Warning: Permanently added '10.128.1.59' (ECDSA) to the list of known hosts.
executing program
executing program
executing program
executing program
executing program
executing program
syzkaller login: [ 537.716855][ T27] audit: type=1400 audit(1602503685.096:8): avc: denied { execmem } for pid=6905 comm="syz-executor265" scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=process permissive=1
[ 537.765979][ T6914] BTRFS: device fsid 8ae5b401-4ad8-4168-8672-01e7db0b90b5 devid 0 transid 5 /dev/loop4 scanned by syz-executor265 (6914)
executing program
executing program
executing program
[ 538.010511][ T6914] BTRFS: device fsid 8ae5b401-4ad8-4168-8672-01e7db0b90b5 devid 1 transid 5 /dev/loop4 scanned by syz-executor265 (6914)
executing program
[ 538.076002][ T6913] BTRFS warning (device ): duplicate device fsid:devid for 8ae5b401-4ad8-4168-8672-01e7db0b90b5:1 old:/dev/loop4 new:/dev/loop0
[ 538.092678][ T6914] BTRFS info (device loop4): force clearing of disk cache
[ 538.100574][ T6914] BTRFS info (device loop4): disabling tree log
[ 538.107401][ T6914] BTRFS info (device loop4): disk space caching is enabled
executing program
executing program
[ 538.116001][ T6917] BTRFS warning (device ): duplicate device fsid:devid for 8ae5b401-4ad8-4168-8672-01e7db0b90b5:1 old:/dev/loop4 new:/dev/loop2
[ 538.116972][ T6914] BTRFS info (device loop4): has skinny extents
[ 538.149790][ T6918] BTRFS warning (device ): duplicate device fsid:devid for 8ae5b401-4ad8-4168-8672-01e7db0b90b5:1 old:/dev/loop4 new:/dev/loop1
[ 538.241052][ T6921] BTRFS warning (device ): duplicate device fsid:devid for 8ae5b401-4ad8-4168-8672-01e7db0b90b5:1 old:/dev/loop4 new:/dev/loop3
executing program
executing program
executing program
executing program
executing program
executing program
[ 538.361471][ T6939] BTRFS warning (device ): duplicate device fsid:devid for 8ae5b401-4ad8-4168-8672-01e7db0b90b5:1 old:/dev/loop4 new:/dev/loop0
executing program
[ 538.503335][ T6969] BTRFS warning (device loop4): duplicate device fsid:devid for 8ae5b401-4ad8-4168-8672-01e7db0b90b5:1 old:/dev/loop4 new:/dev/loop5
[ 538.518222][ T154] BTRFS error (device loop4): bad tree block start, want 30425088 have 0
executing program
[ 538.561418][ T154] BTRFS error (device loop4): bad tree block start, want 30425088 have 0
[ 538.584001][ T6914] BTRFS warning (device loop4): failed to read root (objectid=7): -5
executing program
executing program
[ 538.714848][ T6914] BTRFS error (device loop4): open_ctree failed
[ 538.727325][ T6967] BTRFS info (device loop4): force clearing of disk cache
[ 538.744121][ T6967] BTRFS info (device loop4): disabling tree log
[ 538.753327][ T6967] BTRFS info (device loop4): disk space caching is enabled
executing program
executing program
executing program
[ 538.763748][ T6967] BTRFS info (device loop4): has skinny extents
executing program
executing program
[ 538.818112][ T133] BTRFS error (device loop4): bad tree block start, want 30425088 have 0
[ 538.839875][ T133] BTRFS error (device loop4): bad tree block start, want 30425088 have 0
executing program
[ 538.862185][ T6967] BTRFS warning (device loop4): failed to read root (objectid=7): -5
executing program
[ 538.923101][ T6967] BTRFS error (device loop4): open_ctree failed
