[ OK ] Started Regular background program processing daemon.
Starting System Logging Service...
[ OK ] Started Daily apt download activities.
[ OK ] Started Daily apt upgrade and clean activities.
[ OK ] Reached target Timers.
[ OK ] Started Permit User Sessions.
[ OK ] Started System Logging Service.
[ OK ] Found device /dev/ttyS0.
[ OK ] Started OpenBSD Secure Shell server.
[ OK ] Started getty on tty2-tty6 if dbus and logind are not available.
[ OK ] Listening on Load/Save RF Kill Switch Status /dev/rfkill Watch.
[ OK ] Started Getty on tty6.
[ OK ] Started Getty on tty5.
[ OK ] Started Getty on tty4.
[ OK ] Started Getty on tty3.
[ OK ] Started Getty on tty2.
[ OK ] Started Getty on tty1.
[ OK ] Started Serial Getty on ttyS0.
[ OK ] Reached target Login Prompts.
[ OK ] Reached target Multi-User System.
[ OK ] Reached target Graphical Interface.
Starting Update UTMP about System Runlevel Changes...
Starting Load/Save RF Kill Switch Status...
[ OK ] Started Update UTMP about System Runlevel Changes.
[ OK ] Started Load/Save RF Kill Switch Status.
Debian GNU/Linux 9 syzkaller ttyS0
Warning: Permanently added '10.128.1.42' (ECDSA) to the list of known hosts.
executing program
syzkaller login: [ 69.085849][ T28] audit: type=1400 audit(1597268000.554:8): avc: denied { execmem } for pid=6828 comm="syz-executor159" scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=process permissive=1
[ 69.126290][ T6828] ==================================================================
[ 69.134439][ T6828] BUG: KASAN: use-after-free in path_init+0x116b/0x13c0
[ 69.141348][ T6828] Read of size 8 at addr ffff8880a0508700 by task syz-executor159/6828
[ 69.149551][ T6828]
[ 69.151857][ T6828] CPU: 1 PID: 6828 Comm: syz-executor159 Not tainted 5.8.0-syzkaller #0
[ 69.160151][ T6828] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 69.170216][ T6828] Call Trace:
[ 69.173482][ T6828] dump_stack+0x18f/0x20d
[ 69.177786][ T6828] ? path_init+0x116b/0x13c0
[ 69.182347][ T6828] ? path_init+0x116b/0x13c0
[ 69.187000][ T6828] print_address_description.constprop.0.cold+0xae/0x497
[ 69.193997][ T6828] ? vprintk_func+0x97/0x1a6
[ 69.198559][ T6828] ? path_init+0x116b/0x13c0
[ 69.203128][ T6828] ? path_init+0x116b/0x13c0
[ 69.207689][ T6828] kasan_report.cold+0x1f/0x37
[ 69.212485][ T6828] ? path_init+0x116b/0x13c0
[ 69.217047][ T6828] path_init+0x116b/0x13c0
[ 69.221436][ T6828] ? __kasan_slab_free+0xd8/0x120
[ 69.226472][ T6828] ? kmem_cache_free.part.0+0x67/0x1f0
[ 69.231940][ T6828] ? putname+0xe1/0x120
[ 69.236068][ T6828] ? do_rmdir+0x145/0x440
[ 69.240376][ T6828] ? do_syscall_64+0x2d/0x70
[ 69.244952][ T6828] ? entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 69.250999][ T6828] path_parentat+0x22/0x1b0
[ 69.255475][ T6828] filename_parentat+0x188/0x560
[ 69.260399][ T6828] ? getname+0xd0/0xd0
[ 69.264461][ T6828] ? lockdep_hardirqs_off+0x89/0xc0
[ 69.269633][ T6828] ? _raw_spin_unlock_irqrestore+0x9b/0xe0
[ 69.275413][ T6828] ? lockdep_hardirqs_off+0x89/0xc0
[ 69.280586][ T6828] ? check_preemption_disabled+0x50/0x130
[ 69.286280][ T6828] ? putname+0xe1/0x120
[ 69.290412][ T6828] ? rcu_read_lock_sched_held+0x3a/0xb0
[ 69.295930][ T6828] ? putname+0xe1/0x120
[ 69.300055][ T6828] ? kmem_cache_free.part.0+0x1c4/0x1f0
[ 69.305574][ T6828] do_rmdir+0xa8/0x440
[ 69.309616][ T6828] ? __ia32_sys_mkdir+0x80/0x80
[ 69.314441][ T6828] ? strncpy_from_user+0x2bf/0x3e0
[ 69.319529][ T6828] ? trace_hardirqs_on+0x5f/0x220
