[  OK  ] Reached target Graphical Interface.
         Starting Update UTMP about System Runlevel Changes...
         Starting Load/Save RF Kill Switch Status...
[  OK  ] Started Update UTMP about System Runlevel Changes.
[  OK  ] Started Load/Save RF Kill Switch Status.

Debian GNU/Linux 9 syzkaller ttyS0

Warning: Permanently added '10.128.0.35' (ECDSA) to the list of known hosts.
executing program
syzkaller login: [  656.909475] ==================================================================
[  656.916978] BUG: KASAN: use-after-free in diAlloc+0x20e/0x1440
[  656.922951] Read of size 4 at addr ffff8880b02a468c by task syz-executor337/8112
[  656.930481] 
[  656.932120] CPU: 1 PID: 8112 Comm: syz-executor337 Not tainted 4.19.211-syzkaller #0
[  656.939999] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/22/2022
[  656.949341] Call Trace:
[  656.951920]  dump_stack+0x1fc/0x2ef
[  656.955532]  print_address_description.cold+0x54/0x219
[  656.960808]  kasan_report_error.cold+0x8a/0x1b9
[  656.965464]  ? diAlloc+0x20e/0x1440
[  656.969071]  kasan_report+0x8f/0xa0
[  656.972694]  ? diAlloc+0x20e/0x1440
[  656.976320]  diAlloc+0x20e/0x1440
[  656.979775]  ? do_raw_spin_unlock+0x171/0x230
[  656.984258]  ialloc+0x8c/0x970
[  656.987436]  jfs_create.part.0+0x12b/0x880
[  656.991651]  ? _raw_spin_unlock+0x29/0x40
[  656.995780]  ? d_splice_alias+0x438/0xc30
[  656.999907]  ? jfs_mkdir+0x60/0x60
[  657.003427]  ? jfs_lookup+0xb5/0x1c0
[  657.007123]  ? __dquot_initialize+0x298/0xb70
[  657.011597]  ? userns_put+0xb0/0xb0
[  657.015205]  ? dquot_initialize_needed+0x290/0x290
[  657.020115]  ? param_get_aalockpolicy+0x90/0x90
[  657.024768]  ? __d_lookup+0x411/0x710
[  657.028554]  ? generic_permission+0x116/0x4d0
[  657.033029]  ? security_inode_permission+0xc5/0xf0
[  657.037938]  jfs_create+0x3f/0x60
[  657.041371]  ? jfs_create.part.0+0x880/0x880
[  657.045764]  lookup_open+0x893/0x1a20
[  657.049549]  ? vfs_mkdir+0x7a0/0x7a0
[  657.053240]  ? unlazy_walk+0x1a4/0x540
[  657.057111]  ? check_preemption_disabled+0x41/0x280
[  657.062115]  path_openat+0x1094/0x2df0
[  657.065987]  ? path_lookupat+0x8d0/0x8d0
[  657.070110]  ? mark_held_locks+0xf0/0xf0
[  657.074153]  ? __lock_acquire+0x6de/0x3ff0
[  657.078368]  do_filp_open+0x18c/0x3f0
[  657.082147]  ? may_open_dev+0xf0/0xf0
[  657.085940]  ? lock_downgrade+0x720/0x720
[  657.090068]  ? lock_acquire+0x170/0x3c0
[  657.094024]  ? __alloc_fd+0x34/0x570
[  657.097723]  ? do_raw_spin_unlock+0x171/0x230
[  657.102198]  ? _raw_spin_unlock+0x29/0x40
[  657.106326]  ? __alloc_fd+0x28d/0x570
[  657.110109]  do_sys_open+0x3b3/0x520
[  657.113823]  ? filp_open+0x70/0x70
[  657.117344]  ? fput+0x2b/0x190
[  657.120521]  ? entry_SYSCALL_64_after_hwframe+0x3e/0xbe
[  657.125866]  ? trace_hardirqs_off_caller+0x6e/0x210
[  657.130864]  ? do_syscall_64+0x21/0x620
[  657.134820]  do_syscall_64+0xf9/0x620
[  657.138606]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[  657.143776] RIP: 0033:0x7fe0d9ce1eb9
[  657.147472] Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48
[  657.166475] RSP: 002b:00007fffbe6589f8 EFLAGS: 00000246 ORIG_RAX: 0000000000000002
[  657.174164] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007fe0d9ce1eb9
[  657.181412] RDX: 0000000000000000 RSI: 0000000000141042 RDI: 0000000020000200
[  657.188660] RBP: 00007fe0d9ca1720 R08: 00005555563b82c0 R09: 0000000000000000
[  657.195910] R10: 00007fffbe6588c0 R11: 0000000000000246 R12: 0000000200000004
[  657.203158] R13: 0000000000000000 R14: 00080000000000f8 R15: 0000000000000000
[  657.210413] 
[  657.212019] Allocated by task 6238:
[  657.215632]  kmem_cache_alloc+0x122/0x370
[  657.219760]  getname_flags+0xce/0x590
[  657.223537]  user_path_at_empty+0x2a/0x50
[  657.227664]  do_readlinkat+0xcd/0x2f0
[  657.231443]  __x64_sys_readlinkat+0x93/0xf0
[  657.235748]  do_syscall_64+0xf9/0x620
[  657.239530]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[  657.244693] 
[  657.246297] Freed by task 6238:
[  657.249567]  kmem_cache_free+0x7f/0x260
[  657.253525]  putname+0xe1/0x120
[  657.256793]  filename_lookup+0x3d0/0x5a0
[  657.260838]  do_readlinkat+0xcd/0x2f0
[  657.264623]  __x64_sys_readlinkat+0x93/0xf0
[  657.268928]  do_syscall_64+0xf9/0x620
[  657.272712]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[  657.277873] 
[  657.279479] The buggy address belongs to the object at ffff8880b02a4380
[  657.279479]  which belongs to the cache names_cache of size 4096
[  657.292200] The buggy address is located 780 bytes inside of
[  657.292200]  4096-byte region [ffff8880b02a4380, ffff8880b02a5380)
[  657.304135] The buggy address belongs to the page:
[  657.309044] page:ffffea0002c0a900 count:1 mapcount:0 mapping:ffff88823b843380 index:0x0 compound_mapcount: 0
[  657.318995] flags: 0xfff00000008100(slab|head)
[  657.323570] raw: 00fff00000008100 ffffea0002522808 ffffea0002beee08 ffff88823b843380
[  657.331438] raw: 0000000000000000 ffff8880b02a4380 0000000100000001 0000000000000000
[  657.339292] page dumped because: kasan: bad access detected
[  657.344979] 
[  657.346583] Memory state around the buggy address:
[  657.351495]  ffff8880b02a4580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[  657.358832]  ffff8880b02a4600: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[  657.366168] >ffff8880b02a4680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[  657.373501]                       ^
[  657.377107]  ffff8880b02a4700: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[  657.384444]  ffff8880b02a4780: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[  657.391776] ==================================================================
[  657.399108] Disabling lock debugging due to kernel taint
[  657.409311] Kernel panic - not syncing: panic_on_warn set ...
[  657.409311] 
[  657.416695] CPU: 0 PID: 8112 Comm: syz-executor337 Tainted: G    B            4.19.211-syzkaller #0
[  657.425961] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/22/2022
[  657.435314] Call Trace:
[  657.437897]  dump_stack+0x1fc/0x2ef
[  657.441509]  panic+0x26a/0x50e
[  657.444684]  ? __warn_printk+0xf3/0xf3
[  657.448562]  ? preempt_schedule_common+0x45/0xc0
[  657.453295]  ? ___preempt_schedule+0x16/0x18
[  657.457710]  ? trace_hardirqs_on+0x55/0x210
[  657.462012]  kasan_end_report+0x43/0x49
[  657.465965]  kasan_report_error.cold+0xa7/0x1b9
[  657.470614]  ? diAlloc+0x20e/0x1440
[  657.474219]  kasan_report+0x8f/0xa0
[  657.477849]  ? diAlloc+0x20e/0x1440
[  657.481463]  diAlloc+0x20e/0x1440
[  657.484894]  ? do_raw_spin_unlock+0x171/0x230
[  657.489371]  ialloc+0x8c/0x970
[  657.492543]  jfs_create.part.0+0x12b/0x880
[  657.496760]  ? _raw_spin_unlock+0x29/0x40
[  657.500886]  ? d_splice_alias+0x438/0xc30
[  657.505013]  ? jfs_mkdir+0x60/0x60
[  657.508532]  ? jfs_lookup+0xb5/0x1c0
[  657.512255]  ? __dquot_initialize+0x298/0xb70
[  657.516744]  ? userns_put+0xb0/0xb0
[  657.520359]  ? dquot_initialize_needed+0x290/0x290
[  657.525268]  ? param_get_aalockpolicy+0x90/0x90
[  657.529915]  ? __d_lookup+0x411/0x710
[  657.533694]  ? generic_permission+0x116/0x4d0
[  657.538169]  ? security_inode_permission+0xc5/0xf0
[  657.543078]  jfs_create+0x3f/0x60
[  657.546513]  ? jfs_create.part.0+0x880/0x880
[  657.550897]  lookup_open+0x893/0x1a20
[  657.554679]  ? vfs_mkdir+0x7a0/0x7a0
[  657.558369]  ? unlazy_walk+0x1a4/0x540
[  657.562241]  ? check_preemption_disabled+0x41/0x280
[  657.567239]  path_openat+0x1094/0x2df0
[  657.571110]  ? path_lookupat+0x8d0/0x8d0
[  657.575153]  ? mark_held_locks+0xf0/0xf0
[  657.579191]  ? __lock_acquire+0x6de/0x3ff0
[  657.583406]  do_filp_open+0x18c/0x3f0
[  657.587214]  ? may_open_dev+0xf0/0xf0
[  657.590996]  ? lock_downgrade+0x720/0x720
[  657.595120]  ? lock_acquire+0x170/0x3c0
[  657.599072]  ? __alloc_fd+0x34/0x570
[  657.602762]  ? do_raw_spin_unlock+0x171/0x230
[  657.607237]  ? _raw_spin_unlock+0x29/0x40
[  657.611363]  ? __alloc_fd+0x28d/0x570
[  657.615145]  do_sys_open+0x3b3/0x520
[  657.618841]  ? filp_open+0x70/0x70
[  657.622362]  ? fput+0x2b/0x190
[  657.625536]  ? entry_SYSCALL_64_after_hwframe+0x3e/0xbe
[  657.630880]  ? trace_hardirqs_off_caller+0x6e/0x210
[  657.635876]  ? do_syscall_64+0x21/0x620
[  657.639837]  do_syscall_64+0xf9/0x620
[  657.643620]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[  657.648791] RIP: 0033:0x7fe0d9ce1eb9
[  657.652486] Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48
[  657.671364] RSP: 002b:00007fffbe6589f8 EFLAGS: 00000246 ORIG_RAX: 0000000000000002
[  657.679050] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007fe0d9ce1eb9
[  657.686300] RDX: 0000000000000000 RSI: 0000000000141042 RDI: 0000000020000200
[  657.693548] RBP: 00007fe0d9ca1720 R08: 00005555563b82c0 R09: 0000000000000000
[  657.700795] R10: 00007fffbe6588c0 R11: 0000000000000246 R12: 0000000200000004
[  657.708041] R13: 0000000000000000 R14: 00080000000000f8 R15: 0000000000000000
[  657.715370] Kernel Offset: disabled
[  657.718981] Rebooting in 86400 seconds..
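The report above can be triaged mechanically before anyone opens fs/jfs. The following Python is an added example, not part of the syzkaller log and not any kernel or syzkaller tooling: it parses the KASAN block, recovers the first reliable frame of the call trace (frames prefixed with "?" are stale), recomputes the "780 bytes inside of" claim from the raw object and access addresses, and decodes the shadow byte under the caret (0xfb is KASAN_KMALLOC_FREE in mm/kasan/kasan.h of this kernel generation). The regexes assume the 4.19-era report layout shown above. SAMPLE is a constructed, abbreviated copy of the report with the boot messages, register dump and the panic re-dump omitted.

```python
import re
from typing import List, Optional

_TS = re.compile(r"^\[\s*\d+\.\d+\]\s?")        # printk "[  657.292200] " prefix
_FRAME = re.compile(r"\s*(\??\s*[\w.]+\+0x[0-9a-f]+/0x[0-9a-f]+)")
_REPORTING = ("dump_stack", "print_address_description", "kasan_report", "__asan_")
# Shadow values from mm/kasan/kasan.h (4.19 generation); 0x00 = fully accessible,
# 0x01..0x07 = only that many leading bytes of the 8-byte granule are valid.
SHADOW_MEANING = {0xfb: "kmalloc freed (KASAN_KMALLOC_FREE)",
                  0xfc: "kmalloc redzone (KASAN_KMALLOC_REDZONE)",
                  0xfa: "global redzone (KASAN_GLOBAL_REDZONE)",
                  0xff: "free page (KASAN_FREE_PAGE)"}

def _frames(lines: List[str], start: int) -> List[str]:
    """Collect the ' func+0x.../0x...' frames that follow a stack header."""
    out = []
    for line in lines[start:]:
        m = _FRAME.match(line)
        if not m:
            break
        out.append(m.group(1))
    return out

def parse_kasan_report(text: str) -> dict:
    """Pull the triage-relevant fields out of a KASAN report (4.19-era layout)."""
    lines = [_TS.sub("", ln) for ln in text.splitlines()]
    rep: dict = {}
    for i, line in enumerate(lines):
        if m := re.match(r"BUG: KASAN: (\S+) in (\S+)", line):
            rep = {"bug_type": m.group(1), "pc_func": m.group(2), "call_trace": []}
        elif not rep:
            continue
        elif m := re.match(r"(Read|Write) of size (\d+) at addr ([0-9a-f]+) by task \S+/(\d+)", line):
            rep.update(access=m.group(1), size=int(m.group(2)), addr=int(m.group(3), 16), pid=int(m.group(4)))
        elif line.startswith("Call Trace:") and not rep["call_trace"]:
            rep["call_trace"] = _frames(lines, i + 1)   # first dump only, not the panic re-dump
        elif m := re.match(r"(Allocated|Freed) by task (\d+):", line):
            key = m.group(1).lower()                     # "allocated" / "freed"
            rep.update({key + "_task": int(m.group(2)), key + "_stack": _frames(lines, i + 1)})
        elif m := re.match(r"The buggy address belongs to the object at ([0-9a-f]+)", line):
            rep["obj_start"] = int(m.group(1), 16)
        elif m := re.match(r"\s*which belongs to the cache (\S+) of size (\d+)", line):
            rep.update(cache=m.group(1), obj_size=int(m.group(2)))
        elif m := re.match(r"The buggy address is located (\d+) bytes inside of", line):
            rep["reported_offset"] = int(m.group(1))
        elif m := re.match(r">([0-9a-f]+): ((?:[0-9a-f]{2} ?)+)", line):
            # The '>' row contains the faulting address; one shadow byte covers 8 bytes.
            shadow = [int(b, 16) for b in m.group(2).split()]
            idx = (rep["addr"] - int(m.group(1), 16)) >> 3
            if 0 <= idx < len(shadow):
                rep["shadow_byte"] = shadow[idx]
    if not rep:
        raise ValueError("no KASAN report found")
    return rep

def crash_frame(rep: dict) -> Optional[str]:
    """First reliable frame ('?' marks a stale one) outside the KASAN reporting path."""
    for f in rep["call_trace"]:
        if not f.startswith("?") and not f.split("+", 1)[0].startswith(_REPORTING):
            return f
    return None

def offset_check(rep: dict):
    """Recompute the 'N bytes inside of' claim from the raw addresses."""
    computed = rep["addr"] - rep["obj_start"]
    return computed, (0 <= computed < rep["obj_size"] and computed == rep["reported_offset"])

def summarize(rep: dict) -> dict:
    computed, consistent = offset_check(rep)
    return {"bug": f"{rep['bug_type']} in {crash_frame(rep) or rep['pc_func']}",
            "access": f"{rep['access']} of {rep['size']} bytes at 0x{rep['addr']:x}",
            "object": f"{rep['cache']} ({rep['obj_size']} bytes), offset {computed}",
            "offset_consistent": consistent,
            "shadow": SHADOW_MEANING.get(rep.get("shadow_byte"), "unknown"),
            "allocated_by": next(iter(rep["allocated_stack"][1:]), None),  # caller of kmem_cache_alloc
            "freed_by": next(iter(rep["freed_stack"][1:]), None),          # caller of kmem_cache_free
            # A freer other than the accessing task means a cross-task stale pointer.
            "accessing_task_freed_it": rep["pid"] == rep["freed_task"]}

# Constructed sample: an abbreviated copy of the report above.
SAMPLE = """\
[  656.916978] BUG: KASAN: use-after-free in diAlloc+0x20e/0x1440
[  656.922951] Read of size 4 at addr ffff8880b02a468c by task syz-executor337/8112
[  656.949341] Call Trace:
[  656.951920]  dump_stack+0x1fc/0x2ef
[  656.960808]  kasan_report_error.cold+0x8a/0x1b9
[  656.965464]  ? diAlloc+0x20e/0x1440
[  656.976320]  diAlloc+0x20e/0x1440
[  656.984258]  ialloc+0x8c/0x970
[  657.212019] Allocated by task 6238:
[  657.215632]  kmem_cache_alloc+0x122/0x370
[  657.219760]  getname_flags+0xce/0x590
[  657.246297] Freed by task 6238:
[  657.249567]  kmem_cache_free+0x7f/0x260
[  657.253525]  putname+0xe1/0x120
[  657.279479] The buggy address belongs to the object at ffff8880b02a4380
[  657.279479]  which belongs to the cache names_cache of size 4096
[  657.292200] The buggy address is located 780 bytes inside of
[  657.366168] >ffff8880b02a4680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
"""

if __name__ == "__main__":
    for k, v in summarize(parse_kasan_report(SAMPLE)).items():
        print(f"{k:>24}: {v}")
```

Run against the full log the summary says what the raw text obscures: the object is a names_cache pathname buffer allocated and freed by readlinkat() in task 6238, while the faulting 4-byte read comes from open() through jfs_create/ialloc/diAlloc in task 8112, and 0xffff8880b02a468c really is 780 bytes into the freed 4096-byte object, under a shadow byte of 0xfb. So diAlloc dereferenced a pointer into memory that JFS never owned. That is the signature of a stale or corrupted pointer on the JFS side rather than a lifetime bug in the readlinkat path; pinning down which pointer needs the reproducer and the inode-map code, which this parser does not attempt.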