INIT: Entering runlevel: 2
[info] Using makefile-style concurrent boot in runlevel 2.
[....] Starting enhanced syslogd: rsyslogd[ ok ].
[....] Starting periodic command scheduler: cron[ ok ].
[....] Starting OpenBSD Secure Shell server: sshd[ ok ].
Debian GNU/Linux 7 syzkaller ttyS0
Warning: Permanently added 'ci-upstream-kasan-gce-386-3,10.128.0.5' (ECDSA) to the list of known hosts.
executing program
syzkaller login: [ 41.097655] ==================================================================
[ 41.105114] BUG: KASAN: use-after-free in handle_userfault+0x2076/0x23a0
[ 41.111925] Read of size 8 at addr ffff8801cf4bfd88 by task syzkaller178028/2991
[ 41.119425]
[ 41.121026] CPU: 0 PID: 2991 Comm: syzkaller178028 Not tainted 4.14.0-rc2+ #21
[ 41.128352] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 41.137677] Call Trace:
[ 41.140238] dump_stack+0x194/0x257
[ 41.143842] ? arch_local_irq_restore+0x53/0x53
[ 41.148481] ? show_regs_print_info+0x65/0x65
[ 41.152950] ? rcutorture_record_progress+0x10/0x10
[ 41.157938] ? __free_pages_ok+0x718/0x3150
[ 41.162232] ? handle_userfault+0x2076/0x23a0
[ 41.166702] print_address_description+0x73/0x250
[ 41.171516] ? handle_userfault+0x2076/0x23a0
[ 41.175983] kasan_report+0x25b/0x340
[ 41.179760] __asan_report_load8_noabort+0x14/0x20
[ 41.184662] handle_userfault+0x2076/0x23a0
[ 41.188962] ? __lock_acquire+0x732/0x4620
[ 41.193171] ? page_add_file_rmap+0x5b7/0xa90
[ 41.197640] ? userfaultfd_ioctl+0x4510/0x4510
[ 41.202193] ? unwind_get_return_address+0x61/0xa0
[ 41.207094] ? __save_stack_trace+0x7e/0xd0
[ 41.211395] ? debug_check_no_locks_freed+0x3d0/0x3d0
[ 41.216557] ? debug_check_no_locks_freed+0x3d0/0x3d0
[ 41.221721] ? check_noncircular+0x20/0x20
[ 41.225924] ? save_stack_trace+0x16/0x20
[ 41.230049] ? lock_acquire+0x1d5/0x580
[ 41.233993] ? alloc_set_pte+0x10fe/0x1880
[ 41.238200] ? unwind_get_return_address+0x61/0xa0
[ 41.243112] ? find_held_lock+0x39/0x1d0
[ 41.247157] ? lock_downgrade+0x990/0x990
[ 41.251275] ? alloc_set_pte+0x901/0x1880
[ 41.255401] ? __handle_mm_fault+0x22b1/0x39c0
[ 41.259964] ? do_raw_spin_trylock+0x190/0x190
[ 41.264516] ? check_noncircular+0x20/0x20
[ 41.268723] ? wake_up_page_bit+0x530/0x530
[ 41.273033] __handle_mm_fault+0x2d46/0x39c0
[ 41.277415] ? __pmd_alloc+0x4e0/0x4e0
[ 41.281282] ? lock_downgrade+0x990/0x990
[ 41.285400] ? find_held_lock+0x39/0x1d0
[ 41.289437] ? __lock_is_held+0xbc/0x140
[ 41.293499] handle_mm_fault+0x334/0x8d0
[ 41.297529] ? down_read_trylock+0xdb/0x170
[ 41.301819] ? __do_page_fault+0x31e/0xd60
[ 41.306025] ? __handle_mm_fault+0x39c0/0x39c0
[ 41.310577] ? vmacache_find+0x5f/0x280
[ 41.314522] ? vmacache_update+0xfe/0x130
[ 41.318641] ? find_vma+0x30/0x150
[ 41.322155] __do_page_fault+0x5bd/0xd60
[ 41.326189] ? _raw_spin_unlock_irqrestore+0x31/0xba
[ 41.331269] ? mm_fault_error+0x2c0/0x2c0
[ 41.335392] ? __free_pages+0xd8/0x150
[ 41.339256] do_page_fault+0xee/0x720
[ 41.343030] ? __do_page_fault+0xd60/0xd60
[ 41.347238] ? lockdep_sys_exit+0x47/0xf0
[ 41.351360] ? syscall_return_slowpath+0x2b3/0x510
[ 41.356260] ? finish_task_switch+0x4cc/0x740
[ 41.360728] ? lockdep_sys_exit+0x47/0xf0
