[ OK ] Started Getty on tty2.
[ OK ] Started Getty on tty1.
[ OK ] Started Serial Getty on ttyS0.
[ OK ] Reached target Login Prompts.
[ OK ] Reached target Multi-User System.
[ OK ] Reached target Graphical Interface.
Starting Update UTMP about System Runlevel Changes...
[ OK ] Started Update UTMP about System Runlevel Changes.
Starting Load/Save RF Kill Switch Status...
[ OK ] Started Load/Save RF Kill Switch Status.

Debian GNU/Linux 9 syzkaller ttyS0

Warning: Permanently added '10.128.0.139' (ECDSA) to the list of known hosts.
executing program
syzkaller login: [ 63.638957][ T7123] L1TF CPU bug present and SMT on, data leak possible. See CVE-2018-3646 and https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/l1tf.html for details.
[ 63.681028][ T7123] ==================================================================
[ 63.689252][ T7123] BUG: KASAN: slab-out-of-bounds in __kvm_gfn_to_hva_cache_init+0x5fb/0x670
[ 63.697958][ T7123] Read of size 8 at addr ffff888092c6a468 by task syz-executor094/7123
[ 63.706166][ T7123]
[ 63.708477][ T7123] CPU: 0 PID: 7123 Comm: syz-executor094 Not tainted 5.7.0-rc1-next-20200415-syzkaller #0
[ 63.718374][ T7123] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 63.728414][ T7123] Call Trace:
[ 63.731697][ T7123] dump_stack+0x188/0x20d
[ 63.736012][ T7123] print_address_description.constprop.0.cold+0xd3/0x315
[ 63.743015][ T7123] ? __kvm_gfn_to_hva_cache_init+0x5fb/0x670
[ 63.748972][ T7123] __kasan_report.cold+0x35/0x4d
[ 63.753889][ T7123] ? __kvm_gfn_to_hva_cache_init+0x5fb/0x670
[ 63.759895][ T7123] ? __kvm_gfn_to_hva_cache_init+0x5fb/0x670
[ 63.765852][ T7123] kasan_report+0x33/0x50
[ 63.770163][ T7123] __kvm_gfn_to_hva_cache_init+0x5fb/0x670
[ 63.775955][ T7123] ? __kvm_write_guest_page+0x170/0x170
[ 63.781487][ T7123] kvm_lapic_set_vapic_addr+0x88/0x180
[ 63.786947][ T7123] kvm_arch_vcpu_ioctl+0xf0d/0x2c00
[ 63.792126][ T7123] ? kvm_arch_vcpu_put+0x530/0x530
[ 63.797236][ T7123] ? lock_acquire+0x1f2/0x8f0
[ 63.801906][ T7123] ? kvm_vcpu_ioctl+0x175/0xe60
[ 63.806753][ T7123] ? lock_release+0x800/0x800
[ 63.811409][ T7123] ? find_held_lock+0x2d/0x110
[ 63.816160][ T7123] ? __mutex_lock+0x458/0x13c0
[ 63.820917][ T7123] ? kfree+0x1eb/0x2b0
[ 63.824980][ T7123] ? kvm_vcpu_ioctl+0x175/0xe60
[ 63.829839][ T7123] ? mutex_trylock+0x2c0/0x2c0
[ 63.834600][ T7123] ? tomoyo_execute_permission+0x470/0x470
[ 63.840424][ T7123] kvm_vcpu_ioctl+0x866/0xe60
[ 63.845083][ T7123] ? kvm_get_dirty_log_protect.isra.0+0x670/0x670
[ 63.851494][ T7123] ? ioctl_file_clone+0x180/0x180
[ 63.856507][ T7123] ? rcu_read_lock_sched_held+0x9c/0xd0
[ 63.862056][ T7123] ? rcu_read_lock_any_held.part.0+0x50/0x50
[ 63.868035][ T7123] ? kvm_get_dirty_log_protect.isra.0+0x670/0x670
[ 63.874425][ T7123] ksys_ioctl+0x11a/0x180
[ 63.878737][ T7123] __x64_sys_ioctl+0x6f/0xb0
[ 63.883303][ T7123] ? lockdep_hardirqs_on+0x463/0x620
[ 63.888586][ T7123] do_syscall_64+0xf6/0x7d0
[ 63.893085][ T7123] entry_SYSCALL_64_after_hwframe+0x49/0xb3
[ 63.898973][ T7123] RIP: 0033:0x440219
[ 63.902848][ T7123] Code: 18 89 d0 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 fb 13 fc ff c3 66 2e 0f 1f 84 00 00 00 00
[ 63.922531][ T7123] RSP: 002b:00007ffe90e74148 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[ 63.930925][ T7123] RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 0000000000440219
