[ OK ] Reached target Graphical Interface.
       Starting Update UTMP about System Runlevel Changes...
       Starting Load/Save RF Kill Switch Status...
[ OK ] Started Update UTMP about System Runlevel Changes.
[ OK ] Started Load/Save RF Kill Switch Status.

Debian GNU/Linux 9 syzkaller ttyS0

Warning: Permanently added '10.128.10.11' (ECDSA) to the list of known hosts.
executing program
executing program
executing program
executing program

syzkaller login: [ 531.567127] audit: type=1400 audit(1600716438.912:8): avc: denied { execmem } for pid=6497 comm="syz-executor367" scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=process permissive=1
[ 531.601453] BTRFS: device fsid 3b7b29a3-d79d-449e-8760-f5c6064562ef devid 0 transid 5 /dev/loop3
executing program
executing program
[ 531.623128] BTRFS warning (device ): duplicate device fsid:devid for 3b7b29a3-d79d-449e-8760-f5c6064562ef:0 old:/dev/loop3 new:/dev/loop5
executing program
executing program
[ 531.833916] BTRFS: device fsid 3b7b29a3-d79d-449e-8760-f5c6064562ef devid 1 transid 5 /dev/loop3
executing program
[ 531.889541] BTRFS warning (device ): duplicate device fsid:devid for 3b7b29a3-d79d-449e-8760-f5c6064562ef:1 old:/dev/loop3 new:/dev/loop1
[ 531.910941] BTRFS info (device loop3): disk space caching is enabled
[ 531.920980] BTRFS info (device loop3): has skinny extents
[ 531.927408] BTRFS warning (device ): duplicate device fsid:devid for 3b7b29a3-d79d-449e-8760-f5c6064562ef:1 old:/dev/loop3 new:/dev/loop2
[ 531.932132] BTRFS info (device loop3): flagging fs with big metadata feature
[ 531.948464] BTRFS warning (device ): duplicate device fsid:devid for 3b7b29a3-d79d-449e-8760-f5c6064562ef:1 old:/dev/loop3 new:/dev/loop1
executing program
executing program
executing program
executing program
executing program
executing program
executing program
[ 532.021599] BTRFS warning (device ): duplicate device fsid:devid for 3b7b29a3-d79d-449e-8760-f5c6064562ef:1 old:/dev/loop3 new:/dev/loop0
[ 532.043468] BTRFS warning (device ): duplicate device fsid:devid for 3b7b29a3-d79d-449e-8760-f5c6064562ef:1 old:/dev/loop3 new:/dev/loop4
executing program
executing program
executing program
[ 532.104122] BTRFS warning (device ): duplicate device fsid:devid for 3b7b29a3-d79d-449e-8760-f5c6064562ef:1 old:/dev/loop3 new:/dev/loop0
[ 532.123748] BTRFS warning (device ): duplicate device fsid:devid for 3b7b29a3-d79d-449e-8760-f5c6064562ef:1 old:/dev/loop3 new:/dev/loop4
[ 532.139330] BTRFS error (device loop3): bad tree block start, want 30556160 have 0
executing program
executing program
[ 532.156263] BTRFS info (device loop3): read error corrected: ino 0 off 30556160 (dev /dev/loop3 sector 76064)
executing program
[ 532.217920] BTRFS info (device loop3): read error corrected: ino 0 off 30560256 (dev /dev/loop3 sector 76072)
[ 532.233627] BTRFS info (device loop3): read error corrected: ino 0 off 30564352 (dev /dev/loop3 sector 76080)
[ 532.255719] BTRFS info (device loop3): read error corrected: ino 0 off 30568448 (dev /dev/loop3 sector 76088)
executing program
[ 532.275909] BTRFS error (device loop3): bad tree block start, want 30474240 have 0
[ 532.286173] BTRFS error (device loop3): bad tree block start, want 30474240 have 0
[ 532.295072] BTRFS warning (device loop3): failed to read root (objectid=7): -5
executing program
[ 532.330050] BTRFS error (device loop3): open_ctree failed
[ 532.340340] BTRFS info (device loop3): disk space caching is enabled
[ 532.346871] BTRFS info (device loop3): has skinny extents
