Debian GNU/Linux 9 syzkaller ttyS0
Warning: Permanently added '10.128.0.84' (ECDSA) to the list of known hosts.
executing program
syzkaller login: [   62.945138][ T8511] ==================================================================
[   62.953331][ T8511] BUG: KASAN: use-after-free in io_uring_show_cred+0x5bb/0x5f0
[   62.960864][ T8511] Read of size 8 at addr ffff8880132a04a0 by task syz-executor141/8511
[   62.969073][ T8511] 
[   62.971390][ T8511] CPU: 0 PID: 8511 Comm: syz-executor141 Not tainted 5.10.0-rc2-syzkaller #0
[   62.980124][ T8511] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   62.990159][ T8511] Call Trace:
[   62.993435][ T8511]  dump_stack+0x107/0x163
[   62.997747][ T8511]  ? io_uring_show_cred+0x5bb/0x5f0
[   63.002925][ T8511]  ? io_uring_show_cred+0x5bb/0x5f0
[   63.008148][ T8511]  print_address_description.constprop.0.cold+0xae/0x4c8
[   63.015172][ T8511]  ? _raw_spin_lock_irqsave+0x4e/0x50
[   63.020528][ T8511]  ? vprintk_func+0x95/0x1e0
[   63.025105][ T8511]  ? io_uring_show_cred+0x5bb/0x5f0
[   63.030280][ T8511]  ? io_uring_show_cred+0x5bb/0x5f0
[   63.035471][ T8511]  kasan_report.cold+0x1f/0x37
[   63.040220][ T8511]  ? io_uring_show_cred+0x5bb/0x5f0
[   63.045401][ T8511]  io_uring_show_cred+0x5bb/0x5f0
[   63.050412][ T8511]  ? __bpf_trace_io_uring_task_add+0x40/0x40
[   63.056377][ T8511]  idr_for_each+0x113/0x220
[   63.060865][ T8511]  ? idr_find+0x50/0x50
[   63.065008][ T8511]  ? io_uring_show_fdinfo+0x8b8/0xda0
[   63.070386][ T8511]  io_uring_show_fdinfo+0x923/0xda0
[   63.075572][ T8511]  ? percpu_ref_put_many+0x260/0x260
[   63.080838][ T8511]  seq_show+0x4a8/0x700
[   63.084996][ T8511]  seq_read+0x432/0x1070
[   63.089237][ T8511]  do_iter_read+0x48e/0x6e0
[   63.093748][ T8511]  vfs_readv+0xe5/0x150
[   63.097887][ T8511]  ? vfs_iter_read+0xa0/0xa0
[   63.102459][ T8511]  ? rcu_read_lock_sched_held+0x3a/0x70
[   63.108007][ T8511]  ? putname+0xe1/0x120
[   63.112146][ T8511]  ? do_sys_openat2+0xa1/0x420
[   63.116890][ T8511]  ? build_open_flags+0x650/0x650
[   63.121908][ T8511]  __x64_sys_preadv+0x231/0x310
[   63.126741][ T8511]  ? __ia32_sys_writev+0xb0/0xb0
[   63.131680][ T8511]  ? syscall_enter_from_user_mode+0x1d/0x50
[   63.137573][ T8511]  do_syscall_64+0x2d/0x70
[   63.141972][ T8511]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[   63.147861][ T8511] RIP: 0033:0x4403b9
[   63.151739][ T8511] Code: 18 89 d0 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 db 13 fc ff c3 66 2e 0f 1f 84 00 00 00 00
[   63.171328][ T8511] RSP: 002b:00007ffedd6269c8 EFLAGS: 00000246 ORIG_RAX: 0000000000000127
[   63.179738][ T8511] RAX: ffffffffffffffda RBX: 00007ffedd6269d0 RCX: 00000000004403b9
[   63.187693][ T8511] RDX: 0000000000000001 RSI: 0000000020001400 RDI: 0000000000000004
[   63.195652][ T8511] RBP: 00000000006ca018 R08: 0000000000000000 R09: 65732f636f72702f
[   63.203607][ T8511] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000401c20
[   63.211577][ T8511] R13: 0000000000401cb0 R14: 0000000000000000 R15: 0000000000000000
