INIT: Entering runlevel: 2 [info] Using makefile-style concurrent boot in runlevel 2. [....] Starting enhanced syslogd: rsyslogd[?25l[?1c7[ ok 8[?25h[?0c. [....] Starting periodic command scheduler: cron[?25l[?1c7[ ok 8[?25h[?0c. [....] Starting OpenBSD Secure Shell server: sshd[?25l[?1c7[ ok 8[?25h[?0c. Debian GNU/Linux 7 syzkaller ttyS0 Warning: Permanently added '10.128.10.6' (ECDSA) to the list of known hosts. executing program syzkaller login: [ 31.008121] XFS (loop0): Mounting V4 Filesystem [ 31.014096] XFS (loop0): totally zeroed log [ 31.019261] ================================================================== [ 31.026678] BUG: KASAN: use-after-free in xfs_inobt_init_key_from_rec+0x6a/0x70 [ 31.034098] Read of size 4 at addr ffff8801af98cf00 by task syzkaller185183/4464 [ 31.041599] [ 31.043200] CPU: 0 PID: 4464 Comm: syzkaller185183 Not tainted 4.16.0+ #12 [ 31.050181] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 31.059507] Call Trace: [ 31.062068] dump_stack+0x1a7/0x27d [ 31.065667] ? arch_local_irq_restore+0x53/0x53 [ 31.070310] ? show_regs_print_info+0x18/0x18 [ 31.074780] ? kasan_check_write+0x14/0x20 [ 31.078988] ? xfs_inobt_init_key_from_rec+0x6a/0x70 [ 31.084067] print_address_description+0x73/0x250 [ 31.088880] ? xfs_inobt_init_key_from_rec+0x6a/0x70 [ 31.093955] kasan_report+0x23c/0x360 [ 31.097729] __asan_report_load4_noabort+0x14/0x20 [ 31.102630] xfs_inobt_init_key_from_rec+0x6a/0x70 [ 31.107532] xfs_lookup_get_search_key+0x7e/0xc0 [ 31.112262] xfs_btree_lookup+0x932/0x1180 [ 31.116472] ? xfs_btree_overlapped_query_range+0x1420/0x1420 [ 31.122330] ? rcu_read_lock_sched_held+0x108/0x120 [ 31.127318] ? kmem_cache_alloc+0x466/0x760 [ 31.131613] ? xfs_ialloc_read_agi+0xd4/0x5e0 [ 31.136086] ? kmem_zone_alloc+0x133/0x190 [ 31.140294] ? xfs_inobt_init_cursor+0x288/0x4c0 [ 31.145031] xfs_imap_lookup+0x216/0x640 [ 31.149076] ? xfs_difree+0x4b0/0x4b0 [ 31.152850] ? lockdep_init_map+0x9/0x10 [ 31.156893] ? kasan_check_write+0x14/0x20 [ 31.161117] ? __init_rwsem+0x1c6/0x290 [ 31.165064] ? do_raw_write_unlock+0x290/0x290 [ 31.169618] ? mark_held_locks+0xaf/0x100 [ 31.173741] xfs_imap+0x78f/0x960 [ 31.177167] ? xfs_imap_lookup+0x640/0x640 [ 31.181392] ? kasan_check_write+0x14/0x20 [ 31.185601] ? inode_init_always+0xaa0/0xd20 [ 31.189982] ? get_nr_inodes+0x110/0x110 [ 31.194021] ? kmem_zone_alloc+0x8d/0x190 [ 31.198146] xfs_iread+0xc7/0x770 [ 31.201570] ? kmem_cache_alloc+0x466/0x760 [ 31.205862] ? xfs_dinode_calc_crc+0x140/0x140 [ 31.210417] ? memset+0x31/0x40 [ 31.213669] ? xfs_inode_alloc+0x384/0x480 [ 31.217878] xfs_iget+0xcec/0x3060 [ 31.221388] ? mark_held_locks+0xaf/0x100 [ 31.225510] ? _raw_spin_unlock_irqrestore+0x31/0xc0 [ 31.230587] ? depot_save_stack+0x2ca/0x460 [ 31.234882] ? xfs_inode_set_reclaim_tag+0x780/0x780 [ 31.239955] ? save_stack+0x43/0xd0 [ 31.243552] ? kasan_slab_alloc+0x12/0x20 [ 31.247673] ? kmem_cache_alloc+0x12e/0x760 [ 31.251969] ? kmem_zone_alloc+0x8d/0x190 [ 31.256085] ? xlog_ticket_alloc+0xa6/0x590 [ 31.260378] ? xlog_cil_init_post_recovery+0x7e/0x1a0 [ 31.265538] ? xfs_log_mount+0x5f9/0x6e0 [ 31.269571] ? xfs_mountfs+0x12d5/0x2690 [ 31.273602] ? xfs_fs_fill_super+0xc8d/0x1250 [ 31.278068] ? mount_bdev+0x2b7/0x370 [ 31.281839] ? xfs_fs_mount+0x34/0x40 [ 31.285619] ? mount_fs+0x66/0x2d0 [ 31.289129] ? vfs_kern_mount.part.26+0xc6/0x4a0 [ 31.293856] ? do_mount+0xea4/0x2b90 [ 31.297539] ? ksys_mount+0xab/0x120 [ 31.301222] ? SyS_mount+0x39/0x50 [ 31.304734] ? do_syscall_64+0x281/0x940 [ 31.308769] ? entry_SYSCALL_64_after_hwframe+0x42/0xb7 [ 31.314111] ? print_irqtrace_events+0x270/0x270 [ 31.318838] ? trace_hardirqs_off+0x10/0x10 [ 31.323130] ? __lock_is_held+0xb6/0x140 [ 31.327163] ? lock_release+0xa40/0xa40 [ 31.331110] ? kasan_check_read+0x11/0x20 [ 31.335228] ? do_raw_spin_unlock+0x9e/0x310 [ 31.339617] ? __lock_is_held+0xb6/0x140 [ 31.343651] ? kmem_zone_alloc+0x8d/0x190 [ 31.347775] ? rcu_read_lock_sched_held+0x108/0x120 [ 31.352761] ? kmem_cache_alloc+0x466/0x760 [ 31.357056] ? kobj_ns_type_registered+0x50/0x50 [ 31.361787] ? prandom_u32_state+0x13/0x180 [ 31.366080] ? prandom_u32+0x24/0x30 [ 31.369763] ? xlog_ticket_alloc+0x400/0x590 [ 31.374143] ? xfs_log_calc_unit_res+0x1f0/0x1f0 [ 31.378870] ? kset_create_and_add+0x170/0x170 [ 31.383426] ? lockdep_init_map+0x9/0x10 [ 31.387457] ? init_wait_entry+0x1b0/0x1b0 [ 31.391666] ? xlog_cil_init_post_recovery+0x7e/0x1a0 [ 31.396844] ? xfs_log_mount+0x275/0x6e0 [ 31.400879] xfs_mountfs+0x139a/0x2690 [ 31.404745] ? xfs_default_resblks+0x60/0x60 [ 31.409126] ? xfs_mru_cache_create+0x52c/0x6a0 [ 31.413768] ? xfs_filestream_put_ag+0x50/0x50 [ 31.418323] ? xfs_mru_cache_uninit+0x20/0x20 [ 31.422791] ? xfs_readsb+0x2ec/0x570 [ 31.426567] ? set_blocksize+0x1f1/0x260 [ 31.430601] ? xfs_setsize_buftarg+0x24f/0x370 [ 31.435160] xfs_fs_fill_super+0xc8d/0x1250 [ 31.439459] ? xfs_test_remount_options.isra.19+0x90/0x90 [ 31.444971] ? cap_capable+0x1b5/0x230 [ 31.448832] ? snprintf+0xc0/0xf0 [ 31.452258] ? vsprintf+0x40/0x40 [ 31.455687] ? ns_capable_common+0xcf/0x160 [ 31.459986] ? set_blocksize+0x1f1/0x260 [ 31.464033] mount_bdev+0x2b7/0x370 [ 31.467630] ? xfs_test_remount_options.isra.19+0x90/0x90 [ 31.473139] xfs_fs_mount+0x34/0x40 [ 31.476742] mount_fs+0x66/0x2d0 [ 31.480082] vfs_kern_mount.part.26+0xc6/0x4a0 [ 31.484634] ? may_umount+0xa0/0xa0 [ 31.488230] ? _raw_read_unlock+0x22/0x30 [ 31.492349] ? __get_fs_type+0x8a/0xc0 [ 31.496211] do_mount+0xea4/0x2b90 [ 31.499728] ? copy_mount_string+0x40/0x40 [ 31.503936] ? rcu_pm_notify+0xc0/0xc0 [ 31.507819] ? copy_mount_options+0x5f/0x2e0 [ 31.512198] ? rcu_read_lock_sched_held+0x108/0x120 [ 31.517189] ? kmem_cache_alloc_trace+0x459/0x740 [ 31.522006] ? kasan_check_write+0x14/0x20 [ 31.526219] ? _copy_from_user+0x99/0x110 [ 31.530340] ? copy_mount_options+0x1f7/0x2e0 [ 31.534808] ksys_mount+0xab/0x120 [ 31.538322] SyS_mount+0x39/0x50 [ 31.541661] ? ksys_mount+0x120/0x120 [ 31.545441] do_syscall_64+0x281/0x940 [ 31.549300] ? vmalloc_sync_all+0x30/0x30 [ 31.553421] ? trace_hardirqs_on_thunk+0x1a/0x1c [ 31.558148] ? syscall_return_slowpath+0x550/0x550 [ 31.563050] ? syscall_return_slowpath+0x2ac/0x550 [ 31.567950] ? prepare_exit_to_usermode+0x350/0x350 [ 31.572938] ? entry_SYSCALL_64_after_hwframe+0x52/0xb7 [ 31.578280] ? trace_hardirqs_off_thunk+0x1a/0x1c [ 31.583096] entry_SYSCALL_64_after_hwframe+0x42/0xb7 [ 31.588260] RIP: 0033:0x44371a [ 31.591425] RSP: 002b:00007fff43e464c8 EFLAGS: 00000202 ORIG_RAX: 00000000000000a5 [ 31.599107] RAX: ffffffffffffffda RBX: 0000000020000840 RCX: 000000000044371a [ 31.606348] RDX: 0000000020000000 RSI: 0000000020000100 RDI: 00007fff43e464d0 [ 31.613590] RBP: 0000000000000003 R08: 0000000020018900 R09: 000000000000000a [ 31.620840] R10: 0000000000000000 R11: 0000000000000202 R12: 0000000000000004 [ 31.628085] R13: 0000000000402610 R14: 0000000000000000 R15: 0000000000000000 [ 31.635331] [ 31.636932] Allocated by task 4462: [ 31.640533] save_stack+0x43/0xd0 [ 31.643958] kasan_kmalloc+0xad/0xe0 [ 31.647656] kasan_slab_alloc+0x12/0x20 [ 31.651611] kmem_cache_alloc+0x12e/0x760 [ 31.655729] getname_flags+0xcb/0x580 [ 31.659501] getname+0x19/0x20 [ 31.662668] do_sys_open+0x2e7/0x6d0 [ 31.666351] SyS_open+0x2d/0x40 [ 31.669601] do_syscall_64+0x281/0x940 [ 31.673462] entry_SYSCALL_64_after_hwframe+0x42/0xb7 [ 31.678619] [ 31.680219] Freed by task 4462: [ 31.683470] save_stack+0x43/0xd0 [ 31.686896] __kasan_slab_free+0x11a/0x170 [ 31.691102] kasan_slab_free+0xe/0x10 [ 31.694872] kmem_cache_free+0x83/0x2a0 [ 31.698816] putname+0xee/0x130 [ 31.702067] do_sys_open+0x31b/0x6d0 [ 31.705750] SyS_open+0x2d/0x40 [ 31.709001] do_syscall_64+0x281/0x940 [ 31.712866] entry_SYSCALL_64_after_hwframe+0x42/0xb7 [ 31.718029] [ 31.719632] The buggy address belongs to the object at