[ OK ] Reached target Graphical Interface.
Starting Update UTMP about System Runlevel Changes...
[ OK ] Started Update UTMP about System Runlevel Changes.
Starting Load/Save RF Kill Switch Status...
[ OK ] Started Load/Save RF Kill Switch Status.

Debian GNU/Linux 9 syzkaller ttyS0

Warning: Permanently added '10.128.0.49' (ECDSA) to the list of known hosts.
executing program
syzkaller login: [ 58.264731] audit: type=1400 audit(1588399496.717:8): avc: denied { execmem } for pid=6420 comm="syz-executor240" scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=process permissive=1
[ 58.281247] IPVS: ftp: loaded support on port[0] = 21
[ 58.327984] audit: type=1800 audit(1588399496.787:9): pid=6421 uid=0 auid=0 ses=5 subj=system_u:system_r:kernel_t:s0 op=collect_data cause=failed(directio) comm="syz-executor240" name="file0" dev="sda1" ino=15703 res=0
[ 58.333784] MINIX-fs: mounting unchecked file system, running fsck is recommended
[ 58.369676] Process accounting resumed
[ 58.374858] ==================================================================
[ 58.382344] BUG: KASAN: use-after-free in get_block+0x1047/0x1300
[ 58.388573] Read of size 2 at addr ffff8880a0184bb8 by task syz-executor240/6421
[ 58.396086]
[ 58.397699] CPU: 0 PID: 6421 Comm: syz-executor240 Not tainted 4.19.119-syzkaller #0
[ 58.405567] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 58.414902] Call Trace:
[ 58.417479]  dump_stack+0x188/0x20d
[ 58.421107]  ? get_block+0x1047/0x1300
[ 58.424987]  print_address_description.cold+0x7c/0x212
[ 58.430248]  ? get_block+0x1047/0x1300
[ 58.434206]  kasan_report.cold+0x88/0x2b9
[ 58.438337]  get_block+0x1047/0x1300
[ 58.442045]  ? block_to_path.isra.0+0x300/0x300
[ 58.446698]  ? create_page_buffers+0x212/0x380
[ 58.451280]  ? d_path+0xb6/0x8e0
[ 58.454635]  ? lock_downgrade+0x740/0x740
[ 58.458764]  ? do_raw_spin_lock+0xcb/0x240
[ 58.462982]  ? create_empty_buffers+0x52e/0x830
[ 58.467632]  ? __add_to_page_cache_locked+0x5b7/0xc50
[ 58.472803]  ? do_raw_spin_unlock+0x171/0x260
[ 58.477283]  minix_get_block+0xe5/0x110
[ 58.481240]  __block_write_begin_int+0x480/0x17a0
[ 58.486069]  ? minix_rename+0x8c0/0x8c0
[ 58.490045]  ? __breadahead_gfp+0xf0/0xf0
[ 58.494186]  ? pagecache_get_page+0x1b3/0xb20
[ 58.498663]  ? wait_for_stable_page+0x124/0x3b0
[ 58.503335]  ? minix_rename+0x8c0/0x8c0
[ 58.507305]  block_write_begin+0x58/0x2e0
[ 58.511437]  minix_write_begin+0x35/0xe0
[ 58.515484]  generic_perform_write+0x1f8/0x4d0
[ 58.520054]  ? __mnt_drop_write+0x50/0x80
[ 58.524196]  ? page_endio+0x950/0x950
[ 58.527981]  ? current_time+0x140/0x140
[ 58.531952]  ? lock_acquire+0x170/0x400
[ 58.535935]  __generic_file_write_iter+0x24c/0x610
[ 58.540864]  generic_file_write_iter+0x37f/0x729
[ 58.545617]  __vfs_write+0x512/0x760
[ 58.549331]  ? kernel_read+0x110/0x110
[ 58.553213]  ? lock_acquire+0x170/0x400
[ 58.557171]  ? do_acct_process+0xebd/0x10e0
[ 58.561478]  __kernel_write+0x109/0x370
[ 58.565438]  do_acct_process+0xcd8/0x10e0
[ 58.569575]  ? acct_on+0x760/0x760
[ 58.573097]  ? acct_process+0x271/0x5c0
[ 58.577078]  ? check_preemption_disabled+0x41/0x280
[ 58.582080]  acct_process+0x517/0x5c0
[ 58.585949]  ? acct_collect+0x810/0x810
[ 58.589905]  ? rcu_read_lock_sched_held+0x10a/0x130
[ 58.594901]  ? kmem_cache_free+0x218/0x260
[ 58.599149]  do_exit+0x1738/0x2f30
[ 58.602681]  ? mm_update_next_owner+0x650/0x650
[ 58.607344]  ? up_read+0x17/0x110
[ 58.610780]  ? __do_page_fault+0x44e/0xdd0
[ 58.615004]  do_group_exit+0x125/0x350
[ 58.618890]  __x64_sys_exit_group+0x3a/0x50
[ 58.623193]  do_syscall_64+0xf9/0x620
[ 58.626979]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 58.632149] RIP: 0033:0x444648
[ 58.635357] Code: Bad RIP value.
