[  OK  ] Reached target Graphical Interface.
         Starting Update UTMP about System Runlevel Changes...
[  OK  ] Started Update UTMP about System Runlevel Changes.
         Starting Load/Save RF Kill Switch Status...
[  OK  ] Started Load/Save RF Kill Switch Status.

Debian GNU/Linux 9 syzkaller ttyS0

Warning: Permanently added '10.128.0.110' (ECDSA) to the list of known hosts.
executing program
executing program
executing program
executing program
executing program
executing program
executing program

syzkaller login: [   33.176141] BTRFS: device fsid fcb2096b-ad15-4c2d-a9a0-86564f36bcc3 devid 0 transid 7 /dev/loop0
executing program
[   33.398648] BTRFS: device fsid fcb2096b-ad15-4c2d-a9a0-86564f36bcc3 devid 1 transid 7 /dev/loop4
[   33.436370] BTRFS warning (device ): duplicate device /dev/loop4 devid 1 generation 7 scanned by syz-executor461 (8125)
executing program
[   33.455820] BTRFS info (device loop5): disk space caching is enabled
[   33.471136] BTRFS info (device loop5): has skinny extents
executing program
executing program
executing program
executing program
executing program
executing program
[   33.500013] BTRFS warning (device ): duplicate device /dev/loop3 devid 1 generation 7 scanned by syz-executor461 (8124)
[   33.514124] BTRFS warning (device ): duplicate device /dev/loop2 devid 1 generation 7 scanned by syz-executor461 (8126)
[   33.528498] BTRFS warning (device ): duplicate device /dev/loop1 devid 1 generation 7 scanned by syz-executor461 (8127)
executing program
executing program
executing program
executing program
executing program
executing program
[   33.551953] BTRFS warning (device ): duplicate device /dev/loop4 devid 1 generation 7 scanned by systemd-udevd (8122)
[   33.577006] BTRFS warning (device ): duplicate device /dev/loop3 devid 1 generation 7 scanned by systemd-udevd (8159)
[   33.590929] BTRFS error (device loop5): bad tree block start, want 5267456 have 0
executing program
executing program
executing program
executing program
executing program
[   33.601602] BTRFS warning (device loop5): failed to read root (objectid=7): -5
[   33.629941] BTRFS warning (device loop5): duplicate device /dev/loop1 devid 1 generation 7 scanned by systemd-udevd (8148)
executing program
executing program
executing program
[   33.690059] BTRFS warning (device loop5): duplicate device /dev/loop2 devid 1 generation 7 scanned by systemd-udevd (8170)
executing program
[   33.757028] BTRFS error (device loop5): open_ctree failed
[   33.775507] BTRFS info (device loop5): disk space caching is enabled
[   33.796364] BTRFS info (device loop5): has skinny extents
executing program
[   33.820707] BTRFS error (device loop5): bad tree block start, want 5267456 have 0
[   33.830070] BTRFS warning (device loop5): failed to read root (objectid=7): -5
executing program
executing program
[   33.866173] BTRFS error (device loop5): open_ctree failed
executing program
executing program
executing program
[   33.919929] BTRFS info (device loop5): disk space caching is enabled
[   33.926469] BTRFS info (device loop5): has skinny extents
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
[   34.040052] BTRFS error (device loop5): bad tree block start, want 5267456 have 0
[   34.049783] BTRFS warning (device loop5): failed to read root (objectid=7): -5
executing program
