Warning: Permanently added '10.128.10.26' (ECDSA) to the list of known hosts.
executing program
executing program
syzkaller login: [ 34.183128] ==================================================================
[ 34.190567] BUG: KASAN: use-after-free in __list_add_valid+0x81/0xa0
[ 34.197036] Read of size 8 at addr ffff88808dfca3c0 by task syz-executor411/8086
[ 34.204544]
[ 34.206158] CPU: 1 PID: 8086 Comm: syz-executor411 Not tainted 4.19.211-syzkaller #0
[ 34.214014] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 34.223350] Call Trace:
[ 34.225925] dump_stack+0x1fc/0x2ef
[ 34.229538] print_address_description.cold+0x54/0x219
[ 34.234800] kasan_report_error.cold+0x8a/0x1b9
[ 34.239454] ? __list_add_valid+0x81/0xa0
[ 34.243584] __asan_report_load8_noabort+0x88/0x90
[ 34.248494] ? __list_add_valid+0x81/0xa0
[ 34.252620] __list_add_valid+0x81/0xa0
[ 34.256574] chrdev_open+0x4b9/0x770
[ 34.260270] ? __register_chrdev+0x400/0x400
[ 34.264661] do_dentry_open+0x4aa/0x1160
[ 34.268710] ? __register_chrdev+0x400/0x400
[ 34.273101] ? inode_permission.part.0+0x10c/0x450
[ 34.278009] ? chown_common+0x550/0x550
[ 34.281965] ? inode_permission+0x3d/0x140
[ 34.286181] path_openat+0x793/0x2df0
[ 34.289985] ? path_lookupat+0x8d0/0x8d0
[ 34.294036] ? mark_held_locks+0xf0/0xf0
[ 34.298078] do_filp_open+0x18c/0x3f0
[ 34.301863] ? may_open_dev+0xf0/0xf0
[ 34.305647] ? lock_downgrade+0x720/0x720
[ 34.309776] ? lock_acquire+0x170/0x3c0
[ 34.313732] ? __alloc_fd+0x34/0x570
[ 34.317423] ? do_raw_spin_unlock+0x171/0x230
[ 34.321900] ? _raw_spin_unlock+0x29/0x40
[ 34.326030] ? __alloc_fd+0x28d/0x570
[ 34.329820] do_sys_open+0x3b3/0x520
[ 34.333513] ? filp_open+0x70/0x70
[ 34.337034] ? entry_SYSCALL_64_after_hwframe+0x3e/0xbe
[ 34.342388] ? trace_hardirqs_off_caller+0x6e/0x210
[ 34.347385] ? do_syscall_64+0x21/0x620
[ 34.351340] do_syscall_64+0xf9/0x620
[ 34.355121] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 34.360288] RIP: 0033:0x7fab1f484b29
[ 34.363978] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 41 15 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
[ 34.382859] RSP: 002b:00007fab1f4142f8 EFLAGS: 00000246 ORIG_RAX: 0000000000000002
[ 34.390547] RAX: ffffffffffffffda RBX: 00007fab1f5124d0 RCX: 00007fab1f484b29
[ 34.397798] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000020000080
[ 34.405044] RBP: 00007fab1f4df154 R08: 0000000000000000 R09: 0000000000000000
[ 34.412292] R10: 0000000000000000 R11: 0000000000000246 R12: 00007fab1f4db148
[ 34.419538] R13: 00007fab1f4dd150 R14: 2f30656c69662f2e R15: 00007fab1f5124d8
[ 34.426794]
[ 34.428401] Allocated by task 8079:
[ 34.432009] kmem_cache_alloc+0x122/0x370
[ 34.436134] fuse_alloc_inode+0x1d/0x3f0
[ 34.440175] alloc_inode+0x5d/0x180
[ 34.443779] iget5_locked+0x57/0xd0
[ 34.447384] fuse_iget+0x1a6/0x800
[ 34.450906] fuse_lookup_name+0x413/0x5c0
[ 34.455030] fuse_lookup+0xdf/0x410
[ 34.458632] fuse_atomic_open+0x20a/0x330
[ 34.462758] lookup_open+0x1023/0x1a20
[ 34.466621] path_openat+0x1804/0x2df0
[ 34.470485] do_filp_open+0x18c/0x3f0
[ 34.474266] do_sys_open+0x3b3/0x520
[ 34.477959] do_syscall_64+0xf9/0x620
[ 34.481739] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 34.486900]
[ 34.488508] Freed by task 0:
[ 34.491513] kmem_cache_free+0x7f/0x260
[ 34.495464] rcu_process_callbacks+0x8ff/0x18b0
[ 34.500110] __do_softirq+0x265/0x980
[ 34.503893]
[ 34.505500] The buggy address belongs to the object at ffff88808dfca040
[ 34.505500]  which belongs to the cache fuse_inode of size 1264
[ 34.518134] The buggy address is located 896 bytes inside of
[ 34.518134]  1264-byte region [ffff88808dfca040, ffff88808dfca530)
[ 34.530068] The buggy address belongs to the page:
[ 34.534981] page:ffffea000237f280 count:1 mapcount:0 mapping:ffff8880b0f81780 index:0xffff88808dfcaffe
[ 34.544401] flags: 0xfff00000000100(slab)
[ 34.548539] raw: 00fff00000000100 ffff8880b0f88a48 ffffea000237e508 ffff8880b0f81780
[ 34.556399] raw: ffff88808dfcaffe ffff88808dfca040 0000000100000002 0000000000000000
[ 34.564252] page dumped because: kasan: bad access detected
[ 34.569937]
[ 34.571540] Memory state around the buggy address:
[ 34.576448]  ffff88808dfca280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 34.583805]  ffff88808dfca300: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 34.591156] >ffff88808dfca380: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 34.598496]                                            ^
[ 34.603931]  ffff88808dfca400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 34.611266]  ffff88808dfca480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 34.618596] ==================================================================
[ 34.625930] Disabling lock debugging due to kernel taint
[ 34.631426] Kernel panic - not syncing: panic_on_warn set ...
