[ OK ] Started Getty on tty3.
[ OK ] Started Getty on tty2.
[ OK ] Started OpenBSD Secure Shell server.
[ OK ] Found device /dev/ttyS0.
[ OK ] Listening on Load/Save RF Kill Switch Status /dev/rfkill Watch.
[ OK ] Started Serial Getty on ttyS0.
[ OK ] Reached target Login Prompts.
[ OK ] Reached target Multi-User System.
[ OK ] Reached target Graphical Interface.
       Starting Update UTMP about System Runlevel Changes...

Debian GNU/Linux 9 syzkaller ttyS0

Warning: Permanently added '10.128.10.31' (ECDSA) to the list of known hosts.
executing program
syzkaller login: [ 33.483912] IPVS: ftp: loaded support on port[0] = 21
[ 33.545278] EXT4-fs error (device loop0): ext4_orphan_get:1256: comm syz-executor386: bad orphan inode 15
[ 33.556502] ext4_test_bit(bit=14, block=18) = 1
[ 33.561519] is_bad_inode(inode)=0
[ 33.564974] NEXT_ORPHAN(inode)=0
[ 33.568699] max_ino=32
[ 33.571194] i_nlink=1
[ 33.573660] EXT4-fs (loop0): mounted filesystem without journal. Opts: ,errors=continue
[ 33.589709] ==================================================================
[ 33.597182] BUG: KASAN: slab-out-of-bounds in ext4_rename_dir_prepare+0x3a6/0x440
[ 33.604810] Read of size 4 at addr ffff88809f252000 by task syz-executor386/8108
[ 33.612344] 
[ 33.613981] CPU: 1 PID: 8108 Comm: syz-executor386 Not tainted 4.19.211-syzkaller #0
[ 33.621965] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/21/2023
[ 33.631307] Call Trace:
[ 33.633887]  dump_stack+0x1fc/0x2ef
[ 33.637502]  print_address_description.cold+0x54/0x219
[ 33.642877]  kasan_report_error.cold+0x8a/0x1b9
[ 33.647534]  ? ext4_rename_dir_prepare+0x3a6/0x440
[ 33.652453]  __asan_report_load4_noabort+0x88/0x90
[ 33.657368]  ? ext4_rename_dir_prepare+0x3a6/0x440
[ 33.662281]  ext4_rename_dir_prepare+0x3a6/0x440
[ 33.667019]  ? ext4_htree_next_block+0x4c0/0x4c0
[ 33.671936]  ? ext4_journal_check_start+0x185/0x220
[ 33.677038]  ? ext4_get_nojournal+0x53/0xb0
[ 33.681371]  ? __ext4_journal_start_sb+0x12d/0x3f0
[ 33.686426]  ? ext4_cross_rename+0x85e/0x14f0
[ 33.690915]  ext4_cross_rename+0x112f/0x14f0
[ 33.695335]  ? ext4_lookup+0x660/0x660
[ 33.699218]  ? mark_held_locks+0xf0/0xf0
[ 33.703389]  ? __lock_acquire+0x6de/0x3ff0
[ 33.707622]  ? mark_held_locks+0xf0/0xf0
[ 33.711676]  ? mark_held_locks+0xf0/0xf0
[ 33.715730]  ? take_dentry_name_snapshot+0x9e/0x140
[ 33.720737]  ? lock_downgrade+0x720/0x720
[ 33.724878]  ? lockref_get+0x11/0x50
[ 33.728609]  ext4_rename2+0x1be/0x210
[ 33.732403]  vfs_rename+0x67e/0x1bc0
[ 33.736103]  ? path_openat+0x2df0/0x2df0
[ 33.740152]  ? security_path_rename+0x1ed/0x2e0
[ 33.744804]  do_renameat2+0xb59/0xc70
[ 33.748592]  ? do_mknodat.part.0+0x480/0x480
[ 33.753082]  ? mntput_no_expire+0x119/0xa30
[ 33.757566]  ? mntput+0x67/0x90
[ 33.760839]  ? do_mkdirat+0x1d2/0x2d0
[ 33.764639]  ? entry_SYSCALL_64_after_hwframe+0x3e/0xbe
[ 33.770087]  __x64_sys_renameat2+0xba/0x150
[ 33.774392]  ? lockdep_hardirqs_on+0x3a8/0x5c0
[ 33.778961]  do_syscall_64+0xf9/0x620
[ 33.782746]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 33.787919] RIP: 0033:0x7fc73145f549
