INIT: Entering runlevel: 2 [info] Using makefile-style concurrent boot in runlevel 2. [ ok ] Starting enhanced syslogd: rsyslogd. [ ok ] Starting periodic command scheduler: cron. [ ok ] Starting OpenBSD Secure Shell server: sshd. Debian GNU/Linux 7 syzkaller ttyS0 Warning: Permanently added 'ci-upstream-kasan-gce-0,10.128.0.14' (ECDSA) to the list of known hosts. 2017/08/23 01:34:19 parsed 1 programs 2017/08/23 01:34:19 executed programs: 0 2017/08/23 01:34:24 executed programs: 70 syzkaller login: [ 91.232711] ================================================================== [ 91.233918] BUG: KASAN: use-after-free in userfaultfd_release+0x5c1/0x6e0 [ 91.234849] Read of size 8 at addr ffff8801cd747da0 by task syz-executor0/4102 [ 91.235951] [ 91.236215] CPU: 1 PID: 4102 Comm: syz-executor0 Not tainted 4.13.0-rc6+ #46 [ 91.237156] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 91.238375] Call Trace: [ 91.238733] dump_stack+0x194/0x257 [ 91.239225] ? arch_local_irq_restore+0x53/0x53 [ 91.239848] ? show_regs_print_info+0x65/0x65 [ 91.240454] ? unwind_get_return_address+0x61/0xa0 [ 91.241124] ? userfaultfd_release+0x5c1/0x6e0 [ 91.241741] print_address_description+0x73/0x250 [ 91.242387] ? userfaultfd_release+0x5c1/0x6e0 [ 91.243000] kasan_report+0x24e/0x340 [ 91.243513] ? userfaultfd_event_wait_completion+0x910/0x910 [ 91.244282] __asan_report_load8_noabort+0x14/0x20 [ 91.244937] userfaultfd_release+0x5c1/0x6e0 [ 91.245531] ? fcntl_setlk+0x10c0/0x10c0 [ 91.246076] ? free_fs_struct+0x4f/0x60 [ 91.246614] ? userfaultfd_event_wait_completion+0x910/0x910 [ 91.247386] ? fsnotify+0x1af0/0x1af0 [ 91.247908] ? __might_sleep+0x95/0x190 [ 91.248445] ? userfaultfd_event_wait_completion+0x910/0x910 [ 91.249231] __fput+0x327/0x7e0 [ 91.249683] ? fput+0x140/0x140 [ 91.250157] ? do_raw_spin_trylock+0x190/0x190 [ 91.250772] ? 
check_same_owner+0x320/0x320 [ 91.251393] ____fput+0x15/0x20 [ 91.251840] task_work_run+0x18a/0x260 [ 91.252365] ? task_work_cancel+0x210/0x210 [ 91.252981] ? _raw_spin_unlock+0x22/0x30 [ 91.257101] ? switch_task_namespaces+0x87/0xc0 [ 91.261747] do_exit+0xa3a/0x1b10 [ 91.265182] ? debug_check_no_locks_freed+0x3c0/0x3c0 [ 91.270349] ? __lock_acquire+0x6ef/0x3dc0 [ 91.274553] ? check_noncircular+0x20/0x20 [ 91.278769] ? mm_update_next_owner+0x930/0x930 [ 91.283418] ? __lock_acquire+0x6ef/0x3dc0 [ 91.287620] ? find_held_lock+0x35/0x1d0 [ 91.291661] ? debug_check_no_locks_freed+0x3c0/0x3c0 [ 91.296818] ? lock_release+0xa40/0xa40 [ 91.300767] ? __free_insn_slot+0x5c0/0x5c0 [ 91.305065] ? check_noncircular+0x20/0x20 [ 91.309272] ? is_bpf_text_address+0xa4/0x120 [ 91.313737] ? __kernel_text_address+0xae/0xe0 [ 91.318291] ? unwind_get_return_address+0x61/0xa0 [ 91.323200] ? __save_stack_trace+0x7e/0xd0 [ 91.327500] ? find_held_lock+0x35/0x1d0 [ 91.331537] ? get_signal+0x855/0x17e0 [ 91.335401] ? lock_downgrade+0x990/0x990 [ 91.339527] do_group_exit+0x149/0x400 [ 91.343383] ? __lock_is_held+0xb6/0x140 [ 91.347412] ? SyS_exit+0x30/0x30 [ 91.350835] ? _raw_spin_unlock_irq+0x27/0x70 [ 91.355299] ? trace_hardirqs_on_caller+0x421/0x5c0 [ 91.360288] get_signal+0x7e8/0x17e0 [ 91.363995] ? ptrace_notify+0x130/0x130 [ 91.368027] ? call_rcu_sched+0x12/0x20 [ 91.371979] ? is_bpf_text_address+0xa4/0x120 [ 91.376446] ? __kernel_text_address+0xae/0xe0 [ 91.380999] ? unwind_get_return_address+0x61/0xa0 [ 91.385897] ? __save_stack_trace+0x7e/0xd0 [ 91.390194] ? depot_save_stack+0x12c/0x490 [ 91.394489] do_signal+0x94/0x1ee0 [ 91.397999] ? save_stack+0xa3/0xd0 [ 91.401595] ? save_stack_trace+0x16/0x20 [ 91.405709] ? save_stack+0x43/0xd0 [ 91.409301] ? kasan_slab_free+0x71/0xc0 [ 91.413329] ? kmem_cache_free+0x77/0x280 [ 91.417446] ? putname+0xee/0x130 [ 91.420867] ? do_sys_open+0x31b/0x6d0 [ 91.424721] ? SyS_open+0x2d/0x40 [ 91.428144] ? setup_sigcontext+0x7d0/0x7d0 [ 91.432437] ? 
