Debian GNU/Linux 7 syzkaller ttyS0
2017/08/19 22:08:49 parsed 1 programs
2017/08/19 22:08:49 executed programs: 0
syzkaller login: [ 27.416990] ==================================================================
[ 27.417654] BUG: KASAN: use-after-free in userfaultfd_release+0x5c1/0x6e0
[ 27.418242] Read of size 8 at addr ffff88003bd3ebe0 by task syz-executor0/3058
[ 27.418715]
[ 27.418827] CPU: 0 PID: 3058 Comm: syz-executor0 Not tainted 4.13.0-rc5-next-20170817+ #5
[ 27.419364] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
[ 27.419894] Call Trace:
[ 27.420082] dump_stack+0x194/0x257
[ 27.420323] ? arch_local_irq_restore+0x53/0x53
[ 27.420633] ? show_regs_print_info+0x65/0x65
[ 27.420928] ? unwind_get_return_address+0x61/0xa0
[ 27.421251] ? userfaultfd_release+0x5c1/0x6e0
[ 27.421612] print_address_description+0x73/0x250
[ 27.421961] ? userfaultfd_release+0x5c1/0x6e0
[ 27.422256] kasan_report+0x24e/0x340
[ 27.422537] ? userfaultfd_event_wait_completion+0x910/0x910
[ 27.422981] __asan_report_load8_noabort+0x14/0x20
[ 27.423401] userfaultfd_release+0x5c1/0x6e0
[ 27.423779] ? fcntl_setlk+0x10c0/0x10c0
[ 27.424132] ? kmem_cache_free+0x77/0x280
[ 27.424432] ? do_exit+0xa33/0x1b30
[ 27.424744] ? userfaultfd_event_wait_completion+0x910/0x910
[ 27.425234] ? fsnotify+0x1af0/0x1af0
[ 27.425558] ? rcu_note_context_switch+0x710/0x710
[ 27.425977] ? __might_sleep+0x95/0x190
[ 27.426314] ? userfaultfd_event_wait_completion+0x910/0x910
[ 27.426807] __fput+0x327/0x7e0
[ 27.427091] ? fput+0x140/0x140
[ 27.427372] ? do_raw_spin_trylock+0x190/0x190
[ 27.427763] ____fput+0x15/0x20
[ 27.428312] task_work_run+0x199/0x270
[ 27.428580] ? task_work_cancel+0x210/0x210
[ 27.428861] ? _raw_spin_unlock+0x22/0x30
[ 27.429133] ? switch_task_namespaces+0x87/0xc0
[ 27.429439] do_exit+0xa52/0x1b30
[ 27.429664] ? account_kernel_stack+0x155/0x1f0
[ 27.429964] ? mm_update_next_owner+0x930/0x930
[ 27.430356] ? __cleanup_sighand+0x40/0x40
[ 27.430718] ? schedule+0x108/0x440
[ 27.431027] ? lock_downgrade+0x990/0x990
[ 27.431380] ? __schedule+0x2070/0x2070
[ 27.431721] ? check_same_owner+0x320/0x320
[ 27.432101] ? rcu_note_context_switch+0x710/0x710
[ 27.432518] ? futex_wait_setup+0x14a/0x3d0
[ 27.432885] ? __might_sleep+0x95/0x190
[ 27.433224] ? _cond_resched+0x14/0x30
[ 27.433555] ? futex_wait_queue_me+0x524/0x7e0
[ 27.433947] ? lock_release+0xa40/0xa40
[ 27.434287] ? __read_once_size_nocheck.constprop.8+0x10/0x10
[ 27.434789] ? bpf_prog_kallsyms_find+0xbd/0x440
[ 27.435199] ? get_futex_value_locked+0xc3/0xf0
[ 27.435507] ? futex_wait_setup+0x22e/0x3d0
[ 27.435791] ? is_bpf_text_address+0x7b/0x120
[ 27.436087] ? __dequeue_signal+0x103/0x7b0
[ 27.436374] ? recalc_sigpending_tsk+0x117/0x150
[ 27.436687] ? get_signal+0x855/0x17e0
[ 27.436943] ? lock_downgrade+0x990/0x990
[ 27.437219] do_group_exit+0x149/0x400
[ 27.437485] ? SyS_exit+0x30/0x30
[ 27.437716] get_signal+0x7e8/0x17e0
[ 27.437972] ? ptrace_notify+0x130/0x130
