2017/10/26 16:35:03 parsed 1 programs 2017/10/26 16:35:03 executed programs: 0 2017/10/26 16:35:08 executed programs: 22 2017/10/26 16:35:13 executed programs: 48 syzkaller login: [ 36.243221] ================================================================== [ 36.243804] BUG: KASAN: use-after-free in __lock_acquire+0x3c9f/0x3d50 [ 36.244300] Read of size 8 at addr ffff88003c2a56e8 by task syz-executor0/3355 [ 36.244835] [ 36.244961] CPU: 1 PID: 3355 Comm: syz-executor0 Not tainted 4.14.0-rc5-next-20171018+ #8 [ 36.245572] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011 [ 36.246276] Call Trace: [ 36.246512] dump_stack+0x194/0x257 [ 36.246825] ? arch_local_irq_restore+0x53/0x53 [ 36.247226] ? show_regs_print_info+0x65/0x65 [ 36.247620] ? print_irqtrace_events+0x270/0x270 [ 36.248034] ? print_irqtrace_events+0x270/0x270 [ 36.248462] ? __lock_acquire+0x3c9f/0x3d50 [ 36.248842] print_address_description+0x73/0x250 [ 36.249257] ? __lock_acquire+0x3c9f/0x3d50 [ 36.249581] kasan_report+0x25b/0x340 [ 36.249919] __asan_report_load8_noabort+0x14/0x20 [ 36.250288] __lock_acquire+0x3c9f/0x3d50 [ 36.250651] ? exit_pi_state_list+0x369/0x7a0 [ 36.251024] ? debug_check_no_locks_freed+0x3c0/0x3c0 [ 36.251477] ? __lock_acquire+0x6aa/0x3d50 [ 36.251860] ? __lock_acquire+0x6aa/0x3d50 [ 36.252256] ? __lock_acquire+0x6aa/0x3d50 [ 36.252623] ? debug_check_no_locks_freed+0x3c0/0x3c0 [ 36.255470] ? debug_check_no_locks_freed+0x3c0/0x3c0 [ 36.255777] ? osq_unlock+0x350/0x350 [ 36.256004] ? __lock_acquire+0x6aa/0x3d50 [ 36.256257] ? debug_check_no_locks_freed+0x3c0/0x3c0 [ 36.256598] ? check_noncircular+0x20/0x20 [ 36.256852] ? print_irqtrace_events+0x270/0x270 [ 36.257136] ? check_noncircular+0x20/0x20 [ 36.257436] ? _raw_spin_unlock+0x22/0x30 [ 36.257685] ? __perf_event_task_sched_in+0x200/0xc20 [ 36.258008] ? find_held_lock+0x35/0x1d0 [ 36.258285] lock_acquire+0x1d5/0x580 [ 36.258530] ? lock_acquire+0x1d5/0x580 [ 36.258767] ? exit_pi_state_list+0x369/0x7a0 [ 36.259049] ? lock_downgrade+0x990/0x990 [ 36.259359] ? lock_release+0xa40/0xa40 [ 36.259639] ? do_raw_spin_trylock+0x190/0x190 [ 36.259960] ? lock_downgrade+0x990/0x990 [ 36.260265] _raw_spin_lock_irq+0x5e/0x80 [ 36.260588] ? exit_pi_state_list+0x369/0x7a0 [ 36.260903] exit_pi_state_list+0x369/0x7a0 [ 36.261216] ? futex_wait_requeue_pi.constprop.19+0x1300/0x1300 [ 36.261760] ? lock_release+0xa40/0xa40 [ 36.262135] ? trace_event_raw_event_sched_switch+0x8a0/0x8a0 [ 36.262674] ? _raw_spin_unlock_irqrestore+0x31/0xba [ 36.263145] ? __might_sleep+0x95/0x190 [ 36.263485] ? __might_fault+0x188/0x1d0 [ 36.263727] ? do_raw_spin_trylock+0x190/0x190 [ 36.263999] mm_release+0x46d/0x590 [ 