[ OK ] Reached target Graphical Interface.
Starting Update UTMP about System Runlevel Changes...
Starting Load/Save RF Kill Switch Status...
[ OK ] Started Update UTMP about System Runlevel Changes.
[ OK ] Started Load/Save RF Kill Switch Status.

Debian GNU/Linux 9 syzkaller ttyS0

Warning: Permanently added '10.128.0.89' (ECDSA) to the list of known hosts.
executing program
executing program
executing program
executing program
executing program
syzkaller login: [ 529.717323][ T28] audit: type=1400 audit(1602444719.083:8): avc: denied { execmem } for pid=6887 comm="syz-executor465" scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=process permissive=1
executing program
[ 529.758413][ T6896] BTRFS: device fsid abb5d618-46c7-4e89-943b-7a9d2665c168 devid 0 transid 0 /dev/loop4 scanned by syz-executor465 (6896)
[ 529.775356][ T6895] BTRFS warning (device ): duplicate device fsid:devid for abb5d618-46c7-4e89-943b-7a9d2665c168:0 old:/dev/loop4 new:/dev/loop0
[ 529.795917][ T6896] BTRFS error (device loop4): superblock checksum mismatch
[ 529.806237][ T6894] BTRFS warning (device ): duplicate device fsid:devid for abb5d618-46c7-4e89-943b-7a9d2665c168:0 old:/dev/loop4 new:/dev/loop5
[ 529.912048][ T6901] BTRFS warning (device ): duplicate device fsid:devid for abb5d618-46c7-4e89-943b-7a9d2665c168:0 old:/dev/loop4 new:/dev/loop3
[ 529.931217][ T6900] BTRFS warning (device ): duplicate device fsid:devid for abb5d618-46c7-4e89-943b-7a9d2665c168:0 old:/dev/loop4 new:/dev/loop2
[ 530.010584][ T6899] BTRFS warning (device ): duplicate device fsid:devid for abb5d618-46c7-4e89-943b-7a9d2665c168:0 old:/dev/loop4 new:/dev/loop1
[ 530.036363][ T6896] BTRFS error (device loop4): open_ctree failed
[ 530.041253][ T6914] BTRFS: device fsid abb5d618-46c7-4e89-943b-7a9d2665c168 devid 1 transid 7 /dev/loop5 scanned by systemd-udevd (6914)
[ 530.136632][ T6895] BTRFS warning (device ): duplicate device fsid:devid for abb5d618-46c7-4e89-943b-7a9d2665c168:1 old:/dev/loop5 new:/dev/loop0
[ 530.151839][ T6894] BTRFS info (device loop5): disk space caching is enabled
[ 530.161287][ T6894] BTRFS info (device loop5): has skinny extents
[ 530.168593][ T6901] BTRFS warning (device ): duplicate device fsid:devid for abb5d618-46c7-4e89-943b-7a9d2665c168:1 old:/dev/loop5 new:/dev/loop3
executing program
[ 530.193293][ T6900] BTRFS warning (device ): duplicate device fsid:devid for abb5d618-46c7-4e89-943b-7a9d2665c168:1 old:/dev/loop5 new:/dev/loop2
executing program
executing program
executing program
[ 530.282610][ T6899] BTRFS warning (device ): duplicate device fsid:devid for abb5d618-46c7-4e89-943b-7a9d2665c168:1 old:/dev/loop5 new:/dev/loop1
executing program
executing program
[ 530.341168][ T6896] BTRFS warning (device ): duplicate device fsid:devid for abb5d618-46c7-4e89-943b-7a9d2665c168:1 old:/dev/loop5 new:/dev/loop4
[ 530.369710][ T6923] BTRFS warning (device ): duplicate device fsid:devid for abb5d618-46c7-4e89-943b-7a9d2665c168:1 old:/dev/loop5 new:/dev/loop0
executing program
executing program
[ 530.439571][ T6894] BTRFS error (device loop5): super_num_devices 1 mismatch with num_devices 1 found here
[ 530.477438][ T6894] BTRFS error (device loop5): failed to read chunk tree: -22
[ 530.542086][ T6894] BTRFS error (device loop5): open_ctree failed
[ 530.556615][ T6947] BTRFS info (device loop5): disk space caching is enabled
[ 530.566399][ T6961] BTRFS warning (device ): duplicate device fsid:devid for abb5d618-46c7-4e89-943b-7a9d2665c168:1 old:/dev/loop5 new:/dev/loop0
