Starting Load/Save RF Kill Switch Status...
[  OK  ] Started Load/Save RF Kill Switch Status.

Debian GNU/Linux 9 syzkaller ttyS0

Warning: Permanently added '10.128.1.29' (ECDSA) to the list of known hosts.
executing program
syzkaller login:
[ 64.959357][ T8420] ==================================================================
[ 64.967665][ T8420] BUG: KASAN: use-after-free in __cpuhp_state_remove_instance+0x58b/0x5b0
[ 64.976173][ T8420] Read of size 8 at addr ffff888013928898 by task syz-executor929/8420
[ 64.984397][ T8420]
[ 64.986704][ T8420] CPU: 1 PID: 8420 Comm: syz-executor929 Not tainted 5.11.0-next-20210226-syzkaller #0
[ 64.996337][ T8420] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 65.006376][ T8420] Call Trace:
[ 65.009644][ T8420]  dump_stack+0xfa/0x151
[ 65.013890][ T8420]  ? __cpuhp_state_remove_instance+0x58b/0x5b0
[ 65.020034][ T8420]  print_address_description.constprop.0.cold+0x5b/0x2f8
[ 65.027049][ T8420]  ? __cpuhp_state_remove_instance+0x58b/0x5b0
[ 65.033196][ T8420]  ? __cpuhp_state_remove_instance+0x58b/0x5b0
[ 65.039337][ T8420]  kasan_report.cold+0x7c/0xd8
[ 65.044089][ T8420]  ? __cpuhp_state_remove_instance+0x58b/0x5b0
[ 65.050230][ T8420]  __cpuhp_state_remove_instance+0x58b/0x5b0
[ 65.056206][ T8420]  io_wq_create+0x6ca/0xbf0
[ 65.060703][ T8420]  io_uring_alloc_task_context+0x1bf/0x6a0
[ 65.066510][ T8420]  ? io_req_caches_free.constprop.0+0x4d0/0x4d0
[ 65.072798][ T8420]  ? io_issue_sqe+0x4f00/0x4f00
[ 65.077641][ T8420]  ? io_async_find_and_cancel+0x2f0/0x2f0
[ 65.083351][ T8420]  ? do_raw_spin_unlock+0x171/0x230
[ 65.088542][ T8420]  ? _raw_spin_unlock+0x24/0x40
[ 65.093451][ T8420]  ? alloc_fd+0x2bc/0x640
[ 65.097805][ T8420]  io_uring_add_task_file+0x261/0x350
[ 65.103183][ T8420]  io_uring_setup+0x14c7/0x2be0
[ 65.108044][ T8420]  ? io_async_buf_func+0x720/0x720
[ 65.113160][ T8420]  ? syscall_enter_from_user_mode+0x1d/0x50
[ 65.119054][ T8420]  do_syscall_64+0x2d/0x70
[ 65.123470][ T8420]  entry_SYSCALL_64_after_hwframe+0x44/0xae
[ 65.129371][ T8420] RIP: 0033:0x43eec9
[ 65.133250][ T8420] Code: 28 c3 e8 2a 14 00 00 66 2e 0f 1f 84 00 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48
[ 65.152871][ T8420] RSP: 002b:00007fff25216ba8 EFLAGS: 00000246 ORIG_RAX: 00000000000001a9
[ 65.161271][ T8420] RAX: ffffffffffffffda RBX: 0000000000400488 RCX: 000000000043eec9
[ 65.169227][ T8420] RDX: 000000000043eec9 RSI: 0000000020000040 RDI: 00000000000074c1
[ 65.177209][ T8420] RBP: 0000000000402eb0 R08: 0000000000000000 R09: 0000000000000000
[ 65.185168][ T8420] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000402f40
[ 65.193221][ T8420] R13: 0000000000000000 R14: 00000000004ac018 R15: 0000000000400488
[ 65.201191][ T8420]
[ 65.203522][ T8420] Allocated by task 8420:
[ 65.207824][ T8420]  kasan_save_stack+0x1b/0x40
[ 65.212488][ T8420]  __kasan_kmalloc+0x99/0xc0
[ 65.217061][ T8420]  io_wq_create+0xc0/0xbf0
[ 65.221461][ T8420]  io_uring_alloc_task_context+0x1bf/0x6a0
[ 65.227262][ T8420]  io_uring_add_task_file+0x261/0x350
[ 65.232616][ T8420]  io_uring_setup+0x14c7/0x2be0
[ 65.237901][ T8420]  do_syscall_64+0x2d/0x70
[ 65.242301][ T8420]  entry_SYSCALL_64_after_hwframe+0x44/0xae
[ 65.248177][ T8420]
[ 65.250492][ T8420] Freed by task 8420:
[ 65.254466][ T8420]  kasan_save_stack+0x1b/0x40
[ 65.259129][ T8420]  kasan_set_track+0x1c/0x30
[ 65.263702][ T8420]  kasan_set_free_info+0x20/0x30
[ 65.268621][ T8420]  __kasan_slab_free+0xf5/0x130
[ 65.273452][ T8420]  slab_free_freelist_hook+0x72/0x1b0
[ 65.278808][ T8420]  kfree+0xe5/0x7b0
[ 65.282596][ T8420]  io_wq_put+0x4d0/0x6d0