[ 34.631426]
[ 34.638790] CPU: 1 PID: 8086 Comm: syz-executor411 Tainted: G B 4.19.211-syzkaller #0
[ 34.648045] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 34.657388] Call Trace:
[ 34.659988] dump_stack+0x1fc/0x2ef
[ 34.663609] panic+0x26a/0x50e
[ 34.666782] ? __warn_printk+0xf3/0xf3
[ 34.670649] ? retint_kernel+0x2d/0x2d
[ 34.674517] ? trace_hardirqs_on+0x55/0x210
[ 34.678821] kasan_end_report+0x43/0x49
[ 34.682774] kasan_report_error.cold+0xa7/0x1b9
[ 34.687419] ? __list_add_valid+0x81/0xa0
[ 34.691544] __asan_report_load8_noabort+0x88/0x90
[ 34.696451] ? __list_add_valid+0x81/0xa0
[ 34.700574] __list_add_valid+0x81/0xa0
[ 34.704524] chrdev_open+0x4b9/0x770
[ 34.708213] ? __register_chrdev+0x400/0x400
[ 34.712597] do_dentry_open+0x4aa/0x1160
[ 34.716637] ? __register_chrdev+0x400/0x400
[ 34.721022] ? inode_permission.part.0+0x10c/0x450
[ 34.725927] ? chown_common+0x550/0x550
[ 34.729886] ? inode_permission+0x3d/0x140
[ 34.734103] path_openat+0x793/0x2df0
[ 34.737887] ? path_lookupat+0x8d0/0x8d0
[ 34.741930] ? mark_held_locks+0xf0/0xf0
[ 34.745968] do_filp_open+0x18c/0x3f0
[ 34.749749] ? may_open_dev+0xf0/0xf0
[ 34.753540] ? lock_downgrade+0x720/0x720
[ 34.757669] ? lock_acquire+0x170/0x3c0
[ 34.761620] ? __alloc_fd+0x34/0x570
[ 34.765317] ? do_raw_spin_unlock+0x171/0x230
[ 34.769792] ? _raw_spin_unlock+0x29/0x40
[ 34.773926] ? __alloc_fd+0x28d/0x570
[ 34.777717] do_sys_open+0x3b3/0x520
[ 34.781407] ? filp_open+0x70/0x70
[ 34.784925] ? entry_SYSCALL_64_after_hwframe+0x3e/0xbe
[ 34.790293] ? trace_hardirqs_off_caller+0x6e/0x210
[ 34.795292] ? do_syscall_64+0x21/0x620
[ 34.799246] do_syscall_64+0xf9/0x620
[ 34.803028] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 34.808195] RIP: 0033:0x7fab1f484b29
[ 34.811885] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 41 15 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
[ 34.830763] RSP: 002b:00007fab1f4142f8 EFLAGS: 00000246 ORIG_RAX: 0000000000000002
[ 34.838446] RAX: ffffffffffffffda RBX: 00007fab1f5124d0 RCX: 00007fab1f484b29
[ 34.845704] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000020000080
[ 34.852963] RBP: 00007fab1f4df154 R08: 0000000000000000 R09: 0000000000000000
[ 34.860211] R10: 0000000000000000 R11: 0000000000000246 R12: 00007fab1f4db148
[ 34.867455] R13: 00007fab1f4dd150 R14: 2f30656c69662f2e R15: 00007fab1f5124d8
[ 34.874917] Kernel Offset: disabled
[ 34.878535] Rebooting in 86400 seconds..