Debian GNU/Linux 7 syzkaller ttyS0 2017/10/28 12:22:06 parsed 1 programs 2017/10/28 12:22:06 executed programs: 0 2017/10/28 12:22:11 executed programs: 37 2017/10/28 12:22:16 executed programs: 73 2017/10/28 12:22:21 executed programs: 110 2017/10/28 12:22:26 executed programs: 144 2017/10/28 12:22:31 executed programs: 178 syzkaller login: [ 123.579198] ================================================================== [ 123.579772] BUG: KASAN: use-after-free in __lock_acquire+0x3c9f/0x3d50 [ 123.580378] Read of size 8 at addr ffff88006bd69be8 by task syz-executor0/4081 [ 123.580907] [ 123.581028] CPU: 1 PID: 4081 Comm: syz-executor0 Not tainted 4.14.0-rc5-next-20171018+ #8 [ 123.582058] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011 [ 123.582651] Call Trace: [ 123.582839] dump_stack+0x194/0x257 [ 123.583097] ? arch_local_irq_restore+0x53/0x53 [ 123.583408] ? show_regs_print_info+0x65/0x65 [ 123.583736] ? print_irqtrace_events+0x270/0x270 [ 123.584075] ? print_irqtrace_events+0x270/0x270 [ 123.584432] ? __lock_acquire+0x3c9f/0x3d50 [ 123.584748] print_address_description+0x73/0x250 [ 123.585090] ? __lock_acquire+0x3c9f/0x3d50 [ 123.585401] kasan_report+0x25b/0x340 [ 123.585681] __asan_report_load8_noabort+0x14/0x20 [ 123.586025] __lock_acquire+0x3c9f/0x3d50 [ 123.586322] ? exit_pi_state_list+0x369/0x7a0 [ 123.586644] ? debug_check_no_locks_freed+0x3c0/0x3c0 [ 123.587002] ? __lock_acquire+0x6aa/0x3d50 [ 123.587389] ? __lock_acquire+0x6aa/0x3d50 [ 123.587718] ? __lock_acquire+0x6aa/0x3d50 [ 123.588015] ? debug_check_no_locks_freed+0x3c0/0x3c0 [ 123.588432] ? debug_check_no_locks_freed+0x3c0/0x3c0 [ 123.588901] ? check_noncircular+0x20/0x20 [ 123.589286] ? osq_unlock+0x350/0x350 [ 123.589631] ? __lock_acquire+0x6aa/0x3d50 [ 123.590015] ? __lock_acquire+0x6aa/0x3d50 [ 123.590404] ? debug_check_no_locks_freed+0x3c0/0x3c0 [ 123.590764] ? check_noncircular+0x20/0x20 [ 123.591060] ? print_irqtrace_events+0x270/0x270 [ 123.591415] ? check_noncircular+0x20/0x20 [ 123.591713] ? lock_release+0xa40/0xa40 [ 123.591991] ? switched_to_fair+0xb0/0xb0 [ 123.592282] ? __lock_is_held+0xb6/0x140 [ 123.592568] ? find_held_lock+0x35/0x1d0 [ 123.592853] lock_acquire+0x1d5/0x580 [ 123.593118] ? lock_acquire+0x1d5/0x580 [ 123.593395] ? exit_pi_state_list+0x369/0x7a0 [ 123.593709] ? lock_downgrade+0x990/0x990 [ 123.594089] ? lock_release+0xa40/0xa40 [ 123.594454] ? do_raw_spin_trylock+0x190/0x190 [ 123.594869] ? lock_downgrade+0x990/0x990 [ 123.595249] _raw_spin_lock_irq+0x5e/0x80 [ 123.595627] ? exit_pi_state_list+0x369/0x7a0 [ 123.596040] exit_pi_state_list+0x369/0x7a0 [ 123.596437] ? futex_wait_requeue_pi.constprop.19+0x1300/0x1300 [ 123.596914] ? lock_release+0xa40/0xa40 [ 123.597149] ? trace_event_raw_event_sched_switch+0x8a0/0x8a0 [ 123.597494] ? _raw_spin_unlock_irqrestore+0x31/0xba [ 