INIT: Entering runlevel: 2

[info] Using makefile-style concurrent boot in runlevel 2.
[ ok ] Starting enhanced syslogd: rsyslogd.
[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.

Debian GNU/Linux 7 syzkaller ttyS0

Warning: Permanently added 'ci-upstream-next-kasan-gce-1,10.128.15.198' (ECDSA) to the list of known hosts.
executing program
syzkaller login: [   54.939408] ==================================================================
[   54.946871] BUG: KASAN: use-after-free in handle_userfault+0x206f/0x2390
[   54.953687] Read of size 8 at addr ffff8801ce9cad88 by task syzkaller547101/2993
[   54.961192] 
[   54.962796] CPU: 0 PID: 2993 Comm: syzkaller547101 Not tainted 4.13.0-next-20170911+ #19
[   54.970996] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   54.980332] Call Trace:
[   54.982895]  dump_stack+0x194/0x257
[   54.986498]  ? arch_local_irq_restore+0x53/0x53
[   54.991140]  ? show_regs_print_info+0x65/0x65
[   54.995615]  ? handle_userfault+0x206f/0x2390
[   55.000086]  print_address_description+0x73/0x250
[   55.004904]  ? handle_userfault+0x206f/0x2390
[   55.009375]  kasan_report+0x24e/0x340
[   55.013154]  __asan_report_load8_noabort+0x14/0x20
[   55.018059]  handle_userfault+0x206f/0x2390
[   55.022364]  ? __lock_acquire+0x732/0x4620
[   55.027147]  ? __save_stack_trace+0x7e/0xd0
[   55.031449]  ? userfaultfd_ioctl+0x4510/0x4510
[   55.036005]  ? depot_save_stack+0x12c/0x490
[   55.040308]  ? debug_check_no_locks_freed+0x3d0/0x3d0
[   55.045470]  ? debug_check_no_locks_freed+0x3d0/0x3d0
[   55.050634]  ? check_noncircular+0x20/0x20
[   55.054842]  ? print_usage_bug+0x480/0x480
[   55.059050]  ? __handle_mm_fault+0x36e4/0x39c0
[   55.063607]  ? handle_mm_fault+0x334/0x8d0
[   55.067818]  ? __do_page_fault+0x4f6/0xb60
[   55.072027]  ? do_page_fault+0xee/0x720
[   55.075986]  ? check_noncircular+0x20/0x20
[   55.080206]  ? find_held_lock+0x39/0x1d0
[   55.084255]  ? lock_downgrade+0x990/0x990
[   55.088388]  ? __handle_mm_fault+0x22b1/0x39c0
[   55.092962]  ? do_raw_spin_trylock+0x190/0x190
[   55.097526]  ? check_noncircular+0x20/0x20
[   55.101735]  ? trace_hardirqs_on_caller+0x421/0x5c0
[   55.106722]  ? __lockdep_init_map+0xe4/0x650
[   55.111122]  __handle_mm_fault+0x2d46/0x39c0
[   55.115518]  ? __pmd_alloc+0x4e0/0x4e0
[   55.119393]  ? lock_downgrade+0x990/0x990
[   55.123524]  ? find_held_lock+0x39/0x1d0
[   55.127568]  ? __lock_is_held+0xbc/0x140
[   55.131631]  handle_mm_fault+0x334/0x8d0
[   55.135663]  ? down_read_trylock+0xdb/0x170
[   55.139956]  ? __do_page_fault+0x2b8/0xb60
[   55.144164]  ? __handle_mm_fault+0x39c0/0x39c0
[   55.148721]  ? vmacache_find+0x61/0x270
[   55.152668]  ? vmacache_update+0xfe/0x130
[   55.156793]  ? find_vma+0x30/0x150
[   55.160324]  __do_page_fault+0x4f6/0xb60
[   55.164373]  do_page_fault+0xee/0x720
[   55.168151]  ? _raw_spin_unlock_irq+0x27/0x70
[   55.172620]  ? __do_page_fault+0xb60/0xb60
[   55.176829]  ? trace_hardirqs_on_caller+0x421/0x5c0
[   55.181824]  ? lockdep_sys_exit+0x47/0xf0
[   55.185961]  ? syscall_return_slowpath+0x2b3/0x500
[   55.190865]  ? finish_task_switch+0x1aa/0x740
[   55.195340]  ? lockdep_sys_exit+0x47/0xf0
[   55.199467]  ? retint_user+0x18/0x20
