[  OK  ] Started Getty on tty2.
[  OK  ] Started Serial Getty on ttyS0.
[  OK  ] Started Getty on tty1.
[  OK  ] Started getty on tty2-tty6 if dbus and logind are not available.
[  OK  ] Started OpenBSD Secure Shell server.
Debian GNU/Linux 9 syzkaller ttyS0
Warning: Permanently added '10.128.0.184' (ECDSA) to the list of known hosts.
executing program
syzkaller login: [ 72.148575][ T6540] ==================================================================
[ 72.156880][ T6540] BUG: KASAN: use-after-free in io_submit_one+0x6fb/0x1b80
[ 72.164172][ T6540] Write of size 4 at addr ffff8880182820c8 by task syz-executor415/6540
[ 72.172514][ T6540]
[ 72.174827][ T6540] CPU: 0 PID: 6540 Comm: syz-executor415 Not tainted 5.16.0-rc4-next-20211207-syzkaller #0
[ 72.184787][ T6540] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 72.194828][ T6540] Call Trace:
[ 72.198097][ T6540]
[ 72.201017][ T6540] dump_stack_lvl+0xcd/0x134
[ 72.205692][ T6540] print_address_description.constprop.0.cold+0xa5/0x3ed
[ 72.212715][ T6540] ? io_submit_one+0x6fb/0x1b80
[ 72.217571][ T6540] ? io_submit_one+0x6fb/0x1b80
[ 72.222427][ T6540] kasan_report.cold+0x83/0xdf
[ 72.227208][ T6540] ? io_submit_one+0x6fb/0x1b80
[ 72.232066][ T6540] kasan_check_range+0x13d/0x180
[ 72.237005][ T6540] io_submit_one+0x6fb/0x1b80
[ 72.241699][ T6540] ? find_held_lock+0x2d/0x110
[ 72.246461][ T6540] ? put_page+0x2e0/0x2e0
[ 72.250803][ T6540] ? __might_fault+0xd1/0x170
[ 72.255479][ T6540] ? lock_downgrade+0x6e0/0x6e0
[ 72.260392][ T6540] __x64_sys_io_submit+0x18c/0x330
[ 72.265510][ T6540] ? __ia32_sys_io_destroy+0x1e0/0x1e0
[ 72.270981][ T6540] ? syscall_enter_from_user_mode+0x21/0x70
[ 72.276990][ T6540] do_syscall_64+0x35/0xb0
[ 72.281420][ T6540] entry_SYSCALL_64_after_hwframe+0x44/0xae
[ 72.287321][ T6540] RIP: 0033:0x7f9604613139
[ 72.291735][ T6540] Code: 28 c3 e8 2a 14 00 00 66 2e 0f 1f 84 00 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48
[ 72.311338][ T6540] RSP: 002b:00007ffdfcd47e58 EFLAGS: 00000246 ORIG_RAX: 00000000000000d1
[ 72.319750][ T6540] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f9604613139
[ 72.327729][ T6540] RDX: 0000000020000800 RSI: 0000000000000002 RDI: 00007f96045cb000
[ 72.335726][ T6540] RBP: 00007f96045d7120 R08: 0000000000000000 R09: 0000000000000000
[ 72.343712][ T6540] R10: 0000000000000000 R11: 0000000000000246 R12: 00007f96045d71b0
[ 72.351691][ T6540] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[ 72.359760][ T6540]
[ 72.362782][ T6540]
[ 72.365095][ T6540] Allocated by task 6540:
[ 72.369410][ T6540] kasan_save_stack+0x1e/0x40
[ 72.374102][ T6540] __kasan_slab_alloc+0x90/0xc0
[ 72.378959][ T6540] kmem_cache_alloc+0x202/0x3a0
[ 72.383898][ T6540] io_submit_one+0xfd/0x1b80
[ 72.388489][ T6540] __x64_sys_io_submit+0x18c/0x330
[ 72.393604][ T6540] do_syscall_64+0x35/0xb0
[ 72.398023][ T6540] entry_SYSCALL_64_after_hwframe+0x44/0xae
[ 72.404000][ T6540]
[ 72.406317][ T6540] Freed by task 6540:
[ 72.410299][ T6540] kasan_save_stack+0x1e/0x40
[ 72.414985][ T6540] kasan_set_track+0x21/0x30
[ 72.419581][ T6540] kasan_set_free_info+0x20/0x30
[ 72.424522][ T6540] ____kasan_slab_free+0x166/0x1a0
[ 72.429651][ T6540] slab_free_freelist_hook+0x8b/0x1c0
[ 72.435036][ T6540] kmem_cache_free+0xdd/0x580
[ 72.439712][ T6540] aio_complete_rw+0x474/0x8c0
[ 72.444474][ T6540] aio_read+0x30d/0x460
