INIT: Entering runlevel: 2
[info] Using makefile-style concurrent boot in runlevel 2.
[ ok ] Starting enhanced syslogd: rsyslogd.
[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.

Debian GNU/Linux 7 syzkaller ttyS0

Warning: Permanently added 'ci-upstream-mmots-kasan-gce-6,10.128.0.30' (ECDSA) to the list of known hosts.
2017/09/12 12:09:29 parsed 1 programs
2017/09/12 12:09:29 executed programs: 0
2017/09/12 12:09:34 executed programs: 91
2017/09/12 12:09:39 executed programs: 182
2017/09/12 12:09:45 executed programs: 274
2017/09/12 12:09:50 executed programs: 364
2017/09/12 12:09:55 executed programs: 457
2017/09/12 12:10:00 executed programs: 550
2017/09/12 12:10:05 executed programs: 642
2017/09/12 12:10:10 executed programs: 734
2017/09/12 12:10:15 executed programs: 826
2017/09/12 12:10:20 executed programs: 917
2017/09/12 12:10:25 executed programs: 1008
2017/09/12 12:10:30 executed programs: 1099

syzkaller login: [ 181.967226] ==================================================================
[ 181.974645] BUG: KASAN: use-after-free in irq_bypass_register_consumer+0x4b4/0x500
[ 181.982345] Write of size 8 at addr ffff8801cfceac40 by task syz-executor0/7090
[ 181.989771]
[ 181.991377] CPU: 1 PID: 7090 Comm: syz-executor0 Not tainted 4.13.0-mm1+ #6
[ 181.998448] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 182.007776] Call Trace:
[ 182.010343]  dump_stack+0x194/0x257
[ 182.013952]  ? arch_local_irq_restore+0x53/0x53
[ 182.018608]  ? show_regs_print_info+0x65/0x65
[ 182.023100]  ? irq_bypass_register_consumer+0x4b4/0x500
[ 182.028443]  print_address_description+0x73/0x250
[ 182.033261]  ? irq_bypass_register_consumer+0x4b4/0x500
[ 182.038602]  kasan_report+0x24e/0x340
[ 182.042402]  __asan_report_store8_noabort+0x17/0x20
[ 182.047393]  irq_bypass_register_consumer+0x4b4/0x500
[ 182.052561]  ? __disconnect+0x1a0/0x1a0
[ 182.056520]  ? trace_hardirqs_on_caller+0x421/0x5c0
[ 182.061524]  kvm_irqfd+0x137a/0x1d50
[ 182.065247]  ? kvm_eventfd_init+0x2a0/0x2a0
[ 182.069546]  ? find_held_lock+0x39/0x1d0
[ 182.073603]  ? lock_downgrade+0x990/0x990
[ 182.077726]  ? debug_check_no_locks_freed+0x3d0/0x3d0
[ 182.082912]  ? __might_fault+0xe0/0x1d0
[ 182.086875]  ? lock_release+0xd70/0xd70
[ 182.090827]  ? check_same_owner+0x320/0x320
[ 182.095151]  ? __might_sleep+0x95/0x190
[ 182.099122]  ? kasan_check_write+0x14/0x20
[ 182.103336]  ? _copy_from_user+0x99/0x110
[ 182.107470]  kvm_vm_ioctl+0x1079/0x1c40
[ 182.111427]  ? perf_trace_lock+0x3e9/0x860
[ 182.115639]  ? kvm_set_memory_region+0x50/0x50
[ 182.120208]  ? check_noncircular+0x20/0x20
[ 182.124440]  ? memset+0x31/0x40
[ 182.127707]  ? do_futex+0x783/0x2130
[ 182.131398]  ? perf_trace_lock+0x3e9/0x860
[ 182.135624]  ? find_held_lock+0x39/0x1d0
[ 182.139698]  ? lock_downgrade+0x990/0x990
[ 182.143843]  ? exit_robust_list+0x240/0x240
[ 182.148193]  ? __fget+0xbb/0x580
[ 182.151564]  ? lock_release+0xd70/0xd70
[ 182.155541]  ? __lock_is_held+0xbc/0x140
[ 182.159606]  ? __fget+0x362/0x580
[ 182.163053]  ? iterate_fd+0x3f0/0x3f0
[ 182.166833]  ? __lock_is_held+0xbc/0x140
[ 182.170896]  ? kvm_set_memory_region+0x50/0x50
[ 182.175485]  do_vfs_ioctl+0x1b1/0x1530
[ 182.179411]  ? __fd_install+0x2f7/0x6a0
[ 182.183398]  ? anon_inode_getfile+0x349/0x490
[ 182.187891]  ? ioctl_preallocate+0x2b0/0x2b0
[ 182.192287]  ? selinux_capable+0x40/0x40
[ 182.196334]  ? SyS_futex+0x260/0x390
[ 182.200020]  ? SyS_futex+0x269/0x390
[ 182.203737]  ? security_file_ioctl+0x7d/0xb0
[ 182.208121]  ? security_file_ioctl+0x89/0xb0
[ 182.212523]  SyS_ioctl+0x8f/0xc0
[ 182.215888]  entry_SYSCALL_64_fastpath+0x1f/0xbe
[ 182.220639] RIP: 0033:0x451e59
[ 182.223810] RSP: 002b:00007f5c43b2ac08 EFLAGS: 00000216 ORIG_RAX: 0000000000000010
[ 182.231508] RAX: ffffffffffffffda RBX: 00000000007180b0 RCX: 0000000000451e59
[ 182.238762] RDX: 000000002072efe0 RSI: 000000004020ae76 RDI: 0000000000000008
[ 182.246013] RBP: 0000000000000082 R08: 0000000000000000 R09: 0000000000000000
[ 182.253261] R10: 0000000000000000 R11: 0000000000000216 R12: 00000000004ba596
[ 182.260516] R13: 00000000ffffffff R14: ffffffffffffff9c R15: 0000000020969ff7
[ 182.267803]
[ 182.269404] Allocated by task 7090:
[ 182.273021]  save_stack_trace+0x16/0x20
[ 182.276980]  save_stack+0x43/0xd0
[ 182.280424]  kasan_kmalloc+0xad/0xe0
[ 182.284126]  kmem_cache_alloc_trace+0x136/0x750
[ 182.288786]  kvm_irqfd+0x16c/0x1d50
[ 182.292400]  kvm_vm_ioctl+0x1079/0x1c40
[ 182.296346]  do_vfs_ioctl+0x1b1/0x1530
[ 182.300216]  SyS_ioctl+0x8f/0xc0
[ 182.303594]  entry_SYSCALL_64_fastpath+0x1f/0xbe
[ 182.308349]
[ 182.309960] Freed by task 24:
[ 182.313045]  save_stack_trace+0x16/0x20
[ 182.317007]  save_stack+0x43/0xd0
[ 182.320450]  kasan_slab_free+0x71/0xc0
[ 182.324320]  kfree+0xca/0x250
[ 182.327401]  irqfd_shutdown+0x13c/0x1a0
[ 182.331349]  process_one_work+0xbfa/0x1bd0
[ 182.335556]  worker_thread+0x223/0x1860
[ 182.339504]  kthread+0x39c/0x470
[ 182.342847]  ret_from_fork+0x2a/0x40
[ 182.346534]
[ 182.348139] The buggy address belongs to the object at ffff8801cfceaac0
[ 182.348139]  which belongs to the cache kmalloc-512 of size 512
[ 182.360776] The buggy address is located 384 bytes inside of
[ 182.360776]  512-byte region [ffff8801cfceaac0, ffff8801cfceacc0)
[ 182.372621] The buggy address belongs to the page:
[ 182.377536] page:ffffea00073f3a80 count:1 mapcount:0 mapping:ffff8801cfcea0c0 index:0x0
[ 182.385656] flags: 0x200000000000100(slab)
[ 182.389866] raw: 0200000000000100 ffff8801cfcea0c0 0000000000000000 0000000100000006
[ 182.397725] raw: ffffea00073f40e0 ffff8801dac01750 ffff8801dac00940 0000000000000000
[ 182.405578] page dumped because: kasan: bad access detected
[ 182.411271]
[ 182.412871] Memory state around the buggy address:
[ 182.417774]  ffff8801cfceab00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 182.425112]  ffff8801cfceab80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 182.432449] >ffff8801cfceac00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 182.439786]                                            ^
[ 182.445211]  ffff8801cfceac80: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 182.452551]  ffff8801cfcead00: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
[ 182.459889] ==================================================================
[ 182.467221] Disabling lock debugging due to kernel taint
[ 182.472737] Kernel panic - not syncing: panic_on_warn set ...
[ 182.472737]
[ 182.480073] CPU: 1 PID: 7090 Comm: syz-executor0 Tainted: G B 4.13.0-mm1+ #6
[ 182.488359] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 182.497688] Call Trace:
[ 182.500248]  dump_stack+0x194/0x257
[ 182.503847]  ? arch_local_irq_restore+0x53/0x53
[ 182.508497]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 182.513227]  ? irq_bypass_register_consumer+0x450/0x500
[ 182.518561]  panic+0x1e4/0x417
[ 182.521813]  ? __warn+0x1d9/0x1d9
[ 182.525255]  ? irq_bypass_register_consumer+0x4b4/0x500
[ 182.530590]  kasan_end_report+0x50/0x50
[ 182.534532]  kasan_report+0x137/0x340
[ 182.538309]  __asan_report_store8_noabort+0x17/0x20
[ 182.543294]  irq_bypass_register_consumer+0x4b4/0x500
[ 182.548454]  ? __disconnect+0x1a0/0x1a0
[ 182.552402]  ? trace_hardirqs_on_caller+0x421/0x5c0
[ 182.557398]  kvm_irqfd+0x137a/0x1d50
[ 182.561101]  ? kvm_eventfd_init+0x2a0/0x2a0
[ 182.565392]  ? find_held_lock+0x39/0x1d0
[ 182.569444]  ? lock_downgrade+0x990/0x990
[ 182.573560]  ? debug_check_no_locks_freed+0x3d0/0x3d0
[ 182.578729]  ? __might_fault+0xe0/0x1d0
[ 182.582684]  ? lock_release+0xd70/0xd70
[ 182.586626]  ? check_same_owner+0x320/0x320
[ 182.590939]  ? __might_sleep+0x95/0x190
[ 182.594891]  ? kasan_check_write+0x14/0x20
[ 182.599093]  ? _copy_from_user+0x99/0x110
[ 182.603216]  kvm_vm_ioctl+0x1079/0x1c40
[ 182.607165]  ? perf_trace_lock+0x3e9/0x860
[ 182.611372]  ? kvm_set_memory_region+0x50/0x50
[ 182.615928]  ? check_noncircular+0x20/0x20
[ 182.620146]  ? memset+0x31/0x40
[ 182.623409]  ? do_futex+0x783/0x2130
[ 182.627092]  ? perf_trace_lock+0x3e9/0x860
[ 182.631311]  ? find_held_lock+0x39/0x1d0
[ 182.635357]  ? lock_downgrade+0x990/0x990
[ 182.639473]  ? exit_robust_list+0x240/0x240
[ 182.643772]  ? __fget+0xbb/0x580
[ 182.647117]  ? lock_release+0xd70/0xd70
[ 182.651072]  ? __lock_is_held+0xbc/0x140
[ 182.655118]  ? __fget+0x362/0x580
[ 182.658564]  ? iterate_fd+0x3f0/0x3f0
[ 182.662336]  ? __lock_is_held+0xbc/0x140
[ 182.666379]  ? kvm_set_memory_region+0x50/0x50
[ 182.670927]  do_vfs_ioctl+0x1b1/0x1530
[ 182.674783]  ? __fd_install+0x2f7/0x6a0
[ 182.678730]  ? anon_inode_getfile+0x349/0x490
[ 182.683200]  ? ioctl_preallocate+0x2b0/0x2b0
[ 182.687592]  ? selinux_capable+0x40/0x40
[ 182.691629]  ? SyS_futex+0x260/0x390
[ 182.695310]  ? SyS_futex+0x269/0x390
[ 182.699008]  ? security_file_ioctl+0x7d/0xb0
[ 182.703380]  ? security_file_ioctl+0x89/0xb0
[ 182.707762]  SyS_ioctl+0x8f/0xc0
[ 182.711106]  entry_SYSCALL_64_fastpath+0x1f/0xbe
[ 182.715826] RIP: 0033:0x451e59
[ 182.718989] RSP: 002b:00007f5c43b2ac08 EFLAGS: 00000216 ORIG_RAX: 0000000000000010
[ 182.726671] RAX: ffffffffffffffda RBX: 00000000007180b0 RCX: 0000000000451e59
[ 182.733910] RDX: 000000002072efe0 RSI: 000000004020ae76 RDI: 0000000000000008
[ 182.741147] RBP: 0000000000000082 R08: 0000000000000000 R09: 0000000000000000
[ 182.748389] R10: 0000000000000000 R11: 0000000000000216 R12: 00000000004ba596
[ 182.755629] R13: 00000000ffffffff R14: ffffffffffffff9c R15: 0000000020969ff7
[ 182.763271] Dumping ftrace buffer:
[ 182.766783]    (ftrace buffer empty)
[ 182.770460] Kernel Offset: disabled
[ 182.774057] Rebooting in 86400 seconds..
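The report above already contains everything needed to classify the bug: the object was allocated in kvm_irqfd (kmalloc-512), freed by irqfd_shutdown on a workqueue (task 24), and then written 384 bytes in by irq_bypass_register_consumer on the same KVM_IRQFD path. The following triage helper is an added example, not part of the original log or of syzkaller: it parses the KASAN header, the allocation and free stacks, the object geometry and the saved registers, and decodes the ioctl request in RSI using the x86 _IOC field layout (8-bit nr, 8-bit type, 14-bit size, 2-bit direction). The constants it relies on are kernel UAPI facts: KVMIO is 0xAE, KVM_IRQFD is request 0x76 with a 32-byte struct kvm_irqfd, and KASAN marks freed kmalloc memory 0xFB and kmalloc redzones 0xFC. REPORT is an excerpt of the log above, trimmed to the lines the parser needs.

```python
import re

# Excerpt of the KASAN report above, trimmed to the lines the parser needs.
REPORT = """\
[ 181.974645] BUG: KASAN: use-after-free in irq_bypass_register_consumer+0x4b4/0x500
[ 181.982345] Write of size 8 at addr ffff8801cfceac40 by task syz-executor0/7090
[ 181.989771]
[ 181.991377] CPU: 1 PID: 7090 Comm: syz-executor0 Not tainted 4.13.0-mm1+ #6
[ 182.238762] RDX: 000000002072efe0 RSI: 000000004020ae76 RDI: 0000000000000008
[ 182.269404] Allocated by task 7090:
[ 182.273021]  save_stack_trace+0x16/0x20
[ 182.276980]  save_stack+0x43/0xd0
[ 182.280424]  kasan_kmalloc+0xad/0xe0
[ 182.284126]  kmem_cache_alloc_trace+0x136/0x750
[ 182.288786]  kvm_irqfd+0x16c/0x1d50
[ 182.292400]  kvm_vm_ioctl+0x1079/0x1c40
[ 182.308349]
[ 182.309960] Freed by task 24:
[ 182.313045]  save_stack_trace+0x16/0x20
[ 182.317007]  save_stack+0x43/0xd0
[ 182.320450]  kasan_slab_free+0x71/0xc0
[ 182.324320]  kfree+0xca/0x250
[ 182.327401]  irqfd_shutdown+0x13c/0x1a0
[ 182.331349]  process_one_work+0xbfa/0x1bd0
[ 182.346534]
[ 182.348139] The buggy address belongs to the object at ffff8801cfceaac0
[ 182.348139]  which belongs to the cache kmalloc-512 of size 512
[ 182.432449] >ffff8801cfceac00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
"""

_TS = re.compile(r"^\[\s*\d+\.\d+\]\s?")            # "[ 182.273021] " prefix
_INFRA = re.compile(r"^(save_stack|kasan_|kmem_cache_|kfree$|kmalloc)")

# Shadow-byte meanings from mm/kasan/kasan.h (values as of 4.13).
SHADOW = {0x00: "addressable", 0xfb: "freed kmalloc object", 0xfc: "kmalloc redzone"}

# ioctl type byte for KVM requests, and the request numbers this helper knows
# (partial table; extend as needed).
KVMIO = 0xAE
KVM_REQUESTS = {0x76: "KVM_IRQFD"}


def decode_ioc(cmd):
    """Split an x86 ioctl request into its _IOC(dir, type, nr, size) fields."""
    return {
        "dir": (cmd >> 30) & 0x3,        # 1 = _IOC_WRITE (userspace -> kernel)
        "size": (cmd >> 16) & 0x3fff,    # sizeof(argument struct)
        "type": (cmd >> 8) & 0xff,
        "nr": cmd & 0xff,
    }


def ioctl_name(cmd):
    f = decode_ioc(cmd)
    if f["type"] == KVMIO and f["nr"] in KVM_REQUESTS:
        return KVM_REQUESTS[f["nr"]]
    return "unknown(type=0x%02x nr=0x%02x)" % (f["type"], f["nr"])


def _stack_after(lines, header_prefix):
    """Function names of the frames that follow an 'Allocated/Freed by task' header."""
    start = next(i for i, l in enumerate(lines) if l.startswith(header_prefix)) + 1
    frames = []
    for line in lines[start:]:
        if not line.strip():             # stacks end at the empty log line
            break
        frames.append(line.strip().split("+", 1)[0])
    return frames


def culprit(frames):
    """First frame that is not allocator or KASAN bookkeeping."""
    return next(f for f in frames if not _INFRA.match(f))


def shadow_byte_at(text, addr):
    """Shadow byte covering addr, read from the '>' row of the memory-state dump."""
    m = re.search(r">([0-9a-f]+): ((?:[0-9a-f]{2} ?){16})", text)
    row_base = int(m.group(1), 16)
    cells = m.group(2).split()
    return int(cells[(addr - row_base) // 8], 16)   # one shadow byte per 8 bytes


def parse_kasan(text):
    lines = [_TS.sub("", l) for l in text.splitlines()]
    head = re.search(r"BUG: KASAN: (\S+) in (\S+)\+0x", text)
    acc = re.search(r"(Read|Write) of size (\d+) at addr ([0-9a-f]+) by task (\S+)/(\d+)", text)
    obj = re.search(r"object at ([0-9a-f]+)", text)
    cache = re.search(r"cache (\S+) of size (\d+)", text)
    rsi = int(re.search(r"RSI: ([0-9a-f]+)", text).group(1), 16)   # ioctl request
    rdi = int(re.search(r"RDI: ([0-9a-f]+)", text).group(1), 16)   # ioctl fd
    addr, base = int(acc.group(3), 16), int(obj.group(1), 16)
    alloc, free = _stack_after(lines, "Allocated by task"), _stack_after(lines, "Freed by task")
    return {
        "bug": head.group(1), "func": head.group(2),
        "access": acc.group(1), "size": int(acc.group(2)), "addr": addr,
        "task": acc.group(4), "pid": int(acc.group(5)),
        "cache": cache.group(1), "object_size": int(cache.group(2)),
        "offset": addr - base,                     # byte offset inside the object
        "alloc_by": culprit(alloc), "free_by": culprit(free),
        "shadow": SHADOW.get(shadow_byte_at(text, addr), "other"),
        "syscall": "ioctl(fd=%d, %s)" % (rdi, ioctl_name(rsi)),
    }


def summarize(text):
    r = parse_kasan(text)
    return ("%s: %s of %d bytes at +%d in %s object, allocated in %s, freed in %s, "
            "hit in %s via %s; shadow=%s" % (
                r["bug"], r["access"], r["size"], r["offset"], r["cache"],
                r["alloc_by"], r["free_by"], r["func"], r["syscall"], r["shadow"]))


if __name__ == "__main__":
    print(summarize(REPORT))
```

Run stand-alone it prints one line naming the bug class, the faulting write, the allocating and freeing functions, and the syscall that reached the freed object. The ioctl decode is the check worth keeping: RSI 0x4020ae76 splits into direction 1 (write), size 0x20, type 0xAE and nr 0x76, which is exactly _IOW(KVMIO, 0x76, struct kvm_irqfd), so the crashing ioctl on fd 8 is KVM_IRQFD, matching the kvm_irqfd frame in both stacks.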