[ OK ] Reached target Graphical Interface.
Starting Update UTMP about System Runlevel Changes...
[ OK ] Started Update UTMP about System Runlevel Changes.
Starting Load/Save RF Kill Switch Status...
[ OK ] Started Load/Save RF Kill Switch Status.

Debian GNU/Linux 9 syzkaller ttyS0

Warning: Permanently added '10.128.0.2' (ECDSA) to the list of known hosts.
executing program
executing program
syzkaller login: [ 35.851229] ==================================================================
[ 35.858990] BUG: KASAN: use-after-free in __list_add_valid+0x81/0xa0
[ 35.865802] Read of size 8 at addr ffff88808dfa03c0 by task syz-executor272/8133
[ 35.873491]
[ 35.875290] CPU: 0 PID: 8133 Comm: syz-executor272 Not tainted 4.19.199-syzkaller #0
[ 35.883255] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 35.892604] Call Trace:
[ 35.895195]  dump_stack+0x1fc/0x2ef
[ 35.898900]  print_address_description.cold+0x54/0x219
[ 35.904333]  kasan_report_error.cold+0x8a/0x1b9
[ 35.909020]  ? __list_add_valid+0x81/0xa0
[ 35.913179]  __asan_report_load8_noabort+0x88/0x90
[ 35.918105]  ? __list_add_valid+0x81/0xa0
[ 35.922258]  __list_add_valid+0x81/0xa0
[ 35.926254]  chrdev_open+0x4b9/0x770
[ 35.929952]  ? __register_chrdev+0x400/0x400
[ 35.934417]  do_dentry_open+0x4aa/0x1160
[ 35.938463]  ? __register_chrdev+0x400/0x400
[ 35.942859]  ? inode_permission.part.0+0x10c/0x450
[ 35.947791]  ? chown_common+0x550/0x550
[ 35.951922]  ? inode_permission+0x3d/0x140
[ 35.956160]  path_openat+0x793/0x2df0
[ 35.960651]  ? path_lookupat+0x8d0/0x8d0
[ 35.964707]  ? mark_held_locks+0xf0/0xf0
[ 35.968759]  do_filp_open+0x18c/0x3f0
[ 35.972545]  ? may_open_dev+0xf0/0xf0
[ 35.976346]  ? lock_downgrade+0x720/0x720
[ 35.980850]  ? lock_acquire+0x170/0x3c0
[ 35.984834]  ? __alloc_fd+0x34/0x570
[ 35.988531]  ? do_raw_spin_unlock+0x171/0x230
[ 35.993018]  ? _raw_spin_unlock+0x29/0x40
[ 35.997160]  ? __alloc_fd+0x28d/0x570
[ 36.001049]  do_sys_open+0x3b3/0x520
[ 36.004850]  ? filp_open+0x70/0x70
[ 36.008390]  ? entry_SYSCALL_64_after_hwframe+0x3e/0xbe
[ 36.013829]  ? trace_hardirqs_off_caller+0x6e/0x210
[ 36.018830]  ? do_syscall_64+0x21/0x620
[ 36.022792]  do_syscall_64+0xf9/0x620
[ 36.027626]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 36.032973] RIP: 0033:0x4467f9
[ 36.036148] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 41 15 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
[ 36.055143] RSP: 002b:00007fe5481ec2f8 EFLAGS: 00000246 ORIG_RAX: 0000000000000055
[ 36.062925] RAX: ffffffffffffffda RBX: 00000000004d0510 RCX: 00000000004467f9
[ 36.070188] RDX: 00000000004467f9 RSI: 0000000000000000 RDI: 0000000020000140
[ 36.077449] RBP: 00000000004a013c R08: 0000000000000000 R09: 0000000000000000
[ 36.084798] R10: 0000000000000000 R11: 0000000000000246 R12: 000000000049c130
[ 36.092182] R13: 000000000049e138 R14: 2f30656c69662f2e R15: 00000000004d0518
[ 36.099549]
[ 36.101269] Allocated by task 8126:
[ 36.104980]  kmem_cache_alloc+0x122/0x370
[ 36.109204]  fuse_alloc_inode+0x1d/0x3f0
[ 36.113257]  alloc_inode+0x5d/0x180
[ 36.116870]  iget5_locked+0x57/0xd0
[ 36.120483]  fuse_iget+0x1a6/0x800
[ 36.124046]  fuse_lookup_name+0x413/0x5c0
[ 36.128181]  fuse_lookup+0xdf/0x410
[ 36.131793]  fuse_atomic_open+0x20a/0x330
[ 36.135928]  lookup_open+0x1023/0x1a20
[ 36.139802]  path_openat+0x1094/0x2df0
[ 36.143696]  do_filp_open+0x18c/0x3f0
[ 36.147484]  do_sys_open+0x3b3/0x520
[ 36.151204]  do_syscall_64+0xf9/0x620
[ 36.155001]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 36.160281]
[ 36.161984] Freed by task 0:
[ 36.164997]  kmem_cache_free+0x7f/0x260
[ 36.168961]  rcu_process_callbacks+0x8ff/0x18b0
[ 36.173637]  __do_softirq+0x265/0x980
[ 36.177680]
[ 36.179295] The buggy address belongs to the object at ffff88808dfa0040
[ 36.179295]  which belongs to the cache fuse_inode of size 1264
[ 36.192122] The buggy address is located 896 bytes inside of
[ 36.192122]  1264-byte region [ffff88808dfa0040, ffff88808dfa0530)
[ 36.204064] The buggy address belongs to the page:
[ 36.208983] page:ffffea000237e800 count:1 mapcount:0 mapping:ffff8880b0f1d480 index:0xffff88808dfa0ffe
[ 36.218415] flags: 0xfff00000000100(slab)
[ 36.222565] raw: 00fff00000000100 ffff8880b0f25848 ffffea000237fbc8 ffff8880b0f1d480
[ 36.230717] raw: ffff88808dfa0ffe ffff88808dfa0040 0000000100000002 0000000000000000
[ 36.238579] page dumped because: kasan: bad access detected
[ 36.244293]
[ 36.245919] Memory state around the buggy address:
[ 36.250837]  ffff88808dfa0280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 36.258329]  ffff88808dfa0300: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 36.265674] >ffff88808dfa0380: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 36.273325]                                            ^
[ 36.278776]  ffff88808dfa0400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 36.286368]  ffff88808dfa0480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 36.293709] ==================================================================
[ 36.301051] Disabling lock debugging due to kernel taint
[ 36.306784] Kernel panic - not syncing: panic_on_warn set ...
