[ OK ] Started Getty on tty2.
[ OK ] Started Getty on tty1.
[ OK ] Started Serial Getty on ttyS0.
[ OK ] Reached target Login Prompts.
[ OK ] Reached target Multi-User System.
[ OK ] Reached target Graphical Interface.
Starting Update UTMP about System Runlevel Changes...
[ OK ] Started Update UTMP about System Runlevel Changes.
Starting Load/Save RF Kill Switch Status...
[ OK ] Started Load/Save RF Kill Switch Status.

Debian GNU/Linux 9 syzkaller ttyS0

Warning: Permanently added '10.128.1.99' (ECDSA) to the list of known hosts.

syzkaller login: [ 28.104631] IPVS: ftp: loaded support on port[0] = 21
[ 28.189107] chnl_net:caif_netlink_parms(): no params data found
[ 28.256896] bridge0: port 1(bridge_slave_0) entered blocking state
[ 28.263466] bridge0: port 1(bridge_slave_0) entered disabled state
[ 28.270872] device bridge_slave_0 entered promiscuous mode
[ 28.278102] bridge0: port 2(bridge_slave_1) entered blocking state
[ 28.284448] bridge0: port 2(bridge_slave_1) entered disabled state
[ 28.291616] device bridge_slave_1 entered promiscuous mode
[ 28.307603] bond0: Enslaving bond_slave_0 as an active interface with an up link
[ 28.316558] bond0: Enslaving bond_slave_1 as an active interface with an up link
[ 28.333813] IPv6: ADDRCONF(NETDEV_UP): team_slave_0: link is not ready
[ 28.341106] team0: Port device team_slave_0 added
[ 28.346854] IPv6: ADDRCONF(NETDEV_UP): team_slave_1: link is not ready
[ 28.353897] team0: Port device team_slave_1 added
[ 28.368481] batman_adv: batadv0: Adding interface: batadv_slave_0
[ 28.374712] batman_adv: batadv0: The MTU of interface batadv_slave_0 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem.
[ 28.400007] batman_adv: batadv0: Not using interface batadv_slave_0 (retrying later): interface not active
[ 28.411233] batman_adv: batadv0: Adding interface: batadv_slave_1
[ 28.417556] batman_adv: batadv0: The MTU of interface batadv_slave_1 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem.
[ 28.442891] batman_adv: batadv0: Not using interface batadv_slave_1 (retrying later): interface not active
[ 28.457495] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_0: link is not ready
[ 28.464728] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_1: link is not ready
[ 28.482899] device hsr_slave_0 entered promiscuous mode
[ 28.488506] device hsr_slave_1 entered promiscuous mode
[ 28.494321] IPv6: ADDRCONF(NETDEV_UP): hsr_slave_0: link is not ready
[ 28.502098] IPv6: ADDRCONF(NETDEV_UP): hsr_slave_1: link is not ready
[ 28.562931] bridge0: port 2(bridge_slave_1) entered blocking state
[ 28.569347] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 28.576237] bridge0: port 1(bridge_slave_0) entered blocking state
[ 28.582583] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 28.608518] IPv6: ADDRCONF(NETDEV_UP): bond0: link is not ready
[ 28.614584] 8021q: adding VLAN 0 to HW filter on device bond0
[ 28.623805] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
[ 28.632343] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 28.651819] bridge0: port 1(bridge_slave_0) entered disabled state
[ 28.658975] bridge0: port 2(bridge_slave_1) entered disabled state
[ 28.669873] IPv6: ADDRCONF(NETDEV_UP): team0: link is not ready
[ 28.676070] 8021q: adding VLAN 0 to HW filter on device team0
[ 28.684142] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[ 28.691773] bridge0: port 1(bridge_slave_0) entered blocking state
