INIT: Entering runlevel: 2
[info] Using makefile-style concurrent boot in runlevel 2.
[ ok ] Starting enhanced syslogd: rsyslogd.
[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.

Debian GNU/Linux 7 syzkaller ttyS0

Warning: Permanently added '10.128.10.30' (ECDSA) to the list of known hosts.
executing program
syzkaller login: [ 24.295955] ==================================================================
[ 24.303397] BUG: KASAN: slab-out-of-bounds in __ext4_check_dir_entry+0x2de/0x320
[ 24.310919] Read of size 2 at addr ffff8801ad833002 by task syzkaller726813/4419
[ 24.318436]
[ 24.320049] CPU: 1 PID: 4419 Comm: syzkaller726813 Not tainted 4.16.0-rc7+ #9
[ 24.327293] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 24.336627] Call Trace:
[ 24.339194]  dump_stack+0x194/0x24d
[ 24.342799]  ? arch_local_irq_restore+0x53/0x53
[ 24.347444]  ? show_regs_print_info+0x18/0x18
[ 24.351913]  ? ext4_getblk+0x12a/0x500
[ 24.355794]  ? __ext4_check_dir_entry+0x2de/0x320
[ 24.360611]  print_address_description+0x73/0x250
[ 24.365444]  ? __ext4_check_dir_entry+0x2de/0x320
[ 24.370273]  kasan_report+0x23c/0x360
[ 24.374050]  __asan_report_load2_noabort+0x14/0x20
[ 24.378956]  __ext4_check_dir_entry+0x2de/0x320
[ 24.383602]  ext4_readdir+0xd00/0x3600
[ 24.387464]  ? lock_release+0xa40/0xa40
[ 24.391411]  ? trace_hardirqs_off+0x10/0x10
[ 24.395708]  ? __ext4_check_dir_entry+0x320/0x320
[ 24.400523]  ? mntput_no_expire+0x15e/0xa90
[ 24.404819]  ? lock_acquire+0x1d5/0x580
[ 24.408765]  ? lock_acquire+0x1d5/0x580
[ 24.412712]  ? iterate_dir+0xc3/0x530
[ 24.416496]  ? lock_release+0xa40/0xa40
[ 24.420443]  ? check_same_owner+0x320/0x320
[ 24.424737]  ? mntput+0x66/0x90
[ 24.427990]  ? rcu_note_context_switch+0x710/0x710
[ 24.432893]  ? __might_sleep+0x95/0x190
[ 24.436841]  ? down_read_killable+0x95/0x180
[ 24.441224]  ? iterate_dir+0xc3/0x530
[ 24.445004]  ? down_write+0x120/0x120
[ 24.448785]  iterate_dir+0x1ca/0x530
[ 24.452482]  SyS_getdents64+0x221/0x420
[ 24.456437]  ? SyS_getdents+0x450/0x450
[ 24.460385]  ? ext4_llseek+0x237/0x2a0
[ 24.464245]  ? iterate_dir+0x530/0x530
[ 24.468119]  ? ext4_dir_llseek+0x187/0x200
[ 24.472333]  ? do_syscall_64+0xb7/0x940
[ 24.476457]  ? SyS_getdents+0x450/0x450
[ 24.480408]  do_syscall_64+0x281/0x940
[ 24.484275]  ? do_syscall_64+0x281/0x940
[ 24.488307]  ? vmalloc_sync_all+0x30/0x30
[ 24.492434]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 24.497163]  ? syscall_return_slowpath+0x550/0x550
[ 24.502065]  ? syscall_return_slowpath+0x2ac/0x550
[ 24.507060]  ? prepare_exit_to_usermode+0x350/0x350
[ 24.512052]  ? entry_SYSCALL_64_after_hwframe+0x52/0xb7
[ 24.517393]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 24.522223]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 24.527389] RIP: 0033:0x43fd69
[ 24.530548] RSP: 002b:00007ffc4562e698 EFLAGS: 00000203 ORIG_RAX: 00000000000000d9
[ 24.538230] RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 000000000043fd69
[ 24.545473] RDX: 00000000200015fc RSI: 0000000020001540 RDI: 0000000000000003
[ 24.552715] RBP: 00000000006ca018 R08: 00000000004002c8 R09: 00000000004002c8
[ 24.559956] R10: 00000000004002c8 R11: 0000000000000203 R12: 0000000000401690
[ 24.567195] R13: 0000000000401720 R14: 0000000000000000 R15: 0000000000000000
[ 24.574443]
[ 24.576043] Allocated by task 0:
[ 24.579375] (stack is not available)
[ 24.583054]
[ 24.584652] Freed by task 0:
[ 24.587637] (stack is not available)
[ 24.591318]
[ 24.592917] The buggy address belongs to the object at ffff8801ad833040
[ 24.592917]  which belongs to the cache vm_area_struct of size 200
[ 24.605804] The buggy address is located 62 bytes to the left of
[ 24.605804]  200-byte region [ffff8801ad833040, ffff8801ad833108)
[ 24.617992] The buggy address belongs to the page:
[ 24.622895] page:ffffea0006b60cc0 count:1 mapcount:0 mapping:ffff8801ad833040 index:0x0
[ 24.631011] flags: 0x2fffc0000000100(slab)
[ 24.635223] raw: 02fffc0000000100 ffff8801ad833040 0000000000000000 000000010000000f
[ 24.643074] raw: ffffea0006b63860 ffffea0006b51420 ffff8801da5d6840 0000000000000000
[ 24.650925] page dumped because: kasan: bad access detected
[ 24.656602]
[ 24.658201] Memory state around the buggy address:
[ 24.663101]  ffff8801ad832f00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 24.670429]  ffff8801ad832f80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 24.677762] >ffff8801ad833000: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 24.685090]                    ^
[ 24.688427]  ffff8801ad833080: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 24.695757]  ffff8801ad833100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 24.703085] ==================================================================
[ 24.710412] Disabling lock debugging due to kernel taint
[ 24.715898] Kernel panic - not syncing: panic_on_warn set ...
