INIT: Entering runlevel: 2 [info] Using makefile-style concurrent boot in runlevel 2. [....] Starting enhanced syslogd: rsyslogd[?25l[?1c7[ ok 8[?25h[?0c. [....] Starting periodic command scheduler: cron[?25l[?1c7[ ok 8[?25h[?0c. [....] Starting OpenBSD Secure Shell server: sshd[?25l[?1c7[ ok 8[?25h[?0c. Debian GNU/Linux 7 syzkaller ttyS0 Warning: Permanently added 'ci-upstream-next-kasan-gce-2,10.128.0.36' (ECDSA) to the list of known hosts. 2017/09/29 16:14:39 parsed 1 programs 2017/09/29 16:14:39 executed programs: 0 syzkaller login: [ 27.686450] ================================================================== [ 27.687635] BUG: KASAN: use-after-free in __lock_acquire+0x407b/0x4620 [ 27.688524] Read of size 8 at addr ffff8801ca553aa8 by task syz-executor3/4321 [ 27.689496] [ 27.689752] CPU: 0 PID: 4321 Comm: syz-executor3 Not tainted 4.14.0-rc2-next-20170929+ #32 [ 27.691212] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 27.692580] Call Trace: [ 27.692964] dump_stack+0x194/0x257 [ 27.693529] ? arch_local_irq_restore+0x53/0x53 [ 27.694201] ? show_regs_print_info+0x65/0x65 [ 27.694821] ? __kernel_text_address+0xd/0x40 [ 27.695444] ? __lock_acquire+0x407b/0x4620 [ 27.696134] print_address_description+0x73/0x250 [ 27.696814] ? __lock_acquire+0x407b/0x4620 [ 27.697528] kasan_report+0x25b/0x340 [ 27.698113] __asan_report_load8_noabort+0x14/0x20 [ 27.698822] __lock_acquire+0x407b/0x4620 [ 27.699490] ? unwind_dump+0x4c0/0x4c0 [ 27.700290] ? __unwind_start+0x169/0x330 [ 27.700978] ? __kernel_text_address+0xd/0x40 [ 27.701602] ? unwind_get_return_address+0x61/0xa0 [ 27.702286] ? debug_check_no_locks_freed+0x3d0/0x3d0 [ 27.702986] ? unwind_get_return_address+0x61/0xa0 [ 27.703656] ? __save_stack_trace+0x61/0xd0 [ 27.704257] ? get_signal+0x73f/0x16d0 [ 27.704795] ? save_stack_trace+0x16/0x20 [ 27.705386] ? __lock_acquire+0x20fd/0x4620 [ 27.705976] ? debug_check_no_locks_freed+0x3d0/0x3d0 [ 27.707417] ? debug_check_no_locks_freed+0x3d0/0x3d0 [ 27.712589] ? save_stack_trace+0x16/0x20 [ 27.716719] ? __lock_acquire+0x20fd/0x4620 [ 27.721030] ? osq_unlock+0x350/0x350 [ 27.724809] ? save_stack_trace+0x16/0x20 [ 27.728934] ? check_noncircular+0x20/0x20 [ 27.733147] ? check_noncircular+0x20/0x20 [ 27.737370] ? debug_check_no_locks_freed+0x3d0/0x3d0 [ 27.742564] ? debug_check_no_locks_freed+0x3d0/0x3d0 [ 27.747742] ? find_held_lock+0x39/0x1d0 [ 27.751794] ? lock_downgrade+0x990/0x990 [ 27.755927] ? check_noncircular+0x20/0x20 [ 27.760146] lock_acquire+0x1d5/0x580 [ 27.763937] ? exit_pi_state_list+0x369/0x7a0 [ 27.768423] ? lock_release+0xd70/0xd70 [ 27.772381] ? do_raw_spin_trylock+0x190/0x190 [ 27.776963] _raw_spin_lock_irq+0x5e/0x80 [ 27.781100] ? exit_pi_state_list+0x369/0x7a0 [ 27.785581] exit_pi_state_list+0x369/0x7a0 [ 27.789903] ? futex_wait_requeue_pi.constprop.19+0x1300/0x1300 [ 27.795957] ? lock_release+0xd70/0xd70 [ 27.799932] ? trace_event_raw_event_sched_switch+0x770/0x770 [ 27.805812] ? _raw_spin_unlock_irqrestore+0x31/0xba [ 