[ OK ] Reached target Graphical Interface.
Starting Update UTMP about System Runlevel Changes...
[ OK ] Started Update UTMP about System Runlevel Changes.
Starting Load/Save RF Kill Switch Status...
[ OK ] Started Load/Save RF Kill Switch Status.

Debian GNU/Linux 9 syzkaller ttyS0

Warning: Permanently added '10.128.1.170' (ECDSA) to the list of known hosts.
syzkaller login: [ 35.573811] IPVS: ftp: loaded support on port[0] = 21
executing program
[ 35.663021] ==================================================================
[ 35.670545] BUG: KASAN: slab-out-of-bounds in hfs_strcmp+0x143/0x170
[ 35.677019] Read of size 1 at addr ffff8880b2f4a5ce by task kworker/u4:0/7
[ 35.684004]
[ 35.685616] CPU: 0 PID: 7 Comm: kworker/u4:0 Not tainted 4.19.211-syzkaller #0
[ 35.692948] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022
[ 35.702286] Workqueue: writeback wb_workfn (flush-7:0)
[ 35.707536] Call Trace:
[ 35.710104]  dump_stack+0x1fc/0x2ef
[ 35.713720]  print_address_description.cold+0x54/0x219
[ 35.719165]  kasan_report_error.cold+0x8a/0x1b9
[ 35.723827]  ? hfs_strcmp+0x143/0x170
[ 35.727613]  __asan_report_load1_noabort+0x88/0x90
[ 35.732528]  ? hfs_strcmp+0x143/0x170
[ 35.736323]  hfs_strcmp+0x143/0x170
[ 35.740031]  hfs_cat_keycmp+0x179/0x1c0
[ 35.743989]  ? hfs_cat_create+0x9f0/0x9f0
[ 35.748211]  __hfs_brec_find+0x1cc/0x4d0
[ 35.752256]  ? hfs_find_exit+0xc0/0xc0
[ 35.756122]  ? hfs_find_init+0x1c5/0x230
[ 35.760166]  ? mutex_trylock+0x1a0/0x1a0
[ 35.764211]  ? lock_acquire+0x170/0x3c0
[ 35.768173]  hfs_brec_find+0x1fe/0x4e0
[ 35.772050]  ? __hfs_brec_find+0x4d0/0x4d0
[ 35.776271]  ? __kmalloc+0x38e/0x3c0
[ 35.779966]  ? hfs_find_init+0x91/0x230
[ 35.783927]  hfs_write_inode+0x345/0x930
[ 35.787972]  ? hfs_inode_write_fork+0x1c0/0x1c0
[ 35.792629]  ? do_writepages+0x1f5/0x290
[ 35.796675]  ? __writeback_single_inode+0x306/0x11d0
[ 35.801768]  ? lock_downgrade+0x720/0x720
[ 35.805914]  ? lock_acquire+0x170/0x3c0
[ 35.809897]  ? check_preemption_disabled+0x41/0x280
[ 35.814917]  __writeback_single_inode+0x733/0x11d0
[ 35.819838]  writeback_sb_inodes+0x537/0xef0
[ 35.824243]  ? wbc_detach_inode+0x840/0x840
[ 35.828555]  ? rcu_read_lock_sched_held+0x16c/0x1d0
[ 35.833553]  ? queue_io+0x448/0x590
[ 35.837168]  wb_writeback+0x28d/0xcc0
[ 35.840960]  ? writeback_inodes_wb.constprop.0+0x1d0/0x1d0
[ 35.846577]  wb_workfn+0x29b/0x1250
[ 35.850196]  ? inode_wait_for_writeback+0x30/0x30
[ 35.855034]  ? check_preemption_disabled+0x41/0x280
[ 35.860041]  process_one_work+0x864/0x1570
[ 35.864264]  ? pwq_dec_nr_in_flight+0x2d0/0x2d0
[ 35.868924]  worker_thread+0x64c/0x1130
[ 35.872893]  ? process_one_work+0x1570/0x1570
[ 35.877370]  kthread+0x33f/0x460
[ 35.880725]  ? kthread_park+0x180/0x180
[ 35.884686]  ret_from_fork+0x24/0x30
[ 35.888390]
[ 35.890000] Allocated by task 7:
[ 35.893353]  __kmalloc+0x15a/0x3c0
[ 35.896875]  hfs_find_init+0x91/0x230
[ 35.900658]  hfs_write_inode+0x221/0x930
[ 35.904706]  __writeback_single_inode+0x733/0x11d0
[ 35.909618]  writeback_sb_inodes+0x537/0xef0
[ 35.914013]  wb_writeback+0x28d/0xcc0
[ 35.917796]  wb_workfn+0x29b/0x1250
[ 35.921407]  process_one_work+0x864/0x1570
[ 35.925625]  worker_thread+0x64c/0x1130
[ 35.929578]  kthread+0x33f/0x460
[ 35.932931]  ret_from_fork+0x24/0x30
[ 35.936620]
[ 35.938232] Freed by task 6321:
[ 35.941669]  kfree+0xcc/0x210
[ 35.944760]  apparmor_file_free_security+0x9a/0xd0
[ 35.949673]  security_file_free+0x3e/0x70
[ 35.953808]  __fput+0x42a/0x890
[ 35.957071]  task_work_run+0x148/0x1c0
[ 35.960940]  exit_to_usermode_loop+0x251/0x2a0
[ 35.965514]  do_syscall_64+0x538/0x620
[ 35.969387]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 35.974552]
[ 35.976161] The buggy address belongs to the object at ffff8880b2f4a580
[ 35.976161]  which belongs to the cache kmalloc-96 of size 96
[ 35.988627] The buggy address is located 78 bytes inside of
[ 35.988627]  96-byte region [ffff8880b2f4a580, ffff8880b2f4a5e0)
[ 36.000316] The buggy address belongs to the page:
[ 36.005229] page:ffffea0002cbd280 count:1 mapcount:0 mapping:ffff88813bff04c0 index:0x0
[ 36.013352] flags: 0xfff00000000100(slab)
[ 36.017493] raw: 00fff00000000100 ffffea0002c93608 ffffea0002a92808 ffff88813bff04c0
[ 36.025360] raw: 0000000000000000 ffff8880b2f4a000 0000000100000020 0000000000000000
[ 36.033245] page dumped because: kasan: bad access detected
[ 36.038932]
[ 36.040537] Memory state around the buggy address:
[ 36.045461]  ffff8880b2f4a480: fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
[ 36.052831]  ffff8880b2f4a500: fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
[ 36.060183] >ffff8880b2f4a580: 00 00 00 00 00 00 00 00 00 06 fc fc fc fc fc fc
[ 36.067522]                                               ^
[ 36.073233]  ffff8880b2f4a600: fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
[ 36.080582]  ffff8880b2f4a680: fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
[ 36.087925] ==================================================================
[ 36.095269] Disabling lock debugging due to kernel taint
[ 36.104857] Kernel panic - not syncing: panic_on_warn set ...
