
Debian GNU/Linux 7 syzkaller ttyS0

2017/08/20 05:03:00 parsed 1 programs
2017/08/20 05:03:00 executed programs: 0
syzkaller login: [   23.462389] ==================================================================
[   23.462912] BUG: KASAN: use-after-free in userfaultfd_release+0x5c1/0x6e0
[   23.463745] Read of size 8 at addr ffff88006db44be0 by task syz-executor0/3148
[   23.464172] 
[   23.464283] CPU: 2 PID: 3148 Comm: syz-executor0 Not tainted 4.13.0-rc5-next-20170817+ #5
[   23.464831] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
[   23.465386] Call Trace:
[   23.465558]  dump_stack+0x194/0x257
[   23.465798]  ? arch_local_irq_restore+0x53/0x53
[   23.466120]  ? show_regs_print_info+0x65/0x65
[   23.466416]  ? is_bpf_text_address+0xa4/0x120
[   23.466712]  ? unwind_get_return_address+0x61/0xa0
[   23.467051]  ? userfaultfd_release+0x5c1/0x6e0
[   23.467377]  print_address_description+0x73/0x250
[   23.467699]  ? userfaultfd_release+0x5c1/0x6e0
[   23.468005]  kasan_report+0x24e/0x340
[   23.468310]  ? userfaultfd_event_wait_completion+0x910/0x910
[   23.468713]  __asan_report_load8_noabort+0x14/0x20
[   23.469140]  userfaultfd_release+0x5c1/0x6e0
[   23.469521]  ? fcntl_setlk+0x10c0/0x10c0
[   23.469790]  ? kmem_cache_free+0x77/0x280
[   23.470060]  ? do_exit+0xa33/0x1b30
[   23.470302]  ? userfaultfd_event_wait_completion+0x910/0x910
[   23.470692]  ? fsnotify+0x1af0/0x1af0
[   23.470947]  ? rcu_note_context_switch+0x710/0x710
[   23.471280]  ? __might_sleep+0x95/0x190
[   23.471547]  ? userfaultfd_event_wait_completion+0x910/0x910
[   23.471932]  __fput+0x327/0x7e0
[   23.472156]  ? fput+0x140/0x140
[   23.472379]  ? do_raw_spin_trylock+0x190/0x190
[   23.472686]  ____fput+0x15/0x20
[   23.472908]  task_work_run+0x199/0x270
[   23.473170]  ? task_work_cancel+0x210/0x210
[   23.473459]  ? _raw_spin_unlock+0x22/0x30
[   23.473737]  ? switch_task_namespaces+0x87/0xc0
[   23.474049]  do_exit+0xa52/0x1b30
[   23.474281]  ? account_kernel_stack+0x155/0x1f0
[   23.474597]  ? mm_update_next_owner+0x930/0x930
[   23.474912]  ? __cleanup_sighand+0x40/0x40
[   23.475198]  ? schedule+0x108/0x440
[   23.475460]  ? lock_downgrade+0x990/0x990
[   23.475738]  ? __schedule+0x2070/0x2070
[   23.476009]  ? check_same_owner+0x320/0x320
[   23.476300]  ? rcu_note_context_switch+0x710/0x710
[   23.476742]  ? futex_wait_setup+0x14a/0x3d0
[   23.477052]  ? __might_sleep+0x95/0x190
[   23.477342]  ? _cond_resched+0x14/0x30
[   23.477645]  ? futex_wait_queue_me+0x524/0x7e0
[   23.478005]  ? get_futex_value_locked+0xc3/0xf0
[   23.478482]  ? futex_wait_setup+0x22e/0x3d0
[   23.478939]  ? __dequeue_signal+0x103/0x7b0
[   23.479337]  ? recalc_sigpending_tsk+0x117/0x150
[   23.479651]  ? get_signal+0x855/0x17e0
[   23.479917]  ? lock_downgrade+0x990/0x990
[   23.480281]  do_group_exit+0x149/0x400
[   23.480616]  ? SyS_exit+0x30/0x30
[   23.480920]  get_signal+0x7e8/0x17e0
[   23.481251]  ? ptrace_notify+0x130/0x130
[   23.481604]  ? do_futex+0x781/0x20a0
