[ OK ] Reached target Login Prompts.
[ OK ] Reached target Multi-User System.
[ OK ] Reached target Graphical Interface.
Starting Update UTMP about System Runlevel Changes...
[ OK ] Started Update UTMP about System Runlevel Changes.
Debian GNU/Linux 9 syzkaller ttyS0
Warning: Permanently added '10.128.0.184' (ECDSA) to the list of known hosts.
executing program
syzkaller login:
[ 349.908026][ T6987] ==================================================================
[ 349.916397][ T6987] BUG: KASAN: use-after-free in sock_def_write_space+0x609/0x630
[ 349.924098][ T6987] Read of size 8 at addr ffff8880a4ea15c0 by task syz-executor515/6987
[ 349.932746][ T6987]
[ 349.935081][ T6987] CPU: 0 PID: 6987 Comm: syz-executor515 Not tainted 5.8.0-rc5-syzkaller #0
[ 349.943763][ T6987] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 349.953873][ T6987] Call Trace:
[ 349.957241][ T6987]  dump_stack+0x18f/0x20d
[ 349.961570][ T6987]  ? sock_def_write_space+0x609/0x630
[ 349.966937][ T6987]  ? sock_def_write_space+0x609/0x630
[ 349.972385][ T6987]  print_address_description.constprop.0.cold+0xae/0x436
[ 349.979449][ T6987]  ? lockdep_hardirqs_off+0x66/0xa0
[ 349.984683][ T6987]  ? vprintk_func+0x97/0x1a6
[ 349.989271][ T6987]  ? sock_def_write_space+0x609/0x630
[ 349.994627][ T6987]  kasan_report.cold+0x1f/0x37
[ 349.999401][ T6987]  ? sock_def_write_space+0x609/0x630
[ 350.004768][ T6987]  sock_def_write_space+0x609/0x630
[ 350.009959][ T6987]  ? kfree_skb+0x7d/0x100
[ 350.014343][ T6987]  ? qrtr_tun_poll+0xf0/0xf0
[ 350.018920][ T6987]  sock_wfree+0x1cc/0x240
[ 350.023227][ T6987]  ? __sk_receive_skb+0x830/0x830
[ 350.028228][ T6987]  skb_release_head_state+0x9f/0x250
[ 350.033492][ T6987]  kfree_skb.part.0+0x89/0x350
[ 350.038248][ T6987]  kfree_skb+0x7d/0x100
[ 350.042385][ T6987]  skb_queue_purge+0x14/0x30
[ 350.046975][ T6987]  qrtr_tun_release+0x40/0x60
[ 350.051698][ T6987]  __fput+0x33c/0x880
[ 350.055720][ T6987]  task_work_run+0xdd/0x190
[ 350.060245][ T6987]  do_exit+0xb72/0x2a40
[ 350.064432][ T6987]  ? lock_acquire+0x1f1/0xad0
[ 350.069105][ T6987]  ? find_held_lock+0x2d/0x110
[ 350.073846][ T6987]  ? mm_update_next_owner+0x7a0/0x7a0
[ 350.079227][ T6987]  ? get_signal+0x332/0x1ee0
[ 350.083807][ T6987]  ? lock_downgrade+0x820/0x820
[ 350.088650][ T6987]  ? lock_is_held_type+0xb0/0xe0
[ 350.093566][ T6987]  do_group_exit+0x125/0x310
[ 350.098134][ T6987]  get_signal+0x40b/0x1ee0
[ 350.102570][ T6987]  ? futex_exit_release+0x220/0x220
[ 350.107751][ T6987]  ? lock_acquire+0x1f1/0xad0
[ 350.112434][ T6987]  ? __fd_install+0x1b4/0x600
[ 350.117205][ T6987]  do_signal+0x82/0x2520
[ 350.121434][ T6987]  ? alloc_file+0x5a0/0x5a0
[ 350.125917][ T6987]  ? lock_is_held_type+0xb0/0xe0
[ 350.130833][ T6987]  ? copy_siginfo_to_user32+0xa0/0xa0
[ 350.136196][ T6987]  ? __x64_sys_futex+0x378/0x4e0
[ 350.141109][ T6987]  ? __x64_sys_futex+0x382/0x4e0
[ 350.146039][ T6987]  ? do_futex+0x1a60/0x1a60
[ 350.150540][ T6987]  ? __prepare_exit_to_usermode+0xcc/0x1f0
[ 350.156341][ T6987]  ? lockdep_hardirqs_on_prepare+0x3a2/0x590
[ 350.162322][ T6987]  __prepare_exit_to_usermode+0x156/0x1f0
[ 350.168112][ T6987]  do_syscall_64+0x6c/0xe0
[ 350.172564][ T6987]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 350.178450][ T6987] RIP: 0033:0x446959
[ 350.182326][ T6987] Code: Bad RIP value.
