[  OK  ] Reached target Graphical Interface.
         Starting Update UTMP about System Runlevel Changes...
[  OK  ] Started Update UTMP about System Runlevel Changes.
         Starting Load/Save RF Kill Switch Status...
[  OK  ] Started Load/Save RF Kill Switch Status.

Debian GNU/Linux 9 syzkaller ttyS0

Warning: Permanently added '10.128.1.127' (ECDSA) to the list of known hosts.
executing program
syzkaller login: [   33.703881] FAULT_INJECTION: forcing a failure.
[   33.703881] name failslab, interval 1, probability 0, space 0, times 1
[   33.715394] CPU: 0 PID: 7983 Comm: syz-executor287 Not tainted 4.14.290-syzkaller #0
[   33.723285] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/22/2022
[   33.732624] Call Trace:
[   33.735199]  dump_stack+0x1b2/0x281
[   33.738807]  should_fail.cold+0x10a/0x149
[   33.742936]  should_failslab+0xd6/0x130
[   33.746890]  kmem_cache_alloc_trace+0x29a/0x3d0
[   33.751539]  wb_congested_get_create+0x15b/0x360
[   33.756280]  wb_init+0x4f6/0x7c0
[   33.759629]  ? __raw_spin_lock_init+0x28/0x100
[   33.764193]  cgwb_bdi_init+0xe2/0x1e0
[   33.767974]  bdi_alloc_node+0x224/0x2e0
[   33.771936]  super_setup_bdi_name+0x8b/0x220
[   33.776340]  ? kill_block_super+0xe0/0xe0
[   33.780615]  ? v9fs_kill_super+0x90/0x90
[   33.784671]  v9fs_mount+0x1fc/0x860
[   33.788287]  ? alloc_pages_current+0x15d/0x260
[   33.792855]  ? __lockdep_init_map+0x100/0x560
[   33.797342]  mount_fs+0x92/0x2a0
[   33.800722]  vfs_kern_mount.part.0+0x5b/0x470
[   33.805202]  do_mount+0xe65/0x2a30
[   33.808744]  ? copy_mount_string+0x40/0x40
[   33.812968]  ? rcu_read_lock_sched_held+0x16c/0x1d0
[   33.817976]  ? copy_mnt_ns+0xa30/0xa30
[   33.821850]  ? copy_mount_options+0x1fa/0x2f0
[   33.826327]  ? copy_mnt_ns+0xa30/0xa30
[   33.830196]  SyS_mount+0xa8/0x120
[   33.833657]  ? copy_mnt_ns+0xa30/0xa30
[   33.837527]  do_syscall_64+0x1d5/0x640
[   33.841415]  entry_SYSCALL_64_after_hwframe+0x46/0xbb
[   33.846586] RIP: 0033:0x7f313f0bff29
executing program
[   33.850277] RSP: 002b:00007fff0db1e758 EFLAGS: 00000246 ORIG_RAX: 00000000000000a5
[   33.857963] RAX: ffffffffffffffda RBX: 00007fff0db1e7b8 RCX: 00007f313f0bff29
[   33.865323] RDX: 0000000020000500 RSI: 0000000020000000 RDI: 0000000000000000
[   33.872569] RBP: 00007fff0db1e760 R08: 0000000020000640 R09: 0000000000003034
[   33.879840] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000002
[   33.887108] R13: 0000000000000000 R14: 431bde82d7b634db R15: 0000000000000000
[   33.901984] FAULT_INJECTION: forcing a failure.
[   33.901984] name failslab, interval 1, probability 0, space 0, times 0
[   33.913443] CPU: 0 PID: 7986 Comm: syz-executor287 Not tainted 4.14.290-syzkaller #0
[   33.921325] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/22/2022
[   33.930675] Call Trace:
[   33.933247]  dump_stack+0x1b2/0x281
[   33.936858]  should_fail.cold+0x10a/0x149
[   33.940991]  should_failslab+0xd6/0x130
[   33.945044]  kmem_cache_alloc_node_trace+0x25a/0x400
[   33.950127]  bdi_alloc_node+0x5d/0x2e0
[   33.953999]  super_setup_bdi_name+0x8b/0x220
[   33.958401]  ? kill_block_super+0xe0/0xe0
[   33.962541]  ? v9fs_kill_super+0x90/0x90
[   33.966598]  v9fs_mount+0x1fc/0x860
[   33.970324]  ? alloc_pages_current+0x15d/0x260
[   33.974905]  ? __lockdep_init_map+0x100/0x560
[   33.979421]  mount_fs+0x92/0x2a0
[   33.982777]  vfs_kern_mount.part.0+0x5b/0x470
[   33.987255]  do_mount+0xe65/0x2a30
[   33.990803]  ? copy_mount_string+0x40/0x40
[   33.995034]  ? rcu_read_lock_sched_held+0x16c/0x1d0
[   34.000039]  ? copy_mnt_ns+0xa30/0xa30
[   34.003908]  ? copy_mount_options+0x1fa/0x2f0
[   34.008380]  ? copy_mnt_ns+0xa30/0xa30
[   34.012247]  SyS_mount+0xa8/0x120
[   34.015693]  ? copy_mnt_ns+0xa30/0xa30
[   34.019559]  do_syscall_64+0x1d5/0x640
[   34.023432]  entry_SYSCALL_64_after_hwframe+0x46/0xbb
[   34.028599] RIP: 0033:0x7f313f0bff29
[   34.032291] RSP: 002b:00007fff0db1e758 EFLAGS: 00000246 ORIG_RAX: 00000000000000a5
[   34.039974] RAX: ffffffffffffffda RBX: 00000000000083be RCX: 00007f313f0bff29
[   34.047223] RDX: 0000000020000500 RSI: 0000000020000000 RDI: 0000000000000000
executing program
[   34.054471] RBP: 00007fff0db1e760 R08: 0000000020000640 R09: 0000000000003034
[   34.061716] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000002
[   34.068965] R13: 00007fff0db1e79c R14: 431bde82d7b634db R15: 0000000000000000
[   34.082761] FAULT_INJECTION: forcing a failure.
[   34.082761] name failslab, interval 1, probability 0, space 0, times 0
[   34.094101] CPU: 0 PID: 7989 Comm: syz-executor287 Not tainted 4.14.290-syzkaller #0
[   34.101985] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/22/2022
[   34.111335] Call Trace:
[   34.113906]  dump_stack+0x1b2/0x281
[   34.117514]  should_fail.cold+0x10a/0x149
[   34.121643]  should_failslab+0xd6/0x130
[   34.125600]  __kmalloc+0x2c1/0x400
[   34.129117]  ? register_shrinker+0x1ab/0x220
[   34.133502]  register_shrinker+0x1ab/0x220
[   34.137711]  sget_userns+0x9aa/0xc10
[   34.141405]  ? v9fs_kill_super+0x90/0x90
[   34.145445]  ? v9fs_kill_super+0x90/0x90
[   34.149483]  sget+0xd1/0x110
[   34.152495]  v9fs_mount+0x9e/0x860
[   34.156021]  ? alloc_pages_current+0x15d/0x260
[   34.160594]  ? __lockdep_init_map+0x100/0x560
[   34.165073]  mount_fs+0x92/0x2a0
[   34.168422]  vfs_kern_mount.part.0+0x5b/0x470
[   34.172897]  do_mount+0xe65/0x2a30
[   34.176419]  ? copy_mount_string+0x40/0x40
[   34.180635]  ? rcu_read_lock_sched_held+0x16c/0x1d0
[   34.185630]  ? copy_mnt_ns+0xa30/0xa30
[   34.189493]  ? copy_mount_options+0x1fa/0x2f0
[   34.193964]  ? copy_mnt_ns+0xa30/0xa30
[   34.197827]  SyS_mount+0xa8/0x120
[   34.201256]  ? copy_mnt_ns+0xa30/0xa30
[   34.205121]  do_syscall_64+0x1d5/0x640
[   34.208991]  entry_SYSCALL_64_after_hwframe+0x46/0xbb
[   34.214155] RIP: 0033:0x7f313f0bff29
[   34.217840] RSP: 002b:00007fff0db1e758 EFLAGS: 00000246 ORIG_RAX: 00000000000000a5
[   34.225525] RAX: ffffffffffffffda RBX: 0000000000008487 RCX: 00007f313f0bff29
[   34.232772] RDX: 0000000020000500 RSI: 0000000020000000 RDI: 0000000000000000
[   34.240017] RBP: 00007fff0db1e760 R08: 0000000020000640 R09: 0000000000003034
[   34.247263] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000002
[   34.254510] R13: 00007fff0db1e79c R14: 431bde82d7b634db R15: 0000000000000000
[   34.262243] 9pnet: Found fid 0 not clunked
[   34.266896] ==================================================================
[   34.274379] BUG: KASAN: use-after-free in p9_client_clunk+0x1fc/0x240
[   34.280949] Read of size 8 at addr ffff8880aadbfa00 by task syz-executor287/7989
[   34.288456] 
[   34.290067] CPU: 0 PID: 7989 Comm: syz-executor287 Not tainted 4.14.290-syzkaller #0
[   34.297930] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/22/2022
[   34.307274] Call Trace:
[   34.309844]  dump_stack+0x1b2/0x281
[   34.313457]  print_address_description.cold+0x54/0x1d3
[   34.318716]  kasan_report_error.cold+0x8a/0x191
[   34.323364]  ? p9_client_clunk+0x1fc/0x240
[   34.327577]  __asan_report_load8_noabort+0x68/0x70
[   34.332484]  ? p9_client_clunk+0x1fc/0x240
[   34.336697]  p9_client_clunk+0x1fc/0x240
[   34.340739]  v9fs_mount+0x69f/0x860
[   34.344346]  ? alloc_pages_current+0x15d/0x260
[   34.348907]  ? __lockdep_init_map+0x100/0x560
[   34.353380]  mount_fs+0x92/0x2a0
[   34.356728]  vfs_kern_mount.part.0+0x5b/0x470
[   34.361201]  do_mount+0xe65/0x2a30
[   34.364722]  ? copy_mount_string+0x40/0x40
[   34.368939]  ? rcu_read_lock_sched_held+0x16c/0x1d0
[   34.373931]  ? copy_mnt_ns+0xa30/0xa30
[   34.377798]  ? copy_mount_options+0x1fa/0x2f0
[   34.382271]  ? copy_mnt_ns+0xa30/0xa30
[   34.386134]  SyS_mount+0xa8/0x120
[   34.389568]  ? copy_mnt_ns+0xa30/0xa30
[   34.393433]  do_syscall_64+0x1d5/0x640
[   34.397299]  entry_SYSCALL_64_after_hwframe+0x46/0xbb
[   34.402470] RIP: 0033:0x7f313f0bff29
[   34.406158] RSP: 002b:00007fff0db1e758 EFLAGS: 00000246 ORIG_RAX: 00000000000000a5
[   34.413859] RAX: ffffffffffffffda RBX: 0000000000008487 RCX: 00007f313f0bff29
[   34.421106] RDX: 0000000020000500 RSI: 0000000020000000 RDI: 0000000000000000
[   34.428354] RBP: 00007fff0db1e760 R08: 0000000020000640 R09: 0000000000003034
[   34.435601] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000002
[   34.442849] R13: 00007fff0db1e79c R14: 431bde82d7b634db R15: 0000000000000000
[   34.450105] 
[   34.451712] Allocated by task 7989:
[   34.455320]  kasan_kmalloc+0xeb/0x160
[   34.459100]  kmem_cache_alloc_trace+0x131/0x3d0
[   34.463744]  p9_fid_create+0x47/0x3a0
[   34.467525]  p9_client_attach+0x6d/0x750
[   34.471575]  v9fs_session_init+0xc03/0x1540
[   34.475874]  v9fs_mount+0x73/0x860
[   34.479392]  mount_fs+0x92/0x2a0
[   34.482735]  vfs_kern_mount.part.0+0x5b/0x470
[   34.487207]  do_mount+0xe65/0x2a30
[   34.490726]  SyS_mount+0xa8/0x120
[   34.494158]  do_syscall_64+0x1d5/0x640
[   34.498042]  entry_SYSCALL_64_after_hwframe+0x46/0xbb
[   34.503209] 
[   34.504812] Freed by task 7989:
[   34.508074]  kasan_slab_free+0xc3/0x1a0
[   34.512025]  kfree+0xc9/0x250
[   34.515108]  p9_client_destroy.cold+0x67/0xaa
[   34.519585]  v9fs_session_close+0x45/0x2c0
[   34.523796]  v9fs_kill_super+0x49/0x90
[   34.527663]  deactivate_locked_super+0x6c/0xd0
[   34.532219]  sget_userns+0x9c4/0xc10
[   34.535913]  sget+0xd1/0x110
[   34.538909]  v9fs_mount+0x9e/0x860
[   34.542423]  mount_fs+0x92/0x2a0
[   34.545767]  vfs_kern_mount.part.0+0x5b/0x470
[   34.550241]  do_mount+0xe65/0x2a30
[   34.553762]  SyS_mount+0xa8/0x120
[   34.557203]  do_syscall_64+0x1d5/0x640
[   34.561069]  entry_SYSCALL_64_after_hwframe+0x46/0xbb
[   34.566232] 
[   34.567838] The buggy address belongs to the object at ffff8880aadbfa00
[   34.567838]  which belongs to the cache kmalloc-96 of size 96
[   34.580296] The buggy address is located 0 bytes inside of
[   34.580296]  96-byte region [ffff8880aadbfa00, ffff8880aadbfa60)
[   34.591895] The buggy address belongs to the page:
[   34.596806] page:ffffea0002ab6fc0 count:1 mapcount:0 mapping:ffff8880aadbf000 index:0x0
[   34.604923] flags: 0xfff00000000100(slab)
[   34.609048] raw: 00fff00000000100 ffff8880aadbf000 0000000000000000 0000000100000020
[   34.618395] raw: ffffea0002a25060 ffffea0002ad90a0 ffff88813fe744c0 0000000000000000
[   34.626252] page dumped because: kasan: bad access detected
[   34.631934] 
[   34.633540] Memory state around the buggy address:
[   34.638446]  ffff8880aadbf900: 00 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc
[   34.645782]  ffff8880aadbf980: 00 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc
[   34.653118] >ffff8880aadbfa00: fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
[   34.660459]                    ^
[   34.663824]  ffff8880aadbfa80: fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
[   34.671244]  ffff8880aadbfb00: 00 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc
[   34.678578] ==================================================================
[   34.685998] Disabling lock debugging due to kernel taint
[   34.691666] Kernel panic - not syncing: panic_on_warn set ...
[   34.691666] 
[   34.699035] CPU: 0 PID: 7989 Comm: syz-executor287 Tainted: G B 4.14.290-syzkaller #0
[   34.708129] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/22/2022
[   34.717475] Call Trace:
[   34.720055]  dump_stack+0x1b2/0x281
[   34.723663]  panic+0x1f9/0x42d
[   34.726832]  ? add_taint.cold+0x16/0x16
[   34.730784]  ? ___preempt_schedule+0x16/0x18
[   34.735181]  kasan_end_report+0x43/0x49
[   34.739155]  kasan_report_error.cold+0xa7/0x191
[   34.743804]  ? p9_client_clunk+0x1fc/0x240
[   34.748022]  __asan_report_load8_noabort+0x68/0x70
[   34.752929]  ? p9_client_clunk+0x1fc/0x240
[   34.757161]  p9_client_clunk+0x1fc/0x240
[   34.761201]  v9fs_mount+0x69f/0x860
[   34.764807]  ? alloc_pages_current+0x15d/0x260
[   34.769364]  ? __lockdep_init_map+0x100/0x560
[   34.773834]  mount_fs+0x92/0x2a0
[   34.777178]  vfs_kern_mount.part.0+0x5b/0x470
[   34.781652]  do_mount+0xe65/0x2a30
[   34.785200]  ? copy_mount_string+0x40/0x40
[   34.789417]  ? rcu_read_lock_sched_held+0x16c/0x1d0
[   34.794413]  ? copy_mnt_ns+0xa30/0xa30
[   34.798281]  ? copy_mount_options+0x1fa/0x2f0
[   34.802759]  ? copy_mnt_ns+0xa30/0xa30
[   34.806670]  SyS_mount+0xa8/0x120
[   34.810109]  ? copy_mnt_ns+0xa30/0xa30
[   34.813984]  do_syscall_64+0x1d5/0x640
[   34.817859]  entry_SYSCALL_64_after_hwframe+0x46/0xbb
[   34.823025] RIP: 0033:0x7f313f0bff29
[   34.826716] RSP: 002b:00007fff0db1e758 EFLAGS: 00000246 ORIG_RAX: 00000000000000a5
[   34.834402] RAX: ffffffffffffffda RBX: 0000000000008487 RCX: 00007f313f0bff29
[   34.841650] RDX: 0000000020000500 RSI: 0000000020000000 RDI: 0000000000000000
[   34.848941] RBP: 00007fff0db1e760 R08: 0000000020000640 R09: 0000000000003034
[   34.856186] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000002
[   34.863443] R13: 00007fff0db1e79c R14: 431bde82d7b634db R15: 0000000000000000
[   34.870880] Kernel Offset: disabled
[   34.874489] Rebooting in 86400 seconds..
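Reading the report above: three runs of the same program (PIDs 7983, 7986, 7989) each had failslab fail a successively later allocation inside the same mount(2) of a 9p filesystem. The first two hit the BDI setup in super_setup_bdi_name and were handled. The third hit the __kmalloc in register_shrinker under sget_userns, so sget() failed after the v9fs session had already been attached to the new superblock, and sget's own failure path ran deactivate_locked_super -> v9fs_kill_super -> v9fs_session_close -> p9_client_destroy, which logged "9pnet: Found fid 0 not clunked" and freed the root fid ("Freed by task 7989"). v9fs_mount's error path then called p9_client_clunk on that fid, which is the 8-byte read KASAN flagged ("Allocated by task 7989" shows the same fid coming from p9_fid_create via p9_client_attach in v9fs_session_init). The defect is an ownership hand-off on an error path that only fault injection reaches. The following user-space model is an added example, not code from the kernel, from 9p, or from the syzkaller report; every type and function in it is a stand-in of this example's own, and a small quarantine array stands in for KASAN so that the buggy and corrected error-path shapes can be run and compared without real undefined behaviour.

```c
#include <stdlib.h>

#define MAX_FIDS 8
#define E_NOMEM (-12)   /* -ENOMEM: what mount returns on a failed allocation */
#define E_UAF   (-1000) /* model-only sentinel: clunk was handed a freed fid */

struct fid { int num; int clunked; };
struct client { struct fid *fids[MAX_FIDS]; int nfids; }; /* p9_client stand-in */
struct session { struct client *clnt; };                  /* v9fs_session_info stand-in */
struct superblock { struct session *s_fs_info; };         /* super_block stand-in */

/* KASAN stand-in: freed fids go to a quarantine, so a stale pointer can be recognised. */
static struct fid *quarantine[MAX_FIDS];
static int nquar;

static int fid_is_freed(const struct fid *f) {
	for (int i = 0; i < nquar; i++)
		if (quarantine[i] == f) return 1;
	return 0;
}

static void fid_free(struct fid *f) {
	if (nquar < MAX_FIDS) quarantine[nquar++] = f; else free(f);
}

/* p9_client_attach stand-in: the root fid is created and owned by the client. */
static struct fid *client_attach(struct client *c) {
	struct fid *f = c->nfids < MAX_FIDS ? calloc(1, sizeof(*f)) : NULL;
	if (!f) return NULL;
	f->num = c->nfids;
	c->fids[c->nfids++] = f;
	return f;
}

/* p9_client_clunk stand-in: the real one loads from the fid, the read KASAN reported. */
static int client_clunk(struct fid *f) {
	if (fid_is_freed(f)) return E_UAF;
	f->clunked = 1;
	return 0;
}

/* p9_client_destroy stand-in: frees every fid still owned ("Found fid 0 not clunked"). */
static void client_destroy(struct client *c) {
	for (int i = 0; i < c->nfids; i++) fid_free(c->fids[i]);
	free(c);
}

/* v9fs_kill_super stand-in: sget() runs it on the half-built superblock on failure. */
static void kill_super(struct superblock *sb) {
	client_destroy(sb->s_fs_info->clnt);
	free(sb->s_fs_info);
	free(sb);
}

/* sget stand-in; inject_fail models failslab hitting register_shrinker after set() ran. */
static struct superblock *sget(struct session *ses, int inject_fail) {
	struct superblock *sb = calloc(1, sizeof(*sb));
	if (!sb) return NULL;
	sb->s_fs_info = ses;                    /* from here on the superblock owns ses */
	if (inject_fail) { kill_super(sb); return NULL; } /* ses, client, fids all gone */
	return sb;
}

/* v9fs_session_init stand-in: builds the session and attaches the root fid. */
static struct session *session_init(struct fid **root) {
	while (nquar > 0) free(quarantine[--nquar]); /* fresh quarantine per attempt */
	struct session *s = calloc(1, sizeof(*s));
	struct client *c = calloc(1, sizeof(*c));
	if (!s || !c || !(*root = client_attach(c))) { free(c); free(s); return NULL; }
	s->clnt = c;
	return s;
}

/* Buggy shape, as the trace shows: the error path clunks a fid sget already destroyed. */
static int mount_buggy(int inject_fail) {
	struct fid *fid;
	struct session *ses = session_init(&fid);
	if (!ses) return E_NOMEM;
	struct superblock *sb = sget(ses, inject_fail);
	if (!sb) { int rc = client_clunk(fid); return rc ? rc : E_NOMEM; } /* the UAF */
	kill_super(sb);                         /* plain unmount so nothing stays allocated */
	return 0;
}

/* Corrected shape: after handing ses to sget the mount path owns neither ses nor fid. */
static int mount_fixed(int inject_fail) {
	struct fid *fid;
	struct session *ses = session_init(&fid);
	if (!ses) return E_NOMEM;
	struct superblock *sb = sget(ses, inject_fail);
	if (!sb) return E_NOMEM;                /* kill_super has already released everything */
	kill_super(sb);
	return 0;
}
```

mount_buggy(1) returns E_UAF where the kernel got the KASAN splat, and mount_fixed(1) returns plain E_NOMEM; both return 0 without injection, which is why this class of bug survives normal testing. The general rule the trace illustrates: once an object has been handed to a constructor that tears it down itself on failure (here sget with its kill_sb callback), the caller's error labels must not unwind that object again, and such paths are only exercised by deliberately failing the allocations inside them, as failslab did here.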