[ OK ] Reached target Graphical Interface.
Starting Update UTMP about System Runlevel Changes...
Starting Load/Save RF Kill Switch Status...
[ OK ] Started Load/Save RF Kill Switch Status.
[ OK ] Started Update UTMP about System Runlevel Changes.
Debian GNU/Linux 9 syzkaller ttyS0
Warning: Permanently added '10.128.10.22' (ECDSA) to the list of known hosts.
executing program
syzkaller login: [ 39.853102] XFS (loop0): Mounting V4 Filesystem
[ 39.858779] XFS (loop0): totally zeroed log
[ 39.865357] XFS (loop0): Ending clean mount
[ 39.870705] XFS (loop0): Quotacheck needed: Please wait.
[ 39.880063] attempt to access beyond end of device
[ 39.885123] loop0: rw=399361, want=65599, limit=65536
[ 39.890732] XFS (loop0): metadata I/O error: block 0xffff ("xlog_iodone") error 5 numblks 64
[ 39.899640] XFS (loop0): xfs_do_force_shutdown(0x2) called from line 1244 of file fs/xfs/xfs_log.c. Return address = 0xffffffff825f6b0b
[ 39.913529] XFS (loop0): Quotacheck: Unsuccessful (Error -5): Disabling quotas.
[ 39.913531] ==================================================================
[ 39.928494] BUG: KASAN: use-after-free in xfs_trans_committed_bulk+0x531/0x630
[ 39.936202] Read of size 8 at addr ffff8880a92d6050 by task kworker/1:1H/2796
[ 39.943452]
[ 39.945065] CPU: 1 PID: 2796 Comm: kworker/1:1H Not tainted 4.14.302-syzkaller #0
[ 39.952658] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022
[ 39.962006] Workqueue: xfs-log/loop0 xfs_buf_ioend_work
[ 39.967601] Call Trace:
[ 39.970279] dump_stack+0x1b2/0x281
[ 39.973906] print_address_description.cold+0x54/0x1d3
[ 39.979203] kasan_report_error.cold+0x8a/0x191
[ 39.983869] ? xfs_trans_committed_bulk+0x531/0x630
[ 39.988965] __asan_report_load8_noabort+0x68/0x70
[ 39.993889] ? xfs_trans_committed_bulk+0x531/0x630
[ 39.998910] xfs_trans_committed_bulk+0x531/0x630
[ 40.003823] ? save_trace+0xd6/0x290
[ 40.007566] ? __xfs_trans_commit+0x860/0x860
[ 40.012039] ? __lock_acquire+0x5fc/0x3f20
[ 40.017064] ? static_obj+0x50/0x50
[ 40.020670] ? add_lock_to_list.constprop.0+0x17d/0x330
[ 40.026011] ? save_trace+0xd6/0x290
[ 40.029708] ? __lock_acquire+0x5fc/0x3f20
[ 40.034119] ? save_trace+0xd6/0x290
[ 40.037811] ? trace_hardirqs_on+0x10/0x10
[ 40.042286] xlog_cil_committed+0x153/0xf50
[ 40.046588] ? _raw_spin_unlock_irqrestore+0x79/0xe0
[ 40.051854] ? trace_hardirqs_on_caller+0x3a8/0x580
[ 40.057321] ? xlog_discard_endio+0x150/0x150
[ 40.061883] ? lock_acquire+0x170/0x3f0
[ 40.066008] ? lock_downgrade+0x740/0x740
[ 40.070135] ? xlog_state_clean_log+0x221/0x360
[ 40.074800] xlog_state_do_callback+0x3dc/0x790
[ 40.079487] xfs_log_force_umount+0x2b9/0x430
[ 40.084006] xfs_do_force_shutdown+0x78/0x200
[ 40.088488] xlog_iodone+0x15b/0x1e0
[ 40.092212] ? xlog_state_done_syncing+0x150/0x150
[ 40.097118] xfs_buf_ioend+0x248/0x640
[ 40.100989] process_one_work+0x793/0x14a0
[ 40.105397] ? work_busy+0x320/0x320
[ 40.109094] ? worker_thread+0x158/0xff0
[ 40.113133] ? _raw_spin_unlock_irq+0x24/0x80
[ 40.117607] worker_thread+0x5cc/0xff0
[ 40.121478] ? rescuer_thread+0xc80/0xc80
[ 40.125606] kthread+0x30d/0x420
[ 40.128957] ? kthread_create_on_node+0xd0/0xd0
[ 40.133781] ret_from_fork+0x24/0x30
[ 40.137497]
[ 40.139103] Allocated by task 7991:
[ 40.142720] kasan_kmalloc+0xeb/0x160
[ 40.146500] kmem_cache_alloc+0x124/0x3c0
[ 40.150624] kmem_zone_alloc+0x7f/0x180
[ 40.154577] xfs_buf_item_init+0xa1/0x560
[ 40.158703] _xfs_trans_bjoin+0x3f/0x120
[ 40.162829] xfs_trans_get_buf_map+0x298/0x710
