2017/09/05 03:01:40 parsed 1 programs
2017/09/05 03:01:40 executed programs: 0
syzkaller login: [   37.393030] ==================================================================
[   37.395546] BUG: KASAN: out-of-bounds in __list_del_entry_valid+0x10b/0x150
[   37.400721] Read of size 8 at addr ffff8800391efa80 by task syz-executor3/5431
[   37.401435] 
[   37.401620] CPU: 3 PID: 5431 Comm: syz-executor3 Not tainted 4.13.0-next-20170904+ #14
[   37.402470] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
[   37.403327] Call Trace:
[   37.403617]  dump_stack+0x194/0x257
[   37.404013]  ? arch_local_irq_restore+0x53/0x53
[   37.407349]  ? show_regs_print_info+0x65/0x65
[   37.407716]  ? do_raw_spin_trylock+0x190/0x190
[   37.408190]  ? __list_del_entry_valid+0x10b/0x150
[   37.408601]  print_address_description+0x73/0x250
[   37.409068]  ? __list_del_entry_valid+0x10b/0x150
[   37.409679]  kasan_report+0x24e/0x340
[   37.410106]  __asan_report_load8_noabort+0x14/0x20
[   37.410864]  __list_del_entry_valid+0x10b/0x150
[   37.411454]  userfaultfd_event_wait_completion+0x519/0x910
[   37.413326]  ? userfaultfd_ctx_get+0x190/0x190
[   37.413984]  ? lock_downgrade+0x990/0x990
[   37.414487]  ? __lock_is_held+0xbc/0x140
[   37.415273]  dup_userfaultfd_complete+0x2de/0x480
[   37.416075]  ? dup_userfaultfd+0x890/0x890
[   37.416755]  ? cpumask_any_but+0x88/0xc0
[   37.417580]  ? wake_up_q+0xe0/0xe0
[   37.418248]  ? __vma_link_rb+0x212/0x320
[   37.418865]  copy_mm+0xe9b/0x1310
[   37.419265]  ? list_add_tail_rcu+0x193/0x193
[   37.419943]  ? check_same_owner+0x320/0x320
[   37.420569]  ? rcu_pm_notify+0xc0/0xc0
[   37.421296]  ? copy_process.part.36+0x202f/0x4af0
[   37.422165]  ? rcu_read_lock_sched_held+0x108/0x120
[   37.422944]  ? kmem_cache_alloc+0x469/0x760
[   37.423615]  ? _raw_spin_unlock+0x22/0x30
[   37.424264]  copy_process.part.36+0x1eae/0x4af0
[   37.425145]  ? __cleanup_sighand+0x40/0x40
[   37.425953]  ? plist_check_head+0x130/0x130
[   37.426747]  ? check_same_owner+0x320/0x320
[   37.427478]  ? rcu_note_context_switch+0x710/0x710
[   37.428134]  ? futex_wait_setup+0x14a/0x3d0
[   37.428530]  ? __might_sleep+0x95/0x190
[   37.428861]  ? _cond_resched+0x14/0x30
[   37.429224]  ? futex_wait_queue_me+0x524/0x7e0
[   37.429599]  ? refill_pi_state_cache.part.6+0x2f0/0x2f0
[   37.430142]  ? get_futex_value_locked+0xc3/0xf0
[   37.430551]  ? futex_wait_setup+0x22e/0x3d0
[   37.430937]  ? futex_wake+0x680/0x680
[   37.431280]  ? __unqueue_futex+0x1c0/0x290
[   37.431642]  ? fault_in_user_writeable+0x90/0x90
[   37.432076]  ? drop_futex_key_refs.isra.13+0x63/0xb0
[   37.432529]  ? futex_wait+0x6cf/0xa00
[   37.432858]  ? mark_wake_futex+0xc0/0x1c0
[   37.433290]  ? futex_wait_setup+0x3d0/0x3d0
[   37.433948]  ? do_raw_spin_trylock+0x190/0x190
[   37.434580]  ? wake_up_q+0x8a/0xe0
[   37.435003]  ? drop_futex_key_refs.isra.13+0x63/0xb0
[   37.435556]  ? futex_wake+0x2ca/0x680
[   37.435960]  ? get_futex_key+0x1d50/0x1d50
[   37.436461]  ? do_futex+0x783/0x2130
[   37.436852]  ? find_held_lock+0x39/0x1d0
[   37.437477]  _do_fork+0x1ef/0xfe0
[   37.438107]  ? fork_idle+0x2d0/0x2d0
[   37.438811]  ? lock_release+0xd70/0xd70
[   37.439472]  ? __lock_is_held+0xbc/0x140
[   37.440188]  ? __fget+0x362/0x580
[   37.440722]  ? iterate_fd+0x3f0/0x3f0
[   37.441310]  ? lock_downgrade+0x990/0x990
[   37.441932]  ? __lock_is_held+0xbc/0x140
[   37.442575]  ? userfaultfd_read+0x220/0x220
[   37.443230]  ? do_vfs_ioctl+0x1b1/0x1530
[   37.443813]  ? do_vfs_ioctl+0x492/0x1530
[   37.444447]  ? do_raw_spin_trylock+0x190/0x190
[   37.445109]  SyS_clone+0x37/0x50
[   37.445656]  ? ptregs_sys_rt_sigreturn+0x10/0x10
[   37.446448]  do_syscall_64+0x26c/0x8c0
[   37.447135]  ? syscall_return_slowpath+0x500/0x500
[   37.448047]  ? do_futex+0x2130/0x2130
[   37.448683]  ? entry_SYSCALL_64_fastpath+0x5/0xbe
[   37.449421]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   37.449890]  ? sys_vfork+0x30/0x30
[   37.450217]  entry_SYSCALL64_slow_path+0x25/0x25
[   37.450659] RIP: 0033:0x447299
[   37.450946] RSP: 002b:00007f78ab587c08 EFLAGS: 00000282 ORIG_RAX: 0000000000000038
[   37.451656] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 0000000000447299
[   37.452307] RDX: 0000000020d6f000 RSI: 0000000020d42fff RDI: 0000000000000000
[   37.453253] RBP: 0000000000708160 R08: 0000000020497000 R09: 0000000000000000
[   37.454254] R10: 0000000020a6bffc R11: 0000000000000282 R12: 00000000ffffffff
[   37.455529] R13: 0000000000000450 R14: 00000000006e3510 R15: 0000000020d42fff
[   37.456663] 
[   37.457425] The buggy address belongs to the page:
[   37.458098] page:ffffea0000e47bc0 count:0 mapcount:0 mapping: (null) index:0x0
[   37.459463] flags: 0x100000000000000()
[   37.460387] raw: 0100000000000000 0000000000000000 0000000000000000 00000000ffffffff
[   37.461580] raw: 0000000000000000 0000000100000001 0000000000000000 0000000000000000
[   37.462291] page dumped because: kasan: bad access detected
[   37.462801] 
[   37.462951] Memory state around the buggy address:
[   37.463398]  ffff8800391ef980: 00 00 00 f1 f1 f1 f1 00 f2 f2 f2 f2 f2 f2 f2 00
[   37.464086]  ffff8800391efa00: f2 f2 f2 f2 f2 f2 f2 00 f2 f2 f2 f3 f3 f3 f3 00
[   37.464758] >ffff8800391efa80: 00 00 00 00 00 00 00 00 00 00 00 00 f1 f1 f1 f1
[   37.465637]                    ^
[   37.466151]  ffff8800391efb00: 00 f2 f2 f2 f2 f2 f2 f2 f8 f2 f2 f2 f2 f2 f2 f2
[   37.466866]  ffff8800391efb80: 00 f2 f2 f2 f3 f3 f3 f3 00 00 00 00 00 00 00 00
[   37.467628] ==================================================================
[   37.468505] Disabling lock debugging due to kernel taint
[   37.469159] Kernel panic - not syncing: panic_on_warn set ...
[   37.469159] 
[   37.470081] CPU: 3 PID: 5431 Comm: syz-executor3 Tainted: G B 4.13.0-next-20170904+ #14
[   37.470974] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
[   37.471773] Call Trace:
[   37.472011]  dump_stack+0x194/0x257
[   37.472358]  ? arch_local_irq_restore+0x53/0x53
[   37.472826]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[   37.473349]  ? __list_del_entry_valid+0x70/0x150
[   37.474156]  panic+0x1e4/0x417
[   37.474697]  ? __warn+0x1d9/0x1d9
[   37.475269]  ? __list_del_entry_valid+0x10b/0x150
[   37.476066]  kasan_end_report+0x50/0x50
[   37.476477]  kasan_report+0x137/0x340
[   37.477139]  __asan_report_load8_noabort+0x14/0x20
[   37.477642]  __list_del_entry_valid+0x10b/0x150
[   37.478070]  userfaultfd_event_wait_completion+0x519/0x910
[   37.478587]  ? userfaultfd_ctx_get+0x190/0x190
[   37.478999]  ? lock_downgrade+0x990/0x990
[   37.479383]  ? __lock_is_held+0xbc/0x140
[   37.479776]  dup_userfaultfd_complete+0x2de/0x480
[   37.480246]  ? dup_userfaultfd+0x890/0x890
[   37.480642]  ? cpumask_any_but+0x88/0xc0
[   37.481027]  ? wake_up_q+0xe0/0xe0
[   37.481388]  ? __vma_link_rb+0x212/0x320
[   37.481814]  copy_mm+0xe9b/0x1310
[   37.482088]  ? list_add_tail_rcu+0x193/0x193
[   37.482537]  ? check_same_owner+0x320/0x320
[   37.483148]  ? rcu_pm_notify+0xc0/0xc0
[   37.483547]  ? copy_process.part.36+0x202f/0x4af0
[   37.483944]  ? rcu_read_lock_sched_held+0x108/0x120
[   37.484451]  ? kmem_cache_alloc+0x469/0x760
[   37.484891]  ? _raw_spin_unlock+0x22/0x30
[   37.485412]  copy_process.part.36+0x1eae/0x4af0
[   37.486185]  ? __cleanup_sighand+0x40/0x40
[   37.486776]  ? plist_check_head+0x130/0x130
[   37.487366]  ? check_same_owner+0x320/0x320
[   37.487778]  ? rcu_note_context_switch+0x710/0x710
[   37.488234]  ? futex_wait_setup+0x14a/0x3d0
[   37.488648]  ? __might_sleep+0x95/0x190
[   37.489001]  ? _cond_resched+0x14/0x30
[   37.489374]  ? futex_wait_queue_me+0x524/0x7e0
[   37.489801]  ? refill_pi_state_cache.part.6+0x2f0/0x2f0
[   37.490294]  ? get_futex_value_locked+0xc3/0xf0
[   37.490708]  ? futex_wait_setup+0x22e/0x3d0
[   37.491140]  ? futex_wake+0x680/0x680
[   37.491476]  ? __unqueue_futex+0x1c0/0x290
[   37.491856]  ? fault_in_user_writeable+0x90/0x90
[   37.492308]  ? drop_futex_key_refs.isra.13+0x63/0xb0
[   37.492761]  ? futex_wait+0x6cf/0xa00
[   37.493128]  ? mark_wake_futex+0xc0/0x1c0
[   37.493514]  ? futex_wait_setup+0x3d0/0x3d0
[   37.493939]  ? do_raw_spin_trylock+0x190/0x190
[   37.494403]  ? wake_up_q+0x8a/0xe0
[   37.495044]  ? drop_futex_key_refs.isra.13+0x63/0xb0
[   37.495657]  ? futex_wake+0x2ca/0x680
[   37.496222]  ? get_futex_key+0x1d50/0x1d50
[   37.496667]  ? do_futex+0x783/0x2130
[   37.497081]  ? find_held_lock+0x39/0x1d0
[   37.497809]  _do_fork+0x1ef/0xfe0
[   37.499592]  ? fork_idle+0x2d0/0x2d0
[   37.501233]  ? lock_release+0xd70/0xd70
[   37.501609]  ? __lock_is_held+0xbc/0x140
[   37.502013]  ? __fget+0x362/0x580
[   37.502361]  ? iterate_fd+0x3f0/0x3f0
[   37.502705]  ? lock_downgrade+0x990/0x990
[   37.503097]  ? __lock_is_held+0xbc/0x140
[   37.503472]  ? userfaultfd_read+0x220/0x220
[   37.503860]  ? do_vfs_ioctl+0x1b1/0x1530
[   37.504243]  ? do_vfs_ioctl+0x492/0x1530
[   37.504630]  ? do_raw_spin_trylock+0x190/0x190
[   37.505119]  SyS_clone+0x37/0x50
[   37.505455]  ? ptregs_sys_rt_sigreturn+0x10/0x10
[   37.505872]  do_syscall_64+0x26c/0x8c0
[   37.506246]  ? syscall_return_slowpath+0x500/0x500
[   37.506825]  ? do_futex+0x2130/0x2130
[   37.507333]  ? entry_SYSCALL_64_fastpath+0x5/0xbe
[   37.507861]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   37.508399]  ? sys_vfork+0x30/0x30
[   37.508718]  entry_SYSCALL64_slow_path+0x25/0x25
[   37.509170] RIP: 0033:0x447299
[   37.509456] RSP: 002b:00007f78ab587c08 EFLAGS: 00000282 ORIG_RAX: 0000000000000038
[   37.510157] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 0000000000447299
[   37.510799] RDX: 0000000020d6f000 RSI: 0000000020d42fff RDI: 0000000000000000
[   37.511472] RBP: 0000000000708160 R08: 0000000020497000 R09: 0000000000000000
[   37.512142] R10: 0000000020a6bffc R11: 0000000000000282 R12: 00000000ffffffff
[   37.512781] R13: 0000000000000450 R14: 00000000006e3510 R15: 0000000020d42fff
[   37.515408] Dumping ftrace buffer:
[   37.515718]    (ftrace buffer empty)
[   37.516031] Kernel Offset: disabled
[   37.516258] Rebooting in 86400 seconds..
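The "Memory state around the buggy address" rows are the one part of the report above that can be decoded without a vmlinux, and the first question for a stack-tagged report (f1/f2/f3 bytes) is which granules the 8-byte read at ffff8800391efa80 actually touched and how far the nearest redzone is. The following is an added example, my own code rather than anything from syzkaller or the kernel: it parses the shadow rows exactly as KASAN prints them (one shadow byte per 8-byte granule, 16 per row, printk prefix and caret line included), and explains the reported access. The shadow legend is the one in the kernel's mm/kasan/kasan.h for generic KASAN; the row strings are copied from the report above; all function names are mine.

```python
import re

SHADOW_SCALE = 8          # one shadow byte describes one 8-byte granule

# Shadow byte values from the kernel's mm/kasan/kasan.h (generic KASAN).
LEGEND = {
    0xff: "free page",
    0xfe: "page redzone",
    0xfc: "kmalloc redzone",
    0xfb: "kmalloc freed",
    0xfa: "global redzone",
    0xf1: "stack left redzone",
    0xf2: "stack mid redzone",
    0xf3: "stack right redzone",
    0xf4: "stack partial redzone",
    0xf8: "use after scope",
}

PRINTK_PREFIX = re.compile(r"^\s*\[\s*\d+\.\d+\]")
ROW = re.compile(r"^\s*>?([0-9a-f]{16}):((?:\s+[0-9a-f]{2}){16})\s*$")

# Rows copied from the KASAN report above; the caret line is kept to show it is skipped.
REPORT_ROWS = [
    "[   37.463398]  ffff8800391ef980: 00 00 00 f1 f1 f1 f1 00 f2 f2 f2 f2 f2 f2 f2 00",
    "[   37.464086]  ffff8800391efa00: f2 f2 f2 f2 f2 f2 f2 00 f2 f2 f2 f3 f3 f3 f3 00",
    "[   37.464758] >ffff8800391efa80: 00 00 00 00 00 00 00 00 00 00 00 00 f1 f1 f1 f1",
    "[   37.465637]                    ^",
    "[   37.466151]  ffff8800391efb00: 00 f2 f2 f2 f2 f2 f2 f2 f8 f2 f2 f2 f2 f2 f2 f2",
    "[   37.466866]  ffff8800391efb80: 00 f2 f2 f2 f3 f3 f3 f3 00 00 00 00 00 00 00 00",
]
REPORT_ADDR = 0xffff8800391efa80   # "Read of size 8 at addr ..." in the report
REPORT_SIZE = 8


def parse_shadow_rows(lines):
    """Map each granule's start address to its shadow byte; skip non-row lines."""
    shadow = {}
    for line in lines:
        m = ROW.match(PRINTK_PREFIX.sub("", line))
        if not m:
            continue              # caret line, blank line, surrounding text
        base = int(m.group(1), 16)
        for i, tok in enumerate(m.group(2).split()):
            shadow[base + i * SHADOW_SCALE] = int(tok, 16)
    return shadow


def describe(value):
    """Human-readable meaning of one shadow byte."""
    if value == 0:
        return "addressable"
    if 1 <= value <= 7:
        return f"first {value} of 8 bytes addressable"
    return LEGEND.get(value, f"unknown shadow value {value:#04x}")


def granule_is_bad(granule, value, addr, size):
    """Would KASAN flag the access [addr, addr+size) against this granule's shadow?"""
    if value is None or value == 0:
        return False
    if 1 <= value <= 7:
        # Only the first `value` bytes are valid: bad if the access ends past them.
        end_off = min(addr + size, granule + SHADOW_SCALE) - granule
        return end_off > value
    return True                   # any redzone / freed marker is poison


def explain_access(shadow, addr, size):
    """Per-granule (start, shadow, meaning, bad) for an access, plus an overall verdict."""
    first = addr & ~(SHADOW_SCALE - 1)
    last = (addr + size - 1) & ~(SHADOW_SCALE - 1)
    granules = []
    for g in range(first, last + 1, SHADOW_SCALE):
        v = shadow.get(g)
        meaning = "not in dump" if v is None else describe(v)
        granules.append((g, v, meaning, granule_is_bad(g, v, addr, size)))
    return {"granules": granules, "poisoned": any(b for *_, b in granules)}


def nearest_poison(shadow, addr):
    """Closest redzone-tagged granule at/below and at/above addr within the dump, or None."""
    g = addr & ~(SHADOW_SCALE - 1)
    lo, hi = min(shadow), max(shadow)
    below = next(((a, shadow[a]) for a in range(g, lo - 1, -SHADOW_SCALE)
                  if shadow.get(a, 0) >= 0xf1), None)
    above = next(((a, shadow[a]) for a in range(g, hi + 1, SHADOW_SCALE)
                  if shadow.get(a, 0) >= 0xf1), None)
    return below, above


if __name__ == "__main__":
    shadow = parse_shadow_rows(REPORT_ROWS)
    for g, v, meaning, bad in explain_access(shadow, REPORT_ADDR, REPORT_SIZE)["granules"]:
        sv = "??" if v is None else f"{v:#04x}"
        print(f"{g:#x}: shadow {sv} ({meaning}){' <- poison' if bad else ''}")
    for label, hit in zip(("below", "above"), nearest_poison(shadow, REPORT_ADDR)):
        if hit:
            print(f"nearest poison {label}: {hit[0]:#x} = {hit[1]:#04x} ({describe(hit[1])})")
```

Run on these rows it reports the granule at ffff8800391efa80 as 00 (addressable) at the moment the dump was printed, with a stack right redzone (f3) 16 bytes below at ffff8800391efa70 and a stack left redzone (f1) 96 bytes above at ffff8800391efae0, so the read landed in the unpoisoned gap between two instrumented stack frames. The inline check in __list_del_entry_valid had already failed before the rows were printed, so the shadow was rewritten in between; stack shadow is repainted by function prologues and epilogues, which means a clean byte under the caret is the usual signature of a list entry that lived in a stack frame torn down between the check and the print, and whichever task owned that frame is the first thing to look for in the wait in userfaultfd_event_wait_completion.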