INIT: Entering runlevel: 2
[info] Using makefile-style concurrent boot in runlevel 2.
[ ok ] Starting enhanced syslogd: rsyslogd.
[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [ 17.605353] sshd (4432) used greatest stack depth: 17000 bytes left
Warning: Permanently added '10.128.0.9' (ECDSA) to the list of known hosts.
[ 24.002293] IPVS: ftp: loaded support on port[0] = 21
executing program
[ 24.032247] IPVS: ftp: loaded support on port[0] = 21
executing program
executing program
[ 24.067394] XFS (loop5): nobarrier option is deprecated, ignoring.
[ 24.070395] IPVS: ftp: loaded support on port[0] = 21
[ 24.077573] XFS (loop5): Invalid device [./file0], error=-15
[ 24.104526] XFS (loop7): nobarrier option is deprecated, ignoring.
[ 24.130107] XFS (loop7): Invalid device [./file0], error=-15
[ 24.137696] ==================================================================
[ 24.145291] BUG: KASAN: use-after-free in radix_tree_next_chunk+0xde1/0xdf0
[ 24.152398] Read of size 4 at addr ffff8801b1669250 by task syzkaller476032/4458
[ 24.159930]
[ 24.161572] CPU: 1 PID: 4458 Comm: syzkaller476032 Not tainted 4.16.0-rc7+ #7
[ 24.168804] IPVS: ftp: loaded support on port[0] = 21
[ 24.168845] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 24.183379] Call Trace:
[ 24.185991]  dump_stack+0x194/0x24d
[ 24.189638]  ? arch_local_irq_restore+0x53/0x53
[ 24.194319]  ? show_regs_print_info+0x18/0x18
[ 24.198854]  ? locks_free_lock_context+0xb4/0x440
[ 24.203717]  ? radix_tree_next_chunk+0xde1/0xdf0
[ 24.208490]  print_address_description+0x73/0x250
[ 24.213343]  ? radix_tree_next_chunk+0xde1/0xdf0
[ 24.218114]  kasan_report+0x23c/0x360
[ 24.221932]  __asan_report_load4_noabort+0x14/0x20
executing program
[ 24.226874]  radix_tree_next_chunk+0xde1/0xdf0
[ 24.231472]  ? debug_check_no_locks_freed+0x3c0/0x3c0
[ 24.236687]  ? __lock_acquire+0x664/0x3e00
[ 24.240943]  ? idr_preload+0x30/0x30
[ 24.244670]  ? lock_downgrade+0x980/0x980
[ 24.248845]  ? debug_check_no_locks_freed+0x3c0/0x3c0
[ 24.254062]  ? trace_hardirqs_off+0x10/0x10
[ 24.258397]  ? evict+0x57e/0x920
[ 24.261782]  ? destroy_inode+0x200/0x200
[ 24.265861]  ? _raw_spin_unlock+0x22/0x30
[ 24.270031]  radix_tree_gang_lookup_tag+0x36e/0x5e0
[ 24.271108] IPVS: ftp: loaded support on port[0] = 21
[ 24.275050]  ? radix_tree_gang_lookup_slot+0x3f0/0x3f0
[ 24.275063]  ? trace_hardirqs_off+0x10/0x10
[ 24.289832]  ? lock_release+0xa40/0xa40
[ 24.293825]  ? _cond_resched+0x14/0x30
[ 24.297724]  ? dispose_list+0x28e/0x3f0
[ 24.301708]  ? rcutorture_record_progress+0x10/0x10
[ 24.306740]  xfs_perag_get_tag+0x109/0x6c0
[ 24.310990]  ? xfs_perag_get+0x520/0x520
[ 24.313416] IPVS: ftp: loaded support on port[0] = 21
[ 24.315051]  ? lock_downgrade+0x980/0x980
[ 24.315063]  ? lock_release+0xa40/0xa40
[ 24.315073]  ? list_lru_walk_one+0x9a/0xc0
[ 24.315083]  ? do_raw_spin_trylock+0x190/0x190
[ 24.315094]  ? __lock_is_held+0xb6/0x140
[ 24.341237]  xfs_reclaim_inodes_count+0x82/0xb0
[ 24.345914]  xfs_fs_nr_cached_objects+0x37/0x50
[ 24.350596]  ? xfs_fs_free_cached_objects+0x80/0x80
[ 24.355624]  super_cache_count+0x96/0x280
[ 24.359795]  shrink_slab.part.46+0x30c/0xe80
[ 24.364225]  ? current_may_throttle+0x210/0x210
[ 24.368922]  ? mem_cgroup_iter+0x2f0/0xbd0
[ 24.373176]  ? shrink_active_list+0x15e0/0x15e0
