[ OK ] Started Getty on tty2.
[ OK ] Started Serial Getty on ttyS0.
[ OK ] Started Getty on tty1.
[ OK ] Reached target Login Prompts.
[ OK ] Started OpenBSD Secure Shell server.
Debian GNU/Linux 9 syzkaller ttyS0
Warning: Permanently added '10.128.1.42' (ECDSA) to the list of known hosts.
executing program
executing program
executing program
executing program
executing program
executing program
syzkaller login: [ 530.866324][ T6849] BTRFS: device fsid 3b7b29a3-d79d-449e-8760-f5c6064562ef devid 0 transid 5 /dev/loop4 scanned by syz-executor326 (6849)
[ 530.894465][ T6848] BTRFS warning (device ): duplicate device fsid:devid for 3b7b29a3-d79d-449e-8760-f5c6064562ef:0 old:/dev/loop4 new:/dev/loop5
[ 530.913253][ T6852] BTRFS warning (device ): duplicate device fsid:devid for 3b7b29a3-d79d-449e-8760-f5c6064562ef:0 old:/dev/loop4 new:/dev/loop0
executing program
[ 530.968051][ T6850] BTRFS warning (device ): duplicate device fsid:devid for 3b7b29a3-d79d-449e-8760-f5c6064562ef:0 old:/dev/loop4 new:/dev/loop1
executing program
executing program
[ 531.162004][ T6848] BTRFS: device fsid 3b7b29a3-d79d-449e-8760-f5c6064562ef devid 1 transid 5 /dev/loop5 scanned by syz-executor326 (6848)
[ 531.192024][ T6850] BTRFS warning (device ): duplicate device fsid:devid for 3b7b29a3-d79d-449e-8760-f5c6064562ef:1 old:/dev/loop5 new:/dev/loop1
[ 531.214860][ T6848] BTRFS info (device loop5): disk space caching is enabled
[ 531.226686][ T6848] BTRFS info (device loop5): has skinny extents
[ 531.233784][ T6848] BTRFS info (device loop5): flagging fs with big metadata feature
executing program
executing program
[ 531.280488][ T6849] BTRFS warning (device ): duplicate device fsid:devid for 3b7b29a3-d79d-449e-8760-f5c6064562ef:1 old:/dev/loop5 new:/dev/loop4
[ 531.314558][ T6853] BTRFS warning (device ): duplicate device fsid:devid for 3b7b29a3-d79d-449e-8760-f5c6064562ef:1 old:/dev/loop5 new:/dev/loop2
executing program
executing program
executing program
[ 531.335261][ T6854] BTRFS warning (device ): duplicate device fsid:devid for 3b7b29a3-d79d-449e-8760-f5c6064562ef:1 old:/dev/loop5 new:/dev/loop3
executing program
executing program
executing program
[ 531.402012][ T6878] BTRFS warning (device ): duplicate device fsid:devid for 3b7b29a3-d79d-449e-8760-f5c6064562ef:1 old:/dev/loop5 new:/dev/loop1
[ 531.423995][ T6893] BTRFS warning (device ): duplicate device fsid:devid for 3b7b29a3-d79d-449e-8760-f5c6064562ef:1 old:/dev/loop5 new:/dev/loop4
[ 531.459872][ T6909] BTRFS error (device loop5): bad tree block start, want 30556160 have 0
[ 531.508870][ T6848] BTRFS info (device loop5): read error corrected: ino 0 off 30556160 (dev /dev/loop5 sector 76064)
[ 531.523988][ T6848] BTRFS info (device loop5): read error corrected: ino 0 off 30560256 (dev /dev/loop5 sector 76072)
[ 531.538397][ T6848] BTRFS info (device loop5): read error corrected: ino 0 off 30564352 (dev /dev/loop5 sector 76080)
[ 531.550973][ T6848] BTRFS info (device loop5): read error corrected: ino 0 off 30568448 (dev /dev/loop5 sector 76088)
[ 531.566218][ T6909] BTRFS error (device loop5): bad tree block start, want 30474240 have 0
[ 531.578623][ T6909] BTRFS error (device loop5): bad tree block start, want 30474240 have 0
executing program
[ 531.604504][ T6913] BTRFS warning (device loop5): duplicate device fsid:devid for 3b7b29a3-d79d-449e-8760-f5c6064562ef:1 old:/dev/loop5 new:/dev/loop1
[ 531.619796][ T6848] BTRFS warning (device loop5): failed to read root (objectid=7): -5
executing program
executing program
executing program
[ 531.706555][ T6848] BTRFS error (device loop5): open_ctree failed
[ 531.724150][ T6879] BTRFS info (device loop5): disk space caching is enabled
[ 531.732823][ T6879] BTRFS info (device loop5): has skinny extents
[ 531.740249][ T6879] BTRFS info (device loop5): flagging fs with big metadata feature
executing program
