executing program
syzkaller login: 
[   70.269163] ==================================================================
[   70.270287] BUG: KASAN: use-after-free in handle_userfault+0x206f/0x2390
[   70.271191] Read of size 8 at addr ffff8801ceb26d88 by task syzkaller268110/2989
[   70.272198] 
[   70.272434] CPU: 0 PID: 2989 Comm: syzkaller268110 Not tainted 4.13.0-mm1+ #5
[   70.273389] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   70.274611] Call Trace:
[   70.274975]  dump_stack+0x194/0x257
[   70.275470]  ? arch_local_irq_restore+0x53/0x53
[   70.276097]  ? show_regs_print_info+0x65/0x65
[   70.276709]  ? handle_userfault+0x206f/0x2390
[   70.277314]  print_address_description+0x73/0x250
[   70.277962]  ? handle_userfault+0x206f/0x2390
[   70.278566]  kasan_report+0x24e/0x340
[   70.279084]  __asan_report_load8_noabort+0x14/0x20
[   70.279742]  handle_userfault+0x206f/0x2390
[   70.280330]  ? __lock_acquire+0x732/0x4620
[   70.280903]  ? __save_stack_trace+0x7e/0xd0
[   70.281485]  ? userfaultfd_ioctl+0x4510/0x4510
[   70.282126]  ? debug_check_no_locks_freed+0x3d0/0x3d0
[   70.282818]  ? debug_check_no_locks_freed+0x3d0/0x3d0
[   70.283510]  ? check_noncircular+0x20/0x20
[   70.284092]  ? find_held_lock+0x39/0x1d0
[   70.284650]  ? find_held_lock+0x39/0x1d0
[   70.285208]  ? lock_downgrade+0x990/0x990
[   70.285767]  ? finish_task_switch+0x1aa/0x740
[   70.286376]  ? __handle_mm_fault+0x22b1/0x39c0
[   70.287001]  ? do_raw_spin_trylock+0x190/0x190
[   70.287642]  ? check_noncircular+0x20/0x20
[   70.288213]  ? trace_hardirqs_on_caller+0x421/0x5c0
[   70.288887]  ? trace_hardirqs_on+0xd/0x10
[   70.290305]  ? finish_task_switch+0x1d3/0x740
[   70.294773]  ? finish_task_switch+0x1aa/0x740
[   70.299254]  __handle_mm_fault+0x2d46/0x39c0
[   70.303642]  ? __pmd_alloc+0x4e0/0x4e0
[   70.307508]  ? lock_downgrade+0x990/0x990
[   70.311634]  ? __sched_text_start+0x8/0x8
[   70.315753]  ? find_held_lock+0x39/0x1d0
[   70.319808]  ? __lock_is_held+0xbc/0x140
[   70.323887]  handle_mm_fault+0x334/0x8d0
[   70.327919]  ? down_read_trylock+0xdb/0x170
[   70.332211]  ? __do_page_fault+0x2b8/0xb60
[   70.336434]  ? __handle_mm_fault+0x39c0/0x39c0
[   70.340986]  ? vmacache_find+0x61/0x270
[   70.344931]  ? vmacache_update+0xfe/0x130
[   70.349053]  ? find_vma+0x30/0x150
[   70.352567]  __do_page_fault+0x4f6/0xb60
[   70.356608]  do_page_fault+0xee/0x720
[   70.360378]  ? trace_hardirqs_off+0xd/0x10
[   70.364585]  ? __do_page_fault+0xb60/0xb60
[   70.368795]  ? trace_event_raw_event_sys_exit+0x260/0x260
[   70.374306]  ? lockdep_sys_exit+0x47/0xf0
[   70.378425]  ? syscall_return_slowpath+0x2b3/0x500
[   70.383324]  ? finish_task_switch+0x4c9/0x740
[   70.387796]  ? retint_user+0x18/0x20
[   70.391485]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   70.396306]  page_fault+0x22/0x30
[   70.399728] RIP: 0033:0x445455
[   70.402888] RSP: 002b:0000000020013000 EFLAGS: 00010217
[   70.408228] RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000445449
[   70.415468] RDX: 0000000020059ffc RSI: 0000000020013000 RDI: 0000000000000400
[   70.422707] RBP: 0000000000000000 R08: 0000000020058ffd R09: 00007f6b81fe2700
[   70.429946] R10: 0000000020058ffc R11: 0000000000000202 R12: 0000000000000000
[   70.437187] R13: 00007ffee89ab8af R14: 00007f6b81fe29c0 R15: 0000000000000000
[   70.444447] 
[   70.446046] Allocated by task 2987:
[   70.449644]  save_stack_trace+0x16/0x20
[   70.453588]  save_stack+0x43/0xd0
[   70.457010]  kasan_kmalloc+0xad/0xe0
[   70.460693]  kasan_slab_alloc+0x12/0x20
[   70.464635]  kmem_cache_alloc+0x12e/0x760
[   70.468752]  dup_userfaultfd+0x21c/0x890
[   70.472793]  copy_mm+0xa38/0x1310
[   70.476235]  copy_process.part.36+0x1eae/0x4af0
[   70.480877]  _do_fork+0x1ef/0xfe0
[   70.484300]  SyS_clone+0x37/0x50
[   70.487635]  do_syscall_64+0x26c/0x8c0
[   70.491495]  return_from_SYSCALL_64+0x0/0x7a
[   70.495869] 
[   70.497468] Freed by task 2987:
[   70.500716]  save_stack_trace+0x16/0x20
[   70.504663]  save_stack+0x43/0xd0
[   70.508084]  kasan_slab_free+0x71/0xc0
[   70.511943]  kmem_cache_free+0x77/0x280
[   70.515888]  userfaultfd_ctx_put+0x50c/0x740
[   70.520265]  userfaultfd_event_wait_completion+0x754/0x910
[   70.525857]  dup_userfaultfd_complete+0x2de/0x480
[   70.530667]  copy_mm+0xe9b/0x1310
[   70.534090]  copy_process.part.36+0x1eae/0x4af0
[   70.538726]  _do_fork+0x1ef/0xfe0
[   70.542148]  SyS_clone+0x37/0x50
[   70.545484]  do_syscall_64+0x26c/0x8c0
[   70.549343]  return_from_SYSCALL_64+0x0/0x7a
[   70.553719] 
[   70.555319] The buggy address belongs to the object at ffff8801ceb26c00
[   70.555319]  which belongs to the cache userfaultfd_ctx_cache of size 400
[   70.568819] The buggy address is located 392 bytes inside of
[   70.568819]  400-byte region [ffff8801ceb26c00, ffff8801ceb26d90)
[   70.580660] The buggy address belongs to the page:
[   70.585559] page:ffffea00073ac980 count:1 mapcount:0 mapping:ffff8801ceb26000 index:0xffff8801ce9e8400
[   70.594982] flags: 0x200000000000100(slab)
[   70.599187] raw: 0200000000000100 ffff8801ceb26000 ffff8801ce9e8400 0000000100000008
[   70.607037] raw: ffff8801d6295150 ffff8801d6295150 ffff8801d5567c00 0000000000000000
[   70.614883] page dumped because: kasan: bad access detected
[   70.620567] 
[   70.622163] Memory state around the buggy address:
[   70.627060]  ffff8801ceb26c80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   70.634388]  ffff8801ceb26d00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   70.641717] >ffff8801ceb26d80: fb fb fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   70.649045]                       ^
[   70.652641]  ffff8801ceb26e00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   70.659975]  ffff8801ceb26e80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   70.667303] ==================================================================
[   70.674629] Disabling lock debugging due to kernel taint
[   70.680095] Kernel panic - not syncing: panic_on_warn set ...
[   70.680095] 
[   70.687424] CPU: 0 PID: 2989 Comm: syzkaller268110 Tainted: G    B           4.13.0-mm1+ #5
[   70.695874] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   70.705193] Call Trace:
[   70.707748]  dump_stack+0x194/0x257
[   70.711343]  ? arch_local_irq_restore+0x53/0x53
[   70.715977]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[   70.720700]  ? handle_userfault+0x2000/0x2390
[   70.725160]  panic+0x1e4/0x417
[   70.728317]  ? __warn+0x1d9/0x1d9
[   70.731741]  ? handle_userfault+0x206f/0x2390
[   70.736201]  kasan_end_report+0x50/0x50
[   70.740140]  kasan_report+0x137/0x340
[   70.743909]  __asan_report_load8_noabort+0x14/0x20
[   70.748801]  handle_userfault+0x206f/0x2390
[   70.753089]  ? __lock_acquire+0x732/0x4620
[   70.757291]  ? __save_stack_trace+0x7e/0xd0
[   70.761574]  ? userfaultfd_ioctl+0x4510/0x4510
[   70.766125]  ? debug_check_no_locks_freed+0x3d0/0x3d0
[   70.771287]  ? debug_check_no_locks_freed+0x3d0/0x3d0
[   70.776441]  ? check_noncircular+0x20/0x20
[   70.780644]  ? find_held_lock+0x39/0x1d0
[   70.784672]  ? find_held_lock+0x39/0x1d0
[   70.788700]  ? lock_downgrade+0x990/0x990
[   70.792813]  ? finish_task_switch+0x1aa/0x740
[   70.797275]  ? __handle_mm_fault+0x22b1/0x39c0
[   70.801834]  ? do_raw_spin_trylock+0x190/0x190
[   70.806381]  ? check_noncircular+0x20/0x20
[   70.810581]  ? trace_hardirqs_on_caller+0x421/0x5c0
[   70.815563]  ? trace_hardirqs_on+0xd/0x10
[   70.819674]  ? finish_task_switch+0x1d3/0x740
[   70.824134]  ? finish_task_switch+0x1aa/0x740
[   70.828595]  __handle_mm_fault+0x2d46/0x39c0
[   70.832975]  ? __pmd_alloc+0x4e0/0x4e0
[   70.836832]  ? lock_downgrade+0x990/0x990
[   70.840944]  ? __sched_text_start+0x8/0x8
[   70.845055]  ? find_held_lock+0x39/0x1d0
[   70.849081]  ? __lock_is_held+0xbc/0x140
[   70.853119]  handle_mm_fault+0x334/0x8d0
[   70.857143]  ? down_read_trylock+0xdb/0x170
[   70.861427]  ? __do_page_fault+0x2b8/0xb60
[   70.865625]  ? __handle_mm_fault+0x39c0/0x39c0
[   70.870172]  ? vmacache_find+0x61/0x270
[   70.874111]  ? vmacache_update+0xfe/0x130
[   70.878226]  ? find_vma+0x30/0x150
[   70.881730]  __do_page_fault+0x4f6/0xb60
[   70.885760]  do_page_fault+0xee/0x720
[   70.889625]  ? trace_hardirqs_off+0xd/0x10
[   70.893823]  ? __do_page_fault+0xb60/0xb60
[   70.898021]  ? trace_event_raw_event_sys_exit+0x260/0x260
[   70.903523]  ? lockdep_sys_exit+0x47/0xf0
[   70.907634]  ? syscall_return_slowpath+0x2b3/0x500
[   70.912526]  ? finish_task_switch+0x4c9/0x740
[   70.916988]  ? retint_user+0x18/0x20
[   70.920666]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   70.925474]  page_fault+0x22/0x30
[   70.928891] RIP: 0033:0x445455
[   70.932047] RSP: 002b:0000000020013000 EFLAGS: 00010217
[   70.937374] RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000445449
[   70.944610] RDX: 0000000020059ffc RSI: 0000000020013000 RDI: 0000000000000400
[   70.951845] RBP: 0000000000000000 R08: 0000000020058ffd R09: 00007f6b81fe2700
[   70.959080] R10: 0000000020058ffc R11: 0000000000000202 R12: 0000000000000000
[   70.966314] R13: 00007ffee89ab8af R14: 00007f6b81fe29c0 R15: 0000000000000000
[   70.973915] Dumping ftrace buffer:
[   70.977426]    (ftrace buffer empty)
[   70.981103] Kernel Offset: disabled
[   70.984703] Rebooting in 86400 seconds..
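Reading a report like this by hand is error-prone, and crash buckets are built from exactly the fields it prints: bug class, faulting function, access kind and size, the "Allocated by" and "Freed by" call chains, and the slab object geometry. The following is an added example, not code from the original report or from the syzkaller project: a small Python parser for the KASAN layout shown above, run over a constructed excerpt of this very report, plus a triage step that derives the facts a practitioner checks before filing or deduplicating. The function names, the field names and the signature format are this example's own choices.

```python
"""Triage helper for KASAN reports laid out like the log above. Added example,
not code from the original report or from syzkaller; the field names and the
summary format are this example's own choices."""
import re

# Constructed excerpt: lines copied from the report above with most frames
# dropped; it is not a complete log.
SAMPLE_REPORT = """\
[   70.270287] BUG: KASAN: use-after-free in handle_userfault+0x206f/0x2390
[   70.271191] Read of size 8 at addr ffff8801ceb26d88 by task syzkaller268110/2989
[   70.274611] Call Trace:
[   70.274975]  dump_stack+0x194/0x257
[   70.278566]  kasan_report+0x24e/0x340
[   70.279742]  handle_userfault+0x206f/0x2390
[   70.280330]  ? __lock_acquire+0x732/0x4620
[   70.299254]  __handle_mm_fault+0x2d46/0x39c0
[   70.446046] Allocated by task 2987:
[   70.449644]  save_stack_trace+0x16/0x20
[   70.457010]  kasan_kmalloc+0xad/0xe0
[   70.464635]  kmem_cache_alloc+0x12e/0x760
[   70.468752]  dup_userfaultfd+0x21c/0x890
[   70.497468] Freed by task 2987:
[   70.500716]  save_stack_trace+0x16/0x20
[   70.508084]  kasan_slab_free+0x71/0xc0
[   70.511943]  kmem_cache_free+0x77/0x280
[   70.515888]  userfaultfd_ctx_put+0x50c/0x740
[   70.525857]  dup_userfaultfd_complete+0x2de/0x480
[   70.555319] The buggy address belongs to the object at ffff8801ceb26c00
[   70.555319]  which belongs to the cache userfaultfd_ctx_cache of size 400
[   70.568819] The buggy address is located 392 bytes inside of
[   70.568819]  400-byte region [ffff8801ceb26c00, ffff8801ceb26d90)
"""

_PREFIX = re.compile(r"^\[\s*[\d.]+\]\s*")  # "[   70.270287] " log timestamp
_BUG = re.compile(r"BUG: KASAN: (?P<type>[\w-]+) in (?P<func>[\w.]+)\+0x")
_ACCESS = re.compile(r"(?P<kind>Read|Write) of size (?P<size>\d+) at addr "
                     r"(?P<addr>[0-9a-f]+) by task (?P<comm>\S+)/(?P<pid>\d+)")
_ALLOC = re.compile(r"^Allocated by task (?P<pid>\d+):")
_FREE = re.compile(r"^Freed by task (?P<pid>\d+):")
_FRAME = re.compile(r"^(?P<unreliable>\? )?(?P<sym>[\w.]+)\+0x[0-9a-f]+/0x[0-9a-f]+$")
_OBJECT = re.compile(r"belongs to the object at (?P<base>[0-9a-f]+)")
_CACHE = re.compile(r"belongs to the cache (?P<name>\S+) of size (?P<size>\d+)")
_OFFSET = re.compile(r"located (?P<off>\d+) bytes inside of")
# Allocator and KASAN frames; skipped when picking the owning code of a stack.
_PLUMBING = ("save_stack", "kasan_", "__asan_", "kmem_cache_", "kmalloc",
             "__kmalloc", "kfree", "dump_stack", "print_address_description")

def parse_kasan_report(text):
    """Return the report's key fields; each *_stack is a list of symbols."""
    rep = {"fault_stack": [], "alloc_stack": [], "free_stack": []}
    section = None
    for raw in text.splitlines():
        line = _PREFIX.sub("", raw).strip()
        frame = _FRAME.match(line)
        if frame and section:
            if not frame.group("unreliable"):  # "? sym" is a stale stack slot
                rep[section].append(frame.group("sym"))
            continue
        section = None  # any non-frame line closes the current stack
        if line == "Call Trace:" and not rep["fault_stack"]:
            section = "fault_stack"  # first trace only; the panic repeats it
        elif (m := _ALLOC.match(line)):
            rep["alloc_pid"], section = int(m.group("pid")), "alloc_stack"
        elif (m := _FREE.match(line)):
            rep["free_pid"], section = int(m.group("pid")), "free_stack"
        elif (m := _BUG.search(line)):
            rep["bug_type"], rep["fault_function"] = m.group("type"), m.group("func")
        elif (m := _ACCESS.search(line)):
            rep["access"] = (m.group("kind"), int(m.group("size")))
            rep["addr"] = int(m.group("addr"), 16)
            rep["task"] = (m.group("comm"), int(m.group("pid")))
        elif (m := _OBJECT.search(line)):
            rep["object_base"] = int(m.group("base"), 16)
        elif (m := _CACHE.search(line)):
            rep["cache"] = (m.group("name"), int(m.group("size")))
        elif (m := _OFFSET.search(line)):
            rep["offset"] = int(m.group("off"))
    return rep

def _origin(stack):
    """First frame that is not allocator/KASAN plumbing: the owning code."""
    return next((s for s in stack if not s.startswith(_PLUMBING)), None)

def triage(rep):
    """Facts a triager checks before bucketing the report."""
    kind, size = rep["access"]
    return {
        "signature": "KASAN: %s %s in %s" % (rep["bug_type"], kind, rep["fault_function"]),
        "fault_origin": _origin(rep["fault_stack"]),
        "alloc_origin": _origin(rep["alloc_stack"]),
        "free_origin": _origin(rep["free_stack"]),
        # addr minus object base must agree with the offset KASAN printed
        "offset_consistent": rep["addr"] - rep["object_base"] == rep["offset"],
        # access lies wholly inside the freed object: a UAF, not an overflow
        "inside_object": rep["offset"] + size <= rep["cache"][1],
        "cross_task_access": rep["task"][1] != rep["free_pid"],
    }
```

On this report the derived facts agree with what the log itself shows: the 400-byte userfaultfd_ctx_cache object is allocated in dup_userfaultfd and released through dup_userfaultfd_complete, userfaultfd_event_wait_completion and userfaultfd_ctx_put, both inside the same clone() by task 2987, while the 8-byte read at offset 392 is performed by task 2989 from the page-fault path in handle_userfault. That is the pattern to look for when reading the full stacks above: a context pointer that outlives the fork-event completion and is dereferenced from another task. offset_consistent cross-checks the printed offset against the faulting address and object base, and inside_object separates a use-after-free from an out-of-bounds access on a live object, which would land in the fc redzone bytes rather than the fb freed bytes shown in the shadow dump.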