INIT: Entering runlevel: 2
[info] Using makefile-style concurrent boot in runlevel 2.
[ ok ] Starting enhanced syslogd: rsyslogd.
[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.

Debian GNU/Linux 7 syzkaller ttyS0

Warning: Permanently added 'ci-upstream-kasan-gce-1,10.128.15.220' (ECDSA) to the list of known hosts.
2017/10/06 04:17:23 parsed 1 programs
2017/10/06 04:17:23 executed programs: 0

syzkaller login: [   62.647896] ==================================================================
[   62.655343] BUG: KASAN: use-after-free in __do_page_fault+0xc03/0xd60
[   62.661898] Read of size 8 at addr ffff8801ca265050 by task syz-executor5/4072
[   62.669232]
[   62.670850] CPU: 1 PID: 4072 Comm: syz-executor5 Not tainted 4.14.0-rc3+ #117
[   62.678111] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   62.687450] Call Trace:
[   62.690026]  dump_stack+0x194/0x257
[   62.693656]  ? arch_local_irq_restore+0x53/0x53
[   62.698309]  ? show_regs_print_info+0x65/0x65
[   62.702804]  ? __do_page_fault+0xc03/0xd60
[   62.707035]  print_address_description+0x73/0x250
[   62.711872]  ? __do_page_fault+0xc03/0xd60
[   62.716101]  kasan_report+0x25b/0x340
[   62.719905]  __asan_report_load8_noabort+0x14/0x20
[   62.724821]  __do_page_fault+0xc03/0xd60
[   62.728866]  ? mm_fault_error+0x2c0/0x2c0
[   62.732991]  ? free_pidmap.isra.0+0x70/0x70
[   62.737300]  do_page_fault+0xee/0x720
[   62.741090]  ? __do_page_fault+0xd60/0xd60
[   62.745325]  ? SyS_futex+0x269/0x390
[   62.749036]  ? do_futex+0x20d0/0x20d0
[   62.752828]  ? __task_pid_nr_ns+0x2c7/0x540
[   62.757136]  ? entry_SYSCALL_64_fastpath+0x4b/0xbe
[   62.762071]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   62.766927]  page_fault+0x22/0x30
[   62.770368] RIP: 0033:0x44bcf0
[   62.773537] RSP: 002b:00007ff13b67e758 EFLAGS: 00010202
[   62.778896] RAX: 00007ff13b67e800 RBX: 0000000000718000 RCX: 000000000000000e
[   62.786159] RDX: 0000000000000400 RSI: 0000000020012fe0 RDI: 00007ff13b67e800
[   62.793410] RBP: 0000000000005e10 R08: 0000000000000400 R09: 0000000000000000
[   62.800662] R10: 00000000000f4245 R11: 0000000000000246 R12: 00000000004bbc27
[   62.807920] R13: 00000000ffffffff R14: 0000000020012fee R15: 0000000000000000
[   62.815186]
[   62.816788] Allocated by task 4072:
[   62.820390]  save_stack_trace+0x16/0x20
[   62.824340]  save_stack+0x43/0xd0
[   62.827862]  kasan_kmalloc+0xad/0xe0
[   62.831556]  kasan_slab_alloc+0x12/0x20
[   62.835504]  kmem_cache_alloc+0x12e/0x760
[   62.839629]  mmap_region+0x7ee/0x15a0
[   62.843399]  do_mmap+0x6a1/0xd50
[   62.846736]  vm_mmap_pgoff+0x1de/0x280
[   62.850595]  SyS_mmap_pgoff+0x23b/0x5f0
[   62.854540]  SyS_mmap+0x16/0x20
[   62.857791]  entry_SYSCALL_64_fastpath+0x1f/0xbe
[   62.862520]
[   62.864122] Freed by task 4079:
[   62.867374]  save_stack_trace+0x16/0x20
[   62.871325]  save_stack+0x43/0xd0
[   62.874748]  kasan_slab_free+0x71/0xc0
[   62.878605]  kmem_cache_free+0x77/0x280
[   62.882551]  remove_vma+0x162/0x1b0
[   62.886149]  do_munmap+0x82a/0xdf0
[   62.889657]  mmap_region+0x59e/0x15a0
[   62.893428]  do_mmap+0x6a1/0xd50
[   62.896764]  vm_mmap_pgoff+0x1de/0x280
[   62.900622]  SyS_mmap_pgoff+0x23b/0x5f0
[   62.904566]  SyS_mmap+0x16/0x20
[   62.907818]  entry_SYSCALL_64_fastpath+0x1f/0xbe
[   62.912540]
