Debian GNU/Linux 7 syzkaller ttyS0
2017/10/27 06:28:48 parsed 1 programs
2017/10/27 06:28:48 executed programs: 0
2017/10/27 06:28:53 executed programs: 690
2017/10/27 06:28:58 executed programs: 1341
2017/10/27 06:29:03 executed programs: 1997
2017/10/27 06:29:08 executed programs: 2723
2017/10/27 06:29:13 executed programs: 3429
2017/10/27 06:29:18 executed programs: 4092
syzkaller login: [ 197.897513] ==================================================================
[ 197.898312] BUG: KASAN: use-after-free in __do_page_fault+0xc03/0xd60
[ 197.898936] Read of size 8 at addr ffff88006b8e1f00 by task syz-executor6/28517
[ 197.899601]
[ 197.899761] CPU: 3 PID: 28517 Comm: syz-executor6 Not tainted 4.14.0-rc5-next-20171018+ #8
[ 197.900519] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
[ 197.901252] Call Trace:
[ 197.901496] dump_stack+0x194/0x257
[ 197.902086] ? arch_local_irq_restore+0x53/0x53
[ 197.902527] ? show_regs_print_info+0x65/0x65
[ 197.902798] ? __do_page_fault+0xc03/0xd60
[ 197.903081] print_address_description+0x73/0x250
[ 197.903524] ? __do_page_fault+0xc03/0xd60
[ 197.903907] kasan_report+0x25b/0x340
[ 197.904308] __asan_report_load8_noabort+0x14/0x20
[ 197.904753] __do_page_fault+0xc03/0xd60
[ 197.905123] ? mm_fault_error+0x2c0/0x2c0
[ 197.905498] ? __task_pid_nr_ns+0x29b/0x540
[ 197.905884] do_page_fault+0xee/0x720
[ 197.906225] ? lock_release+0xa40/0xa40
[ 197.906870] ? __do_page_fault+0xd60/0xd60
[ 197.907250] ? SyS_futex+0x269/0x390
[ 197.907584] ? do_futex+0x20d0/0x20d0
[ 197.907919] ? __task_pid_nr_ns+0x2c4/0x540
[ 197.908307] ? retint_user+0x18/0x23
[ 197.908642] ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 197.909077] do_async_page_fault+0x82/0x110
[ 197.909462] async_page_fault+0x22/0x30
[ 197.909813] RIP: 0033:0x43164f
[ 197.910100] RSP: 002b:00007f916f039790 EFLAGS: 00010206
[ 197.910619] RAX: 0000000000000000 RBX: 00007f916f0397c0 RCX: 00007f916f0397bf
[ 197.911258] RDX: 0000000000000400 RSI: 0000000020012fee RDI: 00007f916f0397c0
[ 197.911904] RBP: 0000000000748020 R08: 0000000000000000 R09: 0000000000000100
[ 197.912551] R10: 0000000020012fee R11: 0000000000000246 R12: 00000000ffffffff
[ 197.913200] R13: 0000000000008430 R14: 00000000006ec4d0 R15: 00007f916f03a700
[ 197.913852]
[ 197.913999] Allocated by task 28517:
[ 197.914331] save_stack+0x43/0xd0
[ 197.914643] kasan_kmalloc+0xad/0xe0
[ 197.914970] kasan_slab_alloc+0x12/0x20
[ 197.915320] kmem_cache_alloc+0x12e/0x760
[ 197.915683] mmap_region+0x7ee/0x15a0
[ 197.916018] do_mmap+0x69b/0xd40
[ 197.916314] vm_mmap_pgoff+0x1de/0x280
[ 197.916656] SyS_mmap_pgoff+0x23b/0x5f0
[ 197.917004] SyS_mmap+0x16/0x20
[ 197.917295] entry_SYSCALL_64_fastpath+0x1f/0xbe
[ 197.917710]
[ 197.917858] Freed by task 28540:
[ 197.918161] save_stack+0x43/0xd0
[ 197.918483] kasan_slab_free+0x71/0xc0
[ 197.918823] kmem_cache_free+0x77/0x280
[ 197.919181] remove_vma+0x162/0x1b0
[ 197.919511] do_munmap+0x82a/0xdf0
[ 197.919831] mmap_region+0x59e/0x15a0
[ 197.920173] do_mmap+0x69b/0xd40
[ 197.920476] vm_mmap_pgoff+0x1de/0x280
[ 197.920820] SyS_mmap_pgoff+0x23b/0x5f0
[ 197.921170] SyS_mmap+0x16/0x20
[ 197.921463] entry_SYSCALL_64_fastpath+0x1f/0xbe
[ 197.921892]
[ 197.922044] The buggy address belongs to the object at ffff88006b8e1eb0