[ 40.167475] xfs_qm_dqalloc+0x5e6/0xa20
[ 40.171456] xfs_qm_dqtobp+0x926/0xcf0
[ 40.175320] xfs_qm_dqread+0x3a3/0xe50
[ 40.179272] xfs_qm_dqget+0x4f4/0x19a0
[ 40.183230] xfs_qm_quotacheck_dqadjust+0x96/0x5c0
[ 40.188144] xfs_qm_dqusage_adjust+0x321/0xc20
[ 40.192752] xfs_bulkstat+0x72a/0xf60
[ 40.196532] xfs_qm_quotacheck+0x223/0x790
[ 40.200743] xfs_qm_mount_quotas+0xe9/0x570
[ 40.205043] xfs_mountfs+0x18be/0x1f40
[ 40.208947] xfs_fs_fill_super+0xb7a/0x1380
[ 40.213244] mount_bdev+0x2b3/0x360
[ 40.216848] mount_fs+0x92/0x2a0
[ 40.220194] vfs_kern_mount.part.0+0x5b/0x470
[ 40.224669] do_mount+0xe65/0x2a30
[ 40.228892] SyS_mount+0xa8/0x120
[ 40.232320] do_syscall_64+0x1d5/0x640
[ 40.236183] entry_SYSCALL_64_after_hwframe+0x5e/0xd3
[ 40.241344]
[ 40.242955] Freed by task 7991:
[ 40.246212] kasan_slab_free+0xc3/0x1a0
[ 40.250171] kmem_cache_free+0x7c/0x2b0
[ 40.254129] xfs_buf_do_callbacks+0x97/0xe0
[ 40.258426] xfs_buf_iodone_callbacks+0xff/0xea0
[ 40.263247] xfs_buf_ioend+0x248/0x640
[ 40.267111] xfs_buf_submit+0x58a/0x7c0
[ 40.271082] xfs_buf_delwri_submit_buffers+0x328/0x9c0
[ 40.276335] xfs_buf_delwri_submit+0x76/0x240
[ 40.280806] xfs_qm_quotacheck+0x2a7/0x790
[ 40.285018] xfs_qm_mount_quotas+0xe9/0x570
[ 40.289316] xfs_mountfs+0x18be/0x1f40
[ 40.293179] xfs_fs_fill_super+0xb7a/0x1380
[ 40.297561] mount_bdev+0x2b3/0x360
[ 40.301192] mount_fs+0x92/0x2a0
[ 40.304535] vfs_kern_mount.part.0+0x5b/0x470
[ 40.309032] do_mount+0xe65/0x2a30
[ 40.312572] SyS_mount+0xa8/0x120
[ 40.316001] do_syscall_64+0x1d5/0x640
[ 40.319871] entry_SYSCALL_64_after_hwframe+0x5e/0xd3
[ 40.325162]
[ 40.326854] The buggy address belongs to the object at ffff8880a92d6000
[ 40.326854] which belongs to the cache xfs_buf_item of size 248
[ 40.339753] The buggy address is located 80 bytes inside of
[ 40.339753] 248-byte region [ffff8880a92d6000, ffff8880a92d60f8)
[ 40.351603] The buggy address belongs to the page:
[ 40.356512] page:ffffea0002a4b580 count:1 mapcount:0 mapping:ffff8880a92d6000 index:0x0
[ 40.364640] flags: 0xfff00000000100(slab)
[ 40.368766] raw: 00fff00000000100 ffff8880a92d6000 0000000000000000 000000010000000d
[ 40.376628] raw: ffff8880b0811248 ffff8880b0811248 ffff8880b17a6200 0000000000000000
[ 40.384498] page dumped because: kasan: bad access detected
[ 40.390181]
[ 40.391786] Memory state around the buggy address:
[ 40.396697] ffff8880a92d5f00: fb fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 40.404032] ffff8880a92d5f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 40.411368] >ffff8880a92d6000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 40.418700] ^
[ 40.424649] ffff8880a92d6080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fc
[ 40.431991] ffff8880a92d6100: fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb fb
[ 40.439411] ==================================================================
[ 40.446754] Disabling lock debugging due to kernel taint
[ 40.452470] Kernel panic - not syncing: panic_on_warn set ...
[ 40.452470]
[ 40.459827] CPU: 1 PID: 2796 Comm: kworker/1:1H Tainted: G B 4.14.302-syzkaller #0
[ 40.468650] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022
[ 40.478007] Workqueue: xfs-log/loop0 xfs_buf_ioend_work
[ 40.483361] Call Trace:
[ 40.485940] dump_stack+0x1b2/0x281
[ 40.489554] panic+0x1f9/0x42d
[ 40.492735] ? add_taint.cold+0x16/0x16
[ 40.496703] ? ___preempt_schedule+0x16/0x18
[ 40.501104] kasan_end_report+0x43/0x49
[ 40.505071]