OK ] Reached target Multi-User System.
[  OK  ] Reached target Graphical Interface.
         Starting Update UTMP about System Runlevel Changes...
         Starting Load/Save RF Kill Switch Status...
[  OK  ] Started Load/Save RF Kill Switch Status.
[  OK  ] Started Update UTMP about System Runlevel Changes.

Debian GNU/Linux 9 syzkaller ttyS0

Warning: Permanently added '10.128.0.18' (ECDSA) to the list of known hosts.
executing program
executing program
executing program
executing program
executing program
executing program
syzkaller login: [   28.072722] isofs: isofs_export_get_parent(): child directory not normalized!
executing program
executing program
executing program
[   28.186511] isofs: isofs_export_get_parent(): child directory not normalized!
executing program
[   28.241692] isofs: isofs_export_get_parent(): child directory not normalized!
executing program
executing program
[   28.401490] ==================================================================
[   28.409827] BUG: KASAN: use-after-free in __isofs_iget+0x19dd/0x1de0
[   28.416880] Read of size 1 at addr ffff88808bd6a015 by task syz-executor181/8027
[   28.424849]
[   28.426481] CPU: 0 PID: 8027 Comm: syz-executor181 Not tainted 4.14.239-syzkaller #0
[   28.434406] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   28.443763] Call Trace:
[   28.446625]  dump_stack+0x1b2/0x281
[   28.450530]  print_address_description.cold+0x54/0x1d3
[   28.456011]  kasan_report_error.cold+0x8a/0x191
[   28.460681]  ? __isofs_iget+0x19dd/0x1de0
[   28.464916]  __asan_report_load1_noabort+0x68/0x70
[   28.470056]  ? __isofs_iget+0x19dd/0x1de0
[   28.474238]  __isofs_iget+0x19dd/0x1de0
[   28.478299]  ? isofs_dentry_cmp_ms+0x1c0/0x1c0
[   28.482877]  isofs_fh_to_dentry+0xf7/0x1b0
[   28.487283]  exportfs_decode_fh+0x113/0x6c0
[   28.491705]  ? isofs_fh_to_parent+0x1d0/0x1d0
[   28.496272]  ? drop_caches_sysctl_handler+0xe0/0xe0
[   28.501276]  ? reconnect_path+0x730/0x730
[   28.505406]  ? finish_mkwrite_fault+0x5e0/0x5e0
[   28.510221]  ? __handle_mm_fault+0x80f/0x4620
[   28.514793]  ? __might_fault+0x104/0x1b0
[   28.518848]  ? lock_acquire+0x170/0x3f0
[   28.522813]  ? lock_downgrade+0x740/0x740
[   28.527201]  ? __might_fault+0x177/0x1b0
[   28.531251]  do_handle_open+0x248/0x570
[   28.535211]  ? SyS_name_to_handle_at+0x3f0/0x3f0
[   28.540219]  ? up_read+0x17/0x30
[   28.543576]  ? __do_page_fault+0x159/0xad0
[   28.547906]  ? do_syscall_64+0x4c/0x640
[   28.551888]  ? do_handle_open+0x570/0x570
[   28.556031]  do_syscall_64+0x1d5/0x640
[   28.560032]  entry_SYSCALL_64_after_hwframe+0x46/0xbb
[   28.565315] RIP: 0033:0x444e19
[   28.568615] RSP: 002b:00007fff54600378 EFLAGS: 00000246 ORIG_RAX: 0000000000000130
[   28.576943] RAX: ffffffffffffffda RBX: 0000000000006ea4 RCX: 0000000000444e19
[   28.584604] RDX: 0000000000000000 RSI: 0000000020000040 RDI: 0000000000000005
[   28.591993] RBP: 0000000000000000 R08: 0000000000000000 R09: 00007fff546003a0
[   28.599526] R10: 00007fff54600240 R11: 0000000000000246 R12: 00007fff5460039c
[   28.607318] R13: 00007fff546003d0 R14: 00007fff546003b0 R15: 000000000000000b
[   28.615196]
[   28.617084] The buggy address belongs to the page:
[   28.622188] page:ffffea00022f5a80 count:0 mapcount:0 mapping:          (null) index:0x1
[   28.630596] flags: 0xfff00000000000()
[   28.635007] raw: 00fff00000000000 0000000000000000 0000000000000001 00000000ffffffff
[   28.642975] raw: ffffea00022f5ae0 ffffea00022f78e0 0000000000000000 0000000000000000
[   28.651359] page dumped because: kasan: bad access detected
[   28.657176]
[   28.658879] Memory state around the buggy address:
[   28.664222]  ffff88808bd69f00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   28.671722]  ffff88808bd69f80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   28.679203] >ffff88808bd6a000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   28.686678]                       ^
[   28.690548]  ffff88808bd6a080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   28.697993]  ffff88808bd6a100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   28.705430] ==================================================================
[   28.712779] Disabling lock debugging due to kernel taint
[   28.719243] Kernel panic - not syncing: panic_on_warn set ...
[   28.719243]
[   28.727042] CPU: 0 PID: 8027 Comm: syz-executor181 Tainted: G    B   4.14.239-syzkaller #0
[   28.736228] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   28.746377] Call Trace:
[   28.748955]  dump_stack+0x1b2/0x281
[   28.752922]  panic+0x1f9/0x42d
[   28.756243]  ? add_taint.cold+0x16/0x16
[   28.760350]  ? ___preempt_schedule+0x16/0x18
[   28.764770]  kasan_end_report+0x43/0x49
[   28.768797]  kasan_report_error.cold+0xa7/0x191
[   28.773675]  ? __isofs_iget+0x19dd/0x1de0
[   28.778119]  __asan_report_load1_noabort+0x68/0x70
[   28.783045]  ? __isofs_iget+0x19dd/0x1de0
[   28.787465]  __isofs_iget+0x19dd/0x1de0
[   28.791526]  ? isofs_dentry_cmp_ms+0x1c0/0x1c0
[   28.796609]  isofs_fh_to_dentry+0xf7/0x1b0
[   28.801093]  exportfs_decode_fh+0x113/0x6c0
[   28.805418]  ? isofs_fh_to_parent+0x1d0/0x1d0
[   28.810034]  ? drop_caches_sysctl_handler+0xe0/0xe0
[   28.815133]  ? reconnect_path+0x730/0x730
[   28.819447]  ? finish_mkwrite_fault+0x5e0/0x5e0
[   28.824195]  ? __handle_mm_fault+0x80f/0x4620
[   28.828904]  ? __might_fault+0x104/0x1b0
[   28.832960]  ? lock_acquire+0x170/0x3f0
[   28.837262]  ? lock_downgrade+0x740/0x740
[   28.841913]  ? __might_fault+0x177/0x1b0
[   28.846050]  do_handle_open+0x248/0x570
[   28.850016]  ? SyS_name_to_handle_at+0x3f0/0x3f0
[   28.854998]  ? up_read+0x17/0x30
[   28.858530]  ? __do_page_fault+0x159/0xad0
[   28.862893]  ? do_syscall_64+0x4c/0x640
[   28.867052]  ? do_handle_open+0x570/0x570
[   28.871467]  do_syscall_64+0x1d5/0x640
[   28.875515]  entry_SYSCALL_64_after_hwframe+0x46/0xbb
[   28.880705] RIP: 0033:0x444e19
[   28.884016] RSP: 002b:00007fff54600378 EFLAGS: 00000246 ORIG_RAX: 0000000000000130
[   28.892476] RAX: ffffffffffffffda RBX: 0000000000006ea4 RCX: 0000000000444e19
[   28.899816] RDX: 0000000000000000 RSI: 0000000020000040 RDI: 0000000000000005
[   28.907291] RBP: 0000000000000000 R08: 0000000000000000 R09: 00007fff546003a0
[   28.915004] R10: 00007fff54600240 R11: 0000000000000246 R12: 00007fff5460039c
[   28.923062] R13: 00007fff546003d0 R14: 00007fff546003b0 R15: 000000000000000b
[   28.932054] Kernel Offset: disabled
[   28.935684] Rebooting in 86400 seconds..
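Triage of a report like the one above comes down to a few fields: the bug class and faulting function (the syzkaller dedup title), the first reliable frame outside the KASAN reporting path, the syscall the task was in (ORIG_RAX 0x130 is open_by_handle_at on x86-64, with RDI/RSI/RDX as its mount fd, handle pointer and flags), and the shadow byte covering the faulting address (0xff is KASAN_FREE_PAGE in generic KASAN on 4.x kernels, which agrees with the page dump showing count:0). The script below is an added example, not part of the original log, of syzkaller or of the kernel; SAMPLE_LOG is an excerpt constructed from the report above with some frames and register lines dropped so it runs offline, and the shadow-byte and syscall-number tables are trimmed to the values this trace needs.

```python
"""Triage parser for a KASAN report pulled from a syzkaller console log.

Added example, not part of the original log, syzkaller or the kernel.
SAMPLE_LOG is an excerpt constructed from the report above. Python 3.8+.
"""
import re

SAMPLE_LOG = """\
[   28.409827] BUG: KASAN: use-after-free in __isofs_iget+0x19dd/0x1de0
[   28.416880] Read of size 1 at addr ffff88808bd6a015 by task syz-executor181/8027
[   28.426481] CPU: 0 PID: 8027 Comm: syz-executor181 Not tainted 4.14.239-syzkaller #0
[   28.443763] Call Trace:
[   28.456011]  kasan_report_error.cold+0x8a/0x191
[   28.460681]  ? __isofs_iget+0x19dd/0x1de0
[   28.464916]  __asan_report_load1_noabort+0x68/0x70
[   28.474238]  __isofs_iget+0x19dd/0x1de0
[   28.482877]  isofs_fh_to_dentry+0xf7/0x1b0
[   28.487283]  exportfs_decode_fh+0x113/0x6c0
[   28.531251]  do_handle_open+0x248/0x570
[   28.568615] RSP: 002b:00007fff54600378 EFLAGS: 00000246 ORIG_RAX: 0000000000000130
[   28.584604] RDX: 0000000000000000 RSI: 0000000020000040 RDI: 0000000000000005
[   28.679203] >ffff88808bd6a000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
"""

# Shadow-byte encodings of generic KASAN (mm/kasan/kasan.h, 4.x kernels).
SHADOW_MEANING = {0x00: "fully addressable",
                  0xFF: "freed page (KASAN_FREE_PAGE)",
                  0xFB: "freed slab object (KASAN_KMALLOC_FREE)",
                  0xFC: "slab redzone (KASAN_KMALLOC_REDZONE)"}
# x86-64 syscall numbers relevant to this trace (unistd_64).
SYSCALL_NAMES = {303: "name_to_handle_at", 304: "open_by_handle_at"}
# Frames that belong to the report machinery itself, never the culprit.
REPORT_FRAMES = ("dump_stack", "print_address_description", "kasan_", "__asan_")

TS = r"^\[\s*[\d.]+\]\s*"
BUG_RE = re.compile(TS + r"BUG: KASAN: (?P<kind>[\w-]+) in (?P<site>\S+)")
ACCESS_RE = re.compile(TS + r"(?P<op>Read|Write) of size (?P<size>\d+) at addr "
                       r"(?P<addr>[0-9a-f]+) by task (?P<comm>\S+)/(?P<pid>\d+)")
CPU_RE = re.compile(TS + r"CPU: \d+ PID: \d+ Comm: \S+ .*? (?P<version>\d+\.\d+\.\S+) #\d+")
FRAME_RE = re.compile(TS + r"(?P<stale>\?\s+)?(?P<frame>[\w.]+\+0x[0-9a-f]+/0x[0-9a-f]+)\s*$")
REG_RE = re.compile(r"\b(?P<reg>ORIG_RAX|RDI|RSI|RDX|R10|R8|R9): (?P<val>[0-9a-f]{16})")
SHADOW_RE = re.compile(TS + r">(?P<row>[0-9a-f]{16}): (?P<bytes>(?:[0-9a-f]{2} ?){16})")


def parse_kasan_report(text):
    """Pull the fields needed for triage out of a raw console log."""
    info = {"frames": [], "regs": {}}
    in_trace = False
    for line in text.splitlines():
        regs = {m["reg"]: int(m["val"], 16) for m in REG_RE.finditer(line)}
        if regs:                                  # register dump ends the trace
            info["regs"].update(regs)
            in_trace = False
        elif (m := BUG_RE.match(line)):
            info["kind"], info["site"] = m["kind"], m["site"]
        elif (m := ACCESS_RE.match(line)):
            info.update(op=m["op"], size=int(m["size"]), addr=int(m["addr"], 16),
                        comm=m["comm"], pid=int(m["pid"]))
        elif (m := CPU_RE.match(line)):
            info["version"] = m["version"]
        elif line.rstrip().endswith("Call Trace:"):
            in_trace = True
        elif in_trace and (m := FRAME_RE.match(line)) and not m["stale"]:
            info["frames"].append(m["frame"])    # '?' frames are stale stack slots
        elif (m := SHADOW_RE.match(line)):       # the '>' row holds the bad address
            info["shadow_row"] = (int(m["row"], 16),
                                  [int(b, 16) for b in m["bytes"].split()])
    return info


def title(info):
    """syzkaller-style title: bug class, access type and faulting function."""
    return f"KASAN: {info['kind']} {info['op']} in {info['site'].split('+')[0]}"


def culprit(info):
    """First reliable frame outside the KASAN reporting path."""
    return next((f for f in info["frames"] if not f.startswith(REPORT_FRAMES)), None)


def shadow_state(info):
    """Decode the shadow byte covering the faulting address (8 bytes per shadow byte)."""
    row, vals = info["shadow_row"]
    idx = (info["addr"] - row) // 8
    if not 0 <= idx < len(vals):
        return None
    v = vals[idx]
    if 1 <= v <= 7:
        return f"partially addressable, first {v} bytes"
    return SHADOW_MEANING.get(v, f"unknown shadow 0x{v:02x}")


def syscall_entry(info):
    """Syscall name and its first three arguments (x86-64: RDI, RSI, RDX)."""
    r = info["regs"]
    name = SYSCALL_NAMES.get(r["ORIG_RAX"], f"nr {r['ORIG_RAX']}")
    return name, r["RDI"], r["RSI"], r["RDX"]


def summarize(text):
    info = parse_kasan_report(text)
    name, a0, a1, a2 = syscall_entry(info)
    return {"title": title(info), "culprit": culprit(info), "kernel": info["version"],
            "task": f"{info['comm']}/{info['pid']}", "shadow": shadow_state(info),
            "entry": f"{name}(0x{a0:x}, 0x{a1:x}, 0x{a2:x})",
            "path": " <- ".join(f for f in info["frames"] if not f.startswith(REPORT_FRAMES))}


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG).items():
        print(f"{key:8} {value}")
```

On this log the summary reads "KASAN: use-after-free Read in __isofs_iget", culprit __isofs_iget+0x19dd/0x1de0, entry open_by_handle_at(0x5, 0x20000040, 0x0) and shadow "freed page": the byte read at ffff88808bd6a015 sits in a page that has already been returned to the allocator. Two caveats a practitioner will want: the "?" frames are dropped because they are leftover values on the stack, not a real call chain, and open_by_handle_at requires CAP_DAC_READ_SEARCH, so this entry point is reachable from a privileged caller (such as syzkaller's root executor) rather than from an arbitrary unprivileged process.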