[   55.203158]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   55.207982]  page_fault+0x22/0x30
[   55.211411] RIP: 0033:0x445455
[   55.214574] RSP: 002b:0000000020013000 EFLAGS: 00010217
[   55.219915] RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000445449
[   55.227159] RDX: 0000000020059ffc RSI: 0000000020013000 RDI: 0000000000000400
[   55.234403] RBP: 0000000000000000 R08: 0000000020058ffd R09: 00007f14ef18c700
[   55.241647] R10: 0000000020058ffc R11: 0000000000000202 R12: 0000000000000000
[   55.248891] R13: 00007ffca43554df R14: 00007f14ef18c9c0 R15: 0000000000000000
[   55.256152] 
[   55.257756] Allocated by task 2991:
[   55.261362]  save_stack_trace+0x16/0x20
[   55.265308]  save_stack+0x43/0xd0
[   55.268734]  kasan_kmalloc+0xad/0xe0
[   55.272421]  kasan_slab_alloc+0x12/0x20
[   55.276371]  kmem_cache_alloc+0x12e/0x760
[   55.280494]  dup_userfaultfd+0x21c/0x890
[   55.284544]  copy_mm+0xa38/0x1310
[   55.287967]  copy_process.part.36+0x1eae/0x4af0
[   55.292621]  _do_fork+0x1ef/0xfe0
[   55.296046]  SyS_clone+0x37/0x50
[   55.299386]  do_syscall_64+0x26c/0x8c0
[   55.303247]  return_from_SYSCALL_64+0x0/0x7a
[   55.307627] 
[   55.309236] Freed by task 2991:
[   55.312490]  save_stack_trace+0x16/0x20
[   55.316436]  save_stack+0x43/0xd0
[   55.319860]  kasan_slab_free+0x71/0xc0
[   55.323719]  kmem_cache_free+0x77/0x280
[   55.327666]  userfaultfd_ctx_put+0x50c/0x740
[   55.332058]  userfaultfd_event_wait_completion+0x754/0x910
[   55.337669]  dup_userfaultfd_complete+0x2de/0x480
[   55.342484]  copy_mm+0xe9b/0x1310
[   55.345909]  copy_process.part.36+0x1eae/0x4af0
[   55.350550]  _do_fork+0x1ef/0xfe0
[   55.353976]  SyS_clone+0x37/0x50
[   55.357318]  do_syscall_64+0x26c/0x8c0
[   55.361181]  return_from_SYSCALL_64+0x0/0x7a
[   55.365558] 
[   55.367157] The buggy address belongs to the object at ffff8801ce9cac00
[   55.367157]  which belongs to the cache userfaultfd_ctx_cache of size 400
[   55.380666] The buggy address is located 392 bytes inside of
[   55.380666]  400-byte region [ffff8801ce9cac00, ffff8801ce9cad90)
[   55.392513] The buggy address belongs to the page:
[   55.397420] page:ffffea00073a7280 count:1 mapcount:0 mapping:ffff8801ce9ca000 index:0xffff8801cf2f5300
[   55.406851] flags: 0x200000000000100(slab)
[   55.411061] raw: 0200000000000100 ffff8801ce9ca000 ffff8801cf2f5300 0000000100000008
[   55.418917] raw: ffff8801d56d6f50 ffff8801d56d6f50 ffff8801d56d2600 0000000000000000
[   55.426781] page dumped because: kasan: bad access detected
[   55.432476] 
[   55.434089] Memory state around the buggy address:
[   55.438993]  ffff8801ce9cac80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   55.446323]  ffff8801ce9cad00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   55.453653] >ffff8801ce9cad80: fb fb fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   55.460983]                       ^
[   55.464582]  ffff8801ce9cae00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   55.471912]  ffff8801ce9cae80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   55.479253] ==================================================================
[   55.486584] Disabling lock debugging due to kernel taint
[   55.492066] Kernel panic - not syncing: panic_on_warn set ...