[ 530.591659][ T6947] BTRFS info (device loop5): has skinny extents
executing program
executing program
executing program
[ 530.644505][ T6947] BTRFS error (device loop5): super_num_devices 1 mismatch with num_devices 1 found here
[ 530.657266][ T6947] BTRFS error (device loop5): failed to read chunk tree: -22
executing program
executing program
executing program
[ 530.727649][ T6947] BTRFS error (device loop5): open_ctree failed
[ 530.737880][ T6949] BTRFS info (device loop5): disk space caching is enabled
[ 530.746752][ T6949] BTRFS info (device loop5): has skinny extents
[ 530.775031][ T6949] BTRFS error (device loop5): super_num_devices 1 mismatch with num_devices 1 found here
[ 530.785064][ T6949] BTRFS error (device loop5): failed to read chunk tree: -22
executing program
executing program
[ 530.823173][ T6947] BTRFS warning (device ): duplicate device fsid:devid for abb5d618-46c7-4e89-943b-7a9d2665c168:1 old:/dev/loop5 new:/dev/loop3
executing program
[ 530.876283][ T6949] BTRFS error (device loop5): open_ctree failed
[ 530.887361][ T6954] BTRFS info (device loop5): disk space caching is enabled
[ 530.912967][ T6954] BTRFS info (device loop5): has skinny extents
[ 530.939496][ T6954] BTRFS error (device loop5): super_num_devices 1 mismatch with num_devices 1 found here
[ 530.949779][ T6954] BTRFS error (device loop5): failed to read chunk tree: -22
executing program
executing program
[ 530.987199][ T6949] BTRFS warning (device ): duplicate device fsid:devid for abb5d618-46c7-4e89-943b-7a9d2665c168:1 old:/dev/loop5 new:/dev/loop2
[ 531.053210][ T6954] BTRFS error (device loop5): open_ctree failed
[ 531.065609][ T6998] BTRFS info (device loop5): disk space caching is enabled
[ 531.079210][ T6998] BTRFS info (device loop5): has skinny extents
executing program
executing program
executing program
[ 531.156942][ T6954] BTRFS warning (device ): duplicate device fsid:devid for abb5d618-46c7-4e89-943b-7a9d2665c168:1 old:/dev/loop5 new:/dev/loop1
[ 531.173260][ T6998] BTRFS error (device loop5): super_num_devices 1 mismatch with num_devices 1 found here
[ 531.189120][ T6998] BTRFS error (device loop5): failed to read chunk tree: -22
executing program
executing program
executing program
[ 531.256409][ T6998] BTRFS error (device loop5): open_ctree failed
[ 531.267675][ T6959] BTRFS info (device loop5): disk space caching is enabled
[ 531.279398][ T6959] BTRFS info (device loop5): has skinny extents
executing program
executing program
[ 531.359092][ T6998] BTRFS warning (device ): duplicate device fsid:devid for abb5d618-46c7-4e89-943b-7a9d2665c168:1 old:/dev/loop5 new:/dev/loop0
[ 531.394492][ T7014] BTRFS warning (device ): duplicate device fsid:devid for abb5d618-46c7-4e89-943b-7a9d2665c168:1 old:/dev/loop5 new:/dev/loop0
executing program
executing program
executing program
[ 531.462276][ T26] BTRFS error (device loop5): bad tree block start, want 5267456 have 0
[ 531.485554][ T6959] BTRFS warning (device loop5): failed to read root (objectid=7): -5
executing program
[ 531.554677][ T7122] BTRFS warning (device loop5): duplicate device fsid:devid for abb5d618-46c7-4e89-943b-7a9d2665c168:1 old:/dev/loop5 new:/dev/loop0
[ 531.568999][ T6959] BTRFS error (device loop5): open_ctree failed
[ 531.580475][ T7058] BTRFS info (device loop5): disk space caching is enabled
[ 531.590069][ T7058] BTRFS info (device loop5): has skinny extents
executing program
executing program
