[ 40.015683] IPv6: ADDRCONF(NETDEV_CHANGE): macvlan0: link becomes ready
[ 40.023627] IPv6: ADDRCONF(NETDEV_CHANGE): macvlan1: link becomes ready
[ 40.031526] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_macvtap: link becomes ready
[ 40.041326] device veth0_macvtap entered promiscuous mode
[ 40.050133] device veth1_macvtap entered promiscuous mode
[ 40.059281] IPv6: ADDRCONF(NETDEV_UP): veth0_to_batadv: link is not ready
[ 40.069056] IPv6: ADDRCONF(NETDEV_UP): veth1_to_batadv: link is not ready
[ 40.080466] IPv6: ADDRCONF(NETDEV_UP): batadv_slave_0: link is not ready
[ 40.087795] batman_adv: batadv0: Interface activated: batadv_slave_0
[ 40.094431] IPv6: ADDRCONF(NETDEV_CHANGE): batadv_slave_0: link becomes ready
[ 40.102719] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_batadv: link becomes ready
[ 40.113297] IPv6: ADDRCONF(NETDEV_UP): batadv_slave_1: link is not ready
[ 40.120268] batman_adv: batadv0: Interface activated: batadv_slave_1
[ 40.126893] IPv6: ADDRCONF(NETDEV_CHANGE): batadv_slave_1: link becomes ready
[ 40.134608] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_batadv: link becomes ready
executing program
[ 40.239831] audit: type=1800 audit(1594583227.723:9): pid=6661 uid=0 auid=0 ses=5 subj=system_u:system_r:kernel_t:s0 op=collect_data cause=failed(directio) comm="syz-executor291" name="file0" dev="sda1" ino=15707 res=0
[ 40.271028] MINIX-fs: mounting unchecked file system, running fsck is recommended
[ 40.282335] Process accounting resumed
[ 40.288353] ==================================================================
[ 40.295838] BUG: KASAN: slab-out-of-bounds in get_block+0x1085/0x1340
[ 40.302445] Read of size 2 at addr ffff88809546a18a by task syz-executor291/6661
[ 40.309964]
[ 40.311583] CPU: 0 PID: 6661 Comm: syz-executor291 Not tainted 4.19.132-syzkaller #0
[ 40.319473] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 40.329355] Call Trace:
[ 40.331940]  dump_stack+0x1fc/0x2fe
[ 40.335578]  print_address_description.cold+0x54/0x219
[ 40.340836]  kasan_report_error.cold+0x8a/0x1c7
[ 40.345776]  ? get_block+0x1085/0x1340
[ 40.349662]  __asan_report_load2_noabort+0x88/0x90
[ 40.355529]  ? get_block+0x1085/0x1340
[ 40.359400]  get_block+0x1085/0x1340
[ 40.363109]  ? check_preemption_disabled+0x41/0x280
[ 40.368123]  ? free_branches+0x280/0x280
[ 40.372167]  ? create_page_buffers+0x212/0x350
[ 40.376751]  ? d_path+0x5f3/0x910
[ 40.380187]  ? lock_downgrade+0x720/0x720
[ 40.384335]  ? do_raw_spin_lock+0xcb/0x220
[ 40.388578]  ? create_empty_buffers+0x4e7/0x760
[ 40.393229]  ? do_raw_spin_unlock+0x171/0x230
[ 40.397708]  minix_get_block+0xe5/0x110
[ 40.401700]  __block_write_begin_int+0x46c/0x17b0
[ 40.406562]  ? minix_mknod+0x1a0/0x1a0
[ 40.410442]  ? __breadahead_gfp+0x130/0x130
[ 40.414760]  ? wait_for_stable_page+0x122/0x360
[ 40.419453]  ? minix_mknod+0x1a0/0x1a0
[ 40.423321]  block_write_begin+0x58/0x2e0
[ 40.427461]  minix_write_begin+0x35/0x220
[ 40.431613]  generic_perform_write+0x1f8/0x4d0
[ 40.436195]  ? __mnt_drop_write_file+0x6f/0xa0
[ 40.440760]  ? filemap_page_mkwrite+0x2f0/0x2f0
[ 40.445411]  ? current_time+0x1c0/0x1c0
[ 40.449388]  ? lock_acquire+0x170/0x3c0
[ 40.453389]  __generic_file_write_iter+0x24b/0x610
[ 40.458305]  generic_file_write_iter+0x3f8/0x729
[ 40.463046]  __vfs_write+0x51b/0x770
[ 40.466742]  ? kernel_read+0x110/0x110
[ 40.470611]  ? check_free_space+0x1b2/0x380
