executing program
syzkaller login: [   35.201754] ==================================================================
[   35.204534] BUG: KASAN: use-after-free in handle_userfault+0x206f/0x2390
[   35.205650] Read of size 8 at addr ffff88003e963d88 by task syzkaller209109/2984
[   35.206927] 
[   35.207241] CPU: 1 PID: 2984 Comm: syzkaller209109 Not tainted 4.13.0-next-20170911+ #1
[   35.208619] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
[   35.210009] Call Trace:
[   35.210467]  dump_stack+0x194/0x257
[   35.211114]  ? arch_local_irq_restore+0x53/0x53
[   35.211915]  ? show_regs_print_info+0x65/0x65
[   35.212701]  ? handle_userfault+0x206f/0x2390
[   35.213474]  print_address_description+0x73/0x250
[   35.214303]  ? handle_userfault+0x206f/0x2390
[   35.215081]  kasan_report+0x24e/0x340
[   35.215746]  __asan_report_load8_noabort+0x14/0x20
[   35.216588]  handle_userfault+0x206f/0x2390
[   35.217337]  ? __lock_acquire+0x732/0x4620
[   35.218067]  ? __save_stack_trace+0x7e/0xd0
[   35.218811]  ? userfaultfd_ioctl+0x4510/0x4510
[   35.219605]  ? depot_save_stack+0x12c/0x490
[   35.220361]  ? debug_check_no_locks_freed+0x3d0/0x3d0
[   35.221247]  ? debug_check_no_locks_freed+0x3d0/0x3d0
[   35.222137]  ? check_noncircular+0x20/0x20
[   35.222865]  ? print_usage_bug+0x480/0x480
[   35.223597]  ? __handle_mm_fault+0x36e4/0x39c0
[   35.224444]  ? handle_mm_fault+0x334/0x8d0
[   35.225934]  ? __do_page_fault+0x4f6/0xb60
[   35.226511]  ? do_page_fault+0xee/0x720
[   35.227070]  ? async_page_fault+0x22/0x30
[   35.227645]  ? check_noncircular+0x20/0x20
[   35.228226]  ? find_held_lock+0x39/0x1d0
[   35.228794]  ? lock_downgrade+0x990/0x990
[   35.229368]  ? __handle_mm_fault+0x22b1/0x39c0
[   35.229998]  ? do_raw_spin_trylock+0x190/0x190
[   35.230539]  ? check_noncircular+0x20/0x20
[   35.231020]  ? trace_hardirqs_on_caller+0x421/0x5c0
[   35.231578]  ? __lockdep_init_map+0xe4/0x650
[   35.232090]  __handle_mm_fault+0x2d46/0x39c0
[   35.232589]  ? __pmd_alloc+0x4e0/0x4e0
[   35.233036]  ? lock_downgrade+0x990/0x990
[   35.233507]  ? find_held_lock+0x39/0x1d0
[   35.233965]  ? __lock_is_held+0xbc/0x140
[   35.234450]  handle_mm_fault+0x334/0x8d0
[   35.234901]  ? down_read_trylock+0xdb/0x170
[   35.235363]  ? __do_page_fault+0x2b8/0xb60
[   35.235764]  ? __handle_mm_fault+0x39c0/0x39c0
[   35.236193]  ? vmacache_find+0x61/0x270
[   35.236568]  ? vmacache_update+0xfe/0x130
[   35.236962]  ? find_vma+0x30/0x150
[   35.237302]  __do_page_fault+0x4f6/0xb60
[   35.237694]  do_page_fault+0xee/0x720
[   35.238055]  ? __do_page_fault+0xb60/0xb60
[   35.238455]  ? trace_hardirqs_on_caller+0x421/0x5c0
[   35.238927]  ? lockdep_sys_exit+0x47/0xf0
[   35.239323]  ? syscall_return_slowpath+0x2b3/0x500
[   35.239785]  ? finish_task_switch+0x1aa/0x740
[   35.240214]  ? lockdep_sys_exit+0x47/0xf0
[   35.240554]  ? retint_user+0x18/0x23
[   35.240863]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   35.241264]  do_async_page_fault+0x72/0xc0
[   35.241611]  async_page_fault+0x22/0x30
[   35.241937] RIP: 0033:0x43a985
[   35.242198] RSP: 002b:0000000020013000 EFLAGS: 00010217