123.597795] ? __might_sleep+0x95/0x190 [ 123.598029] ? __might_fault+0x188/0x1d0 [ 123.598444] ? do_raw_spin_trylock+0x190/0x190 [ 123.598867] mm_release+0x46d/0x590 [ 123.599225] ? do_raw_spin_trylock+0x190/0x190 [ 123.599668] ? mm_access+0x140/0x140 [ 123.600018] ? _raw_spin_unlock_irq+0x27/0x70 [ 123.600432] ? trace_hardirqs_on_caller+0x421/0x5c0 [ 123.600901] ? trace_hardirqs_on+0xd/0x10 [ 123.601284] ? _raw_spin_unlock_irq+0x27/0x70 [ 123.601708] ? acct_collect+0x637/0x800 [ 123.602080] do_exit+0x481/0x1ad0 [ 123.602423] ? mm_update_next_owner+0x930/0x930 [ 123.603240] ? trace_event_raw_event_sched_switch+0x8a0/0x8a0 [ 123.603776] ? rcu_note_context_switch+0x710/0x710 [ 123.604136] ? futex_wait_setup+0x14a/0x3d0 [ 123.604450] ? __might_sleep+0x95/0x190 [ 123.604738] ? find_held_lock+0x35/0x1d0 [ 123.605053] ? futex_wait+0x402/0x990 [ 123.605340] ? lock_downgrade+0x990/0x990 [ 123.605650] ? do_raw_spin_trylock+0x190/0x190 [ 123.605990] ? check_noncircular+0x20/0x20 [ 123.606311] ? futex_wake+0x680/0x680 [ 123.606582] ? mmdrop+0x18/0x30 [ 123.606856] ? drop_futex_key_refs.isra.13+0x63/0xa0 [ 123.607309] ? futex_wait+0x69e/0x990 [ 123.607648] ? find_held_lock+0x35/0x1d0 [ 123.608009] ? get_signal+0x7ae/0x16d0 [ 123.608364] ? lock_downgrade+0x990/0x990 [ 123.608746] do_group_exit+0x149/0x400 [ 123.609107] ? __lock_is_held+0xb6/0x140 [ 123.609474] ? SyS_exit+0x30/0x30 [ 123.609785] ? _raw_spin_unlock_irq+0x27/0x70 [ 123.610187] ? trace_hardirqs_on_caller+0x421/0x5c0 [ 123.610546] get_signal+0x73f/0x16d0 [ 123.610825] ? ptrace_notify+0x130/0x130 [ 123.611106] ? vma_link+0xe9/0x170 [ 123.611352] ? exit_robust_list+0x240/0x240 [ 123.611650] ? wake_up_q+0x8a/0xe0 [ 123.611893] ? rwsem_wake+0x313/0x520 [ 123.612156] do_signal+0x94/0x1ee0 [ 123.612403] ? vm_mmap_pgoff+0x1ed/0x280 [ 123.612745] ? lock_downgrade+0x990/0x990 [ 123.613127] ? userfaultfd_unmap_complete+0x327/0x510 [ 123.613605] ? setup_sigcontext+0x7d0/0x7d0 [ 123.614006] ? userfaultfd_unmap_prep+0x540/0x540 [ 123.614455] ? call_rwsem_wake+0x1b/0x30 [ 123.614824] ? up_write+0xd8/0x120 [ 123.615145] ? down_read_killable+0x180/0x180 [ 123.615553] ? security_mmap_file+0x143/0x180 [ 123.615960] ? vm_mmap_pgoff+0x1fc/0x280 [ 123.616337] ? exit_to_usermode_loop+0x8c/0x310 [ 123.616772] exit_to_usermode_loop+0x214/0x310 [ 123.617192] ? vma_is_stack_for_current+0xa0/0xa0 [ 123.617636] ? trace_event_raw_event_sys_exit+0x260/0x260 [ 123.618151] ? kasan_check_write+0x14/0x20 [ 123.618556] syscall_return_slowpath+0x42f/0x510 [ 123.618991] ? prepare_exit_to_usermode+0x2d0/0x2d0 [ 123.619447] ? entry_SYSCALL_64_fastpath+0x91/0xbe [ 123.619900] ? trace_hardirqs_on_caller+0x421/0x5c0 [ 123.620356] ? trace_hardirqs_on_thunk+0x1a/0x1c [ 123.620790] entry_SYSCALL_64_fastpath+0xbc/0xbe [ 123.621219] RIP: 0033:0x447c89 [ 123.621507] RSP: 