[ 58.638702] RSP: 002b:00007ffe23396318 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
[ 58.646403] RAX: ffffffffffffffda RBX: 0000000000000001 RCX: 0000000000444648
[ 58.653657] RDX: 0000000000000001 RSI: 000000000000003c RDI: 0000000000000001
[ 58.660911] RBP: 00000000004c78f0 R08: 00000000000000e7 R09: ffffffffffffffd4
[ 58.668161] R10: 00007ffe23396230 R11: 0000000000000246 R12: 0000000000000001
[ 58.675432] R13: 00000000006da5e0 R14: 0000000000000000 R15: 0000000000000000
[ 58.682710]
[ 58.684331] Allocated by task 3684:
[ 58.687944]  kasan_kmalloc+0xbf/0xe0
[ 58.691638]  kmem_cache_alloc+0x127/0x710
[ 58.695784]  getname_flags+0xd2/0x5b0
[ 58.699570]  do_mkdirat+0x8d/0x280
[ 58.703104]  do_syscall_64+0xf9/0x620
[ 58.706903]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 58.712072]
[ 58.713700] Freed by task 3684:
[ 58.716965]  __kasan_slab_free+0xf7/0x140
[ 58.721095]  kmem_cache_free+0x7f/0x260
[ 58.725054]  putname+0xe1/0x120
[ 58.728317]  filename_parentat.isra.0+0x3a3/0x410
[ 58.733152]  filename_create+0x9e/0x4a0
[ 58.737106]  do_mkdirat+0xa0/0x280
[ 58.740640]  do_syscall_64+0xf9/0x620
[ 58.744441]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 58.749707]
[ 58.751326] The buggy address belongs to the object at ffff8880a0184540
[ 58.751326]  which belongs to the cache names_cache of size 4096
[ 58.764052] The buggy address is located 1656 bytes inside of
[ 58.764052]  4096-byte region [ffff8880a0184540, ffff8880a0185540)
[ 58.776092] The buggy address belongs to the page:
[ 58.781004] page:ffffea0002806100 count:1 mapcount:0 mapping:ffff88821bc46800 index:0x0 compound_mapcount: 0
[ 58.790965] flags: 0xfffe0000008100(slab|head)
[ 58.800313] raw: 00fffe0000008100 ffffea00027cce88 ffffea00027cd808 ffff88821bc46800
[ 58.808178] raw: 0000000000000000 ffff8880a0184540 0000000100000001 0000000000000000
[ 58.816072] page dumped because: kasan: bad access detected
[ 58.821772]
[ 58.823401] Memory state around the buggy address:
[ 58.828331]  ffff8880a0184a80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 58.835671]  ffff8880a0184b00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 58.843022] >ffff8880a0184b80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 58.850370]                                         ^
[ 58.855536]  ffff8880a0184c00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 58.862959]  ffff8880a0184c80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 58.870310] ==================================================================
[ 58.877644] Disabling lock debugging due to kernel taint
[ 58.883304] Kernel panic - not syncing: panic_on_warn set ...
