[ OK ] Reached target Graphical Interface.
       Starting Update UTMP about System Runlevel Changes...
       Starting Load/Save RF Kill Switch Status...
[ OK ] Started Update UTMP about System Runlevel Changes.
[ OK ] Started Load/Save RF Kill Switch Status.

Debian GNU/Linux 9 syzkaller ttyS0

Warning: Permanently added '10.128.1.28' (ECDSA) to the list of known hosts.
executing program
syzkaller login: [ 40.203744] audit: type=1400 audit(1601921389.561:8): avc: denied { execmem } for pid=6499 comm="syz-executor856" scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=process permissive=1
[ 40.210314] BFS-fs: bfs_fill_super(): loop0 is unclean, continuing
[ 40.245132] ==================================================================
[ 40.252634] BUG: KASAN: slab-out-of-bounds in find_first_zero_bit+0xa8/0xb0
[ 40.259716] Read of size 8 at addr ffff8880a7486e00 by task syz-executor856/6499
[ 40.267237]
[ 40.268854] CPU: 0 PID: 6499 Comm: syz-executor856 Not tainted 4.19.149-syzkaller #0
[ 40.276816] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 40.286257] Call Trace:
[ 40.288859]  dump_stack+0x22c/0x33e
[ 40.292478]  print_address_description.cold+0x56/0x25c
[ 40.297761]  kasan_report_error.cold+0x66/0xb9
[ 40.302344]  ? find_first_zero_bit+0xa8/0xb0
[ 40.307430]  __asan_report_load8_noabort+0x88/0x90
[ 40.313823]  ? find_first_zero_bit+0xa8/0xb0
[ 40.318645]  find_first_zero_bit+0xa8/0xb0
[ 40.322865]  bfs_create+0xf3/0x580
[ 40.326405]  ? bfs_link+0x1a0/0x1a0
[ 40.330030]  lookup_open+0x86c/0x19c0
[ 40.333847]  ? may_open+0x360/0x360
[ 40.337467]  path_openat+0x10d6/0x2e90
[ 40.341363]  ? entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 40.346734]  ? path_lookupat+0x8d0/0x8d0
[ 40.350802]  ? mark_held_locks+0xf0/0xf0
[ 40.354874]  ? mark_held_locks+0xf0/0xf0
[ 40.358930]  do_filp_open+0x18c/0x3f0
[ 40.362723]  ? may_open_dev+0xf0/0xf0
[ 40.366620]  ? lock_downgrade+0x750/0x750
[ 40.370762]  ? lock_acquire+0x170/0x3f0
[ 40.374755]  ? do_raw_spin_unlock+0x171/0x240
[ 40.379336]  ? _raw_spin_unlock+0x29/0x40
[ 40.383482]  ? __alloc_fd+0x2ab/0x590
[ 40.387289]  do_sys_open+0x3b3/0x520
[ 40.391010]  ? filp_open+0x70/0x70
[ 40.394531]  ? fput+0x2b/0x190
[ 40.397822]  ? entry_SYSCALL_64_after_hwframe+0x3e/0xbe
[ 40.403207]  ? trace_hardirqs_off_caller+0x6e/0x210
[ 40.408302]  ? do_syscall_64+0x21/0x670
[ 40.412275]  do_syscall_64+0xf9/0x670
[ 40.416101]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 40.421294] RIP: 0033:0x444439
[ 40.424485] Code: 8d d7 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 5b d7 fb ff c3 66 2e 0f 1f 84 00 00 00 00
[ 40.444066] RSP: 002b:00007ffc8a3cce38 EFLAGS: 00000246 ORIG_RAX: 0000000000000101
[ 40.451787] RAX: ffffffffffffffda RBX: 00000000004002e0 RCX: 0000000000444439
[ 40.459040] RDX: 00000000001015c2 RSI: 0000000020000440 RDI: ffffffffffffff9c
[ 40.466303] RBP: 00000000006cf018 R08: 00007ffc00000015 R09: 0000000000000000
[ 40.473565] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000402020
[ 40.480825] R13: 00000000004020b0 R14: 0000000000000000 R15: 0000000000000000
[ 40.488274]
[ 40.489899] Allocated by task 6499:
[ 40.493527]  __kmalloc+0x15a/0x4f0
[ 40.497048]  bfs_fill_super+0x447/0xfa0
[ 40.501015]  mount_bdev+0x2fc/0x3b0
[ 40.504621]  mount_fs+0xa3/0x318
[ 40.507967]  vfs_kern_mount.part.0+0x68/0x470
[ 40.512466]  do_mount+0x51c/0x2f10
[ 40.515984]  ksys_mount+0xcf/0x130
[ 40.519592]  __x64_sys_mount+0xba/0x150
[ 40.523548]  do_syscall_64+0xf9/0x670
[ 40.527427]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 40.532608]
[ 40.534659] Freed by task 4706:
[ 40.538022]  kfree+0xcc/0x250
[ 40.541124]  walk_component+0x204/0xda0
[ 40.545078]  link_path_walk.part.0+0x541/0x1230
[ 40.549748]  path_openat+0x21d/0x2e90
[ 40.553545]  do_filp_open+0x18c/0x3f0
[ 40.557932]  do_sys_open+0x3b3/0x520
[ 40.561645]  do_syscall_64+0xf9/0x670
