[ OK ] Reached target Login Prompts.
[ OK ] Reached target Multi-User System.
[ OK ] Reached target Graphical Interface.
Starting Update UTMP about System Runlevel Changes...
[ OK ] Started Update UTMP about System Runlevel Changes.
Debian GNU/Linux 9 syzkaller ttyS0
Warning: Permanently added '10.128.0.124' (ECDSA) to the list of known hosts.
executing program
syzkaller login: [ 40.292241] audit: type=1400 audit(1594578075.335:9): avc: denied { execmem } for pid=6419 comm="syz-executor687" scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=process permissive=1
[ 40.313398] audit: type=1800 audit(1594578075.345:10): pid=6420 uid=0 auid=0 ses=5 subj=system_u:system_r:kernel_t:s0 op=collect_data cause=failed(directio) comm="syz-executor687" name="file0" dev="sda1" ino=15710 res=0
[ 40.317787] MINIX-fs: mounting unchecked file system, running fsck is recommended
[ 40.350863] Process accounting resumed
[ 40.356445] ==================================================================
[ 40.363979] BUG: KASAN: use-after-free in get_block+0x1085/0x1340
[ 40.370231] Read of size 2 at addr ffff88808fc1118a by task syz-executor687/6420
[ 40.371390] Process accounting resumed
[ 40.377763]
[ 40.377788] CPU: 0 PID: 6420 Comm: syz-executor687 Not tainted 4.19.132-syzkaller #0
[ 40.391296] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 40.400653] Call Trace:
[ 40.403240]  dump_stack+0x1fc/0x2fe
[ 40.406868]  print_address_description.cold+0x54/0x219
[ 40.412164]  kasan_report_error.cold+0x8a/0x1c7
[ 40.416828]  ? get_block+0x1085/0x1340
[ 40.420711]  __asan_report_load2_noabort+0x88/0x90
[ 40.425642]  ? get_block+0x1085/0x1340
[ 40.429530]  get_block+0x1085/0x1340
[ 40.433355]  ? check_preemption_disabled+0x41/0x280
[ 40.438369]  ? free_branches+0x280/0x280
[ 40.442435]  ? create_page_buffers+0x212/0x350
[ 40.447005]  ? d_path+0x5f3/0x910
[ 40.450442]  ? lock_downgrade+0x720/0x720
[ 40.454581]  ? do_raw_spin_lock+0xcb/0x220
[ 40.458916]  ? create_empty_buffers+0x4e7/0x760
[ 40.463576]  ? do_raw_spin_unlock+0x171/0x230
[ 40.468061]  minix_get_block+0xe5/0x110
[ 40.472028]  __block_write_begin_int+0x46c/0x17b0
[ 40.476891]  ? minix_mknod+0x1a0/0x1a0
[ 40.480771]  ? __breadahead_gfp+0x130/0x130
[ 40.485085]  ? wait_for_stable_page+0x122/0x360
[ 40.489744]  ? minix_mknod+0x1a0/0x1a0
[ 40.493616]  block_write_begin+0x58/0x2e0
[ 40.497754]  minix_write_begin+0x35/0x220
[ 40.501901]  generic_perform_write+0x1f8/0x4d0
[ 40.506499]  ? __mnt_drop_write_file+0x6f/0xa0
[ 40.511087]  ? filemap_page_mkwrite+0x2f0/0x2f0
[ 40.515775]  ? current_time+0x1c0/0x1c0
[ 40.519745]  ? lock_acquire+0x170/0x3c0
[ 40.523714]  __generic_file_write_iter+0x24b/0x610
[ 40.528643]  generic_file_write_iter+0x3f8/0x729
[ 40.533399]  __vfs_write+0x51b/0x770
[ 40.537166]  ? kernel_read+0x110/0x110
[ 40.541048]  ? check_free_space+0x1b2/0x380
[ 40.545375]  ? lock_acquire+0x170/0x3c0
[ 40.549350]  ? do_acct_process+0xea3/0x10c0
[ 40.553676]  __kernel_write+0x109/0x370
[ 40.557653]  do_acct_process+0xcbe/0x10c0
[ 40.561803]  ? acct_pin_kill+0x21/0xf0
[ 40.565691]  ? __se_sys_acct+0x930/0x930
[ 40.569861]  ? lock_downgrade+0x720/0x720
[ 40.574009]  ? mark_held_locks+0xa6/0xf0
[ 40.578078]  acct_pin_kill+0x29/0xf0
[ 40.581790]  pin_kill+0x174/0x7b0
[ 40.585237]  ? __mutex_add_waiter+0x160/0x160
[ 40.589773]  ? pin_insert+0x220/0x220
[ 40.593602]  ? __mutex_unlock_slowpath+0xea/0x610
[ 40.598442]  ? wait_woken+0x250/0x250
[ 40.602231]  ? lock_acquire+0x170/0x3c0
[ 40.606199]  ? check_preemption_disabled+0x41/0x280
[ 40.611219]  __se_sys_acct+0x5cd/0x930
[ 40.615122]  do_syscall_64+0xf9/0x620
[ 40.618965]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 40.624150] RIP: 0033:0x449ef9
[ 40.627388] Code: fd d5 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 cb d5 fb ff c3 66 2e 0f 1f 84 00 00 00 00
[ 40.646288] RSP: 002b:00007fc3a9aa9ce8 EFLAGS: 00000246 ORIG_RAX: 00000000000000a3
[ 40.654006] RAX: ffffffffffffffda RBX: 00000000006dbc28 RCX: 0000000000449ef9
[ 40.661287] RDX: 0000000000449ef9 RSI: c9958716e52996e0 RDI: 0000000020000480
[ 40.668547] RBP: 00000000006dbc20 R08: 0000000000000000 R09: 0000000000000000
[ 40.675808] R10: 0000000000000000 R11: 0000000000000246 R12: 00000000006dbc2c
[ 40.683068] R13: 00007ffcb065c67f R14: 00007fc3a9aaa9c0 R15: 20c49ba5e353f7cf
[ 40.690335]
[ 40.691947] Allocated by task 4478:
[ 40.695581]  __kmalloc_node_track_caller+0x4c/0x70
[ 40.700519]  __alloc_skb+0xae/0x560
[ 40.704138]  alloc_uevent_skb+0x7b/0x210
[ 40.708195]  kobject_uevent_env+0x911/0x1220
[ 40.712597]  kobject_synth_uevent+0x700/0x814
[ 40.717088]  uevent_store+0x21/0x70
[ 40.720706]  dev_attr_store+0x56/0x80
[ 40.724500]  sysfs_kf_write+0x110/0x160
[ 40.728464]  kernfs_fop_write+0x2b0/0x470
[ 40.732656]  __vfs_write+0xf7/0x770
[ 40.736270]  vfs_write+0x1f3/0x540
[ 40.739797]  ksys_write+0x12b/0x2a0
[ 40.743414]  do_syscall_64+0xf9/0x620
[ 40.747250]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 40.752426]
[ 40.754038] Freed by task 3693:
[ 40.757315]  kfree+0xcc/0x210
[ 40.760450]  skb_release_data+0x6de/0x920
[ 40.764601]  consume_skb+0x113/0x3d0
[ 40.768327]  skb_free_datagram+0x16/0xf0
[ 40.772404]  netlink_recvmsg+0x627/0xea0
[ 40.776479]  sock_recvmsg+0xca/0x110
[ 40.780196]  ___sys_recvmsg+0x255/0x570
[ 40.784173]  __x64_sys_recvmsg+0x12f/0x220
[ 40.788416]  do_syscall_64+0xf9/0x620
[ 40.792216]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 40.797385]
[ 40.799008] The buggy address belongs to the object at ffff88808fc110c0
[ 40.799008]  which belongs to the cache kmalloc-512 of size 512
[ 40.811653] The buggy address is located 202 bytes inside of
[ 40.811653]  512-byte region [ffff88808fc110c0, ffff88808fc112c0)
[ 40.823613] The buggy address belongs to the page:
[ 40.828544] page:ffffea00023f0440 count:1 mapcount:0 mapping:ffff88812c39c940 index:0xffff88808fc11340
[ 40.837996] flags: 0xfffe0000000100(slab)
[ 40.842130] raw: 00fffe0000000100 ffffea0002427a88 ffffea000241b788 ffff88812c39c940
[ 40.850010] raw: ffff88808fc11340 ffff88808fc110c0 0000000100000003 0000000000000000
[ 40.857879] page dumped because: kasan: bad access detected
[ 40.863564]
[ 40.865166] Memory state around the buggy address:
[ 40.870074]  ffff88808fc11080: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
[ 40.877429]  ffff88808fc11100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 40.884780] >ffff88808fc11180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 40.892137]                       ^
[ 40.895759]  ffff88808fc11200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 40.903111]  ffff88808fc11280: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 40.910455] ==================================================================
[ 40.917808] Disabling lock debugging due to kernel taint
[ 40.923516] Kernel panic - not syncing: panic_on_warn set ...
[ 40.923516]
[ 40.930905] CPU: 0 PID: 6420 Comm: syz-executor687 Tainted: G B 4.19.132-syzkaller #0
[ 40.940175] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 40.949538] Call Trace:
[ 40.952138]  dump_stack+0x1fc/0x2fe
[ 40.955782]  panic+0x26a/0x50e
[ 40.958981]  ? __warn_printk+0xf3/0xf3
[ 40.962876]  ? retint_kernel+0x2d/0x2d
[ 40.966775]  ? trace_hardirqs_on+0x55/0x210
[ 40.971109]  kasan_end_report+0x43/0x49
[ 40.975101]  kasan_report_error.cold+0xa7/0x1c7
[ 40.979783]  ? get_block+0x1085/0x1340
[ 40.983675]  __asan_report_load2_noabort+0x88/0x90
[ 40.988603]  ? get_block+0x1085/0x1340
[ 40.992734]  get_block+0x1085/0x1340
[ 40.996451]  ? check_preemption_disabled+0x41/0x280
[ 41.001459]  ? free_branches+0x280/0x280
[ 41.005508]  ? create_page_buffers+0x212/0x350
[ 41.010101]  ? d_path+0x5f3/0x910
[ 41.013540]  ? lock_downgrade+0x720/0x720
[ 41.017691]  ? do_raw_spin_lock+0xcb/0x220
[ 41.021932]  ? create_empty_buffers+0x4e7/0x760
[ 41.026589]  ? do_raw_spin_unlock+0x171/0x230
[ 41.031079]  minix_get_block+0xe5/0x110
[ 41.035057]  __block_write_begin_int+0x46c/0x17b0
[ 41.039895]  ? minix_mknod+0x1a0/0x1a0
[ 41.043774]  ? __breadahead_gfp+0x130/0x130
[ 41.048083]  ? wait_for_stable_page+0x122/0x360
[ 41.052743]  ? minix_mknod+0x1a0/0x1a0
[ 41.056616]  block_write_begin+0x58/0x2e0
[ 41.060807]  minix_write_begin+0x35/0x220
[ 41.065009]  generic_perform_write+0x1f8/0x4d0
[ 41.069581]  ? __mnt_drop_write_file+0x6f/0xa0
[ 41.074152]  ? filemap_page_mkwrite+0x2f0/0x2f0
[ 41.078832]  ? current_time+0x1c0/0x1c0
[ 41.082795]  ? lock_acquire+0x170/0x3c0
[ 41.086757]  __generic_file_write_iter+0x24b/0x610
[ 41.091704]  generic_file_write_iter+0x3f8/0x729
[ 41.096470]  __vfs_write+0x51b/0x770
[ 41.100169]  ? kernel_read+0x110/0x110
[ 41.104057]  ? check_free_space+0x1b2/0x380
[ 41.108392]  ? lock_acquire+0x170/0x3c0
[ 41.112373]  ? do_acct_process+0xea3/0x10c0
[ 41.116697]  __kernel_write+0x109/0x370
[ 41.120653]  do_acct_process+0xcbe/0x10c0
[ 41.124804]  ? acct_pin_kill+0x21/0xf0
[ 41.128685]  ? __se_sys_acct+0x930/0x930
[ 41.132733]  ? lock_downgrade+0x720/0x720
[ 41.136878]  ? mark_held_locks+0xa6/0xf0
[ 41.140937]  acct_pin_kill+0x29/0xf0
[ 41.144650]  pin_kill+0x174/0x7b0
[ 41.148084]  ? __mutex_add_waiter+0x160/0x160
[ 41.152577]  ? pin_insert+0x220/0x220
[ 41.156372]  ? __mutex_unlock_slowpath+0xea/0x610
[ 41.161193]  ? wait_woken+0x250/0x250
[ 41.164972]  ? lock_acquire+0x170/0x3c0
[ 41.168925]  ? check_preemption_disabled+0x41/0x280
[ 41.173943]  __se_sys_acct+0x5cd/0x930
[ 41.177833]  do_syscall_64+0xf9/0x620
[ 41.181634]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 41.186819] RIP: 0033:0x449ef9
[ 41.189990] Code: fd d5 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 cb d5 fb ff c3 66 2e 0f 1f 84 00 00 00 00
[ 41.208882] RSP: 002b:00007fc3a9aa9ce8 EFLAGS: 00000246 ORIG_RAX: 00000000000000a3
[ 41.216581] RAX: ffffffffffffffda RBX: 00000000006dbc28 RCX: 0000000000449ef9
[ 41.223842] RDX: 0000000000449ef9 RSI: c9958716e52996e0 RDI: 0000000020000480
[ 41.231104] RBP: 00000000006dbc20 R08: 0000000000000000 R09: 0000000000000000
[ 41.238362] R10: 0000000000000000 R11: 0000000000000246 R12: 00000000006dbc2c
[ 41.245656] R13: 00007ffcb065c67f R14: 00007fc3a9aaa9c0 R15: 20c49ba5e353f7cf
[ 41.254022] Kernel Offset: disabled
[ 41.257652] Rebooting in 86400 seconds..
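What the report above states, read off its own lines: a 2-byte read in get_block (reached from minix_get_block during a write that the acct() syscall's do_acct_process issued) hit memory 202 bytes into a kmalloc-512 object that had been allocated as a netlink uevent skb (alloc_uevent_skb, task 4478) and already freed in netlink_recvmsg (task 3693); the shadow byte at the faulting address is fb, the kmalloc "freed" poison. Triage of such reports is repetitive, so the following Python helper pulls those fields out of a KASAN report, cross-checks the arithmetic the report itself prints (the faulting address must sit inside the stated slab region at the stated offset, and for a use-after-free the shadow byte there must be 0xfb) and builds a dedup key. It is an added example, not part of the syzkaller log or of any kernel or syzkaller tooling; SAMPLE is a constructed excerpt copied from the report on this page, and the function names and the dedup-key layout are assumptions of this example.

```python
"""KASAN report triage helper (added example; not kernel or syzkaller code).

Parses the fields a triager needs from a KASAN report, cross-checks the
report's own arithmetic and derives a dedup key. Function names and the
key layout are assumptions of this example. Requires Python 3.8+.
"""
import re

TS = re.compile(r"^\[\s*\d+\.\d+\]\s?")                       # "[ 40.363979] " prefix
FRAME = re.compile(r"^\s*(\?\s+)?(?P<f>[A-Za-z_][\w.]*)\+0x[0-9a-f]+/0x[0-9a-f]+\s*$")
SHADOW_ROW = re.compile(r"^[ >]?([0-9a-f]{16}):((?: [0-9a-f]{2}){16})$")
# Shadow poison values for slab memory as printed by KASAN (mm/kasan/kasan.h, v4.19).
SHADOW = {0xFB: "freed slab object", 0xFC: "slab redzone", 0xFA: "global redzone",
          0xFE: "page redzone", 0xFF: "freed page", 0x00: "accessible"}

# Constructed excerpt copied from the syzkaller report on this page.
SAMPLE = """\
[ 40.363979] BUG: KASAN: use-after-free in get_block+0x1085/0x1340
[ 40.370231] Read of size 2 at addr ffff88808fc1118a by task syz-executor687/6420
[ 40.400653] Call Trace:
[ 40.403240]  dump_stack+0x1fc/0x2fe
[ 40.416828]  ? get_block+0x1085/0x1340
[ 40.429530]  get_block+0x1085/0x1340
[ 40.468061]  minix_get_block+0xe5/0x110
[ 40.557653]  do_acct_process+0xcbe/0x10c0
[ 40.624150] RIP: 0033:0x449ef9
[ 40.691947] Allocated by task 4478:
[ 40.695581]  __kmalloc_node_track_caller+0x4c/0x70
[ 40.704138]  alloc_uevent_skb+0x7b/0x210
[ 40.752426]
[ 40.754038] Freed by task 3693:
[ 40.757315]  kfree+0xcc/0x210
[ 40.760450]  skb_release_data+0x6de/0x920
[ 40.772404]  netlink_recvmsg+0x627/0xea0
[ 40.797385]
[ 40.799008]  which belongs to the cache kmalloc-512 of size 512
[ 40.811653] The buggy address is located 202 bytes inside of
[ 40.811653]  512-byte region [ffff88808fc110c0, ffff88808fc112c0)
[ 40.884780] >ffff88808fc11180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 40.903111]  ffff88808fc11280: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
"""


def parse_kasan(text):
    """Return a dict of the report's key fields; '?' (unreliable) frames are dropped."""
    r = {"bug_class": "", "func": "", "addr": 0, "obj_start": 0, "obj_end": 0,
         "obj_size": 0, "offset": -1, "call_trace": [], "alloc_stack": [],
         "free_stack": [], "shadow": {}}
    section = None
    for raw in text.splitlines():
        line = TS.sub("", raw, count=1)
        if m := re.match(r"BUG: KASAN: ([\w-]+) in (\w+)\+0x", line):
            r["bug_class"], r["func"] = m.group(1), m.group(2)
        elif m := re.match(r"(Read|Write) of size (\d+) at addr ([0-9a-f]+) by task (\S+)/(\d+)", line):
            r.update(access=m.group(1).lower(), size=int(m.group(2)), addr=int(m.group(3), 16),
                     task=m.group(4), pid=int(m.group(5)))
        elif line.startswith("Call Trace:"):
            section = "call_trace"
        elif m := re.match(r"Allocated by task (\d+):", line):
            section, r["alloc_pid"] = "alloc_stack", int(m.group(1))
        elif m := re.match(r"Freed by task (\d+):", line):
            section, r["free_pid"] = "free_stack", int(m.group(1))
        elif m := re.search(r"belongs to the cache (\S+) of size (\d+)", line):
            r["cache"], r["obj_size"] = m.group(1), int(m.group(2))
        elif m := re.search(r"(\d+)-byte region \[([0-9a-f]+), ([0-9a-f]+)\)", line):
            r["obj_start"], r["obj_end"] = int(m.group(2), 16), int(m.group(3), 16)
        elif m := re.search(r"located (\d+) bytes inside of", line):
            r["offset"] = int(m.group(1))
        elif m := SHADOW_ROW.match(line):               # one row = 16 shadow bytes
            r["shadow"][int(m.group(1), 16)] = bytes.fromhex(m.group(2).replace(" ", ""))
        elif section and (m := FRAME.match(line)):
            if not m.group(1):
                r[section].append(m.group("f"))
        elif section and (not line.strip() or line.startswith("RIP:")):
            section = None                              # blank line / RIP ends a stack
    return r


def shadow_at(r, addr):
    """Shadow byte covering addr (each shadow byte covers 8 bytes), or None."""
    for row_addr, shadow in r["shadow"].items():
        if row_addr <= addr < row_addr + 16 * 8:
            return shadow[(addr - row_addr) // 8]
    return None


def check_report(r):
    """Cross-check the arithmetic the report prints; return a list of problems."""
    problems = []
    if not (r["obj_start"] <= r["addr"] < r["obj_end"]):
        problems.append("faulting address outside the reported slab object")
    if r["addr"] - r["obj_start"] != r["offset"]:
        problems.append("offset does not match addr - object start")
    if r["obj_end"] - r["obj_start"] != r["obj_size"]:
        problems.append("region length does not match cache object size")
    sb = shadow_at(r, r["addr"])
    if r["bug_class"] == "use-after-free" and sb != 0xFB:
        problems.append("no shadow row covers addr" if sb is None
                        else f"shadow byte {sb:#04x} is not 'freed slab object'")
    return problems


def dedup_key(r):
    """Group crashes by bug class, faulting function and the free site above kfree."""
    free_site = next((f for f in r["free_stack"] if not f.startswith("kfree")), "?")
    return f'{r["bug_class"]}:{r["func"]}:{free_site}'


if __name__ == "__main__":
    rep = parse_kasan(SAMPLE)
    print(dedup_key(rep), check_report(rep) or "report arithmetic consistent")
    print("shadow at fault:", SHADOW.get(shadow_at(rep, rep["addr"])))
```

The consistency check matters when reports are collected from many fuzzing VMs: a report whose offset, region or shadow byte disagree with its own address usually means the serial console interleaved two reports (note the "Process accounting resumed" line spliced into this one), and such a report should be re-captured rather than deduplicated.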