INIT: Entering runlevel: 2 [info] Using makefile-style concurrent boot in runlevel 2. [....] Starting enhanced syslogd: rsyslogd[?25l[?1c7[ ok 8[?25h[?0c. [....] Starting periodic command scheduler: cron[?25l[?1c7[ ok 8[?25h[?0c. [....] Starting OpenBSD Secure Shell server: sshd[?25l[?1c7[ ok 8[?25h[?0c. Debian GNU/Linux 7 syzkaller ttyS0 Warning: Permanently added '10.128.10.18' (ECDSA) to the list of known hosts. syzkaller login: [ 110.864355] IPVS: ftp: loaded support on port[0] = 21 executing program [ 110.889156] IPVS: ftp: loaded support on port[0] = 21 executing program [ 110.913943] XFS (loop0): Invalid superblock magic number [ 110.921861] IPVS: ftp: loaded support on port[0] = 21 [ 110.935394] XFS (loop3): Invalid superblock magic number executing program executing program executing program [ 110.960699] IPVS: ftp: loaded support on port[0] = 21 executing program executing program executing program [ 111.003947] XFS (loop3): Invalid superblock magic number [ 111.012611] IPVS: ftp: loaded support on port[0] = 21 [ 111.013197] XFS (loop0): Invalid superblock magic number [ 111.039232] XFS (loop6): Invalid superblock magic number executing program [ 111.071347] IPVS: ftp: loaded support on port[0] = 21 executing program executing program [ 111.102542] XFS (loop7): Invalid superblock magic number [ 111.120582] XFS (loop3): Invalid superblock magic number [ 111.127976] IPVS: ftp: loaded support on port[0] = 21 executing program executing program [ 111.173777] XFS (loop0): Invalid superblock magic number [ 111.179486] XFS (loop6): Invalid superblock magic number [ 111.202719] IPVS: ftp: loaded support on port[0] = 21 [ 111.208364] XFS (loop4): Invalid superblock magic number [ 111.211596] ================================================================== executing program executing program [ 111.221231] BUG: KASAN: use-after-free in radix_tree_next_chunk+0xde1/0xdf0 [ 111.228303] Read of size 4 at addr ffff8801d9090cd0 by task syzkaller717579/4576 [ 111.235810] [ 111.237414] CPU: 0 PID: 4576 Comm: syzkaller717579 Not tainted 4.16.0-rc7+ #9 [ 111.244659] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 111.253985] Call Trace: [ 111.256547] dump_stack+0x194/0x24d [ 111.260148] ? arch_local_irq_restore+0x53/0x53 [ 111.264787] ? show_regs_print_info+0x18/0x18 [ 111.269258] ? radix_tree_next_chunk+0xde1/0xdf0 executing program [ 111.273987] print_address_description+0x73/0x250 [ 111.278807] ? radix_tree_next_chunk+0xde1/0xdf0 [ 111.283535] kasan_report+0x23c/0x360 [ 111.287310] __asan_report_load4_noabort+0x14/0x20 [ 111.292210] radix_tree_next_chunk+0xde1/0xdf0 [ 111.296765] ? debug_check_no_locks_freed+0x3c0/0x3c0 [ 111.301927] ? trace_hardirqs_off+0x10/0x10 [ 111.306222] ? trace_hardirqs_off+0xd/0x10 [ 111.310428] ? idr_preload+0x30/0x30 [ 111.314112] ? trace_hardirqs_off+0x10/0x10 [ 111.314185] XFS (loop5): Invalid superblock magic number [ 111.318410] ? trace_hardirqs_off+0x10/0x10 [ 111.318419] ? debug_check_no_locks_freed+0x3c0/0x3c0 [ 111.318423] ? debug_check_no_locks_freed+0x3c0/0x3c0 [ 111.318432] ? flush_plug_callbacks+0x53b/0x7b0 [ 111.318440] ? ioc_set_batching+0x2c0/0x2c0 [ 111.318445] ? __lock_acquire+0x664/0x3e00 [ 111.318449] ? trace_hardirqs_off+0x10/0x10 [ 111.318456] ? __account_cfs_rq_runtime+0x600/0x600 [ 111.318464] radix_tree_gang_lookup_tag+0x36e/0x5e0 [ 111.365893] ? lock_acquire+0x1d5/0x580 [ 111.369842] ? radix_tree_gang_lookup_slot+0x3f0/0x3f0 [ 111.375091] ? trace_hardirqs_off+0x10/0x10 [ 111.379387] ? lock_release+0xa40/0xa40 [ 111.383333] ? update_curr+0x332/0xac0 [ 111.387194] ? rcutorture_record_progress+0x10/0x10 [ 111.392188] xfs_perag_get_tag+0x109/0x6c0 [ 111.396398] ? xfs_perag_get+0x520/0x520 [ 111.400429] ? lock_downgrade+0x980/0x980 [ 111.404550] ? lock_release+0xa40/0xa40 [ 111.408494] ? lock_release+0xa40/0xa40 [ 111.412438] ? trace_hardirqs_off+0x10/0x10 [ 111.416820] ? do_raw_spin_trylock+0x190/0x190 [ 111.421371] ? __lock_is_held+0xb6/0x140 [ 111.425407] xfs_reclaim_inodes_count+0x82/0xb0 [ 111.430056] xfs_fs_nr_cached_objects+0x37/0x50 [ 111.434700] ? xfs_fs_free_cached_objects+0x80/0x80 [ 111.439706] super_cache_count+0x96/0x280 [ 111.443840] shrink_slab.part.46+0x30c/0xe80 [ 111.448224] ? current_may_throttle+0x210/0x210 [ 111.452870] ? shrink_active_list+0x15e0/0x15e0 [ 111.457520] shrink_slab+0x9d/0xb0 [ 111.461033] shrink_node+0x51e/0xf70 [ 111.464724] ? shrink_node_memcg+0x1690/0x1690 [ 111.469282] ? get_monotonic_coarse64+0x470/0x470 [ 111.474095] ? __queue_work+0x5b4/0x1230 [ 111.478129] ? lock_downgrade+0x980/0x980 [ 111.482249] ? lock_release+0xa40/0xa40 [ 111.486195] do_try_to_free_pages+0x383/0x1020 [ 111.490753] ? rcu_pm_notify+0xc0/0xc0 [ 111.494610] ? shrink_node+0xf70/0xf70 [ 111.498472] try_to_free_mem_cgroup_pages+0x44d/0xb40 [ 111.503634] ? try_to_free_pages+0x9c0/0x9c0 [ 111.508014] ? cgroup_file_notify+0x5e/0x70 [ 111.512307] ? lock_downgrade+0x980/0x980 [ 111.516438] ? lock_release+0xa40/0xa40 [ 111.520384] ? lock_release+0xa40/0xa40 [ 111.524551] ? do_raw_spin_trylock+0x190/0x190 [ 111.529108] ? kernfs_get+0xe1/0x130 [ 111.532798] ? do_raw_spin_trylock+0x190/0x190 [ 111.537356] ? _raw_spin_unlock_irqrestore+0x31/0xc0 [ 111.542435] ? trace_hardirqs_on+0xd/0x10 [ 111.546569] reclaim_high.constprop.64+0x1e2/0x330 [ 111.551472] ? mem_cgroup_from_task+0x1e0/0x1e0 [ 111.556110] ? mm_fault_error+0x2c0/0x2c0 [ 111.560230] ? trace_event_raw_event_sys_exit+0x260/0x260 [ 111.565739] ? exit_to_usermode_loop+0x8c/0x2f0 [ 