[ OK ] Started Getty on tty2.
[ OK ] Started Serial Getty on ttyS0.
[ OK ] Started Getty on tty1.
[ OK ] Reached target Login Prompts.
[ OK ] Reached target Multi-User System.
[ OK ] Reached target Graphical Interface.
Starting Update UTMP about System Runlevel Changes...
[ OK ] Started Update UTMP about System Runlevel Changes.
Starting Load/Save RF Kill Switch Status...
[ OK ] Started Load/Save RF Kill Switch Status.

Debian GNU/Linux 9 syzkaller ttyS0

Warning: Permanently added '10.128.15.200' (ECDSA) to the list of known hosts.
executing program
syzkaller login: [ 61.969619][ T7028] L1TF CPU bug present and SMT on, data leak possible. See CVE-2018-3646 and https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/l1tf.html for details.
[ 62.012401][ T7028] ==================================================================
[ 62.020742][ T7028] BUG: KASAN: slab-out-of-bounds in __kvm_gfn_to_hva_cache_init+0x5fb/0x670
[ 62.029589][ T7028] Read of size 8 at addr ffff8880a70b1468 by task syz-executor080/7028
[ 62.038571][ T7028]
[ 62.040990][ T7028] CPU: 1 PID: 7028 Comm: syz-executor080 Not tainted 5.6.0-syzkaller #0
[ 62.050549][ T7028] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 62.060913][ T7028] Call Trace:
[ 62.064454][ T7028]  dump_stack+0x188/0x20d
[ 62.068788][ T7028]  print_address_description.constprop.0.cold+0xd3/0x315
[ 62.076190][ T7028]  ? __kvm_gfn_to_hva_cache_init+0x5fb/0x670
[ 62.082177][ T7028]  __kasan_report.cold+0x35/0x4d
[ 62.087126][ T7028]  ? __kvm_gfn_to_hva_cache_init+0x5fb/0x670
[ 62.093357][ T7028]  ? __kvm_gfn_to_hva_cache_init+0x5fb/0x670
[ 62.099349][ T7028]  kasan_report+0x33/0x50
[ 62.103869][ T7028]  __kvm_gfn_to_hva_cache_init+0x5fb/0x670
[ 62.110341][ T7028]  ? __kvm_write_guest_page+0x170/0x170
[ 62.115973][ T7028]  kvm_lapic_set_vapic_addr+0x88/0x180
[ 62.121965][ T7028]  kvm_arch_vcpu_ioctl+0xf0d/0x2c20
[ 62.127434][ T7028]  ? kvm_arch_vcpu_put+0x530/0x530
[ 62.132733][ T7028]  ? lock_acquire+0x1f2/0x8f0
[ 62.137417][ T7028]  ? kvm_vcpu_ioctl+0x175/0xe60
[ 62.143080][ T7028]  ? lock_release+0x800/0x800
[ 62.147854][ T7028]  ? find_held_lock+0x2d/0x110
[ 62.152626][ T7028]  ? __mutex_lock+0x458/0x13c0
[ 62.157779][ T7028]  ? kfree+0x1eb/0x2b0
[ 62.161868][ T7028]  ? kvm_vcpu_ioctl+0x175/0xe60
[ 62.168085][ T7028]  ? mutex_trylock+0x2c0/0x2c0
[ 62.173153][ T7028]  ? tomoyo_execute_permission+0x470/0x470
[ 62.179125][ T7028]  kvm_vcpu_ioctl+0x866/0xe60
[ 62.184294][ T7028]  ? kvm_get_dirty_log_protect.isra.0+0x670/0x670
[ 62.190975][ T7028]  ? ioctl_file_clone+0x180/0x180
[ 62.196453][ T7028]  ? rcu_read_lock_sched_held+0x9c/0xd0
[ 62.202988][ T7028]  ? rcu_read_lock_any_held.part.0+0x50/0x50
[ 62.209892][ T7028]  ? __blkcg_punt_bio_submit+0x1d0/0x1d0
[ 62.216525][ T7028]  ? kvm_get_dirty_log_protect.isra.0+0x670/0x670
[ 62.223490][ T7028]  ksys_ioctl+0x11a/0x180
[ 62.227982][ T7028]  __x64_sys_ioctl+0x6f/0xb0
[ 62.232662][ T7028]  ? lockdep_hardirqs_on+0x463/0x620
[ 62.238214][ T7028]  do_syscall_64+0xf6/0x7d0
[ 62.243898][ T7028]  entry_SYSCALL_64_after_hwframe+0x49/0xb3
[ 62.250195][ T7028] RIP: 0033:0x4401c9
