[ OK ] Started Getty on tty2.
[ OK ] Started Getty on tty1.
[ OK ] Started Serial Getty on ttyS0.
[ OK ] Reached target Login Prompts.
[ OK ] Reached target Multi-User System.
[ OK ] Reached target Graphical Interface.
Starting Update UTMP about System Runlevel Changes...
[ OK ] Started Update UTMP about System Runlevel Changes.
Starting Load/Save RF Kill Switch Status...
[ OK ] Started Load/Save RF Kill Switch Status.

Debian GNU/Linux 9 syzkaller ttyS0

Warning: Permanently added '10.128.0.206' (ECDSA) to the list of known hosts.
executing program
syzkaller login: [ 57.707546][ T8445] ==================================================================
[ 57.716090][ T8445] BUG: KASAN: use-after-free in filp_close+0x22/0x170
[ 57.722926][ T8445] Read of size 8 at addr ffff888025a40a78 by task syz-executor493/8445
[ 57.731134][ T8445]
[ 57.733439][ T8445] CPU: 1 PID: 8445 Comm: syz-executor493 Not tainted 5.14.0-rc1-syzkaller #0
[ 57.742170][ T8445] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 57.752392][ T8445] Call Trace:
[ 57.755650][ T8445]  dump_stack_lvl+0xcd/0x134
[ 57.760228][ T8445]  print_address_description.constprop.0.cold+0x6c/0x309
[ 57.767504][ T8445]  ? filp_close+0x22/0x170
[ 57.771907][ T8445]  ? filp_close+0x22/0x170
[ 57.776305][ T8445]  kasan_report.cold+0x83/0xdf
[ 57.781144][ T8445]  ? filp_close+0x22/0x170
[ 57.785545][ T8445]  kasan_check_range+0x13d/0x180
[ 57.790471][ T8445]  filp_close+0x22/0x170
[ 57.794703][ T8445]  close_fd+0x5c/0x80
[ 57.798672][ T8445]  __x64_sys_close+0x2f/0xa0
[ 57.803250][ T8445]  do_syscall_64+0x35/0xb0
[ 57.807653][ T8445]  entry_SYSCALL_64_after_hwframe+0x44/0xae
[ 57.813539][ T8445] RIP: 0033:0x4021b3
[ 57.817417][ T8445] Code: c7 c2 c0 ff ff ff f7 d8 64 89 02 48 c7 c0 ff ff ff ff eb ba 0f 1f 00 64 8b 04 25 18 00 00 00 85 c0 75 14 b8 03 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 45 c3 0f 1f 40 00 48 83 ec 18 89 7c 24 0c e8
[ 57.837095][ T8445] RSP: 002b:00007ffe62cc73e8 EFLAGS: 00000246 ORIG_RAX: 0000000000000003
[ 57.845496][ T8445] RAX: ffffffffffffffda RBX: 0000000000000005 RCX: 00000000004021b3
[ 57.853450][ T8445] RDX: 0000000020000000 RSI: 0000000000000005 RDI: 0000000000000004
[ 57.861645][ T8445] RBP: 00007ffe62cc73f8 R08: 0000000000000004 R09: 00000000004aa000
[ 57.869598][ T8445] R10: 0000000000000000 R11: 0000000000000246 R12: 00007ffe62cc7400
[ 57.877640][ T8445] R13: 0000000000000000 R14: 00000000004ad018 R15: 0000000000400488
[ 57.885705][ T8445]
[ 57.888011][ T8445] Allocated by task 8445:
[ 57.892313][ T8445]  kasan_save_stack+0x1b/0x40
[ 57.896980][ T8445]  __kasan_slab_alloc+0x84/0xa0
[ 57.901901][ T8445]  kmem_cache_alloc+0x216/0x3a0
[ 57.906736][ T8445]  __alloc_file+0x21/0x280
[ 57.911146][ T8445]  alloc_empty_file+0x6d/0x170
[ 57.915890][ T8445]  path_openat+0xde/0x27f0
[ 57.920288][ T8445]  do_filp_open+0x1aa/0x400
[ 57.924776][ T8445]  do_sys_openat2+0x16d/0x420
[ 57.929437][ T8445]  __x64_sys_creat+0xc9/0x120
[ 57.934268][ T8445]  do_syscall_64+0x35/0xb0
[ 57.938669][ T8445]  entry_SYSCALL_64_after_hwframe+0x44/0xae
[ 57.944548][ T8445]
[ 57.947112][ T8445] Freed by task 8445:
[ 57.951329][ T8445]  kasan_save_stack+0x1b/0x40
[ 57.955987][ T8445]  kasan_set_track+0x1c/0x30
[ 57.960564][ T8445]  kasan_set_free_info+0x20/0x30
[ 57.965503][ T8445]  __kasan_slab_free+0xfb/0x130
[ 57.970338][ T8445]  slab_free_freelist_hook+0xdf/0x240
[ 57.975695][ T8445]  kfree+0xeb/0x650
[ 57.979488][ T8445]  put_fs_context+0x3fb/0x650
[ 57.984145][ T8445]  fscontext_release+0x4c/0x60