[   23.481934]  do_signal+0x94/0x1ee0
[   23.482246]  ? _do_fork+0x1ef/0xfb0
[   23.482558]  ? _do_fork+0x2dc/0xfb0
[   23.482871]  ? setup_sigcontext+0x7d0/0x7d0
[   23.483247]  ? fork_idle+0x2d0/0x2d0
[   23.483568]  ? kasan_slab_free+0x71/0xc0
[   23.483917]  ? kmem_cache_free+0x77/0x280
[   23.484273]  ? putname+0xee/0x130
[   23.484571]  ? do_sys_open+0x31b/0x6d0
[   23.485308]  ? SyS_open+0x2d/0x40
[   23.485546]  ? entry_SYSCALL_64_fastpath+0x1f/0xbe
[   23.485892]  ? check_same_owner+0x320/0x320
[   23.486206]  ? rcu_note_context_switch+0x710/0x710
[   23.486554]  ? __might_sleep+0x95/0x190
[   23.486890]  ? __fd_install+0x2f7/0x6a0
[   23.487250]  ? get_unused_fd_flags+0x190/0x190
[   23.487556]  exit_to_usermode_loop+0x224/0x300
[   23.487936]  ? trace_event_raw_event_sys_exit+0x260/0x260
[   23.488412]  ? quarantine_put+0xeb/0x190
[   23.488775]  ? SyS_clone+0x37/0x50
[   23.489124]  do_syscall_64+0x65c/0x8c0
[   23.489511]  ? syscall_return_slowpath+0x500/0x500
[   23.489994]  ? do_futex+0x20a0/0x20a0
[   23.490376]  ? filp_open+0x70/0x70
[   23.490725]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   23.491210]  ? sys_vfork+0x30/0x30
[   23.491564]  entry_SYSCALL64_slow_path+0x25/0x25
[   23.492037] RIP: 0033:0x446749
[   23.492330] RSP: 002b:00007fc4422c0c08 EFLAGS: 00000286 ORIG_RAX: 0000000000000038
[   23.493250] RAX: fffffffffffffdff RBX: 0000000000000000 RCX: 0000000000446749
[   23.494140] RDX: 0000000020f42000 RSI: 0000000020179000 RDI: 0000000000000000
[   23.495413] RBP: 0000000000708150 R08: 0000000020ef4ffc R09: 0000000000000000
[   23.496125] R10: 0000000020a6bffc R11: 0000000000000286 R12: 00000000ffffffff
[   23.496848] R13: 00000000000003b0 R14: 00000000006e2470 R15: 0000000020179000
[   23.497570] 
[   23.497739] Allocated by task 3148:
[   23.498103]  save_stack_trace+0x16/0x20
[   23.498507]  save_stack+0x43/0xd0
[   23.498850]  kasan_kmalloc+0xad/0xe0
[   23.499343]  kasan_slab_alloc+0x12/0x20
[   23.500028]  kmem_cache_alloc+0x12e/0x760
[   23.500726]  dup_userfaultfd+0x21c/0x890
[   23.501375]  copy_mm+0xa27/0x1247
[   23.501862]  copy_process.part.36+0x1ea3/0x4af0
[   23.502306]  _do_fork+0x1ef/0xfb0
[   23.502746]  SyS_clone+0x37/0x50
[   23.503224]  do_syscall_64+0x26c/0x8c0
[   23.503619]  return_from_SYSCALL_64+0x0/0x7a
[   23.504051] 
[   23.504162] Freed by task 3148:
[   23.504384]  save_stack_trace+0x16/0x20
[   23.504648]  save_stack+0x43/0xd0
[   23.504893]  kasan_slab_free+0x71/0xc0
[   23.505152]  kmem_cache_free+0x77/0x280
[   23.505503]  userfaultfd_ctx_put+0x50c/0x740
[   23.506307]  userfaultfd_event_wait_completion+0x754/0x910
[   23.506793]  dup_userfaultfd_complete+0x2de/0x480
[   23.507289]  copy_mm+0xde2/0x1247
[   23.507623]  copy_process.part.36+0x1ea3/0x4af0
[   23.508068]  _do_fork+0x1ef/0xfb0
[   23.508367]  SyS_clone+0x37/0x50
[   23.508690]  do_syscall_64+0x26c/0x8c0
[   23.508945]  return_from_SYSCALL_64+0x0/0x7a
[   23.509231] 
