[ OK ] Reached target Graphical Interface.
Starting Update UTMP about System Runlevel Changes...
[ OK ] Started Update UTMP about System Runlevel Changes.
Starting Load/Save RF Kill Switch Status...
[ OK ] Started Load/Save RF Kill Switch Status.

Debian GNU/Linux 9 syzkaller ttyS0

Warning: Permanently added '10.128.10.61' (ECDSA) to the list of known hosts.
executing program
syzkaller login: [ 58.992364][ T7040] ==================================================================
[ 59.000751][ T7040] BUG: KASAN: use-after-free in inet_diag_bc_sk+0xb64/0xc70
[ 59.008183][ T7040] Read of size 8 at addr ffff8880995d9260 by task syz-executor478/7040
[ 59.016552][ T7040]
[ 59.018874][ T7040] CPU: 1 PID: 7040 Comm: syz-executor478 Not tainted 5.7.0-rc2-syzkaller #0
[ 59.027528][ T7040] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 59.037569][ T7040] Call Trace:
[ 59.040848][ T7040] dump_stack+0x188/0x20d
[ 59.045169][ T7040] print_address_description.constprop.0.cold+0xd3/0x315
[ 59.052223][ T7040] ? inet_diag_bc_sk+0xb64/0xc70
[ 59.057509][ T7040] __kasan_report.cold+0x35/0x4d
[ 59.062443][ T7040] ? inet_diag_bc_sk+0xb64/0xc70
[ 59.067366][ T7040] ? inet_diag_bc_sk+0xb64/0xc70
[ 59.072915][ T7040] kasan_report+0x33/0x50
[ 59.077467][ T7040] inet_diag_bc_sk+0xb64/0xc70
[ 59.082224][ T7040] inet_diag_dump_icsk+0xbe4/0x1306
[ 59.087425][ T7040] ? inet_diag_dump_one_icsk+0x340/0x340
[ 59.093149][ T7040] ? __kasan_kmalloc.constprop.0+0xbf/0xd0
[ 59.098966][ T7040] ? mutex_trylock+0x2c0/0x2c0
[ 59.103862][ T7040] ? kmem_cache_alloc_node_trace+0x3a2/0x790
[ 59.109832][ T7040] ? rcu_read_lock_any_held.part.0+0x50/0x50
[ 59.115805][ T7040] ? kasan_unpoison_shadow+0x30/0x40
[ 59.121076][ T7040] ? __kasan_kmalloc.constprop.0+0xbf/0xd0
[ 59.126997][ T7040] ? __phys_addr+0x9a/0x110
[ 59.131674][ T7040] __inet_diag_dump+0x8d/0x240
[ 59.136436][ T7040] netlink_dump+0x50b/0xf50
[ 59.140923][ T7040] ? __netlink_sendskb+0xb0/0xb0
[ 59.145884][ T7040] ? __mutex_unlock_slowpath+0xe2/0x660
[ 59.151687][ T7040] __netlink_dump_start+0x63f/0x910
[ 59.157023][ T7040] ? inet_diag_dump_start_compat+0x20/0x20
[ 59.162813][ T7040] ? lock_release+0x800/0x800
[ 59.167480][ T7040] inet_diag_handler_cmd+0x263/0x2c0
[ 59.172751][ T7040] ? inet_diag_rcv_msg_compat+0x2c0/0x2c0
[ 59.178540][ T7040] ? inet_diag_dump_start_compat+0x20/0x20
[ 59.184334][ T7040] ? inet_diag_dump_compat+0x290/0x290
[ 59.189780][ T7040] ? inet_diag_unregister+0xb0/0xb0
[ 59.195263][ T7040] sock_diag_rcv_msg+0x2fe/0x3e0
[ 59.200189][ T7040] netlink_rcv_skb+0x15a/0x410
[ 59.204940][ T7040] ? sock_diag_bind+0x80/0x80
[ 59.209634][ T7040] ? netlink_ack+0xa10/0xa10
[ 59.214221][ T7040] sock_diag_rcv+0x26/0x40
[ 59.218620][ T7040] netlink_unicast+0x537/0x740
[ 59.223374][ T7040] ? netlink_attachskb+0x810/0x810
[ 59.228470][ T7040] ? _copy_from_iter_full+0x25c/0x870
[ 59.233828][ T7040] ? __phys_addr_symbol+0x2c/0x70
[ 59.238838][ T7040] ? __check_object_size+0x171/0x437
