50 [ 37.608543] kasan_report+0x25b/0x340 [ 37.608959] __asan_report_load8_noabort+0x14/0x20 [ 37.609461] __lock_acquire+0x3c9f/0x3d50 [ 37.609843] ? debug_check_no_locks_freed+0x3c0/0x3c0 [ 37.610314] ? exit_pi_state_list+0x369/0x7a0 [ 37.610720] ? debug_check_no_locks_freed+0x3c0/0x3c0 [ 37.611189] ? __lock_acquire+0x6aa/0x3d50 [ 37.611571] ? __lock_acquire+0x6aa/0x3d50 [ 37.612269] ? __lock_acquire+0x6aa/0x3d50 [ 37.612628] ? debug_check_no_locks_freed+0x3c0/0x3c0 [ 37.613105] ? debug_check_no_locks_freed+0x3c0/0x3c0 [ 37.613411] ? find_held_lock+0x35/0x1d0 [ 37.613651] ? osq_unlock+0x350/0x350 [ 37.613931] ? __lock_acquire+0x6aa/0x3d50 [ 37.614325] ? debug_check_no_locks_freed+0x3c0/0x3c0 [ 37.614805] ? check_noncircular+0x20/0x20 [ 37.615098] ? debug_check_no_locks_freed+0x3c0/0x3c0 [ 37.615570] ? finish_task_switch+0x1d3/0x740 [ 37.615995] ? lock_downgrade+0x990/0x990 [ 37.616356] ? find_held_lock+0x35/0x1d0 [ 37.616594] lock_acquire+0x1d5/0x580 [ 37.616907] ? lock_acquire+0x1d5/0x580 [ 37.617291] ? exit_pi_state_list+0x369/0x7a0 [ 37.617661] ? lock_downgrade+0x990/0x990 [ 37.617948] ? lock_release+0xa40/0xa40 [ 37.618214] ? do_raw_spin_trylock+0x190/0x190 [ 37.618488] _raw_spin_lock_irq+0x5e/0x80 [ 37.618836] ? exit_pi_state_list+0x369/0x7a0 [ 37.619126] exit_pi_state_list+0x369/0x7a0 [ 37.619384] ? futex_wait_requeue_pi.constprop.19+0x1300/0x1300 [ 37.619742] ? lock_release+0xa40/0xa40 [ 37.619980] ? trace_event_raw_event_sched_switch+0x8a0/0x8a0 [ 37.620368] ? _raw_spin_unlock_irqrestore+0x31/0xba [ 37.620670] ? __might_sleep+0x95/0x190 [ 37.621006] ? __might_fault+0x188/0x1d0 [ 37.621382] ? do_raw_spin_trylock+0x190/0x190 [ 37.621803] mm_release+0x46d/0x590 [ 37.622137] ? do_raw_spin_trylock+0x190/0x190 [ 37.622557] ? mm_access+0x140/0x140 [ 37.622899] ? _raw_spin_unlock_irq+0x27/0x70 [ 37.623311] ? trace_hardirqs_on_caller+0x421/0x5c0 [ 37.623775] ? trace_hardirqs_on+0xd/0x10 [ 37.624157] ? _raw_spin_unlock_irq+0x27/0x70 [ 37.624571] ? acct_collect+0x637/0x800 [ 37.624941] do_exit+0x481/0x1ad0 [ 37.625257] ? _raw_spin_unlock_irqrestore+0x31/0xba [ 37.625732] ? trace_hardirqs_on_caller+0x3d0/0x5c0 [ 37.626201] ? mm_update_next_owner+0x930/0x930 [ 37.626636] ? trace_hardirqs_on+0xd/0x10 [ 37.627026] ? hrtimer_try_to_cancel+0x9a/0x5c0 [ 37.627471] ? __hrtimer_get_remaining+0x1c0/0x1c0 [ 37.627924] ? lock_downgrade+0x990/0x990 [ 37.628307] ? do_raw_spin_trylock+0x190/0x190 [ 37.628735] ? futex_wake+0x680/0x680 [ 37.629054] ? memset+0x31/0x40 [ 37.629343] ? hrtimer_cancel+0x2e/0x40 [ 37.629716] ? futex_wait_requeue_pi.constprop.19+0x8a8/0x1300 [ 37.630274] ? check_noncircular+0x20/0x20 [ 37.630600] ? futex_requeue+0x2370/0x2370 [ 37.631008] ? futex_wake+0x680/0x680 [ 37.631377] ? __lock_acquire+0x6aa/0x3d50 [ 37.631772] ? drop_futex_key_refs.isra.13+0x63/0xa0 [ 37.632243] ? futex_wait+0x69e/0x990 [ 37.632595] ? find_held_lock+0x35/0x1d0 [ 37.633281] ? get_signal+0x7ae/0x16d0 [ 37.633614] ? lock_downgrade+0x990/0x990 [ 37.633933] do_group_exit+0x149/0x400 [ 37.634224] ? __lock_is_held+0xb6/0x140 [ 37.634512] ? SyS_exit+0x30/0x30 [ 37.634755] ? _raw_spin_unlock_irq+0x27/0x70 [ 37.635085] ? trace_hardirqs_on_caller+0x421/0x5c0 [ 37.635454] get_signal+0x73f/0x16d0 [ 37.635719] ? ptrace_notify+0x130/0x130 [ 37.636014] ? vma_wants_writenotify+0x3b0/0x3b0 [ 37.636370] ? vma_link+0xe9/0x170 [ 37.636622] ? exit_robust_list+0x240/0x240 [ 37.637085] ? find_held_lock+0x35/0x1d0 [ 37.637400] do_signal+0x94/0x1ee0 [ 37.637664] ? vm_mmap_pgoff+0x1ed/0x280 [ 37.637960] ? should_fail+0x23b/0xa40 [ 37.638295] ? fault_create_debugfs_attr+0x1f0/0x1f0 [ 37.638662] ? setup_sigcontext+0x7d0/0x7d0 [ 37.638967] ? find_held_lock+0x35/0x1d0 [ 37.639259] ? lock_downgrade+0x990/0x990 [ 37.639555] ? down_read_killable+0x180/0x180 [ 37.639864] ? lock_release+0xa40/0xa40 [ 37.640152] ? trace_event_raw_event_sched_switch+0x8a0/0x8a0 [ 37.640573] ? vm_mmap_pgoff+0x1fc/0x280 [ 37.640858] ? exit_to_usermode_loop+0x8c/0x310 [ 37.641192] exit_to_usermode_loop+0x214/0x310 [ 37.641522] ? trace_event_raw_event_sys_exit+0x260/0x260 [ 37.641903] ? kasan_check_write+0x14/0x20 [ 37.642214] syscall_return_slowpath+0x42f/0x510 [ 37.642560] ? prepare_exit_to_usermode+0x2d0/0x2d0 [ 37.642917] ? entry_SYSCALL_64_fastpath+0x91/0xbe [ 37.643279] ? trace_hardirqs_on_caller+0x421/0x5c0 [ 37.643669] ? trace_hardirqs_on_thunk+0x1a/0x1c [ 37.644032] entry_SYSCALL_64_fastpath+0xbc/0xbe [ 37.644358] RIP: 0033:0x447c89 [ 37.644592] RSP: 002b:00007f1ca27e8bd8 EFLAGS: 00000246 ORIG_RAX: 00000000000000ca [ 37.645142] RAX: fffffffffffffdff RBX: 00007f1ca27e96cc RCX: 0000000000447c89 [ 37.645789] RDX: 0000000000000004 RSI: 000080000000000b RDI: 000000002000cffc [ 37.646439] RBP: 0000000000748020 R08: 0000000020048000 R09: 0000000000000000 [ 37.647111] R10: 0000000020564000 R11: 0000000000000246 R12: 00000000ffffffff [ 37.647781] R13: 0000000000000d08 R14: 00000000006e4da8 R15: 00007f1ca27e9700 [ 37.648453] [ 37.648606] Allocated by task 3694: [ 37.648949] save_stack+0x43/0xd0 [ 37.649268] kasan_kmalloc+0xad/0xe0 [ 37.649610] kmem_cache_alloc_trace+0x136/0x750 [ 37.650041] refill_pi_state_cache.part.6+0xa5/0x2f0 [ 