[ 24.715898]
[ 24.723241] CPU: 1 PID: 4419 Comm: syzkaller726813 Tainted: G B 4.16.0-rc7+ #9
[ 24.731784] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 24.741641] Call Trace:
[ 24.744205]  dump_stack+0x194/0x24d
[ 24.747801]  ? arch_local_irq_restore+0x53/0x53
[ 24.752438]  ? kasan_end_report+0x32/0x50
[ 24.756556]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 24.761280]  ? vsnprintf+0x1ed/0x1900
[ 24.765050]  ? __ext4_check_dir_entry+0x280/0x320
[ 24.769864]  panic+0x1e4/0x41c
[ 24.773030]  ? refcount_error_report+0x214/0x214
[ 24.777756]  ? add_taint+0x1c/0x50
[ 24.781264]  ? add_taint+0x1c/0x50
[ 24.784775]  ? __ext4_check_dir_entry+0x2de/0x320
[ 24.789586]  kasan_end_report+0x50/0x50
[ 24.793527]  kasan_report+0x149/0x360
[ 24.797298]  __asan_report_load2_noabort+0x14/0x20
[ 24.802198]  __ext4_check_dir_entry+0x2de/0x320
[ 24.806866]  ext4_readdir+0xd00/0x3600
[ 24.810741]  ? lock_release+0xa40/0xa40
[ 24.814695]  ? trace_hardirqs_off+0x10/0x10
[ 24.818991]  ? __ext4_check_dir_entry+0x320/0x320
[ 24.823823]  ? mntput_no_expire+0x15e/0xa90
[ 24.828117]  ? lock_acquire+0x1d5/0x580
[ 24.832062]  ? lock_acquire+0x1d5/0x580
[ 24.836014]  ? iterate_dir+0xc3/0x530
[ 24.839795]  ? lock_release+0xa40/0xa40
[ 24.843740]  ? check_same_owner+0x320/0x320
[ 24.848032]  ? mntput+0x66/0x90
[ 24.851280]  ? rcu_note_context_switch+0x710/0x710
[ 24.856180]  ? __might_sleep+0x95/0x190
[ 24.860124]  ? down_read_killable+0x95/0x180
[ 24.864504]  ? iterate_dir+0xc3/0x530
[ 24.868279]  ? down_write+0x120/0x120
[ 24.872050]  iterate_dir+0x1ca/0x530
[ 24.875736]  SyS_getdents64+0x221/0x420
[ 24.879679]  ? SyS_getdents+0x450/0x450
[ 24.883623]  ? ext4_llseek+0x237/0x2a0
[ 24.887484]  ? iterate_dir+0x530/0x530
[ 24.891342]  ? ext4_dir_llseek+0x187/0x200
[ 24.895552]  ? do_syscall_64+0xb7/0x940
[ 24.899493]  ? SyS_getdents+0x450/0x450
[ 24.903436]  do_syscall_64+0x281/0x940
[ 24.907290]  ? do_syscall_64+0x281/0x940
[ 24.911328]  ? vmalloc_sync_all+0x30/0x30
[ 24.915443]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 24.920167]  ? syscall_return_slowpath+0x550/0x550
[ 24.925067]  ? syscall_return_slowpath+0x2ac/0x550
[ 24.929980]  ? prepare_exit_to_usermode+0x350/0x350
[ 24.934978]  ? entry_SYSCALL_64_after_hwframe+0x52/0xb7
[ 24.940323]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 24.945141]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 24.950302] RIP: 0033:0x43fd69
[ 24.953460] RSP: 002b:00007ffc4562e698 EFLAGS: 00000203 ORIG_RAX: 00000000000000d9
[ 24.961136] RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 000000000043fd69
[ 24.968388] RDX: 00000000200015fc RSI: 0000000020001540 RDI: 0000000000000003
[ 24.975626] RBP: 00000000006ca018 R08: 00000000004002c8 R09: 00000000004002c8
[ 24.982865] R10: 00000000004002c8 R11: 0000000000000203 R12: 0000000000401690
[ 24.990105] R13: 0000000000401720 R14: 0000000000000000 R15: 0000000000000000
[ 24.997822] Dumping ftrace buffer:
[ 25.001338]    (ftrace buffer empty)
[ 25.005017] Kernel Offset: disabled
[ 25.008613] Rebooting in 86400 seconds..