[  OK  ] Started Getty on tty4.
[  OK  ] Started Getty on tty3.
[  OK  ] Started Getty on tty2.
[  OK  ] Started Serial Getty on ttyS0.
[  OK  ] Started Getty on tty1.
[  OK  ] Reached target Login Prompts.
[  OK  ] Reached target Multi-User System.
[  OK  ] Reached target Graphical Interface.
         Starting Update UTMP about System Runlevel Changes...
[  OK  ] Started Update UTMP about System Runlevel Changes.
         Starting Load/Save RF Kill Switch Status...
[  OK  ] Started Load/Save RF Kill Switch Status.

Debian GNU/Linux 9 syzkaller ttyS0

Warning: Permanently added '10.128.0.136' (ECDSA) to the list of known hosts.
executing program
syzkaller login: [   59.382523][ T7177] L1TF CPU bug present and SMT on, data leak possible. See CVE-2018-3646 and https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/l1tf.html for details.
[   59.728954][ T7177] ==================================================================
[   59.737193][ T7177] BUG: KASAN: slab-out-of-bounds in kvm_vcpu_gfn_to_memslot+0x50e/0x540
[   59.745550][ T7177] Read of size 8 at addr ffff888095f51468 by task syz-executor156/7177
[   59.753788][ T7177]
[   59.756131][ T7177] CPU: 1 PID: 7177 Comm: syz-executor156 Not tainted 5.6.0-syzkaller #0
[   59.764463][ T7177] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   59.774527][ T7177] Call Trace:
[   59.777836][ T7177]  dump_stack+0x188/0x20d
[   59.782195][ T7177]  print_address_description.constprop.0.cold+0xd3/0x315
[   59.789250][ T7177]  ? kvm_vcpu_gfn_to_memslot+0x50e/0x540
[   59.794892][ T7177]  __kasan_report.cold+0x35/0x4d
[   59.799840][ T7177]  ? kvm_vcpu_gfn_to_memslot+0x50e/0x540
[   59.805492][ T7177]  ? kvm_vcpu_gfn_to_memslot+0x50e/0x540
[   59.811125][ T7177]  kasan_report+0x33/0x50
[   59.815470][ T7177]  kvm_vcpu_gfn_to_memslot+0x50e/0x540
[   59.821048][ T7177]  try_async_pf+0x12b/0xac0
[   59.825569][ T7177]  ? ept_gva_to_gpa+0x1e0/0x1e0
[   59.830440][ T7177]  ? mark_held_locks+0x9f/0xe0
[   59.835254][ T7177]  ? mmu_topup_memory_caches+0x325/0x460
[   59.840894][ T7177]  direct_page_fault+0x27d/0x1d70
[   59.845945][ T7177]  ? kvm_mmu_get_page+0x1e70/0x1e70
[   59.851149][ T7177]  ? kvm_mtrr_check_gfn_range_consistency+0x254/0x2e0
[   59.857908][ T7177]  ? kvm_vcpu_mtrr_init+0x70/0x70
[   59.862968][ T7177]  kvm_mmu_page_fault+0x187/0x15d0
[   59.868091][ T7177]  ? find_held_lock+0x2d/0x110
[   59.872956][ T7177]  ? kvm_nx_lpage_recovery_worker+0x790/0x790
[   59.879053][ T7177]  ? rcu_read_lock_sched_held+0x9c/0xd0
[   59.884621][ T7177]  ? rcu_read_lock_any_held.part.0+0x50/0x50
[   59.890617][ T7177]  ? rcu_read_lock_sched_held+0x9c/0xd0
[   59.896179][ T7177]  ? handle_ept_violation+0x206/0x550
[   59.901556][ T7177]  ? vmx_inject_irq+0x5b0/0x5b0
[   59.906412][ T7177]  vmx_handle_exit+0x2b8/0x1700
