Debian GNU/Linux 11 syzkaller ttyS0
Warning: Permanently added '[localhost]:28806' (ECDSA) to the list of known hosts.
2022/11/07 05:03:01 fuzzer started
2022/11/07 05:03:01 dialing manager at localhost:37641
syzkaller login: [ 36.453106] cgroup: Unknown subsys name 'net'
[ 36.549501] cgroup: Unknown subsys name 'rlimit'
[ 36.944660] ==================================================================
[ 36.945661] BUG: KASAN: use-after-free in __lock_acquire+0x42c9/0x5e70
[ 36.946502] Read of size 8 at addr ffff88800dd01868 by task syz-executor/279
[ 36.950901]
[ 36.951142] CPU: 1 PID: 279 Comm: syz-executor Not tainted 6.1.0-rc3-next-20221104 #1
[ 36.952120] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.12.0-1 04/01/2014
[ 36.953181] Call Trace:
[ 36.953529]
[ 36.953838]  dump_stack_lvl+0x8b/0xb3
[ 36.954353]  print_report+0x175/0x478
[ 36.954861]  ? __lock_acquire+0x42c9/0x5e70
[ 36.955416]  kasan_report+0xbb/0x1c0
[ 36.955932]  ? __lock_acquire+0x42c9/0x5e70
[ 36.956504]  __lock_acquire+0x42c9/0x5e70
[ 36.957043]  ? __pfx_mark_lock.part.0+0x10/0x10
[ 36.957654]  ? finish_task_switch.isra.0+0x22d/0x8a0
[ 36.958299]  ? __pfx___lock_acquire+0x10/0x10
[ 36.958882]  ? __switch_to+0x5bf/0xf20
[ 36.959407]  lock_acquire+0x1a2/0x530
[ 36.959903]  ? kmemleak_scan+0x1a0/0x1600
[ 36.960474]  ? __pfx_lock_acquire+0x10/0x10
[ 36.961029]  ? __call_rcu_common.constprop.0+0x589/0xa40
[ 36.961733]  ? __call_rcu_common.constprop.0+0x589/0xa40
[ 36.962426]  ? lockdep_hardirqs_on+0x79/0x100
[ 36.963016]  ? _raw_spin_lock_irq+0x41/0x50
[ 36.963576]  _raw_spin_lock_irq+0x32/0x50
[ 36.964119]  ? kmemleak_scan+0x1a0/0x1600
[ 36.964701]  kmemleak_scan+0x1a0/0x1600
[ 36.965236]  ? __pfx_kmemleak_scan+0x10/0x10
[ 36.965833]  ? strncpy_from_user+0x204/0x3e0
[ 36.966408]  kmemleak_write+0x570/0x680
[ 36.966935]  ? __pfx_kmemleak_write+0x10/0x10
[ 36.967530]  ? debugfs_file_get+0x1ce/0x450
[ 36.968099]  ? __pfx_debugfs_file_get+0x10/0x10
[ 36.968737]  full_proxy_write+0x11d/0x190
[ 36.969283]  vfs_write+0x2cb/0xd90
[ 36.969757]  ? __pfx_full_proxy_write+0x10/0x10
[ 36.970371]  ? __pfx_vfs_write+0x10/0x10
[ 36.970902]  ? do_sys_openat2+0xa1/0x4c0
[ 36.971446]  ? __pfx_do_sys_openat2+0x10/0x10
[ 36.972044]  ? __fget_light+0x212/0x280
[ 36.972606]  ksys_write+0x127/0x250
[ 36.973087]  ? __pfx_ksys_write+0x10/0x10
[ 36.973622]  ? syscall_enter_from_user_mode+0x1d/0x50
[ 36.974298]  ? syscall_enter_from_user_mode+0x1d/0x50
[ 36.974973]  do_syscall_64+0x3b/0x90
[ 36.975461]  entry_SYSCALL_64_after_hwframe+0x72/0xdc
[ 36.976147] RIP: 0033:0x7f857db255c3
[ 36.976658] Code: 16 00 00 00 eb ae 90 b8 6e 00 00 00 eb a6 e8 44 ef 04 00 0f 1f 40 00 64 8b 04 25 18 00 00 00 85 c0 75 14 b8 01 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 55 c3 0f 1f 40 00 48 83 ec 28 48 89 54 24 18
[ 36.978914] RSP: 002b:00007ffeda156088 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
[ 36.979882] RAX: ffffffffffffffda RBX: 0000000000000004 RCX: 00007f857db255c3
[ 36.980821] RDX: 0000000000000004 RSI: 00007ffeda1560b0 RDI: 0000000000000003
[ 36.981730] RBP: 0000000000000003 R08: 0000000000000000 R09: 00007ffeda156000
[ 36.982621] R10: 0000000000000000 R11: 0000000000000246 R12: 00007f857dbcbe61
[ 36.983518] R13: 00007ffeda1560b0 R14: 0000000000000000 R15: 00007f857dc0d6c0
[ 36.984428]
[ 36.984741]
[ 36.984972] Allocated by task 134:
[ 36.985420]  kasan_save_stack+0x1e/0x40
[ 36.985961]  kasan_set_track+0x21/0x30
[ 36.986484]  __kasan_slab_alloc+0x58/0x70
