INIT: Entering runlevel: 2 [[36minfo[39;49m] Using makefile-style concurrent boot in runlevel 2. [....] Starting enhanced syslogd: rsyslogd[?25l[?1c7[1G[[32m ok [39;49m8[?25h[?0c. [....] Starting periodic command scheduler: cron[?25l[?1c7[1G[[32m ok [39;49m8[?25h[?0c. [....] Starting OpenBSD Secure Shell server: sshd[?25l[?1c7[1G[[32m ok [39;49m8[?25h[?0c. Debian GNU/Linux 7 syzkaller ttyS0 Warning: Permanently added '10.128.10.17' (ECDSA) to the list of known hosts. 2018/04/04 08:29:21 parsed 1 programs 2018/04/04 08:29:21 executed programs: 0 syzkaller login: [ 26.460507] IPVS: Creating netns size=2536 id=1 [ 27.144336] ================================================================== [ 27.151753] BUG: KASAN: use-after-free in selinux_sb_copy_data+0x25f/0x390 [ 27.158752] Write of size 10 at addr ffff8801da1ee000 by task syz-executor0/3789 [ 27.166259] [ 27.167871] CPU: 0 PID: 3789 Comm: syz-executor0 Not tainted 4.9.92-g13b40d3 #12 [ 27.175380] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 27.184713] ffff8801b6c0f4b0 ffffffff81d95109 ffffea0007687b80 ffff8801da1ee000 [ 27.192719] 0000000000000001 ffff8801da1ee000 dffffc0000000000 ffff8801b6c0f4e8 [ 27.200727] ffffffff8153d5d3 ffff8801da1ee000 000000000000000a 0000000000000001 [ 27.208730] Call Trace: [ 27.211312] [] dump_stack+0xc1/0x128 [ 27.216655] [] print_address_description+0x73/0x280 [ 27.223310] [] kasan_report+0x255/0x380 [ 27.228914] [] ? selinux_sb_copy_data+0x25f/0x390 [ 27.235383] [] check_memory_region+0x137/0x190 [ 27.241592] [] memcpy+0x37/0x50 [ 27.246499] [] selinux_sb_copy_data+0x25f/0x390 [ 27.252798] [] security_sb_copy_data+0x75/0xb0 [ 27.259008] [] parse_security_options+0x36/0x90 [ 27.265306] [] btrfs_mount+0xa02/0x2c00 [ 27.270908] [] ? btrfs_remount+0x1430/0x1430 [ 27.276942] [] ? _find_next_bit.part.0+0xe0/0x120 [ 27.283414] [] ? pcpu_alloc+0x47f/0xb10 [ 27.289018] [] ? ida_get_new_above+0x3e1/0x4a0 [ 27.295224] [] ? pcpu_create_chunk+0x420/0x420 [ 27.301435] [] ? check_preemption_disabled+0x3b/0x200 [ 27.308253] [] ? __raw_spin_lock_init+0x1c/0x100 [ 27.314637] [] ? trace_hardirqs_on_caller+0x38b/0x590 [ 27.321451] [] ? lockdep_init_map+0xe4/0x5c0 [ 27.327488] [] ? lockdep_init_map+0xe4/0x5c0 [ 27.333526] [] mount_fs+0x27f/0x350 [ 27.338783] [] vfs_kern_mount.part.21+0xd0/0x3e0 [ 27.345163] [] vfs_kern_mount+0x40/0x60 [ 27.350763] [] btrfs_mount+0x2ee/0x2c00 [ 27.356364] [] ? btrfs_remount+0x1430/0x1430 [ 27.362402] [] ? pcpu_alloc+0x47f/0xb10 [ 27.368001] [] ? ida_get_new_above+0x3e1/0x4a0 [ 27.374208] [] ? pcpu_create_chunk+0x420/0x420 [ 27.380417] [] ? check_preemption_disabled+0x3b/0x200 [ 27.387233] [] ? __raw_spin_lock_init+0x1c/0x100 [ 27.393612] [] ? trace_hardirqs_on_caller+0x38b/0x590 [ 27.400430] [] ? lockdep_init_map+0xe4/0x5c0 [ 27.406467] [] ? lockdep_init_map+0xe4/0x5c0 [ 27.412506] [] mount_fs+0x27f/0x350 [ 27.417762] [] vfs_kern_mount.part.21+0xd0/0x3e0 [ 27.424147] [] do_mount+0x3e1/0x28b0 [ 27.429487] [] ? trace_hardirqs_on_thunk+0x1a/0x1c [ 27.436042] [] ? copy_mount_string+0x40/0x40 [ 27.442079] [] ? copy_mount_options+0x18b/0x310 [ 27.448375] [] ? copy_mount_options+0x193/0x310 [ 27.454669] [] ? copy_mount_options+0x1f7/0x310 [ 27.460964] [] compat_SyS_mount+0xd0/0x1070 [ 27.466909] [] ? compat_SyS_io_submit+0x100/0x100 [ 27.473380] [] do_fast_syscall_32+0x2f5/0x870 [ 27.479503] [] ? trace_hardirqs_off_thunk+0x1a/0x1c [ 27.486148] [] entry_SYSENTER_compat+0x90/0xa2 [ 27.492355] [ 27.493960] The buggy address belongs to the page: [ 27.498869] page:ffffea0007687b80 count:0 mapcount:0 mapping: (null) index:0x0 [ 27.507110] flags: 0x8000000000000000() [ 27.511056] page dumped