[info] Using makefile-style concurrent boot in runlevel 2.
[ ok ] Starting enhanced syslogd: rsyslogd.
[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [   21.625368] sshd (4443) used greatest stack depth: 17016 bytes left
[   22.525788] sshd (4452) used greatest stack depth: 16888 bytes left
Warning: Permanently added '10.128.0.63' (ECDSA) to the list of known hosts.
executing program
[   27.900466] ==================================================================
[   27.907906] BUG: KASAN: slab-out-of-bounds in __ext4_check_dir_entry+0x2de/0x320
[   27.915414] Read of size 2 at addr ffff8801d96e1000 by task syzkaller995640/4459
[   27.923205]
[   27.924815] CPU: 0 PID: 4459 Comm: syzkaller995640 Not tainted 4.16.0-rc7+ #7
[   27.932054] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   27.941376] Call Trace:
[   27.943934]  dump_stack+0x194/0x24d
[   27.947532]  ? arch_local_irq_restore+0x53/0x53
[   27.952172]  ? show_regs_print_info+0x18/0x18
[   27.956636]  ? ext4_getblk+0x12a/0x500
[   27.960497]  ? __ext4_check_dir_entry+0x2de/0x320
[   27.965308]  print_address_description+0x73/0x250
[   27.970132]  ? __ext4_check_dir_entry+0x2de/0x320
[   27.974942]  kasan_report+0x23c/0x360
[   27.978713]  __asan_report_load2_noabort+0x14/0x20
[   27.983610]  __ext4_check_dir_entry+0x2de/0x320
[   27.988252]  ext4_readdir+0xd00/0x3600
[   27.992110]  ? lock_release+0xa40/0xa40
[   27.996057]  ? trace_hardirqs_off+0x10/0x10
[   28.000356]  ? __ext4_check_dir_entry+0x320/0x320
[   28.005173]  ? mntput_no_expire+0x15e/0xa90
[   28.009469]  ? lock_acquire+0x1d5/0x580
[   28.013413]  ? lock_acquire+0x1d5/0x580
[   28.017358]  ? iterate_dir+0xc3/0x530
[   28.021131]  ? lock_release+0xa40/0xa40
[   28.025082]  ? check_same_owner+0x320/0x320
[   28.029370]  ? mntput+0x66/0x90
[   28.032621]  ? rcu_note_context_switch+0x710/0x710
[   28.037519]  ? __might_sleep+0x95/0x190
[   28.041465]  ? down_read_killable+0x95/0x180
[   28.045840]  ? iterate_dir+0xc3/0x530
[   28.049609]  ? down_write+0x120/0x120
[   28.053381]  iterate_dir+0x1ca/0x530
[   28.057067]  SyS_getdents64+0x221/0x420
[   28.061010]  ? SyS_getdents+0x450/0x450
[   28.064951]  ? ext4_llseek+0x237/0x2a0
[   28.068806]  ? iterate_dir+0x530/0x530
[   28.072662]  ? ext4_dir_llseek+0x187/0x200
[   28.076864]  ? do_syscall_64+0xb7/0x940
[   28.080806]  ? SyS_getdents+0x450/0x450
[   28.084748]  do_syscall_64+0x281/0x940
[   28.088603]  ? do_syscall_64+0x281/0x940
[   28.092635]  ? vmalloc_sync_all+0x30/0x30
[   28.096751]  ? trace_event_raw_event_sys_exit+0x260/0x260
[   28.102255]  ? syscall_return_slowpath+0x550/0x550
[   28.107152]  ? syscall_return_slowpath+0x2ac/0x550
[   28.112053]  ? entry_SYSCALL_64_after_hwframe+0x52/0xb7
[   28.117393]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   28.122206]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[   28.127365] RIP: 0033:0x43fd69
[   28.130533] RSP: 002b:00007ffd16083d48 EFLAGS: 00000203 ORIG_RAX: 00000000000000d9
[   28.138216] RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 000000000043fd69
[   28.145458] RDX: 00000000200015fc RSI: 0000000020001540 RDI: 0000000000000003
[   28.152699] RBP: 00000000006ca018 R08: 00000000004002c8 R09: 00000000004002c8
[   28.159941] R10: 00000000004002c8 R11: 0000000000000203 R12: 0000000000401690
[   28.167187] R13: 0000000000401720 R14: 0000000000000000 R15: 0000000000000000
[   28.174432]
[   28.176032] Allocated by task 0:
[   28.179364] (stack is not available)
[   28.183045]
[   28.184640] Freed by task 0:
[   28.187622] (stack is not available)
[   28.191299]
[   28.192896] The buggy address belongs to the object at ffff8801d96e1040
[   28.192896]  which belongs to the cache skbuff_head_cache of size 232
[   28.206055] The buggy address is located 64 bytes to the left of
[   28.206055]  232-byte region [ffff8801d96e1040, ffff8801d96e1128)
[   28.218242] The buggy address belongs to the page:
[   28.223141] page:ffffea000765b840 count:1 mapcount:0 mapping:ffff8801d96e1040 index:0x0
[   28.231252] flags: 0x2fffc0000000100(slab)
[   28.235460] raw: 02fffc0000000100 ffff8801d96e1040 0000000000000000 000000010000000c
[   28.243309] raw: ffffea0007655460 ffff8801d9425c48 ffff8801d9423cc0 0000000000000000
[   28.251154] page dumped because: kasan: bad access detected
[   28.256829]
[   28.258423] Memory state around the buggy address:
[   28.263321]  ffff8801d96e0f00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   28.270648]  ffff8801d96e0f80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   28.277973] >ffff8801d96e1000: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   28.285299]                    ^
[   28.288630]  ffff8801d96e1080: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   28.295956]  ffff8801d96e1100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   28.303281] ==================================================================
[   28.310620] Disabling lock debugging due to kernel taint
[   28.316128] Kernel panic - not syncing: panic_on_warn set ...
