2017/10/26 16:06:10 parsed 1 programs 2017/10/26 16:06:10 executed programs: 0 syzkaller login: [ 31.749409] ================================================================== [ 31.749915] BUG: KASAN: use-after-free in __lock_acquire+0x3c9f/0x3d50 [ 31.750890] Read of size 8 at addr ffff88003dd0ba68 by task syz-executor2/4746 [ 31.751483] [ 31.751635] CPU: 2 PID: 4746 Comm: syz-executor2 Not tainted 4.14.0-rc5-next-20171018+ #8 [ 31.752269] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011 [ 31.752870] Call Trace: [ 31.753044] dump_stack+0x194/0x257 [ 31.753288] ? arch_local_irq_restore+0x53/0x53 [ 31.753627] ? show_regs_print_info+0x65/0x65 [ 31.754315] ? print_irqtrace_events+0x270/0x270 [ 31.754616] ? print_irqtrace_events+0x270/0x270 [ 31.755032] ? __lock_acquire+0x3c9f/0x3d50 [ 31.755360] print_address_description+0x73/0x250 [ 31.755667] ? __lock_acquire+0x3c9f/0x3d50 [ 31.756008] kasan_report+0x25b/0x340 [ 31.756274] __asan_report_load8_noabort+0x14/0x20 [ 31.756594] __lock_acquire+0x3c9f/0x3d50 [ 31.758058] ? debug_check_no_locks_freed+0x3c0/0x3c0 [ 31.758425] ? exit_pi_state_list+0x369/0x7a0 [ 31.758701] ? debug_check_no_locks_freed+0x3c0/0x3c0 [ 31.759186] ? mark_held_locks+0xaf/0x100 [ 31.759567] ? retint_kernel+0x10/0x10 [ 31.759909] ? trace_hardirqs_on_caller+0x421/0x5c0 [ 31.760376] ? trace_hardirqs_on_thunk+0x1a/0x1c [ 31.760799] ? retint_kernel+0x10/0x10 [ 31.761156] ? exit_pi_state_list+0x361/0x7a0 [ 31.761567] ? queued_spin_lock_slowpath+0x1c4/0xfa0 [ 31.762040] ? osq_unlock+0x350/0x350 [ 31.762507] ? __lock_acquire+0x6aa/0x3d50 [ 31.762876] ? check_noncircular+0x20/0x20 [ 31.763246] ? debug_check_no_locks_freed+0x3c0/0x3c0 [ 31.763711] ? check_noncircular+0x20/0x20 [ 31.764077] ? find_held_lock+0x35/0x1d0 [ 31.764439] ? kprobe_flush_task+0x1a3/0x5d0 [ 31.764835] ? find_held_lock+0x35/0x1d0 [ 31.765195] lock_acquire+0x1d5/0x580 [ 31.765519] ? lock_acquire+0x1d5/0x580 [ 31.766349] ? exit_pi_state_list+0x369/0x7a0 [ 31.766740] ? lock_downgrade+0x990/0x990 [ 31.767097] ? lock_release+0xa40/0xa40 [ 31.767451] ? do_raw_spin_trylock+0x190/0x190 [ 31.767812] ? trace_hardirqs_on+0xd/0x10 [ 31.768122] _raw_spin_lock_irq+0x5e/0x80 [ 31.768422] ? exit_pi_state_list+0x369/0x7a0 [ 31.768745] exit_pi_state_list+0x369/0x7a0 [ 31.769065] ? futex_wait_requeue_pi.constprop.19+0x1300/0x1300 [ 31.769535] ? lock_release+0xa40/0xa40 [ 31.770083] ? trace_event_raw_event_sched_switch+0x8a0/0x8a0 [ 31.771210] ? _raw_spin_unlock_irqrestore+0x31/0xba [ 31.771783] ? __might_sleep+0x95/0x190 [ 31.772149] ? __might_fault+0x188/0x1d0 [ 31.772623] ? do_raw_spin_trylock+0x190/0x190 [ 31.773046] mm_release+0x46d/0x590 [ 31.773384] ? do_raw_spin_trylock+0x190/0x190 [ 31.774052] ? mm_access+0x140/0x140 [ 31.774446] ? _raw_spin_unlock_irq+0x27/0x70 [ 31.774730] ? trace_hardirqs_on_caller+0x421/0x5c0 [ 31.775170] ? trace_hardirqs_on+0xd/0x10 [ 31.775416] ? _raw_spin_unlock_irq+0x27/0x70 [ 31.775775] ? acct_collect+0x637/0x800 [ 31.776136] do_exit+0x481/0x1ad0 [ 31.776462] ? mm_update_next_owner+0x930/0x930 [ 31.776772] ? trace_event_raw_event_sched_switch+0x8a0/0x8a0 [ 31.777215] ? rcu_note_context_switch+0x710/0x710 [ 31.777584] ? futex_wait_setup+0x14a/0x3d0 [ 31.778284] ? __might_sleep+0x95/0x190 [ 31.778609] ? _cond_resched+0x14/0x30 [ 31.778937] ? futex_wait_queue_me+0x524/0x7e0 [ 31.779353] ? refill_pi_state_cache.part.6+0x2f0/0x2f0 [ 31.779819] ? memset+0x31/0x40 [ 31.780119] ? get_futex_value_locked+0xc3/0xf0 [ 31.780537] ? futex_wait_setup+0x22e/0x3d0 [ 31.780915] ? check_noncircular+0x20/0x20 [ 31.781302] ? futex_wake+0x680/0x680 [ 31.781649] ? mmdrop+0x18/0x30 [ 31.781972] ? drop_futex_key_refs.isra.13+0x63/0xa0 [ 31.782434] ? futex_wait+0x69e/0x990 [ 31.782789] ? find_held_lock+0x35/0x1d0 [ 31.783158] ? get_signal+0x7ae/0x16d0 [ 31.783499] ? lock_downgrade+0x990/0x990 [ 31.783885] do_group_exit+0x149/0x400 [ 31.784232] ? __lock_is_held+0xb6/0x140 [ 31.784600] ? SyS_exit+0x30/0x30 [ 31.784863] ? _raw_spin_unlock_irq+0x27/0x70 [ 31.785151] ? trace_hardirqs_on_caller+0x421/0x5c0 [ 31.785546] get_signal+0x73f/0x16d0 [ 31.785892] ? ptrace_notify+0x130/0x130 [ 31.786256] ? vma_wants_writenotify+0x3b0/0x3b0 [ 31.786682] ? vma_link+0xe9/0x170 [ 31.786953] ? exit_robust_list+0x240/0x240 [ 31.787273] ? find_held_lock+0x35/0x1d0 [ 31.787568] do_signal+0x94/0x1ee0 [ 31.787830] ? vm_mmap_pgoff+0x1ed/0x280 [ 31.788127] ? should_fail+0x23b/0xa40 [ 31.788408] ? fault_create_debugfs_attr+0x1f0/0x1f0 [ 31.788772] ? setup_sigcontext+0x7d0/0x7d0 [ 31.789086] ? find_held_lock+0x35/0x1d0 [ 31.789379] ? lock_downgrade+0x990/0x990 [ 31.789677] ? down_read_killable+0x180/0x180 [ 31.790058] ? lock_release+0xa40/0xa40 [ 31.790473] ? trace_event_raw_event_sched_switch+0x8a0/0x8a0 [ 31.791061] ? vm_mmap_pgoff+0x1fc/0x280 [ 31.791461] ? exit_to_usermode_loop+0x8c/0x310 [ 31.791909] exit_to_usermode_loop+0x214/0x310 [ 31.792328] ? trace_event_raw_event_sys_exit+0x260/0x260 [ 31.792867] ? kasan_check_write+0x14/0x20 [ 31.793296] syscall_return_slowpath+0x42f/0x510 [ 31.793767] ? prepare_exit_to_usermode+0x2d0/0x2d0 [ 31.794271] ? entry_SYSCALL_64_fastpath+0x91/0xbe [ 31.794764] ? trace_hardirqs_on_caller+0x421/0x5c0 [ 31.795236] ? trace_hardirqs_on_thunk+0x1a/0x1c [ 31.795667] entry_SYSCALL_64_fastpath+0xbc/0xbe [ 31.796149] RIP: 0033:0x447c89 [ 31.796480] RSP: 002b:00007f239cc35ce8 EFLAGS: 00000246 ORIG_RAX: 00000000000000ca [ 31.797149] RAX: 0000000000000000 RBX: 0000000000748100 RCX: 0000000000447c89 [ 