[?25l[?1c7[ ok 8[?25h[?0c. [....] Starting periodic command scheduler: cron[?25l[?1c7[ ok 8[?25h[?0c. Starting mcstransd: [....] Starting file context maintaining daemon: restorecond[?25l[?1c7[ ok 8[?25h[?0c. [....] Starting OpenBSD Secure Shell server: sshd[ 10.532819] random: crng init done [?25l[?1c7[ ok 8[?25h[?0c. Debian GNU/Linux 7 syzkaller ttyS0 Warning: Permanently added '10.128.0.43' (ECDSA) to the list of known hosts. 2018/11/25 09:33:54 fuzzer started 2018/11/25 09:33:56 dialing manager at 10.128.0.26:37301 2018/11/25 09:33:56 syscalls: 1 2018/11/25 09:33:56 code coverage: enabled 2018/11/25 09:33:56 comparison tracing: CONFIG_KCOV_ENABLE_COMPARISONS is not enabled 2018/11/25 09:33:56 setuid sandbox: enabled 2018/11/25 09:33:56 namespace sandbox: enabled 2018/11/25 09:33:56 Android sandbox: /sys/fs/selinux/policy does not exist 2018/11/25 09:33:56 fault injection: kernel does not have systematic fault injection support 2018/11/25 09:33:56 leak checking: CONFIG_DEBUG_KMEMLEAK is not enabled 2018/11/25 09:33:56 net packet injection: enabled 2018/11/25 09:33:56 net device setup: enabled 09:35:03 executing program 0: 09:35:03 executing program 5: r0 = openat$ptmx(0xffffffffffffff9c, &(0x7f0000000480)='/dev/ptmx\x00', 0x0, 0x0) ioctl$TIOCPKT(r0, 0x5420, &(0x7f0000000380)=0x1) pipe(&(0x7f0000000080)={0xffffffffffffffff, 0xffffffffffffffff}) write(r1, &(0x7f00000001c0), 0xffffffea) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xfffffffffffffffd}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) pselect6(0x40, &(0x7f00000000c0), &(0x7f00000004c0), 0x0, &(0x7f0000000200), &(0x7f0000000300)={&(0x7f00000002c0), 0x8}) clock_gettime(0x0, &(0x7f0000000180)) syz_open_procfs(0xffffffffffffffff, &(0x7f0000000040)='loginuid\x00') 09:35:03 executing program 2: r0 = openat$keychord(0xffffffffffffff9c, &(0x7f0000000140)='/dev/keychord\x00', 0x200000023e, 0x0) getsockopt$sock_cred(0xffffffffffffffff, 0x1, 0x11, 0x0, 0x0) write$eventfd(r0, &(0x7f0000000000)=0x20000100000001, 0x8) write$eventfd(r0, &(0x7f00000000c0), 0x8) 09:35:03 executing program 1: mkdir(&(0x7f0000000000)='./file0\x00', 0x0) mount$bpf(0x20000000, &(0x7f0000002600)='./file0\x00', 0x0, 0x2001001, 0x0) syz_mount_image$ext4(0x0, &(0x7f0000000200)='./file0\x00', 0x0, 0x0, 0x0, 0x100032, &(0x7f0000000100)={[{@noblock_validity='noblock_validity'}]}) 09:35:03 executing program 3: r0 = syz_open_procfs(0x0, &(0x7f0000000080)='\x00\x00\x00\x00\x00') r1 = openat$cgroup_ro(r0, &(0x7f0000000000)="6d656d00017937737761532e63757289c942abe3fa72656e7400", 0x0, 0x0) preadv(r1, &(0x7f0000000180)=[{&(0x7f00000000c0)=""/81, 0x20000111}], 0x1, 