[ OK ] Reached target Graphical Interface.
Starting Update UTMP about System Runlevel Changes...
Starting Load/Save RF Kill Switch Status...
[ OK ] Started Update UTMP about System Runlevel Changes.
[ OK ] Started Load/Save RF Kill Switch Status.

Debian GNU/Linux 9 syzkaller ttyS0

Warning: Permanently added '10.128.0.171' (ECDSA) to the list of known hosts.
executing program
syzkaller login: [ 39.166590] audit: type=1400 audit(1600644036.258:8): avc: denied { execmem } for pid=6469 comm="syz-executor187" scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=process permissive=1
[ 39.182304] BFS-fs: bfs_fill_super(): loop0 is unclean, continuing
[ 39.199192] ==================================================================
[ 39.206676] BUG: KASAN: slab-out-of-bounds in find_first_zero_bit+0xa8/0xb0
[ 39.213804] Read of size 8 at addr ffff8880992ee4c0 by task syz-executor187/6469
[ 39.221366]
[ 39.223011] CPU: 0 PID: 6469 Comm: syz-executor187 Not tainted 4.19.146-syzkaller #0
[ 39.230871] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 39.240204] Call Trace:
[ 39.242781]  dump_stack+0x22c/0x33e
[ 39.246391]  print_address_description.cold+0x56/0x25c
[ 39.251654]  kasan_report_error.cold+0x66/0xb9
[ 39.256229]  ? find_first_zero_bit+0xa8/0xb0
[ 39.260685]  __asan_report_load8_noabort+0x88/0x90
[ 39.265615]  ? find_first_zero_bit+0xa8/0xb0
[ 39.270016]  find_first_zero_bit+0xa8/0xb0
[ 39.274323]  bfs_create+0xf3/0x580
[ 39.277848]  ? bfs_link+0x1a0/0x1a0
[ 39.281457]  lookup_open+0x86c/0x19c0
[ 39.285296]  ? may_open+0x360/0x360
[ 39.288919]  path_openat+0x10d6/0x2e90
[ 39.292791]  ? entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 39.298137]  ? path_lookupat+0x8d0/0x8d0
[ 39.302180]  ? mark_held_locks+0xf0/0xf0
[ 39.306224]  ? mark_held_locks+0xf0/0xf0
[ 39.310271]  do_filp_open+0x18c/0x3f0
[ 39.314072]  ? may_open_dev+0xf0/0xf0
[ 39.317866]  ? lock_downgrade+0x750/0x750
[ 39.321997]  ? lock_acquire+0x170/0x3f0
[ 39.325959]  ? do_raw_spin_unlock+0x171/0x240
[ 39.330455]  ? _raw_spin_unlock+0x29/0x40
[ 39.334601]  ? __alloc_fd+0x2ab/0x590
[ 39.338387]  do_sys_open+0x3b3/0x520
[ 39.342082]  ? filp_open+0x70/0x70
[ 39.345601]  ? fput+0x2b/0x190
[ 39.348775]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 39.353512]  ? trace_hardirqs_off_caller+0x69/0x210
[ 39.358624]  ? do_syscall_64+0x21/0x670
[ 39.362580]  do_syscall_64+0xf9/0x670
[ 39.366386]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 39.371561] RIP: 0033:0x444439
[ 39.374742] Code: 8d d7 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 5b d7 fb ff c3 66 2e 0f 1f 84 00 00 00 00
[ 39.393623] RSP: 002b:00007ffc319b9908 EFLAGS: 00000246 ORIG_RAX: 0000000000000101
[ 39.401330] RAX: ffffffffffffffda RBX: 00000000004002e0 RCX: 0000000000444439
[ 39.408588] RDX: 00000000001015c2 RSI: 0000000020000440 RDI: ffffffffffffff9c
[ 39.415839] RBP: 00000000006cf018 R08: 00007ffc00000015 R09: 0000000000000000
[ 39.423102] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000402020
[ 39.430371] R13: 00000000004020b0 R14: 0000000000000000 R15: 0000000000000000
[ 39.437675]
[ 39.439331] Allocated by task 6469:
[ 39.442940]  __kmalloc+0x15a/0x4f0
[ 39.446499]  bfs_fill_super+0x447/0xfa0
[ 39.450492]  mount_bdev+0x2fc/0x3b0
[ 39.454098]  mount_fs+0xa3/0x318
[ 39.457445]  vfs_kern_mount.part.0+0x68/0x470
[ 39.461934]  do_mount+0x51c/0x2f10
[ 39.465455]  ksys_mount+0xcf/0x130
[ 39.468980]  __x64_sys_mount+0xba/0x150
[ 39.472934]  do_syscall_64+0xf9/0x670
[ 39.476714]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 39.481893]
[ 39.483499] Freed by task 4571:
[ 39.486776]  kfree+0xcc/0x250
[ 39.489876]  simple_xattr_set+0x291/0x5c0
[ 39.494017]  __vfs_setxattr+0x10e/0x170
[ 39.497973]  __vfs_setxattr_noperm+0x11a/0x420
[ 39.502532]  __vfs_setxattr_locked+0x176/0x250
[ 39.507194]  vfs_setxattr+0xe5/0x270
[ 39.510887]  setxattr+0x23d/0x330
[ 39.514316]  path_setxattr+0x170/0x190
[ 39.518182]  __x64_sys_lsetxattr+0xbd/0x150
[ 39.522481]  do_syscall_64+0xf9/0x670
