[ OK ] Started Getty on tty2.
[ OK ] Started Serial Getty on ttyS0.
[ OK ] Started Getty on tty1.
[ OK ] Reached target Login Prompts.
[ OK ] Reached target Multi-User System.
[ OK ] Reached target Graphical Interface.
Starting Update UTMP about System Runlevel Changes...
[ OK ] Started Update UTMP about System Runlevel Changes.
Starting Load/Save RF Kill Switch Status...
[ OK ] Started Load/Save RF Kill Switch Status.

Debian GNU/Linux 9 syzkaller ttyS0

Warning: Permanently added '10.128.1.47' (ECDSA) to the list of known hosts.
executing program
syzkaller login:
[ 61.140105][ T6868] L1TF CPU bug present and SMT on, data leak possible. See CVE-2018-3646 and https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/l1tf.html for details.
[ 61.186663][ T6868] ==================================================================
[ 61.195017][ T6868] BUG: KASAN: use-after-free in paging32_walk_addr_generic+0x155d/0x1980
[ 61.203547][ T6868] Write of size 4 at addr ffff888000105000 by task syz-executor636/6868
[ 61.211852][ T6868]
[ 61.214216][ T6868] CPU: 1 PID: 6868 Comm: syz-executor636 Not tainted 5.9.0-rc1-next-20200820-syzkaller #0
[ 61.224096][ T6868] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 61.234430][ T6868] Call Trace:
[ 61.237715][ T6868] dump_stack+0x18f/0x20d
[ 61.242037][ T6868] ? paging32_walk_addr_generic+0x155d/0x1980
[ 61.248168][ T6868] ? paging32_walk_addr_generic+0x155d/0x1980
[ 61.254715][ T6868] print_address_description.constprop.0.cold+0xae/0x497
[ 61.261745][ T6868] ? region_intersects+0x257/0x2e0
[ 61.266970][ T6868] ? vprintk_func+0x97/0x1a6
[ 61.271833][ T6868] ? paging32_walk_addr_generic+0x155d/0x1980
[ 61.277946][ T6868] ? paging32_walk_addr_generic+0x155d/0x1980
[ 61.284005][ T6868] kasan_report.cold+0x1f/0x37
[ 61.288880][ T6868] ? paging32_walk_addr_generic+0x155d/0x1980
[ 61.294933][ T6868] check_memory_region+0x13d/0x180
[ 61.300041][ T6868] paging32_walk_addr_generic+0x155d/0x1980
[ 61.306456][ T6868] ? ept_gva_to_gpa+0x1e0/0x1e0
[ 61.311289][ T6868] ? lock_acquire+0x1f1/0xad0
[ 61.316034][ T6868] ? __might_fault+0xef/0x1d0
[ 61.320687][ T6868] ? find_held_lock+0x2d/0x110
[ 61.325430][ T6868] paging32_gva_to_gpa+0xb2/0x1d0
[ 61.330611][ T6868] ? paging32_walk_addr_generic+0x1980/0x1980
[ 61.336744][ T6868] ? vmx_read_guest_seg_ar+0x7a/0x160
[ 61.342096][ T6868] ? __virt_addr_valid+0x1fe/0x2b0
[ 61.347186][ T6868] ? __phys_addr+0x9a/0x110
[ 61.351692][ T6868] ? __phys_addr_symbol+0x2c/0x70
[ 61.356710][ T6868] ? __check_object_size+0x171/0x3e4
[ 61.362073][ T6868] ? __kvm_read_guest_page+0x138/0x170
[ 61.367516][ T6868] ? vmx_segment_cache_test_set+0xc3/0x170
[ 61.373305][ T6868] ? lock_is_held_type+0xbb/0xf0
[ 61.382229][ T6868] emulator_read_write_onepage+0x2f3/0xa70
[ 61.388437][ T6868] ? em_ltr+0xf0/0xf0
[ 61.392661][ T6868] emulator_read_write+0x1c4/0x5a0
[ 61.397752][ T6868] ? decode_operand+0xb7/0x30a0
[ 61.402594][ T6868] ? __sanitizer_cov_trace_switch+0x45/0x70
[ 61.408557][ T6868] emulator_fix_hypercall+0x132/0x190
[ 61.413935][ T6868] ? trace_event_raw_event_kvm_pio+0x490/0x490
[ 61.420139][ T6868] ? em_clts+0x100/0x100
[ 61.424373][ T6868] em_hypercall+0x5d/0x130
[ 61.428781][ T6868] x86_emulate_insn+0x5e8/0x3d20
[ 61.433706][ T6868] ? kvm_put_guest_fpu+0x4c0/0x4c0
[ 61.438801][ T6868] ? init_decode_cache+0xb0/0xb0
[ 61.443722][ T6868] ? lock_is_held_type+0xbb/0xf0
[ 61.448651][ T6868] x86_emulate_instruction+0x752/0x1e00
[ 61.454180][ T6868] handle_ud+0xa8/0x240
[ 61.458472][ T6868] ? kvm_emulate_instruction+0x30/0x30
[ 61.463912][ T6868] ? lock_acquire+0x1f1/0xad0
[ 61.468576][ T6868] ? vcpu_enter_guest+0x1371/0x3b60
[ 61.473755][ T6868] ? vmx_skip_emulated_instruction+0x250/0x250
[ 61.479891][ T6868] handle_exception_nmi+0xaf7/0x1270
[ 61.485162][ T6868] ? vmx_skip_emulated_instruction+0x250/0x250
[ 61.491298][ T6868] vmx_handle_exit+0x293/0x14c0
[ 61.496220][ T6868] vcpu_enter_guest+0x14d6/0x3b60
[ 61.501230][ T6868] ? kvm_vcpu_reload_apic_access_page+0x80/0x80
[ 61.507447][ T6868] ? lock_release+0x8e0/0x8e0
[ 61.512288][ T6868] ? mark_held_locks+0x9f/0xe0
[ 61.517126][ T6868] ? __local_bh_enable_ip+0xd1/0x190
[ 61.522387][ T6868] ? lock_is_held_type+0xbb/0xf0
[ 61.527309][ T6868] ? kvm_arch_vcpu_ioctl_run+0x440/0x1780
[ 61.533011][ T6868] kvm_arch_vcpu_ioctl_run+0x440/0x1780
[ 61.538626][ T6868] kvm_vcpu_ioctl+0x467/0xdf0
[ 61.543293][ T6868] ? kvm_gfn_to_hva_cache_init+0x1a0/0x1a0
[ 61.549079][ T6868] ? generic_block_fiemap+0x60/0x60
[ 61.554257][ T6868] ? __up_read+0x1a1/0x7b0
[ 61.558654][ T6868] ? _down_write_nest_lock+0x150/0x150
[ 61.564099][ T6868] ? bpf_lsm_file_ioctl+0x5/0x10
[ 61.569115][ T6868] ? kvm_gfn_to_hva_cache_init+0x1a0/0x1a0
[ 61.574899][ T6868] __x64_sys_ioctl+0x193/0x200
[ 61.579906][ T6868] do_syscall_64+0x2d/0x70
[ 61.584301][ T6868] entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 61.590173][ T6868] RIP: 0033:0x443639
[ 61.594050][ T6868] Code: 18 89 d0 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 9b 0b fc ff c3 66 2e 0f 1f 84 00 00 00 00
[ 61.613637][ T6868] RSP: 002b:00007ffce83fede8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[ 61.622032][ T6868] RAX: ffffffffffffffda RBX: 00007ffce83fedf0 RCX: 0000000000443639
[ 61.629985][ T6868] RDX: 0000000000000000 RSI: 000000000000ae80 RDI: 0000000000000006
[ 61.638899][ T6868] RBP: 0000000000000000 R08: 0000000000000000 R09: 00000000004011b0
[ 61.646854][ T6868] R10: 0000000000000012 R11: 0000000000000246 R12: 0000000000404660
[ 61.655238][ T6868] R13: 00000000004046f0 R14: 0000000000000000 R15: 0000000000000000
[ 61.663202][ T6868]
[ 61.665505][ T6868] The buggy address belongs to the page:
[ 61.671293][ T6868] page:00000000333da1b6 refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x105
[ 61.682115][ T6868] flags: 0x7ffe0000000000()
[ 61.686600][ T6868] raw: 007ffe0000000000 ffffea0000004148 ffffea0000004148 0000000000000000
[ 61.695335][ T6868] raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000
[ 61.703907][ T6868] page dumped because: kasan: bad access detected
[ 61.710294][ T6868]
[ 61.712599][ T6868] Memory state around the buggy address:
[ 61.718205][ T6868]  ffff888000104f00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 61.727197][ T6868]  ffff888000104f80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 61.735247][ T6868] >ffff888000105000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 61.743303][ T6868]                    ^
[ 61.747350][ T6868]  ffff888000105080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 61.755388][ T6868]  ffff888000105100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 61.763422][ T6868] ==================================================================
[ 61.771721][ T6868] Disabling lock debugging due to kernel taint
[ 61.780566][ T6868] Kernel panic - not syncing: panic_on_warn set ...
[ 61.787182][ T6868] CPU: 0 PID: 6868 Comm: syz-executor636 Tainted: G B 5.9.0-rc1-next-20200820-syzkaller #0
[ 61.798490][ T6868] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 61.811116][ T6868] Call Trace:
[ 61.814531][ T6868] dump_stack+0x18f/0x20d
[ 61.818847][ T6868] ? paging32_walk_addr_generic+0x1480/0x1980
[ 61.824904][ T6868] panic+0x2e3/0x75c
[ 61.828778][ T6868] ? __warn_printk+0xf3/0xf3
[ 61.833350][ T6868] ? preempt_schedule_common+0x59/0xc0
[ 61.839047][ T6868] ? paging32_walk_addr_generic+0x155d/0x1980
[ 61.845115][ T6868] ? preempt_schedule_thunk+0x16/0x18
[ 61.850550][ T6868] ? trace_hardirqs_on+0x55/0x220
[ 61.855554][ T6868] ? paging32_walk_addr_generic+0x155d/0x1980
[ 61.861591][ T6868] ? paging32_walk_addr_generic+0x155d/0x1980
[ 61.867728][ T6868] end_report+0x4d/0x53
[ 61.871859][ T6868] kasan_report.cold+0xd/0x37
[ 61.876512][ T6868] ? paging32_walk_addr_generic+0x155d/0x1980
[ 61.882560][ T6868] check_memory_region+0x13d/0x180
[ 61.887734][ T6868] paging32_walk_addr_generic+0x155d/0x1980
[ 61.893607][ T6868] ? ept_gva_to_gpa+0x1e0/0x1e0
[ 61.898568][ T6868] ? lock_acquire+0x1f1/0xad0
[ 61.904112][ T6868] ? __might_fault+0xef/0x1d0
[ 61.908866][ T6868] ? find_held_lock+0x2d/0x110
[ 61.913612][ T6868] paging32_gva_to_gpa+0xb2/0x1d0
[ 61.918614][ T6868] ? paging32_walk_addr_generic+0x1980/0x1980
[ 61.924843][ T6868] ? vmx_read_guest_seg_ar+0x7a/0x160
[ 61.930206][ T6868] ? __virt_addr_valid+0x1fe/0x2b0
[ 61.935406][ T6868] ? __phys_addr+0x9a/0x110
[ 61.939892][ T6868] ? __phys_addr_symbol+0x2c/0x70
[ 61.948629][ T6868] ? __check_object_size+0x171/0x3e4
[ 61.953906][ T6868] ? __kvm_read_guest_page+0x138/0x170
[ 61.959457][ T6868] ? vmx_segment_cache_test_set+0xc3/0x170
[ 61.965245][ T6868] ? lock_is_held_type+0xbb/0xf0
[ 61.970181][ T6868] emulator_read_write_onepage+0x2f3/0xa70
[ 61.975997][ T6868] ? em_ltr+0xf0/0xf0
[ 61.979968][ T6868] emulator_read_write+0x1c4/0x5a0
[ 61.986225][ T6868] ? decode_operand+0xb7/0x30a0
[ 61.991052][ T6868] ? __sanitizer_cov_trace_switch+0x45/0x70
[ 61.997095][ T6868] emulator_fix_hypercall+0x132/0x190
[ 62.002528][ T6868] ? trace_event_raw_event_kvm_pio+0x490/0x490
[ 62.008681][ T6868] ? em_clts+0x100/0x100
[ 62.012914][ T6868] em_hypercall+0x5d/0x130
[ 62.017329][ T6868] x86_emulate_insn+0x5e8/0x3d20
[ 62.022678][ T6868] ? kvm_put_guest_fpu+0x4c0/0x4c0
[ 62.027765][ T6868] ? init_decode_cache+0xb0/0xb0
[ 62.032680][ T6868] ? lock_is_held_type+0xbb/0xf0
[ 62.037793][ T6868] x86_emulate_instruction+0x752/0x1e00
[ 62.043333][ T6868] handle_ud+0xa8/0x240
[ 62.047642][ T6868] ? kvm_emulate_instruction+0x30/0x30
[ 62.053093][ T6868] ? lock_acquire+0x1f1/0xad0
[ 62.057750][ T6868] ? vcpu_enter_guest+0x1371/0x3b60
[ 62.063537][ T6868] ? vmx_skip_emulated_instruction+0x250/0x250
[ 62.069693][ T6868] handle_exception_nmi+0xaf7/0x1270
[ 62.075042][ T6868] ? vmx_skip_emulated_instruction+0x250/0x250
[ 62.081177][ T6868] vmx_handle_exit+0x293/0x14c0
[ 62.086008][ T6868] vcpu_enter_guest+0x14d6/0x3b60
[ 62.091068][ T6868] ? kvm_vcpu_reload_apic_access_page+0x80/0x80
[ 62.097383][ T6868] ? lock_release+0x8e0/0x8e0
[ 62.102071][ T6868] ? mark_held_locks+0x9f/0xe0
[ 62.106900][ T6868] ? __local_bh_enable_ip+0xd1/0x190
[ 62.112161][ T6868] ? lock_is_held_type+0xbb/0xf0
[ 62.117078][ T6868] ? kvm_arch_vcpu_ioctl_run+0x440/0x1780
[ 62.122770][ T6868] kvm_arch_vcpu_ioctl_run+0x440/0x1780
[ 62.128382][ T6868] kvm_vcpu_ioctl+0x467/0xdf0
[ 62.133059][ T6868] ? kvm_gfn_to_hva_cache_init+0x1a0/0x1a0
[ 62.138862][ T6868] ? generic_block_fiemap+0x60/0x60
[ 62.144036][ T6868] ? __up_read+0x1a1/0x7b0
[ 62.148461][ T6868] ? _down_write_nest_lock+0x150/0x150
[ 62.153899][ T6868] ? bpf_lsm_file_ioctl+0x5/0x10
[ 62.158818][ T6868] ? kvm_gfn_to_hva_cache_init+0x1a0/0x1a0
[ 62.164623][ T6868] __x64_sys_ioctl+0x193/0x200
[ 62.169383][ T6868] do_syscall_64+0x2d/0x70
[ 62.173778][ T6868] entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 62.179750][ T6868] RIP: 0033:0x443639
[ 62.183654][ T6868] Code: 18 89 d0 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 9b 0b fc ff c3 66 2e 0f 1f 84 00 00 00 00
[ 62.203243][ T6868] RSP: 002b:00007ffce83fede8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[ 62.211640][ T6868] RAX: ffffffffffffffda RBX: 00007ffce83fedf0 RCX: 0000000000443639
[ 62.219678][ T6868] RDX: 0000000000000000 RSI: 000000000000ae80 RDI: 0000000000000006
[ 62.227647][ T6868] RBP: 0000000000000000 R08: 0000000000000000 R09: 00000000004011b0
[ 62.235613][ T6868] R10: 0000000000000012 R11: 0000000000000246 R12: 0000000000404660
[ 62.243671][ T6868] R13: 00000000004046f0 R14: 0000000000000000 R15: 0000000000000000
[ 62.253409][ T6868] Kernel Offset: disabled
[ 62.257736][ T6868] Rebooting in 86400 seconds..
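The log above is a raw syzkaller console capture and carries no explanation of how to read it. The triage helper below is an added example, not part of the original log, of syzkaller or of the kernel: it pulls out of a generic-KASAN report the fields a responder needs first. It takes the bug type, faulting function and access kind/size/address/task from the two header lines; walks only the first "Call Trace:" (the second one is printed by panic() because panic_on_warn is set) and drops the "? sym" entries, which the unwinder marks as stack slots it could not verify as real callers; names the first frame outside the reporting machinery as the culprit, which is how syzkaller builds its title; and decodes the shadow byte under the caret in the "Memory state" block. Two things are the author's reading of the kernel source rather than anything the page states: the list of reporting-machinery frames in REPORT_FRAMES and the shadow-value table in SHADOW_MEANING (taken from mm/kasan/kasan.h: one shadow byte covers 8 bytes, 0xff marks a freed page, 0xfb a freed slab object). The sample input is an abbreviated excerpt of this page's report.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

SHADOW_SCALE = 8  # one generic-KASAN shadow byte describes 8 bytes of memory
SHADOW_MEANING = {  # encodings from mm/kasan/kasan.h (author's reading of the kernel source)
    0x00: "fully addressable",
    0xFF: "freed page (KASAN_FREE_PAGE)",
    0xFE: "redzone of a large kmalloc (KASAN_PAGE_REDZONE)",
    0xFC: "redzone inside a slab object (KASAN_KMALLOC_REDZONE)",
    0xFB: "freed slab object (KASAN_KMALLOC_FREE)",
}
# Frames of the reporting machinery itself; the first frame after them is the culprit (assumed list).
REPORT_FRAMES = ("dump_stack", "print_address_description", "kasan_report",
                 "check_memory_region", "__asan_", "__kasan_")

PREFIX = re.compile(r"^\[\s*\d+\.\d+\]\[\s*T\d+\]\s?")  # "[ 61.195017][ T6868] "
HEADER = re.compile(r"BUG: KASAN: (?P<bug>[\w-]+) in (?P<func>\w+)\+0x(?P<off>[0-9a-f]+)/0x[0-9a-f]+")
ACCESS = re.compile(r"(?P<kind>Read|Write) of size (?P<size>\d+) at addr (?P<addr>[0-9a-f]{16}) by task (?P<comm>\S+)/(?P<pid>\d+)")
FRAME = re.compile(r"^(?P<q>\?\s+)?(?P<sym>[\w.]+)\+0x[0-9a-f]+/0x[0-9a-f]+$")
SHADOW_ROW = re.compile(r"^>?\s*(?P<addr>[0-9a-f]{16}): (?P<bytes>(?:[0-9a-f]{2}\s?){16})$")


@dataclass
class KasanReport:
    bug_type: str          # e.g. "use-after-free"
    func: str              # function named in the header line
    offset: int            # offset into func, from "+0x..."
    access: str            # "Read" or "Write"
    access_size: int
    addr: int
    comm: str
    pid: int
    frames: List[str]      # reliable call-trace frames, in order ("? sym" entries dropped)
    shadow_byte: Optional[int]

    @property
    def culprit(self) -> Optional[str]:
        return next((f for f in self.frames if not f.startswith(REPORT_FRAMES)), None)

    @property
    def shadow_meaning(self) -> str:
        b = self.shadow_byte
        if b is None:
            return "unknown"
        if 1 <= b <= 7:
            return f"partially addressable ({b} of 8 bytes)"
        return SHADOW_MEANING.get(b, f"unrecognised shadow value 0x{b:02x}")

    def summary(self) -> str:  # syzkaller-style title line
        return f"KASAN: {self.bug_type} {self.access} in {self.culprit}"


def parse_kasan_report(log: str) -> KasanReport:
    hdr = acc = shadow = None
    frames: List[str] = []
    in_trace = trace_seen = False
    for raw in log.splitlines():
        s = PREFIX.sub("", raw).strip()
        if hdr is None:
            hdr = HEADER.search(s)
        elif acc is None:
            acc = ACCESS.search(s)
        elif s == "Call Trace:" and not trace_seen:  # first trace only; panic() prints a second one
            in_trace = trace_seen = True
        elif in_trace and (m := FRAME.match(s)):
            if not m.group("q"):  # "? sym" is a stack slot the unwinder could not verify as a caller
                frames.append(m.group("sym"))
        else:
            in_trace = False  # first non-frame line ends the trace
            m = SHADOW_ROW.match(s)
            if m:
                row, addr = int(m.group("addr"), 16), int(acc.group("addr"), 16)
                if row <= addr < row + 16 * SHADOW_SCALE:  # a row covers 16 shadow bytes = 128 bytes
                    shadow = int(m.group("bytes").split()[(addr - row) // SHADOW_SCALE], 16)
    if hdr is None or acc is None:
        raise ValueError("no KASAN header/access line found")
    return KasanReport(hdr["bug"], hdr["func"], int(hdr["off"], 16), acc["kind"], int(acc["size"]),
                       int(acc["addr"], 16), acc["comm"], int(acc["pid"]), frames, shadow)


# Constructed sample: an abbreviated excerpt of the report on this page.
SAMPLE_REPORT = """\
[ 61.195017][ T6868] BUG: KASAN: use-after-free in paging32_walk_addr_generic+0x155d/0x1980
[ 61.203547][ T6868] Write of size 4 at addr ffff888000105000 by task syz-executor636/6868
[ 61.234430][ T6868] Call Trace:
[ 61.237715][ T6868] dump_stack+0x18f/0x20d
[ 61.242037][ T6868] ? paging32_walk_addr_generic+0x155d/0x1980
[ 61.254715][ T6868] print_address_description.constprop.0.cold+0xae/0x497
[ 61.284005][ T6868] kasan_report.cold+0x1f/0x37
[ 61.294933][ T6868] check_memory_region+0x13d/0x180
[ 61.300041][ T6868] paging32_walk_addr_generic+0x155d/0x1980
[ 61.325430][ T6868] paging32_gva_to_gpa+0xb2/0x1d0
[ 61.712599][ T6868] Memory state around the buggy address:
[ 61.735247][ T6868] >ffff888000105000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 61.743303][ T6868]                    ^
"""
REPORT = parse_kasan_report(SAMPLE_REPORT)
```

On the excerpt, `REPORT.summary()` gives `KASAN: use-after-free Write in paging32_walk_addr_generic`, and the shadow byte under the caret decodes as a freed page, which agrees with the `refcount:0` in the page dump above. Feed the whole reformatted log in and the result is the same, because the second trace and the register dumps are ignored.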