executing program
executing program
[ 531.837975][ T21] BTRFS error (device loop5): bad tree block start, want 30474240 have 0
executing program
[ 531.886417][ T21] BTRFS error (device loop5): bad tree block start, want 30474240 have 0
executing program
executing program
[ 531.940006][ T6879] BTRFS warning (device loop5): failed to read root (objectid=7): -5
executing program
executing program
executing program
executing program
[ 532.092963][ T6879] BTRFS error (device loop5): open_ctree failed
[ 532.103395][ T6906] BTRFS info (device loop5): disk space caching is enabled
[ 532.132403][ T6906] BTRFS info (device loop5): has skinny extents
executing program
executing program
executing program
executing program
[ 532.160779][ T6906] BTRFS info (device loop5): flagging fs with big metadata feature
executing program
executing program
executing program
executing program
[ 532.220479][ T21] BTRFS error (device loop5): bad tree block start, want 30474240 have 0
[ 532.240868][ T21] BTRFS error (device loop5): bad tree block start, want 30474240 have 0
[ 532.254326][ T6906] BTRFS warning (device loop5): failed to read root (objectid=7): -5
executing program
[ 532.308678][ T6906] BTRFS error (device loop5): open_ctree failed
[ 532.322126][ T6920] BTRFS info (device loop5): disk space caching is enabled
[ 532.332235][ T6920] BTRFS info (device loop5): has skinny extents
[ 532.350405][ T6920] BTRFS info (device loop5): flagging fs with big metadata feature
executing program
[ 532.387151][ T6906] ==================================================================
[ 532.396747][ T6906] BUG: KASAN: use-after-free in btrfs_printk+0x3eb/0x435
[ 532.404232][ T6906] Read of size 8 at addr ffff888089df86a8 by task syz-executor326/6906
[ 532.413080][ T6906]
[ 532.415496][ T6906] CPU: 1 PID: 6906 Comm: syz-executor326 Not tainted 5.9.0-rc6-syzkaller #0
[ 532.425128][ T6906] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 532.435851][ T6906] Call Trace:
[ 532.439474][ T6906] dump_stack+0x1d6/0x29e
[ 532.444470][ T6906] print_address_description+0x66/0x620
[ 532.450378][ T6906] ? printk+0x62/0x83
[ 532.454546][ T6906] ? _raw_spin_lock_irqsave+0x84/0xd0
[ 532.460161][ T6906] ? vprintk_emit+0x2f0/0x370
[ 532.465131][ T6906] kasan_report+0x132/0x1d0
[ 532.470618][ T6906] ? btrfs_printk+0x3eb/0x435
[ 532.476287][ T6906] btrfs_printk+0x3eb/0x435
[ 532.482208][ T6906] ? rcu_lock_acquire+0x5/0x30
[ 532.488598][ T6906] ? lock_is_held_type+0xb3/0xe0
[ 532.494961][ T6906] device_list_add+0x1a88/0x1d60
[ 532.500390][ T6906] btrfs_scan_one_device+0x196/0x490
[ 532.506524][ T6906] btrfs_mount_root+0x48f/0xb60
[ 532.511537][ T6906] ? vfs_parse_fs_string+0x150/0x1e0
[ 532.517357][ T6906] ? rcu_read_lock_sched_held+0x2f/0xa0
[ 532.523219][ T6906] ? trace_kfree+0xb2/0x100
[ 532.528066][ T6906] ? vfs_parse_fs_string+0x150/0x1e0
[ 532.534488][ T6906] legacy_get_tree+0xea/0x180
[ 532.539904][ T6906] ? btrfs_control_open+0x40/0x40
[ 532.545618][ T6906] vfs_get_tree+0x88/0x270
[ 532.550498][ T6906] vfs_kern_mount+0xc9/0x160
[ 532.555219][ T6906] btrfs_mount+0x33c/0xae0
[ 532.560174][ T6906] ? vfs_parse_fs_string+0x150/0x1e0
[ 532.566891][ T6906] ? rcu_read_lock_sched_held+0x2f/0xa0
[ 532.573200][ T6906] ? cap_capable+0x23f/0x280
[ 532.578527][ T6906] legacy_get_tree+0xea/0x180
[ 532.583325][ T6906] ? btrfs_resize_thread_pool+0x250/0x250
[ 532.589731][ T6906] vfs_get_tree+0x88/0x270
[ 532.594786][ T6906] path_mount+0x179d/0x29e0
[ 532.599800][ T6906] __se_sys_mount+0x126/0x180
[ 532.604689][ T6906] do_syscall_64+0x31/0x70
[ 532.609952][ T6906] entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 532.616823][ T6906] RIP: 0033:0x44972a
[ 532.621528][ T6906] Code: b8 08 00 00 00 0f 05 48 3d 01 f0 ff ff 0f 83 cd a2 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 0f 83 aa a2 fb ff c3 66 0f 1f 84 00 00 00 00 00