27.810913] ? __might_sleep+0x95/0x190 [ 27.814879] ? __might_fault+0x188/0x1d0 [ 27.818936] ? do_raw_spin_trylock+0x190/0x190 [ 27.823495] mm_release+0x46d/0x590 [ 27.827112] ? do_raw_spin_trylock+0x190/0x190 [ 27.831672] ? mm_access+0x140/0x140 [ 27.835376] ? _raw_spin_unlock_irq+0x27/0x70 [ 27.839863] ? trace_hardirqs_on_caller+0x421/0x5c0 [ 27.844859] ? trace_hardirqs_on+0xd/0x10 [ 27.848986] ? _raw_spin_unlock_irq+0x27/0x70 [ 27.853476] ? acct_collect+0x637/0x800 [ 27.857442] do_exit+0x481/0x1b00 [ 27.860891] ? mm_update_next_owner+0x930/0x930 [ 27.865553] ? trace_event_raw_event_sched_switch+0x770/0x770 [ 27.871427] ? rcu_note_context_switch+0x710/0x710 [ 27.876354] ? futex_wait_setup+0x14a/0x3d0 [ 27.880659] ? __might_sleep+0x95/0x190 [ 27.884625] ? _cond_resched+0x14/0x30 [ 27.888502] ? futex_wait_queue_me+0x524/0x7e0 [ 27.893071] ? refill_pi_state_cache.part.6+0x2f0/0x2f0 [ 27.898439] ? check_noncircular+0x20/0x20 [ 27.902662] ? futex_wait_setup+0x22e/0x3d0 [ 27.906969] ? futex_wake+0x680/0x680 [ 27.910752] ? find_held_lock+0x39/0x1d0 [ 27.914906] ? lock_downgrade+0x990/0x990 [ 27.919047] ? recalc_sigpending_tsk+0x117/0x150 [ 27.923791] ? recalc_sigpending+0x103/0x160 [ 27.928183] ? recalc_sigpending_tsk+0x150/0x150 [ 27.932923] ? get_signal+0x2b2/0x16d0 [ 27.936797] do_group_exit+0x149/0x400 [ 27.940665] ? __lock_is_held+0xbc/0x140 [ 27.944909] ? SyS_exit+0x30/0x30 [ 27.948342] ? _raw_spin_unlock_irq+0x27/0x70 [ 27.952823] ? trace_hardirqs_on_caller+0x421/0x5c0 [ 27.957827] get_signal+0x73f/0x16d0 [ 27.961526] ? ptrace_notify+0x130/0x130 [ 27.965570] ? __schedule+0x8f0/0x2070 [ 27.969440] ? exit_robust_list+0x240/0x240 [ 27.973735] do_signal+0x94/0x1ee0 [ 27.977256] ? find_held_lock+0x39/0x1d0 [ 27.981306] ? setup_sigcontext+0x7d0/0x7d0 [ 27.985610] ? lock_downgrade+0x990/0x990 [ 27.989747] ? lock_release+0xd70/0xd70 [ 27.993692] ? trace_event_raw_event_sched_switch+0x770/0x770 [ 27.999546] ? lock_acquire+0x1d5/0x580 [ 28.003492] ? finish_task_switch+0x1aa/0x740 [ 28.007966] ? exit_to_usermode_loop+0x8c/0x310 [ 28.012611] exit_to_usermode_loop+0x214/0x310 [ 28.017171] ? trace_event_raw_event_sys_exit+0x260/0x260 [ 28.022678] ? kasan_check_write+0x14/0x20 [ 28.026891] syscall_return_slowpath+0x42f/0x510 [ 28.031615] ? prepare_exit_to_usermode+0x2d0/0x2d0 [ 28.036601] ? entry_SYSCALL_64_fastpath+0x91/0xbe [ 28.041499] ? trace_hardirqs_on_caller+0x421/0x5c0 [ 28.046484] ? trace_hardirqs_on_thunk+0x1a/0x1c [ 28.051297] entry_SYSCALL_64_fastpath+0xbc/0xbe [ 28.056025] RIP: 0033:0x4520a9 [ 28.059190] RSP: 002b:00007ff1fbe09cf8 EFLAGS: 00000246 ORIG_RAX: 00000000000000ca [ 28.066866] RAX: 0000000000000000 RBX: 0000000000718188 RCX: 00000000004520a9 [ 28.074116] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000718188 [ 28.081357] RBP: 0000000000718160 R08: 0000000000000000 R09: 0000000000000000 [ 28.088599] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 [ 28.095856] R13: 00007fff2d5b5b1f R14: 00007ff1fbe0a9c0 R15: 0000000000000003 [ 28.103120] [ 