[ OK ] Started Getty on tty4.
[ OK ] Started Getty on tty3.
[ OK ] Started Getty on tty1.
[ OK ] Started Getty on tty2.
[ OK ] Started Serial Getty on ttyS0.
[ OK ] Reached target Login Prompts.
[ OK ] Reached target Multi-User System.
[ OK ] Reached target Graphical Interface.
Starting Update UTMP about System Runlevel Changes...
[ OK ] Started Update UTMP about System Runlevel Changes.
Starting Load/Save RF Kill Switch Status...
[ OK ] Started Load/Save RF Kill Switch Status.

Debian GNU/Linux 9 syzkaller ttyS0

Warning: Permanently added '10.128.0.54' (ECDSA) to the list of known hosts.
executing program
syzkaller login: [ 66.910447][ T6529] loop0: detected capacity change from 0 to 224
executing program
[ 67.037045][ T6537] loop0: detected capacity change from 0 to 224
[ 67.069661][ T6537] syz-executor936: attempt to access beyond end of device
[ 67.069661][ T6537] loop0: rw=524288, want=856162336, limit=224
[ 67.083457][ T6537] syz-executor936: attempt to access beyond end of device
[ 67.083457][ T6537] loop0: rw=0, want=856162312, limit=224
[ 67.097114][ T25] audit: type=1800 audit(1633999771.414:2): pid=6537 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed comm="syz-executor936" name="/" dev="loop0" ino=255 res=0 errno=0
executing program
executing program
[ 67.217190][ T6544] loop0: detected capacity change from 0 to 224
executing program
executing program
[ 67.357323][ T6552] loop0: detected capacity change from 0 to 224
executing program
[ 67.440844][ T6558] loop0: detected capacity change from 0 to 224
executing program
[ 67.535424][ T6564] loop0: detected capacity change from 0 to 224
[ 67.550931][ T6564] syz-executor936: attempt to access beyond end of device
[ 67.550931][ T6564] loop0: rw=524288, want=480, limit=224
[ 67.565602][ T6564] syz-executor936: attempt to access beyond end of device
[ 67.565602][ T6564] loop0: rw=524288, want=736, limit=224
[ 67.578457][ T6564] syz-executor936: attempt to access beyond end of device
executing program
executing program
[ 67.578457][ T6564] loop0: rw=0, want=232, limit=224
[ 67.591644][ T6564] syz-executor936: attempt to access beyond end of device
[ 67.591644][ T6564] loop0: rw=0, want=232, limit=224
[ 67.604451][ T25] audit: type=1800 audit(1633999771.924:3): pid=6564 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed comm="syz-executor936" name="/" dev="loop0" ino=255 res=0 errno=0
executing program
[ 67.683160][ T6572] loop0: detected capacity change from 0 to 224
executing program
[ 67.747668][ T6578] loop0: detected capacity change from 0 to 224
[ 67.775454][ T6578] syz-executor936: attempt to access beyond end of device
[ 67.775454][ T6578] loop0: rw=524288, want=15179186208, limit=224
[ 67.788846][ T6578] syz-executor936: attempt to access beyond end of device
[ 67.788846][ T6578] loop0: rw=0, want=15179186184, limit=224
[ 67.803110][ T25] audit: type=1800 audit(1633999772.124:4): pid=6578 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed comm="syz-executor936" name="/" dev="loop0" ino=255 res=0 errno=0