[ 538.934628][ T6972] BTRFS info (device loop4): force clearing of disk cache
[ 538.945943][ T6972] BTRFS info (device loop4): disabling tree log
[ 538.960181][ T6972] BTRFS info (device loop4): disk space caching is enabled
[ 538.969869][ T6972] BTRFS info (device loop4): has skinny extents
[ 538.990510][ T6967] ==================================================================
[ 538.998901][ T6967] BUG: KASAN: use-after-free in btrfs_printk+0x38b/0x40c
[ 539.005935][ T6967] Read of size 8 at addr ffff88808b5c06a8 by task syz-executor265/6967
[ 539.014169][ T6967]
[ 539.016510][ T6967] CPU: 0 PID: 6967 Comm: syz-executor265 Not tainted 5.9.0-rc8-syzkaller #0
[ 539.025180][ T6967] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 539.035318][ T6967] Call Trace:
[ 539.038700][ T6967] dump_stack+0x198/0x1fd
[ 539.043054][ T6967] ? btrfs_printk+0x38b/0x40c
[ 539.047746][ T6967] ? btrfs_printk+0x38b/0x40c
[ 539.052478][ T6967] print_address_description.constprop.0.cold+0xae/0x497
[ 539.059531][ T6967] ? btrfs_printk+0x38b/0x40c
[ 539.064257][ T6967] ? lockdep_hardirqs_off+0x96/0xd0
[ 539.069478][ T6967] ? vprintk_func+0x95/0x1d4
[ 539.074089][ T6967] ? btrfs_printk+0x38b/0x40c
[ 539.078803][ T6967] ? btrfs_printk+0x38b/0x40c
[ 539.083491][ T6967] kasan_report.cold+0x1f/0x37
[ 539.088272][ T6967] ? btrfs_printk+0x38b/0x40c
[ 539.092996][ T6967] btrfs_printk+0x38b/0x40c
[ 539.097520][ T6967] ? btrfs_put_super+0x38/0x38
[ 539.102348][ T6967] ? device_list_add+0xe79/0x1570
[ 539.107389][ T6967] ? lock_release+0x8f0/0x8f0
[ 539.112178][ T6967] ? __mutex_unlock_slowpath+0xe2/0x610
[ 539.118019][ T6967] ? _atomic_dec_and_lock+0x92/0x100
[ 539.123321][ T6967] ? wait_for_completion+0x260/0x260
[ 539.128635][ T6967] device_list_add.cold+0x58/0x2d2
[ 539.133771][ T6967] ? btrfs_alloc_device+0x5d0/0x5d0
[ 539.138987][ T6967] ? do_read_cache_page+0xe6/0x1390
[ 539.144218][ T6967] btrfs_scan_one_device+0x339/0x4a0
[ 539.149521][ T6967] ? device_list_add+0x1570/0x1570
[ 539.154650][ T6967] ? check_preemption_disabled+0x50/0x130
[ 539.160381][ T6967] ? kfree+0x221/0x2b0
[ 539.164496][ T6967] ? btrfs_mount_root+0x73d/0xbb0
[ 539.169534][ T6967] ? lockdep_hardirqs_on+0x53/0x100
[ 539.174758][ T6967] btrfs_mount_root+0x4d5/0xbb0
[ 539.179643][ T6967] ? parse_rescue_options+0x250/0x250
[ 539.185031][ T6967] ? lock_is_held_type+0xbb/0xf0
[ 539.189988][ T6967] ? rcu_read_lock_sched_held+0x3a/0xb0
[ 539.195549][ T6967] ? vfs_parse_fs_string+0xf3/0x150
[ 539.200749][ T6967] ? kfree+0x259/0x2b0
[ 539.204825][ T6967] ? vfs_parse_fs_string+0xf8/0x150
[ 539.210035][ T6967] ? vfs_parse_fs_param+0x550/0x550
[ 539.215249][ T6967] ? parse_rescue_options+0x250/0x250
[ 539.220627][ T6967] legacy_get_tree+0x105/0x220
[ 539.225405][ T6967] vfs_get_tree+0x89/0x2f0
[ 539.229834][ T6967] vfs_kern_mount.part.0+0xd3/0x170
[ 539.235046][ T6967] vfs_kern_mount+0x3c/0x60
[ 539.239560][ T6967] btrfs_mount+0x234/0xaa0
[ 539.243990][ T6967] ? btrfs_show_options+0x1080/0x1080
[ 539.249460][ T6967] ? cred_has_capability.isra.0+0x14e/0x2b0
[ 539.255364][ T6967] ? check_nnp_nosuid.isra.0+0x2a0/0x2a0
[ 539.261013][ T6967] ? rcu_read_lock_sched_held+0x33/0xb0
[ 539.266574][ T6967] ? kfree+0x259/0x2b0
