[ OK ] Listening on Load/Save RF Kill Switch Status /dev/rfkill Watch.
[ OK ] Started Getty on tty6.
[ OK ] Started Getty on tty5.
[ OK ] Started Getty on tty4.
[ OK ] Started Getty on tty3.
[ OK ] Started Getty on tty2.
[ OK ] Started Getty on tty1.
[ OK ] Started Serial Getty on ttyS0.
[ OK ] Reached target Login Prompts.
[ OK ] Reached target Multi-User System.
[ OK ] Reached target Graphical Interface.
         Starting Update UTMP about System Runlevel Changes...
         Starting Load/Save RF Kill Switch Status...
[ OK ] Started Update UTMP about System Runlevel Changes.
[ OK ] Started Load/Save RF Kill Switch Status.

Debian GNU/Linux 9 syzkaller ttyS0

Warning: Permanently added '10.128.10.6' (ECDSA) to the list of known hosts.
executing program
syzkaller login: [ 61.242677][ T28] audit: type=1400 audit(1595617353.175:8): avc: denied { execmem } for pid=6834 comm="syz-executor413" scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=process permissive=1
[ 61.255780][ T6835] IPVS: ftp: loaded support on port[0] = 21
[ 61.387248][ T6835] ==================================================================
[ 61.395456][ T6835] BUG: KASAN: use-after-free in sock_def_write_space+0x609/0x630
[ 61.403139][ T6835] Read of size 8 at addr ffff888084a2f080 by task syz-executor413/6835
[ 61.411376][ T6835]
[ 61.413682][ T6835] CPU: 1 PID: 6835 Comm: syz-executor413 Not tainted 5.8.0-rc6-syzkaller #0
[ 61.422315][ T6835] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 61.432338][ T6835] Call Trace:
[ 61.435610][ T6835]  dump_stack+0x18f/0x20d
[ 61.439960][ T6835]  ? sock_def_write_space+0x609/0x630
[ 61.445299][ T6835]  ? sock_def_write_space+0x609/0x630
[ 61.450643][ T6835]  print_address_description.constprop.0.cold+0xae/0x436
[ 61.457637][ T6835]  ? lockdep_hardirqs_off+0x66/0xa0
[ 61.462805][ T6835]  ? vprintk_func+0x97/0x1a6
[ 61.467380][ T6835]  ? sock_def_write_space+0x609/0x630
[ 61.472724][ T6835]  kasan_report.cold+0x1f/0x37
[ 61.477462][ T6835]  ? sock_def_write_space+0x609/0x630
[ 61.482803][ T6835]  sock_def_write_space+0x609/0x630
[ 61.487971][ T6835]  ? kfree_skb+0x7d/0x100
[ 61.492272][ T6835]  ? qrtr_tun_poll+0xf0/0xf0
[ 61.496830][ T6835]  sock_wfree+0x1cc/0x240
[ 61.501130][ T6835]  ? __sk_receive_skb+0x830/0x830
[ 61.506123][ T6835]  skb_release_head_state+0x9f/0x250
[ 61.511386][ T6835]  kfree_skb.part.0+0x89/0x350
[ 61.516120][ T6835]  kfree_skb+0x7d/0x100
[ 61.520245][ T6835]  skb_queue_purge+0x14/0x30
[ 61.524806][ T6835]  qrtr_tun_release+0x40/0x60
[ 61.529452][ T6835]  __fput+0x33c/0x880
[ 61.533406][ T6835]  task_work_run+0xdd/0x190
[ 61.537882][ T6835]  __prepare_exit_to_usermode+0x1e9/0x1f0
[ 61.543598][ T6835]  do_syscall_64+0x6c/0xe0
[ 61.547987][ T6835]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 61.553851][ T6835] RIP: 0033:0x401040
[ 61.557710][ T6835] Code: Bad RIP value.
[ 61.561748][ T6835] RSP: 002b:00007fffb532dd28 EFLAGS: 00000246 ORIG_RAX: 0000000000000003
[ 61.570127][ T6835] RAX: 0000000000000000 RBX: 0000000000000007 RCX: 0000000000401040
[ 61.578067][ T6835] RDX: 0000000000000000 RSI: 0000000020000180 RDI: 0000000000000006
[ 61.586006][ T6835] RBP: 00007fffb532dd30 R08: 0000000120080522 R09: 0000000120080522
[ 61.593963][ T6835] R10: 0000000000000000 R11: 0000000000000246 R12: 00000000004a5ff0
[ 61.601924][ T6835] R13: 0000000000402150 R14: 0000000000000000 R15: 0000000000000000
[ 61.609871][ T6835]
[ 61.612169][ T6835] Allocated by task 6835:
[ 61.616471][ T6835]  save_stack+0x1b/0x40
[ 61.620596][ T6835]  __kasan_kmalloc.constprop.0+0xc2/0xd0
[ 61.626203][ T6835]  kmem_cache_alloc+0x12c/0x3b0
[ 61.631036][ T6835]  sock_alloc_inode+0x18/0x1c0
[ 61.635771][ T6835]  alloc_inode+0x61/0x230
[ 61.640074][ T6835]  new_inode_pseudo+0x14/0xe0
[ 61.644734][ T6835]  sock_alloc+0x3c/0x260
[ 61.648945][ T6835]  __sock_create+0xb9/0x740
[ 61.653416][ T6835]  __sys_socket+0xef/0x200
[ 61.657800][ T6835]  __x64_sys_socket+0x6f/0xb0
[ 61.662460][ T6835]  do_syscall_64+0x60/0xe0
[ 61.666857][ T6835]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 61.672712][ T6835]
[ 61.675007][ T6835] Freed by task 0:
[ 61.678698][ T6835]  save_stack+0x1b/0x40