[   63.219547][ T8511] 
[   63.221860][ T8511] Allocated by task 4887:
[   63.226174][ T8511]  kasan_save_stack+0x1b/0x40
[   63.230834][ T8511]  __kasan_kmalloc.constprop.0+0xc2/0xd0
[   63.236445][ T8511]  tomoyo_encode2.part.0+0xe9/0x3a0
[   63.241623][ T8511]  tomoyo_encode+0x28/0x50
[   63.246020][ T8511]  tomoyo_realpath_from_path+0x186/0x620
[   63.251634][ T8511]  tomoyo_path_perm+0x21b/0x400
[   63.256469][ T8511]  security_inode_getattr+0xcf/0x140
[   63.261736][ T8511]  vfs_fstat+0x43/0xb0
[   63.265783][ T8511]  __do_sys_newfstat+0x81/0x100
[   63.270614][ T8511]  do_syscall_64+0x2d/0x70
[   63.275049][ T8511]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[   63.280931][ T8511] 
[   63.283253][ T8511] Freed by task 4887:
[   63.287221][ T8511]  kasan_save_stack+0x1b/0x40
[   63.291882][ T8511]  kasan_set_track+0x1c/0x30
[   63.296468][ T8511]  kasan_set_free_info+0x1b/0x30
[   63.301385][ T8511]  __kasan_slab_free+0x102/0x140
[   63.306311][ T8511]  slab_free_freelist_hook+0x5d/0x150
[   63.311664][ T8511]  kfree+0xdb/0x360
[   63.315455][ T8511]  tomoyo_path_perm+0x23d/0x400
[   63.320315][ T8511]  security_inode_getattr+0xcf/0x140
[   63.325586][ T8511]  vfs_fstat+0x43/0xb0
[   63.329638][ T8511]  __do_sys_newfstat+0x81/0x100
[   63.334497][ T8511]  do_syscall_64+0x2d/0x70
[   63.338899][ T8511]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[   63.344767][ T8511] 
[   63.347097][ T8511] The buggy address belongs to the object at ffff8880132a0480
[   63.347097][ T8511]  which belongs to the cache kmalloc-96 of size 96
[   63.360960][ T8511] The buggy address is located 32 bytes inside of
[   63.360960][ T8511]  96-byte region [ffff8880132a0480, ffff8880132a04e0)
[   63.374990][ T8511] The buggy address belongs to the page:
[   63.380619][ T8511] page:000000005ad008dd refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x132a0
[   63.390750][ T8511] flags: 0xfff00000000200(slab)
[   63.395587][ T8511] raw: 00fff00000000200 ffffea0000935fc0 0000000700000007 ffff888010041780
[   63.404175][ T8511] raw: 0000000000000000 0000000080200020 00000001ffffffff 0000000000000000
[   63.412758][ T8511] page dumped because: kasan: bad access detected
[   63.419162][ T8511] 
[   63.421482][ T8511] Memory state around the buggy address:
[   63.427107][ T8511]  ffff8880132a0380: fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
[   63.435148][ T8511]  ffff8880132a0400: 00 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc
[   63.444144][ T8511] >ffff8880132a0480: fa fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
[   63.452181][ T8511]                                ^
[   63.457265][ T8511]  ffff8880132a0500: fa fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
[   63.465315][ T8511]  ffff8880132a0580: 00 00 00 00 00 00 00 00 00 00 00 00 fc fc fc fc
[   63.473359][ T8511] ==================================================================
[   63.481405][ T8511] Disabling lock debugging due to kernel taint
[   63.501211][ T8511] Kernel panic - not syncing: panic_on_warn set ...