28.104727] Allocated by task 4348: [ 28.108326] save_stack_trace+0x16/0x20 [ 28.112282] save_stack+0x43/0xd0 [ 28.115715] kasan_kmalloc+0xad/0xe0 [ 28.119403] kmem_cache_alloc_trace+0x136/0x750 [ 28.124045] refill_pi_state_cache.part.6+0xa5/0x2f0 [ 28.129125] futex_requeue+0x1887/0x2370 [ 28.133154] do_futex+0x7f5/0x20d0 [ 28.136661] SyS_futex+0x260/0x390 [ 28.140182] entry_SYSCALL_64_fastpath+0x1f/0xbe [ 28.144905] [ 28.146503] Freed by task 4315: [ 28.149752] save_stack_trace+0x16/0x20 [ 28.153694] save_stack+0x43/0xd0 [ 28.157115] kasan_slab_free+0x71/0xc0 [ 28.160970] kfree+0xca/0x250 [ 28.164047] put_pi_state+0x3f4/0x560 [ 28.167821] unqueue_me_pi+0x4a/0xc0 [ 28.171501] futex_wait_requeue_pi.constprop.19+0xc7f/0x1300 [ 28.177264] do_futex+0x825/0x20d0 [ 28.180777] SyS_futex+0x260/0x390 [ 28.184301] entry_SYSCALL_64_fastpath+0x1f/0xbe [ 28.189024] [ 28.190624] The buggy address belongs to the object at ffff8801ca553a80 [ 28.190624] which belongs to the cache kmalloc-256 of size 256 [ 28.203246] The buggy address is located 40 bytes inside of [ 28.203246] 256-byte region [ffff8801ca553a80, ffff8801ca553b80) [ 28.214997] The buggy address belongs to the page: [ 28.219908] page:ffffea00072954c0 count:1 mapcount:0 mapping:ffff8801ca553080 index:0x0 [ 28.228019] flags: 0x200000000000100(slab) [ 28.232229] raw: 0200000000000100 ffff8801ca553080 0000000000000000 000000010000000c [ 28.240085] raw: ffffea000729a860 ffffea00072bcae0 ffff8801dac007c0 0000000000000000 [ 28.247933] page dumped because: kasan: bad access detected [ 28.253607] [ 28.255198] Memory state around the buggy address: [ 28.260092] ffff8801ca553980: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 28.267418] ffff8801ca553a00: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc [ 28.274742] >ffff8801ca553a80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 28.282064] ^ [ 28.286697] ffff8801ca553b00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 28.294027] ffff8801ca553b80: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb [ 28.301355] ================================================================== [ 28.308677] Disabling lock debugging due to kernel taint [ 28.314095] Kernel panic - not syncing: panic_on_warn set ... [ 28.314095] [ 28.321426] CPU: 0 PID: 4321 Comm: syz-executor3 Tainted: G B 4.14.0-rc2-next-20170929+ #32 [ 28.331015] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 28.340344] Call Trace: [ 28.342904] dump_stack+0x194/0x257 [ 28.346509] ? arch_local_irq_restore+0x53/0x53 [ 28.351146] ? vprintk_default+0x28/0x30 [ 28.355180] ? __lock_acquire+0x4000/0x4620 [ 28.359475] panic+0x1e4/0x41c [ 28.362652] ? refcount_error_report+0x214/0x214 [ 28.367382] ? __lock_acquire+0x407b/0x4620 [ 28.371672] kasan_end_report+0x50/0x50 [ 28.375634] kasan_report+0x144/0x340 [ 28.379405] __asan_report_load8_noabort+0x14/0x20 [ 28.384306] __lock_acquire+0x407b/0x4620 [ 28.388421] ? unwind_dump+0x4c0/0x4c0 [ 28.392273] ? __unwind_start+0x169/0x330 [ 