INIT: Entering runlevel: 2
[info] Using makefile-style concurrent boot in runlevel 2.
[ ok ] Starting enhanced syslogd: rsyslogd.
[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.

Debian GNU/Linux 7 syzkaller ttyS0

Warning: Permanently added 'ci-upstream-next-kasan-gce-8,10.128.15.229' (ECDSA) to the list of known hosts.
2017/10/06 04:17:48 parsed 1 programs
2017/10/06 04:17:48 executed programs: 0

syzkaller login: [ 42.458950] ==================================================================
[ 42.466374] BUG: KASAN: use-after-free in __do_page_fault+0xc03/0xd60
[ 42.473013] Read of size 8 at addr ffff8801ce12bba8 by task syz-executor4/3058
[ 42.480341]
[ 42.481946] CPU: 0 PID: 3058 Comm: syz-executor4 Not tainted 4.14.0-rc2-next-20170929+ #32
[ 42.490319] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 42.499658] Call Trace:
[ 42.502221]  dump_stack+0x194/0x257
[ 42.505828]  ? arch_local_irq_restore+0x53/0x53
[ 42.510472]  ? show_regs_print_info+0x65/0x65
[ 42.514947]  ? __do_page_fault+0xc03/0xd60
[ 42.519158]  print_address_description+0x73/0x250
[ 42.523975]  ? __do_page_fault+0xc03/0xd60
[ 42.528184]  kasan_report+0x25b/0x340
[ 42.531964]  __asan_report_load8_noabort+0x14/0x20
[ 42.536866]  __do_page_fault+0xc03/0xd60
[ 42.540912]  ? mm_fault_error+0x2c0/0x2c0
[ 42.545035]  ? free_pidmap.isra.0+0x70/0x70
[ 42.549344]  do_page_fault+0xee/0x720
[ 42.553122]  ? __do_page_fault+0xd60/0xd60
[ 42.557333]  ? SyS_futex+0x269/0x390
[ 42.561030]  ? do_futex+0x20d0/0x20d0
[ 42.564805]  ? __task_pid_nr_ns+0x2c7/0x540
[ 42.569102]  ? entry_SYSCALL_64_fastpath+0x4b/0xbe
[ 42.574014]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 42.578838]  page_fault+0x22/0x30
[ 42.582264] RIP: 0033:0x44bcf0
[ 42.585429] RSP: 002b:00007f1a7ca58758 EFLAGS: 00010202
[ 42.590769] RAX: 00007f1a7ca58800 RBX: 0000000000718000 RCX: 000000000000000e
[ 42.598014] RDX: 0000000000000400 RSI: 0000000020012fe0 RDI: 00007f1a7ca58800
[ 42.605258] RBP: 0000000000005e10 R08: 0000000000000400 R09: 0000000000000000
[ 42.612502] R10: 00000000000f4245 R11: 0000000000000246 R12: 00000000004bbc27
[ 42.619748] R13: 00000000ffffffff R14: 0000000020012fee R15: 0000000000000000
[ 42.627011]
[ 42.628611] Allocated by task 3058:
[ 42.632213]  save_stack_trace+0x16/0x20
[ 42.636159]  save_stack+0x43/0xd0
[ 42.639582]  kasan_kmalloc+0xad/0xe0
[ 42.643266]  kasan_slab_alloc+0x12/0x20
[ 42.647212]  kmem_cache_alloc+0x12e/0x760
[ 42.651331]  mmap_region+0x7ee/0x15a0
[ 42.655103]  do_mmap+0x6a1/0xd50
[ 42.658439]  vm_mmap_pgoff+0x1de/0x280
[ 42.662295]  SyS_mmap_pgoff+0x23b/0x5f0
[ 42.666238]  SyS_mmap+0x16/0x20
[ 42.669488]  entry_SYSCALL_64_fastpath+0x1f/0xbe
[ 42.674210]
[ 42.675807] Freed by task 3069:
[ 42.679056]  save_stack_trace+0x16/0x20
[ 42.682999]  save_stack+0x43/0xd0
[ 42.686424]  kasan_slab_free+0x71/0xc0
[ 42.690283]  kmem_cache_free+0x77/0x280
[ 42.694224]  remove_vma+0x162/0x1b0
[ 42.697822]  do_munmap+0x82a/0xdf0
[ 42.701329]  mmap_region+0x59e/0x15a0
[ 42.705098]  do_mmap+0x6a1/0xd50
[ 42.708433]  vm_mmap_pgoff+0x1de/0x280
[ 42.712291]  SyS_mmap_pgoff+0x23b/0x5f0
[ 42.716236]  SyS_mmap+0x16/0x20
[ 42.719486]  entry_SYSCALL_64_fastpath+0x1f/0xbe