[ 33.791618] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 11 15 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48
[ 33.810532] RSP: 002b:00007ffe1e5610a8 EFLAGS: 00000246 ORIG_RAX: 000000000000013c
[ 33.818320] RAX: ffffffffffffffda RBX: 00007fc7314ceed0 RCX: 00007fc73145f549
[ 33.825571] RDX: 0000000000000004 RSI: 0000000020000240 RDI: 0000000000000004
[ 33.832823] RBP: 00007ffe1e5610c8 R08: 0000000000000002 R09: 0000000000000000
[ 33.840086] R10: 0000000020000000 R11: 0000000000000246 R12: 00007ffe1e5610f0
[ 33.847336] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[ 33.854596] 
[ 33.856204] Allocated by task 7919:
[ 33.859820]  __kmalloc_node_track_caller+0x4c/0x70
[ 33.864748]  __alloc_skb+0xae/0x560
[ 33.868361]  __napi_alloc_skb+0x74/0x300
[ 33.872581]  page_to_skb+0x76/0xa70
[ 33.876243]  receive_buf+0x2ab4/0x6780
[ 33.880238]  virtnet_poll+0x568/0xe00
[ 33.884035]  net_rx_action+0x4ac/0xfb0
[ 33.888122]  __do_softirq+0x265/0x980
[ 33.891931] 
[ 33.893598] Freed by task 7919:
[ 33.897104]  kfree+0xcc/0x210
[ 33.900290]  skb_release_data+0x6de/0x920
[ 33.904509]  kfree_skb_partial+0x7e/0xa0
[ 33.908734]  tcp_rcv_established+0x1b89/0x1ef0
[ 33.913570]  tcp_v4_do_rcv+0x5d6/0x870
[ 33.917459]  tcp_v4_rcv+0x2c03/0x3b80
[ 33.921338]  ip_local_deliver_finish+0x495/0xc00
[ 33.926087]  ip_local_deliver+0x188/0x500
[ 33.930221]  ip_rcv_finish+0x1ca/0x2e0
[ 33.934192]  ip_rcv+0xca/0x3c0
[ 33.937367]  __netif_receive_skb_one_core+0x114/0x180
[ 33.942547]  __netif_receive_skb+0x27/0x1c0
[ 33.946948]  netif_receive_skb_internal+0xf0/0x3f0
[ 33.951886]  napi_gro_receive+0x2e6/0x450
[ 33.956120]  receive_buf+0xc2c/0x6780
[ 33.960000]  virtnet_poll+0x568/0xe00
[ 33.963787]  net_rx_action+0x4ac/0xfb0
[ 33.967655]  __do_softirq+0x265/0x980
[ 33.971611] 
[ 33.973352] The buggy address belongs to the object at ffff88809f252040
[ 33.973352]  which belongs to the cache kmalloc-512 of size 512
[ 33.986149] The buggy address is located 64 bytes to the left of
[ 33.986149]  512-byte region [ffff88809f252040, ffff88809f252240)
[ 33.999317] The buggy address belongs to the page:
[ 34.004301] page:ffffea00027c9480 count:1 mapcount:0 mapping:ffff88813bff0940 index:0xffff88809f2527c0
[ 34.014441] flags: 0xfff00000000100(slab)
[ 34.018790] raw: 00fff00000000100 ffffea0002a32788 ffffea0002a326c8 ffff88813bff0940
[ 34.027033] raw: ffff88809f2527c0 ffff88809f252040 0000000100000005 0000000000000000
[ 34.035364] page dumped because: kasan: bad access detected
[ 34.041078] 
[ 34.042732] Memory state around the buggy address:
[ 34.047818]  ffff88809f251f00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 34.055428]  ffff88809f251f80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 34.063026] >ffff88809f252000: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
[ 34.070754]                    ^
[ 34.074448]  ffff88809f252080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 34.081832]  ffff88809f252100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 34.089185] ==================================================================
[ 34.097223] Disabling lock debugging due to kernel taint
[ 34.106655] Kernel panic - not syncing: panic_on_warn set ...
