[  OK  ] Started Getty on tty2.
[  OK  ] Started Serial Getty on ttyS0.
[  OK  ] Started Getty on tty1.
[  OK  ] Reached target Login Prompts.
[  OK  ] Reached target Multi-User System.
[  OK  ] Reached target Graphical Interface.
         Starting Update UTMP about System Runlevel Changes...
[  OK  ] Started Update UTMP about System Runlevel Changes.
         Starting Load/Save RF Kill Switch Status...
[  OK  ] Started Load/Save RF Kill Switch Status.

Debian GNU/Linux 9 syzkaller ttyS0

Warning: Permanently added '10.128.0.245' (ECDSA) to the list of known hosts.

syzkaller login: [   33.737129] audit: type=1400 audit(1588397728.925:8): avc: denied { execmem } for pid=6359 comm="syz-executor162" scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=process permissive=1
[   34.011407] IPVS: ftp: loaded support on port[0] = 21
[   34.827903] chnl_net:caif_netlink_parms(): no params data found
[   34.923572] bridge0: port 1(bridge_slave_0) entered blocking state
[   34.930802] bridge0: port 1(bridge_slave_0) entered disabled state
[   34.937844] device bridge_slave_0 entered promiscuous mode
[   34.945931] bridge0: port 2(bridge_slave_1) entered blocking state
[   34.952418] bridge0: port 2(bridge_slave_1) entered disabled state
[   34.959323] device bridge_slave_1 entered promiscuous mode
[   34.976427] bond0: Enslaving bond_slave_0 as an active interface with an up link
[   34.985559] bond0: Enslaving bond_slave_1 as an active interface with an up link
[   35.003988] IPv6: ADDRCONF(NETDEV_UP): team_slave_0: link is not ready
[   35.012640] team0: Port device team_slave_0 added
[   35.018831] IPv6: ADDRCONF(NETDEV_UP): team_slave_1: link is not ready
[   35.026283] team0: Port device team_slave_1 added
[   35.041562] batman_adv: batadv0: Adding interface: batadv_slave_0
[   35.047890] batman_adv: batadv0: The MTU of interface batadv_slave_0 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem.
[   35.073442] batman_adv: batadv0: Not using interface batadv_slave_0 (retrying later): interface not active
[   35.085100] batman_adv: batadv0: Adding interface: batadv_slave_1
[   35.091906] batman_adv: batadv0: The MTU of interface batadv_slave_1 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem.
[   35.117151] batman_adv: batadv0: Not using interface batadv_slave_1 (retrying later): interface not active
[   35.127870] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_0: link is not ready
[   35.136410] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_1: link is not ready
[   35.191912] device hsr_slave_0 entered promiscuous mode
[   35.239454] device hsr_slave_1 entered promiscuous mode
[   35.279804] IPv6: ADDRCONF(NETDEV_UP): hsr_slave_0: link is not ready
[   35.288644] IPv6: ADDRCONF(NETDEV_UP): hsr_slave_1: link is not ready
[   35.358582] bridge0: port 2(bridge_slave_1) entered blocking state
[   35.366109] bridge0: port 2(bridge_slave_1) entered forwarding state
[   35.373132] bridge0: port 1(bridge_slave_0) entered blocking state
[   35.380538] bridge0: port 1(bridge_slave_0) entered forwarding state
[   35.411555] IPv6: ADDRCONF(NETDEV_UP): bond0: link is not ready
[   35.417644] 8021q: adding VLAN 0 to HW filter on device bond0
[   35.426852] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
[   35.435984] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[   35.454608] bridge0: port 1(bridge_slave_0) entered disabled state
[   35.462170] bridge0: port 2(bridge_slave_1) entered disabled state
[   35.472218] IPv6: ADDRCONF(NETDEV_UP): team0: link is not ready
[   35.478603] 8021q: adding VLAN 0 to HW filter on device team0
[   35.487794] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[   35.495796] bridge0: port 1(bridge_slave_0) entered blocking state
[   35.502209] bridge0: port 1(bridge_slave_0) entered forwarding state
[   35.512543] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[   35.520248] bridge0: port 2(bridge_slave_1) entered blocking state
[   35.526768] bridge0: port 2(bridge_slave_1) entered forwarding state
[   35.546712] hsr0: Slave A (hsr_slave_0) is not up; please bring it up to get a fully working HSR network
[   35.556800] hsr0: Slave B (hsr_slave_1) is not up; please bring it up to get a fully working HSR network
[   35.569936] IPv6: ADDRCONF(NETDEV_UP): hsr0: link is not ready
[   35.578552] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready
[   35.586679] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready
[   35.595358] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
[   35.603201] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
[   35.610982] IPv6: ADDRCONF(NETDEV_CHANGE): hsr0: link becomes ready
[   35.617779] IPv6: ADDRCONF(NETDEV_CHANGE): team0: link becomes ready
[   35.630519] IPv6: ADDRCONF(NETDEV_UP): vxcan0: link is not ready
[   35.639234] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan0: link becomes ready
[   35.646943] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan1: link becomes ready
[   35.657517] 8021q: adding VLAN 0 to HW filter on device batadv0
[   35.709501] IPv6: ADDRCONF(NETDEV_UP): veth0_virt_wifi: link is not ready
[   35.719808] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_virt_wifi: link becomes ready
[   35.746297] IPv6: ADDRCONF(NETDEV_UP): veth0_vlan: link is not ready
[   35.753851] IPv6: ADDRCONF(NETDEV_UP): vlan0: link is not ready
[   35.760533] IPv6: ADDRCONF(NETDEV_UP): vlan1: link is not ready
[   35.770024] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_vlan: link becomes ready
[   35.777995] IPv6: ADDRCONF(NETDEV_CHANGE): vlan0: link becomes ready
[   35.785097] IPv6: ADDRCONF(NETDEV_CHANGE): vlan1: link becomes ready
[   35.794315] device veth0_vlan entered promiscuous mode
[   35.803593] device veth1_vlan entered promiscuous mode
[   35.809845] IPv6: ADDRCONF(NETDEV_UP): macvlan0: link is not ready
[   35.816392] IPv6: ADDRCONF(NETDEV_CHANGE): bond0: link becomes ready
[   35.825285] IPv6: ADDRCONF(NETDEV_CHANGE): macvlan0: link becomes ready
[   35.840348] IPv6: ADDRCONF(NETDEV_UP): veth0_macvtap: link is not ready
[   35.850449] IPv6: ADDRCONF(NETDEV_UP): veth1_macvtap: link is not ready
[   35.857275] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_macvtap: link becomes ready
[   35.866347] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_macvtap: link becomes ready
[   35.875727] device veth0_macvtap entered promiscuous mode
[   35.882338] IPv6: ADDRCONF(NETDEV_UP): macvtap0: link is not ready
[   35.891503] device veth1_macvtap entered promiscuous mode
[   35.897546] IPv6: ADDRCONF(NETDEV_UP): macsec0: link is not ready
[   35.906296] IPv6: ADDRCONF(NETDEV_UP): veth0_to_batadv: link is not ready
[   35.916335] IPv6: ADDRCONF(NETDEV_UP): veth1_to_batadv: link is not ready
[   35.925911] IPv6: ADDRCONF(NETDEV_UP): batadv_slave_0: link is not ready
[   35.933409] batman_adv: batadv0: Interface activated: batadv_slave_0
[   35.940671] IPv6: ADDRCONF(NETDEV_CHANGE): macvtap0: link becomes ready
[   35.947875] IPv6: ADDRCONF(NETDEV_CHANGE): macsec0: link becomes ready
[   35.955165] IPv6: ADDRCONF(NETDEV_CHANGE): batadv_slave_0: link becomes ready
[   35.963063] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_batadv: link becomes ready
[   35.973434] IPv6: ADDRCONF(NETDEV_UP): batadv_slave_1: link is not ready
[   35.981039] batman_adv: batadv0: Interface activated: batadv_slave_1
[   35.988491] IPv6: ADDRCONF(NETDEV_CHANGE): batadv_slave_1: link becomes ready
[   35.996290] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_batadv: link becomes ready
executing program
[   37.135916] audit: type=1800 audit(1588397732.318:9): pid=6595 uid=0 auid=0 ses=5 subj=system_u:system_r:kernel_t:s0 op="collect_data" cause="failed(directio)" comm="syz-executor162" name="file0" dev="sda1" ino=15712 res=0
[   37.141445] MINIX-fs: mounting unchecked file system, running fsck is recommended
[   37.182882] Process accounting resumed
[   37.190903] ==================================================================
[   37.198398] BUG: KASAN: use-after-free in get_block+0xe7c/0x10f0
[   37.204577] Read of size 2 at addr ffff8880a34d3bb8 by task syz-executor162/6595
[   37.212110]
[   37.213774] CPU: 0 PID: 6595 Comm: syz-executor162 Not tainted 4.14.177-syzkaller #0
[   37.221646] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   37.230979] Call Trace:
[   37.233564]  dump_stack+0x13e/0x194
[   37.237202]  ? get_block+0xe7c/0x10f0
[   37.240996]  print_address_description.cold+0x7c/0x1e2
[   37.246271]  ? get_block+0xe7c/0x10f0
[   37.250055]  kasan_report.cold+0xa9/0x2ae
[   37.254203]  get_block+0xe7c/0x10f0
[   37.257811]  ? alloc_buffer_head+0x20/0xd0
[   37.262030]  ? block_to_path.isra.0+0x2d0/0x2d0
[   37.266680]  ? create_page_buffers+0x14d/0x1c0
[   37.272249]  ? lock_downgrade+0x6e0/0x6e0
[   37.277356]  ? create_empty_buffers+0x264/0x470
[   37.282001]  ? do_raw_spin_unlock+0x164/0x250
[   37.286477]  minix_get_block+0xd6/0x100
[   37.290447]  __block_write_begin_int+0x337/0x1030
[   37.295440]  ? minix_rename+0x760/0x760
[   37.299405]  ? add_to_page_cache_lru+0x150/0x300
[   37.304143]  ? __breadahead_gfp+0xd0/0xd0
[   37.308446]  ? wait_for_stable_page+0xe3/0x270
[   37.313011]  ? minix_rename+0x760/0x760
[   37.317069]  block_write_begin+0x58/0x260
[   37.321203]  minix_write_begin+0x35/0xc0
[   37.325253]  generic_perform_write+0x1c9/0x420
[   37.329823]  ? __mnt_drop_write+0x40/0x70
[   37.333955]  ? page_endio+0x540/0x540
[   37.337735]  ? current_time+0xb0/0xb0
[   37.342472]  ? lock_acquire+0x170/0x3f0
[   37.346434]  __generic_file_write_iter+0x227/0x590
[   37.351347]  generic_file_write_iter+0x2fa/0x650
[   37.356097]  ? iov_iter_init+0xa6/0x1c0
[   37.360055]  __vfs_write+0x44e/0x630
[   37.363775]  ? save_trace+0x290/0x290
[   37.367558]  ? kernel_read+0x110/0x110
[   37.371433]  ? save_trace+0x290/0x290
[   37.375218]  ? do_acct_process+0xc41/0xf60
[   37.379438]  __kernel_write+0xf5/0x330
[   37.383496]  do_acct_process+0xb49/0xf60
[   37.388602]  ? acct_put+0x40/0x40
[   37.392209]  ? acct_process+0x179/0x422
[   37.396181]  acct_process+0x38a/0x422
[   37.399971]  do_exit+0x1712/0x2b00
[   37.403498]  ? __do_page_fault+0x4e4/0xb40
[   37.407744]  ? mm_update_next_owner+0x5b0/0x5b0
[   37.412415]  ? lock_downgrade+0x6e0/0x6e0
[   37.416561]  do_group_exit+0x100/0x310
[   37.420441]  SyS_exit_group+0x19/0x20
[   37.424314]  ? do_group_exit+0x310/0x310
[   37.428365]  do_syscall_64+0x1d5/0x640
[   37.432238]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[   37.437424] RIP: 0033:0x448648
[   37.440593] RSP: 002b:00007ffc6f8ec8d8 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
[   37.448286] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 0000000000448648
[   37.455638] RDX: 0000000000000000 RSI: 000000000000003c RDI: 0000000000000000
[   37.462888] RBP: 00000000004cb9d0 R08: 00000000000000e7 R09: ffffffffffffffd4
[   37.470177] R10: 00007ffc6f8ec7f0 R11: 0000000000000246 R12: 0000000000000001
[   37.477443] R13: 00000000006e47e0 R14: 0000000000000000 R15: 0000000000000000
[   37.484726]
[   37.486339] Allocated by task 1:
[   37.489708]  save_stack+0x32/0xa0
[   37.493156]  kasan_kmalloc+0xbf/0xe0
[   37.496845]  kmem_cache_alloc+0x127/0x770
[   37.500969]  get_empty_filp+0x86/0x3e0
[   37.504852]  path_openat+0x8d/0x3c50
[   37.508543]  do_filp_open+0x18e/0x250
[   37.512321]  do_sys_open+0x29d/0x3f0
[   37.516040]  do_syscall_64+0x1d5/0x640
[   37.519929]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[   37.525093]
[   37.526697] Freed by task 17:
[   37.529979]  save_stack+0x32/0xa0
[   37.533419]  kasan_slab_free+0x75/0xc0
[   37.537281]  kmem_cache_free+0x7c/0x2b0
[   37.541431]  rcu_process_callbacks+0x792/0x1190
[   37.546077]  __do_softirq+0x254/0x9bf
[   37.549877]
[   37.551494] The buggy address belongs to the object at ffff8880a34d3a80
[   37.551494]  which belongs to the cache filp of size 456
[   37.563544] The buggy address is located 312 bytes inside of
[   37.563544]  456-byte region [ffff8880a34d3a80, ffff8880a34d3c48)
[   37.575568] The buggy address belongs to the page:
[   37.580567] page:ffffea00028d34c0 count:1 mapcount:0 mapping:ffff8880a34d3080 index:0x0
[   37.588708] flags: 0xfffe0000000100(slab)
[   37.592833] raw: 00fffe0000000100 ffff8880a34d3080 0000000000000000 0000000100000006
[   37.600689] raw: ffffea00028d3520 ffffea0002983860 ffff8880aa587b40 0000000000000000
[   37.608545] page dumped because: kasan: bad access detected
[   37.614314]
[   37.615935] Memory state around the buggy address:
[   37.620839]  ffff8880a34d3a80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   37.628319]  ffff8880a34d3b00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   37.635675] >ffff8880a34d3b80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   37.643014]                                         ^
[   37.648199]  ffff8880a34d3c00: fb fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc
[   37.655669]  ffff8880a34d3c80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   37.663024] ==================================================================
[   37.670360] Disabling lock debugging due to kernel taint
[   37.677453] Kernel panic - not syncing: panic_on_warn set ...
[   37.677453]
[   37.684826] CPU: 0 PID: 6595 Comm: syz-executor162 Tainted: G B 4.14.177-syzkaller #0
[   37.693914] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   37.703283] Call Trace:
[   37.705863]  dump_stack+0x13e/0x194
[   37.709514]  panic+0x1f9/0x42d
[   37.712711]  ? add_taint.cold+0x16/0x16
[   37.716664]  ? get_block+0xe7c/0x10f0
[   37.720439]  kasan_end_report+0x43/0x49
[   37.724386]  kasan_report.cold+0x12f/0x2ae
[   37.728601]  get_block+0xe7c/0x10f0
[   37.732206]  ? alloc_buffer_head+0x20/0xd0
[   37.736418]  ? block_to_path.isra.0+0x2d0/0x2d0
[   37.741076]  ? create_page_buffers+0x14d/0x1c0
[   37.745858]  ? lock_downgrade+0x6e0/0x6e0
[   37.749986]  ? create_empty_buffers+0x264/0x470
[   37.754654]  ? do_raw_spin_unlock+0x164/0x250
[   37.759920]  minix_get_block+0xd6/0x100
[   37.763968]  __block_write_begin_int+0x337/0x1030
[   37.768803]  ? minix_rename+0x760/0x760
[   37.772756]  ? add_to_page_cache_lru+0x150/0x300
[   37.777518]  ? __breadahead_gfp+0xd0/0xd0
[   37.781656]  ? wait_for_stable_page+0xe3/0x270
[   37.786225]  ? minix_rename+0x760/0x760
[   37.790205]  block_write_begin+0x58/0x260
[   37.795048]  minix_write_begin+0x35/0xc0
[   37.799088]  generic_perform_write+0x1c9/0x420
[   37.803665]  ? __mnt_drop_write+0x40/0x70
[   37.807831]  ? page_endio+0x540/0x540
[   37.811616]  ? current_time+0xb0/0xb0
[   37.815418]  ? lock_acquire+0x170/0x3f0
[   37.819383]  __generic_file_write_iter+0x227/0x590
[   37.824318]  generic_file_write_iter+0x2fa/0x650
[   37.829063]  ? iov_iter_init+0xa6/0x1c0
[   37.833026]  __vfs_write+0x44e/0x630
[   37.836723]  ? save_trace+0x290/0x290
[   37.840506]  ? kernel_read+0x110/0x110
[   37.844378]  ? save_trace+0x290/0x290
[   37.848165]  ? do_acct_process+0xc41/0xf60
[   37.854394]  __kernel_write+0xf5/0x330
[   37.858470]  do_acct_process+0xb49/0xf60
[   37.862558]  ? acct_put+0x40/0x40
[   37.865995]  ? acct_process+0x179/0x422
[   37.869955]  acct_process+0x38a/0x422
[   37.873739]  do_exit+0x1712/0x2b00
[   37.877258]  ? __do_page_fault+0x4e4/0xb40
[   37.881572]  ? mm_update_next_owner+0x5b0/0x5b0
[   37.886217]  ? lock_downgrade+0x6e0/0x6e0
[   37.890348]  do_group_exit+0x100/0x310
[   37.894212]  SyS_exit_group+0x19/0x20
[   37.898005]  ? do_group_exit+0x310/0x310
[   37.902063]  do_syscall_64+0x1d5/0x640
[   37.905964]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[   37.911204] RIP: 0033:0x448648
[   37.914407] RSP: 002b:00007ffc6f8ec8d8 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
[   37.922097] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 0000000000448648
[   37.929368] RDX: 0000000000000000 RSI: 000000000000003c RDI: 0000000000000000
[   37.936621] RBP: 00000000004cb9d0 R08: 00000000000000e7 R09: ffffffffffffffd4
[   37.943887] R10: 00007ffc6f8ec7f0 R11: 0000000000000246 R12: 0000000000000001
[   37.951137] R13: 00000000006e47e0 R14: 0000000000000000 R15: 0000000000000000
[   37.959929] Kernel Offset: disabled
[   37.963565] Rebooting in 86400 seconds..
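Triage of a console log like this one starts by pulling the structured facts out of the KASAN report: the bug class and faulting symbol from the BUG: line, the access (read/write, size, address, task), the first reliable frame past KASAN's own reporting path (the real crash site), the syscall handler the bad access was reached from, the allocation and free stacks with their pids, and the slab object the address falls in. The parser below is an added example written for this page; it is not a syzkaller tool or anything from the original report. It runs on a constructed excerpt of the log above (the same lines, with the middle of each stack trimmed), and it assumes the 4.14-era report layout shown here: a "Read of size N at addr X by task T/P" line, "Allocated by task N:" / "Freed by task N:" headers, and a "? " prefix on unreliable frames. As a self-check it verifies that the faulting address minus the object base equals the offset the report states and that the access fits inside the object's slab size.

```python
# Added example for this page, not a syzkaller tool: pull the structured facts out of a
# KASAN report and cross-check them. SAMPLE_LOG is a constructed excerpt of the log above
# (the same lines, with the middle of each stack trimmed).
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

SAMPLE_LOG = """\
[   37.190903] ==================================================================
[   37.198398] BUG: KASAN: use-after-free in get_block+0xe7c/0x10f0
[   37.204577] Read of size 2 at addr ffff8880a34d3bb8 by task syz-executor162/6595
[   37.230979] Call Trace:
[   37.233564]  dump_stack+0x13e/0x194
[   37.237202]  ? get_block+0xe7c/0x10f0
[   37.240996]  print_address_description.cold+0x7c/0x1e2
[   37.250055]  kasan_report.cold+0xa9/0x2ae
[   37.254203]  get_block+0xe7c/0x10f0
[   37.388602]  do_acct_process+0xb49/0xf60
[   37.420441]  SyS_exit_group+0x19/0x20
[   37.437424] RIP: 0033:0x448648
[   37.484726]
[   37.486339] Allocated by task 1:
[   37.500969]  get_empty_filp+0x86/0x3e0
[   37.525093]
[   37.526697] Freed by task 17:
[   37.541431]  rcu_process_callbacks+0x792/0x1190
[   37.549877]
[   37.551494] The buggy address belongs to the object at ffff8880a34d3a80
[   37.551494]  which belongs to the cache filp of size 456
[   37.563544] The buggy address is located 312 bytes inside of
[   37.663024] ==================================================================
"""

_TS = re.compile(r"^\[\s*\d+\.\d+\]\s?")  # printk timestamp prefix
_HEAD = re.compile(r"BUG: KASAN: (?P<kind>[\w-]+) in (?P<func>\S+)")
_ACCESS = re.compile(r"(?P<op>Read|Write) of size (?P<size>\d+) at addr (?P<addr>[0-9a-f]+)"
                     r" by task \S+/(?P<pid>\d+)")
_OBJ = re.compile(r"belongs to the object at (?P<obj>[0-9a-f]+)")
_CACHE = re.compile(r"belongs to the cache (?P<cache>\S+) of size (?P<size>\d+)")
_OFF = re.compile(r"located (?P<off>\d+) bytes inside of")
_FRAME = re.compile(r"^\s+(?P<frame>(\? )?[\w.]+\+0x[0-9a-f]+/0x[0-9a-f]+)$")
_STACK = re.compile(r"^(Allocated|Freed) by task (\d+):$")
_REPORT_SYMS = ("dump_stack", "print_address_description", "kasan_report", "__asan_")

@dataclass
class KasanReport:
    kind: str   # "use-after-free", "slab-out-of-bounds", ...
    func: str   # symbol+offset from the BUG: line
    op: str     # "Read" or "Write"
    size: int
    addr: int
    pid: int
    stacks: Dict[str, List[str]] = field(default_factory=dict)  # "crash", "alloc", "freed"
    tasks: Dict[str, int] = field(default_factory=dict)         # pid behind "alloc"/"freed"
    obj_addr: Optional[int] = None
    cache: Optional[str] = None
    cache_size: Optional[int] = None
    offset: Optional[int] = None

def symbol(frame: str) -> str:
    """'? print_address_description.cold+0x7c/0x1e2' -> 'print_address_description'."""
    return frame.lstrip("? ").split("+", 1)[0].split(".", 1)[0]

def parse_kasan(log: str) -> KasanReport:
    lines = [_TS.sub("", ln) for ln in log.splitlines()]
    start = next(i for i, ln in enumerate(lines) if ln.startswith("===="))
    end = next(i for i in range(start + 1, len(lines)) if lines[i].startswith("===="))
    body = lines[start + 1:end]  # the report sits between the two '=' rulers
    head = next(m for m in map(_HEAD.search, body) if m)
    acc = next(m for m in map(_ACCESS.search, body) if m)
    rep = KasanReport(head["kind"], head["func"], acc["op"], int(acc["size"]),
                      int(acc["addr"], 16), int(acc["pid"]))
    section = None
    for ln in body:
        hdr, fr = _STACK.match(ln), _FRAME.match(ln)
        if ln == "Call Trace:" or hdr:
            section = hdr.group(1).lower()[:5] if hdr else "crash"  # "alloc" / "freed"
            rep.stacks[section] = []
            if hdr:
                rep.tasks[section] = int(hdr.group(2))
        elif not ln.strip():
            section = None  # a blank line ends the current stack
        elif fr and section:
            rep.stacks[section].append(fr["frame"])  # keeps the "? " marker
        elif _OBJ.search(ln):
            rep.obj_addr = int(_OBJ.search(ln)["obj"], 16)
        elif _CACHE.search(ln):
            rep.cache, rep.cache_size = _CACHE.search(ln)["cache"], int(_CACHE.search(ln)["size"])
        elif _OFF.search(ln):
            rep.offset = int(_OFF.search(ln)["off"])
    return rep

def _first(rep: KasanReport, pred) -> Optional[str]:
    """Symbol of the first reliable crash-stack frame satisfying pred."""
    return next((symbol(f) for f in rep.stacks.get("crash", [])
                 if not f.startswith("? ") and pred(symbol(f))), None)

def crash_site(rep: KasanReport) -> Optional[str]:  # first frame past KASAN's own reporting path
    return _first(rep, lambda s: not s.startswith(_REPORT_SYMS))

def syscall_entry(rep: KasanReport) -> Optional[str]:  # which syscall handler reached the bug
    return _first(rep, lambda s: s.startswith(("SyS_", "sys_", "__x64_sys_", "__se_sys_")))

def offset_consistent(rep: KasanReport) -> Optional[bool]:
    """addr - object base must equal the stated offset, and the access must fit in the object."""
    if None in (rep.obj_addr, rep.offset, rep.cache_size):
        return None
    return rep.addr - rep.obj_addr == rep.offset and rep.offset + rep.size <= rep.cache_size

if __name__ == "__main__":
    r = parse_kasan(SAMPLE_LOG)
    print(r.kind, r.op, r.size, crash_site(r), syscall_entry(r), r.cache, offset_consistent(r))
```

On this log the parser reports a 2-byte read in get_block reached from SyS_exit_group, on a 456-byte filp object allocated by pid 1 and freed from an RCU callback by pid 17, at offset 312, which matches 0xffff8880a34d3bb8 - 0xffff8880a34d3a80. Skipping the "? " frames and KASAN's own reporting frames matters: taking the first frame literally would name dump_stack as the crash site, and the unreliable get_block entries that precede the real one are stale stack slots, not call sites.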