[ 63.938875][ T7123] RDX: 0000000020000000 RSI: 000000004008ae93 RDI: 0000000000000005
[ 63.946826][ T7123] RBP: 00000000006ca018 R08: 00000000004002c8 R09: 00000000004002c8
[ 63.954782][ T7123] R10: 00000000004002c8 R11: 0000000000000246 R12: 0000000000401aa0
[ 63.962759][ T7123] R13: 0000000000401b30 R14: 0000000000000000 R15: 0000000000000000
[ 63.970718][ T7123]
[ 63.973054][ T7123] Allocated by task 7123:
[ 63.977367][ T7123] save_stack+0x1b/0x40
[ 63.981501][ T7123] __kasan_kmalloc.constprop.0+0xbf/0xd0
[ 63.987111][ T7123] kvmalloc_node+0x61/0xf0
[ 63.991519][ T7123] kvm_set_memslot+0x115/0x1530
[ 63.996369][ T7123] __kvm_set_memory_region+0xcf7/0x1320
[ 64.001912][ T7123] __x86_set_memory_region+0x2a3/0x5a0
[ 64.007346][ T7123] vmx_create_vcpu+0x2107/0x2b40
[ 64.012278][ T7123] kvm_arch_vcpu_create+0x6ef/0xb80
[ 64.017470][ T7123] kvm_vm_ioctl+0x1614/0x2400
[ 64.022139][ T7123] ksys_ioctl+0x11a/0x180
[ 64.026446][ T7123] __x64_sys_ioctl+0x6f/0xb0
[ 64.031028][ T7123] do_syscall_64+0xf6/0x7d0
[ 64.035524][ T7123] entry_SYSCALL_64_after_hwframe+0x49/0xb3
[ 64.041387][ T7123]
[ 64.043708][ T7123] Freed by task 16:
[ 64.047495][ T7123] save_stack+0x1b/0x40
[ 64.051638][ T7123] __kasan_slab_free+0xf7/0x140
[ 64.056478][ T7123] kfree+0x109/0x2b0
[ 64.060484][ T7123] __sk_destruct+0x5ad/0x7c0
[ 64.065054][ T7123] sk_destruct+0xc6/0x100
[ 64.069406][ T7123] __sk_free+0xef/0x3d0
[ 64.073540][ T7123] sk_free+0x78/0xa0
[ 64.077529][ T7123] deferred_put_nlk_sk+0x151/0x2e0
[ 64.082656][ T7123] rcu_core+0x59f/0x1370
[ 64.086879][ T7123] __do_softirq+0x26c/0x9f7
[ 64.091469][ T7123]
[ 64.093781][ T7123] The buggy address belongs to the object at ffff888092c6a000
[ 64.093781][ T7123] which belongs to the cache kmalloc-2k of size 2048
[ 64.107867][ T7123] The buggy address is located 1128 bytes inside of
[ 64.107867][ T7123] 2048-byte region [ffff888092c6a000, ffff888092c6a800)
[ 64.121349][ T7123] The buggy address belongs to the page:
[ 64.126965][ T7123] page:ffffea00024b1a80 refcount:1 mapcount:0 mapping:0000000052943283 index:0x0
[ 64.136046][ T7123] flags: 0xfffe0000000200(slab)
[ 64.140918][ T7123] raw: 00fffe0000000200 ffffea00024d3008 ffffea0002a48a88 ffff8880aa000e00
[ 64.149520][ T7123] raw: 0000000000000000 ffff888092c6a000 0000000100000001 0000000000000000
[ 64.158075][ T7123] page dumped because: kasan: bad access detected
[ 64.164496][ T7123]
[ 64.166802][ T7123] Memory state around the buggy address:
[ 64.172446][ T7123] ffff888092c6a300: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 64.180529][ T7123] ffff888092c6a380: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 64.188567][ T7123] >ffff888092c6a400: 00 00 00 00 00 00 00 00 00 00 00 00 00 fc fc fc
[ 64.196640][ T7123]                                                          ^
[ 64.204072][ T7123] ffff888092c6a480: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 64.212130][ T7123] ffff888092c6a500: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 64.220167][ T7123] ==================================================================
[ 64.228260][ T7123] Disabling lock debugging due to kernel taint
[ 64.236264][ T7123] Kernel panic - not syncing: panic_on_warn set ...
