INIT: Entering runlevel: 2
[info] Using makefile-style concurrent boot in runlevel 2.
[....] Starting enhanced syslogd: rsyslogd [ ok ].
[....] Starting periodic command scheduler: cron [ ok ].
[....] Starting OpenBSD Secure Shell server: sshd [ ok ].

Debian GNU/Linux 7 syzkaller ttyS0

Warning: Permanently added 'ci-upstream-kasan-gce-386-1,10.128.15.231' (ECDSA) to the list of known hosts.
2017/09/25 13:46:00 parsed 1 programs
2017/09/25 13:46:00 executed programs: 0
2017/09/25 13:46:05 executed programs: 127
2017/09/25 13:46:10 executed programs: 255

syzkaller login: [ 41.359764] irq bypass consumer (token ffff8801d96a1840) registration fails: -16
[ 41.497186] ==================================================================
[ 41.504613] BUG: KASAN: use-after-free in irq_bypass_register_consumer+0x4f0/0x500
[ 41.512295] Read of size 8 at addr ffff8801d90e4190 by task syz-executor0/3901
[ 41.519622]
[ 41.521226] CPU: 0 PID: 3901 Comm: syz-executor0 Not tainted 4.14.0-rc2+ #10
[ 41.528381] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 41.537708] Call Trace:
[ 41.540269]  dump_stack+0x194/0x257
[ 41.543874]  ? arch_local_irq_restore+0x53/0x53
[ 41.548601]  ? show_regs_print_info+0x65/0x65
[ 41.553075]  ? irq_bypass_register_consumer+0x4f0/0x500
[ 41.558414]  print_address_description+0x73/0x250
[ 41.563230]  ? irq_bypass_register_consumer+0x4f0/0x500
[ 41.568564]  kasan_report+0x25b/0x340
[ 41.572338]  __asan_report_load8_noabort+0x14/0x20
[ 41.577240]  irq_bypass_register_consumer+0x4f0/0x500
[ 41.582402]  ? __disconnect+0x1a0/0x1a0
[ 41.586352]  ? trace_hardirqs_on_caller+0x421/0x5c0
[ 41.591340]  ? trace_hardirqs_on+0xd/0x10
[ 41.595461]  ? queue_work_on+0x106/0x1c0
[ 41.599497]  kvm_irqfd+0x137a/0x1d50
[ 41.603198]  ? kvm_eventfd_init+0x2a0/0x2a0
[ 41.607494]  ? find_held_lock+0x39/0x1d0
[ 41.611539]  ? lock_downgrade+0x990/0x990
[ 41.615669]  ? __might_fault+0xe0/0x1d0
[ 41.619617]  ? futex_wake+0x680/0x680
[ 41.623390]  ? lock_release+0xd70/0xd70
[ 41.627336]  ? check_same_owner+0x320/0x320
[ 41.631630]  ? drop_futex_key_refs.isra.13+0x63/0xb0
[ 41.636710]  ? __might_sleep+0x95/0x190
[ 41.640665]  ? kasan_check_write+0x14/0x20
[ 41.644873]  ? _copy_from_user+0x99/0x110
[ 41.648998]  kvm_vm_ioctl+0x1079/0x1c40
[ 41.652946]  ? futex_wake+0x2ca/0x680
[ 41.656724]  ? kvm_set_memory_region+0x50/0x50
[ 41.661282]  ? get_futex_key+0x1d50/0x1d50
[ 41.665499]  ? find_held_lock+0x39/0x1d0
[ 41.669546]  ? lock_downgrade+0x990/0x990
[ 41.673665]  ? up_read+0x1a/0x40
[ 41.677012]  ? __fget+0xbb/0x580
[ 41.680355]  ? lock_release+0xd70/0xd70
[ 41.684304]  ? __lock_is_held+0xbc/0x140
[ 41.688350]  ? __fget+0x362/0x580
[ 41.691781]  ? iterate_fd+0x3f0/0x3f0
[ 41.695570]  ? copy_user_generic_unrolled+0x89/0xc0
[ 41.700558]  ? _copy_to_user+0xa2/0xc0
[ 41.704417]  ? debug_lockdep_rcu_enabled+0x77/0x90
[ 41.709315]  ? selinux_file_ioctl+0x444/0x690
[ 41.713782]  ? __fget_light+0x29d/0x390
[ 41.717739]  kvm_vm_compat_ioctl+0x2ed/0x3e0
[ 41.722121]  ? kvm_vm_ioctl+0x1c40/0x1c40
[ 41.726240]  ? get_unused_fd_flags+0x190/0x190
[ 41.730795]  ? __init_waitqueue_head+0x97/0x140
[ 41.735443]  ? security_file_ioctl+0x89/0xb0
[ 41.739830]  compat_SyS_ioctl+0x1d7/0x3290
[ 41.744038]  ? compat_SyS_get_robust_list+0x300/0x300
[ 41.749201]  ? kvm_vm_ioctl+0x1c40/0x1c40
[ 41.753326]  ? do_ioctl+0x60/0x60
