[  OK  ] Reached target Graphical Interface.
         Starting Update UTMP about System Runlevel Changes...
[  OK  ] Started Update UTMP about System Runlevel Changes.
         Starting Load/Save RF Kill Switch Status...
[  OK  ] Started Load/Save RF Kill Switch Status.

Debian GNU/Linux 9 syzkaller ttyS0

Warning: Permanently added '10.128.0.134' (ECDSA) to the list of known hosts.
executing program
executing program
syzkaller login: [   34.341660] ==================================================================
[   34.351144] BUG: KASAN: use-after-free in __list_add_valid+0x81/0xa0
[   34.358407] Read of size 8 at addr ffff8880aae3da08 by task syz-executor452/7966
[   34.367680]
[   34.369381] CPU: 0 PID: 7966 Comm: syz-executor452 Not tainted 4.14.218-syzkaller #0
[   34.378290] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   34.388420] Call Trace:
[   34.391452]  dump_stack+0x1b2/0x281
[   34.395358]  print_address_description.cold+0x54/0x1d3
[   34.400717]  kasan_report_error.cold+0x8a/0x191
[   34.406175]  ? __list_add_valid+0x81/0xa0
[   34.411204]  __asan_report_load8_noabort+0x68/0x70
[   34.417500]  ? __list_add_valid+0x81/0xa0
[   34.422241]  __list_add_valid+0x81/0xa0
[   34.426408]  chrdev_open+0x45c/0x6d0
[   34.430441]  ? __register_chrdev+0x3d0/0x3d0
[   34.434856]  do_dentry_open+0x44b/0xec0
[   34.439016]  ? __register_chrdev+0x3d0/0x3d0
[   34.443454]  ? __inode_permission+0xcd/0x2f0
[   34.448226]  vfs_open+0x105/0x220
[   34.451809]  path_openat+0x628/0x2970
[   34.455799]  ? path_lookupat+0x780/0x780
[   34.460065]  ? trace_hardirqs_on+0x10/0x10
[   34.464412]  do_filp_open+0x179/0x3c0
[   34.468377]  ? may_open_dev+0xe0/0xe0
[   34.472511]  ? lock_downgrade+0x740/0x740
[   34.476986]  ? do_raw_spin_unlock+0x164/0x220
[   34.482277]  ? _raw_spin_unlock+0x29/0x40
[   34.486520]  ? __alloc_fd+0x1be/0x490
[   34.490419]  do_sys_open+0x296/0x410
[   34.494308]  ? filp_open+0x60/0x60
[   34.498316]  ? _raw_spin_unlock_irq+0x5a/0x80
[   34.503370]  ? do_syscall_64+0x4c/0x640
[   34.507939]  ? compat_SyS_openat+0x30/0x30
[   34.512641]  do_syscall_64+0x1d5/0x640
[   34.516624]  entry_SYSCALL_64_after_hwframe+0x46/0xbb
[   34.522420] RIP: 0033:0x446849
[   34.526043] RSP: 002b:00007fc385e522f8 EFLAGS: 00000246 ORIG_RAX: 0000000000000055
[   34.534708] RAX: ffffffffffffffda RBX: 00000000004d0530 RCX: 0000000000446849
[   34.542102] RDX: 00007fc385e52700 RSI: 0000000000000000 RDI: 00000000200001c0
[   34.549756] RBP: 00000000004a013c R08: 00007fc385e52700 R09: 0000000000000000
[   34.557778] R10: 00007fc385e52700 R11: 0000000000000246 R12: 0030656c69662f2e
[   34.565323] R13: 000000000049e138 R14: 2f30656c69662f2e R15: 00000000004d0538
[   34.572854]
[   34.574483] Allocated by task 7957:
[   34.578222]  kasan_kmalloc+0xeb/0x160
[   34.582556]  kmem_cache_alloc+0x124/0x3c0
[   34.587118]  fuse_alloc_inode+0x1d/0x3f0
[   34.591369]  alloc_inode+0x5d/0x170
[   34.595169]  iget5_locked+0x169/0x450
[   34.599021]  fuse_iget+0x164/0x730
[   34.602633]  fuse_lookup_name+0x3bb/0x550
[   34.607132]  fuse_lookup+0xcd/0x390
[   34.610834]  fuse_atomic_open+0x1bb/0x2d0
[   34.614970]  lookup_open+0xe0e/0x1750
[   34.618842]  path_openat+0xe08/0x2970
[   34.623080]  do_filp_open+0x179/0x3c0
[   34.627266]  do_sys_open+0x296/0x410
[   34.631931]  do_syscall_64+0x1d5/0x640
[   34.636652]  entry_SYSCALL_64_after_hwframe+0x46/0xbb
[   34.642357]
[   34.644628] Freed by task 0:
[   34.647958]  kasan_slab_free+0xc3/0x1a0
[   34.652762]  kmem_cache_free+0x7c/0x2b0
[   34.656819]  rcu_process_callbacks+0x780/0x1180
[   34.661635]  __do_softirq+0x24d/0x9ff
[   34.665831]
