[ OK ] Reached target Login Prompts.
[ OK ] Reached target Multi-User System.
[ OK ] Reached target Graphical Interface.
Starting Update UTMP about System Runlevel Changes...
[ OK ] Started Update UTMP about System Runlevel Changes.
Debian GNU/Linux 9 syzkaller ttyS0
Warning: Permanently added '10.128.0.68' (ECDSA) to the list of known hosts.
executing program
syzkaller login: [ 47.356841][ T8466] ==================================================================
[ 47.365230][ T8466] BUG: KASAN: use-after-free in io_uring_show_cred+0x26e/0x4f0
[ 47.372752][ T8466] Read of size 8 at addr ffff88802110fd20 by task syz-executor339/8466
[ 47.380963][ T8466]
[ 47.383277][ T8466] CPU: 0 PID: 8466 Comm: syz-executor339 Not tainted 5.10.0-rc2-syzkaller #0
[ 47.392012][ T8466] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 47.402048][ T8466] Call Trace:
[ 47.405351][ T8466]  dump_stack+0x137/0x1be
[ 47.409680][ T8466]  print_address_description+0x6c/0x660
[ 47.415234][ T8466]  ? printk+0x62/0x83
[ 47.419264][ T8466]  ? wake_up_klogd+0xb2/0xf0
[ 47.423838][ T8466]  kasan_report+0x136/0x1e0
[ 47.428354][ T8466]  ? io_uring_show_cred+0x26e/0x4f0
[ 47.433533][ T8466]  io_uring_show_cred+0x26e/0x4f0
[ 47.438556][ T8466]  idr_for_each+0x16b/0x260
[ 47.443052][ T8466]  ? __io_destroy_buffers+0x1d0/0x1d0
[ 47.448599][ T8466]  io_uring_show_fdinfo+0x63f/0x990
[ 47.453786][ T8466]  ? show_fd_locks+0x195/0x400
[ 47.458536][ T8466]  ? io_uring_fasync+0x60/0x60
[ 47.463303][ T8466]  seq_show+0x559/0x610
[ 47.467475][ T8466]  seq_read+0x41a/0xcd0
[ 47.471626][ T8466]  do_iter_read+0x48e/0x660
[ 47.476119][ T8466]  do_preadv+0x17b/0x290
[ 47.480374][ T8466]  ? syscall_enter_from_user_mode+0x24/0x170
[ 47.486333][ T8466]  ? lockdep_hardirqs_on+0x8d/0x130
[ 47.492204][ T8466]  ? syscall_enter_from_user_mode+0x24/0x170
[ 47.498177][ T8466]  do_syscall_64+0x2d/0x70
[ 47.502586][ T8466]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 47.508457][ T8466] RIP: 0033:0x4403a9
[ 47.512335][ T8466] Code: 18 89 d0 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 db 13 fc ff c3 66 2e 0f 1f 84 00 00 00 00
[ 47.531945][ T8466] RSP: 002b:00007ffc85a4e508 EFLAGS: 00000246 ORIG_RAX: 0000000000000127
[ 47.540463][ T8466] RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 00000000004403a9
[ 47.548437][ T8466] RDX: 0000000000000333 RSI: 00000000200017c0 RDI: 0000000000000004
[ 47.556397][ T8466] RBP: 00000000006ca018 R08: 0000000000000000 R09: 65732f636f72702f
[ 47.564387][ T8466] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000401c10
[ 47.572348][ T8466] R13: 0000000000401ca0 R14: 0000000000000000 R15: 0000000000000000
[ 47.580330][ T8466]
[ 47.582657][ T8466] Allocated by task 4874:
[ 47.586985][ T8466]  __kasan_kmalloc+0x111/0x140
[ 47.591724][ T8466]  __kmalloc+0x170/0x290
[ 47.595946][ T8466]  tomoyo_encode2+0x25a/0x560
[ 47.600597][ T8466]  tomoyo_realpath_from_path+0x5c6/0x620
[ 47.606204][ T8466]  tomoyo_path_perm+0x191/0x570
[ 47.611038][ T8466]  security_inode_getattr+0xc0/0x140
[ 47.616306][ T8466]  __x64_sys_newfstat+0x97/0x150
[ 47.621233][ T8466]  do_syscall_64+0x2d/0x70
[ 47.625625][ T8466]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 47.631494][ T8466]
[ 47.633802][ T8466] Freed by task 4874:
[ 47.637761][ T8466]  kasan_set_track+0x3d/0x70
[ 47.642324][ T8466]  kasan_set_free_info+0x17/0x30
[ 47.647256][ T8466]  __kasan_slab_free+0x108/0x140
[ 47.652169][ T8466]  slab_free_freelist_hook+0xd6/0x1a0
[ 47.657516][ T8466]  kfree+0xd1/0x280
[ 47.661299][ T8466]  tomoyo_path_perm+0x447/0x570
[ 47.666126][ T8466]  security_inode_getattr+0xc0/0x140
[ 47.671403][ T8466]  __x64_sys_newfstat+0x97/0x150
[ 47.676316][ T8466]  do_syscall_64+0x2d/0x70
[ 47.680706][ T8466]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 47.686569][ T8466]