[   28.316128]
[   28.323464] CPU: 0 PID: 4459 Comm: syzkaller995640 Tainted: G B 4.16.0-rc7+ #7
[   28.332003] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   28.341325] Call Trace:
[   28.343882]  dump_stack+0x194/0x24d
[   28.347477]  ? arch_local_irq_restore+0x53/0x53
[   28.352114]  ? kasan_end_report+0x32/0x50
[   28.356239]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[   28.360972]  ? vsnprintf+0x1ed/0x1900
[   28.364740]  ? __ext4_check_dir_entry+0x290/0x320
[   28.369551]  panic+0x1e4/0x41c
[   28.372710]  ? refcount_error_report+0x214/0x214
[   28.377435]  ? add_taint+0x1c/0x50
[   28.380943]  ? add_taint+0x1c/0x50
[   28.384458]  ? __ext4_check_dir_entry+0x2de/0x320
[   28.389268]  kasan_end_report+0x50/0x50
[   28.393214]  kasan_report+0x149/0x360
[   28.396994]  __asan_report_load2_noabort+0x14/0x20
[   28.401891]  __ext4_check_dir_entry+0x2de/0x320
[   28.406528]  ext4_readdir+0xd00/0x3600
[   28.410385]  ? lock_release+0xa40/0xa40
[   28.414327]  ? trace_hardirqs_off+0x10/0x10
[   28.418618]  ? __ext4_check_dir_entry+0x320/0x320
[   28.423429]  ? mntput_no_expire+0x15e/0xa90
[   28.427718]  ? lock_acquire+0x1d5/0x580
[   28.431661]  ? lock_acquire+0x1d5/0x580
[   28.435606]  ? iterate_dir+0xc3/0x530
[   28.439385]  ? lock_release+0xa40/0xa40
[   28.443328]  ? check_same_owner+0x320/0x320
[   28.447616]  ? mntput+0x66/0x90
[   28.450865]  ? rcu_note_context_switch+0x710/0x710
[   28.455760]  ? __might_sleep+0x95/0x190
[   28.459703]  ? down_read_killable+0x95/0x180
[   28.464086]  ? iterate_dir+0xc3/0x530
[   28.467853]  ? down_write+0x120/0x120
[   28.471622]  iterate_dir+0x1ca/0x530
[   28.475308]  SyS_getdents64+0x221/0x420
[   28.479251]  ? SyS_getdents+0x450/0x450
[   28.483191]  ? ext4_llseek+0x237/0x2a0
[   28.487047]  ? iterate_dir+0x530/0x530
[   28.490902]  ? ext4_dir_llseek+0x187/0x200
[   28.495105]  ? do_syscall_64+0xb7/0x940
[   28.499047]  ? SyS_getdents+0x450/0x450
[   28.503077]  do_syscall_64+0x281/0x940
[   28.506933]  ? do_syscall_64+0x281/0x940
[   28.510966]  ? vmalloc_sync_all+0x30/0x30
[   28.515081]  ? trace_event_raw_event_sys_exit+0x260/0x260
[   28.520585]  ? syscall_return_slowpath+0x550/0x550
[   28.525480]  ? syscall_return_slowpath+0x2ac/0x550
[   28.530381]  ? entry_SYSCALL_64_after_hwframe+0x52/0xb7
[   28.535713]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   28.540526]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[   28.545684] RIP: 0033:0x43fd69
[   28.548843] RSP: 002b:00007ffd16083d48 EFLAGS: 00000203 ORIG_RAX: 00000000000000d9
[   28.556519] RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 000000000043fd69
[   28.563757] RDX: 00000000200015fc RSI: 0000000020001540 RDI: 0000000000000003
[   28.570999] RBP: 00000000006ca018 R08: 00000000004002c8 R09: 00000000004002c8
[   28.578235] R10: 00000000004002c8 R11: 0000000000000203 R12: 0000000000401690
[   28.585485] R13: 0000000000401720 R14: 0000000000000000 R15: 0000000000000000
[   28.593071] Dumping ftrace buffer:
[   28.596580]    (ftrace buffer empty)
[   28.600260] Kernel Offset: disabled
[   28.603854] Rebooting in 86400 seconds..