[ OK ] Reached target Login Prompts.
[ OK ] Reached target Multi-User System.
[ OK ] Reached target Graphical Interface.
Starting Update UTMP about System Runlevel Changes...
[ OK ] Started Update UTMP about System Runlevel Changes.

Debian GNU/Linux 9 syzkaller ttyS0

Warning: Permanently added '10.128.0.123' (ECDSA) to the list of known hosts.

syzkaller login: [ 58.578217][ T6817] IPVS: ftp: loaded support on port[0] = 21
executing program
[ 58.740681][ T6817] ==================================================================
[ 58.748950][ T6817] BUG: KASAN: use-after-free in sock_def_write_space+0x609/0x630
[ 58.756648][ T6817] Read of size 8 at addr ffff88808a6d25c0 by task syz-executor863/6817
[ 58.764852][ T6817]
[ 58.767165][ T6817] CPU: 0 PID: 6817 Comm: syz-executor863 Not tainted 5.8.0-rc6-syzkaller #0
[ 58.775927][ T6817] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 58.785966][ T6817] Call Trace:
[ 58.789243][ T6817]  dump_stack+0x18f/0x20d
[ 58.793566][ T6817]  ? sock_def_write_space+0x609/0x630
[ 58.798915][ T6817]  ? sock_def_write_space+0x609/0x630
[ 58.804278][ T6817]  print_address_description.constprop.0.cold+0xae/0x436
[ 58.811325][ T6817]  ? lockdep_hardirqs_off+0x66/0xa0
[ 58.816511][ T6817]  ? vprintk_func+0x97/0x1a6
[ 58.821079][ T6817]  ? sock_def_write_space+0x609/0x630
[ 58.826447][ T6817]  kasan_report.cold+0x1f/0x37
[ 58.831200][ T6817]  ? sock_def_write_space+0x609/0x630
[ 58.836546][ T6817]  sock_def_write_space+0x609/0x630
[ 58.841736][ T6817]  ? kfree_skb+0x7d/0x100
[ 58.846058][ T6817]  ? qrtr_tun_poll+0xf0/0xf0
[ 58.850633][ T6817]  sock_wfree+0x1cc/0x240
[ 58.854946][ T6817]  ? __sk_receive_skb+0x830/0x830
[ 58.859973][ T6817]  skb_release_head_state+0x9f/0x250
[ 58.865260][ T6817]  kfree_skb.part.0+0x89/0x350
[ 58.870015][ T6817]  kfree_skb+0x7d/0x100
[ 58.874161][ T6817]  skb_queue_purge+0x14/0x30
[ 58.878843][ T6817]  qrtr_tun_release+0x40/0x60
[ 58.883509][ T6817]  __fput+0x33c/0x880
[ 58.887488][ T6817]  task_work_run+0xdd/0x190
[ 58.892042][ T6817]  __prepare_exit_to_usermode+0x1e9/0x1f0
[ 58.897812][ T6817]  do_fast_syscall_32+0x7f/0x120
[ 58.902748][ T6817]  entry_SYSENTER_compat_after_hwframe+0x4d/0x5c
[ 58.909126][ T6817] RIP: 0023:0xf7fc2569
[ 58.913218][ T6817] Code: Bad RIP value.
[ 58.917345][ T6817] RSP: 002b:00000000ffd1de7c EFLAGS: 00000246 ORIG_RAX: 0000000000000006
[ 58.925785][ T6817] RAX: 0000000000000000 RBX: 0000000000000006 RCX: 0000000020000180
[ 58.933744][ T6817] RDX: 0000000000000007 RSI: 00000000080bffdb RDI: 000000002000018e
[ 58.941867][ T6817] RBP: 00000000ffd1dee8 R08: 0000000000000000 R09: 0000000000000000
[ 58.949813][ T6817] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
[ 58.957758][ T6817] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[ 58.965761][ T6817]
[ 58.968064][ T6817] Allocated by task 6817:
[ 58.972417][ T6817]  save_stack+0x1b/0x40
[ 58.976549][ T6817]  __kasan_kmalloc.constprop.0+0xc2/0xd0
[ 58.982157][ T6817]  kmem_cache_alloc+0x12c/0x3b0
[ 58.987067][ T6817]  sock_alloc_inode+0x18/0x1c0
[ 58.991949][ T6817]  alloc_inode+0x61/0x230
[ 58.996362][ T6817]  new_inode_pseudo+0x14/0xe0
[ 59.001014][ T6817]  sock_alloc+0x3c/0x260
[ 59.005315][ T6817]  __sock_create+0xb9/0x740
[ 59.009790][ T6817]  __sys_socket+0xef/0x200
[ 59.014281][ T6817]  __ia32_sys_socket+0x6f/0xb0
[ 59.019021][ T6817]  do_syscall_32_irqs_on+0x3f/0x60
[ 59.024108][ T6817]  do_fast_syscall_32+0x7f/0x120
[ 59.029023][ T6817]  entry_SYSENTER_compat_after_hwframe+0x4d/0x5c
[ 59.035316][ T6817]
[ 59.037620][ T6817] Freed by task 16:
[ 59.041416][ T6817]  save_stack+0x1b/0x40
[ 59.045545][ T6817]  __kasan_slab_free+0xf5/0x140
[ 59.050368][ T6817]  kmem_cache_free+0x7f/0x310
[ 59.055017][ T6817]  i_callback+0x3f/0x70
[ 59.059160][ T6817]  rcu_core+0x5c7/0x1160
[ 59.063376][ T6817]  __do_softirq+0x34c/0xa60
[ 59.067847][ T6817]
[ 59.070153][ T6817] The buggy address belongs to the object at ffff88808a6d2540