[ 62.254243][ T7028] Code: 18 89 d0 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 fb 13 fc ff c3 66 2e 0f 1f 84 00 00 00 00
[ 62.275613][ T7028] RSP: 002b:00007ffc2295e068 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[ 62.286858][ T7028] RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 00000000004401c9
[ 62.296070][ T7028] RDX: 0000000020000000 RSI: 000000004008ae93 RDI: 0000000000000005
[ 62.305166][ T7028] RBP: 00000000006ca018 R08: 00000000004002c8 R09: 00000000004002c8
[ 62.314530][ T7028] R10: 00000000004002c8 R11: 0000000000000246 R12: 0000000000401a50
[ 62.323476][ T7028] R13: 0000000000401ae0 R14: 0000000000000000 R15: 0000000000000000
[ 62.331857][ T7028]
[ 62.334655][ T7028] Allocated by task 7028:
[ 62.339172][ T7028]  save_stack+0x1b/0x80
[ 62.343329][ T7028]  __kasan_kmalloc.constprop.0+0xbf/0xd0
[ 62.349741][ T7028]  kvmalloc_node+0x61/0xf0
[ 62.354525][ T7028]  kvm_set_memslot+0x115/0x1530
[ 62.359725][ T7028]  __kvm_set_memory_region+0xcf7/0x1320
[ 62.365282][ T7028]  __x86_set_memory_region+0x2a3/0x5a0
[ 62.371669][ T7028]  vmx_create_vcpu+0x2107/0x2b40
[ 62.377479][ T7028]  kvm_arch_vcpu_create+0x6ef/0xb80
[ 62.383241][ T7028]  kvm_vm_ioctl+0x15f7/0x23e0
[ 62.388316][ T7028]  ksys_ioctl+0x11a/0x180
[ 62.392653][ T7028]  __x64_sys_ioctl+0x6f/0xb0
[ 62.398102][ T7028]  do_syscall_64+0xf6/0x7d0
[ 62.403152][ T7028]  entry_SYSCALL_64_after_hwframe+0x49/0xb3
[ 62.409420][ T7028]
[ 62.411870][ T7028] Freed by task 0:
[ 62.415582][ T7028] (stack is not available)
[ 62.420491][ T7028]
[ 62.422823][ T7028] The buggy address belongs to the object at ffff8880a70b1000
[ 62.422823][ T7028]  which belongs to the cache kmalloc-2k of size 2048
[ 62.437207][ T7028] The buggy address is located 1128 bytes inside of
[ 62.437207][ T7028]  2048-byte region [ffff8880a70b1000, ffff8880a70b1800)
[ 62.452136][ T7028] The buggy address belongs to the page:
[ 62.459139][ T7028] page:ffffea00029c2c40 refcount:1 mapcount:0 mapping:0000000069244dce index:0x0
[ 62.468991][ T7028] flags: 0xfffe0000000200(slab)
[ 62.474196][ T7028] raw: 00fffe0000000200 ffffea00024d90c8 ffffea00027c0ec8 ffff8880aa000e00
[ 62.483975][ T7028] raw: 0000000000000000 ffff8880a70b1000 0000000100000001 0000000000000000
[ 62.493216][ T7028] page dumped because: kasan: bad access detected
[ 62.500156][ T7028]
[ 62.502691][ T7028] Memory state around the buggy address:
[ 62.508702][ T7028]  ffff8880a70b1300: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 62.517336][ T7028]  ffff8880a70b1380: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 62.526392][ T7028] >ffff8880a70b1400: 00 00 00 00 00 00 00 00 00 00 00 00 00 fc fc fc
[ 62.536055][ T7028]                                             ^
[ 62.544779][ T7028]  ffff8880a70b1480: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 62.553026][ T7028]  ffff8880a70b1500: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 62.561289][ T7028] ==================================================================
[ 62.569484][ T7028] Disabling lock debugging due to kernel taint
[ 62.576346][ T7028] Kernel panic - not syncing: panic_on_warn set ...
