[ OK ] Started Serial Getty on ttyS0.
[ OK ] Reached target Login Prompts.
[ OK ] Started OpenBSD Secure Shell server.
[ OK ] Listening on Load/Save RF Kill Switch Status /dev/rfkill Watch.
[ OK ] Reached target Multi-User System.
[ OK ] Reached target Graphical Interface.
Starting Update UTMP about System Runlevel Changes...
Starting Load/Save RF Kill Switch Status...
[ OK ] Started Load/Save RF Kill Switch Status.
[ OK ] Started Update UTMP about System Runlevel Changes.

Debian GNU/Linux 9 syzkaller ttyS0

Warning: Permanently added '10.128.0.45' (ECDSA) to the list of known hosts.
syzkaller login: [ 32.437961] IPVS: ftp: loaded support on port[0] = 21
executing program
[ 32.543233] ==================================================================
[ 32.550706] BUG: KASAN: use-after-free in hfsplus_releasepage+0x4bc/0x540
[ 32.557620] Read of size 4 at addr ffff8880b2e70e78 by task syz-executor380/8083
[ 32.565130]
[ 32.566759] CPU: 0 PID: 8083 Comm: syz-executor380 Not tainted 4.19.211-syzkaller #0
[ 32.574637] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022
[ 32.583987] Call Trace:
[ 32.586568] dump_stack+0x1fc/0x2ef
[ 32.590188] print_address_description.cold+0x54/0x219
[ 32.595460] kasan_report_error.cold+0x8a/0x1b9
[ 32.600117] ? hfsplus_releasepage+0x4bc/0x540
[ 32.604686] __asan_report_load4_noabort+0x88/0x90
[ 32.609611] ? __sanitizer_cov_trace_const_cmp4+0x20/0x20
[ 32.615222] ? hfsplus_releasepage+0x4bc/0x540
[ 32.619791] hfsplus_releasepage+0x4bc/0x540
[ 32.624187] ? hfsplus_show_options+0x580/0x580
[ 32.628845] try_to_release_page+0x242/0x390
[ 32.633243] block_invalidatepage+0x45b/0x4f0
[ 32.637738] ? end_buffer_read_nobh+0x90/0x90
[ 32.642220] truncate_cleanup_page+0x2b7/0x430
[ 32.646789] truncate_inode_pages_range+0x528/0x1b00
[ 32.651882] ? truncate_inode_page+0xc0/0xc0
[ 32.656281] ? __lock_acquire+0x6de/0x3ff0
[ 32.661027] ? mark_held_locks+0xf0/0xf0
[ 32.665083] ? mark_held_locks+0xf0/0xf0
[ 32.669136] ? __cpuusage_read+0x161/0x1f0
[ 32.673366] ? mark_held_locks+0xf0/0xf0
[ 32.677413] ? writeback_single_inode+0x2b/0x440
[ 32.682254] ? truncate_inode_pages_final+0xa0/0xb0
[ 32.687266] ? mark_held_locks+0xa6/0xf0
[ 32.691314] ? _raw_spin_unlock_irq+0x24/0x80
[ 32.695805] ? lockdep_hardirqs_on+0x3a8/0x5c0
[ 32.700375] hfsplus_evict_inode+0x16/0xd0
[ 32.704596] ? hfsplus_remount+0x300/0x300
[ 32.708814] evict+0x2ed/0x760
[ 32.711993] iput+0x4f1/0x860
[ 32.715089] hfsplus_put_super+0x270/0x3f0
[ 32.719310] ? hfsplus_sync_fs+0xae0/0xae0
[ 32.723537] generic_shutdown_super+0x144/0x370
[ 32.728196] kill_block_super+0x97/0xf0
[ 32.732169] deactivate_locked_super+0x94/0x160
[ 32.736822] deactivate_super+0x174/0x1a0
[ 32.740961] ? deactivate_locked_super+0x160/0x160
[ 32.745879] ? dput+0x31/0x640
[ 32.749072] cleanup_mnt+0x1a8/0x290
[ 32.752775] task_work_run+0x148/0x1c0
[ 32.756653] do_exit+0xbf3/0x2be0
[ 32.760101] ? lock_downgrade+0x720/0x720
[ 32.764236] ? mm_update_next_owner+0x650/0x650
[ 32.768897] ? up_read+0x17/0x110
[ 32.772336] ? __do_page_fault+0x180/0xd60
[ 32.776648] do_group_exit+0x125/0x310
[ 32.780526] __x64_sys_exit_group+0x3a/0x50
[ 32.784840] do_syscall_64+0xf9/0x620
[ 32.788630] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 32.793806] RIP: 0033:0x7f1ee0e08cc9
[ 32.797692] Code: Bad RIP value.
