[  OK  ] Started Load/Save RF Kill Switch Status.

Debian GNU/Linux 9 syzkaller ttyS0

Warning: Permanently added '10.128.1.79' (ECDSA) to the list of known hosts.
executing program
executing program

syzkaller login: [   35.563031] ==================================================================
[   35.570549] BUG: KASAN: use-after-free in __list_add_valid+0x81/0xa0
[   35.577239] Read of size 8 at addr ffff88808d7853c0 by task syz-executor190/8123
[   35.584765]
[   35.586403] CPU: 1 PID: 8123 Comm: syz-executor190 Not tainted 4.19.194-syzkaller #0
[   35.594291] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   35.603758] Call Trace:
[   35.606515]  dump_stack+0x1fc/0x2ef
[   35.610162]  print_address_description.cold+0x54/0x219
[   35.615458]  kasan_report_error.cold+0x8a/0x1b9
[   35.620131]  ? __list_add_valid+0x81/0xa0
[   35.624277]  __asan_report_load8_noabort+0x88/0x90
[   35.629222]  ? __list_add_valid+0x81/0xa0
[   35.633378]  __list_add_valid+0x81/0xa0
[   35.637349]  chrdev_open+0x4b9/0x770
[   35.641055]  ? __register_chrdev+0x400/0x400
[   35.645458]  do_dentry_open+0x4aa/0x1160
[   35.649654]  ? __register_chrdev+0x400/0x400
[   35.654060]  ? inode_permission.part.0+0x10c/0x450
[   35.658998]  ? chown_common+0x550/0x550
[   35.662994]  ? inode_permission+0x3d/0x140
[   35.667298]  path_openat+0x793/0x2df0
[   35.671352]  ? path_lookupat+0x8d0/0x8d0
[   35.675411]  ? mark_held_locks+0xf0/0xf0
[   35.679465]  do_filp_open+0x18c/0x3f0
[   35.683261]  ? may_open_dev+0xf0/0xf0
[   35.687418]  ? lock_downgrade+0x720/0x720
[   35.691756]  ? lock_acquire+0x170/0x3c0
[   35.695985]  ? __alloc_fd+0x34/0x570
[   35.699693]  ? do_raw_spin_unlock+0x171/0x230
[   35.704192]  ? _raw_spin_unlock+0x29/0x40
[   35.708347]  ? __alloc_fd+0x28d/0x570
[   35.712150]  do_sys_open+0x3b3/0x520
[   35.715950]  ? filp_open+0x70/0x70
[   35.719528]  ? entry_SYSCALL_64_after_hwframe+0x3e/0xbe
[   35.724888]  ? trace_hardirqs_off_caller+0x6e/0x210
[   35.729916]  ? do_syscall_64+0x21/0x620
[   35.733906]  do_syscall_64+0xf9/0x620
[   35.737823]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   35.743024] RIP: 0033:0x446799
[   35.746270] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 41 15 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
[   35.765269] RSP: 002b:00007f658e3632f8 EFLAGS: 00000246 ORIG_RAX: 0000000000000101
[   35.773018] RAX: ffffffffffffffda RBX: 00000000004d0510 RCX: 0000000000446799
[   35.780294] RDX: 0000000000000000 RSI: 0000000020002040 RDI: 00000000ffffff9c
[   35.787605] RBP: 00000000004a0144 R08: 0000000000000000 R09: 0000000000000000
[   35.794908] R10: 0000000000000000 R11: 0000000000000246 R12: 2f30656c69662f2e
[   35.802214] R13: 000000000049e140 R14: 8000000000000000 R15: 00000000004d0518
[   35.809685]
[   35.811316] Allocated by task 8113:
[   35.814952]  kmem_cache_alloc+0x122/0x370
[   35.819206]  fuse_alloc_inode+0x1d/0x3f0
[   35.823297]  alloc_inode+0x5d/0x180
[   35.826933]  iget5_locked+0x57/0xd0
[   35.830651]  fuse_iget+0x1a6/0x800
[   35.834202]  fuse_lookup_name+0x413/0x5c0
[   35.838441]  fuse_lookup+0xdf/0x410
[   35.842091]  __lookup_slow+0x246/0x4a0
[   35.845981]  walk_component+0x7ac/0xda0
[   35.849959]  path_lookupat+0x1ff/0x8d0
[   35.853867]  filename_lookup+0x1ac/0x5a0
[   35.858020]  vfs_statx+0x113/0x210
[   35.861567]  __se_sys_newfstatat+0x9e/0x120
[   35.866173]  do_syscall_64+0xf9/0x620
[   35.870090]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   35.875291]
[   35.876946] Freed by task 0:
[   35.879971]  kmem_cache_free+0x7f/0x260
[   35.883954]  rcu_process_callbacks+0x8ff/0x18b0
[   35.888652]  __do_softirq+0x265/0x980
[   35.892469]
[   35.894106] The buggy address belongs to the object at ffff88808d785040
[   35.894106]  which belongs to the cache fuse_inode of size 1264
[   35.907261] The buggy address is located 896 bytes inside of
[   35.907261]  1264-byte region [ffff88808d785040, ffff88808d785530)
[   35.919331] The buggy address belongs to the page:
[   35.924619] page:ffffea000235e140 count:1 mapcount:0 mapping:ffff8882395b8e00 index:0xffff88808d785ffe
[   35.934243] flags: 0xfff00000000100(slab)
[   35.938733] raw: 00fff00000000100 ffff8880b0e5a648 ffffea00022e01c8 ffff8882395b8e00
[   35.946723] raw: ffff88808d785ffe ffff88808d785040 0000000100000002 0000000000000000
[   35.954676] page dumped because: kasan: bad access detected
[   35.960439]
[   35.962066] Memory state around the buggy address:
[   35.966996]  ffff88808d785280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   35.974358]  ffff88808d785300: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   35.981725] >ffff88808d785380: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   35.989193]                                            ^
[   35.994738]  ffff88808d785400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   36.002101]  ffff88808d785480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   36.009651] ==================================================================
[   36.017023] Disabling lock debugging due to kernel taint
[   36.022872] Kernel panic - not syncing: panic_on_warn set ...
[   36.022872]
[   36.030269] CPU: 1 PID: 8123 Comm: syz-executor190 Tainted: G    B             4.19.194-syzkaller #0
[   36.039676] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   36.049035] Call Trace:
[   36.051670]  dump_stack+0x1fc/0x2ef
[   36.055311]  panic+0x26a/0x50e
[   36.058525]  ? __warn_printk+0xf3/0xf3
[   36.062543]  ? retint_kernel+0x2d/0x2d
[   36.066544]  ? trace_hardirqs_on+0x55/0x210
[   36.070892]  kasan_end_report+0x43/0x49
[   36.074966]  kasan_report_error.cold+0xa7/0x1b9
[   36.079641]  ? __list_add_valid+0x81/0xa0
[   36.083889]  __asan_report_load8_noabort+0x88/0x90
[   36.088810]  ? __list_add_valid+0x81/0xa0
[   36.092962]  __list_add_valid+0x81/0xa0
[   36.096942]  chrdev_open+0x4b9/0x770
[   36.100673]  ? __register_chrdev+0x400/0x400
[   36.105072]  do_dentry_open+0x4aa/0x1160
[   36.111206]  ? __register_chrdev+0x400/0x400
[   36.115602]  ? inode_permission.part.0+0x10c/0x450
[   36.120558]  ? chown_common+0x550/0x550
[   36.124629]  ? inode_permission+0x3d/0x140
[   36.129025]  path_openat+0x793/0x2df0
[   36.132830]  ? path_lookupat+0x8d0/0x8d0
[   36.137065]  ? mark_held_locks+0xf0/0xf0
[   36.141129]  do_filp_open+0x18c/0x3f0
[   36.144915]  ? may_open_dev+0xf0/0xf0
[   36.148718]  ? lock_downgrade+0x720/0x720
[   36.152851]  ? lock_acquire+0x170/0x3c0
[   36.156811]  ? __alloc_fd+0x34/0x570
[   36.160524]  ? do_raw_spin_unlock+0x171/0x230
[   36.165015]  ? _raw_spin_unlock+0x29/0x40
[   36.169151]  ? __alloc_fd+0x28d/0x570
[   36.173030]  do_sys_open+0x3b3/0x520
[   36.176738]  ? filp_open+0x70/0x70
[   36.180280]  ? entry_SYSCALL_64_after_hwframe+0x3e/0xbe
[   36.185837]  ? trace_hardirqs_off_caller+0x6e/0x210
[   36.190889]  ? do_syscall_64+0x21/0x620
[   36.195277]  do_syscall_64+0xf9/0x620
[   36.199071]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   36.204348] RIP: 0033:0x446799
[   36.207981] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 41 15 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
[   36.227429] RSP: 002b:00007f658e3632f8 EFLAGS: 00000246 ORIG_RAX: 0000000000000101
[   36.235360] RAX: ffffffffffffffda RBX: 00000000004d0510 RCX: 0000000000446799
[   36.242911] RDX: 0000000000000000 RSI: 0000000020002040 RDI: 00000000ffffff9c
[   36.250273] RBP: 00000000004a0144 R08: 0000000000000000 R09: 0000000000000000
[   36.257549] R10: 0000000000000000 R11: 0000000000000246 R12: 2f30656c69662f2e
[   36.264805] R13: 000000000049e140 R14: 8000000000000000 R15: 00000000004d0518
[   36.273139] Kernel Offset: disabled
[   36.276762] Rebooting in 86400 seconds..
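The report above carries everything a first-pass triage needs: the access (an 8-byte read in __list_add_valid called from chrdev_open), the object (a fuse_inode slab object, 896 bytes in), the allocation path (fuse_alloc_inode during a path lookup in task 8113), and the free path (kmem_cache_free from an RCU callback in softirq context, task 0, so no owner frame is visible). The script below, an added example that is neither part of the syzkaller log nor syzkaller's own tooling, pulls those facts out of the report and into a structured record. It assumes only the 4.19-era KASAN report layout shown above and runs on a trimmed copy of that report, which is embedded as the constructed sample. Frames prefixed with `?` are unwinder guesses and are dropped; the crash site is taken to be the first reliable frame that is neither KASAN's own reporting machinery nor the reported function itself, and the access address is cross-checked against the object base and the reported offset.

```python
"""Parse a KASAN report from a syzkaller console log into triage data.

Added example, not syzkaller or kernel code. It assumes the 4.19-era report
layout shown above; "?" frames are unreliable unwinder guesses and are dropped.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

TS_RE = re.compile(r"^\[\s*\d+\.\d+\]\s?")  # dmesg timestamp prefix
BUG_RE = re.compile(r"BUG: KASAN: (?P<kind>[\w-]+) in (?P<func>\S+)")
ACCESS_RE = re.compile(r"(?P<rw>Read|Write) of size (?P<size>\d+) at addr "
                       r"(?P<addr>[0-9a-f]+) by task (?P<task>\S+)/(?P<pid>\d+)")
ALLOC_RE = re.compile(r"Allocated by task (?P<pid>\d+):")
FREE_RE = re.compile(r"Freed by task (?P<pid>\d+):")
OBJECT_RE = re.compile(r"belongs to the object at (?P<addr>[0-9a-f]+)")
CACHE_RE = re.compile(r"belongs to the cache (?P<cache>\S+) of size (?P<size>\d+)")
OFFSET_RE = re.compile(r"located (?P<off>\d+) bytes inside of")
FRAME_RE = re.compile(r"^(?P<unreliable>\?\s+)?(?P<frame>[\w.]+\+0x[0-9a-f]+/0x[0-9a-f]+)$")

# Frames that are infrastructure rather than the code path under suspicion.
REPORT_NOISE = ("dump_stack", "print_address_description", "kasan_", "__asan_")
ALLOCATOR_NOISE = ("kmem_cache_", "kmalloc", "__kmalloc", "kfree", "slab_")
DEFERRED_FREE = ("rcu_", "__do_softirq")


@dataclass
class KasanReport:
    kind: str = ""
    func: str = ""
    rw: str = ""
    size: int = 0
    addr: int = 0
    task: str = ""
    pid: int = 0
    object_addr: int = 0
    object_size: int = 0
    offset: int = 0
    cache: str = ""
    alloc_pid: Optional[int] = None
    free_pid: Optional[int] = None
    call_trace: List[str] = field(default_factory=list)
    alloc_trace: List[str] = field(default_factory=list)
    free_trace: List[str] = field(default_factory=list)


def parse_kasan(text: str) -> KasanReport:
    """Single pass over the log; a blank line closes the stack being collected."""
    r = KasanReport()
    current: Optional[List[str]] = None
    for raw in text.splitlines():
        line = TS_RE.sub("", raw).strip()
        if not line:
            current = None
            continue
        if m := BUG_RE.search(line):
            r.kind, r.func = m["kind"], m["func"]
        elif m := ACCESS_RE.search(line):
            r.rw, r.size, r.addr = m["rw"], int(m["size"]), int(m["addr"], 16)
            r.task, r.pid = m["task"], int(m["pid"])
        elif line == "Call Trace:":
            current = r.call_trace
        elif m := ALLOC_RE.search(line):
            r.alloc_pid, current = int(m["pid"]), r.alloc_trace
        elif m := FREE_RE.search(line):
            r.free_pid, current = int(m["pid"]), r.free_trace
        elif m := OBJECT_RE.search(line):
            r.object_addr = int(m["addr"], 16)
        elif m := CACHE_RE.search(line):
            r.cache, r.object_size = m["cache"], int(m["size"])
        elif m := OFFSET_RE.search(line):
            r.offset = int(m["off"])
        elif (m := FRAME_RE.match(line)) and current is not None and not m["unreliable"]:
            current.append(m["frame"])
    return r


def first_frame(trace: List[str], skip: tuple) -> str:
    """First frame not matching a skip prefix; '' when the whole stack is noise."""
    return next((f for f in trace if not f.startswith(skip)), "")


def crash_site(r: KasanReport) -> str:
    """Caller of the reported function, past KASAN's own reporting frames."""
    return first_frame([f for f in r.call_trace if f != r.func], REPORT_NOISE)


def offset_consistent(r: KasanReport) -> bool:
    """Access address minus object base must equal the offset KASAN printed."""
    return r.addr - r.object_addr == r.offset


def triage(r: KasanReport) -> dict:
    return {
        "bug": f"{r.kind} in {r.func}",
        "crash_site": crash_site(r),
        "object": f"{r.cache} ({r.object_size} B), {r.rw.lower()} {r.size} B at +{r.offset}",
        "alloc_site": first_frame(r.alloc_trace, ALLOCATOR_NOISE),
        "free_site": first_frame(r.free_trace, ALLOCATOR_NOISE + DEFERRED_FREE),
        "deferred_free": any(f.startswith(DEFERRED_FREE) for f in r.free_trace),
        "cross_task": r.alloc_pid is not None and r.alloc_pid != r.pid,
        "offset_ok": offset_consistent(r),
    }


# Constructed sample: a trimmed copy of the report above, same lines and values.
SAMPLE = """\
[   35.570549] BUG: KASAN: use-after-free in __list_add_valid+0x81/0xa0
[   35.577239] Read of size 8 at addr ffff88808d7853c0 by task syz-executor190/8123
[   35.584765]
[   35.586403] CPU: 1 PID: 8123 Comm: syz-executor190 Not tainted 4.19.194-syzkaller #0
[   35.603758] Call Trace:
[   35.606515]  dump_stack+0x1fc/0x2ef
[   35.610162]  print_address_description.cold+0x54/0x219
[   35.615458]  kasan_report_error.cold+0x8a/0x1b9
[   35.620131]  ? __list_add_valid+0x81/0xa0
[   35.624277]  __asan_report_load8_noabort+0x88/0x90
[   35.633378]  __list_add_valid+0x81/0xa0
[   35.637349]  chrdev_open+0x4b9/0x770
[   35.641055]  ? __register_chrdev+0x400/0x400
[   35.645458]  do_dentry_open+0x4aa/0x1160
[   35.667298]  path_openat+0x793/0x2df0
[   35.712150]  do_sys_open+0x3b3/0x520
[   35.733906]  do_syscall_64+0xf9/0x620
[   35.737823]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   35.743024] RIP: 0033:0x446799
[   35.809685]
[   35.811316] Allocated by task 8113:
[   35.814952]  kmem_cache_alloc+0x122/0x370
[   35.819206]  fuse_alloc_inode+0x1d/0x3f0
[   35.823297]  alloc_inode+0x5d/0x180
[   35.830651]  fuse_iget+0x1a6/0x800
[   35.875291]
[   35.876946] Freed by task 0:
[   35.879971]  kmem_cache_free+0x7f/0x260
[   35.883954]  rcu_process_callbacks+0x8ff/0x18b0
[   35.888652]  __do_softirq+0x265/0x980
[   35.892469]
[   35.894106] The buggy address belongs to the object at ffff88808d785040
[   35.894106]  which belongs to the cache fuse_inode of size 1264
[   35.907261] The buggy address is located 896 bytes inside of
[   35.907261]  1264-byte region [ffff88808d785040, ffff88808d785530)
"""

if __name__ == "__main__":
    for key, value in triage(parse_kasan(SAMPLE)).items():
        print(f"{key:>14}: {value}")
```

On the report above this yields crash_site `chrdev_open+0x4b9/0x770`, alloc_site `fuse_alloc_inode+0x1d/0x3f0`, an empty free_site with deferred_free set (the free ran from an RCU callback, so the stack shows no owner), cross_task set (allocated by PID 8113, touched by PID 8123), and offset_ok, since 0xffff88808d7853c0 minus 0xffff88808d785040 is 0x380, which is the 896 bytes KASAN printed. The empty free_site is the interesting signal here: the owning code that called into RCU is not on the stack, so the next step is reading the freeing path rather than the report.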