INIT: Entering runlevel: 2 [info] Using makefile-style concurrent boot in runlevel 2. [....] Starting enhanced syslogd: rsyslogd[?25l[?1c7[ ok 8[?25h[?0c. [....] Starting periodic command scheduler: cron[?25l[?1c7[ ok 8[?25h[?0c. [....] Starting OpenBSD Secure Shell server: sshd[?25l[?1c7[ ok 8[?25h[?0c. Debian GNU/Linux 7 syzkaller ttyS0 Warning: Permanently added 'ci-upstream-mmots-kasan-gce-4,10.128.15.233' (ECDSA) to the list of known hosts. 2017/10/01 21:58:07 parsed 1 programs 2017/10/01 21:58:07 executed programs: 0 2017/10/01 21:58:12 executed programs: 584 2017/10/01 21:58:17 executed programs: 1157 syzkaller login: [ 55.563213] ================================================================== [ 55.564300] BUG: KASAN: use-after-free in __lock_acquire+0x407b/0x4620 [ 55.565743] Read of size 8 at addr ffff8801d6993528 by task syz-executor1/8611 [ 55.566781] [ 55.567080] CPU: 1 PID: 8611 Comm: syz-executor1 Not tainted 4.14.0-rc2-mm1+ #11 [ 55.568638] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 55.570614] Call Trace: [ 55.570978] dump_stack+0x194/0x257 [ 55.571480] ? arch_local_irq_restore+0x53/0x53 [ 55.572601] ? show_regs_print_info+0x65/0x65 [ 55.573286] ? __kernel_text_address+0xd/0x40 [ 55.573914] ? __lock_acquire+0x407b/0x4620 [ 55.574493] print_address_description+0x73/0x250 [ 55.575141] ? __lock_acquire+0x407b/0x4620 [ 55.575740] kasan_report+0x25b/0x340 [ 55.576251] __asan_report_load8_noabort+0x14/0x20 [ 55.576904] __lock_acquire+0x407b/0x4620 [ 55.577466] ? __unwind_start+0x169/0x330 [ 55.578031] ? __kernel_text_address+0xd/0x40 [ 55.578641] ? unwind_get_return_address+0x61/0xa0 [ 55.579305] ? debug_check_no_locks_freed+0x3d0/0x3d0 [ 55.579997] ? unwind_get_return_address+0x61/0xa0 [ 55.580820] ? __save_stack_trace+0x61/0xd0 [ 55.581404] ? get_signal+0x73f/0x16d0 [ 55.581928] ? perf_trace_run_bpf_submit+0x1a9/0x2a0 [ 55.582606] ? debug_check_no_locks_freed+0x3d0/0x3d0 [ 55.583294] ? perf_trace_run_bpf_submit+0x1a9/0x2a0 [ 55.583971] ? perf_trace_run_bpf_submit+0x1b2/0x2a0 [ 55.589051] ? perf_tp_event+0xbe0/0xbe0 [ 55.593093] ? debug_check_no_locks_freed+0x3d0/0x3d0 [ 55.598257] ? memset+0x31/0x40 [ 55.601506] ? perf_trace_lock+0x3e9/0x860 [ 55.605709] ? check_noncircular+0x20/0x20 [ 55.609919] ? perf_trace_run_bpf_submit+0x1a9/0x2a0 [ 55.614994] ? perf_trace_run_bpf_submit+0x1b2/0x2a0 [ 55.620068] ? perf_trace_run_bpf_submit+0x1a9/0x2a0 [ 55.625134] ? perf_trace_run_bpf_submit+0x1b2/0x2a0 [ 55.630202] ? perf_tp_event+0xbe0/0xbe0 [ 55.634243] ? find_held_lock+0x39/0x1d0 [ 55.638283] ? lock_downgrade+0x990/0x990 [ 55.642397] ? check_noncircular+0x20/0x20 [ 55.646602] lock_acquire+0x1d5/0x580 [ 55.650372] ? exit_pi_state_list+0x369/0x7a0 [ 55.654833] ? trace_hardirqs_on_thunk+0x1a/0x1c [ 55.659554] ? lock_release+0xd70/0xd70 [ 55.663495] ? retint_kernel+0x10/0x10 [ 55.667350] _raw_spin_lock_irq+0x5e/0x80 [ 55.671464] ? exit_pi_state_list+0x369/0x7a0 [ 55.675926] exit_pi_state_list+0x369/0x7a0 [ 55.680214] ? futex_wait_requeue_pi.constprop.19+0x1300/0x1300 [ 55.686236] ? lock_release+0xd70/0xd70 [ 55.690177] ? trace_event_raw_event_sched_switch+0x770/0x770 [ 55.696031] ? _raw_spin_unlock_irqrestore+0x31/0xba [ 55.701108] ? __might_sleep+0x95/0x190 [ 55.705052] ? __might_fault+0x188/0x1d0 [ 55.709082] ? do_raw_spin_trylock+0x190/0x190 [ 55.713629] mm_release+0x46d/0x590 [ 55.717220] ? do_raw_spin_trylock+0x190/0x190 [ 55.721767] ? mm_access+0x140/0x140 [ 55.725456] ? trace_hardirqs_on_caller+0x421/0x5c0 [ 55.730443] ? trace_hardirqs_on+0xd/0x10 [ 55.734556] ? _raw_spin_unlock_irq+0x27/0x70 [ 55.739022] ? acct_collect+0x637/0x800 [ 55.742969] do_exit+0x481/0x1b00 [ 55.746388] ? mm_update_next_owner+0x930/0x930 [ 55.751028] ? perf_trace_run_bpf_submit+0x1a9/0x2a0 [ 55.756102] ? perf_trace_run_bpf_submit+0x1a9/0x2a0 [ 55.761171] ? perf_trace_run_bpf_submit+0x1b2/0x2a0 [ 55.766242] ? perf_tp_event+0xbe0/0xbe0 [ 55.770269] ? find_held_lock+0x39/0x1d0 [ 55.774296] ? memset+0x31/0x40 [ 55.777544] ? perf_trace_lock+0x3e9/0x860 [ 55.781744] ? refill_pi_state_cache.part.6+0x2f0/0x2f0 [ 55.787072] ? check_noncircular+0x20/0x20 [ 55.791278] ? fault_in_user_writeable+0x90/0x90 [ 55.795998] ? futex_wake+0x680/0x680 [ 55.800131] ? find_held_lock+0x39/0x1d0 [ 55.804159] ? lock_downgrade+0x990/0x990 [ 55.808274] ? recalc_sigpending_tsk+0x117/0x150 [ 55.812997] ? recalc_sigpending+0x103/0x160 [ 55.817372] ? recalc_sigpending_tsk+0x150/0x150 [ 55.822093] ? get_signal+0x2b2/0x16d0 [ 55.825954] do_group_exit+0x149/0x400 [ 55.829807] ? __lock_is_held+0xbc/0x140 [ 55.833831] ? SyS_exit+0x30/0x30 [ 55.837249] ? _raw_spin_unlock_irq+0x27/0x70 [ 55.841711] ? trace_hardirqs_on_caller+0x421/0x5c0 [ 55.846692] get_signal+0x73f/0x16d0 [ 55.850372] ? ptrace_notify+0x130/0x130 [ 55.854403] ? perf_trace_lock+0x3e9/0x860 [ 55.858612] ? exit_robust_list+0x240/0x240 [ 55.862899] ? __do_page_fault+0x31e/0xd60 [ 55.867098] ? __handle_mm_fault+0x39c0/0x39c0 [ 55.871644] ? vmacache_update+0xfe/0x130 [ 55.875759] do_signal+0x94/0x1ee0 [ 55.879263] ? up_read+0x1a/0x40 [ 55.882593] ? __do_page_fault+0x3d6/0xd60 [ 55.886793] ? find_held_lock+0x39/0x1d0 [ 55.890820] ? setup_sigcontext+0x7d0/0x7d0 [ 55.895106] ? lock_downgrade+0x990/0x990 [ 55.899220] ? lock_release+0xd70/0xd70 [ 55.903158] ? trace_event_raw_event_sched_switch+0x770/0x770 [ 55.909008] ? exit_to_usermode_loop+0x8c/0x310 [ 55.913651] exit_to_usermode_loop+0x214/0x310 [ 55.918198] ? trace_event_raw_event_sys_exit+0x260/0x260 [ 55.923698] ? kasan_check_write+0x14/0x20 [ 55.927899] syscall_return_slowpath+0x42f/0x510 [ 55.932622] ? prepare_exit_to_usermode+0x2d0/0x2d0 [ 55.937602] ? entry_SYSCALL_64_fastpath+0x91/0xbe [ 55.942497] ? trace_hardirqs_on_caller+0x421/0x5c0 [ 55.947477] ? trace_hardirqs_on_thunk+0x1a/0x1c [ 55.952205] entry_SYSCALL_64_fastpath+0xbc/0xbe [ 55.956930] RIP: 0033:0x4520a9 [ 55.960084] RSP: 002b:00007f8ab3758cf8 EFLAGS: 00000246 ORIG_RAX: 00000000000000ca [ 55.967762] RAX: fffffffffffffe00 RBX: 0000000000718028 RCX: 00000000004520a9 [ 