[ 531.637785][ T26] BTRFS error (device loop5): bad tree block start, want 5267456 have 0
[ 531.646571][ T7058] BTRFS warning (device loop5): failed to read root (objectid=7): -5
executing program
[ 531.739118][ T6959] BTRFS warning (device loop5): duplicate device fsid:devid for abb5d618-46c7-4e89-943b-7a9d2665c168:1 old:/dev/loop5 new:/dev/loop4
[ 531.768098][ T7058] BTRFS error (device loop5): open_ctree failed
[ 531.782895][ T7011] ==================================================================
[ 531.783081][ T7011] BUG: KASAN: use-after-free in btrfs_printk+0x38b/0x40c
[ 531.783095][ T7011] Read of size 8 at addr ffff88809c1606a8 by task systemd-udevd/7011
[ 531.783100][ T7011]
[ 531.783116][ T7011] CPU: 0 PID: 7011 Comm: systemd-udevd Not tainted 5.9.0-rc8-syzkaller #0
[ 531.783125][ T7011] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 531.783157][ T7011] Call Trace:
[ 531.783229][ T7011]  dump_stack+0x198/0x1fd
[ 531.783248][ T7011]  ? btrfs_printk+0x38b/0x40c
[ 531.783267][ T7011]  ? btrfs_printk+0x38b/0x40c
[ 531.783288][ T7011]  print_address_description.constprop.0.cold+0xae/0x497
[ 531.783306][ T7011]  ? btrfs_printk+0x38b/0x40c
[ 531.783332][ T7011]  ? lockdep_hardirqs_off+0x96/0xd0
[ 531.783349][ T7011]  ? vprintk_func+0x95/0x1d4
[ 531.783368][ T7011]  ? btrfs_printk+0x38b/0x40c
[ 531.783382][ T7011]  ? btrfs_printk+0x38b/0x40c
[ 531.783397][ T7011]  kasan_report.cold+0x1f/0x37
[ 531.783416][ T7011]  ? btrfs_printk+0x38b/0x40c
[ 531.783432][ T7011]  btrfs_printk+0x38b/0x40c
[ 531.783451][ T7011]  ? btrfs_put_super+0x38/0x38
[ 531.783494][ T7011]  ? device_list_add+0xe79/0x1570
[ 531.783517][ T7011]  ? lock_release+0x8f0/0x8f0
[ 531.783560][ T7011]  ? __mutex_unlock_slowpath+0xe2/0x610
[ 531.783579][ T7011]  ? _atomic_dec_and_lock+0x92/0x100
[ 531.783596][ T7011]  ? wait_for_completion+0x260/0x260
[ 531.783625][ T7011]  device_list_add.cold+0x58/0x2d2
[ 531.783647][ T7011]  ? btrfs_alloc_device+0x5d0/0x5d0
[ 531.783665][ T7011]  ? do_read_cache_page+0xe6/0x1390
[ 531.783689][ T7011]  btrfs_scan_one_device+0x339/0x4a0
[ 531.783706][ T7011]  ? device_list_add+0x1570/0x1570
[ 531.783721][ T7011]  ? __might_fault+0x190/0x1d0
[ 531.783766][ T7011]  ? _copy_from_user+0x138/0x190
[ 531.783790][ T7011]  btrfs_control_ioctl+0x12a/0x2d0
[ 531.783804][ T7011]  ? btrfs_set_super+0x70/0x70
[ 531.783822][ T7011]  __x64_sys_ioctl+0x193/0x200
[ 531.783842][ T7011]  do_syscall_64+0x2d/0x70
[ 531.783859][ T7011]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 531.783872][ T7011] RIP: 0033:0x7fdd09050017
[ 531.783888][ T7011] Code: 00 00 00 48 8b 05 81 7e 2b 00 64 c7 00 26 00 00 00 48 c7 c0 ff ff ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 b8 10 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 51 7e 2b 00 f7 d8 64 89 01 48
[ 531.783919][ T7011] RSP: 002b:00007ffe99e01348 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[ 531.783935][ T7011] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007fdd09050017
[ 531.783945][ T7011] RDX: 00007ffe99e01360 RSI: 0000000090009427 RDI: 000000000000000f
[ 531.783953][ T7011] RBP: 00007ffe99e01360 R08: 0000000000000000 R09: 00000000000001c8
[ 531.783961][ T7011] R10: 0000000000000001 R11: 0000000000000246 R12: 000000000000000f
[ 531.783970][ T7011] R13: 0000000000000000 R14: 00005610a657c060 R15: 00005610a655f910
[ 531.783995][ T7011]
[ 531.784029][ T7011] Allocated by task 7058:
[ 531.784044][ T7011]  kasan_save_stack+0x1b/0x40
