Warning: Permanently added '10.128.1.47' (ED25519) to the list of known hosts.
2024/03/27 00:50:18 ignoring optional flag "sandboxArg"="0"
2024/03/27 00:50:18 parsed 1 programs
2024/03/27 00:50:20 executed programs: 0
[ 53.069638][ T1436] Adding 124996k swap on ./swap-file.  Priority:0 extents:1 across:124996k
[ 58.107834][ T1863] loop0: detected capacity change from 0 to 16
[ 58.116026][ T1863] erofs: (device loop0): mounted with root inode @ nid 36.
[ 58.125994][ T1863] ==================================================================
[ 58.134174][ T1863] BUG: KASAN: use-after-free in z_erofs_transform_plain+0x2f7/0x3e0
[ 58.142265][ T1863] Read of size 4096 at addr ffff88817b0ef000 by task syz-executor.0/1863
[ 58.151030][ T1863]
[ 58.153340][ T1863] CPU: 1 PID: 1863 Comm: syz-executor.0 Not tainted 6.1.82-syzkaller #0
[ 58.161661][ T1863] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/29/2024
[ 58.171813][ T1863] Call Trace:
[ 58.175087][ T1863]
[ 58.178017][ T1863]  dump_stack_lvl+0xf4/0x251
[ 58.182876][ T1863]  ? nf_tcp_handle_invalid+0x2f3/0x2f3
[ 58.188515][ T1863]  ? panic+0x3f7/0x3f7
[ 58.192582][ T1863]  ? __virt_addr_valid+0x139/0x260
[ 58.197756][ T1863]  ? __virt_addr_valid+0x211/0x260
[ 58.203304][ T1863]  print_report+0x15f/0x4f0
[ 58.207883][ T1863]  ? __virt_addr_valid+0x139/0x260
[ 58.213005][ T1863]  ? __virt_addr_valid+0x211/0x260
[ 58.218111][ T1863]  ? z_erofs_transform_plain+0x2f7/0x3e0
[ 58.224007][ T1863]  kasan_report+0x136/0x160
[ 58.229219][ T1863]  ? z_erofs_transform_plain+0x2f7/0x3e0
[ 58.234850][ T1863]  kasan_check_range+0x27f/0x290
[ 58.239768][ T1863]  ? z_erofs_transform_plain+0x2f7/0x3e0
[ 58.245377][ T1863]  memcpy+0x25/0x60
[ 58.249362][ T1863]  z_erofs_transform_plain+0x2f7/0x3e0
[ 58.254831][ T1863]  z_erofs_decompress_queue+0x1822/0x2920
[ 58.260562][ T1863]  ? z_erofs_onlinepage_endio+0x1b0/0x1b0
[ 58.266291][ T1863]  ? z_erofs_decompressqueue_endio+0x4b0/0x4b0
[ 58.272460][ T1863]  ? erofs_map_blocks+0x1040/0x1040
[ 58.277650][ T1863]  z_erofs_runqueue+0x1516/0x16e0
[ 58.282665][ T1863]  ? z_erofs_do_read_page+0x3070/0x3070
[ 58.288210][ T1863]  ? __filemap_get_folio+0x838/0x970
[ 58.293671][ T1863]  z_erofs_read_folio+0x3af/0x590
[ 58.298794][ T1863]  ? __lock_acquire+0xb70/0xb70
[ 58.303654][ T1863]  ? z_erofs_rcu_callback+0x100/0x100
[ 58.309029][ T1863]  ? __down_common+0x700/0x700
[ 58.313774][ T1863]  ? filemap_get_read_batch+0x175/0xa20
[ 58.319553][ T1863]  ? __up_read+0x286/0x360
[ 58.324056][ T1863]  ? z_erofs_rcu_callback+0x100/0x100
[ 58.329505][ T1863]  filemap_read_folio+0xc1/0x440
[ 58.334446][ T1863]  filemap_read+0x1359/0x24d0
[ 58.339124][ T1863]  ? debug_check_no_obj_freed+0x3e9/0x470
[ 58.344859][ T1863]  ? find_get_pages_range_tag+0x440/0x440
[ 58.350995][ T1863]  __kernel_read+0x393/0x6e0
[ 58.355742][ T1863]  ? rw_verify_area+0x100/0x100
[ 58.360576][ T1863]  ? crypto_shash_update+0x211/0x290
[ 58.365836][ T1863]  ? crypto_shash_setkey+0x220/0x220
[ 58.371094][ T1863]  integrity_kernel_read+0xa3/0xf0
[ 58.376198][ T1863]  ? integrity_inode_free+0x120/0x120
[ 58.381562][ T1863]  ima_calc_file_hash+0x71a/0x1c00
[ 58.386646][ T1863]  ? __lock_acquire+0xb70/0xb70
[ 58.391477][ T1863]  ? ima_alloc_tfm+0x260/0x260
[ 58.396473][ T1863]  ? erofs_getxattr+0x9c0/0x9c0
[ 58.401311][ T1863]  ? erofs_getxattr+0xba/0x9c0
