INIT: Entering runlevel: 2 [info] Using makefile-style concurrent boot in runlevel 2. [....] Starting enhanced syslogd: rsyslogd[?25l[?1c7[ ok 8[?25h[?0c. [....] Starting periodic command scheduler: cron[?25l[?1c7[ ok 8[?25h[?0c. [....] Starting OpenBSD Secure Shell server: sshd[?25l[?1c7[ ok 8[?25h[?0c. Debian GNU/Linux 7 syzkaller ttyS0 Warning: Permanently added 'ci-upstream-next-kasan-gce-4,10.128.0.15' (ECDSA) to the list of known hosts. 2017/09/30 22:18:08 parsed 1 programs 2017/09/30 22:18:08 executed programs: 0 2017/09/30 22:18:13 executed programs: 99 2017/09/30 22:18:18 executed programs: 198 syzkaller login: [ 117.537884] ================================================================== [ 117.545277] BUG: KASAN: use-after-free in __lock_acquire+0x407b/0x4620 [ 117.551908] Read of size 8 at addr ffff8801cb76e7a8 by task syz-executor0/3922 [ 117.559229] [ 117.560825] CPU: 0 PID: 3922 Comm: syz-executor0 Not tainted 4.14.0-rc2-next-20170929+ #32 [ 117.569190] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 117.578510] Call Trace: [ 117.581066] dump_stack+0x194/0x257 [ 117.584660] ? arch_local_irq_restore+0x53/0x53 [ 117.589293] ? show_regs_print_info+0x65/0x65 [ 117.593753] ? __kernel_text_address+0xd/0x40 [ 117.598214] ? __lock_acquire+0x407b/0x4620 [ 117.602510] print_address_description+0x73/0x250 [ 117.607318] ? __lock_acquire+0x407b/0x4620 [ 117.611613] kasan_report+0x25b/0x340 [ 117.615378] __asan_report_load8_noabort+0x14/0x20 [ 117.620271] __lock_acquire+0x407b/0x4620 [ 117.624395] ? unwind_dump+0x4c0/0x4c0 [ 117.628245] ? __unwind_start+0x169/0x330 [ 117.632360] ? __kernel_text_address+0xd/0x40 [ 117.636818] ? unwind_get_return_address+0x61/0xa0 [ 117.641716] ? debug_check_no_locks_freed+0x3d0/0x3d0 [ 117.646869] ? unwind_get_return_address+0x61/0xa0 [ 117.651764] ? __save_stack_trace+0x61/0xd0 [ 117.656051] ? get_signal+0x73f/0x16d0 [ 117.659905] ? save_stack_trace+0x16/0x20 [ 117.664017] ? 
__lock_acquire+0x20fd/0x4620 [ 117.668308] ? debug_check_no_locks_freed+0x3d0/0x3d0 [ 117.673468] ? debug_check_no_locks_freed+0x3d0/0x3d0 [ 117.678639] ? __bpf_address_lookup+0x2b0/0x2b0 [ 117.683274] ? osq_unlock+0x350/0x350 [ 117.687038] ? lock_release+0xd70/0xd70 [ 117.690982] ? __free_insn_slot+0x5c0/0x5c0 [ 117.695272] ? check_noncircular+0x20/0x20 [ 117.699486] ? is_bpf_text_address+0xa4/0x120 [ 117.703963] ? kernel_text_address+0x102/0x140 [ 117.708517] ? __kernel_text_address+0xd/0x40 [ 117.712984] ? find_held_lock+0x39/0x1d0 [ 117.717015] ? lock_downgrade+0x990/0x990 [ 117.721133] ? check_noncircular+0x20/0x20 [ 117.725333] ? kasan_kmalloc+0xad/0xe0 [ 117.729185] lock_acquire+0x1d5/0x580 [ 117.732953] ? exit_pi_state_list+0x369/0x7a0 [ 117.737422] ? lock_release+0xd70/0xd70 [ 117.741363] ? do_raw_spin_trylock+0x190/0x190 [ 117.745910] ? find_held_lock+0x39/0x1d0 [ 117.750030] _raw_spin_lock_irq+0x5e/0x80 [ 117.754143] ? exit_pi_state_list+0x369/0x7a0 [ 117.758603] exit_pi_state_list+0x369/0x7a0 [ 117.762896] ? futex_wait_requeue_pi.constprop.19+0x1300/0x1300 [ 117.768936] ? lock_release+0xd70/0xd70 [ 117.772874] ? trace_event_raw_event_sched_switch+0x770/0x770 [ 117.778725] ? _raw_spin_unlock_irqrestore+0x31/0xba [ 117.783807] ? __might_sleep+0x95/0x190 [ 117.787750] ? __might_fault+0x188/0x1d0 [ 117.791781] ? do_raw_spin_trylock+0x190/0x190 [ 117.796333] mm_release+0x46d/0x590 [ 117.799923] ? do_raw_spin_trylock+0x190/0x190 [ 117.804471] ? mm_access+0x140/0x140 [ 117.808156] ? trace_hardirqs_on_caller+0x421/0x5c0 [ 117.813138] ? trace_hardirqs_on+0xd/0x10 [ 117.817251] ? _raw_spin_unlock_irq+0x27/0x70 [ 117.821712] ? acct_collect+0x637/0x800 [ 117.825654] do_exit+0x481/0x1b00 [ 117.829074] ? mm_update_next_owner+0x930/0x930 [ 117.833710] ? trace_event_raw_event_sched_switch+0x770/0x770 [ 117.839561] ? find_held_lock+0x39/0x1d0 [ 117.843596] ? refill_pi_state_cache.part.6+0x2f0/0x2f0 [ 117.848928] ? check_noncircular+0x20/0x20 [ 117.853132] ? 