[ 531.784058][ T7011]  __kasan_kmalloc.constprop.0+0xbf/0xd0
[ 531.784073][ T7011]  kvmalloc_node+0xb4/0xf0
[ 531.784087][ T7011]  btrfs_mount_root+0x117/0xbb0
[ 531.784100][ T7011]  legacy_get_tree+0x105/0x220
[ 531.784112][ T7011]  vfs_get_tree+0x89/0x2f0
[ 531.784128][ T7011]  vfs_kern_mount.part.0+0xd3/0x170
[ 531.784142][ T7011]  vfs_kern_mount+0x3c/0x60
[ 531.784155][ T7011]  btrfs_mount+0x234/0xaa0
[ 531.784168][ T7011]  legacy_get_tree+0x105/0x220
[ 531.784180][ T7011]  vfs_get_tree+0x89/0x2f0
[ 531.784192][ T7011]  path_mount+0x1387/0x20a0
[ 531.784205][ T7011]  __x64_sys_mount+0x27f/0x300
[ 531.784218][ T7011]  do_syscall_64+0x2d/0x70
[ 531.784232][ T7011]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 531.784236][ T7011]
[ 531.784243][ T7011] Freed by task 7058:
[ 531.784256][ T7011]  kasan_save_stack+0x1b/0x40
[ 531.784268][ T7011]  kasan_set_track+0x1c/0x30
[ 531.784283][ T7011]  kasan_set_free_info+0x1b/0x30
[ 531.784296][ T7011]  __kasan_slab_free+0xd8/0x120
[ 531.784307][ T7011]  kfree+0x10e/0x2b0
[ 531.784321][ T7011]  kvfree+0x42/0x50
[ 531.784334][ T7011]  deactivate_locked_super+0x94/0x160
[ 531.784347][ T7011]  btrfs_mount_root+0x772/0xbb0
[ 531.784360][ T7011]  legacy_get_tree+0x105/0x220
[ 531.784371][ T7011]  vfs_get_tree+0x89/0x2f0
[ 531.784387][ T7011]  vfs_kern_mount.part.0+0xd3/0x170
[ 531.784401][ T7011]  vfs_kern_mount+0x3c/0x60
[ 531.784414][ T7011]  btrfs_mount+0x234/0xaa0
[ 531.784425][ T7011]  legacy_get_tree+0x105/0x220
[ 531.784435][ T7011]  vfs_get_tree+0x89/0x2f0
[ 531.784445][ T7011]  path_mount+0x1387/0x20a0
[ 531.784456][ T7011]  __x64_sys_mount+0x27f/0x300
[ 531.784467][ T7011]  do_syscall_64+0x2d/0x70
[ 531.784479][ T7011]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 531.784483][ T7011]
[ 531.784493][ T7011] The buggy address belongs to the object at ffff88809c160000
[ 531.784493][ T7011]  which belongs to the cache kmalloc-16k of size 16384
[ 531.784506][ T7011] The buggy address is located 1704 bytes inside of
[ 531.784506][ T7011]  16384-byte region [ffff88809c160000, ffff88809c164000)
[ 531.784511][ T7011] The buggy address belongs to the page:
[ 531.784527][ T7011] page:00000000848bc71a refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x9c160
[ 531.784538][ T7011] head:00000000848bc71a order:3 compound_mapcount:0 compound_pincount:0
[ 531.784550][ T7011] flags: 0xfffe0000010200(slab|head)
[ 531.784569][ T7011] raw: 00fffe0000010200 ffffea0002397808 ffffea00021ca008 ffff8880aa040b00
[ 531.784586][ T7011] raw: 0000000000000000 ffff88809c160000 0000000100000001 0000000000000000
[ 531.784592][ T7011] page dumped because: kasan: bad access detected
[ 531.784597][ T7011]
[ 531.784601][ T7011] Memory state around the buggy address:
[ 531.784613][ T7011]  ffff88809c160580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 531.784625][ T7011]  ffff88809c160600: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 531.784637][ T7011] >ffff88809c160680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 531.784643][ T7011]                                   ^
[ 531.784655][ T7011]  ffff88809c160700: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 531.784667][ T7011]  ffff88809c160780: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 531.784673][ T7011] ==================================================================
[ 531.784678][ T7011] Disabling lock debugging due to kernel taint
[ 531.793373][ T7011] Kernel panic - not syncing: panic_on_warn set ...
