[ OK ] Reached target Graphical Interface.
Starting Update UTMP about System Runlevel Changes...
[ OK ] Started Update UTMP about System Runlevel Changes.
Starting Load/Save RF Kill Switch Status...
[ OK ] Started Load/Save RF Kill Switch Status.
Debian GNU/Linux 9 syzkaller ttyS0
Warning: Permanently added '10.128.1.44' (ECDSA) to the list of known hosts.
executing program
syzkaller login: [ 29.003194] audit: type=1804 audit(1655973612.414:2): pid=7973 uid=0 auid=4294967295 ses=4294967295 op="invalid_pcr" cause="open_writers" comm="syz-executor323" name="/root/bus" dev="sda1" ino=13860 res=1
[ 29.022017] TCP: request_sock_TCPv6: Possible SYN flooding on port 20002. Sending cookies. Check SNMP counters.
[ 29.098005] FAULT_INJECTION: forcing a failure.
[ 29.098005] name failslab, interval 1, probability 0, space 0, times 1
[ 29.109479] CPU: 1 PID: 7975 Comm: syz-executor323 Not tainted 4.14.284-syzkaller #0
[ 29.117351] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 29.126691] Call Trace:
[ 29.129268] dump_stack+0x1b2/0x281
[ 29.132894] should_fail.cold+0x10a/0x149
[ 29.137023] should_failslab+0xd6/0x130
[ 29.140982] kmem_cache_alloc_node_trace+0x25a/0x400
[ 29.146066] __kmalloc_node_track_caller+0x38/0x70
[ 29.150976] __alloc_skb+0x96/0x510
[ 29.154582] sk_stream_alloc_skb+0xb1/0x760
[ 29.158879] ? tcp_send_mss+0x9f/0x2e0
[ 29.162742] ? ipv6_frag_exit+0x40/0x40
[ 29.166707] do_tcp_sendpages+0x835/0x1750
[ 29.170924] ? lock_sock_nested+0x98/0x100
[ 29.175152] ? sk_stream_alloc_skb+0x760/0x760
[ 29.179715] tcp_sendpage_locked+0x81/0x130
[ 29.184014] tcp_sendpage+0x3a/0x60
[ 29.187618] inet_sendpage+0x155/0x590
[ 29.191501] ? tcp_sendpage_locked+0x130/0x130
[ 29.196062] ? current_kernel_time64+0x154/0x230
[ 29.200823] ? inet_getname+0x3a0/0x3a0
[ 29.204775] sock_sendpage+0xdf/0x140
[ 29.208556] pipe_to_sendpage+0x226/0x2d0
[ 29.212681] ? sockfs_setattr+0x140/0x140
[ 29.216807] ? direct_splice_actor+0x160/0x160
[ 29.221368] __splice_from_pipe+0x326/0x7a0
[ 29.225676] ? direct_splice_actor+0x160/0x160
[ 29.230236] generic_splice_sendpage+0xc1/0x110
[ 29.234912] ? vmsplice_to_user+0x1b0/0x1b0
[ 29.239214] ? rw_verify_area+0xe1/0x2a0
[ 29.243249] ? vmsplice_to_user+0x1b0/0x1b0
[ 29.247566] direct_splice_actor+0x115/0x160
[ 29.251955] splice_direct_to_actor+0x27c/0x730
[ 29.256602] ? generic_pipe_buf_nosteal+0x10/0x10
[ 29.261421] ? do_splice_to+0x140/0x140
[ 29.265371] ? rw_verify_area+0xe1/0x2a0
[ 29.269428] do_splice_direct+0x164/0x210
[ 29.273570] ? splice_direct_to_actor+0x730/0x730
[ 29.278481] ? rw_verify_area+0xe1/0x2a0
[ 29.282540] do_sendfile+0x47f/0xb30
[ 29.286236] ? do_compat_writev+0x180/0x180
[ 29.290537] SyS_sendfile64+0xff/0x110
[ 29.294402] ? SyS_sendfile+0x130/0x130
[ 29.298469] ? do_syscall_64+0x4c/0x640
[ 29.302441] ? SyS_sendfile+0x130/0x130
[ 29.306400] do_syscall_64+0x1d5/0x640
[ 29.310270] entry_SYSCALL_64_after_hwframe+0x46/0xbb