[ 61.682828][ T6835]  __kasan_slab_free+0xf5/0x140
[ 61.687650][ T6835]  kmem_cache_free+0x7f/0x310
[ 61.692299][ T6835]  i_callback+0x3f/0x70
[ 61.696434][ T6835]  rcu_core+0x5c7/0x1160
[ 61.700646][ T6835]  __do_softirq+0x34c/0xa60
[ 61.705111][ T6835]
[ 61.707418][ T6835] The buggy address belongs to the object at ffff888084a2f000
[ 61.707418][ T6835]  which belongs to the cache sock_inode_cache of size 1216
[ 61.721960][ T6835] The buggy address is located 128 bytes inside of
[ 61.721960][ T6835]  1216-byte region [ffff888084a2f000, ffff888084a2f4c0)
[ 61.735280][ T6835] The buggy address belongs to the page:
[ 61.740888][ T6835] page:ffffea0002128bc0 refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff888084a2fffd
[ 61.751265][ T6835] flags: 0xfffe0000000200(slab)
[ 61.756100][ T6835] raw: 00fffe0000000200 ffffea0002128b88 ffff8880a9720a50 ffff88821bb87e00
[ 61.764651][ T6835] raw: ffff888084a2fffd ffff888084a2f000 0000000100000003 0000000000000000
[ 61.773197][ T6835] page dumped because: kasan: bad access detected
[ 61.779575][ T6835]
[ 61.781889][ T6835] Memory state around the buggy address:
[ 61.787490][ T6835]  ffff888084a2ef80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 61.795560][ T6835]  ffff888084a2f000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 61.803588][ T6835] >ffff888084a2f080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 61.811614][ T6835]                    ^
[ 61.815669][ T6835]  ffff888084a2f100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 61.823708][ T6835]  ffff888084a2f180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 61.831749][ T6835] ==================================================================
[ 61.839776][ T6835] Disabling lock debugging due to kernel taint
[ 61.856737][ T6835] Kernel panic - not syncing: panic_on_warn set ...
[ 61.863411][ T6835] CPU: 1 PID: 6835 Comm: syz-executor413 Tainted: G B 5.8.0-rc6-syzkaller #0
[ 61.873446][ T6835] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 61.883470][ T6835] Call Trace:
[ 61.886736][ T6835]  dump_stack+0x18f/0x20d
[ 61.891047][ T6835]  ? sock_def_write_space+0x540/0x630
[ 61.896391][ T6835]  panic+0x2e3/0x75c
[ 61.900270][ T6835]  ? __warn_printk+0xf3/0xf3
[ 61.904833][ T6835]  ? preempt_schedule_common+0x59/0xc0
[ 61.910260][ T6835]  ? sock_def_write_space+0x609/0x630
[ 61.915601][ T6835]  ? preempt_schedule_thunk+0x16/0x18
[ 61.920954][ T6835]  ? trace_hardirqs_on+0x55/0x220
[ 61.925945][ T6835]  ? sock_def_write_space+0x609/0x630
[ 61.931285][ T6835]  ? sock_def_write_space+0x609/0x630
[ 61.936647][ T6835]  end_report+0x4d/0x53
[ 61.940770][ T6835]  kasan_report.cold+0xd/0x37
[ 61.945415][ T6835]  ? sock_def_write_space+0x609/0x630
[ 61.950767][ T6835]  sock_def_write_space+0x609/0x630
[ 61.955933][ T6835]  ? kfree_skb+0x7d/0x100
[ 61.960245][ T6835]  ? qrtr_tun_poll+0xf0/0xf0
[ 61.964816][ T6835]  sock_wfree+0x1cc/0x240
[ 61.969115][ T6835]  ? __sk_receive_skb+0x830/0x830
[ 61.974108][ T6835]  skb_release_head_state+0x9f/0x250
[ 61.979362][ T6835]  kfree_skb.part.0+0x89/0x350
[ 61.984094][ T6835]  kfree_skb+0x7d/0x100
[ 61.988219][ T6835]  skb_queue_purge+0x14/0x30
[ 61.992808][ T6835]  qrtr_tun_release+0x40/0x60
[ 61.997455][ T6835]  __fput+0x33c/0x880
[ 62.001408][ T6835]  task_work_run+0xdd/0x190
[ 62.005968][ T6835]  __prepare_exit_to_usermode+0x1e9/0x1f0
[ 62.011686][ T6835]  do_syscall_64+0x6c/0xe0
[ 62.016072][ T6835]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 62.021938][ T6835] RIP: 0033:0x401040
[ 62.025798][ T6835] Code: Bad RIP value.
[ 62.029830][ T6835] RSP: 002b:00007fffb532dd28 EFLAGS: 00000246 ORIG_RAX: 0000000000000003
[ 62.038223][ T6835] RAX: 0000000000000000 RBX: 0000000000000007 RCX: 0000000000401040
[ 62.046159][ T6835] RDX: 0000000000000000 RSI: 0000000020000180 RDI: 0000000000000006
[ 62.054098][ T6835] RBP: 00007fffb532dd30 R08: 0000000120080522 R09: 0000000120080522
[ 62.062077][ T6835] R10: 0000000000000000 R11: 0000000000000246 R12: 00000000004a5ff0
[ 62.070016][ T6835] R13: 0000000000402150 R14: 0000000000000000 R15: 0000000000000000
[ 62.079203][ T6835] Kernel Offset: disabled
[ 62.083514][ T6835] Rebooting in 86400 seconds..