[ OK ] Reached target Multi-User System.
[ OK ] Reached target Graphical Interface.
Starting Update UTMP about System Runlevel Changes...
[ OK ] Started Update UTMP about System Runlevel Changes.
Starting Load/Save RF Kill Switch Status...
Debian GNU/Linux 9 syzkaller ttyS0
Warning: Permanently added '10.128.1.33' (ECDSA) to the list of known hosts.
executing program
syzkaller login: [ 60.172199][ T6820] IPVS: ftp: loaded support on port[0] = 21
[ 60.286186][ T6820] ==================================================================
[ 60.294381][ T6820] BUG: KASAN: use-after-free in sock_def_write_space+0x609/0x630
[ 60.302080][ T6820] Read of size 8 at addr ffff888098e95b00 by task syz-executor311/6820
[ 60.310417][ T6820]
[ 60.312744][ T6820] CPU: 1 PID: 6820 Comm: syz-executor311 Not tainted 5.8.0-rc6-syzkaller #0
[ 60.321390][ T6820] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 60.331441][ T6820] Call Trace:
[ 60.334755][ T6820]  dump_stack+0x18f/0x20d
[ 60.339089][ T6820]  ? sock_def_write_space+0x609/0x630
[ 60.344438][ T6820]  ? sock_def_write_space+0x609/0x630
[ 60.349810][ T6820]  print_address_description.constprop.0.cold+0xae/0x436
[ 60.356857][ T6820]  ? lockdep_hardirqs_off+0x66/0xa0
[ 60.362045][ T6820]  ? vprintk_func+0x97/0x1a6
[ 60.366662][ T6820]  ? sock_def_write_space+0x609/0x630
[ 60.372009][ T6820]  kasan_report.cold+0x1f/0x37
[ 60.376787][ T6820]  ? sock_def_write_space+0x609/0x630
[ 60.382138][ T6820]  sock_def_write_space+0x609/0x630
[ 60.387323][ T6820]  ? kfree_skb+0x7d/0x100
[ 60.391631][ T6820]  ? qrtr_tun_poll+0xf0/0xf0
[ 60.396201][ T6820]  sock_wfree+0x1cc/0x240
[ 60.400527][ T6820]  ? __sk_receive_skb+0x830/0x830
[ 60.405538][ T6820]  skb_release_head_state+0x9f/0x250
[ 60.410815][ T6820]  kfree_skb.part.0+0x89/0x350
[ 60.415560][ T6820]  kfree_skb+0x7d/0x100
[ 60.419714][ T6820]  skb_queue_purge+0x14/0x30
[ 60.424285][ T6820]  qrtr_tun_release+0x40/0x60
[ 60.429639][ T6820]  __fput+0x33c/0x880
[ 60.434237][ T6820]  task_work_run+0xdd/0x190
[ 60.438725][ T6820]  __prepare_exit_to_usermode+0x1e9/0x1f0
[ 60.444428][ T6820]  do_syscall_64+0x6c/0xe0
[ 60.448826][ T6820]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 60.454695][ T6820] RIP: 0033:0x401040
[ 60.458561][ T6820] Code: Bad RIP value.
[ 60.462602][ T6820] RSP: 002b:00007ffe13aa3738 EFLAGS: 00000246 ORIG_RAX: 0000000000000003
[ 60.471008][ T6820] RAX: 0000000000000000 RBX: 0000000000000007 RCX: 0000000000401040
[ 60.478983][ T6820] RDX: 0000000000000000 RSI: 0000000020000180 RDI: 0000000000000006
[ 60.486935][ T6820] RBP: 00007ffe13aa3740 R08: 0000000120080522 R09: 0000000120080522
[ 60.494952][ T6820] R10: 0000000000000000 R11: 0000000000000246 R12: 00000000004a5ff0
[ 60.502914][ T6820] R13: 0000000000402150 R14: 0000000000000000 R15: 0000000000000000
[ 60.510874][ T6820]
[ 60.513196][ T6820] Allocated by task 6820:
[ 60.517525][ T6820]  save_stack+0x1b/0x40
[ 60.521657][ T6820]  __kasan_kmalloc.constprop.0+0xc2/0xd0
[ 60.527266][ T6820]  kmem_cache_alloc+0x12c/0x3b0
[ 60.532114][ T6820]  sock_alloc_inode+0x18/0x1c0
[ 60.536870][ T6820]  alloc_inode+0x61/0x230
[ 60.541190][ T6820]  new_inode_pseudo+0x14/0xe0
[ 60.545846][ T6820]  sock_alloc+0x3c/0x260
[ 60.550078][ T6820]  __sock_create+0xb9/0x740
[ 60.554573][ T6820]  __sys_socket+0xef/0x200
[ 60.558980][ T6820]  __x64_sys_socket+0x6f/0xb0
[ 60.563635][ T6820]  do_syscall_64+0x60/0xe0
[ 60.568049][ T6820]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 60.574036][ T6820]
[ 60.576347][ T6820] Freed by task 0:
[ 60.580084][ T6820]  save_stack+0x1b/0x40
[ 60.584216][ T6820]  __kasan_slab_free+0xf5/0x140
[ 60.589047][ T6820]  kmem_cache_free+0x7f/0x310
[ 60.593702][ T6820]  i_callback+0x3f/0x70
[ 60.597854][ T6820]  rcu_core+0x5c7/0x1160
[ 60.602076][ T6820]  __do_softirq+0x34c/0xa60
[ 60.606547][ T6820]
[ 60.608853][ T6820] The buggy address belongs to the object at ffff888098e95a80
