[....] Starting enhanced syslogd: rsyslogd[?25l[?1c7[ ok 8[?25h[?0c. [ 43.750830] audit: type=1800 audit(1545718961.444:25): pid=8042 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="cron" dev="sda1" ino=2414 res=0 [ 43.785601] audit: type=1800 audit(1545718961.444:26): pid=8042 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="mcstrans" dev="sda1" ino=2457 res=0 [ 43.831108] audit: type=1800 audit(1545718961.454:27): pid=8042 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="restorecond" dev="sda1" ino=2436 res=0 [....] Starting periodic command scheduler: cron[?25l[?1c7[ ok 8[?25h[?0c. [....] Starting OpenBSD Secure Shell server: sshd[?25l[?1c7[ ok 8[?25h[?0c. Debian GNU/Linux 7 syzkaller ttyS0 syzkaller login: [ 48.801479] sshd (8177) used greatest stack depth: 15720 bytes left Warning: Permanently added '10.128.0.126' (ECDSA) to the list of known hosts. executing program [ 72.118595] hrtimer: interrupt took 27544 ns executing program [ 72.289655] ================================================================== [ 72.297217] BUG: KASAN: use-after-free in filemap_fault+0x2818/0x2a70 [ 72.303794] Read of size 8 at addr ffff8881b15026b0 by task syz-executor997/8196 [ 72.311514] [ 72.313221] CPU: 0 PID: 8196 Comm: syz-executor997 Not tainted 4.20.0-rc7-next-20181224 #188 [ 72.321865] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 72.331525] Call Trace: [ 72.334227] dump_stack+0x1d3/0x2c6 [ 72.337847] ? dump_stack_print_info.cold.1+0x20/0x20 [ 72.343126] ? printk+0xa7/0xcf [ 72.346463] ? kmsg_dump_rewind_nolock+0xe4/0xe4 [ 72.351409] print_address_description.cold.5+0x9/0x1ff [ 72.356774] ? filemap_fault+0x2818/0x2a70 [ 72.361001] kasan_report.cold.6+0x1b/0x39 [ 72.365333] ? filemap_fault+0x2818/0x2a70 [ 72.369569] ? filemap_fault+0x2818/0x2a70 [ 72.373837] __asan_report_load8_noabort+0x14/0x20 [ 72.378765] filemap_fault+0x2818/0x2a70 [ 72.382853] ? grab_cache_page_write_begin+0xa0/0xa0 [ 72.387953] ? print_usage_bug+0xc0/0xc0 [ 72.392002] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 72.397525] ? __perf_event_task_sched_in+0x2a9/0xb60 [ 72.402711] ? find_held_lock+0x36/0x1c0 [ 72.406766] ? mark_held_locks+0xc7/0x130 [ 72.410916] ? _raw_spin_unlock_irq+0x27/0x80 [ 72.415414] ? _raw_spin_unlock_irq+0x27/0x80 [ 72.419913] ? lockdep_hardirqs_on+0x421/0x5c0 [ 72.424499] ? trace_hardirqs_on+0xbd/0x310 [ 72.428823] ? kasan_check_read+0x11/0x20 [ 72.432976] ? finish_task_switch+0x1f4/0x910 [ 72.437476] ? graph_lock+0x270/0x270 [ 72.441277] ? compat_start_thread+0x80/0x80 [ 72.445706] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 72.451252] ? kasan_check_write+0x14/0x20 [ 72.455492] ? __lock_is_held+0xb5/0x140 [ 72.459568] ? lock_acquire+0x1ed/0x520 [ 72.463551] ? ext4_filemap_fault+0x7a/0xad [ 72.467879] ? lock_release+0xa00/0xa00 [ 72.471855] ? arch_local_save_flags+0x40/0x40 [ 72.476438] ? __schedule+0x9e6/0x1ed0 [ 72.480367] ? down_read+0x8d/0x120 [ 72.484000] ? ext4_filemap_fault+0x7a/0xad [ 72.488323] ? __down_interruptible+0x700/0x700 [ 72.493001] ext4_filemap_fault+0x82/0xad [ 72.497150] __do_fault+0x176/0x6f0 [ 72.500782] ? lock_page+0x170/0x170 [ 