INIT: Entering runlevel: 2
[info] Using makefile-style concurrent boot in runlevel 2.
[ ok ] Starting enhanced syslogd: rsyslogd.
[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.

Debian GNU/Linux 7 syzkaller ttyS0

Warning: Permanently added '10.128.0.58' (ECDSA) to the list of known hosts.
executing program
syzkaller login: [   29.538947] IPVS: ftp: loaded support on port[0] = 21
[   29.601686] EXT4-fs (sda1): re-mounted. Opts: debug_want_extra_isize=7632
[   29.626137] ==================================================================
[   29.633593] BUG: KASAN: use-after-free in __ext4_expand_extra_isize+0x157/0x230
[   29.641014] Write of size 7600 at addr ffff8801c7ee86a0 by task syzkaller547255/4428
[   29.648880] 
[   29.650483] CPU: 0 PID: 4428 Comm: syzkaller547255 Not tainted 4.16.0+ #10
[   29.657463] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   29.666802] Call Trace:
[   29.669370]  dump_stack+0x194/0x24d
[   29.672975]  ? arch_local_irq_restore+0x53/0x53
[   29.677617]  ? show_regs_print_info+0x18/0x18
[   29.682090]  ? __ext4_expand_extra_isize+0x157/0x230
[   29.687164]  print_address_description+0x73/0x250
[   29.691981]  ? __ext4_expand_extra_isize+0x157/0x230
[   29.697056]  kasan_report+0x23c/0x360
[   29.700831]  check_memory_region+0x137/0x190
[   29.705212]  memset+0x23/0x40
[   29.708290]  __ext4_expand_extra_isize+0x157/0x230
[   29.713194]  ext4_mark_inode_dirty+0x7a9/0xa10
[   29.717752]  ? ext4_expand_extra_isize+0x580/0x580
[   29.722661]  ? mark_held_locks+0xaf/0x100
[   29.726786]  ? current_kernel_time64+0x122/0x2f0
[   29.731512]  ? trace_hardirqs_on_caller+0x421/0x5c0
[   29.736498]  ? trace_hardirqs_on+0xd/0x10
[   29.740618]  ? ktime_get_raw+0x380/0x380
[   29.744651]  ? ext4_generic_delete_entry+0x470/0x470
[   29.749726]  ext4_unlink+0xc6f/0x1100
[   29.753498]  ? lock_acquire+0x1d5/0x580
[   29.757442]  ? ext4_rmdir+0xdc0/0xdc0
[   29.761214]  ? lock_release+0xa40/0xa40
[   29.765160]  ? check_same_owner+0x320/0x320
[   29.769453]  ? rcu_note_context_switch+0x710/0x710
[   29.774354]  ? __might_sleep+0x95/0x190
[   29.778301]  ? down_write+0x87/0x120
[   29.781988]  ? vfs_unlink+0xc7/0x480
[   29.785672]  ? down_read+0x150/0x150
[   29.789358]  vfs_unlink+0x283/0x480
[   29.792956]  do_unlinkat+0x731/0x940
[   29.796646]  ? SyS_rmdir+0x20/0x20
[   29.800156]  ? strncpy_from_user+0x323/0x430
[   29.804537]  ? mpi_resize+0x200/0x200
[   29.808312]  ? getname_flags+0x256/0x580
[   29.812342]  ? SyS_unlinkat+0x90/0x90
[   29.816126]  SyS_unlink+0x26/0x30
[   29.819550]  do_syscall_64+0x281/0x940
[   29.823496]  ? vmalloc_sync_all+0x30/0x30
[   29.827615]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[   29.832350]  ? syscall_return_slowpath+0x550/0x550
[   29.837252]  ? syscall_return_slowpath+0x2ac/0x550
[   29.842153]  ? prepare_exit_to_usermode+0x350/0x350
[   29.847142]  ? entry_SYSCALL_64_after_hwframe+0x52/0xb7
[   29.852478]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   29.857292]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[   29.862451] RIP: 0033:0x447b77
[   29.865614] RSP: 002b:00007ffc704d9d88 EFLAGS: 00000206 ORIG_RAX: 0000000000000057
[   29.873292] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 0000000000447b77
[   29.880532] RDX: 00007ffc704d9d90 RSI: 00007ffc704d9d90 RDI: 00007ffc704d9e20
[   29.887775] RBP: 00007ffc704db5a0 R08: 0000000000000000 R09: 000000000000000a
[   29.895018] R10: 0000000000000006 R11: 0000000000000206 R12: 0000000001c648a0
[   29.902261] R13: 0000000000000000 R14: 0000000000007384 R15: 00007ffc704daf98
[   29.909508] 
[   29.911104] The buggy address belongs to the page:
[   29.916004] page:ffffea00071fba00 count:2 mapcount:0 mapping:ffff8801d52ef660 index:0x4a7
[   29.924391] flags: 0x2fffc0000001064(referenced|lru|active|private)
[   29.930769] raw: 02fffc0000001064 ffff8801d52ef660 00000000000004a7 00000002ffffffff
[   29.938622] raw: ffffea0006e70c20 ffffea0006d9a5a0 ffff8801a99933f0 ffff8801d9a96b40
[   29.946471] page dumped because: kasan: bad access detected
[   29.952153] page->mem_cgroup:ffff8801d9a96b40
[   29.956619] 
[   29.958220] Memory state around the buggy address:
[   29.963121]  ffff8801c7ee9f00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   29.970461]  ffff8801c7ee9f80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   29.977795] >ffff8801c7eea000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   29.985123]                    ^
[   29.988458]  ffff8801c7eea080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   29.995808]  ffff8801c7eea100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   30.003134] ==================================================================
[   30.010463] Disabling lock debugging due to kernel taint
[   30.015957] Kernel panic - not syncing: panic_on_warn set ...
[   30.015957] 
[   30.023304] CPU: 0 PID: 4428 Comm: syzkaller547255 Tainted: G    B            4.16.0+ #10
[   30.031592] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   30.040913] Call Trace:
[   30.043475]  dump_stack+0x194/0x24d
[   30.047172]  ? arch_local_irq_restore+0x53/0x53
[   30.051811]  ? kasan_end_report+0x32/0x50
[   30.055929]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[   30.060662]  ? vsnprintf+0x1ed/0x1900
[   30.064433]  ? __ext4_expand_extra_isize+0x90/0x230
[   30.069416]  panic+0x1e4/0x41c
[   30.072577]  ? refcount_error_report+0x214/0x214
[   30.077300]  ? add_taint+0x1c/0x50
[   30.080810]  ? add_taint+0x1c/0x50
[   30.084330]  ? __ext4_expand_extra_isize+0x157/0x230
[   30.089402]  kasan_end_report+0x50/0x50
[   30.093345]  kasan_report+0x149/0x360
[   30.097117]  check_memory_region+0x137/0x190
[   30.101494]  memset+0x23/0x40
[   30.104570]  __ext4_expand_extra_isize+0x157/0x230
[   30.109467]  ext4_mark_inode_dirty+0x7a9/0xa10
[   30.114017]  ? ext4_expand_extra_isize+0x580/0x580
[   30.118917]  ? mark_held_locks+0xaf/0x100
[   30.123038]  ? current_kernel_time64+0x122/0x2f0
[   30.127767]  ? trace_hardirqs_on_caller+0x421/0x5c0
[   30.132751]  ? trace_hardirqs_on+0xd/0x10
[   30.136869]  ? ktime_get_raw+0x380/0x380
[   30.140901]  ? ext4_generic_delete_entry+0x470/0x470
[   30.145976]  ext4_unlink+0xc6f/0x1100
[   30.149743]  ? lock_acquire+0x1d5/0x580
[   30.153689]  ? ext4_rmdir+0xdc0/0xdc0
[   30.157472]  ? lock_release+0xa40/0xa40
[   30.161415]  ? check_same_owner+0x320/0x320
[   30.165705]  ? rcu_note_context_switch+0x710/0x710
[   30.170601]  ? __might_sleep+0x95/0x190
[   30.174543]  ? down_write+0x87/0x120
[   30.178232]  ? vfs_unlink+0xc7/0x480
[   30.181915]  ? down_read+0x150/0x150
[   30.185597]  vfs_unlink+0x283/0x480
[   30.189191]  do_unlinkat+0x731/0x940
[   30.192873]  ? SyS_rmdir+0x20/0x20
[   30.196382]  ? strncpy_from_user+0x323/0x430
[   30.200758]  ? mpi_resize+0x200/0x200
[   30.204529]  ? getname_flags+0x256/0x580
[   30.208558]  ? SyS_unlinkat+0x90/0x90
[   30.212325]  SyS_unlink+0x26/0x30
[   30.215747]  do_syscall_64+0x281/0x940
[   30.219601]  ? vmalloc_sync_all+0x30/0x30
[   30.223728]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[   30.228454]  ? syscall_return_slowpath+0x550/0x550
[   30.233351]  ? syscall_return_slowpath+0x2ac/0x550
[   30.238253]  ? prepare_exit_to_usermode+0x350/0x350
[   30.243238]  ? entry_SYSCALL_64_after_hwframe+0x52/0xb7
[   30.248570]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   30.253383]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[   30.258540] RIP: 0033:0x447b77
[   30.261702] RSP: 002b:00007ffc704d9d88 EFLAGS: 00000206 ORIG_RAX: 0000000000000057
[   30.269389] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 0000000000447b77
[   30.276627] RDX: 00007ffc704d9d90 RSI: 00007ffc704d9d90 RDI: 00007ffc704d9e20
[   30.283866] RBP: 00007ffc704db5a0 R08: 0000000000000000 R09: 000000000000000a
[   30.291111] R10: 0000000000000006 R11: 0000000000000206 R12: 0000000001c648a0
[   30.298349] R13: 0000000000000000 R14: 0000000000007384 R15: 00007ffc704daf98
[   30.305926] Dumping ftrace buffer:
[   30.309436]    (ftrace buffer empty)
[   30.313118] Kernel Offset: disabled
[   30.316715] Rebooting in 86400 seconds..
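Triage helper for the report above, added here as an example; it is not part of the syzkaller log, the syzkaller project, or the kernel tree, and the function and field names (triage, parse_shadow, first_bad, bytes_past_first_bad, and so on) are my own. It parses the KASAN header lines ("BUG: KASAN: ... in ...", "Write of size ... at addr ... by task ...") and the "Memory state around the buggy address" dump, then computes the byte range the faulting memset covers and where in that range KASAN's shadow memory first reports poison. The sample text is constructed from the report's own lines; the shadow-byte meanings (one shadow byte per 8-byte granule, 00 addressable, 1..7 partially addressable, 0xff = KASAN_FREE_PAGE and the other 0xfx markers) follow mm/kasan/kasan.h for 4.x kernels.

```python
import re

# Shadow-byte meanings from mm/kasan/kasan.h (4.x kernels): one shadow byte
# covers an 8-byte granule; 00 = fully addressable, 1..7 = that many leading
# bytes addressable, values >= 0xfa are poison markers.
GRANULE = 8
PAGE_SIZE = 4096
POISON_NAMES = {
    0xff: "KASAN_FREE_PAGE",
    0xfe: "KASAN_PAGE_REDZONE",
    0xfc: "KASAN_KMALLOC_REDZONE",
    0xfb: "KASAN_KMALLOC_FREE",
    0xfa: "KASAN_GLOBAL_REDZONE",
}

# Constructed sample: the header and shadow-dump lines of the report above.
SAMPLE_REPORT = """\
[   29.633593] BUG: KASAN: use-after-free in __ext4_expand_extra_isize+0x157/0x230
[   29.641014] Write of size 7600 at addr ffff8801c7ee86a0 by task syzkaller547255/4428
[   29.958220] Memory state around the buggy address:
[   29.963121]  ffff8801c7ee9f00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   29.970461]  ffff8801c7ee9f80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   29.977795] >ffff8801c7eea000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   29.985123]                    ^
[   29.988458]  ffff8801c7eea080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   29.995808]  ffff8801c7eea100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
"""

BUG_RE = re.compile(r"BUG: KASAN: (?P<bug>[\w-]+) in (?P<func>\S+)")
ACCESS_RE = re.compile(
    r"(?P<op>Read|Write) of size (?P<size>\d+) at addr (?P<addr>[0-9a-f]+)"
    r" by task (?P<comm>[^/\s]+)/(?P<pid>\d+)")
# One shadow row: optional '>' marker, 16-digit memory address, 16 shadow bytes.
SHADOW_RE = re.compile(
    r"\]\s*(?P<mark>>?)(?P<addr>[0-9a-f]{16}):(?P<bytes>(?: [0-9a-f]{2}){16})\s*$")


def shadow_name(value):
    """Human-readable meaning of one shadow byte."""
    if value == 0:
        return "addressable"
    if 0 < value < GRANULE:
        return f"partially addressable ({value} of {GRANULE} bytes)"
    return POISON_NAMES.get(value, f"poison 0x{value:02x}")


def parse_shadow(text):
    """Return ({granule address: shadow byte}, address of the '>' row)."""
    shadow, marked = {}, None
    for line in text.splitlines():
        m = SHADOW_RE.search(line)
        if not m:
            continue
        row = int(m["addr"], 16)
        if m["mark"]:
            marked = row
        for i, byte in enumerate(m["bytes"].split()):
            shadow[row + i * GRANULE] = int(byte, 16)
    return shadow, marked


def triage(text):
    """Locate the faulting access relative to the first poisoned granule."""
    bug, acc = BUG_RE.search(text), ACCESS_RE.search(text)
    if not (bug and acc):
        raise ValueError("no KASAN report header found")
    shadow, marked = parse_shadow(text)
    start, size = int(acc["addr"], 16), int(acc["size"])
    end = start + size
    # First poisoned granule that the access [start, end) touches.
    first_bad = next((a for a in sorted(shadow)
                      if a + GRANULE > start and a < end and shadow[a] != 0), None)
    info = {
        "bug": bug["bug"], "func": bug["func"], "op": acc["op"], "size": size,
        "comm": acc["comm"], "pid": int(acc["pid"]),
        "start": start, "end": end, "first_bad": first_bad,
        # False when the dump stops before the access ends: the log then shows
        # where the poison starts, not how far past it the access really went.
        "dump_covers_end": bool(shadow) and end <= max(shadow) + GRANULE,
    }
    if first_bad is not None:
        info.update({
            "poison": shadow_name(shadow[first_bad]),
            "bytes_before_poison": first_bad - start,
            "bytes_past_first_bad": end - first_bad,
            "first_bad_in_marked_row": marked is not None
                and marked <= first_bad < marked + 16 * GRANULE,
            "first_bad_page_aligned": first_bad % PAGE_SIZE == 0,
        })
    return info


if __name__ == "__main__":
    for key, val in triage(SAMPLE_REPORT).items():
        shown = f"{val:#x}" if key in ("start", "end", "first_bad") and val is not None else val
        print(f"{key:>24}: {shown}")
```

Run on this report, the helper shows the 7600-byte memset starting at ffff8801c7ee86a0 in memory whose shadow is clean, reaching a 4 KiB-aligned address (ffff8801c7eea000, the row marked with ">") 6496 bytes in, where the shadow reads KASAN_FREE_PAGE, and extending 1104 bytes beyond that boundary. Two caveats are worth keeping in mind when reading the log: the shadow dump only covers memory up to ffff8801c7eea180, so the log does not show whether the whole tail of the write landed in freed memory, and the "belongs to the page" block describes the page of the access address (flags lru|active|private, a live page-cache page), not the freed page the write ran into. The write size is also 32 bytes short of the debug_want_extra_isize=7632 value on the remount line, consistent with the zeroing covering the span between the inode's existing extra fields and the requested size; that value is far larger than any on-disk inode, which is what sends the memset off the end of the buffer.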