crashes analysis


Peter Teoh

Apr 17, 2016, 12:22:01 PM4/17/16
to syzkaller
I have set up the fuzzer as documented, and after running for a day, have got something like 10000 crashes after aggregating up all the machines. Some questions:

a. I have yet to fully understand how "crashes" come about: is it always arising from running the fuzzer inside the qemu VM, or is it terminated from the host upon some "KASAN"-triggered bugs detected? KASAN is a form of "what-if" analysis using the shadow memory, so if it were to be executing without the KASAN sanitizer, it would have resulted in a crash, correct?

b. The output of the qemu-generated logs is a sequence of syscalls generated by different threads which concurrently execute together to result in the crash, correct? So I extracted the per-thread section from the qemu log and passed it to syz-prog2c to get it formatted into a proper C file for compilation.

i.e., post-process the qemu log to /tmp/tmp$$ first:

./bin/syz-repro -config ./syz-manager/my.cfg  ./workdir/crashes/crash-qemu-0-1460770949265358626 2> /tmp/tmp$$

Then I will extract the per-thread list of syscall sequences from /tmp/tmp$$ to pass to syz-prog2c to generate the C file. Is there a better, more direct way?

Dmitry Vyukov

Apr 17, 2016, 12:44:02 PM4/17/16
to syzkaller
On Sun, Apr 17, 2016 at 6:22 PM, Peter Teoh <htmlde...@gmail.com> wrote:
> i have setup the fuzzer as documented, and after running for a day, have got
> something like 10000 crashes, after aggregating up all the machines. some
> questions:
>
> a. i have yet to fully understand how "crashes" comes about: is it
> always arising from running the fuzzer inside the qemu VM, or is it
> terminated from the host upon some "KASAN" - triggered bugs detected?
> KASAN is a form of "what-if" analysis using the shadow memory, so if it were
> to be executing without the KASAN sanitizer, it would have been resulting in
> a crash, correct?

Hi Peter,

I am not sure I fully understand the question.
syz-manager analyzes console output of qemu/lkvm/adb instances and
looks for strings like "BUG:", "WARNING:", etc. If there is a match,
syz-manager extracts that part of output and saves it to crashes dir.
KASAN prefixes bug reports with "BUG:", so they are automatically
handled by syz-manager.
KASAN is not "what if", it catches an actual bug. Some bugs can lead
to crashes without KASAN, some do not. For example, an out-of-bounds
read will most likely not crash the kernel (it can leak sensitive info,
lead to privilege escalation, etc).
Does it answer your question?


> b. The output of qemu-generated logs is a sequence of syscall generated by
> different threads which concurrently execute together to result in the
> crash, correct? so I extracted out the per-thread section from the
> qemu-log and passed it to the syz-prog2c to get it formatted to a proper C
> file for compilation.
>
> ie, post-process the qemu log to /tmp/tmp$$ first:
>
> ./bin/syz-repro -config ./syz-manager/my.cfg
> ./workdir/crashes/crash-qemu-0-1460770949265358626 2> /tmp/tmp$$
>
> Then I will extract out the per-thread list of syscall sequence from
> /tmp/tmp$$ to pass it to syz-prog2c to generate the C file. Is there a
> better more direct way?


What do you mean by per-thread section? Threads are not represented in
crash logs.

If you did not set the procs parameter in the config file (or set it to 1),
then the crashing program is most likely the one that directly
precedes the crash. So you can save it to a separate file, and then
pass to "syz-prog2c -threaded -collide". However, note that prog2c
does not support the special syz_* syscalls at the moment, so if they
are present in the program, then you will need to manually edit the
generated C program.
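As an added example (my own script, not syzkaller's own code) of the post-processing Dmitry describes in this reply: scan a syz-manager log for the "BUG:"/"WARNING:" marker, cut out the kernel report, and pull out the program logged directly before it, which is the program you would save to a file for syz-prog2c. The log layout and the sample log are constructed from snippets in this thread; returning the last program of every proc as candidates for procs>1 is my extension.

```python
"""Post-process a syz-manager console log: locate the kernel bug report and
the program that directly precedes it (the one to hand to syz-prog2c)."""
import re

# Markers syz-manager greps the console output for (per Dmitry's reply).
CRASH_MARKERS = ("BUG:", "WARNING:")

# "2016/07/02 16:32:12 executing program 0:" -- syz-manager's program header.
PROG_HEADER = re.compile(
    r"^\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2} executing program (\d+):\s*$")
# "[ 3677.926194] " dmesg timestamp prefix on kernel console lines.
DMESG_PREFIX = re.compile(r"^\[\s*\d+\.\d+\]\s?")


def parse_log(text):
    """Return (programs, report).

    programs: list of (proc, [syscall lines]) in the order they were logged,
              stopping at the first program header after the report.
    report:   kernel lines from the first crash marker up to the next program
              header (or end of log), or None when nothing matched.
    """
    programs = []
    report = None
    current = None
    for raw in text.splitlines():
        m = PROG_HEADER.match(raw)
        if m:
            if report is not None:
                break  # the next program header closes the report
            current = (int(m.group(1)), [])
            programs.append(current)
            continue
        is_kernel = DMESG_PREFIX.match(raw) is not None
        line = DMESG_PREFIX.sub("", raw)
        if report is not None:
            report.append(line)
        elif any(line.startswith(mk) for mk in CRASH_MARKERS):
            report = [line]
        elif current is not None and not is_kernel and raw.strip():
            current[1].append(raw)  # a syscall line of the current program
    return programs, report


def crashing_candidates(programs):
    """With procs=1 the program logged directly before the report is the likely
    culprit. With procs>1 several programs were in flight, so (my extension)
    also return the last program seen for every proc id."""
    preceding = programs[-1] if programs else None
    last_per_proc = {proc: calls for proc, calls in programs}
    return preceding, last_per_proc


def summarize(text):
    """Everything a reproduction attempt needs, as plain values."""
    programs, report = parse_log(text)
    preceding, per_proc = crashing_candidates(programs)
    return {
        "title": report[0] if report else None,
        "report_lines": len(report) if report else 0,
        "preceding_proc": preceding[0] if preceding else None,
        "preceding_calls": preceding[1] if preceding else [],
        "procs_in_flight": sorted(per_proc),
    }


# Constructed sample in the log format seen in this thread: two programs,
# then a (trimmed) KASAN report, then the program that ran after the crash.
SAMPLE_LOG = """\
2016/07/02 16:32:10 executing program 1:
r3 = socket$netlink(0x10, 0x3, 0x0)
ioctl$void(r3, 0x5450)
2016/07/02 16:32:12 executing program 0:
mmap(&(0x7f0000000000)=nil, (0xf000), 0x3, 0x32, 0xffffffffffffffff, 0x0)
r0 = creat(&(0x7f000000e000+0x335)="2e2f66696c653000", 0x100)
ioctl$VT_RESIZE(r0, 0x5609, &(0x7f000000e000)={0x0, 0x3, 0x401})
[ 3677.926161] ==================================================================
[ 3677.926194] BUG: KASAN: slab-out-of-bounds in vgacon_invert_region+0x82/0xd0 at addr ffff88000e53b436
[ 3677.926202] Read of size 2 by task syz-executor/738
[ 3677.927644] ==================================================================
2016/07/02 16:32:12 executing program 0:
mmap(&(0x7f0000000000)=nil, (0x2000), 0x3, 0x32, 0xffffffffffffffff, 0x0)
"""

if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    print(s["title"])
    print("program to save for syz-prog2c (proc %d):" % s["preceding_proc"])
    print("\n".join(s["preceding_calls"]))
```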

Costin Carabas

Apr 26, 2016, 3:16:35 AM4/26/16
to syzkaller
Hello Dmitry,

I have kind of the same output as Peter: the syz-manager tool says I get 10k "crashes" per day, but I don't think that is accurate.

The output of syz-manager is something like this:

2016/04/26 10:03:34 qemu-12: saving crash 'no output' to crash-qemu-12-1461654214058594471
2016/04/26 10:03:36 qemu-9: saving crash 'no output' to crash-qemu-9-1461654216426597343
2016/04/26 10:03:38 qemu-11: saving crash 'no output' to crash-qemu-11-1461654218075812657
2016/04/26 10:03:41 qemu-3: saving crash 'no output' to crash-qemu-3-1461654221673604594
2016/04/26 10:03:41 qemu-4: saving crash 'no output' to crash-qemu-4-1461654221989396009
2016/04/26 10:03:50 qemu-10: saving crash 'no output' to crash-qemu-10-1461654230842674128
2016/04/26 10:03:50 qemu-0: saving crash 'no output' to crash-qemu-0-1461654230843974251
2016/04/26 10:03:59 qemu-2: saving crash 'no output' to crash-qemu-2-1461654239809923876
2016/04/26 10:04:01 qemu-1: saving crash 'no output' to crash-qemu-1-1461654241733035645
2016/04/26 10:04:06 qemu-14: saving crash 'no output' to crash-qemu-14-1461654246457995804
2016/04/26 10:04:07 qemu-5: saving crash 'no output' to crash-qemu-5-1461654247855291141

I accessed one of the qemu VMs via ssh. This is part of the dmesg output. Basically, I get backtraces for all active processes.
[   80.646695] sysrq: SysRq : HELP : loglevel(0-9) reboot(b) crash(c) terminate-all-tasks(e) memory-full-oom-kill(f) kill-all-tasks(i) thaw-filesystems(j) sak(k) show-backtrace-all-active-cpus(l) show-memory-usage(m) nice-all-RT-tasks(n) poweroff(o) show-registers(p) show-all-timers(q) unraw(r) sync(s) show-task-states(t) unmount(u) show-blocked-tasks(w) dump-ftrace-buffer(z) 
[   83.802989] sysrq: SysRq : Show backtrace of all active CPUs
[   83.803391] Sending NMI to all CPUs:
[   83.803753] NMI backtrace for cpu 0
[   83.803985] CPU: 0 PID: 0 Comm: swapper/0 Not tainted 4.6.0-rc4+ #3
[   83.804415] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
[   83.804791] task: ffffffff83212cc0 ti: ffffffff83200000 task.ti: ffffffff83200000
[   83.805172] RIP: 0010:[<ffffffff8106b42a>]  [<ffffffff8106b42a>] default_idle+0x1a/0x200
[   83.805602] RSP: 0018:ffffffff83207e20  EFLAGS: 00000246
[   83.805837] RAX: 0000000000000000 RBX: ffffffff83208000 RCX: 0100000000000000
[   83.806230] RDX: 1ffffffff0640001 RSI: 0000000000000000 RDI: ffffffff83200008
[   83.806640] RBP: ffffffff83207e40 R08: 0000000000000000 R09: 0000000000000000
[   83.806954] R10: 0000000000000000 R11: 0000000000000001 R12: ffffffff83208000
[   83.807349] R13: ffffffff835f0158 R14: 0000000000000000 R15: 0000000000000000
[   83.807785] FS:  0000000000000000(0000) GS:ffff88003ec00000(0000) knlGS:0000000000000000
[   83.808198] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[   83.808490] CR2: 00005646f7673220 CR3: 000000006c9e9000 CR4: 00000000000006f0
[   83.808868] Stack:
[   83.808962]  ffffffff83208000 ffffffff83208000 ffffffff835f0158 0000000000000000
[   83.809336]  ffffffff83207e50 ffffffff8106c63a ffffffff83207e68 ffffffff811c2cd8
[   83.809773]  dffffc0000000000 ffffffff83207ed8 ffffffff811c30e1 ffffffff83200000
[   83.810149] Call Trace:
[   83.810292]  [<ffffffff8106c63a>] arch_cpu_idle+0xa/0x10
[   83.810538]  [<ffffffff811c2cd8>] default_idle_call+0x48/0x60
[   83.810844]  [<ffffffff811c30e1>] cpu_startup_entry+0x3f1/0x510
[   83.811143]  [<ffffffff82baf6ee>] rest_init+0x9e/0xb0
[   83.811461]  [<ffffffff8362167b>] start_kernel+0x5cf/0x5f5
[   83.811737]  [<ffffffff836210ac>] ? thread_info_cache_init+0xb/0xb
[   83.812081]  [<ffffffff836d8c7a>] ? memblock_reserve+0x59/0x5e
[   83.812396]  [<ffffffff83620120>] ? early_idt_handler_array+0x120/0x120
[   83.812698]  [<ffffffff836202f4>] x86_64_start_reservations+0x2a/0x2c
[   83.813064]  [<ffffffff83620441>] x86_64_start_kernel+0x14b/0x15a
[   83.813403] Code: 00 48 8b 07 55 48 89 e5 48 89 06 5d c3 0f 1f 40 00 55 48 89 e5 41 56 41 55 65 44 8b 35 00 7d fa 7e 41 54 53 0f 1f 44 00 00 fb f4 <65> 44 8b 35 ee 7c fa 7e 0f 1f 44 00 00 5b 41 5c 41 5d 41 5e 5d
So, no crash on the qemu. Is this a false positive? Am I missing something? 


Regards,
Costin

Dmitry Vyukov

Apr 26, 2016, 3:36:39 AM4/26/16
to syzkaller
Hi Costin,

Most of the time "no output" means a real bug (at least in my setup).
You can see examples of bugs detected with "no output" here:

https://groups.google.com/forum/#!topic/syzkaller/zfuHHRXL7Zg
https://groups.google.com/forum/#!msg/syzkaller/6M2Z5r28UDA/nYPsJ1KIBwAJ
https://groups.google.com/forum/#!msg/syzkaller/dSd90m_8O9w/-SAlwCUUCAAJ
https://groups.google.com/forum/#!msg/syzkaller/bUvgnh0owos/Ps7Rep4XCAAJ

Basically a process hangs in such a state that SIGKILL cannot kill it.
A good thing if you want to do local DoS.

Try to replay some logs with the syz-execprog tool as described below and
check whether it makes progress and the state of the processes:

https://github.com/google/syzkaller/wiki/How-to-execute-syzkaller-programs
https://github.com/google/syzkaller/wiki/Crash-reproducer-programs

Costin Carabas

May 4, 2016, 8:49:06 AM5/4/16
to syzkaller
Hello Dmitry,

As I tried to reproduce the crash, I did the following:
- started a qemu with the same image and kernel
- pushed a random crash on the qemu
- executed the crash:
./syz-execprog -executor ./syz-executor -cover=0 -repeat=0 -procs=16 crash-qemu-0-1461311199837055970 

The output: 

2016/05/04 11:47:08 parsed 4 programs
2016/05/04 11:47:08 executed 0 programs
result: failed=false hanged=false err=executor is not serving
2016/05/04 11:48:08 executed 16 programs
result: failed=false hanged=false err=executor is not serving 
result: failed=false hanged=false err=executor is not serving
...........
result: failed=false hanged=false err=executor is not serving
2016/05/04 11:49:08 executed 32 programs
result: failed=false hanged=false err=executor is not serving
result: failed=false hanged=false err=executor is not serving 
...........
result: failed=false hanged=false err=executor is not serving 
 .........

 The result was no crash (dmesg).

The strace shows the following: 
clone(child_stack=0xc820037fc0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD) = 3085
rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0
futex(0x97c6f8, FUTEX_WAIT, 0, {59, 999993378}) = ? ERESTART_RESTARTBLOCK (To be restarted)
--- SIGCHLD (Child exited) @ 0 (0) ---
rt_sigreturn(0xc820000000)              = -1 EINTR (Interrupted system call)
futex(0x97c6f8, FUTEX_WAIT, 0, {59, 999131373}) = -1 ETIMEDOUT (Connection timed out)
futex(0x97ca20, FUTEX_WAKE, 1)          = 1
futex(0xc820027c10, FUTEX_WAKE, 1result: failed=false hanged=false err=executor is not serving

2016/05/04 12:08:22 executed 16 programs
)      = 1
futex(0x97c6f8, FUTEX_WAIT, 0, {0, 2093425}) = -1 ETIMEDOUT (Connection timed out)
futex(0x97ca20, FUTEX_WAKE, 1)          = 1
futex(0xc82025f310, FUTEX_WAKE, 1result: failed=false hanged=false err=executor is not serving



On the other hand, if I try to run this on the host (Ubuntu, 4.6.0-rc4+) I get a segmentation fault. This is the dmesg output from the host:

crashing_binary[25425]: segfault at 20006000 ip 0000000000400b9b sp 00007ffeba165580 error 6 in crashing_binary[400000+6000]

 

I also noticed that when I run the tool (syz-manager), I get a crash for every qemu instance.


1. Have you (or anyone else) encountered this behaviour before?
2. Is it relevant that on the host I get a crash?
3. As the strace output on the VM shows, I see that it executes some system calls, but it hangs on futex with a Connection timed out error. (This error occurs for every crash that I tried to replay.)


Regards,
Costin

Dmitry Vyukov

May 4, 2016, 8:56:42 AM5/4/16
to syzkaller
Please execute:

./syz-execprog -executor ./syz-executor -cover=0 -repeat=1 -procs=1
-debug crash-qemu-0-1461311199837055970

./syz-execprog -executor ./syz-executor -cover=0 -repeat=1 -procs=1
-debug -nobody=0 crash-qemu-0-1461311199837055970

./syz-execprog -executor ./syz-executor -cover=1 -repeat=1 -procs=1
-debug -nobody=0 crash-qemu-0-1461311199837055970

and post output here.

Have you enabled CONFIG_NAMESPACES, CONFIG_UTS_NS, CONFIG_USER_NS,
CONFIG_PID_NS and CONFIG_NET_NS for kernel?



On Wed, May 4, 2016 at 2:49 PM, Costin Carabas <costin....@gmail.com> wrote:
> Hello Dmitry,
>
syz-executor can legally crash while executing random programs.

Costin Carabas

May 5, 2016, 4:51:36 AM5/5/16
to syzkaller
Hello Dmitry,



On Wednesday, May 4, 2016 at 3:56:42 PM UTC+3, Dmitry Vyukov wrote:
Please execute:

./syz-execprog -executor ./syz-executor -cover=0 -repeat=1 -procs=1
-debug crash-qemu-0-1461311199837055970

2016/05/04 13:30:15 parsed 4 programs
2016/05/04 13:30:15 executed 0 programs
clone failed (errno 22)
result: failed=false hanged=false err=executor is not serving

clone failed (errno 22)
result: failed=false hanged=false err=executor is not serving

clone failed (errno 22)
result: failed=false hanged=false err=executor is not serving

clone failed (errno 22)
result: failed=false hanged=false err=executor is not serving

2016/05/04 13:34:15 executed 4 programs

 

./syz-execprog -executor ./syz-executor -cover=0 -repeat=1 -procs=1
-debug -nobody=0 crash-qemu-0-1461311199837055970


completion of call 32 [ioctl$EVIOCGMASK] on thread 1
completion of call 31 [mmap] on thread 0
worker exiting
waitpid(3472)=3472 (2)
rmdir(./3)
result: failed=false hanged=false err=<nil>

control pipe read failed (errno 2)


 
./syz-execprog -executor ./syz-executor -cover=1 -repeat=1 -procs=1
-debug -nobody=0 crash-qemu-0-1461311199837055970


Same as cover = 0
 
and post output here.

Have you enabled CONFIG_NAMESPACES, CONFIG_UTS_NS, CONFIG_USER_NS,
CONFIG_PID_NS and CONFIG_NET_NS for kernel?



I didn't enable CONFIG_USER_NS.
Once I enabled it, it seems to have normal behaviour. Output:

2016/05/05 09:00:54 qemu-0: saving crash 'no output' to crash-qemu-0-1462428054923702825
2016/05/05 09:01:20 qemu-1: running long enough, restarting
2016/05/05 09:01:30 qemu-15: running long enough, restarting
2016/05/05 09:05:28 qemu-8: running long enough, restarting
2016/05/05 09:05:31 qemu-12: running long enough, restarting
2016/05/05 09:05:50 qemu-13: running long enough, restarting
2016/05/05 09:05:50 qemu-10: running long enough, restarting
2016/05/05 09:05:54 qemu-4: running long enough, restarting
2016/05/05 09:05:55 qemu-11: running long enough, restarting
2016/05/05 09:06:03 qemu-3: running long enough, restarting
2016/05/05 09:06:04 qemu-5: running long enough, restarting
2016/05/05 09:06:09 qemu-6: running long enough, restarting
2016/05/05 09:13:40 qemu-7: running long enough, restarting



Regards,

Costin

Dmitry Vyukov

May 5, 2016, 4:54:27 AM5/5/16
to syzkaller
On Thu, May 5, 2016 at 10:51 AM, Costin Carabas
<costin....@gmail.com> wrote:
> Hello Dmitry,
>
>
>
Okay, so _now_ it is working. I guess we need to improve diagnosis of
such common things as unsuitable configs.
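An added check (my own script, not part of syzkaller) for the config problem diagnosed above: parse a kernel .config and report which of the namespace options Dmitry listed are not built in. The required option list is the one from the thread; the mapping of each option to the clone(2) flag that fails with EINVAL (errno 22, the "clone failed (errno 22)" seen in Costin's output) when the option is off is my own annotation, and the sample .config is constructed.

```python
"""Report the namespace Kconfig options syz-executor needs that are not built in."""
import gzip
import re

# Option -> clone(2) namespace flag that returns EINVAL (errno 22) when the
# option is compiled out. CONFIG_NAMESPACES is the umbrella for all of them.
REQUIRED = {
    "CONFIG_NAMESPACES": "CLONE_NEW*",
    "CONFIG_UTS_NS": "CLONE_NEWUTS",
    "CONFIG_USER_NS": "CLONE_NEWUSER",
    "CONFIG_PID_NS": "CLONE_NEWPID",
    "CONFIG_NET_NS": "CLONE_NEWNET",
}

SET_RE = re.compile(r"^(CONFIG_\w+)=(y|m)$")
UNSET_RE = re.compile(r"^# (CONFIG_\w+) is not set$")


def parse_config(text):
    """Map CONFIG_* -> 'y' | 'm' | 'n' from .config text; other lines ignored."""
    state = {}
    for line in text.splitlines():
        line = line.strip()
        m = SET_RE.match(line)
        if m:
            state[m.group(1)] = m.group(2)
            continue
        m = UNSET_RE.match(line)
        if m:
            state[m.group(1)] = "n"
    return state


def missing_namespace_options(text):
    """Return the REQUIRED options that are not built in ('y'), in REQUIRED order.

    Options absent from the file also count as missing: Kconfig omits options
    whose dependencies are unmet (everything under CONFIG_NAMESPACES when the
    umbrella option is off).
    """
    state = parse_config(text)
    return [opt for opt in REQUIRED if state.get(opt) != "y"]


def load_running_config(path="/proc/config.gz"):
    """Read the running kernel's config (requires CONFIG_IKCONFIG_PROC)."""
    with gzip.open(path, "rt") as f:
        return f.read()


# Constructed sample mirroring the thread: everything enabled except USER_NS.
SAMPLE_CONFIG = """\
# Automatically generated file; DO NOT EDIT.
CONFIG_NAMESPACES=y
CONFIG_UTS_NS=y
CONFIG_IPC_NS=y
# CONFIG_USER_NS is not set
CONFIG_PID_NS=y
CONFIG_NET_NS=y
CONFIG_KASAN=y
"""

if __name__ == "__main__":
    for opt in missing_namespace_options(SAMPLE_CONFIG):
        print("%s is off: syz-executor's clone(%s) will fail with EINVAL"
              % (opt, REQUIRED[opt]))
```

Point the script at the guest kernel's .config (or load_running_config() inside the VM) before starting syz-manager, so a missing option shows up here rather than as "executor is not serving".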

cyber...@gmail.com

Jul 5, 2016, 5:12:47 AM7/5/16
to syzkaller
I have run the fuzzer for a week now and have got about 50000 crashes with kernel 4.7-rc5,
BUT I CANNOT reproduce ANY of the crashes using the tools given by syzkaller, like syz-repro, syz-prog2c, syz-executor etc. Why??? I did all this just as documented, but it did not work. Who can help me?

On Monday, April 18, 2016 at 12:22:01 AM UTC+8, Peter Teoh wrote:

Dmitry Vyukov

Jul 5, 2016, 5:26:29 AM7/5/16
to syzkaller
Hi cybertitan,

Please choose one crash that looks legit and preferably does not
involve data races, post it here and we will work on reproduction.

cyber...@gmail.com

Jul 5, 2016, 9:36:04 PM7/5/16
to syzkaller
Hi Dmitry,

One of the crash logs I have tried:
2016/07/02 16:32:10 executing program 0:
r0 = dup3(0x1869f, 0xffffffffffffff9c, 0x80000)
ioctl$KVM_KVMCLOCK_CTRL(r0, 0xaead)
mmap(&(0x7f0000000000)=nil, (0x1000), 0x3, 0x32, 0xffffffffffffffff, 0x0)
ioctl$TCSETSF(r0, 0x5404, &(0x7f0000001000-0x24)={0x5, 0x8, 0x7, 0x101, 0xfffffffffffffffe, 0x7, 0x10000, 0xe63c9a2, 0x4, 0xffffffff7fffffff, 0x8001, 0xa50})
mmap(&(0x7f0000001000)=nil, (0x1000), 0x3, 0x32, 0xffffffffffffffff, 0x0)
ioctl$KVM_SET_USER_MEMORY_REGION(0xffffffffffffff9c, 0x4020ae46, &(0x7f0000002000-0x20)={0x101, 0x20000, 0xa42, (0xc00000), &(0x7f0000299000)=nil})
pipe(&(0x7f0000000000)={<r1=>0x0, <r2=>0x0})
mmap(&(0x7f0000002000)=nil, (0x1000), 0x3, 0x32, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000002000)=nil, (0x1000), 0x3, 0x32, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000002000)=nil, (0x1000), 0x3, 0x32, 0xffffffffffffffff, 0x0)
lsetxattr(&(0x7f0000003000-0x6)="2e2f62757300", &(0x7f0000003000-0x29)="6c6f2b5b6370757365745c6370757365746d696d655f7479706576626f786e657431766d6e65743100", &(0x7f0000003000-0x16)="29252fa862646576546574683170726f6373656c696e757897776c616e31757365726e6f64657600", 0x28, 0x1)
ioctl$KVM_CREATE_VCPU(r0, 0xae41, 0xffffffffffffffff)
mmap(&(0x7f0000003000)=nil, (0x1000), 0x3, 0x32, 0xffffffffffffffff, 0x0)
setsockopt$SCTP_DELAYED_SACK(r2, 0x84, 0x10, &(0x7f0000003000+0x58)=@sctp_sack_info={0x8, 0x1, 0x2}, 0xc)
mmap(&(0x7f0000004000)=nil, (0x1000), 0x3, 0x32, 0xffffffffffffffff, 0x0)
setsockopt$BT_SNDMTU(r0, 0x112, 0xc, &(0x7f0000005000-0x1)=0x7f, 0x2)
mmap(&(0x7f0000005000)=nil, (0x1000), 0x3, 0x32, 0xffffffffffffffff, 0x0)
pipe(&(0x7f0000006000-0x6)={<r3=>0x0, 0x0})
mmap(&(0x7f0000006000)=nil, (0x1000), 0x3, 0x32, 0xffffffffffffffff, 0x0)
write$fuse_bmap(r0, &(0x7f0000006000)={0x18, 0x2, 0x4, 0x8}, 0x18)
mmap(&(0x7f0000007000)=nil, (0x1000), 0x3, 0x32, 0xffffffffffffffff, 0x0)
setsockopt$SCTP_PRIMARY_ADDR(r3, 0x84, 0x6, &(0x7f0000007000+0xc17)={0x7c14b74a990fd994, @sockaddr_storage_in={{0x2, 0x7ab, 0x100007f}, [0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0]}}, 0x84)
mmap(&(0x7f0000008000)=nil, (0x1000), 0x3, 0x32, 0xffffffffffffffff, 0x0)
modify_ldt$read_default(0x2, &(0x7f0000009000-0x1d)=nil, 0xa6)
lseek(r1, 0x18, 0x6)
mmap(&(0x7f0000009000)=nil, (0x1000), 0x3, 0x32, 0xffffffffffffffff, 0x0)
rename(&(0x7f0000008000+0x949)="2e2f62757300", &(0x7f0000009000)="2e2f62757300")
mmap(&(0x7f000000a000)=nil, (0x1000), 0x3, 0x32, 0xffffffffffffffff, 0x0)
ioctl$KVM_GET_FPU(r2, 0x81a0ae8c, &(0x7f000000a000+0xf06)=nil)
mmap(&(0x7f000000b000)=nil, (0x1000), 0x3, 0x32, 0xffffffffffffffff, 0x0)
ioctl$TIOCMBIS(r0, 0x5417, &(0x7f000000b000+0x7f0)=0x7f)
2016/07/02 16:32:10 executing program 0:
r0 = dup3(0x1869f, 0xffffffffffffff9c, 0x80000)
ioctl$KVM_KVMCLOCK_CTRL(r0, 0xaead)
mmap(&(0x7f0000000000)=nil, (0x1000), 0x3, 0x32, 0xffffffffffffffff, 0x0)
ioctl$TCSETSF(r0, 0x5404, &(0x7f0000001000-0x24)={0x5, 0x8, 0x7, 0x101, 0xfffffffffffffffe, 0x7, 0x10000, 0xe63c9a2, 0x4, 0xffffffff7fffffff, 0x8001, 0xa50})
mmap(&(0x7f0000001000)=nil, (0x1000), 0x3, 0x32, 0xffffffffffffffff, 0x0)
ioctl$KVM_SET_USER_MEMORY_REGION(0xffffffffffffff9c, 0x4020ae46, &(0x7f0000002000-0x20)={0x101, 0x20000, 0xa42, (0xc00000), &(0x7f0000299000)=nil})
pipe(&(0x7f0000000000)={<r1=>0x0, <r2=>0x0})
mmap(&(0x7f0000002000)=nil, (0x1000), 0x0, 0x32, r1, 0x0)
mmap(&(0x7f0000002000)=nil, (0x1000), 0x3, 0x32, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000002000)=nil, (0x1000), 0x3, 0x32, 0xffffffffffffffff, 0x0)
lsetxattr(&(0x7f0000003000-0x6)="2e2f62757300", &(0x7f0000003000-0x29)="6c6f2b5b6370757365745c6370757365746d696d655f7479706576626f786e657431766d6e65743100", &(0x7f0000003000-0x16)="29252fa862646576546574683170726f6373656c696e757897776c616e31757365726e6f64657600", 0x28, 0x1)
ioctl$KVM_CREATE_VCPU(r0, 0xae41, 0xffffffffffffffff)
mmap(&(0x7f0000003000)=nil, (0x1000), 0x3, 0x32, 0xffffffffffffffff, 0x0)
setsockopt$SCTP_DELAYED_SACK(r2, 0x84, 0x10, &(0x7f0000003000+0x58)=@sctp_sack_info={0x8, 0x1, 0x2}, 0xc)
mmap(&(0x7f0000004000)=nil, (0x1000), 0x3, 0x32, 0xffffffffffffffff, 0x0)
setsockopt$BT_SNDMTU(r0, 0x112, 0xc, &(0x7f0000005000-0x1)=0x7f, 0x2)
mmap(&(0x7f0000005000)=nil, (0x1000), 0x3, 0x32, 0xffffffffffffffff, 0x0)
pipe(&(0x7f0000006000-0x6)={<r3=>0x0, 0x0})
mmap(&(0x7f0000006000)=nil, (0x1000), 0x3, 0x32, 0xffffffffffffffff, 0x0)
write$fuse_bmap(r0, &(0x7f0000006000)={0x18, 0x2, 0x4, 0x8}, 0x18)
mmap(&(0x7f0000007000)=nil, (0x1000), 0x3, 0x32, 0xffffffffffffffff, 0x0)
setsockopt$SCTP_PRIMARY_ADDR(r3, 0x84, 0x6, &(0x7f0000007000+0xc17)={0x7c14b74a990fd994, @sockaddr_storage_in={{0x2, 0x7ab, 0x100007f}, [0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0]}}, 0x84)
mmap(&(0x7f0000008000)=nil, (0x1000), 0x3, 0x32, 0xffffffffffffffff, 0x0)
modify_ldt$read_default(0x2, &(0x7f0000009000-0x1d)=nil, 0xa6)
lseek(r1, 0x18, 0x6)
mmap(&(0x7f0000009000)=nil, (0x1000), 0x3, 0x32, 0xffffffffffffffff, 0x0)
rename(&(0x7f0000008000+0x949)="2e2f62757300", &(0x7f0000009000)="2e2f62757300")
mmap(&(0x7f000000a000)=nil, (0x1000), 0x3, 0x32, 0xffffffffffffffff, 0x0)
ioctl$KVM_GET_FPU(r2, 0x81a0ae8c, &(0x7f000000a000+0xf06)=nil)
mmap(&(0x7f000000b000)=nil, (0x1000), 0x3, 0x32, 0xffffffffffffffff, 0x0)
ioctl$TIOCMBIS(r0, 0x5417, &(0x7f000000b000+0x7f0)=0x7f)
2016/07/02 16:32:10 executing program 0:
mmap(&(0x7f0000000000)=nil, (0xf000), 0x3, 0x32, 0xffffffffffffffff, 0x0)
mknod(&(0x7f000000a000)="2e2f66696c653000", 0x201d, 0x401)
r0 = creat(&(0x7f000000e000+0x335)="2e2f66696c653000", 0x100)
ioctl$VT_RESIZE(r0, 0x5609, &(0x7f000000e000)={0x0, 0x3, 0x401})
mmap(&(0x7f000000f000)=nil, (0x1000), 0x3, 0x32, 0xffffffffffffffff, 0x0)
ioctl$TCSETA(r0, 0x5402, &(0x7f0000010000-0x14)={0xfffffffffffffbff, 0x60, 0xfffffffffffffffa, 0x0, 0x10000, 0x6, 0x0, 0xff, 0xfffffffffffffffb, 0x20})
[ 3677.926161] ==================================================================
[ 3677.926194] BUG: KASAN: slab-out-of-bounds in vgacon_invert_region+0x82/0xd0 at addr ffff88000e53b436
[ 3677.926202] Read of size 2 by task syz-executor/738
[ 3677.926207] =============================================================================
[ 3677.926218] BUG kmalloc-192 (Tainted: G             L ): kasan: bad access detected
[ 3677.926222] -----------------------------------------------------------------------------
[ 3677.926222] 
[ 3677.926225] Disabling lock debugging due to kernel taint
[ 3677.926240] INFO: Allocated in 0xbbbbbbbbbbbbbbbb age=18446615684253016769 cpu=0 pid=0
[ 3677.926255] alloc_pipe_info+0x37/0x200
[ 3677.926270] ___slab_alloc+0x481/0x4c0
[ 3677.926282] __slab_alloc+0x20/0x40
[ 3677.926296] kmem_cache_alloc_trace+0x1e5/0x220
[ 3677.926306] alloc_pipe_info+0x37/0x200
[ 3677.926317] create_pipe_files+0xbf/0x450
[ 3677.926327] __do_pipe_flags+0x3e/0x130
[ 3677.926337] SyS_pipe2+0x91/0x170
[ 3677.926349] do_syscall_64+0x103/0x240
[ 3677.926364] return_from_SYSCALL_64+0x0/0x6a
[ 3677.926376] INFO: Freed in 0x1000bfe9d age=18446615679958049473 cpu=0 pid=0
[ 3677.926388] free_pipe_info+0x133/0x150
[ 3677.926401] __slab_free+0x1e8/0x2e0
[ 3677.926416] kfree+0x196/0x1b0
[ 3677.926426] free_pipe_info+0x133/0x150
[ 3677.926436] put_pipe_info+0x7f/0xa0
[ 3677.926446] pipe_release+0xfc/0x130
[ 3677.926466] __fput+0x17c/0x3c0
[ 3677.926476] ____fput+0x1a/0x20
[ 3677.926490] task_work_run+0xd1/0x100
[ 3677.926500] do_exit+0x504/0x1610
[ 3677.926511] do_group_exit+0x9a/0x170
[ 3677.926521] get_signal+0x411/0x9f0
[ 3677.926532] do_signal+0x83/0xca0
[ 3677.926543] exit_to_usermode_loop+0xf3/0x170
[ 3677.926553] do_syscall_64+0x236/0x240
[ 3677.926566] return_from_SYSCALL_64+0x0/0x6a
[ 3677.926579] INFO: Slab 0xffffea0000394e00 objects=31 used=4 fp=0xffff88000e53b2d0 flags=0x1ffff0000004080
[ 3677.926587] INFO: Object 0xffff88000e53b2c8 @offset=13000 fp=0xbbbbbbbbbbbbbbbb
[ 3677.926587] 
[ 3677.926601] Redzone ffff88000e53b2c0: 00 00 00 00 00 00 00 00                          ........
[ 3677.926612] Object ffff88000e53b2c8: bb bb bb bb bb bb bb bb 60 96 53 0e 00 88 ff ff  ........`.S.....
[ 3677.926624] Object ffff88000e53b2d8: d8 b2 53 0e 00 88 ff ff d8 b2 53 0e 00 88 ff ff  ..S.......S.....
[ 3677.926635] Object ffff88000e53b2e8: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
[ 3677.926647] Object ffff88000e53b2f8: 00 00 00 00 00 00 00 00 00 b3 53 0e 00 88 ff ff  ..........S.....
[ 3677.926659] Object ffff88000e53b308: 00 b3 53 0e 00 88 ff ff 01 00 00 00 00 00 00 00  ..S.............
[ 3677.926671] Object ffff88000e53b318: 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
[ 3677.926683] Object ffff88000e53b328: 00 00 00 00 01 00 00 00 01 00 00 00 00 00 00 00  ................
[ 3677.926694] Object ffff88000e53b338: c0 bf 38 00 00 ea ff ff 00 00 00 00 00 00 00 00  ..8.............
[ 3677.926706] Object ffff88000e53b348: 00 00 00 00 00 00 00 00 a8 69 87 0d 00 88 ff ff  .........i......
[ 3677.926718] Object ffff88000e53b358: 60 18 ad 82 ff ff ff ff 00 00 00 00 00 00 00 00  `...............
[ 3677.926729] Object ffff88000e53b368: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
[ 3677.926741] Object ffff88000e53b378: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
[ 3677.926752] Redzone ffff88000e53b388: 00 00 00 00 00 00 00 00                          ........
[ 3677.926763] Padding ffff88000e53b4c0: a2 fe 0b 00 01 00 00 00                          ........
[ 3677.926777] CPU: 0 PID: 738 Comm: syz-executor Tainted: G    B        L  4.7.0-rc5 #2
[ 3677.926784] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
[ 3677.926800]  00000000ffffffff ffff88000e2cf548 ffffffff81797944 ffff88000e538000
[ 3677.926814]  ffff88000e53b2c8 ffff88000f404b40 ffffea0000394e00 ffff88000e2cf578
[ 3677.926827]  ffffffff81414e55 ffff88000f404b40 ffffea0000394e00 ffff88000e53b2c8
[ 3677.926829] Call Trace:
[ 3677.926846]  [<ffffffff81797944>] dump_stack+0x83/0xaf
[ 3677.926861]  [<ffffffff81414e55>] print_trailer+0x115/0x1a0
[ 3677.926876]  [<ffffffff8141aa84>] object_err+0x34/0x40
[ 3677.926890]  [<ffffffff8141cfa7>] kasan_report_error+0x217/0x530
[ 3677.926906]  [<ffffffff811c05e5>] ? __kernel_text_address+0x65/0x80
[ 3677.926922]  [<ffffffff8110fe8b>] ? print_context_stack+0x6b/0xf0
[ 3677.926935]  [<ffffffff8141d6b9>] kasan_report+0x39/0x40
[ 3677.926949]  [<ffffffff8110f300>] ? dump_trace+0x90/0x2e0
[ 3677.926965]  [<ffffffff81877552>] ? vgacon_invert_region+0x82/0xd0
[ 3677.926977]  [<ffffffff8141c00d>] __asan_load2+0x5d/0x70
[ 3677.926993]  [<ffffffff81877552>] vgacon_invert_region+0x82/0xd0
[ 3677.927009]  [<ffffffff818774d0>] ? vgacon_build_attr+0x1a0/0x1a0
[ 3677.927025]  [<ffffffff819abf05>] invert_screen+0x125/0x3e0
[ 3677.927041]  [<ffffffff819abde0>] ? schedule_console_callback+0x40/0x40
[ 3677.927055]  [<ffffffff811a3f46>] ? do_send_sig_info+0xc6/0x100
[ 3677.927069]  [<ffffffff811a3e80>] ? __lock_task_sighand+0xd0/0xd0
[ 3677.927082]  [<ffffffff8199b461>] clear_selection+0x51/0x70
[ 3677.927095]  [<ffffffff819a69a2>] hide_cursor+0x142/0x150
[ 3677.927110]  [<ffffffff819a856a>] redraw_screen+0x24a/0x460
[ 3677.927123]  [<ffffffff819a8320>] ? respond_string+0x230/0x230
[ 3677.927137]  [<ffffffff82085f96>] ? mutex_unlock+0x16/0x30
[ 3677.927154]  [<ffffffff8197dcd4>] ? tty_do_resize+0x54/0xd0
[ 3677.927168]  [<ffffffff819a99f4>] vc_do_resize+0x964/0x990
[ 3677.927183]  [<ffffffff819a9090>] ? vc_init+0x1e0/0x1e0
[ 3677.927198]  [<ffffffff8167e51b>] ? security_capable+0x7b/0x90
[ 3677.927212]  [<ffffffff819a9a5d>] vc_resize+0x3d/0x50
[ 3677.927228]  [<ffffffff81997aeb>] vt_ioctl+0x56b/0x1d40
[ 3677.927246]  [<ffffffff81997580>] ? complete_change_console+0x1b0/0x1b0
[ 3677.927266]  [<ffffffff812675ef>] ? drop_futex_key_refs.isra.14+0x4f/0xb0
[ 3677.927279]  [<ffffffff812686bc>] ? futex_wake+0x12c/0x2f0
[ 3677.927293]  [<ffffffff819834f8>] tty_ioctl+0x638/0x1540
[ 3677.927308]  [<ffffffff81997580>] ? complete_change_console+0x1b0/0x1b0
[ 3677.927320]  [<ffffffff81982ec0>] ? no_tty+0x70/0x70
[ 3677.927334]  [<ffffffff8110f37b>] ? dump_trace+0x10b/0x2e0
[ 3677.927349]  [<ffffffff8126be60>] ? exit_robust_list+0x1a0/0x1a0
[ 3677.927364]  [<ffffffff8112253b>] ? save_stack_trace+0x2b/0x50
[ 3677.927379]  [<ffffffff81414284>] ? set_track+0x74/0x120
[ 3677.927395]  [<ffffffff81414f49>] ? init_object+0x69/0xa0
[ 3677.927411]  [<ffffffff81418744>] ? __slab_free+0x1d4/0x2e0
[ 3677.927423]  [<ffffffff81982ec0>] ? no_tty+0x70/0x70
[ 3677.927439]  [<ffffffff81476c31>] do_vfs_ioctl+0x141/0xa80
[ 3677.927455]  [<ffffffff81476af0>] ? ioctl_preallocate+0x170/0x170
[ 3677.927470]  [<ffffffff8126d154>] ? SyS_futex+0x144/0x2d0
[ 3677.927486]  [<ffffffff81005429>] ? syscall_trace_enter_phase1+0xb9/0x2a0
[ 3677.927500]  [<ffffffff81489947>] ? __fget+0xf7/0x150
[ 3677.927516]  [<ffffffff81680696>] ? security_file_ioctl+0x76/0x90
[ 3677.927531]  [<ffffffff81477604>] SyS_ioctl+0x94/0xc0
[ 3677.927546]  [<ffffffff81477570>] ? do_vfs_ioctl+0xa80/0xa80
[ 3677.927560]  [<ffffffff81005cc3>] do_syscall_64+0x103/0x240
[ 3677.927578]  [<ffffffff82089ba5>] entry_SYSCALL64_slow_path+0x25/0x25
[ 3677.927583] Memory state around the buggy address:
[ 3677.927594]  ffff88000e53b300: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 3677.927605]  ffff88000e53b380: fb fb fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 3677.927615] >ffff88000e53b400: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 3677.927620]                                      ^
[ 3677.927630]  ffff88000e53b480: fc fc fc fc fc fc fc fc fc fc fc fb fb fb fb fb
[ 3677.927641]  ffff88000e53b500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 3677.927644] ==================================================================
2016/07/02 16:32:12 executing program 0:
mmap(&(0x7f0000000000)=nil, (0xe6c000), 0x3, 0x32, 0xffffffffffffffff, 0x0)
seccomp(0x1, 0x1, &(0x7f0000e57000)={0x2, &(0x7f0000e61000-0x10)=[{0x2c, 0xffffffffffffff80, 0xeb, 0x1}, {0x6, 0x80000000, 0x3, 0xfffffffffffffff9}]})
fchown(0xffffffffffffffff, 0x0, 0x0)
mmap(&(0x7f0000e6c000)=nil, (0x1000), 0x3, 0x32, 0xffffffffffffffff, 0x0)
r0 = openat(0x1869f, &(0x7f0000e6d000-0x8)="2e2f636f6e74726f6c00", 0x40000, 0x8)
r1 = gettid()
mmap(&(0x7f0000e6c000)=nil, (0x1000), 0x3, 0x32, 0xffffffffffffffff, 0x0)
ioctl$TIOCSPGRP(r0, 0x540f, &(0x7f0000e6c000)=r1)
2016/07/02 16:32:12 executing program 0:
mmap(&(0x7f0000000000)=nil, (0x7000), 0x3, 0x32, 0xffffffffffffffff, 0x0)
r0 = memfd_create(&(0x7f0000000000+0xc47)="6264657600", 0x2)
write$fuse_interrupt(r0, &(0x7f0000005000-0x10)={0x10, 0x1, 0x9768}, 0x10)
fallocate(r0, 0x0, 0x4b88, 0x10000)
mmap(&(0x7f0000007000)=nil, (0x1000), 0x3, 0x32, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000007000)=nil, (0x1000), 0x3, 0x32, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000007000)=nil, (0x1000), 0x3, 0x32, 0xffffffffffffffff, 0x0)
setxattr(&(0x7f0000008000-0x1)="2e2f636f6e74726f6c00", &(0x7f0000007000+0xb9b)="6264657600", &(0x7f0000007000+0xca9)="6264657600", 0x5, 0x0)
write$fuse_ioctl(r0, &(0x7f0000003000+0x4f5)={0x20, 0x3, 0xfffffffffffffff8, 0x80000001, 0x22, 0x100, 0x7}, 0x20)
fadvise64(r0, 0x0, 0x7223, 0x4)
mmap(&(0x7f0000007000)=nil, (0x1000), 0x3, 0x32, 0xffffffffffffffff, 0x0)
ioctl$TIOCGSID(r0, 0x540f, &(0x7f0000007000)=<r1=>0x0)
mmap(&(0x7f0000007000)=nil, (0x1000), 0x3, 0x32, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000007000)=nil, (0x1000), 0x3, 0x32, 0xffffffffffffffff, 0x0)
migrate_pages(r1, 0xe4e, &(0x7f0000007000)=0x59, &(0x7f0000008000-0x7)=0x3)
2016/07/02 16:32:12 executing program 0:
mmap(&(0x7f0000000000)=nil, (0x2000), 0x3, 0x32, 0xffffffffffffffff, 0x0)
msgget(0x8e, 0x402)
mmap(&(0x7f0000002000)=nil, (0x1000), 0x3, 0x32, 0xffffffffffffffff, 0x0)
io_setup(0xea, &(0x7f0000002000)=<r0=>0x0)
r1 = syz_open_pts(0x1869f, 0x40000)
mmap(&(0x7f0000002000)=nil, (0x1000), 0x3, 0x32, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000002000)=nil, (0x1000), 0x3, 0x32, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000002000)=nil, (0x1000), 0x3, 0x32, 0xffffffffffffffff, 0x0)
r2 = syz_open_dev$console(&(0x7f0000002000+0xe82)="2f6465762f636f6e736f6c6500", 0x0, 0x200000)
mmap(&(0x7f0000002000)=nil, (0x1000), 0x3, 0x32, 0xffffffffffffffff, 0x0)
r3 = socket$netlink(0x10, 0x3, 0x0)
mmap(&(0x7f0000002000)=nil, (0x1000), 0x3, 0x32, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000002000)=nil, (0x1000), 0x3, 0x32, 0xffffffffffffffff, 0x0)
r4 = syz_open_dev$sr(&(0x7f0000002000)="2f6465762f73723000", 0x0, 0x8800)
mmap(&(0x7f0000002000)=nil, (0x1000), 0x3, 0x32, 0xffffffffffffffff, 0x0)
io_submit(r0, 0x2, &(0x7f0000001000-0xb)=[&(0x7f0000003000-0x24)={0x2, 0x0, 0x0, 0x3, 0x6, r1, &(0x7f0000003000-0x13)="e0075c8be2056a401e3dc9d396a2cf140562f29ea91b105a3cb47d007c2e0c3271c38bad561af5d23be5f10a85474dd2aa17f8d192de7fb96d94925a2c8b3fc73c7cce2ae1a9b22f21e310e49389066fadd68ab2a84a79a0983138edd9d1a65a4012ac2e052e8816a16fa840c104", 0x6e, 0x4, &(0x7f0000002000)={&(0x7f00006e3000)=nil, 0x1c, 0x1, 0x0, 0x5, 0x100000000, 0x5, 0x5521, 0x8e, 0xb4a7, 0x5}, 0x1, r2}, &(0x7f0000002000)={0xfffffffffffffffc, 0x0, 0x0, 0x6, 0x3, r3, &(0x7f0000002000)="d0843118c3e5ed8c5e09441027ef25be88e1050f67ed6f8987471b", 0x1b, 0xffff, &(0x7f0000001000-0x39)={&(0x7f0000264000)=nil, 0x9, 0x2, 0x3, 0xf32, 0x5, 0x3ff, 0x3, 0x80000001, 0x100000001, 0x4}, 0xff9d7d81c0468f33, r4}])
syz_open_dev$hpet(&(0x7f0000001000)="2f6465762f6870657400", 0x0, 0x6100)
r5 = open(&(0x7f0000002000+0xb04)="2e2f66696c653000", 0x90000, 0xa)
ioctl$void(r5, 0x5450)
2016/07/02 16:32:12 executing program 0:
mmap(&(0x7f0000000000)=nil, (0x10000), 0x3, 0x32, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000010000)=nil, (0x1000), 0x3, 0x32, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000011000)=nil, (0x1000), 0x3, 0x32, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000012000)=nil, (0x1000), 0x3, 0x32, 0xffffffffffffffff, 0x0)
r0 = syz_open_dev$usb(&(0x7f0000012000+0xeb8)="2f6465762f6275732f7573622f3030232f30302300", 0x2, 0x400)
mmap(&(0x7f0000011000)=nil, (0x1000), 0x3, 0x32, 0xffffffffffffffff, 0x0)
setsockopt$NFC_LLCP_RW(r0, 0x118, 0x0, &(0x7f0000012000-0x3)=0x3f, 0x4)
creat(&(0x7f0000010000+0x3b3)="2e2f62757300", 0x1)
mknod(&(0x7f000000a000)="2e2f66696c653000", 0x201d, 0x401)
creat(&(0x7f000000b000+0x354)="2e2f66696c653000", 0x100)
ioctl$TIOCLINUX4(r0, 0x541c, &(0x7f000000e000)=0x4)
2016/07/02 16:32:12 executing program 0:
mmap(&(0x7f0000000000)=nil, (0xa000), 0x3, 0x32, 0xffffffffffffffff, 0x0)
r0 = inotify_init1(0x80800)
ppoll(&(0x7f0000001000+0x4e7)=[{r0, 0x2, 0x2}], 0x1, &(0x7f0000001000)={0x0, 0x989680}, &(0x7f0000002000-0x8)={0x5}, 0x8)
mmap(&(0x7f000000a000)=nil, (0x1000), 0x3, 0x32, 0xffffffffffffffff, 0x0)
r1 = syz_open_dev$hpet(&(0x7f000000a000)="2f6465762f6870657400", 0x0, 0x40000)
mmap(&(0x7f000000a000)=nil, (0x1000), 0x3, 0x32, 0xffffffffffffffff, 0x0)
ioctl$TTUNGETFILTER(r1, 0x801054db, &(0x7f000000b000-0x4)=0x0)
2016/07/02 16:32:13 executing program 0:
mmap(&(0x7f0000000000)=nil, (0x16000), 0x3, 0x32, 0xffffffffffffffff, 0x0)
mkdir(&(0x7f0000004000-0xa)="2e2f636f6e74726f6c00", 0x1)
r0 = inotify_init1(0x80000)
inotify_add_watch(r0, &(0x7f0000010000)="2e2f636f6e74726f6c00", 0x4)
mremap(&(0x7f0000008000)=nil, (0x4000), (0x3000), 0x3, &(0x7f0000000000)=nil)
chown(&(0x7f0000013000+0x1c9)="2e2f636f6e74726f6c00", 0x0, 0x0)
chown(&(0x7f0000008000-0xa)="2e2f636f6e74726f6c00", 0x0, 0x0)
2016/07/02 16:32:13 executing program 0:
mmap(&(0x7f0000000000)=nil, (0xe5c000), 0x3, 0x32, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000e5c000)=nil, (0x1000), 0x3, 0x32, 0xffffffffffffffff, 0x0)
seccomp(0x1, 0x1, &(0x7f0000e5c000)={0x2, &(0x7f0000480000-0x10)=[{0x1c, 0xffffffffffffff80, 0xeb, 0x1}, {0x6, 0x80000000, 0x3, 0xfffffffffffffff9}]})
mprotect(&(0x7f0000352000)=nil, (0x4000), 0x5)
2016/07/02 16:32:13 executing program 0:
mmap(&(0x7f0000000000)=nil, (0x7000), 0x3, 0x32, 0xffffffffffffffff, 0x0)
r0 = open(&(0x7f0000000000)="2e2f66696c653000", 0x101042, 0x1)
fallocate(r0, 0x0, 0x81, 0x100000001)
mmap(&(0x7f0000007000)=nil, (0x1000), 0x3, 0x11, r0, 0x0)
ioctl(r0, 0x40, &(0x7f0000008000-0xfe)="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")
mmap(&(0x7f0000008000)=nil, (0x1000), 0x3, 0x32, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000009000)=nil, (0x1000), 0x3, 0x32, 0xffffffffffffffff, 0x0)
setsockopt$SCTP_I_WANT_MAPPED_V4_ADDR(r0, 0x84, 0xc, &(0x7f0000008000-0x3)=0x281c, 0x4)
mmap(&(0x7f000000a000)=nil, (0x1000), 0x3, 0x32, 0xffffffffffffffff, 0x0)
ioctl$EVIOCGPHYS(r0, 0x80404507, &(0x7f000000b000-0x56)=nil)
ioctl$EVIOCGID(r0, 0x80084502, &(0x7f0000009000)=nil)
fsync(r0)
2016/07/02 16:32:13 executing program 0:
mmap(&(0x7f0000000000)=nil, (0x1000), 0x3, 0x32, 0xffffffffffffffff, 0x0)
r0 = syz_open_dev$loop(&(0x7f0000000000)="2f6465762f6c6f6f702300", 0xffffffff00000001, 0xc0201)
ioctl$KVM_SET_TSC_KHZ(r0, 0xaea2, 0x400)
mmap(&(0x7f0000001000)=nil, (0x1000), 0x3, 0x32, 0xffffffffffffffff, 0x0)
setsockopt$udp_int(r0, 0x11, 0x1, &(0x7f0000002000-0x2)=0xefb, 0x4)
mmap(&(0x7f0000002000)=nil, (0x1000), 0x3, 0x32, 0xffffffffffffffff, 0x0)
pipe2(&(0x7f0000002000+0x96c)={<r1=>0x0, <r2=>0x0}, 0x80000)
ioctl$TIOCCBRK(r2, 0x5428)
ioctl$KVM_GET_VCPU_MMAP_SIZE(r2, 0xae04)
mmap(&(0x7f0000003000)=nil, (0x1000), 0x3, 0x32, 0xffffffffffffffff, 0x0)
ioctl$PIO_UNISCRNMAP(r0, 0x4b6a, &(0x7f0000003000+0x21b)="c372f5aa8a5dbb70ca087e20d8f4915247296271b5399eebe7ab22e0c0cca3e59b904844b23983252ca2e67fdfe4f924dc5c921894ee2fcf02c94fe86094f5110599b260fba06954691020db29a8c98cf486e869b9d0d9867fb45d6b2da80c0a5d659b92d0827e7cdc")
mmap(&(0x7f0000004000)=nil, (0x1000), 0x3, 0x32, 0xffffffffffffffff, 0x0)
ioctl$RNDADDENTROPY(r1, 0x40085203, &(0x7f0000004000+0xf4b)={0x200, 0x4, [0x7fffffff, 0x100000000, 0x10000, 0xffffffff]})
ioctl$KDSETLED(r0, 0x4b32, 0x80)
mmap(&(0x7f0000005000)=nil, (0x1000), 0x3, 0x32, 0xffffffffffffffff, 0x0)
ioctl$SIOCINQ(r1, 0x541b, &(0x7f0000006000-0x4)=0x0)
getsockopt$ip_ipsec(r2, 0x0, 0x10, &(0x7f0000006000-0x9b)={{{{0x0, 0x0, 0x0, 0x0}, {0x0, 0x0, 0x0, 0x0}, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, {0x0, 0x0, 0x0, 0x0}, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, {{{0x0, 0x0, 0x0, 0x0}, 0x0, 0x0}, 0x0, {0x0, 0x0, 0x0, 0x0}, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}, &(0x7f0000002000)=nil)
eventfd2(0x29, 0x80801)
mmap(&(0x7f0000006000)=nil, (0x1000), 0x3, 0x32, 0xffffffffffffffff, 0x0)
shmctl(0xffffffffffffffff, 0x3, &(0x7f0000007000-0x50)={0x0, <r3=>0xffffffffffffffff, 0xffffffffffffffff, 0x0, 0xffffffffffffffff, 0x7, 0x9, 0x0, 0x1000, 0x9, 0x5, 0x6, 0x0, 0xffffffffffffffff, 0x3ff})
setfsuid(r3)
readahead(r1, 0x7b2, 0x6)
mmap(&(0x7f0000007000)=nil, (0x1000), 0x3, 0x32, 0xffffffffffffffff, 0x0)
r4 = open(&(0x7f0000007000+0xa42)="2e2f66696c653000", 0x80000, 0x5e)
ioctl$VT_WAITACTIVE(0x1869f, 0x5607)
mmap(&(0x7f0000008000)=nil, (0x1000), 0x3, 0x32, 0xffffffffffffffff, 0x0)
ioctl$KDGETMODE(r4, 0x4b3b, &(0x7f0000009000-0x4)=0x0)
mmap(&(0x7f0000009000)=nil, (0x1000), 0x3, 0x32, 0xffffffffffffffff, 0x0)
ioctl$KDGKBDIACR(r2, 0x4b4a, &(0x7f0000009000)=nil)
mmap(&(0x7f000000a000)=nil, (0x1000), 0x3, 0x32, 0xffffffffffffffff, 0x0)
ioctl$EVIOCGKEYCODE_V2(r4, 0x80284504, &(0x7f000000a000)=nil)
2016/07/02 16:32:13 executing program 0:
mmap(&(0x7f0000000000)=nil, (0x1000), 0x3, 0x32, 0xffffffffffffffff, 0x0)
r0 = syz_open_dev$loop(&(0x7f0000000000)="2f6465762f6c6f6f702300", 0xffffffff00000001, 0xc0201)
ioctl$KVM_SET_TSC_KHZ(r0, 0xaea2, 0x400)
mmap(&(0x7f0000001000)=nil, (0x1000), 0x3, 0x32, 0xffffffffffffffff, 0x0)
setsockopt$udp_int(r0, 0x11, 0x1, &(0x7f0000002000-0x2)=0xefb, 0x4)
mmap(&(0x7f0000002000)=nil, (0x1000), 0x3, 0x32, 0xffffffffffffffff, 0x0)
pipe2(&(0x7f0000002000+0x96c)={<r1=>0x0, <r2=>0x0}, 0x80000)
ioctl$TIOCCBRK(r2, 0x5428)
ioctl$KVM_GET_VCPU_MMAP_SIZE(r2, 0xae04)
mmap(&(0x7f0000003000)=nil, (0x1000), 0x3, 0x32, 0xffffffffffffffff, 0x0)
ioctl$PIO_UNISCRNMAP(r0, 0x4b6a, &(0x7f0000003000+0x21b)="c372f5aa8a5dbb70ca087e20d8f4915247296271b5399eebe7ab22e0c0cca3e59b904844b23983252ca2e67fdfe4f924dc5c921894ee2fcf02c94fe86094f5110599b260fba06954691020db29a8c98cf486e869b9d0d9867fb45d6b2da80c0a5d659b92d0827e7cdc")
mmap(&(0x7f0000004000)=nil, (0x1000), 0x3, 0x32, 0xffffffffffffffff, 0x0)
ioctl$RNDADDENTROPY(r1, 0x40085203, &(0x7f0000004000+0xf4b)={0x200, 0x4, [0x7fffffff, 0x100000000, 0x10000, 0xffffffff]})
ioctl$KDSETLED(r0, 0x4b32, 0x80)
mmap(&(0x7f0000005000)=nil, (0x1000), 0x3, 0x32, 0xffffffffffffffff, 0x0)
ioctl$SIOCINQ(r1, 0x541b, &(0x7f0000006000-0x4)=0x0)
getsockopt$ip_ipsec(r2, 0x0, 0x10, &(0x7f0000006000-0x9b)={{{{0x0, 0x0, 0x0, 0x0}, {0x0, 0x0, 0x0, 0x0}, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, {0x0, 0x0, 0x0, 0x0}, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, {{{0x0, 0x0, 0x0, 0x0}, 0x0, 0x0}, 0x0, {0x0, 0x0, 0x0, 0x0}, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}, &(0x7f0000002000)=nil)
eventfd2(0x29, 0x80801)
mmap(&(0x7f0000006000)=nil, (0x1000), 0x3, 0x32, 0xffffffffffffffff, 0x0)
shmctl(0xffffffffffffffff, 0x3, &(0x7f0000007000-0x50)={0x0, <r3=>0xffffffffffffffff, 0xffffffffffffffff, 0x0, 0xffffffffffffffff, 0x7, 0x9, 0x0, 0x1000, 0x9, 0x5, 0x6, 0x0, 0xffffffffffffffff, 0x3ff})
setfsuid(r3)
readahead(r1, 0x7b2, 0x6)
mmap(&(0x7f0000004000)=nil, (0x2000), 0x3, 0x32, 0xffffffffffffffff, 0x0)
r4 = open(&(0x7f0000007000+0xa42)="2e2f66696c653000", 0x80000, 0x5e)
ioctl$VT_WAITACTIVE(0x1869f, 0x5607)
mmap(&(0x7f0000008000)=nil, (0x1000), 0x3, 0x32, 0xffffffffffffffff, 0x0)
ioctl$KDGETMODE(r4, 0x4b3b, &(0x7f0000009000-0x4)=0x0)
mmap(&(0x7f0000009000)=nil, (0x1000), 0x3, 0x32, 0xffffffffffffffff, 0x0)
ioctl$KDGKBDIACR(r2, 0x4b4a, &(0x7f0000009000)=nil)
mmap(&(0x7f000000a000)=nil, (0x1000), 0x3, 0x32, 0xffffffffffffffff, 0x0)
ioctl$EVIOCGKEYCODE_V2(r4, 0x80284504, &(0x7f000000a000)=nil)
2016/07/02 16:32:14 executing program 0:
mmap(&(0x7f0000000000)=nil, (0xa000), 0x3, 0x31, 0xffffffffffffffff, 0x0)
mmap(&(0x7f000000a000)=nil, (0x1000), 0x3, 0x32, 0xffffffffffffffff, 0x0)
mbind(&(0x7f0000001000)=nil, (0x4000), 0x1, &(0x7f000000b000-0x8)=0x6, 0x2, 0x7)
times(&(0x7f0000002000+0x120)={0x0, 0x0, 0x0, 0x0})
r0 = dup(0x1869f)
mmap(&(0x7f000000b000)=nil, (0x1000), 0x3, 0x32, 0xffffffffffffffff, 0x0)
setsockopt$ipv6_mreq(r0, 0x29, 0x0, &(0x7f000000b000+0xf06)={{0x0, 0x0, 0x0, 0x1000000}, 0x518}, 0x14)
2016/07/02 16:32:14 executing program 0:
mmap(&(0x7f0000000000)=nil, (0x1a000), 0x3, 0x32, 0xffffffffffffffff, 0x0)
perf_event_open(&(0x7f0000006000-0x78)={0x2, 0x78, 0x1, 0x7, 0x57, 0x2, 0x101, 0x3, 0x7ff, 0x1, 0x0, 0x3, 0x1, 0x9a, 0x1, 0x7fffffff, 0x2, 0x1ff, 0x6, 0x0, 0x0}, 0xffffffffffffffff, 0x0, 0xffffffffffffffff, 0x8)
mlockall(0x3)
mmap(&(0x7f000001a000)=nil, (0x1000), 0x3, 0x32, 0xffffffffffffffff, 0x0)
r0 = open(&(0x7f000001a000)="2e2f636f6e74726f6c00", 0x2, 0x10)
mmap(&(0x7f000001a000)=nil, (0x1000), 0x3, 0x32, 0xffffffffffffffff, 0x0)
ioctl$EVIOCSCLOCKID(r0, 0x400445a0, &(0x7f000001a000)=0x7)
ptrace$getenv(0x4201, 0x0, 0xfffffffffffffff8, &(0x7f000001b000-0x8)=0x0)
mmap(&(0x7f000001b000)=nil, (0x1000), 0x3, 0x32, 0xffffffffffffffff, 0x0)
sched_setscheduler(0x0, 0x7, &(0x7f000001b000)=0x9)
mmap(&(0x7f000001a000)=nil, (0x1000), 0x3, 0x32, 0xffffffffffffffff, 0x0)
mmap(&(0x7f000001a000)=nil, (0x1000), 0x3, 0x32, 0xffffffffffffffff, 0x0)
sched_setscheduler(0x0, 0x6, &(0x7f000001a000+0x3a)=0x7)
2016/07/02 16:32:19 executing program 0:
mmap(&(0x7f0000000000)=nil, (0x1e000), 0x3, 0x32, 0xffffffffffffffff, 0x0)
r0 = perf_event_open(&(0x7f0000006000-0x78)={0x2, 0x78, 0x1, 0x7, 0x57, 0x2, 0x101, 0x3, 0x7ff, 0x1, 0x0, 0x3, 0x1, 0x9a, 0x1, 0x7fffffff, 0x2, 0x1ff, 0x6, 0x0, 0x0}, 0xffffffffffffffff, 0x0, 0xffffffffffffffff, 0x8)
mlockall(0x1)
sendfile(r0, r0, &(0x7f000001d000+0x66b)=0x0, 0x1)
mmap(&(0x7f000001e000)=nil, (0x1000), 0x3, 0x32, 0xffffffffffffffff, 0x0)
r1 = syz_open_dev$usb(&(0x7f000001f000-0x2)="2f6465762f6275732f7573622f3030232f30302300", 0x4, 0xa000)
mmap(&(0x7f0000000000)=nil, (0x0), 0x3, 0x32, 0xffffffffffffffff, 0x0)
mmap(&(0x7f000001e000)=nil, (0x1000), 0x3, 0x32, 0xffffffffffffffff, 0x0)
ioctl$GIO_UNIMAP(r1, 0x4b66, &(0x7f000001e000+0xe57)={0x0, &(0x7f0000000000)=[]})


previous crashes:
BUG: soft lockup - CPU#0 stuck for 22s! [syz-executor:5527]
BUG: soft lockup - CPU#0 stuck for 23s! [syz-executor:5534]
BUG: soft lockup - CPU#0 stuck for 22s! [syz-executor:5702]
BUG: soft lockup - CPU#0 stuck for 22s! [syz-executor:5702]
INFO: rcu_sched self-detected stall on CPU[  871.186676] INFO: rcu_sched detected stalls on CPUs/tasks:
BUG: soft lockup - CPU#0 stuck for 21s! [syz-executor:5740]
BUG: soft lockup - CPU#0 stuck for 22s! [syz-executor:5740]
INFO: rcu_sched self-detected stall on CPU[  998.812404] INFO: rcu_sched detected stalls on CPUs/tasks:
BUG: soft lockup - CPU#0 stuck for 22s! [syz-executor:5806]
BUG: soft lockup - CPU#0 stuck for 22s! [syz-executor:5875]
BUG: soft lockup - CPU#0 stuck for 22s! [syz-executor:6055]
BUG: soft lockup - CPU#0 stuck for 22s! [syz-executor:6872]
BUG: soft lockup - CPU#0 stuck for 22s! [syz-executor:6872]
BUG: soft lockup - CPU#0 stuck for 23s! [syz-executor:6977]
after running for 57m53.746503789s:
BUG: KASAN: slab-out-of-bounds in vgacon_invert_region+0x82/0xd0 at addr ffff88000e53b436

my config file is:
{
        "http": "192.168.25.188:5555",
        "workdir": "/home/public/syzkaller/syzkaller-master/syz-manager/workdir",
        "kernel": "/tmp/vmlinuz-4.7-rc5",
        "vmlinux": "/tmp/vmlinux-4.7-rc5",
        "image": "/tmp/wheezy.img",
        "sshkey": "/root/.ssh/id_rsa",
        "syzkaller": "/home/public/syzkaller/syzkaller-master/",
        "type": "qemu",
        "count": 1,
        "procs": 1,
        "cpu": 2,
        "mem": 512,
        "dropprivs": false,
        "disable_syscalls": [
                "keyctl",
                "add_key",
                "request_key"
        ],
        "suppressions": [
                "some known bug"
        ]
}
On Tuesday, July 5, 2016 at 5:26:29 PM UTC+8, Dmitry Vyukov wrote:

Dmitry Vyukov
Jul 6, 2016, 1:19:13 AM
to syzkaller
Hello cybertitan,


The crash seems to involve a data race, because the allocation and
access stacks don't match (pipe vs tty). It may help if you update the
kernel to HEAD and switch to SLAB; that will include the quarantine
feature, which helps to better detect such racy use-after-frees.

Since you set the procs config param to 1, the guilty program is most
likely the immediately preceding one:

2016/07/02 16:32:10 executing program 0:
mmap(&(0x7f0000000000)=nil, (0xf000), 0x3, 0x32, 0xffffffffffffffff, 0x0)
mknod(&(0x7f000000a000)="2e2f66696c653000", 0x201d, 0x401)
r0 = creat(&(0x7f000000e000+0x335)="2e2f66696c653000", 0x100)
ioctl$VT_RESIZE(r0, 0x5609, &(0x7f000000e000)={0x0, 0x3, 0x401})
mmap(&(0x7f000000f000)=nil, (0x1000), 0x3, 0x32, 0xffffffffffffffff, 0x0)
ioctl$TCSETA(r0, 0x5402, &(0x7f0000010000-0x14)={0xfffffffffffffbff, 0x60, 0xfffffffffffffffa, 0x0, 0x10000, 0x6, 0x0, 0xff, 0xfffffffffffffffb, 0x20})

And it in fact does ioctl$VT_RESIZE.
Try to replay this one program for a longer time, following the instructions at:
https://github.com/google/syzkaller/wiki/How-to-execute-syzkaller-programs
In short, save the program to a file 'program', copy program,
syz-execprog and syz-executor to a VM, then run inside the VM:
$ ./syz-execprog -cover=0 -repeat=0 -procs=20 program
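The reply above picks the suspect program out of the log by hand: with procs=1, it is the last "executing program 0:" block before the crash line. The script below is an added example for this thread, not code from syzkaller or from either poster, and it automates that step for the log format shown above. It goes a little beyond the procs=1 case: with several procs it keeps the last program each proc started, since any of them may be one side of the race Dmitry suspects. The set of crash-line prefixes and the rule that a program line is "optional rN =, then a syscall name and a parenthesis" are assumptions of this example; the sample log inside the script is constructed for the test and is not a real crash log. It assumes the raw log, with one call per line (the mail-wrapped program in the reply would not parse).

```python
import re
import sys
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Header that syz-manager writes before each program, as in the log above:
#   2016/07/02 16:32:13 executing program 0:
HEADER_RE = re.compile(
    r"^\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2} executing program (\d+):\s*$")

# One call of a syzkaller program: optional "rN = " result binding, then a
# syscall name (possibly with a $variant suffix) and an opening parenthesis.
# Console noise that leaks into the log between programs does not match this.
# This shape is an assumption of the example, taken from the log above.
PROG_LINE_RE = re.compile(r"^(?:r\d+ = )?[A-Za-z_][\w$]*\(")

# First line of a kernel bug report. The prefix set is an assumption made for
# this example; it covers the reports visible in this thread (KASAN, soft
# lockup, RCU stall) and tolerates a leading "[ seconds]" console timestamp.
CRASH_RE = re.compile(
    r"^(?:\[\s*\d+\.\d+\]\s*)?"
    r"(?:BUG:|WARNING:|INFO: rcu_sched|INFO: task .* blocked|"
    r"general protection fault|[Kk]ernel panic)")


@dataclass
class Program:
    proc: int            # the "executing program N" index
    header: str          # the header line, kept for its timestamp
    calls: List[str] = field(default_factory=list)

    def text(self) -> str:
        """Program in the form syz-execprog reads from a file."""
        return "\n".join(self.calls) + "\n"


def last_programs_before_crash(log: str) -> Dict[int, Program]:
    """Return, keyed by proc index, the last program each proc started before
    the first crash line. With procs=1 the single entry is the suspect the
    reply above points at; with more procs every entry is a candidate.
    Returns {} when the log has no crash line: then there is nothing to blame.
    Programs logged after the crash line are ignored."""
    last: Dict[int, Program] = {}
    current: Optional[Program] = None
    for line in log.splitlines():
        if CRASH_RE.match(line):
            if current is not None:
                last[current.proc] = current
            return last
        m = HEADER_RE.match(line)
        if m:
            if current is not None:
                last[current.proc] = current
            current = Program(int(m.group(1)), line)
        elif current is not None and PROG_LINE_RE.match(line):
            current.calls.append(line)
    return {}


# Constructed sample in the format of the log above (not a real crash log):
# two procs, a crash line with a console timestamp, and a program logged
# after the crash that must be ignored.
SAMPLE_LOG = """\
2016/07/02 16:32:10 executing program 0:
mmap(&(0x7f0000000000)=nil, (0xf000), 0x3, 0x32, 0xffffffffffffffff, 0x0)
r0 = creat(&(0x7f000000e000+0x335)="2e2f66696c653000", 0x100)
ioctl$VT_RESIZE(r0, 0x5609, &(0x7f000000e000)={0x0, 0x3, 0x401})
2016/07/02 16:32:11 executing program 1:
mmap(&(0x7f0000000000)=nil, (0x1000), 0x3, 0x32, 0xffffffffffffffff, 0x0)
r0 = inotify_init1(0x80800)
2016/07/02 16:32:12 executing program 0:
mmap(&(0x7f0000000000)=nil, (0x1000), 0x3, 0x32, 0xffffffffffffffff, 0x0)
r0 = gettid()
[  871.186676] BUG: KASAN: slab-out-of-bounds in vgacon_invert_region+0x82/0xd0
2016/07/02 16:32:13 executing program 0:
mmap(&(0x7f0000000000)=nil, (0x2000), 0x3, 0x32, 0xffffffffffffffff, 0x0)
"""


def main(argv: List[str]) -> int:
    """Write one file program.<proc> per candidate, ready for syz-execprog."""
    log = open(argv[1]).read() if len(argv) > 1 else SAMPLE_LOG
    progs = last_programs_before_crash(log)
    if not progs:
        print("no crash line found in log", file=sys.stderr)
        return 1
    for proc, prog in sorted(progs.items()):
        path = f"program.{proc}"
        with open(path, "w") as f:
            f.write(prog.text())
        print(f"{prog.header}  -> {path} ({len(prog.calls)} calls)")
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as `python3 suspect.py <crash log from workdir/crashes>`; with procs=1 the single `program.0` it writes is the file to pass to `./syz-execprog -cover=0 -repeat=0 -procs=20 program` as in the reply. Everything before the first crash line but after the last header of each proc is taken as that proc's program, so a program that was still running when the report fired is included in full.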