[ 532.356513] BTRFS info (device loop3): flagging fs with big metadata feature
executing program
executing program
executing program
executing program
executing program
executing program
[ 532.522808] BTRFS error (device loop3): bad tree block start, want 30474240 have 0
[ 532.536101] BTRFS error (device loop3): bad tree block start, want 30474240 have 0
[ 532.548797] BTRFS warning (device loop3): failed to read root (objectid=7): -5
executing program
executing program
executing program
[ 532.568720] BTRFS error (device loop3): open_ctree failed
[ 532.583760] BTRFS info (device loop3): disk space caching is enabled
[ 532.607175] BTRFS info (device loop3): has skinny extents
[ 532.614270] BTRFS info (device loop3): flagging fs with big metadata feature
[ 532.638876] ==================================================================
[ 532.646533] BUG: KASAN: use-after-free in btrfs_printk+0x3e6/0x468
[ 532.652868] Read of size 8 at addr ffff88808b008f60 by task syz-executor367/6551
[ 532.660467]
[ 532.662121] CPU: 0 PID: 6551 Comm: syz-executor367 Not tainted 4.19.146-syzkaller #0
[ 532.670007] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 532.679443] Call Trace:
[ 532.682152]  dump_stack+0x22c/0x33e
executing program
executing program
executing program
executing program
executing program
[ 532.685802]  print_address_description.cold+0x56/0x25c
[ 532.691123]  kasan_report_error.cold+0x66/0xb9
[ 532.695717]  ? btrfs_printk+0x3e6/0x468
[ 532.699721]  __asan_report_load8_noabort+0x88/0x90
[ 532.704672]  ? btrfs_printk+0x3e6/0x468
[ 532.708649]  btrfs_printk+0x3e6/0x468
[ 532.712462]  ? btrfs_show_devname.cold+0x63/0x63
[ 532.717232]  ? mntput_no_expire+0x170/0xb30
[ 532.721575]  ? __mutex_unlock_slowpath+0xea/0x660
[ 532.726476]  device_list_add+0xa10/0x1200
[ 532.730649]  ? btrfs_rm_dev_replace_free_srcdev+0x3f0/0x3f0
executing program
[ 532.736387]  ? do_read_cache_page+0xfe/0x1080
[ 532.740902]  btrfs_scan_one_device+0x33f/0xd70
[ 532.745506]  ? _raw_spin_unlock_irqrestore+0x6a/0xf0
[ 532.750627]  ? device_list_add+0x1200/0x1200
[ 532.755047]  ? kfree+0xa0/0x250
[ 532.758338]  ? btrfs_mount_root+0x107a/0x1830
[ 532.763088]  ? lockdep_hardirqs_on+0x3c1/0x5e0
[ 532.767684]  btrfs_mount_root+0x9df/0x1830
[ 532.771919]  ? btrfs_decode_error+0x70/0x70
[ 532.776262]  ? __mutex_unlock_slowpath+0xea/0x660
[ 532.781150]  ? check_preemption_disabled+0x41/0x2b0
[ 532.786158]  ? rcu_read_lock_sched_held+0x174/0x1e0
[ 532.791215]  ? pcpu_alloc+0xc9/0x1220
[ 532.795003]  ? __lockdep_init_map+0x100/0x5c0
[ 532.799487]  mount_fs+0xa3/0x318
[ 532.802845]  vfs_kern_mount.part.0+0x68/0x470
[ 532.807379]  ? kfree+0x110/0x250
[ 532.810733]  vfs_kern_mount+0x3c/0x60
[ 532.814521]  btrfs_mount+0x23a/0xa93
[ 532.818219]  ? btrfs_show_options+0xfd0/0xfd0
[ 532.822728]  ? __mutex_unlock_slowpath+0xea/0x660
[ 532.827579]  ? check_preemption_disabled+0x41/0x2b0
[ 532.832608]  ? rcu_read_lock_sched_held+0x174/0x1e0
[ 532.837642]  ? pcpu_alloc+0xc9/0x1220
[ 532.841427]  ? __lockdep_init_map+0x100/0x5c0
[ 532.845909]  mount_fs+0xa3/0x318
[ 532.849275]  vfs_kern_mount.part.0+0x68/0x470
[ 532.853755]  do_mount+0x51c/0x2f10
[ 532.857294]  ? check_preemption_disabled+0x41/0x2b0
[ 532.862293]  ? copy_mount_string+0x40/0x40
[ 532.866518]  ? kmem_cache_alloc_trace+0x379/0x4b0
[ 532.871354]  ? _copy_from_user+0xd2/0x130
[ 532.875496]  ? copy_mount_options+0x261/0x370
[ 532.879977]  ksys_mount+0xcf/0x130
[ 532.883503]  __x64_sys_mount+0xba/0x150
[ 532.887478]  ? lockdep_hardirqs_on+0x3c1/0x5e0
[ 532.892137]  do_syscall_64+0xf9/0x670