[ 539.270655][ T6967] ? vfs_parse_fs_string+0xf8/0x150
[ 539.275912][ T6967] ? cap_capable+0x1f1/0x270
[ 539.280524][ T6967] ? btrfs_show_options+0x1080/0x1080
[ 539.285905][ T6967] legacy_get_tree+0x105/0x220
[ 539.290692][ T6967] vfs_get_tree+0x89/0x2f0
[ 539.295122][ T6967] path_mount+0x1387/0x20a0
[ 539.299643][ T6967] ? strncpy_from_user+0x2bf/0x3e0
[ 539.304853][ T6967] ? copy_mount_string+0x40/0x40
[ 539.309804][ T6967] ? getname_flags.part.0+0x1dd/0x4f0
[ 539.315200][ T6967] __x64_sys_mount+0x27f/0x300
[ 539.319976][ T6967] ? copy_mnt_ns+0xa60/0xa60
[ 539.324612][ T6967] ? check_preemption_disabled+0x50/0x130
[ 539.330354][ T6967] ? syscall_enter_from_user_mode+0x1d/0x60
[ 539.336300][ T6967] do_syscall_64+0x2d/0x70
[ 539.340733][ T6967] entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 539.346626][ T6967] RIP: 0033:0x44939a
[ 539.350589][ T6967] Code: b8 08 00 00 00 0f 05 48 3d 01 f0 ff ff 0f 83 cd a2 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 0f 83 aa a2 fb ff c3 66 0f 1f 84 00 00 00 00 00
[ 539.370197][ T6967] RSP: 002b:00007ffdc91e49f8 EFLAGS: 00000293 ORIG_RAX: 00000000000000a5
[ 539.378633][ T6967] RAX: ffffffffffffffda RBX: 00007ffdc91e4a50 RCX: 000000000044939a
[ 539.386616][ T6967] RDX: 0000000020000000 RSI: 0000000020000100 RDI: 00007ffdc91e4a10
[ 539.394600][ T6967] RBP: 00007ffdc91e4a10 R08: 00007ffdc91e4a50 R09: 0000000000000000
[ 539.402609][ T6967] R10: 0000000000000000 R11: 0000000000000293 R12: 000000000000004d
[ 539.410596][ T6967] R13: 0000000000000004 R14: 0000000000000003 R15: 0000000000000003
[ 539.418594][ T6967]
[ 539.420985][ T6967] Allocated by task 6967:
[ 539.425311][ T6967] kasan_save_stack+0x1b/0x40
[ 539.430013][ T6967] __kasan_kmalloc.constprop.0+0xbf/0xd0
[ 539.435685][ T6967] kvmalloc_node+0xb4/0xf0
[ 539.440091][ T6967] btrfs_mount_root+0x117/0xbb0
[ 539.444939][ T6967] legacy_get_tree+0x105/0x220
[ 539.449714][ T6967] vfs_get_tree+0x89/0x2f0
[ 539.454177][ T6967] vfs_kern_mount.part.0+0xd3/0x170
[ 539.459375][ T6967] vfs_kern_mount+0x3c/0x60
[ 539.463887][ T6967] btrfs_mount+0x234/0xaa0
[ 539.468317][ T6967] legacy_get_tree+0x105/0x220
[ 539.473097][ T6967] vfs_get_tree+0x89/0x2f0
[ 539.477531][ T6967] path_mount+0x1387/0x20a0
[ 539.482050][ T6967] __x64_sys_mount+0x27f/0x300
[ 539.486831][ T6967] do_syscall_64+0x2d/0x70
[ 539.491265][ T6967] entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 539.497170][ T6967]
[ 539.499497][ T6967] Freed by task 6967:
[ 539.503573][ T6967] kasan_save_stack+0x1b/0x40
[ 539.508232][ T6967] kasan_set_track+0x1c/0x30
[ 539.512805][ T6967] kasan_set_free_info+0x1b/0x30
[ 539.517748][ T6967] __kasan_slab_free+0xd8/0x120
[ 539.522578][ T6967] kfree+0x10e/0x2b0
[ 539.526474][ T6967] kvfree+0x42/0x50
[ 539.530280][ T6967] deactivate_locked_super+0x94/0x160
[ 539.535674][ T6967] btrfs_mount_root+0x772/0xbb0
[ 539.540505][ T6967] legacy_get_tree+0x105/0x220
[ 539.545271][ T6967] vfs_get_tree+0x89/0x2f0
[ 539.549694][ T6967] vfs_kern_mount.part.0+0xd3/0x170
[ 539.554895][ T6967] vfs_kern_mount+0x3c/0x60
[ 539.559397][ T6967] btrfs_mount+0x234/0xaa0
[ 539.563794][ T6967] legacy_get_tree+0x105/0x220
[ 539.568549][ T6967] vfs_get_tree+0x89/0x2f0
[ 539.572972][ T6967] path_mount+0x1387/0x20a0
