[ OK ] Started Getty on tty2.
[ OK ] Started Getty on tty1.
[ OK ] Started Serial Getty on ttyS0.
[ OK ] Reached target Login Prompts.
[ OK ] Reached target Multi-User System.
[ OK ] Reached target Graphical Interface.
Starting Update UTMP about System Runlevel Changes...
Starting Load/Save RF Kill Switch Status...
[ OK ] Started Update UTMP about System Runlevel Changes.
[ OK ] Started Load/Save RF Kill Switch Status.

Debian GNU/Linux 9 syzkaller ttyS0

Warning: Permanently added '10.128.10.15' (ECDSA) to the list of known hosts.
executing program
executing program
syzkaller login: [ 43.183517][ T6781] IPVS: ftp: loaded support on port[0] = 21
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
[ 43.558808][ T6852] ==================================================================
[ 43.567346][ T6852] BUG: KASAN: use-after-free in smk_write_relabel_self+0x2f6/0x480
[ 43.575351][ T6852] Read of size 8 at addr ffff88809184bec0 by task syz-executor032/6852
[ 43.583564][ T6852]
[ 43.585895][ T6852] CPU: 0 PID: 6852 Comm: syz-executor032 Not tainted 5.7.0-syzkaller #0
[ 43.594204][ T6852] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 43.604237][ T6852] Call Trace:
[ 43.607526][ T6852] dump_stack+0x1e9/0x30e
[ 43.611837][ T6852] print_address_description+0x66/0x5a0
[ 43.617442][ T6852] ? vprintk_emit+0x342/0x3c0
[ 43.622115][ T6852] ? printk+0x62/0x83
[ 43.626098][ T6852] ? trace_irq_disable_rcuidle+0x1f/0x1d0
[ 43.631795][ T6852] ? vprintk_emit+0x339/0x3c0
[ 43.636466][ T6852] kasan_report+0x132/0x1d0
[ 43.641047][ T6852] ? smk_write_relabel_self+0x2f6/0x480
[ 43.647705][ T6852] smk_write_relabel_self+0x2f6/0x480
[ 43.653060][ T6852] ? net6addr_seq_show+0xc0/0xc0
[ 43.657972][ T6852] __vfs_write+0x9c/0x6e0
[ 43.662280][ T6852] ? lockdep_hardirqs_on_prepare+0x425/0x6e0
[ 43.668254][ T6852] __kernel_write+0x120/0x350
[ 43.672928][ T6852] write_pipe_buf+0xf9/0x150
[ 43.677533][ T6852] __splice_from_pipe+0x351/0x8b0
[ 43.682668][ T6852] ? default_file_splice_read+0xa40/0xa40
[ 43.688370][ T6852] direct_splice_actor+0x1eb/0x2a0
[ 43.693492][ T6852] splice_direct_to_actor+0x4a2/0xb60
[ 43.698867][ T6852] ? do_splice_direct+0x340/0x340
[ 43.704000][ T6852] do_splice_direct+0x201/0x340
[ 43.709141][ T6852] do_sendfile+0x809/0xfe0
[ 43.714819][ T6852] __x64_sys_sendfile64+0x164/0x1a0
[ 43.719998][ T6852] do_syscall_64+0xf3/0x1b0
[ 43.724499][ T6852] entry_SYSCALL_64_after_hwframe+0x49/0xb3
[ 43.730390][ T6852] RIP: 0033:0x446a29
[ 43.734265][ T6852] Code: e8 bc b4 02 00 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 ab 08 fc ff c3 66 2e 0f 1f 84 00 00 00 00
[ 43.754115][ T6852] RSP: 002b:00007f662054fdb8 EFLAGS: 00000246 ORIG_RAX: 0000000000000028
[ 43.762688][ T6852] RAX: ffffffffffffffda RBX: 00000000006dbc88 RCX: 0000000000446a29
[ 43.770787][ T6852] RDX: 0000000000000000 RSI: 0000000000000005 RDI: 0000000000000006
[ 43.778761][ T6852] RBP: 00000000006dbc80 R08: 0000000000000000 R09: 0000000000000000
[ 43.786716][ T6852] R10: 0000000100000064 R11: 0000000000000246 R12: 00000000006dbc8c
[ 43.794671][ T6852] R13: 00007fffa294e1ef R14: 00007f66205509c0 R15: 0000000000000001
[ 43.802642][ T6852]