[ 27.438240] ? do_futex+0x781/0x20a0
[ 27.438483] ? __fget+0x333/0x570
[ 27.438712] ? lock_downgrade+0x990/0x990
[ 27.438996] ? lock_release+0xa40/0xa40
[ 27.439262] do_signal+0x94/0x1ee0
[ 27.439492] ? kasan_kmalloc+0xad/0xe0
[ 27.439751] ? _do_fork+0x1ef/0xfb0
[ 27.439991] ? _do_fork+0x2dc/0xfb0
[ 27.440231] ? setup_sigcontext+0x7d0/0x7d0
[ 27.440517] ? fork_idle+0x2d0/0x2d0
[ 27.440790] ? iterate_fd+0x3f0/0x3f0
[ 27.441093] ? lock_acquire+0x1d5/0x580
[ 27.441406] ? __fd_install+0x2da/0x6a0
[ 27.441691] ? lock_downgrade+0x990/0x990
[ 27.441956] ? lockdep_init_map+0x9/0x10
[ 27.442291] ? lock_release+0xa40/0xa40
[ 27.442579] ? proc_nr_files+0x60/0x60
[ 27.442886] ? rcu_note_context_switch+0x710/0x710
[ 27.443233] ? __fget_light+0x297/0x380
[ 27.443509] ? fget_raw+0x20/0x20
[ 27.443741] ? __fd_install+0x2f7/0x6a0
[ 27.444101] exit_to_usermode_loop+0x224/0x300
[ 27.444400] ? trace_event_raw_event_sys_exit+0x260/0x260
[ 27.444804] ? SyS_clone+0x37/0x50
[ 27.445063] do_syscall_64+0x65c/0x8c0
[ 27.445386] ? syscall_return_slowpath+0x500/0x500
[ 27.445735] ? do_futex+0x20a0/0x20a0
[ 27.446039] ? SyS_userfaultfd+0xd6/0x470
[ 27.446341] ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 27.446659] ? sys_vfork+0x30/0x30
[ 27.446895] entry_SYSCALL64_slow_path+0x25/0x25
[ 27.447207] RIP: 0033:0x446739
[ 27.447416] RSP: 002b:00007fb99d3fbc08 EFLAGS: 00000286 ORIG_RAX: 0000000000000038
[ 27.447919] RAX: fffffffffffffdff RBX: 0000000000000000 RCX: 0000000000446739
[ 27.448418] RDX: 0000000020f42000 RSI: 0000000020052000 RDI: 0000000000000000
[ 27.449196] RBP: 00000000007080a8 R08: 0000000020ef4ffc R09: 0000000000000000
[ 27.449850] R10: 0000000020a6bffc R11: 0000000000000286 R12: 00000000ffffffff
[ 27.450594] R13: 00000000000003b0 R14: 00000000006e2470 R15: 0000000020052000
[ 27.451252]
[ 27.451393] Allocated by task 3058:
[ 27.451716] save_stack_trace+0x16/0x20
[ 27.452105] save_stack+0x43/0xd0
[ 27.452392] kasan_kmalloc+0xad/0xe0
[ 27.452799] kasan_slab_alloc+0x12/0x20
[ 27.453175] kmem_cache_alloc+0x12e/0x760
[ 27.453552] dup_userfaultfd+0x21c/0x890
[ 27.453922] copy_mm+0xa27/0x1247
[ 27.454185] copy_process.part.36+0x1ea3/0x4af0
[ 27.454551] _do_fork+0x1ef/0xfb0
[ 27.454809] SyS_clone+0x37/0x50
[ 27.455030] do_syscall_64+0x26c/0x8c0
[ 27.455289] return_from_SYSCALL_64+0x0/0x7a
[ 27.455610]
[ 27.455715] Freed by task 3058:
[ 27.455943] save_stack_trace+0x16/0x20
[ 27.456240] save_stack+0x43/0xd0
[ 27.456503] kasan_slab_free+0x71/0xc0
[ 27.456806] kmem_cache_free+0x77/0x280
[ 27.457076] userfaultfd_ctx_put+0x50c/0x740
[ 27.457386] userfaultfd_event_wait_completion+0x754/0x910
[ 27.457793] dup_userfaultfd_complete+0x2de/0x480
[ 27.458102] copy_mm+0xde2/0x1247
[ 27.458337] copy_process.part.36+0x1ea3/0x4af0
[ 27.458672] _do_fork+0x1ef/0xfb0
[ 27.458957] SyS_clone+0x37/0x50
[ 27.459216] do_syscall_64+0x26c/0x8c0
[ 27.459492] return_from_SYSCALL_64+0x0/0x7a
[ 27.459771]
[ 27.459878] The buggy address belongs to the object at ffff88003bd3ea80