[ 532.647082][ T6906] RSP: 002b:00007ffd37523f08 EFLAGS: 00000293 ORIG_RAX: 00000000000000a5
[ 532.659386][ T6906] RAX: ffffffffffffffda RBX: 00007ffd37523f60 RCX: 000000000044972a
[ 532.669966][ T6906] RDX: 0000000020000000 RSI: 0000000020000100 RDI: 00007ffd37523f20
[ 532.680486][ T6906] RBP: 00007ffd37523f20 R08: 00007ffd37523f60 R09: 0000000000000000
[ 532.691246][ T6906] R10: 0000000000000000 R11: 0000000000000293 R12: 0000000000000053
[ 532.702244][ T6906] R13: 0000000000000004 R14: 0000000000000003 R15: 0000000000000003
[ 532.713198][ T6906]
[ 532.716156][ T6906] Allocated by task 6906:
[ 532.720794][ T6906] __kasan_kmalloc+0x100/0x130
[ 532.726502][ T6906] kvmalloc_node+0x81/0x110
[ 532.731396][ T6906] btrfs_mount_root+0xd0/0xb60
[ 532.736413][ T6906] legacy_get_tree+0xea/0x180
[ 532.741177][ T6906] vfs_get_tree+0x88/0x270
[ 532.746200][ T6906] vfs_kern_mount+0xc9/0x160
[ 532.751245][ T6906] btrfs_mount+0x33c/0xae0
[ 532.756063][ T6906] legacy_get_tree+0xea/0x180
[ 532.761436][ T6906] vfs_get_tree+0x88/0x270
[ 532.766310][ T6906] path_mount+0x179d/0x29e0
[ 532.771506][ T6906] __se_sys_mount+0x126/0x180
[ 532.776395][ T6906] do_syscall_64+0x31/0x70
[ 532.781110][ T6906] entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 532.788781][ T6906]
[ 532.791536][ T6906] Freed by task 6906:
[ 532.795634][ T6906] kasan_set_track+0x3d/0x70
[ 532.800353][ T6906] kasan_set_free_info+0x17/0x30
[ 532.805685][ T6906] __kasan_slab_free+0xdd/0x110
[ 532.810975][ T6906] kfree+0x113/0x200
[ 532.815396][ T6906] deactivate_locked_super+0xa7/0xf0
[ 532.821168][ T6906] btrfs_mount_root+0x72b/0xb60
[ 532.826118][ T6906] legacy_get_tree+0xea/0x180
[ 532.831368][ T6906] vfs_get_tree+0x88/0x270
[ 532.836344][ T6906] vfs_kern_mount+0xc9/0x160
[ 532.841454][ T6906] btrfs_mount+0x33c/0xae0
[ 532.846855][ T6906] legacy_get_tree+0xea/0x180
[ 532.852174][ T6906] vfs_get_tree+0x88/0x270
[ 532.857171][ T6906] path_mount+0x179d/0x29e0
[ 532.862141][ T6906] __se_sys_mount+0x126/0x180
[ 532.867425][ T6906] do_syscall_64+0x31/0x70
[ 532.872664][ T6906] entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 532.879910][ T6906]
[ 532.882385][ T6906] The buggy address belongs to the object at ffff888089df8000
[ 532.882385][ T6906] which belongs to the cache kmalloc-16k of size 16384
[ 532.898499][ T6906] The buggy address is located 1704 bytes inside of
[ 532.898499][ T6906] 16384-byte region [ffff888089df8000, ffff888089dfc000)
[ 532.912797][ T6906] The buggy address belongs to the page:
[ 532.918853][ T6906] page:000000006dea76c1 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x89df8
[ 532.929612][ T6906] head:000000006dea76c1 order:3 compound_mapcount:0 compound_pincount:0
[ 532.938356][ T6906] flags: 0xfffe0000010200(slab|head)
[ 532.944874][ T6906] raw: 00fffe0000010200 ffffea000222f808 ffffea0002210008 ffff8880aa440b00
[ 532.954196][ T6906] raw: 0000000000000000 ffff888089df8000 0000000100000001 0000000000000000
[ 532.963985][ T6906] page dumped because: kasan: bad access detected
[ 532.970918][ T6906]
[ 532.973403][ T6906] Memory state around the buggy address:
[ 532.979528][ T6906] ffff888089df8580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 532.988316][ T6906] ffff888089df8600: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 532.997813][ T6906] >ffff888089df8680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 533.006806][ T6906] ^
[ 533.012647][ T6906] ffff888089df8700: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 533.020923][ T6906] ffff888089df8780: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 533.029413][ T6906] ==================================================================
executing program
executing program
executing program
[ 533.038070][ T6906] Disabling lock debugging due to kernel taint
[ 533.049749][ T6906] Kernel panic - not syncing: panic_on_warn set ...
