[ OK ] Reached target Graphical Interface.
Starting Update UTMP about System Runlevel Changes...
[ OK ] Started Update UTMP about System Runlevel Changes.
Starting Load/Save RF Kill Switch Status...
[ OK ] Started Load/Save RF Kill Switch Status.

Debian GNU/Linux 9 syzkaller ttyS0

Warning: Permanently added '10.128.0.97' (ECDSA) to the list of known hosts.

syzkaller login: [   33.715557] IPVS: ftp: loaded support on port[0] = 21
executing program
[   33.811526] ==================================================================
[   33.818959] BUG: KASAN: use-after-free in hfsplus_releasepage+0x4bc/0x540
[   33.825874] Read of size 4 at addr ffff8880b33f0ab8 by task syz-executor537/8098
[   33.833416] 
[   33.835027] CPU: 0 PID: 8098 Comm: syz-executor537 Not tainted 4.19.211-syzkaller #0
[   33.842883] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022
[   33.852211] Call Trace:
[   33.854781]  dump_stack+0x1fc/0x2ef
[   33.858399]  print_address_description.cold+0x54/0x219
[   33.863655]  kasan_report_error.cold+0x8a/0x1b9
[   33.868303]  ? hfsplus_releasepage+0x4bc/0x540
[   33.872869]  __asan_report_load4_noabort+0x88/0x90
[   33.877782]  ? __sanitizer_cov_trace_const_cmp4+0x20/0x20
[   33.883298]  ? hfsplus_releasepage+0x4bc/0x540
[   33.887862]  hfsplus_releasepage+0x4bc/0x540
[   33.892252]  ? hfsplus_show_options+0x580/0x580
[   33.896900]  try_to_release_page+0x242/0x390
[   33.901291]  block_invalidatepage+0x45b/0x4f0
[   33.905766]  ? end_buffer_read_nobh+0x90/0x90
[   33.910240]  truncate_cleanup_page+0x2b7/0x430
[   33.914804]  truncate_inode_pages_range+0x528/0x1b00
[   33.919895]  ? truncate_inode_page+0xc0/0xc0
[   33.924286]  ? __lock_acquire+0x6de/0x3ff0
[   33.928499]  ? mark_held_locks+0xf0/0xf0
[   33.932544]  ? mark_held_locks+0xf0/0xf0
[   33.936583]  ? __cpuusage_read+0x161/0x1f0
[   33.940800]  ? mark_held_locks+0xf0/0xf0
[   33.944841]  ? writeback_single_inode+0x2b/0x440
[   33.949583]  ? truncate_inode_pages_final+0xa0/0xb0
[   33.954583]  ? mark_held_locks+0xa6/0xf0
[   33.958622]  ? _raw_spin_unlock_irq+0x24/0x80
[   33.963097]  ? lockdep_hardirqs_on+0x3a8/0x5c0
[   33.967657]  hfsplus_evict_inode+0x16/0xd0
[   33.971867]  ? hfsplus_remount+0x300/0x300
[   33.976082]  evict+0x2ed/0x760
[   33.979255]  iput+0x4f1/0x860
[   33.982342]  hfsplus_put_super+0x270/0x3f0
[   33.986557]  ? hfsplus_sync_fs+0xae0/0xae0
[   33.990777]  generic_shutdown_super+0x144/0x370
[   33.995426]  kill_block_super+0x97/0xf0
[   33.999381]  deactivate_locked_super+0x94/0x160
[   34.004037]  deactivate_super+0x174/0x1a0
[   34.008163]  ? deactivate_locked_super+0x160/0x160
[   34.013070]  ? dput+0x31/0x640
[   34.016244]  cleanup_mnt+0x1a8/0x290
[   34.019947]  task_work_run+0x148/0x1c0
[   34.023815]  do_exit+0xbf3/0x2be0
[   34.027247]  ? lock_downgrade+0x720/0x720
[   34.031373]  ? mm_update_next_owner+0x650/0x650
[   34.036020]  ? up_read+0x17/0x110
[   34.039454]  ? __do_page_fault+0x180/0xd60
[   34.043669]  do_group_exit+0x125/0x310
[   34.047534]  __x64_sys_exit_group+0x3a/0x50
[   34.051834]  do_syscall_64+0xf9/0x620
[   34.055616]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   34.060783] RIP: 0033:0x7fc0a619c9a9
[   34.064480] Code: Bad RIP value.