[ 32.801040] RSP: 002b:00007ffdeaa88db8 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
[ 32.808733] RAX: ffffffffffffffda RBX: 00007f1ee0e7e3f0 RCX: 00007f1ee0e08cc9
[ 32.816004] RDX: 000000000000003c RSI: 00000000000000e7 RDI: 0000000000000001
[ 32.823261] RBP: 0000000000000001 R08: ffffffffffffffc0 R09: 00000000000005f6
[ 32.830515] R10: 0000000000000000 R11: 0000000000000246 R12: 00007f1ee0e7e3f0
[ 32.837769] R13: 0000000000000001 R14: 0000000000000000 R15: 0000000000000001
[ 32.845034]
[ 32.846659] Allocated by task 8083:
[ 32.850277] kmem_cache_alloc_trace+0x12f/0x380
[ 32.854929] hfsplus_btree_open+0x4d/0x10a0
[ 32.859497] hfsplus_fill_super+0xa2d/0x19e0
[ 32.863890] mount_bdev+0x2fc/0x3b0
[ 32.867499] mount_fs+0xa3/0x310
[ 32.870853] vfs_kern_mount.part.0+0x68/0x470
[ 32.875333] do_mount+0x115c/0x2f50
[ 32.878946] ksys_mount+0xcf/0x130
[ 32.882483] __x64_sys_mount+0xba/0x150
[ 32.886442] do_syscall_64+0xf9/0x620
[ 32.890229] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 32.895399]
[ 32.897008] Freed by task 8083:
[ 32.900273] kfree+0xcc/0x210
[ 32.903366] hfsplus_btree_close+0x1a6/0x300
[ 32.907759] hfsplus_put_super+0x220/0x3f0
[ 32.911987] generic_shutdown_super+0x144/0x370
[ 32.916646] kill_block_super+0x97/0xf0
[ 32.920608] deactivate_locked_super+0x94/0x160
[ 32.925262] deactivate_super+0x174/0x1a0
[ 32.929393] cleanup_mnt+0x1a8/0x290
[ 32.933092] task_work_run+0x148/0x1c0
[ 32.936967] do_exit+0xbf3/0x2be0
[ 32.940401] do_group_exit+0x125/0x310
[ 32.944287] __x64_sys_exit_group+0x3a/0x50
[ 32.948594] do_syscall_64+0xf9/0x620
[ 32.952379] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 32.957546]
[ 32.959158] The buggy address belongs to the object at ffff8880b2e70e40
[ 32.959158]  which belongs to the cache kmalloc-4096 of size 4096
[ 32.971971] The buggy address is located 56 bytes inside of
[ 32.971971]  4096-byte region [ffff8880b2e70e40, ffff8880b2e71e40)
[ 32.983824] The buggy address belongs to the page:
[ 32.988738] page:ffffea0002cb9c00 count:1 mapcount:0 mapping:ffff88813bff0dc0 index:0x0 compound_mapcount: 0
[ 32.998687] flags: 0xfff00000008100(slab|head)
[ 33.003260] raw: 00fff00000008100 ffffea0002cbaf08 ffffea000256ff88 ffff88813bff0dc0
[ 33.011128] raw: 0000000000000000 ffff8880b2e70e40 0000000100000001 0000000000000000
[ 33.019000] page dumped because: kasan: bad access detected
[ 33.024693]
[ 33.026302] Memory state around the buggy address:
[ 33.031214]  ffff8880b2e70d00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 33.038567]  ffff8880b2e70d80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 33.045909] >ffff8880b2e70e00: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
[ 33.053341]                                                                 ^
[ 33.060598]  ffff8880b2e70e80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 33.067961]  ffff8880b2e70f00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 33.075297] ==================================================================
[ 33.082634] Disabling lock debugging due to kernel taint
[ 33.091562] Kernel panic - not syncing: panic_on_warn set ...