[ 350.186409][ T6987] RSP: 002b:00007f43b3256db8 EFLAGS: 00000246 ORIG_RAX: 00000000000000ca
[ 350.194806][ T6987] RAX: fffffffffffffe00 RBX: 00000000006dbc38 RCX: 0000000000446959
[ 350.202756][ T6987] RDX: 0000000000000000 RSI: 0000000000000080 RDI: 00000000006dbc38
[ 350.210706][ T6987] RBP: 00000000006dbc30 R08: 0000000000000000 R09: 0000000000000000
[ 350.218676][ T6987] R10: 0000000000000000 R11: 0000000000000246 R12: 00000000006dbc3c
[ 350.226677][ T6987] R13: 00007ffce6c8421f R14: 00007f43b32579c0 R15: 0000000000000001
[ 350.234671][ T6987]
[ 350.237029][ T6987] Allocated by task 6987:
[ 350.241379][ T6987]  save_stack+0x1b/0x40
[ 350.245535][ T6987]  __kasan_kmalloc.constprop.0+0xc2/0xd0
[ 350.254209][ T6987]  kmem_cache_alloc+0x12c/0x3b0
[ 350.259109][ T6987]  sock_alloc_inode+0x18/0x1c0
[ 350.263907][ T6987]  alloc_inode+0x61/0x230
[ 350.268236][ T6987]  new_inode_pseudo+0x14/0xe0
[ 350.272892][ T6987]  sock_alloc+0x3c/0x260
[ 350.277114][ T6987]  __sock_create+0xb9/0x740
[ 350.281610][ T6987]  __sys_socket+0xef/0x200
[ 350.286019][ T6987]  __x64_sys_socket+0x6f/0xb0
[ 350.290681][ T6987]  do_syscall_64+0x60/0xe0
[ 350.295077][ T6987]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 350.300937][ T6987]
[ 350.303240][ T6987] Freed by task 0:
[ 350.306952][ T6987]  save_stack+0x1b/0x40
[ 350.311098][ T6987]  __kasan_slab_free+0xf5/0x140
[ 350.315924][ T6987]  kmem_cache_free+0x7f/0x310
[ 350.320578][ T6987]  i_callback+0x3f/0x70
[ 350.324772][ T6987]  rcu_core+0x5c7/0x1160
[ 350.328997][ T6987]  __do_softirq+0x34c/0xa60
[ 350.333470][ T6987]
[ 350.335793][ T6987] The buggy address belongs to the object at ffff8880a4ea1540
[ 350.335793][ T6987]  which belongs to the cache sock_inode_cache of size 1216
[ 350.350340][ T6987] The buggy address is located 128 bytes inside of
[ 350.350340][ T6987]  1216-byte region [ffff8880a4ea1540, ffff8880a4ea1a00)
[ 350.363668][ T6987] The buggy address belongs to the page:
[ 350.369319][ T6987] page:ffffea000293a840 refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff8880a4ea1ffd
[ 350.379708][ T6987] flags: 0xfffe0000000200(slab)
[ 350.384537][ T6987] raw: 00fffe0000000200 ffffea00022d1d48 ffffea0002236608 ffff8880a974bc40
[ 350.393114][ T6987] raw: ffff8880a4ea1ffd ffff8880a4ea1000 0000000100000003 0000000000000000
[ 350.401684][ T6987] page dumped because: kasan: bad access detected
[ 350.408080][ T6987]
[ 350.410384][ T6987] Memory state around the buggy address:
[ 350.416004][ T6987]  ffff8880a4ea1480: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 350.424042][ T6987]  ffff8880a4ea1500: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
[ 350.432083][ T6987] >ffff8880a4ea1580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 350.440119][ T6987]                                            ^
[ 350.446272][ T6987]  ffff8880a4ea1600: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 350.454333][ T6987]  ffff8880a4ea1680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 350.462368][ T6987] ==================================================================
[ 350.470406][ T6987] Disabling lock debugging due to kernel taint
[ 350.480453][ T6987] Kernel panic - not syncing: panic_on_warn set ...
