2017/10/25 19:46:30 parsed 1 programs
2017/10/25 19:46:30 executed programs: 0
syzkaller login: [ 26.275706] ==================================================================
[ 26.276365] BUG: KASAN: use-after-free in __lock_acquire+0x3c9f/0x3d50
[ 26.276938] Read of size 8 at addr ffff88006c9c0368 by task syz-executor7/3338
[ 26.277584]
[ 26.277734] CPU: 0 PID: 3338 Comm: syz-executor7 Not tainted 4.14.0-rc5-next-20171018+ #8
[ 26.278511] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
[ 26.279228] Call Trace:
[ 26.279457] dump_stack+0x194/0x257
[ 26.279776] ? arch_local_irq_restore+0x53/0x53
[ 26.280173] ? show_regs_print_info+0x65/0x65
[ 26.280594] ? print_irqtrace_events+0x270/0x270
[ 26.281049] ? print_irqtrace_events+0x270/0x270
[ 26.281525] ? __lock_acquire+0x3c9f/0x3d50
[ 26.281949] print_address_description+0x73/0x250
[ 26.282435] ? __lock_acquire+0x3c9f/0x3d50
[ 26.282811] kasan_report+0x25b/0x340
[ 26.283129] __asan_report_load8_noabort+0x14/0x20
[ 26.283533] __lock_acquire+0x3c9f/0x3d50
[ 26.283884] ? debug_check_no_locks_freed+0x3c0/0x3c0
[ 26.284311] ? exit_pi_state_list+0x369/0x7a0
[ 26.284681] ? debug_check_no_locks_freed+0x3c0/0x3c0
[ 26.285110] ? __lock_acquire+0x6aa/0x3d50
[ 26.285464] ? __lock_acquire+0x6aa/0x3d50
[ 26.285828] ? __lock_acquire+0x6aa/0x3d50
[ 26.286175] ? debug_check_no_locks_freed+0x3c0/0x3c0
[ 26.286712] ? debug_check_no_locks_freed+0x3c0/0x3c0
[ 26.287200] ? find_held_lock+0x35/0x1d0
[ 26.287597] ? osq_unlock+0x350/0x350
[ 26.287932] ? __lock_acquire+0x6aa/0x3d50
[ 26.288250] ? find_held_lock+0x35/0x1d0
[ 26.288816] ? debug_check_no_locks_freed+0x3c0/0x3c0
[ 26.289309] ? check_noncircular+0x20/0x20
[ 26.289705] ? debug_check_no_locks_freed+0x3c0/0x3c0
[ 26.290180] ? _raw_spin_unlock_irqrestore+0x31/0xba
[ 26.290659] ? trace_hardirqs_on+0xd/0x10
[ 26.291117] ? find_held_lock+0x35/0x1d0
[ 26.291541] lock_acquire+0x1d5/0x580
[ 26.291885] ? lock_acquire+0x1d5/0x580
[ 26.292182] ? exit_pi_state_list+0x369/0x7a0
[ 26.292588] ? lock_downgrade+0x990/0x990
[ 26.292964] ? lock_release+0xa40/0xa40
[ 26.293322] ? do_raw_spin_trylock+0x190/0x190
[ 26.293790] _raw_spin_lock_irq+0x5e/0x80
[ 26.294167] ? exit_pi_state_list+0x369/0x7a0
[ 26.294896] exit_pi_state_list+0x369/0x7a0
[ 26.295240] ? futex_wait_requeue_pi.constprop.19+0x1300/0x1300
[ 26.295735] ? lock_release+0xa40/0xa40
[ 26.296001] ? trace_event_raw_event_sched_switch+0x8a0/0x8a0
[ 26.296407] ? _raw_spin_unlock_irqrestore+0x31/0xba
[ 26.296758] ? __might_sleep+0x95/0x190
[ 26.297029] ? __might_fault+0x188/0x1d0
[ 26.297313] ? do_raw_spin_trylock+0x190/0x190
[ 26.297615] mm_release+0x46d/0x590
[ 26.297861] ? do_raw_spin_trylock+0x190/0x190
[ 26.298165] ? mm_access+0x140/0x140