executing program
[ 24.377866]  ? print_irqtrace_events+0x270/0x270
[ 24.382654]  shrink_slab+0x9d/0xb0
[ 24.386214]  shrink_node+0x51e/0xf70
[ 24.389962]  ? shrink_node_memcg+0x1690/0x1690
[ 24.394562]  ? get_monotonic_coarse64+0x470/0x470
[ 24.399419]  ? __queue_work+0x5b4/0x1230
[ 24.403498]  ? lock_downgrade+0x980/0x980
[ 24.407666]  ? lock_release+0xa40/0xa40
[ 24.411672]  do_try_to_free_pages+0x383/0x1020
[ 24.416280]  ? shrink_node+0xf70/0xf70
[ 24.420191]  try_to_free_mem_cgroup_pages+0x44d/0xb40
[ 24.425414]  ? try_to_free_pages+0x9c0/0x9c0
executing program
[ 24.429848]  ? cgroup_file_notify+0x5e/0x70
[ 24.434194]  ? lock_downgrade+0x980/0x980
[ 24.438366]  ? lock_release+0xa40/0xa40
[ 24.442356]  ? lock_release+0xa40/0xa40
[ 24.446353]  ? do_raw_spin_trylock+0x190/0x190
[ 24.447516] IPVS: ftp: loaded support on port[0] = 21
[ 24.450937]  ? kernfs_get+0xe1/0x130
[ 24.450950]  ? do_raw_spin_trylock+0x190/0x190
[ 24.450964]  ? _raw_spin_unlock_irqrestore+0x31/0xc0
[ 24.450977]  ? trace_hardirqs_on+0xd/0x10
[ 24.450993]  reclaim_high.constprop.64+0x1e2/0x330
executing program
[ 24.451003]  ? mem_cgroup_from_task+0x1e0/0x1e0
[ 24.483263]  ? task_work_cancel+0x210/0x210
[ 24.487596]  ? __close_fd+0x222/0x360
[ 24.491408]  ? exit_to_usermode_loop+0x8c/0x2f0
[ 24.491443] IPVS: ftp: loaded support on port[0] = 21
[ 24.496068]  mem_cgroup_handle_over_high+0x8d/0x130
[ 24.496078]  exit_to_usermode_loop+0x242/0x2f0
[ 24.496087]  ? filp_open+0x70/0x70
[ 24.496097]  ? trace_event_raw_event_sys_exit+0x260/0x260
[ 24.496112]  do_syscall_64+0x6ec/0x940
[ 24.496123]  ? vmalloc_sync_all+0x30/0x30
[ 24.496131]  ? trace_event_raw_event_sys_exit+0x260/0x260
[ 24.496139]  ? syscall_return_slowpath+0x550/0x550
[ 24.538426]  ? syscall_return_slowpath+0x2ac/0x550
[ 24.543384]  ? entry_SYSCALL_64_after_hwframe+0x52/0xb7
[ 24.548766]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 24.553626]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 24.558825] RIP: 0033:0x440fda
[ 24.562016] RSP: 002b:00007ffd309f1880 EFLAGS: 00000246 ORIG_RAX: 0000000000000038
[ 24.569731] RAX: 0000000000000003 RBX: 0000000000000000 RCX: 0000000000440fda
executing program
[ 24.577005] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000001200011
[ 24.584281] RBP: 00007ffd309f18a0 R08: 0000000000000001 R09: 00000000020eb880
[ 24.591557] R10: 00000000020ebb50 R11: 0000000000000246 R12: 0000000000000001
[ 24.598836] R13: 00007ffd309f18d0 R14: 0000000000000000 R15: 00007ffd309f19e8
[ 24.606124]
[ 24.607753] Allocated by task 4469:
[ 24.611393]  save_stack+0x43/0xd0
[ 24.614862]  kasan_kmalloc+0xad/0xe0
[ 24.618587]  kmem_cache_alloc_trace+0x136/0x740
[ 24.623268]  xfs_fs_fill_super+0xd1/0x1220
[ 24.627525]  mount_bdev+0x2b7/0x370
[ 24.631156]  xfs_fs_mount+0x34/0x40
[ 24.634769]  mount_fs+0x66/0x2d0
[ 24.638122]  vfs_kern_mount.part.26+0xc6/0x4a0
[ 24.642693]  do_mount+0xea4/0x2bb0
[ 24.646218]  SyS_mount+0xab/0x120
[ 24.649658]  do_syscall_64+0x281/0x940
[ 24.653533]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 24.658696]
[ 24.660304] Freed by task 4469:
[ 24.663575]  save_stack+0x43/0xd0
[ 24.667035]  __kasan_slab_free+0x11a/0x170
[ 24.671263]  kasan_slab_free+0xe/0x10
[ 24.675049]  kfree+0xd9/0x260
[ 24.678138]  xfs_fs_fill_super+0x6c3/0x1220
