INIT: Entering runlevel: 2

[info] Using makefile-style concurrent boot in runlevel 2.
[ ok ] Starting enhanced syslogd: rsyslogd.
[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.

Debian GNU/Linux 7 syzkaller ttyS0

Warning: Permanently added 'ci-upstream-mmots-kasan-gce-6,10.128.0.17' (ECDSA) to the list of known hosts.
executing program
syzkaller login: [   70.269163] ==================================================================
[   70.270287] BUG: KASAN: use-after-free in handle_userfault+0x206f/0x2390
[   70.271191] Read of size 8 at addr ffff8801ceb26d88 by task syzkaller268110/2989
[   70.272198] 
[   70.272434] CPU: 0 PID: 2989 Comm: syzkaller268110 Not tainted 4.13.0-mm1+ #5
[   70.273389] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   70.274611] Call Trace:
[   70.274975]  dump_stack+0x194/0x257
[   70.275470]  ? arch_local_irq_restore+0x53/0x53
[   70.276097]  ? show_regs_print_info+0x65/0x65
[   70.276709]  ? handle_userfault+0x206f/0x2390
[   70.277314]  print_address_description+0x73/0x250
[   70.277962]  ? handle_userfault+0x206f/0x2390
[   70.278566]  kasan_report+0x24e/0x340
[   70.279084]  __asan_report_load8_noabort+0x14/0x20
[   70.279742]  handle_userfault+0x206f/0x2390
[   70.280330]  ? __lock_acquire+0x732/0x4620
[   70.280903]  ? __save_stack_trace+0x7e/0xd0
[   70.281485]  ? userfaultfd_ioctl+0x4510/0x4510
[   70.282126]  ? debug_check_no_locks_freed+0x3d0/0x3d0
[   70.282818]  ? debug_check_no_locks_freed+0x3d0/0x3d0
[   70.283510]  ? check_noncircular+0x20/0x20
[   70.284092]  ? find_held_lock+0x39/0x1d0
[   70.284650]  ? find_held_lock+0x39/0x1d0
[   70.285208]  ? lock_downgrade+0x990/0x990
[   70.285767]  ? finish_task_switch+0x1aa/0x740
[   70.286376]  ? __handle_mm_fault+0x22b1/0x39c0
[   70.287001]  ? do_raw_spin_trylock+0x190/0x190
[   70.287642]  ? check_noncircular+0x20/0x20
[   70.288213]  ? trace_hardirqs_on_caller+0x421/0x5c0
[   70.288887]  ? trace_hardirqs_on+0xd/0x10
[   70.290305]  ? finish_task_switch+0x1d3/0x740
[   70.294773]  ? finish_task_switch+0x1aa/0x740
[   70.299254]  __handle_mm_fault+0x2d46/0x39c0
[   70.303642]  ? __pmd_alloc+0x4e0/0x4e0
[   70.307508]  ? lock_downgrade+0x990/0x990
[   70.311634]  ? __sched_text_start+0x8/0x8
[   70.315753]  ? find_held_lock+0x39/0x1d0
[   70.319808]  ? __lock_is_held+0xbc/0x140
[   70.323887]  handle_mm_fault+0x334/0x8d0
[   70.327919]  ? down_read_trylock+0xdb/0x170
[   70.332211]  ? __do_page_fault+0x2b8/0xb60
[   70.336434]  ? __handle_mm_fault+0x39c0/0x39c0
[   70.340986]  ? vmacache_find+0x61/0x270
[   70.344931]  ? vmacache_update+0xfe/0x130
[   70.349053]  ? find_vma+0x30/0x150
[   70.352567]  __do_page_fault+0x4f6/0xb60
[   70.356608]  do_page_fault+0xee/0x720
[   70.360378]  ? trace_hardirqs_off+0xd/0x10
[   70.364585]  ? __do_page_fault+0xb60/0xb60
[   70.368795]  ? trace_event_raw_event_sys_exit+0x260/0x260
[   70.374306]  ? lockdep_sys_exit+0x47/0xf0
[   70.378425]  ? syscall_return_slowpath+0x2b3/0x500
[   70.383324]  ? finish_task_switch+0x4c9/0x740
[   70.387796]  ? retint_user+0x18/0x20
[   70.391485]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   70.396306]  page_fault+0x22/0x30