[ 60.608853][ T6820]  which belongs to the cache sock_inode_cache of size 1216
[ 60.623569][ T6820] The buggy address is located 128 bytes inside of
[ 60.623569][ T6820]  1216-byte region [ffff888098e95a80, ffff888098e95f40)
[ 60.636915][ T6820] The buggy address belongs to the page:
[ 60.642538][ T6820] page:ffffea000263a540 refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff888098e95ffd
[ 60.652939][ T6820] flags: 0xfffe0000000200(slab)
[ 60.657807][ T6820] raw: 00fffe0000000200 ffffea000263c588 ffffea000263cec8 ffff8880a97b48c0
[ 60.666379][ T6820] raw: ffff888098e95ffd ffff888098e95000 0000000100000003 0000000000000000
[ 60.674981][ T6820] page dumped because: kasan: bad access detected
[ 60.681369][ T6820]
[ 60.683671][ T6820] Memory state around the buggy address:
[ 60.689280][ T6820]  ffff888098e95a00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 60.697327][ T6820]  ffff888098e95a80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 60.705373][ T6820] >ffff888098e95b00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 60.713438][ T6820]                    ^
[ 60.717525][ T6820]  ffff888098e95b80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 60.725613][ T6820]  ffff888098e95c00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 60.733656][ T6820] ==================================================================
[ 60.741706][ T6820] Disabling lock debugging due to kernel taint
[ 60.755180][ T6820] Kernel panic - not syncing: panic_on_warn set ...
[ 60.761794][ T6820] CPU: 1 PID: 6820 Comm: syz-executor311 Tainted: G B 5.8.0-rc6-syzkaller #0
[ 60.771901][ T6820] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 60.782047][ T6820] Call Trace:
[ 60.785625][ T6820]  dump_stack+0x18f/0x20d
[ 60.789942][ T6820]  ? sock_def_write_space+0x5d0/0x630
[ 60.795295][ T6820]  panic+0x2e3/0x75c
[ 60.799171][ T6820]  ? __warn_printk+0xf3/0xf3
[ 60.803812][ T6820]  ? preempt_schedule_common+0x59/0xc0
[ 60.809296][ T6820]  ? sock_def_write_space+0x609/0x630
[ 60.814676][ T6820]  ? preempt_schedule_thunk+0x16/0x18
[ 60.820028][ T6820]  ? trace_hardirqs_on+0x55/0x220
[ 60.825038][ T6820]  ? sock_def_write_space+0x609/0x630
[ 60.830392][ T6820]  ? sock_def_write_space+0x609/0x630
[ 60.835742][ T6820]  end_report+0x4d/0x53
[ 60.839877][ T6820]  kasan_report.cold+0xd/0x37
[ 60.844554][ T6820]  ? sock_def_write_space+0x609/0x630
[ 60.849905][ T6820]  sock_def_write_space+0x609/0x630
[ 60.855104][ T6820]  ? kfree_skb+0x7d/0x100
[ 60.859425][ T6820]  ? qrtr_tun_poll+0xf0/0xf0
[ 60.863997][ T6820]  sock_wfree+0x1cc/0x240
[ 60.868327][ T6820]  ? __sk_receive_skb+0x830/0x830
[ 60.873328][ T6820]  skb_release_head_state+0x9f/0x250
[ 60.878605][ T6820]  kfree_skb.part.0+0x89/0x350
[ 60.883343][ T6820]  kfree_skb+0x7d/0x100
[ 60.887483][ T6820]  skb_queue_purge+0x14/0x30
[ 60.892050][ T6820]  qrtr_tun_release+0x40/0x60
[ 60.896708][ T6820]  __fput+0x33c/0x880
[ 60.900764][ T6820]  task_work_run+0xdd/0x190
[ 60.905264][ T6820]  __prepare_exit_to_usermode+0x1e9/0x1f0
[ 60.910963][ T6820]  do_syscall_64+0x6c/0xe0
[ 60.915393][ T6820]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 60.921285][ T6820] RIP: 0033:0x401040
[ 60.925150][ T6820] Code: Bad RIP value.
[ 60.929206][ T6820] RSP: 002b:00007ffe13aa3738 EFLAGS: 00000246 ORIG_RAX: 0000000000000003
[ 60.937609][ T6820] RAX: 0000000000000000 RBX: 0000000000000007 RCX: 0000000000401040
[ 60.945577][ T6820] RDX: 0000000000000000 RSI: 0000000020000180 RDI: 0000000000000006
[ 60.953530][ T6820] RBP: 00007ffe13aa3740 R08: 0000000120080522 R09: 0000000120080522
[ 60.961591][ T6820] R10: 0000000000000000 R11: 0000000000000246 R12: 00000000004a5ff0
[ 60.969541][ T6820] R13: 0000000000402150 R14: 0000000000000000 R15: 0000000000000000
[ 60.978581][ T6820] Kernel Offset: disabled
[ 60.982904][ T6820] Rebooting in 86400 seconds..