[   62.914142] The buggy address belongs to the object at ffff8801ca265000
[   62.914142]  which belongs to the cache vm_area_struct of size 200
[   62.927034] The buggy address is located 80 bytes inside of
[   62.927034]  200-byte region [ffff8801ca265000, ffff8801ca2650c8)
[   62.938796] The buggy address belongs to the page:
[   62.943697] page:ffffea0007289940 count:1 mapcount:0 mapping:ffff8801ca265000 index:0x0
[   62.951814] flags: 0x200000000000100(slab)
[   62.956034] raw: 0200000000000100 ffff8801ca265000 0000000000000000 000000010000000f
[   62.963893] raw: ffffea00072882a0 ffffea00075045e0 ffff8801dae069c0 0000000000000000
[   62.971743] page dumped because: kasan: bad access detected
[   62.977422]
[   62.979024] Memory state around the buggy address:
[   62.983931]  ffff8801ca264f00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   62.991260]  ffff8801ca264f80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   62.998590] >ffff8801ca265000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   63.005918]                                                  ^
[   63.011859]  ffff8801ca265080: fb fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc
[   63.019190]  ffff8801ca265100: fc fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   63.026522] ==================================================================
[   63.033851] Disabling lock debugging due to kernel taint
[   63.039346] Kernel panic - not syncing: panic_on_warn set ...
[   63.039346]
[   63.046695] CPU: 1 PID: 4072 Comm: syz-executor5 Tainted: G    B           4.14.0-rc3+ #117
[   63.055153] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   63.064471] Call Trace:
[   63.067030]  dump_stack+0x194/0x257
[   63.070641]  ? arch_local_irq_restore+0x53/0x53
[   63.075295]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[   63.080031]  ? __do_page_fault+0xb20/0xd60
[   63.084233]  panic+0x1e4/0x417
[   63.087391]  ? __warn+0x1d9/0x1d9
[   63.090815]  ? __do_page_fault+0xc03/0xd60
[   63.095023]  kasan_end_report+0x50/0x50
[   63.098973]  kasan_report+0x144/0x340
[   63.102741]  __asan_report_load8_noabort+0x14/0x20
[   63.107637]  __do_page_fault+0xc03/0xd60
[   63.111667]  ? mm_fault_error+0x2c0/0x2c0
[   63.115788]  ? free_pidmap.isra.0+0x70/0x70
[   63.120088]  do_page_fault+0xee/0x720
[   63.123861]  ? __do_page_fault+0xd60/0xd60
[   63.128067]  ? SyS_futex+0x269/0x390
[   63.131750]  ? do_futex+0x20d0/0x20d0
[   63.135515]  ? __task_pid_nr_ns+0x2c7/0x540
[   63.139805]  ? entry_SYSCALL_64_fastpath+0x4b/0xbe
[   63.144706]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   63.149520]  page_fault+0x22/0x30
[   63.152939] RIP: 0033:0x44bcf0
[   63.156094] RSP: 002b:00007ff13b67e758 EFLAGS: 00010202
[   63.161420] RAX: 00007ff13b67e800 RBX: 0000000000718000 RCX: 000000000000000e
[   63.168656] RDX: 0000000000000400 RSI: 0000000020012fe0 RDI: 00007ff13b67e800
[   63.175891] RBP: 0000000000005e10 R08: 0000000000000400 R09: 0000000000000000
[   63.183126] R10: 00000000000f4245 R11: 0000000000000246 R12: 00000000004bbc27
[   63.190364] R13: 00000000ffffffff R14: 0000000020012fee R15: 0000000000000000
[   63.198057] Dumping ftrace buffer:
[   63.201564]    (ftrace buffer empty)
[   63.205238] Kernel Offset: disabled
[   63.208831] Rebooting in 86400 seconds..