fault_in_user_writeable+0x90/0x90 [ 117.857856] ? futex_wake+0x680/0x680 [ 117.861625] ? find_held_lock+0x39/0x1d0 [ 117.865665] ? lock_downgrade+0x990/0x990 [ 117.869781] ? recalc_sigpending_tsk+0x117/0x150 [ 117.874503] ? recalc_sigpending+0x103/0x160 [ 117.878877] ? recalc_sigpending_tsk+0x150/0x150 [ 117.883602] ? get_signal+0x2b2/0x16d0 [ 117.887457] do_group_exit+0x149/0x400 [ 117.891313] ? __lock_is_held+0xbc/0x140 [ 117.895339] ? SyS_exit+0x30/0x30 [ 117.898758] ? _raw_spin_unlock_irq+0x27/0x70 [ 117.903220] ? trace_hardirqs_on_caller+0x421/0x5c0 [ 117.908205] get_signal+0x73f/0x16d0 [ 117.911889] ? ptrace_notify+0x130/0x130 [ 117.915917] ? vma_wants_writenotify+0x3b0/0x3b0 [ 117.920642] ? exit_robust_list+0x240/0x240 [ 117.924939] ? lock_downgrade+0x990/0x990 [ 117.929056] ? SyS_brk+0x6f0/0x6f0 [ 117.932576] do_signal+0x94/0x1ee0 [ 117.936081] ? arch_get_unmapped_area+0x750/0x750 [ 117.940887] ? lock_acquire+0x1d5/0x580 [ 117.944827] ? find_held_lock+0x39/0x1d0 [ 117.948853] ? setup_sigcontext+0x7d0/0x7d0 [ 117.953140] ? lock_downgrade+0x990/0x990 [ 117.957258] ? down_write+0x120/0x120 [ 117.961034] ? lock_release+0xd70/0xd70 [ 117.964977] ? trace_event_raw_event_sched_switch+0x770/0x770 [ 117.970832] ? vm_mmap_pgoff+0x1fc/0x280 [ 117.974860] ? exit_to_usermode_loop+0x8c/0x310 [ 117.979502] exit_to_usermode_loop+0x214/0x310 [ 117.984058] ? trace_event_raw_event_sys_exit+0x260/0x260 [ 117.989562] ? kasan_check_write+0x14/0x20 [ 117.993782] syscall_return_slowpath+0x42f/0x510 [ 117.998505] ? prepare_exit_to_usermode+0x2d0/0x2d0 [ 118.003508] ? entry_SYSCALL_64_fastpath+0x91/0xbe [ 118.008406] ? trace_hardirqs_on_caller+0x421/0x5c0 [ 118.013388] ? 