0x2000107c) socketpair$unix(0x1, 0x1, 0x0, &(0x7f0000000080)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r2, 0x8912, 0x400200) 09:35:03 executing program 4: r0 = creat(&(0x7f0000000080)='./file0\x00', 0x0) write$binfmt_elf64(r0, &(0x7f0000000080)=ANY=[], 0x100000118) sched_setattr(0x0, &(0x7f00000001c0)={0x0, 0x2, 0x0, 0x0, 0x3f}, 0x0) chmod(&(0x7f0000000100)='./file0\x00', 0x0) syzkaller login: INIT: Id "1" respawning too fast: disabled for 5 minutes INIT: Id "5" respawning too fast: disabled for 5 minutes INIT: Id "6" respawning too fast: disabled for 5 minutes INIT: Id "2" respawning too fast: disabled for 5 minutes INIT: Id "3" respawning too fast: disabled for 5 minutes INIT: Id "4" respawning too fast: disabled for 5 minutes [ 111.661111] audit: type=1400 audit(1543138510.397:5): avc: denied { associate } for pid=2116 comm="syz-executor0" name="syz0" scontext=unconfined_u:object_r:unlabeled_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=filesystem permissive=1 09:35:10 executing program 0: r0 = socket$inet(0x2, 0x4000000000000001, 0x0) bind$inet(r0, &(0x7f0000deb000)={0x2, 0x4e23, @multicast1}, 0x10) sendto$inet(r0, 0x0, 0x0, 0x200007fd, &(0x7f00000008c0)={0x2, 0x4e23, @local}, 0x10) write$binfmt_elf64(r0, &(0x7f0000002300)=ANY=[@ANYRES64], 0x1000001bd) pipe(&(0x7f0000000540)) timerfd_create(0x0, 0x0) write(0xffffffffffffffff, 0x0, 0x0) pselect6(0x40, &(0x7f00000000c0), 0x0, &(0x7f0000000140)={0x8}, &(0x7f0000000200), 0x0) vmsplice(0xffffffffffffffff, 0x0, 0x0, 0x0) [ 111.824528] hrtimer: interrupt took 34944 ns [ 111.833406] audit: type=1400 audit(1543138510.577:6): avc: denied { wake_alarm } for pid=4732 comm="syz-executor0" capability=35 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=capability2 permissive=1 [ 111.874066] ================================================================== [ 111.881443] BUG: KASAN: use-after-free in ext4_data_block_valid+0x28a/0x2e0 [ 111.888540] Read of size 8 at addr ffff8801d5333bb0 by task modprobe/4760 [ 111.895456] [ 111.897084] CPU: 1 PID: 4760 Comm: modprobe Not tainted 4.9.140+ #68 [ 111.903566] ffff8801a2ebf298 ffffffff81b42e79 ffffea000754ccc0 ffff8801d5333bb0 [ 111.911719] 0000000000000000 ffff8801d5333bb0 00000000000021c2 ffff8801a2ebf2d0 [ 111.919784] ffffffff815009b8 ffff8801d5333bb0 0000000000000008 0000000000000000 [ 111.927925] Call Trace: [ 111.930526] [] dump_stack+0xc1/0x128 [ 111.935886] [] print_address_description+0x6c/0x234 [ 111.942574] [] kasan_report.cold.6+0x242/0x2fe [ 111.948824] [] ? ext4_data_block_valid+0x28a/0x2e0 [ 111.955419] [] __asan_report_load8_noabort+0x14/0x20 [ 111.962173] [] ext4_data_block_valid+0x28a/0x2e0 [ 111.968572] [] __check_block_validity.constprop.26+0xc1/0x200 [ 111.976101] [] ext4_map_blocks+0xc80/0x16d0 [ 111.982081] [] ? save_stack_trace+0x16/0x20 [ 111.988091] [] ? kasan_kmalloc.part.1+0x62/0xf0 [ 111.994400] [] ? kasan_kmalloc+0xaf/0xc0 [ 112.000131] [] ? kasan_slab_alloc+0x12/0x20 [ 112.006114] [] ? kmem_cache_alloc+0xd5/0x2b0 [ 112.012165] [] ? __d_alloc+0x2e/0x8f0 [ 112.017608] [] ? d_alloc+0x4f/0x260 [ 112.022896] [] ? ext4_issue_zeroout+0x150/0x150 [ 112.029211] [] ? __ext4_check_dir_entry+0x1b2/0x330 [ 112.035867] [] ext4_getblk+0x2cc/0x450 [ 112.041400] [] ? ext4_dio_get_block+0xe0/0xe0 [ 112.047555] [] ext4_find_entry+0xa94/0x12c0 [ 112.053520] [] ? check_preemption_disabled+0x3b/0x200 [ 112.060373] [] ? ext4_search_dir+0x2a0/0x2a0 [ 112.066426] [] ? mark_held_locks+0xc7/0x130 [ 112.072392] [] ? check_preemption_disabled+0x3b/0x200 [ 112.079228] [] ? d_alloc_parallel+0x60d/0x1710 [ 112.085455] [] ? d_alloc_parallel+0x7f2/0x1710 [ 112.091675] [] ? lookup_open+0x4b1/0x18b0 [ 112.097478] [] ? trace_hardirqs_on+0x10/0x10 [ 112.103557] [] ? check_preemption_disabled+0x3b/0x200 [ 112.110409] [] ? __d_lookup_rcu+0x720/0x720 [ 112.116372] [] ext4_lookup+0x139/0x5e0 [ 112.121894] [] ? d_lookup+0xd9/0x130 [ 112.127230] [] ? ext4_find_entry+0x12c0/0x12c0 [ 112.133437] [] ? d_lookup+0x110/0x130 [ 112.138862] [] ? lookup_open+0x28b/0x18b0 [ 112.144635] [] ? ext4_find_entry+0x12c0/0x12c0 [ 112.150843] [] lookup_open+0x92f/0x18b0 [ 112.156457] [] ? may_open.isra.20+0x2a0/0x2a0 [ 112.162579] [] path_openat+0x1330/0x2790 [ 112.168267] [] ? path_mountpoint+0x6c0/0x6c0 [ 112.174304] [] ? trace_hardirqs_on+0x10/0x10 [ 112.180354] [] ? new_slab+0x22e/0x3d0 [ 112.185780] [] ? expand_files.part.3+0x3a9/0x6d0 [ 112.192172] [] do_filp_open+0x197/0x270 [ 112.197787] [] ? may_open_dev+0xe0/0xe0 [ 112.203412] [] ? _raw_spin_unlock+0x2c/0x50 [ 112.209368] [] ? __alloc_fd+0x1d7/0x4a0 [ 112.214982] [] do_sys_open+0x30d/0x5c0 [ 112.220495] [] ? filp_open+0x70/0x70 [ 112.225836] [] ? SyS_fallocate+0x90/0x90 [ 112.231525] [] SyS_open+0x2d/0x40 [ 112.236613] [] ? do_sys_open+0x5c0/0x5c0 [ 112.242303] [] do_syscall_64+0x19f/0x550 [ 112.247997] [] entry_SYSCALL_64_after_swapgs+0x5d/0xdb [ 112.254904] [ 112.256503] Allocated by task 1: [ 112.259876] save_stack_trace+0x16/0x20 [ 112.263822] kasan_kmalloc.part.1+0x62/0xf0 [ 112.268135] kasan_kmalloc+0xaf/0xc0 [ 112.271822] kasan_slab_alloc+0x12/0x20 [ 112.275799] kmem_cache_alloc+0xd5/0x2b0 [ 112.279842] add_system_zone+0x26f/0x500 [ 112.283900] ext4_setup_system_zone+0x30a/0x490 [ 112.288557] ext4_fill_super+0x7431/0xb7e0 [ 