111.570382] mem_cgroup_handle_over_high+0x8d/0x130 [ 111.575372] exit_to_usermode_loop+0x242/0x2f0 [ 111.579927] ? trace_event_raw_event_sys_exit+0x260/0x260 [ 111.585436] ? syscall_return_slowpath+0x550/0x550 [ 111.590339] ? syscall_return_slowpath+0x2ac/0x550 [ 111.595241] prepare_exit_to_usermode+0x2d9/0x350 [ 111.600054] ? perf_trace_sys_enter+0xcb0/0xcb0 [ 111.604692] ? trace_hardirqs_off_thunk+0x1a/0x1c [ 111.609594] ? page_fault+0x2f/0x50 [ 111.613201] retint_user+0x8/0x18 [ 111.616622] RIP: 0033:0x4019e9 [ 111.619789] RSP: 002b:00007ffde3c93e60 EFLAGS: 00010207 [ 111.625132] RAX: 0000000000000012 RBX: 0000000000000001 RCX: 0000000000442a29 [ 111.632373] RDX: 0000000000000012 RSI: 00000000004a48ac RDI: 0000000000000001 [ 111.639614] RBP: 00007ffde3c93f70 R08: 000000000090a880 R09: 0000000300000000 [ 111.646855] R10: 0000000000000000 R11: 0000000000000217 R12: 0000000000000000 [ 111.654105] R13: 0000000000000000 R14: 0000000000001380 R15: 00007ffde3c93f98 [ 111.661354] [ 111.662957] Allocated by task 4520: [ 111.666567] save_stack+0x43/0xd0 [ 111.669989] kasan_kmalloc+0xad/0xe0 [ 111.673673] kmem_cache_alloc_trace+0x136/0x740 [ 111.678313] xfs_fs_fill_super+0xd1/0x1220 [ 111.682519] mount_bdev+0x2b7/0x370 [ 111.686112] xfs_fs_mount+0x34/0x40 [ 111.689710] mount_fs+0x66/0x2d0 [ 111.693047] vfs_kern_mount.part.26+0xc6/0x4a0 [ 111.697599] do_mount+0xea4/0x2bb0 [ 111.701111] SyS_mount+0xab/0x120 [ 111.704534] do_syscall_64+0x281/0x940 [ 111.708393] entry_SYSCALL_64_after_hwframe+0x42/0xb7 [ 111.713550] [ 111.715145] Freed by task 4520: [ 111.718394] save_stack+0x43/0xd0 [ 111.722252] __kasan_slab_free+0x11a/0x170 [ 111.726457] kasan_slab_free+0xe/0x10 [ 111.730225] kfree+0xd9/0x260 [ 111.733302] xfs_fs_fill_super+0x6c3/0x1220 [ 111.737596] mount_bdev+0x2b7/0x370 [ 111.741195] xfs_fs_mount+0x34/0x40 [ 111.744796] mount_fs+0x66/0x2d0 [ 111.748145] vfs_kern_mount.part.26+0xc6/0x4a0 [ 111.752699] do_mount+0xea4/0x2bb0 [ 111.756309] SyS_mount+0xab/0x120 [ 111.759740] do_syscall_64+0x281/0x940 [ 111.763595] entry_SYSCALL_64_after_hwframe+0x42/0xb7 [ 111.768752] [ 111.770352] The buggy address belongs to the object at ffff8801d9090900 [ 111.770352] which belongs to the cache kmalloc-4096 of size 4096 [ 111.783154] The buggy address is located 976 bytes inside of [ 111.783154] 4096-byte region [ffff8801d9090900, ffff8801d9091900) [ 111.795083] The buggy address belongs to the page: [ 111.799984] page:ffffea0007642400 count:1 mapcount:0 mapping:ffff8801d9090900 index:0x0 compound_mapcount: 0 [ 111.809933] flags: 0x2fffc0000008100(slab|head) [ 111.814573] raw: 02fffc0000008100 ffff8801d9090900 0000000000000000 0000000100000001 [ 111.822425] raw: ffffea0007640020 ffffea0006b3e320 ffff8801dac00dc0 0000000000000000 [ 