[ OK ] Reached target Graphical Interface.
Starting Update UTMP about System Runlevel Changes...
[ OK ] Started Update UTMP about System Runlevel Changes.
Starting Load/Save RF Kill Switch Status...
[ OK ] Started Load/Save RF Kill Switch Status.

Debian GNU/Linux 9 syzkaller ttyS0

Warning: Permanently added '10.128.15.206' (ECDSA) to the list of known hosts.

syzkaller login: [ 34.981240] audit: type=1400 audit(1588641594.254:8): avc: denied { execmem } for pid=6329 comm="syz-executor085" scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=process permissive=1
[ 35.218333] IPVS: ftp: loaded support on port[0] = 21
[ 36.050585] chnl_net:caif_netlink_parms(): no params data found
[ 36.183244] bridge0: port 1(bridge_slave_0) entered blocking state
[ 36.190419] bridge0: port 1(bridge_slave_0) entered disabled state
[ 36.198259] device bridge_slave_0 entered promiscuous mode
[ 36.206330] bridge0: port 2(bridge_slave_1) entered blocking state
[ 36.213032] bridge0: port 2(bridge_slave_1) entered disabled state
[ 36.220536] device bridge_slave_1 entered promiscuous mode
[ 36.237970] bond0: Enslaving bond_slave_0 as an active interface with an up link
[ 36.246916] bond0: Enslaving bond_slave_1 as an active interface with an up link
[ 36.264932] IPv6: ADDRCONF(NETDEV_UP): team_slave_0: link is not ready
[ 36.272308] team0: Port device team_slave_0 added
[ 36.278291] IPv6: ADDRCONF(NETDEV_UP): team_slave_1: link is not ready
[ 36.285918] team0: Port device team_slave_1 added
[ 36.302323] batman_adv: batadv0: Adding interface: batadv_slave_0
[ 36.308657] batman_adv: batadv0: The MTU of interface batadv_slave_0 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem.
[ 36.334023] batman_adv: batadv0: Not using interface batadv_slave_0 (retrying later): interface not active
[ 36.345408] batman_adv: batadv0: Adding interface: batadv_slave_1
[ 36.351791] batman_adv: batadv0: The MTU of interface batadv_slave_1 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem.
[ 36.377016] batman_adv: batadv0: Not using interface batadv_slave_1 (retrying later): interface not active
[ 36.388149] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_0: link is not ready
[ 36.395548] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_1: link is not ready
[ 36.448991] device hsr_slave_0 entered promiscuous mode
[ 36.486665] device hsr_slave_1 entered promiscuous mode
[ 36.537186] IPv6: ADDRCONF(NETDEV_UP): hsr_slave_0: link is not ready
[ 36.544343] IPv6: ADDRCONF(NETDEV_UP): hsr_slave_1: link is not ready
[ 36.611451] bridge0: port 2(bridge_slave_1) entered blocking state
[ 36.617884] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 36.624717] bridge0: port 1(bridge_slave_0) entered blocking state
[ 36.631737] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 36.661460] IPv6: ADDRCONF(NETDEV_UP): bond0: link is not ready
[ 36.669011] 8021q: adding VLAN 0 to HW filter on device bond0
[ 36.677739] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
[ 36.685921] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 36.695327] bridge0: port 1(bridge_slave_0) entered disabled state
