2017/09/19 19:41:23 parsed 1 programs
2017/09/19 19:41:23 executed programs: 0
2017/09/19 19:41:28 executed programs: 266
[ 55.989337] ==================================================================
[ 55.996790] BUG: KASAN: use-after-free in irq_bypass_register_consumer+0x4b4/0x500
[ 56.004469] Write of size 8 at addr ffff8801cbe69c40 by task syz-executor0/4638
[ 56.011878]
[ 56.013480] CPU: 1 PID: 4638 Comm: syz-executor0 Not tainted 4.14.0-rc1+ #1
[ 56.020544] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 56.029865] Call Trace:
[ 56.032420] dump_stack+0x194/0x257
[ 56.036029] ? arch_local_irq_restore+0x53/0x53
[ 56.040675] ? show_regs_print_info+0x65/0x65
[ 56.045147] ? irq_bypass_register_consumer+0x4b4/0x500
[ 56.050480] print_address_description+0x73/0x250
[ 56.055291] ? irq_bypass_register_consumer+0x4b4/0x500
[ 56.060624] kasan_report+0x24e/0x340
[ 56.064402] __asan_report_store8_noabort+0x17/0x20
[ 56.069389] irq_bypass_register_consumer+0x4b4/0x500
[ 56.074551] ? __disconnect+0x1a0/0x1a0
[ 56.078504] ? kvm_arch_has_irq_bypass+0x11/0x50
[ 56.083236] kvm_irqfd+0x13c9/0x1db0
[ 56.086920] ? __might_sleep+0x95/0x190
[ 56.090879] ? kvm_eventfd_init+0x2a0/0x2a0
[ 56.095174] ? find_held_lock+0x39/0x1d0
[ 56.099215] ? lock_downgrade+0x990/0x990
[ 56.103341] ? __might_fault+0xe0/0x1d0
[ 56.107290] ? lock_release+0xd70/0xd70
[ 56.111232] ? check_same_owner+0x320/0x320
[ 56.115535] ? __might_sleep+0x95/0x190
[ 56.119487] ? kasan_check_write+0x14/0x20
[ 56.123692] ? _copy_from_user+0x99/0x110
[ 56.127812] kvm_vm_ioctl+0x1079/0x1c40
[ 56.131761] ? kvm_set_memory_region+0x50/0x50
[ 56.136310] ? alloc_file+0x26/0x3a0
[ 56.139993] ? anon_inode_getfile+0x26d/0x490
[ 56.144458] ? eventfd_file_create.part.3+0x193/0x250
[ 56.149629] ? find_held_lock+0x39/0x1d0
[ 56.153669] ? lock_downgrade+0x990/0x990
[ 56.157784] ? trace_hardirqs_on_caller+0x421/0x5c0
[ 56.162769] ? __lockdep_init_map+0xe4/0x650
[ 56.167154] ? __fget+0xbb/0x580
[ 56.170499] ? lock_release+0xd70/0xd70
[ 56.174446] ? __lock_is_held+0xbc/0x140
[ 56.178488] ? __fget+0x362/0x580
[ 56.181919] ? iterate_fd+0x3f0/0x3f0
[ 56.185694] ? get_unused_fd_flags+0x190/0x190
[ 56.190255] ? __lock_is_held+0xbc/0x140
[ 56.194290] ? debug_lockdep_rcu_enabled+0x77/0x90
[ 56.199189] ? selinux_file_ioctl+0x444/0x690
[ 56.203651] ? __fget_light+0x29d/0x390
[ 56.207599] kvm_vm_compat_ioctl+0x2ed/0x3e0
[ 56.211975] ? anon_inode_getfile+0x349/0x490
[ 56.216442] ? kvm_vm_ioctl+0x1c40/0x1c40
[ 56.220562] ? get_unused_fd_flags+0x190/0x190
[ 56.225113] ? __init_waitqueue_head+0x97/0x140
[ 56.229756] ? security_file_ioctl+0x7d/0xb0
[ 56.234130] ? security_file_ioctl+0x89/0xb0
[ 56.238511] compat_SyS_ioctl+0x1da/0x3300
[ 56.242718] ? compat_SyS_get_robust_list+0x300/0x300
[ 56.247875] ? kvm_vm_ioctl+0x1c40/0x1c40
[ 56.251997] ? do_ioctl+0x60/0x60
[ 56.255430] ? do_fast_syscall_32+0x158/0xeed
[ 56.259899] ? do_ioctl+0x60/0x60
[ 56.263322] do_fast_syscall_32+0x3f2/0xeed
[ 56.267615] ? compat_start_thread+0x80/0x80
[ 56.271996] ? do_int80_syscall_32+0x930/0x930
[ 56.276557] ? lockdep_sys_exit+0x47/0xf0
