[ OK ] Reached target Login Prompts.
[ OK ] Reached target Multi-User System.
[ OK ] Reached target Graphical Interface.
         Starting Update UTMP about System Runlevel Changes...
[ OK ] Started Update UTMP about System Runlevel Changes.

Debian GNU/Linux 9 syzkaller ttyS0

Warning: Permanently added '10.128.0.241' (ECDSA) to the list of known hosts.
executing program
syzkaller login: [ 374.918715] ==================================================================
[ 374.926211] BUG: KASAN: slab-out-of-bounds in dtSplitRoot+0x1330/0x14b0
[ 374.933075] Read of size 1 at addr ffff8880a1c3cfc0 by task syz-executor167/8007
[ 374.940587]
[ 374.942199] CPU: 1 PID: 8007 Comm: syz-executor167 Not tainted 4.14.295-syzkaller #0
[ 374.950060] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/22/2022
[ 374.959395] Call Trace:
[ 374.961967]  dump_stack+0x1b2/0x281
[ 374.965577]  print_address_description.cold+0x54/0x1d3
[ 374.970840]  kasan_report_error.cold+0x8a/0x191
[ 374.975488]  ? dtSplitRoot+0x1330/0x14b0
[ 374.979527]  __asan_report_load1_noabort+0x68/0x70
[ 374.984433]  ? memset+0x20/0x40
[ 374.987690]  ? dtSplitRoot+0x1330/0x14b0
[ 374.991749]  dtSplitRoot+0x1330/0x14b0
[ 374.995659]  ? lock_downgrade+0x740/0x740
[ 374.999804]  ? dtSplitPage+0x3150/0x3150
[ 375.003853]  ? up_write+0x17/0x60
[ 375.007290]  ? dbAlloc+0x433/0x980
[ 375.010809]  ? kmem_cache_alloc_trace+0x36c/0x3d0
[ 375.015632]  dtSplitUp+0xeee/0x47d0
[ 375.019243]  ? __lock_acquire+0x2190/0x3f20
[ 375.023545]  ? dtSplitRoot+0x14b0/0x14b0
[ 375.027604]  ? entry_SYSCALL_64_after_hwframe+0x46/0xbb
[ 375.032962]  ? trace_hardirqs_on+0x10/0x10
[ 375.037190]  ? debug_check_no_obj_freed+0x2c0/0x680
[ 375.042184]  ? lock_downgrade+0x740/0x740
[ 375.046309]  ? up_read+0x17/0x30
[ 375.049654]  ? txLockAlloc+0x1c3/0x270
[ 375.053519]  ? txLock+0x5e2/0x18a0
[ 375.057048]  ? lock_downgrade+0x740/0x740
[ 375.061174]  ? do_raw_spin_unlock+0x164/0x220
[ 375.065669]  dtInsert+0x77c/0x9e0
[ 375.069106]  ? dtSearch+0x1ba0/0x1ba0
[ 375.072891]  ? dtInitRoot+0x2ce/0x560
[ 375.076671]  jfs_mkdir.part.0+0x38d/0x7e0
[ 375.080829]  ? jfs_mknod+0x60/0x60
[ 375.084349]  ? _raw_spin_unlock_irqrestore+0x66/0xe0
[ 375.089430]  ? debug_check_no_obj_freed+0x2c0/0x680
[ 375.094425]  ? __dquot_initialize+0x228/0xa70
[ 375.098898]  ? common_perm+0x3b9/0x560
[ 375.102764]  ? dquot_initialize_needed+0x240/0x240
[ 375.107671]  ? map_id_up+0xe9/0x180
[ 375.111278]  ? security_inode_permission+0xb5/0xf0
[ 375.116185]  jfs_mkdir+0x35/0x50
[ 375.119541]  vfs_mkdir+0x463/0x6e0
[ 375.123060]  SyS_mkdirat+0x1fd/0x270
[ 375.126776]  ? SyS_mknod+0x30/0x30
[ 375.130294]  ? __close_fd+0x159/0x230
[ 375.134180]  ? do_syscall_64+0x4c/0x640
[ 375.138255]  ? SyS_mknod+0x30/0x30
[ 375.141787]  do_syscall_64+0x1d5/0x640
[ 375.145664]  entry_SYSCALL_64_after_hwframe+0x46/0xbb
[ 375.150836] RIP: 0033:0x7fdd0a9b8fb9