[ 69.324531][ T6828] do_syscall_64+0x2d/0x70
[ 69.328925][ T6828] entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 69.334877][ T6828] RIP: 0033:0x4403e9
[ 69.338755][ T6828] Code: 18 89 d0 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 7b 13 fc ff c3 66 2e 0f 1f 84 00 00 00 00
[ 69.358336][ T6828] RSP: 002b:00007fff37be5c38 EFLAGS: 00000246 ORIG_RAX: 0000000000000054
[ 69.366719][ T6828] RAX: ffffffffffffffda RBX: 69662f7375622f2e RCX: 00000000004403e9
[ 69.374664][ T6828] RDX: 00000000004403e9 RSI: 00000000004403e9 RDI: 0000000020000080
[ 69.382608][ T6828] RBP: 2f31656c69662f2e R08: 0000000000000000 R09: 0000000000000000
[ 69.390552][ T6828] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000401bf0
[ 69.398496][ T6828] R13: 0000000000401c80 R14: 0000000000000000 R15: 0000000000000000
[ 69.406447][ T6828]
[ 69.408748][ T6828] Allocated by task 6828:
[ 69.413055][ T6828] kasan_save_stack+0x1b/0x40
[ 69.417704][ T6828] __kasan_kmalloc.constprop.0+0xbf/0xd0
[ 69.423307][ T6828] kmem_cache_alloc+0x138/0x3a0
[ 69.428127][ T6828] getname_flags.part.0+0x50/0x4f0
[ 69.433209][ T6828] __x64_sys_rmdir+0xb1/0x100
[ 69.437867][ T6828] do_syscall_64+0x2d/0x70
[ 69.442255][ T6828] entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 69.448111][ T6828]
[ 69.450413][ T6828] Freed by task 6828:
[ 69.454366][ T6828] kasan_save_stack+0x1b/0x40
[ 69.459012][ T6828] kasan_set_track+0x1c/0x30
[ 69.463574][ T6828] kasan_set_free_info+0x1b/0x30
[ 69.468481][ T6828] __kasan_slab_free+0xd8/0x120
[ 69.473303][ T6828] kmem_cache_free.part.0+0x67/0x1f0
[ 69.478558][ T6828] putname+0xe1/0x120
[ 69.482524][ T6828] do_rmdir+0x145/0x440
[ 69.486648][ T6828] do_syscall_64+0x2d/0x70
[ 69.491036][ T6828] entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 69.496910][ T6828]
[ 69.499214][ T6828] The buggy address belongs to the object at ffff8880a0508700
[ 69.499214][ T6828] which belongs to the cache names_cache of size 4096
[ 69.513323][ T6828] The buggy address is located 0 bytes inside of
[ 69.513323][ T6828] 4096-byte region [ffff8880a0508700, ffff8880a0509700)
[ 69.526474][ T6828] The buggy address belongs to the page:
[ 69.532079][ T6828] page:00000000585345a4 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0xa0508
[ 69.542196][ T6828] head:00000000585345a4 order:1 compound_mapcount:0
[ 69.548753][ T6828] flags: 0xfffe0000010200(slab|head)
[ 69.554014][ T6828] raw: 00fffe0000010200 ffffea0002832d88 ffff8880aa247150 ffff8880aa241900
[ 69.562570][ T6828] raw: 0000000000000000 ffff8880a0508700 0000000100000001 0000000000000000
[ 69.571118][ T6828] page dumped because: kasan: bad access detected
[ 69.577513][ T6828]
[ 69.579812][ T6828] Memory state around the buggy address:
[ 69.585413][ T6828] ffff8880a0508600: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 69.593445][ T6828] ffff8880a0508680: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 69.601479][ T6828] >ffff8880a0508700: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 69.609605][ T6828] ^
[ 69.613645][ T6828] ffff8880a0508780: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 69.621678][ T6828] ffff8880a0508800: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 69.629705][ T6828] ==================================================================
[ 69.637745][ T6828] Disabling lock debugging due to kernel taint
[ 69.644510][ T6828] Kernel panic - not syncing: panic_on_warn set ...
