[ OK ] Reached target Graphical Interface.
Starting Update UTMP about System Runlevel Changes...
[ OK ] Started Update UTMP about System Runlevel Changes.
Starting Load/Save RF Kill Switch Status...
[ OK ] Started Load/Save RF Kill Switch Status.

Debian GNU/Linux 9 syzkaller ttyS0

Warning: Permanently added '10.128.0.67' (ECDSA) to the list of known hosts.
executing program
syzkaller login:
[ 58.679708][ T6850] ==================================================================
[ 58.679745][ T6850] BUG: KASAN: use-after-free in vcs_read+0xaa7/0xb40
[ 58.679752][ T6850] Write of size 2 at addr ffff888093948000 by task syz-executor760/6850
[ 58.679755][ T6850]
[ 58.679764][ T6850] CPU: 0 PID: 6850 Comm: syz-executor760 Not tainted 5.9.0-rc1-next-20200821-syzkaller #0
[ 58.679769][ T6850] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 58.679773][ T6850] Call Trace:
[ 58.679790][ T6850]  dump_stack+0x18f/0x20d
[ 58.679804][ T6850]  ? vcs_read+0xaa7/0xb40
[ 58.679815][ T6850]  ? vcs_read+0xaa7/0xb40
[ 58.679832][ T6850]  print_address_description.constprop.0.cold+0xae/0x497
[ 58.679848][ T6850]  ? lock_release+0x8e0/0x8e0
[ 58.679862][ T6850]  ? lock_downgrade+0x830/0x830
[ 58.679877][ T6850]  ? vprintk_func+0x97/0x1a6
[ 58.679889][ T6850]  ? vcs_read+0xaa7/0xb40
[ 58.679896][ T6850]  ? vcs_read+0xaa7/0xb40
[ 58.679904][ T6850]  kasan_report.cold+0x1f/0x37
[ 58.679914][ T6850]  ? vcs_read+0xaa7/0xb40
[ 58.679923][ T6850]  vcs_read+0xaa7/0xb40
[ 58.679937][ T6850]  ? vcs_write+0xb50/0xb50
[ 58.679947][ T6850]  ? security_file_permission+0x248/0x560
[ 58.679962][ T6850]  do_iter_read+0x48e/0x6e0
[ 58.679977][ T6850]  vfs_readv+0xe5/0x150
[ 58.679986][ T6850]  ? compat_rw_copy_check_uvector+0x4c0/0x4c0
[ 58.679999][ T6850]  ? find_held_lock+0x2d/0x110
[ 58.680015][ T6850]  ? vmacache_update+0xce/0x140
[ 58.680027][ T6850]  __x64_sys_preadv+0x231/0x310
[ 58.680036][ T6850]  ? __ia32_sys_writev+0xb0/0xb0
[ 58.680047][ T6850]  ? trace_hardirqs_on+0x5f/0x220
[ 58.680057][ T6850]  ? lockdep_hardirqs_on+0x76/0xf0
[ 58.680067][ T6850]  do_syscall_64+0x2d/0x70
[ 58.680077][ T6850]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 58.680084][ T6850] RIP: 0033:0x441259
[ 58.680093][ T6850] Code: e8 fc ab 02 00 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 1b 09 fc ff c3 66 2e 0f 1f 84 00 00 00 00
[ 58.680098][ T6850] RSP: 002b:00007fffb3e6b7d8 EFLAGS: 00000246 ORIG_RAX: 0000000000000127
[ 58.680108][ T6850] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 0000000000441259
[ 58.680114][ T6850] RDX: 0000000000000006 RSI: 0000000020001b00 RDI: 0000000000000003
[ 58.680120][ T6850] RBP: 00000000006cb018 R08: 0000000000000000 R09: 00000000004002c8
[ 58.680125][ T6850] R10: 0000000000000003 R11: 0000000000000246 R12: 0000000000402000
[ 58.680130][ T6850] R13: 0000000000402090 R14: 0000000000000000 R15: 0000000000000000
[ 58.680140][ T6850]
[ 58.680143][ T6850] The buggy address belongs to the page:
[ 58.680153][ T6850] page:000000006b61c24f refcount:0 mapcount:-128 mapping:0000000000000000 index:0x0 pfn:0x93948
[ 58.680159][ T6850] flags: 0xfffe0000000000()
[ 58.680170][ T6850] raw: 00fffe0000000000 ffffea00029cd508 ffffea00024f3848 0000000000000000
[ 58.680179][ T6850] raw: 0000000000000000 0000000000000000 00000000ffffff7f 0000000000000000
[ 58.680183][ T6850] page dumped because: kasan: bad access detected
[ 58.680185][ T6850]
[ 58.680188][ T6850] Memory state around the buggy address:
[ 58.680194][ T6850]  ffff888093947f00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 58.680200][ T6850]  ffff888093947f80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 58.680207][ T6850] >ffff888093948000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 58.680210][ T6850]                    ^
[ 58.680216][ T6850]  ffff888093948080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 58.680222][ T6850]  ffff888093948100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 58.680225][ T6850] ==================================================================
[ 58.680228][ T6850] Disabling lock debugging due to kernel taint
[ 58.680233][ T6850] Kernel panic - not syncing: panic_on_warn set ...