[ 36.104857]
[ 36.112233] CPU: 0 PID: 7 Comm: kworker/u4:0 Tainted: G B 4.19.211-syzkaller #0
[ 36.120977] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022
[ 36.130340] Workqueue: writeback wb_workfn (flush-7:0)
[ 36.135615] Call Trace:
[ 36.138310]  dump_stack+0x1fc/0x2ef
[ 36.142288]  panic+0x26a/0x50e
[ 36.145474]  ? __warn_printk+0xf3/0xf3
[ 36.149342]  ? preempt_schedule_common+0x45/0xc0
[ 36.154076]  ? ___preempt_schedule+0x16/0x18
[ 36.158464]  ? trace_hardirqs_on+0x55/0x210
[ 36.162766]  kasan_end_report+0x43/0x49
[ 36.166721]  kasan_report_error.cold+0xa7/0x1b9
[ 36.171367]  ? hfs_strcmp+0x143/0x170
[ 36.175151]  __asan_report_load1_noabort+0x88/0x90
[ 36.180056]  ? hfs_strcmp+0x143/0x170
[ 36.183835]  hfs_strcmp+0x143/0x170
[ 36.187440]  hfs_cat_keycmp+0x179/0x1c0
[ 36.191390]  ? hfs_cat_create+0x9f0/0x9f0
[ 36.195515]  __hfs_brec_find+0x1cc/0x4d0
[ 36.199639]  ? hfs_find_exit+0xc0/0xc0
[ 36.203500]  ? hfs_find_init+0x1c5/0x230
[ 36.207538]  ? mutex_trylock+0x1a0/0x1a0
[ 36.211574]  ? lock_acquire+0x170/0x3c0
[ 36.215524]  hfs_brec_find+0x1fe/0x4e0
[ 36.219393]  ? __hfs_brec_find+0x4d0/0x4d0
[ 36.223604]  ? __kmalloc+0x38e/0x3c0
[ 36.227292]  ? hfs_find_init+0x91/0x230
[ 36.231242]  hfs_write_inode+0x345/0x930
[ 36.235282]  ? hfs_inode_write_fork+0x1c0/0x1c0
[ 36.239933]  ? do_writepages+0x1f5/0x290
[ 36.243973]  ? __writeback_single_inode+0x306/0x11d0
[ 36.249052]  ? lock_downgrade+0x720/0x720
[ 36.253179]  ? lock_acquire+0x170/0x3c0
[ 36.257131]  ? check_preemption_disabled+0x41/0x280
[ 36.262124]  __writeback_single_inode+0x733/0x11d0
[ 36.267030]  writeback_sb_inodes+0x537/0xef0
[ 36.271418]  ? wbc_detach_inode+0x840/0x840
[ 36.275726]  ? rcu_read_lock_sched_held+0x16c/0x1d0
[ 36.280720]  ? queue_io+0x448/0x590
[ 36.284350]  wb_writeback+0x28d/0xcc0
[ 36.288131]  ? writeback_inodes_wb.constprop.0+0x1d0/0x1d0
[ 36.293737]  wb_workfn+0x29b/0x1250
[ 36.297343]  ? inode_wait_for_writeback+0x30/0x30
[ 36.302162]  ? check_preemption_disabled+0x41/0x280
[ 36.307163]  process_one_work+0x864/0x1570
[ 36.311374]  ? pwq_dec_nr_in_flight+0x2d0/0x2d0
[ 36.316109]  worker_thread+0x64c/0x1130
[ 36.320084]  ? process_one_work+0x1570/0x1570
[ 36.324557]  kthread+0x33f/0x460
[ 36.327899]  ? kthread_park+0x180/0x180
[ 36.331859]  ret_from_fork+0x24/0x30
[ 36.335624] Kernel Offset: disabled
[ 36.339243] Rebooting in 86400 seconds..