Debian GNU/Linux 9 syzkaller ttyS0
Warning: Permanently added '10.128.0.236' (ECDSA) to the list of known hosts.
executing program
syzkaller login: [ 32.309176] L1TF CPU bug present and SMT on, data leak possible. See CVE-2018-3646 and https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/l1tf.html for details.
[ 32.333157] FAULT_INJECTION: forcing a failure.
[ 32.333157] name failslab, interval 1, probability 0, space 0, times 1
[ 32.344768] CPU: 1 PID: 8079 Comm: syz-executor167 Not tainted 4.19.211-syzkaller #0
[ 32.352633] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/18/2022
[ 32.361968] Call Trace:
[ 32.364555]  dump_stack+0x1fc/0x2ef
[ 32.368166]  should_fail.cold+0xa/0xf
[ 32.371953]  ? setup_fault_attr+0x200/0x200
[ 32.376256]  ? lock_acquire+0x170/0x3c0
[ 32.380218]  __should_failslab+0x115/0x180
[ 32.384435]  should_failslab+0x5/0x10
[ 32.388215]  __kmalloc+0x2ab/0x3c0
[ 32.391752]  ? kvm_io_bus_unregister_dev+0x14a/0x3b0
[ 32.396840]  kvm_io_bus_unregister_dev+0x14a/0x3b0
[ 32.401755]  kvm_vm_ioctl_unregister_coalesced_mmio+0x1be/0x2c0
[ 32.407806]  kvm_vm_ioctl+0x532/0x1700
[ 32.411673]  ? _kstrtoull+0x297/0x540
[ 32.415471]  ? kvm_vcpu_release+0xa0/0xa0
[ 32.419623]  ? _copy_from_user+0xd2/0x130
[ 32.423764]  ? get_pid_task+0xcd/0x190
[ 32.427633]  ? check_preemption_disabled+0x41/0x280
[ 32.432629]  ? lock_downgrade+0x720/0x720
[ 32.436757]  ? check_preemption_disabled+0x41/0x280
[ 32.441756]  ? get_pid_task+0xf4/0x190
[ 32.445624]  ? proc_fail_nth_write+0x95/0x1d0
[ 32.450100]  ? proc_tgid_io_accounting+0x7f0/0x7f0
[ 32.455011]  ? debug_check_no_obj_freed+0x201/0x490
[ 32.460008]  ? __vfs_write+0xff/0x770
[ 32.463797]  ? proc_tgid_io_accounting+0x7f0/0x7f0
[ 32.468880]  ? common_file_perm+0x4e5/0x850
[ 32.473185]  ? kvm_vcpu_release+0xa0/0xa0
[ 32.477327]  do_vfs_ioctl+0xcdb/0x12e0
[ 32.481193]  ? vfs_write+0x3d7/0x540
[ 32.484890]  ? ioctl_preallocate+0x200/0x200
[ 32.489280]  ? lock_downgrade+0x720/0x720
[ 32.493410]  ? check_preemption_disabled+0x41/0x280
[ 32.498421]  ? vfs_write+0x393/0x540
[ 32.502136]  ? ksys_write+0x1c8/0x2a0
[ 32.505925]  ksys_ioctl+0x9b/0xc0
[ 32.509359]  __x64_sys_ioctl+0x6f/0xb0
[ 32.513227]  ? lockdep_hardirqs_on+0x3a8/0x5c0
[ 32.517788]  do_syscall_64+0xf9/0x620
[ 32.521574]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 32.526744] RIP: 0033:0x7f2f2ecf4739
[ 32.530441] Code: 28 c3 e8 2a 14 00 00 66 2e 0f 1f 84 00 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48
[ 32.549336] RSP: 002b:00007ffe5932fcc8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[ 32.557023] RAX: ffffffffffffffda RBX: 0000000000000001 RCX: 00007f2f2ecf4739
[ 32.564272] RDX: 00000000200002c0 RSI: 000000004010ae68 RDI: 0000000000000004
[ 32.571522] RBP: 00007ffe5932fcd0 R08: 0000000000000001 R09: 00007f2f2ecb0031
[ 32.578774] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000005
[ 32.586023] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[ 32.594537] kvm: failed to shrink bus, removing it completely
[ 32.600995] ==================================================================
[ 32.608518] BUG: KASAN: use-after-free in kvm_vm_ioctl_unregister_coalesced_mmio+0x25a/0x2c0
[ 32.617203] Read of size 8 at addr ffff8880b3a0f080 by task syz-executor167/8079
[ 32.624807]
[ 32.626420] CPU: 0 PID: 8079 Comm: syz-executor167 Not tainted 4.19.211-syzkaller #0
[ 32.634285] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/18/2022
[ 32.643624] Call Trace:
[ 32.646201]  dump_stack+0x1fc/0x2ef
[ 32.649820]  print_address_description.cold+0x54/0x219
[ 32.655097]  kasan_report_error.cold+0x8a/0x1b9
[ 32.659758]  ? kvm_vm_ioctl_unregister_coalesced_mmio+0x25a/0x2c0
[ 32.665988]  __asan_report_load8_noabort+0x88/0x90
[ 32.670922]  ? kvm_vm_ioctl_unregister_coalesced_mmio+0x25a/0x2c0
[ 32.677160]  ? kvm_vm_create_worker_thread+0x240/0x240
[ 32.682424]  kvm_vm_ioctl_unregister_coalesced_mmio+0x25a/0x2c0
[ 32.688472]  kvm_vm_ioctl+0x532/0x1700
[ 32.692352]  ? _kstrtoull+0x297/0x540
[ 32.696142]  ? kvm_vcpu_release+0xa0/0xa0
[ 32.700278]  ? _copy_from_user+0xd2/0x130
[ 32.704415]  ? get_pid_task+0xcd/0x190
[ 32.708295]  ? check_preemption_disabled+0x41/0x280
[ 32.713349]  ? lock_downgrade+0x720/0x720
[ 32.717493]  ? check_preemption_disabled+0x41/0x280
[ 32.722505]  ? get_pid_task+0xf4/0x190
[ 32.726382]  ? proc_fail_nth_write+0x95/0x1d0
[ 32.730860]  ? proc_tgid_io_accounting+0x7f0/0x7f0
[ 32.735784]  ? debug_check_no_obj_freed+0x201/0x490
[ 32.740852]  ? __vfs_write+0xff/0x770
[ 32.744632]  ? proc_tgid_io_accounting+0x7f0/0x7f0
[ 32.749589]  ? common_file_perm+0x4e5/0x850
[ 32.753909]  ? kvm_vcpu_release+0xa0/0xa0
[ 32.758040]  do_vfs_ioctl+0xcdb/0x12e0
[ 32.761911]  ? vfs_write+0x3d7/0x540
[ 32.765612]  ? ioctl_preallocate+0x200/0x200
[ 32.770002]  ? lock_downgrade+0x720/0x720
[ 32.774131]  ? check_preemption_disabled+0x41/0x280
[ 32.779130]  ? vfs_write+0x393/0x540
[ 32.782826]  ? ksys_write+0x1c8/0x2a0
[ 32.786606]  ksys_ioctl+0x9b/0xc0
[ 32.790065]  __x64_sys_ioctl+0x6f/0xb0
[ 32.793930]  ? lockdep_hardirqs_on+0x3a8/0x5c0
[ 32.798490]  do_syscall_64+0xf9/0x620
[ 32.802271]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 32.807444] RIP: 0033:0x7f2f2ecf4739
[ 32.811152] Code: 28 c3 e8 2a 14 00 00 66 2e 0f 1f 84 00 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48
[ 32.830033] RSP: 002b:00007ffe5932fcc8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[ 32.837720] RAX: ffffffffffffffda RBX: 0000000000000001 RCX: 00007f2f2ecf4739
[ 32.844968] RDX: 00000000200002c0 RSI: 000000004010ae68 RDI: 0000000000000004
[ 32.852215] RBP: 00007ffe5932fcd0 R08: 0000000000000001 R09: 00007f2f2ecb0031
[ 32.859463] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000005
[ 32.866709] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[ 32.873959]
[ 32.875562] Allocated by task 8079:
[ 32.879170]  kmem_cache_alloc_trace+0x12f/0x380
[ 32.883817]  kvm_vm_ioctl_register_coalesced_mmio+0x51/0x350
[ 32.889598]  kvm_vm_ioctl+0xc63/0x1700
[ 32.893463]  do_vfs_ioctl+0xcdb/0x12e0
[ 32.897328]  ksys_ioctl+0x9b/0xc0
[ 32.900757]  __x64_sys_ioctl+0x6f/0xb0
[ 32.904621]  do_syscall_64+0xf9/0x620
[ 32.908401]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 32.913561]
[ 32.915168] Freed by task 8079:
[ 32.918426]  kfree+0xcc/0x210
[ 32.921509]  kvm_io_bus_unregister_dev.cold+0xf0/0x110
[ 32.926769]  kvm_vm_ioctl_unregister_coalesced_mmio+0x1be/0x2c0
[ 32.932802]  kvm_vm_ioctl+0x532/0x1700
[ 32.936673]  do_vfs_ioctl+0xcdb/0x12e0
[ 32.940534]  ksys_ioctl+0x9b/0xc0
[ 32.943967]  __x64_sys_ioctl+0x6f/0xb0
[ 32.947830]  do_syscall_64+0xf9/0x620
[ 32.951609]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 32.956781]
[ 32.958391] The buggy address belongs to the object at ffff8880b3a0f080
[ 32.958391]  which belongs to the cache kmalloc-64 of size 64
[ 32.970849] The buggy address is located 0 bytes inside of
[ 32.970849]  64-byte region [ffff8880b3a0f080, ffff8880b3a0f0c0)
[ 32.982451] The buggy address belongs to the page:
[ 32.987357] page:ffffea0002ce83c0 count:1 mapcount:0 mapping:ffff88813bff0340 index:0x0
[ 32.995472] flags: 0xfff00000000100(slab)
[ 32.999601] raw: 00fff00000000100 ffffea0002cbd088 ffffea0002cf3608 ffff88813bff0340
[ 33.007458] raw: 0000000000000000 ffff8880b3a0f000 0000000100000020 0000000000000000
[ 33.015312] page dumped because: kasan: bad access detected
[ 33.021013]
[ 33.022615] Memory state around the buggy address:
[ 33.027518]  ffff8880b3a0ef80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 33.034858]  ffff8880b3a0f000: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 33.042191] >ffff8880b3a0f080: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 33.049524]                    ^
[ 33.052866]  ffff8880b3a0f100: 00 00 00 00 00 fc fc fc fc fc fc fc fc fc fc fc
[ 33.060215]  ffff8880b3a0f180: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 33.067548] ==================================================================
[ 33.074899] Disabling lock debugging due to kernel taint
[ 33.083721] Kernel panic - not syncing: panic_on_warn set ...
[ 33.083721]
[ 33.091100] CPU: 0 PID: 8079 Comm: syz-executor167 Tainted: G    B             4.19.211-syzkaller #0
[ 33.100356] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/18/2022
[ 33.109693] Call Trace:
[ 33.112259]  dump_stack+0x1fc/0x2ef
[ 33.115864]  panic+0x26a/0x50e
[ 33.119034]  ? __warn_printk+0xf3/0xf3
[ 33.122905]  ? preempt_schedule_common+0x45/0xc0
[ 33.127637]  ? ___preempt_schedule+0x16/0x18
[ 33.132022]  ? trace_hardirqs_on+0x55/0x210
[ 33.136321]  kasan_end_report+0x43/0x49
[ 33.140272]  kasan_report_error.cold+0xa7/0x1b9
[ 33.144918]  ? kvm_vm_ioctl_unregister_coalesced_mmio+0x25a/0x2c0
[ 33.151128]  __asan_report_load8_noabort+0x88/0x90
[ 33.156043]  ? kvm_vm_ioctl_unregister_coalesced_mmio+0x25a/0x2c0
[ 33.162252]  ? kvm_vm_create_worker_thread+0x240/0x240
[ 33.167508]  kvm_vm_ioctl_unregister_coalesced_mmio+0x25a/0x2c0
[ 33.173543]  kvm_vm_ioctl+0x532/0x1700
[ 33.177409]  ? _kstrtoull+0x297/0x540
[ 33.181183]  ? kvm_vcpu_release+0xa0/0xa0
[ 33.185306]  ? _copy_from_user+0xd2/0x130
[ 33.189432]  ? get_pid_task+0xcd/0x190
[ 33.193297]  ? check_preemption_disabled+0x41/0x280
[ 33.198292]  ? lock_downgrade+0x720/0x720
[ 33.202417]  ? check_preemption_disabled+0x41/0x280
[ 33.207410]  ? get_pid_task+0xf4/0x190
[ 33.211273]  ? proc_fail_nth_write+0x95/0x1d0
[ 33.215747]  ? proc_tgid_io_accounting+0x7f0/0x7f0
[ 33.220654]  ? debug_check_no_obj_freed+0x201/0x490
[ 33.225648]  ? __vfs_write+0xff/0x770
[ 33.229424]  ? proc_tgid_io_accounting+0x7f0/0x7f0
[ 33.234329]  ? common_file_perm+0x4e5/0x850
[ 33.238628]  ? kvm_vcpu_release+0xa0/0xa0
[ 33.242752]  do_vfs_ioctl+0xcdb/0x12e0
[ 33.246617]  ? vfs_write+0x3d7/0x540
[ 33.250307]  ? ioctl_preallocate+0x200/0x200
[ 33.254694]  ? lock_downgrade+0x720/0x720
[ 33.258818]  ? check_preemption_disabled+0x41/0x280
[ 33.263811]  ? vfs_write+0x393/0x540
[ 33.267499]  ? ksys_write+0x1c8/0x2a0
[ 33.271275]  ksys_ioctl+0x9b/0xc0
[ 33.274703]  __x64_sys_ioctl+0x6f/0xb0
[ 33.278655]  ? lockdep_hardirqs_on+0x3a8/0x5c0
[ 33.283238]  do_syscall_64+0xf9/0x620
[ 33.287020]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 33.292185] RIP: 0033:0x7f2f2ecf4739
[ 33.295877] Code: 28 c3 e8 2a 14 00 00 66 2e 0f 1f 84 00 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48
[ 33.314752] RSP: 002b:00007ffe5932fcc8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[ 33.322522] RAX: ffffffffffffffda RBX: 0000000000000001 RCX: 00007f2f2ecf4739
[ 33.330034] RDX: 00000000200002c0 RSI: 000000004010ae68 RDI: 0000000000000004
[ 33.337280] RBP: 00007ffe5932fcd0 R08: 0000000000000001 R09: 00007f2f2ecb0031
[ 33.344525] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000005
[ 33.351780] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[ 33.359294] Kernel Offset: disabled
[ 33.362906] Rebooting in 86400 seconds..
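Reading the report: failslab injects a single allocation failure (times 1) into the __kmalloc that kvm_io_bus_unregister_dev uses to build a smaller bus; the kernel logs "failed to shrink bus, removing it completely" and, on that error path (the .cold frame in the "Freed by" trace), drops the bus and destroys the other devices on it. One of those devices is a coalesced-MMIO zone allocated by kvm_vm_ioctl_register_coalesced_mmio (a 64-byte kmalloc-64 object), and the caller, kvm_vm_ioctl_unregister_coalesced_mmio, is still walking the zones list: its safe iterator's cached "next" entry is the freed zone, so the 8-byte read at offset 0 (the list link) trips KASAN, and panic_on_warn turns the report into a panic. The example below is added here as a userspace model of that control flow; it is not kernel code, and the names (zone_dev, io_bus, bus_unregister_dev, unregister_zones, run_scenario) and the two sample zones are constructed for illustration. Freed objects are kept allocated but flagged, so the model stays defined and the flag plays the role of KASAN's freed shadow. The hardened walk mirrors the shape of the upstream fix, where kvm_io_bus_unregister_dev reports the allocation failure and the caller stops iterating because the remaining zones are already gone.

```c
/* Userspace model of the KVM coalesced-MMIO unregister path seen in the
 * report above (added example, not kernel code). */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_DEVS 8

struct zone_dev {
	struct zone_dev *next;   /* list link at offset 0, like list_head.next */
	unsigned long addr, size;
	int freed;               /* stands in for KASAN's "freed" shadow (fb) */
};

struct io_bus {
	int dev_count;
	struct zone_dev *range[MAX_DEVS];
};

struct vm {
	struct io_bus *bus;      /* kvm->buses[KVM_MMIO_BUS] */
	struct zone_dev *zones;  /* head of the coalesced_zones list */
	int fail_next_alloc;     /* models failslab "times 1" */
	int kasan_reports;       /* reads of a freed zone_dev link */
};

/* Every read of a list link goes through here so the model can flag UAF. */
static struct zone_dev *checked(struct vm *vm, struct zone_dev *d)
{
	if (d->freed)
		vm->kasan_reports++;
	return d;
}

static struct zone_dev *register_zone(struct vm *vm, unsigned long addr,
				      unsigned long size)
{
	struct zone_dev *d = calloc(1, sizeof(*d)), **pp = &vm->zones;
	d->addr = addr;
	d->size = size;
	while (*pp)              /* list_add_tail */
		pp = &(*pp)->next;
	*pp = d;
	if (!vm->bus)
		vm->bus = calloc(1, sizeof(*vm->bus));
	vm->bus->range[vm->bus->dev_count++] = d;
	return d;
}

/* coalesced_mmio_destructor: list_del() + kfree() */
static void zone_destructor(struct vm *vm, struct zone_dev *d)
{
	struct zone_dev **pp;
	for (pp = &vm->zones; *pp; pp = &(*pp)->next)
		if (*pp == d) {
			*pp = d->next;
			break;
		}
	d->next = NULL;          /* list poison */
	d->freed = 1;            /* kfree() */
}

/* Shrink the bus by one device; if the new bus cannot be allocated, drop the
 * bus and destroy every device on it except the one being removed. */
static int bus_unregister_dev(struct vm *vm, struct zone_dev *d)
{
	struct io_bus *bus = vm->bus, *nb;
	int i, j;

	if (!bus)
		return 0;
	for (i = 0; i < bus->dev_count; i++)
		if (bus->range[i] == d)
			break;
	if (i == bus->dev_count)
		return 0;

	nb = vm->fail_next_alloc ? NULL : calloc(1, sizeof(*nb));
	vm->fail_next_alloc = 0;
	if (nb) {
		nb->dev_count = bus->dev_count - 1;
		memcpy(nb->range, bus->range, i * sizeof(bus->range[0]));
		memcpy(nb->range + i, bus->range + i + 1,
		       (nb->dev_count - i) * sizeof(bus->range[0]));
	} else {                 /* "failed to shrink bus, removing it completely" */
		for (j = 0; j < bus->dev_count; j++)
			if (j != i)
				zone_destructor(vm, bus->range[j]);
	}
	vm->bus = nb;
	free(bus);
	return nb ? 0 : -ENOMEM;
}

/* KVM_UNREGISTER_COALESCED_MMIO: walk the zones list with a safe iterator. */
static int unregister_zones(struct vm *vm, unsigned long addr,
			    unsigned long size, int hardened)
{
	struct zone_dev *d, *tmp;

	for (d = vm->zones; d; d = tmp) {
		tmp = checked(vm, d)->next;   /* the 8-byte read at offset 0 */
		if (vm->kasan_reports)
			return -EFAULT;       /* panic_on_warn: kernel stops here */
		if (d->addr >= addr && d->addr + d->size <= addr + size) {
			int r = bus_unregister_dev(vm, d);
			zone_destructor(vm, d);
			if (hardened && r)
				break;        /* bus and the other zones are gone */
		}
	}
	return 0;
}

/* Two zones on one bus, then an unregister covering both while the next
 * allocation is forced to fail. Returns the number of UAF reads observed. */
static int run_scenario(int hardened)
{
	struct vm vm = {0};
	struct zone_dev *a = register_zone(&vm, 0x1000, 0x100);  /* constructed */
	struct zone_dev *b = register_zone(&vm, 0x2000, 0x100);  /* constructed */
	int reports;

	vm.fail_next_alloc = 1;   /* FAULT_INJECTION: forcing a failure */
	unregister_zones(&vm, 0x1000, 0x2000, hardened);
	reports = vm.kasan_reports;
	free(vm.bus);
	free(a);
	free(b);
	return reports;
}

int main(void)
{
	printf("vulnerable walk: %d UAF read(s)\n", run_scenario(0));
	printf("hardened walk:   %d UAF read(s)\n", run_scenario(1));
	return 0;
}
```

With a single zone on the bus nothing is destroyed on the error path and neither walk misbehaves; the report needs at least two zones that both match the ioctl's range, which is why a fuzzer with fault injection found it rather than ordinary use. The hardened walk does not restart after the break: every other zone was already unlinked by the bus teardown, so there is nothing left to visit.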