37.650512] futex_requeue+0x1887/0x2370 [ 37.650885] do_futex+0x7f5/0x20d0 [ 37.651212] SyS_futex+0x260/0x390 [ 37.651539] entry_SYSCALL_64_fastpath+0x1f/0xbe [ 37.651974] [ 37.652125] Freed by task 3686: [ 37.652427] save_stack+0x43/0xd0 [ 37.652744] kasan_slab_free+0x71/0xc0 [ 37.653107] kfree+0xca/0x250 [ 37.653395] do_exit+0x1502/0x1ad0 [ 37.653738] do_group_exit+0x149/0x400 [ 37.654090] get_signal+0x73f/0x16d0 [ 37.655212] do_signal+0x94/0x1ee0 [ 37.655484] exit_to_usermode_loop+0x214/0x310 [ 37.655871] syscall_return_slowpath+0x42f/0x510 [ 37.656254] entry_SYSCALL_64_fastpath+0xbc/0xbe [ 37.656613] [ 37.656737] The buggy address belongs to the object at ffff88003a741a40 [ 37.656737] which belongs to the cache kmalloc-256 of size 256 [ 37.657594] The buggy address is located 40 bytes inside of [ 37.657594] 256-byte region [ffff88003a741a40, ffff88003a741b40) [ 37.658337] The buggy address belongs to the page: [ 37.658661] page:ffffea0000e9d040 count:1 mapcount:0 mapping:ffff88003a741040 index:0x0 [ 37.659176] flags: 0x100000000000100(slab) [ 37.659445] raw: 0100000000000100 ffff88003a741040 0000000000000000 000000010000000c [ 37.659953] raw: ffffea0000e63320 ffff88003e801648 ffff88003e8007c0 0000000000000000 [ 37.660466] page dumped because: kasan: bad access detected [ 37.661104] [ 37.661203] Memory state around the buggy address: [ 37.661491] ffff88003a741900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 37.661931] ffff88003a741980: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 37.662563] >ffff88003a741a00: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb [ 37.663045] ^ [ 37.663469] ffff88003a741a80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 37.663895] ffff88003a741b00: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc [ 37.664426] ================================================================== [ 37.664939] Disabling lock debugging due to kernel taint [ 37.665444] Kernel panic - not syncing: panic_on_warn set ... [ 37.665444] [ 37.665913] CPU: 0 PID: 3675 Comm: syz-executor5 Tainted: G B 4.14.0-rc5-next-20171018+ #8 [ 37.666482] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011 [ 37.666965] Call Trace: [ 37.667138] dump_stack+0x194/0x257 [ 37.667367] ? arch_local_irq_restore+0x53/0x53 [ 37.667646] ? kasan_end_report+0x32/0x50 [ 37.667908] ? lock_downgrade+0x990/0x990 [ 37.668169] ? vsnprintf+0x1ed/0x1900 [ 37.668393] ? __lock_acquire+0x3c50/0x3d50 [ 37.668655] panic+0x1e4/0x41c [ 37.668932] ? refcount_error_report+0x214/0x214 [ 37.669371] ? add_taint+0x40/0x50 [ 37.669634] ? add_taint+0x1c/0x50 [ 37.669918] ? __lock_acquire+0x3c9f/0x3d50 [ 37.670296] kasan_end_report+0x50/0x50 [ 37.670663] kasan_report+0x144/0x340 [ 37.671021] __asan_report_load8_noabort+0x14/0x20 [ 37.671488] __lock_acquire+0x3c9f/0x3d50 [ 37.671874] ? debug_check_no_locks_freed+0x3c0/0x3c0 [ 37.672354] ? exit_pi_state_list+0x369/0x7a0 [ 37.672773] ? debug_check_no_locks_freed+0x3c0/0x3c0 [ 37.673176] ? __lock_acquire+0x6aa/0x3d50 [ 37.673446] ? __lock_acquire+0x6aa/0x3d50 [ 37.673727] ? __lock_acquire+0x6aa/0x3d50 [ 37.673983] ? debug_check_no_locks_freed+0x3c0/0x3c0 [ 37.674303] ? debug_check_no_locks_freed+0x3c0/0x3c0 [ 37.674616] ? find_held_lock+0x35/0x1d0 [ 37.674858] ? osq_unlock+0x350/0x350 [ 37.675105] ? __lock_acquire+0x6aa/0x3d50 [ 37.675363] ? debug_check_no_locks_freed+0x3c0/0x3c0 [ 37.675668] ? check_noncircular+0x20/0x20 [ 37.676260] ? debug_check_no_locks_freed+0x3c0/0x3c0 [ 37.676688] ? finish_task_switch+0x1d3/0x740 [ 37.677080] ? lock_downgrade+0x990/0x990 [ 37.677373] ? find_held_lock+0x35/0x1d0 [ 37.677643] lock_acquire+0x1d5/0x580 [ 37.677902] ? lock_acquire+0x1d5/0x580 [ 37.678179] ? exit_pi_state_list+0x369/0x7a0 [ 37.678482] ? lock_downgrade+0x990/0x990 [ 37.678775] ? lock_release+0xa40/0xa40 [ 37.679060] ? do_raw_spin_trylock+0x190/0x190 [ 37.679393] _raw_spin_lock_irq+0x5e/0x80 [ 37.679721] ? exit_pi_state_list+0x369/0x7a0 [ 37.680108] exit_pi_state_list+0x369/0x7a0 [ 37.680510] ? futex_wait_requeue_pi.constprop.19+0x1300/0x1300 [ 37.681019] ? lock_release+0xa40/0xa40 [ 37.681257] ? trace_event_raw_event_sched_switch+0x8a0/0x8a0 [ 37.681600] ? _raw_spin_unlock_irqrestore+0x31/0xba [ 37.681902] ? __might_sleep+0x95/0x190 [ 37.682156] ? __might_fault+0x188/0x1d0 [ 37.682395] ? do_raw_spin_trylock+0x190/0x190 [ 37.682662] mm_release+0x46d/0x590 [ 37.682874] ? do_raw_spin_trylock+0x190/0x190 [ 37.683162] ? mm_access+0x140/0x140 [ 37.683379] ? _raw_spin_unlock_irq+0x27/0x70 [ 37.683641] ? trace_hardirqs_on_caller+0x421/0x5c0 [ 37.683933] ? trace_hardirqs_on+0xd/0x10 [ 37.684194] ? _raw_spin_unlock_irq+0x27/0x70 [ 37.684456] ? acct_collect+0x637/0x800 [ 37.684702] do_exit+0x481/0x1ad0 [ 37.685026] ? _raw_spin_unlock_irqrestore+0x31/0xba [ 37.685378] ? trace_hardirqs_on_caller+0x3d0/0x5c0 [ 37.685727] ? mm_update_next_owner+0x930/0x930 [ 37.686067] ? trace_hardirqs_on+0xd/0x10 [ 37.686349] ? hrtimer_try_to_cancel+0x9a/0x5c0 [ 37.686629] ? __hrtimer_get_remaining+0x1c0/0x1c0 [ 37.686917] ? lock_downgrade+0x990/0x990 [ 37.687179] ? do_raw_spin_trylock+0x190/0x190 [ 37.687475] ? futex_wake+0x680/0x680 [ 37.687741] ? memset+0x31/0x40 [ 