OK ] Reached target Multi-User System.
[ OK ] Reached target Graphical Interface.
Starting Update UTMP about System Runlevel Changes...
Starting Load/Save RF Kill Switch Status...
[ OK ] Started Update UTMP about System Runlevel Changes.
[ OK ] Started Load/Save RF Kill Switch Status.

Debian GNU/Linux 9 syzkaller ttyS0

Warning: Permanently added '10.128.0.230' (ECDSA) to the list of known hosts.
executing program
syzkaller login: [ 28.012385] EXT4-fs (loop0): mounted filesystem without journal. Opts: ,errors=continue
[ 28.028634] ==================================================================
[ 28.036123] BUG: KASAN: use-after-free in ext4_write_inline_data+0x2ae/0x380
[ 28.043308] Write of size 70 at addr ffff8880b61074ef by task syz-executor568/7952
[ 28.051011]
[ 28.052648] CPU: 0 PID: 7952 Comm: syz-executor568 Not tainted 4.14.218-syzkaller #0
[ 28.060516] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 28.070001] Call Trace:
[ 28.072578]  dump_stack+0x1b2/0x281
[ 28.076192]  print_address_description.cold+0x54/0x1d3
[ 28.081450]  kasan_report_error.cold+0x8a/0x191
[ 28.086098]  ? ext4_write_inline_data+0x2ae/0x380
[ 28.090919]  kasan_report+0x6f/0x80
[ 28.094535]  ? ext4_write_inline_data+0x2ae/0x380
[ 28.099360]  memcpy+0x35/0x50
[ 28.102456]  ext4_write_inline_data+0x2ae/0x380
[ 28.107105]  ext4_write_inline_data_end+0x1d3/0x490
[ 28.112099]  ? ext4_try_to_write_inline_data+0x1590/0x1590
[ 28.117718]  ? rcu_lockdep_current_cpu_online+0xed/0x140
[ 28.123151]  ext4_write_end+0x18d/0xca0
[ 28.127118]  ext4_da_write_end+0x6da/0x8e0
[ 28.131348]  generic_perform_write+0x268/0x420
[ 28.135926]  ? __mnt_drop_write_file+0x5f/0x90
[ 28.140506]  ? filemap_page_mkwrite+0x2d0/0x2d0
[ 28.145194]  ? current_time+0xb0/0xb0
[ 28.148978]  ? ext4_file_write_iter+0x1cc/0xd20
[ 28.153630]  __generic_file_write_iter+0x227/0x590
[ 28.158543]  ext4_file_write_iter+0x276/0xd20
[ 28.163021]  ? aa_file_perm+0x304/0xab0
[ 28.166983]  ? ext4_file_read_iter+0x330/0x330
[ 28.171545]  ? trace_hardirqs_on+0x10/0x10
[ 28.175776]  ? iov_iter_init+0xa6/0x1c0
[ 28.179729]  __vfs_write+0x44c/0x630
[ 28.183421]  ? mntput_no_expire+0xc7/0x910
[ 28.187632]  ? kernel_read+0x110/0x110
[ 28.191502]  ? rcu_read_lock_sched_held+0x16c/0x1d0
[ 28.196494]  vfs_write+0x17f/0x4d0
[ 28.200039]  SyS_write+0xf2/0x210
[ 28.203482]  ? SyS_read+0x210/0x210
[ 28.207104]  ? do_syscall_64+0x4c/0x640
[ 28.211084]  ? SyS_read+0x210/0x210
[ 28.214692]  do_syscall_64+0x1d5/0x640
[ 28.218567]  entry_SYSCALL_64_after_hwframe+0x46/0xbb
[ 28.223739] RIP: 0033:0x44a509
[ 28.226910] RSP: 002b:00007f0582f64208 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
[ 28.234594] RAX: ffffffffffffffda RBX: 00000000004cd428 RCX: 000000000044a509
[ 28.241842] RDX: 0000000000000082 RSI: 0000000020000180 RDI: 0000000000000008
[ 28.249090] RBP: 00000000004cd420 R08: 0000000000000000 R09: 0000000000000000
[ 28.256337] R10: 0000000000000000 R11: 0000000000000246 R12: 00000000004cd42c
[ 28.263583] R13: 00007ffc529d143f R14: 00007f0582f64300 R15: 0000000000022000
[ 28.270834]
[ 28.272439] Allocated by task 1:
[ 28.275803]  kasan_kmalloc+0xeb/0x160
[ 28.279604]  __kmalloc+0x15a/0x400
[ 28.283133]  tty_write+0x4e0/0x740
[ 28.286649]  redirected_tty_write+0x9c/0xb0
[ 28.290944]  do_iter_write+0x3da/0x550
[ 28.294847]  vfs_writev+0x125/0x290
[ 28.298466]  do_writev+0xfc/0x2c0
[ 28.301900]  do_syscall_64+0x1d5/0x640
[ 28.305785]  entry_SYSCALL_64_after_hwframe+0x46/0xbb
[ 28.310950]
[ 28.312555] Freed by task 3517:
[ 28.315874]  kasan_slab_free+0xc3/0x1a0
[ 28.319947]  kfree+0xc9/0x250
[ 28.323036]  release_one_tty+0x2cf/0x3e0
[ 28.327079]  process_one_work+0x793/0x14a0
[ 28.331291]  worker_thread+0x5cc/0xff0
[ 28.335153]  kthread+0x30d/0x420
[ 28.338493]  ret_from_fork+0x24/0x30
[ 28.342178]
[ 28.343782] The buggy address belongs to the object at ffff8880b6107200