[ 43.804963][ T6852] Allocated by task 6850:
[ 43.809289][ T6852] __kasan_kmalloc+0x103/0x140
[ 43.814274][ T6852] kmem_cache_alloc_trace+0x234/0x300
[ 43.819641][ T6852] smk_parse_label_list+0xff/0x280
[ 43.824747][ T6852] smk_write_relabel_self+0x190/0x480
[ 43.830111][ T6852] __vfs_write+0x9c/0x6e0
[ 43.834414][ T6852] __kernel_write+0x120/0x350
[ 43.839068][ T6852] write_pipe_buf+0xf9/0x150
[ 43.843646][ T6852] __splice_from_pipe+0x351/0x8b0
[ 43.848642][ T6852] direct_splice_actor+0x1eb/0x2a0
[ 43.853733][ T6852] splice_direct_to_actor+0x4a2/0xb60
[ 43.859333][ T6852] do_splice_direct+0x201/0x340
[ 43.864156][ T6852] do_sendfile+0x809/0xfe0
[ 43.868643][ T6852] __x64_sys_sendfile64+0x164/0x1a0
[ 43.873827][ T6852] do_syscall_64+0xf3/0x1b0
[ 43.878719][ T6852] entry_SYSCALL_64_after_hwframe+0x49/0xb3
[ 43.884694][ T6852]
[ 43.886998][ T6852] Freed by task 6850:
[ 43.890958][ T6852] __kasan_slab_free+0x114/0x170
[ 43.895882][ T6852] kfree+0x10a/0x220
[ 43.899754][ T6852] smk_write_relabel_self+0x302/0x480
[ 43.905094][ T6852] __vfs_write+0x9c/0x6e0
[ 43.909500][ T6852] __kernel_write+0x120/0x350
[ 43.914233][ T6852] write_pipe_buf+0xf9/0x150
[ 43.918804][ T6852] __splice_from_pipe+0x351/0x8b0
[ 43.923833][ T6852] direct_splice_actor+0x1eb/0x2a0
[ 43.928938][ T6852] splice_direct_to_actor+0x4a2/0xb60
[ 43.934310][ T6852] do_splice_direct+0x201/0x340
[ 43.939153][ T6852] do_sendfile+0x809/0xfe0
[ 43.943550][ T6852] __x64_sys_sendfile64+0x164/0x1a0
[ 43.948717][ T6852] do_syscall_64+0xf3/0x1b0
[ 43.953194][ T6852] entry_SYSCALL_64_after_hwframe+0x49/0xb3
[ 43.959063][ T6852]
[ 43.961368][ T6852] The buggy address belongs to the object at ffff88809184bec0
[ 43.961368][ T6852] which belongs to the cache kmalloc-32 of size 32
[ 43.975236][ T6852] The buggy address is located 0 bytes inside of
[ 43.975236][ T6852] 32-byte region [ffff88809184bec0, ffff88809184bee0)
[ 43.988231][ T6852] The buggy address belongs to the page:
[ 43.994198][ T6852] page:ffffea00024612c0 refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff88809184bfc1
[ 44.004724][ T6852] flags: 0xfffe0000000200(slab)
[ 44.009552][ T6852] raw: 00fffe0000000200 ffffea00029a8788 ffffea0002a351c8 ffff8880aa4001c0
[ 44.018116][ T6852] raw: ffff88809184bfc1 ffff88809184b000 000000010000003f 0000000000000000
[ 44.026669][ T6852] page dumped because: kasan: bad access detected
[ 44.033151][ T6852]
[ 44.035450][ T6852] Memory state around the buggy address:
[ 44.041228][ T6852] ffff88809184bd80: 00 00 00 fc fc fc fc fc fb fb fb fb fc fc fc fc
[ 44.049348][ T6852] ffff88809184be00: 00 fc fc fc fc fc fc fc fb fb fb fb fc fc fc fc
[ 44.057408][ T6852] >ffff88809184be80: fb fb fb fb fc fc fc fc fb fb fb fb fc fc fc fc
[ 44.065527][ T6852]                                            ^
[ 44.071671][ T6852] ffff88809184bf00: fb fb fb fb fc fc fc fc 00 00 00 fc fc fc fc fc
[ 44.079717][ T6852] ffff88809184bf80: fb fb fb fb fc fc fc fc fc fc fc fc fc fc fc fc
[ 44.087766][ T6852] ==================================================================
[ 44.095814][ T6852] Disabling lock debugging due to kernel taint
[ 44.109407][ T6852] Kernel panic - not syncing: panic_on_warn set ...