[ 532.896047]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 532.901288] RIP: 0033:0x44972a
[ 532.904480] Code: b8 08 00 00 00 0f 05 48 3d 01 f0 ff ff 0f 83 cd a2 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 0f 83 aa a2 fb ff c3 66 0f 1f 84 00 00 00 00 00
[ 532.923384] RSP: 002b:00007ffcb91f2428 EFLAGS: 00000293 ORIG_RAX: 00000000000000a5
[ 532.931085] RAX: ffffffffffffffda RBX: 00007ffcb91f2480 RCX: 000000000044972a
[ 532.939138] RDX: 0000000020000000 RSI: 0000000020000100 RDI: 00007ffcb91f2440
[ 532.946413] RBP: 00007ffcb91f2440 R08: 00007ffcb91f2480 R09: 0000000000000000
[ 532.953674] R10: 0000000000000000 R11: 0000000000000293 R12: 0000000000000053
[ 532.960932] R13: 0000000000000004 R14: 0000000000000003 R15: 0000000000000003
[ 532.968206]
[ 532.969839] Allocated by task 6551:
[ 532.973465]  __kmalloc_node+0x4c/0x70
[ 532.977285]  kvmalloc_node+0xb4/0xf0
[ 532.980986]  btrfs_mount_root+0x13f/0x1830
[ 532.985203]  mount_fs+0xa3/0x318
[ 532.988564]  vfs_kern_mount.part.0+0x68/0x470
[ 532.993041]  vfs_kern_mount+0x3c/0x60
[ 532.997432]  btrfs_mount+0x23a/0xa93
[ 533.001132]  mount_fs+0xa3/0x318
[ 533.004497]  vfs_kern_mount.part.0+0x68/0x470
[ 533.008983]  do_mount+0x51c/0x2f10
[ 533.012510]  ksys_mount+0xcf/0x130
[ 533.016034]  __x64_sys_mount+0xba/0x150
[ 533.019997]  do_syscall_64+0xf9/0x670
[ 533.023785]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 533.028950]
[ 533.030563] Freed by task 6551:
[ 533.033841]  kfree+0xcc/0x250
[ 533.037000]  kvfree+0x59/0x60
[ 533.040140]  deactivate_locked_super+0x8c/0x100
[ 533.044795]  btrfs_mount_root+0x10a0/0x1830
[ 533.049103]  mount_fs+0xa3/0x318
[ 533.052809]  vfs_kern_mount.part.0+0x68/0x470
[ 533.057304]  vfs_kern_mount+0x3c/0x60
[ 533.061090]  btrfs_mount+0x23a/0xa93
[ 533.064783]  mount_fs+0xa3/0x318
[ 533.068148]  vfs_kern_mount.part.0+0x68/0x470
[ 533.072625]  do_mount+0x51c/0x2f10
[ 533.076154]  ksys_mount+0xcf/0x130
[ 533.079682]  __x64_sys_mount+0xba/0x150
[ 533.083643]  do_syscall_64+0xf9/0x670
[ 533.087433]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 533.092609]
[ 533.094318] The buggy address belongs to the object at ffff88808b008940
[ 533.094318]  which belongs to the cache kmalloc-16384 of size 16384
[ 533.107459] The buggy address is located 1568 bytes inside of
[ 533.107459]  16384-byte region [ffff88808b008940, ffff88808b00c940)
[ 533.119619] The buggy address belongs to the page:
[ 533.124631] page:ffffea00022c0200 count:1 mapcount:0 mapping:ffff88812c3f5200 index:0x0 compound_mapcount: 0
[ 533.134595] flags: 0xfffe0000008100(slab|head)
[ 533.139302] raw: 00fffe0000008100 ffffea0002239408 ffffea0002222608 ffff88812c3f5200
[ 533.147208] raw: 0000000000000000 ffff88808b008940 0000000100000001 0000000000000000
[ 533.155074] page dumped because: kasan: bad access detected
[ 533.160766]
[ 533.162378] Memory state around the buggy address:
[ 533.167491]  ffff88808b008e00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 533.174931]  ffff88808b008e80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 533.182280] >ffff88808b008f00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
executing program
[ 533.189626]                                                        ^
[ 533.196115]  ffff88808b008f80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 533.203474]  ffff88808b009000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 533.210840] ==================================================================
[ 533.218186] Disabling lock debugging due to kernel taint
[ 533.232053] Kernel panic - not syncing: panic_on_warn set ...