[ 41.756752]  ? do_fast_syscall_32+0x158/0xf05
[ 41.761221]  ? do_ioctl+0x60/0x60
[ 41.764647]  do_fast_syscall_32+0x3f2/0xf05
[ 41.768942]  ? compat_start_thread+0x80/0x80
[ 41.773324]  ? do_int80_syscall_32+0x940/0x940
[ 41.777885]  ? lockdep_sys_exit+0x47/0xf0
[ 41.782004]  ? syscall_return_slowpath+0x2b3/0x510
[ 41.786906]  ? finish_task_switch+0x1aa/0x740
[ 41.791375]  ? prepare_exit_to_usermode+0x2d0/0x2d0
[ 41.796364]  ? sysret32_from_system_call+0x5/0x3b
[ 41.801183]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 41.806006]  entry_SYSENTER_compat+0x51/0x60
[ 41.810383] RIP: 0023:0xf7f1bc79
[ 41.813719] RSP: 002b:00000000f7f1705c EFLAGS: 00000296 ORIG_RAX: 0000000000000036
[ 41.821402] RAX: ffffffffffffffda RBX: 0000000000000013 RCX: 000000004020ae76
[ 41.828642] RDX: 0000000020025fe0 RSI: 0000000000000000 RDI: 0000000000000000
[ 41.835882] RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
[ 41.843122] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
[ 41.850363] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[ 41.857621]
[ 41.859220] Allocated by task 3901:
[ 41.862819]  save_stack_trace+0x16/0x20
[ 41.866770]  save_stack+0x43/0xd0
[ 41.870194]  kasan_kmalloc+0xad/0xe0
[ 41.873877]  kmem_cache_alloc_trace+0x136/0x750
[ 41.878515]  kvm_irqfd+0x16c/0x1d50
[ 41.882110]  kvm_vm_ioctl+0x1079/0x1c40
[ 41.886052]  kvm_vm_compat_ioctl+0x2ed/0x3e0
[ 41.890431]  compat_SyS_ioctl+0x1d7/0x3290
[ 41.894636]  do_fast_syscall_32+0x3f2/0xf05
[ 41.898927]  entry_SYSENTER_compat+0x51/0x60
[ 41.903303]
[ 41.904900] Freed by task 23:
[ 41.907976]  save_stack_trace+0x16/0x20
[ 41.911922]  save_stack+0x43/0xd0
[ 41.915344]  kasan_slab_free+0x71/0xc0
[ 41.919201]  kfree+0xca/0x250
[ 41.922276]  irqfd_shutdown+0x13c/0x1a0
[ 41.926219]  process_one_work+0xbfa/0x1bd0
[ 41.930421]  worker_thread+0x223/0x1860
[ 41.934366]  kthread+0x39c/0x470
[ 41.937702]  ret_from_fork+0x2a/0x40
[ 41.941384]
[ 41.942984] The buggy address belongs to the object at ffff8801d90e4000
[ 41.942984]  which belongs to the cache kmalloc-512 of size 512
[ 41.955609] The buggy address is located 400 bytes inside of
[ 41.955609]  512-byte region [ffff8801d90e4000, ffff8801d90e4200)
[ 41.967457] The buggy address belongs to the page:
[ 41.972361] page:ffffea0007643900 count:1 mapcount:0 mapping:ffff8801d90e4000 index:0x0
[ 41.980481] flags: 0x200000000000100(slab)
[ 41.984686] raw: 0200000000000100 ffff8801d90e4000 0000000000000000 0000000100000006
[ 41.992537] raw: ffffea000764a3a0 ffffea0007622b60 ffff8801dac00940 0000000000000000
[ 42.000383] page dumped because: kasan: bad access detected
[ 42.006061]
[ 42.007658] Memory state around the buggy address:
[ 42.012554]  ffff8801d90e4080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 42.019886]  ffff8801d90e4100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 42.027224] >ffff8801d90e4180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 42.034552]                                         ^
[ 42.038409]  ffff8801d90e4200: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 42.045739]  ffff8801d90e4280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 42.053066] ==================================================================
[ 42.060391] Disabling lock debugging due to kernel taint
[ 42.065894] Kernel panic - not syncing: panic_on_warn set ...
