[ OK ] Started OpenBSD Secure Shell server.
[ OK ] Started getty on tty2-tty6 if dbus and logind are not available.
[ OK ] Started Getty on tty6.
[ OK ] Started Getty on tty5.
[ OK ] Started Getty on tty4.
[ OK ] Started Getty on tty3.
[ OK ] Started Getty on tty1.
[ OK ] Started Serial Getty on ttyS0.
[ OK ] Started Getty on tty2.
[ OK ] Reached target Login Prompts.
Starting Load/Save RF Kill Switch Status...
[ OK ] Reached target Multi-User System.
[ OK ] Reached target Graphical Interface.
Starting Update UTMP about System Runlevel Changes...
[ OK ] Started Load/Save RF Kill Switch Status.
[ OK ] Started Update UTMP about System Runlevel Changes.

Debian GNU/Linux 9 syzkaller ttyS0

Warning: Permanently added '10.128.1.2' (ECDSA) to the list of known hosts.
executing program
syzkaller login: [ 59.788781][ T6813] ==================================================================
[ 59.796988][ T6813] BUG: KASAN: use-after-free in userfaultfd_release+0x57f/0x5f0
[ 59.804625][ T6813] Read of size 8 at addr ffff88809b09af88 by task syz-executor902/6813
[ 59.812835][ T6813]
[ 59.815144][ T6813] CPU: 0 PID: 6813 Comm: syz-executor902 Not tainted 5.8.0-rc4-next-20200708-syzkaller #0
[ 59.825018][ T6813] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 59.835067][ T6813] Call Trace:
[ 59.838343][ T6813] dump_stack+0x18f/0x20d
[ 59.842658][ T6813] ? userfaultfd_release+0x57f/0x5f0
[ 59.847946][ T6813] ? userfaultfd_release+0x57f/0x5f0
[ 59.853233][ T6813] print_address_description.constprop.0.cold+0xae/0x497
[ 59.860261][ T6813] ? lockdep_hardirqs_off+0x66/0xa0
[ 59.865438][ T6813] ? vprintk_func+0x97/0x1a6
[ 59.870007][ T6813] ? userfaultfd_release+0x57f/0x5f0
[ 59.875285][ T6813] ? userfaultfd_release+0x57f/0x5f0
[ 59.880563][ T6813] kasan_report.cold+0x1f/0x37
[ 59.885308][ T6813] ? userfaultfd_release+0x57f/0x5f0
[ 59.890573][ T6813] userfaultfd_release+0x57f/0x5f0
[ 59.895664][ T6813] ? locks_remove_file+0x319/0x580
[ 59.900785][ T6813] ? userfaultfd_event_wait_completion+0xa20/0xa20
[ 59.907265][ T6813] ? lock_is_held_type+0xb0/0xe0
[ 59.912195][ T6813] ? ima_file_free+0xb6/0x420
[ 59.916854][ T6813] ? userfaultfd_event_wait_completion+0xa20/0xa20
[ 59.923349][ T6813] __fput+0x33c/0x880
[ 59.927313][ T6813] task_work_run+0xdd/0x190
[ 59.931798][ T6813] __prepare_exit_to_usermode+0x1e9/0x1f0
[ 59.937510][ T6813] do_syscall_64+0x6c/0xe0
[ 59.941906][ T6813] entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 59.947778][ T6813] RIP: 0033:0x4401f9
[ 59.951657][ T6813] Code: Bad RIP value.
[ 59.955698][ T6813] RSP: 002b:00007ffdd722dfe8 EFLAGS: 00000246 ORIG_RAX: 0000000000000143
[ 59.964097][ T6813] RAX: ffffffffffffffe8 RBX: 00000000004002c8 RCX: 00000000004401f9
[ 59.972059][ T6813] RDX: 00000000004401f9 RSI: 0000000000400aa0 RDI: 0000000000000000
[ 59.980021][ T6813] RBP: 00000000006ca018 R08: 0000000000000000 R09: 0000000000000000
[ 59.987985][ T6813] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000401a00
[ 59.995951][ T6813] R13: 0000000000401a90 R14: 0000000000000000 R15: 0000000000000000
[ 60.003908][ T6813]
[ 60.006217][ T6813] Allocated by task 6813:
[ 60.010523][ T6813] kasan_save_stack+0x1b/0x40
[ 60.015181][ T6813] __kasan_kmalloc.constprop.0+0xbf/0xd0
[ 60.020795][ T6813] kmem_cache_alloc+0x148/0x550
[ 60.025641][ T6813] __do_sys_userfaultfd+0x96/0x4b0
[ 60.030734][ T6813] do_syscall_64+0x60/0xe0
[ 60.035151][ T6813] entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 60.041015][ T6813]
[ 60.043321][ T6813] Freed by task 6813:
[ 60.047301][ T6813] kasan_save_stack+0x1b/0x40
[ 60.051954][ T6813] kasan_set_track+0x1c/0x30
[ 60.056537][ T6813] kasan_set_free_info+0x1b/0x30
[ 60.061464][ T6813] __kasan_slab_free+0xd8/0x120
[ 60.066311][ T6813] kmem_cache_free.part.0+0x67/0x1f0
[ 60.071586][ T6813] __do_sys_userfaultfd+0x3cf/0x4b0
[ 60.076761][ T6813] do_syscall_64+0x60/0xe0