[ 533.232053]
[ 533.239450] CPU: 1 PID: 6551 Comm: syz-executor367 Tainted: G    B             4.19.146-syzkaller #0
[ 533.248723] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 533.258075] Call Trace:
[ 533.260670]  dump_stack+0x22c/0x33e
[ 533.264308]  panic+0x2ac/0x565
[ 533.267505]  ? __warn_printk+0xf3/0xf3
[ 533.271398]  ? preempt_schedule_common+0x45/0xc0
[ 533.276157]  ? ___preempt_schedule+0x16/0x18
[ 533.280552]  ? trace_hardirqs_on+0x55/0x210
[ 533.284880]  kasan_end_report+0x43/0x49
[ 533.288841]  kasan_report_error.cold+0x83/0xb9
[ 533.293519]  ? btrfs_printk+0x3e6/0x468
[ 533.297485]  __asan_report_load8_noabort+0x88/0x90
[ 533.302412]  ? btrfs_printk+0x3e6/0x468
[ 533.306377]  btrfs_printk+0x3e6/0x468
[ 533.310167]  ? btrfs_show_devname.cold+0x63/0x63
[ 533.314909]  ? mntput_no_expire+0x170/0xb30
[ 533.319217]  ? __mutex_unlock_slowpath+0xea/0x660
[ 533.324045]  device_list_add+0xa10/0x1200
[ 533.328174]  ? btrfs_rm_dev_replace_free_srcdev+0x3f0/0x3f0
[ 533.333876]  ? do_read_cache_page+0xfe/0x1080
[ 533.338357]  btrfs_scan_one_device+0x33f/0xd70
[ 533.342946]  ? _raw_spin_unlock_irqrestore+0x6a/0xf0
[ 533.348047]  ? device_list_add+0x1200/0x1200
[ 533.352441]  ? kfree+0xa0/0x250
[ 533.355715]  ? btrfs_mount_root+0x107a/0x1830
[ 533.360193]  ? lockdep_hardirqs_on+0x3c1/0x5e0
[ 533.364768]  btrfs_mount_root+0x9df/0x1830
[ 533.368992]  ? btrfs_decode_error+0x70/0x70
[ 533.373353]  ? __mutex_unlock_slowpath+0xea/0x660
[ 533.378184]  ? check_preemption_disabled+0x41/0x2b0
[ 533.383187]  ? rcu_read_lock_sched_held+0x174/0x1e0
[ 533.388197]  ? pcpu_alloc+0xc9/0x1220
[ 533.391985]  ? __lockdep_init_map+0x100/0x5c0
[ 533.396483]  mount_fs+0xa3/0x318
[ 533.399836]  vfs_kern_mount.part.0+0x68/0x470
[ 533.404311]  ? kfree+0x110/0x250
[ 533.407659]  vfs_kern_mount+0x3c/0x60
[ 533.411440]  btrfs_mount+0x23a/0xa93
[ 533.415137]  ? btrfs_show_options+0xfd0/0xfd0
[ 533.419630]  ? __mutex_unlock_slowpath+0xea/0x660
[ 533.424460]  ? check_preemption_disabled+0x41/0x2b0
[ 533.429495]  ? rcu_read_lock_sched_held+0x174/0x1e0
[ 533.434508]  ? pcpu_alloc+0xc9/0x1220
[ 533.438289]  ? __lockdep_init_map+0x100/0x5c0
[ 533.442766]  mount_fs+0xa3/0x318
[ 533.446130]  vfs_kern_mount.part.0+0x68/0x470
[ 533.450604]  do_mount+0x51c/0x2f10
[ 533.454128]  ? check_preemption_disabled+0x41/0x2b0
[ 533.459124]  ? copy_mount_string+0x40/0x40
[ 533.463339]  ? kmem_cache_alloc_trace+0x379/0x4b0
[ 533.468166]  ? _copy_from_user+0xd2/0x130
[ 533.472294]  ? copy_mount_options+0x261/0x370
[ 533.476768]  ksys_mount+0xcf/0x130
[ 533.480288]  __x64_sys_mount+0xba/0x150
[ 533.484255]  ? lockdep_hardirqs_on+0x3c1/0x5e0
[ 533.488819]  do_syscall_64+0xf9/0x670
[ 533.492612]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 533.497781] RIP: 0033:0x44972a
[ 533.500954] Code: b8 08 00 00 00 0f 05 48 3d 01 f0 ff ff 0f 83 cd a2 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 0f 83 aa a2 fb ff c3 66 0f 1f 84 00 00 00 00 00
[ 533.519849] RSP: 002b:00007ffcb91f2428 EFLAGS: 00000293 ORIG_RAX: 00000000000000a5
[ 533.527584] RAX: ffffffffffffffda RBX: 00007ffcb91f2480 RCX: 000000000044972a
[ 533.534834] RDX: 0000000020000000 RSI: 0000000020000100 RDI: 00007ffcb91f2440
[ 533.542084] RBP: 00007ffcb91f2440 R08: 00007ffcb91f2480 R09: 0000000000000000
[ 533.549450] R10: 0000000000000000 R11: 0000000000000293 R12: 0000000000000053
[ 533.556700] R13: 0000000000000004 R14: 0000000000000003 R15: 0000000000000003
[ 533.565715] Kernel Offset: disabled
[ 533.569349] Rebooting in 86400 seconds..