[ OK ] Started Getty on tty2.
[ OK ] Started Getty on tty1.
[ OK ] Started Serial Getty on ttyS0.
[ OK ] Reached target Login Prompts.
[ OK ] Reached target Multi-User System.
[ OK ] Reached target Graphical Interface.
 Starting Update UTMP about System Runlevel Changes...
[ OK ] Started Update UTMP about System Runlevel Changes.
 Starting Load/Save RF Kill Switch Status...
[ OK ] Started Load/Save RF Kill Switch Status.

Debian GNU/Linux 9 syzkaller ttyS0

Warning: Permanently added '10.128.0.140' (ECDSA) to the list of known hosts.
executing program
syzkaller login: [ 57.480931][ T7049] ==================================================================
[ 57.489315][ T7049] BUG: KASAN: use-after-free in inet_diag_bc_sk+0xb64/0xc70
[ 57.496587][ T7049] Read of size 8 at addr ffff888095691260 by task syz-executor848/7049
[ 57.504909][ T7049]
[ 57.507246][ T7049] CPU: 0 PID: 7049 Comm: syz-executor848 Not tainted 5.7.0-rc2-syzkaller #0
[ 57.515911][ T7049] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 57.525945][ T7049] Call Trace:
[ 57.529229][ T7049]  dump_stack+0x188/0x20d
[ 57.533554][ T7049]  print_address_description.constprop.0.cold+0xd3/0x315
[ 57.540567][ T7049]  ? inet_diag_bc_sk+0xb64/0xc70
[ 57.545478][ T7049]  __kasan_report.cold+0x35/0x4d
[ 57.550390][ T7049]  ? cap_capable+0x1c0/0x250
[ 57.554963][ T7049]  ? inet_diag_bc_sk+0xb64/0xc70
[ 57.559902][ T7049]  ? inet_diag_bc_sk+0xb64/0xc70
[ 57.564831][ T7049]  kasan_report+0x33/0x50
[ 57.569138][ T7049]  inet_diag_bc_sk+0xb64/0xc70
[ 57.573892][ T7049]  inet_diag_dump_icsk+0xbe4/0x1306
[ 57.579094][ T7049]  ? inet_diag_dump_one_icsk+0x340/0x340
[ 57.584701][ T7049]  ? __kasan_kmalloc.constprop.0+0xbf/0xd0
[ 57.590515][ T7049]  ? mutex_trylock+0x2c0/0x2c0
[ 57.595264][ T7049]  ? kmem_cache_alloc_node_trace+0x3a2/0x790
[ 57.601318][ T7049]  ? kasan_unpoison_shadow+0x30/0x40
[ 57.606686][ T7049]  ? __kasan_kmalloc.constprop.0+0xbf/0xd0
[ 57.612477][ T7049]  ? __phys_addr+0x9a/0x110
[ 57.616974][ T7049]  __inet_diag_dump+0x8d/0x240
[ 57.621719][ T7049]  netlink_dump+0x50b/0xf50
[ 57.626200][ T7049]  ? __netlink_sendskb+0xb0/0xb0
[ 57.631112][ T7049]  ? __mutex_unlock_slowpath+0xe2/0x660
[ 57.636642][ T7049]  __netlink_dump_start+0x63f/0x910
[ 57.641830][ T7049]  ? inet_diag_dump_start_compat+0x20/0x20
[ 57.647611][ T7049]  ? lock_release+0x800/0x800
[ 57.652264][ T7049]  inet_diag_handler_cmd+0x263/0x2c0
[ 57.657538][ T7049]  ? inet_diag_rcv_msg_compat+0x2c0/0x2c0
[ 57.663347][ T7049]  ? inet_diag_dump_start_compat+0x20/0x20
[ 57.669232][ T7049]  ? inet_diag_dump_compat+0x290/0x290
[ 57.674677][ T7049]  ? inet_diag_unregister+0xb0/0xb0
[ 57.679868][ T7049]  sock_diag_rcv_msg+0x2fe/0x3e0
[ 57.684788][ T7049]  netlink_rcv_skb+0x15a/0x410
[ 57.689528][ T7049]  ? sock_diag_bind+0x80/0x80
[ 57.694181][ T7049]  ? netlink_ack+0xa10/0xa10
[ 57.698755][ T7049]  sock_diag_rcv+0x26/0x40
[ 57.703144][ T7049]  netlink_unicast+0x537/0x740
[ 57.708407][ T7049]  ? netlink_attachskb+0x810/0x810
[ 57.713590][ T7049]  ? _copy_from_iter_full+0x25c/0x870
[ 57.718949][ T7049]  ? __phys_addr_symbol+0x2c/0x70
[ 57.723958][ T7049]  ? __check_object_size+0x171/0x437
[ 57.729220][ T7049]  netlink_sendmsg+0x882/0xe10
[ 57.733973][ T7049]  ? aa_af_perm+0x260/0x260
[ 57.738471][ T7049]  ? netlink_unicast+0x740/0x740
[ 57.743404][ T7049]  ? netlink_unicast+0x740/0x740
[ 57.748343][ T7049]  sock_sendmsg+0xcf/0x120
[ 57.752744][ T7049]  sock_write_iter+0x289/0x3c0
[ 57.758110][ T7049]  ? sock_sendmsg+0x120/0x120
[ 57.762781][ T7049]  ? common_file_perm+0x2c6/0x910
[ 57.767800][ T7049]  do_iter_readv_writev+0x5a8/0x850
[ 57.772985][ T7049]  ? no_seek_end_llseek_size+0x60/0x60
[ 57.778429][ T7049]  do_iter_write+0x18b/0x600
[ 57.783013][ T7049]  ? lockdep_init_map_waits+0x26a/0x890
[ 57.788727][ T7049]  vfs_writev+0x1b3/0x2f0
[ 57.793243][ T7049]  ? vfs_iter_write+0xa0/0xa0
[ 57.797908][ T7049]  ? lock_downgrade+0x840/0x840
[ 57.803190][ T7049]  ? rcu_read_lock_any_held.part.0+0x50/0x50
[ 57.809246][ T7049]  ? _raw_spin_unlock+0x24/0x40
[ 57.814091][ T7049]  ? __fget_light+0x1ab/0x270
[ 57.818747][ T7049]  do_writev+0x27f/0x300
[ 57.822965][ T7049]  ? vfs_writev+0x2f0/0x2f0
[ 57.827481][ T7049]  ? trace_hardirqs_off_caller+0x55/0x230
[ 57.833180][ T7049]  do_syscall_64+0xf6/0x7d0
[ 57.837667][ T7049]  entry_SYSCALL_64_after_hwframe+0x49/0xb3
[ 57.843533][ T7049] RIP: 0033:0x440c19
[ 57.847407][ T7049] Code: 18 89 d0 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 fb 13 fc ff c3 66 2e 0f 1f 84 00 00 00 00
[ 57.866984][ T7049] RSP: 002b:00007ffe4fee2558 EFLAGS: 00000246 ORIG_RAX: 0000000000000014
[ 57.875430][ T7049] RAX: ffffffffffffffda RBX: 00007ffe4fee2560 RCX: 0000000000440c19
[ 57.883389][ T7049] RDX: 0000000000000001 RSI: 0000000020000140 RDI: 0000000000000005
[ 57.891370][ T7049] RBP: 0000000000000000 R08: 000000000000001c R09: 0000000000401260
[ 57.899319][ T7049] R10: 000000000000001c R11: 0000000000000246 R12: 00000000004024a0
[ 57.907274][ T7049] R13: 0000000000402530 R14: 0000000000000000 R15: 0000000000000000
[ 57.915240][ T7049]
[ 57.917544][ T7049] Allocated by task 5084:
[ 57.921849][ T7049]  save_stack+0x1b/0x40
[ 57.925979][ T7049]  __kasan_kmalloc.constprop.0+0xbf/0xd0
[ 57.931592][ T7049]  kmem_cache_alloc+0x11b/0x740
[ 57.936415][ T7049]  do_epoll_ctl+0xc05/0x33e0
[ 57.941063][ T7049]  __x64_sys_epoll_ctl+0x13f/0x1c0
[ 57.946159][ T7049]  do_syscall_64+0xf6/0x7d0
[ 57.950639][ T7049]  entry_SYSCALL_64_after_hwframe+0x49/0xb3
[ 57.956499][ T7049]
[ 57.958812][ T7049] Freed by task 9:
[ 57.962530][ T7049]  save_stack+0x1b/0x40
[ 57.966658][ T7049]  __kasan_slab_free+0xf7/0x140
[ 57.971492][ T7049]  kmem_cache_free+0x7f/0x320
[ 57.976149][ T7049]  rcu_core+0x59f/0x1370
[ 57.980363][ T7049]  __do_softirq+0x26c/0x9f7
[ 57.984835][ T7049]
[ 57.987139][ T7049] The buggy address belongs to the object at ffff888095691240
[ 57.987139][ T7049]  which belongs to the cache eventpoll_epi of size 128
[ 58.001782][ T7049] The buggy address is located 32 bytes inside of
[ 58.001782][ T7049]  128-byte region [ffff888095691240, ffff8880956912c0)
[ 58.014952][ T7049] The buggy address belongs to the page:
[ 58.020682][ T7049] page:ffffea000255a440 refcount:1 mapcount:0 mapping:000000008105bd31 index:0xffff888095691300
[ 58.031075][ T7049] flags: 0xfffe0000000200(slab)
[ 58.035919][ T7049] raw: 00fffe0000000200 ffffea000271ac08 ffffea00029050c8 ffff88821a8b0380
[ 58.044667][ T7049] raw: ffff888095691300 ffff888095691000 000000010000000c 0000000000000000
[ 58.053665][ T7049] page dumped because: kasan: bad access detected
[ 58.060048][ T7049]
[ 58.062349][ T7049] Memory state around the buggy address:
[ 58.067953][ T7049]  ffff888095691100: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 58.076000][ T7049]  ffff888095691180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 58.084055][ T7049] >ffff888095691200: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
[ 58.092096][ T7049]                                                        ^
[ 58.099273][ T7049]  ffff888095691280: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 58.107329][ T7049]  ffff888095691300: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 58.115366][ T7049] ==================================================================
[ 58.124451][ T7049] Disabling lock debugging due to kernel taint
[ 58.130659][ T7049] Kernel panic - not syncing: panic_on_warn set ...
[ 58.137242][ T7049] CPU: 0 PID: 7049 Comm: syz-executor848 Tainted: G B 5.7.0-rc2-syzkaller #0
[ 58.147291][ T7049] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 58.157602][ T7049] Call Trace:
[ 58.160893][ T7049]  dump_stack+0x188/0x20d
[ 58.165261][ T7049]  panic+0x2e3/0x75c
[ 58.169189][ T7049]  ? add_taint.cold+0x16/0x16
[ 58.173873][ T7049]  ? retint_kernel+0x2b/0x2b
[ 58.178459][ T7049]  ? inet_diag_bc_sk+0xb64/0xc70
[ 58.183420][ T7049]  ? trace_hardirqs_on+0x55/0x220
[ 58.188629][ T7049]  ? inet_diag_bc_sk+0xb64/0xc70
[ 58.193988][ T7049]  end_report+0x4d/0x53
[ 58.198142][ T7049]  __kasan_report.cold+0xd/0x4d
[ 58.203378][ T7049]  ? cap_capable+0x1c0/0x250
[ 58.207949][ T7049]  ? inet_diag_bc_sk+0xb64/0xc70
[ 58.213222][ T7049]  ? inet_diag_bc_sk+0xb64/0xc70
[ 58.218496][ T7049]  kasan_report+0x33/0x50
[ 58.222928][ T7049]  inet_diag_bc_sk+0xb64/0xc70
[ 58.227772][ T7049]  inet_diag_dump_icsk+0xbe4/0x1306
[ 58.232964][ T7049]  ? inet_diag_dump_one_icsk+0x340/0x340
[ 58.238571][ T7049]  ? __kasan_kmalloc.constprop.0+0xbf/0xd0
[ 58.244362][ T7049]  ? mutex_trylock+0x2c0/0x2c0
[ 58.249448][ T7049]  ? kmem_cache_alloc_node_trace+0x3a2/0x790
[ 58.255418][ T7049]  ? kasan_unpoison_shadow+0x30/0x40
[ 58.260694][ T7049]  ? __kasan_kmalloc.constprop.0+0xbf/0xd0
[ 58.266477][ T7049]  ? __phys_addr+0x9a/0x110
[ 58.270987][ T7049]  __inet_diag_dump+0x8d/0x240
[ 58.275726][ T7049]  netlink_dump+0x50b/0xf50
[ 58.280200][ T7049]  ? __netlink_sendskb+0xb0/0xb0
[ 58.285125][ T7049]  ? __mutex_unlock_slowpath+0xe2/0x660
[ 58.290661][ T7049]  __netlink_dump_start+0x63f/0x910
[ 58.295850][ T7049]  ? inet_diag_dump_start_compat+0x20/0x20
[ 58.301659][ T7049]  ? lock_release+0x800/0x800
[ 58.306341][ T7049]  inet_diag_handler_cmd+0x263/0x2c0
[ 58.311622][ T7049]  ? inet_diag_rcv_msg_compat+0x2c0/0x2c0
[ 58.317317][ T7049]  ? inet_diag_dump_start_compat+0x20/0x20
[ 58.323096][ T7049]  ? inet_diag_dump_compat+0x290/0x290
[ 58.328647][ T7049]  ? inet_diag_unregister+0xb0/0xb0
[ 58.334224][ T7049]  sock_diag_rcv_msg+0x2fe/0x3e0
[ 58.339235][ T7049]  netlink_rcv_skb+0x15a/0x410
[ 58.344100][ T7049]  ? sock_diag_bind+0x80/0x80
[ 58.348757][ T7049]  ? netlink_ack+0xa10/0xa10
[ 58.353344][ T7049]  sock_diag_rcv+0x26/0x40
[ 58.357738][ T7049]  netlink_unicast+0x537/0x740
[ 58.362512][ T7049]  ? netlink_attachskb+0x810/0x810
[ 58.367604][ T7049]  ? _copy_from_iter_full+0x25c/0x870
[ 58.372953][ T7049]  ? __phys_addr_symbol+0x2c/0x70
[ 58.378007][ T7049]  ? __check_object_size+0x171/0x437
[ 58.383432][ T7049]  netlink_sendmsg+0x882/0xe10
[ 58.388178][ T7049]  ? aa_af_perm+0x260/0x260
[ 58.392765][ T7049]  ? netlink_unicast+0x740/0x740
[ 58.397682][ T7049]  ? netlink_unicast+0x740/0x740
[ 58.402598][ T7049]  sock_sendmsg+0xcf/0x120
[ 58.407435][ T7049]  sock_write_iter+0x289/0x3c0
[ 58.412192][ T7049]  ? sock_sendmsg+0x120/0x120
[ 58.416884][ T7049]  ? common_file_perm+0x2c6/0x910
[ 58.421902][ T7049]  do_iter_readv_writev+0x5a8/0x850
[ 58.427085][ T7049]  ? no_seek_end_llseek_size+0x60/0x60
[ 58.432524][ T7049]  do_iter_write+0x18b/0x600
[ 58.437109][ T7049]  ? lockdep_init_map_waits+0x26a/0x890
[ 58.442692][ T7049]  vfs_writev+0x1b3/0x2f0
[ 58.447123][ T7049]  ? vfs_iter_write+0xa0/0xa0
[ 58.451798][ T7049]  ? lock_downgrade+0x840/0x840
[ 58.456639][ T7049]  ? rcu_read_lock_any_held.part.0+0x50/0x50
[ 58.462590][ T7049]  ? _raw_spin_unlock+0x24/0x40
[ 58.467416][ T7049]  ? __fget_light+0x1ab/0x270
[ 58.472150][ T7049]  do_writev+0x27f/0x300
[ 58.476366][ T7049]  ? vfs_writev+0x2f0/0x2f0
[ 58.480850][ T7049]  ? trace_hardirqs_off_caller+0x55/0x230
[ 58.486541][ T7049]  do_syscall_64+0xf6/0x7d0
[ 58.491647][ T7049]  entry_SYSCALL_64_after_hwframe+0x49/0xb3
[ 58.497522][ T7049] RIP: 0033:0x440c19
[ 58.501394][ T7049] Code: 18 89 d0 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 fb 13 fc ff c3 66 2e 0f 1f 84 00 00 00 00
[ 58.520973][ T7049] RSP: 002b:00007ffe4fee2558 EFLAGS: 00000246 ORIG_RAX: 0000000000000014
[ 58.529372][ T7049] RAX: ffffffffffffffda RBX: 00007ffe4fee2560 RCX: 0000000000440c19
[ 58.537328][ T7049] RDX: 0000000000000001 RSI: 0000000020000140 RDI: 0000000000000005
[ 58.545368][ T7049] RBP: 0000000000000000 R08: 000000000000001c R09: 0000000000401260
[ 58.553332][ T7049] R10: 000000000000001c R11: 0000000000000246 R12: 00000000004024a0
[ 58.561457][ T7049] R13: 0000000000402530 R14: 0000000000000000 R15: 0000000000000000
[ 58.570884][ T7049] Kernel Offset: disabled
[ 58.575223][ T7049] Rebooting in 86400 seconds..
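What a triager should take from the report above before reading any source: the faulting read is an 8-byte access in inet_diag_bc_sk, reached from a writev (ORIG_RAX 0x14 is writev on x86-64, and the trace runs do_writev to netlink_sendmsg to sock_diag_rcv) on a netlink sock_diag socket; the object it touched is a 128-byte eventpoll_epi slab object that a different task (5084) allocated in epoll_ctl and that task 9 freed from an RCU callback in softirq context (rcu_core under __do_softirq), so the dumping side is reading an epitem after its grace period has expired. The register and Code dump is user-space state (RIP 0033:) of syz-executor848 and says nothing about the kernel-side fault beyond which syscall was in flight. The following Python helper is an added example for this page, not part of the crash log and not syzkaller's own report parser: it parses the KASAN header, the allocation and free stacks, the object/cache lines and the shadow-memory dump, then cross-checks the numbers the report states (the 32-byte offset, the region length against the cache size) and decodes the shadow byte covering the faulting address. The poison values in the table are those of generic KASAN in 5.x kernels (mm/kasan/kasan.h), where each shadow byte describes 8 bytes of memory and 0xfb marks a freed slab object; the sample input is an excerpt of the report on this page.

```python
# Triage helper for KASAN slab reports as printed on a syzkaller console.
# Added example for this page: not part of the crash log and not syzkaller's
# own parser. Poison values are from mm/kasan/kasan.h of generic KASAN (5.x).
import re
from dataclasses import dataclass, field

SHADOW_GRANULE = 8                      # bytes of real memory per shadow byte
SHADOW_ROW_BYTES = 16 * SHADOW_GRANULE  # the report prints 16 shadow bytes per row
SHADOW_MEANING = {                      # values 0..7 instead mean "N bytes addressable"
    0xFA: "global redzone", 0xFB: "freed slab object", 0xFC: "slab redzone",
    0xFE: "page redzone", 0xFF: "freed page", 0xF1: "stack left redzone",
    0xF2: "stack mid redzone", 0xF3: "stack right redzone", 0xF4: "stack partial redzone",
}
_PREFIX = re.compile(r"^\s*\[\s*[\d.]+\]\s*\[\s*T\d+\]\s?")  # "[ 57.489315][ T7049] "


@dataclass
class KasanReport:
    bug: str = ""
    func: str = ""
    access: str = ""
    size: int = 0
    addr: int = 0
    obj_start: int = 0
    cache: str = ""
    obj_size: int = 0
    region: tuple = (0, 0)
    stated_offset: int = 0
    alloc_stack: list = field(default_factory=list)
    free_stack: list = field(default_factory=list)
    shadow: dict = field(default_factory=dict)  # row address -> 16 shadow bytes


def parse_kasan_report(text):
    """Parse the header, alloc/free stacks, object/cache lines and shadow dump."""
    rep, section = KasanReport(), None
    for raw in text.splitlines():
        ln = _PREFIX.sub("", raw).strip()
        if not ln:
            section = None  # a blank console line closes a stack section
        elif m := re.match(r"BUG: KASAN: (\S+) in (\S+)", ln):
            rep.bug, rep.func = m.group(1), m.group(2)
        elif m := re.match(r"(Read|Write) of size (\d+) at addr ([0-9a-f]+) by task", ln):
            rep.access, rep.size, rep.addr = m.group(1), int(m.group(2)), int(m.group(3), 16)
        elif re.match(r"Allocated by task \d+:", ln):
            section = "alloc"
        elif re.match(r"Freed by task \d+:", ln):
            section = "free"
        elif m := re.match(r"The buggy address belongs to the object at ([0-9a-f]+)", ln):
            rep.obj_start = int(m.group(1), 16)
        elif m := re.match(r"which belongs to the cache (\S+) of size (\d+)", ln):
            rep.cache, rep.obj_size = m.group(1), int(m.group(2))
        elif m := re.match(r"The buggy address is located (\d+) bytes inside of", ln):
            rep.stated_offset = int(m.group(1))
        elif m := re.match(r"\d+-byte region \[([0-9a-f]+), ([0-9a-f]+)\)", ln):
            rep.region = (int(m.group(1), 16), int(m.group(2), 16))
        elif m := re.match(r">?([0-9a-f]{16}): ((?:[0-9a-f]{2}\s?){16})$", ln):
            rep.shadow[int(m.group(1), 16)] = [int(b, 16) for b in m.group(2).split()]
        elif section == "alloc":
            rep.alloc_stack.append(ln.lstrip("? "))
        elif section == "free":
            rep.free_stack.append(ln.lstrip("? "))
    return rep


def check_report(rep):
    """Cross-check the arithmetic the report states and decode the shadow byte
    covering the faulting address, so the headline can be trusted before triage."""
    lo, hi = rep.region
    row = rep.addr & ~(SHADOW_ROW_BYTES - 1)          # rows are 128-byte aligned
    byte = rep.shadow[row][(rep.addr - row) // SHADOW_GRANULE]
    meaning = (f"first {byte} of 8 bytes addressable" if byte < SHADOW_GRANULE
               else SHADOW_MEANING.get(byte, "unknown poison"))
    return {
        "offset": rep.addr - rep.obj_start,
        "offset_matches_stated": rep.addr - rep.obj_start == rep.stated_offset,
        "region_matches_cache_size": hi - lo == rep.obj_size,
        "access_inside_object": lo <= rep.addr and rep.addr + rep.size <= hi,
        "shadow_byte": byte,
        "shadow_meaning": meaning,
        "headline_consistent": rep.bug == "use-after-free" and byte == 0xFB,
        "freed_from_rcu_callback": any(f.startswith("rcu_core") for f in rep.free_stack),
        "alloc_syscall": next((f for f in rep.alloc_stack if "sys_" in f), None),
    }


# Excerpt of the report on this page (trimmed to the lines the helper uses).
SAMPLE_REPORT = """\
[ 57.489315][ T7049] BUG: KASAN: use-after-free in inet_diag_bc_sk+0xb64/0xc70
[ 57.496587][ T7049] Read of size 8 at addr ffff888095691260 by task syz-executor848/7049
[ 57.504909][ T7049]
[ 57.917544][ T7049] Allocated by task 5084:
[ 57.921849][ T7049]  save_stack+0x1b/0x40
[ 57.931592][ T7049]  kmem_cache_alloc+0x11b/0x740
[ 57.936415][ T7049]  do_epoll_ctl+0xc05/0x33e0
[ 57.941063][ T7049]  __x64_sys_epoll_ctl+0x13f/0x1c0
[ 57.956499][ T7049]
[ 57.958812][ T7049] Freed by task 9:
[ 57.962530][ T7049]  save_stack+0x1b/0x40
[ 57.971492][ T7049]  kmem_cache_free+0x7f/0x320
[ 57.976149][ T7049]  rcu_core+0x59f/0x1370
[ 57.980363][ T7049]  __do_softirq+0x26c/0x9f7
[ 57.984835][ T7049]
[ 57.987139][ T7049] The buggy address belongs to the object at ffff888095691240
[ 57.987139][ T7049]  which belongs to the cache eventpoll_epi of size 128
[ 58.001782][ T7049] The buggy address is located 32 bytes inside of
[ 58.001782][ T7049]  128-byte region [ffff888095691240, ffff8880956912c0)
[ 58.076000][ T7049]  ffff888095691180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 58.084055][ T7049] >ffff888095691200: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
[ 58.092096][ T7049]                                                        ^
[ 58.099273][ T7049]  ffff888095691280: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
"""

if __name__ == "__main__":
    for k, v in check_report(parse_kasan_report(SAMPLE_REPORT)).items():
        print(f"{k}: {v:#x}" if k == "shadow_byte" else f"{k}: {v}")
```

The shadow decode is what separates a real use-after-free from a neighbouring out-of-bounds read: the faulting address lands on a 0xfb granule inside the freed object's own region, not on the 0xfc redzone in front of it, which agrees with the headline. The rcu_core frame in the free stack is the second thing worth noting, since it tells you the dumping path is holding a pointer across an RCU grace period rather than racing a synchronous kfree.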