INIT: Entering runlevel: 2
[info] Using makefile-style concurrent boot in runlevel 2.
[ ok ] Starting enhanced syslogd: rsyslogd.
[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.

Debian GNU/Linux 7 syzkaller ttyS0

Warning: Permanently added 'ci-upstream-kasan-gce-386-0,10.128.15.212' (ECDSA) to the list of known hosts.
2017/09/19 19:27:50 parsed 1 programs
2017/09/19 19:27:50 executed programs: 0
syzkaller login:
[ 30.496895] ==================================================================
[ 30.504304] BUG: KASAN: use-after-free in irq_bypass_register_consumer+0x4b4/0x500
[ 30.511985] Write of size 8 at addr ffff8801c5fd99c0 by task syz-executor0/3184
[ 30.519401]
[ 30.521007] CPU: 1 PID: 3184 Comm: syz-executor0 Not tainted 4.14.0-rc1+ #1
[ 30.528077] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 30.537399] Call Trace:
[ 30.539958]  dump_stack+0x194/0x257
[ 30.543559]  ? arch_local_irq_restore+0x53/0x53
[ 30.548199]  ? show_regs_print_info+0x65/0x65
[ 30.552669]  ? irq_bypass_register_consumer+0x4b4/0x500
[ 30.558005]  print_address_description+0x73/0x250
[ 30.562816]  ? irq_bypass_register_consumer+0x4b4/0x500
[ 30.568148]  kasan_report+0x24e/0x340
[ 30.571924]  __asan_report_store8_noabort+0x17/0x20
[ 30.576909]  irq_bypass_register_consumer+0x4b4/0x500
[ 30.582069]  ? __disconnect+0x1a0/0x1a0
[ 30.586017]  ? trace_hardirqs_on_caller+0x421/0x5c0
[ 30.591009]  kvm_irqfd+0x13c9/0x1db0
[ 30.594696]  ? __might_sleep+0x95/0x190
[ 30.598653]  ? kvm_eventfd_init+0x2a0/0x2a0
[ 30.602947]  ? find_held_lock+0x39/0x1d0
[ 30.606990]  ? lock_downgrade+0x990/0x990
[ 30.611123]  ? __might_fault+0xe0/0x1d0
[ 30.615072]  ? lock_release+0xd70/0xd70
[ 30.619016]  ? check_same_owner+0x320/0x320
[ 30.623317]  ? __might_sleep+0x95/0x190
[ 30.627269]  ? kasan_check_write+0x14/0x20
[ 30.631477]  ? _copy_from_user+0x99/0x110
[ 30.635600]  kvm_vm_ioctl+0x1079/0x1c40
[ 30.639560]  ? kvm_set_memory_region+0x50/0x50
[ 30.644143]  ? find_held_lock+0x39/0x1d0
[ 30.648187]  ? lock_downgrade+0x990/0x990
[ 30.652312]  ? __fget+0xbb/0x580
[ 30.655653]  ? lock_release+0xd70/0xd70
[ 30.659601]  ? __lock_is_held+0xbc/0x140
[ 30.663642]  ? __fget+0x362/0x580
[ 30.667071]  ? iterate_fd+0x3f0/0x3f0
[ 30.670855]  ? retint_kernel+0x10/0x10
[ 30.674719]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 30.679446]  ? cmp_ex_sort+0xb0/0xb0
[ 30.683133]  ? retint_kernel+0x10/0x10
[ 30.686991]  ? debug_lockdep_rcu_enabled+0x77/0x90
[ 30.691890]  ? selinux_file_ioctl+0x444/0x690
[ 30.696356]  ? __fget_light+0x29d/0x390
[ 30.700310]  kvm_vm_compat_ioctl+0x2ed/0x3e0
[ 30.704692]  ? kvm_vm_ioctl+0x1c40/0x1c40
[ 30.708814]  ? _copy_to_user+0xa2/0xc0
[ 30.712677]  ? security_file_ioctl+0x7d/0xb0
[ 30.717052]  ? security_file_ioctl+0x89/0xb0
[ 30.721437]  compat_SyS_ioctl+0x1da/0x3300
[ 30.725645]  ? compat_SyS_get_robust_list+0x300/0x300
[ 30.730803]  ? kvm_vm_ioctl+0x1c40/0x1c40
[ 30.734926]  ? do_ioctl+0x60/0x60
[ 30.738349]  ? lock_acquire+0x1d5/0x580
[ 30.742296]  ? do_fast_syscall_32+0x158/0xeed
[ 30.746767]  ? do_ioctl+0x60/0x60
[ 30.750193]  do_fast_syscall_32+0x3f2/0xeed
[ 30.754487]  ? compat_start_thread+0x80/0x80