_raw_spin_unlock+0x22/0x30 [ 91.436551] ? __alloc_fd+0x29b/0x750 [ 91.440325] ? find_held_lock+0x35/0x1d0 [ 91.444358] ? put_unused_fd+0x62/0x70 [ 91.448215] ? lock_downgrade+0x990/0x990 [ 91.452335] ? exit_to_usermode_loop+0x98/0x300 [ 91.456979] exit_to_usermode_loop+0x224/0x300 [ 91.461532] ? trace_event_raw_event_sys_exit+0x260/0x260 [ 91.467037] ? kmem_cache_free+0x249/0x280 [ 91.471243] ? putname+0xf3/0x130 [ 91.474669] syscall_return_slowpath+0x3a7/0x450 [ 91.479393] ? prepare_exit_to_usermode+0x220/0x220 [ 91.484377] ? entry_SYSCALL_64_fastpath+0x91/0xbe [ 91.489276] ? trace_hardirqs_on_caller+0x421/0x5c0 [ 91.494261] ? trace_hardirqs_on_thunk+0x1a/0x1c [ 91.498992] entry_SYSCALL_64_fastpath+0xbc/0xbe [ 91.503715] RIP: 0033:0x40b871 [ 91.506872] RSP: 002b:00007f60fc9f1750 EFLAGS: 00000293 ORIG_RAX: 0000000000000002 [ 91.514548] RAX: fffffffffffffff5 RBX: cccccccccccccccd RCX: 000000000040b871 [ 91.521786] RDX: 0000000000000000 RSI: 0000000000002040 RDI: 00007f60fc9f1800 [ 91.529024] RBP: 0000000000005c90 R08: 0000000000000000 R09: 0000000000000000 [ 91.536260] R10: 00000000000f4242 R11: 0000000000000293 R12: 00000000004bac85 [ 91.543498] R13: 00000000ffffffff R14: 0000000020052000 R15: 000000000000007f [ 91.550754] [ 91.552353] Allocated by task 4100: [ 91.555953] save_stack_trace+0x16/0x20 [ 91.559897] save_stack+0x43/0xd0 [ 91.563317] kasan_kmalloc+0xad/0xe0 [ 91.566997] kasan_slab_alloc+0x12/0x20 [ 91.570939] kmem_cache_alloc+0x127/0x750 [ 91.575059] dup_userfaultfd+0x21c/0x890 [ 91.579087] copy_mm+0xa27/0x1247 [ 91.582528] copy_process.part.34+0x1ec4/0x4bd0 [ 91.587174] _do_fork+0x1ef/0xfb0 [ 91.590594] SyS_clone+0x37/0x50 [ 91.593927] do_syscall_64+0x26c/0x800 [ 91.597793] return_from_SYSCALL_64+0x0/0x7a [ 91.602163] [ 91.603756] Freed by task 4100: [ 91.607002] save_stack_trace+0x16/0x20 [ 91.610944] save_stack+0x43/0xd0 [ 91.614362] kasan_slab_free+0x71/0xc0 [ 91.618215] kmem_cache_free+0x77/0x280 [ 91.622156] userfaultfd_ctx_put+0x50c/0x740 [ 
91.626531] userfaultfd_event_wait_completion+0x754/0x910 [ 91.632121] dup_userfaultfd_complete+0x2de/0x480 [ 91.636930] copy_mm+0xde2/0x1247 [ 91.640349] copy_process.part.34+0x1ec4/0x4bd0 [ 91.644995] _do_fork+0x1ef/0xfb0 [ 91.648414] SyS_clone+0x37/0x50 [ 91.651748] do_syscall_64+0x26c/0x800 [ 91.655601] return_from_SYSCALL_64+0x0/0x7a [ 91.659976] [ 91.661572] The buggy address belongs to the object at ffff8801cd747c40 [ 91.661572] which belongs to the cache userfaultfd_ctx_cache of size 360 [ 91.675062] The buggy address is located 352 bytes inside of [ 91.675062] 360-byte region [ffff8801cd747c40, ffff8801cd747da8) [ 91.686904] The buggy address belongs to the page: [ 91.691800] page:ffffea000735d1c0 count:1 mapcount:0 mapping:ffff8801cd747000 index:0xffff8801cd747ff7 [ 91.701212] flags: 0x200000000000100(slab) [ 91.705415] raw: 