[ 62.583986][ T7028] CPU: 1 PID: 7028 Comm: syz-executor080 Tainted: G B 5.6.0-syzkaller #0
[ 62.594352][ T7028] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 62.605043][ T7028] Call Trace:
[ 62.608446][ T7028]  dump_stack+0x188/0x20d
[ 62.612855][ T7028]  panic+0x2e3/0x75c
[ 62.616749][ T7028]  ? add_taint.cold+0x16/0x16
[ 62.621660][ T7028]  ? preempt_schedule_common+0x5e/0xc0
[ 62.627410][ T7028]  ? __kvm_gfn_to_hva_cache_init+0x5fb/0x670
[ 62.633678][ T7028]  ? preempt_schedule_thunk+0x16/0x18
[ 62.639306][ T7028]  ? trace_hardirqs_on+0x55/0x220
[ 62.645129][ T7028]  ? __kvm_gfn_to_hva_cache_init+0x5fb/0x670
[ 62.652168][ T7028]  end_report+0x43/0x49
[ 62.656953][ T7028]  __kasan_report.cold+0xd/0x4d
[ 62.662165][ T7028]  ? __kvm_gfn_to_hva_cache_init+0x5fb/0x670
[ 62.668880][ T7028]  ? __kvm_gfn_to_hva_cache_init+0x5fb/0x670
[ 62.675458][ T7028]  kasan_report+0x33/0x50
[ 62.680393][ T7028]  __kvm_gfn_to_hva_cache_init+0x5fb/0x670
[ 62.686495][ T7028]  ? __kvm_write_guest_page+0x170/0x170
[ 62.693072][ T7028]  kvm_lapic_set_vapic_addr+0x88/0x180
[ 62.699649][ T7028]  kvm_arch_vcpu_ioctl+0xf0d/0x2c20
[ 62.705338][ T7028]  ? kvm_arch_vcpu_put+0x530/0x530
[ 62.710448][ T7028]  ? lock_acquire+0x1f2/0x8f0
[ 62.715206][ T7028]  ? kvm_vcpu_ioctl+0x175/0xe60
[ 62.720142][ T7028]  ? lock_release+0x800/0x800
[ 62.724950][ T7028]  ? find_held_lock+0x2d/0x110
[ 62.729802][ T7028]  ? __mutex_lock+0x458/0x13c0
[ 62.734572][ T7028]  ? kfree+0x1eb/0x2b0
[ 62.738705][ T7028]  ? kvm_vcpu_ioctl+0x175/0xe60
[ 62.744754][ T7028]  ? mutex_trylock+0x2c0/0x2c0
[ 62.749820][ T7028]  ? tomoyo_execute_permission+0x470/0x470
[ 62.755811][ T7028]  kvm_vcpu_ioctl+0x866/0xe60
[ 62.760714][ T7028]  ? kvm_get_dirty_log_protect.isra.0+0x670/0x670
[ 62.768019][ T7028]  ? ioctl_file_clone+0x180/0x180
[ 62.773257][ T7028]  ? rcu_read_lock_sched_held+0x9c/0xd0
[ 62.778839][ T7028]  ? rcu_read_lock_any_held.part.0+0x50/0x50
[ 62.784823][ T7028]  ? __blkcg_punt_bio_submit+0x1d0/0x1d0
[ 62.790459][ T7028]  ? kvm_get_dirty_log_protect.isra.0+0x670/0x670
[ 62.797034][ T7028]  ksys_ioctl+0x11a/0x180
[ 62.801364][ T7028]  __x64_sys_ioctl+0x6f/0xb0
[ 62.805959][ T7028]  ? lockdep_hardirqs_on+0x463/0x620
[ 62.811300][ T7028]  do_syscall_64+0xf6/0x7d0
[ 62.815807][ T7028]  entry_SYSCALL_64_after_hwframe+0x49/0xb3
[ 62.821700][ T7028] RIP: 0033:0x4401c9
[ 62.825590][ T7028] Code: 18 89 d0 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 fb 13 fc ff c3 66 2e 0f 1f 84 00 00 00 00
[ 62.846409][ T7028] RSP: 002b:00007ffc2295e068 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[ 62.854831][ T7028] RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 00000000004401c9
[ 62.862807][ T7028] RDX: 0000000020000000 RSI: 000000004008ae93 RDI: 0000000000000005
[ 62.870818][ T7028] RBP: 00000000006ca018 R08: 00000000004002c8 R09: 00000000004002c8
[ 62.878941][ T7028] R10: 00000000004002c8 R11: 0000000000000246 R12: 0000000000401a50
[ 62.886916][ T7028] R13: 0000000000401ae0 R14: 0000000000000000 R15: 0000000000000000
[ 62.896520][ T7028] Kernel Offset: disabled
[ 62.900860][ T7028] Rebooting in 86400 seconds..