ffff8801af98c600 [ 31.719632] which belongs to the cache names_cache of size 4096 [ 31.735210] The buggy address is located 2304 bytes inside of [ 31.735210] 4096-byte region [ffff8801af98c600, ffff8801af98d600) [ 31.747226] The buggy address belongs to the page: [ 31.752129] page:ffffea0006be6300 count:1 mapcount:0 mapping:ffff8801af98c600 index:0x0 compound_mapcount: 0 [ 31.762071] flags: 0x2fffc0000008100(slab|head) [ 31.766712] raw: 02fffc0000008100 ffff8801af98c600 0000000000000000 0000000100000001 [ 31.774563] raw: ffffea0006be7aa0 ffffea0006be5f20 ffff8801da5ea600 0000000000000000 [ 31.782412] page dumped because: kasan: bad access detected [ 31.788089] [ 31.789689] Memory state around the buggy address: [ 31.794587] ffff8801af98ce00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 31.801917] ffff8801af98ce80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 31.809246] >ffff8801af98cf00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 31.816578] ^ [ 31.819918] ffff8801af98cf80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 31.827247] ffff8801af98d000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 31.834573] ================================================================== [ 31.841898] Disabling lock debugging due to kernel taint [ 31.847446] Kernel panic - not syncing: panic_on_warn set ... [ 31.847446] [ 31.854798] CPU: 0 PID: 4464 Comm: syzkaller185183 Tainted: G B 4.16.0+ #12 [ 31.863100] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 31.872426] Call Trace: [ 31.874986] dump_stack+0x1a7/0x27d [ 31.878593] ? arch_local_irq_restore+0x53/0x53 [ 31.883234] ? kasan_end_report+0x32/0x50 [ 31.887355] ? trace_hardirqs_on_thunk+0x1a/0x1c [ 31.892082] ? vsnprintf+0x1ed/0x1900 [ 31.895856] ? xfs_inobt_get_maxrecs+0x10/0x90 [ 31.900409] panic+0x1f8/0x42c [ 31.903572] ? refcount_error_report+0x214/0x214 [ 31.908298] ? do_raw_spin_unlock+0x9e/0x310 [ 31.912677] ? do_raw_spin_unlock+0x9e/0x310 [ 31.917059] ? xfs_inobt_init_key_from_rec+0x6a/0x70 [ 31.922131] kasan_end_report+0x50/0x50 [ 31.926075] kasan_report+0x149/0x360 [ 31.929845] __asan_report_load4_noabort+0x14/0x20 [ 31.934742] xfs_inobt_init_key_from_rec+0x6a/0x70 [ 31.939644] xfs_lookup_get_search_key+0x7e/0xc0 [ 31.944374] xfs_btree_lookup+0x932/0x1180 [ 31.948581] ? xfs_btree_overlapped_query_range+0x1420/0x1420 [ 31.954437] ? rcu_read_lock_sched_held+0x108/0x120 [ 31.959426] ? kmem_cache_alloc+0x466/0x760 [ 31.963716] ? xfs_ialloc_read_agi+0xd4/0x5e0 [ 31.968187] ? kmem_zone_alloc+0x133/0x190 [ 31.972393] ? xfs_inobt_init_cursor+0x288/0x4c0 [ 