Starting Permit User Sessions...
Starting OpenBSD Secure Shell server...
[ OK ] Started Permit User Sessions.
[ OK ] Started Getty on tty6.
[ OK ] Started Getty on tty2.
[ OK ] Started Getty on tty5.
[ OK ] Started Getty on tty4.
[ OK ] Started Getty on tty3.
[ OK ] Started Getty on tty1.
[ OK ] Started OpenBSD Secure Shell server.
Warning: Permanently added '10.128.0.70' (ECDSA) to the list of known hosts.
executing program
[*     ] A start job is running for dev-ttyS0.device (8s / 1min 30s)
[**    ] A start job is running for dev-ttyS0.device (9s / 1min 30s)
[***   ] A start job is running for dev-ttyS0.device (9s / 1min 30s)
[ ***  ] A start job is running for dev-ttyS0.device (10s / 1min 30s)
[  *** ] A start job is running for dev-ttyS0.device (11s / 1min 30s)
[   ***] A start job is running for dev-ttyS0.device (11s / 1min 30s)
[    * ] A start job is running for dev-ttyS0.device (12s / 1min 30s)
[ 19.618714][ T22] audit: type=1400 audit(1628065872.747:8): avc: denied { execmem } for pid=336 comm="syz-executor523" scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=process permissive=1
[ 19.657073][ T337] ==================================================================
[ 19.665176][ T337] BUG: KASAN: use-after-free in filp_close+0x31/0x140
[ 19.665183][ T337] Read of size 8 at addr ffff8881e5def3b8 by task syz-executor523/337
[ 19.665191][ T337]
[ 19.682340][ T337] CPU: 0 PID: 337 Comm: syz-executor523 Not tainted 5.4.125-syzkaller-00012-ge7e1f9adf836 #0
[ 19.692464][ T337] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 19.702505][ T337] Call Trace:
[ 19.705800][ T337]  dump_stack+0x1d8/0x24e
[ 19.710112][ T337]  ? show_regs_print_info+0x12/0x12
[ 19.715303][ T337]  ? printk+0xcf/0x114
[ 19.719698][ T337]  print_address_description+0x9b/0x650
[ 19.725229][ T337]  ? devkmsg_release+0x11c/0x11c
[ 19.730147][ T337]  __kasan_report+0x182/0x260
[ 19.734805][ T337]  ? filp_close+0x31/0x140
[ 19.739281][ T337]  kasan_report+0x30/0x60
[ 19.743601][ T337]  check_memory_region+0x2a5/0x2e0
[ 19.750077][ T337]  filp_close+0x31/0x140
[ 19.754303][ T337]  __x64_sys_close+0x62/0xc0
[ 19.758877][ T337]  do_syscall_64+0xcb/0x1e0
[ 19.764396][ T337]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 19.770267][ T337] RIP: 0033:0x4021c3
[ 19.774166][ T337] Code: c7 c2 c0 ff ff ff f7 d8 64 89 02 48 c7 c0 ff ff ff ff eb ba 0f 1f 00 64 8b 04 25 18 00 00 00 85 c0 75 14 b8 03 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 45 c3 0f 1f 40 00 48 83 ec 18 89 7c 24 0c e8
[ 19.795124][ T337] RSP: 002b:00007ffd256a6858 EFLAGS: 00000246 ORIG_RAX: 0000000000000003
[ 19.803531][ T337] RAX: ffffffffffffffda RBX: 0000000000000006 RCX: 00000000004021c3
[ 19.811492][ T337] RDX: 00000000200000c0 RSI: 0000000000000005 RDI: 0000000000000005
[ 19.820819][ T337] RBP: 00007ffd256a6868 R08: 0000000000000006 R09: 00000000004aa000
[ 19.828780][ T337] R10: 0000000000000000 R11: 0000000000000246 R12: 00007ffd256a6870
[ 19.836751][ T337] R13: 0000000000000000 R14: 00000000004ad018 R15: 0000000000400488
[ 19.844701][ T337]
[ 19.848386][ T337] Allocated by task 337:
[ 19.852613][ T337]  __kasan_kmalloc+0x137/0x1e0
[ 19.858372][ T337]  kmem_cache_alloc+0x115/0x290
[ 19.863199][ T337]  __alloc_file+0x26/0x380
[ 19.867591][ T337]  alloc_empty_file+0xa9/0x1b0
[ 19.872347][ T337]  alloc_file+0x57/0x4d0
[ 19.876564][ T337]  alloc_file_pseudo+0x272/0x300
[ 19.881467][ T337]  create_pipe_files+0x2de/0x620
[ 19.886377][ T337]  __do_pipe_flags+0x46/0x200
