Starting Network Time Synchronization...
[ OK ] Started Network Time Synchronization.
[ OK ] Started Raise network interfaces.
[ OK ] Reached target Network.
Starting Permit User Sessions...
Starting OpenBSD Secure Shell server...
[ OK ] Started Permit User Sessions.
[ 11.170395][ C1] random: crng init done
[ 11.172335][ C1] random: 7 urandom warning(s) missed due to ratelimiting
[ OK ] Started OpenBSD Secure Shell server.
Warning: Permanently added '10.128.0.84' (ECDSA) to the list of known hosts.
executing program
[* ] A start job is running for dev-ttyS0.device (9s / 1min 30s)
[** ] A start job is running for dev-ttyS0.device (10s / 1min 30s)
[*** ] A start job is running for dev-ttyS0.device (10s / 1min 30s)
[ *** ] A start job is running for dev-ttyS0.device (11s / 1min 30s)
[ *** ] A start job is running for dev-ttyS0.device (11s / 1min 30s)
[ ***] A start job is running for dev-ttyS0.device (12s / 1min 30s)
[ **] A start job is running for dev-ttyS0.device (13s / 1min 30s)
[ 20.655685][ T22] audit: type=1400 audit(1597979688.944:8): avc: denied { execmem } for pid=329 comm="syz-executor842" scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=process permissive=1
[ 20.676347][ T330] ==================================================================
[ 20.684436][ T330] BUG: KASAN: use-after-free in __list_del_entry_valid+0x2b/0x100
[ 20.692227][ T330] Read of size 8 at addr ffff8881cdc22b80 by task syz-executor842/330
[ 20.700368][ T330]
[ 20.702685][ T330] CPU: 0 PID: 330 Comm: syz-executor842 Not tainted 5.4.59-syzkaller-00509-g013a1a228267 #0
[ 20.712719][ T330] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 20.722779][ T330] Call Trace:
[ 20.726059][ T330] dump_stack+0x14a/0x1ce
[ 20.730367][ T330] ? show_regs_print_info+0x12/0x12
[ 20.735596][ T330] ? printk+0xd2/0x114
[ 20.739646][ T330] print_address_description+0x93/0x620
[ 20.745184][ T330] ? devkmsg_release+0x11c/0x11c
[ 20.750104][ T330] ? __percpu_ref_switch_mode+0x350/0x5e0
[ 20.755800][ T330] __kasan_report+0x16d/0x1e0
[ 20.760560][ T330] ? __list_del_entry_valid+0x2b/0x100
[ 20.765997][ T330] kasan_report+0x36/0x60
[ 20.770306][ T330] __list_del_entry_valid+0x2b/0x100
[ 20.775584][ T330] io_cancel_async_work+0x9b/0x280
[ 20.780682][ T330] io_ring_ctx_wait_and_kill+0xaf/0x1380
[ 20.786309][ T330] ? xas_set_mark+0x187/0x1e0
[ 20.790963][ T330] ? find_first_bit+0xe1/0x100
[ 20.795703][ T330] ? io_cancel_async_work+0x280/0x280
[ 20.801052][ T330] ? deactivate_super+0x1bf/0x280
[ 20.806054][ T330] io_uring_release+0x59/0x70
[ 20.810708][ T330] ? io_uring_flush+0x130/0x130
[ 20.815557][ T330] __fput+0x27d/0x6c0
[ 20.819520][ T330] task_work_run+0x176/0x1a0
[ 20.824091][ T330] do_exit+0xc42/0x2700
[ 20.828230][ T330] ? mm_update_next_owner+0x600/0x600
[ 20.833585][ T330] ? __up_read+0x6f/0x1b0
[ 20.837898][ T330] ? _raw_spin_trylock_bh+0x190/0x190
[ 20.843261][ T330] ? __down_read+0x210/0x210
[ 20.847830][ T330] ? vmacache_update+0x9f/0xf0
[ 20.852573][ T330] do_group_exit+0x155/0x2b0
[ 20.857145][ T330] __do_sys_exit_group+0x13/0x20
[ 20.862065][ T330] __se_sys_exit_group+0x10/0x10
[ 20.866994][ T330] __x64_sys_exit_group+0x37/0x40
[ 20.871999][ T330] do_syscall_64+0xcb/0x150
[ 20.876480][ T330] entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 20.882355][ T330] RIP: 0033:0x43f998
[ 20.886258][ T330] Code: Bad RIP value.