[   59.911269][ T7177]  vcpu_enter_guest+0xfea/0x59d0
[   59.916239][ T7177]  ? kvm_vcpu_reload_apic_access_page+0x300/0x300
[   59.922657][ T7177]  ? kvm_vcpu_kick+0x162/0x2a0
[   59.927436][ T7177]  ? __apic_accept_irq+0x423/0xb80
[   59.932563][ T7177]  ? kvm_lapic_enable_pv_eoi+0x160/0x160
[   59.938208][ T7177]  ? kvm_check_async_pf_completion+0x2a4/0x400
[   59.944379][ T7177]  ? kvm_arch_vcpu_ioctl_run+0x3fb/0x16a0
[   59.950104][ T7177]  kvm_arch_vcpu_ioctl_run+0x3fb/0x16a0
[   59.955677][ T7177]  kvm_vcpu_ioctl+0x493/0xe60
[   59.961837][ T7177]  ? kvm_get_dirty_log_protect.isra.0+0x670/0x670
[   59.968248][ T7177]  ? ioctl_file_clone+0x180/0x180
[   59.973295][ T7177]  ? __fget_files+0x32f/0x500
[   59.977981][ T7177]  ? ksys_dup3+0x3c0/0x3c0
[   59.982425][ T7177]  ? __x64_sys_futex+0x376/0x4f0
[   59.987372][ T7177]  ? __x64_sys_futex+0x380/0x4f0
[   59.992340][ T7177]  ? kvm_get_dirty_log_protect.isra.0+0x670/0x670
[   59.998753][ T7177]  ksys_ioctl+0x11a/0x180
[   60.003150][ T7177]  __x64_sys_ioctl+0x6f/0xb0
[   60.007783][ T7177]  ? lockdep_hardirqs_on+0x463/0x620
[   60.013078][ T7177]  do_syscall_64+0xf6/0x7d0
[   60.017595][ T7177]  entry_SYSCALL_64_after_hwframe+0x49/0xb3
[   60.023497][ T7177] RIP: 0033:0x445b29
[   60.027414][ T7177] Code: e8 dc bd 02 00 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 cb 11 fc ff c3 66 2e 0f 1f 84 00 00 00 00
[   60.047023][ T7177] RSP: 002b:00007f8eeea56ce8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[   60.055435][ T7177] RAX: ffffffffffffffda RBX: 00000000006dbc48 RCX: 0000000000445b29
[   60.063493][ T7177] RDX: 0000000000000000 RSI: 000000000000ae80 RDI: 0000000000000005
[   60.071470][ T7177] RBP: 00000000006dbc40 R08: 0000000000000000 R09: 0000000000000000
[   60.079453][ T7177] R10: 0000000000000000 R11: 0000000000000246 R12: 00000000006dbc4c
[   60.087437][ T7177] R13: 00007ffd2ecb42ff R14: 00007f8eeea579c0 R15: 20c49ba5e353f7cf
[   60.095444][ T7177]
[   60.097770][ T7177] Allocated by task 7177:
[   60.102116][ T7177]  save_stack+0x1b/0x80
[   60.106273][ T7177]  __kasan_kmalloc.constprop.0+0xbf/0xd0
[   60.111907][ T7177]  kvmalloc_node+0x61/0xf0
[   60.116327][ T7177]  kvm_set_memslot+0x115/0x1530
[   60.121174][ T7177]  __kvm_set_memory_region+0xcf7/0x1320
[   60.126714][ T7177]  __x86_set_memory_region+0x2a3/0x5a0
[   60.132193][ T7177]  vmx_create_vcpu+0x2107/0x2b40
[   60.137123][ T7177]  kvm_arch_vcpu_create+0x6ef/0xb80
[   60.142318][ T7177]  kvm_vm_ioctl+0x15f7/0x23e0
[   60.147001][ T7177]  ksys_ioctl+0x11a/0x180
[   60.151327][ T7177]  __x64_sys_ioctl+0x6f/0xb0
[   60.155910][ T7177]  do_syscall_64+0xf6/0x7d0
[   60.160409][ T7177]  entry_SYSCALL_64_after_hwframe+0x49/0xb3
[   60.166287][ T7177]
[   60.168605][ T7177] Freed by task 0:
[   60.172308][ T7177] (stack is not available)
[   60.176713][ T7177]