[ 19.891026][ T337]  do_pipe2+0xd0/0x300
[ 19.895065][ T337]  __x64_sys_pipe2+0x56/0x60
[ 19.899628][ T337]  do_syscall_64+0xcb/0x1e0
[ 19.904099][ T337]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 19.909951][ T337]
[ 19.912252][ T337] Freed by task 337:
[ 19.916116][ T337]  __kasan_slab_free+0x18a/0x240
[ 19.921021][ T337]  slab_free_freelist_hook+0x7b/0x150
[ 19.926361][ T337]  kfree+0xe0/0x660
[ 19.930137][ T337]  put_fs_context+0x57c/0x690
[ 19.934825][ T337]  fscontext_release+0x61/0x80
[ 19.939557][ T337]  __fput+0x27d/0x6c0
[ 19.943520][ T337]  task_work_run+0x186/0x1b0
[ 19.948074][ T337]  prepare_exit_to_usermode+0x2b0/0x310
[ 19.953584][ T337]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 19.959440][ T337]
[ 19.961737][ T337] The buggy address belongs to the object at ffff8881e5def380
[ 19.961737][ T337]  which belongs to the cache filp of size 280
[ 19.975148][ T337] The buggy address is located 56 bytes inside of
[ 19.975148][ T337]  280-byte region [ffff8881e5def380, ffff8881e5def498)
[ 19.988305][ T337] The buggy address belongs to the page:
[ 19.993904][ T337] page:ffffea0007977b80 refcount:1 mapcount:0 mapping:ffff8881f5cfa000 index:0x0 compound_mapcount: 0
[ 20.004791][ T337] flags: 0x8000000000010200(slab|head)
[ 20.010229][ T337] raw: 8000000000010200 dead000000000100 dead000000000122 ffff8881f5cfa000
[ 20.018779][ T337] raw: 0000000000000000 0000000080150015 00000001ffffffff 0000000000000000
[ 20.027336][ T337] page dumped because: kasan: bad access detected
[ 20.033711][ T337] page_owner tracks the page as allocated
[ 20.039411][ T337] page last allocated via order 1, migratetype Unmovable, gfp_mask 0xd20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC)
[ 20.054386][ T337]  prep_new_page+0x19a/0x380
[ 20.058939][ T337]  get_page_from_freelist+0x550/0x8b0
[ 20.064275][ T337]  __alloc_pages_nodemask+0x3a2/0x880
[ 20.069613][ T337]  alloc_slab_page+0x39/0x3e0
[ 20.074254][ T337]  new_slab+0x97/0x460
[ 20.078290][ T337]  ___slab_alloc+0x330/0x4c0
[ 20.082845][ T337]  kmem_cache_alloc+0x18b/0x290
[ 20.087659][ T337]  __alloc_file+0x26/0x380
[ 20.092052][ T337]  alloc_empty_file+0xa9/0x1b0
[ 20.096786][ T337]  path_openat+0x125/0x3da0
[ 20.101255][ T337]  do_filp_open+0x208/0x450
[ 20.105728][ T337]  do_sys_open+0x383/0x7c0
[ 20.110114][ T337]  do_syscall_64+0xcb/0x1e0
[ 20.114582][ T337]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 20.120434][ T337] page last free stack trace:
[ 20.125080][ T337]  __free_pages_ok+0xc60/0xd80
[ 20.129820][ T337]  __free_pages+0x8f/0x250
[ 20.134206][ T337]  __free_slab+0x237/0x2f0
[ 20.138593][ T337]  unfreeze_partials+0x14f/0x180
[ 20.143502][ T337]  put_cpu_partial+0xb5/0x150
[ 20.148322][ T337]  ___cache_free+0x352/0x4e0
[ 20.152881][ T337]  quarantine_reduce+0x17a/0x1e0
[ 20.157789][ T337]  __kasan_kmalloc+0x43/0x1e0
[ 20.162434][ T337]  __kmalloc+0x140/0x2f0
[ 20.166644][ T337]  tty_write+0x304/0x880
[ 20.170866][ T337]  __vfs_write+0x103/0x780
[ 20.175246][ T337]  vfs_write+0x212/0x4e0
[ 20.179455][ T337]  ksys_write+0x186/0x2b0
[ 20.183750][ T337]  do_syscall_64+0xcb/0x1e0
[ 20.188226][ T337]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 20.194080][ T337]
[ 20.196373][ T337] Memory state around the buggy address:
[ 20.201970][ T337]  ffff8881e5def280: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 20.210000][ T337]  ffff8881e5def300: 00 00 00 fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 20.218044][ T337] >ffff8881e5def38