because: kasan: bad access detected [ 27.516738] [ 27.518341] Memory state around the buggy address: [ 27.523249] ffff8801da1edf00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 27.530591] ffff8801da1edf80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 27.537925] >ffff8801da1ee000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 27.545266] ^ [ 27.548605] ffff8801da1ee080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 27.555937] ffff8801da1ee100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 27.563269] ================================================================== [ 27.570608] Disabling lock debugging due to kernel taint [ 27.576654] Kernel panic - not syncing: panic_on_warn set ... [ 27.576654] [ 27.584014] CPU: 0 PID: 3789 Comm: syz-executor0 Tainted: G B 4.9.92-g13b40d3 #12 [ 27.592742] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 27.602070] ffff8801b6c0f408 ffffffff81d95109 ffffffff84197d5f ffff8801b6c0f4e0 [ 27.610070] 0000000000000000 ffff8801da1ee000 dffffc0000000000 ffff8801b6c0f4d0 [ 27.618072] ffffffff8142e791 0000000041b58ab3 ffffffff8418b7b8 ffffffff8142e5d5 [ 27.626074] Call Trace: [ 27.628646] [] dump_stack+0xc1/0x128 [ 27.633985] [] panic+0x1bc/0x3a8 [ 27.638978] [] ? percpu_up_read_preempt_enable.constprop.53+0xd7/0xd7 [ 27.647183] [] ? preempt_schedule+0x25/0x30 [ 27.653133] [] ? ___preempt_schedule+0x16/0x18 [ 27.659342] [] kasan_end_report+0x50/0x50 [ 27.665111] [] kasan_report+0x16b/0x380 [ 27.670710] [] ? selinux_sb_copy_data+0x25f/0x390 [ 27.677179] [] check_memory_region+0x137/0x190 [ 27.683388] [] memcpy+0x37/0x50 [ 27.688290] [] selinux_sb_copy_data+0x25f/0x390 [ 27.694586] [] security_sb_copy_data+0x75/0xb0 [ 27.700805] [] parse_security_options+0x36/0x90 [ 27.707096] [] btrfs_mount+0xa02/0x2c00 [ 27.712693] [] ? btrfs_remount+0x1430/0x1430 [ 27.718744] [] ? _find_next_bit.part.0+0xe0/0x120 [ 27.725210] [] ? pcpu_alloc+0x47f/0xb10 [ 27.730807] [] ? ida_get_new_above+0x3e1/0x4a0 [ 27.737012] [] ? pcpu_create_chunk+0x420/0x420 [ 27.743220] [] ? check_preemption_disabled+0x3b/0x200 [ 27.750041] [] ? __raw_spin_lock_init+0x1c/0x100 [ 27.756421] [] ? trace_hardirqs_on_caller+0x38b/0x590 [ 27.763243] [] ? lockdep_init_map+0xe4/0x5c0 [ 27.769276] [] ? lockdep_init_map+0xe4/0x5c0 [ 27.775313] [] mount_fs+0x27f/0x350 [ 27.780565] [] vfs_kern_mount.part.21+0xd0/0x3e0 [ 27.786946] [] vfs_kern_mount+0x40/0x60 [ 27.792543] [] btrfs_mount+0x2ee/0x2c00 [ 27.798139] [] ? btrfs_remount+0x1430/0x1430 [ 27.804169] [] ? pcpu_alloc+0x47f/0xb10 [ 27.809768] [] ? ida_get_new_above+0x3e1/0x4a0 [ 27.815973] [] ? pcpu_create_chunk+0x420/0x420 [ 27.822179] [] ? check_preemption_disabled+0x3b/0x200 [ 27.828991] [] ? __raw_spin_lock_init+0x1c/0x100 [ 27.835367] [] ? trace_hardirqs_on_caller+0x38b/0x590 [ 27.842179] [] ? lockdep_init_map+0xe4/0x5c0 [ 27.848215] [] ? lockdep_init_map+0xe4/0x5c0 [ 27.854251] [] mount_fs+0x27f/0x350 [ 27.859501] [] vfs_kern_mount.part.21+0xd0/0x3e0 [ 27.865883] [] do_mount+0x3e1/0x28b0 [ 27.871227] [] ? trace_hardirqs_on_thunk+0x1a/0x1c [ 27.877780] [] ? copy_mount_string+0x40/0x40 [ 27.883811] [] ? copy_mount_options+0x18b/0x310 [ 27.890101] [] ? copy_mount_options+0x193/0x310 [ 27.896392] [] ? copy_mount_options+0x1f7/0x310 [ 27.902696] [] compat_SyS_mount+0xd0/0x1070 [ 27.908651] [] ? compat_SyS_io_submit+0x100/0x100 [ 27.915114] [] do_fast_syscall_32+0x2f5/0x870 [ 27.921234] [] ? trace_hardirqs_off_thunk+0x1a/0x1c [ 27.927878] [] entry_SYSENTER_compat+0x90/0xa2 [ 27.934510] Dumping ftrace buffer: [ 27.938025] (ftrace buffer empty) [ 27.941708] Kernel Offset: disabled [ 27.945313] Rebooting in 86400 seconds..