[  OK  ] Reached target Graphical Interface.
         Starting Update UTMP about System Runlevel Changes...
         Starting Load/Save RF Kill Switch Status...
[  OK  ] Started Update UTMP about System Runlevel Changes.
[  OK  ] Started Load/Save RF Kill Switch Status.

Debian GNU/Linux 9 syzkaller ttyS0

Warning: Permanently added '10.128.1.30' (ECDSA) to the list of known hosts.
executing program
executing program

syzkaller login: [   44.372983] ==================================================================
[   44.380462] BUG: KASAN: use-after-free in __list_add_valid+0x81/0xa0
[   44.386977] Read of size 8 at addr ffff8880b3cef448 by task syz-executor292/7981
[   44.394487] 
[   44.396095] CPU: 1 PID: 7981 Comm: syz-executor292 Not tainted 4.14.240-syzkaller #0
[   44.403955] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   44.413289] Call Trace:
[   44.415864]  dump_stack+0x1b2/0x281
[   44.419472]  print_address_description.cold+0x54/0x1d3
[   44.424725]  kasan_report_error.cold+0x8a/0x191
[   44.429387]  ? __list_add_valid+0x81/0xa0
[   44.433525]  __asan_report_load8_noabort+0x68/0x70
[   44.438436]  ? __list_add_valid+0x81/0xa0
[   44.442562]  __list_add_valid+0x81/0xa0
[   44.446521]  chrdev_open+0x45c/0x6d0
[   44.450218]  ? __register_chrdev+0x3d0/0x3d0
[   44.454604]  do_dentry_open+0x44b/0xec0
[   44.458554]  ? __register_chrdev+0x3d0/0x3d0
[   44.462955]  ? __inode_permission+0xcd/0x2f0
[   44.467439]  vfs_open+0x105/0x220
[   44.470869]  path_openat+0x628/0x2970
[   44.474651]  ? path_lookupat+0x780/0x780
[   44.478693]  ? trace_hardirqs_on+0x10/0x10
[   44.483011]  do_filp_open+0x179/0x3c0
[   44.486810]  ? may_open_dev+0xe0/0xe0
[   44.490601]  ? lock_downgrade+0x740/0x740
[   44.494733]  ? do_raw_spin_unlock+0x164/0x220
[   44.499201]  ? _raw_spin_unlock+0x29/0x40
[   44.503394]  ? __alloc_fd+0x1be/0x490
[   44.507173]  do_sys_open+0x296/0x410
[   44.510863]  ? filp_open+0x60/0x60
[   44.514377]  ? _raw_spin_unlock_irq+0x5a/0x80
[   44.518888]  ? do_syscall_64+0x4c/0x640
[   44.522873]  ? SyS_open+0x30/0x30
[   44.526308]  do_syscall_64+0x1d5/0x640
[   44.530182]  entry_SYSCALL_64_after_hwframe+0x46/0xbb
[   44.535348] RIP: 0033:0x446809
[   44.538526] RSP: 002b:00007fa685b1c2f8 EFLAGS: 00000246 ORIG_RAX: 0000000000000101
[   44.546222] RAX: ffffffffffffffda RBX: 00000000004d0510 RCX: 0000000000446809
[   44.553513] RDX: 0000000000000000 RSI: 0000000020002100 RDI: 00000000ffffff9c
[   44.560771] RBP: 00000000004a013c R08: 0000000000000000 R09: 0000000000000000
[   44.568021] R10: 0000000000000000 R11: 0000000000000246 R12: 000000000049e138
[   44.575273] R13: 2f30656c69662f2e R14: 0000000100000001 R15: 00000000004d0518
[   44.582620] 
[   44.584223] Allocated by task 7974:
[   44.587831]  kasan_kmalloc+0xeb/0x160
[   44.591608]  kmem_cache_alloc+0x124/0x3c0
[   44.595761]  fuse_alloc_inode+0x1d/0x3f0
[   44.599795]  alloc_inode+0x5d/0x170
[   44.603415]  iget5_locked+0x169/0x450
[   44.607190]  fuse_iget+0x164/0x730
[   44.610707]  fuse_lookup_name+0x3bb/0x550
[   44.614843]  fuse_lookup+0xcd/0x390
[   44.618443]  fuse_atomic_open+0x1bb/0x2d0
[   44.622565]  lookup_open+0xe0e/0x1750
[   44.626340]  path_openat+0x14bb/0x2970
[   44.630201]  do_filp_open+0x179/0x3c0
[   44.633977]  do_sys_open+0x296/0x410
[   44.637665]  do_syscall_64+0x1d5/0x640
[   44.641531]  entry_SYSCALL_64_after_hwframe+0x46/0xbb
[   44.646691] 
[   44.648294] Freed by task 0:
[   44.651292]  kasan_slab_free+0xc3/0x1a0
[   44.655256]  kmem_cache_free+0x7c/0x2b0
[   44.659205]  rcu_process_callbacks+0x780/0x1180
[   44.663858]  __do_softirq+0x24d/0x9ff
[   44.667630] 
[   44.669236] The buggy address belongs to the object at ffff8880b3cef0c0
[   44.669236]  which belongs to the cache fuse_inode of size 1272
[   44.681866] The buggy address is located 904 bytes inside of
[   44.681866]  1272-byte region [ffff8880b3cef0c0, ffff8880b3cef5b8)
[   44.693798] The buggy address belongs to the page:
[   44.698704] page:ffffea0002cf3b80 count:1 mapcount:0 mapping:ffff8880b3cee040 index:0xffff8880b3cefffb compound_mapcount: 0
[   44.709967] flags: 0xfff00000008100(slab|head)
[   44.714535] raw: 00fff00000008100 ffff8880b3cee040 ffff8880b3cefffb 0000000100000005
[   44.722391] raw: ffff8880b1346b48 ffffea00026cb020 ffff888238c1e980 0000000000000000
[   44.730251] page dumped because: kasan: bad access detected
[   44.735951] 
[   44.737554] Memory state around the buggy address:
[   44.742463]  ffff8880b3cef300: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   44.749798]  ffff8880b3cef380: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   44.757217] >ffff8880b3cef400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   44.764548]                                                ^
[   44.770243]  ffff8880b3cef480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   44.777576]  ffff8880b3cef500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   44.784907] ==================================================================
[   44.792237] Disabling lock debugging due to kernel taint
[   44.797909] Kernel panic - not syncing: panic_on_warn set ...
[   44.797909] 
[   44.805302] CPU: 1 PID: 7981 Comm: syz-executor292 Tainted: G    B             4.14.240-syzkaller #0
[   44.814399] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   44.823770] Call Trace:
[   44.826428]  dump_stack+0x1b2/0x281
[   44.830053]  panic+0x1f9/0x42d
[   44.833312]  ? add_taint.cold+0x16/0x16
[   44.837261]  kasan_end_report+0x43/0x49
[   44.841207]  kasan_report_error.cold+0xa7/0x191
[   44.845850]  ? __list_add_valid+0x81/0xa0
[   44.849973]  __asan_report_load8_noabort+0x68/0x70
[   44.854874]  ? __list_add_valid+0x81/0xa0
[   44.858997]  __list_add_valid+0x81/0xa0
[   44.862950]  chrdev_open+0x45c/0x6d0
[   44.866637]  ? __register_chrdev+0x3d0/0x3d0
[   44.871018]  do_dentry_open+0x44b/0xec0
[   44.874965]  ? __register_chrdev+0x3d0/0x3d0
[   44.879358]  ? __inode_permission+0xcd/0x2f0
[   44.883753]  vfs_open+0x105/0x220
[   44.887179]  path_openat+0x628/0x2970
[   44.890956]  ? path_lookupat+0x780/0x780
[   44.894990]  ? trace_hardirqs_on+0x10/0x10
[   44.899199]  do_filp_open+0x179/0x3c0
[   44.902980]  ? may_open_dev+0xe0/0xe0
[   44.906766]  ? lock_downgrade+0x740/0x740
[   44.910891]  ? do_raw_spin_unlock+0x164/0x220
[   44.915358]  ? _raw_spin_unlock+0x29/0x40
[   44.919502]  ? __alloc_fd+0x1be/0x490
[   44.923276]  do_sys_open+0x296/0x410
[   44.926967]  ? filp_open+0x60/0x60
[   44.930494]  ? _raw_spin_unlock_irq+0x5a/0x80
[   44.934966]  ? do_syscall_64+0x4c/0x640
[   44.938918]  ? SyS_open+0x30/0x30
[   44.942346]  do_syscall_64+0x1d5/0x640
[   44.946210]  entry_SYSCALL_64_after_hwframe+0x46/0xbb
[   44.951376] RIP: 0033:0x446809
[   44.954539] RSP: 002b:00007fa685b1c2f8 EFLAGS: 00000246 ORIG_RAX: 0000000000000101
[   44.962394] RAX: ffffffffffffffda RBX: 00000000004d0510 RCX: 0000000000446809
[   44.969640] RDX: 0000000000000000 RSI: 0000000020002100 RDI: 00000000ffffff9c
[   44.976882] RBP: 00000000004a013c R08: 0000000000000000 R09: 0000000000000000
[   44.984126] R10: 0000000000000000 R11: 0000000000000246 R12: 000000000049e138
[   44.991371] R13: 2f30656c69662f2e R14: 0000000100000001 R15: 00000000004d0518
[   44.999895] Kernel Offset: disabled
[   45.003515] Rebooting in 86400 seconds..
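The report above says, in its own fields, what a triager needs: an 8-byte read in __list_add_valid reached from chrdev_open, on a fuse_inode slab object 904 bytes into its 1272-byte region, allocated by fuse_alloc_inode in task 7974 and freed from an RCU callback in softirq context (task 0). Pulling those fields out by hand from every syzbot log is error-prone, so here is an added triage parser (not part of the syzbot report or of any syzkaller tooling) that turns a KASAN report into structured data, skips the `?` guess frames and the sanitizer/allocator frames that top every stack, cross-checks the printed offset against the access address and object base, and stops at the closing `====` line so the panic backtrace that repeats the same stack is not folded in. The function and field names are this example's own choices; the sample input is the report's KASAN block, abridged to the lines the parser needs.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Sample input: the KASAN block from the console log above, abridged to the lines needed here.
SAMPLE_REPORT = """\
[   44.372983] ==================================================================
[   44.380462] BUG: KASAN: use-after-free in __list_add_valid+0x81/0xa0
[   44.386977] Read of size 8 at addr ffff8880b3cef448 by task syz-executor292/7981
[   44.413289] Call Trace:
[   44.415864]  dump_stack+0x1b2/0x281
[   44.429387]  ? __list_add_valid+0x81/0xa0
[   44.433525]  __asan_report_load8_noabort+0x68/0x70
[   44.442562]  __list_add_valid+0x81/0xa0
[   44.446521]  chrdev_open+0x45c/0x6d0
[   44.582620]
[   44.584223] Allocated by task 7974:
[   44.587831]  kasan_kmalloc+0xeb/0x160
[   44.595761]  fuse_alloc_inode+0x1d/0x3f0
[   44.648294] Freed by task 0:
[   44.651292]  kasan_slab_free+0xc3/0x1a0
[   44.659205]  rcu_process_callbacks+0x780/0x1180
[   44.669236] The buggy address belongs to the object at ffff8880b3cef0c0
[   44.669236]  which belongs to the cache fuse_inode of size 1272
[   44.681866] The buggy address is located 904 bytes inside of
[   44.784907] ==================================================================
"""

TS = re.compile(r"^\[\s*\d+\.\d+\]\s?")  # printk timestamp prefix
BUG = re.compile(r"BUG: KASAN: (\S+) in (\S+)")
ACCESS = re.compile(r"(Read|Write) of size (\d+) at addr ([0-9a-f]+)")
OBJECT = re.compile(r"belongs to the object at ([0-9a-f]+)")
CACHE = re.compile(r"belongs to the cache (\S+) of size (\d+)")
OFFSET = re.compile(r"located (\d+) bytes inside of")
TASK = re.compile(r"(Allocated|Freed) by task (\d+):")
# Sanitizer/allocator frames that top every stack and say nothing about the bug itself.
NOISE = ("kasan_", "__asan_", "dump_stack", "print_address", "kmem_cache_", "kmalloc")

@dataclass
class KasanReport:
    bug: str = ""
    site: str = ""          # function that performed the bad access
    access: str = ""        # Read / Write
    size: int = 0
    addr: int = 0
    obj_base: int = 0
    cache: str = ""
    object_size: int = 0
    offset: int = 0
    alloc_pid: Optional[int] = None
    free_pid: Optional[int] = None
    crash_stack: List[str] = field(default_factory=list)
    alloc_stack: List[str] = field(default_factory=list)
    free_stack: List[str] = field(default_factory=list)

def parse_kasan_report(text: str) -> KasanReport:
    r, stack, inside = KasanReport(), None, False
    for raw in text.splitlines():
        line = TS.sub("", raw).rstrip()
        if line.startswith("====="):      # report delimiter
            if inside:
                break                     # stop before the panic backtrace that follows
            inside = True
        elif not inside or not line:
            stack = None                  # a blank line ends every stack section
        elif m := BUG.search(line):
            r.bug, r.site = m.group(1), m.group(2).split("+", 1)[0]
        elif m := ACCESS.search(line):
            r.access, r.size, r.addr = m.group(1), int(m.group(2)), int(m.group(3), 16)
        elif m := OBJECT.search(line):
            r.obj_base = int(m.group(1), 16)
        elif m := CACHE.search(line):
            r.cache, r.object_size = m.group(1), int(m.group(2))
        elif m := OFFSET.search(line):
            r.offset = int(m.group(1))
        elif m := TASK.search(line):
            if m.group(1) == "Allocated":
                r.alloc_pid, stack = int(m.group(2)), r.alloc_stack
            else:
                r.free_pid, stack = int(m.group(2)), r.free_stack
        elif line.startswith("Call Trace:"):
            stack = r.crash_stack
        elif stack is not None and line.startswith(" ") and not line.lstrip().startswith("?"):
            stack.append(line.strip().split("+", 1)[0])   # '?' frames are guesses; skip them
    return r

def first_meaningful_frame(stack: List[str]) -> str:
    return next((f for f in stack if not f.startswith(NOISE)), "")

def offset_is_consistent(r: KasanReport) -> bool:
    """Cross-check the reported offset against addr - object base and the object size."""
    return r.addr - r.obj_base == r.offset < r.object_size

def summarize(r: KasanReport) -> str:
    where = first_meaningful_frame(r.crash_stack)
    caller = r.crash_stack[r.crash_stack.index(where) + 1] if where else "?"
    return (f"{r.bug} {r.access} of {r.size} bytes in {where} called from {caller}; "
            f"{r.cache} object ({r.object_size} B) at offset {r.offset}, "
            f"allocated in {first_meaningful_frame(r.alloc_stack)} by pid {r.alloc_pid}, "
            f"freed in {first_meaningful_frame(r.free_stack)} by pid {r.free_pid}")
```

Feeding the full console log above into `parse_kasan_report` gives the same result as the abridged sample, because parsing stops at the second `====` line; without that stop the second `Call Trace:` from the panic path would be appended to the crash stack. The offset check is worth keeping in any such script: a report whose printed offset does not equal `addr - obj_base`, or is not below the object size, has been truncated or mangled in transit and should not be triaged from.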