[   23.509337] The buggy address belongs to the object at ffff88006db44a80
[   23.509337]  which belongs to the cache userfaultfd_ctx_cache of size 360
[   23.510469] The buggy address is located 352 bytes inside of
[   23.510469]  360-byte region [ffff88006db44a80, ffff88006db44be8)
[   23.511477] The buggy address belongs to the page:
[   23.511971] page:ffffea0001b6d100 count:1 mapcount:0 mapping:ffff88006db44000 index:0xffff88006db44ff7
[   23.512630] flags: 0x500000000000100(slab)
[   23.512938] raw: 0500000000000100 ffff88006db44000 ffff88006db44ff7 0000000100000009
[   23.513455] raw: ffffea0001abc820 ffff88006bc20248 ffff88006bc19800 0000000000000000
[   23.513990] page dumped because: kasan: bad access detected
[   23.514538] 
[   23.514768] Memory state around the buggy address:
[   23.515425]  ffff88006db44a80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   23.516133]  ffff88006db44b00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   23.516696] >ffff88006db44b80: fb fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc
[   23.517189]                                                        ^
[   23.517668]  ffff88006db44c00: fc fc fc fc fc fc fc fc 00 00 00 00 00 00 00 00
[   23.518288]  ffff88006db44c80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   23.518900] ==================================================================
[   23.519465] Kernel panic - not syncing: panic_on_warn set ...
[   23.519465] 
[   23.520090] CPU: 2 PID: 3148 Comm: syz-executor0 Tainted: G    B           4.13.0-rc5-next-20170817+ #5
[   23.520888] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
[   23.521576] Call Trace:
[   23.521801]  dump_stack+0x194/0x257
[   23.522116]  ? arch_local_irq_restore+0x53/0x53
[   23.522514]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[   23.522922]  ? userfaultfd_release+0x580/0x6e0
[   23.523324]  panic+0x1e4/0x417
[   23.523602]  ? __warn+0x1d9/0x1d9
[   23.523908]  ? userfaultfd_release+0x5c1/0x6e0
[   23.524309]  kasan_end_report+0x50/0x50
[   23.524671]  kasan_report+0x137/0x340
[   23.525005]  ? userfaultfd_event_wait_completion+0x910/0x910
[   23.525515]  __asan_report_load8_noabort+0x14/0x20
[   23.525942]  userfaultfd_release+0x5c1/0x6e0
[   23.526327]  ? fcntl_setlk+0x10c0/0x10c0
[   23.526676]  ? kmem_cache_free+0x77/0x280
[   23.526971]  ? do_exit+0xa33/0x1b30
[   23.527224]  ? userfaultfd_event_wait_completion+0x910/0x910
[   23.528149]  ? fsnotify+0x1af0/0x1af0
[   23.528474]  ? rcu_note_context_switch+0x710/0x710
[   23.528895]  ? __might_sleep+0x95/0x190
[   23.529260]  ? userfaultfd_event_wait_completion+0x910/0x910
[   23.529777]  __fput+0x327/0x7e0
[   23.530059]  ? fput+0x140/0x140
[   23.530392]  ? do_raw_spin_trylock+0x190/0x190
[   23.530809]  ____fput+0x15/0x20
[   23.531104]  task_work_run+0x199/0x270
[   23.531435]  ? task_work_cancel+0x210/0x210
[   23.531802]  ? _raw_spin_unlock+0x22/0x30
[   23.532154]  ? switch_task_namespaces+0x87/0xc0