[   35.242637] RAX: 0000000000000000 RBX: 0000000000000000 RCX: 000000000043a979
[   35.243226] RDX: 0000000020059ffc RSI: 0000000020013000 RDI: 0000000000000400
[   35.243810] RBP: 0000000000000000 R08: 0000000020058ffd R09: 0000000000000000
[   35.244395] R10: 0000000020058ffc R11: 0000000000000206 R12: 0000000000000000
[   35.244979] R13: 0000000000000000 R14: 00007fdea13869c0 R15: 00007fdea1386700
[   35.245901] 
[   35.246027] Allocated by task 2982:
[   35.246294]  save_stack_trace+0x16/0x20
[   35.246584]  save_stack+0x43/0xd0
[   35.246835]  kasan_kmalloc+0xad/0xe0
[   35.247113]  kasan_slab_alloc+0x12/0x20
[   35.247407]  kmem_cache_alloc+0x12e/0x760
[   35.247709]  dup_userfaultfd+0x21c/0x890
[   35.248001]  copy_mm+0xa38/0x1310
[   35.248252]  copy_process.part.36+0x1eae/0x4af0
[   35.248590]  _do_fork+0x1ef/0xfe0
[   35.248839]  SyS_clone+0x37/0x50
[   35.249083]  do_syscall_64+0x26c/0x8c0
[   35.249362]  return_from_SYSCALL_64+0x0/0x7a
[   35.249679] 
[   35.249800] Freed by task 2982:
[   35.250039]  save_stack_trace+0x16/0x20
[   35.250340]  save_stack+0x43/0xd0
[   35.250571]  kasan_slab_free+0x71/0xc0
[   35.250831]  kmem_cache_free+0x77/0x280
[   35.251137]  userfaultfd_ctx_put+0x50c/0x740
[   35.251482]  userfaultfd_event_wait_completion+0x754/0x910
[   35.251877]  dup_userfaultfd_complete+0x2de/0x480
[   35.252298]  copy_mm+0xe9b/0x1310
[   35.252529]  copy_process.part.36+0x1eae/0x4af0
[   35.252838]  _do_fork+0x1ef/0xfe0
[   35.253103]  SyS_clone+0x37/0x50
[   35.253371]  do_syscall_64+0x26c/0x8c0
[   35.253631]  return_from_SYSCALL_64+0x0/0x7a
[   35.253946] 
[   35.254075] The buggy address belongs to the object at ffff88003e963c00
[   35.254075]  which belongs to the cache userfaultfd_ctx_cache of size 400
[   35.255078] The buggy address is located 392 bytes inside of
[   35.255078]  400-byte region [ffff88003e963c00, ffff88003e963d90)
[   35.256052] The buggy address belongs to the page:
[   35.256408] page:ffffea0000fa58c0 count:1 mapcount:0 mapping:ffff88003e963000 index:0xffff88003cb08480
[   35.257072] flags: 0x100000000000100(slab)
[   35.257376] raw: 0100000000000100 ffff88003e963000 ffff88003cb08480 0000000100000008
[   35.257906] raw: ffff88003bc99a50 ffff88003bc99a50 ffff88006b848640 0000000000000000
[   35.258449] page dumped because: kasan: bad access detected
[   35.258850] 
[   35.258961] Memory state around the buggy address:
[   35.259317]  ffff88003e963c80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   35.259799]  ffff88003e963d00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   35.260324] >ffff88003e963d80: fb fb fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   35.260805]                       ^
[   35.261073]  ffff88003e963e00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   35.261582]  ffff88003e963e80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   35.262076] ==================================================================
[   35.262569] Disabling lock debugging due to kernel taint
[   35.262942] Kernel panic - not syncing: panic_on_warn set ...