[ 36.712723] bridge0: port 2(bridge_slave_1) entered disabled state
[ 36.723036] IPv6: ADDRCONF(NETDEV_UP): team0: link is not ready
[ 36.729434] 8021q: adding VLAN 0 to HW filter on device team0
[ 36.738226] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[ 36.745902] bridge0: port 1(bridge_slave_0) entered blocking state
[ 36.752308] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 36.762224] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[ 36.770332] bridge0: port 2(bridge_slave_1) entered blocking state
[ 36.777528] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 36.792703] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready
[ 36.800457] IPv6: ADDRCONF(NETDEV_CHANGE): team0: link becomes ready
[ 36.811195] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready
[ 36.823200] hsr0: Slave A (hsr_slave_0) is not up; please bring it up to get a fully working HSR network
[ 36.834383] hsr0: Slave B (hsr_slave_1) is not up; please bring it up to get a fully working HSR network
[ 36.845963] IPv6: ADDRCONF(NETDEV_UP): hsr0: link is not ready
[ 36.853760] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
[ 36.862000] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
[ 36.870188] IPv6: ADDRCONF(NETDEV_CHANGE): hsr0: link becomes ready
[ 36.881466] IPv6: ADDRCONF(NETDEV_UP): vxcan0: link is not ready
[ 36.890271] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan0: link becomes ready
[ 36.897597] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan1: link becomes ready
[ 36.907978] 8021q: adding VLAN 0 to HW filter on device batadv0
[ 36.962531] IPv6: ADDRCONF(NETDEV_UP): veth0_virt_wifi: link is not ready
[ 36.973210] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_virt_wifi: link becomes ready
[ 37.004429] IPv6: ADDRCONF(NETDEV_UP): veth0_vlan: link is not ready
[ 37.012211] IPv6: ADDRCONF(NETDEV_UP): vlan0: link is not ready
[ 37.019875] IPv6: ADDRCONF(NETDEV_UP): vlan1: link is not ready
[ 37.029352] IPv6: ADDRCONF(NETDEV_CHANGE): bond0: link becomes ready
[ 37.037158] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_vlan: link becomes ready
[ 37.044548] IPv6: ADDRCONF(NETDEV_CHANGE): vlan0: link becomes ready
[ 37.051699] IPv6: ADDRCONF(NETDEV_CHANGE): vlan1: link becomes ready
[ 37.060661] device veth0_vlan entered promiscuous mode
[ 37.070254] device veth1_vlan entered promiscuous mode
[ 37.083205] IPv6: ADDRCONF(NETDEV_UP): veth0_macvtap: link is not ready
[ 37.092409] IPv6: ADDRCONF(NETDEV_UP): veth1_macvtap: link is not ready
[ 37.101170] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_macvtap: link becomes ready
[ 37.109792] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_macvtap: link becomes ready
[ 37.119848] device veth0_macvtap entered promiscuous mode
[ 37.126249] IPv6: ADDRCONF(NETDEV_UP): macvtap0: link is not ready
[ 37.134211] device veth1_macvtap entered promiscuous mode
[ 37.140629] IPv6: ADDRCONF(NETDEV_UP): macsec0: link is not ready
[ 37.149525] IPv6: ADDRCONF(NETDEV_UP): veth0_to_batadv: link is not ready
[ 37.159753] IPv6: ADDRCONF(NETDEV_UP): veth1_to_batadv: link is not ready
[ 37.169301] IPv6: ADDRCONF(NETDEV_UP): batadv_slave_0: link is not ready