[ 24.682442]  mount_bdev+0x2b7/0x370
[ 24.686053]  xfs_fs_mount+0x34/0x40
[ 24.689658]  mount_fs+0x66/0x2d0
[ 24.693009]  vfs_kern_mount.part.26+0xc6/0x4a0
[ 24.697578]  do_mount+0xea4/0x2bb0
[ 24.701102]  SyS_mount+0xab/0x120
[ 24.704546]  do_syscall_64+0x281/0x940
[ 24.708428]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 24.713602]
[ 24.715209] The buggy address belongs to the object at ffff8801b1668e80
[ 24.715209]  which belongs to the cache kmalloc-4096 of size 4096
[ 24.728025] The buggy address is located 976 bytes inside of
[ 24.728025]  4096-byte region [ffff8801b1668e80, ffff8801b1669e80)
[ 24.739974] The buggy address belongs to the page:
[ 24.744898] page:ffffea0006c59a00 count:1 mapcount:0 mapping:ffff8801b1668e80 index:0x0 compound_mapcount: 0
[ 24.754864] flags: 0x2fffc0000008100(slab|head)
[ 24.759540] raw: 02fffc0000008100 ffff8801b1668e80 0000000000000000 0000000100000001
[ 24.767405] raw: ffffea0006c5a2a0 ffffea0006cc47a0 ffff8801dac00dc0 0000000000000000
[ 24.775263] page dumped because: kasan: bad access detected
[ 24.780955]
[ 24.782566] Memory state around the buggy address:
[ 24.787482]  ffff8801b1669100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 24.794836]  ffff8801b1669180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 24.802178] >ffff8801b1669200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 24.809525]                                               ^
[ 24.815496]  ffff8801b1669280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 24.822845]  ffff8801b1669300: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
executing program
[ 24.830182] ==================================================================
[ 24.837524] Disabling lock debugging due to kernel taint
[ 24.843090] Kernel panic - not syncing: panic_on_warn set ...
[ 24.843090]
[ 24.850457] CPU: 1 PID: 4458 Comm: syzkaller476032 Tainted: G B 4.16.0-rc7+ #7
[ 24.859028] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 24.868381] Call Trace:
[ 24.870965]  dump_stack+0x194/0x24d
[ 24.874574]  ? arch_local_irq_restore+0x53/0x53
[ 24.879225]  ? kasan_end_report+0x32/0x50
[ 24.883359]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 24.888100]  ? vsnprintf+0x1ed/0x1900
[ 24.891887]  ? radix_tree_next_chunk+0xda0/0xdf0
[ 24.896629]  panic+0x1e4/0x41c
[ 24.899818]  ? refcount_error_report+0x214/0x214
[ 24.904555]  ? add_taint+0x1c/0x50
[ 24.908077]  ? add_taint+0x1c/0x50
[ 24.911606]  ? radix_tree_next_chunk+0xde1/0xdf0
[ 24.916339]  kasan_end_report+0x50/0x50
[ 24.920294]  kasan_report+0x149/0x360
[ 24.924076]  __asan_report_load4_noabort+0x14/0x20
[ 24.928987]  radix_tree_next_chunk+0xde1/0xdf0
[ 24.933557]  ? debug_check_no_locks_freed+0x3c0/0x3c0
[ 24.938730]  ? __lock_acquire+0x664/0x3e00
[ 24.942958]  ? idr_preload+0x30/0x30
[ 24.946676]  ? lock_downgrade+0x980/0x980
[ 24.950833]  ? debug_check_no_locks_freed+0x3c0/0x3c0
[ 24.956036]  ? trace_hardirqs_off+0x10/0x10
[ 24.960339]  ? evict+0x57e/0x920
[ 24.963684]  ? destroy_inode+0x200/0x200
[ 24.967722]  ? _raw_spin_unlock+0x22/0x30
[ 24.971850]  radix_tree_gang_lookup_tag+0x36e/0x5e0
[ 24.976853]  ? radix_tree_gang_lookup_slot+0x3f0/0x3f0
[ 24.982136]  ? trace_hardirqs_off+0x10/0x10
[ 24.986437]  ? lock_release+0xa40/0xa40
