INIT: Entering runlevel: 2 [[36minfo[39;49m] Using makefile-style concurrent boot in runlevel 2. [....] Starting enhanced syslogd: rsyslogd[?25l[?1c7[1G[[32m ok [39;49m8[?25h[?0c. [....] Starting periodic command scheduler: cron[?25l[?1c7[1G[[32m ok [39;49m8[?25h[?0c. [....] Starting OpenBSD Secure Shell server: sshd[?25l[?1c7[1G[[32m ok [39;49m8[?25h[?0c. Debian GNU/Linux 7 syzkaller ttyS0 Warning: Permanently added 'ci-android-49-kasan-gce-2,10.128.15.230' (ECDSA) to the list of known hosts. executing program executing program executing program executing program executing program executing program executing program executing program syzkaller login: [ 51.427101] ================================================================== [ 51.428206] BUG: KASAN: slab-out-of-bounds in __lock_acquire+0x2eff/0x3640 at addr ffff8801d5f9e078 [ 51.428209] Read of size 8 by task syzkaller453905/3282 [ 51.428217] CPU: 1 PID: 3282 Comm: syzkaller453905 Not tainted 4.9.60-gdfe0a9b #81 [ 51.428219] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 51.428226] ffff8801d67cf710 ffffffff81d91389 ffff8801d77fe500 ffff8801d5f9e000 [ 51.428231] ffff8801d5f9e060 ffffed003abf3c0f ffff8801d5f9e078 ffff8801d67cf738 [ 51.428235] ffffffff8153c1bc ffffed003abf3c0f ffff8801d77fe500 0000000000000000 [ 51.428236] Call Trace: [ 51.428242] [] dump_stack+0xc1/0x128 [ 51.428248] [] kasan_object_err+0x1c/0x70 [ 51.428252] [] kasan_report.part.1+0x21c/0x500 [ 51.428257] [] ? unwind_next_frame+0x86/0xe0 [ 51.428261] [] ? __lock_acquire+0x2eff/0x3640 [ 51.428265] [] ? __save_stack_trace+0x7d/0xf0 [ 51.428269] [] __asan_report_load8_noabort+0x29/0x30 [ 51.428273] [] __lock_acquire+0x2eff/0x3640 [ 51.428276] [] ? save_stack+0xa3/0xd0 [ 51.428280] [] ? save_stack_trace+0x16/0x20 [ 51.428283] [] ? save_stack+0x43/0xd0 [ 51.428286] [] ? kasan_kmalloc+0xad/0xe0 [ 51.428290] [] ? kmem_cache_alloc_trace+0xfb/0x2a0 [ 51.428293] [] ? sg_read+0xb39/0x1400 [ 51.428299] [] ? do_loop_readv_writev.part.17+0x141/0x1e0 [ 51.428303] [] ? debug_check_no_locks_freed+0x2c0/0x2c0 [ 51.428307] [] ? debug_check_no_locks_freed+0x2c0/0x2c0 [ 51.428311] [] lock_acquire+0x12e/0x410 [ 51.428316] [] ? sg_remove_request+0x70/0x120 [ 51.428322] [] _raw_write_lock_irqsave+0x4e/0x62 [ 51.428326] [] ? sg_remove_request+0x70/0x120 [ 51.428330] [] sg_remove_request+0x70/0x120 [ 51.428333] [] sg_finish_rem_req+0x295/0x340 [ 51.428336] [] sg_read+0x91c/0x1400 [ 51.428341] [] ? sg_proc_seq_show_debug+0xd10/0xd10 [ 51.428346] [] ? fsnotify+0xf30/0xf30 [ 51.428352] [] ? avc_policy_seqno+0x9/0x20 [ 51.428356] [] do_loop_readv_writev.part.17+0x141/0x1e0 [ 51.428360] [] ? security_file_permission+0x89/0x1e0 [ 