[ 59.244163][ T7040] netlink_sendmsg+0x882/0xe10
[ 59.248915][ T7040] ? aa_af_perm+0x260/0x260
[ 59.253404][ T7040] ? netlink_unicast+0x740/0x740
[ 59.258362][ T7040] ? netlink_unicast+0x740/0x740
[ 59.263286][ T7040] sock_sendmsg+0xcf/0x120
[ 59.267686][ T7040] sock_write_iter+0x289/0x3c0
[ 59.272438][ T7040] ? sock_sendmsg+0x120/0x120
[ 59.277107][ T7040] ? common_file_perm+0x2c6/0x910
[ 59.282121][ T7040] do_iter_readv_writev+0x5a8/0x850
[ 59.287308][ T7040] ? no_seek_end_llseek_size+0x60/0x60
[ 59.292764][ T7040] do_iter_write+0x18b/0x600
[ 59.297340][ T7040] ? lockdep_init_map_waits+0x26a/0x890
[ 59.302907][ T7040] vfs_writev+0x1b3/0x2f0
[ 59.307220][ T7040] ? vfs_iter_write+0xa0/0xa0
[ 59.311887][ T7040] ? lock_downgrade+0x840/0x840
[ 59.316724][ T7040] ? rcu_read_lock_any_held.part.0+0x50/0x50
[ 59.322685][ T7040] ? _raw_spin_unlock+0x24/0x40
[ 59.327522][ T7040] ? __fget_light+0x1ab/0x270
[ 59.332183][ T7040] do_writev+0x27f/0x300
[ 59.336411][ T7040] ? vfs_writev+0x2f0/0x2f0
[ 59.340900][ T7040] ? trace_hardirqs_off_caller+0x55/0x230
[ 59.346606][ T7040] do_syscall_64+0xf6/0x7d0
[ 59.351094][ T7040] entry_SYSCALL_64_after_hwframe+0x49/0xb3
[ 59.356967][ T7040] RIP: 0033:0x4403e9
[ 59.360844][ T7040] Code: 18 89 d0 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 fb 13 fc ff c3 66 2e 0f 1f 84 00 00 00 00
[ 59.380433][ T7040] RSP: 002b:00007ffcdd5db058 EFLAGS: 00000246 ORIG_RAX: 0000000000000014
[ 59.388829][ T7040] RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 00000000004403e9
[ 59.396784][ T7040] RDX: 0000000000000001 RSI: 0000000020000140 RDI: 0000000000000005
[ 59.404740][ T7040] RBP: 00000000006ca018 R08: 000000000000001c R09: 00000000004002c8
[ 59.412708][ T7040] R10: 000000000000001c R11: 0000000000000246 R12: 0000000000401c70
[ 59.420663][ T7040] R13: 0000000000401d00 R14: 0000000000000000 R15: 0000000000000000
[ 59.428631][ T7040]
[ 59.430944][ T7040] Allocated by task 5017:
[ 59.435256][ T7040] save_stack+0x1b/0x40
[ 59.439391][ T7040] __kasan_kmalloc.constprop.0+0xbf/0xd0
[ 59.445002][ T7040] kmem_cache_alloc+0x11b/0x740
[ 59.449831][ T7040] prepare_creds+0x39/0x6b0
[ 59.454314][ T7040] do_faccessat+0x94/0x7a0
[ 59.458756][ T7040] do_syscall_64+0xf6/0x7d0
[ 59.463276][ T7040] entry_SYSCALL_64_after_hwframe+0x49/0xb3
[ 59.469143][ T7040]
[ 59.471456][ T7040] Freed by task 5017:
[ 59.475421][ T7040] save_stack+0x1b/0x40
[ 59.479555][ T7040] __kasan_slab_free+0xf7/0x140
[ 59.484387][ T7040] kmem_cache_free+0x7f/0x320
[ 59.489043][ T7040] __put_cred+0x1de/0x250
[ 59.493352][ T7040] do_faccessat+0x64d/0x7a0
[ 59.497868][ T7040] do_syscall_64+0xf6/0x7d0
[ 59.502355][ T7040] entry_SYSCALL_64_after_hwframe+0x49/0xb3
[ 59.508222][ T7040]
[ 59.510535][ T7040] The buggy address belongs to the object at ffff8880995d9200
[ 59.510535][ T7040]  which belongs to the cache cred_jar of size 184
[ 59.524307][ T7040] The buggy address is located 96 bytes inside of