[   34.100690] BTRFS error (device loop5): open_ctree failed
[   34.110652] BTRFS info (device loop5): disk space caching is enabled
[   34.119787] BTRFS info (device loop5): has skinny extents
[   34.138571] BTRFS error (device loop5): bad tree block start, want 5267456 have 0
executing program
executing program
[   34.146326] BTRFS warning (device loop5): failed to read root (objectid=7): -5
[   34.165805] BTRFS error (device loop5): open_ctree failed
[   34.175014] BTRFS warning (device loop5): duplicate device /dev/loop4 devid 1 generation 7 scanned by syz-executor461 (8207)
[   34.188637] BTRFS info (device loop5): disk space caching is enabled
[   34.194822] BTRFS warning (device loop5): duplicate device /dev/loop4 devid 1 generation 7 scanned by systemd-udevd (8139)
[   34.199801] BTRFS info (device loop5): has skinny extents
executing program
executing program
executing program
[   34.247758] BTRFS error (device loop5): bad tree block start, want 5267456 have 0
[   34.255555] BTRFS warning (device loop5): failed to read root (objectid=7): -5
[   34.276153] BTRFS error (device loop5): open_ctree failed
executing program
executing program
[   34.288278] BTRFS warning (device loop5): duplicate device /dev/loop3 devid 1 generation 7 scanned by syz-executor461 (8215)
[   34.307933] BTRFS info (device loop5): disk space caching is enabled
[   34.323269] BTRFS info (device loop5): has skinny extents
[   34.358814] ==================================================================
[   34.366358] BUG: KASAN: use-after-free in btrfs_printk+0x34f/0x3d0
[   34.372772] Read of size 8 at addr ffff888093c91a20 by task syz-executor461/8216
[   34.375896] BTRFS error (device loop5): bad tree block start, want 5267456 have 0
[   34.380303] 
[   34.380319] CPU: 1 PID: 8216 Comm: syz-executor461 Not tainted 4.19.155-syzkaller #0
[   34.380325] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
executing program
executing program
executing program
executing program
executing program
[   34.380329] Call Trace:
[   34.380346]  dump_stack+0x1fc/0x2fe
[   34.380365]  print_address_description.cold+0x54/0x219
[   34.380380]  kasan_report_error.cold+0x8a/0x1c7
[   34.380392]  ? btrfs_printk+0x34f/0x3d0
[   34.380402]  __asan_report_load8_noabort+0x88/0x90
[   34.380416]  ? btrfs_printk+0x34f/0x3d0
[   34.389941] BTRFS warning (device loop5): failed to read root (objectid=7): -5
[   34.397513]  btrfs_printk+0x34f/0x3d0
[   34.397531]  ? btrfs_show_devname.cold+0x18/0x18
[   34.397550]  ? __mutex_unlock_slowpath+0xea/0x610
executing program
executing program
executing program
executing program
executing program
executing program
executing program
[   34.397565]  ? lock_acquire+0x170/0x3c0
[   34.397584]  ? device_list_add+0x77d/0xdd0
[   34.397602]  device_list_add.cold+0x1a0/0x376
[   34.469253]  ? btrfs_rm_dev_replace_free_srcdev+0x450/0x450
[   34.474971]  btrfs_scan_one_device+0x33f/0xd00
[   34.479560]  ? _raw_spin_unlock_irqrestore+0x66/0xe0
[   34.484678]  ? debug_check_no_obj_freed+0x201/0x482
[   34.489696]  ? device_list_add+0xdd0/0xdd0
[   34.493935]  ? kfree+0x110/0x210
[   34.497308]  ? btrfs_mount_root+0x107a/0x1830
[   34.501802]  ? lockdep_hardirqs_on+0x3a8/0x5c0
executing program
executing program
executing program
executing program
executing program
executing program
executing program
[   34.506393]  btrfs_mount_root+0x9df/0x1830