002b:00007fce2b72cce8 EFLAGS: 00000246 ORIG_RAX: 00000000000000ca [ 123.622216] RAX: fffffffffffffe00 RBX: 00000000007481b8 RCX: 0000000000447c89 [ 123.622882] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 00000000007481b8 [ 123.623546] RBP: 00000000007481b8 R08: 0000000000000000 R09: 0000000000748190 [ 123.624958] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 [ 123.625585] R13: 0000000000000000 R14: 00007fce2b72d9c0 R15: 00007fce2b72d700 [ 123.626108] [ 123.626247] Allocated by task 4082: [ 123.626516] save_stack+0x43/0xd0 [ 123.626776] kasan_kmalloc+0xad/0xe0 [ 123.627049] kmem_cache_alloc_trace+0x136/0x750 [ 123.627414] refill_pi_state_cache.part.6+0xa5/0x2f0 [ 123.627737] futex_requeue+0x1887/0x2370 [ 123.627980] do_futex+0x7f5/0x20d0 [ 123.628207] SyS_futex+0x260/0x390 [ 123.628429] entry_SYSCALL_64_fastpath+0x1f/0xbe [ 123.628755] [ 123.628861] Freed by task 4080: [ 123.629069] save_stack+0x43/0xd0 [ 123.629283] kasan_slab_free+0x71/0xc0 [ 123.629523] kfree+0xca/0x250 [ 123.629708] put_pi_state+0x3f4/0x560 [ 123.629931] unqueue_me_pi+0x4a/0xc0 [ 123.630162] futex_wait_requeue_pi.constprop.19+0xc7f/0x1300 [ 123.630654] do_futex+0x825/0x20d0 [ 123.630904] SyS_futex+0x260/0x390 [ 123.631175] entry_SYSCALL_64_fastpath+0x1f/0xbe [ 123.631571] [ 123.631728] The buggy address belongs to the object at ffff88006bd69bc0 [ 123.631728] which belongs to the cache kmalloc-256 of size 256 [ 123.632817] The buggy address is located 40 bytes inside of [ 123.632817] 256-byte region [ffff88006bd69bc0, ffff88006bd69cc0) [ 123.633537] The buggy address belongs to the page: [ 123.633838] page:ffffea0001af5a40 count:1 mapcount:0 mapping:ffff88006bd69080 index:0x0 [ 123.634431] flags: 0x500000000000100(slab) [ 123.634818] raw: 0500000000000100 ffff88006bd69080 0000000000000000 000000010000000c [ 123.635524] raw: ffffea0001af5da0 ffff88006d800648 ffff88003e8007c0 0000000000000000 [ 123.636229] page dumped because: kasan: bad access detected [ 123.636741] [ 123.636887] Memory state around the buggy address: [ 123.637331] ffff88006bd69a80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 123.637993] ffff88006bd69b00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 123.638665] >ffff88006bd69b80: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb [ 123.639145] ^ [ 123.639544] ffff88006bd69c00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 123.640023] ffff88006bd69c80: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc [ 123.640449] ================================================================== [ 123.640876] Disabling lock debugging due to kernel taint [ 123.641222] Kernel panic - not syncing: panic_on_warn set ... [ 123.641222] [ 123.641654] CPU: 1 PID: 4081 Comm: syz-executor0 Tainted: G B 4.14.0-rc5-next-20171018+ #8 [ 123.642378] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011 [ 123.643172] Call Trace: [ 123.643423] dump_stack+0x194/0x257 [ 123.643758] ? arch_local_irq_restore+0x53/0x53 [ 123.644183] ? kasan_end_report+0x32/0x50 [ 123.644574] ? lock_downgrade+0x990/0x990 [ 123.644957] ? vsnprintf+0x1ed/0x1900 [ 123.645306] ? __lock_acquire+0x3c50/0x3d50 [ 123.645701] panic+0x1e4/0x41c [ 123.645997] ? refcount_error_report+0x214/0x214 [ 123.646795] ? add_taint+0x40/0x50 [ 123.647129] ? add_taint+0x1c/0x50 [ 123.647465] ? __lock_acquire+0x3c9f/0x3d50 [ 123.647796] kasan_end_report+0x50/0x50 [ 123.648080] kasan_report+0x144/0x340 [ 123.648376] __asan_report_load8_noabort+0x14/0x20 [ 123.648803] __lock_acquire+0x3c9f/0x3d50 [ 123.649110] ? exit_pi_state_list+0x369/0x7a0 [ 123.649451] ? debug_check_no_locks_freed+0x3c0/0x3c0 [ 123.649848] ? __lock_acquire+0x6aa/0x3d50 [ 123.650150] ? __lock_acquire+0x6aa/0x3d50 [ 123.650470] ? __lock_acquire+0x6aa/0x3d50 [ 123.650764] ? debug_check_no_locks_freed+0x3c0/0x3c0 [ 123.651143] ? debug_check_no_locks_freed+0x3c0/0x3c0 [ 123.651516] ? check_noncircular+0x20/0x20 [ 123.651810] ? osq_unlock+0x350/0x350 [ 123.652095] ? __lock_acquire+0x6aa/0x3d50 [ 123.652452] ? __lock_acquire+0x6aa/0x3d50 [ 123.652766] ? debug_check_no_locks_freed+0x3c0/0x3c0 [ 123.653141] ? check_noncircular+0x20/0x20 [ 123.653392] ? print_irqtrace_events+0x270/0x270 [ 123.653698] ? check_noncircular+0x20/0x20 [ 123.653948] ? lock_release+0xa40/0xa40 [ 123.654283] ? switched_to_fair+0xb0/0xb0 [ 123.654666] ? __lock_is_held+0xb6/0x140 [ 123.655041] ? find_held_lock+0x35/0x1d0 [ 123.655361] lock_acquire+0x1d5/0x580 [ 123.655587] ? lock_acquire+0x1d5/0x580 [ 123.655826] ? exit_pi_state_list+0x369/0x7a0 [ 123.656091] ? lock_downgrade+0x990/0x990 [ 123.656355] ? lock_release+0xa40/0xa40 [ 123.656603] ? do_raw_spin_trylock+0x190/0x190 [ 123.656871] ? lock_downgrade+0x990/0x990 [ 123.657118] _raw_spin_lock_irq+0x5e/0x80 [ 123.657362] ? exit_pi_state_list+0x369/0x7a0 [ 123.657646] exit_pi_state_list+0x369/0x7a0 [ 123.657902] ? futex_wait_requeue_pi.constprop.19+0x1300/0x1300 [ 123.658329] ? lock_release+0xa40/0xa40 [ 123.658589] ? trace_event_raw_event_sched_switch+0x8a0/0x8a0 [ 123.658932] ? _raw_spin_unlock_irqrestore+0x31/0xba [ 123.659233] ? __might_sleep+0x95/0x190 [ 123.659469] ? __might_fault+0x188/0x1d0 [ 123.659731] ? do_raw_spin_trylock+0x190/0x190 [ 123.660002] mm_release+0x46d/0x590 [ 123.660226] ? do_raw_spin_trylock+0x190/0x190 [ 123.660526] ? mm_access+0x140/0x140 [ 123.660773] ? _raw_spin_unlock_irq+0x27/0x70 [ 123.661044] ? trace_hardirqs_on_caller+0x421/0x5c0 [ 123.661379] ? trace_hardirqs_on+0xd/0x10 [ 123.661650] ? _raw_spin_unlock_irq+0x27/0x70 [ 123.661949] ? acct_collect+0x637/0x800 [ 123.662186] do_exit+0x481/0x1ad0 [ 123.662643] ? mm_update_next_owner+0x930/0x930 [ 123.663069] ? trace_event_raw_event_sched_switch+0x8a0/0x8a0 [ 123.663605] ? rcu_note_context_switch+0x710/0x710 [ 123.664053] ? futex_wait_setup+0x14a/0x3d0 [ 123.664449] ? __might_sleep+0x95/0x190 [ 123.664825] ? find_held_lock+0x35/0x1d0 [ 123.665210] ? futex_wait+0x402/0x990 [ 123.665566] ? lock_downgrade+0x990/0x990 [ 123.665952] ? do_raw_spin_trylock+0x190/0x190 [ 123.666388] ? check_noncircular+0x20/0x20 [ 123.667132] ? futex_wake+0x680/0x680 [ 123.667482] ? mmdrop+0x18/0x30 [ 123.667783] ? drop_futex_key_refs.isra.13+0x63/0xa0 [ 123.668245] ? futex_wait+0x69e/0x990 [ 123.668594] ? find_held_lock+0x35/0x1d0 [ 123.668967] ? get_signal+0x7ae/0x16d0 [ 123.669357] ? lock_downgrade+0x990/0x990 [ 123.669765] do_group_exit+0x149/0x400 [ 123.670125] ? __lock_is_held+0xb6/0x140 [ 123.670635] ? SyS_exit+0x30/0x30 [ 123.670964] ? _raw_spin_unlock_irq+0x27/0x70 [ 123.671416] ? trace_hardirqs_on_caller+0x421/0x5c0 [ 123.671879] get_signal+0x73f/0x16d0 [ 123.672226] ? ptrace_notify+0x130/0x130 [ 123.672598] ? vma_link+0xe9/0x170 [ 123.672854] ? exit_robust_list+0x240/0x240 [ 123.673159] ? wake_up_q+0x8a/0xe0 [ 123.673486] ? rwsem_wake+0x313/0x520 [ 123.673843] do_signal+0x94/0x1ee0 [ 123.674101] ? vm_mmap_pgoff+0x1ed/0x280 [ 123.674400] ? lock_downgrade+0x990/0x990 [ 123.674704] ? userfaultfd_unmap_complete+0x327/0x510 [ 123.675112] ? setup_sigcontext+0x7d0/0x7d0 [ 123.675497] ? userfaultfd_unmap_prep+0x540/0x540 [ 123.675946] ? call_rwsem_wake+0x1b/0x30 [ 123.676331] ? up_write+0xd8/0x120 [ 123.676591] ? down_read_killable+0x180/0x180 [ 123.676923] ? security_mmap_file+0x143/0x180 [ 123.677337] ? vm_mmap_pgoff+0x1fc/0x280 [ 123.677732] ? exit_to_usermode_loop+0x8c/0x310 [ 123.678170] exit_to_usermode_loop+0x214/0x310 [ 123.678599] ? vma_is_stack_for_current+0xa0/0xa0 [ 123.679042] ? trace_event_raw_event_sys_exit+0x260/0x260 [ 123.679555] ? kasan_check_write+0x14/0x20 [ 123.679958] syscall_return_slowpath+0x42f/0x510 [ 123.680385] ? prepare_exit_to_usermode+0x2d0/0x2d0 [ 123.680855] ? entry_SYSCALL_64_fastpath+0x91/0xbe [ 123.681321] ? trace_hardirqs_on_caller+0x421/0x5c0 [ 123.681782] ? trace_hardirqs_on_thunk+0x1a/0x1c [ 123.682230] entry_SYSCALL_64_fastpath+0xbc/0xbe [ 123.682662] RIP: 0033:0x447c89 [ 123.682950] RSP: 002b:00007fce2b72cce8 EFLAGS: 00000246 ORIG_RAX: 00000000000000ca [ 123.683644] RAX: fffffffffffffe00 RBX: 00000000007481b8 RCX: 0000000000447c89 [ 123.684299] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 00000000007481b8 [ 123.684961] RBP: 00000000007481b8 R08: 0000000000000000 R09: 0000000000748190 [ 123.685661] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 [ 123.686346] R13: 0000000000000000 R14: 00007fce2b72d9c0 R15: 00007fce2b72d700 [ 123.687111] Dumping ftrace buffer: [ 123.687441] (ftrace buffer empty) [ 123.688075] Kernel Offset: disabled [ 123.688410] Rebooting in 86400 seconds..