72.504496] ? pmd_val+0x88/0x100 [ 72.507950] ? add_mm_counter_fast+0xd0/0xd0 [ 72.512368] ? add_mm_counter_fast+0xd0/0xd0 [ 72.516780] ? schedule+0xf9/0x370 [ 72.520321] ? __sanitizer_cov_trace_const_cmp8+0x18/0x20 [ 72.525864] __handle_mm_fault+0x373b/0x55f0 [ 72.530286] ? vmf_insert_mixed_mkwrite+0x40/0x40 [ 72.535127] ? graph_lock+0x270/0x270 [ 72.538927] ? mark_held_locks+0xc7/0x130 [ 72.543079] ? trace_hardirqs_on_thunk+0x1a/0x1c [ 72.547836] ? lockdep_hardirqs_on+0x421/0x5c0 [ 72.552420] ? retint_kernel+0x2d/0x2d [ 72.556330] ? handle_mm_fault+0x42a/0xc70 [ 72.560582] ? lock_downgrade+0x900/0x900 [ 72.564739] ? retint_kernel+0x2d/0x2d [ 72.568640] ? rcu_read_unlock_special+0x370/0x370 [ 72.573587] ? handle_mm_fault+0x421/0xc70 [ 72.577843] ? write_comp_data+0x22/0x70 [ 72.581919] handle_mm_fault+0x54f/0xc70 [ 72.585985] ? __handle_mm_fault+0x55f0/0x55f0 [ 72.590579] ? __do_page_fault+0x3bd/0xd70 [ 72.594825] __do_page_fault+0x5f6/0xd70 [ 72.598898] do_page_fault+0xf2/0x7e0 [ 72.602703] ? vmalloc_sync_all+0x30/0x30 [ 72.606855] ? error_entry+0x70/0xd0 [ 72.610575] ? trace_hardirqs_off_caller+0xbb/0x310 [ 72.615607] ? trace_hardirqs_on_caller+0xc0/0x310 [ 72.620539] ? syscall_return_slowpath+0x5e0/0x5e0 [ 72.625504] ? trace_hardirqs_off_thunk+0x1a/0x1c [ 72.630347] ? trace_hardirqs_on_caller+0x310/0x310 [ 72.635393] ? trace_hardirqs_off+0x310/0x310 [ 72.639909] ? prepare_exit_to_usermode+0x3b0/0x3b0 [ 72.644927] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 72.650468] ? prepare_exit_to_usermode+0x291/0x3b0 [ 72.655490] ? page_fault+0x8/0x30 [ 72.659050] ? trace_hardirqs_off_thunk+0x1a/0x1c [ 72.663898] ? page_fault+0x8/0x30 [ 72.667437] page_fault+0x1e/0x30 [ 72.670875] RIP: 0033:0x400a57 [ 72.674069] Code: 00 00 00 00 e8 ba 59 04 00 8b 03 85 c0 74 d8 c7 45 08 00 00 00 00 83 7d 04 05 0f 87 49 02 00 00 8b 45 04 ff 24 c5 e8 e4 4a 00 04 25 fa ff 00 20 2e 2f 62 75 66 c7 04 25 fe ff 00 20 73 00 b9 [ 72.692961] RSP: 002b:00007f48cd9c0dc0 EFLAGS: 00010293 [ 72.698318] RAX: 0000000000000000 RBX: 00000000006dbc28 RCX: 0000000000446409 [ 72.705590] RDX: 0000000000446409 RSI: 0000000000000081 RDI: 00000000006dbc2c [ 72.712859] RBP: 00000000006dbc20 R08: 0000000000000000 R09: 0000000000000000 [ 72.720128] R10: 0000000000000000 R11: 0000000000000246 R12: 00000000006dbc2c [ 72.727394] R13: 00007ffd0bb6676f R14: 00007f48cd9c19c0 R15: 00000000006dbd2c [ 72.734692] [ 72.736313] Allocated by task 8196: [ 72.739942] save_stack+0x43/0xd0 [ 72.743395] kasan_kmalloc+0xcb/0xd0 [ 72.747110] kasan_slab_alloc+0x12/0x20 [ 72.751079] kmem_cache_alloc+0x130/0x730 [ 72.755224] vm_area_alloc+0x7a/0x1d0 [ 72.759027] mmap_region+0x9d7/0x1cd0 [ 72.762835] do_mmap+0xa22/0x1230 [ 72.766290] vm_mmap_pgoff+0x213/0x2c0 [ 72.770179] ksys_mmap_pgoff+0x4da/0x660 [ 72.774239] __x64_sys_mmap+0xe9/0x1b0 [ 72.778131] do_syscall_64+0x1b9/0x820 [ 72.782022] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 72.787310] [ 72.788922] Freed by task 8197: [ 72.792195] save_stack+0x43/0xd0 [ 72.795650] __kasan_slab_free+0x102/0x150 [ 72.799899] kasan_slab_free+0xe/0x10 [ 72.803697] kmem_cache_free+0x83/0x290 [ 72.807670] vm_area_free+0x1c/0x20 [ 