[   34.510645]  ? btrfs_decode_error+0x70/0x70
[   34.514965]  ? __mutex_unlock_slowpath+0xea/0x610
[   34.519810]  ? check_preemption_disabled+0x41/0x280
[   34.524839]  ? rcu_read_lock_sched_held+0x16c/0x1d0
[   34.529867]  ? pcpu_alloc+0xc9/0x1190
[   34.533675]  ? __lockdep_init_map+0x100/0x5a0
[   34.538173]  mount_fs+0xa3/0x30c
[   34.541543]  vfs_kern_mount.part.0+0x68/0x470
[   34.546054]  ? kfree+0x110/0x210
[   34.549422]  vfs_kern_mount+0x3c/0x60
[   34.553231]  btrfs_mount+0x23a/0xa93
executing program
executing program
executing program
executing program
executing program
executing program
executing program
[   34.556949]  ? btrfs_show_options+0xfd0/0xfd0
[   34.561440]  ? __mutex_unlock_slowpath+0xea/0x610
[   34.566287]  ? check_preemption_disabled+0x41/0x280
[   34.571433]  ? rcu_read_lock_sched_held+0x16c/0x1d0
[   34.576440]  ? pcpu_alloc+0xc9/0x1190
[   34.580237]  ? __lockdep_init_map+0x100/0x5a0
[   34.584745]  mount_fs+0xa3/0x30c
[   34.588139]  vfs_kern_mount.part.0+0x68/0x470
[   34.592666]  do_mount+0x113c/0x2f10
[   34.596296]  ? cmp_ex_sort+0xc0/0xc0
[   34.600014]  ? __do_page_fault+0x180/0xd60
[   34.604260]  ? copy_mount_string+0x40/0x40
executing program
executing program
executing program
executing program
executing program
executing program
executing program
[   34.608495]  ? copy_mount_options+0x1cd/0x380
[   34.612996]  ? memset+0x20/0x40
[   34.616283]  ? copy_mount_options+0x26f/0x380
[   34.620778]  ksys_mount+0xcf/0x130
[   34.624451]  __x64_sys_mount+0xba/0x150
[   34.628421]  ? lockdep_hardirqs_on+0x3a8/0x5c0
[   34.633007]  do_syscall_64+0xf9/0x620
[   34.636822]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   34.642012] RIP: 0033:0x448b6a
executing program
executing program
executing program
executing program
executing program
executing program
[   34.645198] Code: b8 08 00 00 00 0f 05 48 3d 01 f0 ff ff 0f 83 cd a2 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 0f 83 aa a2 fb ff c3 66 0f 1f 84 00 00 00 00 00
[   34.664093] RSP: 002b:00007ffe686d8548 EFLAGS: 00000293 ORIG_RAX: 00000000000000a5
[   34.671812] RAX: ffffffffffffffda RBX: 00007ffe686d85a0 RCX: 0000000000448b6a
[   34.679088] RDX: 0000000020000000 RSI: 0000000020000100 RDI: 00007ffe686d8560
[   34.686364] RBP: 00007ffe686d8560 R08: 00007ffe686d85a0 R09: 0000000000000000
[   34.693654] R10: 0000000000000000 R11: 0000000000000293 R12: 000000000000002b
[   34.700924] R13: 0000000000000004 R14: 0000000000000003 R15: 0000000000000003
[   34.708190] 
executing program
executing program
executing program
executing program
executing program
executing program
executing program
[   34.709804] Allocated by task 8216:
[   34.713426]  __kmalloc_node+0x4c/0x70
[   34.717220]  kvmalloc_node+0xb4/0xf0
[   34.720931]  btrfs_mount_root+0x13f/0x1830
[   34.725170]  mount_fs+0xa3/0x30c
[   34.728541]  vfs_kern_mount.part.0+0x68/0x470
[   34.733046]  vfs_kern_mount+0x3c/0x60
[   34.736852]  btrfs_mount+0x23a/0xa93
[   34.740589]  mount_fs+0xa3/0x30c
[   34.743963]  vfs_kern_mount.part.0+0x68/0x470
[   34.748471]  do_mount+0x113c/0x2f10
[   34.752100]  ksys_mount+0xcf/0x130
[   34.755639]  __x64_sys_mount+0xba/0x150
executing program
executing program
executing program
executing program
executing program
executing program
executing program
[   34.759634]  do_syscall_64+0xf9/0x620