37.687968] ? hrtimer_cancel+0x2e/0x40 [ 37.688263] ? futex_wait_requeue_pi.constprop.19+0x8a8/0x1300 [ 37.688676] ? check_noncircular+0x20/0x20 [ 37.689054] ? futex_requeue+0x2370/0x2370 [ 37.689503] ? futex_wake+0x680/0x680 [ 37.689837] ? __lock_acquire+0x6aa/0x3d50 [ 37.690203] ? drop_futex_key_refs.isra.13+0x63/0xa0 [ 37.690661] ? futex_wait+0x69e/0x990 [ 37.690950] ? find_held_lock+0x35/0x1d0 [ 37.691346] ? get_signal+0x7ae/0x16d0 [ 37.691761] ? lock_downgrade+0x990/0x990 [ 37.692196] do_group_exit+0x149/0x400 [ 37.692610] ? __lock_is_held+0xb6/0x140 [ 37.693045] ? SyS_exit+0x30/0x30 [ 37.693419] ? _raw_spin_unlock_irq+0x27/0x70 [ 37.693903] ? trace_hardirqs_on_caller+0x421/0x5c0 [ 37.694438] get_signal+0x73f/0x16d0 [ 37.694840] ? ptrace_notify+0x130/0x130 [ 37.695263] ? vma_wants_writenotify+0x3b0/0x3b0 [ 37.695737] ? vma_link+0xe9/0x170 [ 37.696050] ? exit_robust_list+0x240/0x240 [ 37.696539] ? find_held_lock+0x35/0x1d0 [ 37.696938] do_signal+0x94/0x1ee0 [ 37.698374] ? vm_mmap_pgoff+0x1ed/0x280 [ 37.698767] ? should_fail+0x23b/0xa40 [ 37.699261] ? fault_create_debugfs_attr+0x1f0/0x1f0 [ 37.699736] ? setup_sigcontext+0x7d0/0x7d0 [ 37.700143] ? find_held_lock+0x35/0x1d0 [ 37.700523] ? lock_downgrade+0x990/0x990 [ 37.700922] ? down_read_killable+0x180/0x180 [ 37.701513] ? lock_release+0xa40/0xa40 [ 37.702087] ? trace_event_raw_event_sched_switch+0x8a0/0x8a0 [ 37.702622] ? vm_mmap_pgoff+0x1fc/0x280 [ 37.703040] ? exit_to_usermode_loop+0x8c/0x310 [ 37.703483] exit_to_usermode_loop+0x214/0x310 [ 37.703939] ? trace_event_raw_event_sys_exit+0x260/0x260 [ 37.704449] ? kasan_check_write+0x14/0x20 [ 37.704849] syscall_return_slowpath+0x42f/0x510 [ 37.705293] ? prepare_exit_to_usermode+0x2d0/0x2d0 [ 37.705765] ? entry_SYSCALL_64_fastpath+0x91/0xbe [ 37.706223] ? trace_hardirqs_on_caller+0x421/0x5c0 [ 37.706694] ? trace_hardirqs_on_thunk+0x1a/0x1c [ 37.707139] entry_SYSCALL_64_fastpath+0xbc/0xbe [ 37.707580] RIP: 0033:0x447c89 [ 37.707874] RSP: 002b:00007f1ca27e8bd8 EFLAGS: 00000246 ORIG_RAX: 00000000000000ca [ 37.708658] RAX: fffffffffffffdff RBX: 00007f1ca27e96cc RCX: 0000000000447c89 [ 37.709338] RDX: 0000000000000004 RSI: 000080000000000b RDI: 000000002000cffc [ 37.710012] RBP: 0000000000748020 R08: 0000000020048000 R09: 0000000000000000 [ 37.710684] R10: 0000000020564000 R11: 0000000000000246 R12: 00000000ffffffff [ 37.711353] R13: 0000000000000d08 R14: 00000000006e4da8 R15: 00007f1ca27e9700 [ 37.712863] Dumping ftrace buffer: [ 37.713200] (ftrace buffer empty) [ 37.713540] Kernel Offset: disabled [ 37.713873] Rebooting in 86400 seconds..