[ OK ] Reached target Graphical Interface.
Starting Update UTMP about System Runlevel Changes...
Starting Load/Save RF Kill Switch Status...
[ OK ] Started Update UTMP about System Runlevel Changes.
[ OK ] Started Load/Save RF Kill Switch Status.

Debian GNU/Linux 9 syzkaller ttyS0

Warning: Permanently added '10.128.1.120' (ECDSA) to the list of known hosts.
2022/09/26 06:55:24 ignoring optional flag "sandboxArg"="0"
2022/09/26 06:55:24 parsed 1 programs
2022/09/26 06:55:24 executed programs: 0
syzkaller login: [ 2005.061336] IPVS: ftp: loaded support on port[0] = 21
[ 2005.224849] chnl_net:caif_netlink_parms(): no params data found
[ 2005.265972] bridge0: port 1(bridge_slave_0) entered blocking state
[ 2005.272882] bridge0: port 1(bridge_slave_0) entered disabled state
[ 2005.280424] device bridge_slave_0 entered promiscuous mode
[ 2005.287835] bridge0: port 2(bridge_slave_1) entered blocking state
[ 2005.294248] bridge0: port 2(bridge_slave_1) entered disabled state
[ 2005.301531] device bridge_slave_1 entered promiscuous mode
[ 2005.318324] bond0: Enslaving bond_slave_0 as an active interface with an up link
[ 2005.327362] bond0: Enslaving bond_slave_1 as an active interface with an up link
[ 2005.344179] IPv6: ADDRCONF(NETDEV_UP): team_slave_0: link is not ready
[ 2005.351538] team0: Port device team_slave_0 added
[ 2005.357133] IPv6: ADDRCONF(NETDEV_UP): team_slave_1: link is not ready
[ 2005.364320] team0: Port device team_slave_1 added
[ 2005.378790] batman_adv: batadv0: Adding interface: batadv_slave_0
[ 2005.385018] batman_adv: batadv0: The MTU of interface batadv_slave_0 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem.
[ 2005.410569] batman_adv: batadv0: Not using interface batadv_slave_0 (retrying later): interface not active
[ 2005.421921] batman_adv: batadv0: Adding interface: batadv_slave_1
[ 2005.428210] batman_adv: batadv0: The MTU of interface batadv_slave_1 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem.
[ 2005.453435] batman_adv: batadv0: Not using interface batadv_slave_1 (retrying later): interface not active
[ 2005.467548] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_0: link is not ready
[ 2005.474864] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_1: link is not ready
[ 2005.494459] device hsr_slave_0 entered promiscuous mode
[ 2005.500158] device hsr_slave_1 entered promiscuous mode
[ 2005.506078] IPv6: ADDRCONF(NETDEV_UP): hsr_slave_0: link is not ready
[ 2005.513216] IPv6: ADDRCONF(NETDEV_UP): hsr_slave_1: link is not ready
[ 2005.575270] bridge0: port 2(bridge_slave_1) entered blocking state
[ 2005.581710] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 2005.588468] bridge0: port 1(bridge_slave_0) entered blocking state
[ 2005.594799] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 2005.624933] IPv6: ADDRCONF(NETDEV_UP): bond0: link is not ready
[ 2005.631794] 8021q: adding VLAN 0 to HW filter on device bond0
[ 2005.640503] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
[ 2005.649107] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 2005.658791] bridge0: port 1(bridge_slave_0) entered disabled state
[ 2005.665678] bridge0: port 2(bridge_slave_1) entered disabled state
[ 2005.673944] IPv6: ADDRCONF(NETDEV_CHANGE): bond0: link becomes ready
[ 2005.684360] IPv6: ADDRCONF(NETDEV_UP): team0: link is not ready
[ 2005.690658] 8021q: adding VLAN 0 to HW filter on device team0
[ 2005.699904] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[ 2005.707455] bridge0: port 1(bridge_slave_0) entered blocking state
[ 2005.713777] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 2005.729834] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[ 2005.737560] bridge0: port 2(bridge_slave_1) entered blocking state
[ 2005.743887] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 2005.752531] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready
[ 2005.761112] IPv6: ADDRCONF(NETDEV_CHANGE): team0: link becomes ready
[ 2005.770577] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready
[ 2005.781268] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
[ 2005.790965] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
[ 2005.800453] IPv6: ADDRCONF(NETDEV_UP): hsr0: link is not ready
[ 2005.806436] IPv6: ADDRCONF(NETDEV_CHANGE): hsr0: link becomes ready
[ 2005.833984] IPv6: ADDRCONF(NETDEV_UP): vxcan0: link is not ready
[ 2005.842381] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan0: link becomes ready
[ 2005.849888] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan1: link becomes ready
[ 2005.860408] 8021q: adding VLAN 0 to HW filter on device batadv0
[ 2005.893015] IPv6: ADDRCONF(NETDEV_UP): veth0_virt_wifi: link is not ready
[ 2005.903142] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_virt_wifi: link becomes ready
[ 2005.934162] IPv6: ADDRCONF(NETDEV_UP): veth0_vlan: link is not ready
[ 2005.941515] IPv6: ADDRCONF(NETDEV_UP): vlan0: link is not ready
[ 2005.948845] IPv6: ADDRCONF(NETDEV_UP): vlan1: link is not ready
[ 2005.958118] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_vlan: link becomes ready
[ 2005.965497] IPv6: ADDRCONF(NETDEV_CHANGE): vlan0: link becomes ready
[ 2005.973111] IPv6: ADDRCONF(NETDEV_CHANGE): vlan1: link becomes ready
[ 2005.982258] device veth0_vlan entered promiscuous mode
[ 2005.991348] device veth1_vlan entered promiscuous mode
[ 2005.997545] IPv6: ADDRCONF(NETDEV_UP): macvlan0: link is not ready
[ 2006.005967] IPv6: ADDRCONF(NETDEV_UP): macvlan1: link is not ready
[ 2006.018072] IPv6: ADDRCONF(NETDEV_UP): veth0_macvtap: link is not ready
[ 2006.027947] IPv6: ADDRCONF(NETDEV_CHANGE): macvlan0: link becomes ready
[ 2006.035211] IPv6: ADDRCONF(NETDEV_CHANGE): macvlan1: link becomes ready
[ 2006.042912] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_macvtap: link becomes ready
[ 2006.052574] device veth0_macvtap entered promiscuous mode
[ 2006.059555] IPv6: ADDRCONF(NETDEV_UP): macvtap0: link is not ready
[ 2006.068248] device veth1_macvtap entered promiscuous mode
[ 2006.076340] IPv6: ADDRCONF(NETDEV_UP): veth0_to_batadv: link is not ready
[ 2006.086134] IPv6: ADDRCONF(NETDEV_UP): veth1_to_batadv: link is not ready
[ 2006.096280] batman_adv: batadv0: Interface activated: batadv_slave_0
[ 2006.103271] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_batadv: link becomes ready
[ 2006.111365] IPv6: ADDRCONF(NETDEV_CHANGE): macvtap0: link becomes ready
[ 2006.121460] batman_adv: batadv0: Interface activated: batadv_slave_1
[ 2006.128598] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_batadv: link becomes ready
[ 2006.232347] IPv6: ADDRCONF(NETDEV_UP): wlan0: link is not ready
[ 2006.239077] wlan0: Created IBSS using preconfigured BSSID 50:50:50:50:50:50
[ 2006.246205] wlan0: Creating new IBSS network, BSSID 50:50:50:50:50:50
[ 2006.254514] IPv6: ADDRCONF(NETDEV_CHANGE): wlan0: link becomes ready
[ 2006.278264] IPv6: ADDRCONF(NETDEV_UP): wlan1: link is not ready
[ 2006.284829] wlan1: Created IBSS using preconfigured BSSID 50:50:50:50:50:50
[ 2006.291990] wlan1: Creating new IBSS network, BSSID 50:50:50:50:50:50
[ 2006.299220] IPv6: ADDRCONF(NETDEV_CHANGE): wlan1: link becomes ready
[ 2007.107559] Bluetooth: hci0: command 0x0409 tx timeout
2022/09/26 06:55:29 executed programs: 42
[ 2009.186376] Bluetooth: hci0: command 0x041b tx timeout
[ 2011.266124] Bluetooth: hci0: command 0x040f tx timeout
[ 2013.345953] Bluetooth: hci0: command 0x0419 tx timeout
2022/09/26 06:55:34 executed programs: 124
2022/09/26 06:55:39 executed programs: 205
2022/09/26 06:55:44 executed programs: 288
2022/09/26 06:55:49 executed programs: 370
2022/09/26 06:55:54 executed programs: 453
[ 2038.545361] ieee802154 phy0 wpan0: encryption failed: -22
[ 2038.551110] ieee802154 phy1 wpan1: encryption failed: -22
2022/09/26 06:55:59 executed programs: 533
2022/09/26 06:56:04 executed programs: 614
2022/09/26 06:56:09 executed programs: 691
2022/09/26 06:56:14 executed programs: 771
2022/09/26 06:56:19 executed programs: 853
2022/09/26 06:56:24 executed programs: 936
2022/09/26 06:56:29 executed programs: 1017
[ 2073.945307] ==================================================================
[ 2073.952824] BUG: KASAN: use-after-free in lbmIODone+0xcbf/0xf40
[ 2073.958887] Read of size 4 at addr ffff8880999d1508 by task loop0/14403
[ 2073.965635]
[ 2073.967262] CPU: 1 PID: 14403 Comm: loop0 Not tainted 4.19.211-syzkaller #0
[ 2073.974355] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/26/2022
[ 2073.983709] Call Trace:
[ 2073.986306]  dump_stack+0x1fc/0x2ef
[ 2073.989943]  print_address_description.cold+0x54/0x219
[ 2073.995225]  kasan_report_error.cold+0x8a/0x1b9
[ 2073.999894]  ? lbmIODone+0xcbf/0xf40
[ 2074.003606]  __asan_report_load4_noabort+0x88/0x90
[ 2074.008538]  ? lbmIODone+0xcbf/0xf40
[ 2074.012255]  lbmIODone+0xcbf/0xf40
[ 2074.015807]  ? lock_downgrade+0x720/0x720
[ 2074.019956]  ? lock_acquire+0x170/0x3c0
[ 2074.023933]  ? scale_cookie_change.isra.0+0x380/0x380
[ 2074.029122]  ? lbmFree+0x100/0x100
[ 2074.032666]  bio_endio+0x488/0x830
[ 2074.036214]  blk_update_request+0x30f/0xaf0
[ 2074.040548]  blk_mq_end_request+0x4a/0x340
[ 2074.044792]  lo_complete_rq+0x201/0x2d0
[ 2074.048771]  blk_mq_complete_request+0x472/0x660
[ 2074.053534]  loop_queue_work+0x274/0x20c0
[ 2074.057693]  ? finish_task_switch+0x146/0x760
[ 2074.062185]  ? finish_task_switch+0x118/0x760
[ 2074.066684]  ? switch_mm_irqs_off+0x2e5/0x1340
[ 2074.071273]  ? lo_fallocate.isra.0+0x170/0x170
[ 2074.075854]  ? kthread_worker_fn+0x217/0x730
[ 2074.080268]  ? lock_downgrade+0x720/0x720
[ 2074.084419]  ? lock_acquire+0x170/0x3c0
[ 2074.088395]  ? kthread_worker_fn+0x3e4/0x730
[ 2074.092806]  ? _raw_spin_unlock_irq+0x24/0x80
[ 2074.097307]  kthread_worker_fn+0x292/0x730
[ 2074.101901]  ? lockdep_hardirqs_on+0x3a8/0x5c0
[ 2074.106483]  ? __kthread_init_worker+0xf0/0xf0
[ 2074.111066]  ? __kthread_parkme+0x133/0x1e0
[ 2074.115388]  ? loop_info64_to_compat+0x5e0/0x5e0
[ 2074.120145]  kthread+0x33f/0x460
[ 2074.123508]  ? kthread_park+0x180/0x180
[ 2074.127491]  ret_from_fork+0x24/0x30
[ 2074.131205]
[ 2074.132826] Allocated by task 14402:
[ 2074.136537]  kmem_cache_alloc_trace+0x12f/0x380
[ 2074.141203]  lmLogInit+0x301/0x13e0
[ 2074.144828]  lmLogOpen+0x718/0x11e0
[ 2074.148454]  jfs_mount_rw+0x286/0x4b0
[ 2074.152253]  jfs_fill_super+0x814/0xb50
[ 2074.156226]  mount_bdev+0x2fc/0x3b0
[ 2074.159852]  mount_fs+0xa3/0x310
[ 2074.163216]  vfs_kern_mount.part.0+0x68/0x470
[ 2074.167726]  do_mount+0x115c/0x2f50
[ 2074.171347]  ksys_mount+0xcf/0x130
[ 2074.174887]  __x64_sys_mount+0xba/0x150
[ 2074.178861]  do_syscall_64+0xf9/0x620
[ 2074.182660]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 2074.187837]
[ 2074.189458] Freed by task 8191:
[ 2074.192734]  kfree+0xcc/0x210
2022/09/26 06:56:35 executed programs: 1103
[ 2074.195830]  lmLogShutdown+0x2c6/0x580
[ 2074.199708]  lmLogClose+0x4a1/0x610
[ 2074.203340]  jfs_umount+0x25f/0x310
[ 2074.206966]  jfs_put_super+0x61/0x140
[ 2074.210771]  generic_shutdown_super+0x144/0x370
[ 2074.215438]  kill_block_super+0x97/0xf0
[ 2074.219413]  deactivate_locked_super+0x94/0x160
[ 2074.224071]  deactivate_super+0x174/0x1a0
[ 2074.228210]  cleanup_mnt+0x1a8/0x290
[ 2074.231924]  task_work_run+0x148/0x1c0
[ 2074.235813]  exit_to_usermode_loop+0x251/0x2a0
[ 2074.240397]  do_syscall_64+0x538/0x620
[ 2074.244292]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 2074.249482]
[ 2074.251111] The buggy address belongs to the object at ffff8880999d1500
[ 2074.251111]  which belongs to the cache kmalloc-192 of size 192
[ 2074.263771] The buggy address is located 8 bytes inside of
[ 2074.263771]  192-byte region [ffff8880999d1500, ffff8880999d15c0)
[ 2074.275467] The buggy address belongs to the page:
[ 2074.280398] page:ffffea0002667440 count:1 mapcount:0 mapping:ffff88813bff0040 index:0x0
[ 2074.288537] flags: 0xfff00000000100(slab)
[ 2074.292689] raw: 00fff00000000100 ffffea000263c248 ffffea00026ee8c8 ffff88813bff0040
[ 2074.300571] raw: 0000000000000000 ffff8880999d1000 0000000100000010 0000000000000000
[ 2074.308445] page dumped because: kasan: bad access detected
[ 2074.314148]
[ 2074.315764] Memory state around the buggy address:
[ 2074.320685]  ffff8880999d1400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 2074.328042]  ffff8880999d1480: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 2074.335405] >ffff8880999d1500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 2074.342757]                      ^
[ 2074.346384]  ffff8880999d1580: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 2074.353744]  ffff8880999d1600: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 2074.361182] ==================================================================
[ 2074.368529] Disabling lock debugging due to kernel taint
[ 2074.373964] Kernel panic - not syncing: panic_on_warn set ...
[ 2074.373964]
[ 2074.381326] CPU: 1 PID: 14403 Comm: loop0 Tainted: G B 4.19.211-syzkaller #0
[ 2074.389803] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/26/2022
[ 2074.399141] Call Trace:
[ 2074.401734]  dump_stack+0x1fc/0x2ef
[ 2074.405364]  panic+0x26a/0x50e
[ 2074.408556]  ? __warn_printk+0xf3/0xf3
[ 2074.412447]  ? lock_downgrade+0x720/0x720
[ 2074.416596]  ? print_shadow_for_address+0xb8/0x114
[ 2074.421524]  ? trace_hardirqs_off+0x64/0x200
[ 2074.425941]  kasan_end_report+0x43/0x49
[ 2074.429916]  kasan_report_error.cold+0xa7/0x1b9
[ 2074.434586]  ? lbmIODone+0xcbf/0xf40
[ 2074.438301]  __asan_report_load4_noabort+0x88/0x90
[ 2074.443226]  ? lbmIODone+0xcbf/0xf40
[ 2074.446934]  lbmIODone+0xcbf/0xf40
[ 2074.450475]  ? lock_downgrade+0x720/0x720
[ 2074.454614]  ? lock_acquire+0x170/0x3c0
[ 2074.458579]  ? scale_cookie_change.isra.0+0x380/0x380
[ 2074.463767]  ? lbmFree+0x100/0x100
[ 2074.467303]  bio_endio+0x488/0x830
[ 2074.470845]  blk_update_request+0x30f/0xaf0
[ 2074.475179]  blk_mq_end_request+0x4a/0x340
[ 2074.479417]  lo_complete_rq+0x201/0x2d0
[ 2074.483393]  blk_mq_complete_request+0x472/0x660
[ 2074.488148]  loop_queue_work+0x274/0x20c0
[ 2074.492302]  ? finish_task_switch+0x146/0x760
[ 2074.496794]  ? finish_task_switch+0x118/0x760
[ 2074.501291]  ? switch_mm_irqs_off+0x2e5/0x1340
[ 2074.505873]  ? lo_fallocate.isra.0+0x170/0x170
[ 2074.510454]  ? kthread_worker_fn+0x217/0x730
[ 2074.514863]  ? lock_downgrade+0x720/0x720
[ 2074.519000]  ? lock_acquire+0x170/0x3c0
[ 2074.522955]  ? kthread_worker_fn+0x3e4/0x730
[ 2074.527358]  ? _raw_spin_unlock_irq+0x24/0x80
[ 2074.531858]  kthread_worker_fn+0x292/0x730
[ 2074.536097]  ? lockdep_hardirqs_on+0x3a8/0x5c0
[ 2074.540670]  ? __kthread_init_worker+0xf0/0xf0
[ 2074.545243]  ? __kthread_parkme+0x133/0x1e0
[ 2074.549567]  ? loop_info64_to_compat+0x5e0/0x5e0
[ 2074.554324]  kthread+0x33f/0x460
[ 2074.557686]  ? kthread_park+0x180/0x180
[ 2074.561662]  ret_from_fork+0x24/0x30
[ 2074.565531] Kernel Offset: disabled
[ 2074.569143] Rebooting in 86400 seconds..
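Added example, not part of the syzbot console log above and not syzkaller's or the kernel's own code: a small Python triage parser run over lines excerpted from this report. It strips the console timestamp, ignores the syzkaller stdout line that is interleaved inside the "Freed by" stack, drops the "? symbol" frames (stale stack slots, not the real call path) and pulls out what a triager reads off a KASAN report: bug class and faulting function, access kind/size/address and the task that hit it, the allocating and freeing tasks with their stacks (here allocated under jfs_mount_rw, freed under jfs_umount, then read from the loop0 kthread's request completion), the slab cache, and the access offset inside the object computed from the two addresses. The REPORTING prefix list and the title format are this example's own simplification of how crash titles are derived, not syzbot's code, and the SAMPLE string is an excerpt with frames elided.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Excerpt of the report above (timestamps kept, some frames elided, and one
# interleaved syzkaller stdout line left in because real console logs have them).
SAMPLE = """\
[ 2073.952824] BUG: KASAN: use-after-free in lbmIODone+0xcbf/0xf40
[ 2073.958887] Read of size 4 at addr ffff8880999d1508 by task loop0/14403
[ 2073.965635]
[ 2073.983709] Call Trace:
[ 2073.986306]  dump_stack+0x1fc/0x2ef
[ 2073.995225]  kasan_report_error.cold+0x8a/0x1b9
[ 2073.999894]  ? lbmIODone+0xcbf/0xf40
[ 2074.003606]  __asan_report_load4_noabort+0x88/0x90
[ 2074.012255]  lbmIODone+0xcbf/0xf40
[ 2074.044792]  lo_complete_rq+0x201/0x2d0
[ 2074.131205]
[ 2074.132826] Allocated by task 14402:
[ 2074.136537]  kmem_cache_alloc_trace+0x12f/0x380
[ 2074.141203]  lmLogInit+0x301/0x13e0
[ 2074.148454]  jfs_mount_rw+0x286/0x4b0
[ 2074.187837]
[ 2074.189458] Freed by task 8191:
[ 2074.192734]  kfree+0xcc/0x210
2022/09/26 06:56:35 executed programs: 1103
[ 2074.195830]  lmLogShutdown+0x2c6/0x580
[ 2074.203340]  jfs_umount+0x25f/0x310
[ 2074.249482]
[ 2074.251111] The buggy address belongs to the object at ffff8880999d1500
[ 2074.251111]  which belongs to the cache kmalloc-192 of size 192
"""

TS = re.compile(r"^\[\s*\d+\.\d+\] ?")  # "[ 2073.952824] " console prefix
HDR = re.compile(r"^BUG: KASAN: (?P<bug>[\w-]+) in (?P<func>[\w.]+)\+0x")
ACC = re.compile(r"^(?P<kind>Read|Write) of size (?P<size>\d+) at addr (?P<addr>[0-9a-f]+) by task (?P<task>\S+)/(?P<pid>\d+)$")
FRAME = re.compile(r"^\s+(?P<stale>\? )?(?P<sym>[\w.]+)\+0x[0-9a-f]+/0x[0-9a-f]+$")
STACK = re.compile(r"^(?P<which>Allocated|Freed) by task (?P<pid>\d+):$")
OBJ = re.compile(r"belongs to the object at (?P<addr>[0-9a-f]+)$")
CACHE = re.compile(r"belongs to the cache (?P<name>\S+) of size \d+$")

@dataclass
class KasanReport:
    bug: str = ""
    func: str = ""
    kind: str = ""
    size: int = 0
    addr: int = 0
    task: str = ""
    pid: int = 0
    call_trace: List[str] = field(default_factory=list)
    alloc_pid: Optional[int] = None
    alloc_stack: List[str] = field(default_factory=list)
    free_pid: Optional[int] = None
    free_stack: List[str] = field(default_factory=list)
    object_addr: Optional[int] = None
    cache: str = ""

    def offset_in_object(self):  # byte offset of the access inside the slab object
        return None if self.object_addr is None else self.addr - self.object_addr

def parse_kasan(text):
    r = KasanReport()
    stack = None  # the list currently receiving frames, or None outside a stack
    for raw in text.splitlines():
        line = TS.sub("", raw)
        if not line.strip():  # an empty console line terminates a stack
            stack = None
        elif m := HDR.match(line):
            r.bug, r.func = m["bug"], m["func"]
        elif m := ACC.match(line):
            r.kind, r.size, r.addr = m["kind"], int(m["size"]), int(m["addr"], 16)
            r.task, r.pid = m["task"], int(m["pid"])
        elif line == "Call Trace:":
            stack = r.call_trace
        elif m := STACK.match(line):
            if m["which"] == "Allocated":
                r.alloc_pid, stack = int(m["pid"]), r.alloc_stack
            else:
                r.free_pid, stack = int(m["pid"]), r.free_stack
        elif (m := FRAME.match(line)) and stack is not None:
            if not m["stale"]:  # "? sym" entries are leftover stack slots, not the real path
                stack.append(m["sym"])
        elif m := OBJ.search(line):
            r.object_addr = int(m["addr"], 16)
        elif m := CACHE.search(line):
            r.cache = m["name"]
        # anything else (CPU line, interleaved fuzzer stdout) is ignored
    return r

# Frames that belong to the reporting machinery, not to the crashing code path.
REPORTING = ("dump_stack", "print_address_description", "kasan_", "__kasan_", "__asan_")

def crashing_frame(frames):  # first reliable frame below the KASAN reporting machinery
    return next((s for s in frames if not s.startswith(REPORTING)), None)

def title(r):  # bug title in the shape syzbot uses, e.g. "KASAN: use-after-free Read in lbmIODone"
    return f"KASAN: {r.bug} {r.kind} in {crashing_frame(r.call_trace) or r.func}"

if __name__ == "__main__":
    rep = parse_kasan(SAMPLE)
    print(title(rep), f"+{rep.offset_in_object()} into {rep.cache}",
          f"alloc {rep.alloc_pid}: {' <- '.join(rep.alloc_stack)}",
          f"free {rep.free_pid}: {' <- '.join(rep.free_stack)}", sep="\n  ")
```

The three PIDs the parser recovers are the point of this report: the log object was allocated by the mounting task (14402), freed by a different task's umount (8191), and then read by the loop0 kernel thread (14403) while completing a block request, so the lifetime of the JFS log structure did not cover an I/O that was still in flight when the filesystem was torn down. Requires Python 3.8 or later for the assignment expressions.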