[ OK ] Reached target Graphical Interface.
       Starting Update UTMP about System Runlevel Changes...
[ OK ] Started Update UTMP about System Runlevel Changes.
       Starting Load/Save RF Kill Switch Status...
[ OK ] Started Load/Save RF Kill Switch Status.

Debian GNU/Linux 9 syzkaller ttyS0

Warning: Permanently added '10.128.10.8' (ECDSA) to the list of known hosts.
executing program
executing program
executing program
executing program
executing program
executing program
syzkaller login: [ 534.045552][ T6879] BTRFS: device fsid 3b7b29a3-d79d-449e-8760-f5c6064562ef devid 0 transid 5 /dev/loop5 scanned by syz-executor328 (6879)
[ 534.073951][ T6881] BTRFS warning (device ): duplicate device fsid:devid for 3b7b29a3-d79d-449e-8760-f5c6064562ef:0 old:/dev/loop5 new:/dev/loop1
[ 534.089151][ T6878] BTRFS warning (device ): duplicate device fsid:devid for 3b7b29a3-d79d-449e-8760-f5c6064562ef:0 old:/dev/loop5 new:/dev/loop2
[ 534.178871][ T6880] BTRFS warning (device ): duplicate device fsid:devid for 3b7b29a3-d79d-449e-8760-f5c6064562ef:0 old:/dev/loop5 new:/dev/loop0
[ 534.199008][ T6884] BTRFS warning (device ): duplicate device fsid:devid for 3b7b29a3-d79d-449e-8760-f5c6064562ef:0 old:/dev/loop5 new:/dev/loop3
[ 534.228451][ T6885] BTRFS warning (device ): duplicate device fsid:devid for 3b7b29a3-d79d-449e-8760-f5c6064562ef:0 old:/dev/loop5 new:/dev/loop4
executing program
[ 534.377912][ T6881] BTRFS: device fsid 3b7b29a3-d79d-449e-8760-f5c6064562ef devid 1 transid 5 /dev/loop1 scanned by syz-executor328 (6881)
[ 534.398079][ T6878] BTRFS warning (device ): duplicate device fsid:devid for 3b7b29a3-d79d-449e-8760-f5c6064562ef:1 old:/dev/loop1 new:/dev/loop2
[ 534.415506][ T6881] BTRFS info (device loop1): disk space caching is enabled
executing program
executing program
executing program
executing program
[ 534.424092][ T6881] BTRFS info (device loop1): has skinny extents
[ 534.432718][ T6881] BTRFS info (device loop1): flagging fs with big metadata feature
[ 534.450807][ T6884] BTRFS warning (device ): duplicate device fsid:devid for 3b7b29a3-d79d-449e-8760-f5c6064562ef:1 old:/dev/loop1 new:/dev/loop3
executing program
executing program
[ 534.504704][ T6885] BTRFS warning (device ): duplicate device fsid:devid for 3b7b29a3-d79d-449e-8760-f5c6064562ef:1 old:/dev/loop1 new:/dev/loop4
executing program
executing program
executing program
[ 534.629001][ T6879] BTRFS warning (device ): duplicate device fsid:devid for 3b7b29a3-d79d-449e-8760-f5c6064562ef:1 old:/dev/loop1 new:/dev/loop5
[ 534.663739][ T26] BTRFS warning (device loop1): loop1 checksum verify failed on 30556160 wanted 0x8ba6b786 found 0x07dec81f level 0
[ 534.680685][ T6881] BTRFS info (device loop1): read error corrected: ino 0 off 30556160 (dev /dev/loop1 sector 76064)
[ 534.692733][ T6881] BTRFS info (device loop1): read error corrected: ino 0 off 30560256 (dev /dev/loop1 sector 76072)
[ 534.705607][ T6903] BTRFS warning (device ): duplicate device fsid:devid for 3b7b29a3-d79d-449e-8760-f5c6064562ef:1 old:/dev/loop1 new:/dev/loop2
executing program
executing program
[ 534.706646][ T6881] BTRFS info (device loop1): read error corrected: ino 0 off 30564352 (dev /dev/loop1 sector 76080)
[ 534.734506][ T6881] BTRFS info (device loop1): read error corrected: ino 0 off 30568448 (dev /dev/loop1 sector 76088)
[ 534.768642][ T26] BTRFS error (device loop1): bad tree block start, want 30474240 have 0
executing program
executing program
[ 534.782431][ T6939] BTRFS error (device loop1): bad tree block start, want 30474240 have 0
[ 534.798237][ T6881] BTRFS warning (device loop1): failed to read root (objectid=7): -5
executing program
executing program
[ 534.869585][ T6881] BTRFS error (device loop1): open_ctree failed
[ 534.882032][ T6920] BTRFS info (device loop1): disk space caching is enabled
[ 534.908126][ T6920] BTRFS info (device loop1): has skinny extents
executing program
[ 534.919991][ T6920] BTRFS info (device loop1): flagging fs with big metadata feature
executing program
executing program
executing program
executing program
[ 535.027850][ T6939] BTRFS error (device loop1): bad tree block start, want 30474240 have 0
[ 535.056436][ T6939] BTRFS error (device loop1): bad tree block start, want 30474240 have 0
[ 535.065797][ T6920] BTRFS warning (device loop1): failed to read root (objectid=7): -5
executing program
[ 535.152397][ T6920] BTRFS error (device loop1): open_ctree failed
[ 535.162067][ T6934] BTRFS info (device loop1): disk space caching is enabled
[ 535.186116][ T6934] BTRFS info (device loop1): has skinny extents
[ 535.192521][ T6934] BTRFS info (device loop1): flagging fs with big metadata feature
[ 535.213036][ T6920] ==================================================================
[ 535.221548][ T6920] BUG: KASAN: use-after-free in btrfs_printk+0x38b/0x40c
[ 535.228590][ T6920] Read of size 8 at addr ffff8880a7c986a8 by task syz-executor328/6920
[ 535.236839][ T6920]
[ 535.239190][ T6920] CPU: 1 PID: 6920 Comm: syz-executor328 Not tainted 5.9.0-rc7-syzkaller #0
[ 535.247861][ T6920] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 535.258007][ T6920] Call Trace:
[ 535.261432][ T6920]  dump_stack+0x198/0x1fd
[ 535.265787][ T6920]  ? btrfs_printk+0x38b/0x40c
[ 535.270480][ T6920]  ? btrfs_printk+0x38b/0x40c
[ 535.275306][ T6920]  print_address_description.constprop.0.cold+0xae/0x497
[ 535.282387][ T6920]  ? btrfs_printk+0x38b/0x40c
[ 535.287241][ T6920]  ? lockdep_hardirqs_off+0x96/0xd0
[ 535.292540][ T6920]  ? vprintk_func+0x95/0x1d4
[ 535.297188][ T6920]  ? btrfs_printk+0x38b/0x40c
[ 535.301875][ T6920]  ? btrfs_printk+0x38b/0x40c
[ 535.306558][ T6920]  kasan_report.cold+0x1f/0x37
[ 535.311337][ T6920]  ? btrfs_printk+0x38b/0x40c
[ 535.316034][ T6920]  btrfs_printk+0x38b/0x40c
[ 535.320558][ T6920]  ? btrfs_put_super+0x38/0x38
[ 535.325419][ T6920]  ? device_list_add+0xe79/0x1570
[ 535.330528][ T6920]  ? lock_release+0x8f0/0x8f0
[ 535.335300][ T6920]  ? __mutex_unlock_slowpath+0xe2/0x610
[ 535.340902][ T6920]  ? _atomic_dec_and_lock+0x92/0x100
[ 535.346213][ T6920]  ? wait_for_completion+0x260/0x260
[ 535.351615][ T6920]  device_list_add.cold+0x58/0x2d2
[ 535.356757][ T6920]  ? btrfs_alloc_device+0x5d0/0x5d0
[ 535.362086][ T6920]  ? do_read_cache_page+0xe6/0x1390
[ 535.367315][ T6920]  btrfs_scan_one_device+0x339/0x4a0
[ 535.372621][ T6920]  ? device_list_add+0x1570/0x1570
[ 535.377756][ T6920]  ? check_preemption_disabled+0x50/0x130
[ 535.383489][ T6920]  ? kfree+0x221/0x2b0
[ 535.387577][ T6920]  ? btrfs_mount_root+0x73d/0xbb0
[ 535.392624][ T6920]  ? lockdep_hardirqs_on+0x53/0x100
[ 535.397847][ T6920]  btrfs_mount_root+0x4d5/0xbb0
[ 535.402723][ T6920]  ? parse_rescue_options+0x250/0x250
[ 535.408115][ T6920]  ? lock_is_held_type+0xbb/0xf0
[ 535.413216][ T6920]  ? rcu_read_lock_sched_held+0x3a/0xb0
[ 535.418914][ T6920]  ? vfs_parse_fs_string+0xf3/0x150
[ 535.424161][ T6920]  ? kfree+0x259/0x2b0
[ 535.428270][ T6920]  ? vfs_parse_fs_string+0xf8/0x150
[ 535.433481][ T6920]  ? vfs_parse_fs_param+0x550/0x550
[ 535.438701][ T6920]  ? parse_rescue_options+0x250/0x250
[ 535.444080][ T6920]  legacy_get_tree+0x105/0x220
[ 535.448982][ T6920]  vfs_get_tree+0x89/0x2f0
[ 535.453508][ T6920]  vfs_kern_mount.part.0+0xd3/0x170
[ 535.458729][ T6920]  vfs_kern_mount+0x3c/0x60
[ 535.463251][ T6920]  btrfs_mount+0x234/0xaa0
[ 535.467690][ T6920]  ? btrfs_show_options+0x1080/0x1080
[ 535.473096][ T6920]  ? lock_is_held_type+0xbb/0xf0
[ 535.478056][ T6920]  ? rcu_read_lock_sched_held+0x3a/0xb0
[ 535.483613][ T6920]  ? vfs_parse_fs_string+0xf3/0x150
[ 535.488826][ T6920]  ? kfree+0x259/0x2b0
[ 535.493016][ T6920]  ? apparmor_capable+0x1d8/0x460
[ 535.498070][ T6920]  ? btrfs_show_options+0x1080/0x1080
[ 535.503465][ T6920]  legacy_get_tree+0x105/0x220
[ 535.508246][ T6920]  vfs_get_tree+0x89/0x2f0
[ 535.512678][ T6920]  path_mount+0x1387/0x20a0
[ 535.517207][ T6920]  ? strncpy_from_user+0x2bf/0x3e0
[ 535.522362][ T6920]  ? copy_mount_string+0x40/0x40
[ 535.527316][ T6920]  ? getname_flags.part.0+0x1dd/0x4f0
[ 535.532719][ T6920]  __x64_sys_mount+0x27f/0x300
[ 535.537506][ T6920]  ? copy_mnt_ns+0xa60/0xa60
[ 535.542117][ T6920]  ? check_preemption_disabled+0x50/0x130
[ 535.547858][ T6920]  ? syscall_enter_from_user_mode+0x1d/0x60
[ 535.553778][ T6920]  do_syscall_64+0x2d/0x70
[ 535.558274][ T6920]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 535.564185][ T6920] RIP: 0033:0x449cba
[ 535.568089][ T6920] Code: b8 08 00 00 00 0f 05 48 3d 01 f0 ff ff 0f 83 cd a2 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 0f 83 aa a2 fb ff c3 66 0f 1f 84 00 00 00 00 00
[ 535.587747][ T6920] RSP: 002b:00007ffc6ef853c8 EFLAGS: 00000293 ORIG_RAX: 00000000000000a5
[ 535.596158][ T6920] RAX: ffffffffffffffda RBX: 00007ffc6ef85420 RCX: 0000000000449cba
[ 535.604158][ T6920] RDX: 0000000020000000 RSI: 0000000020000100 RDI: 00007ffc6ef853e0
[ 535.612198][ T6920] RBP: 00007ffc6ef853e0 R08: 00007ffc6ef85420 R09: 0000000000000000
[ 535.620197][ T6920] R10: 0000000000000000 R11: 0000000000000293 R12: 0000000000000069
[ 535.628189][ T6920] R13: 0000000000000004 R14: 0000000000000003 R15: 0000000000000003
[ 535.636194][ T6920]
[ 535.638620][ T6920] Allocated by task 6920:
[ 535.642969][ T6920]  kasan_save_stack+0x1b/0x40
[ 535.647659][ T6920]  __kasan_kmalloc.constprop.0+0xbf/0xd0
[ 535.653375][ T6920]  kvmalloc_node+0xb4/0xf0
[ 535.657812][ T6920]  btrfs_mount_root+0x117/0xbb0
[ 535.662679][ T6920]  legacy_get_tree+0x105/0x220
[ 535.667453][ T6920]  vfs_get_tree+0x89/0x2f0
[ 535.671877][ T6920]  vfs_kern_mount.part.0+0xd3/0x170
[ 535.677084][ T6920]  vfs_kern_mount+0x3c/0x60
[ 535.681599][ T6920]  btrfs_mount+0x234/0xaa0
[ 535.686029][ T6920]  legacy_get_tree+0x105/0x220
[ 535.690797][ T6920]  vfs_get_tree+0x89/0x2f0
[ 535.695225][ T6920]  path_mount+0x1387/0x20a0
[ 535.699739][ T6920]  __x64_sys_mount+0x27f/0x300
[ 535.704487][ T6920]  do_syscall_64+0x2d/0x70
[ 535.708886][ T6920]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 535.714784][ T6920]
[ 535.717093][ T6920] Freed by task 6920:
[ 535.721063][ T6920]  kasan_save_stack+0x1b/0x40
[ 535.725724][ T6920]  kasan_set_track+0x1c/0x30
[ 535.730297][ T6920]  kasan_set_free_info+0x1b/0x30
[ 535.735215][ T6920]  __kasan_slab_free+0xd8/0x120
[ 535.740051][ T6920]  kfree+0x10e/0x2b0
[ 535.743927][ T6920]  kvfree+0x42/0x50
[ 535.747725][ T6920]  deactivate_locked_super+0x94/0x160
[ 535.753085][ T6920]  btrfs_mount_root+0x772/0xbb0
[ 535.757933][ T6920]  legacy_get_tree+0x105/0x220
[ 535.762696][ T6920]  vfs_get_tree+0x89/0x2f0
[ 535.767114][ T6920]  vfs_kern_mount.part.0+0xd3/0x170
[ 535.772305][ T6920]  vfs_kern_mount+0x3c/0x60
[ 535.776818][ T6920]  btrfs_mount+0x234/0xaa0
[ 535.781221][ T6920]  legacy_get_tree+0x105/0x220
[ 535.785977][ T6920]  vfs_get_tree+0x89/0x2f0
[ 535.790380][ T6920]  path_mount+0x1387/0x20a0
[ 535.794878][ T6920]  __x64_sys_mount+0x27f/0x300
[ 535.799633][ T6920]  do_syscall_64+0x2d/0x70
[ 535.804046][ T6920]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 535.809913][ T6920]
[ 535.812225][ T6920] The buggy address belongs to the object at ffff8880a7c98000
[ 535.812225][ T6920]  which belongs to the cache kmalloc-16k of size 16384
[ 535.826457][ T6920] The buggy address is located 1704 bytes inside of
[ 535.826457][ T6920]  16384-byte region [ffff8880a7c98000, ffff8880a7c9c000)
[ 535.839970][ T6920] The buggy address belongs to the page:
[ 535.845638][ T6920] page:000000005939614d refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0xa7c98
[ 535.855785][ T6920] head:000000005939614d order:3 compound_mapcount:0 compound_pincount:0
[ 535.864359][ T6920] flags: 0xfffe0000010200(slab|head)
[ 535.869650][ T6920] raw: 00fffe0000010200 ffffea00024b7008 ffffea0002447208 ffff8880aa040b00
[ 535.878226][ T6920] raw: 0000000000000000 ffff8880a7c98000 0000000100000001 0000000000000000
[ 535.886788][ T6920] page dumped because: kasan: bad access detected
[ 535.893179][ T6920]
[ 535.896355][ T6920] Memory state around the buggy address:
[ 535.901972][ T6920]  ffff8880a7c98580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 535.910019][ T6920]  ffff8880a7c98600: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 535.918076][ T6920] >ffff8880a7c98680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 535.926118][ T6920]                                   ^
[ 535.931471][ T6920]  ffff8880a7c98700: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 535.939575][ T6920]  ffff8880a7c98780: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 535.947635][ T6920] ==================================================================
[ 535.955682][ T6920] Disabling lock debugging due to kernel taint
[ 535.965460][ T6920] Kernel panic - not syncing: panic_on_warn set ...
[ 535.972089][ T6920] CPU: 1 PID: 6920 Comm: syz-executor328 Tainted: G B 5.9.0-rc7-syzkaller #0
[ 535.982150][ T6920] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 535.992211][ T6920] Call Trace:
[ 535.995512][ T6920]  dump_stack+0x198/0x1fd
[ 535.999844][ T6920]  ? btrfs_printk+0x2b8/0x40c
[ 536.004630][ T6920]  panic+0x382/0x7fb
[ 536.008541][ T6920]  ? __warn_printk+0xf3/0xf3
[ 536.013132][ T6920]  ? preempt_schedule_common+0x59/0xc0
[ 536.018573][ T6920]  ? btrfs_printk+0x38b/0x40c
[ 536.023336][ T6920]  ? preempt_schedule_thunk+0x16/0x18
[ 536.028806][ T6920]  ? trace_hardirqs_on+0x55/0x220
[ 536.033813][ T6920]  ? btrfs_printk+0x38b/0x40c
[ 536.038470][ T6920]  ? btrfs_printk+0x38b/0x40c
[ 536.043134][ T6920]  end_report+0x4d/0x53
[ 536.047276][ T6920]  kasan_report.cold+0xd/0x37
[ 536.051934][ T6920]  ? btrfs_printk+0x38b/0x40c
[ 536.056590][ T6920]  btrfs_printk+0x38b/0x40c
[ 536.061075][ T6920]  ? btrfs_put_super+0x38/0x38
[ 536.065820][ T6920]  ? device_list_add+0xe79/0x1570
[ 536.070856][ T6920]  ? lock_release+0x8f0/0x8f0
[ 536.075533][ T6920]  ? __mutex_unlock_slowpath+0xe2/0x610
[ 536.081065][ T6920]  ? _atomic_dec_and_lock+0x92/0x100
[ 536.086332][ T6920]  ? wait_for_completion+0x260/0x260
[ 536.091613][ T6920]  device_list_add.cold+0x58/0x2d2
[ 536.096725][ T6920]  ? btrfs_alloc_device+0x5d0/0x5d0
[ 536.101905][ T6920]  ? do_read_cache_page+0xe6/0x1390
[ 536.107108][ T6920]  btrfs_scan_one_device+0x339/0x4a0
[ 536.112378][ T6920]  ? device_list_add+0x1570/0x1570
[ 536.117524][ T6920]  ? check_preemption_disabled+0x50/0x130
[ 536.123221][ T6920]  ? kfree+0x221/0x2b0
[ 536.127269][ T6920]  ? btrfs_mount_root+0x73d/0xbb0
[ 536.132276][ T6920]  ? lockdep_hardirqs_on+0x53/0x100
[ 536.137477][ T6920]  btrfs_mount_root+0x4d5/0xbb0
[ 536.142318][ T6920]  ? parse_rescue_options+0x250/0x250
[ 536.147681][ T6920]  ? lock_is_held_type+0xbb/0xf0
[ 536.152607][ T6920]  ? rcu_read_lock_sched_held+0x3a/0xb0
[ 536.158145][ T6920]  ? vfs_parse_fs_string+0xf3/0x150
[ 536.163331][ T6920]  ? kfree+0x259/0x2b0
[ 536.167408][ T6920]  ? vfs_parse_fs_string+0xf8/0x150
[ 536.172622][ T6920]  ? vfs_parse_fs_param+0x550/0x550
[ 536.177809][ T6920]  ? parse_rescue_options+0x250/0x250
[ 536.183175][ T6920]  legacy_get_tree+0x105/0x220
[ 536.188630][ T6920]  vfs_get_tree+0x89/0x2f0
[ 536.193041][ T6920]  vfs_kern_mount.part.0+0xd3/0x170
[ 536.198234][ T6920]  vfs_kern_mount+0x3c/0x60
[ 536.202721][ T6920]  btrfs_mount+0x234/0xaa0
[ 536.207116][ T6920]  ? btrfs_show_options+0x1080/0x1080
[ 536.212495][ T6920]  ? lock_is_held_type+0xbb/0xf0
[ 536.217437][ T6920]  ? rcu_read_lock_sched_held+0x3a/0xb0
[ 536.222963][ T6920]  ? vfs_parse_fs_string+0xf3/0x150
[ 536.228156][ T6920]  ? kfree+0x259/0x2b0
[ 536.232207][ T6920]  ? apparmor_capable+0x1d8/0x460
[ 536.237210][ T6920]  ? btrfs_show_options+0x1080/0x1080
[ 536.242589][ T6920]  legacy_get_tree+0x105/0x220
[ 536.247339][ T6920]  vfs_get_tree+0x89/0x2f0
[ 536.251738][ T6920]  path_mount+0x1387/0x20a0
[ 536.256240][ T6920]  ? strncpy_from_user+0x2bf/0x3e0
[ 536.261332][ T6920]  ? copy_mount_string+0x40/0x40
[ 536.266256][ T6920]  ? getname_flags.part.0+0x1dd/0x4f0
[ 536.271625][ T6920]  __x64_sys_mount+0x27f/0x300
[ 536.276375][ T6920]  ? copy_mnt_ns+0xa60/0xa60
[ 536.280972][ T6920]  ? check_preemption_disabled+0x50/0x130
[ 536.286693][ T6920]  ? syscall_enter_from_user_mode+0x1d/0x60
[ 536.292571][ T6920]  do_syscall_64+0x2d/0x70
[ 536.303675][ T6920]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 536.309563][ T6920] RIP: 0033:0x449cba
[ 536.313443][ T6920] Code: b8 08 00 00 00 0f 05 48 3d 01 f0 ff ff 0f 83 cd a2 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 0f 83 aa a2 fb ff c3 66 0f 1f 84 00 00 00 00 00
[ 536.333026][ T6920] RSP: 002b:00007ffc6ef853c8 EFLAGS: 00000293 ORIG_RAX: 00000000000000a5
[ 536.341435][ T6920] RAX: ffffffffffffffda RBX: 00007ffc6ef85420 RCX: 0000000000449cba
[ 536.349390][ T6920] RDX: 0000000020000000 RSI: 0000000020000100 RDI: 00007ffc6ef853e0
[ 536.357340][ T6920] RBP: 00007ffc6ef853e0 R08: 00007ffc6ef85420 R09: 0000000000000000
[ 536.365306][ T6920] R10: 0000000000000000 R11: 0000000000000293 R12: 0000000000000069
[ 536.373259][ T6920] R13: 0000000000000004 R14: 0000000000000003 R15: 0000000000000003
[ 536.382586][ T6920] Kernel Offset: disabled
[ 536.386912][ T6920] Rebooting in 86400 seconds..
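Triage of a KASAN report like the one above comes down to lining up three stacks: where the object was allocated, where it was freed, and where the stale pointer was used, while ignoring the "? " frames (addresses the unwinder found on the stack but could not confirm as part of the live call chain) and the KASAN/allocator frames that sit on top of every stack. The helper below is an added example, not part of syzkaller or of the kernel; the names parse_kasan, triage, Report and MACHINERY are this example's own, and REPORT is a constructed excerpt that repeats lines from the log above with the console prefixes left in place.

```python
import re
from dataclasses import dataclass, field

# Console prefix "[  535.221548][ T6920]" that the serial log puts on every line.
PREFIX = re.compile(r"^\[\s*\d+\.\d+\]\[\s*T\d+\]")
BUG = re.compile(r"BUG: KASAN: ([\w-]+) in ([\w.]+)\+0x")
ACCESS = re.compile(r"(Read|Write) of size (\d+) at addr [0-9a-f]+ by task \S+/(\d+)")
CACHE = re.compile(r"belongs to the cache (\S+) of size")
OFFSET = re.compile(r"located (\d+) bytes inside of")
OWNER_HDR = re.compile(r"^(Allocated|Freed) by task (\d+):")
FRAME = re.compile(r"^(\? )?([\w.]+)\+0x[0-9a-f]+/0x[0-9a-f]+$")  # "? " = unreliable frame
# KASAN reporting frames and allocator entry points: the first reliable frame
# below these is the code that actually owns the access, the alloc or the free.
MACHINERY = ("dump_stack", "print_address_description", "kasan_", "__kasan_",
             "end_report", "kvmalloc", "__kmalloc", "kmalloc", "kfree", "kvfree")

@dataclass
class Report:
    bug: str = ""
    site: str = ""
    access: str = ""
    size: int = 0
    pid: int = 0
    cache: str = ""
    offset: int = 0
    pids: dict = field(default_factory=dict)    # "Allocated" / "Freed" -> pid
    trace: list = field(default_factory=list)   # (frame, reliable) pairs
    allocated: list = field(default_factory=list)
    freed: list = field(default_factory=list)

def parse_kasan(text):
    """Parse one KASAN report (console prefixes allowed) into a Report."""
    rep, section = Report(), None
    for raw in text.splitlines():
        ln = PREFIX.sub("", raw).strip()
        if m := BUG.search(ln):
            rep.bug, rep.site = m.group(1), m.group(2)
        elif m := ACCESS.search(ln):
            rep.access, rep.size, rep.pid = m.group(1), int(m.group(2)), int(m.group(3))
        elif m := CACHE.search(ln):
            rep.cache = m.group(1)
        elif m := OFFSET.search(ln):
            rep.offset = int(m.group(1))
        elif ln == "Call Trace:":
            section = rep.trace
        elif m := OWNER_HDR.match(ln):
            rep.pids[m.group(1)] = int(m.group(2))
            section = rep.allocated if m.group(1) == "Allocated" else rep.freed
        elif section is not None:
            if m := FRAME.match(ln):
                section.append((m.group(2), m.group(1) is None))
            else:
                section = None  # blank line or register dump closes the stack
    return rep

def owner(frames):
    """First reliable frame that is not KASAN or allocator machinery."""
    for name, reliable in frames:
        if reliable and not name.startswith(MACHINERY):
            return name
    return None

def triage(rep):
    reliable = [n for n, ok in rep.trace if ok]
    below = reliable[reliable.index(rep.site) + 1:] if rep.site in reliable else []
    return {
        "class": rep.bug,
        "access": f"{rep.access} {rep.size} bytes at {rep.cache}+{rep.offset}",
        "crash_site": rep.site,
        "called_from": below[0] if below else None,
        "syscall": next((n[10:] for n in reliable if n.startswith("__x64_sys_")), None),
        "allocated_in": owner(rep.allocated),
        "freed_in": owner(rep.freed),
        # One task allocated, freed and then touched the object: a sequential
        # lifetime bug on a single syscall path rather than a cross-thread race.
        "same_task": rep.pid == rep.pids.get("Allocated") == rep.pids.get("Freed"),
    }

# Constructed excerpt of the report above, prefixes kept as the console printed them.
REPORT = """\
[  535.221548][ T6920] BUG: KASAN: use-after-free in btrfs_printk+0x38b/0x40c
[  535.228590][ T6920] Read of size 8 at addr ffff8880a7c986a8 by task syz-executor328/6920
[  535.258007][ T6920] Call Trace:
[  535.261432][ T6920]  dump_stack+0x198/0x1fd
[  535.265787][ T6920]  ? btrfs_printk+0x38b/0x40c
[  535.306558][ T6920]  kasan_report.cold+0x1f/0x37
[  535.316034][ T6920]  btrfs_printk+0x38b/0x40c
[  535.325419][ T6920]  ? device_list_add+0xe79/0x1570
[  535.351615][ T6920]  device_list_add.cold+0x58/0x2d2
[  535.367315][ T6920]  btrfs_scan_one_device+0x339/0x4a0
[  535.397847][ T6920]  btrfs_mount_root+0x4d5/0xbb0
[  535.532719][ T6920]  __x64_sys_mount+0x27f/0x300
[  535.638620][ T6920] Allocated by task 6920:
[  535.653375][ T6920]  kvmalloc_node+0xb4/0xf0
[  535.657812][ T6920]  btrfs_mount_root+0x117/0xbb0
[  535.717093][ T6920] Freed by task 6920:
[  535.743927][ T6920]  kvfree+0x42/0x50
[  535.747725][ T6920]  deactivate_locked_super+0x94/0x160
[  535.753085][ T6920]  btrfs_mount_root+0x772/0xbb0
[  535.812225][ T6920]  which belongs to the cache kmalloc-16k of size 16384
[  535.826457][ T6920] The buggy address is located 1704 bytes inside of
"""
```

Run on the excerpt, triage() reports a use-after-free read of 8 bytes at kmalloc-16k+1704, crash site btrfs_printk called from device_list_add.cold, reached from the mount syscall, with the object allocated in btrfs_mount_root and freed in deactivate_locked_super, all by the same task. That matches the log: task 6920's first mount attempt ended in "open_ctree failed", the unwind freed the 16 KiB object btrfs_mount_root had allocated, and the next device scan's "duplicate device" warning read through a pointer into it. ORIG_RAX 0xa5 in the register dump is mount(2) on x86-64, so the trigger is a privileged mount of a crafted image on a loop device; with panic_on_warn set, as here, the report turns into a reboot.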