Debian GNU/Linux 9 syzkaller ttyS0
executing program
syzkaller login:
[   42.964434][ T6806] IPVS: ftp: loaded support on port[0] = 21
[   43.069311][ T6806] ==================================================================
[   43.077498][ T6806] BUG: KASAN: use-after-free in sock_def_write_space+0x1c4/0x350
[   43.085199][ T6806] Read of size 8 at addr ffff8880890ff080 by task syz-executor778/6806
[   43.093403][ T6806]
[   43.095722][ T6806] CPU: 1 PID: 6806 Comm: syz-executor778 Not tainted 5.8.0-rc6-syzkaller #0
[   43.104373][ T6806] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   43.114667][ T6806] Call Trace:
[   43.117943][ T6806]  dump_stack+0x1f0/0x31e
[   43.122262][ T6806]  print_address_description+0x66/0x5a0
[   43.127805][ T6806]  ? printk+0x62/0x83
[   43.131860][ T6806]  ? vprintk_emit+0x339/0x3c0
[   43.136773][ T6806]  kasan_report+0x132/0x1d0
[   43.141252][ T6806]  ? sock_def_write_space+0x1c4/0x350
[   43.146608][ T6806]  ? lock_is_held_type+0x87/0xe0
[   43.151518][ T6806]  ? lock_is_held_type+0x87/0xe0
[   43.156437][ T6806]  sock_def_write_space+0x1c4/0x350
[   43.161627][ T6806]  sock_wfree+0x11f/0x200
[   43.166020][ T6806]  skb_release_head_state+0xfb/0x210
[   43.172418][ T6806]  __kfree_skb+0x22/0x1c0
[   43.176727][ T6806]  skb_queue_purge+0x131/0x1c0
[   43.181477][ T6806]  ? qrtr_tun_open+0x180/0x180
[   43.186260][ T6806]  qrtr_tun_release+0x43/0x50
[   43.190916][ T6806]  __fput+0x2f0/0x750
[   43.194892][ T6806]  task_work_run+0x137/0x1c0
[   43.199461][ T6806]  __prepare_exit_to_usermode+0x14c/0x1e0
[   43.205184][ T6806]  ? entry_SYSCALL_64_after_hwframe+0x44/0xa9
[   43.211228][ T6806]  do_syscall_64+0x7f/0xe0
[   43.215633][ T6806]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[   43.221510][ T6806] RIP: 0033:0x4057b1
[   43.225383][ T6806] Code: Bad RIP value.
[   43.229423][ T6806] RSP: 002b:00007fff9ea78020 EFLAGS: 00000293 ORIG_RAX: 0000000000000003
[   43.237808][ T6806] RAX: 0000000000000000 RBX: 0000000000000007 RCX: 00000000004057b1
[   43.245755][ T6806] RDX: 0000000000000000 RSI: 0000000000000080 RDI: 0000000000000006
[   43.253702][ T6806] RBP: 00007fff9ea78040 R08: 0000000120080522 R09: 0000000120080522
[   43.261669][ T6806] R10: 00007fff9ea78040 R11: 0000000000000293 R12: 0000000000000006
[   43.269620][ T6806] R13: 00000000006dbc4c R14: 000000000000002d R15: 0000000000000064
[   43.277661][ T6806]
[   43.279968][ T6806] Allocated by task 6827:
[   43.284456][ T6806]  __kasan_kmalloc+0x103/0x140
[   43.289193][ T6806]  kmem_cache_alloc+0x1f5/0x2d0
[   43.294025][ T6806]  sock_alloc_inode+0x17/0xc0
[   43.298673][ T6806]  new_inode_pseudo+0x64/0x240
[   43.303518][ T6806]  __sock_create+0x12b/0x8c0
[   43.308091][ T6806]  __sys_socket+0xde/0x2d0
[   43.312489][ T6806]  __x64_sys_socket+0x76/0x80
[   43.317176][ T6806]  do_syscall_64+0x73/0xe0
[   43.322008][ T6806]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[   43.327866][ T6806]
[   43.330179][ T6806] Freed by task 0:
[   43.333902][ T6806]  __kasan_slab_free+0x114/0x170
[   43.339171][ T6806]  kmem_cache_free+0x7e/0xf0
[   43.343742][ T6806]  rcu_core+0x816/0x1120
[   43.347953][ T6806]  __do_softirq+0x268/0x80c
[   43.352424][ T6806]
[   43.354812][ T6806] The buggy address belongs to the object at ffff8880890ff000
[   43.354812][ T6806]  which belongs to the cache sock_inode_cache of size 1216
[   43.369472][ T6806] The buggy address is located 128 bytes inside of