0200000000000100 ffff8801cd747000 ffff8801cd747ff7 0000000100000009 [ 91.713262] raw: ffffea000735d1a0 ffff8801d65fe348 ffff8801d660bc00 0000000000000000 [ 91.721122] page dumped because: kasan: bad access detected [ 91.726797] [ 91.728391] Memory state around the buggy address: [ 91.733288] ffff8801cd747c80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 91.740615] ffff8801cd747d00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 91.747940] >ffff8801cd747d80: fb fb fb fb fb fc fc fc fc fc fc fc fc fc fc fc [ 91.755274] ^ [ 91.759649] ffff8801cd747e00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 91.766974] ffff8801cd747e80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 91.774304] ================================================================== [ 91.781631] Disabling lock debugging due to kernel taint [ 91.787112] Kernel panic - not syncing: panic_on_warn set ... 
[ 91.787112] [ 91.794447] CPU: 1 PID: 4102 Comm: syz-executor0 Tainted: G B 4.13.0-rc6+ #46 [ 91.802816] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 91.812136] Call Trace: [ 91.814698] dump_stack+0x194/0x257 [ 91.818294] ? arch_local_irq_restore+0x53/0x53 [ 91.822932] ? trace_hardirqs_on_thunk+0x1a/0x1c [ 91.827655] ? note_gp_changes+0x23a/0x650 [ 91.831860] ? userfaultfd_release+0x570/0x6e0 [ 91.836410] panic+0x1e4/0x417 [ 91.839568] ? __warn+0x1d9/0x1d9 [ 91.843003] ? userfaultfd_release+0x5c1/0x6e0 [ 91.847563] kasan_end_report+0x50/0x50 [ 91.851505] kasan_report+0x137/0x340 [ 91.855273] ? userfaultfd_event_wait_completion+0x910/0x910 [ 91.861036] __asan_report_load8_noabort+0x14/0x20 [ 91.865929] userfaultfd_release+0x5c1/0x6e0 [ 91.870304] ? fcntl_setlk+0x10c0/0x10c0 [ 91.874328] ? free_fs_struct+0x4f/0x60 [ 91.878269] ? userfaultfd_event_wait_completion+0x910/0x910 [ 91.884035] ? fsnotify+0x1af0/0x1af0 [ 91.887808] ? __might_sleep+0x95/0x190 [ 91.891749] ? userfaultfd_event_wait_completion+0x910/0x910 [ 91.897513] __fput+0x327/0x7e0 [ 91.900761] ? fput+0x140/0x140 [ 91.904010] ? do_raw_spin_trylock+0x190/0x190 [ 91.908558] ? check_same_owner+0x320/0x320 [ 91.912848] ____fput+0x15/0x20 [ 91.916099] task_work_run+0x18a/0x260 [ 91.919953] ? task_work_cancel+0x210/0x210 [ 91.924245] ? _raw_spin_unlock+0x22/0x30 [ 91.928360] ? switch_task_namespaces+0x87/0xc0 [ 91.932998] do_exit+0xa3a/0x1b10 [ 91.936419] ? debug_check_no_locks_freed+0x3c0/0x3c0 [ 91.941581] ? __lock_acquire+0x6ef/0x3dc0 [ 91.945782] ? check_noncircular+0x20/0x20 [ 91.949988] ? mm_update_next_owner+0x930/0x930 [ 91.954625] ? __lock_acquire+0x6ef/0x3dc0 [ 91.958826] ? find_held_lock+0x35/0x1d0 [ 91.962858] ? debug_check_no_locks_freed+0x3c0/0x3c0 [ 91.968013] ? lock_release+0xa40/0xa40 [ 91.971957] ? __free_insn_slot+0x5c0/0x5c0 [ 91.976247] ? check_noncircular+0x20/0x20 [ 91.980451] ? is_bpf_text_address+0xa4/0x120 [ 91.984917] ? 
