[  OK  ] Reached target Graphical Interface.
         Starting Update UTMP about System Runlevel Changes...
[  OK  ] Started Update UTMP about System Runlevel Changes.
         Starting Load/Save RF Kill Switch Status...
[  OK  ] Started Load/Save RF Kill Switch Status.

Debian GNU/Linux 9 syzkaller ttyS0

Warning: Permanently added '10.128.0.164' (ECDSA) to the list of known hosts.
executing program
executing program
syzkaller login: [   43.769994] ==================================================================
[   43.777418] BUG: KASAN: use-after-free in __list_add_valid+0x81/0xa0
[   43.783899] Read of size 8 at addr ffff8880b2e91448 by task syz-executor338/7993
[   43.791580] 
[   43.793200] CPU: 0 PID: 7993 Comm: syz-executor338 Not tainted 4.14.237-syzkaller #0
[   43.801075] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   43.810426] Call Trace:
[   43.812999]  dump_stack+0x1b2/0x281
[   43.816621]  print_address_description.cold+0x54/0x1d3
[   43.821889]  kasan_report_error.cold+0x8a/0x191
[   43.826600]  ? __list_add_valid+0x81/0xa0
[   43.830739]  __asan_report_load8_noabort+0x68/0x70
[   43.835668]  ? __list_add_valid+0x81/0xa0
[   43.839901]  __list_add_valid+0x81/0xa0
[   43.843858]  chrdev_open+0x45c/0x6d0
[   43.847554]  ? __register_chrdev+0x3d0/0x3d0
[   43.852082]  do_dentry_open+0x44b/0xec0
[   43.856036]  ? __register_chrdev+0x3d0/0x3d0
[   43.860425]  ? __inode_permission+0xcd/0x2f0
[   43.864812]  vfs_open+0x105/0x220
[   43.868246]  path_openat+0x628/0x2970
[   43.872030]  ? path_lookupat+0x780/0x780
[   43.876087]  ? trace_hardirqs_on+0x10/0x10
[   43.880420]  do_filp_open+0x179/0x3c0
[   43.884338]  ? may_open_dev+0xe0/0xe0
[   43.888123]  ? lock_downgrade+0x740/0x740
[   43.892267]  ? do_raw_spin_unlock+0x164/0x220
[   43.896753]  ? _raw_spin_unlock+0x29/0x40
[   43.900906]  ? __alloc_fd+0x1be/0x490
[   43.904700]  do_sys_open+0x296/0x410
[   43.908482]  ? filp_open+0x60/0x60
[   43.912024]  ? do_syscall_64+0x4c/0x640
[   43.915995]  ? SyS_open+0x30/0x30
[   43.919431]  do_syscall_64+0x1d5/0x640
[   43.923316]  entry_SYSCALL_64_after_hwframe+0x46/0xbb
[   43.928483] RIP: 0033:0x446799
[   43.931655] RSP: 002b:00007f465e6312f8 EFLAGS: 00000246 ORIG_RAX: 0000000000000101
[   43.939348] RAX: ffffffffffffffda RBX: 00000000004d0510 RCX: 0000000000446799
[   43.946619] RDX: 0000000000000000 RSI: 0000000020002040 RDI: 00000000ffffff9c
[   43.953886] RBP: 00000000004a0144 R08: 0000000000000000 R09: 0000000000000000
[   43.961153] R10: 0000000000000000 R11: 0000000000000246 R12: 2f30656c69662f2e
[   43.968411] R13: 000000000049e140 R14: 8000000000000000 R15: 00000000004d0518
[   43.975697] 
[   43.977330] Allocated by task 7983:
[   43.980962]  kasan_kmalloc+0xeb/0x160
[   43.984772]  kmem_cache_alloc+0x124/0x3c0
[   43.988930]  fuse_alloc_inode+0x1d/0x3f0
[   43.992980]  alloc_inode+0x5d/0x170
[   43.996608]  iget5_locked+0x169/0x450
[   44.000397]  fuse_iget+0x164/0x730
[   44.003919]  fuse_lookup_name+0x3bb/0x550
[   44.008052]  fuse_lookup+0xcd/0x390
[   44.011663]  lookup_slow+0x20a/0x400
[   44.015382]  walk_component+0x6a1/0xbc0
[   44.019342]  path_lookupat+0x1bb/0x780
[   44.023249]  filename_lookup+0x18a/0x510
[   44.027407]  vfs_statx+0xd1/0x180
[   44.030849]  SyS_newfstatat+0x8b/0xf0
[   44.034640]  do_syscall_64+0x1d5/0x640
[   44.038535]  entry_SYSCALL_64_after_hwframe+0x46/0xbb
[   44.043703] 
[   44.045313] Freed by task 0:
[   44.048326]  kasan_slab_free+0xc3/0x1a0
[   44.052286]  kmem_cache_free+0x7c/0x2b0
[   44.056251]  rcu_process_callbacks+0x780/0x1180
[   44.060906]  __do_softirq+0x24d/0x9ff
[   44.064687] 