[ 41.364846] ? retint_user+0x18/0x20
[ 41.368533] ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 41.373353] page_fault+0x22/0x30
[ 41.376781] RIP: 0023:0xf7f4ac79
[ 41.380114] RSP: 002b:0000000020013000 EFLAGS: 00010296
[ 41.385449] RAX: 0000000000000000 RBX: 0000000000000400 RCX: 0000000020013000
[ 41.392689] RDX: 0000000020059ffc RSI: 0000000020058ffc RDI: 0000000020058ffd
[ 41.399929] RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
[ 41.407168] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
[ 41.414414] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[ 41.421674]
[ 41.423274] Allocated by task 2989:
[ 41.426877] save_stack_trace+0x16/0x20
[ 41.430823] save_stack+0x43/0xd0
[ 41.434244] kasan_kmalloc+0xad/0xe0
[ 41.437926] kasan_slab_alloc+0x12/0x20
[ 41.441871] kmem_cache_alloc+0x12e/0x760
[ 41.445986] dup_userfaultfd+0x21c/0x890
[ 41.450017] copy_mm+0xa38/0x1310
[ 41.453438] copy_process.part.36+0x1eae/0x4af0
[ 41.458077] _do_fork+0x1ef/0xfe0
[ 41.461499] SyS_clone+0x37/0x50
[ 41.464837] do_fast_syscall_32+0x3f2/0xf05
[ 41.469127] entry_SYSENTER_compat+0x51/0x60
[ 41.473501]
[ 41.475099] Freed by task 2989:
[ 41.478345] save_stack_trace+0x16/0x20
[ 41.482286] save_stack+0x43/0xd0
[ 41.485705] kasan_slab_free+0x71/0xc0
[ 41.489565] kmem_cache_free+0x77/0x280
[ 41.493507] userfaultfd_ctx_put+0x50c/0x740
[ 41.497883] userfaultfd_event_wait_completion+0x788/0x9c0
[ 41.503476] dup_userfaultfd_complete+0x2de/0x480
[ 41.508286] copy_mm+0xe9b/0x1310
[ 41.511709] copy_process.part.36+0x1eae/0x4af0
[ 41.516346] _do_fork+0x1ef/0xfe0
[ 41.519775] SyS_clone+0x37/0x50
[ 41.523111] do_fast_syscall_32+0x3f2/0xf05
[ 41.527401] entry_SYSENTER_compat+0x51/0x60
[ 41.531779]
[ 41.533376] The buggy address belongs to the object at ffff8801cf4bfc00
[ 41.533376]  which belongs to the cache userfaultfd_ctx_cache of size 400
[ 41.546868] The buggy address is located 392 bytes inside of
[ 41.546868]  400-byte region [ffff8801cf4bfc00, ffff8801cf4bfd90)
[ 41.558709] The buggy address belongs to the page:
[ 41.563608] page:ffffea00073d2fc0 count:1 mapcount:0 mapping:ffff8801cf4bf000 index:0xffff8801ce868dc0
[ 41.573026] flags: 0x200000000000100(slab)
[ 41.577232] raw: 0200000000000100 ffff8801cf4bf000 ffff8801ce868dc0 0000000100000008
[ 41.585083] raw: ffff8801d626e150 ffff8801d626e150 ffff8801d5584c00 0000000000000000
[ 41.592931] page dumped because: kasan: bad access detected
[ 41.598781]
[ 41.600377] Memory state around the buggy address:
[ 41.605272]  ffff8801cf4bfc80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 41.612598]  ffff8801cf4bfd00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 41.619925] >ffff8801cf4bfd80: fb fb fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 41.627252]                       ^
[ 41.630845]  ffff8801cf4bfe00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 41.638174]  ffff8801cf4bfe80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 41.645500] ==================================================================
[ 41.652829] Disabling lock debugging due to kernel taint
[ 41.658290] Kernel panic - not syncing: panic_on_warn set ...
