INIT: Entering runlevel: 2 [info] Using makefile-style concurrent boot in runlevel 2. [....] Starting enhanced syslogd: rsyslogd[?25l[?1c7[ ok 8[?25h[?0c. [....] Starting periodic command scheduler: cron[?25l[?1c7[ ok 8[?25h[?0c. [....] Starting OpenBSD Secure Shell server: sshd[?25l[?1c7[ ok 8[?25h[?0c. Debian GNU/Linux 7 syzkaller ttyS0 Warning: Permanently added 'ci-upstream-kasan-gce-386-3,10.128.0.34' (ECDSA) to the list of known hosts. 2017/10/04 17:40:29 parsed 1 programs 2017/10/04 17:40:29 executed programs: 0 2017/10/04 17:40:34 executed programs: 352 2017/10/04 17:40:39 executed programs: 699 2017/10/04 17:40:44 executed programs: 1047 2017/10/04 17:40:49 executed programs: 1392 2017/10/04 17:40:54 executed programs: 1736 2017/10/04 17:40:59 executed programs: 2086 syzkaller login: [ 165.115791] ================================================================== [ 165.123188] BUG: KASAN: use-after-free in __lock_acquire+0x407b/0x4620 [ 165.129822] Read of size 8 at addr ffff8801d80b05a8 by task syz-executor1/16767 [ 165.137232] [ 165.138827] CPU: 1 PID: 16767 Comm: syz-executor1 Not tainted 4.14.0-rc3+ #24 [ 165.146062] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 165.155381] Call Trace: [ 165.157944] dump_stack+0x194/0x257 [ 165.161543] ? arch_local_irq_restore+0x53/0x53 [ 165.166191] ? show_regs_print_info+0x65/0x65 [ 165.170665] ? __kernel_text_address+0xd/0x40 [ 165.175129] ? __lock_acquire+0x407b/0x4620 [ 165.179420] print_address_description+0x73/0x250 [ 165.184232] ? __lock_acquire+0x407b/0x4620 [ 165.188520] kasan_report+0x25b/0x340 [ 165.192289] __asan_report_load8_noabort+0x14/0x20 [ 165.197189] __lock_acquire+0x407b/0x4620 [ 165.201307] ? unwind_dump+0x4c0/0x4c0 [ 165.205171] ? __kernel_text_address+0xd/0x40 [ 165.209639] ? unwind_get_return_address+0x61/0xa0 [ 165.214546] ? debug_check_no_locks_freed+0x3d0/0x3d0 [ 165.219704] ? __save_stack_trace+0x61/0xd0 [ 165.223992] ? get_signal+0x73f/0x16d0 [ 165.227855] ? save_stack_trace+0x16/0x20 [ 165.231970] ? __lock_acquire+0x20fd/0x4620 [ 165.236259] ? debug_check_no_locks_freed+0x3d0/0x3d0 [ 165.241416] ? debug_check_no_locks_freed+0x3d0/0x3d0 [ 165.246572] ? save_stack_trace+0x16/0x20 [ 165.250686] ? __lock_acquire+0x20fd/0x4620 [ 165.254973] ? osq_unlock+0x350/0x350 [ 165.258736] ? save_stack_trace+0x16/0x20 [ 165.262851] ? check_noncircular+0x20/0x20 [ 165.267051] ? debug_check_no_locks_freed+0x3d0/0x3d0 [ 165.272205] ? debug_check_no_locks_freed+0x3d0/0x3d0 [ 165.277363] ? __unwind_start+0x169/0x330 [ 165.281475] ? find_held_lock+0x39/0x1d0 [ 165.285506] ? lock_downgrade+0x990/0x990 [ 165.289617] ? check_noncircular+0x20/0x20 [ 165.293815] lock_acquire+0x1d5/0x580 [ 165.297582] ? exit_pi_state_list+0x369/0x7a0 [ 165.302050] ? lock_release+0xd70/0xd70 [ 165.305990] ? do_raw_spin_trylock+0x190/0x190 [ 165.310536] ? find_held_lock+0x39/0x1d0 [ 165.314564] _raw_spin_lock_irq+0x5e/0x80 [ 165.318685] ? exit_pi_state_list+0x369/0x7a0 [ 165.323152] exit_pi_state_list+0x369/0x7a0 [ 165.327441] ? futex_wait_requeue_pi.constprop.19+0x1300/0x1300 [ 165.333462] ? lock_release+0xd70/0xd70 [ 165.337400] ? check_same_owner+0x320/0x320 [ 165.341687] ? _raw_spin_unlock_irqrestore+0x31/0xba [ 165.346764] ? __might_sleep+0x95/0x190 [ 165.350709] ? __might_fault+0x188/0x1d0 [ 165.354734] ? do_raw_spin_trylock+0x190/0x190 [ 165.359281] mm_release+0x46d/0x590 [ 165.362871] ? do_raw_spin_trylock+0x190/0x190 [ 165.367417] ? mm_access+0x140/0x140 [ 165.371094] ? _raw_spin_unlock_irq+0x27/0x70 [ 165.375555] ? trace_hardirqs_on_caller+0x421/0x5c0 [ 165.380542] ? trace_hardirqs_on+0xd/0x10 [ 165.384658] ? _raw_spin_unlock_irq+0x27/0x70 [ 165.389116] ? acct_collect+0x637/0x800 [ 165.393054] do_exit+0x481/0x1af0 [ 165.396472] ? mm_update_next_owner+0x930/0x930 [ 165.401104] ? lock_downgrade+0x990/0x990 [ 165.405217] ? refill_pi_state_cache.part.6+0x2f0/0x2f0 [ 165.410543] ? futex_wait+0x3ad/0x990 [ 165.414308] ? do_raw_spin_trylock+0x190/0x190 [ 165.418853] ? fault_in_user_writeable+0x90/0x90 [ 165.423573] ? futex_wake+0x680/0x680 [ 165.427336] ? fault_in_user_writeable+0x90/0x90 [ 165.432057] ? check_noncircular+0x20/0x20 [ 165.436257] ? drop_futex_key_refs.isra.13+0x63/0xb0 [ 165.441321] ? futex_wait+0x69e/0x990 [ 165.445086] ? futex_wait_setup+0x3d0/0x3d0 [ 165.449373] ? find_held_lock+0x39/0x1d0 [ 165.453400] ? lock_downgrade+0x990/0x990 [ 165.457517] ? recalc_sigpending_tsk+0x117/0x150 [ 165.462237] ? recalc_sigpending+0x103/0x160 [ 165.466609] ? recalc_sigpending_tsk+0x150/0x150 [ 165.471329] ? get_signal+0x2b2/0x16d0 [ 165.475183] do_group_exit+0x149/0x400 [ 165.479034] ? __lock_is_held+0xbc/0x140 [ 165.483058] ? SyS_exit+0x30/0x30 [ 165.486477] ? _raw_spin_unlock_irq+0x27/0x70 [ 165.490936] ? trace_hardirqs_on_caller+0x421/0x5c0 [ 165.495915] get_signal+0x73f/0x16d0 [ 165.499593] ? ptrace_notify+0x130/0x130 [ 165.503626] do_signal+0x94/0x1ee0 [ 165.507143] ? setup_sigcontext+0x7d0/0x7d0 [ 165.511438] ? find_held_lock+0x39/0x1d0 [ 165.515463] ? __compat_get_timespec+0xd9/0x120 [ 165.520101] ? exit_to_usermode_loop+0x8c/0x310 [ 165.524736] exit_to_usermode_loop+0x214/0x310 [ 165.529284] ? trace_event_raw_event_sys_exit+0x260/0x260 [ 165.534790] ? lock_acquire+0x1d5/0x580 [ 165.538737] ? do_fast_syscall_32+0x158/0xf05 [ 165.543206] do_fast_syscall_32+0x83e/0xf05 [ 165.547499] ? compat_start_thread+0x80/0x80 [ 165.551887] ? do_int80_syscall_32+0x940/0x940 [ 165.556438] ? lockdep_sys_exit+0x47/0xf0 [ 165.560552] ? syscall_return_slowpath+0x2b3/0x510 [ 165.565449] ? finish_task_switch+0x1aa/0x740 [ 165.569907] ? prepare_exit_to_usermode+0x2d0/0x2d0 [ 165.574886] ? sysret32_from_system_call+0x5/0x3b [ 165.579693] ? trace_hardirqs_off_thunk+0x1a/0x1c [ 165.584502] entry_SYSENTER_compat+0x51/0x60 [ 165.588875] RIP: 0023:0xf7fc9c79 [ 165.592207] RSP: 002b:00000000f7f8312c EFLAGS: 00000292 ORIG_RAX: 00000000000000f0 [ 165.599887] RAX: fffffffffffffe00 RBX: 00000000081280f8 RCX: 0000000000000000 [ 165.607123] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000 [ 165.614360] RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000 [ 165.621594] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000 [ 165.628830] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000 [ 165.636067] [ 165.637659] Allocated by task 16785: [ 165.641342] save_stack_trace+0x16/0x20 [ 165.645282] save_stack+0x43/0xd0 [ 165.648700] kasan_kmalloc+0xad/0xe0 [ 165.652376] kmem_cache_alloc_trace+0x136/0x750 [ 165.657008] refill_pi_state_cache.part.6+0xa5/0x2f0 [ 165.662096] futex_requeue+0x1887/0x2370 [ 165.666140] do_futex+0x7f5/0x20d0 [ 165.669643] compat_SyS_futex+0x27f/0x380 [ 165.673758] do_fast_syscall_32+0x3f2/0xf05 [ 165.678051] entry_SYSENTER_compat+0x51/0x60 [ 165.682422] [ 165.684021] Freed by task 16761: [ 165.687358] save_stack_trace+0x16/0x20 [ 165.691303] save_stack+0x43/0xd0 [ 165.694724] kasan_slab_free+0x71/0xc0 [ 165.698577] kfree+0xca/0x250 [ 165.701645] put_pi_state+0x3f4/0x560 [ 165.705416] unqueue_me_pi+0x4a/0xc0 [ 165.709109] futex_wait_requeue_pi.constprop.19+0xc7f/0x1300 [ 165.714877] do_futex+0x825/0x20d0 [ 165.718382] compat_SyS_futex+0x27f/0x380 [ 165.722494] do_fast_syscall_32+0x3f2/0xf05 [ 165.726780] entry_SYSENTER_compat+0x51/0x60 [ 165.731149] [ 165.732742] The buggy address belongs to the object at ffff8801d80b0580 [ 165.732742] which belongs to the cache kmalloc-256 of size 256 [ 165.745380] The buggy address is located 40 bytes inside of [ 165.745380] 256-byte region [ffff8801d80b0580, ffff8801d80b0680) [ 165.757130] The buggy address belongs to the page: [ 165.762029] page:ffffea0007602c00 count:1 mapcount:0 mapping:ffff8801d80b0080 index:0x0 [ 165.770138] flags: 0x200000000000100(slab) [ 165.774343] raw: 0200000000000100 ffff8801d80b0080 0000000000000000 000000010000000c [ 165.782197] raw: ffffea00076006e0 ffffea0007602860 ffff8801dac007c0 0000000000000000 [ 165.790048] page dumped because: kasan: bad access detected [ 165.795718] [ 165.797313] Memory state around the buggy address: [ 165.802206] ffff8801d80b0480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 165.809527] ffff8801d80b0500: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc [ 165.816854] >ffff8801d80b0580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 165.824184] ^ [ 165.828816] ffff8801d80b0600: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 165.836140] ffff8801d80b0680: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb [ 165.843461] ================================================================== [ 165.850783] Disabling lock debugging due to kernel taint [ 165.856197] Kernel panic - not syncing: panic_on_warn set ... [ 165.856197] [ 165.863522] CPU: 1 PID: 16767 Comm: syz-executor1 Tainted: G B 4.14.0-rc3+ #24 [ 165.871977] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 165.881297] Call Trace: [ 165.883852] dump_stack+0x194/0x257 [ 165.887456] ? arch_local_irq_restore+0x53/0x53 [ 165.892102] ? vprintk_default+0x28/0x30 [ 165.896133] ? __lock_acquire+0x3ff0/0x4620 [ 165.900419] panic+0x1e4/0x417 [ 165.903575] ? __warn+0x1d9/0x1d9 [ 165.906996] ? __lock_acquire+0x407b/0x4620 [ 165.911288] kasan_end_report+0x50/0x50 [ 165.915226] kasan_report+0x144/0x340 [ 165.918989] __asan_report_load8_noabort+0x14/0x20 [ 165.923883] __lock_acquire+0x407b/0x4620 [ 165.927993] ? unwind_dump+0x4c0/0x4c0 [ 165.931853] ? __kernel_text_address+0xd/0x40 [ 165.936318] ? unwind_get_return_address+0x61/0xa0 [ 165.941219] ? debug_check_no_locks_freed+0x3d0/0x3d0 [ 165.946375] ? __save_stack_trace+0x61/0xd0 [ 165.950663] ? get_signal+0x73f/0x16d0 [ 165.954530] ? save_stack_trace+0x16/0x20 [ 165.958645] ? __lock_acquire+0x20fd/0x4620 [ 165.962933] ? debug_check_no_locks_freed+0x3d0/0x3d0 [ 165.968090] ? debug_check_no_locks_freed+0x3d0/0x3d0 [ 165.973247] ? save_stack_trace+0x16/0x20 [ 165.977361] ? __lock_acquire+0x20fd/0x4620 [ 165.981648] ? osq_unlock+0x350/0x350 [ 165.985411] ? save_stack_trace+0x16/0x20 [ 165.989528] ? check_noncircular+0x20/0x20 [ 165.993730] ? debug_check_no_locks_freed+0x3d0/0x3d0 [ 165.998902] ? debug_check_no_locks_freed+0x3d0/0x3d0 [ 166.004077] ? __unwind_start+0x169/0x330 [ 166.008192] ? find_held_lock+0x39/0x1d0 [ 166.012217] ? lock_downgrade+0x990/0x990 [ 166.016327] ? check_noncircular+0x20/0x20 [ 166.020536] lock_acquire+0x1d5/0x580 [ 166.024310] ? exit_pi_state_list+0x369/0x7a0 [ 166.028770] ? lock_release+0xd70/0xd70 [ 166.032707] ? do_raw_spin_trylock+0x190/0x190 [ 166.037261] ? find_held_lock+0x39/0x1d0 [ 166.041298] _raw_spin_lock_irq+0x5e/0x80 [ 166.045435] ? exit_pi_state_list+0x369/0x7a0 [ 166.049912] exit_pi_state_list+0x369/0x7a0 [ 166.054202] ? futex_wait_requeue_pi.constprop.19+0x1300/0x1300 [ 166.060229] ? lock_release+0xd70/0xd70 [ 166.064167] ? check_same_owner+0x320/0x320 [ 166.068455] ? _raw_spin_unlock_irqrestore+0x31/0xba [ 166.073523] ? __might_sleep+0x95/0x190 [ 166.077466] ? __might_fault+0x188/0x1d0 [ 166.081492] ? do_raw_spin_trylock+0x190/0x190 [ 166.086038] mm_release+0x46d/0x590 [ 166.089631] ? do_raw_spin_trylock+0x190/0x190 [ 166.094180] ? mm_access+0x140/0x140 [ 166.097858] ? _raw_spin_unlock_irq+0x27/0x70 [ 166.102319] ? trace_hardirqs_on_caller+0x421/0x5c0 [ 166.107300] ? trace_hardirqs_on+0xd/0x10 [ 166.111416] ? _raw_spin_unlock_irq+0x27/0x70 [ 166.115877] ? acct_collect+0x637/0x800