36.264219] ? do_raw_spin_trylock+0x190/0x190 [ 36.264494] ? mm_access+0x140/0x140 [ 36.264718] ? _raw_spin_unlock_irq+0x27/0x70 [ 36.265026] ? trace_hardirqs_on_caller+0x421/0x5c0 [ 36.265326] ? trace_hardirqs_on+0xd/0x10 [ 36.265578] ? _raw_spin_unlock_irq+0x27/0x70 [ 36.265930] ? acct_collect+0x637/0x800 [ 36.266298] do_exit+0x481/0x1ad0 [ 36.266664] ? mm_update_next_owner+0x930/0x930 [ 36.267094] ? trace_event_raw_event_sched_switch+0x8a0/0x8a0 [ 36.267614] ? rcu_note_context_switch+0x710/0x710 [ 36.268075] ? futex_wait_setup+0x14a/0x3d0 [ 36.268480] ? __might_sleep+0x95/0x190 [ 36.268852] ? find_held_lock+0x35/0x1d0 [ 36.269138] ? futex_wait+0x402/0x990 [ 36.269405] ? lock_downgrade+0x990/0x990 [ 36.269698] ? do_raw_spin_trylock+0x190/0x190 [ 36.270027] ? check_noncircular+0x20/0x20 [ 36.270319] ? futex_wake+0x680/0x680 [ 36.270589] ? mmdrop+0x18/0x30 [ 36.270823] ? drop_futex_key_refs.isra.13+0x63/0xa0 [ 36.271181] ? futex_wait+0x69e/0x990 [ 36.271447] ? find_held_lock+0x35/0x1d0 [ 36.271737] ? get_signal+0x7ae/0x16d0 [ 36.272012] ? lock_downgrade+0x990/0x990 [ 36.272314] do_group_exit+0x149/0x400 [ 36.272677] ? __lock_is_held+0xb6/0x140 [ 36.272966] ? SyS_exit+0x30/0x30 [ 36.273211] ? _raw_spin_unlock_irq+0x27/0x70 [ 36.273615] ? trace_hardirqs_on_caller+0x421/0x5c0 [ 36.274087] get_signal+0x73f/0x16d0 [ 36.274712] ? ptrace_notify+0x130/0x130 [ 36.275031] ? vma_wants_writenotify+0x3b0/0x3b0 [ 36.275331] ? vma_link+0xe9/0x170 [ 36.275543] ? exit_robust_list+0x240/0x240 [ 36.275797] ? find_held_lock+0x35/0x1d0 [ 36.276042] do_signal+0x94/0x1ee0 [ 36.276287] ? vm_mmap_pgoff+0x1ed/0x280 [ 36.276529] ? should_fail+0x23b/0xa40 [ 36.276761] ? fault_create_debugfs_attr+0x1f0/0x1f0 [ 36.277062] ? setup_sigcontext+0x7d0/0x7d0 [ 36.277411] ? find_held_lock+0x35/0x1d0 [ 36.277783] ? lock_downgrade+0x990/0x990 [ 36.278282] ? down_read_killable+0x180/0x180 [ 36.278753] ? lock_release+0xa40/0xa40 [ 36.279150] ? trace_event_raw_event_sched_switch+0x8a0/0x8a0 [ 36.279676] ? vm_mmap_pgoff+0x1fc/0x280 [ 36.280045] ? exit_to_usermode_loop+0x8c/0x310 [ 36.280468] exit_to_usermode_loop+0x214/0x310 [ 36.280893] ? trace_event_raw_event_sys_exit+0x260/0x260 [ 36.281397] ? kasan_check_write+0x14/0x20 [ 36.281785] syscall_return_slowpath+0x42f/0x510 [ 36.282224] ? prepare_exit_to_usermode+0x2d0/0x2d0 [ 36.282682] ? entry_SYSCALL_64_fastpath+0x91/0xbe [ 36.283033] ? trace_hardirqs_on_caller+0x421/0x5c0 [ 36.283490] ? trace_hardirqs_on_thunk+0x1a/0x1c [ 36.283830] entry_SYSCALL_64_fastpath+0xbc/0xbe [ 36.284174] RIP: 0033:0x447c89 [ 36.284401] RSP: 002b:00007f513b6cfce8 EFLAGS: 00000246 ORIG_RAX: 00000000000000ca [ 36.284946] RAX: fffffffffffffe00 RBX: 00000000007481b8 RCX: 