[ 56.280675] ? syscall_return_slowpath+0x2b3/0x500
[ 56.285570] ? finish_task_switch+0x1aa/0x740
[ 56.290043] ? prepare_exit_to_usermode+0x2c0/0x2c0
[ 56.295047] ? sysret32_from_system_call+0x5/0x3b
[ 56.299865] ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 56.304682] entry_SYSENTER_compat+0x51/0x60
[ 56.309061] RIP: 0023:0xf7f9ec79
[ 56.312401] RSP: 002b:00000000f7f7905c EFLAGS: 00000296 ORIG_RAX: 0000000000000036
[ 56.320091] RAX: ffffffffffffffda RBX: 0000000000000004 RCX: 000000004020ae76
[ 56.327330] RDX: 000000002000d000 RSI: 0000000000000000 RDI: 0000000000000000
[ 56.334568] RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
[ 56.341805] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
[ 56.349048] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[ 56.356302]
[ 56.357899] Allocated by task 4638:
[ 56.361494] save_stack_trace+0x16/0x20
[ 56.365437] save_stack+0x43/0xd0
[ 56.368863] kasan_kmalloc+0xad/0xe0
[ 56.372544] kmem_cache_alloc_trace+0x136/0x750
[ 56.377181] kvm_irqfd+0x1b6/0x1db0
[ 56.380774] kvm_vm_ioctl+0x1079/0x1c40
[ 56.384716] kvm_vm_compat_ioctl+0x2ed/0x3e0
[ 56.389096] compat_SyS_ioctl+0x1da/0x3300
[ 56.393297] do_fast_syscall_32+0x3f2/0xeed
[ 56.397586] entry_SYSENTER_compat+0x51/0x60
[ 56.401957]
[ 56.403553] Freed by task 24:
[ 56.406629] save_stack_trace+0x16/0x20
[ 56.410570] save_stack+0x43/0xd0
[ 56.413988] kasan_slab_free+0x71/0xc0
[ 56.417844] kfree+0xca/0x250
[ 56.420918] irqfd_shutdown+0x13c/0x1a0
[ 56.424858] process_one_work+0xbfa/0x1bd0
[ 56.429059] worker_thread+0x223/0x1860
[ 56.433006] kthread+0x39c/0x470
[ 56.436350] ret_from_fork+0x2a/0x40
[ 56.440035]
[ 56.441639] The buggy address belongs to the object at ffff8801cbe69ac0
[ 56.441639]  which belongs to the cache kmalloc-512 of size 512
[ 56.454264] The buggy address is located 384 bytes inside of
[ 56.454264]  512-byte region [ffff8801cbe69ac0, ffff8801cbe69cc0)
[ 56.466102] The buggy address belongs to the page:
[ 56.470998] page:ffffea00072f9a40 count:1 mapcount:0 mapping:ffff8801cbe690c0 index:0x0
[ 56.479121] flags: 0x200000000000100(slab)
[ 56.483325] raw: 0200000000000100 ffff8801cbe690c0 0000000000000000 0000000100000006
[ 56.491176] raw: ffffea00072f9e60 ffffea00072e72a0 ffff8801dac00940 0000000000000000
[ 56.499030] page dumped because: kasan: bad access detected
[ 56.504712]
[ 56.506307] Memory state around the buggy address:
[ 56.511205]  ffff8801cbe69b00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 56.518531]  ffff8801cbe69b80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 56.525856] >ffff8801cbe69c00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 56.533183]                                            ^
[ 56.538602]  ffff8801cbe69c80: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 56.545928]  ffff8801cbe69d00: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
[ 56.553250] ==================================================================
[ 56.560572] Disabling lock debugging due to kernel taint
[ 56.566071] Kernel panic - not syncing: panic_on_warn set ...