[ 26.298485] ? _raw_spin_unlock_irq+0x27/0x70
[ 26.298832] ? trace_hardirqs_on_caller+0x421/0x5c0
[ 26.299166] ? trace_hardirqs_on+0xd/0x10
[ 26.299411] ? _raw_spin_unlock_irq+0x27/0x70
[ 26.299694] ? acct_collect+0x637/0x800
[ 26.299928] do_exit+0x481/0x1ad0
[ 26.300131] ? _raw_spin_unlock_irqrestore+0x31/0xba
[ 26.300427] ? trace_hardirqs_on_caller+0x3d0/0x5c0
[ 26.300731] ? mm_update_next_owner+0x930/0x930
[ 26.301003] ? trace_hardirqs_on+0xd/0x10
[ 26.301254] ? hrtimer_try_to_cancel+0x9a/0x5c0
[ 26.301666] ? __hrtimer_get_remaining+0x1c0/0x1c0
[ 26.301981] ? lock_downgrade+0x990/0x990
[ 26.302263] ? do_raw_spin_trylock+0x190/0x190
[ 26.302599] ? futex_wake+0x680/0x680
[ 26.302850] ? memset+0x31/0x40
[ 26.303075] ? hrtimer_cancel+0x2e/0x40
[ 26.303336] ? futex_wait_requeue_pi.constprop.19+0x8a8/0x1300
[ 26.303752] ? check_noncircular+0x20/0x20
[ 26.304019] ? futex_requeue+0x2370/0x2370
[ 26.304313] ? futex_wake+0x680/0x680
[ 26.304567] ? __lock_acquire+0x6aa/0x3d50
[ 26.304852] ? drop_futex_key_refs.isra.13+0x63/0xa0
[ 26.305198] ? futex_wait+0x69e/0x990
[ 26.305465] ? find_held_lock+0x35/0x1d0
[ 26.305744] ? get_signal+0x7ae/0x16d0
[ 26.306006] ? lock_downgrade+0x990/0x990
[ 26.306288] do_group_exit+0x149/0x400
[ 26.306670] ? __lock_is_held+0xb6/0x140
[ 26.307037] ? SyS_exit+0x30/0x30
[ 26.307384] ? _raw_spin_unlock_irq+0x27/0x70
[ 26.307798] ? trace_hardirqs_on_caller+0x421/0x5c0
[ 26.308257] get_signal+0x73f/0x16d0
[ 26.308600] ? ptrace_notify+0x130/0x130
[ 26.308971] ? vma_wants_writenotify+0x3b0/0x3b0
[ 26.309720] ? vma_link+0xe9/0x170
[ 26.310046] ? exit_robust_list+0x240/0x240
[ 26.310455] ? find_held_lock+0x35/0x1d0
[ 26.310825] do_signal+0x94/0x1ee0
[ 26.311147] ? vm_mmap_pgoff+0x1ed/0x280
[ 26.311527] ? should_fail+0x23b/0xa40
[ 26.311895] ? fault_create_debugfs_attr+0x1f0/0x1f0
[ 26.312275] ? setup_sigcontext+0x7d0/0x7d0
[ 26.312671] ? find_held_lock+0x35/0x1d0
[ 26.313041] ? lock_downgrade+0x990/0x990
[ 26.313418] ? down_read_killable+0x180/0x180
[ 26.313826] ? lock_release+0xa40/0xa40
[ 26.314187] ? trace_event_raw_event_sched_switch+0x8a0/0x8a0
[ 26.314670] ? vm_mmap_pgoff+0x1fc/0x280
[ 26.314917] ? exit_to_usermode_loop+0x8c/0x310
[ 26.315225] exit_to_usermode_loop+0x214/0x310
[ 26.315517] ? trace_event_raw_event_sys_exit+0x260/0x260
[ 26.315852] ? kasan_check_write+0x14/0x20
[ 26.316144] syscall_return_slowpath+0x42f/0x510
[ 26.316491] ? prepare_exit_to_usermode+0x2d0/0x2d0
[ 26.316826] ? entry_SYSCALL_64_fastpath+0x91/0xbe
[ 26.317125] ? trace_hardirqs_on_caller+0x421/0x5c0
[ 26.317490] ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 26.317813] entry_SYSCALL_64_fastpath+0xbc/0xbe
[ 26.318101] RIP: 0033:0x447c89
[ 26.318375] RSP: 002b:00007f0bf428bbd8 EFLAGS: 00000246 ORIG_RAX: 00000000000000ca