[ 58.406053][ T1863]  ima_collect_measurement+0x446/0xa50
[ 58.411486][ T1863]  ? ima_get_action+0xb0/0xb0
[ 58.416225][ T1863]  ? erofs_xattr_user_list+0x90/0x90
[ 58.421485][ T1863]  process_measurement+0xddb/0x1890
[ 58.426670][ T1863]  ? __lock_acquire+0xb70/0xb70
[ 58.431513][ T1863]  ? ima_file_mmap+0x170/0x170
[ 58.436253][ T1863]  ? tomoyo_check_open_permission+0x1f8/0x950
[ 58.442294][ T1863]  ? apparmor_file_open+0x4ef/0x6b0
[ 58.447553][ T1863]  ? apparmor_current_getsecid_subj+0x15b/0x290
[ 58.453766][ T1863]  ima_file_check+0xe3/0x160
[ 58.458331][ T1863]  ? do_dentry_open+0x8dd/0xd20
[ 58.463164][ T1863]  ? ima_bprm_check+0x290/0x290
[ 58.468084][ T1863]  path_openat+0x2236/0x27d0
[ 58.472686][ T1863]  ? do_filp_open+0x430/0x430
[ 58.477361][ T1863]  do_filp_open+0x226/0x430
[ 58.481852][ T1863]  ? vfs_tmpfile+0x410/0x410
[ 58.486614][ T1863]  ? _raw_spin_unlock+0x24/0x40
[ 58.491456][ T1863]  ? alloc_fd+0x3dc/0x470
[ 58.495787][ T1863]  do_sys_openat2+0x10b/0x420
[ 58.500592][ T1863]  ? rcu_is_watching+0x1b/0x90
[ 58.505472][ T1863]  ? do_sys_open+0x1c0/0x1c0
[ 58.510119][ T1863]  ? __rseq_handle_notify_resume+0x827/0xdf0
[ 58.516275][ T1863]  ? xfd_validate_state+0x12/0x50
[ 58.521647][ T1863]  __x64_sys_open+0x1eb/0x240
[ 58.526501][ T1863]  ? do_sys_openat2+0x420/0x420
[ 58.531436][ T1863]  ? switch_fpu_return+0xc9/0x130
[ 58.536543][ T1863]  do_syscall_64+0x3d/0x80
[ 58.540939][ T1863]  entry_SYSCALL_64_after_hwframe+0x63/0xcd
[ 58.546852][ T1863] RIP: 0033:0x7f82a107dda9
[ 58.551241][ T1863] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 e1 20 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48
[ 58.571008][ T1863] RSP: 002b:00007f82a1d2a0c8 EFLAGS: 00000246 ORIG_RAX: 0000000000000002
[ 58.579616][ T1863] RAX: ffffffffffffffda RBX: 00007f82a11abf80 RCX: 00007f82a107dda9
[ 58.587578][ T1863] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000020000000
[ 58.595725][ T1863] RBP: 00007f82a10ca47a R08: 0000000000000000 R09: 0000000000000000
[ 58.603691][ T1863] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
[ 58.611739][ T1863] R13: 0000000000000006 R14: 00007f82a11abf80 R15: 00007ffcaf194a08
[ 58.619900][ T1863]
[ 58.623007][ T1863]
[ 58.625331][ T1863] Allocated by task 1607:
[ 58.629638][ T1863]  kasan_set_track+0x4b/0x70
[ 58.634308][ T1863]  __kasan_slab_alloc+0x65/0x70
[ 58.639876][ T1863]  slab_post_alloc_hook+0x54/0x3e0
[ 58.644974][ T1863]  kmem_cache_alloc+0x10c/0x290
[ 58.649891][ T1863]  vm_area_alloc+0x1b/0xd0
[ 58.654299][ T1863]  mmap_region+0xa30/0x1910
[ 58.658786][ T1863]  do_mmap+0x69e/0xb60
[ 58.662846][ T1863]  vm_mmap_pgoff+0x1b7/0x280
[ 58.667417][ T1863]  do_syscall_64+0x3d/0x80
[ 58.671917][ T1863]  entry_SYSCALL_64_after_hwframe+0x63/0xcd
[ 58.677897][ T1863]
[ 58.680226][ T1863] Freed by task 1607:
[ 58.684272][ T1863]  kasan_set_track+0x4b/0x70
[ 58.688927][ T1863]  kasan_save_free_info+0x27/0x40
[ 58.694103][ T1863]  ____kasan_slab_free+0x122/0x1e0
[ 58.699395][ T1863]  kmem_cache_free+0x2e8/0x510
[ 58.704238][ T1863]  exit_mmap+0x34e/0x730
[ 58.708696][ T1863]  __mmput+0x9b/0x2d0
[ 58.713017][ T1863]  exit_mm+0x122/0x1b0
[ 58.717089][ T1863]  do_exit+0x81e/0x2400
[ 58.721331][ T1863]  do_group_exit+0x1b5/0x280
[ 58.726025][ T1863]  __x64_sys_exit_group+0x3b/0x40
[ 58.731040][ T1863]  do_syscall_64+0x3d/0x80
