[ OK ] Reached target Graphical Interface.
Starting Update UTMP about System Runlevel Changes...
[ OK ] Started Update UTMP about System Runlevel Changes.
Starting Load/Save RF Kill Switch Status...
[ OK ] Started Load/Save RF Kill Switch Status.
Debian GNU/Linux 9 syzkaller ttyS0
Warning: Permanently added '10.128.0.224' (ECDSA) to the list of known hosts.
executing program
executing program
syzkaller login: [ 36.087116] ==================================================================
[ 36.094560] BUG: KASAN: use-after-free in __list_add_valid+0x81/0xa0
[ 36.101086] Read of size 8 at addr ffff88808dfc1980 by task syz-executor133/8113
[ 36.108596]
[ 36.110209] CPU: 0 PID: 8113 Comm: syz-executor133 Not tainted 4.19.172-syzkaller #0
[ 36.118107] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 36.127451] Call Trace:
[ 36.130033] dump_stack+0x1fc/0x2ef
[ 36.133665] print_address_description.cold+0x54/0x219
[ 36.138926] kasan_report_error.cold+0x8a/0x1b9
[ 36.143597] ? __list_add_valid+0x81/0xa0
[ 36.147733] __asan_report_load8_noabort+0x88/0x90
[ 36.152659] ? __list_add_valid+0x81/0xa0
[ 36.156789] __list_add_valid+0x81/0xa0
[ 36.160757] chrdev_open+0x4b9/0x770
[ 36.164463] ? __register_chrdev+0x400/0x400
[ 36.168873] do_dentry_open+0x4aa/0x1160
[ 36.172924] ? __register_chrdev+0x400/0x400
[ 36.177339] ? inode_permission.part.0+0x10c/0x450
[ 36.182262] ? chown_common+0x550/0x550
[ 36.186222] ? inode_permission+0x3d/0x140
[ 36.190446] path_openat+0x793/0x2df0
[ 36.194236] ? path_lookupat+0x8d0/0x8d0
[ 36.198295] ? mark_held_locks+0xf0/0xf0
[ 36.202342] do_filp_open+0x18c/0x3f0
[ 36.206126] ? may_open_dev+0xf0/0xf0
[ 36.209914] ? lock_downgrade+0x720/0x720
[ 36.214070] ? lock_acquire+0x170/0x3c0
[ 36.218064] ? __alloc_fd+0x34/0x570
[ 36.221765] ? do_raw_spin_unlock+0x171/0x230
[ 36.226249] ? _raw_spin_unlock+0x29/0x40
[ 36.230469] ? __alloc_fd+0x28d/0x570
[ 36.234269] do_sys_open+0x3b3/0x520
[ 36.237979] ? filp_open+0x70/0x70
[ 36.241504] ? entry_SYSCALL_64_after_hwframe+0x3e/0xbe
[ 36.246864] ? trace_hardirqs_off_caller+0x6e/0x210
[ 36.251864] ? do_syscall_64+0x21/0x620
[ 36.255822] do_syscall_64+0xf9/0x620
[ 36.259616] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 36.264797] RIP: 0033:0x446849
[ 36.267993] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 41 15 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
[ 36.286889] RSP: 002b:00007fbaae0db2f8 EFLAGS: 00000246 ORIG_RAX: 0000000000000055
[ 36.294579] RAX: ffffffffffffffda RBX: 00000000004d0530 RCX: 0000000000446849
[ 36.301844] RDX: 00007fbaae0db700 RSI: 0000000000000000 RDI: 00000000200001c0
[ 36.309115] RBP: 00000000004a013c R08: 00007fbaae0db700 R09: 0000000000000000
[ 36.316366] R10: 00007fbaae0db700 R11: 0000000000000246 R12: 0030656c69662f2e
[ 36.323618] R13: 000000000049e138 R14: 2f30656c69662f2e R15: 00000000004d0538
[ 36.330875]
[ 36.332493] Allocated by task 8104:
[ 36.336109] kmem_cache_alloc+0x122/0x370
[ 36.340240] fuse_alloc_inode+0x1d/0x3f0
[ 36.344282] alloc_inode+0x5d/0x180
[ 36.347887] iget5_locked+0x57/0xd0
[ 36.351500] fuse_iget+0x1a6/0x800
[ 36.355029] fuse_lookup_name+0x413/0x5c0
[ 36.359174] fuse_lookup+0xdf/0x410
[ 36.362793] fuse_atomic_open+0x20a/0x330
[ 36.366923] lookup_open+0x1023/0x1a20
[ 36.370800] path_openat+0x1094/0x2df0
[ 36.374666] do_filp_open+0x18c/0x3f0
[ 36.378448] do_sys_open+0x3b3/0x520
[ 36.382144] do_syscall_64+0xf9/0x620
[ 36.385931] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 36.391109]
[ 36.392727] Freed by task 0:
[ 36.395740] kmem_cache_free+0x7f/0x260
[ 36.399706] rcu_process_callbacks+0x8ff/0x18b0
[ 36.404355] __do_softirq+0x265/0x980
[ 36.408131]
[ 36.409740] The buggy address belongs to the object at ffff88808dfc1600
[ 36.409740] which belongs to the cache fuse_inode of size 1264
[ 36.422526] The buggy address is located 896 bytes inside of
[ 36.422526] 1264-byte region [ffff88808dfc1600, ffff88808dfc1af0)
[ 36.434468] The buggy address belongs to the page:
[ 36.439381] page:ffffea000237f040 count:1 mapcount:0 mapping:ffff888239712c80 index:0xffff88808dfc1ffe
[ 36.448805] flags: 0xfff00000000100(slab)
[ 36.452950] raw: 00fff00000000100 ffffea000237da48 ffff8880b0e3b648 ffff888239712c80
[ 36.460976] raw: ffff88808dfc1ffe ffff88808dfc1080 0000000100000002 0000000000000000
[ 36.468836] page dumped because: kasan: bad access detected
[ 36.474525]
[ 36.476131] Memory state around the buggy address:
[ 36.481047] ffff88808dfc1880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 36.488398] ffff88808dfc1900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 36.495741] >ffff88808dfc1980: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 36.503563] ^
[ 36.506925] ffff88808dfc1a00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 36.514266] ffff88808dfc1a80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fc fc
[ 36.521607] ==================================================================
[ 36.528962] Disabling lock debugging due to kernel taint
[ 36.534513] Kernel panic - not syncing: panic_on_warn set ...