[ 197.922044] which belongs to the cache vm_area_struct of size 200
[ 197.923143] The buggy address is located 80 bytes inside of
[ 197.923143] 200-byte region [ffff88006b8e1eb0, ffff88006b8e1f78)
[ 197.923955] The buggy address belongs to the page:
[ 197.924398] page:ffffea0001ae3840 count:1 mapcount:0 mapping:ffff88006b8e1040 index:0xffff88006b8e1148
[ 197.925254] flags: 0x500000000000100(slab)
[ 197.925642] raw: 0500000000000100 ffff88006b8e1040 ffff88006b8e1148 0000000100000007
[ 197.926357] raw: ffffea0001a0e7e0 ffffea0001ab25a0 ffff88003e87b500 0000000000000000
[ 197.927074] page dumped because: kasan: bad access detected
[ 197.927952]
[ 197.928106] Memory state around the buggy address:
[ 197.928552] ffff88006b8e1e00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 fc fc
[ 197.929269] ffff88006b8e1e80: fc fc fc fc fc fc fb fb fb fb fb fb fb fb fb fb
[ 197.929936] >ffff88006b8e1f00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fc
[ 197.930663] ^
[ 197.930967] ffff88006b8e1f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 197.931619] ffff88006b8e2000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 197.932267] ==================================================================
[ 197.932921] Disabling lock debugging due to kernel taint
[ 197.933439] Kernel panic - not syncing: panic_on_warn set ...
[ 197.933439]
[ 197.934095] CPU: 3 PID: 28517 Comm: syz-executor6 Tainted: G B 4.14.0-rc5-next-20171018+ #8
[ 197.934985] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
[ 197.935729] Call Trace:
[ 197.935971] dump_stack+0x194/0x257
[ 197.936307] ? arch_local_irq_restore+0x53/0x53
[ 197.936735] ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 197.937171] ? vsnprintf+0x1ed/0x1900
[ 197.937521] ? __do_page_fault+0xb60/0xd60
[ 197.937911] panic+0x1e4/0x41c
[ 197.938204] ? refcount_error_report+0x214/0x214
[ 197.938640] ? add_taint+0x1c/0x50
[ 197.938965] ? add_taint+0x1c/0x50
[ 197.939300] ? __do_page_fault+0xc03/0xd60
[ 197.939685] kasan_end_report+0x50/0x50
[ 197.940049] kasan_report+0x144/0x340
[ 197.940394] __asan_report_load8_noabort+0x14/0x20
[ 197.940838] __do_page_fault+0xc03/0xd60
[ 197.941211] ? mm_fault_error+0x2c0/0x2c0
[ 197.941591] ? __task_pid_nr_ns+0x29b/0x540
[ 197.941988] do_page_fault+0xee/0x720
[ 197.942334] ? lock_release+0xa40/0xa40
[ 197.942709] ? __do_page_fault+0xd60/0xd60
[ 197.943092] ? SyS_futex+0x269/0x390
[ 197.943438] ? do_futex+0x20d0/0x20d0
[ 197.943786] ? __task_pid_nr_ns+0x2c4/0x540
[ 197.944181] ? retint_user+0x18/0x23
[ 197.944523] ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 197.944971] do_async_page_fault+0x82/0x110
[ 197.945430] async_page_fault+0x22/0x30
[ 197.945794] RIP: 0033:0x43164f
[ 197.946083] RSP: 002b:00007f916f039790 EFLAGS: 00010206
[ 197.946579] RAX: 0000000000000000 RBX: 00007f916f0397c0 RCX: 00007f916f0397bf
[ 197.947239] RDX: 0000000000000400 RSI: 0000000020012fee RDI: 00007f916f0397c0
[ 197.947911] RBP: 0000000000748020 R08: 0000000000000000 R09: 0000000000000100
[ 197.948577] R10: 0000000020012fee R11: 0000000000000246 R12: 00000000ffffffff
[ 197.949251] R13: 0000000000008430 R14: 00000000006ec4d0 R15: 00007f916f03a700
[ 197.950308] Dumping ftrace buffer:
[ 197.950632] (ftrace buffer empty)
[ 197.950963] Kernel Offset: disabled
[ 197.951298] Rebooting in 86400 seconds..