[ 59.070153][ T6817]  which belongs to the cache sock_inode_cache of size 1216
[ 59.084788][ T6817] The buggy address is located 128 bytes inside of
[ 59.084788][ T6817]  1216-byte region [ffff88808a6d2540, ffff88808a6d2a00)
[ 59.098909][ T6817] The buggy address belongs to the page:
[ 59.104517][ T6817] page:ffffea000229b480 refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff88808a6d2ffd
[ 59.115033][ T6817] flags: 0xfffe0000000200(slab)
[ 59.119879][ T6817] raw: 00fffe0000000200 ffffea0002250f88 ffffea000229a608 ffff88821b77f700
[ 59.128446][ T6817] raw: ffff88808a6d2ffd ffff88808a6d2000 0000000100000003 0000000000000000
[ 59.137010][ T6817] page dumped because: kasan: bad access detected
[ 59.143391][ T6817]
[ 59.145691][ T6817] Memory state around the buggy address:
[ 59.151295][ T6817]  ffff88808a6d2480: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 59.159330][ T6817]  ffff88808a6d2500: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
[ 59.167379][ T6817] >ffff88808a6d2580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 59.181623][ T6817]                                            ^
[ 59.181623][ T6817]  ffff88808a6d2600: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 59.189659][ T6817]  ffff88808a6d2680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 59.197689][ T6817] ==================================================================
[ 59.205722][ T6817] Disabling lock debugging due to kernel taint
[ 59.214110][ T6817] Kernel panic - not syncing: panic_on_warn set ...
[ 59.220712][ T6817] CPU: 0 PID: 6817 Comm: syz-executor863 Tainted: G    B             5.8.0-rc6-syzkaller #0
[ 59.230764][ T6817] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 59.240819][ T6817] Call Trace:
[ 59.244110][ T6817]  dump_stack+0x18f/0x20d
[ 59.248432][ T6817]  ? sock_def_write_space+0x510/0x630
[ 59.253776][ T6817]  panic+0x2e3/0x75c
[ 59.257643][ T6817]  ? __warn_printk+0xf3/0xf3
[ 59.262210][ T6817]  ? preempt_schedule_common+0x59/0xc0
[ 59.267642][ T6817]  ? sock_def_write_space+0x609/0x630
[ 59.272988][ T6817]  ? preempt_schedule_thunk+0x16/0x18
[ 59.278331][ T6817]  ? trace_hardirqs_on+0x55/0x220
[ 59.283346][ T6817]  ? sock_def_write_space+0x609/0x630
[ 59.288691][ T6817]  ? sock_def_write_space+0x609/0x630
[ 59.294032][ T6817]  end_report+0x4d/0x53
[ 59.298164][ T6817]  kasan_report.cold+0xd/0x37
[ 59.302815][ T6817]  ? sock_def_write_space+0x609/0x630
[ 59.308204][ T6817]  sock_def_write_space+0x609/0x630
[ 59.313374][ T6817]  ? kfree_skb+0x7d/0x100
[ 59.317688][ T6817]  ? qrtr_tun_poll+0xf0/0xf0
[ 59.322261][ T6817]  sock_wfree+0x1cc/0x240
[ 59.326576][ T6817]  ? __sk_receive_skb+0x830/0x830
[ 59.331591][ T6817]  skb_release_head_state+0x9f/0x250
[ 59.336850][ T6817]  kfree_skb.part.0+0x89/0x350
[ 59.341584][ T6817]  kfree_skb+0x7d/0x100
[ 59.345713][ T6817]  skb_queue_purge+0x14/0x30
[ 59.350405][ T6817]  qrtr_tun_release+0x40/0x60
[ 59.355055][ T6817]  __fput+0x33c/0x880
[ 59.359015][ T6817]  task_work_run+0xdd/0x190
[ 59.363509][ T6817]  __prepare_exit_to_usermode+0x1e9/0x1f0
[ 59.369207][ T6817]  do_fast_syscall_32+0x7f/0x120
[ 59.374133][ T6817]  entry_SYSENTER_compat_after_hwframe+0x4d/0x5c
[ 59.380452][ T6817] RIP: 0023:0xf7fc2569
[ 59.384486][ T6817] Code: Bad RIP value.
[ 59.388521][ T6817] RSP: 002b:00000000ffd1de7c EFLAGS: 00000246 ORIG_RAX: 0000000000000006
[ 59.396914][ T6817] RAX: 0000000000000000 RBX: 0000000000000006 RCX: 0000000020000180
[ 59.404858][ T6817] RDX: 0000000000000007 RSI: 00000000080bffdb RDI: 000000002000018e
[ 59.412801][ T6817] RBP: 00000000ffd1dee8 R08: 0000000000000000 R09: 0000000000000000
[ 59.420742][ T6817] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
[ 59.428685][ T6817] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[ 59.438089][ T6817] Kernel Offset: disabled
[ 59.442403][ T6817] Rebooting in 86400 seconds..