Warning: Permanently added '10.128.0.166' (ECDSA) to the list of known hosts.
executing program
syzkaller login: [ 49.583859] ==================================================================
[ 49.591417] BUG: KASAN: slab-out-of-bounds in dbAllocDmapLev+0x2e0/0x330
[ 49.598260] Read of size 1 at addr ffff888098d36fcd by task syz-executor110/8115
[ 49.605936]
[ 49.607591] CPU: 0 PID: 8115 Comm: syz-executor110 Not tainted 4.19.211-syzkaller #0
[ 49.615648] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022
[ 49.625100] Call Trace:
[ 49.627681] dump_stack+0x1fc/0x2ef
[ 49.631299] print_address_description.cold+0x54/0x219
[ 49.636558] kasan_report_error.cold+0x8a/0x1b9
[ 49.641226] ? dbAllocDmapLev+0x2e0/0x330
[ 49.645471] __asan_report_load1_noabort+0x88/0x90
[ 49.650431] ? dbAllocDmapLev+0x2e0/0x330
[ 49.654568] dbAllocDmapLev+0x2e0/0x330
[ 49.658547] ? dbAllocNext+0x400/0x400
[ 49.662421] ? mark_held_locks+0xf0/0xf0
[ 49.666570] ? lock_downgrade+0x720/0x720
[ 49.670726] dbAllocCtl+0x4a2/0x700
[ 49.674371] ? __mutex_unlock_slowpath+0xea/0x610
[ 49.679219] dbAllocAG+0x7d1/0xb90
[ 49.682748] ? __read_once_size_nocheck.constprop.0+0x10/0x10
[ 49.688618] ? dbAllocCtl+0x700/0x700
[ 49.692404] dbAlloc+0x472/0xb00
[ 49.695758] ? kmem_cache_alloc_trace+0x323/0x380
[ 49.700580] dtSplitUp+0x365/0x4e70
[ 49.704351] ? do_async_page_fault+0xc0/0x140
[ 49.708846] ? __lock_acquire+0x6de/0x3ff0
[ 49.713093] ? dtSplitRoot+0x1590/0x1590
[ 49.717145] ? kfree+0xcc/0x210
[ 49.720405] ? dtSearch+0x1612/0x1ef0
[ 49.724212] ? jfs_create.part.0+0x231/0x880
[ 49.728618] ? jfs_create+0x3f/0x60
[ 49.732323] ? lookup_open+0x893/0x1a20
[ 49.736297] ? path_openat+0x1094/0x2df0
[ 49.740364] ? do_filp_open+0x18c/0x3f0
[ 49.744345] ? do_sys_open+0x3b3/0x520
[ 49.748272] ? do_syscall_64+0xf9/0x620
[ 49.752257] ? mark_held_locks+0xf0/0xf0
[ 49.756319] ? debug_check_no_obj_freed+0x201/0x490
[ 49.761316] ? lock_downgrade+0x720/0x720
[ 49.765447] ? txLockAlloc+0x211/0x2e0
[ 49.769320] ? txLock+0x6b1/0x1bd0
[ 49.772841] ? lock_downgrade+0x720/0x720
[ 49.776979] ? lock_acquire+0x170/0x3c0
[ 49.780953] ? txLock+0x9e/0x1bd0
[ 49.784408] dtInsert+0x7fd/0xa00
[ 49.787849] ? dtSearch+0x1ef0/0x1ef0
[ 49.791632] ? txEnd+0x320/0x320
[ 49.794990] jfs_create.part.0+0x3c6/0x880
[ 49.799225] ? jfs_mkdir+0x60/0x60
[ 49.802928] ? jfs_lookup+0xb5/0x1c0
[ 49.806648] ? __dquot_initialize+0x298/0xb70
[ 49.811143] ? userns_put+0xb0/0xb0
[ 49.814884] ? dquot_initialize_needed+0x290/0x290
[ 49.819843] ? param_get_aalockpolicy+0x90/0x90
[ 49.825775] ? __d_lookup+0x411/0x710
[ 49.829559] ? generic_permission+0x116/0x4d0
[ 49.834789] ? security_inode_permission+0xc5/0xf0
[ 49.839711] jfs_create+0x3f/0x60
[ 49.843194] ? jfs_create.part.0+0x880/0x880
[ 49.847584] lookup_open+0x893/0x1a20
[ 49.851596] ? vfs_mkdir+0x7a0/0x7a0
[ 49.855307] ? unlazy_walk+0x1a4/0x540
[ 49.859398] ? check_preemption_disabled+0x41/0x280
[ 49.864518] path_openat+0x1094/0x2df0
[ 49.868402] ? path_lookupat+0x8d0/0x8d0
[ 49.872449] ? entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 49.877795] ? mark_held_locks+0xf0/0xf0
[ 49.881863] ? __lock_acquire+0x6de/0x3ff0
[ 49.886099] do_filp_open+0x18c/0x3f0
[ 49.889906] ? may_open_dev+0xf0/0xf0
[ 49.893709] ? lock_downgrade+0x720/0x720
[ 49.897851] ? lock_acquire+0x170/0x3c0
[ 49.901822] ? __alloc_fd+0x34/0x570
[ 49.905535] ? do_raw_spin_unlock+0x171/0x230
[ 49.910022] ? _raw_spin_unlock+0x29/0x40
[ 49.914158] ? __alloc_fd+0x28d/0x570
[ 49.917941] do_sys_open+0x3b3/0x520
[ 49.921638] ? filp_open+0x70/0x70
[ 49.925163] ? entry_SYSCALL_64_after_hwframe+0x3e/0xbe
[ 49.930509] ? trace_hardirqs_off_caller+0x6e/0x210
[ 49.935955] ? do_syscall_64+0x21/0x620
[ 49.940175] do_syscall_64+0xf9/0x620
[ 49.944331] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 49.949692] RIP: 0033:0x7f2e9a3f87e9
[ 49.953404] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 51 14 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48
[ 49.972557] RSP: 002b:00007ffcf416d9b8 EFLAGS: 00000246 ORIG_RAX: 0000000000000101
[ 49.980266] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f2e9a3f87e9
[ 49.987694] RDX: 000000000000275a RSI: 0000000020000040 RDI: 00000000ffffff9c
[ 49.995317] RBP: 00007f2e9a3b8080 R08: 0000000000000000 R09: 0000000000000000
[ 50.002668] R10: 0000000000000000 R11: 0000000000000246 R12: 00007f2e9a3b8110
[ 50.010010] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[ 50.017267]
[ 50.018892] Allocated by task 8091:
[ 50.022574] kmem_cache_alloc+0x122/0x370
[ 50.026745] skb_clone+0x151/0x3d0
[ 50.030271] dev_queue_xmit_nit+0x326/0xa20
[ 50.034573] dev_hard_start_xmit+0xaa/0x920
[ 50.038873] sch_direct_xmit+0x2d6/0xf70
[ 50.042913] __qdisc_run+0x4d0/0x1640
[ 50.046719] __dev_queue_xmit+0x2102/0x2e00
[ 50.051031] ip_finish_output2+0xb6d/0x15a0
[ 50.055331] ip_finish_output+0xae9/0x10b0
[ 50.059550] ip_output+0x203/0x5f0
[ 50.063077] ip_local_out+0xaf/0x170
[ 50.066950] __ip_queue_xmit+0x91e/0x1c10
[ 50.071078] __tcp_transmit_skb+0x1b9c/0x3400
[ 50.075924] __tcp_send_ack.part.0+0x3d9/0x5c0
[ 50.080489] tcp_send_ack+0x7d/0xa0
[ 50.084101] tcp_cleanup_rbuf+0x30f/0x600
[ 50.088229] tcp_recvmsg+0xa8c/0x2a90
[ 50.092009] inet_recvmsg+0x124/0x5c0
[ 50.095789] sock_read_iter+0x339/0x470
[ 50.099927] __vfs_read+0x518/0x750
[ 50.103567] vfs_read+0x194/0x3c0
[ 50.107123] ksys_read+0x12b/0x2a0
[ 50.110843] do_syscall_64+0xf9/0x620
[ 50.114631] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 50.119798]
[ 50.121404] Freed by task 8091:
[ 50.124669] kmem_cache_free+0x7f/0x260
[ 50.128627] kfree_skbmem+0xc1/0x140
[ 50.132322] consume_skb+0x120/0x3d0
[ 50.136142] packet_rcv+0xea/0x1490
[ 50.139765] dev_queue_xmit_nit+0x756/0xa20
[ 50.144168] dev_hard_start_xmit+0xaa/0x920
[ 50.148485] sch_direct_xmit+0x2d6/0xf70
[ 50.152605] __qdisc_run+0x4d0/0x1640
[ 50.156398] __dev_queue_xmit+0x2102/0x2e00
[ 50.160705] ip_finish_output2+0xb6d/0x15a0
[ 50.165009] ip_finish_output+0xae9/0x10b0
[ 50.169248] ip_output+0x203/0x5f0
[ 50.172880] ip_local_out+0xaf/0x170
[ 50.176576] __ip_queue_xmit+0x91e/0x1c10
[ 50.180739] __tcp_transmit_skb+0x1b9c/0x3400
[ 50.185340] __tcp_send_ack.part.0+0x3d9/0x5c0
[ 50.190042] tcp_send_ack+0x7d/0xa0
[ 50.193678] tcp_cleanup_rbuf+0x30f/0x600
[ 50.197818] tcp_recvmsg+0xa8c/0x2a90
[ 50.201632] inet_recvmsg+0x124/0x5c0
[ 50.205596] sock_read_iter+0x339/0x470
[ 50.209654] __vfs_read+0x518/0x750
[ 50.213407] vfs_read+0x194/0x3c0
[ 50.216856] ksys_read+0x12b/0x2a0
[ 50.220381] do_syscall_64+0xf9/0x620
[ 50.224169] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 50.229593]
[ 50.231204] The buggy address belongs to the object at ffff888098d36e40
[ 50.231204]  which belongs to the cache skbuff_head_cache of size 232
[ 50.244554] The buggy address is located 165 bytes to the right of
[ 50.244554]  232-byte region [ffff888098d36e40, ffff888098d36f28)
[ 50.256928] The buggy address belongs to the page:
[ 50.261858] page:ffffea0002634d80 count:1 mapcount:0 mapping:ffff8880b5b96900 index:0x0
[ 50.270156] flags: 0xfff00000000100(slab)
[ 50.274287] raw: 00fff00000000100 ffffea0002ab7c08 ffffea0002821ec8 ffff8880b5b96900
[ 50.282236] raw: 0000000000000000 ffff888098d36080 000000010000000c 0000000000000000
[ 50.290089] page dumped because: kasan: bad access detected
[ 50.295772]
[ 50.297372] Memory state around the buggy address:
[ 50.302295]  ffff888098d36e80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 50.309639]  ffff888098d36f00: fb fb fb fb fb fc fc fc fc fc fc fc fc fc fc fc
[ 50.316978] >ffff888098d36f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 50.324325]                                               ^
[ 50.330040]  ffff888098d37000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 50.337380]  ffff888098d37080: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 50.344713] ==================================================================
[ 50.352071] Disabling lock debugging due to kernel taint
[ 50.368055] Kernel panic - not syncing: panic_on_warn set ...
[ 50.368055]
[ 50.375465] CPU: 1 PID: 8115 Comm: syz-executor110 Tainted: G B 4.19.211-syzkaller #0
[ 50.384734] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022
[ 50.394507] Call Trace:
[ 50.397104] dump_stack+0x1fc/0x2ef
[ 50.400734] panic+0x26a/0x50e
[ 50.403924] ? __warn_printk+0xf3/0xf3
[ 50.407817] ? preempt_schedule_common+0x45/0xc0
[ 50.412579] ? ___preempt_schedule+0x16/0x18
[ 50.416967] ? trace_hardirqs_on+0x55/0x210
[ 50.421271] kasan_end_report+0x43/0x49
[ 50.425229] kasan_report_error.cold+0xa7/0x1b9
[ 50.429882] ? dbAllocDmapLev+0x2e0/0x330
[ 50.434038] __asan_report_load1_noabort+0x88/0x90
[ 50.438964] ? dbAllocDmapLev+0x2e0/0x330
[ 50.443101] dbAllocDmapLev+0x2e0/0x330
[ 50.447067] ? dbAllocNext+0x400/0x400
[ 50.450937] ? mark_held_locks+0xf0/0xf0
[ 50.455067] ? lock_downgrade+0x720/0x720
[ 50.459281] dbAllocCtl+0x4a2/0x700
[ 50.462900] ? __mutex_unlock_slowpath+0xea/0x610
[ 50.467721] dbAllocAG+0x7d1/0xb90
[ 50.471240] ? __read_once_size_nocheck.constprop.0+0x10/0x10
[ 50.477115] ? dbAllocCtl+0x700/0x700
[ 50.480897] dbAlloc+0x472/0xb00
[ 50.485554] ? kmem_cache_alloc_trace+0x323/0x380
[ 50.490380] dtSplitUp+0x365/0x4e70
[ 50.493985] ? do_async_page_fault+0xc0/0x140
[ 50.498474] ? __lock_acquire+0x6de/0x3ff0
[ 50.502694] ? dtSplitRoot+0x1590/0x1590
[ 50.506828] ? kfree+0xcc/0x210
[ 50.510086] ? dtSearch+0x1612/0x1ef0
[ 50.513866] ? jfs_create.part.0+0x231/0x880
[ 50.518250] ? jfs_create+0x3f/0x60
[ 50.521855] ? lookup_open+0x893/0x1a20
[ 50.525816] ? path_openat+0x1094/0x2df0
[ 50.529853] ? do_filp_open+0x18c/0x3f0
[ 50.533804] ? do_sys_open+0x3b3/0x520
[ 50.537679] ? do_syscall_64+0xf9/0x620
[ 50.541635] ? mark_held_locks+0xf0/0xf0
[ 50.545675] ? debug_check_no_obj_freed+0x201/0x490
[ 50.550677] ? lock_downgrade+0x720/0x720
[ 50.554801] ? txLockAlloc+0x211/0x2e0
[ 50.558686] ? txLock+0x6b1/0x1bd0
[ 50.562204] ? lock_downgrade+0x720/0x720
[ 50.566342] ? lock_acquire+0x170/0x3c0
[ 50.570305] ? txLock+0x9e/0x1bd0
[ 50.574700] dtInsert+0x7fd/0xa00
[ 50.578136] ? dtSearch+0x1ef0/0x1ef0
[ 50.581917] ? txEnd+0x320/0x320
[ 50.585805] jfs_create.part.0+0x3c6/0x880
[ 50.590023] ? jfs_mkdir+0x60/0x60
[ 50.593550] ? jfs_lookup+0xb5/0x1c0
[ 50.597247] ? __dquot_initialize+0x298/0xb70
[ 50.601737] ? userns_put+0xb0/0xb0
[ 50.605346] ? dquot_initialize_needed+0x290/0x290
[ 50.610271] ? param_get_aalockpolicy+0x90/0x90
[ 50.614921] ? __d_lookup+0x411/0x710
[ 50.618730] ? generic_permission+0x116/0x4d0
[ 50.623293] ? security_inode_permission+0xc5/0xf0
[ 50.628205] jfs_create+0x3f/0x60
[ 50.631651] ? jfs_create.part.0+0x880/0x880
[ 50.636994] lookup_open+0x893/0x1a20
[ 50.640790] ? vfs_mkdir+0x7a0/0x7a0
[ 50.644501] ? unlazy_walk+0x1a4/0x540
[ 50.648400] ? check_preemption_disabled+0x41/0x280
[ 50.653418] path_openat+0x1094/0x2df0
[ 50.657295] ? path_lookupat+0x8d0/0x8d0
[ 50.661339] ? entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 50.666772] ? mark_held_locks+0xf0/0xf0
[ 50.670809] ? __lock_acquire+0x6de/0x3ff0
[ 50.675052] do_filp_open+0x18c/0x3f0
[ 50.678833] ? may_open_dev+0xf0/0xf0
[ 50.682734] ? lock_downgrade+0x720/0x720
[ 50.686862] ? lock_acquire+0x170/0x3c0
[ 50.690813] ? __alloc_fd+0x34/0x570
[ 50.694509] ? do_raw_spin_unlock+0x171/0x230
[ 50.699072] ? _raw_spin_unlock+0x29/0x40
[ 50.703197] ? __alloc_fd+0x28d/0x570
[ 50.707007] do_sys_open+0x3b3/0x520
[ 50.710722] ? filp_open+0x70/0x70
[ 50.714241] ? entry_SYSCALL_64_after_hwframe+0x3e/0xbe
[ 50.719584] ? trace_hardirqs_off_caller+0x6e/0x210
[ 50.724581] ? do_syscall_64+0x21/0x620
[ 50.728537] do_syscall_64+0xf9/0x620
[ 50.732317] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 50.737487] RIP: 0033:0x7f2e9a3f87e9
[ 50.741182] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 51 14 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48
[ 50.760061] RSP: 002b:00007ffcf416d9b8 EFLAGS: 00000246 ORIG_RAX: 0000000000000101
[ 50.767747] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f2e9a3f87e9
[ 50.775953] RDX: 000000000000275a RSI: 0000000020000040 RDI: 00000000ffffff9c
[ 50.783202] RBP: 00007f2e9a3b8080 R08: 0000000000000000 R09: 0000000000000000
[ 50.790447] R10: 0000000000000000 R11: 0000000000000246 R12: 00007f2e9a3b8110
[ 50.797698] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[ 50.805154] Kernel Offset: disabled
[ 50.809285] Rebooting in 86400 seconds..
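Added triage aid, not part of the syzkaller report above: a small parser that turns a KASAN report into structured fields and checks two things a reviewer wants from this log. First, it recomputes the object-relative position from the raw addresses the way KASAN's describe_object_addr() does and confirms it agrees with the printed "165 bytes to the right of" line (0xffff888098d36fcd minus the region end 0xffff888098d36f28 is 0xa5). Second, it checks whether the faulting stack shares any frame with the allocation and free stacks: here the accessor is JFS (dbAllocDmapLev reached via dtSplitUp and dbAlloc during an openat that creates a file) while the object it read is an sk_buff head allocated and freed on the TCP transmit path by another task, so the read address was not derived from that object at all and the neighbour is incidental. The sample input is a constructed excerpt of this report; COMMON_FRAMES and the accessor_owns_object heuristic are this example's own choices, not anything from syzkaller or the kernel.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed excerpt of the report above (timestamps kept, most "?" frames
# dropped); a full dmesg or syzbot log parses the same way.
SAMPLE_REPORT = """\
[   49.591417] BUG: KASAN: slab-out-of-bounds in dbAllocDmapLev+0x2e0/0x330
[   49.598260] Read of size 1 at addr ffff888098d36fcd by task syz-executor110/8115
[   49.625100] Call Trace:
[   49.641226]  ? dbAllocDmapLev+0x2e0/0x330
[   49.654568]  dbAllocDmapLev+0x2e0/0x330
[   49.692404]  dbAlloc+0x472/0xb00
[   49.700580]  dtSplitUp+0x365/0x4e70
[   49.839711]  jfs_create+0x3f/0x60
[   49.940175]  do_syscall_64+0xf9/0x620
[   50.018892] Allocated by task 8091:
[   50.022574]  kmem_cache_alloc+0x122/0x370
[   50.026745]  skb_clone+0x151/0x3d0
[   50.110843]  do_syscall_64+0xf9/0x620
[   50.121404] Freed by task 8091:
[   50.124669]  kmem_cache_free+0x7f/0x260
[   50.128627]  kfree_skbmem+0xc1/0x140
[   50.231204]  which belongs to the cache skbuff_head_cache of size 232
[   50.244554] The buggy address is located 165 bytes to the right of
[   50.244554]  232-byte region [ffff888098d36e40, ffff888098d36f28)
"""

TS_RE = re.compile(r"^\[\s*\d+\.\d+\]")
BUG_RE = re.compile(r"^BUG: KASAN: (?P<kind>[\w-]+) in (?P<func>\S+)")
ACCESS_RE = re.compile(r"^(?:Read|Write) of size (?P<size>\d+) at addr (?P<addr>[0-9a-f]+)")
CACHE_RE = re.compile(r"belongs to the cache (?P<cache>\S+)")
REGION_RE = re.compile(r"region \[(?P<start>[0-9a-f]+), (?P<end>[0-9a-f]+)\)")
LOCATED_RE = re.compile(r"located (?P<off>\d+) bytes (?P<dir>to the (?:right|left) of|inside of)")
FRAME_RE = re.compile(r"^(?P<guess>\? )?(?P<sym>[\w.]+)\+0x[0-9a-f]+/0x[0-9a-f]+$")
# Frames found in almost every stack; they say nothing about who owns an object.
COMMON_FRAMES = {"dump_stack", "do_syscall_64", "entry_SYSCALL_64_after_hwframe"}


@dataclass
class KasanReport:
    kind: str = ""
    func: str = ""
    size: int = 0
    addr: int = 0
    cache: str = ""
    region: Tuple[int, int] = (0, 0)        # [start, end) of the slab object hit
    reported: Tuple[str, int] = ("", -1)    # direction and byte count KASAN printed
    access_trace: List[str] = field(default_factory=list)
    alloc_trace: List[str] = field(default_factory=list)
    free_trace: List[str] = field(default_factory=list)


def parse_kasan_report(text: str) -> KasanReport:
    r = KasanReport()
    trace: Optional[List[str]] = None        # stack currently being collected
    for raw in text.splitlines():
        line = TS_RE.sub("", raw).strip()     # drop "[ ts]" prefix and indentation
        m = FRAME_RE.match(line)
        if m and trace is not None:
            if not m["guess"]:                # "? sym" entries are unwinder guesses
                trace.append(m["sym"])
            continue
        trace = None                          # any non-frame line ends a stack
        if line == "Call Trace:":
            trace = r.access_trace
        elif line.startswith("Allocated by task"):
            trace = r.alloc_trace
        elif line.startswith("Freed by task"):
            trace = r.free_trace
        elif (m := BUG_RE.match(line)):
            r.kind, r.func = m["kind"], m["func"]
        elif (m := ACCESS_RE.match(line)):
            r.size, r.addr = int(m["size"]), int(m["addr"], 16)
        elif (m := CACHE_RE.search(line)):
            r.cache = m["cache"]
        elif (m := REGION_RE.search(line)):
            r.region = (int(m["start"], 16), int(m["end"], 16))
        elif (m := LOCATED_RE.search(line)):
            r.reported = (m["dir"], int(m["off"]))
    return r


def locate_access(r: KasanReport) -> Tuple[str, int]:
    """Recompute what KASAN's describe_object_addr() prints from the raw addresses."""
    start, end = r.region
    if r.addr < start:
        return "to the left of", start - r.addr
    if r.addr >= end:
        return "to the right of", r.addr - end
    return "inside of", r.addr - start


def offset_matches_report(r: KasanReport) -> bool:
    return locate_access(r) == r.reported


def accessor_owns_object(r: KasanReport) -> bool:
    """Heuristic: does the faulting stack share a frame with the alloc/free stacks of
    the object it hit? False means the address was not derived from that object."""
    accessor = set(r.access_trace) - COMMON_FRAMES
    owner = (set(r.alloc_trace) | set(r.free_trace)) - COMMON_FRAMES
    return bool(accessor & owner)


if __name__ == "__main__":
    rep = parse_kasan_report(SAMPLE_REPORT)
    print(rep.kind, rep.func, locate_access(rep), offset_matches_report(rep), accessor_owns_object(rep))
```

On a full capture, read the dmesg text and pass it to parse_kasan_report as-is; the timestamp stripping handles syzbot console output. Read together with the shadow dump above, the result is consistent: the 0xfb bytes show the adjacent skb had already been freed (matching the "Freed by task 8091" stack) and the 0xfc bytes show the one-byte read landed in that object's slab redzone, so the JFS allocator is indexing well past whatever buffer it believes it is walking, not misusing the skb.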