INIT: Entering runlevel: 2 [info] Using makefile-style concurrent boot in runlevel 2. [....] Starting enhanced syslogd: rsyslogd[?25l[?1c7[ ok 8[?25h[?0c. [....] Starting periodic command scheduler: cron[?25l[?1c7[ ok 8[?25h[?0c. [....] Starting OpenBSD Secure Shell server: sshd[?25l[?1c7[ ok 8[?25h[?0c. Debian GNU/Linux 7 syzkaller ttyS0 Warning: Permanently added 'ci-upstream-next-kasan-gce-5,10.128.0.56' (ECDSA) to the list of known hosts. 2017/09/29 08:44:11 parsed 1 programs 2017/09/29 08:44:11 executed programs: 0 syzkaller login: [ 26.217355] capability: warning: `syz-executor3' uses 32-bit capabilities (legacy support in use) 2017/09/29 08:44:16 executed programs: 322 [ 31.244393] ================================================================== [ 31.251799] BUG: KASAN: use-after-free in __lock_acquire+0x407b/0x4620 [ 31.258452] Read of size 8 at addr ffff8801c5c9dc28 by task syz-executor3/5626 [ 31.265784] [ 31.267396] CPU: 0 PID: 5626 Comm: syz-executor3 Not tainted 4.14.0-rc2-next-20170929+ #32 [ 31.275772] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 31.285106] Call Trace: [ 31.287678] dump_stack+0x194/0x257 [ 31.291293] ? arch_local_irq_restore+0x53/0x53 [ 31.295946] ? show_regs_print_info+0x65/0x65 [ 31.300432] ? __kernel_text_address+0xd/0x40 [ 31.304914] ? __lock_acquire+0x407b/0x4620 [ 31.309215] print_address_description+0x73/0x250 [ 31.314040] ? __lock_acquire+0x407b/0x4620 [ 31.318336] kasan_report+0x25b/0x340 [ 31.322113] __asan_report_load8_noabort+0x14/0x20 [ 31.327015] __lock_acquire+0x407b/0x4620 [ 31.331139] ? unwind_dump+0x4c0/0x4c0 [ 31.334997] ? __unwind_start+0x169/0x330 [ 31.339126] ? __kernel_text_address+0xd/0x40 [ 31.343606] ? unwind_get_return_address+0x61/0xa0 [ 31.348528] ? debug_check_no_locks_freed+0x3d0/0x3d0 [ 31.353704] ? unwind_get_return_address+0x61/0xa0 [ 31.358612] ? __save_stack_trace+0x61/0xd0 [ 31.362921] ? get_signal+0x73f/0x16d0 [ 31.366799] ? save_stack_trace+0x16/0x20 [ 31.370928] ? __lock_acquire+0x20fd/0x4620 [ 31.375232] ? debug_check_no_locks_freed+0x3d0/0x3d0 [ 31.380406] ? debug_check_no_locks_freed+0x3d0/0x3d0 [ 31.385579] ? save_stack_trace+0x16/0x20 [ 31.389706] ? __lock_acquire+0x20fd/0x4620 [ 31.394005] ? osq_unlock+0x350/0x350 [ 31.397782] ? save_stack_trace+0x16/0x20 [ 31.401910] ? check_noncircular+0x20/0x20 [ 31.406129] ? check_noncircular+0x20/0x20 [ 31.410344] ? debug_check_no_locks_freed+0x3d0/0x3d0 [ 31.415515] ? debug_check_no_locks_freed+0x3d0/0x3d0 [ 31.420690] ? __lock_is_held+0xbc/0x140 [ 31.424737] ? find_held_lock+0x39/0x1d0 [ 31.428786] ? lock_downgrade+0x990/0x990 [ 31.432914] ? check_noncircular+0x20/0x20 [ 31.437130] lock_acquire+0x1d5/0x580 [ 31.440912] ? exit_pi_state_list+0x369/0x7a0 [ 