[ 539.577479][ T6967] __x64_sys_mount+0x27f/0x300
[ 539.582236][ T6967] do_syscall_64+0x2d/0x70
[ 539.586646][ T6967] entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 539.592536][ T6967]
[ 539.594845][ T6967] The buggy address belongs to the object at ffff88808b5c0000
[ 539.594845][ T6967] which belongs to the cache kmalloc-16k of size 16384
[ 539.609069][ T6967] The buggy address is located 1704 bytes inside of
[ 539.609069][ T6967] 16384-byte region [ffff88808b5c0000, ffff88808b5c4000)
[ 539.622591][ T6967] The buggy address belongs to the page:
[ 539.628210][ T6967] page:00000000ee52e913 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x8b5c0
[ 539.638341][ T6967] head:00000000ee52e913 order:3 compound_mapcount:0 compound_pincount:0
[ 539.646640][ T6967] flags: 0xfffe0000010200(slab|head)
[ 539.651925][ T6967] raw: 00fffe0000010200 ffffea0002496608 ffffea0002181408 ffff8880aa040b00
[ 539.660498][ T6967] raw: 0000000000000000 ffff88808b5c0000 0000000100000001 0000000000000000
[ 539.669061][ T6967] page dumped because: kasan: bad access detected
[ 539.675557][ T6967]
[ 539.677865][ T6967] Memory state around the buggy address:
[ 539.683475][ T6967] ffff88808b5c0580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 539.691517][ T6967] ffff88808b5c0600: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 539.699567][ T6967] >ffff88808b5c0680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 539.707615][ T6967] ^
[ 539.712974][ T6967] ffff88808b5c0700: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
executing program
executing program
executing program
executing program
[ 539.721038][ T6967] ffff88808b5c0780: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 539.729070][ T6967] ==================================================================
[ 539.737103][ T6967] Disabling lock debugging due to kernel taint
[ 539.755357][ T6967] Kernel panic - not syncing: panic_on_warn set ...
[ 539.761956][ T6967] CPU: 0 PID: 6967 Comm: syz-executor265 Tainted: G B 5.9.0-rc8-syzkaller #0
executing program
executing program
[ 539.772040][ T6967] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 539.782097][ T6967] Call Trace:
[ 539.785394][ T6967] dump_stack+0x198/0x1fd
[ 539.789730][ T6967] ? btrfs_printk+0x2b8/0x40c
[ 539.794414][ T6967] panic+0x382/0x7fb
[ 539.798319][ T6967] ? __warn_printk+0xf3/0xf3
[ 539.802913][ T6967] ? preempt_schedule_common+0x59/0xc0
[ 539.808381][ T6967] ? btrfs_printk+0x38b/0x40c
[ 539.813063][ T6967] ? preempt_schedule_thunk+0x16/0x18
[ 539.818445][ T6967] ? trace_hardirqs_on+0x55/0x220
executing program
executing program
executing program
executing program
executing program
[ 539.823488][ T6967] ? btrfs_printk+0x38b/0x40c
[ 539.828167][ T6967] ? btrfs_printk+0x38b/0x40c
[ 539.832846][ T6967] end_report+0x4d/0x53
[ 539.836997][ T6967] kasan_report.cold+0xd/0x37
[ 539.841677][ T6967] ? btrfs_printk+0x38b/0x40c
[ 539.846360][ T6967] btrfs_printk+0x38b/0x40c
[ 539.850858][ T6967] ? btrfs_put_super+0x38/0x38
[ 539.855612][ T6967] ? device_list_add+0xe79/0x1570
[ 539.860639][ T6967] ? lock_release+0x8f0/0x8f0
[ 539.865318][ T6967] ? __mutex_unlock_slowpath+0xe2/0x610
[ 539.870872][ T6967] ? _atomic_dec_and_lock+0x92/0x100