28.396397] ? __kernel_text_address+0xd/0x40 [ 28.400861] ? unwind_get_return_address+0x61/0xa0 [ 28.405758] ? debug_check_no_locks_freed+0x3d0/0x3d0 [ 28.410912] ? unwind_get_return_address+0x61/0xa0 [ 28.415819] ? __save_stack_trace+0x61/0xd0 [ 28.420108] ? get_signal+0x73f/0x16d0 [ 28.423969] ? save_stack_trace+0x16/0x20 [ 28.428086] ? __lock_acquire+0x20fd/0x4620 [ 28.432376] ? debug_check_no_locks_freed+0x3d0/0x3d0 [ 28.437534] ? debug_check_no_locks_freed+0x3d0/0x3d0 [ 28.442689] ? save_stack_trace+0x16/0x20 [ 28.446803] ? __lock_acquire+0x20fd/0x4620 [ 28.451092] ? osq_unlock+0x350/0x350 [ 28.454867] ? save_stack_trace+0x16/0x20 [ 28.458981] ? check_noncircular+0x20/0x20 [ 28.463184] ? check_noncircular+0x20/0x20 [ 28.467386] ? debug_check_no_locks_freed+0x3d0/0x3d0 [ 28.472544] ? debug_check_no_locks_freed+0x3d0/0x3d0 [ 28.477704] ? find_held_lock+0x39/0x1d0 [ 28.481732] ? lock_downgrade+0x990/0x990 [ 28.485863] ? check_noncircular+0x20/0x20 [ 28.490065] lock_acquire+0x1d5/0x580 [ 28.493835] ? exit_pi_state_list+0x369/0x7a0 [ 28.498305] ? lock_release+0xd70/0xd70 [ 28.502246] ? do_raw_spin_trylock+0x190/0x190 [ 28.506799] _raw_spin_lock_irq+0x5e/0x80 [ 28.510922] ? exit_pi_state_list+0x369/0x7a0 [ 28.515383] exit_pi_state_list+0x369/0x7a0 [ 28.519675] ? futex_wait_requeue_pi.constprop.19+0x1300/0x1300 [ 28.525699] ? lock_release+0xd70/0xd70 [ 28.529639] ? trace_event_raw_event_sched_switch+0x770/0x770 [ 28.535566] ? _raw_spin_unlock_irqrestore+0x31/0xba [ 28.540637] ? __might_sleep+0x95/0x190 [ 28.544597] ? __might_fault+0x188/0x1d0 [ 28.548641] ? do_raw_spin_trylock+0x190/0x190 [ 28.553193] mm_release+0x46d/0x590 [ 28.556803] ? do_raw_spin_trylock+0x190/0x190 [ 28.561355] ? mm_access+0x140/0x140 [ 28.565046] ? _raw_spin_unlock_irq+0x27/0x70 [ 28.569514] ? trace_hardirqs_on_caller+0x421/0x5c0 [ 28.574496] ? trace_hardirqs_on+0xd/0x10 [ 28.578611] ? _raw_spin_unlock_irq+0x27/0x70 [ 28.583078] ? acct_collect+0x637/0x800 [ 28.587030] do_exit+0x481/0x1b00 [ 28.590453] ? mm_update_next_owner+0x930/0x930 [ 28.595091] ? trace_event_raw_event_sched_switch+0x770/0x770 [ 28.600943] ? rcu_note_context_switch+0x710/0x710 [ 28.605836] ? futex_wait_setup+0x14a/0x3d0 [ 28.610127] ? __might_sleep+0x95/0x190 [ 28.614069] ? _cond_resched+0x14/0x30 [ 28.617923] ? futex_wait_queue_me+0x524/0x7e0 [ 28.622472] ? refill_pi_state_cache.part.6+0x2f0/0x2f0 [ 28.627819] ? check_noncircular+0x20/0x20 [ 28.632035] ? futex_wait_setup+0x22e/0x3d0 [ 28.636330] ? futex_wake+0x680/0x680 [ 28.640101] ? find_held_lock+0x39/0x1d0 [ 28.644140] ? lock_downgrade+0x990/0x990 [ 28.648261] ? recalc_sigpending_tsk+0x117/0x150 [ 28.652983] ? recalc_sigpending+0x103/0x160 [ 28.657358] ? recalc_sigpending_tsk+0x150/0x150 [ 28.662079] ? get_signal+0x2b2/0x16d0 [ 28.665937] do_group_exit+0x149/0x400 [ 28.669792] ? __lock_is_held+0xbc/0x140 [ 28.673821] ? SyS_exit+0x30/0x30 [ 28.677243] ? _raw_spin_unlock_irq+0x27/0x70 [ 28.681715] ? trace_hardirqs_on_caller+0x421/0x5c0 [ 28.686703] get_signal+0x73f/0x16d0