[ 72.448626][ T6540] io_submit_one+0xe2b/0x1b80
[ 72.453536][ T6540] __x64_sys_io_submit+0x18c/0x330
[ 72.458667][ T6540] do_syscall_64+0x35/0xb0
[ 72.463091][ T6540] entry_SYSCALL_64_after_hwframe+0x44/0xae
[ 72.468982][ T6540]
[ 72.471295][ T6540] The buggy address belongs to the object at ffff888018282000
[ 72.471295][ T6540] which belongs to the cache aio_kiocb of size 216
[ 72.485170][ T6540] The buggy address is located 200 bytes inside of
[ 72.485170][ T6540] 216-byte region [ffff888018282000, ffff8880182820d8)
[ 72.498449][ T6540] The buggy address belongs to the page:
[ 72.504065][ T6540] page:ffffea000060a080 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x18282
[ 72.514236][ T6540] flags: 0xfff00000000200(slab|node=0|zone=1|lastcpupid=0x7ff)
[ 72.521784][ T6540] raw: 00fff00000000200 0000000000000000 dead000000000122 ffff888144b95dc0
[ 72.530370][ T6540] raw: 0000000000000000 00000000800c000c 00000001ffffffff 0000000000000000
[ 72.538948][ T6540] page dumped because: kasan: bad access detected
[ 72.545358][ T6540] page_owner tracks the page as allocated
[ 72.551058][ T6540] page last allocated via order 0, migratetype Unmovable, gfp_mask 0x12cc0(GFP_KERNEL|__GFP_NOWARN|__GFP_NORETRY), pid 6540, ts 72148479011, free_ts 72144305967
[ 72.567117][ T6540] get_page_from_freelist+0xa72/0x2f40
[ 72.572578][ T6540] __alloc_pages+0x1b2/0x500
[ 72.577167][ T6540] alloc_pages+0x1aa/0x310
[ 72.581586][ T6540] new_slab+0x28d/0x3a0
[ 72.585738][ T6540] ___slab_alloc+0x6be/0xd60
[ 72.590332][ T6540] __slab_alloc.constprop.0+0x4d/0xa0
[ 72.595706][ T6540] kmem_cache_alloc+0x35c/0x3a0
[ 72.600561][ T6540] io_submit_one+0xfd/0x1b80
[ 72.605150][ T6540] __x64_sys_io_submit+0x18c/0x330
[ 72.610259][ T6540] do_syscall_64+0x35/0xb0
[ 72.614674][ T6540] entry_SYSCALL_64_after_hwframe+0x44/0xae
[ 72.620564][ T6540] page last free stack trace:
[ 72.625225][ T6540] free_pcp_prepare+0x414/0xb60
[ 72.630070][ T6540] free_unref_page_list+0x1a9/0xfa0
[ 72.635273][ T6540] release_pages+0x818/0x18e0
[ 72.639949][ T6540] tlb_finish_mmu+0x165/0x8c0
[ 72.644622][ T6540] exit_mmap+0x21b/0x670
[ 72.649213][ T6540] __mmput+0x122/0x4b0
[ 72.653303][ T6540] mmput+0x56/0x60
[ 72.657033][ T6540] begin_new_exec+0x1047/0x2ef0
[ 72.661880][ T6540] load_elf_binary+0x7db/0x4da0
[ 72.666732][ T6540] bprm_execve+0x7ef/0x19b0
[ 72.671234][ T6540] do_execveat_common+0x5e3/0x780
[ 72.676270][ T6540] __x64_sys_execve+0x8f/0xc0
[ 72.680954][ T6540] do_syscall_64+0x35/0xb0
[ 72.685381][ T6540] entry_SYSCALL_64_after_hwframe+0x44/0xae
[ 72.691280][ T6540]
[ 72.693593][ T6540] Memory state around the buggy address:
[ 72.699210][ T6540] ffff888018281f80: fc fc 00 00 00 00 fc fc 00 00 00 00 fc fc fc fc
[ 72.707352][ T6540] ffff888018282000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 72.715408][ T6540] >ffff888018282080: fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc fc
[ 72.723459][ T6540] ^
[ 72.729857][ T6540] ffff888018282100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 72.737907][ T6540] ffff888018282180: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 72.745955][ T6540] ==================================================================
[ 72.754009][ T6540] Disabling lock debugging due to kernel taint
[ 72.762862][ T6540] Kernel panic - not syncing: panic_on_warn set ...
