Warning: Permanently added '10.128.1.48' (ECDSA) to the list of known hosts.
executing program
syzkaller login: [   39.145111] EXT4-fs (loop0): mounted filesystem without journal. Opts: ,errors=continue
[   39.183793] ==================================================================
[   39.191581] BUG: KASAN: use-after-free in ext4_write_inline_data+0x300/0x3d0
[   39.198969] Write of size 70 at addr ffff8880b04b0016 by task syz-executor016/8128
[   39.206779]
[   39.208428] CPU: 1 PID: 8128 Comm: syz-executor016 Not tainted 4.19.193-syzkaller #0
[   39.216322] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   39.225780] Call Trace:
[   39.228391]  dump_stack+0x1fc/0x2ef
[   39.232264]  print_address_description.cold+0x54/0x219
[   39.237649]  kasan_report_error.cold+0x8a/0x1b9
[   39.242333]  ? ext4_write_inline_data+0x300/0x3d0
[   39.247348]  kasan_report+0x8f/0xa0
[   39.250993]  ? ext4_write_inline_data+0x300/0x3d0
[   39.255863]  memcpy+0x35/0x50
[   39.259194]  ext4_write_inline_data+0x300/0x3d0
[   39.264174]  ext4_write_inline_data_end+0x220/0x640
[   39.269497]  ? ext4_try_to_write_inline_data+0x1a20/0x1a20
[   39.275145]  ext4_write_end+0x1de/0xec0
[   39.279270]  ext4_da_write_end+0x860/0xa70
[   39.283525]  generic_perform_write+0x2ae/0x4d0
[   39.288233]  ? __mnt_drop_write_file+0x6f/0xa0
[   39.293009]  ? filemap_page_mkwrite+0x2f0/0x2f0
[   39.298409]  ? current_time+0x1c0/0x1c0
[   39.302666]  ? retint_kernel+0x2d/0x2d
[   39.306576]  __generic_file_write_iter+0x24b/0x610
[   39.311681]  ext4_file_write_iter+0x2fe/0xf20
[   39.316761]  ? ext4_file_open+0x600/0x600
[   39.321006]  ? do_futex+0x171/0x1880
[   39.325062]  ? mark_held_locks+0xf0/0xf0
[   39.329247]  __vfs_write+0x51b/0x770
[   39.332973]  ? common_file_perm+0x4e5/0x850
[   39.337385]  ? kernel_read+0x110/0x110
[   39.341548]  ? check_preemption_disabled+0x41/0x280
[   39.346915]  ? rcu_read_lock_sched_held+0x16c/0x1d0
[   39.351930]  vfs_write+0x1f3/0x540
[   39.355818]  ksys_write+0x12b/0x2a0
[   39.359454]  ? __ia32_sys_read+0xb0/0xb0
[   39.363534]  ? trace_hardirqs_off_caller+0x6e/0x210
[   39.368702]  ? do_syscall_64+0x21/0x620
[   39.372676]  do_syscall_64+0xf9/0x620
[   39.376585]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   39.382286] RIP: 0033:0x44a9f9
[   39.385482] Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 bc ff ff ff f7 d8 64 89 01 48
[   39.406478] RSP: 002b:00007f9f195b9208 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
[   39.414542] RAX: ffffffffffffffda RBX: 00000000004cc428 RCX: 000000000044a9f9
[   39.422009] RDX: 0000000000000082 RSI: 00000000200000c0 RDI: 0000000000000008
[   39.429631] RBP: 00000000004cc420 R08: 0000000000000000 R09: 0000000000000000
[   39.436991] R10: 0000000000000000 R11: 0000000000000246 R12: 00000000004cc42c
[   39.444261] R13: 00007ffee825f65f R14: 00007f9f195b9300 R15: 0000000000022000
[   39.451710]
[   39.453334] Allocated by task 28:
[   39.456874]  kmem_cache_alloc+0x122/0x370
[   39.461098]  alloc_pid+0x53/0x8f0
[   39.464649]  copy_process.part.0+0x3bc0/0x8260
[   39.469243]  _do_fork+0x22f/0xf30
[   39.472683]  kernel_thread+0x2f/0x40
[   39.476395]  call_usermodehelper_exec_work+0x16d/0x260
[   39.481934]  process_one_work+0x864/0x1570
[   39.486348]  worker_thread+0x64c/0x1130
[   39.490416]  kthread+0x33f/0x460
[   39.493771]  ret_from_fork+0x24/0x30
[   39.497473]
[   39.499083] Freed by task 9:
[   39.502107]  kmem_cache_free+0x7f/0x260
[   39.506078]  put_pid.part.0+0x109/0x150
[   39.510123]  delayed_put_pid+0x1c/0x30
[   39.514001]  rcu_process_callbacks+0x8ff/0x18b0
[   39.518929]  __do_softirq+0x265/0x980
[   39.522816]
[   39.524446] The buggy address belongs to the object at ffff8880b04b0000
[   39.524446]  which belongs to the cache pid of size 72
[   39.536414] The buggy address is located 22 bytes inside of
[   39.536414]  72-byte region [ffff8880b04b0000, ffff8880b04b0048)
[   39.548568] The buggy address belongs to the page:
[   39.553670] page:ffffea0002c12c00 count:1 mapcount:0 mapping:ffff88823b8334c0 index:0xffff8880b04b0f80
[   39.563447] flags: 0xfff00000000100(slab)
[   39.567593] raw: 00fff00000000100 ffffea0002cbdac8 ffffea0002b77c88 ffff88823b8334c0
[   39.575573] raw: ffff8880b04b0f80 ffff8880b04b0000 000000010000000e 0000000000000000
[   39.584220] page dumped because: kasan: bad access detected
[   39.590028]
[   39.591728] Memory state around the buggy address:
[   39.596640]  ffff8880b04aff00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   39.603985]  ffff8880b04aff80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   39.611462] >ffff8880b04b0000: fb fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc
[   39.619090]                          ^
[   39.622970]  ffff8880b04b0080: fb fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc
[   39.630637]  ffff8880b04b0100: fb fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc
[   39.638654] ==================================================================
[   39.646008] Disabling lock debugging due to kernel taint
[   39.651872] Kernel panic - not syncing: panic_on_warn set ...
