INIT: Entering runlevel: 2
[info] Using makefile-style concurrent boot in runlevel 2.
[ ok ] Starting enhanced syslogd: rsyslogd.
[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.

Debian GNU/Linux 7 syzkaller ttyS0

Warning: Permanently added 'ci-upstream-next-kasan-gce-9,10.128.15.203' (ECDSA) to the list of known hosts.
executing program

syzkaller login: [   46.818687] ==================================================================
[   46.826160] BUG: KASAN: use-after-free in get_mm_exe_file+0x398/0x3d0
[   46.832728] Read of size 8 at addr ffff8801cf0f3330 by task syzkaller134687/3038
[   46.840242]
[   46.841854] CPU: 0 PID: 3038 Comm: syzkaller134687 Not tainted 4.13.0-rc5-next-20170817+ #5
[   46.850323] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   46.859662] Call Trace:
[   46.862235]  dump_stack+0x194/0x257
[   46.865849]  ? arch_local_irq_restore+0x53/0x53
[   46.870503]  ? show_regs_print_info+0x65/0x65
[   46.874987]  ? lock_release+0xa40/0xa40
[   46.878945]  ? get_mm_exe_file+0x398/0x3d0
[   46.883165]  print_address_description+0x73/0x250
[   46.887996]  ? get_mm_exe_file+0x398/0x3d0
[   46.892212]  kasan_report+0x24e/0x340
[   46.894444] BUG: unable to handle kernel NULL pointer dereference at 00000000000001f0
[   46.894456] IP: copy_mm+0xb63/0x1247
[   46.894459] PGD 1cc32c067
[   46.894461] P4D 1cc32c067
[   46.894463] PUD 1cc32d067
[   46.894465] PMD 0
[   46.894466]
[   46.894470] Oops: 0002 [#1] SMP KASAN
[   46.894476] Dumping ftrace buffer:
[   46.894479]    (ftrace buffer empty)
[   46.894481] Modules linked in:
[   46.894488] CPU: 1 PID: 3993 Comm: syzkaller134687 Not tainted 4.13.0-rc5-next-20170817+ #5
[   46.894491] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   46.894495] task: ffff8801cc2744c0 task.stack: ffff8801ccc00000
[   46.894500] RIP: 0010:copy_mm+0xb63/0x1247
[   46.894503] RSP: 0018:ffff8801ccc071b8 EFLAGS: 00010297
[   46.894508] RAX: 0000000000000000 RBX: ffff8801cf0f32c0 RCX: ffffffff813f6693
[   46.894511] RDX: 0000000000000000 RSI: 0000000000000008 RDI: ffff8801cf0f3478
[   46.894515] RBP: ffff8801ccc07410 R08: 0000000000000001 R09: 1ffff10039980d9b
[   46.894518] R10: 0000000073499bc1 R11: 00000000436b6827 R12: dffffc0000000000
[   46.894521] R13: ffff8801cc743738 R14: ffff8801cc743788 R15: ffff8801cc45b880
[   46.894527] FS:  00007f5001766700(0000) GS:ffff8801db300000(0000) knlGS:0000000000000000
[   46.894530] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[   46.894533] CR2: 00000000000001f0 CR3: 00000001cc347000 CR4: 00000000001406e0
[   46.894539] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[   46.894542] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[   46.894544] Call Trace:
[   46.894562]  ? list_add_tail_rcu+0x193/0x193
[   46.894578]  ? check_same_owner+0x320/0x320
[   46.894587]  ? rcu_pm_notify+0xc0/0xc0
[   46.894597]  ? copy_process.part.36+0x2024/0x4af0
[   46.894606]  ? rcu_read_lock_sched_held+0x108/0x120
[   46.894613]  ? kmem_cache_alloc+0x466/0x760
[   46.894621]  ? _raw_spin_unlock+0x22/0x30
[   46.894632]  copy_process.part.36+0x1ea3/0x4af0
[   46.894648]  ? __cleanup_sighand+0x40/0x40
[   46.894663]  ? trace_hardirqs_on_caller+0x421/0x5c0
[   46.894672]  ? trace_hardirqs_on_caller+0x421/0x5c0
[   46.894679]  ? trace_hardirqs_on+0xd/0x10
[   46.894706]  ? drain_local_pages_wq+0x20/0x20
[   46.894726]  ? __lock_acquire+0x6aa/0x3bc0
[   46.894745]  ? debug_check_no_locks_freed+0x3c0/0x3c0
[   46.894770]  ? debug_check_no_locks_freed+0x3c0/0x3c0
[   46.894808]  ? check_noncircular+0x20/0x20
[   46.894823]  _do_fork+0x1ef/0xfb0
[   46.894833]  ? fork_idle+0x2d0/0x2d0
[   46.894839]  ? find_held_lock+0x35/0x1d0
[   46.894852]  ? kprobe_flush_task+0x1a3/0x5d0
[   46.894859]  ? lock_downgrade+0x990/0x990
[   46.894868]  ? do_raw_spin_trylock+0x190/0x190
[   46.894876]  ? find_held_lock+0x35/0x1d0
[   46.894886]  ? _raw_spin_unlock_irqrestore+0x31/0xba
[   46.894896]  ? trace_hardirqs_on+0xd/0x10
[   46.894909]  SyS_clone+0x37/0x50
[   46.894916]  ? ptregs_sys_rt_sigreturn+0x10/0x10
[   46.894923]  do_syscall_64+0x26c/0x8c0
[   46.894933]  ? syscall_return_slowpath+0x500/0x500
[   46.894939]  ? syscall_return_slowpath+0x2b3/0x500
[   46.894945]  ? finish_task_switch+0x4c9/0x740
[   46.894952]  ? prepare_exit_to_usermode+0x2c0/0x2c0
[   46.894958]  ? entry_SYSCALL_64_fastpath+0x5/0xbe
[   46.894967]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   46.894974]  ? sys_vfork+0x30/0x30
[   46.894982]  entry_SYSCALL64_slow_path+0x25/0x25
[   46.894986] RIP: 0033:0x449819
[   46.894989] RSP: 002b:00007f5001765dc8 EFLAGS: 00000202 ORIG_RAX: 0000000000000038
[   46.894995] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 0000000000449819
[   46.894998] RDX: 0000000020f89000 RSI: 0000000020785000 RDI: 0000000000000000
[   46.895004] RBP: 0000000000000000 R08: 0000000020446000 R09: 00007f5001766700
[   46.895007] R10: 0000000020550ffc R11: 0000000000000202 R12: 0000000000000000
[   46.895011] R13: 00007ffc25c8ddbf R14: 00007f50017669c0 R15: 0000000000000000
[   46.895024] Code: 43 70 4c 89 f0 48 c1 e8 03 42 80 3c 20 00 74 08 4c 89 f7 e8 84 40 62 00 41 f6 45 51 08 74 13 e8 28 d6 2d 00 48 8b 85 b0 fd ff ff ff 88 f0 01 00 00 e8 15 d6 2d 00 48 8b 85 00 fe ff ff 48 8d
[   46.895127] RIP: copy_mm+0xb63/0x1247 RSP: ffff8801ccc071b8
[   46.895129] CR2: 00000000000001f0
[   46.895155] ---[ end trace e26e28ce7a8fa12f ]---
[   46.895158] Kernel panic - not syncing: Fatal exception
[   47.289635]  __asan_report_load8_noabort+0x14/0x20
[   47.294536]  get_mm_exe_file+0x398/0x3d0
[   47.298564]  ? mmdrop_async_fn+0x20/0x20
[   47.302594]  ? down_write_nested+0x8b/0x120
[   47.306881]  ? copy_mm+0x43f/0x1247
[   47.310477]  ? _down_write_nest_lock+0x120/0x120
[   47.315204]  ? rcu_read_lock_sched_held+0x108/0x120
[   47.320195]  copy_mm+0x44b/0x1247
[   47.323621]  ? find_held_lock+0x35/0x1d0
[   47.327654]  ? list_add_tail_rcu+0x193/0x193
[   47.332039]  ? check_same_owner+0x320/0x320
[   47.336327]  ? rcu_pm_notify+0xc0/0xc0
[   47.340185]  ? copy_process.part.36+0x2024/0x4af0
[   47.344999]  ? rcu_read_lock_sched_held+0x108/0x120
[   47.349984]  ? kmem_cache_alloc+0x466/0x760
[   47.354277]  ? _raw_spin_unlock+0x22/0x30
[   47.358396]  copy_process.part.36+0x1ea3/0x4af0
[   47.363043]  ? __cleanup_sighand+0x40/0x40
[   47.367251]  ? debug_check_no_locks_freed+0x3c0/0x3c0
[   47.372408]  ? call_rcu_sched+0x12/0x20
[   47.376360]  ? delayed_put_task_struct+0x3d0/0x3d0
[   47.381261]  ? flush_tlb_func_remote+0x60/0x60
[   47.385813]  ? check_noncircular+0x20/0x20
[   47.390015]  ? check_noncircular+0x20/0x20
[   47.394221]  ? __lock_acquire+0x6aa/0x3bc0
[   47.398423]  ? lock_downgrade+0x990/0x990
[   47.402541]  ? do_raw_spin_trylock+0x190/0x190
[   47.407099]  ? debug_check_no_locks_freed+0x3c0/0x3c0
[   47.412256]  ? wait_consider_task+0x292b/0x33c0
[   47.416892]  ? lock_downgrade+0x990/0x990
[   47.421007]  ? check_noncircular+0x20/0x20
[   47.425208]  ? do_raw_spin_trylock+0x190/0x190
[   47.429756]  ? lock_release+0x9d0/0xa40
[   47.433701]  ? thread_group_cputime_adjusted+0x9f/0xd0
[   47.438946]  ? account_idle_ticks+0x2d0/0x2d0
[   47.443410]  ? trace_hardirqs_on_caller+0x421/0x5c0
[   47.448396]  ? find_held_lock+0x35/0x1d0
[   47.452429]  ? remove_wait_queue+0x1b4/0x350
[   47.456804]  ? lock_downgrade+0x990/0x990
[   47.460920]  ? do_raw_spin_trylock+0x190/0x190
[   47.465466]  ? do_raw_spin_trylock+0x190/0x190
[   47.470021]  ? lock_acquire+0x1d5/0x580
[   47.473961]  ? _raw_spin_unlock_irqrestore+0x31/0xba
[   47.479033]  ? trace_hardirqs_on_caller+0x421/0x5c0
[   47.484016]  ? trace_hardirqs_on+0xd/0x10
[   47.488131]  ? check_noncircular+0x20/0x20
[   47.492332]  ? remove_wait_queue+0x1b4/0x350
[   47.496706]  ? add_wait_queue+0x1bb/0x2d0
[   47.500821]  ? prepare_to_wait+0x4d0/0x4d0
[   47.505036]  _do_fork+0x1ef/0xfb0
[   47.508460]  ? fork_idle+0x2d0/0x2d0
[   47.512142]  ? lock_downgrade+0x990/0x990
[   47.516258]  ? lock_release+0xa40/0xa40
[   47.520201]  ? check_same_owner+0x320/0x320
[   47.524490]  ? find_held_lock+0x35/0x1d0
[   47.528523]  ? __might_sleep+0x95/0x190
[   47.532468]  ? __might_fault+0x188/0x1d0
[   47.536499]  ? kernel_wait4+0x26e/0x370
[   47.540443]  ? SyS_waitid+0x50/0x50
[   47.544042]  ? task_stopped_code+0x140/0x140
[   47.548423]  SyS_clone+0x37/0x50
[   47.551757]  ? ptregs_sys_rt_sigreturn+0x10/0x10
[   47.556480]  do_syscall_64+0x26c/0x8c0
[   47.560333]  ? kernel_wait4+0x370/0x370
[   47.564272]  ? put_timespec64+0xfc/0x180
[   47.568313]  ? syscall_return_slowpath+0x500/0x500
[   47.573217]  ? entry_SYSCALL_64_fastpath+0x5/0xbe
[   47.578033]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   47.582844]  ? sys_vfork+0x30/0x30
[   47.586354]  entry_SYSCALL64_slow_path+0x25/0x25
[   47.591078] RIP: 0033:0x44811a
[   47.594236] RSP: 002b:00007ffc25c8ddf0 EFLAGS: 00000246 ORIG_RAX: 0000000000000038
[   47.601914] RAX: ffffffffffffffda RBX: 00007ffc25c8ddf0 RCX: 000000000044811a
[   47.609150] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000001200011
[   47.616389] RBP: 00007ffc25c8de30 R08: 0000000000000bde R09: 0000000001634880
[   47.623626] R10: 0000000001634b50 R11: 0000000000000246 R12: 0000000000000bde
[   47.630865] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[   47.638115]
[   47.639713] Allocated by task 3031:
[   47.643309]  save_stack_trace+0x16/0x20
[   47.647249]  save_stack+0x43/0xd0
[   47.650670]  kasan_kmalloc+0xad/0xe0
[   47.654352]  kasan_slab_alloc+0x12/0x20
[   47.658292]  kmem_cache_alloc+0x12e/0x760
[   47.662407]  get_empty_filp+0xfb/0x4f0
[   47.666275]  path_openat+0xed/0x3520
[   47.669957]  do_filp_open+0x25b/0x3b0
[   47.673725]  do_open_execat+0x1b9/0x5c0
[   47.677668]  do_execveat_common.isra.33+0x8fe/0x22e0
[   47.682738]  SyS_execve+0x39/0x50
[   47.686157]  do_syscall_64+0x26c/0x8c0
[   47.690015]  return_from_SYSCALL_64+0x0/0x7a
[   47.694385]
[   47.695979] Freed by task 3895:
[   47.699225]  save_stack_trace+0x16/0x20
[   47.703166]  save_stack+0x43/0xd0
[   47.706586]  kasan_slab_free+0x71/0xc0
[   47.710440]  kmem_cache_free+0x77/0x280
[   47.714381]  file_free_rcu+0x5c/0x70
[   47.718061]  rcu_process_callbacks+0xd3e/0x17b0
[   47.722696]  __do_softirq+0x2f5/0xba3
[   47.726460]
[   47.728056] The buggy address belongs to the object at ffff8801cf0f32c0
[   47.728056]  which belongs to the cache filp of size 456
[   47.740072] The buggy address is located 112 bytes inside of
[   47.740072]  456-byte region [ffff8801cf0f32c0, ffff8801cf0f3488)
[   47.751911] The buggy address belongs to the page:
[   47.756805] page:ffffea00073c3cc0 count:1 mapcount:0 mapping:ffff8801cf0f3040 index:0x0
[   47.764914] flags: 0x200000000000100(slab)
[   47.769117] raw: 0200000000000100 ffff8801cf0f3040 0000000000000000 0000000100000006
[   47.776967] raw: ffffea00073c6fe0 ffffea00073c3ee0 ffff8801dae3d300 0000000000000000
[   47.784811] page dumped because: kasan: bad access detected
[   47.790484]
[   47.792076] Memory state around the buggy address:
[   47.796971]  ffff8801cf0f3200: fb fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   47.804295]  ffff8801cf0f3280: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
[   47.811621] >ffff8801cf0f3300: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
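Reading the console output above: two crashes are interleaved. CPU 0 (PID 3038) starts a KASAN use-after-free report for an 8-byte read in get_mm_exe_file, reached from copy_mm during clone; before that report finishes printing, CPU 1 (PID 3993, same syzkaller binary) takes a NULL pointer dereference at offset 0x1f0 in copy_mm and panics, and only then does the rest of the KASAN report (the call trace, the allocation and free stacks, the object and shadow-memory description) drain to the console. The object is a 456-byte `struct file` from the `filp` cache, allocated on the execve path (get_empty_filp via do_open_execat) and freed from an RCU callback (file_free_rcu), and the access lands 112 bytes into it while every shadow byte around it is 0xfb, the KASAN "freed slab object" poison.

The script below is an added example, not part of the syzkaller report or of the kernel sources. It parses a constructed excerpt of this report (timestamps and the call trace removed) and re-derives the claims the report makes instead of taking them on trust: it recomputes the offset of the faulting address inside the object, checks that the whole 8-byte access falls within the region, looks up the shadow byte that covers the address, and strips the stack-capture and allocator frames from the "Allocated by" / "Freed by" stacks to name the code that really allocated and freed the object. The shadow-byte meanings are the slab encodings KASAN used in kernels of this generation; `PLUMBING` is a hand-picked prefix list and an assumption of this example, not a kernel API.

```python
"""KASAN use-after-free report triage (added example, not part of the
syzkaller report above or of the kernel): parse the report header, the
'Allocated by'/'Freed by' stacks and the shadow dump, then re-derive what the
report asserts about the faulting address instead of taking it on trust."""
import re

# KASAN shadow encoding for slab memory in this kernel generation
# (mm/kasan/kasan.h): 0x00 = all 8 bytes addressable, 0x01-0x07 = only that
# many leading bytes addressable, poison values below = must never be touched.
SHADOW_POISON = {0xfb: "freed slab object (KASAN_KMALLOC_FREE)",
                 0xfc: "slab redzone (KASAN_KMALLOC_REDZONE)",
                 0xff: "freed page (KASAN_FREE_PAGE)"}
# Stack-capture and allocator frames (assumed prefix list for this example);
# the first frame after them is the code that really allocated or freed the object.
PLUMBING = ("save_stack", "kasan_", "kmem_cache_", "kmalloc", "__kmalloc", "kfree")

# Constructed excerpt of the report above (timestamps and call trace removed).
REPORT = """\
BUG: KASAN: use-after-free in get_mm_exe_file+0x398/0x3d0
Read of size 8 at addr ffff8801cf0f3330 by task syzkaller134687/3038

Allocated by task 3031:
 save_stack_trace+0x16/0x20
 save_stack+0x43/0xd0
 kasan_kmalloc+0xad/0xe0
 kasan_slab_alloc+0x12/0x20
 kmem_cache_alloc+0x12e/0x760
 get_empty_filp+0xfb/0x4f0
 path_openat+0xed/0x3520
 do_filp_open+0x25b/0x3b0
 do_open_execat+0x1b9/0x5c0
 do_execveat_common.isra.33+0x8fe/0x22e0
 SyS_execve+0x39/0x50

Freed by task 3895:
 save_stack_trace+0x16/0x20
 save_stack+0x43/0xd0
 kasan_slab_free+0x71/0xc0
 kmem_cache_free+0x77/0x280
 file_free_rcu+0x5c/0x70
 rcu_process_callbacks+0xd3e/0x17b0
 __do_softirq+0x2f5/0xba3

The buggy address belongs to the object at ffff8801cf0f32c0
 which belongs to the cache filp of size 456
The buggy address is located 112 bytes inside of
 456-byte region [ffff8801cf0f32c0, ffff8801cf0f3488)
Memory state around the buggy address:
 ffff8801cf0f3200: fb fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff8801cf0f3280: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
>ffff8801cf0f3300: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
"""

def symbol(frame):            # 'get_mm_exe_file+0x398/0x3d0' -> 'get_mm_exe_file'
    return frame.split("+", 1)[0]

def origin(frames):           # innermost frame that is not KASAN/allocator plumbing
    return next((symbol(f) for f in frames if not symbol(f).startswith(PLUMBING)), None)

def parse_report(text):
    hdr = re.search(r"BUG: KASAN: (\S+) in (\S+)", text)
    acc = re.search(r"(Read|Write) of size (\d+) at addr ([0-9a-f]+) by task \S+/(\d+)", text)
    obj = re.search(r"object at ([0-9a-f]+)\n\s*which belongs to the cache (\S+) of size (\d+)", text)
    off = re.search(r"located (\d+) bytes inside of", text)
    stacks = {k.lower(): {"pid": int(p), "frames": body.split()} for k, p, body in
              re.findall(r"(Allocated|Freed) by task (\d+):\n((?:[ \t]\S+\n)+)", text)}
    shadow = {}               # shadow address -> byte; each byte covers 8 bytes of memory
    for line in text.splitlines():
        row = re.match(r">?\s*([0-9a-f]{16}): ((?:[0-9a-f]{2}\s*)+)$", line)
        if row:
            base = int(row.group(1), 16)
            shadow.update((base + 8 * i, int(b, 16)) for i, b in enumerate(row.group(2).split()))
    return {"bug": hdr.group(1), "func": symbol(hdr.group(2)),
            "access": acc.group(1), "access_size": int(acc.group(2)),
            "addr": int(acc.group(3), 16), "access_pid": int(acc.group(4)),
            "object_start": int(obj.group(1), 16), "cache": obj.group(2),
            "object_size": int(obj.group(3)), "reported_offset": int(off.group(1)),
            "alloc": stacks["allocated"], "free": stacks["freed"], "shadow": shadow}

def triage(text):
    r = parse_report(text)
    offset = r["addr"] - r["object_start"]
    end = r["object_start"] + r["object_size"]
    byte = r["shadow"].get(r["addr"] & ~7)          # shadow granule holding the address
    return {"bug": r["bug"], "func": r["func"], "cache": r["cache"], "offset": offset,
            "offset_matches_report": offset == r["reported_offset"],
            "inside_object": 0 <= offset and r["addr"] + r["access_size"] <= end,
            "shadow_byte": byte, "shadow_meaning": SHADOW_POISON.get(byte, "addressable/partial"),
            "alloc_origin": origin(r["alloc"]["frames"]),
            "free_origin": origin(r["free"]["frames"]),
            "pids": (r["alloc"]["pid"], r["free"]["pid"], r["access_pid"])}

if __name__ == "__main__":
    for key, value in triage(REPORT).items():
        print(f"{key:>22}: {value}")
```

Run on the excerpt, `triage` reports offset 112 (matching the report's own arithmetic: 0xffff8801cf0f3330 - 0xffff8801cf0f32c0 = 0x70), the access fully inside the [ffff8801cf0f32c0, ffff8801cf0f3488) region, shadow byte 0xfb for the granule at the faulting address, and get_empty_filp / file_free_rcu as the real allocation and free sites with PIDs 3031, 3895 and 3038 for allocator, freer and accessor. Three different PIDs and an RCU-callback free are the shape of a reference-count or lifetime race on the `struct file` rather than a plain double free in one path, which is the detail a triager wants before reading copy_mm and get_mm_exe_file.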