[ 39.526261]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 39.531436]
[ 39.533042] The buggy address belongs to the object at ffff8880992ee4c0
[ 39.533042]  which belongs to the cache kmalloc-32 of size 32
[ 39.545502] The buggy address is located 0 bytes inside of
[ 39.545502]  32-byte region [ffff8880992ee4c0, ffff8880992ee4e0)
[ 39.558826] The buggy address belongs to the page:
[ 39.563742] page:ffffea000264bb80 count:1 mapcount:0 mapping:ffff88812c3f61c0 index:0xffff8880992eefc1
[ 39.573170] flags: 0xfffe0000000100(slab)
[ 39.577305] raw: 00fffe0000000100 ffffea000291e808 ffffea0002913dc8 ffff88812c3f61c0
[ 39.585170] raw: ffff8880992eefc1 ffff8880992ee000 000000010000001e 0000000000000000
[ 39.593028] page dumped because: kasan: bad access detected
[ 39.598713]
[ 39.600316] Memory state around the buggy address:
[ 39.605223]  ffff8880992ee380: fb fb fb fb fc fc fc fc fb fb fb fb fc fc fc fc
[ 39.612563]  ffff8880992ee400: fb fb fb fb fc fc fc fc fb fb fb fb fc fc fc fc
[ 39.619901] >ffff8880992ee480: fb fb fb fb fc fc fc fc 07 fc fc fc fc fc fc fc
[ 39.627237]                                            ^
[ 39.632669]  ffff8880992ee500: fb fb fb fb fc fc fc fc fb fb fb fb fc fc fc fc
[ 39.640007]  ffff8880992ee580: fb fb fb fb fc fc fc fc fb fb fb fb fc fc fc fc
[ 39.647340] ==================================================================
[ 39.654697] Disabling lock debugging due to kernel taint
[ 39.665440] Kernel panic - not syncing: panic_on_warn set ...
[ 39.665440]
[ 39.665457] CPU: 1 PID: 6469 Comm: syz-executor187 Tainted: G    B     4.19.146-syzkaller #0
[ 39.665463] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 39.665466] Call Trace:
[ 39.665485]  dump_stack+0x22c/0x33e
[ 39.665500]  panic+0x2ac/0x565
[ 39.665513]  ? __warn_printk+0xf3/0xf3
[ 39.665531]  ? preempt_schedule_common+0x45/0xc0
[ 39.711729]  ? ___preempt_schedule+0x16/0x18
[ 39.716198]  ? trace_hardirqs_on+0x55/0x210
[ 39.720542]  kasan_end_report+0x43/0x49
[ 39.724502]  kasan_report_error.cold+0x83/0xb9
[ 39.729067]  ? find_first_zero_bit+0xa8/0xb0
[ 39.733454]  __asan_report_load8_noabort+0x88/0x90
[ 39.738372]  ? find_first_zero_bit+0xa8/0xb0
[ 39.742758]  find_first_zero_bit+0xa8/0xb0
[ 39.746975]  bfs_create+0xf3/0x580
[ 39.750564]  ? bfs_link+0x1a0/0x1a0
[ 39.754190]  lookup_open+0x86c/0x19c0
[ 39.757989]  ? may_open+0x360/0x360
[ 39.761624]  path_openat+0x10d6/0x2e90
[ 39.765514]  ? entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 39.770856]  ? path_lookupat+0x8d0/0x8d0
[ 39.774893]  ? mark_held_locks+0xf0/0xf0
[ 39.778931]  ? mark_held_locks+0xf0/0xf0
[ 39.782971]  do_filp_open+0x18c/0x3f0
[ 39.786782]  ? may_open_dev+0xf0/0xf0
[ 39.790563]  ? lock_downgrade+0x750/0x750
[ 39.794687]  ? lock_acquire+0x170/0x3f0
[ 39.798644]  ? do_raw_spin_unlock+0x171/0x240
[ 39.803143]  ? _raw_spin_unlock+0x29/0x40
[ 39.807270]  ? __alloc_fd+0x2ab/0x590
[ 39.811051]  do_sys_open+0x3b3/0x520
[ 39.814746]  ? filp_open+0x70/0x70
[ 39.818367]  ? fput+0x2b/0x190
[ 39.821541]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 39.826276]  ? trace_hardirqs_off_caller+0x69/0x210
[ 39.831270]  ? do_syscall_64+0x21/0x670
[ 39.835229]  do_syscall_64+0xf9/0x670
[ 39.839052]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 39.844257] RIP: 0033:0x444439
[ 39.847449] Code: 8d d7 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 5b d7 fb ff c3 66 2e 0f 1f 84 00 00 00 00
[ 39.866342] RSP: 002b:00007ffc319b9908 EFLAGS: 00000246 ORIG_RAX: 0000000000000101
[ 39.874032] RAX: ffffffffffffffda RBX: 00000000004002e0 RCX: 0000000000444439
[ 39.881284] RDX: 00000000001015c2 RSI: 0000000020000440 RDI: ffffffffffffff9c
[ 39.888545] RBP: 00000000006cf018 R08: 00007ffc00000015 R09: 0000000000000000
[ 39.895793] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000402020
[ 39.903040] R13: 00000000004020b0 R14: 0000000000000000 R15: 0000000000000000
[ 39.911542] Kernel Offset: disabled
[ 39.915163] Rebooting in 86400 seconds..