[ 47.688889][ T8466] The buggy address belongs to the object at ffff88802110fd00
[ 47.688889][ T8466]  which belongs to the cache kmalloc-96 of size 96
[ 47.702758][ T8466] The buggy address is located 32 bytes inside of
[ 47.702758][ T8466]  96-byte region [ffff88802110fd00, ffff88802110fd60)
[ 47.715830][ T8466] The buggy address belongs to the page:
[ 47.721447][ T8466] page:00000000c5b3a963 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x2110f
[ 47.731572][ T8466] flags: 0xfff00000000200(slab)
[ 47.736476][ T8466] raw: 00fff00000000200 ffffea0000a8e040 0000000200000002 ffff888010441780
[ 47.745049][ T8466] raw: 0000000000000000 0000000080200020 00000001ffffffff 0000000000000000
[ 47.753612][ T8466] page dumped because: kasan: bad access detected
[ 47.760001][ T8466]
[ 47.762308][ T8466] Memory state around the buggy address:
[ 47.767918][ T8466]  ffff88802110fc00: 00 00 00 00 00 00 00 00 00 00 00 00 fc fc fc fc
[ 47.775957][ T8466]  ffff88802110fc80: 00 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc
[ 47.784012][ T8466] >ffff88802110fd00: fa fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
[ 47.792048][ T8466]                                ^
[ 47.797137][ T8466]  ffff88802110fd80: fa fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
[ 47.805273][ T8466]  ffff88802110fe00: 00 00 00 00 00 00 00 00 00 00 00 00 fc fc fc fc
[ 47.813653][ T8466] ==================================================================
[ 47.821688][ T8466] Disabling lock debugging due to kernel taint
[ 47.834934][ T8466] Kernel panic - not syncing: panic_on_warn set ...
[ 47.841621][ T8466] CPU: 0 PID: 8466 Comm: syz-executor339 Tainted: G B 5.10.0-rc2-syzkaller #0
[ 47.851743][ T8466] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 47.861771][ T8466] Call Trace:
[ 47.865037][ T8466]  dump_stack+0x137/0x1be
[ 47.869338][ T8466]  ? panic+0x1f3/0x800
[ 47.873474][ T8466]  panic+0x291/0x800
[ 47.877342][ T8466]  ? preempt_schedule_thunk+0x16/0x18
[ 47.882682][ T8466]  ? trace_hardirqs_on+0x30/0x80
[ 47.887589][ T8466]  kasan_report+0x1da/0x1e0
[ 47.892073][ T8466]  ? io_uring_show_cred+0x26e/0x4f0
[ 47.897244][ T8466]  io_uring_show_cred+0x26e/0x4f0
[ 47.902247][ T8466]  idr_for_each+0x16b/0x260
[ 47.906719][ T8466]  ? __io_destroy_buffers+0x1d0/0x1d0
[ 47.912065][ T8466]  io_uring_show_fdinfo+0x63f/0x990
[ 47.917236][ T8466]  ? show_fd_locks+0x195/0x400
[ 47.921967][ T8466]  ? io_uring_fasync+0x60/0x60
[ 47.926700][ T8466]  seq_show+0x559/0x610
[ 47.930832][ T8466]  seq_read+0x41a/0xcd0
[ 47.934964][ T8466]  do_iter_read+0x48e/0x660
[ 47.939452][ T8466]  do_preadv+0x17b/0x290
[ 47.943666][ T8466]  ? syscall_enter_from_user_mode+0x24/0x170
[ 47.949639][ T8466]  ? lockdep_hardirqs_on+0x8d/0x130
[ 47.954816][ T8466]  ? syscall_enter_from_user_mode+0x24/0x170
[ 47.960779][ T8466]  do_syscall_64+0x2d/0x70
[ 47.965454][ T8466]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 47.971332][ T8466] RIP: 0033:0x4403a9
[ 47.975199][ T8466] Code: 18 89 d0 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 db 13 fc ff c3 66 2e 0f 1f 84 00 00 00 00
[ 47.994809][ T8466] RSP: 002b:00007ffc85a4e508 EFLAGS: 00000246 ORIG_RAX: 0000000000000127
[ 48.003301][ T8466] RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 00000000004403a9
[ 48.011344][ T8466] RDX: 0000000000000333 RSI: 00000000200017c0 RDI: 0000000000000004
[ 48.019288][ T8466] RBP: 00000000006ca018 R08: 0000000000000000 R09: 65732f636f72702f
[ 48.027392][ T8466] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000401c10
[ 48.035363][ T8466] R13: 0000000000401ca0 R14: 0000000000000000 R15: 0000000000000000
[ 48.044220][ T8466] Kernel Offset: disabled
[ 48.048537][ T8466] Rebooting in 86400 seconds..