[ 34.106655] 
[ 34.114040] CPU: 1 PID: 8108 Comm: syz-executor386 Tainted: G B 4.19.211-syzkaller #0
[ 34.123308] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/21/2023
[ 34.132753] Call Trace:
[ 34.135351]  dump_stack+0x1fc/0x2ef
[ 34.138967]  panic+0x26a/0x50e
[ 34.142159]  ? __warn_printk+0xf3/0xf3
[ 34.146046]  ? preempt_schedule_common+0x45/0xc0
[ 34.150801]  ? ___preempt_schedule+0x16/0x18
[ 34.155211]  ? trace_hardirqs_on+0x55/0x210
[ 34.159525]  kasan_end_report+0x43/0x49
[ 34.163489]  kasan_report_error.cold+0xa7/0x1b9
[ 34.168663]  ? ext4_rename_dir_prepare+0x3a6/0x440
[ 34.173584]  __asan_report_load4_noabort+0x88/0x90
[ 34.178584]  ? ext4_rename_dir_prepare+0x3a6/0x440
[ 34.183516]  ext4_rename_dir_prepare+0x3a6/0x440
[ 34.188294]  ? ext4_htree_next_block+0x4c0/0x4c0
[ 34.193052]  ? ext4_journal_check_start+0x185/0x220
[ 34.198063]  ? ext4_get_nojournal+0x53/0xb0
[ 34.202373]  ? __ext4_journal_start_sb+0x12d/0x3f0
[ 34.207298]  ? ext4_cross_rename+0x85e/0x14f0
[ 34.211845]  ext4_cross_rename+0x112f/0x14f0
[ 34.216262]  ? ext4_lookup+0x660/0x660
[ 34.220143]  ? mark_held_locks+0xf0/0xf0
[ 34.224220]  ? __lock_acquire+0x6de/0x3ff0
[ 34.228444]  ? mark_held_locks+0xf0/0xf0
[ 34.232493]  ? mark_held_locks+0xf0/0xf0
[ 34.236549]  ? take_dentry_name_snapshot+0x9e/0x140
[ 34.241555]  ? lock_downgrade+0x720/0x720
[ 34.245687]  ? lockref_get+0x11/0x50
[ 34.249403]  ext4_rename2+0x1be/0x210
[ 34.253190]  vfs_rename+0x67e/0x1bc0
[ 34.256885]  ? path_openat+0x2df0/0x2df0
[ 34.260949]  ? security_path_rename+0x1ed/0x2e0
[ 34.265601]  do_renameat2+0xb59/0xc70
[ 34.269399]  ? do_mknodat.part.0+0x480/0x480
[ 34.273804]  ? mntput_no_expire+0x119/0xa30
[ 34.278136]  ? mntput+0x67/0x90
[ 34.281397]  ? do_mkdirat+0x1d2/0x2d0
[ 34.285198]  ? entry_SYSCALL_64_after_hwframe+0x3e/0xbe
[ 34.290546]  __x64_sys_renameat2+0xba/0x150
[ 34.294860]  ? lockdep_hardirqs_on+0x3a8/0x5c0
[ 34.299426]  do_syscall_64+0xf9/0x620
[ 34.303307]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 34.308487] RIP: 0033:0x7fc73145f549
[ 34.312203] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 11 15 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48
[ 34.331097] RSP: 002b:00007ffe1e5610a8 EFLAGS: 00000246 ORIG_RAX: 000000000000013c
[ 34.338795] RAX: ffffffffffffffda RBX: 00007fc7314ceed0 RCX: 00007fc73145f549
[ 34.346051] RDX: 0000000000000004 RSI: 0000000020000240 RDI: 0000000000000004
[ 34.353307] RBP: 00007ffe1e5610c8 R08: 0000000000000002 R09: 0000000000000000
[ 34.360568] R10: 0000000020000000 R11: 0000000000000246 R12: 00007ffe1e5610f0
[ 34.367823] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[ 34.375336] Kernel Offset: disabled
[ 34.378971] Rebooting in 86400 seconds..