[   35.262942] 
[   35.263565] CPU: 1 PID: 2984 Comm: syzkaller209109 Tainted: G    B           4.13.0-next-20170911+ #1
[   35.264243] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
[   35.264803] Call Trace:
[   35.264994]  dump_stack+0x194/0x257
[   35.265266]  ? arch_local_irq_restore+0x53/0x53
[   35.265619]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[   35.265930]  ? handle_userfault+0x2060/0x2390
[   35.266281]  panic+0x1e4/0x417
[   35.266490]  ? __warn+0x1d9/0x1d9
[   35.267266]  ? handle_userfault+0x206f/0x2390
[   35.267581]  kasan_end_report+0x50/0x50
[   35.267840]  kasan_report+0x137/0x340
[   35.268120]  __asan_report_load8_noabort+0x14/0x20
[   35.268467]  handle_userfault+0x206f/0x2390
[   35.268751]  ? __lock_acquire+0x732/0x4620
[   35.269047]  ? __save_stack_trace+0x7e/0xd0
[   35.269360]  ? userfaultfd_ioctl+0x4510/0x4510
[   35.269690]  ? depot_save_stack+0x12c/0x490
[   35.270003]  ? debug_check_no_locks_freed+0x3d0/0x3d0
[   35.270404]  ? debug_check_no_locks_freed+0x3d0/0x3d0
[   35.270757]  ? check_noncircular+0x20/0x20
[   35.271052]  ? print_usage_bug+0x480/0x480
[   35.271364]  ? __handle_mm_fault+0x36e4/0x39c0
[   35.271677]  ? handle_mm_fault+0x334/0x8d0
[   35.271954]  ? __do_page_fault+0x4f6/0xb60
[   35.272251]  ? do_page_fault+0xee/0x720
[   35.272527]  ? async_page_fault+0x22/0x30
[   35.272802]  ? check_noncircular+0x20/0x20
[   35.273098]  ? find_held_lock+0x39/0x1d0
[   35.273389]  ? lock_downgrade+0x990/0x990
[   35.273684]  ? __handle_mm_fault+0x22b1/0x39c0
[   35.273994]  ? do_raw_spin_trylock+0x190/0x190
[   35.274300]  ? check_noncircular+0x20/0x20
[   35.274594]  ? trace_hardirqs_on_caller+0x421/0x5c0
[   35.274921]  ? __lockdep_init_map+0xe4/0x650
[   35.275242]  __handle_mm_fault+0x2d46/0x39c0
[   35.275550]  ? __pmd_alloc+0x4e0/0x4e0
[   35.275807]  ? lock_downgrade+0x990/0x990
[   35.276095]  ? find_held_lock+0x39/0x1d0
[   35.276369]  ? __lock_is_held+0xbc/0x140
[   35.276671]  handle_mm_fault+0x334/0x8d0
[   35.276959]  ? down_read_trylock+0xdb/0x170
[   35.277247]  ? __do_page_fault+0x2b8/0xb60
[   35.277531]  ? __handle_mm_fault+0x39c0/0x39c0
[   35.277842]  ? vmacache_find+0x61/0x270
[   35.278121]  ? vmacache_update+0xfe/0x130
[   35.278412]  ? find_vma+0x30/0x150
[   35.278675]  __do_page_fault+0x4f6/0xb60
[   35.278944]  do_page_fault+0xee/0x720
[   35.279226]  ? __do_page_fault+0xb60/0xb60
[   35.279565]  ? trace_hardirqs_on_caller+0x421/0x5c0
[   35.279893]  ? lockdep_sys_exit+0x47/0xf0
[   35.280194]  ? syscall_return_slowpath+0x2b3/0x500
[   35.280549]  ? finish_task_switch+0x1aa/0x740
[   35.280844]  ? lockdep_sys_exit+0x47/0xf0
[   35.281143]  ? retint_user+0x18/0x23
[   35.281405]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   35.281741]  do_async_page_fault+0x72/0xc0
[   35.282052]  async_page_fault+0x22/0x30
[   35.282312] RIP: 0033:0x43a985
[   35.282553] RSP: 002b:0000000020013000 EFLAGS: 00010217
[   35.282902] RAX: 0000000000000000 RBX: 0000000000000000 RCX: 000000000043a979
[   35.283433] RDX: 0000000020059ffc RSI: 0000000020013000 RDI: 0000000000000400
[   35.283947] RBP: 0000000000000000 R08: 0000000020058ffd R09: 0000000000000000
[   35.284479] R10: 0000000020058ffc R11: 0000000000000206 R12: 0000000000000000
[   35.284979] R13: 0000000000000000 R14: 00007fdea13869c0 R15: 00007fdea1386700
[   35.285596] Dumping ftrace buffer:
[   35.285844]    (ftrace buffer empty)
[   35.286115] Kernel Offset: disabled
[   35.286355] Rebooting in 86400 seconds..