[   70.399728] RIP: 0033:0x445455
[   70.402888] RSP: 002b:0000000020013000 EFLAGS: 00010217
[   70.408228] RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000445449
[   70.415468] RDX: 0000000020059ffc RSI: 0000000020013000 RDI: 0000000000000400
[   70.422707] RBP: 0000000000000000 R08: 0000000020058ffd R09: 00007f6b81fe2700
[   70.429946] R10: 0000000020058ffc R11: 0000000000000202 R12: 0000000000000000
[   70.437187] R13: 00007ffee89ab8af R14: 00007f6b81fe29c0 R15: 0000000000000000
[   70.444447] 
[   70.446046] Allocated by task 2987:
[   70.449644]  save_stack_trace+0x16/0x20
[   70.453588]  save_stack+0x43/0xd0
[   70.457010]  kasan_kmalloc+0xad/0xe0
[   70.460693]  kasan_slab_alloc+0x12/0x20
[   70.464635]  kmem_cache_alloc+0x12e/0x760
[   70.468752]  dup_userfaultfd+0x21c/0x890
[   70.472793]  copy_mm+0xa38/0x1310
[   70.476235]  copy_process.part.36+0x1eae/0x4af0
[   70.480877]  _do_fork+0x1ef/0xfe0
[   70.484300]  SyS_clone+0x37/0x50
[   70.487635]  do_syscall_64+0x26c/0x8c0
[   70.491495]  return_from_SYSCALL_64+0x0/0x7a
[   70.495869] 
[   70.497468] Freed by task 2987:
[   70.500716]  save_stack_trace+0x16/0x20
[   70.504663]  save_stack+0x43/0xd0
[   70.508084]  kasan_slab_free+0x71/0xc0
[   70.511943]  kmem_cache_free+0x77/0x280
[   70.515888]  userfaultfd_ctx_put+0x50c/0x740
[   70.520265]  userfaultfd_event_wait_completion+0x754/0x910
[   70.525857]  dup_userfaultfd_complete+0x2de/0x480
[   70.530667]  copy_mm+0xe9b/0x1310
[   70.534090]  copy_process.part.36+0x1eae/0x4af0
[   70.538726]  _do_fork+0x1ef/0xfe0
[   70.542148]  SyS_clone+0x37/0x50
[   70.545484]  do_syscall_64+0x26c/0x8c0
[   70.549343]  return_from_SYSCALL_64+0x0/0x7a
[   70.553719] 
[   70.555319] The buggy address belongs to the object at ffff8801ceb26c00
[   70.555319]  which belongs to the cache userfaultfd_ctx_cache of size 400
[   70.568819] The buggy address is located 392 bytes inside of
[   70.568819]  400-byte region [ffff8801ceb26c00, ffff8801ceb26d90)
[   70.580660] The buggy address belongs to the page:
[   70.585559] page:ffffea00073ac980 count:1 mapcount:0 mapping:ffff8801ceb26000 index:0xffff8801ce9e8400
[   70.594982] flags: 0x200000000000100(slab)
[   70.599187] raw: 0200000000000100 ffff8801ceb26000 ffff8801ce9e8400 0000000100000008
[   70.607037] raw: ffff8801d6295150 ffff8801d6295150 ffff8801d5567c00 0000000000000000
[   70.614883] page dumped because: kasan: bad access detected
[   70.620567] 
[   70.622163] Memory state around the buggy address:
[   70.627060]  ffff8801ceb26c80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   70.634388]  ffff8801ceb26d00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   70.641717] >ffff8801ceb26d80: fb fb fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   70.649045]                       ^
[   70.652641]  ffff8801ceb26e00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   70.659975]  ffff8801ceb26e80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   70.667303] ==================================================================
[   70.674629] Disabling lock debugging due to kernel taint
[   70.680095] Kernel panic - not syncing: panic_on_warn set ...