72.811292] remove_vma+0x13a/0x180 [ 72.814912] __do_munmap+0x729/0xf50 [ 72.818613] mmap_region+0x6a7/0x1cd0 [ 72.822397] do_mmap+0xa22/0x1230 [ 72.825834] vm_mmap_pgoff+0x213/0x2c0 [ 72.829818] ksys_mmap_pgoff+0x4da/0x660 [ 72.833882] __x64_sys_mmap+0xe9/0x1b0 [ 72.837773] do_syscall_64+0x1b9/0x820 [ 72.841662] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 72.846857] [ 72.848486] The buggy address belongs to the object at ffff8881b1502670 [ 72.848486] which belongs to the cache vm_area_struct of size 200 [ 72.861402] The buggy address is located 64 bytes inside of [ 72.861402] 200-byte region [ffff8881b1502670, ffff8881b1502738) [ 72.873179] The buggy address belongs to the page: [ 72.878125] page:ffffea0006c54080 count:1 mapcount:0 mapping:ffff8881da9827c0 index:0xffff8881b1502eb0 [ 72.887570] flags: 0x2fffc0000000200(slab) [ 72.891841] raw: 02fffc0000000200 ffffea0007477408 ffffea0006c5ec48 ffff8881da9827c0 [ 72.899753] raw: ffff8881b1502eb0 ffff8881b1502040 0000000100000004 0000000000000000 [ 72.907628] page dumped because: kasan: bad access detected [ 72.913329] [ 72.914957] Memory state around the buggy address: [ 72.919881] ffff8881b1502580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 72.927239] ffff8881b1502600: fb fb fb fb fb fb fc fc fc fc fc fc fc fc fb fb [ 72.934598] >ffff8881b1502680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 72.941948] ^ [ 72.946876] ffff8881b1502700: fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc fb [ 72.954249] ffff8881b1502780: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 72.961602] ================================================================== [ 72.968967] Disabling lock debugging due to kernel taint [ 72.975898] Kernel panic - not syncing: panic_on_warn set ... [ 72.981804] CPU: 0 PID: 8196 Comm: syz-executor997 Tainted: G B 4.20.0-rc7-next-20181224 #188 [ 72.991760] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 73.001122] Call Trace: [ 73.003708] dump_stack+0x1d3/0x2c6 [ 73.007375] ? dump_stack_print_info.cold.1+0x20/0x20 [ 73.012570] ? filemap_fault+0x27a0/0x2a70 [ 73.016809] panic+0x2ad/0x632 [ 73.020006] ? add_taint.cold.5+0x16/0x16 [ 73.024156] ? preempt_schedule+0x4d/0x60 [ 73.028308] ? ___preempt_schedule+0x16/0x18 [ 73.032715] ? trace_hardirqs_on+0xb4/0x310 [ 73.037035] ? filemap_fault+0x2818/0x2a70 [ 73.041287] end_report+0x47/0x4f [ 73.044737] kasan_report.cold.6+0xe/0x39 [ 73.048887] ? filemap_fault+0x2818/0x2a70 [ 73.053120] ? filemap_fault+0x2818/0x2a70 [ 73.057355] __asan_report_load8_noabort+0x14/0x20 [ 73.062309] filemap_fault+0x2818/0x2a70 [ 73.066382] ? grab_cache_page_write_begin+0xa0/0xa0 [ 73.071503] ? print_usage_bug+0xc0/0xc0 [ 73.075571] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 73.081107] ? __perf_event_task_sched_in+0x2a9/0xb60 [ 73.086303] ? find_held_lock+0x36/0x1c0 [ 73.090379] ? mark_held_locks+0xc7/0x130 [ 73.094539] ? _raw_spin_unlock_irq+0x27/0x80 [ 73.099067] ? _raw_spin_unlock_irq+0x27/0x80 [ 73.103559] ? lockdep_hardirqs_on+0x421/0x5c0 [ 73.108154] ? trace_hardirqs_on+0xbd/0x310 [ 73.112474] ? kasan_check_read+0x11/0x20 [ 73.116634] ? finish_task_switch+0x1f4/0x910 [ 73.121124] ? graph_lock+0x270/0x270 [ 73.124920] ? compat_start_thread+0x80/0x80 [ 73.129323] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 73.134861] ? kasan_check_write+0x14/0x20 [ 73.139113] ? __lock_is_held+0xb5/0x140 [ 73.143175] ? lock_acquire+0x1ed/0x520 [ 73.147158] ? ext4_filemap_fault+0x7a/0xad [ 73.151476] ? lock_release+0xa00/0xa00 [ 73.155443] ? arch_local_save_flags+0x40/0x40 [ 73.160021] ? __schedule+0x9e6/0x1ed0 [ 73.163912] ? down_read+0x8d/0x120 [ 73.167540] ? ext4_filemap_fault+0x7a/0xad [ 73.171858] ? __down_interruptible+0x700/0x700 [ 73.176570] ext4_filemap_fault+0x82/0xad [ 73.180717] __do_fault+0x176/0x6f0 [ 73.184341] ? lock_page+0x170/0x170 [ 73.188073] ? pmd_val+0x88/0x100 [ 73.191527] ? add_mm_counter_fast+0xd0/0xd0 [ 73.195933] ? add_mm_counter_fast+0xd0/0xd0 [ 73.200354] ? schedule+0xf9/0x370 [ 73.203921] ? __sanitizer_cov_trace_const_cmp8+0x18/0x20 [ 73.209472] __handle_mm_fault+0x373b/0x55f0 [ 73.213890] ? vmf_insert_mixed_mkwrite+0x40/0x40 [ 73.218727] ? graph_lock+0x270/0x270 [ 73.222550] ? mark_held_locks+0xc7/0x130 [ 73.226700] ? trace_hardirqs_on_thunk+0x1a/0x1c [ 73.231458] ? lockdep_hardirqs_on+0x421/0x5c0 [ 73.236056] ? retint_kernel+0x2d/0x2d [ 73.239953] ? handle_mm_fault+0x42a/0xc70 [ 73.244185] ? lock_downgrade+0x900/0x900 [ 73.248333] ? retint_kernel+0x2d/0x2d [ 73.252226] ? rcu_read_unlock_special+0x370/0x370 [ 73.257182] ? handle_mm_fault+0x421/0xc70 [ 73.261432] ? write_comp_data+0x22/0x70 [ 73.265492] handle_mm_fault+0x54f/0xc70 [ 73.269558] ? __handle_mm_fault+0x55f0/0x55f0 [ 73.274153] ? __do_page_fault+0x3bd/0xd70 [ 73.278395] __do_page_fault+0x5f6/0xd70 [ 73.282459] do_page_fault+0xf2/0x7e0 [ 73.286274] ? vmalloc_sync_all+0x30/0x30 [ 73.290422] ? error_entry+0x70/0xd0 [ 73.294131] ? trace_hardirqs_off_caller+0xbb/0x310 [ 73.299158] ? trace_hardirqs_on_caller+0xc0/0x310 [ 73.304093] ? syscall_return_slowpath+0x5e0/0x5e0 [ 73.309036] ? trace_hardirqs_off_thunk+0x1a/0x1c [ 73.313895] ? trace_hardirqs_on_caller+0x310/0x310 [ 73.318905] ? trace_hardirqs_off+0x310/0x310 [ 73.323398] ? prepare_exit_to_usermode+0x3b0/0x3b0 [ 73.328439] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 73.334002] ? prepare_exit_to_usermode+0x291/0x3b0 [ 73.339015] ? page_fault+0x8/0x30 [ 73.342556] ? trace_hardirqs_off_thunk+0x1a/0x1c [ 73.347443] ? page_fault+0x8/0x30 [ 73.350982] page_fault+0x1e/0x30 [ 73.354428] RIP: 0033:0x400a57 [ 73.357620] Code: 00 00 00 00 e8 ba 59 04 00 8b 03 85 c0 74 d8 c7 45 08 00 00 00 00 83 7d 04 05 0f 87 49 02 00 00 8b 45 04 ff 24 c5 e8 e4 4a 00 04 25 fa ff 00 20 2e 2f 62 75 66 c7 04 25 fe ff 00 20 73 00 b9 [ 73.376536] RSP: 002b:00007f48cd9c0dc0 EFLAGS: 00010293 [ 73.381897] RAX: 0000000000000000 RBX: 00000000006dbc28 RCX: 0000000000446409 [ 73.389162] RDX: 0000000000446409 RSI: 0000000000000081 RDI: 00000000006dbc2c [ 73.396424] RBP: 00000000006dbc20 R08: 0000000000000000 R09: 0000000000000000 [ 73.403690] R10: 0000000000000000 R11: 0000000000000246 R12: 00000000006dbc2c [ 73.410954] R13: 00007ffd0bb6676f R14: 00007f48cd9c19c0 R15: 00000000006dbd2c [ 73.419255] Kernel Offset: disabled [ 73.422879] Rebooting in 86400 seconds..