Warning: Permanently added '10.128.0.243' (ECDSA) to the list of known hosts.
executing program
[* ] A start job is running for dev-ttyS0.device (8s / 1min 30s)
[** ] A start job is running for dev-ttyS0.device (9s / 1min 30s)
[*** ] A start job is running for dev-ttyS0.device (10s / 1min 30s)
[ *** ] A start job is running for dev-ttyS0.device (10s / 1min 30s)
[ *** ] A start job is running for dev-ttyS0.device (10s / 1min 30s)
[ ***] A start job is running for dev-ttyS0.device (11s / 1min 30s)
[ **] A start job is running for dev-ttyS0.device (11s / 1min 30s)
[ *] A start job is running for dev-ttyS0.device (12s / 1min 30s)
[ **] A start job is running for dev-ttyS0.device (12s / 1min 30s)
[ 20.101532][ T22] audit: type=1400 audit(1620255783.218:8): avc: denied { execmem } for pid=335 comm="syz-executor777" scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=process permissive=1
[ 20.125169][ T336] EXT4-fs (loop0): mounted filesystem without journal. Opts: ,errors=continue
[ 20.145007][ T343] ==================================================================
[ 20.153935][ T343] BUG: KASAN: use-after-free in ext4_write_inline_data_end+0x500/0x8c0
[ 20.162489][ T343] Write of size 70 at addr ffff8881e89d8016 by task syz-executor777/343
[ 20.170870][ T343]
[ 20.173176][ T343] CPU: 1 PID: 343 Comm: syz-executor777 Not tainted 5.4.116-syzkaller-00001-g6aabee0aa2de #0
[ 20.187609][ T343] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 20.197795][ T343] Call Trace:
[ 20.201270][ T343] dump_stack+0x1d8/0x24e
[ 20.205722][ T343] ? __getblk_gfp+0x3a/0x750
[ 20.211376][ T343] ? show_regs_print_info+0x12/0x12
[ 20.216820][ T343] ? printk+0xcf/0x114
[ 20.221827][ T343] print_address_description+0x9b/0x650
[ 20.228072][ T343] ? devkmsg_release+0x11c/0x11c
[ 20.234054][ T343] __kasan_report+0x182/0x260
[ 20.239664][ T343] ? ext4_write_inline_data_end+0x500/0x8c0
[ 20.246184][ T343] kasan_report+0x30/0x60
[ 20.251135][ T343] check_memory_region+0x2a5/0x2e0
[ 20.256247][ T343] ? ext4_write_inline_data_end+0x500/0x8c0
[ 20.262215][ T343] memcpy+0x38/0x50
[ 20.266767][ T343] ext4_write_inline_data_end+0x500/0x8c0
[ 20.273572][ T343] ? ext4_prepare_inline_data+0x1f0/0x1f0
[ 20.279283][ T343] ? ext4_evict_inode+0x1b10/0x1b10
[ 20.284459][ T343] ? futex_wake+0x6b5/0x820
[ 20.288939][ T343] ext4_write_end+0x1d5/0xe50
[ 20.294544][ T343] ? ext4_da_write_end+0x9e/0xb90
[ 20.299571][ T343] ? ext4_da_write_begin+0x1010/0x1010
[ 20.306663][ T343] generic_perform_write+0x403/0x5a0
[ 20.314334][ T343] ? __mark_inode_dirty+0x14e/0xcf0
[ 20.319682][ T343] ? grab_cache_page_write_begin+0x90/0x90
[ 20.325559][ T343] ? file_remove_privs+0x630/0x630
[ 20.330649][ T343] ? down_write_trylock+0xd8/0x150
[ 20.336339][ T343] __generic_file_write_iter+0x239/0x480
[ 20.342382][ T343] ext4_file_write_iter+0x49e/0x10e0
[ 20.347653][ T343] ? slab_free_freelist_hook+0x7b/0x150
[ 20.353192][ T343] ? ext4_file_read_iter+0x140/0x140
[ 20.358472][ T343] ? setxattr+0x28f/0x3f0
[ 20.362770][ T343] ? iov_iter_init+0x83/0x160
[ 20.367444][ T343] __vfs_write+0x5ec/0x780
[ 20.371835][ T343] ? __kernel_write+0x340/0x340
[ 20.377086][ T343] ? check_preemption_disabled+0x9e/0x330
[ 20.382801][ T343] ? debug_smp_processor_id+0x20/0x20
[ 20.388249][ T343] vfs_write+0x212/0x4e0
[ 20.392655][ T343] ksys_write+0x186/0x2b0
[ 20.396959][ T343] ? __ia32_sys_read+0x80/0x80
[ 20.401710][ T343] do_syscall_64+0xcb/0x1e0
[ 20.406292][ T343] entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 20.412425][ T343] RIP: 0033:0x449c09
[ 20.416314][ T343] Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