[ 59.524307][ T7040]  184-byte region [ffff8880995d9200, ffff8880995d92b8)
[ 59.537945][ T7040] The buggy address belongs to the page:
[ 59.543565][ T7040] page:ffffea0002657640 refcount:1 mapcount:0 mapping:00000000b1d6d84a index:0xffff8880995d9e00
[ 59.554068][ T7040] flags: 0xfffe0000000200(slab)
[ 59.558923][ T7040] raw: 00fffe0000000200 ffffea00029cd2c8 ffffea00026c94c8 ffff8880aa1eba80
[ 59.567523][ T7040] raw: ffff8880995d9e00 ffff8880995d9000 0000000100000005 0000000000000000
[ 59.576897][ T7040] page dumped because: kasan: bad access detected
[ 59.583325][ T7040]
[ 59.585635][ T7040] Memory state around the buggy address:
[ 59.591253][ T7040]  ffff8880995d9100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 59.599309][ T7040]  ffff8880995d9180: fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc fc
[ 59.607648][ T7040] >ffff8880995d9200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 59.615692][ T7040]                                                        ^
[ 59.622879][ T7040]  ffff8880995d9280: fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc fc
[ 59.630925][ T7040]  ffff8880995d9300: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 59.638967][ T7040] ==================================================================
[ 59.647171][ T7040] Disabling lock debugging due to kernel taint
[ 59.653360][ T7040] Kernel panic - not syncing: panic_on_warn set ...
[ 59.659952][ T7040] CPU: 1 PID: 7040 Comm: syz-executor478 Tainted: G B 5.7.0-rc2-syzkaller #0
[ 59.670005][ T7040] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 59.680137][ T7040] Call Trace:
[ 59.683454][ T7040] dump_stack+0x188/0x20d
[ 59.687784][ T7040] panic+0x2e3/0x75c
[ 59.691665][ T7040] ? add_taint.cold+0x16/0x16
[ 59.696323][ T7040] ? retint_kernel+0x2b/0x2b
[ 59.700931][ T7040] ? inet_diag_bc_sk+0xb64/0xc70
[ 59.705858][ T7040] ? trace_hardirqs_on+0x55/0x220
[ 59.710990][ T7040] ? inet_diag_bc_sk+0xb64/0xc70
[ 59.715933][ T7040] end_report+0x4d/0x53
[ 59.720081][ T7040] __kasan_report.cold+0xd/0x4d
[ 59.724915][ T7040] ? inet_diag_bc_sk+0xb64/0xc70
[ 59.729830][ T7040] ? inet_diag_bc_sk+0xb64/0xc70
[ 59.734748][ T7040] kasan_report+0x33/0x50
[ 59.739059][ T7040] inet_diag_bc_sk+0xb64/0xc70
[ 59.743870][ T7040] inet_diag_dump_icsk+0xbe4/0x1306
[ 59.749056][ T7040] ? inet_diag_dump_one_icsk+0x340/0x340
[ 59.754668][ T7040] ? __kasan_kmalloc.constprop.0+0xbf/0xd0
[ 59.760575][ T7040] ? mutex_trylock+0x2c0/0x2c0
[ 59.765318][ T7040] ? kmem_cache_alloc_node_trace+0x3a2/0x790
[ 59.771280][ T7040] ? rcu_read_lock_any_held.part.0+0x50/0x50
[ 59.777257][ T7040] ? kasan_unpoison_shadow+0x30/0x40
[ 59.782576][ T7040] ? __kasan_kmalloc.constprop.0+0xbf/0xd0
[ 59.788403][ T7040] ? __phys_addr+0x9a/0x110
[ 59.792893][ T7040] __inet_diag_dump+0x8d/0x240
[ 59.797727][ T7040] netlink_dump+0x50b/0xf50
[ 59.802210][ T7040] ? __netlink_sendskb+0xb0/0xb0
[ 59.807128][ T7040] ? __mutex_unlock_slowpath+0xe2/0x660