[ 29.315434] RIP: 0033:0x7fbe380f6e99
[ 29.319137] RSP: 002b:00007fbe380662e8 EFLAGS: 00000246 ORIG_RAX: 0000000000000028
[ 29.326821] RAX: ffffffffffffffda RBX: 00007fbe38180500 RCX: 00007fbe380f6e99
[ 29.334068] RDX: 0000000000000000 RSI: 0000000000000005 RDI: 0000000000000007
[ 29.341316] RBP: 00007fbe3814d194 R08: 0000000000000001 R09: 0000000000000034
[ 29.348578] R10: 0000800100022007 R11: 0000000000000246 R12: 00007fbe3818050c
[ 29.355911] R13: 00007fbe380662f0 R14: 00007fbe38180508 R15: 0000000000000001
[ 29.478432] ==================================================================
[ 29.485871] BUG: KASAN: use-after-free in tls_write_space+0x238/0x2d0
[ 29.492440] Read of size 1 at addr ffff8880a1c6dd70 by task syz-executor323/7972
[ 29.499962]
[ 29.501573] CPU: 1 PID: 7972 Comm: syz-executor323 Not tainted 4.14.284-syzkaller #0
[ 29.509429] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 29.518760] Call Trace:
[ 29.521329] dump_stack+0x1b2/0x281
[ 29.524935] print_address_description.cold+0x54/0x1d3
[ 29.530201] kasan_report_error.cold+0x8a/0x191
[ 29.534853] ? tls_write_space+0x238/0x2d0
[ 29.539069] __asan_report_load1_noabort+0x68/0x70
[ 29.543986] ? assoc_array_gc+0x10e0/0x1160
[ 29.548302] ? tls_write_space+0x238/0x2d0
[ 29.552519] tls_write_space+0x238/0x2d0
[ 29.556667] tcp_check_space.part.0+0x2ef/0x590
[ 29.561329] tcp_check_space+0xa6/0xd0
[ 29.565193] tcp_write_xmit+0x661/0x53c0
[ 29.569233] ? tcp_trim_head+0x460/0x460
[ 29.573297] ? memset+0x20/0x40
[ 29.576559] __tcp_push_pending_frames+0xa0/0x2d0
[ 29.581376] tcp_send_fin+0x16d/0xc00
[ 29.585211] tcp_close+0x979/0xed0
[ 29.588740] tls_sk_proto_close+0x584/0x8b0
[ 29.593043] ? tcp_check_oom+0x440/0x440
[ 29.597083] ? tls_write_space+0x2d0/0x2d0
[ 29.601298] ? ip_mc_drop_socket+0x16/0x220
[ 29.605700] inet_release+0xdf/0x1b0
[ 29.609392] inet6_release+0x4c/0x70
[ 29.613085] __sock_release+0xcd/0x2b0
[ 29.616955] ? __sock_release+0x2b0/0x2b0
[ 29.621079] sock_close+0x15/0x20
[ 29.624512] __fput+0x25f/0x7a0
[ 29.627780] task_work_run+0x11f/0x190
[ 29.631656] do_exit+0xa44/0x2850
[ 29.635088] ? mm_update_next_owner+0x5b0/0x5b0
[ 29.639733] ? get_signal+0x323/0x1ca0
[ 29.643752] ? lock_acquire+0x170/0x3f0
[ 29.647707] ? lock_downgrade+0x740/0x740
[ 29.651834] do_group_exit+0x100/0x2e0
[ 29.655706] get_signal+0x38d/0x1ca0
[ 29.659410] do_signal+0x7c/0x1550
[ 29.662929] ? lock_downgrade+0x740/0x740
[ 29.667060] ? setup_sigcontext+0x820/0x820
[ 29.671363] ? fput_many+0xe/0x140
[ 29.674879] ? do_sendfile+0x1c6/0xb30
[ 29.678744] ? do_compat_writev+0x180/0x180
[ 29.683041] ? SyS_futex+0x1da/0x290
[ 29.686739] ? exit_to_usermode_loop+0x41/0x200
[ 29.691392] exit_to_usermode_loop+0x160/0x200
[ 29.695952] do_syscall_64+0x4a3/0x640
[ 29.699823] entry_SYSCALL_64_after_hwframe+0x46/0xbb
[ 29.704988] RIP: 0033:0x7fbe380f6e99
[ 29.708675] RSP: 002b:00007fbe380a82e8 EFLAGS: 00000246 ORIG_RAX: 0000000000000028