31.797821] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000748100 [ 31.798534] RBP: 0000000000748100 R08: 0000000000000000 R09: 00000000007480d8 [ 31.799085] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 [ 31.800403] R13: 0000000000000000 R14: 00007f239cc369c0 R15: 00007f239cc36700 [ 31.801004] [ 31.801136] Allocated by task 4772: [ 31.801449] save_stack+0x43/0xd0 [ 31.801791] kasan_kmalloc+0xad/0xe0 [ 31.802384] kmem_cache_alloc_trace+0x136/0x750 [ 31.802830] refill_pi_state_cache.part.6+0xa5/0x2f0 [ 31.803323] futex_requeue+0x1887/0x2370 [ 31.803608] do_futex+0x7f5/0x20d0 [ 31.803873] SyS_futex+0x260/0x390 [ 31.804223] entry_SYSCALL_64_fastpath+0x1f/0xbe [ 31.804614] [ 31.804729] Freed by task 4767: [ 31.804960] save_stack+0x43/0xd0 [ 31.805291] kasan_slab_free+0x71/0xc0 [ 31.805626] kfree+0xca/0x250 [ 31.806085] do_exit+0x1502/0x1ad0 [ 31.806439] do_group_exit+0x149/0x400 [ 31.806750] get_signal+0x73f/0x16d0 [ 31.807080] do_signal+0x94/0x1ee0 [ 31.807448] exit_to_usermode_loop+0x214/0x310 [ 31.807922] syscall_return_slowpath+0x42f/0x510 [ 31.808397] entry_SYSCALL_64_fastpath+0xbc/0xbe [ 31.808814] [ 31.808965] The buggy address belongs to the object at ffff88003dd0ba40 [ 31.808965] which belongs to the cache kmalloc-256 of size 256 [ 31.810131] The buggy address is located 40 bytes inside of [ 31.810131] 256-byte region [ffff88003dd0ba40, ffff88003dd0bb40) [ 31.811201] The buggy address belongs to the page: [ 31.811588] page:ffffea0000f742c0 count:1 mapcount:0 mapping:ffff88003dd0b040 index:0x0 [ 31.812319] flags: 0x100000000000100(slab) [ 31.812639] raw: 0100000000000100 ffff88003dd0b040 0000000000000000 000000010000000c [ 31.813329] raw: ffffea0000ea18a0 ffffea0000f8f860 ffff88003e8007c0 0000000000000000 [ 31.814105] page dumped because: kasan: bad access detected [ 31.814604] [ 31.814758] Memory state around the buggy address: [ 31.815200] ffff88003dd0b900: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 31.815857] ffff88003dd0b980: 00 00 00 00 00 00 00 00 00 00 fc fc fc fc fc fc [ 31.816505] >ffff88003dd0ba00: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb [ 31.817200] ^ [ 31.817787] ffff88003dd0ba80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 31.818675] ffff88003dd0bb00: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc [ 31.819384] ================================================================== [ 31.820039] Disabling lock debugging due to kernel taint [ 31.820519] Kernel panic - not syncing: panic_on_warn set ... [ 31.820519] [ 31.822971] CPU: 2 PID: 4746 Comm: syz-executor2 Tainted: G B 4.14.0-rc5-next-20171018+ #8 [ 31.823719] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011 [ 31.824332] Call Trace: [ 31.824500] dump_stack+0x194/0x257 [ 31.824747] ? arch_local_irq_restore+0x53/0x53 [ 31.825149] ? kasan_end_report+0x32/0x50 [ 31.825419] ? lock_downgrade+0x990/0x990 [ 31.825666] ? vsnprintf+0x1ed/0x1900 [ 31.826693] ? __lock_acquire+0x3c50/0x3d50 [ 31.827034] panic+0x1e4/0x41c [ 31.827254] ? refcount_error_report+0x214/0x214 [ 31.827558] ? add_taint+0x40/0x50 [ 31.827875] ? add_taint+0x1c/0x50 [ 31.828204] ? __lock_acquire+0x3c9f/0x3d50 [ 31.828602] kasan_end_report+0x50/0x50 [ 31.828941] kasan_report+0x144/0x340 [ 31.829477] __asan_report_load8_noabort+0x14/0x20 [ 31.829920] __lock_acquire+0x3c9f/0x3d50 [ 31.830279] ? debug_check_no_locks_freed+0x3c0/0x3c0 [ 31.831078] ? exit_pi_state_list+0x369/0x7a0 [ 31.831483] ? debug_check_no_locks_freed+0x3c0/0x3c0 [ 31.832068] ? mark_held_locks+0xaf/0x100 [ 31.832682] ? retint_kernel+0x10/0x10 [ 31.833031] ? trace_hardirqs_on_caller+0x421/0x5c0 [ 31.833492] ? trace_hardirqs_on_thunk+0x1a/0x1c [ 31.833927] ? retint_kernel+0x10/0x10 [ 31.834278] ? exit_pi_state_list+0x361/0x7a0 [ 31.834688] ? queued_spin_lock_slowpath+0x1c4/0xfa0 [ 31.835141] ? osq_unlock+0x350/0x350 [ 31.835502] ? __lock_acquire+0x6aa/0x3d50 [ 31.835891] ? check_noncircular+0x20/0x20 [ 31.836221] ? debug_check_no_locks_freed+0x3c0/0x3c0 [ 31.836545] ? check_noncircular+0x20/0x20 [ 31.836922] ? find_held_lock+0x35/0x1d0 [ 31.837295] ? kprobe_flush_task+0x1a3/0x5d0 [ 31.837641] ? find_held_lock+0x35/0x1d0 [ 31.840429] lock_acquire+0x1d5/0x580 [ 31.840781] ? lock_acquire+0x1d5/0x580 [ 31.841134] ? exit_pi_state_list+0x369/0x7a0 [ 31.841502] ? lock_downgrade+0x990/0x990 [ 31.842136] ? lock_release+0xa40/0xa40 [ 31.842371] ? do_raw_spin_trylock+0x190/0x190 [ 31.842763] ? trace_hardirqs_on+0xd/0x10 [ 31.843138] _raw_spin_lock_irq+0x5e/0x80 [ 31.843492] ? exit_pi_state_list+0x369/0x7a0 [ 31.843890] exit_pi_state_list+0x369/0x7a0 [ 31.844262] ? futex_wait_requeue_pi.constprop.19+0x1300/0x1300 [ 31.844757] ? lock_release+0xa40/0xa40 [ 31.845023] ? trace_event_raw_event_sched_switch+0x8a0/0x8a0 [ 31.845484] ? _raw_spin_unlock_irqrestore+0x31/0xba [ 31.846324] ? __might_sleep+0x95/0x190 [ 31.846798] ? __might_fault+0x188/0x1d0 [ 31.847133] ? do_raw_spin_trylock+0x190/0x190 [ 31.847450] mm_release+0x46d/0x590 [ 31.847676] ? do_raw_spin_trylock+0x190/0x190 [ 31.848042] ? mm_access+0x140/0x140 [ 31.848276] ? _raw_spin_unlock_irq+0x27/0x70 [ 31.848545] ? trace_hardirqs_on_caller+0x421/0x5c0 [ 31.848877] ? trace_hardirqs_on+0xd/0x10 [ 31.849185] ? _raw_spin_unlock_irq+0x27/0x70 [ 31.849579] ? acct_collect+0x637/0x800 [ 31.850389] do_exit+0x481/0x1ad0 [ 31.850716] ? mm_update_next_owner+0x930/0x930 [ 31.851140] ? trace_event_raw_event_sched_switch+0x8a0/0x8a0 [ 31.851651] ? rcu_note_context_switch+0x710/0x710 [ 