[ OK ] Started Getty on tty4.
[ OK ] Started Getty on tty3.
[ OK ] Started Getty on tty2.
[ OK ] Started Getty on tty1.
[ OK ] Started Serial Getty on ttyS0.
[ OK ] Reached target Login Prompts.
[ OK ] Reached target Multi-User System.
[ OK ] Reached target Graphical Interface.
Starting Update UTMP about System Runlevel Changes...
[ OK ] Started Update UTMP about System Runlevel Changes.

Debian GNU/Linux 9 syzkaller ttyS0

Warning: Permanently added '10.128.10.44' (ECDSA) to the list of known hosts.
executing program
syzkaller login: [ 62.047501][ T8487] IPVS: ftp: loaded support on port[0] = 21
[ 62.088222][ T8487] ==================================================================
[ 62.096382][ T8487] BUG: KASAN: use-after-free in io_submit_sqes+0x15a9/0x25f0
[ 62.103743][ T8487] Write of size 4 at addr ffff888011e08e48 by task syz-executor165/8487
[ 62.112083][ T8487]
[ 62.114449][ T8487] CPU: 1 PID: 8487 Comm: syz-executor165 Not tainted 5.10.0-rc1-next-20201102-syzkaller #0
[ 62.124431][ T8487] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 62.134466][ T8487] Call Trace:
[ 62.137740][ T8487]  dump_stack+0x107/0x163
[ 62.142050][ T8487]  ? io_submit_sqes+0x15a9/0x25f0
[ 62.147050][ T8487]  ? io_submit_sqes+0x15a9/0x25f0
[ 62.152056][ T8487]  print_address_description.constprop.0.cold+0xae/0x4c8
[ 62.159060][ T8487]  ? _raw_spin_lock_irqsave+0x4e/0x50
[ 62.164476][ T8487]  ? vprintk_func+0x95/0x1e0
[ 62.169084][ T8487]  ? io_submit_sqes+0x15a9/0x25f0
[ 62.174114][ T8487]  ? io_submit_sqes+0x15a9/0x25f0
[ 62.179139][ T8487]  kasan_report.cold+0x1f/0x37
[ 62.183891][ T8487]  ? io_submit_sqes+0x15a9/0x25f0
[ 62.188897][ T8487]  check_memory_region+0x13d/0x180
[ 62.194003][ T8487]  io_submit_sqes+0x15a9/0x25f0
[ 62.198842][ T8487]  ? io_queue_sqe+0xed0/0xed0
[ 62.203501][ T8487]  ? __do_sys_io_uring_enter+0xc82/0x1b50
[ 62.209288][ T8487]  ? _raw_spin_unlock_irqrestore+0x42/0x50
[ 62.215096][ T8487]  ? lockdep_hardirqs_on+0x79/0x100
[ 62.220288][ T8487]  __do_sys_io_uring_enter+0xc8e/0x1b50
[ 62.225823][ T8487]  ? io_submit_sqes+0x25f0/0x25f0
[ 62.230829][ T8487]  ? blkcg_maybe_throttle_current+0x640/0xd70
[ 62.236881][ T8487]  ? __blkcg_punt_bio_submit+0x1d0/0x1d0
[ 62.242500][ T8487]  ? syscall_enter_from_user_mode+0x1d/0x50
[ 62.248423][ T8487]  do_syscall_64+0x2d/0x70
[ 62.252843][ T8487]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 62.258782][ T8487] RIP: 0033:0x440e19
[ 62.262663][ T8487] Code: 18 89 d0 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 eb 0f fc ff c3 66 2e 0f 1f 84 00 00 00 00
[ 62.282280][ T8487] RSP: 002b:00007fff644ff178 EFLAGS: 00000246 ORIG_RAX: 00000000000001aa
[ 62.290707][ T8487] RAX: ffffffffffffffda RBX: 0000000000000005 RCX: 0000000000440e19
[ 62.298659][ T8487] RDX: 0000000000000000 RSI: 000000000000450c RDI: 0000000000000003
[ 62.306616][ T8487] RBP: 0000000000000004 R08: 0000000000000000 R09: 0000000000000000
[ 62.314570][ T8487] R10: 0000000000000000 R11: 0000000000000246 R12: 00000000022b4850
[ 62.322519][ T8487] R13: 0000000000000010 R14: 0000000000000000 R15: 0000000000000000
[ 62.330512][ T8487]
[ 62.332830][ T8487] Allocated by task 8487:
[ 62.337153][ T8487]  kasan_save_stack+0x1b/0x40
[ 62.341807][ T8487]  __kasan_kmalloc.constprop.0+0xc2/0xd0
[ 62.347421][ T8487]  __do_sys_io_uring_register+0x10f0/0x40a0
[ 62.353294][ T8487]  do_syscall_64+0x2d/0x70
[ 62.357728][ T8487]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 62.363597][ T8487]
[ 62.365914][ T8487] Freed by task 8487:
[ 62.369873][ T8487]  kasan_save_stack+0x1b/0x40
[ 62.374528][ T8487]  kasan_set_track+0x1c/0x30
[ 62.379095][ T8487]  kasan_set_free_info+0x1b/0x30
[ 62.384028][ T8487]  __kasan_slab_free+0x102/0x140
[ 62.388941][ T8487]  slab_free_freelist_hook+0x5d/0x150
[ 62.394289][ T8487]  kfree+0xdb/0x360
[ 62.398077][ T8487]  io_prep_async_work+0x903/0xbc0
[ 62.403077][ T8487]  io_queue_sqe+0x212/0xed0
[ 62.407554][ T8487]  io_submit_sqes+0x14f6/0x25f0
[ 62.412397][ T8487]  __do_sys_io_uring_enter+0xc8e/0x1b50
[ 62.417948][ T8487]  do_syscall_64+0x2d/0x70