executing program
[ 67.886620][ T6586] loop0: detected capacity change from 0 to 224
[ 67.900243][ T6586] syz-executor936: attempt to access beyond end of device
[ 67.900243][ T6586] loop0: rw=524288, want=14092599328, limit=224
[ 67.913990][ T6586] syz-executor936: attempt to access beyond end of device
[ 67.913990][ T6586] loop0: rw=0, want=14092599304, limit=224
executing program
[ 67.928968][ T25] audit: type=1800 audit(1633999772.244:5): pid=6586 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed comm="syz-executor936" name="/" dev="loop0" ino=255 res=0 errno=0
[ 67.986928][ T6592] loop0: detected capacity change from 0 to 224
[ 67.990155][ T6533] blk_update_request: I/O error, dev loop0, sector 0 op 0x0:(READ) flags 0x80700 phys_seg 1 prio class 0
[ 68.007235][ T6592] ==================================================================
[ 68.015376][ T6592] BUG: KASAN: use-after-free in __isofs_iget+0x1c84/0x2100
[ 68.022592][ T6592] Read of size 1 at addr ffff88806ece6015 by task syz-executor936/6592
[ 68.030907][ T6592]
[ 68.033235][ T6592] CPU: 0 PID: 6592 Comm: syz-executor936 Not tainted 5.15.0-rc4-next-20211011-syzkaller #0
[ 68.043222][ T6592] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 68.053281][ T6592] Call Trace:
[ 68.056563][ T6592]
[ 68.059506][ T6592] dump_stack_lvl+0xcd/0x134
[ 68.064125][ T6592] print_address_description.constprop.0.cold+0x8d/0x320
[ 68.071257][ T6592] ? __isofs_iget+0x1c84/0x2100
[ 68.076121][ T6592] ? __isofs_iget+0x1c84/0x2100
[ 68.080981][ T6592] kasan_report.cold+0x83/0xdf
[ 68.085846][ T6592] ? __bread_gfp+0x40/0x3c0
[ 68.090364][ T6592] ? __isofs_iget+0x1c84/0x2100
[ 68.095233][ T6592] __isofs_iget+0x1c84/0x2100
[ 68.099930][ T6592] ? lock_chain_count+0x20/0x20
[ 68.104804][ T6592] ? isofs_dentry_cmp_ms+0x210/0x210
[ 68.110116][ T6592] ? stack_trace_save+0x8c/0xc0
[ 68.114984][ T6592] isofs_fh_to_dentry+0x117/0x1f0
[ 68.120024][ T6592] exportfs_decode_fh_raw+0x127/0x7a0
[ 68.125582][ T6592] ? drop_caches_sysctl_handler+0x110/0x110
[ 68.131490][ T6592] ? isofs_fh_to_parent+0x230/0x230
[ 68.136701][ T6592] ? reconnect_path+0x7e0/0x7e0
[ 68.141654][ T6592] ? lockdep_hardirqs_on_prepare+0x400/0x400
[ 68.147693][ T6592] ? find_held_lock+0x2d/0x110
[ 68.152643][ T6592] ? __might_fault+0xd1/0x170
[ 68.157335][ T6592] ? lock_downgrade+0x6e0/0x6e0
[ 68.162210][ T6592] ? drop_caches_sysctl_handler+0x110/0x110
[ 68.168382][ T6592] exportfs_decode_fh+0x38/0x90
[ 68.173251][ T6592] do_handle_open+0x2b6/0x8b0
[ 68.177957][ T6592] ? vfs_dentry_acceptable+0x10/0x10
[ 68.183262][ T6592] ? syscall_enter_from_user_mode+0x21/0x70
[ 68.189178][ T6592] do_syscall_64+0x35/0xb0
[ 68.194318][ T6592] entry_SYSCALL_64_after_hwframe+0x44/0xae
[ 68.200400][ T6592] RIP: 0033:0x7fa002798fb9
[ 68.204823][ T6592] Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48
[ 68.224615][ T6592] RSP: 002b:00007ffffcd5a438 EFLAGS: 00000246 ORIG_RAX: 0000000000000130
[ 68.233042][ T6592] RAX: ffffffffffffffda RBX: 0000000000010939 RCX: 00007fa002798fb9