[ 36.534513]
[ 36.541890] CPU: 0 PID: 8113 Comm: syz-executor133 Tainted: G B 4.19.172-syzkaller #0
[ 36.551158] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 36.560505] Call Trace:
[ 36.563122] dump_stack+0x1fc/0x2ef
[ 36.566752] panic+0x26a/0x50e
[ 36.569958] ? __warn_printk+0xf3/0xf3
[ 36.573848] ? retint_kernel+0x2d/0x2d
[ 36.577725] ? trace_hardirqs_on+0x55/0x210
[ 36.582030] kasan_end_report+0x43/0x49
[ 36.585986] kasan_report_error.cold+0xa7/0x1b9
[ 36.590639] ? __list_add_valid+0x81/0xa0
[ 36.594771] __asan_report_load8_noabort+0x88/0x90
[ 36.599697] ? __list_add_valid+0x81/0xa0
[ 36.603828] __list_add_valid+0x81/0xa0
[ 36.607799] chrdev_open+0x4b9/0x770
[ 36.611503] ? __register_chrdev+0x400/0x400
[ 36.615936] do_dentry_open+0x4aa/0x1160
[ 36.619987] ? __register_chrdev+0x400/0x400
[ 36.624393] ? inode_permission.part.0+0x10c/0x450
[ 36.629305] ? chown_common+0x550/0x550
[ 36.633380] ? inode_permission+0x3d/0x140
[ 36.637607] path_openat+0x793/0x2df0
[ 36.641396] ? path_lookupat+0x8d0/0x8d0
[ 36.645441] ? mark_held_locks+0xf0/0xf0
[ 36.649485] do_filp_open+0x18c/0x3f0
[ 36.653304] ? may_open_dev+0xf0/0xf0
[ 36.657096] ? lock_downgrade+0x720/0x720
[ 36.661224] ? lock_acquire+0x170/0x3c0
[ 36.665199] ? __alloc_fd+0x34/0x570
[ 36.668907] ? do_raw_spin_unlock+0x171/0x230
[ 36.673392] ? _raw_spin_unlock+0x29/0x40
[ 36.677518] ? __alloc_fd+0x28d/0x570
[ 36.681311] do_sys_open+0x3b3/0x520
[ 36.685021] ? filp_open+0x70/0x70
[ 36.688562] ? entry_SYSCALL_64_after_hwframe+0x3e/0xbe
[ 36.693925] ? trace_hardirqs_off_caller+0x6e/0x210
[ 36.698935] ? do_syscall_64+0x21/0x620
[ 36.702904] do_syscall_64+0xf9/0x620
[ 36.706696] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 36.711876] RIP: 0033:0x446849
[ 36.715066] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 41 15 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
[ 36.733961] RSP: 002b:00007fbaae0db2f8 EFLAGS: 00000246 ORIG_RAX: 0000000000000055
[ 36.741675] RAX: ffffffffffffffda RBX: 00000000004d0530 RCX: 0000000000446849
[ 36.748943] RDX: 00007fbaae0db700 RSI: 0000000000000000 RDI: 00000000200001c0
[ 36.756200] RBP: 00000000004a013c R08: 00007fbaae0db700 R09: 0000000000000000
[ 36.763471] R10: 00007fbaae0db700 R11: 0000000000000246 R12: 0030656c69662f2e
[ 36.770735] R13: 000000000049e138 R14: 2f30656c69662f2e R15: 00000000004d0538
[ 36.778633] Kernel Offset: disabled
[ 36.782244] Rebooting in 86400 seconds..