[   34.763441]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   34.768625] 
[   34.770248] Freed by task 8216:
[   34.773536]  kfree+0xcc/0x210
[   34.776646]  kvfree+0x59/0x60
[   34.779767]  deactivate_locked_super+0x94/0x160
[   34.784458]  btrfs_mount_root+0x10a0/0x1830
[   34.788787]  mount_fs+0xa3/0x30c
[   34.792151]  vfs_kern_mount.part.0+0x68/0x470
[   34.796644]  vfs_kern_mount+0x3c/0x60
[   34.800447]  btrfs_mount+0x23a/0xa93
[   34.804170]  mount_fs+0xa3/0x30c
executing program
executing program
executing program
executing program
executing program
executing program
executing program
[   34.807537]  vfs_kern_mount.part.0+0x68/0x470
[   34.812050]  do_mount+0x113c/0x2f10
[   34.815668]  ksys_mount+0xcf/0x130
[   34.819210]  __x64_sys_mount+0xba/0x150
[   34.823196]  do_syscall_64+0xf9/0x620
[   34.826994]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   34.832168] 
[   34.833801] The buggy address belongs to the object at ffff888093c91400
[   34.833801]  which belongs to the cache kmalloc-8192 of size 8192
[   34.846664] The buggy address is located 1568 bytes inside of
[   34.846664]  8192-byte region [ffff888093c91400, ffff888093c93400)
executing program
executing program
executing program
executing program
executing program
executing program
[   34.858714] The buggy address belongs to the page:
[   34.863643] page:ffffea00024f2400 count:1 mapcount:0 mapping:ffff88813bff2080 index:0x0 compound_mapcount: 0
[   34.873597] flags: 0xfff00000008100(slab|head)
[   34.878285] raw: 00fff00000008100 ffffea0002501108 ffffea000249f308 ffff88813bff2080
[   34.886179] raw: 0000000000000000 ffff888093c91400 0000000100000001 0000000000000000
[   34.894051] page dumped because: kasan: bad access detected
[   34.899750] 
[   34.901370] Memory state around the buggy address:
executing program
executing program
executing program
executing program
executing program
executing program
[   34.906305]  ffff888093c91900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   34.913666]  ffff888093c91980: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   34.921031] >ffff888093c91a00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   34.928391]                                ^
[   34.932799]  ffff888093c91a80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   34.940181]  ffff888093c91b00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   34.947551] ==================================================================
[   34.954926] Disabling lock debugging due to kernel taint
executing program
executing program
executing program
executing program
executing program
[   34.961517] Kernel panic - not syncing: panic_on_warn set ...
[   34.961517] 
[   34.968902] CPU: 1 PID: 8216 Comm: syz-executor461 Tainted: G    B             4.19.155-syzkaller #0
[   34.978165] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   34.987514] Call Trace:
[   34.990108]  dump_stack+0x1fc/0x2fe
[   34.993739]  panic+0x26a/0x50e
[   34.996931]  ? __warn_printk+0xf3/0xf3
[   35.000819]  ? preempt_schedule_common+0x45/0xc0
[   35.005574]  ? ___preempt_schedule+0x16/0x18
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
[   35.009977]  ? trace_hardirqs_on+0x55/0x210
[   35.014293]  kasan_end_report+0x43/0x49
[   35.018271]  kasan_report_error.cold+0xa7/0x1c7
[   35.022934]  ? btrfs_printk+0x34f/0x3d0