[   60.179035][ T7177] The buggy address belongs to the object at ffff888095f51000
[   60.179035][ T7177]  which belongs to the cache kmalloc-2k of size 2048
[   60.193090][ T7177] The buggy address is located 1128 bytes inside of
[   60.193090][ T7177]  2048-byte region [ffff888095f51000, ffff888095f51800)
[   60.206523][ T7177] The buggy address belongs to the page:
[   60.212163][ T7177] page:ffffea000257d440 refcount:1 mapcount:0 mapping:000000000d9d3db1 index:0x0
[   60.221302][ T7177] flags: 0xfffe0000000200(slab)
[   60.226167][ T7177] raw: 00fffe0000000200 ffffea000252d688 ffffea0002550248 ffff8880aa000e00
[   60.234767][ T7177] raw: 0000000000000000 ffff888095f51000 0000000100000001 0000000000000000
[   60.243350][ T7177] page dumped because: kasan: bad access detected
[   60.249762][ T7177]
[   60.252087][ T7177] Memory state around the buggy address:
[   60.257726][ T7177]  ffff888095f51300: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   60.265785][ T7177]  ffff888095f51380: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   60.273871][ T7177] >ffff888095f51400: 00 00 00 00 00 00 00 00 00 00 00 00 00 fc fc fc
[   60.281933][ T7177]                                                           ^
[   60.289399][ T7177]  ffff888095f51480: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   60.297461][ T7177]  ffff888095f51500: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   60.305538][ T7177] ==================================================================
[   60.313598][ T7177] Disabling lock debugging due to kernel taint
[   60.321345][ T7177] Kernel panic - not syncing: panic_on_warn set ...
[   60.328048][ T7177] CPU: 1 PID: 7177 Comm: syz-executor156 Tainted: G    B             5.6.0-syzkaller #0
[   60.337758][ T7177] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   60.348513][ T7177] Call Trace:
[   60.351899][ T7177]  dump_stack+0x188/0x20d
[   60.356802][ T7177]  panic+0x2e3/0x75c
[   60.361026][ T7177]  ? add_taint.cold+0x16/0x16
[   60.366041][ T7177]  ? preempt_schedule_common+0x5e/0xc0
[   60.373237][ T7177]  ? kvm_vcpu_gfn_to_memslot+0x50e/0x540
[   60.382562][ T7177]  ? preempt_schedule_thunk+0x16/0x18
[   60.387916][ T7177]  ? trace_hardirqs_on+0x55/0x220
[   60.392921][ T7177]  ? kvm_vcpu_gfn_to_memslot+0x50e/0x540
[   60.398531][ T7177]  end_report+0x43/0x49
[   60.402665][ T7177]  __kasan_report.cold+0xd/0x4d
[   60.407495][ T7177]  ? kvm_vcpu_gfn_to_memslot+0x50e/0x540
[   60.413103][ T7177]  ? kvm_vcpu_gfn_to_memslot+0x50e/0x540
[   60.419335][ T7177]  kasan_report+0x33/0x50
[   60.423654][ T7177]  kvm_vcpu_gfn_to_memslot+0x50e/0x540
[   60.429197][ T7177]  try_async_pf+0x12b/0xac0
[   60.433677][ T7177]  ? ept_gva_to_gpa+0x1e0/0x1e0
[   60.438527][ T7177]  ? mark_held_locks+0x9f/0xe0
[   60.443268][ T7177]  ? mmu_topup_memory_caches+0x325/0x460