[ 29.716363] RAX: 00000000006d0000 RBX: 00007fbe381804e0 RCX: 00007fbe380f6e99
[ 29.723612] RDX: 0000000000000000 RSI: 0000000000000003 RDI: 0000000000000003
[ 29.730943] RBP: 00007fbe3814d194 R08: 0000000000000000 R09: 0000000000000000
[ 29.738194] R10: 00008080fffffffe R11: 0000000000000246 R12: 00007fbe381804ec
[ 29.745440] R13: 00007fbe380a82f0 R14: 00007fbe381804e8 R15: 0000000000022000
[ 29.752695]
[ 29.754302] Allocated by task 7973:
[ 29.757941] kasan_kmalloc+0xeb/0x160
[ 29.761719] kmem_cache_alloc_trace+0x131/0x3d0
[ 29.766364] tls_init+0xb1/0x4e0
[ 29.769708] tcp_set_ulp+0x18f/0x4c0
[ 29.773411] do_tcp_setsockopt.constprop.0+0x1f6/0x1c10
[ 29.778748] tcp_setsockopt+0xa7/0xc0
[ 29.782528] SyS_setsockopt+0x110/0x1e0
[ 29.786481] do_syscall_64+0x1d5/0x640
[ 29.790351] entry_SYSCALL_64_after_hwframe+0x46/0xbb
[ 29.795517]
[ 29.797117] Freed by task 7972:
[ 29.800371] kasan_slab_free+0xc3/0x1a0
[ 29.804334] kfree+0xc9/0x250
[ 29.807422] tls_sk_proto_close+0x568/0x8b0
[ 29.811720] inet_release+0xdf/0x1b0
[ 29.815410] inet6_release+0x4c/0x70
[ 29.819097] __sock_release+0xcd/0x2b0
[ 29.822955] sock_close+0x15/0x20
[ 29.826385] __fput+0x25f/0x7a0
[ 29.829653] task_work_run+0x11f/0x190
[ 29.833537] do_exit+0xa44/0x2850
[ 29.836973] do_group_exit+0x100/0x2e0
[ 29.840841] get_signal+0x38d/0x1ca0
[ 29.844531] do_signal+0x7c/0x1550
[ 29.848048] exit_to_usermode_loop+0x160/0x200
[ 29.852608] do_syscall_64+0x4a3/0x640
[ 29.856472] entry_SYSCALL_64_after_hwframe+0x46/0xbb
[ 29.861632]
[ 29.863238] The buggy address belongs to the object at ffff8880a1c6dd00
[ 29.863238] which belongs to the cache kmalloc-192 of size 192
[ 29.875868] The buggy address is located 112 bytes inside of
[ 29.875868] 192-byte region [ffff8880a1c6dd00, ffff8880a1c6ddc0)
[ 29.887807] The buggy address belongs to the page:
[ 29.892713] page:ffffea0002871b40 count:1 mapcount:0 mapping:ffff8880a1c6d000 index:0xffff8880a1c6d500
[ 29.902133] flags: 0xfff00000000100(slab)
[ 29.906257] raw: 00fff00000000100 ffff8880a1c6d000 ffff8880a1c6d500 000000010000000a
[ 29.914113] raw: ffffea0002861520 ffffea0002912de0 ffff88813fe74040 0000000000000000
[ 29.921964] page dumped because: kasan: bad access detected
[ 29.927649]
[ 29.929253] Memory state around the buggy address:
[ 29.934156] ffff8880a1c6dc00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 29.941527] ffff8880a1c6dc80: 00 00 fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 29.948860] >ffff8880a1c6dd00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 29.956194] ^
[ 29.963184] ffff8880a1c6dd80: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 29.970604] ffff8880a1c6de00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 29.977934] ==================================================================
[ 29.985265] Disabling lock debugging due to kernel taint
[ 29.993767] Kernel panic - not syncing: panic_on_warn set ...
