INIT: Entering runlevel: 2
[info] Using makefile-style concurrent boot in runlevel 2.
[ ok ] Starting enhanced syslogd: rsyslogd.
[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.

Debian GNU/Linux 7 syzkaller ttyS0

Warning: Permanently added 'ci-upstream-next-kasan-gce-6,10.128.15.218' (ECDSA) to the list of known hosts.
2017/09/28 15:52:58 parsed 1 programs
2017/09/28 15:52:58 executed programs: 0

syzkaller login: [   46.747471] ==================================================================
[   46.754939] BUG: KASAN: use-after-free in __do_page_fault+0xc03/0xd60
[   46.761492] Read of size 8 at addr ffff8801ccabbbe8 by task syz-executor1/3403
[   46.768825]
[   46.770432] CPU: 1 PID: 3403 Comm: syz-executor1 Not tainted 4.14.0-rc2-next-20170928+ #31
[   46.778807] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   46.788136] Call Trace:
[   46.790704]  dump_stack+0x194/0x257
[   46.794312]  ? arch_local_irq_restore+0x53/0x53
[   46.798960]  ? show_regs_print_info+0x65/0x65
[   46.803438]  ? __do_page_fault+0xc03/0xd60
[   46.807649]  print_address_description+0x73/0x250
[   46.812466]  ? __do_page_fault+0xc03/0xd60
[   46.816678]  kasan_report+0x25b/0x340
[   46.820459]  __asan_report_load8_noabort+0x14/0x20
[   46.825364]  __do_page_fault+0xc03/0xd60
[   46.829408]  ? mm_fault_error+0x2c0/0x2c0
[   46.833536]  ? free_pidmap.isra.0+0x70/0x70
[   46.837844]  do_page_fault+0xee/0x720
[   46.841625]  ? __do_page_fault+0xd60/0xd60
[   46.845860]  ? SyS_futex+0x269/0x390
[   46.849554]  ? do_futex+0x20d0/0x20d0
[   46.853326]  ? __task_pid_nr_ns+0x2c7/0x540
[   46.857643]  ? entry_SYSCALL_64_fastpath+0x4b/0xbe
[   46.862566]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   46.867401]  page_fault+0x22/0x30
[   46.870831] RIP: 0033:0x44bcf0
[   46.874015] RSP: 002b:00007efef4064758 EFLAGS: 00010202
[   46.879368] RAX: 00007efef4064800 RBX: 0000000000718000 RCX: 000000000000000e
[   46.886618] RDX: 0000000000000400 RSI: 0000000020012fe0 RDI: 00007efef4064800
[   46.893865] RBP: 0000000000005e10 R08: 0000000000000400 R09: 0000000000000000
[   46.901113] R10: 00000000000f4245 R11: 0000000000000246 R12: 00000000004bbc27
[   46.908359] R13: 00000000ffffffff R14: 0000000020012fee R15: 0000000000000000
[   46.915624]
[   46.917230] Allocated by task 3403:
[   46.920841]  save_stack_trace+0x16/0x20
[   46.924793]  save_stack+0x43/0xd0
[   46.928222]  kasan_kmalloc+0xad/0xe0
[   46.931912]  kasan_slab_alloc+0x12/0x20
[   46.935865]  kmem_cache_alloc+0x12e/0x760
[   46.940005]  mmap_region+0x7ee/0x15a0
[   46.943782]  do_mmap+0x6a1/0xd50
[   46.947121]  vm_mmap_pgoff+0x1de/0x280
[   46.950982]  SyS_mmap_pgoff+0x23b/0x5f0
[   46.954927]  SyS_mmap+0x16/0x20
[   46.958187]  entry_SYSCALL_64_fastpath+0x1f/0xbe
[   46.962917]
[   46.964519] Freed by task 3411:
[   46.967774]  save_stack_trace+0x16/0x20
[   46.971724]  save_stack+0x43/0xd0
[   46.975150]  kasan_slab_free+0x71/0xc0
[   46.979011]  kmem_cache_free+0x77/0x280
[   46.982972]  remove_vma+0x162/0x1b0
[   46.986571]  do_munmap+0x82a/0xdf0
[   46.990084]  mmap_region+0x59e/0x15a0
[   46.993858]  do_mmap+0x6a1/0xd50
[   46.997198]  vm_mmap_pgoff+0x1de/0x280
[   47.001056]  SyS_mmap_pgoff+0x23b/0x5f0
[   47.005004]  SyS_mmap+0x16/0x20
[   47.008258]  entry_SYSCALL_64_fastpath+0x1f/0xbe
[   47.012996]