[   43.369472][ T6806]  1216-byte region [ffff8880890ff000, ffff8880890ff4c0)
[   43.382833][ T6806] The buggy address belongs to the page:
[   43.388454][ T6806] page:ffffea0002243fc0 refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff8880890ffffd
[   43.398881][ T6806] flags: 0xfffe0000000200(slab)
[   43.403728][ T6806] raw: 00fffe0000000200 ffffea0002244ec8 ffffea0002243ec8 ffff8880a9bcf8c0
[   43.412289][ T6806] raw: ffff8880890ffffd ffff8880890ff000 0000000100000002 0000000000000000
[   43.420843][ T6806] page dumped because: kasan: bad access detected
[   43.427223][ T6806]
[   43.429527][ T6806] Memory state around the buggy address:
[   43.435129][ T6806]  ffff8880890fef80: 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc fc
[   43.443165][ T6806]  ffff8880890ff000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   43.451199][ T6806] >ffff8880890ff080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   43.459232][ T6806]                    ^
[   43.463271][ T6806]  ffff8880890ff100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   43.471304][ T6806]  ffff8880890ff180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   43.479334][ T6806] ==================================================================
[   43.487374][ T6806] Disabling lock debugging due to kernel taint
[   43.493665][ T6806] Kernel panic - not syncing: panic_on_warn set ...
[   43.500254][ T6806] CPU: 1 PID: 6806 Comm: syz-executor778 Tainted: G    B             5.8.0-rc6-syzkaller #0
[   43.510312][ T6806] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   43.520351][ T6806] Call Trace:
[   43.523614][ T6806]  dump_stack+0x1f0/0x31e
[   43.527913][ T6806]  panic+0x264/0x7a0
[   43.531795][ T6806]  ? trace_hardirqs_on+0x30/0x80
[   43.536718][ T6806]  kasan_report+0x1c9/0x1d0
[   43.541201][ T6806]  ? sock_def_write_space+0x1c4/0x350
[   43.546551][ T6806]  ? lock_is_held_type+0x87/0xe0
[   43.551456][ T6806]  ? lock_is_held_type+0x87/0xe0
[   43.556449][ T6806]  sock_def_write_space+0x1c4/0x350
[   43.561617][ T6806]  sock_wfree+0x11f/0x200
[   43.566449][ T6806]  skb_release_head_state+0xfb/0x210
[   43.571719][ T6806]  __kfree_skb+0x22/0x1c0
[   43.576019][ T6806]  skb_queue_purge+0x131/0x1c0
[   43.580756][ T6806]  ? qrtr_tun_open+0x180/0x180
[   43.585487][ T6806]  qrtr_tun_release+0x43/0x50
[   43.590140][ T6806]  __fput+0x2f0/0x750
[   43.594095][ T6806]  task_work_run+0x137/0x1c0
[   43.598659][ T6806]  __prepare_exit_to_usermode+0x14c/0x1e0
[   43.604346][ T6806]  ? entry_SYSCALL_64_after_hwframe+0x44/0xa9
[   43.610385][ T6806]  do_syscall_64+0x7f/0xe0
[   43.614774][ T6806]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[   43.620641][ T6806] RIP: 0033:0x4057b1
[   43.624500][ T6806] Code: Bad RIP value.
[   43.628537][ T6806] RSP: 002b:00007fff9ea78020 EFLAGS: 00000293 ORIG_RAX: 0000000000000003
[   43.636933][ T6806] RAX: 0000000000000000 RBX: 0000000000000007 RCX: 00000000004057b1
[   43.644873][ T6806] RDX: 0000000000000000 RSI: 0000000000000080 RDI: 0000000000000006
[   43.652823][ T6806] RBP: 00007fff9ea78040 R08: 0000000120080522 R09: 0000000120080522
[   43.660771][ T6806] R10: 00007fff9ea78040 R11: 0000000000000293 R12: 0000000000000006
[   43.668722][ T6806] R13: 00000000006dbc4c R14: 000000000000002d R15: 0000000000000064
[   43.677691][ T6806] Kernel Offset: disabled
[   43.682967][ T6806] Rebooting in 86400 seconds..