31.445389] ? lock_release+0xd70/0xd70 [ 31.449338] ? do_raw_spin_trylock+0x190/0x190 [ 31.453890] ? find_held_lock+0x39/0x1d0 [ 31.457931] _raw_spin_lock_irq+0x5e/0x80 [ 31.462053] ? exit_pi_state_list+0x369/0x7a0 [ 31.466532] exit_pi_state_list+0x369/0x7a0 [ 31.470842] ? futex_wait_requeue_pi.constprop.19+0x1300/0x1300 [ 31.476877] ? lock_release+0xd70/0xd70 [ 31.480822] ? trace_event_raw_event_sched_switch+0x770/0x770 [ 31.486672] ? _raw_spin_unlock_irqrestore+0x31/0xba [ 31.491741] ? __might_sleep+0x95/0x190 [ 31.495683] ? __might_fault+0x188/0x1d0 [ 31.499710] ? do_raw_spin_trylock+0x190/0x190 [ 31.504257] mm_release+0x46d/0x590 [ 31.507848] ? do_raw_spin_trylock+0x190/0x190 [ 31.512395] ? mm_access+0x140/0x140 [ 31.516076] ? _raw_spin_unlock_irq+0x27/0x70 [ 31.520537] ? trace_hardirqs_on_caller+0x421/0x5c0 [ 31.525517] ? trace_hardirqs_on+0xd/0x10 [ 31.529628] ? _raw_spin_unlock_irq+0x27/0x70 [ 31.534090] ? acct_collect+0x637/0x800 [ 31.538033] do_exit+0x481/0x1b00 [ 31.541455] ? mm_update_next_owner+0x930/0x930 [ 31.546091] ? trace_event_raw_event_sched_switch+0x770/0x770 [ 31.551940] ? rcu_note_context_switch+0x710/0x710 [ 31.556833] ? futex_wait_setup+0x14a/0x3d0 [ 31.561121] ? __might_sleep+0x95/0x190 [ 31.565059] ? _cond_resched+0x14/0x30 [ 31.568912] ? futex_wait_queue_me+0x524/0x7e0 [ 31.573460] ? refill_pi_state_cache.part.6+0x2f0/0x2f0 [ 31.578789] ? check_noncircular+0x20/0x20 [ 31.582993] ? futex_wait_setup+0x22e/0x3d0 [ 31.587285] ? futex_wake+0x680/0x680 [ 31.591052] ? find_held_lock+0x39/0x1d0 [ 31.595081] ? lock_downgrade+0x990/0x990 [ 31.599194] ? recalc_sigpending_tsk+0x117/0x150 [ 31.603916] ? recalc_sigpending+0x103/0x160 [ 31.608288] ? recalc_sigpending_tsk+0x150/0x150 [ 31.613009] ? get_signal+0x2b2/0x16d0 [ 31.616870] do_group_exit+0x149/0x400 [ 31.620722] ? __lock_is_held+0xbc/0x140 [ 31.624745] ? SyS_exit+0x30/0x30 [ 31.628163] ? _raw_spin_unlock_irq+0x27/0x70 [ 31.632623] ? trace_hardirqs_on_caller+0x421/0x5c0 [ 31.637603] get_signal+0x73f/0x16d0 [ 31.641286] ? ptrace_notify+0x130/0x130 [ 31.645313] ? cap_ptrace_access_check+0x660/0x660 [ 31.650206] ? lock_release+0xd70/0xd70 [ 31.654149] ? exit_robust_list+0x240/0x240 [ 31.658440] do_signal+0x94/0x1ee0 [ 31.661946] ? avc_has_perm_noaudit+0x520/0x520 [ 31.666579] ? commit_creds+0x719/0x1030 [ 31.670607] ? setup_sigcontext+0x7d0/0x7d0 [ 31.674892] ? prepare_creds+0x360/0x360 [ 31.678920] ? kmemdup+0x44/0x50 [ 31.682252] ? selinux_cred_prepare+0x78/0xa0 [ 31.686711] ? security_prepare_creds+0x89/0xb0 [ 31.691347] ? security_capset+0x99/0xc0 [ 31.695375] ? exit_to_usermode_loop+0x8c/0x310 [ 31.700018] exit_to_usermode_loop+0x214/0x310 [ 31.704568] ? trace_event_raw_event_sys_exit+0x260/0x260 [ 31.710071] ? fget_raw+0x20/0x20 [ 