[ 65.286831][ T8420]  io_wq_create+0x92d/0xbf0
[ 65.291340][ T8420]  io_uring_alloc_task_context+0x1bf/0x6a0
[ 65.297129][ T8420]  io_uring_add_task_file+0x261/0x350
[ 65.302592][ T8420]  io_uring_setup+0x14c7/0x2be0
[ 65.307436][ T8420]  do_syscall_64+0x2d/0x70
[ 65.311835][ T8420]  entry_SYSCALL_64_after_hwframe+0x44/0xae
[ 65.317721][ T8420]
[ 65.320041][ T8420] Last potentially related work creation:
[ 65.325835][ T8420]  kasan_save_stack+0x1b/0x40
[ 65.330501][ T8420]  kasan_record_aux_stack+0xe5/0x110
[ 65.335786][ T8420]  insert_work+0x48/0x370
[ 65.340107][ T8420]  __queue_work+0x5c1/0xf00
[ 65.344590][ T8420]  queue_work_on+0xae/0xc0
[ 65.348988][ T8420]  call_usermodehelper_exec+0x1f0/0x4c0
[ 65.354540][ T8420]  kobject_uevent_env+0xf9f/0x1680
[ 65.359638][ T8420]  kobject_synth_uevent+0x701/0x850
[ 65.364817][ T8420]  uevent_store+0x42/0x90
[ 65.369131][ T8420]  drv_attr_store+0x6d/0xa0
[ 65.373630][ T8420]  sysfs_kf_write+0x110/0x160
[ 65.378628][ T8420]  kernfs_fop_write_iter+0x342/0x500
[ 65.384063][ T8420]  new_sync_write+0x426/0x650
[ 65.388737][ T8420]  vfs_write+0x796/0xa30
[ 65.392971][ T8420]  ksys_write+0x12d/0x250
[ 65.397293][ T8420]  do_syscall_64+0x2d/0x70
[ 65.401708][ T8420]  entry_SYSCALL_64_after_hwframe+0x44/0xae
[ 65.407585][ T8420]
[ 65.409905][ T8420] Second to last potentially related work creation:
[ 65.416467][ T8420]  kasan_save_stack+0x1b/0x40
[ 65.421134][ T8420]  kasan_record_aux_stack+0xe5/0x110
[ 65.426407][ T8420]  insert_work+0x48/0x370
[ 65.430718][ T8420]  __queue_work+0x5c1/0xf00
[ 65.435216][ T8420]  queue_work_on+0xae/0xc0
[ 65.439616][ T8420]  call_usermodehelper_exec+0x1f0/0x4c0
[ 65.445148][ T8420]  kobject_uevent_env+0xf9f/0x1680
[ 65.450241][ T8420]  param_sysfs_init+0x3bf/0x498
[ 65.455086][ T8420]  do_one_initcall+0x103/0x650
[ 65.459831][ T8420]  kernel_init_freeable+0x5ff/0x683
[ 65.465018][ T8420]  kernel_init+0xd/0x1b8
[ 65.469252][ T8420]  ret_from_fork+0x1f/0x30
[ 65.473664][ T8420]
[ 65.475967][ T8420] The buggy address belongs to the object at ffff888013928800
[ 65.475967][ T8420]  which belongs to the cache kmalloc-192 of size 192
[ 65.489999][ T8420] The buggy address is located 152 bytes inside of
[ 65.489999][ T8420]  192-byte region [ffff888013928800, ffff8880139288c0)
[ 65.503267][ T8420] The buggy address belongs to the page:
[ 65.508875][ T8420] page:00000000bd6bb1df refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x13928
[ 65.519007][ T8420] flags: 0xfff00000000200(slab)
[ 65.523854][ T8420] raw: 00fff00000000200 0000000000000000 0000000c00000001 ffff888010841a00
[ 65.532441][ T8420] raw: 0000000000000000 0000000080100010 00000001ffffffff 0000000000000000
[ 65.541011][ T8420] page dumped because: kasan: bad access detected
[ 65.547406][ T8420]
[ 65.549715][ T8420] Memory state around the buggy address:
[ 65.555325][ T8420]  ffff888013928780: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 65.563370][ T8420]  ffff888013928800: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 65.571415][ T8420] >ffff888013928880: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 65.579459][ T8420]                             ^
[ 65.584299][ T8420]  ffff888013928900: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 65.592355][ T8420]  ffff888013928980: 04 fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 65.600522][ T8420] ==================================================================
[ 65.608577][ T8420] Disabling lock debugging due to kernel taint
[ 65.614965][ T8420] Kernel panic - not syncing: panic_on_warn set ...
