[ OK ] Started Serial Getty on ttyS0.
[ OK ] Started Getty on tty1.
[ OK ] Started Getty on tty2.
[ OK ] Reached target Login Prompts.
[ OK ] Reached target Multi-User System.
[ OK ] Reached target Graphical Interface.
Starting Update UTMP about System Runlevel Changes...
[ OK ] Started Update UTMP about System Runlevel Changes.
Starting Load/Save RF Kill Switch Status...
[ OK ] Started Load/Save RF Kill Switch Status.
Debian GNU/Linux 9 syzkaller ttyS0
Warning: Permanently added '10.128.0.179' (ECDSA) to the list of known hosts.
executing program
syzkaller login: [ 55.311017][ T6836] IPVS: ftp: loaded support on port[0] = 21
[ 55.347195][ T6836] ==================================================================
[ 55.347231][ T6836] BUG: KASAN: use-after-free in vcs_read+0xaa7/0xb40
[ 55.347239][ T6836] Write of size 2 at addr ffff8880a0b68000 by task syz-executor825/6836
[ 55.347241][ T6836]
[ 55.347250][ T6836] CPU: 0 PID: 6836 Comm: syz-executor825 Not tainted 5.9.0-rc1-next-20200821-syzkaller #0
[ 55.347255][ T6836] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 55.347258][ T6836] Call Trace:
[ 55.347270][ T6836] dump_stack+0x18f/0x20d
[ 55.347279][ T6836] ? vcs_read+0xaa7/0xb40
[ 55.347286][ T6836] ? vcs_read+0xaa7/0xb40
[ 55.347296][ T6836] print_address_description.constprop.0.cold+0xae/0x497
[ 55.347306][ T6836] ? lock_release+0x8e0/0x8e0
[ 55.347314][ T6836] ? lock_downgrade+0x830/0x830
[ 55.347324][ T6836] ? vprintk_func+0x97/0x1a6
[ 55.347333][ T6836] ? vcs_read+0xaa7/0xb40
[ 55.347340][ T6836] ? vcs_read+0xaa7/0xb40
[ 55.347347][ T6836] kasan_report.cold+0x1f/0x37
[ 55.347356][ T6836] ? vcs_read+0xaa7/0xb40
[ 55.347365][ T6836] vcs_read+0xaa7/0xb40
[ 55.347378][ T6836] ? vcs_write+0xb50/0xb50
[ 55.347388][ T6836] ? security_file_permission+0x248/0x560
[ 55.347403][ T6836] do_iter_read+0x48e/0x6e0
[ 55.347417][ T6836] vfs_readv+0xe5/0x150
[ 55.347426][ T6836] ? compat_rw_copy_check_uvector+0x4c0/0x4c0
[ 55.347438][ T6836] ? find_held_lock+0x2d/0x110
[ 55.347454][ T6836] ? vmacache_update+0xce/0x140
[ 55.347465][ T6836] __x64_sys_preadv+0x231/0x310
[ 55.347474][ T6836] ? __ia32_sys_writev+0xb0/0xb0
[ 55.347484][ T6836] ? trace_hardirqs_on+0x5f/0x220
[ 55.347493][ T6836] ? lockdep_hardirqs_on+0x76/0xf0
[ 55.347504][ T6836] do_syscall_64+0x2d/0x70
[ 55.347513][ T6836] entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 55.347521][ T6836] RIP: 0033:0x440af9
[ 55.347530][ T6836] Code: 18 89 d0 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 fb 0f fc ff c3 66 2e 0f 1f 84 00 00 00 00
[ 55.347535][ T6836] RSP: 002b:00007ffc361d17f8 EFLAGS: 00000246 ORIG_RAX: 0000000000000127
[ 55.347544][ T6836] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000000440af9
[ 55.347549][ T6836] RDX: 0000000000000006 RSI: 0000000020001b00 RDI: 0000000000000003
[ 55.347554][ T6836] RBP: 00007ffc361d1800 R08: 0000000000000000 R09: 0000000120080522
[ 55.347559][ T6836] R10: 0000000000000003 R11: 0000000000000246 R12: 00000000004a2290
[ 55.347564][ T6836] R13: 0000000000402010 R14: 0000000000000000 R15: 0000000000000000
[ 55.347574][ T6836]
[ 55.347578][ T6836] Allocated by task 6756:
[ 55.347586][ T6836] kasan_save_stack+0x1b/0x40
[ 55.347594][ T6836] __kasan_kmalloc.constprop.0+0xbf/0xd0
[ 55.347601][ T6836] kmem_cache_alloc_trace+0x16e/0x2c0
[ 55.347609][ T6836] tomoyo_init_log+0x18a/0x1e50
[ 55.347617][ T6836] tomoyo_supervisor+0x32f/0xeb0
[ 55.347634][ T6836] tomoyo_path_permission+0x25c/0x360
[ 55.347640][ T6836] tomoyo_path_perm+0x2e7/0x3f0
[ 55.347648][ T6836] security_inode_getattr+0xcf/0x140
[ 55.347655][ T6836] vfs_statx_fd+0x70/0xf0
[ 55.347662][ T6836] __do_sys_newfstat+0x88/0x100
[ 55.347669][ T6836] do_syscall_64+0x2d/0x70
[ 55.347677][ T6836] entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 55.347679][ T6836]
[ 55.347683][ T6836] Freed by task 6756:
[ 55.347690][ T6836] kasan_save_stack+0x1b/0x40
[ 55.347697][ T6836] kasan_set_track+0x1c/0x30
[ 55.347704][ T6836] kasan_set_free_info+0x1b/0x30
[ 55.347711][ T6836] __kasan_slab_free+0xd8/0x120
[ 55.347717][ T6836] kfree+0x103/0x2c0
[ 55.347724][ T6836] tomoyo_init_log+0x14b6/0x1e50
[ 55.347731][ T6836] tomoyo_supervisor+0x32f/0xeb0
