audit: type=1804 audit(1573585176.020:4398): pid=32575 uid=0 auid=4294967295 ses=4294967295 subj=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 op="invalid_pcr" cause="open_writers" comm="syz-executor.3" name="/root/syzkaller-testdir889721207/syzkaller.alvHr7/45/file0/file0" dev="sda1" ino=16695 res=1
333230 pages reserved
0 pages cma reserved
==================================================================
BUG: KASAN: use-after-free in ceph_destroy_options+0xe9/0x110 net/ceph/ceph_common.c:283
Read of size 8 at addr ffff8880a5f90b50 by task syz-executor.4/32538

CPU: 0 PID: 32538 Comm: syz-executor.4 Not tainted 4.14.153 #0
audit: type=1800 audit(1573585176.070:4399): pid=32579 uid=0 auid=4294967295 ses=4294967295 subj=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 op="collect_data" cause="failed(directio)" comm="syz-executor.5" name="file0" dev="sda1" ino=16727 res=0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:17 [inline]
 dump_stack+0x138/0x197 lib/dump_stack.c:53
 print_address_description.cold+0x7c/0x1dc mm/kasan/report.c:252
 kasan_report_error mm/kasan/report.c:351 [inline]
 kasan_report mm/kasan/report.c:409 [inline]
 kasan_report.cold+0xa9/0x2af mm/kasan/report.c:393
 __asan_report_load8_noabort+0x14/0x20 mm/kasan/report.c:430
 ceph_destroy_options+0xe9/0x110 net/ceph/ceph_common.c:283
 ceph_mount+0xb6d/0x1709 fs/ceph/super.c:1009
 mount_fs+0x97/0x2a1 fs/super.c:1237
 vfs_kern_mount.part.0+0x5e/0x3d0 fs/namespace.c:1046
 vfs_kern_mount fs/namespace.c:1036 [inline]
 do_new_mount fs/namespace.c:2549 [inline]
 do_mount+0x417/0x27d0 fs/namespace.c:2879
audit: type=1804 audit(1573585176.070:4400): pid=32579 uid=0 auid=4294967295 ses=4294967295 subj=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 op="invalid_pcr" cause="open_writers" comm="syz-executor.5" name="/root/syzkaller-testdir355231864/syzkaller.A26Wti/121/file0/file0" dev="sda1" ino=16727 res=1
 SYSC_mount fs/namespace.c:3095 [inline]
 SyS_mount+0xab/0x120 fs/namespace.c:3072
 do_syscall_64+0x1e8/0x640 arch/x86/entry/common.c:292
 entry_SYSCALL_64_after_hwframe+0x42/0xb7
RIP: 0033:0x45a219
RSP: 002b:00007f628d0e0c78 EFLAGS: 00000246 ORIG_RAX: 00000000000000a5
RAX: ffffffffffffffda RBX: 0000000000000005 RCX: 000000000045a219
RDX: 0000000020000140 RSI: 00000000200000c0 RDI: 0000000020000500
RBP: 000000000075bf20 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00007f628d0e16d4
R13: 00000000004c6d95 R14: 00000000004dc508 R15: 00000000ffffffff

Allocated by task 32538:
 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:59
 save_stack+0x45/0xd0 mm/kasan/kasan.c:447
 set_track mm/kasan/kasan.c:459 [inline]
 kasan_kmalloc mm/kasan/kasan.c:551 [inline]
 kasan_kmalloc+0xce/0xf0 mm/kasan/kasan.c:529
 kmem_cache_alloc_trace+0x152/0x790 mm/slab.c:3618
 kmalloc include/linux/slab.h:488 [inline]
 kzalloc include/linux/slab.h:661 [inline]
 ceph_parse_options+0xb8/0xe80 net/ceph/ceph_common.c:349
 parse_mount_options fs/ceph/super.c:466 [inline]
 ceph_mount+0x3c1/0x1709 fs/ceph/super.c:998
 mount_fs+0x97/0x2a1 fs/super.c:1237
 vfs_kern_mount.part.0+0x5e/0x3d0 fs/namespace.c:1046
 vfs_kern_mount fs/namespace.c:1036 [inline]
 do_new_mount fs/namespace.c:2549 [inline]
 do_mount+0x417/0x27d0 fs/namespace.c:2879
 SYSC_mount fs/namespace.c:3095 [inline]
 SyS_mount+0xab/0x120 fs/namespace.c:3072
 do_syscall_64+0x1e8/0x640 arch/x86/entry/common.c:292
 entry_SYSCALL_64_after_hwframe+0x42/0xb7

Freed by task 32538:
 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:59
 save_stack+0x45/0xd0 mm/kasan/kasan.c:447
 set_track mm/kasan/kasan.c:459 [inline]
 kasan_slab_free+0x75/0xc0 mm/kasan/kasan.c:524
 __cache_free mm/slab.c:3496 [inline]
 kfree+0xcc/0x270 mm/slab.c:3815
 ceph_destroy_options+0xdc/0x110 net/ceph/ceph_common.c:289
syz-executor.3 invoked oom-killer: gfp_mask=0x15080c0(GFP_KERNEL_ACCOUNT|__GFP_ZERO), nodemask=(null), order=3, oom_score_adj=1000
 ceph_destroy_client+0x9d/0xc0 net/ceph/ceph_common.c:671
 create_fs_client fs/ceph/super.c:649 [inline]
 ceph_mount+0xb46/0x1709 fs/ceph/super.c:1005
 mount_fs+0x97/0x2a1 fs/super.c:1237
 vfs_kern_mount.part.0+0x5e/0x3d0 fs/namespace.c:1046
 vfs_kern_mount fs/namespace.c:1036 [inline]
 do_new_mount fs/namespace.c:2549 [inline]
 do_mount+0x417/0x27d0 fs/namespace.c:2879
 SYSC_mount fs/namespace.c:3095 [inline]
 SyS_mount+0xab/0x120 fs/namespace.c:3072
 do_syscall_64+0x1e8/0x640 arch/x86/entry/common.c:292
 entry_SYSCALL_64_after_hwframe+0x42/0xb7

The buggy address belongs to the object at ffff8880a5f90a80
 which belongs to the cache kmalloc-256 of size 256
The buggy address is located 208 bytes inside of
 256-byte region [ffff8880a5f90a80, ffff8880a5f90b80)
The buggy address belongs to the page:
page:ffffea000297e400 count:1 mapcount:0 mapping:ffff8880a5f90080 index:0x0
flags: 0x1fffc0000000100(slab)
raw: 01fffc0000000100 ffff8880a5f90080 0000000000000000 000000010000000c
raw: ffffea000230f120 ffffea00023ba8a0 ffff8880aa8007c0 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff8880a5f90a00: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
 ffff8880a5f90a80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff8880a5f90b00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                                                 ^
 ffff8880a5f90b80: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
 ffff8880a5f90c00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================
syz-executor.3 cpuset=syz3 mems_allowed=0-1
CPU: 0 PID: 32556 Comm: syz-executor.3 Tainted: G    B   4.14.153 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:17 [inline]
 dump_stack+0x138/0x197 lib/dump_stack.c:53
 dump_header+0x177/0x6cd mm/oom_kill.c:422
 oom_kill_process.cold+0x10/0xadd mm/oom_kill.c:861
 out_of_memory mm/oom_kill.c:1084 [inline]
 out_of_memory+0x2ee/0x1180 mm/oom_kill.c:1023
 __alloc_pages_may_oom mm/page_alloc.c:3344 [inline]
 __alloc_pages_slowpath+0x2251/0x2930 mm/page_alloc.c:4033
 __alloc_pages_nodemask+0x62c/0x7a0 mm/page_alloc.c:4198
 __alloc_pages include/linux/gfp.h:484 [inline]
 __alloc_pages_node include/linux/gfp.h:497 [inline]
 alloc_pages_node include/linux/gfp.h:511 [inline]
 alloc_thread_stack_node kernel/fork.c:240 [inline]
 dup_task_struct kernel/fork.c:524 [inline]
 copy_process.part.0+0x26a/0x6a00 kernel/fork.c:1620
 copy_process kernel/fork.c:1595 [inline]
 _do_fork+0x19e/0xce0 kernel/fork.c:2085
 SYSC_clone kernel/fork.c:2195 [inline]
 SyS_clone+0x37/0x50 kernel/fork.c:2189
 do_syscall_64+0x1e8/0x640 arch/x86/entry/common.c:292
 entry_SYSCALL_64_after_hwframe+0x42/0xb7
RIP: 0033:0x45cbe9
RSP: 002b:00007fff968999b8 EFLAGS: 00000202 ORIG_RAX: 0000000000000038
RAX: ffffffffffffffda RBX: 00007fda0f6dd700 RCX: 000000000045cbe9
RDX: 00007fda0f6dd9d0 RSI: 00007fda0f6dcdb0 RDI: 00000000003d0f00
RBP: 00007fff96899bd0 R08: 00007fda0f6dd700 R09: 00007fda0f6dd700
R10: 00007fda0f6dd9d0 R11: 0000000000000202 R12: 0000000000000000
R13: 00007fff96899a6f R14: 00007fda0f6dd9c0 R15: 000000000075c1cc
Mem-Info:
active_anon:1355189 inactive_anon:194 isolated_anon:0
 active_file:449 inactive_file:408 isolated_file:55
 unevictable:0 dirty:84 writeback:1 unstable:0
 slab_reclaimable:13879 slab_unreclaimable:105929
 mapped:52926 shmem:249 pagetables:21789 bounce:0
 free:27609 free_pcp:144 free_cma:0
Node 0 active_anon:1898388kB inactive_anon:764kB active_file:1152kB inactive_file:1784kB unevictable:0kB isolated(anon):0kB isolated(file):232kB mapped:211104kB dirty:308kB writeback:4kB shmem:968kB shmem_thp: 0kB shmem_pmdmapped: 0kB anon_thp: 1042432kB writeback_tmp:0kB unstable:0kB all_unreclaimable? no
Node 1 active_anon:3522368kB inactive_anon:12kB active_file:24kB inactive_file:4kB unevictable:0kB isolated(anon):0kB isolated(file):0kB mapped:0kB dirty:28kB writeback:0kB shmem:28kB shmem_thp: 0kB shmem_pmdmapped: 0kB anon_thp: 0kB writeback_tmp:0kB unstable:0kB all_unreclaimable? yes
Node 0 DMA free:10504kB min:216kB low:268kB high:320kB active_anon:4832kB inactive_anon:0kB active_file:0kB inactive_file:0kB unevictable:0kB writepending:0kB present:15992kB managed:15908kB mlocked:0kB kernel_stack:64kB pagetables:16kB bounce:0kB free_pcp:0kB local_pcp:0kB free_cma:0kB
lowmem_reserve[]: 0 2580 2580 2580
Node 0 DMA32 free:50340kB min:36468kB low:45584kB high:54700kB active_anon:1893556kB inactive_anon:764kB active_file:688kB inactive_file:548kB unevictable:0kB writepending:312kB present:3129332kB managed:2644880kB mlocked:0kB kernel_stack:11360kB pagetables:27292kB bounce:0kB free_pcp:36kB local_pcp:0kB free_cma:0kB
lowmem_reserve[]: 0 0 0 0
Node 0 Normal free:0kB min:0kB low:0kB high:0kB active_anon:0kB inactive_anon:0kB active_file:0kB inactive_file:0kB unevictable:0kB writepending:0kB present:786432kB managed:0kB mlocked:0kB kernel_stack:0kB pagetables:0kB bounce:0kB free_pcp:0kB local_pcp:0kB free_cma:0kB
lowmem_reserve[]: 0 0 0 0
Node 1 Normal free:52516kB min:53420kB low:66772kB high:80124kB active_anon:3522368kB inactive_anon:12kB active_file:24kB inactive_file:4kB unevictable:0kB writepending:28kB present:3932160kB managed:3870208kB mlocked:0kB kernel_stack:18656kB pagetables:59848kB bounce:0kB free_pcp:0kB local_pcp:0kB free_cma:0kB
lowmem_reserve[]: 0 0 0 0
Node 0 DMA: 8*4kB (UME) 25*8kB (MEH) 28*16kB (UMEH) 13*32kB (UEH) 11*64kB (UEH) 8*128kB (UMEH) 2*256kB (EH) 2*512kB (EH) 2*1024kB (ME) 2*2048kB (UE) 0*4096kB = 10504kB
Node 0 DMA32: 3060*4kB (UME) 782*8kB (UME) 159*16kB (UME) 186*32kB (UME) 150*64kB (UME) 11*128kB (UME) 5*256kB (UME) 3*512kB (UME) 2*1024kB (UE) 2*2048kB (UM) 1*4096kB (M) = 51056kB
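The three KASAN stacks in the report above tell one story: task 32538 allocated the options in ceph_parse_options from ceph_mount (fs/ceph/super.c:998), freed them in ceph_destroy_options via ceph_destroy_client from create_fs_client (fs/ceph/super.c:649, reached from ceph_mount at super.c:1005), and then read them again in ceph_destroy_options from ceph_mount at super.c:1009, four lines later in the same function. That is an ownership confusion: the options were handed to create_fs_client, which tore them down on its own failure path, and the caller destroyed them a second time. The read at net/ceph/ceph_common.c:283 precedes the kfree at :289, which is why KASAN reports a read rather than a double free. The user-space C model below is an added illustration, not kernel code and not part of the syzbot report; the function names mirror the trace, the bodies are constructed, a fixed pool stands in for kmalloc so the second destroy can be counted instead of being undefined behaviour, and the `opt = NULL` repair is one way to make the ownership transfer explicit, not the upstream patch.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Constructed model: names follow the KASAN trace, bodies are not ceph code. */
struct ceph_options_model {
    bool live;  /* false once "freed" */
    int  id;
};

struct fs_client_model {
    struct ceph_options_model *options;  /* client owns the options once created */
};

/* Fixed pool instead of kmalloc/kfree: a destroy of a dead object is counted,
 * not dereferenced, so the model needs no KASAN to expose the bug. */
static struct ceph_options_model pool[4];
static int pool_next;
static int destroys_of_dead_object;  /* what KASAN reports as use-after-free */

static void model_reset(void)
{
    memset(pool, 0, sizeof pool);
    pool_next = 0;
    destroys_of_dead_object = 0;
}

/* ceph_parse_options analogue: the "Allocated by" stack */
static struct ceph_options_model *parse_options(void)
{
    struct ceph_options_model *opt = &pool[pool_next++];
    opt->live = true;
    opt->id = pool_next;
    return opt;
}

/* ceph_destroy_options analogue: reads the object (ceph_common.c:283)
 * before freeing it (ceph_common.c:289); a read of a dead object is the UAF. */
static void destroy_options(struct ceph_options_model *opt)
{
    if (!opt)
        return;
    if (!opt->live) {
        destroys_of_dead_object++;
        return;
    }
    opt->live = false;
}

/* ceph_destroy_client analogue: the client owns and destroys its options */
static void destroy_client(struct fs_client_model *fsc)
{
    destroy_options(fsc->options);
    fsc->options = NULL;
}

/* create_fs_client analogue: takes ownership of opt; on failure it tears the
 * half-built client down, which already destroys opt (the "Freed by" stack). */
static struct fs_client_model *create_fs_client(struct ceph_options_model *opt,
                                               bool fail)
{
    static struct fs_client_model fsc;
    fsc.options = opt;
    if (fail) {
        destroy_client(&fsc);
        return NULL;
    }
    return &fsc;
}

/* Shape of the buggy ceph_mount: after create_fs_client fails the caller still
 * destroys an opt it no longer owns. Returns how many destroys hit a dead
 * object; 1 corresponds to the report above. */
int mount_buggy(bool create_fails)
{
    model_reset();
    struct ceph_options_model *opt = parse_options();
    struct fs_client_model *fsc = create_fs_client(opt, create_fails);
    if (!fsc) {
        destroy_options(opt);  /* second destroy: the use-after-free */
        return destroys_of_dead_object;
    }
    destroy_client(fsc);
    return destroys_of_dead_object;
}

/* Illustrative repair (not the upstream fix): once ownership has moved into
 * create_fs_client the caller drops its pointer, so the failure path has
 * nothing left to destroy. */
int mount_fixed(bool create_fails)
{
    model_reset();
    struct ceph_options_model *opt = parse_options();
    struct fs_client_model *fsc = create_fs_client(opt, create_fails);
    opt = NULL;  /* owned, or already freed, by the client from here on */
    if (!fsc) {
        destroy_options(opt);  /* no-op on NULL */
        return destroys_of_dead_object;
    }
    destroy_client(fsc);
    return destroys_of_dead_object;
}

int main(void)
{
    printf("buggy mount, create_fs_client fails: %d dead-object destroys\n", mount_buggy(true));
    printf("fixed mount, create_fs_client fails: %d dead-object destroys\n", mount_fixed(true));
    return 0;
}
```

The model only reproduces the control flow that the three stacks pin down; the real kernel object is a 256-byte kmalloc allocation, and the shadow bytes (fb) around ffff8880a5f90b50 in the report are KASAN's record that the whole region had already been freed when the second ceph_destroy_options read it.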