[ 57.988890][ T8445]  __fput+0x288/0x920
[ 57.992853][ T8445]  task_work_run+0xdd/0x1a0
[ 57.997531][ T8445]  exit_to_user_mode_prepare+0x27e/0x290
[ 58.003486][ T8445]  syscall_exit_to_user_mode+0x19/0x60
[ 58.009126][ T8445]  do_syscall_64+0x42/0xb0
[ 58.013535][ T8445]  entry_SYSCALL_64_after_hwframe+0x44/0xae
[ 58.019417][ T8445]
[ 58.021724][ T8445] Last potentially related work creation:
[ 58.027416][ T8445]  kasan_save_stack+0x1b/0x40
[ 58.032085][ T8445]  kasan_record_aux_stack+0xe5/0x110
[ 58.037355][ T8445]  call_rcu+0xb1/0x750
[ 58.041407][ T8445]  task_work_run+0xdd/0x1a0
[ 58.045893][ T8445]  exit_to_user_mode_prepare+0x27e/0x290
[ 58.051600][ T8445]  syscall_exit_to_user_mode+0x19/0x60
[ 58.057045][ T8445]  do_syscall_64+0x42/0xb0
[ 58.061446][ T8445]  entry_SYSCALL_64_after_hwframe+0x44/0xae
[ 58.067331][ T8445]
[ 58.069634][ T8445] Second to last potentially related work creation:
[ 58.076281][ T8445]  kasan_save_stack+0x1b/0x40
[ 58.080945][ T8445]  kasan_record_aux_stack+0xe5/0x110
[ 58.086216][ T8445]  task_work_add+0x3a/0x190
[ 58.090700][ T8445]  fput_many.part.0+0xbb/0x170
[ 58.095445][ T8445]  fput+0x3b/0x50
[ 58.099078][ T8445]  path_openat+0x19bd/0x27f0
[ 58.103650][ T8445]  do_filp_open+0x1aa/0x400
[ 58.108133][ T8445]  do_sys_openat2+0x16d/0x420
[ 58.112796][ T8445]  __x64_sys_open+0x119/0x1c0
[ 58.117457][ T8445]  do_syscall_64+0x35/0xb0
[ 58.121855][ T8445]  entry_SYSCALL_64_after_hwframe+0x44/0xae
[ 58.127735][ T8445]
[ 58.130042][ T8445] The buggy address belongs to the object at ffff888025a40a00
[ 58.130042][ T8445]  which belongs to the cache filp of size 464
[ 58.143647][ T8445] The buggy address is located 120 bytes inside of
[ 58.143647][ T8445]  464-byte region [ffff888025a40a00, ffff888025a40bd0)
[ 58.156903][ T8445] The buggy address belongs to the page:
[ 58.162509][ T8445] page:ffffea0000969000 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x25a40
[ 58.172647][ T8445] head:ffffea0000969000 order:1 compound_mapcount:0
[ 58.179211][ T8445] flags: 0xfff00000010200(slab|head|node=0|zone=1|lastcpupid=0x7ff)
[ 58.187265][ T8445] raw: 00fff00000010200 0000000000000000 0000000b00000001 ffff8880109c4780
[ 58.196237][ T8445] raw: 0000000000000000 00000000800c000c 00000001ffffffff 0000000000000000
[ 58.204804][ T8445] page dumped because: kasan: bad access detected
[ 58.211280][ T8445] page_owner tracks the page as allocated
[ 58.216973][ T8445] page last allocated via order 1, migratetype Unmovable, gfp_mask 0xd20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 4875, ts 15466439710, free_ts 15379402342
[ 58.236058][ T8445]  get_page_from_freelist+0xa72/0x2f80
[ 58.241509][ T8445]  __alloc_pages+0x1b2/0x500
[ 58.246253][ T8445]  alloc_pages+0x18c/0x2a0
[ 58.250652][ T8445]  allocate_slab+0x32b/0x4c0
[ 58.255223][ T8445]  ___slab_alloc+0x4ba/0x820
[ 58.259881][ T8445]  __slab_alloc.constprop.0+0xa7/0xf0
[ 58.265234][ T8445]  kmem_cache_alloc+0x372/0x3a0
[ 58.270153][ T8445]  __alloc_file+0x21/0x280
[ 58.274725][ T8445]  alloc_empty_file+0x6d/0x170
[ 58.279734][ T8445]  path_openat+0xde/0x27f0
[ 58.284323][ T8445]  do_filp_open+0x1aa/0x400
[ 58.288808][ T8445]  do_sys_openat2+0x16d/0x420
[ 58.293642][ T8445]  __x64_sys_open+0x119/0x1c0
[ 58.298303][ T8445]  do_syscall_64+0x35/0xb0
[ 58.302803][ T8445]  entry_SYSCALL_64_after_hwframe+0x44/0xae
[ 58.308686][ T8445] page last free stack trace:
[ 58.313965][ T8445]  free_pcp_prepare+0x2c5/0x780
[ 58.318805][ T8445]  free_unref_page+0x19/0x690