[ 20.436543][ T343] RSP: 002b:00007f6388c4f2f8 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
[ 20.445553][ T343] RAX: ffffffffffffffda RBX: 00000000004cb420 RCX: 0000000000449c09
[ 20.453640][ T343] RDX: 0000000000000082 RSI: 00000000200000c0 RDI: 0000000000000008
[ 20.461668][ T343] RBP: 000000000049b064 R08: 0000000000000000 R09: 0000000000000000
[ 20.469612][ T343] R10: 0000000000000000 R11: 0000000000000246 R12: 0030656c69662f2e
[ 20.477571][ T343] R13: 0000000300000002 R14: efd76d87389d3913 R15: 00000000004cb428
[ 20.485515][ T343]
[ 20.487811][ T343] Allocated by task 1:
[ 20.492259][ T343] __kasan_kmalloc+0x137/0x1e0
[ 20.497176][ T343] kmem_cache_alloc+0x115/0x290
[ 20.501999][ T343] getname_flags+0xba/0x640
[ 20.506493][ T343] user_path_at_empty+0x28/0x50
[ 20.511315][ T343] __se_sys_newlstat+0xde/0x860
[ 20.516480][ T343] do_syscall_64+0xcb/0x1e0
[ 20.521047][ T343] entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 20.527375][ T343]
[ 20.529705][ T343] Freed by task 1:
[ 20.533806][ T343] __kasan_slab_free+0x18a/0x240
[ 20.539693][ T343] slab_free_freelist_hook+0x7b/0x150
[ 20.545134][ T343] kmem_cache_free+0xb8/0x5f0
[ 20.551204][ T343] filename_lookup+0x4bb/0x6a0
[ 20.556043][ T343] __se_sys_newlstat+0xde/0x860
[ 20.561317][ T343] do_syscall_64+0xcb/0x1e0
[ 20.566599][ T343] entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 20.572455][ T343]
[ 20.574927][ T343] The buggy address belongs to the object at ffff8881e89d8000
[ 20.574927][ T343] which belongs to the cache names_cache of size 4096
[ 20.589736][ T343] The buggy address is located 22 bytes inside of
[ 20.589736][ T343] 4096-byte region [ffff8881e89d8000, ffff8881e89d9000)
[ 20.603297][ T343] The buggy address belongs to the page:
[ 20.608904][ T343] page:ffffea0007a27600 refcount:1 mapcount:0 mapping:ffff8881f5cfb400 index:0x0 compound_mapcount: 0
[ 20.621765][ T343] flags: 0x8000000000010200(slab|head)
[ 20.627832][ T343] raw: 8000000000010200 dead000000000100 dead000000000122 ffff8881f5cfb400
[ 20.637129][ T343] raw: 0000000000000000 0000000000070007 00000001ffffffff 0000000000000000
[ 20.646681][ T343] page dumped because: kasan: bad access detected
[ 20.653868][ T343] page_owner tracks the page as allocated
[ 20.659594][ T343] page last allocated via order 3, migratetype Unmovable, gfp_mask 0xd20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC)
[ 20.674999][ T343] prep_new_page+0x19a/0x380
[ 20.679563][ T343] get_page_from_freelist+0x550/0x8b0
[ 20.685011][ T343] __alloc_pages_nodemask+0x3a2/0x880
[ 20.690652][ T343] alloc_slab_page+0x39/0x3e0
[ 20.695351][ T343] new_slab+0x97/0x460
[ 20.699502][ T343] ___slab_alloc+0x330/0x4c0
[ 20.704070][ T343] kmem_cache_alloc+0x18b/0x290
[ 20.708920][ T343] getname_flags+0xba/0x640
[ 20.713481][ T343] do_sys_open+0x33e/0x7c0
[ 20.717876][ T343] do_syscall_64+0xcb/0x1e0
[ 20.722360][ T343] entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 20.728228][ T343] page_owner free stack trace missing
[ 20.733598][ T343]
[ 20.735912][ T343] Memory state around the buggy address:
[ 20.742040][ T343] ffff8881e89d7f00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 20.752885][ T343] ffff8881e89d7f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 20.761678][ T343] >ffff8881e89d8000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 20.769883][ T343] ^
[ 20.774441][ T343] ffff8881e89d8080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 20.782627][ T343] ffff8881e89d8100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 20.790668][ T343] ==================================================================
[ 20.799007][ T343] Disabling lock debugging due to kernel taint