[ 42.724207]
[ 42.725805] The buggy address belongs to the object at ffff8801ce12bb58
[ 42.725805]  which belongs to the cache vm_area_struct of size 200
[ 42.738702] The buggy address is located 80 bytes inside of
[ 42.738702]  200-byte region [ffff8801ce12bb58, ffff8801ce12bc20)
[ 42.750457] The buggy address belongs to the page:
[ 42.755355] page:ffffea0007384ac0 count:1 mapcount:0 mapping:ffff8801ce12b000 index:0x0
[ 42.763471] flags: 0x200000000000100(slab)
[ 42.767677] raw: 0200000000000100 ffff8801ce12b000 0000000000000000 000000010000000f
[ 42.775526] raw: ffffea000738fa20 ffffea000737a160 ffff8801dae049c0 0000000000000000
[ 42.783372] page dumped because: kasan: bad access detected
[ 42.789048]
[ 42.790646] Memory state around the buggy address:
[ 42.795545]  ffff8801ce12ba80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 42.802877]  ffff8801ce12bb00: fb fb fb fc fc fc fc fc fc fc fc fb fb fb fb fb
[ 42.810214] >ffff8801ce12bb80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 42.817545]                             ^
[ 42.822183]  ffff8801ce12bc00: fb fb fb fb fc fc fc fc fc fc fc fc 00 00 00 00
[ 42.829514]  ffff8801ce12bc80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 42.836929] ==================================================================
[ 42.844256] Disabling lock debugging due to kernel taint
[ 42.849770] Kernel panic - not syncing: panic_on_warn set ...
[ 42.849770]
[ 42.857103] CPU: 0 PID: 3058 Comm: syz-executor4 Tainted: G B 4.14.0-rc2-next-20170929+ #32
[ 42.866686] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 42.876005] Call Trace:
[ 42.878566]  dump_stack+0x194/0x257
[ 42.882161]  ? arch_local_irq_restore+0x53/0x53
[ 42.886805]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 42.891532]  ? __do_page_fault+0xb90/0xd60
[ 42.895737]  panic+0x1e4/0x41c
[ 42.898893]  ? refcount_error_report+0x214/0x214
[ 42.903624]  ? __do_page_fault+0xc03/0xd60
[ 42.907825]  kasan_end_report+0x50/0x50
[ 42.911763]  kasan_report+0x144/0x340
[ 42.915531]  __asan_report_load8_noabort+0x14/0x20
[ 42.920429]  __do_page_fault+0xc03/0xd60
[ 42.924460]  ? mm_fault_error+0x2c0/0x2c0
[ 42.928575]  ? free_pidmap.isra.0+0x70/0x70
[ 42.932864]  do_page_fault+0xee/0x720
[ 42.936629]  ? __do_page_fault+0xd60/0xd60
[ 42.940833]  ? SyS_futex+0x269/0x390
[ 42.944516]  ? do_futex+0x20d0/0x20d0
[ 42.948986]  ? __task_pid_nr_ns+0x2c7/0x540
[ 42.953276]  ? entry_SYSCALL_64_fastpath+0x4b/0xbe
[ 42.958174]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 42.963422]  page_fault+0x22/0x30
[ 42.966844] RIP: 0033:0x44bcf0
[ 42.969999] RSP: 002b:00007f1a7ca58758 EFLAGS: 00010202
[ 42.975327] RAX: 00007f1a7ca58800 RBX: 0000000000718000 RCX: 000000000000000e
[ 42.982564] RDX: 0000000000000400 RSI: 0000000020012fe0 RDI: 00007f1a7ca58800
[ 42.989800] RBP: 0000000000005e10 R08: 0000000000000400 R09: 0000000000000000
[ 42.997035] R10: 00000000000f4245 R11: 0000000000000246 R12: 00000000004bbc27
[ 43.004269] R13: 00000000ffffffff R14: 0000000020012fee R15: 0000000000000000
[ 43.011551] Dumping ftrace buffer:
[ 43.015057]    (ftrace buffer empty)
[ 43.018734] Kernel Offset: disabled
[ 43.022328] Rebooting in 86400 seconds..