[   47.014599] The buggy address belongs to the object at ffff8801ccabbb98
[   47.014599]  which belongs to the cache vm_area_struct of size 200
[   47.027490] The buggy address is located 80 bytes inside of
[   47.027490]  200-byte region [ffff8801ccabbb98, ffff8801ccabbc60)
[   47.039249] The buggy address belongs to the page:
[   47.044152] page:ffffea000732aec0 count:1 mapcount:0 mapping:ffff8801ccabb040 index:0x0
[   47.052275] flags: 0x200000000000100(slab)
[   47.056483] raw: 0200000000000100 ffff8801ccabb040 0000000000000000 000000010000000f
[   47.064337] raw: ffffea000734a3a0 ffffea000730cd20 ffff8801dae049c0 0000000000000000
[   47.072188] page dumped because: kasan: bad access detected
[   47.077870]
[   47.079471] Memory state around the buggy address:
[   47.084372]  ffff8801ccabba80: fc fc fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   47.091703]  ffff8801ccabbb00: fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc fc
[   47.099037] >ffff8801ccabbb80: fc fc fc fb fb fb fb fb fb fb fb fb fb fb fb fb
[   47.106384]                                                           ^
[   47.113110]  ffff8801ccabbc00: fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
[   47.120443]  ffff8801ccabbc80: fc fc fc fc fb fb fb fb fb fb fb fb fb fb fb fb
[   47.127774] ==================================================================
[   47.135105] Disabling lock debugging due to kernel taint
[   47.140615] Kernel panic - not syncing: panic_on_warn set ...
[   47.140615]
[   47.147968] CPU: 1 PID: 3403 Comm: syz-executor1 Tainted: G    B   4.14.0-rc2-next-20170928+ #31
[   47.157554] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   47.166877] Call Trace:
[   47.169437]  dump_stack+0x194/0x257
[   47.173036]  ? arch_local_irq_restore+0x53/0x53
[   47.177685]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[   47.182414]  ? __do_page_fault+0xb90/0xd60
[   47.186619]  panic+0x1e4/0x417
[   47.189782]  ? __warn+0x1d9/0x1d9
[   47.193211]  ? __do_page_fault+0xc03/0xd60
[   47.197413]  kasan_end_report+0x50/0x50
[   47.201356]  kasan_report+0x144/0x340
[   47.205127]  __asan_report_load8_noabort+0x14/0x20
[   47.210029]  __do_page_fault+0xc03/0xd60
[   47.214062]  ? mm_fault_error+0x2c0/0x2c0
[   47.218180]  ? free_pidmap.isra.0+0x70/0x70
[   47.222473]  do_page_fault+0xee/0x720
[   47.226242]  ? __do_page_fault+0xd60/0xd60
[   47.230447]  ? SyS_futex+0x269/0x390
[   47.234131]  ? do_futex+0x20d0/0x20d0
[   47.237897]  ? __task_pid_nr_ns+0x2c7/0x540
[   47.242186]  ? entry_SYSCALL_64_fastpath+0x4b/0xbe
[   47.247083]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   47.251898]  page_fault+0x22/0x30
[   47.255322] RIP: 0033:0x44bcf0
[   47.258480] RSP: 002b:00007efef4064758 EFLAGS: 00010202
[   47.263810] RAX: 00007efef4064800 RBX: 0000000000718000 RCX: 000000000000000e
[   47.271052] RDX: 0000000000000400 RSI: 0000000020012fe0 RDI: 00007efef4064800
[   47.278290] RBP: 0000000000005e10 R08: 0000000000000400 R09: 0000000000000000
[   47.285525] R10: 00000000000f4245 R11: 0000000000000246 R12: 00000000004bbc27
[   47.292762] R13: 00000000ffffffff R14: 0000000020012fee R15: 0000000000000000
[   47.300046] Dumping ftrace buffer:
[   47.303555]    (ftrace buffer empty)
[   47.307238] Kernel Offset: disabled
[   47.310832] Rebooting in 86400 seconds..