[ 37.177207] batman_adv: batadv0: Interface activated: batadv_slave_0
[ 37.183974] IPv6: ADDRCONF(NETDEV_CHANGE): macvtap0: link becomes ready
[ 37.192552] IPv6: ADDRCONF(NETDEV_CHANGE): macsec0: link becomes ready
[ 37.200323] IPv6: ADDRCONF(NETDEV_CHANGE): batadv_slave_0: link becomes ready
[ 37.208566] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_batadv: link becomes ready
[ 37.219924] IPv6: ADDRCONF(NETDEV_UP): batadv_slave_1: link is not ready
[ 37.227313] batman_adv: batadv0: Interface activated: batadv_slave_1
[ 37.233940] IPv6: ADDRCONF(NETDEV_CHANGE): batadv_slave_1: link becomes ready
[ 37.242266] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_batadv: link becomes ready
executing program
[ 37.323709] audit: type=1800 audit(1588641596.595:9): pid=6558 uid=0 auid=0 ses=5 subj=system_u:system_r:kernel_t:s0 op="collect_data" cause="failed(directio)" comm="syz-executor085" name="file0" dev="sda1" ino=15703 res=0
[ 37.353825] MINIX-fs: mounting unchecked file system, running fsck is recommended
[ 37.374141] Process accounting resumed
[ 37.381302] syz-executor085 (6330) used greatest stack depth: 25440 bytes left
[ 37.394859] Process accounting resumed
[ 37.496850] ==================================================================
[ 37.505243] BUG: KASAN: use-after-free in get_block+0xfaa/0x10f0
[ 37.511611] Write of size 2 at addr ffff8880836b67b8 by task syz-executor085/6558
[ 37.519238]
[ 37.520847] CPU: 1 PID: 6558 Comm: syz-executor085 Not tainted 4.14.178-syzkaller #0
[ 37.528703] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 37.538034] Call Trace:
[ 37.540608] dump_stack+0x13e/0x194
[ 37.544239] ? get_block+0xfaa/0x10f0
[ 37.548018] print_address_description.cold+0x7c/0x1e2
[ 37.553270] ? get_block+0xfaa/0x10f0
[ 37.557047] kasan_report.cold+0xa9/0x2ae
[ 37.561184] get_block+0xfaa/0x10f0
[ 37.564806] ? block_to_path.isra.0+0x2d0/0x2d0
[ 37.569475] ? trace_hardirqs_on+0x10/0x10
[ 37.573712] ? lock_downgrade+0x6e0/0x6e0
[ 37.577852] ? __lock_acquire+0x5f7/0x4620
[ 37.582075] minix_get_block+0xd6/0x100
[ 37.586033] __block_write_begin_int+0x337/0x1030
[ 37.590856] ? minix_rename+0x760/0x760
[ 37.594810] ? __breadahead_gfp+0xd0/0xd0
[ 37.598934] ? wait_for_stable_page+0xe3/0x270
[ 37.603511] ? minix_rename+0x760/0x760
[ 37.607488] block_write_begin+0x58/0x260
[ 37.611622] minix_write_begin+0x35/0xc0
[ 37.615681] generic_perform_write+0x1c9/0x420
[ 37.620242] ? page_endio+0x540/0x540
[ 37.624033] ? current_time+0xb0/0xb0
[ 37.627815] ? lock_acquire+0x170/0x3f0
[ 37.631784] __generic_file_write_iter+0x227/0x590
[ 37.636723] generic_file_write_iter+0x2fa/0x650
[ 37.641453] ? iov_iter_init+0xa6/0x1c0
[ 37.645402] __vfs_write+0x44e/0x630
[ 37.649110] ? save_trace+0x290/0x290
[ 37.652882] ? kernel_read+0x110/0x110
[ 37.656746] ? save_trace+0x290/0x290
[ 37.660525] ? do_acct_process+0xc41/0xf60
[ 37.664746] __kernel_write+0xf5/0x330
[ 37.668698] do_acct_process+0xb49/0xf60
[ 37.672750] ? acct_put+0x40/0x40
[ 37.676180] ? pin_kill+0xfb/0x650
[ 37.679699] acct_pin_kill+0x28/0xe0
[ 37.683385] pin_kill+0x147/0x650
[ 37.686822] ? pin_insert+0x50/0x50
