INIT: Entering runlevel: 2
[info] Using makefile-style concurrent boot in runlevel 2.
[ ok ] Starting enhanced syslogd: rsyslogd.
[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.

Debian GNU/Linux 7 syzkaller ttyS0

Warning: Permanently added 'ci-upstream-next-kasan-gce-6,10.128.0.4' (ECDSA) to the list of known hosts.
2017/08/20 03:16:12 parsed 1 programs
2017/08/20 03:16:12 executed programs: 0

syzkaller login: [ 121.548848] ==================================================================
[ 121.550030] BUG: KASAN: use-after-free in userfaultfd_release+0x5c1/0x6e0
[ 121.550968] Read of size 8 at addr ffff8801ce0304e0 by task syz-executor0/3223
[ 121.551932]
[ 121.552166] CPU: 0 PID: 3223 Comm: syz-executor0 Not tainted 4.13.0-rc5-next-20170817+ #5
[ 121.553251] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 121.554472] Call Trace:
[ 121.554840]  dump_stack+0x194/0x257
[ 121.555360]  ? arch_local_irq_restore+0x53/0x53
[ 121.555984]  ? show_regs_print_info+0x65/0x65
[ 121.556603]  ? is_bpf_text_address+0xa4/0x120
[ 121.557224]  ? unwind_get_return_address+0x61/0xa0
[ 121.557919]  ? userfaultfd_release+0x5c1/0x6e0
[ 121.558549]  print_address_description+0x73/0x250
[ 121.559194]  ? userfaultfd_release+0x5c1/0x6e0
[ 121.559814]  kasan_report+0x24e/0x340
[ 121.560329]  ? userfaultfd_event_wait_completion+0x910/0x910
[ 121.561112]  __asan_report_load8_noabort+0x14/0x20
[ 121.561764]  userfaultfd_release+0x5c1/0x6e0
[ 121.562411]  ? fcntl_setlk+0x10c0/0x10c0
[ 121.562954]  ? kmem_cache_free+0x77/0x280
[ 121.563512]  ? userfaultfd_event_wait_completion+0x910/0x910
[ 121.564278]  ? fsnotify+0x1af0/0x1af0
[ 121.564815]  ? rcu_note_context_switch+0x710/0x710
[ 121.565477]  ? __might_sleep+0x95/0x190
[ 121.566011]  ? userfaultfd_event_wait_completion+0x910/0x910
[ 121.566777]  __fput+0x327/0x7e0
[ 121.567238]  ? fput+0x140/0x140
[ 121.567685]  ? _raw_spin_unlock_irq+0x27/0x70
[ 121.568310]  ____fput+0x15/0x20
[ 121.568756]  task_work_run+0x199/0x270
[ 121.570969]  ? task_work_cancel+0x210/0x210
[ 121.575259]  ? _raw_spin_unlock+0x22/0x30
[ 121.579372]  ? switch_task_namespaces+0x87/0xc0
[ 121.584014]  do_exit+0xa52/0x1b30
[ 121.587442]  ? try_to_wake_up+0xf9/0x1600
[ 121.591562]  ? lock_downgrade+0x990/0x990
[ 121.595681]  ? mm_update_next_owner+0x930/0x930
[ 121.600315]  ? do_raw_spin_trylock+0x190/0x190
[ 121.604868]  ? do_raw_spin_trylock+0x190/0x190
[ 121.609435]  ? trace_hardirqs_off+0xd/0x10
[ 121.613638]  ? _raw_spin_unlock_irqrestore+0xa6/0xba
[ 121.618722]  ? try_to_wake_up+0xf9/0x1600
[ 121.622840]  ? _raw_spin_unlock+0x22/0x30
[ 121.626975]  ? check_noncircular+0x20/0x20
[ 121.631186]  ? migrate_swap_stop+0x970/0x970
[ 121.635565]  ? __pmd_alloc+0x4e0/0x4e0
[ 121.639435]  ? find_held_lock+0x35/0x1d0
[ 121.643478]  ? find_held_lock+0x35/0x1d0
[ 121.647514]  ? do_group_exit+0x318/0x400
[ 121.651543]  ? lock_downgrade+0x990/0x990
[ 121.655665]  ? do_raw_spin_trylock+0x190/0x190
[ 121.660212]  ? signal_wake_up_state+0x3a/0x40
[ 121.664681]  ? zap_other_threads+0x1ca/0x240
[ 121.669055]  ? force_sig+0x30/0x30
[ 121.672571]  ? _raw_spin_unlock_irq+0x27/0x70
[ 121.677036]  ? trace_hardirqs_on_caller+0x421/0x5c0
[ 121.682032]  do_group_exit+0x149/0x400
[ 121.685892]  ? do_futex+0x20a0/0x20a0
[ 121.689659]  ? SyS_exit+0x30/0x30
[ 121.693096]  ? trace_hardirqs_on_caller+0x421/0x5c0