[   34.067822] RSP: 002b:00007ffe06821d78 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
[   34.075510] RAX: ffffffffffffffda RBX: 00007fc0a6212330 RCX: 00007fc0a619c9a9
[   34.082763] RDX: 000000000000003c RSI: 00000000000000e7 RDI: 0000000000000001
[   34.090019] RBP: 0000000000000001 R08: ffffffffffffffc0 R09: 00000000000005f2
[   34.097267] R10: 0000000000000000 R11: 0000000000000246 R12: 00007fc0a6212330
[   34.104517] R13: 0000000000000001 R14: 0000000000000000 R15: 0000000000000001
[   34.111768] 
[   34.113376] Allocated by task 8098:
[   34.116983]  kmem_cache_alloc_trace+0x12f/0x380
[   34.121629]  hfsplus_btree_open+0x4d/0x10a0
[   34.125926]  hfsplus_fill_super+0xa2d/0x19e0
[   34.130310]  mount_bdev+0x2fc/0x3b0
[   34.133913]  mount_fs+0xa3/0x310
[   34.137258]  vfs_kern_mount.part.0+0x68/0x470
[   34.141734]  do_mount+0x115c/0x2f50
[   34.145337]  ksys_mount+0xcf/0x130
[   34.148883]  __x64_sys_mount+0xba/0x150
[   34.152832]  do_syscall_64+0xf9/0x620
[   34.156610]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   34.161772] 
[   34.163377] Freed by task 8098:
[   34.166633]  kfree+0xcc/0x210
[   34.169715]  hfsplus_btree_close+0x1a6/0x300
[   34.174099]  hfsplus_put_super+0x220/0x3f0
[   34.178311]  generic_shutdown_super+0x144/0x370
[   34.182958]  kill_block_super+0x97/0xf0
[   34.186919]  deactivate_locked_super+0x94/0x160
[   34.191563]  deactivate_super+0x174/0x1a0
[   34.195686]  cleanup_mnt+0x1a8/0x290
[   34.199380]  task_work_run+0x148/0x1c0
[   34.203252]  do_exit+0xbf3/0x2be0
[   34.206682]  do_group_exit+0x125/0x310
[   34.210545]  __x64_sys_exit_group+0x3a/0x50
[   34.214842]  do_syscall_64+0xf9/0x620
[   34.218636]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   34.223809] 
[   34.225424] The buggy address belongs to the object at ffff8880b33f0a80
[   34.225424]  which belongs to the cache kmalloc-4096 of size 4096
[   34.238252] The buggy address is located 56 bytes inside of
[   34.238252]  4096-byte region [ffff8880b33f0a80, ffff8880b33f1a80)
[   34.250106] The buggy address belongs to the page:
[   34.255017] page:ffffea0002ccfc00 count:1 mapcount:0 mapping:ffff88813bff0dc0 index:0x0 compound_mapcount: 0
[   34.264963] flags: 0xfff00000008100(slab|head)
[   34.269523] raw: 00fff00000008100 ffffea0002cb9188 ffffea0002cc3c88 ffff88813bff0dc0
[   34.277475] raw: 0000000000000000 ffff8880b33f0a80 0000000100000001 0000000000000000
[   34.285332] page dumped because: kasan: bad access detected
[   34.291020] 
[   34.292622] Memory state around the buggy address:
[   34.297528]  ffff8880b33f0980: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   34.304952]  ffff8880b33f0a00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   34.312288] >ffff8880b33f0a80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   34.319710]                                         ^
[   34.324877]  ffff8880b33f0b00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   34.332226]  ffff8880b33f0b80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   34.339556] ==================================================================
[   34.346888] Disabling lock debugging due to kernel taint
[   34.355702] Kernel panic - not syncing: panic_on_warn set ...