31.713493] syscall_return_slowpath+0x42f/0x510 [ 31.718214] ? prepare_exit_to_usermode+0x2d0/0x2d0 [ 31.723195] ? entry_SYSCALL_64_fastpath+0x91/0xbe [ 31.728090] ? trace_hardirqs_on_caller+0x421/0x5c0 [ 31.733070] ? trace_hardirqs_on_thunk+0x1a/0x1c [ 31.737791] entry_SYSCALL_64_fastpath+0xbc/0xbe [ 31.742510] RIP: 0033:0x4520a9 [ 31.745665] RSP: 002b:00007fbf891ebcf8 EFLAGS: 00000246 ORIG_RAX: 00000000000000ca [ 31.753335] RAX: 0000000000000000 RBX: 0000000000718188 RCX: 00000000004520a9 [ 31.760568] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000718188 [ 31.767802] RBP: 0000000000718160 R08: 0000000000000000 R09: 0000000000000000 [ 31.775038] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 [ 31.782273] R13: 00007ffcfe3c255f R14: 00007fbf891ec9c0 R15: 0000000000000006 [ 31.789515] [ 31.791109] Allocated by task 5643: [ 31.794702] save_stack_trace+0x16/0x20 [ 31.798643] save_stack+0x43/0xd0 [ 31.802059] kasan_kmalloc+0xad/0xe0 [ 31.805737] kmem_cache_alloc_trace+0x136/0x750 [ 31.810372] refill_pi_state_cache.part.6+0xa5/0x2f0 [ 31.815443] futex_requeue+0x1887/0x2370 [ 31.819469] do_futex+0x7f5/0x20d0 [ 31.822971] SyS_futex+0x260/0x390 [ 31.826475] entry_SYSCALL_64_fastpath+0x1f/0xbe [ 31.831193] [ 31.832784] Freed by task 5615: [ 31.836030] save_stack_trace+0x16/0x20 [ 31.839970] save_stack+0x43/0xd0 [ 31.843386] kasan_slab_free+0x71/0xc0 [ 31.847235] kfree+0xca/0x250 [ 31.850303] put_pi_state+0x3f4/0x560 [ 31.854066] unqueue_me_pi+0x4a/0xc0 [ 31.857743] futex_wait_requeue_pi.constprop.19+0xc7f/0x1300 [ 31.863503] do_futex+0x825/0x20d0 [ 31.867007] SyS_futex+0x260/0x390 [ 31.870519] entry_SYSCALL_64_fastpath+0x1f/0xbe [ 31.875237] [ 31.876833] The buggy address belongs to the object at ffff8801c5c9dc00 [ 31.876833] which belongs to the cache kmalloc-256 of size 256 [ 31.889452] The buggy address is located 40 bytes inside of [ 31.889452] 256-byte region [ffff8801c5c9dc00, ffff8801c5c9dd00) [ 31.901199] The buggy address belongs to the page: [ 31.906090] page:ffffea0007172740 count:1 mapcount:0 mapping:ffff8801c5c9d0c0 index:0x0 [ 31.914197] flags: 0x200000000000100(slab) [ 31.918400] raw: 0200000000000100 ffff8801c5c9d0c0 0000000000000000 000000010000000c [ 31.926243] raw: ffffea0007170260 ffffea000717fee0 ffff8801dac007c0 0000000000000000 [ 31.934085] page dumped because: kasan: bad access detected [ 31.939754] [ 31.941344] Memory state around the buggy address: [ 31.946239] ffff8801c5c9db00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 31.953561] ffff8801c5c9db80: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc [ 31.960883] >ffff8801c5c9dc00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 31.968202] ^ [ 31.972834] ffff8801c5c9dc80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 