[ 28.698167] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 28.708096] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[ 28.715692] bridge0: port 2(bridge_slave_1) entered blocking state
[ 28.722012] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 28.739735] hsr0: Slave A (hsr_slave_0) is not up; please bring it up to get a fully working HSR network
[ 28.749654] hsr0: Slave B (hsr_slave_1) is not up; please bring it up to get a fully working HSR network
[ 28.761756] IPv6: ADDRCONF(NETDEV_UP): hsr0: link is not ready
[ 28.768813] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready
[ 28.776589] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready
[ 28.784054] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
[ 28.792231] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
[ 28.800107] IPv6: ADDRCONF(NETDEV_CHANGE): hsr0: link becomes ready
[ 28.806980] IPv6: ADDRCONF(NETDEV_CHANGE): team0: link becomes ready
[ 28.819631] IPv6: ADDRCONF(NETDEV_UP): vxcan0: link is not ready
[ 28.827010] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan0: link becomes ready
[ 28.833632] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan1: link becomes ready
[ 28.843688] 8021q: adding VLAN 0 to HW filter on device batadv0
[ 28.892721] IPv6: ADDRCONF(NETDEV_UP): veth0_virt_wifi: link is not ready
[ 28.902810] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_virt_wifi: link becomes ready
[ 28.928851] IPv6: ADDRCONF(NETDEV_UP): veth0_vlan: link is not ready
[ 28.936754] IPv6: ADDRCONF(NETDEV_UP): vlan0: link is not ready
[ 28.943156] IPv6: ADDRCONF(NETDEV_UP): vlan1: link is not ready
[ 28.951875] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_vlan: link becomes ready
[ 28.960005] IPv6: ADDRCONF(NETDEV_CHANGE): vlan0: link becomes ready
[ 28.967006] IPv6: ADDRCONF(NETDEV_CHANGE): vlan1: link becomes ready
[ 28.975932] device veth0_vlan entered promiscuous mode
[ 28.984064] device veth1_vlan entered promiscuous mode
[ 28.990885] IPv6: ADDRCONF(NETDEV_UP): macvlan0: link is not ready
[ 28.999687] IPv6: ADDRCONF(NETDEV_UP): macvlan1: link is not ready
[ 29.010592] IPv6: ADDRCONF(NETDEV_UP): veth0_macvtap: link is not ready
[ 29.022457] IPv6: ADDRCONF(NETDEV_CHANGE): macvlan0: link becomes ready
[ 29.029873] IPv6: ADDRCONF(NETDEV_CHANGE): macvlan1: link becomes ready
[ 29.037202] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_macvtap: link becomes ready
[ 29.046988] device veth0_macvtap entered promiscuous mode
[ 29.053013] IPv6: ADDRCONF(NETDEV_UP): macvtap0: link is not ready
[ 29.061796] device veth1_macvtap entered promiscuous mode
[ 29.071147] IPv6: ADDRCONF(NETDEV_UP): veth0_to_batadv: link is not ready
[ 29.080618] IPv6: ADDRCONF(NETDEV_UP): veth1_to_batadv: link is not ready
[ 29.089851] batman_adv: batadv0: Interface activated: batadv_slave_0
[ 29.097202] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_batadv: link becomes ready
[ 29.105263] IPv6: ADDRCONF(NETDEV_CHANGE): macvtap0: link becomes ready
[ 29.115400] batman_adv: batadv0: Interface activated: batadv_slave_1
[ 29.122029] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_batadv: link becomes ready
executing program
[ 29.175219] IPv6: ADDRCONF(NETDEV_CHANGE): bond0: link becomes ready
[ 29.211137] ======================================================
[ 29.211137] WARNING: the mand mount option is being deprecated and
[ 29.211137] will be removed in v5.15!