[   63.507819][ T8511] CPU: 0 PID: 8511 Comm: syz-executor141 Tainted: G    B             5.10.0-rc2-syzkaller #0
[   63.517956][ T8511] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   63.528007][ T8511] Call Trace:
[   63.531294][ T8511]  dump_stack+0x107/0x163
[   63.535626][ T8511]  ? io_uring_show_cred+0x510/0x5f0
[   63.540826][ T8511]  panic+0x306/0x73d
[   63.544722][ T8511]  ? __warn_printk+0xf3/0xf3
[   63.550265][ T8511]  ? preempt_schedule_common+0x59/0xc0
[   63.555721][ T8511]  ? io_uring_show_cred+0x5bb/0x5f0
[   63.560915][ T8511]  ? preempt_schedule_thunk+0x16/0x18
[   63.566298][ T8511]  ? trace_hardirqs_on+0x51/0x1c0
[   63.571301][ T8511]  ? io_uring_show_cred+0x5bb/0x5f0
[   63.576471][ T8511]  ? io_uring_show_cred+0x5bb/0x5f0
[   63.581640][ T8511]  end_report+0x58/0x5e
[   63.585771][ T8511]  kasan_report.cold+0xd/0x37
[   63.590421][ T8511]  ? io_uring_show_cred+0x5bb/0x5f0
[   63.595593][ T8511]  io_uring_show_cred+0x5bb/0x5f0
[   63.600591][ T8511]  ? __bpf_trace_io_uring_task_add+0x40/0x40
[   63.606545][ T8511]  idr_for_each+0x113/0x220
[   63.611543][ T8511]  ? idr_find+0x50/0x50
[   63.615684][ T8511]  ? io_uring_show_fdinfo+0x8b8/0xda0
[   63.621041][ T8511]  io_uring_show_fdinfo+0x923/0xda0
[   63.626212][ T8511]  ? percpu_ref_put_many+0x260/0x260
[   63.631469][ T8511]  seq_show+0x4a8/0x700
[   63.635597][ T8511]  seq_read+0x432/0x1070
[   63.639815][ T8511]  do_iter_read+0x48e/0x6e0
[   63.644294][ T8511]  vfs_readv+0xe5/0x150
[   63.648435][ T8511]  ? vfs_iter_read+0xa0/0xa0
[   63.653009][ T8511]  ? rcu_read_lock_sched_held+0x3a/0x70
[   63.658537][ T8511]  ? putname+0xe1/0x120
[   63.662666][ T8511]  ? do_sys_openat2+0xa1/0x420
[   63.667414][ T8511]  ? build_open_flags+0x650/0x650
[   63.672414][ T8511]  __x64_sys_preadv+0x231/0x310
[   63.677251][ T8511]  ? __ia32_sys_writev+0xb0/0xb0
[   63.682242][ T8511]  ? syscall_enter_from_user_mode+0x1d/0x50
[   63.688116][ T8511]  do_syscall_64+0x2d/0x70
[   63.692532][ T8511]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[   63.698404][ T8511] RIP: 0033:0x4403b9
[   63.702284][ T8511] Code: 18 89 d0 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 db 13 fc ff c3 66 2e 0f 1f 84 00 00 00 00
[   63.721922][ T8511] RSP: 002b:00007ffedd6269c8 EFLAGS: 00000246 ORIG_RAX: 0000000000000127
[   63.730488][ T8511] RAX: ffffffffffffffda RBX: 00007ffedd6269d0 RCX: 00000000004403b9
[   63.738524][ T8511] RDX: 0000000000000001 RSI: 0000000020001400 RDI: 0000000000000004
[   63.746473][ T8511] RBP: 00000000006ca018 R08: 0000000000000000 R09: 65732f636f72702f
[   63.754425][ T8511] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000401c20
[   63.762385][ T8511] R13: 0000000000401cb0 R14: 0000000000000000 R15: 0000000000000000
[   63.771140][ T8511] Kernel Offset: disabled
[   63.775461][ T8511] Rebooting in 86400 seconds..