[ 531.793391][ T7011] CPU: 0 PID: 7011 Comm: systemd-udevd Tainted: G B 5.9.0-rc8-syzkaller #0
[ 531.793397][ T7011] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 531.793401][ T7011] Call Trace:
[ 531.793421][ T7011]  dump_stack+0x198/0x1fd
[ 531.793438][ T7011]  ? btrfs_printk+0x2f8/0x40c
[ 531.793453][ T7011]  panic+0x382/0x7fb
[ 531.793467][ T7011]  ? __warn_printk+0xf3/0xf3
[ 531.793484][ T7011]  ? preempt_schedule_common+0x59/0xc0
[ 531.793497][ T7011]  ? btrfs_printk+0x38b/0x40c
[ 531.793511][ T7011]  ? preempt_schedule_thunk+0x16/0x18
[ 531.793525][ T7011]  ? trace_hardirqs_on+0x55/0x220
[ 531.793538][ T7011]  ? btrfs_printk+0x38b/0x40c
[ 531.793550][ T7011]  ? btrfs_printk+0x38b/0x40c
[ 531.793564][ T7011]  end_report+0x4d/0x53
[ 531.793576][ T7011]  kasan_report.cold+0xd/0x37
[ 531.793591][ T7011]  ? btrfs_printk+0x38b/0x40c
[ 531.793601][ T7011]  btrfs_printk+0x38b/0x40c
[ 531.793614][ T7011]  ? btrfs_put_super+0x38/0x38
[ 531.793634][ T7011]  ? device_list_add+0xe79/0x1570
[ 531.793649][ T7011]  ? lock_release+0x8f0/0x8f0
[ 531.793664][ T7011]  ? __mutex_unlock_slowpath+0xe2/0x610
[ 531.793679][ T7011]  ? _atomic_dec_and_lock+0x92/0x100
[ 531.793693][ T7011]  ? wait_for_completion+0x260/0x260
[ 531.793709][ T7011]  device_list_add.cold+0x58/0x2d2
[ 531.793724][ T7011]  ? btrfs_alloc_device+0x5d0/0x5d0
[ 531.793737][ T7011]  ? do_read_cache_page+0xe6/0x1390
[ 531.793752][ T7011]  btrfs_scan_one_device+0x339/0x4a0
[ 531.793765][ T7011]  ? device_list_add+0x1570/0x1570
[ 531.793777][ T7011]  ? __might_fault+0x190/0x1d0
[ 531.793791][ T7011]  ? _copy_from_user+0x138/0x190
[ 531.793806][ T7011]  btrfs_control_ioctl+0x12a/0x2d0
[ 531.793824][ T7011]  ? btrfs_set_super+0x70/0x70
[ 531.793839][ T7011]  __x64_sys_ioctl+0x193/0x200
[ 531.793854][ T7011]  do_syscall_64+0x2d/0x70
[ 531.793868][ T7011]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 531.793879][ T7011] RIP: 0033:0x7fdd09050017
[ 531.793892][ T7011] Code: 00 00 00 48 8b 05 81 7e 2b 00 64 c7 00 26 00 00 00 48 c7 c0 ff ff ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 b8 10 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 51 7e 2b 00 f7 d8 64 89 01 48
[ 531.793907][ T7011] RSP: 002b:00007ffe99e01348 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[ 531.793920][ T7011] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007fdd09050017
[ 531.793928][ T7011] RDX: 00007ffe99e01360 RSI: 0000000090009427 RDI: 000000000000000f
[ 531.793935][ T7011] RBP: 00007ffe99e01360 R08: 0000000000000000 R09: 00000000000001c8
[ 531.793943][ T7011] R10: 0000000000000001 R11: 0000000000000246 R12: 000000000000000f
[ 531.793952][ T7011] R13: 0000000000000000 R14: 00005610a657c060 R15: 00005610a655f910
[ 531.795427][ T7011] Kernel Offset: disabled
[ 532.651746][ T7011] Rebooting in 86400 seconds..