[ 121.698090]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 121.702818]  SyS_exit_group+0x1d/0x20
[ 121.706587]  entry_SYSCALL_64_fastpath+0x1f/0xbe
[ 121.711310] RIP: 0033:0x4512e9
[ 121.714483] RSP: 002b:0000000000a6f9e8 EFLAGS: 00000206 ORIG_RAX: 00000000000000e7
[ 121.722161] RAX: ffffffffffffffda RBX: 0000000001eb8914 RCX: 00000000004512e9
[ 121.729396] RDX: 00000000004512e9 RSI: 0000000000763128 RDI: 0000000000000000
[ 121.736633] RBP: 0000000000000086 R08: 00000000007180a8 R09: 00000000000000b4
[ 121.743872] R10: 0000000000763120 R11: 0000000000000206 R12: fffffffffffffffe
[ 121.751111] R13: 00000000007181f8 R14: 0000000020053f90 R15: 0000000000000016
[ 121.758368]
[ 121.759963] Allocated by task 3227:
[ 121.763560]  save_stack_trace+0x16/0x20
[ 121.767503]  save_stack+0x43/0xd0
[ 121.770921]  kasan_kmalloc+0xad/0xe0
[ 121.774598]  kasan_slab_alloc+0x12/0x20
[ 121.778537]  kmem_cache_alloc+0x12e/0x760
[ 121.782648]  dup_userfaultfd+0x21c/0x890
[ 121.786674]  copy_mm+0xa27/0x1247
[ 121.790094]  copy_process.part.36+0x1ea3/0x4af0
[ 121.794729]  _do_fork+0x1ef/0xfb0
[ 121.798148]  SyS_clone+0x37/0x50
[ 121.801483]  do_syscall_64+0x26c/0x8c0
[ 121.805336]  return_from_SYSCALL_64+0x0/0x7a
[ 121.809707]
[ 121.811299] Freed by task 3227:
[ 121.814544]  save_stack_trace+0x16/0x20
[ 121.818484]  save_stack+0x43/0xd0
[ 121.821915]  kasan_slab_free+0x71/0xc0
[ 121.825766]  kmem_cache_free+0x77/0x280
[ 121.829705]  userfaultfd_ctx_put+0x50c/0x740
[ 121.834081]  userfaultfd_event_wait_completion+0x754/0x910
[ 121.839669]  dup_userfaultfd_complete+0x2de/0x480
[ 121.844478]  copy_mm+0xde2/0x1247
[ 121.847896]  copy_process.part.36+0x1ea3/0x4af0
[ 121.852528]  _do_fork+0x1ef/0xfb0
[ 121.855948]  SyS_clone+0x37/0x50
[ 121.859280]  do_syscall_64+0x26c/0x8c0
[ 121.863132]  return_from_SYSCALL_64+0x0/0x7a
[ 121.867502]
[ 121.869099] The buggy address belongs to the object at ffff8801ce030380
[ 121.869099]  which belongs to the cache userfaultfd_ctx_cache of size 360
[ 121.882589] The buggy address is located 352 bytes inside of
[ 121.882589]  360-byte region [ffff8801ce030380, ffff8801ce0304e8)
[ 121.894425] The buggy address belongs to the page:
[ 121.899321] page:ffffea0007380c00 count:1 mapcount:0 mapping:ffff8801ce030000 index:0xffff8801ce030ff7
[ 121.908730] flags: 0x200000000000100(slab)
[ 121.912931] raw: 0200000000000100 ffff8801ce030000 ffff8801ce030ff7 0000000100000009
[ 121.920777] raw: ffffea00073cbd20 ffff8801d652c848 ffff8801d652b600 0000000000000000
[ 121.928620] page dumped because: kasan: bad access detected
[ 121.934291]
[ 121.935880] Memory state around the buggy address:
[ 121.940774]  ffff8801ce030380: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 121.948105]  ffff8801ce030400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 121.955429] >ffff8801ce030480: fb fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc
[ 121.962751]                                                        ^
[ 121.969206]  ffff8801ce030500: fc fc fc fc fc fc fc fc 00 00 00 00 00 00 00 00
[ 121.976531]  ffff8801ce030580: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 121.983859] ==================================================================
[ 121.991180] Disabling lock debugging due to kernel taint
[ 121.996688] Kernel panic - not syncing: panic_on_warn set ...
