Warning: Permanently added '10.128.10.18' (ECDSA) to the list of known hosts.
executing program
syzkaller login: [ 266.980649] blkno = 400000, nblocks = 0
[ 266.984804] ERROR: (device loop0): dbUpdatePMap.cold: blocks are outside the map
[ 266.984804]
[ 266.996152] blkno = 400000, nblocks = 0
[ 267.000157] ERROR: (device loop0): dbFree: block to be freed is outside the map
[ 267.000157]
executing program
[ 267.091126] blkno = 400000, nblocks = 0
[ 267.102680] ERROR: (device loop0): dbUpdatePMap.cold: blocks are outside the map
[ 267.102680]
[ 267.111934] blkno = 400000, nblocks = 0
[ 267.117550] ERROR: (device loop0): dbFree: block to be freed is outside the map
[ 267.117550]
executing program
executing program
[ 267.192750] blkno = 400000, nblocks = 0
[ 267.196780] ERROR: (device loop0): dbUpdatePMap.cold: blocks are outside the map
[ 267.196780]
[ 267.210657] blkno = 400000, nblocks = 0
[ 267.215774] ERROR: (device loop0): dbFree: block to be freed is outside the map
[ 267.215774]
executing program
[ 267.286641] blkno = 400000, nblocks = 0
[ 267.290754] ERROR: (device loop0): dbUpdatePMap.cold: blocks are outside the map
[ 267.290754]
[ 267.301003] blkno = 400000, nblocks = 0
[ 267.306133] ERROR: (device loop0): dbFree: block to be freed is outside the map
[ 267.306133]
[ 267.383502] blkno = 400000, nblocks = 0
[ 267.387805] ERROR: (device loop0): dbUpdatePMap.cold: blocks are outside the map
[ 267.387805]
[ 267.399316] blkno = 400000, nblocks = 0
[ 267.404085] ERROR: (device loop0): dbFree: block to be freed is outside the map
[ 267.404085]
executing program
[ 267.780707] blkno = 400000, nblocks = 0
[ 267.785120] ERROR: (device loop0): dbUpdatePMap.cold: blocks are outside the map
[ 267.785120]
[ 267.795619] blkno = 400000, nblocks = 0
[ 267.799620] ERROR: (device loop0): dbFree: block to be freed is outside the map
[ 267.799620]
executing program
[ 267.892897] blkno = 400000, nblocks = 0
[ 267.898770] ERROR: (device loop0): dbUpdatePMap.cold: blocks are outside the map
[ 267.898770]
[ 267.909802] blkno = 400000, nblocks = 0
[ 267.914488] ERROR: (device loop0): dbFree: block to be freed is outside the map
[ 267.914488]
executing program
[ 268.010737] blkno = 400000, nblocks = 0
[ 268.015332] ERROR: (device loop0): dbUpdatePMap.cold: blocks are outside the map
[ 268.015332]
[ 268.026641] blkno = 400000, nblocks = 0
[ 268.030757] ERROR: (device loop0): dbFree: block to be freed is outside the map
[ 268.030757]
executing program
[ 268.108762] blkno = 400000, nblocks = 0
[ 268.112868] ERROR: (device loop0): dbUpdatePMap.cold: blocks are outside the map
[ 268.112868]
[ 268.122159] blkno = 400000, nblocks = 0
[ 268.128032] ERROR: (device loop0): dbFree: block to be freed is outside the map
[ 268.128032]
executing program
[ 268.483851] blkno = 400000, nblocks = 0
[ 268.487946] ERROR: (device loop0): dbUpdatePMap.cold: blocks are outside the map
[ 268.487946]
[ 268.498691] blkno = 400000, nblocks = 0
[ 268.504878] ERROR: (device loop0): dbFree: block to be freed is outside the map
[ 268.504878]
executing program
[ 268.866726] blkno = 400000, nblocks = 0
[ 268.870746] ERROR: (device loop0): dbUpdatePMap.cold: blocks are outside the map
[ 268.870746]
[ 268.881036] blkno = 400000, nblocks = 0
[ 268.886497] ERROR: (device loop0): dbFree: block to be freed is outside the map
[ 268.886497]
[ 268.900025] ==================================================================
[ 268.907618] BUG: KASAN: use-after-free in jfs_lazycommit+0x8d6/0x9d0
[ 268.914101] Read of size 4 at addr ffff8880a9ee48d4 by task jfsCommit/1984
[ 268.921090]
[ 268.922705] CPU: 1 PID: 1984 Comm: jfsCommit Not tainted 4.19.211-syzkaller #0
[ 268.930042] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/22/2022
[ 268.939380] Call Trace:
[ 268.941958]  dump_stack+0x1fc/0x2ef
[ 268.945604]  print_address_description.cold+0x54/0x219
[ 268.950877]  kasan_report_error.cold+0x8a/0x1b9
[ 268.955532]  ? jfs_lazycommit+0x8d6/0x9d0
[ 268.959781]  __asan_report_load4_noabort+0x88/0x90
[ 268.964716]  ? jfs_lazycommit+0x8d6/0x9d0
[ 268.968860]  jfs_lazycommit+0x8d6/0x9d0
[ 268.972822]  ? txCommit+0x39e0/0x39e0
