[  OK  ] Reached target Login Prompts.
[  OK  ] Reached target Multi-User System.
[  OK  ] Reached target Graphical Interface.
         Starting Update UTMP about System Runlevel Changes...
[  OK  ] Started Update UTMP about System Runlevel Changes.

Debian GNU/Linux 9 syzkaller ttyS0

Warning: Permanently added '10.128.0.214' (ECDSA) to the list of known hosts.

syzkaller login: [   33.106935] audit: type=1400 audit(1592406889.731:8): avc: denied { execmem } for pid=6342 comm="syz-executor293" scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=process permissive=1
[   33.360212] IPVS: ftp: loaded support on port[0] = 21
executing program
[   34.129174] ==================================================================
[   34.136708] BUG: KASAN: use-after-free in __ext4_check_dir_entry+0x2f9/0x340
[   34.143888] Read of size 2 at addr ffff8880902be001 by task syz-executor293/6343
[   34.151407] 
[   34.153065] CPU: 0 PID: 6343 Comm: syz-executor293 Not tainted 4.14.184-syzkaller #0
[   34.160958] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   34.170326] Call Trace:
[   34.172902]  dump_stack+0x1b2/0x283
[   34.176514]  ? __ext4_check_dir_entry+0x2f9/0x340
[   34.181345]  print_address_description.cold+0x54/0x1dc
[   34.186742]  ? __ext4_check_dir_entry+0x2f9/0x340
[   34.191580]  kasan_report.cold+0xa9/0x2b9
[   34.195770]  __ext4_check_dir_entry+0x2f9/0x340
[   34.200956]  ext4_readdir+0x819/0x27e0
[   34.205040]  ? __ext4_check_dir_entry+0x340/0x340
[   34.209869]  ? lock_acquire+0x170/0x3f0
[   34.213943]  ? iterate_dir+0xbc/0x5e0
[   34.217779]  iterate_dir+0x1a0/0x5e0
[   34.221478]  SyS_getdents64+0x130/0x240
[   34.225441]  ? SyS_getdents+0x260/0x260
[   34.229660]  ? filldir+0x390/0x390
[   34.233185]  ? ext4_dir_llseek+0x1af/0x200
[   34.237460]  ? do_syscall_64+0x4c/0x640
[   34.241419]  ? SyS_getdents+0x260/0x260
[   34.245381]  do_syscall_64+0x1d5/0x640
[   34.249258]  entry_SYSCALL_64_after_hwframe+0x46/0xbb
[   34.254473] RIP: 0033:0x441369
[   34.257661] RSP: 002b:00007ffc66332028 EFLAGS: 00000246 ORIG_RAX: 00000000000000d9
[   34.265356] RAX: ffffffffffffffda RBX: 00007ffc663320a0 RCX: 0000000000441369
[   34.272700] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000004
[   34.279954] RBP: 00007ffc66332040 R08: 00000000bb1414ac R09: 00000000bb1414ac
[   34.287211] R10: 000000000000000f R11: 0000000000000246 R12: 0000000000000003
[   34.294495] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[   34.301757] 
[   34.303369] Allocated by task 4799:
[   34.307101]  kasan_kmalloc.part.0+0x4f/0xd0
[   34.311406]  __kmalloc_track_caller+0x155/0x400
[   34.316074]  kmemdup_nul+0x2d/0xa0
[   34.319600]  security_context_to_sid_core+0x94/0x3d0
[   34.324824]  selinux_inode_setsecurity+0x155/0x350
[   34.329751]  selinux_inode_notifysecctx+0x2b/0x50
[   34.334617]  security_inode_notifysecctx+0x76/0xb0
[   34.339582]  kernfs_refresh_inode+0x328/0x4a0
[   34.344062]  kernfs_iop_permission+0x59/0x90
[   34.348463]  __inode_permission+0x1f1/0x2f0
[   34.352808]  inode_permission+0x23/0x100
[   34.356867]  link_path_walk+0x851/0x1080
[   34.360927]  path_lookupat.isra.0+0xcb/0x7b0
[   34.365386]  filename_lookup+0x18e/0x380
[   34.369436]  vfs_statx+0xd1/0x160
[   34.373018]  SyS_newlstat+0x83/0xe0
[   34.376629]  do_syscall_64+0x1d5/0x640
[   34.380688]  entry_SYSCALL_64_after_hwframe+0x46/0xbb
[   34.385869] 
[   34.387491] Freed by task 4799:
[   34.390769]  kasan_slab_free+0xaf/0x190
[   34.394879]  kfree+0xcb/0x260
[   34.398116]  security_context_to_sid_core+0x284/0x3d0
[   34.403409]  selinux_inode_setsecurity+0x155/0x350
[   34.408369]  selinux_inode_notifysecctx+0x2b/0x50
[   34.413222]  security_inode_notifysecctx+0x76/0xb0
[   34.418262]  kernfs_refresh_inode+0x328/0x4a0
