[ OK ] Started Network Time Synchronization.
[ OK ] Started Raise network interfaces.
[ OK ] Reached target Network.
Starting Permit User Sessions...
Starting OpenBSD Secure Shell server...
[ OK ] Started Permit User Sessions.
[ OK ] Started OpenBSD Secure Shell server.
[ 13.473234][ C1] random: crng init done
[ 13.474169][ C1] random: 7 urandom warning(s) missed due to ratelimiting
Warning: Permanently added '10.128.1.20' (ECDSA) to the list of known hosts.
executing program
[* ] A start job is running for dev-ttyS0.device (8s / 1min 30s)
[** ] A start job is running for dev-ttyS0.device (9s / 1min 30s)
[*** ] A start job is running for dev-ttyS0.device (10s / 1min 30s)
[ *** ] A start job is running for dev-ttyS0.device (10s / 1min 30s)
[ *** ] A start job is running for dev-ttyS0.device (11s / 1min 30s)
[ ***] A start job is running for dev-ttyS0.device (12s / 1min 30s)
[ **] A start job is running for dev-ttyS0.device (12s / 1min 30s)
[ *] A start job is running for dev-ttyS0.device (13s / 1min 30s)
[ **] A start job is running for dev-ttyS0.device (13s / 1min 30s)
[ ***] A start job is running for dev-ttyS0.device (14s / 1min 30s)
[ 20.551368][ T22] audit: type=1400 audit(1598845024.273:8): avc: denied { execmem } for pid=329 comm="syz-executor533" scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=process permissive=1
[ 20.555989][ T158] ==================================================================
[ 20.579938][ T158] BUG: KASAN: use-after-free in __list_del_entry_valid+0x98/0x100
[ 20.587739][ T158] Read of size 8 at addr ffff8881ce189780 by task kworker/u4:2/158
[ 20.595586][ T158]
[ 20.597884][ T158] CPU: 1 PID: 158 Comm: kworker/u4:2 Not tainted 5.4.61-syzkaller-00873-ge15cc541b749 #0
[ 20.607640][ T158] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 20.617670][ T158] Workqueue: io_ring-wq io_sq_wq_submit_work
[ 20.623623][ T158] Call Trace:
[ 20.626906][ T158] dump_stack+0x14a/0x1ce
[ 20.631199][ T158] ? show_regs_print_info+0x12/0x12
[ 20.636394][ T158] ? printk+0xd2/0x114
[ 20.640431][ T158] print_address_description+0x93/0x620
[ 20.645938][ T158] __kasan_report+0x16d/0x1e0
[ 20.650581][ T158] ? __list_del_entry_valid+0x98/0x100
[ 20.656008][ T158] kasan_report+0x36/0x60
[ 20.660332][ T158] __list_del_entry_valid+0x98/0x100
[ 20.665581][ T158] io_sq_wq_submit_work+0x7f5/0x14a0
[ 20.670828][ T158] ? io_free_req+0xab2/0xbf0
[ 20.675390][ T158] ? __io_queue_sqe+0xa00/0xa00
[ 20.680202][ T158] ? _raw_spin_lock_irq+0xa2/0x180
[ 20.685277][ T158] ? read_word_at_a_time+0xe/0x20
[ 20.690264][ T158] ? strscpy+0xa6/0x260
[ 20.694396][ T158] process_one_work+0x777/0xf90
[ 20.699211][ T158] worker_thread+0xa8f/0x1430
[ 20.703852][ T158] kthread+0x317/0x340
[ 20.707883][ T158] ? process_one_work+0xf90/0xf90
[ 20.712881][ T158] ? kthread_destroy_worker+0x280/0x280
[ 20.718387][ T158] ret_from_fork+0x1f/0x30
[ 20.722764][ T158]
[ 20.725057][ T158] Allocated by task 329:
[ 20.729264][ T158] __kasan_kmalloc+0x12c/0x1c0
[ 20.734004][ T158] kmem_cache_alloc_bulk+0x1cf/0x250
[ 20.739252][ T158] io_get_req+0x27f/0x850
[ 20.743544][ T158] io_submit_sqe+0x83/0xe90
[ 20.748008][ T158] __se_sys_io_uring_enter+0x922/0x1ff0
[ 20.753514][ T158] do_syscall_64+0xcb/0x150
[ 20.757980][ T158] entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 20.763830][ T158]
[ 20.766122][ T158] Freed by task 158:
[ 20.769991][ T158] __kasan_slab_free+0x181/0x230
[ 20.774889][ T158] slab_free_freelist_hook+0xd0/0x150
[ 20.780227][ T158] kmem_cache_free+0xac/0x600
[ 20.784863][ T158] io_poll_complete_work+0x737/0x940
[ 20.790109][ T158] process_one_work+0x777/0xf90
[ 20.794931][ T158] worker_thread+0xa8f/0x1430
[ 20.799570][ T158] kthread+0x317/0x340
[ 20.803601][ T158] ret_from_fork+0x1f/0x30
[ 20.807985][ T158]
[ 20.810333][ T158] The buggy address belongs to the object at ffff8881ce189680
[ 20.810333][ T158] which belongs to the cache io_kiocb of size 264
[ 20.824096][ T158] The buggy address is located 256 bytes inside of
[ 20.824096][ T158] 264-byte region [ffff8881ce189680, ffff8881ce189788)
[ 20.837324][ T158] The buggy address belongs to the page:
[ 20.842920][ T158] page:ffffea0007386200 refcount:1 mapcount:0 mapping:ffff8881d99ba500 index:0x0 compound_mapcount: 0
[ 20.853807][ T158] flags: 0x8000000000010200(slab|head)
[ 20.859246][ T158] raw: 8000000000010200 dead000000000100 dead000000000122 ffff8881d99ba500
[ 20.867794][ T158] raw: 0000000000000000 0000000080150015 00000001ffffffff 0000000000000000
[ 20.876349][ T158] page dumped because: kasan: bad access detected
[ 20.882732][ T158]
[ 20.885023][ T158] Memory state around the buggy address:
[ 20.890628][ T158] ffff8881ce189680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 20.898653][ T158] ffff8881ce189700: fb fb f