[ OK ] Reached target Login Prompts.
[ OK ] Reached target Multi-User System.
[ OK ] Reached target Graphical Interface.
Starting Update UTMP about System Runlevel Changes...
[ OK ] Started Update UTMP about System Runlevel Changes.

Debian GNU/Linux 9 syzkaller ttyS0

Warning: Permanently added '10.128.0.84' (ECDSA) to the list of known hosts.
executing program
syzkaller login: [ 51.755210][ T6527] loop0: detected capacity change from 0 to 16
[ 51.768761][ T6527] erofs: (device loop0): mounted with root inode @ nid 36.
[ 51.789910][ T150] ==================================================================
[ 51.798128][ T150] BUG: KASAN: use-after-free in LZ4_decompress_safe_partial+0xff8/0x1580
[ 51.806580][ T150] Read of size 2 at addr ffff88806dd1f000 by task kworker/u5:0/150
[ 51.814565][ T150]
[ 51.816893][ T150] CPU: 1 PID: 150 Comm: kworker/u5:0 Not tainted 5.15.0-rc6-syzkaller #0
[ 51.825308][ T150] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 51.835358][ T150] Workqueue: erofs_unzipd z_erofs_decompressqueue_work
[ 51.842211][ T150] Call Trace:
[ 51.845487][ T150] dump_stack_lvl+0x1dc/0x2d8
[ 51.850161][ T150] ? show_regs_print_info+0x12/0x12
[ 51.855347][ T150] ? _printk+0xcf/0x118
[ 51.859492][ T150] ? wake_up_klogd+0xb2/0xf0
[ 51.864070][ T150] ? log_buf_vmcoreinfo_setup+0x498/0x498
[ 51.869786][ T150] ? _raw_spin_lock_irqsave+0xdd/0x120
[ 51.875247][ T150] ? rcu_read_lock_sched_held+0x89/0x130
[ 51.880888][ T150] ? __bpf_trace_rcu_stall_warning+0x10/0x10
[ 51.886872][ T150] print_address_description+0x66/0x3e0
[ 51.892414][ T150] ? LZ4_decompress_safe_partial+0xff8/0x1580
[ 51.898467][ T150] kasan_report+0x19a/0x1f0
[ 51.902972][ T150] ? LZ4_decompress_safe_partial+0xff8/0x1580
[ 51.909034][ T150] LZ4_decompress_safe_partial+0xff8/0x1580
[ 51.914936][ T150] z_erofs_lz4_decompress+0x4c3/0x1100
[ 51.920412][ T150] ? z_erofs_lz4_prepare_destpages+0x730/0x730
[ 51.926636][ T150] z_erofs_decompress+0xa8e/0xe30
[ 51.931667][ T150] z_erofs_decompress_pcluster+0x15e4/0x2550
[ 51.937652][ T150] ? z_erofs_decompressqueue_work+0x1a0/0x1a0
[ 51.943802][ T150] z_erofs_decompressqueue_work+0x123/0x1a0
[ 51.949700][ T150] ? __bpf_trace_rcu_stall_warning+0x10/0x10
[ 51.955668][ T150] ? z_erofs_decompress_kickoff+0x3c0/0x3c0
[ 51.961554][ T150] ? _raw_spin_unlock_irq+0x1f/0x40
[ 51.966748][ T150] process_one_work+0x853/0x1140
[ 51.971690][ T150] ? worker_detach_from_pool+0x260/0x260
[ 51.977323][ T150] worker_thread+0xac1/0x1320
[ 51.982011][ T150] kthread+0x453/0x480
[ 51.986080][ T150] ? rcu_lock_release+0x20/0x20
[ 51.990915][ T150] ? kthread_blkcg+0xd0/0xd0
[ 51.995491][ T150] ret_from_fork+0x1f/0x30
[ 51.999937][ T150]
[ 52.002246][ T150] The buggy address belongs to the page:
[ 52.007870][ T150] page:ffffea0001b747c0 refcount:0 mapcount:0 mapping:0000000000000000 index:0x1 pfn:0x6dd1f
[ 52.018002][ T150] flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff)
[ 52.025101][ T150] raw: 00fff00000000000 ffffea0001b74408 ffffea0001b74ac8 0000000000000000
[ 52.033673][ T150] raw: 0000000000000001 0000000000000000 00000000ffffffff 0000000000000000
[ 52.042235][ T150] page dumped because: kasan: bad access detected
[ 52.048628][ T150] page_owner tracks the page as freed
[ 52.054008][ T150] page last allocated via order 0, migratetype Movable, gfp_mask 0x1100dca(GFP_HIGHUSER_MOVABLE|__GFP_ZERO), pid 6527, ts 51734930672, free_ts 51749499849
[ 52.069528][ T150] get_page_from_freelist+0x779/0xa30
[ 52.074890][ T150] __alloc_pages+0x255/0x580
[ 52.079465][ T150] alloc_pages_vma+0x668/0x1030
[ 52.084301][ T150] do_anonymous_page+0x31b/0x14b0
[ 52.089311][ T150] handle_mm_fault+0x1860/0x2560