[   34.422750]  kernfs_iop_permission+0x59/0x90
[   34.427140]  __inode_permission+0x1f1/0x2f0
[   34.431476]  inode_permission+0x23/0x100
[   34.435555]  link_path_walk+0x851/0x1080
[   34.439599]  path_lookupat.isra.0+0xcb/0x7b0
[   34.444002]  filename_lookup+0x18e/0x380
[   34.448057]  vfs_statx+0xd1/0x160
[   34.451528]  SyS_newlstat+0x83/0xe0
[   34.455140]  do_syscall_64+0x1d5/0x640
[   34.459044]  entry_SYSCALL_64_after_hwframe+0x46/0xbb
[   34.464211] 
[   34.465909] The buggy address belongs to the object at ffff8880902be000
[   34.465909]  which belongs to the cache kmalloc-32 of size 32
[   34.478463] The buggy address is located 1 bytes inside of
[   34.478463]  32-byte region [ffff8880902be000, ffff8880902be020)
[   34.490089] The buggy address belongs to the page:
[   34.495001] page:ffffea000240af80 count:1 mapcount:0 mapping:ffff8880902be000 index:0xffff8880902befc1
[   34.504444] flags: 0xfffe0000000100(slab)
[   34.508612] raw: 00fffe0000000100 ffff8880902be000 ffff8880902befc1 000000010000003f
[   34.516489] raw: ffffea00024079e0 ffffea0002aa6720 ffff8880aa8001c0 0000000000000000
[   34.524351] page dumped because: kasan: bad access detected
[   34.530075] 
[   34.531724] Memory state around the buggy address:
[   34.536641]  ffff8880902bdf00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   34.544178]  ffff8880902bdf80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   34.551883] >ffff8880902be000: fb fb fb fb fc fc fc fc fb fb fb fb fc fc fc fc
[   34.559227]                    ^
[   34.562581]  ffff8880902be080: fb fb fb fb fc fc fc fc fb fb fb fb fc fc fc fc
[   34.569925]  ffff8880902be100: 00 00 01 fc fc fc fc fc 00 00 01 fc fc fc fc fc
[   34.577314] ==================================================================
[   34.584759] Disabling lock debugging due to kernel taint
[   34.592987] Kernel panic - not syncing: panic_on_warn set ...
[   34.592987] 
[   34.600373] CPU: 1 PID: 6343 Comm: syz-executor293 Tainted: G    B   4.14.184-syzkaller #0
[   34.609464] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   34.619056] Call Trace:
[   34.621638]  dump_stack+0x1b2/0x283
[   34.625296]  panic+0x1f9/0x42d
[   34.628473]  ? add_taint.cold+0x16/0x16
[   34.632433]  ? preempt_schedule_common+0x4a/0xc0
[   34.637183]  ? __ext4_check_dir_entry+0x2f9/0x340
[   34.642012]  ? ___preempt_schedule+0x16/0x18
[   34.646402]  ? __ext4_check_dir_entry+0x2f9/0x340
[   34.651240]  kasan_end_report+0x43/0x49
[   34.655234]  kasan_report.cold+0x12f/0x2b9
[   34.659456]  __ext4_check_dir_entry+0x2f9/0x340
[   34.664112]  ext4_readdir+0x819/0x27e0
[   34.668008]  ? __ext4_check_dir_entry+0x340/0x340
[   34.672839]  ? lock_acquire+0x170/0x3f0
[   34.676830]  ? iterate_dir+0xbc/0x5e0
[   34.680684]  iterate_dir+0x1a0/0x5e0
[   34.684414]  SyS_getdents64+0x130/0x240
[   34.688382]  ? SyS_getdents+0x260/0x260
[   34.692672]  ? filldir+0x390/0x390
[   34.696318]  ? ext4_dir_llseek+0x1af/0x200
[   34.700578]  ? do_syscall_64+0x4c/0x640
[   34.704538]  ? SyS_getdents+0x260/0x260
[   34.708495]  do_syscall_64+0x1d5/0x640
[   34.712506]  entry_SYSCALL_64_after_hwframe+0x46/0xbb
[   34.717798] RIP: 0033:0x441369
[   34.720974] RSP: 002b:00007ffc66332028 EFLAGS: 00000246 ORIG_RAX: 00000000000000d9
[   34.728666] RAX: ffffffffffffffda RBX: 00007ffc663320a0 RCX: 0000000000441369
[   34.736048] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000004
[   34.743390] RBP: 00007ffc66332040 R08: 00000000bb1414ac R09: 00000000bb1414ac
[   34.750695] R10: 000000000000000f R11: 0000000000000246 R12: 0000000000000003
[   34.757980] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[   34.766827] Kernel Offset: disabled
[   34.770450] Rebooting in 86400 seconds..