[ 375.154529] RSP: 002b:00007ffd719056e8 EFLAGS: 00000246 ORIG_RAX: 0000000000000102
[ 375.162220] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007fdd0a9b8fb9
[ 375.169492] RDX: 0000000000000000 RSI: 0000000020000340 RDI: 0000000000000003
[ 375.176740] RBP: 00007fdd0a978820 R08: 0000000000000000 R09: 00007fdd0a978820
[ 375.183988] R10: 00005555557682c0 R11: 0000000000000246 R12: 00000000f8008000
[ 375.191239] R13: 0000000000000000 R14: 00083878000000f8 R15: 0000000000000000
[ 375.198493]
[ 375.200101] Allocated by task 4615:
[ 375.203710]  kasan_kmalloc+0xeb/0x160
[ 375.208271]  kmem_cache_alloc+0x124/0x3c0
[ 375.212394]  __debug_object_init+0x578/0x7a0
[ 375.216802]  debug_object_activate+0x391/0x490
[ 375.221360]  __call_rcu.constprop.0+0x31/0x7d0
[ 375.225921]  dentry_free+0xab/0x120
[ 375.229524]  __dentry_kill+0x3ff/0x550
[ 375.233387]  shrink_dentry_list+0x2ab/0xac0
[ 375.237683]  shrink_dcache_sb+0x105/0x1b0
[ 375.241808]  do_remount_sb+0xdd/0x530
[ 375.245589]  do_mount+0x15f3/0x2a30
[ 375.249194]  SyS_mount+0xa8/0x120
[ 375.252641]  do_syscall_64+0x1d5/0x640
[ 375.256512]  entry_SYSCALL_64_after_hwframe+0x46/0xbb
[ 375.261678]
[ 375.263280] Freed by task 24:
[ 375.266364]  kasan_slab_free+0xc3/0x1a0
[ 375.270315]  kmem_cache_free+0x7c/0x2b0
[ 375.274265]  free_obj_work+0x200/0x570
[ 375.278129]  process_one_work+0x793/0x14a0
[ 375.282340]  worker_thread+0x5cc/0xff0
[ 375.286207]  kthread+0x30d/0x420
[ 375.289550]  ret_from_fork+0x24/0x30
[ 375.293237]
[ 375.294848] The buggy address belongs to the object at ffff8880a1c3cf50
[ 375.294848]  which belongs to the cache debug_objects_cache of size 40
[ 375.308086] The buggy address is located 72 bytes to the right of
[ 375.308086]  40-byte region [ffff8880a1c3cf50, ffff8880a1c3cf78)
[ 375.320280] The buggy address belongs to the page:
[ 375.325184] page:ffffea0002870f00 count:1 mapcount:0 mapping:ffff8880a1c3c000 index:0xffff8880a1c3cfb9
[ 375.334609] flags: 0xfff00000000100(slab)
[ 375.338736] raw: 00fff00000000100 ffff8880a1c3c000 ffff8880a1c3cfb9 0000000100000030
[ 375.346594] raw: ffffea0002c08d20 ffffea0002d82b20 ffff88813fe6bdc0 0000000000000000
[ 375.354465] page dumped because: kasan: bad access detected
[ 375.360149]
[ 375.361751] Memory state around the buggy address:
[ 375.366656]  ffff8880a1c3ce80: 00 00 00 fc fc 00 00 00 00 00 fc fc fb fb fb fb
[ 375.373991]  ffff8880a1c3cf00: fb fc fc fb fb fb fb fb fc fc fb fb fb fb fb fc
[ 375.381339] >ffff8880a1c3cf80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 375.388672]                                            ^
[ 375.394100]  ffff8880a1c3d000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 375.401435]  ffff8880a1c3d080: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 375.408772] ==================================================================
[ 375.416105] Disabling lock debugging due to kernel taint
[ 375.430944] Kernel panic - not syncing: panic_on_warn set ...