[ 24.990391]  ? _cond_resched+0x14/0x30
[ 24.994260]  ? dispose_list+0x28e/0x3f0
[ 24.998211]  ? rcutorture_record_progress+0x10/0x10
[ 25.003208]  xfs_perag_get_tag+0x109/0x6c0
[ 25.007426]  ? xfs_perag_get+0x520/0x520
[ 25.011467]  ? lock_downgrade+0x980/0x980
[ 25.015595]  ? lock_release+0xa40/0xa40
[ 25.019548]  ? list_lru_walk_one+0x9a/0xc0
[ 25.023761]  ? do_raw_spin_trylock+0x190/0x190
[ 25.028322]  ? __lock_is_held+0xb6/0x140
[ 25.032374]  xfs_reclaim_inodes_count+0x82/0xb0
[ 25.037027]  xfs_fs_nr_cached_objects+0x37/0x50
[ 25.041674]  ? xfs_fs_free_cached_objects+0x80/0x80
[ 25.046669]  super_cache_count+0x96/0x280
[ 25.050802]  shrink_slab.part.46+0x30c/0xe80
[ 25.055192]  ? current_may_throttle+0x210/0x210
[ 25.059841]  ? mem_cgroup_iter+0x2f0/0xbd0
[ 25.064051]  ? shrink_active_list+0x15e0/0x15e0
[ 25.068698]  ? print_irqtrace_events+0x270/0x270
[ 25.073438]  shrink_slab+0x9d/0xb0
[ 25.076961]  shrink_node+0x51e/0xf70
[ 25.080651]  ? shrink_node_memcg+0x1690/0x1690
[ 25.085208]  ? get_monotonic_coarse64+0x470/0x470
[ 25.090029]  ? __queue_work+0x5b4/0x1230
[ 25.094074]  ? lock_downgrade+0x980/0x980
[ 25.098203]  ? lock_release+0xa40/0xa40
[ 25.102154]  do_try_to_free_pages+0x383/0x1020
[ 25.106718]  ? shrink_node+0xf70/0xf70
[ 25.110596]  try_to_free_mem_cgroup_pages+0x44d/0xb40
[ 25.115770]  ? try_to_free_pages+0x9c0/0x9c0
[ 25.120161]  ? cgroup_file_notify+0x5e/0x70
[ 25.124462]  ? lock_downgrade+0x980/0x980
[ 25.128584]  ? lock_release+0xa40/0xa40
[ 25.132533]  ? lock_release+0xa40/0xa40
[ 25.136483]  ? do_raw_spin_trylock+0x190/0x190
[ 25.141046]  ? kernfs_get+0xe1/0x130
[ 25.144741]  ? do_raw_spin_trylock+0x190/0x190
[ 25.149314]  ? _raw_spin_unlock_irqrestore+0x31/0xc0
[ 25.154403]  ? trace_hardirqs_on+0xd/0x10
[ 25.158532]  reclaim_high.constprop.64+0x1e2/0x330
[ 25.163441]  ? mem_cgroup_from_task+0x1e0/0x1e0
[ 25.168088]  ? task_work_cancel+0x210/0x210
[ 25.172386]  ? __close_fd+0x222/0x360
[ 25.176170]  ? exit_to_usermode_loop+0x8c/0x2f0
[ 25.180819]  mem_cgroup_handle_over_high+0x8d/0x130
[ 25.185818]  exit_to_usermode_loop+0x242/0x2f0
[ 25.190378]  ? filp_open+0x70/0x70
[ 25.193899]  ? trace_event_raw_event_sys_exit+0x260/0x260
[ 25.199420]  do_syscall_64+0x6ec/0x940
[ 25.203286]  ? vmalloc_sync_all+0x30/0x30
[ 25.207411]  ? trace_event_raw_event_sys_exit+0x260/0x260
[ 25.212929]  ? syscall_return_slowpath+0x550/0x550
[ 25.217843]  ? syscall_return_slowpath+0x2ac/0x550
[ 25.222754]  ? entry_SYSCALL_64_after_hwframe+0x52/0xb7
[ 25.228102]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 25.232944]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 25.238109] RIP: 0033:0x440fda
[ 25.241275] RSP: 002b:00007ffd309f1880 EFLAGS: 00000246 ORIG_RAX: 0000000000000038
[ 25.248960] RAX: 0000000000000003 RBX: 0000000000000000 RCX: 0000000000440fda
[ 25.256209] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000001200011
[ 25.263455] RBP: 00007ffd309f18a0 R08: 0000000000000001 R09: 00000000020eb880
[ 25.270707] R10: 00000000020ebb50 R11: 0000000000000246 R12: 0000000000000001
[ 25.277958] R13: 00007ffd309f18d0 R14: 0000000000000000 R15: 00007ffd309f19e8
[ 25.285685] Dumping ftrace buffer:
[ 25.289202]    (ftrace buffer empty)
[ 25.292887] Kernel Offset: disabled
[ 25.296492] Rebooting in 86400 seconds..