[ 27.459878]  which belongs to the cache userfaultfd_ctx_cache of size 360
[ 27.460825] The buggy address is located 352 bytes inside of
[ 27.460825]  360-byte region [ffff88003bd3ea80, ffff88003bd3ebe8)
[ 27.461660] The buggy address belongs to the page:
[ 27.461992] page:ffffea0000ef4f80 count:1 mapcount:0 mapping:ffff88003bd3e000 index:0xffff88003bd3eff7
[ 27.462616] flags: 0x100000000000100(slab)
[ 27.462897] raw: 0100000000000100 ffff88003bd3e000 ffff88003bd3eff7 0000000100000009
[ 27.463504] raw: ffff88003c82f348 ffffea0000ea2860 ffff88003c82e3c0 0000000000000000
[ 27.464049] page dumped because: kasan: bad access detected
[ 27.464447]
[ 27.464555] Memory state around the buggy address:
[ 27.464881]  ffff88003bd3ea80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 27.465377]  ffff88003bd3eb00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 27.465844] >ffff88003bd3eb80: fb fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc
[ 27.466311]                                                        ^
[ 27.466803]  ffff88003bd3ec00: fc fc fc fc fc fc fc fc 00 00 00 00 00 00 00 00
[ 27.467471]  ffff88003bd3ec80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 27.468192] ==================================================================
[ 27.468941] Kernel panic - not syncing: panic_on_warn set ...
[ 27.468941]
[ 27.469656] CPU: 0 PID: 3058 Comm: syz-executor0 Tainted: G B 4.13.0-rc5-next-20170817+ #5
[ 27.470818] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
[ 27.471471] Call Trace:
[ 27.471665] dump_stack+0x194/0x257
[ 27.472027] ? arch_local_irq_restore+0x53/0x53
[ 27.472352] ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 27.472669] ? userfaultfd_release+0x580/0x6e0
[ 27.472961] panic+0x1e4/0x417
[ 27.473167] ? __warn+0x1d9/0x1d9
[ 27.473456] ? userfaultfd_release+0x5c1/0x6e0
[ 27.473751] kasan_end_report+0x50/0x50
[ 27.474033] kasan_report+0x137/0x340
[ 27.474291] ? userfaultfd_event_wait_completion+0x910/0x910
[ 27.474869] __asan_report_load8_noabort+0x14/0x20
[ 27.475311] userfaultfd_release+0x5c1/0x6e0
[ 27.475778] ? fcntl_setlk+0x10c0/0x10c0
[ 27.476083] ? kmem_cache_free+0x77/0x280
[ 27.476500] ? do_exit+0xa33/0x1b30
[ 27.476909] ? userfaultfd_event_wait_completion+0x910/0x910
[ 27.477524] ? fsnotify+0x1af0/0x1af0
[ 27.477910] ? rcu_note_context_switch+0x710/0x710
[ 27.478370] ? __might_sleep+0x95/0x190
[ 27.478660] ? userfaultfd_event_wait_completion+0x910/0x910
[ 27.479034] __fput+0x327/0x7e0
[ 27.479261] ? fput+0x140/0x140
[ 27.479512] ? do_raw_spin_trylock+0x190/0x190
[ 27.479823] ____fput+0x15/0x20
[ 27.480087] task_work_run+0x199/0x270
[ 27.480341] ? task_work_cancel+0x210/0x210
[ 27.480618] ? _raw_spin_unlock+0x22/0x30
[ 27.480909] ? switch_task_namespaces+0x87/0xc0
[ 27.481239] do_exit+0xa52/0x1b30
[ 27.481491] ? account_kernel_stack+0x155/0x1f0
[ 27.481823] ? mm_update_next_owner+0x930/0x930
[ 27.482143] ? __cleanup_sighand+0x40/0x40