[ 58.883304]
[ 58.890672] CPU: 0 PID: 6421 Comm: syz-executor240 Tainted: G B 4.19.119-syzkaller #0
[ 58.899937] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 58.909299] Call Trace:
[ 58.911886]  dump_stack+0x188/0x20d
[ 58.915512]  panic+0x26a/0x50e
[ 58.918707]  ? __warn_printk+0xf3/0xf3
[ 58.922602]  ? retint_kernel+0x2d/0x2d
[ 58.926492]  ? trace_hardirqs_on+0x55/0x210
[ 58.930817]  ? get_block+0x1047/0x1300
[ 58.934709]  kasan_end_report+0x43/0x49
[ 58.938687]  kasan_report.cold+0xa4/0x2b9
[ 58.942831]  get_block+0x1047/0x1300
[ 58.946530]  ? block_to_path.isra.0+0x300/0x300
[ 58.951177]  ? create_page_buffers+0x212/0x380
[ 58.955735]  ? d_path+0xb6/0x8e0
[ 58.959079]  ? lock_downgrade+0x740/0x740
[ 58.963237]  ? do_raw_spin_lock+0xcb/0x240
[ 58.967457]  ? create_empty_buffers+0x52e/0x830
[ 58.972102]  ? __add_to_page_cache_locked+0x5b7/0xc50
[ 58.977269]  ? do_raw_spin_unlock+0x171/0x260
[ 58.981743]  minix_get_block+0xe5/0x110
[ 58.985693]  __block_write_begin_int+0x480/0x17a0
[ 58.990516]  ? minix_rename+0x8c0/0x8c0
[ 58.994486]  ? __breadahead_gfp+0xf0/0xf0
[ 58.998612]  ? pagecache_get_page+0x1b3/0xb20
[ 59.003120]  ? wait_for_stable_page+0x124/0x3b0
[ 59.007768]  ? minix_rename+0x8c0/0x8c0
[ 59.011719]  block_write_begin+0x58/0x2e0
[ 59.015869]  minix_write_begin+0x35/0xe0
[ 59.019947]  generic_perform_write+0x1f8/0x4d0
[ 59.024524]  ? __mnt_drop_write+0x50/0x80
[ 59.028650]  ? page_endio+0x950/0x950
[ 59.032447]  ? current_time+0x140/0x140
[ 59.036520]  ? lock_acquire+0x170/0x400
[ 59.040602]  __generic_file_write_iter+0x24c/0x610
[ 59.045509]  generic_file_write_iter+0x37f/0x729
[ 59.050279]  __vfs_write+0x512/0x760
[ 59.053980]  ? kernel_read+0x110/0x110
[ 59.057976]  ? lock_acquire+0x170/0x400
[ 59.061925]  ? do_acct_process+0xebd/0x10e0
[ 59.066226]  __kernel_write+0x109/0x370
[ 59.070176]  do_acct_process+0xcd8/0x10e0
[ 59.074346]  ? acct_on+0x760/0x760
[ 59.077894]  ? acct_process+0x271/0x5c0
[ 59.081850]  ? check_preemption_disabled+0x41/0x280
[ 59.086873]  acct_process+0x517/0x5c0
[ 59.090661]  ? acct_collect+0x810/0x810
[ 59.094720]  ? rcu_read_lock_sched_held+0x10a/0x130
[ 59.099714]  ? kmem_cache_free+0x218/0x260
[ 59.103927]  do_exit+0x1738/0x2f30
[ 59.107447]  ? mm_update_next_owner+0x650/0x650
[ 59.112100]  ? up_read+0x17/0x110
[ 59.115530]  ? __do_page_fault+0x44e/0xdd0
[ 59.119768]  do_group_exit+0x125/0x350
[ 59.123632]  __x64_sys_exit_group+0x3a/0x50
[ 59.128045]  do_syscall_64+0xf9/0x620
[ 59.131822]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 59.136987] RIP: 0033:0x444648
[ 59.140164] Code: Bad RIP value.
[ 59.143502] RSP: 002b:00007ffe23396318 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
[ 59.151195] RAX: ffffffffffffffda RBX: 0000000000000001 RCX: 0000000000444648
[ 59.158440] RDX: 0000000000000001 RSI: 000000000000003c RDI: 0000000000000001
[ 59.165685] RBP: 00000000004c78f0 R08: 00000000000000e7 R09: ffffffffffffffd4
[ 59.172930] R10: 00007ffe23396230 R11: 0000000000000246 R12: 0000000000000001
[ 59.180189] R13: 00000000006da5e0 R14: 0000000000000000 R15: 0000000000000000
[ 59.188702] Kernel Offset: disabled
[ 59.192316] Rebooting in 86400 seconds..