[ 40.474923]  ? lock_acquire+0x170/0x3c0
[ 40.478878]  ? do_acct_process+0xea3/0x10c0
[ 40.483187]  __kernel_write+0x109/0x370
[ 40.487145]  do_acct_process+0xcbe/0x10c0
[ 40.491276]  ? __se_sys_acct+0x930/0x930
[ 40.495317]  ? acct_process+0x27e/0x5e2
[ 40.499274]  ? acct_process+0xfd/0x5e2
[ 40.503143]  ? check_preemption_disabled+0x41/0x280
[ 40.508167]  acct_process+0x49f/0x5e2
[ 40.511949]  ? acct_collect+0x810/0x810
[ 40.515931]  ? fput+0x2b/0x190
[ 40.519110]  do_exit+0x15fb/0x2b70
[ 40.522636]  ? lock_downgrade+0x720/0x720
[ 40.526774]  ? mm_update_next_owner+0x650/0x650
[ 40.531467]  ? up_read+0x17/0x110
[ 40.534911]  ? __do_page_fault+0x1ca/0xde0
[ 40.539132]  do_group_exit+0x125/0x310
[ 40.543029]  __x64_sys_exit_group+0x3a/0x50
[ 40.547340]  do_syscall_64+0xf9/0x620
[ 40.551145]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 40.556342] RIP: 0033:0x447dc8
[ 40.559524] Code: Bad RIP value.
[ 40.562867] RSP: 002b:00007ffd73729388 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
[ 40.570558] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 0000000000447dc8
[ 40.577826] RDX: 0000000000000000 RSI: 000000000000003c RDI: 0000000000000000
[ 40.585075] RBP: 00000000004caf10 R08: 00000000000000e7 R09: ffffffffffffffd4
[ 40.592342] R10: 00007ffd737292a0 R11: 0000000000000246 R12: 0000000000000001
[ 40.599602] R13: 00000000006e47e0 R14: 0000000000000000 R15: 0000000000000000
[ 40.606886]
[ 40.608541] Allocated by task 1:
[ 40.611907]  kmem_cache_alloc+0x122/0x370
[ 40.616040]  getname_flags+0xce/0x590
[ 40.619824]  do_sys_open+0x26c/0x520
[ 40.623533]  do_syscall_64+0xf9/0x620
[ 40.627323]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 40.632487]
[ 40.634091] Freed by task 1:
[ 40.637097]  kmem_cache_free+0x7f/0x260
[ 40.641063]  putname+0xe1/0x120
[ 40.644341]  do_sys_open+0x2ba/0x520
[ 40.648035]  do_syscall_64+0xf9/0x620
[ 40.653047]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 40.658214]
[ 40.659834] The buggy address belongs to the object at ffff88809546ae80
[ 40.659834]  which belongs to the cache names_cache of size 4096
[ 40.672565] The buggy address is located 3318 bytes to the left of
[ 40.672565]  4096-byte region [ffff88809546ae80, ffff88809546be80)
[ 40.685035] The buggy address belongs to the page:
[ 40.689946] page:ffffea0002551a80 count:1 mapcount:0 mapping:ffff8880aa00ab40 index:0x0 compound_mapcount: 0
[ 40.699978] flags: 0xfffe0000008100(slab|head)
[ 40.704550] raw: 00fffe0000008100 ffffea0002526588 ffffea0002510608 ffff8880aa00ab40
[ 40.712411] raw: 0000000000000000 ffff88809546ae80 0000000100000001 0000000000000000
[ 40.720273] page dumped because: kasan: bad access detected
[ 40.725963]
[ 40.727576] Memory state around the buggy address:
[ 40.732493]  ffff88809546a080: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 40.739842]  ffff88809546a100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 40.747180] >ffff88809546a180: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 40.754517]                       ^
[ 40.758122]  ffff88809546a200: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 40.765469]  ffff88809546a280: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 40.772813] ==================================================================
[ 40.780152] Disabling lock debugging due to kernel taint
[ 40.788773] Kernel panic - not syncing: panic_on_warn set ...