[ 72.769472][ T6540] CPU: 0 PID: 6540 Comm: syz-executor415 Tainted: G B 5.16.0-rc4-next-20211207-syzkaller #0
[ 72.780842][ T6540] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 72.790896][ T6540] Call Trace:
[ 72.794165][ T6540]
[ 72.797085][ T6540] dump_stack_lvl+0xcd/0x134
[ 72.801680][ T6540] panic+0x2b0/0x6dd
[ 72.805569][ T6540] ? __warn_printk+0xf3/0xf3
[ 72.810157][ T6540] ? preempt_schedule_common+0x59/0xc0
[ 72.815622][ T6540] ? io_submit_one+0x6fb/0x1b80
[ 72.820471][ T6540] ? preempt_schedule_thunk+0x16/0x18
[ 72.825840][ T6540] ? trace_hardirqs_on+0x38/0x1c0
[ 72.830866][ T6540] ? trace_hardirqs_on+0x51/0x1c0
[ 72.835883][ T6540] ? io_submit_one+0x6fb/0x1b80
[ 72.840745][ T6540] ? io_submit_one+0x6fb/0x1b80
[ 72.845599][ T6540] end_report.cold+0x63/0x6f
[ 72.850622][ T6540] kasan_report.cold+0x71/0xdf
[ 72.855382][ T6540] ? io_submit_one+0x6fb/0x1b80
[ 72.860322][ T6540] kasan_check_range+0x13d/0x180
[ 72.865253][ T6540] io_submit_one+0x6fb/0x1b80
[ 72.869931][ T6540] ? find_held_lock+0x2d/0x110
[ 72.874690][ T6540] ? put_page+0x2e0/0x2e0
[ 72.879015][ T6540] ? __might_fault+0xd1/0x170
[ 72.883686][ T6540] ? lock_downgrade+0x6e0/0x6e0
[ 72.888536][ T6540] __x64_sys_io_submit+0x18c/0x330
[ 72.893656][ T6540] ? __ia32_sys_io_destroy+0x1e0/0x1e0
[ 72.899116][ T6540] ? syscall_enter_from_user_mode+0x21/0x70
[ 72.905023][ T6540] do_syscall_64+0x35/0xb0
[ 72.909438][ T6540] entry_SYSCALL_64_after_hwframe+0x44/0xae
[ 72.915324][ T6540] RIP: 0033:0x7f9604613139
[ 72.919729][ T6540] Code: 28 c3 e8 2a 14 00 00 66 2e 0f 1f 84 00 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48
[ 72.939328][ T6540] RSP: 002b:00007ffdfcd47e58 EFLAGS: 00000246 ORIG_RAX: 00000000000000d1
[ 72.947733][ T6540] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f9604613139
[ 72.955694][ T6540] RDX: 0000000020000800 RSI: 0000000000000002 RDI: 00007f96045cb000
[ 72.963652][ T6540] RBP: 00007f96045d7120 R08: 0000000000000000 R09: 0000000000000000
[ 72.971608][ T6540] R10: 0000000000000000 R11: 0000000000000246 R12: 00007f96045d71b0
[ 72.979566][ T6540] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[ 72.987529][ T6540]
[ 72.990768][ T6540] Kernel Offset: disabled
[ 72.995076][ T6540] Rebooting in 86400 seconds..