[ OK ] Reached target Graphical Interface.
Starting Update UTMP about System Runlevel Changes...
[ OK ] Started Update UTMP about System Runlevel Changes.
Starting Load/Save RF Kill Switch Status...
[ OK ] Started Load/Save RF Kill Switch Status.

Debian GNU/Linux 9 syzkaller ttyS0

Warning: Permanently added '10.128.0.12' (ECDSA) to the list of known hosts.

syzkaller login: [ 27.518999] IPVS: ftp: loaded support on port[0] = 21
executing program
[ 27.587799] ==================================================================
[ 27.595231] BUG: KASAN: use-after-free in hfsplus_releasepage+0x457/0x4e0
[ 27.602143] Read of size 4 at addr ffff8880b36f8cb8 by task syz-executor216/7979
[ 27.609653]
[ 27.611263] CPU: 0 PID: 7979 Comm: syz-executor216 Not tainted 4.14.300-syzkaller #0
[ 27.619118] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022
[ 27.628451] Call Trace:
[ 27.631021]  dump_stack+0x1b2/0x281
[ 27.634629]  print_address_description.cold+0x54/0x1d3
[ 27.639883]  kasan_report_error.cold+0x8a/0x191
[ 27.644530]  ? hfsplus_releasepage+0x457/0x4e0
[ 27.649085]  __asan_report_load4_noabort+0x68/0x70
[ 27.653992]  ? hfsplus_releasepage+0x457/0x4e0
[ 27.658549]  hfsplus_releasepage+0x457/0x4e0
[ 27.662934]  ? __wake_up_bit+0xd0/0xd0
[ 27.666799]  ? hfsplus_file_open+0x100/0x100
[ 27.671188]  try_to_release_page+0x143/0x1e0
[ 27.675575]  block_invalidatepage+0x258/0x2f0
[ 27.680047]  ? end_buffer_read_sync+0x70/0x70
[ 27.684522]  truncate_inode_page+0x212/0x2f0
[ 27.688909]  truncate_inode_pages_range+0x1e0/0x13e0
[ 27.693992]  ? generic_error_remove_page+0xb0/0xb0
[ 27.698901]  ? trace_hardirqs_on+0x10/0x10
[ 27.703111]  ? writeback_single_inode+0xeb/0x370
[ 27.707845]  ? trace_hardirqs_on+0x10/0x10
[ 27.712054]  ? lock_downgrade+0x740/0x740
[ 27.716183]  ? truncate_inode_pages_final+0x93/0xb0
[ 27.721177]  ? mark_held_locks+0xa6/0xf0
[ 27.725216]  ? _raw_spin_unlock_irq+0x24/0x80
[ 27.729687]  ? trace_hardirqs_on_caller+0x3a8/0x580
[ 27.734683]  hfsplus_evict_inode+0x16/0xc0
[ 27.738892]  ? hfsplus_remount+0x280/0x280
[ 27.743102]  evict+0x2c8/0x700
[ 27.746273]  iput+0x458/0x7e0
[ 27.749360]  hfsplus_put_super+0x258/0x3d0
[ 27.753570]  ? hfsplus_sync_fs+0xa70/0xa70
[ 27.757783]  generic_shutdown_super+0x144/0x370
[ 27.762607]  kill_block_super+0x95/0xe0
[ 27.766559]  deactivate_locked_super+0x6c/0xd0
[ 27.771121]  deactivate_super+0x7f/0xa0
[ 27.775081]  cleanup_mnt+0x186/0x2c0
[ 27.778792]  task_work_run+0x11f/0x190
[ 27.782661]  do_exit+0xa44/0x2850
[ 27.786097]  ? __do_page_fault+0x571/0xad0
[ 27.790315]  ? mm_update_next_owner+0x5b0/0x5b0
[ 27.794961]  ? lock_downgrade+0x740/0x740
[ 27.799110]  do_group_exit+0x100/0x2e0
[ 27.802998]  SyS_exit_group+0x19/0x20
[ 27.806792]  ? do_group_exit+0x2e0/0x2e0
[ 27.810839]  do_syscall_64+0x1d5/0x640
[ 27.814714]  entry_SYSCALL_64_after_hwframe+0x5e/0xd3
[ 27.819902]
[ 27.821523] Allocated by task 7979:
[ 27.825137]  kasan_kmalloc+0xeb/0x160
[ 27.828928]  kmem_cache_alloc_trace+0x131/0x3d0
[ 27.833584]  hfsplus_btree_open+0x4d/0xff0
[ 27.837801]  hfsplus_fill_super+0x9ce/0x1850
[ 27.842188]  mount_bdev+0x2b3/0x360
[ 27.845789]  mount_fs+0x92/0x2a0
[ 27.849133]  vfs_kern_mount.part.0+0x5b/0x470
[ 27.853610]  do_mount+0xe65/0x2a30
[ 27.857126]  SyS_mount+0xa8/0x120
[ 27.860554]  do_syscall_64+0x1d5/0x640
[ 27.864419]  entry_SYSCALL_64_after_hwframe+0x5e/0xd3
[ 27.869614]
[ 27.871220] Freed by task 7979:
[ 27.874479]  kasan_slab_free+0xc3/0x1a0
[ 27.878429]  kfree+0xc9/0x250
[ 27.881512]  hfsplus_btree_close+0x152/0x1d0
[ 27.885894]  hfsplus_put_super+0x208/0x3d0
[ 27.890106]  generic_shutdown_super+0x144/0x370
[ 27.894752]  kill_block_super+0x95/0xe0
[ 27.898719]  deactivate_locked_super+0x6c/0xd0
[ 27.903283]  deactivate_super+0x7f/0xa0
[ 27.907252]  cleanup_mnt+0x186/0x2c0
[ 27.910941]  task_work_run+0x11f/0x190
[ 27.914808]  do_exit+0xa44/0x2850
[ 27.918239]  do_group_exit+0x100/0x2e0