[ 40.788773]
[ 40.796154] CPU: 0 PID: 6661 Comm: syz-executor291 Tainted: G    B     4.19.132-syzkaller #0
[ 40.806985] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 40.816358] Call Trace:
[ 40.818950]  dump_stack+0x1fc/0x2fe
[ 40.822580]  panic+0x26a/0x50e
[ 40.825774]  ? __warn_printk+0xf3/0xf3
[ 40.829667]  ? trace_hardirqs_on+0x55/0x210
[ 40.833994]  kasan_end_report+0x43/0x49
[ 40.837969]  kasan_report_error.cold+0xa7/0x1c7
[ 40.842643]  ? get_block+0x1085/0x1340
[ 40.846535]  __asan_report_load2_noabort+0x88/0x90
[ 40.851458]  ? get_block+0x1085/0x1340
[ 40.855335]  get_block+0x1085/0x1340
[ 40.859038]  ? check_preemption_disabled+0x41/0x280
[ 40.864036]  ? free_branches+0x280/0x280
[ 40.868081]  ? create_page_buffers+0x212/0x350
[ 40.872649]  ? d_path+0x5f3/0x910
[ 40.876095]  ? lock_downgrade+0x720/0x720
[ 40.880231]  ? do_raw_spin_lock+0xcb/0x220
[ 40.884460]  ? create_empty_buffers+0x4e7/0x760
[ 40.889122]  ? do_raw_spin_unlock+0x171/0x230
[ 40.893612]  minix_get_block+0xe5/0x110
[ 40.897580]  __block_write_begin_int+0x46c/0x17b0
[ 40.902404]  ? minix_mknod+0x1a0/0x1a0
[ 40.906329]  ? __breadahead_gfp+0x130/0x130
[ 40.910659]  ? wait_for_stable_page+0x122/0x360
[ 40.915319]  ? minix_mknod+0x1a0/0x1a0
[ 40.919198]  block_write_begin+0x58/0x2e0
[ 40.923330]  minix_write_begin+0x35/0x220
[ 40.927459]  generic_perform_write+0x1f8/0x4d0
[ 40.932042]  ? __mnt_drop_write_file+0x6f/0xa0
[ 40.936619]  ? filemap_page_mkwrite+0x2f0/0x2f0
[ 40.941274]  ? current_time+0x1c0/0x1c0
[ 40.945237]  ? lock_acquire+0x170/0x3c0
[ 40.949207]  __generic_file_write_iter+0x24b/0x610
[ 40.954117]  generic_file_write_iter+0x3f8/0x729
[ 40.958870]  __vfs_write+0x51b/0x770
[ 40.962580]  ? kernel_read+0x110/0x110
[ 40.966456]  ? check_free_space+0x1b2/0x380
[ 40.970775]  ? lock_acquire+0x170/0x3c0
[ 40.975693]  ? do_acct_process+0xea3/0x10c0
[ 40.980023]  __kernel_write+0x109/0x370
[ 40.983993]  do_acct_process+0xcbe/0x10c0
[ 40.988123]  ? __se_sys_acct+0x930/0x930
[ 40.992186]  ? acct_process+0x27e/0x5e2
[ 40.996190]  ? acct_process+0xfd/0x5e2
[ 41.000059]  ? check_preemption_disabled+0x41/0x280
[ 41.005331]  acct_process+0x49f/0x5e2
[ 41.009124]  ? acct_collect+0x810/0x810
[ 41.013087]  ? fput+0x2b/0x190
[ 41.016271]  do_exit+0x15fb/0x2b70
[ 41.019793]  ? lock_downgrade+0x720/0x720
[ 41.023934]  ? mm_update_next_owner+0x650/0x650
[ 41.028582]  ? up_read+0x17/0x110
[ 41.032019]  ? __do_page_fault+0x1ca/0xde0
[ 41.036250]  do_group_exit+0x125/0x310
[ 41.040118]  __x64_sys_exit_group+0x3a/0x50
[ 41.044433]  do_syscall_64+0xf9/0x620
[ 41.048229]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 41.053410] RIP: 0033:0x447dc8
[ 41.056593] Code: Bad RIP value.
[ 41.059947] RSP: 002b:00007ffd73729388 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
[ 41.067646] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 0000000000447dc8
[ 41.074902] RDX: 0000000000000000 RSI: 000000000000003c RDI: 0000000000000000
[ 41.082671] RBP: 00000000004caf10 R08: 00000000000000e7 R09: ffffffffffffffd4
[ 41.089931] R10: 00007ffd737292a0 R11: 0000000000000246 R12: 0000000000000001
[ 41.097180] R13: 00000000006e47e0 R14: 0000000000000000 R15: 0000000000000000
[ 41.105497] Kernel Offset: disabled
[ 41.109108] Rebooting in 86400 seconds..