[  OK  ] Reached target Graphical Interface.
         Starting Update UTMP about System Runlevel Changes...
[  OK  ] Started Update UTMP about System Runlevel Changes.
         Starting Load/Save RF Kill Switch Status...
[  OK  ] Started Load/Save RF Kill Switch Status.

Debian GNU/Linux 9 syzkaller ttyS0

Warning: Permanently added '10.128.0.244' (ECDSA) to the list of known hosts.
executing program
syzkaller login: [   35.364243] EXT4-fs: Warning: mounting with data=journal disables delayed allocation and O_DIRECT support!
[   35.384441] EXT4-fs (loop0): mounting with "discard" option, but the device does not support discard
[   35.394253] EXT4-fs (loop0): mounted filesystem without journal. Opts: ,errors=continue
executing program
[   35.463941] EXT4-fs (loop0): mounting with "discard" option, but the device does not support discard
[   35.476030] EXT4-fs (loop0): mounted filesystem without journal. Opts: ,errors=continue
[   35.496335] ==================================================================
[   35.503830] BUG: KASAN: use-after-free in ext4_rename_dir_prepare+0x3a6/0x440
[   35.511116] Read of size 4 at addr ffff88808f155e02 by task syz-executor413/8142
[   35.518646] 
[   35.520263] CPU: 0 PID: 8142 Comm: syz-executor413 Not tainted 4.19.211-syzkaller #0
[   35.528118] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022
[   35.537450] Call Trace:
[   35.540024]  dump_stack+0x1fc/0x2ef
[   35.543634]  print_address_description.cold+0x54/0x219
[   35.548893]  kasan_report_error.cold+0x8a/0x1b9
[   35.553544]  ? ext4_rename_dir_prepare+0x3a6/0x440
[   35.558460]  __asan_report_load4_noabort+0x88/0x90
[   35.563376]  ? ext4_rename_dir_prepare+0x3a6/0x440
[   35.568293]  ext4_rename_dir_prepare+0x3a6/0x440
[   35.573027]  ? ext4_htree_next_block+0x4c0/0x4c0
[   35.577765]  ? ext4_journal_check_start+0x185/0x220
[   35.582759]  ? ext4_get_nojournal+0x53/0xb0
[   35.587059]  ? __ext4_journal_start_sb+0x12d/0x3f0
[   35.591969]  ? ext4_cross_rename+0x85e/0x14f0
[   35.596442]  ext4_cross_rename+0x112f/0x14f0
[   35.600829]  ? lock_downgrade+0x720/0x720
[   35.604955]  ? mark_held_locks+0xf0/0xf0
[   35.608993]  ? ext4_lookup+0x660/0x660
[   35.612858]  ? mark_held_locks+0xf0/0xf0
[   35.616916]  ? _raw_spin_unlock+0x29/0x40
[   35.621043]  ? __ext4_iget+0x166/0x3d30
[   35.625062]  ? take_dentry_name_snapshot+0xe8/0x140
[   35.630061]  ? lock_downgrade+0x720/0x720
[   35.634186]  ? lockref_get+0x11/0x50
[   35.637881]  ext4_rename2+0x1be/0x210
[   35.641665]  vfs_rename+0x67e/0x1bc0
[   35.645361]  ? __d_alloc+0x9a1/0xa10
[   35.649060]  ? path_openat+0x2df0/0x2df0
[   35.653097]  ? do_raw_spin_unlock+0x171/0x230
[   35.657571]  ? _raw_spin_unlock+0x29/0x40
[   35.661706]  ? security_path_rename+0x1ed/0x2e0
[   35.666355]  do_renameat2+0xb59/0xc70
[   35.670136]  ? do_mknodat.part.0+0x480/0x480
[   35.674526]  ? mntput_no_expire+0x119/0xa30
[   35.678827]  ? mntput+0x67/0x90
[   35.682084]  ? do_mkdirat+0x1d2/0x2d0
[   35.685869]  ? entry_SYSCALL_64_after_hwframe+0x3e/0xbe
[   35.691214]  __x64_sys_renameat2+0xba/0x150
[   35.695522]  ? lockdep_hardirqs_on+0x3a8/0x5c0
[   35.700089]  do_syscall_64+0xf9/0x620
[   35.703868]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   35.709035] RIP: 0033:0x7f7fd68de709
[   35.712727] Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48
[   35.731605] RSP: 002b:00007ffd44b239b8 EFLAGS: 00000246 ORIG_RAX: 000000000000013c
[   35.739292] RAX: ffffffffffffffda RBX: 00007f7fd6923ee0 RCX: 00007f7fd68de709
[   35.746540] RDX: 00000000ffffff9c RSI: 00000000200004c0 RDI: 0000000000000003
[   35.753786] RBP: 0000000000000000 R08: 0000000000000002 R09: 00007ffd44b239e0
[   35.761033] R10: 0000000020000000 R11: 0000000000000246 R12: 00007ffd44b239dc
[   35.768280] R13: 00007ffd44b23a10 R14: 00007ffd44b239f0 R15: 0000000000000001
[   35.775537] 
[   35.777141] The buggy address belongs to the page:
[   35.782047] page:ffffea00023c5540 count:0 mapcount:0 mapping:0000000000000000 index:0x1
[   35.790165] flags: 0xfff00000000000()
[   35.793946] raw: 00fff00000000000 dead000000000100 dead000000000200 0000000000000000
[   35.801858] raw: 0000000000000001 0000000000000000 00000000ffffffff 0000000000000000
[   35.809803] page dumped because: kasan: bad access detected
[   35.815483] 
[   35.817156] Memory state around the buggy address:
[   35.822064]  ffff88808f155d00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   35.829401]  ffff88808f155d80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   35.836736] >ffff88808f155e00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   35.844069]                    ^
[   35.847410]  ffff88808f155e80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   35.854747]  ffff88808f155f00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   35.862081] ==================================================================
[   35.869413] Disabling lock debugging due to kernel taint
[   35.878100] Kernel panic - not syncing: panic_on_warn set ...