0000000000447c89 [ 36.285464] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 00000000007481b8 [ 36.285908] RBP: 00000000007481b8 R08: 0000000000000000 R09: 0000000000748190 [ 36.286408] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 [ 36.286931] R13: 0000000000000000 R14: 00007f513b6d09c0 R15: 00007f513b6d0700 [ 36.287448] [ 36.287599] Allocated by task 3356: [ 36.287859] save_stack+0x43/0xd0 [ 36.288107] kasan_kmalloc+0xad/0xe0 [ 36.288373] kmem_cache_alloc_trace+0x136/0x750 [ 36.288703] refill_pi_state_cache.part.6+0xa5/0x2f0 [ 36.289065] futex_requeue+0x1887/0x2370 [ 36.289354] do_futex+0x7f5/0x20d0 [ 36.289607] SyS_futex+0x260/0x390 [ 36.289875] entry_SYSCALL_64_fastpath+0x1f/0xbe [ 36.290206] [ 36.290328] Freed by task 3354: [ 36.290566] save_stack+0x43/0xd0 [ 36.290812] kasan_slab_free+0x71/0xc0 [ 36.291089] kfree+0xca/0x250 [ 36.291315] put_pi_state+0x3f4/0x560 [ 36.291586] unqueue_me_pi+0x4a/0xc0 [ 36.291850] futex_wait_requeue_pi.constprop.19+0xc7f/0x1300 [ 36.292259] do_futex+0x825/0x20d0 [ 36.292511] SyS_futex+0x260/0x390 [ 36.292762] entry_SYSCALL_64_fastpath+0x1f/0xbe [ 36.293095] [ 36.293217] The buggy address belongs to the object at ffff88003c2a56c0 [ 36.293217] which belongs to the cache kmalloc-256 of size 256 [ 36.294152] The buggy address is located 40 bytes inside of [ 36.294152] 256-byte region [ffff88003c2a56c0, ffff88003c2a57c0) [ 36.295117] The buggy address belongs to the page: [ 36.295574] page:ffffea0000f0a940 count:1 mapcount:0 mapping:ffff88003c2a5080 index:0xffff88003c2a5440 [ 36.296725] flags: 0x100000000000100(slab) [ 36.297114] raw: 0100000000000100 ffff88003c2a5080 ffff88003c2a5440 0000000100000004 [ 36.297853] raw: ffffea0000ee1e60 ffffea0000f69960 ffff88003e8007c0 0000000000000000 [ 36.298568] page dumped because: kasan: bad access detected [ 36.299114] [ 36.299265] Memory state around the buggy address: [ 36.299716] ffff88003c2a5580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 36.300387] ffff88003c2a5600: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 36.301057] >ffff88003c2a5680: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb [ 36.301729] ^ [ 36.302351] ffff88003c2a5700: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 36.303021] ffff88003c2a5780: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc [ 36.303688] ================================================================== [ 36.304358] Disabling lock debugging due to kernel taint [ 36.304857] Kernel panic - not syncing: panic_on_warn set ... [ 36.304857] [ 36.305509] CPU: 1 PID: 3355 Comm: syz-executor0 Tainted: G B 4.14.0-rc5-next-20171018+ #8 [ 36.306567] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011 [ 36.307313] Call Trace: [ 36.307558] dump_stack+0x194/0x257 [ 36.307890] ? arch_local_irq_restore+0x53/0x53 [ 36.308320] ? kasan_end_report+0x32/0x50 [ 36.308701] ? lock_downgrade+0x990/0x990 [ 36.309086] ? vsnprintf+0x1ed/0x1900 [ 36.309441] ? __lock_acquire+0x3c50/0x3d50 [ 36.309851] panic+0x1e4/0x41c [ 36.310149] ? refcount_error_report+0x214/0x214 [ 36.310587] ? add_taint+0x40/0x50 [ 36.310913] ? add_taint+0x1c/0x50 [ 36.311241] ? __lock_acquire+0x3c9f/0x3d50 [ 36.311640] kasan_end_report+0x50/0x50 [ 36.312010] kasan_report+0x144/0x340 [ 36.312368] __asan_report_load8_noabort+0x14/0x20 [ 36.312829] __lock_acquire+0x3c9f/0x3d50 [ 36.313215] ? exit_pi_state_list+0x369/0x7a0 [ 36.313629] ? debug_check_no_locks_freed+0x3c0/0x3c0 [ 36.314114] ? __lock_acquire+0x6aa/0x3d50 [ 36.314505] ? __lock_acquire+0x6aa/0x3d50 [ 36.314897] ? __lock_acquire+0x6aa/0x3d50 [ 36.315296] ? debug_check_no_locks_freed+0x3c0/0x3c0 [ 36.315775] ? debug_check_no_locks_freed+0x3c0/0x3c0 [ 36.316257] ? osq_unlock+0x350/0x350 [ 36.316609] ? __lock_acquire+0x6aa/0x3d50 [ 36.317514] ? debug_check_no_locks_freed+0x3c0/0x3c0 [ 36.318000] ? check_noncircular+0x20/0x20 [ 36.318392] ? print_irqtrace_events+0x270/0x270 [ 36.318828] ? check_noncircular+0x20/0x20 [ 36.319223] ? _raw_spin_unlock+0x22/0x30 [ 36.319608] ? __perf_event_task_sched_in+0x200/0xc20 [ 36.320090] ? find_held_lock+0x35/0x1d0 [ 36.320468] lock_acquire+0x1d5/0x580 [ 36.320817] ? lock_acquire+0x1d5/0x580 [ 36.321187] ? exit_pi_state_list+0x369/0x7a0 [ 36.321601] ? lock_downgrade+0x990/0x990 [ 36.321999] ? lock_release+0xa40/0xa40 [ 36.322363] ? do_raw_spin_trylock+0x190/0x190 [ 36.322699] ? lock_downgrade+0x990/0x990 [ 36.322998] _raw_spin_lock_irq+0x5e/0x80 [ 36.323334] ? exit_pi_state_list+0x369/0x7a0 [ 36.323748] exit_pi_state_list+0x369/0x7a0 [ 36.324140] ? futex_wait_requeue_pi.constprop.19+0x1300/0x1300 [ 36.324577] ? lock_release+0xa40/0xa40 [ 36.324942] ? trace_event_raw_event_sched_switch+0x8a0/0x8a0 [ 36.325482] ? _raw_spin_unlock_irqrestore+0x31/0xba [ 36.325962] ? __might_sleep+0x95/0x190 [ 36.326331] ? __might_fault+0x188/0x1d0 [ 36.326708] ? do_raw_spin_trylock+0x190/0x190 [ 36.327134] mm_release+0x46d/0x590 [ 36.327471] ? do_raw_spin_trylock+0x190/0x190 [ 36.327885] ? mm_access+0x140/0x140 [ 36.328215] ? _raw_spin_unlock_irq+0x27/0x70 [ 36.328608] ? trace_hardirqs_on_caller+0x421/0x5c0 [ 36.329038] ? trace_hardirqs_on+0xd/0x10 [ 36.329407] ? _raw_spin_unlock_irq+0x27/0x70 [ 36.329796] ? acct_collect+0x637/0x800 [ 36.330148] do_exit+0x481/0x1ad0 [ 36.330451] ? mm_update_next_owner+0x930/0x930 [ 36.330856] ? trace_event_raw_event_sched_switch+0x8a0/0x8a0 [ 36.331365] ? rcu_note_context_switch+0x710/0x710 [ 36.331791] ? futex_wait_setup+0x14a/0x3d0 [ 36.332167] ? __might_sleep+0x95/0x190 [ 36.332513] ? find_held_lock+0x35/0x1d0 [ 36.332864] ? futex_wait+0x402/0x990 [ 36.333191] ? lock_downgrade+0x990/0x990 [ 36.333548] ? do_raw_spin_trylock+0x190/0x190 [ 36.333967] ? check_noncircular+0x20/0x20 [ 36.334369] ? futex_wake+0x680/0x680 [ 36.334736] ? mmdrop+0x18/0x30 [ 36.335052] ? drop_futex_key_refs.isra.13+0x63/0xa0 [ 36.335544] ? futex_wait+0x69e/0x990 [ 36.335909] ? find_held_lock+0x35/0x1d0 [ 36.336314] ? get_signal+0x7ae/0x16d0 [ 36.336691] ? lock_downgrade+0x990/0x990 [ 36.337131] do_group_exit+0x149/0x400 [ 36.337478] ? __lock_is_held+0xb6/0x140 [ 36.337834] ? SyS_exit+0x30/0x30 [ 36.338133] ? _raw_spin_unlock_irq+0x27/0x70 [ 36.338856] ? trace_hardirqs_on_caller+0x421/0x5c0 [ 36.339271] get_signal+0x73f/0x16d0 [ 36.339515] ? ptrace_notify+0x130/0x130 [ 36.339804] ? vma_wants_writenotify+0x3b0/0x3b0 [ 36.340219] ? vma_link+0xe9/0x170 [ 36.340508] ? exit_robust_list+0x240/0x240 [ 36.340765] ? find_held_lock+0x35/0x1d0 [ 36.341004] do_signal+0x94/0x1ee0 [ 36.341217] ? vm_mmap_pgoff+0x1ed/0x280 [ 36.341456] ? should_fail+0x23b/0xa40 [ 36.341685] ? fault_create_debugfs_attr+0x1f0/0x1f0 [ 36.342072] ? setup_sigcontext+0x7d0/0x7d0 [ 36.342354] ? find_held_lock+0x35/0x1d0 [ 36.342596] ? lock_downgrade+0x990/0x990 [ 36.342841] ? down_read_killable+0x180/0x180 [ 36.343108] ? lock_release+0xa40/0xa40 [ 36.343346] ? trace_event_raw_event_sched_switch+0x8a0/0x8a0 [ 36.343697] ? vm_mmap_pgoff+0x1fc/0x280 [ 36.343943] ? exit_to_usermode_loop+0x8c/0x310 [ 36.344227] exit_to_usermode_loop+0x214/0x310 [ 36.344511] ? trace_event_raw_event_sys_exit+0x260/0x260 [ 36.344851] ? kasan_check_write+0x14/0x20 [ 36.345110] syscall_return_slowpath+0x42f/0x510 [ 36.345399] ? prepare_exit_to_usermode+0x2d0/0x2d0 [ 36.345700] ? entry_SYSCALL_64_fastpath+0x91/0xbe [ 36.346133] ? trace_hardirqs_on_caller+0x421/0x5c0 [ 36.346581] ? trace_hardirqs_on_thunk+0x1a/0x1c [ 36.346927] entry_SYSCALL_64_fastpath+0xbc/0xbe [ 36.347236] RIP: 0033:0x447c89 [ 36.347439] RSP: 002b:00007f513b6cfce8 EFLAGS: 00000246 ORIG_RAX: 00000000000000ca [ 36.347892] RAX: fffffffffffffe00 RBX: 00000000007481b8 RCX: 0000000000447c89 [ 36.348346] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 00000000007481b8 [ 36.348775] RBP: 00000000007481b8 R08: 0000000000000000 R09: 0000000000748190 [ 36.349232] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 [ 36.349677] R13: 0000000000000000 R14: 00007f513b6d09c0 R15: 00007f513b6d0700 [ 36.353688] Dumping ftrace buffer: [ 36.353972] (ftrace buffer empty) [ 36.354244] Kernel Offset: disabled [ 36.354540] Rebooting in 86400 seconds..