[ 52.094233][ T150] do_user_addr_fault+0x8ce/0x10c0
[ 52.099330][ T150] exc_page_fault+0xa1/0x1e0
[ 52.103904][ T150] asm_exc_page_fault+0x1e/0x30
[ 52.108742][ T150] page last free stack trace:
[ 52.113399][ T150] free_pcp_prepare+0xc29/0xd20
[ 52.118235][ T150] free_unref_page_list+0x11f/0xa50
[ 52.123428][ T150] release_pages+0x18cb/0x1b00
[ 52.128178][ T150] tlb_flush_mmu+0x780/0x910
[ 52.132751][ T150] tlb_finish_mmu+0xcb/0x200
[ 52.137320][ T150] exit_mmap+0x3dd/0x6f0
[ 52.141544][ T150] __mmput+0x111/0x3a0
[ 52.145617][ T150] exec_mmap+0x53e/0x640
[ 52.149852][ T150] begin_new_exec+0x6c9/0x1180
[ 52.154600][ T150] load_elf_binary+0x836/0x3bc0
[ 52.159437][ T150] bprm_execve+0x8eb/0x1470
[ 52.163930][ T150] do_execveat_common+0x44c/0x590
[ 52.168940][ T150] __x64_sys_execve+0x8e/0xa0
[ 52.173602][ T150] do_syscall_64+0x44/0xd0
[ 52.178010][ T150] entry_SYSCALL_64_after_hwframe+0x44/0xae
[ 52.183890][ T150]
[ 52.186198][ T150] Memory state around the buggy address:
[ 52.191813][ T150] ffff88806dd1ef00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 52.199858][ T150] ffff88806dd1ef80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 52.207901][ T150] >ffff88806dd1f000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 52.215994][ T150] ^
[ 52.220044][ T150] ffff88806dd1f080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 52.228090][ T150] ffff88806dd1f100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 52.236131][ T150] ==================================================================
[ 52.244169][ T150] Disabling lock debugging due to kernel taint
[ 52.250436][ T150] Kernel panic - not syncing: panic_on_warn set ...
[ 52.257027][ T150] CPU: 1 PID: 150 Comm: kworker/u5:0 Tainted: G B 5.15.0-rc6-syzkaller #0
[ 52.266816][ T150] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 52.276859][ T150] Workqueue: erofs_unzipd z_erofs_decompressqueue_work
[ 52.283701][ T150] Call Trace:
[ 52.287053][ T150] dump_stack_lvl+0x1dc/0x2d8
[ 52.291716][ T150] ? show_regs_print_info+0x12/0x12
[ 52.296898][ T150] ? log_buf_vmcoreinfo_setup+0x498/0x498
[ 52.302603][ T150] ? asm_sysvec_apic_timer_interrupt+0x12/0x20
[ 52.308742][ T150] panic+0x2d6/0x810
[ 52.312620][ T150] ? trace_hardirqs_on+0x30/0x80
[ 52.317540][ T150] ? nmi_panic+0x90/0x90
[ 52.321763][ T150] ? _raw_spin_unlock_irqrestore+0xd4/0x130
[ 52.327652][ T150] ? _raw_spin_unlock_irqrestore+0xd9/0x130
[ 52.333529][ T150] ? print_memory_metadata+0xe0/0x140
[ 52.338882][ T150] ? LZ4_decompress_safe_partial+0xff8/0x1580
[ 52.344932][ T150] end_report+0x83/0x90
[ 52.349069][ T150] kasan_report+0x1bf/0x1f0
[ 52.353555][ T150] ? LZ4_decompress_safe_partial+0xff8/0x1580
[ 52.359602][ T150] LZ4_decompress_safe_partial+0xff8/0x1580
[ 52.365519][ T150] z_erofs_lz4_decompress+0x4c3/0x1100
[ 52.370961][ T150] ? z_erofs_lz4_prepare_destpages+0x730/0x730
[ 52.377093][ T150] z_erofs_decompress+0xa8e/0xe30
[ 52.382102][ T150] z_erofs_decompress_pcluster+0x15e4/0x2550
[ 52.388068][ T150] ? z_erofs_decompressqueue_work+0x1a0/0x1a0
[ 52.394148][ T150] z_erofs_decompressqueue_work+0x123/0x1a0
[ 52.400034][ T150] ? __bpf_trace_rcu_stall_warning+0x10/0x10
[ 52.405998][ T150] ? z_erofs_decompress_kickoff+0x3c0/0x3c0
[ 52.411871][ T150] ? _raw_spin_unlock_irq+0x1f/0x40
[ 52.417055][ T150] process_one_work+0x853/0x1140
[ 52.421981][ T150] ? worker_detach_from_pool+0x260/0x260
[ 52.427599][ T150] worker_thread+0xac1/0x1320
[ 52.432266][ T150] kthread+0x453/0x480
[ 52.436314][ T150] ? rcu_lock_release+0x20/0x20
[ 52.441156][ T150] ? kthread_blkcg+0xd0/0xd0
[ 52.445725][ T150] ret_from_fork+0x1f/0x30
[ 52.450195][ T150] Kernel Offset: disabled
[ 52.454504][ T150] Rebooting in 86400 seconds..