31.852087] ? futex_wait_setup+0x14a/0x3d0 [ 31.852477] ? __might_sleep+0x95/0x190 [ 31.852834] ? _cond_resched+0x14/0x30 [ 31.853181] ? futex_wait_queue_me+0x524/0x7e0 [ 31.853591] ? refill_pi_state_cache.part.6+0x2f0/0x2f0 [ 31.854370] ? memset+0x31/0x40 [ 31.854711] ? get_futex_value_locked+0xc3/0xf0 [ 31.855198] ? futex_wait_setup+0x22e/0x3d0 [ 31.855634] ? check_noncircular+0x20/0x20 [ 31.856049] ? futex_wake+0x680/0x680 [ 31.856423] ? mmdrop+0x18/0x30 [ 31.856727] ? drop_futex_key_refs.isra.13+0x63/0xa0 [ 31.857223] ? futex_wait+0x69e/0x990 [ 31.857615] ? find_held_lock+0x35/0x1d0 [ 31.858104] ? get_signal+0x7ae/0x16d0 [ 31.858487] ? lock_downgrade+0x990/0x990 [ 31.858908] do_group_exit+0x149/0x400 [ 31.859369] ? __lock_is_held+0xb6/0x140 [ 31.859729] ? SyS_exit+0x30/0x30 [ 31.860043] ? _raw_spin_unlock_irq+0x27/0x70 [ 31.860441] ? trace_hardirqs_on_caller+0x421/0x5c0 [ 31.860888] get_signal+0x73f/0x16d0 [ 31.861222] ? ptrace_notify+0x130/0x130 [ 31.861725] ? vma_wants_writenotify+0x3b0/0x3b0 [ 31.862178] ? vma_link+0xe9/0x170 [ 31.862528] ? exit_robust_list+0x240/0x240 [ 31.862938] ? find_held_lock+0x35/0x1d0 [ 31.863855] do_signal+0x94/0x1ee0 [ 31.864961] ? vm_mmap_pgoff+0x1ed/0x280 [ 31.865360] ? should_fail+0x23b/0xa40 [ 31.865722] ? fault_create_debugfs_attr+0x1f0/0x1f0 [ 31.866213] ? setup_sigcontext+0x7d0/0x7d0 [ 31.866609] ? find_held_lock+0x35/0x1d0 [ 31.867003] ? lock_downgrade+0x990/0x990 [ 31.867387] ? down_read_killable+0x180/0x180 [ 31.867802] ? lock_release+0xa40/0xa40 [ 31.868162] ? trace_event_raw_event_sched_switch+0x8a0/0x8a0 [ 31.868683] ? vm_mmap_pgoff+0x1fc/0x280 [ 31.869045] ? exit_to_usermode_loop+0x8c/0x310 [ 31.869531] exit_to_usermode_loop+0x214/0x310 [ 31.869988] ? trace_event_raw_event_sys_exit+0x260/0x260 [ 31.870524] ? kasan_check_write+0x14/0x20 [ 31.870982] syscall_return_slowpath+0x42f/0x510 [ 31.871446] ? prepare_exit_to_usermode+0x2d0/0x2d0 [ 31.871983] ? entry_SYSCALL_64_fastpath+0x91/0xbe [ 31.872467] ? trace_hardirqs_on_caller+0x421/0x5c0 [ 31.872957] ? trace_hardirqs_on_thunk+0x1a/0x1c [ 31.873429] entry_SYSCALL_64_fastpath+0xbc/0xbe [ 31.873905] RIP: 0033:0x447c89 [ 31.874212] RSP: 002b:00007f239cc35ce8 EFLAGS: 00000246 ORIG_RAX: 00000000000000ca [ 31.874990] RAX: 0000000000000000 RBX: 0000000000748100 RCX: 0000000000447c89 [ 31.875716] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000748100 [ 31.876440] RBP: 0000000000748100 R08: 0000000000000000 R09: 00000000007480d8 [ 31.877160] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 [ 31.877864] R13: 0000000000000000 R14: 00007f239cc369c0 R15: 00007f239cc36700 [ 31.881903] Dumping ftrace buffer: [ 31.882264] (ftrace buffer empty) [ 31.882622] Kernel Offset: disabled [ 31.882976] Rebooting in 86400 seconds..