trace_hardirqs_on_thunk+0x1a/0x1c [ 118.018111] entry_SYSCALL_64_fastpath+0xbc/0xbe [ 118.022831] RIP: 0033:0x4520a9 [ 118.025987] RSP: 002b:00007f81ba911cf8 EFLAGS: 00000246 ORIG_RAX: 00000000000000ca [ 118.033661] RAX: fffffffffffffe00 RBX: 0000000000718028 RCX: 00000000004520a9 [ 118.040895] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000718028 [ 118.048132] RBP: 0000000000718000 R08: 0000000000000000 R09: 0000000000000000 [ 118.055370] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 [ 118.062607] R13: 0000000000a6f7ef R14: 00007f81ba9129c0 R15: 0000000000000000 [ 118.069850] [ 118.071445] Allocated by task 3924: [ 118.075041] save_stack_trace+0x16/0x20 [ 118.078982] save_stack+0x43/0xd0 [ 118.082401] kasan_kmalloc+0xad/0xe0 [ 118.086080] kmem_cache_alloc_trace+0x136/0x750 [ 118.090712] refill_pi_state_cache.part.6+0xa5/0x2f0 [ 118.095777] futex_requeue+0x1887/0x2370 [ 118.099801] do_futex+0x7f5/0x20d0 [ 118.103304] SyS_futex+0x260/0x390 [ 118.106810] entry_SYSCALL_64_fastpath+0x1f/0xbe [ 118.111525] [ 118.113118] Freed by task 3923: [ 118.116364] save_stack_trace+0x16/0x20 [ 118.120303] save_stack+0x43/0xd0 [ 118.123729] kasan_slab_free+0x71/0xc0 [ 118.127580] kfree+0xca/0x250 [ 118.130651] put_pi_state+0x3f4/0x560 [ 118.134417] unqueue_me_pi+0x4a/0xc0 [ 118.138096] futex_wait_requeue_pi.constprop.19+0xc7f/0x1300 [ 118.143859] do_futex+0x825/0x20d0 [ 118.147361] SyS_futex+0x260/0x390 [ 118.150866] entry_SYSCALL_64_fastpath+0x1f/0xbe [ 118.155583] [ 118.157178] The buggy address belongs to the object at ffff8801cb76e780 [ 118.157178] which belongs to the cache kmalloc-256 of size 256 [ 118.169886] The buggy address is located 40 bytes inside of [ 118.169886] 256-byte region [ffff8801cb76e780, ffff8801cb76e880) [ 118.181638] The buggy address belongs to the page: [ 118.186532] page:ffffea00072ddb80 count:1 mapcount:0 mapping:ffff8801cb76e000 index:0x0 [ 118.194639] flags: 0x200000000000100(slab) [ 118.198840] raw: 0200000000000100 
ffff8801cb76e000 0000000000000000 000000010000000c [ 118.206685] raw: ffffea00072c24e0 ffffea00072c60e0 ffff8801dac007c0 0000000000000000 [ 118.214526] page dumped because: kasan: bad access detected [ 118.220196] [ 118.221793] Memory state around the buggy address: [ 118.226690] ffff8801cb76e680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 118.234020] ffff8801cb76e700: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc [ 118.241345] >ffff8801cb76e780: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 118.248667] ^ [ 118.253298] ffff8801cb76e800: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 118.260623] ffff8801cb76e880: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb [ 118.267945] ================================================================== [ 118.275266] Disabling lock debugging due to kernel taint [ 118.280677] Kernel panic - not syncing: panic_on_warn set ... [ 118.280677] [ 118.288008] CPU: 0 PID: 3922 Comm: syz-executor0 Tainted: G B 4.14.0-rc2-next-20170929+ #32 [ 118.297586] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 118.306903] Call Trace: [ 118.309459] dump_stack+0x194/0x257 [ 118.313052] ? arch_local_irq_restore+0x53/0x53 [ 118.317688] ? vprintk_default+0x28/0x30 [ 118.321717] ? __lock_acquire+0x4000/0x4620 [ 118.326013] panic+0x1e4/0x41c [ 118.329173] ? refcount_error_report+0x214/0x214 [ 118.333896] ? __lock_acquire+0x407b/0x4620 [ 118.338184] kasan_end_report+0x50/0x50 [ 118.342125] kasan_report+0x144/0x340 [ 118.345892] __asan_report_load8_noabort+0x14/0x20 [ 118.350786] __lock_acquire+0x407b/0x4620 [ 118.354899] ? unwind_dump+0x4c0/0x4c0 [ 118.358750] ? __unwind_start+0x169/0x330 [ 118.362862] ? __kernel_text_address+0xd/0x40 [ 118.367320] ? unwind_get_return_address+0x61/0xa0 [ 118.372217] ? debug_check_no_locks_freed+0x3d0/0x3d0 [ 118.377371] ? unwind_get_return_address+0x61/0xa0 [ 118.382265] ? __save_stack_trace+0x61/0xd0 [ 118.386552] ? get_signal+0x73f/0x16d0 [ 118.390405] ? 