[ 36.306784]
[ 36.314156] CPU: 0 PID: 8133 Comm: syz-executor272 Tainted: G B 4.19.199-syzkaller #0
[ 36.323420] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 36.332872] Call Trace:
[ 36.335448]  dump_stack+0x1fc/0x2ef
[ 36.339252]  panic+0x26a/0x50e
[ 36.342426]  ? __warn_printk+0xf3/0xf3
[ 36.346302]  ? retint_kernel+0x2d/0x2d
[ 36.350174]  ? trace_hardirqs_on+0x55/0x210
[ 36.354579]  kasan_end_report+0x43/0x49
[ 36.358557]  kasan_report_error.cold+0xa7/0x1b9
[ 36.363523]  ? __list_add_valid+0x81/0xa0
[ 36.367673]  __asan_report_load8_noabort+0x88/0x90
[ 36.372629]  ? __list_add_valid+0x81/0xa0
[ 36.376880]  __list_add_valid+0x81/0xa0
[ 36.380875]  chrdev_open+0x4b9/0x770
[ 36.384575]  ? __register_chrdev+0x400/0x400
[ 36.388984]  do_dentry_open+0x4aa/0x1160
[ 36.393029]  ? __register_chrdev+0x400/0x400
[ 36.397507]  ? inode_permission.part.0+0x10c/0x450
[ 36.402420]  ? chown_common+0x550/0x550
[ 36.406378]  ? inode_permission+0x3d/0x140
[ 36.410631]  path_openat+0x793/0x2df0
[ 36.414465]  ? path_lookupat+0x8d0/0x8d0
[ 36.418737]  ? mark_held_locks+0xf0/0xf0
[ 36.422785]  do_filp_open+0x18c/0x3f0
[ 36.426566]  ? may_open_dev+0xf0/0xf0
[ 36.430533]  ? lock_downgrade+0x720/0x720
[ 36.434664]  ? lock_acquire+0x170/0x3c0
[ 36.438619]  ? __alloc_fd+0x34/0x570
[ 36.442404]  ? do_raw_spin_unlock+0x171/0x230
[ 36.446964]  ? _raw_spin_unlock+0x29/0x40
[ 36.451094]  ? __alloc_fd+0x28d/0x570
[ 36.454874]  do_sys_open+0x3b3/0x520
[ 36.458585]  ? filp_open+0x70/0x70
[ 36.462105]  ? entry_SYSCALL_64_after_hwframe+0x3e/0xbe
[ 36.467808]  ? trace_hardirqs_off_caller+0x6e/0x210
[ 36.472817]  ? do_syscall_64+0x21/0x620
[ 36.476771]  do_syscall_64+0xf9/0x620
[ 36.480599]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 36.485765] RIP: 0033:0x4467f9
[ 36.488937] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 41 15 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
[ 36.507827] RSP: 002b:00007fe5481ec2f8 EFLAGS: 00000246 ORIG_RAX: 0000000000000055
[ 36.515530] RAX: ffffffffffffffda RBX: 00000000004d0510 RCX: 00000000004467f9
[ 36.523138] RDX: 00000000004467f9 RSI: 0000000000000000 RDI: 0000000020000140
[ 36.530497] RBP: 00000000004a013c R08: 0000000000000000 R09: 0000000000000000
[ 36.537851] R10: 0000000000000000 R11: 0000000000000246 R12: 000000000049c130
[ 36.545103] R13: 000000000049e138 R14: 2f30656c69662f2e R15: 00000000004d0518
[ 36.554052] Kernel Offset: disabled
[ 36.557700] Rebooting in 86400 seconds..