[ 44.115989][ T6852] CPU: 0 PID: 6852 Comm: syz-executor032 Tainted: G B 5.7.0-syzkaller #0
[ 44.125680][ T6852] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 44.135725][ T6852] Call Trace:
[ 44.139006][ T6852] dump_stack+0x1e9/0x30e
[ 44.143317][ T6852] panic+0x264/0x7a0
[ 44.147280][ T6852] ? trace_hardirqs_on+0x30/0x80
[ 44.152200][ T6852] kasan_report+0x1c9/0x1d0
[ 44.156686][ T6852] ? smk_write_relabel_self+0x2f6/0x480
[ 44.162309][ T6852] smk_write_relabel_self+0x2f6/0x480
[ 44.167823][ T6852] ? net6addr_seq_show+0xc0/0xc0
[ 44.172762][ T6852] __vfs_write+0x9c/0x6e0
[ 44.177072][ T6852] ? lockdep_hardirqs_on_prepare+0x425/0x6e0
[ 44.183124][ T6852] __kernel_write+0x120/0x350
[ 44.187778][ T6852] write_pipe_buf+0xf9/0x150
[ 44.192609][ T6852] __splice_from_pipe+0x351/0x8b0
[ 44.197633][ T6852] ? default_file_splice_read+0xa40/0xa40
[ 44.203333][ T6852] direct_splice_actor+0x1eb/0x2a0
[ 44.208522][ T6852] splice_direct_to_actor+0x4a2/0xb60
[ 44.213908][ T6852] ? do_splice_direct+0x340/0x340
[ 44.218926][ T6852] do_splice_direct+0x201/0x340
[ 44.223762][ T6852] do_sendfile+0x809/0xfe0
[ 44.228244][ T6852] __x64_sys_sendfile64+0x164/0x1a0
[ 44.233418][ T6852] do_syscall_64+0xf3/0x1b0
[ 44.237900][ T6852] entry_SYSCALL_64_after_hwframe+0x49/0xb3
[ 44.243771][ T6852] RIP: 0033:0x446a29
[ 44.247639][ T6852] Code: e8 bc b4 02 00 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 ab 08 fc ff c3 66 2e 0f 1f 84 00 00 00 00
[ 44.267402][ T6852] RSP: 002b:00007f662054fdb8 EFLAGS: 00000246 ORIG_RAX: 0000000000000028
[ 44.275794][ T6852] RAX: ffffffffffffffda RBX: 00000000006dbc88 RCX: 0000000000446a29
[ 44.283757][ T6852] RDX: 0000000000000000 RSI: 0000000000000005 RDI: 0000000000000006
[ 44.291870][ T6852] RBP: 00000000006dbc80 R08: 0000000000000000 R09: 0000000000000000
[ 44.299842][ T6852] R10: 0000000100000064 R11: 0000000000000246 R12: 00000000006dbc8c
[ 44.307893][ T6852] R13: 00007fffa294e1ef R14: 00007f66205509c0 R15: 0000000000000001
[ 44.317496][ T6852] Kernel Offset: disabled
[ 44.321862][ T6852] Rebooting in 86400 seconds..