[ 29.993767]
[ 30.001146] CPU: 0 PID: 7972 Comm: syz-executor323 Tainted: G B 4.14.284-syzkaller #0
[ 30.010226] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 30.019572] Call Trace:
[ 30.022162] dump_stack+0x1b2/0x281
[ 30.025767] panic+0x1f9/0x42d
[ 30.028946] ? add_taint.cold+0x16/0x16
[ 30.033033] ? ___preempt_schedule+0x16/0x18
[ 30.037431] kasan_end_report+0x43/0x49
[ 30.041399] kasan_report_error.cold+0xa7/0x191
[ 30.046044] ? tls_write_space+0x238/0x2d0
[ 30.050271] __asan_report_load1_noabort+0x68/0x70
[ 30.055175] ? assoc_array_gc+0x10e0/0x1160
[ 30.059468] ? tls_write_space+0x238/0x2d0
[ 30.063677] tls_write_space+0x238/0x2d0
[ 30.067721] tcp_check_space.part.0+0x2ef/0x590
[ 30.072362] tcp_check_space+0xa6/0xd0
[ 30.076231] tcp_write_xmit+0x661/0x53c0
[ 30.080354] ? tcp_trim_head+0x460/0x460
[ 30.084389] ? memset+0x20/0x40
[ 30.087642] __tcp_push_pending_frames+0xa0/0x2d0
[ 30.092457] tcp_send_fin+0x16d/0xc00
[ 30.096237] tcp_close+0x979/0xed0
[ 30.099753] tls_sk_proto_close+0x584/0x8b0
[ 30.104051] ? tcp_check_oom+0x440/0x440
[ 30.108090] ? tls_write_space+0x2d0/0x2d0
[ 30.112298] ? ip_mc_drop_socket+0x16/0x220
[ 30.116595] inet_release+0xdf/0x1b0
[ 30.120297] inet6_release+0x4c/0x70
[ 30.123984] __sock_release+0xcd/0x2b0
[ 30.127849] ? __sock_release+0x2b0/0x2b0
[ 30.131969] sock_close+0x15/0x20
[ 30.135406] __fput+0x25f/0x7a0
[ 30.138662] task_work_run+0x11f/0x190
[ 30.142523] do_exit+0xa44/0x2850
[ 30.145953] ? mm_update_next_owner+0x5b0/0x5b0
[ 30.150612] ? get_signal+0x323/0x1ca0
[ 30.154473] ? lock_acquire+0x170/0x3f0
[ 30.158421] ? lock_downgrade+0x740/0x740
[ 30.162541] do_group_exit+0x100/0x2e0
[ 30.166402] get_signal+0x38d/0x1ca0
[ 30.170095] do_signal+0x7c/0x1550
[ 30.173609] ? lock_downgrade+0x740/0x740
[ 30.177731] ? setup_sigcontext+0x820/0x820
[ 30.182036] ? fput_many+0xe/0x140
[ 30.185569] ? do_sendfile+0x1c6/0xb30
[ 30.189442] ? do_compat_writev+0x180/0x180
[ 30.193736] ? SyS_futex+0x1da/0x290
[ 30.197425] ? exit_to_usermode_loop+0x41/0x200
[ 30.202068] exit_to_usermode_loop+0x160/0x200
[ 30.206625] do_syscall_64+0x4a3/0x640
[ 30.210493] entry_SYSCALL_64_after_hwframe+0x46/0xbb
[ 30.215667] RIP: 0033:0x7fbe380f6e99
[ 30.219352] RSP: 002b:00007fbe380a82e8 EFLAGS: 00000246 ORIG_RAX: 0000000000000028
[ 30.227033] RAX: 00000000006d0000 RBX: 00007fbe381804e0 RCX: 00007fbe380f6e99
[ 30.234450] RDX: 0000000000000000 RSI: 0000000000000003 RDI: 0000000000000003
[ 30.241695] RBP: 00007fbe3814d194 R08: 0000000000000000 R09: 0000000000000000
[ 30.248938] R10: 00008080fffffffe R11: 0000000000000246 R12: 00007fbe381804ec
[ 30.256182] R13: 00007fbe380a82f0 R14: 00007fbe381804e8 R15: 0000000000022000
[ 30.263593] Kernel Offset: disabled
[ 30.267203] Rebooting in 86400 seconds..