[ 58.735519][ T1863]  entry_SYSCALL_64_after_hwframe+0x63/0xcd
[ 58.741677][ T1863]
[ 58.744069][ T1863] The buggy address belongs to the object at ffff88817b0ef000
[ 58.744069][ T1863]  which belongs to the cache vm_area_struct of size 144
[ 58.758388][ T1863] The buggy address is located 0 bytes inside of
[ 58.758388][ T1863]  144-byte region [ffff88817b0ef000, ffff88817b0ef090)
[ 58.771734][ T1863]
[ 58.774045][ T1863] The buggy address belongs to the physical page:
[ 58.780433][ T1863] page:ffffea0005ec3bc0 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x17b0ef
[ 58.790735][ T1863] flags: 0x100000000000200(slab|node=0|zone=2)
[ 58.796874][ T1863] raw: 0100000000000200 ffffea000429be80 dead000000000006 ffff888100195b40
[ 58.805453][ T1863] raw: 0000000000000000 0000000000130013 00000001ffffffff 0000000000000000
[ 58.814895][ T1863] page dumped because: kasan: bad access detected
[ 58.821298][ T1863] page_owner tracks the page as allocated
[ 58.827005][ T1863] page last allocated via order 0, migratetype Unmovable, gfp_mask 0x12cc0(GFP_KERNEL|__GFP_NOWARN|__GFP_NORETRY), pid 792, tgid 792 (dhcpcd-run-hook), ts 9424581029, free_ts 9422772236
[ 58.845332][ T1863]  post_alloc_hook+0x286/0x2b0
[ 58.850082][ T1863]  get_page_from_freelist+0x398c/0x3b60
[ 58.855603][ T1863]  __alloc_pages+0x251/0x640
[ 58.860168][ T1863]  alloc_slab_page+0x6a/0x150
[ 58.864818][ T1863]  new_slab+0x70/0x250
[ 58.868859][ T1863]  ___slab_alloc+0x9df/0xe70
[ 58.873505][ T1863]  kmem_cache_alloc+0x18b/0x290
[ 58.878497][ T1863]  copy_mm+0x9ab/0x1510
[ 58.882626][ T1863]  copy_process+0x127d/0x3510
[ 58.887343][ T1863]  kernel_clone+0x190/0x680
[ 58.891849][ T1863]  __x64_sys_clone+0x22c/0x270
[ 58.896672][ T1863]  do_syscall_64+0x3d/0x80
[ 58.901064][ T1863]  entry_SYSCALL_64_after_hwframe+0x63/0xcd
[ 58.907106][ T1863] page last free stack trace:
[ 58.911754][ T1863]  free_unref_page_prepare+0xd38/0xed0
[ 58.917190][ T1863]  free_unref_page_list+0x54b/0x7e0
[ 58.922384][ T1863]  release_pages+0x17bd/0x1960
[ 58.927212][ T1863]  tlb_flush_mmu+0xe5/0x1d0
[ 58.931689][ T1863]  tlb_finish_mmu+0xb0/0x1b0
[ 58.936286][ T1863]  exit_mmap+0x341/0x730
[ 58.940651][ T1863]  __mmput+0x9b/0x2d0
[ 58.944607][ T1863]  exit_mm+0x122/0x1b0
[ 58.948647][ T1863]  do_exit+0x81e/0x2400
[ 58.952769][ T1863]  do_group_exit+0x1b5/0x280
[ 58.957339][ T1863]  __x64_sys_exit_group+0x3b/0x40
[ 58.962362][ T1863]  do_syscall_64+0x3d/0x80
[ 58.966762][ T1863]  entry_SYSCALL_64_after_hwframe+0x63/0xcd
[ 58.972643][ T1863]
[ 58.974942][ T1863] Memory state around the buggy address:
[ 58.980553][ T1863]  ffff88817b0eef00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 58.988615][ T1863]  ffff88817b0eef80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 58.997109][ T1863] >ffff88817b0ef000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 59.005669][ T1863]                    ^
[ 59.009725][ T1863]  ffff88817b0ef080: fb fb fc fc fc fc fc fc fc fc fa fb fb fb fb fb
[ 59.017870][ T1863]  ffff88817b0ef100: fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
[ 59.026192][ T1863] ==================================================================
[ 59.034788][ T1863] Kernel panic - not syncing: KASAN: panic_on_warn set ...
[ 59.042340][ T1863] Kernel Offset: disabled
[ 59.046647][ T1863] Rebooting in 86400 seconds..