[ OK ] Started Getty on tty4.
[ OK ] Started Getty on tty3.
[ OK ] Started Getty on tty2.
[ OK ] Started Getty on tty1.
[ OK ] Started Serial Getty on ttyS0.
[ OK ] Reached target Login Prompts.
[ OK ] Reached target Multi-User System.
[ OK ] Reached target Graphical Interface.
Starting Update UTMP about System Runlevel Changes...
[ OK ] Started Update UTMP about System Runlevel Changes.
Starting Load/Save RF Kill Switch Status...
[ OK ] Started Load/Save RF Kill Switch Status.

Debian GNU/Linux 9 syzkaller ttyS0

Warning: Permanently added '10.128.0.75' (ECDSA) to the list of known hosts.
executing program
syzkaller login: [ 41.929467][ T6836] ==================================================================
[ 41.937703][ T6836] BUG: KASAN: use-after-free in path_init+0x59/0xf00
[ 41.944351][ T6836] Read of size 8 at addr ffff88809158ea00 by task syz-executor987/6836
[ 41.952555][ T6836]
[ 41.954908][ T6836] CPU: 0 PID: 6836 Comm: syz-executor987 Not tainted 5.8.0-syzkaller #0
[ 41.963237][ T6836] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 41.973263][ T6836] Call Trace:
[ 41.976529][ T6836] dump_stack+0x1f0/0x31e
[ 41.980831][ T6836] print_address_description+0x66/0x620
[ 41.986348][ T6836] ? vprintk_emit+0x342/0x3c0
[ 41.990995][ T6836] ? printk+0x62/0x83
[ 41.994950][ T6836] ? vprintk_emit+0x339/0x3c0
[ 41.999597][ T6836] kasan_report+0x132/0x1d0
[ 42.004073][ T6836] ? path_init+0x59/0xf00
[ 42.008391][ T6836] ? entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 42.014431][ T6836] path_init+0x59/0xf00
[ 42.018559][ T6836] ? trace_lock_release+0x137/0x1a0
[ 42.023727][ T6836] filename_parentat+0x1a6/0xf50
[ 42.028647][ T6836] ? lockdep_hardirqs_off+0x29/0xb0
[ 42.033814][ T6836] ? _raw_spin_unlock_irqrestore+0x68/0xd0
[ 42.039590][ T6836] ? trace_hardirqs_off+0x2d/0x70
[ 42.044586][ T6836] ? _raw_spin_unlock_irqrestore+0xb4/0xd0
[ 42.050363][ T6836] ? check_preemption_disabled+0x51/0x140
[ 42.056055][ T6836] ? do_rmdir+0x40d/0x540
[ 42.060375][ T6836] ? lock_is_held_type+0xb3/0xe0
[ 42.065289][ T6836] do_rmdir+0x472/0x540
[ 42.069423][ T6836] do_syscall_64+0x31/0x70
[ 42.073813][ T6836] entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 42.079678][ T6836] RIP: 0033:0x4403e9
[ 42.083545][ T6836] Code: 18 89 d0 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 7b 13 fc ff c3 66 2e 0f 1f 84 00 00 00 00
[ 42.103121][ T6836] RSP: 002b:00007ffc5820c5d8 EFLAGS: 00000246 ORIG_RAX: 0000000000000054
[ 42.111505][ T6836] RAX: ffffffffffffffda RBX: 69662f7375622f2e RCX: 00000000004403e9
[ 42.119452][ T6836] RDX: 00000000004403e9 RSI: 00000000004403e9 RDI: 0000000020000080
[ 42.127397][ T6836] RBP: 2f31656c69662f2e R08: 0000000000000000 R09: 0000000000000000
[ 42.135427][ T6836] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000401bf0
[ 42.143376][ T6836] R13: 0000000000401c80 R14: 0000000000000000 R15: 0000000000000000
[ 42.151325][ T6836]
[ 42.153623][ T6836] Allocated by task 6836:
[ 42.157930][ T6836] __kasan_kmalloc+0x100/0x130
[ 42.162664][ T6836] slab_post_alloc_hook+0x3e/0x290
[ 42.167745][ T6836] kmem_cache_alloc+0x1d2/0x2d0
[ 42.172566][ T6836] getname_flags+0xb8/0x610
[ 42.177040][ T6836] __x64_sys_rmdir+0x38/0x50
[ 42.181600][ T6836] do_syscall_64+0x31/0x70
[ 42.185984][ T6836] entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 42.191930][ T6836]
[ 42.194255][ T6836] Freed by task 6836:
[ 42.198218][ T6836] kasan_set_track+0x3d/0x70
[ 42.202775][ T6836] kasan_set_free_info+0x17/0x30
[ 42.207695][ T6836] __kasan_slab_free+0xdd/0x110
[ 42.212515][ T6836] kmem_cache_free+0x79/0xf0
[ 42.217096][ T6836] do_rmdir+0x40d/0x540
[ 42.221222][ T6836] do_syscall_64+0x31/0x70