[ 539.876170][ T6967] ? wait_for_completion+0x260/0x260
[ 539.881454][ T6967] device_list_add.cold+0x58/0x2d2
[ 539.886571][ T6967] ? btrfs_alloc_device+0x5d0/0x5d0
[ 539.891762][ T6967] ? do_read_cache_page+0xe6/0x1390
[ 539.896957][ T6967] btrfs_scan_one_device+0x339/0x4a0
[ 539.902228][ T6967] ? device_list_add+0x1570/0x1570
[ 539.907439][ T6967] ? check_preemption_disabled+0x50/0x130
[ 539.913156][ T6967] ? kfree+0x221/0x2b0
[ 539.917234][ T6967] ? btrfs_mount_root+0x73d/0xbb0
[ 539.922257][ T6967] ? lockdep_hardirqs_on+0x53/0x100
[ 539.927455][ T6967] btrfs_mount_root+0x4d5/0xbb0
[ 539.932323][ T6967] ? parse_rescue_options+0x250/0x250
[ 539.937744][ T6967] ? lock_is_held_type+0xbb/0xf0
[ 539.942689][ T6967] ? rcu_read_lock_sched_held+0x3a/0xb0
[ 539.948255][ T6967] ? vfs_parse_fs_string+0xf3/0x150
[ 539.953454][ T6967] ? kfree+0x259/0x2b0
[ 539.957590][ T6967] ? vfs_parse_fs_string+0xf8/0x150
[ 539.962816][ T6967] ? vfs_parse_fs_param+0x550/0x550
[ 539.968045][ T6967] ? parse_rescue_options+0x250/0x250
[ 539.973444][ T6967] legacy_get_tree+0x105/0x220
[ 539.978226][ T6967] vfs_get_tree+0x89/0x2f0
[ 539.982655][ T6967] vfs_kern_mount.part.0+0xd3/0x170
[ 539.987875][ T6967] vfs_kern_mount+0x3c/0x60
[ 539.992474][ T6967] btrfs_mount+0x234/0xaa0
[ 539.996897][ T6967] ? btrfs_show_options+0x1080/0x1080
[ 540.002265][ T6967] ? cred_has_capability.isra.0+0x14e/0x2b0
[ 540.008161][ T6967] ? check_nnp_nosuid.isra.0+0x2a0/0x2a0
[ 540.013790][ T6967] ? rcu_read_lock_sched_held+0x33/0xb0
[ 540.019325][ T6967] ? kfree+0x259/0x2b0
[ 540.023392][ T6967] ? vfs_parse_fs_string+0xf8/0x150
[ 540.028577][ T6967] ? cap_capable+0x1f1/0x270
[ 540.033158][ T6967] ? btrfs_show_options+0x1080/0x1080
[ 540.038564][ T6967] legacy_get_tree+0x105/0x220
[ 540.043303][ T6967] vfs_get_tree+0x89/0x2f0
[ 540.047698][ T6967] path_mount+0x1387/0x20a0
[ 540.052180][ T6967] ? strncpy_from_user+0x2bf/0x3e0
[ 540.057268][ T6967] ? copy_mount_string+0x40/0x40
[ 540.062192][ T6967] ? getname_flags.part.0+0x1dd/0x4f0
[ 540.067558][ T6967] __x64_sys_mount+0x27f/0x300
[ 540.072314][ T6967] ? copy_mnt_ns+0xa60/0xa60
[ 540.076904][ T6967] ? check_preemption_disabled+0x50/0x130
[ 540.082609][ T6967] ? syscall_enter_from_user_mode+0x1d/0x60
[ 540.088483][ T6967] do_syscall_64+0x2d/0x70
[ 540.092896][ T6967] entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 540.098779][ T6967] RIP: 0033:0x44939a
[ 540.102657][ T6967] Code: b8 08 00 00 00 0f 05 48 3d 01 f0 ff ff 0f 83 cd a2 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 0f 83 aa a2 fb ff c3 66 0f 1f 84 00 00 00 00 00
[ 540.122239][ T6967] RSP: 002b:00007ffdc91e49f8 EFLAGS: 00000293 ORIG_RAX: 00000000000000a5
[ 540.130633][ T6967] RAX: ffffffffffffffda RBX: 00007ffdc91e4a50 RCX: 000000000044939a
[ 540.138579][ T6967] RDX: 0000000020000000 RSI: 0000000020000100 RDI: 00007ffdc91e4a10
[ 540.146541][ T6967] RBP: 00007ffdc91e4a10 R08: 00007ffdc91e4a50 R09: 0000000000000000
[ 540.154506][ T6967] R10: 0000000000000000 R11: 0000000000000293 R12: 000000000000004d
[ 540.162475][ T6967] R13: 0000000000000004 R14: 0000000000000003 R15: 0000000000000003
[ 540.171956][ T6967] Kernel Offset: disabled
[ 540.176293][ T6967] Rebooting in 86400 seconds..