[ OK ] Reached target Graphical Interface.
Starting Update UTMP about System Runlevel Changes...
Starting Load/Save RF Kill Switch Status...
[ OK ] Started Update UTMP about System Runlevel Changes.
[ OK ] Started Load/Save RF Kill Switch Status.

Debian GNU/Linux 9 syzkaller ttyS0

Warning: Permanently added '10.128.0.46' (ECDSA) to the list of known hosts.
executing program
syzkaller login: [ 61.387509][ T6922] IPVS: ftp: loaded support on port[0] = 21
[ 61.514288][ T6922] ==================================================================
[ 61.522517][ T6922] BUG: KASAN: use-after-free in sock_def_write_space+0x609/0x630
[ 61.530222][ T6922] Read of size 8 at addr ffff8880866ed5c0 by task syz-executor525/6922
[ 61.538446][ T6922]
[ 61.540767][ T6922] CPU: 1 PID: 6922 Comm: syz-executor525 Not tainted 5.8.0-rc6-syzkaller #0
[ 61.549413][ T6922] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 61.559594][ T6922] Call Trace:
[ 61.562886][ T6922] dump_stack+0x18f/0x20d
[ 61.567375][ T6922] ? sock_def_write_space+0x609/0x630
[ 61.572958][ T6922] ? sock_def_write_space+0x609/0x630
[ 61.578418][ T6922] print_address_description.constprop.0.cold+0xae/0x436
[ 61.585458][ T6922] ? lockdep_hardirqs_off+0x66/0xa0
[ 61.590653][ T6922] ? vprintk_func+0x97/0x1a6
[ 61.595222][ T6922] ? sock_def_write_space+0x609/0x630
[ 61.600568][ T6922] kasan_report.cold+0x1f/0x37
[ 61.605328][ T6922] ? sock_def_write_space+0x609/0x630
[ 61.610694][ T6922] sock_def_write_space+0x609/0x630
[ 61.615869][ T6922] ? kfree_skb+0x7d/0x100
[ 61.620176][ T6922] ? qrtr_tun_poll+0xf0/0xf0
[ 61.624740][ T6922] sock_wfree+0x1cc/0x240
[ 61.629045][ T6922] ? __sk_receive_skb+0x830/0x830
[ 61.634072][ T6922] skb_release_head_state+0x9f/0x250
[ 61.639333][ T6922] kfree_skb.part.0+0x89/0x350
[ 61.644092][ T6922] kfree_skb+0x7d/0x100
[ 61.648239][ T6922] skb_queue_purge+0x14/0x30
[ 61.652828][ T6922] qrtr_tun_release+0x40/0x60
[ 61.657487][ T6922] __fput+0x33c/0x880
[ 61.661447][ T6922] task_work_run+0xdd/0x190
[ 61.665935][ T6922] __prepare_exit_to_usermode+0x1e9/0x1f0
[ 61.671631][ T6922] do_syscall_64+0x6c/0xe0
[ 61.676053][ T6922] entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 61.681947][ T6922] RIP: 0033:0x401040
[ 61.685851][ T6922] Code: Bad RIP value.
[ 61.689912][ T6922] RSP: 002b:00007ffdd92190e8 EFLAGS: 00000246 ORIG_RAX: 0000000000000003
[ 61.698326][ T6922] RAX: 0000000000000000 RBX: 0000000000000007 RCX: 0000000000401040
[ 61.706278][ T6922] RDX: 0000000000000000 RSI: 0000000020000180 RDI: 0000000000000006
[ 61.714246][ T6922] RBP: 00007ffdd92190f0 R08: 0000000120080522 R09: 0000000120080522
[ 61.722191][ T6922] R10: 0000000000000000 R11: 0000000000000246 R12: 00000000004a5ff0
[ 61.730159][ T6922] R13: 0000000000402150 R14: 0000000000000000 R15: 0000000000000000
[ 61.738130][ T6922]
[ 61.740442][ T6922] Allocated by task 6922:
[ 61.744757][ T6922] save_stack+0x1b/0x40
[ 61.748904][ T6922] __kasan_kmalloc.constprop.0+0xc2/0xd0
[ 61.754527][ T6922] kmem_cache_alloc+0x12c/0x3b0
[ 61.759355][ T6922] sock_alloc_inode+0x18/0x1c0
[ 61.764120][ T6922] alloc_inode+0x61/0x230
[ 61.768510][ T6922] new_inode_pseudo+0x14/0xe0
[ 61.773162][ T6922] sock_alloc+0x3c/0x260
[ 61.777396][ T6922] __sock_create+0xb9/0x740
[ 61.781883][ T6922] __sys_socket+0xef/0x200
[ 61.786320][ T6922] __x64_sys_socket+0x6f/0xb0
[ 61.791005][ T6922] do_syscall_64+0x60/0xe0
[ 61.795403][ T6922] entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 61.801265][ T6922]
[ 61.803589][ T6922] Freed by task 0:
[ 61.807308][ T6922] save_stack+0x1b/0x40
[ 61.811437][ T6922] __kasan_slab_free+0xf5/0x140
[ 61.816260][ T6922] kmem_cache_free+0x7f/0x310
[ 61.820914][ T6922] i_callback+0x3f/0x70
[ 61.825066][ T6922] rcu_core+0x5c7/0x1160
[ 61.829306][ T6922] __do_softirq+0x34c/0xa60
[ 61.833799][ T6922]