[ 60.081156][ T6813] entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 60.087030][ T6813]
[ 60.089351][ T6813] The buggy address belongs to the object at ffff88809b09ae00
[ 60.089351][ T6813] which belongs to the cache userfaultfd_ctx_cache of size 408
[ 60.104262][ T6813] The buggy address is located 392 bytes inside of
[ 60.104262][ T6813] 408-byte region [ffff88809b09ae00, ffff88809b09af98)
[ 60.117527][ T6813] The buggy address belongs to the page:
[ 60.123143][ T6813] page:ffffea00026c2680 refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff8880a03d5dc0
[ 60.133529][ T6813] flags: 0xfffe0000000200(slab)
[ 60.138359][ T6813] raw: 00fffe0000000200 ffff8880a3de5d50 ffff8880a3de5d50 ffff888219701b00
[ 60.146937][ T6813] raw: ffff8880a03d5dc0 ffff88809b09a000 0000000100000008 0000000000000000
[ 60.155501][ T6813] page dumped because: kasan: bad access detected
[ 60.161905][ T6813]
[ 60.164213][ T6813] Memory state around the buggy address:
[ 60.169836][ T6813] ffff88809b09ae80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 60.177891][ T6813] ffff88809b09af00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 60.185946][ T6813] >ffff88809b09af80: fb fb fb fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 60.193994][ T6813] ^
[ 60.198298][ T6813] ffff88809b09b000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 60.206353][ T6813] ffff88809b09b080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 60.214405][ T6813] ==================================================================
[ 60.222457][ T6813] Disabling lock debugging due to kernel taint
[ 60.233212][ T6813] Kernel panic - not syncing: panic_on_warn set ...
[ 60.239858][ T6813] CPU: 0 PID: 6813 Comm: syz-executor902 Tainted: G B 5.8.0-rc4-next-20200708-syzkaller #0
[ 60.251184][ T6813] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 60.261237][ T6813] Call Trace:
[ 60.264510][ T6813] dump_stack+0x18f/0x20d
[ 60.268818][ T6813] ? userfaultfd_release+0x4d0/0x5f0
[ 60.274077][ T6813] panic+0x2e3/0x75c
[ 60.277971][ T6813] ? __warn_printk+0xf3/0xf3
[ 60.282539][ T6813] ? preempt_schedule_common+0x59/0xc0
[ 60.287984][ T6813] ? userfaultfd_release+0x57f/0x5f0
[ 60.293244][ T6813] ? preempt_schedule_thunk+0x16/0x18
[ 60.298602][ T6813] ? trace_hardirqs_on+0x55/0x220
[ 60.303621][ T6813] ? userfaultfd_release+0x57f/0x5f0
[ 60.308888][ T6813] ? userfaultfd_release+0x57f/0x5f0
[ 60.314190][ T6813] end_report+0x4d/0x53
[ 60.318320][ T6813] kasan_report.cold+0xd/0x37
[ 60.322978][ T6813] ? userfaultfd_release+0x57f/0x5f0
[ 60.328239][ T6813] userfaultfd_release+0x57f/0x5f0
[ 60.333325][ T6813] ? locks_remove_file+0x319/0x580
[ 60.338411][ T6813] ? userfaultfd_event_wait_completion+0xa20/0xa20
[ 60.344886][ T6813] ? lock_is_held_type+0xb0/0xe0
[ 60.349798][ T6813] ? ima_file_free+0xb6/0x420
[ 60.354486][ T6813] ? userfaultfd_event_wait_completion+0xa20/0xa20
[ 60.360959][ T6813] __fput+0x33c/0x880
[ 60.364917][ T6813] task_work_run+0xdd/0x190
[ 60.369439][ T6813] __prepare_exit_to_usermode+0x1e9/0x1f0
[ 60.375165][ T6813] do_syscall_64+0x6c/0xe0
[ 60.379556][ T6813] entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 60.385420][ T6813] RIP: 0033:0x4401f9
[ 60.389281][ T6813] Code: Bad RIP value.
[ 60.393316][ T6813] RSP: 002b:00007ffdd722dfe8 EFLAGS: 00000246 ORIG_RAX: 0000000000000143
[ 60.401715][ T6813] RAX: ffffffffffffffe8 RBX: 00000000004002c8 RCX: 00000000004401f9
[ 60.409676][ T6813] RDX: 00000000004401f9 RSI: 0000000000400aa0 RDI: 0000000000000000
[ 60.417651][ T6813] RBP: 00000000006ca018 R08: 0000000000000000 R09: 0000000000000000
[ 60.425596][ T6813] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000401a00
[ 60.433555][ T6813] R13: 0000000000401a90 R14: 0000000000000000 R15: 0000000000000000
[ 60.442489][ T6813] Kernel Offset: disabled
[ 60.446816][ T6813] Rebooting in 86400 seconds..