[  OK  ] Started OpenBSD Secure Shell server.
[  OK  ] Reached target Multi-User System.
[  OK  ] Reached target Graphical Interface.
         Starting Update UTMP about System Runlevel Changes...
[  OK  ] Started Update UTMP about System Runlevel Changes.

Debian GNU/Linux 9 syzkaller ttyS0

Warning: Permanently added '10.128.1.177' (ECDSA) to the list of known hosts.
executing program
syzkaller login: [   35.113275] F2FS-fs (loop0): Found nat_bits in checkpoint
[   35.147434] F2FS-fs (loop0): Mounted with checkpoint version = 48b305e5
[   35.239897] attempt to access beyond end of device
[   35.245449] loop0: rw=2049, want=57344, limit=40427
[   35.251825] attempt to access beyond end of device
[   35.258252] loop0: rw=2049, want=57352, limit=40427
executing program
[   35.490196] F2FS-fs (loop0): Found nat_bits in checkpoint
[   35.524632] F2FS-fs (loop0): Mounted with checkpoint version = 48b305e5
[   35.614527] attempt to access beyond end of device
[   35.619553] loop0: rw=2049, want=57344, limit=40427
[   35.626099] attempt to access beyond end of device
[   35.631095] loop0: rw=2049, want=57352, limit=40427
executing program
[   35.858063] F2FS-fs (loop0): Found nat_bits in checkpoint
[   35.892434] F2FS-fs (loop0): Mounted with checkpoint version = 48b305e5
[   35.981529] attempt to access beyond end of device
[   35.986560] loop0: rw=2049, want=57344, limit=40427
[   35.993668] attempt to access beyond end of device
[   35.998600] loop0: rw=2049, want=57352, limit=40427
executing program
[   36.216019] F2FS-fs (loop0): Found nat_bits in checkpoint
[   36.250408] F2FS-fs (loop0): Mounted with checkpoint version = 48b305e5
[   36.341590] attempt to access beyond end of device
[   36.341603] loop0: rw=2049, want=57344, limit=40427
[   36.343227] attempt to access beyond end of device
[   36.356589] loop0: rw=2049, want=57352, limit=40427
executing program
[   36.566115] F2FS-fs (loop0): Found nat_bits in checkpoint
[   36.599032] F2FS-fs (loop0): Mounted with checkpoint version = 48b305e5
[   36.691636] attempt to access beyond end of device
[   36.696583] loop0: rw=2049, want=57344, limit=40427
[   36.703108] attempt to access beyond end of device
[   36.708036] loop0: rw=2049, want=57352, limit=40427
executing program
[   37.048313] attempt to access beyond end of device
[   37.053694] loop0: rw=2049, want=57344, limit=40427
[   37.059830] attempt to access beyond end of device
[   37.064856] loop0: rw=2049, want=57352, limit=40427
executing program
[   37.400670] attempt to access beyond end of device
[   37.405655] loop0: rw=2049, want=57344, limit=40427
[   37.412101] attempt to access beyond end of device
[   37.417030] loop0: rw=2049, want=57352, limit=40427
executing program
[   37.747280] attempt to access beyond end of device
[   37.752272] loop0: rw=2049, want=57344, limit=40427
[   37.758476] attempt to access beyond end of device
[   37.764128] loop0: rw=2049, want=57352, limit=40427
executing program
[   38.098582] attempt to access beyond end of device
[   38.103566] loop0: rw=2049, want=57344, limit=40427
[   38.109633] attempt to access beyond end of device
[   38.115483] loop0: rw=2049, want=57352, limit=40427
executing program
[   38.439658] attempt to access beyond end of device
[   38.444781] loop0: rw=2049, want=57344, limit=40427
[   38.451102] attempt to access beyond end of device
[   38.456029] loop0: rw=2049, want=57352, limit=40427
[   38.495129] ==================================================================
[   38.502552] BUG: KASAN: slab-out-of-bounds in __exchange_data_block+0x2dbc/0x30a0
[   38.510150] Read of size 4 at addr ffff88809236c8a0 by task syz-executor263/8119
[   38.517671] 
[   38.519296] CPU: 0 PID: 8119 Comm: syz-executor263 Not tainted 4.14.307-syzkaller #0
[   38.527254] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/16/2023
[   38.536588] Call Trace:
[   38.539157]  dump_stack+0x1b2/0x281
[   38.542780]  print_address_description.cold+0x54/0x1d3
[   38.548038]  kasan_report_error.cold+0x8a/0x191
[   38.552695]  ? __exchange_data_block+0x2dbc/0x30a0
[   38.557601]  __asan_report_load4_noabort+0x68/0x70
[   38.562511]  ? unlock_page+0x30/0x120
[   38.566286]  ? __exchange_data_block+0x2dbc/0x30a0
[   38.571194]  __exchange_data_block+0x2dbc/0x30a0
[   38.575934]  ? punch_hole.part.0+0x220/0x220
[   38.580323]  ? lock_acquire+0x170/0x3f0
[   38.584281]  f2fs_ioctl+0x52b3/0x6b70
[   38.588057]  ? get_futex_key+0x11b0/0x11b0
[   38.592273]  ? f2fs_fallocate+0x26f0/0x26f0
[   38.596591]  ? lock_acquire+0x170/0x3f0
[   38.600558]  ? lock_downgrade+0x740/0x740
[   38.604687]  ? trace_hardirqs_on+0x10/0x10
[   38.608902]  ? futex_exit_release+0x220/0x220
[   38.613722]  ? _raw_spin_unlock_irqrestore+0x66/0xe0
[   38.618805]  ? debug_check_no_obj_freed+0x2c0/0x680
[   38.623799]  ? f2fs_fallocate+0x26f0/0x26f0
[   38.628096]  do_vfs_ioctl+0x75a/0xff0
[   38.631890]  ? lock_acquire+0x170/0x3f0
[   38.635843]  ? ioctl_preallocate+0x1a0/0x1a0
[   38.640227]  ? __fget+0x265/0x3e0
[   38.643656]  ? do_vfs_ioctl+0xff0/0xff0
[   38.647605]  ? security_file_ioctl+0x83/0xb0
[   38.651989]  SyS_ioctl+0x7f/0xb0
[   38.655328]  ? do_vfs_ioctl+0xff0/0xff0
[   38.659277]  do_syscall_64+0x1d5/0x640
[   38.663169]  entry_SYSCALL_64_after_hwframe+0x5e/0xd3
[   38.668356] RIP: 0033:0x7fd26ae79619
[   38.672043] RSP: 002b:00007fd263dc22f8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[   38.679726] RAX: ffffffffffffffda RBX: 00007fd26af037b0 RCX: 00007fd26ae79619
[   38.686973] RDX: 0000000020000100 RSI: 00000000c020f509 RDI: 0000000000000004
[   38.694219] RBP: 00007fd26aed05a8 R08: 0000000000000000 R09: 0000000000000000
[   38.701465] R10: 0000000000000000 R11: 0000000000000246 R12: 6c5f657669746361
[   38.708728] R13: 0030656c69662f2e R14: 0031656c69662f2e R15: 00007fd26af037b8
[   38.715977] 
[   38.717581] Allocated by task 8119:
[   38.721185]  kasan_kmalloc+0xeb/0x160
[   38.724960]  __kmalloc_node+0x4c/0x70
[   38.728757]  kvmalloc_node+0x84/0xc0
[   38.732457]  __exchange_data_block+0x132/0x30a0
[   38.737104]  f2fs_ioctl+0x52b3/0x6b70
[   38.741059]  do_vfs_ioctl+0x75a/0xff0
[   38.744834]  SyS_ioctl+0x7f/0xb0
[   38.748177]  do_syscall_64+0x1d5/0x640
[   38.752042]  entry_SYSCALL_64_after_hwframe+0x5e/0xd3
[   38.757209] 
[   38.758813] Freed by task 0:
[   38.761802] (stack is not available)
[   38.765487] 
[   38.767092] The buggy address belongs to the object at ffff888092368900
[   38.767092]  which belongs to the cache kmalloc-16384 of size 16384
[   38.780081] The buggy address is located 16288 bytes inside of
[   38.780081]  16384-byte region [ffff888092368900, ffff88809236c900)
[   38.792274] The buggy address belongs to the page:
[   38.797187] page:ffffea000248da00 count:1 mapcount:0 mapping:ffff888092368900 index:0x0 compound_mapcount: 0
[   38.807238] flags: 0xfff00000008100(slab|head)
[   38.811798] raw: 00fff00000008100 ffff888092368900 0000000000000000 0000000100000001
[   38.819656] raw: ffffea00027bea20 ffff88813fe64c48 ffff88813fe65200 0000000000000000
[   38.827594] page dumped because: kasan: bad access detected
[   38.833281] 
[   38.834889] Memory state around the buggy address:
[   38.839797]  ffff88809236c780: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   38.847131]  ffff88809236c800: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   38.854487] >ffff88809236c880: 00 00 00 00 fc fc fc fc fc fc fc fc fc fc fc fc
[   38.861829]                                ^
[   38.866211]  ffff88809236c900: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   38.873586]  ffff88809236c980: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   38.881083] ==================================================================
[   38.888430] Disabling lock debugging due to kernel taint
[   38.894130] Kernel panic - not syncing: KASAN: panic_on_warn set ...
[   38.894130] 
[   38.902096] CPU: 0 PID: 8119 Comm: syz-executor263 Tainted: G    B           4.14.307-syzkaller #0
[   38.911183] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/16/2023
[   38.920523] Call Trace:
[   38.923091]  dump_stack+0x1b2/0x281
[   38.926694]  panic+0x21d/0x451
[   38.929882]  ? add_taint.cold+0x16/0x16
[   38.933835]  ? ___preempt_schedule+0x16/0x18
[   38.938225]  ? preempt_schedule_common+0x45/0xc0
[   38.942957]  ? ___preempt_schedule+0x16/0x18
[   38.947347]  check_panic_on_warn.cold+0x19/0x35
[   38.952013]  kasan_end_report+0x3a/0x40
[   38.955963]  kasan_report_error.cold+0xa7/0x191
[   38.960644]  ? __exchange_data_block+0x2dbc/0x30a0
[   38.965594]  __asan_report_load4_noabort+0x68/0x70
[   38.970506]  ? unlock_page+0x30/0x120
[   38.974284]  ? __exchange_data_block+0x2dbc/0x30a0
[   38.979197]  __exchange_data_block+0x2dbc/0x30a0
[   38.984024]  ? punch_hole.part.0+0x220/0x220
[   38.988415]  ? lock_acquire+0x170/0x3f0
[   38.992372]  f2fs_ioctl+0x52b3/0x6b70
[   38.996158]  ? get_futex_key+0x11b0/0x11b0
[   39.000388]  ? f2fs_fallocate+0x26f0/0x26f0
[   39.004701]  ? lock_acquire+0x170/0x3f0
[   39.008650]  ? lock_downgrade+0x740/0x740
[   39.012776]  ? trace_hardirqs_on+0x10/0x10
[   39.016994]  ? futex_exit_release+0x220/0x220
[   39.021499]  ? _raw_spin_unlock_irqrestore+0x66/0xe0
[   39.026580]  ? debug_check_no_obj_freed+0x2c0/0x680
[   39.031601]  ? f2fs_fallocate+0x26f0/0x26f0
[   39.035936]  do_vfs_ioctl+0x75a/0xff0
[   39.039742]  ? lock_acquire+0x170/0x3f0
[   39.043725]  ? ioctl_preallocate+0x1a0/0x1a0
[   39.048113]  ? __fget+0x265/0x3e0
[   39.051655]  ? do_vfs_ioctl+0xff0/0xff0
[   39.055615]  ? security_file_ioctl+0x83/0xb0
[   39.060008]  SyS_ioctl+0x7f/0xb0
[   39.063365]  ? do_vfs_ioctl+0xff0/0xff0
[   39.067316]  do_syscall_64+0x1d5/0x640
[   39.071182]  entry_SYSCALL_64_after_hwframe+0x5e/0xd3
[   39.076347] RIP: 0033:0x7fd26ae79619
[   39.080046] RSP: 002b:00007fd263dc22f8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[   39.087727] RAX: ffffffffffffffda RBX: 00007fd26af037b0 RCX: 00007fd26ae79619
[   39.094974] RDX: 0000000020000100 RSI: 00000000c020f509 RDI: 0000000000000004
[   39.102220] RBP: 00007fd26aed05a8 R08: 0000000000000000 R09: 0000000000000000
[   39.109462] R10: 0000000000000000 R11: 0000000000000246 R12: 6c5f657669746361
[   39.116705] R13: 0030656c69662f2e R14: 0031656c69662f2e R15: 00007fd26af037b8
[   39.124123] Kernel Offset: disabled
[   39.127732] Rebooting in 86400 seconds..
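Triage notes on the report above, with an added helper script (editor's example, not part of the syzbot log or of the kernel/f2fs code). Two things the raw report leaves implicit are worth computing rather than eyeballing. First, "kmalloc-16384 of size 16384" names the slab cache, not the size that was requested; the true allocation ends where the shadow bytes switch from 00 to fc (KASAN_KMALLOC_REDZONE), which for this object is at ffff88809236c8a0, i.e. 16288 bytes from the base, exactly where the 4-byte read lands, so the access is one 4-byte element past the end of a 16288-byte buffer. Second, ORIG_RAX 0x10 is ioctl(2) on x86_64, so RSI holds the request: 0xc020f509 decodes as _IOWR(0xf5, 9, 32), which is F2FS_IOC_MOVE_RANGE (F2FS_IOCTL_MAGIC 0xf5, nr 9, 32-byte struct f2fs_move_range), consistent with the f2fs_ioctl -> __exchange_data_block frames. The script embeds the relevant lines copied from the report, assumes generic (non-tag) KASAN with 8-byte granules as on this 4.14 x86_64 kernel, and only knows the one ioctl name; everything else is derived from the text.

```python
"""Triage helper for a generic-KASAN slab-out-of-bounds report (added example).
Recovers the real allocation size from the shadow dump, maps the bad address to
an array index, and decodes the ioctl request from the register dump."""
import re

# Lines copied from the KASAN report above (only the ones the helper needs).
KASAN_REPORT = """\
[   38.502552] BUG: KASAN: slab-out-of-bounds in __exchange_data_block+0x2dbc/0x30a0
[   38.510150] Read of size 4 at addr ffff88809236c8a0 by task syz-executor263/8119
[   38.672043] RSP: 002b:00007fd263dc22f8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[   38.686973] RDX: 0000000020000100 RSI: 00000000c020f509 RDI: 0000000000000004
[   38.767092] The buggy address belongs to the object at ffff888092368900
[   38.767092]  which belongs to the cache kmalloc-16384 of size 16384
[   38.839797]  ffff88809236c780: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   38.847131]  ffff88809236c800: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   38.854487] >ffff88809236c880: 00 00 00 00 fc fc fc fc fc fc fc fc fc fc fc fc
[   38.866211]  ffff88809236c900: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
"""

KASAN_SHADOW_SCALE = 8   # generic KASAN: one shadow byte describes an 8-byte granule
NR_IOCTL_X86_64 = 16     # ORIG_RAX holds the syscall number; 16 is ioctl(2) on x86_64
_IOC_DIRNAMES = {0: "NONE", 1: "WRITE", 2: "READ", 3: "READ|WRITE"}


def ioc(direction, ioc_type, nr, size):
    """The kernel's _IOC() macro layout: dir:2 | size:14 | type:8 | nr:8."""
    return (direction << 30) | (size << 16) | (ioc_type << 8) | nr


def decode_ioctl(cmd):
    return {"dir": _IOC_DIRNAMES[(cmd >> 30) & 0x3], "type": (cmd >> 8) & 0xff,
            "nr": cmd & 0xff, "size": (cmd >> 16) & 0x3fff}


# F2FS_IOC_MOVE_RANGE is _IOWR(F2FS_IOCTL_MAGIC, 9, struct f2fs_move_range) in
# fs/f2fs/f2fs.h; the struct (u32 dst_fd + padding, u64 pos_in/pos_out/len) is 32 bytes.
F2FS_IOCTL_MAGIC = 0xf5
F2FS_IOC_MOVE_RANGE = ioc(3, F2FS_IOCTL_MAGIC, 9, 32)
KNOWN_IOCTLS = {F2FS_IOC_MOVE_RANGE: "F2FS_IOC_MOVE_RANGE"}   # extend as needed


def parse_report(text):
    """Pull addresses, sizes, registers and shadow rows out of the report text."""
    hdr = re.search(r"BUG: KASAN: (\S+) in (\S+)\+0x", text)
    acc = re.search(r"(Read|Write) of size (\d+) at addr ([0-9a-f]+)", text)
    obj = re.search(r"belongs to the object at ([0-9a-f]+)", text)
    cache = re.search(r"cache (\S+) of size (\d+)", text)
    shadow = {}   # memory address of the first byte a row describes -> 16 shadow bytes
    for row in re.finditer(r"[ >]([0-9a-f]{16}): ((?:[0-9a-f]{2} ?){16})", text):
        shadow[int(row.group(1), 16)] = [int(b, 16) for b in row.group(2).split()]
    return {
        "kind": hdr.group(1), "func": hdr.group(2),
        "rw": acc.group(1), "access_size": int(acc.group(2)), "addr": int(acc.group(3), 16),
        "obj_base": int(obj.group(1), 16),
        "cache": cache.group(1), "cache_size": int(cache.group(2)),
        "orig_rax": int(re.search(r"ORIG_RAX: ([0-9a-f]{16})", text).group(1), 16),
        "rsi": int(re.search(r"RSI: ([0-9a-f]{16})", text).group(1), 16),
        "shadow": shadow,
    }


def allocated_size(report):
    """True kmalloc size: the first granule at or after the object base that is not
    fully accessible ends the allocation.  Shadow 0x00 = all 8 bytes accessible,
    0x01..0x07 = that many leading bytes accessible, anything else is poison
    (0xfc is KASAN_KMALLOC_REDZONE).  Returns None if the dump never gets there."""
    base = report["obj_base"]
    for row_addr in sorted(report["shadow"]):
        for i, val in enumerate(report["shadow"][row_addr]):
            granule = row_addr + i * KASAN_SHADOW_SCALE
            if granule < base or val == 0:
                continue
            end = granule + val if 1 <= val <= 7 else granule
            return end - base
    return None


def ioctl_name(report):
    """RSI is the ioctl request only if the interrupted syscall really is ioctl(2)."""
    if report["orig_rax"] != NR_IOCTL_X86_64:
        return None
    return KNOWN_IOCTLS.get(report["rsi"], "unknown 0x%08x" % report["rsi"])


def triage(text):
    r = parse_report(text)
    alloc = allocated_size(r)
    offset = r["addr"] - r["obj_base"]            # the report's "N bytes inside of"
    return {
        "kind": r["kind"], "func": r["func"], "rw": r["rw"],
        "offset": offset, "cache_size": r["cache_size"], "alloc_size": alloc,
        # bytes of the access that lie beyond the real allocation
        "overrun": None if alloc is None else r["addr"] + r["access_size"] - r["obj_base"] - alloc,
        # view the object as an array of access_size-byte elements
        "index": offset // r["access_size"],
        "elements": None if alloc is None else alloc // r["access_size"],
        "ioctl": ioctl_name(r), "ioctl_fields": decode_ioctl(r["rsi"]),
    }


if __name__ == "__main__":
    for key, val in triage(KASAN_REPORT).items():
        print(f"{key:13} {val}")
```

On this report the helper gives offset 16288, alloc_size 16288, overrun 4, index 4072 of 4072 elements, and ioctl F2FS_IOC_MOVE_RANGE: a read of the element just past the end of a buffer allocated by __exchange_data_block, which is what to confirm against the loop bounds in that function before treating the report as a duplicate of anything else. The element-count view assumes the buffer is an array of 4-byte entries, which the 4-byte read suggests but the report does not state.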