[   44.066313] The buggy address belongs to the object at ffff8880b2e910c0
[   44.066313]  which belongs to the cache fuse_inode of size 1272
[   44.079128] The buggy address is located 904 bytes inside of
[   44.079128]  1272-byte region [ffff8880b2e910c0, ffff8880b2e915b8)
[   44.091173] The buggy address belongs to the page:
[   44.096178] page:ffffea0002cba400 count:1 mapcount:0 mapping:ffff8880b2e90040 index:0xffff8880b2e91ffb compound_mapcount: 0
[   44.107434] flags: 0xfff00000008100(slab|head)
[   44.112002] raw: 00fff00000008100 ffff8880b2e90040 ffff8880b2e91ffb 0000000100000005
[   44.119956] raw: ffff8880b1327448 ffff8880b1327448 ffff8880b1326540 0000000000000000
[   44.127825] page dumped because: kasan: bad access detected
[   44.133532] 
[   44.135141] Memory state around the buggy address:
[   44.140054]  ffff8880b2e91300: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   44.147501]  ffff8880b2e91380: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   44.154990] >ffff8880b2e91400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   44.162425]                                ^
[   44.168129]  ffff8880b2e91480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   44.175477]  ffff8880b2e91500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   44.182817] ==================================================================
[   44.190265] Disabling lock debugging due to kernel taint
[   44.195901] Kernel panic - not syncing: panic_on_warn set ...
[   44.195901] 
[   44.203267] CPU: 0 PID: 7993 Comm: syz-executor338 Tainted: G    B           4.14.237-syzkaller #0
[   44.212351] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   44.221692] Call Trace:
[   44.224268]  dump_stack+0x1b2/0x281
[   44.227872]  panic+0x1f9/0x42d
[   44.231038]  ? add_taint.cold+0x16/0x16
[   44.235005]  kasan_end_report+0x43/0x49
[   44.238957]  kasan_report_error.cold+0xa7/0x191
[   44.243628]  ? __list_add_valid+0x81/0xa0
[   44.247752]  __asan_report_load8_noabort+0x68/0x70
[   44.252670]  ? __list_add_valid+0x81/0xa0
[   44.256807]  __list_add_valid+0x81/0xa0
[   44.260759]  chrdev_open+0x45c/0x6d0
[   44.264449]  ? __register_chrdev+0x3d0/0x3d0
[   44.268845]  do_dentry_open+0x44b/0xec0
[   44.272840]  ? __register_chrdev+0x3d0/0x3d0
[   44.280118]  ? __inode_permission+0xcd/0x2f0
[   44.284502]  vfs_open+0x105/0x220
[   44.287934]  path_openat+0x628/0x2970
[   44.291727]  ? path_lookupat+0x780/0x780
[   44.295767]  ? trace_hardirqs_on+0x10/0x10
[   44.299997]  do_filp_open+0x179/0x3c0
[   44.303780]  ? may_open_dev+0xe0/0xe0
[   44.307582]  ? lock_downgrade+0x740/0x740
[   44.311705]  ? do_raw_spin_unlock+0x164/0x220
[   44.316190]  ? _raw_spin_unlock+0x29/0x40
[   44.320402]  ? __alloc_fd+0x1be/0x490
[   44.324179]  do_sys_open+0x296/0x410
[   44.327885]  ? filp_open+0x60/0x60
[   44.331400]  ? do_syscall_64+0x4c/0x640
[   44.335373]  ? SyS_open+0x30/0x30
[   44.338899]  do_syscall_64+0x1d5/0x640
[   44.342852]  entry_SYSCALL_64_after_hwframe+0x46/0xbb
[   44.348121] RIP: 0033:0x446799
[   44.351286] RSP: 002b:00007f465e6312f8 EFLAGS: 00000246 ORIG_RAX: 0000000000000101
[   44.358981] RAX: ffffffffffffffda RBX: 00000000004d0510 RCX: 0000000000446799
[   44.366229] RDX: 0000000000000000 RSI: 0000000020002040 RDI: 00000000ffffff9c
[   44.373475] RBP: 00000000004a0144 R08: 0000000000000000 R09: 0000000000000000
[   44.380721] R10: 0000000000000000 R11: 0000000000000246 R12: 2f30656c69662f2e
[   44.387966] R13: 000000000049e140 R14: 8000000000000000 R15: 00000000004d0518
[   44.396303] Kernel Offset: disabled
[   44.399929] Rebooting in 86400 seconds..