[ 28.343782]  which belongs to the cache kmalloc-1024 of size 1024
[ 28.356761] The buggy address is located 751 bytes inside of
[ 28.356761]  1024-byte region [ffff8880b6107200, ffff8880b6107600)
[ 28.368695] The buggy address belongs to the page:
[ 28.373598] page:ffffea0002d84180 count:1 mapcount:0 mapping:ffff8880b6106000 index:0x0 compound_mapcount: 0
[ 28.383540] flags: 0xfff00000008100(slab|head)
[ 28.388112] raw: 00fff00000008100 ffff8880b6106000 0000000000000000 0000000100000007
[ 28.395969] raw: ffffea00025bb920 ffffea00025bf6a0 ffff88813fe80ac0 0000000000000000
[ 28.403821] page dumped because: kasan: bad access detected
[ 28.409517]
[ 28.411117] Memory state around the buggy address:
[ 28.416022]  ffff8880b6107380: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 28.423354]  ffff8880b6107400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 28.430688] >ffff8880b6107480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 28.438021]                                                           ^
[ 28.444764]  ffff8880b6107500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 28.452099]  ffff8880b6107580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 28.459437] ==================================================================
[ 28.466768] Disabling lock debugging due to kernel taint
[ 28.472306] Kernel panic - not syncing: panic_on_warn set ...
[ 28.472306]
[ 28.479664] CPU: 0 PID: 7952 Comm: syz-executor568 Tainted: G B 4.14.218-syzkaller #0
[ 28.488751] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 28.498109] Call Trace:
[ 28.500694]  dump_stack+0x1b2/0x281
[ 28.504319]  panic+0x1f9/0x42d
[ 28.507508]  ? add_taint.cold+0x16/0x16
[ 28.511481]  kasan_end_report+0x43/0x49
[ 28.515447]  kasan_report_error.cold+0xa7/0x191
[ 28.520096]  ? ext4_write_inline_data+0x2ae/0x380
[ 28.524919]  kasan_report+0x6f/0x80
[ 28.528521]  ? ext4_write_inline_data+0x2ae/0x380
[ 28.533338]  memcpy+0x35/0x50
[ 28.536420]  ext4_write_inline_data+0x2ae/0x380
[ 28.541079]  ext4_write_inline_data_end+0x1d3/0x490
[ 28.546074]  ? ext4_try_to_write_inline_data+0x1590/0x1590
[ 28.551675]  ? rcu_lockdep_current_cpu_online+0xed/0x140
[ 28.557100]  ext4_write_end+0x18d/0xca0
[ 28.561069]  ext4_da_write_end+0x6da/0x8e0
[ 28.565285]  generic_perform_write+0x268/0x420
[ 28.569847]  ? __mnt_drop_write_file+0x5f/0x90
[ 28.574419]  ? filemap_page_mkwrite+0x2d0/0x2d0
[ 28.579062]  ? current_time+0xb0/0xb0
[ 28.582854]  ? ext4_file_write_iter+0x1cc/0xd20
[ 28.587497]  __generic_file_write_iter+0x227/0x590
[ 28.592409]  ext4_file_write_iter+0x276/0xd20
[ 28.596886]  ? aa_file_perm+0x304/0xab0
[ 28.600835]  ? ext4_file_read_iter+0x330/0x330
[ 28.605396]  ? trace_hardirqs_on+0x10/0x10
[ 28.609649]  ? iov_iter_init+0xa6/0x1c0
[ 28.613733]  __vfs_write+0x44c/0x630
[ 28.617431]  ? mntput_no_expire+0xc7/0x910
[ 28.621650]  ? kernel_read+0x110/0x110
[ 28.625524]  ? rcu_read_lock_sched_held+0x16c/0x1d0
[ 28.630521]  vfs_write+0x17f/0x4d0
[ 28.634042]  SyS_write+0xf2/0x210
[ 28.637475]  ? SyS_read+0x210/0x210
[ 28.641078]  ? do_syscall_64+0x4c/0x640
[ 28.645027]  ? SyS_read+0x210/0x210
[ 28.648629]  do_syscall_64+0x1d5/0x640
[ 28.652495]  entry_SYSCALL_64_after_hwframe+0x46/0xbb
[ 28.657659] RIP: 0033:0x44a509
[ 28.660823] RSP: 002b:00007f0582f64208 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
[ 28.668507] RAX: ffffffffffffffda RBX: 00000000004cd428 RCX: 000000000044a509
[ 28.675753] RDX: 0000000000000082 RSI: 0000000020000180 RDI: 0000000000000008
[ 28.683013] RBP: 00000000004cd420 R08: 0000000000000000 R09: 0000000000000000
[ 28.690258] R10: 0000000000000000 R11: 0000000000000246 R12: 00000000004cd42c
[ 28.697512] R13: 00007ffc529d143f R14: 00007f0582f64300 R15: 0000000000022000
[ 28.705388] Kernel Offset: disabled
[ 28.709018] Rebooting in 86400 seconds..