save_stack_trace+0x16/0x20 [ 118.394519] ? __lock_acquire+0x20fd/0x4620 [ 118.398808] ? debug_check_no_locks_freed+0x3d0/0x3d0 [ 118.403966] ? debug_check_no_locks_freed+0x3d0/0x3d0 [ 118.409121] ? __bpf_address_lookup+0x2b0/0x2b0 [ 118.413756] ? osq_unlock+0x350/0x350 [ 118.417520] ? lock_release+0xd70/0xd70 [ 118.421460] ? __free_insn_slot+0x5c0/0x5c0 [ 118.425747] ? check_noncircular+0x20/0x20 [ 118.429949] ? is_bpf_text_address+0xa4/0x120 [ 118.434408] ? kernel_text_address+0x102/0x140 [ 118.438956] ? __kernel_text_address+0xd/0x40 [ 118.443419] ? find_held_lock+0x39/0x1d0 [ 118.447447] ? lock_downgrade+0x990/0x990 [ 118.451559] ? check_noncircular+0x20/0x20 [ 118.455759] ? kasan_kmalloc+0xad/0xe0 [ 118.459613] lock_acquire+0x1d5/0x580 [ 118.463380] ? exit_pi_state_list+0x369/0x7a0 [ 118.467842] ? lock_release+0xd70/0xd70 [ 118.471781] ? do_raw_spin_trylock+0x190/0x190 [ 118.476327] ? find_held_lock+0x39/0x1d0 [ 118.480358] _raw_spin_lock_irq+0x5e/0x80 [ 118.484478] ? exit_pi_state_list+0x369/0x7a0 [ 118.488945] exit_pi_state_list+0x369/0x7a0 [ 118.493234] ? futex_wait_requeue_pi.constprop.19+0x1300/0x1300 [ 118.499274] ? lock_release+0xd70/0xd70 [ 118.503216] ? trace_event_raw_event_sched_switch+0x770/0x770 [ 118.509067] ? _raw_spin_unlock_irqrestore+0x31/0xba [ 118.514139] ? __might_sleep+0x95/0x190 [ 118.518089] ? __might_fault+0x188/0x1d0 [ 118.522125] ? do_raw_spin_trylock+0x190/0x190 [ 118.526674] mm_release+0x46d/0x590 [ 118.530266] ? do_raw_spin_trylock+0x190/0x190 [ 118.534814] ? mm_access+0x140/0x140

Triage note (reviewer): this log describes one bug, not two. The KASAN splat at 117.545 is the finding; the "Kernel panic - not syncing: panic_on_warn set" line, the "Disabling lock debugging due to kernel taint" line and the second call trace (truncated here) are the fuzzer's panic_on_warn setting reacting to that splat and add no information. What the splat shows: task syz-executor0/3922 is exiting on a signal (get_signal -> do_group_exit -> do_exit -> mm_release) on the way out of a futex() call (ORIG_RAX 0xca is __NR_futex on x86-64; RAX 0xfffffffffffffe00 is -ERESTARTSYS), and exit_pi_state_list takes a spinlock inside a kmalloc-256 object that has already been freed. Per the allocation/free stacks the object is a futex pi_state: it was allocated by task 3924 in refill_pi_state_cache (from futex_requeue) and freed by task 3923 through put_pi_state <- unqueue_me_pi <- futex_wait_requeue_pi, i.e. the requeue-PI waiter dropped the last reference while the exiting task still had that pi_state on its list. The faulting 8-byte read is lockdep's __lock_acquire inspecting the lock that sits 40 bytes into the freed 256-byte slot. Security assessment: every frame involved is reachable from an ordinary, unprivileged futex() call (the requeue-PI operations, judging by futex_requeue and futex_wait_requeue_pi in the stacks) and the freed slot is in the general-purpose kmalloc-256 cache, so until a fix is confirmed this should be triaged as a potential local privilege-escalation primitive rather than a plain denial of service: if the slot is reallocated before exit_pi_state_list reaches it, the exiting task would lock and modify fields inside memory the attacker controls. Reproduction notes: the tree is a linux-next snapshot (4.14.0-rc2-next-20170929+, KASAN and lockdep enabled) on GCE; three cooperating tasks (3922, 3923, 3924) appear in the report, so a reproducer presumably needs at least three threads sharing the PI futex, and without KASAN the race will likely pass silently or surface only as an unrelated-looking lockup.