[   34.667460] The buggy address belongs to the object at ffff8880aae3d680
[   34.667460]  which belongs to the cache fuse_inode of size 1272
[   34.681360] The buggy address is located 904 bytes inside of
[   34.681360]  1272-byte region [ffff8880aae3d680, ffff8880aae3db78)
[   34.693509] The buggy address belongs to the page:
[   34.698625] page:ffffea0002ab8f00 count:1 mapcount:0 mapping:ffff8880aae3c080 index:0xffff8880aae3dffb compound_mapcount: 0
[   34.710446] flags: 0xfff00000008100(slab|head)
[   34.715251] raw: 00fff00000008100 ffff8880aae3c080 ffff8880aae3dffb 0000000100000005
[   34.724564] raw: ffffea000257b8a0 ffff8880b133a548 ffff8880b1326540 0000000000000000
[   34.733055] page dumped because: kasan: bad access detected
[   34.739458]
[   34.741569] Memory state around the buggy address:
[   34.746589]  ffff8880aae3d900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   34.754642]  ffff8880aae3d980: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   34.762979] >ffff8880aae3da00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   34.770563]                                            ^
[   34.774683]  ffff8880aae3da80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   34.782571]  ffff8880aae3db00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fc
[   34.790312] ==================================================================
[   34.798049] Disabling lock debugging due to kernel taint
[   34.803685] Kernel panic - not syncing: panic_on_warn set ...
[   34.803685]
[   34.811510] CPU: 0 PID: 7966 Comm: syz-executor452 Tainted: G    B   4.14.218-syzkaller #0
[   34.821232] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   34.831390] Call Trace:
[   34.834313]  dump_stack+0x1b2/0x281
[   34.838300]  panic+0x1f9/0x42d
[   34.841739]  ? add_taint.cold+0x16/0x16
[   34.845707]  kasan_end_report+0x43/0x49
[   34.850178]  kasan_report_error.cold+0xa7/0x191
[   34.855544]  ? __list_add_valid+0x81/0xa0
[   34.859874]  __asan_report_load8_noabort+0x68/0x70
[   34.864887]  ? __list_add_valid+0x81/0xa0
[   34.869040]  __list_add_valid+0x81/0xa0
[   34.873035]  chrdev_open+0x45c/0x6d0
[   34.877216]  ? __register_chrdev+0x3d0/0x3d0
[   34.881792]  do_dentry_open+0x44b/0xec0
[   34.885863]  ? __register_chrdev+0x3d0/0x3d0
[   34.890524]  ? __inode_permission+0xcd/0x2f0
[   34.894931]  vfs_open+0x105/0x220
[   34.898529]  path_openat+0x628/0x2970
[   34.902326]  ? path_lookupat+0x780/0x780
[   34.906571]  ? trace_hardirqs_on+0x10/0x10
[   34.911326]  do_filp_open+0x179/0x3c0
[   34.915262]  ? may_open_dev+0xe0/0xe0
[   34.919267]  ? lock_downgrade+0x740/0x740
[   34.923737]  ? do_raw_spin_unlock+0x164/0x220
[   34.928629]  ? _raw_spin_unlock+0x29/0x40
[   34.933503]  ? __alloc_fd+0x1be/0x490
[   34.937904]  do_sys_open+0x296/0x410
[   34.941994]  ? filp_open+0x60/0x60
[   34.945937]  ? _raw_spin_unlock_irq+0x5a/0x80
[   34.950876]  ? do_syscall_64+0x4c/0x640
[   34.955368]  ? compat_SyS_openat+0x30/0x30
[   34.959684]  do_syscall_64+0x1d5/0x640
[   34.963744]  entry_SYSCALL_64_after_hwframe+0x46/0xbb
[   34.968935] RIP: 0033:0x446849
[   34.972112] RSP: 002b:00007fc385e522f8 EFLAGS: 00000246 ORIG_RAX: 0000000000000055
[   34.981292] RAX: ffffffffffffffda RBX: 00000000004d0530 RCX: 0000000000446849
[   34.988742] RDX: 00007fc385e52700 RSI: 0000000000000000 RDI: 00000000200001c0
[   34.996531] RBP: 00000000004a013c R08: 00007fc385e52700 R09: 0000000000000000
[   35.004504] R10: 00007fc385e52700 R11: 0000000000000246 R12: 0030656c69662f2e
[   35.012360] R13: 000000000049e138 R14: 2f30656c69662f2e R15: 00000000004d0538
[   35.022715] Kernel Offset: disabled
[   35.027372] Rebooting in 86400 seconds..