[   34.355702] 
[   34.363094] CPU: 1 PID: 8098 Comm: syz-executor537 Tainted: G    B             4.19.211-syzkaller #0
[   34.372543] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022
[   34.381889] Call Trace:
[   34.384477]  dump_stack+0x1fc/0x2ef
[   34.388113]  panic+0x26a/0x50e
[   34.391310]  ? __warn_printk+0xf3/0xf3
[   34.395200]  ? preempt_schedule_common+0x45/0xc0
[   34.400046]  ? ___preempt_schedule+0x16/0x18
[   34.404463]  ? trace_hardirqs_on+0x55/0x210
[   34.408769]  kasan_end_report+0x43/0x49
[   34.412729]  kasan_report_error.cold+0xa7/0x1b9
[   34.417385]  ? hfsplus_releasepage+0x4bc/0x540
[   34.421945]  __asan_report_load4_noabort+0x88/0x90
[   34.426854]  ? __sanitizer_cov_trace_const_cmp4+0x20/0x20
[   34.432368]  ? hfsplus_releasepage+0x4bc/0x540
[   34.436926]  hfsplus_releasepage+0x4bc/0x540
[   34.441313]  ? hfsplus_show_options+0x580/0x580
[   34.445961]  try_to_release_page+0x242/0x390
[   34.450350]  block_invalidatepage+0x45b/0x4f0
[   34.454825]  ? end_buffer_read_nobh+0x90/0x90
[   34.459298]  truncate_cleanup_page+0x2b7/0x430
[   34.463857]  truncate_inode_pages_range+0x528/0x1b00
[   34.468937]  ? truncate_inode_page+0xc0/0xc0
[   34.473324]  ? __lock_acquire+0x6de/0x3ff0
[   34.477541]  ? mark_held_locks+0xf0/0xf0
[   34.481580]  ? mark_held_locks+0xf0/0xf0
[   34.485629]  ? __cpuusage_read+0x161/0x1f0
[   34.489865]  ? mark_held_locks+0xf0/0xf0
[   34.493905]  ? writeback_single_inode+0x2b/0x440
[   34.498636]  ? truncate_inode_pages_final+0xa0/0xb0
[   34.503642]  ? mark_held_locks+0xa6/0xf0
[   34.507681]  ? _raw_spin_unlock_irq+0x24/0x80
[   34.512156]  ? lockdep_hardirqs_on+0x3a8/0x5c0
[   34.516991]  hfsplus_evict_inode+0x16/0xd0
[   34.521212]  ? hfsplus_remount+0x300/0x300
[   34.525428]  evict+0x2ed/0x760
[   34.528611]  iput+0x4f1/0x860
[   34.531703]  hfsplus_put_super+0x270/0x3f0
[   34.535932]  ? hfsplus_sync_fs+0xae0/0xae0
[   34.540152]  generic_shutdown_super+0x144/0x370
[   34.544821]  kill_block_super+0x97/0xf0
[   34.548777]  deactivate_locked_super+0x94/0x160
[   34.553459]  deactivate_super+0x174/0x1a0
[   34.557594]  ? deactivate_locked_super+0x160/0x160
[   34.562501]  ? dput+0x31/0x640
[   34.565680]  cleanup_mnt+0x1a8/0x290
[   34.569373]  task_work_run+0x148/0x1c0
[   34.573240]  do_exit+0xbf3/0x2be0
[   34.576674]  ? lock_downgrade+0x720/0x720
[   34.580805]  ? mm_update_next_owner+0x650/0x650
[   34.585468]  ? up_read+0x17/0x110
[   34.588984]  ? __do_page_fault+0x180/0xd60
[   34.593195]  do_group_exit+0x125/0x310
[   34.597059]  __x64_sys_exit_group+0x3a/0x50
[   34.601358]  do_syscall_64+0xf9/0x620
[   34.605141]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   34.610328] RIP: 0033:0x7fc0a619c9a9
[   34.614024] Code: Bad RIP value.
[   34.617366] RSP: 002b:00007ffe06821d78 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
[   34.625050] RAX: ffffffffffffffda RBX: 00007fc0a6212330 RCX: 00007fc0a619c9a9
[   34.632648] RDX: 000000000000003c RSI: 00000000000000e7 RDI: 0000000000000001
[   34.639928] RBP: 0000000000000001 R08: ffffffffffffffc0 R09: 00000000000005f2
[   34.647173] R10: 0000000000000000 R11: 0000000000000246 R12: 00007fc0a6212330
[   34.654417] R13: 0000000000000001 R14: 0000000000000000 R15: 0000000000000001
[   34.661854] Kernel Offset: disabled
[   34.665486] Rebooting in 86400 seconds..