[ 56.566071]
[ 56.573409] CPU: 1 PID: 4638 Comm: syz-executor0 Tainted: G B 4.14.0-rc1+ #1
[ 56.581686] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 56.591002] Call Trace:
[ 56.593562] dump_stack+0x194/0x257
[ 56.597154] ? arch_local_irq_restore+0x53/0x53
[ 56.601790] ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 56.606510] ? irq_bypass_register_consumer+0x3e0/0x500
[ 56.611841] panic+0x1e4/0x417
[ 56.615001] ? __warn+0x1d9/0x1d9
[ 56.618430] ? irq_bypass_register_consumer+0x4b4/0x500
[ 56.623756] kasan_end_report+0x50/0x50
[ 56.627692] kasan_report+0x137/0x340
[ 56.631457] __asan_report_store8_noabort+0x17/0x20
[ 56.636439] irq_bypass_register_consumer+0x4b4/0x500
[ 56.641595] ? __disconnect+0x1a0/0x1a0
[ 56.645536] ? kvm_arch_has_irq_bypass+0x11/0x50
[ 56.650260] kvm_irqfd+0x13c9/0x1db0
[ 56.653938] ? __might_sleep+0x95/0x190
[ 56.657884] ? kvm_eventfd_init+0x2a0/0x2a0
[ 56.662172] ? find_held_lock+0x39/0x1d0
[ 56.666203] ? lock_downgrade+0x990/0x990
[ 56.670320] ? __might_fault+0xe0/0x1d0
[ 56.674263] ? lock_release+0xd70/0xd70
[ 56.678199] ? check_same_owner+0x320/0x320
[ 56.682488] ? __might_sleep+0x95/0x190
[ 56.686432] ? kasan_check_write+0x14/0x20
[ 56.690630] ? _copy_from_user+0x99/0x110
[ 56.694743] kvm_vm_ioctl+0x1079/0x1c40
[ 56.698682] ? kvm_set_memory_region+0x50/0x50
[ 56.703226] ? alloc_file+0x26/0x3a0
[ 56.706903] ? anon_inode_getfile+0x26d/0x490
[ 56.711362] ? eventfd_file_create.part.3+0x193/0x250
[ 56.716520] ? find_held_lock+0x39/0x1d0
[ 56.720549] ? lock_downgrade+0x990/0x990
[ 56.724660] ? trace_hardirqs_on_caller+0x421/0x5c0
[ 56.729641] ? __lockdep_init_map+0xe4/0x650
[ 56.734020] ? __fget+0xbb/0x580
[ 56.737363] ? lock_release+0xd70/0xd70
[ 56.741301] ? __lock_is_held+0xbc/0x140
[ 56.745335] ? __fget+0x362/0x580
[ 56.748759] ? iterate_fd+0x3f0/0x3f0
[ 56.752526] ? get_unused_fd_flags+0x190/0x190
[ 56.757077] ? __lock_is_held+0xbc/0x140
[ 56.761104] ? debug_lockdep_rcu_enabled+0x77/0x90
[ 56.765995] ? selinux_file_ioctl+0x444/0x690
[ 56.770456] ? __fget_light+0x29d/0x390
[ 56.774397] kvm_vm_compat_ioctl+0x2ed/0x3e0
[ 56.778769] ? anon_inode_getfile+0x349/0x490
[ 56.783230] ? kvm_vm_ioctl+0x1c40/0x1c40
[ 56.787341] ? get_unused_fd_flags+0x190/0x190
[ 56.791888] ? __init_waitqueue_head+0x97/0x140
[ 56.796526] ? security_file_ioctl+0x7d/0xb0
[ 56.800896] ? security_file_ioctl+0x89/0xb0
[ 56.805270] compat_SyS_ioctl+0x1da/0x3300
[ 56.809472] ? compat_SyS_get_robust_list+0x300/0x300
[ 56.814626] ? kvm_vm_ioctl+0x1c40/0x1c40
[ 56.818738] ? do_ioctl+0x60/0x60
[ 56.822159] ? do_fast_syscall_32+0x158/0xeed
[ 56.826622] ? do_ioctl+0x60/0x60
[ 56.830043] do_fast_syscall_32+0x3f2/0xeed
[ 56.834332] ? compat_start_thread+0x80/0x80
[ 56.838705] ? do_int80_syscall_32+0x930/0x930
[ 56.843253] ? lockdep_sys_exit+0x47/0xf0
[ 56.847363] ? syscall_return_slowpath+0x2b3/0x500
[ 56.852258] ? finish_task_switch+0x1aa/0x740
[ 56.856716] ? prepare_exit_to_usermode+0x2c0/0x2c0
[ 56.861702] ? sysret32_from_system_call+0x5/0x3b
[ 56.866512] ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 56.871327] entry_SYSENTER_compat+0x51/0x60
[ 56.875697] RIP: 0023:0xf7f9ec79
[ 56.879028] RSP: 002b:00000000f7f7905c EFLAGS: 00000296 ORIG_RAX: 0000000000000036
[ 56.886702] RAX: ffffffffffffffda RBX: 0000000000000004 RCX: 000000004020ae76
[ 56.893934] RDX: 000000002000d000 RSI: 0000000000000000 RDI: 0000000000000000
[ 56.901169] RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
[ 56.908403] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
[ 56.915639] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[ 56.923302] Dumping ftrace buffer:
[ 56.926812] (ftrace buffer empty)
[ 56.930485] Kernel Offset: disabled
[ 56.934077] Rebooting in 86400 seconds..