111.830275] page dumped because: kasan: bad access detected [ 111.835954] [ 111.837553] Memory state around the buggy address: [ 111.842453] ffff8801d9090b80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 111.849784] ffff8801d9090c00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 111.857121] >ffff8801d9090c80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 111.864453] ^ [ 111.870392] ffff8801d9090d00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 111.877719] ffff8801d9090d80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 111.885047] ================================================================== [ 111.892374] Disabling lock debugging due to kernel taint [ 111.897976] Kernel panic - not syncing: panic_on_warn set ... [ 111.897976] [ 111.905321] CPU: 0 PID: 4576 Comm: syzkaller717579 Tainted: G B 4.16.0-rc7+ #9 [ 111.913864] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 111.923187] Call Trace: [ 111.925747] dump_stack+0x194/0x24d [ 111.929346] ? arch_local_irq_restore+0x53/0x53 [ 111.933983] ? trace_hardirqs_on_thunk+0x1a/0x1c [ 111.938713] ? vsnprintf+0x1ed/0x1900 [ 111.942486] ? radix_tree_next_chunk+0xde0/0xdf0 [ 111.947213] panic+0x1e4/0x41c [ 111.950377] ? refcount_error_report+0x214/0x214 [ 111.955101] ? add_taint+0x1c/0x50 [ 111.958609] ? add_taint+0x1c/0x50 [ 111.962118] ? radix_tree_next_chunk+0xde1/0xdf0 [ 111.966843] kasan_end_report+0x50/0x50 [ 111.970791] kasan_report+0x149/0x360 [ 111.974562] __asan_report_load4_noabort+0x14/0x20 [ 111.979461] radix_tree_next_chunk+0xde1/0xdf0 [ 111.984023] ? debug_check_no_locks_freed+0x3c0/0x3c0 [ 111.989182] ? trace_hardirqs_off+0x10/0x10 [ 111.993476] ? trace_hardirqs_off+0xd/0x10 [ 111.997681] ? idr_preload+0x30/0x30 [ 112.001376] ? trace_hardirqs_off+0x10/0x10 [ 112.005667] ? trace_hardirqs_off+0x10/0x10 [ 112.009968] ? debug_check_no_locks_freed+0x3c0/0x3c0 [ 112.015128] ? debug_check_no_locks_freed+0x3c0/0x3c0 [ 112.020295] ? flush_plug_callbacks+0x53b/0x7b0 [ 112.024935] ? ioc_set_batching+0x2c0/0x2c0 [ 112.029225] ? __lock_acquire+0x664/0x3e00 [ 112.033428] ? trace_hardirqs_off+0x10/0x10 [ 112.037730] ? __account_cfs_rq_runtime+0x600/0x600 [ 112.042727] radix_tree_gang_lookup_tag+0x36e/0x5e0 [ 112.047715] ? lock_acquire+0x1d5/0x580 [ 112.051657] ? radix_tree_gang_lookup_slot+0x3f0/0x3f0 [ 112.056905] ? trace_hardirqs_off+0x10/0x10 [ 112.061196] ? lock_release+0xa40/0xa40 [ 112.065140] ? update_curr+0x332/0xac0 [ 112.069005] ? rcutorture_record_progress+0x10/0x10 [ 112.073994] xfs_perag_get_tag+0x109/0x6c0 [ 112.078198] ? xfs_perag_get+0x520/0x520 [ 112.082225] ? lock_downgrade+0x980/0x980 [ 112.086340] ? lock_release+0xa40/0xa40 [ 112.090283] ? lock_release+0xa40/0xa40 [ 112.094227] ? trace_hardirqs_off+0x10/0x10 [ 112.098517] ? do_raw_spin_trylock+0x190/0x190 [ 112.103067] ? __lock_is_held+0xb6/0x140 [ 112.107099] xfs_reclaim_inodes_count+0x82/0xb0 [ 112.111735] xfs_fs_nr_cached_objects+0x37/0x50 [ 112.116372] ? xfs_fs_free_cached_objects+0x80/0x80 [ 112.121355] super_cache_count+0x96/0x280 [ 112.125476] shrink_slab.part.46+0x30c/0xe80 [ 112.129856] ? current_may_throttle+0x210/0x210 [ 112.134496] ? shrink_active_list+0x15e0/0x15e0 [ 112.139139] shrink_slab+0x9d/0xb0 [ 112.142648] shrink_node+0x51e/0xf70 [ 112.146330] ? shrink_node_memcg+0x1690/0x1690 [ 112.150881] ? get_monotonic_coarse64+0x470/0x470 [ 112.155693] ? __queue_work+0x5b4/0x1230 [ 112.159723] ? lock_downgrade+0x980/0x980 [ 112.163842] ? lock_release+0xa40/0xa40 [ 112.167786] do_try_to_free_pages+0x383/0x1020 [ 112.172340] ? rcu_pm_notify+0xc0/0xc0 [ 112.176206] ? shrink_node+0xf70/0xf70 [ 112.180064] try_to_free_mem_cgroup_pages+0x44d/0xb40 [ 112.185223] ? try_to_free_pages+0x9c0/0x9c0 [ 112.189602] ? cgroup_file_notify+0x5e/0x70 [ 112.193892] ? lock_downgrade+0x980/0x980 [ 112.198006] ? lock_release+0xa40/0xa40 [ 112.201947] ? lock_release+0xa40/0xa40 [ 112.205889] ? do_raw_spin_trylock+0x190/0x190 [ 112.210437] ? kernfs_get+0xe1/0x130 [ 112.214120] ? do_raw_spin_trylock+0x190/0x190 [ 112.218671] ? _raw_spin_unlock_irqrestore+0x31/0xc0 [ 112.223744] ? trace_hardirqs_on+0xd/0x10 [ 112.227863] reclaim_high.constprop.64+0x1e2/0x330 [ 112.232760] ? mem_cgroup_from_task+0x1e0/0x1e0 [ 112.237414] ? mm_fault_error+0x2c0/0x2c0 [ 112.241533] ? trace_event_raw_event_sys_exit+0x260/0x260 [ 112.247038] ? exit_to_usermode_loop+0x8c/0x2f0 [ 112.251676] mem_cgroup_handle_over_high+0x8d/0x130 [ 112.256661] exit_to_usermode_loop+0x242/0x2f0 [ 112.261211] ? trace_event_raw_event_sys_exit+0x260/0x260 [ 112.266724] ? syscall_return_slowpath+0x550/0x550 [ 112.271621] ? syscall_return_slowpath+0x2ac/0x550 [ 112.276519] prepare_exit_to_usermode+0x2d9/0x350 [ 112.281330] ? perf_trace_sys_enter+0xcb0/0xcb0 [ 112.285968] ? trace_hardirqs_off_thunk+0x1a/0x1c [ 112.290779] ? page_fault+0x2f/0x50 [ 112.294376] retint_user+0x8/0x18 [ 112.297797] RIP: 0033:0x4019e9 [ 112.300955] RSP: 002b:00007ffde3c93e60 EFLAGS: 00010207 [ 112.306292] RAX: 0000000000000012 RBX: 0000000000000001 RCX: 0000000000442a29 [ 112.313538] RDX: 0000000000000012 RSI: 00000000004a48ac RDI: 0000000000000001 [ 112.320776] RBP: 00007ffde3c93f70 R08: 000000000090a880 R09: 0000000300000000 [ 112.328016] R10: 0000000000000000 R11: 0000000000000217 R12: 0000000000000000 [ 112.335253] R13: 0000000000000000 R14: 0000000000001380 R15: 00007ffde3c93f98 [ 112.342848] Dumping ftrace buffer: [ 112.346359] (ftrace buffer empty) [ 112.350042] Kernel Offset: disabled [ 112.353727] Rebooting in 86400 seconds..