31.980154] ffff8801c5c9dd00: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb [ 31.987476] ================================================================== [ 31.994794] Disabling lock debugging due to kernel taint [ 32.000207] Kernel panic - not syncing: panic_on_warn set ... [ 32.000207] [ 32.007536] CPU: 0 PID: 5626 Comm: syz-executor3 Tainted: G B 4.14.0-rc2-next-20170929+ #32 [ 32.017112] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 32.026431] Call Trace: [ 32.028986] dump_stack+0x194/0x257 [ 32.032578] ? arch_local_irq_restore+0x53/0x53 [ 32.037213] ? vprintk_default+0x28/0x30 [ 32.041240] ? __lock_acquire+0x4000/0x4620 [ 32.045528] panic+0x1e4/0x41c [ 32.048685] ? refcount_error_report+0x214/0x214 [ 32.053410] ? __lock_acquire+0x407b/0x4620 [ 32.057697] kasan_end_report+0x50/0x50 [ 32.061634] kasan_report+0x144/0x340 [ 32.065401] __asan_report_load8_noabort+0x14/0x20 [ 32.070295] __lock_acquire+0x407b/0x4620 [ 32.074408] ? unwind_dump+0x4c0/0x4c0 [ 32.078258] ? __unwind_start+0x169/0x330 [ 32.082373] ? __kernel_text_address+0xd/0x40 [ 32.086832] ? unwind_get_return_address+0x61/0xa0 [ 32.091729] ? debug_check_no_locks_freed+0x3d0/0x3d0 [ 32.096881] ? unwind_get_return_address+0x61/0xa0 [ 32.101774] ? __save_stack_trace+0x61/0xd0 [ 32.106062] ? get_signal+0x73f/0x16d0 [ 32.109916] ? save_stack_trace+0x16/0x20 [ 32.114028] ? __lock_acquire+0x20fd/0x4620 [ 32.118318] ? debug_check_no_locks_freed+0x3d0/0x3d0 [ 32.123478] ? debug_check_no_locks_freed+0x3d0/0x3d0 [ 32.128635] ? save_stack_trace+0x16/0x20 [ 32.132747] ? __lock_acquire+0x20fd/0x4620 [ 32.137036] ? osq_unlock+0x350/0x350 [ 32.140798] ? save_stack_trace+0x16/0x20 [ 32.144912] ? check_noncircular+0x20/0x20 [ 32.149112] ? check_noncircular+0x20/0x20 [ 32.153311] ? debug_check_no_locks_freed+0x3d0/0x3d0 [ 32.158466] ? debug_check_no_locks_freed+0x3d0/0x3d0 [ 32.163623] ? __lock_is_held+0xbc/0x140 [ 32.167649] ? find_held_lock+0x39/0x1d0 [ 32.171681] ? lock_downgrade+0x990/0x990 [ 32.175792] ? check_noncircular+0x20/0x20 [ 32.179990] lock_acquire+0x1d5/0x580 [ 32.183755] ? exit_pi_state_list+0x369/0x7a0 [ 32.188547] ? lock_release+0xd70/0xd70 [ 32.192488] ? do_raw_spin_trylock+0x190/0x190 [ 32.197032] ? find_held_lock+0x39/0x1d0 [ 32.201072] _raw_spin_lock_irq+0x5e/0x80 [ 32.205187] ? exit_pi_state_list+0x369/0x7a0 [ 32.209645] exit_pi_state_list+0x369/0x7a0 [ 32.213935] ? futex_wait_requeue_pi.constprop.19+0x1300/0x1300 [ 32.219958] ? lock_release+0xd70/0xd70 [ 32.223897] ? trace_event_raw_event_sched_switch+0x770/0x770 [ 32.229751] ? _raw_spin_unlock_irqrestore+0x31/0xba [ 32.234820] ? __might_sleep+0x95/0x190 [ 32.238760] ? __might_fault+0x188/0x1d0 [ 32.242787] ? do_raw_spin_trylock+0x190/0x190