[ 55.347739][ T6836] tomoyo_path_permission+0x25c/0x360
[ 55.347745][ T6836] tomoyo_path_perm+0x2e7/0x3f0
[ 55.347753][ T6836] security_inode_getattr+0xcf/0x140
[ 55.347759][ T6836] vfs_statx_fd+0x70/0xf0
[ 55.347766][ T6836] __do_sys_newfstat+0x88/0x100
[ 55.347774][ T6836] do_syscall_64+0x2d/0x70
[ 55.347781][ T6836] entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 55.347783][ T6836]
[ 55.347789][ T6836] The buggy address belongs to the object at ffff8880a0b68000
[ 55.347789][ T6836] which belongs to the cache kmalloc-4k of size 4096
[ 55.347795][ T6836] The buggy address is located 0 bytes inside of
[ 55.347795][ T6836] 4096-byte region [ffff8880a0b68000, ffff8880a0b69000)
[ 55.347798][ T6836] The buggy address belongs to the page:
[ 55.347807][ T6836] page:00000000829a4ea3 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0xa0b68
[ 55.347813][ T6836] head:00000000829a4ea3 order:1 compound_mapcount:0
[ 55.347819][ T6836] flags: 0xfffe0000010200(slab|head)
[ 55.347830][ T6836] raw: 00fffe0000010200 ffffea0002a24688 ffffea0002a2aa88 ffff8880aa040900
[ 55.347839][ T6836] raw: 0000000000000000 ffff8880a0b68000 0000000100000001 0000000000000000
[ 55.347843][ T6836] page dumped because: kasan: bad access detected
[ 55.347845][ T6836]
[ 55.347848][ T6836] Memory state around the buggy address:
[ 55.347854][ T6836] ffff8880a0b67f00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 55.347861][ T6836] ffff8880a0b67f80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 55.347867][ T6836] >ffff8880a0b68000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 55.347870][ T6836] ^
[ 55.347876][ T6836] ffff8880a0b68080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 55.347882][ T6836] ffff8880a0b68100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 55.347885][ T6836] ==================================================================
[ 55.347888][ T6836] Disabling lock debugging due to kernel taint
[ 55.347893][ T6836] Kernel panic - not syncing: panic_on_warn set ...
[ 55.347900][ T6836] CPU: 0 PID: 6836 Comm: syz-executor825 Tainted: G B 5.9.0-rc1-next-20200821-syzkaller #0
[ 55.347904][ T6836] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 55.347906][ T6836] Call Trace:
[ 55.347915][ T6836] dump_stack+0x18f/0x20d
[ 55.347922][ T6836] ? vcs_read+0xa40/0xb40
[ 55.347931][ T6836] panic+0x2e3/0x75c
[ 55.347938][ T6836] ? __warn_printk+0xf3/0xf3
[ 55.347947][ T6836] ? trace_hardirqs_on+0x55/0x220
[ 55.347954][ T6836] ? vcs_read+0xaa7/0xb40
[ 55.347960][ T6836] ? vcs_read+0xaa7/0xb40
[ 55.347967][ T6836] end_report+0x4d/0x53
[ 55.347974][ T6836] kasan_report.cold+0xd/0x37
[ 55.347981][ T6836] ? vcs_read+0xaa7/0xb40
[ 55.347988][ T6836] vcs_read+0xaa7/0xb40
[ 55.347998][ T6836] ? vcs_write+0xb50/0xb50
[ 55.348005][ T6836] ? security_file_permission+0x248/0x560
[ 55.348014][ T6836] do_iter_read+0x48e/0x6e0
[ 55.348023][ T6836] vfs_readv+0xe5/0x150
[ 55.348031][ T6836] ? compat_rw_copy_check_uvector+0x4c0/0x4c0
[ 55.348040][ T6836] ? find_held_lock+0x2d/0x110
[ 55.348049][ T6836] ? vmacache_update+0xce/0x140
[ 55.348058][ T6836] __x64_sys_preadv+0x231/0x310
[ 55.348066][ T6836] ? __ia32_sys_writev+0xb0/0xb0
[ 55.348073][ T6836] ? trace_hardirqs_on+0x5f/0x220
[ 55.348079][ T6836] ? lockdep_hardirqs_on+0x76/0xf0
[ 55.348087][ T6836] do_syscall_64+0x2d/0x70
[ 55.348095][ T6836] entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 55.348100][ T6836] RIP: 0033:0x440af9
[ 55.348107][ T6836] Code: 18 89 d0 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 fb 0f fc ff c3 66 2e 0f 1f 84 00 00 00 00
[ 55.348111][ T6836] RSP: 002b:00007ffc361d17f8 EFLAGS: 00000246 ORIG_RAX: 0000000000000127
[ 55.348118][ T6836] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000000440af9
[ 55.348123][ T6836] RDX: 0000000000000006 RSI: 0000000020001b00 RDI: 0000000000000003
[ 55.348127][ T6836] RBP: 00007ffc361d1800 R08: 0000000000000000 R09: 0000000120080522
[ 55.348131][ T6836] R10: 0000000000000003 R11: 0000000000000246 R12: 00000000004a2290
[ 55.348136][ T6836] R13: 0000000000402010 R14: 0000000000000000 R15: 0000000000000000
[ 55.349201][ T6836] Kernel Offset: disabled
[ 56.098712][ T6836] Rebooting in 86400 seconds..