31.977122] xfs_imap_lookup+0x216/0x640 [ 31.981154] ? xfs_difree+0x4b0/0x4b0 [ 31.984925] ? lockdep_init_map+0x9/0x10 [ 31.988958] ? kasan_check_write+0x14/0x20 [ 31.993162] ? __init_rwsem+0x1c6/0x290 [ 31.997106] ? do_raw_write_unlock+0x290/0x290 [ 32.001667] ? mark_held_locks+0xaf/0x100 [ 32.005788] xfs_imap+0x78f/0x960 [ 32.009213] ? xfs_imap_lookup+0x640/0x640 [ 32.013418] ? kasan_check_write+0x14/0x20 [ 32.017622] ? inode_init_always+0xaa0/0xd20 [ 32.022001] ? get_nr_inodes+0x110/0x110 [ 32.026040] ? kmem_zone_alloc+0x8d/0x190 [ 32.030161] xfs_iread+0xc7/0x770 [ 32.033584] ? kmem_cache_alloc+0x466/0x760 [ 32.037876] ? xfs_dinode_calc_crc+0x140/0x140 [ 32.042430] ? memset+0x31/0x40 [ 32.045682] ? xfs_inode_alloc+0x384/0x480 [ 32.049886] xfs_iget+0xcec/0x3060 [ 32.053397] ? mark_held_locks+0xaf/0x100 [ 32.057514] ? _raw_spin_unlock_irqrestore+0x31/0xc0 [ 32.062588] ? depot_save_stack+0x2ca/0x460 [ 32.066880] ? xfs_inode_set_reclaim_tag+0x780/0x780 [ 32.071951] ? save_stack+0x43/0xd0 [ 32.075548] ? kasan_slab_alloc+0x12/0x20 [ 32.079666] ? kmem_cache_alloc+0x12e/0x760 [ 32.083960] ? kmem_zone_alloc+0x8d/0x190 [ 32.088077] ? xlog_ticket_alloc+0xa6/0x590 [ 32.092369] ? xlog_cil_init_post_recovery+0x7e/0x1a0 [ 32.097528] ? xfs_log_mount+0x5f9/0x6e0 [ 32.101557] ? xfs_mountfs+0x12d5/0x2690 [ 32.105585] ? xfs_fs_fill_super+0xc8d/0x1250 [ 32.110049] ? mount_bdev+0x2b7/0x370 [ 32.113819] ? xfs_fs_mount+0x34/0x40 [ 32.117587] ? mount_fs+0x66/0x2d0 [ 32.121096] ? vfs_kern_mount.part.26+0xc6/0x4a0 [ 32.125820] ? do_mount+0xea4/0x2b90 [ 32.129502] ? ksys_mount+0xab/0x120 [ 32.133185] ? SyS_mount+0x39/0x50 [ 32.136699] ? do_syscall_64+0x281/0x940 [ 32.140732] ? entry_SYSCALL_64_after_hwframe+0x42/0xb7 [ 32.146067] ? print_irqtrace_events+0x270/0x270 [ 32.150793] ? trace_hardirqs_off+0x10/0x10 [ 32.155084] ? __lock_is_held+0xb6/0x140 [ 32.159117] ? lock_release+0xa40/0xa40 [ 32.163062] ? kasan_check_read+0x11/0x20 [ 32.167179] ? do_raw_spin_unlock+0x9e/0x310 [ 32.171557] ? __lock_is_held+0xb6/0x140 [ 32.175589] ? kmem_zone_alloc+0x8d/0x190 [ 32.179717] ? rcu_read_lock_sched_held+0x108/0x120 [ 32.184706] ? kmem_cache_alloc+0x466/0x760 [ 32.189001] ? kobj_ns_type_registered+0x50/0x50 [ 32.193738] ? prandom_u32_state+0x13/0x180 [ 32.198031] ? prandom_u32+0x24/0x30 [ 32.201715] ? xlog_ticket_alloc+0x400/0x590 [ 32.206093] ? xfs_log_calc_unit_res+0x1f0/0x1f0 [ 32.210819] ? kset_create_and_add+0x170/0x170 [ 32.215371] ? lockdep_init_map+0x9/0x10 [ 32.219412] ? init_wait_entry+0x1b0/0x1b0 [ 32.223617] ? xlog_cil_init_post_recovery+0x7e/0x1a0 [ 32.228778] ? xfs_log_mount+0x275/0x6e0 [ 32.232808] xfs_mountfs+0x139a/0x2690 [ 32.236676] ? xfs_default_resblks+0x60/0x60 [ 32.241054] ? xfs_mru_cache_create+0x52c/0x6a0 [ 32.245693] ? xfs_filestream_put_ag+0x50/0x50 [ 32.250243] ? xfs_mru_cache_uninit+0x20/0x20 [ 32.254709] ? xfs_readsb+0x2ec/0x570 [ 32.258482] ? set_blocksize+0x1f1/0x260 [ 32.262512] ? xfs_setsize_buftarg+0x24f/0x370 [ 32.267066] xfs_fs_fill_super+0xc8d/0x1250 [ 32.271360] ? xfs_test_remount_options.isra.19+0x90/0x90 [ 32.276868] ? cap_capable+0x1b5/0x230 [ 32.280735] ? snprintf+0xc0/0xf0 [ 32.284158] ? vsprintf+0x40/0x40 [ 32.287583] ? ns_capable_common+0xcf/0x160 [ 32.291885] ? set_blocksize+0x1f1/0x260 [ 32.295917] mount_bdev+0x2b7/0x370 [ 32.299525] ? xfs_test_remount_options.isra.19+0x90/0x90 [ 32.305036] xfs_fs_mount+0x34/0x40 [ 32.308642] mount_fs+0x66/0x2d0 [ 32.311980] vfs_kern_mount.part.26+0xc6/0x4a0 [ 32.316533] ? may_umount+0xa0/0xa0 [ 32.320129] ? _raw_read_unlock+0x22/0x30 [ 32.324258] ? __get_fs_type+0x8a/0xc0 [ 32.328115] do_mount+0xea4/0x2b90 [ 32.331624] ? copy_mount_string+0x40/0x40 [ 32.336022] ? rcu_pm_notify+0xc0/0xc0 [ 32.339885] ? copy_mount_options+0x5f/0x2e0 [ 32.344272] ? rcu_read_lock_sched_held+0x108/0x120 [ 32.349259] ? kmem_cache_alloc_trace+0x459/0x740 [ 32.354072] ? kasan_check_write+0x14/0x20 [ 32.358277] ? _copy_from_user+0x99/0x110 [ 32.362404] ? copy_mount_options+0x1f7/0x2e0 [ 32.366868] ksys_mount+0xab/0x120 [ 32.370379] SyS_mount+0x39/0x50 [ 32.373718] ? ksys_mount+0x120/0x120 [ 32.377490] do_syscall_64+0x281/0x940 [ 32.381347] ? vmalloc_sync_all+0x30/0x30 [ 32.385466] ? trace_hardirqs_on_thunk+0x1a/0x1c [ 32.390195] ? syscall_return_slowpath+0x550/0x550 [ 32.395094] ? syscall_return_slowpath+0x2ac/0x550 [ 32.399993] ? prepare_exit_to_usermode+0x350/0x350 [ 32.404983] ? entry_SYSCALL_64_after_hwframe+0x52/0xb7 [ 32.410317] ? trace_hardirqs_off_thunk+0x1a/0x1c [ 32.415131] entry_SYSCALL_64_after_hwframe+0x42/0xb7 [ 32.420292] RIP: 0033:0x44371a [ 32.423452] RSP: 002b:00007fff43e464c8 EFLAGS: 00000202 ORIG_RAX: 00000000000000a5 [ 32.431128] RAX: ffffffffffffffda RBX: 0000000020000840 RCX: 000000000044371a [ 32.438367] RDX: 0000000020000000 RSI: 0000000020000100 RDI: 00007fff43e464d0 [ 32.445607] RBP: 0000000000000003 R08: 0000000020018900 R09: 000000000000000a [ 32.452848] R10: 0000000000000000 R11: 0000000000000202 R12: 0000000000000004 [ 32.460088] R13: 0000000000402610 R14: 0000000000000000 R15: 0000000000000000 [ 32.467866] Dumping ftrace buffer: [ 32.471382] (ftrace buffer empty) [ 32.475063] Kernel Offset: disabled [ 32.478664] Rebooting in 86400 seconds..