[ 533.056594][ T6906] CPU: 1 PID: 6906 Comm: syz-executor326 Tainted: G B 5.9.0-rc6-syzkaller #0
[ 533.068847][ T6906] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 533.081001][ T6906] Call Trace:
[ 533.084855][ T6906] dump_stack+0x1d6/0x29e
executing program
executing program
executing program
executing program
[ 533.089680][ T6906] panic+0x2c0/0x800
[ 533.094205][ T6906] ? trace_hardirqs_on+0x30/0x80
[ 533.099438][ T6906] kasan_report+0x1c9/0x1d0
[ 533.104107][ T6906] ? btrfs_printk+0x3eb/0x435
[ 533.109183][ T6906] btrfs_printk+0x3eb/0x435
[ 533.113825][ T6906] ? rcu_lock_acquire+0x5/0x30
[ 533.118643][ T6906] ? lock_is_held_type+0xb3/0xe0
[ 533.124225][ T6906] device_list_add+0x1a88/0x1d60
[ 533.129684][ T6906] btrfs_scan_one_device+0x196/0x490
executing program
executing program
executing program
executing program
executing program
[ 533.135515][ T6906] btrfs_mount_root+0x48f/0xb60
[ 533.141555][ T6906] ? vfs_parse_fs_string+0x150/0x1e0
[ 533.148165][ T6906] ? rcu_read_lock_sched_held+0x2f/0xa0
[ 533.154290][ T6906] ? trace_kfree+0xb2/0x100
[ 533.159422][ T6906] ? vfs_parse_fs_string+0x150/0x1e0
[ 533.165711][ T6906] legacy_get_tree+0xea/0x180
[ 533.170803][ T6906] ? btrfs_control_open+0x40/0x40
[ 533.176615][ T6906] vfs_get_tree+0x88/0x270
[ 533.181814][ T6906] vfs_kern_mount+0xc9/0x160
executing program
executing program
executing program
executing program
executing program
executing program
[ 533.186767][ T6906] btrfs_mount+0x33c/0xae0
[ 533.191784][ T6906] ? vfs_parse_fs_string+0x150/0x1e0
[ 533.197819][ T6906] ? rcu_read_lock_sched_held+0x2f/0xa0
[ 533.203717][ T6906] ? cap_capable+0x23f/0x280
[ 533.209612][ T6906] legacy_get_tree+0xea/0x180
[ 533.214484][ T6906] ? btrfs_resize_thread_pool+0x250/0x250
[ 533.220569][ T6906] vfs_get_tree+0x88/0x270
[ 533.225178][ T6906] path_mount+0x179d/0x29e0
[ 533.230114][ T6906] __se_sys_mount+0x126/0x180
[ 533.234890][ T6906] do_syscall_64+0x31/0x70
executing program
executing program
executing program
executing program
executing program
[ 533.240095][ T6906] entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 533.248300][ T6906] RIP: 0033:0x44972a
[ 533.252528][ T6906] Code: b8 08 00 00 00 0f 05 48 3d 01 f0 ff ff 0f 83 cd a2 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 0f 83 aa a2 fb ff c3 66 0f 1f 84 00 00 00 00 00
[ 533.274458][ T6906] RSP: 002b:00007ffd37523f08 EFLAGS: 00000293 ORIG_RAX: 00000000000000a5
executing program
executing program
executing program
executing program
executing program
[ 533.284618][ T6906] RAX: ffffffffffffffda RBX: 00007ffd37523f60 RCX: 000000000044972a
[ 533.294707][ T6906] RDX: 0000000020000000 RSI: 0000000020000100 RDI: 00007ffd37523f20
[ 533.304909][ T6906] RBP: 00007ffd37523f20 R08: 00007ffd37523f60 R09: 0000000000000000
[ 533.315973][ T6906] R10: 0000000000000000 R11: 0000000000000293 R12: 0000000000000053
[ 533.325740][ T6906] R13: 0000000000000004 R14: 0000000000000003 R15: 0000000000000003
[ 533.335928][ T6906] Kernel Offset: disabled
[ 533.340558][ T6906] Rebooting in 86400 seconds..