[ 37.690433] ? finish_wait+0x260/0x260
[ 37.694311] ? check_preemption_disabled+0x35/0x240
[ 37.699834] ? mnt_pin_kill+0x62/0x170
[ 37.703706] mnt_pin_kill+0x62/0x170
[ 37.707403] cleanup_mnt+0x110/0x140
[ 37.711131] task_work_run+0x113/0x190
[ 37.714998] do_exit+0x9f2/0x2b00
[ 37.718441] ? futex_lock_pi_atomic+0x131/0x220
[ 37.723102] ? mm_update_next_owner+0x5b0/0x5b0
[ 37.727753] ? get_signal+0x31c/0x1ca0
[ 37.731724] ? lock_downgrade+0x6e0/0x6e0
[ 37.738818] do_group_exit+0x100/0x310
[ 37.742683] get_signal+0x385/0x1ca0
[ 37.746378] do_signal+0x7c/0x1690
[ 37.749901] ? lock_acquire+0x170/0x3f0
[ 37.753882] ? lock_downgrade+0x6e0/0x6e0
[ 37.758019] ? setup_sigcontext+0x820/0x820
[ 37.762325] ? _raw_spin_unlock_irqrestore+0xa0/0xe0
[ 37.767406] ? debug_check_no_obj_freed+0x28e/0x6e4
[ 37.772399] ? check_preemption_disabled+0x35/0x240
[ 37.777395] ? SyS_futex+0x1e8/0x2c0
[ 37.781101] ? SyS_futex+0x1f2/0x2c0
[ 37.784908] ? exit_to_usermode_loop+0x41/0x220
[ 37.789567] exit_to_usermode_loop+0x159/0x220
[ 37.794141] do_syscall_64+0x4a3/0x640
[ 37.798012] entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 37.803177] RIP: 0033:0x44d1b9
[ 37.806353] RSP: 002b:00007feaf5b29cf8 EFLAGS: 00000246 ORIG_RAX: 00000000000000ca
[ 37.814042] RAX: fffffffffffffe00 RBX: 00000000006dfc28 RCX: 000000000044d1b9
[ 37.821287] RDX: 0000000000000000 RSI: 0000000000000080 RDI: 00000000006dfc28
[ 37.828543] RBP: 00000000006dfc20 R08: 0000000000000000 R09: 0000000000000000
[ 37.836929] R10: 0000000000000000 R11: 0000000000000246 R12: 00000000006dfc2c
[ 37.844347] R13: 00007fff7a4a0acf R14: 00007feaf5b2a9c0 R15: 00000000006dfc2c
[ 37.851599]
[ 37.853212] The buggy address belongs to the page:
[ 37.858404] page:ffffea00020dad80 count:0 mapcount:0 mapping: (null) index:0x1
[ 37.866532] flags: 0xfffe0000000000()
[ 37.870307] raw: 00fffe0000000000 0000000000000000 0000000000000001 00000000ffffffff
[ 37.878162] raw: ffffea00020f88a0 ffffea00022c86a0 0000000000000000 0000000000000000
[ 37.886025] page dumped because: kasan: bad access detected
[ 37.891706]
[ 37.893398] Memory state around the buggy address:
[ 37.898300] ffff8880836b6680: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 37.905651] ffff8880836b6700: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 37.913104] >ffff8880836b6780: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 37.920489] ^
[ 37.925715] ffff8880836b6800: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 37.933059] ffff8880836b6880: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 37.941393] ==================================================================
[ 37.949088] Disabling lock debugging due to kernel taint
[ 37.958733] Kernel panic - not syncing: panic_on_warn set ...
[ 37.958733]
[ 37.966121] CPU: 1 PID: 6558 Comm: syz-executor085 Tainted: G B 4.14.178-syzkaller #0
[ 37.975203] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 37.984532] Call Trace:
[ 37.987105] dump_stack+0x13e/0x194
[ 37.990732] panic+0x1f9/0x42d
[ 37.993904] ? add_taint.cold+0x16/0x16
[ 37.997857] ? preempt_schedule_common+0x4a/0xc0
[ 38.002594] ? get_block+0xfaa/0x10f0
[ 38.006374] ? ___preempt_schedule+0x16/0x18