[ 42.065894]
[ 42.073226] CPU: 0 PID: 3901 Comm: syz-executor0 Tainted: G    B 4.14.0-rc2+ #10
[ 42.081593] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 42.090913] Call Trace:
[ 42.093470]  dump_stack+0x194/0x257
[ 42.097066]  ? arch_local_irq_restore+0x53/0x53
[ 42.101700]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 42.106425]  ? irq_bypass_register_consumer+0x450/0x500
[ 42.111757]  panic+0x1e4/0x417
[ 42.114914]  ? __warn+0x1d9/0x1d9
[ 42.118339]  ? irq_bypass_register_consumer+0x4f0/0x500
[ 42.123666]  kasan_end_report+0x50/0x50
[ 42.127606]  kasan_report+0x144/0x340
[ 42.131372]  __asan_report_load8_noabort+0x14/0x20
[ 42.136265]  irq_bypass_register_consumer+0x4f0/0x500
[ 42.141421]  ? __disconnect+0x1a0/0x1a0
[ 42.145364]  ? trace_hardirqs_on_caller+0x421/0x5c0
[ 42.150344]  ? trace_hardirqs_on+0xd/0x10
[ 42.154457]  ? queue_work_on+0x106/0x1c0
[ 42.158484]  kvm_irqfd+0x137a/0x1d50
[ 42.162170]  ? kvm_eventfd_init+0x2a0/0x2a0
[ 42.166455]  ? find_held_lock+0x39/0x1d0
[ 42.170489]  ? lock_downgrade+0x990/0x990
[ 42.174606]  ? __might_fault+0xe0/0x1d0
[ 42.178546]  ? futex_wake+0x680/0x680
[ 42.182312]  ? lock_release+0xd70/0xd70
[ 42.186249]  ? check_same_owner+0x320/0x320
[ 42.190538]  ? drop_futex_key_refs.isra.13+0x63/0xb0
[ 42.195607]  ? __might_sleep+0x95/0x190
[ 42.199550]  ? kasan_check_write+0x14/0x20
[ 42.203750]  ? _copy_from_user+0x99/0x110
[ 42.207863]  kvm_vm_ioctl+0x1079/0x1c40
[ 42.211803]  ? futex_wake+0x2ca/0x680
[ 42.215570]  ? kvm_set_memory_region+0x50/0x50
[ 42.220123]  ? get_futex_key+0x1d50/0x1d50
[ 42.224328]  ? find_held_lock+0x39/0x1d0
[ 42.228361]  ? lock_downgrade+0x990/0x990
[ 42.232471]  ? up_read+0x1a/0x40
[ 42.235805]  ? __fget+0xbb/0x580
[ 42.239141]  ? lock_release+0xd70/0xd70
[ 42.243081]  ? __lock_is_held+0xbc/0x140
[ 42.247115]  ? __fget+0x362/0x580
[ 42.250536]  ? iterate_fd+0x3f0/0x3f0
[ 42.254317]  ? copy_user_generic_unrolled+0x89/0xc0
[ 42.259298]  ? _copy_to_user+0xa2/0xc0
[ 42.263153]  ? debug_lockdep_rcu_enabled+0x77/0x90
[ 42.268046]  ? selinux_file_ioctl+0x444/0x690
[ 42.272504]  ? __fget_light+0x29d/0x390
[ 42.276448]  kvm_vm_compat_ioctl+0x2ed/0x3e0
[ 42.280824]  ? kvm_vm_ioctl+0x1c40/0x1c40
[ 42.284938]  ? get_unused_fd_flags+0x190/0x190
[ 42.289487]  ? __init_waitqueue_head+0x97/0x140
[ 42.294126]  ? security_file_ioctl+0x89/0xb0
[ 42.298503]  compat_SyS_ioctl+0x1d7/0x3290
[ 42.302703]  ? compat_SyS_get_robust_list+0x300/0x300
[ 42.307861]  ? kvm_vm_ioctl+0x1c40/0x1c40
[ 42.311975]  ? do_ioctl+0x60/0x60
[ 42.315397]  ? do_fast_syscall_32+0x158/0xf05
[ 42.319866]  ? do_ioctl+0x60/0x60
[ 42.323283]  do_fast_syscall_32+0x3f2/0xf05
[ 42.327570]  ? compat_start_thread+0x80/0x80
[ 42.331944]  ? do_int80_syscall_32+0x940/0x940
[ 42.336493]  ? lockdep_sys_exit+0x47/0xf0
[ 42.340604]  ? syscall_return_slowpath+0x2b3/0x510
[ 42.345498]  ? finish_task_switch+0x1aa/0x740
[ 42.349959]  ? prepare_exit_to_usermode+0x2d0/0x2d0
[ 42.354951]  ? sysret32_from_system_call+0x5/0x3b
[ 42.359761]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 42.364574]  entry_SYSENTER_compat+0x51/0x60
[ 42.368946] RIP: 0023:0xf7f1bc79
[ 42.372275] RSP: 002b:00000000f7f1705c EFLAGS: 00000296 ORIG_RAX: 0000000000000036
[ 42.379946] RAX: ffffffffffffffda RBX: 0000000000000013 RCX: 000000004020ae76
[ 42.387183] RDX: 0000000020025fe0 RSI: 0000000000000000 RDI: 0000000000000000
[ 42.394418] RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
[ 42.401651] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
[ 42.408885] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[ 42.416168] Dumping ftrace buffer:
[ 42.419680]    (ftrace buffer empty)
[ 42.423357] Kernel Offset: disabled
[ 42.426950] Rebooting in 86400 seconds..