[ 40.565441]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 40.570627]
[ 40.572427] The buggy address belongs to the object at ffff8880a7486e00
[ 40.572427]  which belongs to the cache kmalloc-32 of size 32
[ 40.584982] The buggy address is located 0 bytes inside of
[ 40.584982]  32-byte region [ffff8880a7486e00, ffff8880a7486e20)
[ 40.596847] The buggy address belongs to the page:
[ 40.601932] page:ffffea00029d2180 count:1 mapcount:0 mapping:ffff88812c3f61c0 index:0xffff8880a7486fc1
[ 40.611458] flags: 0xfffe0000000100(slab)
[ 40.615589] raw: 00fffe0000000100 ffffea0002918988 ffffea0002911e08 ffff88812c3f61c0
[ 40.623467] raw: ffff8880a7486fc1 ffff8880a7486000 0000000100000025 0000000000000000
[ 40.631326] page dumped because: kasan: bad access detected
[ 40.637011]
[ 40.638613] Memory state around the buggy address:
[ 40.643523]  ffff8880a7486d00: fb fb fb fb fc fc fc fc 00 00 01 fc fc fc fc fc
[ 40.651136]  ffff8880a7486d80: 00 00 00 fc fc fc fc fc fb fb fb fb fc fc fc fc
[ 40.658474] >ffff8880a7486e00: 07 fc fc fc fc fc fc fc 00 00 01 fc fc fc fc fc
[ 40.665818]                    ^
[ 40.673004]  ffff8880a7486e80: 00 00 00 fc fc fc fc fc fb fb fb fb fc fc fc fc
[ 40.680343]  ffff8880a7486f00: fb fb fb fb fc fc fc fc fb fb fb fb fc fc fc fc
[ 40.687694] ==================================================================
[ 40.695061] Disabling lock debugging due to kernel taint
[ 40.710871] Kernel panic - not syncing: panic_on_warn set ...
[ 40.710871]
[ 40.718255] CPU: 0 PID: 6499 Comm: syz-executor856 Tainted: G B 4.19.149-syzkaller #0
[ 40.727524] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 40.737410] Call Trace:
[ 40.739990]  dump_stack+0x22c/0x33e
[ 40.743617]  panic+0x2ac/0x565
[ 40.746789]  ? __warn_printk+0xf3/0xf3
[ 40.750672]  ? preempt_schedule_common+0x45/0xc0
[ 40.755476]  ? ___preempt_schedule+0x16/0x18
[ 40.759865]  ? trace_hardirqs_on+0x55/0x210
[ 40.764180]  kasan_end_report+0x43/0x49
[ 40.768135]  kasan_report_error.cold+0x83/0xb9
[ 40.772701]  ? find_first_zero_bit+0xa8/0xb0
[ 40.777816]  __asan_report_load8_noabort+0x88/0x90
[ 40.782726]  ? find_first_zero_bit+0xa8/0xb0
[ 40.787114]  find_first_zero_bit+0xa8/0xb0
[ 40.791405]  bfs_create+0xf3/0x580
[ 40.794966]  ? bfs_link+0x1a0/0x1a0
[ 40.798584]  lookup_open+0x86c/0x19c0
[ 40.802388]  ? may_open+0x360/0x360
[ 40.806015]  path_openat+0x10d6/0x2e90
[ 40.809892]  ? entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 40.815845]  ? path_lookupat+0x8d0/0x8d0
[ 40.819885]  ? mark_held_locks+0xf0/0xf0
[ 40.823927]  ? mark_held_locks+0xf0/0xf0
[ 40.827970]  do_filp_open+0x18c/0x3f0
[ 40.832547]  ? may_open_dev+0xf0/0xf0
[ 40.836468]  ? lock_downgrade+0x750/0x750
[ 40.840640]  ? lock_acquire+0x170/0x3f0
[ 40.844620]  ? do_raw_spin_unlock+0x171/0x240
[ 40.849130]  ? _raw_spin_unlock+0x29/0x40
[ 40.853281]  ? __alloc_fd+0x2ab/0x590
[ 40.858024]  do_sys_open+0x3b3/0x520
[ 40.861807]  ? filp_open+0x70/0x70
[ 40.865341]  ? fput+0x2b/0x190
[ 40.868516]  ? entry_SYSCALL_64_after_hwframe+0x3e/0xbe
[ 40.873876]  ? trace_hardirqs_off_caller+0x6e/0x210
[ 40.878887]  ? do_syscall_64+0x21/0x670
[ 40.882842]  do_syscall_64+0xf9/0x670
[ 40.886628]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 40.891797] RIP: 0033:0x444439
[ 40.894976] Code: 8d d7 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 5b d7 fb ff c3 66 2e 0f 1f 84 00 00 00 00
[ 40.913858] RSP: 002b:00007ffc8a3cce38 EFLAGS: 00000246 ORIG_RAX: 0000000000000101
[ 40.921547] RAX: ffffffffffffffda RBX: 00000000004002e0 RCX: 0000000000444439
[ 40.928847] RDX: 00000000001015c2 RSI: 0000000020000440 RDI: ffffffffffffff9c
[ 40.936110] RBP: 00000000006cf018 R08: 00007ffc00000015 R09: 0000000000000000
[ 40.943377] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000402020
[ 40.950650] R13: 00000000004020b0 R14: 0000000000000000 R15: 0000000000000000
[ 40.959207] Kernel Offset: disabled
[ 40.962829] Rebooting in 86400 seconds..