112.292764] mount_bdev+0x2be/0x380 [ 112.296362] ext4_mount+0x34/0x40 [ 112.299786] mount_fs+0x28c/0x370 [ 112.303213] vfs_kern_mount.part.8+0xd1/0x4b0 [ 112.307680] do_mount+0x3c9/0x28a0 [ 112.311196] SyS_mount+0xea/0x100 [ 112.314651] mount_block_root+0x35d/0x711 [ 112.318779] mount_root+0x77/0x7a [ 112.322210] prepare_namespace+0x1d3/0x210 [ 112.326429] kernel_init_freeable+0x38e/0x3ac [ 112.330900] kernel_init+0x11/0x15e [ 112.334521] ret_from_fork+0x5c/0x70 [ 112.338261] [ 112.339863] Freed by task 4755: [ 112.343133] save_stack_trace+0x16/0x20 [ 112.347082] kasan_slab_free+0xac/0x190 [ 112.351052] kmem_cache_free+0xbe/0x310 [ 112.355009] ext4_release_system_zone+0x7c/0x110 [ 112.359758] ext4_setup_system_zone+0x3cd/0x490 [ 112.364399] ext4_remount+0xc57/0x1c50 [ 112.368270] do_remount_sb2+0x351/0x7d0 [ 112.372246] do_mount+0xf91/0x28a0 [ 112.375779] SyS_mount+0xea/0x100 [ 112.379240] do_syscall_64+0x19f/0x550 [ 112.383111] entry_SYSCALL_64_after_swapgs+0x5d/0xdb [ 112.388195] [ 112.389825] The buggy address belongs to the object at ffff8801d5333b98 [ 112.389825] which belongs to the cache ext4_system_zone of size 40 [ 112.402810] The buggy address is located 24 bytes inside of [ 112.402810] 40-byte region [ffff8801d5333b98, ffff8801d5333bc0) [ 112.414494] The buggy address belongs to the page: [ 112.419401] page:ffffea000754ccc0 count:1 mapcount:0 mapping: (null) index:0xffff8801d5333b60 [ 112.428940] flags: 0x4000000000000080(slab) [ 112.433246] page dumped because: kasan: bad access detected [ 112.438934] [ 112.440547] Memory state around the buggy address: [ 112.445448] ffff8801d5333a80: fb fb fb fb fb fc fc fb fb fb fb fb fc fc fb fb [ 112.452799] ffff8801d5333b00: fb fb fb fc fc fb fb fb fb fb fc fc fb fb fb fb [ 112.460143] >ffff8801d5333b80: fb fc fc fb fb fb fb fb fc fc fc fc fc fc fc fc [ 112.467484] ^ [ 112.472402] ffff8801d5333c00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 112.479757] ffff8801d5333c80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 112.487091] ================================================================== [ 112.494427] Disabling lock debugging due to kernel taint [ 112.503808] Kernel panic - not syncing: panic_on_warn set ... [ 112.503808] [ 112.511173] CPU: 0 PID: 4760 Comm: modprobe Tainted: G B 4.9.140+ #68 [ 112.518853] ffff8801a2ebf1f8 ffffffff81b42e79 ffffffff82e37460 00000000ffffffff [ 112.526910] 0000000000000000 0000000000000000 00000000000021c2 ffff8801a2ebf2b8 [ 112.534898] ffffffff813f7125 0000000041b58ab3 ffffffff82e2b45b ffffffff813f6f66 [ 112.542921] Call Trace: [ 112.545477] [] dump_stack+0xc1/0x128 [ 112.550811] [] panic+0x1bf/0x39f [ 112.555802] [] ? add_taint.cold.5+0x16/0x16 [ 112.561760] [] ? ___preempt_schedule+0x16/0x18 [ 112.567986] [] kasan_end_report+0x47/0x4f [ 112.573786] [] kasan_report.cold.6+0x76/0x2fe [ 112.579899] [] ? ext4_data_block_valid+0x28a/0x2e0 [ 112.586448] [] __asan_report_load8_noabort+0x14/0x20 [ 112.593170] [] ext4_data_block_valid+0x28a/0x2e0 [ 112.599546] [] __check_block_validity.constprop.26+0xc1/0x200 [ 112.607070] [] ext4_map_blocks+0xc80/0x16d0 [ 112.613015] [] ? save_stack_trace+0x16/0x20 [ 112.618962] [] ? kasan_kmalloc.part.1+0x62/0xf0 [ 112.625249] [] ? kasan_kmalloc+0xaf/0xc0 [ 112.630928] [] ? kasan_slab_alloc+0x12/0x20 [ 112.636868] [] ? kmem_cache_alloc+0xd5/0x2b0 [ 112.642899] [] ? __d_alloc+0x2e/0x8f0 [ 112.648318] [] ? d_alloc+0x4f/0x260 [ 112.653565] [] ? ext4_issue_zeroout+0x150/0x150 [ 112.659855] [] ? __ext4_check_dir_entry+0x1b2/0x330 [ 112.666492] [] ext4_getblk+0x2cc/0x450 [ 112.672002] [] ? ext4_dio_get_block+0xe0/0xe0 [ 112.678153] [] ext4_find_entry+0xa94/0x12c0 [ 112.684101] [] ? check_preemption_disabled+0x3b/0x200 [ 112.690916] [] ? ext4_search_dir+0x2a0/0x2a0 [ 112.696962] [] ? mark_held_locks+0xc7/0x130 [ 112.702907] [] ? check_preemption_disabled+0x3b/0x200 [ 112.709729] [] ? d_alloc_parallel+0x60d/0x1710 [ 112.715932] [] ? d_alloc_parallel+0x7f2/0x1710 [ 112.722137] [] ? lookup_open+0x4b1/0x18b0 [ 112.727922] [] ? trace_hardirqs_on+0x10/0x10 [ 112.733956] [] ? check_preemption_disabled+0x3b/0x200 [ 112.740769] [] ? __d_lookup_rcu+0x720/0x720 [ 112.746715] [] ext4_lookup+0x139/0x5e0 [ 112.752236] [] ? d_lookup+0xd9/0x130 [ 112.757572] [] ? ext4_find_entry+0x12c0/0x12c0 [ 112.763779] [] ? d_lookup+0x110/0x130 [ 112.769202] [] ? lookup_open+0x28b/0x18b0 [ 112.774974] [] ? ext4_find_entry+0x12c0/0x12c0 [ 112.781181] [] lookup_open+0x92f/0x18b0 [ 112.786794] [] ? may_open.isra.20+0x2a0/0x2a0 [ 112.792915] [] path_openat+0x1330/0x2790 [ 112.798601] [] ? path_mountpoint+0x6c0/0x6c0 [ 112.804632] [] ? trace_hardirqs_on+0x10/0x10 [ 112.810659] [] ? new_slab+0x22e/0x3d0 [ 112.816082] [] ? expand_files.part.3+0x3a9/0x6d0 [ 112.822472] [] do_filp_open+0x197/0x270 [ 112.828069] [] ? may_open_dev+0xe0/0xe0 [ 112.833665] [] ? _raw_spin_unlock+0x2c/0x50 [ 112.839607] [] ? __alloc_fd+0x1d7/0x4a0 [ 112.845204] [] do_sys_open+0x30d/0x5c0 [ 112.850743] [] ? filp_open+0x70/0x70 [ 112.856079] [] ? SyS_fallocate+0x90/0x90 [ 112.861763] [] SyS_open+0x2d/0x40 [ 112.866838] [] ? do_sys_open+0x5c0/0x5c0 [ 112.872551] [] do_syscall_64+0x19f/0x550 [ 112.878259] [] entry_SYSCALL_64_after_swapgs+0x5d/0xdb [ 112.885546] Kernel Offset: disabled [ 112.889161] Rebooting in 86400 seconds..