[ 121.996688]
[ 122.004025] CPU: 0 PID: 3223 Comm: syz-executor0 Tainted: G B 4.13.0-rc5-next-20170817+ #5
[ 122.013516] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 122.022834] Call Trace:
[ 122.025386]  dump_stack+0x194/0x257
[ 122.028981]  ? arch_local_irq_restore+0x53/0x53
[ 122.033617]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 122.038340]  ? userfaultfd_release+0x580/0x6e0
[ 122.042889]  panic+0x1e4/0x417
[ 122.046049]  ? __warn+0x1d9/0x1d9
[ 122.049473]  ? userfaultfd_release+0x5c1/0x6e0
[ 122.054020]  kasan_end_report+0x50/0x50
[ 122.057959]  kasan_report+0x137/0x340
[ 122.061725]  ? userfaultfd_event_wait_completion+0x910/0x910
[ 122.067488]  __asan_report_load8_noabort+0x14/0x20
[ 122.072384]  userfaultfd_release+0x5c1/0x6e0
[ 122.076758]  ? fcntl_setlk+0x10c0/0x10c0
[ 122.080783]  ? kmem_cache_free+0x77/0x280
[ 122.084894]  ? userfaultfd_event_wait_completion+0x910/0x910
[ 122.090657]  ? fsnotify+0x1af0/0x1af0
[ 122.094424]  ? rcu_note_context_switch+0x710/0x710
[ 122.099322]  ? __might_sleep+0x95/0x190
[ 122.103260]  ? userfaultfd_event_wait_completion+0x910/0x910
[ 122.109031]  __fput+0x327/0x7e0
[ 122.112279]  ? fput+0x140/0x140
[ 122.115523]  ? _raw_spin_unlock_irq+0x27/0x70
[ 122.119985]  ____fput+0x15/0x20
[ 122.123234]  task_work_run+0x199/0x270
[ 122.127089]  ? task_work_cancel+0x210/0x210
[ 122.131385]  ? _raw_spin_unlock+0x22/0x30
[ 122.135503]  ? switch_task_namespaces+0x87/0xc0
[ 122.140142]  do_exit+0xa52/0x1b30
[ 122.143567]  ? try_to_wake_up+0xf9/0x1600
[ 122.147697]  ? lock_downgrade+0x990/0x990
[ 122.151812]  ? mm_update_next_owner+0x930/0x930
[ 122.156447]  ? do_raw_spin_trylock+0x190/0x190
[ 122.160990]  ? do_raw_spin_trylock+0x190/0x190
[ 122.165554]  ? trace_hardirqs_off+0xd/0x10
[ 122.169792]  ? _raw_spin_unlock_irqrestore+0xa6/0xba
[ 122.174863]  ? try_to_wake_up+0xf9/0x1600
[ 122.178976]  ? _raw_spin_unlock+0x22/0x30
[ 122.183090]  ? check_noncircular+0x20/0x20
[ 122.187294]  ? migrate_swap_stop+0x970/0x970
[ 122.191673]  ? __pmd_alloc+0x4e0/0x4e0
[ 122.195538]  ? find_held_lock+0x35/0x1d0
[ 122.199568]  ? find_held_lock+0x35/0x1d0
[ 122.203600]  ? do_group_exit+0x318/0x400
[ 122.207629]  ? lock_downgrade+0x990/0x990
[ 122.211746]  ? do_raw_spin_trylock+0x190/0x190
[ 122.216297]  ? signal_wake_up_state+0x3a/0x40
[ 122.220759]  ? zap_other_threads+0x1ca/0x240
[ 122.225134]  ? force_sig+0x30/0x30
[ 122.228644]  ? _raw_spin_unlock_irq+0x27/0x70
[ 122.233117]  ? trace_hardirqs_on_caller+0x421/0x5c0
[ 122.238112]  do_group_exit+0x149/0x400
[ 122.241973]  ? do_futex+0x20a0/0x20a0
[ 122.245746]  ? SyS_exit+0x30/0x30
[ 122.249172]  ? trace_hardirqs_on_caller+0x421/0x5c0
[ 122.254169]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 122.258906]  SyS_exit_group+0x1d/0x20
[ 122.262676]  entry_SYSCALL_64_fastpath+0x1f/0xbe
[ 122.267396] RIP: 0033:0x4512e9
[ 122.270550] RSP: 002b:0000000000a6f9e8 EFLAGS: 00000206 ORIG_RAX: 00000000000000e7
[ 122.278224] RAX: ffffffffffffffda RBX: 0000000001eb8914 RCX: 00000000004512e9
[ 122.285459] RDX: 00000000004512e9 RSI: 0000000000763128 RDI: 0000000000000000
[ 122.292695] RBP: 0000000000000086 R08: 00000000007180a8 R09: 00000000000000b4
[ 122.299933] R10: 0000000000763120 R11: 0000000000000206 R12: fffffffffffffffe
[ 122.307171] R13: 00000000007181f8 R14: 0000000020053f90 R15: 0000000000000016
[ 122.314702] Dumping ftrace buffer:
[ 122.318221]    (ftrace buffer empty)
[ 122.321897] Kernel Offset: disabled
[ 122.325489] Rebooting in 86400 seconds..