[   35.878100] 
[   35.885484] CPU: 0 PID: 8142 Comm: syz-executor413 Tainted: G    B             4.19.211-syzkaller #0
[   35.894744] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022
[   35.904082] Call Trace:
[   35.906652]  dump_stack+0x1fc/0x2ef
[   35.910266]  panic+0x26a/0x50e
[   35.913446]  ? __warn_printk+0xf3/0xf3
[   35.917317]  ? preempt_schedule_common+0x45/0xc0
[   35.922052]  ? ___preempt_schedule+0x16/0x18
[   35.926439]  ? trace_hardirqs_on+0x55/0x210
[   35.930743]  kasan_end_report+0x43/0x49
[   35.934697]  kasan_report_error.cold+0xa7/0x1b9
[   35.939346]  ? ext4_rename_dir_prepare+0x3a6/0x440
[   35.944253]  __asan_report_load4_noabort+0x88/0x90
[   35.949158]  ? ext4_rename_dir_prepare+0x3a6/0x440
[   35.954063]  ext4_rename_dir_prepare+0x3a6/0x440
[   35.958799]  ? ext4_htree_next_block+0x4c0/0x4c0
[   35.963534]  ? ext4_journal_check_start+0x185/0x220
[   35.968529]  ? ext4_get_nojournal+0x53/0xb0
[   35.972828]  ? __ext4_journal_start_sb+0x12d/0x3f0
[   35.977735]  ? ext4_cross_rename+0x85e/0x14f0
[   35.982380]  ext4_cross_rename+0x112f/0x14f0
[   35.986766]  ? lock_downgrade+0x720/0x720
[   35.990909]  ? mark_held_locks+0xf0/0xf0
[   35.994947]  ? ext4_lookup+0x660/0x660
[   35.998810]  ? mark_held_locks+0xf0/0xf0
[   36.002849]  ? _raw_spin_unlock+0x29/0x40
[   36.006981]  ? __ext4_iget+0x166/0x3d30
[   36.010934]  ? take_dentry_name_snapshot+0xe8/0x140
[   36.015927]  ? lock_downgrade+0x720/0x720
[   36.020053]  ? lockref_get+0x11/0x50
[   36.023746]  ext4_rename2+0x1be/0x210
[   36.027526]  vfs_rename+0x67e/0x1bc0
[   36.031219]  ? __d_alloc+0x9a1/0xa10
[   36.034915]  ? path_openat+0x2df0/0x2df0
[   36.038962]  ? do_raw_spin_unlock+0x171/0x230
[   36.043435]  ? _raw_spin_unlock+0x29/0x40
[   36.047566]  ? security_path_rename+0x1ed/0x2e0
[   36.052222]  do_renameat2+0xb59/0xc70
[   36.056008]  ? do_mknodat.part.0+0x480/0x480
[   36.060395]  ? mntput_no_expire+0x119/0xa30
[   36.064693]  ? mntput+0x67/0x90
[   36.067947]  ? do_mkdirat+0x1d2/0x2d0
[   36.071733]  ? entry_SYSCALL_64_after_hwframe+0x3e/0xbe
[   36.077075]  __x64_sys_renameat2+0xba/0x150
[   36.081375]  ? lockdep_hardirqs_on+0x3a8/0x5c0
[   36.085934]  do_syscall_64+0xf9/0x620
[   36.089715]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   36.094881] RIP: 0033:0x7f7fd68de709
[   36.098573] Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48
[   36.117455] RSP: 002b:00007ffd44b239b8 EFLAGS: 00000246 ORIG_RAX: 000000000000013c
[   36.125138] RAX: ffffffffffffffda RBX: 00007f7fd6923ee0 RCX: 00007f7fd68de709
[   36.132388] RDX: 00000000ffffff9c RSI: 00000000200004c0 RDI: 0000000000000003
[   36.139638] RBP: 0000000000000000 R08: 0000000000000002 R09: 00007ffd44b239e0
[   36.146891] R10: 0000000020000000 R11: 0000000000000246 R12: 00007ffd44b239dc
[   36.154153] R13: 00007ffd44b23a10 R14: 00007ffd44b239f0 R15: 0000000000000001
[   36.161682] Kernel Offset: disabled
[   36.165299] Rebooting in 86400 seconds..