INIT: Entering runlevel: 2
[info] Using makefile-style concurrent boot in runlevel 2.
[ ok ] Starting enhanced syslogd: rsyslogd.
[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.

Debian GNU/Linux 7 syzkaller ttyS0

Warning: Permanently added 'ci-upstream-mmots-kasan-gce-1,10.128.0.63' (ECDSA) to the list of known hosts.
2017/10/06 04:17:24 parsed 1 programs
2017/10/06 04:17:24 executed programs: 0

syzkaller login: [   47.988966] ==================================================================
[   47.996386] BUG: KASAN: use-after-free in __do_page_fault+0xc03/0xd60
[   48.002935] Read of size 8 at addr ffff8801cde9f680 by task syz-executor1/3030
[   48.010265]
[   48.011868] CPU: 1 PID: 3030 Comm: syz-executor1 Not tainted 4.14.0-rc3-mm1+ #14
[   48.019371] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   48.028695] Call Trace:
[   48.031254]  dump_stack+0x194/0x257
[   48.034859]  ? arch_local_irq_restore+0x53/0x53
[   48.039499]  ? show_regs_print_info+0x65/0x65
[   48.043983]  ? __do_page_fault+0xc03/0xd60
[   48.048194]  print_address_description+0x73/0x250
[   48.053011]  ? __do_page_fault+0xc03/0xd60
[   48.057219]  kasan_report+0x25b/0x340
[   48.060996]  __asan_report_load8_noabort+0x14/0x20
[   48.065894]  __do_page_fault+0xc03/0xd60
[   48.069935]  ? mm_fault_error+0x2c0/0x2c0
[   48.074058]  ? free_pidmap.isra.0+0x60/0x60
[   48.078360]  do_page_fault+0xee/0x720
[   48.082135]  ? __do_page_fault+0xd60/0xd60
[   48.086348]  ? SyS_futex+0x269/0x390
[   48.090040]  ? do_futex+0x20d0/0x20d0
[   48.093815]  ? __task_pid_nr_ns+0x2c7/0x540
[   48.098109]  ? entry_SYSCALL_64_fastpath+0x4b/0xbe
[   48.103013]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   48.107833]  page_fault+0x22/0x30
[   48.111257] RIP: 0033:0x44bcf0
[   48.114423] RSP: 002b:00007fe9fd6e0758 EFLAGS: 00010202
[   48.119766] RAX: 00007fe9fd6e0800 RBX: 0000000000718000 RCX: 000000000000000e
[   48.127006] RDX: 0000000000000400 RSI: 0000000020012fe0 RDI: 00007fe9fd6e0800
[   48.134246] RBP: 0000000000005e10 R08: 0000000000000400 R09: 0000000000000000
[   48.141493] R10: 00000000000f4245 R11: 0000000000000246 R12: 00000000004bbc27
[   48.148732] R13: 00000000ffffffff R14: 0000000020012fee R15: 0000000000000000
[   48.155993]
[   48.157593] Allocated by task 3030:
[   48.161193]  save_stack_trace+0x16/0x20
[   48.165136]  save_stack+0x43/0xd0
[   48.168556]  kasan_kmalloc+0xad/0xe0
[   48.172238]  kasan_slab_alloc+0x12/0x20
[   48.176181]  kmem_cache_alloc+0x12e/0x760
[   48.180299]  mmap_region+0x7ee/0x15a0
[   48.184069]  do_mmap+0x6a1/0xd50
[   48.187405]  vm_mmap_pgoff+0x1de/0x280
[   48.191260]  SyS_mmap_pgoff+0x23b/0x5f0
[   48.195202]  SyS_mmap+0x16/0x20
[   48.198452]  entry_SYSCALL_64_fastpath+0x1f/0xbe
[   48.203172]
[   48.204771] Freed by task 3038:
[   48.208018]  save_stack_trace+0x16/0x20
[   48.211963]  save_stack+0x43/0xd0
[   48.215386]  kasan_slab_free+0x71/0xc0
[   48.219245]  kmem_cache_free+0x77/0x280
[   48.223196]  remove_vma+0x162/0x1b0
[   48.226879]  do_munmap+0x82a/0xdf0
[   48.230388]  mmap_region+0x59e/0x15a0
[   48.234161]  do_mmap+0x6a1/0xd50
[   48.237501]  vm_mmap_pgoff+0x1de/0x280
[   48.241359]  SyS_mmap_pgoff+0x23b/0x5f0
[   48.245303]  SyS_mmap+0x16/0x20
[   48.248558]  entry_SYSCALL_64_fastpath+0x1f/0xbe
[   48.253282]