[   55.492066] 
[   55.499402] CPU: 0 PID: 2993 Comm: syzkaller547101 Tainted: G    B           4.13.0-next-20170911+ #19
[   55.508814] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   55.518137] Call Trace:
[   55.520693]  dump_stack+0x194/0x257
[   55.524288]  ? arch_local_irq_restore+0x53/0x53
[   55.528924]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[   55.533649]  ? handle_userfault+0x2060/0x2390
[   55.538116]  panic+0x1e4/0x417
[   55.541275]  ? __warn+0x1d9/0x1d9
[   55.544702]  ? handle_userfault+0x206f/0x2390
[   55.549168]  kasan_end_report+0x50/0x50
[   55.553126]  kasan_report+0x137/0x340
[   55.556911]  __asan_report_load8_noabort+0x14/0x20
[   55.561821]  handle_userfault+0x206f/0x2390
[   55.566118]  ? __lock_acquire+0x732/0x4620
[   55.570333]  ? __save_stack_trace+0x7e/0xd0
[   55.574636]  ? userfaultfd_ioctl+0x4510/0x4510
[   55.579189]  ? depot_save_stack+0x12c/0x490
[   55.583484]  ? debug_check_no_locks_freed+0x3d0/0x3d0
[   55.588641]  ? debug_check_no_locks_freed+0x3d0/0x3d0
[   55.593797]  ? check_noncircular+0x20/0x20
[   55.597997]  ? print_usage_bug+0x480/0x480
[   55.602199]  ? __handle_mm_fault+0x36e4/0x39c0
[   55.606746]  ? handle_mm_fault+0x334/0x8d0
[   55.610945]  ? __do_page_fault+0x4f6/0xb60
[   55.615145]  ? do_page_fault+0xee/0x720
[   55.619092]  ? check_noncircular+0x20/0x20
[   55.623308]  ? find_held_lock+0x39/0x1d0
[   55.627345]  ? lock_downgrade+0x990/0x990
[   55.631462]  ? __handle_mm_fault+0x22b1/0x39c0
[   55.636013]  ? do_raw_spin_trylock+0x190/0x190
[   55.640559]  ? check_noncircular+0x20/0x20
[   55.644761]  ? trace_hardirqs_on_caller+0x421/0x5c0
[   55.649752]  ? __lockdep_init_map+0xe4/0x650
[   55.654134]  __handle_mm_fault+0x2d46/0x39c0
[   55.658510]  ? __pmd_alloc+0x4e0/0x4e0
[   55.662367]  ? lock_downgrade+0x990/0x990
[   55.666489]  ? find_held_lock+0x39/0x1d0
[   55.670519]  ? __lock_is_held+0xbc/0x140
[   55.674569]  handle_mm_fault+0x334/0x8d0
[   55.678596]  ? down_read_trylock+0xdb/0x170
[   55.682887]  ? __do_page_fault+0x2b8/0xb60
[   55.687088]  ? __handle_mm_fault+0x39c0/0x39c0
[   55.691638]  ? vmacache_find+0x61/0x270
[   55.695578]  ? vmacache_update+0xfe/0x130
[   55.699694]  ? find_vma+0x30/0x150
[   55.703202]  __do_page_fault+0x4f6/0xb60
[   55.707234]  do_page_fault+0xee/0x720
[   55.711015]  ? _raw_spin_unlock_irq+0x27/0x70
[   55.715476]  ? __do_page_fault+0xb60/0xb60
[   55.719678]  ? trace_hardirqs_on_caller+0x421/0x5c0
[   55.724661]  ? lockdep_sys_exit+0x47/0xf0
[   55.728775]  ? syscall_return_slowpath+0x2b3/0x500
[   55.733681]  ? finish_task_switch+0x1aa/0x740
[   55.738143]  ? lockdep_sys_exit+0x47/0xf0
[   55.742256]  ? retint_user+0x18/0x20
[   55.745937]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   55.750749]  page_fault+0x22/0x30
[   55.754168] RIP: 0033:0x445455
[   55.757325] RSP: 002b:0000000020013000 EFLAGS: 00010217
[   55.762657] RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000445449
[   55.769905] RDX: 0000000020059ffc RSI: 0000000020013000 RDI: 0000000000000400
[   55.777143] RBP: 0000000000000000 R08: 0000000020058ffd R09: 00007f14ef18c700
[   55.784391] R10: 0000000020058ffc R11: 0000000000000202 R12: 0000000000000000
[   55.791629] R13: 00007ffca43554df R14: 00007f14ef18c9c0 R15: 0000000000000000
[   55.798912] Dumping ftrace buffer:
[   55.802421]    (ftrace buffer empty)
[   55.806098] Kernel Offset: disabled
[   55.809695] Rebooting in 86400 seconds..