__kernel_text_address+0xae/0xe0 [ 91.989468] ? unwind_get_return_address+0x61/0xa0 [ 91.994365] ? __save_stack_trace+0x7e/0xd0 [ 91.998655] ? find_held_lock+0x35/0x1d0 [ 92.002685] ? get_signal+0x855/0x17e0 [ 92.006538] ? lock_downgrade+0x990/0x990 [ 92.010657] do_group_exit+0x149/0x400 [ 92.014508] ? __lock_is_held+0xb6/0x140 [ 92.018534] ? SyS_exit+0x30/0x30 [ 92.021954] ? _raw_spin_unlock_irq+0x27/0x70 [ 92.026415] ? trace_hardirqs_on_caller+0x421/0x5c0 [ 92.031397] get_signal+0x7e8/0x17e0 [ 92.035092] ? ptrace_notify+0x130/0x130 [ 92.039118] ? call_rcu_sched+0x12/0x20 [ 92.043063] ? is_bpf_text_address+0xa4/0x120 [ 92.047524] ? __kernel_text_address+0xae/0xe0 [ 92.052071] ? unwind_get_return_address+0x61/0xa0 [ 92.056968] ? __save_stack_trace+0x7e/0xd0 [ 92.061262] ? depot_save_stack+0x12c/0x490 [ 92.065552] do_signal+0x94/0x1ee0 [ 92.069057] ? save_stack+0xa3/0xd0 [ 92.072649] ? save_stack_trace+0x16/0x20 [ 92.076759] ? save_stack+0x43/0xd0 [ 92.080351] ? kasan_slab_free+0x71/0xc0 [ 92.084373] ? kmem_cache_free+0x77/0x280 [ 92.088485] ? putname+0xee/0x130 [ 92.091904] ? do_sys_open+0x31b/0x6d0 [ 92.095756] ? SyS_open+0x2d/0x40 [ 92.099176] ? setup_sigcontext+0x7d0/0x7d0 [ 92.103467] ? _raw_spin_unlock+0x22/0x30 [ 92.107579] ? __alloc_fd+0x29b/0x750 [ 92.111347] ? find_held_lock+0x35/0x1d0 [ 92.115374] ? put_unused_fd+0x62/0x70 [ 92.119228] ? lock_downgrade+0x990/0x990 [ 92.123348] ? exit_to_usermode_loop+0x98/0x300 [ 92.127987] exit_to_usermode_loop+0x224/0x300 [ 92.132538] ? trace_event_raw_event_sys_exit+0x260/0x260 [ 92.138041] ? kmem_cache_free+0x249/0x280 [ 92.142243] ? putname+0xf3/0x130 [ 92.145663] syscall_return_slowpath+0x3a7/0x450 [ 92.150382] ? prepare_exit_to_usermode+0x220/0x220 [ 92.155365] ? entry_SYSCALL_64_fastpath+0x91/0xbe [ 92.160261] ? trace_hardirqs_on_caller+0x421/0x5c0 [ 92.165243] ? 
trace_hardirqs_on_thunk+0x1a/0x1c [ 92.169965] entry_SYSCALL_64_fastpath+0xbc/0xbe [ 92.174688] RIP: 0033:0x40b871 [ 92.177844] RSP: 002b:00007f60fc9f1750 EFLAGS: 00000293 ORIG_RAX: 0000000000000002 [ 92.185517] RAX: fffffffffffffff5 RBX: cccccccccccccccd RCX: 000000000040b871 [ 92.192753] RDX: 0000000000000000 RSI: 0000000000002040 RDI: 00007f60fc9f1800 [ 92.199988] RBP: 0000000000005c90 R08: 0000000000000000 R09: 0000000000000000 [ 92.207224] R10: 00000000000f4242 R11: 0000000000000293 R12: 00000000004bac85 [ 92.214458] R13: 00000000ffffffff R14: 0000000020052000 R15: 000000000000007f [ 92.221743] Dumping ftrace buffer: [ 92.225249] (ftrace buffer empty) [ 92.228927] Kernel Offset: disabled [ 92.232523] Rebooting in 86400 seconds..