51.428365] [] ? sg_proc_seq_show_debug+0xd10/0xd10 [ 51.428369] [] ? sg_proc_seq_show_debug+0xd10/0xd10 [ 51.428372] [] do_readv_writev+0x520/0x750 [ 51.428376] [] ? vfs_write+0x4e0/0x4e0 [ 51.428380] [] ? __fget+0x47/0x3a0 [ 51.428383] [] vfs_readv+0x84/0xc0 [ 51.428387] [] do_readv+0xe6/0x250 [ 51.428390] [] ? vfs_readv+0xc0/0xc0 [ 51.428394] [] ? entry_SYSCALL_64_fastpath+0x5/0xc6 [ 51.428399] [] ? trace_hardirqs_on_caller+0x38b/0x590 [ 51.428402] [] SyS_readv+0x27/0x30 [ 51.428406] [] entry_SYSCALL_64_fastpath+0x23/0xc6 [ 51.428409] Object at ffff8801d5f9e000, in cache fasync_cache size: 96 [ 51.428410] Allocated: [ 51.428411] PID = 3287 [ 51.428414] save_stack_trace+0x16/0x20 [ 51.428417] save_stack+0x43/0xd0 [ 51.428420] kasan_kmalloc+0xad/0xe0 [ 51.428423] kasan_slab_alloc+0x12/0x20 [ 51.428425] kmem_cache_alloc+0xba/0x290 [ 51.428428] fasync_helper+0x37/0xb0 [ 51.428431] sg_fasync+0x86/0xb0 [ 51.428434] SyS_fcntl+0x658/0xc70 [ 51.428437] entry_SYSCALL_64_fastpath+0x23/0xc6 [ 51.428438] Freed: [ 51.428439] PID = 0 [ 51.428440] (stack is not available) [ 51.428441] Memory state around the buggy address: [ 51.428444] ffff8801d5f9df00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 51.428447] ffff8801d5f9df80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 51.428449] >ffff8801d5f9e000: 00 00 00 00 00 00 00 00 00 00 00 00 fc fc fc fc [ 51.428451] ^ [ 51.428453] ffff8801d5f9e080: 00 00 00 00 00 00 00 00 00 00 00 00 fc fc fc fc [ 51.428456] ffff8801d5f9e100: 00 00 00 00 00 00 00 00 00 00 00 00 fc fc fc fc [ 51.428457] ================================================================== [ 51.428458] Disabling lock debugging due to kernel taint [ 51.428462] kasan: CONFIG_KASAN_INLINE enabled [ 51.428463] kasan: GPF could be caused by NULL-ptr deref or user memory access [ 51.428467] general protection fault: 0000 [#1] PREEMPT SMP KASAN [ 51.428470] Dumping ftrace buffer: [ 51.428472] (ftrace buffer empty) [ 51.428474] Modules linked in: [ 51.428478] CPU: 1 PID: 3282 Comm: syzkaller453905 Tainted: G B 4.9.60-gdfe0a9b #81 [ 51.428480] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 51.428482] task: ffff8801c823c800 task.stack: ffff8801d67c8000 [ 51.428487] RIP: 0010:[] [] __lock_acquire+0x194/0x3640 [ 51.428489] RSP: 0018:ffff8801d67cf7e0 EFLAGS: 00010086 [ 51.428492] RAX: dead4ead00000000 RBX: 0000000000000000 RCX: 0000000000000000 [ 51.428494] RDX: 1ffff1003abf3c10 RSI: 0000000000000000 RDI: ffff8801d5f9e080 [ 51.428496] RBP: ffff8801d67cf9a0 R08: 0000000000000001 R09: 0000000000000001 [ 51.428497] R10: 0000000000000000 R11: ffff8801c823c800 R12: 0000000000000001 [ 51.428499] R13: 0000000000000001 R14: 0000000000000000 R15: ffff8801d5f9e078 [ 51.428502] FS: 