[ 38.010796] ? get_block+0xfaa/0x10f0
[ 38.014574] kasan_end_report+0x43/0x49
[ 38.018538] kasan_report.cold+0x12f/0x2ae
[ 38.022757] get_block+0xfaa/0x10f0
[ 38.026381] ? block_to_path.isra.0+0x2d0/0x2d0
[ 38.031025] ? trace_hardirqs_on+0x10/0x10
[ 38.035249] ? lock_downgrade+0x6e0/0x6e0
[ 38.039385] ? __lock_acquire+0x5f7/0x4620
[ 38.043943] minix_get_block+0xd6/0x100
[ 38.047905] __block_write_begin_int+0x337/0x1030
[ 38.052723] ? minix_rename+0x760/0x760
[ 38.056674] ? __breadahead_gfp+0xd0/0xd0
[ 38.060797] ? wait_for_stable_page+0xe3/0x270
[ 38.065352] ? minix_rename+0x760/0x760
[ 38.069304] block_write_begin+0x58/0x260
[ 38.073425] minix_write_begin+0x35/0xc0
[ 38.077473] generic_perform_write+0x1c9/0x420
[ 38.082030] ? page_endio+0x540/0x540
[ 38.085814] ? current_time+0xb0/0xb0
[ 38.089602] ? lock_acquire+0x170/0x3f0
[ 38.093553] __generic_file_write_iter+0x227/0x590
[ 38.098459] generic_file_write_iter+0x2fa/0x650
[ 38.103188] ? iov_iter_init+0xa6/0x1c0
[ 38.107137] __vfs_write+0x44e/0x630
[ 38.114307] ? save_trace+0x290/0x290
[ 38.118081] ? kernel_read+0x110/0x110
[ 38.121959] ? save_trace+0x290/0x290
[ 38.125741] ? do_acct_process+0xc41/0xf60
[ 38.129951] __kernel_write+0xf5/0x330
[ 38.133901] do_acct_process+0xb49/0xf60
[ 38.137949] ? acct_put+0x40/0x40
[ 38.141410] ? pin_kill+0xfb/0x650
[ 38.144935] acct_pin_kill+0x28/0xe0
[ 38.148658] pin_kill+0x147/0x650
[ 38.152102] ? pin_insert+0x50/0x50
[ 38.155808] ? finish_wait+0x260/0x260
[ 38.160032] ? check_preemption_disabled+0x35/0x240
[ 38.165044] ? mnt_pin_kill+0x62/0x170
[ 38.168905] mnt_pin_kill+0x62/0x170
[ 38.172604] cleanup_mnt+0x110/0x140
[ 38.176305] task_work_run+0x113/0x190
[ 38.180188] do_exit+0x9f2/0x2b00
[ 38.183617] ? futex_lock_pi_atomic+0x131/0x220
[ 38.188263] ? mm_update_next_owner+0x5b0/0x5b0
[ 38.192907] ? get_signal+0x31c/0x1ca0
[ 38.196786] ? lock_downgrade+0x6e0/0x6e0
[ 38.200910] do_group_exit+0x100/0x310
[ 38.204779] get_signal+0x385/0x1ca0
[ 38.208471] do_signal+0x7c/0x1690
[ 38.211985] ? lock_acquire+0x170/0x3f0
[ 38.215932] ? lock_downgrade+0x6e0/0x6e0
[ 38.220053] ? setup_sigcontext+0x820/0x820
[ 38.224351] ? _raw_spin_unlock_irqrestore+0xa0/0xe0
[ 38.229430] ? debug_check_no_obj_freed+0x28e/0x6e4
[ 38.234445] ? check_preemption_disabled+0x35/0x240
[ 38.239440] ? SyS_futex+0x1e8/0x2c0
[ 38.243127] ? SyS_futex+0x1f2/0x2c0
[ 38.246817] ? exit_to_usermode_loop+0x41/0x220
[ 38.251462] exit_to_usermode_loop+0x159/0x220
[ 38.256021] do_syscall_64+0x4a3/0x640
[ 38.259888] entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 38.265053] RIP: 0033:0x44d1b9
[ 38.268222] RSP: 002b:00007feaf5b29cf8 EFLAGS: 00000246 ORIG_RAX: 00000000000000ca
[ 38.275917] RAX: fffffffffffffe00 RBX: 00000000006dfc28 RCX: 000000000044d1b9
[ 38.283160] RDX: 0000000000000000 RSI: 0000000000000080 RDI: 00000000006dfc28
[ 38.290402] RBP: 00000000006dfc20 R08: 0000000000000000 R09: 0000000000000000
[ 38.297655] R10: 0000000000000000 R11: 0000000000000246 R12: 00000000006dfc2c
[ 38.304897] R13: 00007fff7a4a0acf R14: 00007feaf5b2a9c0 R15: 00000000006dfc2c
[ 38.313438] Kernel Offset: disabled
[ 38.317061] Rebooting in 86400 seconds..