[ 68.241136][ T6592] RDX: 0000000000000000 RSI: 0000000020000080 RDI: 0000000000000005
[ 68.249116][ T6592] RBP: 0000000000000000 R08: 0000000000000000 R09: 00007ffffcd5a460
[ 68.257217][ T6592] R10: 00007ffffcd5a300 R11: 0000000000000246 R12: 00007ffffcd5a45c
[ 68.265433][ T6592] R13: 00007ffffcd5a490 R14: 00007ffffcd5a470 R15: 000000000000000d
[ 68.273523][ T6592]
[ 68.276554][ T6592]
[ 68.278876][ T6592] The buggy address belongs to the page:
[ 68.284499][ T6592] page:ffffea0001bb3980 refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x6ece6
[ 68.294756][ T6592] flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff)
[ 68.301882][ T6592] raw: 00fff00000000000 ffffea0001beb708 ffffea0001f38e48 0000000000000000
[ 68.310489][ T6592] raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000
[ 68.319105][ T6592] page dumped because: kasan: bad access detected
[ 68.325514][ T6592] page_owner tracks the page as freed
[ 68.330875][ T6592] page last allocated via order 0, migratetype Unmovable, gfp_mask 0x400dc0(GFP_KERNEL_ACCOUNT|__GFP_ZERO), pid 6450, ts 55488123071, free_ts 55808040837
[ 68.346339][ T6592] get_page_from_freelist+0xa72/0x2f50
[ 68.352189][ T6592] __alloc_pages+0x1b2/0x500
[ 68.356804][ T6592] alloc_pages+0x1a7/0x300
[ 68.361266][ T6592] __get_free_pages+0x8/0x40
[ 68.365870][ T6592] pgd_alloc+0x81/0x360
[ 68.370043][ T6592] mm_init+0x60a/0xab0
[ 68.374120][ T6592] mm_alloc+0x99/0xc0
[ 68.378121][ T6592] alloc_bprm+0x1c3/0x8f0
[ 68.382460][ T6592] do_execveat_common+0x232/0x780
[ 68.387497][ T6592] __x64_sys_execve+0x8f/0xc0
[ 68.392189][ T6592] do_syscall_64+0x35/0xb0
[ 68.396611][ T6592] entry_SYSCALL_64_after_hwframe+0x44/0xae
[ 68.402522][ T6592] page last free stack trace:
[ 68.407198][ T6592] free_pcp_prepare+0x373/0x870
[ 68.412111][ T6592] free_unref_page+0x19/0x690
[ 68.416804][ T6592] __mmdrop+0xcb/0x3f0
[ 68.420882][ T6592] __mmput+0x3f1/0x4b0
[ 68.424966][ T6592] mmput+0x56/0x60
[ 68.428699][ T6592] do_exit+0xb29/0x2b40
[ 68.432864][ T6592] do_group_exit+0x125/0x310
[ 68.437460][ T6592] __x64_sys_exit_group+0x3a/0x50
[ 68.442494][ T6592] do_syscall_64+0x35/0xb0
[ 68.446956][ T6592] entry_SYSCALL_64_after_hwframe+0x44/0xae
[ 68.452862][ T6592]
[ 68.455185][ T6592] Memory state around the buggy address:
[ 68.460985][ T6592] ffff88806ece5f00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 68.469221][ T6592] ffff88806ece5f80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 68.477472][ T6592] >ffff88806ece6000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 68.485537][ T6592] ^
[ 68.490225][ T6592] ffff88806ece6080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 68.498378][ T6592] ffff88806ece6100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 68.506879][ T6592] ==================================================================
[ 68.514943][ T6592] Disabling lock debugging due to kernel taint
[ 68.521510][ T6592] Kernel panic - not syncing: panic_on_warn set ...
