[ OK ] Reached target Login Prompts.
[ OK ] Reached target Multi-User System.
[ OK ] Reached target Graphical Interface.
Starting Update UTMP about System Runlevel Changes...
[ OK ] Started Update UTMP about System Runlevel Changes.

Debian GNU/Linux 9 syzkaller ttyS0

Warning: Permanently added '10.128.0.40' (ECDSA) to the list of known hosts.
executing program
syzkaller login: [ 33.402942] audit: type=1400 audit(1591929086.766:8): avc: denied { execmem } for pid=6334 comm="syz-executor239" scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=process permissive=1
[ 33.425882] ==================================================================
[ 33.433368] BUG: KASAN: slab-out-of-bounds in __ext4_check_dir_entry+0x2f9/0x340
[ 33.441106] Read of size 2 at addr ffff8880a85d2003 by task syz-executor239/6334
[ 33.448623]
[ 33.450241] CPU: 0 PID: 6334 Comm: syz-executor239 Not tainted 4.14.184-syzkaller #0
[ 33.458114] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 33.467492] Call Trace:
[ 33.471376]  dump_stack+0x1b2/0x283
[ 33.475149]  ? __ext4_check_dir_entry+0x2f9/0x340
[ 33.480197]  print_address_description.cold+0x54/0x1dc
[ 33.485617]  ? __ext4_check_dir_entry+0x2f9/0x340
[ 33.490450]  kasan_report.cold+0xa9/0x2b9
[ 33.494612]  __ext4_check_dir_entry+0x2f9/0x340
[ 33.499423]  ext4_readdir+0x819/0x27e0
[ 33.503317]  ? __ext4_check_dir_entry+0x340/0x340
[ 33.508824]  ? lock_acquire+0x170/0x3f0
[ 33.512796]  ? iterate_dir+0xbc/0x5e0
[ 33.516592]  iterate_dir+0x1a0/0x5e0
[ 33.520304]  SyS_getdents64+0x130/0x240
[ 33.524274]  ? SyS_getdents+0x260/0x260
[ 33.528240]  ? filldir+0x390/0x390
[ 33.531768]  ? ext4_dir_llseek+0x1af/0x200
[ 33.536077]  ? do_syscall_64+0x4c/0x640
[ 33.540093]  ? SyS_getdents+0x260/0x260
[ 33.544063]  do_syscall_64+0x1d5/0x640
[ 33.548094]  entry_SYSCALL_64_after_hwframe+0x46/0xbb
[ 33.553274] RIP: 0033:0x440779
[ 33.556866] RSP: 002b:00007ffc0ab092a8 EFLAGS: 00000246 ORIG_RAX: 00000000000000d9
[ 33.565951] RAX: ffffffffffffffda RBX: 00007ffc0ab09350 RCX: 0000000000440779
[ 33.573439] RDX: 00000000c0002521 RSI: 0000000000000000 RDI: 0000000000000004
[ 33.580736] RBP: 0000000000000000 R08: 0000000000400ca0 R09: 0000000000400ca0
[ 33.588177] R10: 000000000000000f R11: 0000000000000246 R12: 0000000000402000
[ 33.595694] R13: 0000000000402090 R14: 0000000000000000 R15: 0000000000000000
[ 33.603276]
[ 33.604930] Allocated by task 1:
[ 33.608290]  kasan_kmalloc.part.0+0x4f/0xd0
[ 33.612692]  kmem_cache_alloc+0x124/0x3c0
[ 33.616951]  getname_flags+0xc8/0x550
[ 33.620788]  user_path_at_empty+0x2a/0x50
[ 33.625231]  vfs_statx+0xd1/0x160
[ 33.628674]  SyS_newlstat+0x83/0xe0
[ 33.632408]  do_syscall_64+0x1d5/0x640
[ 33.636374]  entry_SYSCALL_64_after_hwframe+0x46/0xbb
[ 33.641757]
[ 33.643473] Freed by task 1:
[ 33.646596]  kasan_slab_free+0xaf/0x190
[ 33.650555]  kmem_cache_free+0x7c/0x2b0
[ 33.654523]  putname+0xcd/0x110
[ 33.657810]  filename_lookup+0x23a/0x380
[ 33.661943]  vfs_statx+0xd1/0x160
[ 33.665524]  SyS_newlstat+0x83/0xe0
[ 33.669694]  do_syscall_64+0x1d5/0x640
[ 33.673662]  entry_SYSCALL_64_after_hwframe+0x46/0xbb
[ 33.678840]
[ 33.680671] The buggy address belongs to the object at ffff8880a85d2ec0