[ 26.318917] RAX: fffffffffffffdff RBX: 00007f0bf428c6cc RCX: 0000000000447c89
[ 26.319375] RDX: 0000000000000004 RSI: 000080000000000b RDI: 000000002000cffc
[ 26.319822] RBP: 0000000000748020 R08: 0000000020048000 R09: 0000000000000000
[ 26.320259] R10: 0000000020564000 R11: 0000000000000246 R12: 00000000ffffffff
[ 26.320756] R13: 0000000000000d08 R14: 00000000006e4da8 R15: 00007f0bf428c700
[ 26.321207]
[ 26.321305] Allocated by task 3360:
[ 26.321559] save_stack+0x43/0xd0
[ 26.321806] kasan_kmalloc+0xad/0xe0
[ 26.322071] kmem_cache_alloc_trace+0x136/0x750
[ 26.322447] refill_pi_state_cache.part.6+0xa5/0x2f0
[ 26.322814] futex_requeue+0x1887/0x2370
[ 26.323085] do_futex+0x7f5/0x20d0
[ 26.323350] SyS_futex+0x260/0x390
[ 26.323614] entry_SYSCALL_64_fastpath+0x1f/0xbe
[ 26.323952]
[ 26.324070] Freed by task 3354:
[ 26.324285] save_stack+0x43/0xd0
[ 26.324511] kasan_slab_free+0x71/0xc0
[ 26.324737] kfree+0xca/0x250
[ 26.324919] do_exit+0x1502/0x1ad0
[ 26.325125] do_group_exit+0x149/0x400
[ 26.325352] get_signal+0x73f/0x16d0
[ 26.325584] do_signal+0x94/0x1ee0
[ 26.325791] exit_to_usermode_loop+0x214/0x310
[ 26.326057] syscall_return_slowpath+0x42f/0x510
[ 26.326378] entry_SYSCALL_64_fastpath+0xbc/0xbe
[ 26.326820]
[ 26.326972] The buggy address belongs to the object at ffff88006c9c0340
[ 26.326972]  which belongs to the cache kmalloc-256 of size 256
[ 26.327940] The buggy address is located 40 bytes inside of
[ 26.327940]  256-byte region [ffff88006c9c0340, ffff88006c9c0440)
[ 26.328658] The buggy address belongs to the page:
[ 26.329000] page:ffffea0001b27000 count:1 mapcount:0 mapping:ffff88006c9c00c0 index:0xffff88006c9c0700
[ 26.329657] flags: 0x500000000000100(slab)
[ 26.329962] raw: 0500000000000100 ffff88006c9c00c0 ffff88006c9c0700 0000000100000004
[ 26.330475] raw: ffffea0001b437e0 ffffea0001a35c60 ffff88003e8007c0 0000000000000000
[ 26.331247] page dumped because: kasan: bad access detected
[ 26.331711]
[ 26.331844] Memory state around the buggy address:
[ 26.332276]  ffff88006c9c0200: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 26.332928]  ffff88006c9c0280: 00 00 00 00 00 00 00 00 00 00 fc fc fc fc fc fc
[ 26.333579] >ffff88006c9c0300: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
[ 26.334213]                                                           ^
[ 26.334727]  ffff88006c9c0380: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 26.335385]  ffff88006c9c0400: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 26.336042] ==================================================================
[ 26.336698] Disabling lock debugging due to kernel taint
[ 26.337186] Kernel panic - not syncing: panic_on_warn set ...