[ 41.658290]
[ 41.665620] CPU: 0 PID: 2991 Comm: syzkaller178028 Tainted: G B 4.14.0-rc2+ #21
[ 41.674156] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 41.683474] Call Trace:
[ 41.686028] dump_stack+0x194/0x257
[ 41.689623] ? arch_local_irq_restore+0x53/0x53
[ 41.694259] ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 41.698979] ? handle_userfault+0x2030/0x23a0
[ 41.703441] panic+0x1e4/0x417
[ 41.706598] ? __warn+0x1d9/0x1d9
[ 41.710021] ? handle_userfault+0x2076/0x23a0
[ 41.714481] kasan_end_report+0x50/0x50
[ 41.718421] kasan_report+0x144/0x340
[ 41.722187] __asan_report_load8_noabort+0x14/0x20
[ 41.727080] handle_userfault+0x2076/0x23a0
[ 41.731369] ? __lock_acquire+0x732/0x4620
[ 41.735569] ? page_add_file_rmap+0x5b7/0xa90
[ 41.740030] ? userfaultfd_ioctl+0x4510/0x4510
[ 41.744576] ? unwind_get_return_address+0x61/0xa0
[ 41.749470] ? __save_stack_trace+0x7e/0xd0
[ 41.753765] ? debug_check_no_locks_freed+0x3d0/0x3d0
[ 41.758921] ? debug_check_no_locks_freed+0x3d0/0x3d0
[ 41.764075] ? check_noncircular+0x20/0x20
[ 41.768274] ? save_stack_trace+0x16/0x20
[ 41.772389] ? lock_acquire+0x1d5/0x580
[ 41.776326] ? alloc_set_pte+0x10fe/0x1880
[ 41.780526] ? unwind_get_return_address+0x61/0xa0
[ 41.785430] ? find_held_lock+0x39/0x1d0
[ 41.789463] ? lock_downgrade+0x990/0x990
[ 41.793575] ? alloc_set_pte+0x901/0x1880
[ 41.797691] ? __handle_mm_fault+0x22b1/0x39c0
[ 41.802242] ? do_raw_spin_trylock+0x190/0x190
[ 41.806788] ? check_noncircular+0x20/0x20
[ 41.810992] ? wake_up_page_bit+0x530/0x530
[ 41.815287] __handle_mm_fault+0x2d46/0x39c0
[ 41.819664] ? __pmd_alloc+0x4e0/0x4e0
[ 41.823521] ? lock_downgrade+0x990/0x990
[ 41.827633] ? find_held_lock+0x39/0x1d0
[ 41.831663] ? __lock_is_held+0xbc/0x140
[ 41.835708] handle_mm_fault+0x334/0x8d0
[ 41.839735] ? down_read_trylock+0xdb/0x170
[ 41.844021] ? __do_page_fault+0x31e/0xd60
[ 41.848219] ? __handle_mm_fault+0x39c0/0x39c0
[ 41.852766] ? vmacache_find+0x5f/0x280
[ 41.856705] ? vmacache_update+0xfe/0x130
[ 41.860818] ? find_vma+0x30/0x150
[ 41.864334] __do_page_fault+0x5bd/0xd60
[ 41.868361] ? _raw_spin_unlock_irqrestore+0x31/0xba
[ 41.873433] ? mm_fault_error+0x2c0/0x2c0
[ 41.877545] ? __free_pages+0xd8/0x150
[ 41.881400] do_page_fault+0xee/0x720
[ 41.885167] ? __do_page_fault+0xd60/0xd60
[ 41.889370] ? lockdep_sys_exit+0x47/0xf0
[ 41.893484] ? syscall_return_slowpath+0x2b3/0x510
[ 41.898377] ? finish_task_switch+0x4cc/0x740
[ 41.902838] ? lockdep_sys_exit+0x47/0xf0
[ 41.906949] ? retint_user+0x18/0x20
[ 41.910628] ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 41.915436] page_fault+0x22/0x30
[ 41.918851] RIP: 0023:0xf7f4ac79
[ 41.922178] RSP: 002b:0000000020013000 EFLAGS: 00010296
[ 41.927504] RAX: 0000000000000000 RBX: 0000000000000400 RCX: 0000000020013000
[ 41.934743] RDX: 0000000020059ffc RSI: 0000000020058ffc RDI: 0000000020058ffd
[ 41.941978] RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
[ 41.949212] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
[ 41.956446] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[ 41.964050] Dumping ftrace buffer:
[ 41.967552] (ftrace buffer empty)
[ 41.971226] Kernel Offset: disabled
[ 41.974821] Rebooting in 86400 seconds..