[   70.680095] 
[   70.687424] CPU: 0 PID: 2989 Comm: syzkaller268110 Tainted: G    B           4.13.0-mm1+ #5
[   70.695874] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   70.705193] Call Trace:
[   70.707748]  dump_stack+0x194/0x257
[   70.711343]  ? arch_local_irq_restore+0x53/0x53
[   70.715977]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[   70.720700]  ? handle_userfault+0x2000/0x2390
[   70.725160]  panic+0x1e4/0x417
[   70.728317]  ? __warn+0x1d9/0x1d9
[   70.731741]  ? handle_userfault+0x206f/0x2390
[   70.736201]  kasan_end_report+0x50/0x50
[   70.740140]  kasan_report+0x137/0x340
[   70.743909]  __asan_report_load8_noabort+0x14/0x20
[   70.748801]  handle_userfault+0x206f/0x2390
[   70.753089]  ? __lock_acquire+0x732/0x4620
[   70.757291]  ? __save_stack_trace+0x7e/0xd0
[   70.761574]  ? userfaultfd_ioctl+0x4510/0x4510
[   70.766125]  ? debug_check_no_locks_freed+0x3d0/0x3d0
[   70.771287]  ? debug_check_no_locks_freed+0x3d0/0x3d0
[   70.776441]  ? check_noncircular+0x20/0x20
[   70.780644]  ? find_held_lock+0x39/0x1d0
[   70.784672]  ? find_held_lock+0x39/0x1d0
[   70.788700]  ? lock_downgrade+0x990/0x990
[   70.792813]  ? finish_task_switch+0x1aa/0x740
[   70.797275]  ? __handle_mm_fault+0x22b1/0x39c0
[   70.801834]  ? do_raw_spin_trylock+0x190/0x190
[   70.806381]  ? check_noncircular+0x20/0x20
[   70.810581]  ? trace_hardirqs_on_caller+0x421/0x5c0
[   70.815563]  ? trace_hardirqs_on+0xd/0x10
[   70.819674]  ? finish_task_switch+0x1d3/0x740
[   70.824134]  ? finish_task_switch+0x1aa/0x740
[   70.828595]  __handle_mm_fault+0x2d46/0x39c0
[   70.832975]  ? __pmd_alloc+0x4e0/0x4e0
[   70.836832]  ? lock_downgrade+0x990/0x990
[   70.840944]  ? __sched_text_start+0x8/0x8
[   70.845055]  ? find_held_lock+0x39/0x1d0
[   70.849081]  ? __lock_is_held+0xbc/0x140
[   70.853119]  handle_mm_fault+0x334/0x8d0
[   70.857143]  ? down_read_trylock+0xdb/0x170
[   70.861427]  ? __do_page_fault+0x2b8/0xb60
[   70.865625]  ? __handle_mm_fault+0x39c0/0x39c0
[   70.870172]  ? vmacache_find+0x61/0x270
[   70.874111]  ? vmacache_update+0xfe/0x130
[   70.878226]  ? find_vma+0x30/0x150
[   70.881730]  __do_page_fault+0x4f6/0xb60
[   70.885760]  do_page_fault+0xee/0x720
[   70.889625]  ? trace_hardirqs_off+0xd/0x10
[   70.893823]  ? __do_page_fault+0xb60/0xb60
[   70.898021]  ? trace_event_raw_event_sys_exit+0x260/0x260
[   70.903523]  ? lockdep_sys_exit+0x47/0xf0
[   70.907634]  ? syscall_return_slowpath+0x2b3/0x500
[   70.912526]  ? finish_task_switch+0x4c9/0x740
[   70.916988]  ? retint_user+0x18/0x20
[   70.920666]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   70.925474]  page_fault+0x22/0x30
[   70.928891] RIP: 0033:0x445455
[   70.932047] RSP: 002b:0000000020013000 EFLAGS: 00010217
[   70.937374] RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000445449
[   70.944610] RDX: 0000000020059ffc RSI: 0000000020013000 RDI: 0000000000000400
[   70.951845] RBP: 0000000000000000 R08: 0000000020058ffd R09: 00007f6b81fe2700
[   70.959080] R10: 0000000020058ffc R11: 0000000000000202 R12: 0000000000000000
[   70.966314] R13: 00007ffee89ab8af R14: 00007f6b81fe29c0 R15: 0000000000000000
[   70.973915] Dumping ftrace buffer:
[   70.977426]    (ftrace buffer empty)
[   70.981103] Kernel Offset: disabled
[   70.984703] Rebooting in 86400 seconds..