[   23.532550]  do_exit+0xa52/0x1b30
[   23.532844]  ? account_kernel_stack+0x155/0x1f0
[   23.533243]  ? mm_update_next_owner+0x930/0x930
[   23.533666]  ? __cleanup_sighand+0x40/0x40
[   23.534054]  ? schedule+0x108/0x440
[   23.534403]  ? lock_downgrade+0x990/0x990
[   23.534795]  ? __schedule+0x2070/0x2070
[   23.535165]  ? check_same_owner+0x320/0x320
[   23.535559]  ? rcu_note_context_switch+0x710/0x710
[   23.535973]  ? futex_wait_setup+0x14a/0x3d0
[   23.536344]  ? __might_sleep+0x95/0x190
[   23.536690]  ? _cond_resched+0x14/0x30
[   23.537020]  ? futex_wait_queue_me+0x524/0x7e0
[   23.537419]  ? get_futex_value_locked+0xc3/0xf0
[   23.537819]  ? futex_wait_setup+0x22e/0x3d0
[   23.538186]  ? __dequeue_signal+0x103/0x7b0
[   23.538635]  ? recalc_sigpending_tsk+0x117/0x150
[   23.539047]  ? get_signal+0x855/0x17e0
[   23.539387]  ? lock_downgrade+0x990/0x990
[   23.539742]  do_group_exit+0x149/0x400
[   23.540075]  ? SyS_exit+0x30/0x30
[   23.540434]  get_signal+0x7e8/0x17e0
[   23.540813]  ? ptrace_notify+0x130/0x130
[   23.541187]  ? do_futex+0x781/0x20a0
[   23.541510]  do_signal+0x94/0x1ee0
[   23.541815]  ? _do_fork+0x1ef/0xfb0
[   23.542106]  ? _do_fork+0x2dc/0xfb0
[   23.542337]  ? setup_sigcontext+0x7d0/0x7d0
[   23.542784]  ? fork_idle+0x2d0/0x2d0
[   23.543133]  ? kasan_slab_free+0x71/0xc0
[   23.543497]  ? kmem_cache_free+0x77/0x280
[   23.543869]  ? putname+0xee/0x130
[   23.544170]  ? do_sys_open+0x31b/0x6d0
[   23.544507]  ? SyS_open+0x2d/0x40
[   23.544806]  ? entry_SYSCALL_64_fastpath+0x1f/0xbe
[   23.545235]  ? check_same_owner+0x320/0x320
[   23.545612]  ? rcu_note_context_switch+0x710/0x710
[   23.546043]  ? __might_sleep+0x95/0x190
[   23.546390]  ? __fd_install+0x2f7/0x6a0
[   23.546735]  ? get_unused_fd_flags+0x190/0x190
[   23.547144]  exit_to_usermode_loop+0x224/0x300
[   23.547544]  ? trace_event_raw_event_sys_exit+0x260/0x260
[   23.548032]  ? quarantine_put+0xeb/0x190
[   23.548387]  ? SyS_clone+0x37/0x50
[   23.548955]  do_syscall_64+0x65c/0x8c0
[   23.549896]  ? syscall_return_slowpath+0x500/0x500
[   23.550334]  ? do_futex+0x20a0/0x20a0
[   23.550671]  ? filp_open+0x70/0x70
[   23.550983]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   23.551430]  ? sys_vfork+0x30/0x30
[   23.551744]  entry_SYSCALL64_slow_path+0x25/0x25
[   23.552162] RIP: 0033:0x446749
[   23.552441] RSP: 002b:00007fc4422c0c08 EFLAGS: 00000286 ORIG_RAX: 0000000000000038
[   23.553120] RAX: fffffffffffffdff RBX: 0000000000000000 RCX: 0000000000446749
[   23.553749] RDX: 0000000020f42000 RSI: 0000000020179000 RDI: 0000000000000000
[   23.554391] RBP: 0000000000708150 R08: 0000000020ef4ffc R09: 0000000000000000
[   23.555088] R10: 0000000020a6bffc R11: 0000000000000286 R12: 00000000ffffffff
[   23.555778] R13: 00000000000003b0 R14: 00000000006e2470 R15: 0000000020179000
[   23.556459] Dumping ftrace buffer:
[   23.556773]    (ftrace buffer empty)
[   23.557097] Kernel Offset: disabled
[   23.557416] Rebooting in 86400 seconds..