INIT: Entering runlevel: 2
[info] Using makefile-style concurrent boot in runlevel 2.
[ ok ] Starting enhanced syslogd: rsyslogd.
[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.

Debian GNU/Linux 7 syzkaller ttyS0

Warning: Permanently added 'ci-upstream-kasan-gce-386-3,10.128.15.227' (ECDSA) to the list of known hosts.
2017/10/03 20:43:08 parsed 1 programs
2017/10/03 20:43:08 executed programs: 0

syzkaller login: [   46.703294] ==================================================================
[   46.710771] BUG: KASAN: use-after-free in __do_page_fault+0xc03/0xd60
[   46.717349] Read of size 8 at addr ffff8801cb9a04b0 by task syz-executor0/3740
[   46.724694]
[   46.726314] CPU: 0 PID: 3740 Comm: syz-executor0 Not tainted 4.14.0-rc3+ #23
[   46.733494] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   46.742835] Call Trace:
[   46.745413]  dump_stack+0x194/0x257
[   46.749029]  ? arch_local_irq_restore+0x53/0x53
[   46.753693]  ? show_regs_print_info+0x65/0x65
[   46.758189]  ? __do_page_fault+0xc03/0xd60
[   46.762410]  print_address_description+0x73/0x250
[   46.767250]  ? __do_page_fault+0xc03/0xd60
[   46.771488]  kasan_report+0x25b/0x340
[   46.775283]  __asan_report_load8_noabort+0x14/0x20
[   46.780190]  __do_page_fault+0xc03/0xd60
[   46.784235]  ? __task_pid_nr_ns+0x2c7/0x540
[   46.788558]  ? mm_fault_error+0x2c0/0x2c0
[   46.792703]  ? lockdep_sys_exit+0x47/0xf0
[   46.796849]  do_page_fault+0xee/0x720
[   46.800647]  ? __do_page_fault+0xd60/0xd60
[   46.804876]  ? lockdep_sys_exit+0x47/0xf0
[   46.809005]  ? syscall_return_slowpath+0x2b3/0x510
[   46.813917]  ? finish_task_switch+0x1aa/0x740
[   46.818391]  ? lockdep_sys_exit+0x47/0xf0
[   46.822528]  ? retint_user+0x18/0x20
[   46.826246]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   46.831091]  page_fault+0x22/0x30
[   46.834523] RIP: 0023:0x8073f4f
[   46.837770] RSP: 002b:00000000f7efdbd0 EFLAGS: 00010202
[   46.843109] RAX: 00000000f7efdc8c RBX: 0000000000000400 RCX: 000000000000000e
[   46.850355] RDX: 00000000f7efea88 RSI: 0000000020012fe0 RDI: 00000000f7efdc8c
[   46.857612] RBP: 0000000008128000 R08: 0000000000000000 R09: 0000000000000000
[   46.864859] R10: 0000000000000000 R11: 0000000000000292 R12: 0000000000000000
[   46.872109] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[   46.879390]
[   46.881009] Allocated by task 3740:
[   46.884622]  save_stack_trace+0x16/0x20
[   46.888572]  save_stack+0x43/0xd0
[   46.892007]  kasan_kmalloc+0xad/0xe0
[   46.895706]  kasan_slab_alloc+0x12/0x20
[   46.899651]  kmem_cache_alloc+0x12e/0x760
[   46.903784]  mmap_region+0x7ee/0x15a0
[   46.907569]  do_mmap+0x6a1/0xd50
[   46.910909]  vm_mmap_pgoff+0x1de/0x280
[   46.914770]  SyS_mmap_pgoff+0x23b/0x5f0
[   46.918717]  do_fast_syscall_32+0x3f2/0xf05
[   46.923014]  entry_SYSENTER_compat+0x51/0x60
[   46.927408]
[   46.929023] Freed by task 3752:
[   46.932288]  save_stack_trace+0x16/0x20
[   46.936242]  save_stack+0x43/0xd0
[   46.939669]  kasan_slab_free+0x71/0xc0
[   46.943539]  kmem_cache_free+0x77/0x280
[   46.947495]  remove_vma+0x162/0x1b0
[   46.951108]  do_munmap+0x82a/0xdf0
[   46.954634]  mmap_region+0x59e/0x15a0
[   46.958412]  do_mmap+0x6a1/0xd50
[   46.961752]  vm_mmap_pgoff+0x1de/0x280
[   46.965609]  SyS_mmap_pgoff+0x23b/0x5f0
[   46.969563]  do_fast_syscall_32+0x3f2/0xf05
[   46.973877]  entry_SYSENTER_compat+0x51/0x60
[   46.978270]
[   46.979892] The buggy address belongs to the object at ffff8801cb9a0460
[   46.979892]  which belongs to the cache vm_area_struct of size 200
[   46.992803] The buggy address is located 80 bytes inside of
[   46.992803]  200-byte region [ffff8801cb9a0460, ffff8801cb9a0528)
[   47.004575] The buggy address belongs to the page:
[   47.009497] page:ffffea00072e6800 count:1 mapcount:0 mapping:ffff8801cb9a0040 index:0x0
[   47.017633] flags: 0x200000000000100(slab)
[   47.021841] raw: 0200000000000100 ffff8801cb9a0040 0000000000000000 000000010000000f
[   47.029704] raw: ffffea000733ca60 ffffea00072f6f60 ffff8801dae069c0 0000000000000000
[   47.037562] page dumped because: kasan: bad access detected
[   47.043253]
[   47.044852] Memory state around the buggy address:
[   47.049752]  ffff8801cb9a0380: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   47.057090]  ffff8801cb9a0400: fb fb fb fb fc fc fc fc fc fc fc fc fb fb fb fb
[   47.064431] >ffff8801cb9a0480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   47.071773]                                      ^
[   47.076681]  ffff8801cb9a0500: fb fb fb fb fb fc fc fc fc fc fc fc fc fb fb fb
[   47.084024]  ffff8801cb9a0580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   47.091368] ==================================================================
[   47.098698] Disabling lock debugging due to kernel taint
[   47.104235] Kernel panic - not syncing: panic_on_warn set ...
[   47.104235]
[   47.111584] CPU: 0 PID: 3740 Comm: syz-executor0 Tainted: G    B           4.14.0-rc3+ #23
[   47.119964] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   47.129287] Call Trace:
[   47.131842]  dump_stack+0x194/0x257
[   47.135442]  ? arch_local_irq_restore+0x53/0x53
[   47.140093]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[   47.144828]  ? __do_page_fault+0xb20/0xd60
[   47.149034]  panic+0x1e4/0x417
[   47.152197]  ? __warn+0x1d9/0x1d9
[   47.155623]  ? __do_page_fault+0xc03/0xd60
[   47.159839]  kasan_end_report+0x50/0x50
[   47.163782]  kasan_report+0x144/0x340
[   47.167566]  __asan_report_load8_noabort+0x14/0x20
[   47.172462]  __do_page_fault+0xc03/0xd60
[   47.176487]  ? __task_pid_nr_ns+0x2c7/0x540
[   47.180777]  ? mm_fault_error+0x2c0/0x2c0
[   47.184897]  ? lockdep_sys_exit+0x47/0xf0
[   47.189023]  do_page_fault+0xee/0x720
[   47.192797]  ? __do_page_fault+0xd60/0xd60
[   47.197003]  ? lockdep_sys_exit+0x47/0xf0
[   47.201126]  ? syscall_return_slowpath+0x2b3/0x510
[   47.206032]  ? finish_task_switch+0x1aa/0x740
[   47.210504]  ? lockdep_sys_exit+0x47/0xf0
[   47.214625]  ? retint_user+0x18/0x20
[   47.218310]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   47.223123]  page_fault+0x22/0x30
[   47.226551] RIP: 0023:0x8073f4f
[   47.229796] RSP: 002b:00000000f7efdbd0 EFLAGS: 00010202
[   47.235124] RAX: 00000000f7efdc8c RBX: 0000000000000400 RCX: 000000000000000e
[   47.242360] RDX: 00000000f7efea88 RSI: 0000000020012fe0 RDI: 00000000f7efdc8c
[   47.249595] RBP: 0000000008128000 R08: 0000000000000000 R09: 0000000000000000
[   47.256831] R10: 0000000000000000 R11: 0000000000000292 R12: 0000000000000000
[   47.264075] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[   47.271932] Dumping ftrace buffer:
[   47.275441]    (ftrace buffer empty)
[   47.279117] Kernel Offset: disabled
[   47.282711] Rebooting in 86400 seconds..
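Reading the report above: the faulting access is an 8-byte read at offset 80 of a 200-byte vm_area_struct whose shadow bytes are all 0xfb (freed slab object), made from __do_page_fault in task 3740 of a 32-bit compat process (RIP segment 0023, entry_SYSENTER_compat). The object was allocated by that same task's mmap and freed by a sibling task, 3752, through mmap_region -> do_munmap -> remove_vma, which is the path a new mapping takes when it overlaps a live VMA. Since munmap needs the mm's mmap_sem for writing and the fault path holds it for reading, the free can only have happened while the faulting task had let go of the lock, so the vma pointer it kept across that window was stale. The helper below is an added example (not syzkaller or kernel code) that pulls exactly those facts out of a report of this shape: access kind and size, reliable call-trace frames, alloc and free tasks and stacks, object cache and offset, and the shadow state of the faulting granule. Assumptions: the input is the generic-KASAN report layout from this kernel era, VMA_FIELDS is a hand-derived layout of the first fields of 4.14's x86-64 struct vm_area_struct (under which offset 80 is vm_flags; confirm with pahole on the vmlinux that produced the report before relying on it), the embedded REPORT is a constructed excerpt of the report above with most frames dropped, and Python 3.8 or later is used.

```python
"""Triage helper for KASAN slab use-after-free reports (added example; not kernel or syzkaller code).
VMA_FIELDS is an ASSUMPTION hand-derived from 4.14 x86-64 struct vm_area_struct; confirm with pahole."""
import re

# Shadow-byte encodings as defined in mm/kasan/kasan.h (generic KASAN, 4.14 era).
SHADOW_LEGEND = {0x00: "addressable", 0xFA: "global redzone", 0xFB: "freed slab object",
                 0xFC: "slab object redzone", 0xFE: "kmalloc_large page redzone", 0xFF: "freed page",
                 0xF1: "stack left redzone", 0xF2: "stack mid redzone", 0xF3: "stack right redzone",
                 0xF4: "stack partial redzone", 0xF8: "use-after-scope"}

# ASSUMED (field, offset, size) for the head of struct vm_area_struct, 4.14 x86-64.
VMA_FIELDS = [("vm_start", 0, 8), ("vm_end", 8, 8), ("vm_next", 16, 8), ("vm_prev", 24, 8),
              ("vm_rb", 32, 24), ("rb_subtree_gap", 56, 8), ("vm_mm", 64, 8),
              ("vm_page_prot", 72, 8), ("vm_flags", 80, 8)]

_TS = re.compile(r"^\[\s*\d+\.\d+\]\s?")                                    # dmesg timestamp
_FRAME = re.compile(r"^(\? )?([A-Za-z_][\w.]*)\+0x[0-9a-f]+/0x[0-9a-f]+$")  # one stack frame
_ROW = re.compile(r"^>?([0-9a-f]{16}): ((?:[0-9a-f]{2}\s?){16})$")          # shadow dump row


def parse_kasan_report(text):
    """Parse one KASAN report (dmesg text) into a dict of the facts needed for triage."""
    r = {"trace": [], "alloc_stack": [], "free_stack": [], "shadow": {}}
    section = None
    for raw in text.splitlines():
        line = _TS.sub("", raw).strip()
        if not line:                      # a blank line ends the current stack section
            section = None
        elif (m := re.match(r"BUG: KASAN: (\S+) in (\S+?)\+0x", line)):
            r["kind"], r["func"] = m.groups()
        elif (m := re.match(r"(Read|Write) of size (\d+) at addr ([0-9a-f]+) by task \S+/(\d+)", line)):
            r["access"], r["size"] = m.group(1).lower(), int(m.group(2))
            r["addr"], r["pid"] = int(m.group(3), 16), int(m.group(4))
        elif line == "Call Trace:":
            section = "trace"
        elif (m := re.match(r"Allocated by task (\d+):", line)):
            r["alloc_pid"], section = int(m.group(1)), "alloc_stack"
        elif (m := re.match(r"Freed by task (\d+):", line)):
            r["free_pid"], section = int(m.group(1)), "free_stack"
        elif (m := re.match(r"The buggy address belongs to the object at ([0-9a-f]+)", line)):
            r["obj_base"] = int(m.group(1), 16)
        elif (m := re.match(r"which belongs to the cache (\S+) of size (\d+)", line)):
            r["cache"], r["obj_size"] = m.group(1), int(m.group(2))
        elif (m := _ROW.match(line)):
            r["shadow"][int(m.group(1), 16)] = [int(b, 16) for b in m.group(2).split()]
        elif (m := _FRAME.match(line)) and section:
            if not (section == "trace" and m.group(1)):   # '? ' frames are guesses; drop them
                r[section].append(m.group(2))
    return r


def shadow_state(report, addr=None):
    """(shadow byte, meaning) for the 8-byte granule holding addr (default: the faulting address)."""
    addr = report["addr"] if addr is None else addr
    row = addr & ~0x7F                   # each dumped row covers 16 granules = 128 bytes
    cells = report["shadow"].get(row)
    if cells is None:
        return None, "granule not in dump"
    b = cells[(addr - row) // 8]
    if 1 <= b <= 7:
        return b, "partially addressable (%d of 8 bytes)" % b
    return b, SHADOW_LEGEND.get(b, "unknown")


def triage(report, layout=()):
    """Answer the first questions: offset in object, which field, shadow state, who freed it."""
    off = report["addr"] - report["obj_base"]
    byte, meaning = shadow_state(report)
    return {"offset": off, "in_object": 0 <= off < report["obj_size"],
            "field": next((n for n, s, z in layout if s <= off < s + z), None),
            "shadow_byte": byte, "shadow_meaning": meaning,
            "cross_task_free": report.get("alloc_pid") != report.get("free_pid"),
            "freed_by": report["free_stack"], "reliable_trace": report["trace"]}


# Constructed input: the report above, with most frames dropped to keep this short.
REPORT = """\
[   46.710771] BUG: KASAN: use-after-free in __do_page_fault+0xc03/0xd60
[   46.717349] Read of size 8 at addr ffff8801cb9a04b0 by task syz-executor0/3740
[   46.742835] Call Trace:
[   46.780190]  __do_page_fault+0xc03/0xd60
[   46.788558]  ? mm_fault_error+0x2c0/0x2c0
[   46.796849]  do_page_fault+0xee/0x720
[   46.831091]  page_fault+0x22/0x30
[   46.881009] Allocated by task 3740:
[   46.903784]  mmap_region+0x7ee/0x15a0
[   46.929023] Freed by task 3752:
[   46.947495]  remove_vma+0x162/0x1b0
[   46.951108]  do_munmap+0x82a/0xdf0
[   46.954634]  mmap_region+0x59e/0x15a0
[   46.979892] The buggy address belongs to the object at ffff8801cb9a0460
[   46.979892]  which belongs to the cache vm_area_struct of size 200
[   47.057090]  ffff8801cb9a0400: fb fb fb fb fc fc fc fc fc fc fc fc fb fb fb fb
[   47.064431] >ffff8801cb9a0480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
"""

if __name__ == "__main__":
    rep = parse_kasan_report(REPORT)
    t = triage(rep, VMA_FIELDS)
    print("%s: %s of %d bytes at +%d (%s) of a %d-byte %s object, shadow 0x%02x (%s)" % (
        rep["kind"], rep["access"], rep["size"], t["offset"], t["field"],
        rep["obj_size"], rep["cache"], t["shadow_byte"], t["shadow_meaning"]))
    print("freed by a different task:", t["cross_task_free"], "via", " <- ".join(t["freed_by"]))
```

Two design points. Frames prefixed with "? " are addresses the unwinder found on the stack but could not tie to a frame, so the helper keeps them out of the reliable trace; the free and alloc stacks have no such frames and are kept whole. The helper stops at "which field, freed by whom, through what path"; pinning the read to a source line still means resolving __do_page_fault+0xc03 against the exact vmlinux (for example with scripts/faddr2line), and the fix belongs wherever that line kept using the vma pointer after the lock protecting it could have been dropped.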