[ 33.091562]
[ 33.098939] CPU: 1 PID: 8083 Comm: syz-executor380 Tainted: G    B             4.19.211-syzkaller #0
[ 33.108220] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022
[ 33.117567] Call Trace:
[ 33.120154] dump_stack+0x1fc/0x2ef
[ 33.123780] panic+0x26a/0x50e
[ 33.126955] ? __warn_printk+0xf3/0xf3
[ 33.130828] ? preempt_schedule_common+0x45/0xc0
[ 33.135570] ? ___preempt_schedule+0x16/0x18
[ 33.139961] ? trace_hardirqs_on+0x55/0x210
[ 33.144266] kasan_end_report+0x43/0x49
[ 33.148221] kasan_report_error.cold+0xa7/0x1b9
[ 33.152873] ? hfsplus_releasepage+0x4bc/0x540
[ 33.157435] __asan_report_load4_noabort+0x88/0x90
[ 33.162348] ? __sanitizer_cov_trace_const_cmp4+0x20/0x20
[ 33.167863] ? hfsplus_releasepage+0x4bc/0x540
[ 33.172425] hfsplus_releasepage+0x4bc/0x540
[ 33.176813] ? hfsplus_show_options+0x580/0x580
[ 33.181462] try_to_release_page+0x242/0x390
[ 33.185851] block_invalidatepage+0x45b/0x4f0
[ 33.190326] ? end_buffer_read_nobh+0x90/0x90
[ 33.194840] truncate_cleanup_page+0x2b7/0x430
[ 33.199458] truncate_inode_pages_range+0x528/0x1b00
[ 33.204543] ? truncate_inode_page+0xc0/0xc0
[ 33.208931] ? __lock_acquire+0x6de/0x3ff0
[ 33.213144] ? mark_held_locks+0xf0/0xf0
[ 33.217182] ? mark_held_locks+0xf0/0xf0
[ 33.221220] ? __cpuusage_read+0x161/0x1f0
[ 33.225437] ? mark_held_locks+0xf0/0xf0
[ 33.229475] ? writeback_single_inode+0x2b/0x440
[ 33.234213] ? truncate_inode_pages_final+0xa0/0xb0
[ 33.239207] ? mark_held_locks+0xa6/0xf0
[ 33.243248] ? _raw_spin_unlock_irq+0x24/0x80
[ 33.247724] ? lockdep_hardirqs_on+0x3a8/0x5c0
[ 33.252288] hfsplus_evict_inode+0x16/0xd0
[ 33.256502] ? hfsplus_remount+0x300/0x300
[ 33.260716] evict+0x2ed/0x760
[ 33.263886] iput+0x4f1/0x860
[ 33.266989] hfsplus_put_super+0x270/0x3f0
[ 33.271203] ? hfsplus_sync_fs+0xae0/0xae0
[ 33.275418] generic_shutdown_super+0x144/0x370
[ 33.280089] kill_block_super+0x97/0xf0
[ 33.284042] deactivate_locked_super+0x94/0x160
[ 33.288688] deactivate_super+0x174/0x1a0
[ 33.292816] ? deactivate_locked_super+0x160/0x160
[ 33.297728] ? dput+0x31/0x640
[ 33.300900] cleanup_mnt+0x1a8/0x290
[ 33.304603] task_work_run+0x148/0x1c0
[ 33.308471] do_exit+0xbf3/0x2be0
[ 33.311904] ? lock_downgrade+0x720/0x720
[ 33.316030] ? mm_update_next_owner+0x650/0x650
[ 33.320677] ? up_read+0x17/0x110
[ 33.324109] ? __do_page_fault+0x180/0xd60
[ 33.328325] do_group_exit+0x125/0x310
[ 33.332201] __x64_sys_exit_group+0x3a/0x50
[ 33.336506] do_syscall_64+0xf9/0x620
[ 33.340286] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 33.345458] RIP: 0033:0x7f1ee0e08cc9
[ 33.349154] Code: Bad RIP value.
[ 33.352495] RSP: 002b:00007ffdeaa88db8 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
[ 33.360179] RAX: ffffffffffffffda RBX: 00007f1ee0e7e3f0 RCX: 00007f1ee0e08cc9
[ 33.367434] RDX: 000000000000003c RSI: 00000000000000e7 RDI: 0000000000000001
[ 33.374690] RBP: 0000000000000001 R08: ffffffffffffffc0 R09: 00000000000005f6
[ 33.381940] R10: 0000000000000000 R11: 0000000000000246 R12: 00007f1ee0e7e3f0
[ 33.389192] R13: 0000000000000001 R14: 0000000000000000 R15: 0000000000000001
[ 33.396530] Kernel Offset: disabled
[ 33.400141] Rebooting in 86400 seconds..