[ 42.225609][ T6836] entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 42.231467][ T6836]
[ 42.233772][ T6836] The buggy address belongs to the object at ffff88809158ea00
[ 42.233772][ T6836] which belongs to the cache names_cache of size 4096
[ 42.247884][ T6836] The buggy address is located 0 bytes inside of
[ 42.247884][ T6836] 4096-byte region [ffff88809158ea00, ffff88809158fa00)
[ 42.261036][ T6836] The buggy address belongs to the page:
[ 42.267092][ T6836] page:00000000284c5156 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x9158e
[ 42.277206][ T6836] head:00000000284c5156 order:1 compound_mapcount:0
[ 42.283763][ T6836] flags: 0xfffe0000010200(slab|head)
[ 42.289036][ T6836] raw: 00fffe0000010200 ffffea00029e3b88 ffffea00024ac308 ffff8880aa644d00
[ 42.297588][ T6836] raw: 0000000000000000 ffff88809158ea00 0000000100000001 0000000000000000
[ 42.306138][ T6836] page dumped because: kasan: bad access detected
[ 42.312517][ T6836]
[ 42.314830][ T6836] Memory state around the buggy address:
[ 42.320430][ T6836] ffff88809158e900: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 42.328479][ T6836] ffff88809158e980: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 42.336515][ T6836] >ffff88809158ea00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 42.344546][ T6836] ^
[ 42.348600][ T6836] ffff88809158ea80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 42.356646][ T6836] ffff88809158eb00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 42.364676][ T6836] ==================================================================
[ 42.372704][ T6836] Disabling lock debugging due to kernel taint
[ 42.382737][ T6836] Kernel panic - not syncing: panic_on_warn set ...
[ 42.389331][ T6836] CPU: 0 PID: 6836 Comm: syz-executor987 Tainted: G B 5.8.0-syzkaller #0
[ 42.399118][ T6836] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 42.409161][ T6836] Call Trace:
[ 42.412452][ T6836] dump_stack+0x1f0/0x31e
[ 42.416780][ T6836] panic+0x264/0x7a0
[ 42.420665][ T6836] ? trace_hardirqs_on+0x30/0x80
[ 42.425597][ T6836] kasan_report+0x1c9/0x1d0
[ 42.430112][ T6836] ? path_init+0x59/0xf00
[ 42.434437][ T6836] ? entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 42.440491][ T6836] path_init+0x59/0xf00
[ 42.444639][ T6836] ? trace_lock_release+0x137/0x1a0
[ 42.449805][ T6836] filename_parentat+0x1a6/0xf50
[ 42.454731][ T6836] ? lockdep_hardirqs_off+0x29/0xb0
[ 42.459898][ T6836] ? _raw_spin_unlock_irqrestore+0x68/0xd0
[ 42.465702][ T6836] ? trace_hardirqs_off+0x2d/0x70
[ 42.470712][ T6836] ? _raw_spin_unlock_irqrestore+0xb4/0xd0
[ 42.476493][ T6836] ? check_preemption_disabled+0x51/0x140
[ 42.482180][ T6836] ? do_rmdir+0x40d/0x540
[ 42.486480][ T6836] ? lock_is_held_type+0xb3/0xe0
[ 42.491392][ T6836] do_rmdir+0x472/0x540
[ 42.495519][ T6836] do_syscall_64+0x31/0x70
[ 42.499903][ T6836] entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 42.505763][ T6836] RIP: 0033:0x4403e9
[ 42.509626][ T6836] Code: 18 89 d0 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 7b 13 fc ff c3 66 2e 0f 1f 84 00 00 00 00
[ 42.529206][ T6836] RSP: 002b:00007ffc5820c5d8 EFLAGS: 00000246 ORIG_RAX: 0000000000000054
[ 42.537686][ T6836] RAX: ffffffffffffffda RBX: 69662f7375622f2e RCX: 00000000004403e9
[ 42.545629][ T6836] RDX: 00000000004403e9 RSI: 00000000004403e9 RDI: 0000000020000080
[ 42.553570][ T6836] RBP: 2f31656c69662f2e R08: 0000000000000000 R09: 0000000000000000
[ 42.561511][ T6836] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000401bf0
[ 42.569453][ T6836] R13: 0000000000401c80 R14: 0000000000000000 R15: 0000000000000000
[ 42.578616][ T6836] Kernel Offset: disabled
[ 42.582927][ T6836] Rebooting in 86400 seconds..