[ 27.922102]  SyS_exit_group+0x19/0x20
[ 27.925977]  do_syscall_64+0x1d5/0x640
[ 27.929851]  entry_SYSCALL_64_after_hwframe+0x5e/0xd3
[ 27.935013]
[ 27.936619] The buggy address belongs to the object at ffff8880b36f8c80
[ 27.936619]  which belongs to the cache kmalloc-4096 of size 4096
[ 27.949427] The buggy address is located 56 bytes inside of
[ 27.949427]  4096-byte region [ffff8880b36f8c80, ffff8880b36f9c80)
[ 27.961276] The buggy address belongs to the page:
[ 27.966186] page:ffffea0002cdbe00 count:1 mapcount:0 mapping:ffff8880b36f8c80 index:0x0 compound_mapcount: 0
[ 27.976130] flags: 0xfff00000008100(slab|head)
[ 27.980692] raw: 00fff00000008100 ffff8880b36f8c80 0000000000000000 0000000100000001
[ 27.988572] raw: ffffea0002ce88a0 ffffea00028685a0 ffff88813fe74dc0 0000000000000000
[ 27.996427] page dumped because: kasan: bad access detected
[ 28.002144]
[ 28.003754] Memory state around the buggy address:
[ 28.008660]  ffff8880b36f8b80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 28.016000]  ffff8880b36f8c00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 28.023340] >ffff8880b36f8c80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 28.030687]                                         ^
[ 28.035850]  ffff8880b36f8d00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 28.043184]  ffff8880b36f8d80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 28.050516] ==================================================================
[ 28.057858] Disabling lock debugging due to kernel taint
[ 28.073609] Kernel panic - not syncing: panic_on_warn set ...
[ 28.073609]
[ 28.080981] CPU: 0 PID: 7979 Comm: syz-executor216 Tainted: G B 4.14.300-syzkaller #0
[ 28.090065] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022
[ 28.099404] Call Trace:
[ 28.101991]  dump_stack+0x1b2/0x281
[ 28.105598]  panic+0x1f9/0x42d
[ 28.108778]  ? add_taint.cold+0x16/0x16
[ 28.112732]  ? ___preempt_schedule+0x16/0x18
[ 28.117121]  kasan_end_report+0x43/0x49
[ 28.121070]  kasan_report_error.cold+0xa7/0x191
[ 28.125715]  ? hfsplus_releasepage+0x457/0x4e0
[ 28.130272]  __asan_report_load4_noabort+0x68/0x70
[ 28.135180]  ? hfsplus_releasepage+0x457/0x4e0
[ 28.139738]  hfsplus_releasepage+0x457/0x4e0
[ 28.144129]  ? __wake_up_bit+0xd0/0xd0
[ 28.147992]  ? hfsplus_file_open+0x100/0x100
[ 28.152378]  try_to_release_page+0x143/0x1e0
[ 28.156766]  block_invalidatepage+0x258/0x2f0
[ 28.161326]  ? end_buffer_read_sync+0x70/0x70
[ 28.165796]  truncate_inode_page+0x212/0x2f0
[ 28.170180]  truncate_inode_pages_range+0x1e0/0x13e0
[ 28.175261]  ? generic_error_remove_page+0xb0/0xb0
[ 28.180165]  ? trace_hardirqs_on+0x10/0x10
[ 28.184376]  ? writeback_single_inode+0xeb/0x370
[ 28.189109]  ? trace_hardirqs_on+0x10/0x10
[ 28.193322]  ? lock_downgrade+0x740/0x740
[ 28.197445]  ? truncate_inode_pages_final+0x93/0xb0
[ 28.202443]  ? mark_held_locks+0xa6/0xf0
[ 28.206479]  ? _raw_spin_unlock_irq+0x24/0x80
[ 28.210948]  ? trace_hardirqs_on_caller+0x3a8/0x580
[ 28.215946]  hfsplus_evict_inode+0x16/0xc0
[ 28.220162]  ? hfsplus_remount+0x280/0x280
[ 28.224371]  evict+0x2c8/0x700
[ 28.227542]  iput+0x458/0x7e0
[ 28.230622]  hfsplus_put_super+0x258/0x3d0
[ 28.234839]  ? hfsplus_sync_fs+0xa70/0xa70
[ 28.239052]  generic_shutdown_super+0x144/0x370
[ 28.244211]  kill_block_super+0x95/0xe0
[ 28.248617]  deactivate_locked_super+0x6c/0xd0
[ 28.253173]  deactivate_super+0x7f/0xa0
[ 28.257124]  cleanup_mnt+0x186/0x2c0
[ 28.260817]  task_work_run+0x11f/0x190
[ 28.264683]  do_exit+0xa44/0x2850
[ 28.268115]  ? __do_page_fault+0x571/0xad0
[ 28.272328]  ? mm_update_next_owner+0x5b0/0x5b0
[ 28.276972]  ? lock_downgrade+0x740/0x740
[ 28.281100]  do_group_exit+0x100/0x2e0
[ 28.284968]  SyS_exit_group+0x19/0x20
[ 28.288748]  ? do_group_exit+0x2e0/0x2e0
[ 28.292783]  do_syscall_64+0x1d5/0x640
[ 28.296649]  entry_SYSCALL_64_after_hwframe+0x5e/0xd3
[ 28.301981] Kernel Offset: disabled
[ 28.305586] Rebooting in 86400 seconds..