[ 375.430944]
[ 375.438355] CPU: 0 PID: 8007 Comm: syz-executor167 Tainted: G B 4.14.295-syzkaller #0
[ 375.447450] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/22/2022
[ 375.456900] Call Trace:
[ 375.459483]  dump_stack+0x1b2/0x281
[ 375.463094]  panic+0x1f9/0x42d
[ 375.466266]  ? add_taint.cold+0x16/0x16
[ 375.470331]  ? ___preempt_schedule+0x16/0x18
[ 375.474722]  kasan_end_report+0x43/0x49
[ 375.478676]  kasan_report_error.cold+0xa7/0x191
[ 375.483326]  ? dtSplitRoot+0x1330/0x14b0
[ 375.487365]  __asan_report_load1_noabort+0x68/0x70
[ 375.492269]  ? memset+0x20/0x40
[ 375.495524]  ? dtSplitRoot+0x1330/0x14b0
[ 375.499568]  dtSplitRoot+0x1330/0x14b0
[ 375.503438]  ? lock_downgrade+0x740/0x740
[ 375.507562]  ? dtSplitPage+0x3150/0x3150
[ 375.511602]  ? up_write+0x17/0x60
[ 375.515035]  ? dbAlloc+0x433/0x980
[ 375.518551]  ? kmem_cache_alloc_trace+0x36c/0x3d0
[ 375.523371]  dtSplitUp+0xeee/0x47d0
[ 375.526978]  ? __lock_acquire+0x2190/0x3f20
[ 375.531277]  ? dtSplitRoot+0x14b0/0x14b0
[ 375.535324]  ? entry_SYSCALL_64_after_hwframe+0x46/0xbb
[ 375.540690]  ? trace_hardirqs_on+0x10/0x10
[ 375.544914]  ? debug_check_no_obj_freed+0x2c0/0x680
[ 375.549918]  ? lock_downgrade+0x740/0x740
[ 375.554066]  ? up_read+0x17/0x30
[ 375.557413]  ? txLockAlloc+0x1c3/0x270
[ 375.561284]  ? txLock+0x5e2/0x18a0
[ 375.564929]  ? lock_downgrade+0x740/0x740
[ 375.569057]  ? do_raw_spin_unlock+0x164/0x220
[ 375.573539]  dtInsert+0x77c/0x9e0
[ 375.576975]  ? dtSearch+0x1ba0/0x1ba0
[ 375.580785]  ? dtInitRoot+0x2ce/0x560
[ 375.584564]  jfs_mkdir.part.0+0x38d/0x7e0
[ 375.588689]  ? jfs_mknod+0x60/0x60
[ 375.592205]  ? _raw_spin_unlock_irqrestore+0x66/0xe0
[ 375.597308]  ? debug_check_no_obj_freed+0x2c0/0x680
[ 375.602302]  ? __dquot_initialize+0x228/0xa70
[ 375.606794]  ? common_perm+0x3b9/0x560
[ 375.610662]  ? dquot_initialize_needed+0x240/0x240
[ 375.615569]  ? map_id_up+0xe9/0x180
[ 375.619174]  ? security_inode_permission+0xb5/0xf0
[ 375.624081]  jfs_mkdir+0x35/0x50
[ 375.627423]  vfs_mkdir+0x463/0x6e0
[ 375.630954]  SyS_mkdirat+0x1fd/0x270
[ 375.634644]  ? SyS_mknod+0x30/0x30
[ 375.638158]  ? __close_fd+0x159/0x230
[ 375.641933]  ? do_syscall_64+0x4c/0x640
[ 375.645880]  ? SyS_mknod+0x30/0x30
[ 375.649397]  do_syscall_64+0x1d5/0x640
[ 375.653295]  entry_SYSCALL_64_after_hwframe+0x46/0xbb
[ 375.658476] RIP: 0033:0x7fdd0a9b8fb9
[ 375.662164] RSP: 002b:00007ffd719056e8 EFLAGS: 00000246 ORIG_RAX: 0000000000000102
[ 375.669846] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007fdd0a9b8fb9
[ 375.677109] RDX: 0000000000000000 RSI: 0000000020000340 RDI: 0000000000000003
[ 375.684355] RBP: 00007fdd0a978820 R08: 0000000000000000 R09: 00007fdd0a978820
[ 375.691601] R10: 00005555557682c0 R11: 0000000000000246 R12: 00000000f8008000
[ 375.698851] R13: 0000000000000000 R14: 00083878000000f8 R15: 0000000000000000
[ 375.706328] Kernel Offset: disabled
[ 375.709958] Rebooting in 86400 seconds..