[ 36.987031]  kmem_cache_alloc+0x1a9/0x3e0
[ 36.987573]  __create_object+0x3d/0xc00
[ 36.988095]  kmem_cache_alloc+0x235/0x3e0
[ 36.988670]  __alloc_file+0x21/0x240
[ 36.989163]  alloc_empty_file+0x6d/0x170
[ 36.989697]  alloc_file+0x59/0x800
[ 36.990179]  alloc_file_pseudo+0x16a/0x250
[ 36.990737]  sock_alloc_file+0x4f/0x1a0
[ 36.991252]  __sys_socket+0x1a8/0x250
[ 36.991768]  __x64_sys_socket+0x6f/0xb0
[ 36.992293]  do_syscall_64+0x3b/0x90
[ 36.992803]  entry_SYSCALL_64_after_hwframe+0x72/0xdc
[ 36.993492]
[ 36.993721] Freed by task 13:
[ 36.994121]  kasan_save_stack+0x1e/0x40
[ 36.994649]  kasan_set_track+0x21/0x30
[ 36.995175]  kasan_save_free_info+0x2a/0x50
[ 36.995734]  __kasan_slab_free+0x106/0x190
[ 36.996292]  kmem_cache_free+0xf7/0x610
[ 36.996833]  rcu_core+0x7e2/0x2080
[ 36.997310]  __do_softirq+0x1c3/0x8f5
[ 36.997817]
[ 36.998054] Last potentially related work creation:
[ 36.998675]  kasan_save_stack+0x1e/0x40
[ 36.999202]  __kasan_record_aux_stack+0x95/0xb0
[ 36.999804]  __call_rcu_common.constprop.0+0x6a/0xa40
[ 37.000492]  kmem_cache_free+0xbd/0x610
[ 37.001027]  rcu_core+0x7e2/0x2080
[ 37.001517]  __do_softirq+0x1c3/0x8f5
[ 37.002021]
[ 37.002244] Second to last potentially related work creation:
[ 37.002959]  kasan_save_stack+0x1e/0x40
[ 37.003496]  __kasan_record_aux_stack+0x95/0xb0
[ 37.004109]  __call_rcu_common.constprop.0+0x6a/0xa40
[ 37.004809]  kmem_cache_free+0xbd/0x610
[ 37.005340]  rcu_core+0x7e2/0x2080
[ 37.005829]  __do_softirq+0x1c3/0x8f5
[ 37.006332]
[ 37.006559] The buggy address belongs to the object at ffff88800dd01850
[ 37.006559]  which belongs to the cache kmemleak_object of size 240
[ 37.008121] The buggy address is located 24 bytes inside of
[ 37.008121]  240-byte region [ffff88800dd01850, ffff88800dd01940)
[ 37.009533]
[ 37.009761] The buggy address belongs to the physical page:
[ 37.010422] page:00000000ca6ceab4 refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff88800dd01980 pfn:0xdd01
[ 37.011641] flags: 0x100000000000200(slab|node=0|zone=1)
[ 37.012299] raw: 0100000000000200 ffff88800804f780 ffffea0000393250 ffffea00003b3050
[ 37.013227] raw: ffff88800dd01980 00000000000d000b 00000001ffffffff 0000000000000000
[ 37.014137] page dumped because: kasan: bad access detected
[ 37.014793]
[ 37.015011] Memory state around the buggy address:
[ 37.015582]  ffff88800dd01700: fc fc fc fc 00 00 00 00 00 00 00 00 00 00 00 00
[ 37.016443]  ffff88800dd01780: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 37.017297] >ffff88800dd01800: 00 00 fc fc fc fc fc fc fc fc fa fb fb fb fb fb
[ 37.018143]                                                           ^
[ 37.018965]  ffff88800dd01880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 37.019909]  ffff88800dd01900: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 37.020873] ==================================================================
[ 37.021802] Disabling lock debugging due to kernel taint
VM DIAGNOSIS:
05:03:02 Registers:
info registers vcpu 0
RAX=0000000080010002 RBX=00000000002aa4fe RCX=0000000000000000 RDX=ffff888015550000
RSI=ffffffff813911da RDI=0000000000000006 RBP=ffff88806d009db8 RSP=ffff88806d009cf8
R8 =0000000000000006 R9 =0000000000aa93f8 R10=000000000032578c R11=0000000000000001
R12=0000000000aa93f8 R13=00202011078d7db0 R14=000000000032578c R15=0000000000000001
RIP=ffffffff813911da RFL=00000046 [---Z-P-] CPL=0 II=0 A20=1 SMM=0 HLT=0
ES =0000 0000000000000000 00000000 00000000
CS =0010 0000000000000000 ffffffff 00a09b00 DPL=0 CS64 [-RA]