[ 61.836126][ T6922] The buggy address belongs to the object at ffff8880866ed540
[ 61.836126][ T6922] which belongs to the cache sock_inode_cache of size 1216
[ 61.850719][ T6922] The buggy address is located 128 bytes inside of
[ 61.850719][ T6922] 1216-byte region [ffff8880866ed540, ffff8880866eda00)
[ 61.864053][ T6922] The buggy address belongs to the page:
[ 61.869723][ T6922] page:ffffea000219bb40 refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff8880866edffd
[ 61.880236][ T6922] flags: 0xfffe0000000200(slab)
[ 61.885070][ T6922] raw: 00fffe0000000200 ffffea000219bb08 ffff8880a9751d50 ffff88821b77f700
[ 61.893631][ T6922] raw: ffff8880866edffd ffff8880866ed000 0000000100000003 0000000000000000
[ 61.902335][ T6922] page dumped because: kasan: bad access detected
[ 61.908731][ T6922]
[ 61.911048][ T6922] Memory state around the buggy address:
[ 61.916655][ T6922] ffff8880866ed480: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 61.924731][ T6922] ffff8880866ed500: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
[ 61.932786][ T6922] >ffff8880866ed580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 61.940826][ T6922] ^
[ 61.946971][ T6922] ffff8880866ed600: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 61.955011][ T6922] ffff8880866ed680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 61.963063][ T6922] ==================================================================
[ 61.971122][ T6922] Disabling lock debugging due to kernel taint
[ 61.977662][ T6922] Kernel panic - not syncing: panic_on_warn set ...
[ 61.984266][ T6922] CPU: 1 PID: 6922 Comm: syz-executor525 Tainted: G B 5.8.0-rc6-syzkaller #0
[ 61.994326][ T6922] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 62.004383][ T6922] Call Trace:
[ 62.007679][ T6922] dump_stack+0x18f/0x20d
[ 62.011986][ T6922] ? sock_def_write_space+0x540/0x630
[ 62.017442][ T6922] panic+0x2e3/0x75c
[ 62.021489][ T6922] ? __warn_printk+0xf3/0xf3
[ 62.026063][ T6922] ? preempt_schedule_common+0x59/0xc0
[ 62.031498][ T6922] ? sock_def_write_space+0x609/0x630
[ 62.036847][ T6922] ? preempt_schedule_thunk+0x16/0x18
[ 62.042207][ T6922] ? trace_hardirqs_on+0x55/0x220
[ 62.047271][ T6922] ? sock_def_write_space+0x609/0x630
[ 62.052643][ T6922] ? sock_def_write_space+0x609/0x630
[ 62.057993][ T6922] end_report+0x4d/0x53
[ 62.062123][ T6922] kasan_report.cold+0xd/0x37
[ 62.066794][ T6922] ? sock_def_write_space+0x609/0x630
[ 62.072153][ T6922] sock_def_write_space+0x609/0x630
[ 62.077326][ T6922] ? kfree_skb+0x7d/0x100
[ 62.081643][ T6922] ? qrtr_tun_poll+0xf0/0xf0
[ 62.086206][ T6922] sock_wfree+0x1cc/0x240
[ 62.090509][ T6922] ? __sk_receive_skb+0x830/0x830
[ 62.095523][ T6922] skb_release_head_state+0x9f/0x250
[ 62.100782][ T6922] kfree_skb.part.0+0x89/0x350
[ 62.105521][ T6922] kfree_skb+0x7d/0x100
[ 62.109650][ T6922] skb_queue_purge+0x14/0x30
[ 62.114214][ T6922] qrtr_tun_release+0x40/0x60
[ 62.118868][ T6922] __fput+0x33c/0x880
[ 62.122830][ T6922] task_work_run+0xdd/0x190
[ 62.127354][ T6922] __prepare_exit_to_usermode+0x1e9/0x1f0
[ 62.133050][ T6922] do_syscall_64+0x6c/0xe0
[ 62.137448][ T6922] entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 62.143315][ T6922] RIP: 0033:0x401040
[ 62.147178][ T6922] Code: Bad RIP value.
[ 62.151214][ T6922] RSP: 002b:00007ffdd92190e8 EFLAGS: 00000246 ORIG_RAX: 0000000000000003
[ 62.159598][ T6922] RAX: 0000000000000000 RBX: 0000000000000007 RCX: 0000000000401040
[ 62.167542][ T6922] RDX: 0000000000000000 RSI: 0000000020000180 RDI: 0000000000000006
[ 62.175488][ T6922] RBP: 00007ffdd92190f0 R08: 0000000120080522 R09: 0000000120080522
[ 62.183432][ T6922] R10: 0000000000000000 R11: 0000000000000246 R12: 00000000004a5ff0
[ 62.191377][ T6922] R13: 0000000000402150 R14: 0000000000000000 R15: 0000000000000000
[ 62.200674][ T6922] Kernel Offset: disabled
[ 62.204996][ T6922] Rebooting in 86400 seconds..