[ 29.211137] ======================================================
[ 29.239750] UDF-fs: INFO Mounting volume 'LinuxUDF', timestamp 2022/11/22 14:59 (1000)
[ 29.253798] audit: type=1800 audit(1670691991.783:2): pid=7980 uid=0 auid=4294967295 ses=4294967295 op="collect_data" cause="failed(directio)" comm="syz-executor391" name="bus" dev="loop0" ino=1357 res=0
[ 29.327311] ==================================================================
[ 29.334811] BUG: KASAN: use-after-free in udf_close_lvid.isra.0+0x5a1/0x630
[ 29.341904] Write of size 1 at addr ffff88809bb13868 by task syz-executor391/7980
[ 29.349528]
[ 29.351136] CPU: 0 PID: 7980 Comm: syz-executor391 Not tainted 4.14.301-syzkaller #0
[ 29.359153] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022
[ 29.368482] Call Trace:
[ 29.371050]  dump_stack+0x1b2/0x281
[ 29.374660]  print_address_description.cold+0x54/0x1d3
[ 29.379914]  kasan_report_error.cold+0x8a/0x191
[ 29.384563]  ? udf_close_lvid.isra.0+0x5a1/0x630
[ 29.389294]  __asan_report_store1_noabort+0x68/0x70
[ 29.394287]  ? udf_close_lvid.isra.0+0x5a1/0x630
[ 29.399115]  udf_close_lvid.isra.0+0x5a1/0x630
[ 29.403677]  ? init_once+0x40/0x40
[ 29.407194]  ? iput+0x16/0x7e0
[ 29.410887]  ? dispose_list+0x1e0/0x1e0
[ 29.414839]  udf_put_super+0x211/0x2a0
[ 29.418705]  ? udf_sb_free_partitions.isra.0+0xaf0/0xaf0
[ 29.424135]  generic_shutdown_super+0x144/0x370
[ 29.428869]  kill_block_super+0x95/0xe0
[ 29.432823]  deactivate_locked_super+0x6c/0xd0
[ 29.437408]  deactivate_super+0x7f/0xa0
[ 29.441367]  cleanup_mnt+0x186/0x2c0
[ 29.445072]  task_work_run+0x11f/0x190
[ 29.448941]  do_exit+0xa44/0x2850
[ 29.452388]  ? __do_page_fault+0x571/0xad0
[ 29.456615]  ? mm_update_next_owner+0x5b0/0x5b0
[ 29.461265]  ? lock_downgrade+0x740/0x740
[ 29.465401]  do_group_exit+0x100/0x2e0
[ 29.469271]  SyS_exit_group+0x19/0x20
[ 29.473047]  ? do_group_exit+0x2e0/0x2e0
[ 29.477088]  do_syscall_64+0x1d5/0x640
[ 29.480955]  entry_SYSCALL_64_after_hwframe+0x5e/0xd3
[ 29.486121] RIP: 0033:0x7f5dd17e0549
[ 29.489810] RSP: 002b:00007fff69d535a8 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
[ 29.497496] RAX: ffffffffffffffda RBX: 00007f5dd1867470 RCX: 00007f5dd17e0549
[ 29.504743] RDX: 000000000000003c RSI: 00000000000000e7 RDI: 0000000000000001
[ 29.511988] RBP: 0000000000000001 R08: ffffffffffffffb8 R09: 00007fff69d53628
[ 29.519234] R10: 000080001d00c0d0 R11: 0000000000000246 R12: 00007f5dd1867470
[ 29.526478] R13: 0000000000000001 R14: 0000000000000000 R15: 0000000000000001
[ 29.533732]
[ 29.535337] Allocated by task 1:
[ 29.538705]  kasan_kmalloc+0xeb/0x160
[ 29.542481]  kmem_cache_alloc+0x124/0x3c0
[ 29.546605]  getname_flags+0xc8/0x550
[ 29.550393]  do_sys_open+0x1ce/0x410
[ 29.554087]  do_syscall_64+0x1d5/0x640
[ 29.557952]  entry_SYSCALL_64_after_hwframe+0x5e/0xd3
[ 29.563139]
[ 29.564749] Freed by task 1:
[ 29.567744]  kasan_slab_free+0xc3/0x1a0
[ 29.571694]  kmem_cache_free+0x7c/0x2b0
[ 29.575646]  putname+0xcd/0x110
[ 29.578902]  do_sys_open+0x203/0x410
[ 29.582591]  do_syscall_64+0x1d5/0x640
[ 29.586457]  entry_SYSCALL_64_after_hwframe+0x5e/0xd3
[ 29.591620]
[ 29.593229] The buggy address belongs to the object at ffff88809bb12c80
[ 29.593229]  which belongs to the cache names_cache of size 4096
[ 29.605947] The buggy address is located 3048 bytes inside of
[ 29.605947]  4096-byte region [ffff88809bb12c80, ffff88809bb13c80)
[ 29.617975] The buggy address belongs to the page:
[ 29.622880] page:ffffea00026ec480 count:1 mapcount:0 mapping:ffff88809bb12c80 index:0x0 compound_mapcount: 0
[ 29.632835] flags: 0xfff00000008100(slab|head)
[ 29.637395] raw: 00fff00000008100 ffff88809bb12c80 0000000000000000 0000000100000001
[ 29.645253] raw: ffffea00026eefa0 ffffea00026e8020 ffff88823f8c1200 0000000000000000
[ 29.653239] page dumped because: kasan: bad access detected
[ 29.658923]
[ 29.660529] Memory state around the buggy address:
[ 29.665435]  ffff88809bb13700: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 29.672859]  ffff88809bb13780: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 29.680280] >ffff88809bb13800: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 29.687614]                                                           ^
[ 29.694791]  ffff88809bb13880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 29.703342]  ffff88809bb13900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 29.710680] ==================================================================
[ 29.718011] Disabling lock debugging due to kernel taint
[ 29.734898] Kernel panic - not syncing: panic_on_warn set ...