SS =0018 0000000000000000 ffffffff 00c09300 DPL=0 DS [-WA]
DS =0000 0000000000000000 00000000 00000000
FS =0000 0000000000000000 00000000 00000000
GS =0000 ffff88806d000000 00000000 00000000
LDT=0000 fffffe0000000000 00000000 00000000
TR =0040 fffffe0851416000 00004087 00008b00 DPL=0 TSS64-busy
GDT=     fffffe0851414000 0000007f
IDT=     fffffe0000000000 00000fff
CR0=80050033 CR2=00005605cc16e648 CR3=000000000fca4000 CR4=00350ef0
DR0=0000000000000000 DR1=0000000000000000 DR2=0000000000000000 DR3=0000000000000000
DR6=00000000ffff0ff0 DR7=0000000000000400
EFER=0000000000000d01
FCW=037f FSW=0000 [ST=0] FTW=00 MXCSR=00001fa0
FPR0=0000000000000000 0000 FPR1=0000000000000000 0000
FPR2=0000000000000000 0000 FPR3=0000000000000000 0000
FPR4=0000000000000000 0000 FPR5=0000000000000000 0000
FPR6=0000000000000000 0000 FPR7=0000000000000000 0000
XMM00=00000000000000000000000000000000 XMM01=656c696166202974656e202c74656e2f
XMM02=202c74656e2f70756f7267637a79732f XMM03=0a3232203a64656c696166202974656e
XMM04=00007f023fd9c8000000000000415710 XMM05=0000000000000001000000c000494018
XMM06=0000000000505007000000c00002efc0 XMM07=000000c00002efb0000000c00006c6c0
XMM08=00000000000000000000000000000000 XMM09=00000000004643c10000000000000000
XMM10=000000c0005071c0000000c00018ac60 XMM11=00000000000000000000000000000000
XMM12=00000000000000000000000000000000 XMM13=00000000005ec39700000000005ec4e5
XMM14=000000000089cb6800000000005e8f39 XMM15=00000000004643c100000000004360f2
info registers vcpu 1
RAX=0000000000000075 RBX=00000000000003f8 RCX=0000000000000000 RDX=00000000000003f8
RSI=ffffffff824509c1 RDI=ffffffff87ba19a0 RBP=ffffffff87ba1960 RSP=ffff8880164e7358
R8 =0000000000000001 R9 =000000000000000a R10=0000000000000075 R11=0000000000000001
R12=0000000000000075 R13=ffffffff87ba1960 R14=0000000000000010 R15=ffffffff824509b0
RIP=ffffffff82450a19 RFL=00000002 [-------] CPL=0 II=0 A20=1 SMM=0 HLT=0
ES =0000 0000000000000000 00000000 00000000
CS =0010 0000000000000000 ffffffff 00a09b00 DPL=0 CS64 [-RA]
SS =0018 0000000000000000 ffffffff 00c09300 DPL=0 DS [-WA]
DS =0000 0000000000000000 00000000 00000000
FS =0000 00005555566b6400 00000000 00000000
GS =0000 ffff88806d100000 00000000 00000000
LDT=0000 fffffe0000000000 00000000 00000000
TR =0040 fffffe3b82f60000 00004087 00008b00 DPL=0 TSS64-busy
GDT=     fffffe3b82f5e000 0000007f
IDT=     fffffe0000000000 00000fff
CR0=80050033 CR2=00005605cc1567f0 CR3=000000000901e000 CR4=00350ee0
DR0=0000000000000000 DR1=0000000000000000 DR2=0000000000000000 DR3=0000000000000000
DR6=00000000ffff0ff0 DR7=0000000000000400
EFER=0000000000000d01
FCW=037f FSW=0000 [ST=0] FTW=00 MXCSR=00001f80
FPR0=0000000000000000 0000 FPR1=0000000000000000 0000
FPR2=0000000000000000 0000 FPR3=0000000000000000 0000
FPR4=0000000000000000 0000 FPR5=0000000000000000 0000
FPR6=0000000000000000 0000 FPR7=0000000000000000 0000
XMM00=00000000000000000000000000000000 XMM01=00005605cc1786400000000000000118
XMM02=00000000000000000000000000000000 XMM03=00000000000000010000000000000000
XMM04=0000000000000000000000000000001a XMM05=00000000000000000000000000000000
XMM06=00000000000000000000000000000000 XMM07=00000000000000000000000000000000
XMM08=0000000000000031535500343d524f4e XMM09=00000000000000000000000000000000
XMM10=00000000000000000000000000000000 XMM11=00000000000000000000000000000000
XMM12=00000000000000000000000000000000 XMM13=00000000000000000000000000000000
XMM14=00000000000000000000000000000000 XMM15=00000000000000000000000000000000