[  OK  ] Reached target Graphical Interface.
         Starting Update UTMP about System Runlevel Changes...
[  OK  ] Started Update UTMP about System Runlevel Changes.
         Starting Load/Save RF Kill Switch Status...
[  OK  ] Started Load/Save RF Kill Switch Status.

Debian GNU/Linux 9 syzkaller ttyS0

Warning: Permanently added '10.128.0.148' (ECDSA) to the list of known hosts.

syzkaller login: [   34.451123] IPVS: ftp: loaded support on port[0] = 21
executing program
[   34.523951] VFS: Found a Xenix FS (block size = 1024) on device loop0
[   34.531537] sysv_free_block: flc_count > flc_size
[   34.537963] sysv_free_block: flc_count > flc_size
[   34.542814] sysv_free_block: flc_count > flc_size
[   34.549629] sysv_free_block: flc_count > flc_size
[   34.555353] sysv_free_block: flc_count > flc_size
[   34.560211] sysv_free_block: flc_count > flc_size
[   34.566203] sysv_free_block: flc_count > flc_size
[   34.571089] sysv_free_block: flc_count > flc_size
[   34.576529] sysv_free_block: flc_count > flc_size
[   34.581404] sysv_free_block: flc_count > flc_size
[   34.587269] ==================================================================
[   34.594693] BUG: KASAN: use-after-free in sysv_new_block+0x79f/0x990
[   34.601166] Read of size 4 at addr ffff8880904b40c8 by task syz-executor243/8118
[   34.608674] 
[   34.610288] CPU: 0 PID: 8118 Comm: syz-executor243 Not tainted 4.19.211-syzkaller #0
[   34.618144] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022
[   34.627478] Call Trace:
[   34.630049]  dump_stack+0x1fc/0x2ef
[   34.633672]  print_address_description.cold+0x54/0x219
[   34.638944]  kasan_report_error.cold+0x8a/0x1b9
[   34.643608]  ? sysv_new_block+0x79f/0x990
[   34.647746]  __asan_report_load4_noabort+0x88/0x90
[   34.652663]  ? sysv_new_block+0x79f/0x990
[   34.656792]  sysv_new_block+0x79f/0x990
[   34.660754]  get_block+0x3fa/0x1510
[   34.664366]  ? get_mem_cgroup_from_page+0x7a/0x3b0
[   34.669281]  ? block_to_path.isra.0+0x440/0x440
[   34.673928]  ? create_page_buffers+0x212/0x350
[   34.678498]  ? alloc_page_buffers+0x2da/0x5c0
[   34.682974]  ? create_empty_buffers+0x4e7/0x760
[   34.687708]  ? do_raw_spin_unlock+0x171/0x230
[   34.692182]  ? _raw_spin_unlock+0x29/0x40
[   34.696309]  ? create_page_buffers+0x190/0x350
[   34.700871]  __block_write_begin_int+0x46c/0x17b0
[   34.705694]  ? block_to_path.isra.0+0x440/0x440
[   34.710351]  ? __breadahead_gfp+0x130/0x130
[   34.714654]  ? mark_held_locks+0xa6/0xf0
[   34.718692]  ? wait_for_stable_page+0x122/0x360
[   34.723347]  ? block_to_path.isra.0+0x440/0x440
[   34.727995]  block_write_begin+0x58/0x2e0
[   34.732121]  sysv_write_begin+0x35/0xe0
[   34.736084]  generic_perform_write+0x1f8/0x4d0
[   34.740650]  ? filemap_page_mkwrite+0x2f0/0x2f0
[   34.745296]  ? current_time+0x1c0/0x1c0
[   34.749254]  ? lock_acquire+0x170/0x3c0
[   34.753212]  __generic_file_write_iter+0x24b/0x610
[   34.758124]  generic_file_write_iter+0x3f8/0x730
[   34.762863]  __vfs_write+0x51b/0x770
[   34.766556]  ? kernel_read+0x110/0x110
[   34.770456]  ? check_preemption_disabled+0x41/0x280
[   34.775453]  ? rcu_read_lock_sched_held+0x16c/0x1d0
[   34.780448]  vfs_write+0x1f3/0x540
[   34.783967]  ksys_write+0x12b/0x2a0
[   34.787578]  ? __ia32_sys_read+0xb0/0xb0
[   34.791619]  ? trace_hardirqs_off_caller+0x6e/0x210
[   34.796613]  ? do_syscall_64+0x21/0x620
[   34.800568]  do_syscall_64+0xf9/0x620
[   34.804353]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   34.809520] RIP: 0033:0x7f0f2c45b899
[   34.813213] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 01 18 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48
[   34.832092] RSP: 002b:00007ffe9a5ec918 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
[   34.839777] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00007f0f2c45b899
[   34.847024] RDX: 00000000fffffe45 RSI: 00000000200000c0 RDI: 0000000000000004
[   34.854269] RBP: 00007ffe9a5ec980 R08: 00000000000f4240 R09: 00000000000f4240
[   34.861515] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
[   34.868761] R13: 00000000000f4240 R14: 00007ffe9a5ec944 R15: 00007ffe9a5ec950
[   34.876015] 
[   34.877617] The buggy address belongs to the page:
[   34.882524] page:ffffea0002412d00 count:0 mapcount:0 mapping:0000000000000000 index:0x1
[   34.890642] flags: 0xfff00000000000()
[   34.894423] raw: 00fff00000000000 ffffea0002410608 ffffea000237a208 0000000000000000
[   34.902295] raw: 0000000000000001 0000000000000000 00000000ffffffff 0000000000000000
[   34.910151] page dumped because: kasan: bad access detected
[   34.915833] 
[   34.917437] Memory state around the buggy address:
[   34.922345]  ffff8880904b3f80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   34.929683]  ffff8880904b4000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   34.937051] >ffff8880904b4080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   34.944387]                                               ^
[   34.950077]  ffff8880904b4100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   34.957416]  ffff8880904b4180: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   34.964752] ==================================================================
[   34.972087] Disabling lock debugging due to kernel taint
[   34.977762] Kernel panic - not syncing: panic_on_warn set ...
[   34.977762] 
[   34.985131] CPU: 0 PID: 8118 Comm: syz-executor243 Tainted: G    B             4.19.211-syzkaller #0
[   34.994392] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022
[   35.003738] Call Trace:
[   35.006308]  dump_stack+0x1fc/0x2ef
[   35.009917]  panic+0x26a/0x50e
[   35.013090]  ? __warn_printk+0xf3/0xf3
[   35.016956]  ? preempt_schedule_common+0x45/0xc0
[   35.021690]  ? ___preempt_schedule+0x16/0x18
[   35.026076]  ? trace_hardirqs_on+0x55/0x210
[   35.030377]  kasan_end_report+0x43/0x49
[   35.034333]  kasan_report_error.cold+0xa7/0x1b9
[   35.038981]  ? sysv_new_block+0x79f/0x990
[   35.043110]  __asan_report_load4_noabort+0x88/0x90
[   35.048022]  ? sysv_new_block+0x79f/0x990
[   35.052151]  sysv_new_block+0x79f/0x990
[   35.056102]  get_block+0x3fa/0x1510
[   35.059706]  ? get_mem_cgroup_from_page+0x7a/0x3b0
[   35.064613]  ? block_to_path.isra.0+0x440/0x440
[   35.069261]  ? create_page_buffers+0x212/0x350
[   35.073823]  ? alloc_page_buffers+0x2da/0x5c0
[   35.078297]  ? create_empty_buffers+0x4e7/0x760
[   35.082951]  ? do_raw_spin_unlock+0x171/0x230
[   35.087425]  ? _raw_spin_unlock+0x29/0x40
[   35.091548]  ? create_page_buffers+0x190/0x350
[   35.096107]  __block_write_begin_int+0x46c/0x17b0
[   35.100931]  ? block_to_path.isra.0+0x440/0x440
[   35.105580]  ? __breadahead_gfp+0x130/0x130
[   35.109881]  ? mark_held_locks+0xa6/0xf0
[   35.113920]  ? wait_for_stable_page+0x122/0x360
[   35.118566]  ? block_to_path.isra.0+0x440/0x440
[   35.123212]  block_write_begin+0x58/0x2e0
[   35.127343]  sysv_write_begin+0x35/0xe0
[   35.131307]  generic_perform_write+0x1f8/0x4d0
[   35.135869]  ? filemap_page_mkwrite+0x2f0/0x2f0
[   35.140515]  ? current_time+0x1c0/0x1c0
[   35.144466]  ? lock_acquire+0x170/0x3c0
[   35.148431]  __generic_file_write_iter+0x24b/0x610
[   35.153338]  generic_file_write_iter+0x3f8/0x730
[   35.158071]  __vfs_write+0x51b/0x770
[   35.161764]  ? kernel_read+0x110/0x110
[   35.165636]  ? check_preemption_disabled+0x41/0x280
[   35.170633]  ? rcu_read_lock_sched_held+0x16c/0x1d0
[   35.175629]  vfs_write+0x1f3/0x540
[   35.179146]  ksys_write+0x12b/0x2a0
[   35.182751]  ? __ia32_sys_read+0xb0/0xb0
[   35.186789]  ? trace_hardirqs_off_caller+0x6e/0x210
[   35.191781]  ? do_syscall_64+0x21/0x620
[   35.195731]  do_syscall_64+0xf9/0x620
[   35.199513]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   35.204678] RIP: 0033:0x7f0f2c45b899
[   35.208370] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 01 18 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48
[   35.227248] RSP: 002b:00007ffe9a5ec918 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
[   35.234931] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00007f0f2c45b899
[   35.242180] RDX: 00000000fffffe45 RSI: 00000000200000c0 RDI: 0000000000000004
[   35.249426] RBP: 00007ffe9a5ec980 R08: 00000000000f4240 R09: 00000000000f4240
[   35.256677] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
[   35.264445] R13: 00000000000f4240 R14: 00007ffe9a5ec944 R15: 00007ffe9a5ec950
[   35.271873] Kernel Offset: disabled
[   35.275489] Rebooting in 86400 seconds..