[ 58.323640][ T8445]  qlist_free_all+0x5a/0xc0
[ 58.328130][ T8445]  kasan_quarantine_reduce+0x180/0x200
[ 58.333573][ T8445]  __kasan_slab_alloc+0x8e/0xa0
[ 58.338407][ T8445]  __kmalloc+0x1f4/0x330
[ 58.342633][ T8445]  tomoyo_supervisor+0xce8/0xf00
[ 58.347551][ T8445]  tomoyo_path_permission+0x270/0x3a0
[ 58.352906][ T8445]  tomoyo_path_perm+0x2f0/0x400
[ 58.357736][ T8445]  security_inode_getattr+0xcf/0x140
[ 58.363004][ T8445]  vfs_statx+0x164/0x390
[ 58.367230][ T8445]  __do_sys_newlstat+0x91/0x110
[ 58.372069][ T8445]  do_syscall_64+0x35/0xb0
[ 58.376468][ T8445]  entry_SYSCALL_64_after_hwframe+0x44/0xae
[ 58.382350][ T8445]
[ 58.384654][ T8445] Memory state around the buggy address:
[ 58.390263][ T8445]  ffff888025a40900: 00 00 00 00 00 00 00 00 00 00 fc fc fc fc fc fc
[ 58.398305][ T8445]  ffff888025a40980: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 58.406552][ T8445] >ffff888025a40a00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 58.414763][ T8445]                                                                 ^
[ 58.422715][ T8445]  ffff888025a40a80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 58.430757][ T8445]  ffff888025a40b00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 58.438798][ T8445] ==================================================================
[ 58.446856][ T8445] Disabling lock debugging due to kernel taint
[ 58.453273][ T8445] Kernel panic - not syncing: panic_on_warn set ...
[ 58.459859][ T8445] CPU: 0 PID: 8445 Comm: syz-executor493 Tainted: G B 5.14.0-rc1-syzkaller #0
[ 58.469999][ T8445] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 58.480040][ T8445] Call Trace:
[ 58.483314][ T8445]  dump_stack_lvl+0xcd/0x134
[ 58.487897][ T8445]  panic+0x306/0x73d
[ 58.491775][ T8445]  ? __warn_printk+0xf3/0xf3
[ 58.496348][ T8445]  ? preempt_schedule_common+0x59/0xc0
[ 58.501792][ T8445]  ? filp_close+0x22/0x170
[ 58.506189][ T8445]  ? preempt_schedule_thunk+0x16/0x18
[ 58.511720][ T8445]  ? trace_hardirqs_on+0x38/0x1c0
[ 58.516728][ T8445]  ? trace_hardirqs_on+0x51/0x1c0
[ 58.521735][ T8445]  ? filp_close+0x22/0x170
[ 58.526133][ T8445]  ? filp_close+0x22/0x170
[ 58.530531][ T8445]  end_report.cold+0x5a/0x5a
[ 58.535108][ T8445]  kasan_report.cold+0x71/0xdf
[ 58.539854][ T8445]  ? filp_close+0x22/0x170
[ 58.544251][ T8445]  kasan_check_range+0x13d/0x180
[ 58.549171][ T8445]  filp_close+0x22/0x170
[ 58.553393][ T8445]  close_fd+0x5c/0x80
[ 58.557378][ T8445]  __x64_sys_close+0x2f/0xa0
[ 58.561950][ T8445]  do_syscall_64+0x35/0xb0
[ 58.566351][ T8445]  entry_SYSCALL_64_after_hwframe+0x44/0xae
[ 58.572231][ T8445] RIP: 0033:0x4021b3
[ 58.576105][ T8445] Code: c7 c2 c0 ff ff ff f7 d8 64 89 02 48 c7 c0 ff ff ff ff eb ba 0f 1f 00 64 8b 04 25 18 00 00 00 85 c0 75 14 b8 03 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 45 c3 0f 1f 40 00 48 83 ec 18 89 7c 24 0c e8
[ 58.595892][ T8445] RSP: 002b:00007ffe62cc73e8 EFLAGS: 00000246 ORIG_RAX: 0000000000000003
[ 58.604393][ T8445] RAX: ffffffffffffffda RBX: 0000000000000005 RCX: 00000000004021b3
[ 58.612442][ T8445] RDX: 0000000020000000 RSI: 0000000000000005 RDI: 0000000000000004
[ 58.620393][ T8445] RBP: 00007ffe62cc73f8 R08: 0000000000000004 R09: 00000000004aa000
[ 58.628343][ T8445] R10: 0000000000000000 R11: 0000000000000246 R12: 00007ffe62cc7400
[ 58.636305][ T8445] R13: 0000000000000000 R14: 00000000004ad018 R15: 0000000000400488
[ 58.650195][ T8445] Kernel Offset: disabled
[ 58.654509][ T8445] Rebooting in 86400 seconds..