[ 30.758870]  ? do_int80_syscall_32+0x930/0x930
[ 30.763427]  ? lockdep_sys_exit+0x47/0xf0
[ 30.767545]  ? syscall_return_slowpath+0x2b3/0x500
[ 30.772444]  ? finish_task_switch+0x1aa/0x740
[ 30.776912]  ? prepare_exit_to_usermode+0x2c0/0x2c0
[ 30.781901]  ? sysret32_from_system_call+0x5/0x3b
[ 30.786718]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 30.791538]  entry_SYSENTER_compat+0x51/0x60
[ 30.795914] RIP: 0023:0xf7f4bc79
[ 30.799249] RSP: 002b:00000000f7f2605c EFLAGS: 00000296 ORIG_RAX: 0000000000000036
[ 30.806931] RAX: ffffffffffffffda RBX: 0000000000000009 RCX: 000000004020ae76
[ 30.814170] RDX: 000000002000d000 RSI: 0000000000000000 RDI: 0000000000000000
[ 30.821407] RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
[ 30.828646] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
[ 30.835887] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[ 30.843142]
[ 30.844740] Allocated by task 3184:
[ 30.848337]  save_stack_trace+0x16/0x20
[ 30.852279]  save_stack+0x43/0xd0
[ 30.855699]  kasan_kmalloc+0xad/0xe0
[ 30.859384]  kmem_cache_alloc_trace+0x136/0x750
[ 30.864020]  kvm_irqfd+0x1b6/0x1db0
[ 30.867616]  kvm_vm_ioctl+0x1079/0x1c40
[ 30.871558]  kvm_vm_compat_ioctl+0x2ed/0x3e0
[ 30.875933]  compat_SyS_ioctl+0x1da/0x3300
[ 30.880134]  do_fast_syscall_32+0x3f2/0xeed
[ 30.884426]  entry_SYSENTER_compat+0x51/0x60
[ 30.888799]
[ 30.890394] Freed by task 23:
[ 30.893467]  save_stack_trace+0x16/0x20
[ 30.897411]  save_stack+0x43/0xd0
[ 30.900832]  kasan_slab_free+0x71/0xc0
[ 30.904687]  kfree+0xca/0x250
[ 30.907762]  irqfd_shutdown+0x13c/0x1a0
[ 30.911706]  process_one_work+0xbfa/0x1bd0
[ 30.915908]  worker_thread+0x223/0x1860
[ 30.919860]  kthread+0x39c/0x470
[ 30.923220]  ret_from_fork+0x2a/0x40
[ 30.926922]
[ 30.928539] The buggy address belongs to the object at ffff8801c5fd9840
[ 30.928539]  which belongs to the cache kmalloc-512 of size 512
[ 30.941182] The buggy address is located 384 bytes inside of
[ 30.941182]  512-byte region [ffff8801c5fd9840, ffff8801c5fd9a40)
[ 30.953034] The buggy address belongs to the page:
[ 30.957936] page:ffffea000717f640 count:1 mapcount:0 mapping:ffff8801c5fd90c0 index:0x0
[ 30.966055] flags: 0x200000000000100(slab)
[ 30.970262] raw: 0200000000000100 ffff8801c5fd90c0 0000000000000000 0000000100000006
[ 30.978114] raw: ffffea00071638e0 ffffea0007166ce0 ffff8801dac00940 0000000000000000
[ 30.985965] page dumped because: kasan: bad access detected
[ 30.991644]
[ 30.993243] Memory state around the buggy address:
[ 30.998144]  ffff8801c5fd9880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 31.005473]  ffff8801c5fd9900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 31.012804] >ffff8801c5fd9980: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 31.020133]                                            ^
[ 31.025550]  ffff8801c5fd9a00: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 31.032888]  ffff8801c5fd9a80: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
[ 31.040216] ==================================================================
[ 31.047550] Disabling lock debugging due to kernel taint
[ 31.053081] Kernel panic - not syncing: panic_on_warn set ...