[   39.651872]
[   39.659345] CPU: 1 PID: 8128 Comm: syz-executor016 Tainted: G    B             4.19.193-syzkaller #0
[   39.669062] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   39.679550] Call Trace:
[   39.682343]  dump_stack+0x1fc/0x2ef
[   39.686347]  panic+0x26a/0x50e
[   39.689768]  ? __warn_printk+0xf3/0xf3
[   39.693657]  ? retint_kernel+0x2d/0x2d
[   39.697661]  ? trace_hardirqs_on+0x55/0x210
[   39.702485]  kasan_end_report+0x43/0x49
[   39.706632]  kasan_report_error.cold+0xa7/0x1b9
[   39.711381]  ? ext4_write_inline_data+0x300/0x3d0
[   39.716321]  kasan_report+0x8f/0xa0
[   39.720753]  ? ext4_write_inline_data+0x300/0x3d0
[   39.726437]  memcpy+0x35/0x50
[   39.729909]  ext4_write_inline_data+0x300/0x3d0
[   39.735457]  ext4_write_inline_data_end+0x220/0x640
[   39.741471]  ? ext4_try_to_write_inline_data+0x1a20/0x1a20
[   39.747908]  ext4_write_end+0x1de/0xec0
[   39.751890]  ext4_da_write_end+0x860/0xa70
[   39.756270]  generic_perform_write+0x2ae/0x4d0
[   39.760934]  ? __mnt_drop_write_file+0x6f/0xa0
[   39.765685]  ? filemap_page_mkwrite+0x2f0/0x2f0
[   39.771135]  ? current_time+0x1c0/0x1c0
[   39.775298]  ? retint_kernel+0x2d/0x2d
[   39.779182]  __generic_file_write_iter+0x24b/0x610
[   39.784477]  ext4_file_write_iter+0x2fe/0xf20
[   39.789439]  ? ext4_file_open+0x600/0x600
[   39.793790]  ? do_futex+0x171/0x1880
[   39.798198]  ? mark_held_locks+0xf0/0xf0
[   39.802624]  __vfs_write+0x51b/0x770
[   39.806765]  ? common_file_perm+0x4e5/0x850
[   39.812648]  ? kernel_read+0x110/0x110
[   39.816808]  ? check_preemption_disabled+0x41/0x280
[   39.822181]  ? rcu_read_lock_sched_held+0x16c/0x1d0
[   39.827375]  vfs_write+0x1f3/0x540
[   39.831164]  ksys_write+0x12b/0x2a0
[   39.834810]  ? __ia32_sys_read+0xb0/0xb0
[   39.838874]  ? trace_hardirqs_off_caller+0x6e/0x210
[   39.844184]  ? do_syscall_64+0x21/0x620
[   39.848333]  do_syscall_64+0xf9/0x620
[   39.852424]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   39.858480] RIP: 0033:0x44a9f9
[   39.862210] Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 bc ff ff ff f7 d8 64 89 01 48
[   39.886686] RSP: 002b:00007f9f195b9208 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
[   39.894810] RAX: ffffffffffffffda RBX: 00000000004cc428 RCX: 000000000044a9f9
[   39.903729] RDX: 0000000000000082 RSI: 00000000200000c0 RDI: 0000000000000008
[   39.911283] RBP: 00000000004cc420 R08: 0000000000000000 R09: 0000000000000000
[   39.918732] R10: 0000000000000000 R11: 0000000000000246 R12: 00000000004cc42c
[   39.926357] R13: 00007ffee825f65f R14: 00007f9f195b9300 R15: 0000000000022000
[   39.935414] Kernel Offset: disabled
[   39.939044] Rebooting in 86400 seconds..