[ 58.680241][ T6850] CPU: 0 PID: 6850 Comm: syz-executor760 Tainted: G    B 5.9.0-rc1-next-20200821-syzkaller #0
[ 58.680245][ T6850] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 58.680247][ T6850] Call Trace:
[ 58.680256][ T6850]  dump_stack+0x18f/0x20d
[ 58.680263][ T6850]  ? vcs_read+0xa40/0xb40
[ 58.680272][ T6850]  panic+0x2e3/0x75c
[ 58.680280][ T6850]  ? __warn_printk+0xf3/0xf3
[ 58.680289][ T6850]  ? trace_hardirqs_on+0x55/0x220
[ 58.680302][ T6850]  ? vcs_read+0xaa7/0xb40
[ 58.680309][ T6850]  ? vcs_read+0xaa7/0xb40
[ 58.680316][ T6850]  end_report+0x4d/0x53
[ 58.680323][ T6850]  kasan_report.cold+0xd/0x37
[ 58.680331][ T6850]  ? vcs_read+0xaa7/0xb40
[ 58.680338][ T6850]  vcs_read+0xaa7/0xb40
[ 58.680348][ T6850]  ? vcs_write+0xb50/0xb50
[ 58.680355][ T6850]  ? security_file_permission+0x248/0x560
[ 58.680364][ T6850]  do_iter_read+0x48e/0x6e0
[ 58.680374][ T6850]  vfs_readv+0xe5/0x150
[ 58.680383][ T6850]  ? compat_rw_copy_check_uvector+0x4c0/0x4c0
[ 58.680392][ T6850]  ? find_held_lock+0x2d/0x110
[ 58.680402][ T6850]  ? vmacache_update+0xce/0x140
[ 58.680411][ T6850]  __x64_sys_preadv+0x231/0x310
[ 58.680419][ T6850]  ? __ia32_sys_writev+0xb0/0xb0
[ 58.680426][ T6850]  ? trace_hardirqs_on+0x5f/0x220
[ 58.680433][ T6850]  ? lockdep_hardirqs_on+0x76/0xf0
[ 58.680441][ T6850]  do_syscall_64+0x2d/0x70
[ 58.680449][ T6850]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 58.680454][ T6850] RIP: 0033:0x441259
[ 58.680461][ T6850] Code: e8 fc ab 02 00 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 1b 09 fc ff c3 66 2e 0f 1f 84 00 00 00 00
[ 58.680465][ T6850] RSP: 002b:00007fffb3e6b7d8 EFLAGS: 00000246 ORIG_RAX: 0000000000000127
[ 58.680472][ T6850] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 0000000000441259
[ 58.680477][ T6850] RDX: 0000000000000006 RSI: 0000000020001b00 RDI: 0000000000000003
[ 58.680481][ T6850] RBP: 00000000006cb018 R08: 0000000000000000 R09: 00000000004002c8
[ 58.680486][ T6850] R10: 0000000000000003 R11: 0000000000000246 R12: 0000000000402000
[ 58.680490][ T6850] R13: 0000000000402090 R14: 0000000000000000 R15: 0000000000000000
[ 58.681880][ T6850] Kernel Offset: disabled
[ 59.254796][ T6850] Rebooting in 86400 seconds..