55.975003] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000718028 [ 55.982244] RBP: 0000000000718000 R08: 0000000000000000 R09: 0000000000000000 [ 55.989481] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 [ 55.996716] R13: 0000000000a6f7ef R14: 00007f8ab37599c0 R15: 0000000000000000 [ 56.003954] [ 56.005550] Allocated by task 8635: [ 56.009145] save_stack_trace+0x16/0x20 [ 56.013087] save_stack+0x43/0xd0 [ 56.016514] kasan_kmalloc+0xad/0xe0 [ 56.020201] kmem_cache_alloc_trace+0x136/0x750 [ 56.024836] refill_pi_state_cache.part.6+0xa5/0x2f0 [ 56.029910] futex_requeue+0x1887/0x2370 [ 56.033942] do_futex+0x7f5/0x20d0 [ 56.037447] SyS_futex+0x260/0x390 [ 56.040954] entry_SYSCALL_64_fastpath+0x1f/0xbe [ 56.045670] [ 56.047264] Freed by task 8623: [ 56.050507] save_stack_trace+0x16/0x20 [ 56.054446] save_stack+0x43/0xd0 [ 56.057865] kasan_slab_free+0x71/0xc0 [ 56.061716] kfree+0xca/0x250 [ 56.064786] do_exit+0x1533/0x1b00 [ 56.068287] do_group_exit+0x149/0x400 [ 56.072145] get_signal+0x73f/0x16d0 [ 56.075831] do_signal+0x94/0x1ee0 [ 56.079335] exit_to_usermode_loop+0x214/0x310 [ 56.083882] syscall_return_slowpath+0x42f/0x510 [ 56.088604] entry_SYSCALL_64_fastpath+0xbc/0xbe [ 56.093321] [ 56.094913] The buggy address belongs to the object at ffff8801d6993500 [ 56.094913] which belongs to the cache kmalloc-256 of size 256 [ 56.107536] The buggy address is located 40 bytes inside of [ 56.107536] 256-byte region [ffff8801d6993500, ffff8801d6993600) [ 56.119288] The buggy address belongs to the page: [ 56.124180] page:ffffea00075a64c0 count:1 mapcount:0 mapping:ffff8801d6993000 index:0x0 [ 56.132286] flags: 0x200000000000100(slab) [ 56.136493] raw: 0200000000000100 ffff8801d6993000 0000000000000000 000000010000000c [ 56.144336] raw: ffffea00075a3e60 ffffea00075a6760 ffff8801dac007c0 0000000000000000 [ 56.152176] page dumped because: kasan: bad access detected [ 56.157847] [ 56.159435] Memory state around the buggy address: [ 56.164328] ffff8801d6993400: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 56.171650] ffff8801d6993480: 00 00 00 fc fc fc fc fc fc fc fc fc fc fc fc fc [ 56.178973] >ffff8801d6993500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 56.186292] ^ [ 56.190923] ffff8801d6993580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 56.198244] ffff8801d6993600: fc fc fc fc fc fc fc fc 00 00 00 00 00 00 00 00 [ 56.205562] ================================================================== [ 56.212880] Disabling lock debugging due to kernel taint [ 56.218290] Kernel panic - not syncing: panic_on_warn set ... [ 56.218290] [ 56.225615] CPU: 1 PID: 8611 Comm: syz-executor1 Tainted: G B 4.14.0-rc2-mm1+ #11 [ 56.234325] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 56.243641] Call Trace: [ 56.246193] dump_stack+0x194/0x257 [ 56.249784] ? arch_local_irq_restore+0x53/0x53 [ 56.254416] ? vprintk_default+0x28/0x30 [ 56.258441] ? __lock_acquire+0x4060/0x4620 [ 56.262726] panic+0x1e4/0x41c [ 56.265882] ? refcount_error_report+0x214/0x214 [ 56.270604] ? __lock_acquire+0x407b/0x4620 [ 56.274890] kasan_end_report+0x50/0x50 [ 56.278825] kasan_report+0x144/0x340 [ 56.282592] __asan_report_load8_noabort+0x14/0x20 [ 56.287485] __lock_acquire+0x407b/0x4620 [ 56.291597] ? __unwind_start+0x169/0x330 [ 56.295709] ? __kernel_text_address+0xd/0x40 [ 56.300166] ? unwind_get_return_address+0x61/0xa0 [ 56.305064] ? debug_check_no_locks_freed+0x3d0/0x3d0 [ 56.310221] ? unwind_get_return_address+0x61/0xa0 [ 56.315113] ? __save_stack_trace+0x61/0xd0 [ 56.319398] ? get_signal+0x73f/0x16d0 [ 56.323252] ? perf_trace_run_bpf_submit+0x1a9/0x2a0 [ 56.328317] ? debug_check_no_locks_freed+0x3d0/0x3d0 [ 56.333470] ? perf_trace_run_bpf_submit+0x1a9/0x2a0 [ 56.338536] ? perf_trace_run_bpf_submit+0x1b2/0x2a0 [ 56.343603] ? perf_tp_event+0xbe0/0xbe0 [ 56.347628] ? debug_check_no_locks_freed+0x3d0/0x3d0 [ 56.352783] ? memset+0x31/0x40 [ 56.356029] ? perf_trace_lock+0x3e9/0x860 [ 56.360229] ? check_noncircular+0x20/0x20 [ 56.364428] ? perf_trace_run_bpf_submit+0x1a9/0x2a0 [ 56.369496] ? perf_trace_run_bpf_submit+0x1b2/0x2a0 [ 56.374563] ? perf_trace_run_bpf_submit+0x1a9/0x2a0 [ 56.379629] ? perf_trace_run_bpf_submit+0x1b2/0x2a0 [ 56.384694] ? perf_tp_event+0xbe0/0xbe0 [ 56.388719] ? find_held_lock+0x39/0x1d0 [ 56.392748] ? lock_downgrade+0x990/0x990 [ 56.396859] ? check_noncircular+0x20/0x20 [ 56.401058] lock_acquire+0x1d5/0x580 [ 56.404824] ? exit_pi_state_list+0x369/0x7a0 [ 56.409286] ? trace_hardirqs_on_thunk+0x1a/0x1c [ 56.414008] ? lock_release+0xd70/0xd70 [ 56.417951] ? retint_kernel+0x10/0x10 [ 56.421805] _raw_spin_lock_irq+0x5e/0x80 [ 56.425916] ? exit_pi_state_list+0x369/0x7a0 [ 56.430371] exit_pi_state_list+0x369/0x7a0 [ 56.434657] ? futex_wait_requeue_pi.constprop.19+0x1300/0x1300 [ 56.440678] ? lock_release+0xd70/0xd70 [ 56.444615] ? trace_event_raw_event_sched_switch+0x770/0x770 [ 56.450465] ? _raw_spin_unlock_irqrestore+0x31/0xba [ 56.455530] ? __might_sleep+0x95/0x190 [ 56.459469] ? __might_fault+0x188/0x1d0 [ 56.463494] ? do_raw_spin_trylock+0x190/0x190 [ 56.468041] mm_release+0x46d/0x590 [ 56.471633] ? do_raw_spin_trylock+0x190/0x190 [ 56.476176] ? mm_access+0x140/0x140 [ 56.479854] ? trace_hardirqs_on_caller+0x421/0x5c0 [ 56.484832] ? trace_hardirqs_on+0xd/0x10 [ 56.488942] ? _raw_spin_unlock_irq+0x27/0x70 [ 56.493399] ? acct_collect+0x637/0x800 [ 56.497337] do_exit+0x481/0x1b00 [ 56.500757] ? mm_update_next_owner+0x930/0x930 [ 56.505386] ? perf_trace_run_bpf_submit+0x1a9/0x2a0 [ 56.510451] ? perf_trace_run_bpf_submit+0x1a9/0x2a0 [ 56.515534] ? perf_trace_run_bpf_submit+0x1b2/0x2a0 [ 56.520607] ? perf_tp_event+0xbe0/0xbe0 [ 56.524632] ? find_held_lock+0x39/0x1d0 [ 56.528656] ? memset+0x31/0x40 [ 56.531901] ? perf_trace_lock+0x3e9/0x860 [ 56.536098] ? refill_pi_state_cache.part.6+0x2f0/0x2f0 [ 56.541424] ? check_noncircular+0x20/0x20 [ 56.545622] ? fault_in_user_writeable+0x90/0x90 [ 56.550339] ? futex_wake+0x680/0x680 [ 56.554105] ? find_held_lock+0x39/0x1d0 [ 56.558130] ? lock_downgrade+0x990/0x990 [ 56.562244] ? recalc_sigpending_tsk+0x117/0x150