[ 64.242993][ T7123] CPU: 1 PID: 7123 Comm: syz-executor094 Tainted: G B 5.7.0-rc1-next-20200415-syzkaller #0
[ 64.254297][ T7123] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 64.264348][ T7123] Call Trace:
[ 64.267622][ T7123] dump_stack+0x188/0x20d
[ 64.271928][ T7123] panic+0x2e3/0x75c
[ 64.275807][ T7123] ? add_taint.cold+0x16/0x16
[ 64.280481][ T7123] ? preempt_schedule_common+0x5e/0xc0
[ 64.285949][ T7123] ? __kvm_gfn_to_hva_cache_init+0x5fb/0x670
[ 64.291904][ T7123] ? preempt_schedule_thunk+0x16/0x18
[ 64.297376][ T7123] ? trace_hardirqs_on+0x55/0x220
[ 64.302374][ T7123] ? __kvm_gfn_to_hva_cache_init+0x5fb/0x670
[ 64.308330][ T7123] end_report+0x4d/0x53
[ 64.312473][ T7123] __kasan_report.cold+0xd/0x4d
[ 64.317301][ T7123] ? __kvm_gfn_to_hva_cache_init+0x5fb/0x670
[ 64.323399][ T7123] ? __kvm_gfn_to_hva_cache_init+0x5fb/0x670
[ 64.329353][ T7123] kasan_report+0x33/0x50
[ 64.333701][ T7123] __kvm_gfn_to_hva_cache_init+0x5fb/0x670
[ 64.339487][ T7123] ? __kvm_write_guest_page+0x170/0x170
[ 64.345031][ T7123] kvm_lapic_set_vapic_addr+0x88/0x180
[ 64.350481][ T7123] kvm_arch_vcpu_ioctl+0xf0d/0x2c00
[ 64.355658][ T7123] ? kvm_arch_vcpu_put+0x530/0x530
[ 64.360765][ T7123] ? lock_acquire+0x1f2/0x8f0
[ 64.365432][ T7123] ? kvm_vcpu_ioctl+0x175/0xe60
[ 64.370277][ T7123] ? lock_release+0x800/0x800
[ 64.374940][ T7123] ? find_held_lock+0x2d/0x110
[ 64.379680][ T7123] ? __mutex_lock+0x458/0x13c0
[ 64.384419][ T7123] ? kfree+0x1eb/0x2b0
[ 64.388478][ T7123] ? kvm_vcpu_ioctl+0x175/0xe60
[ 64.393303][ T7123] ? mutex_trylock+0x2c0/0x2c0
[ 64.398043][ T7123] ? tomoyo_execute_permission+0x470/0x470
[ 64.403829][ T7123] kvm_vcpu_ioctl+0x866/0xe60
[ 64.408494][ T7123] ? kvm_get_dirty_log_protect.isra.0+0x670/0x670
[ 64.414884][ T7123] ? ioctl_file_clone+0x180/0x180
[ 64.419887][ T7123] ? rcu_read_lock_sched_held+0x9c/0xd0
[ 64.425421][ T7123] ? rcu_read_lock_any_held.part.0+0x50/0x50
[ 64.431378][ T7123] ? kvm_get_dirty_log_protect.isra.0+0x670/0x670
[ 64.437866][ T7123] ksys_ioctl+0x11a/0x180
[ 64.442185][ T7123] __x64_sys_ioctl+0x6f/0xb0
[ 64.446772][ T7123] ? lockdep_hardirqs_on+0x463/0x620
[ 64.452120][ T7123] do_syscall_64+0xf6/0x7d0
[ 64.456612][ T7123] entry_SYSCALL_64_after_hwframe+0x49/0xb3
[ 64.462478][ T7123] RIP: 0033:0x440219
[ 64.466359][ T7123] Code: 18 89 d0 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 fb 13 fc ff c3 66 2e 0f 1f 84 00 00 00 00
[ 64.485939][ T7123] RSP: 002b:00007ffe90e74148 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[ 64.494324][ T7123] RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 0000000000440219
[ 64.502276][ T7123] RDX: 0000000020000000 RSI: 000000004008ae93 RDI: 0000000000000005
[ 64.510222][ T7123] RBP: 00000000006ca018 R08: 00000000004002c8 R09: 00000000004002c8
[ 64.518182][ T7123] R10: 00000000004002c8 R11: 0000000000000246 R12: 0000000000401aa0
[ 64.526250][ T7123] R13: 0000000000401b30 R14: 0000000000000000 R15: 0000000000000000
[ 64.535440][ T7123] Kernel Offset: disabled
[ 64.539772][ T7123] Rebooting in 86400 seconds..