[  OK  ] Started Getty on tty2.
[  OK  ] Started Getty on tty1.
[  OK  ] Started Serial Getty on ttyS0.
[  OK  ] Reached target Login Prompts.
[  OK  ] Reached target Multi-User System.
[  OK  ] Reached target Graphical Interface.
         Starting Update UTMP about System Runlevel Changes...
[  OK  ] Started Update UTMP about System Runlevel Changes.
         Starting Load/Save RF Kill Switch Status...
[  OK  ] Started Load/Save RF Kill Switch Status.

Debian GNU/Linux 9 syzkaller ttyS0

Warning: Permanently added '10.128.0.135' (ECDSA) to the list of known hosts.
executing program
syzkaller login: [   58.941425][ T6850] ==================================================================
[   58.941465][ T6850] BUG: KASAN: use-after-free in vcs_read+0xaa7/0xb40
[   58.941472][ T6850] Write of size 2 at addr ffff8880983c6000 by task syz-executor929/6850
[   58.941475][ T6850] 
[   58.941485][ T6850] CPU: 1 PID: 6850 Comm: syz-executor929 Not tainted 5.9.0-rc2-next-20200824-syzkaller #0
[   58.941490][ T6850] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   58.941493][ T6850] Call Trace:
[   58.941507][ T6850]  dump_stack+0x18f/0x20d
[   58.941516][ T6850]  ? vcs_read+0xaa7/0xb40
[   58.941523][ T6850]  ? vcs_read+0xaa7/0xb40
[   58.941534][ T6850]  print_address_description.constprop.0.cold+0xae/0x497
[   58.941544][ T6850]  ? lock_release+0x8e0/0x8e0
[   58.941552][ T6850]  ? lock_downgrade+0x830/0x830
[   58.941563][ T6850]  ? vprintk_func+0x97/0x1a6
[   58.941572][ T6850]  ? vcs_read+0xaa7/0xb40
[   58.941579][ T6850]  ? vcs_read+0xaa7/0xb40
[   58.941587][ T6850]  kasan_report.cold+0x1f/0x37
[   58.941596][ T6850]  ? vcs_read+0xaa7/0xb40
[   58.941605][ T6850]  vcs_read+0xaa7/0xb40
[   58.941627][ T6850]  ? vcs_write+0xb50/0xb50
[   58.941638][ T6850]  ? security_file_permission+0x248/0x560
[   58.941652][ T6850]  do_iter_read+0x48e/0x6e0
[   58.941667][ T6850]  vfs_readv+0xe5/0x150
[   58.941677][ T6850]  ? compat_rw_copy_check_uvector+0x4c0/0x4c0
[   58.941689][ T6850]  ? rcu_read_lock_sched_held+0x3a/0xb0
[   58.941699][ T6850]  ? putname+0xe1/0x120
[   58.941720][ T6850]  __x64_sys_preadv+0x231/0x310
[   58.941729][ T6850]  ? __ia32_sys_writev+0xb0/0xb0
[   58.941739][ T6850]  ? trace_hardirqs_on+0x5f/0x220
[   58.941749][ T6850]  ? lockdep_hardirqs_on+0x76/0xf0
[   58.941760][ T6850]  do_syscall_64+0x2d/0x70
[   58.941770][ T6850]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[   58.941777][ T6850] RIP: 0033:0x440339
[   58.941786][ T6850] Code: 23 02 00 85 c0 b8 00 00 00 00 48 0f 44 c3 5b c3 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 1b 13 fc ff c3 66 2e 0f 1f 84 00 00 00 00
[   58.941790][ T6850] RSP: 002b:00007ffc1f157e58 EFLAGS: 00000246 ORIG_RAX: 0000000000000127
[   58.941800][ T6850] RAX: ffffffffffffffda RBX: 00007ffc1f157e60 RCX: 0000000000440339
[   58.941806][ T6850] RDX: 0000000000000006 RSI: 0000000020001b00 RDI: 0000000000000003
[   58.941811][ T6850] RBP: 00000000006cb018 R08: 0000000000000000 R09: 6c616b7a79732f2e
[   58.941817][ T6850] R10: 0000000000000003 R11: 0000000000000246 R12: 0000000000401ae0
[   58.941822][ T6850] R13: 0000000000401b70 R14: 0000000000000000 R15: 0000000000000000
[   58.941833][ T6850] 
[   58.941837][ T6850] Allocated by task 6850:
[   58.941845][ T6850]  kasan_save_stack+0x1b/0x40
[   58.941852][ T6850]  __kasan_kmalloc.constprop.0+0xbf/0xd0
[   58.941859][ T6850]  __kmalloc+0x1a8/0x320
[   58.941867][ T6850]  tomoyo_realpath_from_path+0xc3/0x620
[   58.941873][ T6850]  tomoyo_path_perm+0x212/0x3f0
[   58.941881][ T6850]  security_inode_getattr+0xcf/0x140
[   58.941888][ T6850]  vfs_statx_fd+0x70/0xf0
[   58.941895][ T6850]  __do_sys_newfstat+0x88/0x100
[   58.941903][ T6850]  do_syscall_64+0x2d/0x70
[   58.941920][ T6850]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[   58.941922][ T6850] 
[   58.941926][ T6850] Freed by task 6850:
[   58.941933][ T6850]  kasan_save_stack+0x1b/0x40
[   58.941940][ T6850]  kasan_set_track+0x1c/0x30
[   58.941948][ T6850]  kasan_set_free_info+0x1b/0x30
[   58.941954][ T6850]  __kasan_slab_free+0xd8/0x120
[   58.941960][ T6850]  kfree+0x103/0x2c0
[   58.941968][ T6850]  tomoyo_realpath_from_path+0x191/0x620
[   58.941974][ T6850]  tomoyo_path_perm+0x212/0x3f0
[   58.941981][ T6850]  security_inode_getattr+0xcf/0x140
[   58.941988][ T6850]  vfs_statx_fd+0x70/0xf0
[   58.941996][ T6850]  __do_sys_newfstat+0x88/0x100
[   58.942003][ T6850]  do_syscall_64+0x2d/0x70
[   58.942011][ T6850]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[   58.942013][ T6850] 
[   58.942023][ T6850] The buggy address belongs to the object at ffff8880983c6000
[   58.942023][ T6850]  which belongs to the cache kmalloc-4k of size 4096
[   58.942030][ T6850] The buggy address is located 0 bytes inside of
[   58.942030][ T6850]  4096-byte region [ffff8880983c6000, ffff8880983c7000)
[   58.942033][ T6850] The buggy address belongs to the page:
[   58.942043][ T6850] page:00000000b618e75c refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x983c6
[   58.942048][ T6850] head:00000000b618e75c order:1 compound_mapcount:0
[   58.942055][ T6850] flags: 0xfffe0000010200(slab|head)
[   58.942066][ T6850] raw: 00fffe0000010200 ffffea000251f308 ffffea0002381808 ffff8880aa040900
[   58.942075][ T6850] raw: 0000000000000000 ffff8880983c6000 0000000100000001 0000000000000000
[   58.942079][ T6850] page dumped because: kasan: bad access detected
[   58.942081][ T6850] 
[   58.942084][ T6850] Memory state around the buggy address:
[   58.942091][ T6850]  ffff8880983c5f00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   58.942097][ T6850]  ffff8880983c5f80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   58.942103][ T6850] >ffff8880983c6000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   58.942106][ T6850]                    ^
[   58.942112][ T6850]  ffff8880983c6080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   58.942118][ T6850]  ffff8880983c6100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   58.942122][ T6850] ==================================================================
[   58.942125][ T6850] Disabling lock debugging due to kernel taint
[   58.942129][ T6850] Kernel panic - not syncing: panic_on_warn set ...
[   58.942137][ T6850] CPU: 1 PID: 6850 Comm: syz-executor929 Tainted: G    B             5.9.0-rc2-next-20200824-syzkaller #0
[   58.942141][ T6850] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   58.942143][ T6850] Call Trace:
[   58.942151][ T6850]  dump_stack+0x18f/0x20d
[   58.942159][ T6850]  ? vcs_read+0x9e0/0xb40
[   58.942168][ T6850]  panic+0x2e3/0x75c
[   58.942176][ T6850]  ? __warn_printk+0xf3/0xf3
[   58.942185][ T6850]  ? trace_hardirqs_on+0x55/0x220
[   58.942192][ T6850]  ? vcs_read+0xaa7/0xb40
[   58.942198][ T6850]  ? vcs_read+0xaa7/0xb40
[   58.942205][ T6850]  end_report+0x4d/0x53
[   58.942212][ T6850]  kasan_report.cold+0xd/0x37
[   58.942220][ T6850]  ? vcs_read+0xaa7/0xb40
[   58.942227][ T6850]  vcs_read+0xaa7/0xb40
[   58.942236][ T6850]  ? vcs_write+0xb50/0xb50
[   58.942244][ T6850]  ? security_file_permission+0x248/0x560
[   58.942253][ T6850]  do_iter_read+0x48e/0x6e0
[   58.942263][ T6850]  vfs_readv+0xe5/0x150
[   58.942271][ T6850]  ? compat_rw_copy_check_uvector+0x4c0/0x4c0
[   58.942280][ T6850]  ? rcu_read_lock_sched_held+0x3a/0xb0
[   58.942287][ T6850]  ? putname+0xe1/0x120
[   58.942299][ T6850]  __x64_sys_preadv+0x231/0x310
[   58.942307][ T6850]  ? __ia32_sys_writev+0xb0/0xb0
[   58.942315][ T6850]  ? trace_hardirqs_on+0x5f/0x220
[   58.942322][ T6850]  ? lockdep_hardirqs_on+0x76/0xf0
[   58.942330][ T6850]  do_syscall_64+0x2d/0x70
[   58.942338][ T6850]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[   58.942343][ T6850] RIP: 0033:0x440339
[   58.942350][ T6850] Code: 23 02 00 85 c0 b8 00 00 00 00 48 0f 44 c3 5b c3 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 1b 13 fc ff c3 66 2e 0f 1f 84 00 00 00 00
[   58.942354][ T6850] RSP: 002b:00007ffc1f157e58 EFLAGS: 00000246 ORIG_RAX: 0000000000000127
[   58.942361][ T6850] RAX: ffffffffffffffda RBX: 00007ffc1f157e60 RCX: 0000000000440339
[   58.942366][ T6850] RDX: 0000000000000006 RSI: 0000000020001b00 RDI: 0000000000000003
[   58.942370][ T6850] RBP: 00000000006cb018 R08: 0000000000000000 R09: 6c616b7a79732f2e
[   58.942375][ T6850] R10: 0000000000000003 R11: 0000000000000246 R12: 0000000000401ae0
[   58.942379][ T6850] R13: 0000000000401b70 R14: 0000000000000000 R15: 0000000000000000
[   58.943843][ T6850] Kernel Offset: disabled
[   59.674094][ T6850] Rebooting in 86400 seconds..
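The report above carries everything needed for a first triage, but it is spread over three stacks and a shadow dump. The following helper is an added example for this page, not syzkaller or kernel code: it strips the console prefix, parses the header, the "Call Trace", "Allocated by" and "Freed by" stacks (dropping the "? " frames, which are stale stack slots rather than real callers), the cache/offset lines and the shadow rows, then filters out KASAN and slab-allocator frames so the real call sites stand out. For this report that yields the facts a reader should extract from the log: the 4096-byte kmalloc-4k object was allocated and freed by tomoyo_realpath_from_path inside a single fstat() (the __do_sys_newfstat frame in both stacks), and the stale 2-byte write at offset 0 of that object comes from vcs_read, entered through preadv(). The shadow byte values (0xFA free-track granule, 0xFB freed, and so on) are the slab poison constants from mm/kasan/kasan.h in Linux 5.9, the kernel the report names; the NOISE frame list is this example's own heuristic, and SAMPLE is a trimmed copy of the report above.

```python
"""Triage a KASAN slab report from a kernel console log.
Added example for this page, not syzkaller or kernel code. It parses the
report sections, drops KASAN/allocator frames so the real call sites stand
out, and decodes shadow bytes with the poison values from mm/kasan/kasan.h
in Linux 5.9 (the reported kernel). SAMPLE is a trimmed copy of the report above."""
import re

SHADOW_MEANING = {  # mm/kasan/kasan.h, Linux 5.9; one shadow byte covers 8 bytes
    0xFA: "freed (free-track metadata granule)", 0xFB: "freed",  # KMALLOC_FREETRACK / KMALLOC_FREE
    0xFC: "kmalloc redzone", 0xFE: "page redzone", 0xFF: "freed page"}
PREFIX = re.compile(r"^\[\s*\d+\.\d+\]\[\s*T\d+\]\s?")      # "[   58.94][ T6850] "
BUG = re.compile(r"^BUG: KASAN: ([a-z-]+) in ([\w.]+)\+0x")
ACCESS = re.compile(r"^(Read|Write) of size (\d+) at addr ([0-9a-f]+) by task (\S+)/(\d+)")
FRAME = re.compile(r"^\s*(\? )?([A-Za-z_][\w.]*)\+0x[0-9a-f]+/0x[0-9a-f]+$")
SHADOW = re.compile(r"^>?\s*([0-9a-f]{16}): ((?:[0-9a-f]{2} ?)+)$")
CACHE = re.compile(r"belongs to the cache (\S+) of size (\d+)")
OFFSET = re.compile(r"is located (\d+) bytes (inside|to the right|to the left) of")
SYSCALL = re.compile(r"^__(?:x64|ia32|do|se)_sys_(\w+)$")
# KASAN/slab plumbing frames (this example's own list): never the bug's own call site.
NOISE = re.compile(r"^(__)?(kasan_|kmalloc|kfree|kmem_cache_|dump_stack|print_address_description|end_report)")

def parse_kasan_report(text):
    """Header fields, the three stacks ("? " guesses dropped) and the shadow rows."""
    rep = {"call_trace": [], "alloc_stack": [], "free_stack": [], "shadow": {}}
    section = None
    for raw in text.splitlines():
        line = PREFIX.sub("", raw).rstrip()
        if line and set(line) == {"="}:          # report delimiter
            if "bug" in rep:
                break                            # stop after the first report
        elif (m := BUG.match(line)):
            rep["bug"], rep["func"] = m.groups()
        elif (m := ACCESS.match(line)):
            rep.update(access=m[1], size=int(m[2]), addr=int(m[3], 16), task=m[4], pid=int(m[5]))
        elif line.startswith(("Call Trace:", "Allocated by task", "Freed by task")):
            section = {"C": "call_trace", "A": "alloc_stack", "F": "free_stack"}[line[0]]
        elif line.startswith("Memory state around"):
            section = "shadow"
        elif (m := CACHE.search(line)):
            rep["cache"], rep["object_size"] = m[1], int(m[2])
        elif (m := OFFSET.search(line)):
            rep["offset"], rep["where"] = int(m[1]), m[2]
        elif section == "shadow" and (m := SHADOW.match(line)):
            rep["shadow"][int(m[1], 16)] = [int(b, 16) for b in m[2].split()]
        elif section not in (None, "shadow") and (m := FRAME.match(line)) and not m[1]:
            rep[section].append(m[2])
    return rep

def first_real_frame(stack):
    return next((f for f in stack if not NOISE.match(f)), None)

def syscall_of(stack):
    for f in stack:                              # __x64_sys_* / __do_sys_* frame names the syscall
        if (m := SYSCALL.match(f)):
            return m[1]
    return None

def shadow_state(rep):
    """(shadow byte, meaning) for the faulting address, from the dumped rows."""
    for base, row in rep["shadow"].items():
        if base <= rep["addr"] < base + 8 * len(row):
            b = row[(rep["addr"] - base) // 8]
            if b < 8:                            # 0 = whole 8-byte granule addressable
                return b, "addressable" if b == 0 else f"first {b} bytes addressable"
            return b, SHADOW_MEANING.get(b, "unknown poison")
    return None, "not in dumped shadow"

def triage(rep):
    """syzkaller-style title plus who allocated, freed and touched the object, and via which syscall."""
    out = {"title": f"KASAN: {rep['bug']} {rep['access']} in {rep['func']}",
           "object": f"{rep.get('cache')} +{rep.get('offset')} ({rep.get('where')})",
           "shadow": shadow_state(rep)[1]}
    for name, key in (("fault", "call_trace"), ("alloc", "alloc_stack"), ("free", "free_stack")):
        out[name + "_site"] = first_real_frame(rep[key])
        out[name + "_syscall"] = syscall_of(rep[key])
    return out

SAMPLE = """\
[   58.941425][ T6850] ==================================================================
[   58.941465][ T6850] BUG: KASAN: use-after-free in vcs_read+0xaa7/0xb40
[   58.941472][ T6850] Write of size 2 at addr ffff8880983c6000 by task syz-executor929/6850
[   58.941493][ T6850] Call Trace:
[   58.941507][ T6850]  dump_stack+0x18f/0x20d
[   58.941516][ T6850]  ? vcs_read+0xaa7/0xb40
[   58.941587][ T6850]  kasan_report.cold+0x1f/0x37
[   58.941605][ T6850]  vcs_read+0xaa7/0xb40
[   58.941720][ T6850]  __x64_sys_preadv+0x231/0x310
[   58.941837][ T6850] Allocated by task 6850:
[   58.941859][ T6850]  __kmalloc+0x1a8/0x320
[   58.941867][ T6850]  tomoyo_realpath_from_path+0xc3/0x620
[   58.941895][ T6850]  __do_sys_newfstat+0x88/0x100
[   58.941926][ T6850] Freed by task 6850:
[   58.941954][ T6850]  __kasan_slab_free+0xd8/0x120
[   58.941960][ T6850]  kfree+0x103/0x2c0
[   58.941968][ T6850]  tomoyo_realpath_from_path+0x191/0x620
[   58.941996][ T6850]  __do_sys_newfstat+0x88/0x100
[   58.942023][ T6850]  which belongs to the cache kmalloc-4k of size 4096
[   58.942030][ T6850] The buggy address is located 0 bytes inside of
[   58.942084][ T6850] Memory state around the buggy address:
[   58.942097][ T6850]  ffff8880983c5f80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   58.942103][ T6850] >ffff8880983c6000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   58.942122][ T6850] ==================================================================
"""
```

Feed it the whole console log rather than SAMPLE and it stops at the closing delimiter of the first report, so the second "Call Trace" printed by the panic path does not pollute the fault stack. The parser stops at the first report's closing delimiter for the same reason a triager does: the panic dump that follows is a consequence of panic_on_warn, not a second bug.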