[ 31.053081]
[ 31.060421] CPU: 1 PID: 3184 Comm: syz-executor0 Tainted: G B 4.14.0-rc1+ #1
[ 31.069438] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 31.078755] Call Trace:
[ 31.081310]  dump_stack+0x194/0x257
[ 31.084904]  ? arch_local_irq_restore+0x53/0x53
[ 31.089540]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 31.094269]  ? irq_bypass_register_consumer+0x3e0/0x500
[ 31.099604]  panic+0x1e4/0x417
[ 31.102762]  ? __warn+0x1d9/0x1d9
[ 31.106188]  ? irq_bypass_register_consumer+0x4b4/0x500
[ 31.111516]  kasan_end_report+0x50/0x50
[ 31.115454]  kasan_report+0x137/0x340
[ 31.119221]  __asan_report_store8_noabort+0x17/0x20
[ 31.124200]  irq_bypass_register_consumer+0x4b4/0x500
[ 31.129354]  ? __disconnect+0x1a0/0x1a0
[ 31.133297]  ? trace_hardirqs_on_caller+0x421/0x5c0
[ 31.138284]  kvm_irqfd+0x13c9/0x1db0
[ 31.141966]  ? __might_sleep+0x95/0x190
[ 31.145910]  ? kvm_eventfd_init+0x2a0/0x2a0
[ 31.150197]  ? find_held_lock+0x39/0x1d0
[ 31.154227]  ? lock_downgrade+0x990/0x990
[ 31.158344]  ? __might_fault+0xe0/0x1d0
[ 31.162288]  ? lock_release+0xd70/0xd70
[ 31.166227]  ? check_same_owner+0x320/0x320
[ 31.170517]  ? __might_sleep+0x95/0x190
[ 31.174460]  ? kasan_check_write+0x14/0x20
[ 31.178669]  ? _copy_from_user+0x99/0x110
[ 31.182786]  kvm_vm_ioctl+0x1079/0x1c40
[ 31.186729]  ? kvm_set_memory_region+0x50/0x50
[ 31.191285]  ? find_held_lock+0x39/0x1d0
[ 31.195314]  ? lock_downgrade+0x990/0x990
[ 31.199432]  ? __fget+0xbb/0x580
[ 31.202765]  ? lock_release+0xd70/0xd70
[ 31.206707]  ? __lock_is_held+0xbc/0x140
[ 31.210739]  ? __fget+0x362/0x580
[ 31.214160]  ? iterate_fd+0x3f0/0x3f0
[ 31.217926]  ? retint_kernel+0x10/0x10
[ 31.221779]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 31.226509]  ? cmp_ex_sort+0xb0/0xb0
[ 31.230197]  ? retint_kernel+0x10/0x10
[ 31.234053]  ? debug_lockdep_rcu_enabled+0x77/0x90
[ 31.238946]  ? selinux_file_ioctl+0x444/0x690
[ 31.243403]  ? __fget_light+0x29d/0x390
[ 31.247345]  kvm_vm_compat_ioctl+0x2ed/0x3e0
[ 31.251721]  ? kvm_vm_ioctl+0x1c40/0x1c40
[ 31.255832]  ? _copy_to_user+0xa2/0xc0
[ 31.259686]  ? security_file_ioctl+0x7d/0xb0
[ 31.264059]  ? security_file_ioctl+0x89/0xb0
[ 31.268433]  compat_SyS_ioctl+0x1da/0x3300
[ 31.272632]  ? compat_SyS_get_robust_list+0x300/0x300
[ 31.277785]  ? kvm_vm_ioctl+0x1c40/0x1c40
[ 31.281897]  ? do_ioctl+0x60/0x60
[ 31.285317]  ? lock_acquire+0x1d5/0x580
[ 31.289255]  ? do_fast_syscall_32+0x158/0xeed
[ 31.293719]  ? do_ioctl+0x60/0x60
[ 31.297139]  do_fast_syscall_32+0x3f2/0xeed
[ 31.301426]  ? compat_start_thread+0x80/0x80
[ 31.305801]  ? do_int80_syscall_32+0x930/0x930
[ 31.310349]  ? lockdep_sys_exit+0x47/0xf0
[ 31.314462]  ? syscall_return_slowpath+0x2b3/0x500
[ 31.319355]  ? finish_task_switch+0x1aa/0x740
[ 31.323815]  ? prepare_exit_to_usermode+0x2c0/0x2c0
[ 31.328798]  ? sysret32_from_system_call+0x5/0x3b
[ 31.333609]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 31.338421]  entry_SYSENTER_compat+0x51/0x60
[ 31.342792] RIP: 0023:0xf7f4bc79
[ 31.346120] RSP: 002b:00000000f7f2605c EFLAGS: 00000296 ORIG_RAX: 0000000000000036
[ 31.353789] RAX: ffffffffffffffda RBX: 0000000000000009 RCX: 000000004020ae76
[ 31.361025] RDX: 000000002000d000 RSI: 0000000000000000 RDI: 0000000000000000
[ 31.368262] RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
[ 31.375497] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
[ 31.382731] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[ 31.390415] Dumping ftrace buffer:
[ 31.393925]    (ftrace buffer empty)
[ 31.397601] Kernel Offset: disabled
[ 31.401192] Rebooting in 86400 seconds..