audit: type=1800 audit(1571373509.642:515): pid=28146 uid=0 auid=4294967295 ses=4294967295 subj=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 op="collect_data" cause="failed(directio)" comm="syz-executor.1" name="file0" dev="sda1" ino=17155 res=0
EXT4-fs (sda1): Cannot specify journal on remount
==================================================================
BUG: KASAN: use-after-free in memset include/linux/string.h:332 [inline]
BUG: KASAN: use-after-free in __ext4_expand_extra_isize+0x14f/0x220 fs/ext4/inode.c:5763
Write of size 8388576 at addr ffff8881ba1690a0 by task rs:main Q:Reg/6531

CPU: 0 PID: 6531 Comm: rs:main Q:Reg Not tainted 4.14.150 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:17 [inline]
 dump_stack+0x138/0x197 lib/dump_stack.c:53
 print_address_description.cold+0x7c/0x1dc mm/kasan/report.c:252
 kasan_report_error mm/kasan/report.c:351 [inline]
 kasan_report mm/kasan/report.c:409 [inline]
 kasan_report.cold+0xa9/0x2af mm/kasan/report.c:393
 check_memory_region_inline mm/kasan/kasan.c:260 [inline]
 check_memory_region+0x123/0x190 mm/kasan/kasan.c:267
 memset+0x24/0x40 mm/kasan/kasan.c:285
 memset include/linux/string.h:332 [inline]
 __ext4_expand_extra_isize+0x14f/0x220 fs/ext4/inode.c:5763
 ext4_try_to_expand_extra_isize fs/ext4/inode.c:5815 [inline]
 ext4_mark_inode_dirty+0x664/0x860 fs/ext4/inode.c:5891
 ext4_dirty_inode+0x73/0xa0 fs/ext4/inode.c:5925
 __mark_inode_dirty+0x54c/0x1040 fs/fs-writeback.c:2141
 mark_inode_dirty include/linux/fs.h:2019 [inline]
 generic_write_end+0x1b7/0x290 fs/buffer.c:2218
 ext4_da_write_end+0x344/0x8e0 fs/ext4/inode.c:3187
 generic_perform_write+0x29f/0x480 mm/filemap.c:3057
 __generic_file_write_iter+0x239/0x5b0 mm/filemap.c:3171
 ext4_file_write_iter+0x2ac/0xe90 fs/ext4/file.c:268
 call_write_iter include/linux/fs.h:1777 [inline]
 new_sync_write fs/read_write.c:469 [inline]
 __vfs_write+0x4a7/0x6b0 fs/read_write.c:482
 vfs_write+0x198/0x500 fs/read_write.c:544
 SYSC_write fs/read_write.c:590 [inline]
 SyS_write+0xfd/0x230 fs/read_write.c:582
 do_syscall_64+0x1e8/0x640 arch/x86/entry/common.c:292
 entry_SYSCALL_64_after_hwframe+0x42/0xb7
RIP: 0033:0x7f6fec93b19d
RSP: 002b:00007f6feaedc000 EFLAGS: 00000293 ORIG_RAX: 0000000000000001
RAX: ffffffffffffffda RBX: 0000000000000158 RCX: 00007f6fec93b19d
RDX: 0000000000000158 RSI: 0000000002568a90 RDI: 0000000000000005
RBP: 0000000002568a90 R08: 0000000002568b85 R09: 00007f6fec2b8887
R10: 0000000000000000 R11: 0000000000000293 R12: 0000000000000000
R13: 00007f6feaedc480 R14: 0000000000000003 R15: 0000000002568890

The buggy address belongs to the page:
page:ffffea0006e85a40 count:2 mapcount:0 mapping:ffff888218430520 index:0x427
flags: 0x6fffc0000001074(referenced|dirty|lru|active|private)
raw: 06fffc0000001074 ffff888218430520 0000000000000427 00000002ffffffff
raw: ffffea0006e28a20 ffffea0006ed5da0 ffff88807d133348 ffff88821b7321c0
page dumped because: kasan: bad access detected
page->mem_cgroup:ffff88821b7321c0

Memory state around the buggy address:
 ffff8881ba171f00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffff8881ba171f80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff8881ba172000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
                  ^
 ffff8881ba172080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
 ffff8881ba172100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
==================================================================

kasan: CONFIG_KASAN_INLINE enabled
kasan: GPF could be caused by NULL-ptr deref or user memory access
general protection fault: 0000 [#1] PREEMPT SMP KASAN
Modules linked in:
CPU: 1 PID: 28145 Comm: syz-executor.3 Not tainted 4.14.150 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
task: ffff8881f7c10240 task.stack: ffff8881e96c8000
RIP: 0010:avc_start_pgoff mm/interval_tree.c:64 [inline]
RIP: 0010:anon_vma_interval_tree_verify+0x6d/0x170 mm/interval_tree.c:109
RSP: 0018:ffff8881e96cfb90 EFLAGS: 00010202
RAX: dffffc0000000000 RBX: ffff888098614ee0 RCX: 00000000e8f3f05b
RDX: 0000000000000013 RSI: ffff8881f7c10ae8 RDI: 0000000000000098
RBP: ffff8881e96cfbb0 R08: 00000000000032aa R09: ffffffff88c9aa10
R10: ffff8881f7c10ae8 R11: ffff8881f7c10240 R12: 0000000000000000
R13: ffff88807e1e97b0 R14: 0000000000000000 R15: ffff888098614ee0
FS:  00000000012e2940(0000) GS:ffff8880aef00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000625208 CR3: 0000000213c84000 CR4: 00000000001406e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 validate_mm+0x107/0x5a0 mm/mmap.c:367
 vma_link+0x117/0x180 mm/mmap.c:623
 mmap_region+0xafb/0x1030 mm/mmap.c:1744
 do_mmap+0x5b8/0xcd0 mm/mmap.c:1501
 do_mmap_pgoff include/linux/mm.h:2178 [inline]
 vm_mmap_pgoff+0x17a/0x1d0 mm/util.c:333
 SYSC_mmap_pgoff mm/mmap.c:1551 [inline]
 SyS_mmap_pgoff+0xa3/0x520 mm/mmap.c:1509
 SYSC_mmap arch/x86/kernel/sys_x86_64.c:100 [inline]
 SyS_mmap+0x16/0x20 arch/x86/kernel/sys_x86_64.c:91
 do_syscall_64+0x1e8/0x640 arch/x86/entry/common.c:292
 entry_SYSCALL_64_after_hwframe+0x42/0xb7
RIP: 0033:0x459aaa
RSP: 002b:00007ffd0577f418 EFLAGS: 00000246 ORIG_RAX: 0000000000000009
RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000000459aaa
RDX: 0000000000000003 RSI: 0000000000021000 RDI: 0000000000000000
RBP: ffffffffffffffff R08: ffffffffffffffff R09: 0000000000000000
R10: 0000000000020022 R11: 0000000000000246 R12: 0000000000000000
R13: 0000000000021000 R14: 0000000000020022 R15: 0000000000000000
Code: df 48 c1 ea 03 80 3c 02 00 0f 85 f3 00 00 00 48 b8 00 00 00 00 00 fc ff df 4c 8b 23 49 8d bc 24 98 00 00 00 48 89 fa 48 c1 ea 03 <80> 3c 02 00 0f 85 c3 00 00 00 4d 8b ac 24 98 00 00 00 4d 39 ee
RIP: avc_start_pgoff mm/interval_tree.c:64 [inline] RSP: ffff8881e96cfb90
RIP: anon_vma_interval_tree_verify+0x6d/0x170 mm/interval_tree.c:109 RSP: ffff8881e96cfb90

kasan: CONFIG_KASAN_INLINE enabled
BUG: unable to handle kernel paging request at fffffffffffffe98
kasan: GPF could be caused by NULL-ptr deref or user memory access
IP: mm_update_next_owner+0x401/0x5d0 kernel/exit.c:452
PGD 766d067 P4D 766d067 PUD 766f067 PMD 0
Oops: 0000 [#2] PREEMPT SMP KASAN
Modules linked in:
CPU: 0 PID: 28116 Comm: syz-executor.4 Tainted: G B D 4.14.150 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
task: ffff88814cfb2340 task.stack: ffff88820edb0000
RIP: 0010:mm_update_next_owner+0x401/0x5d0 kernel/exit.c:452
RSP: 0018:ffff88820edb7d18 EFLAGS: 00010246
RAX: 1fffffffffffffd3 RBX: dffffc0000000000 RCX: 0000000000000002
RDX: 0000000000000000 RSI: 0000000000000100 RDI: ffff8880915e8840
RBP: ffff88820edb7d78 R08: fffffffffffffe98 R09: 0000000000000000
R10: 0000000000000000 R11: ffff88814cfb2340 R12: fffffffffffffa68
R13: ffff888098d7a040 R14: ffff88804e358080 R15: ffff88814cfb2340
FS:  0000000000000000(0000) GS:ffff8880aee00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: fffffffffffffe98 CR3: 00000000a9ba8000 CR4: 00000000001406f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 exit_mm kernel/exit.c:544 [inline]
 do_exit+0x715/0x2c10 kernel/exit.c:861
 do_group_exit+0x111/0x330 kernel/exit.c:977
 SYSC_exit_group kernel/exit.c:988 [inline]
 SyS_exit_group+0x1d/0x20 kernel/exit.c:986
 do_syscall_64+0x1e8/0x640 arch/x86/entry/common.c:292
 entry_SYSCALL_64_after_hwframe+0x42/0xb7
RIP: 0033:0x459a59
RSP: 002b:00007ffc9331abc8 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
RAX: ffffffffffffffda RBX: 00000000efe35ec7 RCX: 0000000000459a59
RDX: 0000001b31620000 RSI: 0000000016a1eda1 RDI: 0000000000000000
RBP: 000000000000011d R08: 0000000016a1eda5 R09: 00007fb3b3b1f000
R10: 0000000016a1eda1 R11: 0000000000000246 R12: 000000000075bfa8
R13: 0000000080000000 R14: 00007fb3b3d1f008 R15: 0000000000001fff
Code: 4c 8d a0 68 fa ff ff 0f 84 ea fe ff ff e8 08 ae 24 00 4d 8d 84 24 30 04 00 00 4c 89 c0 48 c1 e8 03 80 3c 18 00 0f 85 df 00 00 00 <4d> 8b b4 24 30 04 00 00 4d 39 ee 75 90 e9 33 fd ff ff e8 d8 ad
RIP: mm_update_next_owner+0x401/0x5d0 kernel/exit.c:452 RSP: ffff88820edb7d18
CR2: fffffffffffffe98
---[ end trace 77151fd9881e9e4b ]---
general protection fault: 0000 [#3] PREEMPT SMP KASAN
Modules linked in:
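Pulling the key facts out of a KASAN report by hand is error-prone when several oopses interleave on the console. The Python below is an added triage example, not part of the syzbot log or of any kernel tooling. It parses the header and shadow dump of the ext4 use-after-free report above (quoted inline as a constructed excerpt of the page's own lines), walks the shadow bytes to find where inside the 8388576-byte memset the first poisoned granule lies, and flags the write size as impossible for an on-disk ext4 inode, which never spans more than one filesystem block (at most 64 KiB). It also shows a register trick for the anon_vma GPF above: the faulting bytes `80 3c 02 00` decode to KASAN's inline probe `cmp byte ptr [rdx+rax], 0`, so with RAX holding the x86_64 shadow offset and RDX the address shifted right by 3, the probed pointer can be rebuilt and compared with RDI. The constants `KASAN_SHADOW_OFFSET` (0xdffffc0000000000 on x86_64) and `KASAN_FREE_PAGE` (0xff) are this kernel series' values; `EXT4_MAX_BLOCK_SIZE`, `GPF_REGS` and the function names are the example's own.

```python
import re

# Constructed excerpt: the header and shadow rows of the ext4 KASAN report above,
# trimmed to the lines these helpers consume.
KASAN_EXCERPT = """\
BUG: KASAN: use-after-free in memset include/linux/string.h:332 [inline]
BUG: KASAN: use-after-free in __ext4_expand_extra_isize+0x14f/0x220 fs/ext4/inode.c:5763
Write of size 8388576 at addr ffff8881ba1690a0 by task rs:main Q:Reg/6531
Memory state around the buggy address:
 ffff8881ba171f00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffff8881ba171f80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff8881ba172000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
 ffff8881ba172080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
"""
# Registers from the anon_vma_interval_tree_verify GPF above (RDI kept for cross-checking).
GPF_REGS = {"RAX": 0xdffffc0000000000, "RDX": 0x13, "RDI": 0x98}

BUG_RE = re.compile(r"^BUG: KASAN: (?P<bug>[\w-]+) in (?P<func>\S+) (?P<loc>\S+)", re.M)
ACCESS_RE = re.compile(
    r"^(?P<access>Read|Write) of size (?P<size>\d+) at addr (?P<addr>[0-9a-f]+)"
    r" by task (?P<task>.+)/(?P<pid>\d+)$", re.M)
SHADOW_RE = re.compile(r"^[ >]([0-9a-f]{16}): ((?:[0-9a-f]{2} ?){16})$", re.M)

KASAN_SHADOW_OFFSET = 0xdffffc0000000000  # x86_64 CONFIG_KASAN_SHADOW_OFFSET
KASAN_FREE_PAGE = 0xFF                     # shadow value KASAN writes for a freed page
EXT4_MAX_BLOCK_SIZE = 64 * 1024            # assumption for triage: an on-disk inode fits in one block
MASK64 = (1 << 64) - 1


def parse_kasan_header(text):
    """Return bug kind, access, size, address, task/pid and BUG frames (innermost first)."""
    frames = [(m["func"], m["loc"]) for m in BUG_RE.finditer(text)]
    acc = ACCESS_RE.search(text)
    if not frames or acc is None:
        raise ValueError("not a KASAN report header")
    return {
        "bug": BUG_RE.search(text)["bug"],
        "access": acc["access"],
        "size": int(acc["size"]),
        "addr": int(acc["addr"], 16),
        "task": acc["task"],
        "pid": int(acc["pid"]),
        "frames": frames,
    }


def parse_shadow(text):
    """Map each dumped row's base address to its 16 shadow bytes (one byte per 8-byte granule)."""
    return {int(m.group(1), 16): bytes.fromhex(m.group(2).replace(" ", ""))
            for m in SHADOW_RE.finditer(text)}


def first_poisoned(rows, start, size):
    """First granule inside [start, start+size) whose shadow is not 0x00 (fully addressable);
    1..7 would mean a partially addressable granule, anything else is poison."""
    end = start + size
    for base in sorted(rows):
        for i, s in enumerate(rows[base]):
            granule = base + i * 8
            if start <= granule < end and s != 0:
                return granule
    return None


def triage(text):
    """Summarise the report: culprit frame, where the access ran into poison, and size sanity."""
    h = parse_kasan_header(text)
    rows = parse_shadow(text)
    bad = first_poisoned(rows, h["addr"], h["size"])
    return {
        "culprit": h["frames"][-1][0],
        "first_poisoned": bad,
        "poison_is_freed_page": bad is not None
        and rows[bad & ~0x7f][(bad & 0x7f) // 8] == KASAN_FREE_PAGE,
        "bytes_before_poison": None if bad is None else bad - h["addr"],
        "exceeds_max_ext4_block": h["size"] > EXT4_MAX_BLOCK_SIZE,
    }


def shadow_to_mem(shadow):
    """Invert kasan_mem_to_shadow(): shadow = (addr >> 3) + KASAN_SHADOW_OFFSET."""
    return ((shadow - KASAN_SHADOW_OFFSET) << 3) & MASK64


def gpf_target_from_inline_check(rax, rdx):
    """For a GPF on the inline probe `cmp byte ptr [rdx+rax], 0` (rax = shadow offset,
    rdx = addr >> 3), rebuild the kernel address whose shadow byte was being read."""
    return shadow_to_mem((rax + rdx) & MASK64)


if __name__ == "__main__":
    print(triage(KASAN_EXCERPT))
    print(hex(gpf_target_from_inline_check(GPF_REGS["RAX"], GPF_REGS["RDX"])))
```

For the ext4 report the walk shows 0x8f60 bytes of still-valid memory were overwritten before the memset crossed into the freed page at ffff8881ba172000, and the 8 MiB length is far beyond anything an inode can hold; for the GPF, the rebuilt probe target is 0x98, matching RDI and explaining the "NULL-ptr deref" hint (a NULL base plus a 0x98 field offset).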