[ 350.487054][ T6987] CPU: 0 PID: 6987 Comm: syz-executor515 Tainted: G    B             5.8.0-rc5-syzkaller #0
[ 350.497104][ T6987] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 350.507154][ T6987] Call Trace:
[ 350.510442][ T6987]  dump_stack+0x18f/0x20d
[ 350.514794][ T6987]  ? sock_def_write_space+0x5c0/0x630
[ 350.520217][ T6987]  panic+0x2e3/0x75c
[ 350.524115][ T6987]  ? __warn_printk+0xf3/0xf3
[ 350.528732][ T6987]  ? preempt_schedule_common+0x59/0xc0
[ 350.534193][ T6987]  ? sock_def_write_space+0x609/0x630
[ 350.539629][ T6987]  ? preempt_schedule_thunk+0x16/0x18
[ 350.545038][ T6987]  ? trace_hardirqs_on+0x55/0x220
[ 350.550045][ T6987]  ? sock_def_write_space+0x609/0x630
[ 350.555391][ T6987]  ? sock_def_write_space+0x609/0x630
[ 350.560738][ T6987]  end_report+0x4d/0x53
[ 350.564872][ T6987]  kasan_report.cold+0xd/0x37
[ 350.569547][ T6987]  ? sock_def_write_space+0x609/0x630
[ 350.574921][ T6987]  sock_def_write_space+0x609/0x630
[ 350.580106][ T6987]  ? kfree_skb+0x7d/0x100
[ 350.584412][ T6987]  ? qrtr_tun_poll+0xf0/0xf0
[ 350.588986][ T6987]  sock_wfree+0x1cc/0x240
[ 350.593327][ T6987]  ? __sk_receive_skb+0x830/0x830
[ 350.598339][ T6987]  skb_release_head_state+0x9f/0x250
[ 350.603721][ T6987]  kfree_skb.part.0+0x89/0x350
[ 350.608488][ T6987]  kfree_skb+0x7d/0x100
[ 350.612806][ T6987]  skb_queue_purge+0x14/0x30
[ 350.617387][ T6987]  qrtr_tun_release+0x40/0x60
[ 350.622072][ T6987]  __fput+0x33c/0x880
[ 350.626030][ T6987]  task_work_run+0xdd/0x190
[ 350.630695][ T6987]  do_exit+0xb72/0x2a40
[ 350.634864][ T6987]  ? lock_acquire+0x1f1/0xad0
[ 350.639528][ T6987]  ? find_held_lock+0x2d/0x110
[ 350.644282][ T6987]  ? mm_update_next_owner+0x7a0/0x7a0
[ 350.649661][ T6987]  ? get_signal+0x332/0x1ee0
[ 350.654247][ T6987]  ? lock_downgrade+0x820/0x820
[ 350.659096][ T6987]  ? lock_is_held_type+0xb0/0xe0
[ 350.664010][ T6987]  do_group_exit+0x125/0x310
[ 350.668579][ T6987]  get_signal+0x40b/0x1ee0
[ 350.672971][ T6987]  ? futex_exit_release+0x220/0x220
[ 350.678145][ T6987]  ? lock_acquire+0x1f1/0xad0
[ 350.682798][ T6987]  ? __fd_install+0x1b4/0x600
[ 350.687452][ T6987]  do_signal+0x82/0x2520
[ 350.691677][ T6987]  ? alloc_file+0x5a0/0x5a0
[ 350.696196][ T6987]  ? lock_is_held_type+0xb0/0xe0
[ 350.701112][ T6987]  ? copy_siginfo_to_user32+0xa0/0xa0
[ 350.706462][ T6987]  ? __x64_sys_futex+0x378/0x4e0
[ 350.711376][ T6987]  ? __x64_sys_futex+0x382/0x4e0
[ 350.716289][ T6987]  ? do_futex+0x1a60/0x1a60
[ 350.720787][ T6987]  ? __prepare_exit_to_usermode+0xcc/0x1f0
[ 350.726588][ T6987]  ? lockdep_hardirqs_on_prepare+0x3a2/0x590
[ 350.732564][ T6987]  __prepare_exit_to_usermode+0x156/0x1f0
[ 350.738279][ T6987]  do_syscall_64+0x6c/0xe0
[ 350.742693][ T6987]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 350.748567][ T6987] RIP: 0033:0x446959
[ 350.752444][ T6987] Code: Bad RIP value.
[ 350.756526][ T6987] RSP: 002b:00007f43b3256db8 EFLAGS: 00000246 ORIG_RAX: 00000000000000ca
[ 350.764911][ T6987] RAX: fffffffffffffe00 RBX: 00000000006dbc38 RCX: 0000000000446959
[ 350.772868][ T6987] RDX: 0000000000000000 RSI: 0000000000000080 RDI: 00000000006dbc38
[ 350.780813][ T6987] RBP: 00000000006dbc30 R08: 0000000000000000 R09: 0000000000000000
[ 350.788764][ T6987] R10: 0000000000000000 R11: 0000000000000246 R12: 00000000006dbc3c
[ 350.796716][ T6987] R13: 00007ffce6c8421f R14: 00007f43b32579c0 R15: 0000000000000001
[ 350.805915][ T6987] Kernel Offset: disabled
[ 350.810249][ T6987] Rebooting in 86400 seconds..