[   35.026895]  __asan_report_load8_noabort+0x88/0x90
[   35.031814]  ? btrfs_printk+0x34f/0x3d0
[   35.035788]  btrfs_printk+0x34f/0x3d0
[   35.039580]  ? btrfs_show_devname.cold+0x18/0x18
[   35.044341]  ? __mutex_unlock_slowpath+0xea/0x610
[   35.049185]  ? lock_acquire+0x170/0x3c0
[   35.053154]  ? device_list_add+0x77d/0xdd0
[   35.057376]  device_list_add.cold+0x1a0/0x376
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
[   35.061873]  ? btrfs_rm_dev_replace_free_srcdev+0x450/0x450
[   35.067569]  btrfs_scan_one_device+0x33f/0xd00
[   35.072145]  ? _raw_spin_unlock_irqrestore+0x66/0xe0
[   35.077240]  ? debug_check_no_obj_freed+0x201/0x482
[   35.082247]  ? device_list_add+0xdd0/0xdd0
[   35.086532]  ? kfree+0x110/0x210
[   35.089895]  ? btrfs_mount_root+0x107a/0x1830
[   35.094381]  ? lockdep_hardirqs_on+0x3a8/0x5c0
[   35.098953]  btrfs_mount_root+0x9df/0x1830
[   35.103194]  ? btrfs_decode_error+0x70/0x70
[   35.107553]  ? __mutex_unlock_slowpath+0xea/0x610
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
[   35.112392]  ? check_preemption_disabled+0x41/0x280
[   35.117402]  ? rcu_read_lock_sched_held+0x16c/0x1d0
[   35.122405]  ? pcpu_alloc+0xc9/0x1190
[   35.126201]  ? __lockdep_init_map+0x100/0x5a0
[   35.130700]  mount_fs+0xa3/0x30c
[   35.134063]  vfs_kern_mount.part.0+0x68/0x470
[   35.138560]  ? kfree+0x110/0x210
[   35.141961]  vfs_kern_mount+0x3c/0x60
[   35.145750]  btrfs_mount+0x23a/0xa93
[   35.149453]  ? btrfs_show_options+0xfd0/0xfd0
[   35.153939]  ? __mutex_unlock_slowpath+0xea/0x610
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
[   35.158778]  ? check_preemption_disabled+0x41/0x280
[   35.163883]  ? rcu_read_lock_sched_held+0x16c/0x1d0
[   35.168895]  ? pcpu_alloc+0xc9/0x1190
[   35.172696]  ? __lockdep_init_map+0x100/0x5a0
[   35.177184]  mount_fs+0xa3/0x30c
[   35.180555]  vfs_kern_mount.part.0+0x68/0x470
[   35.185055]  do_mount+0x113c/0x2f10
[   35.188678]  ? cmp_ex_sort+0xc0/0xc0
[   35.192395]  ? __do_page_fault+0x180/0xd60
[   35.196634]  ? copy_mount_string+0x40/0x40
[   35.200884]  ? copy_mount_options+0x1cd/0x380
[   35.205390]  ? memset+0x20/0x40
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
[   35.208663]  ? copy_mount_options+0x26f/0x380
[   35.213153]  ksys_mount+0xcf/0x130
[   35.216685]  __x64_sys_mount+0xba/0x150
[   35.220662]  ? lockdep_hardirqs_on+0x3a8/0x5c0
[   35.225236]  do_syscall_64+0xf9/0x620
[   35.229028]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   35.234213] RIP: 0033:0x448b6a
[   35.237400] Code: b8 08 00 00 00 0f 05 48 3d 01 f0 ff ff 0f 83 cd a2 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 0f 83 aa a2 fb ff c3 66 0f 1f 84 00 00 00 00 00
executing program
executing program
executing program
executing program
executing program
[   35.256298] RSP: 002b:00007ffe686d8548 EFLAGS: 00000293 ORIG_RAX: 00000000000000a5
[   35.264021] RAX: ffffffffffffffda RBX: 00007ffe686d85a0 RCX: 0000000000448b6a
[   35.271281] RDX: 0000000020000000 RSI: 0000000020000100 RDI: 00007ffe686d8560
[   35.278550] RBP: 00007ffe686d8560 R08: 00007ffe686d85a0 R09: 0000000000000000
[   35.285815] R10: 0000000000000000 R11: 0000000000000293 R12: 000000000000002b
[   35.293119] R13: 0000000000000004 R14: 0000000000000003 R15: 0000000000000003
[   35.300993] Kernel Offset: disabled
[   35.304606] Rebooting in 86400 seconds..