[ 29.734898]
[ 29.742283] CPU: 1 PID: 7980 Comm: syz-executor391 Tainted: G B 4.14.301-syzkaller #0
[ 29.751364] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022
[ 29.760696] Call Trace:
[ 29.763258]  dump_stack+0x1b2/0x281
[ 29.766864]  panic+0x1f9/0x42d
[ 29.770040]  ? add_taint.cold+0x16/0x16
[ 29.773987]  ? ___preempt_schedule+0x16/0x18
[ 29.778371]  kasan_end_report+0x43/0x49
[ 29.782316]  kasan_report_error.cold+0xa7/0x191
[ 29.786966]  ? udf_close_lvid.isra.0+0x5a1/0x630
[ 29.791714]  __asan_report_store1_noabort+0x68/0x70
[ 29.796704]  ? udf_close_lvid.isra.0+0x5a1/0x630
[ 29.801432]  udf_close_lvid.isra.0+0x5a1/0x630
[ 29.805987]  ? init_once+0x40/0x40
[ 29.809499]  ? iput+0x16/0x7e0
[ 29.812668]  ? dispose_list+0x1e0/0x1e0
[ 29.816613]  udf_put_super+0x211/0x2a0
[ 29.820471]  ? udf_sb_free_partitions.isra.0+0xaf0/0xaf0
[ 29.825891]  generic_shutdown_super+0x144/0x370
[ 29.830619]  kill_block_super+0x95/0xe0
[ 29.834571]  deactivate_locked_super+0x6c/0xd0
[ 29.839124]  deactivate_super+0x7f/0xa0
[ 29.843089]  cleanup_mnt+0x186/0x2c0
[ 29.846776]  task_work_run+0x11f/0x190
[ 29.850655]  do_exit+0xa44/0x2850
[ 29.854091]  ? __do_page_fault+0x571/0xad0
[ 29.858386]  ? mm_update_next_owner+0x5b0/0x5b0
[ 29.863029]  ? lock_downgrade+0x740/0x740
[ 29.867151]  do_group_exit+0x100/0x2e0
[ 29.871013]  SyS_exit_group+0x19/0x20
[ 29.874789]  ? do_group_exit+0x2e0/0x2e0
[ 29.878820]  do_syscall_64+0x1d5/0x640
[ 29.882681]  entry_SYSCALL_64_after_hwframe+0x5e/0xd3
[ 29.887879] RIP: 0033:0x7f5dd17e0549
[ 29.891562] RSP: 002b:00007fff69d535a8 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
[ 29.899241] RAX: ffffffffffffffda RBX: 00007f5dd1867470 RCX: 00007f5dd17e0549
[ 29.906483] RDX: 000000000000003c RSI: 00000000000000e7 RDI: 0000000000000001
[ 29.913726] RBP: 0000000000000001 R08: ffffffffffffffb8 R09: 00007fff69d53628
[ 29.920966] R10: 000080001d00c0d0 R11: 0000000000000246 R12: 00007f5dd1867470
[ 29.928208] R13: 0000000000000001 R14: 0000000000000000 R15: 0000000000000001
[ 29.935627] Kernel Offset: disabled
[ 29.939229] Rebooting in 86400 seconds..