[ 268.976603]  ? lock_acquire+0x170/0x3c0
[ 268.980557]  ? __kthread_parkme+0x5d/0x1e0
[ 268.984776]  ? wake_up_q+0xe0/0xe0
[ 268.988305]  ? lockdep_hardirqs_on+0x3a8/0x5c0
[ 268.992869]  ? _raw_spin_unlock_irqrestore+0x66/0xe0
[ 268.997955]  ? __kthread_parkme+0x133/0x1e0
[ 269.002255]  ? txCommit+0x39e0/0x39e0
[ 269.006040]  kthread+0x33f/0x460
[ 269.009384]  ? kthread_park+0x180/0x180
[ 269.013339]  ret_from_fork+0x24/0x30
[ 269.017035]
[ 269.018640] Allocated by task 8195:
[ 269.022250]  kmem_cache_alloc_trace+0x12f/0x380
[ 269.026950]  jfs_fill_super+0xaa/0xb50
[ 269.030824]  mount_bdev+0x2fc/0x3b0
[ 269.034437]  mount_fs+0xa3/0x310
[ 269.037787]  vfs_kern_mount.part.0+0x68/0x470
[ 269.042267]  do_mount+0x115c/0x2f50
[ 269.045921]  ksys_mount+0xcf/0x130
[ 269.049449]  __x64_sys_mount+0xba/0x150
[ 269.053403]  do_syscall_64+0xf9/0x620
[ 269.057183]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 269.062344]
[ 269.063952] Freed by task 8128:
[ 269.067209]  kfree+0xcc/0x210
[ 269.070293]  generic_shutdown_super+0x144/0x370
[ 269.074942]  kill_block_super+0x97/0xf0
[ 269.078894]  deactivate_locked_super+0x94/0x160
[ 269.083540]  deactivate_super+0x174/0x1a0
[ 269.087667]  cleanup_mnt+0x1a8/0x290
[ 269.091360]  task_work_run+0x148/0x1c0
[ 269.095226]  exit_to_usermode_loop+0x251/0x2a0
[ 269.099797]  do_syscall_64+0x538/0x620
[ 269.103707]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 269.108883]
[ 269.110584] The buggy address belongs to the object at ffff8880a9ee4840
[ 269.110584]  which belongs to the cache kmalloc-256 of size 256
[ 269.123238] The buggy address is located 148 bytes inside of
[ 269.123238]  256-byte region [ffff8880a9ee4840, ffff8880a9ee4940)
[ 269.135231] The buggy address belongs to the page:
[ 269.140141] page:ffffea0002a7b900 count:1 mapcount:0 mapping:ffff88813bff07c0 index:0x0
[ 269.148261] flags: 0xfff00000000100(slab)
[ 269.152400] raw: 00fff00000000100 ffffea0002a07fc8 ffffea0002a79bc8 ffff88813bff07c0
[ 269.160265] raw: 0000000000000000 ffff8880a9ee40c0 000000010000000c 0000000000000000
[ 269.168210] page dumped because: kasan: bad access detected
[ 269.173892]
[ 269.175501] Memory state around the buggy address:
[ 269.180413]  ffff8880a9ee4780: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 269.187766]  ffff8880a9ee4800: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
[ 269.195118] >ffff8880a9ee4880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 269.202461]                                                  ^
[ 269.208418]  ffff8880a9ee4900: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 269.215756]  ffff8880a9ee4980: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 269.223090] ==================================================================
[ 269.230597] Disabling lock debugging due to kernel taint
[ 269.236020] Kernel panic - not syncing: panic_on_warn set ...
[ 269.236020]
[ 269.243386] CPU: 1 PID: 1984 Comm: jfsCommit Tainted: G B 4.19.211-syzkaller #0
[ 269.252107] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/22/2022
[ 269.261471] Call Trace:
[ 269.264049]  dump_stack+0x1fc/0x2ef
[ 269.267706]  panic+0x26a/0x50e
[ 269.270877]  ? __warn_printk+0xf3/0xf3
[ 269.274745]  ? lock_downgrade+0x720/0x720
[ 269.278877]  ? print_shadow_for_address+0xb8/0x114
[ 269.283782]  ? trace_hardirqs_off+0x64/0x200
[ 269.288196]  kasan_end_report+0x43/0x49
[ 269.292149]  kasan_report_error.cold+0xa7/0x1b9
[ 269.296796]  ? jfs_lazycommit+0x8d6/0x9d0
[ 269.300924]  __asan_report_load4_noabort+0x88/0x90
[ 269.305831]  ? jfs_lazycommit+0x8d6/0x9d0
[ 269.309954]  jfs_lazycommit+0x8d6/0x9d0
[ 269.313915]  ? txCommit+0x39e0/0x39e0
[ 269.317692]  ? lock_acquire+0x170/0x3c0
[ 269.321641]  ? __kthread_parkme+0x5d/0x1e0
[ 269.325854]  ? wake_up_q+0xe0/0xe0
[ 269.329381]  ? lockdep_hardirqs_on+0x3a8/0x5c0
[ 269.333955]  ? _raw_spin_unlock_irqrestore+0x66/0xe0
[ 269.339046]  ? __kthread_parkme+0x133/0x1e0
[ 269.343361]  ? txCommit+0x39e0/0x39e0
[ 269.347137]  kthread+0x33f/0x460
[ 269.350516]  ? kthread_park+0x180/0x180
[ 269.354492]  ret_from_fork+0x24/0x30
[ 269.358278] Kernel Offset: disabled
[ 269.362016] Rebooting in 86400 seconds..