[   48.254883] The buggy address belongs to the object at ffff8801cde9f630
[   48.254883]  which belongs to the cache vm_area_struct of size 200
[   48.267770] The buggy address is located 80 bytes inside of
[   48.267770]  200-byte region [ffff8801cde9f630, ffff8801cde9f6f8)
[   48.279525] The buggy address belongs to the page:
[   48.284432] page:ffffea000737a7c0 count:1 mapcount:0 mapping:ffff8801cde9f000 index:0x0
[   48.292547] flags: 0x200000000000100(slab)
[   48.296755] raw: 0200000000000100 ffff8801cde9f000 0000000000000000 000000010000000f
[   48.304605] raw: ffffea000737a4e0 ffffea000737e5a0 ffff8801dae049c0 0000000000000000
[   48.312454] page dumped because: kasan: bad access detected
[   48.318132]
[   48.319728] Memory state around the buggy address:
[   48.324628]  ffff8801cde9f580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fc fc
[   48.331961]  ffff8801cde9f600: fc fc fc fc fc fc fb fb fb fb fb fb fb fb fb fb
[   48.339296] >ffff8801cde9f680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fc
[   48.346622]                    ^
[   48.349955]  ffff8801cde9f700: fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb fb
[   48.357280]  ffff8801cde9f780: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   48.364606] ==================================================================
[   48.371933] Disabling lock debugging due to kernel taint
[   48.377434] Kernel panic - not syncing: panic_on_warn set ...
[   48.377434]
[   48.384764] CPU: 1 PID: 3030 Comm: syz-executor1 Tainted: G    B   4.14.0-rc3-mm1+ #14
[   48.393562] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   48.402882] Call Trace:
[   48.405438]  dump_stack+0x194/0x257
[   48.409031]  ? arch_local_irq_restore+0x53/0x53
[   48.413666]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[   48.418390]  ? __do_page_fault+0xb90/0xd60
[   48.422591]  panic+0x1e4/0x41c
[   48.425750]  ? refcount_error_report+0x214/0x214
[   48.430478]  ? __do_page_fault+0xc03/0xd60
[   48.434676]  kasan_end_report+0x50/0x50
[   48.438615]  kasan_report+0x144/0x340
[   48.442385]  __asan_report_load8_noabort+0x14/0x20
[   48.447278]  __do_page_fault+0xc03/0xd60
[   48.451309]  ? mm_fault_error+0x2c0/0x2c0
[   48.455422]  ? free_pidmap.isra.0+0x60/0x60
[   48.459712]  do_page_fault+0xee/0x720
[   48.463480]  ? __do_page_fault+0xd60/0xd60
[   48.467683]  ? SyS_futex+0x269/0x390
[   48.471364]  ? do_futex+0x20d0/0x20d0
[   48.475129]  ? __task_pid_nr_ns+0x2c7/0x540
[   48.479417]  ? entry_SYSCALL_64_fastpath+0x4b/0xbe
[   48.484322]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   48.489134]  page_fault+0x22/0x30
[   48.492550] RIP: 0033:0x44bcf0
[   48.495706] RSP: 002b:00007fe9fd6e0758 EFLAGS: 00010202
[   48.501032] RAX: 00007fe9fd6e0800 RBX: 0000000000718000 RCX: 000000000000000e
[   48.508273] RDX: 0000000000000400 RSI: 0000000020012fe0 RDI: 00007fe9fd6e0800
[   48.515507] RBP: 0000000000005e10 R08: 0000000000000400 R09: 0000000000000000
[   48.522739] R10: 00000000000f4245 R11: 0000000000000246 R12: 00000000004bbc27
[   48.529975] R13: 00000000ffffffff R14: 0000000020012fee R15: 0000000000000000
[   48.537563] Dumping ftrace buffer:
[   48.541069]    (ftrace buffer empty)
[   48.544746] Kernel Offset: disabled
[   48.548339] Rebooting in 86400 seconds..