[ OK ] Listening on Load/Save RF Kill Switch Status /dev/rfkill Watch.
[ OK ] Started Getty on tty6.
[ OK ] Started Getty on tty5.
[ OK ] Started Getty on tty4.
[ OK ] Started Getty on tty3.
[ OK ] Started Getty on tty2.
[ OK ] Started Getty on tty1.
[ OK ] Started Serial Getty on ttyS0.
[ OK ] Reached target Login Prompts.
[ OK ] Reached target Multi-User System.
[ OK ] Reached target Graphical Interface.
       Starting Update UTMP about System Runlevel Changes...
       Starting Load/Save RF Kill Switch Status...
[ OK ] Started Update UTMP about System Runlevel Changes.
[ OK ] Started Load/Save RF Kill Switch Status.

Debian GNU/Linux 9 syzkaller ttyS0

Warning: Permanently added '10.128.0.202' (ECDSA) to the list of known hosts.
executing program
syzkaller login: [ 73.433139][ T26] audit: type=1400 audit(1601897734.901:8): avc: denied { execmem } for pid=6853 comm="syz-executor116" scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=process permissive=1
[ 73.435815][ T6853] ==================================================================
[ 73.461916][ T6853] BUG: KASAN: slab-out-of-bounds in qrtr_endpoint_post+0x5c1/0x1050
[ 73.469887][ T6853] Read of size 4294967293 at addr ffff8880a78ceba0 by task syz-executor116/6853
[ 73.478885][ T6853]
[ 73.481214][ T6853] CPU: 0 PID: 6853 Comm: syz-executor116 Not tainted 5.9.0-rc8-syzkaller #0
[ 73.489871][ T6853] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 73.499900][ T6853] Call Trace:
[ 73.503177][ T6853]  dump_stack+0x198/0x1fd
[ 73.507489][ T6853]  ? qrtr_endpoint_post+0x5c1/0x1050
[ 73.512750][ T6853]  ? qrtr_endpoint_post+0x5c1/0x1050
[ 73.518037][ T6853]  print_address_description.constprop.0.cold+0xae/0x497
[ 73.525056][ T6853]  ? qrtr_endpoint_post+0x5c1/0x1050
[ 73.530324][ T6853]  ? lockdep_hardirqs_off+0x96/0xd0
[ 73.535507][ T6853]  ? vprintk_func+0x95/0x1d4
[ 73.540077][ T6853]  ? qrtr_endpoint_post+0x5c1/0x1050
[ 73.545350][ T6853]  ? qrtr_endpoint_post+0x5c1/0x1050
[ 73.551393][ T6853]  kasan_report.cold+0x1f/0x37
[ 73.556134][ T6853]  ? qrtr_endpoint_post+0x5c1/0x1050
[ 73.561398][ T6853]  check_memory_region+0x13d/0x180
[ 73.566514][ T6853]  memcpy+0x20/0x60
[ 73.570304][ T6853]  qrtr_endpoint_post+0x5c1/0x1050
[ 73.575411][ T6853]  qrtr_tun_write_iter+0xf5/0x180
[ 73.580427][ T6853]  new_sync_write+0x422/0x650
[ 73.585091][ T6853]  ? new_sync_read+0x6e0/0x6e0
[ 73.589836][ T6853]  ? selinux_file_permission+0x92/0x520
[ 73.595375][ T6853]  ? build_open_flags+0x650/0x650
[ 73.600399][ T6853]  vfs_write+0x5ad/0x730
[ 73.604640][ T6853]  ksys_write+0x12d/0x250
[ 73.608947][ T6853]  ? __ia32_sys_read+0xb0/0xb0
[ 73.613709][ T6853]  ? check_preemption_disabled+0x50/0x130
[ 73.619421][ T6853]  ? syscall_enter_from_user_mode+0x1d/0x60
[ 73.625317][ T6853]  do_syscall_64+0x2d/0x70
[ 73.629736][ T6853]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 73.635605][ T6853] RIP: 0033:0x440279
[ 73.639484][ T6853] Code: 18 89 d0 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 7b 13 fc ff c3 66 2e 0f 1f 84 00 00 00 00
[ 73.659086][ T6853] RSP: 002b:00007ffc4447bda8 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
[ 73.667502][ T6853] RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 0000000000440279
[ 73.675458][ T6853] RDX: 0000000000000020 RSI: 0000000020000000 RDI: 0000000000000003
[ 73.683408][ T6853] RBP: 00000000006ca018 R08: 0000000000000000 R09: 00000000004002c8
[ 73.691371][ T6853] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000401a80
[ 73.699324][ T6853] R13: 0000000000401b10 R14: 0000000000000000 R15: 0000000000000000
[ 73.707288][ T6853]
[ 73.709607][ T6853] Allocated by task 6853:
[ 73.713918][ T6853]  kasan_save_stack+0x1b/0x40
[ 73.718573][ T6853]  __kasan_kmalloc.constprop.0+0xbf/0xd0
[ 73.724178][ T6853]  __kmalloc+0x1b0/0x360
[ 73.728400][ T6853]  qrtr_tun_write_iter+0x8a/0x180
[ 73.733487][ T6853]  new_sync_write+0x422/0x650
[ 73.738154][ T6853]  vfs_write+0x5ad/0x730
[ 73.742372][ T6853]  ksys_write+0x12d/0x250
[ 73.746677][ T6853]  do_syscall_64+0x2d/0x70
[ 73.751084][ T6853]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 73.756963][ T6853]
[ 73.759299][ T6853] The buggy address belongs to the object at ffff8880a78ceb80
[ 73.759299][ T6853]  which belongs to the cache kmalloc-32 of size 32
[ 73.773175][ T6853] The buggy address is located 0 bytes to the right of
[ 73.773175][ T6853]  32-byte region [ffff8880a78ceb80, ffff8880a78ceba0)
[ 73.786696][ T6853] The buggy address belongs to the page:
[ 73.792337][ T6853] page:0000000049b6cf59 refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff8880a78cefc1 pfn:0xa78ce
[ 73.803760][ T6853] flags: 0xfffe0000000200(slab)
[ 73.808606][ T6853] raw: 00fffe0000000200 ffffea000277e148 ffffea00027a8c88 ffff8880aa040100
[ 73.817172][ T6853] raw: ffff8880a78cefc1 ffff8880a78ce000 000000010000002d 0000000000000000
[ 73.825744][ T6853] page dumped because: kasan: bad access detected
[ 73.832140][ T6853]
[ 73.834470][ T6853] Memory state around the buggy address:
[ 73.840080][ T6853]  ffff8880a78cea80: 00 00 fc fc fc fc fc fc 00 00 fc fc fc fc fc fc
[ 73.848219][ T6853]  ffff8880a78ceb00: 00 00 fc fc fc fc fc fc fa fb fb fb fc fc fc fc
[ 73.856262][ T6853] >ffff8880a78ceb80: 00 00 00 00 fc fc fc fc fb fb fb fb fc fc fc fc
[ 73.864307][ T6853]                                ^
[ 73.870975][ T6853]  ffff8880a78cec00: fb fb fb fb fc fc fc fc fa fb fb fb fc fc fc fc
[ 73.879046][ T6853]  ffff8880a78cec80: fa fb fb fb fc fc fc fc fa fb fb fb fc fc fc fc
[ 73.887086][ T6853] ==================================================================
[ 73.895140][ T6853] Disabling lock debugging due to kernel taint
[ 73.902731][ T6853] Kernel panic - not syncing: panic_on_warn set ...
[ 73.909332][ T6853] CPU: 0 PID: 6853 Comm: syz-executor116 Tainted: G    B             5.9.0-rc8-syzkaller #0
[ 73.921292][ T6853] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 73.931428][ T6853] Call Trace:
[ 73.934724][ T6853]  dump_stack+0x198/0x1fd
[ 73.939030][ T6853]  ? qrtr_endpoint_post+0x500/0x1050
[ 73.944643][ T6853]  panic+0x382/0x7fb
[ 73.948565][ T6853]  ? __warn_printk+0xf3/0xf3
[ 73.953134][ T6853]  ? preempt_schedule_common+0x59/0xc0
[ 73.958678][ T6853]  ? qrtr_endpoint_post+0x5c1/0x1050
[ 73.963937][ T6853]  ? preempt_schedule_thunk+0x16/0x18
[ 73.969298][ T6853]  ? trace_hardirqs_on+0x55/0x220
[ 73.974311][ T6853]  ? qrtr_endpoint_post+0x5c1/0x1050
[ 73.979588][ T6853]  ? qrtr_endpoint_post+0x5c1/0x1050
[ 73.984870][ T6853]  end_report+0x4d/0x53
[ 73.989013][ T6853]  kasan_report.cold+0xd/0x37
[ 73.993679][ T6853]  ? qrtr_endpoint_post+0x5c1/0x1050
[ 73.998999][ T6853]  check_memory_region+0x13d/0x180
[ 74.004083][ T6853]  memcpy+0x20/0x60
[ 74.007865][ T6853]  qrtr_endpoint_post+0x5c1/0x1050
[ 74.012951][ T6853]  qrtr_tun_write_iter+0xf5/0x180
[ 74.017973][ T6853]  new_sync_write+0x422/0x650
[ 74.022726][ T6853]  ? new_sync_read+0x6e0/0x6e0
[ 74.027481][ T6853]  ? selinux_file_permission+0x92/0x520
[ 74.033013][ T6853]  ? build_open_flags+0x650/0x650
[ 74.038014][ T6853]  vfs_write+0x5ad/0x730
[ 74.042233][ T6853]  ksys_write+0x12d/0x250
[ 74.046534][ T6853]  ? __ia32_sys_read+0xb0/0xb0
[ 74.051274][ T6853]  ? check_preemption_disabled+0x50/0x130
[ 74.057076][ T6853]  ? syscall_enter_from_user_mode+0x1d/0x60
[ 74.063135][ T6853]  do_syscall_64+0x2d/0x70
[ 74.067529][ T6853]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 74.073416][ T6853] RIP: 0033:0x440279
[ 74.077293][ T6853] Code: 18 89 d0 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 7b 13 fc ff c3 66 2e 0f 1f 84 00 00 00 00
[ 74.096992][ T6853] RSP: 002b:00007ffc4447bda8 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
[ 74.105396][ T6853] RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 0000000000440279
[ 74.113362][ T6853] RDX: 0000000000000020 RSI: 0000000020000000 RDI: 0000000000000003
[ 74.121312][ T6853] RBP: 00000000006ca018 R08: 0000000000000000 R09: 00000000004002c8
[ 74.129261][ T6853] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000401a80
[ 74.137220][ T6853] R13: 0000000000401b10 R14: 0000000000000000 R15: 0000000000000000
[ 74.146294][ T6853] Kernel Offset: disabled
[ 74.150607][ T6853] Rebooting in 86400 seconds..
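Triage notes on the report above, with an added example that is not part of the syzkaller log and is not the kernel's own net/qrtr code. The numbers the log gives are: a 32-byte write() (RDX=0x20, RDI=3) into the qrtr tun device, a kmalloc-32 object [ffff8880a78ceb80, ffff8880a78ceba0) allocated in qrtr_tun_write_iter, and a memcpy in qrtr_endpoint_post that reads 4294967293 bytes (0xfffffffd, i.e. (u32)-3) starting exactly at the end of that object. The C model below is this editor's reconstruction of a length check that is consistent with those numbers: a 16-byte fixed header plus optlen option bytes, a 32-bit payload size field, and a consistency check of the form len == ALIGN(size, 4) + hdrlen. Everything in it is an assumption (the header layout, the field names, the function names check_len_u32/check_len_hardened, the constructed frames); it is not claimed to be the upstream code or the upstream fix. It shows why the check passes when size is held in a 32-bit unsigned (ALIGN wraps to 0, so len == hdrlen satisfies it) and how doing the arithmetic in size_t with an explicit hdrlen <= len bound rejects the same frame.

```c
/*
 * Added example (editor's model, NOT net/qrtr/qrtr.c): how a 32-bit size
 * field defeats a "len == ALIGN(size, 4) + hdrlen" check, and a hardened form.
 * Header layout, field names and the check itself are assumptions made to
 * match the KASAN report's numbers (32-byte buffer, read of 0xfffffffd bytes
 * starting at offset 32).
 */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Same shape as the kernel's ALIGN(): result has the type of x. */
#define ALIGN_UP(x, a) (((x) + ((a) - 1)) & ~((a) - 1))

/* Assumed wire layout (hypothetical, mirrors a 16-byte v2-style header):
 *   [0] version  [1] type  [2] flags  [3] optlen
 *   [4..7] size, little-endian 32-bit payload length
 *   [8..15] node/port ids, then optlen option bytes, then the payload. */
#define FIXED_HDR 16

static uint32_t le32(const uint8_t *p)
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 |
           (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Bug-prone variant: size is a 32-bit unsigned, so ALIGN_UP(0xfffffffd, 4)
 * wraps to 0 and a frame whose header exactly fills len passes the check.
 * Returns 1 if accepted (with *payload set to the size that would be passed
 * to memcpy(dst, data + hdrlen, size)), 0 if rejected. */
int check_len_u32(const uint8_t *data, size_t len, size_t *payload)
{
    unsigned int size;
    size_t hdrlen;

    if (len < FIXED_HDR)
        return 0;
    hdrlen = FIXED_HDR + data[3];
    size = le32(data + 4);
    if (len != ALIGN_UP(size, 4) + hdrlen)   /* 32 == 0 + 32 for the bad frame */
        return 0;
    *payload = size;                         /* 4294967293: the OOB read size */
    return 1;
}

/* Hardened variant: widen before arithmetic, bound hdrlen by len first, and
 * bound size by the bytes that actually remain. Editor's choice, not the
 * upstream patch. */
int check_len_hardened(const uint8_t *data, size_t len, size_t *payload)
{
    size_t size, hdrlen;

    if (len < FIXED_HDR)
        return 0;
    hdrlen = FIXED_HDR + (size_t)data[3];
    if (hdrlen > len)                        /* optlen must fit in the buffer */
        return 0;
    size = le32(data + 4);                   /* size_t: no 32-bit wrap */
    if (size > len - hdrlen)                 /* payload must fit too */
        return 0;
    if (len != ALIGN_UP(size, 4) + hdrlen)
        return 0;
    *payload = size;
    return 1;
}

/* KASAN prints the memcpy length as an unsigned long; viewed as u32 it is -3,
 * the usual signature of a small negative or wrapped length. */
int32_t kasan_size_as_s32(unsigned long sz)
{
    return (int32_t)(uint32_t)sz;
}

/* Bytes past the end of the object, as in "located N bytes to the right of". */
unsigned long kasan_oob_bytes(unsigned long addr, unsigned long obj, unsigned long objsize)
{
    return addr - (obj + objsize);           /* ..ba0 - (..b80 + 32) == 0 */
}

/* Constructed 32-byte frame mirroring the report: optlen 16 makes hdrlen == len,
 * size field 0xfffffffd. Remaining bytes are zero. */
const uint8_t bad_frame[32] = { 2, 1, 0, 16, 0xfd, 0xff, 0xff, 0xff };

/* Constructed well-formed frame: optlen 0, 8-byte payload, len 24. */
const uint8_t good_frame[24] = { 2, 1, 0, 0, 8, 0, 0, 0 };

int main(void)
{
    size_t p = 0;
    printf("u32 check: bad accepted=%d size=%zu\n", check_len_u32(bad_frame, 32, &p), p);
    printf("hardened : bad accepted=%d\n", check_len_hardened(bad_frame, 32, &p));
    printf("hardened : good accepted=%d size=%zu\n", check_len_hardened(good_frame, 24, &p), p);
    printf("0x%lx as s32 = %d, oob bytes = %lu\n", 4294967293UL,
           kasan_size_as_s32(4294967293UL),
           kasan_oob_bytes(0xffff8880a78ceba0UL, 0xffff8880a78ceb80UL, 32));
    return 0;
}
```

The reproducer surface is the same as in the log: anything that can write() to the qrtr tun file can deliver such a frame, which is why the report is worth treating as a local memory-disclosure primitive until the length validation is fixed. When matching a candidate fix against this report, check that the accepted-size path can no longer exceed len - hdrlen for any 32-bit size value, not just the one value syzkaller happened to find.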