[ 62.422367][ T8487]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 62.428252][ T8487]
[ 62.430581][ T8487] The buggy address belongs to the object at ffff888011e08e00
[ 62.430581][ T8487]  which belongs to the cache kmalloc-96 of size 96
[ 62.444461][ T8487] The buggy address is located 72 bytes inside of
[ 62.444461][ T8487]  96-byte region [ffff888011e08e00, ffff888011e08e60)
[ 62.457555][ T8487] The buggy address belongs to the page:
[ 62.463195][ T8487] page:00000000a7104751 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x11e08
[ 62.473345][ T8487] flags: 0xfff00000000200(slab)
[ 62.478205][ T8487] raw: 00fff00000000200 ffffea00004f8540 0000001f00000002 ffff888010041780
[ 62.486801][ T8487] raw: 0000000000000000 0000000080200020 00000001ffffffff 0000000000000000
[ 62.495373][ T8487] page dumped because: kasan: bad access detected
[ 62.501757][ T8487]
[ 62.504062][ T8487] Memory state around the buggy address:
[ 62.509671][ T8487]  ffff888011e08d00: 00 00 00 00 00 00 00 00 00 00 00 00 fc fc fc fc
[ 62.517709][ T8487]  ffff888011e08d80: 00 00 00 00 00 00 00 00 00 00 00 00 fc fc fc fc
[ 62.525747][ T8487] >ffff888011e08e00: fa fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
[ 62.533779][ T8487]                                               ^
[ 62.540168][ T8487]  ffff888011e08e80: 00 00 00 00 00 00 00 00 00 00 00 00 fc fc fc fc
[ 62.548214][ T8487]  ffff888011e08f00: 00 00 00 00 00 00 00 00 00 00 00 00 fc fc fc fc
[ 62.556250][ T8487] ==================================================================
[ 62.564297][ T8487] Disabling lock debugging due to kernel taint
[ 62.571067][ T8487] Kernel panic - not syncing: panic_on_warn set ...
[ 62.577664][ T8487] CPU: 1 PID: 8487 Comm: syz-executor165 Tainted: G    B             5.10.0-rc1-next-20201102-syzkaller #0
[ 62.589016][ T8487] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 62.599054][ T8487] Call Trace:
[ 62.602326][ T8487]  dump_stack+0x107/0x163
[ 62.606658][ T8487]  ? io_submit_sqes+0x1500/0x25f0
[ 62.611651][ T8487]  panic+0x306/0x73d
[ 62.615528][ T8487]  ? __warn_printk+0xf3/0xf3
[ 62.620096][ T8487]  ? preempt_schedule_common+0x59/0xc0
[ 62.625537][ T8487]  ? io_submit_sqes+0x15a9/0x25f0
[ 62.630547][ T8487]  ? preempt_schedule_thunk+0x16/0x18
[ 62.635893][ T8487]  ? trace_hardirqs_on+0x51/0x1c0
[ 62.640890][ T8487]  ? io_submit_sqes+0x15a9/0x25f0
[ 62.645887][ T8487]  ? io_submit_sqes+0x15a9/0x25f0
[ 62.650883][ T8487]  end_report+0x58/0x5e
[ 62.655029][ T8487]  kasan_report.cold+0xd/0x37
[ 62.659689][ T8487]  ? io_submit_sqes+0x15a9/0x25f0
[ 62.664686][ T8487]  check_memory_region+0x13d/0x180
[ 62.669767][ T8487]  io_submit_sqes+0x15a9/0x25f0
[ 62.674594][ T8487]  ? io_queue_sqe+0xed0/0xed0
[ 62.679243][ T8487]  ? __do_sys_io_uring_enter+0xc82/0x1b50
[ 62.684936][ T8487]  ? _raw_spin_unlock_irqrestore+0x42/0x50
[ 62.690714][ T8487]  ? lockdep_hardirqs_on+0x79/0x100
[ 62.695887][ T8487]  __do_sys_io_uring_enter+0xc8e/0x1b50
[ 62.701420][ T8487]  ? io_submit_sqes+0x25f0/0x25f0
[ 62.706424][ T8487]  ? blkcg_maybe_throttle_current+0x640/0xd70
[ 62.712476][ T8487]  ? __blkcg_punt_bio_submit+0x1d0/0x1d0
[ 62.718080][ T8487]  ? syscall_enter_from_user_mode+0x1d/0x50
[ 62.723961][ T8487]  do_syscall_64+0x2d/0x70
[ 62.728349][ T8487]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 62.734214][ T8487] RIP: 0033:0x440e19
[ 62.738082][ T8487] Code: 18 89 d0 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 eb 0f fc ff c3 66 2e 0f 1f 84 00 00 00 00
[ 62.757659][ T8487] RSP: 002b:00007fff644ff178 EFLAGS: 00000246 ORIG_RAX: 00000000000001aa
[ 62.766046][ T8487] RAX: ffffffffffffffda RBX: 0000000000000005 RCX: 0000000000440e19
[ 62.773992][ T8487] RDX: 0000000000000000 RSI: 000000000000450c RDI: 0000000000000003
[ 62.781937][ T8487] RBP: 0000000000000004 R08: 0000000000000000 R09: 0000000000000000
[ 62.789893][ T8487] R10: 0000000000000000 R11: 0000000000000246 R12: 00000000022b4850
[ 62.797837][ T8487] R13: 0000000000000010 R14: 0000000000000000 R15: 0000000000000000
[ 62.806475][ T8487] Kernel Offset: disabled
[ 62.810797][ T8487] Rebooting in 86400 seconds..