[ 20.890303][ T330] RSP: 002b:00007ffd6753e468 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
[ 20.898695][ T330] RAX: ffffffffffffffda RBX: 0000000000000001 RCX: 000000000043f998
[ 20.906650][ T330] RDX: 0000000000000001 RSI: 000000000000003c RDI: 0000000000000001
[ 20.914614][ T330] RBP: 00000000004bf950 R08: 00000000000000e7 R09: ffffffffffffffd0
[ 20.922592][ T330] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000001
[ 20.930556][ T330] R13: 00000000006d11a0 R14: 0000000000000000 R15: 0000000000000000
[ 20.938518][ T330]
[ 20.940829][ T330] Allocated by task 330:
[ 20.945060][ T330] __kasan_kmalloc+0x12c/0x1c0
[ 20.949812][ T330] kmem_cache_alloc+0x1d5/0x260
[ 20.954675][ T330] io_get_req+0x1e8/0x850
[ 20.959002][ T330] io_submit_sqe+0x83/0xe90
[ 20.963494][ T330] __se_sys_io_uring_enter+0x922/0x1ff0
[ 20.969047][ T330] do_syscall_64+0xcb/0x150
[ 20.973551][ T330] entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 20.979415][ T330]
[ 20.981732][ T330] Freed by task 154:
[ 20.985612][ T330] __kasan_slab_free+0x181/0x230
[ 20.990529][ T330] slab_free_freelist_hook+0xd0/0x150
[ 20.995896][ T330] kmem_cache_free+0xac/0x600
[ 21.000566][ T330] io_poll_complete_work+0x737/0x940
[ 21.005847][ T330] process_one_work+0x777/0xf90
[ 21.010682][ T330] worker_thread+0xa8f/0x1430
[ 21.015358][ T330] kthread+0x2df/0x300
[ 21.019419][ T330] ret_from_fork+0x1f/0x30
[ 21.023806][ T330]
[ 21.026115][ T330] The buggy address belongs to the object at ffff8881cdc22a80
[ 21.026115][ T330] which belongs to the cache io_kiocb of size 264
[ 21.039905][ T330] The buggy address is located 256 bytes inside of
[ 21.039905][ T330] 264-byte region [ffff8881cdc22a80, ffff8881cdc22b88)
[ 21.053156][ T330] The buggy address belongs to the page:
[ 21.058778][ T330] page:ffffea0007370880 refcount:1 mapcount:0 mapping:ffff8881d920cf00 index:0x0 compound_mapcount: 0
[ 21.069690][ T330] flags: 0x8000000000010200(slab|head)
[ 21.075132][ T330] raw: 8000000000010200 dead000000000100 dead000000000122 ffff8881d920cf00
[ 21.083723][ T330] raw: 0000000000000000 0000000080150015 00000001ffffffff 0000000000000000
[ 21.092289][ T330] page dumped because: kasan: bad access detected
[ 21.098678][ T330]
[ 21.100981][ T330] Memory state around the buggy address:
[ 21.106591][ T330] ffff8881cdc22a80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 21.114658][ T330] ffff8881cdc22b00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 21.122716][ T330] >ffff8881cdc22b80: fb fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 21.130798][ T330] ^
[ 21.134851][ T330] ffff8881cdc22c00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 21.142913][ T330] ffff8881cdc22c80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 21.150953][ T330] ==========================================================