[ 26.337186]
[ 26.337848] CPU: 0 PID: 3338 Comm: syz-executor7 Tainted: G B 4.14.0-rc5-next-20171018+ #8
[ 26.338748] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
[ 26.339472] Call Trace:
[ 26.339710] dump_stack+0x194/0x257
[ 26.340040] ? arch_local_irq_restore+0x53/0x53
[ 26.340458] ? kasan_end_report+0x32/0x50
[ 26.340830] ? lock_downgrade+0x990/0x990
[ 26.341201] ? vsnprintf+0x1ed/0x1900
[ 26.341543] ? __lock_acquire+0x3c50/0x3d50
[ 26.341932] panic+0x1e4/0x41c
[ 26.342222] ? refcount_error_report+0x214/0x214
[ 26.342926] ? add_taint+0x40/0x50
[ 26.343247] ? add_taint+0x1c/0x50
[ 26.343463] ? __lock_acquire+0x3c9f/0x3d50
[ 26.343758] kasan_end_report+0x50/0x50
[ 26.344030] kasan_report+0x144/0x340
[ 26.344267] __asan_report_load8_noabort+0x14/0x20
[ 26.344576] __lock_acquire+0x3c9f/0x3d50
[ 26.344832] ? debug_check_no_locks_freed+0x3c0/0x3c0
[ 26.345290] ? exit_pi_state_list+0x369/0x7a0
[ 26.345700] ? debug_check_no_locks_freed+0x3c0/0x3c0
[ 26.346172] ? __lock_acquire+0x6aa/0x3d50
[ 26.346605] ? __lock_acquire+0x6aa/0x3d50
[ 26.346992] ? __lock_acquire+0x6aa/0x3d50
[ 26.347377] ? debug_check_no_locks_freed+0x3c0/0x3c0
[ 26.347851] ? debug_check_no_locks_freed+0x3c0/0x3c0
[ 26.348320] ? find_held_lock+0x35/0x1d0
[ 26.348676] ? osq_unlock+0x350/0x350
[ 26.348992] ? __lock_acquire+0x6aa/0x3d50
[ 26.349368] ? find_held_lock+0x35/0x1d0
[ 26.349735] ? debug_check_no_locks_freed+0x3c0/0x3c0
[ 26.350201] ? check_noncircular+0x20/0x20
[ 26.350629] ? debug_check_no_locks_freed+0x3c0/0x3c0
[ 26.351121] ? _raw_spin_unlock_irqrestore+0x31/0xba
[ 26.351581] ? trace_hardirqs_on+0xd/0x10
[ 26.351956] ? find_held_lock+0x35/0x1d0
[ 26.352541] lock_acquire+0x1d5/0x580
[ 26.352818] ? lock_acquire+0x1d5/0x580
[ 26.353237] ? exit_pi_state_list+0x369/0x7a0
[ 26.353695] ? lock_downgrade+0x990/0x990
[ 26.354069] ? lock_release+0xa40/0xa40
[ 26.354443] ? do_raw_spin_trylock+0x190/0x190
[ 26.354857] _raw_spin_lock_irq+0x5e/0x80
[ 26.355232] ? exit_pi_state_list+0x369/0x7a0
[ 26.355633] exit_pi_state_list+0x369/0x7a0
[ 26.356021] ? futex_wait_requeue_pi.constprop.19+0x1300/0x1300
[ 26.356573] ? lock_release+0xa40/0xa40
[ 26.356932] ? trace_event_raw_event_sched_switch+0x8a0/0x8a0
[ 26.357328] ? _raw_spin_unlock_irqrestore+0x31/0xba
[ 26.357725] ? __might_sleep+0x95/0x190
[ 26.358084] ? __might_fault+0x188/0x1d0
[ 26.358496] ? do_raw_spin_trylock+0x190/0x190
[ 26.358909] mm_release+0x46d/0x590
[ 26.359238] ? do_raw_spin_trylock+0x190/0x190
[ 26.359649] ? mm_access+0x140/0x140
[ 26.359987] ? _raw_spin_unlock_irq+0x27/0x70
[ 26.360435] ? trace_hardirqs_on_caller+0x421/0x5c0
[ 26.360874] ? trace_hardirqs_on+0xd/0x10
[ 26.361164] ? _raw_spin_unlock_irq+0x27/0x70
[ 26.361441] ? acct_collect+0x637/0x800
[ 26.361696] do_exit+0x481/0x1ad0
[ 26.361923] ? _raw_spin_unlock_irqrestore+0x31/0xba
[ 26.362258] ? trace_hardirqs_on_caller+0x3d0/0x5c0
[ 26.362596] ? mm_update_next_owner+0x930/0x930