[ 69.651194][ T6828] CPU: 1 PID: 6828 Comm: syz-executor159 Tainted: G B 5.8.0-syzkaller #0
[ 69.660999][ T6828] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 69.671040][ T6828] Call Trace:
[ 69.674325][ T6828] dump_stack+0x18f/0x20d
[ 69.678651][ T6828] ? path_init+0x1160/0x13c0
[ 69.683237][ T6828] panic+0x2e3/0x75c
[ 69.687133][ T6828] ? __warn_printk+0xf3/0xf3
[ 69.691728][ T6828] ? preempt_schedule_common+0x59/0xc0
[ 69.697178][ T6828] ? path_init+0x116b/0x13c0
[ 69.701744][ T6828] ? preempt_schedule_thunk+0x16/0x18
[ 69.707087][ T6828] ? trace_hardirqs_on+0x55/0x220
[ 69.712192][ T6828] ? path_init+0x116b/0x13c0
[ 69.716763][ T6828] ? path_init+0x116b/0x13c0
[ 69.721327][ T6828] end_report+0x4d/0x53
[ 69.725456][ T6828] kasan_report.cold+0xd/0x37
[ 69.730103][ T6828] ? path_init+0x116b/0x13c0
[ 69.734663][ T6828] path_init+0x116b/0x13c0
[ 69.739049][ T6828] ? __kasan_slab_free+0xd8/0x120
[ 69.744041][ T6828] ? kmem_cache_free.part.0+0x67/0x1f0
[ 69.749466][ T6828] ? putname+0xe1/0x120
[ 69.753590][ T6828] ? do_rmdir+0x145/0x440
[ 69.757892][ T6828] ? do_syscall_64+0x2d/0x70
[ 69.762452][ T6828] ? entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 69.768487][ T6828] path_parentat+0x22/0x1b0
[ 69.772960][ T6828] filename_parentat+0x188/0x560
[ 69.777867][ T6828] ? getname+0xd0/0xd0
[ 69.781910][ T6828] ? lockdep_hardirqs_off+0x89/0xc0
[ 69.787075][ T6828] ? _raw_spin_unlock_irqrestore+0x9b/0xe0
[ 69.792850][ T6828] ? lockdep_hardirqs_off+0x89/0xc0
[ 69.798016][ T6828] ? check_preemption_disabled+0x50/0x130
[ 69.803709][ T6828] ? putname+0xe1/0x120
[ 69.807838][ T6828] ? rcu_read_lock_sched_held+0x3a/0xb0
[ 69.813352][ T6828] ? putname+0xe1/0x120
[ 69.817475][ T6828] ? kmem_cache_free.part.0+0x1c4/0x1f0
[ 69.822990][ T6828] do_rmdir+0xa8/0x440
[ 69.827029][ T6828] ? __ia32_sys_mkdir+0x80/0x80
[ 69.831852][ T6828] ? strncpy_from_user+0x2bf/0x3e0
[ 69.836940][ T6828] ? trace_hardirqs_on+0x5f/0x220
[ 69.841937][ T6828] do_syscall_64+0x2d/0x70
[ 69.846323][ T6828] entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 69.852194][ T6828] RIP: 0033:0x4403e9
[ 69.856066][ T6828] Code: 18 89 d0 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 7b 13 fc ff c3 66 2e 0f 1f 84 00 00 00 00
[ 69.877129][ T6828] RSP: 002b:00007fff37be5c38 EFLAGS: 00000246 ORIG_RAX: 0000000000000054
[ 69.885512][ T6828] RAX: ffffffffffffffda RBX: 69662f7375622f2e RCX: 00000000004403e9
[ 69.893457][ T6828] RDX: 00000000004403e9 RSI: 00000000004403e9 RDI: 0000000020000080
[ 69.901522][ T6828] RBP: 2f31656c69662f2e R08: 0000000000000000 R09: 0000000000000000
[ 69.909511][ T6828] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000401bf0
[ 69.917831][ T6828] R13: 0000000000401c80 R14: 0000000000000000 R15: 0000000000000000
[ 69.927221][ T6828] Kernel Offset: disabled
[ 69.931535][ T6828] Rebooting in 86400 seconds..