[ 33.680671]  which belongs to the cache names_cache of size 4096
[ 33.694815] The buggy address is located 3773 bytes to the left of
[ 33.694815]  4096-byte region [ffff8880a85d2ec0, ffff8880a85d3ec0)
[ 33.707463] The buggy address belongs to the page:
[ 33.712553] page:ffffea0002a17480 count:1 mapcount:0 mapping:ffff8880a85d2ec0 index:0x0 compound_mapcount: 0
[ 33.722856] flags: 0xfffe0000008100(slab|head)
[ 33.727463] raw: 00fffe0000008100 ffff8880a85d2ec0 0000000000000000 0000000100000001
[ 33.735500] raw: ffffea00022859a0 ffffea000229d920 ffff8880aa9dacc0 0000000000000000
[ 33.743703] page dumped because: kasan: bad access detected
[ 33.749443]
[ 33.751061] Memory state around the buggy address:
[ 33.756109]  ffff8880a85d1f00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 33.763468]  ffff8880a85d1f80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 33.770813] >ffff8880a85d2000: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 33.780221]                             ^
[ 33.783660]  ffff8880a85d2080: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 33.791203]  ffff8880a85d2100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 33.798746] ==================================================================
[ 33.806095] Disabling lock debugging due to kernel taint
[ 33.814600] Kernel panic - not syncing: panic_on_warn set ...
[ 33.814600]
[ 33.822138] CPU: 0 PID: 6334 Comm: syz-executor239 Tainted: G B 4.14.184-syzkaller #0
[ 33.831334] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 33.841144] Call Trace:
[ 33.843739]  dump_stack+0x1b2/0x283
[ 33.847569]  panic+0x1f9/0x42d
[ 33.850922]  ? add_taint.cold+0x16/0x16
[ 33.854981]  ? preempt_schedule_common+0x4a/0xc0
[ 33.859766]  ? __ext4_check_dir_entry+0x2f9/0x340
[ 33.864598]  ? ___preempt_schedule+0x16/0x18
[ 33.868994]  ? __ext4_check_dir_entry+0x2f9/0x340
[ 33.873985]  kasan_end_report+0x43/0x49
[ 33.877951]  kasan_report.cold+0x12f/0x2b9
[ 33.882176]  __ext4_check_dir_entry+0x2f9/0x340
[ 33.886830]  ext4_readdir+0x819/0x27e0
[ 33.890781]  ? __ext4_check_dir_entry+0x340/0x340
[ 33.895614]  ? lock_acquire+0x170/0x3f0
[ 33.899570]  ? iterate_dir+0xbc/0x5e0
[ 33.903358]  iterate_dir+0x1a0/0x5e0
[ 33.907055]  SyS_getdents64+0x130/0x240
[ 33.911134]  ? SyS_getdents+0x260/0x260
[ 33.915089]  ? filldir+0x390/0x390
[ 33.918651]  ? ext4_dir_llseek+0x1af/0x200
[ 33.923174]  ? do_syscall_64+0x4c/0x640
[ 33.927178]  ? SyS_getdents+0x260/0x260
[ 33.931271]  do_syscall_64+0x1d5/0x640
[ 33.935146]  entry_SYSCALL_64_after_hwframe+0x46/0xbb
[ 33.940363] RIP: 0033:0x440779
[ 33.943699] RSP: 002b:00007ffc0ab092a8 EFLAGS: 00000246 ORIG_RAX: 00000000000000d9
[ 33.951443] RAX: ffffffffffffffda RBX: 00007ffc0ab09350 RCX: 0000000000440779
[ 33.958933] RDX: 00000000c0002521 RSI: 0000000000000000 RDI: 0000000000000004
[ 33.966540] RBP: 0000000000000000 R08: 0000000000400ca0 R09: 0000000000400ca0
[ 33.973800] R10: 000000000000000f R11: 0000000000000246 R12: 0000000000402000
[ 33.981103] R13: 0000000000402090 R14: 0000000000000000 R15: 0000000000000000
[ 33.990037] Kernel Offset: disabled
[ 33.993869] Rebooting in 86400 seconds..