[ 26.362901] ? trace_hardirqs_on+0xd/0x10
[ 26.363234] ? hrtimer_try_to_cancel+0x9a/0x5c0
[ 26.363654] ? __hrtimer_get_remaining+0x1c0/0x1c0
[ 26.364096] ? lock_downgrade+0x990/0x990
[ 26.364419] ? do_raw_spin_trylock+0x190/0x190
[ 26.364799] ? futex_wake+0x680/0x680
[ 26.365142] ? memset+0x31/0x40
[ 26.365441] ? hrtimer_cancel+0x2e/0x40
[ 26.365799] ? futex_wait_requeue_pi.constprop.19+0x8a8/0x1300
[ 26.366199] ? check_noncircular+0x20/0x20
[ 26.366517] ? futex_requeue+0x2370/0x2370
[ 26.366795] ? futex_wake+0x680/0x680
[ 26.367044] ? __lock_acquire+0x6aa/0x3d50
[ 26.367326] ? drop_futex_key_refs.isra.13+0x63/0xa0
[ 26.367662] ? futex_wait+0x69e/0x990
[ 26.367916] ? find_held_lock+0x35/0x1d0
[ 26.368198] ? get_signal+0x7ae/0x16d0
[ 26.368472] ? lock_downgrade+0x990/0x990
[ 26.368848] do_group_exit+0x149/0x400
[ 26.369202] ? __lock_is_held+0xb6/0x140
[ 26.369567] ? SyS_exit+0x30/0x30
[ 26.369907] ? _raw_spin_unlock_irq+0x27/0x70
[ 26.370317] ? trace_hardirqs_on_caller+0x421/0x5c0
[ 26.370837] get_signal+0x73f/0x16d0
[ 26.371172] ? ptrace_notify+0x130/0x130
[ 26.371534] ? vma_wants_writenotify+0x3b0/0x3b0
[ 26.371959] ? vma_link+0xe9/0x170
[ 26.372281] ? exit_robust_list+0x240/0x240
[ 26.372669] ? find_held_lock+0x35/0x1d0
[ 26.373038] do_signal+0x94/0x1ee0
[ 26.373670] ? vm_mmap_pgoff+0x1ed/0x280
[ 26.374022] ? should_fail+0x23b/0xa40
[ 26.374393] ? fault_create_debugfs_attr+0x1f0/0x1f0
[ 26.374854] ? setup_sigcontext+0x7d0/0x7d0
[ 26.375248] ? find_held_lock+0x35/0x1d0
[ 26.375618] ? lock_downgrade+0x990/0x990
[ 26.375992] ? down_read_killable+0x180/0x180
[ 26.376304] ? lock_release+0xa40/0xa40
[ 26.376575] ? trace_event_raw_event_sched_switch+0x8a0/0x8a0
[ 26.376935] ? vm_mmap_pgoff+0x1fc/0x280
[ 26.377197] ? exit_to_usermode_loop+0x8c/0x310
[ 26.377490] exit_to_usermode_loop+0x214/0x310
[ 26.377781] ? trace_event_raw_event_sys_exit+0x260/0x260
[ 26.378139] ? kasan_check_write+0x14/0x20
[ 26.378507] syscall_return_slowpath+0x42f/0x510
[ 26.378872] ? prepare_exit_to_usermode+0x2d0/0x2d0
[ 26.379324] ? entry_SYSCALL_64_fastpath+0x91/0xbe
[ 26.379774] ? trace_hardirqs_on_caller+0x421/0x5c0
[ 26.380230] ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 26.380670] entry_SYSCALL_64_fastpath+0xbc/0xbe
[ 26.381105] RIP: 0033:0x447c89
[ 26.381400] RSP: 002b:00007f0bf428bbd8 EFLAGS: 00000246 ORIG_RAX: 00000000000000ca
[ 26.382099] RAX: fffffffffffffdff RBX: 00007f0bf428c6cc RCX: 0000000000447c89
[ 26.382771] RDX: 0000000000000004 RSI: 000080000000000b RDI: 000000002000cffc
[ 26.383430] RBP: 0000000000748020 R08: 0000000020048000 R09: 0000000000000000
[ 26.384081] R10: 0000000020564000 R11: 0000000000000246 R12: 00000000ffffffff
[ 26.384759] R13: 0000000000000d08 R14: 00000000006e4da8 R15: 00007f0bf428c700
[ 26.390576] Dumping ftrace buffer:
[ 26.390846]    (ftrace buffer empty)
[ 26.391118] Kernel Offset: disabled
[ 26.391417] Rebooting in 86400 seconds..