[ 68.528091][ T6592] CPU: 0 PID: 6592 Comm: syz-executor936 Tainted: G B 5.15.0-rc4-next-20211011-syzkaller #0
[ 68.539461][ T6592] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 68.549508][ T6592] Call Trace:
[ 68.552783][ T6592]
[ 68.555717][ T6592] dump_stack_lvl+0xcd/0x134
[ 68.560319][ T6592] panic+0x2b0/0x6dd
[ 68.564212][ T6592] ? __warn_printk+0xf3/0xf3
[ 68.569043][ T6592] ? asm_sysvec_apic_timer_interrupt+0x12/0x20
[ 68.575992][ T6592] ? trace_hardirqs_on+0x38/0x1c0
[ 68.581032][ T6592] ? trace_hardirqs_on+0x51/0x1c0
[ 68.586066][ T6592] ? __isofs_iget+0x1c84/0x2100
[ 68.590911][ T6592] ? __isofs_iget+0x1c84/0x2100
[ 68.595763][ T6592] end_report.cold+0x63/0x6f
[ 68.600448][ T6592] kasan_report.cold+0x71/0xdf
[ 68.605223][ T6592] ? __bread_gfp+0x40/0x3c0
[ 68.609722][ T6592] ? __isofs_iget+0x1c84/0x2100
[ 68.614579][ T6592] __isofs_iget+0x1c84/0x2100
[ 68.619257][ T6592] ? lock_chain_count+0x20/0x20
[ 68.624281][ T6592] ? isofs_dentry_cmp_ms+0x210/0x210
[ 68.629956][ T6592] ? stack_trace_save+0x8c/0xc0
[ 68.634895][ T6592] isofs_fh_to_dentry+0x117/0x1f0
[ 68.639914][ T6592] exportfs_decode_fh_raw+0x127/0x7a0
[ 68.645450][ T6592] ? drop_caches_sysctl_handler+0x110/0x110
[ 68.651334][ T6592] ? isofs_fh_to_parent+0x230/0x230
[ 68.656545][ T6592] ? reconnect_path+0x7e0/0x7e0
[ 68.661387][ T6592] ? lockdep_hardirqs_on_prepare+0x400/0x400
[ 68.667375][ T6592] ? find_held_lock+0x2d/0x110
[ 68.672168][ T6592] ? __might_fault+0xd1/0x170
[ 68.676869][ T6592] ? lock_downgrade+0x6e0/0x6e0
[ 68.681720][ T6592] ? drop_caches_sysctl_handler+0x110/0x110
[ 68.687649][ T6592] exportfs_decode_fh+0x38/0x90
[ 68.692517][ T6592] do_handle_open+0x2b6/0x8b0
[ 68.697202][ T6592] ? vfs_dentry_acceptable+0x10/0x10
[ 68.702568][ T6592] ? syscall_enter_from_user_mode+0x21/0x70
[ 68.708465][ T6592] do_syscall_64+0x35/0xb0
[ 68.712882][ T6592] entry_SYSCALL_64_after_hwframe+0x44/0xae
[ 68.718774][ T6592] RIP: 0033:0x7fa002798fb9
[ 68.723273][ T6592] Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48
[ 68.743015][ T6592] RSP: 002b:00007ffffcd5a438 EFLAGS: 00000246 ORIG_RAX: 0000000000000130
[ 68.751433][ T6592] RAX: ffffffffffffffda RBX: 0000000000010939 RCX: 00007fa002798fb9
[ 68.759401][ T6592] RDX: 0000000000000000 RSI: 0000000020000080 RDI: 0000000000000005
[ 68.767386][ T6592] RBP: 0000000000000000 R08: 0000000000000000 R09: 00007ffffcd5a460
[ 68.775350][ T6592] R10: 00007ffffcd5a300 R11: 0000000000000246 R12: 00007ffffcd5a45c
[ 68.783326][ T6592] R13: 00007ffffcd5a490 R14: 00007ffffcd5a470 R15: 000000000000000d
[ 68.791322][ T6592]
[ 68.794585][ T6592] Kernel Offset: disabled
[ 68.798901][ T6592] Rebooting in 86400 seconds..