[ 27.482415] ? schedule+0x108/0x440
[ 27.482675] ? lock_downgrade+0x990/0x990
[ 27.482942] ? __schedule+0x2070/0x2070
[ 27.483200] ? check_same_owner+0x320/0x320
[ 27.483481] ? rcu_note_context_switch+0x710/0x710
[ 27.483805] ? futex_wait_setup+0x14a/0x3d0
[ 27.484124] ? __might_sleep+0x95/0x190
[ 27.484434] ? _cond_resched+0x14/0x30
[ 27.484743] ? futex_wait_queue_me+0x524/0x7e0
[ 27.485119] ? lock_release+0xa40/0xa40
[ 27.485429] ? __read_once_size_nocheck.constprop.8+0x10/0x10
[ 27.485844] ? bpf_prog_kallsyms_find+0xbd/0x440
[ 27.486166] ? get_futex_value_locked+0xc3/0xf0
[ 27.486534] ? futex_wait_setup+0x22e/0x3d0
[ 27.486839] ? is_bpf_text_address+0x7b/0x120
[ 27.487187] ? __dequeue_signal+0x103/0x7b0
[ 27.487482] ? recalc_sigpending_tsk+0x117/0x150
[ 27.487790] ? get_signal+0x855/0x17e0
[ 27.488048] ? lock_downgrade+0x990/0x990
[ 27.488331] do_group_exit+0x149/0x400
[ 27.488585] ? SyS_exit+0x30/0x30
[ 27.488855] get_signal+0x7e8/0x17e0
[ 27.489119] ? ptrace_notify+0x130/0x130
[ 27.489385] ? do_futex+0x781/0x20a0
[ 27.489655] ? __fget+0x333/0x570
[ 27.489903] ? lock_downgrade+0x990/0x990
[ 27.490236] ? lock_release+0xa40/0xa40
[ 27.490496] do_signal+0x94/0x1ee0
[ 27.490724] ? kasan_kmalloc+0xad/0xe0
[ 27.491025] ? _do_fork+0x1ef/0xfb0
[ 27.491326] ? _do_fork+0x2dc/0xfb0
[ 27.491576] ? setup_sigcontext+0x7d0/0x7d0
[ 27.492335] ? fork_idle+0x2d0/0x2d0
[ 27.492632] ? iterate_fd+0x3f0/0x3f0
[ 27.492891] ? lock_acquire+0x1d5/0x580
[ 27.493172] ? __fd_install+0x2da/0x6a0
[ 27.493426] ? lock_downgrade+0x990/0x990
[ 27.493706] ? lockdep_init_map+0x9/0x10
[ 27.493996] ? lock_release+0xa40/0xa40
[ 27.494278] ? proc_nr_files+0x60/0x60
[ 27.494570] ? rcu_note_context_switch+0x710/0x710
[ 27.494929] ? __fget_light+0x297/0x380
[ 27.495234] ? fget_raw+0x20/0x20
[ 27.495526] ? __fd_install+0x2f7/0x6a0
[ 27.495851] exit_to_usermode_loop+0x224/0x300
[ 27.496252] ? trace_event_raw_event_sys_exit+0x260/0x260
[ 27.496634] ? SyS_clone+0x37/0x50
[ 27.496858] do_syscall_64+0x65c/0x8c0
[ 27.497135] ? syscall_return_slowpath+0x500/0x500
[ 27.497470] ? do_futex+0x20a0/0x20a0
[ 27.497724] ? SyS_userfaultfd+0xd6/0x470
[ 27.498005] ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 27.498335] ? sys_vfork+0x30/0x30
[ 27.498604] entry_SYSCALL64_slow_path+0x25/0x25
[ 27.498948] RIP: 0033:0x446739
[ 27.499213] RSP: 002b:00007fb99d3fbc08 EFLAGS: 00000286 ORIG_RAX: 0000000000000038
[ 27.499704] RAX: fffffffffffffdff RBX: 0000000000000000 RCX: 0000000000446739
[ 27.500220] RDX: 0000000020f42000 RSI: 0000000020052000 RDI: 0000000000000000
[ 27.500733] RBP: 00000000007080a8 R08: 0000000020ef4ffc R09: 0000000000000000
[ 27.501260] R10: 0000000020a6bffc R11: 0000000000000286 R12: 00000000ffffffff
[ 27.501748] R13: 00000000000003b0 R14: 00000000006e2470 R15: 0000000020052000
[ 27.502446] Dumping ftrace buffer:
[ 27.502776]    (ftrace buffer empty)
[ 27.503131] Kernel Offset: disabled
[ 27.503455] Rebooting in 86400 seconds..