[   60.448887][ T7177]  direct_page_fault+0x27d/0x1d70
[   60.453892][ T7177]  ? kvm_mmu_get_page+0x1e70/0x1e70
[   60.459066][ T7177]  ? kvm_mtrr_check_gfn_range_consistency+0x254/0x2e0
[   60.465803][ T7177]  ? kvm_vcpu_mtrr_init+0x70/0x70
[   60.470822][ T7177]  kvm_mmu_page_fault+0x187/0x15d0
[   60.475922][ T7177]  ? find_held_lock+0x2d/0x110
[   60.480688][ T7177]  ? kvm_nx_lpage_recovery_worker+0x790/0x790
[   60.486796][ T7177]  ? rcu_read_lock_sched_held+0x9c/0xd0
[   60.492453][ T7177]  ? rcu_read_lock_any_held.part.0+0x50/0x50
[   60.498448][ T7177]  ? rcu_read_lock_sched_held+0x9c/0xd0
[   60.503978][ T7177]  ? handle_ept_violation+0x206/0x550
[   60.509333][ T7177]  ? vmx_inject_irq+0x5b0/0x5b0
[   60.514179][ T7177]  vmx_handle_exit+0x2b8/0x1700
[   60.519023][ T7177]  vcpu_enter_guest+0xfea/0x59d0
[   60.523943][ T7177]  ? kvm_vcpu_reload_apic_access_page+0x300/0x300
[   60.530350][ T7177]  ? kvm_vcpu_kick+0x162/0x2a0
[   60.535097][ T7177]  ? __apic_accept_irq+0x423/0xb80
[   60.540191][ T7177]  ? kvm_lapic_enable_pv_eoi+0x160/0x160
[   60.545805][ T7177]  ? kvm_check_async_pf_completion+0x2a4/0x400
[   60.551985][ T7177]  ? kvm_arch_vcpu_ioctl_run+0x3fb/0x16a0
[   60.557693][ T7177]  kvm_arch_vcpu_ioctl_run+0x3fb/0x16a0
[   60.563247][ T7177]  kvm_vcpu_ioctl+0x493/0xe60
[   60.567910][ T7177]  ? kvm_get_dirty_log_protect.isra.0+0x670/0x670
[   60.574316][ T7177]  ? ioctl_file_clone+0x180/0x180
[   60.579336][ T7177]  ? __fget_files+0x32f/0x500
[   60.584010][ T7177]  ? ksys_dup3+0x3c0/0x3c0
[   60.588412][ T7177]  ? __x64_sys_futex+0x376/0x4f0
[   60.593361][ T7177]  ? __x64_sys_futex+0x380/0x4f0
[   60.598307][ T7177]  ? kvm_get_dirty_log_protect.isra.0+0x670/0x670
[   60.604713][ T7177]  ksys_ioctl+0x11a/0x180
[   60.609031][ T7177]  __x64_sys_ioctl+0x6f/0xb0
[   60.613636][ T7177]  ? lockdep_hardirqs_on+0x463/0x620
[   60.618936][ T7177]  do_syscall_64+0xf6/0x7d0
[   60.623429][ T7177]  entry_SYSCALL_64_after_hwframe+0x49/0xb3
[   60.629316][ T7177] RIP: 0033:0x445b29
[   60.633207][ T7177] Code: e8 dc bd 02 00 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 cb 11 fc ff c3 66 2e 0f 1f 84 00 00 00 00
[   60.652792][ T7177] RSP: 002b:00007f8eeea56ce8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[   60.661181][ T7177] RAX: ffffffffffffffda RBX: 00000000006dbc48 RCX: 0000000000445b29
[   60.669148][ T7177] RDX: 0000000000000000 RSI: 000000000000ae80 RDI: 0000000000000005
[   60.677116][ T7177] RBP: 00000000006dbc40 R08: 0000000000000000 R09: 0000000000000000
[   60.685068][ T7177] R10: 0000000000000000 R11: 0000000000000246 R12: 00000000006dbc4c
[   60.693034][ T7177] R13: 00007ffd2ecb42ff R14: 00007f8eeea579c0 R15: 20c49ba5e353f7cf
[   60.702033][ T7177] Kernel Offset: disabled
[   60.706359][ T7177] Rebooting in 86400 seconds..