00007f514fc85700(0000) GS:ffff8801db300000(0000) knlGS:0000000000000000 [ 51.428504] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 51.428506] CR2: 00000000208f4f80 CR3: 00000001d07e8000 CR4: 00000000001406e0 [ 51.428510] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 [ 51.428512] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 [ 51.428513] Stack: [ 51.428518] 00000000024000c0 ffff8801cc1ffb68 ffff8801da0018c0 ffff8801d67cfa28 [ 51.428523] ffffffff8153b503 000000400000000b ffff8801d67cf820 ffffffff00000000 [ 51.428527] ffffffff8107c6a6 ffffffff8153b4a3 ffffffff8153b72d ffffffff815377eb [ 51.428528] Call Trace: [ 51.428532] [] ? save_stack+0xa3/0xd0 [ 51.428535] [] ? save_stack_trace+0x16/0x20 [ 51.428538] [] ? save_stack+0x43/0xd0 [ 51.428541] [] ? kasan_kmalloc+0xad/0xe0 [ 51.428545] [] ? kmem_cache_alloc_trace+0xfb/0x2a0 [ 51.428548] [] ? sg_read+0xb39/0x1400 [ 51.428551] [] ? do_loop_readv_writev.part.17+0x141/0x1e0 [ 51.428556] [] ? debug_check_no_locks_freed+0x2c0/0x2c0 [ 51.428560] [] ? debug_check_no_locks_freed+0x2c0/0x2c0 [ 51.428564] [] lock_acquire+0x12e/0x410 [ 51.428568] [] ? sg_remove_request+0x70/0x120 [ 51.428572] [] _raw_write_lock_irqsave+0x4e/0x62 [ 51.428576] [] ? sg_remove_request+0x70/0x120 [ 51.428580] [] sg_remove_request+0x70/0x120 [ 51.428584] [] sg_finish_rem_req+0x295/0x340 [ 51.428587] [] sg_read+0x91c/0x1400 [ 51.428591] [] ? sg_proc_seq_show_debug+0xd10/0xd10 [ 51.428595] [] ? fsnotify+0xf30/0xf30 [ 51.428599] [] ? avc_policy_seqno+0x9/0x20 [ 51.428602] [] do_loop_readv_writev.part.17+0x141/0x1e0 [ 51.428607] [] ? security_file_permission+0x89/0x1e0 [ 51.428611] [] ? sg_proc_seq_show_debug+0xd10/0xd10 [ 51.428615] [] ? sg_proc_seq_show_debug+0xd10/0xd10 [ 51.428618] [] do_readv_writev+0x520/0x750 [ 51.428622] [] ? vfs_write+0x4e0/0x4e0 [ 51.428625] [] ? __fget+0x47/0x3a0 [ 51.428629] [] vfs_readv+0x84/0xc0 [ 51.428632] [] do_readv+0xe6/0x250 [ 51.428636] [] ? vfs_readv+0xc0/0xc0 [ 51.428640] [] ? entry_SYSCALL_64_fastpath+0x5/0xc6 [ 51.428644] [] ? trace_hardirqs_on_caller+0x38b/0x590 [ 51.428647] [] SyS_readv+0x27/0x30 [ 51.428652] [] entry_SYSCALL_64_fastpath+0x23/0xc6 [ 51.428705] Code: 9e ff ff 44 8b 94 24 98 00 00 00 48 85 c0 8b 8c 24 90 00 00 00 44 8b 8c 24 88 00 00 00 4c 8b 9c 24 80 00 00 00 0f 84 ff 07 00 00 ff 80 98 01 00 00 49 8d b3 a8 08 00 00 48 ba 00 00 00 00 00 [ 51.428710] RIP [] __lock_acquire+0x194/0x3640 [ 51.428711] RSP [ 51.428715] ---[ end trace 6d0fef6a3029bbea ]--- [ 51.428717] Kernel panic - not syncing: Fatal exception [ 51.429459] Dumping ftrace buffer: [ 51.429460] (ftrace buffer empty) [ 51.429461] Kernel Offset: disabled [ 52.143011] Rebooting in 86400 seconds..