[  OK  ] Reached target Graphical Interface.
         Starting Update UTMP about System Runlevel Changes...
         Starting Load/Save RF Kill Switch Status...
[  OK  ] Started Update UTMP about System Runlevel Changes.
[  OK  ] Started Load/Save RF Kill Switch Status.

Debian GNU/Linux 9 syzkaller ttyS0

Warning: Permanently added '10.128.1.56' (ECDSA) to the list of known hosts.
executing program
syzkaller login: [  379.028595] ==================================================================
[  379.036089] BUG: KASAN: use-after-free in dbNextAG+0x14f/0x530
[  379.042070] Read of size 4 at addr ffff8880970e2658 by task syz-executor891/8101
[  379.049602]
[  379.051220] CPU: 0 PID: 8101 Comm: syz-executor891 Not tainted 4.19.211-syzkaller #0
[  379.059080] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/22/2022
[  379.068419] Call Trace:
[  379.070995]  dump_stack+0x1fc/0x2ef
[  379.074609]  print_address_description.cold+0x54/0x219
[  379.079871]  kasan_report_error.cold+0x8a/0x1b9
[  379.084525]  ? dbNextAG+0x14f/0x530
[  379.088137]  kasan_report+0x8f/0xa0
[  379.091748]  ? dbNextAG+0x14f/0x530
[  379.095355]  dbNextAG+0x14f/0x530
[  379.098796]  diAlloc+0x7ea/0x1440
[  379.102239]  ? do_raw_spin_unlock+0x171/0x230
[  379.106720]  ialloc+0x8c/0x970
[  379.109896]  jfs_mkdir.part.0+0x131/0x870
[  379.114025]  ? debug_check_no_obj_freed+0x201/0x490
[  379.119042]  ? jfs_mknod+0x60/0x60
[  379.122565]  ? lock_downgrade+0x720/0x720
[  379.126693]  ? lock_acquire+0x170/0x3c0
[  379.130658]  ? debug_check_no_obj_freed+0xb5/0x490
[  379.135570]  ? trace_hardirqs_off+0x64/0x200
[  379.139965]  ? common_perm+0x4be/0x800
[  379.143852]  ? __dquot_initialize+0x298/0xb70
[  379.148331]  ? userns_put+0xb0/0xb0
[  379.151939]  ? dquot_initialize_needed+0x290/0x290
[  379.156858]  ? generic_permission+0x116/0x4d0
[  379.161337]  ? security_inode_permission+0xc5/0xf0
[  379.166257]  jfs_mkdir+0x3f/0x60
[  379.169606]  vfs_mkdir+0x508/0x7a0
[  379.173127]  do_mkdirat+0x262/0x2d0
[  379.176736]  ? __ia32_sys_mknod+0x120/0x120
[  379.181043]  ? trace_hardirqs_off_caller+0x6e/0x210
[  379.186046]  ? do_syscall_64+0x21/0x620
[  379.190005]  do_syscall_64+0xf9/0x620
[  379.193797]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[  379.198973] RIP: 0033:0x7f4ec4fc0f59
[  379.202670] Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48
[  379.221900] RSP: 002b:00007ffd6f6e45b8 EFLAGS: 00000246 ORIG_RAX: 0000000000000102
[  379.229596] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f4ec4fc0f59
[  379.236846] RDX: 00000000000001ff RSI: 0000000020005280 RDI: ffffffffffffff9c
[  379.244109] RBP: 00007f4ec4f807c0 R08: 000055555730a2c0 R09: 0000000000000000
[  379.251358] R10: 00007ffd6f6e4480 R11: 0000000000000246 R12: 0000000000007366
[  379.259042] R13: 0000000000000000 R14: 00080000000000f4 R15: 0000000000000000
[  379.266297]
[  379.267907] Allocated by task 6166:
[  379.271522]  kmem_cache_alloc+0x122/0x370
[  379.275661]  proc_reg_open+0x18c/0x5b0
[  379.279531]  do_dentry_open+0x4aa/0x1160
[  379.283647]  path_openat+0x793/0x2df0
[  379.287425]  do_filp_open+0x18c/0x3f0
[  379.291217]  do_sys_open+0x3b3/0x520
[  379.295031]  do_syscall_64+0xf9/0x620
[  379.298824]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[  379.304172]
[  379.305786] Freed by task 6166:
[  379.309049]  kmem_cache_free+0x7f/0x260
[  379.313046]  proc_reg_release+0x21e/0x270
[  379.317189]  __fput+0x2ce/0x890
[  379.320452]  task_work_run+0x148/0x1c0
[  379.324324]  exit_to_usermode_loop+0x251/0x2a0
[  379.328888]  do_syscall_64+0x538/0x620
[  379.332761]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[  379.337934]
[  379.339551] The buggy address belongs to the object at ffff8880970e2658
[  379.339551]  which belongs to the cache pde_opener of size 40
[  379.352028] The buggy address is located 0 bytes inside of
[  379.352028]  40-byte region [ffff8880970e2658, ffff8880970e2680)
[  379.363623] The buggy address belongs to the page:
[  379.368544] page:ffffea00025c3880 count:1 mapcount:0 mapping:ffff88823b843b00 index:0xffff8880970e2fb9
[  379.377983] flags: 0xfff00000000100(slab)
[  379.382123] raw: 00fff00000000100 ffffea00028ecb08 ffffea0002672b88 ffff88823b843b00
[  379.389988] raw: ffff8880970e2fb9 ffff8880970e2000 0000000100000011 0000000000000000
[  379.397850] page dumped because: kasan: bad access detected
[  379.403537]
[  379.405144] Memory state around the buggy address:
[  379.410056]  ffff8880970e2500: fc fb fb fb fb fb fc fc fb fb fb fb fb fc fc fb
[  379.417399]  ffff8880970e2580: fb fb fb fb fc fc fb fb fb fb fb fc fc fb fb fb
[  379.424738] >ffff8880970e2600: fb fb fc fc fb fb fb fb fb fc fc fb fb fb fb fb
[  379.432086]                                                     ^
[  379.438295]  ffff8880970e2680: fc fc fb fb fb fb fb fc fc fb fb fb fb fb fc fc
[  379.445636]  ffff8880970e2700: fb fb fb fb fb fc fc fb fb fb fb fb fc fc fb fb
[  379.452972] ==================================================================
[  379.460311] Disabling lock debugging due to kernel taint
[  379.467016] Kernel panic - not syncing: panic_on_warn set ...
[  379.467016]
[  379.474392] CPU: 0 PID: 8101 Comm: syz-executor891 Tainted: G    B             4.19.211-syzkaller #0
[  379.483663] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/22/2022
[  379.493198] Call Trace:
[  379.495787]  dump_stack+0x1fc/0x2ef
[  379.499420]  panic+0x26a/0x50e
[  379.502619]  ? __warn_printk+0xf3/0xf3
[  379.506508]  ? preempt_schedule_common+0x45/0xc0
[  379.511245]  ? ___preempt_schedule+0x16/0x18
[  379.515729]  ? trace_hardirqs_on+0x55/0x210
[  379.520148]  kasan_end_report+0x43/0x49
[  379.524103]  kasan_report_error.cold+0xa7/0x1b9
[  379.528753]  ? dbNextAG+0x14f/0x530
[  379.532359]  kasan_report+0x8f/0xa0
[  379.535966]  ? dbNextAG+0x14f/0x530
[  379.539572]  dbNextAG+0x14f/0x530
[  379.543005]  diAlloc+0x7ea/0x1440
[  379.546436]  ? do_raw_spin_unlock+0x171/0x230
[  379.550910]  ialloc+0x8c/0x970
[  379.554083]  jfs_mkdir.part.0+0x131/0x870
[  379.558216]  ? debug_check_no_obj_freed+0x201/0x490
[  379.563211]  ? jfs_mknod+0x60/0x60
[  379.566731]  ? lock_downgrade+0x720/0x720
[  379.570869]  ? lock_acquire+0x170/0x3c0
[  379.574829]  ? debug_check_no_obj_freed+0xb5/0x490
[  379.579774]  ? trace_hardirqs_off+0x64/0x200
[  379.584168]  ? common_perm+0x4be/0x800
[  379.588044]  ? __dquot_initialize+0x298/0xb70
[  379.592540]  ? userns_put+0xb0/0xb0
[  379.596149]  ? dquot_initialize_needed+0x290/0x290
[  379.601059]  ? generic_permission+0x116/0x4d0
[  379.605535]  ? security_inode_permission+0xc5/0xf0
[  379.610445]  jfs_mkdir+0x3f/0x60
[  379.613796]  vfs_mkdir+0x508/0x7a0
[  379.617315]  do_mkdirat+0x262/0x2d0
[  379.620920]  ? __ia32_sys_mknod+0x120/0x120
[  379.625220]  ? trace_hardirqs_off_caller+0x6e/0x210
[  379.630216]  ? do_syscall_64+0x21/0x620
[  379.634171]  do_syscall_64+0xf9/0x620
[  379.637983]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[  379.643150] RIP: 0033:0x7f4ec4fc0f59
[  379.646861] Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48
[  379.665745] RSP: 002b:00007ffd6f6e45b8 EFLAGS: 00000246 ORIG_RAX: 0000000000000102
[  379.673432] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f4ec4fc0f59
[  379.680681] RDX: 00000000000001ff RSI: 0000000020005280 RDI: ffffffffffffff9c
[  379.687930] RBP: 00007f4ec4f807c0 R08: 000055555730a2c0 R09: 0000000000000000
[  379.695180] R10: 00007ffd6f6e4480 R11: 0000000000000246 R12: 0000000000007366
[  379.702429] R13: 0000000000000000 R14: 00080000000000f4 R15: 0000000000000000
[  379.709858] Kernel Offset: disabled
[  379.713482] Rebooting in 86400 seconds..
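The report above has the shape every KASAN use-after-free report shares: the bug line (use-after-free in dbNextAG), the access line (a 4-byte read at ffff8880970e2658 by syz-executor891, PID 8101), the faulting call trace (dbNextAG <- diAlloc <- ialloc <- jfs_mkdir.part.0, reached from mkdir(2)), the last allocation and free of the slab object at that address (both by task 6166, through proc_reg_open and proc_reg_release, in the pde_opener cache of size 40), and the shadow-memory dump, where the `>` row and the caret mark the granule that was hit. The script below is an added example, not part of syzkaller or the kernel: it reduces such a report to the fields one keys a triage database on, filters out KASAN's own reporting frames and the unreliable `?` frames, and decodes the shadow byte covering the faulting address. The sample input is an excerpt of the report on this page; the REPORTING prefix list, the SHADOW legend entries and the flag names are this example's own choices.

```python
"""Structured triage of a KASAN report.  Added example, not code from syzkaller or the
kernel; the regexes follow the 4.19-era layout seen above, the rest is our own."""
import re

# Excerpt of the report above, trimmed to the lines the parser consumes.
SAMPLE_REPORT = """\
[  379.036089] BUG: KASAN: use-after-free in dbNextAG+0x14f/0x530
[  379.042070] Read of size 4 at addr ffff8880970e2658 by task syz-executor891/8101
[  379.068419] Call Trace:
[  379.070995]  dump_stack+0x1fc/0x2ef
[  379.084525]  ? dbNextAG+0x14f/0x530
[  379.088137]  kasan_report+0x8f/0xa0
[  379.095355]  dbNextAG+0x14f/0x530
[  379.098796]  diAlloc+0x7ea/0x1440
[  379.109896]  jfs_mkdir.part.0+0x131/0x870
[  379.266297]
[  379.267907] Allocated by task 6166:
[  379.271522]  kmem_cache_alloc+0x122/0x370
[  379.275661]  proc_reg_open+0x18c/0x5b0
[  379.304172]
[  379.305786] Freed by task 6166:
[  379.309049]  kmem_cache_free+0x7f/0x260
[  379.313046]  proc_reg_release+0x21e/0x270
[  379.337934]
[  379.339551]  which belongs to the cache pde_opener of size 40
[  379.424738] >ffff8880970e2600: fb fb fc fc fb fb fb fb fb fc fc fb fb fb fb fb
[  379.467016] Kernel panic - not syncing: panic_on_warn set ...
"""

TS = re.compile(r"^\[\s*\d+\.\d+\]\s?")            # dmesg timestamp prefix
BUG = re.compile(r"BUG: KASAN: (?P<kind>[\w-]+) in (?P<func>\S+)")
ACCESS = re.compile(r"(?P<rw>Read|Write) of size (?P<size>\d+) at addr "
                    r"(?P<addr>[0-9a-f]+) by task (?P<comm>\S+)/(?P<pid>\d+)")
FRAME = re.compile(r"^\s*(?P<q>\? )?(?P<sym>[\w.]+)\+0x[0-9a-f]+/0x[0-9a-f]+$")
STACK = re.compile(r"(?P<what>Allocated|Freed) by task (?P<pid>\d+):")
CACHE = re.compile(r"belongs to the cache (?P<cache>\S+) of size (?P<size>\d+)")
SHADOW_ROW = re.compile(r"^\s*>?\s*(?P<base>[0-9a-f]{16}):((?: [0-9a-f]{2}){16})$")

# Frames that belong to KASAN's reporting path rather than to the bug.
REPORTING = ("dump_stack", "print_address_description", "kasan_report",
             "kasan_end_report", "check_memory_region", "__asan_", "__kasan_")
# Shadow-byte values from mm/kasan/kasan.h (4.19); 00 = fully addressable.
SHADOW = {0x00: "addressable", 0xfa: "global-redzone", 0xfb: "kmalloc-freed",
          0xfc: "kmalloc-redzone", 0xfe: "page-redzone", 0xff: "freed-page"}

def parse_kasan(text):
    """Reduce a report to the fields triage needs."""
    r = {"kind": "", "func": "", "rw": "", "size": 0, "addr": 0, "comm": "", "pid": 0,
         "trace": [], "alloc_pid": None, "alloc": [], "free_pid": None, "free": [],
         "cache": "", "obj_size": 0, "shadow": {}, "panicked": False}
    section = None                     # list currently receiving stack frames
    for raw in text.splitlines():
        line = TS.sub("", raw).rstrip()
        if not line:                   # a blank line closes a stack section
            section = None
        elif line.startswith("Kernel panic"):
            r["panicked"] = True       # the panic dump repeats the trace; stop
            break
        elif m := BUG.search(line):
            r["kind"], r["func"] = m["kind"], m["func"]
        elif m := ACCESS.search(line):
            r.update(rw=m["rw"], size=int(m["size"]), addr=int(m["addr"], 16),
                     comm=m["comm"], pid=int(m["pid"]))
        elif line == "Call Trace:":
            section = r["trace"]
        elif m := STACK.search(line):
            key = "alloc" if m["what"] == "Allocated" else "free"
            r[key + "_pid"], section = int(m["pid"]), r[key]
        elif m := FRAME.match(line):
            if section is not None and not m["q"]:  # '?' frames are stale guesses
                section.append(m["sym"])
        elif m := CACHE.search(line):
            r["cache"], r["obj_size"] = m["cache"], int(m["size"])
        elif m := SHADOW_ROW.match(line):
            r["shadow"][int(m["base"], 16)] = [int(b, 16) for b in m[2].split()]
    return r

def bug_frames(r):
    """Reliable frames with KASAN's own reporting frames stripped; [0] is the crash site."""
    return [s for s in r["trace"] if not s.startswith(REPORTING)]

def shadow_byte(r):
    """Shadow byte covering the faulting address (one byte per 8-byte granule)."""
    for base, vals in r["shadow"].items():
        if base <= r["addr"] < base + 8 * len(vals):
            return vals[(r["addr"] - base) >> 3]
    return None

def triage_flags(r):
    """Labels a dedup script or bug tracker would key on."""
    flags = [f"{r['kind']}:{r['rw'].lower()}:{r['size']}"]
    if r["free_pid"] is not None and r["free_pid"] != r["pid"]:
        flags.append("freed-by-another-task")   # lifetime crosses a task boundary
    if (sb := shadow_byte(r)) is not None:
        flags.append("shadow:" + SHADOW.get(sb, f"{sb:#04x}"))
    if r["panicked"]:
        flags.append("panic_on_warn")
    return flags
```

Two things the parsed fields make explicit. First, the shadow byte under the caret is 0xfb (kmalloc-freed), so the 40-byte slot at ffff8880970e2658 was free at the time of the read, which is what makes this a use-after-free rather than an out-of-bounds. Second, the "Allocated by" and "Freed by" stacks describe the last owner of that slab slot, a procfs pde_opener object opened and released by task 6166, not the JFS code in task 8101 that read through the stale pointer; the report therefore tells you where the memory went, but which JFS structure dbNextAG believed it was dereferencing has to be recovered from the faulting trace (dbNextAG <- diAlloc <- ialloc <- jfs_mkdir) and the offset 0x14f inside dbNextAG, not from the allocation stacks.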