[ 59.812659][ T7040] __netlink_dump_start+0x63f/0x910
[ 59.817840][ T7040] ? inet_diag_dump_start_compat+0x20/0x20
[ 59.823624][ T7040] ? lock_release+0x800/0x800
[ 59.828328][ T7040] inet_diag_handler_cmd+0x263/0x2c0
[ 59.833645][ T7040] ? inet_diag_rcv_msg_compat+0x2c0/0x2c0
[ 59.839693][ T7040] ? inet_diag_dump_start_compat+0x20/0x20
[ 59.845526][ T7040] ? inet_diag_dump_compat+0x290/0x290
[ 59.850999][ T7040] ? inet_diag_unregister+0xb0/0xb0
[ 59.856184][ T7040] sock_diag_rcv_msg+0x2fe/0x3e0
[ 59.861108][ T7040] netlink_rcv_skb+0x15a/0x410
[ 59.865860][ T7040] ? sock_diag_bind+0x80/0x80
[ 59.870552][ T7040] ? netlink_ack+0xa10/0xa10
[ 59.875214][ T7040] sock_diag_rcv+0x26/0x40
[ 59.879731][ T7040] netlink_unicast+0x537/0x740
[ 59.884480][ T7040] ? netlink_attachskb+0x810/0x810
[ 59.889573][ T7040] ? _copy_from_iter_full+0x25c/0x870
[ 59.894926][ T7040] ? __phys_addr_symbol+0x2c/0x70
[ 59.899933][ T7040] ? __check_object_size+0x171/0x437
[ 59.905195][ T7040] netlink_sendmsg+0x882/0xe10
[ 59.909942][ T7040] ? aa_af_perm+0x260/0x260
[ 59.914430][ T7040] ? netlink_unicast+0x740/0x740
[ 59.919392][ T7040] ? netlink_unicast+0x740/0x740
[ 59.924311][ T7040] sock_sendmsg+0xcf/0x120
[ 59.928709][ T7040] sock_write_iter+0x289/0x3c0
[ 59.933457][ T7040] ? sock_sendmsg+0x120/0x120
[ 59.938118][ T7040] ? common_file_perm+0x2c6/0x910
[ 59.943265][ T7040] do_iter_readv_writev+0x5a8/0x850
[ 59.948480][ T7040] ? no_seek_end_llseek_size+0x60/0x60
[ 59.954013][ T7040] do_iter_write+0x18b/0x600
[ 59.958589][ T7040] ? lockdep_init_map_waits+0x26a/0x890
[ 59.964179][ T7040] vfs_writev+0x1b3/0x2f0
[ 59.968491][ T7040] ? vfs_iter_write+0xa0/0xa0
[ 59.973154][ T7040] ? lock_downgrade+0x840/0x840
[ 59.977987][ T7040] ? rcu_read_lock_any_held.part.0+0x50/0x50
[ 59.983947][ T7040] ? _raw_spin_unlock+0x24/0x40
[ 59.988778][ T7040] ? __fget_light+0x1ab/0x270
[ 59.993481][ T7040] do_writev+0x27f/0x300
[ 59.997704][ T7040] ? vfs_writev+0x2f0/0x2f0
[ 60.002227][ T7040] ? trace_hardirqs_off_caller+0x55/0x230
[ 60.007928][ T7040] do_syscall_64+0xf6/0x7d0
[ 60.012451][ T7040] entry_SYSCALL_64_after_hwframe+0x49/0xb3
[ 60.018324][ T7040] RIP: 0033:0x4403e9
[ 60.022202][ T7040] Code: 18 89 d0 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 fb 13 fc ff c3 66 2e 0f 1f 84 00 00 00 00
[ 60.041785][ T7040] RSP: 002b:00007ffcdd5db058 EFLAGS: 00000246 ORIG_RAX: 0000000000000014
[ 60.050208][ T7040] RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 00000000004403e9
[ 60.058161][ T7040] RDX: 0000000000000001 RSI: 0000000020000140 RDI: 0000000000000005
[ 60.066146][ T7040] RBP: 00000000006ca018 R08: 000000000000001c R09: 00000000004002c8
[ 60.074097][ T7040] R10: 000000000000001c R11: 0000000000000246 R12: 0000000000401c70
[ 60.082049][ T7040] R13: 0000000000401d00 R14: 0000000000000000 R15: 0000000000000000
[ 60.091520][ T7040] Kernel Offset: disabled
[ 60.095841][ T7040] Rebooting in 86400 seconds..