[ 65.621555][ T8420] CPU: 1 PID: 8420 Comm: syz-executor929 Tainted: G B 5.11.0-next-20210226-syzkaller #0
[ 65.632584][ T8420] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 65.642640][ T8420] Call Trace:
[ 65.645918][ T8420]  dump_stack+0xfa/0x151
[ 65.650154][ T8420]  panic+0x306/0x73d
[ 65.655353][ T8420]  ? __warn_printk+0xf3/0xf3
[ 65.660114][ T8420]  ? preempt_schedule_common+0x59/0xc0
[ 65.665566][ T8420]  ? __cpuhp_state_remove_instance+0x58b/0x5b0
[ 65.671719][ T8420]  ? preempt_schedule_thunk+0x16/0x18
[ 65.677650][ T8420]  ? trace_hardirqs_on+0x38/0x1c0
[ 65.682667][ T8420]  ? trace_hardirqs_on+0x51/0x1c0
[ 65.687678][ T8420]  ? __cpuhp_state_remove_instance+0x58b/0x5b0
[ 65.693817][ T8420]  ? __cpuhp_state_remove_instance+0x58b/0x5b0
[ 65.700055][ T8420]  end_report.cold+0x5a/0x5a
[ 65.705943][ T8420]  kasan_report.cold+0x6a/0xd8
[ 65.710698][ T8420]  ? __cpuhp_state_remove_instance+0x58b/0x5b0
[ 65.716845][ T8420]  __cpuhp_state_remove_instance+0x58b/0x5b0
[ 65.722979][ T8420]  io_wq_create+0x6ca/0xbf0
[ 65.727468][ T8420]  io_uring_alloc_task_context+0x1bf/0x6a0
[ 65.733265][ T8420]  ? io_req_caches_free.constprop.0+0x4d0/0x4d0
[ 65.739529][ T8420]  ? io_issue_sqe+0x4f00/0x4f00
[ 65.744376][ T8420]  ? io_async_find_and_cancel+0x2f0/0x2f0
[ 65.750090][ T8420]  ? do_raw_spin_unlock+0x171/0x230
[ 65.755327][ T8420]  ? _raw_spin_unlock+0x24/0x40
[ 65.760285][ T8420]  ? alloc_fd+0x2bc/0x640
[ 65.764601][ T8420]  io_uring_add_task_file+0x261/0x350
[ 65.769956][ T8420]  io_uring_setup+0x14c7/0x2be0
[ 65.774789][ T8420]  ? io_async_buf_func+0x720/0x720
[ 65.779886][ T8420]  ? syscall_enter_from_user_mode+0x1d/0x50
[ 65.785774][ T8420]  do_syscall_64+0x2d/0x70
[ 65.790173][ T8420]  entry_SYSCALL_64_after_hwframe+0x44/0xae
[ 65.796047][ T8420] RIP: 0033:0x43eec9
[ 65.799932][ T8420] Code: 28 c3 e8 2a 14 00 00 66 2e 0f 1f 84 00 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48
[ 65.819517][ T8420] RSP: 002b:00007fff25216ba8 EFLAGS: 00000246 ORIG_RAX: 00000000000001a9
[ 65.827921][ T8420] RAX: ffffffffffffffda RBX: 0000000000400488 RCX: 000000000043eec9
[ 65.835880][ T8420] RDX: 000000000043eec9 RSI: 0000000020000040 RDI: 00000000000074c1
[ 65.843850][ T8420] RBP: 0000000000402eb0 R08: 0000000000000000 R09: 0000000000000000
[ 65.851810][ T8420] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000402f40
[ 65.860121][ T8420] R13: 0000000000000000 R14: 00000000004ac018 R15: 0000000000400488
[ 65.868724][ T8420] Kernel Offset: disabled
[ 65.873034][ T8420] Rebooting in 86400 seconds..